VirtualBox

source: vbox/trunk/src/libs/openssl-1.1.0g/ssl/t1_lib.c@ 69881

Last change on this file since 69881 was 69881, checked in by vboxsync, 7 years ago

Update OpenSSL to 1.1.0g.
bugref:8070: src/libs maintenance
  • Property svn:eol-style set to native
File size: 134.5 KB
Line 
1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdio.h>
11#include "e_os.h"
12#include <stdlib.h>
13#include <openssl/objects.h>
14#include <openssl/evp.h>
15#include <openssl/hmac.h>
16#include <openssl/ocsp.h>
17#include <openssl/conf.h>
18#include <openssl/x509v3.h>
19#include <openssl/dh.h>
20#include <openssl/bn.h>
21#include "ssl_locl.h"
22#include <openssl/ct.h>
23
24
25#define CHECKLEN(curr, val, limit) \
26 (((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val))
27
28static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
29 const unsigned char *sess_id, int sesslen,
30 SSL_SESSION **psess);
31static int ssl_check_clienthello_tlsext_early(SSL *s);
32static int ssl_check_serverhello_tlsext(SSL *s);
33
34SSL3_ENC_METHOD const TLSv1_enc_data = {
35 tls1_enc,
36 tls1_mac,
37 tls1_setup_key_block,
38 tls1_generate_master_secret,
39 tls1_change_cipher_state,
40 tls1_final_finish_mac,
41 TLS1_FINISH_MAC_LENGTH,
42 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
43 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
44 tls1_alert_code,
45 tls1_export_keying_material,
46 0,
47 SSL3_HM_HEADER_LENGTH,
48 ssl3_set_handshake_header,
49 ssl3_handshake_write
50};
51
52SSL3_ENC_METHOD const TLSv1_1_enc_data = {
53 tls1_enc,
54 tls1_mac,
55 tls1_setup_key_block,
56 tls1_generate_master_secret,
57 tls1_change_cipher_state,
58 tls1_final_finish_mac,
59 TLS1_FINISH_MAC_LENGTH,
60 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
61 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
62 tls1_alert_code,
63 tls1_export_keying_material,
64 SSL_ENC_FLAG_EXPLICIT_IV,
65 SSL3_HM_HEADER_LENGTH,
66 ssl3_set_handshake_header,
67 ssl3_handshake_write
68};
69
70SSL3_ENC_METHOD const TLSv1_2_enc_data = {
71 tls1_enc,
72 tls1_mac,
73 tls1_setup_key_block,
74 tls1_generate_master_secret,
75 tls1_change_cipher_state,
76 tls1_final_finish_mac,
77 TLS1_FINISH_MAC_LENGTH,
78 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
79 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
80 tls1_alert_code,
81 tls1_export_keying_material,
82 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
83 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
84 SSL3_HM_HEADER_LENGTH,
85 ssl3_set_handshake_header,
86 ssl3_handshake_write
87};
88
89long tls1_default_timeout(void)
90{
91 /*
92 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
93 * http, the cache would over fill
94 */
95 return (60 * 60 * 2);
96}
97
98int tls1_new(SSL *s)
99{
100 if (!ssl3_new(s))
101 return (0);
102 s->method->ssl_clear(s);
103 return (1);
104}
105
106void tls1_free(SSL *s)
107{
108 OPENSSL_free(s->tlsext_session_ticket);
109 ssl3_free(s);
110}
111
112void tls1_clear(SSL *s)
113{
114 ssl3_clear(s);
115 if (s->method->version == TLS_ANY_VERSION)
116 s->version = TLS_MAX_VERSION;
117 else
118 s->version = s->method->version;
119}
120
121#ifndef OPENSSL_NO_EC
122
123typedef struct {
124 int nid; /* Curve NID */
125 int secbits; /* Bits of security (from SP800-57) */
126 unsigned int flags; /* Flags: currently just field type */
127} tls_curve_info;
128
129/*
130 * Table of curve information.
131 * Do not delete entries or reorder this array! It is used as a lookup
132 * table: the index of each entry is one less than the TLS curve id.
133 */
134static const tls_curve_info nid_list[] = {
135 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
136 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
137 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
138 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
139 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
140 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
141 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
142 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
143 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
144 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
145 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
146 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
147 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
148 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
149 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
150 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
151 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
152 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
153 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
154 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
155 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
156 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
157 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
158 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
159 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
160 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
161 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
162 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
163 {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
164};
165
166static const unsigned char ecformats_default[] = {
167 TLSEXT_ECPOINTFORMAT_uncompressed,
168 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
169 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
170};
171
172/* The default curves */
173static const unsigned char eccurves_default[] = {
174 0, 29, /* X25519 (29) */
175 0, 23, /* secp256r1 (23) */
176 0, 25, /* secp521r1 (25) */
177 0, 24, /* secp384r1 (24) */
178};
179
180static const unsigned char suiteb_curves[] = {
181 0, TLSEXT_curve_P_256,
182 0, TLSEXT_curve_P_384
183};
184
185int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags)
186{
187 const tls_curve_info *cinfo;
188 /* ECC curves from RFC 4492 and RFC 7027 */
189 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
190 return 0;
191 cinfo = nid_list + curve_id - 1;
192 if (pflags)
193 *pflags = cinfo->flags;
194 return cinfo->nid;
195}
196
197int tls1_ec_nid2curve_id(int nid)
198{
199 size_t i;
200 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
201 if (nid_list[i].nid == nid)
202 return i + 1;
203 }
204 return 0;
205}
206
207/*
208 * Get curves list, if "sess" is set return client curves otherwise
209 * preferred list.
210 * Sets |num_curves| to the number of curves in the list, i.e.,
211 * the length of |pcurves| is 2 * num_curves.
212 * Returns 1 on success and 0 if the client curves list has invalid format.
213 * The latter indicates an internal error: we should not be accepting such
214 * lists in the first place.
215 * TODO(emilia): we should really be storing the curves list in explicitly
216 * parsed form instead. (However, this would affect binary compatibility
217 * so cannot happen in the 1.0.x series.)
218 */
219static int tls1_get_curvelist(SSL *s, int sess,
220 const unsigned char **pcurves, size_t *num_curves)
221{
222 size_t pcurveslen = 0;
223
224 if (sess) {
225 *pcurves = s->session->tlsext_ellipticcurvelist;
226 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
227 } else {
228 /* For Suite B mode only include P-256, P-384 */
229 switch (tls1_suiteb(s)) {
230 case SSL_CERT_FLAG_SUITEB_128_LOS:
231 *pcurves = suiteb_curves;
232 pcurveslen = sizeof(suiteb_curves);
233 break;
234
235 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
236 *pcurves = suiteb_curves;
237 pcurveslen = 2;
238 break;
239
240 case SSL_CERT_FLAG_SUITEB_192_LOS:
241 *pcurves = suiteb_curves + 2;
242 pcurveslen = 2;
243 break;
244 default:
245 *pcurves = s->tlsext_ellipticcurvelist;
246 pcurveslen = s->tlsext_ellipticcurvelist_length;
247 }
248 if (!*pcurves) {
249 *pcurves = eccurves_default;
250 pcurveslen = sizeof(eccurves_default);
251 }
252 }
253
254 /* We do not allow odd length arrays to enter the system. */
255 if (pcurveslen & 1) {
256 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
257 *num_curves = 0;
258 return 0;
259 }
260 *num_curves = pcurveslen / 2;
261 return 1;
262}
263
264/* See if curve is allowed by security callback */
265static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
266{
267 const tls_curve_info *cinfo;
268 if (curve[0])
269 return 1;
270 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
271 return 0;
272 cinfo = &nid_list[curve[1] - 1];
273# ifdef OPENSSL_NO_EC2M
274 if (cinfo->flags & TLS_CURVE_CHAR2)
275 return 0;
276# endif
277 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
278}
279
280/* Check a curve is one of our preferences */
281int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
282{
283 const unsigned char *curves;
284 size_t num_curves, i;
285 unsigned int suiteb_flags = tls1_suiteb(s);
286 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
287 return 0;
288 /* Check curve matches Suite B preferences */
289 if (suiteb_flags) {
290 unsigned long cid = s->s3->tmp.new_cipher->id;
291 if (p[1])
292 return 0;
293 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
294 if (p[2] != TLSEXT_curve_P_256)
295 return 0;
296 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
297 if (p[2] != TLSEXT_curve_P_384)
298 return 0;
299 } else /* Should never happen */
300 return 0;
301 }
302 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
303 return 0;
304 for (i = 0; i < num_curves; i++, curves += 2) {
305 if (p[1] == curves[0] && p[2] == curves[1])
306 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
307 }
308 return 0;
309}
310
311/*-
312 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
313 * if there is no match.
314 * For nmatch == -1, return number of matches
315 * For nmatch == -2, return the NID of the curve to use for
316 * an EC tmp key, or NID_undef if there is no match.
317 */
318int tls1_shared_curve(SSL *s, int nmatch)
319{
320 const unsigned char *pref, *supp;
321 size_t num_pref, num_supp, i, j;
322 int k;
323
324 /* Can't do anything on client side */
325 if (s->server == 0)
326 return -1;
327 if (nmatch == -2) {
328 if (tls1_suiteb(s)) {
329 /*
330 * For Suite B ciphersuite determines curve: we already know
331 * these are acceptable due to previous checks.
332 */
333 unsigned long cid = s->s3->tmp.new_cipher->id;
334
335 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
336 return NID_X9_62_prime256v1; /* P-256 */
337 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
338 return NID_secp384r1; /* P-384 */
339 /* Should never happen */
340 return NID_undef;
341 }
342 /* If not Suite B just return first preference shared curve */
343 nmatch = 0;
344 }
345 /*
346 * Avoid truncation. tls1_get_curvelist takes an int
347 * but s->options is a long...
348 */
349 if (!tls1_get_curvelist(s,
350 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0,
351 &supp, &num_supp))
352 /* In practice, NID_undef == 0 but let's be precise. */
353 return nmatch == -1 ? 0 : NID_undef;
354 if (!tls1_get_curvelist(s,
355 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0,
356 &pref, &num_pref))
357 return nmatch == -1 ? 0 : NID_undef;
358
359 for (k = 0, i = 0; i < num_pref; i++, pref += 2) {
360 const unsigned char *tsupp = supp;
361
362 for (j = 0; j < num_supp; j++, tsupp += 2) {
363 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
364 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
365 continue;
366 if (nmatch == k) {
367 int id = (pref[0] << 8) | pref[1];
368
369 return tls1_ec_curve_id2nid(id, NULL);
370 }
371 k++;
372 }
373 }
374 }
375 if (nmatch == -1)
376 return k;
377 /* Out of range (nmatch > k). */
378 return NID_undef;
379}
380
381int tls1_set_curves(unsigned char **pext, size_t *pextlen,
382 int *curves, size_t ncurves)
383{
384 unsigned char *clist, *p;
385 size_t i;
386 /*
387 * Bitmap of curves included to detect duplicates: only works while curve
388 * ids < 32
389 */
390 unsigned long dup_list = 0;
391 clist = OPENSSL_malloc(ncurves * 2);
392 if (clist == NULL)
393 return 0;
394 for (i = 0, p = clist; i < ncurves; i++) {
395 unsigned long idmask;
396 int id;
397 id = tls1_ec_nid2curve_id(curves[i]);
398 idmask = 1L << id;
399 if (!id || (dup_list & idmask)) {
400 OPENSSL_free(clist);
401 return 0;
402 }
403 dup_list |= idmask;
404 s2n(id, p);
405 }
406 OPENSSL_free(*pext);
407 *pext = clist;
408 *pextlen = ncurves * 2;
409 return 1;
410}
411
412# define MAX_CURVELIST 28
413
414typedef struct {
415 size_t nidcnt;
416 int nid_arr[MAX_CURVELIST];
417} nid_cb_st;
418
419static int nid_cb(const char *elem, int len, void *arg)
420{
421 nid_cb_st *narg = arg;
422 size_t i;
423 int nid;
424 char etmp[20];
425 if (elem == NULL)
426 return 0;
427 if (narg->nidcnt == MAX_CURVELIST)
428 return 0;
429 if (len > (int)(sizeof(etmp) - 1))
430 return 0;
431 memcpy(etmp, elem, len);
432 etmp[len] = 0;
433 nid = EC_curve_nist2nid(etmp);
434 if (nid == NID_undef)
435 nid = OBJ_sn2nid(etmp);
436 if (nid == NID_undef)
437 nid = OBJ_ln2nid(etmp);
438 if (nid == NID_undef)
439 return 0;
440 for (i = 0; i < narg->nidcnt; i++)
441 if (narg->nid_arr[i] == nid)
442 return 0;
443 narg->nid_arr[narg->nidcnt++] = nid;
444 return 1;
445}
446
447/* Set curves based on a colon separate list */
448int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str)
449{
450 nid_cb_st ncb;
451 ncb.nidcnt = 0;
452 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
453 return 0;
454 if (pext == NULL)
455 return 1;
456 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
457}
458
459/* For an EC key set TLS id and required compression based on parameters */
460static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
461 EC_KEY *ec)
462{
463 int id;
464 const EC_GROUP *grp;
465 if (!ec)
466 return 0;
467 /* Determine if it is a prime field */
468 grp = EC_KEY_get0_group(ec);
469 if (!grp)
470 return 0;
471 /* Determine curve ID */
472 id = EC_GROUP_get_curve_name(grp);
473 id = tls1_ec_nid2curve_id(id);
474 /* If no id return error: we don't support arbitrary explicit curves */
475 if (id == 0)
476 return 0;
477 curve_id[0] = 0;
478 curve_id[1] = (unsigned char)id;
479 if (comp_id) {
480 if (EC_KEY_get0_public_key(ec) == NULL)
481 return 0;
482 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
483 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
484 } else {
485 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
486 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
487 else
488 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
489 }
490 }
491 return 1;
492}
493
494/* Check an EC key is compatible with extensions */
495static int tls1_check_ec_key(SSL *s,
496 unsigned char *curve_id, unsigned char *comp_id)
497{
498 const unsigned char *pformats, *pcurves;
499 size_t num_formats, num_curves, i;
500 int j;
501 /*
502 * If point formats extension present check it, otherwise everything is
503 * supported (see RFC4492).
504 */
505 if (comp_id && s->session->tlsext_ecpointformatlist) {
506 pformats = s->session->tlsext_ecpointformatlist;
507 num_formats = s->session->tlsext_ecpointformatlist_length;
508 for (i = 0; i < num_formats; i++, pformats++) {
509 if (*comp_id == *pformats)
510 break;
511 }
512 if (i == num_formats)
513 return 0;
514 }
515 if (!curve_id)
516 return 1;
517 /* Check curve is consistent with client and server preferences */
518 for (j = 0; j <= 1; j++) {
519 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
520 return 0;
521 if (j == 1 && num_curves == 0) {
522 /*
523 * If we've not received any curves then skip this check.
524 * RFC 4492 does not require the supported elliptic curves extension
525 * so if it is not sent we can just choose any curve.
526 * It is invalid to send an empty list in the elliptic curves
527 * extension, so num_curves == 0 always means no extension.
528 */
529 break;
530 }
531 for (i = 0; i < num_curves; i++, pcurves += 2) {
532 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
533 break;
534 }
535 if (i == num_curves)
536 return 0;
537 /* For clients can only check sent curve list */
538 if (!s->server)
539 break;
540 }
541 return 1;
542}
543
544static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
545 size_t *num_formats)
546{
547 /*
548 * If we have a custom point format list use it otherwise use default
549 */
550 if (s->tlsext_ecpointformatlist) {
551 *pformats = s->tlsext_ecpointformatlist;
552 *num_formats = s->tlsext_ecpointformatlist_length;
553 } else {
554 *pformats = ecformats_default;
555 /* For Suite B we don't support char2 fields */
556 if (tls1_suiteb(s))
557 *num_formats = sizeof(ecformats_default) - 1;
558 else
559 *num_formats = sizeof(ecformats_default);
560 }
561}
562
563/*
564 * Check cert parameters compatible with extensions: currently just checks EC
565 * certificates have compatible curves and compression.
