Google Git
Sign in
flutter / third_party / openssl / 70c22888c1648fe8652e77107f3c74bf2212de36 / . / ssl / t1_lib.c
blob: 2418c658628b59f111864e413f8aa6af0da19cd4 [file] [log] [blame]
Rich Salz846e33c2016-05-17 14:18:30 -0400[diff] [blame]1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]3 *
Rich Salz846e33c2016-05-17 14:18:30 -0400[diff] [blame]4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
Bodo Möllerf1fd4542006-01-03 03:27:19 +0000[diff] [blame]8 */
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]9
10#include <stdio.h>
Emilia Kasperaa474d12016-02-19 17:24:44 +0100[diff] [blame]11#include <stdlib.h>
Bodo Möllerec577821999-04-23 22:13:45 +0000[diff] [blame]12#include <openssl/objects.h>
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]13#include <openssl/evp.h>
14#include <openssl/hmac.h>
Dr. Stephen Henson67c8e7f2007-09-26 21:56:59 +0000[diff] [blame]15#include <openssl/ocsp.h>
Matt Caswell5951e842016-04-20 16:38:29 +0100[diff] [blame]16#include <openssl/conf.h>
17#include <openssl/x509v3.h>
Rich Salz3c272082016-03-18 14:30:20 -0400[diff] [blame]18#include <openssl/dh.h>
19#include <openssl/bn.h>
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]20#include "ssl_locl.h"
Rich Salz3c272082016-03-18 14:30:20 -0400[diff] [blame]21#include <openssl/ct.h>
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]22
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]23static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]24 const unsigned char *sess_id, int sesslen,
25 SSL_SESSION **psess);
Ben Laurie2daceb02012-09-11 12:57:46 +0000[diff] [blame]26static int ssl_check_clienthello_tlsext_early(SSL *s);
Emilia Kasperaa474d12016-02-19 17:24:44 +0100[diff] [blame]27static int ssl_check_serverhello_tlsext(SSL *s);
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]28
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]29SSL3_ENC_METHOD const TLSv1_enc_data = {
30 tls1_enc,
31 tls1_mac,
32 tls1_setup_key_block,
33 tls1_generate_master_secret,
34 tls1_change_cipher_state,
35 tls1_final_finish_mac,
36 TLS1_FINISH_MAC_LENGTH,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]37 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
38 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
39 tls1_alert_code,
40 tls1_export_keying_material,
41 0,
42 SSL3_HM_HEADER_LENGTH,
43 ssl3_set_handshake_header,
44 ssl3_handshake_write
45};
Dr. Stephen Henson173e72e2013-03-11 15:34:28 +0000[diff] [blame]46
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]47SSL3_ENC_METHOD const TLSv1_1_enc_data = {
48 tls1_enc,
49 tls1_mac,
50 tls1_setup_key_block,
51 tls1_generate_master_secret,
52 tls1_change_cipher_state,
53 tls1_final_finish_mac,
54 TLS1_FINISH_MAC_LENGTH,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]55 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
56 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
57 tls1_alert_code,
58 tls1_export_keying_material,
59 SSL_ENC_FLAG_EXPLICIT_IV,
60 SSL3_HM_HEADER_LENGTH,
61 ssl3_set_handshake_header,
62 ssl3_handshake_write
63};
Dr. Stephen Henson173e72e2013-03-11 15:34:28 +0000[diff] [blame]64
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]65SSL3_ENC_METHOD const TLSv1_2_enc_data = {
66 tls1_enc,
67 tls1_mac,
68 tls1_setup_key_block,
69 tls1_generate_master_secret,
70 tls1_change_cipher_state,
71 tls1_final_finish_mac,
72 TLS1_FINISH_MAC_LENGTH,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]73 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
74 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
75 tls1_alert_code,
76 tls1_export_keying_material,
77 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
78 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
79 SSL3_HM_HEADER_LENGTH,
80 ssl3_set_handshake_header,
81 ssl3_handshake_write
82};
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]83
Dr. Stephen Hensonf3b656b2005-08-05 23:56:11 +0000[diff] [blame]84long tls1_default_timeout(void)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]85{
86 /*
87 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
88 * http, the cache would over fill
89 */
90 return (60 * 60 * 2);
91}
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]92
Ulf Möller6b691a51999-04-19 21:31:43 +0000[diff] [blame]93int tls1_new(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]94{
95 if (!ssl3_new(s))
96 return (0);
97 s->method->ssl_clear(s);
98 return (1);
99}
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]100
Ulf Möller6b691a51999-04-19 21:31:43 +0000[diff] [blame]101void tls1_free(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]102{
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]103 OPENSSL_free(s->tlsext_session_ticket);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]104 ssl3_free(s);
105}
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]106
Ulf Möller6b691a51999-04-19 21:31:43 +0000[diff] [blame]107void tls1_clear(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]108{
109 ssl3_clear(s);
Viktor Dukhovni4fa52142015-12-29 03:24:17 -0500[diff] [blame]110 if (s->method->version == TLS_ANY_VERSION)
111 s->version = TLS_MAX_VERSION;
112 else
113 s->version = s->method->version;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]114}
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]115
Dr. Stephen Henson525de5d2007-08-12 23:59:05 +0000[diff] [blame]116#ifndef OPENSSL_NO_EC
Dr. Stephen Hensoneda37662011-05-30 17:58:13 +0000[diff] [blame]117
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]118typedef struct {
119 int nid; /* Curve NID */
120 int secbits; /* Bits of security (from SP800-57) */
121 unsigned int flags; /* Flags: currently just field type */
122} tls_curve_info;
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]123
Dr. Stephen Henson1db31072016-02-25 17:46:14 +0000[diff] [blame]124/* Mask for curve type */
125# define TLS_CURVE_TYPE 0x3
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]126# define TLS_CURVE_PRIME 0x0
Dr. Stephen Henson1db31072016-02-25 17:46:14 +0000[diff] [blame]127# define TLS_CURVE_CHAR2 0x1
128# define TLS_CURVE_CUSTOM 0x2
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]129
Dr. Stephen Henson2dc1aee2016-02-13 15:27:43 +0000[diff] [blame]130/*
131 * Table of curve information.
Rich Salzddb4c042016-01-03 13:24:32 -0500[diff] [blame]132 * Do not delete entries or reorder this array! It is used as a lookup
Dr. Stephen Henson2dc1aee2016-02-13 15:27:43 +0000[diff] [blame]133 * table: the index of each entry is one less than the TLS curve id.
134 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]135static const tls_curve_info nid_list[] = {
136 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
137 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
138 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
139 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
140 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
141 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
142 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
143 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
144 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
145 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
146 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
147 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
148 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
149 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
150 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
151 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
152 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
153 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
154 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
155 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
156 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
157 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
158 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
159 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
160 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
161 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
162 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
163 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
Dr. Stephen Henson1db31072016-02-25 17:46:14 +0000[diff] [blame]164 /* X25519 (29) */
165 {NID_X25519, 128, TLS_CURVE_CUSTOM},
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]166};
Dr. Stephen Hensoneda37662011-05-30 17:58:13 +0000[diff] [blame]167
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]168static const unsigned char ecformats_default[] = {
169 TLSEXT_ECPOINTFORMAT_uncompressed,
170 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
171 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
172};
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]173
Kurt Roeckxfe6ef242015-12-04 22:30:36 +0100[diff] [blame]174/* The default curves */
175static const unsigned char eccurves_default[] = {
Dr. Stephen Henson1db31072016-02-25 17:46:14 +0000[diff] [blame]176 0, 29, /* X25519 (29) */
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]177 0, 23, /* secp256r1 (23) */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]178 0, 25, /* secp521r1 (25) */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]179 0, 24, /* secp384r1 (24) */
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]180};
181
182static const unsigned char eccurves_all[] = {
Dr. Stephen Henson1db31072016-02-25 17:46:14 +0000[diff] [blame]183 0, 29, /* X25519 (29) */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]184 0, 23, /* secp256r1 (23) */
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]185 0, 25, /* secp521r1 (25) */
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]186 0, 24, /* secp384r1 (24) */
187 0, 26, /* brainpoolP256r1 (26) */
Rich Salzddb4c042016-01-03 13:24:32 -0500[diff] [blame]188 0, 27, /* brainpoolP384r1 (27) */
189 0, 28, /* brainpool512r1 (28) */
190
191 /*
192 * Remaining curves disabled by default but still permitted if set
193 * via an explicit callback or parameters.
194 */
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]195 0, 22, /* secp256k1 (22) */
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]196 0, 14, /* sect571r1 (14) */
197 0, 13, /* sect571k1 (13) */
198 0, 11, /* sect409k1 (11) */
199 0, 12, /* sect409r1 (12) */
200 0, 9, /* sect283k1 (9) */
201 0, 10, /* sect283r1 (10) */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]202 0, 20, /* secp224k1 (20) */
203 0, 21, /* secp224r1 (21) */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]204 0, 18, /* secp192k1 (18) */
205 0, 19, /* secp192r1 (19) */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]206 0, 15, /* secp160k1 (15) */
207 0, 16, /* secp160r1 (16) */
208 0, 17, /* secp160r2 (17) */
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]209 0, 8, /* sect239k1 (8) */
210 0, 6, /* sect233k1 (6) */
211 0, 7, /* sect233r1 (7) */
212 0, 4, /* sect193r1 (4) */
213 0, 5, /* sect193r2 (5) */
214 0, 1, /* sect163k1 (1) */
215 0, 2, /* sect163r1 (2) */
216 0, 3, /* sect163r2 (3) */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]217};
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]218
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]219
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]220static const unsigned char suiteb_curves[] = {
221 0, TLSEXT_curve_P_256,
222 0, TLSEXT_curve_P_384
223};
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]224
Dr. Stephen Henson525de5d2007-08-12 23:59:05 +0000[diff] [blame]225int tls1_ec_curve_id2nid(int curve_id)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]226{
227 /* ECC curves from RFC 4492 and RFC 7027 */
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]228 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]229 return 0;
230 return nid_list[curve_id - 1].nid;
231}
Dr. Stephen Henson525de5d2007-08-12 23:59:05 +0000[diff] [blame]232
233int tls1_ec_nid2curve_id(int nid)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]234{
Dr. Stephen Henson2fa2d152016-02-13 15:28:25 +0000[diff] [blame]235 size_t i;
236 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
237 if (nid_list[i].nid == nid)
238 return i + 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]239 }
Dr. Stephen Henson2fa2d152016-02-13 15:28:25 +0000[diff] [blame]240 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]241}
242
Emilia Kasper740580c2014-12-01 16:55:55 +0100[diff] [blame]243/*
244 * Get curves list, if "sess" is set return client curves otherwise
245 * preferred list.
246 * Sets |num_curves| to the number of curves in the list, i.e.,
247 * the length of |pcurves| is 2 * num_curves.
248 * Returns 1 on success and 0 if the client curves list has invalid format.
249 * The latter indicates an internal error: we should not be accepting such
250 * lists in the first place.
251 * TODO(emilia): we should really be storing the curves list in explicitly
252 * parsed form instead. (However, this would affect binary compatibility
253 * so cannot happen in the 1.0.x series.)
Dr. Stephen Hensonfd2b65c2012-04-04 14:41:01 +0000[diff] [blame]254 */
Emilia Kasper740580c2014-12-01 16:55:55 +0100[diff] [blame]255static int tls1_get_curvelist(SSL *s, int sess,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]256 const unsigned char **pcurves,
257 size_t *num_curves)
258{
259 size_t pcurveslen = 0;
260 if (sess) {
261 *pcurves = s->session->tlsext_ellipticcurvelist;
262 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
263 } else {
264 /* For Suite B mode only include P-256, P-384 */
265 switch (tls1_suiteb(s)) {
266 case SSL_CERT_FLAG_SUITEB_128_LOS:
267 *pcurves = suiteb_curves;
268 pcurveslen = sizeof(suiteb_curves);
269 break;
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]270
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]271 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
272 *pcurves = suiteb_curves;
273 pcurveslen = 2;
274 break;
Dr. Stephen Hensonb34aa492012-12-10 02:02:16 +0000[diff] [blame]275
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]276 case SSL_CERT_FLAG_SUITEB_192_LOS:
277 *pcurves = suiteb_curves + 2;
278 pcurveslen = 2;
279 break;
280 default:
281 *pcurves = s->tlsext_ellipticcurvelist;
282 pcurveslen = s->tlsext_ellipticcurvelist_length;
283 }
284 if (!*pcurves) {
Kurt Roeckxfe6ef242015-12-04 22:30:36 +0100[diff] [blame]285 *pcurves = eccurves_default;
286 pcurveslen = sizeof(eccurves_default);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]287 }
288 }
Emilia Kasper740580c2014-12-01 16:55:55 +0100[diff] [blame]289
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]290 /* We do not allow odd length arrays to enter the system. */
291 if (pcurveslen & 1) {
292 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
293 *num_curves = 0;
294 return 0;
295 } else {
296 *num_curves = pcurveslen / 2;
297 return 1;
298 }
299}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]300
301/* See if curve is allowed by security callback */
302static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]303{
304 const tls_curve_info *cinfo;
305 if (curve[0])
306 return 1;
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]307 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]308 return 0;
309 cinfo = &nid_list[curve[1] - 1];
310# ifdef OPENSSL_NO_EC2M
311 if (cinfo->flags & TLS_CURVE_CHAR2)
312 return 0;
313# endif
314 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
315}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]316
Dr. Stephen Hensond18b7162012-07-24 13:47:40 +0000[diff] [blame]317/* Check a curve is one of our preferences */
318int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]319{
320 const unsigned char *curves;
321 size_t num_curves, i;
322 unsigned int suiteb_flags = tls1_suiteb(s);
323 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
324 return 0;
325 /* Check curve matches Suite B preferences */
326 if (suiteb_flags) {
327 unsigned long cid = s->s3->tmp.new_cipher->id;
328 if (p[1])
329 return 0;
330 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
331 if (p[2] != TLSEXT_curve_P_256)
332 return 0;
333 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
334 if (p[2] != TLSEXT_curve_P_384)
335 return 0;
336 } else /* Should never happen */
337 return 0;
338 }
339 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
340 return 0;
341 for (i = 0; i < num_curves; i++, curves += 2) {
342 if (p[1] == curves[0] && p[2] == curves[1])
343 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
344 }
345 return 0;
346}
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]347
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]348/*-
Kurt Roeckx6977e8e2015-12-04 22:25:11 +0100[diff] [blame]349 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
350 * if there is no match.
351 * For nmatch == -1, return number of matches
Emilia Kasper376e2ca2014-12-04 15:00:11 +0100[diff] [blame]352 * For nmatch == -2, return the NID of the curve to use for
353 * an EC tmp key, or NID_undef if there is no match.
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]354 */
Dr. Stephen Hensona4352632012-04-05 13:38:27 +0000[diff] [blame]355int tls1_shared_curve(SSL *s, int nmatch)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]356{
357 const unsigned char *pref, *supp;
358 size_t num_pref, num_supp, i, j;
359 int k;
360 /* Can't do anything on client side */
361 if (s->server == 0)
362 return -1;
363 if (nmatch == -2) {
364 if (tls1_suiteb(s)) {
365 /*
366 * For Suite B ciphersuite determines curve: we already know
367 * these are acceptable due to previous checks.
368 */
369 unsigned long cid = s->s3->tmp.new_cipher->id;
370 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
371 return NID_X9_62_prime256v1; /* P-256 */
372 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
373 return NID_secp384r1; /* P-384 */
374 /* Should never happen */
375 return NID_undef;
376 }
377 /* If not Suite B just return first preference shared curve */
378 nmatch = 0;
379 }
380 /*
381 * Avoid truncation. tls1_get_curvelist takes an int
382 * but s->options is a long...
383 */
384 if (!tls1_get_curvelist
385 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
386 &num_supp))
387 /* In practice, NID_undef == 0 but let's be precise. */
388 return nmatch == -1 ? 0 : NID_undef;
389 if (!tls1_get_curvelist
390 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
391 &num_pref))
392 return nmatch == -1 ? 0 : NID_undef;
Kurt Roeckx3c065132015-05-30 19:20:12 +0200[diff] [blame]393
394 /*
395 * If the client didn't send the elliptic_curves extension all of them
396 * are allowed.
