Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 8f2c20eb7068429b5883d6e334d9cb0f0102f44d / . / ssl / t1_lib.c
blob: 2fa4101d6c674772e426d212b61659462255a20d [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109#include <stdio.h>
David Benjamin35a7a442014-07-05 00:23:20 -0400[diff] [blame]110#include <stdlib.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]111#include <assert.h>
112
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]113#include <openssl/bytestring.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]114#include <openssl/evp.h>
115#include <openssl/hmac.h>
116#include <openssl/mem.h>
117#include <openssl/obj.h>
118#include <openssl/rand.h>
119
120#include "ssl_locl.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]121static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
122 const unsigned char *sess_id, int sesslen,
123 SSL_SESSION **psess);
124static int ssl_check_clienthello_tlsext_early(SSL *s);
125int ssl_check_serverhello_tlsext(SSL *s);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]126
127SSL3_ENC_METHOD TLSv1_enc_data={
128 tls1_enc,
129 tls1_mac,
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138 tls1_alert_code,
139 tls1_export_keying_material,
140 0,
141 SSL3_HM_HEADER_LENGTH,
142 ssl3_set_handshake_header,
143 ssl3_handshake_write
144 };
145
146SSL3_ENC_METHOD TLSv1_1_enc_data={
147 tls1_enc,
148 tls1_mac,
149 tls1_setup_key_block,
150 tls1_generate_master_secret,
151 tls1_change_cipher_state,
152 tls1_final_finish_mac,
153 TLS1_FINISH_MAC_LENGTH,
154 tls1_cert_verify_mac,
155 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
156 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
157 tls1_alert_code,
158 tls1_export_keying_material,
159 SSL_ENC_FLAG_EXPLICIT_IV,
160 SSL3_HM_HEADER_LENGTH,
161 ssl3_set_handshake_header,
162 ssl3_handshake_write
163 };
164
165SSL3_ENC_METHOD TLSv1_2_enc_data={
166 tls1_enc,
167 tls1_mac,
168 tls1_setup_key_block,
169 tls1_generate_master_secret,
170 tls1_change_cipher_state,
171 tls1_final_finish_mac,
172 TLS1_FINISH_MAC_LENGTH,
173 tls1_cert_verify_mac,
174 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
175 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
176 tls1_alert_code,
177 tls1_export_keying_material,
178 SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
179 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
180 SSL3_HM_HEADER_LENGTH,
181 ssl3_set_handshake_header,
182 ssl3_handshake_write
183 };
184
185long tls1_default_timeout(void)
186 {
187 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
188 * is way too long for http, the cache would over fill */
189 return(60*60*2);
190 }
191
192int tls1_new(SSL *s)
193 {
194 if (!ssl3_new(s)) return(0);
195 s->method->ssl_clear(s);
196 return(1);
197 }
198
199void tls1_free(SSL *s)
200 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]201 if (s->tlsext_session_ticket)
202 {
203 OPENSSL_free(s->tlsext_session_ticket);
204 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]205 ssl3_free(s);
206 }
207
208void tls1_clear(SSL *s)
209 {
210 ssl3_clear(s);
211 s->version = s->method->version;
212 }
213
David Benjamin35a7a442014-07-05 00:23:20 -0400[diff] [blame]214static int compare_uint16_t(const void *p1, const void *p2)
215 {
216 uint16_t u1 = *((const uint16_t*)p1);
217 uint16_t u2 = *((const uint16_t*)p2);
218 if (u1 < u2)
219 {
220 return -1;
221 }
222 else if (u1 > u2)
223 {
224 return 1;
225 }
226 else
227 {
228 return 0;
229 }
230 }
231
232/* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be more
233 * than one extension of the same type in a ClientHello or ServerHello. This
234 * function does an initial scan over the extensions block to filter those
235 * out. */
236static int tls1_check_duplicate_extensions(const CBS *cbs)
237 {
238 CBS extensions = *cbs;
239 size_t num_extensions = 0, i = 0;
240 uint16_t *extension_types = NULL;
241 int ret = 0;
242
243 /* First pass: count the extensions. */
244 while (CBS_len(&extensions) > 0)
245 {
246 uint16_t type;
247 CBS extension;
248
249 if (!CBS_get_u16(&extensions, &type) ||
250 !CBS_get_u16_length_prefixed(&extensions, &extension))
251 {
252 goto done;
253 }
254
255 num_extensions++;
256 }
257
258 extension_types = (uint16_t*)OPENSSL_malloc(sizeof(uint16_t) * num_extensions);
259 if (extension_types == NULL)
260 {
261 OPENSSL_PUT_ERROR(SSL, tls1_check_duplicate_extensions, ERR_R_MALLOC_FAILURE);
262 goto done;
263 }
264
265 /* Second pass: gather the extension types. */
266 extensions = *cbs;
267 for (i = 0; i < num_extensions; i++)
268 {
269 CBS extension;
270
271 if (!CBS_get_u16(&extensions, &extension_types[i]) ||
272 !CBS_get_u16_length_prefixed(&extensions, &extension))
273 {
274 /* This should not happen. */
275 goto done;
276 }
277 }
278 assert(CBS_len(&extensions) == 0);
279
280 /* Sort the extensions and make sure there are no duplicates. */
281 qsort(extension_types, num_extensions, sizeof(uint16_t), compare_uint16_t);
282 for (i = 1; i < num_extensions; i++)
283 {
284 if (extension_types[i-1] == extension_types[i])
285 {
286 goto done;
287 }
288 }
289
290 ret = 1;
291done:
292 if (extension_types)
293 OPENSSL_free(extension_types);
294 return ret;
295 }
296
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]297char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx)
298 {
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]299 CBS client_hello, session_id, cipher_suites, compression_methods, extensions;
300
301 CBS_init(&client_hello, ctx->client_hello, ctx->client_hello_len);
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]302
303 /* Skip client version. */
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]304 if (!CBS_skip(&client_hello, 2))
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]305 return 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]306
307 /* Skip client nonce. */
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]308 if (!CBS_skip(&client_hello, 32))
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]309 return 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]310
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]311 /* Extract session_id. */
312 if (!CBS_get_u8_length_prefixed(&client_hello, &session_id))
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]313 return 0;
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]314 ctx->session_id = CBS_data(&session_id);
315 ctx->session_id_len = CBS_len(&session_id);
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]316
317 /* Skip past DTLS cookie */
318 if (ctx->ssl->version == DTLS1_VERSION || ctx->ssl->version == DTLS1_BAD_VER)
319 {
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]320 CBS cookie;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]321
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]322 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie))
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]323 return 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]324 }
325
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]326 /* Extract cipher_suites. */
327 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
328 CBS_len(&cipher_suites) < 2 ||
329 (CBS_len(&cipher_suites) & 1) != 0)
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]330 return 0;
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]331 ctx->cipher_suites = CBS_data(&cipher_suites);
332 ctx->cipher_suites_len = CBS_len(&cipher_suites);
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]333
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]334 /* Extract compression_methods. */
335 if (!CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
336 CBS_len(&compression_methods) < 1)
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]337 return 0;
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]338 ctx->compression_methods = CBS_data(&compression_methods);
339 ctx->compression_methods_len = CBS_len(&compression_methods);
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]340
341 /* If the ClientHello ends here then it's valid, but doesn't have any
342 * extensions. (E.g. SSLv3.) */
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]343 if (CBS_len(&client_hello) == 0)
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]344 {
345 ctx->extensions = NULL;
346 ctx->extensions_len = 0;
347 return 1;
348 }
349
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]350 /* Extract extensions and check it is valid. */
351 if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
352 !tls1_check_duplicate_extensions(&extensions) ||
353 CBS_len(&client_hello) != 0)
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]354 return 0;
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]355 ctx->extensions = CBS_data(&extensions);
356 ctx->extensions_len = CBS_len(&extensions);
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]357
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]358 return 1;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]359 }
360
361char
362SSL_early_callback_ctx_extension_get(const struct ssl_early_callback_ctx *ctx,
363 uint16_t extension_type,
364 const unsigned char **out_data,
365 size_t *out_len)
366 {
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]367 CBS extensions;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]368
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]369 CBS_init(&extensions, ctx->extensions, ctx->extensions_len);
370
371 while (CBS_len(&extensions) != 0)
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]372 {
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]373 uint16_t type;
374 CBS extension;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]375
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]376 /* Decode the next extension. */
377 if (!CBS_get_u16(&extensions, &type) ||
378 !CBS_get_u16_length_prefixed(&extensions, &extension))
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]379 return 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]380
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]381 if (type == extension_type)
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]382 {
David Benjamin8f2c20e2014-07-09 09:30:38 -0400[diff] [blame^]383 *out_data = CBS_data(&extension);
384 *out_len = CBS_len(&extension);
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]385 return 1;
386 }
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]387 }
388
389 return 0;
390 }
391
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]392#ifndef OPENSSL_NO_EC
393
394static int nid_list[] =
395 {
396 NID_sect163k1, /* sect163k1 (1) */
397 NID_sect163r1, /* sect163r1 (2) */
398 NID_sect163r2, /* sect163r2 (3) */
399 NID_sect193r1, /* sect193r1 (4) */
400 NID_sect193r2, /* sect193r2 (5) */
401 NID_sect233k1, /* sect233k1 (6) */
402 NID_sect233r1, /* sect233r1 (7) */
403 NID_sect239k1, /* sect239k1 (8) */
404 NID_sect283k1, /* sect283k1 (9) */
405 NID_sect283r1, /* sect283r1 (10) */
406 NID_sect409k1, /* sect409k1 (11) */
407 NID_sect409r1, /* sect409r1 (12) */
408 NID_sect571k1, /* sect571k1 (13) */
409 NID_sect571r1, /* sect571r1 (14) */
410 NID_secp160k1, /* secp160k1 (15) */
411 NID_secp160r1, /* secp160r1 (16) */
412 NID_secp160r2, /* secp160r2 (17) */
413 NID_secp192k1, /* secp192k1 (18) */
414 NID_X9_62_prime192v1, /* secp192r1 (19) */
415 NID_secp224k1, /* secp224k1 (20) */
416 NID_secp224r1, /* secp224r1 (21) */
417 NID_secp256k1, /* secp256k1 (22) */
418 NID_X9_62_prime256v1, /* secp256r1 (23) */
419 NID_secp384r1, /* secp384r1 (24) */
420 NID_secp521r1, /* secp521r1 (25) */
421 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
422 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
423 NID_brainpoolP512r1 /* brainpool512r1 (28) */
424 };
425
426
427static const unsigned char ecformats_default[] =
428 {
429 TLSEXT_ECPOINTFORMAT_uncompressed,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]430 };
431
432static const unsigned char eccurves_default[] =
433 {
Adam Langleyf3a95c42014-06-20 15:50:41 -0700[diff] [blame]434 0,23, /* secp256r1 (23) */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]435 0,24, /* secp384r1 (24) */
Adam Langleyf3a95c42014-06-20 15:50:41 -0700[diff] [blame]436 0,25, /* secp521r1 (25) */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]437 };
438
439static const unsigned char suiteb_curves[] =
440 {
441 0, TLSEXT_curve_P_256,
442 0, TLSEXT_curve_P_384
443 };
444
445int tls1_ec_curve_id2nid(int curve_id)
446 {
447 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
448 if ((curve_id < 1) || ((unsigned int)curve_id >
449 sizeof(nid_list)/sizeof(nid_list[0])))
450 return 0;
451 return nid_list[curve_id-1];
452 }
453
454int tls1_ec_nid2curve_id(int nid)
455 {
456 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
457 switch (nid)
458 {
459 case NID_sect163k1: /* sect163k1 (1) */
460 return 1;
461 case NID_sect163r1: /* sect163r1 (2) */
462 return 2;
463 case NID_sect163r2: /* sect163r2 (3) */
464 return 3;
465 case NID_sect193r1: /* sect193r1 (4) */
466 return 4;
467 case NID_sect193r2: /* sect193r2 (5) */
468 return 5;
469 case NID_sect233k1: /* sect233k1 (6) */
470 return 6;
471 case NID_sect233r1: /* sect233r1 (7) */
472 return 7;
473 case NID_sect239k1: /* sect239k1 (8) */
474 return 8;
475 case NID_sect283k1: /* sect283k1 (9) */
476 return 9;
477 case NID_sect283r1: /* sect283r1 (10) */
478 return 10;
479 case NID_sect409k1: /* sect409k1 (11) */
480 return 11;
481 case NID_sect409r1: /* sect409r1 (12) */
482 return 12;
483 case NID_sect571k1: /* sect571k1 (13) */
484 return 13;
485 case NID_sect571r1: /* sect571r1 (14) */
486 return 14;
487 case NID_secp160k1: /* secp160k1 (15) */
488 return 15;
489 case NID_secp160r1: /* secp160r1 (16) */
490 return 16;
491 case NID_secp160r2: /* secp160r2 (17) */
492 return 17;
493 case NID_secp192k1: /* secp192k1 (18) */
494 return 18;
495 case NID_X9_62_prime192v1: /* secp192r1 (19) */
496 return 19;
497 case NID_secp224k1: /* secp224k1 (20) */
498 return 20;
499 case NID_secp224r1: /* secp224r1 (21) */
500 return 21;
501 case NID_secp256k1: /* secp256k1 (22) */
502 return 22;
503 case NID_X9_62_prime256v1: /* secp256r1 (23) */
504 return 23;
505 case NID_secp384r1: /* secp384r1 (24) */
506 return 24;
507 case NID_secp521r1: /* secp521r1 (25) */
508 return 25;
509 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
510 return 26;
511 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
512 return 27;
513 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
514 return 28;
515 default:
516 return 0;
517 }
518 }
519/* Get curves list, if "sess" is set return client curves otherwise
520 * preferred list
521 */
522static void tls1_get_curvelist(SSL *s, int sess,
523 const unsigned char **pcurves,
524 size_t *pcurveslen)
525 {
526 if (sess)
527 {
528 *pcurves = s->session->tlsext_ellipticcurvelist;
529 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
530 return;
531 }
532 /* For Suite B mode only include P-256, P-384 */
533 switch (tls1_suiteb(s))
534 {
535 case SSL_CERT_FLAG_SUITEB_128_LOS:
536 *pcurves = suiteb_curves;
537 *pcurveslen = sizeof(suiteb_curves);
538 break;
539
540 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
541 *pcurves = suiteb_curves;
542 *pcurveslen = 2;
543 break;
544
545 case SSL_CERT_FLAG_SUITEB_192_LOS:
546 *pcurves = suiteb_curves + 2;
547 *pcurveslen = 2;
548 break;
549 default:
550 *pcurves = s->tlsext_ellipticcurvelist;
551 *pcurveslen = s->tlsext_ellipticcurvelist_length;
552 }
553 if (!*pcurves)
554 {
555 *pcurves = eccurves_default;
556 *pcurveslen = sizeof(eccurves_default);
557 }
558 }
559/* Check a curve is one of our preferences */
560int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
561 {
562 const unsigned char *curves;
563 size_t curveslen, i;
564 unsigned int suiteb_flags = tls1_suiteb(s);
565 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
566 return 0;
567 /* Check curve matches Suite B preferences */
568 if (suiteb_flags)
569 {
570 unsigned long cid = s->s3->tmp.new_cipher->id;
571 if (p[1])
572 return 0;
573 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
574 {
575 if (p[2] != TLSEXT_curve_P_256)
576 return 0;
577 }
578 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
579 {
580 if (p[2] != TLSEXT_curve_P_384)
581 return 0;
582 }
583 else /* Should never happen */
584 return 0;
585 }
586 tls1_get_curvelist(s, 0, &curves, &curveslen);
587 for (i = 0; i < curveslen; i += 2, curves += 2)
588 {
589 if (p[1] == curves[0] && p[2] == curves[1])
590 return 1;
591 }
592 return 0;
593 }
594
595/* Return nth shared curve. If nmatch == -1 return number of
596 * matches. For nmatch == -2 return the NID of the curve to use for
597 * an EC tmp key.