566 */
567static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
568{
569 unsigned char comp_id, curve_id[2];
570 EVP_PKEY *pkey;
571 int rv;
572 pkey = X509_get0_pubkey(x);
573 if (!pkey)
574 return 0;
575 /* If not EC nothing to do */
576 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
577 return 1;
578 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
579 if (!rv)
580 return 0;
581 /*
582 * Can't check curve_id for client certs as we don't have a supported
583 * curves extension.
584 */
585 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
586 if (!rv)
587 return 0;
588 /*
589 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
590 * SHA384+P-384, adjust digest if necessary.
591 */
592 if (set_ee_md && tls1_suiteb(s)) {
593 int check_md;
594 size_t i;
595 CERT *c = s->cert;
596 if (curve_id[0])
597 return 0;
598 /* Check to see we have necessary signing algorithm */
599 if (curve_id[1] == TLSEXT_curve_P_256)
600 check_md = NID_ecdsa_with_SHA256;
601 else if (curve_id[1] == TLSEXT_curve_P_384)
602 check_md = NID_ecdsa_with_SHA384;
603 else
604 return 0; /* Should never happen */
605 for (i = 0; i < c->shared_sigalgslen; i++)
606 if (check_md == c->shared_sigalgs[i].signandhash_nid)
607 break;
608 if (i == c->shared_sigalgslen)
609 return 0;
610 if (set_ee_md == 2) {
611 if (check_md == NID_ecdsa_with_SHA256)
612 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
613 else
614 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
615 }
616 }
617 return rv;
618}
619
620# ifndef OPENSSL_NO_EC
621/*
622 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
623 * @s: SSL connection
624 * @cid: Cipher ID we're considering using
625 *
626 * Checks that the kECDHE cipher suite we're considering using
627 * is compatible with the client extensions.
628 *
629 * Returns 0 when the cipher can't be used or 1 when it can.
630 */
631int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
632{
633 /*
634 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
635 * curves permitted.
636 */
637 if (tls1_suiteb(s)) {
638 unsigned char curve_id[2];
639 /* Curve to check determined by ciphersuite */
640 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
641 curve_id[1] = TLSEXT_curve_P_256;
642 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
643 curve_id[1] = TLSEXT_curve_P_384;
644 else
645 return 0;
646 curve_id[0] = 0;
647 /* Check this curve is acceptable */
648 if (!tls1_check_ec_key(s, curve_id, NULL))
649 return 0;
650 return 1;
651 }
652 /* Need a shared curve */
653 if (tls1_shared_curve(s, 0))
654 return 1;
655 return 0;
656}
657# endif /* OPENSSL_NO_EC */
658
659#else
660
661static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
662{
663 return 1;
664}
665
666#endif /* OPENSSL_NO_EC */
667
668/*
669 * List of supported signature algorithms and hashes. Should make this
670 * customisable at some point, for now include everything we support.
671 */
672
673#ifdef OPENSSL_NO_RSA
674# define tlsext_sigalg_rsa(md) /* */
675#else
676# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
677#endif
678
679#ifdef OPENSSL_NO_DSA
680# define tlsext_sigalg_dsa(md) /* */
681#else
682# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
683#endif
684
685#ifdef OPENSSL_NO_EC
686# define tlsext_sigalg_ecdsa(md)/* */
687#else
688# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
689#endif
690
691#define tlsext_sigalg(md) \
692 tlsext_sigalg_rsa(md) \
693 tlsext_sigalg_dsa(md) \
694 tlsext_sigalg_ecdsa(md)
695
696static const unsigned char tls12_sigalgs[] = {
697 tlsext_sigalg(TLSEXT_hash_sha512)
698 tlsext_sigalg(TLSEXT_hash_sha384)
699 tlsext_sigalg(TLSEXT_hash_sha256)
700 tlsext_sigalg(TLSEXT_hash_sha224)
701 tlsext_sigalg(TLSEXT_hash_sha1)
702#ifndef OPENSSL_NO_GOST
703 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
704 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
705 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
706#endif
707};
708
709#ifndef OPENSSL_NO_EC
710static const unsigned char suiteb_sigalgs[] = {
711 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
712 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
713};
714#endif
715size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
716{
717 /*
718 * If Suite B mode use Suite B sigalgs only, ignore any other
719 * preferences.
720 */
721#ifndef OPENSSL_NO_EC
722 switch (tls1_suiteb(s)) {
723 case SSL_CERT_FLAG_SUITEB_128_LOS:
724 *psigs = suiteb_sigalgs;
725 return sizeof(suiteb_sigalgs);
726
727 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
728 *psigs = suiteb_sigalgs;
729 return 2;
730
731 case SSL_CERT_FLAG_SUITEB_192_LOS:
732 *psigs = suiteb_sigalgs + 2;
733 return 2;
734 }
735#endif
736 /* If server use client authentication sigalgs if not NULL */
737 if (s->server == sent && s->cert->client_sigalgs) {
738 *psigs = s->cert->client_sigalgs;
739 return s->cert->client_sigalgslen;
740 } else if (s->cert->conf_sigalgs) {
741 *psigs = s->cert->conf_sigalgs;
742 return s->cert->conf_sigalgslen;
743 } else {
744 *psigs = tls12_sigalgs;
745 return sizeof(tls12_sigalgs);
746 }
747}
748
749/*
750 * Check signature algorithm is consistent with sent supported signature
751 * algorithms and if so return relevant digest.
752 */
753int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
754 const unsigned char *sig, EVP_PKEY *pkey)
755{
756 const unsigned char *sent_sigs;
757 size_t sent_sigslen, i;
758 int sigalg = tls12_get_sigid(pkey);
759 /* Should never happen */
760 if (sigalg == -1)
761 return -1;
762 /* Check key type is consistent with signature */
763 if (sigalg != (int)sig[1]) {
764 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
765 return 0;
766 }
767#ifndef OPENSSL_NO_EC
768 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
769 unsigned char curve_id[2], comp_id;
770 /* Check compression and curve matches extensions */
771 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
772 return 0;
773 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
774 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
775 return 0;
776 }
777 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
778 if (tls1_suiteb(s)) {
779 if (curve_id[0])
780 return 0;
781 if (curve_id[1] == TLSEXT_curve_P_256) {
782 if (sig[0] != TLSEXT_hash_sha256) {
783 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
784 SSL_R_ILLEGAL_SUITEB_DIGEST);
785 return 0;
786 }
787 } else if (curve_id[1] == TLSEXT_curve_P_384) {
788 if (sig[0] != TLSEXT_hash_sha384) {
789 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
790 SSL_R_ILLEGAL_SUITEB_DIGEST);
791 return 0;
792 }
793 } else
794 return 0;
795 }
796 } else if (tls1_suiteb(s))
797 return 0;
798#endif
799
800 /* Check signature matches a type we sent */
801 sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
802 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
803 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
804 break;
805 }
806 /* Allow fallback to SHA1 if not strict mode */
807 if (i == sent_sigslen
808 && (sig[0] != TLSEXT_hash_sha1
809 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
810 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
811 return 0;
812 }
813 *pmd = tls12_get_hash(sig[0]);
814 if (*pmd == NULL) {
815 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
816 return 0;
817 }
818 /* Make sure security callback allows algorithm */
819 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
820 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) {
821 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
822 return 0;
823 }
824 /*
825 * Store the digest used so applications can retrieve it if they wish.
826 */
827 s->s3->tmp.peer_md = *pmd;
828 return 1;
829}
830
831/*
832 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
833 * supported, doesn't appear in supported signature algorithms, isn't supported
834 * by the enabled protocol versions or by the security level.
835 *
836 * This function should only be used for checking which ciphers are supported
837 * by the client.
838 *
839 * Call ssl_cipher_disabled() to check that it's enabled or not.
840 */
841void ssl_set_client_disabled(SSL *s)
842{
843 s->s3->tmp.mask_a = 0;
844 s->s3->tmp.mask_k = 0;
845 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
846 ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
847#ifndef OPENSSL_NO_PSK
848 /* with PSK there must be client callback set */
849 if (!s->psk_client_callback) {
850 s->s3->tmp.mask_a |= SSL_aPSK;
851 s->s3->tmp.mask_k |= SSL_PSK;
852 }
853#endif /* OPENSSL_NO_PSK */
854#ifndef OPENSSL_NO_SRP
855 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
856 s->s3->tmp.mask_a |= SSL_aSRP;
857 s->s3->tmp.mask_k |= SSL_kSRP;
858 }
859#endif
860}
861
862/*
863 * ssl_cipher_disabled - check that a cipher is disabled or not
864 * @s: SSL connection that you want to use the cipher on
865 * @c: cipher to check
866 * @op: Security check that you want to do
867 * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
868 *
869 * Returns 1 when it's disabled, 0 when enabled.
870 */
871int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
872{
873 if (c->algorithm_mkey & s->s3->tmp.mask_k
874 || c->algorithm_auth & s->s3->tmp.mask_a)
875 return 1;
876 if (s->s3->tmp.max_ver == 0)
877 return 1;
878 if (!SSL_IS_DTLS(s)) {
879 int min_tls = c->min_tls;
880
881 /*
882 * For historical reasons we will allow ECHDE to be selected by a server
883 * in SSLv3 if we are a client
884 */
885 if (min_tls == TLS1_VERSION && ecdhe
886 && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
887 min_tls = SSL3_VERSION;
888
889 if ((min_tls > s->s3->tmp.max_ver) || (c->max_tls < s->s3->tmp.min_ver))
890 return 1;
891 }
892 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
893 || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
894 return 1;
895
896 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
897}
898
899static int tls_use_ticket(SSL *s)
900{
901 if (s->options & SSL_OP_NO_TICKET)
902 return 0;
903 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
904}
905
906static int compare_uint(const void *p1, const void *p2)
907{
908 unsigned int u1 = *((const unsigned int *)p1);
909 unsigned int u2 = *((const unsigned int *)p2);
910 if (u1 < u2)
911 return -1;
912 else if (u1 > u2)
913 return 1;
914 else
915 return 0;
916}
917
918/*
919 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
920 * more than one extension of the same type in a ClientHello or ServerHello.
921 * This function does an initial scan over the extensions block to filter those
922 * out. It returns 1 if all extensions are unique, and 0 if the extensions
923 * contain duplicates, could not be successfully parsed, or an internal error
924 * occurred.
925 */
926static int tls1_check_duplicate_extensions(const PACKET *packet)
927{
928 PACKET extensions = *packet;
929 size_t num_extensions = 0, i = 0;
930 unsigned int *extension_types = NULL;
931 int ret = 0;
932
933 /* First pass: count the extensions. */
934 while (PACKET_remaining(&extensions) > 0) {
935 unsigned int type;
936 PACKET extension;
937 if (!PACKET_get_net_2(&extensions, &type) ||
938 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
939 goto done;
940 }
941 num_extensions++;
942 }
943
944 if (num_extensions <= 1)
945 return 1;
946
947 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
948 if (extension_types == NULL) {
949 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
950 goto done;
951 }
952
953 /* Second pass: gather the extension types. */
954 extensions = *packet;
955 for (i = 0; i < num_extensions; i++) {
956 PACKET extension;
957 if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
958 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
959 /* This should not happen. */
960 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
961 goto done;
962 }
963 }
964
965 if (PACKET_remaining(&extensions) != 0) {
966 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
967 goto done;
968 }
969 /* Sort the extensions and make sure there are no duplicates. */
970 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
971 for (i = 1; i < num_extensions; i++) {
972 if (extension_types[i - 1] == extension_types[i])
973 goto done;
974 }
975 ret = 1;
976 done:
977 OPENSSL_free(extension_types);
978 return ret;
979}
980
981unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
982 unsigned char *limit, int *al)
983{
984 int extdatalen = 0;
985 unsigned char *orig = buf;
986 unsigned char *ret = buf;
987#ifndef OPENSSL_NO_EC
988 /* See if we support any ECC ciphersuites */
989 int using_ecc = 0;
990 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
991 int i;
992 unsigned long alg_k, alg_a;
993 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
994
995 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
996 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
997
998 alg_k = c->algorithm_mkey;
999 alg_a = c->algorithm_auth;
1000 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
1001 || (alg_a & SSL_aECDSA)) {
1002 using_ecc = 1;
1003 break;
1004 }
1005 }
1006 }
1007#endif
1008
1009 ret += 2;
1010
1011 if (ret >= limit)
1012 return NULL; /* this really never occurs, but ... */
1013
1014 /* Add RI if renegotiating */
1015 if (s->renegotiate) {
1016 int el;
1017
1018 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1019 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1020 return NULL;
1021 }
1022
1023 if (CHECKLEN(ret, 4 + el, limit))
1024 return NULL;
1025
1026 s2n(TLSEXT_TYPE_renegotiate, ret);
1027 s2n(el, ret);
1028
1029 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1030 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1031 return NULL;
1032 }
1033
1034 ret += el;
1035 }
1036 /* Only add RI for SSLv3 */
1037 if (s->client_version == SSL3_VERSION)
1038 goto done;
1039
1040 if (s->tlsext_hostname != NULL) {
1041 /* Add TLS extension servername to the Client Hello message */
1042 size_t size_str;
1043
1044 /*-
1045 * check for enough space.
1046 * 4 for the servername type and extension length
1047 * 2 for servernamelist length
1048 * 1 for the hostname type
1049 * 2 for hostname length
1050 * + hostname length
1051 */
1052 size_str = strlen(s->tlsext_hostname);
1053 if (CHECKLEN(ret, 9 + size_str, limit))
1054 return NULL;
1055
1056 /* extension type and length */
1057 s2n(TLSEXT_TYPE_server_name, ret);
1058 s2n(size_str + 5, ret);
1059
1060 /* length of servername list */
1061 s2n(size_str + 3, ret);
1062
1063 /* hostname type, length and hostname */
1064 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1065 s2n(size_str, ret);
1066 memcpy(ret, s->tlsext_hostname, size_str);
1067 ret += size_str;
1068 }
1069#ifndef OPENSSL_NO_SRP
1070 /* Add SRP username if there is one */
1071 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1072 * Client Hello message */
1073
1074 size_t login_len = strlen(s->srp_ctx.login);
1075 if (login_len > 255 || login_len == 0) {
1076 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1077 return NULL;
1078 }
1079
1080 /*-
1081 * check for enough space.
1082 * 4 for the srp type type and extension length
1083 * 1 for the srp user identity
1084 * + srp user identity length
1085 */
1086 if (CHECKLEN(ret, 5 + login_len, limit))
1087 return NULL;
1088
1089 /* fill in the extension */
1090 s2n(TLSEXT_TYPE_srp, ret);
1091 s2n(login_len + 1, ret);
1092 (*ret++) = (unsigned char)login_len;
1093 memcpy(ret, s->srp_ctx.login, login_len);
1094 ret += login_len;
1095 }
1096#endif
1097
1098#ifndef OPENSSL_NO_EC
1099 if (using_ecc) {
1100 /*
1101 * Add TLS extension ECPointFormats to the ClientHello message
1102 */
1103 const unsigned char *pcurves, *pformats;
1104 size_t num_curves, num_formats, curves_list_len;
1105 size_t i;
1106 unsigned char *etmp;
1107
1108 tls1_get_formatlist(s, &pformats, &num_formats);
1109
1110 if (num_formats > 255) {
1111 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1112 return NULL;
1113 }
1114 /*-
1115 * check for enough space.