397 */
398 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
399 supp = eccurves_all;
400 num_supp = sizeof(eccurves_all) / 2;
401 } else if (num_pref == 0 &&
402 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
403 pref = eccurves_all;
404 num_pref = sizeof(eccurves_all) / 2;
405 }
406
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]407 k = 0;
408 for (i = 0; i < num_pref; i++, pref += 2) {
409 const unsigned char *tsupp = supp;
410 for (j = 0; j < num_supp; j++, tsupp += 2) {
411 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
412 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
413 continue;
414 if (nmatch == k) {
415 int id = (pref[0] << 8) | pref[1];
416 return tls1_ec_curve_id2nid(id);
417 }
418 k++;
419 }
420 }
421 }
422 if (nmatch == -1)
423 return k;
424 /* Out of range (nmatch > k). */
425 return NID_undef;
426}
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]427
428int tls1_set_curves(unsigned char **pext, size_t *pextlen,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]429 int *curves, size_t ncurves)
430{
431 unsigned char *clist, *p;
432 size_t i;
433 /*
434 * Bitmap of curves included to detect duplicates: only works while curve
435 * ids < 32
436 */
437 unsigned long dup_list = 0;
438 clist = OPENSSL_malloc(ncurves * 2);
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]439 if (clist == NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]440 return 0;
441 for (i = 0, p = clist; i < ncurves; i++) {
442 unsigned long idmask;
443 int id;
444 id = tls1_ec_nid2curve_id(curves[i]);
445 idmask = 1L << id;
446 if (!id || (dup_list & idmask)) {
447 OPENSSL_free(clist);
448 return 0;
449 }
450 dup_list |= idmask;
451 s2n(id, p);
452 }
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]453 OPENSSL_free(*pext);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]454 *pext = clist;
455 *pextlen = ncurves * 2;
456 return 1;
457}
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]458
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]459# define MAX_CURVELIST 28
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]460
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]461typedef struct {
462 size_t nidcnt;
463 int nid_arr[MAX_CURVELIST];
464} nid_cb_st;
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]465
466static int nid_cb(const char *elem, int len, void *arg)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]467{
468 nid_cb_st *narg = arg;
469 size_t i;
470 int nid;
471 char etmp[20];
Kurt Roeckx2747d732015-01-24 14:46:50 +0100[diff] [blame]472 if (elem == NULL)
473 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]474 if (narg->nidcnt == MAX_CURVELIST)
475 return 0;
476 if (len > (int)(sizeof(etmp) - 1))
477 return 0;
478 memcpy(etmp, elem, len);
479 etmp[len] = 0;
480 nid = EC_curve_nist2nid(etmp);
481 if (nid == NID_undef)
482 nid = OBJ_sn2nid(etmp);
483 if (nid == NID_undef)
484 nid = OBJ_ln2nid(etmp);
485 if (nid == NID_undef)
486 return 0;
487 for (i = 0; i < narg->nidcnt; i++)
488 if (narg->nid_arr[i] == nid)
489 return 0;
490 narg->nid_arr[narg->nidcnt++] = nid;
491 return 1;
492}
493
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]494/* Set curves based on a colon separate list */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]495int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
496 const char *str)
497{
498 nid_cb_st ncb;
499 ncb.nidcnt = 0;
500 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
501 return 0;
502 if (pext == NULL)
503 return 1;
504 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
505}
506
Dr. Stephen Hensonfd2b65c2012-04-04 14:41:01 +0000[diff] [blame]507/* For an EC key set TLS id and required compression based on parameters */
508static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]509 EC_KEY *ec)
510{
Dr. Stephen Henson2235b7f2016-02-13 15:26:15 +0000[diff] [blame]511 int id;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]512 const EC_GROUP *grp;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]513 if (!ec)
514 return 0;
515 /* Determine if it is a prime field */
516 grp = EC_KEY_get0_group(ec);
517 if (!grp)
518 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]519 /* Determine curve ID */
520 id = EC_GROUP_get_curve_name(grp);
521 id = tls1_ec_nid2curve_id(id);
Dr. Stephen Henson2235b7f2016-02-13 15:26:15 +0000[diff] [blame]522 /* If no id return error: we don't support arbitrary explicit curves */
523 if (id == 0)
524 return 0;
525 curve_id[0] = 0;
526 curve_id[1] = (unsigned char)id;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]527 if (comp_id) {
528 if (EC_KEY_get0_public_key(ec) == NULL)
529 return 0;
Dr. Stephen Henson2235b7f2016-02-13 15:26:15 +0000[diff] [blame]530 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
531 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
532 } else {
533 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]534 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
535 else
536 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
Dr. Stephen Henson2235b7f2016-02-13 15:26:15 +0000[diff] [blame]537 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]538 }
539 return 1;
540}
541
Dr. Stephen Hensonfd2b65c2012-04-04 14:41:01 +0000[diff] [blame]542/* Check an EC key is compatible with extensions */
543static int tls1_check_ec_key(SSL *s,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]544 unsigned char *curve_id, unsigned char *comp_id)
545{
546 const unsigned char *pformats, *pcurves;
547 size_t num_formats, num_curves, i;
548 int j;
549 /*
550 * If point formats extension present check it, otherwise everything is
551 * supported (see RFC4492).
552 */
553 if (comp_id && s->session->tlsext_ecpointformatlist) {
554 pformats = s->session->tlsext_ecpointformatlist;
555 num_formats = s->session->tlsext_ecpointformatlist_length;
556 for (i = 0; i < num_formats; i++, pformats++) {
557 if (*comp_id == *pformats)
558 break;
559 }
560 if (i == num_formats)
561 return 0;
562 }
563 if (!curve_id)
564 return 1;
565 /* Check curve is consistent with client and server preferences */
566 for (j = 0; j <= 1; j++) {
567 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
568 return 0;
Matt Caswellb79d2412015-03-20 15:10:16 +0000[diff] [blame]569 if (j == 1 && num_curves == 0) {
570 /*
571 * If we've not received any curves then skip this check.
572 * RFC 4492 does not require the supported elliptic curves extension
573 * so if it is not sent we can just choose any curve.
574 * It is invalid to send an empty list in the elliptic curves
575 * extension, so num_curves == 0 always means no extension.
576 */
577 break;
578 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]579 for (i = 0; i < num_curves; i++, pcurves += 2) {
580 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
581 break;
582 }
583 if (i == num_curves)
584 return 0;
585 /* For clients can only check sent curve list */
586 if (!s->server)
587 break;
588 }
589 return 1;
590}
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]591
Dr. Stephen Henson5087afa2012-11-26 18:38:10 +0000[diff] [blame]592static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]593 size_t *num_formats)
594{
595 /*
596 * If we have a custom point format list use it otherwise use default
597 */
598 if (s->tlsext_ecpointformatlist) {
599 *pformats = s->tlsext_ecpointformatlist;
600 *num_formats = s->tlsext_ecpointformatlist_length;
601 } else {
602 *pformats = ecformats_default;
603 /* For Suite B we don't support char2 fields */
604 if (tls1_suiteb(s))
605 *num_formats = sizeof(ecformats_default) - 1;
606 else
607 *num_formats = sizeof(ecformats_default);
608 }
609}
Dr. Stephen Henson5087afa2012-11-26 18:38:10 +0000[diff] [blame]610
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]611/*
612 * Check cert parameters compatible with extensions: currently just checks EC
613 * certificates have compatible curves and compression.
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]614 */
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]615static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]616{
617 unsigned char comp_id, curve_id[2];
618 EVP_PKEY *pkey;
619 int rv;
Dr. Stephen Henson8382fd32015-12-20 00:32:36 +0000[diff] [blame]620 pkey = X509_get0_pubkey(x);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]621 if (!pkey)
622 return 0;
623 /* If not EC nothing to do */
Dr. Stephen Henson3aeb9342016-01-19 00:21:12 +0000[diff] [blame]624 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]625 return 1;
Dr. Stephen Henson3aeb9342016-01-19 00:21:12 +0000[diff] [blame]626 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]627 if (!rv)
628 return 0;
629 /*
630 * Can't check curve_id for client certs as we don't have a supported
631 * curves extension.
632 */
633 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
634 if (!rv)
635 return 0;
636 /*
637 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
638 * SHA384+P-384, adjust digest if necessary.
639 */
640 if (set_ee_md && tls1_suiteb(s)) {
641 int check_md;
642 size_t i;
643 CERT *c = s->cert;
644 if (curve_id[0])
645 return 0;
646 /* Check to see we have necessary signing algorithm */
647 if (curve_id[1] == TLSEXT_curve_P_256)
648 check_md = NID_ecdsa_with_SHA256;
649 else if (curve_id[1] == TLSEXT_curve_P_384)
650 check_md = NID_ecdsa_with_SHA384;
651 else
652 return 0; /* Should never happen */
653 for (i = 0; i < c->shared_sigalgslen; i++)
654 if (check_md == c->shared_sigalgs[i].signandhash_nid)
655 break;
656 if (i == c->shared_sigalgslen)
657 return 0;
658 if (set_ee_md == 2) {
659 if (check_md == NID_ecdsa_with_SHA256)
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]660 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]661 else
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]662 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]663 }
664 }
665 return rv;
666}
667
Rich Salz10bf4fc2015-03-10 19:09:27 -0400[diff] [blame]668# ifndef OPENSSL_NO_EC
Kurt Roeckx6977e8e2015-12-04 22:25:11 +0100[diff] [blame]669/*
FdaSilvaYY8483a002016-03-10 21:34:48 +0100[diff] [blame]670 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
Kurt Roeckx6977e8e2015-12-04 22:25:11 +0100[diff] [blame]671 * @s: SSL connection
672 * @cid: Cipher ID we're considering using
673 *
674 * Checks that the kECDHE cipher suite we're considering using
675 * is compatible with the client extensions.
676 *
677 * Returns 0 when the cipher can't be used or 1 when it can.
678 */
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]679int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]680{
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]681 /*
682 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
683 * curves permitted.
684 */
685 if (tls1_suiteb(s)) {
Kurt Roeckx6977e8e2015-12-04 22:25:11 +0100[diff] [blame]686 unsigned char curve_id[2];
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]687 /* Curve to check determined by ciphersuite */
688 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
689 curve_id[1] = TLSEXT_curve_P_256;
690 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
691 curve_id[1] = TLSEXT_curve_P_384;
692 else
693 return 0;
694 curve_id[0] = 0;
695 /* Check this curve is acceptable */
696 if (!tls1_check_ec_key(s, curve_id, NULL))
697 return 0;
Kurt Roeckxfe6ef242015-12-04 22:30:36 +0100[diff] [blame]698 return 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]699 }
Kurt Roeckxfe6ef242015-12-04 22:30:36 +0100[diff] [blame]700 /* Need a shared curve */
701 if (tls1_shared_curve(s, 0))
702 return 1;
Kurt Roeckx6977e8e2015-12-04 22:25:11 +0100[diff] [blame]703 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]704}
Rich Salz10bf4fc2015-03-10 19:09:27 -0400[diff] [blame]705# endif /* OPENSSL_NO_EC */
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]706
Dr. Stephen Henson14536c82013-08-17 17:40:08 +0100[diff] [blame]707#else
708
709static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]710{
711 return 1;
712}
Dr. Stephen Henson14536c82013-08-17 17:40:08 +0100[diff] [blame]713
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]714#endif /* OPENSSL_NO_EC */
Bodo Möllerf1fd4542006-01-03 03:27:19 +0000[diff] [blame]715
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]716/*
717 * List of supported signature algorithms and hashes. Should make this
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]718 * customisable at some point, for now include everything we support.
719 */
720
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]721#ifdef OPENSSL_NO_RSA
722# define tlsext_sigalg_rsa(md) /* */
723#else
724# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
725#endif
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]726
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]727#ifdef OPENSSL_NO_DSA
728# define tlsext_sigalg_dsa(md) /* */
729#else
730# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
731#endif
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]732
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]733#ifdef OPENSSL_NO_EC
734# define tlsext_sigalg_ecdsa(md) /* */
735#else
736# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
737#endif
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]738
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]739#define tlsext_sigalg(md) \
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]740 tlsext_sigalg_rsa(md) \
741 tlsext_sigalg_dsa(md) \
742 tlsext_sigalg_ecdsa(md)
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]743
Cristian Rodríguezd97ed212014-04-20 18:41:15 -0300[diff] [blame]744static const unsigned char tls12_sigalgs[] = {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]745 tlsext_sigalg(TLSEXT_hash_sha512)
746 tlsext_sigalg(TLSEXT_hash_sha384)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]747 tlsext_sigalg(TLSEXT_hash_sha256)
748 tlsext_sigalg(TLSEXT_hash_sha224)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]749 tlsext_sigalg(TLSEXT_hash_sha1)
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]750#ifndef OPENSSL_NO_GOST
751 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
752 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
753 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
754#endif
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]755};
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]756
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]757#ifndef OPENSSL_NO_EC
Cristian Rodríguezd97ed212014-04-20 18:41:15 -0300[diff] [blame]758static const unsigned char suiteb_sigalgs[] = {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]759 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
760 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]761};
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]762#endif
Dr. Stephen Hensonb7bfe692012-07-18 14:09:46 +0000[diff] [blame]763size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]764{
765 /*
766 * If Suite B mode use Suite B sigalgs only, ignore any other
767 * preferences.
768 */
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]769#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]770 switch (tls1_suiteb(s)) {
771 case SSL_CERT_FLAG_SUITEB_128_LOS:
772 *psigs = suiteb_sigalgs;
773 return sizeof(suiteb_sigalgs);
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]774
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]775 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
776 *psigs = suiteb_sigalgs;
777 return 2;
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]778
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]779 case SSL_CERT_FLAG_SUITEB_192_LOS:
780 *psigs = suiteb_sigalgs + 2;
781 return 2;
782 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]783#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]784 /* If server use client authentication sigalgs if not NULL */
785 if (s->server && s->cert->client_sigalgs) {
786 *psigs = s->cert->client_sigalgs;
787 return s->cert->client_sigalgslen;
788 } else if (s->cert->conf_sigalgs) {
789 *psigs = s->cert->conf_sigalgs;
790 return s->cert->conf_sigalgslen;
791 } else {
792 *psigs = tls12_sigalgs;
793 return sizeof(tls12_sigalgs);
794 }
795}
796
797/*
798 * Check signature algorithm is consistent with sent supported signature
Dr. Stephen Hensonec4a50b2012-07-24 18:11:27 +0000[diff] [blame]799 * algorithms and if so return relevant digest.
800 */
801int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]802 const unsigned char *sig, EVP_PKEY *pkey)
803{
804 const unsigned char *sent_sigs;
805 size_t sent_sigslen, i;
806 int sigalg = tls12_get_sigid(pkey);
807 /* Should never happen */
808 if (sigalg == -1)
809 return -1;
810 /* Check key type is consistent with signature */
811 if (sigalg != (int)sig[1]) {
812 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
813 return 0;
814 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]815#ifndef OPENSSL_NO_EC
Dr. Stephen Henson3aeb9342016-01-19 00:21:12 +0000[diff] [blame]816 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]817 unsigned char curve_id[2], comp_id;
818 /* Check compression and curve matches extensions */
Dr. Stephen Henson3aeb9342016-01-19 00:21:12 +0000[diff] [blame]819 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]820 return 0;
821 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
822 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
823 return 0;
824 }
825 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
826 if (tls1_suiteb(s)) {
827 if (curve_id[0])
828 return 0;
829 if (curve_id[1] == TLSEXT_curve_P_256) {
830 if (sig[0] != TLSEXT_hash_sha256) {
831 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
832 SSL_R_ILLEGAL_SUITEB_DIGEST);
833 return 0;
834 }
835 } else if (curve_id[1] == TLSEXT_curve_P_384) {
836 if (sig[0] != TLSEXT_hash_sha384) {
837 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
838 SSL_R_ILLEGAL_SUITEB_DIGEST);
839 return 0;
840 }
841 } else
842 return 0;
843 }
844 } else if (tls1_suiteb(s))
845 return 0;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]846#endif
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]847
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]848 /* Check signature matches a type we sent */
849 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
850 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
851 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
852 break;
853 }
854 /* Allow fallback to SHA1 if not strict mode */
855 if (i == sent_sigslen
856 && (sig[0] != TLSEXT_hash_sha1
857 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
858 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
859 return 0;
860 }
861 *pmd = tls12_get_hash(sig[0]);
862 if (*pmd == NULL) {
863 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
864 return 0;
865 }
866 /* Make sure security callback allows algorithm */
867 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
868 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
869 (void *)sig)) {
870 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
871 return 0;
872 }
873 /*
874 * Store the digest used so applications can retrieve it if they wish.
875 */
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]876 s->s3->tmp.peer_md = *pmd;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]877 return 1;
878}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]879
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]880/*
Kurt Roeckx3eb2aff2016-02-07 20:17:07 +0100[diff] [blame]881 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
882 * supported, doesn't appear in supported signature algorithms, isn't supported
883 * by the enabled protocol versions or by the security level.
884 *
885 * This function should only be used for checking which ciphers are supported
886 * by the client.
887 *
888 * Call ssl_cipher_disabled() to check that it's enabled or not.
Dr. Stephen Hensonb7bfe692012-07-18 14:09:46 +0000[diff] [blame]889 */
890void ssl_set_client_disabled(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]891{
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]892 s->s3->tmp.mask_a = 0;
893 s->s3->tmp.mask_k = 0;
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]894 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
Kurt Roeckx3eb2aff2016-02-07 20:17:07 +0100[diff] [blame]895 ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]896# ifndef OPENSSL_NO_PSK
897 /* with PSK there must be client callback set */
898 if (!s->psk_client_callback) {
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]899 s->s3->tmp.mask_a |= SSL_aPSK;
Dr. Stephen Hensonfe5eef32015-06-28 17:01:07 +0100[diff] [blame]900 s->s3->tmp.mask_k |= SSL_PSK;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]901 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]902#endif /* OPENSSL_NO_PSK */
903#ifndef OPENSSL_NO_SRP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]904 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]905 s->s3->tmp.mask_a |= SSL_aSRP;
906 s->s3->tmp.mask_k |= SSL_kSRP;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]907 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]908#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]909}
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]910
Kurt Roeckx3eb2aff2016-02-07 20:17:07 +0100[diff] [blame]911/*
912 * ssl_cipher_disabled - check that a cipher is disabled or not
913 * @s: SSL connection that you want to use the cipher on
914 * @c: cipher to check
915 * @op: Security check that you want to do
916 *
917 * Returns 1 when it's disabled, 0 when enabled.
918 */
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]919int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]920{
Kurt Roeckx3eb2aff2016-02-07 20:17:07 +0100[diff] [blame]921 if (c->algorithm_mkey & s->s3->tmp.mask_k
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]922 || c->algorithm_auth & s->s3->tmp.mask_a)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]923 return 1;
Kurt Roeckx3eb2aff2016-02-07 20:17:07 +0100[diff] [blame]924 if (s->s3->tmp.max_ver == 0)
925 return 1;
926 if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
927 || (c->max_tls < s->s3->tmp.min_ver)))
928 return 1;
929 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
930 || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
931 return 1;
932
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]933 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
934}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]935
936static int tls_use_ticket(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]937{
938 if (s->options & SSL_OP_NO_TICKET)
939 return 0;
940 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
941}
Dr. Stephen Henson8b8e5be2014-01-14 14:55:21 +0000[diff] [blame]942
Emilia Kasperaa474d12016-02-19 17:24:44 +0100[diff] [blame]943static int compare_uint(const void *p1, const void *p2) {
944 unsigned int u1 = *((const unsigned int *)p1);
945 unsigned int u2 = *((const unsigned int *)p2);
946 if (u1 < u2)
947 return -1;
948 else if (u1 > u2)
949 return 1;
950 else
951 return 0;
952}
953
954/*
955 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
956 * more than one extension of the same type in a ClientHello or ServerHello.
957 * This function does an initial scan over the extensions block to filter those
958 * out. It returns 1 if all extensions are unique, and 0 if the extensions
959 * contain duplicates, could not be successfully parsed, or an internal error
960 * occurred.
