1 | /*
|
---|
2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
3 | *
|
---|
4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
5 | * this file except in compliance with the License. You can obtain a copy
|
---|
6 | * in the file LICENSE in the source distribution or at
|
---|
7 | * https://www.openssl.org/source/license.html
|
---|
8 | */
|
---|
9 |
|
---|
10 | #include <stdio.h>
|
---|
11 | #include <stdlib.h>
|
---|
12 | #include <openssl/objects.h>
|
---|
13 | #include <openssl/evp.h>
|
---|
14 | #include <openssl/hmac.h>
|
---|
15 | #include <openssl/ocsp.h>
|
---|
16 | #include <openssl/conf.h>
|
---|
17 | #include <openssl/x509v3.h>
|
---|
18 | #include <openssl/dh.h>
|
---|
19 | #include <openssl/bn.h>
|
---|
20 | #include "ssl_locl.h"
|
---|
21 | #include <openssl/ct.h>
|
---|
22 |
|
---|
23 |
|
---|
24 | #define CHECKLEN(curr, val, limit) \
|
---|
25 | (((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val))
|
---|
26 |
|
---|
27 | static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
|
---|
28 | const unsigned char *sess_id, int sesslen,
|
---|
29 | SSL_SESSION **psess);
|
---|
30 | static int ssl_check_clienthello_tlsext_early(SSL *s);
|
---|
31 | static int ssl_check_serverhello_tlsext(SSL *s);
|
---|
32 |
|
---|
33 | SSL3_ENC_METHOD const TLSv1_enc_data = {
|
---|
34 | tls1_enc,
|
---|
35 | tls1_mac,
|
---|
36 | tls1_setup_key_block,
|
---|
37 | tls1_generate_master_secret,
|
---|
38 | tls1_change_cipher_state,
|
---|
39 | tls1_final_finish_mac,
|
---|
40 | TLS1_FINISH_MAC_LENGTH,
|
---|
41 | TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
|
---|
42 | TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
|
---|
43 | tls1_alert_code,
|
---|
44 | tls1_export_keying_material,
|
---|
45 | 0,
|
---|
46 | SSL3_HM_HEADER_LENGTH,
|
---|
47 | ssl3_set_handshake_header,
|
---|
48 | ssl3_handshake_write
|
---|
49 | };
|
---|
50 |
|
---|
51 | SSL3_ENC_METHOD const TLSv1_1_enc_data = {
|
---|
52 | tls1_enc,
|
---|
53 | tls1_mac,
|
---|
54 | tls1_setup_key_block,
|
---|
55 | tls1_generate_master_secret,
|
---|
56 | tls1_change_cipher_state,
|
---|
57 | tls1_final_finish_mac,
|
---|
58 | TLS1_FINISH_MAC_LENGTH,
|
---|
59 | TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
|
---|
60 | TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
|
---|
61 | tls1_alert_code,
|
---|
62 | tls1_export_keying_material,
|
---|
63 | SSL_ENC_FLAG_EXPLICIT_IV,
|
---|
64 | SSL3_HM_HEADER_LENGTH,
|
---|
65 | ssl3_set_handshake_header,
|
---|
66 | ssl3_handshake_write
|
---|
67 | };
|
---|
68 |
|
---|
69 | SSL3_ENC_METHOD const TLSv1_2_enc_data = {
|
---|
70 | tls1_enc,
|
---|
71 | tls1_mac,
|
---|
72 | tls1_setup_key_block,
|
---|
73 | tls1_generate_master_secret,
|
---|
74 | tls1_change_cipher_state,
|
---|
75 | tls1_final_finish_mac,
|
---|
76 | TLS1_FINISH_MAC_LENGTH,
|
---|
77 | TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
|
---|
78 | TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
|
---|
79 | tls1_alert_code,
|
---|
80 | tls1_export_keying_material,
|
---|
81 | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
|
---|
82 | | SSL_ENC_FLAG_TLS1_2_CIPHERS,
|
---|
83 | SSL3_HM_HEADER_LENGTH,
|
---|
84 | ssl3_set_handshake_header,
|
---|
85 | ssl3_handshake_write
|
---|
86 | };
|
---|
87 |
|
---|
88 | long tls1_default_timeout(void)
|
---|
89 | {
|
---|
90 | /*
|
---|
91 | * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
|
---|
92 | * http, the cache would over fill
|
---|
93 | */
|
---|
94 | return (60 * 60 * 2);
|
---|
95 | }
|
---|
96 |
|
---|
97 | int tls1_new(SSL *s)
|
---|
98 | {
|
---|
99 | if (!ssl3_new(s))
|
---|
100 | return (0);
|
---|
101 | s->method->ssl_clear(s);
|
---|
102 | return (1);
|
---|
103 | }
|
---|
104 |
|
---|
105 | void tls1_free(SSL *s)
|
---|
106 | {
|
---|
107 | OPENSSL_free(s->tlsext_session_ticket);
|
---|
108 | ssl3_free(s);
|
---|
109 | }
|
---|
110 |
|
---|
111 | void tls1_clear(SSL *s)
|
---|
112 | {
|
---|
113 | ssl3_clear(s);
|
---|
114 | if (s->method->version == TLS_ANY_VERSION)
|
---|
115 | s->version = TLS_MAX_VERSION;
|
---|
116 | else
|
---|
117 | s->version = s->method->version;
|
---|
118 | }
|
---|
119 |
|
---|
120 | #ifndef OPENSSL_NO_EC
|
---|
121 |
|
---|
122 | typedef struct {
|
---|
123 | int nid; /* Curve NID */
|
---|
124 | int secbits; /* Bits of security (from SP800-57) */
|
---|
125 | unsigned int flags; /* Flags: currently just field type */
|
---|
126 | } tls_curve_info;
|
---|
127 |
|
---|
128 | /*
|
---|
129 | * Table of curve information.
|
---|
130 | * Do not delete entries or reorder this array! It is used as a lookup
|
---|
131 | * table: the index of each entry is one less than the TLS curve id.
|
---|
132 | */
|
---|
133 | static const tls_curve_info nid_list[] = {
|
---|
134 | {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
|
---|
135 | {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
|
---|
136 | {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
|
---|
137 | {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
|
---|
138 | {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
|
---|
139 | {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
|
---|
140 | {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
|
---|
141 | {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
|
---|
142 | {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
|
---|
143 | {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
|
---|
144 | {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
|
---|
145 | {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
|
---|
146 | {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
|
---|
147 | {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
|
---|
148 | {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
|
---|
149 | {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
|
---|
150 | {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
|
---|
151 | {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
|
---|
152 | {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
|
---|
153 | {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
|
---|
154 | {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
|
---|
155 | {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
|
---|
156 | {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
|
---|
157 | {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
|
---|
158 | {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
|
---|
159 | {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
|
---|
160 | {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
|
---|
161 | {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
|
---|
162 | {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
|
---|
163 | };
|
---|
164 |
|
---|
165 | static const unsigned char ecformats_default[] = {
|
---|
166 | TLSEXT_ECPOINTFORMAT_uncompressed,
|
---|
167 | TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
|
---|
168 | TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
|
---|
169 | };
|
---|
170 |
|
---|
171 | /* The default curves */
|
---|
172 | static const unsigned char eccurves_default[] = {
|
---|
173 | 0, 29, /* X25519 (29) */
|
---|
174 | 0, 23, /* secp256r1 (23) */
|
---|
175 | 0, 25, /* secp521r1 (25) */
|
---|
176 | 0, 24, /* secp384r1 (24) */
|
---|
177 | };
|
---|
178 |
|
---|
179 | static const unsigned char suiteb_curves[] = {
|
---|
180 | 0, TLSEXT_curve_P_256,
|
---|
181 | 0, TLSEXT_curve_P_384
|
---|
182 | };
|
---|
183 |
|
---|
184 | int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags)
|
---|
185 | {
|
---|
186 | const tls_curve_info *cinfo;
|
---|
187 | /* ECC curves from RFC 4492 and RFC 7027 */
|
---|
188 | if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
|
---|
189 | return 0;
|
---|
190 | cinfo = nid_list + curve_id - 1;
|
---|
191 | if (pflags)
|
---|
192 | *pflags = cinfo->flags;
|
---|
193 | return cinfo->nid;
|
---|
194 | }
|
---|
195 |
|
---|
196 | int tls1_ec_nid2curve_id(int nid)
|
---|
197 | {
|
---|
198 | size_t i;
|
---|
199 | for (i = 0; i < OSSL_NELEM(nid_list); i++) {
|
---|
200 | if (nid_list[i].nid == nid)
|
---|
201 | return i + 1;
|
---|
202 | }
|
---|
203 | return 0;
|
---|
204 | }
|
---|
205 |
|
---|
206 | /*
|
---|
207 | * Get curves list, if "sess" is set return client curves otherwise
|
---|
208 | * preferred list.
|
---|
209 | * Sets |num_curves| to the number of curves in the list, i.e.,
|
---|
210 | * the length of |pcurves| is 2 * num_curves.
|
---|
211 | * Returns 1 on success and 0 if the client curves list has invalid format.
|
---|
212 | * The latter indicates an internal error: we should not be accepting such
|
---|
213 | * lists in the first place.
|
---|
214 | * TODO(emilia): we should really be storing the curves list in explicitly
|
---|
215 | * parsed form instead. (However, this would affect binary compatibility
|
---|
216 | * so cannot happen in the 1.0.x series.)
|
---|
217 | */
|
---|
218 | static int tls1_get_curvelist(SSL *s, int sess,
|
---|
219 | const unsigned char **pcurves, size_t *num_curves)
|
---|
220 | {
|
---|
221 | size_t pcurveslen = 0;
|
---|
222 |
|
---|
223 | if (sess) {
|
---|
224 | *pcurves = s->session->tlsext_ellipticcurvelist;
|
---|
225 | pcurveslen = s->session->tlsext_ellipticcurvelist_length;
|
---|
226 | } else {
|
---|
227 | /* For Suite B mode only include P-256, P-384 */
|
---|
228 | switch (tls1_suiteb(s)) {
|
---|
229 | case SSL_CERT_FLAG_SUITEB_128_LOS:
|
---|
230 | *pcurves = suiteb_curves;
|
---|
231 | pcurveslen = sizeof(suiteb_curves);
|
---|
232 | break;
|
---|
233 |
|
---|
234 | case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
|
---|
235 | *pcurves = suiteb_curves;
|
---|
236 | pcurveslen = 2;
|
---|
237 | break;
|
---|
238 |
|
---|
239 | case SSL_CERT_FLAG_SUITEB_192_LOS:
|
---|
240 | *pcurves = suiteb_curves + 2;
|
---|
241 | pcurveslen = 2;
|
---|
242 | break;
|
---|
243 | default:
|
---|
244 | *pcurves = s->tlsext_ellipticcurvelist;
|
---|
245 | pcurveslen = s->tlsext_ellipticcurvelist_length;
|
---|
246 | }
|
---|
247 | if (!*pcurves) {
|
---|
248 | *pcurves = eccurves_default;
|
---|
249 | pcurveslen = sizeof(eccurves_default);
|
---|
250 | }
|
---|
251 | }
|
---|
252 |
|
---|
253 | /* We do not allow odd length arrays to enter the system. */
|
---|
254 | if (pcurveslen & 1) {
|
---|
255 | SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
|
---|
256 | *num_curves = 0;
|
---|
257 | return 0;
|
---|
258 | }
|
---|
259 | *num_curves = pcurveslen / 2;
|
---|
260 | return 1;
|
---|
261 | }
|
---|
262 |
|
---|
263 | /* See if curve is allowed by security callback */
|
---|
264 | static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
|
---|
265 | {
|
---|
266 | const tls_curve_info *cinfo;
|
---|
267 | if (curve[0])
|
---|
268 | return 1;
|
---|
269 | if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
|
---|
270 | return 0;
|
---|
271 | cinfo = &nid_list[curve[1] - 1];
|
---|
272 | # ifdef OPENSSL_NO_EC2M
|
---|
273 | if (cinfo->flags & TLS_CURVE_CHAR2)
|
---|
274 | return 0;
|
---|
275 | # endif
|
---|
276 | return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
|
---|
277 | }
|
---|
278 |
|
---|
279 | /* Check a curve is one of our preferences */
|
---|
280 | int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
|
---|
281 | {
|
---|
282 | const unsigned char *curves;
|
---|
283 | size_t num_curves, i;
|
---|
284 | unsigned int suiteb_flags = tls1_suiteb(s);
|
---|
285 | if (len != 3 || p[0] != NAMED_CURVE_TYPE)
|
---|
286 | return 0;
|
---|
287 | /* Check curve matches Suite B preferences */
|
---|
288 | if (suiteb_flags) {
|
---|
289 | unsigned long cid = s->s3->tmp.new_cipher->id;
|
---|
290 | if (p[1])
|
---|
291 | return 0;
|
---|
292 | if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
|
---|
293 | if (p[2] != TLSEXT_curve_P_256)
|
---|
294 | return 0;
|
---|
295 | } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
|
---|
296 | if (p[2] != TLSEXT_curve_P_384)
|
---|
297 | return 0;
|
---|
298 | } else /* Should never happen */
|
---|
299 | return 0;
|
---|
300 | }
|
---|
301 | if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
|
---|
302 | return 0;
|
---|
303 | for (i = 0; i < num_curves; i++, curves += 2) {
|
---|
304 | if (p[1] == curves[0] && p[2] == curves[1])
|
---|
305 | return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
|
---|
306 | }
|
---|
307 | return 0;
|
---|
308 | }
|
---|
309 |
|
---|
310 | /*-
|
---|
311 | * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
|
---|
312 | * if there is no match.
|
---|
313 | * For nmatch == -1, return number of matches
|
---|
314 | * For nmatch == -2, return the NID of the curve to use for
|
---|
315 | * an EC tmp key, or NID_undef if there is no match.
|
---|
316 | */
|
---|
317 | int tls1_shared_curve(SSL *s, int nmatch)
|
---|
318 | {
|
---|
319 | const unsigned char *pref, *supp;
|
---|
320 | size_t num_pref, num_supp, i, j;
|
---|
321 | int k;
|
---|
322 |
|
---|
323 | /* Can't do anything on client side */
|
---|
324 | if (s->server == 0)
|
---|
325 | return -1;
|
---|
326 | if (nmatch == -2) {
|
---|
327 | if (tls1_suiteb(s)) {
|
---|
328 | /*
|
---|
329 | * For Suite B ciphersuite determines curve: we already know
|
---|
330 | * these are acceptable due to previous checks.
|
---|
331 | */
|
---|
332 | unsigned long cid = s->s3->tmp.new_cipher->id;
|
---|
333 |
|
---|
334 | if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
|
---|
335 | return NID_X9_62_prime256v1; /* P-256 */
|
---|
336 | if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
|
---|
337 | return NID_secp384r1; /* P-384 */
|
---|
338 | /* Should never happen */
|
---|
339 | return NID_undef;
|
---|
340 | }
|
---|
341 | /* If not Suite B just return first preference shared curve */
|
---|
342 | nmatch = 0;
|
---|
343 | }
|
---|
344 | /*
|
---|
345 | * Avoid truncation. tls1_get_curvelist takes an int
|
---|
346 | * but s->options is a long...
|
---|
347 | */
|
---|
348 | if (!tls1_get_curvelist(s,
|
---|
349 | (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0,
|
---|
350 | &supp, &num_supp))
|
---|
351 | /* In practice, NID_undef == 0 but let's be precise. */
|
---|
352 | return nmatch == -1 ? 0 : NID_undef;
|
---|
353 | if (!tls1_get_curvelist(s,
|
---|
354 | (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0,
|
---|
355 | &pref, &num_pref))
|
---|
356 | return nmatch == -1 ? 0 : NID_undef;
|
---|
357 |
|
---|
358 | for (k = 0, i = 0; i < num_pref; i++, pref += 2) {
|
---|
359 | const unsigned char *tsupp = supp;
|
---|
360 |
|
---|
361 | for (j = 0; j < num_supp; j++, tsupp += 2) {
|
---|
362 | if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
|
---|
363 | if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
|
---|
364 | continue;
|
---|
365 | if (nmatch == k) {
|
---|
366 | int id = (pref[0] << 8) | pref[1];
|
---|
367 |
|
---|
368 | return tls1_ec_curve_id2nid(id, NULL);
|
---|
369 | }
|
---|
370 | k++;
|
---|
371 | }
|
---|
372 | }
|
---|
373 | }
|
---|
374 | if (nmatch == -1)
|
---|
375 | return k;
|
---|
376 | /* Out of range (nmatch > k). */
|
---|
377 | return NID_undef;
|
---|
378 | }
|
---|
379 |
|
---|
380 | int tls1_set_curves(unsigned char **pext, size_t *pextlen,
|
---|
381 | int *curves, size_t ncurves)
|
---|
382 | {
|
---|
383 | unsigned char *clist, *p;
|
---|
384 | size_t i;
|
---|
385 | /*
|
---|
386 | * Bitmap of curves included to detect duplicates: only works while curve
|
---|
387 | * ids < 32
|
---|
388 | */
|
---|
389 | unsigned long dup_list = 0;
|
---|
390 | clist = OPENSSL_malloc(ncurves * 2);
|
---|
391 | if (clist == NULL)
|
---|
392 | return 0;
|
---|
393 | for (i = 0, p = clist; i < ncurves; i++) {
|
---|
394 | unsigned long idmask;
|
---|
395 | int id;
|
---|
396 | id = tls1_ec_nid2curve_id(curves[i]);
|
---|
397 | idmask = 1L << id;
|
---|
398 | if (!id || (dup_list & idmask)) {
|
---|
399 | OPENSSL_free(clist);
|
---|
400 | return 0;
|
---|
401 | }
|
---|
402 | dup_list |= idmask;
|
---|
403 | s2n(id, p);
|
---|
404 | }
|
---|
405 | OPENSSL_free(*pext);
|
---|
406 | *pext = clist;
|
---|
407 | *pextlen = ncurves * 2;
|
---|
408 | return 1;
|
---|
409 | }
|
---|
410 |
|
---|
411 | # define MAX_CURVELIST 28
|
---|
412 |
|
---|
413 | typedef struct {
|
---|
414 | size_t nidcnt;
|
---|
415 | int nid_arr[MAX_CURVELIST];
|
---|
416 | } nid_cb_st;
|
---|
417 |
|
---|
418 | static int nid_cb(const char *elem, int len, void *arg)
|
---|
419 | {
|
---|
420 | nid_cb_st *narg = arg;
|
---|
421 | size_t i;
|
---|
422 | int nid;
|
---|
423 | char etmp[20];
|
---|
424 | if (elem == NULL)
|
---|
425 | return 0;
|
---|
426 | if (narg->nidcnt == MAX_CURVELIST)
|
---|
427 | return 0;
|
---|
428 | if (len > (int)(sizeof(etmp) - 1))
|
---|
429 | return 0;
|
---|
430 | memcpy(etmp, elem, len);
|
---|
431 | etmp[len] = 0;
|
---|
432 | nid = EC_curve_nist2nid(etmp);
|
---|
433 | if (nid == NID_undef)
|
---|
434 | nid = OBJ_sn2nid(etmp);
|
---|
435 | if (nid == NID_undef)
|
---|
436 | nid = OBJ_ln2nid(etmp);
|
---|
437 | if (nid == NID_undef)
|
---|
438 | return 0;
|
---|
439 | for (i = 0; i < narg->nidcnt; i++)
|
---|
440 | if (narg->nid_arr[i] == nid)
|
---|
441 | return 0;
|
---|
442 | narg->nid_arr[narg->nidcnt++] = nid;
|
---|
443 | return 1;
|
---|
444 | }
|
---|
445 |
|
---|
446 | /* Set curves based on a colon separate list */
|
---|
447 | int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str)
|
---|
448 | {
|
---|
449 | nid_cb_st ncb;
|
---|
450 | ncb.nidcnt = 0;
|
---|
451 | if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
|
---|
452 | return 0;
|
---|
453 | if (pext == NULL)
|
---|
454 | return 1;
|
---|
455 | return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
|
---|
456 | }
|
---|
457 |
|
---|
458 | /* For an EC key set TLS id and required compression based on parameters */
|
---|
459 | static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
|
---|
460 | EC_KEY *ec)
|
---|
461 | {
|
---|
462 | int id;
|
---|
463 | const EC_GROUP *grp;
|
---|
464 | if (!ec)
|
---|
465 | return 0;
|
---|
466 | /* Determine if it is a prime field */
|
---|
467 | grp = EC_KEY_get0_group(ec);
|
---|
468 | if (!grp)
|
---|
469 | return 0;
|
---|
470 | /* Determine curve ID */
|
---|
471 | id = EC_GROUP_get_curve_name(grp);
|
---|
472 | id = tls1_ec_nid2curve_id(id);
|
---|
473 | /* If no id return error: we don't support arbitrary explicit curves */
|
---|
474 | if (id == 0)
|
---|
475 | return 0;
|
---|
476 | curve_id[0] = 0;
|
---|
477 | curve_id[1] = (unsigned char)id;
|
---|
478 | if (comp_id) {
|
---|
479 | if (EC_KEY_get0_public_key(ec) == NULL)
|
---|
480 | return 0;
|
---|
481 | if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
|
---|
482 | *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
|
---|
483 | } else {
|
---|
484 | if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
|
---|
485 | *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
|
---|
486 | else
|
---|
487 | *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
|
---|
488 | }
|
---|
489 | }
|
---|
490 | return 1;
|
---|
491 | }
|
---|
492 |
|
---|
493 | /* Check an EC key is compatible with extensions */
|
---|
494 | static int tls1_check_ec_key(SSL *s,
|
---|
495 | unsigned char *curve_id, unsigned char *comp_id)
|
---|
496 | {
|
---|
497 | const unsigned char *pformats, *pcurves;
|
---|
498 | size_t num_formats, num_curves, i;
|
---|
499 | int j;
|
---|
500 | /*
|
---|
501 | * If point formats extension present check it, otherwise everything is
|
---|
502 | * supported (see RFC4492).
|
---|
503 | */
|
---|
504 | if (comp_id && s->session->tlsext_ecpointformatlist) {
|
---|
505 | pformats = s->session->tlsext_ecpointformatlist;
|
---|
506 | num_formats = s->session->tlsext_ecpointformatlist_length;
|
---|
507 | for (i = 0; i < num_formats; i++, pformats++) {
|
---|
508 | if (*comp_id == *pformats)
|
---|
509 | break;
|
---|
510 | }
|
---|
511 | if (i == num_formats)
|
---|
512 | return 0;
|
---|
513 | }
|
---|
514 | if (!curve_id)
|
---|
515 | return 1;
|
---|
516 | /* Check curve is consistent with client and server preferences */
|
---|
517 | for (j = 0; j <= 1; j++) {
|
---|
518 | if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
|
---|
519 | return 0;
|
---|
520 | if (j == 1 && num_curves == 0) {
|
---|
521 | /*
|
---|
522 | * If we've not received any curves then skip this check.
|
---|
523 | * RFC 4492 does not require the supported elliptic curves extension
|
---|
524 | * so if it is not sent we can just choose any curve.
|
---|
525 | * It is invalid to send an empty list in the elliptic curves
|
---|
526 | * extension, so num_curves == 0 always means no extension.
|
---|
527 | */
|
---|
528 | break;
|
---|
529 | }
|
---|
530 | for (i = 0; i < num_curves; i++, pcurves += 2) {
|
---|
531 | if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
|
---|
532 | break;
|
---|
533 | }
|
---|
534 | if (i == num_curves)
|
---|
535 | return 0;
|
---|
536 | /* For clients can only check sent curve list */
|
---|
537 | if (!s->server)
|
---|
538 | break;
|
---|
539 | }
|
---|
540 | return 1;
|
---|
541 | }
|
---|
542 |
|
---|
543 | static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
|
---|
544 | size_t *num_formats)
|
---|
545 | {
|
---|
546 | /*
|
---|
547 | * If we have a custom point format list use it otherwise use default
|
---|
548 | */
|
---|
549 | if (s->tlsext_ecpointformatlist) {
|
---|
550 | *pformats = s->tlsext_ecpointformatlist;
|
---|
551 | *num_formats = s->tlsext_ecpointformatlist_length;
|
---|
552 | } else {
|
---|
553 | *pformats = ecformats_default;
|
---|
554 | /* For Suite B we don't support char2 fields */
|
---|
555 | if (tls1_suiteb(s))
|
---|
556 | *num_formats = sizeof(ecformats_default) - 1;
|
---|
557 | else
|
---|
558 | *num_formats = sizeof(ecformats_default);
|
---|
559 | }
|
---|
560 | }
|
---|
561 |
|
---|
562 | /*
|
---|
563 | * Check cert parameters compatible with extensions: currently just checks EC
|
---|
564 | * certificates have compatible curves and compression.
