Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / c3174b7b2d3b4517b597dc3e0d0db18a718d6ab5 / . / ssl / t1_lib.c
blob: 8964352ee71032b4d689cfe1c88c3818e485e9fc [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109#include <stdio.h>
110#include <assert.h>
111
112#include <openssl/evp.h>
113#include <openssl/hmac.h>
114#include <openssl/mem.h>
115#include <openssl/obj.h>
116#include <openssl/rand.h>
117
118#include "ssl_locl.h"
119#ifndef OPENSSL_NO_TLSEXT
120static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
121 const unsigned char *sess_id, int sesslen,
122 SSL_SESSION **psess);
123static int ssl_check_clienthello_tlsext_early(SSL *s);
124int ssl_check_serverhello_tlsext(SSL *s);
125#endif
126
127SSL3_ENC_METHOD TLSv1_enc_data={
128 tls1_enc,
129 tls1_mac,
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138 tls1_alert_code,
139 tls1_export_keying_material,
140 0,
141 SSL3_HM_HEADER_LENGTH,
142 ssl3_set_handshake_header,
143 ssl3_handshake_write
144 };
145
146SSL3_ENC_METHOD TLSv1_1_enc_data={
147 tls1_enc,
148 tls1_mac,
149 tls1_setup_key_block,
150 tls1_generate_master_secret,
151 tls1_change_cipher_state,
152 tls1_final_finish_mac,
153 TLS1_FINISH_MAC_LENGTH,
154 tls1_cert_verify_mac,
155 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
156 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
157 tls1_alert_code,
158 tls1_export_keying_material,
159 SSL_ENC_FLAG_EXPLICIT_IV,
160 SSL3_HM_HEADER_LENGTH,
161 ssl3_set_handshake_header,
162 ssl3_handshake_write
163 };
164
165SSL3_ENC_METHOD TLSv1_2_enc_data={
166 tls1_enc,
167 tls1_mac,
168 tls1_setup_key_block,
169 tls1_generate_master_secret,
170 tls1_change_cipher_state,
171 tls1_final_finish_mac,
172 TLS1_FINISH_MAC_LENGTH,
173 tls1_cert_verify_mac,
174 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
175 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
176 tls1_alert_code,
177 tls1_export_keying_material,
178 SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
179 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
180 SSL3_HM_HEADER_LENGTH,
181 ssl3_set_handshake_header,
182 ssl3_handshake_write
183 };
184
185long tls1_default_timeout(void)
186 {
187 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
188 * is way too long for http, the cache would over fill */
189 return(60*60*2);
190 }
191
192int tls1_new(SSL *s)
193 {
194 if (!ssl3_new(s)) return(0);
195 s->method->ssl_clear(s);
196 return(1);
197 }
198
199void tls1_free(SSL *s)
200 {
201#ifndef OPENSSL_NO_TLSEXT
202 if (s->tlsext_session_ticket)
203 {
204 OPENSSL_free(s->tlsext_session_ticket);
205 }
206#endif /* OPENSSL_NO_TLSEXT */
207 ssl3_free(s);
208 }
209
210void tls1_clear(SSL *s)
211 {
212 ssl3_clear(s);
213 s->version = s->method->version;
214 }
215
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]216char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx)
217 {
218 size_t len = ctx->client_hello_len;
219 const unsigned char *p = ctx->client_hello;
220 uint16_t *extension_types;
221 unsigned num_extensions;
222
223 /* Skip client version. */
224 if (len < 2)
225 return 0;
226 len -= 2; p += 2;
227
228 /* Skip client nonce. */
229 if (len < 32)
230 return 0;
231 len -= 32; p += 32;
232
233 /* Get length of session id. */
234 if (len < 1)
235 return 0;
236 ctx->session_id_len = *p;
237 p++; len--;
238
239 ctx->session_id = p;
240 if (len < ctx->session_id_len)
241 return 0;
242 p += ctx->session_id_len; len -= ctx->session_id_len;
243
244 /* Skip past DTLS cookie */
245 if (ctx->ssl->version == DTLS1_VERSION || ctx->ssl->version == DTLS1_BAD_VER)
246 {
247 unsigned cookie_len;
248
249 if (len < 1)
250 return 0;
251 cookie_len = *p;
252 p++; len--;
253 if (len < cookie_len)
254 return 0;
255 p += cookie_len; len -= cookie_len;
256 }
257
258 /* Skip cipher suites. */
259 if (len < 2)
260 return 0;
261 n2s(p, ctx->cipher_suites_len);
262 len -= 2;
263
264 if ((ctx->cipher_suites_len & 1) != 0)
265 return 0;
266
267 ctx->cipher_suites = p;
268 if (len < ctx->cipher_suites_len)
269 return 0;
270 p += ctx->cipher_suites_len; len -= ctx->cipher_suites_len;
271
272 /* Skip compression methods. */
273 if (len < 1)
274 return 0;
275 ctx->compression_methods_len = *p;
276 p++; len--;
277
278 ctx->compression_methods = p;
279 if (len < ctx->compression_methods_len)
280 return 0;
281 p += ctx->compression_methods_len; len -= ctx->compression_methods_len;
282
283 /* If the ClientHello ends here then it's valid, but doesn't have any
284 * extensions. (E.g. SSLv3.) */
285 if (len == 0)
286 {
287 ctx->extensions = NULL;
288 ctx->extensions_len = 0;
289 return 1;
290 }
291
292 if (len < 2)
293 return 0;
294 n2s(p, ctx->extensions_len);
295 len -= 2;
296
297 if (ctx->extensions_len == 0 && len == 0)
298 {
299 ctx->extensions = NULL;
300 return 1;
301 }
302
303 ctx->extensions = p;
304 if (len != ctx->extensions_len)
305 return 0;
306
307 /* Verify that the extensions have valid lengths and that there are
308 * no duplicates. Each extension takes, at least, four bytes, so
309 * we can allocate a buffer of extensions_len/4 elements and be sure
310 * that we have enough space for all the extension types. */
311 extension_types =
312 OPENSSL_malloc(sizeof(uint16_t) * ctx->extensions_len/4);
313 if (extension_types == NULL)
314 return 0;
315 num_extensions = 0;
316
317 while (len != 0)
318 {
319 uint16_t extension_type, extension_len;
320 unsigned i;
321
322 if (len < 4)
323 goto err;
324 n2s(p, extension_type);
325 n2s(p, extension_len);
326 len -= 4;
327
328 if (len < extension_len)
329 goto err;
330 p += extension_len; len -= extension_len;
331
332 for (i = 0; i < num_extensions; i++)
333 {
334 if (extension_types[i] == extension_type)
335 {
336 /* Duplicate extension type. */
337 goto err;
338 }
339 }
340 extension_types[num_extensions] = extension_type;
341 num_extensions++;
342 }
343
344 OPENSSL_free(extension_types);
345 return 1;
346
347err:
348 OPENSSL_free(extension_types);
349 return 0;
350 }
351
352char
353SSL_early_callback_ctx_extension_get(const struct ssl_early_callback_ctx *ctx,
354 uint16_t extension_type,
355 const unsigned char **out_data,
356 size_t *out_len)
357 {
358 size_t len = ctx->extensions_len;
359 const unsigned char *p = ctx->extensions;
360
361 while (len != 0)
362 {
363 uint16_t ext_type, ext_len;
364
365 if (len < 4)
366 return 0;
367 n2s(p, ext_type);
368 n2s(p, ext_len);
369 len -= 4;
370
371 if (len < ext_len)
372 return 0;
373 if (ext_type == extension_type)
374 {
375 *out_data = p;
376 *out_len = ext_len;
377 return 1;
378 }
379
380 p += ext_len; len -= ext_len;
381 }
382
383 return 0;
384 }
385
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]386#ifndef OPENSSL_NO_EC
387
388static int nid_list[] =
389 {
390 NID_sect163k1, /* sect163k1 (1) */
391 NID_sect163r1, /* sect163r1 (2) */
392 NID_sect163r2, /* sect163r2 (3) */
393 NID_sect193r1, /* sect193r1 (4) */
394 NID_sect193r2, /* sect193r2 (5) */
395 NID_sect233k1, /* sect233k1 (6) */
396 NID_sect233r1, /* sect233r1 (7) */
397 NID_sect239k1, /* sect239k1 (8) */
398 NID_sect283k1, /* sect283k1 (9) */
399 NID_sect283r1, /* sect283r1 (10) */
400 NID_sect409k1, /* sect409k1 (11) */
401 NID_sect409r1, /* sect409r1 (12) */
402 NID_sect571k1, /* sect571k1 (13) */
403 NID_sect571r1, /* sect571r1 (14) */
404 NID_secp160k1, /* secp160k1 (15) */
405 NID_secp160r1, /* secp160r1 (16) */
406 NID_secp160r2, /* secp160r2 (17) */
407 NID_secp192k1, /* secp192k1 (18) */
408 NID_X9_62_prime192v1, /* secp192r1 (19) */
409 NID_secp224k1, /* secp224k1 (20) */
410 NID_secp224r1, /* secp224r1 (21) */
411 NID_secp256k1, /* secp256k1 (22) */
412 NID_X9_62_prime256v1, /* secp256r1 (23) */
413 NID_secp384r1, /* secp384r1 (24) */
414 NID_secp521r1, /* secp521r1 (25) */
415 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
416 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
417 NID_brainpoolP512r1 /* brainpool512r1 (28) */
418 };
419
420
421static const unsigned char ecformats_default[] =
422 {
423 TLSEXT_ECPOINTFORMAT_uncompressed,
424 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
425 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
426 };
427
428static const unsigned char eccurves_default[] =
429 {
430 0,14, /* sect571r1 (14) */
431 0,13, /* sect571k1 (13) */
432 0,25, /* secp521r1 (25) */
433 0,28, /* brainpool512r1 (28) */
434 0,11, /* sect409k1 (11) */
435 0,12, /* sect409r1 (12) */
436 0,27, /* brainpoolP384r1 (27) */
437 0,24, /* secp384r1 (24) */
438 0,9, /* sect283k1 (9) */
439 0,10, /* sect283r1 (10) */
440 0,26, /* brainpoolP256r1 (26) */
441 0,22, /* secp256k1 (22) */
442 0,23, /* secp256r1 (23) */
443 0,8, /* sect239k1 (8) */
444 0,6, /* sect233k1 (6) */
445 0,7, /* sect233r1 (7) */
446 0,20, /* secp224k1 (20) */
447 0,21, /* secp224r1 (21) */
448 0,4, /* sect193r1 (4) */
449 0,5, /* sect193r2 (5) */
450 0,18, /* secp192k1 (18) */
451 0,19, /* secp192r1 (19) */
452 0,1, /* sect163k1 (1) */
453 0,2, /* sect163r1 (2) */
454 0,3, /* sect163r2 (3) */
455 0,15, /* secp160k1 (15) */
456 0,16, /* secp160r1 (16) */
457 0,17, /* secp160r2 (17) */
458 };
459
460static const unsigned char suiteb_curves[] =
461 {
462 0, TLSEXT_curve_P_256,
463 0, TLSEXT_curve_P_384
464 };
465
466int tls1_ec_curve_id2nid(int curve_id)
467 {
468 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
469 if ((curve_id < 1) || ((unsigned int)curve_id >
470 sizeof(nid_list)/sizeof(nid_list[0])))
471 return 0;
472 return nid_list[curve_id-1];
473 }
474
475int tls1_ec_nid2curve_id(int nid)
476 {
477 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
478 switch (nid)
479 {
480 case NID_sect163k1: /* sect163k1 (1) */
481 return 1;
482 case NID_sect163r1: /* sect163r1 (2) */
483 return 2;
484 case NID_sect163r2: /* sect163r2 (3) */
485 return 3;
486 case NID_sect193r1: /* sect193r1 (4) */
487 return 4;
488 case NID_sect193r2: /* sect193r2 (5) */
489 return 5;
490 case NID_sect233k1: /* sect233k1 (6) */
491 return 6;
492 case NID_sect233r1: /* sect233r1 (7) */
493 return 7;
494 case NID_sect239k1: /* sect239k1 (8) */
495 return 8;
496 case NID_sect283k1: /* sect283k1 (9) */
497 return 9;
498 case NID_sect283r1: /* sect283r1 (10) */
499 return 10;
500 case NID_sect409k1: /* sect409k1 (11) */
501 return 11;
502 case NID_sect409r1: /* sect409r1 (12) */
503 return 12;
504 case NID_sect571k1: /* sect571k1 (13) */
505 return 13;
506 case NID_sect571r1: /* sect571r1 (14) */
507 return 14;
508 case NID_secp160k1: /* secp160k1 (15) */
509 return 15;
510 case NID_secp160r1: /* secp160r1 (16) */
511 return 16;
512 case NID_secp160r2: /* secp160r2 (17) */
513 return 17;
514 case NID_secp192k1: /* secp192k1 (18) */
515 return 18;
516 case NID_X9_62_prime192v1: /* secp192r1 (19) */
517 return 19;
518 case NID_secp224k1: /* secp224k1 (20) */
519 return 20;
520 case NID_secp224r1: /* secp224r1 (21) */
521 return 21;
522 case NID_secp256k1: /* secp256k1 (22) */
523 return 22;
524 case NID_X9_62_prime256v1: /* secp256r1 (23) */
525 return 23;
526 case NID_secp384r1: /* secp384r1 (24) */
527 return 24;
528 case NID_secp521r1: /* secp521r1 (25) */
529 return 25;
530 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
531 return 26;
532 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
533 return 27;
534 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
535 return 28;
536 default:
537 return 0;
538 }
539 }
540/* Get curves list, if "sess" is set return client curves otherwise
541 * preferred list
542 */
543static void tls1_get_curvelist(SSL *s, int sess,
544 const unsigned char **pcurves,
545 size_t *pcurveslen)
546 {
547 if (sess)
548 {
549 *pcurves = s->session->tlsext_ellipticcurvelist;
550 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
551 return;
552 }
553 /* For Suite B mode only include P-256, P-384 */
554 switch (tls1_suiteb(s))
555 {
556 case SSL_CERT_FLAG_SUITEB_128_LOS:
557 *pcurves = suiteb_curves;
558 *pcurveslen = sizeof(suiteb_curves);
559 break;
560
561 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
562 *pcurves = suiteb_curves;
563 *pcurveslen = 2;
564 break;
565
566 case SSL_CERT_FLAG_SUITEB_192_LOS:
567 *pcurves = suiteb_curves + 2;
568 *pcurveslen = 2;
569 break;
570 default:
571 *pcurves = s->tlsext_ellipticcurvelist;
572 *pcurveslen = s->tlsext_ellipticcurvelist_length;
573 }
574 if (!*pcurves)
575 {
576 *pcurves = eccurves_default;
577 *pcurveslen = sizeof(eccurves_default);
578 }
579 }
580/* Check a curve is one of our preferences */
581int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
582 {
583 const unsigned char *curves;
584 size_t curveslen, i;
585 unsigned int suiteb_flags = tls1_suiteb(s);
586 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
587 return 0;
588 /* Check curve matches Suite B preferences */
589 if (suiteb_flags)
590 {
591 unsigned long cid = s->s3->tmp.new_cipher->id;
592 if (p[1])
593 return 0;
594 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
595 {
596 if (p[2] != TLSEXT_curve_P_256)
597 return 0;
598 }
599 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
600 {
601 if (p[2] != TLSEXT_curve_P_384)
602 return 0;
603 }
604 else /* Should never happen */
605 return 0;
606 }
607 tls1_get_curvelist(s, 0, &curves, &curveslen);
608 for (i = 0; i < curveslen; i += 2, curves += 2)
609 {
610 if (p[1] == curves[0] && p[2] == curves[1])
611 return 1;
612 }
613 return 0;
614 }
615
616/* Return nth shared curve. If nmatch == -1 return number of
617 * matches. For nmatch == -2 return the NID of the curve to use for
618 * an EC tmp key.
619 */
620
621int tls1_shared_curve(SSL *s, int nmatch)
622 {
623 const unsigned char *pref, *supp;
624 size_t preflen, supplen, i, j;
625 int k;
626 /* Can't do anything on client side */
627 if (s->server == 0)
628 return -1;
629 if (nmatch == -2)
630 {
631 if (tls1_suiteb(s))
632 {
633 /* For Suite B ciphersuite determines curve: we
634 * already know these are acceptable due to previous
635 * checks.
