]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/t1_lib.c
projects / thirdparty / openssl.git / blob
? search:


df963b78005dfa777093885e0302a49f4c592d86
[thirdparty/openssl.git] / ssl / t1_lib.c
1 /*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <openssl/objects.h>
13 #include <openssl/evp.h>
14 #include <openssl/hmac.h>
15 #include <openssl/ocsp.h>
16 #include <openssl/conf.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/dh.h>
19 #include <openssl/bn.h>
20 #include "ssl_locl.h"
21 #include <openssl/ct.h>
22
23
24 #define CHECKLEN(curr, val, limit) \
25 (((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val))
26
27 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
28 const unsigned char *sess_id, int sesslen,
29 SSL_SESSION **psess);
30 static int ssl_check_clienthello_tlsext_early(SSL *s);
31 static int ssl_check_serverhello_tlsext(SSL *s);
32
33 SSL3_ENC_METHOD const TLSv1_enc_data = {
34 tls1_enc,
35 tls1_mac,
36 tls1_setup_key_block,
37 tls1_generate_master_secret,
38 tls1_change_cipher_state,
39 tls1_final_finish_mac,
40 TLS1_FINISH_MAC_LENGTH,
41 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
42 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
43 tls1_alert_code,
44 tls1_export_keying_material,
45 0,
46 SSL3_HM_HEADER_LENGTH,
47 ssl3_set_handshake_header,
48 ssl3_handshake_write
49 };
50
51 SSL3_ENC_METHOD const TLSv1_1_enc_data = {
52 tls1_enc,
53 tls1_mac,
54 tls1_setup_key_block,
55 tls1_generate_master_secret,
56 tls1_change_cipher_state,
57 tls1_final_finish_mac,
58 TLS1_FINISH_MAC_LENGTH,
59 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
60 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
61 tls1_alert_code,
62 tls1_export_keying_material,
63 SSL_ENC_FLAG_EXPLICIT_IV,
64 SSL3_HM_HEADER_LENGTH,
65 ssl3_set_handshake_header,
66 ssl3_handshake_write
67 };
68
69 SSL3_ENC_METHOD const TLSv1_2_enc_data = {
70 tls1_enc,
71 tls1_mac,
72 tls1_setup_key_block,
73 tls1_generate_master_secret,
74 tls1_change_cipher_state,
75 tls1_final_finish_mac,
76 TLS1_FINISH_MAC_LENGTH,
77 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
78 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
79 tls1_alert_code,
80 tls1_export_keying_material,
81 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
82 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
83 SSL3_HM_HEADER_LENGTH,
84 ssl3_set_handshake_header,
85 ssl3_handshake_write
86 };
87
88 long tls1_default_timeout(void)
89 {
90 /*
91 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
92 * http, the cache would over fill
93 */
94 return (60 * 60 * 2);
95 }
96
97 int tls1_new(SSL *s)
98 {
99 if (!ssl3_new(s))
100 return (0);
101 s->method->ssl_clear(s);
102 return (1);
103 }
104
105 void tls1_free(SSL *s)
106 {
107 OPENSSL_free(s->tlsext_session_ticket);
108 ssl3_free(s);
109 }
110
111 void tls1_clear(SSL *s)
112 {
113 ssl3_clear(s);
114 if (s->method->version == TLS_ANY_VERSION)
115 s->version = TLS_MAX_VERSION;
116 else
117 s->version = s->method->version;
118 }
119
120 #ifndef OPENSSL_NO_EC
121
122 typedef struct {
123 int nid; /* Curve NID */
124 int secbits; /* Bits of security (from SP800-57) */
125 unsigned int flags; /* Flags: currently just field type */
126 } tls_curve_info;
127
128 /*
129 * Table of curve information.
130 * Do not delete entries or reorder this array! It is used as a lookup
131 * table: the index of each entry is one less than the TLS curve id.
132 */
133 static const tls_curve_info nid_list[] = {
134 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
135 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
136 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
137 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
138 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
139 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
140 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
141 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
142 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
143 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
144 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
145 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
146 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
147 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
148 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
149 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
150 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
151 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
152 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
153 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
154 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
155 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
156 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
157 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
158 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
159 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
160 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
161 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
162 {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
163 };
164
165 static const unsigned char ecformats_default[] = {
166 TLSEXT_ECPOINTFORMAT_uncompressed,
167 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
168 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
169 };
170
171 /* The default curves */
172 static const unsigned char eccurves_default[] = {
173 0, 29, /* X25519 (29) */
174 0, 23, /* secp256r1 (23) */
175 0, 25, /* secp521r1 (25) */
176 0, 24, /* secp384r1 (24) */
177 };
178
179 static const unsigned char suiteb_curves[] = {
180 0, TLSEXT_curve_P_256,
181 0, TLSEXT_curve_P_384
182 };
183
184 int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags)
185 {
186 const tls_curve_info *cinfo;
187 /* ECC curves from RFC 4492 and RFC 7027 */
188 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
189 return 0;
190 cinfo = nid_list + curve_id - 1;
191 if (pflags)
192 *pflags = cinfo->flags;
193 return cinfo->nid;
194 }
195
196 int tls1_ec_nid2curve_id(int nid)
197 {
198 size_t i;
199 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
200 if (nid_list[i].nid == nid)
201 return i + 1;
202 }
203 return 0;
204 }
205
206 /*
207 * Get curves list, if "sess" is set return client curves otherwise
208 * preferred list.
209 * Sets |num_curves| to the number of curves in the list, i.e.,
210 * the length of |pcurves| is 2 * num_curves.
211 * Returns 1 on success and 0 if the client curves list has invalid format.
212 * The latter indicates an internal error: we should not be accepting such
213 * lists in the first place.
214 * TODO(emilia): we should really be storing the curves list in explicitly
215 * parsed form instead. (However, this would affect binary compatibility
216 * so cannot happen in the 1.0.x series.)
217 */
218 static int tls1_get_curvelist(SSL *s, int sess,
219 const unsigned char **pcurves, size_t *num_curves)
220 {
221 size_t pcurveslen = 0;
222
223 if (sess) {
224 *pcurves = s->session->tlsext_ellipticcurvelist;
225 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
226 } else {
227 /* For Suite B mode only include P-256, P-384 */
228 switch (tls1_suiteb(s)) {
229 case SSL_CERT_FLAG_SUITEB_128_LOS:
230 *pcurves = suiteb_curves;
231 pcurveslen = sizeof(suiteb_curves);
232 break;
233
234 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
235 *pcurves = suiteb_curves;
236 pcurveslen = 2;
237 break;
238
239 case SSL_CERT_FLAG_SUITEB_192_LOS:
240 *pcurves = suiteb_curves + 2;
241 pcurveslen = 2;
242 break;
243 default:
244 *pcurves = s->tlsext_ellipticcurvelist;
245 pcurveslen = s->tlsext_ellipticcurvelist_length;
246 }
247 if (!*pcurves) {
248 *pcurves = eccurves_default;
249 pcurveslen = sizeof(eccurves_default);
250 }
251 }
252
253 /* We do not allow odd length arrays to enter the system. */
254 if (pcurveslen & 1) {
255 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
256 *num_curves = 0;
257 return 0;
258 }
259 *num_curves = pcurveslen / 2;
260 return 1;
261 }
262
263 /* See if curve is allowed by security callback */
264 static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
265 {
266 const tls_curve_info *cinfo;
267 if (curve[0])
268 return 1;
269 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
270 return 0;
271 cinfo = &nid_list[curve[1] - 1];
272 # ifdef OPENSSL_NO_EC2M
273 if (cinfo->flags & TLS_CURVE_CHAR2)
274 return 0;
275 # endif
276 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
277 }
278
279 /* Check a curve is one of our preferences */
280 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
281 {
282 const unsigned char *curves;
283 size_t num_curves, i;
284 unsigned int suiteb_flags = tls1_suiteb(s);
285 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
286 return 0;
287 /* Check curve matches Suite B preferences */
288 if (suiteb_flags) {
289 unsigned long cid = s->s3->tmp.new_cipher->id;
290 if (p[1])
291 return 0;
292 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
293 if (p[2] != TLSEXT_curve_P_256)
294 return 0;
295 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
296 if (p[2] != TLSEXT_curve_P_384)
297 return 0;
298 } else /* Should never happen */
299 return 0;
300 }
301 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
302 return 0;
303 for (i = 0; i < num_curves; i++, curves += 2) {
304 if (p[1] == curves[0] && p[2] == curves[1])
305 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
306 }
307 return 0;
308 }
309
310 /*-
311 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
312 * if there is no match.
313 * For nmatch == -1, return number of matches
314 * For nmatch == -2, return the NID of the curve to use for
315 * an EC tmp key, or NID_undef if there is no match.
316 */
317 int tls1_shared_curve(SSL *s, int nmatch)
318 {
319 const unsigned char *pref, *supp;
320 size_t num_pref, num_supp, i, j;
321 int k;
322
323 /* Can't do anything on client side */
324 if (s->server == 0)
325 return -1;
326 if (nmatch == -2) {
327 if (tls1_suiteb(s)) {
328 /*
329 * For Suite B ciphersuite determines curve: we already know
330 * these are acceptable due to previous checks.
331 */
332 unsigned long cid = s->s3->tmp.new_cipher->id;
333
334 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
335 return NID_X9_62_prime256v1; /* P-256 */
336 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
337 return NID_secp384r1; /* P-384 */
338 /* Should never happen */
339 return NID_undef;
340 }
341 /* If not Suite B just return first preference shared curve */
342 nmatch = 0;
343 }
344 /*
345 * Avoid truncation. tls1_get_curvelist takes an int
346 * but s->options is a long...
347 */
348 if (!tls1_get_curvelist(s,
349 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0,
350 &supp, &num_supp))
351 /* In practice, NID_undef == 0 but let's be precise. */
352 return nmatch == -1 ? 0 : NID_undef;
353 if (!tls1_get_curvelist(s,
354 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0,
355 &pref, &num_pref))
356 return nmatch == -1 ? 0 : NID_undef;
357
358 for (k = 0, i = 0; i < num_pref; i++, pref += 2) {
359 const unsigned char *tsupp = supp;
360
361 for (j = 0; j < num_supp; j++, tsupp += 2) {
362 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
363 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
364 continue;
365 if (nmatch == k) {
366 int id = (pref[0] << 8) | pref[1];
367
368 return tls1_ec_curve_id2nid(id, NULL);
369 }
370 k++;
371 }
372 }
373 }
374 if (nmatch == -1)
375 return k;
376 /* Out of range (nmatch > k). */
377 return NID_undef;
378 }
379
380 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
381 int *curves, size_t ncurves)
382 {
383 unsigned char *clist, *p;
384 size_t i;
385 /*
386 * Bitmap of curves included to detect duplicates: only works while curve
387 * ids < 32
388 */
389 unsigned long dup_list = 0;
390 clist = OPENSSL_malloc(ncurves * 2);
391 if (clist == NULL)
392 return 0;
393 for (i = 0, p = clist; i < ncurves; i++) {
394 unsigned long idmask;
395 int id;
396 id = tls1_ec_nid2curve_id(curves[i]);
397 idmask = 1L << id;
398 if (!id || (dup_list & idmask)) {
399 OPENSSL_free(clist);
400 return 0;
401 }
402 dup_list |= idmask;
403 s2n(id, p);
404 }
405 OPENSSL_free(*pext);
406 *pext = clist;
407 *pextlen = ncurves * 2;
408 return 1;
409 }
410
411 # define MAX_CURVELIST 28
412
413 typedef struct {
414 size_t nidcnt;
415 int nid_arr[MAX_CURVELIST];
416 } nid_cb_st;
417
418 static int nid_cb(const char *elem, int len, void *arg)
419 {
420 nid_cb_st *narg = arg;
421 size_t i;
422 int nid;
423 char etmp[20];
424 if (elem == NULL)
425 return 0;
426 if (narg->nidcnt == MAX_CURVELIST)
427 return 0;
428 if (len > (int)(sizeof(etmp) - 1))
429 return 0;
430 memcpy(etmp, elem, len);
431 etmp[len] = 0;
432 nid = EC_curve_nist2nid(etmp);
433 if (nid == NID_undef)
434 nid = OBJ_sn2nid(etmp);
435 if (nid == NID_undef)
436 nid = OBJ_ln2nid(etmp);
437 if (nid == NID_undef)
438 return 0;
439 for (i = 0; i < narg->nidcnt; i++)
440 if (narg->nid_arr[i] == nid)
441 return 0;
442 narg->nid_arr[narg->nidcnt++] = nid;
443 return 1;
444 }
445
446 /* Set curves based on a colon separate list */
447 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str)
448 {
449 nid_cb_st ncb;
450 ncb.nidcnt = 0;
451 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
452 return 0;
453 if (pext == NULL)
454 return 1;
455 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
456 }
457
458 /* For an EC key set TLS id and required compression based on parameters */
459 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
460 EC_KEY *ec)
461 {
462 int id;
463 const EC_GROUP *grp;
464 if (!ec)
465 return 0;
466 /* Determine if it is a prime field */
467 grp = EC_KEY_get0_group(ec);
468 if (!grp)
469 return 0;
470 /* Determine curve ID */
471 id = EC_GROUP_get_curve_name(grp);
472 id = tls1_ec_nid2curve_id(id);
473 /* If no id return error: we don't support arbitrary explicit curves */
474 if (id == 0)
475 return 0;
476 curve_id[0] = 0;
477 curve_id[1] = (unsigned char)id;
478 if (comp_id) {
479 if (EC_KEY_get0_public_key(ec) == NULL)
480 return 0;
481 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
482 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
483 } else {
484 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
485 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
486 else
487 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
488 }
489 }
490 return 1;
491 }
492
493 /* Check an EC key is compatible with extensions */
494 static int tls1_check_ec_key(SSL *s,
495 unsigned char *curve_id, unsigned char *comp_id)
496 {
497 const unsigned char *pformats, *pcurves;
498 size_t num_formats, num_curves, i;
499 int j;
500 /*
501 * If point formats extension present check it, otherwise everything is
502 * supported (see RFC4492).
503 */
504 if (comp_id && s->session->tlsext_ecpointformatlist) {
505 pformats = s->session->tlsext_ecpointformatlist;
506 num_formats = s->session->tlsext_ecpointformatlist_length;
507 for (i = 0; i < num_formats; i++, pformats++) {
508 if (*comp_id == *pformats)
509 break;
510 }
511 if (i == num_formats)
512 return 0;
513 }
514 if (!curve_id)
515 return 1;
516 /* Check curve is consistent with client and server preferences */
517 for (j = 0; j <= 1; j++) {
518 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
519 return 0;
520 if (j == 1 && num_curves == 0) {
521 /*
522 * If we've not received any curves then skip this check.
523 * RFC 4492 does not require the supported elliptic curves extension
524 * so if it is not sent we can just choose any curve.
525 * It is invalid to send an empty list in the elliptic curves
526 * extension, so num_curves == 0 always means no extension.
527 */
528 break;
529 }
530 for (i = 0; i < num_curves; i++, pcurves += 2) {
531 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
532 break;
533 }
534 if (i == num_curves)
535 return 0;
536 /* For clients can only check sent curve list */
537 if (!s->server)
538 break;
539 }
540 return 1;
541 }
542
543 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
544 size_t *num_formats)
545 {
546 /*
547 * If we have a custom point format list use it otherwise use default
548 */
549 if (s->tlsext_ecpointformatlist) {
550 *pformats = s->tlsext_ecpointformatlist;
551 *num_formats = s->tlsext_ecpointformatlist_length;
552 } else {
553 *pformats = ecformats_default;
554 /* For Suite B we don't support char2 fields */
555 if (tls1_suiteb(s))
556 *num_formats = sizeof(ecformats_default) - 1;
557 else
558 *num_formats = sizeof(ecformats_default);
559 }
560 }
561
562 /*
563 * Check cert parameters compatible with extensions: currently just checks EC
564 * certificates have compatible curves and compression.