961 */
962static int tls1_check_duplicate_extensions(const PACKET *packet) {
963 PACKET extensions = *packet;
964 size_t num_extensions = 0, i = 0;
965 unsigned int *extension_types = NULL;
966 int ret = 0;
967
968 /* First pass: count the extensions. */
969 while (PACKET_remaining(&extensions) > 0) {
970 unsigned int type;
971 PACKET extension;
972 if (!PACKET_get_net_2(&extensions, &type) ||
973 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
974 goto done;
975 }
976 num_extensions++;
977 }
978
979 if (num_extensions <= 1)
980 return 1;
981
982 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
983 if (extension_types == NULL) {
984 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
985 goto done;
986 }
987
988 /* Second pass: gather the extension types. */
989 extensions = *packet;
990 for (i = 0; i < num_extensions; i++) {
991 PACKET extension;
992 if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
993 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
994 /* This should not happen. */
995 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
996 goto done;
997 }
998 }
999
1000 if (PACKET_remaining(&extensions) != 0) {
1001 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1002 goto done;
1003 }
1004 /* Sort the extensions and make sure there are no duplicates. */
1005 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
1006 for (i = 1; i < num_extensions; i++) {
1007 if (extension_types[i - 1] == extension_types[i])
1008 goto done;
1009 }
1010 ret = 1;
1011 done:
1012 OPENSSL_free(extension_types);
1013 return ret;
1014}
1015
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1016unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1017 unsigned char *limit, int *al)
1018{
1019 int extdatalen = 0;
1020 unsigned char *orig = buf;
1021 unsigned char *ret = buf;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1022#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1023 /* See if we support any ECC ciphersuites */
1024 int using_ecc = 0;
1025 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1026 int i;
1027 unsigned long alg_k, alg_a;
1028 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]1029
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1030 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
Dr. Stephen Henson4a640fb2015-12-23 00:47:28 +0000[diff] [blame]1031 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]1032
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1033 alg_k = c->algorithm_mkey;
1034 alg_a = c->algorithm_auth;
Dr. Stephen Hensonce0c1f22016-02-11 18:19:27 +0000[diff] [blame]1035 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
1036 || (alg_a & SSL_aECDSA)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1037 using_ecc = 1;
1038 break;
1039 }
Dr. Stephen Henson5a3d8ee2014-11-03 17:47:11 +0000[diff] [blame]1040 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1041 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1042#endif
Dr. Stephen Henson5a3d8ee2014-11-03 17:47:11 +0000[diff] [blame]1043
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1044 ret += 2;
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]1045
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1046 if (ret >= limit)
1047 return NULL; /* this really never occurs, but ... */
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]1048
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1049 /* Add RI if renegotiating */
1050 if (s->renegotiate) {
1051 int el;
Ben Laurieedc032b2011-03-12 17:01:19 +0000[diff] [blame]1052
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1053 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1054 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1055 return NULL;
Dr. Stephen Henson860c3dd2009-11-11 14:51:19 +0000[diff] [blame]1056 }
1057
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1058 if ((limit - ret - 4 - el) < 0)
1059 return NULL;
Dr. Stephen Henson5a3d8ee2014-11-03 17:47:11 +0000[diff] [blame]1060
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1061 s2n(TLSEXT_TYPE_renegotiate, ret);
1062 s2n(el, ret);
Dr. Stephen Henson5a3d8ee2014-11-03 17:47:11 +0000[diff] [blame]1063
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1064 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1065 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1066 return NULL;
1067 }
Dr. Stephen Henson5a3d8ee2014-11-03 17:47:11 +0000[diff] [blame]1068
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1069 ret += el;
1070 }
1071 /* Only add RI for SSLv3 */
1072 if (s->client_version == SSL3_VERSION)
1073 goto done;
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]1074
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1075 if (s->tlsext_hostname != NULL) {
1076 /* Add TLS extension servername to the Client Hello message */
1077 unsigned long size_str;
1078 long lenmax;
Dr. Stephen Henson5087afa2012-11-26 18:38:10 +0000[diff] [blame]1079
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]1080 /*-
1081 * check for enough space.
FdaSilvaYY8483a002016-03-10 21:34:48 +0100[diff] [blame]1082 * 4 for the servername type and extension length
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]1083 * 2 for servernamelist length
1084 * 1 for the hostname type
1085 * 2 for hostname length
1086 * + hostname length
1087 */
Bodo Möllera70183b2006-03-30 02:53:30 +0000[diff] [blame]1088
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1089 if ((lenmax = limit - ret - 9) < 0
1090 || (size_str =
1091 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1092 return NULL;
Dr. Stephen Henson67c8e7f2007-09-26 21:56:59 +0000[diff] [blame]1093
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1094 /* extension type and length */
1095 s2n(TLSEXT_TYPE_server_name, ret);
1096 s2n(size_str + 5, ret);
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]1097
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1098 /* length of servername list */
1099 s2n(size_str + 3, ret);
Dr. Stephen Henson67c8e7f2007-09-26 21:56:59 +0000[diff] [blame]1100
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1101 /* hostname type, length and hostname */
1102 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1103 s2n(size_str, ret);
1104 memcpy(ret, s->tlsext_hostname, size_str);
1105 ret += size_str;
1106 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1107#ifndef OPENSSL_NO_SRP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1108 /* Add SRP username if there is one */
1109 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1110 * Client Hello message */
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]1111
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1112 int login_len = strlen(s->srp_ctx.login);
1113 if (login_len > 255 || login_len == 0) {
1114 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1115 return NULL;
1116 }
Ben Laurie333f9262011-11-15 22:59:20 +0000[diff] [blame]1117
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]1118 /*-
1119 * check for enough space.
FdaSilvaYY8483a002016-03-10 21:34:48 +0100[diff] [blame]1120 * 4 for the srp type type and extension length
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]1121 * 1 for the srp user identity
1122 * + srp user identity length
1123 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1124 if ((limit - ret - 5 - login_len) < 0)
1125 return NULL;
Ben Laurie333f9262011-11-15 22:59:20 +0000[diff] [blame]1126
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1127 /* fill in the extension */
1128 s2n(TLSEXT_TYPE_srp, ret);
1129 s2n(login_len + 1, ret);
1130 (*ret++) = (unsigned char)login_len;
1131 memcpy(ret, s->srp_ctx.login, login_len);
1132 ret += login_len;
1133 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1134#endif
Ben Laurie333f9262011-11-15 22:59:20 +0000[diff] [blame]1135
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1136#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1137 if (using_ecc) {
1138 /*
1139 * Add TLS extension ECPointFormats to the ClientHello message
1140 */
1141 long lenmax;
1142 const unsigned char *pcurves, *pformats;
1143 size_t num_curves, num_formats, curves_list_len;
1144 size_t i;
1145 unsigned char *etmp;
Ben Laurie333f9262011-11-15 22:59:20 +0000[diff] [blame]1146
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1147 tls1_get_formatlist(s, &pformats, &num_formats);
Ben Laurie333f9262011-11-15 22:59:20 +0000[diff] [blame]1148
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1149 if ((lenmax = limit - ret - 5) < 0)
1150 return NULL;
1151 if (num_formats > (size_t)lenmax)
1152 return NULL;
1153 if (num_formats > 255) {
1154 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1155 return NULL;
1156 }
Dr. Stephen Henson0e1dba92007-10-26 12:06:36 +0000[diff] [blame]1157
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1158 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1159 /* The point format list has 1-byte length. */
1160 s2n(num_formats + 1, ret);
1161 *(ret++) = (unsigned char)num_formats;
1162 memcpy(ret, pformats, num_formats);
1163 ret += num_formats;
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]1164
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1165 /*
1166 * Add TLS extension EllipticCurves to the ClientHello message
1167 */
1168 pcurves = s->tlsext_ellipticcurvelist;
1169 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1170 return NULL;
Dr. Stephen Henson192540b2012-01-05 00:23:17 +0000[diff] [blame]1171
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1172 if ((lenmax = limit - ret - 6) < 0)
1173 return NULL;
1174 if (num_curves > (size_t)lenmax / 2)
1175 return NULL;
1176 if (num_curves > 65532 / 2) {
1177 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1178 return NULL;
1179 }
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]1180
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1181 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1182 etmp = ret + 4;
1183 /* Copy curve ID if supported */
1184 for (i = 0; i < num_curves; i++, pcurves += 2) {
1185 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1186 *etmp++ = pcurves[0];
1187 *etmp++ = pcurves[1];
1188 }
1189 }
Ben Laurieee2ffc22010-07-28 10:06:55 +0000[diff] [blame]1190
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1191 curves_list_len = etmp - ret - 4;
Trevora398f822013-05-12 18:55:27 -0700[diff] [blame]1192
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1193 s2n(curves_list_len + 2, ret);
1194 s2n(curves_list_len, ret);
1195 ret += curves_list_len;
1196 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1197#endif /* OPENSSL_NO_EC */
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1198
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1199 if (tls_use_ticket(s)) {
1200 int ticklen;
1201 if (!s->new_session && s->session && s->session->tlsext_tick)
1202 ticklen = s->session->tlsext_ticklen;
1203 else if (s->session && s->tlsext_session_ticket &&
1204 s->tlsext_session_ticket->data) {
1205 ticklen = s->tlsext_session_ticket->length;
1206 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]1207 if (s->session->tlsext_tick == NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1208 return NULL;
1209 memcpy(s->session->tlsext_tick,
1210 s->tlsext_session_ticket->data, ticklen);
1211 s->session->tlsext_ticklen = ticklen;
1212 } else
1213 ticklen = 0;
1214 if (ticklen == 0 && s->tlsext_session_ticket &&
1215 s->tlsext_session_ticket->data == NULL)
1216 goto skip_ext;
1217 /*
1218 * Check for enough room 2 for extension type, 2 for len rest for
1219 * ticket
1220 */
1221 if ((long)(limit - ret - 4 - ticklen) < 0)
1222 return NULL;
1223 s2n(TLSEXT_TYPE_session_ticket, ret);
1224 s2n(ticklen, ret);
1225 if (ticklen) {
1226 memcpy(ret, s->session->tlsext_tick, ticklen);
1227 ret += ticklen;
1228 }
1229 }
1230 skip_ext:
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1231
David Benjaminf7aa3182016-03-05 19:49:20 -0500[diff] [blame]1232 if (SSL_CLIENT_USE_SIGALGS(s)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1233 size_t salglen;
1234 const unsigned char *salg;
1235 unsigned char *etmp;
1236 salglen = tls12_get_psigalgs(s, &salg);
1237 if ((size_t)(limit - ret) < salglen + 6)
1238 return NULL;
1239 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1240 etmp = ret;
1241 /* Skip over lengths for now */
1242 ret += 4;
1243 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1244 /* Fill in lengths */
1245 s2n(salglen + 2, etmp);
1246 s2n(salglen, etmp);
1247 ret += salglen;
1248 }
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]1249
Matt Caswell3e41ac32016-03-21 16:54:53 +0000[diff] [blame]1250#ifndef OPENSSL_NO_OCSP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1251 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1252 int i;
1253 long extlen, idlen, itmp;
1254 OCSP_RESPID *id;
1255
1256 idlen = 0;
1257 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1258 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1259 itmp = i2d_OCSP_RESPID(id, NULL);
1260 if (itmp <= 0)
1261 return NULL;
1262 idlen += itmp + 2;
1263 }
1264
1265 if (s->tlsext_ocsp_exts) {
1266 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1267 if (extlen < 0)
1268 return NULL;
1269 } else
1270 extlen = 0;
1271
1272 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1273 return NULL;
1274 s2n(TLSEXT_TYPE_status_request, ret);
1275 if (extlen + idlen > 0xFFF0)
1276 return NULL;
1277 s2n(extlen + idlen + 5, ret);
1278 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1279 s2n(idlen, ret);
1280 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1281 /* save position of id len */
1282 unsigned char *q = ret;
1283 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1284 /* skip over id len */
1285 ret += 2;
1286 itmp = i2d_OCSP_RESPID(id, &ret);
1287 /* write id len */
1288 s2n(itmp, q);
1289 }
1290 s2n(extlen, ret);
1291 if (extlen > 0)
1292 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1293 }
Matt Caswell3e41ac32016-03-21 16:54:53 +0000[diff] [blame]1294#endif
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1295#ifndef OPENSSL_NO_HEARTBEATS
Rich Salz22e3dcb2016-01-25 13:30:37 -0500[diff] [blame]1296 if (SSL_IS_DTLS(s)) {
1297 /* Add Heartbeat extension */
1298 if ((limit - ret - 4 - 1) < 0)
1299 return NULL;
1300 s2n(TLSEXT_TYPE_heartbeat, ret);
1301 s2n(1, ret);
1302 /*-
1303 * Set mode:
1304 * 1: peer may send requests
1305 * 2: peer not allowed to send requests
1306 */
1307 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1308 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1309 else
1310 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
1311 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1312#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1313
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1314#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1315 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1316 /*
FdaSilvaYY8483a002016-03-10 21:34:48 +0100[diff] [blame]1317 * The client advertises an empty extension to indicate its support
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1318 * for Next Protocol Negotiation
1319 */
1320 if (limit - ret - 4 < 0)
1321 return NULL;
1322 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1323 s2n(0, ret);
1324 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1325#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1326
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]1327 /*
1328 * finish_md_len is non-zero during a renegotiation, so
1329 * this avoids sending ALPN during the renegotiation
1330 * (see longer comment below)
1331 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1332 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1333 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1334 return NULL;
1335 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1336 s2n(2 + s->alpn_client_proto_list_len, ret);
1337 s2n(s->alpn_client_proto_list_len, ret);
1338 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1339 ret += s->alpn_client_proto_list_len;
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]1340 s->s3->alpn_sent = 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1341 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1342#ifndef OPENSSL_NO_SRTP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1343 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1344 int el;
1345
Matt Caswell69f68232015-03-06 14:37:17 +0000[diff] [blame]1346 /* Returns 0 on success!! */
1347 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1348 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1349 return NULL;
1350 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1351
1352 if ((limit - ret - 4 - el) < 0)
1353 return NULL;
1354
1355 s2n(TLSEXT_TYPE_use_srtp, ret);
1356 s2n(el, ret);
1357
1358 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1359 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1360 return NULL;
1361 }
1362 ret += el;
1363 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1364#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1365 custom_ext_init(&s->cert->cli_ext);
1366 /* Add custom TLS Extensions to ClientHello */
1367 if (!custom_ext_add(s, 0, &ret, limit, al))
1368 return NULL;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1369 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1370 s2n(0, ret);
Rob Percivaled29e822016-03-03 16:19:23 +0000[diff] [blame]1371#ifndef OPENSSL_NO_CT
1372 if (s->ct_validation_callback != NULL) {
1373 s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret);
1374 s2n(0, ret);
1375 }
1376#endif
Dr. Stephen Hensonddc06b32015-01-23 02:45:13 +0000[diff] [blame]1377 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1378 s2n(0, ret);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1379
1380 /*
1381 * Add padding to workaround bugs in F5 terminators. See
1382 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1383 * code works out the length of all existing extensions it MUST always
1384 * appear last.
1385 */
1386 if (s->options & SSL_OP_TLSEXT_PADDING) {
1387 int hlen = ret - (unsigned char *)s->init_buf->data;
Matt Caswella3680c82015-03-31 13:57:46 +0100[diff] [blame]1388
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1389 if (hlen > 0xff && hlen < 0x200) {
1390 hlen = 0x200 - hlen;
1391 if (hlen >= 4)
1392 hlen -= 4;
1393 else
1394 hlen = 0;
1395
1396 s2n(TLSEXT_TYPE_padding, ret);
1397 s2n(hlen, ret);
1398 memset(ret, 0, hlen);
1399 ret += hlen;
1400 }
1401 }
1402
1403 done:
1404
1405 if ((extdatalen = ret - orig - 2) == 0)
1406 return orig;
1407
1408 s2n(extdatalen, orig);
1409 return ret;
1410}
1411
1412unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1413 unsigned char *limit, int *al)
1414{
1415 int extdatalen = 0;
1416 unsigned char *orig = buf;
1417 unsigned char *ret = buf;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1418#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1419 int next_proto_neg_seen;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1420#endif
1421#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1422 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1423 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
Dr. Stephen Hensonce0c1f22016-02-11 18:19:27 +0000[diff] [blame]1424 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1425 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1426#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1427
1428 ret += 2;
1429 if (ret >= limit)
1430 return NULL; /* this really never occurs, but ... */
1431
1432 if (s->s3->send_connection_binding) {
1433 int el;
1434
1435 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1436 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1437 return NULL;
1438 }
1439
1440 if ((limit - ret - 4 - el) < 0)
1441 return NULL;
1442
1443 s2n(TLSEXT_TYPE_renegotiate, ret);
1444 s2n(el, ret);
1445
1446 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1447 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1448 return NULL;
1449 }
1450
1451 ret += el;
1452 }
1453
1454 /* Only add RI for SSLv3 */
1455 if (s->version == SSL3_VERSION)
1456 goto done;
1457
1458 if (!s->hit && s->servername_done == 1
1459 && s->session->tlsext_hostname != NULL) {
1460 if ((long)(limit - ret - 4) < 0)
1461 return NULL;
1462
1463 s2n(TLSEXT_TYPE_server_name, ret);
1464 s2n(0, ret);
1465 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1466#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1467 if (using_ecc) {
1468 const unsigned char *plist;
1469 size_t plistlen;
1470 /*
1471 * Add TLS extension ECPointFormats to the ServerHello message
1472 */
1473 long lenmax;
1474
1475 tls1_get_formatlist(s, &plist, &plistlen);
1476
1477 if ((lenmax = limit - ret - 5) < 0)
1478 return NULL;
1479 if (plistlen > (size_t)lenmax)
1480 return NULL;
1481 if (plistlen > 255) {
1482 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1483 return NULL;
1484 }
1485
1486 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1487 s2n(plistlen + 1, ret);
1488 *(ret++) = (unsigned char)plistlen;
1489 memcpy(ret, plist, plistlen);
1490 ret += plistlen;
1491
1492 }
1493 /*
1494 * Currently the server should not respond with a SupportedCurves
1495 * extension
1496 */
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1497#endif /* OPENSSL_NO_EC */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1498
1499 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1500 if ((long)(limit - ret - 4) < 0)
1501 return NULL;
1502 s2n(TLSEXT_TYPE_session_ticket, ret);
1503 s2n(0, ret);
Todd Short5c753de2016-05-12 18:16:52 -0400[diff] [blame]1504 } else {
1505 /* if we don't add the above TLSEXT, we can't add a session ticket later */
1506 s->tlsext_ticket_expected = 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1507 }
1508
1509 if (s->tlsext_status_expected) {
1510 if ((long)(limit - ret - 4) < 0)
1511 return NULL;
1512 s2n(TLSEXT_TYPE_status_request, ret);
1513 s2n(0, ret);
1514 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1515
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1516#ifndef OPENSSL_NO_SRTP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1517 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1518 int el;
1519
Matt Caswell69f68232015-03-06 14:37:17 +0000[diff] [blame]1520 /* Returns 0 on success!! */
Viktor Dukhovni61986d32015-04-16 01:50:03 -0400[diff] [blame]1521 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
Matt Caswell69f68232015-03-06 14:37:17 +0000[diff] [blame]1522 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1523 return NULL;
1524 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1525 if ((limit - ret - 4 - el) < 0)
1526 return NULL;
1527
1528 s2n(TLSEXT_TYPE_use_srtp, ret);
1529 s2n(el, ret);
1530
1531 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1532 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1533 return NULL;
1534 }
1535 ret += el;
1536 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1537#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1538
1539 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1540 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1541 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1542 const unsigned char cryptopro_ext[36] = {
1543 0xfd, 0xe8, /* 65000 */
1544 0x00, 0x20, /* 32 bytes length */
1545 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1546 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1547 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1548 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1549 };
1550 if (limit - ret < 36)
1551 return NULL;
1552 memcpy(ret, cryptopro_ext, 36);
1553 ret += 36;
1554
1555 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1556#ifndef OPENSSL_NO_HEARTBEATS
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1557 /* Add Heartbeat extension if we've received one */
Rich Salz22e3dcb2016-01-25 13:30:37 -0500[diff] [blame]1558 if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1559 if ((limit - ret - 4 - 1) < 0)
1560 return NULL;
1561 s2n(TLSEXT_TYPE_heartbeat, ret);
1562 s2n(1, ret);
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]1563 /*-
1564 * Set mode:
1565 * 1: peer may send requests
1566 * 2: peer not allowed to send requests
1567 */
Rich Salz22e3dcb2016-01-25 13:30:37 -0500[diff] [blame]1568 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1569 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1570 else
Rich Salz22e3dcb2016-01-25 13:30:37 -0500[diff] [blame]1571 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1572
1573 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1574#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1575
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1576#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1577 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1578 s->s3->next_proto_neg_seen = 0;
1579 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1580 const unsigned char *npa;
1581 unsigned int npalen;
1582 int r;
1583
1584 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1585 s->
1586 ctx->next_protos_advertised_cb_arg);
1587 if (r == SSL_TLSEXT_ERR_OK) {
1588 if ((long)(limit - ret - 4 - npalen) < 0)
1589 return NULL;
1590 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1591 s2n(npalen, ret);
1592 memcpy(ret, npa, npalen);
1593 ret += npalen;
1594 s->s3->next_proto_neg_seen = 1;
1595 }
1596 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1597#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1598 if (!custom_ext_add(s, 1, &ret, limit, al))
1599 return NULL;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1600 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1601 /*
1602 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1603 * for other cases too.