636 */
637 unsigned long cid = s->s3->tmp.new_cipher->id;
638 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
639 return NID_X9_62_prime256v1; /* P-256 */
640 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
641 return NID_secp384r1; /* P-384 */
642 /* Should never happen */
643 return NID_undef;
644 }
645 /* If not Suite B just return first preference shared curve */
646 nmatch = 0;
647 }
648 tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
649 &supp, &supplen);
650 tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
651 &pref, &preflen);
652 preflen /= 2;
653 supplen /= 2;
654 k = 0;
655 for (i = 0; i < preflen; i++, pref+=2)
656 {
657 const unsigned char *tsupp = supp;
658 for (j = 0; j < supplen; j++, tsupp+=2)
659 {
660 if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
661 {
662 if (nmatch == k)
663 {
664 int id = (pref[0] << 8) | pref[1];
665 return tls1_ec_curve_id2nid(id);
666 }
667 k++;
668 }
669 }
670 }
671 if (nmatch == -1)
672 return k;
673 return 0;
674 }
675
676int tls1_set_curves(unsigned char **pext, size_t *pextlen,
677 int *curves, size_t ncurves)
678 {
679 unsigned char *clist, *p;
680 size_t i;
681 /* Bitmap of curves included to detect duplicates: only works
682 * while curve ids < 32
683 */
684 unsigned long dup_list = 0;
685 clist = OPENSSL_malloc(ncurves * 2);
686 if (!clist)
687 return 0;
688 for (i = 0, p = clist; i < ncurves; i++)
689 {
690 unsigned long idmask;
691 int id;
692 id = tls1_ec_nid2curve_id(curves[i]);
693 idmask = 1L << id;
694 if (!id || (dup_list & idmask))
695 {
696 OPENSSL_free(clist);
697 return 0;
698 }
699 dup_list |= idmask;
700 s2n(id, p);
701 }
702 if (*pext)
703 OPENSSL_free(*pext);
704 *pext = clist;
705 *pextlen = ncurves * 2;
706 return 1;
707 }
708
709/* TODO(fork): remove */
710#if 0
711#define MAX_CURVELIST 28
712
713typedef struct
714 {
715 size_t nidcnt;
716 int nid_arr[MAX_CURVELIST];
717 } nid_cb_st;
718
719static int nid_cb(const char *elem, int len, void *arg)
720 {
721 nid_cb_st *narg = arg;
722 size_t i;
723 int nid;
724 char etmp[20];
725 if (narg->nidcnt == MAX_CURVELIST)
726 return 0;
727 if (len > (int)(sizeof(etmp) - 1))
728 return 0;
729 memcpy(etmp, elem, len);
730 etmp[len] = 0;
731 nid = EC_curve_nist2nid(etmp);
732 if (nid == NID_undef)
733 nid = OBJ_sn2nid(etmp);
734 if (nid == NID_undef)
735 nid = OBJ_ln2nid(etmp);
736 if (nid == NID_undef)
737 return 0;
738 for (i = 0; i < narg->nidcnt; i++)
739 if (narg->nid_arr[i] == nid)
740 return 0;
741 narg->nid_arr[narg->nidcnt++] = nid;
742 return 1;
743 }
744/* Set curves based on a colon separate list */
745int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
746 const char *str)
747 {
748 nid_cb_st ncb;
749 ncb.nidcnt = 0;
750 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
751 return 0;
752 if (pext == NULL)
753 return 1;
754 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
755 }
756#endif
757
758/* For an EC key set TLS id and required compression based on parameters */
759static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
760 EC_KEY *ec)
761 {
762 int is_prime = 1, id;
763 const EC_GROUP *grp;
764 if (!ec)
765 return 0;
766
767 /* TODO(fork): remove. All curves are prime now. */
768 grp = EC_KEY_get0_group(ec);
769 if (!grp)
770 return 0;
771#if 0
772 /* Determine if it is a prime field */
773 meth = EC_GROUP_method_of(grp);
774 if (!meth)
775 return 0;
776 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
777 is_prime = 1;
778 else
779 is_prime = 0;
780#endif
781
782 /* Determine curve ID */
783 id = EC_GROUP_get_curve_name(grp);
784 id = tls1_ec_nid2curve_id(id);
785 /* If we have an ID set it, otherwise set arbitrary explicit curve */
786 if (id)
787 {
788 curve_id[0] = 0;
789 curve_id[1] = (unsigned char)id;
790 }
791 else
792 {
793 curve_id[0] = 0xff;
794 if (is_prime)
795 curve_id[1] = 0x01;
796 else
797 curve_id[1] = 0x02;
798 }
799 if (comp_id)
800 {
801 if (EC_KEY_get0_public_key(ec) == NULL)
802 return 0;
803 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
804 {
805 if (is_prime)
806 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
807 else
808 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
809 }
810 else
811 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
812 }
813 return 1;
814 }
815/* Check an EC key is compatible with extensions */
816static int tls1_check_ec_key(SSL *s,
817 unsigned char *curve_id, unsigned char *comp_id)
818 {
819 const unsigned char *p;
820 size_t plen, i;
821 int j;
822 /* If point formats extension present check it, otherwise everything
823 * is supported (see RFC4492).
824 */
825 if (comp_id && s->session->tlsext_ecpointformatlist)
826 {
827 p = s->session->tlsext_ecpointformatlist;
828 plen = s->session->tlsext_ecpointformatlist_length;
829 for (i = 0; i < plen; i++, p++)
830 {
831 if (*comp_id == *p)
832 break;
833 }
834 if (i == plen)
835 return 0;
836 }
837 if (!curve_id)
838 return 1;
839 /* Check curve is consistent with client and server preferences */
840 for (j = 0; j <= 1; j++)
841 {
842 tls1_get_curvelist(s, j, &p, &plen);
843 for (i = 0; i < plen; i+=2, p+=2)
844 {
845 if (p[0] == curve_id[0] && p[1] == curve_id[1])
846 break;
847 }
848 if (i == plen)
849 return 0;
850 /* For clients can only check sent curve list */
851 if (!s->server)
852 return 1;
853 }
854 return 1;
855 }
856
857static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
858 size_t *pformatslen)
859 {
860 /* If we have a custom point format list use it otherwise
861 * use default */
862 if (s->tlsext_ecpointformatlist)
863 {
864 *pformats = s->tlsext_ecpointformatlist;
865 *pformatslen = s->tlsext_ecpointformatlist_length;
866 }
867 else
868 {
869 *pformats = ecformats_default;
870 /* For Suite B we don't support char2 fields */
871 if (tls1_suiteb(s))
872 *pformatslen = sizeof(ecformats_default) - 1;
873 else
874 *pformatslen = sizeof(ecformats_default);
875 }
876 }
877
878/* Check cert parameters compatible with extensions: currently just checks
879 * EC certificates have compatible curves and compression.
880 */
881static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
882 {
883 unsigned char comp_id, curve_id[2];
884 EVP_PKEY *pkey;
885 int rv;
886 pkey = X509_get_pubkey(x);
887 if (!pkey)
888 return 0;
889 /* If not EC nothing to do */
890 if (pkey->type != EVP_PKEY_EC)
891 {
892 EVP_PKEY_free(pkey);
893 return 1;
894 }
895 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
896 EVP_PKEY_free(pkey);
897 if (!rv)
898 return 0;
899 /* Can't check curve_id for client certs as we don't have a
900 * supported curves extension.
901 */
902 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
903 if (!rv)
904 return 0;
905 /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
906 * SHA384+P-384, adjust digest if necessary.
907 */
908 if (set_ee_md && tls1_suiteb(s))
909 {
910 int check_md;
911 size_t i;
912 CERT *c = s->cert;
913 if (curve_id[0])
914 return 0;
915 /* Check to see we have necessary signing algorithm */
916 if (curve_id[1] == TLSEXT_curve_P_256)
917 check_md = NID_ecdsa_with_SHA256;
918 else if (curve_id[1] == TLSEXT_curve_P_384)
919 check_md = NID_ecdsa_with_SHA384;
920 else
921 return 0; /* Should never happen */
922 for (i = 0; i < c->shared_sigalgslen; i++)
923 if (check_md == c->shared_sigalgs[i].signandhash_nid)
924 break;
925 if (i == c->shared_sigalgslen)
926 return 0;
927 if (set_ee_md == 2)
928 {
929 if (check_md == NID_ecdsa_with_SHA256)
930 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
931 else
932 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
933 }
934 }
935 return rv;
936 }
937/* Check EC temporary key is compatible with client extensions */
938int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
939 {
940 unsigned char curve_id[2];
941 EC_KEY *ec = s->cert->ecdh_tmp;
942#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
943 /* Allow any curve: not just those peer supports */
944 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
945 return 1;
946#endif
947 /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
948 * no other curves permitted.
949 */
950 if (tls1_suiteb(s))
951 {
952 /* Curve to check determined by ciphersuite */
953 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
954 curve_id[1] = TLSEXT_curve_P_256;
955 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
956 curve_id[1] = TLSEXT_curve_P_384;
957 else
958 return 0;
959 curve_id[0] = 0;
960 /* Check this curve is acceptable */
961 if (!tls1_check_ec_key(s, curve_id, NULL))
962 return 0;
963 /* If auto or setting curve from callback assume OK */
964 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
965 return 1;
966 /* Otherwise check curve is acceptable */
967 else
968 {
969 unsigned char curve_tmp[2];
970 if (!ec)
971 return 0;
972 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
973 return 0;
974 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
975 return 1;
976 return 0;
977 }
978
979 }
980 if (s->cert->ecdh_tmp_auto)
981 {
982 /* Need a shared curve */
983 if (tls1_shared_curve(s, 0))
984 return 1;
985 else return 0;
986 }
987 if (!ec)
988 {
989 if (s->cert->ecdh_tmp_cb)
990 return 1;
991 else
992 return 0;
993 }
994 if (!tls1_set_ec_id(curve_id, NULL, ec))
995 return 0;
996/* Set this to allow use of invalid curves for testing */
997#if 0
998 return 1;
999#else
1000 return tls1_check_ec_key(s, curve_id, NULL);
1001#endif
1002 }
1003
1004#else
1005
1006static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
1007 {
1008 return 1;
1009 }
1010
1011#endif /* OPENSSL_NO_EC */
1012
1013#ifndef OPENSSL_NO_TLSEXT
1014
1015/* List of supported signature algorithms and hashes. Should make this
1016 * customisable at some point, for now include everything we support.
1017 */
1018
1019#ifdef OPENSSL_NO_RSA
1020#define tlsext_sigalg_rsa(md) /* */
1021#else
1022#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
1023#endif
1024
1025#ifdef OPENSSL_NO_DSA
1026#define tlsext_sigalg_dsa(md) /* */
1027#else
1028#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
1029#endif
1030
1031#ifdef OPENSSL_NO_ECDSA
1032#define tlsext_sigalg_ecdsa(md) /* */
1033#else
1034#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
1035#endif
1036
1037#define tlsext_sigalg(md) \
1038 tlsext_sigalg_rsa(md) \
1039 tlsext_sigalg_dsa(md) \
1040 tlsext_sigalg_ecdsa(md)
1041
1042static unsigned char tls12_sigalgs[] = {
1043#ifndef OPENSSL_NO_SHA512
1044 tlsext_sigalg(TLSEXT_hash_sha512)
1045 tlsext_sigalg(TLSEXT_hash_sha384)
1046#endif
1047#ifndef OPENSSL_NO_SHA256
1048 tlsext_sigalg(TLSEXT_hash_sha256)
1049 tlsext_sigalg(TLSEXT_hash_sha224)
1050#endif
1051#ifndef OPENSSL_NO_SHA
1052 tlsext_sigalg(TLSEXT_hash_sha1)
1053#endif
1054};
1055#ifndef OPENSSL_NO_ECDSA
1056static unsigned char suiteb_sigalgs[] = {
1057 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
1058 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
1059};
1060#endif
1061size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
1062 {
1063 /* If Suite B mode use Suite B sigalgs only, ignore any other
1064 * preferences.
1065 */
1066#ifndef OPENSSL_NO_EC
1067 switch (tls1_suiteb(s))
1068 {
1069 case SSL_CERT_FLAG_SUITEB_128_LOS:
1070 *psigs = suiteb_sigalgs;
1071 return sizeof(suiteb_sigalgs);
1072
1073 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
1074 *psigs = suiteb_sigalgs;
1075 return 2;
1076
1077 case SSL_CERT_FLAG_SUITEB_192_LOS:
1078 *psigs = suiteb_sigalgs + 2;
1079 return 2;
1080 }
1081#endif
1082 /* If server use client authentication sigalgs if not NULL */
1083 if (s->server && s->cert->client_sigalgs)
1084 {
1085 *psigs = s->cert->client_sigalgs;
1086 return s->cert->client_sigalgslen;
1087 }
1088 else if (s->cert->conf_sigalgs)
1089 {
1090 *psigs = s->cert->conf_sigalgs;
1091 return s->cert->conf_sigalgslen;
1092 }
1093 else
1094 {
1095 *psigs = tls12_sigalgs;
1096 return sizeof(tls12_sigalgs);
1097 }
1098 }
1099/* Check signature algorithm is consistent with sent supported signature
1100 * algorithms and if so return relevant digest.
1101 */
1102int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
1103 const unsigned char *sig, EVP_PKEY *pkey)
1104 {
1105 const unsigned char *sent_sigs;
1106 size_t sent_sigslen, i;
1107 int sigalg = tls12_get_sigid(pkey);
1108 /* Should never happen */
1109 if (sigalg == -1)
1110 return -1;
1111 /* Check key type is consistent with signature */
1112 if (sigalg != (int)sig[1])
1113 {
1114 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
1115 return 0;
1116 }
1117#ifndef OPENSSL_NO_EC
1118 if (pkey->type == EVP_PKEY_EC)
1119 {
1120 unsigned char curve_id[2], comp_id;
1121 /* Check compression and curve matches extensions */
1122 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
1123 return 0;
1124 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
1125 {
1126 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_CURVE);
1127 return 0;
1128 }
1129 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1130 if (tls1_suiteb(s))
1131 {
1132 if (curve_id[0])
1133 return 0;
1134 if (curve_id[1] == TLSEXT_curve_P_256)
1135 {
1136 if (sig[0] != TLSEXT_hash_sha256)
1137 {
1138 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
1139 return 0;
1140 }
1141 }
1142 else if (curve_id[1] == TLSEXT_curve_P_384)
1143 {
1144 if (sig[0] != TLSEXT_hash_sha384)
1145 {
1146 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
1147 return 0;
1148 }
1149 }
1150 else
1151 return 0;
1152 }
1153 }
1154 else if (tls1_suiteb(s))
1155 return 0;
1156#endif
1157
1158 /* Check signature matches a type we sent */
1159 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1160 for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
1161 {
1162 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1163 break;
1164 }
1165 /* Allow fallback to SHA1 if not strict mode */
1166 if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
1167 {
1168 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
1169 return 0;
1170 }
1171 *pmd = tls12_get_hash(sig[0]);
1172 if (*pmd == NULL)
1173 {
1174 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_UNKNOWN_DIGEST);
1175 return 0;
1176 }
1177 /* Store the digest used so applications can retrieve it if they
1178 * wish.
1179 */
1180 if (s->session && s->session->sess_cert)
1181 s->session->sess_cert->peer_key->digest = *pmd;
1182 return 1;
1183 }
1184/* Get a mask of disabled algorithms: an algorithm is disabled
1185 * if it isn't supported or doesn't appear in supported signature
1186 * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1187 * session and not global settings.
1188 *
1189 */
1190void ssl_set_client_disabled(SSL *s)
1191 {
1192 CERT *c = s->cert;
1193 const unsigned char *sigalgs;
1194 size_t i, sigalgslen;
1195 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1196 c->mask_a = 0;
1197 c->mask_k = 0;
1198 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1199 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1200 c->mask_ssl = SSL_TLSV1_2;
1201 else
1202 c->mask_ssl = 0;
1203 /* Now go through all signature algorithms seeing if we support
1204 * any for RSA, DSA, ECDSA. Do this for all versions not just
1205 * TLS 1.2.
1206 */
1207 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1208 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
1209 {
1210 switch(sigalgs[1])
1211 {
1212#ifndef OPENSSL_NO_RSA
1213 case TLSEXT_signature_rsa:
1214 have_rsa = 1;
1215 break;
1216#endif
1217#ifndef OPENSSL_NO_DSA
1218 case TLSEXT_signature_dsa:
1219 have_dsa = 1;
1220 break;
1221#endif
1222#ifndef OPENSSL_NO_ECDSA
1223 case TLSEXT_signature_ecdsa:
1224 have_ecdsa = 1;
1225 break;
1226#endif
1227 }
1228 }
1229 /* Disable auth and static DH if we don't include any appropriate
1230 * signature algorithms.
1231 */
1232 if (!have_rsa)
1233 {
1234 c->mask_a |= SSL_aRSA;
1235 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1236 }
1237 if (!have_dsa)
1238 {
1239 c->mask_a |= SSL_aDSS;
1240 c->mask_k |= SSL_kDHd;
1241 }
1242 if (!have_ecdsa)
1243 {
1244 c->mask_a |= SSL_aECDSA;
1245 c->mask_k |= SSL_kECDHe;
1246 }
1247#ifndef OPENSSL_NO_PSK
1248 /* with PSK there must be client callback set */
1249 if (!s->psk_client_callback)
1250 {
1251 c->mask_a |= SSL_aPSK;
1252 c->mask_k |= SSL_kPSK;
1253 }
1254#endif /* OPENSSL_NO_PSK */
1255 c->valid = 1;
1256 }
1257
1258/* byte_compare is a compare function for qsort(3) that compares bytes. */
1259static int byte_compare(const void *in_a, const void *in_b)
1260 {
1261 unsigned char a = *((const unsigned char*) in_a);
1262 unsigned char b = *((const unsigned char*) in_b);
1263
1264 if (a > b)
1265 return 1;
1266 else if (a < b)
1267 return -1;
1268 return 0;
1269}
1270
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1271/* header_len is the length of the ClientHello header written so far, used to
1272 * compute padding. It does not include the record header. Pass 0 if no padding
1273 * is to be done. */
1274unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, size_t header_len)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1275 {
1276 int extdatalen=0;
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1277 unsigned char *ret = buf;
1278 unsigned char *orig = buf;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1279#ifndef OPENSSL_NO_EC
1280 /* See if we support any ECC ciphersuites */
1281 int using_ecc = 0;
1282 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1283 {
1284 int i;
1285 unsigned long alg_k, alg_a;
1286 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1287
1288 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1289 {
1290 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1291
1292 alg_k = c->algorithm_mkey;
1293 alg_a = c->algorithm_auth;
1294 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
1295 || (alg_a & SSL_aECDSA)))
1296 {
1297 using_ecc = 1;
1298 break;
1299 }
1300 }
1301 }
1302#endif
1303
1304 /* don't add extensions for SSLv3 unless doing secure renegotiation */
1305 if (s->client_version == SSL3_VERSION
1306 && !s->s3->send_connection_binding)
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1307 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1308
1309 ret+=2;
1310
1311 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1312
1313 if (s->tlsext_hostname != NULL)
1314 {
1315 /* Add TLS extension servername to the Client Hello message */
1316 unsigned long size_str;
1317 long lenmax;
1318
1319 /* check for enough space.
