Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / dc9b1411279f02e604367bc56fca8cf2acc9d531 / . / ssl / t1_lib.c
blob: d1a67b31c5aef007e8060aa15065e928a619efdf [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109#include <stdio.h>
110#include <assert.h>
111
112#include <openssl/evp.h>
113#include <openssl/hmac.h>
114#include <openssl/mem.h>
115#include <openssl/obj.h>
116#include <openssl/rand.h>
117
118#include "ssl_locl.h"
119#ifndef OPENSSL_NO_TLSEXT
120static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
121 const unsigned char *sess_id, int sesslen,
122 SSL_SESSION **psess);
123static int ssl_check_clienthello_tlsext_early(SSL *s);
124int ssl_check_serverhello_tlsext(SSL *s);
125#endif
126
127SSL3_ENC_METHOD TLSv1_enc_data={
128 tls1_enc,
129 tls1_mac,
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138 tls1_alert_code,
139 tls1_export_keying_material,
140 0,
141 SSL3_HM_HEADER_LENGTH,
142 ssl3_set_handshake_header,
143 ssl3_handshake_write
144 };
145
146SSL3_ENC_METHOD TLSv1_1_enc_data={
147 tls1_enc,
148 tls1_mac,
149 tls1_setup_key_block,
150 tls1_generate_master_secret,
151 tls1_change_cipher_state,
152 tls1_final_finish_mac,
153 TLS1_FINISH_MAC_LENGTH,
154 tls1_cert_verify_mac,
155 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
156 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
157 tls1_alert_code,
158 tls1_export_keying_material,
159 SSL_ENC_FLAG_EXPLICIT_IV,
160 SSL3_HM_HEADER_LENGTH,
161 ssl3_set_handshake_header,
162 ssl3_handshake_write
163 };
164
165SSL3_ENC_METHOD TLSv1_2_enc_data={
166 tls1_enc,
167 tls1_mac,
168 tls1_setup_key_block,
169 tls1_generate_master_secret,
170 tls1_change_cipher_state,
171 tls1_final_finish_mac,
172 TLS1_FINISH_MAC_LENGTH,
173 tls1_cert_verify_mac,
174 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
175 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
176 tls1_alert_code,
177 tls1_export_keying_material,
178 SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
179 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
180 SSL3_HM_HEADER_LENGTH,
181 ssl3_set_handshake_header,
182 ssl3_handshake_write
183 };
184
185long tls1_default_timeout(void)
186 {
187 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
188 * is way too long for http, the cache would over fill */
189 return(60*60*2);
190 }
191
192int tls1_new(SSL *s)
193 {
194 if (!ssl3_new(s)) return(0);
195 s->method->ssl_clear(s);
196 return(1);
197 }
198
199void tls1_free(SSL *s)
200 {
201#ifndef OPENSSL_NO_TLSEXT
202 if (s->tlsext_session_ticket)
203 {
204 OPENSSL_free(s->tlsext_session_ticket);
205 }
206#endif /* OPENSSL_NO_TLSEXT */
207 ssl3_free(s);
208 }
209
210void tls1_clear(SSL *s)
211 {
212 ssl3_clear(s);
213 s->version = s->method->version;
214 }
215
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame^]216char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx)
217 {
218 size_t len = ctx->client_hello_len;
219 const unsigned char *p = ctx->client_hello;
220 uint16_t *extension_types;
221 unsigned num_extensions;
222
223 /* Skip client version. */
224 if (len < 2)
225 return 0;
226 len -= 2; p += 2;
227
228 /* Skip client nonce. */
229 if (len < 32)
230 return 0;
231 len -= 32; p += 32;
232
233 /* Get length of session id. */
234 if (len < 1)
235 return 0;
236 ctx->session_id_len = *p;
237 p++; len--;
238
239 ctx->session_id = p;
240 if (len < ctx->session_id_len)
241 return 0;
242 p += ctx->session_id_len; len -= ctx->session_id_len;
243
244 /* Skip past DTLS cookie */
245 if (ctx->ssl->version == DTLS1_VERSION || ctx->ssl->version == DTLS1_BAD_VER)
246 {
247 unsigned cookie_len;
248
249 if (len < 1)
250 return 0;
251 cookie_len = *p;
252 p++; len--;
253 if (len < cookie_len)
254 return 0;
255 p += cookie_len; len -= cookie_len;
256 }
257
258 /* Skip cipher suites. */
259 if (len < 2)
260 return 0;
261 n2s(p, ctx->cipher_suites_len);
262 len -= 2;
263
264 if ((ctx->cipher_suites_len & 1) != 0)
265 return 0;
266
267 ctx->cipher_suites = p;
268 if (len < ctx->cipher_suites_len)
269 return 0;
270 p += ctx->cipher_suites_len; len -= ctx->cipher_suites_len;
271
272 /* Skip compression methods. */
273 if (len < 1)
274 return 0;
275 ctx->compression_methods_len = *p;
276 p++; len--;
277
278 ctx->compression_methods = p;
279 if (len < ctx->compression_methods_len)
280 return 0;
281 p += ctx->compression_methods_len; len -= ctx->compression_methods_len;
282
283 /* If the ClientHello ends here then it's valid, but doesn't have any
284 * extensions. (E.g. SSLv3.) */
285 if (len == 0)
286 {
287 ctx->extensions = NULL;
288 ctx->extensions_len = 0;
289 return 1;
290 }
291
292 if (len < 2)
293 return 0;
294 n2s(p, ctx->extensions_len);
295 len -= 2;
296
297 if (ctx->extensions_len == 0 && len == 0)
298 {
299 ctx->extensions = NULL;
300 return 1;
301 }
302
303 ctx->extensions = p;
304 if (len != ctx->extensions_len)
305 return 0;
306
307 /* Verify that the extensions have valid lengths and that there are
308 * no duplicates. Each extension takes, at least, four bytes, so
309 * we can allocate a buffer of extensions_len/4 elements and be sure
310 * that we have enough space for all the extension types. */
311 extension_types =
312 OPENSSL_malloc(sizeof(uint16_t) * ctx->extensions_len/4);
313 if (extension_types == NULL)
314 return 0;
315 num_extensions = 0;
316
317 while (len != 0)
318 {
319 uint16_t extension_type, extension_len;
320 unsigned i;
321
322 if (len < 4)
323 goto err;
324 n2s(p, extension_type);
325 n2s(p, extension_len);
326 len -= 4;
327
328 if (len < extension_len)
329 goto err;
330 p += extension_len; len -= extension_len;
331
332 for (i = 0; i < num_extensions; i++)
333 {
334 if (extension_types[i] == extension_type)
335 {
336 /* Duplicate extension type. */
337 goto err;
338 }
339 }
340 extension_types[num_extensions] = extension_type;
341 num_extensions++;
342 }
343
344 OPENSSL_free(extension_types);
345 return 1;
346
347err:
348 OPENSSL_free(extension_types);
349 return 0;
350 }
351
352char
353SSL_early_callback_ctx_extension_get(const struct ssl_early_callback_ctx *ctx,
354 uint16_t extension_type,
355 const unsigned char **out_data,
356 size_t *out_len)
357 {
358 size_t len = ctx->extensions_len;
359 const unsigned char *p = ctx->extensions;
360
361 while (len != 0)
362 {
363 uint16_t ext_type, ext_len;
364
365 if (len < 4)
366 return 0;
367 n2s(p, ext_type);
368 n2s(p, ext_len);
369 len -= 4;
370
371 if (len < ext_len)
372 return 0;
373 if (ext_type == extension_type)
374 {
375 *out_data = p;
376 *out_len = ext_len;
377 return 1;
378 }
379
380 p += ext_len; len -= ext_len;
381 }
382
383 return 0;
384 }
385
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]386#ifndef OPENSSL_NO_EC
387
388static int nid_list[] =
389 {
390 NID_sect163k1, /* sect163k1 (1) */
391 NID_sect163r1, /* sect163r1 (2) */
392 NID_sect163r2, /* sect163r2 (3) */
393 NID_sect193r1, /* sect193r1 (4) */
394 NID_sect193r2, /* sect193r2 (5) */
395 NID_sect233k1, /* sect233k1 (6) */
396 NID_sect233r1, /* sect233r1 (7) */
397 NID_sect239k1, /* sect239k1 (8) */
398 NID_sect283k1, /* sect283k1 (9) */
399 NID_sect283r1, /* sect283r1 (10) */
400 NID_sect409k1, /* sect409k1 (11) */
401 NID_sect409r1, /* sect409r1 (12) */
402 NID_sect571k1, /* sect571k1 (13) */
403 NID_sect571r1, /* sect571r1 (14) */
404 NID_secp160k1, /* secp160k1 (15) */
405 NID_secp160r1, /* secp160r1 (16) */
406 NID_secp160r2, /* secp160r2 (17) */
407 NID_secp192k1, /* secp192k1 (18) */
408 NID_X9_62_prime192v1, /* secp192r1 (19) */
409 NID_secp224k1, /* secp224k1 (20) */
410 NID_secp224r1, /* secp224r1 (21) */
411 NID_secp256k1, /* secp256k1 (22) */
412 NID_X9_62_prime256v1, /* secp256r1 (23) */
413 NID_secp384r1, /* secp384r1 (24) */
414 NID_secp521r1, /* secp521r1 (25) */
415 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
416 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
417 NID_brainpoolP512r1 /* brainpool512r1 (28) */
418 };
419
420
421static const unsigned char ecformats_default[] =
422 {
423 TLSEXT_ECPOINTFORMAT_uncompressed,
424 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
425 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
426 };
427
428static const unsigned char eccurves_default[] =
429 {
430 0,14, /* sect571r1 (14) */
431 0,13, /* sect571k1 (13) */
432 0,25, /* secp521r1 (25) */
433 0,28, /* brainpool512r1 (28) */
434 0,11, /* sect409k1 (11) */
435 0,12, /* sect409r1 (12) */
436 0,27, /* brainpoolP384r1 (27) */
437 0,24, /* secp384r1 (24) */
438 0,9, /* sect283k1 (9) */
439 0,10, /* sect283r1 (10) */
440 0,26, /* brainpoolP256r1 (26) */
441 0,22, /* secp256k1 (22) */
442 0,23, /* secp256r1 (23) */
443 0,8, /* sect239k1 (8) */
444 0,6, /* sect233k1 (6) */
445 0,7, /* sect233r1 (7) */
446 0,20, /* secp224k1 (20) */
447 0,21, /* secp224r1 (21) */
448 0,4, /* sect193r1 (4) */
449 0,5, /* sect193r2 (5) */
450 0,18, /* secp192k1 (18) */
451 0,19, /* secp192r1 (19) */
452 0,1, /* sect163k1 (1) */
453 0,2, /* sect163r1 (2) */
454 0,3, /* sect163r2 (3) */
455 0,15, /* secp160k1 (15) */
456 0,16, /* secp160r1 (16) */
457 0,17, /* secp160r2 (17) */
458 };
459
460static const unsigned char suiteb_curves[] =
461 {
462 0, TLSEXT_curve_P_256,
463 0, TLSEXT_curve_P_384
464 };
465
466int tls1_ec_curve_id2nid(int curve_id)
467 {
468 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
469 if ((curve_id < 1) || ((unsigned int)curve_id >
470 sizeof(nid_list)/sizeof(nid_list[0])))
471 return 0;
472 return nid_list[curve_id-1];
473 }
474
475int tls1_ec_nid2curve_id(int nid)
476 {
477 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
478 switch (nid)
479 {
480 case NID_sect163k1: /* sect163k1 (1) */
481 return 1;
482 case NID_sect163r1: /* sect163r1 (2) */
483 return 2;
484 case NID_sect163r2: /* sect163r2 (3) */
485 return 3;
486 case NID_sect193r1: /* sect193r1 (4) */
487 return 4;
488 case NID_sect193r2: /* sect193r2 (5) */
489 return 5;
490 case NID_sect233k1: /* sect233k1 (6) */
491 return 6;
492 case NID_sect233r1: /* sect233r1 (7) */
493 return 7;
494 case NID_sect239k1: /* sect239k1 (8) */
495 return 8;
496 case NID_sect283k1: /* sect283k1 (9) */
497 return 9;
498 case NID_sect283r1: /* sect283r1 (10) */
499 return 10;
500 case NID_sect409k1: /* sect409k1 (11) */
501 return 11;
502 case NID_sect409r1: /* sect409r1 (12) */
503 return 12;
504 case NID_sect571k1: /* sect571k1 (13) */
505 return 13;
506 case NID_sect571r1: /* sect571r1 (14) */
507 return 14;
508 case NID_secp160k1: /* secp160k1 (15) */
509 return 15;
510 case NID_secp160r1: /* secp160r1 (16) */
511 return 16;
512 case NID_secp160r2: /* secp160r2 (17) */
513 return 17;
514 case NID_secp192k1: /* secp192k1 (18) */
515 return 18;
516 case NID_X9_62_prime192v1: /* secp192r1 (19) */
517 return 19;
518 case NID_secp224k1: /* secp224k1 (20) */
519 return 20;
520 case NID_secp224r1: /* secp224r1 (21) */
521 return 21;
522 case NID_secp256k1: /* secp256k1 (22) */
523 return 22;
524 case NID_X9_62_prime256v1: /* secp256r1 (23) */
525 return 23;
526 case NID_secp384r1: /* secp384r1 (24) */
527 return 24;
528 case NID_secp521r1: /* secp521r1 (25) */
529 return 25;
530 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
531 return 26;
532 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
533 return 27;
534 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
535 return 28;
536 default:
537 return 0;
538 }
539 }
540/* Get curves list, if "sess" is set return client curves otherwise
541 * preferred list
542 */
543static void tls1_get_curvelist(SSL *s, int sess,
544 const unsigned char **pcurves,
545 size_t *pcurveslen)
546 {
547 if (sess)
548 {
549 *pcurves = s->session->tlsext_ellipticcurvelist;
550 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
551 return;
552 }
553 /* For Suite B mode only include P-256, P-384 */
554 switch (tls1_suiteb(s))
555 {
556 case SSL_CERT_FLAG_SUITEB_128_LOS:
557 *pcurves = suiteb_curves;
558 *pcurveslen = sizeof(suiteb_curves);
559 break;
560
561 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
562 *pcurves = suiteb_curves;
563 *pcurveslen = 2;
564 break;
565
566 case SSL_CERT_FLAG_SUITEB_192_LOS:
567 *pcurves = suiteb_curves + 2;
568 *pcurveslen = 2;
569 break;
570 default:
571 *pcurves = s->tlsext_ellipticcurvelist;
572 *pcurveslen = s->tlsext_ellipticcurvelist_length;
573 }
574 if (!*pcurves)
575 {
576 *pcurves = eccurves_default;
577 *pcurveslen = sizeof(eccurves_default);
578 }
579 }
580/* Check a curve is one of our preferences */
581int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
582 {
583 const unsigned char *curves;
584 size_t curveslen, i;
585 unsigned int suiteb_flags = tls1_suiteb(s);
586 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
587 return 0;
588 /* Check curve matches Suite B preferences */
589 if (suiteb_flags)
590 {
591 unsigned long cid = s->s3->tmp.new_cipher->id;
592 if (p[1])
593 return 0;
594 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
595 {
596 if (p[2] != TLSEXT_curve_P_256)
597 return 0;
598 }
599 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
600 {
601 if (p[2] != TLSEXT_curve_P_384)
602 return 0;
603 }
604 else /* Should never happen */
605 return 0;
606 }
607 tls1_get_curvelist(s, 0, &curves, &curveslen);
608 for (i = 0; i < curveslen; i += 2, curves += 2)
609 {
610 if (p[1] == curves[0] && p[2] == curves[1])
611 return 1;
612 }
613 return 0;
614 }
615
616/* Return nth shared curve. If nmatch == -1 return number of
617 * matches. For nmatch == -2 return the NID of the curve to use for
618 * an EC tmp key.
619 */
620
621int tls1_shared_curve(SSL *s, int nmatch)
622 {
623 const unsigned char *pref, *supp;
624 size_t preflen, supplen, i, j;
625 int k;
626 /* Can't do anything on client side */
627 if (s->server == 0)
628 return -1;
629 if (nmatch == -2)
630 {
631 if (tls1_suiteb(s))
632 {
633 /* For Suite B ciphersuite determines curve: we
634 * already know these are acceptable due to previous
635 * checks.