|
---|
565 | */
|
---|
566 | static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
|
---|
567 | {
|
---|
568 | unsigned char comp_id, curve_id[2];
|
---|
569 | EVP_PKEY *pkey;
|
---|
570 | int rv;
|
---|
571 | pkey = X509_get0_pubkey(x);
|
---|
572 | if (!pkey)
|
---|
573 | return 0;
|
---|
574 | /* If not EC nothing to do */
|
---|
575 | if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
|
---|
576 | return 1;
|
---|
577 | rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
|
---|
578 | if (!rv)
|
---|
579 | return 0;
|
---|
580 | /*
|
---|
581 | * Can't check curve_id for client certs as we don't have a supported
|
---|
582 | * curves extension.
|
---|
583 | */
|
---|
584 | rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
|
---|
585 | if (!rv)
|
---|
586 | return 0;
|
---|
587 | /*
|
---|
588 | * Special case for suite B. We *MUST* sign using SHA256+P-256 or
|
---|
589 | * SHA384+P-384, adjust digest if necessary.
|
---|
590 | */
|
---|
591 | if (set_ee_md && tls1_suiteb(s)) {
|
---|
592 | int check_md;
|
---|
593 | size_t i;
|
---|
594 | CERT *c = s->cert;
|
---|
595 | if (curve_id[0])
|
---|
596 | return 0;
|
---|
597 | /* Check to see we have necessary signing algorithm */
|
---|
598 | if (curve_id[1] == TLSEXT_curve_P_256)
|
---|
599 | check_md = NID_ecdsa_with_SHA256;
|
---|
600 | else if (curve_id[1] == TLSEXT_curve_P_384)
|
---|
601 | check_md = NID_ecdsa_with_SHA384;
|
---|
602 | else
|
---|
603 | return 0; /* Should never happen */
|
---|
604 | for (i = 0; i < c->shared_sigalgslen; i++)
|
---|
605 | if (check_md == c->shared_sigalgs[i].signandhash_nid)
|
---|
606 | break;
|
---|
607 | if (i == c->shared_sigalgslen)
|
---|
608 | return 0;
|
---|
609 | if (set_ee_md == 2) {
|
---|
610 | if (check_md == NID_ecdsa_with_SHA256)
|
---|
611 | s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
|
---|
612 | else
|
---|
613 | s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
|
---|
614 | }
|
---|
615 | }
|
---|
616 | return rv;
|
---|
617 | }
|
---|
618 |
|
---|
619 | # ifndef OPENSSL_NO_EC
|
---|
620 | /*
|
---|
621 | * tls1_check_ec_tmp_key - Check EC temporary key compatibility
|
---|
622 | * @s: SSL connection
|
---|
623 | * @cid: Cipher ID we're considering using
|
---|
624 | *
|
---|
625 | * Checks that the kECDHE cipher suite we're considering using
|
---|
626 | * is compatible with the client extensions.
|
---|
627 | *
|
---|
628 | * Returns 0 when the cipher can't be used or 1 when it can.
|
---|
629 | */
|
---|
630 | int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
|
---|
631 | {
|
---|
632 | /*
|
---|
633 | * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
|
---|
634 | * curves permitted.
|
---|
635 | */
|
---|
636 | if (tls1_suiteb(s)) {
|
---|
637 | unsigned char curve_id[2];
|
---|
638 | /* Curve to check determined by ciphersuite */
|
---|
639 | if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
|
---|
640 | curve_id[1] = TLSEXT_curve_P_256;
|
---|
641 | else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
|
---|
642 | curve_id[1] = TLSEXT_curve_P_384;
|
---|
643 | else
|
---|
644 | return 0;
|
---|
645 | curve_id[0] = 0;
|
---|
646 | /* Check this curve is acceptable */
|
---|
647 | if (!tls1_check_ec_key(s, curve_id, NULL))
|
---|
648 | return 0;
|
---|
649 | return 1;
|
---|
650 | }
|
---|
651 | /* Need a shared curve */
|
---|
652 | if (tls1_shared_curve(s, 0))
|
---|
653 | return 1;
|
---|
654 | return 0;
|
---|
655 | }
|
---|
656 | # endif /* OPENSSL_NO_EC */
|
---|
657 |
|
---|
658 | #else
|
---|
659 |
|
---|
660 | static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
|
---|
661 | {
|
---|
662 | return 1;
|
---|
663 | }
|
---|
664 |
|
---|
665 | #endif /* OPENSSL_NO_EC */
|
---|
666 |
|
---|
667 | /*
|
---|
668 | * List of supported signature algorithms and hashes. Should make this
|
---|
669 | * customisable at some point, for now include everything we support.
|
---|
670 | */
|
---|
671 |
|
---|
672 | #ifdef OPENSSL_NO_RSA
|
---|
673 | # define tlsext_sigalg_rsa(md) /* */
|
---|
674 | #else
|
---|
675 | # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
|
---|
676 | #endif
|
---|
677 |
|
---|
678 | #ifdef OPENSSL_NO_DSA
|
---|
679 | # define tlsext_sigalg_dsa(md) /* */
|
---|
680 | #else
|
---|
681 | # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
|
---|
682 | #endif
|
---|
683 |
|
---|
684 | #ifdef OPENSSL_NO_EC
|
---|
685 | # define tlsext_sigalg_ecdsa(md)/* */
|
---|
686 | #else
|
---|
687 | # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
|
---|
688 | #endif
|
---|
689 |
|
---|
690 | #define tlsext_sigalg(md) \
|
---|
691 | tlsext_sigalg_rsa(md) \
|
---|
692 | tlsext_sigalg_dsa(md) \
|
---|
693 | tlsext_sigalg_ecdsa(md)
|
---|
694 |
|
---|
695 | static const unsigned char tls12_sigalgs[] = {
|
---|
696 | tlsext_sigalg(TLSEXT_hash_sha512)
|
---|
697 | tlsext_sigalg(TLSEXT_hash_sha384)
|
---|
698 | tlsext_sigalg(TLSEXT_hash_sha256)
|
---|
699 | tlsext_sigalg(TLSEXT_hash_sha224)
|
---|
700 | tlsext_sigalg(TLSEXT_hash_sha1)
|
---|
701 | #ifndef OPENSSL_NO_GOST
|
---|
702 | TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
|
---|
703 | TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
|
---|
704 | TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
|
---|
705 | #endif
|
---|
706 | };
|
---|
707 |
|
---|
708 | #ifndef OPENSSL_NO_EC
|
---|
709 | static const unsigned char suiteb_sigalgs[] = {
|
---|
710 | tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
|
---|
711 | tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
|
---|
712 | };
|
---|
713 | #endif
|
---|
714 | size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
|
---|
715 | {
|
---|
716 | /*
|
---|
717 | * If Suite B mode use Suite B sigalgs only, ignore any other
|
---|
718 | * preferences.
|
---|
719 | */
|
---|
720 | #ifndef OPENSSL_NO_EC
|
---|
721 | switch (tls1_suiteb(s)) {
|
---|
722 | case SSL_CERT_FLAG_SUITEB_128_LOS:
|
---|
723 | *psigs = suiteb_sigalgs;
|
---|
724 | return sizeof(suiteb_sigalgs);
|
---|
725 |
|
---|
726 | case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
|
---|
727 | *psigs = suiteb_sigalgs;
|
---|
728 | return 2;
|
---|
729 |
|
---|
730 | case SSL_CERT_FLAG_SUITEB_192_LOS:
|
---|
731 | *psigs = suiteb_sigalgs + 2;
|
---|
732 | return 2;
|
---|
733 | }
|
---|
734 | #endif
|
---|
735 | /* If server use client authentication sigalgs if not NULL */
|
---|
736 | if (s->server == sent && s->cert->client_sigalgs) {
|
---|
737 | *psigs = s->cert->client_sigalgs;
|
---|
738 | return s->cert->client_sigalgslen;
|
---|
739 | } else if (s->cert->conf_sigalgs) {
|
---|
740 | *psigs = s->cert->conf_sigalgs;
|
---|
741 | return s->cert->conf_sigalgslen;
|
---|
742 | } else {
|
---|
743 | *psigs = tls12_sigalgs;
|
---|
744 | return sizeof(tls12_sigalgs);
|
---|
745 | }
|
---|
746 | }
|
---|
747 |
|
---|
748 | /*
|
---|
749 | * Check signature algorithm is consistent with sent supported signature
|
---|
750 | * algorithms and if so return relevant digest.
|
---|
751 | */
|
---|
752 | int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
|
---|
753 | const unsigned char *sig, EVP_PKEY *pkey)
|
---|
754 | {
|
---|
755 | const unsigned char *sent_sigs;
|
---|
756 | size_t sent_sigslen, i;
|
---|
757 | int sigalg = tls12_get_sigid(pkey);
|
---|
758 | /* Should never happen */
|
---|
759 | if (sigalg == -1)
|
---|
760 | return -1;
|
---|
761 | /* Check key type is consistent with signature */
|
---|
762 | if (sigalg != (int)sig[1]) {
|
---|
763 | SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
|
---|
764 | return 0;
|
---|
765 | }
|
---|
766 | #ifndef OPENSSL_NO_EC
|
---|
767 | if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
|
---|
768 | unsigned char curve_id[2], comp_id;
|
---|
769 | /* Check compression and curve matches extensions */
|
---|
770 | if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
|
---|
771 | return 0;
|
---|
772 | if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
|
---|
773 | SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
|
---|
774 | return 0;
|
---|
775 | }
|
---|
776 | /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
|
---|
777 | if (tls1_suiteb(s)) {
|
---|
778 | if (curve_id[0])
|
---|
779 | return 0;
|
---|
780 | if (curve_id[1] == TLSEXT_curve_P_256) {
|
---|
781 | if (sig[0] != TLSEXT_hash_sha256) {
|
---|
782 | SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
|
---|
783 | SSL_R_ILLEGAL_SUITEB_DIGEST);
|
---|
784 | return 0;
|
---|
785 | }
|
---|
786 | } else if (curve_id[1] == TLSEXT_curve_P_384) {
|
---|
787 | if (sig[0] != TLSEXT_hash_sha384) {
|
---|
788 | SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
|
---|
789 | SSL_R_ILLEGAL_SUITEB_DIGEST);
|
---|
790 | return 0;
|
---|
791 | }
|
---|
792 | } else
|
---|
793 | return 0;
|
---|
794 | }
|
---|
795 | } else if (tls1_suiteb(s))
|
---|
796 | return 0;
|
---|
797 | #endif
|
---|
798 |
|
---|
799 | /* Check signature matches a type we sent */
|
---|
800 | sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
|
---|
801 | for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
|
---|
802 | if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
|
---|
803 | break;
|
---|
804 | }
|
---|
805 | /* Allow fallback to SHA1 if not strict mode */
|
---|
806 | if (i == sent_sigslen
|
---|
807 | && (sig[0] != TLSEXT_hash_sha1
|
---|
808 | || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
|
---|
809 | SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
|
---|
810 | return 0;
|
---|
811 | }
|
---|
812 | *pmd = tls12_get_hash(sig[0]);
|
---|
813 | if (*pmd == NULL) {
|
---|
814 | SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
|
---|
815 | return 0;
|
---|
816 | }
|
---|
817 | /* Make sure security callback allows algorithm */
|
---|
818 | if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
|
---|
819 | EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) {
|
---|
820 | SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
|
---|
821 | return 0;
|
---|
822 | }
|
---|
823 | /*
|
---|
824 | * Store the digest used so applications can retrieve it if they wish.
|
---|
825 | */
|
---|
826 | s->s3->tmp.peer_md = *pmd;
|
---|
827 | return 1;
|
---|
828 | }
|
---|
829 |
|
---|
830 | /*
|
---|
831 | * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
|
---|
832 | * supported, doesn't appear in supported signature algorithms, isn't supported
|
---|
833 | * by the enabled protocol versions or by the security level.
|
---|
834 | *
|
---|
835 | * This function should only be used for checking which ciphers are supported
|
---|
836 | * by the client.
|
---|
837 | *
|
---|
838 | * Call ssl_cipher_disabled() to check that it's enabled or not.
|
---|
839 | */
|
---|
840 | void ssl_set_client_disabled(SSL *s)
|
---|
841 | {
|
---|
842 | s->s3->tmp.mask_a = 0;
|
---|
843 | s->s3->tmp.mask_k = 0;
|
---|
844 | ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
|
---|
845 | ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
|
---|
846 | #ifndef OPENSSL_NO_PSK
|
---|
847 | /* with PSK there must be client callback set */
|
---|
848 | if (!s->psk_client_callback) {
|
---|
849 | s->s3->tmp.mask_a |= SSL_aPSK;
|
---|
850 | s->s3->tmp.mask_k |= SSL_PSK;
|
---|
851 | }
|
---|
852 | #endif /* OPENSSL_NO_PSK */
|
---|
853 | #ifndef OPENSSL_NO_SRP
|
---|
854 | if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
|
---|
855 | s->s3->tmp.mask_a |= SSL_aSRP;
|
---|
856 | s->s3->tmp.mask_k |= SSL_kSRP;
|
---|
857 | }
|
---|
858 | #endif
|
---|
859 | }
|
---|
860 |
|
---|
861 | /*
|
---|
862 | * ssl_cipher_disabled - check that a cipher is disabled or not
|
---|
863 | * @s: SSL connection that you want to use the cipher on
|
---|
864 | * @c: cipher to check
|
---|
865 | * @op: Security check that you want to do
|
---|
866 | *
|
---|
867 | * Returns 1 when it's disabled, 0 when enabled.
|
---|
868 | */
|
---|
869 | int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
|
---|
870 | {
|
---|
871 | if (c->algorithm_mkey & s->s3->tmp.mask_k
|
---|
872 | || c->algorithm_auth & s->s3->tmp.mask_a)
|
---|
873 | return 1;
|
---|
874 | if (s->s3->tmp.max_ver == 0)
|
---|
875 | return 1;
|
---|
876 | if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
|
---|
877 | || (c->max_tls < s->s3->tmp.min_ver)))
|
---|
878 | return 1;
|
---|
879 | if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
|
---|
880 | || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
|
---|
881 | return 1;
|
---|
882 |
|
---|
883 | return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
|
---|
884 | }
|
---|
885 |
|
---|
886 | static int tls_use_ticket(SSL *s)
|
---|
887 | {
|
---|
888 | if (s->options & SSL_OP_NO_TICKET)
|
---|
889 | return 0;
|
---|
890 | return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
|
---|
891 | }
|
---|
892 |
|
---|
893 | static int compare_uint(const void *p1, const void *p2)
|
---|
894 | {
|
---|
895 | unsigned int u1 = *((const unsigned int *)p1);
|
---|
896 | unsigned int u2 = *((const unsigned int *)p2);
|
---|
897 | if (u1 < u2)
|
---|
898 | return -1;
|
---|
899 | else if (u1 > u2)
|
---|
900 | return 1;
|
---|
901 | else
|
---|
902 | return 0;
|
---|
903 | }
|
---|
904 |
|
---|
905 | /*
|
---|
906 | * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
|
---|
907 | * more than one extension of the same type in a ClientHello or ServerHello.
|
---|
908 | * This function does an initial scan over the extensions block to filter those
|
---|
909 | * out. It returns 1 if all extensions are unique, and 0 if the extensions
|
---|
910 | * contain duplicates, could not be successfully parsed, or an internal error
|
---|
911 | * occurred.
|
---|
912 | */
|
---|
913 | static int tls1_check_duplicate_extensions(const PACKET *packet)
|
---|
914 | {
|
---|
915 | PACKET extensions = *packet;
|
---|
916 | size_t num_extensions = 0, i = 0;
|
---|
917 | unsigned int *extension_types = NULL;
|
---|
918 | int ret = 0;
|
---|
919 |
|
---|
920 | /* First pass: count the extensions. */
|
---|
921 | while (PACKET_remaining(&extensions) > 0) {
|
---|
922 | unsigned int type;
|
---|
923 | PACKET extension;
|
---|
924 | if (!PACKET_get_net_2(&extensions, &type) ||
|
---|
925 | !PACKET_get_length_prefixed_2(&extensions, &extension)) {
|
---|
926 | goto done;
|
---|
927 | }
|
---|
928 | num_extensions++;
|
---|
929 | }
|
---|
930 |
|
---|
931 | if (num_extensions <= 1)
|
---|
932 | return 1;
|
---|
933 |
|
---|
934 | extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
|
---|
935 | if (extension_types == NULL) {
|
---|
936 | SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
|
---|
937 | goto done;
|
---|
938 | }
|
---|
939 |
|
---|
940 | /* Second pass: gather the extension types. */
|
---|
941 | extensions = *packet;
|
---|
942 | for (i = 0; i < num_extensions; i++) {
|
---|
943 | PACKET extension;
|
---|
944 | if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
|
---|
945 | !PACKET_get_length_prefixed_2(&extensions, &extension)) {
|
---|
946 | /* This should not happen. */
|
---|
947 | SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
|
---|
948 | goto done;
|
---|
949 | }
|
---|
950 | }
|
---|
951 |
|
---|
952 | if (PACKET_remaining(&extensions) != 0) {
|
---|
953 | SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
|
---|
954 | goto done;
|
---|
955 | }
|
---|
956 | /* Sort the extensions and make sure there are no duplicates. */
|
---|
957 | qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
|
---|
958 | for (i = 1; i < num_extensions; i++) {
|
---|
959 | if (extension_types[i - 1] == extension_types[i])
|
---|
960 | goto done;
|
---|
961 | }
|
---|
962 | ret = 1;
|
---|
963 | done:
|
---|
964 | OPENSSL_free(extension_types);
|
---|
965 | return ret;
|
---|
966 | }
|
---|
967 |
|
---|
968 | unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
---|
969 | unsigned char *limit, int *al)
|
---|
970 | {
|
---|
971 | int extdatalen = 0;
|
---|
972 | unsigned char *orig = buf;
|
---|
973 | unsigned char *ret = buf;
|
---|
974 | #ifndef OPENSSL_NO_EC
|
---|
975 | /* See if we support any ECC ciphersuites */
|
---|
976 | int using_ecc = 0;
|
---|
977 | if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
|
---|
978 | int i;
|
---|
979 | unsigned long alg_k, alg_a;
|
---|
980 | STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
|
---|
981 |
|
---|
982 | for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
|
---|
983 | const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
|
---|
984 |
|
---|
985 | alg_k = c->algorithm_mkey;
|
---|
986 | alg_a = c->algorithm_auth;
|
---|
987 | if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
|
---|
988 | || (alg_a & SSL_aECDSA)) {
|
---|
989 | using_ecc = 1;
|
---|
990 | break;
|
---|
991 | }
|
---|
992 | }
|
---|
993 | }
|
---|
994 | #endif
|
---|
995 |
|
---|
996 | ret += 2;
|
---|
997 |
|
---|
998 | if (ret >= limit)
|
---|
999 | return NULL; /* this really never occurs, but ... */
|
---|
1000 |
|
---|
1001 | /* Add RI if renegotiating */
|
---|
1002 | if (s->renegotiate) {
|
---|
1003 | int el;
|
---|
1004 |
|
---|
1005 | if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
|
---|
1006 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
---|
1007 | return NULL;
|
---|
1008 | }
|
---|
1009 |
|
---|
1010 | if (CHECKLEN(ret, 4 + el, limit))
|
---|
1011 | return NULL;
|
---|
1012 |
|
---|
1013 | s2n(TLSEXT_TYPE_renegotiate, ret);
|
---|
1014 | s2n(el, ret);
|
---|
1015 |
|
---|
1016 | if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
|
---|
1017 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
---|
1018 | return NULL;
|
---|
1019 | }
|
---|
1020 |
|
---|
1021 | ret += el;
|
---|
1022 | }
|
---|
1023 | /* Only add RI for SSLv3 */
|
---|
1024 | if (s->client_version == SSL3_VERSION)
|
---|
1025 | goto done;
|
---|
1026 |
|
---|
1027 | if (s->tlsext_hostname != NULL) {
|
---|
1028 | /* Add TLS extension servername to the Client Hello message */
|
---|
1029 | size_t size_str;
|
---|
1030 |
|
---|
1031 | /*-
|
---|
1032 | * check for enough space.
|
---|
1033 | * 4 for the servername type and extension length
|
---|
1034 | * 2 for servernamelist length
|
---|
1035 | * 1 for the hostname type
|
---|
1036 | * 2 for hostname length
|
---|
1037 | * + hostname length
|
---|
1038 | */
|
---|
1039 | size_str = strlen(s->tlsext_hostname);
|
---|
1040 | if (CHECKLEN(ret, 9 + size_str, limit))
|
---|
1041 | return NULL;
|
---|
1042 |
|
---|
1043 | /* extension type and length */
|
---|
1044 | s2n(TLSEXT_TYPE_server_name, ret);
|
---|
1045 | s2n(size_str + 5, ret);
|
---|
1046 |
|
---|
1047 | /* length of servername list */
|
---|
1048 | s2n(size_str + 3, ret);
|
---|
1049 |
|
---|
1050 | /* hostname type, length and hostname */
|
---|
1051 | *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
|
---|
1052 | s2n(size_str, ret);
|
---|
1053 | memcpy(ret, s->tlsext_hostname, size_str);
|
---|
1054 | ret += size_str;
|
---|
1055 | }
|
---|
1056 | #ifndef OPENSSL_NO_SRP
|
---|
1057 | /* Add SRP username if there is one */
|
---|
1058 | if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
|
---|
1059 | * Client Hello message */
|
---|
1060 |
|
---|
1061 | size_t login_len = strlen(s->srp_ctx.login);
|
---|
1062 | if (login_len > 255 || login_len == 0) {
|
---|
1063 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
---|
1064 | return NULL;
|
---|
1065 | }
|
---|
1066 |
|
---|
1067 | /*-
|
---|
1068 | * check for enough space.
|
---|
1069 | * 4 for the srp type type and extension length
|
---|
1070 | * 1 for the srp user identity
|
---|
1071 | * + srp user identity length
|
---|
1072 | */
|
---|
1073 | if (CHECKLEN(ret, 5 + login_len, limit))
|
---|
1074 | return NULL;
|
---|
1075 |
|
---|
1076 | /* fill in the extension */
|
---|
1077 | s2n(TLSEXT_TYPE_srp, ret);
|
---|
1078 | s2n(login_len + 1, ret);
|
---|
1079 | (*ret++) = (unsigned char)login_len;
|
---|
1080 | memcpy(ret, s->srp_ctx.login, login_len);
|
---|
1081 | ret += login_len;
|
---|
1082 | }
|
---|
1083 | #endif
|
---|
1084 |
|
---|
1085 | #ifndef OPENSSL_NO_EC
|
---|
1086 | if (using_ecc) {
|
---|
1087 | /*
|
---|
1088 | * Add TLS extension ECPointFormats to the ClientHello message
|
---|
1089 | */
|
---|
1090 | const unsigned char *pcurves, *pformats;
|
---|
1091 | size_t num_curves, num_formats, curves_list_len;
|
---|
1092 | size_t i;
|
---|
1093 | unsigned char *etmp;
|
---|
1094 |
|
---|
1095 | tls1_get_formatlist(s, &pformats, &num_formats);
|
---|
1096 |
|
---|
1097 | if (num_formats > 255) {
|
---|
1098 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
---|
1099 | return NULL;
|
---|
1100 | }
|
---|
1101 | /*-
|
---|
1102 | * check for enough space.
