source: EcnlProtoTool/trunk/openssl-1.1.0e/ssl/t1_lib.c@ 331

Last change on this file since 331 was 331, checked in by coas-nagasima, 6 years ago

prototoolに関連するプロジェクトをnewlibからmuslを使うよう変更・更新
ntshellをnewlibの下位の実装から、muslのsyscallの実装に変更・更新
以下のOSSをアップデート
・mruby-1.3.0
・musl-1.1.18
・onigmo-6.1.3
・tcc-0.9.27
以下のOSSを追加
・openssl-1.1.0e
・curl-7.57.0
・zlib-1.2.11
以下のmrbgemsを追加
・iij/mruby-digest
・iij/mruby-env
・iij/mruby-errno
・iij/mruby-iijson
・iij/mruby-ipaddr
・iij/mruby-mock
・iij/mruby-require
・iij/mruby-tls-openssl
  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/x-csrc
File size: 133.3 KB
Line 
1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdio.h>
11#include <stdlib.h>
12#include <openssl/objects.h>
13#include <openssl/evp.h>
14#include <openssl/hmac.h>
15#include <openssl/ocsp.h>
16#include <openssl/conf.h>
17#include <openssl/x509v3.h>
18#include <openssl/dh.h>
19#include <openssl/bn.h>
20#include "ssl_locl.h"
21#include <openssl/ct.h>
22
23
24#define CHECKLEN(curr, val, limit) \
25 (((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val))
26
27static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
28 const unsigned char *sess_id, int sesslen,
29 SSL_SESSION **psess);
30static int ssl_check_clienthello_tlsext_early(SSL *s);
31static int ssl_check_serverhello_tlsext(SSL *s);
32
33SSL3_ENC_METHOD const TLSv1_enc_data = {
34 tls1_enc,
35 tls1_mac,
36 tls1_setup_key_block,
37 tls1_generate_master_secret,
38 tls1_change_cipher_state,
39 tls1_final_finish_mac,
40 TLS1_FINISH_MAC_LENGTH,
41 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
42 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
43 tls1_alert_code,
44 tls1_export_keying_material,
45 0,
46 SSL3_HM_HEADER_LENGTH,
47 ssl3_set_handshake_header,
48 ssl3_handshake_write
49};
50
51SSL3_ENC_METHOD const TLSv1_1_enc_data = {
52 tls1_enc,
53 tls1_mac,
54 tls1_setup_key_block,
55 tls1_generate_master_secret,
56 tls1_change_cipher_state,
57 tls1_final_finish_mac,
58 TLS1_FINISH_MAC_LENGTH,
59 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
60 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
61 tls1_alert_code,
62 tls1_export_keying_material,
63 SSL_ENC_FLAG_EXPLICIT_IV,
64 SSL3_HM_HEADER_LENGTH,
65 ssl3_set_handshake_header,
66 ssl3_handshake_write
67};
68
69SSL3_ENC_METHOD const TLSv1_2_enc_data = {
70 tls1_enc,
71 tls1_mac,
72 tls1_setup_key_block,
73 tls1_generate_master_secret,
74 tls1_change_cipher_state,
75 tls1_final_finish_mac,
76 TLS1_FINISH_MAC_LENGTH,
77 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
78 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
79 tls1_alert_code,
80 tls1_export_keying_material,
81 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
82 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
83 SSL3_HM_HEADER_LENGTH,
84 ssl3_set_handshake_header,
85 ssl3_handshake_write
86};
87
88long tls1_default_timeout(void)
89{
90 /*
91 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
92 * http, the cache would over fill
93 */
94 return (60 * 60 * 2);
95}
96
97int tls1_new(SSL *s)
98{
99 if (!ssl3_new(s))
100 return (0);
101 s->method->ssl_clear(s);
102 return (1);
103}
104
105void tls1_free(SSL *s)
106{
107 OPENSSL_free(s->tlsext_session_ticket);
108 ssl3_free(s);
109}
110
111void tls1_clear(SSL *s)
112{
113 ssl3_clear(s);
114 if (s->method->version == TLS_ANY_VERSION)
115 s->version = TLS_MAX_VERSION;
116 else
117 s->version = s->method->version;
118}
119
120#ifndef OPENSSL_NO_EC
121
122typedef struct {
123 int nid; /* Curve NID */
124 int secbits; /* Bits of security (from SP800-57) */
125 unsigned int flags; /* Flags: currently just field type */
126} tls_curve_info;
127
128/*
129 * Table of curve information.
130 * Do not delete entries or reorder this array! It is used as a lookup
131 * table: the index of each entry is one less than the TLS curve id.
132 */
133static const tls_curve_info nid_list[] = {
134 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
135 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
136 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
137 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
138 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
139 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
140 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
141 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
142 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
143 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
144 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
145 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
146 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
147 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
148 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
149 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
150 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
151 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
152 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
153 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
154 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
155 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
156 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
157 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
158 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
159 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
160 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
161 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
162 {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
163};
164
165static const unsigned char ecformats_default[] = {
166 TLSEXT_ECPOINTFORMAT_uncompressed,
167 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
168 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
169};
170
171/* The default curves */
172static const unsigned char eccurves_default[] = {
173 0, 29, /* X25519 (29) */
174 0, 23, /* secp256r1 (23) */
175 0, 25, /* secp521r1 (25) */
176 0, 24, /* secp384r1 (24) */
177};
178
179static const unsigned char suiteb_curves[] = {
180 0, TLSEXT_curve_P_256,
181 0, TLSEXT_curve_P_384
182};
183
184int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags)
185{
186 const tls_curve_info *cinfo;
187 /* ECC curves from RFC 4492 and RFC 7027 */
188 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
189 return 0;
190 cinfo = nid_list + curve_id - 1;
191 if (pflags)
192 *pflags = cinfo->flags;
193 return cinfo->nid;
194}
195
196int tls1_ec_nid2curve_id(int nid)
197{
198 size_t i;
199 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
200 if (nid_list[i].nid == nid)
201 return i + 1;
202 }
203 return 0;
204}
205
206/*
207 * Get curves list, if "sess" is set return client curves otherwise
208 * preferred list.
209 * Sets |num_curves| to the number of curves in the list, i.e.,
210 * the length of |pcurves| is 2 * num_curves.
211 * Returns 1 on success and 0 if the client curves list has invalid format.
212 * The latter indicates an internal error: we should not be accepting such
213 * lists in the first place.
214 * TODO(emilia): we should really be storing the curves list in explicitly
215 * parsed form instead. (However, this would affect binary compatibility
216 * so cannot happen in the 1.0.x series.)
217 */
218static int tls1_get_curvelist(SSL *s, int sess,
219 const unsigned char **pcurves, size_t *num_curves)
220{
221 size_t pcurveslen = 0;
222
223 if (sess) {
224 *pcurves = s->session->tlsext_ellipticcurvelist;
225 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
226 } else {
227 /* For Suite B mode only include P-256, P-384 */
228 switch (tls1_suiteb(s)) {
229 case SSL_CERT_FLAG_SUITEB_128_LOS:
230 *pcurves = suiteb_curves;
231 pcurveslen = sizeof(suiteb_curves);
232 break;
233
234 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
235 *pcurves = suiteb_curves;
236 pcurveslen = 2;
237 break;
238
239 case SSL_CERT_FLAG_SUITEB_192_LOS:
240 *pcurves = suiteb_curves + 2;
241 pcurveslen = 2;
242 break;
243 default:
244 *pcurves = s->tlsext_ellipticcurvelist;
245 pcurveslen = s->tlsext_ellipticcurvelist_length;
246 }
247 if (!*pcurves) {
248 *pcurves = eccurves_default;
249 pcurveslen = sizeof(eccurves_default);
250 }
251 }
252
253 /* We do not allow odd length arrays to enter the system. */
254 if (pcurveslen & 1) {
255 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
256 *num_curves = 0;
257 return 0;
258 }
259 *num_curves = pcurveslen / 2;
260 return 1;
261}
262
263/* See if curve is allowed by security callback */
264static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
265{
266 const tls_curve_info *cinfo;
267 if (curve[0])
268 return 1;
269 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
270 return 0;
271 cinfo = &nid_list[curve[1] - 1];
272# ifdef OPENSSL_NO_EC2M
273 if (cinfo->flags & TLS_CURVE_CHAR2)
274 return 0;
275# endif
276 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
277}
278
279/* Check a curve is one of our preferences */
280int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
281{
282 const unsigned char *curves;
283 size_t num_curves, i;
284 unsigned int suiteb_flags = tls1_suiteb(s);
285 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
286 return 0;
287 /* Check curve matches Suite B preferences */
288 if (suiteb_flags) {
289 unsigned long cid = s->s3->tmp.new_cipher->id;
290 if (p[1])
291 return 0;
292 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
293 if (p[2] != TLSEXT_curve_P_256)
294 return 0;
295 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
296 if (p[2] != TLSEXT_curve_P_384)
297 return 0;
298 } else /* Should never happen */
299 return 0;
300 }
301 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
302 return 0;
303 for (i = 0; i < num_curves; i++, curves += 2) {
304 if (p[1] == curves[0] && p[2] == curves[1])
305 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
306 }
307 return 0;
308}
309
310/*-
311 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
312 * if there is no match.
313 * For nmatch == -1, return number of matches
314 * For nmatch == -2, return the NID of the curve to use for
315 * an EC tmp key, or NID_undef if there is no match.
316 */
317int tls1_shared_curve(SSL *s, int nmatch)
318{
319 const unsigned char *pref, *supp;
320 size_t num_pref, num_supp, i, j;
321 int k;
322
323 /* Can't do anything on client side */
324 if (s->server == 0)
325 return -1;
326 if (nmatch == -2) {
327 if (tls1_suiteb(s)) {
328 /*
329 * For Suite B ciphersuite determines curve: we already know
330 * these are acceptable due to previous checks.
331 */
332 unsigned long cid = s->s3->tmp.new_cipher->id;
333
334 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
335 return NID_X9_62_prime256v1; /* P-256 */
336 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
337 return NID_secp384r1; /* P-384 */
338 /* Should never happen */
339 return NID_undef;
340 }
341 /* If not Suite B just return first preference shared curve */
342 nmatch = 0;
343 }
344 /*
345 * Avoid truncation. tls1_get_curvelist takes an int
346 * but s->options is a long...
347 */
348 if (!tls1_get_curvelist(s,
349 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0,
350 &supp, &num_supp))
351 /* In practice, NID_undef == 0 but let's be precise. */
352 return nmatch == -1 ? 0 : NID_undef;
353 if (!tls1_get_curvelist(s,
354 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0,
355 &pref, &num_pref))
356 return nmatch == -1 ? 0 : NID_undef;
357
358 for (k = 0, i = 0; i < num_pref; i++, pref += 2) {
359 const unsigned char *tsupp = supp;
360
361 for (j = 0; j < num_supp; j++, tsupp += 2) {
362 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
363 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
364 continue;
365 if (nmatch == k) {
366 int id = (pref[0] << 8) | pref[1];
367
368 return tls1_ec_curve_id2nid(id, NULL);
369 }
370 k++;
371 }
372 }
373 }
374 if (nmatch == -1)
375 return k;
376 /* Out of range (nmatch > k). */
377 return NID_undef;
378}
379
380int tls1_set_curves(unsigned char **pext, size_t *pextlen,
381 int *curves, size_t ncurves)
382{
383 unsigned char *clist, *p;
384 size_t i;
385 /*
386 * Bitmap of curves included to detect duplicates: only works while curve
387 * ids < 32
388 */
389 unsigned long dup_list = 0;
390 clist = OPENSSL_malloc(ncurves * 2);
391 if (clist == NULL)
392 return 0;
393 for (i = 0, p = clist; i < ncurves; i++) {
394 unsigned long idmask;
395 int id;
396 id = tls1_ec_nid2curve_id(curves[i]);
397 idmask = 1L << id;
398 if (!id || (dup_list & idmask)) {
399 OPENSSL_free(clist);
400 return 0;
401 }
402 dup_list |= idmask;
403 s2n(id, p);
404 }
405 OPENSSL_free(*pext);
406 *pext = clist;
407 *pextlen = ncurves * 2;
408 return 1;
409}
410
411# define MAX_CURVELIST 28
412
413typedef struct {
414 size_t nidcnt;
415 int nid_arr[MAX_CURVELIST];
416} nid_cb_st;
417
418static int nid_cb(const char *elem, int len, void *arg)
419{
420 nid_cb_st *narg = arg;
421 size_t i;
422 int nid;
423 char etmp[20];
424 if (elem == NULL)
425 return 0;
426 if (narg->nidcnt == MAX_CURVELIST)
427 return 0;
428 if (len > (int)(sizeof(etmp) - 1))
429 return 0;
430 memcpy(etmp, elem, len);
431 etmp[len] = 0;
432 nid = EC_curve_nist2nid(etmp);
433 if (nid == NID_undef)
434 nid = OBJ_sn2nid(etmp);
435 if (nid == NID_undef)
436 nid = OBJ_ln2nid(etmp);
437 if (nid == NID_undef)
438 return 0;
439 for (i = 0; i < narg->nidcnt; i++)
440 if (narg->nid_arr[i] == nid)
441 return 0;
442 narg->nid_arr[narg->nidcnt++] = nid;
443 return 1;
444}
445
446/* Set curves based on a colon separate list */
447int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str)
448{
449 nid_cb_st ncb;
450 ncb.nidcnt = 0;
451 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
452 return 0;
453 if (pext == NULL)
454 return 1;
455 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
456}
457
458/* For an EC key set TLS id and required compression based on parameters */
459static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
460 EC_KEY *ec)
461{
462 int id;
463 const EC_GROUP *grp;
464 if (!ec)
465 return 0;
466 /* Determine if it is a prime field */
467 grp = EC_KEY_get0_group(ec);
468 if (!grp)
469 return 0;
470 /* Determine curve ID */
471 id = EC_GROUP_get_curve_name(grp);
472 id = tls1_ec_nid2curve_id(id);
473 /* If no id return error: we don't support arbitrary explicit curves */
474 if (id == 0)
475 return 0;
476 curve_id[0] = 0;
477 curve_id[1] = (unsigned char)id;
478 if (comp_id) {
479 if (EC_KEY_get0_public_key(ec) == NULL)
480 return 0;
481 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
482 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
483 } else {
484 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
485 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
486 else
487 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
488 }
489 }
490 return 1;
491}
492
493/* Check an EC key is compatible with extensions */
494static int tls1_check_ec_key(SSL *s,
495 unsigned char *curve_id, unsigned char *comp_id)
496{
497 const unsigned char *pformats, *pcurves;
498 size_t num_formats, num_curves, i;
499 int j;
500 /*
501 * If point formats extension present check it, otherwise everything is
502 * supported (see RFC4492).
503 */
504 if (comp_id && s->session->tlsext_ecpointformatlist) {
505 pformats = s->session->tlsext_ecpointformatlist;
506 num_formats = s->session->tlsext_ecpointformatlist_length;
507 for (i = 0; i < num_formats; i++, pformats++) {
508 if (*comp_id == *pformats)
509 break;
510 }
511 if (i == num_formats)
512 return 0;
513 }
514 if (!curve_id)
515 return 1;
516 /* Check curve is consistent with client and server preferences */
517 for (j = 0; j <= 1; j++) {
518 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
519 return 0;
520 if (j == 1 && num_curves == 0) {
521 /*
522 * If we've not received any curves then skip this check.
523 * RFC 4492 does not require the supported elliptic curves extension
524 * so if it is not sent we can just choose any curve.
525 * It is invalid to send an empty list in the elliptic curves
526 * extension, so num_curves == 0 always means no extension.