1604 */
1605 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]1606 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1607 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1608 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1609 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1610 else {
1611 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1612 s2n(0, ret);
1613 }
1614 }
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]1615 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
Dr. Stephen Hensonddc06b32015-01-23 02:45:13 +0000[diff] [blame]1616 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1617 s2n(0, ret);
1618 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1619
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]1620 if (s->s3->alpn_selected != NULL) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1621 const unsigned char *selected = s->s3->alpn_selected;
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]1622 unsigned int len = s->s3->alpn_selected_len;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1623
1624 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1625 return NULL;
1626 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1627 s2n(3 + len, ret);
1628 s2n(1 + len, ret);
1629 *ret++ = len;
1630 memcpy(ret, selected, len);
1631 ret += len;
1632 }
1633
1634 done:
1635
1636 if ((extdatalen = ret - orig - 2) == 0)
1637 return orig;
1638
1639 s2n(extdatalen, orig);
1640 return ret;
1641}
1642
1643/*
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]1644 * Save the ALPN extension in a ClientHello.
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1645 * pkt: the contents of the ALPN extension, not including type and length.
1646 * al: a pointer to the alert value to send in the event of a failure.
1647 * returns: 1 on success, 0 on error.
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1648 */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1649static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1650{
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1651 PACKET protocol_list, save_protocol_list, protocol;
1652
1653 *al = SSL_AD_DECODE_ERROR;
1654
1655 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
1656 || PACKET_remaining(&protocol_list) < 2) {
1657 return 0;
1658 }
1659
1660 save_protocol_list = protocol_list;
1661 do {
1662 /* Protocol names can't be empty. */
1663 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
1664 || PACKET_remaining(&protocol) == 0) {
1665 return 0;
1666 }
1667 } while (PACKET_remaining(&protocol_list) != 0);
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1668
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]1669 if (!PACKET_memdup(&save_protocol_list,
1670 &s->s3->alpn_proposed,
1671 &s->s3->alpn_proposed_len)) {
1672 *al = TLS1_AD_INTERNAL_ERROR;
1673 return 0;
1674 }
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1675
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]1676 return 1;
1677}
1678
1679/*
1680 * Process the ALPN extension in a ClientHello.
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]1681 * al: a pointer to the alert value to send in the event of a failure.
Emilia Kasper70c22882016-07-04 20:32:28 +0200[diff] [blame^]1682 * returns 1 on success, 0 on error.
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]1683 */
Emilia Kasper70c22882016-07-04 20:32:28 +0200[diff] [blame^]1684static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]1685{
1686 const unsigned char *selected = NULL;
1687 unsigned char selected_len = 0;
1688
1689 if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
1690 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1691 s->s3->alpn_proposed,
1692 s->s3->alpn_proposed_len,
1693 s->ctx->alpn_select_cb_arg);
1694
1695 if (r == SSL_TLSEXT_ERR_OK) {
1696 OPENSSL_free(s->s3->alpn_selected);
1697 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
1698 if (s->s3->alpn_selected == NULL) {
1699 *al = SSL_AD_INTERNAL_ERROR;
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]1700 return 0;
1701 }
1702 s->s3->alpn_selected_len = selected_len;
Todd Short0351baa2016-03-12 09:14:05 -0500[diff] [blame]1703#ifndef OPENSSL_NO_NEXTPROTONEG
1704 /* ALPN takes precedence over NPN. */
1705 s->s3->next_proto_neg_seen = 0;
1706#endif
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]1707 } else {
1708 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1709 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1710 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1711 }
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1712
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1713 return 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1714}
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1715
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1716#ifndef OPENSSL_NO_EC
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]1717/*-
1718 * ssl_check_for_safari attempts to fingerprint Safari using OS X
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1719 * SecureTransport using the TLS extension block in |pkt|.
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1720 * Safari, since 10.6, sends exactly these extensions, in this order:
1721 * SNI,
1722 * elliptic_curves
1723 * ec_point_formats
1724 *
1725 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1726 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1727 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1728 * 10.8..10.8.3 (which don't work).
1729 */
Matt Caswell68a16622015-10-07 15:20:47 +0100[diff] [blame]1730static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1731{
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1732 unsigned int type;
1733 PACKET sni, tmppkt;
1734 size_t ext_len;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1735
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1736 static const unsigned char kSafariExtensionsBlock[] = {
1737 0x00, 0x0a, /* elliptic_curves extension */
1738 0x00, 0x08, /* 8 bytes */
1739 0x00, 0x06, /* 6 bytes of curve ids */
1740 0x00, 0x17, /* P-256 */
1741 0x00, 0x18, /* P-384 */
1742 0x00, 0x19, /* P-521 */
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1743
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1744 0x00, 0x0b, /* ec_point_formats */
1745 0x00, 0x02, /* 2 bytes */
1746 0x01, /* 1 point format */
1747 0x00, /* uncompressed */
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1748 /* The following is only present in TLS 1.2 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1749 0x00, 0x0d, /* signature_algorithms */
1750 0x00, 0x0c, /* 12 bytes */
1751 0x00, 0x0a, /* 10 bytes */
1752 0x05, 0x01, /* SHA-384/RSA */
1753 0x04, 0x01, /* SHA-256/RSA */
1754 0x02, 0x01, /* SHA-1/RSA */
1755 0x04, 0x03, /* SHA-256/ECDSA */
1756 0x02, 0x03, /* SHA-1/ECDSA */
1757 };
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1758
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1759 /* Length of the common prefix (first two extensions). */
1760 static const size_t kSafariCommonExtensionsLength = 18;
1761
Matt Caswell68a16622015-10-07 15:20:47 +0100[diff] [blame]1762 tmppkt = *pkt;
1763
1764 if (!PACKET_forward(&tmppkt, 2)
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1765 || !PACKET_get_net_2(&tmppkt, &type)
1766 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1767 return;
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1768 }
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1769
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1770 if (type != TLSEXT_TYPE_server_name)
1771 return;
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1772
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1773 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1774 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1775
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1776 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1777 ext_len);
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1778}
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1779#endif /* !OPENSSL_NO_EC */
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1780
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1781/*
1782 * Parse ClientHello extensions and stash extension info in various parts of
1783 * the SSL object. Verify that there are no duplicate extensions.
1784 *
1785 * Behaviour upon resumption is extension-specific. If the extension has no
1786 * effect during resumption, it is parsed (to verify its format) but otherwise
1787 * ignored.
1788 *
1789 * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure.
1790 * Upon failure, sets |al| to the appropriate alert.
1791 */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1792static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1793{
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1794 unsigned int type;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1795 int renegotiate_seen = 0;
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1796 PACKET extensions;
Dr. Stephen Hensonecf4d662014-08-10 12:08:08 +0100[diff] [blame]1797
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1798 *al = SSL_AD_DECODE_ERROR;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1799 s->servername_done = 0;
1800 s->tlsext_status_type = -1;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1801#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1802 s->s3->next_proto_neg_seen = 0;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1803#endif
Dr. Stephen Henson860c3dd2009-11-11 14:51:19 +0000[diff] [blame]1804
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]1805 OPENSSL_free(s->s3->alpn_selected);
1806 s->s3->alpn_selected = NULL;
Todd Short0351baa2016-03-12 09:14:05 -0500[diff] [blame]1807 s->s3->alpn_selected_len = 0;
1808 OPENSSL_free(s->s3->alpn_proposed);
1809 s->s3->alpn_proposed = NULL;
1810 s->s3->alpn_proposed_len = 0;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1811#ifndef OPENSSL_NO_HEARTBEATS
Rich Salz22e3dcb2016-01-25 13:30:37 -0500[diff] [blame]1812 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
1813 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1814#endif
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]1815
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1816#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1817 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1818 ssl_check_for_safari(s, pkt);
1819# endif /* !OPENSSL_NO_EC */
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1820
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1821 /* Clear any signature algorithms extension received */
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]1822 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1823 s->s3->tmp.peer_sigalgs = NULL;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1824 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1825
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1826#ifndef OPENSSL_NO_SRP
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]1827 OPENSSL_free(s->srp_ctx.login);
1828 s->srp_ctx.login = NULL;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1829#endif
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1830
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1831 s->srtp_profile = NULL;
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]1832
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1833 if (PACKET_remaining(pkt) == 0)
Adam Langley1ae3fdb2015-06-12 08:05:49 +0100[diff] [blame]1834 goto ri_check;
1835
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1836 if (!PACKET_as_length_prefixed_2(pkt, &extensions))
1837 return 0;
Adam Langley1ae3fdb2015-06-12 08:05:49 +0100[diff] [blame]1838
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1839 if (!tls1_check_duplicate_extensions(&extensions))
1840 return 0;
Alessandro Ghedini52a48f92015-10-02 13:43:29 +0200[diff] [blame]1841
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1842 /*
1843 * We parse all extensions to ensure the ClientHello is well-formed but,
1844 * unless an extension specifies otherwise, we ignore extensions upon
1845 * resumption.
1846 */
1847 while (PACKET_get_net_2(&extensions, &type)) {
1848 PACKET extension;
1849 if (!PACKET_get_length_prefixed_2(&extensions, &extension))
1850 return 0;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1851
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1852 if (s->tlsext_debug_cb)
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1853 s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
1854 PACKET_remaining(&extension),
1855 s->tlsext_debug_arg);
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1856
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1857 if (type == TLSEXT_TYPE_renegotiate) {
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1858 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1859 return 0;
1860 renegotiate_seen = 1;
1861 } else if (s->version == SSL3_VERSION) {
1862 }
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]1863/*-
1864 * The servername extension is treated as follows:
1865 *
1866 * - Only the hostname type is supported with a maximum length of 255.
1867 * - The servername is rejected if too long or if it contains zeros,
1868 * in which case an fatal alert is generated.
1869 * - The servername field is maintained together with the session cache.
1870 * - When a session is resumed, the servername call back invoked in order
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1871 * to allow the application to position itself to the right context.
1872 * - The servername is acknowledged if it is new for a session or when
1873 * it is identical to a previously used for the same session.
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]1874 * Applications can control the behaviour. They can at any time
1875 * set a 'desirable' servername for a new SSL object. This can be the
1876 * case for example with HTTPS when a Host: header field is received and
1877 * a renegotiation is requested. In this case, a possible servername
1878 * presented in the new client hello is only acknowledged if it matches
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1879 * the value of the Host: field.
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]1880 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1881 * if they provide for changing an explicit servername context for the
1882 * session, i.e. when the session has been established with a servername
1883 * extension.
1884 * - On session reconnect, the servername extension may be absent.
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]1885 *
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1886 */
Bodo Möllera13c20f2006-01-09 19:49:05 +0000[diff] [blame]1887
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1888 else if (type == TLSEXT_TYPE_server_name) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1889 unsigned int servname_type;
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1890 PACKET sni, hostname;
Bodo Möllera70183b2006-03-30 02:53:30 +0000[diff] [blame]1891
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1892 if (!PACKET_as_length_prefixed_2(&extension, &sni)
1893 /* ServerNameList must be at least 1 byte long. */
1894 || PACKET_remaining(&sni) == 0) {
1895 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1896 }
Bodo Möller33273722006-03-30 02:44:56 +0000[diff] [blame]1897
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1898 /*
1899 * Although the server_name extension was intended to be
1900 * extensible to new name types, RFC 4366 defined the
FdaSilvaYY8483a002016-03-10 21:34:48 +0100[diff] [blame]1901 * syntax inextensibility and OpenSSL 1.0.x parses it as
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1902 * such.
1903 * RFC 6066 corrected the mistake but adding new name types
1904 * is nevertheless no longer feasible, so act as if no other
1905 * SNI types can exist, to simplify parsing.
1906 *
1907 * Also note that the RFC permits only one SNI value per type,
1908 * i.e., we can only have a single hostname.
1909 */
1910 if (!PACKET_get_1(&sni, &servname_type)
1911 || servname_type != TLSEXT_NAMETYPE_host_name
1912 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
1913 return 0;
1914 }
1915
1916 if (!s->hit) {
1917 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
1918 *al = TLS1_AD_UNRECOGNIZED_NAME;
1919 return 0;
1920 }
1921
1922 if (PACKET_contains_zero_byte(&hostname)) {
1923 *al = TLS1_AD_UNRECOGNIZED_NAME;
1924 return 0;
1925 }
1926
1927 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
1928 *al = TLS1_AD_INTERNAL_ERROR;
1929 return 0;
1930 }
1931
1932 s->servername_done = 1;
1933 } else {
1934 /*
1935 * TODO(openssl-team): if the SNI doesn't match, we MUST
1936 * fall back to a full handshake.
1937 */
1938 s->servername_done = s->session->tlsext_hostname
1939 && PACKET_equal(&hostname, s->session->tlsext_hostname,
1940 strlen(s->session->tlsext_hostname));
1941 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1942 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1943#ifndef OPENSSL_NO_SRP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1944 else if (type == TLSEXT_TYPE_srp) {
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1945 PACKET srp_I;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1946
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1947 if (!PACKET_as_length_prefixed_1(&extension, &srp_I))
1948 return 0;
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]1949
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1950 if (PACKET_contains_zero_byte(&srp_I))
1951 return 0;
1952
1953 /*
1954 * TODO(openssl-team): currently, we re-authenticate the user
1955 * upon resumption. Instead, we MUST ignore the login.
1956 */
1957 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
1958 *al = TLS1_AD_INTERNAL_ERROR;
1959 return 0;
1960 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1961 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1962#endif
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]1963
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1964#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1965 else if (type == TLSEXT_TYPE_ec_point_formats) {
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1966 PACKET ec_point_format_list;
Dr. Stephen Henson67c8e7f2007-09-26 21:56:59 +0000[diff] [blame]1967
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1968 if (!PACKET_as_length_prefixed_1(&extension,
1969 &ec_point_format_list)
1970 || PACKET_remaining(&ec_point_format_list) == 0) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1971 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1972 }
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]1973
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1974 if (!s->hit) {
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1975 if (!PACKET_memdup(&ec_point_format_list,
1976 &s->session->tlsext_ecpointformatlist,
1977 &s->session->tlsext_ecpointformatlist_length)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1978 *al = TLS1_AD_INTERNAL_ERROR;
1979 return 0;
1980 }
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1981 }
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]1982 } else if (type == TLSEXT_TYPE_elliptic_curves) {
1983 PACKET elliptic_curve_list;
1984
1985 /* Each NamedCurve is 2 bytes and we must have at least 1. */
1986 if (!PACKET_as_length_prefixed_2(&extension,
1987 &elliptic_curve_list)
1988 || PACKET_remaining(&elliptic_curve_list) == 0
1989 || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
1990 return 0;
1991 }
1992
1993 if (!s->hit) {
1994 if (!PACKET_memdup(&elliptic_curve_list,
1995 &s->session->tlsext_ellipticcurvelist,
1996 &s->session->tlsext_ellipticcurvelist_length)) {
1997 *al = TLS1_AD_INTERNAL_ERROR;
1998 return 0;
1999 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2000 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2001 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2002#endif /* OPENSSL_NO_EC */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2003 else if (type == TLSEXT_TYPE_session_ticket) {
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2004 if (s->tls_session_ticket_ext_cb &&
2005 !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
2006 PACKET_remaining(&extension),
2007 s->tls_session_ticket_ext_cb_arg)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2008 *al = TLS1_AD_INTERNAL_ERROR;
2009 return 0;
2010 }
2011 } else if (type == TLSEXT_TYPE_signature_algorithms) {
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2012 PACKET supported_sig_algs;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2013
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2014 if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs)
2015 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
2016 || PACKET_remaining(&supported_sig_algs) == 0) {
2017 return 0;
2018 }
2019
2020 if (!s->hit) {
2021 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
2022 PACKET_remaining(&supported_sig_algs))) {
2023 return 0;
2024 }
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2025 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2026 } else if (type == TLSEXT_TYPE_status_request) {
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2027 if (!PACKET_get_1(&extension,
2028 (unsigned int *)&s->tlsext_status_type)) {
2029 return 0;
2030 }
Ben Lauriea9e1c502012-05-30 10:10:58 +0000[diff] [blame]2031
Matt Caswell3e41ac32016-03-21 16:54:53 +0000[diff] [blame]2032#ifndef OPENSSL_NO_OCSP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2033 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
Matt Caswell3e41ac32016-03-21 16:54:53 +0000[diff] [blame]2034 const unsigned char *ext_data;
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2035 PACKET responder_id_list, exts;
2036 if (!PACKET_get_length_prefixed_2(&extension, &responder_id_list))
2037 return 0;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2038
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2039 while (PACKET_remaining(&responder_id_list) > 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2040 OCSP_RESPID *id;
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2041 PACKET responder_id;
2042 const unsigned char *id_data;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2043
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2044 if (!PACKET_get_length_prefixed_2(&responder_id_list,
2045 &responder_id)
2046 || PACKET_remaining(&responder_id) == 0) {
2047 return 0;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2048 }
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2049
2050 if (s->tlsext_ocsp_ids == NULL
2051 && (s->tlsext_ocsp_ids =
2052 sk_OCSP_RESPID_new_null()) == NULL) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2053 *al = SSL_AD_INTERNAL_ERROR;
2054 return 0;
2055 }
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2056
2057 id_data = PACKET_data(&responder_id);
2058 id = d2i_OCSP_RESPID(NULL, &id_data,
2059 PACKET_remaining(&responder_id));
2060 if (id == NULL)
2061 return 0;
2062
2063 if (id_data != PACKET_end(&responder_id)) {
2064 OCSP_RESPID_free(id);
2065 return 0;
2066 }
2067
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2068 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2069 OCSP_RESPID_free(id);
2070 *al = SSL_AD_INTERNAL_ERROR;
2071 return 0;
2072 }
2073 }
Dr. Stephen Hensonc27c9cb2009-12-14 13:56:04 +0000[diff] [blame]2074
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2075 /* Read in request_extensions */
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2076 if (!PACKET_as_length_prefixed_2(&extension, &exts))
2077 return 0;
2078
2079 if (PACKET_remaining(&exts) > 0) {
2080 ext_data = PACKET_data(&exts);
Rich Salz222561f2015-04-30 17:33:59 -0400[diff] [blame]2081 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2082 X509_EXTENSION_free);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2083 s->tlsext_ocsp_exts =
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2084 d2i_X509_EXTENSIONS(NULL, &ext_data,
2085 PACKET_remaining(&exts));
2086 if (s->tlsext_ocsp_exts == NULL
2087 || ext_data != PACKET_end(&exts)) {
2088 return 0;
2089 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2090 }
Matt Caswell3e41ac32016-03-21 16:54:53 +0000[diff] [blame]2091 } else
2092#endif
2093 {
2094 /*
2095 * We don't know what to do with any other type so ignore it.
