summaryrefslogtreecommitdiff
path: root/src/lib/libssl/t1_lib.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/t1_lib.c2423
1 files changed, 0 insertions, 2423 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
deleted file mode 100644
index 9ee495c790..0000000000
--- a/src/lib/libssl/t1_lib.c
+++ /dev/null
@@ -1,2423 +0,0 @@
1/* $OpenBSD: t1_lib.c,v 1.82 2015/07/24 07:57:48 doug Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <stdio.h>
113
114#include <openssl/evp.h>
115#include <openssl/hmac.h>
116#include <openssl/objects.h>
117#include <openssl/ocsp.h>
118
119#include "ssl_locl.h"
120#include "bytestring.h"
121
122static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 const unsigned char *sess_id, int sesslen,
124 SSL_SESSION **psess);
125
126SSL3_ENC_METHOD TLSv1_enc_data = {
127 .enc = tls1_enc,
128 .mac = tls1_mac,
129 .setup_key_block = tls1_setup_key_block,
130 .generate_master_secret = tls1_generate_master_secret,
131 .change_cipher_state = tls1_change_cipher_state,
132 .final_finish_mac = tls1_final_finish_mac,
133 .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
134 .cert_verify_mac = tls1_cert_verify_mac,
135 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
136 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
138 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
139 .alert_value = tls1_alert_code,
140 .export_keying_material = tls1_export_keying_material,
141 .enc_flags = 0,
142};
143
144SSL3_ENC_METHOD TLSv1_1_enc_data = {
145 .enc = tls1_enc,
146 .mac = tls1_mac,
147 .setup_key_block = tls1_setup_key_block,
148 .generate_master_secret = tls1_generate_master_secret,
149 .change_cipher_state = tls1_change_cipher_state,
150 .final_finish_mac = tls1_final_finish_mac,
151 .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
152 .cert_verify_mac = tls1_cert_verify_mac,
153 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
154 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
155 .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
156 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
157 .alert_value = tls1_alert_code,
158 .export_keying_material = tls1_export_keying_material,
159 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV,
160};
161
162SSL3_ENC_METHOD TLSv1_2_enc_data = {
163 .enc = tls1_enc,
164 .mac = tls1_mac,
165 .setup_key_block = tls1_setup_key_block,
166 .generate_master_secret = tls1_generate_master_secret,
167 .change_cipher_state = tls1_change_cipher_state,
168 .final_finish_mac = tls1_final_finish_mac,
169 .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
170 .cert_verify_mac = tls1_cert_verify_mac,
171 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
172 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
173 .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
174 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
175 .alert_value = tls1_alert_code,
176 .export_keying_material = tls1_export_keying_material,
177 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|
178 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS,
179};
180
181long
182tls1_default_timeout(void)
183{
184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
185 * is way too long for http, the cache would over fill */
186 return (60 * 60 * 2);
187}
188
189int
190tls1_new(SSL *s)
191{
192 if (!ssl3_new(s))
193 return (0);
194 s->method->ssl_clear(s);
195 return (1);
196}
197
198void
199tls1_free(SSL *s)
200{
201 if (s == NULL)
202 return;
203
204 free(s->tlsext_session_ticket);
205 ssl3_free(s);
206}
207
208void
209tls1_clear(SSL *s)
210{
211 ssl3_clear(s);
212 s->version = s->method->version;
213}
214
215
216static int nid_list[] = {
217 NID_sect163k1, /* sect163k1 (1) */
218 NID_sect163r1, /* sect163r1 (2) */
219 NID_sect163r2, /* sect163r2 (3) */
220 NID_sect193r1, /* sect193r1 (4) */
221 NID_sect193r2, /* sect193r2 (5) */
222 NID_sect233k1, /* sect233k1 (6) */
223 NID_sect233r1, /* sect233r1 (7) */
224 NID_sect239k1, /* sect239k1 (8) */
225 NID_sect283k1, /* sect283k1 (9) */
226 NID_sect283r1, /* sect283r1 (10) */
227 NID_sect409k1, /* sect409k1 (11) */
228 NID_sect409r1, /* sect409r1 (12) */
229 NID_sect571k1, /* sect571k1 (13) */
230 NID_sect571r1, /* sect571r1 (14) */
231 NID_secp160k1, /* secp160k1 (15) */
232 NID_secp160r1, /* secp160r1 (16) */
233 NID_secp160r2, /* secp160r2 (17) */
234 NID_secp192k1, /* secp192k1 (18) */
235 NID_X9_62_prime192v1, /* secp192r1 (19) */
236 NID_secp224k1, /* secp224k1 (20) */
237 NID_secp224r1, /* secp224r1 (21) */
238 NID_secp256k1, /* secp256k1 (22) */
239 NID_X9_62_prime256v1, /* secp256r1 (23) */
240 NID_secp384r1, /* secp384r1 (24) */
241 NID_secp521r1, /* secp521r1 (25) */
242 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
243 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
244 NID_brainpoolP512r1 /* brainpoolP512r1 (28) */
245};
246
247static const uint8_t ecformats_default[] = {
248 TLSEXT_ECPOINTFORMAT_uncompressed,
249 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
251};
252
253static const uint16_t eccurves_default[] = {
254 14, /* sect571r1 (14) */
255 13, /* sect571k1 (13) */
256 25, /* secp521r1 (25) */
257 28, /* brainpool512r1 (28) */
258 11, /* sect409k1 (11) */
259 12, /* sect409r1 (12) */
260 27, /* brainpoolP384r1 (27) */
261 24, /* secp384r1 (24) */
262 9, /* sect283k1 (9) */
263 10, /* sect283r1 (10) */
264 26, /* brainpoolP256r1 (26) */
265 22, /* secp256k1 (22) */
266 23, /* secp256r1 (23) */
267 8, /* sect239k1 (8) */
268 6, /* sect233k1 (6) */
269 7, /* sect233r1 (7) */
270 20, /* secp224k1 (20) */
271 21, /* secp224r1 (21) */
272 4, /* sect193r1 (4) */
273 5, /* sect193r2 (5) */
274 18, /* secp192k1 (18) */
275 19, /* secp192r1 (19) */
276 1, /* sect163k1 (1) */
277 2, /* sect163r1 (2) */
278 3, /* sect163r2 (3) */
279 15, /* secp160k1 (15) */
280 16, /* secp160r1 (16) */
281 17, /* secp160r2 (17) */
282};
283
284int
285tls1_ec_curve_id2nid(uint16_t curve_id)
286{
287 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
288 if ((curve_id < 1) ||
289 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0])))
290 return 0;
291 return nid_list[curve_id - 1];
292}
293
294uint16_t
295tls1_ec_nid2curve_id(int nid)
296{
297 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
298 switch (nid) {
299 case NID_sect163k1: /* sect163k1 (1) */
300 return 1;
301 case NID_sect163r1: /* sect163r1 (2) */
302 return 2;
303 case NID_sect163r2: /* sect163r2 (3) */
304 return 3;
305 case NID_sect193r1: /* sect193r1 (4) */
306 return 4;
307 case NID_sect193r2: /* sect193r2 (5) */
308 return 5;
309 case NID_sect233k1: /* sect233k1 (6) */
310 return 6;
311 case NID_sect233r1: /* sect233r1 (7) */
312 return 7;
313 case NID_sect239k1: /* sect239k1 (8) */
314 return 8;
315 case NID_sect283k1: /* sect283k1 (9) */
316 return 9;
317 case NID_sect283r1: /* sect283r1 (10) */
318 return 10;
319 case NID_sect409k1: /* sect409k1 (11) */
320 return 11;
321 case NID_sect409r1: /* sect409r1 (12) */
322 return 12;
323 case NID_sect571k1: /* sect571k1 (13) */
324 return 13;
325 case NID_sect571r1: /* sect571r1 (14) */
326 return 14;
327 case NID_secp160k1: /* secp160k1 (15) */
328 return 15;
329 case NID_secp160r1: /* secp160r1 (16) */
330 return 16;
331 case NID_secp160r2: /* secp160r2 (17) */
332 return 17;
333 case NID_secp192k1: /* secp192k1 (18) */
334 return 18;
335 case NID_X9_62_prime192v1: /* secp192r1 (19) */
336 return 19;
337 case NID_secp224k1: /* secp224k1 (20) */
338 return 20;
339 case NID_secp224r1: /* secp224r1 (21) */
340 return 21;
341 case NID_secp256k1: /* secp256k1 (22) */
342 return 22;
343 case NID_X9_62_prime256v1: /* secp256r1 (23) */
344 return 23;
345 case NID_secp384r1: /* secp384r1 (24) */
346 return 24;
347 case NID_secp521r1: /* secp521r1 (25) */
348 return 25;
349 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
350 return 26;
351 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
352 return 27;
353 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */
354 return 28;
355 default:
356 return 0;
357 }
358}
359
360/*
361 * Return the appropriate format list. If client_formats is non-zero, return
362 * the client/session formats. Otherwise return the custom format list if one
363 * exists, or the default formats if a custom list has not been specified.
