Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / b7bf53c8087fd4cd75a3530621a2f2d7650e9a0f / . / ssl / t1_lib.c
blob: bdfbc0d8375d05ba343f58024500ea3d64f66c23 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109#include <stdio.h>
110#include <assert.h>
111
112#include <openssl/evp.h>
113#include <openssl/hmac.h>
114#include <openssl/mem.h>
115#include <openssl/obj.h>
116#include <openssl/rand.h>
117
118#include "ssl_locl.h"
119#ifndef OPENSSL_NO_TLSEXT
120static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
121 const unsigned char *sess_id, int sesslen,
122 SSL_SESSION **psess);
123static int ssl_check_clienthello_tlsext_early(SSL *s);
124int ssl_check_serverhello_tlsext(SSL *s);
125#endif
126
127SSL3_ENC_METHOD TLSv1_enc_data={
128 tls1_enc,
129 tls1_mac,
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138 tls1_alert_code,
139 tls1_export_keying_material,
140 0,
141 SSL3_HM_HEADER_LENGTH,
142 ssl3_set_handshake_header,
143 ssl3_handshake_write
144 };
145
146SSL3_ENC_METHOD TLSv1_1_enc_data={
147 tls1_enc,
148 tls1_mac,
149 tls1_setup_key_block,
150 tls1_generate_master_secret,
151 tls1_change_cipher_state,
152 tls1_final_finish_mac,
153 TLS1_FINISH_MAC_LENGTH,
154 tls1_cert_verify_mac,
155 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
156 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
157 tls1_alert_code,
158 tls1_export_keying_material,
159 SSL_ENC_FLAG_EXPLICIT_IV,
160 SSL3_HM_HEADER_LENGTH,
161 ssl3_set_handshake_header,
162 ssl3_handshake_write
163 };
164
165SSL3_ENC_METHOD TLSv1_2_enc_data={
166 tls1_enc,
167 tls1_mac,
168 tls1_setup_key_block,
169 tls1_generate_master_secret,
170 tls1_change_cipher_state,
171 tls1_final_finish_mac,
172 TLS1_FINISH_MAC_LENGTH,
173 tls1_cert_verify_mac,
174 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
175 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
176 tls1_alert_code,
177 tls1_export_keying_material,
178 SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
179 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
180 SSL3_HM_HEADER_LENGTH,
181 ssl3_set_handshake_header,
182 ssl3_handshake_write
183 };
184
185long tls1_default_timeout(void)
186 {
187 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
188 * is way too long for http, the cache would over fill */
189 return(60*60*2);
190 }
191
192int tls1_new(SSL *s)
193 {
194 if (!ssl3_new(s)) return(0);
195 s->method->ssl_clear(s);
196 return(1);
197 }
198
199void tls1_free(SSL *s)
200 {
201#ifndef OPENSSL_NO_TLSEXT
202 if (s->tlsext_session_ticket)
203 {
204 OPENSSL_free(s->tlsext_session_ticket);
205 }
206#endif /* OPENSSL_NO_TLSEXT */
207 ssl3_free(s);
208 }
209
210void tls1_clear(SSL *s)
211 {
212 ssl3_clear(s);
213 s->version = s->method->version;
214 }
215
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]216char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx)
217 {
218 size_t len = ctx->client_hello_len;
219 const unsigned char *p = ctx->client_hello;
220 uint16_t *extension_types;
221 unsigned num_extensions;
222
223 /* Skip client version. */
224 if (len < 2)
225 return 0;
226 len -= 2; p += 2;
227
228 /* Skip client nonce. */
229 if (len < 32)
230 return 0;
231 len -= 32; p += 32;
232
233 /* Get length of session id. */
234 if (len < 1)
235 return 0;
236 ctx->session_id_len = *p;
237 p++; len--;
238
239 ctx->session_id = p;
240 if (len < ctx->session_id_len)
241 return 0;
242 p += ctx->session_id_len; len -= ctx->session_id_len;
243
244 /* Skip past DTLS cookie */
245 if (ctx->ssl->version == DTLS1_VERSION || ctx->ssl->version == DTLS1_BAD_VER)
246 {
247 unsigned cookie_len;
248
249 if (len < 1)
250 return 0;
251 cookie_len = *p;
252 p++; len--;
253 if (len < cookie_len)
254 return 0;
255 p += cookie_len; len -= cookie_len;
256 }
257
258 /* Skip cipher suites. */
259 if (len < 2)
260 return 0;
261 n2s(p, ctx->cipher_suites_len);
262 len -= 2;
263
264 if ((ctx->cipher_suites_len & 1) != 0)
265 return 0;
266
267 ctx->cipher_suites = p;
268 if (len < ctx->cipher_suites_len)
269 return 0;
270 p += ctx->cipher_suites_len; len -= ctx->cipher_suites_len;
271
272 /* Skip compression methods. */
273 if (len < 1)
274 return 0;
275 ctx->compression_methods_len = *p;
276 p++; len--;
277
278 ctx->compression_methods = p;
279 if (len < ctx->compression_methods_len)
280 return 0;
281 p += ctx->compression_methods_len; len -= ctx->compression_methods_len;
282
283 /* If the ClientHello ends here then it's valid, but doesn't have any
284 * extensions. (E.g. SSLv3.) */
285 if (len == 0)
286 {
287 ctx->extensions = NULL;
288 ctx->extensions_len = 0;
289 return 1;
290 }
291
292 if (len < 2)
293 return 0;
294 n2s(p, ctx->extensions_len);
295 len -= 2;
296
297 if (ctx->extensions_len == 0 && len == 0)
298 {
299 ctx->extensions = NULL;
300 return 1;
301 }
302
303 ctx->extensions = p;
304 if (len != ctx->extensions_len)
305 return 0;
306
307 /* Verify that the extensions have valid lengths and that there are
308 * no duplicates. Each extension takes, at least, four bytes, so
309 * we can allocate a buffer of extensions_len/4 elements and be sure
310 * that we have enough space for all the extension types. */
311 extension_types =
312 OPENSSL_malloc(sizeof(uint16_t) * ctx->extensions_len/4);
313 if (extension_types == NULL)
314 return 0;
315 num_extensions = 0;
316
317 while (len != 0)
318 {
319 uint16_t extension_type, extension_len;
320 unsigned i;
321
322 if (len < 4)
323 goto err;
324 n2s(p, extension_type);
325 n2s(p, extension_len);
326 len -= 4;
327
328 if (len < extension_len)
329 goto err;
330 p += extension_len; len -= extension_len;
331
332 for (i = 0; i < num_extensions; i++)
333 {
334 if (extension_types[i] == extension_type)
335 {
336 /* Duplicate extension type. */
337 goto err;
338 }
339 }
340 extension_types[num_extensions] = extension_type;
341 num_extensions++;
342 }
343
344 OPENSSL_free(extension_types);
345 return 1;
346
347err:
348 OPENSSL_free(extension_types);
349 return 0;
350 }
351
352char
353SSL_early_callback_ctx_extension_get(const struct ssl_early_callback_ctx *ctx,
354 uint16_t extension_type,
355 const unsigned char **out_data,
356 size_t *out_len)
357 {
358 size_t len = ctx->extensions_len;
359 const unsigned char *p = ctx->extensions;
360
361 while (len != 0)
362 {
363 uint16_t ext_type, ext_len;
364
365 if (len < 4)
366 return 0;
367 n2s(p, ext_type);
368 n2s(p, ext_len);
369 len -= 4;
370
371 if (len < ext_len)
372 return 0;
373 if (ext_type == extension_type)
374 {
375 *out_data = p;
376 *out_len = ext_len;
377 return 1;
378 }
379
380 p += ext_len; len -= ext_len;
381 }
382
383 return 0;
384 }
385
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]386#ifndef OPENSSL_NO_EC
387
388static int nid_list[] =
389 {
390 NID_sect163k1, /* sect163k1 (1) */
391 NID_sect163r1, /* sect163r1 (2) */
392 NID_sect163r2, /* sect163r2 (3) */
393 NID_sect193r1, /* sect193r1 (4) */
394 NID_sect193r2, /* sect193r2 (5) */
395 NID_sect233k1, /* sect233k1 (6) */
396 NID_sect233r1, /* sect233r1 (7) */
397 NID_sect239k1, /* sect239k1 (8) */
398 NID_sect283k1, /* sect283k1 (9) */
399 NID_sect283r1, /* sect283r1 (10) */
400 NID_sect409k1, /* sect409k1 (11) */
401 NID_sect409r1, /* sect409r1 (12) */
402 NID_sect571k1, /* sect571k1 (13) */
403 NID_sect571r1, /* sect571r1 (14) */
404 NID_secp160k1, /* secp160k1 (15) */
405 NID_secp160r1, /* secp160r1 (16) */
406 NID_secp160r2, /* secp160r2 (17) */
407 NID_secp192k1, /* secp192k1 (18) */
408 NID_X9_62_prime192v1, /* secp192r1 (19) */
409 NID_secp224k1, /* secp224k1 (20) */
410 NID_secp224r1, /* secp224r1 (21) */
411 NID_secp256k1, /* secp256k1 (22) */
412 NID_X9_62_prime256v1, /* secp256r1 (23) */
413 NID_secp384r1, /* secp384r1 (24) */
414 NID_secp521r1, /* secp521r1 (25) */
415 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
416 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
417 NID_brainpoolP512r1 /* brainpool512r1 (28) */
418 };
419
420
421static const unsigned char ecformats_default[] =
422 {
423 TLSEXT_ECPOINTFORMAT_uncompressed,
424 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
425 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
426 };
427
428static const unsigned char eccurves_default[] =
429 {
430 0,14, /* sect571r1 (14) */
431 0,13, /* sect571k1 (13) */
432 0,25, /* secp521r1 (25) */
433 0,28, /* brainpool512r1 (28) */
434 0,11, /* sect409k1 (11) */
435 0,12, /* sect409r1 (12) */
436 0,27, /* brainpoolP384r1 (27) */
437 0,24, /* secp384r1 (24) */
438 0,9, /* sect283k1 (9) */
439 0,10, /* sect283r1 (10) */
440 0,26, /* brainpoolP256r1 (26) */
441 0,22, /* secp256k1 (22) */
442 0,23, /* secp256r1 (23) */
443 0,8, /* sect239k1 (8) */
444 0,6, /* sect233k1 (6) */
445 0,7, /* sect233r1 (7) */
446 0,20, /* secp224k1 (20) */
447 0,21, /* secp224r1 (21) */
448 0,4, /* sect193r1 (4) */
449 0,5, /* sect193r2 (5) */
450 0,18, /* secp192k1 (18) */
451 0,19, /* secp192r1 (19) */
452 0,1, /* sect163k1 (1) */
453 0,2, /* sect163r1 (2) */
454 0,3, /* sect163r2 (3) */
455 0,15, /* secp160k1 (15) */
456 0,16, /* secp160r1 (16) */
457 0,17, /* secp160r2 (17) */
458 };
459
460static const unsigned char suiteb_curves[] =
461 {
462 0, TLSEXT_curve_P_256,
463 0, TLSEXT_curve_P_384
464 };
465
466int tls1_ec_curve_id2nid(int curve_id)
467 {
468 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
469 if ((curve_id < 1) || ((unsigned int)curve_id >
470 sizeof(nid_list)/sizeof(nid_list[0])))
471 return 0;
472 return nid_list[curve_id-1];
473 }
474
475int tls1_ec_nid2curve_id(int nid)
476 {
477 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
478 switch (nid)
479 {
480 case NID_sect163k1: /* sect163k1 (1) */
481 return 1;
482 case NID_sect163r1: /* sect163r1 (2) */
483 return 2;
484 case NID_sect163r2: /* sect163r2 (3) */
485 return 3;
486 case NID_sect193r1: /* sect193r1 (4) */
487 return 4;
488 case NID_sect193r2: /* sect193r2 (5) */
489 return 5;
490 case NID_sect233k1: /* sect233k1 (6) */
491 return 6;
492 case NID_sect233r1: /* sect233r1 (7) */
493 return 7;
494 case NID_sect239k1: /* sect239k1 (8) */
495 return 8;
496 case NID_sect283k1: /* sect283k1 (9) */
497 return 9;
498 case NID_sect283r1: /* sect283r1 (10) */
499 return 10;
500 case NID_sect409k1: /* sect409k1 (11) */
501 return 11;
502 case NID_sect409r1: /* sect409r1 (12) */
503 return 12;
504 case NID_sect571k1: /* sect571k1 (13) */
505 return 13;
506 case NID_sect571r1: /* sect571r1 (14) */
507 return 14;
508 case NID_secp160k1: /* secp160k1 (15) */
509 return 15;
510 case NID_secp160r1: /* secp160r1 (16) */
511 return 16;
512 case NID_secp160r2: /* secp160r2 (17) */
513 return 17;
514 case NID_secp192k1: /* secp192k1 (18) */
515 return 18;
516 case NID_X9_62_prime192v1: /* secp192r1 (19) */
517 return 19;
518 case NID_secp224k1: /* secp224k1 (20) */
519 return 20;
520 case NID_secp224r1: /* secp224r1 (21) */
521 return 21;
522 case NID_secp256k1: /* secp256k1 (22) */
523 return 22;
524 case NID_X9_62_prime256v1: /* secp256r1 (23) */
525 return 23;
526 case NID_secp384r1: /* secp384r1 (24) */
527 return 24;
528 case NID_secp521r1: /* secp521r1 (25) */
529 return 25;
530 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
531 return 26;
532 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
533 return 27;
534 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
535 return 28;
536 default:
537 return 0;
538 }
539 }
540/* Get curves list, if "sess" is set return client curves otherwise
541 * preferred list
542 */
543static void tls1_get_curvelist(SSL *s, int sess,
544 const unsigned char **pcurves,
545 size_t *pcurveslen)
546 {
547 if (sess)
548 {
549 *pcurves = s->session->tlsext_ellipticcurvelist;
550 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
551 return;
552 }
553 /* For Suite B mode only include P-256, P-384 */
554 switch (tls1_suiteb(s))
555 {
556 case SSL_CERT_FLAG_SUITEB_128_LOS:
557 *pcurves = suiteb_curves;
558 *pcurveslen = sizeof(suiteb_curves);
559 break;
560
561 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
562 *pcurves = suiteb_curves;
563 *pcurveslen = 2;
564 break;
565
566 case SSL_CERT_FLAG_SUITEB_192_LOS:
567 *pcurves = suiteb_curves + 2;
568 *pcurveslen = 2;
569 break;
570 default:
571 *pcurves = s->tlsext_ellipticcurvelist;
572 *pcurveslen = s->tlsext_ellipticcurvelist_length;
573 }
574 if (!*pcurves)
575 {
576 *pcurves = eccurves_default;
577 *pcurveslen = sizeof(eccurves_default);
578 }
579 }
580/* Check a curve is one of our preferences */
581int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
582 {
583 const unsigned char *curves;
584 size_t curveslen, i;
585 unsigned int suiteb_flags = tls1_suiteb(s);
586 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
587 return 0;
588 /* Check curve matches Suite B preferences */
589 if (suiteb_flags)
590 {
591 unsigned long cid = s->s3->tmp.new_cipher->id;
592 if (p[1])
593 return 0;
594 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
595 {
596 if (p[2] != TLSEXT_curve_P_256)
597 return 0;
598 }
599 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
600 {
601 if (p[2] != TLSEXT_curve_P_384)
602 return 0;
603 }
604 else /* Should never happen */
605 return 0;
606 }
607 tls1_get_curvelist(s, 0, &curves, &curveslen);
608 for (i = 0; i < curveslen; i += 2, curves += 2)
609 {
610 if (p[1] == curves[0] && p[2] == curves[1])
611 return 1;
612 }
613 return 0;
614 }
615
616/* Return nth shared curve. If nmatch == -1 return number of
617 * matches. For nmatch == -2 return the NID of the curve to use for
618 * an EC tmp key.
619 */
620
621int tls1_shared_curve(SSL *s, int nmatch)
622 {
623 const unsigned char *pref, *supp;
624 size_t preflen, supplen, i, j;
625 int k;
626 /* Can't do anything on client side */
627 if (s->server == 0)
628 return -1;
629 if (nmatch == -2)
630 {
631 if (tls1_suiteb(s))
632 {
633 /* For Suite B ciphersuite determines curve: we
634 * already know these are acceptable due to previous
635 * checks.