527 */
528 break;
529 }
530 for (i = 0; i < num_curves; i++, pcurves += 2) {
531 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
532 break;
533 }
534 if (i == num_curves)
535 return 0;
536 /* For clients can only check sent curve list */
537 if (!s->server)
538 break;
539 }
540 return 1;
541}
542
543static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
544 size_t *num_formats)
545{
546 /*
547 * If we have a custom point format list use it otherwise use default
548 */
549 if (s->tlsext_ecpointformatlist) {
550 *pformats = s->tlsext_ecpointformatlist;
551 *num_formats = s->tlsext_ecpointformatlist_length;
552 } else {
553 *pformats = ecformats_default;
554 /* For Suite B we don't support char2 fields */
555 if (tls1_suiteb(s))
556 *num_formats = sizeof(ecformats_default) - 1;
557 else
558 *num_formats = sizeof(ecformats_default);
559 }
560}
561
562/*
563 * Check cert parameters compatible with extensions: currently just checks EC
564 * certificates have compatible curves and compression.
565 */
566static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
567{
568 unsigned char comp_id, curve_id[2];
569 EVP_PKEY *pkey;
570 int rv;
571 pkey = X509_get0_pubkey(x);
572 if (!pkey)
573 return 0;
574 /* If not EC nothing to do */
575 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
576 return 1;
577 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
578 if (!rv)
579 return 0;
580 /*
581 * Can't check curve_id for client certs as we don't have a supported
582 * curves extension.
583 */
584 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
585 if (!rv)
586 return 0;
587 /*
588 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
589 * SHA384+P-384, adjust digest if necessary.
590 */
591 if (set_ee_md && tls1_suiteb(s)) {
592 int check_md;
593 size_t i;
594 CERT *c = s->cert;
595 if (curve_id[0])
596 return 0;
597 /* Check to see we have necessary signing algorithm */
598 if (curve_id[1] == TLSEXT_curve_P_256)
599 check_md = NID_ecdsa_with_SHA256;
600 else if (curve_id[1] == TLSEXT_curve_P_384)
601 check_md = NID_ecdsa_with_SHA384;
602 else
603 return 0; /* Should never happen */
604 for (i = 0; i < c->shared_sigalgslen; i++)
605 if (check_md == c->shared_sigalgs[i].signandhash_nid)
606 break;
607 if (i == c->shared_sigalgslen)
608 return 0;
609 if (set_ee_md == 2) {
610 if (check_md == NID_ecdsa_with_SHA256)
611 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
612 else
613 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
614 }
615 }
616 return rv;
617}
618
619# ifndef OPENSSL_NO_EC
620/*
621 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
622 * @s: SSL connection
623 * @cid: Cipher ID we're considering using
624 *
625 * Checks that the kECDHE cipher suite we're considering using
626 * is compatible with the client extensions.
627 *
628 * Returns 0 when the cipher can't be used or 1 when it can.
629 */
630int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
631{
632 /*
633 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
634 * curves permitted.
635 */
636 if (tls1_suiteb(s)) {
637 unsigned char curve_id[2];
638 /* Curve to check determined by ciphersuite */
639 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
640 curve_id[1] = TLSEXT_curve_P_256;
641 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
642 curve_id[1] = TLSEXT_curve_P_384;
643 else
644 return 0;
645 curve_id[0] = 0;
646 /* Check this curve is acceptable */
647 if (!tls1_check_ec_key(s, curve_id, NULL))
648 return 0;
649 return 1;
650 }
651 /* Need a shared curve */
652 if (tls1_shared_curve(s, 0))
653 return 1;
654 return 0;
655}
656# endif /* OPENSSL_NO_EC */
657
658#else
659
660static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
661{
662 return 1;
663}
664
665#endif /* OPENSSL_NO_EC */
666
667/*
668 * List of supported signature algorithms and hashes. Should make this
669 * customisable at some point, for now include everything we support.
670 */
671
672#ifdef OPENSSL_NO_RSA
673# define tlsext_sigalg_rsa(md) /* */
674#else
675# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
676#endif
677
678#ifdef OPENSSL_NO_DSA
679# define tlsext_sigalg_dsa(md) /* */
680#else
681# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
682#endif
683
684#ifdef OPENSSL_NO_EC
685# define tlsext_sigalg_ecdsa(md)/* */
686#else
687# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
688#endif
689
690#define tlsext_sigalg(md) \
691 tlsext_sigalg_rsa(md) \
692 tlsext_sigalg_dsa(md) \
693 tlsext_sigalg_ecdsa(md)
694
695static const unsigned char tls12_sigalgs[] = {
696 tlsext_sigalg(TLSEXT_hash_sha512)
697 tlsext_sigalg(TLSEXT_hash_sha384)
698 tlsext_sigalg(TLSEXT_hash_sha256)
699 tlsext_sigalg(TLSEXT_hash_sha224)
700 tlsext_sigalg(TLSEXT_hash_sha1)
701#ifndef OPENSSL_NO_GOST
702 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
703 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
704 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
705#endif
706};
707
708#ifndef OPENSSL_NO_EC
709static const unsigned char suiteb_sigalgs[] = {
710 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
711 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
712};
713#endif
714size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
715{
716 /*
717 * If Suite B mode use Suite B sigalgs only, ignore any other
718 * preferences.
719 */
720#ifndef OPENSSL_NO_EC
721 switch (tls1_suiteb(s)) {
722 case SSL_CERT_FLAG_SUITEB_128_LOS:
723 *psigs = suiteb_sigalgs;
724 return sizeof(suiteb_sigalgs);
725
726 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
727 *psigs = suiteb_sigalgs;
728 return 2;
729
730 case SSL_CERT_FLAG_SUITEB_192_LOS:
731 *psigs = suiteb_sigalgs + 2;
732 return 2;
733 }
734#endif
735 /* If server use client authentication sigalgs if not NULL */
736 if (s->server == sent && s->cert->client_sigalgs) {
737 *psigs = s->cert->client_sigalgs;
738 return s->cert->client_sigalgslen;
739 } else if (s->cert->conf_sigalgs) {
740 *psigs = s->cert->conf_sigalgs;
741 return s->cert->conf_sigalgslen;
742 } else {
743 *psigs = tls12_sigalgs;
744 return sizeof(tls12_sigalgs);
745 }
746}
747
748/*
749 * Check signature algorithm is consistent with sent supported signature
750 * algorithms and if so return relevant digest.
751 */
752int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
753 const unsigned char *sig, EVP_PKEY *pkey)
754{
755 const unsigned char *sent_sigs;
756 size_t sent_sigslen, i;
757 int sigalg = tls12_get_sigid(pkey);
758 /* Should never happen */
759 if (sigalg == -1)
760 return -1;
761 /* Check key type is consistent with signature */
762 if (sigalg != (int)sig[1]) {
763 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
764 return 0;
765 }
766#ifndef OPENSSL_NO_EC
767 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
768 unsigned char curve_id[2], comp_id;
769 /* Check compression and curve matches extensions */
770 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
771 return 0;
772 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
773 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
774 return 0;
775 }
776 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
777 if (tls1_suiteb(s)) {
778 if (curve_id[0])
779 return 0;
780 if (curve_id[1] == TLSEXT_curve_P_256) {
781 if (sig[0] != TLSEXT_hash_sha256) {
782 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
783 SSL_R_ILLEGAL_SUITEB_DIGEST);
784 return 0;
785 }
786 } else if (curve_id[1] == TLSEXT_curve_P_384) {
787 if (sig[0] != TLSEXT_hash_sha384) {
788 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
789 SSL_R_ILLEGAL_SUITEB_DIGEST);
790 return 0;
791 }
792 } else
793 return 0;
794 }
795 } else if (tls1_suiteb(s))
796 return 0;
797#endif
798
799 /* Check signature matches a type we sent */
800 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
801 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
802 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
803 break;
804 }
805 /* Allow fallback to SHA1 if not strict mode */
806 if (i == sent_sigslen
807 && (sig[0] != TLSEXT_hash_sha1
808 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
809 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
810 return 0;
811 }
812 *pmd = tls12_get_hash(sig[0]);
813 if (*pmd == NULL) {
814 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
815 return 0;
816 }
817 /* Make sure security callback allows algorithm */
818 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
819 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) {
820 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
821 return 0;
822 }
823 /*
824 * Store the digest used so applications can retrieve it if they wish.
825 */
826 s->s3->tmp.peer_md = *pmd;
827 return 1;
828}
829
830/*
831 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
832 * supported, doesn't appear in supported signature algorithms, isn't supported
833 * by the enabled protocol versions or by the security level.
834 *
835 * This function should only be used for checking which ciphers are supported
836 * by the client.
837 *
838 * Call ssl_cipher_disabled() to check that it's enabled or not.
839 */
840void ssl_set_client_disabled(SSL *s)
841{
842 s->s3->tmp.mask_a = 0;
843 s->s3->tmp.mask_k = 0;
844 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
845 ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
846#ifndef OPENSSL_NO_PSK
847 /* with PSK there must be client callback set */
848 if (!s->psk_client_callback) {
849 s->s3->tmp.mask_a |= SSL_aPSK;
850 s->s3->tmp.mask_k |= SSL_PSK;
851 }
852#endif /* OPENSSL_NO_PSK */
853#ifndef OPENSSL_NO_SRP
854 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
855 s->s3->tmp.mask_a |= SSL_aSRP;
856 s->s3->tmp.mask_k |= SSL_kSRP;
857 }
858#endif
859}
860
861/*
862 * ssl_cipher_disabled - check that a cipher is disabled or not
863 * @s: SSL connection that you want to use the cipher on
864 * @c: cipher to check
865 * @op: Security check that you want to do
866 *
867 * Returns 1 when it's disabled, 0 when enabled.
868 */
869int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
870{
871 if (c->algorithm_mkey & s->s3->tmp.mask_k
872 || c->algorithm_auth & s->s3->tmp.mask_a)
873 return 1;
874 if (s->s3->tmp.max_ver == 0)
875 return 1;
876 if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
877 || (c->max_tls < s->s3->tmp.min_ver)))
878 return 1;
879 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
880 || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
881 return 1;
882
883 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
884}
885
886static int tls_use_ticket(SSL *s)
887{
888 if (s->options & SSL_OP_NO_TICKET)
889 return 0;
890 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
891}
892
893static int compare_uint(const void *p1, const void *p2)
894{
895 unsigned int u1 = *((const unsigned int *)p1);
896 unsigned int u2 = *((const unsigned int *)p2);
897 if (u1 < u2)
898 return -1;
899 else if (u1 > u2)
900 return 1;
901 else
902 return 0;
903}
904
905/*
906 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
907 * more than one extension of the same type in a ClientHello or ServerHello.
908 * This function does an initial scan over the extensions block to filter those
909 * out. It returns 1 if all extensions are unique, and 0 if the extensions
910 * contain duplicates, could not be successfully parsed, or an internal error
911 * occurred.
912 */
913static int tls1_check_duplicate_extensions(const PACKET *packet)
914{
915 PACKET extensions = *packet;
916 size_t num_extensions = 0, i = 0;
917 unsigned int *extension_types = NULL;
918 int ret = 0;
919
920 /* First pass: count the extensions. */
921 while (PACKET_remaining(&extensions) > 0) {
922 unsigned int type;
923 PACKET extension;
924 if (!PACKET_get_net_2(&extensions, &type) ||
925 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
926 goto done;
927 }
928 num_extensions++;
929 }
930
931 if (num_extensions <= 1)
932 return 1;
933
934 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
935 if (extension_types == NULL) {
936 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
937 goto done;
938 }
939
940 /* Second pass: gather the extension types. */
941 extensions = *packet;
942 for (i = 0; i < num_extensions; i++) {
943 PACKET extension;
944 if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
945 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
946 /* This should not happen. */
947 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
948 goto done;
949 }
950 }
951
952 if (PACKET_remaining(&extensions) != 0) {
953 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
954 goto done;
955 }
956 /* Sort the extensions and make sure there are no duplicates. */
957 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
958 for (i = 1; i < num_extensions; i++) {
959 if (extension_types[i - 1] == extension_types[i])
960 goto done;
961 }
962 ret = 1;
963 done:
964 OPENSSL_free(extension_types);
965 return ret;
966}
967
968unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
969 unsigned char *limit, int *al)
970{
971 int extdatalen = 0;
972 unsigned char *orig = buf;
973 unsigned char *ret = buf;
974#ifndef OPENSSL_NO_EC
975 /* See if we support any ECC ciphersuites */
976 int using_ecc = 0;
977 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
978 int i;
979 unsigned long alg_k, alg_a;
980 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
981
982 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
983 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
984
985 alg_k = c->algorithm_mkey;
986 alg_a = c->algorithm_auth;
987 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
988 || (alg_a & SSL_aECDSA)) {
989 using_ecc = 1;
990 break;
991 }
992 }
993 }
994#endif
995
996 ret += 2;
997
998 if (ret >= limit)
999 return NULL; /* this really never occurs, but ... */
1000
1001 /* Add RI if renegotiating */
1002 if (s->renegotiate) {
1003 int el;
1004
1005 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1006 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1007 return NULL;
1008 }
1009
1010 if (CHECKLEN(ret, 4 + el, limit))
1011 return NULL;
1012
1013 s2n(TLSEXT_TYPE_renegotiate, ret);
1014 s2n(el, ret);
1015
1016 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1017 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1018 return NULL;
1019 }
1020
1021 ret += el;
1022 }
1023 /* Only add RI for SSLv3 */
1024 if (s->client_version == SSL3_VERSION)
1025 goto done;
1026
1027 if (s->tlsext_hostname != NULL) {
1028 /* Add TLS extension servername to the Client Hello message */
1029 size_t size_str;
1030
1031 /*-
1032 * check for enough space.
1033 * 4 for the servername type and extension length
1034 * 2 for servernamelist length
1035 * 1 for the hostname type
1036 * 2 for hostname length
1037 * + hostname length
1038 */
1039 size_str = strlen(s->tlsext_hostname);
1040 if (CHECKLEN(ret, 9 + size_str, limit))
1041 return NULL;
1042
1043 /* extension type and length */
1044 s2n(TLSEXT_TYPE_server_name, ret);
1045 s2n(size_str + 5, ret);
1046
1047 /* length of servername list */
1048 s2n(size_str + 3, ret);
1049
1050 /* hostname type, length and hostname */
1051 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1052 s2n(size_str, ret);
1053 memcpy(ret, s->tlsext_hostname, size_str);
1054 ret += size_str;
1055 }
1056#ifndef OPENSSL_NO_SRP
1057 /* Add SRP username if there is one */
1058 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1059 * Client Hello message */
1060
1061 size_t login_len = strlen(s->srp_ctx.login);
1062 if (login_len > 255 || login_len == 0) {
1063 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1064 return NULL;
1065 }
1066
1067 /*-
1068 * check for enough space.
1069 * 4 for the srp type type and extension length
1070 * 1 for the srp user identity
1071 * + srp user identity length
1072 */
1073 if (CHECKLEN(ret, 5 + login_len, limit))
1074 return NULL;
1075
1076 /* fill in the extension */
1077 s2n(TLSEXT_TYPE_srp, ret);
1078 s2n(login_len + 1, ret);
1079 (*ret++) = (unsigned char)login_len;
1080 memcpy(ret, s->srp_ctx.login, login_len);
1081 ret += login_len;
1082 }
1083#endif
1084
1085#ifndef OPENSSL_NO_EC
1086 if (using_ecc) {
1087 /*
1088 * Add TLS extension ECPointFormats to the ClientHello message
1089 */
1090 const unsigned char *pcurves, *pformats;
1091 size_t num_curves, num_formats, curves_list_len;
1092 size_t i;
1093 unsigned char *etmp;
1094
1095 tls1_get_formatlist(s, &pformats, &num_formats);
1096
1097 if (num_formats > 255) {
1098 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1099 return NULL;
1100 }
1101 /*-
1102 * check for enough space.