1320 4 for the servername type and entension length
1321 2 for servernamelist length
1322 1 for the hostname type
1323 2 for hostname length
1324 + hostname length
1325 */
1326
1327 if ((lenmax = limit - ret - 9) < 0
1328 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1329 return NULL;
1330
1331 /* extension type and length */
1332 s2n(TLSEXT_TYPE_server_name,ret);
1333 s2n(size_str+5,ret);
1334
1335 /* length of servername list */
1336 s2n(size_str+3,ret);
1337
1338 /* hostname type, length and hostname */
1339 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1340 s2n(size_str,ret);
1341 memcpy(ret, s->tlsext_hostname, size_str);
1342 ret+=size_str;
1343 }
1344
1345 /* Add RI if renegotiating */
1346 if (s->renegotiate)
1347 {
1348 int el;
1349
1350 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1351 {
1352 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1353 return NULL;
1354 }
1355
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1356 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1357
1358 s2n(TLSEXT_TYPE_renegotiate,ret);
1359 s2n(el,ret);
1360
1361 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1362 {
1363 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1364 return NULL;
1365 }
1366
1367 ret += el;
1368 }
1369
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1370 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
1371 {
1372 int ticklen;
1373 if (!s->new_session && s->session && s->session->tlsext_tick)
1374 ticklen = s->session->tlsext_ticklen;
1375 else if (s->session && s->tlsext_session_ticket &&
1376 s->tlsext_session_ticket->data)
1377 {
1378 ticklen = s->tlsext_session_ticket->length;
1379 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1380 if (!s->session->tlsext_tick)
1381 return NULL;
1382 memcpy(s->session->tlsext_tick,
1383 s->tlsext_session_ticket->data,
1384 ticklen);
1385 s->session->tlsext_ticklen = ticklen;
1386 }
1387 else
1388 ticklen = 0;
1389 if (ticklen == 0 && s->tlsext_session_ticket &&
1390 s->tlsext_session_ticket->data == NULL)
1391 goto skip_ext;
1392 /* Check for enough room 2 for extension type, 2 for len
1393 * rest for ticket
1394 */
1395 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1396 s2n(TLSEXT_TYPE_session_ticket,ret);
1397 s2n(ticklen,ret);
1398 if (ticklen)
1399 {
1400 memcpy(ret, s->session->tlsext_tick, ticklen);
1401 ret += ticklen;
1402 }
1403 }
1404 skip_ext:
1405
1406 if (SSL_USE_SIGALGS(s))
1407 {
1408 size_t salglen;
1409 const unsigned char *salg;
1410 salglen = tls12_get_psigalgs(s, &salg);
1411 if ((size_t)(limit - ret) < salglen + 6)
1412 return NULL;
1413 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1414 s2n(salglen + 2, ret);
1415 s2n(salglen, ret);
1416 memcpy(ret, salg, salglen);
1417 ret += salglen;
1418 }
1419
1420#ifdef TLSEXT_TYPE_opaque_prf_input
1421 if (s->s3->client_opaque_prf_input != NULL)
1422 {
1423 size_t col = s->s3->client_opaque_prf_input_len;
1424
1425 if ((long)(limit - ret - 6 - col < 0))
1426 return NULL;
1427 if (col > 0xFFFD) /* can't happen */
1428 return NULL;
1429
1430 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1431 s2n(col + 2, ret);
1432 s2n(col, ret);
1433 memcpy(ret, s->s3->client_opaque_prf_input, col);
1434 ret += col;
1435 }
1436#endif
1437
1438 /* TODO(fork): we probably want OCSP stapling, but it currently pulls in a lot of code. */
1439#if 0
1440 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1441 {
1442 int i;
1443 long extlen, idlen, itmp;
1444 OCSP_RESPID *id;
1445
1446 idlen = 0;
1447 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1448 {
1449 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1450 itmp = i2d_OCSP_RESPID(id, NULL);
1451 if (itmp <= 0)
1452 return NULL;
1453 idlen += itmp + 2;
1454 }
1455
1456 if (s->tlsext_ocsp_exts)
1457 {
1458 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1459 if (extlen < 0)
1460 return NULL;
1461 }
1462 else
1463 extlen = 0;
1464
1465 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1466 s2n(TLSEXT_TYPE_status_request, ret);
1467 if (extlen + idlen > 0xFFF0)
1468 return NULL;
1469 s2n(extlen + idlen + 5, ret);
1470 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1471 s2n(idlen, ret);
1472 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1473 {
1474 /* save position of id len */
1475 unsigned char *q = ret;
1476 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1477 /* skip over id len */
1478 ret += 2;
1479 itmp = i2d_OCSP_RESPID(id, &ret);
1480 /* write id len */
1481 s2n(itmp, q);
1482 }
1483 s2n(extlen, ret);
1484 if (extlen > 0)
1485 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1486 }
1487#endif
1488
1489#ifndef OPENSSL_NO_HEARTBEATS
1490 /* Add Heartbeat extension */
1491 s2n(TLSEXT_TYPE_heartbeat,ret);
1492 s2n(1,ret);
1493 /* Set mode:
1494 * 1: peer may send requests
1495 * 2: peer not allowed to send requests
1496 */
1497 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1498 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1499 else
1500 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1501#endif
1502
1503#ifndef OPENSSL_NO_NEXTPROTONEG
1504 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1505 {
1506 /* The client advertises an emtpy extension to indicate its
1507 * support for Next Protocol Negotiation */
1508 if (limit - ret - 4 < 0)
1509 return NULL;
1510 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1511 s2n(0,ret);
1512 }
1513#endif
1514
1515 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1516 {
1517 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1518 return NULL;
1519 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1520 s2n(2 + s->alpn_client_proto_list_len,ret);
1521 s2n(s->alpn_client_proto_list_len,ret);
1522 memcpy(ret, s->alpn_client_proto_list,
1523 s->alpn_client_proto_list_len);
1524 ret += s->alpn_client_proto_list_len;
1525 }
1526
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]1527 if (s->tlsext_channel_id_enabled)
1528 {
1529 /* The client advertises an emtpy extension to indicate its
1530 * support for Channel ID. */
1531 if (limit - ret - 4 < 0)
1532 return NULL;
1533 if (s->ctx->tlsext_channel_id_enabled_new)
1534 s2n(TLSEXT_TYPE_channel_id_new,ret);
1535 else
1536 s2n(TLSEXT_TYPE_channel_id,ret);
1537 s2n(0,ret);
1538 }
1539
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1540 if(SSL_get_srtp_profiles(s))
1541 {
1542 int el;
1543
1544 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1545
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1546 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1547
1548 s2n(TLSEXT_TYPE_use_srtp,ret);
1549 s2n(el,ret);
1550
1551 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1552 {
1553 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1554 return NULL;
1555 }
1556 ret += el;
1557 }
1558
1559 /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1560 /* 2 bytes for extension type */
1561 /* 2 bytes for extension length */
1562 /* 1 byte for the list length */
1563 /* 1 byte for the list (we only support audit proofs) */
1564 if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1565 {
1566 const unsigned short ext_len = 2;
1567 const unsigned char list_len = 1;
1568
1569 if (limit < ret + 6)
1570 return NULL;
1571
1572 s2n(TLSEXT_TYPE_server_authz, ret);
1573 /* Extension length: 2 bytes */
1574 s2n(ext_len, ret);
1575 *(ret++) = list_len;
1576 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1577 }
1578
1579 /* Add custom TLS Extensions to ClientHello */
1580 if (s->ctx->custom_cli_ext_records_count)
1581 {
1582 size_t i;
1583 custom_cli_ext_record* record;
1584
1585 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
1586 {
1587 const unsigned char* out = NULL;
1588 unsigned short outlen = 0;
1589
1590 record = &s->ctx->custom_cli_ext_records[i];
1591 /* NULL callback sends empty extension */
1592 /* -1 from callback omits extension */
1593 if (record->fn1)
1594 {
1595 int cb_retval = 0;
1596 cb_retval = record->fn1(s, record->ext_type,
1597 &out, &outlen,
1598 record->arg);
1599 if (cb_retval == 0)
1600 return NULL; /* error */
1601 if (cb_retval == -1)
1602 continue; /* skip this extension */
1603 }
1604 if (limit < ret + 4 + outlen)
1605 return NULL;
1606 s2n(record->ext_type, ret);
1607 s2n(outlen, ret);
1608 memcpy(ret, out, outlen);
1609 ret += outlen;
1610 }
1611 }
1612
Adam Langleyc3174b72014-06-20 12:00:00 -0700[diff] [blame^]1613#ifndef OPENSSL_NO_EC
1614 if (using_ecc)
1615 {
1616 /* Add TLS extension ECPointFormats to the ClientHello message */
1617 long lenmax;
1618 const unsigned char *plist;
1619 size_t plistlen;
1620
1621 tls1_get_formatlist(s, &plist, &plistlen);
1622
1623 if ((lenmax = limit - ret - 5) < 0) return NULL;
1624 if (plistlen > (size_t)lenmax) return NULL;
1625 if (plistlen > 255)
1626 {
1627 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1628 return NULL;
1629 }
1630
1631 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1632 s2n(plistlen + 1,ret);
1633 *(ret++) = (unsigned char)plistlen ;
1634 memcpy(ret, plist, plistlen);
1635 ret+=plistlen;
1636
1637 /* Add TLS extension EllipticCurves to the ClientHello message */
1638 plist = s->tlsext_ellipticcurvelist;
1639 tls1_get_curvelist(s, 0, &plist, &plistlen);
1640
1641 if ((lenmax = limit - ret - 6) < 0) return NULL;
1642 if (plistlen > (size_t)lenmax) return NULL;
1643 if (plistlen > 65532)
1644 {
1645 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1646 return NULL;
1647 }
1648
1649 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1650 s2n(plistlen + 2, ret);
1651
1652 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1653 * elliptic_curve_list, but the examples use two bytes.
1654 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1655 * resolves this to two bytes.
1656 */
1657 s2n(plistlen, ret);
1658 memcpy(ret, plist, plistlen);
1659 ret+=plistlen;
1660 }
1661#endif /* OPENSSL_NO_EC */
1662
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1663#ifdef TLSEXT_TYPE_padding
1664 /* Add padding to workaround bugs in F5 terminators.
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1665 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1666 *
1667 * NB: because this code works out the length of all existing
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1668 * extensions it MUST always appear last. */
1669 if (header_len > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1670 {
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1671 header_len += ret - orig;
1672 if (header_len > 0xff && header_len < 0x200)
1673 {
1674 size_t padding_len = 0x200 - header_len;
Adam Langleyc3174b72014-06-20 12:00:00 -0700[diff] [blame^]1675 /* Extensions take at least four bytes to encode. Always
1676 * include least one byte of data if including the
1677 * extension. WebSphere Application Server 7.0 is
1678 * intolerant to the last extension being zero-length. */
1679 if (padding_len >= 4 + 1)
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1680 padding_len -= 4;
1681 else
Adam Langleyc3174b72014-06-20 12:00:00 -0700[diff] [blame^]1682 padding_len = 1;
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1683 if (limit - ret - 4 - (long)padding_len < 0)
1684 return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1685
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1686 s2n(TLSEXT_TYPE_padding, ret);
1687 s2n(padding_len, ret);
1688 memset(ret, 0, padding_len);
1689 ret += padding_len;
1690 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1691 }
1692#endif
1693
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1694 if ((extdatalen = ret-orig-2)== 0)
1695 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1696
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1697 s2n(extdatalen, orig);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1698 return ret;
1699 }
1700
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1701unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1702 {
1703 int extdatalen=0;
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1704 unsigned char *orig = buf;
1705 unsigned char *ret = buf;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1706#ifndef OPENSSL_NO_NEXTPROTONEG
1707 int next_proto_neg_seen;
1708#endif
1709#ifndef OPENSSL_NO_EC
1710 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1711 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1712 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1713 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1714#endif
1715 /* don't add extensions for SSLv3, unless doing secure renegotiation */
1716 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1717 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1718
1719 ret+=2;
1720 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1721
1722 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1723 {
1724 if ((long)(limit - ret - 4) < 0) return NULL;
1725
1726 s2n(TLSEXT_TYPE_server_name,ret);
1727 s2n(0,ret);
1728 }
1729
1730 if(s->s3->send_connection_binding)
1731 {
1732 int el;
1733
1734 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1735 {
1736 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1737 return NULL;
1738 }
1739
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1740 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1741
1742 s2n(TLSEXT_TYPE_renegotiate,ret);
1743 s2n(el,ret);
1744
1745 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1746 {
1747 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1748 return NULL;
1749 }
1750
1751 ret += el;
1752 }
1753
1754#ifndef OPENSSL_NO_EC
1755 if (using_ecc)
1756 {
1757 const unsigned char *plist;
1758 size_t plistlen;
1759 /* Add TLS extension ECPointFormats to the ServerHello message */
1760 long lenmax;
1761
1762 tls1_get_formatlist(s, &plist, &plistlen);
1763
1764 if ((lenmax = limit - ret - 5) < 0) return NULL;
1765 if (plistlen > (size_t)lenmax) return NULL;
1766 if (plistlen > 255)
1767 {
1768 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1769 return NULL;
1770 }
1771
1772 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1773 s2n(plistlen + 1,ret);
1774 *(ret++) = (unsigned char) plistlen;
1775 memcpy(ret, plist, plistlen);
1776 ret+=plistlen;
1777
1778 }
1779 /* Currently the server should not respond with a SupportedCurves extension */
1780#endif /* OPENSSL_NO_EC */
1781
1782 if (s->tlsext_ticket_expected
1783 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
1784 {
1785 if ((long)(limit - ret - 4) < 0) return NULL;
1786 s2n(TLSEXT_TYPE_session_ticket,ret);
1787 s2n(0,ret);
1788 }
1789
1790 if (s->tlsext_status_expected)
1791 {
1792 if ((long)(limit - ret - 4) < 0) return NULL;
1793 s2n(TLSEXT_TYPE_status_request,ret);
1794 s2n(0,ret);
1795 }
1796
1797#ifdef TLSEXT_TYPE_opaque_prf_input
1798 if (s->s3->server_opaque_prf_input != NULL)
1799 {
1800 size_t sol = s->s3->server_opaque_prf_input_len;
1801
1802 if ((long)(limit - ret - 6 - sol) < 0)
1803 return NULL;
1804 if (sol > 0xFFFD) /* can't happen */
1805 return NULL;
1806
1807 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1808 s2n(sol + 2, ret);
1809 s2n(sol, ret);
1810 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1811 ret += sol;
1812 }
1813#endif
1814
1815 if(s->srtp_profile)
1816 {
1817 int el;
1818
1819 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1820
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1821 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1822
1823 s2n(TLSEXT_TYPE_use_srtp,ret);
1824 s2n(el,ret);
1825
1826 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1827 {
1828 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1829 return NULL;
1830 }
1831 ret+=el;
1832 }
1833
1834 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
1835 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1836 { const unsigned char cryptopro_ext[36] = {
1837 0xfd, 0xe8, /*65000*/
1838 0x00, 0x20, /*32 bytes length*/
1839 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1840 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1841 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1842 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1843 if (limit-ret<36) return NULL;
1844 memcpy(ret,cryptopro_ext,36);
1845 ret+=36;
1846
1847 }
1848
1849#ifndef OPENSSL_NO_HEARTBEATS
1850 /* Add Heartbeat extension if we've received one */
1851 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1852 {
1853 s2n(TLSEXT_TYPE_heartbeat,ret);
1854 s2n(1,ret);
1855 /* Set mode:
1856 * 1: peer may send requests
1857 * 2: peer not allowed to send requests
1858 */
1859 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1860 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1861 else
1862 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1863
1864 }
1865#endif
1866
1867#ifndef OPENSSL_NO_NEXTPROTONEG
1868 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1869 s->s3->next_proto_neg_seen = 0;
1870 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1871 {
1872 const unsigned char *npa;
1873 unsigned int npalen;
1874 int r;
1875
1876 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1877 if (r == SSL_TLSEXT_ERR_OK)
1878 {
1879 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1880 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1881 s2n(npalen,ret);
1882 memcpy(ret, npa, npalen);
1883 ret += npalen;
1884 s->s3->next_proto_neg_seen = 1;
1885 }
1886 }
1887#endif
1888
1889 /* If the client supports authz then see whether we have any to offer
1890 * to it. */
1891 if (s->s3->tlsext_authz_client_types_len)
1892 {
1893 size_t authz_length;
1894 /* By now we already know the new cipher, so we can look ahead
1895 * to see whether the cert we are going to send
1896 * has any authz data attached to it. */
1897 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1898 const unsigned char* const orig_authz = authz;
1899 size_t i;
1900 unsigned authz_count = 0;
1901
1902 /* The authz data contains a number of the following structures:
1903 * uint8_t authz_type
1904 * uint16_t length
1905 * uint8_t data[length]
1906 *
1907 * First we walk over it to find the number of authz elements. */
1908 for (i = 0; i < authz_length; i++)
1909 {
1910 unsigned short length;
1911 unsigned char type;
1912
1913 type = *(authz++);
1914 if (memchr(s->s3->tlsext_authz_client_types,
1915 type,
1916 s->s3->tlsext_authz_client_types_len) != NULL)
1917 authz_count++;
1918
1919 n2s(authz, length);
1920 /* n2s increments authz by 2 */
1921 i += 2;
1922 authz += length;
1923 i += length;
1924 }
1925
1926 if (authz_count)
1927 {
1928 /* Add TLS extension server_authz to the ServerHello message
1929 * 2 bytes for extension type
1930 * 2 bytes for extension length
1931 * 1 byte for the list length
1932 * n bytes for the list */
1933 const unsigned short ext_len = 1 + authz_count;
1934
1935 if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1936 s2n(TLSEXT_TYPE_server_authz, ret);
1937 s2n(ext_len, ret);
1938 *(ret++) = authz_count;
1939 s->s3->tlsext_authz_promised_to_client = 1;
1940 }
1941
1942 authz = orig_authz;
1943 for (i = 0; i < authz_length; i++)
1944 {
1945 unsigned short length;
1946 unsigned char type;
1947
1948 authz_count++;
1949 type = *(authz++);
1950 if (memchr(s->s3->tlsext_authz_client_types,
1951 type,
1952 s->s3->tlsext_authz_client_types_len) != NULL)
1953 *(ret++) = type;
1954 n2s(authz, length);
1955 /* n2s increments authz by 2 */
1956 i += 2;
1957 authz += length;
1958 i += length;
1959 }
1960 }
1961
1962 /* If custom types were sent in ClientHello, add ServerHello responses */
1963 if (s->s3->tlsext_custom_types_count)
1964 {
1965 size_t i;
1966
1967 for (i = 0; i < s->s3->tlsext_custom_types_count; i++)
1968 {
1969 size_t j;
1970 custom_srv_ext_record *record;
1971
1972 for (j = 0; j < s->ctx->custom_srv_ext_records_count; j++)
1973 {
1974 record = &s->ctx->custom_srv_ext_records[j];
1975 if (s->s3->tlsext_custom_types[i] == record->ext_type)
1976 {
1977 const unsigned char *out = NULL;
1978 unsigned short outlen = 0;
1979 int cb_retval = 0;
1980
1981 /* NULL callback or -1 omits extension */
1982 if (!record->fn2)
1983 break;
1984 cb_retval = record->fn2(s, record->ext_type,
1985 &out, &outlen,
1986 record->arg);
1987 if (cb_retval == 0)
1988 return NULL; /* error */
1989 if (cb_retval == -1)
1990 break; /* skip this extension */
1991 if (limit < ret + 4 + outlen)
1992 return NULL;
1993 s2n(record->ext_type, ret);
1994 s2n(outlen, ret);
1995 memcpy(ret, out, outlen);
1996 ret += outlen;
1997 break;
1998 }
1999 }
2000 }
2001 }
2002
2003 if (s->s3->alpn_selected)
2004 {
2005 const unsigned char *selected = s->s3->alpn_selected;
2006 unsigned len = s->s3->alpn_selected_len;
2007
2008 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
2009 return NULL;
2010 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
2011 s2n(3 + len,ret);
2012 s2n(1 + len,ret);
2013 *ret++ = len;
2014 memcpy(ret, selected, len);
2015 ret += len;
2016 }
2017
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2018 /* If the client advertised support for Channel ID, and we have it
2019 * enabled, then we want to echo it back. */
2020 if (s->s3->tlsext_channel_id_valid)
2021 {
2022 if (limit - ret - 4 < 0)
2023 return NULL;
2024 if (s->s3->tlsext_channel_id_new)
2025 s2n(TLSEXT_TYPE_channel_id_new,ret);
2026 else
2027 s2n(TLSEXT_TYPE_channel_id,ret);
2028 s2n(0,ret);
2029 }
2030
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]2031 if ((extdatalen = ret-orig-2) == 0)
2032 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2033
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]2034 s2n(extdatalen, orig);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2035 return ret;
2036 }
2037
2038#ifndef OPENSSL_NO_EC
2039/* ssl_check_for_safari attempts to fingerprint Safari using OS X
2040 * SecureTransport using the TLS extension block in |d|, of length |n|.