2096 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2097 s->tlsext_status_type = -1;
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2098 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2099 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2100#ifndef OPENSSL_NO_HEARTBEATS
Rich Salz22e3dcb2016-01-25 13:30:37 -0500[diff] [blame]2101 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2102 unsigned int hbtype;
2103
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2104 if (!PACKET_get_1(&extension, &hbtype)
2105 || PACKET_remaining(&extension)) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2106 *al = SSL_AD_DECODE_ERROR;
2107 return 0;
2108 }
2109 switch (hbtype) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2110 case 0x01: /* Client allows us to send HB requests */
Rich Salz22e3dcb2016-01-25 13:30:37 -0500[diff] [blame]2111 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2112 break;
2113 case 0x02: /* Client doesn't accept HB requests */
Rich Salz22e3dcb2016-01-25 13:30:37 -0500[diff] [blame]2114 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2115 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2116 break;
2117 default:
2118 *al = SSL_AD_ILLEGAL_PARAMETER;
2119 return 0;
2120 }
2121 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2122#endif
2123#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2124 else if (type == TLSEXT_TYPE_next_proto_neg &&
Todd Short0351baa2016-03-12 09:14:05 -0500[diff] [blame]2125 s->s3->tmp.finish_md_len == 0) {
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]2126 /*-
2127 * We shouldn't accept this extension on a
2128 * renegotiation.
2129 *
2130 * s->new_session will be set on renegotiation, but we
2131 * probably shouldn't rely that it couldn't be set on
FdaSilvaYY8483a002016-03-10 21:34:48 +0100[diff] [blame]2132 * the initial renegotiation too in certain cases (when
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]2133 * there's some other reason to disallow resuming an
2134 * earlier session -- the current code won't be doing
2135 * anything like that, but this might change).
2136 *
2137 * A valid sign that there's been a previous handshake
2138 * in this connection is if s->s3->tmp.finish_md_len >
2139 * 0. (We are talking about a check that will happen
2140 * in the Hello protocol round, well before a new
2141 * Finished message could have been computed.)
2142 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2143 s->s3->next_proto_neg_seen = 1;
2144 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2145#endif
Dr. Stephen Hensonc27c9cb2009-12-14 13:56:04 +0000[diff] [blame]2146
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2147 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2148 s->s3->tmp.finish_md_len == 0) {
2149 if (!tls1_alpn_handle_client_hello(s, &extension, al))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2150 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2151 }
Dr. Stephen Hensonc27c9cb2009-12-14 13:56:04 +0000[diff] [blame]2152
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2153 /* session ticket processed earlier */
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2154#ifndef OPENSSL_NO_SRTP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2155 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2156 && type == TLSEXT_TYPE_use_srtp) {
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2157 if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2158 return 0;
2159 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2160#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2161 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2162 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2163 /*
2164 * Note: extended master secret extension handled in
2165 * tls_check_serverhello_tlsext_early()
2166 */
2167
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2168 /*
2169 * If this ClientHello extension was unhandled and this is a
2170 * nonresumed connection, check whether the extension is a custom
2171 * TLS Extension (has a custom_srv_ext_record), and if so call the
2172 * callback and record the extension number so that an appropriate
2173 * ServerHello may be later returned.
2174 */
2175 else if (!s->hit) {
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2176 if (custom_ext_parse(s, 1, type, PACKET_data(&extension),
2177 PACKET_remaining(&extension), al) <= 0)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2178 return 0;
2179 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2180 }
Dr. Stephen Hensonb2284ed2012-04-06 11:18:40 +0000[diff] [blame]2181
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2182 if (PACKET_remaining(pkt) != 0) {
2183 /* tls1_check_duplicate_extensions should ensure this never happens. */
2184 *al = SSL_AD_INTERNAL_ERROR;
2185 return 0;
2186 }
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2187
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2188 ri_check:
2189
2190 /* Need RI if renegotiating */
2191
2192 if (!renegotiate_seen && s->renegotiate &&
2193 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2194 *al = SSL_AD_HANDSHAKE_FAILURE;
2195 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2196 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2197 return 0;
2198 }
2199
Emilia Kasper06217862015-09-22 15:20:26 +0200[diff] [blame]2200 /*
2201 * This function currently has no state to clean up, so it returns directly.
2202 * If parsing fails at any point, the function returns early.
2203 * The SSL object may be left with partial data from extensions, but it must
2204 * then no longer be used, and clearing it up will free the leftovers.
2205 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2206 return 1;
Dr. Stephen Hensonb2284ed2012-04-06 11:18:40 +0000[diff] [blame]2207}
2208
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2209int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2210{
2211 int al = -1;
2212 custom_ext_init(&s->cert->srv_ext);
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2213 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2214 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2215 return 0;
2216 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2217 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2218 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2219 return 0;
2220 }
2221 return 1;
2222}
2223
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2224#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2225/*
2226 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2227 * elements of zero length are allowed and the set of elements must exactly
2228 * fill the length of the block.
2229 */
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2230static char ssl_next_proto_validate(PACKET *pkt)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2231{
Kazuki Yamaguchib04f9472015-12-13 00:51:06 +0900[diff] [blame]2232 PACKET tmp_protocol;
Ben Laurieee2ffc22010-07-28 10:06:55 +0000[diff] [blame]2233
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2234 while (PACKET_remaining(pkt)) {
Kazuki Yamaguchib04f9472015-12-13 00:51:06 +0900[diff] [blame]2235 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
2236 || PACKET_remaining(&tmp_protocol) == 0)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2237 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2238 }
Ben Laurieee2ffc22010-07-28 10:06:55 +0000[diff] [blame]2239
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2240 return 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2241}
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2242#endif
Ben Laurieee2ffc22010-07-28 10:06:55 +0000[diff] [blame]2243
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2244static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2245{
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2246 unsigned int length, type, size;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2247 int tlsext_servername = 0;
2248 int renegotiate_seen = 0;
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2249
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2250#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2251 s->s3->next_proto_neg_seen = 0;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2252#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2253 s->tlsext_ticket_expected = 0;
Bodo Möller6f31dd72011-11-24 21:07:01 +0000[diff] [blame]2254
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]2255 OPENSSL_free(s->s3->alpn_selected);
2256 s->s3->alpn_selected = NULL;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2257#ifndef OPENSSL_NO_HEARTBEATS
Rich Salz22e3dcb2016-01-25 13:30:37 -0500[diff] [blame]2258 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
2259 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2260#endif
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]2261
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2262 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]2263
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2264 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2265
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2266 if (!PACKET_get_net_2(pkt, &length))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2267 goto ri_check;
Dr. Stephen Henson5e3ff622013-03-22 17:12:33 +0000[diff] [blame]2268
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2269 if (PACKET_remaining(pkt) != length) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2270 *al = SSL_AD_DECODE_ERROR;
2271 return 0;
2272 }
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2273
Emilia Kasperaa474d12016-02-19 17:24:44 +0100[diff] [blame]2274 if (!tls1_check_duplicate_extensions(pkt)) {
2275 *al = SSL_AD_DECODE_ERROR;
2276 return 0;
2277 }
2278
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2279 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
Emilia Kasperb6981742016-02-01 15:26:18 +0100[diff] [blame]2280 const unsigned char *data;
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2281 PACKET spkt;
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2282
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2283 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2284 || !PACKET_peek_bytes(&spkt, &data, size))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2285 goto ri_check;
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2286
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2287 if (s->tlsext_debug_cb)
2288 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2289
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2290 if (type == TLSEXT_TYPE_renegotiate) {
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2291 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2292 return 0;
2293 renegotiate_seen = 1;
2294 } else if (s->version == SSL3_VERSION) {
2295 } else if (type == TLSEXT_TYPE_server_name) {
2296 if (s->tlsext_hostname == NULL || size > 0) {
2297 *al = TLS1_AD_UNRECOGNIZED_NAME;
2298 return 0;
2299 }
2300 tlsext_servername = 1;
2301 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2302#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2303 else if (type == TLSEXT_TYPE_ec_point_formats) {
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2304 unsigned int ecpointformatlist_length;
2305 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2306 || ecpointformatlist_length != size - 1) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2307 *al = TLS1_AD_DECODE_ERROR;
2308 return 0;
2309 }
2310 if (!s->hit) {
2311 s->session->tlsext_ecpointformatlist_length = 0;
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]2312 OPENSSL_free(s->session->tlsext_ecpointformatlist);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2313 if ((s->session->tlsext_ecpointformatlist =
2314 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2315 *al = TLS1_AD_INTERNAL_ERROR;
2316 return 0;
2317 }
2318 s->session->tlsext_ecpointformatlist_length =
2319 ecpointformatlist_length;
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2320 if (!PACKET_copy_bytes(&spkt,
2321 s->session->tlsext_ecpointformatlist,
2322 ecpointformatlist_length)) {
2323 *al = TLS1_AD_DECODE_ERROR;
2324 return 0;
2325 }
2326
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2327 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2328 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2329#endif /* OPENSSL_NO_EC */
Dr. Stephen Henson5a3d8ee2014-11-03 17:47:11 +0000[diff] [blame]2330
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2331 else if (type == TLSEXT_TYPE_session_ticket) {
2332 if (s->tls_session_ticket_ext_cb &&
2333 !s->tls_session_ticket_ext_cb(s, data, size,
2334 s->tls_session_ticket_ext_cb_arg))
2335 {
2336 *al = TLS1_AD_INTERNAL_ERROR;
2337 return 0;
2338 }
2339 if (!tls_use_ticket(s) || (size > 0)) {
2340 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2341 return 0;
2342 }
2343 s->tlsext_ticket_expected = 1;
2344 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2345 else if (type == TLSEXT_TYPE_status_request) {
2346 /*
2347 * MUST be empty and only sent if we've requested a status
2348 * request message.
2349 */
2350 if ((s->tlsext_status_type == -1) || (size > 0)) {
2351 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2352 return 0;
2353 }
2354 /* Set flag to expect CertificateStatus message */
2355 s->tlsext_status_expected = 1;
2356 }
Rob Percivaled29e822016-03-03 16:19:23 +0000[diff] [blame]2357#ifndef OPENSSL_NO_CT
2358 /*
2359 * Only take it if we asked for it - i.e if there is no CT validation
2360 * callback set, then a custom extension MAY be processing it, so we
2361 * need to let control continue to flow to that.
2362 */
2363 else if (type == TLSEXT_TYPE_signed_certificate_timestamp &&
2364 s->ct_validation_callback != NULL) {
2365 /* Simply copy it off for later processing */
2366 if (s->tlsext_scts != NULL) {
2367 OPENSSL_free(s->tlsext_scts);
2368 s->tlsext_scts = NULL;
2369 }
2370 s->tlsext_scts_len = size;
2371 if (size > 0) {
2372 s->tlsext_scts = OPENSSL_malloc(size);
2373 if (s->tlsext_scts == NULL) {
2374 *al = TLS1_AD_INTERNAL_ERROR;
2375 return 0;
2376 }
2377 memcpy(s->tlsext_scts, data, size);
2378 }
2379 }
2380#endif
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2381#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2382 else if (type == TLSEXT_TYPE_next_proto_neg &&
2383 s->s3->tmp.finish_md_len == 0) {
2384 unsigned char *selected;
2385 unsigned char selected_len;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2386 /* We must have requested it. */
2387 if (s->ctx->next_proto_select_cb == NULL) {
2388 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2389 return 0;
2390 }
2391 /* The data must be valid */
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2392 if (!ssl_next_proto_validate(&spkt)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2393 *al = TLS1_AD_DECODE_ERROR;
2394 return 0;
2395 }
2396 if (s->
2397 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2398 size,
2399 s->ctx->next_proto_select_cb_arg) !=
2400 SSL_TLSEXT_ERR_OK) {
2401 *al = TLS1_AD_INTERNAL_ERROR;
2402 return 0;
2403 }
2404 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]2405 if (s->next_proto_negotiated == NULL) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2406 *al = TLS1_AD_INTERNAL_ERROR;
2407 return 0;
2408 }
2409 memcpy(s->next_proto_negotiated, selected, selected_len);
2410 s->next_proto_negotiated_len = selected_len;
2411 s->s3->next_proto_neg_seen = 1;
2412 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2413#endif
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]2414
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2415 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2416 unsigned len;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2417 /* We must have requested it. */
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]2418 if (!s->s3->alpn_sent) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2419 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2420 return 0;
2421 }
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]2422 /*-
2423 * The extension data consists of:
2424 * uint16 list_length
2425 * uint8 proto_length;
2426 * uint8 proto[proto_length];
2427 */
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2428 if (!PACKET_get_net_2(&spkt, &len)
2429 || PACKET_remaining(&spkt) != len
2430 || !PACKET_get_1(&spkt, &len)
2431 || PACKET_remaining(&spkt) != len) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2432 *al = TLS1_AD_DECODE_ERROR;
2433 return 0;
2434 }
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]2435 OPENSSL_free(s->s3->alpn_selected);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2436 s->s3->alpn_selected = OPENSSL_malloc(len);
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]2437 if (s->s3->alpn_selected == NULL) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2438 *al = TLS1_AD_INTERNAL_ERROR;
2439 return 0;
2440 }
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2441 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2442 *al = TLS1_AD_DECODE_ERROR;
2443 return 0;
2444 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2445 s->s3->alpn_selected_len = len;
2446 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2447#ifndef OPENSSL_NO_HEARTBEATS
Rich Salz22e3dcb2016-01-25 13:30:37 -0500[diff] [blame]2448 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2449 unsigned int hbtype;
2450 if (!PACKET_get_1(&spkt, &hbtype)) {
2451 *al = SSL_AD_DECODE_ERROR;
2452 return 0;
2453 }
2454 switch (hbtype) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2455 case 0x01: /* Server allows us to send HB requests */
Rich Salz22e3dcb2016-01-25 13:30:37 -0500[diff] [blame]2456 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2457 break;
2458 case 0x02: /* Server doesn't accept HB requests */
Rich Salz22e3dcb2016-01-25 13:30:37 -0500[diff] [blame]2459 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2460 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2461 break;
2462 default:
2463 *al = SSL_AD_ILLEGAL_PARAMETER;
2464 return 0;
2465 }
2466 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2467#endif
2468#ifndef OPENSSL_NO_SRTP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2469 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2470 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2471 return 0;
2472 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2473#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2474 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2475 /* Ignore if inappropriate ciphersuite */
2476 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2477 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2478 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2479 }
Dr. Stephen Hensonddc06b32015-01-23 02:45:13 +0000[diff] [blame]2480 else if (type == TLSEXT_TYPE_extended_master_secret) {
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2481 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
Dr. Stephen Hensonddc06b32015-01-23 02:45:13 +0000[diff] [blame]2482 if (!s->hit)
2483 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2484 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2485 /*
2486 * If this extension type was not otherwise handled, but matches a
2487 * custom_cli_ext_record, then send it to the c callback
2488 */
2489 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2490 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2491 }
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]2492
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2493 if (PACKET_remaining(pkt) != 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2494 *al = SSL_AD_DECODE_ERROR;
2495 return 0;
2496 }
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2497
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2498 if (!s->hit && tlsext_servername == 1) {
2499 if (s->tlsext_hostname) {
2500 if (s->session->tlsext_hostname == NULL) {
Rich Salz7644a9a2015-12-16 16:12:24 -0500[diff] [blame]2501 s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2502 if (!s->session->tlsext_hostname) {
2503 *al = SSL_AD_UNRECOGNIZED_NAME;
2504 return 0;
2505 }
2506 } else {
2507 *al = SSL_AD_DECODE_ERROR;
2508 return 0;
2509 }
2510 }
2511 }
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2512
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2513 ri_check:
Dr. Stephen Hensonc27c9cb2009-12-14 13:56:04 +0000[diff] [blame]2514
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2515 /*
2516 * Determine if we need to see RI. Strictly speaking if we want to avoid
2517 * an attack we should *always* see RI even on initial server hello
2518 * because the client doesn't see any renegotiation during an attack.
2519 * However this would mean we could not connect to any server which
Matt Caswelle7653f32016-06-14 10:41:00 +0100[diff] [blame]2520 * doesn't support RI so for the immediate future tolerate RI absence
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2521 */
2522 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2523 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2524 *al = SSL_AD_HANDSHAKE_FAILURE;
2525 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2526 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2527 return 0;
2528 }
Dr. Stephen Hensonc27c9cb2009-12-14 13:56:04 +0000[diff] [blame]2529
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2530 if (s->hit) {
2531 /*
2532 * Check extended master secret extension is consistent with
2533 * original session.
2534 */
2535 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2536 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2537 *al = SSL_AD_HANDSHAKE_FAILURE;
2538 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2539 return 0;
2540 }
2541 }
2542
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2543 return 1;
2544}
Bodo Möllerb2172f42006-04-03 11:56:30 +0000[diff] [blame]2545
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2546int ssl_prepare_clienthello_tlsext(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2547{
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]2548 s->s3->alpn_sent = 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2549 return 1;
2550}
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2551
2552int ssl_prepare_serverhello_tlsext(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2553{
2554 return 1;
2555}
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2556
Ben Laurie2daceb02012-09-11 12:57:46 +0000[diff] [blame]2557static int ssl_check_clienthello_tlsext_early(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2558{
2559 int ret = SSL_TLSEXT_ERR_NOACK;
2560 int al = SSL_AD_UNRECOGNIZED_NAME;
Bodo Möller241520e2006-01-11 06:10:40 +0000[diff] [blame]2561
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2562#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2563 /*
2564 * The handling of the ECPointFormats extension is done elsewhere, namely
2565 * in ssl3_choose_cipher in s3_lib.c.