565 */
566 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
567 {
568 unsigned char comp_id, curve_id[2];
569 EVP_PKEY *pkey;
570 int rv;
571 pkey = X509_get0_pubkey(x);
572 if (!pkey)
573 return 0;
574 /* If not EC nothing to do */
575 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
576 return 1;
577 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
578 if (!rv)
579 return 0;
580 /*
581 * Can't check curve_id for client certs as we don't have a supported
582 * curves extension.
583 */
584 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
585 if (!rv)
586 return 0;
587 /*
588 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
589 * SHA384+P-384, adjust digest if necessary.
590 */
591 if (set_ee_md && tls1_suiteb(s)) {
592 int check_md;
593 size_t i;
594 CERT *c = s->cert;
595 if (curve_id[0])
596 return 0;
597 /* Check to see we have necessary signing algorithm */
598 if (curve_id[1] == TLSEXT_curve_P_256)
599 check_md = NID_ecdsa_with_SHA256;
600 else if (curve_id[1] == TLSEXT_curve_P_384)
601 check_md = NID_ecdsa_with_SHA384;
602 else
603 return 0; /* Should never happen */
604 for (i = 0; i < c->shared_sigalgslen; i++)
605 if (check_md == c->shared_sigalgs[i].signandhash_nid)
606 break;
607 if (i == c->shared_sigalgslen)
608 return 0;
609 if (set_ee_md == 2) {
610 if (check_md == NID_ecdsa_with_SHA256)
611 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
612 else
613 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
614 }
615 }
616 return rv;
617 }
618
619 # ifndef OPENSSL_NO_EC
620 /*
621 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
622 * @s: SSL connection
623 * @cid: Cipher ID we're considering using
624 *
625 * Checks that the kECDHE cipher suite we're considering using
626 * is compatible with the client extensions.
627 *
628 * Returns 0 when the cipher can't be used or 1 when it can.
629 */
630 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
631 {
632 /*
633 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
634 * curves permitted.
635 */
636 if (tls1_suiteb(s)) {
637 unsigned char curve_id[2];
638 /* Curve to check determined by ciphersuite */
639 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
640 curve_id[1] = TLSEXT_curve_P_256;
641 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
642 curve_id[1] = TLSEXT_curve_P_384;
643 else
644 return 0;
645 curve_id[0] = 0;
646 /* Check this curve is acceptable */
647 if (!tls1_check_ec_key(s, curve_id, NULL))
648 return 0;
649 return 1;
650 }
651 /* Need a shared curve */
652 if (tls1_shared_curve(s, 0))
653 return 1;
654 return 0;
655 }
656 # endif /* OPENSSL_NO_EC */
657
658 #else
659
660 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
661 {
662 return 1;
663 }
664
665 #endif /* OPENSSL_NO_EC */
666
667 /*
668 * List of supported signature algorithms and hashes. Should make this
669 * customisable at some point, for now include everything we support.
670 */
671
672 #ifdef OPENSSL_NO_RSA
673 # define tlsext_sigalg_rsa(md) /* */
674 #else
675 # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
676 #endif
677
678 #ifdef OPENSSL_NO_DSA
679 # define tlsext_sigalg_dsa(md) /* */
680 #else
681 # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
682 #endif
683
684 #ifdef OPENSSL_NO_EC
685 # define tlsext_sigalg_ecdsa(md)/* */
686 #else
687 # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
688 #endif
689
690 #define tlsext_sigalg(md) \
691 tlsext_sigalg_rsa(md) \
692 tlsext_sigalg_dsa(md) \
693 tlsext_sigalg_ecdsa(md)
694
695 static const unsigned char tls12_sigalgs[] = {
696 tlsext_sigalg(TLSEXT_hash_sha512)
697 tlsext_sigalg(TLSEXT_hash_sha384)
698 tlsext_sigalg(TLSEXT_hash_sha256)
699 tlsext_sigalg(TLSEXT_hash_sha224)
700 tlsext_sigalg(TLSEXT_hash_sha1)
701 #ifndef OPENSSL_NO_GOST
702 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
703 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
704 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
705 #endif
706 };
707
708 #ifndef OPENSSL_NO_EC
709 static const unsigned char suiteb_sigalgs[] = {
710 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
711 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
712 };
713 #endif
714 size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
715 {
716 /*
717 * If Suite B mode use Suite B sigalgs only, ignore any other
718 * preferences.
719 */
720 #ifndef OPENSSL_NO_EC
721 switch (tls1_suiteb(s)) {
722 case SSL_CERT_FLAG_SUITEB_128_LOS:
723 *psigs = suiteb_sigalgs;
724 return sizeof(suiteb_sigalgs);
725
726 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
727 *psigs = suiteb_sigalgs;
728 return 2;
729
730 case SSL_CERT_FLAG_SUITEB_192_LOS:
731 *psigs = suiteb_sigalgs + 2;
732 return 2;
733 }
734 #endif
735 /* If server use client authentication sigalgs if not NULL */
736 if (s->server == sent && s->cert->client_sigalgs) {
737 *psigs = s->cert->client_sigalgs;
738 return s->cert->client_sigalgslen;
739 } else if (s->cert->conf_sigalgs) {
740 *psigs = s->cert->conf_sigalgs;
741 return s->cert->conf_sigalgslen;
742 } else {
743 *psigs = tls12_sigalgs;
744 return sizeof(tls12_sigalgs);
745 }
746 }
747
748 /*
749 * Check signature algorithm is consistent with sent supported signature
750 * algorithms and if so return relevant digest.
751 */
752 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
753 const unsigned char *sig, EVP_PKEY *pkey)
754 {
755 const unsigned char *sent_sigs;
756 size_t sent_sigslen, i;
757 int sigalg = tls12_get_sigid(pkey);
758 /* Should never happen */
759 if (sigalg == -1)
760 return -1;
761 /* Check key type is consistent with signature */
762 if (sigalg != (int)sig[1]) {
763 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
764 return 0;
765 }
766 #ifndef OPENSSL_NO_EC
767 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
768 unsigned char curve_id[2], comp_id;
769 /* Check compression and curve matches extensions */
770 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
771 return 0;
772 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
773 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
774 return 0;
775 }
776 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
777 if (tls1_suiteb(s)) {
778 if (curve_id[0])
779 return 0;
780 if (curve_id[1] == TLSEXT_curve_P_256) {
781 if (sig[0] != TLSEXT_hash_sha256) {
782 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
783 SSL_R_ILLEGAL_SUITEB_DIGEST);
784 return 0;
785 }
786 } else if (curve_id[1] == TLSEXT_curve_P_384) {
787 if (sig[0] != TLSEXT_hash_sha384) {
788 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
789 SSL_R_ILLEGAL_SUITEB_DIGEST);
790 return 0;
791 }
792 } else
793 return 0;
794 }
795 } else if (tls1_suiteb(s))
796 return 0;
797 #endif
798
799 /* Check signature matches a type we sent */
800 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
801 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
802 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
803 break;
804 }
805 /* Allow fallback to SHA1 if not strict mode */
806 if (i == sent_sigslen
807 && (sig[0] != TLSEXT_hash_sha1
808 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
809 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
810 return 0;
811 }
812 *pmd = tls12_get_hash(sig[0]);
813 if (*pmd == NULL) {
814 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
815 return 0;
816 }
817 /* Make sure security callback allows algorithm */
818 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
819 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) {
820 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
821 return 0;
822 }
823 /*
824 * Store the digest used so applications can retrieve it if they wish.
825 */
826 s->s3->tmp.peer_md = *pmd;
827 return 1;
828 }
829
830 /*
831 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
832 * supported, doesn't appear in supported signature algorithms, isn't supported
833 * by the enabled protocol versions or by the security level.
834 *
835 * This function should only be used for checking which ciphers are supported
836 * by the client.
837 *
838 * Call ssl_cipher_disabled() to check that it's enabled or not.
839 */
840 void ssl_set_client_disabled(SSL *s)
841 {
842 s->s3->tmp.mask_a = 0;
843 s->s3->tmp.mask_k = 0;
844 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
845 ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
846 #ifndef OPENSSL_NO_PSK
847 /* with PSK there must be client callback set */
848 if (!s->psk_client_callback) {
849 s->s3->tmp.mask_a |= SSL_aPSK;
850 s->s3->tmp.mask_k |= SSL_PSK;
851 }
852 #endif /* OPENSSL_NO_PSK */
853 #ifndef OPENSSL_NO_SRP
854 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
855 s->s3->tmp.mask_a |= SSL_aSRP;
856 s->s3->tmp.mask_k |= SSL_kSRP;
857 }
858 #endif
859 }
860
861 /*
862 * ssl_cipher_disabled - check that a cipher is disabled or not
863 * @s: SSL connection that you want to use the cipher on
864 * @c: cipher to check
865 * @op: Security check that you want to do
866 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
867 *
868 * Returns 1 when it's disabled, 0 when enabled.
869 */
870 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
871 {
872 if (c->algorithm_mkey & s->s3->tmp.mask_k
873 || c->algorithm_auth & s->s3->tmp.mask_a)
874 return 1;
875 if (s->s3->tmp.max_ver == 0)
876 return 1;
877 if (!SSL_IS_DTLS(s)) {
878 int min_tls = c->min_tls;
879
880 /*
881 * For historical reasons we will allow ECHDE to be selected by a server
882 * in SSLv3 if we are a client
883 */
884 if (min_tls == TLS1_VERSION && ecdhe
885 && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
886 min_tls = SSL3_VERSION;
887
888 if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
889 return 1;
890 }
891 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
892 || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
893 return 1;
894
895 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
896 }
897
898 static int tls_use_ticket(SSL *s)
899 {
900 if (s->options & SSL_OP_NO_TICKET)
901 return 0;
902 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
903 }
904
905 static int compare_uint(const void *p1, const void *p2)
906 {
907 unsigned int u1 = *((const unsigned int *)p1);
908 unsigned int u2 = *((const unsigned int *)p2);
909 if (u1 < u2)
910 return -1;
911 else if (u1 > u2)
912 return 1;
913 else
914 return 0;
915 }
916
917 /*
918 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
919 * more than one extension of the same type in a ClientHello or ServerHello.
920 * This function does an initial scan over the extensions block to filter those
921 * out. It returns 1 if all extensions are unique, and 0 if the extensions
922 * contain duplicates, could not be successfully parsed, or an internal error
923 * occurred.
924 */
925 static int tls1_check_duplicate_extensions(const PACKET *packet)
926 {
927 PACKET extensions = *packet;
928 size_t num_extensions = 0, i = 0;
929 unsigned int *extension_types = NULL;
930 int ret = 0;
931
932 /* First pass: count the extensions. */
933 while (PACKET_remaining(&extensions) > 0) {
934 unsigned int type;
935 PACKET extension;
936 if (!PACKET_get_net_2(&extensions, &type) ||
937 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
938 goto done;
939 }
940 num_extensions++;
941 }
942
943 if (num_extensions <= 1)
944 return 1;
945
946 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
947 if (extension_types == NULL) {
948 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
949 goto done;
950 }
951
952 /* Second pass: gather the extension types. */
953 extensions = *packet;
954 for (i = 0; i < num_extensions; i++) {
955 PACKET extension;
956 if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
957 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
958 /* This should not happen. */
959 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
960 goto done;
961 }
962 }
963
964 if (PACKET_remaining(&extensions) != 0) {
965 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
966 goto done;
967 }
968 /* Sort the extensions and make sure there are no duplicates. */
969 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
970 for (i = 1; i < num_extensions; i++) {
971 if (extension_types[i - 1] == extension_types[i])
972 goto done;
973 }
974 ret = 1;
975 done:
976 OPENSSL_free(extension_types);
977 return ret;
978 }
979
980 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
981 unsigned char *limit, int *al)
982 {
983 int extdatalen = 0;
984 unsigned char *orig = buf;
985 unsigned char *ret = buf;
986 #ifndef OPENSSL_NO_EC
987 /* See if we support any ECC ciphersuites */
988 int using_ecc = 0;
989 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
990 int i;
991 unsigned long alg_k, alg_a;
992 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
993
994 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
995 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
996
997 alg_k = c->algorithm_mkey;
998 alg_a = c->algorithm_auth;
999 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
1000 || (alg_a & SSL_aECDSA)) {
1001 using_ecc = 1;
1002 break;
1003 }
1004 }
1005 }
1006 #endif
1007
1008 ret += 2;
1009
1010 if (ret >= limit)
1011 return NULL; /* this really never occurs, but ... */
1012
1013 /* Add RI if renegotiating */
1014 if (s->renegotiate) {
1015 int el;
1016
1017 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1018 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1019 return NULL;
1020 }
1021
1022 if (CHECKLEN(ret, 4 + el, limit))
1023 return NULL;
1024
1025 s2n(TLSEXT_TYPE_renegotiate, ret);
1026 s2n(el, ret);
1027
1028 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1029 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1030 return NULL;
1031 }
1032
1033 ret += el;
1034 }
1035 /* Only add RI for SSLv3 */
1036 if (s->client_version == SSL3_VERSION)
1037 goto done;
1038
1039 if (s->tlsext_hostname != NULL) {
1040 /* Add TLS extension servername to the Client Hello message */
1041 size_t size_str;
1042
1043 /*-
1044 * check for enough space.
1045 * 4 for the servername type and extension length
1046 * 2 for servernamelist length
1047 * 1 for the hostname type
1048 * 2 for hostname length
1049 * + hostname length
1050 */
1051 size_str = strlen(s->tlsext_hostname);
1052 if (CHECKLEN(ret, 9 + size_str, limit))
1053 return NULL;
1054
1055 /* extension type and length */
1056 s2n(TLSEXT_TYPE_server_name, ret);
1057 s2n(size_str + 5, ret);
1058
1059 /* length of servername list */
1060 s2n(size_str + 3, ret);
1061
1062 /* hostname type, length and hostname */
1063 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1064 s2n(size_str, ret);
1065 memcpy(ret, s->tlsext_hostname, size_str);
1066 ret += size_str;
1067 }
1068 #ifndef OPENSSL_NO_SRP
1069 /* Add SRP username if there is one */
1070 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1071 * Client Hello message */
1072
1073 size_t login_len = strlen(s->srp_ctx.login);
1074 if (login_len > 255 || login_len == 0) {
1075 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1076 return NULL;
1077 }
1078
1079 /*-
1080 * check for enough space.
1081 * 4 for the srp type type and extension length
1082 * 1 for the srp user identity
1083 * + srp user identity length
1084 */
1085 if (CHECKLEN(ret, 5 + login_len, limit))
1086 return NULL;
1087
1088 /* fill in the extension */
1089 s2n(TLSEXT_TYPE_srp, ret);
1090 s2n(login_len + 1, ret);
1091 (*ret++) = (unsigned char)login_len;
1092 memcpy(ret, s->srp_ctx.login, login_len);
1093 ret += login_len;
1094 }
1095 #endif
1096
1097 #ifndef OPENSSL_NO_EC
1098 if (using_ecc) {
1099 /*
1100 * Add TLS extension ECPointFormats to the ClientHello message
1101 */
1102 const unsigned char *pcurves, *pformats;
1103 size_t num_curves, num_formats, curves_list_len;
1104 size_t i;
1105 unsigned char *etmp;
1106
1107 tls1_get_formatlist(s, &pformats, &num_formats);
1108
1109 if (num_formats > 255) {
1110 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1111 return NULL;
1112 }
1113 /*-
1114 * check for enough space.
1115 * 4 bytes for the ec point formats type and extension length
1116 * 1 byte for the length of the formats
1117 * + formats length
1118 */
1119 if (CHECKLEN(ret, 5 + num_formats, limit))
1120 return NULL;
1121
1122 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1123 /* The point format list has 1-byte length. */
1124 s2n(num_formats + 1, ret);
1125 *(ret++) = (unsigned char)num_formats;
1126 memcpy(ret, pformats, num_formats);
1127 ret += num_formats;
1128
1129 /*
1130 * Add TLS extension EllipticCurves to the ClientHello message
1131 */
1132 pcurves = s->tlsext_ellipticcurvelist;
1133 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1134 return NULL;
1135
1136 if (num_curves > 65532 / 2) {
1137 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1138 return NULL;
1139 }
1140 /*-
1141 * check for enough space.