2041 * Safari, since 10.6, sends exactly these extensions, in this order:
2042 * SNI,
2043 * elliptic_curves
2044 * ec_point_formats
2045 *
2046 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
2047 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
2048 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
2049 * 10.8..10.8.3 (which don't work).
2050 */
2051static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
2052 unsigned short type, size;
2053 static const unsigned char kSafariExtensionsBlock[] = {
2054 0x00, 0x0a, /* elliptic_curves extension */
2055 0x00, 0x08, /* 8 bytes */
2056 0x00, 0x06, /* 6 bytes of curve ids */
2057 0x00, 0x17, /* P-256 */
2058 0x00, 0x18, /* P-384 */
2059 0x00, 0x19, /* P-521 */
2060
2061 0x00, 0x0b, /* ec_point_formats */
2062 0x00, 0x02, /* 2 bytes */
2063 0x01, /* 1 point format */
2064 0x00, /* uncompressed */
2065 };
2066
2067 /* The following is only present in TLS 1.2 */
2068 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
2069 0x00, 0x0d, /* signature_algorithms */
2070 0x00, 0x0c, /* 12 bytes */
2071 0x00, 0x0a, /* 10 bytes */
2072 0x05, 0x01, /* SHA-384/RSA */
2073 0x04, 0x01, /* SHA-256/RSA */
2074 0x02, 0x01, /* SHA-1/RSA */
2075 0x04, 0x03, /* SHA-256/ECDSA */
2076 0x02, 0x03, /* SHA-1/ECDSA */
2077 };
2078
2079 if (data >= (d+n-2))
2080 return;
2081 data += 2;
2082
2083 if (data > (d+n-4))
2084 return;
2085 n2s(data,type);
2086 n2s(data,size);
2087
2088 if (type != TLSEXT_TYPE_server_name)
2089 return;
2090
2091 if (data+size > d+n)
2092 return;
2093 data += size;
2094
2095 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
2096 {
2097 const size_t len1 = sizeof(kSafariExtensionsBlock);
2098 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
2099
2100 if (data + len1 + len2 != d+n)
2101 return;
2102 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
2103 return;
2104 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
2105 return;
2106 }
2107 else
2108 {
2109 const size_t len = sizeof(kSafariExtensionsBlock);
2110
2111 if (data + len != d+n)
2112 return;
2113 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
2114 return;
2115 }
2116
2117 s->s3->is_probably_safari = 1;
2118}
2119#endif /* !OPENSSL_NO_EC */
2120
2121/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
2122 * ClientHello.
2123 * data: the contents of the extension, not including the type and length.
2124 * data_len: the number of bytes in |data|
2125 * al: a pointer to the alert value to send in the event of a non-zero
2126 * return.
2127 *
2128 * returns: 0 on success. */
2129static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
2130 unsigned data_len, int *al)
2131 {
2132 unsigned i;
2133 unsigned proto_len;
2134 const unsigned char *selected;
2135 unsigned char selected_len;
2136 int r;
2137
2138 if (s->ctx->alpn_select_cb == NULL)
2139 return 0;
2140
2141 if (data_len < 2)
2142 goto parse_error;
2143
2144 /* data should contain a uint16 length followed by a series of 8-bit,
2145 * length-prefixed strings. */
2146 i = ((unsigned) data[0]) << 8 |
2147 ((unsigned) data[1]);
2148 data_len -= 2;
2149 data += 2;
2150 if (data_len != i)
2151 goto parse_error;
2152
2153 if (data_len < 2)
2154 goto parse_error;
2155
2156 for (i = 0; i < data_len;)
2157 {
2158 proto_len = data[i];
2159 i++;
2160
2161 if (proto_len == 0)
2162 goto parse_error;
2163
2164 if (i + proto_len < i || i + proto_len > data_len)
2165 goto parse_error;
2166
2167 i += proto_len;
2168 }
2169
2170 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
2171 s->ctx->alpn_select_cb_arg);
2172 if (r == SSL_TLSEXT_ERR_OK) {
2173 if (s->s3->alpn_selected)
2174 OPENSSL_free(s->s3->alpn_selected);
2175 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
2176 if (!s->s3->alpn_selected)
2177 {
2178 *al = SSL_AD_INTERNAL_ERROR;
2179 return -1;
2180 }
2181 memcpy(s->s3->alpn_selected, selected, selected_len);
2182 s->s3->alpn_selected_len = selected_len;
2183 }
2184 return 0;
2185
2186parse_error:
2187 *al = SSL_AD_DECODE_ERROR;
2188 return -1;
2189 }
2190
2191static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2192 {
2193 unsigned short type;
2194 unsigned short size;
2195 unsigned short len;
2196 unsigned char *data = *p;
2197 int renegotiate_seen = 0;
2198 size_t i;
2199
2200 s->servername_done = 0;
2201 s->tlsext_status_type = -1;
2202#ifndef OPENSSL_NO_NEXTPROTONEG
2203 s->s3->next_proto_neg_seen = 0;
2204#endif
2205
2206 /* Clear observed custom extensions */
2207 s->s3->tlsext_custom_types_count = 0;
2208 if (s->s3->tlsext_custom_types != NULL)
2209 {
2210 OPENSSL_free(s->s3->tlsext_custom_types);
2211 s->s3->tlsext_custom_types = NULL;
2212 }
2213
2214 if (s->s3->alpn_selected)
2215 {
2216 OPENSSL_free(s->s3->alpn_selected);
2217 s->s3->alpn_selected = NULL;
2218 }
2219
2220#ifndef OPENSSL_NO_HEARTBEATS
2221 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2222 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2223#endif
2224
2225#ifndef OPENSSL_NO_EC
2226 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
2227 ssl_check_for_safari(s, data, d, n);
2228#endif /* !OPENSSL_NO_EC */
2229
2230 /* Clear any signature algorithms extension received */
2231 if (s->cert->peer_sigalgs)
2232 {
2233 OPENSSL_free(s->cert->peer_sigalgs);
2234 s->cert->peer_sigalgs = NULL;
2235 }
2236 /* Clear any shared sigtnature algorithms */
2237 if (s->cert->shared_sigalgs)
2238 {
2239 OPENSSL_free(s->cert->shared_sigalgs);
2240 s->cert->shared_sigalgs = NULL;
2241 }
2242 /* Clear certificate digests and validity flags */
2243 for (i = 0; i < SSL_PKEY_NUM; i++)
2244 {
2245 s->cert->pkeys[i].digest = NULL;
2246 s->cert->pkeys[i].valid_flags = 0;
2247 }
2248
2249 if (data >= (d+n-2))
2250 goto ri_check;
2251 n2s(data,len);
2252
2253 if (data > (d+n-len))
2254 goto ri_check;
2255
2256 while (data <= (d+n-4))
2257 {
2258 n2s(data,type);
2259 n2s(data,size);
2260
2261 if (data+size > (d+n))
2262 goto ri_check;
2263#if 0
2264 fprintf(stderr,"Received extension type %d size %d\n",type,size);
2265#endif
2266 if (s->tlsext_debug_cb)
2267 s->tlsext_debug_cb(s, 0, type, data, size,
2268 s->tlsext_debug_arg);
2269/* The servername extension is treated as follows:
2270
2271 - Only the hostname type is supported with a maximum length of 255.
2272 - The servername is rejected if too long or if it contains zeros,
2273 in which case an fatal alert is generated.
2274 - The servername field is maintained together with the session cache.
2275 - When a session is resumed, the servername call back invoked in order
2276 to allow the application to position itself to the right context.
2277 - The servername is acknowledged if it is new for a session or when
2278 it is identical to a previously used for the same session.
2279 Applications can control the behaviour. They can at any time
2280 set a 'desirable' servername for a new SSL object. This can be the
2281 case for example with HTTPS when a Host: header field is received and
2282 a renegotiation is requested. In this case, a possible servername
2283 presented in the new client hello is only acknowledged if it matches
2284 the value of the Host: field.
2285 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2286 if they provide for changing an explicit servername context for the session,
2287 i.e. when the session has been established with a servername extension.
2288 - On session reconnect, the servername extension may be absent.
2289
2290*/
2291
2292 if (type == TLSEXT_TYPE_server_name)
2293 {
2294 unsigned char *sdata;
2295 int servname_type;
2296 int dsize;
2297
2298 if (size < 2)
2299 {
2300 *al = SSL_AD_DECODE_ERROR;
2301 return 0;
2302 }
2303 n2s(data,dsize);
2304 size -= 2;
2305 if (dsize > size )
2306 {
2307 *al = SSL_AD_DECODE_ERROR;
2308 return 0;
2309 }
2310
2311 sdata = data;
2312 while (dsize > 3)
2313 {
2314 servname_type = *(sdata++);
2315 n2s(sdata,len);
2316 dsize -= 3;
2317
2318 if (len > dsize)
2319 {
2320 *al = SSL_AD_DECODE_ERROR;
2321 return 0;
2322 }
2323 if (s->servername_done == 0)
2324 switch (servname_type)
2325 {
2326 case TLSEXT_NAMETYPE_host_name:
2327 if (!s->hit)
2328 {
2329 if(s->session->tlsext_hostname)
2330 {
2331 *al = SSL_AD_DECODE_ERROR;
2332 return 0;
2333 }
2334 if (len > TLSEXT_MAXLEN_host_name)
2335 {
2336 *al = TLS1_AD_UNRECOGNIZED_NAME;
2337 return 0;
2338 }
2339 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2340 {
2341 *al = TLS1_AD_INTERNAL_ERROR;
2342 return 0;
2343 }
2344 memcpy(s->session->tlsext_hostname, sdata, len);
2345 s->session->tlsext_hostname[len]='\0';
2346 if (strlen(s->session->tlsext_hostname) != len) {
2347 OPENSSL_free(s->session->tlsext_hostname);
2348 s->session->tlsext_hostname = NULL;
2349 *al = TLS1_AD_UNRECOGNIZED_NAME;
2350 return 0;
2351 }
2352 s->servername_done = 1;
2353
2354 }
2355 else
2356 s->servername_done = s->session->tlsext_hostname
2357 && strlen(s->session->tlsext_hostname) == len
2358 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2359
2360 break;
2361
2362 default:
2363 break;
2364 }
2365
2366 dsize -= len;
2367 }
2368 if (dsize != 0)
2369 {
2370 *al = SSL_AD_DECODE_ERROR;
2371 return 0;
2372 }
2373
2374 }
2375
2376#ifndef OPENSSL_NO_EC
2377 else if (type == TLSEXT_TYPE_ec_point_formats)
2378 {
2379 unsigned char *sdata = data;
2380 int ecpointformatlist_length = *(sdata++);
2381
2382 if (ecpointformatlist_length != size - 1 ||
2383 ecpointformatlist_length < 1)
2384 {
2385 *al = TLS1_AD_DECODE_ERROR;
2386 return 0;
2387 }
2388 if (!s->hit)
2389 {
2390 if(s->session->tlsext_ecpointformatlist)
2391 {
2392 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2393 s->session->tlsext_ecpointformatlist = NULL;
2394 }
2395 s->session->tlsext_ecpointformatlist_length = 0;
2396 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2397 {
2398 *al = TLS1_AD_INTERNAL_ERROR;
2399 return 0;
2400 }
2401 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2402 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2403 }
2404#if 0
2405 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2406 sdata = s->session->tlsext_ecpointformatlist;
2407 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2408 fprintf(stderr,"%i ",*(sdata++));
2409 fprintf(stderr,"\n");
2410#endif
2411 }
2412 else if (type == TLSEXT_TYPE_elliptic_curves)
2413 {
2414 unsigned char *sdata = data;
2415 int ellipticcurvelist_length = (*(sdata++) << 8);
2416 ellipticcurvelist_length += (*(sdata++));
2417
2418 if (ellipticcurvelist_length != size - 2 ||
2419 ellipticcurvelist_length < 1)
2420 {
2421 *al = TLS1_AD_DECODE_ERROR;
2422 return 0;
2423 }
2424 if (!s->hit)
2425 {
2426 if(s->session->tlsext_ellipticcurvelist)
2427 {
2428 *al = TLS1_AD_DECODE_ERROR;
2429 return 0;
2430 }
2431 s->session->tlsext_ellipticcurvelist_length = 0;
2432 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2433 {
2434 *al = TLS1_AD_INTERNAL_ERROR;
2435 return 0;
2436 }
2437 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2438 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2439 }
2440#if 0
2441 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2442 sdata = s->session->tlsext_ellipticcurvelist;
2443 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2444 fprintf(stderr,"%i ",*(sdata++));
2445 fprintf(stderr,"\n");
2446#endif
2447 }
2448#endif /* OPENSSL_NO_EC */
2449#ifdef TLSEXT_TYPE_opaque_prf_input
2450 else if (type == TLSEXT_TYPE_opaque_prf_input)
2451 {
2452 unsigned char *sdata = data;
2453
2454 if (size < 2)
2455 {
2456 *al = SSL_AD_DECODE_ERROR;
2457 return 0;
2458 }
2459 n2s(sdata, s->s3->client_opaque_prf_input_len);
2460 if (s->s3->client_opaque_prf_input_len != size - 2)
2461 {
2462 *al = SSL_AD_DECODE_ERROR;
2463 return 0;
2464 }
2465
2466 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2467 OPENSSL_free(s->s3->client_opaque_prf_input);
2468 if (s->s3->client_opaque_prf_input_len == 0)
2469 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2470 else
2471 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2472 if (s->s3->client_opaque_prf_input == NULL)
2473 {
2474 *al = TLS1_AD_INTERNAL_ERROR;
2475 return 0;
2476 }
2477 }
2478#endif
2479 else if (type == TLSEXT_TYPE_session_ticket)
2480 {
2481 if (s->tls_session_ticket_ext_cb &&
2482 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2483 {
2484 *al = TLS1_AD_INTERNAL_ERROR;
2485 return 0;
2486 }
2487 }
2488 else if (type == TLSEXT_TYPE_renegotiate)
2489 {
2490 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2491 return 0;
2492 renegotiate_seen = 1;
2493 }
2494 else if (type == TLSEXT_TYPE_signature_algorithms)
2495 {
2496 int dsize;
2497 if (s->cert->peer_sigalgs || size < 2)
2498 {
2499 *al = SSL_AD_DECODE_ERROR;
2500 return 0;
2501 }
2502 n2s(data,dsize);
2503 size -= 2;
2504 if (dsize != size || dsize & 1 || !dsize)
2505 {
2506 *al = SSL_AD_DECODE_ERROR;
2507 return 0;
2508 }
2509 if (!tls1_process_sigalgs(s, data, dsize))
2510 {
2511 *al = SSL_AD_DECODE_ERROR;
2512 return 0;
2513 }
2514 /* If sigalgs received and no shared algorithms fatal
2515 * error.