1103 * 4 bytes for the ec point formats type and extension length
1104 * 1 byte for the length of the formats
1105 * + formats length
1106 */
1107 if (CHECKLEN(ret, 5 + num_formats, limit))
1108 return NULL;
1109
1110 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1111 /* The point format list has 1-byte length. */
1112 s2n(num_formats + 1, ret);
1113 *(ret++) = (unsigned char)num_formats;
1114 memcpy(ret, pformats, num_formats);
1115 ret += num_formats;
1116
1117 /*
1118 * Add TLS extension EllipticCurves to the ClientHello message
1119 */
1120 pcurves = s->tlsext_ellipticcurvelist;
1121 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1122 return NULL;
1123
1124 if (num_curves > 65532 / 2) {
1125 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1126 return NULL;
1127 }
1128 /*-
1129 * check for enough space.
1130 * 4 bytes for the ec curves type and extension length
1131 * 2 bytes for the curve list length
1132 * + curve list length
1133 */
1134 if (CHECKLEN(ret, 6 + (num_curves * 2), limit))
1135 return NULL;
1136
1137 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1138 etmp = ret + 4;
1139 /* Copy curve ID if supported */
1140 for (i = 0; i < num_curves; i++, pcurves += 2) {
1141 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1142 *etmp++ = pcurves[0];
1143 *etmp++ = pcurves[1];
1144 }
1145 }
1146
1147 curves_list_len = etmp - ret - 4;
1148
1149 s2n(curves_list_len + 2, ret);
1150 s2n(curves_list_len, ret);
1151 ret += curves_list_len;
1152 }
1153#endif /* OPENSSL_NO_EC */
1154
1155 if (tls_use_ticket(s)) {
1156 size_t ticklen;
1157 if (!s->new_session && s->session && s->session->tlsext_tick)
1158 ticklen = s->session->tlsext_ticklen;
1159 else if (s->session && s->tlsext_session_ticket &&
1160 s->tlsext_session_ticket->data) {
1161 ticklen = s->tlsext_session_ticket->length;
1162 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1163 if (s->session->tlsext_tick == NULL)
1164 return NULL;
1165 memcpy(s->session->tlsext_tick,
1166 s->tlsext_session_ticket->data, ticklen);
1167 s->session->tlsext_ticklen = ticklen;
1168 } else
1169 ticklen = 0;
1170 if (ticklen == 0 && s->tlsext_session_ticket &&
1171 s->tlsext_session_ticket->data == NULL)
1172 goto skip_ext;
1173 /*
1174 * Check for enough room 2 for extension type, 2 for len rest for
1175 * ticket
1176 */
1177 if (CHECKLEN(ret, 4 + ticklen, limit))
1178 return NULL;
1179 s2n(TLSEXT_TYPE_session_ticket, ret);
1180 s2n(ticklen, ret);
1181 if (ticklen > 0) {
1182 memcpy(ret, s->session->tlsext_tick, ticklen);
1183 ret += ticklen;
1184 }
1185 }
1186 skip_ext:
1187
1188 if (SSL_CLIENT_USE_SIGALGS(s)) {
1189 size_t salglen;
1190 const unsigned char *salg;
1191 unsigned char *etmp;
1192 salglen = tls12_get_psigalgs(s, 1, &salg);
1193
1194 /*-
1195 * check for enough space.
1196 * 4 bytes for the sigalgs type and extension length
1197 * 2 bytes for the sigalg list length
1198 * + sigalg list length
1199 */
1200 if (CHECKLEN(ret, salglen + 6, limit))
1201 return NULL;
1202 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1203 etmp = ret;
1204 /* Skip over lengths for now */
1205 ret += 4;
1206 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1207 /* Fill in lengths */
1208 s2n(salglen + 2, etmp);
1209 s2n(salglen, etmp);
1210 ret += salglen;
1211 }
1212#ifndef OPENSSL_NO_OCSP
1213 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1214 int i;
1215 size_t extlen, idlen;
1216 int lentmp;
1217 OCSP_RESPID *id;
1218
1219 idlen = 0;
1220 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1221 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1222 lentmp = i2d_OCSP_RESPID(id, NULL);
1223 if (lentmp <= 0)
1224 return NULL;
1225 idlen += (size_t)lentmp + 2;
1226 }
1227
1228 if (s->tlsext_ocsp_exts) {
1229 lentmp = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1230 if (lentmp < 0)
1231 return NULL;
1232 extlen = (size_t)lentmp;
1233 } else
1234 extlen = 0;
1235
1236 if (extlen + idlen > 0xFFF0)
1237 return NULL;
1238 /*
1239 * 2 bytes for status request type
1240 * 2 bytes for status request len
1241 * 1 byte for OCSP request type
1242 * 2 bytes for length of ids
1243 * 2 bytes for length of extensions
1244 * + length of ids
1245 * + length of extensions
1246 */
1247 if (CHECKLEN(ret, 9 + idlen + extlen, limit))
1248 return NULL;
1249
1250 s2n(TLSEXT_TYPE_status_request, ret);
1251 s2n(extlen + idlen + 5, ret);
1252 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1253 s2n(idlen, ret);
1254 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1255 /* save position of id len */
1256 unsigned char *q = ret;
1257 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1258 /* skip over id len */
1259 ret += 2;
1260 lentmp = i2d_OCSP_RESPID(id, &ret);
1261 /* write id len */
1262 s2n(lentmp, q);
1263 }
1264 s2n(extlen, ret);
1265 if (extlen > 0)
1266 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1267 }
1268#endif
1269#ifndef OPENSSL_NO_HEARTBEATS
1270 if (SSL_IS_DTLS(s)) {
1271 /* Add Heartbeat extension */
1272
1273 /*-
1274 * check for enough space.
1275 * 4 bytes for the heartbeat ext type and extension length
1276 * 1 byte for the mode
1277 */
1278 if (CHECKLEN(ret, 5, limit))
1279 return NULL;
1280
1281 s2n(TLSEXT_TYPE_heartbeat, ret);
1282 s2n(1, ret);
1283 /*-
1284 * Set mode:
1285 * 1: peer may send requests
1286 * 2: peer not allowed to send requests
1287 */
1288 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1289 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1290 else
1291 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
1292 }
1293#endif
1294
1295#ifndef OPENSSL_NO_NEXTPROTONEG
1296 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1297 /*
1298 * The client advertises an empty extension to indicate its support
1299 * for Next Protocol Negotiation
1300 */
1301
1302 /*-
1303 * check for enough space.
1304 * 4 bytes for the NPN ext type and extension length
1305 */
1306 if (CHECKLEN(ret, 4, limit))
1307 return NULL;
1308 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1309 s2n(0, ret);
1310 }
1311#endif
1312
1313 /*
1314 * finish_md_len is non-zero during a renegotiation, so
1315 * this avoids sending ALPN during the renegotiation
1316 * (see longer comment below)
1317 */
1318 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1319 /*-
1320 * check for enough space.
1321 * 4 bytes for the ALPN type and extension length
1322 * 2 bytes for the ALPN protocol list length
1323 * + ALPN protocol list length
1324 */
1325 if (CHECKLEN(ret, 6 + s->alpn_client_proto_list_len, limit))
1326 return NULL;
1327 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1328 s2n(2 + s->alpn_client_proto_list_len, ret);
1329 s2n(s->alpn_client_proto_list_len, ret);
1330 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1331 ret += s->alpn_client_proto_list_len;
1332 s->s3->alpn_sent = 1;
1333 }
1334#ifndef OPENSSL_NO_SRTP
1335 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1336 int el;
1337
1338 /* Returns 0 on success!! */
1339 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1340 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1341 return NULL;
1342 }
1343
1344 /*-
1345 * check for enough space.
1346 * 4 bytes for the SRTP type and extension length
1347 * + SRTP profiles length
1348 */
1349 if (CHECKLEN(ret, 4 + el, limit))
1350 return NULL;
1351
1352 s2n(TLSEXT_TYPE_use_srtp, ret);
1353 s2n(el, ret);
1354
1355 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1356 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1357 return NULL;
1358 }
1359 ret += el;
1360 }
1361#endif
1362 custom_ext_init(&s->cert->cli_ext);
1363 /* Add custom TLS Extensions to ClientHello */
1364 if (!custom_ext_add(s, 0, &ret, limit, al))
1365 return NULL;
1366 /*
1367 * In 1.1.0 before 1.1.0c we negotiated EtM with DTLS, then just
1368 * silently failed to actually do it. It is fixed in 1.1.1 but to
1369 * ease the transition especially from 1.1.0b to 1.1.0c, we just
1370 * disable it in 1.1.0.
1371 */
1372 if (!SSL_IS_DTLS(s)) {
1373 /*-
1374 * check for enough space.
1375 * 4 bytes for the ETM type and extension length
1376 */
1377 if (CHECKLEN(ret, 4, limit))
1378 return NULL;
1379 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1380 s2n(0, ret);
1381 }
1382
1383#ifndef OPENSSL_NO_CT
1384 if (s->ct_validation_callback != NULL) {
1385 /*-
1386 * check for enough space.
1387 * 4 bytes for the SCT type and extension length
1388 */
1389 if (CHECKLEN(ret, 4, limit))
1390 return NULL;
1391
1392 s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret);
1393 s2n(0, ret);
1394 }
1395#endif
1396
1397 /*-
1398 * check for enough space.
1399 * 4 bytes for the EMS type and extension length
1400 */
1401 if (CHECKLEN(ret, 4, limit))
1402 return NULL;
1403 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1404 s2n(0, ret);
1405
1406 /*
1407 * Add padding to workaround bugs in F5 terminators. See
1408 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1409 * code works out the length of all existing extensions it MUST always
1410 * appear last.
1411 */
1412 if (s->options & SSL_OP_TLSEXT_PADDING) {
1413 int hlen = ret - (unsigned char *)s->init_buf->data;
1414
1415 if (hlen > 0xff && hlen < 0x200) {
1416 hlen = 0x200 - hlen;
1417 if (hlen >= 4)
1418 hlen -= 4;
1419 else
1420 hlen = 0;
1421
1422 /*-
1423 * check for enough space. Strictly speaking we know we've already
1424 * got enough space because to get here the message size is < 0x200,
1425 * but we know that we've allocated far more than that in the buffer
1426 * - but for consistency and robustness we're going to check anyway.
1427 *
1428 * 4 bytes for the padding type and extension length
1429 * + padding length
1430 */
1431 if (CHECKLEN(ret, 4 + hlen, limit))
1432 return NULL;
1433 s2n(TLSEXT_TYPE_padding, ret);
1434 s2n(hlen, ret);
1435 memset(ret, 0, hlen);
1436 ret += hlen;
1437 }
1438 }
1439
1440 done:
1441
1442 if ((extdatalen = ret - orig - 2) == 0)
1443 return orig;
1444
1445 s2n(extdatalen, orig);
1446 return ret;
1447}
1448
1449unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1450 unsigned char *limit, int *al)
1451{
1452 int extdatalen = 0;
1453 unsigned char *orig = buf;
1454 unsigned char *ret = buf;
1455#ifndef OPENSSL_NO_NEXTPROTONEG
1456 int next_proto_neg_seen;
1457#endif
1458#ifndef OPENSSL_NO_EC
1459 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1460 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1461 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1462 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1463#endif
1464
1465 ret += 2;
1466 if (ret >= limit)
1467 return NULL; /* this really never occurs, but ... */
1468
1469 if (s->s3->send_connection_binding) {
1470 int el;
1471
1472 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1473 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1474 return NULL;
1475 }
1476
1477 /*-
1478 * check for enough space.
1479 * 4 bytes for the reneg type and extension length
1480 * + reneg data length
1481 */
1482 if (CHECKLEN(ret, 4 + el, limit))
1483 return NULL;
1484
1485 s2n(TLSEXT_TYPE_renegotiate, ret);
1486 s2n(el, ret);
1487
1488 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1489 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1490 return NULL;
1491 }
1492
1493 ret += el;
1494 }
1495
1496 /* Only add RI for SSLv3 */
1497 if (s->version == SSL3_VERSION)
1498 goto done;
1499
1500 if (!s->hit && s->servername_done == 1
1501 && s->session->tlsext_hostname != NULL) {
1502 /*-
1503 * check for enough space.
1504 * 4 bytes for the server name type and extension length
1505 */
1506 if (CHECKLEN(ret, 4, limit))
1507 return NULL;
1508
1509 s2n(TLSEXT_TYPE_server_name, ret);
1510 s2n(0, ret);
1511 }
1512#ifndef OPENSSL_NO_EC
1513 if (using_ecc) {
1514 const unsigned char *plist;
1515 size_t plistlen;
1516 /*
1517 * Add TLS extension ECPointFormats to the ServerHello message
1518 */
1519
1520 tls1_get_formatlist(s, &plist, &plistlen);
1521
1522 if (plistlen > 255) {
1523 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1524 return NULL;
1525 }
1526
1527 /*-
1528 * check for enough space.
1529 * 4 bytes for the ec points format type and extension length
1530 * 1 byte for the points format list length
1531 * + length of points format list
1532 */
1533 if (CHECKLEN(ret, 5 + plistlen, limit))
1534 return NULL;
1535
1536 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1537 s2n(plistlen + 1, ret);
1538 *(ret++) = (unsigned char)plistlen;
1539 memcpy(ret, plist, plistlen);
1540 ret += plistlen;
1541
1542 }
1543 /*
1544 * Currently the server should not respond with a SupportedCurves
1545 * extension
1546 */
1547#endif /* OPENSSL_NO_EC */
1548
1549 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1550 /*-
1551 * check for enough space.
1552 * 4 bytes for the Ticket type and extension length
1553 */
1554 if (CHECKLEN(ret, 4, limit))
1555 return NULL;
1556 s2n(TLSEXT_TYPE_session_ticket, ret);
1557 s2n(0, ret);
1558 } else {
1559 /*
1560 * if we don't add the above TLSEXT, we can't add a session ticket
1561 * later
1562 */
1563 s->tlsext_ticket_expected = 0;
1564 }
1565
1566 if (s->tlsext_status_expected) {
1567 /*-
1568 * check for enough space.
1569 * 4 bytes for the Status request type and extension length
1570 */
1571 if (CHECKLEN(ret, 4, limit))
1572 return NULL;
1573 s2n(TLSEXT_TYPE_status_request, ret);
1574 s2n(0, ret);
1575 }
1576#ifndef OPENSSL_NO_SRTP
1577 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1578 int el;
1579
1580 /* Returns 0 on success!! */
1581 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
1582 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1583 return NULL;
1584 }
1585 /*-
1586 * check for enough space.
1587 * 4 bytes for the SRTP profiles type and extension length
1588 * + length of the SRTP profiles list
1589 */
1590 if (CHECKLEN(ret, 4 + el, limit))
1591 return NULL;
1592
1593 s2n(TLSEXT_TYPE_use_srtp, ret);
1594 s2n(el, ret);
1595
1596 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1597 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1598 return NULL;
1599 }
1600 ret += el;
1601 }
1602#endif
1603
1604 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1605 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1606 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1607 const unsigned char cryptopro_ext[36] = {
1608 0xfd, 0xe8, /* 65000 */
1609 0x00, 0x20, /* 32 bytes length */
1610 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1611 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1612 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1613 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1614 };
1615
1616 /* check for enough space. */
1617 if (CHECKLEN(ret, sizeof(cryptopro_ext), limit))
1618 return NULL;
1619 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
1620 ret += sizeof(cryptopro_ext);
1621
1622 }
1623#ifndef OPENSSL_NO_HEARTBEATS
1624 /* Add Heartbeat extension if we've received one */
1625 if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
1626 /*-
1627 * check for enough space.