636 */
637 unsigned long cid = s->s3->tmp.new_cipher->id;
638 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
639 return NID_X9_62_prime256v1; /* P-256 */
640 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
641 return NID_secp384r1; /* P-384 */
642 /* Should never happen */
643 return NID_undef;
644 }
645 /* If not Suite B just return first preference shared curve */
646 nmatch = 0;
647 }
648 tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
649 &supp, &supplen);
650 tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
651 &pref, &preflen);
652 preflen /= 2;
653 supplen /= 2;
654 k = 0;
655 for (i = 0; i < preflen; i++, pref+=2)
656 {
657 const unsigned char *tsupp = supp;
658 for (j = 0; j < supplen; j++, tsupp+=2)
659 {
660 if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
661 {
662 if (nmatch == k)
663 {
664 int id = (pref[0] << 8) | pref[1];
665 return tls1_ec_curve_id2nid(id);
666 }
667 k++;
668 }
669 }
670 }
671 if (nmatch == -1)
672 return k;
673 return 0;
674 }
675
676int tls1_set_curves(unsigned char **pext, size_t *pextlen,
677 int *curves, size_t ncurves)
678 {
679 unsigned char *clist, *p;
680 size_t i;
681 /* Bitmap of curves included to detect duplicates: only works
682 * while curve ids < 32
683 */
684 unsigned long dup_list = 0;
685 clist = OPENSSL_malloc(ncurves * 2);
686 if (!clist)
687 return 0;
688 for (i = 0, p = clist; i < ncurves; i++)
689 {
690 unsigned long idmask;
691 int id;
692 id = tls1_ec_nid2curve_id(curves[i]);
693 idmask = 1L << id;
694 if (!id || (dup_list & idmask))
695 {
696 OPENSSL_free(clist);
697 return 0;
698 }
699 dup_list |= idmask;
700 s2n(id, p);
701 }
702 if (*pext)
703 OPENSSL_free(*pext);
704 *pext = clist;
705 *pextlen = ncurves * 2;
706 return 1;
707 }
708
709/* TODO(fork): remove */
710#if 0
711#define MAX_CURVELIST 28
712
713typedef struct
714 {
715 size_t nidcnt;
716 int nid_arr[MAX_CURVELIST];
717 } nid_cb_st;
718
719static int nid_cb(const char *elem, int len, void *arg)
720 {
721 nid_cb_st *narg = arg;
722 size_t i;
723 int nid;
724 char etmp[20];
725 if (narg->nidcnt == MAX_CURVELIST)
726 return 0;
727 if (len > (int)(sizeof(etmp) - 1))
728 return 0;
729 memcpy(etmp, elem, len);
730 etmp[len] = 0;
731 nid = EC_curve_nist2nid(etmp);
732 if (nid == NID_undef)
733 nid = OBJ_sn2nid(etmp);
734 if (nid == NID_undef)
735 nid = OBJ_ln2nid(etmp);
736 if (nid == NID_undef)
737 return 0;
738 for (i = 0; i < narg->nidcnt; i++)
739 if (narg->nid_arr[i] == nid)
740 return 0;
741 narg->nid_arr[narg->nidcnt++] = nid;
742 return 1;
743 }
744/* Set curves based on a colon separate list */
745int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
746 const char *str)
747 {
748 nid_cb_st ncb;
749 ncb.nidcnt = 0;
750 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
751 return 0;
752 if (pext == NULL)
753 return 1;
754 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
755 }
756#endif
757
758/* For an EC key set TLS id and required compression based on parameters */
759static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
760 EC_KEY *ec)
761 {
762 int is_prime = 1, id;
763 const EC_GROUP *grp;
764 if (!ec)
765 return 0;
766
767 /* TODO(fork): remove. All curves are prime now. */
768 grp = EC_KEY_get0_group(ec);
769 if (!grp)
770 return 0;
771#if 0
772 /* Determine if it is a prime field */
773 meth = EC_GROUP_method_of(grp);
774 if (!meth)
775 return 0;
776 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
777 is_prime = 1;
778 else
779 is_prime = 0;
780#endif
781
782 /* Determine curve ID */
783 id = EC_GROUP_get_curve_name(grp);
784 id = tls1_ec_nid2curve_id(id);
785 /* If we have an ID set it, otherwise set arbitrary explicit curve */
786 if (id)
787 {
788 curve_id[0] = 0;
789 curve_id[1] = (unsigned char)id;
790 }
791 else
792 {
793 curve_id[0] = 0xff;
794 if (is_prime)
795 curve_id[1] = 0x01;
796 else
797 curve_id[1] = 0x02;
798 }
799 if (comp_id)
800 {
801 if (EC_KEY_get0_public_key(ec) == NULL)
802 return 0;
803 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
804 {
805 if (is_prime)
806 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
807 else
808 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
809 }
810 else
811 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
812 }
813 return 1;
814 }
815/* Check an EC key is compatible with extensions */
816static int tls1_check_ec_key(SSL *s,
817 unsigned char *curve_id, unsigned char *comp_id)
818 {
819 const unsigned char *p;
820 size_t plen, i;
821 int j;
822 /* If point formats extension present check it, otherwise everything
823 * is supported (see RFC4492).
824 */
825 if (comp_id && s->session->tlsext_ecpointformatlist)
826 {
827 p = s->session->tlsext_ecpointformatlist;
828 plen = s->session->tlsext_ecpointformatlist_length;
829 for (i = 0; i < plen; i++, p++)
830 {
831 if (*comp_id == *p)
832 break;
833 }
834 if (i == plen)
835 return 0;
836 }
837 if (!curve_id)
838 return 1;
839 /* Check curve is consistent with client and server preferences */
840 for (j = 0; j <= 1; j++)
841 {
842 tls1_get_curvelist(s, j, &p, &plen);
843 for (i = 0; i < plen; i+=2, p+=2)
844 {
845 if (p[0] == curve_id[0] && p[1] == curve_id[1])
846 break;
847 }
848 if (i == plen)
849 return 0;
850 /* For clients can only check sent curve list */
851 if (!s->server)
852 return 1;
853 }
854 return 1;
855 }
856
857static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
858 size_t *pformatslen)
859 {
860 /* If we have a custom point format list use it otherwise
861 * use default */
862 if (s->tlsext_ecpointformatlist)
863 {
864 *pformats = s->tlsext_ecpointformatlist;
865 *pformatslen = s->tlsext_ecpointformatlist_length;
866 }
867 else
868 {
869 *pformats = ecformats_default;
870 /* For Suite B we don't support char2 fields */
871 if (tls1_suiteb(s))
872 *pformatslen = sizeof(ecformats_default) - 1;
873 else
874 *pformatslen = sizeof(ecformats_default);
875 }
876 }
877
878/* Check cert parameters compatible with extensions: currently just checks
879 * EC certificates have compatible curves and compression.
880 */
881static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
882 {
883 unsigned char comp_id, curve_id[2];
884 EVP_PKEY *pkey;
885 int rv;
886 pkey = X509_get_pubkey(x);
887 if (!pkey)
888 return 0;
889 /* If not EC nothing to do */
890 if (pkey->type != EVP_PKEY_EC)
891 {
892 EVP_PKEY_free(pkey);
893 return 1;
894 }
895 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
896 EVP_PKEY_free(pkey);
897 if (!rv)
898 return 0;
899 /* Can't check curve_id for client certs as we don't have a
900 * supported curves extension.
901 */
902 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
903 if (!rv)
904 return 0;
905 /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
906 * SHA384+P-384, adjust digest if necessary.
907 */
908 if (set_ee_md && tls1_suiteb(s))
909 {
910 int check_md;
911 size_t i;
912 CERT *c = s->cert;
913 if (curve_id[0])
914 return 0;
915 /* Check to see we have necessary signing algorithm */
916 if (curve_id[1] == TLSEXT_curve_P_256)
917 check_md = NID_ecdsa_with_SHA256;
918 else if (curve_id[1] == TLSEXT_curve_P_384)
919 check_md = NID_ecdsa_with_SHA384;
920 else
921 return 0; /* Should never happen */
922 for (i = 0; i < c->shared_sigalgslen; i++)
923 if (check_md == c->shared_sigalgs[i].signandhash_nid)
924 break;
925 if (i == c->shared_sigalgslen)
926 return 0;
927 if (set_ee_md == 2)
928 {
929 if (check_md == NID_ecdsa_with_SHA256)
930 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
931 else
932 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
933 }
934 }
935 return rv;
936 }
937/* Check EC temporary key is compatible with client extensions */
938int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
939 {
940 unsigned char curve_id[2];
941 EC_KEY *ec = s->cert->ecdh_tmp;
942#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
943 /* Allow any curve: not just those peer supports */
944 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
945 return 1;
946#endif
947 /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
948 * no other curves permitted.
949 */
950 if (tls1_suiteb(s))
951 {
952 /* Curve to check determined by ciphersuite */
953 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
954 curve_id[1] = TLSEXT_curve_P_256;
955 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
956 curve_id[1] = TLSEXT_curve_P_384;
957 else
958 return 0;
959 curve_id[0] = 0;
960 /* Check this curve is acceptable */
961 if (!tls1_check_ec_key(s, curve_id, NULL))
962 return 0;
963 /* If auto or setting curve from callback assume OK */
964 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
965 return 1;
966 /* Otherwise check curve is acceptable */
967 else
968 {
969 unsigned char curve_tmp[2];
970 if (!ec)
971 return 0;
972 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
973 return 0;
974 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
975 return 1;
976 return 0;
977 }
978
979 }
980 if (s->cert->ecdh_tmp_auto)
981 {
982 /* Need a shared curve */
983 if (tls1_shared_curve(s, 0))
984 return 1;
985 else return 0;
986 }
987 if (!ec)
988 {
989 if (s->cert->ecdh_tmp_cb)
990 return 1;
991 else
992 return 0;
993 }
994 if (!tls1_set_ec_id(curve_id, NULL, ec))
995 return 0;
996/* Set this to allow use of invalid curves for testing */
997#if 0
998 return 1;
999#else
1000 return tls1_check_ec_key(s, curve_id, NULL);
1001#endif
1002 }
1003
1004#else
1005
1006static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
1007 {
1008 return 1;
1009 }
1010
1011#endif /* OPENSSL_NO_EC */
1012
1013#ifndef OPENSSL_NO_TLSEXT
1014
1015/* List of supported signature algorithms and hashes. Should make this
1016 * customisable at some point, for now include everything we support.
1017 */
1018
1019#ifdef OPENSSL_NO_RSA
1020#define tlsext_sigalg_rsa(md) /* */
1021#else
1022#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
1023#endif
1024
1025#ifdef OPENSSL_NO_DSA
1026#define tlsext_sigalg_dsa(md) /* */
1027#else
1028#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
1029#endif
1030
1031#ifdef OPENSSL_NO_ECDSA
1032#define tlsext_sigalg_ecdsa(md) /* */
1033#else
1034#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
1035#endif
1036
1037#define tlsext_sigalg(md) \
1038 tlsext_sigalg_rsa(md) \
1039 tlsext_sigalg_dsa(md) \
1040 tlsext_sigalg_ecdsa(md)
1041
1042static unsigned char tls12_sigalgs[] = {
1043#ifndef OPENSSL_NO_SHA512
1044 tlsext_sigalg(TLSEXT_hash_sha512)
1045 tlsext_sigalg(TLSEXT_hash_sha384)
1046#endif
1047#ifndef OPENSSL_NO_SHA256
1048 tlsext_sigalg(TLSEXT_hash_sha256)
1049 tlsext_sigalg(TLSEXT_hash_sha224)
1050#endif
1051#ifndef OPENSSL_NO_SHA
1052 tlsext_sigalg(TLSEXT_hash_sha1)
1053#endif
1054};
1055#ifndef OPENSSL_NO_ECDSA
1056static unsigned char suiteb_sigalgs[] = {
1057 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
1058 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
1059};
1060#endif
1061size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
1062 {
1063 /* If Suite B mode use Suite B sigalgs only, ignore any other
1064 * preferences.
1065 */
1066#ifndef OPENSSL_NO_EC
1067 switch (tls1_suiteb(s))
1068 {
1069 case SSL_CERT_FLAG_SUITEB_128_LOS:
1070 *psigs = suiteb_sigalgs;
1071 return sizeof(suiteb_sigalgs);
1072
1073 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
1074 *psigs = suiteb_sigalgs;
1075 return 2;
1076
1077 case SSL_CERT_FLAG_SUITEB_192_LOS:
1078 *psigs = suiteb_sigalgs + 2;
1079 return 2;
1080 }
1081#endif
1082 /* If server use client authentication sigalgs if not NULL */
1083 if (s->server && s->cert->client_sigalgs)
1084 {
1085 *psigs = s->cert->client_sigalgs;
1086 return s->cert->client_sigalgslen;
1087 }
1088 else if (s->cert->conf_sigalgs)
1089 {
1090 *psigs = s->cert->conf_sigalgs;
1091 return s->cert->conf_sigalgslen;
1092 }
1093 else
1094 {
1095 *psigs = tls12_sigalgs;
1096 return sizeof(tls12_sigalgs);
1097 }
1098 }
1099/* Check signature algorithm is consistent with sent supported signature
1100 * algorithms and if so return relevant digest.
1101 */
1102int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
1103 const unsigned char *sig, EVP_PKEY *pkey)
1104 {
1105 const unsigned char *sent_sigs;
1106 size_t sent_sigslen, i;
1107 int sigalg = tls12_get_sigid(pkey);
1108 /* Should never happen */
1109 if (sigalg == -1)
1110 return -1;
1111 /* Check key type is consistent with signature */
1112 if (sigalg != (int)sig[1])
1113 {
1114 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
1115 return 0;
1116 }
1117#ifndef OPENSSL_NO_EC
1118 if (pkey->type == EVP_PKEY_EC)
1119 {
1120 unsigned char curve_id[2], comp_id;
1121 /* Check compression and curve matches extensions */
1122 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
1123 return 0;
1124 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
1125 {
1126 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_CURVE);
1127 return 0;
1128 }
1129 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1130 if (tls1_suiteb(s))
1131 {
1132 if (curve_id[0])
1133 return 0;
1134 if (curve_id[1] == TLSEXT_curve_P_256)
1135 {
1136 if (sig[0] != TLSEXT_hash_sha256)
1137 {
1138 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
1139 return 0;
1140 }
1141 }
1142 else if (curve_id[1] == TLSEXT_curve_P_384)
1143 {
1144 if (sig[0] != TLSEXT_hash_sha384)
1145 {
1146 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
1147 return 0;
1148 }
1149 }
1150 else
1151 return 0;
1152 }
1153 }
1154 else if (tls1_suiteb(s))
1155 return 0;
1156#endif
1157
1158 /* Check signature matches a type we sent */
1159 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1160 for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
1161 {
1162 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1163 break;
1164 }
1165 /* Allow fallback to SHA1 if not strict mode */
1166 if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
1167 {
1168 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
1169 return 0;
1170 }
1171 *pmd = tls12_get_hash(sig[0]);
1172 if (*pmd == NULL)
1173 {
1174 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_UNKNOWN_DIGEST);
1175 return 0;
1176 }
1177 /* Store the digest used so applications can retrieve it if they
1178 * wish.
1179 */
1180 if (s->session && s->session->sess_cert)
1181 s->session->sess_cert->peer_key->digest = *pmd;
1182 return 1;
1183 }
1184/* Get a mask of disabled algorithms: an algorithm is disabled
1185 * if it isn't supported or doesn't appear in supported signature
1186 * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1187 * session and not global settings.
1188 *
1189 */
1190void ssl_set_client_disabled(SSL *s)
1191 {
1192 CERT *c = s->cert;
1193 const unsigned char *sigalgs;
1194 size_t i, sigalgslen;
1195 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1196 c->mask_a = 0;
1197 c->mask_k = 0;
1198 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1199 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1200 c->mask_ssl = SSL_TLSV1_2;
1201 else
1202 c->mask_ssl = 0;
1203 /* Now go through all signature algorithms seeing if we support
1204 * any for RSA, DSA, ECDSA. Do this for all versions not just
1205 * TLS 1.2.
1206 */
1207 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1208 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
1209 {
1210 switch(sigalgs[1])
1211 {
1212#ifndef OPENSSL_NO_RSA
1213 case TLSEXT_signature_rsa:
1214 have_rsa = 1;
1215 break;
1216#endif
1217#ifndef OPENSSL_NO_DSA
1218 case TLSEXT_signature_dsa:
1219 have_dsa = 1;
1220 break;
1221#endif
1222#ifndef OPENSSL_NO_ECDSA
1223 case TLSEXT_signature_ecdsa:
1224 have_ecdsa = 1;
1225 break;
1226#endif
1227 }
1228 }
1229 /* Disable auth and static DH if we don't include any appropriate
1230 * signature algorithms.
1231 */
1232 if (!have_rsa)
1233 {
1234 c->mask_a |= SSL_aRSA;
1235 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1236 }
1237 if (!have_dsa)
1238 {
1239 c->mask_a |= SSL_aDSS;
1240 c->mask_k |= SSL_kDHd;
1241 }
1242 if (!have_ecdsa)
1243 {
1244 c->mask_a |= SSL_aECDSA;
1245 c->mask_k |= SSL_kECDHe;
1246 }
1247#ifndef OPENSSL_NO_PSK
1248 /* with PSK there must be client callback set */
1249 if (!s->psk_client_callback)
1250 {
1251 c->mask_a |= SSL_aPSK;
1252 c->mask_k |= SSL_kPSK;
1253 }
1254#endif /* OPENSSL_NO_PSK */
1255 c->valid = 1;
1256 }
1257
1258/* byte_compare is a compare function for qsort(3) that compares bytes. */
1259static int byte_compare(const void *in_a, const void *in_b)
1260 {
1261 unsigned char a = *((const unsigned char*) in_a);
1262 unsigned char b = *((const unsigned char*) in_b);
1263
1264 if (a > b)
1265 return 1;
1266 else if (a < b)
1267 return -1;
1268 return 0;
1269}
1270
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1271/* header_len is the length of the ClientHello header written so far, used to
1272 * compute padding. It does not include the record header. Pass 0 if no padding
1273 * is to be done. */
1274unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, size_t header_len)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1275 {
1276 int extdatalen=0;
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1277 unsigned char *ret = buf;
1278 unsigned char *orig = buf;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1279#ifndef OPENSSL_NO_EC
1280 /* See if we support any ECC ciphersuites */
1281 int using_ecc = 0;
1282 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1283 {
1284 int i;
1285 unsigned long alg_k, alg_a;
1286 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1287
1288 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1289 {
1290 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1291
1292 alg_k = c->algorithm_mkey;
1293 alg_a = c->algorithm_auth;
1294 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
1295 || (alg_a & SSL_aECDSA)))
1296 {
1297 using_ecc = 1;
1298 break;
1299 }
1300 }
1301 }
1302#endif
1303
1304 /* don't add extensions for SSLv3 unless doing secure renegotiation */
1305 if (s->client_version == SSL3_VERSION
1306 && !s->s3->send_connection_binding)
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1307 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1308
1309 ret+=2;
1310
1311 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1312
1313 if (s->tlsext_hostname != NULL)
1314 {
1315 /* Add TLS extension servername to the Client Hello message */
1316 unsigned long size_str;
1317 long lenmax;
1318
1319 /* check for enough space.