2516 */
2517 if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
2518 {
2519 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2520 *al = SSL_AD_ILLEGAL_PARAMETER;
2521 return 0;
2522 }
2523 }
2524
2525 /* TODO(fork): we probably want OCSP stapling support, but this pulls in a lot of code. */
2526#if 0
2527 else if (type == TLSEXT_TYPE_status_request)
2528 {
2529
2530 if (size < 5)
2531 {
2532 *al = SSL_AD_DECODE_ERROR;
2533 return 0;
2534 }
2535
2536 s->tlsext_status_type = *data++;
2537 size--;
2538 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2539 {
2540 const unsigned char *sdata;
2541 int dsize;
2542 /* Read in responder_id_list */
2543 n2s(data,dsize);
2544 size -= 2;
2545 if (dsize > size )
2546 {
2547 *al = SSL_AD_DECODE_ERROR;
2548 return 0;
2549 }
2550 while (dsize > 0)
2551 {
2552 OCSP_RESPID *id;
2553 int idsize;
2554 if (dsize < 4)
2555 {
2556 *al = SSL_AD_DECODE_ERROR;
2557 return 0;
2558 }
2559 n2s(data, idsize);
2560 dsize -= 2 + idsize;
2561 size -= 2 + idsize;
2562 if (dsize < 0)
2563 {
2564 *al = SSL_AD_DECODE_ERROR;
2565 return 0;
2566 }
2567 sdata = data;
2568 data += idsize;
2569 id = d2i_OCSP_RESPID(NULL,
2570 &sdata, idsize);
2571 if (!id)
2572 {
2573 *al = SSL_AD_DECODE_ERROR;
2574 return 0;
2575 }
2576 if (data != sdata)
2577 {
2578 OCSP_RESPID_free(id);
2579 *al = SSL_AD_DECODE_ERROR;
2580 return 0;
2581 }
2582 if (!s->tlsext_ocsp_ids
2583 && !(s->tlsext_ocsp_ids =
2584 sk_OCSP_RESPID_new_null()))
2585 {
2586 OCSP_RESPID_free(id);
2587 *al = SSL_AD_INTERNAL_ERROR;
2588 return 0;
2589 }
2590 if (!sk_OCSP_RESPID_push(
2591 s->tlsext_ocsp_ids, id))
2592 {
2593 OCSP_RESPID_free(id);
2594 *al = SSL_AD_INTERNAL_ERROR;
2595 return 0;
2596 }
2597 }
2598
2599 /* Read in request_extensions */
2600 if (size < 2)
2601 {
2602 *al = SSL_AD_DECODE_ERROR;
2603 return 0;
2604 }
2605 n2s(data,dsize);
2606 size -= 2;
2607 if (dsize != size)
2608 {
2609 *al = SSL_AD_DECODE_ERROR;
2610 return 0;
2611 }
2612 sdata = data;
2613 if (dsize > 0)
2614 {
2615 if (s->tlsext_ocsp_exts)
2616 {
2617 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2618 X509_EXTENSION_free);
2619 }
2620
2621 s->tlsext_ocsp_exts =
2622 d2i_X509_EXTENSIONS(NULL,
2623 &sdata, dsize);
2624 if (!s->tlsext_ocsp_exts
2625 || (data + dsize != sdata))
2626 {
2627 *al = SSL_AD_DECODE_ERROR;
2628 return 0;
2629 }
2630 }
2631 }
2632 /* We don't know what to do with any other type
2633 * so ignore it.
2634 */
2635 else
2636 s->tlsext_status_type = -1;
2637 }
2638#endif
2639
2640#ifndef OPENSSL_NO_HEARTBEATS
2641 else if (type == TLSEXT_TYPE_heartbeat)
2642 {
2643 switch(data[0])
2644 {
2645 case 0x01: /* Client allows us to send HB requests */
2646 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2647 break;
2648 case 0x02: /* Client doesn't accept HB requests */
2649 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2650 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2651 break;
2652 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2653 return 0;
2654 }
2655 }
2656#endif
2657#ifndef OPENSSL_NO_NEXTPROTONEG
2658 else if (type == TLSEXT_TYPE_next_proto_neg &&
2659 s->s3->tmp.finish_md_len == 0 &&
2660 s->s3->alpn_selected == NULL)
2661 {
2662 /* We shouldn't accept this extension on a
2663 * renegotiation.
2664 *
2665 * s->new_session will be set on renegotiation, but we
2666 * probably shouldn't rely that it couldn't be set on
2667 * the initial renegotation too in certain cases (when
2668 * there's some other reason to disallow resuming an
2669 * earlier session -- the current code won't be doing
2670 * anything like that, but this might change).
2671
2672 * A valid sign that there's been a previous handshake
2673 * in this connection is if s->s3->tmp.finish_md_len >
2674 * 0. (We are talking about a check that will happen
2675 * in the Hello protocol round, well before a new
2676 * Finished message could have been computed.) */
2677 s->s3->next_proto_neg_seen = 1;
2678 }
2679#endif
2680
2681 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2682 s->ctx->alpn_select_cb &&
2683 s->s3->tmp.finish_md_len == 0)
2684 {
2685 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2686 return 0;
2687#ifndef OPENSSL_NO_NEXTPROTONEG
2688 /* ALPN takes precedence over NPN. */
2689 s->s3->next_proto_neg_seen = 0;
2690#endif
2691 }
2692
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2693 else if (type == TLSEXT_TYPE_channel_id &&
2694 s->tlsext_channel_id_enabled)
2695 s->s3->tlsext_channel_id_valid = 1;
2696
2697 else if (type == TLSEXT_TYPE_channel_id_new &&
2698 s->tlsext_channel_id_enabled)
2699 {
2700 s->s3->tlsext_channel_id_valid = 1;
2701 s->s3->tlsext_channel_id_new = 1;
2702 }
2703
2704
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2705 /* session ticket processed earlier */
2706 else if (type == TLSEXT_TYPE_use_srtp)
2707 {
2708 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2709 al))
2710 return 0;
2711 }
2712
2713 else if (type == TLSEXT_TYPE_server_authz)
2714 {
2715 unsigned char *sdata = data;
2716 unsigned char server_authz_dataformatlist_length;
2717
2718 if (size == 0)
2719 {
2720 *al = TLS1_AD_DECODE_ERROR;
2721 return 0;
2722 }
2723
2724 server_authz_dataformatlist_length = *(sdata++);
2725
2726 if (server_authz_dataformatlist_length != size - 1)
2727 {
2728 *al = TLS1_AD_DECODE_ERROR;
2729 return 0;
2730 }
2731
2732 /* Successful session resumption uses the same authz
2733 * information as the original session so we ignore this
2734 * in the case of a session resumption. */
2735 if (!s->hit)
2736 {
2737 if (s->s3->tlsext_authz_client_types != NULL)
2738 OPENSSL_free(s->s3->tlsext_authz_client_types);
2739 s->s3->tlsext_authz_client_types =
2740 OPENSSL_malloc(server_authz_dataformatlist_length);
2741 if (!s->s3->tlsext_authz_client_types)
2742 {
2743 *al = TLS1_AD_INTERNAL_ERROR;
2744 return 0;
2745 }
2746
2747 s->s3->tlsext_authz_client_types_len =
2748 server_authz_dataformatlist_length;
2749 memcpy(s->s3->tlsext_authz_client_types,
2750 sdata,
2751 server_authz_dataformatlist_length);
2752
2753 /* Sort the types in order to check for duplicates. */
2754 qsort(s->s3->tlsext_authz_client_types,
2755 server_authz_dataformatlist_length,
2756 1 /* element size */,
2757 byte_compare);
2758
2759 for (i = 0; i < server_authz_dataformatlist_length; i++)
2760 {
2761 if (i > 0 &&
2762 s->s3->tlsext_authz_client_types[i] ==
2763 s->s3->tlsext_authz_client_types[i-1])
2764 {
2765 *al = TLS1_AD_DECODE_ERROR;
2766 return 0;
2767 }
2768 }
2769 }
2770 }
2771
2772 /* If this ClientHello extension was unhandled and this is
2773 * a nonresumed connection, check whether the extension is a
2774 * custom TLS Extension (has a custom_srv_ext_record), and if
2775 * so call the callback and record the extension number so that
2776 * an appropriate ServerHello may be later returned.
2777 */
2778 else if (!s->hit && s->ctx->custom_srv_ext_records_count)
2779 {
2780 custom_srv_ext_record *record;
2781
2782 for (i=0; i < s->ctx->custom_srv_ext_records_count; i++)
2783 {
2784 record = &s->ctx->custom_srv_ext_records[i];
2785 if (type == record->ext_type)
2786 {
2787 size_t j;
2788
2789 /* Error on duplicate TLS Extensions */
2790 for (j = 0; j < s->s3->tlsext_custom_types_count; j++)
2791 {
2792 if (type == s->s3->tlsext_custom_types[j])
2793 {
2794 *al = TLS1_AD_DECODE_ERROR;
2795 return 0;
2796 }
2797 }
2798
2799 /* NULL callback still notes the extension */
2800 if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
2801 return 0;
2802
2803 /* Add the (non-duplicated) entry */
2804 s->s3->tlsext_custom_types_count++;
2805 s->s3->tlsext_custom_types = OPENSSL_realloc(
2806 s->s3->tlsext_custom_types,
2807 s->s3->tlsext_custom_types_count * 2);
2808 if (s->s3->tlsext_custom_types == NULL)
2809 {
2810 s->s3->tlsext_custom_types = 0;
2811 *al = TLS1_AD_INTERNAL_ERROR;
2812 return 0;
2813 }
2814 s->s3->tlsext_custom_types[
2815 s->s3->tlsext_custom_types_count - 1] = type;
2816 }
2817 }
2818 }
2819
2820 data+=size;
2821 }
2822
2823 *p = data;
2824
2825 ri_check:
2826
2827 /* Need RI if renegotiating */
2828
2829 if (!renegotiate_seen && s->renegotiate &&
2830 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2831 {
2832 *al = SSL_AD_HANDSHAKE_FAILURE;
2833 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2834 return 0;
2835 }
2836 /* If no signature algorithms extension set default values */
2837 if (!s->cert->peer_sigalgs)
2838 ssl_cert_set_default_md(s->cert);
2839
2840 return 1;
2841 }
2842
2843int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
2844 {
2845 int al = -1;
2846 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0)
2847 {
2848 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2849 return 0;
2850 }
2851
2852 if (ssl_check_clienthello_tlsext_early(s) <= 0)
2853 {
2854 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_CLIENTHELLO_TLSEXT);
2855 return 0;
2856 }
2857 return 1;
2858}
2859
2860#ifndef OPENSSL_NO_NEXTPROTONEG
2861/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2862 * elements of zero length are allowed and the set of elements must exactly fill
2863 * the length of the block. */
2864static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2865 {
2866 unsigned int off = 0;
2867
2868 while (off < len)
2869 {
2870 if (d[off] == 0)
2871 return 0;
2872 off += d[off];
2873 off++;
2874 }
2875
2876 return off == len;
2877 }
2878#endif
2879
2880static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2881 {
2882 unsigned short length;
2883 unsigned short type;
2884 unsigned short size;
2885 unsigned char *data = *p;
2886 int tlsext_servername = 0;
2887 int renegotiate_seen = 0;
2888
2889#ifndef OPENSSL_NO_NEXTPROTONEG
2890 s->s3->next_proto_neg_seen = 0;
2891#endif
2892
2893 if (s->s3->alpn_selected)
2894 {
2895 OPENSSL_free(s->s3->alpn_selected);
2896 s->s3->alpn_selected = NULL;
2897 }
2898
2899#ifndef OPENSSL_NO_HEARTBEATS
2900 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2901 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2902#endif
2903
2904 if (data >= (d+n-2))
2905 goto ri_check;
2906
2907 n2s(data,length);
2908 if (data+length != d+n)
2909 {
2910 *al = SSL_AD_DECODE_ERROR;
2911 return 0;
2912 }
2913
2914 while(data <= (d+n-4))
2915 {
2916 n2s(data,type);
2917 n2s(data,size);
2918
2919 if (data+size > (d+n))
2920 goto ri_check;
2921
2922 if (s->tlsext_debug_cb)
2923 s->tlsext_debug_cb(s, 1, type, data, size,
2924 s->tlsext_debug_arg);
2925
2926 if (type == TLSEXT_TYPE_server_name)
2927 {
2928 if (s->tlsext_hostname == NULL || size > 0)
2929 {
2930 *al = TLS1_AD_UNRECOGNIZED_NAME;
2931 return 0;
2932 }
2933 tlsext_servername = 1;
2934 }
2935
2936#ifndef OPENSSL_NO_EC
2937 else if (type == TLSEXT_TYPE_ec_point_formats)
2938 {
2939 unsigned char *sdata = data;
2940 int ecpointformatlist_length = *(sdata++);
2941
2942 if (ecpointformatlist_length != size - 1)
2943 {
2944 *al = TLS1_AD_DECODE_ERROR;
2945 return 0;
2946 }
2947 s->session->tlsext_ecpointformatlist_length = 0;
2948 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2949 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2950 {
2951 *al = TLS1_AD_INTERNAL_ERROR;
2952 return 0;
2953 }
2954 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2955 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2956#if 0
2957 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2958 sdata = s->session->tlsext_ecpointformatlist;
2959 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2960 fprintf(stderr,"%i ",*(sdata++));
2961 fprintf(stderr,"\n");
2962#endif
2963 }
2964#endif /* OPENSSL_NO_EC */
2965
2966 else if (type == TLSEXT_TYPE_session_ticket)
2967 {
2968 if (s->tls_session_ticket_ext_cb &&
2969 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2970 {
2971 *al = TLS1_AD_INTERNAL_ERROR;
2972 return 0;
2973 }
2974 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2975 || (size > 0))
2976 {
2977 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2978 return 0;
2979 }
2980 s->tlsext_ticket_expected = 1;
2981 }
2982#ifdef TLSEXT_TYPE_opaque_prf_input
2983 else if (type == TLSEXT_TYPE_opaque_prf_input)
2984 {
2985 unsigned char *sdata = data;
2986
2987 if (size < 2)
2988 {
2989 *al = SSL_AD_DECODE_ERROR;
2990 return 0;
2991 }
2992 n2s(sdata, s->s3->server_opaque_prf_input_len);
2993 if (s->s3->server_opaque_prf_input_len != size - 2)
2994 {
2995 *al = SSL_AD_DECODE_ERROR;
2996 return 0;
2997 }
2998
2999 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
3000 OPENSSL_free(s->s3->server_opaque_prf_input);
3001 if (s->s3->server_opaque_prf_input_len == 0)
3002 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3003 else
3004 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
3005
3006 if (s->s3->server_opaque_prf_input == NULL)
3007 {
3008 *al = TLS1_AD_INTERNAL_ERROR;
3009 return 0;
3010 }
3011 }
3012#endif
3013 else if (type == TLSEXT_TYPE_status_request)
3014 {
3015 /* MUST be empty and only sent if we've requested
3016 * a status request message.