636 */
637 unsigned long cid = s->s3->tmp.new_cipher->id;
638 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
639 return NID_X9_62_prime256v1; /* P-256 */
640 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
641 return NID_secp384r1; /* P-384 */
642 /* Should never happen */
643 return NID_undef;
644 }
645 /* If not Suite B just return first preference shared curve */
646 nmatch = 0;
647 }
648 tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
649 &supp, &supplen);
650 tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
651 &pref, &preflen);
652 preflen /= 2;
653 supplen /= 2;
654 k = 0;
655 for (i = 0; i < preflen; i++, pref+=2)
656 {
657 const unsigned char *tsupp = supp;
658 for (j = 0; j < supplen; j++, tsupp+=2)
659 {
660 if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
661 {
662 if (nmatch == k)
663 {
664 int id = (pref[0] << 8) | pref[1];
665 return tls1_ec_curve_id2nid(id);
666 }
667 k++;
668 }
669 }
670 }
671 if (nmatch == -1)
672 return k;
673 return 0;
674 }
675
676int tls1_set_curves(unsigned char **pext, size_t *pextlen,
677 int *curves, size_t ncurves)
678 {
679 unsigned char *clist, *p;
680 size_t i;
681 /* Bitmap of curves included to detect duplicates: only works
682 * while curve ids < 32
683 */
684 unsigned long dup_list = 0;
685 clist = OPENSSL_malloc(ncurves * 2);
686 if (!clist)
687 return 0;
688 for (i = 0, p = clist; i < ncurves; i++)
689 {
690 unsigned long idmask;
691 int id;
692 id = tls1_ec_nid2curve_id(curves[i]);
693 idmask = 1L << id;
694 if (!id || (dup_list & idmask))
695 {
696 OPENSSL_free(clist);
697 return 0;
698 }
699 dup_list |= idmask;
700 s2n(id, p);
701 }
702 if (*pext)
703 OPENSSL_free(*pext);
704 *pext = clist;
705 *pextlen = ncurves * 2;
706 return 1;
707 }
708
709/* TODO(fork): remove */
710#if 0
711#define MAX_CURVELIST 28
712
713typedef struct
714 {
715 size_t nidcnt;
716 int nid_arr[MAX_CURVELIST];
717 } nid_cb_st;
718
719static int nid_cb(const char *elem, int len, void *arg)
720 {
721 nid_cb_st *narg = arg;
722 size_t i;
723 int nid;
724 char etmp[20];
725 if (narg->nidcnt == MAX_CURVELIST)
726 return 0;
727 if (len > (int)(sizeof(etmp) - 1))
728 return 0;
729 memcpy(etmp, elem, len);
730 etmp[len] = 0;
731 nid = EC_curve_nist2nid(etmp);
732 if (nid == NID_undef)
733 nid = OBJ_sn2nid(etmp);
734 if (nid == NID_undef)
735 nid = OBJ_ln2nid(etmp);
736 if (nid == NID_undef)
737 return 0;
738 for (i = 0; i < narg->nidcnt; i++)
739 if (narg->nid_arr[i] == nid)
740 return 0;
741 narg->nid_arr[narg->nidcnt++] = nid;
742 return 1;
743 }
744/* Set curves based on a colon separate list */
745int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
746 const char *str)
747 {
748 nid_cb_st ncb;
749 ncb.nidcnt = 0;
750 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
751 return 0;
752 if (pext == NULL)
753 return 1;
754 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
755 }
756#endif
757
758/* For an EC key set TLS id and required compression based on parameters */
759static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
760 EC_KEY *ec)
761 {
762 int is_prime = 1, id;
763 const EC_GROUP *grp;
764 if (!ec)
765 return 0;
766
767 /* TODO(fork): remove. All curves are prime now. */
768 grp = EC_KEY_get0_group(ec);
769 if (!grp)
770 return 0;
771#if 0
772 /* Determine if it is a prime field */
773 meth = EC_GROUP_method_of(grp);
774 if (!meth)
775 return 0;
776 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
777 is_prime = 1;
778 else
779 is_prime = 0;
780#endif
781
782 /* Determine curve ID */
783 id = EC_GROUP_get_curve_name(grp);
784 id = tls1_ec_nid2curve_id(id);
785 /* If we have an ID set it, otherwise set arbitrary explicit curve */
786 if (id)
787 {
788 curve_id[0] = 0;
789 curve_id[1] = (unsigned char)id;
790 }
791 else
792 {
793 curve_id[0] = 0xff;
794 if (is_prime)
795 curve_id[1] = 0x01;
796 else
797 curve_id[1] = 0x02;
798 }
799 if (comp_id)
800 {
801 if (EC_KEY_get0_public_key(ec) == NULL)
802 return 0;
803 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
804 {
805 if (is_prime)
806 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
807 else
808 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
809 }
810 else
811 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
812 }
813 return 1;
814 }
815/* Check an EC key is compatible with extensions */
816static int tls1_check_ec_key(SSL *s,
817 unsigned char *curve_id, unsigned char *comp_id)
818 {
819 const unsigned char *p;
820 size_t plen, i;
821 int j;
822 /* If point formats extension present check it, otherwise everything
823 * is supported (see RFC4492).
824 */
825 if (comp_id && s->session->tlsext_ecpointformatlist)
826 {
827 p = s->session->tlsext_ecpointformatlist;
828 plen = s->session->tlsext_ecpointformatlist_length;
829 for (i = 0; i < plen; i++, p++)
830 {
831 if (*comp_id == *p)
832 break;
833 }
834 if (i == plen)
835 return 0;
836 }
837 if (!curve_id)
838 return 1;
839 /* Check curve is consistent with client and server preferences */
840 for (j = 0; j <= 1; j++)
841 {
842 tls1_get_curvelist(s, j, &p, &plen);
843 for (i = 0; i < plen; i+=2, p+=2)
844 {
845 if (p[0] == curve_id[0] && p[1] == curve_id[1])
846 break;
847 }
848 if (i == plen)
849 return 0;
850 /* For clients can only check sent curve list */
851 if (!s->server)
852 return 1;
853 }
854 return 1;
855 }
856
857static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
858 size_t *pformatslen)
859 {
860 /* If we have a custom point format list use it otherwise
861 * use default */
862 if (s->tlsext_ecpointformatlist)
863 {
864 *pformats = s->tlsext_ecpointformatlist;
865 *pformatslen = s->tlsext_ecpointformatlist_length;
866 }
867 else
868 {
869 *pformats = ecformats_default;
870 /* For Suite B we don't support char2 fields */
871 if (tls1_suiteb(s))
872 *pformatslen = sizeof(ecformats_default) - 1;
873 else
874 *pformatslen = sizeof(ecformats_default);
875 }
876 }
877
878/* Check cert parameters compatible with extensions: currently just checks
879 * EC certificates have compatible curves and compression.
880 */
881static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
882 {
883 unsigned char comp_id, curve_id[2];
884 EVP_PKEY *pkey;
885 int rv;
886 pkey = X509_get_pubkey(x);
887 if (!pkey)
888 return 0;
889 /* If not EC nothing to do */
890 if (pkey->type != EVP_PKEY_EC)
891 {
892 EVP_PKEY_free(pkey);
893 return 1;
894 }
895 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
896 EVP_PKEY_free(pkey);
897 if (!rv)
898 return 0;
899 /* Can't check curve_id for client certs as we don't have a
900 * supported curves extension.
901 */
902 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
903 if (!rv)
904 return 0;
905 /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
906 * SHA384+P-384, adjust digest if necessary.
907 */
908 if (set_ee_md && tls1_suiteb(s))
909 {
910 int check_md;
911 size_t i;
912 CERT *c = s->cert;
913 if (curve_id[0])
914 return 0;
915 /* Check to see we have necessary signing algorithm */
916 if (curve_id[1] == TLSEXT_curve_P_256)
917 check_md = NID_ecdsa_with_SHA256;
918 else if (curve_id[1] == TLSEXT_curve_P_384)
919 check_md = NID_ecdsa_with_SHA384;
920 else
921 return 0; /* Should never happen */
922 for (i = 0; i < c->shared_sigalgslen; i++)
923 if (check_md == c->shared_sigalgs[i].signandhash_nid)
924 break;
925 if (i == c->shared_sigalgslen)
926 return 0;
927 if (set_ee_md == 2)
928 {
929 if (check_md == NID_ecdsa_with_SHA256)
930 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
931 else
932 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
933 }
934 }
935 return rv;
936 }
937/* Check EC temporary key is compatible with client extensions */
938int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
939 {
940 unsigned char curve_id[2];
941 EC_KEY *ec = s->cert->ecdh_tmp;
942#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
943 /* Allow any curve: not just those peer supports */
944 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
945 return 1;
946#endif
947 /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
948 * no other curves permitted.
949 */
950 if (tls1_suiteb(s))
951 {
952 /* Curve to check determined by ciphersuite */
953 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
954 curve_id[1] = TLSEXT_curve_P_256;
955 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
956 curve_id[1] = TLSEXT_curve_P_384;
957 else
958 return 0;
959 curve_id[0] = 0;
960 /* Check this curve is acceptable */
961 if (!tls1_check_ec_key(s, curve_id, NULL))
962 return 0;
963 /* If auto or setting curve from callback assume OK */
964 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
965 return 1;
966 /* Otherwise check curve is acceptable */
967 else
968 {
969 unsigned char curve_tmp[2];
970 if (!ec)
971 return 0;
972 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
973 return 0;
974 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
975 return 1;
976 return 0;
977 }
978
979 }
980 if (s->cert->ecdh_tmp_auto)
981 {
982 /* Need a shared curve */
983 if (tls1_shared_curve(s, 0))
984 return 1;
985 else return 0;
986 }
987 if (!ec)
988 {
989 if (s->cert->ecdh_tmp_cb)
990 return 1;
991 else
992 return 0;
993 }
994 if (!tls1_set_ec_id(curve_id, NULL, ec))
995 return 0;
996/* Set this to allow use of invalid curves for testing */
997#if 0
998 return 1;
999#else
1000 return tls1_check_ec_key(s, curve_id, NULL);
1001#endif
1002 }
1003
1004#else
1005
1006static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
1007 {
1008 return 1;
1009 }
1010
1011#endif /* OPENSSL_NO_EC */
1012
1013#ifndef OPENSSL_NO_TLSEXT
1014
1015/* List of supported signature algorithms and hashes. Should make this
1016 * customisable at some point, for now include everything we support.
1017 */
1018
1019#ifdef OPENSSL_NO_RSA
1020#define tlsext_sigalg_rsa(md) /* */
1021#else
1022#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
1023#endif
1024
1025#ifdef OPENSSL_NO_DSA
1026#define tlsext_sigalg_dsa(md) /* */
1027#else
1028#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
1029#endif
1030
1031#ifdef OPENSSL_NO_ECDSA
1032#define tlsext_sigalg_ecdsa(md) /* */
1033#else
1034#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
1035#endif
1036
1037#define tlsext_sigalg(md) \
1038 tlsext_sigalg_rsa(md) \
1039 tlsext_sigalg_dsa(md) \
1040 tlsext_sigalg_ecdsa(md)
1041
1042static unsigned char tls12_sigalgs[] = {
1043#ifndef OPENSSL_NO_SHA512
1044 tlsext_sigalg(TLSEXT_hash_sha512)
1045 tlsext_sigalg(TLSEXT_hash_sha384)
1046#endif
1047#ifndef OPENSSL_NO_SHA256
1048 tlsext_sigalg(TLSEXT_hash_sha256)
1049 tlsext_sigalg(TLSEXT_hash_sha224)
1050#endif
1051#ifndef OPENSSL_NO_SHA
1052 tlsext_sigalg(TLSEXT_hash_sha1)
1053#endif
1054};
1055#ifndef OPENSSL_NO_ECDSA
1056static unsigned char suiteb_sigalgs[] = {
1057 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
1058 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
1059};
1060#endif
1061size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
1062 {
1063 /* If Suite B mode use Suite B sigalgs only, ignore any other
1064 * preferences.
1065 */
1066#ifndef OPENSSL_NO_EC
1067 switch (tls1_suiteb(s))
1068 {
1069 case SSL_CERT_FLAG_SUITEB_128_LOS:
1070 *psigs = suiteb_sigalgs;
1071 return sizeof(suiteb_sigalgs);
1072
1073 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
1074 *psigs = suiteb_sigalgs;
1075 return 2;
1076
1077 case SSL_CERT_FLAG_SUITEB_192_LOS:
1078 *psigs = suiteb_sigalgs + 2;
1079 return 2;
1080 }
1081#endif
1082 /* If server use client authentication sigalgs if not NULL */
1083 if (s->server && s->cert->client_sigalgs)
1084 {
1085 *psigs = s->cert->client_sigalgs;
1086 return s->cert->client_sigalgslen;
1087 }
1088 else if (s->cert->conf_sigalgs)
1089 {
1090 *psigs = s->cert->conf_sigalgs;
1091 return s->cert->conf_sigalgslen;
1092 }
1093 else
1094 {
1095 *psigs = tls12_sigalgs;
1096 return sizeof(tls12_sigalgs);
1097 }
1098 }
1099/* Check signature algorithm is consistent with sent supported signature
1100 * algorithms and if so return relevant digest.
1101 */
1102int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
1103 const unsigned char *sig, EVP_PKEY *pkey)
1104 {
1105 const unsigned char *sent_sigs;
1106 size_t sent_sigslen, i;
1107 int sigalg = tls12_get_sigid(pkey);
1108 /* Should never happen */
1109 if (sigalg == -1)
1110 return -1;
1111 /* Check key type is consistent with signature */
1112 if (sigalg != (int)sig[1])
1113 {
1114 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
1115 return 0;
1116 }
1117#ifndef OPENSSL_NO_EC
1118 if (pkey->type == EVP_PKEY_EC)
1119 {
1120 unsigned char curve_id[2], comp_id;
1121 /* Check compression and curve matches extensions */
1122 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
1123 return 0;
1124 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
1125 {
1126 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_CURVE);
1127 return 0;
1128 }
1129 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1130 if (tls1_suiteb(s))
1131 {
1132 if (curve_id[0])
1133 return 0;
1134 if (curve_id[1] == TLSEXT_curve_P_256)
1135 {
1136 if (sig[0] != TLSEXT_hash_sha256)
1137 {
1138 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
1139 return 0;
1140 }
1141 }
1142 else if (curve_id[1] == TLSEXT_curve_P_384)
1143 {
1144 if (sig[0] != TLSEXT_hash_sha384)
1145 {
1146 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
1147 return 0;
1148 }
1149 }
1150 else
1151 return 0;
1152 }
1153 }
1154 else if (tls1_suiteb(s))
1155 return 0;
1156#endif
1157
1158 /* Check signature matches a type we sent */
1159 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1160 for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
1161 {
1162 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1163 break;
1164 }
1165 /* Allow fallback to SHA1 if not strict mode */
1166 if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
1167 {
1168 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
1169 return 0;
1170 }
1171 *pmd = tls12_get_hash(sig[0]);
1172 if (*pmd == NULL)
1173 {
1174 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_UNKNOWN_DIGEST);
1175 return 0;
1176 }
1177 /* Store the digest used so applications can retrieve it if they
1178 * wish.
1179 */
1180 if (s->session && s->session->sess_cert)
1181 s->session->sess_cert->peer_key->digest = *pmd;
1182 return 1;
1183 }
1184/* Get a mask of disabled algorithms: an algorithm is disabled
1185 * if it isn't supported or doesn't appear in supported signature
1186 * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1187 * session and not global settings.
1188 *
1189 */
1190void ssl_set_client_disabled(SSL *s)
1191 {
1192 CERT *c = s->cert;
1193 const unsigned char *sigalgs;
1194 size_t i, sigalgslen;
1195 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1196 c->mask_a = 0;
1197 c->mask_k = 0;
1198 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1199 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1200 c->mask_ssl = SSL_TLSV1_2;
1201 else
1202 c->mask_ssl = 0;
1203 /* Now go through all signature algorithms seeing if we support
1204 * any for RSA, DSA, ECDSA. Do this for all versions not just
1205 * TLS 1.2.
1206 */
1207 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1208 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
1209 {
1210 switch(sigalgs[1])
1211 {
1212#ifndef OPENSSL_NO_RSA
1213 case TLSEXT_signature_rsa:
1214 have_rsa = 1;
1215 break;
1216#endif
1217#ifndef OPENSSL_NO_DSA
1218 case TLSEXT_signature_dsa:
1219 have_dsa = 1;
1220 break;
1221#endif
1222#ifndef OPENSSL_NO_ECDSA
1223 case TLSEXT_signature_ecdsa:
1224 have_ecdsa = 1;
1225 break;
1226#endif
1227 }
1228 }
1229 /* Disable auth and static DH if we don't include any appropriate
1230 * signature algorithms.
1231 */
1232 if (!have_rsa)
1233 {
1234 c->mask_a |= SSL_aRSA;
1235 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1236 }
1237 if (!have_dsa)
1238 {
1239 c->mask_a |= SSL_aDSS;
1240 c->mask_k |= SSL_kDHd;
1241 }
1242 if (!have_ecdsa)
1243 {
1244 c->mask_a |= SSL_aECDSA;
1245 c->mask_k |= SSL_kECDHe;
1246 }
1247#ifndef OPENSSL_NO_PSK
1248 /* with PSK there must be client callback set */
1249 if (!s->psk_client_callback)
1250 {
1251 c->mask_a |= SSL_aPSK;
1252 c->mask_k |= SSL_kPSK;
1253 }
1254#endif /* OPENSSL_NO_PSK */
1255 c->valid = 1;
1256 }
1257
1258/* byte_compare is a compare function for qsort(3) that compares bytes. */
1259static int byte_compare(const void *in_a, const void *in_b)
1260 {
1261 unsigned char a = *((const unsigned char*) in_a);
1262 unsigned char b = *((const unsigned char*) in_b);
1263
1264 if (a > b)
1265 return 1;
1266 else if (a < b)
1267 return -1;
1268 return 0;
1269}
1270
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1271/* header_len is the length of the ClientHello header written so far, used to
1272 * compute padding. It does not include the record header. Pass 0 if no padding
1273 * is to be done. */
1274unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, size_t header_len)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1275 {
1276 int extdatalen=0;
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1277 unsigned char *ret = buf;
1278 unsigned char *orig = buf;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1279#ifndef OPENSSL_NO_EC
1280 /* See if we support any ECC ciphersuites */
1281 int using_ecc = 0;
1282 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1283 {
1284 int i;
1285 unsigned long alg_k, alg_a;
1286 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1287
1288 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1289 {
1290 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1291
1292 alg_k = c->algorithm_mkey;
1293 alg_a = c->algorithm_auth;
1294 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
1295 || (alg_a & SSL_aECDSA)))
1296 {
1297 using_ecc = 1;
1298 break;
1299 }
1300 }
1301 }
1302#endif
1303
1304 /* don't add extensions for SSLv3 unless doing secure renegotiation */
1305 if (s->client_version == SSL3_VERSION
1306 && !s->s3->send_connection_binding)
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1307 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1308
1309 ret+=2;
1310
1311 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1312
1313 if (s->tlsext_hostname != NULL)
1314 {
1315 /* Add TLS extension servername to the Client Hello message */
1316 unsigned long size_str;
1317 long lenmax;
1318
1319 /* check for enough space.