|
---|
1103 | * 4 bytes for the ec point formats type and extension length
|
---|
1104 | * 1 byte for the length of the formats
|
---|
1105 | * + formats length
|
---|
1106 | */
|
---|
1107 | if (CHECKLEN(ret, 5 + num_formats, limit))
|
---|
1108 | return NULL;
|
---|
1109 |
|
---|
1110 | s2n(TLSEXT_TYPE_ec_point_formats, ret);
|
---|
1111 | /* The point format list has 1-byte length. */
|
---|
1112 | s2n(num_formats + 1, ret);
|
---|
1113 | *(ret++) = (unsigned char)num_formats;
|
---|
1114 | memcpy(ret, pformats, num_formats);
|
---|
1115 | ret += num_formats;
|
---|
1116 |
|
---|
1117 | /*
|
---|
1118 | * Add TLS extension EllipticCurves to the ClientHello message
|
---|
1119 | */
|
---|
1120 | pcurves = s->tlsext_ellipticcurvelist;
|
---|
1121 | if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
|
---|
1122 | return NULL;
|
---|
1123 |
|
---|
1124 | if (num_curves > 65532 / 2) {
|
---|
1125 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
---|
1126 | return NULL;
|
---|
1127 | }
|
---|
1128 | /*-
|
---|
1129 | * check for enough space.
|
---|
1130 | * 4 bytes for the ec curves type and extension length
|
---|
1131 | * 2 bytes for the curve list length
|
---|
1132 | * + curve list length
|
---|
1133 | */
|
---|
1134 | if (CHECKLEN(ret, 6 + (num_curves * 2), limit))
|
---|
1135 | return NULL;
|
---|
1136 |
|
---|
1137 | s2n(TLSEXT_TYPE_elliptic_curves, ret);
|
---|
1138 | etmp = ret + 4;
|
---|
1139 | /* Copy curve ID if supported */
|
---|
1140 | for (i = 0; i < num_curves; i++, pcurves += 2) {
|
---|
1141 | if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
|
---|
1142 | *etmp++ = pcurves[0];
|
---|
1143 | *etmp++ = pcurves[1];
|
---|
1144 | }
|
---|
1145 | }
|
---|
1146 |
|
---|
1147 | curves_list_len = etmp - ret - 4;
|
---|
1148 |
|
---|
1149 | s2n(curves_list_len + 2, ret);
|
---|
1150 | s2n(curves_list_len, ret);
|
---|
1151 | ret += curves_list_len;
|
---|
1152 | }
|
---|
1153 | #endif /* OPENSSL_NO_EC */
|
---|
1154 |
|
---|
1155 | if (tls_use_ticket(s)) {
|
---|
1156 | size_t ticklen;
|
---|
1157 | if (!s->new_session && s->session && s->session->tlsext_tick)
|
---|
1158 | ticklen = s->session->tlsext_ticklen;
|
---|
1159 | else if (s->session && s->tlsext_session_ticket &&
|
---|
1160 | s->tlsext_session_ticket->data) {
|
---|
1161 | ticklen = s->tlsext_session_ticket->length;
|
---|
1162 | s->session->tlsext_tick = OPENSSL_malloc(ticklen);
|
---|
1163 | if (s->session->tlsext_tick == NULL)
|
---|
1164 | return NULL;
|
---|
1165 | memcpy(s->session->tlsext_tick,
|
---|
1166 | s->tlsext_session_ticket->data, ticklen);
|
---|
1167 | s->session->tlsext_ticklen = ticklen;
|
---|
1168 | } else
|
---|
1169 | ticklen = 0;
|
---|
1170 | if (ticklen == 0 && s->tlsext_session_ticket &&
|
---|
1171 | s->tlsext_session_ticket->data == NULL)
|
---|
1172 | goto skip_ext;
|
---|
1173 | /*
|
---|
1174 | * Check for enough room 2 for extension type, 2 for len rest for
|
---|
1175 | * ticket
|
---|
1176 | */
|
---|
1177 | if (CHECKLEN(ret, 4 + ticklen, limit))
|
---|
1178 | return NULL;
|
---|
1179 | s2n(TLSEXT_TYPE_session_ticket, ret);
|
---|
1180 | s2n(ticklen, ret);
|
---|
1181 | if (ticklen > 0) {
|
---|
1182 | memcpy(ret, s->session->tlsext_tick, ticklen);
|
---|
1183 | ret += ticklen;
|
---|
1184 | }
|
---|
1185 | }
|
---|
1186 | skip_ext:
|
---|
1187 |
|
---|
1188 | if (SSL_CLIENT_USE_SIGALGS(s)) {
|
---|
1189 | size_t salglen;
|
---|
1190 | const unsigned char *salg;
|
---|
1191 | unsigned char *etmp;
|
---|
1192 | salglen = tls12_get_psigalgs(s, 1, &salg);
|
---|
1193 |
|
---|
1194 | /*-
|
---|
1195 | * check for enough space.
|
---|
1196 | * 4 bytes for the sigalgs type and extension length
|
---|
1197 | * 2 bytes for the sigalg list length
|
---|
1198 | * + sigalg list length
|
---|
1199 | */
|
---|
1200 | if (CHECKLEN(ret, salglen + 6, limit))
|
---|
1201 | return NULL;
|
---|
1202 | s2n(TLSEXT_TYPE_signature_algorithms, ret);
|
---|
1203 | etmp = ret;
|
---|
1204 | /* Skip over lengths for now */
|
---|
1205 | ret += 4;
|
---|
1206 | salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
|
---|
1207 | /* Fill in lengths */
|
---|
1208 | s2n(salglen + 2, etmp);
|
---|
1209 | s2n(salglen, etmp);
|
---|
1210 | ret += salglen;
|
---|
1211 | }
|
---|
1212 | #ifndef OPENSSL_NO_OCSP
|
---|
1213 | if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
|
---|
1214 | int i;
|
---|
1215 | size_t extlen, idlen;
|
---|
1216 | int lentmp;
|
---|
1217 | OCSP_RESPID *id;
|
---|
1218 |
|
---|
1219 | idlen = 0;
|
---|
1220 | for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
|
---|
1221 | id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
|
---|
1222 | lentmp = i2d_OCSP_RESPID(id, NULL);
|
---|
1223 | if (lentmp <= 0)
|
---|
1224 | return NULL;
|
---|
1225 | idlen += (size_t)lentmp + 2;
|
---|
1226 | }
|
---|
1227 |
|
---|
1228 | if (s->tlsext_ocsp_exts) {
|
---|
1229 | lentmp = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
|
---|
1230 | if (lentmp < 0)
|
---|
1231 | return NULL;
|
---|
1232 | extlen = (size_t)lentmp;
|
---|
1233 | } else
|
---|
1234 | extlen = 0;
|
---|
1235 |
|
---|
1236 | if (extlen + idlen > 0xFFF0)
|
---|
1237 | return NULL;
|
---|
1238 | /*
|
---|
1239 | * 2 bytes for status request type
|
---|
1240 | * 2 bytes for status request len
|
---|
1241 | * 1 byte for OCSP request type
|
---|
1242 | * 2 bytes for length of ids
|
---|
1243 | * 2 bytes for length of extensions
|
---|
1244 | * + length of ids
|
---|
1245 | * + length of extensions
|
---|
1246 | */
|
---|
1247 | if (CHECKLEN(ret, 9 + idlen + extlen, limit))
|
---|
1248 | return NULL;
|
---|
1249 |
|
---|
1250 | s2n(TLSEXT_TYPE_status_request, ret);
|
---|
1251 | s2n(extlen + idlen + 5, ret);
|
---|
1252 | *(ret++) = TLSEXT_STATUSTYPE_ocsp;
|
---|
1253 | s2n(idlen, ret);
|
---|
1254 | for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
|
---|
1255 | /* save position of id len */
|
---|
1256 | unsigned char *q = ret;
|
---|
1257 | id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
|
---|
1258 | /* skip over id len */
|
---|
1259 | ret += 2;
|
---|
1260 | lentmp = i2d_OCSP_RESPID(id, &ret);
|
---|
1261 | /* write id len */
|
---|
1262 | s2n(lentmp, q);
|
---|
1263 | }
|
---|
1264 | s2n(extlen, ret);
|
---|
1265 | if (extlen > 0)
|
---|
1266 | i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
|
---|
1267 | }
|
---|
1268 | #endif
|
---|
1269 | #ifndef OPENSSL_NO_HEARTBEATS
|
---|
1270 | if (SSL_IS_DTLS(s)) {
|
---|
1271 | /* Add Heartbeat extension */
|
---|
1272 |
|
---|
1273 | /*-
|
---|
1274 | * check for enough space.
|
---|
1275 | * 4 bytes for the heartbeat ext type and extension length
|
---|
1276 | * 1 byte for the mode
|
---|
1277 | */
|
---|
1278 | if (CHECKLEN(ret, 5, limit))
|
---|
1279 | return NULL;
|
---|
1280 |
|
---|
1281 | s2n(TLSEXT_TYPE_heartbeat, ret);
|
---|
1282 | s2n(1, ret);
|
---|
1283 | /*-
|
---|
1284 | * Set mode:
|
---|
1285 | * 1: peer may send requests
|
---|
1286 | * 2: peer not allowed to send requests
|
---|
1287 | */
|
---|
1288 | if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
|
---|
1289 | *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
|
---|
1290 | else
|
---|
1291 | *(ret++) = SSL_DTLSEXT_HB_ENABLED;
|
---|
1292 | }
|
---|
1293 | #endif
|
---|
1294 |
|
---|
1295 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
1296 | if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
|
---|
1297 | /*
|
---|
1298 | * The client advertises an empty extension to indicate its support
|
---|
1299 | * for Next Protocol Negotiation
|
---|
1300 | */
|
---|
1301 |
|
---|
1302 | /*-
|
---|
1303 | * check for enough space.
|
---|
1304 | * 4 bytes for the NPN ext type and extension length
|
---|
1305 | */
|
---|
1306 | if (CHECKLEN(ret, 4, limit))
|
---|
1307 | return NULL;
|
---|
1308 | s2n(TLSEXT_TYPE_next_proto_neg, ret);
|
---|
1309 | s2n(0, ret);
|
---|
1310 | }
|
---|
1311 | #endif
|
---|
1312 |
|
---|
1313 | /*
|
---|
1314 | * finish_md_len is non-zero during a renegotiation, so
|
---|
1315 | * this avoids sending ALPN during the renegotiation
|
---|
1316 | * (see longer comment below)
|
---|
1317 | */
|
---|
1318 | if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
|
---|
1319 | /*-
|
---|
1320 | * check for enough space.
|
---|
1321 | * 4 bytes for the ALPN type and extension length
|
---|
1322 | * 2 bytes for the ALPN protocol list length
|
---|
1323 | * + ALPN protocol list length
|
---|
1324 | */
|
---|
1325 | if (CHECKLEN(ret, 6 + s->alpn_client_proto_list_len, limit))
|
---|
1326 | return NULL;
|
---|
1327 | s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
|
---|
1328 | s2n(2 + s->alpn_client_proto_list_len, ret);
|
---|
1329 | s2n(s->alpn_client_proto_list_len, ret);
|
---|
1330 | memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
|
---|
1331 | ret += s->alpn_client_proto_list_len;
|
---|
1332 | s->s3->alpn_sent = 1;
|
---|
1333 | }
|
---|
1334 | #ifndef OPENSSL_NO_SRTP
|
---|
1335 | if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
|
---|
1336 | int el;
|
---|
1337 |
|
---|
1338 | /* Returns 0 on success!! */
|
---|
1339 | if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
|
---|
1340 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
---|
1341 | return NULL;
|
---|
1342 | }
|
---|
1343 |
|
---|
1344 | /*-
|
---|
1345 | * check for enough space.
|
---|
1346 | * 4 bytes for the SRTP type and extension length
|
---|
1347 | * + SRTP profiles length
|
---|
1348 | */
|
---|
1349 | if (CHECKLEN(ret, 4 + el, limit))
|
---|
1350 | return NULL;
|
---|
1351 |
|
---|
1352 | s2n(TLSEXT_TYPE_use_srtp, ret);
|
---|
1353 | s2n(el, ret);
|
---|
1354 |
|
---|
1355 | if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
|
---|
1356 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
---|
1357 | return NULL;
|
---|
1358 | }
|
---|
1359 | ret += el;
|
---|
1360 | }
|
---|
1361 | #endif
|
---|
1362 | custom_ext_init(&s->cert->cli_ext);
|
---|
1363 | /* Add custom TLS Extensions to ClientHello */
|
---|
1364 | if (!custom_ext_add(s, 0, &ret, limit, al))
|
---|
1365 | return NULL;
|
---|
1366 | /*
|
---|
1367 | * In 1.1.0 before 1.1.0c we negotiated EtM with DTLS, then just
|
---|
1368 | * silently failed to actually do it. It is fixed in 1.1.1 but to
|
---|
1369 | * ease the transition especially from 1.1.0b to 1.1.0c, we just
|
---|
1370 | * disable it in 1.1.0.
|
---|
1371 | */
|
---|
1372 | if (!SSL_IS_DTLS(s)) {
|
---|
1373 | /*-
|
---|
1374 | * check for enough space.
|
---|
1375 | * 4 bytes for the ETM type and extension length
|
---|
1376 | */
|
---|
1377 | if (CHECKLEN(ret, 4, limit))
|
---|
1378 | return NULL;
|
---|
1379 | s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
|
---|
1380 | s2n(0, ret);
|
---|
1381 | }
|
---|
1382 |
|
---|
1383 | #ifndef OPENSSL_NO_CT
|
---|
1384 | if (s->ct_validation_callback != NULL) {
|
---|
1385 | /*-
|
---|
1386 | * check for enough space.
|
---|
1387 | * 4 bytes for the SCT type and extension length
|
---|
1388 | */
|
---|
1389 | if (CHECKLEN(ret, 4, limit))
|
---|
1390 | return NULL;
|
---|
1391 |
|
---|
1392 | s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret);
|
---|
1393 | s2n(0, ret);
|
---|
1394 | }
|
---|
1395 | #endif
|
---|
1396 |
|
---|
1397 | /*-
|
---|
1398 | * check for enough space.
|
---|
1399 | * 4 bytes for the EMS type and extension length
|
---|
1400 | */
|
---|
1401 | if (CHECKLEN(ret, 4, limit))
|
---|
1402 | return NULL;
|
---|
1403 | s2n(TLSEXT_TYPE_extended_master_secret, ret);
|
---|
1404 | s2n(0, ret);
|
---|
1405 |
|
---|
1406 | /*
|
---|
1407 | * Add padding to workaround bugs in F5 terminators. See
|
---|
1408 | * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
|
---|
1409 | * code works out the length of all existing extensions it MUST always
|
---|
1410 | * appear last.
|
---|
1411 | */
|
---|
1412 | if (s->options & SSL_OP_TLSEXT_PADDING) {
|
---|
1413 | int hlen = ret - (unsigned char *)s->init_buf->data;
|
---|
1414 |
|
---|
1415 | if (hlen > 0xff && hlen < 0x200) {
|
---|
1416 | hlen = 0x200 - hlen;
|
---|
1417 | if (hlen >= 4)
|
---|
1418 | hlen -= 4;
|
---|
1419 | else
|
---|
1420 | hlen = 0;
|
---|
1421 |
|
---|
1422 | /*-
|
---|
1423 | * check for enough space. Strictly speaking we know we've already
|
---|
1424 | * got enough space because to get here the message size is < 0x200,
|
---|
1425 | * but we know that we've allocated far more than that in the buffer
|
---|
1426 | * - but for consistency and robustness we're going to check anyway.
|
---|
1427 | *
|
---|
1428 | * 4 bytes for the padding type and extension length
|
---|
1429 | * + padding length
|
---|
1430 | */
|
---|
1431 | if (CHECKLEN(ret, 4 + hlen, limit))
|
---|
1432 | return NULL;
|
---|
1433 | s2n(TLSEXT_TYPE_padding, ret);
|
---|
1434 | s2n(hlen, ret);
|
---|
1435 | memset(ret, 0, hlen);
|
---|
1436 | ret += hlen;
|
---|
1437 | }
|
---|
1438 | }
|
---|
1439 |
|
---|
1440 | done:
|
---|
1441 |
|
---|
1442 | if ((extdatalen = ret - orig - 2) == 0)
|
---|
1443 | return orig;
|
---|
1444 |
|
---|
1445 | s2n(extdatalen, orig);
|
---|
1446 | return ret;
|
---|
1447 | }
|
---|
1448 |
|
---|
1449 | unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
|
---|
1450 | unsigned char *limit, int *al)
|
---|
1451 | {
|
---|
1452 | int extdatalen = 0;
|
---|
1453 | unsigned char *orig = buf;
|
---|
1454 | unsigned char *ret = buf;
|
---|
1455 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
1456 | int next_proto_neg_seen;
|
---|
1457 | #endif
|
---|
1458 | #ifndef OPENSSL_NO_EC
|
---|
1459 | unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
|
---|
1460 | unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
|
---|
1461 | int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
|
---|
1462 | using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
|
---|
1463 | #endif
|
---|
1464 |
|
---|
1465 | ret += 2;
|
---|
1466 | if (ret >= limit)
|
---|
1467 | return NULL; /* this really never occurs, but ... */
|
---|
1468 |
|
---|
1469 | if (s->s3->send_connection_binding) {
|
---|
1470 | int el;
|
---|
1471 |
|
---|
1472 | if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
|
---|
1473 | SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
---|
1474 | return NULL;
|
---|
1475 | }
|
---|
1476 |
|
---|
1477 | /*-
|
---|
1478 | * check for enough space.
|
---|
1479 | * 4 bytes for the reneg type and extension length
|
---|
1480 | * + reneg data length
|
---|
1481 | */
|
---|
1482 | if (CHECKLEN(ret, 4 + el, limit))
|
---|
1483 | return NULL;
|
---|
1484 |
|
---|
1485 | s2n(TLSEXT_TYPE_renegotiate, ret);
|
---|
1486 | s2n(el, ret);
|
---|
1487 |
|
---|
1488 | if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
|
---|
1489 | SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
---|
1490 | return NULL;
|
---|
1491 | }
|
---|
1492 |
|
---|
1493 | ret += el;
|
---|
1494 | }
|
---|
1495 |
|
---|
1496 | /* Only add RI for SSLv3 */
|
---|
1497 | if (s->version == SSL3_VERSION)
|
---|
1498 | goto done;
|
---|
1499 |
|
---|
1500 | if (!s->hit && s->servername_done == 1
|
---|
1501 | && s->session->tlsext_hostname != NULL) {
|
---|
1502 | /*-
|
---|
1503 | * check for enough space.
|
---|
1504 | * 4 bytes for the server name type and extension length
|
---|
1505 | */
|
---|
1506 | if (CHECKLEN(ret, 4, limit))
|
---|
1507 | return NULL;
|
---|
1508 |
|
---|
1509 | s2n(TLSEXT_TYPE_server_name, ret);
|
---|
1510 | s2n(0, ret);
|
---|
1511 | }
|
---|
1512 | #ifndef OPENSSL_NO_EC
|
---|
1513 | if (using_ecc) {
|
---|
1514 | const unsigned char *plist;
|
---|
1515 | size_t plistlen;
|
---|
1516 | /*
|
---|
1517 | * Add TLS extension ECPointFormats to the ServerHello message
|
---|
1518 | */
|
---|
1519 |
|
---|
1520 | tls1_get_formatlist(s, &plist, &plistlen);
|
---|
1521 |
|
---|
1522 | if (plistlen > 255) {
|
---|
1523 | SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
---|
1524 | return NULL;
|
---|
1525 | }
|
---|
1526 |
|
---|
1527 | /*-
|
---|
1528 | * check for enough space.
|
---|
1529 | * 4 bytes for the ec points format type and extension length
|
---|
1530 | * 1 byte for the points format list length
|
---|
1531 | * + length of points format list
|
---|
1532 | */
|
---|
1533 | if (CHECKLEN(ret, 5 + plistlen, limit))
|
---|
1534 | return NULL;
|
---|
1535 |
|
---|
1536 | s2n(TLSEXT_TYPE_ec_point_formats, ret);
|
---|
1537 | s2n(plistlen + 1, ret);
|
---|
1538 | *(ret++) = (unsigned char)plistlen;
|
---|
1539 | memcpy(ret, plist, plistlen);
|
---|
1540 | ret += plistlen;
|
---|
1541 |
|
---|
1542 | }
|
---|
1543 | /*
|
---|
1544 | * Currently the server should not respond with a SupportedCurves
|
---|
1545 | * extension
|
---|
1546 | */
|
---|
1547 | #endif /* OPENSSL_NO_EC */
|
---|
1548 |
|
---|
1549 | if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
|
---|
1550 | /*-
|
---|
1551 | * check for enough space.
|
---|
1552 | * 4 bytes for the Ticket type and extension length
|
---|
1553 | */
|
---|
1554 | if (CHECKLEN(ret, 4, limit))
|
---|
1555 | return NULL;
|
---|
1556 | s2n(TLSEXT_TYPE_session_ticket, ret);
|
---|
1557 | s2n(0, ret);
|
---|
1558 | } else {
|
---|
1559 | /*
|
---|
1560 | * if we don't add the above TLSEXT, we can't add a session ticket
|
---|
1561 | * later
|
---|
1562 | */
|
---|
1563 | s->tlsext_ticket_expected = 0;
|
---|
1564 | }
|
---|
1565 |
|
---|
1566 | if (s->tlsext_status_expected) {
|
---|
1567 | /*-
|
---|
1568 | * check for enough space.
|
---|
1569 | * 4 bytes for the Status request type and extension length
|
---|
1570 | */
|
---|
1571 | if (CHECKLEN(ret, 4, limit))
|
---|
1572 | return NULL;
|
---|
1573 | s2n(TLSEXT_TYPE_status_request, ret);
|
---|
1574 | s2n(0, ret);
|
---|
1575 | }
|
---|
1576 | #ifndef OPENSSL_NO_SRTP
|
---|
1577 | if (SSL_IS_DTLS(s) && s->srtp_profile) {
|
---|
1578 | int el;
|
---|
1579 |
|
---|
1580 | /* Returns 0 on success!! */
|
---|
1581 | if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
|
---|
1582 | SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
---|
1583 | return NULL;
|
---|
1584 | }
|
---|
1585 | /*-
|
---|
1586 | * check for enough space.
|
---|
1587 | * 4 bytes for the SRTP profiles type and extension length
|
---|
1588 | * + length of the SRTP profiles list
|
---|
1589 | */
|
---|
1590 | if (CHECKLEN(ret, 4 + el, limit))
|
---|
1591 | return NULL;
|
---|
1592 |
|
---|
1593 | s2n(TLSEXT_TYPE_use_srtp, ret);
|
---|
1594 | s2n(el, ret);
|
---|
1595 |
|
---|
1596 | if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
|
---|
1597 | SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
---|
1598 | return NULL;
|
---|
1599 | }
|
---|
1600 | ret += el;
|
---|
1601 | }
|
---|
1602 | #endif
|
---|
1603 |
|
---|
1604 | if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
|
---|
1605 | || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
|
---|
1606 | && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
|
---|
1607 | const unsigned char cryptopro_ext[36] = {
|
---|
1608 | 0xfd, 0xe8, /* 65000 */
|
---|
1609 | 0x00, 0x20, /* 32 bytes length */
|
---|
1610 | 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
|
---|
1611 | 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
|
---|
1612 | 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
|
---|
1613 | 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
|
---|
1614 | };
|
---|
1615 |
|
---|
1616 | /* check for enough space. */
|
---|
1617 | if (CHECKLEN(ret, sizeof(cryptopro_ext), limit))
|
---|
1618 | return NULL;
|
---|
1619 | memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
|
---|
1620 | ret += sizeof(cryptopro_ext);
|
---|
1621 |
|
---|
1622 | }
|
---|
1623 | #ifndef OPENSSL_NO_HEARTBEATS
|
---|
1624 | /* Add Heartbeat extension if we've received one */
|
---|
1625 | if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
|
---|
1626 | /*-
|
---|
1627 | * check for enough space.
