1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124 const unsigned char *sess_id, int sesslen,
125 SSL_SESSION **psess);
126 #endif
127
128 SSL3_ENC_METHOD TLSv1_enc_data={
129 tls1_enc,
130 tls1_mac,
131 tls1_setup_key_block,
132 tls1_generate_master_secret,
133 tls1_change_cipher_state,
134 tls1_final_finish_mac,
135 TLS1_FINISH_MAC_LENGTH,
136 tls1_cert_verify_mac,
137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139 tls1_alert_code,
140 tls1_export_keying_material,
141 };
142
tls1_default_timeout(void)143 long tls1_default_timeout(void)
144 {
145 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146 * is way too long for http, the cache would over fill */
147 return(60*60*2);
148 }
149
tls1_new(SSL * s)150 int tls1_new(SSL *s)
151 {
152 if (!ssl3_new(s)) return(0);
153 s->method->ssl_clear(s);
154 return(1);
155 }
156
tls1_free(SSL * s)157 void tls1_free(SSL *s)
158 {
159 #ifndef OPENSSL_NO_TLSEXT
160 if (s->tlsext_session_ticket)
161 {
162 OPENSSL_free(s->tlsext_session_ticket);
163 }
164 #endif /* OPENSSL_NO_TLSEXT */
165 ssl3_free(s);
166 }
167
tls1_clear(SSL * s)168 void tls1_clear(SSL *s)
169 {
170 ssl3_clear(s);
171 s->version = s->method->version;
172 }
173
174 #ifndef OPENSSL_NO_EC
175
176 static int nid_list[] =
177 {
178 NID_sect163k1, /* sect163k1 (1) */
179 NID_sect163r1, /* sect163r1 (2) */
180 NID_sect163r2, /* sect163r2 (3) */
181 NID_sect193r1, /* sect193r1 (4) */
182 NID_sect193r2, /* sect193r2 (5) */
183 NID_sect233k1, /* sect233k1 (6) */
184 NID_sect233r1, /* sect233r1 (7) */
185 NID_sect239k1, /* sect239k1 (8) */
186 NID_sect283k1, /* sect283k1 (9) */
187 NID_sect283r1, /* sect283r1 (10) */
188 NID_sect409k1, /* sect409k1 (11) */
189 NID_sect409r1, /* sect409r1 (12) */
190 NID_sect571k1, /* sect571k1 (13) */
191 NID_sect571r1, /* sect571r1 (14) */
192 NID_secp160k1, /* secp160k1 (15) */
193 NID_secp160r1, /* secp160r1 (16) */
194 NID_secp160r2, /* secp160r2 (17) */
195 NID_secp192k1, /* secp192k1 (18) */
196 NID_X9_62_prime192v1, /* secp192r1 (19) */
197 NID_secp224k1, /* secp224k1 (20) */
198 NID_secp224r1, /* secp224r1 (21) */
199 NID_secp256k1, /* secp256k1 (22) */
200 NID_X9_62_prime256v1, /* secp256r1 (23) */
201 NID_secp384r1, /* secp384r1 (24) */
202 NID_secp521r1 /* secp521r1 (25) */
203 };
204
205 static int pref_list[] =
206 {
207 NID_sect571r1, /* sect571r1 (14) */
208 NID_sect571k1, /* sect571k1 (13) */
209 NID_secp521r1, /* secp521r1 (25) */
210 NID_sect409k1, /* sect409k1 (11) */
211 NID_sect409r1, /* sect409r1 (12) */
212 NID_secp384r1, /* secp384r1 (24) */
213 NID_sect283k1, /* sect283k1 (9) */
214 NID_sect283r1, /* sect283r1 (10) */
215 NID_secp256k1, /* secp256k1 (22) */
216 NID_X9_62_prime256v1, /* secp256r1 (23) */
217 NID_sect239k1, /* sect239k1 (8) */
218 NID_sect233k1, /* sect233k1 (6) */
219 NID_sect233r1, /* sect233r1 (7) */
220 NID_secp224k1, /* secp224k1 (20) */
221 NID_secp224r1, /* secp224r1 (21) */
222 NID_sect193r1, /* sect193r1 (4) */
223 NID_sect193r2, /* sect193r2 (5) */
224 NID_secp192k1, /* secp192k1 (18) */
225 NID_X9_62_prime192v1, /* secp192r1 (19) */
226 NID_sect163k1, /* sect163k1 (1) */
227 NID_sect163r1, /* sect163r1 (2) */
228 NID_sect163r2, /* sect163r2 (3) */
229 NID_secp160k1, /* secp160k1 (15) */
230 NID_secp160r1, /* secp160r1 (16) */
231 NID_secp160r2, /* secp160r2 (17) */
232 };
233
tls1_ec_curve_id2nid(int curve_id)234 int tls1_ec_curve_id2nid(int curve_id)
235 {
236 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237 if ((curve_id < 1) || ((unsigned int)curve_id >
238 sizeof(nid_list)/sizeof(nid_list[0])))
239 return 0;
240 return nid_list[curve_id-1];
241 }
242
tls1_ec_nid2curve_id(int nid)243 int tls1_ec_nid2curve_id(int nid)
244 {
245 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246 switch (nid)
247 {
248 case NID_sect163k1: /* sect163k1 (1) */
249 return 1;
250 case NID_sect163r1: /* sect163r1 (2) */
251 return 2;
252 case NID_sect163r2: /* sect163r2 (3) */
253 return 3;
254 case NID_sect193r1: /* sect193r1 (4) */
255 return 4;
256 case NID_sect193r2: /* sect193r2 (5) */
257 return 5;
258 case NID_sect233k1: /* sect233k1 (6) */
259 return 6;
260 case NID_sect233r1: /* sect233r1 (7) */
261 return 7;
262 case NID_sect239k1: /* sect239k1 (8) */
263 return 8;
264 case NID_sect283k1: /* sect283k1 (9) */
265 return 9;
266 case NID_sect283r1: /* sect283r1 (10) */
267 return 10;
268 case NID_sect409k1: /* sect409k1 (11) */
269 return 11;
270 case NID_sect409r1: /* sect409r1 (12) */
271 return 12;
272 case NID_sect571k1: /* sect571k1 (13) */
273 return 13;
274 case NID_sect571r1: /* sect571r1 (14) */
275 return 14;
276 case NID_secp160k1: /* secp160k1 (15) */
277 return 15;
278 case NID_secp160r1: /* secp160r1 (16) */
279 return 16;
280 case NID_secp160r2: /* secp160r2 (17) */
281 return 17;
282 case NID_secp192k1: /* secp192k1 (18) */
283 return 18;
284 case NID_X9_62_prime192v1: /* secp192r1 (19) */
285 return 19;
286 case NID_secp224k1: /* secp224k1 (20) */
287 return 20;
288 case NID_secp224r1: /* secp224r1 (21) */
289 return 21;
290 case NID_secp256k1: /* secp256k1 (22) */
291 return 22;
292 case NID_X9_62_prime256v1: /* secp256r1 (23) */
293 return 23;
294 case NID_secp384r1: /* secp384r1 (24) */
295 return 24;
296 case NID_secp521r1: /* secp521r1 (25) */
297 return 25;
298 default:
299 return 0;
300 }
301 }
302 #endif /* OPENSSL_NO_EC */
303
304 #ifndef OPENSSL_NO_TLSEXT
305
306 /* List of supported signature algorithms and hashes. Should make this
307 * customisable at some point, for now include everything we support.