598 */
599
600int tls1_shared_curve(SSL *s, int nmatch)
601 {
602 const unsigned char *pref, *supp;
603 size_t preflen, supplen, i, j;
604 int k;
605 /* Can't do anything on client side */
606 if (s->server == 0)
607 return -1;
608 if (nmatch == -2)
609 {
610 if (tls1_suiteb(s))
611 {
612 /* For Suite B ciphersuite determines curve: we
613 * already know these are acceptable due to previous
614 * checks.
615 */
616 unsigned long cid = s->s3->tmp.new_cipher->id;
617 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
618 return NID_X9_62_prime256v1; /* P-256 */
619 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
620 return NID_secp384r1; /* P-384 */
621 /* Should never happen */
622 return NID_undef;
623 }
624 /* If not Suite B just return first preference shared curve */
625 nmatch = 0;
626 }
627 tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
628 &supp, &supplen);
629 tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
630 &pref, &preflen);
631 preflen /= 2;
632 supplen /= 2;
633 k = 0;
634 for (i = 0; i < preflen; i++, pref+=2)
635 {
636 const unsigned char *tsupp = supp;
637 for (j = 0; j < supplen; j++, tsupp+=2)
638 {
639 if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
640 {
641 if (nmatch == k)
642 {
643 int id = (pref[0] << 8) | pref[1];
644 return tls1_ec_curve_id2nid(id);
645 }
646 k++;
647 }
648 }
649 }
650 if (nmatch == -1)
651 return k;
652 return 0;
653 }
654
655int tls1_set_curves(unsigned char **pext, size_t *pextlen,
656 int *curves, size_t ncurves)
657 {
658 unsigned char *clist, *p;
659 size_t i;
660 /* Bitmap of curves included to detect duplicates: only works
661 * while curve ids < 32
662 */
663 unsigned long dup_list = 0;
664 clist = OPENSSL_malloc(ncurves * 2);
665 if (!clist)
666 return 0;
667 for (i = 0, p = clist; i < ncurves; i++)
668 {
669 unsigned long idmask;
670 int id;
671 id = tls1_ec_nid2curve_id(curves[i]);
672 idmask = 1L << id;
673 if (!id || (dup_list & idmask))
674 {
675 OPENSSL_free(clist);
676 return 0;
677 }
678 dup_list |= idmask;
679 s2n(id, p);
680 }
681 if (*pext)
682 OPENSSL_free(*pext);
683 *pext = clist;
684 *pextlen = ncurves * 2;
685 return 1;
686 }
687
688/* TODO(fork): remove */
689#if 0
690#define MAX_CURVELIST 28
691
692typedef struct
693 {
694 size_t nidcnt;
695 int nid_arr[MAX_CURVELIST];
696 } nid_cb_st;
697
698static int nid_cb(const char *elem, int len, void *arg)
699 {
700 nid_cb_st *narg = arg;
701 size_t i;
702 int nid;
703 char etmp[20];
704 if (narg->nidcnt == MAX_CURVELIST)
705 return 0;
706 if (len > (int)(sizeof(etmp) - 1))
707 return 0;
708 memcpy(etmp, elem, len);
709 etmp[len] = 0;
710 nid = EC_curve_nist2nid(etmp);
711 if (nid == NID_undef)
712 nid = OBJ_sn2nid(etmp);
713 if (nid == NID_undef)
714 nid = OBJ_ln2nid(etmp);
715 if (nid == NID_undef)
716 return 0;
717 for (i = 0; i < narg->nidcnt; i++)
718 if (narg->nid_arr[i] == nid)
719 return 0;
720 narg->nid_arr[narg->nidcnt++] = nid;
721 return 1;
722 }
723/* Set curves based on a colon separate list */
724int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
725 const char *str)
726 {
727 nid_cb_st ncb;
728 ncb.nidcnt = 0;
729 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
730 return 0;
731 if (pext == NULL)
732 return 1;
733 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
734 }
735#endif
736
737/* For an EC key set TLS id and required compression based on parameters */
738static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
739 EC_KEY *ec)
740 {
741 int is_prime = 1, id;
742 const EC_GROUP *grp;
743 if (!ec)
744 return 0;
745
746 /* TODO(fork): remove. All curves are prime now. */
747 grp = EC_KEY_get0_group(ec);
748 if (!grp)
749 return 0;
750#if 0
751 /* Determine if it is a prime field */
752 meth = EC_GROUP_method_of(grp);
753 if (!meth)
754 return 0;
755 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
756 is_prime = 1;
757 else
758 is_prime = 0;
759#endif
760
761 /* Determine curve ID */
762 id = EC_GROUP_get_curve_name(grp);
763 id = tls1_ec_nid2curve_id(id);
764 /* If we have an ID set it, otherwise set arbitrary explicit curve */
765 if (id)
766 {
767 curve_id[0] = 0;
768 curve_id[1] = (unsigned char)id;
769 }
770 else
771 {
772 curve_id[0] = 0xff;
773 if (is_prime)
774 curve_id[1] = 0x01;
775 else
776 curve_id[1] = 0x02;
777 }
778 if (comp_id)
779 {
780 if (EC_KEY_get0_public_key(ec) == NULL)
781 return 0;
782 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
783 {
784 if (is_prime)
785 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
786 else
787 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
788 }
789 else
790 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
791 }
792 return 1;
793 }
794/* Check an EC key is compatible with extensions */
795static int tls1_check_ec_key(SSL *s,
796 unsigned char *curve_id, unsigned char *comp_id)
797 {
798 const unsigned char *p;
799 size_t plen, i;
800 int j;
801 /* If point formats extension present check it, otherwise everything
802 * is supported (see RFC4492).
803 */
804 if (comp_id && s->session->tlsext_ecpointformatlist)
805 {
806 p = s->session->tlsext_ecpointformatlist;
807 plen = s->session->tlsext_ecpointformatlist_length;
808 for (i = 0; i < plen; i++, p++)
809 {
810 if (*comp_id == *p)
811 break;
812 }
813 if (i == plen)
814 return 0;
815 }
816 if (!curve_id)
817 return 1;
818 /* Check curve is consistent with client and server preferences */
819 for (j = 0; j <= 1; j++)
820 {
821 tls1_get_curvelist(s, j, &p, &plen);
822 for (i = 0; i < plen; i+=2, p+=2)
823 {
824 if (p[0] == curve_id[0] && p[1] == curve_id[1])
825 break;
826 }
827 if (i == plen)
828 return 0;
829 /* For clients can only check sent curve list */
830 if (!s->server)
831 return 1;
832 }
833 return 1;
834 }
835
836static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
837 size_t *pformatslen)
838 {
839 /* If we have a custom point format list use it otherwise
840 * use default */
841 if (s->tlsext_ecpointformatlist)
842 {
843 *pformats = s->tlsext_ecpointformatlist;
844 *pformatslen = s->tlsext_ecpointformatlist_length;
845 }
846 else
847 {
848 *pformats = ecformats_default;
849 /* For Suite B we don't support char2 fields */
850 if (tls1_suiteb(s))
851 *pformatslen = sizeof(ecformats_default) - 1;
852 else
853 *pformatslen = sizeof(ecformats_default);
854 }
855 }
856
857/* Check cert parameters compatible with extensions: currently just checks
858 * EC certificates have compatible curves and compression.
859 */
860static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
861 {
862 unsigned char comp_id, curve_id[2];
863 EVP_PKEY *pkey;
864 int rv;
865 pkey = X509_get_pubkey(x);
866 if (!pkey)
867 return 0;
868 /* If not EC nothing to do */
869 if (pkey->type != EVP_PKEY_EC)
870 {
871 EVP_PKEY_free(pkey);
872 return 1;
873 }
874 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
875 EVP_PKEY_free(pkey);
876 if (!rv)
877 return 0;
878 /* Can't check curve_id for client certs as we don't have a
879 * supported curves extension.
880 */
881 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
882 if (!rv)
883 return 0;
884 /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
885 * SHA384+P-384, adjust digest if necessary.
886 */
887 if (set_ee_md && tls1_suiteb(s))
888 {
889 int check_md;
890 size_t i;
891 CERT *c = s->cert;
892 if (curve_id[0])
893 return 0;
894 /* Check to see we have necessary signing algorithm */
895 if (curve_id[1] == TLSEXT_curve_P_256)
896 check_md = NID_ecdsa_with_SHA256;
897 else if (curve_id[1] == TLSEXT_curve_P_384)
898 check_md = NID_ecdsa_with_SHA384;
899 else
900 return 0; /* Should never happen */
901 for (i = 0; i < c->shared_sigalgslen; i++)
902 if (check_md == c->shared_sigalgs[i].signandhash_nid)
903 break;
904 if (i == c->shared_sigalgslen)
905 return 0;
906 if (set_ee_md == 2)
907 {
908 if (check_md == NID_ecdsa_with_SHA256)
909 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
910 else
911 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
912 }
913 }
914 return rv;
915 }
916/* Check EC temporary key is compatible with client extensions */
917int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
918 {
919 unsigned char curve_id[2];
920 EC_KEY *ec = s->cert->ecdh_tmp;
921#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
922 /* Allow any curve: not just those peer supports */
923 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
924 return 1;
925#endif
926 /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
927 * no other curves permitted.
928 */
929 if (tls1_suiteb(s))
930 {
931 /* Curve to check determined by ciphersuite */
932 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
933 curve_id[1] = TLSEXT_curve_P_256;
934 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
935 curve_id[1] = TLSEXT_curve_P_384;
936 else
937 return 0;
938 curve_id[0] = 0;
939 /* Check this curve is acceptable */
940 if (!tls1_check_ec_key(s, curve_id, NULL))
941 return 0;
942 /* If auto or setting curve from callback assume OK */
943 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
944 return 1;
945 /* Otherwise check curve is acceptable */
946 else
947 {
948 unsigned char curve_tmp[2];
949 if (!ec)
950 return 0;
951 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
952 return 0;
953 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
954 return 1;
955 return 0;
956 }
957
958 }
959 if (s->cert->ecdh_tmp_auto)
960 {
961 /* Need a shared curve */
962 if (tls1_shared_curve(s, 0))
963 return 1;
964 else return 0;
965 }
966 if (!ec)
967 {
968 if (s->cert->ecdh_tmp_cb)
969 return 1;
970 else
971 return 0;
972 }
973 if (!tls1_set_ec_id(curve_id, NULL, ec))
974 return 0;
975/* Set this to allow use of invalid curves for testing */
976#if 0
977 return 1;
978#else
979 return tls1_check_ec_key(s, curve_id, NULL);
980#endif
981 }
982
983#else
984
985static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
986 {
987 return 1;
988 }
989
990#endif /* OPENSSL_NO_EC */
991
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]992
993/* List of supported signature algorithms and hashes. Should make this
994 * customisable at some point, for now include everything we support.
995 */
996
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]997#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]998
999#ifdef OPENSSL_NO_DSA
1000#define tlsext_sigalg_dsa(md) /* */
1001#else
1002#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
1003#endif
1004
1005#ifdef OPENSSL_NO_ECDSA
1006#define tlsext_sigalg_ecdsa(md) /* */
1007#else
1008#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
1009#endif
1010
1011#define tlsext_sigalg(md) \
1012 tlsext_sigalg_rsa(md) \
1013 tlsext_sigalg_dsa(md) \
1014 tlsext_sigalg_ecdsa(md)
1015
1016static unsigned char tls12_sigalgs[] = {
1017#ifndef OPENSSL_NO_SHA512
1018 tlsext_sigalg(TLSEXT_hash_sha512)
1019 tlsext_sigalg(TLSEXT_hash_sha384)
1020#endif
1021#ifndef OPENSSL_NO_SHA256
1022 tlsext_sigalg(TLSEXT_hash_sha256)
1023 tlsext_sigalg(TLSEXT_hash_sha224)
1024#endif
1025#ifndef OPENSSL_NO_SHA
1026 tlsext_sigalg(TLSEXT_hash_sha1)
1027#endif
1028};
1029#ifndef OPENSSL_NO_ECDSA
1030static unsigned char suiteb_sigalgs[] = {
1031 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
1032 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
1033};
1034#endif
1035size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
1036 {
1037 /* If Suite B mode use Suite B sigalgs only, ignore any other
1038 * preferences.
1039 */
1040#ifndef OPENSSL_NO_EC
1041 switch (tls1_suiteb(s))
1042 {
1043 case SSL_CERT_FLAG_SUITEB_128_LOS:
1044 *psigs = suiteb_sigalgs;
1045 return sizeof(suiteb_sigalgs);
1046
1047 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
1048 *psigs = suiteb_sigalgs;
1049 return 2;
1050
1051 case SSL_CERT_FLAG_SUITEB_192_LOS:
1052 *psigs = suiteb_sigalgs + 2;
1053 return 2;
1054 }
1055#endif
1056 /* If server use client authentication sigalgs if not NULL */
1057 if (s->server && s->cert->client_sigalgs)
1058 {
1059 *psigs = s->cert->client_sigalgs;
1060 return s->cert->client_sigalgslen;
1061 }
1062 else if (s->cert->conf_sigalgs)
1063 {
1064 *psigs = s->cert->conf_sigalgs;
1065 return s->cert->conf_sigalgslen;
1066 }
1067 else
1068 {
1069 *psigs = tls12_sigalgs;
1070 return sizeof(tls12_sigalgs);
1071 }
1072 }
1073/* Check signature algorithm is consistent with sent supported signature
1074 * algorithms and if so return relevant digest.