|
---|
1628 | * 4 bytes for the Heartbeat type and extension length
|
---|
1629 | * 1 byte for the mode
|
---|
1630 | */
|
---|
1631 | if (CHECKLEN(ret, 5, limit))
|
---|
1632 | return NULL;
|
---|
1633 | s2n(TLSEXT_TYPE_heartbeat, ret);
|
---|
1634 | s2n(1, ret);
|
---|
1635 | /*-
|
---|
1636 | * Set mode:
|
---|
1637 | * 1: peer may send requests
|
---|
1638 | * 2: peer not allowed to send requests
|
---|
1639 | */
|
---|
1640 | if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
|
---|
1641 | *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
|
---|
1642 | else
|
---|
1643 | *(ret++) = SSL_DTLSEXT_HB_ENABLED;
|
---|
1644 |
|
---|
1645 | }
|
---|
1646 | #endif
|
---|
1647 |
|
---|
1648 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
1649 | next_proto_neg_seen = s->s3->next_proto_neg_seen;
|
---|
1650 | s->s3->next_proto_neg_seen = 0;
|
---|
1651 | if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
|
---|
1652 | const unsigned char *npa;
|
---|
1653 | unsigned int npalen;
|
---|
1654 | int r;
|
---|
1655 |
|
---|
1656 | r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
|
---|
1657 | s->
|
---|
1658 | ctx->next_protos_advertised_cb_arg);
|
---|
1659 | if (r == SSL_TLSEXT_ERR_OK) {
|
---|
1660 | /*-
|
---|
1661 | * check for enough space.
|
---|
1662 | * 4 bytes for the NPN type and extension length
|
---|
1663 | * + length of protocols list
|
---|
1664 | */
|
---|
1665 | if (CHECKLEN(ret, 4 + npalen, limit))
|
---|
1666 | return NULL;
|
---|
1667 | s2n(TLSEXT_TYPE_next_proto_neg, ret);
|
---|
1668 | s2n(npalen, ret);
|
---|
1669 | memcpy(ret, npa, npalen);
|
---|
1670 | ret += npalen;
|
---|
1671 | s->s3->next_proto_neg_seen = 1;
|
---|
1672 | }
|
---|
1673 | }
|
---|
1674 | #endif
|
---|
1675 | if (!custom_ext_add(s, 1, &ret, limit, al))
|
---|
1676 | return NULL;
|
---|
1677 | if (s->tlsext_use_etm) {
|
---|
1678 | /*
|
---|
1679 | * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
|
---|
1680 | * for other cases too.
|
---|
1681 | */
|
---|
1682 | if (SSL_IS_DTLS(s) || s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
|
---|
1683 | || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
|
---|
1684 | || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
|
---|
1685 | || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
|
---|
1686 | s->tlsext_use_etm = 0;
|
---|
1687 | else {
|
---|
1688 | /*-
|
---|
1689 | * check for enough space.
|
---|
1690 | * 4 bytes for the ETM type and extension length
|
---|
1691 | */
|
---|
1692 | if (CHECKLEN(ret, 4, limit))
|
---|
1693 | return NULL;
|
---|
1694 | s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
|
---|
1695 | s2n(0, ret);
|
---|
1696 | }
|
---|
1697 | }
|
---|
1698 | if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
|
---|
1699 | /*-
|
---|
1700 | * check for enough space.
|
---|
1701 | * 4 bytes for the EMS type and extension length
|
---|
1702 | */
|
---|
1703 | if (CHECKLEN(ret, 4, limit))
|
---|
1704 | return NULL;
|
---|
1705 | s2n(TLSEXT_TYPE_extended_master_secret, ret);
|
---|
1706 | s2n(0, ret);
|
---|
1707 | }
|
---|
1708 |
|
---|
1709 | if (s->s3->alpn_selected != NULL) {
|
---|
1710 | const unsigned char *selected = s->s3->alpn_selected;
|
---|
1711 | size_t len = s->s3->alpn_selected_len;
|
---|
1712 |
|
---|
1713 | /*-
|
---|
1714 | * check for enough space.
|
---|
1715 | * 4 bytes for the ALPN type and extension length
|
---|
1716 | * 2 bytes for ALPN data length
|
---|
1717 | * 1 byte for selected protocol length
|
---|
1718 | * + length of the selected protocol
|
---|
1719 | */
|
---|
1720 | if (CHECKLEN(ret, 7 + len, limit))
|
---|
1721 | return NULL;
|
---|
1722 | s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
|
---|
1723 | s2n(3 + len, ret);
|
---|
1724 | s2n(1 + len, ret);
|
---|
1725 | *ret++ = len;
|
---|
1726 | memcpy(ret, selected, len);
|
---|
1727 | ret += len;
|
---|
1728 | }
|
---|
1729 |
|
---|
1730 | done:
|
---|
1731 |
|
---|
1732 | if ((extdatalen = ret - orig - 2) == 0)
|
---|
1733 | return orig;
|
---|
1734 |
|
---|
1735 | s2n(extdatalen, orig);
|
---|
1736 | return ret;
|
---|
1737 | }
|
---|
1738 |
|
---|
1739 | /*
|
---|
1740 | * Save the ALPN extension in a ClientHello.
|
---|
1741 | * pkt: the contents of the ALPN extension, not including type and length.
|
---|
1742 | * al: a pointer to the alert value to send in the event of a failure.
|
---|
1743 | * returns: 1 on success, 0 on error.
|
---|
1744 | */
|
---|
1745 | static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
|
---|
1746 | {
|
---|
1747 | PACKET protocol_list, save_protocol_list, protocol;
|
---|
1748 |
|
---|
1749 | *al = SSL_AD_DECODE_ERROR;
|
---|
1750 |
|
---|
1751 | if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
|
---|
1752 | || PACKET_remaining(&protocol_list) < 2) {
|
---|
1753 | return 0;
|
---|
1754 | }
|
---|
1755 |
|
---|
1756 | save_protocol_list = protocol_list;
|
---|
1757 | do {
|
---|
1758 | /* Protocol names can't be empty. */
|
---|
1759 | if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
|
---|
1760 | || PACKET_remaining(&protocol) == 0) {
|
---|
1761 | return 0;
|
---|
1762 | }
|
---|
1763 | } while (PACKET_remaining(&protocol_list) != 0);
|
---|
1764 |
|
---|
1765 | if (!PACKET_memdup(&save_protocol_list,
|
---|
1766 | &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
|
---|
1767 | *al = TLS1_AD_INTERNAL_ERROR;
|
---|
1768 | return 0;
|
---|
1769 | }
|
---|
1770 |
|
---|
1771 | return 1;
|
---|
1772 | }
|
---|
1773 |
|
---|
1774 | /*
|
---|
1775 | * Process the ALPN extension in a ClientHello.
|
---|
1776 | * al: a pointer to the alert value to send in the event of a failure.
|
---|
1777 | * returns 1 on success, 0 on error.
|
---|
1778 | */
|
---|
1779 | static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
|
---|
1780 | {
|
---|
1781 | const unsigned char *selected = NULL;
|
---|
1782 | unsigned char selected_len = 0;
|
---|
1783 |
|
---|
1784 | if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
|
---|
1785 | int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
|
---|
1786 | s->s3->alpn_proposed,
|
---|
1787 | s->s3->alpn_proposed_len,
|
---|
1788 | s->ctx->alpn_select_cb_arg);
|
---|
1789 |
|
---|
1790 | if (r == SSL_TLSEXT_ERR_OK) {
|
---|
1791 | OPENSSL_free(s->s3->alpn_selected);
|
---|
1792 | s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
|
---|
1793 | if (s->s3->alpn_selected == NULL) {
|
---|
1794 | *al = SSL_AD_INTERNAL_ERROR;
|
---|
1795 | return 0;
|
---|
1796 | }
|
---|
1797 | s->s3->alpn_selected_len = selected_len;
|
---|
1798 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
1799 | /* ALPN takes precedence over NPN. */
|
---|
1800 | s->s3->next_proto_neg_seen = 0;
|
---|
1801 | #endif
|
---|
1802 | } else {
|
---|
1803 | *al = SSL_AD_NO_APPLICATION_PROTOCOL;
|
---|
1804 | return 0;
|
---|
1805 | }
|
---|
1806 | }
|
---|
1807 |
|
---|
1808 | return 1;
|
---|
1809 | }
|
---|
1810 |
|
---|
1811 | #ifndef OPENSSL_NO_EC
|
---|
1812 | /*-
|
---|
1813 | * ssl_check_for_safari attempts to fingerprint Safari using OS X
|
---|
1814 | * SecureTransport using the TLS extension block in |pkt|.
|
---|
1815 | * Safari, since 10.6, sends exactly these extensions, in this order:
|
---|
1816 | * SNI,
|
---|
1817 | * elliptic_curves
|
---|
1818 | * ec_point_formats
|
---|
1819 | *
|
---|
1820 | * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
|
---|
1821 | * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
|
---|
1822 | * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
|
---|
1823 | * 10.8..10.8.3 (which don't work).
|
---|
1824 | */
|
---|
1825 | static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
|
---|
1826 | {
|
---|
1827 | unsigned int type;
|
---|
1828 | PACKET sni, tmppkt;
|
---|
1829 | size_t ext_len;
|
---|
1830 |
|
---|
1831 | static const unsigned char kSafariExtensionsBlock[] = {
|
---|
1832 | 0x00, 0x0a, /* elliptic_curves extension */
|
---|
1833 | 0x00, 0x08, /* 8 bytes */
|
---|
1834 | 0x00, 0x06, /* 6 bytes of curve ids */
|
---|
1835 | 0x00, 0x17, /* P-256 */
|
---|
1836 | 0x00, 0x18, /* P-384 */
|
---|
1837 | 0x00, 0x19, /* P-521 */
|
---|
1838 |
|
---|
1839 | 0x00, 0x0b, /* ec_point_formats */
|
---|
1840 | 0x00, 0x02, /* 2 bytes */
|
---|
1841 | 0x01, /* 1 point format */
|
---|
1842 | 0x00, /* uncompressed */
|
---|
1843 | /* The following is only present in TLS 1.2 */
|
---|
1844 | 0x00, 0x0d, /* signature_algorithms */
|
---|
1845 | 0x00, 0x0c, /* 12 bytes */
|
---|
1846 | 0x00, 0x0a, /* 10 bytes */
|
---|
1847 | 0x05, 0x01, /* SHA-384/RSA */
|
---|
1848 | 0x04, 0x01, /* SHA-256/RSA */
|
---|
1849 | 0x02, 0x01, /* SHA-1/RSA */
|
---|
1850 | 0x04, 0x03, /* SHA-256/ECDSA */
|
---|
1851 | 0x02, 0x03, /* SHA-1/ECDSA */
|
---|
1852 | };
|
---|
1853 |
|
---|
1854 | /* Length of the common prefix (first two extensions). */
|
---|
1855 | static const size_t kSafariCommonExtensionsLength = 18;
|
---|
1856 |
|
---|
1857 | tmppkt = *pkt;
|
---|
1858 |
|
---|
1859 | if (!PACKET_forward(&tmppkt, 2)
|
---|
1860 | || !PACKET_get_net_2(&tmppkt, &type)
|
---|
1861 | || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
|
---|
1862 | return;
|
---|
1863 | }
|
---|
1864 |
|
---|
1865 | if (type != TLSEXT_TYPE_server_name)
|
---|
1866 | return;
|
---|
1867 |
|
---|
1868 | ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
|
---|
1869 | sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
|
---|
1870 |
|
---|
1871 | s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
|
---|
1872 | ext_len);
|
---|
1873 | }
|
---|
1874 | #endif /* !OPENSSL_NO_EC */
|
---|
1875 |
|
---|
1876 | /*
|
---|
1877 | * Parse ClientHello extensions and stash extension info in various parts of
|
---|
1878 | * the SSL object. Verify that there are no duplicate extensions.
|
---|
1879 | *
|
---|
1880 | * Behaviour upon resumption is extension-specific. If the extension has no
|
---|
1881 | * effect during resumption, it is parsed (to verify its format) but otherwise
|
---|
1882 | * ignored.
|
---|
1883 | *
|
---|
1884 | * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure.
|
---|
1885 | * Upon failure, sets |al| to the appropriate alert.
|
---|
1886 | */
|
---|
1887 | static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
|
---|
1888 | {
|
---|
1889 | unsigned int type;
|
---|
1890 | int renegotiate_seen = 0;
|
---|
1891 | PACKET extensions;
|
---|
1892 |
|
---|
1893 | *al = SSL_AD_DECODE_ERROR;
|
---|
1894 | s->servername_done = 0;
|
---|
1895 | s->tlsext_status_type = -1;
|
---|
1896 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
1897 | s->s3->next_proto_neg_seen = 0;
|
---|
1898 | #endif
|
---|
1899 |
|
---|
1900 | OPENSSL_free(s->s3->alpn_selected);
|
---|
1901 | s->s3->alpn_selected = NULL;
|
---|
1902 | s->s3->alpn_selected_len = 0;
|
---|
1903 | OPENSSL_free(s->s3->alpn_proposed);
|
---|
1904 | s->s3->alpn_proposed = NULL;
|
---|
1905 | s->s3->alpn_proposed_len = 0;
|
---|
1906 | #ifndef OPENSSL_NO_HEARTBEATS
|
---|
1907 | s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
|
---|
1908 | SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
|
---|
1909 | #endif
|
---|
1910 |
|
---|
1911 | #ifndef OPENSSL_NO_EC
|
---|
1912 | if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
|
---|
1913 | ssl_check_for_safari(s, pkt);
|
---|
1914 | #endif /* !OPENSSL_NO_EC */
|
---|
1915 |
|
---|
1916 | /* Clear any signature algorithms extension received */
|
---|
1917 | OPENSSL_free(s->s3->tmp.peer_sigalgs);
|
---|
1918 | s->s3->tmp.peer_sigalgs = NULL;
|
---|
1919 | s->tlsext_use_etm = 0;
|
---|
1920 |
|
---|
1921 | #ifndef OPENSSL_NO_SRP
|
---|
1922 | OPENSSL_free(s->srp_ctx.login);
|
---|
1923 | s->srp_ctx.login = NULL;
|
---|
1924 | #endif
|
---|
1925 |
|
---|
1926 | s->srtp_profile = NULL;
|
---|
1927 |
|
---|
1928 | if (PACKET_remaining(pkt) == 0)
|
---|
1929 | goto ri_check;
|
---|
1930 |
|
---|
1931 | if (!PACKET_as_length_prefixed_2(pkt, &extensions))
|
---|
1932 | return 0;
|
---|
1933 |
|
---|
1934 | if (!tls1_check_duplicate_extensions(&extensions))
|
---|
1935 | return 0;
|
---|
1936 |
|
---|
1937 | /*
|
---|
1938 | * We parse all extensions to ensure the ClientHello is well-formed but,
|
---|
1939 | * unless an extension specifies otherwise, we ignore extensions upon
|
---|
1940 | * resumption.
|
---|
1941 | */
|
---|
1942 | while (PACKET_get_net_2(&extensions, &type)) {
|
---|
1943 | PACKET extension;
|
---|
1944 | if (!PACKET_get_length_prefixed_2(&extensions, &extension))
|
---|
1945 | return 0;
|
---|
1946 |
|
---|
1947 | if (s->tlsext_debug_cb)
|
---|
1948 | s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
|
---|
1949 | PACKET_remaining(&extension),
|
---|
1950 | s->tlsext_debug_arg);
|
---|
1951 |
|
---|
1952 | if (type == TLSEXT_TYPE_renegotiate) {
|
---|
1953 | if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al))
|
---|
1954 | return 0;
|
---|
1955 | renegotiate_seen = 1;
|
---|
1956 | } else if (s->version == SSL3_VERSION) {
|
---|
1957 | }
|
---|
1958 | /*-
|
---|
1959 | * The servername extension is treated as follows:
|
---|
1960 | *
|
---|
1961 | * - Only the hostname type is supported with a maximum length of 255.
|
---|
1962 | * - The servername is rejected if too long or if it contains zeros,
|
---|
1963 | * in which case an fatal alert is generated.
|
---|
1964 | * - The servername field is maintained together with the session cache.
|
---|
1965 | * - When a session is resumed, the servername call back invoked in order
|
---|
1966 | * to allow the application to position itself to the right context.
|
---|
1967 | * - The servername is acknowledged if it is new for a session or when
|
---|
1968 | * it is identical to a previously used for the same session.
|
---|
1969 | * Applications can control the behaviour. They can at any time
|
---|
1970 | * set a 'desirable' servername for a new SSL object. This can be the
|
---|
1971 | * case for example with HTTPS when a Host: header field is received and
|
---|
1972 | * a renegotiation is requested. In this case, a possible servername
|
---|
1973 | * presented in the new client hello is only acknowledged if it matches
|
---|
1974 | * the value of the Host: field.
|
---|
1975 | * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
|
---|
1976 | * if they provide for changing an explicit servername context for the
|
---|
1977 | * session, i.e. when the session has been established with a servername
|
---|
1978 | * extension.
|
---|
1979 | * - On session reconnect, the servername extension may be absent.
|
---|
1980 | *
|
---|
1981 | */
|
---|
1982 |
|
---|
1983 | else if (type == TLSEXT_TYPE_server_name) {
|
---|
1984 | unsigned int servname_type;
|
---|
1985 | PACKET sni, hostname;
|
---|
1986 |
|
---|
1987 | if (!PACKET_as_length_prefixed_2(&extension, &sni)
|
---|
1988 | /* ServerNameList must be at least 1 byte long. */
|
---|
1989 | || PACKET_remaining(&sni) == 0) {
|
---|
1990 | return 0;
|
---|
1991 | }
|
---|
1992 |
|
---|
1993 | /*
|
---|
1994 | * Although the server_name extension was intended to be
|
---|
1995 | * extensible to new name types, RFC 4366 defined the
|
---|
1996 | * syntax inextensibility and OpenSSL 1.0.x parses it as
|
---|
1997 | * such.
|
---|
1998 | * RFC 6066 corrected the mistake but adding new name types
|
---|
1999 | * is nevertheless no longer feasible, so act as if no other
|
---|
2000 | * SNI types can exist, to simplify parsing.
|
---|
2001 | *
|
---|
2002 | * Also note that the RFC permits only one SNI value per type,
|
---|
2003 | * i.e., we can only have a single hostname.
|
---|
2004 | */
|
---|
2005 | if (!PACKET_get_1(&sni, &servname_type)
|
---|
2006 | || servname_type != TLSEXT_NAMETYPE_host_name
|
---|
2007 | || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
|
---|
2008 | return 0;
|
---|
2009 | }
|
---|
2010 |
|
---|
2011 | if (!s->hit) {
|
---|
2012 | if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
|
---|
2013 | *al = TLS1_AD_UNRECOGNIZED_NAME;
|
---|
2014 | return 0;
|
---|
2015 | }
|
---|
2016 |
|
---|
2017 | if (PACKET_contains_zero_byte(&hostname)) {
|
---|
2018 | *al = TLS1_AD_UNRECOGNIZED_NAME;
|
---|
2019 | return 0;
|
---|
2020 | }
|
---|
2021 |
|
---|
2022 | if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
|
---|
2023 | *al = TLS1_AD_INTERNAL_ERROR;
|
---|
2024 | return 0;
|
---|
2025 | }
|
---|
2026 |
|
---|
2027 | s->servername_done = 1;
|
---|
2028 | } else {
|
---|
2029 | /*
|
---|
2030 | * TODO(openssl-team): if the SNI doesn't match, we MUST
|
---|
2031 | * fall back to a full handshake.
|
---|
2032 | */
|
---|
2033 | s->servername_done = s->session->tlsext_hostname
|
---|
2034 | && PACKET_equal(&hostname, s->session->tlsext_hostname,
|
---|
2035 | strlen(s->session->tlsext_hostname));
|
---|
2036 | }
|
---|
2037 | }
|
---|
2038 | #ifndef OPENSSL_NO_SRP
|
---|
2039 | else if (type == TLSEXT_TYPE_srp) {
|
---|
2040 | PACKET srp_I;
|
---|
2041 |
|
---|
2042 | if (!PACKET_as_length_prefixed_1(&extension, &srp_I))
|
---|
2043 | return 0;
|
---|
2044 |
|
---|
2045 | if (PACKET_contains_zero_byte(&srp_I))
|
---|
2046 | return 0;
|
---|
2047 |
|
---|
2048 | /*
|
---|
2049 | * TODO(openssl-team): currently, we re-authenticate the user
|
---|
2050 | * upon resumption. Instead, we MUST ignore the login.
|
---|
2051 | */
|
---|
2052 | if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
|
---|
2053 | *al = TLS1_AD_INTERNAL_ERROR;
|
---|
2054 | return 0;
|
---|
2055 | }
|
---|
2056 | }
|
---|
2057 | #endif
|
---|
2058 |
|
---|
2059 | #ifndef OPENSSL_NO_EC
|
---|
2060 | else if (type == TLSEXT_TYPE_ec_point_formats) {
|
---|
2061 | PACKET ec_point_format_list;
|
---|
2062 |
|
---|
2063 | if (!PACKET_as_length_prefixed_1(&extension, &ec_point_format_list)
|
---|
2064 | || PACKET_remaining(&ec_point_format_list) == 0) {
|
---|
2065 | return 0;
|
---|
2066 | }
|
---|
2067 |
|
---|
2068 | if (!s->hit) {
|
---|
2069 | if (!PACKET_memdup(&ec_point_format_list,
|
---|
2070 | &s->session->tlsext_ecpointformatlist,
|
---|
2071 | &s->
|
---|
2072 | session->tlsext_ecpointformatlist_length)) {
|
---|
2073 | *al = TLS1_AD_INTERNAL_ERROR;
|
---|
2074 | return 0;
|
---|
2075 | }
|
---|
2076 | }
|
---|
2077 | } else if (type == TLSEXT_TYPE_elliptic_curves) {
|
---|
2078 | PACKET elliptic_curve_list;
|
---|
2079 |
|
---|
2080 | /* Each NamedCurve is 2 bytes and we must have at least 1. */
|
---|
2081 | if (!PACKET_as_length_prefixed_2(&extension, &elliptic_curve_list)
|
---|
2082 | || PACKET_remaining(&elliptic_curve_list) == 0
|
---|
2083 | || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
|
---|
2084 | return 0;
|
---|
2085 | }
|
---|
2086 |
|
---|
2087 | if (!s->hit) {
|
---|
2088 | if (!PACKET_memdup(&elliptic_curve_list,
|
---|
2089 | &s->session->tlsext_ellipticcurvelist,
|
---|
2090 | &s->
|
---|
2091 | session->tlsext_ellipticcurvelist_length)) {
|
---|
2092 | *al = TLS1_AD_INTERNAL_ERROR;
|
---|
2093 | return 0;
|
---|
2094 | }
|
---|
2095 | }
|
---|
2096 | }
|
---|
2097 | #endif /* OPENSSL_NO_EC */
|
---|
2098 | else if (type == TLSEXT_TYPE_session_ticket) {
|
---|
2099 | if (s->tls_session_ticket_ext_cb &&
|
---|
2100 | !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
|
---|
2101 | PACKET_remaining(&extension),
|
---|
2102 | s->tls_session_ticket_ext_cb_arg))
|
---|
2103 | {
|
---|
2104 | *al = TLS1_AD_INTERNAL_ERROR;
|
---|
2105 | return 0;
|
---|
2106 | }
|
---|
2107 | } else if (type == TLSEXT_TYPE_signature_algorithms) {
|
---|
2108 | PACKET supported_sig_algs;
|
---|
2109 |
|
---|
2110 | if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs)
|
---|
2111 | || (PACKET_remaining(&supported_sig_algs) % 2) != 0
|
---|
2112 | || PACKET_remaining(&supported_sig_algs) == 0) {
|
---|
2113 | return 0;
|
---|
2114 | }
|
---|
2115 |
|
---|
2116 | if (!s->hit) {
|
---|
2117 | if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
|
---|
2118 | PACKET_remaining(&supported_sig_algs))) {
|
---|
2119 | return 0;
|
---|
2120 | }
|
---|
2121 | }
|
---|
2122 | } else if (type == TLSEXT_TYPE_status_request) {
|
---|
2123 | if (!PACKET_get_1(&extension,
|
---|
2124 | (unsigned int *)&s->tlsext_status_type)) {
|
---|
2125 | return 0;
|
---|
2126 | }
|
---|
2127 | #ifndef OPENSSL_NO_OCSP
|
---|
2128 | if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
|
---|
2129 | const unsigned char *ext_data;
|
---|
2130 | PACKET responder_id_list, exts;
|
---|
2131 | if (!PACKET_get_length_prefixed_2
|
---|
2132 | (&extension, &responder_id_list))
|
---|
2133 | return 0;
|
---|
2134 |
|
---|
2135 | /*
|
---|
2136 | * We remove any OCSP_RESPIDs from a previous handshake
|
---|
2137 | * to prevent unbounded memory growth - CVE-2016-6304
|
---|
2138 | */
|
---|
2139 | sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
|
---|
2140 | OCSP_RESPID_free);
|
---|
2141 | if (PACKET_remaining(&responder_id_list) > 0) {
|
---|
2142 | s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
|
---|
2143 | if (s->tlsext_ocsp_ids == NULL) {
|
---|
2144 | *al = SSL_AD_INTERNAL_ERROR;
|
---|
2145 | return 0;
|
---|
2146 | }
|
---|
2147 | } else {
|
---|
2148 | s->tlsext_ocsp_ids = NULL;
|
---|
2149 | }
|
---|
2150 |
|
---|
2151 | while (PACKET_remaining(&responder_id_list) > 0) {
|
---|
2152 | OCSP_RESPID *id;
|
---|
2153 | PACKET responder_id;
|
---|
2154 | const unsigned char *id_data;
|
---|
2155 |
|
---|
2156 | if (!PACKET_get_length_prefixed_2(&responder_id_list,
|
---|
2157 | &responder_id)
|
---|
2158 | || PACKET_remaining(&responder_id) == 0) {
|
---|
2159 | return 0;
|
---|
2160 | }
|
---|
2161 |
|
---|
2162 | id_data = PACKET_data(&responder_id);
|
---|
2163 | id = d2i_OCSP_RESPID(NULL, &id_data,
|
---|
2164 | PACKET_remaining(&responder_id));
|
---|
2165 | if (id == NULL)
|
---|
2166 | return 0;
|
---|
2167 |
|
---|
2168 | if (id_data != PACKET_end(&responder_id)) {
|
---|
2169 | OCSP_RESPID_free(id);
|
---|
2170 | return 0;
|
---|
2171 | }
|
---|
2172 |
|
---|
2173 | if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
|
---|
2174 | OCSP_RESPID_free(id);
|
---|
2175 | *al = SSL_AD_INTERNAL_ERROR;
|
---|
2176 | return 0;
|
---|
2177 | }
|
---|
2178 | }
|
---|
2179 |
|
---|
2180 | /* Read in request_extensions */
|
---|
2181 | if (!PACKET_as_length_prefixed_2(&extension, &exts))
|
---|
2182 | return 0;
|
---|
2183 |
|
---|
2184 | if (PACKET_remaining(&exts) > 0) {
|
---|
2185 | ext_data = PACKET_data(&exts);
|
---|
2186 | sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
|
---|
2187 | X509_EXTENSION_free);
|
---|
2188 | s->tlsext_ocsp_exts =
|
---|
2189 | d2i_X509_EXTENSIONS(NULL, &ext_data,
|
---|
2190 | PACKET_remaining(&exts));
|
---|
2191 | if (s->tlsext_ocsp_exts == NULL
|
---|
2192 | || ext_data != PACKET_end(&exts)) {
|
---|
2193 | return 0;
|
---|
2194 | }
|
---|
2195 | }
|
---|
2196 | } else
|
---|
2197 | #endif
|
---|
2198 | {
|
---|
2199 | /*
|
---|
2200 | * We don't know what to do with any other type so ignore it.