1320 4 for the servername type and entension length
1321 2 for servernamelist length
1322 1 for the hostname type
1323 2 for hostname length
1324 + hostname length
1325 */
1326
1327 if ((lenmax = limit - ret - 9) < 0
1328 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1329 return NULL;
1330
1331 /* extension type and length */
1332 s2n(TLSEXT_TYPE_server_name,ret);
1333 s2n(size_str+5,ret);
1334
1335 /* length of servername list */
1336 s2n(size_str+3,ret);
1337
1338 /* hostname type, length and hostname */
1339 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1340 s2n(size_str,ret);
1341 memcpy(ret, s->tlsext_hostname, size_str);
1342 ret+=size_str;
1343 }
1344
1345 /* Add RI if renegotiating */
1346 if (s->renegotiate)
1347 {
1348 int el;
1349
1350 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1351 {
1352 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1353 return NULL;
1354 }
1355
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1356 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1357
1358 s2n(TLSEXT_TYPE_renegotiate,ret);
1359 s2n(el,ret);
1360
1361 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1362 {
1363 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1364 return NULL;
1365 }
1366
1367 ret += el;
1368 }
1369
1370
1371#ifndef OPENSSL_NO_EC
1372 if (using_ecc)
1373 {
1374 /* Add TLS extension ECPointFormats to the ClientHello message */
1375 long lenmax;
1376 const unsigned char *plist;
1377 size_t plistlen;
1378
1379 tls1_get_formatlist(s, &plist, &plistlen);
1380
1381 if ((lenmax = limit - ret - 5) < 0) return NULL;
1382 if (plistlen > (size_t)lenmax) return NULL;
1383 if (plistlen > 255)
1384 {
1385 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1386 return NULL;
1387 }
1388
1389 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1390 s2n(plistlen + 1,ret);
1391 *(ret++) = (unsigned char)plistlen ;
1392 memcpy(ret, plist, plistlen);
1393 ret+=plistlen;
1394
1395 /* Add TLS extension EllipticCurves to the ClientHello message */
1396 plist = s->tlsext_ellipticcurvelist;
1397 tls1_get_curvelist(s, 0, &plist, &plistlen);
1398
1399 if ((lenmax = limit - ret - 6) < 0) return NULL;
1400 if (plistlen > (size_t)lenmax) return NULL;
1401 if (plistlen > 65532)
1402 {
1403 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1404 return NULL;
1405 }
1406
1407 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1408 s2n(plistlen + 2, ret);
1409
1410 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1411 * elliptic_curve_list, but the examples use two bytes.
1412 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1413 * resolves this to two bytes.
1414 */
1415 s2n(plistlen, ret);
1416 memcpy(ret, plist, plistlen);
1417 ret+=plistlen;
1418 }
1419#endif /* OPENSSL_NO_EC */
1420
1421 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
1422 {
1423 int ticklen;
1424 if (!s->new_session && s->session && s->session->tlsext_tick)
1425 ticklen = s->session->tlsext_ticklen;
1426 else if (s->session && s->tlsext_session_ticket &&
1427 s->tlsext_session_ticket->data)
1428 {
1429 ticklen = s->tlsext_session_ticket->length;
1430 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1431 if (!s->session->tlsext_tick)
1432 return NULL;
1433 memcpy(s->session->tlsext_tick,
1434 s->tlsext_session_ticket->data,
1435 ticklen);
1436 s->session->tlsext_ticklen = ticklen;
1437 }
1438 else
1439 ticklen = 0;
1440 if (ticklen == 0 && s->tlsext_session_ticket &&
1441 s->tlsext_session_ticket->data == NULL)
1442 goto skip_ext;
1443 /* Check for enough room 2 for extension type, 2 for len
1444 * rest for ticket
1445 */
1446 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1447 s2n(TLSEXT_TYPE_session_ticket,ret);
1448 s2n(ticklen,ret);
1449 if (ticklen)
1450 {
1451 memcpy(ret, s->session->tlsext_tick, ticklen);
1452 ret += ticklen;
1453 }
1454 }
1455 skip_ext:
1456
1457 if (SSL_USE_SIGALGS(s))
1458 {
1459 size_t salglen;
1460 const unsigned char *salg;
1461 salglen = tls12_get_psigalgs(s, &salg);
1462 if ((size_t)(limit - ret) < salglen + 6)
1463 return NULL;
1464 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1465 s2n(salglen + 2, ret);
1466 s2n(salglen, ret);
1467 memcpy(ret, salg, salglen);
1468 ret += salglen;
1469 }
1470
1471#ifdef TLSEXT_TYPE_opaque_prf_input
1472 if (s->s3->client_opaque_prf_input != NULL)
1473 {
1474 size_t col = s->s3->client_opaque_prf_input_len;
1475
1476 if ((long)(limit - ret - 6 - col < 0))
1477 return NULL;
1478 if (col > 0xFFFD) /* can't happen */
1479 return NULL;
1480
1481 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1482 s2n(col + 2, ret);
1483 s2n(col, ret);
1484 memcpy(ret, s->s3->client_opaque_prf_input, col);
1485 ret += col;
1486 }
1487#endif
1488
1489 /* TODO(fork): we probably want OCSP stapling, but it currently pulls in a lot of code. */
1490#if 0
1491 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1492 {
1493 int i;
1494 long extlen, idlen, itmp;
1495 OCSP_RESPID *id;
1496
1497 idlen = 0;
1498 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1499 {
1500 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1501 itmp = i2d_OCSP_RESPID(id, NULL);
1502 if (itmp <= 0)
1503 return NULL;
1504 idlen += itmp + 2;
1505 }
1506
1507 if (s->tlsext_ocsp_exts)
1508 {
1509 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1510 if (extlen < 0)
1511 return NULL;
1512 }
1513 else
1514 extlen = 0;
1515
1516 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1517 s2n(TLSEXT_TYPE_status_request, ret);
1518 if (extlen + idlen > 0xFFF0)
1519 return NULL;
1520 s2n(extlen + idlen + 5, ret);
1521 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1522 s2n(idlen, ret);
1523 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1524 {
1525 /* save position of id len */
1526 unsigned char *q = ret;
1527 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1528 /* skip over id len */
1529 ret += 2;
1530 itmp = i2d_OCSP_RESPID(id, &ret);
1531 /* write id len */
1532 s2n(itmp, q);
1533 }
1534 s2n(extlen, ret);
1535 if (extlen > 0)
1536 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1537 }
1538#endif
1539
1540#ifndef OPENSSL_NO_HEARTBEATS
1541 /* Add Heartbeat extension */
1542 s2n(TLSEXT_TYPE_heartbeat,ret);
1543 s2n(1,ret);
1544 /* Set mode:
1545 * 1: peer may send requests
1546 * 2: peer not allowed to send requests
1547 */
1548 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1549 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1550 else
1551 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1552#endif
1553
1554#ifndef OPENSSL_NO_NEXTPROTONEG
1555 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1556 {
1557 /* The client advertises an emtpy extension to indicate its
1558 * support for Next Protocol Negotiation */
1559 if (limit - ret - 4 < 0)
1560 return NULL;
1561 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1562 s2n(0,ret);
1563 }
1564#endif
1565
1566 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1567 {
1568 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1569 return NULL;
1570 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1571 s2n(2 + s->alpn_client_proto_list_len,ret);
1572 s2n(s->alpn_client_proto_list_len,ret);
1573 memcpy(ret, s->alpn_client_proto_list,
1574 s->alpn_client_proto_list_len);
1575 ret += s->alpn_client_proto_list_len;
1576 }
1577
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]1578 if (s->tlsext_channel_id_enabled)
1579 {
1580 /* The client advertises an emtpy extension to indicate its
1581 * support for Channel ID. */
1582 if (limit - ret - 4 < 0)
1583 return NULL;
1584 if (s->ctx->tlsext_channel_id_enabled_new)
1585 s2n(TLSEXT_TYPE_channel_id_new,ret);
1586 else
1587 s2n(TLSEXT_TYPE_channel_id,ret);
1588 s2n(0,ret);
1589 }
1590
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1591 if(SSL_get_srtp_profiles(s))
1592 {
1593 int el;
1594
1595 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1596
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1597 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1598
1599 s2n(TLSEXT_TYPE_use_srtp,ret);
1600 s2n(el,ret);
1601
1602 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1603 {
1604 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1605 return NULL;
1606 }
1607 ret += el;
1608 }
1609
1610 /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1611 /* 2 bytes for extension type */
1612 /* 2 bytes for extension length */
1613 /* 1 byte for the list length */
1614 /* 1 byte for the list (we only support audit proofs) */
1615 if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1616 {
1617 const unsigned short ext_len = 2;
1618 const unsigned char list_len = 1;
1619
1620 if (limit < ret + 6)
1621 return NULL;
1622
1623 s2n(TLSEXT_TYPE_server_authz, ret);
1624 /* Extension length: 2 bytes */
1625 s2n(ext_len, ret);
1626 *(ret++) = list_len;
1627 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1628 }
1629
1630 /* Add custom TLS Extensions to ClientHello */
1631 if (s->ctx->custom_cli_ext_records_count)
1632 {
1633 size_t i;
1634 custom_cli_ext_record* record;
1635
1636 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
1637 {
1638 const unsigned char* out = NULL;
1639 unsigned short outlen = 0;
1640
1641 record = &s->ctx->custom_cli_ext_records[i];
1642 /* NULL callback sends empty extension */
1643 /* -1 from callback omits extension */
1644 if (record->fn1)
1645 {
1646 int cb_retval = 0;
1647 cb_retval = record->fn1(s, record->ext_type,
1648 &out, &outlen,
1649 record->arg);
1650 if (cb_retval == 0)
1651 return NULL; /* error */
1652 if (cb_retval == -1)
1653 continue; /* skip this extension */
1654 }
1655 if (limit < ret + 4 + outlen)
1656 return NULL;
1657 s2n(record->ext_type, ret);
1658 s2n(outlen, ret);
1659 memcpy(ret, out, outlen);
1660 ret += outlen;
1661 }
1662 }
1663
1664#ifdef TLSEXT_TYPE_padding
1665 /* Add padding to workaround bugs in F5 terminators.
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1666 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1667 *
1668 * NB: because this code works out the length of all existing
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1669 * extensions it MUST always appear last. */
1670 if (header_len > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1671 {
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1672 header_len += ret - orig;
1673 if (header_len > 0xff && header_len < 0x200)
1674 {
1675 size_t padding_len = 0x200 - header_len;
1676 if (padding_len >= 4)
1677 padding_len -= 4;
1678 else
1679 padding_len = 0;
1680 if (limit - ret - 4 - (long)padding_len < 0)
1681 return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1682
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1683 s2n(TLSEXT_TYPE_padding, ret);
1684 s2n(padding_len, ret);
1685 memset(ret, 0, padding_len);
1686 ret += padding_len;
1687 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1688 }
1689#endif
1690
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1691 if ((extdatalen = ret-orig-2)== 0)
1692 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1693
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1694 s2n(extdatalen, orig);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1695 return ret;
1696 }
1697
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1698unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1699 {
1700 int extdatalen=0;
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1701 unsigned char *orig = buf;
1702 unsigned char *ret = buf;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1703#ifndef OPENSSL_NO_NEXTPROTONEG
1704 int next_proto_neg_seen;
1705#endif
1706#ifndef OPENSSL_NO_EC
1707 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1708 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1709 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1710 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1711#endif
1712 /* don't add extensions for SSLv3, unless doing secure renegotiation */
1713 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1714 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1715
1716 ret+=2;
1717 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1718
1719 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1720 {
1721 if ((long)(limit - ret - 4) < 0) return NULL;
1722
1723 s2n(TLSEXT_TYPE_server_name,ret);
1724 s2n(0,ret);
1725 }
1726
1727 if(s->s3->send_connection_binding)
1728 {
1729 int el;
1730
1731 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1732 {
1733 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1734 return NULL;
1735 }
1736
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1737 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1738
1739 s2n(TLSEXT_TYPE_renegotiate,ret);
1740 s2n(el,ret);
1741
1742 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1743 {
1744 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1745 return NULL;
1746 }
1747
1748 ret += el;
1749 }
1750
1751#ifndef OPENSSL_NO_EC
1752 if (using_ecc)
1753 {
1754 const unsigned char *plist;
1755 size_t plistlen;
1756 /* Add TLS extension ECPointFormats to the ServerHello message */
1757 long lenmax;
1758
1759 tls1_get_formatlist(s, &plist, &plistlen);
1760
1761 if ((lenmax = limit - ret - 5) < 0) return NULL;
1762 if (plistlen > (size_t)lenmax) return NULL;
1763 if (plistlen > 255)
1764 {
1765 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1766 return NULL;
1767 }
1768
1769 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1770 s2n(plistlen + 1,ret);
1771 *(ret++) = (unsigned char) plistlen;
1772 memcpy(ret, plist, plistlen);
1773 ret+=plistlen;
1774
1775 }
1776 /* Currently the server should not respond with a SupportedCurves extension */
1777#endif /* OPENSSL_NO_EC */
1778
1779 if (s->tlsext_ticket_expected
1780 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
1781 {
1782 if ((long)(limit - ret - 4) < 0) return NULL;
1783 s2n(TLSEXT_TYPE_session_ticket,ret);
1784 s2n(0,ret);
1785 }
1786
1787 if (s->tlsext_status_expected)
1788 {
1789 if ((long)(limit - ret - 4) < 0) return NULL;
1790 s2n(TLSEXT_TYPE_status_request,ret);
1791 s2n(0,ret);
1792 }
1793
1794#ifdef TLSEXT_TYPE_opaque_prf_input
1795 if (s->s3->server_opaque_prf_input != NULL)
1796 {
1797 size_t sol = s->s3->server_opaque_prf_input_len;
1798
1799 if ((long)(limit - ret - 6 - sol) < 0)
1800 return NULL;
1801 if (sol > 0xFFFD) /* can't happen */
1802 return NULL;
1803
1804 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1805 s2n(sol + 2, ret);
1806 s2n(sol, ret);
1807 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1808 ret += sol;
1809 }
1810#endif
1811
1812 if(s->srtp_profile)
1813 {
1814 int el;
1815
1816 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1817
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]1818 if((limit - ret - 4 - el) < 0) return NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1819
1820 s2n(TLSEXT_TYPE_use_srtp,ret);
1821 s2n(el,ret);
1822
1823 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1824 {
1825 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1826 return NULL;
1827 }
1828 ret+=el;
1829 }
1830
1831 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
1832 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1833 { const unsigned char cryptopro_ext[36] = {
1834 0xfd, 0xe8, /*65000*/
1835 0x00, 0x20, /*32 bytes length*/
1836 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1837 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1838 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1839 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1840 if (limit-ret<36) return NULL;
1841 memcpy(ret,cryptopro_ext,36);
1842 ret+=36;
1843
1844 }
1845
1846#ifndef OPENSSL_NO_HEARTBEATS
1847 /* Add Heartbeat extension if we've received one */
1848 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1849 {
1850 s2n(TLSEXT_TYPE_heartbeat,ret);
1851 s2n(1,ret);
1852 /* Set mode:
1853 * 1: peer may send requests
1854 * 2: peer not allowed to send requests
1855 */
1856 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1857 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1858 else
1859 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1860
1861 }
1862#endif
1863
1864#ifndef OPENSSL_NO_NEXTPROTONEG
1865 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1866 s->s3->next_proto_neg_seen = 0;
1867 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1868 {
1869 const unsigned char *npa;
1870 unsigned int npalen;
1871 int r;
1872
1873 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1874 if (r == SSL_TLSEXT_ERR_OK)
1875 {
1876 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1877 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1878 s2n(npalen,ret);
1879 memcpy(ret, npa, npalen);
1880 ret += npalen;
1881 s->s3->next_proto_neg_seen = 1;
1882 }
1883 }
1884#endif
1885
1886 /* If the client supports authz then see whether we have any to offer
1887 * to it. */
1888 if (s->s3->tlsext_authz_client_types_len)
1889 {
1890 size_t authz_length;
1891 /* By now we already know the new cipher, so we can look ahead
1892 * to see whether the cert we are going to send
1893 * has any authz data attached to it. */
1894 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1895 const unsigned char* const orig_authz = authz;
1896 size_t i;
1897 unsigned authz_count = 0;
1898
1899 /* The authz data contains a number of the following structures:
1900 * uint8_t authz_type
1901 * uint16_t length
1902 * uint8_t data[length]
1903 *
1904 * First we walk over it to find the number of authz elements. */
1905 for (i = 0; i < authz_length; i++)
1906 {
1907 unsigned short length;
1908 unsigned char type;
1909
1910 type = *(authz++);
1911 if (memchr(s->s3->tlsext_authz_client_types,
1912 type,
1913 s->s3->tlsext_authz_client_types_len) != NULL)
1914 authz_count++;
1915
1916 n2s(authz, length);
1917 /* n2s increments authz by 2 */
1918 i += 2;
1919 authz += length;
1920 i += length;
1921 }
1922
1923 if (authz_count)
1924 {
1925 /* Add TLS extension server_authz to the ServerHello message
1926 * 2 bytes for extension type
1927 * 2 bytes for extension length
1928 * 1 byte for the list length
1929 * n bytes for the list */
1930 const unsigned short ext_len = 1 + authz_count;
1931
1932 if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1933 s2n(TLSEXT_TYPE_server_authz, ret);
1934 s2n(ext_len, ret);
1935 *(ret++) = authz_count;
1936 s->s3->tlsext_authz_promised_to_client = 1;
1937 }
1938
1939 authz = orig_authz;
1940 for (i = 0; i < authz_length; i++)
1941 {
1942 unsigned short length;
1943 unsigned char type;
1944
1945 authz_count++;
1946 type = *(authz++);
1947 if (memchr(s->s3->tlsext_authz_client_types,
1948 type,
1949 s->s3->tlsext_authz_client_types_len) != NULL)
1950 *(ret++) = type;
1951 n2s(authz, length);
1952 /* n2s increments authz by 2 */
1953 i += 2;
1954 authz += length;
1955 i += length;
1956 }
1957 }
1958
1959 /* If custom types were sent in ClientHello, add ServerHello responses */
1960 if (s->s3->tlsext_custom_types_count)
1961 {
1962 size_t i;
1963
1964 for (i = 0; i < s->s3->tlsext_custom_types_count; i++)
1965 {
1966 size_t j;
1967 custom_srv_ext_record *record;
1968
1969 for (j = 0; j < s->ctx->custom_srv_ext_records_count; j++)
1970 {
1971 record = &s->ctx->custom_srv_ext_records[j];
1972 if (s->s3->tlsext_custom_types[i] == record->ext_type)
1973 {
1974 const unsigned char *out = NULL;
1975 unsigned short outlen = 0;
1976 int cb_retval = 0;
1977
1978 /* NULL callback or -1 omits extension */
1979 if (!record->fn2)
1980 break;
1981 cb_retval = record->fn2(s, record->ext_type,
1982 &out, &outlen,
1983 record->arg);
1984 if (cb_retval == 0)
1985 return NULL; /* error */
1986 if (cb_retval == -1)
1987 break; /* skip this extension */
1988 if (limit < ret + 4 + outlen)
1989 return NULL;
1990 s2n(record->ext_type, ret);
1991 s2n(outlen, ret);
1992 memcpy(ret, out, outlen);
1993 ret += outlen;
1994 break;
1995 }
1996 }
1997 }
1998 }
1999
2000 if (s->s3->alpn_selected)
2001 {
2002 const unsigned char *selected = s->s3->alpn_selected;
2003 unsigned len = s->s3->alpn_selected_len;
2004
2005 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
2006 return NULL;
2007 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
2008 s2n(3 + len,ret);
2009 s2n(1 + len,ret);
2010 *ret++ = len;
2011 memcpy(ret, selected, len);
2012 ret += len;
2013 }
2014
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2015 /* If the client advertised support for Channel ID, and we have it
2016 * enabled, then we want to echo it back. */
2017 if (s->s3->tlsext_channel_id_valid)
2018 {
2019 if (limit - ret - 4 < 0)
2020 return NULL;
2021 if (s->s3->tlsext_channel_id_new)
2022 s2n(TLSEXT_TYPE_channel_id_new,ret);
2023 else
2024 s2n(TLSEXT_TYPE_channel_id,ret);
2025 s2n(0,ret);
2026 }
2027
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]2028 if ((extdatalen = ret-orig-2) == 0)
2029 return orig;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2030
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]2031 s2n(extdatalen, orig);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2032 return ret;
2033 }
2034
2035#ifndef OPENSSL_NO_EC
2036/* ssl_check_for_safari attempts to fingerprint Safari using OS X
2037 * SecureTransport using the TLS extension block in |d|, of length |n|.