1116 * 4 bytes for the ec point formats type and extension length
1117 * 1 byte for the length of the formats
1118 * + formats length
1119 */
1120 if (CHECKLEN(ret, 5 + num_formats, limit))
1121 return NULL;
1122
1123 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1124 /* The point format list has 1-byte length. */
1125 s2n(num_formats + 1, ret);
1126 *(ret++) = (unsigned char)num_formats;
1127 memcpy(ret, pformats, num_formats);
1128 ret += num_formats;
1129
1130 /*
1131 * Add TLS extension EllipticCurves to the ClientHello message
1132 */
1133 pcurves = s->tlsext_ellipticcurvelist;
1134 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1135 return NULL;
1136
1137 if (num_curves > 65532 / 2) {
1138 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1139 return NULL;
1140 }
1141 /*-
1142 * check for enough space.
1143 * 4 bytes for the ec curves type and extension length
1144 * 2 bytes for the curve list length
1145 * + curve list length
1146 */
1147 if (CHECKLEN(ret, 6 + (num_curves * 2), limit))
1148 return NULL;
1149
1150 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1151 etmp = ret + 4;
1152 /* Copy curve ID if supported */
1153 for (i = 0; i < num_curves; i++, pcurves += 2) {
1154 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1155 *etmp++ = pcurves[0];
1156 *etmp++ = pcurves[1];
1157 }
1158 }
1159
1160 curves_list_len = etmp - ret - 4;
1161
1162 s2n(curves_list_len + 2, ret);
1163 s2n(curves_list_len, ret);
1164 ret += curves_list_len;
1165 }
1166#endif /* OPENSSL_NO_EC */
1167
1168 if (tls_use_ticket(s)) {
1169 size_t ticklen;
1170 if (!s->new_session && s->session && s->session->tlsext_tick)
1171 ticklen = s->session->tlsext_ticklen;
1172 else if (s->session && s->tlsext_session_ticket &&
1173 s->tlsext_session_ticket->data) {
1174 ticklen = s->tlsext_session_ticket->length;
1175 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1176 if (s->session->tlsext_tick == NULL)
1177 return NULL;
1178 memcpy(s->session->tlsext_tick,
1179 s->tlsext_session_ticket->data, ticklen);
1180 s->session->tlsext_ticklen = ticklen;
1181 } else
1182 ticklen = 0;
1183 if (ticklen == 0 && s->tlsext_session_ticket &&
1184 s->tlsext_session_ticket->data == NULL)
1185 goto skip_ext;
1186 /*
1187 * Check for enough room 2 for extension type, 2 for len rest for
1188 * ticket
1189 */
1190 if (CHECKLEN(ret, 4 + ticklen, limit))
1191 return NULL;
1192 s2n(TLSEXT_TYPE_session_ticket, ret);
1193 s2n(ticklen, ret);
1194 if (ticklen > 0) {
1195 memcpy(ret, s->session->tlsext_tick, ticklen);
1196 ret += ticklen;
1197 }
1198 }
1199 skip_ext:
1200
1201#ifndef OPENSSL_NO_OCSP
1202 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1203 int i;
1204 size_t extlen, idlen;
1205 int lentmp;
1206 OCSP_RESPID *id;
1207
1208 idlen = 0;
1209 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1210 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1211 lentmp = i2d_OCSP_RESPID(id, NULL);
1212 if (lentmp <= 0)
1213 return NULL;
1214 idlen += (size_t)lentmp + 2;
1215 }
1216
1217 if (s->tlsext_ocsp_exts) {
1218 lentmp = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1219 if (lentmp < 0)
1220 return NULL;
1221 extlen = (size_t)lentmp;
1222 } else
1223 extlen = 0;
1224
1225 if (extlen + idlen > 0xFFF0)
1226 return NULL;
1227 /*
1228 * 2 bytes for status request type
1229 * 2 bytes for status request len
1230 * 1 byte for OCSP request type
1231 * 2 bytes for length of ids
1232 * 2 bytes for length of extensions
1233 * + length of ids
1234 * + length of extensions
1235 */
1236 if (CHECKLEN(ret, 9 + idlen + extlen, limit))
1237 return NULL;
1238
1239 s2n(TLSEXT_TYPE_status_request, ret);
1240 s2n(extlen + idlen + 5, ret);
1241 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1242 s2n(idlen, ret);
1243 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1244 /* save position of id len */
1245 unsigned char *q = ret;
1246 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1247 /* skip over id len */
1248 ret += 2;
1249 lentmp = i2d_OCSP_RESPID(id, &ret);
1250 /* write id len */
1251 s2n(lentmp, q);
1252 }
1253 s2n(extlen, ret);
1254 if (extlen > 0)
1255 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1256 }
1257#endif
1258#ifndef OPENSSL_NO_HEARTBEATS
1259 if (SSL_IS_DTLS(s)) {
1260 /* Add Heartbeat extension */
1261
1262 /*-
1263 * check for enough space.
1264 * 4 bytes for the heartbeat ext type and extension length
1265 * 1 byte for the mode
1266 */
1267 if (CHECKLEN(ret, 5, limit))
1268 return NULL;
1269
1270 s2n(TLSEXT_TYPE_heartbeat, ret);
1271 s2n(1, ret);
1272 /*-
1273 * Set mode:
1274 * 1: peer may send requests
1275 * 2: peer not allowed to send requests
1276 */
1277 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1278 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1279 else
1280 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
1281 }
1282#endif
1283
1284#ifndef OPENSSL_NO_NEXTPROTONEG
1285 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1286 /*
1287 * The client advertises an empty extension to indicate its support
1288 * for Next Protocol Negotiation
1289 */
1290
1291 /*-
1292 * check for enough space.
1293 * 4 bytes for the NPN ext type and extension length
1294 */
1295 if (CHECKLEN(ret, 4, limit))
1296 return NULL;
1297 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1298 s2n(0, ret);
1299 }
1300#endif
1301
1302 /*
1303 * finish_md_len is non-zero during a renegotiation, so
1304 * this avoids sending ALPN during the renegotiation
1305 * (see longer comment below)
1306 */
1307 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1308 /*-
1309 * check for enough space.
1310 * 4 bytes for the ALPN type and extension length
1311 * 2 bytes for the ALPN protocol list length
1312 * + ALPN protocol list length
1313 */
1314 if (CHECKLEN(ret, 6 + s->alpn_client_proto_list_len, limit))
1315 return NULL;
1316 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1317 s2n(2 + s->alpn_client_proto_list_len, ret);
1318 s2n(s->alpn_client_proto_list_len, ret);
1319 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1320 ret += s->alpn_client_proto_list_len;
1321 s->s3->alpn_sent = 1;
1322 }
1323#ifndef OPENSSL_NO_SRTP
1324 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1325 int el;
1326
1327 /* Returns 0 on success!! */
1328 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1329 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1330 return NULL;
1331 }
1332
1333 /*-
1334 * check for enough space.
1335 * 4 bytes for the SRTP type and extension length
1336 * + SRTP profiles length
1337 */
1338 if (CHECKLEN(ret, 4 + el, limit))
1339 return NULL;
1340
1341 s2n(TLSEXT_TYPE_use_srtp, ret);
1342 s2n(el, ret);
1343
1344 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1345 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1346 return NULL;
1347 }
1348 ret += el;
1349 }
1350#endif
1351 custom_ext_init(&s->cert->cli_ext);
1352 /* Add custom TLS Extensions to ClientHello */
1353 if (!custom_ext_add(s, 0, &ret, limit, al))
1354 return NULL;
1355 /*
1356 * In 1.1.0 before 1.1.0c we negotiated EtM with DTLS, then just
1357 * silently failed to actually do it. It is fixed in 1.1.1 but to
1358 * ease the transition especially from 1.1.0b to 1.1.0c, we just
1359 * disable it in 1.1.0.
1360 * Also skip if SSL_OP_NO_ENCRYPT_THEN_MAC is set.
1361 */
1362 if (!SSL_IS_DTLS(s) && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) {
1363 /*-
1364 * check for enough space.
1365 * 4 bytes for the ETM type and extension length
1366 */
1367 if (CHECKLEN(ret, 4, limit))
1368 return NULL;
1369 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1370 s2n(0, ret);
1371 }
1372
1373#ifndef OPENSSL_NO_CT
1374 if (s->ct_validation_callback != NULL) {
1375 /*-
1376 * check for enough space.
1377 * 4 bytes for the SCT type and extension length
1378 */
1379 if (CHECKLEN(ret, 4, limit))
1380 return NULL;
1381
1382 s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret);
1383 s2n(0, ret);
1384 }
1385#endif
1386
1387 /*-
1388 * check for enough space.
1389 * 4 bytes for the EMS type and extension length
1390 */
1391 if (CHECKLEN(ret, 4, limit))
1392 return NULL;
1393 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1394 s2n(0, ret);
1395
1396 /*
1397 * WebSphere application server can not handle having the
1398 * last extension be 0-length (e.g. EMS, EtM), so keep those
1399 * before SigAlgs
1400 */
1401 if (SSL_CLIENT_USE_SIGALGS(s)) {
1402 size_t salglen;
1403 const unsigned char *salg;
1404 unsigned char *etmp;
1405 salglen = tls12_get_psigalgs(s, 1, &salg);
1406
1407 /*-
1408 * check for enough space.
1409 * 4 bytes for the sigalgs type and extension length
1410 * 2 bytes for the sigalg list length
1411 * + sigalg list length
1412 */
1413 if (CHECKLEN(ret, salglen + 6, limit))
1414 return NULL;
1415 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1416 etmp = ret;
1417 /* Skip over lengths for now */
1418 ret += 4;
1419 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1420 /* Fill in lengths */
1421 s2n(salglen + 2, etmp);
1422 s2n(salglen, etmp);
1423 ret += salglen;
1424 }
1425
1426 /*
1427 * Add padding to workaround bugs in F5 terminators. See
1428 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1429 * code works out the length of all existing extensions it MUST always
1430 * appear last. WebSphere 7.x/8.x is intolerant of empty extensions
1431 * being last, so minimum length of 1.
1432 */
1433 if (s->options & SSL_OP_TLSEXT_PADDING) {
1434 int hlen = ret - (unsigned char *)s->init_buf->data;
1435
1436 if (hlen > 0xff && hlen < 0x200) {
1437 hlen = 0x200 - hlen;
1438 if (hlen >= 4)
1439 hlen -= 4;
1440 else
1441 hlen = 1;
1442
1443 /*-
1444 * check for enough space. Strictly speaking we know we've already
1445 * got enough space because to get here the message size is < 0x200,
1446 * but we know that we've allocated far more than that in the buffer
1447 * - but for consistency and robustness we're going to check anyway.
1448 *
1449 * 4 bytes for the padding type and extension length
1450 * + padding length
1451 */
1452 if (CHECKLEN(ret, 4 + hlen, limit))
1453 return NULL;
1454 s2n(TLSEXT_TYPE_padding, ret);
1455 s2n(hlen, ret);
1456 memset(ret, 0, hlen);
1457 ret += hlen;
1458 }
1459 }
1460
1461 done:
1462
1463 if ((extdatalen = ret - orig - 2) == 0)
1464 return orig;
1465
1466 s2n(extdatalen, orig);
1467 return ret;
1468}
1469
1470unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1471 unsigned char *limit, int *al)
1472{
1473 int extdatalen = 0;
1474 unsigned char *orig = buf;
1475 unsigned char *ret = buf;
1476#ifndef OPENSSL_NO_NEXTPROTONEG
1477 int next_proto_neg_seen;
1478#endif
1479#ifndef OPENSSL_NO_EC
1480 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1481 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1482 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1483 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1484#endif
1485
1486 ret += 2;
1487 if (ret >= limit)
1488 return NULL; /* this really never occurs, but ... */
1489
1490 if (s->s3->send_connection_binding) {
1491 int el;
1492
1493 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1494 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1495 return NULL;
1496 }
1497
1498 /*-
1499 * check for enough space.
1500 * 4 bytes for the reneg type and extension length
1501 * + reneg data length
1502 */
1503 if (CHECKLEN(ret, 4 + el, limit))
1504 return NULL;
1505
1506 s2n(TLSEXT_TYPE_renegotiate, ret);
1507 s2n(el, ret);
1508
1509 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1510 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1511 return NULL;
1512 }
1513
1514 ret += el;
1515 }
1516
1517 /* Only add RI for SSLv3 */
1518 if (s->version == SSL3_VERSION)
1519 goto done;
1520
1521 if (!s->hit && s->servername_done == 1
1522 && s->session->tlsext_hostname != NULL) {
1523 /*-
1524 * check for enough space.
1525 * 4 bytes for the server name type and extension length
1526 */
1527 if (CHECKLEN(ret, 4, limit))
1528 return NULL;
1529
1530 s2n(TLSEXT_TYPE_server_name, ret);
1531 s2n(0, ret);
1532 }
1533#ifndef OPENSSL_NO_EC
1534 if (using_ecc) {
1535 const unsigned char *plist;
1536 size_t plistlen;
1537 /*
1538 * Add TLS extension ECPointFormats to the ServerHello message
1539 */
1540
1541 tls1_get_formatlist(s, &plist, &plistlen);
1542
1543 if (plistlen > 255) {
1544 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1545 return NULL;
1546 }
1547
1548 /*-
1549 * check for enough space.
1550 * 4 bytes for the ec points format type and extension length
1551 * 1 byte for the points format list length
1552 * + length of points format list
1553 */
1554 if (CHECKLEN(ret, 5 + plistlen, limit))
1555 return NULL;
1556
1557 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1558 s2n(plistlen + 1, ret);
1559 *(ret++) = (unsigned char)plistlen;
1560 memcpy(ret, plist, plistlen);
1561 ret += plistlen;
1562
1563 }
1564 /*
1565 * Currently the server should not respond with a SupportedCurves
1566 * extension
1567 */
1568#endif /* OPENSSL_NO_EC */
1569
1570 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1571 /*-
1572 * check for enough space.
1573 * 4 bytes for the Ticket type and extension length
1574 */
1575 if (CHECKLEN(ret, 4, limit))
1576 return NULL;
1577 s2n(TLSEXT_TYPE_session_ticket, ret);
1578 s2n(0, ret);
1579 } else {
1580 /*
1581 * if we don't add the above TLSEXT, we can't add a session ticket
1582 * later
1583 */
1584 s->tlsext_ticket_expected = 0;
1585 }
1586
1587 if (s->tlsext_status_expected) {
1588 /*-
1589 * check for enough space.
1590 * 4 bytes for the Status request type and extension length
1591 */
1592 if (CHECKLEN(ret, 4, limit))
1593 return NULL;
1594 s2n(TLSEXT_TYPE_status_request, ret);
1595 s2n(0, ret);
1596 }
1597#ifndef OPENSSL_NO_SRTP
1598 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1599 int el;
1600
1601 /* Returns 0 on success!! */
1602 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
1603 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1604 return NULL;
1605 }
1606 /*-
1607 * check for enough space.
1608 * 4 bytes for the SRTP profiles type and extension length
1609 * + length of the SRTP profiles list
1610 */
1611 if (CHECKLEN(ret, 4 + el, limit))
1612 return NULL;
1613
1614 s2n(TLSEXT_TYPE_use_srtp, ret);
1615 s2n(el, ret);
1616
1617 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1618 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1619 return NULL;
1620 }
1621 ret += el;
1622 }
1623#endif
1624
1625 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1626 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1627 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1628 const unsigned char cryptopro_ext[36] = {
1629 0xfd, 0xe8, /* 65000 */
1630 0x00, 0x20, /* 32 bytes length */
1631 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1632 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1633 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1634 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1635 };
1636
1637 /* check for enough space. */
1638 if (CHECKLEN(ret, sizeof(cryptopro_ext), limit))
1639 return NULL;
1640 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
1641 ret += sizeof(cryptopro_ext);
1642
1643 }
1644#ifndef OPENSSL_NO_HEARTBEATS
1645 /* Add Heartbeat extension if we've received one */
1646 if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
1647 /*-
1648 * check for enough space.