1075 */
1076int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
1077 const unsigned char *sig, EVP_PKEY *pkey)
1078 {
1079 const unsigned char *sent_sigs;
1080 size_t sent_sigslen, i;
1081 int sigalg = tls12_get_sigid(pkey);
1082 /* Should never happen */
1083 if (sigalg == -1)
1084 return -1;
1085 /* Check key type is consistent with signature */
1086 if (sigalg != (int)sig[1])
1087 {
1088 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
1089 return 0;
1090 }
1091#ifndef OPENSSL_NO_EC
1092 if (pkey->type == EVP_PKEY_EC)
1093 {
1094 unsigned char curve_id[2], comp_id;
1095 /* Check compression and curve matches extensions */
1096 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
1097 return 0;
1098 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
1099 {
1100 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_CURVE);
1101 return 0;
1102 }
1103 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1104 if (tls1_suiteb(s))
1105 {
1106 if (curve_id[0])
1107 return 0;
1108 if (curve_id[1] == TLSEXT_curve_P_256)
1109 {
1110 if (sig[0] != TLSEXT_hash_sha256)
1111 {
1112 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
1113 return 0;
1114 }
1115 }
1116 else if (curve_id[1] == TLSEXT_curve_P_384)
1117 {
1118 if (sig[0] != TLSEXT_hash_sha384)
1119 {
1120 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
1121 return 0;
1122 }
1123 }
1124 else
1125 return 0;
1126 }
1127 }
1128 else if (tls1_suiteb(s))
1129 return 0;
1130#endif
1131
1132 /* Check signature matches a type we sent */
1133 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1134 for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
1135 {
1136 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1137 break;
1138 }
1139 /* Allow fallback to SHA1 if not strict mode */
1140 if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
1141 {
1142 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
1143 return 0;
1144 }
1145 *pmd = tls12_get_hash(sig[0]);
1146 if (*pmd == NULL)
1147 {
1148 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_UNKNOWN_DIGEST);
1149 return 0;
1150 }
1151 /* Store the digest used so applications can retrieve it if they
1152 * wish.
1153 */
1154 if (s->session && s->session->sess_cert)
1155 s->session->sess_cert->peer_key->digest = *pmd;
1156 return 1;
1157 }
1158/* Get a mask of disabled algorithms: an algorithm is disabled
1159 * if it isn't supported or doesn't appear in supported signature
1160 * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1161 * session and not global settings.
1162 *
1163 */
1164void ssl_set_client_disabled(SSL *s)
1165 {
1166 CERT *c = s->cert;
1167 const unsigned char *sigalgs;
1168 size_t i, sigalgslen;
1169 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1170 c->mask_a = 0;
1171 c->mask_k = 0;
1172 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1173 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1174 c->mask_ssl = SSL_TLSV1_2;
1175 else
1176 c->mask_ssl = 0;
1177 /* Now go through all signature algorithms seeing if we support
1178 * any for RSA, DSA, ECDSA. Do this for all versions not just
1179 * TLS 1.2.
1180 */
1181 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1182 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
1183 {
1184 switch(sigalgs[1])
1185 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1186 case TLSEXT_signature_rsa:
1187 have_rsa = 1;
1188 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1189#ifndef OPENSSL_NO_DSA
1190 case TLSEXT_signature_dsa:
1191 have_dsa = 1;
1192 break;
1193#endif
1194#ifndef OPENSSL_NO_ECDSA
1195 case TLSEXT_signature_ecdsa:
1196 have_ecdsa = 1;
1197 break;
1198#endif
1199 }
1200 }
1201 /* Disable auth and static DH if we don't include any appropriate
1202 * signature algorithms.
1203 */
1204 if (!have_rsa)
1205 {
1206 c->mask_a |= SSL_aRSA;
1207 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1208 }
1209 if (!have_dsa)
1210 {
1211 c->mask_a |= SSL_aDSS;
1212 c->mask_k |= SSL_kDHd;
1213 }
1214 if (!have_ecdsa)
1215 {
1216 c->mask_a |= SSL_aECDSA;
1217 c->mask_k |= SSL_kECDHe;
1218 }
1219#ifndef OPENSSL_NO_PSK
1220 /* with PSK there must be client callback set */
1221 if (!s->psk_client_callback)
1222 {
1223 c->mask_a |= SSL_aPSK;
1224 c->mask_k |= SSL_kPSK;
1225 }
1226#endif /* OPENSSL_NO_PSK */
1227 c->valid = 1;
1228 }
1229
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1230/* header_len is the length of the ClientHello header written so far, used to
1231 * compute padding. It does not include the record header. Pass 0 if no padding
1232 * is to be done. */
1233unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, size_t header_len)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1234 {
1235 int extdatalen=0;
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1236 unsigned char *ret = buf;
1237 unsigned char *orig = buf;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1238#ifndef OPENSSL_NO_EC
1239 /* See if we support any ECC ciphersuites */
1240 int using_ecc = 0;
1241 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1242 {
1243 int i;
1244 unsigned long alg_k, alg_a;
1245 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1246
1247 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1248 {
1249 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1250
1251 alg_k = c->algorithm_mkey;
1252 alg_a = c->algorithm_auth;
1253 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
1254 || (alg_a & SSL_aECDSA)))
1255 {
1256 using_ecc = 1;
1257 break;
1258 }
1259 }
1260 }
1261#endif
1262
1263 /* don't add extensions for SSLv3 unless doing secure renegotiation */
1264 if (s->client_version == SSL3_VERSION
1265 && !s->s3->send_connection_binding)
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1266 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1267
1268 ret+=2;
1269
1270 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1271
1272 if (s->tlsext_hostname != NULL)
1273 {
1274 /* Add TLS extension servername to the Client Hello message */
1275 unsigned long size_str;
1276 long lenmax;
1277
1278 /* check for enough space.
1279 4 for the servername type and entension length
1280 2 for servernamelist length
1281 1 for the hostname type
1282 2 for hostname length
1283 + hostname length
1284 */
1285
1286 if ((lenmax = limit - ret - 9) < 0
1287 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1288 return NULL;
1289
1290 /* extension type and length */
1291 s2n(TLSEXT_TYPE_server_name,ret);
1292 s2n(size_str+5,ret);
1293
1294 /* length of servername list */
1295 s2n(size_str+3,ret);
1296
1297 /* hostname type, length and hostname */
1298 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1299 s2n(size_str,ret);
1300 memcpy(ret, s->tlsext_hostname, size_str);
1301 ret+=size_str;
1302 }
1303
1304 /* Add RI if renegotiating */
1305 if (s->renegotiate)
1306 {
1307 int el;
1308
1309 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1310 {
1311 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1312 return NULL;
1313 }
1314
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1315 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1316
1317 s2n(TLSEXT_TYPE_renegotiate,ret);
1318 s2n(el,ret);
1319
1320 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1321 {
1322 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1323 return NULL;
1324 }
1325
1326 ret += el;
1327 }
1328
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1329 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
1330 {
1331 int ticklen;
1332 if (!s->new_session && s->session && s->session->tlsext_tick)
1333 ticklen = s->session->tlsext_ticklen;
1334 else if (s->session && s->tlsext_session_ticket &&
1335 s->tlsext_session_ticket->data)
1336 {
1337 ticklen = s->tlsext_session_ticket->length;
1338 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1339 if (!s->session->tlsext_tick)
1340 return NULL;
1341 memcpy(s->session->tlsext_tick,
1342 s->tlsext_session_ticket->data,
1343 ticklen);
1344 s->session->tlsext_ticklen = ticklen;
1345 }
1346 else
1347 ticklen = 0;
1348 if (ticklen == 0 && s->tlsext_session_ticket &&
1349 s->tlsext_session_ticket->data == NULL)
1350 goto skip_ext;
1351 /* Check for enough room 2 for extension type, 2 for len
1352 * rest for ticket
1353 */
1354 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1355 s2n(TLSEXT_TYPE_session_ticket,ret);
1356 s2n(ticklen,ret);
1357 if (ticklen)
1358 {
1359 memcpy(ret, s->session->tlsext_tick, ticklen);
1360 ret += ticklen;
1361 }
1362 }
1363 skip_ext:
1364
1365 if (SSL_USE_SIGALGS(s))
1366 {
1367 size_t salglen;
1368 const unsigned char *salg;
1369 salglen = tls12_get_psigalgs(s, &salg);
1370 if ((size_t)(limit - ret) < salglen + 6)
1371 return NULL;
1372 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1373 s2n(salglen + 2, ret);
1374 s2n(salglen, ret);
1375 memcpy(ret, salg, salglen);
1376 ret += salglen;
1377 }
1378
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1379 /* TODO(fork): we probably want OCSP stapling, but it currently pulls in a lot of code. */
1380#if 0
1381 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1382 {
1383 int i;
1384 long extlen, idlen, itmp;
1385 OCSP_RESPID *id;
1386
1387 idlen = 0;
1388 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1389 {
1390 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1391 itmp = i2d_OCSP_RESPID(id, NULL);
1392 if (itmp <= 0)
1393 return NULL;
1394 idlen += itmp + 2;
1395 }
1396
1397 if (s->tlsext_ocsp_exts)
1398 {
1399 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1400 if (extlen < 0)
1401 return NULL;
1402 }
1403 else
1404 extlen = 0;
1405
1406 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1407 s2n(TLSEXT_TYPE_status_request, ret);
1408 if (extlen + idlen > 0xFFF0)
1409 return NULL;
1410 s2n(extlen + idlen + 5, ret);
1411 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1412 s2n(idlen, ret);
1413 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1414 {
1415 /* save position of id len */
1416 unsigned char *q = ret;
1417 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1418 /* skip over id len */
1419 ret += 2;
1420 itmp = i2d_OCSP_RESPID(id, &ret);
1421 /* write id len */
1422 s2n(itmp, q);
1423 }
1424 s2n(extlen, ret);
1425 if (extlen > 0)
1426 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1427 }
1428#endif
1429
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1430#ifndef OPENSSL_NO_NEXTPROTONEG
1431 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1432 {
1433 /* The client advertises an emtpy extension to indicate its
1434 * support for Next Protocol Negotiation */
1435 if (limit - ret - 4 < 0)
1436 return NULL;
1437 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1438 s2n(0,ret);
1439 }
1440#endif
1441
1442 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1443 {
1444 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1445 return NULL;
1446 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1447 s2n(2 + s->alpn_client_proto_list_len,ret);
1448 s2n(s->alpn_client_proto_list_len,ret);
1449 memcpy(ret, s->alpn_client_proto_list,
1450 s->alpn_client_proto_list_len);
1451 ret += s->alpn_client_proto_list_len;
1452 }
1453
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]1454 if (s->tlsext_channel_id_enabled)
1455 {
1456 /* The client advertises an emtpy extension to indicate its
1457 * support for Channel ID. */
1458 if (limit - ret - 4 < 0)
1459 return NULL;
1460 if (s->ctx->tlsext_channel_id_enabled_new)
1461 s2n(TLSEXT_TYPE_channel_id_new,ret);
1462 else
1463 s2n(TLSEXT_TYPE_channel_id,ret);
1464 s2n(0,ret);
1465 }
1466
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1467 if(SSL_get_srtp_profiles(s))
1468 {
1469 int el;
1470
1471 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1472
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1473 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1474
1475 s2n(TLSEXT_TYPE_use_srtp,ret);
1476 s2n(el,ret);
1477
1478 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1479 {
1480 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1481 return NULL;
1482 }
1483 ret += el;
1484 }
1485
Adam Langleyc3174b72014-06-20 12:00:00 -0700[diff] [blame]1486#ifndef OPENSSL_NO_EC
1487 if (using_ecc)
1488 {
1489 /* Add TLS extension ECPointFormats to the ClientHello message */
1490 long lenmax;
1491 const unsigned char *plist;
1492 size_t plistlen;
1493
1494 tls1_get_formatlist(s, &plist, &plistlen);
1495
1496 if ((lenmax = limit - ret - 5) < 0) return NULL;
1497 if (plistlen > (size_t)lenmax) return NULL;
1498 if (plistlen > 255)
1499 {
1500 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1501 return NULL;
1502 }
1503
1504 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1505 s2n(plistlen + 1,ret);
1506 *(ret++) = (unsigned char)plistlen ;
1507 memcpy(ret, plist, plistlen);
1508 ret+=plistlen;
1509
1510 /* Add TLS extension EllipticCurves to the ClientHello message */
1511 plist = s->tlsext_ellipticcurvelist;
1512 tls1_get_curvelist(s, 0, &plist, &plistlen);
1513
1514 if ((lenmax = limit - ret - 6) < 0) return NULL;
1515 if (plistlen > (size_t)lenmax) return NULL;
1516 if (plistlen > 65532)
1517 {
1518 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1519 return NULL;
1520 }
1521
1522 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1523 s2n(plistlen + 2, ret);
1524
1525 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1526 * elliptic_curve_list, but the examples use two bytes.
1527 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1528 * resolves this to two bytes.
1529 */
1530 s2n(plistlen, ret);
1531 memcpy(ret, plist, plistlen);
1532 ret+=plistlen;
1533 }
1534#endif /* OPENSSL_NO_EC */
1535
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1536#ifdef TLSEXT_TYPE_padding
1537 /* Add padding to workaround bugs in F5 terminators.