2038 * Safari, since 10.6, sends exactly these extensions, in this order:
2039 * SNI,
2040 * elliptic_curves
2041 * ec_point_formats
2042 *
2043 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
2044 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
2045 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
2046 * 10.8..10.8.3 (which don't work).
2047 */
2048static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
2049 unsigned short type, size;
2050 static const unsigned char kSafariExtensionsBlock[] = {
2051 0x00, 0x0a, /* elliptic_curves extension */
2052 0x00, 0x08, /* 8 bytes */
2053 0x00, 0x06, /* 6 bytes of curve ids */
2054 0x00, 0x17, /* P-256 */
2055 0x00, 0x18, /* P-384 */
2056 0x00, 0x19, /* P-521 */
2057
2058 0x00, 0x0b, /* ec_point_formats */
2059 0x00, 0x02, /* 2 bytes */
2060 0x01, /* 1 point format */
2061 0x00, /* uncompressed */
2062 };
2063
2064 /* The following is only present in TLS 1.2 */
2065 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
2066 0x00, 0x0d, /* signature_algorithms */
2067 0x00, 0x0c, /* 12 bytes */
2068 0x00, 0x0a, /* 10 bytes */
2069 0x05, 0x01, /* SHA-384/RSA */
2070 0x04, 0x01, /* SHA-256/RSA */
2071 0x02, 0x01, /* SHA-1/RSA */
2072 0x04, 0x03, /* SHA-256/ECDSA */
2073 0x02, 0x03, /* SHA-1/ECDSA */
2074 };
2075
2076 if (data >= (d+n-2))
2077 return;
2078 data += 2;
2079
2080 if (data > (d+n-4))
2081 return;
2082 n2s(data,type);
2083 n2s(data,size);
2084
2085 if (type != TLSEXT_TYPE_server_name)
2086 return;
2087
2088 if (data+size > d+n)
2089 return;
2090 data += size;
2091
2092 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
2093 {
2094 const size_t len1 = sizeof(kSafariExtensionsBlock);
2095 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
2096
2097 if (data + len1 + len2 != d+n)
2098 return;
2099 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
2100 return;
2101 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
2102 return;
2103 }
2104 else
2105 {
2106 const size_t len = sizeof(kSafariExtensionsBlock);
2107
2108 if (data + len != d+n)
2109 return;
2110 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
2111 return;
2112 }
2113
2114 s->s3->is_probably_safari = 1;
2115}
2116#endif /* !OPENSSL_NO_EC */
2117
2118/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
2119 * ClientHello.
2120 * data: the contents of the extension, not including the type and length.
2121 * data_len: the number of bytes in |data|
2122 * al: a pointer to the alert value to send in the event of a non-zero
2123 * return.
2124 *
2125 * returns: 0 on success. */
2126static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
2127 unsigned data_len, int *al)
2128 {
2129 unsigned i;
2130 unsigned proto_len;
2131 const unsigned char *selected;
2132 unsigned char selected_len;
2133 int r;
2134
2135 if (s->ctx->alpn_select_cb == NULL)
2136 return 0;
2137
2138 if (data_len < 2)
2139 goto parse_error;
2140
2141 /* data should contain a uint16 length followed by a series of 8-bit,
2142 * length-prefixed strings. */
2143 i = ((unsigned) data[0]) << 8 |
2144 ((unsigned) data[1]);
2145 data_len -= 2;
2146 data += 2;
2147 if (data_len != i)
2148 goto parse_error;
2149
2150 if (data_len < 2)
2151 goto parse_error;
2152
2153 for (i = 0; i < data_len;)
2154 {
2155 proto_len = data[i];
2156 i++;
2157
2158 if (proto_len == 0)
2159 goto parse_error;
2160
2161 if (i + proto_len < i || i + proto_len > data_len)
2162 goto parse_error;
2163
2164 i += proto_len;
2165 }
2166
2167 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
2168 s->ctx->alpn_select_cb_arg);
2169 if (r == SSL_TLSEXT_ERR_OK) {
2170 if (s->s3->alpn_selected)
2171 OPENSSL_free(s->s3->alpn_selected);
2172 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
2173 if (!s->s3->alpn_selected)
2174 {
2175 *al = SSL_AD_INTERNAL_ERROR;
2176 return -1;
2177 }
2178 memcpy(s->s3->alpn_selected, selected, selected_len);
2179 s->s3->alpn_selected_len = selected_len;
2180 }
2181 return 0;
2182
2183parse_error:
2184 *al = SSL_AD_DECODE_ERROR;
2185 return -1;
2186 }
2187
2188static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2189 {
2190 unsigned short type;
2191 unsigned short size;
2192 unsigned short len;
2193 unsigned char *data = *p;
2194 int renegotiate_seen = 0;
2195 size_t i;
2196
2197 s->servername_done = 0;
2198 s->tlsext_status_type = -1;
2199#ifndef OPENSSL_NO_NEXTPROTONEG
2200 s->s3->next_proto_neg_seen = 0;
2201#endif
2202
2203 /* Clear observed custom extensions */
2204 s->s3->tlsext_custom_types_count = 0;
2205 if (s->s3->tlsext_custom_types != NULL)
2206 {
2207 OPENSSL_free(s->s3->tlsext_custom_types);
2208 s->s3->tlsext_custom_types = NULL;
2209 }
2210
2211 if (s->s3->alpn_selected)
2212 {
2213 OPENSSL_free(s->s3->alpn_selected);
2214 s->s3->alpn_selected = NULL;
2215 }
2216
2217#ifndef OPENSSL_NO_HEARTBEATS
2218 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2219 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2220#endif
2221
2222#ifndef OPENSSL_NO_EC
2223 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
2224 ssl_check_for_safari(s, data, d, n);
2225#endif /* !OPENSSL_NO_EC */
2226
2227 /* Clear any signature algorithms extension received */
2228 if (s->cert->peer_sigalgs)
2229 {
2230 OPENSSL_free(s->cert->peer_sigalgs);
2231 s->cert->peer_sigalgs = NULL;
2232 }
2233 /* Clear any shared sigtnature algorithms */
2234 if (s->cert->shared_sigalgs)
2235 {
2236 OPENSSL_free(s->cert->shared_sigalgs);
2237 s->cert->shared_sigalgs = NULL;
2238 }
2239 /* Clear certificate digests and validity flags */
2240 for (i = 0; i < SSL_PKEY_NUM; i++)
2241 {
2242 s->cert->pkeys[i].digest = NULL;
2243 s->cert->pkeys[i].valid_flags = 0;
2244 }
2245
2246 if (data >= (d+n-2))
2247 goto ri_check;
2248 n2s(data,len);
2249
2250 if (data > (d+n-len))
2251 goto ri_check;
2252
2253 while (data <= (d+n-4))
2254 {
2255 n2s(data,type);
2256 n2s(data,size);
2257
2258 if (data+size > (d+n))
2259 goto ri_check;
2260#if 0
2261 fprintf(stderr,"Received extension type %d size %d\n",type,size);
2262#endif
2263 if (s->tlsext_debug_cb)
2264 s->tlsext_debug_cb(s, 0, type, data, size,
2265 s->tlsext_debug_arg);
2266/* The servername extension is treated as follows:
2267
2268 - Only the hostname type is supported with a maximum length of 255.
2269 - The servername is rejected if too long or if it contains zeros,
2270 in which case an fatal alert is generated.
2271 - The servername field is maintained together with the session cache.
2272 - When a session is resumed, the servername call back invoked in order
2273 to allow the application to position itself to the right context.
2274 - The servername is acknowledged if it is new for a session or when
2275 it is identical to a previously used for the same session.
2276 Applications can control the behaviour. They can at any time
2277 set a 'desirable' servername for a new SSL object. This can be the
2278 case for example with HTTPS when a Host: header field is received and
2279 a renegotiation is requested. In this case, a possible servername
2280 presented in the new client hello is only acknowledged if it matches
2281 the value of the Host: field.
2282 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2283 if they provide for changing an explicit servername context for the session,
2284 i.e. when the session has been established with a servername extension.
2285 - On session reconnect, the servername extension may be absent.
2286
2287*/
2288
2289 if (type == TLSEXT_TYPE_server_name)
2290 {
2291 unsigned char *sdata;
2292 int servname_type;
2293 int dsize;
2294
2295 if (size < 2)
2296 {
2297 *al = SSL_AD_DECODE_ERROR;
2298 return 0;
2299 }
2300 n2s(data,dsize);
2301 size -= 2;
2302 if (dsize > size )
2303 {
2304 *al = SSL_AD_DECODE_ERROR;
2305 return 0;
2306 }
2307
2308 sdata = data;
2309 while (dsize > 3)
2310 {
2311 servname_type = *(sdata++);
2312 n2s(sdata,len);
2313 dsize -= 3;
2314
2315 if (len > dsize)
2316 {
2317 *al = SSL_AD_DECODE_ERROR;
2318 return 0;
2319 }
2320 if (s->servername_done == 0)
2321 switch (servname_type)
2322 {
2323 case TLSEXT_NAMETYPE_host_name:
2324 if (!s->hit)
2325 {
2326 if(s->session->tlsext_hostname)
2327 {
2328 *al = SSL_AD_DECODE_ERROR;
2329 return 0;
2330 }
2331 if (len > TLSEXT_MAXLEN_host_name)
2332 {
2333 *al = TLS1_AD_UNRECOGNIZED_NAME;
2334 return 0;
2335 }
2336 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2337 {
2338 *al = TLS1_AD_INTERNAL_ERROR;
2339 return 0;
2340 }
2341 memcpy(s->session->tlsext_hostname, sdata, len);
2342 s->session->tlsext_hostname[len]='\0';
2343 if (strlen(s->session->tlsext_hostname) != len) {
2344 OPENSSL_free(s->session->tlsext_hostname);
2345 s->session->tlsext_hostname = NULL;
2346 *al = TLS1_AD_UNRECOGNIZED_NAME;
2347 return 0;
2348 }
2349 s->servername_done = 1;
2350
2351 }
2352 else
2353 s->servername_done = s->session->tlsext_hostname
2354 && strlen(s->session->tlsext_hostname) == len
2355 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2356
2357 break;
2358
2359 default:
2360 break;
2361 }
2362
2363 dsize -= len;
2364 }
2365 if (dsize != 0)
2366 {
2367 *al = SSL_AD_DECODE_ERROR;
2368 return 0;
2369 }
2370
2371 }
2372
2373#ifndef OPENSSL_NO_EC
2374 else if (type == TLSEXT_TYPE_ec_point_formats)
2375 {
2376 unsigned char *sdata = data;
2377 int ecpointformatlist_length = *(sdata++);
2378
2379 if (ecpointformatlist_length != size - 1 ||
2380 ecpointformatlist_length < 1)
2381 {
2382 *al = TLS1_AD_DECODE_ERROR;
2383 return 0;
2384 }
2385 if (!s->hit)
2386 {
2387 if(s->session->tlsext_ecpointformatlist)
2388 {
2389 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2390 s->session->tlsext_ecpointformatlist = NULL;
2391 }
2392 s->session->tlsext_ecpointformatlist_length = 0;
2393 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2394 {
2395 *al = TLS1_AD_INTERNAL_ERROR;
2396 return 0;
2397 }
2398 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2399 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2400 }
2401#if 0
2402 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2403 sdata = s->session->tlsext_ecpointformatlist;
2404 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2405 fprintf(stderr,"%i ",*(sdata++));
2406 fprintf(stderr,"\n");
2407#endif
2408 }
2409 else if (type == TLSEXT_TYPE_elliptic_curves)
2410 {
2411 unsigned char *sdata = data;
2412 int ellipticcurvelist_length = (*(sdata++) << 8);
2413 ellipticcurvelist_length += (*(sdata++));
2414
2415 if (ellipticcurvelist_length != size - 2 ||
2416 ellipticcurvelist_length < 1)
2417 {
2418 *al = TLS1_AD_DECODE_ERROR;
2419 return 0;
2420 }
2421 if (!s->hit)
2422 {
2423 if(s->session->tlsext_ellipticcurvelist)
2424 {
2425 *al = TLS1_AD_DECODE_ERROR;
2426 return 0;
2427 }
2428 s->session->tlsext_ellipticcurvelist_length = 0;
2429 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2430 {
2431 *al = TLS1_AD_INTERNAL_ERROR;
2432 return 0;
2433 }
2434 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2435 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2436 }
2437#if 0
2438 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2439 sdata = s->session->tlsext_ellipticcurvelist;
2440 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2441 fprintf(stderr,"%i ",*(sdata++));
2442 fprintf(stderr,"\n");
2443#endif
2444 }
2445#endif /* OPENSSL_NO_EC */
2446#ifdef TLSEXT_TYPE_opaque_prf_input
2447 else if (type == TLSEXT_TYPE_opaque_prf_input)
2448 {
2449 unsigned char *sdata = data;
2450
2451 if (size < 2)
2452 {
2453 *al = SSL_AD_DECODE_ERROR;
2454 return 0;
2455 }
2456 n2s(sdata, s->s3->client_opaque_prf_input_len);
2457 if (s->s3->client_opaque_prf_input_len != size - 2)
2458 {
2459 *al = SSL_AD_DECODE_ERROR;
2460 return 0;
2461 }
2462
2463 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2464 OPENSSL_free(s->s3->client_opaque_prf_input);
2465 if (s->s3->client_opaque_prf_input_len == 0)
2466 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2467 else
2468 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2469 if (s->s3->client_opaque_prf_input == NULL)
2470 {
2471 *al = TLS1_AD_INTERNAL_ERROR;
2472 return 0;
2473 }
2474 }
2475#endif
2476 else if (type == TLSEXT_TYPE_session_ticket)
2477 {
2478 if (s->tls_session_ticket_ext_cb &&
2479 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2480 {
2481 *al = TLS1_AD_INTERNAL_ERROR;
2482 return 0;
2483 }
2484 }
2485 else if (type == TLSEXT_TYPE_renegotiate)
2486 {
2487 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2488 return 0;
2489 renegotiate_seen = 1;
2490 }
2491 else if (type == TLSEXT_TYPE_signature_algorithms)
2492 {
2493 int dsize;
2494 if (s->cert->peer_sigalgs || size < 2)
2495 {
2496 *al = SSL_AD_DECODE_ERROR;
2497 return 0;
2498 }
2499 n2s(data,dsize);
2500 size -= 2;
2501 if (dsize != size || dsize & 1 || !dsize)
2502 {
2503 *al = SSL_AD_DECODE_ERROR;
2504 return 0;
2505 }
2506 if (!tls1_process_sigalgs(s, data, dsize))
2507 {
2508 *al = SSL_AD_DECODE_ERROR;
2509 return 0;
2510 }
2511 /* If sigalgs received and no shared algorithms fatal
2512 * error.