364 */
365static void
366tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
367 size_t *pformatslen)
368{
369 if (client_formats != 0) {
370 *pformats = s->session->tlsext_ecpointformatlist;
371 *pformatslen = s->session->tlsext_ecpointformatlist_length;
372 return;
373 }
374
375 *pformats = s->tlsext_ecpointformatlist;
376 *pformatslen = s->tlsext_ecpointformatlist_length;
377 if (*pformats == NULL) {
378 *pformats = ecformats_default;
379 *pformatslen = sizeof(ecformats_default);
380 }
381}
382
383/*
384 * Return the appropriate curve list. If client_curves is non-zero, return
385 * the client/session curves. Otherwise return the custom curve list if one
386 * exists, or the default curves if a custom list has not been specified.
387 */
388static void
389tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves,
390 size_t *pcurveslen)
391{
392 if (client_curves != 0) {
393 *pcurves = s->session->tlsext_ellipticcurvelist;
394 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
395 return;
396 }
397
398 *pcurves = s->tlsext_ellipticcurvelist;
399 *pcurveslen = s->tlsext_ellipticcurvelist_length;
400 if (*pcurves == NULL) {
401 *pcurves = eccurves_default;
402 *pcurveslen = sizeof(eccurves_default) / 2;
403 }
404}
405
406/* Check that a curve is one of our preferences. */
407int
408tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
409{
410 CBS cbs;
411 const uint16_t *curves;
412 size_t curveslen, i;
413 uint8_t type;
414 uint16_t cid;
415
416 CBS_init(&cbs, p, len);
417
418 /* Only named curves are supported. */
419 if (CBS_len(&cbs) != 3 ||
420 !CBS_get_u8(&cbs, &type) ||
421 type != NAMED_CURVE_TYPE ||
422 !CBS_get_u16(&cbs, &cid))
423 return (0);
424
425 tls1_get_curvelist(s, 0, &curves, &curveslen);
426
427 for (i = 0; i < curveslen; i++) {
428 if (curves[i] == cid)
429 return (1);
430 }
431 return (0);
432}
433
434int
435tls1_get_shared_curve(SSL *s)
436{
437 size_t preflen, supplen, i, j;
438 const uint16_t *pref, *supp;
439 unsigned long server_pref;
440
441 /* Cannot do anything on the client side. */
442 if (s->server == 0)
443 return (NID_undef);
444
445 /* Return first preference shared curve. */
446 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
447 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen);
448 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen);
449
450 for (i = 0; i < preflen; i++) {
451 for (j = 0; j < supplen; j++) {
452 if (pref[i] == supp[j])
453 return (tls1_ec_curve_id2nid(pref[i]));
454 }
455 }
456 return (NID_undef);
457}
458
459/* For an EC key set TLS ID and required compression based on parameters. */
460static int
461tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
462{
463 const EC_GROUP *grp;
464 const EC_METHOD *meth;
465 int is_prime = 0;
466 int nid, id;
467
468 if (ec == NULL)
469 return (0);
470
471 /* Determine if it is a prime field. */
472 if ((grp = EC_KEY_get0_group(ec)) == NULL)
473 return (0);
474 if ((meth = EC_GROUP_method_of(grp)) == NULL)
475 return (0);
476 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
477 is_prime = 1;
478
479 /* Determine curve ID. */
480 nid = EC_GROUP_get_curve_name(grp);
481 id = tls1_ec_nid2curve_id(nid);
482
483 /* If we have an ID set it, otherwise set arbitrary explicit curve. */
484 if (id != 0)
485 *curve_id = id;
486 else
487 *curve_id = is_prime ? 0xff01 : 0xff02;
488
489 /* Specify the compression identifier. */
490 if (comp_id != NULL) {
491 if (EC_KEY_get0_public_key(ec) == NULL)
492 return (0);
493
494 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
495 *comp_id = is_prime ?
496 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime :
497 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
498 } else {
499 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
500 }
501 }
502 return (1);
503}
504
505/* Check that an EC key is compatible with extensions. */
506static int
507tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
508{
509 size_t curveslen, formatslen, i;
510 const uint16_t *curves;
511 const uint8_t *formats;
512
513 /*
514 * Check point formats extension if present, otherwise everything
515 * is supported (see RFC4492).
516 */
517 tls1_get_formatlist(s, 1, &formats, &formatslen);
518 if (comp_id != NULL && formats != NULL) {
519 for (i = 0; i < formatslen; i++) {
520 if (formats[i] == *comp_id)
521 break;
522 }
523 if (i == formatslen)
524 return (0);
525 }
526
527 /*
528 * Check curve list if present, otherwise everything is supported.
529 */
530 tls1_get_curvelist(s, 1, &curves, &curveslen);
531 if (curve_id != NULL && curves != NULL) {
532 for (i = 0; i < curveslen; i++) {
533 if (curves[i] == *curve_id)
534 break;
535 }
536 if (i == curveslen)
537 return (0);
538 }
539
540 return (1);
541}
542
543/* Check EC server key is compatible with client extensions. */
544int
545tls1_check_ec_server_key(SSL *s)
546{
547 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
548 uint16_t curve_id;
549 uint8_t comp_id;
550 EVP_PKEY *pkey;
551 int rv;
552
553 if (cpk->x509 == NULL || cpk->privatekey == NULL)
554 return (0);
555 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL)
556 return (0);
557 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec);
558 EVP_PKEY_free(pkey);
559 if (rv != 1)
560 return (0);
561
562 return tls1_check_ec_key(s, &curve_id, &comp_id);
563}
564
565/* Check EC temporary key is compatible with client extensions. */
566int
567tls1_check_ec_tmp_key(SSL *s)
568{
569 EC_KEY *ec = s->cert->ecdh_tmp;
570 uint16_t curve_id;
571
572 if (s->cert->ecdh_tmp_auto != 0) {
573 /* Need a shared curve. */
574 if (tls1_get_shared_curve(s) != NID_undef)
575 return (1);
576 return (0);
577 }
578
579 if (ec == NULL) {
580 if (s->cert->ecdh_tmp_cb != NULL)
581 return (1);
582 return (0);
583 }
584 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1)
585 return (0);
586
587 return tls1_check_ec_key(s, &curve_id, NULL);
588}
589
590/*
591 * List of supported signature algorithms and hashes. Should make this
592 * customisable at some point, for now include everything we support.
593 */
594
595static unsigned char tls12_sigalgs[] = {
596 TLSEXT_hash_sha512, TLSEXT_signature_rsa,
597 TLSEXT_hash_sha512, TLSEXT_signature_dsa,
598 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
599#ifndef OPENSSL_NO_GOST
600 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512,
601#endif
602
603 TLSEXT_hash_sha384, TLSEXT_signature_rsa,
604 TLSEXT_hash_sha384, TLSEXT_signature_dsa,
605 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
606
607 TLSEXT_hash_sha256, TLSEXT_signature_rsa,
608 TLSEXT_hash_sha256, TLSEXT_signature_dsa,
609 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
610
611#ifndef OPENSSL_NO_GOST
612 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256,
613 TLSEXT_hash_gost94, TLSEXT_signature_gostr01,
614#endif
615
616 TLSEXT_hash_sha224, TLSEXT_signature_rsa,
617 TLSEXT_hash_sha224, TLSEXT_signature_dsa,
618 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
619
620 TLSEXT_hash_sha1, TLSEXT_signature_rsa,
621 TLSEXT_hash_sha1, TLSEXT_signature_dsa,
622 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
623};
624
625int
626tls12_get_req_sig_algs(SSL *s, unsigned char *p)
627{
628 size_t slen = sizeof(tls12_sigalgs);
629
630 if (p)
631 memcpy(p, tls12_sigalgs, slen);
632 return (int)slen;
633}
634
635unsigned char *
636ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
637{
638 int extdatalen = 0;
639 unsigned char *ret = p;
640 int using_ecc = 0;
641
642 /* See if we support any ECC ciphersuites. */
643 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) {
644 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
645 unsigned long alg_k, alg_a;
646 int i;
647
648 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
649 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
650
651 alg_k = c->algorithm_mkey;
652 alg_a = c->algorithm_auth;
653
654 if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
655 (alg_a & SSL_aECDSA))) {
656 using_ecc = 1;
657 break;
658 }
659 }
660 }
661
662 /* don't add extensions for SSLv3 unless doing secure renegotiation */
663 if (s->client_version == SSL3_VERSION &&
664 !s->s3->send_connection_binding)
665 return p;
666
667 ret += 2;
668
669 if (ret >= limit)
670 return NULL; /* this really never occurs, but ... */
671
672 if (s->tlsext_hostname != NULL) {
673 /* Add TLS extension servername to the Client Hello message */
674 size_t size_str, lenmax;
675
676 /* check for enough space.