|
---|
2201 | */
|
---|
2202 | s->tlsext_status_type = -1;
|
---|
2203 | }
|
---|
2204 | }
|
---|
2205 | #ifndef OPENSSL_NO_HEARTBEATS
|
---|
2206 | else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
|
---|
2207 | unsigned int hbtype;
|
---|
2208 |
|
---|
2209 | if (!PACKET_get_1(&extension, &hbtype)
|
---|
2210 | || PACKET_remaining(&extension)) {
|
---|
2211 | *al = SSL_AD_DECODE_ERROR;
|
---|
2212 | return 0;
|
---|
2213 | }
|
---|
2214 | switch (hbtype) {
|
---|
2215 | case 0x01: /* Client allows us to send HB requests */
|
---|
2216 | s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
|
---|
2217 | break;
|
---|
2218 | case 0x02: /* Client doesn't accept HB requests */
|
---|
2219 | s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
|
---|
2220 | s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
|
---|
2221 | break;
|
---|
2222 | default:
|
---|
2223 | *al = SSL_AD_ILLEGAL_PARAMETER;
|
---|
2224 | return 0;
|
---|
2225 | }
|
---|
2226 | }
|
---|
2227 | #endif
|
---|
2228 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
2229 | else if (type == TLSEXT_TYPE_next_proto_neg &&
|
---|
2230 | s->s3->tmp.finish_md_len == 0) {
|
---|
2231 | /*-
|
---|
2232 | * We shouldn't accept this extension on a
|
---|
2233 | * renegotiation.
|
---|
2234 | *
|
---|
2235 | * s->new_session will be set on renegotiation, but we
|
---|
2236 | * probably shouldn't rely that it couldn't be set on
|
---|
2237 | * the initial renegotiation too in certain cases (when
|
---|
2238 | * there's some other reason to disallow resuming an
|
---|
2239 | * earlier session -- the current code won't be doing
|
---|
2240 | * anything like that, but this might change).
|
---|
2241 | *
|
---|
2242 | * A valid sign that there's been a previous handshake
|
---|
2243 | * in this connection is if s->s3->tmp.finish_md_len >
|
---|
2244 | * 0. (We are talking about a check that will happen
|
---|
2245 | * in the Hello protocol round, well before a new
|
---|
2246 | * Finished message could have been computed.)
|
---|
2247 | */
|
---|
2248 | s->s3->next_proto_neg_seen = 1;
|
---|
2249 | }
|
---|
2250 | #endif
|
---|
2251 |
|
---|
2252 | else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
|
---|
2253 | s->s3->tmp.finish_md_len == 0) {
|
---|
2254 | if (!tls1_alpn_handle_client_hello(s, &extension, al))
|
---|
2255 | return 0;
|
---|
2256 | }
|
---|
2257 |
|
---|
2258 | /* session ticket processed earlier */
|
---|
2259 | #ifndef OPENSSL_NO_SRTP
|
---|
2260 | else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
|
---|
2261 | && type == TLSEXT_TYPE_use_srtp) {
|
---|
2262 | if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al))
|
---|
2263 | return 0;
|
---|
2264 | }
|
---|
2265 | #endif
|
---|
2266 | else if (type == TLSEXT_TYPE_encrypt_then_mac)
|
---|
2267 | s->tlsext_use_etm = 1;
|
---|
2268 | /*
|
---|
2269 | * Note: extended master secret extension handled in
|
---|
2270 | * tls_check_serverhello_tlsext_early()
|
---|
2271 | */
|
---|
2272 |
|
---|
2273 | /*
|
---|
2274 | * If this ClientHello extension was unhandled and this is a
|
---|
2275 | * nonresumed connection, check whether the extension is a custom
|
---|
2276 | * TLS Extension (has a custom_srv_ext_record), and if so call the
|
---|
2277 | * callback and record the extension number so that an appropriate
|
---|
2278 | * ServerHello may be later returned.
|
---|
2279 | */
|
---|
2280 | else if (!s->hit) {
|
---|
2281 | if (custom_ext_parse(s, 1, type, PACKET_data(&extension),
|
---|
2282 | PACKET_remaining(&extension), al) <= 0)
|
---|
2283 | return 0;
|
---|
2284 | }
|
---|
2285 | }
|
---|
2286 |
|
---|
2287 | if (PACKET_remaining(pkt) != 0) {
|
---|
2288 | /*
|
---|
2289 | * tls1_check_duplicate_extensions should ensure this never happens.
|
---|
2290 | */
|
---|
2291 | *al = SSL_AD_INTERNAL_ERROR;
|
---|
2292 | return 0;
|
---|
2293 | }
|
---|
2294 |
|
---|
2295 | ri_check:
|
---|
2296 |
|
---|
2297 | /* Need RI if renegotiating */
|
---|
2298 |
|
---|
2299 | if (!renegotiate_seen && s->renegotiate &&
|
---|
2300 | !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
|
---|
2301 | *al = SSL_AD_HANDSHAKE_FAILURE;
|
---|
2302 | SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
|
---|
2303 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
---|
2304 | return 0;
|
---|
2305 | }
|
---|
2306 |
|
---|
2307 | /*
|
---|
2308 | * This function currently has no state to clean up, so it returns directly.
|
---|
2309 | * If parsing fails at any point, the function returns early.
|
---|
2310 | * The SSL object may be left with partial data from extensions, but it must
|
---|
2311 | * then no longer be used, and clearing it up will free the leftovers.
|
---|
2312 | */
|
---|
2313 | return 1;
|
---|
2314 | }
|
---|
2315 |
|
---|
2316 | int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
|
---|
2317 | {
|
---|
2318 | int al = -1;
|
---|
2319 | custom_ext_init(&s->cert->srv_ext);
|
---|
2320 | if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
|
---|
2321 | ssl3_send_alert(s, SSL3_AL_FATAL, al);
|
---|
2322 | return 0;
|
---|
2323 | }
|
---|
2324 | if (ssl_check_clienthello_tlsext_early(s) <= 0) {
|
---|
2325 | SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
|
---|
2326 | return 0;
|
---|
2327 | }
|
---|
2328 | return 1;
|
---|
2329 | }
|
---|
2330 |
|
---|
2331 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
2332 | /*
|
---|
2333 | * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
|
---|
2334 | * elements of zero length are allowed and the set of elements must exactly
|
---|
2335 | * fill the length of the block.
|
---|
2336 | */
|
---|
2337 | static char ssl_next_proto_validate(PACKET *pkt)
|
---|
2338 | {
|
---|
2339 | PACKET tmp_protocol;
|
---|
2340 |
|
---|
2341 | while (PACKET_remaining(pkt)) {
|
---|
2342 | if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
|
---|
2343 | || PACKET_remaining(&tmp_protocol) == 0)
|
---|
2344 | return 0;
|
---|
2345 | }
|
---|
2346 |
|
---|
2347 | return 1;
|
---|
2348 | }
|
---|
2349 | #endif
|
---|
2350 |
|
---|
2351 | static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
|
---|
2352 | {
|
---|
2353 | unsigned int length, type, size;
|
---|
2354 | int tlsext_servername = 0;
|
---|
2355 | int renegotiate_seen = 0;
|
---|
2356 |
|
---|
2357 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
2358 | s->s3->next_proto_neg_seen = 0;
|
---|
2359 | #endif
|
---|
2360 | s->tlsext_ticket_expected = 0;
|
---|
2361 |
|
---|
2362 | OPENSSL_free(s->s3->alpn_selected);
|
---|
2363 | s->s3->alpn_selected = NULL;
|
---|
2364 | #ifndef OPENSSL_NO_HEARTBEATS
|
---|
2365 | s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
|
---|
2366 | SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
|
---|
2367 | #endif
|
---|
2368 |
|
---|
2369 | s->tlsext_use_etm = 0;
|
---|
2370 |
|
---|
2371 | s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
|
---|
2372 |
|
---|
2373 | if (!PACKET_get_net_2(pkt, &length))
|
---|
2374 | goto ri_check;
|
---|
2375 |
|
---|
2376 | if (PACKET_remaining(pkt) != length) {
|
---|
2377 | *al = SSL_AD_DECODE_ERROR;
|
---|
2378 | return 0;
|
---|
2379 | }
|
---|
2380 |
|
---|
2381 | if (!tls1_check_duplicate_extensions(pkt)) {
|
---|
2382 | *al = SSL_AD_DECODE_ERROR;
|
---|
2383 | return 0;
|
---|
2384 | }
|
---|
2385 |
|
---|
2386 | while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
|
---|
2387 | const unsigned char *data;
|
---|
2388 | PACKET spkt;
|
---|
2389 |
|
---|
2390 | if (!PACKET_get_sub_packet(pkt, &spkt, size)
|
---|
2391 | || !PACKET_peek_bytes(&spkt, &data, size))
|
---|
2392 | goto ri_check;
|
---|
2393 |
|
---|
2394 | if (s->tlsext_debug_cb)
|
---|
2395 | s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
|
---|
2396 |
|
---|
2397 | if (type == TLSEXT_TYPE_renegotiate) {
|
---|
2398 | if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
|
---|
2399 | return 0;
|
---|
2400 | renegotiate_seen = 1;
|
---|
2401 | } else if (s->version == SSL3_VERSION) {
|
---|
2402 | } else if (type == TLSEXT_TYPE_server_name) {
|
---|
2403 | if (s->tlsext_hostname == NULL || size > 0) {
|
---|
2404 | *al = TLS1_AD_UNRECOGNIZED_NAME;
|
---|
2405 | return 0;
|
---|
2406 | }
|
---|
2407 | tlsext_servername = 1;
|
---|
2408 | }
|
---|
2409 | #ifndef OPENSSL_NO_EC
|
---|
2410 | else if (type == TLSEXT_TYPE_ec_point_formats) {
|
---|
2411 | unsigned int ecpointformatlist_length;
|
---|
2412 | if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
|
---|
2413 | || ecpointformatlist_length != size - 1) {
|
---|
2414 | *al = TLS1_AD_DECODE_ERROR;
|
---|
2415 | return 0;
|
---|
2416 | }
|
---|
2417 | if (!s->hit) {
|
---|
2418 | s->session->tlsext_ecpointformatlist_length = 0;
|
---|
2419 | OPENSSL_free(s->session->tlsext_ecpointformatlist);
|
---|
2420 | if ((s->session->tlsext_ecpointformatlist =
|
---|
2421 | OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
|
---|
2422 | *al = TLS1_AD_INTERNAL_ERROR;
|
---|
2423 | return 0;
|
---|
2424 | }
|
---|
2425 | s->session->tlsext_ecpointformatlist_length =
|
---|
2426 | ecpointformatlist_length;
|
---|
2427 | if (!PACKET_copy_bytes(&spkt,
|
---|
2428 | s->session->tlsext_ecpointformatlist,
|
---|
2429 | ecpointformatlist_length)) {
|
---|
2430 | *al = TLS1_AD_DECODE_ERROR;
|
---|
2431 | return 0;
|
---|
2432 | }
|
---|
2433 |
|
---|
2434 | }
|
---|
2435 | }
|
---|
2436 | #endif /* OPENSSL_NO_EC */
|
---|
2437 |
|
---|
2438 | else if (type == TLSEXT_TYPE_session_ticket) {
|
---|
2439 | if (s->tls_session_ticket_ext_cb &&
|
---|
2440 | !s->tls_session_ticket_ext_cb(s, data, size,
|
---|
2441 | s->tls_session_ticket_ext_cb_arg))
|
---|
2442 | {
|
---|
2443 | *al = TLS1_AD_INTERNAL_ERROR;
|
---|
2444 | return 0;
|
---|
2445 | }
|
---|
2446 | if (!tls_use_ticket(s) || (size > 0)) {
|
---|
2447 | *al = TLS1_AD_UNSUPPORTED_EXTENSION;
|
---|
2448 | return 0;
|
---|
2449 | }
|
---|
2450 | s->tlsext_ticket_expected = 1;
|
---|
2451 | } else if (type == TLSEXT_TYPE_status_request) {
|
---|
2452 | /*
|
---|
2453 | * MUST be empty and only sent if we've requested a status
|
---|
2454 | * request message.
|
---|
2455 | */
|
---|
2456 | if ((s->tlsext_status_type == -1) || (size > 0)) {
|
---|
2457 | *al = TLS1_AD_UNSUPPORTED_EXTENSION;
|
---|
2458 | return 0;
|
---|
2459 | }
|
---|
2460 | /* Set flag to expect CertificateStatus message */
|
---|
2461 | s->tlsext_status_expected = 1;
|
---|
2462 | }
|
---|
2463 | #ifndef OPENSSL_NO_CT
|
---|
2464 | /*
|
---|
2465 | * Only take it if we asked for it - i.e if there is no CT validation
|
---|
2466 | * callback set, then a custom extension MAY be processing it, so we
|
---|
2467 | * need to let control continue to flow to that.
|
---|
2468 | */
|
---|
2469 | else if (type == TLSEXT_TYPE_signed_certificate_timestamp &&
|
---|
2470 | s->ct_validation_callback != NULL) {
|
---|
2471 | /* Simply copy it off for later processing */
|
---|
2472 | if (s->tlsext_scts != NULL) {
|
---|
2473 | OPENSSL_free(s->tlsext_scts);
|
---|
2474 | s->tlsext_scts = NULL;
|
---|
2475 | }
|
---|
2476 | s->tlsext_scts_len = size;
|
---|
2477 | if (size > 0) {
|
---|
2478 | s->tlsext_scts = OPENSSL_malloc(size);
|
---|
2479 | if (s->tlsext_scts == NULL) {
|
---|
2480 | *al = TLS1_AD_INTERNAL_ERROR;
|
---|
2481 | return 0;
|
---|
2482 | }
|
---|
2483 | memcpy(s->tlsext_scts, data, size);
|
---|
2484 | }
|
---|
2485 | }
|
---|
2486 | #endif
|
---|
2487 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
2488 | else if (type == TLSEXT_TYPE_next_proto_neg &&
|
---|
2489 | s->s3->tmp.finish_md_len == 0) {
|
---|
2490 | unsigned char *selected;
|
---|
2491 | unsigned char selected_len;
|
---|
2492 | /* We must have requested it. */
|
---|
2493 | if (s->ctx->next_proto_select_cb == NULL) {
|
---|
2494 | *al = TLS1_AD_UNSUPPORTED_EXTENSION;
|
---|
2495 | return 0;
|
---|
2496 | }
|
---|
2497 | /* The data must be valid */
|
---|
2498 | if (!ssl_next_proto_validate(&spkt)) {
|
---|
2499 | *al = TLS1_AD_DECODE_ERROR;
|
---|
2500 | return 0;
|
---|
2501 | }
|
---|
2502 | if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data,
|
---|
2503 | size,
|
---|
2504 | s->
|
---|
2505 | ctx->next_proto_select_cb_arg) !=
|
---|
2506 | SSL_TLSEXT_ERR_OK) {
|
---|
2507 | *al = TLS1_AD_INTERNAL_ERROR;
|
---|
2508 | return 0;
|
---|
2509 | }
|
---|
2510 | /*
|
---|
2511 | * Could be non-NULL if server has sent multiple NPN extensions in
|
---|
2512 | * a single Serverhello
|
---|
2513 | */
|
---|
2514 | OPENSSL_free(s->next_proto_negotiated);
|
---|
2515 | s->next_proto_negotiated = OPENSSL_malloc(selected_len);
|
---|
2516 | if (s->next_proto_negotiated == NULL) {
|
---|
2517 | *al = TLS1_AD_INTERNAL_ERROR;
|
---|
2518 | return 0;
|
---|
2519 | }
|
---|
2520 | memcpy(s->next_proto_negotiated, selected, selected_len);
|
---|
2521 | s->next_proto_negotiated_len = selected_len;
|
---|
2522 | s->s3->next_proto_neg_seen = 1;
|
---|
2523 | }
|
---|
2524 | #endif
|
---|
2525 |
|
---|
2526 | else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
|
---|
2527 | unsigned len;
|
---|
2528 | /* We must have requested it. */
|
---|
2529 | if (!s->s3->alpn_sent) {
|
---|
2530 | *al = TLS1_AD_UNSUPPORTED_EXTENSION;
|
---|
2531 | return 0;
|
---|
2532 | }
|
---|
2533 | /*-
|
---|
2534 | * The extension data consists of:
|
---|
2535 | * uint16 list_length
|
---|
2536 | * uint8 proto_length;
|
---|
2537 | * uint8 proto[proto_length];
|
---|
2538 | */
|
---|
2539 | if (!PACKET_get_net_2(&spkt, &len)
|
---|
2540 | || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len)
|
---|
2541 | || PACKET_remaining(&spkt) != len) {
|
---|
2542 | *al = TLS1_AD_DECODE_ERROR;
|
---|
2543 | return 0;
|
---|
2544 | }
|
---|
2545 | OPENSSL_free(s->s3->alpn_selected);
|
---|
2546 | s->s3->alpn_selected = OPENSSL_malloc(len);
|
---|
2547 | if (s->s3->alpn_selected == NULL) {
|
---|
2548 | *al = TLS1_AD_INTERNAL_ERROR;
|
---|
2549 | return 0;
|
---|
2550 | }
|
---|
2551 | if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
|
---|
2552 | *al = TLS1_AD_DECODE_ERROR;
|
---|
2553 | return 0;
|
---|
2554 | }
|
---|
2555 | s->s3->alpn_selected_len = len;
|
---|
2556 | }
|
---|
2557 | #ifndef OPENSSL_NO_HEARTBEATS
|
---|
2558 | else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
|
---|
2559 | unsigned int hbtype;
|
---|
2560 | if (!PACKET_get_1(&spkt, &hbtype)) {
|
---|
2561 | *al = SSL_AD_DECODE_ERROR;
|
---|
2562 | return 0;
|
---|
2563 | }
|
---|
2564 | switch (hbtype) {
|
---|
2565 | case 0x01: /* Server allows us to send HB requests */
|
---|
2566 | s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
|
---|
2567 | break;
|
---|
2568 | case 0x02: /* Server doesn't accept HB requests */
|
---|
2569 | s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
|
---|
2570 | s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
|
---|
2571 | break;
|
---|
2572 | default:
|
---|
2573 | *al = SSL_AD_ILLEGAL_PARAMETER;
|
---|
2574 | return 0;
|
---|
2575 | }
|
---|
2576 | }
|
---|
2577 | #endif
|
---|
2578 | #ifndef OPENSSL_NO_SRTP
|
---|
2579 | else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
|
---|
2580 | if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
|
---|
2581 | return 0;
|
---|
2582 | }
|
---|
2583 | #endif
|
---|
2584 | else if (type == TLSEXT_TYPE_encrypt_then_mac) {
|
---|
2585 | /* Ignore if inappropriate ciphersuite */
|
---|
2586 | if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
|
---|
2587 | && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
|
---|
2588 | s->tlsext_use_etm = 1;
|
---|
2589 | } else if (type == TLSEXT_TYPE_extended_master_secret) {
|
---|
2590 | s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
|
---|
2591 | if (!s->hit)
|
---|
2592 | s->session->flags |= SSL_SESS_FLAG_EXTMS;
|
---|
2593 | }
|
---|
2594 | /*
|
---|
2595 | * If this extension type was not otherwise handled, but matches a
|
---|
2596 | * custom_cli_ext_record, then send it to the c callback
|
---|
2597 | */
|
---|
2598 | else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
|
---|
2599 | return 0;
|
---|
2600 | }
|
---|
2601 |
|
---|
2602 | if (PACKET_remaining(pkt) != 0) {
|
---|
2603 | *al = SSL_AD_DECODE_ERROR;
|
---|
2604 | return 0;
|
---|
2605 | }
|
---|
2606 |
|
---|
2607 | if (!s->hit && tlsext_servername == 1) {
|
---|
2608 | if (s->tlsext_hostname) {
|
---|
2609 | if (s->session->tlsext_hostname == NULL) {
|
---|
2610 | s->session->tlsext_hostname =
|
---|
2611 | OPENSSL_strdup(s->tlsext_hostname);
|
---|
2612 | if (!s->session->tlsext_hostname) {
|
---|
2613 | *al = SSL_AD_UNRECOGNIZED_NAME;
|
---|
2614 | return 0;
|
---|
2615 | }
|
---|
2616 | } else {
|
---|
2617 | *al = SSL_AD_DECODE_ERROR;
|
---|
2618 | return 0;
|
---|
2619 | }
|
---|
2620 | }
|
---|
2621 | }
|
---|
2622 |
|
---|
2623 | ri_check:
|
---|
2624 |
|
---|
2625 | /*
|
---|
2626 | * Determine if we need to see RI. Strictly speaking if we want to avoid
|
---|
2627 | * an attack we should *always* see RI even on initial server hello
|
---|
2628 | * because the client doesn't see any renegotiation during an attack.