2513 */
2514 if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
2515 {
2516 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2517 *al = SSL_AD_ILLEGAL_PARAMETER;
2518 return 0;
2519 }
2520 }
2521
2522 /* TODO(fork): we probably want OCSP stapling support, but this pulls in a lot of code. */
2523#if 0
2524 else if (type == TLSEXT_TYPE_status_request)
2525 {
2526
2527 if (size < 5)
2528 {
2529 *al = SSL_AD_DECODE_ERROR;
2530 return 0;
2531 }
2532
2533 s->tlsext_status_type = *data++;
2534 size--;
2535 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2536 {
2537 const unsigned char *sdata;
2538 int dsize;
2539 /* Read in responder_id_list */
2540 n2s(data,dsize);
2541 size -= 2;
2542 if (dsize > size )
2543 {
2544 *al = SSL_AD_DECODE_ERROR;
2545 return 0;
2546 }
2547 while (dsize > 0)
2548 {
2549 OCSP_RESPID *id;
2550 int idsize;
2551 if (dsize < 4)
2552 {
2553 *al = SSL_AD_DECODE_ERROR;
2554 return 0;
2555 }
2556 n2s(data, idsize);
2557 dsize -= 2 + idsize;
2558 size -= 2 + idsize;
2559 if (dsize < 0)
2560 {
2561 *al = SSL_AD_DECODE_ERROR;
2562 return 0;
2563 }
2564 sdata = data;
2565 data += idsize;
2566 id = d2i_OCSP_RESPID(NULL,
2567 &sdata, idsize);
2568 if (!id)
2569 {
2570 *al = SSL_AD_DECODE_ERROR;
2571 return 0;
2572 }
2573 if (data != sdata)
2574 {
2575 OCSP_RESPID_free(id);
2576 *al = SSL_AD_DECODE_ERROR;
2577 return 0;
2578 }
2579 if (!s->tlsext_ocsp_ids
2580 && !(s->tlsext_ocsp_ids =
2581 sk_OCSP_RESPID_new_null()))
2582 {
2583 OCSP_RESPID_free(id);
2584 *al = SSL_AD_INTERNAL_ERROR;
2585 return 0;
2586 }
2587 if (!sk_OCSP_RESPID_push(
2588 s->tlsext_ocsp_ids, id))
2589 {
2590 OCSP_RESPID_free(id);
2591 *al = SSL_AD_INTERNAL_ERROR;
2592 return 0;
2593 }
2594 }
2595
2596 /* Read in request_extensions */
2597 if (size < 2)
2598 {
2599 *al = SSL_AD_DECODE_ERROR;
2600 return 0;
2601 }
2602 n2s(data,dsize);
2603 size -= 2;
2604 if (dsize != size)
2605 {
2606 *al = SSL_AD_DECODE_ERROR;
2607 return 0;
2608 }
2609 sdata = data;
2610 if (dsize > 0)
2611 {
2612 if (s->tlsext_ocsp_exts)
2613 {
2614 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2615 X509_EXTENSION_free);
2616 }
2617
2618 s->tlsext_ocsp_exts =
2619 d2i_X509_EXTENSIONS(NULL,
2620 &sdata, dsize);
2621 if (!s->tlsext_ocsp_exts
2622 || (data + dsize != sdata))
2623 {
2624 *al = SSL_AD_DECODE_ERROR;
2625 return 0;
2626 }
2627 }
2628 }
2629 /* We don't know what to do with any other type
2630 * so ignore it.
2631 */
2632 else
2633 s->tlsext_status_type = -1;
2634 }
2635#endif
2636
2637#ifndef OPENSSL_NO_HEARTBEATS
2638 else if (type == TLSEXT_TYPE_heartbeat)
2639 {
2640 switch(data[0])
2641 {
2642 case 0x01: /* Client allows us to send HB requests */
2643 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2644 break;
2645 case 0x02: /* Client doesn't accept HB requests */
2646 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2647 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2648 break;
2649 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2650 return 0;
2651 }
2652 }
2653#endif
2654#ifndef OPENSSL_NO_NEXTPROTONEG
2655 else if (type == TLSEXT_TYPE_next_proto_neg &&
2656 s->s3->tmp.finish_md_len == 0 &&
2657 s->s3->alpn_selected == NULL)
2658 {
2659 /* We shouldn't accept this extension on a
2660 * renegotiation.
2661 *
2662 * s->new_session will be set on renegotiation, but we
2663 * probably shouldn't rely that it couldn't be set on
2664 * the initial renegotation too in certain cases (when
2665 * there's some other reason to disallow resuming an
2666 * earlier session -- the current code won't be doing
2667 * anything like that, but this might change).
2668
2669 * A valid sign that there's been a previous handshake
2670 * in this connection is if s->s3->tmp.finish_md_len >
2671 * 0. (We are talking about a check that will happen
2672 * in the Hello protocol round, well before a new
2673 * Finished message could have been computed.) */
2674 s->s3->next_proto_neg_seen = 1;
2675 }
2676#endif
2677
2678 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2679 s->ctx->alpn_select_cb &&
2680 s->s3->tmp.finish_md_len == 0)
2681 {
2682 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2683 return 0;
2684#ifndef OPENSSL_NO_NEXTPROTONEG
2685 /* ALPN takes precedence over NPN. */
2686 s->s3->next_proto_neg_seen = 0;
2687#endif
2688 }
2689
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2690 else if (type == TLSEXT_TYPE_channel_id &&
2691 s->tlsext_channel_id_enabled)
2692 s->s3->tlsext_channel_id_valid = 1;
2693
2694 else if (type == TLSEXT_TYPE_channel_id_new &&
2695 s->tlsext_channel_id_enabled)
2696 {
2697 s->s3->tlsext_channel_id_valid = 1;
2698 s->s3->tlsext_channel_id_new = 1;
2699 }
2700
2701
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2702 /* session ticket processed earlier */
2703 else if (type == TLSEXT_TYPE_use_srtp)
2704 {
2705 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2706 al))
2707 return 0;
2708 }
2709
2710 else if (type == TLSEXT_TYPE_server_authz)
2711 {
2712 unsigned char *sdata = data;
2713 unsigned char server_authz_dataformatlist_length;
2714
2715 if (size == 0)
2716 {
2717 *al = TLS1_AD_DECODE_ERROR;
2718 return 0;
2719 }
2720
2721 server_authz_dataformatlist_length = *(sdata++);
2722
2723 if (server_authz_dataformatlist_length != size - 1)
2724 {
2725 *al = TLS1_AD_DECODE_ERROR;
2726 return 0;
2727 }
2728
2729 /* Successful session resumption uses the same authz
2730 * information as the original session so we ignore this
2731 * in the case of a session resumption. */
2732 if (!s->hit)
2733 {
2734 if (s->s3->tlsext_authz_client_types != NULL)
2735 OPENSSL_free(s->s3->tlsext_authz_client_types);
2736 s->s3->tlsext_authz_client_types =
2737 OPENSSL_malloc(server_authz_dataformatlist_length);
2738 if (!s->s3->tlsext_authz_client_types)
2739 {
2740 *al = TLS1_AD_INTERNAL_ERROR;
2741 return 0;
2742 }
2743
2744 s->s3->tlsext_authz_client_types_len =
2745 server_authz_dataformatlist_length;
2746 memcpy(s->s3->tlsext_authz_client_types,
2747 sdata,
2748 server_authz_dataformatlist_length);
2749
2750 /* Sort the types in order to check for duplicates. */
2751 qsort(s->s3->tlsext_authz_client_types,
2752 server_authz_dataformatlist_length,
2753 1 /* element size */,
2754 byte_compare);
2755
2756 for (i = 0; i < server_authz_dataformatlist_length; i++)
2757 {
2758 if (i > 0 &&
2759 s->s3->tlsext_authz_client_types[i] ==
2760 s->s3->tlsext_authz_client_types[i-1])
2761 {
2762 *al = TLS1_AD_DECODE_ERROR;
2763 return 0;
2764 }
2765 }
2766 }
2767 }
2768
2769 /* If this ClientHello extension was unhandled and this is
2770 * a nonresumed connection, check whether the extension is a
2771 * custom TLS Extension (has a custom_srv_ext_record), and if
2772 * so call the callback and record the extension number so that
2773 * an appropriate ServerHello may be later returned.
2774 */
2775 else if (!s->hit && s->ctx->custom_srv_ext_records_count)
2776 {
2777 custom_srv_ext_record *record;
2778
2779 for (i=0; i < s->ctx->custom_srv_ext_records_count; i++)
2780 {
2781 record = &s->ctx->custom_srv_ext_records[i];
2782 if (type == record->ext_type)
2783 {
2784 size_t j;
2785
2786 /* Error on duplicate TLS Extensions */
2787 for (j = 0; j < s->s3->tlsext_custom_types_count; j++)
2788 {
2789 if (type == s->s3->tlsext_custom_types[j])
2790 {
2791 *al = TLS1_AD_DECODE_ERROR;
2792 return 0;
2793 }
2794 }
2795
2796 /* NULL callback still notes the extension */
2797 if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
2798 return 0;
2799
2800 /* Add the (non-duplicated) entry */
2801 s->s3->tlsext_custom_types_count++;
2802 s->s3->tlsext_custom_types = OPENSSL_realloc(
2803 s->s3->tlsext_custom_types,
2804 s->s3->tlsext_custom_types_count * 2);
2805 if (s->s3->tlsext_custom_types == NULL)
2806 {
2807 s->s3->tlsext_custom_types = 0;
2808 *al = TLS1_AD_INTERNAL_ERROR;
2809 return 0;
2810 }
2811 s->s3->tlsext_custom_types[
2812 s->s3->tlsext_custom_types_count - 1] = type;
2813 }
2814 }
2815 }
2816
2817 data+=size;
2818 }
2819
2820 *p = data;
2821
2822 ri_check:
2823
2824 /* Need RI if renegotiating */
2825
2826 if (!renegotiate_seen && s->renegotiate &&
2827 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2828 {
2829 *al = SSL_AD_HANDSHAKE_FAILURE;
2830 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2831 return 0;
2832 }
2833 /* If no signature algorithms extension set default values */
2834 if (!s->cert->peer_sigalgs)
2835 ssl_cert_set_default_md(s->cert);
2836
2837 return 1;
2838 }
2839
2840int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
2841 {
2842 int al = -1;
2843 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0)
2844 {
2845 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2846 return 0;
2847 }
2848
2849 if (ssl_check_clienthello_tlsext_early(s) <= 0)
2850 {
2851 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_CLIENTHELLO_TLSEXT);
2852 return 0;
2853 }
2854 return 1;
2855}
2856
2857#ifndef OPENSSL_NO_NEXTPROTONEG
2858/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2859 * elements of zero length are allowed and the set of elements must exactly fill
2860 * the length of the block. */
2861static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2862 {
2863 unsigned int off = 0;
2864
2865 while (off < len)
2866 {
2867 if (d[off] == 0)
2868 return 0;
2869 off += d[off];
2870 off++;
2871 }
2872
2873 return off == len;
2874 }
2875#endif
2876
2877static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2878 {
2879 unsigned short length;
2880 unsigned short type;
2881 unsigned short size;
2882 unsigned char *data = *p;
2883 int tlsext_servername = 0;
2884 int renegotiate_seen = 0;
2885
2886#ifndef OPENSSL_NO_NEXTPROTONEG
2887 s->s3->next_proto_neg_seen = 0;
2888#endif
2889
2890 if (s->s3->alpn_selected)
2891 {
2892 OPENSSL_free(s->s3->alpn_selected);
2893 s->s3->alpn_selected = NULL;
2894 }
2895
2896#ifndef OPENSSL_NO_HEARTBEATS
2897 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2898 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2899#endif
2900
2901 if (data >= (d+n-2))
2902 goto ri_check;
2903
2904 n2s(data,length);
2905 if (data+length != d+n)
2906 {
2907 *al = SSL_AD_DECODE_ERROR;
2908 return 0;
2909 }
2910
2911 while(data <= (d+n-4))
2912 {
2913 n2s(data,type);
2914 n2s(data,size);
2915
2916 if (data+size > (d+n))
2917 goto ri_check;
2918
2919 if (s->tlsext_debug_cb)
2920 s->tlsext_debug_cb(s, 1, type, data, size,
2921 s->tlsext_debug_arg);
2922
2923 if (type == TLSEXT_TYPE_server_name)
2924 {
2925 if (s->tlsext_hostname == NULL || size > 0)
2926 {
2927 *al = TLS1_AD_UNRECOGNIZED_NAME;
2928 return 0;
2929 }
2930 tlsext_servername = 1;
2931 }
2932
2933#ifndef OPENSSL_NO_EC
2934 else if (type == TLSEXT_TYPE_ec_point_formats)
2935 {
2936 unsigned char *sdata = data;
2937 int ecpointformatlist_length = *(sdata++);
2938
2939 if (ecpointformatlist_length != size - 1)
2940 {
2941 *al = TLS1_AD_DECODE_ERROR;
2942 return 0;
2943 }
2944 s->session->tlsext_ecpointformatlist_length = 0;
2945 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2946 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2947 {
2948 *al = TLS1_AD_INTERNAL_ERROR;
2949 return 0;
2950 }
2951 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2952 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2953#if 0
2954 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2955 sdata = s->session->tlsext_ecpointformatlist;
2956 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2957 fprintf(stderr,"%i ",*(sdata++));
2958 fprintf(stderr,"\n");
2959#endif
2960 }
2961#endif /* OPENSSL_NO_EC */
2962
2963 else if (type == TLSEXT_TYPE_session_ticket)
2964 {
2965 if (s->tls_session_ticket_ext_cb &&
2966 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2967 {
2968 *al = TLS1_AD_INTERNAL_ERROR;
2969 return 0;
2970 }
2971 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2972 || (size > 0))
2973 {
2974 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2975 return 0;
2976 }
2977 s->tlsext_ticket_expected = 1;
2978 }
2979#ifdef TLSEXT_TYPE_opaque_prf_input
2980 else if (type == TLSEXT_TYPE_opaque_prf_input)
2981 {
2982 unsigned char *sdata = data;
2983
2984 if (size < 2)
2985 {
2986 *al = SSL_AD_DECODE_ERROR;
2987 return 0;
2988 }
2989 n2s(sdata, s->s3->server_opaque_prf_input_len);
2990 if (s->s3->server_opaque_prf_input_len != size - 2)
2991 {
2992 *al = SSL_AD_DECODE_ERROR;
2993 return 0;
2994 }
2995
2996 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2997 OPENSSL_free(s->s3->server_opaque_prf_input);
2998 if (s->s3->server_opaque_prf_input_len == 0)
2999 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3000 else
3001 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
3002
3003 if (s->s3->server_opaque_prf_input == NULL)
3004 {
3005 *al = TLS1_AD_INTERNAL_ERROR;
3006 return 0;
3007 }
3008 }
3009#endif
3010 else if (type == TLSEXT_TYPE_status_request)
3011 {
3012 /* MUST be empty and only sent if we've requested
3013 * a status request message.