1628 * 4 bytes for the Heartbeat type and extension length
1629 * 1 byte for the mode
1630 */
1631 if (CHECKLEN(ret, 5, limit))
1632 return NULL;
1633 s2n(TLSEXT_TYPE_heartbeat, ret);
1634 s2n(1, ret);
1635 /*-
1636 * Set mode:
1637 * 1: peer may send requests
1638 * 2: peer not allowed to send requests
1639 */
1640 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1641 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1642 else
1643 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
1644
1645 }
1646#endif
1647
1648#ifndef OPENSSL_NO_NEXTPROTONEG
1649 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1650 s->s3->next_proto_neg_seen = 0;
1651 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1652 const unsigned char *npa;
1653 unsigned int npalen;
1654 int r;
1655
1656 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1657 s->
1658 ctx->next_protos_advertised_cb_arg);
1659 if (r == SSL_TLSEXT_ERR_OK) {
1660 /*-
1661 * check for enough space.
1662 * 4 bytes for the NPN type and extension length
1663 * + length of protocols list
1664 */
1665 if (CHECKLEN(ret, 4 + npalen, limit))
1666 return NULL;
1667 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1668 s2n(npalen, ret);
1669 memcpy(ret, npa, npalen);
1670 ret += npalen;
1671 s->s3->next_proto_neg_seen = 1;
1672 }
1673 }
1674#endif
1675 if (!custom_ext_add(s, 1, &ret, limit, al))
1676 return NULL;
1677 if (s->tlsext_use_etm) {
1678 /*
1679 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1680 * for other cases too.
1681 */
1682 if (SSL_IS_DTLS(s) || s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1683 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1684 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1685 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
1686 s->tlsext_use_etm = 0;
1687 else {
1688 /*-
1689 * check for enough space.
1690 * 4 bytes for the ETM type and extension length
1691 */
1692 if (CHECKLEN(ret, 4, limit))
1693 return NULL;
1694 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1695 s2n(0, ret);
1696 }
1697 }
1698 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
1699 /*-
1700 * check for enough space.
1701 * 4 bytes for the EMS type and extension length
1702 */
1703 if (CHECKLEN(ret, 4, limit))
1704 return NULL;
1705 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1706 s2n(0, ret);
1707 }
1708
1709 if (s->s3->alpn_selected != NULL) {
1710 const unsigned char *selected = s->s3->alpn_selected;
1711 size_t len = s->s3->alpn_selected_len;
1712
1713 /*-
1714 * check for enough space.
1715 * 4 bytes for the ALPN type and extension length
1716 * 2 bytes for ALPN data length
1717 * 1 byte for selected protocol length
1718 * + length of the selected protocol
1719 */
1720 if (CHECKLEN(ret, 7 + len, limit))
1721 return NULL;
1722 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1723 s2n(3 + len, ret);
1724 s2n(1 + len, ret);
1725 *ret++ = len;
1726 memcpy(ret, selected, len);
1727 ret += len;
1728 }
1729
1730 done:
1731
1732 if ((extdatalen = ret - orig - 2) == 0)
1733 return orig;
1734
1735 s2n(extdatalen, orig);
1736 return ret;
1737}
1738
1739/*
1740 * Save the ALPN extension in a ClientHello.
1741 * pkt: the contents of the ALPN extension, not including type and length.
1742 * al: a pointer to the alert value to send in the event of a failure.
1743 * returns: 1 on success, 0 on error.
1744 */
1745static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
1746{
1747 PACKET protocol_list, save_protocol_list, protocol;
1748
1749 *al = SSL_AD_DECODE_ERROR;
1750
1751 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
1752 || PACKET_remaining(&protocol_list) < 2) {
1753 return 0;
1754 }
1755
1756 save_protocol_list = protocol_list;
1757 do {
1758 /* Protocol names can't be empty. */
1759 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
1760 || PACKET_remaining(&protocol) == 0) {
1761 return 0;
1762 }
1763 } while (PACKET_remaining(&protocol_list) != 0);
1764
1765 if (!PACKET_memdup(&save_protocol_list,
1766 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
1767 *al = TLS1_AD_INTERNAL_ERROR;
1768 return 0;
1769 }
1770
1771 return 1;
1772}
1773
1774/*
1775 * Process the ALPN extension in a ClientHello.
1776 * al: a pointer to the alert value to send in the event of a failure.
1777 * returns 1 on success, 0 on error.
1778 */
1779static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
1780{
1781 const unsigned char *selected = NULL;
1782 unsigned char selected_len = 0;
1783
1784 if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
1785 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1786 s->s3->alpn_proposed,
1787 s->s3->alpn_proposed_len,
1788 s->ctx->alpn_select_cb_arg);
1789
1790 if (r == SSL_TLSEXT_ERR_OK) {
1791 OPENSSL_free(s->s3->alpn_selected);
1792 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
1793 if (s->s3->alpn_selected == NULL) {
1794 *al = SSL_AD_INTERNAL_ERROR;
1795 return 0;
1796 }
1797 s->s3->alpn_selected_len = selected_len;
1798#ifndef OPENSSL_NO_NEXTPROTONEG
1799 /* ALPN takes precedence over NPN. */
1800 s->s3->next_proto_neg_seen = 0;
1801#endif
1802 } else {
1803 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
1804 return 0;
1805 }
1806 }
1807
1808 return 1;
1809}
1810
1811#ifndef OPENSSL_NO_EC
1812/*-
1813 * ssl_check_for_safari attempts to fingerprint Safari using OS X
1814 * SecureTransport using the TLS extension block in |pkt|.
1815 * Safari, since 10.6, sends exactly these extensions, in this order:
1816 * SNI,
1817 * elliptic_curves
1818 * ec_point_formats
1819 *
1820 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1821 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1822 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1823 * 10.8..10.8.3 (which don't work).
1824 */
1825static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
1826{
1827 unsigned int type;
1828 PACKET sni, tmppkt;
1829 size_t ext_len;
1830
1831 static const unsigned char kSafariExtensionsBlock[] = {
1832 0x00, 0x0a, /* elliptic_curves extension */
1833 0x00, 0x08, /* 8 bytes */
1834 0x00, 0x06, /* 6 bytes of curve ids */
1835 0x00, 0x17, /* P-256 */
1836 0x00, 0x18, /* P-384 */
1837 0x00, 0x19, /* P-521 */
1838
1839 0x00, 0x0b, /* ec_point_formats */
1840 0x00, 0x02, /* 2 bytes */
1841 0x01, /* 1 point format */
1842 0x00, /* uncompressed */
1843 /* The following is only present in TLS 1.2 */
1844 0x00, 0x0d, /* signature_algorithms */
1845 0x00, 0x0c, /* 12 bytes */
1846 0x00, 0x0a, /* 10 bytes */
1847 0x05, 0x01, /* SHA-384/RSA */
1848 0x04, 0x01, /* SHA-256/RSA */
1849 0x02, 0x01, /* SHA-1/RSA */
1850 0x04, 0x03, /* SHA-256/ECDSA */
1851 0x02, 0x03, /* SHA-1/ECDSA */
1852 };
1853
1854 /* Length of the common prefix (first two extensions). */
1855 static const size_t kSafariCommonExtensionsLength = 18;
1856
1857 tmppkt = *pkt;
1858
1859 if (!PACKET_forward(&tmppkt, 2)
1860 || !PACKET_get_net_2(&tmppkt, &type)
1861 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
1862 return;
1863 }
1864
1865 if (type != TLSEXT_TYPE_server_name)
1866 return;
1867
1868 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1869 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
1870
1871 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1872 ext_len);
1873}
1874#endif /* !OPENSSL_NO_EC */
1875
1876/*
1877 * Parse ClientHello extensions and stash extension info in various parts of
1878 * the SSL object. Verify that there are no duplicate extensions.
1879 *
1880 * Behaviour upon resumption is extension-specific. If the extension has no
1881 * effect during resumption, it is parsed (to verify its format) but otherwise
1882 * ignored.
1883 *
1884 * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure.
1885 * Upon failure, sets |al| to the appropriate alert.
1886 */
1887static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
1888{
1889 unsigned int type;
1890 int renegotiate_seen = 0;
1891 PACKET extensions;
1892
1893 *al = SSL_AD_DECODE_ERROR;
1894 s->servername_done = 0;
1895 s->tlsext_status_type = -1;
1896#ifndef OPENSSL_NO_NEXTPROTONEG
1897 s->s3->next_proto_neg_seen = 0;
1898#endif
1899
1900 OPENSSL_free(s->s3->alpn_selected);
1901 s->s3->alpn_selected = NULL;
1902 s->s3->alpn_selected_len = 0;
1903 OPENSSL_free(s->s3->alpn_proposed);
1904 s->s3->alpn_proposed = NULL;
1905 s->s3->alpn_proposed_len = 0;
1906#ifndef OPENSSL_NO_HEARTBEATS
1907 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
1908 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
1909#endif
1910
1911#ifndef OPENSSL_NO_EC
1912 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1913 ssl_check_for_safari(s, pkt);
1914#endif /* !OPENSSL_NO_EC */
1915
1916 /* Clear any signature algorithms extension received */
1917 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1918 s->s3->tmp.peer_sigalgs = NULL;
1919 s->tlsext_use_etm = 0;
1920
1921#ifndef OPENSSL_NO_SRP
1922 OPENSSL_free(s->srp_ctx.login);
1923 s->srp_ctx.login = NULL;
1924#endif
1925
1926 s->srtp_profile = NULL;
1927
1928 if (PACKET_remaining(pkt) == 0)
1929 goto ri_check;
1930
1931 if (!PACKET_as_length_prefixed_2(pkt, &extensions))
1932 return 0;
1933
1934 if (!tls1_check_duplicate_extensions(&extensions))
1935 return 0;
1936
1937 /*
1938 * We parse all extensions to ensure the ClientHello is well-formed but,
1939 * unless an extension specifies otherwise, we ignore extensions upon
1940 * resumption.
1941 */
1942 while (PACKET_get_net_2(&extensions, &type)) {
1943 PACKET extension;
1944 if (!PACKET_get_length_prefixed_2(&extensions, &extension))
1945 return 0;
1946
1947 if (s->tlsext_debug_cb)
1948 s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
1949 PACKET_remaining(&extension),
1950 s->tlsext_debug_arg);
1951
1952 if (type == TLSEXT_TYPE_renegotiate) {
1953 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al))
1954 return 0;
1955 renegotiate_seen = 1;
1956 } else if (s->version == SSL3_VERSION) {
1957 }
1958/*-
1959 * The servername extension is treated as follows:
1960 *
1961 * - Only the hostname type is supported with a maximum length of 255.
1962 * - The servername is rejected if too long or if it contains zeros,
1963 * in which case an fatal alert is generated.
1964 * - The servername field is maintained together with the session cache.
1965 * - When a session is resumed, the servername call back invoked in order
1966 * to allow the application to position itself to the right context.
1967 * - The servername is acknowledged if it is new for a session or when
1968 * it is identical to a previously used for the same session.
1969 * Applications can control the behaviour. They can at any time
1970 * set a 'desirable' servername for a new SSL object. This can be the
1971 * case for example with HTTPS when a Host: header field is received and
1972 * a renegotiation is requested. In this case, a possible servername
1973 * presented in the new client hello is only acknowledged if it matches
1974 * the value of the Host: field.
1975 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1976 * if they provide for changing an explicit servername context for the
1977 * session, i.e. when the session has been established with a servername
1978 * extension.
1979 * - On session reconnect, the servername extension may be absent.
1980 *
1981 */
1982
1983 else if (type == TLSEXT_TYPE_server_name) {
1984 unsigned int servname_type;
1985 PACKET sni, hostname;
1986
1987 if (!PACKET_as_length_prefixed_2(&extension, &sni)
1988 /* ServerNameList must be at least 1 byte long. */
1989 || PACKET_remaining(&sni) == 0) {
1990 return 0;
1991 }
1992
1993 /*
1994 * Although the server_name extension was intended to be
1995 * extensible to new name types, RFC 4366 defined the
1996 * syntax inextensibility and OpenSSL 1.0.x parses it as
1997 * such.
1998 * RFC 6066 corrected the mistake but adding new name types
1999 * is nevertheless no longer feasible, so act as if no other
2000 * SNI types can exist, to simplify parsing.
2001 *
2002 * Also note that the RFC permits only one SNI value per type,
2003 * i.e., we can only have a single hostname.
2004 */
2005 if (!PACKET_get_1(&sni, &servname_type)
2006 || servname_type != TLSEXT_NAMETYPE_host_name
2007 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
2008 return 0;
2009 }
2010
2011 if (!s->hit) {
2012 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
2013 *al = TLS1_AD_UNRECOGNIZED_NAME;
2014 return 0;
2015 }
2016
2017 if (PACKET_contains_zero_byte(&hostname)) {
2018 *al = TLS1_AD_UNRECOGNIZED_NAME;
2019 return 0;
2020 }
2021
2022 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
2023 *al = TLS1_AD_INTERNAL_ERROR;
2024 return 0;
2025 }
2026
2027 s->servername_done = 1;
2028 } else {
2029 /*
2030 * TODO(openssl-team): if the SNI doesn't match, we MUST
2031 * fall back to a full handshake.
2032 */
2033 s->servername_done = s->session->tlsext_hostname
2034 && PACKET_equal(&hostname, s->session->tlsext_hostname,
2035 strlen(s->session->tlsext_hostname));
2036 }
2037 }
2038#ifndef OPENSSL_NO_SRP
2039 else if (type == TLSEXT_TYPE_srp) {
2040 PACKET srp_I;
2041
2042 if (!PACKET_as_length_prefixed_1(&extension, &srp_I))
2043 return 0;
2044
2045 if (PACKET_contains_zero_byte(&srp_I))
2046 return 0;
2047
2048 /*
2049 * TODO(openssl-team): currently, we re-authenticate the user
2050 * upon resumption. Instead, we MUST ignore the login.