308 */
309
310 #ifdef OPENSSL_NO_RSA
311 #define tlsext_sigalg_rsa(md) /* */
312 #else
313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #endif
315
316 #ifdef OPENSSL_NO_DSA
317 #define tlsext_sigalg_dsa(md) /* */
318 #else
319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #endif
321
322 #ifdef OPENSSL_NO_ECDSA
323 #define tlsext_sigalg_ecdsa(md) /* */
324 #else
325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #endif
327
328 #define tlsext_sigalg(md) \
329 tlsext_sigalg_rsa(md) \
330 tlsext_sigalg_dsa(md) \
331 tlsext_sigalg_ecdsa(md)
332
333 static unsigned char tls12_sigalgs[] = {
334 #ifndef OPENSSL_NO_SHA512
335 tlsext_sigalg(TLSEXT_hash_sha512)
336 tlsext_sigalg(TLSEXT_hash_sha384)
337 #endif
338 #ifndef OPENSSL_NO_SHA256
339 tlsext_sigalg(TLSEXT_hash_sha256)
340 tlsext_sigalg(TLSEXT_hash_sha224)
341 #endif
342 #ifndef OPENSSL_NO_SHA
343 tlsext_sigalg(TLSEXT_hash_sha1)
344 #endif
345 #ifndef OPENSSL_NO_MD5
346 tlsext_sigalg_rsa(TLSEXT_hash_md5)
347 #endif
348 };
349
tls12_get_req_sig_algs(SSL * s,unsigned char * p)350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351 {
352 size_t slen = sizeof(tls12_sigalgs);
353 #ifdef OPENSSL_FIPS
354 /* If FIPS mode don't include MD5 which is last */
355 if (FIPS_mode())
356 slen -= 2;
357 #endif
358 if (p)
359 memcpy(p, tls12_sigalgs, slen);
360 return (int)slen;
361 }
362
ssl_add_clienthello_tlsext(SSL * s,unsigned char * p,unsigned char * limit)363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364 {
365 int extdatalen=0;
366 unsigned char *ret = p;
367
368 /* don't add extensions for SSLv3 unless doing secure renegotiation */
369 if (s->client_version == SSL3_VERSION
370 && !s->s3->send_connection_binding)
371 return p;
372
373 ret+=2;
374
375 if (ret>=limit) return NULL; /* this really never occurs, but ... */
376
377 if (s->tlsext_hostname != NULL)
378 {
379 /* Add TLS extension servername to the Client Hello message */
380 unsigned long size_str;
381 long lenmax;
382
383 /* check for enough space.
384 4 for the servername type and entension length
385 2 for servernamelist length
386 1 for the hostname type
387 2 for hostname length
388 + hostname length
389 */
390
391 if ((lenmax = limit - ret - 9) < 0
392 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
393 return NULL;
394
395 /* extension type and length */
396 s2n(TLSEXT_TYPE_server_name,ret);
397 s2n(size_str+5,ret);
398
399 /* length of servername list */
400 s2n(size_str+3,ret);
401
402 /* hostname type, length and hostname */
403 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
404 s2n(size_str,ret);
405 memcpy(ret, s->tlsext_hostname, size_str);
406 ret+=size_str;
407 }
408
409 /* Add RI if renegotiating */
410 if (s->renegotiate)
411 {
412 int el;
413
414 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
415 {
416 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
417 return NULL;
418 }
419
420 if((limit - p - 4 - el) < 0) return NULL;
421
422 s2n(TLSEXT_TYPE_renegotiate,ret);
423 s2n(el,ret);
424
425 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
426 {
427 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
428 return NULL;
429 }
430
431 ret += el;
432 }
433
434 #ifndef OPENSSL_NO_SRP
435 /* Add SRP username if there is one */
436 if (s->srp_ctx.login != NULL)
437 { /* Add TLS extension SRP username to the Client Hello message */
438
439 int login_len = strlen(s->srp_ctx.login);
440 if (login_len > 255 || login_len == 0)
441 {
442 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
443 return NULL;
444 }
445
446 /* check for enough space.
447 4 for the srp type type and entension length
448 1 for the srp user identity
449 + srp user identity length
450 */
451 if ((limit - ret - 5 - login_len) < 0) return NULL;
452
453 /* fill in the extension */
454 s2n(TLSEXT_TYPE_srp,ret);
455 s2n(login_len+1,ret);
456 (*ret++) = (unsigned char) login_len;
457 memcpy(ret, s->srp_ctx.login, login_len);
458 ret+=login_len;
459 }
460 #endif
461
462 #ifndef OPENSSL_NO_EC
463 if (s->tlsext_ecpointformatlist != NULL &&
464 s->version != DTLS1_VERSION)
465 {
466 /* Add TLS extension ECPointFormats to the ClientHello message */
467 long lenmax;
468
469 if ((lenmax = limit - ret - 5) < 0) return NULL;
470 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471 if (s->tlsext_ecpointformatlist_length > 255)
472 {
473 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
474 return NULL;
475 }
476
477 s2n(TLSEXT_TYPE_ec_point_formats,ret);
478 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481 ret+=s->tlsext_ecpointformatlist_length;
482 }
483 if (s->tlsext_ellipticcurvelist != NULL &&
484 s->version != DTLS1_VERSION)
485 {
486 /* Add TLS extension EllipticCurves to the ClientHello message */
487 long lenmax;
488
489 if ((lenmax = limit - ret - 6) < 0) return NULL;
490 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
491 if (s->tlsext_ellipticcurvelist_length > 65532)
492 {
493 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
494 return NULL;
495 }
496
497 s2n(TLSEXT_TYPE_elliptic_curves,ret);
498 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
499
500 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
501 * elliptic_curve_list, but the examples use two bytes.
502 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
503 * resolves this to two bytes.
504 */
505 s2n(s->tlsext_ellipticcurvelist_length, ret);
506 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
507 ret+=s->tlsext_ellipticcurvelist_length;
508 }
509 #endif /* OPENSSL_NO_EC */
510
511 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
512 {
513 int ticklen;
514 if (!s->new_session && s->session && s->session->tlsext_tick)
515 ticklen = s->session->tlsext_ticklen;
516 else if (s->session && s->tlsext_session_ticket &&
517 s->tlsext_session_ticket->data)
518 {
519 ticklen = s->tlsext_session_ticket->length;
520 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
521 if (!s->session->tlsext_tick)
522 return NULL;
523 memcpy(s->session->tlsext_tick,
524 s->tlsext_session_ticket->data,
525 ticklen);
526 s->session->tlsext_ticklen = ticklen;
527 }
528 else
529 ticklen = 0;
530 if (ticklen == 0 && s->tlsext_session_ticket &&
531 s->tlsext_session_ticket->data == NULL)
532 goto skip_ext;
533 /* Check for enough room 2 for extension type, 2 for len
534 * rest for ticket
535 */
536 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
537 s2n(TLSEXT_TYPE_session_ticket,ret);
538 s2n(ticklen,ret);
539 if (ticklen)
540 {
541 memcpy(ret, s->session->tlsext_tick, ticklen);
542 ret += ticklen;
543 }
544 }
545 skip_ext:
546
547 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
548 {
549 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
550 return NULL;
551 s2n(TLSEXT_TYPE_signature_algorithms,ret);
552 s2n(sizeof(tls12_sigalgs) + 2, ret);
553 s2n(sizeof(tls12_sigalgs), ret);
554 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
555 ret += sizeof(tls12_sigalgs);
556 }
557
558 #ifdef TLSEXT_TYPE_opaque_prf_input
559 if (s->s3->client_opaque_prf_input != NULL &&
560 s->version != DTLS1_VERSION)
561 {
562 size_t col = s->s3->client_opaque_prf_input_len;
563
564 if ((long)(limit - ret - 6 - col < 0))
565 return NULL;
566 if (col > 0xFFFD) /* can't happen */
567 return NULL;
568
569 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
570 s2n(col + 2, ret);
571 s2n(col, ret);
572 memcpy(ret, s->s3->client_opaque_prf_input, col);
573 ret += col;
574 }
575 #endif
576
577 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
578 s->version != DTLS1_VERSION)
579 {
580 int i;
581 long extlen, idlen, itmp;
582 OCSP_RESPID *id;
583
584 idlen = 0;
585 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
586 {
587 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
588 itmp = i2d_OCSP_RESPID(id, NULL);
589 if (itmp <= 0)
590 return NULL;
591 idlen += itmp + 2;
592 }
593
594 if (s->tlsext_ocsp_exts)
595 {
596 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
597 if (extlen < 0)
598 return NULL;
599 }
600 else
601 extlen = 0;
602
603 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
604 s2n(TLSEXT_TYPE_status_request, ret);
605 if (extlen + idlen > 0xFFF0)
606 return NULL;
607 s2n(extlen + idlen + 5, ret);
608 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
609 s2n(idlen, ret);
610 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
611 {
612 /* save position of id len */
613 unsigned char *q = ret;
614 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
615 /* skip over id len */
616 ret += 2;
617 itmp = i2d_OCSP_RESPID(id, &ret);
618 /* write id len */
619 s2n(itmp, q);
620 }
621 s2n(extlen, ret);
622 if (extlen > 0)
623 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
624 }
625
626 #ifndef OPENSSL_NO_HEARTBEATS
627 /* Add Heartbeat extension */
628 s2n(TLSEXT_TYPE_heartbeat,ret);
629 s2n(1,ret);
630 /* Set mode:
631 * 1: peer may send requests
632 * 2: peer not allowed to send requests
633 */
634 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636 else
637 *(ret++) = SSL_TLSEXT_HB_ENABLED;
638 #endif
639
640 #ifndef OPENSSL_NO_NEXTPROTONEG
641 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642 {
643 /* The client advertises an emtpy extension to indicate its
644 * support for Next Protocol Negotiation */
645 if (limit - ret - 4 < 0)
646 return NULL;
647 s2n(TLSEXT_TYPE_next_proto_neg,ret);
648 s2n(0,ret);
649 }
650 #endif
651
652 if (s->tlsext_channel_id_enabled)
653 {
654 /* The client advertises an emtpy extension to indicate its
655 * support for Channel ID. */
656 if (limit - ret - 4 < 0)
657 return NULL;
658 s2n(TLSEXT_TYPE_channel_id,ret);
659 s2n(0,ret);
660 }
661
662 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
663 {
664 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
665 return NULL;
666 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
667 s2n(2 + s->alpn_client_proto_list_len,ret);
668 s2n(s->alpn_client_proto_list_len,ret);
669 memcpy(ret, s->alpn_client_proto_list,
670 s->alpn_client_proto_list_len);
671 ret += s->alpn_client_proto_list_len;
672 }
673
674 #ifndef OPENSSL_NO_SRTP
675 if(SSL_get_srtp_profiles(s))
676 {
677 int el;
678
679 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
680
681 if((limit - p - 4 - el) < 0) return NULL;
682
683 s2n(TLSEXT_TYPE_use_srtp,ret);
684 s2n(el,ret);
685
686 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
687 {
688 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
689 return NULL;
690 }
691 ret += el;
692 }
693 #endif
694
695 if ((extdatalen = ret-p-2)== 0)
696 return p;
697
698 s2n(extdatalen,p);
699 return ret;
700 }
701
ssl_add_serverhello_tlsext(SSL * s,unsigned char * p,unsigned char * limit)702 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
703 {
704 int extdatalen=0;
705 unsigned char *ret = p;
706 #ifndef OPENSSL_NO_NEXTPROTONEG
707 int next_proto_neg_seen;
708 #endif
709
710 /* don't add extensions for SSLv3, unless doing secure renegotiation */
711 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
712 return p;
713
714 ret+=2;
715 if (ret>=limit) return NULL; /* this really never occurs, but ... */
716
717 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
718 {
719 if ((long)(limit - ret - 4) < 0) return NULL;
720
721 s2n(TLSEXT_TYPE_server_name,ret);
722 s2n(0,ret);
723 }
724
725 if(s->s3->send_connection_binding)
726 {
727 int el;
728
729 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
730 {
731 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
732 return NULL;
733 }
734
735 if((limit - p - 4 - el) < 0) return NULL;
736
737 s2n(TLSEXT_TYPE_renegotiate,ret);
738 s2n(el,ret);
739
740 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
741 {
742 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
743 return NULL;
744 }
745
746 ret += el;
747 }
748
749 #ifndef OPENSSL_NO_EC
750 if (s->tlsext_ecpointformatlist != NULL &&
751 s->version != DTLS1_VERSION)
752 {
753 /* Add TLS extension ECPointFormats to the ServerHello message */
754 long lenmax;
755
756 if ((lenmax = limit - ret - 5) < 0) return NULL;
757 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
758 if (s->tlsext_ecpointformatlist_length > 255)
759 {
760 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
761 return NULL;
762 }
763
764 s2n(TLSEXT_TYPE_ec_point_formats,ret);
765 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
766 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
767 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
768 ret+=s->tlsext_ecpointformatlist_length;
769
770 }
771 /* Currently the server should not respond with a SupportedCurves extension */
772 #endif /* OPENSSL_NO_EC */
773
774 if (s->tlsext_ticket_expected
775 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
776 {
777 if ((long)(limit - ret - 4) < 0) return NULL;
778 s2n(TLSEXT_TYPE_session_ticket,ret);
779 s2n(0,ret);
780 }
781
782 if (s->tlsext_status_expected)
783 {
784 if ((long)(limit - ret - 4) < 0) return NULL;
785 s2n(TLSEXT_TYPE_status_request,ret);
786 s2n(0,ret);
787 }
788
789 #ifdef TLSEXT_TYPE_opaque_prf_input
790 if (s->s3->server_opaque_prf_input != NULL &&
791 s->version != DTLS1_VERSION)
792 {
793 size_t sol = s->s3->server_opaque_prf_input_len;
794
795 if ((long)(limit - ret - 6 - sol) < 0)
796 return NULL;
797 if (sol > 0xFFFD) /* can't happen */
798 return NULL;
799
800 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
801 s2n(sol + 2, ret);
802 s2n(sol, ret);
803 memcpy(ret, s->s3->server_opaque_prf_input, sol);
804 ret += sol;
805 }
806 #endif
807
808 #ifndef OPENSSL_NO_SRTP
809 if(s->srtp_profile)
810 {
811 int el;
812
813 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
814
815 if((limit - p - 4 - el) < 0) return NULL;
816
817 s2n(TLSEXT_TYPE_use_srtp,ret);
818 s2n(el,ret);
819
820 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
821 {
822 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
823 return NULL;
824 }
825 ret+=el;
826 }
827 #endif
828
829 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
830 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
831 { const unsigned char cryptopro_ext[36] = {
832 0xfd, 0xe8, /*65000*/
833 0x00, 0x20, /*32 bytes length*/
834 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
835 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
836 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
837 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
838 if (limit-ret<36) return NULL;
839 memcpy(ret,cryptopro_ext,36);
840 ret+=36;
841
842 }
843
844 #ifndef OPENSSL_NO_HEARTBEATS
845 /* Add Heartbeat extension if we've received one */
846 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
847 {
848 s2n(TLSEXT_TYPE_heartbeat,ret);
849 s2n(1,ret);
850 /* Set mode:
851 * 1: peer may send requests
852 * 2: peer not allowed to send requests
853 */
854 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
855 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
856 else
857 *(ret++) = SSL_TLSEXT_HB_ENABLED;
858
859 }
860 #endif
861
862 #ifndef OPENSSL_NO_NEXTPROTONEG
863 next_proto_neg_seen = s->s3->next_proto_neg_seen;
864 s->s3->next_proto_neg_seen = 0;
865 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
866 {
867 const unsigned char *npa;
868 unsigned int npalen;
869 int r;
870
871 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
872 if (r == SSL_TLSEXT_ERR_OK)
873 {
874 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
875 s2n(TLSEXT_TYPE_next_proto_neg,ret);
876 s2n(npalen,ret);
877 memcpy(ret, npa, npalen);
878 ret += npalen;
879 s->s3->next_proto_neg_seen = 1;
880 }
881 }
882 #endif
883
884 /* If the client advertised support for Channel ID, and we have it
885 * enabled, then we want to echo it back. */
886 if (s->s3->tlsext_channel_id_valid)
887 {
888 if (limit - ret - 4 < 0)
889 return NULL;
890 s2n(TLSEXT_TYPE_channel_id,ret);
891 s2n(0,ret);
892 }
893
894 if (s->s3->alpn_selected)
895 {
896 const unsigned char *selected = s->s3->alpn_selected;
897 unsigned len = s->s3->alpn_selected_len;
898
899 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
900 return NULL;
901 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
902 s2n(3 + len,ret);
903 s2n(1 + len,ret);
904 *ret++ = len;
905 memcpy(ret, selected, len);
906 ret += len;
907 }
908
909 if ((extdatalen = ret-p-2)== 0)
910 return p;
911
912 s2n(extdatalen,p);
913 return ret;
914 }
915
916 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
917 * ClientHello.
918 * data: the contents of the extension, not including the type and length.
919 * data_len: the number of bytes in |data|
920 * al: a pointer to the alert value to send in the event of a non-zero
921 * return.
922 *
923 * returns: 0 on success. */
tls1_alpn_handle_client_hello(SSL * s,const unsigned char * data,unsigned data_len,int * al)924 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
925 unsigned data_len, int *al)
926 {
927 unsigned i;
928 unsigned proto_len;
929 const unsigned char *selected;
930 unsigned char selected_len;
931 int r;
932
933 if (s->ctx->alpn_select_cb == NULL)
934 return 0;
935
936 if (data_len < 2)
937 goto parse_error;
938
939 /* data should contain a uint16 length followed by a series of 8-bit,
940 * length-prefixed strings. */
941 i = ((unsigned) data[0]) << 8 |
942 ((unsigned) data[1]);
943 data_len -= 2;
944 data += 2;
945 if (data_len != i)
946 goto parse_error;
947
948 if (data_len < 2)
949 goto parse_error;
950
951 for (i = 0; i < data_len;)
952 {
953 proto_len = data[i];
954 i++;
955
956 if (proto_len == 0)
957 goto parse_error;
958
959 if (i + proto_len < i || i + proto_len > data_len)
960 goto parse_error;
961
962 i += proto_len;
963 }
964
965 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
966 s->ctx->alpn_select_cb_arg);
967 if (r == SSL_TLSEXT_ERR_OK) {
968 if (s->s3->alpn_selected)
969 OPENSSL_free(s->s3->alpn_selected);
970 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
971 if (!s->s3->alpn_selected)
972 {
973 *al = SSL_AD_INTERNAL_ERROR;
974 return -1;
975 }
976 memcpy(s->s3->alpn_selected, selected, selected_len);
977 s->s3->alpn_selected_len = selected_len;
978 }
979 return 0;
980
981 parse_error:
982 *al = SSL_AD_DECODE_ERROR;
983 return -1;
984 }
985
ssl_parse_clienthello_tlsext(SSL * s,unsigned char ** p,unsigned char * d,int n,int * al)986 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
987 {
988 unsigned short type;
989 unsigned short size;
990 unsigned short len;
991 unsigned char *data = *p;
992 int renegotiate_seen = 0;
993 int sigalg_seen = 0;
994
995 s->servername_done = 0;
996 s->tlsext_status_type = -1;
997
998 /* Reset TLS 1.2 digest functions to defaults because they don't carry
999 * over to a renegotiation. */
1000 s->s3->digest_rsa = NULL;
1001 s->s3->digest_dsa = NULL;
1002 s->s3->digest_ecdsa = NULL;
1003
1004 #ifndef OPENSSL_NO_NEXTPROTONEG
1005 s->s3->next_proto_neg_seen = 0;
1006 #endif
1007
1008 if (s->s3->alpn_selected)
1009 {
1010 OPENSSL_free(s->s3->alpn_selected);
1011 s->s3->alpn_selected = NULL;
1012 }
1013
1014 #ifndef OPENSSL_NO_HEARTBEATS
1015 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1016 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1017 #endif
1018
1019 if (data >= (d+n-2))
1020 goto ri_check;
1021 n2s(data,len);
1022
1023 if (data > (d+n-len))
1024 goto ri_check;
1025
1026 while (data <= (d+n-4))
1027 {
1028 n2s(data,type);
1029 n2s(data,size);
1030
1031 if (data+size > (d+n))
1032 goto ri_check;
1033 #if 0
1034 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1035 #endif
1036 if (s->tlsext_debug_cb)
1037 s->tlsext_debug_cb(s, 0, type, data, size,
1038 s->tlsext_debug_arg);
1039 /* The servername extension is treated as follows:
1040
1041 - Only the hostname type is supported with a maximum length of 255.
1042 - The servername is rejected if too long or if it contains zeros,
1043 in which case an fatal alert is generated.
1044 - The servername field is maintained together with the session cache.
1045 - When a session is resumed, the servername call back invoked in order
1046 to allow the application to position itself to the right context.
1047 - The servername is acknowledged if it is new for a session or when
1048 it is identical to a previously used for the same session.
1049 Applications can control the behaviour. They can at any time
1050 set a 'desirable' servername for a new SSL object. This can be the
1051 case for example with HTTPS when a Host: header field is received and
1052 a renegotiation is requested. In this case, a possible servername
1053 presented in the new client hello is only acknowledged if it matches
1054 the value of the Host: field.
1055 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1056 if they provide for changing an explicit servername context for the session,
1057 i.e. when the session has been established with a servername extension.
1058 - On session reconnect, the servername extension may be absent.
1059
1060 */
1061
1062 if (type == TLSEXT_TYPE_server_name)
1063 {
1064 unsigned char *sdata;
1065 int servname_type;
1066 int dsize;
1067
1068 if (size < 2)
1069 {
1070 *al = SSL_AD_DECODE_ERROR;
1071 return 0;
1072 }
1073 n2s(data,dsize);
1074 size -= 2;
1075 if (dsize > size )
1076 {
1077 *al = SSL_AD_DECODE_ERROR;
1078 return 0;
1079 }
1080
1081 sdata = data;
1082 while (dsize > 3)
1083 {
1084 servname_type = *(sdata++);
1085 n2s(sdata,len);
1086 dsize -= 3;
1087
1088 if (len > dsize)
1089 {
1090 *al = SSL_AD_DECODE_ERROR;
1091 return 0;
1092 }
1093 if (s->servername_done == 0)
1094 switch (servname_type)
1095 {
1096 case TLSEXT_NAMETYPE_host_name:
1097 if (!s->hit)
1098 {
1099 if(s->session->tlsext_hostname)
1100 {
1101 *al = SSL_AD_DECODE_ERROR;
1102 return 0;
1103 }
1104 if (len > TLSEXT_MAXLEN_host_name)
1105 {
1106 *al = TLS1_AD_UNRECOGNIZED_NAME;
1107 return 0;
1108 }
1109 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1110 {
1111 *al = TLS1_AD_INTERNAL_ERROR;
1112 return 0;
1113 }
1114 memcpy(s->session->tlsext_hostname, sdata, len);
1115 s->session->tlsext_hostname[len]='\0';
1116 if (strlen(s->session->tlsext_hostname) != len) {
1117 OPENSSL_free(s->session->tlsext_hostname);
1118 s->session->tlsext_hostname = NULL;
1119 *al = TLS1_AD_UNRECOGNIZED_NAME;
1120 return 0;
1121 }
1122 s->servername_done = 1;
1123
1124 }
1125 else
1126 s->servername_done = s->session->tlsext_hostname
1127 && strlen(s->session->tlsext_hostname) == len
1128 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1129
1130 break;
1131
1132 default:
1133 break;
1134 }
1135
1136 dsize -= len;
1137 }
1138 if (dsize != 0)
1139 {
1140 *al = SSL_AD_DECODE_ERROR;
1141 return 0;
1142 }
1143
1144 }
1145 #ifndef OPENSSL_NO_SRP
1146 else if (type == TLSEXT_TYPE_srp)
1147 {
1148 if (size <= 0 || ((len = data[0])) != (size -1))
1149 {
1150 *al = SSL_AD_DECODE_ERROR;
1151 return 0;
1152 }
1153 if (s->srp_ctx.login != NULL)
1154 {
1155 *al = SSL_AD_DECODE_ERROR;
1156 return 0;
1157 }
1158 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1159 return -1;
1160 memcpy(s->srp_ctx.login, &data[1], len);
1161 s->srp_ctx.login[len]='\0';
1162
1163 if (strlen(s->srp_ctx.login) != len)
1164 {
1165 *al = SSL_AD_DECODE_ERROR;
1166 return 0;
1167 }
1168 }
1169 #endif
1170
1171 #ifndef OPENSSL_NO_EC
1172 else if (type == TLSEXT_TYPE_ec_point_formats &&
1173 s->version != DTLS1_VERSION)
1174 {
1175 unsigned char *sdata = data;
1176 int ecpointformatlist_length = *(sdata++);
1177
1178 if (ecpointformatlist_length != size - 1)
1179 {
1180 *al = TLS1_AD_DECODE_ERROR;
1181 return 0;
1182 }
1183 if (!s->hit)
1184 {
1185 if(s->session->tlsext_ecpointformatlist)
1186 {
1187 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1188 s->session->tlsext_ecpointformatlist = NULL;
1189 }
1190 s->session->tlsext_ecpointformatlist_length = 0;
1191 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1192 {
1193 *al = TLS1_AD_INTERNAL_ERROR;
1194 return 0;
1195 }
1196 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1197 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1198 }
1199 #if 0
1200 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1201 sdata = s->session->tlsext_ecpointformatlist;
1202 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1203 fprintf(stderr,"%i ",*(sdata++));
1204 fprintf(stderr,"\n");
1205 #endif
1206 }
1207 else if (type == TLSEXT_TYPE_elliptic_curves &&
1208 s->version != DTLS1_VERSION)
1209 {
1210 unsigned char *sdata = data;
1211 int ellipticcurvelist_length = (*(sdata++) << 8);
1212 ellipticcurvelist_length += (*(sdata++));
1213
1214 if (ellipticcurvelist_length != size - 2 ||
1215 ellipticcurvelist_length < 1)
1216 {
1217 *al = TLS1_AD_DECODE_ERROR;
1218 return 0;
1219 }
1220 if (!s->hit)
1221 {
1222 if(s->session->tlsext_ellipticcurvelist)
1223 {
1224 *al = TLS1_AD_DECODE_ERROR;
1225 return 0;
1226 }
1227 s->session->tlsext_ellipticcurvelist_length = 0;
1228 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1229 {
1230 *al = TLS1_AD_INTERNAL_ERROR;
1231 return 0;
1232 }
1233 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1234 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1235 }
1236 #if 0
1237 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1238 sdata = s->session->tlsext_ellipticcurvelist;
1239 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1240 fprintf(stderr,"%i ",*(sdata++));
1241 fprintf(stderr,"\n");
1242 #endif
1243 }
1244 #endif /* OPENSSL_NO_EC */
1245 #ifdef TLSEXT_TYPE_opaque_prf_input
1246 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1247 s->version != DTLS1_VERSION)
1248 {
1249 unsigned char *sdata = data;
1250
1251 if (size < 2)
1252 {
1253 *al = SSL_AD_DECODE_ERROR;
1254 return 0;
1255 }
1256 n2s(sdata, s->s3->client_opaque_prf_input_len);
1257 if (s->s3->client_opaque_prf_input_len != size - 2)
1258 {
1259 *al = SSL_AD_DECODE_ERROR;
1260 return 0;
1261 }
1262
1263 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1264 OPENSSL_free(s->s3->client_opaque_prf_input);
1265 if (s->s3->client_opaque_prf_input_len == 0)
1266 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1267 else
1268 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1269 if (s->s3->client_opaque_prf_input == NULL)
1270 {
1271 *al = TLS1_AD_INTERNAL_ERROR;
1272 return 0;
1273 }
1274 }
1275 #endif
1276 else if (type == TLSEXT_TYPE_session_ticket)
1277 {
1278 if (s->tls_session_ticket_ext_cb &&
1279 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1280 {
1281 *al = TLS1_AD_INTERNAL_ERROR;
1282 return 0;
1283 }
1284 }
1285 else if (type == TLSEXT_TYPE_renegotiate)
1286 {
1287 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1288 return 0;
1289 renegotiate_seen = 1;
1290 }
1291 else if (type == TLSEXT_TYPE_signature_algorithms)
1292 {
1293 int dsize;
1294 if (sigalg_seen || size < 2)
1295 {
1296 *al = SSL_AD_DECODE_ERROR;
1297 return 0;
1298 }
1299 sigalg_seen = 1;
1300 n2s(data,dsize);
1301 size -= 2;
1302 if (dsize != size || dsize & 1)
1303 {
1304 *al = SSL_AD_DECODE_ERROR;
1305 return 0;
1306 }
1307 tls1_process_sigalgs(s, data, dsize);
1308 }
1309 else if (type == TLSEXT_TYPE_status_request &&
1310 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1311 {
1312
1313 if (size < 5)
1314 {
1315 *al = SSL_AD_DECODE_ERROR;
1316 return 0;
1317 }
1318
1319 s->tlsext_status_type = *data++;
1320 size--;
1321 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1322 {
1323 const unsigned char *sdata;
1324 int dsize;
1325 /* Read in responder_id_list */
1326 n2s(data,dsize);
1327 size -= 2;
1328 if (dsize > size )
1329 {
1330 *al = SSL_AD_DECODE_ERROR;
1331 return 0;
1332 }
1333 while (dsize > 0)
1334 {
1335 OCSP_RESPID *id;
1336 int idsize;
1337 if (dsize < 4)
1338 {
1339 *al = SSL_AD_DECODE_ERROR;
1340 return 0;
1341 }
1342 n2s(data, idsize);
1343 dsize -= 2 + idsize;
1344 size -= 2 + idsize;
1345 if (dsize < 0)
1346 {
1347 *al = SSL_AD_DECODE_ERROR;
1348 return 0;
1349 }
1350 sdata = data;
1351 data += idsize;
1352 id = d2i_OCSP_RESPID(NULL,
1353 &sdata, idsize);
1354 if (!id)
1355 {
1356 *al = SSL_AD_DECODE_ERROR;
1357 return 0;
1358 }
1359 if (data != sdata)
1360 {
1361 OCSP_RESPID_free(id);
1362 *al = SSL_AD_DECODE_ERROR;
1363 return 0;
1364 }
1365 if (!s->tlsext_ocsp_ids
1366 && !(s->tlsext_ocsp_ids =
1367 sk_OCSP_RESPID_new_null()))
1368 {
1369 OCSP_RESPID_free(id);
1370 *al = SSL_AD_INTERNAL_ERROR;
1371 return 0;
1372 }
1373 if (!sk_OCSP_RESPID_push(
1374 s->tlsext_ocsp_ids, id))
1375 {
1376 OCSP_RESPID_free(id);
1377 *al = SSL_AD_INTERNAL_ERROR;
1378 return 0;
1379 }
1380 }
1381
1382 /* Read in request_extensions */
1383 if (size < 2)
1384 {
1385 *al = SSL_AD_DECODE_ERROR;
1386 return 0;
1387 }
1388 n2s(data,dsize);
1389 size -= 2;
1390 if (dsize != size)
1391 {
1392 *al = SSL_AD_DECODE_ERROR;
1393 return 0;
1394 }
1395 sdata = data;
1396 if (dsize > 0)
1397 {
1398 if (s->tlsext_ocsp_exts)
1399 {
1400 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1401 X509_EXTENSION_free);
1402 }
1403
1404 s->tlsext_ocsp_exts =
1405 d2i_X509_EXTENSIONS(NULL,
1406 &sdata, dsize);
1407 if (!s->tlsext_ocsp_exts
1408 || (data + dsize != sdata))
1409 {
1410 *al = SSL_AD_DECODE_ERROR;
1411 return 0;
1412 }
1413 }
1414 }
1415 /* We don't know what to do with any other type
1416 * so ignore it.
1417 */
1418 else
1419 s->tlsext_status_type = -1;
1420 }
1421 #ifndef OPENSSL_NO_HEARTBEATS
1422 else if (type == TLSEXT_TYPE_heartbeat)
1423 {
1424 switch(data[0])
1425 {
1426 case 0x01: /* Client allows us to send HB requests */
1427 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1428 break;
1429 case 0x02: /* Client doesn't accept HB requests */
1430 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1431 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1432 break;
1433 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1434 return 0;
1435 }
1436 }
1437 #endif
1438 #ifndef OPENSSL_NO_NEXTPROTONEG
1439 else if (type == TLSEXT_TYPE_next_proto_neg &&
1440 s->s3->tmp.finish_md_len == 0 &&
1441 s->s3->alpn_selected == NULL)
1442 {
1443 /* We shouldn't accept this extension on a
1444 * renegotiation.
1445 *
1446 * s->new_session will be set on renegotiation, but we
1447 * probably shouldn't rely that it couldn't be set on
1448 * the initial renegotation too in certain cases (when
1449 * there's some other reason to disallow resuming an
1450 * earlier session -- the current code won't be doing
1451 * anything like that, but this might change).
1452
1453 * A valid sign that there's been a previous handshake
1454 * in this connection is if s->s3->tmp.finish_md_len >
1455 * 0. (We are talking about a check that will happen
1456 * in the Hello protocol round, well before a new
1457 * Finished message could have been computed.) */
1458 s->s3->next_proto_neg_seen = 1;
1459 }
1460 #endif
1461
1462 else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled)
1463 s->s3->tlsext_channel_id_valid = 1;
1464
1465 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
1466 s->ctx->alpn_select_cb &&
1467 s->s3->tmp.finish_md_len == 0)
1468 {
1469 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
1470 return 0;
1471 /* ALPN takes precedence over NPN. */
1472 s->s3->next_proto_neg_seen = 0;
1473 }
1474
1475 /* session ticket processed earlier */
1476 #ifndef OPENSSL_NO_SRTP
1477 else if (type == TLSEXT_TYPE_use_srtp)
1478 {
1479 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1480 al))
1481 return 0;
1482 }
1483 #endif
1484
1485 data+=size;
1486 }
1487
1488 *p = data;
1489
1490 ri_check:
1491
1492 /* Need RI if renegotiating */
1493
1494 if (!renegotiate_seen && s->renegotiate &&
1495 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1496 {
1497 *al = SSL_AD_HANDSHAKE_FAILURE;
1498 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1499 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1500 return 0;
1501 }
1502
1503 return 1;
1504 }
1505
1506 #ifndef OPENSSL_NO_NEXTPROTONEG
1507 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1508 * elements of zero length are allowed and the set of elements must exactly fill
1509 * the length of the block. */
ssl_next_proto_validate(unsigned char * d,unsigned len)1510 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1511 {
1512 unsigned int off = 0;
1513
1514 while (off < len)
1515 {
1516 if (d[off] == 0)
1517 return 0;
1518 off += d[off];
1519 off++;
1520 }
1521
1522 return off == len;
1523 }
1524 #endif
1525
ssl_parse_serverhello_tlsext(SSL * s,unsigned char ** p,unsigned char * d,int n,int * al)1526 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1527 {
1528 unsigned short length;
1529 unsigned short type;
1530 unsigned short size;
1531 unsigned char *data = *p;
1532 int tlsext_servername = 0;
1533 int renegotiate_seen = 0;
1534
1535 #ifndef OPENSSL_NO_NEXTPROTONEG
1536 s->s3->next_proto_neg_seen = 0;
1537 #endif
1538
1539 if (s->s3->alpn_selected)
1540 {
1541 OPENSSL_free(s->s3->alpn_selected);
1542 s->s3->alpn_selected = NULL;
1543 }
1544
1545 #ifndef OPENSSL_NO_HEARTBEATS
1546 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1547 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1548 #endif
1549
1550 if (data >= (d+n-2))
1551 goto ri_check;
1552
1553 n2s(data,length);
1554 if (data+length != d+n)
1555 {
1556 *al = SSL_AD_DECODE_ERROR;
1557 return 0;
1558 }
1559
1560 while(data <= (d+n-4))
1561 {
1562 n2s(data,type);
1563 n2s(data,size);
1564
1565 if (data+size > (d+n))
1566 goto ri_check;
1567
1568 if (s->tlsext_debug_cb)
1569 s->tlsext_debug_cb(s, 1, type, data, size,
1570 s->tlsext_debug_arg);
1571
1572 if (type == TLSEXT_TYPE_server_name)
1573 {
1574 if (s->tlsext_hostname == NULL || size > 0)
1575 {
1576 *al = TLS1_AD_UNRECOGNIZED_NAME;
1577 return 0;
1578 }
1579 tlsext_servername = 1;
1580 }
1581
1582 #ifndef OPENSSL_NO_EC
1583 else if (type == TLSEXT_TYPE_ec_point_formats &&
1584 s->version != DTLS1_VERSION)
1585 {
1586 unsigned char *sdata = data;
1587 int ecpointformatlist_length = *(sdata++);
1588
1589 if (ecpointformatlist_length != size - 1 ||
1590 ecpointformatlist_length < 1)
1591 {
1592 *al = TLS1_AD_DECODE_ERROR;
1593 return 0;
1594 }
1595 s->session->tlsext_ecpointformatlist_length = 0;
1596 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1597 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1598 {
1599 *al = TLS1_AD_INTERNAL_ERROR;
1600 return 0;
1601 }
1602 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1603 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1604 #if 0
1605 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1606 sdata = s->session->tlsext_ecpointformatlist;
1607 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1608 fprintf(stderr,"%i ",*(sdata++));
1609 fprintf(stderr,"\n");
1610 #endif
1611 }
1612 #endif /* OPENSSL_NO_EC */
1613
1614 else if (type == TLSEXT_TYPE_session_ticket)
1615 {
1616 if (s->tls_session_ticket_ext_cb &&
1617 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1618 {
1619 *al = TLS1_AD_INTERNAL_ERROR;
1620 return 0;
1621 }
1622 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1623 || (size > 0))
1624 {
1625 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1626 return 0;
1627 }
1628 s->tlsext_ticket_expected = 1;
1629 }
1630 #ifdef TLSEXT_TYPE_opaque_prf_input
1631 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1632 s->version != DTLS1_VERSION)
1633 {
1634 unsigned char *sdata = data;
1635
1636 if (size < 2)
1637 {
1638 *al = SSL_AD_DECODE_ERROR;
1639 return 0;
1640 }
1641 n2s(sdata, s->s3->server_opaque_prf_input_len);
1642 if (s->s3->server_opaque_prf_input_len != size - 2)
1643 {
1644 *al = SSL_AD_DECODE_ERROR;
1645 return 0;
1646 }
1647
1648 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1649 OPENSSL_free(s->s3->server_opaque_prf_input);
1650 if (s->s3->server_opaque_prf_input_len == 0)
1651 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1652 else
1653 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1654
1655 if (s->s3->server_opaque_prf_input == NULL)
1656 {
1657 *al = TLS1_AD_INTERNAL_ERROR;
1658 return 0;
1659 }
1660 }
1661 #endif
1662 else if (type == TLSEXT_TYPE_status_request &&
1663 s->version != DTLS1_VERSION)
1664 {
1665 /* MUST be empty and only sent if we've requested
1666 * a status request message.
1667 */
1668 if ((s->tlsext_status_type == -1) || (size > 0))
1669 {
1670 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1671 return 0;
1672 }
1673 /* Set flag to expect CertificateStatus message */
1674 s->tlsext_status_expected = 1;
1675 }
1676 #ifndef OPENSSL_NO_NEXTPROTONEG
1677 else if (type == TLSEXT_TYPE_next_proto_neg &&
1678 s->s3->tmp.finish_md_len == 0)
1679 {
1680 unsigned char *selected;
1681 unsigned char selected_len;
1682
1683 /* We must have requested it. */
1684 if (s->ctx->next_proto_select_cb == NULL)
1685 {
1686 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1687 return 0;
1688 }
1689 /* The data must be valid */
1690 if (!ssl_next_proto_validate(data, size))
1691 {
1692 *al = TLS1_AD_DECODE_ERROR;
1693 return 0;
1694 }
1695 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1696 {
1697 *al = TLS1_AD_INTERNAL_ERROR;
1698 return 0;
1699 }
1700 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1701 if (!s->next_proto_negotiated)
1702 {
1703 *al = TLS1_AD_INTERNAL_ERROR;
1704 return 0;
1705 }
1706 memcpy(s->next_proto_negotiated, selected, selected_len);
1707 s->next_proto_negotiated_len = selected_len;
1708 s->s3->next_proto_neg_seen = 1;
1709 }
1710 #endif
1711 else if (type == TLSEXT_TYPE_channel_id)
1712 s->s3->tlsext_channel_id_valid = 1;
1713
1714 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
1715 {
1716 unsigned len;
1717
1718 /* We must have requested it. */
1719 if (s->alpn_client_proto_list == NULL)
1720 {
1721 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1722 return 0;
1723 }
1724 if (size < 4)
1725 {
1726 *al = TLS1_AD_DECODE_ERROR;
1727 return 0;
1728 }
1729 /* The extension data consists of:
1730 * uint16 list_length
1731 * uint8 proto_length;
1732 * uint8 proto[proto_length]; */
1733 len = data[0];
1734 len <<= 8;
1735 len |= data[1];
1736 if (len != (unsigned) size - 2)
1737 {
1738 *al = TLS1_AD_DECODE_ERROR;
1739 return 0;
1740 }
1741 len = data[2];
1742 if (len != (unsigned) size - 3)
1743 {
1744 *al = TLS1_AD_DECODE_ERROR;
1745 return 0;
1746 }
1747 if (s->s3->alpn_selected)
1748 OPENSSL_free(s->s3->alpn_selected);
1749 s->s3->alpn_selected = OPENSSL_malloc(len);
1750 if (!s->s3->alpn_selected)
1751 {
1752 *al = TLS1_AD_INTERNAL_ERROR;
1753 return 0;
1754 }
1755 memcpy(s->s3->alpn_selected, data + 3, len);
1756 s->s3->alpn_selected_len = len;
1757 }
1758
1759 else if (type == TLSEXT_TYPE_renegotiate)
1760 {
1761 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1762 return 0;
1763 renegotiate_seen = 1;
1764 }
1765 #ifndef OPENSSL_NO_HEARTBEATS
1766 else if (type == TLSEXT_TYPE_heartbeat)
1767 {
1768 switch(data[0])
1769 {
1770 case 0x01: /* Server allows us to send HB requests */
1771 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1772 break;
1773 case 0x02: /* Server doesn't accept HB requests */
1774 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1775 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1776 break;
1777 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1778 return 0;
1779 }
1780 }
1781 #endif
1782 #ifndef OPENSSL_NO_SRTP
1783 else if (type == TLSEXT_TYPE_use_srtp)
1784 {
1785 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1786 al))
1787 return 0;
1788 }
1789 #endif
1790
1791 data+=size;
1792 }
1793
1794 if (data != d+n)
1795 {
1796 *al = SSL_AD_DECODE_ERROR;
1797 return 0;
1798 }
1799
1800 if (!s->hit && tlsext_servername == 1)
1801 {
1802 if (s->tlsext_hostname)
1803 {
1804 if (s->session->tlsext_hostname == NULL)
1805 {
1806 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1807 if (!s->session->tlsext_hostname)
1808 {
1809 *al = SSL_AD_UNRECOGNIZED_NAME;
1810 return 0;
1811 }
1812 }
1813 else
1814 {
1815 *al = SSL_AD_DECODE_ERROR;
1816 return 0;
1817 }
1818 }
1819 }
1820
1821 *p = data;
1822
1823 ri_check:
1824
1825 /* Determine if we need to see RI. Strictly speaking if we want to
1826 * avoid an attack we should *always* see RI even on initial server
1827 * hello because the client doesn't see any renegotiation during an
1828 * attack. However this would mean we could not connect to any server
1829 * which doesn't support RI so for the immediate future tolerate RI
1830 * absence on initial connect only.
1831 */
1832 if (!renegotiate_seen
1833 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1834 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1835 {
1836 *al = SSL_AD_HANDSHAKE_FAILURE;
1837 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1838 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1839 return 0;
1840 }
1841
1842 return 1;
1843 }
1844
1845
ssl_prepare_clienthello_tlsext(SSL * s)1846 int ssl_prepare_clienthello_tlsext(SSL *s)
1847 {
1848 #ifndef OPENSSL_NO_EC
1849 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1850 * and elliptic curves we support.
1851 */
1852 int using_ecc = 0;
1853 int i;
1854 unsigned char *j;
1855 unsigned long alg_k, alg_a;
1856 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1857
1858 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1859 {
1860 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1861
1862 alg_k = c->algorithm_mkey;
1863 alg_a = c->algorithm_auth;
1864 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1865 {
1866 using_ecc = 1;
1867 break;
1868 }
1869 }
1870 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1871 if (using_ecc)
1872 {
1873 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1874 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1875 {
1876 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1877 return -1;
1878 }
1879 s->tlsext_ecpointformatlist_length = 3;
1880 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1881 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1882 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1883
1884 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1885 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1886 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1887 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1888 {
1889 s->tlsext_ellipticcurvelist_length = 0;
1890 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1891 return -1;
1892 }
1893 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1894 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1895 {
1896 int id = tls1_ec_nid2curve_id(pref_list[i]);
1897 s2n(id,j);
1898 }
1899 }
1900 #endif /* OPENSSL_NO_EC */
1901
1902 #ifdef TLSEXT_TYPE_opaque_prf_input
1903 {
1904 int r = 1;
1905
1906 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1907 {
1908 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1909 if (!r)
1910 return -1;
1911 }
1912
1913 if (s->tlsext_opaque_prf_input != NULL)
1914 {
1915 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1916 OPENSSL_free(s->s3->client_opaque_prf_input);
1917
1918 if (s->tlsext_opaque_prf_input_len == 0)
1919 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1920 else
1921 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1922 if (s->s3->client_opaque_prf_input == NULL)
1923 {
1924 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1925 return -1;
1926 }
1927 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1928 }
1929
1930 if (r == 2)
1931 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1932 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1933 }
1934 #endif
1935
1936 return 1;
1937 }
1938
ssl_prepare_serverhello_tlsext(SSL * s)1939 int ssl_prepare_serverhello_tlsext(SSL *s)
1940 {
1941 #ifndef OPENSSL_NO_EC
1942 /* If we are server and using an ECC cipher suite, send the point formats we support
1943 * if the client sent us an ECPointsFormat extension. Note that the server is not
1944 * supposed to send an EllipticCurves extension.
1945 */
1946
1947 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1948 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1949 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1950 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1951
1952 if (using_ecc)
1953 {
1954 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1955 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1956 {
1957 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1958 return -1;
1959 }
1960 s->tlsext_ecpointformatlist_length = 3;
1961 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1962 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1963 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1964 }
1965 #endif /* OPENSSL_NO_EC */
1966
1967 return 1;
1968 }
1969
ssl_check_clienthello_tlsext_early(SSL * s)1970 int ssl_check_clienthello_tlsext_early(SSL *s)
1971 {
1972 int ret=SSL_TLSEXT_ERR_NOACK;
1973 int al = SSL_AD_UNRECOGNIZED_NAME;
1974
1975 #ifndef OPENSSL_NO_EC
1976 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1977 * ssl3_choose_cipher in s3_lib.c.
1978 */
1979 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1980 * ssl3_choose_cipher in s3_lib.c.
1981 */
1982 #endif
1983
1984 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1985 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1986 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1987 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1988
1989 #ifdef TLSEXT_TYPE_opaque_prf_input
1990 {
1991 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1992 * but we might be sending an alert in response to the client hello,
1993 * so this has to happen here in
1994 * ssl_check_clienthello_tlsext_early(). */
1995
1996 int r = 1;
1997
1998 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1999 {
2000 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2001 if (!r)
2002 {
2003 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2004 al = SSL_AD_INTERNAL_ERROR;
2005 goto err;
2006 }
2007 }
2008
2009 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2010 OPENSSL_free(s->s3->server_opaque_prf_input);
2011 s->s3->server_opaque_prf_input = NULL;
2012
2013 if (s->tlsext_opaque_prf_input != NULL)
2014 {
2015 if (s->s3->client_opaque_prf_input != NULL &&
2016 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2017 {
2018 /* can only use this extension if we have a server opaque PRF input
2019 * of the same length as the client opaque PRF input! */
2020
2021 if (s->tlsext_opaque_prf_input_len == 0)
2022 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2023 else
2024 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2025 if (s->s3->server_opaque_prf_input == NULL)
2026 {
2027 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2028 al = SSL_AD_INTERNAL_ERROR;
2029 goto err;
2030 }
2031 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2032 }
2033 }
2034
2035 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2036 {
2037 /* The callback wants to enforce use of the extension,
2038 * but we can't do that with the client opaque PRF input;
2039 * abort the handshake.
