1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124 const unsigned char *sess_id, int sesslen,
125 SSL_SESSION **psess);
126 #endif
127
128 SSL3_ENC_METHOD TLSv1_enc_data={
129 tls1_enc,
130 tls1_mac,
131 tls1_setup_key_block,
132 tls1_generate_master_secret,
133 tls1_change_cipher_state,
134 tls1_final_finish_mac,
135 TLS1_FINISH_MAC_LENGTH,
136 tls1_cert_verify_mac,
137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139 tls1_alert_code,
140 tls1_export_keying_material,
141 };
142
tls1_default_timeout(void)143 long tls1_default_timeout(void)
144 {
145 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146 * is way too long for http, the cache would over fill */
147 return(60*60*2);
148 }
149
tls1_new(SSL * s)150 int tls1_new(SSL *s)
151 {
152 if (!ssl3_new(s)) return(0);
153 s->method->ssl_clear(s);
154 return(1);
155 }
156
tls1_free(SSL * s)157 void tls1_free(SSL *s)
158 {
159 #ifndef OPENSSL_NO_TLSEXT
160 if (s->tlsext_session_ticket)
161 {
162 OPENSSL_free(s->tlsext_session_ticket);
163 }
164 #endif /* OPENSSL_NO_TLSEXT */
165 ssl3_free(s);
166 }
167
tls1_clear(SSL * s)168 void tls1_clear(SSL *s)
169 {
170 ssl3_clear(s);
171 s->version = s->method->version;
172 }
173
174 #ifndef OPENSSL_NO_EC
175
176 static int nid_list[] =
177 {
178 NID_sect163k1, /* sect163k1 (1) */
179 NID_sect163r1, /* sect163r1 (2) */
180 NID_sect163r2, /* sect163r2 (3) */
181 NID_sect193r1, /* sect193r1 (4) */
182 NID_sect193r2, /* sect193r2 (5) */
183 NID_sect233k1, /* sect233k1 (6) */
184 NID_sect233r1, /* sect233r1 (7) */
185 NID_sect239k1, /* sect239k1 (8) */
186 NID_sect283k1, /* sect283k1 (9) */
187 NID_sect283r1, /* sect283r1 (10) */
188 NID_sect409k1, /* sect409k1 (11) */
189 NID_sect409r1, /* sect409r1 (12) */
190 NID_sect571k1, /* sect571k1 (13) */
191 NID_sect571r1, /* sect571r1 (14) */
192 NID_secp160k1, /* secp160k1 (15) */
193 NID_secp160r1, /* secp160r1 (16) */
194 NID_secp160r2, /* secp160r2 (17) */
195 NID_secp192k1, /* secp192k1 (18) */
196 NID_X9_62_prime192v1, /* secp192r1 (19) */
197 NID_secp224k1, /* secp224k1 (20) */
198 NID_secp224r1, /* secp224r1 (21) */
199 NID_secp256k1, /* secp256k1 (22) */
200 NID_X9_62_prime256v1, /* secp256r1 (23) */
201 NID_secp384r1, /* secp384r1 (24) */
202 NID_secp521r1 /* secp521r1 (25) */
203 };
204
205 static int pref_list[] =
206 {
207 NID_sect571r1, /* sect571r1 (14) */
208 NID_sect571k1, /* sect571k1 (13) */
209 NID_secp521r1, /* secp521r1 (25) */
210 NID_sect409k1, /* sect409k1 (11) */
211 NID_sect409r1, /* sect409r1 (12) */
212 NID_secp384r1, /* secp384r1 (24) */
213 NID_sect283k1, /* sect283k1 (9) */
214 NID_sect283r1, /* sect283r1 (10) */
215 NID_secp256k1, /* secp256k1 (22) */
216 NID_X9_62_prime256v1, /* secp256r1 (23) */
217 NID_sect239k1, /* sect239k1 (8) */
218 NID_sect233k1, /* sect233k1 (6) */
219 NID_sect233r1, /* sect233r1 (7) */
220 NID_secp224k1, /* secp224k1 (20) */
221 NID_secp224r1, /* secp224r1 (21) */
222 NID_sect193r1, /* sect193r1 (4) */
223 NID_sect193r2, /* sect193r2 (5) */
224 NID_secp192k1, /* secp192k1 (18) */
225 NID_X9_62_prime192v1, /* secp192r1 (19) */
226 NID_sect163k1, /* sect163k1 (1) */
227 NID_sect163r1, /* sect163r1 (2) */
228 NID_sect163r2, /* sect163r2 (3) */
229 NID_secp160k1, /* secp160k1 (15) */
230 NID_secp160r1, /* secp160r1 (16) */
231 NID_secp160r2, /* secp160r2 (17) */
232 };
233
tls1_ec_curve_id2nid(int curve_id)234 int tls1_ec_curve_id2nid(int curve_id)
235 {
236 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237 if ((curve_id < 1) || ((unsigned int)curve_id >
238 sizeof(nid_list)/sizeof(nid_list[0])))
239 return 0;
240 return nid_list[curve_id-1];
241 }
242
tls1_ec_nid2curve_id(int nid)243 int tls1_ec_nid2curve_id(int nid)
244 {
245 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246 switch (nid)
247 {
248 case NID_sect163k1: /* sect163k1 (1) */
249 return 1;
250 case NID_sect163r1: /* sect163r1 (2) */
251 return 2;
252 case NID_sect163r2: /* sect163r2 (3) */
253 return 3;
254 case NID_sect193r1: /* sect193r1 (4) */
255 return 4;
256 case NID_sect193r2: /* sect193r2 (5) */
257 return 5;
258 case NID_sect233k1: /* sect233k1 (6) */
259 return 6;
260 case NID_sect233r1: /* sect233r1 (7) */
261 return 7;
262 case NID_sect239k1: /* sect239k1 (8) */
263 return 8;
264 case NID_sect283k1: /* sect283k1 (9) */
265 return 9;
266 case NID_sect283r1: /* sect283r1 (10) */
267 return 10;
268 case NID_sect409k1: /* sect409k1 (11) */
269 return 11;
270 case NID_sect409r1: /* sect409r1 (12) */
271 return 12;
272 case NID_sect571k1: /* sect571k1 (13) */
273 return 13;
274 case NID_sect571r1: /* sect571r1 (14) */
275 return 14;
276 case NID_secp160k1: /* secp160k1 (15) */
277 return 15;
278 case NID_secp160r1: /* secp160r1 (16) */
279 return 16;
280 case NID_secp160r2: /* secp160r2 (17) */
281 return 17;
282 case NID_secp192k1: /* secp192k1 (18) */
283 return 18;
284 case NID_X9_62_prime192v1: /* secp192r1 (19) */
285 return 19;
286 case NID_secp224k1: /* secp224k1 (20) */
287 return 20;
288 case NID_secp224r1: /* secp224r1 (21) */
289 return 21;
290 case NID_secp256k1: /* secp256k1 (22) */
291 return 22;
292 case NID_X9_62_prime256v1: /* secp256r1 (23) */
293 return 23;
294 case NID_secp384r1: /* secp384r1 (24) */
295 return 24;
296 case NID_secp521r1: /* secp521r1 (25) */
297 return 25;
298 default:
299 return 0;
300 }
301 }
302 #endif /* OPENSSL_NO_EC */
303
304 #ifndef OPENSSL_NO_TLSEXT
305
306 /* List of supported signature algorithms and hashes. Should make this
307 * customisable at some point, for now include everything we support.
308 */
309
310 #ifdef OPENSSL_NO_RSA
311 #define tlsext_sigalg_rsa(md) /* */
312 #else
313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #endif
315
316 #ifdef OPENSSL_NO_DSA
317 #define tlsext_sigalg_dsa(md) /* */
318 #else
319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #endif
321
322 #ifdef OPENSSL_NO_ECDSA
323 #define tlsext_sigalg_ecdsa(md) /* */
324 #else
325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #endif
327
328 #define tlsext_sigalg(md) \
329 tlsext_sigalg_rsa(md) \
330 tlsext_sigalg_dsa(md) \
331 tlsext_sigalg_ecdsa(md)
332
333 static unsigned char tls12_sigalgs[] = {
334 #ifndef OPENSSL_NO_SHA512
335 tlsext_sigalg(TLSEXT_hash_sha512)
336 tlsext_sigalg(TLSEXT_hash_sha384)
337 #endif
338 #ifndef OPENSSL_NO_SHA256
339 tlsext_sigalg(TLSEXT_hash_sha256)
340 tlsext_sigalg(TLSEXT_hash_sha224)
341 #endif
342 #ifndef OPENSSL_NO_SHA
343 tlsext_sigalg(TLSEXT_hash_sha1)
344 #endif
345 #ifndef OPENSSL_NO_MD5
346 tlsext_sigalg_rsa(TLSEXT_hash_md5)
347 #endif
348 };
349
tls12_get_req_sig_algs(SSL * s,unsigned char * p)350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351 {
352 size_t slen = sizeof(tls12_sigalgs);
353 #ifdef OPENSSL_FIPS
354 /* If FIPS mode don't include MD5 which is last */
355 if (FIPS_mode())
356 slen -= 2;
357 #endif
358 if (p)
359 memcpy(p, tls12_sigalgs, slen);
360 return (int)slen;
361 }
362
ssl_add_clienthello_tlsext(SSL * s,unsigned char * p,unsigned char * limit)363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364 {
365 int extdatalen=0;
366 unsigned char *ret = p;
367
368 /* don't add extensions for SSLv3 unless doing secure renegotiation */
369 if (s->client_version == SSL3_VERSION
370 && !s->s3->send_connection_binding)
371 return p;
372
373 ret+=2;
374
375 if (ret>=limit) return NULL; /* this really never occurs, but ... */
376
377 if (s->tlsext_hostname != NULL)
378 {
379 /* Add TLS extension servername to the Client Hello message */
380 unsigned long size_str;
381 long lenmax;
382
383 /* check for enough space.