3017 */
3018 if ((s->tlsext_status_type == -1) || (size > 0))
3019 {
3020 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3021 return 0;
3022 }
3023 /* Set flag to expect CertificateStatus message */
3024 s->tlsext_status_expected = 1;
3025 }
3026#ifndef OPENSSL_NO_NEXTPROTONEG
3027 else if (type == TLSEXT_TYPE_next_proto_neg &&
3028 s->s3->tmp.finish_md_len == 0)
3029 {
3030 unsigned char *selected;
3031 unsigned char selected_len;
3032
3033 /* We must have requested it. */
3034 if (s->ctx->next_proto_select_cb == NULL)
3035 {
3036 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3037 return 0;
3038 }
3039 /* The data must be valid */
3040 if (!ssl_next_proto_validate(data, size))
3041 {
3042 *al = TLS1_AD_DECODE_ERROR;
3043 return 0;
3044 }
3045 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
3046 {
3047 *al = TLS1_AD_INTERNAL_ERROR;
3048 return 0;
3049 }
3050 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
3051 if (!s->next_proto_negotiated)
3052 {
3053 *al = TLS1_AD_INTERNAL_ERROR;
3054 return 0;
3055 }
3056 memcpy(s->next_proto_negotiated, selected, selected_len);
3057 s->next_proto_negotiated_len = selected_len;
3058 s->s3->next_proto_neg_seen = 1;
3059 }
3060#endif
3061
3062 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
3063 {
3064 unsigned len;
3065
3066 /* We must have requested it. */
3067 if (s->alpn_client_proto_list == NULL)
3068 {
3069 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3070 return 0;
3071 }
3072 if (size < 4)
3073 {
3074 *al = TLS1_AD_DECODE_ERROR;
3075 return 0;
3076 }
3077 /* The extension data consists of:
3078 * uint16 list_length
3079 * uint8 proto_length;
3080 * uint8 proto[proto_length]; */
3081 len = data[0];
3082 len <<= 8;
3083 len |= data[1];
3084 if (len != (unsigned) size - 2)
3085 {
3086 *al = TLS1_AD_DECODE_ERROR;
3087 return 0;
3088 }
3089 len = data[2];
3090 if (len != (unsigned) size - 3)
3091 {
3092 *al = TLS1_AD_DECODE_ERROR;
3093 return 0;
3094 }
3095 if (s->s3->alpn_selected)
3096 OPENSSL_free(s->s3->alpn_selected);
3097 s->s3->alpn_selected = OPENSSL_malloc(len);
3098 if (!s->s3->alpn_selected)
3099 {
3100 *al = TLS1_AD_INTERNAL_ERROR;
3101 return 0;
3102 }
3103 memcpy(s->s3->alpn_selected, data + 3, len);
3104 s->s3->alpn_selected_len = len;
3105 }
3106
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]3107 else if (type == TLSEXT_TYPE_channel_id)
3108 s->s3->tlsext_channel_id_valid = 1;
3109
3110 else if (type == TLSEXT_TYPE_channel_id_new)
3111 {
3112 s->s3->tlsext_channel_id_valid = 1;
3113 s->s3->tlsext_channel_id_new = 1;
3114 }
3115
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3116 else if (type == TLSEXT_TYPE_renegotiate)
3117 {
3118 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
3119 return 0;
3120 renegotiate_seen = 1;
3121 }
3122#ifndef OPENSSL_NO_HEARTBEATS
3123 else if (type == TLSEXT_TYPE_heartbeat)
3124 {
3125 switch(data[0])
3126 {
3127 case 0x01: /* Server allows us to send HB requests */
3128 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
3129 break;
3130 case 0x02: /* Server doesn't accept HB requests */
3131 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
3132 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
3133 break;
3134 default: *al = SSL_AD_ILLEGAL_PARAMETER;
3135 return 0;
3136 }
3137 }
3138#endif
3139 else if (type == TLSEXT_TYPE_use_srtp)
3140 {
3141 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
3142 al))
3143 return 0;
3144 }
3145
3146 else if (type == TLSEXT_TYPE_server_authz)
3147 {
3148 /* We only support audit proofs. It's an error to send
3149 * an authz hello extension if the client
3150 * didn't request a proof. */
3151 unsigned char *sdata = data;
3152 unsigned char server_authz_dataformatlist_length;
3153
3154 if (!s->ctx->tlsext_authz_server_audit_proof_cb)
3155 {
3156 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3157 return 0;
3158 }
3159
3160 if (!size)
3161 {
3162 *al = TLS1_AD_DECODE_ERROR;
3163 return 0;
3164 }
3165
3166 server_authz_dataformatlist_length = *(sdata++);
3167 if (server_authz_dataformatlist_length != size - 1)
3168 {
3169 *al = TLS1_AD_DECODE_ERROR;
3170 return 0;
3171 }
3172
3173 /* We only support audit proofs, so a legal ServerHello
3174 * authz list contains exactly one entry. */
3175 if (server_authz_dataformatlist_length != 1 ||
3176 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
3177 {
3178 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3179 return 0;
3180 }
3181
3182 s->s3->tlsext_authz_server_promised = 1;
3183 }
3184
3185 /* If this extension type was not otherwise handled, but
3186 * matches a custom_cli_ext_record, then send it to the c
3187 * callback */
3188 else if (s->ctx->custom_cli_ext_records_count)
3189 {
3190 size_t i;
3191 custom_cli_ext_record* record;
3192
3193 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
3194 {
3195 record = &s->ctx->custom_cli_ext_records[i];
3196 if (record->ext_type == type)
3197 {
3198 if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
3199 return 0;
3200 break;
3201 }
3202 }
3203 }
3204
3205 data += size;
3206 }
3207
3208 if (data != d+n)
3209 {
3210 *al = SSL_AD_DECODE_ERROR;
3211 return 0;
3212 }
3213
3214 if (!s->hit && tlsext_servername == 1)
3215 {
3216 if (s->tlsext_hostname)
3217 {
3218 if (s->session->tlsext_hostname == NULL)
3219 {
3220 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
3221 if (!s->session->tlsext_hostname)
3222 {
3223 *al = SSL_AD_UNRECOGNIZED_NAME;
3224 return 0;
3225 }
3226 }
3227 else
3228 {
3229 *al = SSL_AD_DECODE_ERROR;
3230 return 0;
3231 }
3232 }
3233 }
3234
3235 *p = data;
3236
3237 ri_check:
3238
3239 /* Determine if we need to see RI. Strictly speaking if we want to
3240 * avoid an attack we should *always* see RI even on initial server
3241 * hello because the client doesn't see any renegotiation during an
3242 * attack. However this would mean we could not connect to any server
3243 * which doesn't support RI so for the immediate future tolerate RI
3244 * absence on initial connect only.
3245 */
3246 if (!renegotiate_seen
3247 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
3248 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
3249 {
3250 *al = SSL_AD_HANDSHAKE_FAILURE;
3251 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
3252 return 0;
3253 }
3254
3255 return 1;
3256 }
3257
3258
3259int ssl_prepare_clienthello_tlsext(SSL *s)
3260 {
3261
3262#ifdef TLSEXT_TYPE_opaque_prf_input
3263 {
3264 int r = 1;
3265
3266 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
3267 {
3268 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
3269 if (!r)
3270 return -1;
3271 }
3272
3273 if (s->tlsext_opaque_prf_input != NULL)
3274 {
3275 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
3276 OPENSSL_free(s->s3->client_opaque_prf_input);
3277
3278 if (s->tlsext_opaque_prf_input_len == 0)
3279 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3280 else
3281 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3282 if (s->s3->client_opaque_prf_input == NULL)
3283 {
3284 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_MALLOC_FAILURE);
3285 return -1;
3286 }
3287 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3288 }
3289
3290 if (r == 2)
3291 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
3292 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3293 }
3294#endif
3295
3296 return 1;
3297 }
3298
3299int ssl_prepare_serverhello_tlsext(SSL *s)
3300 {
3301 return 1;
3302 }
3303
3304static int ssl_check_clienthello_tlsext_early(SSL *s)
3305 {
3306 int ret=SSL_TLSEXT_ERR_NOACK;
3307 int al = SSL_AD_UNRECOGNIZED_NAME;
3308
3309#ifndef OPENSSL_NO_EC
3310 /* The handling of the ECPointFormats extension is done elsewhere, namely in
3311 * ssl3_choose_cipher in s3_lib.c.
3312 */
3313 /* The handling of the EllipticCurves extension is done elsewhere, namely in
3314 * ssl3_choose_cipher in s3_lib.c.
3315 */
3316#endif
3317
3318 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3319 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3320 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3321 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3322
3323#ifdef TLSEXT_TYPE_opaque_prf_input
3324 {
3325 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
3326 * but we might be sending an alert in response to the client hello,
3327 * so this has to happen here in
3328 * ssl_check_clienthello_tlsext_early(). */
3329
3330 int r = 1;
3331
3332 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
3333 {
3334 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
3335 if (!r)
3336 {
3337 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3338 al = SSL_AD_INTERNAL_ERROR;
3339 goto err;
3340 }
3341 }
3342
3343 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
3344 OPENSSL_free(s->s3->server_opaque_prf_input);
3345 s->s3->server_opaque_prf_input = NULL;
3346
3347 if (s->tlsext_opaque_prf_input != NULL)
3348 {
3349 if (s->s3->client_opaque_prf_input != NULL &&
3350 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
3351 {
3352 /* can only use this extension if we have a server opaque PRF input
3353 * of the same length as the client opaque PRF input! */
3354
3355 if (s->tlsext_opaque_prf_input_len == 0)
3356 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3357 else
3358 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3359 if (s->s3->server_opaque_prf_input == NULL)
3360 {
3361 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3362 al = SSL_AD_INTERNAL_ERROR;
3363 goto err;
3364 }
3365 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3366 }
3367 }
3368
3369 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
3370 {
3371 /* The callback wants to enforce use of the extension,
3372 * but we can't do that with the client opaque PRF input;
3373 * abort the handshake.
3374 */
3375 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3376 al = SSL_AD_HANDSHAKE_FAILURE;
3377 }
3378 }
3379
3380 err:
3381#endif
3382 switch (ret)
3383 {
3384 case SSL_TLSEXT_ERR_ALERT_FATAL:
3385 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3386 return -1;
3387
3388 case SSL_TLSEXT_ERR_ALERT_WARNING:
3389 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3390 return 1;
3391
3392 case SSL_TLSEXT_ERR_NOACK:
3393 s->servername_done=0;
3394 default:
3395 return 1;
3396 }
3397 }
3398
3399int ssl_check_clienthello_tlsext_late(SSL *s)
3400 {
3401 int ret = SSL_TLSEXT_ERR_OK;
3402 int al;
3403
3404 /* If status request then ask callback what to do.
3405 * Note: this must be called after servername callbacks in case
3406 * the certificate has changed, and must be called after the cipher
3407 * has been chosen because this may influence which certificate is sent
3408 */
3409 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
3410 {
3411 int r;
3412 CERT_PKEY *certpkey;
3413 certpkey = ssl_get_server_send_pkey(s);
3414 /* If no certificate can't return certificate status */
3415 if (certpkey == NULL)
3416 {
3417 s->tlsext_status_expected = 0;
3418 return 1;
3419 }
3420 /* Set current certificate to one we will use so
3421 * SSL_get_certificate et al can pick it up.
3422 */
3423 s->cert->key = certpkey;
3424 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3425 switch (r)
3426 {
3427 /* We don't want to send a status request response */
3428 case SSL_TLSEXT_ERR_NOACK:
3429 s->tlsext_status_expected = 0;
3430 break;
3431 /* status request response should be sent */
3432 case SSL_TLSEXT_ERR_OK:
3433 if (s->tlsext_ocsp_resp)
3434 s->tlsext_status_expected = 1;
3435 else
3436 s->tlsext_status_expected = 0;
3437 break;
3438 /* something bad happened */
3439 case SSL_TLSEXT_ERR_ALERT_FATAL:
3440 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3441 al = SSL_AD_INTERNAL_ERROR;
3442 goto err;
3443 }
3444 }
3445 else
3446 s->tlsext_status_expected = 0;
3447
3448 err:
3449 switch (ret)
3450 {
3451 case SSL_TLSEXT_ERR_ALERT_FATAL:
3452 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3453 return -1;
3454
3455 case SSL_TLSEXT_ERR_ALERT_WARNING:
3456 ssl3_send_alert(s, SSL3_AL_WARNING, al);
3457 return 1;
3458
3459 default:
3460 return 1;
3461 }
3462 }
3463
3464int ssl_check_serverhello_tlsext(SSL *s)
3465 {
3466 int ret=SSL_TLSEXT_ERR_NOACK;
3467 int al = SSL_AD_UNRECOGNIZED_NAME;
3468
3469#ifndef OPENSSL_NO_EC
3470 /* If we are client and using an elliptic curve cryptography cipher
3471 * suite, then if server returns an EC point formats lists extension
3472 * it must contain uncompressed.
3473 */
3474 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3475 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3476 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
3477 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
3478 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
3479 {
3480 /* we are using an ECC cipher */
3481 size_t i;
3482 unsigned char *list;
3483 int found_uncompressed = 0;
3484 list = s->session->tlsext_ecpointformatlist;
3485 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
3486 {
3487 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
3488 {
3489 found_uncompressed = 1;
3490 break;
3491 }
3492 }
3493 if (!found_uncompressed)
3494 {
3495 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3496 return -1;
3497 }
3498 }
3499 ret = SSL_TLSEXT_ERR_OK;
3500#endif /* OPENSSL_NO_EC */
3501
3502 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3503 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3504 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3505 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3506
3507#ifdef TLSEXT_TYPE_opaque_prf_input
3508 if (s->s3->server_opaque_prf_input_len > 0)
3509 {
3510 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
3511 * So first verify that we really have a value from the server too. */
3512
3513 if (s->s3->server_opaque_prf_input == NULL)
3514 {
3515 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3516 al = SSL_AD_HANDSHAKE_FAILURE;
3517 }
3518
3519 /* Anytime the server *has* sent an opaque PRF input, we need to check
3520 * that we have a client opaque PRF input of the same size. */
3521 if (s->s3->client_opaque_prf_input == NULL ||
3522 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
3523 {
3524 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3525 al = SSL_AD_ILLEGAL_PARAMETER;
3526 }
3527 }
3528#endif
3529
3530 /* If we've requested certificate status and we wont get one
3531 * tell the callback
3532 */
3533 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3534 && s->ctx && s->ctx->tlsext_status_cb)
3535 {
3536 int r;
3537 /* Set resp to NULL, resplen to -1 so callback knows
3538 * there is no response.
3539 */
3540 if (s->tlsext_ocsp_resp)
3541 {
3542 OPENSSL_free(s->tlsext_ocsp_resp);
3543 s->tlsext_ocsp_resp = NULL;
3544 }
3545 s->tlsext_ocsp_resplen = -1;
3546 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3547 if (r == 0)
3548 {
3549 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3550 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3551 }
3552 if (r < 0)
3553 {
3554 al = SSL_AD_INTERNAL_ERROR;
3555 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3556 }
3557 }
3558
3559 switch (ret)
3560 {
3561 case SSL_TLSEXT_ERR_ALERT_FATAL:
3562 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3563 return -1;
3564
3565 case SSL_TLSEXT_ERR_ALERT_WARNING:
3566 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3567 return 1;
3568
3569 case SSL_TLSEXT_ERR_NOACK:
3570 s->servername_done=0;
3571 default:
3572 return 1;
3573 }
3574 }
3575
3576int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
3577 {
3578 int al = -1;
3579 if (s->version < SSL3_VERSION)
3580 return 1;
3581 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0)
3582 {
3583 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3584 return 0;
3585 }
3586
3587 if (ssl_check_serverhello_tlsext(s) <= 0)
3588 {
3589 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_SERVERHELLO_TLSEXT);
3590 return 0;
3591 }
3592 return 1;
3593}
3594
3595/* Since the server cache lookup is done early on in the processing of the
3596 * ClientHello, and other operations depend on the result, we need to handle
3597 * any TLS session ticket extension at the same time.
3598 *
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]3599 * ctx: contains the early callback context, which is the result of a
3600 * shallow parse of the ClientHello.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3601 * ret: (output) on return, if a ticket was decrypted, then this is set to
3602 * point to the resulting session.
3603 *
3604 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3605 * ciphersuite, in which case we have no use for session tickets and one will
3606 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3607 *
3608 * Returns:
3609 * -1: fatal error, either from parsing or decrypting the ticket.
3610 * 0: no ticket was found (or was ignored, based on settings).
3611 * 1: a zero length extension was found, indicating that the client supports
3612 * session tickets but doesn't currently have one to offer.
3613 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
3614 * couldn't be decrypted because of a non-fatal error.
3615 * 3: a ticket was successfully decrypted and *ret was set.
3616 *
3617 * Side effects:
3618 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3619 * a new session ticket to the client because the client indicated support
3620 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3621 * a session ticket or we couldn't use the one it gave us, or if
3622 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3623 * Otherwise, s->tlsext_ticket_expected is set to 0.
3624 */
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]3625int tls1_process_ticket(SSL *s, const struct ssl_early_callback_ctx *ctx,
3626 SSL_SESSION **ret)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3627 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3628 *ret = NULL;
3629 s->tlsext_ticket_expected = 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]3630 const unsigned char *data;
3631 size_t len;
3632 int r;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3633
3634 /* If tickets disabled behave as if no ticket present
3635 * to permit stateful resumption.
3636 */
3637 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3638 return 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]3639 if ((s->version <= SSL3_VERSION) && !ctx->extensions)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3640 return 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]3641 if (!SSL_early_callback_ctx_extension_get(
3642 ctx, TLSEXT_TYPE_session_ticket, &data, &len))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3643 {
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame]3644 return 0;
3645 }
3646 if (len == 0)
3647 {
3648 /* The client will accept a ticket but doesn't
3649 * currently have one. */
3650 s->tlsext_ticket_expected = 1;
3651 return 1;
3652 }
3653 if (s->tls_session_secret_cb)
3654 {
3655 /* Indicate that the ticket couldn't be
3656 * decrypted rather than generating the session
3657 * from ticket now, trigger abbreviated
3658 * handshake based on external mechanism to
3659 * calculate the master secret later. */
3660 return 2;
3661 }
3662 r = tls_decrypt_ticket(s, data, len, ctx->session_id,
3663 ctx->session_id_len, ret);
3664 switch (r)
3665 {
3666 case 2: /* ticket couldn't be decrypted */
3667 s->tlsext_ticket_expected = 1;
3668 return 2;
3669 case 3: /* ticket was decrypted */
3670 return r;
3671 case 4: /* ticket decrypted but need to renew */
3672 s->tlsext_ticket_expected = 1;
3673 return 3;
3674 default: /* fatal error */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3675 return -1;
3676 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3677 }
3678
3679/* tls_decrypt_ticket attempts to decrypt a session ticket.
3680 *
3681 * etick: points to the body of the session ticket extension.
3682 * eticklen: the length of the session tickets extenion.
3683 * sess_id: points at the session ID.
3684 * sesslen: the length of the session ID.
3685 * psess: (output) on return, if a ticket was decrypted, then this is set to
3686 * point to the resulting session.
3687 *
3688 * Returns:
3689 * -1: fatal error, either from parsing or decrypting the ticket.
3690 * 2: the ticket couldn't be decrypted.
3691 * 3: a ticket was successfully decrypted and *psess was set.