3014 */
3015 if ((s->tlsext_status_type == -1) || (size > 0))
3016 {
3017 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3018 return 0;
3019 }
3020 /* Set flag to expect CertificateStatus message */
3021 s->tlsext_status_expected = 1;
3022 }
3023#ifndef OPENSSL_NO_NEXTPROTONEG
3024 else if (type == TLSEXT_TYPE_next_proto_neg &&
3025 s->s3->tmp.finish_md_len == 0)
3026 {
3027 unsigned char *selected;
3028 unsigned char selected_len;
3029
3030 /* We must have requested it. */
3031 if (s->ctx->next_proto_select_cb == NULL)
3032 {
3033 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3034 return 0;
3035 }
3036 /* The data must be valid */
3037 if (!ssl_next_proto_validate(data, size))
3038 {
3039 *al = TLS1_AD_DECODE_ERROR;
3040 return 0;
3041 }
3042 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
3043 {
3044 *al = TLS1_AD_INTERNAL_ERROR;
3045 return 0;
3046 }
3047 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
3048 if (!s->next_proto_negotiated)
3049 {
3050 *al = TLS1_AD_INTERNAL_ERROR;
3051 return 0;
3052 }
3053 memcpy(s->next_proto_negotiated, selected, selected_len);
3054 s->next_proto_negotiated_len = selected_len;
3055 s->s3->next_proto_neg_seen = 1;
3056 }
3057#endif
3058
3059 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
3060 {
3061 unsigned len;
3062
3063 /* We must have requested it. */
3064 if (s->alpn_client_proto_list == NULL)
3065 {
3066 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3067 return 0;
3068 }
3069 if (size < 4)
3070 {
3071 *al = TLS1_AD_DECODE_ERROR;
3072 return 0;
3073 }
3074 /* The extension data consists of:
3075 * uint16 list_length
3076 * uint8 proto_length;
3077 * uint8 proto[proto_length]; */
3078 len = data[0];
3079 len <<= 8;
3080 len |= data[1];
3081 if (len != (unsigned) size - 2)
3082 {
3083 *al = TLS1_AD_DECODE_ERROR;
3084 return 0;
3085 }
3086 len = data[2];
3087 if (len != (unsigned) size - 3)
3088 {
3089 *al = TLS1_AD_DECODE_ERROR;
3090 return 0;
3091 }
3092 if (s->s3->alpn_selected)
3093 OPENSSL_free(s->s3->alpn_selected);
3094 s->s3->alpn_selected = OPENSSL_malloc(len);
3095 if (!s->s3->alpn_selected)
3096 {
3097 *al = TLS1_AD_INTERNAL_ERROR;
3098 return 0;
3099 }
3100 memcpy(s->s3->alpn_selected, data + 3, len);
3101 s->s3->alpn_selected_len = len;
3102 }
3103
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]3104 else if (type == TLSEXT_TYPE_channel_id)
3105 s->s3->tlsext_channel_id_valid = 1;
3106
3107 else if (type == TLSEXT_TYPE_channel_id_new)
3108 {
3109 s->s3->tlsext_channel_id_valid = 1;
3110 s->s3->tlsext_channel_id_new = 1;
3111 }
3112
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3113 else if (type == TLSEXT_TYPE_renegotiate)
3114 {
3115 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
3116 return 0;
3117 renegotiate_seen = 1;
3118 }
3119#ifndef OPENSSL_NO_HEARTBEATS
3120 else if (type == TLSEXT_TYPE_heartbeat)
3121 {
3122 switch(data[0])
3123 {
3124 case 0x01: /* Server allows us to send HB requests */
3125 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
3126 break;
3127 case 0x02: /* Server doesn't accept HB requests */
3128 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
3129 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
3130 break;
3131 default: *al = SSL_AD_ILLEGAL_PARAMETER;
3132 return 0;
3133 }
3134 }
3135#endif
3136 else if (type == TLSEXT_TYPE_use_srtp)
3137 {
3138 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
3139 al))
3140 return 0;
3141 }
3142
3143 else if (type == TLSEXT_TYPE_server_authz)
3144 {
3145 /* We only support audit proofs. It's an error to send
3146 * an authz hello extension if the client
3147 * didn't request a proof. */
3148 unsigned char *sdata = data;
3149 unsigned char server_authz_dataformatlist_length;
3150
3151 if (!s->ctx->tlsext_authz_server_audit_proof_cb)
3152 {
3153 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3154 return 0;
3155 }
3156
3157 if (!size)
3158 {
3159 *al = TLS1_AD_DECODE_ERROR;
3160 return 0;
3161 }
3162
3163 server_authz_dataformatlist_length = *(sdata++);
3164 if (server_authz_dataformatlist_length != size - 1)
3165 {
3166 *al = TLS1_AD_DECODE_ERROR;
3167 return 0;
3168 }
3169
3170 /* We only support audit proofs, so a legal ServerHello
3171 * authz list contains exactly one entry. */
3172 if (server_authz_dataformatlist_length != 1 ||
3173 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
3174 {
3175 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
3176 return 0;
3177 }
3178
3179 s->s3->tlsext_authz_server_promised = 1;
3180 }
3181
3182 /* If this extension type was not otherwise handled, but
3183 * matches a custom_cli_ext_record, then send it to the c
3184 * callback */
3185 else if (s->ctx->custom_cli_ext_records_count)
3186 {
3187 size_t i;
3188 custom_cli_ext_record* record;
3189
3190 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
3191 {
3192 record = &s->ctx->custom_cli_ext_records[i];
3193 if (record->ext_type == type)
3194 {
3195 if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
3196 return 0;
3197 break;
3198 }
3199 }
3200 }
3201
3202 data += size;
3203 }
3204
3205 if (data != d+n)
3206 {
3207 *al = SSL_AD_DECODE_ERROR;
3208 return 0;
3209 }
3210
3211 if (!s->hit && tlsext_servername == 1)
3212 {
3213 if (s->tlsext_hostname)
3214 {
3215 if (s->session->tlsext_hostname == NULL)
3216 {
3217 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
3218 if (!s->session->tlsext_hostname)
3219 {
3220 *al = SSL_AD_UNRECOGNIZED_NAME;
3221 return 0;
3222 }
3223 }
3224 else
3225 {
3226 *al = SSL_AD_DECODE_ERROR;
3227 return 0;
3228 }
3229 }
3230 }
3231
3232 *p = data;
3233
3234 ri_check:
3235
3236 /* Determine if we need to see RI. Strictly speaking if we want to
3237 * avoid an attack we should *always* see RI even on initial server
3238 * hello because the client doesn't see any renegotiation during an
3239 * attack. However this would mean we could not connect to any server
3240 * which doesn't support RI so for the immediate future tolerate RI
3241 * absence on initial connect only.
3242 */
3243 if (!renegotiate_seen
3244 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
3245 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
3246 {
3247 *al = SSL_AD_HANDSHAKE_FAILURE;
3248 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
3249 return 0;
3250 }
3251
3252 return 1;
3253 }
3254
3255
3256int ssl_prepare_clienthello_tlsext(SSL *s)
3257 {
3258
3259#ifdef TLSEXT_TYPE_opaque_prf_input
3260 {
3261 int r = 1;
3262
3263 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
3264 {
3265 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
3266 if (!r)
3267 return -1;
3268 }
3269
3270 if (s->tlsext_opaque_prf_input != NULL)
3271 {
3272 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
3273 OPENSSL_free(s->s3->client_opaque_prf_input);
3274
3275 if (s->tlsext_opaque_prf_input_len == 0)
3276 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3277 else
3278 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3279 if (s->s3->client_opaque_prf_input == NULL)
3280 {
3281 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_MALLOC_FAILURE);
3282 return -1;
3283 }
3284 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3285 }
3286
3287 if (r == 2)
3288 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
3289 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3290 }
3291#endif
3292
3293 return 1;
3294 }
3295
3296int ssl_prepare_serverhello_tlsext(SSL *s)
3297 {
3298 return 1;
3299 }
3300
3301static int ssl_check_clienthello_tlsext_early(SSL *s)
3302 {
3303 int ret=SSL_TLSEXT_ERR_NOACK;
3304 int al = SSL_AD_UNRECOGNIZED_NAME;
3305
3306#ifndef OPENSSL_NO_EC
3307 /* The handling of the ECPointFormats extension is done elsewhere, namely in
3308 * ssl3_choose_cipher in s3_lib.c.
3309 */
3310 /* The handling of the EllipticCurves extension is done elsewhere, namely in
3311 * ssl3_choose_cipher in s3_lib.c.
3312 */
3313#endif
3314
3315 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3316 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3317 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3318 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3319
3320#ifdef TLSEXT_TYPE_opaque_prf_input
3321 {
3322 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
3323 * but we might be sending an alert in response to the client hello,
3324 * so this has to happen here in
3325 * ssl_check_clienthello_tlsext_early(). */
3326
3327 int r = 1;
3328
3329 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
3330 {
3331 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
3332 if (!r)
3333 {
3334 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3335 al = SSL_AD_INTERNAL_ERROR;
3336 goto err;
3337 }
3338 }
3339
3340 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
3341 OPENSSL_free(s->s3->server_opaque_prf_input);
3342 s->s3->server_opaque_prf_input = NULL;
3343
3344 if (s->tlsext_opaque_prf_input != NULL)
3345 {
3346 if (s->s3->client_opaque_prf_input != NULL &&
3347 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
3348 {
3349 /* can only use this extension if we have a server opaque PRF input
3350 * of the same length as the client opaque PRF input! */
3351
3352 if (s->tlsext_opaque_prf_input_len == 0)
3353 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3354 else
3355 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3356 if (s->s3->server_opaque_prf_input == NULL)
3357 {
3358 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3359 al = SSL_AD_INTERNAL_ERROR;
3360 goto err;
3361 }
3362 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3363 }
3364 }
3365
3366 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
3367 {
3368 /* The callback wants to enforce use of the extension,
3369 * but we can't do that with the client opaque PRF input;
3370 * abort the handshake.
3371 */
3372 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3373 al = SSL_AD_HANDSHAKE_FAILURE;
3374 }
3375 }
3376
3377 err:
3378#endif
3379 switch (ret)
3380 {
3381 case SSL_TLSEXT_ERR_ALERT_FATAL:
3382 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3383 return -1;
3384
3385 case SSL_TLSEXT_ERR_ALERT_WARNING:
3386 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3387 return 1;
3388
3389 case SSL_TLSEXT_ERR_NOACK:
3390 s->servername_done=0;
3391 default:
3392 return 1;
3393 }
3394 }
3395
3396int ssl_check_clienthello_tlsext_late(SSL *s)
3397 {
3398 int ret = SSL_TLSEXT_ERR_OK;
3399 int al;
3400
3401 /* If status request then ask callback what to do.
3402 * Note: this must be called after servername callbacks in case
3403 * the certificate has changed, and must be called after the cipher
3404 * has been chosen because this may influence which certificate is sent
3405 */
3406 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
3407 {
3408 int r;
3409 CERT_PKEY *certpkey;
3410 certpkey = ssl_get_server_send_pkey(s);
3411 /* If no certificate can't return certificate status */
3412 if (certpkey == NULL)
3413 {
3414 s->tlsext_status_expected = 0;
3415 return 1;
3416 }
3417 /* Set current certificate to one we will use so
3418 * SSL_get_certificate et al can pick it up.
3419 */
3420 s->cert->key = certpkey;
3421 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3422 switch (r)
3423 {
3424 /* We don't want to send a status request response */
3425 case SSL_TLSEXT_ERR_NOACK:
3426 s->tlsext_status_expected = 0;
3427 break;
3428 /* status request response should be sent */
3429 case SSL_TLSEXT_ERR_OK:
3430 if (s->tlsext_ocsp_resp)
3431 s->tlsext_status_expected = 1;
3432 else
3433 s->tlsext_status_expected = 0;
3434 break;
3435 /* something bad happened */
3436 case SSL_TLSEXT_ERR_ALERT_FATAL:
3437 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3438 al = SSL_AD_INTERNAL_ERROR;
3439 goto err;
3440 }
3441 }
3442 else
3443 s->tlsext_status_expected = 0;
3444
3445 err:
3446 switch (ret)
3447 {
3448 case SSL_TLSEXT_ERR_ALERT_FATAL:
3449 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3450 return -1;
3451
3452 case SSL_TLSEXT_ERR_ALERT_WARNING:
3453 ssl3_send_alert(s, SSL3_AL_WARNING, al);
3454 return 1;
3455
3456 default:
3457 return 1;
3458 }
3459 }
3460
3461int ssl_check_serverhello_tlsext(SSL *s)
3462 {
3463 int ret=SSL_TLSEXT_ERR_NOACK;
3464 int al = SSL_AD_UNRECOGNIZED_NAME;
3465
3466#ifndef OPENSSL_NO_EC
3467 /* If we are client and using an elliptic curve cryptography cipher
3468 * suite, then if server returns an EC point formats lists extension
3469 * it must contain uncompressed.
3470 */
3471 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3472 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3473 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
3474 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
3475 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
3476 {
3477 /* we are using an ECC cipher */
3478 size_t i;
3479 unsigned char *list;
3480 int found_uncompressed = 0;
3481 list = s->session->tlsext_ecpointformatlist;
3482 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
3483 {
3484 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
3485 {
3486 found_uncompressed = 1;
3487 break;
3488 }
3489 }
3490 if (!found_uncompressed)
3491 {
3492 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3493 return -1;
3494 }
3495 }
3496 ret = SSL_TLSEXT_ERR_OK;
3497#endif /* OPENSSL_NO_EC */
3498
3499 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3500 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3501 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3502 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3503
3504#ifdef TLSEXT_TYPE_opaque_prf_input
3505 if (s->s3->server_opaque_prf_input_len > 0)
3506 {
3507 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
3508 * So first verify that we really have a value from the server too. */
3509
3510 if (s->s3->server_opaque_prf_input == NULL)
3511 {
3512 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3513 al = SSL_AD_HANDSHAKE_FAILURE;
3514 }
3515
3516 /* Anytime the server *has* sent an opaque PRF input, we need to check
3517 * that we have a client opaque PRF input of the same size. */
3518 if (s->s3->client_opaque_prf_input == NULL ||
3519 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
3520 {
3521 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3522 al = SSL_AD_ILLEGAL_PARAMETER;
3523 }
3524 }
3525#endif
3526
3527 /* If we've requested certificate status and we wont get one
3528 * tell the callback
3529 */
3530 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3531 && s->ctx && s->ctx->tlsext_status_cb)
3532 {
3533 int r;
3534 /* Set resp to NULL, resplen to -1 so callback knows
3535 * there is no response.
3536 */
3537 if (s->tlsext_ocsp_resp)
3538 {
3539 OPENSSL_free(s->tlsext_ocsp_resp);
3540 s->tlsext_ocsp_resp = NULL;
3541 }
3542 s->tlsext_ocsp_resplen = -1;
3543 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3544 if (r == 0)
3545 {
3546 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3547 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3548 }
3549 if (r < 0)
3550 {
3551 al = SSL_AD_INTERNAL_ERROR;
3552 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3553 }
3554 }
3555
3556 switch (ret)
3557 {
3558 case SSL_TLSEXT_ERR_ALERT_FATAL:
3559 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3560 return -1;
3561
3562 case SSL_TLSEXT_ERR_ALERT_WARNING:
3563 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3564 return 1;
3565
3566 case SSL_TLSEXT_ERR_NOACK:
3567 s->servername_done=0;
3568 default:
3569 return 1;
3570 }
3571 }
3572
3573int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
3574 {
3575 int al = -1;
3576 if (s->version < SSL3_VERSION)
3577 return 1;
3578 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0)
3579 {
3580 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3581 return 0;
3582 }
3583
3584 if (ssl_check_serverhello_tlsext(s) <= 0)
3585 {
3586 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_SERVERHELLO_TLSEXT);
3587 return 0;
3588 }
3589 return 1;
3590}
3591
3592/* Since the server cache lookup is done early on in the processing of the
3593 * ClientHello, and other operations depend on the result, we need to handle
3594 * any TLS session ticket extension at the same time.
3595 *
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame^]3596 * ctx: contains the early callback context, which is the result of a
3597 * shallow parse of the ClientHello.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3598 * ret: (output) on return, if a ticket was decrypted, then this is set to
3599 * point to the resulting session.
3600 *
3601 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3602 * ciphersuite, in which case we have no use for session tickets and one will
3603 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3604 *
3605 * Returns:
3606 * -1: fatal error, either from parsing or decrypting the ticket.
3607 * 0: no ticket was found (or was ignored, based on settings).
3608 * 1: a zero length extension was found, indicating that the client supports
3609 * session tickets but doesn't currently have one to offer.
3610 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
3611 * couldn't be decrypted because of a non-fatal error.
3612 * 3: a ticket was successfully decrypted and *ret was set.
3613 *
3614 * Side effects:
3615 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3616 * a new session ticket to the client because the client indicated support
3617 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3618 * a session ticket or we couldn't use the one it gave us, or if
3619 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3620 * Otherwise, s->tlsext_ticket_expected is set to 0.
3621 */
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame^]3622int tls1_process_ticket(SSL *s, const struct ssl_early_callback_ctx *ctx,
3623 SSL_SESSION **ret)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3624 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3625 *ret = NULL;
3626 s->tlsext_ticket_expected = 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame^]3627 const unsigned char *data;
3628 size_t len;
3629 int r;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3630
3631 /* If tickets disabled behave as if no ticket present
3632 * to permit stateful resumption.
3633 */
3634 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3635 return 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame^]3636 if ((s->version <= SSL3_VERSION) && !ctx->extensions)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3637 return 0;
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame^]3638 if (!SSL_early_callback_ctx_extension_get(
3639 ctx, TLSEXT_TYPE_session_ticket, &data, &len))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3640 {
Adam Langleydc9b1412014-06-20 12:00:00 -0700[diff] [blame^]3641 return 0;
3642 }
3643 if (len == 0)
3644 {
3645 /* The client will accept a ticket but doesn't
3646 * currently have one. */
3647 s->tlsext_ticket_expected = 1;
3648 return 1;
3649 }
3650 if (s->tls_session_secret_cb)
3651 {
3652 /* Indicate that the ticket couldn't be
3653 * decrypted rather than generating the session
3654 * from ticket now, trigger abbreviated
3655 * handshake based on external mechanism to
3656 * calculate the master secret later. */
3657 return 2;
3658 }
3659 r = tls_decrypt_ticket(s, data, len, ctx->session_id,
3660 ctx->session_id_len, ret);
3661 switch (r)
3662 {
3663 case 2: /* ticket couldn't be decrypted */
3664 s->tlsext_ticket_expected = 1;
3665 return 2;
3666 case 3: /* ticket was decrypted */
3667 return r;
3668 case 4: /* ticket decrypted but need to renew */
3669 s->tlsext_ticket_expected = 1;
3670 return 3;
3671 default: /* fatal error */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3672 return -1;
3673 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3674 }
3675
3676/* tls_decrypt_ticket attempts to decrypt a session ticket.
3677 *
3678 * etick: points to the body of the session ticket extension.
3679 * eticklen: the length of the session tickets extenion.
3680 * sess_id: points at the session ID.
3681 * sesslen: the length of the session ID.
3682 * psess: (output) on return, if a ticket was decrypted, then this is set to
3683 * point to the resulting session.
3684 *
3685 * Returns:
3686 * -1: fatal error, either from parsing or decrypting the ticket.
3687 * 2: the ticket couldn't be decrypted.
3688 * 3: a ticket was successfully decrypted and *psess was set.
3689 * 4: same as 3, but the ticket needs to be renewed.