2566 */
2567 /*
2568 * The handling of the EllipticCurves extension is done elsewhere, namely
2569 * in ssl3_choose_cipher in s3_lib.c.
2570 */
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2571#endif
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2572
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2573 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2574 ret =
2575 s->ctx->tlsext_servername_callback(s, &al,
2576 s->ctx->tlsext_servername_arg);
2577 else if (s->initial_ctx != NULL
2578 && s->initial_ctx->tlsext_servername_callback != 0)
2579 ret =
2580 s->initial_ctx->tlsext_servername_callback(s, &al,
2581 s->
2582 initial_ctx->tlsext_servername_arg);
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2583
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2584 switch (ret) {
2585 case SSL_TLSEXT_ERR_ALERT_FATAL:
2586 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2587 return -1;
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2588
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2589 case SSL_TLSEXT_ERR_ALERT_WARNING:
2590 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2591 return 1;
2592
2593 case SSL_TLSEXT_ERR_NOACK:
2594 s->servername_done = 0;
2595 default:
2596 return 1;
2597 }
2598}
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2599/* Initialise digests to default values */
Dr. Stephen Hensona0f63822015-11-24 00:08:35 +0000[diff] [blame]2600void ssl_set_default_md(SSL *s)
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2601{
2602 const EVP_MD **pmd = s->s3->tmp.md;
2603#ifndef OPENSSL_NO_DSA
Dr. Stephen Henson152fbc22015-11-29 16:27:08 +0000[diff] [blame]2604 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2605#endif
2606#ifndef OPENSSL_NO_RSA
Dr. Stephen Hensond18d31a2015-08-29 22:11:05 +0100[diff] [blame]2607 if (SSL_USE_SIGALGS(s))
Dr. Stephen Henson152fbc22015-11-29 16:27:08 +0000[diff] [blame]2608 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
Dr. Stephen Hensond18d31a2015-08-29 22:11:05 +0100[diff] [blame]2609 else
Dr. Stephen Henson152fbc22015-11-29 16:27:08 +0000[diff] [blame]2610 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
Dr. Stephen Hensond18d31a2015-08-29 22:11:05 +0100[diff] [blame]2611 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2612#endif
2613#ifndef OPENSSL_NO_EC
Dr. Stephen Henson152fbc22015-11-29 16:27:08 +0000[diff] [blame]2614 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2615#endif
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]2616#ifndef OPENSSL_NO_GOST
Dr. Stephen Henson152fbc22015-11-29 16:27:08 +0000[diff] [blame]2617 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2618 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2619 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]2620#endif
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2621}
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2622
Dr. Stephen Hensone469af82014-11-17 16:52:59 +0000[diff] [blame]2623int tls1_set_server_sigalgs(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2624{
2625 int al;
2626 size_t i;
FdaSilvaYY8483a002016-03-10 21:34:48 +0100[diff] [blame]2627
2628 /* Clear any shared signature algorithms */
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]2629 OPENSSL_free(s->cert->shared_sigalgs);
2630 s->cert->shared_sigalgs = NULL;
2631 s->cert->shared_sigalgslen = 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2632 /* Clear certificate digests and validity flags */
2633 for (i = 0; i < SSL_PKEY_NUM; i++) {
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2634 s->s3->tmp.md[i] = NULL;
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]2635 s->s3->tmp.valid_flags[i] = 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2636 }
Dr. Stephen Hensone469af82014-11-17 16:52:59 +0000[diff] [blame]2637
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2638 /* If sigalgs received process it. */
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]2639 if (s->s3->tmp.peer_sigalgs) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2640 if (!tls1_process_sigalgs(s)) {
2641 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2642 al = SSL_AD_INTERNAL_ERROR;
2643 goto err;
2644 }
2645 /* Fatal error is no shared signature algorithms */
2646 if (!s->cert->shared_sigalgs) {
2647 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
FdaSilvaYYf430ba32016-06-19 19:39:01 +0200[diff] [blame]2648 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2649 al = SSL_AD_ILLEGAL_PARAMETER;
2650 goto err;
2651 }
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2652 } else {
2653 ssl_set_default_md(s);
2654 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2655 return 1;
2656 err:
2657 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2658 return 0;
2659}
Dr. Stephen Hensone469af82014-11-17 16:52:59 +0000[diff] [blame]2660
Emilia Kasper70c22882016-07-04 20:32:28 +0200[diff] [blame^]2661/*
2662 * Upon success, returns 1.
2663 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
2664 */
2665int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2666{
Emilia Kasper70c22882016-07-04 20:32:28 +0200[diff] [blame^]2667 s->tlsext_status_expected = 0;
Ben Laurie2daceb02012-09-11 12:57:46 +0000[diff] [blame]2668
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2669 /*
2670 * If status request then ask callback what to do. Note: this must be
2671 * called after servername callbacks in case the certificate has changed,
2672 * and must be called after the cipher has been chosen because this may
2673 * influence which certificate is sent
2674 */
2675 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
Emilia Kasper70c22882016-07-04 20:32:28 +0200[diff] [blame^]2676 int ret;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2677 CERT_PKEY *certpkey;
2678 certpkey = ssl_get_server_send_pkey(s);
2679 /* If no certificate can't return certificate status */
Emilia Kasper70c22882016-07-04 20:32:28 +0200[diff] [blame^]2680 if (certpkey != NULL) {
2681 /*
2682 * Set current certificate to one we will use so SSL_get_certificate
2683 * et al can pick it up.
2684 */
2685 s->cert->key = certpkey;
2686 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2687 switch (ret) {
2688 /* We don't want to send a status request response */
2689 case SSL_TLSEXT_ERR_NOACK:
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2690 s->tlsext_status_expected = 0;
Emilia Kasper70c22882016-07-04 20:32:28 +0200[diff] [blame^]2691 break;
2692 /* status request response should be sent */
2693 case SSL_TLSEXT_ERR_OK:
2694 if (s->tlsext_ocsp_resp)
2695 s->tlsext_status_expected = 1;
2696 break;
2697 /* something bad happened */
2698 case SSL_TLSEXT_ERR_ALERT_FATAL:
2699 default:
2700 *al = SSL_AD_INTERNAL_ERROR;
2701 return 0;
2702 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2703 }
Todd Short817cd0d2016-03-05 08:47:55 -0500[diff] [blame]2704 }
2705
Emilia Kasper70c22882016-07-04 20:32:28 +0200[diff] [blame^]2706 if (!tls1_alpn_handle_client_hello_late(s, al)) {
2707 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2708 }
Emilia Kasper70c22882016-07-04 20:32:28 +0200[diff] [blame^]2709
2710 return 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2711}
Ben Laurie2daceb02012-09-11 12:57:46 +0000[diff] [blame]2712
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2713int ssl_check_serverhello_tlsext(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2714{
2715 int ret = SSL_TLSEXT_ERR_NOACK;
2716 int al = SSL_AD_UNRECOGNIZED_NAME;
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2717
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2718#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2719 /*
2720 * If we are client and using an elliptic curve cryptography cipher
2721 * suite, then if server returns an EC point formats lists extension it
2722 * must contain uncompressed.
2723 */
2724 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2725 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2726 if ((s->tlsext_ecpointformatlist != NULL)
2727 && (s->tlsext_ecpointformatlist_length > 0)
2728 && (s->session->tlsext_ecpointformatlist != NULL)
2729 && (s->session->tlsext_ecpointformatlist_length > 0)
Dr. Stephen Hensonce0c1f22016-02-11 18:19:27 +0000[diff] [blame]2730 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2731 /* we are using an ECC cipher */
2732 size_t i;
2733 unsigned char *list;
2734 int found_uncompressed = 0;
2735 list = s->session->tlsext_ecpointformatlist;
2736 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2737 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2738 found_uncompressed = 1;
2739 break;
2740 }
2741 }
2742 if (!found_uncompressed) {
2743 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2744 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2745 return -1;
2746 }
2747 }
2748 ret = SSL_TLSEXT_ERR_OK;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2749#endif /* OPENSSL_NO_EC */
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2750
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2751 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2752 ret =
2753 s->ctx->tlsext_servername_callback(s, &al,
2754 s->ctx->tlsext_servername_arg);
2755 else if (s->initial_ctx != NULL
2756 && s->initial_ctx->tlsext_servername_callback != 0)
2757 ret =
2758 s->initial_ctx->tlsext_servername_callback(s, &al,
2759 s->
2760 initial_ctx->tlsext_servername_arg);
Bodo Möller241520e2006-01-11 06:10:40 +0000[diff] [blame]2761
Matt Caswellb1931d42015-12-10 10:44:30 +0000[diff] [blame]2762 /*
2763 * Ensure we get sensible values passed to tlsext_status_cb in the event
2764 * that we don't receive a status message
2765 */
Matt Caswellbb1aaab2015-11-05 14:31:11 +0000[diff] [blame]2766 OPENSSL_free(s->tlsext_ocsp_resp);
2767 s->tlsext_ocsp_resp = NULL;
2768 s->tlsext_ocsp_resplen = -1;
Bodo Möller58ece832006-01-13 09:21:10 +0000[diff] [blame]2769
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2770 switch (ret) {
2771 case SSL_TLSEXT_ERR_ALERT_FATAL:
2772 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2773 return -1;
Bodo Möller33273722006-03-30 02:44:56 +0000[diff] [blame]2774
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2775 case SSL_TLSEXT_ERR_ALERT_WARNING:
2776 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2777 return 1;
Dr. Stephen Henson09e4e4b2012-04-24 12:22:23 +0000[diff] [blame]2778
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2779 case SSL_TLSEXT_ERR_NOACK:
2780 s->servername_done = 0;
2781 default:
2782 return 1;
2783 }
2784}
2785
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2786int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2787{
2788 int al = -1;
2789 if (s->version < SSL3_VERSION)
2790 return 1;
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2791 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2792 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2793 return 0;
2794 }
2795
2796 if (ssl_check_serverhello_tlsext(s) <= 0) {
2797 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2798 return 0;
2799 }
2800 return 1;
Dr. Stephen Henson09e4e4b2012-04-24 12:22:23 +0000[diff] [blame]2801}
2802
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]2803/*-
2804 * Since the server cache lookup is done early on in the processing of the
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2805 * ClientHello and other operations depend on the result some extensions
2806 * need to be handled at the same time.
2807 *
2808 * Two extensions are currently handled, session ticket and extended master
2809 * secret.
Bodo Möllerc519e892011-09-05 13:36:23 +0000[diff] [blame]2810 *
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2811 * session_id: ClientHello session ID.
2812 * ext: ClientHello extensions (including length prefix)
Bodo Möllerc519e892011-09-05 13:36:23 +0000[diff] [blame]2813 * ret: (output) on return, if a ticket was decrypted, then this is set to
2814 * point to the resulting session.
2815 *
2816 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2817 * ciphersuite, in which case we have no use for session tickets and one will
2818 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2819 *
2820 * Returns:
2821 * -1: fatal error, either from parsing or decrypting the ticket.
2822 * 0: no ticket was found (or was ignored, based on settings).
2823 * 1: a zero length extension was found, indicating that the client supports
2824 * session tickets but doesn't currently have one to offer.
2825 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2826 * couldn't be decrypted because of a non-fatal error.
2827 * 3: a ticket was successfully decrypted and *ret was set.
2828 *
2829 * Side effects:
2830 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2831 * a new session ticket to the client because the client indicated support
2832 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2833 * a session ticket or we couldn't use the one it gave us, or if
2834 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2835 * Otherwise, s->tlsext_ticket_expected is set to 0.
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2836 *
2837 * For extended master secret flag is set if the extension is present.
2838 *
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]2839 */
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2840int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2841 const PACKET *session_id,
2842 SSL_SESSION **ret)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2843{
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2844 unsigned int i;
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2845 PACKET local_ext = *ext;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2846 int retv = -1;
Dr. Stephen Hensone8da6a12008-09-03 22:17:11 +0000[diff] [blame]2847
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2848 int have_ticket = 0;
2849 int use_ticket = tls_use_ticket(s);
2850
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2851 *ret = NULL;
2852 s->tlsext_ticket_expected = 0;
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2853 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
Dr. Stephen Hensone8da6a12008-09-03 22:17:11 +0000[diff] [blame]2854
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2855 /*
2856 * If tickets disabled behave as if no ticket present to permit stateful
2857 * resumption.
2858 */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2859 if ((s->version <= SSL3_VERSION))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2860 return 0;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2861
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2862 if (!PACKET_get_net_2(&local_ext, &i)) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2863 retv = 0;
2864 goto end;
2865 }
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2866 while (PACKET_remaining(&local_ext) >= 4) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2867 unsigned int type, size;
2868
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2869 if (!PACKET_get_net_2(&local_ext, &type)
2870 || !PACKET_get_net_2(&local_ext, &size)) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2871 /* Shouldn't ever happen */
2872 retv = -1;
2873 goto end;
2874 }
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2875 if (PACKET_remaining(&local_ext) < size) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2876 retv = 0;
2877 goto end;
2878 }
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2879 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2880 int r;
Emilia Kasperb6981742016-02-01 15:26:18 +0100[diff] [blame]2881 const unsigned char *etick;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2882
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2883 /* Duplicate extension */
2884 if (have_ticket != 0) {
2885 retv = -1;
2886 goto end;
2887 }
2888 have_ticket = 1;
2889
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2890 if (size == 0) {
2891 /*
2892 * The client will accept a ticket but doesn't currently have
2893 * one.
2894 */
2895 s->tlsext_ticket_expected = 1;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2896 retv = 1;
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2897 continue;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2898 }
2899 if (s->tls_session_secret_cb) {
2900 /*
2901 * Indicate that the ticket couldn't be decrypted rather than
2902 * generating the session from ticket now, trigger
2903 * abbreviated handshake based on external mechanism to
2904 * calculate the master secret later.
2905 */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2906 retv = 2;
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2907 continue;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2908 }
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2909 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2910 /* Shouldn't ever happen */
2911 retv = -1;
2912 goto end;
2913 }
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2914 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
2915 PACKET_remaining(session_id), ret);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2916 switch (r) {
2917 case 2: /* ticket couldn't be decrypted */
2918 s->tlsext_ticket_expected = 1;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2919 retv = 2;
2920 break;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2921 case 3: /* ticket was decrypted */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2922 retv = r;
2923 break;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2924 case 4: /* ticket decrypted but need to renew */
2925 s->tlsext_ticket_expected = 1;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2926 retv = 3;
2927 break;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2928 default: /* fatal error */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2929 retv = -1;
2930 break;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2931 }
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2932 continue;
Matt Caswellc83eda82015-08-13 10:04:23 +0100[diff] [blame]2933 } else {
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2934 if (type == TLSEXT_TYPE_extended_master_secret)
2935 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2936 if (!PACKET_forward(&local_ext, size)) {
Matt Caswellc83eda82015-08-13 10:04:23 +0100[diff] [blame]2937 retv = -1;
2938 goto end;
2939 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2940 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2941 }
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2942 if (have_ticket == 0)
2943 retv = 0;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2944end:
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2945 return retv;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2946}
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]2947
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]2948/*-
2949 * tls_decrypt_ticket attempts to decrypt a session ticket.
Bodo Möllerc519e892011-09-05 13:36:23 +0000[diff] [blame]2950 *
2951 * etick: points to the body of the session ticket extension.
FdaSilvaYY8483a002016-03-10 21:34:48 +0100[diff] [blame]2952 * eticklen: the length of the session tickets extension.
Bodo Möllerc519e892011-09-05 13:36:23 +0000[diff] [blame]2953 * sess_id: points at the session ID.
2954 * sesslen: the length of the session ID.
2955 * psess: (output) on return, if a ticket was decrypted, then this is set to
2956 * point to the resulting session.
2957 *
2958 * Returns:
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]2959 * -2: fatal error, malloc failure.
Bodo Möllerc519e892011-09-05 13:36:23 +0000[diff] [blame]2960 * -1: fatal error, either from parsing or decrypting the ticket.
2961 * 2: the ticket couldn't be decrypted.
2962 * 3: a ticket was successfully decrypted and *psess was set.
2963 * 4: same as 3, but the ticket needs to be renewed.
2964 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2965static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
2966 int eticklen, const unsigned char *sess_id,
2967 int sesslen, SSL_SESSION **psess)
2968{
2969 SSL_SESSION *sess;
2970 unsigned char *sdec;
2971 const unsigned char *p;
Matt Caswell35b1a432016-02-13 23:22:45 +0000[diff] [blame]2972 int slen, mlen, renew_ticket = 0, ret = -1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2973 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]2974 HMAC_CTX *hctx = NULL;
Richard Levitte846ec072015-12-13 22:08:41 +0100[diff] [blame]2975 EVP_CIPHER_CTX *ctx;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2976 SSL_CTX *tctx = s->initial_ctx;
2977 /* Need at least keyname + iv + some encrypted data */
2978 if (eticklen < 48)
2979 return 2;
2980 /* Initialize session ticket encryption and HMAC contexts */
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]2981 hctx = HMAC_CTX_new();
2982 if (hctx == NULL)
2983 return -2;
Richard Levitte846ec072015-12-13 22:08:41 +0100[diff] [blame]2984 ctx = EVP_CIPHER_CTX_new();
Matt Caswell35b1a432016-02-13 23:22:45 +0000[diff] [blame]2985 if (ctx == NULL) {
2986 ret = -2;
2987 goto err;
2988 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2989 if (tctx->tlsext_ticket_key_cb) {
2990 unsigned char *nctick = (unsigned char *)etick;
2991 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
Richard Levitte846ec072015-12-13 22:08:41 +0100[diff] [blame]2992 ctx, hctx, 0);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2993 if (rv < 0)
Matt Caswell35b1a432016-02-13 23:22:45 +0000[diff] [blame]2994 goto err;
2995 if (rv == 0) {
2996 ret = 2;
2997 goto err;
2998 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2999 if (rv == 2)
3000 renew_ticket = 1;
3001 } else {
3002 /* Check key name matches */
TJ Saunders4e2e1ec2016-02-27 19:36:00 +0100[diff] [blame]3003 if (memcmp(etick, tctx->tlsext_tick_key_name,
3004 sizeof(tctx->tlsext_tick_key_name)) != 0) {
Matt Caswell35b1a432016-02-13 23:22:45 +0000[diff] [blame]3005 ret = 2;
3006 goto err;
3007 }
TJ Saunders4e2e1ec2016-02-27 19:36:00 +0100[diff] [blame]3008 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
3009 sizeof(tctx->tlsext_tick_hmac_key),
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3010 EVP_sha256(), NULL) <= 0
TJ Saunders05df5c22016-02-27 19:37:34 +0100[diff] [blame]3011 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3012 tctx->tlsext_tick_aes_key,
TJ Saunders4e2e1ec2016-02-27 19:36:00 +0100[diff] [blame]3013 etick + sizeof(tctx->tlsext_tick_key_name)) <= 0) {
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3014 goto err;
3015 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3016 }
3017 /*
3018 * Attempt to process session ticket, first conduct sanity and integrity
3019 * checks on ticket.