1142 * 4 bytes for the ec curves type and extension length
1143 * 2 bytes for the curve list length
1144 * + curve list length
1145 */
1146 if (CHECKLEN(ret, 6 + (num_curves * 2), limit))
1147 return NULL;
1148
1149 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1150 etmp = ret + 4;
1151 /* Copy curve ID if supported */
1152 for (i = 0; i < num_curves; i++, pcurves += 2) {
1153 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1154 *etmp++ = pcurves[0];
1155 *etmp++ = pcurves[1];
1156 }
1157 }
1158
1159 curves_list_len = etmp - ret - 4;
1160
1161 s2n(curves_list_len + 2, ret);
1162 s2n(curves_list_len, ret);
1163 ret += curves_list_len;
1164 }
1165 #endif /* OPENSSL_NO_EC */
1166
1167 if (tls_use_ticket(s)) {
1168 size_t ticklen;
1169 if (!s->new_session && s->session && s->session->tlsext_tick)
1170 ticklen = s->session->tlsext_ticklen;
1171 else if (s->session && s->tlsext_session_ticket &&
1172 s->tlsext_session_ticket->data) {
1173 ticklen = s->tlsext_session_ticket->length;
1174 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1175 if (s->session->tlsext_tick == NULL)
1176 return NULL;
1177 memcpy(s->session->tlsext_tick,
1178 s->tlsext_session_ticket->data, ticklen);
1179 s->session->tlsext_ticklen = ticklen;
1180 } else
1181 ticklen = 0;
1182 if (ticklen == 0 && s->tlsext_session_ticket &&
1183 s->tlsext_session_ticket->data == NULL)
1184 goto skip_ext;
1185 /*
1186 * Check for enough room 2 for extension type, 2 for len rest for
1187 * ticket
1188 */
1189 if (CHECKLEN(ret, 4 + ticklen, limit))
1190 return NULL;
1191 s2n(TLSEXT_TYPE_session_ticket, ret);
1192 s2n(ticklen, ret);
1193 if (ticklen > 0) {
1194 memcpy(ret, s->session->tlsext_tick, ticklen);
1195 ret += ticklen;
1196 }
1197 }
1198 skip_ext:
1199
1200 #ifndef OPENSSL_NO_OCSP
1201 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1202 int i;
1203 size_t extlen, idlen;
1204 int lentmp;
1205 OCSP_RESPID *id;
1206
1207 idlen = 0;
1208 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1209 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1210 lentmp = i2d_OCSP_RESPID(id, NULL);
1211 if (lentmp <= 0)
1212 return NULL;
1213 idlen += (size_t)lentmp + 2;
1214 }
1215
1216 if (s->tlsext_ocsp_exts) {
1217 lentmp = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1218 if (lentmp < 0)
1219 return NULL;
1220 extlen = (size_t)lentmp;
1221 } else
1222 extlen = 0;
1223
1224 if (extlen + idlen > 0xFFF0)
1225 return NULL;
1226 /*
1227 * 2 bytes for status request type
1228 * 2 bytes for status request len
1229 * 1 byte for OCSP request type
1230 * 2 bytes for length of ids
1231 * 2 bytes for length of extensions
1232 * + length of ids
1233 * + length of extensions
1234 */
1235 if (CHECKLEN(ret, 9 + idlen + extlen, limit))
1236 return NULL;
1237
1238 s2n(TLSEXT_TYPE_status_request, ret);
1239 s2n(extlen + idlen + 5, ret);
1240 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1241 s2n(idlen, ret);
1242 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1243 /* save position of id len */
1244 unsigned char *q = ret;
1245 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1246 /* skip over id len */
1247 ret += 2;
1248 lentmp = i2d_OCSP_RESPID(id, &ret);
1249 /* write id len */
1250 s2n(lentmp, q);
1251 }
1252 s2n(extlen, ret);
1253 if (extlen > 0)
1254 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1255 }
1256 #endif
1257 #ifndef OPENSSL_NO_HEARTBEATS
1258 if (SSL_IS_DTLS(s)) {
1259 /* Add Heartbeat extension */
1260
1261 /*-
1262 * check for enough space.
1263 * 4 bytes for the heartbeat ext type and extension length
1264 * 1 byte for the mode
1265 */
1266 if (CHECKLEN(ret, 5, limit))
1267 return NULL;
1268
1269 s2n(TLSEXT_TYPE_heartbeat, ret);
1270 s2n(1, ret);
1271 /*-
1272 * Set mode:
1273 * 1: peer may send requests
1274 * 2: peer not allowed to send requests
1275 */
1276 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1277 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1278 else
1279 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
1280 }
1281 #endif
1282
1283 #ifndef OPENSSL_NO_NEXTPROTONEG
1284 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1285 /*
1286 * The client advertises an empty extension to indicate its support
1287 * for Next Protocol Negotiation
1288 */
1289
1290 /*-
1291 * check for enough space.
1292 * 4 bytes for the NPN ext type and extension length
1293 */
1294 if (CHECKLEN(ret, 4, limit))
1295 return NULL;
1296 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1297 s2n(0, ret);
1298 }
1299 #endif
1300
1301 /*
1302 * finish_md_len is non-zero during a renegotiation, so
1303 * this avoids sending ALPN during the renegotiation
1304 * (see longer comment below)
1305 */
1306 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1307 /*-
1308 * check for enough space.
1309 * 4 bytes for the ALPN type and extension length
1310 * 2 bytes for the ALPN protocol list length
1311 * + ALPN protocol list length
1312 */
1313 if (CHECKLEN(ret, 6 + s->alpn_client_proto_list_len, limit))
1314 return NULL;
1315 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1316 s2n(2 + s->alpn_client_proto_list_len, ret);
1317 s2n(s->alpn_client_proto_list_len, ret);
1318 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1319 ret += s->alpn_client_proto_list_len;
1320 s->s3->alpn_sent = 1;
1321 }
1322 #ifndef OPENSSL_NO_SRTP
1323 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1324 int el;
1325
1326 /* Returns 0 on success!! */
1327 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1328 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1329 return NULL;
1330 }
1331
1332 /*-
1333 * check for enough space.
1334 * 4 bytes for the SRTP type and extension length
1335 * + SRTP profiles length
1336 */
1337 if (CHECKLEN(ret, 4 + el, limit))
1338 return NULL;
1339
1340 s2n(TLSEXT_TYPE_use_srtp, ret);
1341 s2n(el, ret);
1342
1343 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1344 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1345 return NULL;
1346 }
1347 ret += el;
1348 }
1349 #endif
1350 custom_ext_init(&s->cert->cli_ext);
1351 /* Add custom TLS Extensions to ClientHello */
1352 if (!custom_ext_add(s, 0, &ret, limit, al))
1353 return NULL;
1354 /*
1355 * In 1.1.0 before 1.1.0c we negotiated EtM with DTLS, then just
1356 * silently failed to actually do it. It is fixed in 1.1.1 but to
1357 * ease the transition especially from 1.1.0b to 1.1.0c, we just
1358 * disable it in 1.1.0.
1359 * Also skip if SSL_OP_NO_ENCRYPT_THEN_MAC is set.
1360 */
1361 if (!SSL_IS_DTLS(s) && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) {
1362 /*-
1363 * check for enough space.
1364 * 4 bytes for the ETM type and extension length
1365 */
1366 if (CHECKLEN(ret, 4, limit))
1367 return NULL;
1368 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1369 s2n(0, ret);
1370 }
1371
1372 #ifndef OPENSSL_NO_CT
1373 if (s->ct_validation_callback != NULL) {
1374 /*-
1375 * check for enough space.
1376 * 4 bytes for the SCT type and extension length
1377 */
1378 if (CHECKLEN(ret, 4, limit))
1379 return NULL;
1380
1381 s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret);
1382 s2n(0, ret);
1383 }
1384 #endif
1385
1386 /*-
1387 * check for enough space.
1388 * 4 bytes for the EMS type and extension length
1389 */
1390 if (CHECKLEN(ret, 4, limit))
1391 return NULL;
1392 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1393 s2n(0, ret);
1394
1395 /*
1396 * WebSphere application server can not handle having the
1397 * last extension be 0-length (e.g. EMS, EtM), so keep those
1398 * before SigAlgs
1399 */
1400 if (SSL_CLIENT_USE_SIGALGS(s)) {
1401 size_t salglen;
1402 const unsigned char *salg;
1403 unsigned char *etmp;
1404 salglen = tls12_get_psigalgs(s, 1, &salg);
1405
1406 /*-
1407 * check for enough space.
1408 * 4 bytes for the sigalgs type and extension length
1409 * 2 bytes for the sigalg list length
1410 * + sigalg list length
1411 */
1412 if (CHECKLEN(ret, salglen + 6, limit))
1413 return NULL;
1414 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1415 etmp = ret;
1416 /* Skip over lengths for now */
1417 ret += 4;
1418 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1419 /* Fill in lengths */
1420 s2n(salglen + 2, etmp);
1421 s2n(salglen, etmp);
1422 ret += salglen;
1423 }
1424
1425 /*
1426 * Add padding to workaround bugs in F5 terminators. See
1427 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1428 * code works out the length of all existing extensions it MUST always
1429 * appear last. WebSphere 7.x/8.x is intolerant of empty extensions
1430 * being last, so minimum length of 1.
1431 */
1432 if (s->options & SSL_OP_TLSEXT_PADDING) {
1433 int hlen = ret - (unsigned char *)s->init_buf->data;
1434
1435 if (hlen > 0xff && hlen < 0x200) {
1436 hlen = 0x200 - hlen;
1437 if (hlen >= 4)
1438 hlen -= 4;
1439 else
1440 hlen = 1;
1441
1442 /*-
1443 * check for enough space. Strictly speaking we know we've already
1444 * got enough space because to get here the message size is < 0x200,
1445 * but we know that we've allocated far more than that in the buffer
1446 * - but for consistency and robustness we're going to check anyway.
1447 *
1448 * 4 bytes for the padding type and extension length
1449 * + padding length
1450 */
1451 if (CHECKLEN(ret, 4 + hlen, limit))
1452 return NULL;
1453 s2n(TLSEXT_TYPE_padding, ret);
1454 s2n(hlen, ret);
1455 memset(ret, 0, hlen);
1456 ret += hlen;
1457 }
1458 }
1459
1460 done:
1461
1462 if ((extdatalen = ret - orig - 2) == 0)
1463 return orig;
1464
1465 s2n(extdatalen, orig);
1466 return ret;
1467 }
1468
1469 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1470 unsigned char *limit, int *al)
1471 {
1472 int extdatalen = 0;
1473 unsigned char *orig = buf;
1474 unsigned char *ret = buf;
1475 #ifndef OPENSSL_NO_NEXTPROTONEG
1476 int next_proto_neg_seen;
1477 #endif
1478 #ifndef OPENSSL_NO_EC
1479 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1480 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1481 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1482 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1483 #endif
1484
1485 ret += 2;
1486 if (ret >= limit)
1487 return NULL; /* this really never occurs, but ... */
1488
1489 if (s->s3->send_connection_binding) {
1490 int el;
1491
1492 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1493 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1494 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1495 return NULL;
1496 }
1497
1498 /*-
1499 * check for enough space.
1500 * 4 bytes for the reneg type and extension length
1501 * + reneg data length
1502 */
1503 if (CHECKLEN(ret, 4 + el, limit))
1504 return NULL;
1505
1506 s2n(TLSEXT_TYPE_renegotiate, ret);
1507 s2n(el, ret);
1508
1509 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1510 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1511 return NULL;
1512 }
1513
1514 ret += el;
1515 }
1516
1517 /* Only add RI for SSLv3 */
1518 if (s->version == SSL3_VERSION)
1519 goto done;
1520
1521 if (!s->hit && s->servername_done == 1
1522 && s->session->tlsext_hostname != NULL) {
1523 /*-
1524 * check for enough space.
1525 * 4 bytes for the server name type and extension length
1526 */
1527 if (CHECKLEN(ret, 4, limit))
1528 return NULL;
1529
1530 s2n(TLSEXT_TYPE_server_name, ret);
1531 s2n(0, ret);
1532 }
1533 #ifndef OPENSSL_NO_EC
1534 if (using_ecc) {
1535 const unsigned char *plist;
1536 size_t plistlen;
1537 /*
1538 * Add TLS extension ECPointFormats to the ServerHello message
1539 */
1540
1541 tls1_get_formatlist(s, &plist, &plistlen);
1542
1543 if (plistlen > 255) {
1544 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1545 return NULL;
1546 }
1547
1548 /*-
1549 * check for enough space.
1550 * 4 bytes for the ec points format type and extension length
1551 * 1 byte for the points format list length
1552 * + length of points format list
1553 */
1554 if (CHECKLEN(ret, 5 + plistlen, limit))
1555 return NULL;
1556
1557 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1558 s2n(plistlen + 1, ret);
1559 *(ret++) = (unsigned char)plistlen;
1560 memcpy(ret, plist, plistlen);
1561 ret += plistlen;
1562
1563 }
1564 /*
1565 * Currently the server should not respond with a SupportedCurves
1566 * extension
1567 */
1568 #endif /* OPENSSL_NO_EC */
1569
1570 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1571 /*-
1572 * check for enough space.
1573 * 4 bytes for the Ticket type and extension length
1574 */
1575 if (CHECKLEN(ret, 4, limit))
1576 return NULL;
1577 s2n(TLSEXT_TYPE_session_ticket, ret);
1578 s2n(0, ret);
1579 } else {
1580 /*
1581 * if we don't add the above TLSEXT, we can't add a session ticket
1582 * later
1583 */
1584 s->tlsext_ticket_expected = 0;
1585 }
1586
1587 if (s->tlsext_status_expected) {
1588 /*-
1589 * check for enough space.
1590 * 4 bytes for the Status request type and extension length
1591 */
1592 if (CHECKLEN(ret, 4, limit))
1593 return NULL;
1594 s2n(TLSEXT_TYPE_status_request, ret);
1595 s2n(0, ret);
1596 }
1597 #ifndef OPENSSL_NO_SRTP
1598 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1599 int el;
1600
1601 /* Returns 0 on success!! */
1602 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
1603 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1604 return NULL;
1605 }
1606 /*-
1607 * check for enough space.
1608 * 4 bytes for the SRTP profiles type and extension length
1609 * + length of the SRTP profiles list
1610 */
1611 if (CHECKLEN(ret, 4 + el, limit))
1612 return NULL;
1613
1614 s2n(TLSEXT_TYPE_use_srtp, ret);
1615 s2n(el, ret);
1616
1617 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1618 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1619 return NULL;
1620 }
1621 ret += el;
1622 }
1623 #endif
1624
1625 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1626 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1627 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1628 const unsigned char cryptopro_ext[36] = {
1629 0xfd, 0xe8, /* 65000 */
1630 0x00, 0x20, /* 32 bytes length */
1631 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1632 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1633 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1634 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1635 };
1636
1637 /* check for enough space. */
1638 if (CHECKLEN(ret, sizeof(cryptopro_ext), limit))
1639 return NULL;
1640 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
1641 ret += sizeof(cryptopro_ext);
1642
1643 }
1644 #ifndef OPENSSL_NO_HEARTBEATS
1645 /* Add Heartbeat extension if we've received one */
1646 if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
1647 /*-
1648 * check for enough space.
1649 * 4 bytes for the Heartbeat type and extension length
1650 * 1 byte for the mode
1651 */
1652 if (CHECKLEN(ret, 5, limit))
1653 return NULL;
1654 s2n(TLSEXT_TYPE_heartbeat, ret);
1655 s2n(1, ret);
1656 /*-
1657 * Set mode:
1658 * 1: peer may send requests
1659 * 2: peer not allowed to send requests
1660 */
1661 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1662 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1663 else
1664 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
1665
1666 }
1667 #endif
1668
1669 #ifndef OPENSSL_NO_NEXTPROTONEG
1670 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1671 s->s3->next_proto_neg_seen = 0;
1672 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1673 const unsigned char *npa;
1674 unsigned int npalen;
1675 int r;
1676
1677 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1678 s->
1679 ctx->next_protos_advertised_cb_arg);
1680 if (r == SSL_TLSEXT_ERR_OK) {
1681 /*-
1682 * check for enough space.