2051 */
2052 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
2053 *al = TLS1_AD_INTERNAL_ERROR;
2054 return 0;
2055 }
2056 }
2057#endif
2058
2059#ifndef OPENSSL_NO_EC
2060 else if (type == TLSEXT_TYPE_ec_point_formats) {
2061 PACKET ec_point_format_list;
2062
2063 if (!PACKET_as_length_prefixed_1(&extension, &ec_point_format_list)
2064 || PACKET_remaining(&ec_point_format_list) == 0) {
2065 return 0;
2066 }
2067
2068 if (!s->hit) {
2069 if (!PACKET_memdup(&ec_point_format_list,
2070 &s->session->tlsext_ecpointformatlist,
2071 &s->
2072 session->tlsext_ecpointformatlist_length)) {
2073 *al = TLS1_AD_INTERNAL_ERROR;
2074 return 0;
2075 }
2076 }
2077 } else if (type == TLSEXT_TYPE_elliptic_curves) {
2078 PACKET elliptic_curve_list;
2079
2080 /* Each NamedCurve is 2 bytes and we must have at least 1. */
2081 if (!PACKET_as_length_prefixed_2(&extension, &elliptic_curve_list)
2082 || PACKET_remaining(&elliptic_curve_list) == 0
2083 || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
2084 return 0;
2085 }
2086
2087 if (!s->hit) {
2088 if (!PACKET_memdup(&elliptic_curve_list,
2089 &s->session->tlsext_ellipticcurvelist,
2090 &s->
2091 session->tlsext_ellipticcurvelist_length)) {
2092 *al = TLS1_AD_INTERNAL_ERROR;
2093 return 0;
2094 }
2095 }
2096 }
2097#endif /* OPENSSL_NO_EC */
2098 else if (type == TLSEXT_TYPE_session_ticket) {
2099 if (s->tls_session_ticket_ext_cb &&
2100 !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
2101 PACKET_remaining(&extension),
2102 s->tls_session_ticket_ext_cb_arg))
2103 {
2104 *al = TLS1_AD_INTERNAL_ERROR;
2105 return 0;
2106 }
2107 } else if (type == TLSEXT_TYPE_signature_algorithms) {
2108 PACKET supported_sig_algs;
2109
2110 if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs)
2111 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
2112 || PACKET_remaining(&supported_sig_algs) == 0) {
2113 return 0;
2114 }
2115
2116 if (!s->hit) {
2117 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
2118 PACKET_remaining(&supported_sig_algs))) {
2119 return 0;
2120 }
2121 }
2122 } else if (type == TLSEXT_TYPE_status_request) {
2123 if (!PACKET_get_1(&extension,
2124 (unsigned int *)&s->tlsext_status_type)) {
2125 return 0;
2126 }
2127#ifndef OPENSSL_NO_OCSP
2128 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2129 const unsigned char *ext_data;
2130 PACKET responder_id_list, exts;
2131 if (!PACKET_get_length_prefixed_2
2132 (&extension, &responder_id_list))
2133 return 0;
2134
2135 /*
2136 * We remove any OCSP_RESPIDs from a previous handshake
2137 * to prevent unbounded memory growth - CVE-2016-6304
2138 */
2139 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
2140 OCSP_RESPID_free);
2141 if (PACKET_remaining(&responder_id_list) > 0) {
2142 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
2143 if (s->tlsext_ocsp_ids == NULL) {
2144 *al = SSL_AD_INTERNAL_ERROR;
2145 return 0;
2146 }
2147 } else {
2148 s->tlsext_ocsp_ids = NULL;
2149 }
2150
2151 while (PACKET_remaining(&responder_id_list) > 0) {
2152 OCSP_RESPID *id;
2153 PACKET responder_id;
2154 const unsigned char *id_data;
2155
2156 if (!PACKET_get_length_prefixed_2(&responder_id_list,
2157 &responder_id)
2158 || PACKET_remaining(&responder_id) == 0) {
2159 return 0;
2160 }
2161
2162 id_data = PACKET_data(&responder_id);
2163 id = d2i_OCSP_RESPID(NULL, &id_data,
2164 PACKET_remaining(&responder_id));
2165 if (id == NULL)
2166 return 0;
2167
2168 if (id_data != PACKET_end(&responder_id)) {
2169 OCSP_RESPID_free(id);
2170 return 0;
2171 }
2172
2173 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2174 OCSP_RESPID_free(id);
2175 *al = SSL_AD_INTERNAL_ERROR;
2176 return 0;
2177 }
2178 }
2179
2180 /* Read in request_extensions */
2181 if (!PACKET_as_length_prefixed_2(&extension, &exts))
2182 return 0;
2183
2184 if (PACKET_remaining(&exts) > 0) {
2185 ext_data = PACKET_data(&exts);
2186 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2187 X509_EXTENSION_free);
2188 s->tlsext_ocsp_exts =
2189 d2i_X509_EXTENSIONS(NULL, &ext_data,
2190 PACKET_remaining(&exts));
2191 if (s->tlsext_ocsp_exts == NULL
2192 || ext_data != PACKET_end(&exts)) {
2193 return 0;
2194 }
2195 }
2196 } else
2197#endif
2198 {
2199 /*
2200 * We don't know what to do with any other type so ignore it.
2201 */
2202 s->tlsext_status_type = -1;
2203 }
2204 }
2205#ifndef OPENSSL_NO_HEARTBEATS
2206 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
2207 unsigned int hbtype;
2208
2209 if (!PACKET_get_1(&extension, &hbtype)
2210 || PACKET_remaining(&extension)) {
2211 *al = SSL_AD_DECODE_ERROR;
2212 return 0;
2213 }
2214 switch (hbtype) {
2215 case 0x01: /* Client allows us to send HB requests */
2216 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2217 break;
2218 case 0x02: /* Client doesn't accept HB requests */
2219 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2220 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
2221 break;
2222 default:
2223 *al = SSL_AD_ILLEGAL_PARAMETER;
2224 return 0;
2225 }
2226 }
2227#endif
2228#ifndef OPENSSL_NO_NEXTPROTONEG
2229 else if (type == TLSEXT_TYPE_next_proto_neg &&
2230 s->s3->tmp.finish_md_len == 0) {
2231 /*-
2232 * We shouldn't accept this extension on a
2233 * renegotiation.
2234 *
2235 * s->new_session will be set on renegotiation, but we
2236 * probably shouldn't rely that it couldn't be set on
2237 * the initial renegotiation too in certain cases (when
2238 * there's some other reason to disallow resuming an
2239 * earlier session -- the current code won't be doing
2240 * anything like that, but this might change).
2241 *
2242 * A valid sign that there's been a previous handshake
2243 * in this connection is if s->s3->tmp.finish_md_len >
2244 * 0. (We are talking about a check that will happen
2245 * in the Hello protocol round, well before a new
2246 * Finished message could have been computed.)
2247 */
2248 s->s3->next_proto_neg_seen = 1;
2249 }
2250#endif
2251
2252 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2253 s->s3->tmp.finish_md_len == 0) {
2254 if (!tls1_alpn_handle_client_hello(s, &extension, al))
2255 return 0;
2256 }
2257
2258 /* session ticket processed earlier */
2259#ifndef OPENSSL_NO_SRTP
2260 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2261 && type == TLSEXT_TYPE_use_srtp) {
2262 if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al))
2263 return 0;
2264 }
2265#endif
2266 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2267 s->tlsext_use_etm = 1;
2268 /*
2269 * Note: extended master secret extension handled in
2270 * tls_check_serverhello_tlsext_early()
2271 */
2272
2273 /*
2274 * If this ClientHello extension was unhandled and this is a
2275 * nonresumed connection, check whether the extension is a custom
2276 * TLS Extension (has a custom_srv_ext_record), and if so call the
2277 * callback and record the extension number so that an appropriate
2278 * ServerHello may be later returned.
2279 */
2280 else if (!s->hit) {
2281 if (custom_ext_parse(s, 1, type, PACKET_data(&extension),
2282 PACKET_remaining(&extension), al) <= 0)
2283 return 0;
2284 }
2285 }
2286
2287 if (PACKET_remaining(pkt) != 0) {
2288 /*
2289 * tls1_check_duplicate_extensions should ensure this never happens.
2290 */
2291 *al = SSL_AD_INTERNAL_ERROR;
2292 return 0;
2293 }
2294
2295 ri_check:
2296
2297 /* Need RI if renegotiating */
2298
2299 if (!renegotiate_seen && s->renegotiate &&
2300 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2301 *al = SSL_AD_HANDSHAKE_FAILURE;
2302 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2303 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2304 return 0;
2305 }
2306
2307 /*
2308 * This function currently has no state to clean up, so it returns directly.
2309 * If parsing fails at any point, the function returns early.
2310 * The SSL object may be left with partial data from extensions, but it must
2311 * then no longer be used, and clearing it up will free the leftovers.
2312 */
2313 return 1;
2314}
2315
2316int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
2317{
2318 int al = -1;
2319 custom_ext_init(&s->cert->srv_ext);
2320 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
2321 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2322 return 0;
2323 }
2324 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2325 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2326 return 0;
2327 }
2328 return 1;
2329}
2330
2331#ifndef OPENSSL_NO_NEXTPROTONEG
2332/*
2333 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2334 * elements of zero length are allowed and the set of elements must exactly
2335 * fill the length of the block.
2336 */
2337static char ssl_next_proto_validate(PACKET *pkt)
2338{
2339 PACKET tmp_protocol;
2340
2341 while (PACKET_remaining(pkt)) {
2342 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
2343 || PACKET_remaining(&tmp_protocol) == 0)
2344 return 0;
2345 }
2346
2347 return 1;
2348}
2349#endif
2350
2351static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
2352{
2353 unsigned int length, type, size;
2354 int tlsext_servername = 0;
2355 int renegotiate_seen = 0;
2356
2357#ifndef OPENSSL_NO_NEXTPROTONEG
2358 s->s3->next_proto_neg_seen = 0;
2359#endif
2360 s->tlsext_ticket_expected = 0;
2361
2362 OPENSSL_free(s->s3->alpn_selected);
2363 s->s3->alpn_selected = NULL;
2364#ifndef OPENSSL_NO_HEARTBEATS
2365 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
2366 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
2367#endif
2368
2369 s->tlsext_use_etm = 0;
2370
2371 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2372
2373 if (!PACKET_get_net_2(pkt, &length))
2374 goto ri_check;
2375
2376 if (PACKET_remaining(pkt) != length) {
2377 *al = SSL_AD_DECODE_ERROR;
2378 return 0;
2379 }
2380
2381 if (!tls1_check_duplicate_extensions(pkt)) {
2382 *al = SSL_AD_DECODE_ERROR;
2383 return 0;
2384 }
2385
2386 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
2387 const unsigned char *data;
2388 PACKET spkt;
2389
2390 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2391 || !PACKET_peek_bytes(&spkt, &data, size))
2392 goto ri_check;
2393
2394 if (s->tlsext_debug_cb)
2395 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2396
2397 if (type == TLSEXT_TYPE_renegotiate) {
2398 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
2399 return 0;
2400 renegotiate_seen = 1;
2401 } else if (s->version == SSL3_VERSION) {
2402 } else if (type == TLSEXT_TYPE_server_name) {
2403 if (s->tlsext_hostname == NULL || size > 0) {
2404 *al = TLS1_AD_UNRECOGNIZED_NAME;
2405 return 0;
2406 }
2407 tlsext_servername = 1;
2408 }
2409#ifndef OPENSSL_NO_EC
2410 else if (type == TLSEXT_TYPE_ec_point_formats) {
2411 unsigned int ecpointformatlist_length;
2412 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2413 || ecpointformatlist_length != size - 1) {
2414 *al = TLS1_AD_DECODE_ERROR;
2415 return 0;
2416 }
2417 if (!s->hit) {
2418 s->session->tlsext_ecpointformatlist_length = 0;
2419 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2420 if ((s->session->tlsext_ecpointformatlist =
2421 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2422 *al = TLS1_AD_INTERNAL_ERROR;
2423 return 0;
2424 }
2425 s->session->tlsext_ecpointformatlist_length =
2426 ecpointformatlist_length;
2427 if (!PACKET_copy_bytes(&spkt,
2428 s->session->tlsext_ecpointformatlist,
2429 ecpointformatlist_length)) {
2430 *al = TLS1_AD_DECODE_ERROR;
2431 return 0;
2432 }
2433
2434 }
2435 }
2436#endif /* OPENSSL_NO_EC */
2437
2438 else if (type == TLSEXT_TYPE_session_ticket) {
2439 if (s->tls_session_ticket_ext_cb &&
2440 !s->tls_session_ticket_ext_cb(s, data, size,
2441 s->tls_session_ticket_ext_cb_arg))
2442 {
2443 *al = TLS1_AD_INTERNAL_ERROR;
2444 return 0;
2445 }
2446 if (!tls_use_ticket(s) || (size > 0)) {
2447 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2448 return 0;
2449 }
2450 s->tlsext_ticket_expected = 1;
2451 } else if (type == TLSEXT_TYPE_status_request) {
2452 /*
2453 * MUST be empty and only sent if we've requested a status
2454 * request message.
2455 */
2456 if ((s->tlsext_status_type == -1) || (size > 0)) {
2457 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2458 return 0;
2459 }
2460 /* Set flag to expect CertificateStatus message */
2461 s->tlsext_status_expected = 1;
2462 }
2463#ifndef OPENSSL_NO_CT
2464 /*
2465 * Only take it if we asked for it - i.e if there is no CT validation
2466 * callback set, then a custom extension MAY be processing it, so we
2467 * need to let control continue to flow to that.
2468 */
2469 else if (type == TLSEXT_TYPE_signed_certificate_timestamp &&
2470 s->ct_validation_callback != NULL) {
2471 /* Simply copy it off for later processing */
2472 if (s->tlsext_scts != NULL) {
2473 OPENSSL_free(s->tlsext_scts);
2474 s->tlsext_scts = NULL;
2475 }
2476 s->tlsext_scts_len = size;
2477 if (size > 0) {
2478 s->tlsext_scts = OPENSSL_malloc(size);
2479 if (s->tlsext_scts == NULL) {
2480 *al = TLS1_AD_INTERNAL_ERROR;
2481 return 0;
2482 }
2483 memcpy(s->tlsext_scts, data, size);
2484 }
2485 }
2486#endif
2487#ifndef OPENSSL_NO_NEXTPROTONEG
2488 else if (type == TLSEXT_TYPE_next_proto_neg &&
2489 s->s3->tmp.finish_md_len == 0) {
2490 unsigned char *selected;
2491 unsigned char selected_len;
2492 /* We must have requested it. */
2493 if (s->ctx->next_proto_select_cb == NULL) {
2494 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2495 return 0;
2496 }
2497 /* The data must be valid */
2498 if (!ssl_next_proto_validate(&spkt)) {
2499 *al = TLS1_AD_DECODE_ERROR;
2500 return 0;
2501 }
2502 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2503 size,
2504 s->
2505 ctx->next_proto_select_cb_arg) !=
2506 SSL_TLSEXT_ERR_OK) {
2507 *al = TLS1_AD_INTERNAL_ERROR;
2508 return 0;
2509 }
2510 /*
2511 * Could be non-NULL if server has sent multiple NPN extensions in
2512 * a single Serverhello
2513 */
2514 OPENSSL_free(s->next_proto_negotiated);
2515 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2516 if (s->next_proto_negotiated == NULL) {
2517 *al = TLS1_AD_INTERNAL_ERROR;
2518 return 0;
2519 }
2520 memcpy(s->next_proto_negotiated, selected, selected_len);
2521 s->next_proto_negotiated_len = selected_len;
2522 s->s3->next_proto_neg_seen = 1;
2523 }
2524#endif
2525
2526 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2527 unsigned len;
2528 /* We must have requested it. */
2529 if (!s->s3->alpn_sent) {
2530 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2531 return 0;
2532 }
2533 /*-
2534 * The extension data consists of:
2535 * uint16 list_length
2536 * uint8 proto_length;
2537 * uint8 proto[proto_length];
2538 */
2539 if (!PACKET_get_net_2(&spkt, &len)
2540 || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len)
2541 || PACKET_remaining(&spkt) != len) {
2542 *al = TLS1_AD_DECODE_ERROR;
2543 return 0;
2544 }
2545 OPENSSL_free(s->s3->alpn_selected);
2546 s->s3->alpn_selected = OPENSSL_malloc(len);
2547 if (s->s3->alpn_selected == NULL) {
2548 *al = TLS1_AD_INTERNAL_ERROR;
2549 return 0;
2550 }
2551 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2552 *al = TLS1_AD_DECODE_ERROR;
2553 return 0;
2554 }
2555 s->s3->alpn_selected_len = len;
2556 }
2557#ifndef OPENSSL_NO_HEARTBEATS
2558 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
2559 unsigned int hbtype;
2560 if (!PACKET_get_1(&spkt, &hbtype)) {
2561 *al = SSL_AD_DECODE_ERROR;
2562 return 0;
2563 }
2564 switch (hbtype) {
2565 case 0x01: /* Server allows us to send HB requests */
2566 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2567 break;
2568 case 0x02: /* Server doesn't accept HB requests */
2569 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2570 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
2571 break;
2572 default:
2573 *al = SSL_AD_ILLEGAL_PARAMETER;
2574 return 0;
2575 }
2576 }
2577#endif
2578#ifndef OPENSSL_NO_SRTP
2579 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2580 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
2581 return 0;
2582 }
2583#endif
2584 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2585 /* Ignore if inappropriate ciphersuite */
2586 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2587 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2588 s->tlsext_use_etm = 1;
2589 } else if (type == TLSEXT_TYPE_extended_master_secret) {
2590 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
2591 if (!s->hit)
2592 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2593 }
2594 /*
2595 * If this extension type was not otherwise handled, but matches a
2596 * custom_cli_ext_record, then send it to the c callback
2597 */
2598 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2599 return 0;
2600 }
2601
2602 if (PACKET_remaining(pkt) != 0) {
2603 *al = SSL_AD_DECODE_ERROR;
2604 return 0;
2605 }
2606
2607 if (!s->hit && tlsext_servername == 1) {
2608 if (s->tlsext_hostname) {
2609 if (s->session->tlsext_hostname == NULL) {
2610 s->session->tlsext_hostname =
2611 OPENSSL_strdup(s->tlsext_hostname);
2612 if (!s->session->tlsext_hostname) {
2613 *al = SSL_AD_UNRECOGNIZED_NAME;
2614 return 0;
2615 }
2616 } else {
2617 *al = SSL_AD_DECODE_ERROR;
2618 return 0;
2619 }
2620 }
2621 }
2622
2623 ri_check:
2624
2625 /*
2626 * Determine if we need to see RI. Strictly speaking if we want to avoid
2627 * an attack we should *always* see RI even on initial server hello
2628 * because the client doesn't see any renegotiation during an attack.