1649 * 4 bytes for the Heartbeat type and extension length
1650 * 1 byte for the mode
1651 */
1652 if (CHECKLEN(ret, 5, limit))
1653 return NULL;
1654 s2n(TLSEXT_TYPE_heartbeat, ret);
1655 s2n(1, ret);
1656 /*-
1657 * Set mode:
1658 * 1: peer may send requests
1659 * 2: peer not allowed to send requests
1660 */
1661 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1662 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1663 else
1664 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
1665
1666 }
1667#endif
1668
1669#ifndef OPENSSL_NO_NEXTPROTONEG
1670 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1671 s->s3->next_proto_neg_seen = 0;
1672 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1673 const unsigned char *npa;
1674 unsigned int npalen;
1675 int r;
1676
1677 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1678 s->
1679 ctx->next_protos_advertised_cb_arg);
1680 if (r == SSL_TLSEXT_ERR_OK) {
1681 /*-
1682 * check for enough space.
1683 * 4 bytes for the NPN type and extension length
1684 * + length of protocols list
1685 */
1686 if (CHECKLEN(ret, 4 + npalen, limit))
1687 return NULL;
1688 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1689 s2n(npalen, ret);
1690 memcpy(ret, npa, npalen);
1691 ret += npalen;
1692 s->s3->next_proto_neg_seen = 1;
1693 }
1694 }
1695#endif
1696 if (!custom_ext_add(s, 1, &ret, limit, al))
1697 return NULL;
1698 if (s->tlsext_use_etm) {
1699 /*
1700 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1701 * for other cases too.
1702 */
1703 if (SSL_IS_DTLS(s) || s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1704 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1705 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1706 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
1707 s->tlsext_use_etm = 0;
1708 else {
1709 /*-
1710 * check for enough space.
1711 * 4 bytes for the ETM type and extension length
1712 */
1713 if (CHECKLEN(ret, 4, limit))
1714 return NULL;
1715 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1716 s2n(0, ret);
1717 }
1718 }
1719 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
1720 /*-
1721 * check for enough space.
1722 * 4 bytes for the EMS type and extension length
1723 */
1724 if (CHECKLEN(ret, 4, limit))
1725 return NULL;
1726 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1727 s2n(0, ret);
1728 }
1729
1730 if (s->s3->alpn_selected != NULL) {
1731 const unsigned char *selected = s->s3->alpn_selected;
1732 size_t len = s->s3->alpn_selected_len;
1733
1734 /*-
1735 * check for enough space.
1736 * 4 bytes for the ALPN type and extension length
1737 * 2 bytes for ALPN data length
1738 * 1 byte for selected protocol length
1739 * + length of the selected protocol
1740 */
1741 if (CHECKLEN(ret, 7 + len, limit))
1742 return NULL;
1743 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1744 s2n(3 + len, ret);
1745 s2n(1 + len, ret);
1746 *ret++ = len;
1747 memcpy(ret, selected, len);
1748 ret += len;
1749 }
1750
1751 done:
1752
1753 if ((extdatalen = ret - orig - 2) == 0)
1754 return orig;
1755
1756 s2n(extdatalen, orig);
1757 return ret;
1758}
1759
1760/*
1761 * Save the ALPN extension in a ClientHello.
1762 * pkt: the contents of the ALPN extension, not including type and length.
1763 * al: a pointer to the alert value to send in the event of a failure.
1764 * returns: 1 on success, 0 on error.
1765 */
1766static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
1767{
1768 PACKET protocol_list, save_protocol_list, protocol;
1769
1770 *al = SSL_AD_DECODE_ERROR;
1771
1772 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
1773 || PACKET_remaining(&protocol_list) < 2) {
1774 return 0;
1775 }
1776
1777 save_protocol_list = protocol_list;
1778 do {
1779 /* Protocol names can't be empty. */
1780 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
1781 || PACKET_remaining(&protocol) == 0) {
1782 return 0;
1783 }
1784 } while (PACKET_remaining(&protocol_list) != 0);
1785
1786 if (!PACKET_memdup(&save_protocol_list,
1787 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
1788 *al = TLS1_AD_INTERNAL_ERROR;
1789 return 0;
1790 }
1791
1792 return 1;
1793}
1794
1795/*
1796 * Process the ALPN extension in a ClientHello.
1797 * al: a pointer to the alert value to send in the event of a failure.
1798 * returns 1 on success, 0 on error.
1799 */
1800static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
1801{
1802 const unsigned char *selected = NULL;
1803 unsigned char selected_len = 0;
1804
1805 if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
1806 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1807 s->s3->alpn_proposed,
1808 s->s3->alpn_proposed_len,
1809 s->ctx->alpn_select_cb_arg);
1810
1811 if (r == SSL_TLSEXT_ERR_OK) {
1812 OPENSSL_free(s->s3->alpn_selected);
1813 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
1814 if (s->s3->alpn_selected == NULL) {
1815 *al = SSL_AD_INTERNAL_ERROR;
1816 return 0;
1817 }
1818 s->s3->alpn_selected_len = selected_len;
1819#ifndef OPENSSL_NO_NEXTPROTONEG
1820 /* ALPN takes precedence over NPN. */
1821 s->s3->next_proto_neg_seen = 0;
1822#endif
1823 } else if (r == SSL_TLSEXT_ERR_NOACK) {
1824 /* Behave as if no callback was present. */
1825 return 1;
1826 } else {
1827 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
1828 return 0;
1829 }
1830 }
1831
1832 return 1;
1833}
1834
1835#ifndef OPENSSL_NO_EC
1836/*-
1837 * ssl_check_for_safari attempts to fingerprint Safari using OS X
1838 * SecureTransport using the TLS extension block in |pkt|.
1839 * Safari, since 10.6, sends exactly these extensions, in this order:
1840 * SNI,
1841 * elliptic_curves
1842 * ec_point_formats
1843 *
1844 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1845 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1846 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1847 * 10.8..10.8.3 (which don't work).
1848 */
1849static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
1850{
1851 unsigned int type;
1852 PACKET sni, tmppkt;
1853 size_t ext_len;
1854
1855 static const unsigned char kSafariExtensionsBlock[] = {
1856 0x00, 0x0a, /* elliptic_curves extension */
1857 0x00, 0x08, /* 8 bytes */
1858 0x00, 0x06, /* 6 bytes of curve ids */
1859 0x00, 0x17, /* P-256 */
1860 0x00, 0x18, /* P-384 */
1861 0x00, 0x19, /* P-521 */
1862
1863 0x00, 0x0b, /* ec_point_formats */
1864 0x00, 0x02, /* 2 bytes */
1865 0x01, /* 1 point format */
1866 0x00, /* uncompressed */
1867 /* The following is only present in TLS 1.2 */
1868 0x00, 0x0d, /* signature_algorithms */
1869 0x00, 0x0c, /* 12 bytes */
1870 0x00, 0x0a, /* 10 bytes */
1871 0x05, 0x01, /* SHA-384/RSA */
1872 0x04, 0x01, /* SHA-256/RSA */
1873 0x02, 0x01, /* SHA-1/RSA */
1874 0x04, 0x03, /* SHA-256/ECDSA */
1875 0x02, 0x03, /* SHA-1/ECDSA */
1876 };
1877
1878 /* Length of the common prefix (first two extensions). */
1879 static const size_t kSafariCommonExtensionsLength = 18;
1880
1881 tmppkt = *pkt;
1882
1883 if (!PACKET_forward(&tmppkt, 2)
1884 || !PACKET_get_net_2(&tmppkt, &type)
1885 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
1886 return;
1887 }
1888
1889 if (type != TLSEXT_TYPE_server_name)
1890 return;
1891
1892 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1893 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
1894
1895 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1896 ext_len);
1897}
1898#endif /* !OPENSSL_NO_EC */
1899
1900/*
1901 * Parse ClientHello extensions and stash extension info in various parts of
1902 * the SSL object. Verify that there are no duplicate extensions.
1903 *
1904 * Behaviour upon resumption is extension-specific. If the extension has no
1905 * effect during resumption, it is parsed (to verify its format) but otherwise
1906 * ignored.
1907 *
1908 * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure.
1909 * Upon failure, sets |al| to the appropriate alert.
1910 */
1911static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
1912{
1913 unsigned int type;
1914 int renegotiate_seen = 0;
1915 PACKET extensions;
1916
1917 *al = SSL_AD_DECODE_ERROR;
1918 s->servername_done = 0;
1919 s->tlsext_status_type = -1;
1920#ifndef OPENSSL_NO_NEXTPROTONEG
1921 s->s3->next_proto_neg_seen = 0;
1922#endif
1923
1924 OPENSSL_free(s->s3->alpn_selected);
1925 s->s3->alpn_selected = NULL;
1926 s->s3->alpn_selected_len = 0;
1927 OPENSSL_free(s->s3->alpn_proposed);
1928 s->s3->alpn_proposed = NULL;
1929 s->s3->alpn_proposed_len = 0;
1930#ifndef OPENSSL_NO_HEARTBEATS
1931 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
1932 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
1933#endif
1934
1935#ifndef OPENSSL_NO_EC
1936 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1937 ssl_check_for_safari(s, pkt);
1938#endif /* !OPENSSL_NO_EC */
1939
1940 /* Clear any signature algorithms extension received */
1941 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1942 s->s3->tmp.peer_sigalgs = NULL;
1943 s->tlsext_use_etm = 0;
1944
1945#ifndef OPENSSL_NO_SRP
1946 OPENSSL_free(s->srp_ctx.login);
1947 s->srp_ctx.login = NULL;
1948#endif
1949
1950 s->srtp_profile = NULL;
1951
1952 if (PACKET_remaining(pkt) == 0)
1953 goto ri_check;
1954
1955 if (!PACKET_as_length_prefixed_2(pkt, &extensions))
1956 return 0;
1957
1958 if (!tls1_check_duplicate_extensions(&extensions))
1959 return 0;
1960
1961 /*
1962 * We parse all extensions to ensure the ClientHello is well-formed but,
1963 * unless an extension specifies otherwise, we ignore extensions upon
1964 * resumption.
1965 */
1966 while (PACKET_get_net_2(&extensions, &type)) {
1967 PACKET extension;
1968 if (!PACKET_get_length_prefixed_2(&extensions, &extension))
1969 return 0;
1970
1971 if (s->tlsext_debug_cb)
1972 s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
1973 PACKET_remaining(&extension),
1974 s->tlsext_debug_arg);
1975
1976 if (type == TLSEXT_TYPE_renegotiate) {
1977 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al))
1978 return 0;
1979 renegotiate_seen = 1;
1980 } else if (s->version == SSL3_VERSION) {
1981 }
1982/*-
1983 * The servername extension is treated as follows:
1984 *
1985 * - Only the hostname type is supported with a maximum length of 255.
1986 * - The servername is rejected if too long or if it contains zeros,
1987 * in which case an fatal alert is generated.
1988 * - The servername field is maintained together with the session cache.
1989 * - When a session is resumed, the servername call back invoked in order
1990 * to allow the application to position itself to the right context.
1991 * - The servername is acknowledged if it is new for a session or when
1992 * it is identical to a previously used for the same session.
1993 * Applications can control the behaviour. They can at any time
1994 * set a 'desirable' servername for a new SSL object. This can be the
1995 * case for example with HTTPS when a Host: header field is received and
1996 * a renegotiation is requested. In this case, a possible servername
1997 * presented in the new client hello is only acknowledged if it matches
1998 * the value of the Host: field.
1999 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2000 * if they provide for changing an explicit servername context for the
2001 * session, i.e. when the session has been established with a servername
2002 * extension.
2003 * - On session reconnect, the servername extension may be absent.
2004 *
2005 */
2006
2007 else if (type == TLSEXT_TYPE_server_name) {
2008 unsigned int servname_type;
2009 PACKET sni, hostname;
2010
2011 if (!PACKET_as_length_prefixed_2(&extension, &sni)
2012 /* ServerNameList must be at least 1 byte long. */
2013 || PACKET_remaining(&sni) == 0) {
2014 return 0;
2015 }
2016
2017 /*
2018 * Although the server_name extension was intended to be
2019 * extensible to new name types, RFC 4366 defined the
2020 * syntax inextensibility and OpenSSL 1.0.x parses it as
2021 * such.
2022 * RFC 6066 corrected the mistake but adding new name types
2023 * is nevertheless no longer feasible, so act as if no other
2024 * SNI types can exist, to simplify parsing.
2025 *
2026 * Also note that the RFC permits only one SNI value per type,
2027 * i.e., we can only have a single hostname.
2028 */
2029 if (!PACKET_get_1(&sni, &servname_type)
2030 || servname_type != TLSEXT_NAMETYPE_host_name
2031 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
2032 return 0;
2033 }
2034
2035 if (!s->hit) {
2036 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
2037 *al = TLS1_AD_UNRECOGNIZED_NAME;
2038 return 0;
2039 }
2040
2041 if (PACKET_contains_zero_byte(&hostname)) {
2042 *al = TLS1_AD_UNRECOGNIZED_NAME;
2043 return 0;
2044 }
2045
2046 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
2047 *al = TLS1_AD_INTERNAL_ERROR;
2048 return 0;
2049 }
2050
2051 s->servername_done = 1;
2052 } else {
2053 /*
2054 * TODO(openssl-team): if the SNI doesn't match, we MUST
2055 * fall back to a full handshake.
2056 */
2057 s->servername_done = s->session->tlsext_hostname
2058 && PACKET_equal(&hostname, s->session->tlsext_hostname,
2059 strlen(s->session->tlsext_hostname));
2060 }
2061 }
2062#ifndef OPENSSL_NO_SRP
2063 else if (type == TLSEXT_TYPE_srp) {
2064 PACKET srp_I;
2065
2066 if (!PACKET_as_length_prefixed_1(&extension, &srp_I))
2067 return 0;
2068
2069 if (PACKET_contains_zero_byte(&srp_I))
2070 return 0;
2071
2072 /*
2073 * TODO(openssl-team): currently, we re-authenticate the user
2074 * upon resumption. Instead, we MUST ignore the login.