1683 * 4 bytes for the NPN type and extension length
1684 * + length of protocols list
1685 */
1686 if (CHECKLEN(ret, 4 + npalen, limit))
1687 return NULL;
1688 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1689 s2n(npalen, ret);
1690 memcpy(ret, npa, npalen);
1691 ret += npalen;
1692 s->s3->next_proto_neg_seen = 1;
1693 }
1694 }
1695 #endif
1696 if (!custom_ext_add(s, 1, &ret, limit, al))
1697 return NULL;
1698 if (s->tlsext_use_etm) {
1699 /*
1700 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1701 * for other cases too.
1702 */
1703 if (SSL_IS_DTLS(s) || s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1704 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1705 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1706 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
1707 s->tlsext_use_etm = 0;
1708 else {
1709 /*-
1710 * check for enough space.
1711 * 4 bytes for the ETM type and extension length
1712 */
1713 if (CHECKLEN(ret, 4, limit))
1714 return NULL;
1715 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1716 s2n(0, ret);
1717 }
1718 }
1719 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
1720 /*-
1721 * check for enough space.
1722 * 4 bytes for the EMS type and extension length
1723 */
1724 if (CHECKLEN(ret, 4, limit))
1725 return NULL;
1726 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1727 s2n(0, ret);
1728 }
1729
1730 if (s->s3->alpn_selected != NULL) {
1731 const unsigned char *selected = s->s3->alpn_selected;
1732 size_t len = s->s3->alpn_selected_len;
1733
1734 /*-
1735 * check for enough space.
1736 * 4 bytes for the ALPN type and extension length
1737 * 2 bytes for ALPN data length
1738 * 1 byte for selected protocol length
1739 * + length of the selected protocol
1740 */
1741 if (CHECKLEN(ret, 7 + len, limit))
1742 return NULL;
1743 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1744 s2n(3 + len, ret);
1745 s2n(1 + len, ret);
1746 *ret++ = len;
1747 memcpy(ret, selected, len);
1748 ret += len;
1749 }
1750
1751 done:
1752
1753 if ((extdatalen = ret - orig - 2) == 0)
1754 return orig;
1755
1756 s2n(extdatalen, orig);
1757 return ret;
1758 }
1759
1760 /*
1761 * Save the ALPN extension in a ClientHello.
1762 * pkt: the contents of the ALPN extension, not including type and length.
1763 * al: a pointer to the alert value to send in the event of a failure.
1764 * returns: 1 on success, 0 on error.
1765 */
1766 static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
1767 {
1768 PACKET protocol_list, save_protocol_list, protocol;
1769
1770 *al = SSL_AD_DECODE_ERROR;
1771
1772 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
1773 || PACKET_remaining(&protocol_list) < 2) {
1774 return 0;
1775 }
1776
1777 save_protocol_list = protocol_list;
1778 do {
1779 /* Protocol names can't be empty. */
1780 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
1781 || PACKET_remaining(&protocol) == 0) {
1782 return 0;
1783 }
1784 } while (PACKET_remaining(&protocol_list) != 0);
1785
1786 if (!PACKET_memdup(&save_protocol_list,
1787 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
1788 *al = TLS1_AD_INTERNAL_ERROR;
1789 return 0;
1790 }
1791
1792 return 1;
1793 }
1794
1795 /*
1796 * Process the ALPN extension in a ClientHello.
1797 * al: a pointer to the alert value to send in the event of a failure.
1798 * returns 1 on success, 0 on error.
1799 */
1800 static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
1801 {
1802 const unsigned char *selected = NULL;
1803 unsigned char selected_len = 0;
1804
1805 if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
1806 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1807 s->s3->alpn_proposed,
1808 s->s3->alpn_proposed_len,
1809 s->ctx->alpn_select_cb_arg);
1810
1811 if (r == SSL_TLSEXT_ERR_OK) {
1812 OPENSSL_free(s->s3->alpn_selected);
1813 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
1814 if (s->s3->alpn_selected == NULL) {
1815 *al = SSL_AD_INTERNAL_ERROR;
1816 return 0;
1817 }
1818 s->s3->alpn_selected_len = selected_len;
1819 #ifndef OPENSSL_NO_NEXTPROTONEG
1820 /* ALPN takes precedence over NPN. */
1821 s->s3->next_proto_neg_seen = 0;
1822 #endif
1823 } else if (r == SSL_TLSEXT_ERR_NOACK) {
1824 /* Behave as if no callback was present. */
1825 return 1;
1826 } else {
1827 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
1828 return 0;
1829 }
1830 }
1831
1832 return 1;
1833 }
1834
1835 #ifndef OPENSSL_NO_EC
1836 /*-
1837 * ssl_check_for_safari attempts to fingerprint Safari using OS X
1838 * SecureTransport using the TLS extension block in |pkt|.
1839 * Safari, since 10.6, sends exactly these extensions, in this order:
1840 * SNI,
1841 * elliptic_curves
1842 * ec_point_formats
1843 *
1844 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1845 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1846 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1847 * 10.8..10.8.3 (which don't work).
1848 */
1849 static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
1850 {
1851 unsigned int type;
1852 PACKET sni, tmppkt;
1853 size_t ext_len;
1854
1855 static const unsigned char kSafariExtensionsBlock[] = {
1856 0x00, 0x0a, /* elliptic_curves extension */
1857 0x00, 0x08, /* 8 bytes */
1858 0x00, 0x06, /* 6 bytes of curve ids */
1859 0x00, 0x17, /* P-256 */
1860 0x00, 0x18, /* P-384 */
1861 0x00, 0x19, /* P-521 */
1862
1863 0x00, 0x0b, /* ec_point_formats */
1864 0x00, 0x02, /* 2 bytes */
1865 0x01, /* 1 point format */
1866 0x00, /* uncompressed */
1867 /* The following is only present in TLS 1.2 */
1868 0x00, 0x0d, /* signature_algorithms */
1869 0x00, 0x0c, /* 12 bytes */
1870 0x00, 0x0a, /* 10 bytes */
1871 0x05, 0x01, /* SHA-384/RSA */
1872 0x04, 0x01, /* SHA-256/RSA */
1873 0x02, 0x01, /* SHA-1/RSA */
1874 0x04, 0x03, /* SHA-256/ECDSA */
1875 0x02, 0x03, /* SHA-1/ECDSA */
1876 };
1877
1878 /* Length of the common prefix (first two extensions). */
1879 static const size_t kSafariCommonExtensionsLength = 18;
1880
1881 tmppkt = *pkt;
1882
1883 if (!PACKET_forward(&tmppkt, 2)
1884 || !PACKET_get_net_2(&tmppkt, &type)
1885 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
1886 return;
1887 }
1888
1889 if (type != TLSEXT_TYPE_server_name)
1890 return;
1891
1892 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1893 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
1894
1895 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1896 ext_len);
1897 }
1898 #endif /* !OPENSSL_NO_EC */
1899
1900 /*
1901 * Parse ClientHello extensions and stash extension info in various parts of
1902 * the SSL object. Verify that there are no duplicate extensions.
1903 *
1904 * Behaviour upon resumption is extension-specific. If the extension has no
1905 * effect during resumption, it is parsed (to verify its format) but otherwise
1906 * ignored.
1907 *
1908 * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure.
1909 * Upon failure, sets |al| to the appropriate alert.
1910 */
1911 static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
1912 {
1913 unsigned int type;
1914 int renegotiate_seen = 0;
1915 PACKET extensions;
1916
1917 *al = SSL_AD_DECODE_ERROR;
1918 s->servername_done = 0;
1919 s->tlsext_status_type = -1;
1920 #ifndef OPENSSL_NO_NEXTPROTONEG
1921 s->s3->next_proto_neg_seen = 0;
1922 #endif
1923
1924 OPENSSL_free(s->s3->alpn_selected);
1925 s->s3->alpn_selected = NULL;
1926 s->s3->alpn_selected_len = 0;
1927 OPENSSL_free(s->s3->alpn_proposed);
1928 s->s3->alpn_proposed = NULL;
1929 s->s3->alpn_proposed_len = 0;
1930 #ifndef OPENSSL_NO_HEARTBEATS
1931 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
1932 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
1933 #endif
1934
1935 #ifndef OPENSSL_NO_EC
1936 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1937 ssl_check_for_safari(s, pkt);
1938 #endif /* !OPENSSL_NO_EC */
1939
1940 /* Clear any signature algorithms extension received */
1941 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1942 s->s3->tmp.peer_sigalgs = NULL;
1943 s->tlsext_use_etm = 0;
1944
1945 #ifndef OPENSSL_NO_SRP
1946 OPENSSL_free(s->srp_ctx.login);
1947 s->srp_ctx.login = NULL;
1948 #endif
1949
1950 s->srtp_profile = NULL;
1951
1952 if (PACKET_remaining(pkt) == 0)
1953 goto ri_check;
1954
1955 if (!PACKET_as_length_prefixed_2(pkt, &extensions))
1956 return 0;
1957
1958 if (!tls1_check_duplicate_extensions(&extensions))
1959 return 0;
1960
1961 /*
1962 * We parse all extensions to ensure the ClientHello is well-formed but,
1963 * unless an extension specifies otherwise, we ignore extensions upon
1964 * resumption.
1965 */
1966 while (PACKET_get_net_2(&extensions, &type)) {
1967 PACKET extension;
1968 if (!PACKET_get_length_prefixed_2(&extensions, &extension))
1969 return 0;
1970
1971 if (s->tlsext_debug_cb)
1972 s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
1973 PACKET_remaining(&extension),
1974 s->tlsext_debug_arg);
1975
1976 if (type == TLSEXT_TYPE_renegotiate) {
1977 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al))
1978 return 0;
1979 renegotiate_seen = 1;
1980 } else if (s->version == SSL3_VERSION) {
1981 }
1982 /*-
1983 * The servername extension is treated as follows:
1984 *
1985 * - Only the hostname type is supported with a maximum length of 255.
1986 * - The servername is rejected if too long or if it contains zeros,
1987 * in which case an fatal alert is generated.
1988 * - The servername field is maintained together with the session cache.
1989 * - When a session is resumed, the servername call back invoked in order
1990 * to allow the application to position itself to the right context.
1991 * - The servername is acknowledged if it is new for a session or when
1992 * it is identical to a previously used for the same session.
1993 * Applications can control the behaviour. They can at any time
1994 * set a 'desirable' servername for a new SSL object. This can be the
1995 * case for example with HTTPS when a Host: header field is received and
1996 * a renegotiation is requested. In this case, a possible servername
1997 * presented in the new client hello is only acknowledged if it matches
1998 * the value of the Host: field.
1999 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2000 * if they provide for changing an explicit servername context for the
2001 * session, i.e. when the session has been established with a servername
2002 * extension.
2003 * - On session reconnect, the servername extension may be absent.
2004 *
2005 */
2006
2007 else if (type == TLSEXT_TYPE_server_name) {
2008 unsigned int servname_type;
2009 PACKET sni, hostname;
2010
2011 if (!PACKET_as_length_prefixed_2(&extension, &sni)
2012 /* ServerNameList must be at least 1 byte long. */
2013 || PACKET_remaining(&sni) == 0) {
2014 return 0;
2015 }
2016
2017 /*
2018 * Although the server_name extension was intended to be
2019 * extensible to new name types, RFC 4366 defined the
2020 * syntax inextensibility and OpenSSL 1.0.x parses it as
2021 * such.
2022 * RFC 6066 corrected the mistake but adding new name types
2023 * is nevertheless no longer feasible, so act as if no other
2024 * SNI types can exist, to simplify parsing.
2025 *
2026 * Also note that the RFC permits only one SNI value per type,
2027 * i.e., we can only have a single hostname.
2028 */
2029 if (!PACKET_get_1(&sni, &servname_type)
2030 || servname_type != TLSEXT_NAMETYPE_host_name
2031 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
2032 return 0;
2033 }
2034
2035 if (!s->hit) {
2036 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
2037 *al = TLS1_AD_UNRECOGNIZED_NAME;
2038 return 0;
2039 }
2040
2041 if (PACKET_contains_zero_byte(&hostname)) {
2042 *al = TLS1_AD_UNRECOGNIZED_NAME;
2043 return 0;
2044 }
2045
2046 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
2047 *al = TLS1_AD_INTERNAL_ERROR;
2048 return 0;
2049 }
2050
2051 s->servername_done = 1;
2052 } else {
2053 /*
2054 * TODO(openssl-team): if the SNI doesn't match, we MUST
2055 * fall back to a full handshake.
2056 */
2057 s->servername_done = s->session->tlsext_hostname
2058 && PACKET_equal(&hostname, s->session->tlsext_hostname,
2059 strlen(s->session->tlsext_hostname));
2060 }
2061 }
2062 #ifndef OPENSSL_NO_SRP
2063 else if (type == TLSEXT_TYPE_srp) {
2064 PACKET srp_I;
2065
2066 if (!PACKET_as_length_prefixed_1(&extension, &srp_I))
2067 return 0;
2068
2069 if (PACKET_contains_zero_byte(&srp_I))
2070 return 0;
2071
2072 /*
2073 * TODO(openssl-team): currently, we re-authenticate the user
2074 * upon resumption. Instead, we MUST ignore the login.