2629 * However this would mean we could not connect to any server which
2630 * doesn't support RI so for the immediate future tolerate RI absence
2631 */
2632 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2633 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2634 *al = SSL_AD_HANDSHAKE_FAILURE;
2635 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2636 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2637 return 0;
2638 }
2639
2640 if (s->hit) {
2641 /*
2642 * Check extended master secret extension is consistent with
2643 * original session.
2644 */
2645 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2646 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2647 *al = SSL_AD_HANDSHAKE_FAILURE;
2648 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2649 return 0;
2650 }
2651 }
2652
2653 return 1;
2654}
2655
2656int ssl_prepare_clienthello_tlsext(SSL *s)
2657{
2658 s->s3->alpn_sent = 0;
2659 return 1;
2660}
2661
2662int ssl_prepare_serverhello_tlsext(SSL *s)
2663{
2664 return 1;
2665}
2666
2667static int ssl_check_clienthello_tlsext_early(SSL *s)
2668{
2669 int ret = SSL_TLSEXT_ERR_NOACK;
2670 int al = SSL_AD_UNRECOGNIZED_NAME;
2671
2672#ifndef OPENSSL_NO_EC
2673 /*
2674 * The handling of the ECPointFormats extension is done elsewhere, namely
2675 * in ssl3_choose_cipher in s3_lib.c.
2676 */
2677 /*
2678 * The handling of the EllipticCurves extension is done elsewhere, namely
2679 * in ssl3_choose_cipher in s3_lib.c.
2680 */
2681#endif
2682
2683 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2684 ret =
2685 s->ctx->tlsext_servername_callback(s, &al,
2686 s->ctx->tlsext_servername_arg);
2687 else if (s->session_ctx != NULL
2688 && s->session_ctx->tlsext_servername_callback != 0)
2689 ret =
2690 s->session_ctx->tlsext_servername_callback(s, &al,
2691 s->
2692 session_ctx->tlsext_servername_arg);
2693
2694 switch (ret) {
2695 case SSL_TLSEXT_ERR_ALERT_FATAL:
2696 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2697 return -1;
2698
2699 case SSL_TLSEXT_ERR_ALERT_WARNING:
2700 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2701 return 1;
2702
2703 case SSL_TLSEXT_ERR_NOACK:
2704 s->servername_done = 0;
2705 default:
2706 return 1;
2707 }
2708}
2709
2710/* Initialise digests to default values */
2711void ssl_set_default_md(SSL *s)
2712{
2713 const EVP_MD **pmd = s->s3->tmp.md;
2714#ifndef OPENSSL_NO_DSA
2715 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2716#endif
2717#ifndef OPENSSL_NO_RSA
2718 if (SSL_USE_SIGALGS(s))
2719 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2720 else
2721 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
2722 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
2723#endif
2724#ifndef OPENSSL_NO_EC
2725 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
2726#endif
2727#ifndef OPENSSL_NO_GOST
2728 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2729 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2730 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
2731#endif
2732}
2733
2734int tls1_set_server_sigalgs(SSL *s)
2735{
2736 int al;
2737 size_t i;
2738
2739 /* Clear any shared signature algorithms */
2740 OPENSSL_free(s->cert->shared_sigalgs);
2741 s->cert->shared_sigalgs = NULL;
2742 s->cert->shared_sigalgslen = 0;
2743 /* Clear certificate digests and validity flags */
2744 for (i = 0; i < SSL_PKEY_NUM; i++) {
2745 s->s3->tmp.md[i] = NULL;
2746 s->s3->tmp.valid_flags[i] = 0;
2747 }
2748
2749 /* If sigalgs received process it. */
2750 if (s->s3->tmp.peer_sigalgs) {
2751 if (!tls1_process_sigalgs(s)) {
2752 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2753 al = SSL_AD_INTERNAL_ERROR;
2754 goto err;
2755 }
2756 /* Fatal error is no shared signature algorithms */
2757 if (!s->cert->shared_sigalgs) {
2758 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2759 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
2760 al = SSL_AD_ILLEGAL_PARAMETER;
2761 goto err;
2762 }
2763 } else {
2764 ssl_set_default_md(s);
2765 }
2766 return 1;
2767 err:
2768 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2769 return 0;
2770}
2771
2772/*
2773 * Upon success, returns 1.
2774 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
2775 */
2776int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
2777{
2778 s->tlsext_status_expected = 0;
2779
2780 /*
2781 * If status request then ask callback what to do. Note: this must be
2782 * called after servername callbacks in case the certificate has changed,
2783 * and must be called after the cipher has been chosen because this may
2784 * influence which certificate is sent
2785 */
2786 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2787 int ret;
2788 CERT_PKEY *certpkey;
2789 certpkey = ssl_get_server_send_pkey(s);
2790 /* If no certificate can't return certificate status */
2791 if (certpkey != NULL) {
2792 /*
2793 * Set current certificate to one we will use so SSL_get_certificate
2794 * et al can pick it up.
2795 */
2796 s->cert->key = certpkey;
2797 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2798 switch (ret) {
2799 /* We don't want to send a status request response */
2800 case SSL_TLSEXT_ERR_NOACK:
2801 s->tlsext_status_expected = 0;
2802 break;
2803 /* status request response should be sent */
2804 case SSL_TLSEXT_ERR_OK:
2805 if (s->tlsext_ocsp_resp)
2806 s->tlsext_status_expected = 1;
2807 break;
2808 /* something bad happened */
2809 case SSL_TLSEXT_ERR_ALERT_FATAL:
2810 default:
2811 *al = SSL_AD_INTERNAL_ERROR;
2812 return 0;
2813 }
2814 }
2815 }
2816
2817 if (!tls1_alpn_handle_client_hello_late(s, al)) {
2818 return 0;
2819 }
2820
2821 return 1;
2822}
2823
2824int ssl_check_serverhello_tlsext(SSL *s)
2825{
2826 int ret = SSL_TLSEXT_ERR_NOACK;
2827 int al = SSL_AD_UNRECOGNIZED_NAME;
2828
2829#ifndef OPENSSL_NO_EC
2830 /*
2831 * If we are client and using an elliptic curve cryptography cipher
2832 * suite, then if server returns an EC point formats lists extension it
2833 * must contain uncompressed.
2834 */
2835 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2836 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2837 if ((s->tlsext_ecpointformatlist != NULL)
2838 && (s->tlsext_ecpointformatlist_length > 0)
2839 && (s->session->tlsext_ecpointformatlist != NULL)
2840 && (s->session->tlsext_ecpointformatlist_length > 0)
2841 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
2842 /* we are using an ECC cipher */
2843 size_t i;
2844 unsigned char *list;
2845 int found_uncompressed = 0;
2846 list = s->session->tlsext_ecpointformatlist;
2847 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2848 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2849 found_uncompressed = 1;
2850 break;
2851 }
2852 }
2853 if (!found_uncompressed) {
2854 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2855 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2856 return -1;
2857 }
2858 }
2859 ret = SSL_TLSEXT_ERR_OK;
2860#endif /* OPENSSL_NO_EC */
2861
2862 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2863 ret =
2864 s->ctx->tlsext_servername_callback(s, &al,
2865 s->ctx->tlsext_servername_arg);
2866 else if (s->session_ctx != NULL
2867 && s->session_ctx->tlsext_servername_callback != 0)
2868 ret =
2869 s->session_ctx->tlsext_servername_callback(s, &al,
2870 s->
2871 session_ctx->tlsext_servername_arg);
2872
2873 /*
2874 * Ensure we get sensible values passed to tlsext_status_cb in the event
2875 * that we don't receive a status message
2876 */
2877 OPENSSL_free(s->tlsext_ocsp_resp);
2878 s->tlsext_ocsp_resp = NULL;
2879 s->tlsext_ocsp_resplen = -1;
2880
2881 switch (ret) {
2882 case SSL_TLSEXT_ERR_ALERT_FATAL:
2883 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2884 return -1;
2885
2886 case SSL_TLSEXT_ERR_ALERT_WARNING:
2887 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2888 return 1;
2889
2890 case SSL_TLSEXT_ERR_NOACK:
2891 s->servername_done = 0;
2892 default:
2893 return 1;
2894 }
2895}
2896
2897int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
2898{
2899 int al = -1;
2900 if (s->version < SSL3_VERSION)
2901 return 1;
2902 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
2903 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2904 return 0;
2905 }
2906
2907 if (ssl_check_serverhello_tlsext(s) <= 0) {
2908 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2909 return 0;
2910 }
2911 return 1;
2912}
2913
2914/*-
2915 * Since the server cache lookup is done early on in the processing of the
2916 * ClientHello and other operations depend on the result some extensions
2917 * need to be handled at the same time.
2918 *
2919 * Two extensions are currently handled, session ticket and extended master
2920 * secret.
2921 *
2922 * session_id: ClientHello session ID.
2923 * ext: ClientHello extensions (including length prefix)
2924 * ret: (output) on return, if a ticket was decrypted, then this is set to
2925 * point to the resulting session.
2926 *
2927 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2928 * ciphersuite, in which case we have no use for session tickets and one will
2929 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2930 *
2931 * Returns:
2932 * -1: fatal error, either from parsing or decrypting the ticket.
2933 * 0: no ticket was found (or was ignored, based on settings).
2934 * 1: a zero length extension was found, indicating that the client supports
2935 * session tickets but doesn't currently have one to offer.
2936 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2937 * couldn't be decrypted because of a non-fatal error.
2938 * 3: a ticket was successfully decrypted and *ret was set.
2939 *
2940 * Side effects:
2941 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2942 * a new session ticket to the client because the client indicated support
2943 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2944 * a session ticket or we couldn't use the one it gave us, or if
2945 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2946 * Otherwise, s->tlsext_ticket_expected is set to 0.
2947 *
2948 * For extended master secret flag is set if the extension is present.
2949 *
2950 */
2951int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2952 const PACKET *session_id,
2953 SSL_SESSION **ret)
2954{
2955 unsigned int i;
2956 PACKET local_ext = *ext;
2957 int retv = -1;
2958
2959 int have_ticket = 0;
2960 int use_ticket = tls_use_ticket(s);
2961
2962 *ret = NULL;
2963 s->tlsext_ticket_expected = 0;
2964 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2965
2966 /*
2967 * If tickets disabled behave as if no ticket present to permit stateful
2968 * resumption.
2969 */
2970 if ((s->version <= SSL3_VERSION))
2971 return 0;
2972
2973 if (!PACKET_get_net_2(&local_ext, &i)) {
2974 retv = 0;
2975 goto end;
2976 }
2977 while (PACKET_remaining(&local_ext) >= 4) {
2978 unsigned int type, size;
2979
2980 if (!PACKET_get_net_2(&local_ext, &type)
2981 || !PACKET_get_net_2(&local_ext, &size)) {
2982 /* Shouldn't ever happen */
2983 retv = -1;
2984 goto end;
2985 }
2986 if (PACKET_remaining(&local_ext) < size) {
2987 retv = 0;
2988 goto end;
2989 }
2990 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
2991 int r;
2992 const unsigned char *etick;
2993
2994 /* Duplicate extension */
2995 if (have_ticket != 0) {
2996 retv = -1;
2997 goto end;
2998 }
2999 have_ticket = 1;
3000
3001 if (size == 0) {
3002 /*
3003 * The client will accept a ticket but doesn't currently have
3004 * one.
3005 */
3006 s->tlsext_ticket_expected = 1;
3007 retv = 1;
3008 continue;
3009 }
3010 if (s->tls_session_secret_cb) {
3011 /*
3012 * Indicate that the ticket couldn't be decrypted rather than
3013 * generating the session from ticket now, trigger
3014 * abbreviated handshake based on external mechanism to
3015 * calculate the master secret later.
3016 */
3017 retv = 2;
3018 continue;
3019 }
3020 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
3021 /* Shouldn't ever happen */
3022 retv = -1;
3023 goto end;
3024 }
3025 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
3026 PACKET_remaining(session_id), ret);
3027 switch (r) {
3028 case 2: /* ticket couldn't be decrypted */
3029 s->tlsext_ticket_expected = 1;
3030 retv = 2;
3031 break;
3032 case 3: /* ticket was decrypted */
3033 retv = r;
3034 break;
3035 case 4: /* ticket decrypted but need to renew */
3036 s->tlsext_ticket_expected = 1;
3037 retv = 3;
3038 break;
3039 default: /* fatal error */
3040 retv = -1;
3041 break;
3042 }
3043 continue;
3044 } else {
3045 if (type == TLSEXT_TYPE_extended_master_secret)
3046 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
3047 if (!PACKET_forward(&local_ext, size)) {
3048 retv = -1;
3049 goto end;
3050 }
3051 }
3052 }
3053 if (have_ticket == 0)
3054 retv = 0;
3055 end:
3056 return retv;
3057}
3058
3059/*-
3060 * tls_decrypt_ticket attempts to decrypt a session ticket.
3061 *
3062 * etick: points to the body of the session ticket extension.
3063 * eticklen: the length of the session tickets extension.
3064 * sess_id: points at the session ID.
3065 * sesslen: the length of the session ID.
3066 * psess: (output) on return, if a ticket was decrypted, then this is set to
3067 * point to the resulting session.
3068 *
3069 * Returns:
3070 * -2: fatal error, malloc failure.
3071 * -1: fatal error, either from parsing or decrypting the ticket.
3072 * 2: the ticket couldn't be decrypted.
3073 * 3: a ticket was successfully decrypted and *psess was set.
3074 * 4: same as 3, but the ticket needs to be renewed.
3075 */
3076static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3077 int eticklen, const unsigned char *sess_id,
3078 int sesslen, SSL_SESSION **psess)
3079{
3080 SSL_SESSION *sess;
3081 unsigned char *sdec;
3082 const unsigned char *p;
3083 int slen, mlen, renew_ticket = 0, ret = -1;
3084 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3085 HMAC_CTX *hctx = NULL;
3086 EVP_CIPHER_CTX *ctx;
3087 SSL_CTX *tctx = s->session_ctx;
3088
3089 /* Initialize session ticket encryption and HMAC contexts */
3090 hctx = HMAC_CTX_new();
3091 if (hctx == NULL)
3092 return -2;
3093 ctx = EVP_CIPHER_CTX_new();
3094 if (ctx == NULL) {
3095 ret = -2;
3096 goto err;
3097 }
3098 if (tctx->tlsext_ticket_key_cb) {
3099 unsigned char *nctick = (unsigned char *)etick;
3100 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3101 ctx, hctx, 0);
3102 if (rv < 0)
3103 goto err;
3104 if (rv == 0) {
3105 ret = 2;
3106 goto err;
3107 }
3108 if (rv == 2)
3109 renew_ticket = 1;
3110 } else {
3111 /* Check key name matches */
3112 if (memcmp(etick, tctx->tlsext_tick_key_name,
3113 sizeof(tctx->tlsext_tick_key_name)) != 0) {
3114 ret = 2;
3115 goto err;
3116 }
3117 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
3118 sizeof(tctx->tlsext_tick_hmac_key),
3119 EVP_sha256(), NULL) <= 0
3120 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
3121 tctx->tlsext_tick_aes_key,
3122 etick + sizeof(tctx->tlsext_tick_key_name)) <=
3123 0) {
3124 goto err;
3125 }
3126 }
3127 /*
3128 * Attempt to process session ticket, first conduct sanity and integrity
3129 * checks on ticket.