1320 4 for the servername type and entension length
1321 2 for servernamelist length
1322 1 for the hostname type
1323 2 for hostname length
1324 + hostname length
1325 */
1326
1327 if ((lenmax = limit - ret - 9) < 0
1328 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1329 return NULL;
1330
1331 /* extension type and length */
1332 s2n(TLSEXT_TYPE_server_name,ret);
1333 s2n(size_str+5,ret);
1334
1335 /* length of servername list */
1336 s2n(size_str+3,ret);
1337
1338 /* hostname type, length and hostname */
1339 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1340 s2n(size_str,ret);
1341 memcpy(ret, s->tlsext_hostname, size_str);
1342 ret+=size_str;
1343 }
1344
1345 /* Add RI if renegotiating */
1346 if (s->renegotiate)
1347 {
1348 int el;
1349
1350 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1351 {
1352 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1353 return NULL;
1354 }
1355
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1356 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1357
1358 s2n(TLSEXT_TYPE_renegotiate,ret);
1359 s2n(el,ret);
1360
1361 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1362 {
1363 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1364 return NULL;
1365 }
1366
1367 ret += el;
1368 }
1369
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1370 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
1371 {
1372 int ticklen;
1373 if (!s->new_session && s->session && s->session->tlsext_tick)
1374 ticklen = s->session->tlsext_ticklen;
1375 else if (s->session && s->tlsext_session_ticket &&
1376 s->tlsext_session_ticket->data)
1377 {
1378 ticklen = s->tlsext_session_ticket->length;
1379 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1380 if (!s->session->tlsext_tick)
1381 return NULL;
1382 memcpy(s->session->tlsext_tick,
1383 s->tlsext_session_ticket->data,
1384 ticklen);
1385 s->session->tlsext_ticklen = ticklen;
1386 }
1387 else
1388 ticklen = 0;
1389 if (ticklen == 0 && s->tlsext_session_ticket &&
1390 s->tlsext_session_ticket->data == NULL)
1391 goto skip_ext;
1392 /* Check for enough room 2 for extension type, 2 for len
1393 * rest for ticket
1394 */
1395 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1396 s2n(TLSEXT_TYPE_session_ticket,ret);
1397 s2n(ticklen,ret);
1398 if (ticklen)
1399 {
1400 memcpy(ret, s->session->tlsext_tick, ticklen);
1401 ret += ticklen;
1402 }
1403 }
1404 skip_ext:
1405
1406 if (SSL_USE_SIGALGS(s))
1407 {
1408 size_t salglen;
1409 const unsigned char *salg;
1410 salglen = tls12_get_psigalgs(s, &salg);
1411 if ((size_t)(limit - ret) < salglen + 6)
1412 return NULL;
1413 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1414 s2n(salglen + 2, ret);
1415 s2n(salglen, ret);
1416 memcpy(ret, salg, salglen);
1417 ret += salglen;
1418 }
1419
1420#ifdef TLSEXT_TYPE_opaque_prf_input
1421 if (s->s3->client_opaque_prf_input != NULL)
1422 {
1423 size_t col = s->s3->client_opaque_prf_input_len;
1424
1425 if ((long)(limit - ret - 6 - col < 0))
1426 return NULL;
1427 if (col > 0xFFFD) /* can't happen */
1428 return NULL;
1429
1430 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1431 s2n(col + 2, ret);
1432 s2n(col, ret);
1433 memcpy(ret, s->s3->client_opaque_prf_input, col);
1434 ret += col;
1435 }
1436#endif
1437
1438 /* TODO(fork): we probably want OCSP stapling, but it currently pulls in a lot of code. */
1439#if 0
1440 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1441 {
1442 int i;
1443 long extlen, idlen, itmp;
1444 OCSP_RESPID *id;
1445
1446 idlen = 0;
1447 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1448 {
1449 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1450 itmp = i2d_OCSP_RESPID(id, NULL);
1451 if (itmp <= 0)
1452 return NULL;
1453 idlen += itmp + 2;
1454 }
1455
1456 if (s->tlsext_ocsp_exts)
1457 {
1458 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1459 if (extlen < 0)
1460 return NULL;
1461 }
1462 else
1463 extlen = 0;
1464
1465 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1466 s2n(TLSEXT_TYPE_status_request, ret);
1467 if (extlen + idlen > 0xFFF0)
1468 return NULL;
1469 s2n(extlen + idlen + 5, ret);
1470 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1471 s2n(idlen, ret);
1472 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1473 {
1474 /* save position of id len */
1475 unsigned char *q = ret;
1476 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1477 /* skip over id len */
1478 ret += 2;
1479 itmp = i2d_OCSP_RESPID(id, &ret);
1480 /* write id len */
1481 s2n(itmp, q);
1482 }
1483 s2n(extlen, ret);
1484 if (extlen > 0)
1485 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1486 }
1487#endif
1488
1489#ifndef OPENSSL_NO_HEARTBEATS
1490 /* Add Heartbeat extension */
Adam Langleyb7bf53c2014-06-20 12:00:00 -0700[diff] [blame^]1491 if ((limit - ret - 4 - 1) < 0)
1492 return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1493 s2n(TLSEXT_TYPE_heartbeat,ret);
1494 s2n(1,ret);
1495 /* Set mode:
1496 * 1: peer may send requests
1497 * 2: peer not allowed to send requests
1498 */
1499 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1500 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1501 else
1502 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1503#endif
1504
1505#ifndef OPENSSL_NO_NEXTPROTONEG
1506 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1507 {
1508 /* The client advertises an emtpy extension to indicate its
1509 * support for Next Protocol Negotiation */
1510 if (limit - ret - 4 < 0)
1511 return NULL;
1512 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1513 s2n(0,ret);
1514 }
1515#endif
1516
1517 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1518 {
1519 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1520 return NULL;
1521 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1522 s2n(2 + s->alpn_client_proto_list_len,ret);
1523 s2n(s->alpn_client_proto_list_len,ret);
1524 memcpy(ret, s->alpn_client_proto_list,
1525 s->alpn_client_proto_list_len);
1526 ret += s->alpn_client_proto_list_len;
1527 }
1528
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]1529 if (s->tlsext_channel_id_enabled)
1530 {
1531 /* The client advertises an emtpy extension to indicate its
1532 * support for Channel ID. */
1533 if (limit - ret - 4 < 0)
1534 return NULL;
1535 if (s->ctx->tlsext_channel_id_enabled_new)
1536 s2n(TLSEXT_TYPE_channel_id_new,ret);
1537 else
1538 s2n(TLSEXT_TYPE_channel_id,ret);
1539 s2n(0,ret);
1540 }
1541
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1542 if(SSL_get_srtp_profiles(s))
1543 {
1544 int el;
1545
1546 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1547
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1548 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1549
1550 s2n(TLSEXT_TYPE_use_srtp,ret);
1551 s2n(el,ret);
1552
1553 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1554 {
1555 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1556 return NULL;
1557 }
1558 ret += el;
1559 }
1560
1561 /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1562 /* 2 bytes for extension type */
1563 /* 2 bytes for extension length */
1564 /* 1 byte for the list length */
1565 /* 1 byte for the list (we only support audit proofs) */
1566 if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1567 {
1568 const unsigned short ext_len = 2;
1569 const unsigned char list_len = 1;
1570
1571 if (limit < ret + 6)
1572 return NULL;
1573
1574 s2n(TLSEXT_TYPE_server_authz, ret);
1575 /* Extension length: 2 bytes */
1576 s2n(ext_len, ret);
1577 *(ret++) = list_len;
1578 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1579 }
1580
1581 /* Add custom TLS Extensions to ClientHello */
1582 if (s->ctx->custom_cli_ext_records_count)
1583 {
1584 size_t i;
1585 custom_cli_ext_record* record;
1586
1587 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
1588 {
1589 const unsigned char* out = NULL;
1590 unsigned short outlen = 0;
1591
1592 record = &s->ctx->custom_cli_ext_records[i];
1593 /* NULL callback sends empty extension */
1594 /* -1 from callback omits extension */
1595 if (record->fn1)
1596 {
1597 int cb_retval = 0;
1598 cb_retval = record->fn1(s, record->ext_type,
1599 &out, &outlen,
1600 record->arg);
1601 if (cb_retval == 0)
1602 return NULL; /* error */
1603 if (cb_retval == -1)
1604 continue; /* skip this extension */
1605 }
1606 if (limit < ret + 4 + outlen)
1607 return NULL;
1608 s2n(record->ext_type, ret);
1609 s2n(outlen, ret);
1610 memcpy(ret, out, outlen);
1611 ret += outlen;
1612 }
1613 }
1614
Adam Langleyc3174b72014-06-20 12:00:00 -0700[diff] [blame]1615#ifndef OPENSSL_NO_EC
1616 if (using_ecc)
1617 {
1618 /* Add TLS extension ECPointFormats to the ClientHello message */
1619 long lenmax;
1620 const unsigned char *plist;
1621 size_t plistlen;
1622
1623 tls1_get_formatlist(s, &plist, &plistlen);
1624
1625 if ((lenmax = limit - ret - 5) < 0) return NULL;
1626 if (plistlen > (size_t)lenmax) return NULL;
1627 if (plistlen > 255)
1628 {
1629 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1630 return NULL;
1631 }
1632
1633 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1634 s2n(plistlen + 1,ret);
1635 *(ret++) = (unsigned char)plistlen ;
1636 memcpy(ret, plist, plistlen);
1637 ret+=plistlen;
1638
1639 /* Add TLS extension EllipticCurves to the ClientHello message */
1640 plist = s->tlsext_ellipticcurvelist;
1641 tls1_get_curvelist(s, 0, &plist, &plistlen);
1642
1643 if ((lenmax = limit - ret - 6) < 0) return NULL;
1644 if (plistlen > (size_t)lenmax) return NULL;
1645 if (plistlen > 65532)
1646 {
1647 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1648 return NULL;
1649 }
1650
1651 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1652 s2n(plistlen + 2, ret);
1653
1654 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1655 * elliptic_curve_list, but the examples use two bytes.
1656 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1657 * resolves this to two bytes.
1658 */
1659 s2n(plistlen, ret);
1660 memcpy(ret, plist, plistlen);
1661 ret+=plistlen;
1662 }
1663#endif /* OPENSSL_NO_EC */
1664
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1665#ifdef TLSEXT_TYPE_padding
1666 /* Add padding to workaround bugs in F5 terminators.
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1667 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1668 *
1669 * NB: because this code works out the length of all existing
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1670 * extensions it MUST always appear last. */
1671 if (header_len > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1672 {
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1673 header_len += ret - orig;
1674 if (header_len > 0xff && header_len < 0x200)
1675 {
1676 size_t padding_len = 0x200 - header_len;
Adam Langleyc3174b72014-06-20 12:00:00 -0700[diff] [blame]1677 /* Extensions take at least four bytes to encode. Always
1678 * include least one byte of data if including the
1679 * extension. WebSphere Application Server 7.0 is
1680 * intolerant to the last extension being zero-length. */
1681 if (padding_len >= 4 + 1)
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1682 padding_len -= 4;
1683 else
Adam Langleyc3174b72014-06-20 12:00:00 -0700[diff] [blame]1684 padding_len = 1;
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1685 if (limit - ret - 4 - (long)padding_len < 0)
1686 return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1687
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1688 s2n(TLSEXT_TYPE_padding, ret);
1689 s2n(padding_len, ret);
1690 memset(ret, 0, padding_len);
1691 ret += padding_len;
1692 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1693 }
1694#endif
1695
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1696 if ((extdatalen = ret-orig-2)== 0)
1697 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1698
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1699 s2n(extdatalen, orig);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1700 return ret;
1701 }
1702
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1703unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1704 {
1705 int extdatalen=0;
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1706 unsigned char *orig = buf;
1707 unsigned char *ret = buf;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1708#ifndef OPENSSL_NO_NEXTPROTONEG
1709 int next_proto_neg_seen;
1710#endif
1711#ifndef OPENSSL_NO_EC
1712 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1713 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1714 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1715 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1716#endif
1717 /* don't add extensions for SSLv3, unless doing secure renegotiation */
1718 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1719 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1720
1721 ret+=2;
1722 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1723
1724 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1725 {
1726 if ((long)(limit - ret - 4) < 0) return NULL;
1727
1728 s2n(TLSEXT_TYPE_server_name,ret);
1729 s2n(0,ret);
1730 }
1731
1732 if(s->s3->send_connection_binding)
1733 {
1734 int el;
1735
1736 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1737 {
1738 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1739 return NULL;
1740 }
1741
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1742 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1743
1744 s2n(TLSEXT_TYPE_renegotiate,ret);
1745 s2n(el,ret);
1746
1747 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1748 {
1749 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1750 return NULL;
1751 }
1752
1753 ret += el;
1754 }
1755
1756#ifndef OPENSSL_NO_EC
1757 if (using_ecc)
1758 {
1759 const unsigned char *plist;
1760 size_t plistlen;
1761 /* Add TLS extension ECPointFormats to the ServerHello message */
1762 long lenmax;
1763
1764 tls1_get_formatlist(s, &plist, &plistlen);
1765
1766 if ((lenmax = limit - ret - 5) < 0) return NULL;
1767 if (plistlen > (size_t)lenmax) return NULL;
1768 if (plistlen > 255)
1769 {
1770 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1771 return NULL;
1772 }
1773
1774 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1775 s2n(plistlen + 1,ret);
1776 *(ret++) = (unsigned char) plistlen;
1777 memcpy(ret, plist, plistlen);
1778 ret+=plistlen;
1779
1780 }
1781 /* Currently the server should not respond with a SupportedCurves extension */
1782#endif /* OPENSSL_NO_EC */
1783
1784 if (s->tlsext_ticket_expected
1785 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
1786 {
1787 if ((long)(limit - ret - 4) < 0) return NULL;
1788 s2n(TLSEXT_TYPE_session_ticket,ret);
1789 s2n(0,ret);
1790 }
1791
1792 if (s->tlsext_status_expected)
1793 {
1794 if ((long)(limit - ret - 4) < 0) return NULL;
1795 s2n(TLSEXT_TYPE_status_request,ret);
1796 s2n(0,ret);
1797 }
1798
1799#ifdef TLSEXT_TYPE_opaque_prf_input
1800 if (s->s3->server_opaque_prf_input != NULL)
1801 {
1802 size_t sol = s->s3->server_opaque_prf_input_len;
1803
1804 if ((long)(limit - ret - 6 - sol) < 0)
1805 return NULL;
1806 if (sol > 0xFFFD) /* can't happen */
1807 return NULL;
1808
1809 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1810 s2n(sol + 2, ret);
1811 s2n(sol, ret);
1812 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1813 ret += sol;
1814 }
1815#endif
1816
1817 if(s->srtp_profile)
1818 {
1819 int el;
1820
1821 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1822
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1823 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1824
1825 s2n(TLSEXT_TYPE_use_srtp,ret);
1826 s2n(el,ret);
1827
1828 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1829 {
1830 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1831 return NULL;
1832 }
1833 ret+=el;
1834 }
1835
1836 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
1837 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1838 { const unsigned char cryptopro_ext[36] = {
1839 0xfd, 0xe8, /*65000*/
1840 0x00, 0x20, /*32 bytes length*/
1841 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1842 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1843 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1844 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1845 if (limit-ret<36) return NULL;
1846 memcpy(ret,cryptopro_ext,36);
1847 ret+=36;
1848
1849 }
1850
1851#ifndef OPENSSL_NO_HEARTBEATS
1852 /* Add Heartbeat extension if we've received one */
1853 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1854 {
Adam Langleyb7bf53c2014-06-20 12:00:00 -0700[diff] [blame^]1855 if ((limit - ret - 4 - 1) < 0)
1856 return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1857 s2n(TLSEXT_TYPE_heartbeat,ret);
1858 s2n(1,ret);
1859 /* Set mode:
1860 * 1: peer may send requests
1861 * 2: peer not allowed to send requests
1862 */
1863 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1864 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1865 else
1866 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1867
1868 }
1869#endif
1870
1871#ifndef OPENSSL_NO_NEXTPROTONEG
1872 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1873 s->s3->next_proto_neg_seen = 0;
1874 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1875 {
1876 const unsigned char *npa;
1877 unsigned int npalen;
1878 int r;
1879
1880 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1881 if (r == SSL_TLSEXT_ERR_OK)
1882 {
1883 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1884 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1885 s2n(npalen,ret);
1886 memcpy(ret, npa, npalen);
1887 ret += npalen;
1888 s->s3->next_proto_neg_seen = 1;
1889 }
1890 }
1891#endif
1892
1893 /* If the client supports authz then see whether we have any to offer
1894 * to it. */
1895 if (s->s3->tlsext_authz_client_types_len)
1896 {
1897 size_t authz_length;
1898 /* By now we already know the new cipher, so we can look ahead
1899 * to see whether the cert we are going to send
1900 * has any authz data attached to it. */
1901 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1902 const unsigned char* const orig_authz = authz;
1903 size_t i;
1904 unsigned authz_count = 0;
1905
1906 /* The authz data contains a number of the following structures:
1907 * uint8_t authz_type
1908 * uint16_t length
1909 * uint8_t data[length]
1910 *
1911 * First we walk over it to find the number of authz elements. */
1912 for (i = 0; i < authz_length; i++)
1913 {
1914 unsigned short length;
1915 unsigned char type;
1916
1917 type = *(authz++);
1918 if (memchr(s->s3->tlsext_authz_client_types,
1919 type,
1920 s->s3->tlsext_authz_client_types_len) != NULL)
1921 authz_count++;
1922
1923 n2s(authz, length);
1924 /* n2s increments authz by 2 */
1925 i += 2;
1926 authz += length;
1927 i += length;
1928 }
1929
1930 if (authz_count)
1931 {
1932 /* Add TLS extension server_authz to the ServerHello message
1933 * 2 bytes for extension type
1934 * 2 bytes for extension length
1935 * 1 byte for the list length
1936 * n bytes for the list */
1937 const unsigned short ext_len = 1 + authz_count;
1938
1939 if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1940 s2n(TLSEXT_TYPE_server_authz, ret);
1941 s2n(ext_len, ret);
1942 *(ret++) = authz_count;
1943 s->s3->tlsext_authz_promised_to_client = 1;
1944 }
1945
1946 authz = orig_authz;
1947 for (i = 0; i < authz_length; i++)
1948 {
1949 unsigned short length;
1950 unsigned char type;
1951
1952 authz_count++;
1953 type = *(authz++);
1954 if (memchr(s->s3->tlsext_authz_client_types,
1955 type,
1956 s->s3->tlsext_authz_client_types_len) != NULL)
1957 *(ret++) = type;
1958 n2s(authz, length);
1959 /* n2s increments authz by 2 */
1960 i += 2;
1961 authz += length;
1962 i += length;
1963 }
1964 }
1965
1966 /* If custom types were sent in ClientHello, add ServerHello responses */
1967 if (s->s3->tlsext_custom_types_count)
1968 {
1969 size_t i;
1970
1971 for (i = 0; i < s->s3->tlsext_custom_types_count; i++)
1972 {
1973 size_t j;
1974 custom_srv_ext_record *record;
1975
1976 for (j = 0; j < s->ctx->custom_srv_ext_records_count; j++)
1977 {
1978 record = &s->ctx->custom_srv_ext_records[j];
1979 if (s->s3->tlsext_custom_types[i] == record->ext_type)
1980 {
1981 const unsigned char *out = NULL;
1982 unsigned short outlen = 0;
1983 int cb_retval = 0;
1984
1985 /* NULL callback or -1 omits extension */
1986 if (!record->fn2)
1987 break;
1988 cb_retval = record->fn2(s, record->ext_type,
1989 &out, &outlen,
1990 record->arg);
1991 if (cb_retval == 0)
1992 return NULL; /* error */
1993 if (cb_retval == -1)
1994 break; /* skip this extension */
1995 if (limit < ret + 4 + outlen)
1996 return NULL;
1997 s2n(record->ext_type, ret);
1998 s2n(outlen, ret);
1999 memcpy(ret, out, outlen);
2000 ret += outlen;
2001 break;
2002 }
2003 }
2004 }
2005 }
2006
2007 if (s->s3->alpn_selected)
2008 {
2009 const unsigned char *selected = s->s3->alpn_selected;
2010 unsigned len = s->s3->alpn_selected_len;
2011
2012 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
2013 return NULL;
2014 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
2015 s2n(3 + len,ret);
2016 s2n(1 + len,ret);
2017 *ret++ = len;
2018 memcpy(ret, selected, len);
2019 ret += len;
2020 }
2021
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2022 /* If the client advertised support for Channel ID, and we have it
2023 * enabled, then we want to echo it back. */
2024 if (s->s3->tlsext_channel_id_valid)
2025 {
2026 if (limit - ret - 4 < 0)
2027 return NULL;
2028 if (s->s3->tlsext_channel_id_new)
2029 s2n(TLSEXT_TYPE_channel_id_new,ret);
2030 else
2031 s2n(TLSEXT_TYPE_channel_id,ret);
2032 s2n(0,ret);
2033 }
2034
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]2035 if ((extdatalen = ret-orig-2) == 0)
2036 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2037
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]2038 s2n(extdatalen, orig);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2039 return ret;
2040 }
2041
2042#ifndef OPENSSL_NO_EC
2043/* ssl_check_for_safari attempts to fingerprint Safari using OS X
2044 * SecureTransport using the TLS extension block in |d|, of length |n|.