3690 */
3691static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
3692 const unsigned char *sess_id, int sesslen,
3693 SSL_SESSION **psess)
3694 {
3695 SSL_SESSION *sess;
3696 unsigned char *sdec;
3697 const unsigned char *p;
3698 int slen, mlen, renew_ticket = 0;
3699 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3700 HMAC_CTX hctx;
3701 EVP_CIPHER_CTX ctx;
3702 SSL_CTX *tctx = s->initial_ctx;
3703 /* Need at least keyname + iv + some encrypted data */
3704 if (eticklen < 48)
3705 return 2;
3706 /* Initialize session ticket encryption and HMAC contexts */
3707 HMAC_CTX_init(&hctx);
3708 EVP_CIPHER_CTX_init(&ctx);
3709 if (tctx->tlsext_ticket_key_cb)
3710 {
3711 unsigned char *nctick = (unsigned char *)etick;
3712 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3713 &ctx, &hctx, 0);
3714 if (rv < 0)
3715 return -1;
3716 if (rv == 0)
3717 return 2;
3718 if (rv == 2)
3719 renew_ticket = 1;
3720 }
3721 else
3722 {
3723 /* Check key name matches */
3724 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3725 return 2;
3726 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3727 tlsext_tick_md(), NULL);
3728 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3729 tctx->tlsext_tick_aes_key, etick + 16);
3730 }
3731 /* Attempt to process session ticket, first conduct sanity and
3732 * integrity checks on ticket.
3733 */
3734 mlen = HMAC_size(&hctx);
3735 if (mlen < 0)
3736 {
3737 EVP_CIPHER_CTX_cleanup(&ctx);
3738 return -1;
3739 }
3740 eticklen -= mlen;
3741 /* Check HMAC of encrypted ticket */
3742 HMAC_Update(&hctx, etick, eticklen);
3743 HMAC_Final(&hctx, tick_hmac, NULL);
3744 HMAC_CTX_cleanup(&hctx);
3745 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
3746 return 2;
3747 /* Attempt to decrypt session data */
3748 /* Move p after IV to start of encrypted ticket, update length */
3749 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3750 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3751 sdec = OPENSSL_malloc(eticklen);
3752 if (!sdec)
3753 {
3754 EVP_CIPHER_CTX_cleanup(&ctx);
3755 return -1;
3756 }
3757 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3758 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0)
3759 return 2;
3760 slen += mlen;
3761 EVP_CIPHER_CTX_cleanup(&ctx);
3762 p = sdec;
3763
3764 sess = d2i_SSL_SESSION(NULL, &p, slen);
3765 OPENSSL_free(sdec);
3766 if (sess)
3767 {
3768 /* The session ID, if non-empty, is used by some clients to
3769 * detect that the ticket has been accepted. So we copy it to
3770 * the session structure. If it is empty set length to zero
3771 * as required by standard.
3772 */
3773 if (sesslen)
3774 memcpy(sess->session_id, sess_id, sesslen);
3775 sess->session_id_length = sesslen;
3776 *psess = sess;
3777 if (renew_ticket)
3778 return 4;
3779 else
3780 return 3;
3781 }
3782 ERR_clear_error();
3783 /* For session parse failure, indicate that we need to send a new
3784 * ticket. */
3785 return 2;
3786 }
3787
3788/* Tables to translate from NIDs to TLS v1.2 ids */
3789
3790typedef struct
3791 {
3792 int nid;
3793 int id;
3794 } tls12_lookup;
3795
3796static tls12_lookup tls12_md[] = {
3797 {NID_md5, TLSEXT_hash_md5},
3798 {NID_sha1, TLSEXT_hash_sha1},
3799 {NID_sha224, TLSEXT_hash_sha224},
3800 {NID_sha256, TLSEXT_hash_sha256},
3801 {NID_sha384, TLSEXT_hash_sha384},
3802 {NID_sha512, TLSEXT_hash_sha512}
3803};
3804
3805static tls12_lookup tls12_sig[] = {
3806 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3807 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3808 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3809};
3810
3811static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3812 {
3813 size_t i;
3814 for (i = 0; i < tlen; i++)
3815 {
3816 if (table[i].nid == nid)
3817 return table[i].id;
3818 }
3819 return -1;
3820 }
3821
3822static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3823 {
3824 size_t i;
3825 for (i = 0; i < tlen; i++)
3826 {
3827 if ((table[i].id) == id)
3828 return table[i].nid;
3829 }
3830 return NID_undef;
3831 }
3832
3833int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3834 {
3835 int sig_id, md_id;
3836 if (!md)
3837 return 0;
3838 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3839 sizeof(tls12_md)/sizeof(tls12_lookup));
3840 if (md_id == -1)
3841 return 0;
3842 sig_id = tls12_get_sigid(pk);
3843 if (sig_id == -1)
3844 return 0;
3845 p[0] = (unsigned char)md_id;
3846 p[1] = (unsigned char)sig_id;
3847 return 1;
3848 }
3849
3850int tls12_get_sigid(const EVP_PKEY *pk)
3851 {
3852 return tls12_find_id(pk->type, tls12_sig,
3853 sizeof(tls12_sig)/sizeof(tls12_lookup));
3854 }
3855
3856const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3857 {
3858 switch(hash_alg)
3859 {
3860#ifndef OPENSSL_NO_MD5
3861 case TLSEXT_hash_md5:
3862#ifdef OPENSSL_FIPS
3863 if (FIPS_mode())
3864 return NULL;
3865#endif
3866 return EVP_md5();
3867#endif
3868#ifndef OPENSSL_NO_SHA
3869 case TLSEXT_hash_sha1:
3870 return EVP_sha1();
3871#endif
3872#ifndef OPENSSL_NO_SHA256
3873 case TLSEXT_hash_sha224:
3874 return EVP_sha224();
3875
3876 case TLSEXT_hash_sha256:
3877 return EVP_sha256();
3878#endif
3879#ifndef OPENSSL_NO_SHA512
3880 case TLSEXT_hash_sha384:
3881 return EVP_sha384();
3882
3883 case TLSEXT_hash_sha512:
3884 return EVP_sha512();
3885#endif
3886 default:
3887 return NULL;
3888
3889 }
3890 }
3891
3892static int tls12_get_pkey_idx(unsigned char sig_alg)
3893 {
3894 switch(sig_alg)
3895 {
3896#ifndef OPENSSL_NO_RSA
3897 case TLSEXT_signature_rsa:
3898 return SSL_PKEY_RSA_SIGN;
3899#endif
3900#ifndef OPENSSL_NO_DSA
3901 case TLSEXT_signature_dsa:
3902 return SSL_PKEY_DSA_SIGN;
3903#endif
3904#ifndef OPENSSL_NO_ECDSA
3905 case TLSEXT_signature_ecdsa:
3906 return SSL_PKEY_ECC;
3907#endif
3908 }
3909 return -1;
3910 }
3911
3912/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3913static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3914 int *psignhash_nid, const unsigned char *data)
3915 {
3916 int sign_nid = 0, hash_nid = 0;
3917 if (!phash_nid && !psign_nid && !psignhash_nid)
3918 return;
3919 if (phash_nid || psignhash_nid)
3920 {
3921 hash_nid = tls12_find_nid(data[0], tls12_md,
3922 sizeof(tls12_md)/sizeof(tls12_lookup));
3923 if (phash_nid)
3924 *phash_nid = hash_nid;
3925 }
3926 if (psign_nid || psignhash_nid)
3927 {
3928 sign_nid = tls12_find_nid(data[1], tls12_sig,
3929 sizeof(tls12_sig)/sizeof(tls12_lookup));
3930 if (psign_nid)
3931 *psign_nid = sign_nid;
3932 }
3933 if (psignhash_nid)
3934 {
3935 if (sign_nid && hash_nid)
3936 OBJ_find_sigid_by_algs(psignhash_nid,
3937 hash_nid, sign_nid);
3938 else
3939 *psignhash_nid = NID_undef;
3940 }
3941 }
3942/* Given preference and allowed sigalgs set shared sigalgs */
3943static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3944 const unsigned char *pref, size_t preflen,
3945 const unsigned char *allow, size_t allowlen)
3946 {
3947 const unsigned char *ptmp, *atmp;
3948 size_t i, j, nmatch = 0;
3949 for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
3950 {
3951 /* Skip disabled hashes or signature algorithms */
3952 if (tls12_get_hash(ptmp[0]) == NULL)
3953 continue;
3954 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3955 continue;
3956 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
3957 {
3958 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
3959 {
3960 nmatch++;
3961 if (shsig)
3962 {
3963 shsig->rhash = ptmp[0];
3964 shsig->rsign = ptmp[1];
3965 tls1_lookup_sigalg(&shsig->hash_nid,
3966 &shsig->sign_nid,
3967 &shsig->signandhash_nid,
3968 ptmp);
3969 shsig++;
3970 }
3971 break;
3972 }
3973 }
3974 }
3975 return nmatch;
3976 }
3977
3978/* Set shared signature algorithms for SSL structures */
3979static int tls1_set_shared_sigalgs(SSL *s)
3980 {
3981 const unsigned char *pref, *allow, *conf;
3982 size_t preflen, allowlen, conflen;
3983 size_t nmatch;
3984 TLS_SIGALGS *salgs = NULL;
3985 CERT *c = s->cert;
3986 unsigned int is_suiteb = tls1_suiteb(s);
3987 /* If client use client signature algorithms if not NULL */
3988 if (!s->server && c->client_sigalgs && !is_suiteb)
3989 {
3990 conf = c->client_sigalgs;
3991 conflen = c->client_sigalgslen;
3992 }
3993 else if (c->conf_sigalgs && !is_suiteb)
3994 {
3995 conf = c->conf_sigalgs;
3996 conflen = c->conf_sigalgslen;
3997 }
3998 else
3999 conflen = tls12_get_psigalgs(s, &conf);
4000 if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb)
4001 {
4002 pref = conf;
4003 preflen = conflen;
4004 allow = c->peer_sigalgs;
4005 allowlen = c->peer_sigalgslen;
4006 }
4007 else
4008 {
4009 allow = conf;
4010 allowlen = conflen;
4011 pref = c->peer_sigalgs;
4012 preflen = c->peer_sigalgslen;
4013 }
4014 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
4015 if (!nmatch)
4016 return 1;
4017 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
4018 if (!salgs)
4019 return 0;
4020 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
4021 c->shared_sigalgs = salgs;
4022 c->shared_sigalgslen = nmatch;
4023 return 1;
4024 }
4025
4026
4027/* Set preferred digest for each key type */
4028
4029int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
4030 {
4031 int idx;
4032 size_t i;
4033 const EVP_MD *md;
4034 CERT *c = s->cert;
4035 TLS_SIGALGS *sigptr;
4036 /* Extension ignored for inappropriate versions */
4037 if (!SSL_USE_SIGALGS(s))
4038 return 1;
4039 /* Should never happen */
4040 if (!c)
4041 return 0;
4042
4043 c->peer_sigalgs = OPENSSL_malloc(dsize);
4044 if (!c->peer_sigalgs)
4045 return 0;
4046 c->peer_sigalgslen = dsize;
4047 memcpy(c->peer_sigalgs, data, dsize);
4048
4049 tls1_set_shared_sigalgs(s);
4050
4051#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4052 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
4053 {
4054 /* Use first set signature preference to force message
4055 * digest, ignoring any peer preferences.
4056 */
4057 const unsigned char *sigs = NULL;
4058 if (s->server)
4059 sigs = c->conf_sigalgs;
4060 else
4061 sigs = c->client_sigalgs;
4062 if (sigs)
4063 {
4064 idx = tls12_get_pkey_idx(sigs[1]);
4065 md = tls12_get_hash(sigs[0]);
4066 c->pkeys[idx].digest = md;
4067 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
4068 if (idx == SSL_PKEY_RSA_SIGN)
4069 {
4070 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
4071 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
4072 }
4073 }
4074 }
4075#endif
4076
4077 for (i = 0, sigptr = c->shared_sigalgs;
4078 i < c->shared_sigalgslen; i++, sigptr++)
4079 {
4080 idx = tls12_get_pkey_idx(sigptr->rsign);
4081 if (idx > 0 && c->pkeys[idx].digest == NULL)
4082 {
4083 md = tls12_get_hash(sigptr->rhash);
4084 c->pkeys[idx].digest = md;
4085 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
4086 if (idx == SSL_PKEY_RSA_SIGN)
4087 {
4088 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
4089 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
4090 }
4091 }
4092
4093 }
4094 /* In strict mode leave unset digests as NULL to indicate we can't
4095 * use the certificate for signing.
4096 */
4097 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
4098 {
4099 /* Set any remaining keys to default values. NOTE: if alg is
4100 * not supported it stays as NULL.
4101 */
4102#ifndef OPENSSL_NO_DSA
4103 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
4104 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
4105#endif
4106#ifndef OPENSSL_NO_RSA
4107 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
4108 {
4109 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
4110 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
4111 }
4112#endif
4113#ifndef OPENSSL_NO_ECDSA
4114 if (!c->pkeys[SSL_PKEY_ECC].digest)
4115 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
4116#endif
4117 }
4118 return 1;
4119 }
4120
4121
4122int SSL_get_sigalgs(SSL *s, int idx,
4123 int *psign, int *phash, int *psignhash,
4124 unsigned char *rsig, unsigned char *rhash)
4125 {
4126 const unsigned char *psig = s->cert->peer_sigalgs;
4127 if (psig == NULL)
4128 return 0;
4129 if (idx >= 0)
4130 {
4131 idx <<= 1;
4132 if (idx >= (int)s->cert->peer_sigalgslen)
4133 return 0;
4134 psig += idx;
4135 if (rhash)
4136 *rhash = psig[0];
4137 if (rsig)
4138 *rsig = psig[1];
4139 tls1_lookup_sigalg(phash, psign, psignhash, psig);
4140 }
4141 return s->cert->peer_sigalgslen / 2;
4142 }
4143
4144int SSL_get_shared_sigalgs(SSL *s, int idx,
4145 int *psign, int *phash, int *psignhash,
4146 unsigned char *rsig, unsigned char *rhash)
4147 {
4148 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
4149 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
4150 return 0;
4151 shsigalgs += idx;
4152 if (phash)
4153 *phash = shsigalgs->hash_nid;
4154 if (psign)
4155 *psign = shsigalgs->sign_nid;
4156 if (psignhash)
4157 *psignhash = shsigalgs->signandhash_nid;
4158 if (rsig)
4159 *rsig = shsigalgs->rsign;
4160 if (rhash)
4161 *rhash = shsigalgs->rhash;
4162 return s->cert->shared_sigalgslen;
4163 }
4164
4165
4166#ifndef OPENSSL_NO_HEARTBEATS
4167int
4168tls1_process_heartbeat(SSL *s)
4169 {
4170 unsigned char *p = &s->s3->rrec.data[0], *pl;
4171 unsigned short hbtype;
4172 unsigned int payload;
4173 unsigned int padding = 16; /* Use minimum padding */
4174
4175 /* Read type and payload length first */
4176 hbtype = *p++;
4177 n2s(p, payload);
4178 pl = p;
4179
4180 if (s->msg_callback)
4181 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
4182 &s->s3->rrec.data[0], s->s3->rrec.length,
4183 s, s->msg_callback_arg);
4184
4185 if (hbtype == TLS1_HB_REQUEST)
4186 {
4187 unsigned char *buffer, *bp;
4188 int r;
4189
4190 /* Allocate memory for the response, size is 1 bytes
4191 * message type, plus 2 bytes payload length, plus
4192 * payload, plus padding
4193 */
4194 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
4195 bp = buffer;
4196
4197 /* Enter response type, length and copy payload */
4198 *bp++ = TLS1_HB_RESPONSE;
4199 s2n(payload, bp);
4200 memcpy(bp, pl, payload);
4201 bp += payload;
4202 /* Random padding */
4203 RAND_pseudo_bytes(bp, padding);
4204
4205 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
4206
4207 if (r >= 0 && s->msg_callback)
4208 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4209 buffer, 3 + payload + padding,
4210 s, s->msg_callback_arg);
4211
4212 OPENSSL_free(buffer);
4213
4214 if (r < 0)
4215 return r;
4216 }
4217 else if (hbtype == TLS1_HB_RESPONSE)
4218 {
4219 unsigned int seq;
4220
4221 /* We only send sequence numbers (2 bytes unsigned int),
4222 * and 16 random bytes, so we just try to read the
4223 * sequence number */
4224 n2s(pl, seq);
4225
4226 if (payload == 18 && seq == s->tlsext_hb_seq)
4227 {
4228 s->tlsext_hb_seq++;
4229 s->tlsext_hb_pending = 0;
4230 }
4231 }
4232
4233 return 0;
4234 }
4235
4236int
4237tls1_heartbeat(SSL *s)
4238 {
4239 unsigned char *buf, *p;
4240 int ret;
4241 unsigned int payload = 18; /* Sequence number + random bytes */
4242 unsigned int padding = 16; /* Use minimum padding */
4243
4244 /* Only send if peer supports and accepts HB requests... */
4245 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
4246 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
4247 {
4248 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
4249 return -1;
4250 }
4251
4252 /* ...and there is none in flight yet... */
4253 if (s->tlsext_hb_pending)
4254 {
4255 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_TLS_HEARTBEAT_PENDING);
4256 return -1;
4257 }
4258
4259 /* ...and no handshake in progress. */
4260 if (SSL_in_init(s) || s->in_handshake)
4261 {
4262 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, SSL_R_UNEXPECTED_MESSAGE);
4263 return -1;
4264 }
4265
4266 /* Check if padding is too long, payload and padding
4267 * must not exceed 2^14 - 3 = 16381 bytes in total.
4268 */
4269 assert(payload + padding <= 16381);
4270
4271 /* Create HeartBeat message, we just use a sequence number
4272 * as payload to distuingish different messages and add
4273 * some random stuff.
4274 * - Message Type, 1 byte
4275 * - Payload Length, 2 bytes (unsigned int)
4276 * - Payload, the sequence number (2 bytes uint)
4277 * - Payload, random bytes (16 bytes uint)
4278 * - Padding
4279 */
4280 buf = OPENSSL_malloc(1 + 2 + payload + padding);
4281 p = buf;
4282 /* Message Type */
4283 *p++ = TLS1_HB_REQUEST;
4284 /* Payload length (18 bytes here) */
4285 s2n(payload, p);
4286 /* Sequence number */
4287 s2n(s->tlsext_hb_seq, p);
4288 /* 16 random bytes */
4289 RAND_pseudo_bytes(p, 16);
4290 p += 16;
4291 /* Random padding */
4292 RAND_pseudo_bytes(p, padding);
4293
4294 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
4295 if (ret >= 0)
4296 {
4297 if (s->msg_callback)
4298 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4299 buf, 3 + payload + padding,
4300 s, s->msg_callback_arg);
4301
4302 s->tlsext_hb_pending = 1;
4303 }
4304
4305 OPENSSL_free(buf);
4306
4307 return ret;
4308 }
4309#endif
4310
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]4311#if !defined(OPENSSL_NO_TLSEXT)
4312/* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
4313 * SSL connection and writes it to |md|. */
4314int
4315tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
4316 {
4317 EVP_MD_CTX ctx;
4318 unsigned char temp_digest[EVP_MAX_MD_SIZE];
4319 unsigned temp_digest_len;
4320 int i;
4321 static const char kClientIDMagic[] = "TLS Channel ID signature";
4322
4323 if (s->s3->handshake_buffer)
4324 if (!ssl3_digest_cached_records(s))
4325 return 0;
4326
4327 EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
4328
4329 if (s->hit && s->s3->tlsext_channel_id_new)
4330 {
4331 static const char kResumptionMagic[] = "Resumption";
4332 EVP_DigestUpdate(md, kResumptionMagic,
4333 sizeof(kResumptionMagic));
4334 if (s->session->original_handshake_hash_len == 0)
4335 return 0;
4336 EVP_DigestUpdate(md, s->session->original_handshake_hash,
4337 s->session->original_handshake_hash_len);
4338 }
4339
4340 EVP_MD_CTX_init(&ctx);
4341 for (i = 0; i < SSL_MAX_DIGEST; i++)
4342 {
4343 if (s->s3->handshake_dgst[i] == NULL)
4344 continue;
4345 EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
4346 EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
4347 EVP_DigestUpdate(md, temp_digest, temp_digest_len);
4348 }
4349 EVP_MD_CTX_cleanup(&ctx);
4350
4351 return 1;
4352 }
4353#endif
4354
4355/* tls1_record_handshake_hashes_for_channel_id records the current handshake
4356 * hashes in |s->session| so that Channel ID resumptions can sign that data. */
4357int tls1_record_handshake_hashes_for_channel_id(SSL *s)
4358 {
4359 int digest_len;
4360 /* This function should never be called for a resumed session because
4361 * the handshake hashes that we wish to record are for the original,
4362 * full handshake. */
4363 if (s->hit)
4364 return -1;
4365 /* It only makes sense to call this function if Channel IDs have been
4366 * negotiated. */
4367 if (!s->s3->tlsext_channel_id_new)
4368 return -1;
4369
4370 digest_len = tls1_handshake_digest(
4371 s, s->session->original_handshake_hash,
4372 sizeof(s->session->original_handshake_hash));
4373 if (digest_len < 0)
4374 return -1;
4375
4376 s->session->original_handshake_hash_len = digest_len;
4377
4378 return 1;
4379 }
4380
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]4381/* TODO(fork): remove */
4382#if 0
4383#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
4384
4385typedef struct
4386 {
4387 size_t sigalgcnt;
4388 int sigalgs[MAX_SIGALGLEN];
4389 } sig_cb_st;
4390
4391static int sig_cb(const char *elem, int len, void *arg)
4392 {
4393 sig_cb_st *sarg = arg;
4394 size_t i;
4395 char etmp[20], *p;
4396 int sig_alg, hash_alg;
4397 if (sarg->sigalgcnt == MAX_SIGALGLEN)
4398 return 0;
4399 if (len > (int)(sizeof(etmp) - 1))
4400 return 0;
4401 memcpy(etmp, elem, len);
4402 etmp[len] = 0;
4403 p = strchr(etmp, '+');
4404 if (!p)
4405 return 0;
4406 *p = 0;
4407 p++;
4408 if (!*p)
4409 return 0;
4410
4411 if (!strcmp(etmp, "RSA"))
4412 sig_alg = EVP_PKEY_RSA;
4413 else if (!strcmp(etmp, "DSA"))
4414 sig_alg = EVP_PKEY_DSA;
4415 else if (!strcmp(etmp, "ECDSA"))
4416 sig_alg = EVP_PKEY_EC;
4417 else return 0;
4418
4419 hash_alg = OBJ_sn2nid(p);
4420 if (hash_alg == NID_undef)
4421 hash_alg = OBJ_ln2nid(p);
4422 if (hash_alg == NID_undef)
4423 return 0;
4424
4425 for (i = 0; i < sarg->sigalgcnt; i+=2)
4426 {
4427 if (sarg->sigalgs[i] == sig_alg
4428 && sarg->sigalgs[i + 1] == hash_alg)
4429 return 0;
4430 }
4431 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
4432 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
4433 return 1;
4434 }
4435
4436/* Set suppored signature algorithms based on a colon separated list
4437 * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
4438int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
4439 {
4440 sig_cb_st sig;
4441 sig.sigalgcnt = 0;
4442 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
4443 return 0;
4444 if (c == NULL)
4445 return 1;
4446 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
4447 }
4448#endif
4449
4450int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
4451 {
4452 unsigned char *sigalgs, *sptr;
4453 int rhash, rsign;
4454 size_t i;
4455 if (salglen & 1)
4456 return 0;
4457 sigalgs = OPENSSL_malloc(salglen);
4458 if (sigalgs == NULL)
4459 return 0;
4460 for (i = 0, sptr = sigalgs; i < salglen; i+=2)
4461 {
4462 rhash = tls12_find_id(*psig_nids++, tls12_md,
4463 sizeof(tls12_md)/sizeof(tls12_lookup));
4464 rsign = tls12_find_id(*psig_nids++, tls12_sig,
4465 sizeof(tls12_sig)/sizeof(tls12_lookup));
4466
4467 if (rhash == -1 || rsign == -1)
4468 goto err;
4469 *sptr++ = rhash;
4470 *sptr++ = rsign;
4471 }
4472
4473 if (client)
4474 {
4475 if (c->client_sigalgs)
4476 OPENSSL_free(c->client_sigalgs);
4477 c->client_sigalgs = sigalgs;
4478 c->client_sigalgslen = salglen;
4479 }
4480 else
4481 {
4482 if (c->conf_sigalgs)
4483 OPENSSL_free(c->conf_sigalgs);
4484 c->conf_sigalgs = sigalgs;
4485 c->conf_sigalgslen = salglen;
4486 }
4487
4488 return 1;
4489
4490 err:
4491 OPENSSL_free(sigalgs);
4492 return 0;
4493 }
4494
4495static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
4496 {
4497 int sig_nid;
4498 size_t i;
4499 if (default_nid == -1)
4500 return 1;
4501 sig_nid = X509_get_signature_nid(x);
4502 if (default_nid)
4503 return sig_nid == default_nid ? 1 : 0;
4504 for (i = 0; i < c->shared_sigalgslen; i++)
4505 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
4506 return 1;
4507 return 0;
4508 }
4509/* Check to see if a certificate issuer name matches list of CA names */
4510static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
4511 {
4512 X509_NAME *nm;
4513 int i;
4514 nm = X509_get_issuer_name(x);
4515 for (i = 0; i < sk_X509_NAME_num(names); i++)
4516 {
4517 if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
4518 return 1;
4519 }
4520 return 0;
4521 }
4522
4523/* Check certificate chain is consistent with TLS extensions and is
4524 * usable by server. This servers two purposes: it allows users to
4525 * check chains before passing them to the server and it allows the
4526 * server to check chains before attempting to use them.
4527 */
4528
4529/* Flags which need to be set for a certificate when stict mode not set */
4530
4531#define CERT_PKEY_VALID_FLAGS \
4532 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4533/* Strict mode flags */
4534#define CERT_PKEY_STRICT_FLAGS \
4535 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4536 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4537
4538int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
4539 int idx)
4540 {
4541 int i;
4542 int rv = 0;
4543 int check_flags = 0, strict_mode;
4544 CERT_PKEY *cpk = NULL;
4545 CERT *c = s->cert;
4546 unsigned int suiteb_flags = tls1_suiteb(s);
4547 /* idx == -1 means checking server chains */
4548 if (idx != -1)
4549 {
4550 /* idx == -2 means checking client certificate chains */
4551 if (idx == -2)
4552 {
4553 cpk = c->key;
4554 idx = cpk - c->pkeys;
4555 }
4556 else
4557 cpk = c->pkeys + idx;
4558 x = cpk->x509;
4559 pk = cpk->privatekey;
4560 chain = cpk->chain;
4561 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4562 /* If no cert or key, forget it */
4563 if (!x || !pk)
4564 goto end;
4565#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4566 /* Allow any certificate to pass test */
4567 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
4568 {
4569 rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;
4570 cpk->valid_flags = rv;
4571 return rv;
4572 }
4573#endif
4574 }
4575 else
4576 {
4577 if (!x || !pk)
4578 goto end;
4579 idx = ssl_cert_type(x, pk);
4580 if (idx == -1)
4581 goto end;
4582 cpk = c->pkeys + idx;
4583 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4584 check_flags = CERT_PKEY_STRICT_FLAGS;
4585 else
4586 check_flags = CERT_PKEY_VALID_FLAGS;
4587 strict_mode = 1;
4588 }
4589
4590 if (suiteb_flags)
4591 {
4592 int ok;
4593 if (check_flags)
4594 check_flags |= CERT_PKEY_SUITEB;
4595 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4596 if (ok != X509_V_OK)
4597 {
4598 if (check_flags)
4599 rv |= CERT_PKEY_SUITEB;
4600 else
4601 goto end;
4602 }
4603 }
4604
4605 /* Check all signature algorithms are consistent with
4606 * signature algorithms extension if TLS 1.2 or later
4607 * and strict mode.
4608 */
4609 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
4610 {
4611 int default_nid;
4612 unsigned char rsign = 0;
4613 if (c->peer_sigalgs)
4614 default_nid = 0;
4615 /* If no sigalgs extension use defaults from RFC5246 */
4616 else
4617 {
4618 switch(idx)
4619 {
4620 case SSL_PKEY_RSA_ENC:
4621 case SSL_PKEY_RSA_SIGN:
4622 case SSL_PKEY_DH_RSA:
4623 rsign = TLSEXT_signature_rsa;
4624 default_nid = NID_sha1WithRSAEncryption;
4625 break;
4626
4627 case SSL_PKEY_DSA_SIGN:
4628 case SSL_PKEY_DH_DSA:
4629 rsign = TLSEXT_signature_dsa;
4630 default_nid = NID_dsaWithSHA1;
4631 break;
4632
4633 case SSL_PKEY_ECC:
4634 rsign = TLSEXT_signature_ecdsa;
4635 default_nid = NID_ecdsa_with_SHA1;
4636 break;
4637
4638 default:
4639 default_nid = -1;
4640 break;
4641 }
4642 }
4643 /* If peer sent no signature algorithms extension and we
4644 * have set preferred signature algorithms check we support
4645 * sha1.
4646 */
4647 if (default_nid > 0 && c->conf_sigalgs)
4648 {
4649 size_t j;
4650 const unsigned char *p = c->conf_sigalgs;
4651 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
4652 {
4653 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4654 break;
4655 }
4656 if (j == c->conf_sigalgslen)
4657 {
4658 if (check_flags)
4659 goto skip_sigs;
4660 else
4661 goto end;
4662 }
4663 }
4664 /* Check signature algorithm of each cert in chain */
4665 if (!tls1_check_sig_alg(c, x, default_nid))
4666 {
4667 if (!check_flags) goto end;
4668 }
4669 else
4670 rv |= CERT_PKEY_EE_SIGNATURE;
4671 rv |= CERT_PKEY_CA_SIGNATURE;
4672 for (i = 0; i < sk_X509_num(chain); i++)
4673 {
4674 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
4675 default_nid))
4676 {
4677 if (check_flags)
4678 {
4679 rv &= ~CERT_PKEY_CA_SIGNATURE;
4680 break;
4681 }
4682 else
4683 goto end;
4684 }
4685 }
4686 }
4687 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4688 else if(check_flags)
4689 rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;
4690 skip_sigs:
4691 /* Check cert parameters are consistent */
4692 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4693 rv |= CERT_PKEY_EE_PARAM;
4694 else if (!check_flags)
4695 goto end;
4696 if (!s->server)
4697 rv |= CERT_PKEY_CA_PARAM;
4698 /* In strict mode check rest of chain too */
4699 else if (strict_mode)
4700 {
4701 rv |= CERT_PKEY_CA_PARAM;
4702 for (i = 0; i < sk_X509_num(chain); i++)
4703 {
4704 X509 *ca = sk_X509_value(chain, i);
4705 if (!tls1_check_cert_param(s, ca, 0))
4706 {
4707 if (check_flags)
4708 {
4709 rv &= ~CERT_PKEY_CA_PARAM;
4710 break;
4711 }
4712 else
4713 goto end;
4714 }
4715 }
4716 }
4717 if (!s->server && strict_mode)
4718 {
4719 STACK_OF(X509_NAME) *ca_dn;
4720 int check_type = 0;
4721 switch (pk->type)
4722 {
4723 case EVP_PKEY_RSA:
4724 check_type = TLS_CT_RSA_SIGN;
4725 break;
4726 case EVP_PKEY_DSA:
4727 check_type = TLS_CT_DSS_SIGN;
4728 break;
4729 case EVP_PKEY_EC:
4730 check_type = TLS_CT_ECDSA_SIGN;
4731 break;
4732 case EVP_PKEY_DH:
4733 case EVP_PKEY_DHX:
4734 {
4735 int cert_type = X509_certificate_type(x, pk);
4736 if (cert_type & EVP_PKS_RSA)
4737 check_type = TLS_CT_RSA_FIXED_DH;
4738 if (cert_type & EVP_PKS_DSA)
4739 check_type = TLS_CT_DSS_FIXED_DH;
4740 }
4741 }
4742 if (check_type)
4743 {
4744 const unsigned char *ctypes;
4745 int ctypelen;
4746 if (c->ctypes)
4747 {
4748 ctypes = c->ctypes;
4749 ctypelen = (int)c->ctype_num;
4750 }
4751 else
4752 {
4753 ctypes = (unsigned char *)s->s3->tmp.ctype;
4754 ctypelen = s->s3->tmp.ctype_num;
4755 }
4756 for (i = 0; i < ctypelen; i++)
4757 {
4758 if (ctypes[i] == check_type)
4759 {
4760 rv |= CERT_PKEY_CERT_TYPE;
4761 break;
4762 }
4763 }
4764 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4765 goto end;
4766 }
4767 else
4768 rv |= CERT_PKEY_CERT_TYPE;
4769
4770
4771 ca_dn = s->s3->tmp.ca_names;
4772
4773 if (!sk_X509_NAME_num(ca_dn))
4774 rv |= CERT_PKEY_ISSUER_NAME;
4775
4776 if (!(rv & CERT_PKEY_ISSUER_NAME))
4777 {
4778 if (ssl_check_ca_name(ca_dn, x))
4779 rv |= CERT_PKEY_ISSUER_NAME;
4780 }
4781 if (!(rv & CERT_PKEY_ISSUER_NAME))
4782 {
4783 for (i = 0; i < sk_X509_num(chain); i++)
4784 {
4785 X509 *xtmp = sk_X509_value(chain, i);
4786 if (ssl_check_ca_name(ca_dn, xtmp))
4787 {
4788 rv |= CERT_PKEY_ISSUER_NAME;
4789 break;
4790 }
4791 }
4792 }
4793 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4794 goto end;
4795 }
4796 else
4797 rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
4798
4799 if (!check_flags || (rv & check_flags) == check_flags)
4800 rv |= CERT_PKEY_VALID;
4801
4802 end:
4803
4804 if (TLS1_get_version(s) >= TLS1_2_VERSION)
4805 {
4806 if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4807 rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
4808 else if (cpk->digest)
4809 rv |= CERT_PKEY_SIGN;
4810 }
4811 else
4812 rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
4813
4814 /* When checking a CERT_PKEY structure all flags are irrelevant
4815 * if the chain is invalid.
4816 */
4817 if (!check_flags)
4818 {
4819 if (rv & CERT_PKEY_VALID)
4820 cpk->valid_flags = rv;
4821 else
4822 {
4823 /* Preserve explicit sign flag, clear rest */
4824 cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4825 return 0;
4826 }
4827 }
4828 return rv;
4829 }
4830
4831/* Set validity of certificates in an SSL structure */
4832void tls1_set_cert_validity(SSL *s)
4833 {
4834 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4835 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4836 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4837 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4838 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4839 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4840 }
4841/* User level utiity function to check a chain is suitable */
4842int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4843 {
4844 return tls1_check_chain(s, x, pk, chain, -1);
4845 }
4846
4847#endif