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1538 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1539 *
1540 * NB: because this code works out the length of all existing
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1541 * extensions it MUST always appear last. */
1542 if (header_len > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1543 {
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1544 header_len += ret - orig;
1545 if (header_len > 0xff && header_len < 0x200)
1546 {
1547 size_t padding_len = 0x200 - header_len;
Adam Langleyc3174b72014-06-20 12:00:00 -0700[diff] [blame]1548 /* Extensions take at least four bytes to encode. Always
1549 * include least one byte of data if including the
1550 * extension. WebSphere Application Server 7.0 is
1551 * intolerant to the last extension being zero-length. */
1552 if (padding_len >= 4 + 1)
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1553 padding_len -= 4;
1554 else
Adam Langleyc3174b72014-06-20 12:00:00 -0700[diff] [blame]1555 padding_len = 1;
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1556 if (limit - ret - 4 - (long)padding_len < 0)
1557 return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1558
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1559 s2n(TLSEXT_TYPE_padding, ret);
1560 s2n(padding_len, ret);
1561 memset(ret, 0, padding_len);
1562 ret += padding_len;
1563 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1564 }
1565#endif
1566
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1567 if ((extdatalen = ret-orig-2)== 0)
1568 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1569
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1570 s2n(extdatalen, orig);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1571 return ret;
1572 }
1573
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1574unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1575 {
1576 int extdatalen=0;
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1577 unsigned char *orig = buf;
1578 unsigned char *ret = buf;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1579#ifndef OPENSSL_NO_NEXTPROTONEG
1580 int next_proto_neg_seen;
1581#endif
1582#ifndef OPENSSL_NO_EC
1583 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1584 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1585 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1586 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1587#endif
1588 /* don't add extensions for SSLv3, unless doing secure renegotiation */
1589 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1590 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1591
1592 ret+=2;
1593 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1594
1595 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1596 {
1597 if ((long)(limit - ret - 4) < 0) return NULL;
1598
1599 s2n(TLSEXT_TYPE_server_name,ret);
1600 s2n(0,ret);
1601 }
1602
1603 if(s->s3->send_connection_binding)
1604 {
1605 int el;
1606
1607 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1608 {
1609 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1610 return NULL;
1611 }
1612
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1613 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1614
1615 s2n(TLSEXT_TYPE_renegotiate,ret);
1616 s2n(el,ret);
1617
1618 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1619 {
1620 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1621 return NULL;
1622 }
1623
1624 ret += el;
1625 }
1626
1627#ifndef OPENSSL_NO_EC
1628 if (using_ecc)
1629 {
1630 const unsigned char *plist;
1631 size_t plistlen;
1632 /* Add TLS extension ECPointFormats to the ServerHello message */
1633 long lenmax;
1634
1635 tls1_get_formatlist(s, &plist, &plistlen);
1636
1637 if ((lenmax = limit - ret - 5) < 0) return NULL;
1638 if (plistlen > (size_t)lenmax) return NULL;
1639 if (plistlen > 255)
1640 {
1641 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1642 return NULL;
1643 }
1644
1645 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1646 s2n(plistlen + 1,ret);
1647 *(ret++) = (unsigned char) plistlen;
1648 memcpy(ret, plist, plistlen);
1649 ret+=plistlen;
1650
1651 }
1652 /* Currently the server should not respond with a SupportedCurves extension */
1653#endif /* OPENSSL_NO_EC */
1654
1655 if (s->tlsext_ticket_expected
1656 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
1657 {
1658 if ((long)(limit - ret - 4) < 0) return NULL;
1659 s2n(TLSEXT_TYPE_session_ticket,ret);
1660 s2n(0,ret);
1661 }
1662
1663 if (s->tlsext_status_expected)
1664 {
1665 if ((long)(limit - ret - 4) < 0) return NULL;
1666 s2n(TLSEXT_TYPE_status_request,ret);
1667 s2n(0,ret);
1668 }
1669
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1670 if(s->srtp_profile)
1671 {
1672 int el;
1673
1674 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1675
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1676 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1677
1678 s2n(TLSEXT_TYPE_use_srtp,ret);
1679 s2n(el,ret);
1680
1681 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1682 {
1683 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1684 return NULL;
1685 }
1686 ret+=el;
1687 }
1688
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1689#ifndef OPENSSL_NO_NEXTPROTONEG
1690 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1691 s->s3->next_proto_neg_seen = 0;
1692 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1693 {
1694 const unsigned char *npa;
1695 unsigned int npalen;
1696 int r;
1697
1698 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1699 if (r == SSL_TLSEXT_ERR_OK)
1700 {
1701 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1702 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1703 s2n(npalen,ret);
1704 memcpy(ret, npa, npalen);
1705 ret += npalen;
1706 s->s3->next_proto_neg_seen = 1;
1707 }
1708 }
1709#endif
1710
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1711 if (s->s3->alpn_selected)
1712 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]1713 const uint8_t *selected = s->s3->alpn_selected;
1714 size_t len = s->s3->alpn_selected_len;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1715
1716 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1717 return NULL;
1718 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1719 s2n(3 + len,ret);
1720 s2n(1 + len,ret);
1721 *ret++ = len;
1722 memcpy(ret, selected, len);
1723 ret += len;
1724 }
1725
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]1726 /* If the client advertised support for Channel ID, and we have it
1727 * enabled, then we want to echo it back. */
1728 if (s->s3->tlsext_channel_id_valid)
1729 {
1730 if (limit - ret - 4 < 0)
1731 return NULL;
1732 if (s->s3->tlsext_channel_id_new)
1733 s2n(TLSEXT_TYPE_channel_id_new,ret);
1734 else
1735 s2n(TLSEXT_TYPE_channel_id,ret);
1736 s2n(0,ret);
1737 }
1738
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1739 if ((extdatalen = ret-orig-2) == 0)
1740 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1741
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1742 s2n(extdatalen, orig);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1743 return ret;
1744 }
1745
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1746/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1747 * ClientHello.
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1748 * cbs: the contents of the extension, not including the type and length.
1749 * out_alert: a pointer to the alert value to send in the event of a zero
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1750 * return.
1751 *
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1752 * returns: 1 on success. */
1753static int tls1_alpn_handle_client_hello(SSL *s, CBS *cbs, int *out_alert)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1754 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1755 CBS protocol_name_list;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1756 const unsigned char *selected;
1757 unsigned char selected_len;
1758 int r;
1759
1760 if (s->ctx->alpn_select_cb == NULL)
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1761 return 1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1762
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1763 if (!CBS_get_u16_length_prefixed(cbs, &protocol_name_list) ||
1764 CBS_len(cbs) != 0 ||
1765 CBS_len(&protocol_name_list) < 2)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1766 goto parse_error;
1767
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1768 /* Validate the protocol list. */
1769 CBS protocol_name_list_copy = protocol_name_list;
1770 while (CBS_len(&protocol_name_list_copy) > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1771 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1772 CBS protocol_name;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1773
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1774 if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1775 goto parse_error;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1776 }
1777
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1778 r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1779 CBS_data(&protocol_name_list), CBS_len(&protocol_name_list),
1780 s->ctx->alpn_select_cb_arg);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1781 if (r == SSL_TLSEXT_ERR_OK) {
1782 if (s->s3->alpn_selected)
1783 OPENSSL_free(s->s3->alpn_selected);
1784 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1785 if (!s->s3->alpn_selected)
1786 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1787 *out_alert = SSL_AD_INTERNAL_ERROR;
1788 return 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1789 }
1790 memcpy(s->s3->alpn_selected, selected, selected_len);
1791 s->s3->alpn_selected_len = selected_len;
1792 }
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1793 return 1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1794
1795parse_error:
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1796 *out_alert = SSL_AD_DECODE_ERROR;
1797 return 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1798 }
1799
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1800static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1801 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1802 int renegotiate_seen = 0;
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1803 CBS extensions;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1804 size_t i;
1805
1806 s->servername_done = 0;
1807 s->tlsext_status_type = -1;
1808#ifndef OPENSSL_NO_NEXTPROTONEG
1809 s->s3->next_proto_neg_seen = 0;
1810#endif
1811
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1812 if (s->s3->alpn_selected)
1813 {
1814 OPENSSL_free(s->s3->alpn_selected);
1815 s->s3->alpn_selected = NULL;
1816 }
1817
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1818 /* Clear any signature algorithms extension received */
1819 if (s->cert->peer_sigalgs)
1820 {
1821 OPENSSL_free(s->cert->peer_sigalgs);
1822 s->cert->peer_sigalgs = NULL;
1823 }
1824 /* Clear any shared sigtnature algorithms */
1825 if (s->cert->shared_sigalgs)
1826 {
1827 OPENSSL_free(s->cert->shared_sigalgs);
1828 s->cert->shared_sigalgs = NULL;
1829 }
1830 /* Clear certificate digests and validity flags */
1831 for (i = 0; i < SSL_PKEY_NUM; i++)
1832 {
1833 s->cert->pkeys[i].digest = NULL;
1834 s->cert->pkeys[i].valid_flags = 0;
1835 }
1836
David Benjamin35a7a442014-07-05 00:23:20 -0400[diff] [blame]1837 /* TODO(fork): we probably want OCSP stapling support, but this pulls in
1838 * a lot of code. */
1839#if 0
1840 /* Clear OCSP state. */
1841 s->tlsext_status_type = -1;
1842 if (s->tlsext_ocsp_ids)
1843 {
1844 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
1845 s->tlsext_ocsp_ids = NULL;
1846 }
1847 if (s->tlsext_ocsp_exts)
1848 {
1849 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free);
1850 s->tlsext_ocsp_exts = NULL;
1851 }
1852#endif
1853
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1854 /* There may be no extensions. */
1855 if (CBS_len(cbs) == 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1856 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1857 goto ri_check;
1858 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1859
David Benjamin35a7a442014-07-05 00:23:20 -0400[diff] [blame]1860 /* Decode the extensions block and check it is valid. */
1861 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
1862 !tls1_check_duplicate_extensions(&extensions))
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1863 {
1864 *out_alert = SSL_AD_DECODE_ERROR;
1865 return 0;
1866 }
1867
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1868 while (CBS_len(&extensions) != 0)
1869 {
1870 uint16_t type;
1871 CBS extension;
1872
1873 /* Decode the next extension. */
1874 if (!CBS_get_u16(&extensions, &type) ||
1875 !CBS_get_u16_length_prefixed(&extensions, &extension))
1876 {
1877 *out_alert = SSL_AD_DECODE_ERROR;
1878 return 0;
1879 }
1880
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1881 if (s->tlsext_debug_cb)
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1882 {
1883 s->tlsext_debug_cb(s, 0, type, (unsigned char*)CBS_data(&extension),
1884 CBS_len(&extension), s->tlsext_debug_arg);
1885 }
1886
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1887/* The servername extension is treated as follows:
1888
1889 - Only the hostname type is supported with a maximum length of 255.
1890 - The servername is rejected if too long or if it contains zeros,
1891 in which case an fatal alert is generated.
1892 - The servername field is maintained together with the session cache.
1893 - When a session is resumed, the servername call back invoked in order
1894 to allow the application to position itself to the right context.
1895 - The servername is acknowledged if it is new for a session or when
1896 it is identical to a previously used for the same session.
1897 Applications can control the behaviour. They can at any time
1898 set a 'desirable' servername for a new SSL object. This can be the
1899 case for example with HTTPS when a Host: header field is received and
1900 a renegotiation is requested. In this case, a possible servername
1901 presented in the new client hello is only acknowledged if it matches
1902 the value of the Host: field.
1903 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1904 if they provide for changing an explicit servername context for the session,
1905 i.e. when the session has been established with a servername extension.
1906 - On session reconnect, the servername extension may be absent.
1907
1908*/
1909
1910 if (type == TLSEXT_TYPE_server_name)
1911 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1912 CBS server_name_list;
1913
1914 if (!CBS_get_u16_length_prefixed(&extension, &server_name_list) ||
1915 CBS_len(&server_name_list) < 1 ||
1916 CBS_len(&extension) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1917 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1918 *out_alert = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1919 return 0;
1920 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1921
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1922 /* Decode each ServerName in the extension. */
1923 while (CBS_len(&server_name_list) > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1924 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1925 uint8_t name_type;
1926 CBS host_name;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1927
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1928 /* Decode the NameType. */
1929 if (!CBS_get_u8(&server_name_list, &name_type))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1930 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1931 *out_alert = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1932 return 0;
1933 }
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1934
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1935 /* Only host_name is supported. */
1936 if (name_type != TLSEXT_NAMETYPE_host_name)
1937 continue;
1938
1939 if (!s->hit)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1940 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1941 if (s->session->tlsext_hostname)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1942 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1943 /* The ServerNameList MUST NOT
1944 contain more than one name of
1945 the same name_type. */
1946 *out_alert = SSL_AD_DECODE_ERROR;
1947 return 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1948 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1949
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1950 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
1951 CBS_len(&host_name) < 1)
1952 {
1953 *out_alert = SSL_AD_DECODE_ERROR;
1954 return 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1955 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1956
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1957 if (CBS_len(&host_name) > TLSEXT_MAXLEN_host_name)
1958 {
1959 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
1960 return 0;
1961 }
1962
1963 /* host_name may not contain a NUL character. */
1964 if (BUF_strnlen((const char*)CBS_data(&host_name),
1965 CBS_len(&host_name)) != CBS_len(&host_name))
1966 {
1967 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
1968 return 0;
1969 }
1970
1971 /* Copy the hostname as a string. */
1972 s->session->tlsext_hostname = BUF_strndup(
1973 (const char*)CBS_data(&host_name), CBS_len(&host_name));
1974 if (s->session->tlsext_hostname == NULL)
1975 {
1976 *out_alert = SSL_AD_INTERNAL_ERROR;
1977 return 0;
1978 }
1979 s->servername_done = 1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1980 }
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1981 else
1982 {
1983 s->servername_done = s->session->tlsext_hostname
1984 && strlen(s->session->tlsext_hostname) == CBS_len(&host_name)
1985 && strncmp(s->session->tlsext_hostname,
1986 (char *)CBS_data(&host_name), CBS_len(&host_name)) == 0;
1987 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1988 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1989 }
1990
1991#ifndef OPENSSL_NO_EC
1992 else if (type == TLSEXT_TYPE_ec_point_formats)
1993 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1994 CBS ec_point_format_list;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1995
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1996 if (!CBS_get_u8_length_prefixed(&extension, &ec_point_format_list) ||
1997 CBS_len(&extension) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1998 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]1999 *out_alert = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2000 return 0;
2001 }
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2002
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2003 if (!s->hit)
2004 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2005 if (!CBS_stow(&ec_point_format_list,
2006 &s->session->tlsext_ecpointformatlist,
2007 &s->session->tlsext_ecpointformatlist_length))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2008 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2009 *out_alert = SSL_AD_INTERNAL_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2010 return 0;
2011 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2012 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2013 }
2014 else if (type == TLSEXT_TYPE_elliptic_curves)
2015 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2016 CBS elliptic_curve_list;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2017
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2018 if (!CBS_get_u16_length_prefixed(&extension, &elliptic_curve_list) ||
2019 CBS_len(&extension) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2020 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2021 *out_alert = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2022 return 0;
2023 }
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2024
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2025 if (!s->hit)
2026 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2027 if (!CBS_stow(&elliptic_curve_list,
2028 &s->session->tlsext_ellipticcurvelist,
2029 &s->session->tlsext_ellipticcurvelist_length))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2030 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2031 *out_alert = SSL_AD_INTERNAL_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2032 return 0;
2033 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2034 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2035 }
2036#endif /* OPENSSL_NO_EC */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2037 else if (type == TLSEXT_TYPE_session_ticket)
2038 {
2039 if (s->tls_session_ticket_ext_cb &&
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2040 !s->tls_session_ticket_ext_cb(s, CBS_data(&extension), CBS_len(&extension), s->tls_session_ticket_ext_cb_arg))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2041 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2042 *out_alert = SSL_AD_INTERNAL_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2043 return 0;
2044 }
2045 }
2046 else if (type == TLSEXT_TYPE_renegotiate)
2047 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2048 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, out_alert))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2049 return 0;
2050 renegotiate_seen = 1;
2051 }
2052 else if (type == TLSEXT_TYPE_signature_algorithms)
2053 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2054 CBS supported_signature_algorithms;
2055
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2056 if (!CBS_get_u16_length_prefixed(&extension, &supported_signature_algorithms) ||
2057 CBS_len(&extension) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2058 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2059 *out_alert = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2060 return 0;
2061 }
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2062
2063 /* Ensure the signature algorithms are non-empty. It
2064 * contains a list of SignatureAndHashAlgorithms
2065 * which are two bytes each. */
2066 if (CBS_len(&supported_signature_algorithms) == 0 ||
2067 (CBS_len(&supported_signature_algorithms) % 2) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2068 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2069 *out_alert = SSL_AD_DECODE_ERROR;
2070 return 0;
2071 }
2072
2073 if (!tls1_process_sigalgs(s,
2074 CBS_data(&supported_signature_algorithms),
2075 CBS_len(&supported_signature_algorithms)))
2076 {
2077 *out_alert = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2078 return 0;
2079 }
2080 /* If sigalgs received and no shared algorithms fatal
2081 * error.