2045 * Safari, since 10.6, sends exactly these extensions, in this order:
2046 * SNI,
2047 * elliptic_curves
2048 * ec_point_formats
2049 *
2050 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
2051 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
2052 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
2053 * 10.8..10.8.3 (which don't work).
2054 */
2055static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
2056 unsigned short type, size;
2057 static const unsigned char kSafariExtensionsBlock[] = {
2058 0x00, 0x0a, /* elliptic_curves extension */
2059 0x00, 0x08, /* 8 bytes */
2060 0x00, 0x06, /* 6 bytes of curve ids */
2061 0x00, 0x17, /* P-256 */
2062 0x00, 0x18, /* P-384 */
2063 0x00, 0x19, /* P-521 */
2064
2065 0x00, 0x0b, /* ec_point_formats */
2066 0x00, 0x02, /* 2 bytes */
2067 0x01, /* 1 point format */
2068 0x00, /* uncompressed */
2069 };
2070
2071 /* The following is only present in TLS 1.2 */
2072 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
2073 0x00, 0x0d, /* signature_algorithms */
2074 0x00, 0x0c, /* 12 bytes */
2075 0x00, 0x0a, /* 10 bytes */
2076 0x05, 0x01, /* SHA-384/RSA */
2077 0x04, 0x01, /* SHA-256/RSA */
2078 0x02, 0x01, /* SHA-1/RSA */
2079 0x04, 0x03, /* SHA-256/ECDSA */
2080 0x02, 0x03, /* SHA-1/ECDSA */
2081 };
2082
2083 if (data >= (d+n-2))
2084 return;
2085 data += 2;
2086
2087 if (data > (d+n-4))
2088 return;
2089 n2s(data,type);
2090 n2s(data,size);
2091
2092 if (type != TLSEXT_TYPE_server_name)
2093 return;
2094
2095 if (data+size > d+n)
2096 return;
2097 data += size;
2098
2099 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
2100 {
2101 const size_t len1 = sizeof(kSafariExtensionsBlock);
2102 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
2103
2104 if (data + len1 + len2 != d+n)
2105 return;
2106 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
2107 return;
2108 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
2109 return;
2110 }
2111 else
2112 {
2113 const size_t len = sizeof(kSafariExtensionsBlock);
2114
2115 if (data + len != d+n)
2116 return;
2117 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
2118 return;
2119 }
2120
2121 s->s3->is_probably_safari = 1;
2122}
2123#endif /* !OPENSSL_NO_EC */
2124
2125/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
2126 * ClientHello.
2127 * data: the contents of the extension, not including the type and length.
2128 * data_len: the number of bytes in |data|
2129 * al: a pointer to the alert value to send in the event of a non-zero
2130 * return.
2131 *
2132 * returns: 0 on success. */
2133static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
2134 unsigned data_len, int *al)
2135 {
2136 unsigned i;
2137 unsigned proto_len;
2138 const unsigned char *selected;
2139 unsigned char selected_len;
2140 int r;
2141
2142 if (s->ctx->alpn_select_cb == NULL)
2143 return 0;
2144
2145 if (data_len < 2)
2146 goto parse_error;
2147
2148 /* data should contain a uint16 length followed by a series of 8-bit,
2149 * length-prefixed strings. */
2150 i = ((unsigned) data[0]) << 8 |
2151 ((unsigned) data[1]);
2152 data_len -= 2;
2153 data += 2;
2154 if (data_len != i)
2155 goto parse_error;
2156
2157 if (data_len < 2)
2158 goto parse_error;
2159
2160 for (i = 0; i < data_len;)
2161 {
2162 proto_len = data[i];
2163 i++;
2164
2165 if (proto_len == 0)
2166 goto parse_error;
2167
2168 if (i + proto_len < i || i + proto_len > data_len)
2169 goto parse_error;
2170
2171 i += proto_len;
2172 }
2173
2174 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
2175 s->ctx->alpn_select_cb_arg);
2176 if (r == SSL_TLSEXT_ERR_OK) {
2177 if (s->s3->alpn_selected)
2178 OPENSSL_free(s->s3->alpn_selected);
2179 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
2180 if (!s->s3->alpn_selected)
2181 {
2182 *al = SSL_AD_INTERNAL_ERROR;
2183 return -1;
2184 }
2185 memcpy(s->s3->alpn_selected, selected, selected_len);
2186 s->s3->alpn_selected_len = selected_len;
2187 }
2188 return 0;
2189
2190parse_error:
2191 *al = SSL_AD_DECODE_ERROR;
2192 return -1;
2193 }
2194
2195static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2196 {
2197 unsigned short type;
2198 unsigned short size;
2199 unsigned short len;
2200 unsigned char *data = *p;
2201 int renegotiate_seen = 0;
2202 size_t i;
2203
2204 s->servername_done = 0;
2205 s->tlsext_status_type = -1;
2206#ifndef OPENSSL_NO_NEXTPROTONEG
2207 s->s3->next_proto_neg_seen = 0;
2208#endif
2209
2210 /* Clear observed custom extensions */
2211 s->s3->tlsext_custom_types_count = 0;
2212 if (s->s3->tlsext_custom_types != NULL)
2213 {
2214 OPENSSL_free(s->s3->tlsext_custom_types);
2215 s->s3->tlsext_custom_types = NULL;
2216 }
2217
2218 if (s->s3->alpn_selected)
2219 {
2220 OPENSSL_free(s->s3->alpn_selected);
2221 s->s3->alpn_selected = NULL;
2222 }
2223
2224#ifndef OPENSSL_NO_HEARTBEATS
2225 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2226 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2227#endif
2228
2229#ifndef OPENSSL_NO_EC
2230 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
2231 ssl_check_for_safari(s, data, d, n);
2232#endif /* !OPENSSL_NO_EC */
2233
2234 /* Clear any signature algorithms extension received */
2235 if (s->cert->peer_sigalgs)
2236 {
2237 OPENSSL_free(s->cert->peer_sigalgs);
2238 s->cert->peer_sigalgs = NULL;
2239 }
2240 /* Clear any shared sigtnature algorithms */
2241 if (s->cert->shared_sigalgs)
2242 {
2243 OPENSSL_free(s->cert->shared_sigalgs);
2244 s->cert->shared_sigalgs = NULL;
2245 }
2246 /* Clear certificate digests and validity flags */
2247 for (i = 0; i < SSL_PKEY_NUM; i++)
2248 {
2249 s->cert->pkeys[i].digest = NULL;
2250 s->cert->pkeys[i].valid_flags = 0;
2251 }
2252
2253 if (data >= (d+n-2))
2254 goto ri_check;
2255 n2s(data,len);
2256
2257 if (data > (d+n-len))
2258 goto ri_check;
2259
2260 while (data <= (d+n-4))
2261 {
2262 n2s(data,type);
2263 n2s(data,size);
2264
2265 if (data+size > (d+n))
2266 goto ri_check;
2267#if 0
2268 fprintf(stderr,"Received extension type %d size %d\n",type,size);
2269#endif
2270 if (s->tlsext_debug_cb)
2271 s->tlsext_debug_cb(s, 0, type, data, size,
2272 s->tlsext_debug_arg);
2273/* The servername extension is treated as follows:
2274
2275 - Only the hostname type is supported with a maximum length of 255.
2276 - The servername is rejected if too long or if it contains zeros,
2277 in which case an fatal alert is generated.
2278 - The servername field is maintained together with the session cache.
2279 - When a session is resumed, the servername call back invoked in order
2280 to allow the application to position itself to the right context.
2281 - The servername is acknowledged if it is new for a session or when
2282 it is identical to a previously used for the same session.
2283 Applications can control the behaviour. They can at any time
2284 set a 'desirable' servername for a new SSL object. This can be the
2285 case for example with HTTPS when a Host: header field is received and
2286 a renegotiation is requested. In this case, a possible servername
2287 presented in the new client hello is only acknowledged if it matches
2288 the value of the Host: field.
2289 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2290 if they provide for changing an explicit servername context for the session,
2291 i.e. when the session has been established with a servername extension.
2292 - On session reconnect, the servername extension may be absent.
2293
2294*/
2295
2296 if (type == TLSEXT_TYPE_server_name)
2297 {
2298 unsigned char *sdata;
2299 int servname_type;
2300 int dsize;
2301
2302 if (size < 2)
2303 {
2304 *al = SSL_AD_DECODE_ERROR;
2305 return 0;
2306 }
2307 n2s(data,dsize);
2308 size -= 2;
2309 if (dsize > size )
2310 {
2311 *al = SSL_AD_DECODE_ERROR;
2312 return 0;
2313 }
2314
2315 sdata = data;
2316 while (dsize > 3)
2317 {
2318 servname_type = *(sdata++);
2319 n2s(sdata,len);
2320 dsize -= 3;
2321
2322 if (len > dsize)
2323 {
2324 *al = SSL_AD_DECODE_ERROR;
2325 return 0;
2326 }
2327 if (s->servername_done == 0)
2328 switch (servname_type)
2329 {
2330 case TLSEXT_NAMETYPE_host_name:
2331 if (!s->hit)
2332 {
2333 if(s->session->tlsext_hostname)
2334 {
2335 *al = SSL_AD_DECODE_ERROR;
2336 return 0;
2337 }
2338 if (len > TLSEXT_MAXLEN_host_name)
2339 {
2340 *al = TLS1_AD_UNRECOGNIZED_NAME;
2341 return 0;
2342 }
2343 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2344 {
2345 *al = TLS1_AD_INTERNAL_ERROR;
2346 return 0;
2347 }
2348 memcpy(s->session->tlsext_hostname, sdata, len);
2349 s->session->tlsext_hostname[len]='\0';
2350 if (strlen(s->session->tlsext_hostname) != len) {
2351 OPENSSL_free(s->session->tlsext_hostname);
2352 s->session->tlsext_hostname = NULL;
2353 *al = TLS1_AD_UNRECOGNIZED_NAME;
2354 return 0;
2355 }
2356 s->servername_done = 1;
2357
2358 }
2359 else
2360 s->servername_done = s->session->tlsext_hostname
2361 && strlen(s->session->tlsext_hostname) == len
2362 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2363
2364 break;
2365
2366 default:
2367 break;
2368 }
2369
2370 dsize -= len;
2371 }
2372 if (dsize != 0)
2373 {
2374 *al = SSL_AD_DECODE_ERROR;
2375 return 0;
2376 }
2377
2378 }
2379
2380#ifndef OPENSSL_NO_EC
2381 else if (type == TLSEXT_TYPE_ec_point_formats)
2382 {
2383 unsigned char *sdata = data;
2384 int ecpointformatlist_length = *(sdata++);
2385
2386 if (ecpointformatlist_length != size - 1 ||
2387 ecpointformatlist_length < 1)
2388 {
2389 *al = TLS1_AD_DECODE_ERROR;
2390 return 0;
2391 }
2392 if (!s->hit)
2393 {
2394 if(s->session->tlsext_ecpointformatlist)
2395 {
2396 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2397 s->session->tlsext_ecpointformatlist = NULL;
2398 }
2399 s->session->tlsext_ecpointformatlist_length = 0;
2400 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2401 {
2402 *al = TLS1_AD_INTERNAL_ERROR;
2403 return 0;
2404 }
2405 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2406 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2407 }
2408#if 0
2409 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2410 sdata = s->session->tlsext_ecpointformatlist;
2411 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2412 fprintf(stderr,"%i ",*(sdata++));
2413 fprintf(stderr,"\n");
2414#endif
2415 }
2416 else if (type == TLSEXT_TYPE_elliptic_curves)
2417 {
2418 unsigned char *sdata = data;
2419 int ellipticcurvelist_length = (*(sdata++) << 8);
2420 ellipticcurvelist_length += (*(sdata++));
2421
2422 if (ellipticcurvelist_length != size - 2 ||
2423 ellipticcurvelist_length < 1)
2424 {
2425 *al = TLS1_AD_DECODE_ERROR;
2426 return 0;
2427 }
2428 if (!s->hit)
2429 {
2430 if(s->session->tlsext_ellipticcurvelist)
2431 {
2432 *al = TLS1_AD_DECODE_ERROR;
2433 return 0;
2434 }
2435 s->session->tlsext_ellipticcurvelist_length = 0;
2436 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2437 {
2438 *al = TLS1_AD_INTERNAL_ERROR;
2439 return 0;
2440 }
2441 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2442 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2443 }
2444#if 0
2445 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2446 sdata = s->session->tlsext_ellipticcurvelist;
2447 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2448 fprintf(stderr,"%i ",*(sdata++));
2449 fprintf(stderr,"\n");
2450#endif
2451 }
2452#endif /* OPENSSL_NO_EC */
2453#ifdef TLSEXT_TYPE_opaque_prf_input
2454 else if (type == TLSEXT_TYPE_opaque_prf_input)
2455 {
2456 unsigned char *sdata = data;
2457
2458 if (size < 2)
2459 {
2460 *al = SSL_AD_DECODE_ERROR;
2461 return 0;
2462 }
2463 n2s(sdata, s->s3->client_opaque_prf_input_len);
2464 if (s->s3->client_opaque_prf_input_len != size - 2)
2465 {
2466 *al = SSL_AD_DECODE_ERROR;
2467 return 0;
2468 }
2469
2470 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2471 OPENSSL_free(s->s3->client_opaque_prf_input);
2472 if (s->s3->client_opaque_prf_input_len == 0)
2473 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2474 else
2475 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2476 if (s->s3->client_opaque_prf_input == NULL)
2477 {
2478 *al = TLS1_AD_INTERNAL_ERROR;
2479 return 0;
2480 }
2481 }
2482#endif
2483 else if (type == TLSEXT_TYPE_session_ticket)
2484 {
2485 if (s->tls_session_ticket_ext_cb &&
2486 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2487 {
2488 *al = TLS1_AD_INTERNAL_ERROR;
2489 return 0;
2490 }
2491 }
2492 else if (type == TLSEXT_TYPE_renegotiate)
2493 {
2494 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2495 return 0;
2496 renegotiate_seen = 1;
2497 }
2498 else if (type == TLSEXT_TYPE_signature_algorithms)
2499 {
2500 int dsize;
2501 if (s->cert->peer_sigalgs || size < 2)
2502 {
2503 *al = SSL_AD_DECODE_ERROR;
2504 return 0;
2505 }
2506 n2s(data,dsize);
2507 size -= 2;
2508 if (dsize != size || dsize & 1 || !dsize)
2509 {
2510 *al = SSL_AD_DECODE_ERROR;
2511 return 0;
2512 }
2513 if (!tls1_process_sigalgs(s, data, dsize))
2514 {
2515 *al = SSL_AD_DECODE_ERROR;
2516 return 0;
2517 }
2518 /* If sigalgs received and no shared algorithms fatal
2519 * error.