2075 */
2076 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
2077 *al = TLS1_AD_INTERNAL_ERROR;
2078 return 0;
2079 }
2080 }
2081 #endif
2082
2083 #ifndef OPENSSL_NO_EC
2084 else if (type == TLSEXT_TYPE_ec_point_formats) {
2085 PACKET ec_point_format_list;
2086
2087 if (!PACKET_as_length_prefixed_1(&extension, &ec_point_format_list)
2088 || PACKET_remaining(&ec_point_format_list) == 0) {
2089 return 0;
2090 }
2091
2092 if (!s->hit) {
2093 if (!PACKET_memdup(&ec_point_format_list,
2094 &s->session->tlsext_ecpointformatlist,
2095 &s->
2096 session->tlsext_ecpointformatlist_length)) {
2097 *al = TLS1_AD_INTERNAL_ERROR;
2098 return 0;
2099 }
2100 }
2101 } else if (type == TLSEXT_TYPE_elliptic_curves) {
2102 PACKET elliptic_curve_list;
2103
2104 /* Each NamedCurve is 2 bytes and we must have at least 1. */
2105 if (!PACKET_as_length_prefixed_2(&extension, &elliptic_curve_list)
2106 || PACKET_remaining(&elliptic_curve_list) == 0
2107 || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
2108 return 0;
2109 }
2110
2111 if (!s->hit) {
2112 if (!PACKET_memdup(&elliptic_curve_list,
2113 &s->session->tlsext_ellipticcurvelist,
2114 &s->
2115 session->tlsext_ellipticcurvelist_length)) {
2116 *al = TLS1_AD_INTERNAL_ERROR;
2117 return 0;
2118 }
2119 }
2120 }
2121 #endif /* OPENSSL_NO_EC */
2122 else if (type == TLSEXT_TYPE_session_ticket) {
2123 if (s->tls_session_ticket_ext_cb &&
2124 !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
2125 PACKET_remaining(&extension),
2126 s->tls_session_ticket_ext_cb_arg))
2127 {
2128 *al = TLS1_AD_INTERNAL_ERROR;
2129 return 0;
2130 }
2131 } else if (type == TLSEXT_TYPE_signature_algorithms) {
2132 PACKET supported_sig_algs;
2133
2134 if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs)
2135 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
2136 || PACKET_remaining(&supported_sig_algs) == 0) {
2137 return 0;
2138 }
2139
2140 if (!s->hit) {
2141 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
2142 PACKET_remaining(&supported_sig_algs))) {
2143 return 0;
2144 }
2145 }
2146 } else if (type == TLSEXT_TYPE_status_request) {
2147 if (!PACKET_get_1(&extension,
2148 (unsigned int *)&s->tlsext_status_type)) {
2149 return 0;
2150 }
2151 #ifndef OPENSSL_NO_OCSP
2152 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2153 const unsigned char *ext_data;
2154 PACKET responder_id_list, exts;
2155 if (!PACKET_get_length_prefixed_2
2156 (&extension, &responder_id_list))
2157 return 0;
2158
2159 /*
2160 * We remove any OCSP_RESPIDs from a previous handshake
2161 * to prevent unbounded memory growth - CVE-2016-6304
2162 */
2163 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
2164 OCSP_RESPID_free);
2165 if (PACKET_remaining(&responder_id_list) > 0) {
2166 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
2167 if (s->tlsext_ocsp_ids == NULL) {
2168 *al = SSL_AD_INTERNAL_ERROR;
2169 return 0;
2170 }
2171 } else {
2172 s->tlsext_ocsp_ids = NULL;
2173 }
2174
2175 while (PACKET_remaining(&responder_id_list) > 0) {
2176 OCSP_RESPID *id;
2177 PACKET responder_id;
2178 const unsigned char *id_data;
2179
2180 if (!PACKET_get_length_prefixed_2(&responder_id_list,
2181 &responder_id)
2182 || PACKET_remaining(&responder_id) == 0) {
2183 return 0;
2184 }
2185
2186 id_data = PACKET_data(&responder_id);
2187 id = d2i_OCSP_RESPID(NULL, &id_data,
2188 PACKET_remaining(&responder_id));
2189 if (id == NULL)
2190 return 0;
2191
2192 if (id_data != PACKET_end(&responder_id)) {
2193 OCSP_RESPID_free(id);
2194 return 0;
2195 }
2196
2197 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2198 OCSP_RESPID_free(id);
2199 *al = SSL_AD_INTERNAL_ERROR;
2200 return 0;
2201 }
2202 }
2203
2204 /* Read in request_extensions */
2205 if (!PACKET_as_length_prefixed_2(&extension, &exts))
2206 return 0;
2207
2208 if (PACKET_remaining(&exts) > 0) {
2209 ext_data = PACKET_data(&exts);
2210 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2211 X509_EXTENSION_free);
2212 s->tlsext_ocsp_exts =
2213 d2i_X509_EXTENSIONS(NULL, &ext_data,
2214 PACKET_remaining(&exts));
2215 if (s->tlsext_ocsp_exts == NULL
2216 || ext_data != PACKET_end(&exts)) {
2217 return 0;
2218 }
2219 }
2220 } else
2221 #endif
2222 {
2223 /*
2224 * We don't know what to do with any other type so ignore it.
2225 */
2226 s->tlsext_status_type = -1;
2227 }
2228 }
2229 #ifndef OPENSSL_NO_HEARTBEATS
2230 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
2231 unsigned int hbtype;
2232
2233 if (!PACKET_get_1(&extension, &hbtype)
2234 || PACKET_remaining(&extension)) {
2235 *al = SSL_AD_DECODE_ERROR;
2236 return 0;
2237 }
2238 switch (hbtype) {
2239 case 0x01: /* Client allows us to send HB requests */
2240 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2241 break;
2242 case 0x02: /* Client doesn't accept HB requests */
2243 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2244 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
2245 break;
2246 default:
2247 *al = SSL_AD_ILLEGAL_PARAMETER;
2248 return 0;
2249 }
2250 }
2251 #endif
2252 #ifndef OPENSSL_NO_NEXTPROTONEG
2253 else if (type == TLSEXT_TYPE_next_proto_neg &&
2254 s->s3->tmp.finish_md_len == 0) {
2255 /*-
2256 * We shouldn't accept this extension on a
2257 * renegotiation.
2258 *
2259 * s->new_session will be set on renegotiation, but we
2260 * probably shouldn't rely that it couldn't be set on
2261 * the initial renegotiation too in certain cases (when
2262 * there's some other reason to disallow resuming an
2263 * earlier session -- the current code won't be doing
2264 * anything like that, but this might change).
2265 *
2266 * A valid sign that there's been a previous handshake
2267 * in this connection is if s->s3->tmp.finish_md_len >
2268 * 0. (We are talking about a check that will happen
2269 * in the Hello protocol round, well before a new
2270 * Finished message could have been computed.)
2271 */
2272 s->s3->next_proto_neg_seen = 1;
2273 }
2274 #endif
2275
2276 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2277 s->s3->tmp.finish_md_len == 0) {
2278 if (!tls1_alpn_handle_client_hello(s, &extension, al))
2279 return 0;
2280 }
2281
2282 /* session ticket processed earlier */
2283 #ifndef OPENSSL_NO_SRTP
2284 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2285 && type == TLSEXT_TYPE_use_srtp) {
2286 if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al))
2287 return 0;
2288 }
2289 #endif
2290 else if (type == TLSEXT_TYPE_encrypt_then_mac &&
2291 !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
2292 s->tlsext_use_etm = 1;
2293 /*
2294 * Note: extended master secret extension handled in
2295 * tls_check_serverhello_tlsext_early()
2296 */
2297
2298 /*
2299 * If this ClientHello extension was unhandled and this is a
2300 * nonresumed connection, check whether the extension is a custom
2301 * TLS Extension (has a custom_srv_ext_record), and if so call the
2302 * callback and record the extension number so that an appropriate
2303 * ServerHello may be later returned.
2304 */
2305 else if (!s->hit) {
2306 if (custom_ext_parse(s, 1, type, PACKET_data(&extension),
2307 PACKET_remaining(&extension), al) <= 0)
2308 return 0;
2309 }
2310 }
2311
2312 if (PACKET_remaining(pkt) != 0) {
2313 /*
2314 * tls1_check_duplicate_extensions should ensure this never happens.
2315 */
2316 *al = SSL_AD_INTERNAL_ERROR;
2317 return 0;
2318 }
2319
2320 ri_check:
2321
2322 /* Need RI if renegotiating */
2323
2324 if (!renegotiate_seen && s->renegotiate &&
2325 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2326 *al = SSL_AD_HANDSHAKE_FAILURE;
2327 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2328 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2329 return 0;
2330 }
2331
2332 /*
2333 * This function currently has no state to clean up, so it returns directly.
2334 * If parsing fails at any point, the function returns early.
2335 * The SSL object may be left with partial data from extensions, but it must
2336 * then no longer be used, and clearing it up will free the leftovers.
2337 */
2338 return 1;
2339 }
2340
2341 int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
2342 {
2343 int al = -1;
2344 custom_ext_init(&s->cert->srv_ext);
2345 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
2346 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2347 return 0;
2348 }
2349 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2350 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2351 return 0;
2352 }
2353 return 1;
2354 }
2355
2356 #ifndef OPENSSL_NO_NEXTPROTONEG
2357 /*
2358 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2359 * elements of zero length are allowed and the set of elements must exactly
2360 * fill the length of the block.
2361 */
2362 static char ssl_next_proto_validate(PACKET *pkt)
2363 {
2364 PACKET tmp_protocol;
2365
2366 while (PACKET_remaining(pkt)) {
2367 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
2368 || PACKET_remaining(&tmp_protocol) == 0)
2369 return 0;
2370 }
2371
2372 return 1;
2373 }
2374 #endif
2375
2376 static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
2377 {
2378 unsigned int length, type, size;
2379 int tlsext_servername = 0;
2380 int renegotiate_seen = 0;
2381
2382 #ifndef OPENSSL_NO_NEXTPROTONEG
2383 s->s3->next_proto_neg_seen = 0;
2384 #endif
2385 s->tlsext_ticket_expected = 0;
2386
2387 OPENSSL_free(s->s3->alpn_selected);
2388 s->s3->alpn_selected = NULL;
2389 #ifndef OPENSSL_NO_HEARTBEATS
2390 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
2391 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
2392 #endif
2393
2394 s->tlsext_use_etm = 0;
2395
2396 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2397
2398 if (!PACKET_get_net_2(pkt, &length))
2399 goto ri_check;
2400
2401 if (PACKET_remaining(pkt) != length) {
2402 *al = SSL_AD_DECODE_ERROR;
2403 return 0;
2404 }
2405
2406 if (!tls1_check_duplicate_extensions(pkt)) {
2407 *al = SSL_AD_DECODE_ERROR;
2408 return 0;
2409 }
2410
2411 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
2412 const unsigned char *data;
2413 PACKET spkt;
2414
2415 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2416 || !PACKET_peek_bytes(&spkt, &data, size))
2417 goto ri_check;
2418
2419 if (s->tlsext_debug_cb)
2420 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2421
2422 if (type == TLSEXT_TYPE_renegotiate) {
2423 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
2424 return 0;
2425 renegotiate_seen = 1;
2426 } else if (s->version == SSL3_VERSION) {
2427 } else if (type == TLSEXT_TYPE_server_name) {
2428 if (s->tlsext_hostname == NULL || size > 0) {
2429 *al = TLS1_AD_UNRECOGNIZED_NAME;
2430 return 0;
2431 }
2432 tlsext_servername = 1;
2433 }
2434 #ifndef OPENSSL_NO_EC
2435 else if (type == TLSEXT_TYPE_ec_point_formats) {
2436 unsigned int ecpointformatlist_length;
2437 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2438 || ecpointformatlist_length != size - 1) {
2439 *al = TLS1_AD_DECODE_ERROR;
2440 return 0;
2441 }
2442 if (!s->hit) {
2443 s->session->tlsext_ecpointformatlist_length = 0;
2444 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2445 if ((s->session->tlsext_ecpointformatlist =
2446 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2447 *al = TLS1_AD_INTERNAL_ERROR;
2448 return 0;
2449 }
2450 s->session->tlsext_ecpointformatlist_length =
2451 ecpointformatlist_length;
2452 if (!PACKET_copy_bytes(&spkt,
2453 s->session->tlsext_ecpointformatlist,
2454 ecpointformatlist_length)) {
2455 *al = TLS1_AD_DECODE_ERROR;
2456 return 0;
2457 }
2458
2459 }
2460 }
2461 #endif /* OPENSSL_NO_EC */
2462
2463 else if (type == TLSEXT_TYPE_session_ticket) {
2464 if (s->tls_session_ticket_ext_cb &&
2465 !s->tls_session_ticket_ext_cb(s, data, size,
2466 s->tls_session_ticket_ext_cb_arg))
2467 {
2468 *al = TLS1_AD_INTERNAL_ERROR;
2469 return 0;
2470 }
2471 if (!tls_use_ticket(s) || (size > 0)) {
2472 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2473 return 0;
2474 }
2475 s->tlsext_ticket_expected = 1;
2476 } else if (type == TLSEXT_TYPE_status_request) {
2477 /*
2478 * MUST be empty and only sent if we've requested a status
2479 * request message.
2480 */
2481 if ((s->tlsext_status_type == -1) || (size > 0)) {
2482 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2483 return 0;
2484 }
2485 /* Set flag to expect CertificateStatus message */
2486 s->tlsext_status_expected = 1;
2487 }
2488 #ifndef OPENSSL_NO_CT
2489 /*
2490 * Only take it if we asked for it - i.e if there is no CT validation
2491 * callback set, then a custom extension MAY be processing it, so we
2492 * need to let control continue to flow to that.
2493 */
2494 else if (type == TLSEXT_TYPE_signed_certificate_timestamp &&
2495 s->ct_validation_callback != NULL) {
2496 /* Simply copy it off for later processing */
2497 if (s->tlsext_scts != NULL) {
2498 OPENSSL_free(s->tlsext_scts);
2499 s->tlsext_scts = NULL;
2500 }
2501 s->tlsext_scts_len = size;
2502 if (size > 0) {
2503 s->tlsext_scts = OPENSSL_malloc(size);
2504 if (s->tlsext_scts == NULL) {
2505 *al = TLS1_AD_INTERNAL_ERROR;
2506 return 0;
2507 }
2508 memcpy(s->tlsext_scts, data, size);
2509 }
2510 }
2511 #endif
2512 #ifndef OPENSSL_NO_NEXTPROTONEG
2513 else if (type == TLSEXT_TYPE_next_proto_neg &&
2514 s->s3->tmp.finish_md_len == 0) {
2515 unsigned char *selected;
2516 unsigned char selected_len;
2517 /* We must have requested it. */
2518 if (s->ctx->next_proto_select_cb == NULL) {
2519 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2520 return 0;
2521 }
2522 /* The data must be valid */
2523 if (!ssl_next_proto_validate(&spkt)) {
2524 *al = TLS1_AD_DECODE_ERROR;
2525 return 0;
2526 }
2527 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2528 size,
2529 s->
2530 ctx->next_proto_select_cb_arg) !=
2531 SSL_TLSEXT_ERR_OK) {
2532 *al = TLS1_AD_INTERNAL_ERROR;
2533 return 0;
2534 }
2535 /*
2536 * Could be non-NULL if server has sent multiple NPN extensions in
2537 * a single Serverhello
2538 */
2539 OPENSSL_free(s->next_proto_negotiated);
2540 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2541 if (s->next_proto_negotiated == NULL) {
2542 *al = TLS1_AD_INTERNAL_ERROR;
2543 return 0;
2544 }
2545 memcpy(s->next_proto_negotiated, selected, selected_len);
2546 s->next_proto_negotiated_len = selected_len;
2547 s->s3->next_proto_neg_seen = 1;
2548 }
2549 #endif
2550
2551 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2552 unsigned len;
2553 /* We must have requested it. */
2554 if (!s->s3->alpn_sent) {
2555 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2556 return 0;
2557 }
2558 /*-
2559 * The extension data consists of:
2560 * uint16 list_length
2561 * uint8 proto_length;
2562 * uint8 proto[proto_length];
2563 */
2564 if (!PACKET_get_net_2(&spkt, &len)
2565 || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len)
2566 || PACKET_remaining(&spkt) != len) {
2567 *al = TLS1_AD_DECODE_ERROR;
2568 return 0;
2569 }
2570 OPENSSL_free(s->s3->alpn_selected);
2571 s->s3->alpn_selected = OPENSSL_malloc(len);
2572 if (s->s3->alpn_selected == NULL) {
2573 *al = TLS1_AD_INTERNAL_ERROR;
2574 return 0;
2575 }
2576 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2577 *al = TLS1_AD_DECODE_ERROR;
2578 return 0;
2579 }
2580 s->s3->alpn_selected_len = len;
2581 }
2582 #ifndef OPENSSL_NO_HEARTBEATS
2583 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
2584 unsigned int hbtype;
2585 if (!PACKET_get_1(&spkt, &hbtype)) {
2586 *al = SSL_AD_DECODE_ERROR;
2587 return 0;
2588 }
2589 switch (hbtype) {
2590 case 0x01: /* Server allows us to send HB requests */
2591 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2592 break;
2593 case 0x02: /* Server doesn't accept HB requests */
2594 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2595 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
2596 break;
2597 default:
2598 *al = SSL_AD_ILLEGAL_PARAMETER;
2599 return 0;
2600 }
2601 }
2602 #endif
2603 #ifndef OPENSSL_NO_SRTP
2604 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2605 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
2606 return 0;
2607 }
2608 #endif
2609 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2610 /* Ignore if inappropriate ciphersuite */
2611 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) &&
2612 s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2613 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2614 s->tlsext_use_etm = 1;
2615 } else if (type == TLSEXT_TYPE_extended_master_secret) {
2616 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
2617 if (!s->hit)
2618 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2619 }
2620 /*
2621 * If this extension type was not otherwise handled, but matches a
2622 * custom_cli_ext_record, then send it to the c callback
2623 */
2624 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2625 return 0;
2626 }
2627
2628 if (PACKET_remaining(pkt) != 0) {
2629 *al = SSL_AD_DECODE_ERROR;
2630 return 0;
2631 }
2632
2633 if (!s->hit && tlsext_servername == 1) {
2634 if (s->tlsext_hostname) {
2635 if (s->session->tlsext_hostname == NULL) {
2636 s->session->tlsext_hostname =
2637 OPENSSL_strdup(s->tlsext_hostname);
2638 if (!s->session->tlsext_hostname) {
2639 *al = SSL_AD_UNRECOGNIZED_NAME;
2640 return 0;
2641 }
2642 } else {
2643 *al = SSL_AD_DECODE_ERROR;
2644 return 0;
2645 }
2646 }
2647 }
2648
2649 ri_check:
2650
2651 /*
2652 * Determine if we need to see RI. Strictly speaking if we want to avoid
2653 * an attack we should *always* see RI even on initial server hello
2654 * because the client doesn't see any renegotiation during an attack.