2082 */
2083 if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
2084 {
2085 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2086 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2087 return 0;
2088 }
2089 }
2090
2091 /* TODO(fork): we probably want OCSP stapling support, but this pulls in a lot of code. */
2092#if 0
2093 else if (type == TLSEXT_TYPE_status_request)
2094 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2095 uint8_t status_type;
2096 CBS responder_id_list;
2097 CBS request_extensions;
2098
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2099 if (!CBS_get_u8(&extension, &status_type))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2100 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2101 *out_alert = SSL_AD_DECODE_ERROR;
2102 return 0;
2103 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2104
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2105 /* Only OCSP is supported. */
2106 if (status_type != TLSEXT_STATUSTYPE_ocsp)
2107 continue;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2108
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2109 s->tlsext_status_type = status_type;
2110
2111 /* Extension consists of a responder_id_list and
2112 * request_extensions. */
2113 if (!CBS_get_u16_length_prefixed(&extension, &responder_id_list) ||
2114 CBS_get_u16_length_prefixed(&extension, &request_extensions) ||
2115 CBS_len(&extension) != 0)
2116 {
2117 *out_alert = SSL_AD_DECODE_ERROR;
2118 return 0;
2119 }
2120
2121 if (CBS_len(&responder_id_list) > 0)
2122 {
2123 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
2124 if (s->tlsext_ocsp_ids == NULL)
2125 {
2126 *out_alert = SSL_AD_INTERNAL_ERROR;
2127 return 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2128 }
2129 }
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2130
2131 /* Parse out the responder IDs. */
2132 while (CBS_len(&responder_id_list) > 0)
2133 {
2134 CBS responder_id;
2135 OCSP_RESPID *id;
2136 const uint8_t *data;
2137
2138 /* Each ResponderID must have size at least 1. */
2139 if (!CBS_get_u16_length_prefixed(&responder_id_list, &responder_id) ||
2140 CBS_len(&responder_id) < 1)
2141 {
2142 *out_alert = SSL_AD_DECODE_ERROR;
2143 return 0;
2144 }
2145
2146 /* TODO(fork): Add CBS versions of d2i_FOO_BAR. */
2147 data = CBS_data(&responder_id);
2148 id = d2i_OCSP_RESPID(NULL, &data, CBS_len(&responder_id));
2149 if (!id)
2150 {
2151 *out_alert = SSL_AD_DECODE_ERROR;
2152 return 0;
2153 }
2154 if (!CBS_skip(&responder_id, data - CBS_data(&responder_id)))
2155 {
2156 /* This should never happen. */
2157 *out_alert = SSL_AD_INTERNAL_ERROR;
2158 OCSP_RESPID_free(id);
2159 return 0;
2160 }
2161 if (CBS_len(&responder_id) != 0)
2162 {
2163 *out_alert = SSL_AD_DECODE_ERROR;
2164 OCSP_RESPID_free(id);
2165 return 0;
2166 }
2167
2168 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id))
2169 {
2170 *out_alert = SSL_AD_INTERNAL_ERROR;
2171 OCSP_RESPID_free(id);
2172 return 0;
2173 }
2174 }
2175
2176 /* Parse out request_extensions. */
2177 if (CBS_len(&request_extensions) > 0)
2178 {
2179 const uint8_t *data;
2180
2181 data = CBS_data(&request_extensions);
2182 s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
2183 &data, CBS_len(&request_extensions));
2184 if (s->tlsext_ocsp_exts == NULL)
2185 {
2186 *out_alert = SSL_AD_DECODE_ERROR;
2187 return 0;
2188 }
2189 if (!CBS_skip(&request_extensions, data - CBS_data(&request_extensions)))
2190 {
2191 /* This should never happen. */
2192 *out_alert = SSL_AD_INTERNAL_ERROR;
2193 return 0;
2194 }
2195 if (CBS_len(&request_extensions) != 0)
2196 {
2197 *out_alert = SSL_AD_DECODE_ERROR;
2198 return 0;
2199 }
2200 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2201 }
2202#endif
2203
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2204#ifndef OPENSSL_NO_NEXTPROTONEG
2205 else if (type == TLSEXT_TYPE_next_proto_neg &&
2206 s->s3->tmp.finish_md_len == 0 &&
2207 s->s3->alpn_selected == NULL)
2208 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2209 /* The extension must be empty. */
2210 if (CBS_len(&extension) != 0)
2211 {
2212 *out_alert = SSL_AD_DECODE_ERROR;
2213 return 0;
2214 }
2215
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2216 /* We shouldn't accept this extension on a
2217 * renegotiation.
2218 *
2219 * s->new_session will be set on renegotiation, but we
2220 * probably shouldn't rely that it couldn't be set on
2221 * the initial renegotation too in certain cases (when
2222 * there's some other reason to disallow resuming an
2223 * earlier session -- the current code won't be doing
2224 * anything like that, but this might change).
2225
2226 * A valid sign that there's been a previous handshake
2227 * in this connection is if s->s3->tmp.finish_md_len >
2228 * 0. (We are talking about a check that will happen
2229 * in the Hello protocol round, well before a new
2230 * Finished message could have been computed.) */
2231 s->s3->next_proto_neg_seen = 1;
2232 }
2233#endif
2234
2235 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2236 s->ctx->alpn_select_cb &&
2237 s->s3->tmp.finish_md_len == 0)
2238 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2239 if (!tls1_alpn_handle_client_hello(s, &extension, out_alert))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2240 return 0;
2241#ifndef OPENSSL_NO_NEXTPROTONEG
2242 /* ALPN takes precedence over NPN. */
2243 s->s3->next_proto_neg_seen = 0;
2244#endif
2245 }
2246
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2247 else if (type == TLSEXT_TYPE_channel_id &&
2248 s->tlsext_channel_id_enabled)
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2249 {
2250 /* The extension must be empty. */
2251 if (CBS_len(&extension) != 0)
2252 {
2253 *out_alert = SSL_AD_DECODE_ERROR;
2254 return 0;
2255 }
2256
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2257 s->s3->tlsext_channel_id_valid = 1;
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2258 }
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2259
2260 else if (type == TLSEXT_TYPE_channel_id_new &&
2261 s->tlsext_channel_id_enabled)
2262 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2263 /* The extension must be empty. */
2264 if (CBS_len(&extension) != 0)
2265 {
2266 *out_alert = SSL_AD_DECODE_ERROR;
2267 return 0;
2268 }
2269
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2270 s->s3->tlsext_channel_id_valid = 1;
2271 s->s3->tlsext_channel_id_new = 1;
2272 }
2273
2274
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2275 /* session ticket processed earlier */
2276 else if (type == TLSEXT_TYPE_use_srtp)
2277 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2278 if (!ssl_parse_clienthello_use_srtp_ext(s, &extension, out_alert))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2279 return 0;
2280 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2281 }
2282
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2283 ri_check:
2284
2285 /* Need RI if renegotiating */
2286
2287 if (!renegotiate_seen && s->renegotiate &&
2288 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2289 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2290 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2291 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2292 return 0;
2293 }
2294 /* If no signature algorithms extension set default values */
2295 if (!s->cert->peer_sigalgs)
2296 ssl_cert_set_default_md(s->cert);
2297
2298 return 1;
2299 }
2300
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2301int ssl_parse_clienthello_tlsext(SSL *s, CBS *cbs)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2302 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2303 int alert = -1;
2304 if (ssl_scan_clienthello_tlsext(s, cbs, &alert) <= 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2305 {
David Benjamindc72ff72014-06-25 12:36:10 -0400[diff] [blame]2306 ssl3_send_alert(s, SSL3_AL_FATAL, alert);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2307 return 0;
2308 }
2309
2310 if (ssl_check_clienthello_tlsext_early(s) <= 0)
2311 {
David Benjamin9d28c752014-07-05 00:43:48 -0400[diff] [blame]2312 OPENSSL_PUT_ERROR(SSL, ssl_parse_clienthello_tlsext, SSL_R_CLIENTHELLO_TLSEXT);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2313 return 0;
2314 }
2315 return 1;
2316}
2317
2318#ifndef OPENSSL_NO_NEXTPROTONEG
2319/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2320 * elements of zero length are allowed and the set of elements must exactly fill
2321 * the length of the block. */
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2322static char ssl_next_proto_validate(const CBS *cbs)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2323 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2324 CBS copy = *cbs;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2325
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2326 while (CBS_len(&copy) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2327 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2328 CBS proto;
2329 if (!CBS_get_u8_length_prefixed(&copy, &proto) ||
2330 CBS_len(&proto) == 0)
2331 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2332 return 0;
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2333 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2334 }
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2335 return 1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2336 }
2337#endif
2338
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2339static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2340 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2341 int tlsext_servername = 0;
2342 int renegotiate_seen = 0;
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2343 CBS extensions;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2344
2345#ifndef OPENSSL_NO_NEXTPROTONEG
2346 s->s3->next_proto_neg_seen = 0;
2347#endif
2348
2349 if (s->s3->alpn_selected)
2350 {
2351 OPENSSL_free(s->s3->alpn_selected);
2352 s->s3->alpn_selected = NULL;
2353 }
2354
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2355 /* There may be no extensions. */
2356 if (CBS_len(cbs) == 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2357 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2358 goto ri_check;
2359 }
2360
David Benjamin35a7a442014-07-05 00:23:20 -0400[diff] [blame]2361 /* Decode the extensions block and check it is valid. */
2362 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
2363 !tls1_check_duplicate_extensions(&extensions))
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2364 {
2365 *out_alert = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2366 return 0;
2367 }
2368
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2369 while (CBS_len(&extensions) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2370 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2371 uint16_t type;
2372 CBS extension;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2373
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2374 /* Decode the next extension. */
2375 if (!CBS_get_u16(&extensions, &type) ||
2376 !CBS_get_u16_length_prefixed(&extensions, &extension))
2377 {
2378 *out_alert = SSL_AD_DECODE_ERROR;
2379 return 0;
2380 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2381
2382 if (s->tlsext_debug_cb)
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2383 {
2384 s->tlsext_debug_cb(s, 1, type, (unsigned char*)CBS_data(&extension),
2385 CBS_len(&extension), s->tlsext_debug_arg);
2386 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2387
2388 if (type == TLSEXT_TYPE_server_name)
2389 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2390 /* The extension must be empty. */
2391 if (CBS_len(&extension) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2392 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2393 *out_alert = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2394 return 0;
2395 }
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2396 /* We must have sent it in ClientHello. */
2397 if (s->tlsext_hostname == NULL)
2398 {
2399 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2400 return 0;
2401 }
2402 tlsext_servername = 1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2403 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2404#ifndef OPENSSL_NO_EC
2405 else if (type == TLSEXT_TYPE_ec_point_formats)
2406 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2407 CBS ec_point_format_list;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2408
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2409 if (!CBS_get_u8_length_prefixed(&extension, &ec_point_format_list) ||
2410 CBS_len(&extension) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2411 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2412 *out_alert = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2413 return 0;
2414 }
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2415
2416 if (!CBS_stow(&ec_point_format_list,
2417 &s->session->tlsext_ecpointformatlist,
2418 &s->session->tlsext_ecpointformatlist_length))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2419 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2420 *out_alert = SSL_AD_INTERNAL_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2421 return 0;
2422 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2423 }
2424#endif /* OPENSSL_NO_EC */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2425 else if (type == TLSEXT_TYPE_session_ticket)
2426 {
2427 if (s->tls_session_ticket_ext_cb &&
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2428 !s->tls_session_ticket_ext_cb(s, CBS_data(&extension), CBS_len(&extension),
2429 s->tls_session_ticket_ext_cb_arg))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2430 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2431 *out_alert = SSL_AD_INTERNAL_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2432 return 0;
2433 }
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2434
2435 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || CBS_len(&extension) > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2436 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2437 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2438 return 0;
2439 }
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2440
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2441 s->tlsext_ticket_expected = 1;
2442 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2443 else if (type == TLSEXT_TYPE_status_request)
2444 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2445 /* The extension MUST be empty and may only sent if
2446 * we've requested a status request message. */
2447 if (CBS_len(&extension) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2448 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2449 *out_alert = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2450 return 0;
2451 }
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2452 if (s->tlsext_status_type == -1)
2453 {
2454 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2455 return 0;
2456 }
2457 /* Set a flag to expect a CertificateStatus message */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2458 s->tlsext_status_expected = 1;
2459 }
2460#ifndef OPENSSL_NO_NEXTPROTONEG
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2461 else if (type == TLSEXT_TYPE_next_proto_neg && s->s3->tmp.finish_md_len == 0) {
2462 unsigned char *selected;
2463 unsigned char selected_len;
2464
2465 /* We must have requested it. */
2466 if (s->ctx->next_proto_select_cb == NULL)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2467 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2468 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2469 return 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2470 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2471
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2472 /* The data must be valid. */
2473 if (!ssl_next_proto_validate(&extension))
2474 {
2475 *out_alert = SSL_AD_DECODE_ERROR;
2476 return 0;
2477 }
2478
2479 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len,
2480 CBS_data(&extension), CBS_len(&extension),
2481 s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2482 {
2483 *out_alert = SSL_AD_INTERNAL_ERROR;
2484 return 0;
2485 }
2486
2487 s->next_proto_negotiated = BUF_memdup(selected, selected_len);
2488 if (s->next_proto_negotiated == NULL)
2489 {
2490 *out_alert = SSL_AD_INTERNAL_ERROR;
2491 return 0;
2492 }
2493 s->next_proto_negotiated_len = selected_len;
2494 s->s3->next_proto_neg_seen = 1;
2495 }
2496#endif
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2497 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
2498 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2499 CBS protocol_name_list, protocol_name;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2500
2501 /* We must have requested it. */
2502 if (s->alpn_client_proto_list == NULL)
2503 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2504 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2505 return 0;
2506 }
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2507
2508 /* The extension data consists of a ProtocolNameList
2509 * which must have exactly one ProtocolName. Each of
2510 * these is length-prefixed. */
2511 if (!CBS_get_u16_length_prefixed(&extension, &protocol_name_list) ||
2512 CBS_len(&extension) != 0 ||
2513 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
2514 CBS_len(&protocol_name_list) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2515 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2516 *out_alert = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2517 return 0;
2518 }
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2519
2520 if (!CBS_stow(&protocol_name,
2521 &s->s3->alpn_selected,
2522 &s->s3->alpn_selected_len))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2523 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2524 *out_alert = SSL_AD_INTERNAL_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2525 return 0;
2526 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2527 }
2528
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2529 else if (type == TLSEXT_TYPE_channel_id)
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2530 {
2531 if (CBS_len(&extension) != 0)
2532 {
2533 *out_alert = SSL_AD_DECODE_ERROR;
2534 return 0;
2535 }
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2536 s->s3->tlsext_channel_id_valid = 1;
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2537 }
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2538 else if (type == TLSEXT_TYPE_channel_id_new)
2539 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2540 if (CBS_len(&extension) != 0)
2541 {
2542 *out_alert = SSL_AD_DECODE_ERROR;
2543 return 0;
2544 }
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2545 s->s3->tlsext_channel_id_valid = 1;
2546 s->s3->tlsext_channel_id_new = 1;
2547 }
2548
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2549 else if (type == TLSEXT_TYPE_renegotiate)
2550 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2551 if (!ssl_parse_serverhello_renegotiate_ext(s, &extension, out_alert))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2552 return 0;
2553 renegotiate_seen = 1;
2554 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2555 else if (type == TLSEXT_TYPE_use_srtp)
2556 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2557 if (!ssl_parse_serverhello_use_srtp_ext(s, &extension, out_alert))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2558 return 0;
2559 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2560 }
2561
2562 if (!s->hit && tlsext_servername == 1)
2563 {
2564 if (s->tlsext_hostname)
2565 {
2566 if (s->session->tlsext_hostname == NULL)
2567 {
2568 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2569 if (!s->session->tlsext_hostname)
2570 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2571 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2572 return 0;
2573 }
2574 }
2575 else
2576 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2577 *out_alert = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2578 return 0;
2579 }
2580 }
2581 }
2582
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2583 ri_check:
2584
2585 /* Determine if we need to see RI. Strictly speaking if we want to
2586 * avoid an attack we should *always* see RI even on initial server
2587 * hello because the client doesn't see any renegotiation during an
2588 * attack. However this would mean we could not connect to any server
2589 * which doesn't support RI so for the immediate future tolerate RI
2590 * absence on initial connect only.