3692 * 4: same as 3, but the ticket needs to be renewed.
3693 */
3694static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
3695 const unsigned char *sess_id, int sesslen,
3696 SSL_SESSION **psess)
3697 {
3698 SSL_SESSION *sess;
3699 unsigned char *sdec;
3700 const unsigned char *p;
3701 int slen, mlen, renew_ticket = 0;
3702 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3703 HMAC_CTX hctx;
3704 EVP_CIPHER_CTX ctx;
3705 SSL_CTX *tctx = s->initial_ctx;
3706 /* Need at least keyname + iv + some encrypted data */
3707 if (eticklen < 48)
3708 return 2;
3709 /* Initialize session ticket encryption and HMAC contexts */
3710 HMAC_CTX_init(&hctx);
3711 EVP_CIPHER_CTX_init(&ctx);
3712 if (tctx->tlsext_ticket_key_cb)
3713 {
3714 unsigned char *nctick = (unsigned char *)etick;
3715 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3716 &ctx, &hctx, 0);
3717 if (rv < 0)
3718 return -1;
3719 if (rv == 0)
3720 return 2;
3721 if (rv == 2)
3722 renew_ticket = 1;
3723 }
3724 else
3725 {
3726 /* Check key name matches */
3727 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3728 return 2;
3729 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3730 tlsext_tick_md(), NULL);
3731 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3732 tctx->tlsext_tick_aes_key, etick + 16);
3733 }
3734 /* Attempt to process session ticket, first conduct sanity and
3735 * integrity checks on ticket.
3736 */
3737 mlen = HMAC_size(&hctx);
3738 if (mlen < 0)
3739 {
3740 EVP_CIPHER_CTX_cleanup(&ctx);
3741 return -1;
3742 }
3743 eticklen -= mlen;
3744 /* Check HMAC of encrypted ticket */
3745 HMAC_Update(&hctx, etick, eticklen);
3746 HMAC_Final(&hctx, tick_hmac, NULL);
3747 HMAC_CTX_cleanup(&hctx);
3748 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
3749 return 2;
3750 /* Attempt to decrypt session data */
3751 /* Move p after IV to start of encrypted ticket, update length */
3752 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3753 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3754 sdec = OPENSSL_malloc(eticklen);
3755 if (!sdec)
3756 {
3757 EVP_CIPHER_CTX_cleanup(&ctx);
3758 return -1;
3759 }
3760 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3761 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0)
3762 return 2;
3763 slen += mlen;
3764 EVP_CIPHER_CTX_cleanup(&ctx);
3765 p = sdec;
3766
3767 sess = d2i_SSL_SESSION(NULL, &p, slen);
3768 OPENSSL_free(sdec);
3769 if (sess)
3770 {
3771 /* The session ID, if non-empty, is used by some clients to
3772 * detect that the ticket has been accepted. So we copy it to
3773 * the session structure. If it is empty set length to zero
3774 * as required by standard.
3775 */
3776 if (sesslen)
3777 memcpy(sess->session_id, sess_id, sesslen);
3778 sess->session_id_length = sesslen;
3779 *psess = sess;
3780 if (renew_ticket)
3781 return 4;
3782 else
3783 return 3;
3784 }
3785 ERR_clear_error();
3786 /* For session parse failure, indicate that we need to send a new
3787 * ticket. */
3788 return 2;
3789 }
3790
3791/* Tables to translate from NIDs to TLS v1.2 ids */
3792
3793typedef struct
3794 {
3795 int nid;
3796 int id;
3797 } tls12_lookup;
3798
3799static tls12_lookup tls12_md[] = {
3800 {NID_md5, TLSEXT_hash_md5},
3801 {NID_sha1, TLSEXT_hash_sha1},
3802 {NID_sha224, TLSEXT_hash_sha224},
3803 {NID_sha256, TLSEXT_hash_sha256},
3804 {NID_sha384, TLSEXT_hash_sha384},
3805 {NID_sha512, TLSEXT_hash_sha512}
3806};
3807
3808static tls12_lookup tls12_sig[] = {
3809 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3810 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3811 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3812};
3813
3814static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3815 {
3816 size_t i;
3817 for (i = 0; i < tlen; i++)
3818 {
3819 if (table[i].nid == nid)
3820 return table[i].id;
3821 }
3822 return -1;
3823 }
3824
3825static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3826 {
3827 size_t i;
3828 for (i = 0; i < tlen; i++)
3829 {
3830 if ((table[i].id) == id)
3831 return table[i].nid;
3832 }
3833 return NID_undef;
3834 }
3835
3836int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3837 {
3838 int sig_id, md_id;
3839 if (!md)
3840 return 0;
3841 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3842 sizeof(tls12_md)/sizeof(tls12_lookup));
3843 if (md_id == -1)
3844 return 0;
3845 sig_id = tls12_get_sigid(pk);
3846 if (sig_id == -1)
3847 return 0;
3848 p[0] = (unsigned char)md_id;
3849 p[1] = (unsigned char)sig_id;
3850 return 1;
3851 }
3852
3853int tls12_get_sigid(const EVP_PKEY *pk)
3854 {
3855 return tls12_find_id(pk->type, tls12_sig,
3856 sizeof(tls12_sig)/sizeof(tls12_lookup));
3857 }
3858
3859const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3860 {
3861 switch(hash_alg)
3862 {
3863#ifndef OPENSSL_NO_MD5
3864 case TLSEXT_hash_md5:
3865#ifdef OPENSSL_FIPS
3866 if (FIPS_mode())
3867 return NULL;
3868#endif
3869 return EVP_md5();
3870#endif
3871#ifndef OPENSSL_NO_SHA
3872 case TLSEXT_hash_sha1:
3873 return EVP_sha1();
3874#endif
3875#ifndef OPENSSL_NO_SHA256
3876 case TLSEXT_hash_sha224:
3877 return EVP_sha224();
3878
3879 case TLSEXT_hash_sha256:
3880 return EVP_sha256();
3881#endif
3882#ifndef OPENSSL_NO_SHA512
3883 case TLSEXT_hash_sha384:
3884 return EVP_sha384();
3885
3886 case TLSEXT_hash_sha512:
3887 return EVP_sha512();
3888#endif
3889 default:
3890 return NULL;
3891
3892 }
3893 }
3894
3895static int tls12_get_pkey_idx(unsigned char sig_alg)
3896 {
3897 switch(sig_alg)
3898 {
3899#ifndef OPENSSL_NO_RSA
3900 case TLSEXT_signature_rsa:
3901 return SSL_PKEY_RSA_SIGN;
3902#endif
3903#ifndef OPENSSL_NO_DSA
3904 case TLSEXT_signature_dsa:
3905 return SSL_PKEY_DSA_SIGN;
3906#endif
3907#ifndef OPENSSL_NO_ECDSA
3908 case TLSEXT_signature_ecdsa:
3909 return SSL_PKEY_ECC;
3910#endif
3911 }
3912 return -1;
3913 }
3914
3915/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3916static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3917 int *psignhash_nid, const unsigned char *data)
3918 {
3919 int sign_nid = 0, hash_nid = 0;
3920 if (!phash_nid && !psign_nid && !psignhash_nid)
3921 return;
3922 if (phash_nid || psignhash_nid)
3923 {
3924 hash_nid = tls12_find_nid(data[0], tls12_md,
3925 sizeof(tls12_md)/sizeof(tls12_lookup));
3926 if (phash_nid)
3927 *phash_nid = hash_nid;
3928 }
3929 if (psign_nid || psignhash_nid)
3930 {
3931 sign_nid = tls12_find_nid(data[1], tls12_sig,
3932 sizeof(tls12_sig)/sizeof(tls12_lookup));
3933 if (psign_nid)
3934 *psign_nid = sign_nid;
3935 }
3936 if (psignhash_nid)
3937 {
3938 if (sign_nid && hash_nid)
3939 OBJ_find_sigid_by_algs(psignhash_nid,
3940 hash_nid, sign_nid);
3941 else
3942 *psignhash_nid = NID_undef;
3943 }
3944 }
3945/* Given preference and allowed sigalgs set shared sigalgs */
3946static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3947 const unsigned char *pref, size_t preflen,
3948 const unsigned char *allow, size_t allowlen)
3949 {
3950 const unsigned char *ptmp, *atmp;
3951 size_t i, j, nmatch = 0;
3952 for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
3953 {
3954 /* Skip disabled hashes or signature algorithms */
3955 if (tls12_get_hash(ptmp[0]) == NULL)
3956 continue;
3957 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3958 continue;
3959 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
3960 {
3961 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
3962 {
3963 nmatch++;
3964 if (shsig)
3965 {
3966 shsig->rhash = ptmp[0];
3967 shsig->rsign = ptmp[1];
3968 tls1_lookup_sigalg(&shsig->hash_nid,
3969 &shsig->sign_nid,
3970 &shsig->signandhash_nid,
3971 ptmp);
3972 shsig++;
3973 }
3974 break;
3975 }
3976 }
3977 }
3978 return nmatch;
3979 }
3980
3981/* Set shared signature algorithms for SSL structures */
3982static int tls1_set_shared_sigalgs(SSL *s)
3983 {
3984 const unsigned char *pref, *allow, *conf;
3985 size_t preflen, allowlen, conflen;
3986 size_t nmatch;
3987 TLS_SIGALGS *salgs = NULL;
3988 CERT *c = s->cert;
3989 unsigned int is_suiteb = tls1_suiteb(s);
3990 /* If client use client signature algorithms if not NULL */
3991 if (!s->server && c->client_sigalgs && !is_suiteb)
3992 {
3993 conf = c->client_sigalgs;
3994 conflen = c->client_sigalgslen;
3995 }
3996 else if (c->conf_sigalgs && !is_suiteb)
3997 {
3998 conf = c->conf_sigalgs;
3999 conflen = c->conf_sigalgslen;
4000 }
4001 else
4002 conflen = tls12_get_psigalgs(s, &conf);
4003 if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb)
4004 {
4005 pref = conf;
4006 preflen = conflen;
4007 allow = c->peer_sigalgs;
4008 allowlen = c->peer_sigalgslen;
4009 }
4010 else
4011 {
4012 allow = conf;
4013 allowlen = conflen;
4014 pref = c->peer_sigalgs;
4015 preflen = c->peer_sigalgslen;
4016 }
4017 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
4018 if (!nmatch)
4019 return 1;
4020 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
4021 if (!salgs)
4022 return 0;
4023 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
4024 c->shared_sigalgs = salgs;
4025 c->shared_sigalgslen = nmatch;
4026 return 1;
4027 }
4028
4029
4030/* Set preferred digest for each key type */
4031
4032int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
4033 {
4034 int idx;
4035 size_t i;
4036 const EVP_MD *md;
4037 CERT *c = s->cert;
4038 TLS_SIGALGS *sigptr;
4039 /* Extension ignored for inappropriate versions */
4040 if (!SSL_USE_SIGALGS(s))
4041 return 1;
4042 /* Should never happen */
4043 if (!c)
4044 return 0;
4045
4046 c->peer_sigalgs = OPENSSL_malloc(dsize);
4047 if (!c->peer_sigalgs)
4048 return 0;
4049 c->peer_sigalgslen = dsize;
4050 memcpy(c->peer_sigalgs, data, dsize);
4051
4052 tls1_set_shared_sigalgs(s);
4053
4054#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4055 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
4056 {
4057 /* Use first set signature preference to force message
4058 * digest, ignoring any peer preferences.
4059 */
4060 const unsigned char *sigs = NULL;
4061 if (s->server)
4062 sigs = c->conf_sigalgs;
4063 else
4064 sigs = c->client_sigalgs;
4065 if (sigs)
4066 {
4067 idx = tls12_get_pkey_idx(sigs[1]);
4068 md = tls12_get_hash(sigs[0]);
4069 c->pkeys[idx].digest = md;
4070 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
4071 if (idx == SSL_PKEY_RSA_SIGN)
4072 {
4073 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
4074 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
4075 }
4076 }
4077 }
4078#endif
4079
4080 for (i = 0, sigptr = c->shared_sigalgs;
4081 i < c->shared_sigalgslen; i++, sigptr++)
4082 {
4083 idx = tls12_get_pkey_idx(sigptr->rsign);
4084 if (idx > 0 && c->pkeys[idx].digest == NULL)
4085 {
4086 md = tls12_get_hash(sigptr->rhash);
4087 c->pkeys[idx].digest = md;
4088 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
4089 if (idx == SSL_PKEY_RSA_SIGN)
4090 {
4091 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
4092 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
4093 }
4094 }
4095
4096 }
4097 /* In strict mode leave unset digests as NULL to indicate we can't
4098 * use the certificate for signing.
4099 */
4100 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
4101 {
4102 /* Set any remaining keys to default values. NOTE: if alg is
4103 * not supported it stays as NULL.
4104 */
4105#ifndef OPENSSL_NO_DSA
4106 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
4107 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
4108#endif
4109#ifndef OPENSSL_NO_RSA
4110 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
4111 {
4112 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
4113 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
4114 }
4115#endif
4116#ifndef OPENSSL_NO_ECDSA
4117 if (!c->pkeys[SSL_PKEY_ECC].digest)
4118 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
4119#endif
4120 }
4121 return 1;
4122 }
4123
4124
4125int SSL_get_sigalgs(SSL *s, int idx,
4126 int *psign, int *phash, int *psignhash,
4127 unsigned char *rsig, unsigned char *rhash)
4128 {
4129 const unsigned char *psig = s->cert->peer_sigalgs;
4130 if (psig == NULL)
4131 return 0;
4132 if (idx >= 0)
4133 {
4134 idx <<= 1;
4135 if (idx >= (int)s->cert->peer_sigalgslen)
4136 return 0;
4137 psig += idx;
4138 if (rhash)
4139 *rhash = psig[0];
4140 if (rsig)
4141 *rsig = psig[1];
4142 tls1_lookup_sigalg(phash, psign, psignhash, psig);
4143 }
4144 return s->cert->peer_sigalgslen / 2;
4145 }
4146
4147int SSL_get_shared_sigalgs(SSL *s, int idx,
4148 int *psign, int *phash, int *psignhash,
4149 unsigned char *rsig, unsigned char *rhash)
4150 {
4151 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
4152 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
4153 return 0;
4154 shsigalgs += idx;
4155 if (phash)
4156 *phash = shsigalgs->hash_nid;
4157 if (psign)
4158 *psign = shsigalgs->sign_nid;
4159 if (psignhash)
4160 *psignhash = shsigalgs->signandhash_nid;
4161 if (rsig)
4162 *rsig = shsigalgs->rsign;
4163 if (rhash)
4164 *rhash = shsigalgs->rhash;
4165 return s->cert->shared_sigalgslen;
4166 }
4167
4168
4169#ifndef OPENSSL_NO_HEARTBEATS
4170int
4171tls1_process_heartbeat(SSL *s)
4172 {
4173 unsigned char *p = &s->s3->rrec.data[0], *pl;
4174 unsigned short hbtype;
4175 unsigned int payload;
4176 unsigned int padding = 16; /* Use minimum padding */
4177
4178 /* Read type and payload length first */
4179 hbtype = *p++;
4180 n2s(p, payload);
4181 pl = p;
4182
4183 if (s->msg_callback)
4184 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
4185 &s->s3->rrec.data[0], s->s3->rrec.length,
4186 s, s->msg_callback_arg);
4187
4188 if (hbtype == TLS1_HB_REQUEST)
4189 {
4190 unsigned char *buffer, *bp;
4191 int r;
4192
4193 /* Allocate memory for the response, size is 1 bytes
4194 * message type, plus 2 bytes payload length, plus
4195 * payload, plus padding
4196 */
4197 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
4198 bp = buffer;
4199
4200 /* Enter response type, length and copy payload */
4201 *bp++ = TLS1_HB_RESPONSE;
4202 s2n(payload, bp);
4203 memcpy(bp, pl, payload);
4204 bp += payload;
4205 /* Random padding */
4206 RAND_pseudo_bytes(bp, padding);
4207
4208 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
4209
4210 if (r >= 0 && s->msg_callback)
4211 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4212 buffer, 3 + payload + padding,
4213 s, s->msg_callback_arg);
4214
4215 OPENSSL_free(buffer);
4216
4217 if (r < 0)
4218 return r;
4219 }
4220 else if (hbtype == TLS1_HB_RESPONSE)
4221 {
4222 unsigned int seq;
4223
4224 /* We only send sequence numbers (2 bytes unsigned int),
4225 * and 16 random bytes, so we just try to read the
4226 * sequence number */
4227 n2s(pl, seq);
4228
4229 if (payload == 18 && seq == s->tlsext_hb_seq)
4230 {
4231 s->tlsext_hb_seq++;
4232 s->tlsext_hb_pending = 0;
4233 }
4234 }
4235
4236 return 0;
4237 }
4238
4239int
4240tls1_heartbeat(SSL *s)
4241 {
4242 unsigned char *buf, *p;
4243 int ret;
4244 unsigned int payload = 18; /* Sequence number + random bytes */
4245 unsigned int padding = 16; /* Use minimum padding */
4246
4247 /* Only send if peer supports and accepts HB requests... */
4248 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
4249 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
4250 {
4251 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
4252 return -1;
4253 }
4254
4255 /* ...and there is none in flight yet... */
4256 if (s->tlsext_hb_pending)
4257 {
4258 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_HEARTBEAT_PENDING);
4259 return -1;
4260 }
4261
4262 /* ...and no handshake in progress. */
4263 if (SSL_in_init(s) || s->in_handshake)
4264 {
4265 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNEXPECTED_MESSAGE);
4266 return -1;
4267 }
4268
4269 /* Check if padding is too long, payload and padding
4270 * must not exceed 2^14 - 3 = 16381 bytes in total.