2075 */
2076 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
2077 *al = TLS1_AD_INTERNAL_ERROR;
2078 return 0;
2079 }
2080 }
2081#endif
2082
2083#ifndef OPENSSL_NO_EC
2084 else if (type == TLSEXT_TYPE_ec_point_formats) {
2085 PACKET ec_point_format_list;
2086
2087 if (!PACKET_as_length_prefixed_1(&extension, &ec_point_format_list)
2088 || PACKET_remaining(&ec_point_format_list) == 0) {
2089 return 0;
2090 }
2091
2092 if (!s->hit) {
2093 if (!PACKET_memdup(&ec_point_format_list,
2094 &s->session->tlsext_ecpointformatlist,
2095 &s->
2096 session->tlsext_ecpointformatlist_length)) {
2097 *al = TLS1_AD_INTERNAL_ERROR;
2098 return 0;
2099 }
2100 }
2101 } else if (type == TLSEXT_TYPE_elliptic_curves) {
2102 PACKET elliptic_curve_list;
2103
2104 /* Each NamedCurve is 2 bytes and we must have at least 1. */
2105 if (!PACKET_as_length_prefixed_2(&extension, &elliptic_curve_list)
2106 || PACKET_remaining(&elliptic_curve_list) == 0
2107 || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
2108 return 0;
2109 }
2110
2111 if (!s->hit) {
2112 if (!PACKET_memdup(&elliptic_curve_list,
2113 &s->session->tlsext_ellipticcurvelist,
2114 &s->
2115 session->tlsext_ellipticcurvelist_length)) {
2116 *al = TLS1_AD_INTERNAL_ERROR;
2117 return 0;
2118 }
2119 }
2120 }
2121#endif /* OPENSSL_NO_EC */
2122 else if (type == TLSEXT_TYPE_session_ticket) {
2123 if (s->tls_session_ticket_ext_cb &&
2124 !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
2125 PACKET_remaining(&extension),
2126 s->tls_session_ticket_ext_cb_arg))
2127 {
2128 *al = TLS1_AD_INTERNAL_ERROR;
2129 return 0;
2130 }
2131 } else if (type == TLSEXT_TYPE_signature_algorithms) {
2132 PACKET supported_sig_algs;
2133
2134 if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs)
2135 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
2136 || PACKET_remaining(&supported_sig_algs) == 0) {
2137 return 0;
2138 }
2139
2140 if (!s->hit) {
2141 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
2142 PACKET_remaining(&supported_sig_algs))) {
2143 return 0;
2144 }
2145 }
2146 } else if (type == TLSEXT_TYPE_status_request) {
2147 if (!PACKET_get_1(&extension,
2148 (unsigned int *)&s->tlsext_status_type)) {
2149 return 0;
2150 }
2151#ifndef OPENSSL_NO_OCSP
2152 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2153 const unsigned char *ext_data;
2154 PACKET responder_id_list, exts;
2155 if (!PACKET_get_length_prefixed_2
2156 (&extension, &responder_id_list))
2157 return 0;
2158
2159 /*
2160 * We remove any OCSP_RESPIDs from a previous handshake
2161 * to prevent unbounded memory growth - CVE-2016-6304
2162 */
2163 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
2164 OCSP_RESPID_free);
2165 if (PACKET_remaining(&responder_id_list) > 0) {
2166 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
2167 if (s->tlsext_ocsp_ids == NULL) {
2168 *al = SSL_AD_INTERNAL_ERROR;
2169 return 0;
2170 }
2171 } else {
2172 s->tlsext_ocsp_ids = NULL;
2173 }
2174
2175 while (PACKET_remaining(&responder_id_list) > 0) {
2176 OCSP_RESPID *id;
2177 PACKET responder_id;
2178 const unsigned char *id_data;
2179
2180 if (!PACKET_get_length_prefixed_2(&responder_id_list,
2181 &responder_id)
2182 || PACKET_remaining(&responder_id) == 0) {
2183 return 0;
2184 }
2185
2186 id_data = PACKET_data(&responder_id);
2187 id = d2i_OCSP_RESPID(NULL, &id_data,
2188 PACKET_remaining(&responder_id));
2189 if (id == NULL)
2190 return 0;
2191
2192 if (id_data != PACKET_end(&responder_id)) {
2193 OCSP_RESPID_free(id);
2194 return 0;
2195 }
2196
2197 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2198 OCSP_RESPID_free(id);
2199 *al = SSL_AD_INTERNAL_ERROR;
2200 return 0;
2201 }
2202 }
2203
2204 /* Read in request_extensions */
2205 if (!PACKET_as_length_prefixed_2(&extension, &exts))
2206 return 0;
2207
2208 if (PACKET_remaining(&exts) > 0) {
2209 ext_data = PACKET_data(&exts);
2210 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2211 X509_EXTENSION_free);
2212 s->tlsext_ocsp_exts =
2213 d2i_X509_EXTENSIONS(NULL, &ext_data,
2214 PACKET_remaining(&exts));
2215 if (s->tlsext_ocsp_exts == NULL
2216 || ext_data != PACKET_end(&exts)) {
2217 return 0;
2218 }
2219 }
2220 } else
2221#endif
2222 {
2223 /*
2224 * We don't know what to do with any other type so ignore it.
2225 */
2226 s->tlsext_status_type = -1;
2227 }
2228 }
2229#ifndef OPENSSL_NO_HEARTBEATS
2230 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
2231 unsigned int hbtype;
2232
2233 if (!PACKET_get_1(&extension, &hbtype)
2234 || PACKET_remaining(&extension)) {
2235 *al = SSL_AD_DECODE_ERROR;
2236 return 0;
2237 }
2238 switch (hbtype) {
2239 case 0x01: /* Client allows us to send HB requests */
2240 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2241 break;
2242 case 0x02: /* Client doesn't accept HB requests */
2243 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2244 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
2245 break;
2246 default:
2247 *al = SSL_AD_ILLEGAL_PARAMETER;
2248 return 0;
2249 }
2250 }
2251#endif
2252#ifndef OPENSSL_NO_NEXTPROTONEG
2253 else if (type == TLSEXT_TYPE_next_proto_neg &&
2254 s->s3->tmp.finish_md_len == 0) {
2255 /*-
2256 * We shouldn't accept this extension on a
2257 * renegotiation.
2258 *
2259 * s->new_session will be set on renegotiation, but we
2260 * probably shouldn't rely that it couldn't be set on
2261 * the initial renegotiation too in certain cases (when
2262 * there's some other reason to disallow resuming an
2263 * earlier session -- the current code won't be doing
2264 * anything like that, but this might change).
2265 *
2266 * A valid sign that there's been a previous handshake
2267 * in this connection is if s->s3->tmp.finish_md_len >
2268 * 0. (We are talking about a check that will happen
2269 * in the Hello protocol round, well before a new
2270 * Finished message could have been computed.)
2271 */
2272 s->s3->next_proto_neg_seen = 1;
2273 }
2274#endif
2275
2276 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2277 s->s3->tmp.finish_md_len == 0) {
2278 if (!tls1_alpn_handle_client_hello(s, &extension, al))
2279 return 0;
2280 }
2281
2282 /* session ticket processed earlier */
2283#ifndef OPENSSL_NO_SRTP
2284 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2285 && type == TLSEXT_TYPE_use_srtp) {
2286 if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al))
2287 return 0;
2288 }
2289#endif
2290 else if (type == TLSEXT_TYPE_encrypt_then_mac &&
2291 !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
2292 s->tlsext_use_etm = 1;
2293 /*
2294 * Note: extended master secret extension handled in
2295 * tls_check_serverhello_tlsext_early()
2296 */
2297
2298 /*
2299 * If this ClientHello extension was unhandled and this is a
2300 * nonresumed connection, check whether the extension is a custom
2301 * TLS Extension (has a custom_srv_ext_record), and if so call the
2302 * callback and record the extension number so that an appropriate
2303 * ServerHello may be later returned.
2304 */
2305 else if (!s->hit) {
2306 if (custom_ext_parse(s, 1, type, PACKET_data(&extension),
2307 PACKET_remaining(&extension), al) <= 0)
2308 return 0;
2309 }
2310 }
2311
2312 if (PACKET_remaining(pkt) != 0) {
2313 /*
2314 * tls1_check_duplicate_extensions should ensure this never happens.
2315 */
2316 *al = SSL_AD_INTERNAL_ERROR;
2317 return 0;
2318 }
2319
2320 ri_check:
2321
2322 /* Need RI if renegotiating */
2323
2324 if (!renegotiate_seen && s->renegotiate &&
2325 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2326 *al = SSL_AD_HANDSHAKE_FAILURE;
2327 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2328 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2329 return 0;
2330 }
2331
2332 /*
2333 * This function currently has no state to clean up, so it returns directly.
2334 * If parsing fails at any point, the function returns early.
2335 * The SSL object may be left with partial data from extensions, but it must
2336 * then no longer be used, and clearing it up will free the leftovers.
2337 */
2338 return 1;
2339}
2340
2341int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
2342{
2343 int al = -1;
2344 custom_ext_init(&s->cert->srv_ext);
2345 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
2346 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2347 return 0;
2348 }
2349 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2350 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2351 return 0;
2352 }
2353 return 1;
2354}
2355
2356#ifndef OPENSSL_NO_NEXTPROTONEG
2357/*
2358 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2359 * elements of zero length are allowed and the set of elements must exactly
2360 * fill the length of the block.
2361 */
2362static char ssl_next_proto_validate(PACKET *pkt)
2363{
2364 PACKET tmp_protocol;
2365
2366 while (PACKET_remaining(pkt)) {
2367 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
2368 || PACKET_remaining(&tmp_protocol) == 0)
2369 return 0;
2370 }
2371
2372 return 1;
2373}
2374#endif
2375
2376static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
2377{
2378 unsigned int length, type, size;
2379 int tlsext_servername = 0;
2380 int renegotiate_seen = 0;
2381
2382#ifndef OPENSSL_NO_NEXTPROTONEG
2383 s->s3->next_proto_neg_seen = 0;
2384#endif
2385 s->tlsext_ticket_expected = 0;
2386
2387 OPENSSL_free(s->s3->alpn_selected);
2388 s->s3->alpn_selected = NULL;
2389#ifndef OPENSSL_NO_HEARTBEATS
2390 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
2391 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
2392#endif
2393
2394 s->tlsext_use_etm = 0;
2395
2396 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2397
2398 if (!PACKET_get_net_2(pkt, &length))
2399 goto ri_check;
2400
2401 if (PACKET_remaining(pkt) != length) {
2402 *al = SSL_AD_DECODE_ERROR;
2403 return 0;
2404 }
2405
2406 if (!tls1_check_duplicate_extensions(pkt)) {
2407 *al = SSL_AD_DECODE_ERROR;
2408 return 0;
2409 }
2410
2411 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
2412 const unsigned char *data;
2413 PACKET spkt;
2414
2415 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2416 || !PACKET_peek_bytes(&spkt, &data, size))
2417 goto ri_check;
2418
2419 if (s->tlsext_debug_cb)
2420 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2421
2422 if (type == TLSEXT_TYPE_renegotiate) {
2423 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
2424 return 0;
2425 renegotiate_seen = 1;
2426 } else if (s->version == SSL3_VERSION) {
2427 } else if (type == TLSEXT_TYPE_server_name) {
2428 if (s->tlsext_hostname == NULL || size > 0) {
2429 *al = TLS1_AD_UNRECOGNIZED_NAME;
2430 return 0;
2431 }
2432 tlsext_servername = 1;
2433 }
2434#ifndef OPENSSL_NO_EC
2435 else if (type == TLSEXT_TYPE_ec_point_formats) {
2436 unsigned int ecpointformatlist_length;
2437 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2438 || ecpointformatlist_length != size - 1) {
2439 *al = TLS1_AD_DECODE_ERROR;
2440 return 0;
2441 }
2442 if (!s->hit) {
2443 s->session->tlsext_ecpointformatlist_length = 0;
2444 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2445 if ((s->session->tlsext_ecpointformatlist =
2446 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2447 *al = TLS1_AD_INTERNAL_ERROR;
2448 return 0;
2449 }
2450 s->session->tlsext_ecpointformatlist_length =
2451 ecpointformatlist_length;
2452 if (!PACKET_copy_bytes(&spkt,
2453 s->session->tlsext_ecpointformatlist,
2454 ecpointformatlist_length)) {
2455 *al = TLS1_AD_DECODE_ERROR;
2456 return 0;
2457 }
2458
2459 }
2460 }
2461#endif /* OPENSSL_NO_EC */
2462
2463 else if (type == TLSEXT_TYPE_session_ticket) {
2464 if (s->tls_session_ticket_ext_cb &&
2465 !s->tls_session_ticket_ext_cb(s, data, size,
2466 s->tls_session_ticket_ext_cb_arg))
2467 {
2468 *al = TLS1_AD_INTERNAL_ERROR;
2469 return 0;
2470 }
2471 if (!tls_use_ticket(s) || (size > 0)) {
2472 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2473 return 0;
2474 }
2475 s->tlsext_ticket_expected = 1;
2476 } else if (type == TLSEXT_TYPE_status_request) {
2477 /*
2478 * MUST be empty and only sent if we've requested a status
2479 * request message.
2480 */
2481 if ((s->tlsext_status_type == -1) || (size > 0)) {
2482 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2483 return 0;
2484 }
2485 /* Set flag to expect CertificateStatus message */
2486 s->tlsext_status_expected = 1;
2487 }
2488#ifndef OPENSSL_NO_CT
2489 /*
2490 * Only take it if we asked for it - i.e if there is no CT validation
2491 * callback set, then a custom extension MAY be processing it, so we
2492 * need to let control continue to flow to that.
2493 */
2494 else if (type == TLSEXT_TYPE_signed_certificate_timestamp &&
2495 s->ct_validation_callback != NULL) {
2496 /* Simply copy it off for later processing */
2497 if (s->tlsext_scts != NULL) {
2498 OPENSSL_free(s->tlsext_scts);
2499 s->tlsext_scts = NULL;
2500 }
2501 s->tlsext_scts_len = size;
2502 if (size > 0) {
2503 s->tlsext_scts = OPENSSL_malloc(size);
2504 if (s->tlsext_scts == NULL) {
2505 *al = TLS1_AD_INTERNAL_ERROR;
2506 return 0;
2507 }
2508 memcpy(s->tlsext_scts, data, size);
2509 }
2510 }
2511#endif
2512#ifndef OPENSSL_NO_NEXTPROTONEG
2513 else if (type == TLSEXT_TYPE_next_proto_neg &&
2514 s->s3->tmp.finish_md_len == 0) {
2515 unsigned char *selected;
2516 unsigned char selected_len;
2517 /* We must have requested it. */
2518 if (s->ctx->next_proto_select_cb == NULL) {
2519 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2520 return 0;
2521 }
2522 /* The data must be valid */
2523 if (!ssl_next_proto_validate(&spkt)) {
2524 *al = TLS1_AD_DECODE_ERROR;
2525 return 0;
2526 }
2527 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2528 size,
2529 s->
2530 ctx->next_proto_select_cb_arg) !=
2531 SSL_TLSEXT_ERR_OK) {
2532 *al = TLS1_AD_INTERNAL_ERROR;
2533 return 0;
2534 }
2535 /*
2536 * Could be non-NULL if server has sent multiple NPN extensions in
2537 * a single Serverhello
2538 */
2539 OPENSSL_free(s->next_proto_negotiated);
2540 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2541 if (s->next_proto_negotiated == NULL) {
2542 *al = TLS1_AD_INTERNAL_ERROR;
2543 return 0;
2544 }
2545 memcpy(s->next_proto_negotiated, selected, selected_len);
2546 s->next_proto_negotiated_len = selected_len;
2547 s->s3->next_proto_neg_seen = 1;
2548 }
2549#endif
2550
2551 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2552 unsigned len;
2553 /* We must have requested it. */
2554 if (!s->s3->alpn_sent) {
2555 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2556 return 0;
2557 }
2558 /*-
2559 * The extension data consists of:
2560 * uint16 list_length
2561 * uint8 proto_length;
2562 * uint8 proto[proto_length];
2563 */
2564 if (!PACKET_get_net_2(&spkt, &len)
2565 || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len)
2566 || PACKET_remaining(&spkt) != len) {
2567 *al = TLS1_AD_DECODE_ERROR;
2568 return 0;
2569 }
2570 OPENSSL_free(s->s3->alpn_selected);
2571 s->s3->alpn_selected = OPENSSL_malloc(len);
2572 if (s->s3->alpn_selected == NULL) {
2573 *al = TLS1_AD_INTERNAL_ERROR;
2574 return 0;
2575 }
2576 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2577 *al = TLS1_AD_DECODE_ERROR;
2578 return 0;
2579 }
2580 s->s3->alpn_selected_len = len;
2581 }
2582#ifndef OPENSSL_NO_HEARTBEATS
2583 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
2584 unsigned int hbtype;
2585 if (!PACKET_get_1(&spkt, &hbtype)) {
2586 *al = SSL_AD_DECODE_ERROR;
2587 return 0;
2588 }
2589 switch (hbtype) {
2590 case 0x01: /* Server allows us to send HB requests */
2591 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2592 break;
2593 case 0x02: /* Server doesn't accept HB requests */
2594 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2595 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
2596 break;
2597 default:
2598 *al = SSL_AD_ILLEGAL_PARAMETER;
2599 return 0;
2600 }
2601 }
2602#endif
2603#ifndef OPENSSL_NO_SRTP
2604 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2605 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
2606 return 0;
2607 }
2608#endif
2609 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2610 /* Ignore if inappropriate ciphersuite */
2611 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) &&
2612 s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2613 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2614 s->tlsext_use_etm = 1;
2615 } else if (type == TLSEXT_TYPE_extended_master_secret) {
2616 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
2617 if (!s->hit)
2618 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2619 }
2620 /*
2621 * If this extension type was not otherwise handled, but matches a
2622 * custom_cli_ext_record, then send it to the c callback
2623 */
2624 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2625 return 0;
2626 }
2627
2628 if (PACKET_remaining(pkt) != 0) {
2629 *al = SSL_AD_DECODE_ERROR;
2630 return 0;
2631 }
2632
2633 if (!s->hit && tlsext_servername == 1) {
2634 if (s->tlsext_hostname) {
2635 if (s->session->tlsext_hostname == NULL) {
2636 s->session->tlsext_hostname =
2637 OPENSSL_strdup(s->tlsext_hostname);
2638 if (!s->session->tlsext_hostname) {
2639 *al = SSL_AD_UNRECOGNIZED_NAME;
2640 return 0;
2641 }
2642 } else {
2643 *al = SSL_AD_DECODE_ERROR;
2644 return 0;
2645 }
2646 }
2647 }
2648
2649 ri_check:
2650
2651 /*
2652 * Determine if we need to see RI. Strictly speaking if we want to avoid
2653 * an attack we should *always* see RI even on initial server hello
2654 * because the client doesn't see any renegotiation during an attack.