3130 */
3131 mlen = HMAC_size(hctx);
3132 if (mlen < 0) {
3133 goto err;
3134 }
3135 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
3136 if (eticklen <=
3137 TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
3138 ret = 2;
3139 goto err;
3140 }
3141 eticklen -= mlen;
3142 /* Check HMAC of encrypted ticket */
3143 if (HMAC_Update(hctx, etick, eticklen) <= 0
3144 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
3145 goto err;
3146 }
3147 HMAC_CTX_free(hctx);
3148 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3149 EVP_CIPHER_CTX_free(ctx);
3150 return 2;
3151 }
3152 /* Attempt to decrypt session data */
3153 /* Move p after IV to start of encrypted ticket, update length */
3154 p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
3155 eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
3156 sdec = OPENSSL_malloc(eticklen);
3157 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
3158 EVP_CIPHER_CTX_free(ctx);
3159 OPENSSL_free(sdec);
3160 return -1;
3161 }
3162 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3163 EVP_CIPHER_CTX_free(ctx);
3164 OPENSSL_free(sdec);
3165 return 2;
3166 }
3167 slen += mlen;
3168 EVP_CIPHER_CTX_free(ctx);
3169 ctx = NULL;
3170 p = sdec;
3171
3172 sess = d2i_SSL_SESSION(NULL, &p, slen);
3173 OPENSSL_free(sdec);
3174 if (sess) {
3175 /*
3176 * The session ID, if non-empty, is used by some clients to detect
3177 * that the ticket has been accepted. So we copy it to the session
3178 * structure. If it is empty set length to zero as required by
3179 * standard.
3180 */
3181 if (sesslen)
3182 memcpy(sess->session_id, sess_id, sesslen);
3183 sess->session_id_length = sesslen;
3184 *psess = sess;
3185 if (renew_ticket)
3186 return 4;
3187 else
3188 return 3;
3189 }
3190 ERR_clear_error();
3191 /*
3192 * For session parse failure, indicate that we need to send a new ticket.
3193 */
3194 return 2;
3195 err:
3196 EVP_CIPHER_CTX_free(ctx);
3197 HMAC_CTX_free(hctx);
3198 return ret;
3199}
3200
3201/* Tables to translate from NIDs to TLS v1.2 ids */
3202
3203typedef struct {
3204 int nid;
3205 int id;
3206} tls12_lookup;
3207
3208static const tls12_lookup tls12_md[] = {
3209 {NID_md5, TLSEXT_hash_md5},
3210 {NID_sha1, TLSEXT_hash_sha1},
3211 {NID_sha224, TLSEXT_hash_sha224},
3212 {NID_sha256, TLSEXT_hash_sha256},
3213 {NID_sha384, TLSEXT_hash_sha384},
3214 {NID_sha512, TLSEXT_hash_sha512},
3215 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3216 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3217 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
3218};
3219
3220static const tls12_lookup tls12_sig[] = {
3221 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3222 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3223 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3224 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3225 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3226 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
3227};
3228
3229static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
3230{
3231 size_t i;
3232 for (i = 0; i < tlen; i++) {
3233 if (table[i].nid == nid)
3234 return table[i].id;
3235 }
3236 return -1;
3237}
3238
3239static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
3240{
3241 size_t i;
3242 for (i = 0; i < tlen; i++) {
3243 if ((table[i].id) == id)
3244 return table[i].nid;
3245 }
3246 return NID_undef;
3247}
3248
3249int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3250{
3251 int sig_id, md_id;
3252 if (!md)
3253 return 0;
3254 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
3255 if (md_id == -1)
3256 return 0;
3257 sig_id = tls12_get_sigid(pk);
3258 if (sig_id == -1)
3259 return 0;
3260 p[0] = (unsigned char)md_id;
3261 p[1] = (unsigned char)sig_id;
3262 return 1;
3263}
3264
3265int tls12_get_sigid(const EVP_PKEY *pk)
3266{
3267 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
3268}
3269
3270typedef struct {
3271 int nid;
3272 int secbits;
3273 int md_idx;
3274 unsigned char tlsext_hash;
3275} tls12_hash_info;
3276
3277static const tls12_hash_info tls12_md_info[] = {
3278 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3279 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3280 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3281 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3282 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3283 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3284 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3285 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX,
3286 TLSEXT_hash_gostr34112012_256},
3287 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
3288 TLSEXT_hash_gostr34112012_512},
3289};
3290
3291static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
3292{
3293 unsigned int i;
3294 if (hash_alg == 0)
3295 return NULL;
3296
3297 for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
3298 if (tls12_md_info[i].tlsext_hash == hash_alg)
3299 return tls12_md_info + i;
3300 }
3301
3302 return NULL;
3303}
3304
3305const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3306{
3307 const tls12_hash_info *inf;
3308 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3309 return NULL;
3310 inf = tls12_get_hash_info(hash_alg);
3311 if (!inf)
3312 return NULL;
3313 return ssl_md(inf->md_idx);
3314}
3315
3316static int tls12_get_pkey_idx(unsigned char sig_alg)
3317{
3318 switch (sig_alg) {
3319#ifndef OPENSSL_NO_RSA
3320 case TLSEXT_signature_rsa:
3321 return SSL_PKEY_RSA_SIGN;
3322#endif
3323#ifndef OPENSSL_NO_DSA
3324 case TLSEXT_signature_dsa:
3325 return SSL_PKEY_DSA_SIGN;
3326#endif
3327#ifndef OPENSSL_NO_EC
3328 case TLSEXT_signature_ecdsa:
3329 return SSL_PKEY_ECC;
3330#endif
3331#ifndef OPENSSL_NO_GOST
3332 case TLSEXT_signature_gostr34102001:
3333 return SSL_PKEY_GOST01;
3334
3335 case TLSEXT_signature_gostr34102012_256:
3336 return SSL_PKEY_GOST12_256;
3337
3338 case TLSEXT_signature_gostr34102012_512:
3339 return SSL_PKEY_GOST12_512;
3340#endif
3341 }
3342 return -1;
3343}
3344
3345/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3346static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3347 int *psignhash_nid, const unsigned char *data)
3348{
3349 int sign_nid = NID_undef, hash_nid = NID_undef;
3350 if (!phash_nid && !psign_nid && !psignhash_nid)
3351 return;
3352 if (phash_nid || psignhash_nid) {
3353 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
3354 if (phash_nid)
3355 *phash_nid = hash_nid;
3356 }
3357 if (psign_nid || psignhash_nid) {
3358 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
3359 if (psign_nid)
3360 *psign_nid = sign_nid;
3361 }
3362 if (psignhash_nid) {
3363 if (sign_nid == NID_undef || hash_nid == NID_undef
3364 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0)
3365 *psignhash_nid = NID_undef;
3366 }
3367}
3368
3369/* Check to see if a signature algorithm is allowed */
3370static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
3371{
3372 /* See if we have an entry in the hash table and it is enabled */
3373 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
3374 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
3375 return 0;
3376 /* See if public key algorithm allowed */
3377 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3378 return 0;
3379 /* Finally see if security callback allows it */
3380 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3381}
3382
3383/*
3384 * Get a mask of disabled public key algorithms based on supported signature
3385 * algorithms. For example if no signature algorithm supports RSA then RSA is
3386 * disabled.
3387 */
3388
3389void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
3390{
3391 const unsigned char *sigalgs;
3392 size_t i, sigalgslen;
3393 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3394 /*
3395 * Now go through all signature algorithms seeing if we support any for
3396 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3397 * down calls to security callback only check if we have to.
3398 */
3399 sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
3400 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3401 switch (sigalgs[1]) {
3402#ifndef OPENSSL_NO_RSA
3403 case TLSEXT_signature_rsa:
3404 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3405 have_rsa = 1;
3406 break;
3407#endif
3408#ifndef OPENSSL_NO_DSA
3409 case TLSEXT_signature_dsa:
3410 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3411 have_dsa = 1;
3412 break;
3413#endif
3414#ifndef OPENSSL_NO_EC
3415 case TLSEXT_signature_ecdsa:
3416 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3417 have_ecdsa = 1;
3418 break;
3419#endif
3420 }
3421 }
3422 if (!have_rsa)
3423 *pmask_a |= SSL_aRSA;
3424 if (!have_dsa)
3425 *pmask_a |= SSL_aDSS;
3426 if (!have_ecdsa)
3427 *pmask_a |= SSL_aECDSA;
3428}
3429
3430size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
3431 const unsigned char *psig, size_t psiglen)
3432{
3433 unsigned char *tmpout = out;
3434 size_t i;
3435 for (i = 0; i < psiglen; i += 2, psig += 2) {
3436 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3437 *tmpout++ = psig[0];
3438 *tmpout++ = psig[1];
3439 }
3440 }
3441 return tmpout - out;
3442}
3443
3444/* Given preference and allowed sigalgs set shared sigalgs */
3445static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
3446 const unsigned char *pref, size_t preflen,
3447 const unsigned char *allow, size_t allowlen)
3448{
3449 const unsigned char *ptmp, *atmp;
3450 size_t i, j, nmatch = 0;
3451 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3452 /* Skip disabled hashes or signature algorithms */
3453 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3454 continue;
3455 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3456 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3457 nmatch++;
3458 if (shsig) {
3459 shsig->rhash = ptmp[0];
3460 shsig->rsign = ptmp[1];
3461 tls1_lookup_sigalg(&shsig->hash_nid,
3462 &shsig->sign_nid,
3463 &shsig->signandhash_nid, ptmp);
3464 shsig++;
3465 }
3466 break;
3467 }
3468 }
3469 }
3470 return nmatch;
3471}
3472
3473/* Set shared signature algorithms for SSL structures */
3474static int tls1_set_shared_sigalgs(SSL *s)
3475{
3476 const unsigned char *pref, *allow, *conf;
3477 size_t preflen, allowlen, conflen;
3478 size_t nmatch;
3479 TLS_SIGALGS *salgs = NULL;
3480 CERT *c = s->cert;
3481 unsigned int is_suiteb = tls1_suiteb(s);
3482
3483 OPENSSL_free(c->shared_sigalgs);
3484 c->shared_sigalgs = NULL;
3485 c->shared_sigalgslen = 0;
3486 /* If client use client signature algorithms if not NULL */
3487 if (!s->server && c->client_sigalgs && !is_suiteb) {
3488 conf = c->client_sigalgs;
3489 conflen = c->client_sigalgslen;
3490 } else if (c->conf_sigalgs && !is_suiteb) {
3491 conf = c->conf_sigalgs;
3492 conflen = c->conf_sigalgslen;
3493 } else
3494 conflen = tls12_get_psigalgs(s, 0, &conf);
3495 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3496 pref = conf;
3497 preflen = conflen;
3498 allow = s->s3->tmp.peer_sigalgs;
3499 allowlen = s->s3->tmp.peer_sigalgslen;
3500 } else {
3501 allow = conf;
3502 allowlen = conflen;
3503 pref = s->s3->tmp.peer_sigalgs;
3504 preflen = s->s3->tmp.peer_sigalgslen;
3505 }
3506 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
3507 if (nmatch) {
3508 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3509 if (salgs == NULL)
3510 return 0;
3511 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3512 } else {
3513 salgs = NULL;
3514 }
3515 c->shared_sigalgs = salgs;
3516 c->shared_sigalgslen = nmatch;
3517 return 1;
3518}
3519
3520/* Set preferred digest for each key type */
3521
3522int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
3523{
3524 CERT *c = s->cert;
3525 /* Extension ignored for inappropriate versions */
3526 if (!SSL_USE_SIGALGS(s))
3527 return 1;
3528 /* Should never happen */
3529 if (!c)
3530 return 0;
3531
3532 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3533 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3534 if (s->s3->tmp.peer_sigalgs == NULL)
3535 return 0;
3536 s->s3->tmp.peer_sigalgslen = dsize;
3537 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
3538 return 1;
3539}
3540
3541int tls1_process_sigalgs(SSL *s)
3542{
3543 int idx;
3544 size_t i;
3545 const EVP_MD *md;
3546 const EVP_MD **pmd = s->s3->tmp.md;
3547 uint32_t *pvalid = s->s3->tmp.valid_flags;
3548 CERT *c = s->cert;
3549 TLS_SIGALGS *sigptr;
3550 if (!tls1_set_shared_sigalgs(s))
3551 return 0;
3552
3553 for (i = 0, sigptr = c->shared_sigalgs;
3554 i < c->shared_sigalgslen; i++, sigptr++) {
3555 idx = tls12_get_pkey_idx(sigptr->rsign);
3556 if (idx > 0 && pmd[idx] == NULL) {
3557 md = tls12_get_hash(sigptr->rhash);
3558 pmd[idx] = md;
3559 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
3560 if (idx == SSL_PKEY_RSA_SIGN) {
3561 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
3562 pmd[SSL_PKEY_RSA_ENC] = md;
3563 }
3564 }
3565
3566 }
3567 /*
3568 * In strict mode leave unset digests as NULL to indicate we can't use
3569 * the certificate for signing.
3570 */
3571 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3572 /*
3573 * Set any remaining keys to default values. NOTE: if alg is not
3574 * supported it stays as NULL.