3020 */
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3021 mlen = HMAC_size(hctx);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3022 if (mlen < 0) {
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3023 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3024 }
3025 eticklen -= mlen;
3026 /* Check HMAC of encrypted ticket */
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3027 if (HMAC_Update(hctx, etick, eticklen) <= 0
3028 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3029 goto err;
3030 }
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3031 HMAC_CTX_free(hctx);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3032 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
Richard Levitte846ec072015-12-13 22:08:41 +0100[diff] [blame]3033 EVP_CIPHER_CTX_free(ctx);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3034 return 2;
3035 }
3036 /* Attempt to decrypt session data */
3037 /* Move p after IV to start of encrypted ticket, update length */
Richard Levitte846ec072015-12-13 22:08:41 +0100[diff] [blame]3038 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
3039 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3040 sdec = OPENSSL_malloc(eticklen);
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3041 if (sdec == NULL
Richard Levitte846ec072015-12-13 22:08:41 +0100[diff] [blame]3042 || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
3043 EVP_CIPHER_CTX_free(ctx);
Matt Caswelld1247df2016-03-15 11:38:56 +0000[diff] [blame]3044 OPENSSL_free(sdec);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3045 return -1;
3046 }
Richard Levitte846ec072015-12-13 22:08:41 +0100[diff] [blame]3047 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3048 EVP_CIPHER_CTX_free(ctx);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3049 OPENSSL_free(sdec);
3050 return 2;
3051 }
3052 slen += mlen;
Richard Levitte846ec072015-12-13 22:08:41 +0100[diff] [blame]3053 EVP_CIPHER_CTX_free(ctx);
3054 ctx = NULL;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3055 p = sdec;
Bodo Möllerc519e892011-09-05 13:36:23 +0000[diff] [blame]3056
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3057 sess = d2i_SSL_SESSION(NULL, &p, slen);
3058 OPENSSL_free(sdec);
3059 if (sess) {
3060 /*
3061 * The session ID, if non-empty, is used by some clients to detect
3062 * that the ticket has been accepted. So we copy it to the session
3063 * structure. If it is empty set length to zero as required by
3064 * standard.
3065 */
3066 if (sesslen)
3067 memcpy(sess->session_id, sess_id, sesslen);
3068 sess->session_id_length = sesslen;
3069 *psess = sess;
3070 if (renew_ticket)
3071 return 4;
3072 else
3073 return 3;
3074 }
3075 ERR_clear_error();
3076 /*
3077 * For session parse failure, indicate that we need to send a new ticket.
3078 */
3079 return 2;
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3080err:
Richard Levitte846ec072015-12-13 22:08:41 +0100[diff] [blame]3081 EVP_CIPHER_CTX_free(ctx);
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3082 HMAC_CTX_free(hctx);
Matt Caswell35b1a432016-02-13 23:22:45 +0000[diff] [blame]3083 return ret;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3084}
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]3085
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3086/* Tables to translate from NIDs to TLS v1.2 ids */
3087
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3088typedef struct {
3089 int nid;
3090 int id;
3091} tls12_lookup;
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3092
Cristian Rodríguezd97ed212014-04-20 18:41:15 -0300[diff] [blame]3093static const tls12_lookup tls12_md[] = {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3094 {NID_md5, TLSEXT_hash_md5},
3095 {NID_sha1, TLSEXT_hash_sha1},
3096 {NID_sha224, TLSEXT_hash_sha224},
3097 {NID_sha256, TLSEXT_hash_sha256},
3098 {NID_sha384, TLSEXT_hash_sha384},
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3099 {NID_sha512, TLSEXT_hash_sha512},
3100 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3101 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3102 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3103};
3104
Cristian Rodríguezd97ed212014-04-20 18:41:15 -0300[diff] [blame]3105static const tls12_lookup tls12_sig[] = {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3106 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3107 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3108 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3109 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3110 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3111 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3112};
3113
Cristian Rodríguezd97ed212014-04-20 18:41:15 -0300[diff] [blame]3114static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3115{
3116 size_t i;
3117 for (i = 0; i < tlen; i++) {
3118 if (table[i].nid == nid)
3119 return table[i].id;
3120 }
3121 return -1;
3122}
Dr. Stephen Hensone7f8ff42012-03-06 14:28:21 +0000[diff] [blame]3123
Cristian Rodríguezd97ed212014-04-20 18:41:15 -0300[diff] [blame]3124static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3125{
3126 size_t i;
3127 for (i = 0; i < tlen; i++) {
3128 if ((table[i].id) == id)
3129 return table[i].nid;
3130 }
3131 return NID_undef;
3132}
Dr. Stephen Hensona2f92002011-05-09 15:44:01 +0000[diff] [blame]3133
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3134int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3135 const EVP_MD *md)
3136{
3137 int sig_id, md_id;
3138 if (!md)
3139 return 0;
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]3140 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3141 if (md_id == -1)
3142 return 0;
3143 sig_id = tls12_get_sigid(pk);
3144 if (sig_id == -1)
3145 return 0;
3146 p[0] = (unsigned char)md_id;
3147 p[1] = (unsigned char)sig_id;
3148 return 1;
3149}
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3150
Dr. Stephen Hensona2f92002011-05-09 15:44:01 +0000[diff] [blame]3151int tls12_get_sigid(const EVP_PKEY *pk)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3152{
Dr. Stephen Henson3aeb9342016-01-19 00:21:12 +0000[diff] [blame]3153 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3154}
Dr. Stephen Hensona2f92002011-05-09 15:44:01 +0000[diff] [blame]3155
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3156typedef struct {
3157 int nid;
3158 int secbits;
Dr. Stephen Henson7afd2312015-11-29 16:54:27 +0000[diff] [blame]3159 int md_idx;
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3160 unsigned char tlsext_hash;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3161} tls12_hash_info;
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3162
3163static const tls12_hash_info tls12_md_info[] = {
Dr. Stephen Henson7afd2312015-11-29 16:54:27 +0000[diff] [blame]3164 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3165 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3166 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3167 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3168 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3169 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3170 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3171 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
3172 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3173};
3174
3175static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3176{
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3177 unsigned int i;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3178 if (hash_alg == 0)
3179 return NULL;
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3180
3181 for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
3182 {
3183 if (tls12_md_info[i].tlsext_hash == hash_alg)
3184 return tls12_md_info + i;
3185 }
3186
3187 return NULL;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3188}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3189
Dr. Stephen Hensona2f92002011-05-09 15:44:01 +0000[diff] [blame]3190const EVP_MD *tls12_get_hash(unsigned char hash_alg)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3191{
3192 const tls12_hash_info *inf;
3193 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3194 return NULL;
3195 inf = tls12_get_hash_info(hash_alg);
Dr. Stephen Henson7afd2312015-11-29 16:54:27 +0000[diff] [blame]3196 if (!inf)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3197 return NULL;
Dr. Stephen Henson7afd2312015-11-29 16:54:27 +0000[diff] [blame]3198 return ssl_md(inf->md_idx);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3199}
Dr. Stephen Hensona2f92002011-05-09 15:44:01 +0000[diff] [blame]3200
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3201static int tls12_get_pkey_idx(unsigned char sig_alg)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3202{
3203 switch (sig_alg) {
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3204#ifndef OPENSSL_NO_RSA
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3205 case TLSEXT_signature_rsa:
3206 return SSL_PKEY_RSA_SIGN;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3207#endif
3208#ifndef OPENSSL_NO_DSA
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3209 case TLSEXT_signature_dsa:
3210 return SSL_PKEY_DSA_SIGN;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3211#endif
3212#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3213 case TLSEXT_signature_ecdsa:
3214 return SSL_PKEY_ECC;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3215#endif
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3216# ifndef OPENSSL_NO_GOST
3217 case TLSEXT_signature_gostr34102001:
3218 return SSL_PKEY_GOST01;
3219
3220 case TLSEXT_signature_gostr34102012_256:
3221 return SSL_PKEY_GOST12_256;
3222
3223 case TLSEXT_signature_gostr34102012_512:
3224 return SSL_PKEY_GOST12_512;
3225# endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3226 }
3227 return -1;
3228}
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3229
3230/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3231static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3232 int *psignhash_nid, const unsigned char *data)
3233{
Matt Caswell330dcb02015-11-11 10:44:07 +0000[diff] [blame]3234 int sign_nid = NID_undef, hash_nid = NID_undef;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3235 if (!phash_nid && !psign_nid && !psignhash_nid)
3236 return;
3237 if (phash_nid || psignhash_nid) {
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]3238 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3239 if (phash_nid)
3240 *phash_nid = hash_nid;
3241 }
3242 if (psign_nid || psignhash_nid) {
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]3243 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3244 if (psign_nid)
3245 *psign_nid = sign_nid;
3246 }
3247 if (psignhash_nid) {
Matt Caswell330dcb02015-11-11 10:44:07 +0000[diff] [blame]3248 if (sign_nid == NID_undef || hash_nid == NID_undef
3249 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
3250 sign_nid) <= 0)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3251 *psignhash_nid = NID_undef;
3252 }
3253}
3254
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3255/* Check to see if a signature algorithm is allowed */
3256static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3257{
3258 /* See if we have an entry in the hash table and it is enabled */
3259 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
Dr. Stephen Henson7afd2312015-11-29 16:54:27 +0000[diff] [blame]3260 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3261 return 0;
3262 /* See if public key algorithm allowed */
3263 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3264 return 0;
3265 /* Finally see if security callback allows it */
3266 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3267}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3268
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3269/*
3270 * Get a mask of disabled public key algorithms based on supported signature
3271 * algorithms. For example if no signature algorithm supports RSA then RSA is
3272 * disabled.
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3273 */
3274
Dr. Stephen Henson90d9e492015-11-05 16:14:17 +0000[diff] [blame]3275void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3276{
3277 const unsigned char *sigalgs;
3278 size_t i, sigalgslen;
3279 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3280 /*
3281 * Now go through all signature algorithms seeing if we support any for
3282 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3283 * down calls to security callback only check if we have to.
3284 */
3285 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3286 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3287 switch (sigalgs[1]) {
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3288#ifndef OPENSSL_NO_RSA
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3289 case TLSEXT_signature_rsa:
3290 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3291 have_rsa = 1;
3292 break;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3293#endif
3294#ifndef OPENSSL_NO_DSA
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3295 case TLSEXT_signature_dsa:
3296 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3297 have_dsa = 1;
3298 break;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3299#endif
3300#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3301 case TLSEXT_signature_ecdsa:
3302 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3303 have_ecdsa = 1;
3304 break;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3305#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3306 }
3307 }
3308 if (!have_rsa)
3309 *pmask_a |= SSL_aRSA;
3310 if (!have_dsa)
3311 *pmask_a |= SSL_aDSS;
3312 if (!have_ecdsa)
3313 *pmask_a |= SSL_aECDSA;
3314}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3315
3316size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3317 const unsigned char *psig, size_t psiglen)
3318{
3319 unsigned char *tmpout = out;
3320 size_t i;
3321 for (i = 0; i < psiglen; i += 2, psig += 2) {
3322 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3323 *tmpout++ = psig[0];
3324 *tmpout++ = psig[1];
3325 }
3326 }
3327 return tmpout - out;
3328}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3329
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3330/* Given preference and allowed sigalgs set shared sigalgs */
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3331static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3332 const unsigned char *pref, size_t preflen,
3333 const unsigned char *allow, size_t allowlen)
3334{
3335 const unsigned char *ptmp, *atmp;
3336 size_t i, j, nmatch = 0;
3337 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3338 /* Skip disabled hashes or signature algorithms */
3339 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3340 continue;
3341 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3342 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3343 nmatch++;
3344 if (shsig) {
3345 shsig->rhash = ptmp[0];
3346 shsig->rsign = ptmp[1];
3347 tls1_lookup_sigalg(&shsig->hash_nid,
3348 &shsig->sign_nid,
3349 &shsig->signandhash_nid, ptmp);
3350 shsig++;
3351 }
3352 break;
3353 }
3354 }
3355 }
3356 return nmatch;
3357}
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3358
3359/* Set shared signature algorithms for SSL structures */
3360static int tls1_set_shared_sigalgs(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3361{
3362 const unsigned char *pref, *allow, *conf;
3363 size_t preflen, allowlen, conflen;
3364 size_t nmatch;
3365 TLS_SIGALGS *salgs = NULL;
3366 CERT *c = s->cert;
3367 unsigned int is_suiteb = tls1_suiteb(s);
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]3368
3369 OPENSSL_free(c->shared_sigalgs);
3370 c->shared_sigalgs = NULL;
3371 c->shared_sigalgslen = 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3372 /* If client use client signature algorithms if not NULL */
3373 if (!s->server && c->client_sigalgs && !is_suiteb) {
3374 conf = c->client_sigalgs;
3375 conflen = c->client_sigalgslen;
3376 } else if (c->conf_sigalgs && !is_suiteb) {
3377 conf = c->conf_sigalgs;
3378 conflen = c->conf_sigalgslen;
3379 } else
3380 conflen = tls12_get_psigalgs(s, &conf);
3381 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3382 pref = conf;
3383 preflen = conflen;
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3384 allow = s->s3->tmp.peer_sigalgs;
3385 allowlen = s->s3->tmp.peer_sigalgslen;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3386 } else {
3387 allow = conf;
3388 allowlen = conflen;
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3389 pref = s->s3->tmp.peer_sigalgs;
3390 preflen = s->s3->tmp.peer_sigalgslen;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3391 }
3392 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
Dr. Stephen Henson34e3edb2015-03-03 13:20:57 +0000[diff] [blame]3393 if (nmatch) {
3394 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]3395 if (salgs == NULL)
Dr. Stephen Henson34e3edb2015-03-03 13:20:57 +0000[diff] [blame]3396 return 0;
3397 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3398 } else {
3399 salgs = NULL;
3400 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3401 c->shared_sigalgs = salgs;
3402 c->shared_sigalgslen = nmatch;
3403 return 1;
3404}
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3405
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3406/* Set preferred digest for each key type */
3407
Dr. Stephen Hensonc800c272014-10-09 20:37:27 +0100[diff] [blame]3408int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3409{
3410 CERT *c = s->cert;
3411 /* Extension ignored for inappropriate versions */
3412 if (!SSL_USE_SIGALGS(s))
3413 return 1;
3414 /* Should never happen */
3415 if (!c)
3416 return 0;
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3417
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3418 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3419 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3420 if (s->s3->tmp.peer_sigalgs == NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3421 return 0;
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3422 s->s3->tmp.peer_sigalgslen = dsize;
3423 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3424 return 1;
3425}
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3426
Dr. Stephen Hensonc800c272014-10-09 20:37:27 +0100[diff] [blame]3427int tls1_process_sigalgs(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3428{
3429 int idx;
3430 size_t i;
3431 const EVP_MD *md;
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3432 const EVP_MD **pmd = s->s3->tmp.md;
Dr. Stephen Hensonf7d53482015-07-14 23:19:11 +0100[diff] [blame]3433 uint32_t *pvalid = s->s3->tmp.valid_flags;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3434 CERT *c = s->cert;
3435 TLS_SIGALGS *sigptr;
3436 if (!tls1_set_shared_sigalgs(s))
3437 return 0;
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3438
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3439 for (i = 0, sigptr = c->shared_sigalgs;
3440 i < c->shared_sigalgslen; i++, sigptr++) {
3441 idx = tls12_get_pkey_idx(sigptr->rsign);
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3442 if (idx > 0 && pmd[idx] == NULL) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3443 md = tls12_get_hash(sigptr->rhash);
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3444 pmd[idx] = md;
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3445 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3446 if (idx == SSL_PKEY_RSA_SIGN) {
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3447 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3448 pmd[SSL_PKEY_RSA_ENC] = md;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3449 }
3450 }
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3451
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3452 }
3453 /*
3454 * In strict mode leave unset digests as NULL to indicate we can't use
3455 * the certificate for signing.
3456 */
3457 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3458 /*
3459 * Set any remaining keys to default values. NOTE: if alg is not
3460 * supported it stays as NULL.