2655 * However this would mean we could not connect to any server which
2656 * doesn't support RI so for the immediate future tolerate RI absence
2657 */
2658 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2659 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2660 *al = SSL_AD_HANDSHAKE_FAILURE;
2661 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2662 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2663 return 0;
2664 }
2665
2666 if (s->hit) {
2667 /*
2668 * Check extended master secret extension is consistent with
2669 * original session.
2670 */
2671 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2672 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2673 *al = SSL_AD_HANDSHAKE_FAILURE;
2674 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2675 return 0;
2676 }
2677 }
2678
2679 return 1;
2680}
2681
2682int ssl_prepare_clienthello_tlsext(SSL *s)
2683{
2684 s->s3->alpn_sent = 0;
2685 return 1;
2686}
2687
2688int ssl_prepare_serverhello_tlsext(SSL *s)
2689{
2690 return 1;
2691}
2692
2693static int ssl_check_clienthello_tlsext_early(SSL *s)
2694{
2695 int ret = SSL_TLSEXT_ERR_NOACK;
2696 int al = SSL_AD_UNRECOGNIZED_NAME;
2697
2698#ifndef OPENSSL_NO_EC
2699 /*
2700 * The handling of the ECPointFormats extension is done elsewhere, namely
2701 * in ssl3_choose_cipher in s3_lib.c.
2702 */
2703 /*
2704 * The handling of the EllipticCurves extension is done elsewhere, namely
2705 * in ssl3_choose_cipher in s3_lib.c.
2706 */
2707#endif
2708
2709 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2710 ret =
2711 s->ctx->tlsext_servername_callback(s, &al,
2712 s->ctx->tlsext_servername_arg);
2713 else if (s->session_ctx != NULL
2714 && s->session_ctx->tlsext_servername_callback != 0)
2715 ret =
2716 s->session_ctx->tlsext_servername_callback(s, &al,
2717 s->
2718 session_ctx->tlsext_servername_arg);
2719
2720 switch (ret) {
2721 case SSL_TLSEXT_ERR_ALERT_FATAL:
2722 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2723 return -1;
2724
2725 case SSL_TLSEXT_ERR_ALERT_WARNING:
2726 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2727 return 1;
2728
2729 case SSL_TLSEXT_ERR_NOACK:
2730 s->servername_done = 0;
2731 /* fall thru */
2732 default:
2733 return 1;
2734 }
2735}
2736
2737/* Initialise digests to default values */
2738void ssl_set_default_md(SSL *s)
2739{
2740 const EVP_MD **pmd = s->s3->tmp.md;
2741#ifndef OPENSSL_NO_DSA
2742 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2743#endif
2744#ifndef OPENSSL_NO_RSA
2745 if (SSL_USE_SIGALGS(s))
2746 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2747 else
2748 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
2749 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
2750#endif
2751#ifndef OPENSSL_NO_EC
2752 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
2753#endif
2754#ifndef OPENSSL_NO_GOST
2755 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2756 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2757 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
2758#endif
2759}
2760
2761int tls1_set_server_sigalgs(SSL *s)
2762{
2763 int al;
2764 size_t i;
2765
2766 /* Clear any shared signature algorithms */
2767 OPENSSL_free(s->cert->shared_sigalgs);
2768 s->cert->shared_sigalgs = NULL;
2769 s->cert->shared_sigalgslen = 0;
2770 /* Clear certificate digests and validity flags */
2771 for (i = 0; i < SSL_PKEY_NUM; i++) {
2772 s->s3->tmp.md[i] = NULL;
2773 s->s3->tmp.valid_flags[i] = 0;
2774 }
2775
2776 /* If sigalgs received process it. */
2777 if (s->s3->tmp.peer_sigalgs) {
2778 if (!tls1_process_sigalgs(s)) {
2779 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2780 al = SSL_AD_INTERNAL_ERROR;
2781 goto err;
2782 }
2783 /* Fatal error is no shared signature algorithms */
2784 if (!s->cert->shared_sigalgs) {
2785 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2786 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
2787 al = SSL_AD_ILLEGAL_PARAMETER;
2788 goto err;
2789 }
2790 } else {
2791 ssl_set_default_md(s);
2792 }
2793 return 1;
2794 err:
2795 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2796 return 0;
2797}
2798
2799/*
2800 * Upon success, returns 1.
2801 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
2802 */
2803int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
2804{
2805 s->tlsext_status_expected = 0;
2806
2807 /*
2808 * If status request then ask callback what to do. Note: this must be
2809 * called after servername callbacks in case the certificate has changed,
2810 * and must be called after the cipher has been chosen because this may
2811 * influence which certificate is sent
2812 */
2813 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2814 int ret;
2815 CERT_PKEY *certpkey;
2816 certpkey = ssl_get_server_send_pkey(s);
2817 /* If no certificate can't return certificate status */
2818 if (certpkey != NULL) {
2819 /*
2820 * Set current certificate to one we will use so SSL_get_certificate
2821 * et al can pick it up.
2822 */
2823 s->cert->key = certpkey;
2824 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2825 switch (ret) {
2826 /* We don't want to send a status request response */
2827 case SSL_TLSEXT_ERR_NOACK:
2828 s->tlsext_status_expected = 0;
2829 break;
2830 /* status request response should be sent */
2831 case SSL_TLSEXT_ERR_OK:
2832 if (s->tlsext_ocsp_resp)
2833 s->tlsext_status_expected = 1;
2834 break;
2835 /* something bad happened */
2836 case SSL_TLSEXT_ERR_ALERT_FATAL:
2837 default:
2838 *al = SSL_AD_INTERNAL_ERROR;
2839 return 0;
2840 }
2841 }
2842 }
2843
2844 if (!tls1_alpn_handle_client_hello_late(s, al)) {
2845 return 0;
2846 }
2847
2848 return 1;
2849}
2850
2851int ssl_check_serverhello_tlsext(SSL *s)
2852{
2853 int ret = SSL_TLSEXT_ERR_NOACK;
2854 int al = SSL_AD_UNRECOGNIZED_NAME;
2855
2856#ifndef OPENSSL_NO_EC
2857 /*
2858 * If we are client and using an elliptic curve cryptography cipher
2859 * suite, then if server returns an EC point formats lists extension it
2860 * must contain uncompressed.
2861 */
2862 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2863 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2864 if ((s->tlsext_ecpointformatlist != NULL)
2865 && (s->tlsext_ecpointformatlist_length > 0)
2866 && (s->session->tlsext_ecpointformatlist != NULL)
2867 && (s->session->tlsext_ecpointformatlist_length > 0)
2868 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
2869 /* we are using an ECC cipher */
2870 size_t i;
2871 unsigned char *list;
2872 int found_uncompressed = 0;
2873 list = s->session->tlsext_ecpointformatlist;
2874 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2875 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2876 found_uncompressed = 1;
2877 break;
2878 }
2879 }
2880 if (!found_uncompressed) {
2881 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2882 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2883 return -1;
2884 }
2885 }
2886 ret = SSL_TLSEXT_ERR_OK;
2887#endif /* OPENSSL_NO_EC */
2888
2889 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2890 ret =
2891 s->ctx->tlsext_servername_callback(s, &al,
2892 s->ctx->tlsext_servername_arg);
2893 else if (s->session_ctx != NULL
2894 && s->session_ctx->tlsext_servername_callback != 0)
2895 ret =
2896 s->session_ctx->tlsext_servername_callback(s, &al,
2897 s->
2898 session_ctx->tlsext_servername_arg);
2899
2900 /*
2901 * Ensure we get sensible values passed to tlsext_status_cb in the event
2902 * that we don't receive a status message
2903 */
2904 OPENSSL_free(s->tlsext_ocsp_resp);
2905 s->tlsext_ocsp_resp = NULL;
2906 s->tlsext_ocsp_resplen = -1;
2907
2908 switch (ret) {
2909 case SSL_TLSEXT_ERR_ALERT_FATAL:
2910 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2911 return -1;
2912
2913 case SSL_TLSEXT_ERR_ALERT_WARNING:
2914 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2915 return 1;
2916
2917 case SSL_TLSEXT_ERR_NOACK:
2918 s->servername_done = 0;
2919 /* fall thru */
2920 default:
2921 return 1;
2922 }
2923}
2924
2925int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
2926{
2927 int al = -1;
2928 if (s->version < SSL3_VERSION)
2929 return 1;
2930 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
2931 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2932 return 0;
2933 }
2934
2935 if (ssl_check_serverhello_tlsext(s) <= 0) {
2936 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2937 return 0;
2938 }
2939 return 1;
2940}
2941
2942/*-
2943 * Since the server cache lookup is done early on in the processing of the
2944 * ClientHello and other operations depend on the result some extensions
2945 * need to be handled at the same time.
2946 *
2947 * Two extensions are currently handled, session ticket and extended master
2948 * secret.
2949 *
2950 * session_id: ClientHello session ID.
2951 * ext: ClientHello extensions (including length prefix)
2952 * ret: (output) on return, if a ticket was decrypted, then this is set to
2953 * point to the resulting session.
2954 *
2955 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2956 * ciphersuite, in which case we have no use for session tickets and one will
2957 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2958 *
2959 * Returns:
2960 * -1: fatal error, either from parsing or decrypting the ticket.
2961 * 0: no ticket was found (or was ignored, based on settings).
2962 * 1: a zero length extension was found, indicating that the client supports
2963 * session tickets but doesn't currently have one to offer.
2964 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2965 * couldn't be decrypted because of a non-fatal error.
2966 * 3: a ticket was successfully decrypted and *ret was set.
2967 *
2968 * Side effects:
2969 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2970 * a new session ticket to the client because the client indicated support
2971 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2972 * a session ticket or we couldn't use the one it gave us, or if
2973 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2974 * Otherwise, s->tlsext_ticket_expected is set to 0.
2975 *
2976 * For extended master secret flag is set if the extension is present.
2977 *
2978 */
2979int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2980 const PACKET *session_id,
2981 SSL_SESSION **ret)
2982{
2983 unsigned int i;
2984 PACKET local_ext = *ext;
2985 int retv = -1;
2986
2987 int have_ticket = 0;
2988 int use_ticket = tls_use_ticket(s);
2989
2990 *ret = NULL;
2991 s->tlsext_ticket_expected = 0;
2992 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2993
2994 /*
2995 * If tickets disabled behave as if no ticket present to permit stateful
2996 * resumption.
2997 */
2998 if ((s->version <= SSL3_VERSION))
2999 return 0;
3000
3001 if (!PACKET_get_net_2(&local_ext, &i)) {
3002 retv = 0;
3003 goto end;
3004 }
3005 while (PACKET_remaining(&local_ext) >= 4) {
3006 unsigned int type, size;
3007
3008 if (!PACKET_get_net_2(&local_ext, &type)
3009 || !PACKET_get_net_2(&local_ext, &size)) {
3010 /* Shouldn't ever happen */
3011 retv = -1;
3012 goto end;
3013 }
3014 if (PACKET_remaining(&local_ext) < size) {
3015 retv = 0;
3016 goto end;
3017 }
3018 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
3019 int r;
3020 const unsigned char *etick;
3021
3022 /* Duplicate extension */
3023 if (have_ticket != 0) {
3024 retv = -1;
3025 goto end;
3026 }
3027 have_ticket = 1;
3028
3029 if (size == 0) {
3030 /*
3031 * The client will accept a ticket but doesn't currently have
3032 * one.
3033 */
3034 s->tlsext_ticket_expected = 1;
3035 retv = 1;
3036 continue;
3037 }
3038 if (s->tls_session_secret_cb) {
3039 /*
3040 * Indicate that the ticket couldn't be decrypted rather than
3041 * generating the session from ticket now, trigger
3042 * abbreviated handshake based on external mechanism to
3043 * calculate the master secret later.
3044 */
3045 retv = 2;
3046 continue;
3047 }
3048 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
3049 /* Shouldn't ever happen */
3050 retv = -1;
3051 goto end;
3052 }
3053 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
3054 PACKET_remaining(session_id), ret);
3055 switch (r) {
3056 case 2: /* ticket couldn't be decrypted */
3057 s->tlsext_ticket_expected = 1;
3058 retv = 2;
3059 break;
3060 case 3: /* ticket was decrypted */
3061 retv = r;
3062 break;
3063 case 4: /* ticket decrypted but need to renew */
3064 s->tlsext_ticket_expected = 1;
3065 retv = 3;
3066 break;
3067 default: /* fatal error */
3068 retv = -1;
3069 break;
3070 }
3071 continue;
3072 } else {
3073 if (type == TLSEXT_TYPE_extended_master_secret)
3074 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
3075 if (!PACKET_forward(&local_ext, size)) {
3076 retv = -1;
3077 goto end;
3078 }
3079 }
3080 }
3081 if (have_ticket == 0)
3082 retv = 0;
3083 end:
3084 return retv;
3085}
3086
3087/*-
3088 * tls_decrypt_ticket attempts to decrypt a session ticket.
3089 *
3090 * etick: points to the body of the session ticket extension.
3091 * eticklen: the length of the session tickets extension.
3092 * sess_id: points at the session ID.
3093 * sesslen: the length of the session ID.
3094 * psess: (output) on return, if a ticket was decrypted, then this is set to
3095 * point to the resulting session.
3096 *
3097 * Returns:
3098 * -2: fatal error, malloc failure.
3099 * -1: fatal error, either from parsing or decrypting the ticket.
3100 * 2: the ticket couldn't be decrypted.
3101 * 3: a ticket was successfully decrypted and *psess was set.
3102 * 4: same as 3, but the ticket needs to be renewed.
3103 */
3104static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3105 int eticklen, const unsigned char *sess_id,
3106 int sesslen, SSL_SESSION **psess)
3107{
3108 SSL_SESSION *sess;
3109 unsigned char *sdec;
3110 const unsigned char *p;
3111 int slen, mlen, renew_ticket = 0, ret = -1;
3112 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3113 HMAC_CTX *hctx = NULL;
3114 EVP_CIPHER_CTX *ctx;
3115 SSL_CTX *tctx = s->session_ctx;
3116
3117 /* Initialize session ticket encryption and HMAC contexts */
3118 hctx = HMAC_CTX_new();
3119 if (hctx == NULL)
3120 return -2;
3121 ctx = EVP_CIPHER_CTX_new();
3122 if (ctx == NULL) {
3123 ret = -2;
3124 goto err;
3125 }
3126 if (tctx->tlsext_ticket_key_cb) {
3127 unsigned char *nctick = (unsigned char *)etick;
3128 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3129 ctx, hctx, 0);
3130 if (rv < 0)
3131 goto err;
3132 if (rv == 0) {
3133 ret = 2;
3134 goto err;
3135 }
3136 if (rv == 2)
3137 renew_ticket = 1;
3138 } else {
3139 /* Check key name matches */
3140 if (memcmp(etick, tctx->tlsext_tick_key_name,
3141 sizeof(tctx->tlsext_tick_key_name)) != 0) {
3142 ret = 2;
3143 goto err;
3144 }
3145 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
3146 sizeof(tctx->tlsext_tick_hmac_key),
3147 EVP_sha256(), NULL) <= 0
3148 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
3149 tctx->tlsext_tick_aes_key,
3150 etick + sizeof(tctx->tlsext_tick_key_name)) <=
3151 0) {
3152 goto err;
3153 }
3154 }
3155 /*
3156 * Attempt to process session ticket, first conduct sanity and integrity
3157 * checks on ticket.