384 4 for the servername type and entension length
385 2 for servernamelist length
386 1 for the hostname type
387 2 for hostname length
388 + hostname length
389 */
390
391 if ((lenmax = limit - ret - 9) < 0
392 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
393 return NULL;
394
395 /* extension type and length */
396 s2n(TLSEXT_TYPE_server_name,ret);
397 s2n(size_str+5,ret);
398
399 /* length of servername list */
400 s2n(size_str+3,ret);
401
402 /* hostname type, length and hostname */
403 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
404 s2n(size_str,ret);
405 memcpy(ret, s->tlsext_hostname, size_str);
406 ret+=size_str;
407 }
408
409 /* Add RI if renegotiating */
410 if (s->renegotiate)
411 {
412 int el;
413
414 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
415 {
416 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
417 return NULL;
418 }
419
420 if((limit - p - 4 - el) < 0) return NULL;
421
422 s2n(TLSEXT_TYPE_renegotiate,ret);
423 s2n(el,ret);
424
425 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
426 {
427 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
428 return NULL;
429 }
430
431 ret += el;
432 }
433
434 #ifndef OPENSSL_NO_SRP
435 /* Add SRP username if there is one */
436 if (s->srp_ctx.login != NULL)
437 { /* Add TLS extension SRP username to the Client Hello message */
438
439 int login_len = strlen(s->srp_ctx.login);
440 if (login_len > 255 || login_len == 0)
441 {
442 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
443 return NULL;
444 }
445
446 /* check for enough space.
447 4 for the srp type type and entension length
448 1 for the srp user identity
449 + srp user identity length
450 */
451 if ((limit - ret - 5 - login_len) < 0) return NULL;
452
453 /* fill in the extension */
454 s2n(TLSEXT_TYPE_srp,ret);
455 s2n(login_len+1,ret);
456 (*ret++) = (unsigned char) login_len;
457 memcpy(ret, s->srp_ctx.login, login_len);
458 ret+=login_len;
459 }
460 #endif
461
462 #ifndef OPENSSL_NO_EC
463 if (s->tlsext_ecpointformatlist != NULL &&
464 s->version != DTLS1_VERSION)
465 {
466 /* Add TLS extension ECPointFormats to the ClientHello message */
467 long lenmax;
468
469 if ((lenmax = limit - ret - 5) < 0) return NULL;
470 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471 if (s->tlsext_ecpointformatlist_length > 255)
472 {
473 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
474 return NULL;
475 }
476
477 s2n(TLSEXT_TYPE_ec_point_formats,ret);
478 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481 ret+=s->tlsext_ecpointformatlist_length;
482 }
483 if (s->tlsext_ellipticcurvelist != NULL &&
484 s->version != DTLS1_VERSION)
485 {
486 /* Add TLS extension EllipticCurves to the ClientHello message */
487 long lenmax;
488
489 if ((lenmax = limit - ret - 6) < 0) return NULL;
490 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
491 if (s->tlsext_ellipticcurvelist_length > 65532)
492 {
493 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
494 return NULL;
495 }
496
497 s2n(TLSEXT_TYPE_elliptic_curves,ret);
498 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
499
500 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
501 * elliptic_curve_list, but the examples use two bytes.
502 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
503 * resolves this to two bytes.
504 */
505 s2n(s->tlsext_ellipticcurvelist_length, ret);
506 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
507 ret+=s->tlsext_ellipticcurvelist_length;
508 }
509 #endif /* OPENSSL_NO_EC */
510
511 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
512 {
513 int ticklen;
514 if (!s->new_session && s->session && s->session->tlsext_tick)
515 ticklen = s->session->tlsext_ticklen;
516 else if (s->session && s->tlsext_session_ticket &&
517 s->tlsext_session_ticket->data)
518 {
519 ticklen = s->tlsext_session_ticket->length;
520 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
521 if (!s->session->tlsext_tick)
522 return NULL;
523 memcpy(s->session->tlsext_tick,
524 s->tlsext_session_ticket->data,
525 ticklen);
526 s->session->tlsext_ticklen = ticklen;
527 }
528 else
529 ticklen = 0;
530 if (ticklen == 0 && s->tlsext_session_ticket &&
531 s->tlsext_session_ticket->data == NULL)
532 goto skip_ext;
533 /* Check for enough room 2 for extension type, 2 for len
534 * rest for ticket
535 */
536 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
537 s2n(TLSEXT_TYPE_session_ticket,ret);
538 s2n(ticklen,ret);
539 if (ticklen)
540 {
541 memcpy(ret, s->session->tlsext_tick, ticklen);
542 ret += ticklen;
543 }
544 }
545 skip_ext:
546
547 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
548 {
549 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
550 return NULL;
551 s2n(TLSEXT_TYPE_signature_algorithms,ret);
552 s2n(sizeof(tls12_sigalgs) + 2, ret);
553 s2n(sizeof(tls12_sigalgs), ret);
554 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
555 ret += sizeof(tls12_sigalgs);
556 }
557
558 #ifdef TLSEXT_TYPE_opaque_prf_input
559 if (s->s3->client_opaque_prf_input != NULL &&
560 s->version != DTLS1_VERSION)
561 {
562 size_t col = s->s3->client_opaque_prf_input_len;
563
564 if ((long)(limit - ret - 6 - col < 0))
565 return NULL;
566 if (col > 0xFFFD) /* can't happen */
567 return NULL;
568
569 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
570 s2n(col + 2, ret);
571 s2n(col, ret);
572 memcpy(ret, s->s3->client_opaque_prf_input, col);
573 ret += col;
574 }
575 #endif
576
577 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
578 s->version != DTLS1_VERSION)
579 {
580 int i;
581 long extlen, idlen, itmp;
582 OCSP_RESPID *id;
583
584 idlen = 0;
585 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
586 {
587 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
588 itmp = i2d_OCSP_RESPID(id, NULL);
589 if (itmp <= 0)
590 return NULL;
591 idlen += itmp + 2;
592 }
593
594 if (s->tlsext_ocsp_exts)
595 {
596 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
597 if (extlen < 0)
598 return NULL;
599 }
600 else
601 extlen = 0;
602
603 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
604 s2n(TLSEXT_TYPE_status_request, ret);
605 if (extlen + idlen > 0xFFF0)
606 return NULL;
607 s2n(extlen + idlen + 5, ret);
608 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
609 s2n(idlen, ret);
610 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
611 {
612 /* save position of id len */
613 unsigned char *q = ret;
614 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
615 /* skip over id len */
616 ret += 2;
617 itmp = i2d_OCSP_RESPID(id, &ret);
618 /* write id len */
619 s2n(itmp, q);
620 }
621 s2n(extlen, ret);
622 if (extlen > 0)
623 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
624 }
625
626 #ifndef OPENSSL_NO_HEARTBEATS
627 /* Add Heartbeat extension */
628 s2n(TLSEXT_TYPE_heartbeat,ret);
629 s2n(1,ret);
630 /* Set mode:
631 * 1: peer may send requests
632 * 2: peer not allowed to send requests
633 */
634 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636 else
637 *(ret++) = SSL_TLSEXT_HB_ENABLED;
638 #endif
639
640 #ifndef OPENSSL_NO_NEXTPROTONEG
641 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642 {
643 /* The client advertises an emtpy extension to indicate its
644 * support for Next Protocol Negotiation */
645 if (limit - ret - 4 < 0)
646 return NULL;
647 s2n(TLSEXT_TYPE_next_proto_neg,ret);
648 s2n(0,ret);
649 }
650 #endif
651
652 if (s->tlsext_channel_id_enabled)
653 {
654 /* The client advertises an emtpy extension to indicate its
655 * support for Channel ID. */
656 if (limit - ret - 4 < 0)
657 return NULL;
658 s2n(TLSEXT_TYPE_channel_id,ret);
659 s2n(0,ret);
660 }
661
662 #ifndef OPENSSL_NO_SRTP
663 if(SSL_get_srtp_profiles(s))
664 {
665 int el;
666
667 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
668
669 if((limit - p - 4 - el) < 0) return NULL;
670
671 s2n(TLSEXT_TYPE_use_srtp,ret);
672 s2n(el,ret);
673
674 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
675 {
676 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
677 return NULL;
678 }
679 ret += el;
680 }
681 #endif
682
683 if ((extdatalen = ret-p-2)== 0)
684 return p;
685
686 s2n(extdatalen,p);
687 return ret;
688 }
689
ssl_add_serverhello_tlsext(SSL * s,unsigned char * p,unsigned char * limit)690 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
691 {
692 int extdatalen=0;
693 unsigned char *ret = p;
694 #ifndef OPENSSL_NO_NEXTPROTONEG
695 int next_proto_neg_seen;
696 #endif
697