2520 */
2521 if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
2522 {
2523 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2524 *al = SSL_AD_ILLEGAL_PARAMETER;
2525 return 0;
2526 }
2527 }
2528
2529 /* TODO(fork): we probably want OCSP stapling support, but this pulls in a lot of code. */
2530#if 0
2531 else if (type == TLSEXT_TYPE_status_request)
2532 {
2533
2534 if (size < 5)
2535 {
2536 *al = SSL_AD_DECODE_ERROR;
2537 return 0;
2538 }
2539
2540 s->tlsext_status_type = *data++;
2541 size--;
2542 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2543 {
2544 const unsigned char *sdata;
2545 int dsize;
2546 /* Read in responder_id_list */
2547 n2s(data,dsize);
2548 size -= 2;
2549 if (dsize > size )
2550 {
2551 *al = SSL_AD_DECODE_ERROR;
2552 return 0;
2553 }
2554 while (dsize > 0)
2555 {
2556 OCSP_RESPID *id;
2557 int idsize;
2558 if (dsize < 4)
2559 {
2560 *al = SSL_AD_DECODE_ERROR;
2561 return 0;
2562 }
2563 n2s(data, idsize);
2564 dsize -= 2 + idsize;
2565 size -= 2 + idsize;
2566 if (dsize < 0)
2567 {
2568 *al = SSL_AD_DECODE_ERROR;
2569 return 0;
2570 }
2571 sdata = data;
2572 data += idsize;
2573 id = d2i_OCSP_RESPID(NULL,
2574 &sdata, idsize);
2575 if (!id)
2576 {
2577 *al = SSL_AD_DECODE_ERROR;
2578 return 0;
2579 }
2580 if (data != sdata)
2581 {
2582 OCSP_RESPID_free(id);
2583 *al = SSL_AD_DECODE_ERROR;
2584 return 0;
2585 }
2586 if (!s->tlsext_ocsp_ids
2587 && !(s->tlsext_ocsp_ids =
2588 sk_OCSP_RESPID_new_null()))
2589 {
2590 OCSP_RESPID_free(id);
2591 *al = SSL_AD_INTERNAL_ERROR;
2592 return 0;
2593 }
2594 if (!sk_OCSP_RESPID_push(
2595 s->tlsext_ocsp_ids, id))
2596 {
2597 OCSP_RESPID_free(id);
2598 *al = SSL_AD_INTERNAL_ERROR;
2599 return 0;
2600 }
2601 }
2602
2603 /* Read in request_extensions */
2604 if (size < 2)
2605 {
2606 *al = SSL_AD_DECODE_ERROR;
2607 return 0;
2608 }
2609 n2s(data,dsize);
2610 size -= 2;
2611 if (dsize != size)
2612 {
2613 *al = SSL_AD_DECODE_ERROR;
2614 return 0;
2615 }
2616 sdata = data;
2617 if (dsize > 0)
2618 {
2619 if (s->tlsext_ocsp_exts)
2620 {
2621 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2622 X509_EXTENSION_free);
2623 }
2624
2625 s->tlsext_ocsp_exts =
2626 d2i_X509_EXTENSIONS(NULL,
2627 &sdata, dsize);
2628 if (!s->tlsext_ocsp_exts
2629 || (data + dsize != sdata))
2630 {
2631 *al = SSL_AD_DECODE_ERROR;
2632 return 0;
2633 }
2634 }
2635 }
2636 /* We don't know what to do with any other type
2637 * so ignore it.
2638 */
2639 else
2640 s->tlsext_status_type = -1;
2641 }
2642#endif
2643
2644#ifndef OPENSSL_NO_HEARTBEATS
2645 else if (type == TLSEXT_TYPE_heartbeat)
2646 {
2647 switch(data[0])
2648 {
2649 case 0x01: /* Client allows us to send HB requests */
2650 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2651 break;
2652 case 0x02: /* Client doesn't accept HB requests */
2653 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2654 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2655 break;
2656 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2657 return 0;
2658 }
2659 }
2660#endif
2661#ifndef OPENSSL_NO_NEXTPROTONEG
2662 else if (type == TLSEXT_TYPE_next_proto_neg &&
2663 s->s3->tmp.finish_md_len == 0 &&
2664 s->s3->alpn_selected == NULL)
2665 {
2666 /* We shouldn't accept this extension on a
2667 * renegotiation.
2668 *
2669 * s->new_session will be set on renegotiation, but we
2670 * probably shouldn't rely that it couldn't be set on
2671 * the initial renegotation too in certain cases (when
2672 * there's some other reason to disallow resuming an
2673 * earlier session -- the current code won't be doing
2674 * anything like that, but this might change).
2675
2676 * A valid sign that there's been a previous handshake
2677 * in this connection is if s->s3->tmp.finish_md_len >
2678 * 0. (We are talking about a check that will happen
2679 * in the Hello protocol round, well before a new
2680 * Finished message could have been computed.) */
2681 s->s3->next_proto_neg_seen = 1;
2682 }
2683#endif
2684
2685 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2686 s->ctx->alpn_select_cb &&
2687 s->s3->tmp.finish_md_len == 0)
2688 {
2689 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2690 return 0;
2691#ifndef OPENSSL_NO_NEXTPROTONEG
2692 /* ALPN takes precedence over NPN. */
2693 s->s3->next_proto_neg_seen = 0;
2694#endif
2695 }
2696
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2697 else if (type == TLSEXT_TYPE_channel_id &&
2698 s->tlsext_channel_id_enabled)
2699 s->s3->tlsext_channel_id_valid = 1;
2700
2701 else if (type == TLSEXT_TYPE_channel_id_new &&
2702 s->tlsext_channel_id_enabled)
2703 {
2704 s->s3->tlsext_channel_id_valid = 1;
2705 s->s3->tlsext_channel_id_new = 1;
2706 }
2707
2708
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2709 /* session ticket processed earlier */
2710 else if (type == TLSEXT_TYPE_use_srtp)
2711 {
2712 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2713 al))
2714 return 0;
2715 }
2716
2717 else if (type == TLSEXT_TYPE_server_authz)
2718 {
2719 unsigned char *sdata = data;
2720 unsigned char server_authz_dataformatlist_length;
2721
2722 if (size == 0)
2723 {
2724 *al = TLS1_AD_DECODE_ERROR;
2725 return 0;
2726 }
2727
2728 server_authz_dataformatlist_length = *(sdata++);
2729
2730 if (server_authz_dataformatlist_length != size - 1)
2731 {
2732 *al = TLS1_AD_DECODE_ERROR;
2733 return 0;
2734 }
2735
2736 /* Successful session resumption uses the same authz
2737 * information as the original session so we ignore this
2738 * in the case of a session resumption. */
2739 if (!s->hit)
2740 {
2741 if (s->s3->tlsext_authz_client_types != NULL)
2742 OPENSSL_free(s->s3->tlsext_authz_client_types);
2743 s->s3->tlsext_authz_client_types =
2744 OPENSSL_malloc(server_authz_dataformatlist_length);
2745 if (!s->s3->tlsext_authz_client_types)
2746 {
2747 *al = TLS1_AD_INTERNAL_ERROR;
2748 return 0;
2749 }
2750
2751 s->s3->tlsext_authz_client_types_len =
2752 server_authz_dataformatlist_length;
2753 memcpy(s->s3->tlsext_authz_client_types,
2754 sdata,
2755 server_authz_dataformatlist_length);
2756
2757 /* Sort the types in order to check for duplicates. */
2758 qsort(s->s3->tlsext_authz_client_types,
2759 server_authz_dataformatlist_length,
2760 1 /* element size */,
2761 byte_compare);
2762
2763 for (i = 0; i < server_authz_dataformatlist_length; i++)
2764 {
2765 if (i > 0 &&
2766 s->s3->tlsext_authz_client_types[i] ==
2767 s->s3->tlsext_authz_client_types[i-1])
2768 {
2769 *al = TLS1_AD_DECODE_ERROR;
2770 return 0;
2771 }
2772 }
2773 }
2774 }
2775
2776 /* If this ClientHello extension was unhandled and this is
2777 * a nonresumed connection, check whether the extension is a
2778 * custom TLS Extension (has a custom_srv_ext_record), and if
2779 * so call the callback and record the extension number so that
2780 * an appropriate ServerHello may be later returned.
2781 */
2782 else if (!s->hit && s->ctx->custom_srv_ext_records_count)
2783 {
2784 custom_srv_ext_record *record;
2785
2786 for (i=0; i < s->ctx->custom_srv_ext_records_count; i++)
2787 {
2788 record = &s->ctx->custom_srv_ext_records[i];
2789 if (type == record->ext_type)
2790 {
2791 size_t j;
2792
2793 /* Error on duplicate TLS Extensions */
2794 for (j = 0; j < s->s3->tlsext_custom_types_count; j++)
2795 {
2796 if (type == s->s3->tlsext_custom_types[j])
2797 {
2798 *al = TLS1_AD_DECODE_ERROR;
2799 return 0;
2800 }
2801 }
2802
2803 /* NULL callback still notes the extension */
2804 if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
2805 return 0;
2806
2807 /* Add the (non-duplicated) entry */
2808 s->s3->tlsext_custom_types_count++;
2809 s->s3->tlsext_custom_types = OPENSSL_realloc(
2810 s->s3->tlsext_custom_types,
2811 s->s3->tlsext_custom_types_count * 2);
2812 if (s->s3->tlsext_custom_types == NULL)
2813 {
2814 s->s3->tlsext_custom_types = 0;
2815 *al = TLS1_AD_INTERNAL_ERROR;
2816 return 0;
2817 }
2818 s->s3->tlsext_custom_types[
2819 s->s3->tlsext_custom_types_count - 1] = type;
2820 }
2821 }
2822 }
2823
2824 data+=size;
2825 }
2826
2827 *p = data;
2828
2829 ri_check:
2830
2831 /* Need RI if renegotiating */
2832
2833 if (!renegotiate_seen && s->renegotiate &&
2834 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2835 {
2836 *al = SSL_AD_HANDSHAKE_FAILURE;
2837 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2838 return 0;
2839 }
2840 /* If no signature algorithms extension set default values */
2841 if (!s->cert->peer_sigalgs)
2842 ssl_cert_set_default_md(s->cert);
2843
2844 return 1;
2845 }
2846
2847int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
2848 {
2849 int al = -1;
2850 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0)
2851 {
2852 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2853 return 0;
2854 }
2855
2856 if (ssl_check_clienthello_tlsext_early(s) <= 0)
2857 {
2858 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_CLIENTHELLO_TLSEXT);
2859 return 0;
2860 }
2861 return 1;
2862}
2863
2864#ifndef OPENSSL_NO_NEXTPROTONEG
2865/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2866 * elements of zero length are allowed and the set of elements must exactly fill
2867 * the length of the block. */
2868static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2869 {
2870 unsigned int off = 0;
2871
2872 while (off < len)
2873 {
2874 if (d[off] == 0)
2875 return 0;
2876 off += d[off];
2877 off++;
2878 }
2879
2880 return off == len;
2881 }
2882#endif
2883
2884static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2885 {
2886 unsigned short length;
2887 unsigned short type;
2888 unsigned short size;
2889 unsigned char *data = *p;
2890 int tlsext_servername = 0;
2891 int renegotiate_seen = 0;
2892
2893#ifndef OPENSSL_NO_NEXTPROTONEG
2894 s->s3->next_proto_neg_seen = 0;
2895#endif
2896
2897 if (s->s3->alpn_selected)
2898 {
2899 OPENSSL_free(s->s3->alpn_selected);
2900 s->s3->alpn_selected = NULL;
2901 }
2902
2903#ifndef OPENSSL_NO_HEARTBEATS
2904 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2905 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2906#endif
2907
2908 if (data >= (d+n-2))
2909 goto ri_check;
2910
2911 n2s(data,length);
2912 if (data+length != d+n)
2913 {
2914 *al = SSL_AD_DECODE_ERROR;
2915 return 0;
2916 }
2917
2918 while(data <= (d+n-4))
2919 {
2920 n2s(data,type);
2921 n2s(data,size);
2922
2923 if (data+size > (d+n))
2924 goto ri_check;
2925
2926 if (s->tlsext_debug_cb)
2927 s->tlsext_debug_cb(s, 1, type, data, size,
2928 s->tlsext_debug_arg);
2929
2930 if (type == TLSEXT_TYPE_server_name)
2931 {
2932 if (s->tlsext_hostname == NULL || size > 0)
2933 {
2934 *al = TLS1_AD_UNRECOGNIZED_NAME;
2935 return 0;
2936 }
2937 tlsext_servername = 1;
2938 }
2939
2940#ifndef OPENSSL_NO_EC
2941 else if (type == TLSEXT_TYPE_ec_point_formats)
2942 {
2943 unsigned char *sdata = data;
2944 int ecpointformatlist_length = *(sdata++);
2945
2946 if (ecpointformatlist_length != size - 1)
2947 {
2948 *al = TLS1_AD_DECODE_ERROR;
2949 return 0;
2950 }
2951 s->session->tlsext_ecpointformatlist_length = 0;
2952 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2953 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2954 {
2955 *al = TLS1_AD_INTERNAL_ERROR;
2956 return 0;
2957 }
2958 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2959 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2960#if 0
2961 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2962 sdata = s->session->tlsext_ecpointformatlist;
2963 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2964 fprintf(stderr,"%i ",*(sdata++));
2965 fprintf(stderr,"\n");
2966#endif
2967 }
2968#endif /* OPENSSL_NO_EC */
2969
2970 else if (type == TLSEXT_TYPE_session_ticket)
2971 {
2972 if (s->tls_session_ticket_ext_cb &&
2973 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2974 {
2975 *al = TLS1_AD_INTERNAL_ERROR;
2976 return 0;
2977 }
2978 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2979 || (size > 0))
2980 {
2981 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2982 return 0;
2983 }
2984 s->tlsext_ticket_expected = 1;
2985 }
2986#ifdef TLSEXT_TYPE_opaque_prf_input
2987 else if (type == TLSEXT_TYPE_opaque_prf_input)
2988 {
2989 unsigned char *sdata = data;
2990
2991 if (size < 2)
2992 {
2993 *al = SSL_AD_DECODE_ERROR;
2994 return 0;
2995 }
2996 n2s(sdata, s->s3->server_opaque_prf_input_len);
2997 if (s->s3->server_opaque_prf_input_len != size - 2)
2998 {
2999 *al = SSL_AD_DECODE_ERROR;
3000 return 0;
3001 }
3002
3003 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
3004 OPENSSL_free(s->s3->server_opaque_prf_input);
3005 if (s->s3->server_opaque_prf_input_len == 0)
3006 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3007 else
3008 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
3009
3010 if (s->s3->server_opaque_prf_input == NULL)
3011 {
3012 *al = TLS1_AD_INTERNAL_ERROR;
3013 return 0;
3014 }
3015 }
3016#endif
3017 else if (type == TLSEXT_TYPE_status_request)
3018 {
3019 /* MUST be empty and only sent if we've requested
3020 * a status request message.