3575 */
3576#ifndef OPENSSL_NO_DSA
3577 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3578 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
3579#endif
3580#ifndef OPENSSL_NO_RSA
3581 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3582 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3583 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
3584 }
3585#endif
3586#ifndef OPENSSL_NO_EC
3587 if (pmd[SSL_PKEY_ECC] == NULL)
3588 pmd[SSL_PKEY_ECC] = EVP_sha1();
3589#endif
3590#ifndef OPENSSL_NO_GOST
3591 if (pmd[SSL_PKEY_GOST01] == NULL)
3592 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3593 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3594 pmd[SSL_PKEY_GOST12_256] =
3595 EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3596 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3597 pmd[SSL_PKEY_GOST12_512] =
3598 EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3599#endif
3600 }
3601 return 1;
3602}
3603
3604int SSL_get_sigalgs(SSL *s, int idx,
3605 int *psign, int *phash, int *psignhash,
3606 unsigned char *rsig, unsigned char *rhash)
3607{
3608 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
3609 if (psig == NULL)
3610 return 0;
3611 if (idx >= 0) {
3612 idx <<= 1;
3613 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
3614 return 0;
3615 psig += idx;
3616 if (rhash)
3617 *rhash = psig[0];
3618 if (rsig)
3619 *rsig = psig[1];
3620 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3621 }
3622 return s->s3->tmp.peer_sigalgslen / 2;
3623}
3624
3625int SSL_get_shared_sigalgs(SSL *s, int idx,
3626 int *psign, int *phash, int *psignhash,
3627 unsigned char *rsig, unsigned char *rhash)
3628{
3629 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3630 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3631 return 0;
3632 shsigalgs += idx;
3633 if (phash)
3634 *phash = shsigalgs->hash_nid;
3635 if (psign)
3636 *psign = shsigalgs->sign_nid;
3637 if (psignhash)
3638 *psignhash = shsigalgs->signandhash_nid;
3639 if (rsig)
3640 *rsig = shsigalgs->rsign;
3641 if (rhash)
3642 *rhash = shsigalgs->rhash;
3643 return s->cert->shared_sigalgslen;
3644}
3645
3646#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3647
3648typedef struct {
3649 size_t sigalgcnt;
3650 int sigalgs[MAX_SIGALGLEN];
3651} sig_cb_st;
3652
3653static void get_sigorhash(int *psig, int *phash, const char *str)
3654{
3655 if (strcmp(str, "RSA") == 0) {
3656 *psig = EVP_PKEY_RSA;
3657 } else if (strcmp(str, "DSA") == 0) {
3658 *psig = EVP_PKEY_DSA;
3659 } else if (strcmp(str, "ECDSA") == 0) {
3660 *psig = EVP_PKEY_EC;
3661 } else {
3662 *phash = OBJ_sn2nid(str);
3663 if (*phash == NID_undef)
3664 *phash = OBJ_ln2nid(str);
3665 }
3666}
3667
3668static int sig_cb(const char *elem, int len, void *arg)
3669{
3670 sig_cb_st *sarg = arg;
3671 size_t i;
3672 char etmp[20], *p;
3673 int sig_alg = NID_undef, hash_alg = NID_undef;
3674 if (elem == NULL)
3675 return 0;
3676 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3677 return 0;
3678 if (len > (int)(sizeof(etmp) - 1))
3679 return 0;
3680 memcpy(etmp, elem, len);
3681 etmp[len] = 0;
3682 p = strchr(etmp, '+');
3683 if (!p)
3684 return 0;
3685 *p = 0;
3686 p++;
3687 if (!*p)
3688 return 0;
3689
3690 get_sigorhash(&sig_alg, &hash_alg, etmp);
3691 get_sigorhash(&sig_alg, &hash_alg, p);
3692
3693 if (sig_alg == NID_undef || hash_alg == NID_undef)
3694 return 0;
3695
3696 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3697 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3698 return 0;
3699 }
3700 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3701 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3702 return 1;
3703}
3704
3705/*
3706 * Set supported signature algorithms based on a colon separated list of the
3707 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3708 */
3709int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
3710{
3711 sig_cb_st sig;
3712 sig.sigalgcnt = 0;
3713 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3714 return 0;
3715 if (c == NULL)
3716 return 1;
3717 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3718}
3719
3720int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
3721{
3722 unsigned char *sigalgs, *sptr;
3723 int rhash, rsign;
3724 size_t i;
3725 if (salglen & 1)
3726 return 0;
3727 sigalgs = OPENSSL_malloc(salglen);
3728 if (sigalgs == NULL)
3729 return 0;
3730 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
3731 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3732 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
3733
3734 if (rhash == -1 || rsign == -1)
3735 goto err;
3736 *sptr++ = rhash;
3737 *sptr++ = rsign;
3738 }
3739
3740 if (client) {
3741 OPENSSL_free(c->client_sigalgs);
3742 c->client_sigalgs = sigalgs;
3743 c->client_sigalgslen = salglen;
3744 } else {
3745 OPENSSL_free(c->conf_sigalgs);
3746 c->conf_sigalgs = sigalgs;
3747 c->conf_sigalgslen = salglen;
3748 }
3749
3750 return 1;
3751
3752 err:
3753 OPENSSL_free(sigalgs);
3754 return 0;
3755}
3756
3757static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3758{
3759 int sig_nid;
3760 size_t i;
3761 if (default_nid == -1)
3762 return 1;
3763 sig_nid = X509_get_signature_nid(x);
3764 if (default_nid)
3765 return sig_nid == default_nid ? 1 : 0;
3766 for (i = 0; i < c->shared_sigalgslen; i++)
3767 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3768 return 1;
3769 return 0;
3770}
3771
3772/* Check to see if a certificate issuer name matches list of CA names */
3773static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
3774{
3775 X509_NAME *nm;
3776 int i;
3777 nm = X509_get_issuer_name(x);
3778 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3779 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3780 return 1;
3781 }
3782 return 0;
3783}
3784
3785/*
3786 * Check certificate chain is consistent with TLS extensions and is usable by
3787 * server. This servers two purposes: it allows users to check chains before
3788 * passing them to the server and it allows the server to check chains before
3789 * attempting to use them.
3790 */
3791
3792/* Flags which need to be set for a certificate when stict mode not set */
3793
3794#define CERT_PKEY_VALID_FLAGS \
3795 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
3796/* Strict mode flags */
3797#define CERT_PKEY_STRICT_FLAGS \
3798 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3799 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
3800
3801int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3802 int idx)
3803{
3804 int i;
3805 int rv = 0;
3806 int check_flags = 0, strict_mode;
3807 CERT_PKEY *cpk = NULL;
3808 CERT *c = s->cert;
3809 uint32_t *pvalid;
3810 unsigned int suiteb_flags = tls1_suiteb(s);
3811 /* idx == -1 means checking server chains */
3812 if (idx != -1) {
3813 /* idx == -2 means checking client certificate chains */
3814 if (idx == -2) {
3815 cpk = c->key;
3816 idx = cpk - c->pkeys;
3817 } else
3818 cpk = c->pkeys + idx;
3819 pvalid = s->s3->tmp.valid_flags + idx;
3820 x = cpk->x509;
3821 pk = cpk->privatekey;
3822 chain = cpk->chain;
3823 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3824 /* If no cert or key, forget it */
3825 if (!x || !pk)
3826 goto end;
3827 } else {
3828 if (!x || !pk)
3829 return 0;
3830 idx = ssl_cert_type(x, pk);
3831 if (idx == -1)
3832 return 0;
3833 pvalid = s->s3->tmp.valid_flags + idx;
3834
3835 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3836 check_flags = CERT_PKEY_STRICT_FLAGS;
3837 else
3838 check_flags = CERT_PKEY_VALID_FLAGS;
3839 strict_mode = 1;
3840 }
3841
3842 if (suiteb_flags) {
3843 int ok;
3844 if (check_flags)
3845 check_flags |= CERT_PKEY_SUITEB;
3846 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3847 if (ok == X509_V_OK)
3848 rv |= CERT_PKEY_SUITEB;
3849 else if (!check_flags)
3850 goto end;
3851 }
3852
3853 /*
3854 * Check all signature algorithms are consistent with signature
3855 * algorithms extension if TLS 1.2 or later and strict mode.
3856 */
3857 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3858 int default_nid;
3859 unsigned char rsign = 0;
3860 if (s->s3->tmp.peer_sigalgs)
3861 default_nid = 0;
3862 /* If no sigalgs extension use defaults from RFC5246 */
3863 else {
3864 switch (idx) {
3865 case SSL_PKEY_RSA_ENC:
3866 case SSL_PKEY_RSA_SIGN:
3867 rsign = TLSEXT_signature_rsa;
3868 default_nid = NID_sha1WithRSAEncryption;
3869 break;
3870
3871 case SSL_PKEY_DSA_SIGN:
3872 rsign = TLSEXT_signature_dsa;
3873 default_nid = NID_dsaWithSHA1;
3874 break;
3875
3876 case SSL_PKEY_ECC:
3877 rsign = TLSEXT_signature_ecdsa;
3878 default_nid = NID_ecdsa_with_SHA1;
3879 break;
3880
3881 case SSL_PKEY_GOST01:
3882 rsign = TLSEXT_signature_gostr34102001;
3883 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3884 break;
3885
3886 case SSL_PKEY_GOST12_256:
3887 rsign = TLSEXT_signature_gostr34102012_256;
3888 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3889 break;
3890
3891 case SSL_PKEY_GOST12_512:
3892 rsign = TLSEXT_signature_gostr34102012_512;
3893 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3894 break;
3895
3896 default:
3897 default_nid = -1;
3898 break;
3899 }
3900 }
3901 /*
3902 * If peer sent no signature algorithms extension and we have set
3903 * preferred signature algorithms check we support sha1.
3904 */
3905 if (default_nid > 0 && c->conf_sigalgs) {
3906 size_t j;
3907 const unsigned char *p = c->conf_sigalgs;
3908 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3909 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3910 break;
3911 }
3912 if (j == c->conf_sigalgslen) {
3913 if (check_flags)
3914 goto skip_sigs;
3915 else
3916 goto end;
3917 }
3918 }
3919 /* Check signature algorithm of each cert in chain */
3920 if (!tls1_check_sig_alg(c, x, default_nid)) {
3921 if (!check_flags)
3922 goto end;
3923 } else
3924 rv |= CERT_PKEY_EE_SIGNATURE;
3925 rv |= CERT_PKEY_CA_SIGNATURE;
3926 for (i = 0; i < sk_X509_num(chain); i++) {
3927 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3928 if (check_flags) {
3929 rv &= ~CERT_PKEY_CA_SIGNATURE;
3930 break;
3931 } else
3932 goto end;
3933 }
3934 }
3935 }
3936 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3937 else if (check_flags)
3938 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3939 skip_sigs:
3940 /* Check cert parameters are consistent */
3941 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3942 rv |= CERT_PKEY_EE_PARAM;
3943 else if (!check_flags)
3944 goto end;
3945 if (!s->server)
3946 rv |= CERT_PKEY_CA_PARAM;
3947 /* In strict mode check rest of chain too */
3948 else if (strict_mode) {
3949 rv |= CERT_PKEY_CA_PARAM;
3950 for (i = 0; i < sk_X509_num(chain); i++) {
3951 X509 *ca = sk_X509_value(chain, i);
3952 if (!tls1_check_cert_param(s, ca, 0)) {
3953 if (check_flags) {
3954 rv &= ~CERT_PKEY_CA_PARAM;
3955 break;
3956 } else
3957 goto end;
3958 }
3959 }
3960 }
3961 if (!s->server && strict_mode) {
3962 STACK_OF(X509_NAME) *ca_dn;
3963 int check_type = 0;
3964 switch (EVP_PKEY_id(pk)) {
3965 case EVP_PKEY_RSA:
3966 check_type = TLS_CT_RSA_SIGN;
3967 break;
3968 case EVP_PKEY_DSA:
3969 check_type = TLS_CT_DSS_SIGN;
3970 break;
3971 case EVP_PKEY_EC:
3972 check_type = TLS_CT_ECDSA_SIGN;
3973 break;
3974 }
3975 if (check_type) {
3976 const unsigned char *ctypes;
3977 int ctypelen;
3978 if (c->ctypes) {
3979 ctypes = c->ctypes;
3980 ctypelen = (int)c->ctype_num;
3981 } else {
3982 ctypes = (unsigned char *)s->s3->tmp.ctype;
3983 ctypelen = s->s3->tmp.ctype_num;
3984 }
3985 for (i = 0; i < ctypelen; i++) {
3986 if (ctypes[i] == check_type) {
3987 rv |= CERT_PKEY_CERT_TYPE;
3988 break;
3989 }
3990 }
3991 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
3992 goto end;
3993 } else
3994 rv |= CERT_PKEY_CERT_TYPE;
3995
3996 ca_dn = s->s3->tmp.ca_names;
3997
3998 if (!sk_X509_NAME_num(ca_dn))
3999 rv |= CERT_PKEY_ISSUER_NAME;
4000
4001 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4002 if (ssl_check_ca_name(ca_dn, x))
4003 rv |= CERT_PKEY_ISSUER_NAME;
4004 }
4005 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4006 for (i = 0; i < sk_X509_num(chain); i++) {
4007 X509 *xtmp = sk_X509_value(chain, i);
4008 if (ssl_check_ca_name(ca_dn, xtmp)) {
4009 rv |= CERT_PKEY_ISSUER_NAME;
4010 break;
4011 }
4012 }
4013 }
4014 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4015 goto end;
4016 } else
4017 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4018
4019 if (!check_flags || (rv & check_flags) == check_flags)
4020 rv |= CERT_PKEY_VALID;
4021
4022 end:
4023
4024 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
4025 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
4026 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
4027 else if (s->s3->tmp.md[idx] != NULL)
4028 rv |= CERT_PKEY_SIGN;
4029 } else
4030 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4031
4032 /*
4033 * When checking a CERT_PKEY structure all flags are irrelevant if the
4034 * chain is invalid.
4035 */
4036 if (!check_flags) {
4037 if (rv & CERT_PKEY_VALID)
4038 *pvalid = rv;
4039 else {
4040 /* Preserve explicit sign flag, clear rest */
4041 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
4042 return 0;
4043 }
4044 }
4045 return rv;
4046}
4047
4048/* Set validity of certificates in an SSL structure */
4049void tls1_set_cert_validity(SSL *s)
4050{
4051 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4052 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4053 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4054 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4055 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
4056 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
4057 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
4058}
4059
4060/* User level utiity function to check a chain is suitable */
4061int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4062{
4063 return tls1_check_chain(s, x, pk, chain, -1);
4064}
4065
4066#ifndef OPENSSL_NO_DH
4067DH *ssl_get_auto_dh(SSL *s)
4068{
4069 int dh_secbits = 80;
4070 if (s->cert->dh_tmp_auto == 2)
4071 return DH_get_1024_160();
4072 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
4073 if (s->s3->tmp.new_cipher->strength_bits == 256)
4074 dh_secbits = 128;
4075 else
4076 dh_secbits = 80;
4077 } else {
4078 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4079 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4080 }
4081
4082 if (dh_secbits >= 128) {
4083 DH *dhp = DH_new();
4084 BIGNUM *p, *g;
4085 if (dhp == NULL)
4086 return NULL;
4087 g = BN_new();
4088 if (g != NULL)
4089 BN_set_word(g, 2);
4090 if (dh_secbits >= 192)
4091 p = BN_get_rfc3526_prime_8192(NULL);
4092 else
4093 p = BN_get_rfc3526_prime_3072(NULL);
4094 if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
4095 DH_free(dhp);
4096 BN_free(p);
4097 BN_free(g);
4098 return NULL;
4099 }
4100 return dhp;
4101 }
4102 if (dh_secbits >= 112)
4103 return DH_get_2048_224();
4104 return DH_get_1024_160();
4105}
4106#endif
4107
4108static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4109{
4110 int secbits = -1;
4111 EVP_PKEY *pkey = X509_get0_pubkey(x);
4112 if (pkey) {
4113 /*
4114 * If no parameters this will return -1 and fail using the default
4115 * security callback for any non-zero security level. This will
4116 * reject keys which omit parameters but this only affects DSA and
4117 * omission of parameters is never (?) done in practice.
4118 */
4119 secbits = EVP_PKEY_security_bits(pkey);
4120 }
4121 if (s)
4122 return ssl_security(s, op, secbits, 0, x);
4123 else
4124 return ssl_ctx_security(ctx, op, secbits, 0, x);
4125}
4126
4127static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4128{
4129 /* Lookup signature algorithm digest */
4130 int secbits = -1, md_nid = NID_undef, sig_nid;
4131 /* Don't check signature if self signed */
4132 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
4133 return 1;
4134 sig_nid = X509_get_signature_nid(x);
4135 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4136 const EVP_MD *md;
4137 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4138 secbits = EVP_MD_size(md) * 4;
4139 }
4140 if (s)
4141 return ssl_security(s, op, secbits, md_nid, x);
4142 else
4143 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4144}
4145
4146int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
4147{
4148 if (vfy)
4149 vfy = SSL_SECOP_PEER;
4150 if (is_ee) {
4151 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4152 return SSL_R_EE_KEY_TOO_SMALL;
4153 } else {
4154 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4155 return SSL_R_CA_KEY_TOO_SMALL;
4156 }
4157 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4158 return SSL_R_CA_MD_TOO_WEAK;
4159 return 1;
4160}
4161
4162/*
4163 * Check security of a chain, if sk includes the end entity certificate then
4164 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4165 * one to the peer. Return values: 1 if ok otherwise error code to use
4166 */
4167
4168int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
4169{
4170 int rv, start_idx, i;
4171 if (x == NULL) {
4172 x = sk_X509_value(sk, 0);
4173 start_idx = 1;
4174 } else
4175 start_idx = 0;
4176
4177 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4178 if (rv != 1)
4179 return rv;
4180
4181 for (i = start_idx; i < sk_X509_num(sk); i++) {
4182 x = sk_X509_value(sk, i);
4183 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4184 if (rv != 1)
4185 return rv;
4186 }
4187 return 1;
4188}
Note: See TracBrowser for help on using the repository browser.