2655 * However this would mean we could not connect to any server which
2656 * doesn't support RI so for the immediate future tolerate RI absence
2657 */
2658 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2659 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2660 *al = SSL_AD_HANDSHAKE_FAILURE;
2661 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2662 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2663 return 0;
2664 }
2665
2666 if (s->hit) {
2667 /*
2668 * Check extended master secret extension is consistent with
2669 * original session.
2670 */
2671 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2672 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2673 *al = SSL_AD_HANDSHAKE_FAILURE;
2674 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2675 return 0;
2676 }
2677 }
2678
2679 return 1;
2680 }
2681
2682 int ssl_prepare_clienthello_tlsext(SSL *s)
2683 {
2684 s->s3->alpn_sent = 0;
2685 return 1;
2686 }
2687
2688 int ssl_prepare_serverhello_tlsext(SSL *s)
2689 {
2690 return 1;
2691 }
2692
2693 static int ssl_check_clienthello_tlsext_early(SSL *s)
2694 {
2695 int ret = SSL_TLSEXT_ERR_NOACK;
2696 int al = SSL_AD_UNRECOGNIZED_NAME;
2697
2698 #ifndef OPENSSL_NO_EC
2699 /*
2700 * The handling of the ECPointFormats extension is done elsewhere, namely
2701 * in ssl3_choose_cipher in s3_lib.c.
2702 */
2703 /*
2704 * The handling of the EllipticCurves extension is done elsewhere, namely
2705 * in ssl3_choose_cipher in s3_lib.c.
2706 */
2707 #endif
2708
2709 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2710 ret =
2711 s->ctx->tlsext_servername_callback(s, &al,
2712 s->ctx->tlsext_servername_arg);
2713 else if (s->session_ctx != NULL
2714 && s->session_ctx->tlsext_servername_callback != 0)
2715 ret =
2716 s->session_ctx->tlsext_servername_callback(s, &al,
2717 s->
2718 session_ctx->tlsext_servername_arg);
2719
2720 switch (ret) {
2721 case SSL_TLSEXT_ERR_ALERT_FATAL:
2722 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2723 return -1;
2724
2725 case SSL_TLSEXT_ERR_ALERT_WARNING:
2726 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2727 return 1;
2728
2729 case SSL_TLSEXT_ERR_NOACK:
2730 s->servername_done = 0;
2731 /* fall thru */
2732 default:
2733 return 1;
2734 }
2735 }
2736
2737 /* Initialise digests to default values */
2738 void ssl_set_default_md(SSL *s)
2739 {
2740 const EVP_MD **pmd = s->s3->tmp.md;
2741 #ifndef OPENSSL_NO_DSA
2742 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2743 #endif
2744 #ifndef OPENSSL_NO_RSA
2745 if (SSL_USE_SIGALGS(s))
2746 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2747 else
2748 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
2749 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
2750 #endif
2751 #ifndef OPENSSL_NO_EC
2752 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
2753 #endif
2754 #ifndef OPENSSL_NO_GOST
2755 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2756 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2757 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
2758 #endif
2759 }
2760
2761 int tls1_set_server_sigalgs(SSL *s)
2762 {
2763 int al;
2764 size_t i;
2765
2766 /* Clear any shared signature algorithms */
2767 OPENSSL_free(s->cert->shared_sigalgs);
2768 s->cert->shared_sigalgs = NULL;
2769 s->cert->shared_sigalgslen = 0;
2770 /* Clear certificate digests and validity flags */
2771 for (i = 0; i < SSL_PKEY_NUM; i++) {
2772 s->s3->tmp.md[i] = NULL;
2773 s->s3->tmp.valid_flags[i] = 0;
2774 }
2775
2776 /* If sigalgs received process it. */
2777 if (s->s3->tmp.peer_sigalgs) {
2778 if (!tls1_process_sigalgs(s)) {
2779 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2780 al = SSL_AD_INTERNAL_ERROR;
2781 goto err;
2782 }
2783 /* Fatal error is no shared signature algorithms */
2784 if (!s->cert->shared_sigalgs) {
2785 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2786 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
2787 al = SSL_AD_ILLEGAL_PARAMETER;
2788 goto err;
2789 }
2790 } else {
2791 ssl_set_default_md(s);
2792 }
2793 return 1;
2794 err:
2795 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2796 return 0;
2797 }
2798
2799 /*
2800 * Upon success, returns 1.
2801 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
2802 */
2803 int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
2804 {
2805 s->tlsext_status_expected = 0;
2806
2807 /*
2808 * If status request then ask callback what to do. Note: this must be
2809 * called after servername callbacks in case the certificate has changed,
2810 * and must be called after the cipher has been chosen because this may
2811 * influence which certificate is sent
2812 */
2813 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2814 int ret;
2815 CERT_PKEY *certpkey;
2816 certpkey = ssl_get_server_send_pkey(s);
2817 /* If no certificate can't return certificate status */
2818 if (certpkey != NULL) {
2819 /*
2820 * Set current certificate to one we will use so SSL_get_certificate
2821 * et al can pick it up.
2822 */
2823 s->cert->key = certpkey;
2824 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2825 switch (ret) {
2826 /* We don't want to send a status request response */
2827 case SSL_TLSEXT_ERR_NOACK:
2828 s->tlsext_status_expected = 0;
2829 break;
2830 /* status request response should be sent */
2831 case SSL_TLSEXT_ERR_OK:
2832 if (s->tlsext_ocsp_resp)
2833 s->tlsext_status_expected = 1;
2834 break;
2835 /* something bad happened */
2836 case SSL_TLSEXT_ERR_ALERT_FATAL:
2837 default:
2838 *al = SSL_AD_INTERNAL_ERROR;
2839 return 0;
2840 }
2841 }
2842 }
2843
2844 if (!tls1_alpn_handle_client_hello_late(s, al)) {
2845 return 0;
2846 }
2847
2848 return 1;
2849 }
2850
2851 int ssl_check_serverhello_tlsext(SSL *s)
2852 {
2853 int ret = SSL_TLSEXT_ERR_NOACK;
2854 int al = SSL_AD_UNRECOGNIZED_NAME;
2855
2856 #ifndef OPENSSL_NO_EC
2857 /*
2858 * If we are client and using an elliptic curve cryptography cipher
2859 * suite, then if server returns an EC point formats lists extension it
2860 * must contain uncompressed.
2861 */
2862 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2863 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2864 if ((s->tlsext_ecpointformatlist != NULL)
2865 && (s->tlsext_ecpointformatlist_length > 0)
2866 && (s->session->tlsext_ecpointformatlist != NULL)
2867 && (s->session->tlsext_ecpointformatlist_length > 0)
2868 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
2869 /* we are using an ECC cipher */
2870 size_t i;
2871 unsigned char *list;
2872 int found_uncompressed = 0;
2873 list = s->session->tlsext_ecpointformatlist;
2874 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2875 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2876 found_uncompressed = 1;
2877 break;
2878 }
2879 }
2880 if (!found_uncompressed) {
2881 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2882 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2883 return -1;
2884 }
2885 }
2886 ret = SSL_TLSEXT_ERR_OK;
2887 #endif /* OPENSSL_NO_EC */
2888
2889 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2890 ret =
2891 s->ctx->tlsext_servername_callback(s, &al,
2892 s->ctx->tlsext_servername_arg);
2893 else if (s->session_ctx != NULL
2894 && s->session_ctx->tlsext_servername_callback != 0)
2895 ret =
2896 s->session_ctx->tlsext_servername_callback(s, &al,
2897 s->
2898 session_ctx->tlsext_servername_arg);
2899
2900 /*
2901 * Ensure we get sensible values passed to tlsext_status_cb in the event
2902 * that we don't receive a status message
2903 */
2904 OPENSSL_free(s->tlsext_ocsp_resp);
2905 s->tlsext_ocsp_resp = NULL;
2906 s->tlsext_ocsp_resplen = -1;
2907
2908 switch (ret) {
2909 case SSL_TLSEXT_ERR_ALERT_FATAL:
2910 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2911 return -1;
2912
2913 case SSL_TLSEXT_ERR_ALERT_WARNING:
2914 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2915 return 1;
2916
2917 case SSL_TLSEXT_ERR_NOACK:
2918 s->servername_done = 0;
2919 /* fall thru */
2920 default:
2921 return 1;
2922 }
2923 }
2924
2925 int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
2926 {
2927 int al = -1;
2928 if (s->version < SSL3_VERSION)
2929 return 1;
2930 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
2931 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2932 return 0;
2933 }
2934
2935 if (ssl_check_serverhello_tlsext(s) <= 0) {
2936 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2937 return 0;
2938 }
2939 return 1;
2940 }
2941
2942 /*-
2943 * Since the server cache lookup is done early on in the processing of the
2944 * ClientHello and other operations depend on the result some extensions
2945 * need to be handled at the same time.
2946 *
2947 * Two extensions are currently handled, session ticket and extended master
2948 * secret.
2949 *
2950 * session_id: ClientHello session ID.
2951 * ext: ClientHello extensions (including length prefix)
2952 * ret: (output) on return, if a ticket was decrypted, then this is set to
2953 * point to the resulting session.
2954 *
2955 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2956 * ciphersuite, in which case we have no use for session tickets and one will
2957 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2958 *
2959 * Returns:
2960 * -1: fatal error, either from parsing or decrypting the ticket.
2961 * 0: no ticket was found (or was ignored, based on settings).
2962 * 1: a zero length extension was found, indicating that the client supports
2963 * session tickets but doesn't currently have one to offer.
2964 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2965 * couldn't be decrypted because of a non-fatal error.
2966 * 3: a ticket was successfully decrypted and *ret was set.
2967 *
2968 * Side effects:
2969 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2970 * a new session ticket to the client because the client indicated support
2971 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2972 * a session ticket or we couldn't use the one it gave us, or if
2973 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2974 * Otherwise, s->tlsext_ticket_expected is set to 0.
2975 *
2976 * For extended master secret flag is set if the extension is present.
2977 *
2978 */
2979 int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2980 const PACKET *session_id,
2981 SSL_SESSION **ret)
2982 {
2983 unsigned int i;
2984 PACKET local_ext = *ext;
2985 int retv = -1;
2986
2987 int have_ticket = 0;
2988 int use_ticket = tls_use_ticket(s);
2989
2990 *ret = NULL;
2991 s->tlsext_ticket_expected = 0;
2992 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2993
2994 /*
2995 * If tickets disabled behave as if no ticket present to permit stateful
2996 * resumption.
2997 */
2998 if ((s->version <= SSL3_VERSION))
2999 return 0;
3000
3001 if (!PACKET_get_net_2(&local_ext, &i)) {
3002 retv = 0;
3003 goto end;
3004 }
3005 while (PACKET_remaining(&local_ext) >= 4) {
3006 unsigned int type, size;
3007
3008 if (!PACKET_get_net_2(&local_ext, &type)
3009 || !PACKET_get_net_2(&local_ext, &size)) {
3010 /* Shouldn't ever happen */
3011 retv = -1;
3012 goto end;
3013 }
3014 if (PACKET_remaining(&local_ext) < size) {
3015 retv = 0;
3016 goto end;
3017 }
3018 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
3019 int r;
3020 const unsigned char *etick;
3021
3022 /* Duplicate extension */
3023 if (have_ticket != 0) {
3024 retv = -1;
3025 goto end;
3026 }
3027 have_ticket = 1;
3028
3029 if (size == 0) {
3030 /*
3031 * The client will accept a ticket but doesn't currently have
3032 * one.
3033 */
3034 s->tlsext_ticket_expected = 1;
3035 retv = 1;
3036 continue;
3037 }
3038 if (s->tls_session_secret_cb) {
3039 /*
3040 * Indicate that the ticket couldn't be decrypted rather than
3041 * generating the session from ticket now, trigger
3042 * abbreviated handshake based on external mechanism to
3043 * calculate the master secret later.
3044 */
3045 retv = 2;
3046 continue;
3047 }
3048 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
3049 /* Shouldn't ever happen */
3050 retv = -1;
3051 goto end;
3052 }
3053 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
3054 PACKET_remaining(session_id), ret);
3055 switch (r) {
3056 case 2: /* ticket couldn't be decrypted */
3057 s->tlsext_ticket_expected = 1;
3058 retv = 2;
3059 break;
3060 case 3: /* ticket was decrypted */
3061 retv = r;
3062 break;
3063 case 4: /* ticket decrypted but need to renew */
3064 s->tlsext_ticket_expected = 1;
3065 retv = 3;
3066 break;
3067 default: /* fatal error */
3068 retv = -1;
3069 break;
3070 }
3071 continue;
3072 } else {
3073 if (type == TLSEXT_TYPE_extended_master_secret)
3074 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
3075 if (!PACKET_forward(&local_ext, size)) {
3076 retv = -1;
3077 goto end;
3078 }
3079 }
3080 }
3081 if (have_ticket == 0)
3082 retv = 0;
3083 end:
3084 return retv;
3085 }
3086
3087 /*-
3088 * tls_decrypt_ticket attempts to decrypt a session ticket.
3089 *
3090 * etick: points to the body of the session ticket extension.
3091 * eticklen: the length of the session tickets extension.
3092 * sess_id: points at the session ID.
3093 * sesslen: the length of the session ID.
3094 * psess: (output) on return, if a ticket was decrypted, then this is set to
3095 * point to the resulting session.
3096 *
3097 * Returns:
3098 * -2: fatal error, malloc failure.
3099 * -1: fatal error, either from parsing or decrypting the ticket.
3100 * 2: the ticket couldn't be decrypted.
3101 * 3: a ticket was successfully decrypted and *psess was set.
3102 * 4: same as 3, but the ticket needs to be renewed.
3103 */
3104 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3105 int eticklen, const unsigned char *sess_id,
3106 int sesslen, SSL_SESSION **psess)
3107 {
3108 SSL_SESSION *sess;
3109 unsigned char *sdec;
3110 const unsigned char *p;
3111 int slen, mlen, renew_ticket = 0, ret = -1;
3112 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3113 HMAC_CTX *hctx = NULL;
3114 EVP_CIPHER_CTX *ctx;
3115 SSL_CTX *tctx = s->session_ctx;
3116
3117 /* Initialize session ticket encryption and HMAC contexts */
3118 hctx = HMAC_CTX_new();
3119 if (hctx == NULL)
3120 return -2;
3121 ctx = EVP_CIPHER_CTX_new();
3122 if (ctx == NULL) {
3123 ret = -2;
3124 goto err;
3125 }
3126 if (tctx->tlsext_ticket_key_cb) {
3127 unsigned char *nctick = (unsigned char *)etick;
3128 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3129 ctx, hctx, 0);
3130 if (rv < 0)
3131 goto err;
3132 if (rv == 0) {
3133 ret = 2;
3134 goto err;
3135 }
3136 if (rv == 2)
3137 renew_ticket = 1;
3138 } else {
3139 /* Check key name matches */
3140 if (memcmp(etick, tctx->tlsext_tick_key_name,
3141 sizeof(tctx->tlsext_tick_key_name)) != 0) {
3142 ret = 2;
3143 goto err;
3144 }
3145 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
3146 sizeof(tctx->tlsext_tick_hmac_key),
3147 EVP_sha256(), NULL) <= 0
3148 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
3149 tctx->tlsext_tick_aes_key,
3150 etick + sizeof(tctx->tlsext_tick_key_name)) <=
3151 0) {
3152 goto err;
3153 }
3154 }
3155 /*
3156 * Attempt to process session ticket, first conduct sanity and integrity
3157 * checks on ticket.