698 /* don't add extensions for SSLv3, unless doing secure renegotiation */
699 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
700 return p;
701
702 ret+=2;
703 if (ret>=limit) return NULL; /* this really never occurs, but ... */
704
705 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
706 {
707 if ((long)(limit - ret - 4) < 0) return NULL;
708
709 s2n(TLSEXT_TYPE_server_name,ret);
710 s2n(0,ret);
711 }
712
713 if(s->s3->send_connection_binding)
714 {
715 int el;
716
717 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
718 {
719 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
720 return NULL;
721 }
722
723 if((limit - p - 4 - el) < 0) return NULL;
724
725 s2n(TLSEXT_TYPE_renegotiate,ret);
726 s2n(el,ret);
727
728 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
729 {
730 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
731 return NULL;
732 }
733
734 ret += el;
735 }
736
737 #ifndef OPENSSL_NO_EC
738 if (s->tlsext_ecpointformatlist != NULL &&
739 s->version != DTLS1_VERSION)
740 {
741 /* Add TLS extension ECPointFormats to the ServerHello message */
742 long lenmax;
743
744 if ((lenmax = limit - ret - 5) < 0) return NULL;
745 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
746 if (s->tlsext_ecpointformatlist_length > 255)
747 {
748 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
749 return NULL;
750 }
751
752 s2n(TLSEXT_TYPE_ec_point_formats,ret);
753 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
754 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
755 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
756 ret+=s->tlsext_ecpointformatlist_length;
757
758 }
759 /* Currently the server should not respond with a SupportedCurves extension */
760 #endif /* OPENSSL_NO_EC */
761
762 if (s->tlsext_ticket_expected
763 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
764 {
765 if ((long)(limit - ret - 4) < 0) return NULL;
766 s2n(TLSEXT_TYPE_session_ticket,ret);
767 s2n(0,ret);
768 }
769
770 if (s->tlsext_status_expected)
771 {
772 if ((long)(limit - ret - 4) < 0) return NULL;
773 s2n(TLSEXT_TYPE_status_request,ret);
774 s2n(0,ret);
775 }
776
777 #ifdef TLSEXT_TYPE_opaque_prf_input
778 if (s->s3->server_opaque_prf_input != NULL &&
779 s->version != DTLS1_VERSION)
780 {
781 size_t sol = s->s3->server_opaque_prf_input_len;
782
783 if ((long)(limit - ret - 6 - sol) < 0)
784 return NULL;
785 if (sol > 0xFFFD) /* can't happen */
786 return NULL;
787
788 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
789 s2n(sol + 2, ret);
790 s2n(sol, ret);
791 memcpy(ret, s->s3->server_opaque_prf_input, sol);
792 ret += sol;
793 }
794 #endif
795
796 #ifndef OPENSSL_NO_SRTP
797 if(s->srtp_profile)
798 {
799 int el;
800
801 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
802
803 if((limit - p - 4 - el) < 0) return NULL;
804
805 s2n(TLSEXT_TYPE_use_srtp,ret);
806 s2n(el,ret);
807
808 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
809 {
810 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
811 return NULL;
812 }
813 ret+=el;
814 }
815 #endif
816
817 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
818 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
819 { const unsigned char cryptopro_ext[36] = {
820 0xfd, 0xe8, /*65000*/
821 0x00, 0x20, /*32 bytes length*/
822 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
823 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
824 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
825 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
826 if (limit-ret<36) return NULL;
827 memcpy(ret,cryptopro_ext,36);
828 ret+=36;
829
830 }
831
832 #ifndef OPENSSL_NO_HEARTBEATS
833 /* Add Heartbeat extension if we've received one */
834 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
835 {
836 s2n(TLSEXT_TYPE_heartbeat,ret);
837 s2n(1,ret);
838 /* Set mode:
839 * 1: peer may send requests
840 * 2: peer not allowed to send requests
841 */
842 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
843 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
844 else
845 *(ret++) = SSL_TLSEXT_HB_ENABLED;
846
847 }
848 #endif
849
850 #ifndef OPENSSL_NO_NEXTPROTONEG
851 next_proto_neg_seen = s->s3->next_proto_neg_seen;
852 s->s3->next_proto_neg_seen = 0;
853 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
854 {
855 const unsigned char *npa;
856 unsigned int npalen;
857 int r;
858
859 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
860 if (r == SSL_TLSEXT_ERR_OK)
861 {
862 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
863 s2n(TLSEXT_TYPE_next_proto_neg,ret);
864 s2n(npalen,ret);
865 memcpy(ret, npa, npalen);
866 ret += npalen;
867 s->s3->next_proto_neg_seen = 1;
868 }
869 }
870 #endif
871
872 /* If the client advertised support for Channel ID, and we have it
873 * enabled, then we want to echo it back. */
874 if (s->s3->tlsext_channel_id_valid)
875 {
876 if (limit - ret - 4 < 0)
877 return NULL;
878 s2n(TLSEXT_TYPE_channel_id,ret);
879 s2n(0,ret);
880 }
881
882 if ((extdatalen = ret-p-2)== 0)
883 return p;
884
885 s2n(extdatalen,p);
886 return ret;
887 }
888
ssl_parse_clienthello_tlsext(SSL * s,unsigned char ** p,unsigned char * d,int n,int * al)889 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
890 {
891 unsigned short type;
892 unsigned short size;
893 unsigned short len;
894 unsigned char *data = *p;
895 int renegotiate_seen = 0;
896 int sigalg_seen = 0;
897
898 s->servername_done = 0;
899 s->tlsext_status_type = -1;
900 #ifndef OPENSSL_NO_NEXTPROTONEG
901 s->s3->next_proto_neg_seen = 0;
902 #endif
903
904 #ifndef OPENSSL_NO_HEARTBEATS
905 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
906 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
907 #endif
908
909 if (data >= (d+n-2))
910 goto ri_check;
911 n2s(data,len);
912
913 if (data > (d+n-len))
914 goto ri_check;
915
916 while (data <= (d+n-4))
917 {
918 n2s(data,type);
919 n2s(data,size);
920
921 if (data+size > (d+n))
922 goto ri_check;
923 #if 0
924 fprintf(stderr,"Received extension type %d size %d\n",type,size);
925 #endif
926 if (s->tlsext_debug_cb)
927 s->tlsext_debug_cb(s, 0, type, data, size,
928 s->tlsext_debug_arg);
929 /* The servername extension is treated as follows:
930
931 - Only the hostname type is supported with a maximum length of 255.
932 - The servername is rejected if too long or if it contains zeros,
933 in which case an fatal alert is generated.
934 - The servername field is maintained together with the session cache.
935 - When a session is resumed, the servername call back invoked in order
936 to allow the application to position itself to the right context.
937 - The servername is acknowledged if it is new for a session or when
938 it is identical to a previously used for the same session.
939 Applications can control the behaviour. They can at any time
940 set a 'desirable' servername for a new SSL object. This can be the
941 case for example with HTTPS when a Host: header field is received and
942 a renegotiation is requested. In this case, a possible servername
943 presented in the new client hello is only acknowledged if it matches
944 the value of the Host: field.
945 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
946 if they provide for changing an explicit servername context for the session,
947 i.e. when the session has been established with a servername extension.
948 - On session reconnect, the servername extension may be absent.
949
950 */
951
952 if (type == TLSEXT_TYPE_server_name)
953 {
954 unsigned char *sdata;
955 int servname_type;
956 int dsize;
957
958 if (size < 2)
959 {
960 *al = SSL_AD_DECODE_ERROR;
961 return 0;
962 }
963 n2s(data,dsize);
964 size -= 2;
965 if (dsize > size )
966 {
967 *al = SSL_AD_DECODE_ERROR;
968 return 0;
969 }
970
971 sdata = data;
972 while (dsize > 3)
973 {
974 servname_type = *(sdata++);
975 n2s(sdata,len);
976 dsize -= 3;
977
978 if (len > dsize)
979 {
980 *al = SSL_AD_DECODE_ERROR;
981 return 0;
982 }
983 if (s->servername_done == 0)
984 switch (servname_type)
985 {
986 case TLSEXT_NAMETYPE_host_name:
987 if (!s->hit)
988 {
989 if(s->session->tlsext_hostname)
990 {
991 *al = SSL_AD_DECODE_ERROR;
992 return 0;
993 }
994 if (len > TLSEXT_MAXLEN_host_name)
995 {
996 *al = TLS1_AD_UNRECOGNIZED_NAME;
997 return 0;
998 }
999 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1000 {
1001 *al = TLS1_AD_INTERNAL_ERROR;
1002 return 0;
1003 }
1004 memcpy(s->session->tlsext_hostname, sdata, len);