3461 */
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3462#ifndef OPENSSL_NO_DSA
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3463 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3464 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3465#endif
3466#ifndef OPENSSL_NO_RSA
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3467 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3468 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3469 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3470 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3471#endif
3472#ifndef OPENSSL_NO_EC
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3473 if (pmd[SSL_PKEY_ECC] == NULL)
3474 pmd[SSL_PKEY_ECC] = EVP_sha1();
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3475#endif
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3476# ifndef OPENSSL_NO_GOST
3477 if (pmd[SSL_PKEY_GOST01] == NULL)
3478 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3479 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3480 pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3481 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3482 pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3483# endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3484 }
3485 return 1;
3486}
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3487
Dr. Stephen Hensone7f8ff42012-03-06 14:28:21 +0000[diff] [blame]3488int SSL_get_sigalgs(SSL *s, int idx,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3489 int *psign, int *phash, int *psignhash,
3490 unsigned char *rsig, unsigned char *rhash)
3491{
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3492 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3493 if (psig == NULL)
3494 return 0;
3495 if (idx >= 0) {
3496 idx <<= 1;
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3497 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3498 return 0;
3499 psig += idx;
3500 if (rhash)
3501 *rhash = psig[0];
3502 if (rsig)
3503 *rsig = psig[1];
3504 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3505 }
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3506 return s->s3->tmp.peer_sigalgslen / 2;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3507}
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3508
3509int SSL_get_shared_sigalgs(SSL *s, int idx,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3510 int *psign, int *phash, int *psignhash,
3511 unsigned char *rsig, unsigned char *rhash)
3512{
3513 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3514 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3515 return 0;
3516 shsigalgs += idx;
3517 if (phash)
3518 *phash = shsigalgs->hash_nid;
3519 if (psign)
3520 *psign = shsigalgs->sign_nid;
3521 if (psignhash)
3522 *psignhash = shsigalgs->signandhash_nid;
3523 if (rsig)
3524 *rsig = shsigalgs->rsign;
3525 if (rhash)
3526 *rhash = shsigalgs->rhash;
3527 return s->cert->shared_sigalgslen;
3528}
Dr. Stephen Hensone7f8ff42012-03-06 14:28:21 +0000[diff] [blame]3529
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3530#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3531
3532typedef struct {
3533 size_t sigalgcnt;
3534 int sigalgs[MAX_SIGALGLEN];
3535} sig_cb_st;
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3536
Dr. Stephen Henson431f4582015-07-23 14:57:42 +0100[diff] [blame]3537static void get_sigorhash(int *psig, int *phash, const char *str)
3538{
3539 if (strcmp(str, "RSA") == 0) {
3540 *psig = EVP_PKEY_RSA;
3541 } else if (strcmp(str, "DSA") == 0) {
3542 *psig = EVP_PKEY_DSA;
3543 } else if (strcmp(str, "ECDSA") == 0) {
3544 *psig = EVP_PKEY_EC;
3545 } else {
3546 *phash = OBJ_sn2nid(str);
3547 if (*phash == NID_undef)
3548 *phash = OBJ_ln2nid(str);
3549 }
3550}
3551
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3552static int sig_cb(const char *elem, int len, void *arg)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3553{
3554 sig_cb_st *sarg = arg;
3555 size_t i;
3556 char etmp[20], *p;
Dr. Stephen Henson431f4582015-07-23 14:57:42 +0100[diff] [blame]3557 int sig_alg = NID_undef, hash_alg = NID_undef;
Kurt Roeckx2747d732015-01-24 14:46:50 +0100[diff] [blame]3558 if (elem == NULL)
3559 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3560 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3561 return 0;
3562 if (len > (int)(sizeof(etmp) - 1))
3563 return 0;
3564 memcpy(etmp, elem, len);
3565 etmp[len] = 0;
3566 p = strchr(etmp, '+');
3567 if (!p)
3568 return 0;
3569 *p = 0;
3570 p++;
3571 if (!*p)
3572 return 0;
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3573
Dr. Stephen Henson431f4582015-07-23 14:57:42 +0100[diff] [blame]3574 get_sigorhash(&sig_alg, &hash_alg, etmp);
3575 get_sigorhash(&sig_alg, &hash_alg, p);
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3576
Dr. Stephen Henson431f4582015-07-23 14:57:42 +0100[diff] [blame]3577 if (sig_alg == NID_undef || hash_alg == NID_undef)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3578 return 0;
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3579
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3580 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3581 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3582 return 0;
3583 }
3584 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3585 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3586 return 1;
3587}
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3588
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3589/*
FdaSilvaYY9d226662016-06-28 22:39:55 +0200[diff] [blame]3590 * Set supported signature algorithms based on a colon separated list of the
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3591 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3592 */
Dr. Stephen Henson3dbc46d2012-07-03 12:51:14 +0000[diff] [blame]3593int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3594{
3595 sig_cb_st sig;
3596 sig.sigalgcnt = 0;
3597 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3598 return 0;
3599 if (c == NULL)
3600 return 1;
3601 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3602}
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3603
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3604int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3605 int client)
3606{
3607 unsigned char *sigalgs, *sptr;
3608 int rhash, rsign;
3609 size_t i;
3610 if (salglen & 1)
3611 return 0;
3612 sigalgs = OPENSSL_malloc(salglen);
3613 if (sigalgs == NULL)
3614 return 0;
3615 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]3616 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3617 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3618
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3619 if (rhash == -1 || rsign == -1)
3620 goto err;
3621 *sptr++ = rhash;
3622 *sptr++ = rsign;
3623 }
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3624
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3625 if (client) {
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]3626 OPENSSL_free(c->client_sigalgs);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3627 c->client_sigalgs = sigalgs;
3628 c->client_sigalgslen = salglen;
3629 } else {
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]3630 OPENSSL_free(c->conf_sigalgs);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3631 c->conf_sigalgs = sigalgs;
3632 c->conf_sigalgslen = salglen;
3633 }
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3634
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3635 return 1;
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3636
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3637 err:
3638 OPENSSL_free(sigalgs);
3639 return 0;
3640}
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3641
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3642static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3643{
3644 int sig_nid;
3645 size_t i;
3646 if (default_nid == -1)
3647 return 1;
3648 sig_nid = X509_get_signature_nid(x);
3649 if (default_nid)
3650 return sig_nid == default_nid ? 1 : 0;
3651 for (i = 0; i < c->shared_sigalgslen; i++)
3652 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3653 return 1;
3654 return 0;
3655}
3656
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3657/* Check to see if a certificate issuer name matches list of CA names */
3658static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3659{
3660 X509_NAME *nm;
3661 int i;
3662 nm = X509_get_issuer_name(x);
3663 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3664 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3665 return 1;
3666 }
3667 return 0;
3668}
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3669
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3670/*
3671 * Check certificate chain is consistent with TLS extensions and is usable by
3672 * server. This servers two purposes: it allows users to check chains before
3673 * passing them to the server and it allows the server to check chains before
3674 * attempting to use them.
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3675 */
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3676
3677/* Flags which need to be set for a certificate when stict mode not set */
3678
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3679#define CERT_PKEY_VALID_FLAGS \
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3680 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3681/* Strict mode flags */
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3682#define CERT_PKEY_STRICT_FLAGS \
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3683 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3684 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3685
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3686int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3687 int idx)
3688{
3689 int i;
3690 int rv = 0;
3691 int check_flags = 0, strict_mode;
3692 CERT_PKEY *cpk = NULL;
3693 CERT *c = s->cert;
Dr. Stephen Hensonf7d53482015-07-14 23:19:11 +0100[diff] [blame]3694 uint32_t *pvalid;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3695 unsigned int suiteb_flags = tls1_suiteb(s);
3696 /* idx == -1 means checking server chains */
3697 if (idx != -1) {
3698 /* idx == -2 means checking client certificate chains */
3699 if (idx == -2) {
3700 cpk = c->key;
3701 idx = cpk - c->pkeys;
3702 } else
3703 cpk = c->pkeys + idx;
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3704 pvalid = s->s3->tmp.valid_flags + idx;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3705 x = cpk->x509;
3706 pk = cpk->privatekey;
3707 chain = cpk->chain;
3708 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3709 /* If no cert or key, forget it */
3710 if (!x || !pk)
3711 goto end;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3712 } else {
3713 if (!x || !pk)
Matt Caswelld813f9e2015-03-11 17:01:38 +0000[diff] [blame]3714 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3715 idx = ssl_cert_type(x, pk);
3716 if (idx == -1)
Matt Caswelld813f9e2015-03-11 17:01:38 +0000[diff] [blame]3717 return 0;
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3718 pvalid = s->s3->tmp.valid_flags + idx;
3719
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3720 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3721 check_flags = CERT_PKEY_STRICT_FLAGS;
3722 else
3723 check_flags = CERT_PKEY_VALID_FLAGS;
3724 strict_mode = 1;
3725 }
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3726
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3727 if (suiteb_flags) {
3728 int ok;
3729 if (check_flags)
3730 check_flags |= CERT_PKEY_SUITEB;
3731 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3732 if (ok == X509_V_OK)
3733 rv |= CERT_PKEY_SUITEB;
3734 else if (!check_flags)
3735 goto end;
3736 }
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3737
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3738 /*
3739 * Check all signature algorithms are consistent with signature
3740 * algorithms extension if TLS 1.2 or later and strict mode.
3741 */
3742 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3743 int default_nid;
3744 unsigned char rsign = 0;
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3745 if (s->s3->tmp.peer_sigalgs)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3746 default_nid = 0;
3747 /* If no sigalgs extension use defaults from RFC5246 */
3748 else {
3749 switch (idx) {
3750 case SSL_PKEY_RSA_ENC:
3751 case SSL_PKEY_RSA_SIGN:
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3752 rsign = TLSEXT_signature_rsa;
3753 default_nid = NID_sha1WithRSAEncryption;
3754 break;
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3755
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3756 case SSL_PKEY_DSA_SIGN:
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3757 rsign = TLSEXT_signature_dsa;
3758 default_nid = NID_dsaWithSHA1;
3759 break;
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3760
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3761 case SSL_PKEY_ECC:
3762 rsign = TLSEXT_signature_ecdsa;
3763 default_nid = NID_ecdsa_with_SHA1;
3764 break;
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3765
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3766 case SSL_PKEY_GOST01:
3767 rsign = TLSEXT_signature_gostr34102001;
3768 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3769 break;
3770
3771 case SSL_PKEY_GOST12_256:
3772 rsign = TLSEXT_signature_gostr34102012_256;
3773 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3774 break;
3775
3776 case SSL_PKEY_GOST12_512:
3777 rsign = TLSEXT_signature_gostr34102012_512;
3778 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3779 break;
3780
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3781 default:
3782 default_nid = -1;
3783 break;
3784 }
3785 }
3786 /*
3787 * If peer sent no signature algorithms extension and we have set
3788 * preferred signature algorithms check we support sha1.
3789 */
3790 if (default_nid > 0 && c->conf_sigalgs) {
3791 size_t j;
3792 const unsigned char *p = c->conf_sigalgs;
3793 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3794 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3795 break;
3796 }
3797 if (j == c->conf_sigalgslen) {
3798 if (check_flags)
3799 goto skip_sigs;
3800 else
3801 goto end;
3802 }
3803 }
3804 /* Check signature algorithm of each cert in chain */
3805 if (!tls1_check_sig_alg(c, x, default_nid)) {
3806 if (!check_flags)
3807 goto end;
3808 } else
3809 rv |= CERT_PKEY_EE_SIGNATURE;
3810 rv |= CERT_PKEY_CA_SIGNATURE;
3811 for (i = 0; i < sk_X509_num(chain); i++) {
3812 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3813 if (check_flags) {
3814 rv &= ~CERT_PKEY_CA_SIGNATURE;
3815 break;
3816 } else
3817 goto end;
3818 }
3819 }
3820 }
3821 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3822 else if (check_flags)
3823 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3824 skip_sigs:
3825 /* Check cert parameters are consistent */
3826 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3827 rv |= CERT_PKEY_EE_PARAM;
3828 else if (!check_flags)
3829 goto end;
3830 if (!s->server)
3831 rv |= CERT_PKEY_CA_PARAM;
3832 /* In strict mode check rest of chain too */
3833 else if (strict_mode) {
3834 rv |= CERT_PKEY_CA_PARAM;
3835 for (i = 0; i < sk_X509_num(chain); i++) {
3836 X509 *ca = sk_X509_value(chain, i);
3837 if (!tls1_check_cert_param(s, ca, 0)) {
3838 if (check_flags) {
3839 rv &= ~CERT_PKEY_CA_PARAM;
3840 break;
3841 } else
3842 goto end;
3843 }
3844 }
3845 }
3846 if (!s->server && strict_mode) {
3847 STACK_OF(X509_NAME) *ca_dn;
3848 int check_type = 0;
Dr. Stephen Henson3aeb9342016-01-19 00:21:12 +0000[diff] [blame]3849 switch (EVP_PKEY_id(pk)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3850 case EVP_PKEY_RSA:
3851 check_type = TLS_CT_RSA_SIGN;
3852 break;
3853 case EVP_PKEY_DSA:
3854 check_type = TLS_CT_DSS_SIGN;
3855 break;
3856 case EVP_PKEY_EC:
3857 check_type = TLS_CT_ECDSA_SIGN;
3858 break;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3859 }
3860 if (check_type) {
3861 const unsigned char *ctypes;
3862 int ctypelen;
3863 if (c->ctypes) {
3864 ctypes = c->ctypes;
3865 ctypelen = (int)c->ctype_num;
3866 } else {
3867 ctypes = (unsigned char *)s->s3->tmp.ctype;
3868 ctypelen = s->s3->tmp.ctype_num;
3869 }
3870 for (i = 0; i < ctypelen; i++) {
3871 if (ctypes[i] == check_type) {
3872 rv |= CERT_PKEY_CERT_TYPE;
3873 break;
3874 }
3875 }
3876 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
3877 goto end;
3878 } else
3879 rv |= CERT_PKEY_CERT_TYPE;
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3880
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3881 ca_dn = s->s3->tmp.ca_names;
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3882
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3883 if (!sk_X509_NAME_num(ca_dn))
3884 rv |= CERT_PKEY_ISSUER_NAME;
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3885
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3886 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3887 if (ssl_check_ca_name(ca_dn, x))
3888 rv |= CERT_PKEY_ISSUER_NAME;
3889 }
3890 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3891 for (i = 0; i < sk_X509_num(chain); i++) {
3892 X509 *xtmp = sk_X509_value(chain, i);
3893 if (ssl_check_ca_name(ca_dn, xtmp)) {
3894 rv |= CERT_PKEY_ISSUER_NAME;
3895 break;
3896 }
3897 }
3898 }
3899 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
3900 goto end;
3901 } else
3902 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3903
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3904 if (!check_flags || (rv & check_flags) == check_flags)
3905 rv |= CERT_PKEY_VALID;
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3906
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3907 end:
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3908
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3909 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3910 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3911 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3912 else if (s->s3->tmp.md[idx] != NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3913 rv |= CERT_PKEY_SIGN;
3914 } else
3915 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3916
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3917 /*
3918 * When checking a CERT_PKEY structure all flags are irrelevant if the
3919 * chain is invalid.
3920 */
3921 if (!check_flags) {
3922 if (rv & CERT_PKEY_VALID)
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3923 *pvalid = rv;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3924 else {
3925 /* Preserve explicit sign flag, clear rest */
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3926 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3927 return 0;
3928 }
3929 }
3930 return rv;
3931}
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3932
3933/* Set validity of certificates in an SSL structure */
3934void tls1_set_cert_validity(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3935{
Matt Caswell17dd65e2015-03-24 15:10:15 +0000[diff] [blame]3936 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
3937 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
3938 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
Matt Caswell17dd65e2015-03-24 15:10:15 +0000[diff] [blame]3939 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3940 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
3941 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
3942 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3943}
3944
Dr. Stephen Henson18d71582012-06-29 14:24:42 +0000[diff] [blame]3945/* User level utiity function to check a chain is suitable */
3946int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3947{
3948 return tls1_check_chain(s, x, pk, chain, -1);
3949}
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3950
Dr. Stephen Henson09599b52014-01-22 16:22:48 +0000[diff] [blame]3951
3952#ifndef OPENSSL_NO_DH
3953DH *ssl_get_auto_dh(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3954{
3955 int dh_secbits = 80;
3956 if (s->cert->dh_tmp_auto == 2)
3957 return DH_get_1024_160();
Dr. Stephen Hensonadc55062015-06-28 17:01:52 +0100[diff] [blame]3958 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3959 if (s->s3->tmp.new_cipher->strength_bits == 256)
3960 dh_secbits = 128;
3961 else
3962 dh_secbits = 80;
3963 } else {
3964 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
3965 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
3966 }
Dr. Stephen Henson09599b52014-01-22 16:22:48 +0000[diff] [blame]3967
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3968 if (dh_secbits >= 128) {
3969 DH *dhp = DH_new();
Matt Caswell0aeddcf2016-04-06 17:49:48 +0100[diff] [blame]3970 BIGNUM *p, *g;
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]3971 if (dhp == NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3972 return NULL;
Matt Caswell0aeddcf2016-04-06 17:49:48 +0100[diff] [blame]3973 g = BN_new();
3974 if (g != NULL)
3975 BN_set_word(g, 2);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3976 if (dh_secbits >= 192)
Rich Salz9021a5d2016-04-18 07:43:54 -0400[diff] [blame]3977 p = BN_get_rfc3526_prime_8192(NULL);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3978 else
Rich Salz9021a5d2016-04-18 07:43:54 -0400[diff] [blame]3979 p = BN_get_rfc3526_prime_3072(NULL);
Matt Caswell0aeddcf2016-04-06 17:49:48 +0100[diff] [blame]3980 if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3981 DH_free(dhp);
Matt Caswell0aeddcf2016-04-06 17:49:48 +0100[diff] [blame]3982 BN_free(p);
3983 BN_free(g);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3984 return NULL;
3985 }
3986 return dhp;
3987 }
3988 if (dh_secbits >= 112)
3989 return DH_get_2048_224();
3990 return DH_get_1024_160();
3991}
Dr. Stephen Henson09599b52014-01-22 16:22:48 +0000[diff] [blame]3992#endif
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3993
3994static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3995{
Dr. Stephen Henson72245f32015-12-30 13:34:53 +0000[diff] [blame]3996 int secbits = -1;
Dr. Stephen Henson8382fd32015-12-20 00:32:36 +0000[diff] [blame]3997 EVP_PKEY *pkey = X509_get0_pubkey(x);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3998 if (pkey) {
Dr. Stephen Henson72245f32015-12-30 13:34:53 +0000[diff] [blame]3999 /*
4000 * If no parameters this will return -1 and fail using the default
4001 * security callback for any non-zero security level. This will
4002 * reject keys which omit parameters but this only affects DSA and
4003 * omission of parameters is never (?) done in practice.
4004 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4005 secbits = EVP_PKEY_security_bits(pkey);
Dr. Stephen Henson72245f32015-12-30 13:34:53 +0000[diff] [blame]4006 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4007 if (s)
4008 return ssl_security(s, op, secbits, 0, x);
4009 else
4010 return ssl_ctx_security(ctx, op, secbits, 0, x);
4011}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4012
4013static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4014{
4015 /* Lookup signature algorithm digest */
4016 int secbits = -1, md_nid = NID_undef, sig_nid;
Dr. Stephen Henson221c7b52016-02-11 15:25:11 +0000[diff] [blame]4017 /* Don't check signature if self signed */
4018 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
4019 return 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4020 sig_nid = X509_get_signature_nid(x);
4021 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4022 const EVP_MD *md;
4023 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4024 secbits = EVP_MD_size(md) * 4;
4025 }
4026 if (s)
4027 return ssl_security(s, op, secbits, md_nid, x);
4028 else
4029 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4030}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4031
4032int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4033{
4034 if (vfy)
4035 vfy = SSL_SECOP_PEER;
4036 if (is_ee) {
4037 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4038 return SSL_R_EE_KEY_TOO_SMALL;
4039 } else {
4040 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4041 return SSL_R_CA_KEY_TOO_SMALL;
4042 }
4043 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4044 return SSL_R_CA_MD_TOO_WEAK;
4045 return 1;
4046}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4047
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4048/*
4049 * Check security of a chain, if sk includes the end entity certificate then
4050 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4051 * one to the peer. Return values: 1 if ok otherwise error code to use
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4052 */
4053
4054int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4055{
4056 int rv, start_idx, i;
4057 if (x == NULL) {
4058 x = sk_X509_value(sk, 0);
4059 start_idx = 1;
4060 } else
4061 start_idx = 0;
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4062
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4063 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4064 if (rv != 1)
4065 return rv;
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4066
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4067 for (i = start_idx; i < sk_X509_num(sk); i++) {
4068 x = sk_X509_value(sk, i);
4069 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4070 if (rv != 1)
4071 return rv;
4072 }
4073 return 1;
4074}