3021 */
3022 if ((s->tlsext_status_type == -1) || (size > 0))
3023 {
3024 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3025 return 0;
3026 }
3027 /* Set flag to expect CertificateStatus message */
3028 s->tlsext_status_expected = 1;
3029 }
3030#ifndef OPENSSL_NO_NEXTPROTONEG
3031 else if (type == TLSEXT_TYPE_next_proto_neg &&
3032 s->s3->tmp.finish_md_len == 0)
3033 {
3034 unsigned char *selected;
3035 unsigned char selected_len;
3036
3037 /* We must have requested it. */
3038 if (s->ctx->next_proto_select_cb == NULL)
3039 {
3040 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3041 return 0;
3042 }
3043 /* The data must be valid */
3044 if (!ssl_next_proto_validate(data, size))
3045 {
3046 *al = TLS1_AD_DECODE_ERROR;
3047 return 0;
3048 }
3049 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
3050 {
3051 *al = TLS1_AD_INTERNAL_ERROR;
3052 return 0;
3053 }
3054 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
3055 if (!s->next_proto_negotiated)
3056 {
3057 *al = TLS1_AD_INTERNAL_ERROR;
3058 return 0;
3059 }
3060 memcpy(s->next_proto_negotiated, selected, selected_len);
3061 s->next_proto_negotiated_len = selected_len;
3062 s->s3->next_proto_neg_seen = 1;
3063 }
3064#endif
3065
3066 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
3067 {
3068 unsigned len;
3069
3070 /* We must have requested it. */
3071 if (s->alpn_client_proto_list == NULL)
3072 {
3073 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3074 return 0;
3075 }
3076 if (size < 4)
3077 {
3078 *al = TLS1_AD_DECODE_ERROR;
3079 return 0;
3080 }
3081 /* The extension data consists of:
3082 * uint16 list_length
3083 * uint8 proto_length;
3084 * uint8 proto[proto_length]; */
3085 len = data[0];
3086 len <<= 8;
3087 len |= data[1];
3088 if (len != (unsigned) size - 2)
3089 {
3090 *al = TLS1_AD_DECODE_ERROR;
3091 return 0;
3092 }
3093 len = data[2];
3094 if (len != (unsigned) size - 3)
3095 {
3096 *al = TLS1_AD_DECODE_ERROR;
3097 return 0;
3098 }
3099 if (s->s3->alpn_selected)
3100 OPENSSL_free(s->s3->alpn_selected);
3101 s->s3->alpn_selected = OPENSSL_malloc(len);
3102 if (!s->s3->alpn_selected)
3103 {
3104 *al = TLS1_AD_INTERNAL_ERROR;
3105 return 0;
3106 }
3107 memcpy(s->s3->alpn_selected, data + 3, len);
3108 s->s3->alpn_selected_len = len;
3109 }
3110
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]3111 else if (type == TLSEXT_TYPE_channel_id)
3112 s->s3->tlsext_channel_id_valid = 1;
3113
3114 else if (type == TLSEXT_TYPE_channel_id_new)
3115 {
3116 s->s3->tlsext_channel_id_valid = 1;
3117 s->s3->tlsext_channel_id_new = 1;
3118 }
3119
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3120 else if (type == TLSEXT_TYPE_renegotiate)
3121 {
3122 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
3123 return 0;
3124 renegotiate_seen = 1;
3125 }
3126#ifndef OPENSSL_NO_HEARTBEATS
3127 else if (type == TLSEXT_TYPE_heartbeat)
3128 {
3129 switch(data[0])
3130 {
3131 case 0x01: /* Server allows us to send HB requests */
3132 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
3133 break;
3134 case 0x02: /* Server doesn't accept HB requests */
3135 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
3136 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
3137 break;
3138 default: *al = SSL_AD_ILLEGAL_PARAMETER;
3139 return 0;
3140 }
3141 }
3142#endif
3143 else if (type == TLSEXT_TYPE_use_srtp)
3144 {
3145 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
3146 al))
3147 return 0;
3148 }
3149
3150 else if (type == TLSEXT_TYPE_server_authz)
3151 {
3152 /* We only support audit proofs. It's an error to send
3153 * an authz hello extension if the client
3154 * didn't request a proof. */
3155 unsigned char *sdata = data;
3156 unsigned char server_authz_dataformatlist_length;
3157
3158 if (!s->ctx->tlsext_authz_server_audit_proof_cb)
3159 {
3160 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3161 return 0;
3162 }
3163
3164 if (!size)
3165 {
3166 *al = TLS1_AD_DECODE_ERROR;
3167 return 0;
3168 }
3169
3170 server_authz_dataformatlist_length = *(sdata++);
3171 if (server_authz_dataformatlist_length != size - 1)
3172 {
3173 *al = TLS1_AD_DECODE_ERROR;
3174 return 0;
3175 }
3176
3177 /* We only support audit proofs, so a legal ServerHello
3178 * authz list contains exactly one entry. */
3179 if (server_authz_dataformatlist_length != 1 ||
3180 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
3181 {
3182 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3183 return 0;
3184 }
3185
3186 s->s3->tlsext_authz_server_promised = 1;
3187 }
3188
3189 /* If this extension type was not otherwise handled, but
3190 * matches a custom_cli_ext_record, then send it to the c
3191 * callback */
3192 else if (s->ctx->custom_cli_ext_records_count)
3193 {
3194 size_t i;
3195 custom_cli_ext_record* record;
3196
3197 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
3198 {
3199 record = &s->ctx->custom_cli_ext_records[i];
3200 if (record->ext_type == type)
3201 {
3202 if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
3203 return 0;
3204 break;
3205 }
3206 }
3207 }
3208
3209 data += size;
3210 }
3211
3212 if (data != d+n)
3213 {
3214 *al = SSL_AD_DECODE_ERROR;
3215 return 0;
3216 }
3217
3218 if (!s->hit && tlsext_servername == 1)
3219 {
3220 if (s->tlsext_hostname)
3221 {
3222 if (s->session->tlsext_hostname == NULL)
3223 {
3224 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
3225 if (!s->session->tlsext_hostname)
3226 {
3227 *al = SSL_AD_UNRECOGNIZED_NAME;
3228 return 0;
3229 }
3230 }
3231 else
3232 {
3233 *al = SSL_AD_DECODE_ERROR;
3234 return 0;
3235 }
3236 }
3237 }
3238
3239 *p = data;
3240
3241 ri_check:
3242
3243 /* Determine if we need to see RI. Strictly speaking if we want to
3244 * avoid an attack we should *always* see RI even on initial server
3245 * hello because the client doesn't see any renegotiation during an
3246 * attack. However this would mean we could not connect to any server
3247 * which doesn't support RI so for the immediate future tolerate RI
3248 * absence on initial connect only.
3249 */
3250 if (!renegotiate_seen
3251 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
3252 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
3253 {
3254 *al = SSL_AD_HANDSHAKE_FAILURE;
3255 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
3256 return 0;
3257 }
3258
3259 return 1;
3260 }
3261
3262
3263int ssl_prepare_clienthello_tlsext(SSL *s)
3264 {
3265
3266#ifdef TLSEXT_TYPE_opaque_prf_input
3267 {
3268 int r = 1;
3269
3270 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
3271 {
3272 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
3273 if (!r)
3274 return -1;
3275 }
3276
3277 if (s->tlsext_opaque_prf_input != NULL)
3278 {
3279 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
3280 OPENSSL_free(s->s3->client_opaque_prf_input);
3281
3282 if (s->tlsext_opaque_prf_input_len == 0)
3283 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3284 else
3285 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3286 if (s->s3->client_opaque_prf_input == NULL)
3287 {
3288 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_MALLOC_FAILURE);
3289 return -1;
3290 }
3291 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3292 }
3293
3294 if (r == 2)
3295 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
3296 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3297 }
3298#endif
3299
3300 return 1;
3301 }
3302
3303int ssl_prepare_serverhello_tlsext(SSL *s)
3304 {
3305 return 1;
3306 }
3307
3308static int ssl_check_clienthello_tlsext_early(SSL *s)
3309 {
3310 int ret=SSL_TLSEXT_ERR_NOACK;
3311 int al = SSL_AD_UNRECOGNIZED_NAME;
3312
3313#ifndef OPENSSL_NO_EC
3314 /* The handling of the ECPointFormats extension is done elsewhere, namely in
3315 * ssl3_choose_cipher in s3_lib.c.
3316 */
3317 /* The handling of the EllipticCurves extension is done elsewhere, namely in
3318 * ssl3_choose_cipher in s3_lib.c.
3319 */
3320#endif
3321
3322 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3323 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3324 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3325 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3326
3327#ifdef TLSEXT_TYPE_opaque_prf_input
3328 {
3329 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
3330 * but we might be sending an alert in response to the client hello,
3331 * so this has to happen here in
3332 * ssl_check_clienthello_tlsext_early(). */
3333
3334 int r = 1;
3335
3336 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
3337 {
3338 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
3339 if (!r)
3340 {
3341 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3342 al = SSL_AD_INTERNAL_ERROR;
3343 goto err;
3344 }
3345 }
3346
3347 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
3348 OPENSSL_free(s->s3->server_opaque_prf_input);
3349 s->s3->server_opaque_prf_input = NULL;
3350
3351 if (s->tlsext_opaque_prf_input != NULL)
3352 {
3353 if (s->s3->client_opaque_prf_input != NULL &&
3354 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
3355 {
3356 /* can only use this extension if we have a server opaque PRF input
3357 * of the same length as the client opaque PRF input! */
3358
3359 if (s->tlsext_opaque_prf_input_len == 0)
3360 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3361 else
3362 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3363 if (s->s3->server_opaque_prf_input == NULL)
3364 {
3365 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3366 al = SSL_AD_INTERNAL_ERROR;
3367 goto err;
3368 }
3369 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3370 }
3371 }
3372
3373 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
3374 {
3375 /* The callback wants to enforce use of the extension,
3376 * but we can't do that with the client opaque PRF input;
3377 * abort the handshake.
3378 */
3379 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3380 al = SSL_AD_HANDSHAKE_FAILURE;
3381 }
3382 }
3383
3384 err:
3385#endif
3386 switch (ret)
3387 {
3388 case SSL_TLSEXT_ERR_ALERT_FATAL:
3389 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3390 return -1;
3391
3392 case SSL_TLSEXT_ERR_ALERT_WARNING:
3393 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3394 return 1;
3395
3396 case SSL_TLSEXT_ERR_NOACK:
3397 s->servername_done=0;
3398 default:
3399 return 1;
3400 }
3401 }
3402
3403int ssl_check_clienthello_tlsext_late(SSL *s)
3404 {
3405 int ret = SSL_TLSEXT_ERR_OK;
3406 int al;
3407
3408 /* If status request then ask callback what to do.
3409 * Note: this must be called after servername callbacks in case
3410 * the certificate has changed, and must be called after the cipher
3411 * has been chosen because this may influence which certificate is sent
3412 */
3413 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
3414 {
3415 int r;
3416 CERT_PKEY *certpkey;
3417 certpkey = ssl_get_server_send_pkey(s);
3418 /* If no certificate can't return certificate status */
3419 if (certpkey == NULL)
3420 {
3421 s->tlsext_status_expected = 0;
3422 return 1;
3423 }
3424 /* Set current certificate to one we will use so
3425 * SSL_get_certificate et al can pick it up.
3426 */
3427 s->cert->key = certpkey;
3428 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3429 switch (r)
3430 {
3431 /* We don't want to send a status request response */
3432 case SSL_TLSEXT_ERR_NOACK:
3433 s->tlsext_status_expected = 0;
3434 break;
3435 /* status request response should be sent */
3436 case SSL_TLSEXT_ERR_OK:
3437 if (s->tlsext_ocsp_resp)
3438 s->tlsext_status_expected = 1;
3439 else
3440 s->tlsext_status_expected = 0;
3441 break;
3442 /* something bad happened */
3443 case SSL_TLSEXT_ERR_ALERT_FATAL:
3444 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3445 al = SSL_AD_INTERNAL_ERROR;
3446 goto err;
3447 }
3448 }
3449 else
3450 s->tlsext_status_expected = 0;
3451
3452 err:
3453 switch (ret)
3454 {
3455 case SSL_TLSEXT_ERR_ALERT_FATAL:
3456 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3457 return -1;
3458
3459 case SSL_TLSEXT_ERR_ALERT_WARNING:
3460 ssl3_send_alert(s, SSL3_AL_WARNING, al);
3461 return 1;
3462
3463 default:
3464 return 1;
3465 }
3466 }
3467
3468int ssl_check_serverhello_tlsext(SSL *s)
3469 {
3470 int ret=SSL_TLSEXT_ERR_NOACK;
3471 int al = SSL_AD_UNRECOGNIZED_NAME;
3472
3473#ifndef OPENSSL_NO_EC
3474 /* If we are client and using an elliptic curve cryptography cipher
3475 * suite, then if server returns an EC point formats lists extension
3476 * it must contain uncompressed.
3477 */
3478 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3479 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3480 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
3481 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
3482 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
3483 {
3484 /* we are using an ECC cipher */
3485 size_t i;
3486 unsigned char *list;
3487 int found_uncompressed = 0;
3488 list = s->session->tlsext_ecpointformatlist;
3489 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
3490 {
3491 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
3492 {
3493 found_uncompressed = 1;
3494 break;
3495 }
3496 }
3497 if (!found_uncompressed)
3498 {
3499 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3500 return -1;
3501 }
3502 }
3503 ret = SSL_TLSEXT_ERR_OK;
3504#endif /* OPENSSL_NO_EC */
3505
3506 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3507 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3508 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3509 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3510
3511#ifdef TLSEXT_TYPE_opaque_prf_input
3512 if (s->s3->server_opaque_prf_input_len > 0)
3513 {
3514 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
3515 * So first verify that we really have a value from the server too. */
3516
3517 if (s->s3->server_opaque_prf_input == NULL)
3518 {
3519 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3520 al = SSL_AD_HANDSHAKE_FAILURE;
3521 }
3522
3523 /* Anytime the server *has* sent an opaque PRF input, we need to check
3524 * that we have a client opaque PRF input of the same size. */
3525 if (s->s3->client_opaque_prf_input == NULL ||
3526 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
3527 {
3528 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3529 al = SSL_AD_ILLEGAL_PARAMETER;
3530 }
3531 }
3532#endif
3533
3534 /* If we've requested certificate status and we wont get one
3535 * tell the callback
3536 */
3537 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3538 && s->ctx && s->ctx->tlsext_status_cb)
3539 {
3540 int r;
3541 /* Set resp to NULL, resplen to -1 so callback knows
3542 * there is no response.
3543 */
3544 if (s->tlsext_ocsp_resp)
3545 {
3546 OPENSSL_free(s->tlsext_ocsp_resp);
3547 s->tlsext_ocsp_resp = NULL;
3548 }
3549 s->tlsext_ocsp_resplen = -1;
3550 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3551 if (r == 0)
3552 {
3553 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3554 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3555 }
3556 if (r < 0)
3557 {
3558 al = SSL_AD_INTERNAL_ERROR;
3559 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3560 }
3561 }
3562
3563 switch (ret)
3564 {
3565 case SSL_TLSEXT_ERR_ALERT_FATAL:
3566 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3567 return -1;
3568
3569 case SSL_TLSEXT_ERR_ALERT_WARNING:
3570 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3571 return 1;
3572
3573 case SSL_TLSEXT_ERR_NOACK:
3574 s->servername_done=0;
3575 default:
3576 return 1;
3577 }
3578 }
3579
3580int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
3581 {
3582 int al = -1;
3583 if (s->version < SSL3_VERSION)
3584 return 1;
3585 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0)
3586 {
3587 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3588 return 0;
3589 }
3590
3591 if (ssl_check_serverhello_tlsext(s) <= 0)
3592 {
3593 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_SERVERHELLO_TLSEXT);
3594 return 0;
3595 }
3596 return 1;
3597}
3598
3599/* Since the server cache lookup is done early on in the processing of the
3600 * ClientHello, and other operations depend on the result, we need to handle
3601 * any TLS session ticket extension at the same time.
3602 *
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]3603 * ctx: contains the early callback context, which is the result of a
3604 * shallow parse of the ClientHello.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3605 * ret: (output) on return, if a ticket was decrypted, then this is set to
3606 * point to the resulting session.
3607 *
3608 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3609 * ciphersuite, in which case we have no use for session tickets and one will
3610 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3611 *
3612 * Returns:
3613 * -1: fatal error, either from parsing or decrypting the ticket.
3614 * 0: no ticket was found (or was ignored, based on settings).
3615 * 1: a zero length extension was found, indicating that the client supports
3616 * session tickets but doesn't currently have one to offer.
3617 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
3618 * couldn't be decrypted because of a non-fatal error.
3619 * 3: a ticket was successfully decrypted and *ret was set.
3620 *
3621 * Side effects:
3622 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3623 * a new session ticket to the client because the client indicated support
3624 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3625 * a session ticket or we couldn't use the one it gave us, or if
3626 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3627 * Otherwise, s->tlsext_ticket_expected is set to 0.
3628 */
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]3629int tls1_process_ticket(SSL *s, const struct ssl_early_callback_ctx *ctx,
3630 SSL_SESSION **ret)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3631 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3632 *ret = NULL;
3633 s->tlsext_ticket_expected = 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]3634 const unsigned char *data;
3635 size_t len;
3636 int r;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3637
3638 /* If tickets disabled behave as if no ticket present
3639 * to permit stateful resumption.
3640 */
3641 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3642 return 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]3643 if ((s->version <= SSL3_VERSION) && !ctx->extensions)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3644 return 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]3645 if (!SSL_early_callback_ctx_extension_get(
3646 ctx, TLSEXT_TYPE_session_ticket, &data, &len))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3647 {
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]3648 return 0;
3649 }
3650 if (len == 0)
3651 {
3652 /* The client will accept a ticket but doesn't
3653 * currently have one. */
3654 s->tlsext_ticket_expected = 1;
3655 return 1;
3656 }
3657 if (s->tls_session_secret_cb)
3658 {
3659 /* Indicate that the ticket couldn't be
3660 * decrypted rather than generating the session
3661 * from ticket now, trigger abbreviated
3662 * handshake based on external mechanism to
3663 * calculate the master secret later. */
3664 return 2;
3665 }
3666 r = tls_decrypt_ticket(s, data, len, ctx->session_id,
3667 ctx->session_id_len, ret);
3668 switch (r)
3669 {
3670 case 2: /* ticket couldn't be decrypted */
3671 s->tlsext_ticket_expected = 1;
3672 return 2;
3673 case 3: /* ticket was decrypted */
3674 return r;
3675 case 4: /* ticket decrypted but need to renew */
3676 s->tlsext_ticket_expected = 1;
3677 return 3;
3678 default: /* fatal error */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3679 return -1;
3680 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3681 }
3682
3683/* tls_decrypt_ticket attempts to decrypt a session ticket.
3684 *
3685 * etick: points to the body of the session ticket extension.
3686 * eticklen: the length of the session tickets extenion.
3687 * sess_id: points at the session ID.
3688 * sesslen: the length of the session ID.
3689 * psess: (output) on return, if a ticket was decrypted, then this is set to
3690 * point to the resulting session.
3691 *
3692 * Returns:
3693 * -1: fatal error, either from parsing or decrypting the ticket.
3694 * 2: the ticket couldn't be decrypted.
3695 * 3: a ticket was successfully decrypted and *psess was set.
3696 * 4: same as 3, but the ticket needs to be renewed.