1005 s->session->tlsext_hostname[len]='\0';
1006 if (strlen(s->session->tlsext_hostname) != len) {
1007 OPENSSL_free(s->session->tlsext_hostname);
1008 s->session->tlsext_hostname = NULL;
1009 *al = TLS1_AD_UNRECOGNIZED_NAME;
1010 return 0;
1011 }
1012 s->servername_done = 1;
1013
1014 }
1015 else
1016 s->servername_done = s->session->tlsext_hostname
1017 && strlen(s->session->tlsext_hostname) == len
1018 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1019
1020 break;
1021
1022 default:
1023 break;
1024 }
1025
1026 dsize -= len;
1027 }
1028 if (dsize != 0)
1029 {
1030 *al = SSL_AD_DECODE_ERROR;
1031 return 0;
1032 }
1033
1034 }
1035 #ifndef OPENSSL_NO_SRP
1036 else if (type == TLSEXT_TYPE_srp)
1037 {
1038 if (size <= 0 || ((len = data[0])) != (size -1))
1039 {
1040 *al = SSL_AD_DECODE_ERROR;
1041 return 0;
1042 }
1043 if (s->srp_ctx.login != NULL)
1044 {
1045 *al = SSL_AD_DECODE_ERROR;
1046 return 0;
1047 }
1048 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1049 return -1;
1050 memcpy(s->srp_ctx.login, &data[1], len);
1051 s->srp_ctx.login[len]='\0';
1052
1053 if (strlen(s->srp_ctx.login) != len)
1054 {
1055 *al = SSL_AD_DECODE_ERROR;
1056 return 0;
1057 }
1058 }
1059 #endif
1060
1061 #ifndef OPENSSL_NO_EC
1062 else if (type == TLSEXT_TYPE_ec_point_formats &&
1063 s->version != DTLS1_VERSION)
1064 {
1065 unsigned char *sdata = data;
1066 int ecpointformatlist_length = *(sdata++);
1067
1068 if (ecpointformatlist_length != size - 1)
1069 {
1070 *al = TLS1_AD_DECODE_ERROR;
1071 return 0;
1072 }
1073 if (!s->hit)
1074 {
1075 if(s->session->tlsext_ecpointformatlist)
1076 {
1077 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1078 s->session->tlsext_ecpointformatlist = NULL;
1079 }
1080 s->session->tlsext_ecpointformatlist_length = 0;
1081 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1082 {
1083 *al = TLS1_AD_INTERNAL_ERROR;
1084 return 0;
1085 }
1086 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1087 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1088 }
1089 #if 0
1090 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1091 sdata = s->session->tlsext_ecpointformatlist;
1092 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1093 fprintf(stderr,"%i ",*(sdata++));
1094 fprintf(stderr,"\n");
1095 #endif
1096 }
1097 else if (type == TLSEXT_TYPE_elliptic_curves &&
1098 s->version != DTLS1_VERSION)
1099 {
1100 unsigned char *sdata = data;
1101 int ellipticcurvelist_length = (*(sdata++) << 8);
1102 ellipticcurvelist_length += (*(sdata++));
1103
1104 if (ellipticcurvelist_length != size - 2 ||
1105 ellipticcurvelist_length < 1)
1106 {
1107 *al = TLS1_AD_DECODE_ERROR;
1108 return 0;
1109 }
1110 if (!s->hit)
1111 {
1112 if(s->session->tlsext_ellipticcurvelist)
1113 {
1114 *al = TLS1_AD_DECODE_ERROR;
1115 return 0;
1116 }
1117 s->session->tlsext_ellipticcurvelist_length = 0;
1118 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1119 {
1120 *al = TLS1_AD_INTERNAL_ERROR;
1121 return 0;
1122 }
1123 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1124 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1125 }
1126 #if 0
1127 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1128 sdata = s->session->tlsext_ellipticcurvelist;
1129 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1130 fprintf(stderr,"%i ",*(sdata++));
1131 fprintf(stderr,"\n");
1132 #endif
1133 }
1134 #endif /* OPENSSL_NO_EC */
1135 #ifdef TLSEXT_TYPE_opaque_prf_input
1136 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1137 s->version != DTLS1_VERSION)
1138 {
1139 unsigned char *sdata = data;
1140
1141 if (size < 2)
1142 {
1143 *al = SSL_AD_DECODE_ERROR;
1144 return 0;
1145 }
1146 n2s(sdata, s->s3->client_opaque_prf_input_len);
1147 if (s->s3->client_opaque_prf_input_len != size - 2)
1148 {
1149 *al = SSL_AD_DECODE_ERROR;
1150 return 0;
1151 }
1152
1153 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1154 OPENSSL_free(s->s3->client_opaque_prf_input);
1155 if (s->s3->client_opaque_prf_input_len == 0)
1156 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1157 else
1158 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1159 if (s->s3->client_opaque_prf_input == NULL)
1160 {
1161 *al = TLS1_AD_INTERNAL_ERROR;
1162 return 0;
1163 }
1164 }
1165 #endif
1166 else if (type == TLSEXT_TYPE_session_ticket)
1167 {
1168 if (s->tls_session_ticket_ext_cb &&
1169 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1170 {
1171 *al = TLS1_AD_INTERNAL_ERROR;
1172 return 0;
1173 }
1174 }
1175 else if (type == TLSEXT_TYPE_renegotiate)
1176 {
1177 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1178 return 0;
1179 renegotiate_seen = 1;
1180 }
1181 else if (type == TLSEXT_TYPE_signature_algorithms)
1182 {
1183 int dsize;
1184 if (sigalg_seen || size < 2)
1185 {
1186 *al = SSL_AD_DECODE_ERROR;
1187 return 0;
1188 }
1189 sigalg_seen = 1;
1190 n2s(data,dsize);
1191 size -= 2;
1192 if (dsize != size || dsize & 1)
1193 {
1194 *al = SSL_AD_DECODE_ERROR;
1195 return 0;
1196 }
1197 if (!tls1_process_sigalgs(s, data, dsize))
1198 {
1199 *al = SSL_AD_DECODE_ERROR;
1200 return 0;
1201 }
1202 }
1203 else if (type == TLSEXT_TYPE_status_request &&
1204 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1205 {
1206
1207 if (size < 5)
1208 {
1209 *al = SSL_AD_DECODE_ERROR;
1210 return 0;
1211 }
1212
1213 s->tlsext_status_type = *data++;
1214 size--;
1215 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1216 {
1217 const unsigned char *sdata;
1218 int dsize;
1219 /* Read in responder_id_list */
1220 n2s(data,dsize);
1221 size -= 2;
1222 if (dsize > size )
1223 {
1224 *al = SSL_AD_DECODE_ERROR;
1225 return 0;
1226 }
1227 while (dsize > 0)
1228 {
1229 OCSP_RESPID *id;
1230 int idsize;
1231 if (dsize < 4)
1232 {
1233 *al = SSL_AD_DECODE_ERROR;
1234 return 0;
1235 }
1236 n2s(data, idsize);
1237 dsize -= 2 + idsize;
1238 size -= 2 + idsize;
1239 if (dsize < 0)
1240 {
1241 *al = SSL_AD_DECODE_ERROR;
1242 return 0;
1243 }
1244 sdata = data;
1245 data += idsize;
1246 id = d2i_OCSP_RESPID(NULL,
1247 &sdata, idsize);
1248 if (!id)
1249 {
1250 *al = SSL_AD_DECODE_ERROR;
1251 return 0;
1252 }
1253 if (data != sdata)
1254 {
1255 OCSP_RESPID_free(id);
1256 *al = SSL_AD_DECODE_ERROR;
1257 return 0;
1258 }
1259 if (!s->tlsext_ocsp_ids
1260 && !(s->tlsext_ocsp_ids =
1261 sk_OCSP_RESPID_new_null()))
1262 {
1263 OCSP_RESPID_free(id);
1264 *al = SSL_AD_INTERNAL_ERROR;
1265 return 0;
1266 }
1267 if (!sk_OCSP_RESPID_push(
1268 s->tlsext_ocsp_ids, id))
1269 {
1270 OCSP_RESPID_free(id);
1271 *al = SSL_AD_INTERNAL_ERROR;
1272 return 0;
1273 }
1274 }
1275
1276 /* Read in request_extensions */
1277 if (size < 2)
1278 {
1279 *al = SSL_AD_DECODE_ERROR;
1280 return 0;
1281 }
1282 n2s(data,dsize);
1283 size -= 2;
1284 if (dsize != size)
1285 {
1286 *al = SSL_AD_DECODE_ERROR;
1287 return 0;
1288 }
1289 sdata = data;
1290 if (dsize > 0)
1291 {
1292 if (s->tlsext_ocsp_exts)
1293 {
1294 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1295 X509_EXTENSION_free);
1296 }
1297
1298 s->tlsext_ocsp_exts =
1299 d2i_X509_EXTENSIONS(NULL,
1300 &sdata, dsize);
1301 if (!s->tlsext_ocsp_exts
1302 || (data + dsize != sdata))
1303 {
1304 *al = SSL_AD_DECODE_ERROR;
1305 return 0;
1306 }
1307 }
1308 }
1309 /* We don't know what to do with any other type
1310 * so ignore it.
1311 */
1312 else
1313 s->tlsext_status_type = -1;
1314 }
1315 #ifndef OPENSSL_NO_HEARTBEATS
1316 else if (type == TLSEXT_TYPE_heartbeat)
1317 {
1318 switch(data[0])
1319 {
1320 case 0x01: /* Client allows us to send HB requests */
1321 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1322 break;
1323 case 0x02: /* Client doesn't accept HB requests */
1324 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1325 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1326 break;
1327 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1328 return 0;
1329 }
1330 }
1331 #endif
1332 #ifndef OPENSSL_NO_NEXTPROTONEG
1333 else if (type == TLSEXT_TYPE_next_proto_neg &&
1334 s->s3->tmp.finish_md_len == 0)
1335 {
1336 /* We shouldn't accept this extension on a
1337 * renegotiation.
1338 *
1339 * s->new_session will be set on renegotiation, but we
1340 * probably shouldn't rely that it couldn't be set on
1341 * the initial renegotation too in certain cases (when
1342 * there's some other reason to disallow resuming an
1343 * earlier session -- the current code won't be doing
1344 * anything like that, but this might change).
1345
1346 * A valid sign that there's been a previous handshake
1347 * in this connection is if s->s3->tmp.finish_md_len >
1348 * 0. (We are talking about a check that will happen
1349 * in the Hello protocol round, well before a new
1350 * Finished message could have been computed.) */
1351 s->s3->next_proto_neg_seen = 1;
1352 }
1353 #endif
1354
1355 else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled)
1356 s->s3->tlsext_channel_id_valid = 1;
1357
1358 /* session ticket processed earlier */
1359 #ifndef OPENSSL_NO_SRTP
1360 else if (type == TLSEXT_TYPE_use_srtp)
1361 {
1362 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1363 al))
1364 return 0;
1365 }
1366 #endif
1367
1368 data+=size;
1369 }
1370
1371 *p = data;
1372
1373 ri_check:
1374
1375 /* Need RI if renegotiating */
1376
1377 if (!renegotiate_seen && s->renegotiate &&
1378 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1379 {
1380 *al = SSL_AD_HANDSHAKE_FAILURE;
1381 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1382 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1383 return 0;
1384 }
1385
1386 return 1;
1387 }
1388
1389 #ifndef OPENSSL_NO_NEXTPROTONEG
1390 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1391 * elements of zero length are allowed and the set of elements must exactly fill
1392 * the length of the block. */
ssl_next_proto_validate(unsigned char * d,unsigned len)1393 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1394 {
1395 unsigned int off = 0;
1396
1397 while (off < len)
1398 {
1399 if (d[off] == 0)
1400 return 0;
1401 off += d[off];
1402 off++;
1403 }
1404
1405 return off == len;
1406 }
1407 #endif
1408
ssl_parse_serverhello_tlsext(SSL * s,unsigned char ** p,unsigned char * d,int n,int * al)1409 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1410 {
1411 unsigned short length;
1412 unsigned short type;
1413 unsigned short size;
1414 unsigned char *data = *p;
1415 int tlsext_servername = 0;
1416 int renegotiate_seen = 0;
1417
1418 #ifndef OPENSSL_NO_NEXTPROTONEG
1419 s->s3->next_proto_neg_seen = 0;
1420 #endif
1421
1422 #ifndef OPENSSL_NO_HEARTBEATS
1423 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1424 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1425 #endif
1426
1427 if (data >= (d+n-2))
1428 goto ri_check;
1429
1430 n2s(data,length);
1431 if (data+length != d+n)
1432 {
1433 *al = SSL_AD_DECODE_ERROR;
1434 return 0;
1435 }
1436
1437 while(data <= (d+n-4))
1438 {
1439 n2s(data,type);
1440 n2s(data,size);
1441
1442 if (data+size > (d+n))
1443 goto ri_check;
1444
1445 if (s->tlsext_debug_cb)
1446 s->tlsext_debug_cb(s, 1, type, data, size,
1447 s->tlsext_debug_arg);
1448
1449 if (type == TLSEXT_TYPE_server_name)
1450 {
1451 if (s->tlsext_hostname == NULL || size > 0)
1452 {
1453 *al = TLS1_AD_UNRECOGNIZED_NAME;
1454 return 0;
1455 }
1456 tlsext_servername = 1;
1457 }
1458
1459 #ifndef OPENSSL_NO_EC
1460 else if (type == TLSEXT_TYPE_ec_point_formats &&
1461 s->version != DTLS1_VERSION)
1462 {
1463 unsigned char *sdata = data;
1464 int ecpointformatlist_length = *(sdata++);
1465
1466 if (ecpointformatlist_length != size - 1 ||
1467 ecpointformatlist_length < 1)
1468 {
1469 *al = TLS1_AD_DECODE_ERROR;
1470 return 0;
1471 }
1472 s->session->tlsext_ecpointformatlist_length = 0;
1473 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1474 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1475 {
1476 *al = TLS1_AD_INTERNAL_ERROR;
1477 return 0;
1478 }
1479 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1480 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1481 #if 0
1482 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1483 sdata = s->session->tlsext_ecpointformatlist;
1484 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1485 fprintf(stderr,"%i ",*(sdata++));
1486 fprintf(stderr,"\n");
1487 #endif
1488 }
1489 #endif /* OPENSSL_NO_EC */
1490
1491 else if (type == TLSEXT_TYPE_session_ticket)
1492 {
1493 if (s->tls_session_ticket_ext_cb &&
1494 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1495 {
1496 *al = TLS1_AD_INTERNAL_ERROR;
1497 return 0;
1498 }
1499 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1500 || (size > 0))
1501 {
1502 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1503 return 0;
1504 }
1505 s->tlsext_ticket_expected = 1;
1506 }
1507 #ifdef TLSEXT_TYPE_opaque_prf_input
1508 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1509 s->version != DTLS1_VERSION)
1510 {
1511 unsigned char *sdata = data;
1512
1513 if (size < 2)
1514 {
1515 *al = SSL_AD_DECODE_ERROR;
1516 return 0;
1517 }
1518 n2s(sdata, s->s3->server_opaque_prf_input_len);
1519 if (s->s3->server_opaque_prf_input_len != size - 2)
1520 {
1521 *al = SSL_AD_DECODE_ERROR;
1522 return 0;
1523 }
1524
1525 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1526 OPENSSL_free(s->s3->server_opaque_prf_input);
1527 if (s->s3->server_opaque_prf_input_len == 0)
1528 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1529 else
1530 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1531
1532 if (s->s3->server_opaque_prf_input == NULL)
1533 {
1534 *al = TLS1_AD_INTERNAL_ERROR;
1535 return 0;
1536 }
1537 }
1538 #endif
1539 else if (type == TLSEXT_TYPE_status_request &&
1540 s->version != DTLS1_VERSION)
1541 {
1542 /* MUST be empty and only sent if we've requested
1543 * a status request message.
1544 */
1545 if ((s->tlsext_status_type == -1) || (size > 0))
1546 {
1547 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1548 return 0;
1549 }
1550 /* Set flag to expect CertificateStatus message */
1551 s->tlsext_status_expected = 1;
1552 }
1553 #ifndef OPENSSL_NO_NEXTPROTONEG
1554 else if (type == TLSEXT_TYPE_next_proto_neg &&
1555 s->s3->tmp.finish_md_len == 0)
1556 {
1557 unsigned char *selected;
1558 unsigned char selected_len;
1559
1560 /* We must have requested it. */
1561 if (s->ctx->next_proto_select_cb == NULL)
1562 {
1563 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1564 return 0;
1565 }
1566 /* The data must be valid */
1567 if (!ssl_next_proto_validate(data, size))
1568 {
1569 *al = TLS1_AD_DECODE_ERROR;
1570 return 0;
1571 }
1572 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1573 {
1574 *al = TLS1_AD_INTERNAL_ERROR;
1575 return 0;
1576 }
1577 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1578 if (!s->next_proto_negotiated)
1579 {
1580 *al = TLS1_AD_INTERNAL_ERROR;
1581 return 0;
1582 }
1583 memcpy(s->next_proto_negotiated, selected, selected_len);
1584 s->next_proto_negotiated_len = selected_len;
1585 s->s3->next_proto_neg_seen = 1;
1586 }
1587 #endif
1588 else if (type == TLSEXT_TYPE_channel_id)
1589 s->s3->tlsext_channel_id_valid = 1;
1590
1591 else if (type == TLSEXT_TYPE_renegotiate)
1592 {
1593 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1594 return 0;
1595 renegotiate_seen = 1;
1596 }
1597 #ifndef OPENSSL_NO_HEARTBEATS
1598 else if (type == TLSEXT_TYPE_heartbeat)
1599 {
1600 switch(data[0])
1601 {
1602 case 0x01: /* Server allows us to send HB requests */
1603 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1604 break;
1605 case 0x02: /* Server doesn't accept HB requests */
1606 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1607 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1608 break;
1609 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1610 return 0;
1611 }
1612 }
1613 #endif
1614 #ifndef OPENSSL_NO_SRTP
1615 else if (type == TLSEXT_TYPE_use_srtp)
1616 {
1617 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1618 al))
1619 return 0;
1620 }
1621 #endif
1622
1623 data+=size;
1624 }
1625
1626 if (data != d+n)
1627 {
1628 *al = SSL_AD_DECODE_ERROR;
1629 return 0;
1630 }
1631
1632 if (!s->hit && tlsext_servername == 1)
1633 {
1634 if (s->tlsext_hostname)
1635 {
1636 if (s->session->tlsext_hostname == NULL)
1637 {
1638 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1639 if (!s->session->tlsext_hostname)
1640 {
1641 *al = SSL_AD_UNRECOGNIZED_NAME;
1642 return 0;
1643 }
1644 }
1645 else
1646 {
1647 *al = SSL_AD_DECODE_ERROR;
1648 return 0;
1649 }
1650 }
1651 }
1652
1653 *p = data;
1654
1655 ri_check:
1656
1657 /* Determine if we need to see RI. Strictly speaking if we want to
1658 * avoid an attack we should *always* see RI even on initial server
1659 * hello because the client doesn't see any renegotiation during an
1660 * attack. However this would mean we could not connect to any server
1661 * which doesn't support RI so for the immediate future tolerate RI
1662 * absence on initial connect only.
1663 */
1664 if (!renegotiate_seen
1665 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1666 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1667 {
1668 *al = SSL_AD_HANDSHAKE_FAILURE;
1669 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1670 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1671 return 0;
1672 }
1673
1674 return 1;
1675 }
1676
1677
ssl_prepare_clienthello_tlsext(SSL * s)1678 int ssl_prepare_clienthello_tlsext(SSL *s)
1679 {
1680 #ifndef OPENSSL_NO_EC
1681 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1682 * and elliptic curves we support.
1683 */
1684 int using_ecc = 0;
1685 int i;
1686 unsigned char *j;
1687 unsigned long alg_k, alg_a;
1688 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1689
1690 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1691 {
1692 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1693
1694 alg_k = c->algorithm_mkey;
1695 alg_a = c->algorithm_auth;
1696 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1697 {
1698 using_ecc = 1;
1699 break;
1700 }
1701 }
1702 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1703 if (using_ecc)
1704 {
1705 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1706 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1707 {
1708 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1709 return -1;
1710 }
1711 s->tlsext_ecpointformatlist_length = 3;
1712 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1713 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1714 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1715
1716 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1717 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1718 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1719 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1720 {
1721 s->tlsext_ellipticcurvelist_length = 0;
1722 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1723 return -1;
1724 }
1725 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1726 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1727 {
1728 int id = tls1_ec_nid2curve_id(pref_list[i]);
1729 s2n(id,j);
1730 }
1731 }
1732 #endif /* OPENSSL_NO_EC */
1733
1734 #ifdef TLSEXT_TYPE_opaque_prf_input
1735 {
1736 int r = 1;
1737
1738 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1739 {
1740 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1741 if (!r)
1742 return -1;
1743 }
1744
1745 if (s->tlsext_opaque_prf_input != NULL)
1746 {
1747 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1748 OPENSSL_free(s->s3->client_opaque_prf_input);
1749
1750 if (s->tlsext_opaque_prf_input_len == 0)
1751 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1752 else
1753 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1754 if (s->s3->client_opaque_prf_input == NULL)
1755 {
1756 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1757 return -1;
1758 }
1759 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1760 }
1761
1762 if (r == 2)
1763 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1764 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1765 }
1766 #endif
1767
1768 return 1;
1769 }
1770
ssl_prepare_serverhello_tlsext(SSL * s)1771 int ssl_prepare_serverhello_tlsext(SSL *s)
1772 {
1773 #ifndef OPENSSL_NO_EC
1774 /* If we are server and using an ECC cipher suite, send the point formats we support
1775 * if the client sent us an ECPointsFormat extension. Note that the server is not
1776 * supposed to send an EllipticCurves extension.
1777 */
1778
1779 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1780 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1781 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1782 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1783
1784 if (using_ecc)
1785 {
1786 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1787 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1788 {
1789 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1790 return -1;
1791 }
1792 s->tlsext_ecpointformatlist_length = 3;
1793 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1794 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1795 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1796 }
1797 #endif /* OPENSSL_NO_EC */
1798
1799 return 1;
1800 }
1801
ssl_check_clienthello_tlsext_early(SSL * s)1802 int ssl_check_clienthello_tlsext_early(SSL *s)
1803 {
1804 int ret=SSL_TLSEXT_ERR_NOACK;
1805 int al = SSL_AD_UNRECOGNIZED_NAME;
1806
1807 #ifndef OPENSSL_NO_EC
1808 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1809 * ssl3_choose_cipher in s3_lib.c.
1810 */
1811 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1812 * ssl3_choose_cipher in s3_lib.c.
1813 */
1814 #endif
1815
1816 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1817 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1818 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1819 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1820
1821 #ifdef TLSEXT_TYPE_opaque_prf_input
1822 {
1823 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1824 * but we might be sending an alert in response to the client hello,
1825 * so this has to happen here in
1826 * ssl_check_clienthello_tlsext_early(). */
1827
1828 int r = 1;
1829
1830 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1831 {
1832 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1833 if (!r)
1834 {
1835 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1836 al = SSL_AD_INTERNAL_ERROR;
1837 goto err;
1838 }
1839 }
1840
1841 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1842 OPENSSL_free(s->s3->server_opaque_prf_input);
1843 s->s3->server_opaque_prf_input = NULL;
1844
1845 if (s->tlsext_opaque_prf_input != NULL)
1846 {
1847 if (s->s3->client_opaque_prf_input != NULL &&
1848 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1849 {
1850 /* can only use this extension if we have a server opaque PRF input
1851 * of the same length as the client opaque PRF input! */
1852
1853 if (s->tlsext_opaque_prf_input_len == 0)
1854 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1855 else
1856 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1857 if (s->s3->server_opaque_prf_input == NULL)
1858 {
1859 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1860 al = SSL_AD_INTERNAL_ERROR;
1861 goto err;
1862 }
1863 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1864 }
1865 }
1866
1867 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1868 {
1869 /* The callback wants to enforce use of the extension,
1870 * but we can't do that with the client opaque PRF input;
1871 * abort the handshake.
1872 */
1873 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1874 al = SSL_AD_HANDSHAKE_FAILURE;
1875 }
1876 }
1877
1878 err:
1879 #endif
1880 switch (ret)
1881 {
1882 case SSL_TLSEXT_ERR_ALERT_FATAL:
1883 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1884 return -1;
1885
1886 case SSL_TLSEXT_ERR_ALERT_WARNING:
1887 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1888 return 1;
1889
1890 case SSL_TLSEXT_ERR_NOACK:
1891 s->servername_done=0;
1892 default:
1893 return 1;
1894 }
1895 }
1896
ssl_check_clienthello_tlsext_late(SSL * s)1897 int ssl_check_clienthello_tlsext_late(SSL *s)
1898 {
1899 int ret = SSL_TLSEXT_ERR_OK;
1900 int al;
1901
1902 /* If status request then ask callback what to do.
1903 * Note: this must be called after servername callbacks in case
1904 * the certificate has changed, and must be called after the cipher
1905 * has been chosen because this may influence which certificate is sent
1906 */
1907 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1908 {
1909 int r;
1910 CERT_PKEY *certpkey;
1911 certpkey = ssl_get_server_send_pkey(s);
1912 /* If no certificate can't return certificate status */
1913 if (certpkey == NULL)
1914 {
1915 s->tlsext_status_expected = 0;
1916 return 1;
1917 }
1918 /* Set current certificate to one we will use so
1919 * SSL_get_certificate et al can pick it up.
1920 */
1921 s->cert->key = certpkey;
1922 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1923 switch (r)
1924 {
1925 /* We don't want to send a status request response */
1926 case SSL_TLSEXT_ERR_NOACK:
1927 s->tlsext_status_expected = 0;
1928 break;
1929 /* status request response should be sent */
1930 case SSL_TLSEXT_ERR_OK:
1931 if (s->tlsext_ocsp_resp)
1932 s->tlsext_status_expected = 1;
1933 else
1934 s->tlsext_status_expected = 0;
1935 break;
1936 /* something bad happened */
1937 case SSL_TLSEXT_ERR_ALERT_FATAL:
1938 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1939 al = SSL_AD_INTERNAL_ERROR;
1940 goto err;
1941 }
1942 }
1943 else
1944 s->tlsext_status_expected = 0;
1945
1946 err:
1947 switch (ret)
1948 {
1949 case SSL_TLSEXT_ERR_ALERT_FATAL:
1950 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1951 return -1;
1952
1953 case SSL_TLSEXT_ERR_ALERT_WARNING:
1954 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1955 return 1;
1956
1957 default:
1958 return 1;
1959 }
1960 }
1961
ssl_check_serverhello_tlsext(SSL * s)1962 int ssl_check_serverhello_tlsext(SSL *s)
1963 {
1964 int ret=SSL_TLSEXT_ERR_NOACK;
1965 int al = SSL_AD_UNRECOGNIZED_NAME;
1966
1967 #ifndef OPENSSL_NO_EC
1968 /* If we are client and using an elliptic curve cryptography cipher
1969 * suite, then if server returns an EC point formats lists extension
1970 * it must contain uncompressed.
1971 */
1972 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1973 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1974 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
1975 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
1976 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1977 {
1978 /* we are using an ECC cipher */
1979 size_t i;
1980 unsigned char *list;
1981 int found_uncompressed = 0;
1982 list = s->session->tlsext_ecpointformatlist;
1983 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1984 {
1985 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1986 {
1987 found_uncompressed = 1;
1988 break;
1989 }
1990 }
1991 if (!found_uncompressed)
1992 {
1993 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1994 return -1;
1995 }
1996 }
1997 ret = SSL_TLSEXT_ERR_OK;
1998 #endif /* OPENSSL_NO_EC */
1999
2000 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2001 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2002 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2003 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2004
2005 #ifdef TLSEXT_TYPE_opaque_prf_input
2006 if (s->s3->server_opaque_prf_input_len > 0)
2007 {
2008 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2009 * So first verify that we really have a value from the server too. */
2010
2011 if (s->s3->server_opaque_prf_input == NULL)
2012 {
2013 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2014 al = SSL_AD_HANDSHAKE_FAILURE;
2015 }
2016
2017 /* Anytime the server *has* sent an opaque PRF input, we need to check
2018 * that we have a client opaque PRF input of the same size. */
2019 if (s->s3->client_opaque_prf_input == NULL ||
2020 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2021 {
2022 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2023 al = SSL_AD_ILLEGAL_PARAMETER;
2024 }
2025 }
2026 #endif
2027
2028 /* If we've requested certificate status and we wont get one
2029 * tell the callback
2030 */
2031 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2032 && s->ctx && s->ctx->tlsext_status_cb)
2033 {
2034 int r;
2035 /* Set resp to NULL, resplen to -1 so callback knows
2036 * there is no response.
2037 */
2038 if (s->tlsext_ocsp_resp)
2039 {
2040 OPENSSL_free(s->tlsext_ocsp_resp);
2041 s->tlsext_ocsp_resp = NULL;
2042 }
2043 s->tlsext_ocsp_resplen = -1;
2044 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2045 if (r == 0)
2046 {
2047 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2048 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2049 }
2050 if (r < 0)
2051 {
2052 al = SSL_AD_INTERNAL_ERROR;
2053 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2054 }
2055 }
2056
2057 switch (ret)
2058 {
2059 case SSL_TLSEXT_ERR_ALERT_FATAL:
2060 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2061 return -1;
2062
2063 case SSL_TLSEXT_ERR_ALERT_WARNING:
2064 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2065 return 1;
2066
2067 case SSL_TLSEXT_ERR_NOACK:
2068 s->servername_done=0;
2069 default:
2070 return 1;
2071 }
2072 }
2073
2074 /* Since the server cache lookup is done early on in the processing of the
2075 * ClientHello, and other operations depend on the result, we need to handle
2076 * any TLS session ticket extension at the same time.
2077 *
2078 * session_id: points at the session ID in the ClientHello. This code will
2079 * read past the end of this in order to parse out the session ticket
2080 * extension, if any.
2081 * len: the length of the session ID.
2082 * limit: a pointer to the first byte after the ClientHello.
2083 * ret: (output) on return, if a ticket was decrypted, then this is set to
2084 * point to the resulting session.
2085 *
2086 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2087 * ciphersuite, in which case we have no use for session tickets and one will
2088 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2089 *
2090 * Returns:
2091 * -1: fatal error, either from parsing or decrypting the ticket.
2092 * 0: no ticket was found (or was ignored, based on settings).
2093 * 1: a zero length extension was found, indicating that the client supports
2094 * session tickets but doesn't currently have one to offer.
2095 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2096 * couldn't be decrypted because of a non-fatal error.
2097 * 3: a ticket was successfully decrypted and *ret was set.
2098 *
2099 * Side effects:
2100 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2101 * a new session ticket to the client because the client indicated support
2102 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2103 * a session ticket or we couldn't use the one it gave us, or if
2104 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2105 * Otherwise, s->tlsext_ticket_expected is set to 0.
2106 */
tls1_process_ticket(SSL * s,unsigned char * session_id,int len,const unsigned char * limit,SSL_SESSION ** ret)2107 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2108 const unsigned char *limit, SSL_SESSION **ret)
2109 {
2110 /* Point after session ID in client hello */
2111 const unsigned char *p = session_id + len;
2112 unsigned short i;
2113
2114 *ret = NULL;
2115 s->tlsext_ticket_expected = 0;
2116
2117 /* If tickets disabled behave as if no ticket present
2118 * to permit stateful resumption.
2119 */
2120 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2121 return 0;
2122 if ((s->version <= SSL3_VERSION) || !limit)
2123 return 0;
2124 if (p >= limit)
2125 return -1;
2126 /* Skip past DTLS cookie */
2127 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2128 {
2129 i = *(p++);
2130 p+= i;
2131 if (p >= limit)
2132 return -1;
2133 }
2134 /* Skip past cipher list */
2135 n2s(p, i);
2136 p+= i;
2137 if (p >= limit)
2138 return -1;
2139 /* Skip past compression algorithm list */
2140 i = *(p++);
2141 p += i;
2142 if (p > limit)
2143 return -1;
2144 /* Now at start of extensions */
2145 if ((p + 2) >= limit)
2146 return 0;
2147 n2s(p, i);
2148 while ((p + 4) <= limit)
2149 {
2150 unsigned short type, size;
2151 n2s(p, type);
2152 n2s(p, size);
2153 if (p + size > limit)
2154 return 0;
2155 if (type == TLSEXT_TYPE_session_ticket)
2156 {
2157 int r;
2158 if (size == 0)
2159 {
2160 /* The client will accept a ticket but doesn't
2161 * currently have one. */
2162 s->tlsext_ticket_expected = 1;
2163 return 1;
2164 }
2165 if (s->tls_session_secret_cb)
2166 {
2167 /* Indicate that the ticket couldn't be
2168 * decrypted rather than generating the session
2169 * from ticket now, trigger abbreviated
2170 * handshake based on external mechanism to
2171 * calculate the master secret later. */
2172 return 2;
2173 }
2174 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2175 switch (r)
2176 {
2177 case 2: /* ticket couldn't be decrypted */
2178 s->tlsext_ticket_expected = 1;
2179 return 2;
2180 case 3: /* ticket was decrypted */
2181 return r;
2182 case 4: /* ticket decrypted but need to renew */
2183 s->tlsext_ticket_expected = 1;
2184 return 3;
2185 default: /* fatal error */
2186 return -1;
2187 }
2188 }
2189 p += size;
2190 }
2191 return 0;
2192 }
2193
2194 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2195 *
2196 * etick: points to the body of the session ticket extension.
2197 * eticklen: the length of the session tickets extenion.
2198 * sess_id: points at the session ID.
2199 * sesslen: the length of the session ID.
2200 * psess: (output) on return, if a ticket was decrypted, then this is set to
2201 * point to the resulting session.
2202 *
2203 * Returns:
2204 * -1: fatal error, either from parsing or decrypting the ticket.
2205 * 2: the ticket couldn't be decrypted.
2206 * 3: a ticket was successfully decrypted and *psess was set.
2207 * 4: same as 3, but the ticket needs to be renewed.
2208 */
tls_decrypt_ticket(SSL * s,const unsigned char * etick,int eticklen,const unsigned char * sess_id,int sesslen,SSL_SESSION ** psess)2209 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2210 const unsigned char *sess_id, int sesslen,
2211 SSL_SESSION **psess)
2212 {
2213 SSL_SESSION *sess;
2214 unsigned char *sdec;
2215 const unsigned char *p;
2216 int slen, mlen, renew_ticket = 0;
2217 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2218 HMAC_CTX hctx;
2219 EVP_CIPHER_CTX ctx;
2220 SSL_CTX *tctx = s->initial_ctx;
2221 /* Need at least keyname + iv + some encrypted data */
2222 if (eticklen < 48)
2223 return 2;
2224 /* Initialize session ticket encryption and HMAC contexts */
2225 HMAC_CTX_init(&hctx);
2226 EVP_CIPHER_CTX_init(&ctx);
2227 if (tctx->tlsext_ticket_key_cb)
2228 {
2229 unsigned char *nctick = (unsigned char *)etick;
2230 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2231 &ctx, &hctx, 0);
2232 if (rv < 0)
2233 return -1;
2234 if (rv == 0)
2235 return 2;
2236 if (rv == 2)
2237 renew_ticket = 1;
2238 }
2239 else
2240 {
2241 /* Check key name matches */
2242 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2243 return 2;
2244 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2245 tlsext_tick_md(), NULL);
2246 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2247 tctx->tlsext_tick_aes_key, etick + 16);
2248 }
2249 /* Attempt to process session ticket, first conduct sanity and
2250 * integrity checks on ticket.
2251 */
2252 mlen = HMAC_size(&hctx);
2253 if (mlen < 0)
2254 {
2255 EVP_CIPHER_CTX_cleanup(&ctx);
2256 return -1;
2257 }
2258 eticklen -= mlen;
2259 /* Check HMAC of encrypted ticket */
2260 HMAC_Update(&hctx, etick, eticklen);
2261 HMAC_Final(&hctx, tick_hmac, NULL);
2262 HMAC_CTX_cleanup(&hctx);
2263 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2264 return 2;
2265 /* Attempt to decrypt session data */
2266 /* Move p after IV to start of encrypted ticket, update length */
2267 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2268 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2269 sdec = OPENSSL_malloc(eticklen);
2270 if (!sdec)
2271 {
2272 EVP_CIPHER_CTX_cleanup(&ctx);
2273 return -1;
2274 }
2275 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2276 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2277 return 2;
2278 slen += mlen;
2279 EVP_CIPHER_CTX_cleanup(&ctx);
2280 p = sdec;
2281
2282 sess = d2i_SSL_SESSION(NULL, &p, slen);
2283 OPENSSL_free(sdec);
2284 if (sess)
2285 {
2286 /* The session ID, if non-empty, is used by some clients to
2287 * detect that the ticket has been accepted. So we copy it to
2288 * the session structure. If it is empty set length to zero
2289 * as required by standard.
2290 */
2291 if (sesslen)
2292 memcpy(sess->session_id, sess_id, sesslen);
2293 sess->session_id_length = sesslen;
2294 *psess = sess;
2295 if (renew_ticket)
2296 return 4;
2297 else
2298 return 3;
2299 }
2300 ERR_clear_error();
2301 /* For session parse failure, indicate that we need to send a new
2302 * ticket. */
2303 return 2;
2304 }
2305
2306 /* Tables to translate from NIDs to TLS v1.2 ids */
2307
2308 typedef struct
2309 {
2310 int nid;
2311 int id;
2312 } tls12_lookup;
2313
2314 static tls12_lookup tls12_md[] = {
2315 #ifndef OPENSSL_NO_MD5
2316 {NID_md5, TLSEXT_hash_md5},
2317 #endif
2318 #ifndef OPENSSL_NO_SHA
2319 {NID_sha1, TLSEXT_hash_sha1},
2320 #endif
2321 #ifndef OPENSSL_NO_SHA256
2322 {NID_sha224, TLSEXT_hash_sha224},
2323 {NID_sha256, TLSEXT_hash_sha256},
2324 #endif
2325 #ifndef OPENSSL_NO_SHA512
2326 {NID_sha384, TLSEXT_hash_sha384},
2327 {NID_sha512, TLSEXT_hash_sha512}
2328 #endif
2329 };
2330
2331 static tls12_lookup tls12_sig[] = {
2332 #ifndef OPENSSL_NO_RSA
2333 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2334 #endif
2335 #ifndef OPENSSL_NO_DSA
2336 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2337 #endif
2338 #ifndef OPENSSL_NO_ECDSA
2339 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2340 #endif
2341 };
2342
tls12_find_id(int nid,tls12_lookup * table,size_t tlen)2343 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2344 {
2345 size_t i;
2346 for (i = 0; i < tlen; i++)
2347 {
2348 if (table[i].nid == nid)
2349 return table[i].id;
2350 }
2351 return -1;
2352 }
2353 #if 0
2354 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2355 {
2356 size_t i;
2357 for (i = 0; i < tlen; i++)
2358 {
2359 if (table[i].id == id)
2360 return table[i].nid;
2361 }
2362 return -1;
2363 }
2364 #endif
2365
tls12_get_sigandhash(unsigned char * p,const EVP_PKEY * pk,const EVP_MD * md)2366 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2367 {
2368 int sig_id, md_id;
2369 if (!md)
2370 return 0;
2371 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2372 sizeof(tls12_md)/sizeof(tls12_lookup));
2373 if (md_id == -1)
2374 return 0;
2375 sig_id = tls12_get_sigid(pk);
2376 if (sig_id == -1)
2377 return 0;
2378 p[0] = (unsigned char)md_id;
2379 p[1] = (unsigned char)sig_id;
2380 return 1;
2381 }
2382
tls12_get_sigid(const EVP_PKEY * pk)2383 int tls12_get_sigid(const EVP_PKEY *pk)
2384 {
2385 return tls12_find_id(pk->type, tls12_sig,
2386 sizeof(tls12_sig)/sizeof(tls12_lookup));
2387 }
2388
tls12_get_hash(unsigned char hash_alg)2389 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2390 {
2391 switch(hash_alg)
2392 {
2393 #ifndef OPENSSL_NO_MD5
2394 case TLSEXT_hash_md5:
2395 #ifdef OPENSSL_FIPS
2396 if (FIPS_mode())
2397 return NULL;
2398 #endif
2399 return EVP_md5();
2400 #endif
2401 #ifndef OPENSSL_NO_SHA
2402 case TLSEXT_hash_sha1:
2403 return EVP_sha1();
2404 #endif
2405 #ifndef OPENSSL_NO_SHA256
2406 case TLSEXT_hash_sha224:
2407 return EVP_sha224();
2408
2409 case TLSEXT_hash_sha256:
2410 return EVP_sha256();
2411 #endif
2412 #ifndef OPENSSL_NO_SHA512
2413 case TLSEXT_hash_sha384:
2414 return EVP_sha384();
2415
2416 case TLSEXT_hash_sha512:
2417 return EVP_sha512();
2418 #endif
2419 default:
2420 return NULL;
2421
2422 }
2423 }
2424
2425 /* Set preferred digest for each key type */
2426
tls1_process_sigalgs(SSL * s,const unsigned char * data,int dsize)2427 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2428 {
2429 int i, idx;
2430 const EVP_MD *md;
2431 CERT *c = s->cert;
2432 /* Extension ignored for TLS versions below 1.2 */
2433 if (TLS1_get_version(s) < TLS1_2_VERSION)
2434 return 1;
2435 /* Should never happen */
2436 if (!c)
2437 return 0;
2438
2439 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2440 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2441 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2442 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2443
2444 for (i = 0; i < dsize; i += 2)
2445 {
2446 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2447
2448 switch(sig_alg)
2449 {
2450 #ifndef OPENSSL_NO_RSA
2451 case TLSEXT_signature_rsa:
2452 idx = SSL_PKEY_RSA_SIGN;
2453 break;
2454 #endif
2455 #ifndef OPENSSL_NO_DSA
2456 case TLSEXT_signature_dsa:
2457 idx = SSL_PKEY_DSA_SIGN;
2458 break;
2459 #endif
2460 #ifndef OPENSSL_NO_ECDSA
2461 case TLSEXT_signature_ecdsa:
2462 idx = SSL_PKEY_ECC;
2463 break;
2464 #endif
2465 default:
2466 continue;
2467 }
2468
2469 if (c->pkeys[idx].digest == NULL)
2470 {
2471 md = tls12_get_hash(hash_alg);
2472 if (md)
2473 {
2474 c->pkeys[idx].digest = md;
2475 if (idx == SSL_PKEY_RSA_SIGN)
2476 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2477 }
2478 }
2479
2480 }
2481
2482
2483 /* Set any remaining keys to default values. NOTE: if alg is not
2484 * supported it stays as NULL.
2485 */
2486 #ifndef OPENSSL_NO_DSA
2487 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2488 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2489 #endif
2490 #ifndef OPENSSL_NO_RSA
2491 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2492 {
2493 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2494 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2495 }
2496 #endif
2497 #ifndef OPENSSL_NO_ECDSA
2498 if (!c->pkeys[SSL_PKEY_ECC].digest)
2499 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2500 #endif
2501 return 1;
2502 }
2503
2504 #endif
2505
2506 #ifndef OPENSSL_NO_HEARTBEATS
2507 int
tls1_process_heartbeat(SSL * s)2508 tls1_process_heartbeat(SSL *s)
2509 {
2510 unsigned char *p = &s->s3->rrec.data[0], *pl;
2511 unsigned short hbtype;
2512 unsigned int payload;
2513 unsigned int padding = 16; /* Use minimum padding */
2514
2515 /* Read type and payload length first */
2516 hbtype = *p++;
2517 n2s(p, payload);
2518 pl = p;
2519
2520 if (s->msg_callback)
2521 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2522 &s->s3->rrec.data[0], s->s3->rrec.length,
2523 s, s->msg_callback_arg);
2524
2525 if (hbtype == TLS1_HB_REQUEST)
2526 {
2527 unsigned char *buffer, *bp;
2528 int r;
2529
2530 /* Allocate memory for the response, size is 1 bytes
2531 * message type, plus 2 bytes payload length, plus
2532 * payload, plus padding
2533 */
2534 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2535 bp = buffer;
2536
2537 /* Enter response type, length and copy payload */
2538 *bp++ = TLS1_HB_RESPONSE;
2539 s2n(payload, bp);
2540 memcpy(bp, pl, payload);
2541 bp += payload;
2542 /* Random padding */
2543 RAND_pseudo_bytes(bp, padding);
2544
2545 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2546
2547 if (r >= 0 && s->msg_callback)
2548 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2549 buffer, 3 + payload + padding,
2550 s, s->msg_callback_arg);
2551
2552 OPENSSL_free(buffer);
2553
2554 if (r < 0)
2555 return r;
2556 }
2557 else if (hbtype == TLS1_HB_RESPONSE)
2558 {
2559 unsigned int seq;
2560
2561 /* We only send sequence numbers (2 bytes unsigned int),
2562 * and 16 random bytes, so we just try to read the
2563 * sequence number */
2564 n2s(pl, seq);
2565
2566 if (payload == 18 && seq == s->tlsext_hb_seq)
2567 {
2568 s->tlsext_hb_seq++;
2569 s->tlsext_hb_pending = 0;
2570 }
2571 }
2572
2573 return 0;
2574 }
2575
2576 int
tls1_heartbeat(SSL * s)2577 tls1_heartbeat(SSL *s)
2578 {
2579 unsigned char *buf, *p;
2580 int ret;
2581 unsigned int payload = 18; /* Sequence number + random bytes */
2582 unsigned int padding = 16; /* Use minimum padding */
2583
2584 /* Only send if peer supports and accepts HB requests... */
2585 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2586 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2587 {
2588 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2589 return -1;
2590 }
2591
2592 /* ...and there is none in flight yet... */
2593 if (s->tlsext_hb_pending)
2594 {
2595 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2596 return -1;
2597 }
2598
2599 /* ...and no handshake in progress. */
2600 if (SSL_in_init(s) || s->in_handshake)
2601 {
2602 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2603 return -1;
2604 }
2605
2606 /* Check if padding is too long, payload and padding
2607 * must not exceed 2^14 - 3 = 16381 bytes in total.
2608 */
2609 OPENSSL_assert(payload + padding <= 16381);
2610
2611 /* Create HeartBeat message, we just use a sequence number
2612 * as payload to distuingish different messages and add
2613 * some random stuff.
2614 * - Message Type, 1 byte
2615 * - Payload Length, 2 bytes (unsigned int)
2616 * - Payload, the sequence number (2 bytes uint)
2617 * - Payload, random bytes (16 bytes uint)
2618 * - Padding
2619 */
2620 buf = OPENSSL_malloc(1 + 2 + payload + padding);
2621 p = buf;
2622 /* Message Type */
2623 *p++ = TLS1_HB_REQUEST;
2624 /* Payload length (18 bytes here) */
2625 s2n(payload, p);
2626 /* Sequence number */
2627 s2n(s->tlsext_hb_seq, p);
2628 /* 16 random bytes */
2629 RAND_pseudo_bytes(p, 16);
2630 p += 16;
2631 /* Random padding */
2632 RAND_pseudo_bytes(p, padding);
2633
2634 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2635 if (ret >= 0)
2636 {
2637 if (s->msg_callback)
2638 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2639 buf, 3 + payload + padding,
2640 s, s->msg_callback_arg);
2641
2642 s->tlsext_hb_pending = 1;
2643 }
2644
2645 OPENSSL_free(buf);
2646
2647 return ret;
2648 }
2649 #endif
2650
2651 #if !defined(OPENSSL_NO_TLSEXT)
2652 /* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
2653 * SSL connection and writes it to |md|.
2654 */
2655 int
tls1_channel_id_hash(EVP_MD_CTX * md,SSL * s)2656 tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
2657 {
2658 EVP_MD_CTX ctx;
2659 unsigned char temp_digest[EVP_MAX_MD_SIZE];
2660 unsigned temp_digest_len;
2661 int i;
2662 static const char kClientIDMagic[] = "TLS Channel ID signature";
2663
2664 if (s->s3->handshake_buffer)
2665 if (!ssl3_digest_cached_records(s))
2666 return 0;
2667
2668 EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
2669
2670 EVP_MD_CTX_init(&ctx);
2671 for (i = 0; i < SSL_MAX_DIGEST; i++)
2672 {
2673 if (s->s3->handshake_dgst[i] == NULL)
2674 continue;
2675 EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
2676 EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
2677 EVP_DigestUpdate(md, temp_digest, temp_digest_len);
2678 }
2679 EVP_MD_CTX_cleanup(&ctx);
2680
2681 return 1;
2682 }
2683 #endif
2684