677 4 for the servername type and extension length
678 2 for servernamelist length
679 1 for the hostname type
680 2 for hostname length
681 + hostname length
682 */
683
684 if ((size_t)(limit - ret) < 9)
685 return NULL;
686
687 lenmax = limit - ret - 9;
688 if ((size_str = strlen(s->tlsext_hostname)) > lenmax)
689 return NULL;
690
691 /* extension type and length */
692 s2n(TLSEXT_TYPE_server_name, ret);
693
694 s2n(size_str + 5, ret);
695
696 /* length of servername list */
697 s2n(size_str + 3, ret);
698
699 /* hostname type, length and hostname */
700 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
701 s2n(size_str, ret);
702 memcpy(ret, s->tlsext_hostname, size_str);
703 ret += size_str;
704 }
705
706 /* Add RI if renegotiating */
707 if (s->renegotiate) {
708 int el;
709
710 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
711 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
712 ERR_R_INTERNAL_ERROR);
713 return NULL;
714 }
715
716 if ((size_t)(limit - ret) < 4 + el)
717 return NULL;
718
719 s2n(TLSEXT_TYPE_renegotiate, ret);
720 s2n(el, ret);
721
722 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
723 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
724 ERR_R_INTERNAL_ERROR);
725 return NULL;
726 }
727
728 ret += el;
729 }
730
731 if (using_ecc) {
732 size_t curveslen, formatslen, lenmax;
733 const uint16_t *curves;
734 const uint8_t *formats;
735 int i;
736
737 /*
738 * Add TLS extension ECPointFormats to the ClientHello message.
739 */
740 tls1_get_formatlist(s, 0, &formats, &formatslen);
741
742 if ((size_t)(limit - ret) < 5)
743 return NULL;
744
745 lenmax = limit - ret - 5;
746 if (formatslen > lenmax)
747 return NULL;
748 if (formatslen > 255) {
749 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
750 ERR_R_INTERNAL_ERROR);
751 return NULL;
752 }
753
754 s2n(TLSEXT_TYPE_ec_point_formats, ret);
755 s2n(formatslen + 1, ret);
756 *(ret++) = (unsigned char)formatslen;
757 memcpy(ret, formats, formatslen);
758 ret += formatslen;
759
760 /*
761 * Add TLS extension EllipticCurves to the ClientHello message.
762 */
763 tls1_get_curvelist(s, 0, &curves, &curveslen);
764
765 if ((size_t)(limit - ret) < 6)
766 return NULL;
767
768 lenmax = limit - ret - 6;
769 if (curveslen > lenmax)
770 return NULL;
771 if (curveslen > 65532) {
772 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
773 ERR_R_INTERNAL_ERROR);
774 return NULL;
775 }
776
777 s2n(TLSEXT_TYPE_elliptic_curves, ret);
778 s2n((curveslen * 2) + 2, ret);
779
780 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
781 * elliptic_curve_list, but the examples use two bytes.
782 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
783 * resolves this to two bytes.
784 */
785 s2n(curveslen * 2, ret);
786 for (i = 0; i < curveslen; i++)
787 s2n(curves[i], ret);
788 }
789
790 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
791 int ticklen;
792 if (!s->new_session && s->session && s->session->tlsext_tick)
793 ticklen = s->session->tlsext_ticklen;
794 else if (s->session && s->tlsext_session_ticket &&
795 s->tlsext_session_ticket->data) {
796 ticklen = s->tlsext_session_ticket->length;
797 s->session->tlsext_tick = malloc(ticklen);
798 if (!s->session->tlsext_tick)
799 return NULL;
800 memcpy(s->session->tlsext_tick,
801 s->tlsext_session_ticket->data, ticklen);
802 s->session->tlsext_ticklen = ticklen;
803 } else
804 ticklen = 0;
805 if (ticklen == 0 && s->tlsext_session_ticket &&
806 s->tlsext_session_ticket->data == NULL)
807 goto skip_ext;
808 /* Check for enough room 2 for extension type, 2 for len
809 * rest for ticket
810 */
811 if ((size_t)(limit - ret) < 4 + ticklen)
812 return NULL;
813 s2n(TLSEXT_TYPE_session_ticket, ret);
814
815 s2n(ticklen, ret);
816 if (ticklen) {
817 memcpy(ret, s->session->tlsext_tick, ticklen);
818 ret += ticklen;
819 }
820 }
821skip_ext:
822
823 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
824 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
825 return NULL;
826
827 s2n(TLSEXT_TYPE_signature_algorithms, ret);
828 s2n(sizeof(tls12_sigalgs) + 2, ret);
829 s2n(sizeof(tls12_sigalgs), ret);
830 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
831 ret += sizeof(tls12_sigalgs);
832 }
833
834 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
835 s->version != DTLS1_VERSION) {
836 int i;
837 long extlen, idlen, itmp;
838 OCSP_RESPID *id;
839
840 idlen = 0;
841 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
842 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
843 itmp = i2d_OCSP_RESPID(id, NULL);
844 if (itmp <= 0)
845 return NULL;
846 idlen += itmp + 2;
847 }
848
849 if (s->tlsext_ocsp_exts) {
850 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
851 if (extlen < 0)
852 return NULL;
853 } else
854 extlen = 0;
855
856 if ((size_t)(limit - ret) < 7 + extlen + idlen)
857 return NULL;
858 s2n(TLSEXT_TYPE_status_request, ret);
859 if (extlen + idlen > 0xFFF0)
860 return NULL;
861 s2n(extlen + idlen + 5, ret);
862 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
863 s2n(idlen, ret);
864 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
865 /* save position of id len */
866 unsigned char *q = ret;
867 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
868 /* skip over id len */
869 ret += 2;
870 itmp = i2d_OCSP_RESPID(id, &ret);
871 /* write id len */
872 s2n(itmp, q);
873 }
874 s2n(extlen, ret);
875 if (extlen > 0)
876 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
877 }
878
879 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
880 /* The client advertises an emtpy extension to indicate its
881 * support for Next Protocol Negotiation */
882 if ((size_t)(limit - ret) < 4)
883 return NULL;
884 s2n(TLSEXT_TYPE_next_proto_neg, ret);
885 s2n(0, ret);
886 }
887
888 if (s->alpn_client_proto_list != NULL &&
889 s->s3->tmp.finish_md_len == 0) {
890 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
891 return (NULL);
892 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
893 s2n(2 + s->alpn_client_proto_list_len, ret);
894 s2n(s->alpn_client_proto_list_len, ret);
895 memcpy(ret, s->alpn_client_proto_list,
896 s->alpn_client_proto_list_len);
897 ret += s->alpn_client_proto_list_len;
898 }
899
900#ifndef OPENSSL_NO_SRTP
901 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
902 int el;
903
904 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
905
906 if ((size_t)(limit - ret) < 4 + el)
907 return NULL;
908
909 s2n(TLSEXT_TYPE_use_srtp, ret);
910 s2n(el, ret);
911
912 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
913 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
914 ERR_R_INTERNAL_ERROR);
915 return NULL;
916 }
917 ret += el;
918 }
919#endif
920
921 /*
922 * Add padding to workaround bugs in F5 terminators.
923 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
924 *
925 * Note that this seems to trigger issues with IronPort SMTP
926 * appliances.
927 *
928 * NB: because this code works out the length of all existing
929 * extensions it MUST always appear last.
930 */
931 if (s->options & SSL_OP_TLSEXT_PADDING) {
932 int hlen = ret - (unsigned char *)s->init_buf->data;
933
934 /*
935 * The code in s23_clnt.c to build ClientHello messages
936 * includes the 5-byte record header in the buffer, while the
937 * code in s3_clnt.c does not.
938 */
939 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
940 hlen -= 5;
941 if (hlen > 0xff && hlen < 0x200) {
942 hlen = 0x200 - hlen;
943 if (hlen >= 4)
944 hlen -= 4;
945 else
946 hlen = 0;
947
948 s2n(TLSEXT_TYPE_padding, ret);
949 s2n(hlen, ret);
950 memset(ret, 0, hlen);
951 ret += hlen;
952 }
953 }
954
955 if ((extdatalen = ret - p - 2) == 0)
956 return p;
957
958 s2n(extdatalen, p);
959 return ret;
960}
961
962unsigned char *
963ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
964{
965 int using_ecc, extdatalen = 0;
966 unsigned long alg_a, alg_k;
967 unsigned char *ret = p;
968 int next_proto_neg_seen;
969
970 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
971 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
972 using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
973 alg_a & SSL_aECDSA) &&
974 s->session->tlsext_ecpointformatlist != NULL;
975
976 /* don't add extensions for SSLv3, unless doing secure renegotiation */
977 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
978 return p;
979
980 ret += 2;
981 if (ret >= limit)
982 return NULL; /* this really never occurs, but ... */
983
984 if (!s->hit && s->servername_done == 1 &&
985 s->session->tlsext_hostname != NULL) {
986 if ((size_t)(limit - ret) < 4)
987 return NULL;
988
989 s2n(TLSEXT_TYPE_server_name, ret);
990 s2n(0, ret);
991 }
992
993 if (s->s3->send_connection_binding) {
994 int el;
995
996 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
997 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
998 ERR_R_INTERNAL_ERROR);
999 return NULL;
1000 }
1001
1002 if ((size_t)(limit - ret) < 4 + el)
1003 return NULL;
1004
1005 s2n(TLSEXT_TYPE_renegotiate, ret);
1006 s2n(el, ret);
1007
1008 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1009 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1010 ERR_R_INTERNAL_ERROR);
1011 return NULL;
1012 }
1013
1014 ret += el;
1015 }
1016
1017 if (using_ecc && s->version != DTLS1_VERSION) {
1018 const unsigned char *formats;
1019 size_t formatslen, lenmax;
1020
1021 /*
1022 * Add TLS extension ECPointFormats to the ServerHello message.
1023 */
1024 tls1_get_formatlist(s, 0, &formats, &formatslen);
1025
1026 if ((size_t)(limit - ret) < 5)
1027 return NULL;
1028
1029 lenmax = limit - ret - 5;
1030 if (formatslen > lenmax)
1031 return NULL;
1032 if (formatslen > 255) {
1033 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1034 ERR_R_INTERNAL_ERROR);
1035 return NULL;
1036 }
1037
1038 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1039 s2n(formatslen + 1, ret);
1040 *(ret++) = (unsigned char)formatslen;
1041 memcpy(ret, formats, formatslen);
1042 ret += formatslen;
1043 }
1044
1045 /*
1046 * Currently the server should not respond with a SupportedCurves
1047 * extension.
1048 */
1049
1050 if (s->tlsext_ticket_expected &&
1051 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1052 if ((size_t)(limit - ret) < 4)
1053 return NULL;
1054
1055 s2n(TLSEXT_TYPE_session_ticket, ret);
1056 s2n(0, ret);
1057 }
1058
1059 if (s->tlsext_status_expected) {
1060 if ((size_t)(limit - ret) < 4)
1061 return NULL;
1062
1063 s2n(TLSEXT_TYPE_status_request, ret);
1064 s2n(0, ret);
1065 }
1066
1067#ifndef OPENSSL_NO_SRTP
1068 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1069 int el;
1070
1071 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1072
1073 if ((size_t)(limit - ret) < 4 + el)
1074 return NULL;
1075
1076 s2n(TLSEXT_TYPE_use_srtp, ret);
1077 s2n(el, ret);
1078
1079 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1080 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1081 ERR_R_INTERNAL_ERROR);
1082 return NULL;
1083 }
1084 ret += el;
1085 }
1086#endif
1087
1088 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 ||
1089 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) &&
1090 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1091 static const unsigned char cryptopro_ext[36] = {
1092 0xfd, 0xe8, /*65000*/
1093 0x00, 0x20, /*32 bytes length*/
1094 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1095 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1096 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1097 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1098 };
1099 if ((size_t)(limit - ret) < sizeof(cryptopro_ext))
1100 return NULL;
1101 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
1102 ret += sizeof(cryptopro_ext);
1103 }
1104
1105 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1106 s->s3->next_proto_neg_seen = 0;
1107 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1108 const unsigned char *npa;
1109 unsigned int npalen;
1110 int r;
1111
1112 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1113 s->ctx->next_protos_advertised_cb_arg);
1114 if (r == SSL_TLSEXT_ERR_OK) {
1115 if ((size_t)(limit - ret) < 4 + npalen)
1116 return NULL;
1117 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1118 s2n(npalen, ret);
1119 memcpy(ret, npa, npalen);
1120 ret += npalen;
1121 s->s3->next_proto_neg_seen = 1;
1122 }
1123 }
1124
1125 if (s->s3->alpn_selected != NULL) {
1126 const unsigned char *selected = s->s3->alpn_selected;
1127 unsigned int len = s->s3->alpn_selected_len;
1128
1129 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1130 return (NULL);
1131 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1132 s2n(3 + len, ret);
1133 s2n(1 + len, ret);
1134 *ret++ = len;
1135 memcpy(ret, selected, len);
1136 ret += len;
1137 }
1138
1139 if ((extdatalen = ret - p - 2) == 0)
1140 return p;
1141
1142 s2n(extdatalen, p);
1143 return ret;
1144}
1145
1146/*
1147 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1148 * ClientHello.
1149 * data: the contents of the extension, not including the type and length.
1150 * data_len: the number of bytes in data.
1151 * al: a pointer to the alert value to send in the event of a non-zero
1152 * return.
1153 * returns: 1 on success.
1154 */
1155static int
1156tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1157 unsigned int data_len, int *al)
1158{
1159 CBS cbs, proto_name_list, alpn;
1160 const unsigned char *selected;
1161 unsigned char selected_len;
1162 int r;
1163
1164 if (s->ctx->alpn_select_cb == NULL)
1165 return (1);
1166
1167 if (data_len < 2)
1168 goto parse_error;
1169
1170 CBS_init(&cbs, data, data_len);
1171
1172 /*
1173 * data should contain a uint16 length followed by a series of 8-bit,
1174 * length-prefixed strings.
1175 */
1176 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) ||
1177 CBS_len(&alpn) < 2 ||
1178 CBS_len(&cbs) != 0)
1179 goto parse_error;
1180
1181 /* Validate data before sending to callback. */
1182 CBS_dup(&alpn, &proto_name_list);
1183 while (CBS_len(&proto_name_list) > 0) {
1184 CBS proto_name;
1185
1186 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) ||
1187 CBS_len(&proto_name) == 0)
1188 goto parse_error;
1189 }
1190
1191 r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1192 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg);
1193 if (r == SSL_TLSEXT_ERR_OK) {
1194 free(s->s3->alpn_selected);
1195 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) {
1196 *al = SSL_AD_INTERNAL_ERROR;
1197 return (-1);
1198 }
1199 memcpy(s->s3->alpn_selected, selected, selected_len);
1200 s->s3->alpn_selected_len = selected_len;
1201 }
1202
1203 return (1);
1204
1205parse_error:
1206 *al = SSL_AD_DECODE_ERROR;
1207 return (0);
1208}
1209
1210int
1211ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1212 int n, int *al)
1213{
1214 unsigned short type;
1215 unsigned short size;
1216 unsigned short len;
1217 unsigned char *data = *p;
1218 int renegotiate_seen = 0;
1219 int sigalg_seen = 0;
1220
1221 s->servername_done = 0;
1222 s->tlsext_status_type = -1;
1223 s->s3->next_proto_neg_seen = 0;
1224 free(s->s3->alpn_selected);
1225 s->s3->alpn_selected = NULL;
1226
1227 if (data >= (d + n - 2))
1228 goto ri_check;
1229 n2s(data, len);
1230
1231 if (data > (d + n - len))
1232 goto ri_check;
1233
1234 while (data <= (d + n - 4)) {
1235 n2s(data, type);
1236 n2s(data, size);
1237
1238 if (data + size > (d + n))
1239 goto ri_check;
1240 if (s->tlsext_debug_cb)
1241 s->tlsext_debug_cb(s, 0, type, data, size,
1242 s->tlsext_debug_arg);
1243/* The servername extension is treated as follows:
1244
1245 - Only the hostname type is supported with a maximum length of 255.
1246 - The servername is rejected if too long or if it contains zeros,
1247 in which case an fatal alert is generated.
1248 - The servername field is maintained together with the session cache.
1249 - When a session is resumed, the servername call back invoked in order
1250 to allow the application to position itself to the right context.
1251 - The servername is acknowledged if it is new for a session or when
1252 it is identical to a previously used for the same session.
1253 Applications can control the behaviour. They can at any time
1254 set a 'desirable' servername for a new SSL object. This can be the
1255 case for example with HTTPS when a Host: header field is received and
1256 a renegotiation is requested. In this case, a possible servername
1257 presented in the new client hello is only acknowledged if it matches
1258 the value of the Host: field.
1259 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1260 if they provide for changing an explicit servername context for the session,
1261 i.e. when the session has been established with a servername extension.
1262 - On session reconnect, the servername extension may be absent.
1263
1264*/
1265
1266 if (type == TLSEXT_TYPE_server_name) {
1267 unsigned char *sdata;
1268 int servname_type;
1269 int dsize;
1270
1271 if (size < 2) {
1272 *al = SSL_AD_DECODE_ERROR;
1273 return 0;
1274 }
1275 n2s(data, dsize);
1276
1277 size -= 2;
1278 if (dsize > size) {
1279 *al = SSL_AD_DECODE_ERROR;
1280 return 0;
1281 }
1282
1283 sdata = data;
1284 while (dsize > 3) {
1285 servname_type = *(sdata++);
1286
1287 n2s(sdata, len);
1288 dsize -= 3;
1289
1290 if (len > dsize) {
1291 *al = SSL_AD_DECODE_ERROR;
1292 return 0;
1293 }
1294 if (s->servername_done == 0)
1295 switch (servname_type) {
1296 case TLSEXT_NAMETYPE_host_name:
1297 if (!s->hit) {
1298 if (s->session->tlsext_hostname) {
1299 *al = SSL_AD_DECODE_ERROR;
1300 return 0;
1301 }
1302 if (len > TLSEXT_MAXLEN_host_name) {
1303 *al = TLS1_AD_UNRECOGNIZED_NAME;
1304 return 0;
1305 }
1306 if ((s->session->tlsext_hostname =
1307 malloc(len + 1)) == NULL) {
1308 *al = TLS1_AD_INTERNAL_ERROR;
1309 return 0;
1310 }
1311 memcpy(s->session->tlsext_hostname, sdata, len);
1312 s->session->tlsext_hostname[len] = '\0';
1313 if (strlen(s->session->tlsext_hostname) != len) {
1314 free(s->session->tlsext_hostname);
1315 s->session->tlsext_hostname = NULL;
1316 *al = TLS1_AD_UNRECOGNIZED_NAME;
1317 return 0;
1318 }
1319 s->servername_done = 1;
1320
1321
1322 } else {
1323 s->servername_done = s->session->tlsext_hostname &&
1324 strlen(s->session->tlsext_hostname) == len &&
1325 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1326 }
1327 break;
1328
1329 default:
1330 break;
1331 }
1332
1333 dsize -= len;
1334 }
1335 if (dsize != 0) {
1336 *al = SSL_AD_DECODE_ERROR;
1337 return 0;
1338 }
1339
1340 }
1341
1342 else if (type == TLSEXT_TYPE_ec_point_formats &&
1343 s->version != DTLS1_VERSION) {
1344 unsigned char *sdata = data;
1345 size_t formatslen;
1346 uint8_t *formats;
1347
1348 if (size < 1) {
1349 *al = TLS1_AD_DECODE_ERROR;
1350 return 0;
1351 }
1352 formatslen = *(sdata++);
1353 if (formatslen != size - 1) {
1354 *al = TLS1_AD_DECODE_ERROR;
1355 return 0;
1356 }
1357
1358 if (!s->hit) {
1359 free(s->session->tlsext_ecpointformatlist);
1360 s->session->tlsext_ecpointformatlist = NULL;
1361 s->session->tlsext_ecpointformatlist_length = 0;
1362
1363 if ((formats = reallocarray(NULL, formatslen,
1364 sizeof(uint8_t))) == NULL) {
1365 *al = TLS1_AD_INTERNAL_ERROR;
1366 return 0;
1367 }
1368 memcpy(formats, sdata, formatslen);
1369 s->session->tlsext_ecpointformatlist = formats;
1370 s->session->tlsext_ecpointformatlist_length =
1371 formatslen;
1372 }
1373 } else if (type == TLSEXT_TYPE_elliptic_curves &&
1374 s->version != DTLS1_VERSION) {
1375 unsigned char *sdata = data;
1376 size_t curveslen, i;
1377 uint16_t *curves;
1378
1379 if (size < 2) {
1380 *al = TLS1_AD_DECODE_ERROR;
1381 return 0;
1382 }
1383 n2s(sdata, curveslen);
1384 if (curveslen != size - 2 || curveslen % 2 != 0) {
1385 *al = TLS1_AD_DECODE_ERROR;
1386 return 0;
1387 }
1388 curveslen /= 2;
1389
1390 if (!s->hit) {
1391 if (s->session->tlsext_ellipticcurvelist) {
1392 *al = TLS1_AD_DECODE_ERROR;
1393 return 0;
1394 }
1395 s->session->tlsext_ellipticcurvelist_length = 0;
1396 if ((curves = reallocarray(NULL, curveslen,
1397 sizeof(uint16_t))) == NULL) {
1398 *al = TLS1_AD_INTERNAL_ERROR;
1399 return 0;
1400 }
1401 for (i = 0; i < curveslen; i++)
1402 n2s(sdata, curves[i]);
1403 s->session->tlsext_ellipticcurvelist = curves;
1404 s->session->tlsext_ellipticcurvelist_length = curveslen;
1405 }
1406 }
1407 else if (type == TLSEXT_TYPE_session_ticket) {
1408 if (s->tls_session_ticket_ext_cb &&
1409 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1410 *al = TLS1_AD_INTERNAL_ERROR;
1411 return 0;
1412 }
1413 } else if (type == TLSEXT_TYPE_renegotiate) {
1414 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1415 return 0;
1416 renegotiate_seen = 1;
1417 } else if (type == TLSEXT_TYPE_signature_algorithms) {
1418 int dsize;
1419 if (sigalg_seen || size < 2) {
1420 *al = SSL_AD_DECODE_ERROR;
1421 return 0;
1422 }
1423 sigalg_seen = 1;
1424 n2s(data, dsize);
1425 size -= 2;
1426 if (dsize != size || dsize & 1) {
1427 *al = SSL_AD_DECODE_ERROR;
1428 return 0;
1429 }
1430 if (!tls1_process_sigalgs(s, data, dsize)) {
1431 *al = SSL_AD_DECODE_ERROR;
1432 return 0;
1433 }
1434 } else if (type == TLSEXT_TYPE_status_request &&
1435 s->version != DTLS1_VERSION) {
1436
1437 if (size < 5) {
1438 *al = SSL_AD_DECODE_ERROR;
1439 return 0;
1440 }
1441
1442 s->tlsext_status_type = *data++;
1443 size--;
1444 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1445 const unsigned char *sdata;
1446 int dsize;
1447 /* Read in responder_id_list */
1448 n2s(data, dsize);
1449 size -= 2;
1450 if (dsize > size ) {
1451 *al = SSL_AD_DECODE_ERROR;
1452 return 0;
1453 }
1454 while (dsize > 0) {
1455 OCSP_RESPID *id;
1456 int idsize;
1457 if (dsize < 4) {
1458 *al = SSL_AD_DECODE_ERROR;
1459 return 0;
1460 }
1461 n2s(data, idsize);
1462 dsize -= 2 + idsize;
1463 size -= 2 + idsize;
1464 if (dsize < 0) {
1465 *al = SSL_AD_DECODE_ERROR;
1466 return 0;
1467 }
1468 sdata = data;
1469 data += idsize;
1470 id = d2i_OCSP_RESPID(NULL,
1471 &sdata, idsize);
1472 if (!id) {
1473 *al = SSL_AD_DECODE_ERROR;
1474 return 0;
1475 }
1476 if (data != sdata) {
1477 OCSP_RESPID_free(id);
1478 *al = SSL_AD_DECODE_ERROR;
1479 return 0;
1480 }
1481 if (!s->tlsext_ocsp_ids &&
1482 !(s->tlsext_ocsp_ids =
1483 sk_OCSP_RESPID_new_null())) {
1484 OCSP_RESPID_free(id);
1485 *al = SSL_AD_INTERNAL_ERROR;
1486 return 0;
1487 }
1488 if (!sk_OCSP_RESPID_push(
1489 s->tlsext_ocsp_ids, id)) {
1490 OCSP_RESPID_free(id);
1491 *al = SSL_AD_INTERNAL_ERROR;
1492 return 0;
1493 }
1494 }
1495
1496 /* Read in request_extensions */
1497 if (size < 2) {
1498 *al = SSL_AD_DECODE_ERROR;
1499 return 0;
1500 }
1501 n2s(data, dsize);
1502 size -= 2;
1503 if (dsize != size) {
1504 *al = SSL_AD_DECODE_ERROR;
1505 return 0;
1506 }
1507 sdata = data;
1508 if (dsize > 0) {
1509 if (s->tlsext_ocsp_exts) {
1510 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1511 X509_EXTENSION_free);
1512 }
1513
1514 s->tlsext_ocsp_exts =
1515 d2i_X509_EXTENSIONS(NULL,
1516 &sdata, dsize);
1517 if (!s->tlsext_ocsp_exts ||
1518 (data + dsize != sdata)) {
1519 *al = SSL_AD_DECODE_ERROR;
1520 return 0;
1521 }
1522 }
1523 } else {
1524 /* We don't know what to do with any other type
1525 * so ignore it.
1526 */
1527 s->tlsext_status_type = -1;
1528 }
1529 }
1530 else if (type == TLSEXT_TYPE_next_proto_neg &&
1531 s->s3->tmp.finish_md_len == 0 &&
1532 s->s3->alpn_selected == NULL) {
1533 /* We shouldn't accept this extension on a
1534 * renegotiation.
1535 *
1536 * s->new_session will be set on renegotiation, but we
1537 * probably shouldn't rely that it couldn't be set on
1538 * the initial renegotation too in certain cases (when
1539 * there's some other reason to disallow resuming an
1540 * earlier session -- the current code won't be doing
1541 * anything like that, but this might change).
1542
1543 * A valid sign that there's been a previous handshake
1544 * in this connection is if s->s3->tmp.finish_md_len >
1545 * 0. (We are talking about a check that will happen
1546 * in the Hello protocol round, well before a new
1547 * Finished message could have been computed.) */
1548 s->s3->next_proto_neg_seen = 1;
1549 }
1550 else if (type ==
1551 TLSEXT_TYPE_application_layer_protocol_negotiation &&
1552 s->ctx->alpn_select_cb != NULL &&
1553 s->s3->tmp.finish_md_len == 0) {
1554 if (tls1_alpn_handle_client_hello(s, data,
1555 size, al) != 1)
1556 return (0);
1557 /* ALPN takes precedence over NPN. */
1558 s->s3->next_proto_neg_seen = 0;
1559 }
1560
1561 /* session ticket processed earlier */
1562#ifndef OPENSSL_NO_SRTP
1563 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1564 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
1565 return 0;
1566 }
1567#endif
1568
1569 data += size;
1570 }
1571
1572 *p = data;
1573
1574ri_check:
1575
1576 /* Need RI if renegotiating */
1577
1578 if (!renegotiate_seen && s->renegotiate) {
1579 *al = SSL_AD_HANDSHAKE_FAILURE;
1580 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1581 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1582 return 0;
1583 }
1584
1585 return 1;
1586}
1587
1588/*
1589 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1590 * elements of zero length are allowed and the set of elements must exactly fill
1591 * the length of the block.
1592 */
1593static char
1594ssl_next_proto_validate(const unsigned char *d, unsigned int len)
1595{
1596 CBS npn, value;
1597
1598 CBS_init(&npn, d, len);
1599 while (CBS_len(&npn) > 0) {
1600 if (!CBS_get_u8_length_prefixed(&npn, &value) ||
1601 CBS_len(&value) == 0)
1602 return 0;
1603 }
1604 return 1;
1605}
1606
1607int
1608ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1609 int n, int *al)
1610{
1611 unsigned short length;
1612 unsigned short type;
1613 unsigned short size;
1614 unsigned char *data = *p;
1615 int tlsext_servername = 0;
1616 int renegotiate_seen = 0;
1617
1618 s->s3->next_proto_neg_seen = 0;
1619 free(s->s3->alpn_selected);
1620 s->s3->alpn_selected = NULL;
1621
1622 if (data >= (d + n - 2))
1623 goto ri_check;
1624
1625 n2s(data, length);
1626 if (data + length != d + n) {
1627 *al = SSL_AD_DECODE_ERROR;
1628 return 0;
1629 }
1630
1631 while (data <= (d + n - 4)) {
1632 n2s(data, type);
1633 n2s(data, size);
1634
1635 if (data + size > (d + n))
1636 goto ri_check;
1637
1638 if (s->tlsext_debug_cb)
1639 s->tlsext_debug_cb(s, 1, type, data, size,
1640 s->tlsext_debug_arg);
1641
1642 if (type == TLSEXT_TYPE_server_name) {
1643 if (s->tlsext_hostname == NULL || size > 0) {
1644 *al = TLS1_AD_UNRECOGNIZED_NAME;
1645 return 0;
1646 }
1647 tlsext_servername = 1;
1648
1649 }
1650 else if (type == TLSEXT_TYPE_ec_point_formats &&
1651 s->version != DTLS1_VERSION) {
1652 unsigned char *sdata = data;
1653 size_t formatslen;
1654 uint8_t *formats;
1655
1656 if (size < 1) {
1657 *al = TLS1_AD_DECODE_ERROR;
1658 return 0;
1659 }
1660 formatslen = *(sdata++);
1661 if (formatslen != size - 1) {
1662 *al = TLS1_AD_DECODE_ERROR;
1663 return 0;
1664 }
1665
1666 if (!s->hit) {
1667 free(s->session->tlsext_ecpointformatlist);
1668 s->session->tlsext_ecpointformatlist = NULL;
1669 s->session->tlsext_ecpointformatlist_length = 0;
1670
1671 if ((formats = reallocarray(NULL, formatslen,
1672 sizeof(uint8_t))) == NULL) {
1673 *al = TLS1_AD_INTERNAL_ERROR;
1674 return 0;
1675 }
1676 memcpy(formats, sdata, formatslen);
1677 s->session->tlsext_ecpointformatlist = formats;
1678 s->session->tlsext_ecpointformatlist_length =
1679 formatslen;
1680 }
1681 }
1682 else if (type == TLSEXT_TYPE_session_ticket) {
1683 if (s->tls_session_ticket_ext_cb &&
1684 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1685 *al = TLS1_AD_INTERNAL_ERROR;
1686 return 0;
1687 }
1688 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) {
1689 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1690 return 0;
1691 }
1692 s->tlsext_ticket_expected = 1;
1693 }
1694 else if (type == TLSEXT_TYPE_status_request &&
1695 s->version != DTLS1_VERSION) {
1696 /* MUST be empty and only sent if we've requested
1697 * a status request message.
1698 */
1699 if ((s->tlsext_status_type == -1) || (size > 0)) {
1700 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1701 return 0;
1702 }
1703 /* Set flag to expect CertificateStatus message */
1704 s->tlsext_status_expected = 1;
1705 }
1706 else if (type == TLSEXT_TYPE_next_proto_neg &&
1707 s->s3->tmp.finish_md_len == 0) {
1708 unsigned char *selected;
1709 unsigned char selected_len;
1710
1711 /* We must have requested it. */
1712 if (s->ctx->next_proto_select_cb == NULL) {
1713 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1714 return 0;
1715 }
1716 /* The data must be valid */
1717 if (!ssl_next_proto_validate(data, size)) {
1718 *al = TLS1_AD_DECODE_ERROR;
1719 return 0;
1720 }
1721 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
1722 *al = TLS1_AD_INTERNAL_ERROR;
1723 return 0;
1724 }
1725 s->next_proto_negotiated = malloc(selected_len);
1726 if (!s->next_proto_negotiated) {
1727 *al = TLS1_AD_INTERNAL_ERROR;
1728 return 0;
1729 }
1730 memcpy(s->next_proto_negotiated, selected, selected_len);
1731 s->next_proto_negotiated_len = selected_len;
1732 s->s3->next_proto_neg_seen = 1;
1733 }
1734 else if (type ==
1735 TLSEXT_TYPE_application_layer_protocol_negotiation) {
1736 unsigned int len;
1737
1738 /* We must have requested it. */
1739 if (s->alpn_client_proto_list == NULL) {
1740 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1741 return 0;
1742 }
1743 if (size < 4) {
1744 *al = TLS1_AD_DECODE_ERROR;
1745 return (0);
1746 }
1747
1748 /* The extension data consists of:
1749 * uint16 list_length
1750 * uint8 proto_length;
1751 * uint8 proto[proto_length]; */
1752 len = ((unsigned int)data[0]) << 8 |
1753 ((unsigned int)data[1]);
1754 if (len != (unsigned int)size - 2) {
1755 *al = TLS1_AD_DECODE_ERROR;
1756 return (0);
1757 }
1758 len = data[2];
1759 if (len != (unsigned int)size - 3) {
1760 *al = TLS1_AD_DECODE_ERROR;
1761 return (0);
1762 }
1763 free(s->s3->alpn_selected);
1764 s->s3->alpn_selected = malloc(len);
1765 if (s->s3->alpn_selected == NULL) {
1766 *al = TLS1_AD_INTERNAL_ERROR;
1767 return (0);
1768 }
1769 memcpy(s->s3->alpn_selected, data + 3, len);
1770 s->s3->alpn_selected_len = len;
1771
1772 } else if (type == TLSEXT_TYPE_renegotiate) {
1773 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1774 return 0;
1775 renegotiate_seen = 1;
1776 }
1777#ifndef OPENSSL_NO_SRTP
1778 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1779 if (ssl_parse_serverhello_use_srtp_ext(s, data,
1780 size, al))
1781 return 0;
1782 }
1783#endif
1784
1785 data += size;
1786
1787 }
1788
1789 if (data != d + n) {
1790 *al = SSL_AD_DECODE_ERROR;
1791 return 0;
1792 }
1793
1794 if (!s->hit && tlsext_servername == 1) {
1795 if (s->tlsext_hostname) {
1796 if (s->session->tlsext_hostname == NULL) {
1797 s->session->tlsext_hostname =
1798 strdup(s->tlsext_hostname);
1799
1800 if (!s->session->tlsext_hostname) {
1801 *al = SSL_AD_UNRECOGNIZED_NAME;
1802 return 0;
1803 }
1804 } else {
1805 *al = SSL_AD_DECODE_ERROR;
1806 return 0;
1807 }
1808 }
1809 }
1810
1811 *p = data;
1812
1813ri_check:
1814
1815 /* Determine if we need to see RI. Strictly speaking if we want to
1816 * avoid an attack we should *always* see RI even on initial server
1817 * hello because the client doesn't see any renegotiation during an
1818 * attack. However this would mean we could not connect to any server
1819 * which doesn't support RI so for the immediate future tolerate RI
1820 * absence on initial connect only.
1821 */
1822 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1823 *al = SSL_AD_HANDSHAKE_FAILURE;
1824 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1825 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1826 return 0;
1827 }
1828
1829 return 1;
1830}
1831
1832int
1833ssl_prepare_clienthello_tlsext(SSL *s)
1834{
1835 return 1;
1836}
1837
1838int
1839ssl_prepare_serverhello_tlsext(SSL *s)
1840{
1841 return 1;
1842}
1843
1844int
1845ssl_check_clienthello_tlsext_early(SSL *s)
1846{
1847 int ret = SSL_TLSEXT_ERR_NOACK;
1848 int al = SSL_AD_UNRECOGNIZED_NAME;
1849
1850 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1851 * ssl3_choose_cipher in s3_lib.c.
1852 */
1853 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1854 * ssl3_choose_cipher in s3_lib.c.
1855 */
1856
1857 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1858 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1859 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1860 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1861
1862 switch (ret) {
1863 case SSL_TLSEXT_ERR_ALERT_FATAL:
1864 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1865 return -1;
1866 case SSL_TLSEXT_ERR_ALERT_WARNING:
1867 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1868 return 1;
1869 case SSL_TLSEXT_ERR_NOACK:
1870 s->servername_done = 0;
1871 default:
1872 return 1;
1873 }
1874}
1875
1876int
1877ssl_check_clienthello_tlsext_late(SSL *s)
1878{
1879 int ret = SSL_TLSEXT_ERR_OK;
1880 int al = 0; /* XXX gcc3 */
1881
1882 /* If status request then ask callback what to do.
1883 * Note: this must be called after servername callbacks in case
1884 * the certificate has changed, and must be called after the cipher
1885 * has been chosen because this may influence which certificate is sent
1886 */
1887 if ((s->tlsext_status_type != -1) &&
1888 s->ctx && s->ctx->tlsext_status_cb) {
1889 int r;
1890 CERT_PKEY *certpkey;
1891 certpkey = ssl_get_server_send_pkey(s);
1892 /* If no certificate can't return certificate status */
1893 if (certpkey == NULL) {
1894 s->tlsext_status_expected = 0;
1895 return 1;
1896 }
1897 /* Set current certificate to one we will use so
1898 * SSL_get_certificate et al can pick it up.
1899 */
1900 s->cert->key = certpkey;
1901 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1902 switch (r) {
1903 /* We don't want to send a status request response */
1904 case SSL_TLSEXT_ERR_NOACK:
1905 s->tlsext_status_expected = 0;
1906 break;
1907 /* status request response should be sent */
1908 case SSL_TLSEXT_ERR_OK:
1909 if (s->tlsext_ocsp_resp)
1910 s->tlsext_status_expected = 1;
1911 else
1912 s->tlsext_status_expected = 0;
1913 break;
1914 /* something bad happened */
1915 case SSL_TLSEXT_ERR_ALERT_FATAL:
1916 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1917 al = SSL_AD_INTERNAL_ERROR;
1918 goto err;
1919 }
1920 } else
1921 s->tlsext_status_expected = 0;
1922
1923err:
1924 switch (ret) {
1925 case SSL_TLSEXT_ERR_ALERT_FATAL:
1926 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1927 return -1;
1928 case SSL_TLSEXT_ERR_ALERT_WARNING:
1929 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1930 return 1;
1931 default:
1932 return 1;
1933 }
1934}
1935
1936int
1937ssl_check_serverhello_tlsext(SSL *s)
1938{
1939 int ret = SSL_TLSEXT_ERR_NOACK;
1940 int al = SSL_AD_UNRECOGNIZED_NAME;
1941
1942 /* If we are client and using an elliptic curve cryptography cipher
1943 * suite, then if server returns an EC point formats lists extension
1944 * it must contain uncompressed.
1945 */
1946 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1947 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1948 if ((s->tlsext_ecpointformatlist != NULL) &&
1949 (s->tlsext_ecpointformatlist_length > 0) &&
1950 (s->session->tlsext_ecpointformatlist != NULL) &&
1951 (s->session->tlsext_ecpointformatlist_length > 0) &&
1952 ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
1953 /* we are using an ECC cipher */
1954 size_t i;
1955 unsigned char *list;
1956 int found_uncompressed = 0;
1957 list = s->session->tlsext_ecpointformatlist;
1958 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
1959 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
1960 found_uncompressed = 1;
1961 break;
1962 }
1963 }
1964 if (!found_uncompressed) {
1965 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1966 return -1;
1967 }
1968 }
1969 ret = SSL_TLSEXT_ERR_OK;
1970
1971 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1972 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1973 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1974 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1975
1976 /* If we've requested certificate status and we wont get one
1977 * tell the callback
1978 */
1979 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) &&
1980 s->ctx && s->ctx->tlsext_status_cb) {
1981 int r;
1982 /* Set resp to NULL, resplen to -1 so callback knows
1983 * there is no response.
1984 */
1985 free(s->tlsext_ocsp_resp);
1986 s->tlsext_ocsp_resp = NULL;
1987 s->tlsext_ocsp_resplen = -1;
1988 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1989 if (r == 0) {
1990 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1991 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1992 }
1993 if (r < 0) {
1994 al = SSL_AD_INTERNAL_ERROR;
1995 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1996 }
1997 }
1998
1999 switch (ret) {
2000 case SSL_TLSEXT_ERR_ALERT_FATAL:
2001 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2002
2003 return -1;
2004 case SSL_TLSEXT_ERR_ALERT_WARNING:
2005 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2006
2007 return 1;
2008 case SSL_TLSEXT_ERR_NOACK:
2009 s->servername_done = 0;
2010 default:
2011 return 1;
2012 }
2013}
2014
2015/* Since the server cache lookup is done early on in the processing of the
2016 * ClientHello, and other operations depend on the result, we need to handle
2017 * any TLS session ticket extension at the same time.
2018 *
2019 * session_id: points at the session ID in the ClientHello. This code will
2020 * read past the end of this in order to parse out the session ticket
2021 * extension, if any.
2022 * len: the length of the session ID.
2023 * limit: a pointer to the first byte after the ClientHello.
2024 * ret: (output) on return, if a ticket was decrypted, then this is set to
2025 * point to the resulting session.
2026 *
2027 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2028 * ciphersuite, in which case we have no use for session tickets and one will
2029 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2030 *
2031 * Returns:
2032 * -1: fatal error, either from parsing or decrypting the ticket.
2033 * 0: no ticket was found (or was ignored, based on settings).
2034 * 1: a zero length extension was found, indicating that the client supports
2035 * session tickets but doesn't currently have one to offer.
2036 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2037 * couldn't be decrypted because of a non-fatal error.
2038 * 3: a ticket was successfully decrypted and *ret was set.
2039 *
2040 * Side effects:
2041 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2042 * a new session ticket to the client because the client indicated support
2043 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2044 * a session ticket or we couldn't use the one it gave us, or if
2045 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2046 * Otherwise, s->tlsext_ticket_expected is set to 0.
2047 */
2048int
2049tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
2050 const unsigned char *limit, SSL_SESSION **ret)
2051{
2052 /* Point after session ID in client hello */
2053 CBS session_id, cookie, cipher_list, compress_algo, extensions;
2054
2055 *ret = NULL;
2056 s->tlsext_ticket_expected = 0;
2057
2058 /* If tickets disabled behave as if no ticket present
2059 * to permit stateful resumption.
2060 */
2061 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2062 return 0;
2063 if (s->version <= SSL3_VERSION || !limit)
2064 return 0;
2065
2066 if (limit < session)
2067 return -1;
2068
2069 CBS_init(&session_id, session, limit - session);
2070
2071 /* Skip past the session id */
2072 if (!CBS_skip(&session_id, session_len))
2073 return -1;
2074
2075 /* Skip past DTLS cookie */
2076 if (SSL_IS_DTLS(s)) {
2077 if (!CBS_get_u8_length_prefixed(&session_id, &cookie))
2078 return -1;
2079 }
2080
2081 /* Skip past cipher list */
2082 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list))
2083 return -1;
2084
2085 /* Skip past compression algorithm list */
2086 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo))
2087 return -1;
2088
2089 /* Now at start of extensions */
2090 if (!CBS_get_u16_length_prefixed(&session_id, &extensions))
2091 return -1;
2092
2093 while (CBS_len(&extensions) > 0) {
2094 CBS ext_data;
2095 uint16_t ext_type;
2096
2097 if (!CBS_get_u16(&extensions, &ext_type) ||
2098 !CBS_get_u16_length_prefixed(&extensions, &ext_data))
2099 return -1;
2100
2101 if (ext_type == TLSEXT_TYPE_session_ticket) {
2102 int r;
2103 if (CBS_len(&ext_data) == 0) {
2104 /* The client will accept a ticket but doesn't
2105 * currently have one. */
2106 s->tlsext_ticket_expected = 1;
2107 return 1;
2108 }
2109 if (s->tls_session_secret_cb) {
2110 /* Indicate that the ticket couldn't be
2111 * decrypted rather than generating the session
2112 * from ticket now, trigger abbreviated
2113 * handshake based on external mechanism to
2114 * calculate the master secret later. */
2115 return 2;
2116 }
2117
2118 r = tls_decrypt_ticket(s, CBS_data(&ext_data),
2119 CBS_len(&ext_data), session, session_len, ret);
2120
2121 switch (r) {
2122 case 2: /* ticket couldn't be decrypted */
2123 s->tlsext_ticket_expected = 1;
2124 return 2;
2125 case 3: /* ticket was decrypted */
2126 return r;
2127 case 4: /* ticket decrypted but need to renew */
2128 s->tlsext_ticket_expected = 1;
2129 return 3;
2130 default: /* fatal error */
2131 return -1;
2132 }
2133 }
2134 }
2135 return 0;
2136}
2137
2138/* tls_decrypt_ticket attempts to decrypt a session ticket.
2139 *
2140 * etick: points to the body of the session ticket extension.
2141 * eticklen: the length of the session tickets extenion.
2142 * sess_id: points at the session ID.
2143 * sesslen: the length of the session ID.
2144 * psess: (output) on return, if a ticket was decrypted, then this is set to
2145 * point to the resulting session.
2146 *
2147 * Returns:
2148 * -1: fatal error, either from parsing or decrypting the ticket.
2149 * 2: the ticket couldn't be decrypted.
2150 * 3: a ticket was successfully decrypted and *psess was set.
2151 * 4: same as 3, but the ticket needs to be renewed.
2152 */
2153static int
2154tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2155 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess)
2156{
2157 SSL_SESSION *sess;
2158 unsigned char *sdec;
2159 const unsigned char *p;
2160 int slen, mlen, renew_ticket = 0;
2161 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2162 HMAC_CTX hctx;
2163 EVP_CIPHER_CTX ctx;
2164 SSL_CTX *tctx = s->initial_ctx;
2165 /* Need at least keyname + iv + some encrypted data */
2166 if (eticklen < 48)
2167 return 2;
2168 /* Initialize session ticket encryption and HMAC contexts */
2169 HMAC_CTX_init(&hctx);
2170 EVP_CIPHER_CTX_init(&ctx);
2171 if (tctx->tlsext_ticket_key_cb) {
2172 unsigned char *nctick = (unsigned char *)etick;
2173 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2174 &ctx, &hctx, 0);
2175 if (rv < 0) {
2176 EVP_CIPHER_CTX_cleanup(&ctx);
2177 return -1;
2178 }
2179 if (rv == 0) {
2180 EVP_CIPHER_CTX_cleanup(&ctx);
2181 return 2;
2182 }
2183 if (rv == 2)
2184 renew_ticket = 1;
2185 } else {
2186 /* Check key name matches */
2187 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16))
2188 return 2;
2189 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2190 tlsext_tick_md(), NULL);
2191 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2192 tctx->tlsext_tick_aes_key, etick + 16);
2193 }
2194 /* Attempt to process session ticket, first conduct sanity and
2195 * integrity checks on ticket.
2196 */
2197 mlen = HMAC_size(&hctx);
2198 if (mlen < 0) {
2199 EVP_CIPHER_CTX_cleanup(&ctx);
2200 return -1;
2201 }
2202 eticklen -= mlen;
2203 /* Check HMAC of encrypted ticket */
2204 HMAC_Update(&hctx, etick, eticklen);
2205 HMAC_Final(&hctx, tick_hmac, NULL);
2206 HMAC_CTX_cleanup(&hctx);
2207 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) {
2208 EVP_CIPHER_CTX_cleanup(&ctx);
2209 return 2;
2210 }
2211 /* Attempt to decrypt session data */
2212 /* Move p after IV to start of encrypted ticket, update length */
2213 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2214 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2215 sdec = malloc(eticklen);
2216 if (!sdec) {
2217 EVP_CIPHER_CTX_cleanup(&ctx);
2218 return -1;
2219 }
2220 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2221 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
2222 free(sdec);
2223 EVP_CIPHER_CTX_cleanup(&ctx);
2224 return 2;
2225 }
2226 slen += mlen;
2227 EVP_CIPHER_CTX_cleanup(&ctx);
2228 p = sdec;
2229
2230 sess = d2i_SSL_SESSION(NULL, &p, slen);
2231 free(sdec);
2232 if (sess) {
2233 /* The session ID, if non-empty, is used by some clients to
2234 * detect that the ticket has been accepted. So we copy it to
2235 * the session structure. If it is empty set length to zero
2236 * as required by standard.
2237 */
2238 if (sesslen)
2239 memcpy(sess->session_id, sess_id, sesslen);
2240 sess->session_id_length = sesslen;
2241 *psess = sess;
2242 if (renew_ticket)
2243 return 4;
2244 else
2245 return 3;
2246 }
2247 ERR_clear_error();
2248 /* For session parse failure, indicate that we need to send a new
2249 * ticket. */
2250 return 2;
2251}
2252
2253/* Tables to translate from NIDs to TLS v1.2 ids */
2254
2255typedef struct {
2256 int nid;
2257 int id;
2258} tls12_lookup;
2259
2260static tls12_lookup tls12_md[] = {
2261 {NID_md5, TLSEXT_hash_md5},
2262 {NID_sha1, TLSEXT_hash_sha1},
2263 {NID_sha224, TLSEXT_hash_sha224},
2264 {NID_sha256, TLSEXT_hash_sha256},
2265 {NID_sha384, TLSEXT_hash_sha384},
2266 {NID_sha512, TLSEXT_hash_sha512},
2267 {NID_id_GostR3411_94, TLSEXT_hash_gost94},
2268 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256},
2269 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512}
2270};
2271
2272static tls12_lookup tls12_sig[] = {
2273 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2274 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2275 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
2276 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01},
2277};
2278
2279static int
2280tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2281{
2282 size_t i;
2283 for (i = 0; i < tlen; i++) {
2284 if (table[i].nid == nid)
2285 return table[i].id;
2286 }
2287 return -1;
2288}
2289
2290int
2291tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2292{
2293 int sig_id, md_id;
2294 if (!md)
2295 return 0;
2296 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2297 sizeof(tls12_md) / sizeof(tls12_lookup));
2298 if (md_id == -1)
2299 return 0;
2300 sig_id = tls12_get_sigid(pk);
2301 if (sig_id == -1)
2302 return 0;
2303 p[0] = (unsigned char)md_id;
2304 p[1] = (unsigned char)sig_id;
2305 return 1;
2306}
2307
2308int
2309tls12_get_sigid(const EVP_PKEY *pk)
2310{
2311 return tls12_find_id(pk->type, tls12_sig,
2312 sizeof(tls12_sig) / sizeof(tls12_lookup));
2313}
2314
2315const EVP_MD *
2316tls12_get_hash(unsigned char hash_alg)
2317{
2318 switch (hash_alg) {
2319 case TLSEXT_hash_sha1:
2320 return EVP_sha1();
2321 case TLSEXT_hash_sha224:
2322 return EVP_sha224();
2323 case TLSEXT_hash_sha256:
2324 return EVP_sha256();
2325 case TLSEXT_hash_sha384:
2326 return EVP_sha384();
2327 case TLSEXT_hash_sha512:
2328 return EVP_sha512();
2329#ifndef OPENSSL_NO_GOST
2330 case TLSEXT_hash_gost94:
2331 return EVP_gostr341194();
2332 case TLSEXT_hash_streebog_256:
2333 return EVP_streebog256();
2334 case TLSEXT_hash_streebog_512:
2335 return EVP_streebog512();
2336#endif
2337 default:
2338 return NULL;
2339 }
2340}
2341
2342/* Set preferred digest for each key type */
2343
2344int
2345tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2346{
2347 int idx;
2348 const EVP_MD *md;
2349 CERT *c = s->cert;
2350 CBS cbs;
2351
2352 /* Extension ignored for inappropriate versions */
2353 if (!SSL_USE_SIGALGS(s))
2354 return 1;
2355
2356 /* Should never happen */
2357 if (!c || dsize < 0)
2358 return 0;
2359
2360 CBS_init(&cbs, data, dsize);
2361
2362 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2363 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2364 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2365 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2366 c->pkeys[SSL_PKEY_GOST01].digest = NULL;
2367
2368 while (CBS_len(&cbs) > 0) {
2369 uint8_t hash_alg, sig_alg;
2370
2371 if (!CBS_get_u8(&cbs, &hash_alg) ||
2372 !CBS_get_u8(&cbs, &sig_alg)) {
2373 /* Should never happen */
2374 return 0;
2375 }
2376
2377 switch (sig_alg) {
2378 case TLSEXT_signature_rsa:
2379 idx = SSL_PKEY_RSA_SIGN;
2380 break;
2381 case TLSEXT_signature_dsa:
2382 idx = SSL_PKEY_DSA_SIGN;
2383 break;
2384 case TLSEXT_signature_ecdsa:
2385 idx = SSL_PKEY_ECC;
2386 break;
2387 case TLSEXT_signature_gostr01:
2388 case TLSEXT_signature_gostr12_256:
2389 case TLSEXT_signature_gostr12_512:
2390 idx = SSL_PKEY_GOST01;
2391 break;
2392 default:
2393 continue;
2394 }
2395
2396 if (c->pkeys[idx].digest == NULL) {
2397 md = tls12_get_hash(hash_alg);
2398 if (md) {
2399 c->pkeys[idx].digest = md;
2400 if (idx == SSL_PKEY_RSA_SIGN)
2401 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2402 }
2403 }
2404
2405 }
2406
2407 /* Set any remaining keys to default values. NOTE: if alg is not
2408 * supported it stays as NULL.
2409 */
2410 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2411 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2412 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2413 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2414 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2415 }
2416 if (!c->pkeys[SSL_PKEY_ECC].digest)
2417 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2418#ifndef OPENSSL_NO_GOST
2419 if (!c->pkeys[SSL_PKEY_GOST01].digest)
2420 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
2421#endif
2422 return 1;
2423}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 17:24:52 +0000