4271 */
4272 assert(payload + padding <= 16381);
4273
4274 /* Create HeartBeat message, we just use a sequence number
4275 * as payload to distuingish different messages and add
4276 * some random stuff.
4277 * - Message Type, 1 byte
4278 * - Payload Length, 2 bytes (unsigned int)
4279 * - Payload, the sequence number (2 bytes uint)
4280 * - Payload, random bytes (16 bytes uint)
4281 * - Padding
4282 */
4283 buf = OPENSSL_malloc(1 + 2 + payload + padding);
4284 p = buf;
4285 /* Message Type */
4286 *p++ = TLS1_HB_REQUEST;
4287 /* Payload length (18 bytes here) */
4288 s2n(payload, p);
4289 /* Sequence number */
4290 s2n(s->tlsext_hb_seq, p);
4291 /* 16 random bytes */
4292 RAND_pseudo_bytes(p, 16);
4293 p += 16;
4294 /* Random padding */
4295 RAND_pseudo_bytes(p, padding);
4296
4297 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
4298 if (ret >= 0)
4299 {
4300 if (s->msg_callback)
4301 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4302 buf, 3 + payload + padding,
4303 s, s->msg_callback_arg);
4304
4305 s->tlsext_hb_pending = 1;
4306 }
4307
4308 OPENSSL_free(buf);
4309
4310 return ret;
4311 }
4312#endif
4313
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]4314#if !defined(OPENSSL_NO_TLSEXT)
4315/* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
4316 * SSL connection and writes it to |md|. */
4317int
4318tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
4319 {
4320 EVP_MD_CTX ctx;
4321 unsigned char temp_digest[EVP_MAX_MD_SIZE];
4322 unsigned temp_digest_len;
4323 int i;
4324 static const char kClientIDMagic[] = "TLS Channel ID signature";
4325
4326 if (s->s3->handshake_buffer)
4327 if (!ssl3_digest_cached_records(s))
4328 return 0;
4329
4330 EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
4331
4332 if (s->hit && s->s3->tlsext_channel_id_new)
4333 {
4334 static const char kResumptionMagic[] = "Resumption";
4335 EVP_DigestUpdate(md, kResumptionMagic,
4336 sizeof(kResumptionMagic));
4337 if (s->session->original_handshake_hash_len == 0)
4338 return 0;
4339 EVP_DigestUpdate(md, s->session->original_handshake_hash,
4340 s->session->original_handshake_hash_len);
4341 }
4342
4343 EVP_MD_CTX_init(&ctx);
4344 for (i = 0; i < SSL_MAX_DIGEST; i++)
4345 {
4346 if (s->s3->handshake_dgst[i] == NULL)
4347 continue;
4348 EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
4349 EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
4350 EVP_DigestUpdate(md, temp_digest, temp_digest_len);
4351 }
4352 EVP_MD_CTX_cleanup(&ctx);
4353
4354 return 1;
4355 }
4356#endif
4357
4358/* tls1_record_handshake_hashes_for_channel_id records the current handshake
4359 * hashes in |s->session| so that Channel ID resumptions can sign that data. */
4360int tls1_record_handshake_hashes_for_channel_id(SSL *s)
4361 {
4362 int digest_len;
4363 /* This function should never be called for a resumed session because
4364 * the handshake hashes that we wish to record are for the original,
4365 * full handshake. */
4366 if (s->hit)
4367 return -1;
4368 /* It only makes sense to call this function if Channel IDs have been
4369 * negotiated. */
4370 if (!s->s3->tlsext_channel_id_new)
4371 return -1;
4372
4373 digest_len = tls1_handshake_digest(
4374 s, s->session->original_handshake_hash,
4375 sizeof(s->session->original_handshake_hash));
4376 if (digest_len < 0)
4377 return -1;
4378
4379 s->session->original_handshake_hash_len = digest_len;
4380
4381 return 1;
4382 }
4383
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]4384/* TODO(fork): remove */
4385#if 0
4386#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
4387
4388typedef struct
4389 {
4390 size_t sigalgcnt;
4391 int sigalgs[MAX_SIGALGLEN];
4392 } sig_cb_st;
4393
4394static int sig_cb(const char *elem, int len, void *arg)
4395 {
4396 sig_cb_st *sarg = arg;
4397 size_t i;
4398 char etmp[20], *p;
4399 int sig_alg, hash_alg;
4400 if (sarg->sigalgcnt == MAX_SIGALGLEN)
4401 return 0;
4402 if (len > (int)(sizeof(etmp) - 1))
4403 return 0;
4404 memcpy(etmp, elem, len);
4405 etmp[len] = 0;
4406 p = strchr(etmp, '+');
4407 if (!p)
4408 return 0;
4409 *p = 0;
4410 p++;
4411 if (!*p)
4412 return 0;
4413
4414 if (!strcmp(etmp, "RSA"))
4415 sig_alg = EVP_PKEY_RSA;
4416 else if (!strcmp(etmp, "DSA"))
4417 sig_alg = EVP_PKEY_DSA;
4418 else if (!strcmp(etmp, "ECDSA"))
4419 sig_alg = EVP_PKEY_EC;
4420 else return 0;
4421
4422 hash_alg = OBJ_sn2nid(p);
4423 if (hash_alg == NID_undef)
4424 hash_alg = OBJ_ln2nid(p);
4425 if (hash_alg == NID_undef)
4426 return 0;
4427
4428 for (i = 0; i < sarg->sigalgcnt; i+=2)
4429 {
4430 if (sarg->sigalgs[i] == sig_alg
4431 && sarg->sigalgs[i + 1] == hash_alg)
4432 return 0;
4433 }
4434 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
4435 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
4436 return 1;
4437 }
4438
4439/* Set suppored signature algorithms based on a colon separated list
4440 * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
4441int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
4442 {
4443 sig_cb_st sig;
4444 sig.sigalgcnt = 0;
4445 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
4446 return 0;
4447 if (c == NULL)
4448 return 1;
4449 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
4450 }
4451#endif
4452
4453int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
4454 {
4455 unsigned char *sigalgs, *sptr;
4456 int rhash, rsign;
4457 size_t i;
4458 if (salglen & 1)
4459 return 0;
4460 sigalgs = OPENSSL_malloc(salglen);
4461 if (sigalgs == NULL)
4462 return 0;
4463 for (i = 0, sptr = sigalgs; i < salglen; i+=2)
4464 {
4465 rhash = tls12_find_id(*psig_nids++, tls12_md,
4466 sizeof(tls12_md)/sizeof(tls12_lookup));
4467 rsign = tls12_find_id(*psig_nids++, tls12_sig,
4468 sizeof(tls12_sig)/sizeof(tls12_lookup));
4469
4470 if (rhash == -1 || rsign == -1)
4471 goto err;
4472 *sptr++ = rhash;
4473 *sptr++ = rsign;
4474 }
4475
4476 if (client)
4477 {
4478 if (c->client_sigalgs)
4479 OPENSSL_free(c->client_sigalgs);
4480 c->client_sigalgs = sigalgs;
4481 c->client_sigalgslen = salglen;
4482 }
4483 else
4484 {
4485 if (c->conf_sigalgs)
4486 OPENSSL_free(c->conf_sigalgs);
4487 c->conf_sigalgs = sigalgs;
4488 c->conf_sigalgslen = salglen;
4489 }
4490
4491 return 1;
4492
4493 err:
4494 OPENSSL_free(sigalgs);
4495 return 0;
4496 }
4497
4498static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
4499 {
4500 int sig_nid;
4501 size_t i;
4502 if (default_nid == -1)
4503 return 1;
4504 sig_nid = X509_get_signature_nid(x);
4505 if (default_nid)
4506 return sig_nid == default_nid ? 1 : 0;
4507 for (i = 0; i < c->shared_sigalgslen; i++)
4508 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
4509 return 1;
4510 return 0;
4511 }
4512/* Check to see if a certificate issuer name matches list of CA names */
4513static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
4514 {
4515 X509_NAME *nm;
4516 int i;
4517 nm = X509_get_issuer_name(x);
4518 for (i = 0; i < sk_X509_NAME_num(names); i++)
4519 {
4520 if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
4521 return 1;
4522 }
4523 return 0;
4524 }
4525
4526/* Check certificate chain is consistent with TLS extensions and is
4527 * usable by server. This servers two purposes: it allows users to
4528 * check chains before passing them to the server and it allows the
4529 * server to check chains before attempting to use them.
4530 */
4531
4532/* Flags which need to be set for a certificate when stict mode not set */
4533
4534#define CERT_PKEY_VALID_FLAGS \
4535 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4536/* Strict mode flags */
4537#define CERT_PKEY_STRICT_FLAGS \
4538 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4539 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4540
4541int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
4542 int idx)
4543 {
4544 int i;
4545 int rv = 0;
4546 int check_flags = 0, strict_mode;
4547 CERT_PKEY *cpk = NULL;
4548 CERT *c = s->cert;
4549 unsigned int suiteb_flags = tls1_suiteb(s);
4550 /* idx == -1 means checking server chains */
4551 if (idx != -1)
4552 {
4553 /* idx == -2 means checking client certificate chains */
4554 if (idx == -2)
4555 {
4556 cpk = c->key;
4557 idx = cpk - c->pkeys;
4558 }
4559 else
4560 cpk = c->pkeys + idx;
4561 x = cpk->x509;
4562 pk = cpk->privatekey;
4563 chain = cpk->chain;
4564 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4565 /* If no cert or key, forget it */
4566 if (!x || !pk)
4567 goto end;
4568#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4569 /* Allow any certificate to pass test */
4570 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
4571 {
4572 rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;
4573 cpk->valid_flags = rv;
4574 return rv;
4575 }
4576#endif
4577 }
4578 else
4579 {
4580 if (!x || !pk)
4581 goto end;
4582 idx = ssl_cert_type(x, pk);
4583 if (idx == -1)
4584 goto end;
4585 cpk = c->pkeys + idx;
4586 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4587 check_flags = CERT_PKEY_STRICT_FLAGS;
4588 else
4589 check_flags = CERT_PKEY_VALID_FLAGS;
4590 strict_mode = 1;
4591 }
4592
4593 if (suiteb_flags)
4594 {
4595 int ok;
4596 if (check_flags)
4597 check_flags |= CERT_PKEY_SUITEB;
4598 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4599 if (ok != X509_V_OK)
4600 {
4601 if (check_flags)
4602 rv |= CERT_PKEY_SUITEB;
4603 else
4604 goto end;
4605 }
4606 }
4607
4608 /* Check all signature algorithms are consistent with
4609 * signature algorithms extension if TLS 1.2 or later
4610 * and strict mode.
4611 */
4612 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
4613 {
4614 int default_nid;
4615 unsigned char rsign = 0;
4616 if (c->peer_sigalgs)
4617 default_nid = 0;
4618 /* If no sigalgs extension use defaults from RFC5246 */
4619 else
4620 {
4621 switch(idx)
4622 {
4623 case SSL_PKEY_RSA_ENC:
4624 case SSL_PKEY_RSA_SIGN:
4625 case SSL_PKEY_DH_RSA:
4626 rsign = TLSEXT_signature_rsa;
4627 default_nid = NID_sha1WithRSAEncryption;
4628 break;
4629
4630 case SSL_PKEY_DSA_SIGN:
4631 case SSL_PKEY_DH_DSA:
4632 rsign = TLSEXT_signature_dsa;
4633 default_nid = NID_dsaWithSHA1;
4634 break;
4635
4636 case SSL_PKEY_ECC:
4637 rsign = TLSEXT_signature_ecdsa;
4638 default_nid = NID_ecdsa_with_SHA1;
4639 break;
4640
4641 default:
4642 default_nid = -1;
4643 break;
4644 }
4645 }
4646 /* If peer sent no signature algorithms extension and we
4647 * have set preferred signature algorithms check we support
4648 * sha1.
4649 */
4650 if (default_nid > 0 && c->conf_sigalgs)
4651 {
4652 size_t j;
4653 const unsigned char *p = c->conf_sigalgs;
4654 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
4655 {
4656 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4657 break;
4658 }
4659 if (j == c->conf_sigalgslen)
4660 {
4661 if (check_flags)
4662 goto skip_sigs;
4663 else
4664 goto end;
4665 }
4666 }
4667 /* Check signature algorithm of each cert in chain */
4668 if (!tls1_check_sig_alg(c, x, default_nid))
4669 {
4670 if (!check_flags) goto end;
4671 }
4672 else
4673 rv |= CERT_PKEY_EE_SIGNATURE;
4674 rv |= CERT_PKEY_CA_SIGNATURE;
4675 for (i = 0; i < sk_X509_num(chain); i++)
4676 {
4677 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
4678 default_nid))
4679 {
4680 if (check_flags)
4681 {
4682 rv &= ~CERT_PKEY_CA_SIGNATURE;
4683 break;
4684 }
4685 else
4686 goto end;
4687 }
4688 }
4689 }
4690 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4691 else if(check_flags)
4692 rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;
4693 skip_sigs:
4694 /* Check cert parameters are consistent */
4695 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4696 rv |= CERT_PKEY_EE_PARAM;
4697 else if (!check_flags)
4698 goto end;
4699 if (!s->server)
4700 rv |= CERT_PKEY_CA_PARAM;
4701 /* In strict mode check rest of chain too */
4702 else if (strict_mode)
4703 {
4704 rv |= CERT_PKEY_CA_PARAM;
4705 for (i = 0; i < sk_X509_num(chain); i++)
4706 {
4707 X509 *ca = sk_X509_value(chain, i);
4708 if (!tls1_check_cert_param(s, ca, 0))
4709 {
4710 if (check_flags)
4711 {
4712 rv &= ~CERT_PKEY_CA_PARAM;
4713 break;
4714 }
4715 else
4716 goto end;
4717 }
4718 }
4719 }
4720 if (!s->server && strict_mode)
4721 {
4722 STACK_OF(X509_NAME) *ca_dn;
4723 int check_type = 0;
4724 switch (pk->type)
4725 {
4726 case EVP_PKEY_RSA:
4727 check_type = TLS_CT_RSA_SIGN;
4728 break;
4729 case EVP_PKEY_DSA:
4730 check_type = TLS_CT_DSS_SIGN;
4731 break;
4732 case EVP_PKEY_EC:
4733 check_type = TLS_CT_ECDSA_SIGN;
4734 break;
4735 case EVP_PKEY_DH:
4736 case EVP_PKEY_DHX:
4737 {
4738 int cert_type = X509_certificate_type(x, pk);
4739 if (cert_type & EVP_PKS_RSA)
4740 check_type = TLS_CT_RSA_FIXED_DH;
4741 if (cert_type & EVP_PKS_DSA)
4742 check_type = TLS_CT_DSS_FIXED_DH;
4743 }
4744 }
4745 if (check_type)
4746 {
4747 const unsigned char *ctypes;
4748 int ctypelen;
4749 if (c->ctypes)
4750 {
4751 ctypes = c->ctypes;
4752 ctypelen = (int)c->ctype_num;
4753 }
4754 else
4755 {
4756 ctypes = (unsigned char *)s->s3->tmp.ctype;
4757 ctypelen = s->s3->tmp.ctype_num;
4758 }
4759 for (i = 0; i < ctypelen; i++)
4760 {
4761 if (ctypes[i] == check_type)
4762 {
4763 rv |= CERT_PKEY_CERT_TYPE;
4764 break;
4765 }
4766 }
4767 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4768 goto end;
4769 }
4770 else
4771 rv |= CERT_PKEY_CERT_TYPE;
4772
4773
4774 ca_dn = s->s3->tmp.ca_names;
4775
4776 if (!sk_X509_NAME_num(ca_dn))
4777 rv |= CERT_PKEY_ISSUER_NAME;
4778
4779 if (!(rv & CERT_PKEY_ISSUER_NAME))
4780 {
4781 if (ssl_check_ca_name(ca_dn, x))
4782 rv |= CERT_PKEY_ISSUER_NAME;
4783 }
4784 if (!(rv & CERT_PKEY_ISSUER_NAME))
4785 {
4786 for (i = 0; i < sk_X509_num(chain); i++)
4787 {
4788 X509 *xtmp = sk_X509_value(chain, i);
4789 if (ssl_check_ca_name(ca_dn, xtmp))
4790 {
4791 rv |= CERT_PKEY_ISSUER_NAME;
4792 break;
4793 }
4794 }
4795 }
4796 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4797 goto end;
4798 }
4799 else
4800 rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
4801
4802 if (!check_flags || (rv & check_flags) == check_flags)
4803 rv |= CERT_PKEY_VALID;
4804
4805 end:
4806
4807 if (TLS1_get_version(s) >= TLS1_2_VERSION)
4808 {
4809 if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4810 rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
4811 else if (cpk->digest)
4812 rv |= CERT_PKEY_SIGN;
4813 }
4814 else
4815 rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
4816
4817 /* When checking a CERT_PKEY structure all flags are irrelevant
4818 * if the chain is invalid.
4819 */
4820 if (!check_flags)
4821 {
4822 if (rv & CERT_PKEY_VALID)
4823 cpk->valid_flags = rv;
4824 else
4825 {
4826 /* Preserve explicit sign flag, clear rest */
4827 cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4828 return 0;
4829 }
4830 }
4831 return rv;
4832 }
4833
4834/* Set validity of certificates in an SSL structure */
4835void tls1_set_cert_validity(SSL *s)
4836 {
4837 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4838 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4839 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4840 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4841 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4842 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4843 }
4844/* User level utiity function to check a chain is suitable */
4845int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4846 {
4847 return tls1_check_chain(s, x, pk, chain, -1);
4848 }
4849
4850#endif