3158 */
3159 mlen = HMAC_size(hctx);
3160 if (mlen < 0) {
3161 goto err;
3162 }
3163 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
3164 if (eticklen <=
3165 TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
3166 ret = 2;
3167 goto err;
3168 }
3169 eticklen -= mlen;
3170 /* Check HMAC of encrypted ticket */
3171 if (HMAC_Update(hctx, etick, eticklen) <= 0
3172 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
3173 goto err;
3174 }
3175 HMAC_CTX_free(hctx);
3176 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3177 EVP_CIPHER_CTX_free(ctx);
3178 return 2;
3179 }
3180 /* Attempt to decrypt session data */
3181 /* Move p after IV to start of encrypted ticket, update length */
3182 p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
3183 eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
3184 sdec = OPENSSL_malloc(eticklen);
3185 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
3186 EVP_CIPHER_CTX_free(ctx);
3187 OPENSSL_free(sdec);
3188 return -1;
3189 }
3190 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3191 EVP_CIPHER_CTX_free(ctx);
3192 OPENSSL_free(sdec);
3193 return 2;
3194 }
3195 slen += mlen;
3196 EVP_CIPHER_CTX_free(ctx);
3197 ctx = NULL;
3198 p = sdec;
3199
3200 sess = d2i_SSL_SESSION(NULL, &p, slen);
3201 slen -= p - sdec;
3202 OPENSSL_free(sdec);
3203 if (sess) {
3204 /* Some additional consistency checks */
3205 if (slen != 0 || sess->session_id_length != 0) {
3206 SSL_SESSION_free(sess);
3207 return 2;
3208 }
3209 /*
3210 * The session ID, if non-empty, is used by some clients to detect
3211 * that the ticket has been accepted. So we copy it to the session
3212 * structure. If it is empty set length to zero as required by
3213 * standard.
3214 */
3215 if (sesslen)
3216 memcpy(sess->session_id, sess_id, sesslen);
3217 sess->session_id_length = sesslen;
3218 *psess = sess;
3219 if (renew_ticket)
3220 return 4;
3221 else
3222 return 3;
3223 }
3224 ERR_clear_error();
3225 /*
3226 * For session parse failure, indicate that we need to send a new ticket.
3227 */
3228 return 2;
3229 err:
3230 EVP_CIPHER_CTX_free(ctx);
3231 HMAC_CTX_free(hctx);
3232 return ret;
3233 }
3234
3235 /* Tables to translate from NIDs to TLS v1.2 ids */
3236
3237 typedef struct {
3238 int nid;
3239 int id;
3240 } tls12_lookup;
3241
3242 static const tls12_lookup tls12_md[] = {
3243 {NID_md5, TLSEXT_hash_md5},
3244 {NID_sha1, TLSEXT_hash_sha1},
3245 {NID_sha224, TLSEXT_hash_sha224},
3246 {NID_sha256, TLSEXT_hash_sha256},
3247 {NID_sha384, TLSEXT_hash_sha384},
3248 {NID_sha512, TLSEXT_hash_sha512},
3249 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3250 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3251 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
3252 };
3253
3254 static const tls12_lookup tls12_sig[] = {
3255 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3256 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3257 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3258 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3259 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3260 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
3261 };
3262
3263 static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
3264 {
3265 size_t i;
3266 for (i = 0; i < tlen; i++) {
3267 if (table[i].nid == nid)
3268 return table[i].id;
3269 }
3270 return -1;
3271 }
3272
3273 static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
3274 {
3275 size_t i;
3276 for (i = 0; i < tlen; i++) {
3277 if ((table[i].id) == id)
3278 return table[i].nid;
3279 }
3280 return NID_undef;
3281 }
3282
3283 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3284 {
3285 int sig_id, md_id;
3286 if (!md)
3287 return 0;
3288 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
3289 if (md_id == -1)
3290 return 0;
3291 sig_id = tls12_get_sigid(pk);
3292 if (sig_id == -1)
3293 return 0;
3294 p[0] = (unsigned char)md_id;
3295 p[1] = (unsigned char)sig_id;
3296 return 1;
3297 }
3298
3299 int tls12_get_sigid(const EVP_PKEY *pk)
3300 {
3301 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
3302 }
3303
3304 typedef struct {
3305 int nid;
3306 int secbits;
3307 int md_idx;
3308 unsigned char tlsext_hash;
3309 } tls12_hash_info;
3310
3311 static const tls12_hash_info tls12_md_info[] = {
3312 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3313 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3314 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3315 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3316 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3317 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3318 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3319 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX,
3320 TLSEXT_hash_gostr34112012_256},
3321 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
3322 TLSEXT_hash_gostr34112012_512},
3323 };
3324
3325 static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
3326 {
3327 unsigned int i;
3328 if (hash_alg == 0)
3329 return NULL;
3330
3331 for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
3332 if (tls12_md_info[i].tlsext_hash == hash_alg)
3333 return tls12_md_info + i;
3334 }
3335
3336 return NULL;
3337 }
3338
3339 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3340 {
3341 const tls12_hash_info *inf;
3342 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3343 return NULL;
3344 inf = tls12_get_hash_info(hash_alg);
3345 if (!inf)
3346 return NULL;
3347 return ssl_md(inf->md_idx);
3348 }
3349
3350 static int tls12_get_pkey_idx(unsigned char sig_alg)
3351 {
3352 switch (sig_alg) {
3353 #ifndef OPENSSL_NO_RSA
3354 case TLSEXT_signature_rsa:
3355 return SSL_PKEY_RSA_SIGN;
3356 #endif
3357 #ifndef OPENSSL_NO_DSA
3358 case TLSEXT_signature_dsa:
3359 return SSL_PKEY_DSA_SIGN;
3360 #endif
3361 #ifndef OPENSSL_NO_EC
3362 case TLSEXT_signature_ecdsa:
3363 return SSL_PKEY_ECC;
3364 #endif
3365 #ifndef OPENSSL_NO_GOST
3366 case TLSEXT_signature_gostr34102001:
3367 return SSL_PKEY_GOST01;
3368
3369 case TLSEXT_signature_gostr34102012_256:
3370 return SSL_PKEY_GOST12_256;
3371
3372 case TLSEXT_signature_gostr34102012_512:
3373 return SSL_PKEY_GOST12_512;
3374 #endif
3375 }
3376 return -1;
3377 }
3378
3379 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3380 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3381 int *psignhash_nid, const unsigned char *data)
3382 {
3383 int sign_nid = NID_undef, hash_nid = NID_undef;
3384 if (!phash_nid && !psign_nid && !psignhash_nid)
3385 return;
3386 if (phash_nid || psignhash_nid) {
3387 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
3388 if (phash_nid)
3389 *phash_nid = hash_nid;
3390 }
3391 if (psign_nid || psignhash_nid) {
3392 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
3393 if (psign_nid)
3394 *psign_nid = sign_nid;
3395 }
3396 if (psignhash_nid) {
3397 if (sign_nid == NID_undef || hash_nid == NID_undef
3398 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0)
3399 *psignhash_nid = NID_undef;
3400 }
3401 }
3402
3403 /* Check to see if a signature algorithm is allowed */
3404 static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
3405 {
3406 /* See if we have an entry in the hash table and it is enabled */
3407 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
3408 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
3409 return 0;
3410 /* See if public key algorithm allowed */
3411 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3412 return 0;
3413 /* Finally see if security callback allows it */
3414 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3415 }
3416
3417 /*
3418 * Get a mask of disabled public key algorithms based on supported signature
3419 * algorithms. For example if no signature algorithm supports RSA then RSA is
3420 * disabled.
3421 */
3422
3423 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
3424 {
3425 const unsigned char *sigalgs;
3426 size_t i, sigalgslen;
3427 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3428 /*
3429 * Now go through all signature algorithms seeing if we support any for
3430 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3431 * down calls to security callback only check if we have to.
3432 */
3433 sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
3434 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3435 switch (sigalgs[1]) {
3436 #ifndef OPENSSL_NO_RSA
3437 case TLSEXT_signature_rsa:
3438 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3439 have_rsa = 1;
3440 break;
3441 #endif
3442 #ifndef OPENSSL_NO_DSA
3443 case TLSEXT_signature_dsa:
3444 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3445 have_dsa = 1;
3446 break;
3447 #endif
3448 #ifndef OPENSSL_NO_EC
3449 case TLSEXT_signature_ecdsa:
3450 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3451 have_ecdsa = 1;
3452 break;
3453 #endif
3454 }
3455 }
3456 if (!have_rsa)
3457 *pmask_a |= SSL_aRSA;
3458 if (!have_dsa)
3459 *pmask_a |= SSL_aDSS;
3460 if (!have_ecdsa)
3461 *pmask_a |= SSL_aECDSA;
3462 }
3463
3464 size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
3465 const unsigned char *psig, size_t psiglen)
3466 {
3467 unsigned char *tmpout = out;
3468 size_t i;
3469 for (i = 0; i < psiglen; i += 2, psig += 2) {
3470 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3471 *tmpout++ = psig[0];
3472 *tmpout++ = psig[1];
3473 }
3474 }
3475 return tmpout - out;
3476 }
3477
3478 /* Given preference and allowed sigalgs set shared sigalgs */
3479 static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
3480 const unsigned char *pref, size_t preflen,
3481 const unsigned char *allow, size_t allowlen)
3482 {
3483 const unsigned char *ptmp, *atmp;
3484 size_t i, j, nmatch = 0;
3485 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3486 /* Skip disabled hashes or signature algorithms */
3487 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3488 continue;
3489 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3490 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3491 nmatch++;
3492 if (shsig) {
3493 shsig->rhash = ptmp[0];
3494 shsig->rsign = ptmp[1];
3495 tls1_lookup_sigalg(&shsig->hash_nid,
3496 &shsig->sign_nid,
3497 &shsig->signandhash_nid, ptmp);
3498 shsig++;
3499 }
3500 break;
3501 }
3502 }
3503 }
3504 return nmatch;
3505 }
3506
3507 /* Set shared signature algorithms for SSL structures */
3508 static int tls1_set_shared_sigalgs(SSL *s)
3509 {
3510 const unsigned char *pref, *allow, *conf;
3511 size_t preflen, allowlen, conflen;
3512 size_t nmatch;
3513 TLS_SIGALGS *salgs = NULL;
3514 CERT *c = s->cert;
3515 unsigned int is_suiteb = tls1_suiteb(s);
3516
3517 OPENSSL_free(c->shared_sigalgs);
3518 c->shared_sigalgs = NULL;
3519 c->shared_sigalgslen = 0;
3520 /* If client use client signature algorithms if not NULL */
3521 if (!s->server && c->client_sigalgs && !is_suiteb) {
3522 conf = c->client_sigalgs;
3523 conflen = c->client_sigalgslen;
3524 } else if (c->conf_sigalgs && !is_suiteb) {
3525 conf = c->conf_sigalgs;
3526 conflen = c->conf_sigalgslen;
3527 } else
3528 conflen = tls12_get_psigalgs(s, 0, &conf);
3529 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3530 pref = conf;
3531 preflen = conflen;
3532 allow = s->s3->tmp.peer_sigalgs;
3533 allowlen = s->s3->tmp.peer_sigalgslen;
3534 } else {
3535 allow = conf;
3536 allowlen = conflen;
3537 pref = s->s3->tmp.peer_sigalgs;
3538 preflen = s->s3->tmp.peer_sigalgslen;
3539 }
3540 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
3541 if (nmatch) {
3542 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3543 if (salgs == NULL)
3544 return 0;
3545 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3546 } else {
3547 salgs = NULL;
3548 }
3549 c->shared_sigalgs = salgs;
3550 c->shared_sigalgslen = nmatch;
3551 return 1;
3552 }
3553
3554 /* Set preferred digest for each key type */
3555
3556 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
3557 {
3558 CERT *c = s->cert;
3559 /* Extension ignored for inappropriate versions */
3560 if (!SSL_USE_SIGALGS(s))
3561 return 1;
3562 /* Should never happen */
3563 if (!c)
3564 return 0;
3565
3566 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3567 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3568 if (s->s3->tmp.peer_sigalgs == NULL)
3569 return 0;
3570 s->s3->tmp.peer_sigalgslen = dsize;
3571 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
3572 return 1;
3573 }
3574
3575 int tls1_process_sigalgs(SSL *s)
3576 {
3577 int idx;
3578 size_t i;
3579 const EVP_MD *md;
3580 const EVP_MD **pmd = s->s3->tmp.md;
3581 uint32_t *pvalid = s->s3->tmp.valid_flags;
3582 CERT *c = s->cert;
3583 TLS_SIGALGS *sigptr;
3584 if (!tls1_set_shared_sigalgs(s))
3585 return 0;
3586
3587 for (i = 0, sigptr = c->shared_sigalgs;
3588 i < c->shared_sigalgslen; i++, sigptr++) {
3589 idx = tls12_get_pkey_idx(sigptr->rsign);
3590 if (idx > 0 && pmd[idx] == NULL) {
3591 md = tls12_get_hash(sigptr->rhash);
3592 pmd[idx] = md;
3593 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
3594 if (idx == SSL_PKEY_RSA_SIGN) {
3595 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
3596 pmd[SSL_PKEY_RSA_ENC] = md;
3597 }
3598 }
3599
3600 }
3601 /*
3602 * In strict mode leave unset digests as NULL to indicate we can't use
3603 * the certificate for signing.
3604 */
3605 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3606 /*
3607 * Set any remaining keys to default values. NOTE: if alg is not
3608 * supported it stays as NULL.