3158 */
3159 mlen = HMAC_size(hctx);
3160 if (mlen < 0) {
3161 goto err;
3162 }
3163 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
3164 if (eticklen <=
3165 TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
3166 ret = 2;
3167 goto err;
3168 }
3169 eticklen -= mlen;
3170 /* Check HMAC of encrypted ticket */
3171 if (HMAC_Update(hctx, etick, eticklen) <= 0
3172 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
3173 goto err;
3174 }
3175 HMAC_CTX_free(hctx);
3176 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3177 EVP_CIPHER_CTX_free(ctx);
3178 return 2;
3179 }
3180 /* Attempt to decrypt session data */
3181 /* Move p after IV to start of encrypted ticket, update length */
3182 p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
3183 eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
3184 sdec = OPENSSL_malloc(eticklen);
3185 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
3186 EVP_CIPHER_CTX_free(ctx);
3187 OPENSSL_free(sdec);
3188 return -1;
3189 }
3190 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3191 EVP_CIPHER_CTX_free(ctx);
3192 OPENSSL_free(sdec);
3193 return 2;
3194 }
3195 slen += mlen;
3196 EVP_CIPHER_CTX_free(ctx);
3197 ctx = NULL;
3198 p = sdec;
3199
3200 sess = d2i_SSL_SESSION(NULL, &p, slen);
3201 slen -= p - sdec;
3202 OPENSSL_free(sdec);
3203 if (sess) {
3204 /* Some additional consistency checks */
3205 if (slen != 0 || sess->session_id_length != 0) {
3206 SSL_SESSION_free(sess);
3207 return 2;
3208 }
3209 /*
3210 * The session ID, if non-empty, is used by some clients to detect
3211 * that the ticket has been accepted. So we copy it to the session
3212 * structure. If it is empty set length to zero as required by
3213 * standard.
3214 */
3215 if (sesslen)
3216 memcpy(sess->session_id, sess_id, sesslen);
3217 sess->session_id_length = sesslen;
3218 *psess = sess;
3219 if (renew_ticket)
3220 return 4;
3221 else
3222 return 3;
3223 }
3224 ERR_clear_error();
3225 /*
3226 * For session parse failure, indicate that we need to send a new ticket.
3227 */
3228 return 2;
3229 err:
3230 EVP_CIPHER_CTX_free(ctx);
3231 HMAC_CTX_free(hctx);
3232 return ret;
3233}
3234
3235/* Tables to translate from NIDs to TLS v1.2 ids */
3236
3237typedef struct {
3238 int nid;
3239 int id;
3240} tls12_lookup;
3241
3242static const tls12_lookup tls12_md[] = {
3243 {NID_md5, TLSEXT_hash_md5},
3244 {NID_sha1, TLSEXT_hash_sha1},
3245 {NID_sha224, TLSEXT_hash_sha224},
3246 {NID_sha256, TLSEXT_hash_sha256},
3247 {NID_sha384, TLSEXT_hash_sha384},
3248 {NID_sha512, TLSEXT_hash_sha512},
3249 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3250 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3251 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
3252};
3253
3254static const tls12_lookup tls12_sig[] = {
3255 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3256 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3257 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3258 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3259 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3260 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
3261};
3262
3263static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
3264{
3265 size_t i;
3266 for (i = 0; i < tlen; i++) {
3267 if (table[i].nid == nid)
3268 return table[i].id;
3269 }
3270 return -1;
3271}
3272
3273static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
3274{
3275 size_t i;
3276 for (i = 0; i < tlen; i++) {
3277 if ((table[i].id) == id)
3278 return table[i].nid;
3279 }
3280 return NID_undef;
3281}
3282
3283int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3284{
3285 int sig_id, md_id;
3286 if (!md)
3287 return 0;
3288 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
3289 if (md_id == -1)
3290 return 0;
3291 sig_id = tls12_get_sigid(pk);
3292 if (sig_id == -1)
3293 return 0;
3294 p[0] = (unsigned char)md_id;
3295 p[1] = (unsigned char)sig_id;
3296 return 1;
3297}
3298
3299int tls12_get_sigid(const EVP_PKEY *pk)
3300{
3301 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
3302}
3303
3304typedef struct {
3305 int nid;
3306 int secbits;
3307 int md_idx;
3308 unsigned char tlsext_hash;
3309} tls12_hash_info;
3310
3311static const tls12_hash_info tls12_md_info[] = {
3312 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3313 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3314 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3315 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3316 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3317 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3318 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3319 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX,
3320 TLSEXT_hash_gostr34112012_256},
3321 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
3322 TLSEXT_hash_gostr34112012_512},
3323};
3324
3325static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
3326{
3327 unsigned int i;
3328 if (hash_alg == 0)
3329 return NULL;
3330
3331 for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
3332 if (tls12_md_info[i].tlsext_hash == hash_alg)
3333 return tls12_md_info + i;
3334 }
3335
3336 return NULL;
3337}
3338
3339const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3340{
3341 const tls12_hash_info *inf;
3342 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3343 return NULL;
3344 inf = tls12_get_hash_info(hash_alg);
3345 if (!inf)
3346 return NULL;
3347 return ssl_md(inf->md_idx);
3348}
3349
3350static int tls12_get_pkey_idx(unsigned char sig_alg)
3351{
3352 switch (sig_alg) {
3353#ifndef OPENSSL_NO_RSA
3354 case TLSEXT_signature_rsa:
3355 return SSL_PKEY_RSA_SIGN;
3356#endif
3357#ifndef OPENSSL_NO_DSA
3358 case TLSEXT_signature_dsa:
3359 return SSL_PKEY_DSA_SIGN;
3360#endif
3361#ifndef OPENSSL_NO_EC
3362 case TLSEXT_signature_ecdsa:
3363 return SSL_PKEY_ECC;
3364#endif
3365#ifndef OPENSSL_NO_GOST
3366 case TLSEXT_signature_gostr34102001:
3367 return SSL_PKEY_GOST01;
3368
3369 case TLSEXT_signature_gostr34102012_256:
3370 return SSL_PKEY_GOST12_256;
3371
3372 case TLSEXT_signature_gostr34102012_512:
3373 return SSL_PKEY_GOST12_512;
3374#endif
3375 }
3376 return -1;
3377}
3378
3379/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3380static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3381 int *psignhash_nid, const unsigned char *data)
3382{
3383 int sign_nid = NID_undef, hash_nid = NID_undef;
3384 if (!phash_nid && !psign_nid && !psignhash_nid)
3385 return;
3386 if (phash_nid || psignhash_nid) {
3387 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
3388 if (phash_nid)
3389 *phash_nid = hash_nid;
3390 }
3391 if (psign_nid || psignhash_nid) {
3392 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
3393 if (psign_nid)
3394 *psign_nid = sign_nid;
3395 }
3396 if (psignhash_nid) {
3397 if (sign_nid == NID_undef || hash_nid == NID_undef
3398 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0)
3399 *psignhash_nid = NID_undef;
3400 }
3401}
3402
3403/* Check to see if a signature algorithm is allowed */
3404static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
3405{
3406 /* See if we have an entry in the hash table and it is enabled */
3407 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
3408 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
3409 return 0;
3410 /* See if public key algorithm allowed */
3411 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3412 return 0;
3413 /* Finally see if security callback allows it */
3414 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3415}
3416
3417/*
3418 * Get a mask of disabled public key algorithms based on supported signature
3419 * algorithms. For example if no signature algorithm supports RSA then RSA is
3420 * disabled.
3421 */
3422
3423void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
3424{
3425 const unsigned char *sigalgs;
3426 size_t i, sigalgslen;
3427 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3428 /*
3429 * Now go through all signature algorithms seeing if we support any for
3430 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3431 * down calls to security callback only check if we have to.
3432 */
3433 sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
3434 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3435 switch (sigalgs[1]) {
3436#ifndef OPENSSL_NO_RSA
3437 case TLSEXT_signature_rsa:
3438 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3439 have_rsa = 1;
3440 break;
3441#endif
3442#ifndef OPENSSL_NO_DSA
3443 case TLSEXT_signature_dsa:
3444 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3445 have_dsa = 1;
3446 break;
3447#endif
3448#ifndef OPENSSL_NO_EC
3449 case TLSEXT_signature_ecdsa:
3450 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3451 have_ecdsa = 1;
3452 break;
3453#endif
3454 }
3455 }
3456 if (!have_rsa)
3457 *pmask_a |= SSL_aRSA;
3458 if (!have_dsa)
3459 *pmask_a |= SSL_aDSS;
3460 if (!have_ecdsa)
3461 *pmask_a |= SSL_aECDSA;
3462}
3463
3464size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
3465 const unsigned char *psig, size_t psiglen)
3466{
3467 unsigned char *tmpout = out;
3468 size_t i;
3469 for (i = 0; i < psiglen; i += 2, psig += 2) {
3470 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3471 *tmpout++ = psig[0];
3472 *tmpout++ = psig[1];
3473 }
3474 }
3475 return tmpout - out;
3476}
3477
3478/* Given preference and allowed sigalgs set shared sigalgs */
3479static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
3480 const unsigned char *pref, size_t preflen,
3481 const unsigned char *allow, size_t allowlen)
3482{
3483 const unsigned char *ptmp, *atmp;
3484 size_t i, j, nmatch = 0;
3485 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3486 /* Skip disabled hashes or signature algorithms */
3487 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3488 continue;
3489 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3490 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3491 nmatch++;
3492 if (shsig) {
3493 shsig->rhash = ptmp[0];
3494 shsig->rsign = ptmp[1];
3495 tls1_lookup_sigalg(&shsig->hash_nid,
3496 &shsig->sign_nid,
3497 &shsig->signandhash_nid, ptmp);
3498 shsig++;
3499 }
3500 break;
3501 }
3502 }
3503 }
3504 return nmatch;
3505}
3506
3507/* Set shared signature algorithms for SSL structures */
3508static int tls1_set_shared_sigalgs(SSL *s)
3509{
3510 const unsigned char *pref, *allow, *conf;
3511 size_t preflen, allowlen, conflen;
3512 size_t nmatch;
3513 TLS_SIGALGS *salgs = NULL;
3514 CERT *c = s->cert;
3515 unsigned int is_suiteb = tls1_suiteb(s);
3516
3517 OPENSSL_free(c->shared_sigalgs);
3518 c->shared_sigalgs = NULL;
3519 c->shared_sigalgslen = 0;
3520 /* If client use client signature algorithms if not NULL */
3521 if (!s->server && c->client_sigalgs && !is_suiteb) {
3522 conf = c->client_sigalgs;
3523 conflen = c->client_sigalgslen;
3524 } else if (c->conf_sigalgs && !is_suiteb) {
3525 conf = c->conf_sigalgs;
3526 conflen = c->conf_sigalgslen;
3527 } else
3528 conflen = tls12_get_psigalgs(s, 0, &conf);
3529 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3530 pref = conf;
3531 preflen = conflen;
3532 allow = s->s3->tmp.peer_sigalgs;
3533 allowlen = s->s3->tmp.peer_sigalgslen;
3534 } else {
3535 allow = conf;
3536 allowlen = conflen;
3537 pref = s->s3->tmp.peer_sigalgs;
3538 preflen = s->s3->tmp.peer_sigalgslen;
3539 }
3540 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
3541 if (nmatch) {
3542 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3543 if (salgs == NULL)
3544 return 0;
3545 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3546 } else {
3547 salgs = NULL;
3548 }
3549 c->shared_sigalgs = salgs;
3550 c->shared_sigalgslen = nmatch;
3551 return 1;
3552}
3553
3554/* Set preferred digest for each key type */
3555
3556int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
3557{
3558 CERT *c = s->cert;
3559 /* Extension ignored for inappropriate versions */
3560 if (!SSL_USE_SIGALGS(s))
3561 return 1;
3562 /* Should never happen */
3563 if (!c)
3564 return 0;
3565
3566 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3567 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3568 if (s->s3->tmp.peer_sigalgs == NULL)
3569 return 0;
3570 s->s3->tmp.peer_sigalgslen = dsize;
3571 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
3572 return 1;
3573}
3574
3575int tls1_process_sigalgs(SSL *s)
3576{
3577 int idx;
3578 size_t i;
3579 const EVP_MD *md;
3580 const EVP_MD **pmd = s->s3->tmp.md;
3581 uint32_t *pvalid = s->s3->tmp.valid_flags;
3582 CERT *c = s->cert;
3583 TLS_SIGALGS *sigptr;
3584 if (!tls1_set_shared_sigalgs(s))
3585 return 0;
3586
3587 for (i = 0, sigptr = c->shared_sigalgs;
3588 i < c->shared_sigalgslen; i++, sigptr++) {
3589 idx = tls12_get_pkey_idx(sigptr->rsign);
3590 if (idx > 0 && pmd[idx] == NULL) {
3591 md = tls12_get_hash(sigptr->rhash);
3592 pmd[idx] = md;
3593 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
3594 if (idx == SSL_PKEY_RSA_SIGN) {
3595 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
3596 pmd[SSL_PKEY_RSA_ENC] = md;
3597 }
3598 }
3599
3600 }
3601 /*
3602 * In strict mode leave unset digests as NULL to indicate we can't use
3603 * the certificate for signing.
3604 */
3605 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3606 /*
3607 * Set any remaining keys to default values. NOTE: if alg is not
3608 * supported it stays as NULL.