|
---|
2629 | * However this would mean we could not connect to any server which
|
---|
2630 | * doesn't support RI so for the immediate future tolerate RI absence
|
---|
2631 | */
|
---|
2632 | if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
|
---|
2633 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
|
---|
2634 | *al = SSL_AD_HANDSHAKE_FAILURE;
|
---|
2635 | SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
|
---|
2636 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
---|
2637 | return 0;
|
---|
2638 | }
|
---|
2639 |
|
---|
2640 | if (s->hit) {
|
---|
2641 | /*
|
---|
2642 | * Check extended master secret extension is consistent with
|
---|
2643 | * original session.
|
---|
2644 | */
|
---|
2645 | if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
|
---|
2646 | !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
|
---|
2647 | *al = SSL_AD_HANDSHAKE_FAILURE;
|
---|
2648 | SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
|
---|
2649 | return 0;
|
---|
2650 | }
|
---|
2651 | }
|
---|
2652 |
|
---|
2653 | return 1;
|
---|
2654 | }
|
---|
2655 |
|
---|
2656 | int ssl_prepare_clienthello_tlsext(SSL *s)
|
---|
2657 | {
|
---|
2658 | s->s3->alpn_sent = 0;
|
---|
2659 | return 1;
|
---|
2660 | }
|
---|
2661 |
|
---|
2662 | int ssl_prepare_serverhello_tlsext(SSL *s)
|
---|
2663 | {
|
---|
2664 | return 1;
|
---|
2665 | }
|
---|
2666 |
|
---|
2667 | static int ssl_check_clienthello_tlsext_early(SSL *s)
|
---|
2668 | {
|
---|
2669 | int ret = SSL_TLSEXT_ERR_NOACK;
|
---|
2670 | int al = SSL_AD_UNRECOGNIZED_NAME;
|
---|
2671 |
|
---|
2672 | #ifndef OPENSSL_NO_EC
|
---|
2673 | /*
|
---|
2674 | * The handling of the ECPointFormats extension is done elsewhere, namely
|
---|
2675 | * in ssl3_choose_cipher in s3_lib.c.
|
---|
2676 | */
|
---|
2677 | /*
|
---|
2678 | * The handling of the EllipticCurves extension is done elsewhere, namely
|
---|
2679 | * in ssl3_choose_cipher in s3_lib.c.
|
---|
2680 | */
|
---|
2681 | #endif
|
---|
2682 |
|
---|
2683 | if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
|
---|
2684 | ret =
|
---|
2685 | s->ctx->tlsext_servername_callback(s, &al,
|
---|
2686 | s->ctx->tlsext_servername_arg);
|
---|
2687 | else if (s->session_ctx != NULL
|
---|
2688 | && s->session_ctx->tlsext_servername_callback != 0)
|
---|
2689 | ret =
|
---|
2690 | s->session_ctx->tlsext_servername_callback(s, &al,
|
---|
2691 | s->
|
---|
2692 | session_ctx->tlsext_servername_arg);
|
---|
2693 |
|
---|
2694 | switch (ret) {
|
---|
2695 | case SSL_TLSEXT_ERR_ALERT_FATAL:
|
---|
2696 | ssl3_send_alert(s, SSL3_AL_FATAL, al);
|
---|
2697 | return -1;
|
---|
2698 |
|
---|
2699 | case SSL_TLSEXT_ERR_ALERT_WARNING:
|
---|
2700 | ssl3_send_alert(s, SSL3_AL_WARNING, al);
|
---|
2701 | return 1;
|
---|
2702 |
|
---|
2703 | case SSL_TLSEXT_ERR_NOACK:
|
---|
2704 | s->servername_done = 0;
|
---|
2705 | default:
|
---|
2706 | return 1;
|
---|
2707 | }
|
---|
2708 | }
|
---|
2709 |
|
---|
2710 | /* Initialise digests to default values */
|
---|
2711 | void ssl_set_default_md(SSL *s)
|
---|
2712 | {
|
---|
2713 | const EVP_MD **pmd = s->s3->tmp.md;
|
---|
2714 | #ifndef OPENSSL_NO_DSA
|
---|
2715 | pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
|
---|
2716 | #endif
|
---|
2717 | #ifndef OPENSSL_NO_RSA
|
---|
2718 | if (SSL_USE_SIGALGS(s))
|
---|
2719 | pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
|
---|
2720 | else
|
---|
2721 | pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
|
---|
2722 | pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
|
---|
2723 | #endif
|
---|
2724 | #ifndef OPENSSL_NO_EC
|
---|
2725 | pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
|
---|
2726 | #endif
|
---|
2727 | #ifndef OPENSSL_NO_GOST
|
---|
2728 | pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
|
---|
2729 | pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
|
---|
2730 | pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
|
---|
2731 | #endif
|
---|
2732 | }
|
---|
2733 |
|
---|
2734 | int tls1_set_server_sigalgs(SSL *s)
|
---|
2735 | {
|
---|
2736 | int al;
|
---|
2737 | size_t i;
|
---|
2738 |
|
---|
2739 | /* Clear any shared signature algorithms */
|
---|
2740 | OPENSSL_free(s->cert->shared_sigalgs);
|
---|
2741 | s->cert->shared_sigalgs = NULL;
|
---|
2742 | s->cert->shared_sigalgslen = 0;
|
---|
2743 | /* Clear certificate digests and validity flags */
|
---|
2744 | for (i = 0; i < SSL_PKEY_NUM; i++) {
|
---|
2745 | s->s3->tmp.md[i] = NULL;
|
---|
2746 | s->s3->tmp.valid_flags[i] = 0;
|
---|
2747 | }
|
---|
2748 |
|
---|
2749 | /* If sigalgs received process it. */
|
---|
2750 | if (s->s3->tmp.peer_sigalgs) {
|
---|
2751 | if (!tls1_process_sigalgs(s)) {
|
---|
2752 | SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
|
---|
2753 | al = SSL_AD_INTERNAL_ERROR;
|
---|
2754 | goto err;
|
---|
2755 | }
|
---|
2756 | /* Fatal error is no shared signature algorithms */
|
---|
2757 | if (!s->cert->shared_sigalgs) {
|
---|
2758 | SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
|
---|
2759 | SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
|
---|
2760 | al = SSL_AD_ILLEGAL_PARAMETER;
|
---|
2761 | goto err;
|
---|
2762 | }
|
---|
2763 | } else {
|
---|
2764 | ssl_set_default_md(s);
|
---|
2765 | }
|
---|
2766 | return 1;
|
---|
2767 | err:
|
---|
2768 | ssl3_send_alert(s, SSL3_AL_FATAL, al);
|
---|
2769 | return 0;
|
---|
2770 | }
|
---|
2771 |
|
---|
2772 | /*
|
---|
2773 | * Upon success, returns 1.
|
---|
2774 | * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
|
---|
2775 | */
|
---|
2776 | int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
|
---|
2777 | {
|
---|
2778 | s->tlsext_status_expected = 0;
|
---|
2779 |
|
---|
2780 | /*
|
---|
2781 | * If status request then ask callback what to do. Note: this must be
|
---|
2782 | * called after servername callbacks in case the certificate has changed,
|
---|
2783 | * and must be called after the cipher has been chosen because this may
|
---|
2784 | * influence which certificate is sent
|
---|
2785 | */
|
---|
2786 | if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
|
---|
2787 | int ret;
|
---|
2788 | CERT_PKEY *certpkey;
|
---|
2789 | certpkey = ssl_get_server_send_pkey(s);
|
---|
2790 | /* If no certificate can't return certificate status */
|
---|
2791 | if (certpkey != NULL) {
|
---|
2792 | /*
|
---|
2793 | * Set current certificate to one we will use so SSL_get_certificate
|
---|
2794 | * et al can pick it up.
|
---|
2795 | */
|
---|
2796 | s->cert->key = certpkey;
|
---|
2797 | ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
|
---|
2798 | switch (ret) {
|
---|
2799 | /* We don't want to send a status request response */
|
---|
2800 | case SSL_TLSEXT_ERR_NOACK:
|
---|
2801 | s->tlsext_status_expected = 0;
|
---|
2802 | break;
|
---|
2803 | /* status request response should be sent */
|
---|
2804 | case SSL_TLSEXT_ERR_OK:
|
---|
2805 | if (s->tlsext_ocsp_resp)
|
---|
2806 | s->tlsext_status_expected = 1;
|
---|
2807 | break;
|
---|
2808 | /* something bad happened */
|
---|
2809 | case SSL_TLSEXT_ERR_ALERT_FATAL:
|
---|
2810 | default:
|
---|
2811 | *al = SSL_AD_INTERNAL_ERROR;
|
---|
2812 | return 0;
|
---|
2813 | }
|
---|
2814 | }
|
---|
2815 | }
|
---|
2816 |
|
---|
2817 | if (!tls1_alpn_handle_client_hello_late(s, al)) {
|
---|
2818 | return 0;
|
---|
2819 | }
|
---|
2820 |
|
---|
2821 | return 1;
|
---|
2822 | }
|
---|
2823 |
|
---|
2824 | int ssl_check_serverhello_tlsext(SSL *s)
|
---|
2825 | {
|
---|
2826 | int ret = SSL_TLSEXT_ERR_NOACK;
|
---|
2827 | int al = SSL_AD_UNRECOGNIZED_NAME;
|
---|
2828 |
|
---|
2829 | #ifndef OPENSSL_NO_EC
|
---|
2830 | /*
|
---|
2831 | * If we are client and using an elliptic curve cryptography cipher
|
---|
2832 | * suite, then if server returns an EC point formats lists extension it
|
---|
2833 | * must contain uncompressed.
|
---|
2834 | */
|
---|
2835 | unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
|
---|
2836 | unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
|
---|
2837 | if ((s->tlsext_ecpointformatlist != NULL)
|
---|
2838 | && (s->tlsext_ecpointformatlist_length > 0)
|
---|
2839 | && (s->session->tlsext_ecpointformatlist != NULL)
|
---|
2840 | && (s->session->tlsext_ecpointformatlist_length > 0)
|
---|
2841 | && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
|
---|
2842 | /* we are using an ECC cipher */
|
---|
2843 | size_t i;
|
---|
2844 | unsigned char *list;
|
---|
2845 | int found_uncompressed = 0;
|
---|
2846 | list = s->session->tlsext_ecpointformatlist;
|
---|
2847 | for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
|
---|
2848 | if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
|
---|
2849 | found_uncompressed = 1;
|
---|
2850 | break;
|
---|
2851 | }
|
---|
2852 | }
|
---|
2853 | if (!found_uncompressed) {
|
---|
2854 | SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
|
---|
2855 | SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
|
---|
2856 | return -1;
|
---|
2857 | }
|
---|
2858 | }
|
---|
2859 | ret = SSL_TLSEXT_ERR_OK;
|
---|
2860 | #endif /* OPENSSL_NO_EC */
|
---|
2861 |
|
---|
2862 | if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
|
---|
2863 | ret =
|
---|
2864 | s->ctx->tlsext_servername_callback(s, &al,
|
---|
2865 | s->ctx->tlsext_servername_arg);
|
---|
2866 | else if (s->session_ctx != NULL
|
---|
2867 | && s->session_ctx->tlsext_servername_callback != 0)
|
---|
2868 | ret =
|
---|
2869 | s->session_ctx->tlsext_servername_callback(s, &al,
|
---|
2870 | s->
|
---|
2871 | session_ctx->tlsext_servername_arg);
|
---|
2872 |
|
---|
2873 | /*
|
---|
2874 | * Ensure we get sensible values passed to tlsext_status_cb in the event
|
---|
2875 | * that we don't receive a status message
|
---|
2876 | */
|
---|
2877 | OPENSSL_free(s->tlsext_ocsp_resp);
|
---|
2878 | s->tlsext_ocsp_resp = NULL;
|
---|
2879 | s->tlsext_ocsp_resplen = -1;
|
---|
2880 |
|
---|
2881 | switch (ret) {
|
---|
2882 | case SSL_TLSEXT_ERR_ALERT_FATAL:
|
---|
2883 | ssl3_send_alert(s, SSL3_AL_FATAL, al);
|
---|
2884 | return -1;
|
---|
2885 |
|
---|
2886 | case SSL_TLSEXT_ERR_ALERT_WARNING:
|
---|
2887 | ssl3_send_alert(s, SSL3_AL_WARNING, al);
|
---|
2888 | return 1;
|
---|
2889 |
|
---|
2890 | case SSL_TLSEXT_ERR_NOACK:
|
---|
2891 | s->servername_done = 0;
|
---|
2892 | default:
|
---|
2893 | return 1;
|
---|
2894 | }
|
---|
2895 | }
|
---|
2896 |
|
---|
2897 | int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
|
---|
2898 | {
|
---|
2899 | int al = -1;
|
---|
2900 | if (s->version < SSL3_VERSION)
|
---|
2901 | return 1;
|
---|
2902 | if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
|
---|
2903 | ssl3_send_alert(s, SSL3_AL_FATAL, al);
|
---|
2904 | return 0;
|
---|
2905 | }
|
---|
2906 |
|
---|
2907 | if (ssl_check_serverhello_tlsext(s) <= 0) {
|
---|
2908 | SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
|
---|
2909 | return 0;
|
---|
2910 | }
|
---|
2911 | return 1;
|
---|
2912 | }
|
---|
2913 |
|
---|
2914 | /*-
|
---|
2915 | * Since the server cache lookup is done early on in the processing of the
|
---|
2916 | * ClientHello and other operations depend on the result some extensions
|
---|
2917 | * need to be handled at the same time.
|
---|
2918 | *
|
---|
2919 | * Two extensions are currently handled, session ticket and extended master
|
---|
2920 | * secret.
|
---|
2921 | *
|
---|
2922 | * session_id: ClientHello session ID.
|
---|
2923 | * ext: ClientHello extensions (including length prefix)
|
---|
2924 | * ret: (output) on return, if a ticket was decrypted, then this is set to
|
---|
2925 | * point to the resulting session.
|
---|
2926 | *
|
---|
2927 | * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
|
---|
2928 | * ciphersuite, in which case we have no use for session tickets and one will
|
---|
2929 | * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
|
---|
2930 | *
|
---|
2931 | * Returns:
|
---|
2932 | * -1: fatal error, either from parsing or decrypting the ticket.
|
---|
2933 | * 0: no ticket was found (or was ignored, based on settings).
|
---|
2934 | * 1: a zero length extension was found, indicating that the client supports
|
---|
2935 | * session tickets but doesn't currently have one to offer.
|
---|
2936 | * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
|
---|
2937 | * couldn't be decrypted because of a non-fatal error.
|
---|
2938 | * 3: a ticket was successfully decrypted and *ret was set.
|
---|
2939 | *
|
---|
2940 | * Side effects:
|
---|
2941 | * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
|
---|
2942 | * a new session ticket to the client because the client indicated support
|
---|
2943 | * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
|
---|
2944 | * a session ticket or we couldn't use the one it gave us, or if
|
---|
2945 | * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
|
---|
2946 | * Otherwise, s->tlsext_ticket_expected is set to 0.
|
---|
2947 | *
|
---|
2948 | * For extended master secret flag is set if the extension is present.
|
---|
2949 | *
|
---|
2950 | */
|
---|
2951 | int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
|
---|
2952 | const PACKET *session_id,
|
---|
2953 | SSL_SESSION **ret)
|
---|
2954 | {
|
---|
2955 | unsigned int i;
|
---|
2956 | PACKET local_ext = *ext;
|
---|
2957 | int retv = -1;
|
---|
2958 |
|
---|
2959 | int have_ticket = 0;
|
---|
2960 | int use_ticket = tls_use_ticket(s);
|
---|
2961 |
|
---|
2962 | *ret = NULL;
|
---|
2963 | s->tlsext_ticket_expected = 0;
|
---|
2964 | s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
|
---|
2965 |
|
---|
2966 | /*
|
---|
2967 | * If tickets disabled behave as if no ticket present to permit stateful
|
---|
2968 | * resumption.
|
---|
2969 | */
|
---|
2970 | if ((s->version <= SSL3_VERSION))
|
---|
2971 | return 0;
|
---|
2972 |
|
---|
2973 | if (!PACKET_get_net_2(&local_ext, &i)) {
|
---|
2974 | retv = 0;
|
---|
2975 | goto end;
|
---|
2976 | }
|
---|
2977 | while (PACKET_remaining(&local_ext) >= 4) {
|
---|
2978 | unsigned int type, size;
|
---|
2979 |
|
---|
2980 | if (!PACKET_get_net_2(&local_ext, &type)
|
---|
2981 | || !PACKET_get_net_2(&local_ext, &size)) {
|
---|
2982 | /* Shouldn't ever happen */
|
---|
2983 | retv = -1;
|
---|
2984 | goto end;
|
---|
2985 | }
|
---|
2986 | if (PACKET_remaining(&local_ext) < size) {
|
---|
2987 | retv = 0;
|
---|
2988 | goto end;
|
---|
2989 | }
|
---|
2990 | if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
|
---|
2991 | int r;
|
---|
2992 | const unsigned char *etick;
|
---|
2993 |
|
---|
2994 | /* Duplicate extension */
|
---|
2995 | if (have_ticket != 0) {
|
---|
2996 | retv = -1;
|
---|
2997 | goto end;
|
---|
2998 | }
|
---|
2999 | have_ticket = 1;
|
---|
3000 |
|
---|
3001 | if (size == 0) {
|
---|
3002 | /*
|
---|
3003 | * The client will accept a ticket but doesn't currently have
|
---|
3004 | * one.
|
---|
3005 | */
|
---|
3006 | s->tlsext_ticket_expected = 1;
|
---|
3007 | retv = 1;
|
---|
3008 | continue;
|
---|
3009 | }
|
---|
3010 | if (s->tls_session_secret_cb) {
|
---|
3011 | /*
|
---|
3012 | * Indicate that the ticket couldn't be decrypted rather than
|
---|
3013 | * generating the session from ticket now, trigger
|
---|
3014 | * abbreviated handshake based on external mechanism to
|
---|
3015 | * calculate the master secret later.
|
---|
3016 | */
|
---|
3017 | retv = 2;
|
---|
3018 | continue;
|
---|
3019 | }
|
---|
3020 | if (!PACKET_get_bytes(&local_ext, &etick, size)) {
|
---|
3021 | /* Shouldn't ever happen */
|
---|
3022 | retv = -1;
|
---|
3023 | goto end;
|
---|
3024 | }
|
---|
3025 | r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
|
---|
3026 | PACKET_remaining(session_id), ret);
|
---|
3027 | switch (r) {
|
---|
3028 | case 2: /* ticket couldn't be decrypted */
|
---|
3029 | s->tlsext_ticket_expected = 1;
|
---|
3030 | retv = 2;
|
---|
3031 | break;
|
---|
3032 | case 3: /* ticket was decrypted */
|
---|
3033 | retv = r;
|
---|
3034 | break;
|
---|
3035 | case 4: /* ticket decrypted but need to renew */
|
---|
3036 | s->tlsext_ticket_expected = 1;
|
---|
3037 | retv = 3;
|
---|
3038 | break;
|
---|
3039 | default: /* fatal error */
|
---|
3040 | retv = -1;
|
---|
3041 | break;
|
---|
3042 | }
|
---|
3043 | continue;
|
---|
3044 | } else {
|
---|
3045 | if (type == TLSEXT_TYPE_extended_master_secret)
|
---|
3046 | s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
|
---|
3047 | if (!PACKET_forward(&local_ext, size)) {
|
---|
3048 | retv = -1;
|
---|
3049 | goto end;
|
---|
3050 | }
|
---|
3051 | }
|
---|
3052 | }
|
---|
3053 | if (have_ticket == 0)
|
---|
3054 | retv = 0;
|
---|
3055 | end:
|
---|
3056 | return retv;
|
---|
3057 | }
|
---|
3058 |
|
---|
3059 | /*-
|
---|
3060 | * tls_decrypt_ticket attempts to decrypt a session ticket.
|
---|
3061 | *
|
---|
3062 | * etick: points to the body of the session ticket extension.
|
---|
3063 | * eticklen: the length of the session tickets extension.
|
---|
3064 | * sess_id: points at the session ID.
|
---|
3065 | * sesslen: the length of the session ID.
|
---|
3066 | * psess: (output) on return, if a ticket was decrypted, then this is set to
|
---|
3067 | * point to the resulting session.
|
---|
3068 | *
|
---|
3069 | * Returns:
|
---|
3070 | * -2: fatal error, malloc failure.
|
---|
3071 | * -1: fatal error, either from parsing or decrypting the ticket.
|
---|
3072 | * 2: the ticket couldn't be decrypted.
|
---|
3073 | * 3: a ticket was successfully decrypted and *psess was set.
|
---|
3074 | * 4: same as 3, but the ticket needs to be renewed.
|
---|
3075 | */
|
---|
3076 | static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
|
---|
3077 | int eticklen, const unsigned char *sess_id,
|
---|
3078 | int sesslen, SSL_SESSION **psess)
|
---|
3079 | {
|
---|
3080 | SSL_SESSION *sess;
|
---|
3081 | unsigned char *sdec;
|
---|
3082 | const unsigned char *p;
|
---|
3083 | int slen, mlen, renew_ticket = 0, ret = -1;
|
---|
3084 | unsigned char tick_hmac[EVP_MAX_MD_SIZE];
|
---|
3085 | HMAC_CTX *hctx = NULL;
|
---|
3086 | EVP_CIPHER_CTX *ctx;
|
---|
3087 | SSL_CTX *tctx = s->session_ctx;
|
---|
3088 |
|
---|
3089 | /* Initialize session ticket encryption and HMAC contexts */
|
---|
3090 | hctx = HMAC_CTX_new();
|
---|
3091 | if (hctx == NULL)
|
---|
3092 | return -2;
|
---|
3093 | ctx = EVP_CIPHER_CTX_new();
|
---|
3094 | if (ctx == NULL) {
|
---|
3095 | ret = -2;
|
---|
3096 | goto err;
|
---|
3097 | }
|
---|
3098 | if (tctx->tlsext_ticket_key_cb) {
|
---|
3099 | unsigned char *nctick = (unsigned char *)etick;
|
---|
3100 | int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
|
---|
3101 | ctx, hctx, 0);
|
---|
3102 | if (rv < 0)
|
---|
3103 | goto err;
|
---|
3104 | if (rv == 0) {
|
---|
3105 | ret = 2;
|
---|
3106 | goto err;
|
---|
3107 | }
|
---|
3108 | if (rv == 2)
|
---|
3109 | renew_ticket = 1;
|
---|
3110 | } else {
|
---|
3111 | /* Check key name matches */
|
---|
3112 | if (memcmp(etick, tctx->tlsext_tick_key_name,
|
---|
3113 | sizeof(tctx->tlsext_tick_key_name)) != 0) {
|
---|
3114 | ret = 2;
|
---|
3115 | goto err;
|
---|
3116 | }
|
---|
3117 | if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
|
---|
3118 | sizeof(tctx->tlsext_tick_hmac_key),
|
---|
3119 | EVP_sha256(), NULL) <= 0
|
---|
3120 | || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
|
---|
3121 | tctx->tlsext_tick_aes_key,
|
---|
3122 | etick + sizeof(tctx->tlsext_tick_key_name)) <=
|
---|
3123 | 0) {
|
---|
3124 | goto err;
|
---|
3125 | }
|
---|
3126 | }
|
---|
3127 | /*
|
---|
3128 | * Attempt to process session ticket, first conduct sanity and integrity
|
---|
3129 | * checks on ticket.
|
---|
3130 | */
|
---|
3131 | mlen = HMAC_size(hctx);
|
---|
3132 | if (mlen < 0) {
|
---|
3133 | goto err;
|
---|
3134 | }
|
---|
3135 | /* Sanity check ticket length: must exceed keyname + IV + HMAC */
|
---|
3136 | if (eticklen <=
|
---|
3137 | TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
|
---|
3138 | ret = 2;
|
---|
3139 | goto err;
|
---|
3140 | }
|
---|
3141 | eticklen -= mlen;
|
---|
3142 | /* Check HMAC of encrypted ticket */
|
---|
3143 | if (HMAC_Update(hctx, etick, eticklen) <= 0
|
---|
3144 | || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
|
---|
3145 | goto err;
|
---|
3146 | }
|
---|
3147 | HMAC_CTX_free(hctx);
|
---|
3148 | if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
|
---|
3149 | EVP_CIPHER_CTX_free(ctx);
|
---|
3150 | return 2;
|
---|
3151 | }
|
---|
3152 | /* Attempt to decrypt session data */
|
---|
3153 | /* Move p after IV to start of encrypted ticket, update length */
|
---|
3154 | p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
|
---|
3155 | eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
|
---|
3156 | sdec = OPENSSL_malloc(eticklen);
|
---|
3157 | if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
|
---|
3158 | EVP_CIPHER_CTX_free(ctx);
|
---|
3159 | OPENSSL_free(sdec);
|
---|
3160 | return -1;
|
---|
3161 | }
|
---|
3162 | if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
|
---|
3163 | EVP_CIPHER_CTX_free(ctx);
|
---|
3164 | OPENSSL_free(sdec);
|
---|
3165 | return 2;
|
---|
3166 | }
|
---|
3167 | slen += mlen;
|
---|
3168 | EVP_CIPHER_CTX_free(ctx);
|
---|
3169 | ctx = NULL;
|
---|
3170 | p = sdec;
|
---|
3171 |
|
---|
3172 | sess = d2i_SSL_SESSION(NULL, &p, slen);
|
---|
3173 | OPENSSL_free(sdec);
|
---|
3174 | if (sess) {
|
---|
3175 | /*
|
---|
3176 | * The session ID, if non-empty, is used by some clients to detect
|
---|
3177 | * that the ticket has been accepted. So we copy it to the session
|
---|
3178 | * structure. If it is empty set length to zero as required by
|
---|
3179 | * standard.
|
---|
3180 | */
|
---|
3181 | if (sesslen)
|
---|
3182 | memcpy(sess->session_id, sess_id, sesslen);
|
---|
3183 | sess->session_id_length = sesslen;
|
---|
3184 | *psess = sess;
|
---|
3185 | if (renew_ticket)
|
---|
3186 | return 4;
|
---|
3187 | else
|
---|
3188 | return 3;
|
---|
3189 | }
|
---|
3190 | ERR_clear_error();
|
---|
3191 | /*
|
---|
3192 | * For session parse failure, indicate that we need to send a new ticket.
|
---|
3193 | */
|
---|
3194 | return 2;
|
---|
3195 | err:
|
---|
3196 | EVP_CIPHER_CTX_free(ctx);
|
---|
3197 | HMAC_CTX_free(hctx);
|
---|
3198 | return ret;
|
---|
3199 | }
|
---|
3200 |
|
---|
3201 | /* Tables to translate from NIDs to TLS v1.2 ids */
|
---|
3202 |
|
---|
3203 | typedef struct {
|
---|
3204 | int nid;
|
---|
3205 | int id;
|
---|
3206 | } tls12_lookup;
|
---|
3207 |
|
---|
3208 | static const tls12_lookup tls12_md[] = {
|
---|
3209 | {NID_md5, TLSEXT_hash_md5},
|
---|
3210 | {NID_sha1, TLSEXT_hash_sha1},
|
---|
3211 | {NID_sha224, TLSEXT_hash_sha224},
|
---|
3212 | {NID_sha256, TLSEXT_hash_sha256},
|
---|
3213 | {NID_sha384, TLSEXT_hash_sha384},
|
---|
3214 | {NID_sha512, TLSEXT_hash_sha512},
|
---|
3215 | {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
|
---|
3216 | {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
|
---|
3217 | {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
|
---|
3218 | };
|
---|
3219 |
|
---|
3220 | static const tls12_lookup tls12_sig[] = {
|
---|
3221 | {EVP_PKEY_RSA, TLSEXT_signature_rsa},
|
---|
3222 | {EVP_PKEY_DSA, TLSEXT_signature_dsa},
|
---|
3223 | {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
|
---|
3224 | {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
|
---|
3225 | {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
|
---|
3226 | {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
|
---|
3227 | };
|
---|
3228 |
|
---|
3229 | static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
|
---|
3230 | {
|
---|
3231 | size_t i;
|
---|
3232 | for (i = 0; i < tlen; i++) {
|
---|
3233 | if (table[i].nid == nid)
|
---|
3234 | return table[i].id;
|
---|
3235 | }
|
---|
3236 | return -1;
|
---|
3237 | }
|
---|
3238 |
|
---|
3239 | static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
|
---|
3240 | {
|
---|
3241 | size_t i;
|
---|
3242 | for (i = 0; i < tlen; i++) {
|
---|
3243 | if ((table[i].id) == id)
|
---|
3244 | return table[i].nid;
|
---|
3245 | }
|
---|
3246 | return NID_undef;
|
---|
3247 | }
|
---|
3248 |
|
---|
3249 | int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
|
---|
3250 | {
|
---|
3251 | int sig_id, md_id;
|
---|
3252 | if (!md)
|
---|
3253 | return 0;
|
---|
3254 | md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
|
---|
3255 | if (md_id == -1)
|
---|
3256 | return 0;
|
---|
3257 | sig_id = tls12_get_sigid(pk);
|
---|
3258 | if (sig_id == -1)
|
---|
3259 | return 0;
|
---|
3260 | p[0] = (unsigned char)md_id;
|
---|
3261 | p[1] = (unsigned char)sig_id;
|
---|
3262 | return 1;
|
---|
3263 | }
|
---|
3264 |
|
---|
3265 | int tls12_get_sigid(const EVP_PKEY *pk)
|
---|
3266 | {
|
---|
3267 | return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
|
---|
3268 | }
|
---|
3269 |
|
---|
3270 | typedef struct {
|
---|
3271 | int nid;
|
---|
3272 | int secbits;
|
---|
3273 | int md_idx;
|
---|
3274 | unsigned char tlsext_hash;
|
---|
3275 | } tls12_hash_info;
|
---|
3276 |
|
---|
3277 | static const tls12_hash_info tls12_md_info[] = {
|
---|
3278 | {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
|
---|
3279 | {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
|
---|
3280 | {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
|
---|
3281 | {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
|
---|
3282 | {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
|
---|
3283 | {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
|
---|
3284 | {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
|
---|
3285 | {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX,
|
---|
3286 | TLSEXT_hash_gostr34112012_256},
|
---|
3287 | {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
|
---|
3288 | TLSEXT_hash_gostr34112012_512},
|
---|
3289 | };
|
---|
3290 |
|
---|
3291 | static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
|
---|
3292 | {
|
---|
3293 | unsigned int i;
|
---|
3294 | if (hash_alg == 0)
|
---|
3295 | return NULL;
|
---|
3296 |
|
---|
3297 | for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
|
---|
3298 | if (tls12_md_info[i].tlsext_hash == hash_alg)
|
---|
3299 | return tls12_md_info + i;
|
---|
3300 | }
|
---|
3301 |
|
---|
3302 | return NULL;
|
---|
3303 | }
|
---|
3304 |
|
---|
3305 | const EVP_MD *tls12_get_hash(unsigned char hash_alg)
|
---|
3306 | {
|
---|
3307 | const tls12_hash_info *inf;
|
---|
3308 | if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
|
---|
3309 | return NULL;
|
---|
3310 | inf = tls12_get_hash_info(hash_alg);
|
---|
3311 | if (!inf)
|
---|
3312 | return NULL;
|
---|
3313 | return ssl_md(inf->md_idx);
|
---|
3314 | }
|
---|
3315 |
|
---|
3316 | static int tls12_get_pkey_idx(unsigned char sig_alg)
|
---|
3317 | {
|
---|
3318 | switch (sig_alg) {
|
---|
3319 | #ifndef OPENSSL_NO_RSA
|
---|
3320 | case TLSEXT_signature_rsa:
|
---|
3321 | return SSL_PKEY_RSA_SIGN;
|
---|
3322 | #endif
|
---|
3323 | #ifndef OPENSSL_NO_DSA
|
---|
3324 | case TLSEXT_signature_dsa:
|
---|
3325 | return SSL_PKEY_DSA_SIGN;
|
---|
3326 | #endif
|
---|
3327 | #ifndef OPENSSL_NO_EC
|
---|
3328 | case TLSEXT_signature_ecdsa:
|
---|
3329 | return SSL_PKEY_ECC;
|
---|
3330 | #endif
|
---|
3331 | #ifndef OPENSSL_NO_GOST
|
---|
3332 | case TLSEXT_signature_gostr34102001:
|
---|
3333 | return SSL_PKEY_GOST01;
|
---|
3334 |
|
---|
3335 | case TLSEXT_signature_gostr34102012_256:
|
---|
3336 | return SSL_PKEY_GOST12_256;
|
---|
3337 |
|
---|
3338 | case TLSEXT_signature_gostr34102012_512:
|
---|
3339 | return SSL_PKEY_GOST12_512;
|
---|
3340 | #endif
|
---|
3341 | }
|
---|
3342 | return -1;
|
---|
3343 | }
|
---|
3344 |
|
---|
3345 | /* Convert TLS 1.2 signature algorithm extension values into NIDs */
|
---|
3346 | static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
|
---|
3347 | int *psignhash_nid, const unsigned char *data)
|
---|
3348 | {
|
---|
3349 | int sign_nid = NID_undef, hash_nid = NID_undef;
|
---|
3350 | if (!phash_nid && !psign_nid && !psignhash_nid)
|
---|
3351 | return;
|
---|
3352 | if (phash_nid || psignhash_nid) {
|
---|
3353 | hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
|
---|
3354 | if (phash_nid)
|
---|
3355 | *phash_nid = hash_nid;
|
---|
3356 | }
|
---|
3357 | if (psign_nid || psignhash_nid) {
|
---|
3358 | sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
|
---|
3359 | if (psign_nid)
|
---|
3360 | *psign_nid = sign_nid;
|
---|
3361 | }
|
---|
3362 | if (psignhash_nid) {
|
---|
3363 | if (sign_nid == NID_undef || hash_nid == NID_undef
|
---|
3364 | || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0)
|
---|
3365 | *psignhash_nid = NID_undef;
|
---|
3366 | }
|
---|
3367 | }
|
---|
3368 |
|
---|
3369 | /* Check to see if a signature algorithm is allowed */
|
---|
3370 | static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
|
---|
3371 | {
|
---|
3372 | /* See if we have an entry in the hash table and it is enabled */
|
---|
3373 | const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
|
---|
3374 | if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
|
---|
3375 | return 0;
|
---|
3376 | /* See if public key algorithm allowed */
|
---|
3377 | if (tls12_get_pkey_idx(ptmp[1]) == -1)
|
---|
3378 | return 0;
|
---|
3379 | /* Finally see if security callback allows it */
|
---|
3380 | return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
|
---|
3381 | }
|
---|
3382 |
|
---|
3383 | /*
|
---|
3384 | * Get a mask of disabled public key algorithms based on supported signature
|
---|
3385 | * algorithms. For example if no signature algorithm supports RSA then RSA is
|
---|
3386 | * disabled.
|
---|
3387 | */
|
---|
3388 |
|
---|
3389 | void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
|
---|
3390 | {
|
---|
3391 | const unsigned char *sigalgs;
|
---|
3392 | size_t i, sigalgslen;
|
---|
3393 | int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
|
---|
3394 | /*
|
---|
3395 | * Now go through all signature algorithms seeing if we support any for
|
---|
3396 | * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
|
---|
3397 | * down calls to security callback only check if we have to.
|
---|
3398 | */
|
---|
3399 | sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
|
---|
3400 | for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
|
---|
3401 | switch (sigalgs[1]) {
|
---|
3402 | #ifndef OPENSSL_NO_RSA
|
---|
3403 | case TLSEXT_signature_rsa:
|
---|
3404 | if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
|
---|
3405 | have_rsa = 1;
|
---|
3406 | break;
|
---|
3407 | #endif
|
---|
3408 | #ifndef OPENSSL_NO_DSA
|
---|
3409 | case TLSEXT_signature_dsa:
|
---|
3410 | if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
|
---|
3411 | have_dsa = 1;
|
---|
3412 | break;
|
---|
3413 | #endif
|
---|
3414 | #ifndef OPENSSL_NO_EC
|
---|
3415 | case TLSEXT_signature_ecdsa:
|
---|
3416 | if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
|
---|
3417 | have_ecdsa = 1;
|
---|
3418 | break;
|
---|
3419 | #endif
|
---|
3420 | }
|
---|
3421 | }
|
---|
3422 | if (!have_rsa)
|
---|
3423 | *pmask_a |= SSL_aRSA;
|
---|
3424 | if (!have_dsa)
|
---|
3425 | *pmask_a |= SSL_aDSS;
|
---|
3426 | if (!have_ecdsa)
|
---|
3427 | *pmask_a |= SSL_aECDSA;
|
---|
3428 | }
|
---|
3429 |
|
---|
3430 | size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
|
---|
3431 | const unsigned char *psig, size_t psiglen)
|
---|
3432 | {
|
---|
3433 | unsigned char *tmpout = out;
|
---|
3434 | size_t i;
|
---|
3435 | for (i = 0; i < psiglen; i += 2, psig += 2) {
|
---|
3436 | if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
|
---|
3437 | *tmpout++ = psig[0];
|
---|
3438 | *tmpout++ = psig[1];
|
---|
3439 | }
|
---|
3440 | }
|
---|
3441 | return tmpout - out;
|
---|
3442 | }
|
---|
3443 |
|
---|
3444 | /* Given preference and allowed sigalgs set shared sigalgs */
|
---|
3445 | static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
|
---|
3446 | const unsigned char *pref, size_t preflen,
|
---|
3447 | const unsigned char *allow, size_t allowlen)
|
---|
3448 | {
|
---|
3449 | const unsigned char *ptmp, *atmp;
|
---|
3450 | size_t i, j, nmatch = 0;
|
---|
3451 | for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
|
---|
3452 | /* Skip disabled hashes or signature algorithms */
|
---|
3453 | if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
|
---|
3454 | continue;
|
---|
3455 | for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
|
---|
3456 | if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
|
---|
3457 | nmatch++;
|
---|
3458 | if (shsig) {
|
---|
3459 | shsig->rhash = ptmp[0];
|
---|
3460 | shsig->rsign = ptmp[1];
|
---|
3461 | tls1_lookup_sigalg(&shsig->hash_nid,
|
---|
3462 | &shsig->sign_nid,
|
---|
3463 | &shsig->signandhash_nid, ptmp);
|
---|
3464 | shsig++;
|
---|
3465 | }
|
---|
3466 | break;
|
---|
3467 | }
|
---|
3468 | }
|
---|
3469 | }
|
---|
3470 | return nmatch;
|
---|
3471 | }
|
---|
3472 |
|
---|
3473 | /* Set shared signature algorithms for SSL structures */
|
---|
3474 | static int tls1_set_shared_sigalgs(SSL *s)
|
---|
3475 | {
|
---|
3476 | const unsigned char *pref, *allow, *conf;
|
---|
3477 | size_t preflen, allowlen, conflen;
|
---|
3478 | size_t nmatch;
|
---|
3479 | TLS_SIGALGS *salgs = NULL;
|
---|
3480 | CERT *c = s->cert;
|
---|
3481 | unsigned int is_suiteb = tls1_suiteb(s);
|
---|
3482 |
|
---|
3483 | OPENSSL_free(c->shared_sigalgs);
|
---|
3484 | c->shared_sigalgs = NULL;
|
---|
3485 | c->shared_sigalgslen = 0;
|
---|
3486 | /* If client use client signature algorithms if not NULL */
|
---|
3487 | if (!s->server && c->client_sigalgs && !is_suiteb) {
|
---|
3488 | conf = c->client_sigalgs;
|
---|
3489 | conflen = c->client_sigalgslen;
|
---|
3490 | } else if (c->conf_sigalgs && !is_suiteb) {
|
---|
3491 | conf = c->conf_sigalgs;
|
---|
3492 | conflen = c->conf_sigalgslen;
|
---|
3493 | } else
|
---|
3494 | conflen = tls12_get_psigalgs(s, 0, &conf);
|
---|
3495 | if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
|
---|
3496 | pref = conf;
|
---|
3497 | preflen = conflen;
|
---|
3498 | allow = s->s3->tmp.peer_sigalgs;
|
---|
3499 | allowlen = s->s3->tmp.peer_sigalgslen;
|
---|
3500 | } else {
|
---|
3501 | allow = conf;
|
---|
3502 | allowlen = conflen;
|
---|
3503 | pref = s->s3->tmp.peer_sigalgs;
|
---|
3504 | preflen = s->s3->tmp.peer_sigalgslen;
|
---|
3505 | }
|
---|
3506 | nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
|
---|
3507 | if (nmatch) {
|
---|
3508 | salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
|
---|
3509 | if (salgs == NULL)
|
---|
3510 | return 0;
|
---|
3511 | nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
|
---|
3512 | } else {
|
---|
3513 | salgs = NULL;
|
---|
3514 | }
|
---|
3515 | c->shared_sigalgs = salgs;
|
---|
3516 | c->shared_sigalgslen = nmatch;
|
---|
3517 | return 1;
|
---|
3518 | }
|
---|
3519 |
|
---|
3520 | /* Set preferred digest for each key type */
|
---|
3521 |
|
---|
3522 | int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
|
---|
3523 | {
|
---|
3524 | CERT *c = s->cert;
|
---|
3525 | /* Extension ignored for inappropriate versions */
|
---|
3526 | if (!SSL_USE_SIGALGS(s))
|
---|
3527 | return 1;
|
---|
3528 | /* Should never happen */
|
---|
3529 | if (!c)
|
---|
3530 | return 0;
|
---|
3531 |
|
---|
3532 | OPENSSL_free(s->s3->tmp.peer_sigalgs);
|
---|
3533 | s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
|
---|
3534 | if (s->s3->tmp.peer_sigalgs == NULL)
|
---|
3535 | return 0;
|
---|
3536 | s->s3->tmp.peer_sigalgslen = dsize;
|
---|
3537 | memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
|
---|
3538 | return 1;
|
---|
3539 | }
|
---|
3540 |
|
---|
3541 | int tls1_process_sigalgs(SSL *s)
|
---|
3542 | {
|
---|
3543 | int idx;
|
---|
3544 | size_t i;
|
---|
3545 | const EVP_MD *md;
|
---|
3546 | const EVP_MD **pmd = s->s3->tmp.md;
|
---|
3547 | uint32_t *pvalid = s->s3->tmp.valid_flags;
|
---|
3548 | CERT *c = s->cert;
|
---|
3549 | TLS_SIGALGS *sigptr;
|
---|
3550 | if (!tls1_set_shared_sigalgs(s))
|
---|
3551 | return 0;
|
---|
3552 |
|
---|
3553 | for (i = 0, sigptr = c->shared_sigalgs;
|
---|
3554 | i < c->shared_sigalgslen; i++, sigptr++) {
|
---|
3555 | idx = tls12_get_pkey_idx(sigptr->rsign);
|
---|
3556 | if (idx > 0 && pmd[idx] == NULL) {
|
---|
3557 | md = tls12_get_hash(sigptr->rhash);
|
---|
3558 | pmd[idx] = md;
|
---|
3559 | pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
|
---|
3560 | if (idx == SSL_PKEY_RSA_SIGN) {
|
---|
3561 | pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
|
---|
3562 | pmd[SSL_PKEY_RSA_ENC] = md;
|
---|
3563 | }
|
---|
3564 | }
|
---|
3565 |
|
---|
3566 | }
|
---|
3567 | /*
|
---|
3568 | * In strict mode leave unset digests as NULL to indicate we can't use
|
---|
3569 | * the certificate for signing.
|
---|
3570 | */
|
---|
3571 | if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
|
---|
3572 | /*
|
---|
3573 | * Set any remaining keys to default values. NOTE: if alg is not
|
---|
3574 | * supported it stays as NULL.
|
---|
3575 | */
|
---|
3576 | #ifndef OPENSSL_NO_DSA
|
---|
3577 | if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
|
---|
3578 | pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
|
---|
3579 | #endif
|
---|
3580 | #ifndef OPENSSL_NO_RSA
|
---|
3581 | if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
|
---|
3582 | pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
|
---|
3583 | pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
|
---|
3584 | }
|
---|
3585 | #endif
|
---|
3586 | #ifndef OPENSSL_NO_EC
|
---|
3587 | if (pmd[SSL_PKEY_ECC] == NULL)
|
---|
3588 | pmd[SSL_PKEY_ECC] = EVP_sha1();
|
---|
3589 | #endif
|
---|
3590 | #ifndef OPENSSL_NO_GOST
|
---|
3591 | if (pmd[SSL_PKEY_GOST01] == NULL)
|
---|
3592 | pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
|
---|
3593 | if (pmd[SSL_PKEY_GOST12_256] == NULL)
|
---|
3594 | pmd[SSL_PKEY_GOST12_256] =
|
---|
3595 | EVP_get_digestbynid(NID_id_GostR3411_2012_256);
|
---|
3596 | if (pmd[SSL_PKEY_GOST12_512] == NULL)
|
---|
3597 | pmd[SSL_PKEY_GOST12_512] =
|
---|
3598 | EVP_get_digestbynid(NID_id_GostR3411_2012_512);
|
---|
3599 | #endif
|
---|
3600 | }
|
---|
3601 | return 1;
|
---|
3602 | }
|
---|
3603 |
|
---|
3604 | int SSL_get_sigalgs(SSL *s, int idx,
|
---|
3605 | int *psign, int *phash, int *psignhash,
|
---|
3606 | unsigned char *rsig, unsigned char *rhash)
|
---|
3607 | {
|
---|
3608 | const unsigned char *psig = s->s3->tmp.peer_sigalgs;
|
---|
3609 | if (psig == NULL)
|
---|
3610 | return 0;
|
---|
3611 | if (idx >= 0) {
|
---|
3612 | idx <<= 1;
|
---|
3613 | if (idx >= (int)s->s3->tmp.peer_sigalgslen)
|
---|
3614 | return 0;
|
---|
3615 | psig += idx;
|
---|
3616 | if (rhash)
|
---|
3617 | *rhash = psig[0];
|
---|
3618 | if (rsig)
|
---|
3619 | *rsig = psig[1];
|
---|
3620 | tls1_lookup_sigalg(phash, psign, psignhash, psig);
|
---|
3621 | }
|
---|
3622 | return s->s3->tmp.peer_sigalgslen / 2;
|
---|
3623 | }
|
---|
3624 |
|
---|
3625 | int SSL_get_shared_sigalgs(SSL *s, int idx,
|
---|
3626 | int *psign, int *phash, int *psignhash,
|
---|
3627 | unsigned char *rsig, unsigned char *rhash)
|
---|
3628 | {
|
---|
3629 | TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
|
---|
3630 | if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
|
---|
3631 | return 0;
|
---|
3632 | shsigalgs += idx;
|
---|
3633 | if (phash)
|
---|
3634 | *phash = shsigalgs->hash_nid;
|
---|
3635 | if (psign)
|
---|
3636 | *psign = shsigalgs->sign_nid;
|
---|
3637 | if (psignhash)
|
---|
3638 | *psignhash = shsigalgs->signandhash_nid;
|
---|
3639 | if (rsig)
|
---|
3640 | *rsig = shsigalgs->rsign;
|
---|
3641 | if (rhash)
|
---|
3642 | *rhash = shsigalgs->rhash;
|
---|
3643 | return s->cert->shared_sigalgslen;
|
---|
3644 | }
|
---|
3645 |
|
---|
3646 | #define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
|
---|
3647 |
|
---|
3648 | typedef struct {
|
---|
3649 | size_t sigalgcnt;
|
---|
3650 | int sigalgs[MAX_SIGALGLEN];
|
---|
3651 | } sig_cb_st;
|
---|
3652 |
|
---|
3653 | static void get_sigorhash(int *psig, int *phash, const char *str)
|
---|
3654 | {
|
---|
3655 | if (strcmp(str, "RSA") == 0) {
|
---|
3656 | *psig = EVP_PKEY_RSA;
|
---|
3657 | } else if (strcmp(str, "DSA") == 0) {
|
---|
3658 | *psig = EVP_PKEY_DSA;
|
---|
3659 | } else if (strcmp(str, "ECDSA") == 0) {
|
---|
3660 | *psig = EVP_PKEY_EC;
|
---|
3661 | } else {
|
---|
3662 | *phash = OBJ_sn2nid(str);
|
---|
3663 | if (*phash == NID_undef)
|
---|
3664 | *phash = OBJ_ln2nid(str);
|
---|
3665 | }
|
---|
3666 | }
|
---|
3667 |
|
---|
3668 | static int sig_cb(const char *elem, int len, void *arg)
|
---|
3669 | {
|
---|
3670 | sig_cb_st *sarg = arg;
|
---|
3671 | size_t i;
|
---|
3672 | char etmp[20], *p;
|
---|
3673 | int sig_alg = NID_undef, hash_alg = NID_undef;
|
---|
3674 | if (elem == NULL)
|
---|
3675 | return 0;
|
---|
3676 | if (sarg->sigalgcnt == MAX_SIGALGLEN)
|
---|
3677 | return 0;
|
---|
3678 | if (len > (int)(sizeof(etmp) - 1))
|
---|
3679 | return 0;
|
---|
3680 | memcpy(etmp, elem, len);
|
---|
3681 | etmp[len] = 0;
|
---|
3682 | p = strchr(etmp, '+');
|
---|
3683 | if (!p)
|
---|
3684 | return 0;
|
---|
3685 | *p = 0;
|
---|
3686 | p++;
|
---|
3687 | if (!*p)
|
---|
3688 | return 0;
|
---|
3689 |
|
---|
3690 | get_sigorhash(&sig_alg, &hash_alg, etmp);
|
---|
3691 | get_sigorhash(&sig_alg, &hash_alg, p);
|
---|
3692 |
|
---|
3693 | if (sig_alg == NID_undef || hash_alg == NID_undef)
|
---|
3694 | return 0;
|
---|
3695 |
|
---|
3696 | for (i = 0; i < sarg->sigalgcnt; i += 2) {
|
---|
3697 | if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
|
---|
3698 | return 0;
|
---|
3699 | }
|
---|
3700 | sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
|
---|
3701 | sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
|
---|
3702 | return 1;
|
---|
3703 | }
|
---|
3704 |
|
---|
3705 | /*
|
---|
3706 | * Set supported signature algorithms based on a colon separated list of the
|
---|
3707 | * form sig+hash e.g. RSA+SHA512:DSA+SHA512
|
---|
3708 | */
|
---|
3709 | int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
|
---|
3710 | {
|
---|
3711 | sig_cb_st sig;
|
---|
3712 | sig.sigalgcnt = 0;
|
---|
3713 | if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
|
---|
3714 | return 0;
|
---|
3715 | if (c == NULL)
|
---|
3716 | return 1;
|
---|
3717 | return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
|
---|
3718 | }
|
---|
3719 |
|
---|
3720 | int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
|
---|
3721 | {
|
---|
3722 | unsigned char *sigalgs, *sptr;
|
---|
3723 | int rhash, rsign;
|
---|
3724 | size_t i;
|
---|
3725 | if (salglen & 1)
|
---|
3726 | return 0;
|
---|
3727 | sigalgs = OPENSSL_malloc(salglen);
|
---|
3728 | if (sigalgs == NULL)
|
---|
3729 | return 0;
|
---|
3730 | for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
|
---|
3731 | rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
|
---|
3732 | rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
|
---|
3733 |
|
---|
3734 | if (rhash == -1 || rsign == -1)
|
---|
3735 | goto err;
|
---|
3736 | *sptr++ = rhash;
|
---|
3737 | *sptr++ = rsign;
|
---|
3738 | }
|
---|
3739 |
|
---|
3740 | if (client) {
|
---|
3741 | OPENSSL_free(c->client_sigalgs);
|
---|
3742 | c->client_sigalgs = sigalgs;
|
---|
3743 | c->client_sigalgslen = salglen;
|
---|
3744 | } else {
|
---|
3745 | OPENSSL_free(c->conf_sigalgs);
|
---|
3746 | c->conf_sigalgs = sigalgs;
|
---|
3747 | c->conf_sigalgslen = salglen;
|
---|
3748 | }
|
---|
3749 |
|
---|
3750 | return 1;
|
---|
3751 |
|
---|
3752 | err:
|
---|
3753 | OPENSSL_free(sigalgs);
|
---|
3754 | return 0;
|
---|
3755 | }
|
---|
3756 |
|
---|
3757 | static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
|
---|
3758 | {
|
---|
3759 | int sig_nid;
|
---|
3760 | size_t i;
|
---|
3761 | if (default_nid == -1)
|
---|
3762 | return 1;
|
---|
3763 | sig_nid = X509_get_signature_nid(x);
|
---|
3764 | if (default_nid)
|
---|
3765 | return sig_nid == default_nid ? 1 : 0;
|
---|
3766 | for (i = 0; i < c->shared_sigalgslen; i++)
|
---|
3767 | if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
|
---|
3768 | return 1;
|
---|
3769 | return 0;
|
---|
3770 | }
|
---|
3771 |
|
---|
3772 | /* Check to see if a certificate issuer name matches list of CA names */
|
---|
3773 | static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
|
---|
3774 | {
|
---|
3775 | X509_NAME *nm;
|
---|
3776 | int i;
|
---|
3777 | nm = X509_get_issuer_name(x);
|
---|
3778 | for (i = 0; i < sk_X509_NAME_num(names); i++) {
|
---|
3779 | if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
|
---|
3780 | return 1;
|
---|
3781 | }
|
---|
3782 | return 0;
|
---|
3783 | }
|
---|
3784 |
|
---|
3785 | /*
|
---|
3786 | * Check certificate chain is consistent with TLS extensions and is usable by
|
---|
3787 | * server. This servers two purposes: it allows users to check chains before
|
---|
3788 | * passing them to the server and it allows the server to check chains before
|
---|
3789 | * attempting to use them.
|
---|
3790 | */
|
---|
3791 |
|
---|
3792 | /* Flags which need to be set for a certificate when stict mode not set */
|
---|
3793 |
|
---|
3794 | #define CERT_PKEY_VALID_FLAGS \
|
---|
3795 | (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
|
---|
3796 | /* Strict mode flags */
|
---|
3797 | #define CERT_PKEY_STRICT_FLAGS \
|
---|
3798 | (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
|
---|
3799 | | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
|
---|
3800 |
|
---|
3801 | int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
|
---|
3802 | int idx)
|
---|
3803 | {
|
---|
3804 | int i;
|
---|
3805 | int rv = 0;
|
---|
3806 | int check_flags = 0, strict_mode;
|
---|
3807 | CERT_PKEY *cpk = NULL;
|
---|
3808 | CERT *c = s->cert;
|
---|
3809 | uint32_t *pvalid;
|
---|
3810 | unsigned int suiteb_flags = tls1_suiteb(s);
|
---|
3811 | /* idx == -1 means checking server chains */
|
---|
3812 | if (idx != -1) {
|
---|
3813 | /* idx == -2 means checking client certificate chains */
|
---|
3814 | if (idx == -2) {
|
---|
3815 | cpk = c->key;
|
---|
3816 | idx = cpk - c->pkeys;
|
---|
3817 | } else
|
---|
3818 | cpk = c->pkeys + idx;
|
---|
3819 | pvalid = s->s3->tmp.valid_flags + idx;
|
---|
3820 | x = cpk->x509;
|
---|
3821 | pk = cpk->privatekey;
|
---|
3822 | chain = cpk->chain;
|
---|
3823 | strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
|
---|
3824 | /* If no cert or key, forget it */
|
---|
3825 | if (!x || !pk)
|
---|
3826 | goto end;
|
---|
3827 | } else {
|
---|
3828 | if (!x || !pk)
|
---|
3829 | return 0;
|
---|
3830 | idx = ssl_cert_type(x, pk);
|
---|
3831 | if (idx == -1)
|
---|
3832 | return 0;
|
---|
3833 | pvalid = s->s3->tmp.valid_flags + idx;
|
---|
3834 |
|
---|
3835 | if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
|
---|
3836 | check_flags = CERT_PKEY_STRICT_FLAGS;
|
---|
3837 | else
|
---|
3838 | check_flags = CERT_PKEY_VALID_FLAGS;
|
---|
3839 | strict_mode = 1;
|
---|
3840 | }
|
---|
3841 |
|
---|
3842 | if (suiteb_flags) {
|
---|
3843 | int ok;
|
---|
3844 | if (check_flags)
|
---|
3845 | check_flags |= CERT_PKEY_SUITEB;
|
---|
3846 | ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
|
---|
3847 | if (ok == X509_V_OK)
|
---|
3848 | rv |= CERT_PKEY_SUITEB;
|
---|
3849 | else if (!check_flags)
|
---|
3850 | goto end;
|
---|
3851 | }
|
---|
3852 |
|
---|
3853 | /*
|
---|
3854 | * Check all signature algorithms are consistent with signature
|
---|
3855 | * algorithms extension if TLS 1.2 or later and strict mode.
|
---|
3856 | */
|
---|
3857 | if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
|
---|
3858 | int default_nid;
|
---|
3859 | unsigned char rsign = 0;
|
---|
3860 | if (s->s3->tmp.peer_sigalgs)
|
---|
3861 | default_nid = 0;
|
---|
3862 | /* If no sigalgs extension use defaults from RFC5246 */
|
---|
3863 | else {
|
---|
3864 | switch (idx) {
|
---|
3865 | case SSL_PKEY_RSA_ENC:
|
---|
3866 | case SSL_PKEY_RSA_SIGN:
|
---|
3867 | rsign = TLSEXT_signature_rsa;
|
---|
3868 | default_nid = NID_sha1WithRSAEncryption;
|
---|
3869 | break;
|
---|
3870 |
|
---|
3871 | case SSL_PKEY_DSA_SIGN:
|
---|
3872 | rsign = TLSEXT_signature_dsa;
|
---|
3873 | default_nid = NID_dsaWithSHA1;
|
---|
3874 | break;
|
---|
3875 |
|
---|
3876 | case SSL_PKEY_ECC:
|
---|
3877 | rsign = TLSEXT_signature_ecdsa;
|
---|
3878 | default_nid = NID_ecdsa_with_SHA1;
|
---|
3879 | break;
|
---|
3880 |
|
---|
3881 | case SSL_PKEY_GOST01:
|
---|
3882 | rsign = TLSEXT_signature_gostr34102001;
|
---|
3883 | default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
|
---|
3884 | break;
|
---|
3885 |
|
---|
3886 | case SSL_PKEY_GOST12_256:
|
---|
3887 | rsign = TLSEXT_signature_gostr34102012_256;
|
---|
3888 | default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
|
---|
3889 | break;
|
---|
3890 |
|
---|
3891 | case SSL_PKEY_GOST12_512:
|
---|
3892 | rsign = TLSEXT_signature_gostr34102012_512;
|
---|
3893 | default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
|
---|
3894 | break;
|
---|
3895 |
|
---|
3896 | default:
|
---|
3897 | default_nid = -1;
|
---|
3898 | break;
|
---|
3899 | }
|
---|
3900 | }
|
---|
3901 | /*
|
---|
3902 | * If peer sent no signature algorithms extension and we have set
|
---|
3903 | * preferred signature algorithms check we support sha1.
|
---|
3904 | */
|
---|
3905 | if (default_nid > 0 && c->conf_sigalgs) {
|
---|
3906 | size_t j;
|
---|
3907 | const unsigned char *p = c->conf_sigalgs;
|
---|
3908 | for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
|
---|
3909 | if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
|
---|
3910 | break;
|
---|
3911 | }
|
---|
3912 | if (j == c->conf_sigalgslen) {
|
---|
3913 | if (check_flags)
|
---|
3914 | goto skip_sigs;
|
---|
3915 | else
|
---|
3916 | goto end;
|
---|
3917 | }
|
---|
3918 | }
|
---|
3919 | /* Check signature algorithm of each cert in chain */
|
---|
3920 | if (!tls1_check_sig_alg(c, x, default_nid)) {
|
---|
3921 | if (!check_flags)
|
---|
3922 | goto end;
|
---|
3923 | } else
|
---|
3924 | rv |= CERT_PKEY_EE_SIGNATURE;
|
---|
3925 | rv |= CERT_PKEY_CA_SIGNATURE;
|
---|
3926 | for (i = 0; i < sk_X509_num(chain); i++) {
|
---|
3927 | if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
|
---|
3928 | if (check_flags) {
|
---|
3929 | rv &= ~CERT_PKEY_CA_SIGNATURE;
|
---|
3930 | break;
|
---|
3931 | } else
|
---|
3932 | goto end;
|
---|
3933 | }
|
---|
3934 | }
|
---|
3935 | }
|
---|
3936 | /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
|
---|
3937 | else if (check_flags)
|
---|
3938 | rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
|
---|
3939 | skip_sigs:
|
---|
3940 | /* Check cert parameters are consistent */
|
---|
3941 | if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
|
---|
3942 | rv |= CERT_PKEY_EE_PARAM;
|
---|
3943 | else if (!check_flags)
|
---|
3944 | goto end;
|
---|
3945 | if (!s->server)
|
---|
3946 | rv |= CERT_PKEY_CA_PARAM;
|
---|
3947 | /* In strict mode check rest of chain too */
|
---|
3948 | else if (strict_mode) {
|
---|
3949 | rv |= CERT_PKEY_CA_PARAM;
|
---|
3950 | for (i = 0; i < sk_X509_num(chain); i++) {
|
---|
3951 | X509 *ca = sk_X509_value(chain, i);
|
---|
3952 | if (!tls1_check_cert_param(s, ca, 0)) {
|
---|
3953 | if (check_flags) {
|
---|
3954 | rv &= ~CERT_PKEY_CA_PARAM;
|
---|
3955 | break;
|
---|
3956 | } else
|
---|
3957 | goto end;
|
---|
3958 | }
|
---|
3959 | }
|
---|
3960 | }
|
---|
3961 | if (!s->server && strict_mode) {
|
---|
3962 | STACK_OF(X509_NAME) *ca_dn;
|
---|
3963 | int check_type = 0;
|
---|
3964 | switch (EVP_PKEY_id(pk)) {
|
---|
3965 | case EVP_PKEY_RSA:
|
---|
3966 | check_type = TLS_CT_RSA_SIGN;
|
---|
3967 | break;
|
---|
3968 | case EVP_PKEY_DSA:
|
---|
3969 | check_type = TLS_CT_DSS_SIGN;
|
---|
3970 | break;
|
---|
3971 | case EVP_PKEY_EC:
|
---|
3972 | check_type = TLS_CT_ECDSA_SIGN;
|
---|
3973 | break;
|
---|
3974 | }
|
---|
3975 | if (check_type) {
|
---|
3976 | const unsigned char *ctypes;
|
---|
3977 | int ctypelen;
|
---|
3978 | if (c->ctypes) {
|
---|
3979 | ctypes = c->ctypes;
|
---|
3980 | ctypelen = (int)c->ctype_num;
|
---|
3981 | } else {
|
---|
3982 | ctypes = (unsigned char *)s->s3->tmp.ctype;
|
---|
3983 | ctypelen = s->s3->tmp.ctype_num;
|
---|
3984 | }
|
---|
3985 | for (i = 0; i < ctypelen; i++) {
|
---|
3986 | if (ctypes[i] == check_type) {
|
---|
3987 | rv |= CERT_PKEY_CERT_TYPE;
|
---|
3988 | break;
|
---|
3989 | }
|
---|
3990 | }
|
---|
3991 | if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
|
---|
3992 | goto end;
|
---|
3993 | } else
|
---|
3994 | rv |= CERT_PKEY_CERT_TYPE;
|
---|
3995 |
|
---|
3996 | ca_dn = s->s3->tmp.ca_names;
|
---|
3997 |
|
---|
3998 | if (!sk_X509_NAME_num(ca_dn))
|
---|
3999 | rv |= CERT_PKEY_ISSUER_NAME;
|
---|
4000 |
|
---|
4001 | if (!(rv & CERT_PKEY_ISSUER_NAME)) {
|
---|
4002 | if (ssl_check_ca_name(ca_dn, x))
|
---|
4003 | rv |= CERT_PKEY_ISSUER_NAME;
|
---|
4004 | }
|
---|
4005 | if (!(rv & CERT_PKEY_ISSUER_NAME)) {
|
---|
4006 | for (i = 0; i < sk_X509_num(chain); i++) {
|
---|
4007 | X509 *xtmp = sk_X509_value(chain, i);
|
---|
4008 | if (ssl_check_ca_name(ca_dn, xtmp)) {
|
---|
4009 | rv |= CERT_PKEY_ISSUER_NAME;
|
---|
4010 | break;
|
---|
4011 | }
|
---|
4012 | }
|
---|
4013 | }
|
---|
4014 | if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
|
---|
4015 | goto end;
|
---|
4016 | } else
|
---|
4017 | rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
|
---|
4018 |
|
---|
4019 | if (!check_flags || (rv & check_flags) == check_flags)
|
---|
4020 | rv |= CERT_PKEY_VALID;
|
---|
4021 |
|
---|
4022 | end:
|
---|
4023 |
|
---|
4024 | if (TLS1_get_version(s) >= TLS1_2_VERSION) {
|
---|
4025 | if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
|
---|
4026 | rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
|
---|
4027 | else if (s->s3->tmp.md[idx] != NULL)
|
---|
4028 | rv |= CERT_PKEY_SIGN;
|
---|
4029 | } else
|
---|
4030 | rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
|
---|
4031 |
|
---|
4032 | /*
|
---|
4033 | * When checking a CERT_PKEY structure all flags are irrelevant if the
|
---|
4034 | * chain is invalid.
|
---|
4035 | */
|
---|
4036 | if (!check_flags) {
|
---|
4037 | if (rv & CERT_PKEY_VALID)
|
---|
4038 | *pvalid = rv;
|
---|
4039 | else {
|
---|
4040 | /* Preserve explicit sign flag, clear rest */
|
---|
4041 | *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
|
---|
4042 | return 0;
|
---|
4043 | }
|
---|
4044 | }
|
---|
4045 | return rv;
|
---|
4046 | }
|
---|
4047 |
|
---|
4048 | /* Set validity of certificates in an SSL structure */
|
---|
4049 | void tls1_set_cert_validity(SSL *s)
|
---|
4050 | {
|
---|
4051 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
|
---|
4052 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
|
---|
4053 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
|
---|
4054 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
|
---|
4055 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
|
---|
4056 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
|
---|
4057 | tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
|
---|
4058 | }
|
---|
4059 |
|
---|
4060 | /* User level utiity function to check a chain is suitable */
|
---|
4061 | int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
|
---|
4062 | {
|
---|
4063 | return tls1_check_chain(s, x, pk, chain, -1);
|
---|
4064 | }
|
---|
4065 |
|
---|
4066 | #ifndef OPENSSL_NO_DH
|
---|
4067 | DH *ssl_get_auto_dh(SSL *s)
|
---|
4068 | {
|
---|
4069 | int dh_secbits = 80;
|
---|
4070 | if (s->cert->dh_tmp_auto == 2)
|
---|
4071 | return DH_get_1024_160();
|
---|
4072 | if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
|
---|
4073 | if (s->s3->tmp.new_cipher->strength_bits == 256)
|
---|
4074 | dh_secbits = 128;
|
---|
4075 | else
|
---|
4076 | dh_secbits = 80;
|
---|
4077 | } else {
|
---|
4078 | CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
|
---|
4079 | dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
|
---|
4080 | }
|
---|
4081 |
|
---|
4082 | if (dh_secbits >= 128) {
|
---|
4083 | DH *dhp = DH_new();
|
---|
4084 | BIGNUM *p, *g;
|
---|
4085 | if (dhp == NULL)
|
---|
4086 | return NULL;
|
---|
4087 | g = BN_new();
|
---|
4088 | if (g != NULL)
|
---|
4089 | BN_set_word(g, 2);
|
---|
4090 | if (dh_secbits >= 192)
|
---|
4091 | p = BN_get_rfc3526_prime_8192(NULL);
|
---|
4092 | else
|
---|
4093 | p = BN_get_rfc3526_prime_3072(NULL);
|
---|
4094 | if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
|
---|
4095 | DH_free(dhp);
|
---|
4096 | BN_free(p);
|
---|
4097 | BN_free(g);
|
---|
4098 | return NULL;
|
---|
4099 | }
|
---|
4100 | return dhp;
|
---|
4101 | }
|
---|
4102 | if (dh_secbits >= 112)
|
---|
4103 | return DH_get_2048_224();
|
---|
4104 | return DH_get_1024_160();
|
---|
4105 | }
|
---|
4106 | #endif
|
---|
4107 |
|
---|
4108 | static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
---|
4109 | {
|
---|
4110 | int secbits = -1;
|
---|
4111 | EVP_PKEY *pkey = X509_get0_pubkey(x);
|
---|
4112 | if (pkey) {
|
---|
4113 | /*
|
---|
4114 | * If no parameters this will return -1 and fail using the default
|
---|
4115 | * security callback for any non-zero security level. This will
|
---|
4116 | * reject keys which omit parameters but this only affects DSA and
|
---|
4117 | * omission of parameters is never (?) done in practice.
|
---|
4118 | */
|
---|
4119 | secbits = EVP_PKEY_security_bits(pkey);
|
---|
4120 | }
|
---|
4121 | if (s)
|
---|
4122 | return ssl_security(s, op, secbits, 0, x);
|
---|
4123 | else
|
---|
4124 | return ssl_ctx_security(ctx, op, secbits, 0, x);
|
---|
4125 | }
|
---|
4126 |
|
---|
4127 | static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
---|
4128 | {
|
---|
4129 | /* Lookup signature algorithm digest */
|
---|
4130 | int secbits = -1, md_nid = NID_undef, sig_nid;
|
---|
4131 | /* Don't check signature if self signed */
|
---|
4132 | if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
|
---|
4133 | return 1;
|
---|
4134 | sig_nid = X509_get_signature_nid(x);
|
---|
4135 | if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
|
---|
4136 | const EVP_MD *md;
|
---|
4137 | if (md_nid && (md = EVP_get_digestbynid(md_nid)))
|
---|
4138 | secbits = EVP_MD_size(md) * 4;
|
---|
4139 | }
|
---|
4140 | if (s)
|
---|
4141 | return ssl_security(s, op, secbits, md_nid, x);
|
---|
4142 | else
|
---|
4143 | return ssl_ctx_security(ctx, op, secbits, md_nid, x);
|
---|
4144 | }
|
---|
4145 |
|
---|
4146 | int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
|
---|
4147 | {
|
---|
4148 | if (vfy)
|
---|
4149 | vfy = SSL_SECOP_PEER;
|
---|
4150 | if (is_ee) {
|
---|
4151 | if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
|
---|
4152 | return SSL_R_EE_KEY_TOO_SMALL;
|
---|
4153 | } else {
|
---|
4154 | if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
|
---|
4155 | return SSL_R_CA_KEY_TOO_SMALL;
|
---|
4156 | }
|
---|
4157 | if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
|
---|
4158 | return SSL_R_CA_MD_TOO_WEAK;
|
---|
4159 | return 1;
|
---|
4160 | }
|
---|
4161 |
|
---|
4162 | /*
|
---|
4163 | * Check security of a chain, if sk includes the end entity certificate then
|
---|
4164 | * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
|
---|
4165 | * one to the peer. Return values: 1 if ok otherwise error code to use
|
---|
4166 | */
|
---|
4167 |
|
---|
4168 | int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
|
---|
4169 | {
|
---|
4170 | int rv, start_idx, i;
|
---|
4171 | if (x == NULL) {
|
---|
4172 | x = sk_X509_value(sk, 0);
|
---|
4173 | start_idx = 1;
|
---|
4174 | } else
|
---|
4175 | start_idx = 0;
|
---|
4176 |
|
---|
4177 | rv = ssl_security_cert(s, NULL, x, vfy, 1);
|
---|
4178 | if (rv != 1)
|
---|
4179 | return rv;
|
---|
4180 |
|
---|
4181 | for (i = start_idx; i < sk_X509_num(sk); i++) {
|
---|
4182 | x = sk_X509_value(sk, i);
|
---|
4183 | rv = ssl_security_cert(s, NULL, x, vfy, 0);
|
---|
4184 | if (rv != 1)
|
---|
4185 | return rv;
|
---|
4186 | }
|
---|
4187 | return 1;
|
---|
4188 | }
|
---|