2591 */
2592 if (!renegotiate_seen
2593 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2594 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2595 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2596 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin9d28c752014-07-05 00:43:48 -0400[diff] [blame]2597 OPENSSL_PUT_ERROR(SSL, ssl_scan_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2598 return 0;
2599 }
2600
2601 return 1;
2602 }
2603
2604
2605int ssl_prepare_clienthello_tlsext(SSL *s)
2606 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2607 return 1;
2608 }
2609
2610int ssl_prepare_serverhello_tlsext(SSL *s)
2611 {
2612 return 1;
2613 }
2614
2615static int ssl_check_clienthello_tlsext_early(SSL *s)
2616 {
2617 int ret=SSL_TLSEXT_ERR_NOACK;
2618 int al = SSL_AD_UNRECOGNIZED_NAME;
2619
2620#ifndef OPENSSL_NO_EC
2621 /* The handling of the ECPointFormats extension is done elsewhere, namely in
2622 * ssl3_choose_cipher in s3_lib.c.
2623 */
2624 /* The handling of the EllipticCurves extension is done elsewhere, namely in
2625 * ssl3_choose_cipher in s3_lib.c.
2626 */
2627#endif
2628
2629 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2630 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2631 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2632 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2633
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2634 switch (ret)
2635 {
2636 case SSL_TLSEXT_ERR_ALERT_FATAL:
2637 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2638 return -1;
2639
2640 case SSL_TLSEXT_ERR_ALERT_WARNING:
2641 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2642 return 1;
2643
2644 case SSL_TLSEXT_ERR_NOACK:
2645 s->servername_done=0;
2646 default:
2647 return 1;
2648 }
2649 }
2650
2651int ssl_check_clienthello_tlsext_late(SSL *s)
2652 {
2653 int ret = SSL_TLSEXT_ERR_OK;
2654 int al;
2655
2656 /* If status request then ask callback what to do.
2657 * Note: this must be called after servername callbacks in case
2658 * the certificate has changed, and must be called after the cipher
2659 * has been chosen because this may influence which certificate is sent
2660 */
2661 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2662 {
2663 int r;
2664 CERT_PKEY *certpkey;
2665 certpkey = ssl_get_server_send_pkey(s);
2666 /* If no certificate can't return certificate status */
2667 if (certpkey == NULL)
2668 {
2669 s->tlsext_status_expected = 0;
2670 return 1;
2671 }
2672 /* Set current certificate to one we will use so
2673 * SSL_get_certificate et al can pick it up.
2674 */
2675 s->cert->key = certpkey;
2676 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2677 switch (r)
2678 {
2679 /* We don't want to send a status request response */
2680 case SSL_TLSEXT_ERR_NOACK:
2681 s->tlsext_status_expected = 0;
2682 break;
2683 /* status request response should be sent */
2684 case SSL_TLSEXT_ERR_OK:
2685 if (s->tlsext_ocsp_resp)
2686 s->tlsext_status_expected = 1;
2687 else
2688 s->tlsext_status_expected = 0;
2689 break;
2690 /* something bad happened */
2691 case SSL_TLSEXT_ERR_ALERT_FATAL:
2692 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2693 al = SSL_AD_INTERNAL_ERROR;
2694 goto err;
2695 }
2696 }
2697 else
2698 s->tlsext_status_expected = 0;
2699
2700 err:
2701 switch (ret)
2702 {
2703 case SSL_TLSEXT_ERR_ALERT_FATAL:
2704 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2705 return -1;
2706
2707 case SSL_TLSEXT_ERR_ALERT_WARNING:
2708 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2709 return 1;
2710
2711 default:
2712 return 1;
2713 }
2714 }
2715
2716int ssl_check_serverhello_tlsext(SSL *s)
2717 {
2718 int ret=SSL_TLSEXT_ERR_NOACK;
2719 int al = SSL_AD_UNRECOGNIZED_NAME;
2720
2721#ifndef OPENSSL_NO_EC
2722 /* If we are client and using an elliptic curve cryptography cipher
2723 * suite, then if server returns an EC point formats lists extension
2724 * it must contain uncompressed.
2725 */
2726 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2727 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2728 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
2729 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
2730 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2731 {
2732 /* we are using an ECC cipher */
2733 size_t i;
2734 unsigned char *list;
2735 int found_uncompressed = 0;
2736 list = s->session->tlsext_ecpointformatlist;
2737 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2738 {
2739 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2740 {
2741 found_uncompressed = 1;
2742 break;
2743 }
2744 }
2745 if (!found_uncompressed)
2746 {
2747 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2748 return -1;
2749 }
2750 }
2751 ret = SSL_TLSEXT_ERR_OK;
2752#endif /* OPENSSL_NO_EC */
2753
2754 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2755 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2756 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2757 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2758
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2759 /* If we've requested certificate status and we wont get one
2760 * tell the callback
2761 */
2762 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2763 && s->ctx && s->ctx->tlsext_status_cb)
2764 {
2765 int r;
2766 /* Set resp to NULL, resplen to -1 so callback knows
2767 * there is no response.
2768 */
2769 if (s->tlsext_ocsp_resp)
2770 {
2771 OPENSSL_free(s->tlsext_ocsp_resp);
2772 s->tlsext_ocsp_resp = NULL;
2773 }
2774 s->tlsext_ocsp_resplen = -1;
2775 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2776 if (r == 0)
2777 {
2778 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2779 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2780 }
2781 if (r < 0)
2782 {
2783 al = SSL_AD_INTERNAL_ERROR;
2784 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2785 }
2786 }
2787
2788 switch (ret)
2789 {
2790 case SSL_TLSEXT_ERR_ALERT_FATAL:
2791 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2792 return -1;
2793
2794 case SSL_TLSEXT_ERR_ALERT_WARNING:
2795 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2796 return 1;
2797
2798 case SSL_TLSEXT_ERR_NOACK:
2799 s->servername_done=0;
2800 default:
2801 return 1;
2802 }
2803 }
2804
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2805int ssl_parse_serverhello_tlsext(SSL *s, CBS *cbs)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2806 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2807 int alert = -1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2808 if (s->version < SSL3_VERSION)
2809 return 1;
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2810
2811 if (ssl_scan_serverhello_tlsext(s, cbs, &alert) <= 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2812 {
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2813 ssl3_send_alert(s, SSL3_AL_FATAL, alert);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2814 return 0;
2815 }
2816
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2817 if (ssl_check_serverhello_tlsext(s) <= 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2818 {
David Benjamin9d28c752014-07-05 00:43:48 -0400[diff] [blame]2819 OPENSSL_PUT_ERROR(SSL, ssl_parse_serverhello_tlsext, SSL_R_SERVERHELLO_TLSEXT);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2820 return 0;
2821 }
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2822
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2823 return 1;
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]2824 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2825
2826/* Since the server cache lookup is done early on in the processing of the
2827 * ClientHello, and other operations depend on the result, we need to handle
2828 * any TLS session ticket extension at the same time.
2829 *
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]2830 * ctx: contains the early callback context, which is the result of a
2831 * shallow parse of the ClientHello.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2832 * ret: (output) on return, if a ticket was decrypted, then this is set to
2833 * point to the resulting session.
2834 *
2835 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2836 * ciphersuite, in which case we have no use for session tickets and one will
2837 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2838 *
2839 * Returns:
2840 * -1: fatal error, either from parsing or decrypting the ticket.
2841 * 0: no ticket was found (or was ignored, based on settings).
2842 * 1: a zero length extension was found, indicating that the client supports
2843 * session tickets but doesn't currently have one to offer.
2844 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2845 * couldn't be decrypted because of a non-fatal error.
2846 * 3: a ticket was successfully decrypted and *ret was set.
2847 *
2848 * Side effects:
2849 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2850 * a new session ticket to the client because the client indicated support
2851 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2852 * a session ticket or we couldn't use the one it gave us, or if
2853 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2854 * Otherwise, s->tlsext_ticket_expected is set to 0.
2855 */
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]2856int tls1_process_ticket(SSL *s, const struct ssl_early_callback_ctx *ctx,
2857 SSL_SESSION **ret)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2858 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2859 *ret = NULL;
2860 s->tlsext_ticket_expected = 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]2861 const unsigned char *data;
2862 size_t len;
2863 int r;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2864
2865 /* If tickets disabled behave as if no ticket present
2866 * to permit stateful resumption.
2867 */
2868 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2869 return 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]2870 if ((s->version <= SSL3_VERSION) && !ctx->extensions)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2871 return 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]2872 if (!SSL_early_callback_ctx_extension_get(
2873 ctx, TLSEXT_TYPE_session_ticket, &data, &len))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2874 {
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]2875 return 0;
2876 }
2877 if (len == 0)
2878 {
2879 /* The client will accept a ticket but doesn't
2880 * currently have one. */
2881 s->tlsext_ticket_expected = 1;
2882 return 1;
2883 }
2884 if (s->tls_session_secret_cb)
2885 {
2886 /* Indicate that the ticket couldn't be
2887 * decrypted rather than generating the session
2888 * from ticket now, trigger abbreviated
2889 * handshake based on external mechanism to
2890 * calculate the master secret later. */
2891 return 2;
2892 }
2893 r = tls_decrypt_ticket(s, data, len, ctx->session_id,
2894 ctx->session_id_len, ret);
2895 switch (r)
2896 {
2897 case 2: /* ticket couldn't be decrypted */
2898 s->tlsext_ticket_expected = 1;
2899 return 2;
2900 case 3: /* ticket was decrypted */
2901 return r;
2902 case 4: /* ticket decrypted but need to renew */
2903 s->tlsext_ticket_expected = 1;
2904 return 3;
2905 default: /* fatal error */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2906 return -1;
2907 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2908 }
2909
2910/* tls_decrypt_ticket attempts to decrypt a session ticket.
2911 *
2912 * etick: points to the body of the session ticket extension.
2913 * eticklen: the length of the session tickets extenion.
2914 * sess_id: points at the session ID.
2915 * sesslen: the length of the session ID.
2916 * psess: (output) on return, if a ticket was decrypted, then this is set to
2917 * point to the resulting session.
2918 *
2919 * Returns:
2920 * -1: fatal error, either from parsing or decrypting the ticket.
2921 * 2: the ticket couldn't be decrypted.
2922 * 3: a ticket was successfully decrypted and *psess was set.
2923 * 4: same as 3, but the ticket needs to be renewed.
2924 */
2925static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2926 const unsigned char *sess_id, int sesslen,
2927 SSL_SESSION **psess)
2928 {
2929 SSL_SESSION *sess;
2930 unsigned char *sdec;
2931 const unsigned char *p;
2932 int slen, mlen, renew_ticket = 0;
2933 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2934 HMAC_CTX hctx;
2935 EVP_CIPHER_CTX ctx;
2936 SSL_CTX *tctx = s->initial_ctx;
2937 /* Need at least keyname + iv + some encrypted data */
2938 if (eticklen < 48)
2939 return 2;
2940 /* Initialize session ticket encryption and HMAC contexts */
2941 HMAC_CTX_init(&hctx);
2942 EVP_CIPHER_CTX_init(&ctx);
2943 if (tctx->tlsext_ticket_key_cb)
2944 {
2945 unsigned char *nctick = (unsigned char *)etick;
2946 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2947 &ctx, &hctx, 0);
2948 if (rv < 0)
2949 return -1;
2950 if (rv == 0)
2951 return 2;
2952 if (rv == 2)
2953 renew_ticket = 1;
2954 }
2955 else
2956 {
2957 /* Check key name matches */
2958 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2959 return 2;
2960 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2961 tlsext_tick_md(), NULL);
2962 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2963 tctx->tlsext_tick_aes_key, etick + 16);
2964 }
2965 /* Attempt to process session ticket, first conduct sanity and
2966 * integrity checks on ticket.
2967 */
2968 mlen = HMAC_size(&hctx);
2969 if (mlen < 0)
2970 {
2971 EVP_CIPHER_CTX_cleanup(&ctx);
2972 return -1;
2973 }
2974 eticklen -= mlen;
2975 /* Check HMAC of encrypted ticket */
2976 HMAC_Update(&hctx, etick, eticklen);
2977 HMAC_Final(&hctx, tick_hmac, NULL);
2978 HMAC_CTX_cleanup(&hctx);
2979 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2980 return 2;
2981 /* Attempt to decrypt session data */
2982 /* Move p after IV to start of encrypted ticket, update length */
2983 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2984 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2985 sdec = OPENSSL_malloc(eticklen);
2986 if (!sdec)
2987 {
2988 EVP_CIPHER_CTX_cleanup(&ctx);
2989 return -1;
2990 }
2991 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2992 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0)
2993 return 2;
2994 slen += mlen;
2995 EVP_CIPHER_CTX_cleanup(&ctx);
2996 p = sdec;
2997
2998 sess = d2i_SSL_SESSION(NULL, &p, slen);
2999 OPENSSL_free(sdec);
3000 if (sess)
3001 {
3002 /* The session ID, if non-empty, is used by some clients to
3003 * detect that the ticket has been accepted. So we copy it to
3004 * the session structure. If it is empty set length to zero
3005 * as required by standard.
3006 */
3007 if (sesslen)
3008 memcpy(sess->session_id, sess_id, sesslen);
3009 sess->session_id_length = sesslen;
3010 *psess = sess;
3011 if (renew_ticket)
3012 return 4;
3013 else
3014 return 3;
3015 }
3016 ERR_clear_error();
3017 /* For session parse failure, indicate that we need to send a new
3018 * ticket. */
3019 return 2;
3020 }
3021
3022/* Tables to translate from NIDs to TLS v1.2 ids */
3023
3024typedef struct
3025 {
3026 int nid;
3027 int id;
3028 } tls12_lookup;
3029
3030static tls12_lookup tls12_md[] = {
3031 {NID_md5, TLSEXT_hash_md5},
3032 {NID_sha1, TLSEXT_hash_sha1},
3033 {NID_sha224, TLSEXT_hash_sha224},
3034 {NID_sha256, TLSEXT_hash_sha256},
3035 {NID_sha384, TLSEXT_hash_sha384},
3036 {NID_sha512, TLSEXT_hash_sha512}
3037};
3038
3039static tls12_lookup tls12_sig[] = {
3040 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3041 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3042 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3043};
3044
3045static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3046 {
3047 size_t i;
3048 for (i = 0; i < tlen; i++)
3049 {
3050 if (table[i].nid == nid)
3051 return table[i].id;
3052 }
3053 return -1;
3054 }
3055
3056static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3057 {
3058 size_t i;
3059 for (i = 0; i < tlen; i++)
3060 {
3061 if ((table[i].id) == id)
3062 return table[i].nid;
3063 }
3064 return NID_undef;
3065 }
3066
3067int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3068 {
3069 int sig_id, md_id;
3070 if (!md)
3071 return 0;
3072 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3073 sizeof(tls12_md)/sizeof(tls12_lookup));
3074 if (md_id == -1)
3075 return 0;
3076 sig_id = tls12_get_sigid(pk);
3077 if (sig_id == -1)
3078 return 0;
3079 p[0] = (unsigned char)md_id;
3080 p[1] = (unsigned char)sig_id;
3081 return 1;
3082 }
3083
3084int tls12_get_sigid(const EVP_PKEY *pk)
3085 {
3086 return tls12_find_id(pk->type, tls12_sig,
3087 sizeof(tls12_sig)/sizeof(tls12_lookup));
3088 }
3089
3090const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3091 {
3092 switch(hash_alg)
3093 {
3094#ifndef OPENSSL_NO_MD5
3095 case TLSEXT_hash_md5:
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3096 return EVP_md5();
3097#endif
3098#ifndef OPENSSL_NO_SHA
3099 case TLSEXT_hash_sha1:
3100 return EVP_sha1();
3101#endif
3102#ifndef OPENSSL_NO_SHA256
3103 case TLSEXT_hash_sha224:
3104 return EVP_sha224();
3105
3106 case TLSEXT_hash_sha256:
3107 return EVP_sha256();
3108#endif
3109#ifndef OPENSSL_NO_SHA512
3110 case TLSEXT_hash_sha384:
3111 return EVP_sha384();
3112
3113 case TLSEXT_hash_sha512:
3114 return EVP_sha512();
3115#endif
3116 default:
3117 return NULL;
3118
3119 }
3120 }
3121
3122static int tls12_get_pkey_idx(unsigned char sig_alg)
3123 {
3124 switch(sig_alg)
3125 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3126 case TLSEXT_signature_rsa:
3127 return SSL_PKEY_RSA_SIGN;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3128#ifndef OPENSSL_NO_DSA
3129 case TLSEXT_signature_dsa:
3130 return SSL_PKEY_DSA_SIGN;
3131#endif
3132#ifndef OPENSSL_NO_ECDSA
3133 case TLSEXT_signature_ecdsa:
3134 return SSL_PKEY_ECC;
3135#endif
3136 }
3137 return -1;
3138 }
3139
3140/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3141static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3142 int *psignhash_nid, const unsigned char *data)
3143 {
3144 int sign_nid = 0, hash_nid = 0;
3145 if (!phash_nid && !psign_nid && !psignhash_nid)
3146 return;
3147 if (phash_nid || psignhash_nid)
3148 {
3149 hash_nid = tls12_find_nid(data[0], tls12_md,
3150 sizeof(tls12_md)/sizeof(tls12_lookup));
3151 if (phash_nid)
3152 *phash_nid = hash_nid;
3153 }
3154 if (psign_nid || psignhash_nid)
3155 {
3156 sign_nid = tls12_find_nid(data[1], tls12_sig,
3157 sizeof(tls12_sig)/sizeof(tls12_lookup));
3158 if (psign_nid)
3159 *psign_nid = sign_nid;
3160 }
3161 if (psignhash_nid)
3162 {
3163 if (sign_nid && hash_nid)
3164 OBJ_find_sigid_by_algs(psignhash_nid,
3165 hash_nid, sign_nid);
3166 else
3167 *psignhash_nid = NID_undef;
3168 }
3169 }
3170/* Given preference and allowed sigalgs set shared sigalgs */
3171static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3172 const unsigned char *pref, size_t preflen,
3173 const unsigned char *allow, size_t allowlen)
3174 {
3175 const unsigned char *ptmp, *atmp;
3176 size_t i, j, nmatch = 0;
3177 for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
3178 {
3179 /* Skip disabled hashes or signature algorithms */
3180 if (tls12_get_hash(ptmp[0]) == NULL)
3181 continue;
3182 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3183 continue;
3184 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
3185 {
3186 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
3187 {
3188 nmatch++;
3189 if (shsig)
3190 {
3191 shsig->rhash = ptmp[0];
3192 shsig->rsign = ptmp[1];
3193 tls1_lookup_sigalg(&shsig->hash_nid,
3194 &shsig->sign_nid,
3195 &shsig->signandhash_nid,
3196 ptmp);
3197 shsig++;
3198 }
3199 break;
3200 }
3201 }
3202 }
3203 return nmatch;
3204 }
3205
3206/* Set shared signature algorithms for SSL structures */
3207static int tls1_set_shared_sigalgs(SSL *s)
3208 {
3209 const unsigned char *pref, *allow, *conf;
3210 size_t preflen, allowlen, conflen;
3211 size_t nmatch;
3212 TLS_SIGALGS *salgs = NULL;
3213 CERT *c = s->cert;
3214 unsigned int is_suiteb = tls1_suiteb(s);
Adam Langleydb4f9522014-06-20 12:00:00 -0700[diff] [blame]3215 if (c->shared_sigalgs)
3216 {
3217 OPENSSL_free(c->shared_sigalgs);
3218 c->shared_sigalgs = NULL;
3219 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3220 /* If client use client signature algorithms if not NULL */
3221 if (!s->server && c->client_sigalgs && !is_suiteb)
3222 {
3223 conf = c->client_sigalgs;
3224 conflen = c->client_sigalgslen;
3225 }
3226 else if (c->conf_sigalgs && !is_suiteb)
3227 {
3228 conf = c->conf_sigalgs;
3229 conflen = c->conf_sigalgslen;
3230 }
3231 else
3232 conflen = tls12_get_psigalgs(s, &conf);
3233 if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb)
3234 {
3235 pref = conf;
3236 preflen = conflen;
3237 allow = c->peer_sigalgs;
3238 allowlen = c->peer_sigalgslen;
3239 }
3240 else
3241 {
3242 allow = conf;
3243 allowlen = conflen;
3244 pref = c->peer_sigalgs;
3245 preflen = c->peer_sigalgslen;
3246 }
3247 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3248 if (!nmatch)
3249 return 1;
3250 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3251 if (!salgs)
3252 return 0;
3253 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3254 c->shared_sigalgs = salgs;
3255 c->shared_sigalgslen = nmatch;
3256 return 1;
3257 }
3258
3259
3260/* Set preferred digest for each key type */
3261
3262int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
3263 {
3264 int idx;
3265 size_t i;
3266 const EVP_MD *md;
3267 CERT *c = s->cert;
3268 TLS_SIGALGS *sigptr;
3269 /* Extension ignored for inappropriate versions */
3270 if (!SSL_USE_SIGALGS(s))
3271 return 1;
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]3272 /* Length must be even */
3273 if (dsize % 2 != 0)
3274 return 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3275 /* Should never happen */
3276 if (!c)
3277 return 0;
3278
Adam Langleydb4f9522014-06-20 12:00:00 -0700[diff] [blame]3279 if (c->peer_sigalgs)
3280 OPENSSL_free(c->peer_sigalgs);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3281 c->peer_sigalgs = OPENSSL_malloc(dsize);
3282 if (!c->peer_sigalgs)
3283 return 0;
3284 c->peer_sigalgslen = dsize;
3285 memcpy(c->peer_sigalgs, data, dsize);
3286
3287 tls1_set_shared_sigalgs(s);
3288
3289#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3290 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
3291 {
3292 /* Use first set signature preference to force message
3293 * digest, ignoring any peer preferences.
3294 */
3295 const unsigned char *sigs = NULL;
3296 if (s->server)
3297 sigs = c->conf_sigalgs;
3298 else
3299 sigs = c->client_sigalgs;
3300 if (sigs)
3301 {
3302 idx = tls12_get_pkey_idx(sigs[1]);
3303 md = tls12_get_hash(sigs[0]);
3304 c->pkeys[idx].digest = md;
3305 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3306 if (idx == SSL_PKEY_RSA_SIGN)
3307 {
3308 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3309 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3310 }
3311 }
3312 }
3313#endif
3314
3315 for (i = 0, sigptr = c->shared_sigalgs;
3316 i < c->shared_sigalgslen; i++, sigptr++)
3317 {
3318 idx = tls12_get_pkey_idx(sigptr->rsign);
3319 if (idx > 0 && c->pkeys[idx].digest == NULL)
3320 {
3321 md = tls12_get_hash(sigptr->rhash);
3322 c->pkeys[idx].digest = md;
3323 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3324 if (idx == SSL_PKEY_RSA_SIGN)
3325 {
3326 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3327 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3328 }
3329 }
3330
3331 }
3332 /* In strict mode leave unset digests as NULL to indicate we can't
3333 * use the certificate for signing.
3334 */
3335 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
3336 {
3337 /* Set any remaining keys to default values. NOTE: if alg is
3338 * not supported it stays as NULL.