3609 */
3610#ifndef OPENSSL_NO_DSA
3611 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3612 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
3613#endif
3614#ifndef OPENSSL_NO_RSA
3615 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3616 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3617 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
3618 }
3619#endif
3620#ifndef OPENSSL_NO_EC
3621 if (pmd[SSL_PKEY_ECC] == NULL)
3622 pmd[SSL_PKEY_ECC] = EVP_sha1();
3623#endif
3624#ifndef OPENSSL_NO_GOST
3625 if (pmd[SSL_PKEY_GOST01] == NULL)
3626 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3627 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3628 pmd[SSL_PKEY_GOST12_256] =
3629 EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3630 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3631 pmd[SSL_PKEY_GOST12_512] =
3632 EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3633#endif
3634 }
3635 return 1;
3636}
3637
3638int SSL_get_sigalgs(SSL *s, int idx,
3639 int *psign, int *phash, int *psignhash,
3640 unsigned char *rsig, unsigned char *rhash)
3641{
3642 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
3643 if (psig == NULL)
3644 return 0;
3645 if (idx >= 0) {
3646 idx <<= 1;
3647 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
3648 return 0;
3649 psig += idx;
3650 if (rhash)
3651 *rhash = psig[0];
3652 if (rsig)
3653 *rsig = psig[1];
3654 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3655 }
3656 return s->s3->tmp.peer_sigalgslen / 2;
3657}
3658
3659int SSL_get_shared_sigalgs(SSL *s, int idx,
3660 int *psign, int *phash, int *psignhash,
3661 unsigned char *rsig, unsigned char *rhash)
3662{
3663 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3664 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3665 return 0;
3666 shsigalgs += idx;
3667 if (phash)
3668 *phash = shsigalgs->hash_nid;
3669 if (psign)
3670 *psign = shsigalgs->sign_nid;
3671 if (psignhash)
3672 *psignhash = shsigalgs->signandhash_nid;
3673 if (rsig)
3674 *rsig = shsigalgs->rsign;
3675 if (rhash)
3676 *rhash = shsigalgs->rhash;
3677 return s->cert->shared_sigalgslen;
3678}
3679
3680#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3681
3682typedef struct {
3683 size_t sigalgcnt;
3684 int sigalgs[MAX_SIGALGLEN];
3685} sig_cb_st;
3686
3687static void get_sigorhash(int *psig, int *phash, const char *str)
3688{
3689 if (strcmp(str, "RSA") == 0) {
3690 *psig = EVP_PKEY_RSA;
3691 } else if (strcmp(str, "DSA") == 0) {
3692 *psig = EVP_PKEY_DSA;
3693 } else if (strcmp(str, "ECDSA") == 0) {
3694 *psig = EVP_PKEY_EC;
3695 } else {
3696 *phash = OBJ_sn2nid(str);
3697 if (*phash == NID_undef)
3698 *phash = OBJ_ln2nid(str);
3699 }
3700}
3701
3702static int sig_cb(const char *elem, int len, void *arg)
3703{
3704 sig_cb_st *sarg = arg;
3705 size_t i;
3706 char etmp[20], *p;
3707 int sig_alg = NID_undef, hash_alg = NID_undef;
3708 if (elem == NULL)
3709 return 0;
3710 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3711 return 0;
3712 if (len > (int)(sizeof(etmp) - 1))
3713 return 0;
3714 memcpy(etmp, elem, len);
3715 etmp[len] = 0;
3716 p = strchr(etmp, '+');
3717 if (!p)
3718 return 0;
3719 *p = 0;
3720 p++;
3721 if (!*p)
3722 return 0;
3723
3724 get_sigorhash(&sig_alg, &hash_alg, etmp);
3725 get_sigorhash(&sig_alg, &hash_alg, p);
3726
3727 if (sig_alg == NID_undef || hash_alg == NID_undef)
3728 return 0;
3729
3730 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3731 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3732 return 0;
3733 }
3734 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3735 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3736 return 1;
3737}
3738
3739/*
3740 * Set supported signature algorithms based on a colon separated list of the
3741 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3742 */
3743int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
3744{
3745 sig_cb_st sig;
3746 sig.sigalgcnt = 0;
3747 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3748 return 0;
3749 if (c == NULL)
3750 return 1;
3751 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3752}
3753
3754int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
3755{
3756 unsigned char *sigalgs, *sptr;
3757 int rhash, rsign;
3758 size_t i;
3759 if (salglen & 1)
3760 return 0;
3761 sigalgs = OPENSSL_malloc(salglen);
3762 if (sigalgs == NULL)
3763 return 0;
3764 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
3765 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3766 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
3767
3768 if (rhash == -1 || rsign == -1)
3769 goto err;
3770 *sptr++ = rhash;
3771 *sptr++ = rsign;
3772 }
3773
3774 if (client) {
3775 OPENSSL_free(c->client_sigalgs);
3776 c->client_sigalgs = sigalgs;
3777 c->client_sigalgslen = salglen;
3778 } else {
3779 OPENSSL_free(c->conf_sigalgs);
3780 c->conf_sigalgs = sigalgs;
3781 c->conf_sigalgslen = salglen;
3782 }
3783
3784 return 1;
3785
3786 err:
3787 OPENSSL_free(sigalgs);
3788 return 0;
3789}
3790
3791static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3792{
3793 int sig_nid;
3794 size_t i;
3795 if (default_nid == -1)
3796 return 1;
3797 sig_nid = X509_get_signature_nid(x);
3798 if (default_nid)
3799 return sig_nid == default_nid ? 1 : 0;
3800 for (i = 0; i < c->shared_sigalgslen; i++)
3801 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3802 return 1;
3803 return 0;
3804}
3805
3806/* Check to see if a certificate issuer name matches list of CA names */
3807static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
3808{
3809 X509_NAME *nm;
3810 int i;
3811 nm = X509_get_issuer_name(x);
3812 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3813 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3814 return 1;
3815 }
3816 return 0;
3817}
3818
3819/*
3820 * Check certificate chain is consistent with TLS extensions and is usable by
3821 * server. This servers two purposes: it allows users to check chains before
3822 * passing them to the server and it allows the server to check chains before
3823 * attempting to use them.
3824 */
3825
3826/* Flags which need to be set for a certificate when strict mode not set */
3827
3828#define CERT_PKEY_VALID_FLAGS \
3829 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
3830/* Strict mode flags */
3831#define CERT_PKEY_STRICT_FLAGS \
3832 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3833 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
3834
3835int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3836 int idx)
3837{
3838 int i;
3839 int rv = 0;
3840 int check_flags = 0, strict_mode;
3841 CERT_PKEY *cpk = NULL;
3842 CERT *c = s->cert;
3843 uint32_t *pvalid;
3844 unsigned int suiteb_flags = tls1_suiteb(s);
3845 /* idx == -1 means checking server chains */
3846 if (idx != -1) {
3847 /* idx == -2 means checking client certificate chains */
3848 if (idx == -2) {
3849 cpk = c->key;
3850 idx = cpk - c->pkeys;
3851 } else
3852 cpk = c->pkeys + idx;
3853 pvalid = s->s3->tmp.valid_flags + idx;
3854 x = cpk->x509;
3855 pk = cpk->privatekey;
3856 chain = cpk->chain;
3857 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3858 /* If no cert or key, forget it */
3859 if (!x || !pk)
3860 goto end;
3861 } else {
3862 if (!x || !pk)
3863 return 0;
3864 idx = ssl_cert_type(x, pk);
3865 if (idx == -1)
3866 return 0;
3867 pvalid = s->s3->tmp.valid_flags + idx;
3868
3869 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3870 check_flags = CERT_PKEY_STRICT_FLAGS;
3871 else
3872 check_flags = CERT_PKEY_VALID_FLAGS;
3873 strict_mode = 1;
3874 }
3875
3876 if (suiteb_flags) {
3877 int ok;
3878 if (check_flags)
3879 check_flags |= CERT_PKEY_SUITEB;
3880 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3881 if (ok == X509_V_OK)
3882 rv |= CERT_PKEY_SUITEB;
3883 else if (!check_flags)
3884 goto end;
3885 }
3886
3887 /*
3888 * Check all signature algorithms are consistent with signature
3889 * algorithms extension if TLS 1.2 or later and strict mode.
3890 */
3891 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3892 int default_nid;
3893 unsigned char rsign = 0;
3894 if (s->s3->tmp.peer_sigalgs)
3895 default_nid = 0;
3896 /* If no sigalgs extension use defaults from RFC5246 */
3897 else {
3898 switch (idx) {
3899 case SSL_PKEY_RSA_ENC:
3900 case SSL_PKEY_RSA_SIGN:
3901 rsign = TLSEXT_signature_rsa;
3902 default_nid = NID_sha1WithRSAEncryption;
3903 break;
3904
3905 case SSL_PKEY_DSA_SIGN:
3906 rsign = TLSEXT_signature_dsa;
3907 default_nid = NID_dsaWithSHA1;
3908 break;
3909
3910 case SSL_PKEY_ECC:
3911 rsign = TLSEXT_signature_ecdsa;
3912 default_nid = NID_ecdsa_with_SHA1;
3913 break;
3914
3915 case SSL_PKEY_GOST01:
3916 rsign = TLSEXT_signature_gostr34102001;
3917 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3918 break;
3919
3920 case SSL_PKEY_GOST12_256:
3921 rsign = TLSEXT_signature_gostr34102012_256;
3922 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3923 break;
3924
3925 case SSL_PKEY_GOST12_512:
3926 rsign = TLSEXT_signature_gostr34102012_512;
3927 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3928 break;
3929
3930 default:
3931 default_nid = -1;
3932 break;
3933 }
3934 }
3935 /*
3936 * If peer sent no signature algorithms extension and we have set
3937 * preferred signature algorithms check we support sha1.
3938 */
3939 if (default_nid > 0 && c->conf_sigalgs) {
3940 size_t j;
3941 const unsigned char *p = c->conf_sigalgs;
3942 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3943 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3944 break;
3945 }
3946 if (j == c->conf_sigalgslen) {
3947 if (check_flags)
3948 goto skip_sigs;
3949 else
3950 goto end;
3951 }
3952 }
3953 /* Check signature algorithm of each cert in chain */
3954 if (!tls1_check_sig_alg(c, x, default_nid)) {
3955 if (!check_flags)
3956 goto end;
3957 } else
3958 rv |= CERT_PKEY_EE_SIGNATURE;
3959 rv |= CERT_PKEY_CA_SIGNATURE;
3960 for (i = 0; i < sk_X509_num(chain); i++) {
3961 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3962 if (check_flags) {
3963 rv &= ~CERT_PKEY_CA_SIGNATURE;
3964 break;
3965 } else
3966 goto end;
3967 }
3968 }
3969 }
3970 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3971 else if (check_flags)
3972 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3973 skip_sigs:
3974 /* Check cert parameters are consistent */
3975 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3976 rv |= CERT_PKEY_EE_PARAM;
3977 else if (!check_flags)
3978 goto end;
3979 if (!s->server)
3980 rv |= CERT_PKEY_CA_PARAM;
3981 /* In strict mode check rest of chain too */
3982 else if (strict_mode) {
3983 rv |= CERT_PKEY_CA_PARAM;
3984 for (i = 0; i < sk_X509_num(chain); i++) {
3985 X509 *ca = sk_X509_value(chain, i);
3986 if (!tls1_check_cert_param(s, ca, 0)) {
3987 if (check_flags) {
3988 rv &= ~CERT_PKEY_CA_PARAM;
3989 break;
3990 } else
3991 goto end;
3992 }
3993 }
3994 }
3995 if (!s->server && strict_mode) {
3996 STACK_OF(X509_NAME) *ca_dn;
3997 int check_type = 0;
3998 switch (EVP_PKEY_id(pk)) {
3999 case EVP_PKEY_RSA:
4000 check_type = TLS_CT_RSA_SIGN;
4001 break;
4002 case EVP_PKEY_DSA:
4003 check_type = TLS_CT_DSS_SIGN;
4004 break;
4005 case EVP_PKEY_EC:
4006 check_type = TLS_CT_ECDSA_SIGN;
4007 break;
4008 }
4009 if (check_type) {
4010 const unsigned char *ctypes;
4011 int ctypelen;
4012 if (c->ctypes) {
4013 ctypes = c->ctypes;
4014 ctypelen = (int)c->ctype_num;
4015 } else {
4016 ctypes = (unsigned char *)s->s3->tmp.ctype;
4017 ctypelen = s->s3->tmp.ctype_num;
4018 }
4019 for (i = 0; i < ctypelen; i++) {
4020 if (ctypes[i] == check_type) {
4021 rv |= CERT_PKEY_CERT_TYPE;
4022 break;
4023 }
4024 }
4025 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4026 goto end;
4027 } else
4028 rv |= CERT_PKEY_CERT_TYPE;
4029
4030 ca_dn = s->s3->tmp.ca_names;
4031
4032 if (!sk_X509_NAME_num(ca_dn))
4033 rv |= CERT_PKEY_ISSUER_NAME;
4034
4035 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4036 if (ssl_check_ca_name(ca_dn, x))
4037 rv |= CERT_PKEY_ISSUER_NAME;
4038 }
4039 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4040 for (i = 0; i < sk_X509_num(chain); i++) {
4041 X509 *xtmp = sk_X509_value(chain, i);
4042 if (ssl_check_ca_name(ca_dn, xtmp)) {
4043 rv |= CERT_PKEY_ISSUER_NAME;
4044 break;
4045 }
4046 }
4047 }
4048 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4049 goto end;
4050 } else
4051 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4052
4053 if (!check_flags || (rv & check_flags) == check_flags)
4054 rv |= CERT_PKEY_VALID;
4055
4056 end:
4057
4058 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
4059 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
4060 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
4061 else if (s->s3->tmp.md[idx] != NULL)
4062 rv |= CERT_PKEY_SIGN;
4063 } else
4064 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4065
4066 /*
4067 * When checking a CERT_PKEY structure all flags are irrelevant if the
4068 * chain is invalid.
4069 */
4070 if (!check_flags) {
4071 if (rv & CERT_PKEY_VALID)
4072 *pvalid = rv;
4073 else {
4074 /* Preserve explicit sign flag, clear rest */
4075 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
4076 return 0;
4077 }
4078 }
4079 return rv;
4080}
4081
4082/* Set validity of certificates in an SSL structure */
4083void tls1_set_cert_validity(SSL *s)
4084{
4085 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4086 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4087 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4088 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4089 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
4090 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
4091 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
4092}
4093
4094/* User level utility function to check a chain is suitable */
4095int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4096{
4097 return tls1_check_chain(s, x, pk, chain, -1);
4098}
4099
4100#ifndef OPENSSL_NO_DH
4101DH *ssl_get_auto_dh(SSL *s)
4102{
4103 int dh_secbits = 80;
4104 if (s->cert->dh_tmp_auto == 2)
4105 return DH_get_1024_160();
4106 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
4107 if (s->s3->tmp.new_cipher->strength_bits == 256)
4108 dh_secbits = 128;
4109 else
4110 dh_secbits = 80;
4111 } else {
4112 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4113 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4114 }
4115
4116 if (dh_secbits >= 128) {
4117 DH *dhp = DH_new();
4118 BIGNUM *p, *g;
4119 if (dhp == NULL)
4120 return NULL;
4121 g = BN_new();
4122 if (g != NULL)
4123 BN_set_word(g, 2);
4124 if (dh_secbits >= 192)
4125 p = BN_get_rfc3526_prime_8192(NULL);
4126 else
4127 p = BN_get_rfc3526_prime_3072(NULL);
4128 if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
4129 DH_free(dhp);
4130 BN_free(p);
4131 BN_free(g);
4132 return NULL;
4133 }
4134 return dhp;
4135 }
4136 if (dh_secbits >= 112)
4137 return DH_get_2048_224();
4138 return DH_get_1024_160();
4139}
4140#endif
4141
4142static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4143{
4144 int secbits = -1;
4145 EVP_PKEY *pkey = X509_get0_pubkey(x);
4146 if (pkey) {
4147 /*
4148 * If no parameters this will return -1 and fail using the default
4149 * security callback for any non-zero security level. This will
4150 * reject keys which omit parameters but this only affects DSA and
4151 * omission of parameters is never (?) done in practice.
4152 */
4153 secbits = EVP_PKEY_security_bits(pkey);
4154 }
4155 if (s)
4156 return ssl_security(s, op, secbits, 0, x);
4157 else
4158 return ssl_ctx_security(ctx, op, secbits, 0, x);
4159}
4160
4161static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4162{
4163 /* Lookup signature algorithm digest */
4164 int secbits = -1, md_nid = NID_undef, sig_nid;
4165 /* Don't check signature if self signed */
4166 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
4167 return 1;
4168 sig_nid = X509_get_signature_nid(x);
4169 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4170 const EVP_MD *md;
4171 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4172 secbits = EVP_MD_size(md) * 4;
4173 }
4174 if (s)
4175 return ssl_security(s, op, secbits, md_nid, x);
4176 else
4177 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4178}
4179
4180int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
4181{
4182 if (vfy)
4183 vfy = SSL_SECOP_PEER;
4184 if (is_ee) {
4185 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4186 return SSL_R_EE_KEY_TOO_SMALL;
4187 } else {
4188 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4189 return SSL_R_CA_KEY_TOO_SMALL;
4190 }
4191 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4192 return SSL_R_CA_MD_TOO_WEAK;
4193 return 1;
4194}
4195
4196/*
4197 * Check security of a chain, if |sk| includes the end entity certificate then
4198 * |x| is NULL. If |vfy| is 1 then we are verifying a peer chain and not sending
4199 * one to the peer. Return values: 1 if ok otherwise error code to use
4200 */
4201
4202int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
4203{
4204 int rv, start_idx, i;
4205 if (x == NULL) {
4206 x = sk_X509_value(sk, 0);
4207 start_idx = 1;
4208 } else
4209 start_idx = 0;
4210
4211 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4212 if (rv != 1)
4213 return rv;
4214
4215 for (i = start_idx; i < sk_X509_num(sk); i++) {
4216 x = sk_X509_value(sk, i);
4217 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4218 if (rv != 1)
4219 return rv;
4220 }
4221 return 1;
4222}
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette