Google Git
Sign in
flutter / third_party / openssl / 936166aff21dafed33aeb92bad0a5b46d730221d / . / ssl / t1_lib.c
blob: 908f8e909c2477adf45e35dc651c6ccb9f3db7cb [file] [log] [blame]
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]8 *
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]15 *
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]22 *
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]37 * 4. If you include any Windows specific code (or a derivative thereof) from
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]40 *
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]52 *
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
Bodo Möllerf1fd4542006-01-03 03:27:19 +0000[diff] [blame]58/* ====================================================================
Bodo Möller52b8dad2007-02-17 06:45:38 +0000[diff] [blame]59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
Bodo Möllerf1fd4542006-01-03 03:27:19 +0000[diff] [blame]60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]66 * notice, this list of conditions and the following disclaimer.
Bodo Möllerf1fd4542006-01-03 03:27:19 +0000[diff] [blame]67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]111
112#include <stdio.h>
Bodo Möllerec577821999-04-23 22:13:45 +0000[diff] [blame]113#include <openssl/objects.h>
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]114#include <openssl/evp.h>
115#include <openssl/hmac.h>
Dr. Stephen Henson67c8e7f2007-09-26 21:56:59 +0000[diff] [blame]116#include <openssl/ocsp.h>
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]117#include <openssl/rand.h>
Dr. Stephen Henson09599b52014-01-22 16:22:48 +0000[diff] [blame]118#ifndef OPENSSL_NO_DH
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]119# include <openssl/dh.h>
120# include <openssl/bn.h>
Dr. Stephen Henson09599b52014-01-22 16:22:48 +0000[diff] [blame]121#endif
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]122#include "ssl_locl.h"
123
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]124static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]125 const unsigned char *sess_id, int sesslen,
126 SSL_SESSION **psess);
Ben Laurie2daceb02012-09-11 12:57:46 +0000[diff] [blame]127static int ssl_check_clienthello_tlsext_early(SSL *s);
Dr. Stephen Henson09e4e4b2012-04-24 12:22:23 +0000[diff] [blame]128int ssl_check_serverhello_tlsext(SSL *s);
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]129
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]130SSL3_ENC_METHOD const TLSv1_enc_data = {
131 tls1_enc,
132 tls1_mac,
133 tls1_setup_key_block,
134 tls1_generate_master_secret,
135 tls1_change_cipher_state,
136 tls1_final_finish_mac,
137 TLS1_FINISH_MAC_LENGTH,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]138 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
139 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
140 tls1_alert_code,
141 tls1_export_keying_material,
142 0,
143 SSL3_HM_HEADER_LENGTH,
144 ssl3_set_handshake_header,
145 ssl3_handshake_write
146};
Dr. Stephen Henson173e72e2013-03-11 15:34:28 +0000[diff] [blame]147
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]148SSL3_ENC_METHOD const TLSv1_1_enc_data = {
149 tls1_enc,
150 tls1_mac,
151 tls1_setup_key_block,
152 tls1_generate_master_secret,
153 tls1_change_cipher_state,
154 tls1_final_finish_mac,
155 TLS1_FINISH_MAC_LENGTH,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]156 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
157 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
158 tls1_alert_code,
159 tls1_export_keying_material,
160 SSL_ENC_FLAG_EXPLICIT_IV,
161 SSL3_HM_HEADER_LENGTH,
162 ssl3_set_handshake_header,
163 ssl3_handshake_write
164};
Dr. Stephen Henson173e72e2013-03-11 15:34:28 +0000[diff] [blame]165
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]166SSL3_ENC_METHOD const TLSv1_2_enc_data = {
167 tls1_enc,
168 tls1_mac,
169 tls1_setup_key_block,
170 tls1_generate_master_secret,
171 tls1_change_cipher_state,
172 tls1_final_finish_mac,
173 TLS1_FINISH_MAC_LENGTH,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]174 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
175 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
176 tls1_alert_code,
177 tls1_export_keying_material,
178 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
179 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
180 SSL3_HM_HEADER_LENGTH,
181 ssl3_set_handshake_header,
182 ssl3_handshake_write
183};
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]184
Dr. Stephen Hensonf3b656b2005-08-05 23:56:11 +0000[diff] [blame]185long tls1_default_timeout(void)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]186{
187 /*
188 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
189 * http, the cache would over fill
190 */
191 return (60 * 60 * 2);
192}
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]193
Ulf Möller6b691a51999-04-19 21:31:43 +0000[diff] [blame]194int tls1_new(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]195{
196 if (!ssl3_new(s))
197 return (0);
198 s->method->ssl_clear(s);
199 return (1);
200}
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]201
Ulf Möller6b691a51999-04-19 21:31:43 +0000[diff] [blame]202void tls1_free(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]203{
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]204 OPENSSL_free(s->tlsext_session_ticket);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]205 ssl3_free(s);
206}
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]207
Ulf Möller6b691a51999-04-19 21:31:43 +0000[diff] [blame]208void tls1_clear(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]209{
210 ssl3_clear(s);
Viktor Dukhovni4fa52142015-12-29 03:24:17 -0500[diff] [blame]211 if (s->method->version == TLS_ANY_VERSION)
212 s->version = TLS_MAX_VERSION;
213 else
214 s->version = s->method->version;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]215}
Ralf S. Engelschall58964a41998-12-21 10:56:39 +0000[diff] [blame]216
Dr. Stephen Henson525de5d2007-08-12 23:59:05 +0000[diff] [blame]217#ifndef OPENSSL_NO_EC
Dr. Stephen Hensoneda37662011-05-30 17:58:13 +0000[diff] [blame]218
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]219typedef struct {
220 int nid; /* Curve NID */
221 int secbits; /* Bits of security (from SP800-57) */
222 unsigned int flags; /* Flags: currently just field type */
223} tls_curve_info;
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]224
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]225# define TLS_CURVE_CHAR2 0x1
226# define TLS_CURVE_PRIME 0x0
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]227
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]228static const tls_curve_info nid_list[] = {
229 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
230 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
231 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
232 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
233 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
234 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
235 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
236 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
237 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
238 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
239 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
240 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
241 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
242 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
243 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
244 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
245 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
246 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
247 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
248 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
249 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
250 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
251 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
252 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
253 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
254 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
255 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
256 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
257};
Dr. Stephen Hensoneda37662011-05-30 17:58:13 +0000[diff] [blame]258
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]259static const unsigned char ecformats_default[] = {
260 TLSEXT_ECPOINTFORMAT_uncompressed,
261 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
262 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
263};
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]264
Kurt Roeckxfe6ef242015-12-04 22:30:36 +0100[diff] [blame]265/* The default curves */
266static const unsigned char eccurves_default[] = {
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]267 /* Prefer P-256 which has the fastest and most secure implementations. */
268 0, 23, /* secp256r1 (23) */
269 /* Other >= 256-bit prime curves. */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]270 0, 25, /* secp521r1 (25) */
271 0, 28, /* brainpool512r1 (28) */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]272 0, 27, /* brainpoolP384r1 (27) */
273 0, 24, /* secp384r1 (24) */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]274 0, 26, /* brainpoolP256r1 (26) */
275 0, 22, /* secp256k1 (22) */
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]276 /* >= 256-bit binary curves. */
277 0, 14, /* sect571r1 (14) */
278 0, 13, /* sect571k1 (13) */
279 0, 11, /* sect409k1 (11) */
280 0, 12, /* sect409r1 (12) */
281 0, 9, /* sect283k1 (9) */
282 0, 10, /* sect283r1 (10) */
283};
284
285static const unsigned char eccurves_all[] = {
286 /* Prefer P-256 which has the fastest and most secure implementations. */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]287 0, 23, /* secp256r1 (23) */
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]288 /* Other >= 256-bit prime curves. */
289 0, 25, /* secp521r1 (25) */
290 0, 28, /* brainpool512r1 (28) */
291 0, 27, /* brainpoolP384r1 (27) */
292 0, 24, /* secp384r1 (24) */
293 0, 26, /* brainpoolP256r1 (26) */
294 0, 22, /* secp256k1 (22) */
295 /* >= 256-bit binary curves. */
296 0, 14, /* sect571r1 (14) */
297 0, 13, /* sect571k1 (13) */
298 0, 11, /* sect409k1 (11) */
299 0, 12, /* sect409r1 (12) */
300 0, 9, /* sect283k1 (9) */
301 0, 10, /* sect283r1 (10) */
302 /*
303 * Remaining curves disabled by default but still permitted if set
304 * via an explicit callback or parameters.
305 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]306 0, 20, /* secp224k1 (20) */
307 0, 21, /* secp224r1 (21) */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]308 0, 18, /* secp192k1 (18) */
309 0, 19, /* secp192r1 (19) */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]310 0, 15, /* secp160k1 (15) */
311 0, 16, /* secp160r1 (16) */
312 0, 17, /* secp160r2 (17) */
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]313 0, 8, /* sect239k1 (8) */
314 0, 6, /* sect233k1 (6) */
315 0, 7, /* sect233r1 (7) */
316 0, 4, /* sect193r1 (4) */
317 0, 5, /* sect193r2 (5) */
318 0, 1, /* sect163k1 (1) */
319 0, 2, /* sect163r1 (2) */
320 0, 3, /* sect163r2 (3) */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]321};
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]322
Emilia Kasperde57d232015-05-20 15:47:51 +0200[diff] [blame]323
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]324static const unsigned char suiteb_curves[] = {
325 0, TLSEXT_curve_P_256,
326 0, TLSEXT_curve_P_384
327};
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]328
Dr. Stephen Henson525de5d2007-08-12 23:59:05 +0000[diff] [blame]329int tls1_ec_curve_id2nid(int curve_id)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]330{
331 /* ECC curves from RFC 4492 and RFC 7027 */
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]332 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]333 return 0;
334 return nid_list[curve_id - 1].nid;
335}
Dr. Stephen Henson525de5d2007-08-12 23:59:05 +0000[diff] [blame]336
337int tls1_ec_nid2curve_id(int nid)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]338{
339 /* ECC curves from RFC 4492 and RFC 7027 */
340 switch (nid) {
341 case NID_sect163k1: /* sect163k1 (1) */
342 return 1;
343 case NID_sect163r1: /* sect163r1 (2) */
344 return 2;
345 case NID_sect163r2: /* sect163r2 (3) */
346 return 3;
347 case NID_sect193r1: /* sect193r1 (4) */
348 return 4;
349 case NID_sect193r2: /* sect193r2 (5) */
350 return 5;
351 case NID_sect233k1: /* sect233k1 (6) */
352 return 6;
353 case NID_sect233r1: /* sect233r1 (7) */
354 return 7;
355 case NID_sect239k1: /* sect239k1 (8) */
356 return 8;
357 case NID_sect283k1: /* sect283k1 (9) */
358 return 9;
359 case NID_sect283r1: /* sect283r1 (10) */
360 return 10;
361 case NID_sect409k1: /* sect409k1 (11) */
362 return 11;
363 case NID_sect409r1: /* sect409r1 (12) */
364 return 12;
365 case NID_sect571k1: /* sect571k1 (13) */
366 return 13;
367 case NID_sect571r1: /* sect571r1 (14) */
368 return 14;
369 case NID_secp160k1: /* secp160k1 (15) */
370 return 15;
371 case NID_secp160r1: /* secp160r1 (16) */
372 return 16;
373 case NID_secp160r2: /* secp160r2 (17) */
374 return 17;
375 case NID_secp192k1: /* secp192k1 (18) */
376 return 18;
377 case NID_X9_62_prime192v1: /* secp192r1 (19) */
378 return 19;
379 case NID_secp224k1: /* secp224k1 (20) */
380 return 20;
381 case NID_secp224r1: /* secp224r1 (21) */
382 return 21;
383 case NID_secp256k1: /* secp256k1 (22) */
384 return 22;
385 case NID_X9_62_prime256v1: /* secp256r1 (23) */
386 return 23;
387 case NID_secp384r1: /* secp384r1 (24) */
388 return 24;
389 case NID_secp521r1: /* secp521r1 (25) */
390 return 25;
391 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
392 return 26;
393 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
394 return 27;
395 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
396 return 28;
397 default:
398 return 0;
399 }
400}
401
Emilia Kasper740580c2014-12-01 16:55:55 +0100[diff] [blame]402/*
403 * Get curves list, if "sess" is set return client curves otherwise
404 * preferred list.
405 * Sets |num_curves| to the number of curves in the list, i.e.,
406 * the length of |pcurves| is 2 * num_curves.
407 * Returns 1 on success and 0 if the client curves list has invalid format.
408 * The latter indicates an internal error: we should not be accepting such
409 * lists in the first place.
410 * TODO(emilia): we should really be storing the curves list in explicitly
411 * parsed form instead. (However, this would affect binary compatibility
412 * so cannot happen in the 1.0.x series.)
Dr. Stephen Hensonfd2b65c2012-04-04 14:41:01 +0000[diff] [blame]413 */
Emilia Kasper740580c2014-12-01 16:55:55 +0100[diff] [blame]414static int tls1_get_curvelist(SSL *s, int sess,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]415 const unsigned char **pcurves,
416 size_t *num_curves)
417{
418 size_t pcurveslen = 0;
419 if (sess) {
420 *pcurves = s->session->tlsext_ellipticcurvelist;
421 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
422 } else {
423 /* For Suite B mode only include P-256, P-384 */
424 switch (tls1_suiteb(s)) {
425 case SSL_CERT_FLAG_SUITEB_128_LOS:
426 *pcurves = suiteb_curves;
427 pcurveslen = sizeof(suiteb_curves);
428 break;
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]429
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]430 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
431 *pcurves = suiteb_curves;
432 pcurveslen = 2;
433 break;
Dr. Stephen Hensonb34aa492012-12-10 02:02:16 +0000[diff] [blame]434
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]435 case SSL_CERT_FLAG_SUITEB_192_LOS:
436 *pcurves = suiteb_curves + 2;
437 pcurveslen = 2;
438 break;
439 default:
440 *pcurves = s->tlsext_ellipticcurvelist;
441 pcurveslen = s->tlsext_ellipticcurvelist_length;
442 }
443 if (!*pcurves) {
Kurt Roeckxfe6ef242015-12-04 22:30:36 +0100[diff] [blame]444 *pcurves = eccurves_default;
445 pcurveslen = sizeof(eccurves_default);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]446 }
447 }
Emilia Kasper740580c2014-12-01 16:55:55 +0100[diff] [blame]448
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]449 /* We do not allow odd length arrays to enter the system. */
450 if (pcurveslen & 1) {
451 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
452 *num_curves = 0;
453 return 0;
454 } else {
455 *num_curves = pcurveslen / 2;
456 return 1;
457 }
458}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]459
460/* See if curve is allowed by security callback */
461static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]462{
463 const tls_curve_info *cinfo;
464 if (curve[0])
465 return 1;
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]466 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]467 return 0;
468 cinfo = &nid_list[curve[1] - 1];
469# ifdef OPENSSL_NO_EC2M
470 if (cinfo->flags & TLS_CURVE_CHAR2)
471 return 0;
472# endif
473 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
474}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]475
Dr. Stephen Hensond18b7162012-07-24 13:47:40 +0000[diff] [blame]476/* Check a curve is one of our preferences */
477int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]478{
479 const unsigned char *curves;
480 size_t num_curves, i;
481 unsigned int suiteb_flags = tls1_suiteb(s);
482 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
483 return 0;
484 /* Check curve matches Suite B preferences */
485 if (suiteb_flags) {
486 unsigned long cid = s->s3->tmp.new_cipher->id;
487 if (p[1])
488 return 0;
489 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
490 if (p[2] != TLSEXT_curve_P_256)
491 return 0;
492 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
493 if (p[2] != TLSEXT_curve_P_384)
494 return 0;
495 } else /* Should never happen */
496 return 0;
497 }
498 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
499 return 0;
500 for (i = 0; i < num_curves; i++, curves += 2) {
501 if (p[1] == curves[0] && p[2] == curves[1])
502 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
503 }
504 return 0;
505}
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]506
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]507/*-
Kurt Roeckx6977e8e2015-12-04 22:25:11 +0100[diff] [blame]508 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
509 * if there is no match.
510 * For nmatch == -1, return number of matches
Emilia Kasper376e2ca2014-12-04 15:00:11 +0100[diff] [blame]511 * For nmatch == -2, return the NID of the curve to use for
512 * an EC tmp key, or NID_undef if there is no match.
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]513 */
Dr. Stephen Hensona4352632012-04-05 13:38:27 +0000[diff] [blame]514int tls1_shared_curve(SSL *s, int nmatch)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]515{
516 const unsigned char *pref, *supp;
517 size_t num_pref, num_supp, i, j;
518 int k;
519 /* Can't do anything on client side */
520 if (s->server == 0)
521 return -1;
522 if (nmatch == -2) {
523 if (tls1_suiteb(s)) {
524 /*
525 * For Suite B ciphersuite determines curve: we already know
526 * these are acceptable due to previous checks.
527 */
528 unsigned long cid = s->s3->tmp.new_cipher->id;
529 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
530 return NID_X9_62_prime256v1; /* P-256 */
531 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
532 return NID_secp384r1; /* P-384 */
533 /* Should never happen */
534 return NID_undef;
535 }
536 /* If not Suite B just return first preference shared curve */
537 nmatch = 0;
538 }
539 /*
540 * Avoid truncation. tls1_get_curvelist takes an int
541 * but s->options is a long...
542 */
543 if (!tls1_get_curvelist
544 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
545 &num_supp))
546 /* In practice, NID_undef == 0 but let's be precise. */
547 return nmatch == -1 ? 0 : NID_undef;
548 if (!tls1_get_curvelist
549 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
550 &num_pref))
551 return nmatch == -1 ? 0 : NID_undef;
Kurt Roeckx3c065132015-05-30 19:20:12 +0200[diff] [blame]552
553 /*
554 * If the client didn't send the elliptic_curves extension all of them
555 * are allowed.
556 */
557 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
558 supp = eccurves_all;
559 num_supp = sizeof(eccurves_all) / 2;
560 } else if (num_pref == 0 &&
561 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
562 pref = eccurves_all;
563 num_pref = sizeof(eccurves_all) / 2;
564 }
565
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]566 k = 0;
567 for (i = 0; i < num_pref; i++, pref += 2) {
568 const unsigned char *tsupp = supp;
569 for (j = 0; j < num_supp; j++, tsupp += 2) {
570 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
571 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
572 continue;
573 if (nmatch == k) {
574 int id = (pref[0] << 8) | pref[1];
575 return tls1_ec_curve_id2nid(id);
576 }
577 k++;
578 }
579 }
580 }
581 if (nmatch == -1)
582 return k;
583 /* Out of range (nmatch > k). */
584 return NID_undef;
585}
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]586
587int tls1_set_curves(unsigned char **pext, size_t *pextlen,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]588 int *curves, size_t ncurves)
589{
590 unsigned char *clist, *p;
591 size_t i;
592 /*
593 * Bitmap of curves included to detect duplicates: only works while curve
594 * ids < 32
595 */
596 unsigned long dup_list = 0;
597 clist = OPENSSL_malloc(ncurves * 2);
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]598 if (clist == NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]599 return 0;
600 for (i = 0, p = clist; i < ncurves; i++) {
601 unsigned long idmask;
602 int id;
603 id = tls1_ec_nid2curve_id(curves[i]);
604 idmask = 1L << id;
605 if (!id || (dup_list & idmask)) {
606 OPENSSL_free(clist);
607 return 0;
608 }
609 dup_list |= idmask;
610 s2n(id, p);
611 }
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]612 OPENSSL_free(*pext);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]613 *pext = clist;
614 *pextlen = ncurves * 2;
615 return 1;
616}
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]617
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]618# define MAX_CURVELIST 28
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]619
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]620typedef struct {
621 size_t nidcnt;
622 int nid_arr[MAX_CURVELIST];
623} nid_cb_st;
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]624
625static int nid_cb(const char *elem, int len, void *arg)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]626{
627 nid_cb_st *narg = arg;
628 size_t i;
629 int nid;
630 char etmp[20];
Kurt Roeckx2747d732015-01-24 14:46:50 +0100[diff] [blame]631 if (elem == NULL)
632 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]633 if (narg->nidcnt == MAX_CURVELIST)
634 return 0;
635 if (len > (int)(sizeof(etmp) - 1))
636 return 0;
637 memcpy(etmp, elem, len);
638 etmp[len] = 0;
639 nid = EC_curve_nist2nid(etmp);
640 if (nid == NID_undef)
641 nid = OBJ_sn2nid(etmp);
642 if (nid == NID_undef)
643 nid = OBJ_ln2nid(etmp);
644 if (nid == NID_undef)
645 return 0;
646 for (i = 0; i < narg->nidcnt; i++)
647 if (narg->nid_arr[i] == nid)
648 return 0;
649 narg->nid_arr[narg->nidcnt++] = nid;
650 return 1;
651}
652
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]653/* Set curves based on a colon separate list */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]654int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
655 const char *str)
656{
657 nid_cb_st ncb;
658 ncb.nidcnt = 0;
659 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
660 return 0;
661 if (pext == NULL)
662 return 1;
663 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
664}
665
Dr. Stephen Hensonfd2b65c2012-04-04 14:41:01 +0000[diff] [blame]666/* For an EC key set TLS id and required compression based on parameters */
667static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]668 EC_KEY *ec)
669{
670 int is_prime, id;
671 const EC_GROUP *grp;
672 const EC_METHOD *meth;
673 if (!ec)
674 return 0;
675 /* Determine if it is a prime field */
676 grp = EC_KEY_get0_group(ec);
677 if (!grp)
678 return 0;
679 meth = EC_GROUP_method_of(grp);
680 if (!meth)
681 return 0;
682 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
683 is_prime = 1;
684 else
685 is_prime = 0;
686 /* Determine curve ID */
687 id = EC_GROUP_get_curve_name(grp);
688 id = tls1_ec_nid2curve_id(id);
689 /* If we have an ID set it, otherwise set arbitrary explicit curve */
690 if (id) {
691 curve_id[0] = 0;
692 curve_id[1] = (unsigned char)id;
693 } else {
694 curve_id[0] = 0xff;
695 if (is_prime)
696 curve_id[1] = 0x01;
697 else
698 curve_id[1] = 0x02;
699 }
700 if (comp_id) {
701 if (EC_KEY_get0_public_key(ec) == NULL)
702 return 0;
703 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
704 if (is_prime)
705 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
706 else
707 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
708 } else
709 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
710 }
711 return 1;
712}
713
Dr. Stephen Hensonfd2b65c2012-04-04 14:41:01 +0000[diff] [blame]714/* Check an EC key is compatible with extensions */
715static int tls1_check_ec_key(SSL *s,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]716 unsigned char *curve_id, unsigned char *comp_id)
717{
718 const unsigned char *pformats, *pcurves;
719 size_t num_formats, num_curves, i;
720 int j;
721 /*
722 * If point formats extension present check it, otherwise everything is
723 * supported (see RFC4492).
724 */
725 if (comp_id && s->session->tlsext_ecpointformatlist) {
726 pformats = s->session->tlsext_ecpointformatlist;
727 num_formats = s->session->tlsext_ecpointformatlist_length;
728 for (i = 0; i < num_formats; i++, pformats++) {
729 if (*comp_id == *pformats)
730 break;
731 }
732 if (i == num_formats)
733 return 0;
734 }
735 if (!curve_id)
736 return 1;
737 /* Check curve is consistent with client and server preferences */
738 for (j = 0; j <= 1; j++) {
739 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
740 return 0;
Matt Caswellb79d2412015-03-20 15:10:16 +0000[diff] [blame]741 if (j == 1 && num_curves == 0) {
742 /*
743 * If we've not received any curves then skip this check.
744 * RFC 4492 does not require the supported elliptic curves extension
745 * so if it is not sent we can just choose any curve.
746 * It is invalid to send an empty list in the elliptic curves
747 * extension, so num_curves == 0 always means no extension.
748 */
749 break;
750 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]751 for (i = 0; i < num_curves; i++, pcurves += 2) {
752 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
753 break;
754 }
755 if (i == num_curves)
756 return 0;
757 /* For clients can only check sent curve list */
758 if (!s->server)
759 break;
760 }
761 return 1;
762}
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]763
Dr. Stephen Henson5087afa2012-11-26 18:38:10 +0000[diff] [blame]764static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]765 size_t *num_formats)
766{
767 /*
768 * If we have a custom point format list use it otherwise use default
769 */
770 if (s->tlsext_ecpointformatlist) {
771 *pformats = s->tlsext_ecpointformatlist;
772 *num_formats = s->tlsext_ecpointformatlist_length;
773 } else {
774 *pformats = ecformats_default;
775 /* For Suite B we don't support char2 fields */
776 if (tls1_suiteb(s))
777 *num_formats = sizeof(ecformats_default) - 1;
778 else
779 *num_formats = sizeof(ecformats_default);
780 }
781}
Dr. Stephen Henson5087afa2012-11-26 18:38:10 +0000[diff] [blame]782
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]783/*
784 * Check cert parameters compatible with extensions: currently just checks EC
785 * certificates have compatible curves and compression.
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]786 */
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]787static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]788{
789 unsigned char comp_id, curve_id[2];
790 EVP_PKEY *pkey;
791 int rv;
Dr. Stephen Henson8382fd32015-12-20 00:32:36 +0000[diff] [blame]792 pkey = X509_get0_pubkey(x);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]793 if (!pkey)
794 return 0;
795 /* If not EC nothing to do */
Dr. Stephen Henson8382fd32015-12-20 00:32:36 +0000[diff] [blame]796 if (pkey->type != EVP_PKEY_EC)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]797 return 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]798 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]799 if (!rv)
800 return 0;
801 /*
802 * Can't check curve_id for client certs as we don't have a supported
803 * curves extension.
804 */
805 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
806 if (!rv)
807 return 0;
808 /*
809 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
810 * SHA384+P-384, adjust digest if necessary.
811 */
812 if (set_ee_md && tls1_suiteb(s)) {
813 int check_md;
814 size_t i;
815 CERT *c = s->cert;
816 if (curve_id[0])
817 return 0;
818 /* Check to see we have necessary signing algorithm */
819 if (curve_id[1] == TLSEXT_curve_P_256)
820 check_md = NID_ecdsa_with_SHA256;
821 else if (curve_id[1] == TLSEXT_curve_P_384)
822 check_md = NID_ecdsa_with_SHA384;
823 else
824 return 0; /* Should never happen */
825 for (i = 0; i < c->shared_sigalgslen; i++)
826 if (check_md == c->shared_sigalgs[i].signandhash_nid)
827 break;
828 if (i == c->shared_sigalgslen)
829 return 0;
830 if (set_ee_md == 2) {
831 if (check_md == NID_ecdsa_with_SHA256)
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]832 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]833 else
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]834 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]835 }
836 }
837 return rv;
838}
839
Rich Salz10bf4fc2015-03-10 19:09:27 -0400[diff] [blame]840# ifndef OPENSSL_NO_EC
Kurt Roeckx6977e8e2015-12-04 22:25:11 +0100[diff] [blame]841/*
842 * tls1_check_ec_tmp_key - Check EC temporary key compatiblity
843 * @s: SSL connection
844 * @cid: Cipher ID we're considering using
845 *
846 * Checks that the kECDHE cipher suite we're considering using
847 * is compatible with the client extensions.
848 *
849 * Returns 0 when the cipher can't be used or 1 when it can.
850 */
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]851int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]852{
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]853# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
854 /* Allow any curve: not just those peer supports */
855 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
856 return 1;
857# endif
858 /*
859 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
860 * curves permitted.
861 */
862 if (tls1_suiteb(s)) {
Kurt Roeckx6977e8e2015-12-04 22:25:11 +0100[diff] [blame]863 unsigned char curve_id[2];
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]864 /* Curve to check determined by ciphersuite */
865 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
866 curve_id[1] = TLSEXT_curve_P_256;
867 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
868 curve_id[1] = TLSEXT_curve_P_384;
869 else
870 return 0;
871 curve_id[0] = 0;
872 /* Check this curve is acceptable */
873 if (!tls1_check_ec_key(s, curve_id, NULL))
874 return 0;
Kurt Roeckxfe6ef242015-12-04 22:30:36 +0100[diff] [blame]875 return 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]876 }
Kurt Roeckxfe6ef242015-12-04 22:30:36 +0100[diff] [blame]877 /* Need a shared curve */
878 if (tls1_shared_curve(s, 0))
879 return 1;
Kurt Roeckx6977e8e2015-12-04 22:25:11 +0100[diff] [blame]880 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]881}
Rich Salz10bf4fc2015-03-10 19:09:27 -0400[diff] [blame]882# endif /* OPENSSL_NO_EC */
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]883
Dr. Stephen Henson14536c82013-08-17 17:40:08 +0100[diff] [blame]884#else
885
886static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]887{
888 return 1;
889}
Dr. Stephen Henson14536c82013-08-17 17:40:08 +0100[diff] [blame]890
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]891#endif /* OPENSSL_NO_EC */
Bodo Möllerf1fd4542006-01-03 03:27:19 +0000[diff] [blame]892
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]893/*
894 * List of supported signature algorithms and hashes. Should make this
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]895 * customisable at some point, for now include everything we support.
896 */
897
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]898#ifdef OPENSSL_NO_RSA
899# define tlsext_sigalg_rsa(md) /* */
900#else
901# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
902#endif
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]903
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]904#ifdef OPENSSL_NO_DSA
905# define tlsext_sigalg_dsa(md) /* */
906#else
907# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
908#endif
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]909
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]910#ifdef OPENSSL_NO_EC
911# define tlsext_sigalg_ecdsa(md) /* */
912#else
913# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
914#endif
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]915
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]916#define tlsext_sigalg(md) \
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]917 tlsext_sigalg_rsa(md) \
918 tlsext_sigalg_dsa(md) \
919 tlsext_sigalg_ecdsa(md)
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]920
Cristian Rodríguezd97ed212014-04-20 18:41:15 -0300[diff] [blame]921static const unsigned char tls12_sigalgs[] = {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]922 tlsext_sigalg(TLSEXT_hash_sha512)
923 tlsext_sigalg(TLSEXT_hash_sha384)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]924 tlsext_sigalg(TLSEXT_hash_sha256)
925 tlsext_sigalg(TLSEXT_hash_sha224)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]926 tlsext_sigalg(TLSEXT_hash_sha1)
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]927#ifndef OPENSSL_NO_GOST
928 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
929 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
930 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
931#endif
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]932};
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]933
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]934#ifndef OPENSSL_NO_EC
Cristian Rodríguezd97ed212014-04-20 18:41:15 -0300[diff] [blame]935static const unsigned char suiteb_sigalgs[] = {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]936 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
937 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]938};
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]939#endif
Dr. Stephen Hensonb7bfe692012-07-18 14:09:46 +0000[diff] [blame]940size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]941{
942 /*
943 * If Suite B mode use Suite B sigalgs only, ignore any other
944 * preferences.
945 */
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]946#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]947 switch (tls1_suiteb(s)) {
948 case SSL_CERT_FLAG_SUITEB_128_LOS:
949 *psigs = suiteb_sigalgs;
950 return sizeof(suiteb_sigalgs);
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]951
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]952 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
953 *psigs = suiteb_sigalgs;
954 return 2;
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]955
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]956 case SSL_CERT_FLAG_SUITEB_192_LOS:
957 *psigs = suiteb_sigalgs + 2;
958 return 2;
959 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]960#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]961 /* If server use client authentication sigalgs if not NULL */
962 if (s->server && s->cert->client_sigalgs) {
963 *psigs = s->cert->client_sigalgs;
964 return s->cert->client_sigalgslen;
965 } else if (s->cert->conf_sigalgs) {
966 *psigs = s->cert->conf_sigalgs;
967 return s->cert->conf_sigalgslen;
968 } else {
969 *psigs = tls12_sigalgs;
970 return sizeof(tls12_sigalgs);
971 }
972}
973
974/*
975 * Check signature algorithm is consistent with sent supported signature
Dr. Stephen Hensonec4a50b2012-07-24 18:11:27 +0000[diff] [blame]976 * algorithms and if so return relevant digest.
977 */
978int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]979 const unsigned char *sig, EVP_PKEY *pkey)
980{
981 const unsigned char *sent_sigs;
982 size_t sent_sigslen, i;
983 int sigalg = tls12_get_sigid(pkey);
984 /* Should never happen */
985 if (sigalg == -1)
986 return -1;
987 /* Check key type is consistent with signature */
988 if (sigalg != (int)sig[1]) {
989 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
990 return 0;
991 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]992#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]993 if (pkey->type == EVP_PKEY_EC) {
994 unsigned char curve_id[2], comp_id;
995 /* Check compression and curve matches extensions */
996 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
997 return 0;
998 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
999 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
1000 return 0;
1001 }
1002 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1003 if (tls1_suiteb(s)) {
1004 if (curve_id[0])
1005 return 0;
1006 if (curve_id[1] == TLSEXT_curve_P_256) {
1007 if (sig[0] != TLSEXT_hash_sha256) {
1008 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1009 SSL_R_ILLEGAL_SUITEB_DIGEST);
1010 return 0;
1011 }
1012 } else if (curve_id[1] == TLSEXT_curve_P_384) {
1013 if (sig[0] != TLSEXT_hash_sha384) {
1014 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1015 SSL_R_ILLEGAL_SUITEB_DIGEST);
1016 return 0;
1017 }
1018 } else
1019 return 0;
1020 }
1021 } else if (tls1_suiteb(s))
1022 return 0;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1023#endif
Dr. Stephen Henson2ea80352012-08-15 15:15:05 +0000[diff] [blame]1024
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1025 /* Check signature matches a type we sent */
1026 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1027 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1028 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1029 break;
1030 }
1031 /* Allow fallback to SHA1 if not strict mode */
1032 if (i == sent_sigslen
1033 && (sig[0] != TLSEXT_hash_sha1
1034 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1035 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1036 return 0;
1037 }
1038 *pmd = tls12_get_hash(sig[0]);
1039 if (*pmd == NULL) {
1040 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1041 return 0;
1042 }
1043 /* Make sure security callback allows algorithm */
1044 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1045 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1046 (void *)sig)) {
1047 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1048 return 0;
1049 }
1050 /*
1051 * Store the digest used so applications can retrieve it if they wish.
1052 */
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]1053 s->s3->tmp.peer_md = *pmd;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1054 return 1;
1055}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]1056
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1057/*
1058 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1059 * supported or doesn't appear in supported signature algorithms. Unlike
1060 * ssl_cipher_get_disabled this applies to a specific session and not global
1061 * settings.
Dr. Stephen Hensonb7bfe692012-07-18 14:09:46 +0000[diff] [blame]1062 */
1063void ssl_set_client_disabled(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1064{
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]1065 s->s3->tmp.mask_a = 0;
1066 s->s3->tmp.mask_k = 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1067 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1068 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]1069 s->s3->tmp.mask_ssl = SSL_TLSV1_2;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1070 else
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]1071 s->s3->tmp.mask_ssl = 0;
Dr. Stephen Henson2b573382015-11-13 14:37:24 +0000[diff] [blame]1072 /* Disable TLS 1.0 ciphers if using SSL v3 */
1073 if (s->client_version == SSL3_VERSION)
1074 s->s3->tmp.mask_ssl |= SSL_TLSV1;
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]1075 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1076 /*
1077 * Disable static DH if we don't include any appropriate signature
1078 * algorithms.
1079 */
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]1080 if (s->s3->tmp.mask_a & SSL_aRSA)
Dr. Stephen Hensonbc71f912015-12-15 23:57:18 +0000[diff] [blame]1081 s->s3->tmp.mask_k |= SSL_kECDHr;
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]1082 if (s->s3->tmp.mask_a & SSL_aECDSA)
1083 s->s3->tmp.mask_k |= SSL_kECDHe;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1084# ifndef OPENSSL_NO_PSK
1085 /* with PSK there must be client callback set */
1086 if (!s->psk_client_callback) {
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]1087 s->s3->tmp.mask_a |= SSL_aPSK;
Dr. Stephen Hensonfe5eef32015-06-28 17:01:07 +0100[diff] [blame]1088 s->s3->tmp.mask_k |= SSL_PSK;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1089 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1090#endif /* OPENSSL_NO_PSK */
1091#ifndef OPENSSL_NO_SRP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1092 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]1093 s->s3->tmp.mask_a |= SSL_aSRP;
1094 s->s3->tmp.mask_k |= SSL_kSRP;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1095 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1096#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1097}
Dr. Stephen Hensonfc101f82011-05-11 16:33:28 +0000[diff] [blame]1098
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]1099int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1100{
Dr. Stephen Henson4d69f9e2015-05-18 23:29:57 +0100[diff] [blame]1101 if (c->algorithm_ssl & s->s3->tmp.mask_ssl
1102 || c->algorithm_mkey & s->s3->tmp.mask_k
1103 || c->algorithm_auth & s->s3->tmp.mask_a)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1104 return 1;
1105 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1106}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]1107
1108static int tls_use_ticket(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1109{
1110 if (s->options & SSL_OP_NO_TICKET)
1111 return 0;
1112 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1113}
Dr. Stephen Henson8b8e5be2014-01-14 14:55:21 +0000[diff] [blame]1114
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1115unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1116 unsigned char *limit, int *al)
1117{
1118 int extdatalen = 0;
1119 unsigned char *orig = buf;
1120 unsigned char *ret = buf;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1121#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1122 /* See if we support any ECC ciphersuites */
1123 int using_ecc = 0;
1124 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1125 int i;
1126 unsigned long alg_k, alg_a;
1127 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]1128
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1129 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
Dr. Stephen Henson4a640fb2015-12-23 00:47:28 +0000[diff] [blame]1130 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
Dr. Stephen Hensond0595f12012-03-28 15:05:04 +0000[diff] [blame]1131
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1132 alg_k = c->algorithm_mkey;
1133 alg_a = c->algorithm_auth;
Dr. Stephen Henson13be69f2015-06-30 16:39:41 +0100[diff] [blame]1134 if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1135 || (alg_a & SSL_aECDSA))) {
1136 using_ecc = 1;
1137 break;
1138 }
Dr. Stephen Henson5a3d8ee2014-11-03 17:47:11 +0000[diff] [blame]1139 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1140 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1141#endif
Dr. Stephen Henson5a3d8ee2014-11-03 17:47:11 +0000[diff] [blame]1142
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1143 ret += 2;
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]1144
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1145 if (ret >= limit)
1146 return NULL; /* this really never occurs, but ... */
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]1147
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1148 /* Add RI if renegotiating */
1149 if (s->renegotiate) {
1150 int el;
Ben Laurieedc032b2011-03-12 17:01:19 +0000[diff] [blame]1151
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1152 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1153 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1154 return NULL;
Dr. Stephen Henson860c3dd2009-11-11 14:51:19 +0000[diff] [blame]1155 }
1156
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1157 if ((limit - ret - 4 - el) < 0)
1158 return NULL;
Dr. Stephen Henson5a3d8ee2014-11-03 17:47:11 +0000[diff] [blame]1159
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1160 s2n(TLSEXT_TYPE_renegotiate, ret);
1161 s2n(el, ret);
Dr. Stephen Henson5a3d8ee2014-11-03 17:47:11 +0000[diff] [blame]1162
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1163 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1164 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1165 return NULL;
1166 }
Dr. Stephen Henson5a3d8ee2014-11-03 17:47:11 +0000[diff] [blame]1167
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1168 ret += el;
1169 }
1170 /* Only add RI for SSLv3 */
1171 if (s->client_version == SSL3_VERSION)
1172 goto done;
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]1173
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1174 if (s->tlsext_hostname != NULL) {
1175 /* Add TLS extension servername to the Client Hello message */
1176 unsigned long size_str;
1177 long lenmax;
Dr. Stephen Henson5087afa2012-11-26 18:38:10 +0000[diff] [blame]1178
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]1179 /*-
1180 * check for enough space.
1181 * 4 for the servername type and entension length
1182 * 2 for servernamelist length
1183 * 1 for the hostname type
1184 * 2 for hostname length
1185 * + hostname length
1186 */
Bodo Möllera70183b2006-03-30 02:53:30 +0000[diff] [blame]1187
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1188 if ((lenmax = limit - ret - 9) < 0
1189 || (size_str =
1190 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1191 return NULL;
Dr. Stephen Henson67c8e7f2007-09-26 21:56:59 +0000[diff] [blame]1192
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1193 /* extension type and length */
1194 s2n(TLSEXT_TYPE_server_name, ret);
1195 s2n(size_str + 5, ret);
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]1196
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1197 /* length of servername list */
1198 s2n(size_str + 3, ret);
Dr. Stephen Henson67c8e7f2007-09-26 21:56:59 +0000[diff] [blame]1199
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1200 /* hostname type, length and hostname */
1201 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1202 s2n(size_str, ret);
1203 memcpy(ret, s->tlsext_hostname, size_str);
1204 ret += size_str;
1205 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1206#ifndef OPENSSL_NO_SRP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1207 /* Add SRP username if there is one */
1208 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1209 * Client Hello message */
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]1210
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1211 int login_len = strlen(s->srp_ctx.login);
1212 if (login_len > 255 || login_len == 0) {
1213 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1214 return NULL;
1215 }
Ben Laurie333f9262011-11-15 22:59:20 +0000[diff] [blame]1216
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]1217 /*-
1218 * check for enough space.
1219 * 4 for the srp type type and entension length
1220 * 1 for the srp user identity
1221 * + srp user identity length
1222 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1223 if ((limit - ret - 5 - login_len) < 0)
1224 return NULL;
Ben Laurie333f9262011-11-15 22:59:20 +0000[diff] [blame]1225
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1226 /* fill in the extension */
1227 s2n(TLSEXT_TYPE_srp, ret);
1228 s2n(login_len + 1, ret);
1229 (*ret++) = (unsigned char)login_len;
1230 memcpy(ret, s->srp_ctx.login, login_len);
1231 ret += login_len;
1232 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1233#endif
Ben Laurie333f9262011-11-15 22:59:20 +0000[diff] [blame]1234
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1235#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1236 if (using_ecc) {
1237 /*
1238 * Add TLS extension ECPointFormats to the ClientHello message
1239 */
1240 long lenmax;
1241 const unsigned char *pcurves, *pformats;
1242 size_t num_curves, num_formats, curves_list_len;
1243 size_t i;
1244 unsigned char *etmp;
Ben Laurie333f9262011-11-15 22:59:20 +0000[diff] [blame]1245
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1246 tls1_get_formatlist(s, &pformats, &num_formats);
Ben Laurie333f9262011-11-15 22:59:20 +0000[diff] [blame]1247
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1248 if ((lenmax = limit - ret - 5) < 0)
1249 return NULL;
1250 if (num_formats > (size_t)lenmax)
1251 return NULL;
1252 if (num_formats > 255) {
1253 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1254 return NULL;
1255 }
Dr. Stephen Henson0e1dba92007-10-26 12:06:36 +0000[diff] [blame]1256
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1257 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1258 /* The point format list has 1-byte length. */
1259 s2n(num_formats + 1, ret);
1260 *(ret++) = (unsigned char)num_formats;
1261 memcpy(ret, pformats, num_formats);
1262 ret += num_formats;
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]1263
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1264 /*
1265 * Add TLS extension EllipticCurves to the ClientHello message
1266 */
1267 pcurves = s->tlsext_ellipticcurvelist;
1268 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1269 return NULL;
Dr. Stephen Henson192540b2012-01-05 00:23:17 +0000[diff] [blame]1270
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1271 if ((lenmax = limit - ret - 6) < 0)
1272 return NULL;
1273 if (num_curves > (size_t)lenmax / 2)
1274 return NULL;
1275 if (num_curves > 65532 / 2) {
1276 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1277 return NULL;
1278 }
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]1279
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1280 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1281 etmp = ret + 4;
1282 /* Copy curve ID if supported */
1283 for (i = 0; i < num_curves; i++, pcurves += 2) {
1284 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1285 *etmp++ = pcurves[0];
1286 *etmp++ = pcurves[1];
1287 }
1288 }
Ben Laurieee2ffc22010-07-28 10:06:55 +0000[diff] [blame]1289
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1290 curves_list_len = etmp - ret - 4;
Trevora398f822013-05-12 18:55:27 -0700[diff] [blame]1291
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1292 s2n(curves_list_len + 2, ret);
1293 s2n(curves_list_len, ret);
1294 ret += curves_list_len;
1295 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1296#endif /* OPENSSL_NO_EC */
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1297
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1298 if (tls_use_ticket(s)) {
1299 int ticklen;
1300 if (!s->new_session && s->session && s->session->tlsext_tick)
1301 ticklen = s->session->tlsext_ticklen;
1302 else if (s->session && s->tlsext_session_ticket &&
1303 s->tlsext_session_ticket->data) {
1304 ticklen = s->tlsext_session_ticket->length;
1305 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]1306 if (s->session->tlsext_tick == NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1307 return NULL;
1308 memcpy(s->session->tlsext_tick,
1309 s->tlsext_session_ticket->data, ticklen);
1310 s->session->tlsext_ticklen = ticklen;
1311 } else
1312 ticklen = 0;
1313 if (ticklen == 0 && s->tlsext_session_ticket &&
1314 s->tlsext_session_ticket->data == NULL)
1315 goto skip_ext;
1316 /*
1317 * Check for enough room 2 for extension type, 2 for len rest for
1318 * ticket
1319 */
1320 if ((long)(limit - ret - 4 - ticklen) < 0)
1321 return NULL;
1322 s2n(TLSEXT_TYPE_session_ticket, ret);
1323 s2n(ticklen, ret);
1324 if (ticklen) {
1325 memcpy(ret, s->session->tlsext_tick, ticklen);
1326 ret += ticklen;
1327 }
1328 }
1329 skip_ext:
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1330
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1331 if (SSL_USE_SIGALGS(s)) {
1332 size_t salglen;
1333 const unsigned char *salg;
1334 unsigned char *etmp;
1335 salglen = tls12_get_psigalgs(s, &salg);
1336 if ((size_t)(limit - ret) < salglen + 6)
1337 return NULL;
1338 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1339 etmp = ret;
1340 /* Skip over lengths for now */
1341 ret += 4;
1342 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1343 /* Fill in lengths */
1344 s2n(salglen + 2, etmp);
1345 s2n(salglen, etmp);
1346 ret += salglen;
1347 }
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]1348
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1349 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1350 int i;
1351 long extlen, idlen, itmp;
1352 OCSP_RESPID *id;
1353
1354 idlen = 0;
1355 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1356 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1357 itmp = i2d_OCSP_RESPID(id, NULL);
1358 if (itmp <= 0)
1359 return NULL;
1360 idlen += itmp + 2;
1361 }
1362
1363 if (s->tlsext_ocsp_exts) {
1364 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1365 if (extlen < 0)
1366 return NULL;
1367 } else
1368 extlen = 0;
1369
1370 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1371 return NULL;
1372 s2n(TLSEXT_TYPE_status_request, ret);
1373 if (extlen + idlen > 0xFFF0)
1374 return NULL;
1375 s2n(extlen + idlen + 5, ret);
1376 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1377 s2n(idlen, ret);
1378 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1379 /* save position of id len */
1380 unsigned char *q = ret;
1381 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1382 /* skip over id len */
1383 ret += 2;
1384 itmp = i2d_OCSP_RESPID(id, &ret);
1385 /* write id len */
1386 s2n(itmp, q);
1387 }
1388 s2n(extlen, ret);
1389 if (extlen > 0)
1390 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1391 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1392#ifndef OPENSSL_NO_HEARTBEATS
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1393 /* Add Heartbeat extension */
1394 if ((limit - ret - 4 - 1) < 0)
1395 return NULL;
1396 s2n(TLSEXT_TYPE_heartbeat, ret);
1397 s2n(1, ret);
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]1398 /*-
1399 * Set mode:
1400 * 1: peer may send requests
1401 * 2: peer not allowed to send requests
1402 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1403 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1404 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1405 else
1406 *(ret++) = SSL_TLSEXT_HB_ENABLED;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1407#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1408
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1409#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1410 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1411 /*
1412 * The client advertises an emtpy extension to indicate its support
1413 * for Next Protocol Negotiation
1414 */
1415 if (limit - ret - 4 < 0)
1416 return NULL;
1417 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1418 s2n(0, ret);
1419 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1420#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1421
1422 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1423 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1424 return NULL;
1425 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1426 s2n(2 + s->alpn_client_proto_list_len, ret);
1427 s2n(s->alpn_client_proto_list_len, ret);
1428 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1429 ret += s->alpn_client_proto_list_len;
1430 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1431#ifndef OPENSSL_NO_SRTP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1432 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1433 int el;
1434
Matt Caswell69f68232015-03-06 14:37:17 +0000[diff] [blame]1435 /* Returns 0 on success!! */
1436 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1437 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1438 return NULL;
1439 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1440
1441 if ((limit - ret - 4 - el) < 0)
1442 return NULL;
1443
1444 s2n(TLSEXT_TYPE_use_srtp, ret);
1445 s2n(el, ret);
1446
1447 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1448 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1449 return NULL;
1450 }
1451 ret += el;
1452 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1453#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1454 custom_ext_init(&s->cert->cli_ext);
1455 /* Add custom TLS Extensions to ClientHello */
1456 if (!custom_ext_add(s, 0, &ret, limit, al))
1457 return NULL;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1458#ifdef TLSEXT_TYPE_encrypt_then_mac
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1459 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1460 s2n(0, ret);
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1461#endif
Dr. Stephen Hensonddc06b32015-01-23 02:45:13 +0000[diff] [blame]1462 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1463 s2n(0, ret);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1464
1465 /*
1466 * Add padding to workaround bugs in F5 terminators. See
1467 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1468 * code works out the length of all existing extensions it MUST always
1469 * appear last.
1470 */
1471 if (s->options & SSL_OP_TLSEXT_PADDING) {
1472 int hlen = ret - (unsigned char *)s->init_buf->data;
Matt Caswella3680c82015-03-31 13:57:46 +0100[diff] [blame]1473
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1474 if (hlen > 0xff && hlen < 0x200) {
1475 hlen = 0x200 - hlen;
1476 if (hlen >= 4)
1477 hlen -= 4;
1478 else
1479 hlen = 0;
1480
1481 s2n(TLSEXT_TYPE_padding, ret);
1482 s2n(hlen, ret);
1483 memset(ret, 0, hlen);
1484 ret += hlen;
1485 }
1486 }
1487
1488 done:
1489
1490 if ((extdatalen = ret - orig - 2) == 0)
1491 return orig;
1492
1493 s2n(extdatalen, orig);
1494 return ret;
1495}
1496
1497unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1498 unsigned char *limit, int *al)
1499{
1500 int extdatalen = 0;
1501 unsigned char *orig = buf;
1502 unsigned char *ret = buf;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1503#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1504 int next_proto_neg_seen;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1505#endif
1506#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1507 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1508 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1509 int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
1510 || (alg_a & SSL_aECDSA);
1511 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1512#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1513
1514 ret += 2;
1515 if (ret >= limit)
1516 return NULL; /* this really never occurs, but ... */
1517
1518 if (s->s3->send_connection_binding) {
1519 int el;
1520
1521 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1522 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1523 return NULL;
1524 }
1525
1526 if ((limit - ret - 4 - el) < 0)
1527 return NULL;
1528
1529 s2n(TLSEXT_TYPE_renegotiate, ret);
1530 s2n(el, ret);
1531
1532 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1533 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1534 return NULL;
1535 }
1536
1537 ret += el;
1538 }
1539
1540 /* Only add RI for SSLv3 */
1541 if (s->version == SSL3_VERSION)
1542 goto done;
1543
1544 if (!s->hit && s->servername_done == 1
1545 && s->session->tlsext_hostname != NULL) {
1546 if ((long)(limit - ret - 4) < 0)
1547 return NULL;
1548
1549 s2n(TLSEXT_TYPE_server_name, ret);
1550 s2n(0, ret);
1551 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1552#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1553 if (using_ecc) {
1554 const unsigned char *plist;
1555 size_t plistlen;
1556 /*
1557 * Add TLS extension ECPointFormats to the ServerHello message
1558 */
1559 long lenmax;
1560
1561 tls1_get_formatlist(s, &plist, &plistlen);
1562
1563 if ((lenmax = limit - ret - 5) < 0)
1564 return NULL;
1565 if (plistlen > (size_t)lenmax)
1566 return NULL;
1567 if (plistlen > 255) {
1568 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1569 return NULL;
1570 }
1571
1572 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1573 s2n(plistlen + 1, ret);
1574 *(ret++) = (unsigned char)plistlen;
1575 memcpy(ret, plist, plistlen);
1576 ret += plistlen;
1577
1578 }
1579 /*
1580 * Currently the server should not respond with a SupportedCurves
1581 * extension
1582 */
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1583#endif /* OPENSSL_NO_EC */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1584
1585 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1586 if ((long)(limit - ret - 4) < 0)
1587 return NULL;
1588 s2n(TLSEXT_TYPE_session_ticket, ret);
1589 s2n(0, ret);
1590 }
1591
1592 if (s->tlsext_status_expected) {
1593 if ((long)(limit - ret - 4) < 0)
1594 return NULL;
1595 s2n(TLSEXT_TYPE_status_request, ret);
1596 s2n(0, ret);
1597 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1598
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1599#ifndef OPENSSL_NO_SRTP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1600 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1601 int el;
1602
Matt Caswell69f68232015-03-06 14:37:17 +0000[diff] [blame]1603 /* Returns 0 on success!! */
Viktor Dukhovni61986d32015-04-16 01:50:03 -0400[diff] [blame]1604 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
Matt Caswell69f68232015-03-06 14:37:17 +0000[diff] [blame]1605 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1606 return NULL;
1607 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1608 if ((limit - ret - 4 - el) < 0)
1609 return NULL;
1610
1611 s2n(TLSEXT_TYPE_use_srtp, ret);
1612 s2n(el, ret);
1613
1614 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1615 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1616 return NULL;
1617 }
1618 ret += el;
1619 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1620#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1621
1622 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1623 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1624 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1625 const unsigned char cryptopro_ext[36] = {
1626 0xfd, 0xe8, /* 65000 */
1627 0x00, 0x20, /* 32 bytes length */
1628 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1629 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1630 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1631 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1632 };
1633 if (limit - ret < 36)
1634 return NULL;
1635 memcpy(ret, cryptopro_ext, 36);
1636 ret += 36;
1637
1638 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1639#ifndef OPENSSL_NO_HEARTBEATS
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1640 /* Add Heartbeat extension if we've received one */
1641 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1642 if ((limit - ret - 4 - 1) < 0)
1643 return NULL;
1644 s2n(TLSEXT_TYPE_heartbeat, ret);
1645 s2n(1, ret);
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]1646 /*-
1647 * Set mode:
1648 * 1: peer may send requests
1649 * 2: peer not allowed to send requests
1650 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1651 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1652 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1653 else
1654 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1655
1656 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1657#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1658
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1659#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1660 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1661 s->s3->next_proto_neg_seen = 0;
1662 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1663 const unsigned char *npa;
1664 unsigned int npalen;
1665 int r;
1666
1667 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1668 s->
1669 ctx->next_protos_advertised_cb_arg);
1670 if (r == SSL_TLSEXT_ERR_OK) {
1671 if ((long)(limit - ret - 4 - npalen) < 0)
1672 return NULL;
1673 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1674 s2n(npalen, ret);
1675 memcpy(ret, npa, npalen);
1676 ret += npalen;
1677 s->s3->next_proto_neg_seen = 1;
1678 }
1679 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1680#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1681 if (!custom_ext_add(s, 1, &ret, limit, al))
1682 return NULL;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1683#ifdef TLSEXT_TYPE_encrypt_then_mac
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1684 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1685 /*
1686 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1687 * for other cases too.
1688 */
1689 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]1690 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1691 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1692 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1693 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1694 else {
1695 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1696 s2n(0, ret);
1697 }
1698 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1699#endif
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]1700 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
Dr. Stephen Hensonddc06b32015-01-23 02:45:13 +0000[diff] [blame]1701 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1702 s2n(0, ret);
1703 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1704
1705 if (s->s3->alpn_selected) {
1706 const unsigned char *selected = s->s3->alpn_selected;
1707 unsigned len = s->s3->alpn_selected_len;
1708
1709 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1710 return NULL;
1711 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1712 s2n(3 + len, ret);
1713 s2n(1 + len, ret);
1714 *ret++ = len;
1715 memcpy(ret, selected, len);
1716 ret += len;
1717 }
1718
1719 done:
1720
1721 if ((extdatalen = ret - orig - 2) == 0)
1722 return orig;
1723
1724 s2n(extdatalen, orig);
1725 return ret;
1726}
1727
1728/*
1729 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1730 * ClientHello. data: the contents of the extension, not including the type
1731 * and length. data_len: the number of bytes in |data| al: a pointer to the
1732 * alert value to send in the event of a non-zero return. returns: 0 on
1733 * success.
1734 */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1735static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1736{
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1737 unsigned int data_len;
1738 unsigned int proto_len;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1739 const unsigned char *selected;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1740 unsigned char *data;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1741 unsigned char selected_len;
1742 int r;
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1743
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1744 if (s->ctx->alpn_select_cb == NULL)
1745 return 0;
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1746
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1747 /*
1748 * data should contain a uint16 length followed by a series of 8-bit,
1749 * length-prefixed strings.
1750 */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1751 if (!PACKET_get_net_2(pkt, &data_len)
1752 || PACKET_remaining(pkt) != data_len
1753 || !PACKET_peek_bytes(pkt, &data, data_len))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1754 goto parse_error;
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1755
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1756 do {
1757 if (!PACKET_get_1(pkt, &proto_len)
1758 || proto_len == 0
1759 || !PACKET_forward(pkt, proto_len))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1760 goto parse_error;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1761 } while (PACKET_remaining(pkt));
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1762
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1763 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1764 s->ctx->alpn_select_cb_arg);
1765 if (r == SSL_TLSEXT_ERR_OK) {
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]1766 OPENSSL_free(s->s3->alpn_selected);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1767 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]1768 if (s->s3->alpn_selected == NULL) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1769 *al = SSL_AD_INTERNAL_ERROR;
1770 return -1;
1771 }
1772 memcpy(s->s3->alpn_selected, selected, selected_len);
1773 s->s3->alpn_selected_len = selected_len;
1774 }
1775 return 0;
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1776
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1777 parse_error:
1778 *al = SSL_AD_DECODE_ERROR;
1779 return -1;
1780}
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1781
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1782#ifndef OPENSSL_NO_EC
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]1783/*-
1784 * ssl_check_for_safari attempts to fingerprint Safari using OS X
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1785 * SecureTransport using the TLS extension block in |d|, of length |n|.
1786 * Safari, since 10.6, sends exactly these extensions, in this order:
1787 * SNI,
1788 * elliptic_curves
1789 * ec_point_formats
1790 *
1791 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1792 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1793 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1794 * 10.8..10.8.3 (which don't work).
1795 */
Matt Caswell68a16622015-10-07 15:20:47 +0100[diff] [blame]1796static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1797{
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1798 unsigned int type, size;
1799 unsigned char *eblock1, *eblock2;
Matt Caswell68a16622015-10-07 15:20:47 +0100[diff] [blame]1800 PACKET tmppkt;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1801
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1802 static const unsigned char kSafariExtensionsBlock[] = {
1803 0x00, 0x0a, /* elliptic_curves extension */
1804 0x00, 0x08, /* 8 bytes */
1805 0x00, 0x06, /* 6 bytes of curve ids */
1806 0x00, 0x17, /* P-256 */
1807 0x00, 0x18, /* P-384 */
1808 0x00, 0x19, /* P-521 */
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1809
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1810 0x00, 0x0b, /* ec_point_formats */
1811 0x00, 0x02, /* 2 bytes */
1812 0x01, /* 1 point format */
1813 0x00, /* uncompressed */
1814 };
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1815
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1816 /* The following is only present in TLS 1.2 */
1817 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1818 0x00, 0x0d, /* signature_algorithms */
1819 0x00, 0x0c, /* 12 bytes */
1820 0x00, 0x0a, /* 10 bytes */
1821 0x05, 0x01, /* SHA-384/RSA */
1822 0x04, 0x01, /* SHA-256/RSA */
1823 0x02, 0x01, /* SHA-1/RSA */
1824 0x04, 0x03, /* SHA-256/ECDSA */
1825 0x02, 0x03, /* SHA-1/ECDSA */
1826 };
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1827
Matt Caswell68a16622015-10-07 15:20:47 +0100[diff] [blame]1828 tmppkt = *pkt;
1829
1830 if (!PACKET_forward(&tmppkt, 2)
1831 || !PACKET_get_net_2(&tmppkt, &type)
1832 || !PACKET_get_net_2(&tmppkt, &size)
1833 || !PACKET_forward(&tmppkt, size))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1834 return;
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1835
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1836 if (type != TLSEXT_TYPE_server_name)
1837 return;
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1838
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1839 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1840 const size_t len1 = sizeof(kSafariExtensionsBlock);
1841 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1842
Matt Caswell68a16622015-10-07 15:20:47 +0100[diff] [blame]1843 if (!PACKET_get_bytes(&tmppkt, &eblock1, len1)
1844 || !PACKET_get_bytes(&tmppkt, &eblock2, len2)
1845 || PACKET_remaining(&tmppkt))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1846 return;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1847 if (memcmp(eblock1, kSafariExtensionsBlock, len1) != 0)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1848 return;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1849 if (memcmp(eblock2, kSafariTLS12ExtensionsBlock, len2) != 0)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1850 return;
1851 } else {
1852 const size_t len = sizeof(kSafariExtensionsBlock);
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1853
Matt Caswell68a16622015-10-07 15:20:47 +0100[diff] [blame]1854 if (!PACKET_get_bytes(&tmppkt, &eblock1, len)
1855 || PACKET_remaining(&tmppkt))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1856 return;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1857 if (memcmp(eblock1, kSafariExtensionsBlock, len) != 0)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1858 return;
1859 }
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1860
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1861 s->s3->is_probably_safari = 1;
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1862}
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1863#endif /* !OPENSSL_NO_EC */
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1864
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1865static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1866{
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1867 unsigned int type;
1868 unsigned int size;
1869 unsigned int len;
1870 unsigned char *data;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1871 int renegotiate_seen = 0;
Dr. Stephen Hensonecf4d662014-08-10 12:08:08 +0100[diff] [blame]1872
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1873 s->servername_done = 0;
1874 s->tlsext_status_type = -1;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1875#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1876 s->s3->next_proto_neg_seen = 0;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1877#endif
Dr. Stephen Henson860c3dd2009-11-11 14:51:19 +0000[diff] [blame]1878
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]1879 OPENSSL_free(s->s3->alpn_selected);
1880 s->s3->alpn_selected = NULL;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1881#ifndef OPENSSL_NO_HEARTBEATS
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1882 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1883 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1884#endif
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]1885
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1886#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1887 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1888 ssl_check_for_safari(s, pkt);
1889# endif /* !OPENSSL_NO_EC */
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]1890
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1891 /* Clear any signature algorithms extension received */
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]1892 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1893 s->s3->tmp.peer_sigalgs = NULL;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1894#ifdef TLSEXT_TYPE_encrypt_then_mac
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1895 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1896#endif
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1897
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1898#ifndef OPENSSL_NO_SRP
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]1899 OPENSSL_free(s->srp_ctx.login);
1900 s->srp_ctx.login = NULL;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1901#endif
Rob Stradlingdece3202013-09-05 13:09:03 +0100[diff] [blame]1902
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1903 s->srtp_profile = NULL;
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]1904
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1905 if (PACKET_remaining(pkt) == 0)
Adam Langley1ae3fdb2015-06-12 08:05:49 +0100[diff] [blame]1906 goto ri_check;
1907
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1908 if (!PACKET_get_net_2(pkt, &len))
Adam Langley1ae3fdb2015-06-12 08:05:49 +0100[diff] [blame]1909 goto err;
1910
Alessandro Ghedini52a48f92015-10-02 13:43:29 +0200[diff] [blame]1911 if (PACKET_remaining(pkt) != len)
1912 goto err;
1913
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1914 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
1915 PACKET subpkt;
Dr. Stephen Henson5e3ff622013-03-22 17:12:33 +0000[diff] [blame]1916
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1917 if (!PACKET_peek_bytes(pkt, &data, size))
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]1918 goto err;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1919
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1920 if (s->tlsext_debug_cb)
1921 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1922
1923 if (!PACKET_get_sub_packet(pkt, &subpkt, size))
1924 goto err;
1925
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1926 if (type == TLSEXT_TYPE_renegotiate) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1927 if (!ssl_parse_clienthello_renegotiate_ext(s, &subpkt, al))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1928 return 0;
1929 renegotiate_seen = 1;
1930 } else if (s->version == SSL3_VERSION) {
1931 }
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]1932/*-
1933 * The servername extension is treated as follows:
1934 *
1935 * - Only the hostname type is supported with a maximum length of 255.
1936 * - The servername is rejected if too long or if it contains zeros,
1937 * in which case an fatal alert is generated.
1938 * - The servername field is maintained together with the session cache.
1939 * - When a session is resumed, the servername call back invoked in order
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1940 * to allow the application to position itself to the right context.
1941 * - The servername is acknowledged if it is new for a session or when
1942 * it is identical to a previously used for the same session.
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]1943 * Applications can control the behaviour. They can at any time
1944 * set a 'desirable' servername for a new SSL object. This can be the
1945 * case for example with HTTPS when a Host: header field is received and
1946 * a renegotiation is requested. In this case, a possible servername
1947 * presented in the new client hello is only acknowledged if it matches
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1948 * the value of the Host: field.
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]1949 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1950 * if they provide for changing an explicit servername context for the
1951 * session, i.e. when the session has been established with a servername
1952 * extension.
1953 * - On session reconnect, the servername extension may be absent.
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]1954 *
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1955 */
Bodo Möllera13c20f2006-01-09 19:49:05 +0000[diff] [blame]1956
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1957 else if (type == TLSEXT_TYPE_server_name) {
1958 unsigned char *sdata;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1959 unsigned int servname_type;
1960 unsigned int dsize;
1961 PACKET ssubpkt;
Bodo Möllera70183b2006-03-30 02:53:30 +0000[diff] [blame]1962
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1963 if (!PACKET_get_net_2(&subpkt, &dsize)
1964 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]1965 goto err;
Bodo Möllera70183b2006-03-30 02:53:30 +0000[diff] [blame]1966
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1967 while (PACKET_remaining(&ssubpkt) > 3) {
1968 if (!PACKET_get_1(&ssubpkt, &servname_type)
1969 || !PACKET_get_net_2(&ssubpkt, &len)
1970 || PACKET_remaining(&ssubpkt) < len)
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]1971 goto err;
1972
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1973 if (s->servername_done == 0)
1974 switch (servname_type) {
1975 case TLSEXT_NAMETYPE_host_name:
1976 if (!s->hit) {
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]1977 if (s->session->tlsext_hostname)
1978 goto err;
1979
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1980 if (len > TLSEXT_MAXLEN_host_name) {
1981 *al = TLS1_AD_UNRECOGNIZED_NAME;
1982 return 0;
1983 }
1984 if ((s->session->tlsext_hostname =
1985 OPENSSL_malloc(len + 1)) == NULL) {
1986 *al = TLS1_AD_INTERNAL_ERROR;
1987 return 0;
1988 }
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]1989 if (!PACKET_copy_bytes(&ssubpkt,
1990 (unsigned char *)s->session
1991 ->tlsext_hostname,
1992 len)) {
1993 *al = SSL_AD_DECODE_ERROR;
1994 return 0;
1995 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1996 s->session->tlsext_hostname[len] = '\0';
1997 if (strlen(s->session->tlsext_hostname) != len) {
1998 OPENSSL_free(s->session->tlsext_hostname);
1999 s->session->tlsext_hostname = NULL;
2000 *al = TLS1_AD_UNRECOGNIZED_NAME;
2001 return 0;
2002 }
2003 s->servername_done = 1;
Bodo Möllerf1fd4542006-01-03 03:27:19 +0000[diff] [blame]2004
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2005 } else {
2006 if (!PACKET_get_bytes(&ssubpkt, &sdata, len)) {
2007 *al = SSL_AD_DECODE_ERROR;
2008 return 0;
2009 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2010 s->servername_done = s->session->tlsext_hostname
2011 && strlen(s->session->tlsext_hostname) == len
2012 && strncmp(s->session->tlsext_hostname,
2013 (char *)sdata, len) == 0;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2014 }
Bodo Möllera70183b2006-03-30 02:53:30 +0000[diff] [blame]2015
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2016 break;
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2017
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2018 default:
2019 break;
2020 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2021 }
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2022 /* We shouldn't have any bytes left */
Matt Caswellbc6616a2015-08-03 17:20:47 +0100[diff] [blame]2023 if (PACKET_remaining(&ssubpkt) != 0)
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2024 goto err;
Bodo Möller33273722006-03-30 02:44:56 +0000[diff] [blame]2025
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2026 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2027#ifndef OPENSSL_NO_SRP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2028 else if (type == TLSEXT_TYPE_srp) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2029 if (!PACKET_get_1(&subpkt, &len)
2030 || s->srp_ctx.login != NULL)
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2031 goto err;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2032
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2033 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2034 return -1;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2035 if (!PACKET_copy_bytes(&subpkt, (unsigned char *)s->srp_ctx.login,
2036 len))
2037 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2038 s->srp_ctx.login[len] = '\0';
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]2039
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2040 if (strlen(s->srp_ctx.login) != len
2041 || PACKET_remaining(&subpkt))
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2042 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2043 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2044#endif
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]2045
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2046#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2047 else if (type == TLSEXT_TYPE_ec_point_formats) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2048 unsigned int ecpointformatlist_length;
Dr. Stephen Henson67c8e7f2007-09-26 21:56:59 +0000[diff] [blame]2049
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2050 if (!PACKET_get_1(&subpkt, &ecpointformatlist_length)
2051 || ecpointformatlist_length == 0)
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2052 goto err;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2053
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2054 if (!s->hit) {
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]2055 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2056 s->session->tlsext_ecpointformatlist = NULL;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2057 s->session->tlsext_ecpointformatlist_length = 0;
2058 if ((s->session->tlsext_ecpointformatlist =
2059 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2060 *al = TLS1_AD_INTERNAL_ERROR;
2061 return 0;
2062 }
2063 s->session->tlsext_ecpointformatlist_length =
2064 ecpointformatlist_length;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2065 if (!PACKET_copy_bytes(&subpkt,
2066 s->session->tlsext_ecpointformatlist,
2067 ecpointformatlist_length))
2068 goto err;
2069 } else if (!PACKET_forward(&subpkt, ecpointformatlist_length)) {
2070 goto err;
2071 }
2072 /* We should have consumed all the bytes by now */
2073 if (PACKET_remaining(&subpkt)) {
2074 *al = TLS1_AD_DECODE_ERROR;
2075 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2076 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2077 } else if (type == TLSEXT_TYPE_elliptic_curves) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2078 unsigned int ellipticcurvelist_length;
Dr. Stephen Henson67c8e7f2007-09-26 21:56:59 +0000[diff] [blame]2079
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2080 /* Each NamedCurve is 2 bytes and we must have at least 1 */
2081 if (!PACKET_get_net_2(&subpkt, &ellipticcurvelist_length)
2082 || ellipticcurvelist_length == 0
2083 || (ellipticcurvelist_length & 1) != 0)
2084 goto err;
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2085
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2086 if (!s->hit) {
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2087 if (s->session->tlsext_ellipticcurvelist)
2088 goto err;
2089
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2090 s->session->tlsext_ellipticcurvelist_length = 0;
2091 if ((s->session->tlsext_ellipticcurvelist =
2092 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2093 *al = TLS1_AD_INTERNAL_ERROR;
2094 return 0;
2095 }
2096 s->session->tlsext_ellipticcurvelist_length =
2097 ellipticcurvelist_length;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2098 if (!PACKET_copy_bytes(&subpkt,
2099 s->session->tlsext_ellipticcurvelist,
2100 ellipticcurvelist_length))
2101 goto err;
2102 } else if (!PACKET_forward(&subpkt, ellipticcurvelist_length)) {
2103 goto err;
2104 }
2105 /* We should have consumed all the bytes by now */
2106 if (PACKET_remaining(&subpkt)) {
2107 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2108 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2109 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2110#endif /* OPENSSL_NO_EC */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2111 else if (type == TLSEXT_TYPE_session_ticket) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2112 if (!PACKET_forward(&subpkt, size)
2113 || (s->tls_session_ticket_ext_cb &&
2114 !s->tls_session_ticket_ext_cb(s, data, size,
2115 s->tls_session_ticket_ext_cb_arg))) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2116 *al = TLS1_AD_INTERNAL_ERROR;
2117 return 0;
2118 }
2119 } else if (type == TLSEXT_TYPE_signature_algorithms) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2120 unsigned int dsize;
2121
2122 if (s->s3->tmp.peer_sigalgs
2123 || !PACKET_get_net_2(&subpkt, &dsize)
2124 || (dsize & 1) != 0
2125 || (dsize == 0)
2126 || !PACKET_get_bytes(&subpkt, &data, dsize)
Matt Caswellbc6616a2015-08-03 17:20:47 +0100[diff] [blame]2127 || PACKET_remaining(&subpkt) != 0
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2128 || !tls1_save_sigalgs(s, data, dsize)) {
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2129 goto err;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2130 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2131 } else if (type == TLSEXT_TYPE_status_request) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2132 PACKET ssubpkt;
Trevora398f822013-05-12 18:55:27 -0700[diff] [blame]2133
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2134 if (!PACKET_get_1(&subpkt,
2135 (unsigned int *)&s->tlsext_status_type))
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2136 goto err;
Ben Lauriea9e1c502012-05-30 10:10:58 +0000[diff] [blame]2137
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2138 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2139 const unsigned char *sdata;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2140 unsigned int dsize;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2141 /* Read in responder_id_list */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2142 if (!PACKET_get_net_2(&subpkt, &dsize)
2143 || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2144 goto err;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2145
2146 while (PACKET_remaining(&ssubpkt)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2147 OCSP_RESPID *id;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2148 unsigned int idsize;
2149
2150 if (PACKET_remaining(&ssubpkt) < 4
2151 || !PACKET_get_net_2(&ssubpkt, &idsize)
2152 || !PACKET_get_bytes(&ssubpkt, &data, idsize)) {
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2153 goto err;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2154 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2155 sdata = data;
2156 data += idsize;
2157 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2158 if (!id)
2159 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2160 if (data != sdata) {
2161 OCSP_RESPID_free(id);
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2162 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2163 }
2164 if (!s->tlsext_ocsp_ids
2165 && !(s->tlsext_ocsp_ids =
2166 sk_OCSP_RESPID_new_null())) {
2167 OCSP_RESPID_free(id);
2168 *al = SSL_AD_INTERNAL_ERROR;
2169 return 0;
2170 }
2171 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2172 OCSP_RESPID_free(id);
2173 *al = SSL_AD_INTERNAL_ERROR;
2174 return 0;
2175 }
2176 }
Dr. Stephen Hensonc27c9cb2009-12-14 13:56:04 +0000[diff] [blame]2177
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2178 /* Read in request_extensions */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2179 if (!PACKET_get_net_2(&subpkt, &dsize)
2180 || !PACKET_get_bytes(&subpkt, &data, dsize)
2181 || PACKET_remaining(&subpkt)) {
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2182 goto err;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2183 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2184 sdata = data;
2185 if (dsize > 0) {
Rich Salz222561f2015-04-30 17:33:59 -0400[diff] [blame]2186 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2187 X509_EXTENSION_free);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2188 s->tlsext_ocsp_exts =
2189 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2190 if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
2191 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2192 }
2193 }
2194 /*
2195 * We don't know what to do with any other type * so ignore it.
2196 */
2197 else
2198 s->tlsext_status_type = -1;
2199 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2200#ifndef OPENSSL_NO_HEARTBEATS
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2201 else if (type == TLSEXT_TYPE_heartbeat) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2202 unsigned int hbtype;
2203
2204 if (!PACKET_get_1(&subpkt, &hbtype)
2205 || PACKET_remaining(&subpkt)) {
2206 *al = SSL_AD_DECODE_ERROR;
2207 return 0;
2208 }
2209 switch (hbtype) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2210 case 0x01: /* Client allows us to send HB requests */
2211 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2212 break;
2213 case 0x02: /* Client doesn't accept HB requests */
2214 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2215 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2216 break;
2217 default:
2218 *al = SSL_AD_ILLEGAL_PARAMETER;
2219 return 0;
2220 }
2221 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2222#endif
2223#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2224 else if (type == TLSEXT_TYPE_next_proto_neg &&
2225 s->s3->tmp.finish_md_len == 0 &&
2226 s->s3->alpn_selected == NULL) {
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]2227 /*-
2228 * We shouldn't accept this extension on a
2229 * renegotiation.
2230 *
2231 * s->new_session will be set on renegotiation, but we
2232 * probably shouldn't rely that it couldn't be set on
2233 * the initial renegotation too in certain cases (when
2234 * there's some other reason to disallow resuming an
2235 * earlier session -- the current code won't be doing
2236 * anything like that, but this might change).
2237 *
2238 * A valid sign that there's been a previous handshake
2239 * in this connection is if s->s3->tmp.finish_md_len >
2240 * 0. (We are talking about a check that will happen
2241 * in the Hello protocol round, well before a new
2242 * Finished message could have been computed.)
2243 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2244 s->s3->next_proto_neg_seen = 1;
2245 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2246#endif
Dr. Stephen Hensonc27c9cb2009-12-14 13:56:04 +0000[diff] [blame]2247
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2248 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2249 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2250 if (tls1_alpn_handle_client_hello(s, &subpkt, al) != 0)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2251 return 0;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2252#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2253 /* ALPN takes precedence over NPN. */
2254 s->s3->next_proto_neg_seen = 0;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2255#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2256 }
Dr. Stephen Hensonc27c9cb2009-12-14 13:56:04 +0000[diff] [blame]2257
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2258 /* session ticket processed earlier */
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2259#ifndef OPENSSL_NO_SRTP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2260 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2261 && type == TLSEXT_TYPE_use_srtp) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2262 if (ssl_parse_clienthello_use_srtp_ext(s, &subpkt, al))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2263 return 0;
2264 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2265#endif
2266#ifdef TLSEXT_TYPE_encrypt_then_mac
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2267 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2268 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2269#endif
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2270 /*
2271 * Note: extended master secret extension handled in
2272 * tls_check_serverhello_tlsext_early()
2273 */
2274
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2275 /*
2276 * If this ClientHello extension was unhandled and this is a
2277 * nonresumed connection, check whether the extension is a custom
2278 * TLS Extension (has a custom_srv_ext_record), and if so call the
2279 * callback and record the extension number so that an appropriate
2280 * ServerHello may be later returned.
2281 */
2282 else if (!s->hit) {
2283 if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2284 return 0;
2285 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2286 }
Dr. Stephen Hensonb2284ed2012-04-06 11:18:40 +0000[diff] [blame]2287
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2288 /* Spurious data on the end */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2289 if (PACKET_remaining(pkt) != 0)
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2290 goto err;
2291
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2292 ri_check:
2293
2294 /* Need RI if renegotiating */
2295
2296 if (!renegotiate_seen && s->renegotiate &&
2297 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2298 *al = SSL_AD_HANDSHAKE_FAILURE;
2299 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2300 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2301 return 0;
2302 }
2303
2304 return 1;
Matt Caswell54e3ad02015-04-30 15:20:25 +0100[diff] [blame]2305err:
2306 *al = SSL_AD_DECODE_ERROR;
2307 return 0;
Dr. Stephen Hensonb2284ed2012-04-06 11:18:40 +0000[diff] [blame]2308}
2309
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2310int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2311{
2312 int al = -1;
2313 custom_ext_init(&s->cert->srv_ext);
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2314 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2315 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2316 return 0;
2317 }
2318
2319 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2320 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2321 return 0;
2322 }
2323 return 1;
2324}
2325
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2326#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2327/*
2328 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2329 * elements of zero length are allowed and the set of elements must exactly
2330 * fill the length of the block.
2331 */
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2332static char ssl_next_proto_validate(PACKET *pkt)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2333{
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2334 unsigned int len;
Ben Laurieee2ffc22010-07-28 10:06:55 +0000[diff] [blame]2335
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2336 while (PACKET_remaining(pkt)) {
2337 if (!PACKET_get_1(pkt, &len)
2338 || !PACKET_forward(pkt, len))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2339 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2340 }
Ben Laurieee2ffc22010-07-28 10:06:55 +0000[diff] [blame]2341
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2342 return 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2343}
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2344#endif
Ben Laurieee2ffc22010-07-28 10:06:55 +0000[diff] [blame]2345
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2346static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2347{
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2348 unsigned int length, type, size;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2349 int tlsext_servername = 0;
2350 int renegotiate_seen = 0;
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2351
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2352#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2353 s->s3->next_proto_neg_seen = 0;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2354#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2355 s->tlsext_ticket_expected = 0;
Bodo Möller6f31dd72011-11-24 21:07:01 +0000[diff] [blame]2356
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]2357 OPENSSL_free(s->s3->alpn_selected);
2358 s->s3->alpn_selected = NULL;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2359#ifndef OPENSSL_NO_HEARTBEATS
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2360 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2361 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2362#endif
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]2363
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2364#ifdef TLSEXT_TYPE_encrypt_then_mac
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2365 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2366#endif
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]2367
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2368 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2369
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2370 if (!PACKET_get_net_2(pkt, &length))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2371 goto ri_check;
Dr. Stephen Henson5e3ff622013-03-22 17:12:33 +0000[diff] [blame]2372
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2373 if (PACKET_remaining(pkt) != length) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2374 *al = SSL_AD_DECODE_ERROR;
2375 return 0;
2376 }
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2377
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2378 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
2379 unsigned char *data;
2380 PACKET spkt;
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2381
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2382 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2383 || !PACKET_peek_bytes(&spkt, &data, size))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2384 goto ri_check;
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2385
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2386 if (s->tlsext_debug_cb)
2387 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2388
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2389 if (type == TLSEXT_TYPE_renegotiate) {
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2390 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2391 return 0;
2392 renegotiate_seen = 1;
2393 } else if (s->version == SSL3_VERSION) {
2394 } else if (type == TLSEXT_TYPE_server_name) {
2395 if (s->tlsext_hostname == NULL || size > 0) {
2396 *al = TLS1_AD_UNRECOGNIZED_NAME;
2397 return 0;
2398 }
2399 tlsext_servername = 1;
2400 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2401#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2402 else if (type == TLSEXT_TYPE_ec_point_formats) {
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2403 unsigned int ecpointformatlist_length;
2404 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2405 || ecpointformatlist_length != size - 1) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2406 *al = TLS1_AD_DECODE_ERROR;
2407 return 0;
2408 }
2409 if (!s->hit) {
2410 s->session->tlsext_ecpointformatlist_length = 0;
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]2411 OPENSSL_free(s->session->tlsext_ecpointformatlist);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2412 if ((s->session->tlsext_ecpointformatlist =
2413 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2414 *al = TLS1_AD_INTERNAL_ERROR;
2415 return 0;
2416 }
2417 s->session->tlsext_ecpointformatlist_length =
2418 ecpointformatlist_length;
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2419 if (!PACKET_copy_bytes(&spkt,
2420 s->session->tlsext_ecpointformatlist,
2421 ecpointformatlist_length)) {
2422 *al = TLS1_AD_DECODE_ERROR;
2423 return 0;
2424 }
2425
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2426 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2427 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2428#endif /* OPENSSL_NO_EC */
Dr. Stephen Henson5a3d8ee2014-11-03 17:47:11 +0000[diff] [blame]2429
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2430 else if (type == TLSEXT_TYPE_session_ticket) {
2431 if (s->tls_session_ticket_ext_cb &&
2432 !s->tls_session_ticket_ext_cb(s, data, size,
2433 s->tls_session_ticket_ext_cb_arg))
2434 {
2435 *al = TLS1_AD_INTERNAL_ERROR;
2436 return 0;
2437 }
2438 if (!tls_use_ticket(s) || (size > 0)) {
2439 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2440 return 0;
2441 }
2442 s->tlsext_ticket_expected = 1;
2443 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2444 else if (type == TLSEXT_TYPE_status_request) {
2445 /*
2446 * MUST be empty and only sent if we've requested a status
2447 * request message.
2448 */
2449 if ((s->tlsext_status_type == -1) || (size > 0)) {
2450 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2451 return 0;
2452 }
2453 /* Set flag to expect CertificateStatus message */
2454 s->tlsext_status_expected = 1;
2455 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2456#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2457 else if (type == TLSEXT_TYPE_next_proto_neg &&
2458 s->s3->tmp.finish_md_len == 0) {
2459 unsigned char *selected;
2460 unsigned char selected_len;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2461 /* We must have requested it. */
2462 if (s->ctx->next_proto_select_cb == NULL) {
2463 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2464 return 0;
2465 }
2466 /* The data must be valid */
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2467 if (!ssl_next_proto_validate(&spkt)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2468 *al = TLS1_AD_DECODE_ERROR;
2469 return 0;
2470 }
2471 if (s->
2472 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2473 size,
2474 s->ctx->next_proto_select_cb_arg) !=
2475 SSL_TLSEXT_ERR_OK) {
2476 *al = TLS1_AD_INTERNAL_ERROR;
2477 return 0;
2478 }
2479 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]2480 if (s->next_proto_negotiated == NULL) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2481 *al = TLS1_AD_INTERNAL_ERROR;
2482 return 0;
2483 }
2484 memcpy(s->next_proto_negotiated, selected, selected_len);
2485 s->next_proto_negotiated_len = selected_len;
2486 s->s3->next_proto_neg_seen = 1;
2487 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2488#endif
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]2489
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2490 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2491 unsigned len;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2492 /* We must have requested it. */
2493 if (s->alpn_client_proto_list == NULL) {
2494 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2495 return 0;
2496 }
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]2497 /*-
2498 * The extension data consists of:
2499 * uint16 list_length
2500 * uint8 proto_length;
2501 * uint8 proto[proto_length];
2502 */
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2503 if (!PACKET_get_net_2(&spkt, &len)
2504 || PACKET_remaining(&spkt) != len
2505 || !PACKET_get_1(&spkt, &len)
2506 || PACKET_remaining(&spkt) != len) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2507 *al = TLS1_AD_DECODE_ERROR;
2508 return 0;
2509 }
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]2510 OPENSSL_free(s->s3->alpn_selected);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2511 s->s3->alpn_selected = OPENSSL_malloc(len);
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]2512 if (s->s3->alpn_selected == NULL) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2513 *al = TLS1_AD_INTERNAL_ERROR;
2514 return 0;
2515 }
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2516 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2517 *al = TLS1_AD_DECODE_ERROR;
2518 return 0;
2519 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2520 s->s3->alpn_selected_len = len;
2521 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2522#ifndef OPENSSL_NO_HEARTBEATS
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2523 else if (type == TLSEXT_TYPE_heartbeat) {
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2524 unsigned int hbtype;
2525 if (!PACKET_get_1(&spkt, &hbtype)) {
2526 *al = SSL_AD_DECODE_ERROR;
2527 return 0;
2528 }
2529 switch (hbtype) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2530 case 0x01: /* Server allows us to send HB requests */
2531 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2532 break;
2533 case 0x02: /* Server doesn't accept HB requests */
2534 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2535 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2536 break;
2537 default:
2538 *al = SSL_AD_ILLEGAL_PARAMETER;
2539 return 0;
2540 }
2541 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2542#endif
2543#ifndef OPENSSL_NO_SRTP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2544 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2545 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2546 return 0;
2547 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2548#endif
2549#ifdef TLSEXT_TYPE_encrypt_then_mac
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2550 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2551 /* Ignore if inappropriate ciphersuite */
2552 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2553 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2554 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2555 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2556#endif
Dr. Stephen Hensonddc06b32015-01-23 02:45:13 +0000[diff] [blame]2557 else if (type == TLSEXT_TYPE_extended_master_secret) {
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2558 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
Dr. Stephen Hensonddc06b32015-01-23 02:45:13 +0000[diff] [blame]2559 if (!s->hit)
2560 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2561 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2562 /*
2563 * If this extension type was not otherwise handled, but matches a
2564 * custom_cli_ext_record, then send it to the c callback
2565 */
2566 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2567 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2568 }
Adam Langley6f017a82013-04-15 18:07:47 -0400[diff] [blame]2569
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2570 if (PACKET_remaining(pkt) != 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2571 *al = SSL_AD_DECODE_ERROR;
2572 return 0;
2573 }
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2574
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2575 if (!s->hit && tlsext_servername == 1) {
2576 if (s->tlsext_hostname) {
2577 if (s->session->tlsext_hostname == NULL) {
Rich Salz7644a9a2015-12-16 16:12:24 -0500[diff] [blame]2578 s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2579 if (!s->session->tlsext_hostname) {
2580 *al = SSL_AD_UNRECOGNIZED_NAME;
2581 return 0;
2582 }
2583 } else {
2584 *al = SSL_AD_DECODE_ERROR;
2585 return 0;
2586 }
2587 }
2588 }
Bodo Möllered3883d2006-01-02 23:14:37 +0000[diff] [blame]2589
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2590 ri_check:
Dr. Stephen Hensonc27c9cb2009-12-14 13:56:04 +0000[diff] [blame]2591
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2592 /*
2593 * Determine if we need to see RI. Strictly speaking if we want to avoid
2594 * an attack we should *always* see RI even on initial server hello
2595 * because the client doesn't see any renegotiation during an attack.
2596 * However this would mean we could not connect to any server which
2597 * doesn't support RI so for the immediate future tolerate RI absence on
2598 * initial connect only.
2599 */
2600 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2601 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2602 *al = SSL_AD_HANDSHAKE_FAILURE;
2603 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2604 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2605 return 0;
2606 }
Dr. Stephen Hensonc27c9cb2009-12-14 13:56:04 +0000[diff] [blame]2607
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2608 if (s->hit) {
2609 /*
2610 * Check extended master secret extension is consistent with
2611 * original session.
2612 */
2613 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2614 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2615 *al = SSL_AD_HANDSHAKE_FAILURE;
2616 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2617 return 0;
2618 }
2619 }
2620
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2621 return 1;
2622}
Bodo Möllerb2172f42006-04-03 11:56:30 +0000[diff] [blame]2623
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2624int ssl_prepare_clienthello_tlsext(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2625{
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]2626
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2627 return 1;
2628}
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2629
2630int ssl_prepare_serverhello_tlsext(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2631{
2632 return 1;
2633}
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2634
Ben Laurie2daceb02012-09-11 12:57:46 +0000[diff] [blame]2635static int ssl_check_clienthello_tlsext_early(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2636{
2637 int ret = SSL_TLSEXT_ERR_NOACK;
2638 int al = SSL_AD_UNRECOGNIZED_NAME;
Bodo Möller241520e2006-01-11 06:10:40 +0000[diff] [blame]2639
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2640#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2641 /*
2642 * The handling of the ECPointFormats extension is done elsewhere, namely
2643 * in ssl3_choose_cipher in s3_lib.c.
2644 */
2645 /*
2646 * The handling of the EllipticCurves extension is done elsewhere, namely
2647 * in ssl3_choose_cipher in s3_lib.c.
2648 */
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2649#endif
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2650
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2651 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2652 ret =
2653 s->ctx->tlsext_servername_callback(s, &al,
2654 s->ctx->tlsext_servername_arg);
2655 else if (s->initial_ctx != NULL
2656 && s->initial_ctx->tlsext_servername_callback != 0)
2657 ret =
2658 s->initial_ctx->tlsext_servername_callback(s, &al,
2659 s->
2660 initial_ctx->tlsext_servername_arg);
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2661
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2662 switch (ret) {
2663 case SSL_TLSEXT_ERR_ALERT_FATAL:
2664 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2665 return -1;
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2666
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2667 case SSL_TLSEXT_ERR_ALERT_WARNING:
2668 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2669 return 1;
2670
2671 case SSL_TLSEXT_ERR_NOACK:
2672 s->servername_done = 0;
2673 default:
2674 return 1;
2675 }
2676}
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2677/* Initialise digests to default values */
Dr. Stephen Hensona0f63822015-11-24 00:08:35 +0000[diff] [blame]2678void ssl_set_default_md(SSL *s)
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2679{
2680 const EVP_MD **pmd = s->s3->tmp.md;
2681#ifndef OPENSSL_NO_DSA
Dr. Stephen Henson152fbc22015-11-29 16:27:08 +0000[diff] [blame]2682 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2683#endif
2684#ifndef OPENSSL_NO_RSA
Dr. Stephen Hensond18d31a2015-08-29 22:11:05 +0100[diff] [blame]2685 if (SSL_USE_SIGALGS(s))
Dr. Stephen Henson152fbc22015-11-29 16:27:08 +0000[diff] [blame]2686 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
Dr. Stephen Hensond18d31a2015-08-29 22:11:05 +0100[diff] [blame]2687 else
Dr. Stephen Henson152fbc22015-11-29 16:27:08 +0000[diff] [blame]2688 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
Dr. Stephen Hensond18d31a2015-08-29 22:11:05 +0100[diff] [blame]2689 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2690#endif
2691#ifndef OPENSSL_NO_EC
Dr. Stephen Henson152fbc22015-11-29 16:27:08 +0000[diff] [blame]2692 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2693#endif
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]2694#ifndef OPENSSL_NO_GOST
Dr. Stephen Henson152fbc22015-11-29 16:27:08 +0000[diff] [blame]2695 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2696 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2697 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]2698#endif
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2699}
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2700
Dr. Stephen Hensone469af82014-11-17 16:52:59 +0000[diff] [blame]2701int tls1_set_server_sigalgs(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2702{
2703 int al;
2704 size_t i;
2705 /* Clear any shared sigtnature algorithms */
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]2706 OPENSSL_free(s->cert->shared_sigalgs);
2707 s->cert->shared_sigalgs = NULL;
2708 s->cert->shared_sigalgslen = 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2709 /* Clear certificate digests and validity flags */
2710 for (i = 0; i < SSL_PKEY_NUM; i++) {
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2711 s->s3->tmp.md[i] = NULL;
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]2712 s->s3->tmp.valid_flags[i] = 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2713 }
Dr. Stephen Hensone469af82014-11-17 16:52:59 +0000[diff] [blame]2714
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2715 /* If sigalgs received process it. */
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]2716 if (s->s3->tmp.peer_sigalgs) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2717 if (!tls1_process_sigalgs(s)) {
2718 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2719 al = SSL_AD_INTERNAL_ERROR;
2720 goto err;
2721 }
2722 /* Fatal error is no shared signature algorithms */
2723 if (!s->cert->shared_sigalgs) {
2724 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2725 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2726 al = SSL_AD_ILLEGAL_PARAMETER;
2727 goto err;
2728 }
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2729 } else {
2730 ssl_set_default_md(s);
2731 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2732 return 1;
2733 err:
2734 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2735 return 0;
2736}
Dr. Stephen Hensone469af82014-11-17 16:52:59 +0000[diff] [blame]2737
Ben Laurie2daceb02012-09-11 12:57:46 +0000[diff] [blame]2738int ssl_check_clienthello_tlsext_late(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2739{
2740 int ret = SSL_TLSEXT_ERR_OK;
Gunnar Kudrjavets4c9b0a02015-05-06 10:16:55 +0100[diff] [blame]2741 int al = SSL_AD_INTERNAL_ERROR;
Ben Laurie2daceb02012-09-11 12:57:46 +0000[diff] [blame]2742
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2743 /*
2744 * If status request then ask callback what to do. Note: this must be
2745 * called after servername callbacks in case the certificate has changed,
2746 * and must be called after the cipher has been chosen because this may
2747 * influence which certificate is sent
2748 */
2749 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2750 int r;
2751 CERT_PKEY *certpkey;
2752 certpkey = ssl_get_server_send_pkey(s);
2753 /* If no certificate can't return certificate status */
2754 if (certpkey == NULL) {
2755 s->tlsext_status_expected = 0;
2756 return 1;
2757 }
2758 /*
2759 * Set current certificate to one we will use so SSL_get_certificate
2760 * et al can pick it up.
2761 */
2762 s->cert->key = certpkey;
2763 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2764 switch (r) {
2765 /* We don't want to send a status request response */
2766 case SSL_TLSEXT_ERR_NOACK:
2767 s->tlsext_status_expected = 0;
2768 break;
2769 /* status request response should be sent */
2770 case SSL_TLSEXT_ERR_OK:
2771 if (s->tlsext_ocsp_resp)
2772 s->tlsext_status_expected = 1;
2773 else
2774 s->tlsext_status_expected = 0;
2775 break;
2776 /* something bad happened */
2777 case SSL_TLSEXT_ERR_ALERT_FATAL:
2778 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2779 al = SSL_AD_INTERNAL_ERROR;
2780 goto err;
2781 }
2782 } else
2783 s->tlsext_status_expected = 0;
Ben Laurie2daceb02012-09-11 12:57:46 +0000[diff] [blame]2784
2785 err:
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2786 switch (ret) {
2787 case SSL_TLSEXT_ERR_ALERT_FATAL:
2788 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2789 return -1;
Ben Laurie2daceb02012-09-11 12:57:46 +0000[diff] [blame]2790
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2791 case SSL_TLSEXT_ERR_ALERT_WARNING:
2792 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2793 return 1;
Ben Laurie2daceb02012-09-11 12:57:46 +0000[diff] [blame]2794
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2795 default:
2796 return 1;
2797 }
2798}
Ben Laurie2daceb02012-09-11 12:57:46 +0000[diff] [blame]2799
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2800int ssl_check_serverhello_tlsext(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2801{
2802 int ret = SSL_TLSEXT_ERR_NOACK;
2803 int al = SSL_AD_UNRECOGNIZED_NAME;
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2804
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2805#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2806 /*
2807 * If we are client and using an elliptic curve cryptography cipher
2808 * suite, then if server returns an EC point formats lists extension it
2809 * must contain uncompressed.
2810 */
2811 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2812 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2813 if ((s->tlsext_ecpointformatlist != NULL)
2814 && (s->tlsext_ecpointformatlist_length > 0)
2815 && (s->session->tlsext_ecpointformatlist != NULL)
2816 && (s->session->tlsext_ecpointformatlist_length > 0)
2817 && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
2818 || (alg_a & SSL_aECDSA))) {
2819 /* we are using an ECC cipher */
2820 size_t i;
2821 unsigned char *list;
2822 int found_uncompressed = 0;
2823 list = s->session->tlsext_ecpointformatlist;
2824 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2825 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2826 found_uncompressed = 1;
2827 break;
2828 }
2829 }
2830 if (!found_uncompressed) {
2831 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2832 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2833 return -1;
2834 }
2835 }
2836 ret = SSL_TLSEXT_ERR_OK;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]2837#endif /* OPENSSL_NO_EC */
Bodo Möller36ca4ba2006-03-11 23:46:37 +0000[diff] [blame]2838
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2839 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2840 ret =
2841 s->ctx->tlsext_servername_callback(s, &al,
2842 s->ctx->tlsext_servername_arg);
2843 else if (s->initial_ctx != NULL
2844 && s->initial_ctx->tlsext_servername_callback != 0)
2845 ret =
2846 s->initial_ctx->tlsext_servername_callback(s, &al,
2847 s->
2848 initial_ctx->tlsext_servername_arg);
Bodo Möller241520e2006-01-11 06:10:40 +0000[diff] [blame]2849
Matt Caswellb1931d42015-12-10 10:44:30 +0000[diff] [blame]2850 /*
2851 * Ensure we get sensible values passed to tlsext_status_cb in the event
2852 * that we don't receive a status message
2853 */
Matt Caswellbb1aaab2015-11-05 14:31:11 +0000[diff] [blame]2854 OPENSSL_free(s->tlsext_ocsp_resp);
2855 s->tlsext_ocsp_resp = NULL;
2856 s->tlsext_ocsp_resplen = -1;
Bodo Möller58ece832006-01-13 09:21:10 +0000[diff] [blame]2857
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2858 switch (ret) {
2859 case SSL_TLSEXT_ERR_ALERT_FATAL:
2860 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2861 return -1;
Bodo Möller33273722006-03-30 02:44:56 +0000[diff] [blame]2862
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2863 case SSL_TLSEXT_ERR_ALERT_WARNING:
2864 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2865 return 1;
Dr. Stephen Henson09e4e4b2012-04-24 12:22:23 +0000[diff] [blame]2866
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2867 case SSL_TLSEXT_ERR_NOACK:
2868 s->servername_done = 0;
2869 default:
2870 return 1;
2871 }
2872}
2873
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2874int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2875{
2876 int al = -1;
2877 if (s->version < SSL3_VERSION)
2878 return 1;
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]2879 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2880 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2881 return 0;
2882 }
2883
2884 if (ssl_check_serverhello_tlsext(s) <= 0) {
2885 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2886 return 0;
2887 }
2888 return 1;
Dr. Stephen Henson09e4e4b2012-04-24 12:22:23 +0000[diff] [blame]2889}
2890
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]2891/*-
2892 * Since the server cache lookup is done early on in the processing of the
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2893 * ClientHello and other operations depend on the result some extensions
2894 * need to be handled at the same time.
2895 *
2896 * Two extensions are currently handled, session ticket and extended master
2897 * secret.
Bodo Möllerc519e892011-09-05 13:36:23 +0000[diff] [blame]2898 *
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2899 * session_id: ClientHello session ID.
2900 * ext: ClientHello extensions (including length prefix)
Bodo Möllerc519e892011-09-05 13:36:23 +0000[diff] [blame]2901 * ret: (output) on return, if a ticket was decrypted, then this is set to
2902 * point to the resulting session.
2903 *
2904 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2905 * ciphersuite, in which case we have no use for session tickets and one will
2906 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2907 *
2908 * Returns:
2909 * -1: fatal error, either from parsing or decrypting the ticket.
2910 * 0: no ticket was found (or was ignored, based on settings).
2911 * 1: a zero length extension was found, indicating that the client supports
2912 * session tickets but doesn't currently have one to offer.
2913 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2914 * couldn't be decrypted because of a non-fatal error.
2915 * 3: a ticket was successfully decrypted and *ret was set.
2916 *
2917 * Side effects:
2918 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2919 * a new session ticket to the client because the client indicated support
2920 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2921 * a session ticket or we couldn't use the one it gave us, or if
2922 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2923 * Otherwise, s->tlsext_ticket_expected is set to 0.
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2924 *
2925 * For extended master secret flag is set if the extension is present.
2926 *
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]2927 */
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2928int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2929 const PACKET *session_id,
2930 SSL_SESSION **ret)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2931{
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2932 unsigned int i;
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2933 PACKET local_ext = *ext;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2934 int retv = -1;
Dr. Stephen Hensone8da6a12008-09-03 22:17:11 +0000[diff] [blame]2935
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2936 int have_ticket = 0;
2937 int use_ticket = tls_use_ticket(s);
2938
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2939 *ret = NULL;
2940 s->tlsext_ticket_expected = 0;
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2941 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
Dr. Stephen Hensone8da6a12008-09-03 22:17:11 +0000[diff] [blame]2942
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2943 /*
2944 * If tickets disabled behave as if no ticket present to permit stateful
2945 * resumption.
2946 */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2947 if ((s->version <= SSL3_VERSION))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2948 return 0;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2949
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2950 if (!PACKET_get_net_2(&local_ext, &i)) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2951 retv = 0;
2952 goto end;
2953 }
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2954 while (PACKET_remaining(&local_ext) >= 4) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2955 unsigned int type, size;
2956
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2957 if (!PACKET_get_net_2(&local_ext, &type)
2958 || !PACKET_get_net_2(&local_ext, &size)) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2959 /* Shouldn't ever happen */
2960 retv = -1;
2961 goto end;
2962 }
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2963 if (PACKET_remaining(&local_ext) < size) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2964 retv = 0;
2965 goto end;
2966 }
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2967 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2968 int r;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2969 unsigned char *etick;
2970
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2971 /* Duplicate extension */
2972 if (have_ticket != 0) {
2973 retv = -1;
2974 goto end;
2975 }
2976 have_ticket = 1;
2977
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2978 if (size == 0) {
2979 /*
2980 * The client will accept a ticket but doesn't currently have
2981 * one.
2982 */
2983 s->tlsext_ticket_expected = 1;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2984 retv = 1;
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2985 continue;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2986 }
2987 if (s->tls_session_secret_cb) {
2988 /*
2989 * Indicate that the ticket couldn't be decrypted rather than
2990 * generating the session from ticket now, trigger
2991 * abbreviated handshake based on external mechanism to
2992 * calculate the master secret later.
2993 */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2994 retv = 2;
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]2995 continue;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2996 }
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]2997 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]2998 /* Shouldn't ever happen */
2999 retv = -1;
3000 goto end;
3001 }
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]3002 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
3003 PACKET_remaining(session_id), ret);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3004 switch (r) {
3005 case 2: /* ticket couldn't be decrypted */
3006 s->tlsext_ticket_expected = 1;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]3007 retv = 2;
3008 break;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3009 case 3: /* ticket was decrypted */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]3010 retv = r;
3011 break;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3012 case 4: /* ticket decrypted but need to renew */
3013 s->tlsext_ticket_expected = 1;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]3014 retv = 3;
3015 break;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3016 default: /* fatal error */
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]3017 retv = -1;
3018 break;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3019 }
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]3020 continue;
Matt Caswellc83eda82015-08-13 10:04:23 +0100[diff] [blame]3021 } else {
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]3022 if (type == TLSEXT_TYPE_extended_master_secret)
3023 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
Emilia Kasperb3e22722015-09-30 15:33:12 +0200[diff] [blame]3024 if (!PACKET_forward(&local_ext, size)) {
Matt Caswellc83eda82015-08-13 10:04:23 +0100[diff] [blame]3025 retv = -1;
3026 goto end;
3027 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3028 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3029 }
Dr. Stephen Hensone7f0d922015-12-04 19:48:15 +0000[diff] [blame]3030 if (have_ticket == 0)
3031 retv = 0;
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]3032end:
Matt Caswell9ceb2422015-04-16 10:06:25 +0100[diff] [blame]3033 return retv;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3034}
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]3035
Tim Hudson1d97c842014-12-28 12:48:40 +1000[diff] [blame]3036/*-
3037 * tls_decrypt_ticket attempts to decrypt a session ticket.
Bodo Möllerc519e892011-09-05 13:36:23 +0000[diff] [blame]3038 *
3039 * etick: points to the body of the session ticket extension.
3040 * eticklen: the length of the session tickets extenion.
3041 * sess_id: points at the session ID.
3042 * sesslen: the length of the session ID.
3043 * psess: (output) on return, if a ticket was decrypted, then this is set to
3044 * point to the resulting session.
3045 *
3046 * Returns:
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3047 * -2: fatal error, malloc failure.
Bodo Möllerc519e892011-09-05 13:36:23 +0000[diff] [blame]3048 * -1: fatal error, either from parsing or decrypting the ticket.
3049 * 2: the ticket couldn't be decrypted.
3050 * 3: a ticket was successfully decrypted and *psess was set.
3051 * 4: same as 3, but the ticket needs to be renewed.
3052 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3053static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3054 int eticklen, const unsigned char *sess_id,
3055 int sesslen, SSL_SESSION **psess)
3056{
3057 SSL_SESSION *sess;
3058 unsigned char *sdec;
3059 const unsigned char *p;
3060 int slen, mlen, renew_ticket = 0;
3061 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3062 HMAC_CTX *hctx = NULL;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3063 EVP_CIPHER_CTX ctx;
3064 SSL_CTX *tctx = s->initial_ctx;
3065 /* Need at least keyname + iv + some encrypted data */
3066 if (eticklen < 48)
3067 return 2;
3068 /* Initialize session ticket encryption and HMAC contexts */
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3069 hctx = HMAC_CTX_new();
3070 if (hctx == NULL)
3071 return -2;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3072 EVP_CIPHER_CTX_init(&ctx);
3073 if (tctx->tlsext_ticket_key_cb) {
3074 unsigned char *nctick = (unsigned char *)etick;
3075 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3076 &ctx, hctx, 0);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3077 if (rv < 0)
3078 return -1;
3079 if (rv == 0)
3080 return 2;
3081 if (rv == 2)
3082 renew_ticket = 1;
3083 } else {
3084 /* Check key name matches */
3085 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3086 return 2;
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3087 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3088 EVP_sha256(), NULL) <= 0
3089 || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3090 tctx->tlsext_tick_aes_key,
3091 etick + 16) <= 0) {
3092 goto err;
3093 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3094 }
3095 /*
3096 * Attempt to process session ticket, first conduct sanity and integrity
3097 * checks on ticket.
3098 */
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3099 mlen = HMAC_size(hctx);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3100 if (mlen < 0) {
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3101 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3102 }
3103 eticklen -= mlen;
3104 /* Check HMAC of encrypted ticket */
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3105 if (HMAC_Update(hctx, etick, eticklen) <= 0
3106 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3107 goto err;
3108 }
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3109 HMAC_CTX_free(hctx);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3110 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3111 EVP_CIPHER_CTX_cleanup(&ctx);
3112 return 2;
3113 }
3114 /* Attempt to decrypt session data */
3115 /* Move p after IV to start of encrypted ticket, update length */
3116 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3117 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3118 sdec = OPENSSL_malloc(eticklen);
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3119 if (sdec == NULL
3120 || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3121 EVP_CIPHER_CTX_cleanup(&ctx);
3122 return -1;
3123 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3124 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
3125 EVP_CIPHER_CTX_cleanup(&ctx);
3126 OPENSSL_free(sdec);
3127 return 2;
3128 }
3129 slen += mlen;
3130 EVP_CIPHER_CTX_cleanup(&ctx);
3131 p = sdec;
Bodo Möllerc519e892011-09-05 13:36:23 +0000[diff] [blame]3132
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3133 sess = d2i_SSL_SESSION(NULL, &p, slen);
3134 OPENSSL_free(sdec);
3135 if (sess) {
3136 /*
3137 * The session ID, if non-empty, is used by some clients to detect
3138 * that the ticket has been accepted. So we copy it to the session
3139 * structure. If it is empty set length to zero as required by
3140 * standard.
3141 */
3142 if (sesslen)
3143 memcpy(sess->session_id, sess_id, sesslen);
3144 sess->session_id_length = sesslen;
3145 *psess = sess;
3146 if (renew_ticket)
3147 return 4;
3148 else
3149 return 3;
3150 }
3151 ERR_clear_error();
3152 /*
3153 * For session parse failure, indicate that we need to send a new ticket.
3154 */
3155 return 2;
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3156err:
3157 EVP_CIPHER_CTX_cleanup(&ctx);
Richard Levittebf7c6812015-11-30 13:44:28 +0100[diff] [blame]3158 HMAC_CTX_free(hctx);
Matt Caswell5f3d93e2015-11-06 16:31:21 +0000[diff] [blame]3159 return -1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3160}
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]3161
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3162/* Tables to translate from NIDs to TLS v1.2 ids */
3163
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3164typedef struct {
3165 int nid;
3166 int id;
3167} tls12_lookup;
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3168
Cristian Rodríguezd97ed212014-04-20 18:41:15 -0300[diff] [blame]3169static const tls12_lookup tls12_md[] = {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3170 {NID_md5, TLSEXT_hash_md5},
3171 {NID_sha1, TLSEXT_hash_sha1},
3172 {NID_sha224, TLSEXT_hash_sha224},
3173 {NID_sha256, TLSEXT_hash_sha256},
3174 {NID_sha384, TLSEXT_hash_sha384},
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3175 {NID_sha512, TLSEXT_hash_sha512},
3176 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3177 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3178 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3179};
3180
Cristian Rodríguezd97ed212014-04-20 18:41:15 -0300[diff] [blame]3181static const tls12_lookup tls12_sig[] = {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3182 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3183 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3184 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3185 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3186 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3187 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3188};
3189
Cristian Rodríguezd97ed212014-04-20 18:41:15 -0300[diff] [blame]3190static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3191{
3192 size_t i;
3193 for (i = 0; i < tlen; i++) {
3194 if (table[i].nid == nid)
3195 return table[i].id;
3196 }
3197 return -1;
3198}
Dr. Stephen Hensone7f8ff42012-03-06 14:28:21 +0000[diff] [blame]3199
Cristian Rodríguezd97ed212014-04-20 18:41:15 -0300[diff] [blame]3200static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3201{
3202 size_t i;
3203 for (i = 0; i < tlen; i++) {
3204 if ((table[i].id) == id)
3205 return table[i].nid;
3206 }
3207 return NID_undef;
3208}
Dr. Stephen Hensona2f92002011-05-09 15:44:01 +0000[diff] [blame]3209
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3210int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3211 const EVP_MD *md)
3212{
3213 int sig_id, md_id;
3214 if (!md)
3215 return 0;
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]3216 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3217 if (md_id == -1)
3218 return 0;
3219 sig_id = tls12_get_sigid(pk);
3220 if (sig_id == -1)
3221 return 0;
3222 p[0] = (unsigned char)md_id;
3223 p[1] = (unsigned char)sig_id;
3224 return 1;
3225}
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3226
Dr. Stephen Hensona2f92002011-05-09 15:44:01 +0000[diff] [blame]3227int tls12_get_sigid(const EVP_PKEY *pk)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3228{
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]3229 return tls12_find_id(pk->type, tls12_sig, OSSL_NELEM(tls12_sig));
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3230}
Dr. Stephen Hensona2f92002011-05-09 15:44:01 +0000[diff] [blame]3231
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3232typedef struct {
3233 int nid;
3234 int secbits;
Dr. Stephen Henson7afd2312015-11-29 16:54:27 +0000[diff] [blame]3235 int md_idx;
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3236 unsigned char tlsext_hash;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3237} tls12_hash_info;
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3238
3239static const tls12_hash_info tls12_md_info[] = {
Dr. Stephen Henson7afd2312015-11-29 16:54:27 +0000[diff] [blame]3240 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3241 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3242 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3243 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3244 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3245 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3246 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3247 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
3248 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3249};
3250
3251static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3252{
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3253 unsigned int i;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3254 if (hash_alg == 0)
3255 return NULL;
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3256
3257 for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
3258 {
3259 if (tls12_md_info[i].tlsext_hash == hash_alg)
3260 return tls12_md_info + i;
3261 }
3262
3263 return NULL;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3264}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3265
Dr. Stephen Hensona2f92002011-05-09 15:44:01 +0000[diff] [blame]3266const EVP_MD *tls12_get_hash(unsigned char hash_alg)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3267{
3268 const tls12_hash_info *inf;
3269 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3270 return NULL;
3271 inf = tls12_get_hash_info(hash_alg);
Dr. Stephen Henson7afd2312015-11-29 16:54:27 +0000[diff] [blame]3272 if (!inf)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3273 return NULL;
Dr. Stephen Henson7afd2312015-11-29 16:54:27 +0000[diff] [blame]3274 return ssl_md(inf->md_idx);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3275}
Dr. Stephen Hensona2f92002011-05-09 15:44:01 +0000[diff] [blame]3276
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3277static int tls12_get_pkey_idx(unsigned char sig_alg)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3278{
3279 switch (sig_alg) {
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3280#ifndef OPENSSL_NO_RSA
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3281 case TLSEXT_signature_rsa:
3282 return SSL_PKEY_RSA_SIGN;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3283#endif
3284#ifndef OPENSSL_NO_DSA
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3285 case TLSEXT_signature_dsa:
3286 return SSL_PKEY_DSA_SIGN;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3287#endif
3288#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3289 case TLSEXT_signature_ecdsa:
3290 return SSL_PKEY_ECC;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3291#endif
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3292# ifndef OPENSSL_NO_GOST
3293 case TLSEXT_signature_gostr34102001:
3294 return SSL_PKEY_GOST01;
3295
3296 case TLSEXT_signature_gostr34102012_256:
3297 return SSL_PKEY_GOST12_256;
3298
3299 case TLSEXT_signature_gostr34102012_512:
3300 return SSL_PKEY_GOST12_512;
3301# endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3302 }
3303 return -1;
3304}
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3305
3306/* Convert TLS 1.2 signature algorithm extension values into NIDs */
3307static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3308 int *psignhash_nid, const unsigned char *data)
3309{
Matt Caswell330dcb02015-11-11 10:44:07 +0000[diff] [blame]3310 int sign_nid = NID_undef, hash_nid = NID_undef;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3311 if (!phash_nid && !psign_nid && !psignhash_nid)
3312 return;
3313 if (phash_nid || psignhash_nid) {
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]3314 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3315 if (phash_nid)
3316 *phash_nid = hash_nid;
3317 }
3318 if (psign_nid || psignhash_nid) {
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]3319 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3320 if (psign_nid)
3321 *psign_nid = sign_nid;
3322 }
3323 if (psignhash_nid) {
Matt Caswell330dcb02015-11-11 10:44:07 +0000[diff] [blame]3324 if (sign_nid == NID_undef || hash_nid == NID_undef
3325 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
3326 sign_nid) <= 0)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3327 *psignhash_nid = NID_undef;
3328 }
3329}
3330
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3331/* Check to see if a signature algorithm is allowed */
3332static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3333{
3334 /* See if we have an entry in the hash table and it is enabled */
3335 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
Dr. Stephen Henson7afd2312015-11-29 16:54:27 +0000[diff] [blame]3336 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3337 return 0;
3338 /* See if public key algorithm allowed */
3339 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3340 return 0;
3341 /* Finally see if security callback allows it */
3342 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3343}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3344
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3345/*
3346 * Get a mask of disabled public key algorithms based on supported signature
3347 * algorithms. For example if no signature algorithm supports RSA then RSA is
3348 * disabled.
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3349 */
3350
Dr. Stephen Henson90d9e492015-11-05 16:14:17 +0000[diff] [blame]3351void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3352{
3353 const unsigned char *sigalgs;
3354 size_t i, sigalgslen;
3355 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3356 /*
3357 * Now go through all signature algorithms seeing if we support any for
3358 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3359 * down calls to security callback only check if we have to.
3360 */
3361 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3362 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3363 switch (sigalgs[1]) {
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3364#ifndef OPENSSL_NO_RSA
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3365 case TLSEXT_signature_rsa:
3366 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3367 have_rsa = 1;
3368 break;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3369#endif
3370#ifndef OPENSSL_NO_DSA
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3371 case TLSEXT_signature_dsa:
3372 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3373 have_dsa = 1;
3374 break;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3375#endif
3376#ifndef OPENSSL_NO_EC
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3377 case TLSEXT_signature_ecdsa:
3378 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3379 have_ecdsa = 1;
3380 break;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3381#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3382 }
3383 }
3384 if (!have_rsa)
3385 *pmask_a |= SSL_aRSA;
3386 if (!have_dsa)
3387 *pmask_a |= SSL_aDSS;
3388 if (!have_ecdsa)
3389 *pmask_a |= SSL_aECDSA;
3390}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3391
3392size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3393 const unsigned char *psig, size_t psiglen)
3394{
3395 unsigned char *tmpout = out;
3396 size_t i;
3397 for (i = 0; i < psiglen; i += 2, psig += 2) {
3398 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3399 *tmpout++ = psig[0];
3400 *tmpout++ = psig[1];
3401 }
3402 }
3403 return tmpout - out;
3404}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3405
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3406/* Given preference and allowed sigalgs set shared sigalgs */
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]3407static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3408 const unsigned char *pref, size_t preflen,
3409 const unsigned char *allow, size_t allowlen)
3410{
3411 const unsigned char *ptmp, *atmp;
3412 size_t i, j, nmatch = 0;
3413 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3414 /* Skip disabled hashes or signature algorithms */
3415 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3416 continue;
3417 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3418 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3419 nmatch++;
3420 if (shsig) {
3421 shsig->rhash = ptmp[0];
3422 shsig->rsign = ptmp[1];
3423 tls1_lookup_sigalg(&shsig->hash_nid,
3424 &shsig->sign_nid,
3425 &shsig->signandhash_nid, ptmp);
3426 shsig++;
3427 }
3428 break;
3429 }
3430 }
3431 }
3432 return nmatch;
3433}
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3434
3435/* Set shared signature algorithms for SSL structures */
3436static int tls1_set_shared_sigalgs(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3437{
3438 const unsigned char *pref, *allow, *conf;
3439 size_t preflen, allowlen, conflen;
3440 size_t nmatch;
3441 TLS_SIGALGS *salgs = NULL;
3442 CERT *c = s->cert;
3443 unsigned int is_suiteb = tls1_suiteb(s);
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]3444
3445 OPENSSL_free(c->shared_sigalgs);
3446 c->shared_sigalgs = NULL;
3447 c->shared_sigalgslen = 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3448 /* If client use client signature algorithms if not NULL */
3449 if (!s->server && c->client_sigalgs && !is_suiteb) {
3450 conf = c->client_sigalgs;
3451 conflen = c->client_sigalgslen;
3452 } else if (c->conf_sigalgs && !is_suiteb) {
3453 conf = c->conf_sigalgs;
3454 conflen = c->conf_sigalgslen;
3455 } else
3456 conflen = tls12_get_psigalgs(s, &conf);
3457 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3458 pref = conf;
3459 preflen = conflen;
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3460 allow = s->s3->tmp.peer_sigalgs;
3461 allowlen = s->s3->tmp.peer_sigalgslen;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3462 } else {
3463 allow = conf;
3464 allowlen = conflen;
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3465 pref = s->s3->tmp.peer_sigalgs;
3466 preflen = s->s3->tmp.peer_sigalgslen;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3467 }
3468 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
Dr. Stephen Henson34e3edb2015-03-03 13:20:57 +0000[diff] [blame]3469 if (nmatch) {
3470 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]3471 if (salgs == NULL)
Dr. Stephen Henson34e3edb2015-03-03 13:20:57 +0000[diff] [blame]3472 return 0;
3473 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3474 } else {
3475 salgs = NULL;
3476 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3477 c->shared_sigalgs = salgs;
3478 c->shared_sigalgslen = nmatch;
3479 return 1;
3480}
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3481
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3482/* Set preferred digest for each key type */
3483
Dr. Stephen Hensonc800c272014-10-09 20:37:27 +0100[diff] [blame]3484int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3485{
3486 CERT *c = s->cert;
3487 /* Extension ignored for inappropriate versions */
3488 if (!SSL_USE_SIGALGS(s))
3489 return 1;
3490 /* Should never happen */
3491 if (!c)
3492 return 0;
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3493
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3494 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3495 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3496 if (s->s3->tmp.peer_sigalgs == NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3497 return 0;
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3498 s->s3->tmp.peer_sigalgslen = dsize;
3499 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3500 return 1;
3501}
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3502
Dr. Stephen Hensonc800c272014-10-09 20:37:27 +0100[diff] [blame]3503int tls1_process_sigalgs(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3504{
3505 int idx;
3506 size_t i;
3507 const EVP_MD *md;
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3508 const EVP_MD **pmd = s->s3->tmp.md;
Dr. Stephen Hensonf7d53482015-07-14 23:19:11 +0100[diff] [blame]3509 uint32_t *pvalid = s->s3->tmp.valid_flags;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3510 CERT *c = s->cert;
3511 TLS_SIGALGS *sigptr;
3512 if (!tls1_set_shared_sigalgs(s))
3513 return 0;
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3514
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3515#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3516 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3517 /*
3518 * Use first set signature preference to force message digest,
3519 * ignoring any peer preferences.
3520 */
3521 const unsigned char *sigs = NULL;
3522 if (s->server)
3523 sigs = c->conf_sigalgs;
3524 else
3525 sigs = c->client_sigalgs;
3526 if (sigs) {
3527 idx = tls12_get_pkey_idx(sigs[1]);
3528 md = tls12_get_hash(sigs[0]);
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3529 pmd[idx] = md;
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3530 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3531 if (idx == SSL_PKEY_RSA_SIGN) {
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3532 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3533 pmd[SSL_PKEY_RSA_ENC] = md;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3534 }
3535 }
3536 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3537#endif
Dr. Stephen Hensoned83ba52012-08-29 13:18:34 +0000[diff] [blame]3538
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3539 for (i = 0, sigptr = c->shared_sigalgs;
3540 i < c->shared_sigalgslen; i++, sigptr++) {
3541 idx = tls12_get_pkey_idx(sigptr->rsign);
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3542 if (idx > 0 && pmd[idx] == NULL) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3543 md = tls12_get_hash(sigptr->rhash);
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3544 pmd[idx] = md;
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3545 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3546 if (idx == SSL_PKEY_RSA_SIGN) {
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3547 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3548 pmd[SSL_PKEY_RSA_ENC] = md;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3549 }
3550 }
Dr. Stephen Henson6b7be582011-05-06 13:00:07 +0000[diff] [blame]3551
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3552 }
3553 /*
3554 * In strict mode leave unset digests as NULL to indicate we can't use
3555 * the certificate for signing.
3556 */
3557 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3558 /*
3559 * Set any remaining keys to default values. NOTE: if alg is not
3560 * supported it stays as NULL.
3561 */
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3562#ifndef OPENSSL_NO_DSA
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3563 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3564 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3565#endif
3566#ifndef OPENSSL_NO_RSA
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3567 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3568 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3569 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3570 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3571#endif
3572#ifndef OPENSSL_NO_EC
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]3573 if (pmd[SSL_PKEY_ECC] == NULL)
3574 pmd[SSL_PKEY_ECC] = EVP_sha1();
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3575#endif
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]3576# ifndef OPENSSL_NO_GOST
3577 if (pmd[SSL_PKEY_GOST01] == NULL)
3578 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3579 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3580 pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3581 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3582 pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3583# endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3584 }
3585 return 1;
3586}
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3587
Dr. Stephen Hensone7f8ff42012-03-06 14:28:21 +0000[diff] [blame]3588int SSL_get_sigalgs(SSL *s, int idx,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3589 int *psign, int *phash, int *psignhash,
3590 unsigned char *rsig, unsigned char *rhash)
3591{
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3592 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3593 if (psig == NULL)
3594 return 0;
3595 if (idx >= 0) {
3596 idx <<= 1;
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3597 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3598 return 0;
3599 psig += idx;
3600 if (rhash)
3601 *rhash = psig[0];
3602 if (rsig)
3603 *rsig = psig[1];
3604 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3605 }
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]3606 return s->s3->tmp.peer_sigalgslen / 2;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3607}
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3608
3609int SSL_get_shared_sigalgs(SSL *s, int idx,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3610 int *psign, int *phash, int *psignhash,
3611 unsigned char *rsig, unsigned char *rhash)
3612{
3613 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3614 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3615 return 0;
3616 shsigalgs += idx;
3617 if (phash)
3618 *phash = shsigalgs->hash_nid;
3619 if (psign)
3620 *psign = shsigalgs->sign_nid;
3621 if (psignhash)
3622 *psignhash = shsigalgs->signandhash_nid;
3623 if (rsig)
3624 *rsig = shsigalgs->rsign;
3625 if (rhash)
3626 *rhash = shsigalgs->rhash;
3627 return s->cert->shared_sigalgslen;
3628}
Dr. Stephen Hensone7f8ff42012-03-06 14:28:21 +0000[diff] [blame]3629
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3630#ifndef OPENSSL_NO_HEARTBEATS
Matt Caswell2c60ed02015-02-02 15:47:39 +0000[diff] [blame]3631int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3632{
Matt Caswell2c60ed02015-02-02 15:47:39 +0000[diff] [blame]3633 unsigned char *pl;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3634 unsigned short hbtype;
3635 unsigned int payload;
3636 unsigned int padding = 16; /* Use minimum padding */
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3637
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3638 if (s->msg_callback)
3639 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
Matt Caswell258f8722015-01-30 17:29:41 +0000[diff] [blame]3640 p, length,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3641 s, s->msg_callback_arg);
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3642
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3643 /* Read type and payload length first */
Matt Caswell258f8722015-01-30 17:29:41 +0000[diff] [blame]3644 if (1 + 2 + 16 > length)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3645 return 0; /* silently discard */
3646 hbtype = *p++;
3647 n2s(p, payload);
Matt Caswell258f8722015-01-30 17:29:41 +0000[diff] [blame]3648 if (1 + 2 + payload + 16 > length)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3649 return 0; /* silently discard per RFC 6520 sec. 4 */
3650 pl = p;
Dr. Stephen Henson731f4312014-04-06 00:51:06 +0100[diff] [blame]3651
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3652 if (hbtype == TLS1_HB_REQUEST) {
3653 unsigned char *buffer, *bp;
3654 int r;
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3655
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3656 /*
3657 * Allocate memory for the response, size is 1 bytes message type,
3658 * plus 2 bytes payload length, plus payload, plus padding
3659 */
3660 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3661 if (buffer == NULL) {
3662 SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3663 return -1;
3664 }
3665 bp = buffer;
Dr. Stephen Henson57cb0302012-02-27 16:38:24 +0000[diff] [blame]3666
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3667 /* Enter response type, length and copy payload */
3668 *bp++ = TLS1_HB_RESPONSE;
3669 s2n(payload, bp);
3670 memcpy(bp, pl, payload);
3671 bp += payload;
3672 /* Random padding */
Matt Caswell266483d2015-02-26 11:57:37 +0000[diff] [blame]3673 if (RAND_bytes(bp, padding) <= 0) {
3674 OPENSSL_free(buffer);
3675 return -1;
3676 }
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3677
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3678 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3679 3 + payload + padding);
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3680
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3681 if (r >= 0 && s->msg_callback)
3682 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3683 buffer, 3 + payload + padding,
3684 s, s->msg_callback_arg);
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3685
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3686 OPENSSL_free(buffer);
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3687
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3688 if (r < 0)
3689 return r;
3690 } else if (hbtype == TLS1_HB_RESPONSE) {
3691 unsigned int seq;
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3692
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3693 /*
3694 * We only send sequence numbers (2 bytes unsigned int), and 16
3695 * random bytes, so we just try to read the sequence number
3696 */
3697 n2s(pl, seq);
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3698
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3699 if (payload == 18 && seq == s->tlsext_hb_seq) {
3700 s->tlsext_hb_seq++;
3701 s->tlsext_hb_pending = 0;
3702 }
3703 }
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3704
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3705 return 0;
3706}
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3707
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3708int tls1_heartbeat(SSL *s)
3709{
3710 unsigned char *buf, *p;
Matt Caswell266483d2015-02-26 11:57:37 +0000[diff] [blame]3711 int ret = -1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3712 unsigned int payload = 18; /* Sequence number + random bytes */
3713 unsigned int padding = 16; /* Use minimum padding */
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3714
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3715 /* Only send if peer supports and accepts HB requests... */
3716 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3717 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3718 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3719 return -1;
3720 }
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3721
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3722 /* ...and there is none in flight yet... */
3723 if (s->tlsext_hb_pending) {
3724 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3725 return -1;
3726 }
Dr. Stephen Henson48175042011-12-31 22:59:57 +0000[diff] [blame]3727
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3728 /* ...and no handshake in progress. */
Matt Caswell024f5432015-10-22 13:57:18 +0100[diff] [blame]3729 if (SSL_in_init(s) || ossl_statem_get_in_handshake(s)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3730 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3731 return -1;
3732 }
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3733
Matt Caswell50e735f2015-01-05 11:30:03 +0000[diff] [blame]3734 /*-
3735 * Create HeartBeat message, we just use a sequence number
3736 * as payload to distuingish different messages and add
3737 * some random stuff.
3738 * - Message Type, 1 byte
3739 * - Payload Length, 2 bytes (unsigned int)
3740 * - Payload, the sequence number (2 bytes uint)
3741 * - Payload, random bytes (16 bytes uint)
3742 * - Padding
3743 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3744 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3745 if (buf == NULL) {
3746 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3747 return -1;
3748 }
3749 p = buf;
3750 /* Message Type */
3751 *p++ = TLS1_HB_REQUEST;
3752 /* Payload length (18 bytes here) */
3753 s2n(payload, p);
3754 /* Sequence number */
3755 s2n(s->tlsext_hb_seq, p);
3756 /* 16 random bytes */
Matt Caswell266483d2015-02-26 11:57:37 +0000[diff] [blame]3757 if (RAND_bytes(p, 16) <= 0) {
3758 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3759 goto err;
3760 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3761 p += 16;
3762 /* Random padding */
Matt Caswell266483d2015-02-26 11:57:37 +0000[diff] [blame]3763 if (RAND_bytes(p, padding) <= 0) {
3764 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3765 goto err;
3766 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3767
3768 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3769 if (ret >= 0) {
3770 if (s->msg_callback)
3771 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3772 buf, 3 + payload + padding,
3773 s, s->msg_callback_arg);
3774
3775 s->tlsext_hb_pending = 1;
3776 }
3777
Matt Caswell266483d2015-02-26 11:57:37 +0000[diff] [blame]3778 err:
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3779 OPENSSL_free(buf);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3780 return ret;
3781}
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3782#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3783
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3784#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3785
3786typedef struct {
3787 size_t sigalgcnt;
3788 int sigalgs[MAX_SIGALGLEN];
3789} sig_cb_st;
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3790
Dr. Stephen Henson431f4582015-07-23 14:57:42 +0100[diff] [blame]3791static void get_sigorhash(int *psig, int *phash, const char *str)
3792{
3793 if (strcmp(str, "RSA") == 0) {
3794 *psig = EVP_PKEY_RSA;
3795 } else if (strcmp(str, "DSA") == 0) {
3796 *psig = EVP_PKEY_DSA;
3797 } else if (strcmp(str, "ECDSA") == 0) {
3798 *psig = EVP_PKEY_EC;
3799 } else {
3800 *phash = OBJ_sn2nid(str);
3801 if (*phash == NID_undef)
3802 *phash = OBJ_ln2nid(str);
3803 }
3804}
3805
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3806static int sig_cb(const char *elem, int len, void *arg)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3807{
3808 sig_cb_st *sarg = arg;
3809 size_t i;
3810 char etmp[20], *p;
Dr. Stephen Henson431f4582015-07-23 14:57:42 +0100[diff] [blame]3811 int sig_alg = NID_undef, hash_alg = NID_undef;
Kurt Roeckx2747d732015-01-24 14:46:50 +0100[diff] [blame]3812 if (elem == NULL)
3813 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3814 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3815 return 0;
3816 if (len > (int)(sizeof(etmp) - 1))
3817 return 0;
3818 memcpy(etmp, elem, len);
3819 etmp[len] = 0;
3820 p = strchr(etmp, '+');
3821 if (!p)
3822 return 0;
3823 *p = 0;
3824 p++;
3825 if (!*p)
3826 return 0;
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3827
Dr. Stephen Henson431f4582015-07-23 14:57:42 +0100[diff] [blame]3828 get_sigorhash(&sig_alg, &hash_alg, etmp);
3829 get_sigorhash(&sig_alg, &hash_alg, p);
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3830
Dr. Stephen Henson431f4582015-07-23 14:57:42 +0100[diff] [blame]3831 if (sig_alg == NID_undef || hash_alg == NID_undef)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3832 return 0;
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3833
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3834 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3835 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3836 return 0;
3837 }
3838 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3839 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3840 return 1;
3841}
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3842
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3843/*
3844 * Set suppored signature algorithms based on a colon separated list of the
3845 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3846 */
Dr. Stephen Henson3dbc46d2012-07-03 12:51:14 +0000[diff] [blame]3847int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3848{
3849 sig_cb_st sig;
3850 sig.sigalgcnt = 0;
3851 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3852 return 0;
3853 if (c == NULL)
3854 return 1;
3855 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3856}
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3857
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3858int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3859 int client)
3860{
3861 unsigned char *sigalgs, *sptr;
3862 int rhash, rsign;
3863 size_t i;
3864 if (salglen & 1)
3865 return 0;
3866 sigalgs = OPENSSL_malloc(salglen);
3867 if (sigalgs == NULL)
3868 return 0;
3869 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
Dr. Stephen Hensonb6eb9822015-05-02 18:30:00 +0100[diff] [blame]3870 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3871 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3872
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3873 if (rhash == -1 || rsign == -1)
3874 goto err;
3875 *sptr++ = rhash;
3876 *sptr++ = rsign;
3877 }
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3878
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3879 if (client) {
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]3880 OPENSSL_free(c->client_sigalgs);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3881 c->client_sigalgs = sigalgs;
3882 c->client_sigalgslen = salglen;
3883 } else {
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]3884 OPENSSL_free(c->conf_sigalgs);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3885 c->conf_sigalgs = sigalgs;
3886 c->conf_sigalgslen = salglen;
3887 }
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3888
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3889 return 1;
Dr. Stephen Henson0f229cc2012-06-22 14:03:31 +0000[diff] [blame]3890
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3891 err:
3892 OPENSSL_free(sigalgs);
3893 return 0;
3894}
Dr. Stephen Henson4453cd82012-06-25 14:32:30 +0000[diff] [blame]3895
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3896static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3897{
3898 int sig_nid;
3899 size_t i;
3900 if (default_nid == -1)
3901 return 1;
3902 sig_nid = X509_get_signature_nid(x);
3903 if (default_nid)
3904 return sig_nid == default_nid ? 1 : 0;
3905 for (i = 0; i < c->shared_sigalgslen; i++)
3906 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3907 return 1;
3908 return 0;
3909}
3910
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3911/* Check to see if a certificate issuer name matches list of CA names */
3912static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3913{
3914 X509_NAME *nm;
3915 int i;
3916 nm = X509_get_issuer_name(x);
3917 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3918 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3919 return 1;
3920 }
3921 return 0;
3922}
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3923
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3924/*
3925 * Check certificate chain is consistent with TLS extensions and is usable by
3926 * server. This servers two purposes: it allows users to check chains before
3927 * passing them to the server and it allows the server to check chains before
3928 * attempting to use them.
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3929 */
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3930
3931/* Flags which need to be set for a certificate when stict mode not set */
3932
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3933#define CERT_PKEY_VALID_FLAGS \
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3934 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3935/* Strict mode flags */
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3936#define CERT_PKEY_STRICT_FLAGS \
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3937 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3938 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]3939
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3940int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3941 int idx)
3942{
3943 int i;
3944 int rv = 0;
3945 int check_flags = 0, strict_mode;
3946 CERT_PKEY *cpk = NULL;
3947 CERT *c = s->cert;
Dr. Stephen Hensonf7d53482015-07-14 23:19:11 +0100[diff] [blame]3948 uint32_t *pvalid;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3949 unsigned int suiteb_flags = tls1_suiteb(s);
3950 /* idx == -1 means checking server chains */
3951 if (idx != -1) {
3952 /* idx == -2 means checking client certificate chains */
3953 if (idx == -2) {
3954 cpk = c->key;
3955 idx = cpk - c->pkeys;
3956 } else
3957 cpk = c->pkeys + idx;
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3958 pvalid = s->s3->tmp.valid_flags + idx;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3959 x = cpk->x509;
3960 pk = cpk->privatekey;
3961 chain = cpk->chain;
3962 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3963 /* If no cert or key, forget it */
3964 if (!x || !pk)
3965 goto end;
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3966#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3967 /* Allow any certificate to pass test */
3968 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3969 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
3970 CERT_PKEY_VALID | CERT_PKEY_SIGN;
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3971 *pvalid = rv;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3972 return rv;
3973 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3974#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3975 } else {
3976 if (!x || !pk)
Matt Caswelld813f9e2015-03-11 17:01:38 +0000[diff] [blame]3977 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3978 idx = ssl_cert_type(x, pk);
3979 if (idx == -1)
Matt Caswelld813f9e2015-03-11 17:01:38 +0000[diff] [blame]3980 return 0;
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]3981 pvalid = s->s3->tmp.valid_flags + idx;
3982
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3983 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3984 check_flags = CERT_PKEY_STRICT_FLAGS;
3985 else
3986 check_flags = CERT_PKEY_VALID_FLAGS;
3987 strict_mode = 1;
3988 }
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]3989
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3990 if (suiteb_flags) {
3991 int ok;
3992 if (check_flags)
3993 check_flags |= CERT_PKEY_SUITEB;
3994 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3995 if (ok == X509_V_OK)
3996 rv |= CERT_PKEY_SUITEB;
3997 else if (!check_flags)
3998 goto end;
3999 }
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]4000
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4001 /*
4002 * Check all signature algorithms are consistent with signature
4003 * algorithms extension if TLS 1.2 or later and strict mode.
4004 */
4005 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
4006 int default_nid;
4007 unsigned char rsign = 0;
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]4008 if (s->s3->tmp.peer_sigalgs)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4009 default_nid = 0;
4010 /* If no sigalgs extension use defaults from RFC5246 */
4011 else {
4012 switch (idx) {
4013 case SSL_PKEY_RSA_ENC:
4014 case SSL_PKEY_RSA_SIGN:
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4015 rsign = TLSEXT_signature_rsa;
4016 default_nid = NID_sha1WithRSAEncryption;
4017 break;
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]4018
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4019 case SSL_PKEY_DSA_SIGN:
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4020 rsign = TLSEXT_signature_dsa;
4021 default_nid = NID_dsaWithSHA1;
4022 break;
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]4023
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4024 case SSL_PKEY_ECC:
4025 rsign = TLSEXT_signature_ecdsa;
4026 default_nid = NID_ecdsa_with_SHA1;
4027 break;
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]4028
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]4029 case SSL_PKEY_GOST01:
4030 rsign = TLSEXT_signature_gostr34102001;
4031 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
4032 break;
4033
4034 case SSL_PKEY_GOST12_256:
4035 rsign = TLSEXT_signature_gostr34102012_256;
4036 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
4037 break;
4038
4039 case SSL_PKEY_GOST12_512:
4040 rsign = TLSEXT_signature_gostr34102012_512;
4041 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
4042 break;
4043
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4044 default:
4045 default_nid = -1;
4046 break;
4047 }
4048 }
4049 /*
4050 * If peer sent no signature algorithms extension and we have set
4051 * preferred signature algorithms check we support sha1.
4052 */
4053 if (default_nid > 0 && c->conf_sigalgs) {
4054 size_t j;
4055 const unsigned char *p = c->conf_sigalgs;
4056 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4057 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4058 break;
4059 }
4060 if (j == c->conf_sigalgslen) {
4061 if (check_flags)
4062 goto skip_sigs;
4063 else
4064 goto end;
4065 }
4066 }
4067 /* Check signature algorithm of each cert in chain */
4068 if (!tls1_check_sig_alg(c, x, default_nid)) {
4069 if (!check_flags)
4070 goto end;
4071 } else
4072 rv |= CERT_PKEY_EE_SIGNATURE;
4073 rv |= CERT_PKEY_CA_SIGNATURE;
4074 for (i = 0; i < sk_X509_num(chain); i++) {
4075 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4076 if (check_flags) {
4077 rv &= ~CERT_PKEY_CA_SIGNATURE;
4078 break;
4079 } else
4080 goto end;
4081 }
4082 }
4083 }
4084 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4085 else if (check_flags)
4086 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4087 skip_sigs:
4088 /* Check cert parameters are consistent */
4089 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4090 rv |= CERT_PKEY_EE_PARAM;
4091 else if (!check_flags)
4092 goto end;
4093 if (!s->server)
4094 rv |= CERT_PKEY_CA_PARAM;
4095 /* In strict mode check rest of chain too */
4096 else if (strict_mode) {
4097 rv |= CERT_PKEY_CA_PARAM;
4098 for (i = 0; i < sk_X509_num(chain); i++) {
4099 X509 *ca = sk_X509_value(chain, i);
4100 if (!tls1_check_cert_param(s, ca, 0)) {
4101 if (check_flags) {
4102 rv &= ~CERT_PKEY_CA_PARAM;
4103 break;
4104 } else
4105 goto end;
4106 }
4107 }
4108 }
4109 if (!s->server && strict_mode) {
4110 STACK_OF(X509_NAME) *ca_dn;
4111 int check_type = 0;
4112 switch (pk->type) {
4113 case EVP_PKEY_RSA:
4114 check_type = TLS_CT_RSA_SIGN;
4115 break;
4116 case EVP_PKEY_DSA:
4117 check_type = TLS_CT_DSS_SIGN;
4118 break;
4119 case EVP_PKEY_EC:
4120 check_type = TLS_CT_ECDSA_SIGN;
4121 break;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4122 }
4123 if (check_type) {
4124 const unsigned char *ctypes;
4125 int ctypelen;
4126 if (c->ctypes) {
4127 ctypes = c->ctypes;
4128 ctypelen = (int)c->ctype_num;
4129 } else {
4130 ctypes = (unsigned char *)s->s3->tmp.ctype;
4131 ctypelen = s->s3->tmp.ctype_num;
4132 }
4133 for (i = 0; i < ctypelen; i++) {
4134 if (ctypes[i] == check_type) {
4135 rv |= CERT_PKEY_CERT_TYPE;
4136 break;
4137 }
4138 }
4139 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4140 goto end;
4141 } else
4142 rv |= CERT_PKEY_CERT_TYPE;
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]4143
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4144 ca_dn = s->s3->tmp.ca_names;
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]4145
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4146 if (!sk_X509_NAME_num(ca_dn))
4147 rv |= CERT_PKEY_ISSUER_NAME;
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]4148
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4149 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4150 if (ssl_check_ca_name(ca_dn, x))
4151 rv |= CERT_PKEY_ISSUER_NAME;
4152 }
4153 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4154 for (i = 0; i < sk_X509_num(chain); i++) {
4155 X509 *xtmp = sk_X509_value(chain, i);
4156 if (ssl_check_ca_name(ca_dn, xtmp)) {
4157 rv |= CERT_PKEY_ISSUER_NAME;
4158 break;
4159 }
4160 }
4161 }
4162 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4163 goto end;
4164 } else
4165 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]4166
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4167 if (!check_flags || (rv & check_flags) == check_flags)
4168 rv |= CERT_PKEY_VALID;
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]4169
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4170 end:
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]4171
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4172 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]4173 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4174 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]4175 else if (s->s3->tmp.md[idx] != NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4176 rv |= CERT_PKEY_SIGN;
4177 } else
4178 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
Dr. Stephen Henson6dbb6212012-07-27 13:39:23 +0000[diff] [blame]4179
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4180 /*
4181 * When checking a CERT_PKEY structure all flags are irrelevant if the
4182 * chain is invalid.
4183 */
4184 if (!check_flags) {
4185 if (rv & CERT_PKEY_VALID)
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]4186 *pvalid = rv;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4187 else {
4188 /* Preserve explicit sign flag, clear rest */
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]4189 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4190 return 0;
4191 }
4192 }
4193 return rv;
4194}
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]4195
4196/* Set validity of certificates in an SSL structure */
4197void tls1_set_cert_validity(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4198{
Matt Caswell17dd65e2015-03-24 15:10:15 +0000[diff] [blame]4199 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4200 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4201 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
Matt Caswell17dd65e2015-03-24 15:10:15 +0000[diff] [blame]4202 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]4203 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
4204 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
4205 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4206}
4207
Dr. Stephen Henson18d71582012-06-29 14:24:42 +0000[diff] [blame]4208/* User level utiity function to check a chain is suitable */
4209int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4210{
4211 return tls1_check_chain(s, x, pk, chain, -1);
4212}
Dr. Stephen Hensond61ff832012-06-28 12:45:49 +0000[diff] [blame]4213
Dr. Stephen Henson09599b52014-01-22 16:22:48 +0000[diff] [blame]4214
4215#ifndef OPENSSL_NO_DH
4216DH *ssl_get_auto_dh(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4217{
4218 int dh_secbits = 80;
4219 if (s->cert->dh_tmp_auto == 2)
4220 return DH_get_1024_160();
Dr. Stephen Hensonadc55062015-06-28 17:01:52 +0100[diff] [blame]4221 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4222 if (s->s3->tmp.new_cipher->strength_bits == 256)
4223 dh_secbits = 128;
4224 else
4225 dh_secbits = 80;
4226 } else {
4227 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4228 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4229 }
Dr. Stephen Henson09599b52014-01-22 16:22:48 +0000[diff] [blame]4230
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4231 if (dh_secbits >= 128) {
4232 DH *dhp = DH_new();
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]4233 if (dhp == NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4234 return NULL;
4235 dhp->g = BN_new();
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]4236 if (dhp->g != NULL)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4237 BN_set_word(dhp->g, 2);
4238 if (dh_secbits >= 192)
4239 dhp->p = get_rfc3526_prime_8192(NULL);
4240 else
4241 dhp->p = get_rfc3526_prime_3072(NULL);
Matt Caswella71edf32015-10-30 10:05:53 +0000[diff] [blame]4242 if (dhp->p == NULL || dhp->g == NULL) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4243 DH_free(dhp);
4244 return NULL;
4245 }
4246 return dhp;
4247 }
4248 if (dh_secbits >= 112)
4249 return DH_get_2048_224();
4250 return DH_get_1024_160();
4251}
Dr. Stephen Henson09599b52014-01-22 16:22:48 +0000[diff] [blame]4252#endif
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4253
4254static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4255{
Dr. Stephen Henson72245f32015-12-30 13:34:53 +0000[diff] [blame]4256 int secbits = -1;
Dr. Stephen Henson8382fd32015-12-20 00:32:36 +0000[diff] [blame]4257 EVP_PKEY *pkey = X509_get0_pubkey(x);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4258 if (pkey) {
Dr. Stephen Henson72245f32015-12-30 13:34:53 +0000[diff] [blame]4259 /*
4260 * If no parameters this will return -1 and fail using the default
4261 * security callback for any non-zero security level. This will
4262 * reject keys which omit parameters but this only affects DSA and
4263 * omission of parameters is never (?) done in practice.
4264 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4265 secbits = EVP_PKEY_security_bits(pkey);
Dr. Stephen Henson72245f32015-12-30 13:34:53 +0000[diff] [blame]4266 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4267 if (s)
4268 return ssl_security(s, op, secbits, 0, x);
4269 else
4270 return ssl_ctx_security(ctx, op, secbits, 0, x);
4271}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4272
4273static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4274{
4275 /* Lookup signature algorithm digest */
4276 int secbits = -1, md_nid = NID_undef, sig_nid;
4277 sig_nid = X509_get_signature_nid(x);
4278 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4279 const EVP_MD *md;
4280 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4281 secbits = EVP_MD_size(md) * 4;
4282 }
4283 if (s)
4284 return ssl_security(s, op, secbits, md_nid, x);
4285 else
4286 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4287}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4288
4289int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4290{
4291 if (vfy)
4292 vfy = SSL_SECOP_PEER;
4293 if (is_ee) {
4294 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4295 return SSL_R_EE_KEY_TOO_SMALL;
4296 } else {
4297 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4298 return SSL_R_CA_KEY_TOO_SMALL;
4299 }
4300 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4301 return SSL_R_CA_MD_TOO_WEAK;
4302 return 1;
4303}
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4304
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4305/*
4306 * Check security of a chain, if sk includes the end entity certificate then
4307 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4308 * one to the peer. Return values: 1 if ok otherwise error code to use
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4309 */
4310
4311int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4312{
4313 int rv, start_idx, i;
4314 if (x == NULL) {
4315 x = sk_X509_value(sk, 0);
4316 start_idx = 1;
4317 } else
4318 start_idx = 0;
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4319
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4320 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4321 if (rv != 1)
4322 return rv;
Dr. Stephen Hensonb362cca2013-12-15 13:32:24 +0000[diff] [blame]4323
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]4324 for (i = start_idx; i < sk_X509_num(sk); i++) {
4325 x = sk_X509_value(sk, i);
4326 rv = ssl_security_cert(s, NULL, x, vfy, 0);
4327 if (rv != 1)
4328 return rv;
4329 }
4330 return 1;
4331}