3697 */
3698static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
3699 const unsigned char *sess_id, int sesslen,
3700 SSL_SESSION **psess)
3701 {
3702 SSL_SESSION *sess;
3703 unsigned char *sdec;
3704 const unsigned char *p;
3705 int slen, mlen, renew_ticket = 0;
3706 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3707 HMAC_CTX hctx;
3708 EVP_CIPHER_CTX ctx;
3709 SSL_CTX *tctx = s->initial_ctx;
3710 /* Need at least keyname + iv + some encrypted data */
3711 if (eticklen < 48)
3712 return 2;
3713 /* Initialize session ticket encryption and HMAC contexts */
3714 HMAC_CTX_init(&hctx);
3715 EVP_CIPHER_CTX_init(&ctx);
3716 if (tctx->tlsext_ticket_key_cb)
3717 {
3718 unsigned char *nctick = (unsigned char *)etick;
3719 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3720 &ctx, &hctx, 0);
3721 if (rv < 0)
3722 return -1;
3723 if (rv == 0)
3724 return 2;
3725 if (rv == 2)
3726 renew_ticket = 1;
3727 }
3728 else
3729 {
3730 /* Check key name matches */
3731 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3732 return 2;
3733 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3734 tlsext_tick_md(), NULL);
3735 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3736 tctx->tlsext_tick_aes_key, etick + 16);
3737 }
3738 /* Attempt to process session ticket, first conduct sanity and
3739 * integrity checks on ticket.
3740 */
3741 mlen = HMAC_size(&hctx);
3742 if (mlen < 0)
3743 {
3744 EVP_CIPHER_CTX_cleanup(&ctx);
3745 return -1;
3746 }
3747 eticklen -= mlen;
3748 /* Check HMAC of encrypted ticket */
3749 HMAC_Update(&hctx, etick, eticklen);
3750 HMAC_Final(&hctx, tick_hmac, NULL);
3751 HMAC_CTX_cleanup(&hctx);
3752 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
3753 return 2;
3754 /* Attempt to decrypt session data */
3755 /* Move p after IV to start of encrypted ticket, update length */
3756 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3757 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3758 sdec = OPENSSL_malloc(eticklen);
3759 if (!sdec)
3760 {
3761 EVP_CIPHER_CTX_cleanup(&ctx);
3762 return -1;
3763 }
3764 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3765 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0)
3766 return 2;
3767 slen += mlen;
3768 EVP_CIPHER_CTX_cleanup(&ctx);
3769 p = sdec;
3770
3771 sess = d2i_SSL_SESSION(NULL, &p, slen);
3772 OPENSSL_free(sdec);
3773 if (sess)
3774 {
3775 /* The session ID, if non-empty, is used by some clients to
3776 * detect that the ticket has been accepted. So we copy it to
3777 * the session structure. If it is empty set length to zero
3778 * as required by standard.
3779 */
3780 if (sesslen)
3781 memcpy(sess->session_id, sess_id, sesslen);
3782 sess->session_id_length = sesslen;
3783 *psess = sess;
3784 if (renew_ticket)
3785 return 4;
3786 else
3787 return 3;
3788 }
3789 ERR_clear_error();
3790 /* For session parse failure, indicate that we need to send a new
3791 * ticket. */
3792 return 2;
3793 }
3794
3795/* Tables to translate from NIDs to TLS v1.2 ids */
3796
3797typedef struct
3798 {
3799 int nid;
3800 int id;
3801 } tls12_lookup;
3802
3803static tls12_lookup tls12_md[] = {
3804 {NID_md5, TLSEXT_hash_md5},
3805 {NID_sha1, TLSEXT_hash_sha1},
3806 {NID_sha224, TLSEXT_hash_sha224},
3807 {NID_sha256, TLSEXT_hash_sha256},
3808 {NID_sha384, TLSEXT_hash_sha384},
3809 {NID_sha512, TLSEXT_hash_sha512}
3810};
3811
3812static tls12_lookup tls12_sig[] = {
3813 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3814 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3815 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3816};
3817
3818static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3819 {
3820 size_t i;
3821 for (i = 0; i < tlen; i++)
3822 {
3823 if (table[i].nid == nid)
3824 return table[i].id;
3825 }
3826 return -1;
3827 }
3828
3829static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3830 {
3831 size_t i;
3832 for (i = 0; i < tlen; i++)
3833 {
3834 if ((table[i].id) == id)
3835 return table[i].nid;
3836 }
3837 return NID_undef;
3838 }
3839
3840int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3841 {
3842 int sig_id, md_id;
3843 if (!md)
3844 return 0;
3845 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3846 sizeof(tls12_md)/sizeof(tls12_lookup));
3847 if (md_id == -1)
3848 return 0;
3849 sig_id = tls12_get_sigid(pk);
3850 if (sig_id == -1)
3851 return 0;
3852 p[0] = (unsigned char)md_id;
3853 p[1] = (unsigned char)sig_id;
3854 return 1;
3855 }
3856
3857int tls12_get_sigid(const EVP_PKEY *pk)
3858 {
3859 return tls12_find_id(pk->type, tls12_sig,
3860 sizeof(tls12_sig)/sizeof(tls12_lookup));
3861 }
3862
3863const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3864 {
3865 switch(hash_alg)
3866 {
3867#ifndef OPENSSL_NO_MD5
3868 case TLSEXT_hash_md5:
3869#ifdef OPENSSL_FIPS
3870 if (FIPS_mode())
3871 return NULL;
3872#endif
3873 return EVP_md5();
3874#endif
3875#ifndef OPENSSL_NO_SHA
3876 case TLSEXT_hash_sha1:
3877 return EVP_sha1();
3878#endif
3879#ifndef OPENSSL_NO_SHA256
3880 case TLSEXT_hash_sha224:
3881 return EVP_sha224();
3882
3883 case TLSEXT_hash_sha256:
3884 return EVP_sha256();
3885#endif
3886#ifndef OPENSSL_NO_SHA512
3887 case TLSEXT_hash_sha384:
3888 return EVP_sha384();
3889
3890 case TLSEXT_hash_sha512:
3891 return EVP_sha512();
3892#endif
3893 default:
3894 return NULL;
3895
3896 }
3897 }
3898
3899static int tls12_get_pkey_idx(unsigned char sig_alg)
3900 {
3901 switch(sig_alg)
3902 {
3903#ifndef OPENSSL_NO_RSA
3904 case TLSEXT_signature_rsa:
3905 return SSL_PKEY_RSA_SIGN;
3906#endif
3907#ifndef OPENSSL_NO_DSA
3908 case TLSEXT_signature_dsa:
3909 return SSL_PKEY_DSA_SIGN;
3910#endif
3911#ifndef OPENSSL_NO_ECDSA
3912 case TLSEXT_signature_ecdsa:
3913 return SSL_PKEY_ECC;
3914#endif
3915 }
3916 return -1;
3917 }
3918
3919/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3920static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3921 int *psignhash_nid, const unsigned char *data)
3922 {
3923 int sign_nid = 0, hash_nid = 0;
3924 if (!phash_nid && !psign_nid && !psignhash_nid)
3925 return;
3926 if (phash_nid || psignhash_nid)
3927 {
3928 hash_nid = tls12_find_nid(data[0], tls12_md,
3929 sizeof(tls12_md)/sizeof(tls12_lookup));
3930 if (phash_nid)
3931 *phash_nid = hash_nid;
3932 }
3933 if (psign_nid || psignhash_nid)
3934 {
3935 sign_nid = tls12_find_nid(data[1], tls12_sig,
3936 sizeof(tls12_sig)/sizeof(tls12_lookup));
3937 if (psign_nid)
3938 *psign_nid = sign_nid;
3939 }
3940 if (psignhash_nid)
3941 {
3942 if (sign_nid && hash_nid)
3943 OBJ_find_sigid_by_algs(psignhash_nid,
3944 hash_nid, sign_nid);
3945 else
3946 *psignhash_nid = NID_undef;
3947 }
3948 }
3949/* Given preference and allowed sigalgs set shared sigalgs */
3950static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3951 const unsigned char *pref, size_t preflen,
3952 const unsigned char *allow, size_t allowlen)
3953 {
3954 const unsigned char *ptmp, *atmp;
3955 size_t i, j, nmatch = 0;
3956 for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
3957 {
3958 /* Skip disabled hashes or signature algorithms */
3959 if (tls12_get_hash(ptmp[0]) == NULL)
3960 continue;
3961 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3962 continue;
3963 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
3964 {
3965 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
3966 {
3967 nmatch++;
3968 if (shsig)
3969 {
3970 shsig->rhash = ptmp[0];
3971 shsig->rsign = ptmp[1];
3972 tls1_lookup_sigalg(&shsig->hash_nid,
3973 &shsig->sign_nid,
3974 &shsig->signandhash_nid,
3975 ptmp);
3976 shsig++;
3977 }
3978 break;
3979 }
3980 }
3981 }
3982 return nmatch;
3983 }
3984
3985/* Set shared signature algorithms for SSL structures */
3986static int tls1_set_shared_sigalgs(SSL *s)
3987 {
3988 const unsigned char *pref, *allow, *conf;
3989 size_t preflen, allowlen, conflen;
3990 size_t nmatch;
3991 TLS_SIGALGS *salgs = NULL;
3992 CERT *c = s->cert;
3993 unsigned int is_suiteb = tls1_suiteb(s);
Adam Langleydb4f9522014-06-20 12:00:00 -0700[diff] [blame]3994 if (c->shared_sigalgs)
3995 {
3996 OPENSSL_free(c->shared_sigalgs);
3997 c->shared_sigalgs = NULL;
3998 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3999 /* If client use client signature algorithms if not NULL */
4000 if (!s->server && c->client_sigalgs && !is_suiteb)
4001 {
4002 conf = c->client_sigalgs;
4003 conflen = c->client_sigalgslen;
4004 }
4005 else if (c->conf_sigalgs && !is_suiteb)
4006 {
4007 conf = c->conf_sigalgs;
4008 conflen = c->conf_sigalgslen;
4009 }
4010 else
4011 conflen = tls12_get_psigalgs(s, &conf);
4012 if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb)
4013 {
4014 pref = conf;
4015 preflen = conflen;
4016 allow = c->peer_sigalgs;
4017 allowlen = c->peer_sigalgslen;
4018 }
4019 else
4020 {
4021 allow = conf;
4022 allowlen = conflen;
4023 pref = c->peer_sigalgs;
4024 preflen = c->peer_sigalgslen;
4025 }
4026 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
4027 if (!nmatch)
4028 return 1;
4029 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
4030 if (!salgs)
4031 return 0;
4032 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
4033 c->shared_sigalgs = salgs;
4034 c->shared_sigalgslen = nmatch;
4035 return 1;
4036 }
4037
4038
4039/* Set preferred digest for each key type */
4040
4041int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
4042 {
4043 int idx;
4044 size_t i;
4045 const EVP_MD *md;
4046 CERT *c = s->cert;
4047 TLS_SIGALGS *sigptr;
4048 /* Extension ignored for inappropriate versions */
4049 if (!SSL_USE_SIGALGS(s))
4050 return 1;
4051 /* Should never happen */
4052 if (!c)
4053 return 0;
4054
Adam Langleydb4f9522014-06-20 12:00:00 -0700[diff] [blame]4055 if (c->peer_sigalgs)
4056 OPENSSL_free(c->peer_sigalgs);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]4057 c->peer_sigalgs = OPENSSL_malloc(dsize);
4058 if (!c->peer_sigalgs)
4059 return 0;
4060 c->peer_sigalgslen = dsize;
4061 memcpy(c->peer_sigalgs, data, dsize);
4062
4063 tls1_set_shared_sigalgs(s);
4064
4065#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4066 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
4067 {
4068 /* Use first set signature preference to force message
4069 * digest, ignoring any peer preferences.
4070 */
4071 const unsigned char *sigs = NULL;
4072 if (s->server)
4073 sigs = c->conf_sigalgs;
4074 else
4075 sigs = c->client_sigalgs;
4076 if (sigs)
4077 {
4078 idx = tls12_get_pkey_idx(sigs[1]);
4079 md = tls12_get_hash(sigs[0]);
4080 c->pkeys[idx].digest = md;
4081 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
4082 if (idx == SSL_PKEY_RSA_SIGN)
4083 {
4084 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
4085 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
4086 }
4087 }
4088 }
4089#endif
4090
4091 for (i = 0, sigptr = c->shared_sigalgs;
4092 i < c->shared_sigalgslen; i++, sigptr++)
4093 {
4094 idx = tls12_get_pkey_idx(sigptr->rsign);
4095 if (idx > 0 && c->pkeys[idx].digest == NULL)
4096 {
4097 md = tls12_get_hash(sigptr->rhash);
4098 c->pkeys[idx].digest = md;
4099 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
4100 if (idx == SSL_PKEY_RSA_SIGN)
4101 {
4102 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
4103 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
4104 }
4105 }
4106
4107 }
4108 /* In strict mode leave unset digests as NULL to indicate we can't
4109 * use the certificate for signing.
4110 */
4111 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
4112 {
4113 /* Set any remaining keys to default values. NOTE: if alg is
4114 * not supported it stays as NULL.
4115 */
4116#ifndef OPENSSL_NO_DSA
4117 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
4118 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
4119#endif
4120#ifndef OPENSSL_NO_RSA
4121 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
4122 {
4123 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
4124 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
4125 }
4126#endif
4127#ifndef OPENSSL_NO_ECDSA
4128 if (!c->pkeys[SSL_PKEY_ECC].digest)
4129 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
4130#endif
4131 }
4132 return 1;
4133 }
4134
4135
4136int SSL_get_sigalgs(SSL *s, int idx,
4137 int *psign, int *phash, int *psignhash,
4138 unsigned char *rsig, unsigned char *rhash)
4139 {
4140 const unsigned char *psig = s->cert->peer_sigalgs;
4141 if (psig == NULL)
4142 return 0;
4143 if (idx >= 0)
4144 {
4145 idx <<= 1;
4146 if (idx >= (int)s->cert->peer_sigalgslen)
4147 return 0;
4148 psig += idx;
4149 if (rhash)
4150 *rhash = psig[0];
4151 if (rsig)
4152 *rsig = psig[1];
4153 tls1_lookup_sigalg(phash, psign, psignhash, psig);
4154 }
4155 return s->cert->peer_sigalgslen / 2;
4156 }
4157
4158int SSL_get_shared_sigalgs(SSL *s, int idx,
4159 int *psign, int *phash, int *psignhash,
4160 unsigned char *rsig, unsigned char *rhash)
4161 {
4162 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
4163 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
4164 return 0;
4165 shsigalgs += idx;
4166 if (phash)
4167 *phash = shsigalgs->hash_nid;
4168 if (psign)
4169 *psign = shsigalgs->sign_nid;
4170 if (psignhash)
4171 *psignhash = shsigalgs->signandhash_nid;
4172 if (rsig)
4173 *rsig = shsigalgs->rsign;
4174 if (rhash)
4175 *rhash = shsigalgs->rhash;
4176 return s->cert->shared_sigalgslen;
4177 }
4178
4179
4180#ifndef OPENSSL_NO_HEARTBEATS
4181int
4182tls1_process_heartbeat(SSL *s)
4183 {
4184 unsigned char *p = &s->s3->rrec.data[0], *pl;
4185 unsigned short hbtype;
4186 unsigned int payload;
4187 unsigned int padding = 16; /* Use minimum padding */
4188
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]4189 if (s->msg_callback)
4190 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
4191 &s->s3->rrec.data[0], s->s3->rrec.length,
4192 s, s->msg_callback_arg);
4193
Adam Langley56475202014-06-20 12:00:00 -0700[diff] [blame]4194 /* Read type and payload length first */
4195 if (1 + 2 + 16 > s->s3->rrec.length)
4196 return 0; /* silently discard */
4197 hbtype = *p++;
4198 n2s(p, payload);
4199 if (1 + 2 + payload + 16 > s->s3->rrec.length)
4200 return 0; /* silently discard per RFC 6520 sec. 4 */
4201 pl = p;
4202
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]4203 if (hbtype == TLS1_HB_REQUEST)
4204 {
4205 unsigned char *buffer, *bp;
4206 int r;
4207
4208 /* Allocate memory for the response, size is 1 bytes
4209 * message type, plus 2 bytes payload length, plus
4210 * payload, plus padding
4211 */
4212 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
4213 bp = buffer;
4214
4215 /* Enter response type, length and copy payload */
4216 *bp++ = TLS1_HB_RESPONSE;
4217 s2n(payload, bp);
4218 memcpy(bp, pl, payload);
4219 bp += payload;
4220 /* Random padding */
4221 RAND_pseudo_bytes(bp, padding);
4222
4223 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
4224
4225 if (r >= 0 && s->msg_callback)
4226 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4227 buffer, 3 + payload + padding,
4228 s, s->msg_callback_arg);
4229
4230 OPENSSL_free(buffer);
4231
4232 if (r < 0)
4233 return r;
4234 }
4235 else if (hbtype == TLS1_HB_RESPONSE)
4236 {
4237 unsigned int seq;
4238
4239 /* We only send sequence numbers (2 bytes unsigned int),
4240 * and 16 random bytes, so we just try to read the
4241 * sequence number */
4242 n2s(pl, seq);
4243
4244 if (payload == 18 && seq == s->tlsext_hb_seq)
4245 {
4246 s->tlsext_hb_seq++;
4247 s->tlsext_hb_pending = 0;
4248 }
4249 }
4250
4251 return 0;
4252 }
4253
4254int
4255tls1_heartbeat(SSL *s)
4256 {
4257 unsigned char *buf, *p;
4258 int ret;
4259 unsigned int payload = 18; /* Sequence number + random bytes */
4260 unsigned int padding = 16; /* Use minimum padding */
4261
4262 /* Only send if peer supports and accepts HB requests... */
4263 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
4264 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
4265 {
4266 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
4267 return -1;
4268 }
4269
4270 /* ...and there is none in flight yet... */
4271 if (s->tlsext_hb_pending)
4272 {
4273 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_HEARTBEAT_PENDING);
4274 return -1;
4275 }
4276
4277 /* ...and no handshake in progress. */
4278 if (SSL_in_init(s) || s->in_handshake)
4279 {
4280 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNEXPECTED_MESSAGE);
4281 return -1;
4282 }
4283
4284 /* Check if padding is too long, payload and padding
4285 * must not exceed 2^14 - 3 = 16381 bytes in total.
4286 */
4287 assert(payload + padding <= 16381);
4288
4289 /* Create HeartBeat message, we just use a sequence number
4290 * as payload to distuingish different messages and add
4291 * some random stuff.
4292 * - Message Type, 1 byte
4293 * - Payload Length, 2 bytes (unsigned int)
4294 * - Payload, the sequence number (2 bytes uint)
4295 * - Payload, random bytes (16 bytes uint)
4296 * - Padding
4297 */
4298 buf = OPENSSL_malloc(1 + 2 + payload + padding);
4299 p = buf;
4300 /* Message Type */
4301 *p++ = TLS1_HB_REQUEST;
4302 /* Payload length (18 bytes here) */
4303 s2n(payload, p);
4304 /* Sequence number */
4305 s2n(s->tlsext_hb_seq, p);
4306 /* 16 random bytes */
4307 RAND_pseudo_bytes(p, 16);
4308 p += 16;
4309 /* Random padding */
4310 RAND_pseudo_bytes(p, padding);
4311
4312 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
4313 if (ret >= 0)
4314 {
4315 if (s->msg_callback)
4316 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4317 buf, 3 + payload + padding,
4318 s, s->msg_callback_arg);
4319
4320 s->tlsext_hb_pending = 1;
4321 }
4322
4323 OPENSSL_free(buf);
4324
4325 return ret;
4326 }
4327#endif
4328
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]4329#if !defined(OPENSSL_NO_TLSEXT)
4330/* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
4331 * SSL connection and writes it to |md|. */
4332int
4333tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
4334 {
4335 EVP_MD_CTX ctx;
4336 unsigned char temp_digest[EVP_MAX_MD_SIZE];
4337 unsigned temp_digest_len;
4338 int i;
4339 static const char kClientIDMagic[] = "TLS Channel ID signature";
4340
4341 if (s->s3->handshake_buffer)
4342 if (!ssl3_digest_cached_records(s))
4343 return 0;
4344
4345 EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
4346
4347 if (s->hit && s->s3->tlsext_channel_id_new)
4348 {
4349 static const char kResumptionMagic[] = "Resumption";
4350 EVP_DigestUpdate(md, kResumptionMagic,
4351 sizeof(kResumptionMagic));
4352 if (s->session->original_handshake_hash_len == 0)
4353 return 0;
4354 EVP_DigestUpdate(md, s->session->original_handshake_hash,
4355 s->session->original_handshake_hash_len);
4356 }
4357
4358 EVP_MD_CTX_init(&ctx);
4359 for (i = 0; i < SSL_MAX_DIGEST; i++)
4360 {
4361 if (s->s3->handshake_dgst[i] == NULL)
4362 continue;
4363 EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
4364 EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
4365 EVP_DigestUpdate(md, temp_digest, temp_digest_len);
4366 }
4367 EVP_MD_CTX_cleanup(&ctx);
4368
4369 return 1;
4370 }
4371#endif
4372
4373/* tls1_record_handshake_hashes_for_channel_id records the current handshake
4374 * hashes in |s->session| so that Channel ID resumptions can sign that data. */
4375int tls1_record_handshake_hashes_for_channel_id(SSL *s)
4376 {
4377 int digest_len;
4378 /* This function should never be called for a resumed session because
4379 * the handshake hashes that we wish to record are for the original,
4380 * full handshake. */
4381 if (s->hit)
4382 return -1;
4383 /* It only makes sense to call this function if Channel IDs have been
4384 * negotiated. */
4385 if (!s->s3->tlsext_channel_id_new)
4386 return -1;
4387
4388 digest_len = tls1_handshake_digest(
4389 s, s->session->original_handshake_hash,
4390 sizeof(s->session->original_handshake_hash));
4391 if (digest_len < 0)
4392 return -1;
4393
4394 s->session->original_handshake_hash_len = digest_len;
4395
4396 return 1;
4397 }
4398
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]4399/* TODO(fork): remove */
4400#if 0
4401#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
4402
4403typedef struct
4404 {
4405 size_t sigalgcnt;
4406 int sigalgs[MAX_SIGALGLEN];
4407 } sig_cb_st;
4408
4409static int sig_cb(const char *elem, int len, void *arg)
4410 {
4411 sig_cb_st *sarg = arg;
4412 size_t i;
4413 char etmp[20], *p;
4414 int sig_alg, hash_alg;
4415 if (sarg->sigalgcnt == MAX_SIGALGLEN)
4416 return 0;
4417 if (len > (int)(sizeof(etmp) - 1))
4418 return 0;
4419 memcpy(etmp, elem, len);
4420 etmp[len] = 0;
4421 p = strchr(etmp, '+');
4422 if (!p)
4423 return 0;
4424 *p = 0;
4425 p++;
4426 if (!*p)
4427 return 0;
4428
4429 if (!strcmp(etmp, "RSA"))
4430 sig_alg = EVP_PKEY_RSA;
4431 else if (!strcmp(etmp, "DSA"))
4432 sig_alg = EVP_PKEY_DSA;
4433 else if (!strcmp(etmp, "ECDSA"))
4434 sig_alg = EVP_PKEY_EC;
4435 else return 0;
4436
4437 hash_alg = OBJ_sn2nid(p);
4438 if (hash_alg == NID_undef)
4439 hash_alg = OBJ_ln2nid(p);
4440 if (hash_alg == NID_undef)
4441 return 0;
4442
4443 for (i = 0; i < sarg->sigalgcnt; i+=2)
4444 {
4445 if (sarg->sigalgs[i] == sig_alg
4446 && sarg->sigalgs[i + 1] == hash_alg)
4447 return 0;
4448 }
4449 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
4450 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
4451 return 1;
4452 }
4453
4454/* Set suppored signature algorithms based on a colon separated list
4455 * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
4456int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
4457 {
4458 sig_cb_st sig;
4459 sig.sigalgcnt = 0;
4460 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
4461 return 0;
4462 if (c == NULL)
4463 return 1;
4464 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
4465 }
4466#endif
4467
4468int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
4469 {
4470 unsigned char *sigalgs, *sptr;
4471 int rhash, rsign;
4472 size_t i;
4473 if (salglen & 1)
4474 return 0;
4475 sigalgs = OPENSSL_malloc(salglen);
4476 if (sigalgs == NULL)
4477 return 0;
4478 for (i = 0, sptr = sigalgs; i < salglen; i+=2)
4479 {
4480 rhash = tls12_find_id(*psig_nids++, tls12_md,
4481 sizeof(tls12_md)/sizeof(tls12_lookup));
4482 rsign = tls12_find_id(*psig_nids++, tls12_sig,
4483 sizeof(tls12_sig)/sizeof(tls12_lookup));
4484
4485 if (rhash == -1 || rsign == -1)
4486 goto err;
4487 *sptr++ = rhash;
4488 *sptr++ = rsign;
4489 }
4490
4491 if (client)
4492 {
4493 if (c->client_sigalgs)
4494 OPENSSL_free(c->client_sigalgs);
4495 c->client_sigalgs = sigalgs;
4496 c->client_sigalgslen = salglen;
4497 }
4498 else
4499 {
4500 if (c->conf_sigalgs)
4501 OPENSSL_free(c->conf_sigalgs);
4502 c->conf_sigalgs = sigalgs;
4503 c->conf_sigalgslen = salglen;
4504 }
4505
4506 return 1;
4507
4508 err:
4509 OPENSSL_free(sigalgs);
4510 return 0;
4511 }
4512
4513static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
4514 {
4515 int sig_nid;
4516 size_t i;
4517 if (default_nid == -1)
4518 return 1;
4519 sig_nid = X509_get_signature_nid(x);
4520 if (default_nid)
4521 return sig_nid == default_nid ? 1 : 0;
4522 for (i = 0; i < c->shared_sigalgslen; i++)
4523 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
4524 return 1;
4525 return 0;
4526 }
4527/* Check to see if a certificate issuer name matches list of CA names */
4528static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
4529 {
4530 X509_NAME *nm;
4531 int i;
4532 nm = X509_get_issuer_name(x);
4533 for (i = 0; i < sk_X509_NAME_num(names); i++)
4534 {
4535 if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
4536 return 1;
4537 }
4538 return 0;
4539 }
4540
4541/* Check certificate chain is consistent with TLS extensions and is
4542 * usable by server. This servers two purposes: it allows users to
4543 * check chains before passing them to the server and it allows the
4544 * server to check chains before attempting to use them.
4545 */
4546
4547/* Flags which need to be set for a certificate when stict mode not set */
4548
4549#define CERT_PKEY_VALID_FLAGS \
4550 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4551/* Strict mode flags */
4552#define CERT_PKEY_STRICT_FLAGS \
4553 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4554 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4555
4556int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
4557 int idx)
4558 {
4559 int i;
4560 int rv = 0;
4561 int check_flags = 0, strict_mode;
4562 CERT_PKEY *cpk = NULL;
4563 CERT *c = s->cert;
4564 unsigned int suiteb_flags = tls1_suiteb(s);
4565 /* idx == -1 means checking server chains */
4566 if (idx != -1)
4567 {
4568 /* idx == -2 means checking client certificate chains */
4569 if (idx == -2)
4570 {
4571 cpk = c->key;
4572 idx = cpk - c->pkeys;
4573 }
4574 else
4575 cpk = c->pkeys + idx;
4576 x = cpk->x509;
4577 pk = cpk->privatekey;
4578 chain = cpk->chain;
4579 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4580 /* If no cert or key, forget it */
4581 if (!x || !pk)
4582 goto end;
4583#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4584 /* Allow any certificate to pass test */
4585 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
4586 {
4587 rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;
4588 cpk->valid_flags = rv;
4589 return rv;
4590 }
4591#endif
4592 }
4593 else
4594 {
4595 if (!x || !pk)
4596 goto end;
4597 idx = ssl_cert_type(x, pk);
4598 if (idx == -1)
4599 goto end;
4600 cpk = c->pkeys + idx;
4601 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4602 check_flags = CERT_PKEY_STRICT_FLAGS;
4603 else
4604 check_flags = CERT_PKEY_VALID_FLAGS;
4605 strict_mode = 1;
4606 }
4607
4608 if (suiteb_flags)
4609 {
4610 int ok;
4611 if (check_flags)
4612 check_flags |= CERT_PKEY_SUITEB;
4613 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4614 if (ok != X509_V_OK)
4615 {
4616 if (check_flags)
4617 rv |= CERT_PKEY_SUITEB;
4618 else
4619 goto end;
4620 }
4621 }
4622
4623 /* Check all signature algorithms are consistent with
4624 * signature algorithms extension if TLS 1.2 or later
4625 * and strict mode.
4626 */
4627 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
4628 {
4629 int default_nid;
4630 unsigned char rsign = 0;
4631 if (c->peer_sigalgs)
4632 default_nid = 0;
4633 /* If no sigalgs extension use defaults from RFC5246 */
4634 else
4635 {
4636 switch(idx)
4637 {
4638 case SSL_PKEY_RSA_ENC:
4639 case SSL_PKEY_RSA_SIGN:
4640 case SSL_PKEY_DH_RSA:
4641 rsign = TLSEXT_signature_rsa;
4642 default_nid = NID_sha1WithRSAEncryption;
4643 break;
4644
4645 case SSL_PKEY_DSA_SIGN:
4646 case SSL_PKEY_DH_DSA:
4647 rsign = TLSEXT_signature_dsa;
4648 default_nid = NID_dsaWithSHA1;
4649 break;
4650
4651 case SSL_PKEY_ECC:
4652 rsign = TLSEXT_signature_ecdsa;
4653 default_nid = NID_ecdsa_with_SHA1;
4654 break;
4655
4656 default:
4657 default_nid = -1;
4658 break;
4659 }
4660 }
4661 /* If peer sent no signature algorithms extension and we
4662 * have set preferred signature algorithms check we support
4663 * sha1.
4664 */
4665 if (default_nid > 0 && c->conf_sigalgs)
4666 {
4667 size_t j;
4668 const unsigned char *p = c->conf_sigalgs;
4669 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
4670 {
4671 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4672 break;
4673 }
4674 if (j == c->conf_sigalgslen)
4675 {
4676 if (check_flags)
4677 goto skip_sigs;
4678 else
4679 goto end;
4680 }
4681 }
4682 /* Check signature algorithm of each cert in chain */
4683 if (!tls1_check_sig_alg(c, x, default_nid))
4684 {
4685 if (!check_flags) goto end;
4686 }
4687 else
4688 rv |= CERT_PKEY_EE_SIGNATURE;
4689 rv |= CERT_PKEY_CA_SIGNATURE;
4690 for (i = 0; i < sk_X509_num(chain); i++)
4691 {
4692 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
4693 default_nid))
4694 {
4695 if (check_flags)
4696 {
4697 rv &= ~CERT_PKEY_CA_SIGNATURE;
4698 break;
4699 }
4700 else
4701 goto end;
4702 }
4703 }
4704 }
4705 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4706 else if(check_flags)
4707 rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;
4708 skip_sigs:
4709 /* Check cert parameters are consistent */
4710 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4711 rv |= CERT_PKEY_EE_PARAM;
4712 else if (!check_flags)
4713 goto end;
4714 if (!s->server)
4715 rv |= CERT_PKEY_CA_PARAM;
4716 /* In strict mode check rest of chain too */
4717 else if (strict_mode)
4718 {
4719 rv |= CERT_PKEY_CA_PARAM;
4720 for (i = 0; i < sk_X509_num(chain); i++)
4721 {
4722 X509 *ca = sk_X509_value(chain, i);
4723 if (!tls1_check_cert_param(s, ca, 0))
4724 {
4725 if (check_flags)
4726 {
4727 rv &= ~CERT_PKEY_CA_PARAM;
4728 break;
4729 }
4730 else
4731 goto end;
4732 }
4733 }
4734 }
4735 if (!s->server && strict_mode)
4736 {
4737 STACK_OF(X509_NAME) *ca_dn;
4738 int check_type = 0;
4739 switch (pk->type)
4740 {
4741 case EVP_PKEY_RSA:
4742 check_type = TLS_CT_RSA_SIGN;
4743 break;
4744 case EVP_PKEY_DSA:
4745 check_type = TLS_CT_DSS_SIGN;
4746 break;
4747 case EVP_PKEY_EC:
4748 check_type = TLS_CT_ECDSA_SIGN;
4749 break;
4750 case EVP_PKEY_DH:
4751 case EVP_PKEY_DHX:
4752 {
4753 int cert_type = X509_certificate_type(x, pk);
4754 if (cert_type & EVP_PKS_RSA)
4755 check_type = TLS_CT_RSA_FIXED_DH;
4756 if (cert_type & EVP_PKS_DSA)
4757 check_type = TLS_CT_DSS_FIXED_DH;
4758 }
4759 }
4760 if (check_type)
4761 {
4762 const unsigned char *ctypes;
4763 int ctypelen;
4764 if (c->ctypes)
4765 {
4766 ctypes = c->ctypes;
4767 ctypelen = (int)c->ctype_num;
4768 }
4769 else
4770 {
4771 ctypes = (unsigned char *)s->s3->tmp.ctype;
4772 ctypelen = s->s3->tmp.ctype_num;
4773 }
4774 for (i = 0; i < ctypelen; i++)
4775 {
4776 if (ctypes[i] == check_type)
4777 {
4778 rv |= CERT_PKEY_CERT_TYPE;
4779 break;
4780 }
4781 }
4782 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4783 goto end;
4784 }
4785 else
4786 rv |= CERT_PKEY_CERT_TYPE;
4787
4788
4789 ca_dn = s->s3->tmp.ca_names;
4790
4791 if (!sk_X509_NAME_num(ca_dn))
4792 rv |= CERT_PKEY_ISSUER_NAME;
4793
4794 if (!(rv & CERT_PKEY_ISSUER_NAME))
4795 {
4796 if (ssl_check_ca_name(ca_dn, x))
4797 rv |= CERT_PKEY_ISSUER_NAME;
4798 }
4799 if (!(rv & CERT_PKEY_ISSUER_NAME))
4800 {
4801 for (i = 0; i < sk_X509_num(chain); i++)
4802 {
4803 X509 *xtmp = sk_X509_value(chain, i);
4804 if (ssl_check_ca_name(ca_dn, xtmp))
4805 {
4806 rv |= CERT_PKEY_ISSUER_NAME;
4807 break;
4808 }
4809 }
4810 }
4811 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4812 goto end;
4813 }
4814 else
4815 rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
4816
4817 if (!check_flags || (rv & check_flags) == check_flags)
4818 rv |= CERT_PKEY_VALID;
4819
4820 end:
4821
4822 if (TLS1_get_version(s) >= TLS1_2_VERSION)
4823 {
4824 if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4825 rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
4826 else if (cpk->digest)
4827 rv |= CERT_PKEY_SIGN;
4828 }
4829 else
4830 rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
4831
4832 /* When checking a CERT_PKEY structure all flags are irrelevant
4833 * if the chain is invalid.
4834 */
4835 if (!check_flags)
4836 {
4837 if (rv & CERT_PKEY_VALID)
4838 cpk->valid_flags = rv;
4839 else
4840 {
4841 /* Preserve explicit sign flag, clear rest */
4842 cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4843 return 0;
4844 }
4845 }
4846 return rv;
4847 }
4848
4849/* Set validity of certificates in an SSL structure */
4850void tls1_set_cert_validity(SSL *s)
4851 {
4852 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4853 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4854 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4855 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4856 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4857 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4858 }
4859/* User level utiity function to check a chain is suitable */
4860int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4861 {
4862 return tls1_check_chain(s, x, pk, chain, -1);
4863 }
4864
4865#endif