3339 */
3340#ifndef OPENSSL_NO_DSA
3341 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3342 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3343#endif
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3344 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
3345 {
3346 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3347 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3348 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3349#ifndef OPENSSL_NO_ECDSA
3350 if (!c->pkeys[SSL_PKEY_ECC].digest)
3351 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3352#endif
3353 }
3354 return 1;
3355 }
3356
3357
3358int SSL_get_sigalgs(SSL *s, int idx,
3359 int *psign, int *phash, int *psignhash,
3360 unsigned char *rsig, unsigned char *rhash)
3361 {
3362 const unsigned char *psig = s->cert->peer_sigalgs;
3363 if (psig == NULL)
3364 return 0;
3365 if (idx >= 0)
3366 {
3367 idx <<= 1;
3368 if (idx >= (int)s->cert->peer_sigalgslen)
3369 return 0;
3370 psig += idx;
3371 if (rhash)
3372 *rhash = psig[0];
3373 if (rsig)
3374 *rsig = psig[1];
3375 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3376 }
3377 return s->cert->peer_sigalgslen / 2;
3378 }
3379
3380int SSL_get_shared_sigalgs(SSL *s, int idx,
3381 int *psign, int *phash, int *psignhash,
3382 unsigned char *rsig, unsigned char *rhash)
3383 {
3384 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3385 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3386 return 0;
3387 shsigalgs += idx;
3388 if (phash)
3389 *phash = shsigalgs->hash_nid;
3390 if (psign)
3391 *psign = shsigalgs->sign_nid;
3392 if (psignhash)
3393 *psignhash = shsigalgs->signandhash_nid;
3394 if (rsig)
3395 *rsig = shsigalgs->rsign;
3396 if (rhash)
3397 *rhash = shsigalgs->rhash;
3398 return s->cert->shared_sigalgslen;
3399 }
3400
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]3401/* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
3402 * SSL connection and writes it to |md|. */
3403int
3404tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
3405 {
3406 EVP_MD_CTX ctx;
3407 unsigned char temp_digest[EVP_MAX_MD_SIZE];
3408 unsigned temp_digest_len;
3409 int i;
3410 static const char kClientIDMagic[] = "TLS Channel ID signature";
3411
3412 if (s->s3->handshake_buffer)
3413 if (!ssl3_digest_cached_records(s))
3414 return 0;
3415
3416 EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
3417
3418 if (s->hit && s->s3->tlsext_channel_id_new)
3419 {
3420 static const char kResumptionMagic[] = "Resumption";
3421 EVP_DigestUpdate(md, kResumptionMagic,
3422 sizeof(kResumptionMagic));
3423 if (s->session->original_handshake_hash_len == 0)
3424 return 0;
3425 EVP_DigestUpdate(md, s->session->original_handshake_hash,
3426 s->session->original_handshake_hash_len);
3427 }
3428
3429 EVP_MD_CTX_init(&ctx);
3430 for (i = 0; i < SSL_MAX_DIGEST; i++)
3431 {
3432 if (s->s3->handshake_dgst[i] == NULL)
3433 continue;
3434 EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
3435 EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
3436 EVP_DigestUpdate(md, temp_digest, temp_digest_len);
3437 }
3438 EVP_MD_CTX_cleanup(&ctx);
3439
3440 return 1;
3441 }
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]3442
3443/* tls1_record_handshake_hashes_for_channel_id records the current handshake
3444 * hashes in |s->session| so that Channel ID resumptions can sign that data. */
3445int tls1_record_handshake_hashes_for_channel_id(SSL *s)
3446 {
3447 int digest_len;
3448 /* This function should never be called for a resumed session because
3449 * the handshake hashes that we wish to record are for the original,
3450 * full handshake. */
3451 if (s->hit)
3452 return -1;
3453 /* It only makes sense to call this function if Channel IDs have been
3454 * negotiated. */
3455 if (!s->s3->tlsext_channel_id_new)
3456 return -1;
3457
3458 digest_len = tls1_handshake_digest(
3459 s, s->session->original_handshake_hash,
3460 sizeof(s->session->original_handshake_hash));
3461 if (digest_len < 0)
3462 return -1;
3463
3464 s->session->original_handshake_hash_len = digest_len;
3465
3466 return 1;
3467 }
3468
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3469/* TODO(fork): remove */
3470#if 0
3471#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3472
3473typedef struct
3474 {
3475 size_t sigalgcnt;
3476 int sigalgs[MAX_SIGALGLEN];
3477 } sig_cb_st;
3478
3479static int sig_cb(const char *elem, int len, void *arg)
3480 {
3481 sig_cb_st *sarg = arg;
3482 size_t i;
3483 char etmp[20], *p;
3484 int sig_alg, hash_alg;
3485 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3486 return 0;
3487 if (len > (int)(sizeof(etmp) - 1))
3488 return 0;
3489 memcpy(etmp, elem, len);
3490 etmp[len] = 0;
3491 p = strchr(etmp, '+');
3492 if (!p)
3493 return 0;
3494 *p = 0;
3495 p++;
3496 if (!*p)
3497 return 0;
3498
3499 if (!strcmp(etmp, "RSA"))
3500 sig_alg = EVP_PKEY_RSA;
3501 else if (!strcmp(etmp, "DSA"))
3502 sig_alg = EVP_PKEY_DSA;
3503 else if (!strcmp(etmp, "ECDSA"))
3504 sig_alg = EVP_PKEY_EC;
3505 else return 0;
3506
3507 hash_alg = OBJ_sn2nid(p);
3508 if (hash_alg == NID_undef)
3509 hash_alg = OBJ_ln2nid(p);
3510 if (hash_alg == NID_undef)
3511 return 0;
3512
3513 for (i = 0; i < sarg->sigalgcnt; i+=2)
3514 {
3515 if (sarg->sigalgs[i] == sig_alg
3516 && sarg->sigalgs[i + 1] == hash_alg)
3517 return 0;
3518 }
3519 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3520 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3521 return 1;
3522 }
3523
3524/* Set suppored signature algorithms based on a colon separated list
3525 * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
3526int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
3527 {
3528 sig_cb_st sig;
3529 sig.sigalgcnt = 0;
3530 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3531 return 0;
3532 if (c == NULL)
3533 return 1;
3534 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3535 }
3536#endif
3537
3538int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
3539 {
3540 unsigned char *sigalgs, *sptr;
3541 int rhash, rsign;
3542 size_t i;
3543 if (salglen & 1)
3544 return 0;
3545 sigalgs = OPENSSL_malloc(salglen);
3546 if (sigalgs == NULL)
3547 return 0;
3548 for (i = 0, sptr = sigalgs; i < salglen; i+=2)
3549 {
3550 rhash = tls12_find_id(*psig_nids++, tls12_md,
3551 sizeof(tls12_md)/sizeof(tls12_lookup));
3552 rsign = tls12_find_id(*psig_nids++, tls12_sig,
3553 sizeof(tls12_sig)/sizeof(tls12_lookup));
3554
3555 if (rhash == -1 || rsign == -1)
3556 goto err;
3557 *sptr++ = rhash;
3558 *sptr++ = rsign;
3559 }
3560
3561 if (client)
3562 {
3563 if (c->client_sigalgs)
3564 OPENSSL_free(c->client_sigalgs);
3565 c->client_sigalgs = sigalgs;
3566 c->client_sigalgslen = salglen;
3567 }
3568 else
3569 {
3570 if (c->conf_sigalgs)
3571 OPENSSL_free(c->conf_sigalgs);
3572 c->conf_sigalgs = sigalgs;
3573 c->conf_sigalgslen = salglen;
3574 }
3575
3576 return 1;
3577
3578 err:
3579 OPENSSL_free(sigalgs);
3580 return 0;
3581 }
3582
3583static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3584 {
3585 int sig_nid;
3586 size_t i;
3587 if (default_nid == -1)
3588 return 1;
3589 sig_nid = X509_get_signature_nid(x);
3590 if (default_nid)
3591 return sig_nid == default_nid ? 1 : 0;
3592 for (i = 0; i < c->shared_sigalgslen; i++)
3593 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3594 return 1;
3595 return 0;
3596 }
3597/* Check to see if a certificate issuer name matches list of CA names */
3598static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
3599 {
3600 X509_NAME *nm;
3601 int i;
3602 nm = X509_get_issuer_name(x);
3603 for (i = 0; i < sk_X509_NAME_num(names); i++)
3604 {
3605 if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3606 return 1;
3607 }
3608 return 0;
3609 }
3610
3611/* Check certificate chain is consistent with TLS extensions and is
3612 * usable by server. This servers two purposes: it allows users to
3613 * check chains before passing them to the server and it allows the
3614 * server to check chains before attempting to use them.
3615 */
3616
3617/* Flags which need to be set for a certificate when stict mode not set */
3618
3619#define CERT_PKEY_VALID_FLAGS \
3620 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
3621/* Strict mode flags */
3622#define CERT_PKEY_STRICT_FLAGS \
3623 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3624 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
3625
3626int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3627 int idx)
3628 {
3629 int i;
3630 int rv = 0;
3631 int check_flags = 0, strict_mode;
3632 CERT_PKEY *cpk = NULL;
3633 CERT *c = s->cert;
3634 unsigned int suiteb_flags = tls1_suiteb(s);
3635 /* idx == -1 means checking server chains */
3636 if (idx != -1)
3637 {
3638 /* idx == -2 means checking client certificate chains */
3639 if (idx == -2)
3640 {
3641 cpk = c->key;
3642 idx = cpk - c->pkeys;
3643 }
3644 else
3645 cpk = c->pkeys + idx;
3646 x = cpk->x509;
3647 pk = cpk->privatekey;
3648 chain = cpk->chain;
3649 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3650 /* If no cert or key, forget it */
3651 if (!x || !pk)
3652 goto end;
3653#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3654 /* Allow any certificate to pass test */
3655 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
3656 {
3657 rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;
3658 cpk->valid_flags = rv;
3659 return rv;
3660 }
3661#endif
3662 }
3663 else
3664 {
3665 if (!x || !pk)
3666 goto end;
3667 idx = ssl_cert_type(x, pk);
3668 if (idx == -1)
3669 goto end;
3670 cpk = c->pkeys + idx;
3671 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3672 check_flags = CERT_PKEY_STRICT_FLAGS;
3673 else
3674 check_flags = CERT_PKEY_VALID_FLAGS;
3675 strict_mode = 1;
3676 }
3677
3678 if (suiteb_flags)
3679 {
3680 int ok;
3681 if (check_flags)
3682 check_flags |= CERT_PKEY_SUITEB;
3683 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3684 if (ok != X509_V_OK)
3685 {
3686 if (check_flags)
3687 rv |= CERT_PKEY_SUITEB;
3688 else
3689 goto end;
3690 }
3691 }
3692
3693 /* Check all signature algorithms are consistent with
3694 * signature algorithms extension if TLS 1.2 or later
3695 * and strict mode.
3696 */
3697 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
3698 {
3699 int default_nid;
3700 unsigned char rsign = 0;
3701 if (c->peer_sigalgs)
3702 default_nid = 0;
3703 /* If no sigalgs extension use defaults from RFC5246 */
3704 else
3705 {
3706 switch(idx)
3707 {
3708 case SSL_PKEY_RSA_ENC:
3709 case SSL_PKEY_RSA_SIGN:
3710 case SSL_PKEY_DH_RSA:
3711 rsign = TLSEXT_signature_rsa;
3712 default_nid = NID_sha1WithRSAEncryption;
3713 break;
3714
3715 case SSL_PKEY_DSA_SIGN:
3716 case SSL_PKEY_DH_DSA:
3717 rsign = TLSEXT_signature_dsa;
3718 default_nid = NID_dsaWithSHA1;
3719 break;
3720
3721 case SSL_PKEY_ECC:
3722 rsign = TLSEXT_signature_ecdsa;
3723 default_nid = NID_ecdsa_with_SHA1;
3724 break;
3725
3726 default:
3727 default_nid = -1;
3728 break;
3729 }
3730 }
3731 /* If peer sent no signature algorithms extension and we
3732 * have set preferred signature algorithms check we support
3733 * sha1.
3734 */
3735 if (default_nid > 0 && c->conf_sigalgs)
3736 {
3737 size_t j;
3738 const unsigned char *p = c->conf_sigalgs;
3739 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
3740 {
3741 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3742 break;
3743 }
3744 if (j == c->conf_sigalgslen)
3745 {
3746 if (check_flags)
3747 goto skip_sigs;
3748 else
3749 goto end;
3750 }
3751 }
3752 /* Check signature algorithm of each cert in chain */
3753 if (!tls1_check_sig_alg(c, x, default_nid))
3754 {
3755 if (!check_flags) goto end;
3756 }
3757 else
3758 rv |= CERT_PKEY_EE_SIGNATURE;
3759 rv |= CERT_PKEY_CA_SIGNATURE;
3760 for (i = 0; i < sk_X509_num(chain); i++)
3761 {
3762 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
3763 default_nid))
3764 {
3765 if (check_flags)
3766 {
3767 rv &= ~CERT_PKEY_CA_SIGNATURE;
3768 break;
3769 }
3770 else
3771 goto end;
3772 }
3773 }
3774 }
3775 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3776 else if(check_flags)
3777 rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;
3778 skip_sigs:
3779 /* Check cert parameters are consistent */
3780 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3781 rv |= CERT_PKEY_EE_PARAM;
3782 else if (!check_flags)
3783 goto end;
3784 if (!s->server)
3785 rv |= CERT_PKEY_CA_PARAM;
3786 /* In strict mode check rest of chain too */
3787 else if (strict_mode)
3788 {
3789 rv |= CERT_PKEY_CA_PARAM;
3790 for (i = 0; i < sk_X509_num(chain); i++)
3791 {
3792 X509 *ca = sk_X509_value(chain, i);
3793 if (!tls1_check_cert_param(s, ca, 0))
3794 {
3795 if (check_flags)
3796 {
3797 rv &= ~CERT_PKEY_CA_PARAM;
3798 break;
3799 }
3800 else
3801 goto end;
3802 }
3803 }
3804 }
3805 if (!s->server && strict_mode)
3806 {
3807 STACK_OF(X509_NAME) *ca_dn;
3808 int check_type = 0;
3809 switch (pk->type)
3810 {
3811 case EVP_PKEY_RSA:
3812 check_type = TLS_CT_RSA_SIGN;
3813 break;
3814 case EVP_PKEY_DSA:
3815 check_type = TLS_CT_DSS_SIGN;
3816 break;
3817 case EVP_PKEY_EC:
3818 check_type = TLS_CT_ECDSA_SIGN;
3819 break;
3820 case EVP_PKEY_DH:
3821 case EVP_PKEY_DHX:
3822 {
3823 int cert_type = X509_certificate_type(x, pk);
3824 if (cert_type & EVP_PKS_RSA)
3825 check_type = TLS_CT_RSA_FIXED_DH;
3826 if (cert_type & EVP_PKS_DSA)
3827 check_type = TLS_CT_DSS_FIXED_DH;
3828 }
3829 }
3830 if (check_type)
3831 {
3832 const unsigned char *ctypes;
3833 int ctypelen;
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]3834 ctypes = c->ctypes;
3835 ctypelen = (int)c->ctype_num;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3836 for (i = 0; i < ctypelen; i++)
3837 {
3838 if (ctypes[i] == check_type)
3839 {
3840 rv |= CERT_PKEY_CERT_TYPE;
3841 break;
3842 }
3843 }
3844 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
3845 goto end;
3846 }
3847 else
3848 rv |= CERT_PKEY_CERT_TYPE;
3849
3850
3851 ca_dn = s->s3->tmp.ca_names;
3852
3853 if (!sk_X509_NAME_num(ca_dn))
3854 rv |= CERT_PKEY_ISSUER_NAME;
3855
3856 if (!(rv & CERT_PKEY_ISSUER_NAME))
3857 {
3858 if (ssl_check_ca_name(ca_dn, x))
3859 rv |= CERT_PKEY_ISSUER_NAME;
3860 }
3861 if (!(rv & CERT_PKEY_ISSUER_NAME))
3862 {
3863 for (i = 0; i < sk_X509_num(chain); i++)
3864 {
3865 X509 *xtmp = sk_X509_value(chain, i);
3866 if (ssl_check_ca_name(ca_dn, xtmp))
3867 {
3868 rv |= CERT_PKEY_ISSUER_NAME;
3869 break;
3870 }
3871 }
3872 }
3873 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
3874 goto end;
3875 }
3876 else
3877 rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
3878
3879 if (!check_flags || (rv & check_flags) == check_flags)
3880 rv |= CERT_PKEY_VALID;
3881
3882 end:
3883
3884 if (TLS1_get_version(s) >= TLS1_2_VERSION)
3885 {
3886 if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
3887 rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
3888 else if (cpk->digest)
3889 rv |= CERT_PKEY_SIGN;
3890 }
3891 else
3892 rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
3893
3894 /* When checking a CERT_PKEY structure all flags are irrelevant
3895 * if the chain is invalid.
3896 */
3897 if (!check_flags)
3898 {
3899 if (rv & CERT_PKEY_VALID)
3900 cpk->valid_flags = rv;
3901 else
3902 {
3903 /* Preserve explicit sign flag, clear rest */
3904 cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
3905 return 0;
3906 }
3907 }
3908 return rv;
3909 }
3910
3911/* Set validity of certificates in an SSL structure */
3912void tls1_set_cert_validity(SSL *s)
3913 {
3914 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
3915 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
3916 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
3917 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
3918 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
3919 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
3920 }
3921/* User level utiity function to check a chain is suitable */
3922int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
3923 {
3924 return tls1_check_chain(s, x, pk, chain, -1);
3925 }
3926