3609 */
3610 #ifndef OPENSSL_NO_DSA
3611 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3612 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
3613 #endif
3614 #ifndef OPENSSL_NO_RSA
3615 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3616 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3617 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
3618 }
3619 #endif
3620 #ifndef OPENSSL_NO_EC
3621 if (pmd[SSL_PKEY_ECC] == NULL)
3622 pmd[SSL_PKEY_ECC] = EVP_sha1();
3623 #endif
3624 #ifndef OPENSSL_NO_GOST
3625 if (pmd[SSL_PKEY_GOST01] == NULL)
3626 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3627 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3628 pmd[SSL_PKEY_GOST12_256] =
3629 EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3630 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3631 pmd[SSL_PKEY_GOST12_512] =
3632 EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3633 #endif
3634 }
3635 return 1;
3636 }
3637
3638 int SSL_get_sigalgs(SSL *s, int idx,
3639 int *psign, int *phash, int *psignhash,
3640 unsigned char *rsig, unsigned char *rhash)
3641 {
3642 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
3643 if (psig == NULL)
3644 return 0;
3645 if (idx >= 0) {
3646 idx <<= 1;
3647 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
3648 return 0;
3649 psig += idx;
3650 if (rhash)
3651 *rhash = psig[0];
3652 if (rsig)
3653 *rsig = psig[1];
3654 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3655 }
3656 return s->s3->tmp.peer_sigalgslen / 2;
3657 }
3658
3659 int SSL_get_shared_sigalgs(SSL *s, int idx,
3660 int *psign, int *phash, int *psignhash,
3661 unsigned char *rsig, unsigned char *rhash)
3662 {
3663 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3664 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3665 return 0;
3666 shsigalgs += idx;
3667 if (phash)
3668 *phash = shsigalgs->hash_nid;
3669 if (psign)
3670 *psign = shsigalgs->sign_nid;
3671 if (psignhash)
3672 *psignhash = shsigalgs->signandhash_nid;
3673 if (rsig)
3674 *rsig = shsigalgs->rsign;
3675 if (rhash)
3676 *rhash = shsigalgs->rhash;
3677 return s->cert->shared_sigalgslen;
3678 }
3679
3680 #define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3681
3682 typedef struct {
3683 size_t sigalgcnt;
3684 int sigalgs[MAX_SIGALGLEN];
3685 } sig_cb_st;
3686
3687 static void get_sigorhash(int *psig, int *phash, const char *str)
3688 {
3689 if (strcmp(str, "RSA") == 0) {
3690 *psig = EVP_PKEY_RSA;
3691 } else if (strcmp(str, "DSA") == 0) {
3692 *psig = EVP_PKEY_DSA;
3693 } else if (strcmp(str, "ECDSA") == 0) {
3694 *psig = EVP_PKEY_EC;
3695 } else {
3696 *phash = OBJ_sn2nid(str);
3697 if (*phash == NID_undef)
3698 *phash = OBJ_ln2nid(str);
3699 }
3700 }
3701
3702 static int sig_cb(const char *elem, int len, void *arg)
3703 {
3704 sig_cb_st *sarg = arg;
3705 size_t i;
3706 char etmp[20], *p;
3707 int sig_alg = NID_undef, hash_alg = NID_undef;
3708 if (elem == NULL)
3709 return 0;
3710 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3711 return 0;
3712 if (len > (int)(sizeof(etmp) - 1))
3713 return 0;
3714 memcpy(etmp, elem, len);
3715 etmp[len] = 0;
3716 p = strchr(etmp, '+');
3717 if (!p)
3718 return 0;
3719 *p = 0;
3720 p++;
3721 if (!*p)
3722 return 0;
3723
3724 get_sigorhash(&sig_alg, &hash_alg, etmp);
3725 get_sigorhash(&sig_alg, &hash_alg, p);
3726
3727 if (sig_alg == NID_undef || hash_alg == NID_undef)
3728 return 0;
3729
3730 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3731 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3732 return 0;
3733 }
3734 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3735 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3736 return 1;
3737 }
3738
3739 /*
3740 * Set supported signature algorithms based on a colon separated list of the
3741 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3742 */
3743 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
3744 {
3745 sig_cb_st sig;
3746 sig.sigalgcnt = 0;
3747 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3748 return 0;
3749 if (c == NULL)
3750 return 1;
3751 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3752 }
3753
3754 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
3755 {
3756 unsigned char *sigalgs, *sptr;
3757 int rhash, rsign;
3758 size_t i;
3759 if (salglen & 1)
3760 return 0;
3761 sigalgs = OPENSSL_malloc(salglen);
3762 if (sigalgs == NULL)
3763 return 0;
3764 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
3765 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3766 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
3767
3768 if (rhash == -1 || rsign == -1)
3769 goto err;
3770 *sptr++ = rhash;
3771 *sptr++ = rsign;
3772 }
3773
3774 if (client) {
3775 OPENSSL_free(c->client_sigalgs);
3776 c->client_sigalgs = sigalgs;
3777 c->client_sigalgslen = salglen;
3778 } else {
3779 OPENSSL_free(c->conf_sigalgs);
3780 c->conf_sigalgs = sigalgs;
3781 c->conf_sigalgslen = salglen;
3782 }
3783
3784 return 1;
3785
3786 err:
3787 OPENSSL_free(sigalgs);
3788 return 0;
3789 }
3790
3791 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3792 {
3793 int sig_nid;
3794 size_t i;
3795 if (default_nid == -1)
3796 return 1;
3797 sig_nid = X509_get_signature_nid(x);
3798 if (default_nid)
3799 return sig_nid == default_nid ? 1 : 0;
3800 for (i = 0; i < c->shared_sigalgslen; i++)
3801 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3802 return 1;
3803 return 0;
3804 }
3805
3806 /* Check to see if a certificate issuer name matches list of CA names */
3807 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
3808 {
3809 X509_NAME *nm;
3810 int i;
3811 nm = X509_get_issuer_name(x);
3812 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3813 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3814 return 1;
3815 }
3816 return 0;
3817 }
3818
3819 /*
3820 * Check certificate chain is consistent with TLS extensions and is usable by
3821 * server. This servers two purposes: it allows users to check chains before
3822 * passing them to the server and it allows the server to check chains before
3823 * attempting to use them.
3824 */
3825
3826 /* Flags which need to be set for a certificate when strict mode not set */
3827
3828 #define CERT_PKEY_VALID_FLAGS \
3829 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
3830 /* Strict mode flags */
3831 #define CERT_PKEY_STRICT_FLAGS \
3832 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3833 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
3834
3835 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3836 int idx)
3837 {
3838 int i;
3839 int rv = 0;
3840 int check_flags = 0, strict_mode;
3841 CERT_PKEY *cpk = NULL;
3842 CERT *c = s->cert;
3843 uint32_t *pvalid;
3844 unsigned int suiteb_flags = tls1_suiteb(s);
3845 /* idx == -1 means checking server chains */
3846 if (idx != -1) {
3847 /* idx == -2 means checking client certificate chains */
3848 if (idx == -2) {
3849 cpk = c->key;
3850 idx = cpk - c->pkeys;
3851 } else
3852 cpk = c->pkeys + idx;
3853 pvalid = s->s3->tmp.valid_flags + idx;
3854 x = cpk->x509;
3855 pk = cpk->privatekey;
3856 chain = cpk->chain;
3857 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3858 /* If no cert or key, forget it */
3859 if (!x || !pk)
3860 goto end;
3861 } else {
3862 if (!x || !pk)
3863 return 0;
3864 idx = ssl_cert_type(x, pk);
3865 if (idx == -1)
3866 return 0;
3867 pvalid = s->s3->tmp.valid_flags + idx;
3868
3869 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3870 check_flags = CERT_PKEY_STRICT_FLAGS;
3871 else
3872 check_flags = CERT_PKEY_VALID_FLAGS;
3873 strict_mode = 1;
3874 }
3875
3876 if (suiteb_flags) {
3877 int ok;
3878 if (check_flags)
3879 check_flags |= CERT_PKEY_SUITEB;
3880 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3881 if (ok == X509_V_OK)
3882 rv |= CERT_PKEY_SUITEB;
3883 else if (!check_flags)
3884 goto end;
3885 }
3886
3887 /*
3888 * Check all signature algorithms are consistent with signature
3889 * algorithms extension if TLS 1.2 or later and strict mode.
3890 */
3891 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3892 int default_nid;
3893 unsigned char rsign = 0;
3894 if (s->s3->tmp.peer_sigalgs)
3895 default_nid = 0;
3896 /* If no sigalgs extension use defaults from RFC5246 */
3897 else {
3898 switch (idx) {
3899 case SSL_PKEY_RSA_ENC:
3900 case SSL_PKEY_RSA_SIGN:
3901 rsign = TLSEXT_signature_rsa;
3902 default_nid = NID_sha1WithRSAEncryption;
3903 break;
3904
3905 case SSL_PKEY_DSA_SIGN:
3906 rsign = TLSEXT_signature_dsa;
3907 default_nid = NID_dsaWithSHA1;
3908 break;
3909
3910 case SSL_PKEY_ECC:
3911 rsign = TLSEXT_signature_ecdsa;
3912 default_nid = NID_ecdsa_with_SHA1;
3913 break;
3914
3915 case SSL_PKEY_GOST01:
3916 rsign = TLSEXT_signature_gostr34102001;
3917 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3918 break;
3919
3920 case SSL_PKEY_GOST12_256:
3921 rsign = TLSEXT_signature_gostr34102012_256;
3922 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3923 break;
3924
3925 case SSL_PKEY_GOST12_512:
3926 rsign = TLSEXT_signature_gostr34102012_512;
3927 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3928 break;
3929
3930 default:
3931 default_nid = -1;
3932 break;
3933 }
3934 }
3935 /*
3936 * If peer sent no signature algorithms extension and we have set
3937 * preferred signature algorithms check we support sha1.
3938 */
3939 if (default_nid > 0 && c->conf_sigalgs) {
3940 size_t j;
3941 const unsigned char *p = c->conf_sigalgs;
3942 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3943 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3944 break;
3945 }
3946 if (j == c->conf_sigalgslen) {
3947 if (check_flags)
3948 goto skip_sigs;
3949 else
3950 goto end;
3951 }
3952 }
3953 /* Check signature algorithm of each cert in chain */
3954 if (!tls1_check_sig_alg(c, x, default_nid)) {
3955 if (!check_flags)
3956 goto end;
3957 } else
3958 rv |= CERT_PKEY_EE_SIGNATURE;
3959 rv |= CERT_PKEY_CA_SIGNATURE;
3960 for (i = 0; i < sk_X509_num(chain); i++) {
3961 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3962 if (check_flags) {
3963 rv &= ~CERT_PKEY_CA_SIGNATURE;
3964 break;
3965 } else
3966 goto end;
3967 }
3968 }
3969 }
3970 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3971 else if (check_flags)
3972 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3973 skip_sigs:
3974 /* Check cert parameters are consistent */
3975 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3976 rv |= CERT_PKEY_EE_PARAM;
3977 else if (!check_flags)
3978 goto end;
3979 if (!s->server)
3980 rv |= CERT_PKEY_CA_PARAM;
3981 /* In strict mode check rest of chain too */
3982 else if (strict_mode) {
3983 rv |= CERT_PKEY_CA_PARAM;
3984 for (i = 0; i < sk_X509_num(chain); i++) {
3985 X509 *ca = sk_X509_value(chain, i);
3986 if (!tls1_check_cert_param(s, ca, 0)) {
3987 if (check_flags) {
3988 rv &= ~CERT_PKEY_CA_PARAM;
3989 break;
3990 } else
3991 goto end;
3992 }
3993 }
3994 }
3995 if (!s->server && strict_mode) {
3996 STACK_OF(X509_NAME) *ca_dn;
3997 int check_type = 0;
3998 switch (EVP_PKEY_id(pk)) {
3999 case EVP_PKEY_RSA:
4000 check_type = TLS_CT_RSA_SIGN;
4001 break;
4002 case EVP_PKEY_DSA:
4003 check_type = TLS_CT_DSS_SIGN;
4004 break;
4005 case EVP_PKEY_EC:
4006 check_type = TLS_CT_ECDSA_SIGN;
4007 break;
4008 }
4009 if (check_type) {
4010 const unsigned char *ctypes;
4011 int ctypelen;
4012 if (c->ctypes) {
4013 ctypes = c->ctypes;
4014 ctypelen = (int)c->ctype_num;
4015 } else {
4016 ctypes = (unsigned char *)s->s3->tmp.ctype;
4017 ctypelen = s->s3->tmp.ctype_num;
4018 }
4019 for (i = 0; i < ctypelen; i++) {
4020 if (ctypes[i] == check_type) {
4021 rv |= CERT_PKEY_CERT_TYPE;
4022 break;
4023 }
4024 }
4025 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4026 goto end;
4027 } else
4028 rv |= CERT_PKEY_CERT_TYPE;
4029
4030 ca_dn = s->s3->tmp.ca_names;
4031
4032 if (!sk_X509_NAME_num(ca_dn))
4033 rv |= CERT_PKEY_ISSUER_NAME;
4034
4035 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4036 if (ssl_check_ca_name(ca_dn, x))
4037 rv |= CERT_PKEY_ISSUER_NAME;
4038 }
4039 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4040 for (i = 0; i < sk_X509_num(chain); i++) {
4041 X509 *xtmp = sk_X509_value(chain, i);
4042 if (ssl_check_ca_name(ca_dn, xtmp)) {
4043 rv |= CERT_PKEY_ISSUER_NAME;
4044 break;
4045 }
4046 }
4047 }
4048 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4049 goto end;
4050 } else
4051 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4052
4053 if (!check_flags || (rv & check_flags) == check_flags)
4054 rv |= CERT_PKEY_VALID;
4055
4056 end:
4057
4058 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
4059 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
4060 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
4061 else if (s->s3->tmp.md[idx] != NULL)
4062 rv |= CERT_PKEY_SIGN;
4063 } else
4064 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4065
4066 /*
4067 * When checking a CERT_PKEY structure all flags are irrelevant if the
4068 * chain is invalid.
4069 */
4070 if (!check_flags) {
4071 if (rv & CERT_PKEY_VALID)
4072 *pvalid = rv;
4073 else {
4074 /* Preserve explicit sign flag, clear rest */
4075 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
4076 return 0;
4077 }
4078 }
4079 return rv;
4080 }
4081
4082 /* Set validity of certificates in an SSL structure */
4083 void tls1_set_cert_validity(SSL *s)
4084 {
4085 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4086 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4087 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4088 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4089 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
4090 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
4091 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
4092 }
4093
4094 /* User level utility function to check a chain is suitable */
4095 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4096 {
4097 return tls1_check_chain(s, x, pk, chain, -1);
4098 }
4099
4100 #ifndef OPENSSL_NO_DH
4101 DH *ssl_get_auto_dh(SSL *s)
4102 {
4103 int dh_secbits = 80;
4104 if (s->cert->dh_tmp_auto == 2)
4105 return DH_get_1024_160();
4106 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
4107 if (s->s3->tmp.new_cipher->strength_bits == 256)
4108 dh_secbits = 128;
4109 else
4110 dh_secbits = 80;
4111 } else {
4112 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4113 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4114 }
4115
4116 if (dh_secbits >= 128) {
4117 DH *dhp = DH_new();
4118 BIGNUM *p, *g;
4119 if (dhp == NULL)
4120 return NULL;
4121 g = BN_new();
4122 if (g != NULL)
4123 BN_set_word(g, 2);
4124 if (dh_secbits >= 192)
4125 p = BN_get_rfc3526_prime_8192(NULL);
4126 else
4127 p = BN_get_rfc3526_prime_3072(NULL);
4128 if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
4129 DH_free(dhp);
4130 BN_free(p);
4131 BN_free(g);
4132 return NULL;
4133 }
4134 return dhp;
4135 }
4136 if (dh_secbits >= 112)
4137 return DH_get_2048_224();
4138 return DH_get_1024_160();
4139 }
4140 #endif
4141
4142 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4143 {
4144 int secbits = -1;
4145 EVP_PKEY *pkey = X509_get0_pubkey(x);
4146 if (pkey) {
4147 /*
4148 * If no parameters this will return -1 and fail using the default
4149 * security callback for any non-zero security level. This will
4150 * reject keys which omit parameters but this only affects DSA and
4151 * omission of parameters is never (?) done in practice.
4152 */
4153 secbits = EVP_PKEY_security_bits(pkey);
4154 }
4155 if (s)
4156 return ssl_security(s, op, secbits, 0, x);
4157 else
4158 return ssl_ctx_security(ctx, op, secbits, 0, x);
4159 }
4160
4161 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4162 {
4163 /* Lookup signature algorithm digest */
4164 int secbits = -1, md_nid = NID_undef, sig_nid;
4165 /* Don't check signature if self signed */
4166 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
4167 return 1;
4168 sig_nid = X509_get_signature_nid(x);
4169 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4170 const EVP_MD *md;
4171 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4172 secbits = EVP_MD_size(md) * 4;
4173 }
4174 if (s)
4175 return ssl_security(s, op, secbits, md_nid, x);
4176 else
4177 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4178 }
4179
4180 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
4181 {
4182 if (vfy)
4183 vfy = SSL_SECOP_PEER;
4184 if (is_ee) {
4185 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4186 return SSL_R_EE_KEY_TOO_SMALL;
4187 } else {
4188 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4189 return SSL_R_CA_KEY_TOO_SMALL;
4190 }
4191 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4192 return SSL_R_CA_MD_TOO_WEAK;
4193 return 1;
4194 }
4195
4196 /*
4197 * Check security of a chain, if |sk| includes the end entity certificate then
4198 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
4199 * one to the peer. Return values: 1 if ok otherwise error code to use
4200 */
4201
4202 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
4203 {
4204 int rv, start_idx, i;
4205 if (x == NULL) {
4206 x = sk_X509_value(sk, 0);
4207 start_idx = 1;
4208 } else
4209 start_idx = 0;
4210
4211 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4212 if (rv != 1)
4213 return rv;
4214
4215 for (i = start_idx; i < sk_X509_num(sk); i++) {
4216 x = sk_X509_value(sk, i);
4217 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4218 if (rv != 1)
4219 return rv;
4220 }
4221 return 1;
4222 }
A mirror of the official openssl repository