2040 */
2041 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2042 al = SSL_AD_HANDSHAKE_FAILURE;
2043 }
2044 }
2045
2046 err:
2047 #endif
2048 switch (ret)
2049 {
2050 case SSL_TLSEXT_ERR_ALERT_FATAL:
2051 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2052 return -1;
2053
2054 case SSL_TLSEXT_ERR_ALERT_WARNING:
2055 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2056 return 1;
2057
2058 case SSL_TLSEXT_ERR_NOACK:
2059 s->servername_done=0;
2060 default:
2061 return 1;
2062 }
2063 }
2064
ssl_check_clienthello_tlsext_late(SSL * s)2065 int ssl_check_clienthello_tlsext_late(SSL *s)
2066 {
2067 int ret = SSL_TLSEXT_ERR_OK;
2068 int al;
2069
2070 /* If status request then ask callback what to do.
2071 * Note: this must be called after servername callbacks in case
2072 * the certificate has changed, and must be called after the cipher
2073 * has been chosen because this may influence which certificate is sent
2074 */
2075 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2076 {
2077 int r;
2078 CERT_PKEY *certpkey;
2079 certpkey = ssl_get_server_send_pkey(s);
2080 /* If no certificate can't return certificate status */
2081 if (certpkey == NULL)
2082 {
2083 s->tlsext_status_expected = 0;
2084 return 1;
2085 }
2086 /* Set current certificate to one we will use so
2087 * SSL_get_certificate et al can pick it up.
2088 */
2089 s->cert->key = certpkey;
2090 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2091 switch (r)
2092 {
2093 /* We don't want to send a status request response */
2094 case SSL_TLSEXT_ERR_NOACK:
2095 s->tlsext_status_expected = 0;
2096 break;
2097 /* status request response should be sent */
2098 case SSL_TLSEXT_ERR_OK:
2099 if (s->tlsext_ocsp_resp)
2100 s->tlsext_status_expected = 1;
2101 else
2102 s->tlsext_status_expected = 0;
2103 break;
2104 /* something bad happened */
2105 case SSL_TLSEXT_ERR_ALERT_FATAL:
2106 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2107 al = SSL_AD_INTERNAL_ERROR;
2108 goto err;
2109 }
2110 }
2111 else
2112 s->tlsext_status_expected = 0;
2113
2114 err:
2115 switch (ret)
2116 {
2117 case SSL_TLSEXT_ERR_ALERT_FATAL:
2118 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2119 return -1;
2120
2121 case SSL_TLSEXT_ERR_ALERT_WARNING:
2122 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2123 return 1;
2124
2125 default:
2126 return 1;
2127 }
2128 }
2129
ssl_check_serverhello_tlsext(SSL * s)2130 int ssl_check_serverhello_tlsext(SSL *s)
2131 {
2132 int ret=SSL_TLSEXT_ERR_NOACK;
2133 int al = SSL_AD_UNRECOGNIZED_NAME;
2134
2135 #ifndef OPENSSL_NO_EC
2136 /* If we are client and using an elliptic curve cryptography cipher
2137 * suite, then if server returns an EC point formats lists extension
2138 * it must contain uncompressed.
2139 */
2140 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2141 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2142 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
2143 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
2144 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2145 {
2146 /* we are using an ECC cipher */
2147 size_t i;
2148 unsigned char *list;
2149 int found_uncompressed = 0;
2150 list = s->session->tlsext_ecpointformatlist;
2151 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2152 {
2153 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2154 {
2155 found_uncompressed = 1;
2156 break;
2157 }
2158 }
2159 if (!found_uncompressed)
2160 {
2161 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2162 return -1;
2163 }
2164 }
2165 ret = SSL_TLSEXT_ERR_OK;
2166 #endif /* OPENSSL_NO_EC */
2167
2168 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2169 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2170 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2171 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2172
2173 #ifdef TLSEXT_TYPE_opaque_prf_input
2174 if (s->s3->server_opaque_prf_input_len > 0)
2175 {
2176 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2177 * So first verify that we really have a value from the server too. */
2178
2179 if (s->s3->server_opaque_prf_input == NULL)
2180 {
2181 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2182 al = SSL_AD_HANDSHAKE_FAILURE;
2183 }
2184
2185 /* Anytime the server *has* sent an opaque PRF input, we need to check
2186 * that we have a client opaque PRF input of the same size. */
2187 if (s->s3->client_opaque_prf_input == NULL ||
2188 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2189 {
2190 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2191 al = SSL_AD_ILLEGAL_PARAMETER;
2192 }
2193 }
2194 #endif
2195
2196 /* If we've requested certificate status and we wont get one
2197 * tell the callback
2198 */
2199 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2200 && s->ctx && s->ctx->tlsext_status_cb)
2201 {
2202 int r;
2203 /* Set resp to NULL, resplen to -1 so callback knows
2204 * there is no response.
2205 */
2206 if (s->tlsext_ocsp_resp)
2207 {
2208 OPENSSL_free(s->tlsext_ocsp_resp);
2209 s->tlsext_ocsp_resp = NULL;
2210 }
2211 s->tlsext_ocsp_resplen = -1;
2212 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2213 if (r == 0)
2214 {
2215 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2216 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2217 }
2218 if (r < 0)
2219 {
2220 al = SSL_AD_INTERNAL_ERROR;
2221 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2222 }
2223 }
2224
2225 switch (ret)
2226 {
2227 case SSL_TLSEXT_ERR_ALERT_FATAL:
2228 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2229 return -1;
2230
2231 case SSL_TLSEXT_ERR_ALERT_WARNING:
2232 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2233 return 1;
2234
2235 case SSL_TLSEXT_ERR_NOACK:
2236 s->servername_done=0;
2237 default:
2238 return 1;
2239 }
2240 }
2241
2242 /* Since the server cache lookup is done early on in the processing of the
2243 * ClientHello, and other operations depend on the result, we need to handle
2244 * any TLS session ticket extension at the same time.
2245 *
2246 * session_id: points at the session ID in the ClientHello. This code will
2247 * read past the end of this in order to parse out the session ticket
2248 * extension, if any.
2249 * len: the length of the session ID.
2250 * limit: a pointer to the first byte after the ClientHello.
2251 * ret: (output) on return, if a ticket was decrypted, then this is set to
2252 * point to the resulting session.
2253 *
2254 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2255 * ciphersuite, in which case we have no use for session tickets and one will
2256 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2257 *
2258 * Returns:
2259 * -1: fatal error, either from parsing or decrypting the ticket.
2260 * 0: no ticket was found (or was ignored, based on settings).
2261 * 1: a zero length extension was found, indicating that the client supports
2262 * session tickets but doesn't currently have one to offer.
2263 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2264 * couldn't be decrypted because of a non-fatal error.
2265 * 3: a ticket was successfully decrypted and *ret was set.
2266 *
2267 * Side effects:
2268 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2269 * a new session ticket to the client because the client indicated support
2270 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2271 * a session ticket or we couldn't use the one it gave us, or if
2272 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2273 * Otherwise, s->tlsext_ticket_expected is set to 0.
2274 */
tls1_process_ticket(SSL * s,unsigned char * session_id,int len,const unsigned char * limit,SSL_SESSION ** ret)2275 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2276 const unsigned char *limit, SSL_SESSION **ret)
2277 {
2278 /* Point after session ID in client hello */
2279 const unsigned char *p = session_id + len;
2280 unsigned short i;
2281
2282 *ret = NULL;
2283 s->tlsext_ticket_expected = 0;
2284
2285 /* If tickets disabled behave as if no ticket present
2286 * to permit stateful resumption.
2287 */
2288 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2289 return 0;
2290 if ((s->version <= SSL3_VERSION) || !limit)
2291 return 0;
2292 if (p >= limit)
2293 return -1;
2294 /* Skip past DTLS cookie */
2295 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2296 {
2297 i = *(p++);
2298 p+= i;
2299 if (p >= limit)
2300 return -1;
2301 }
2302 /* Skip past cipher list */
2303 n2s(p, i);
2304 p+= i;
2305 if (p >= limit)
2306 return -1;
2307 /* Skip past compression algorithm list */
2308 i = *(p++);
2309 p += i;
2310 if (p > limit)
2311 return -1;
2312 /* Now at start of extensions */
2313 if ((p + 2) >= limit)
2314 return 0;
2315 n2s(p, i);
2316 while ((p + 4) <= limit)
2317 {
2318 unsigned short type, size;
2319 n2s(p, type);
2320 n2s(p, size);
2321 if (p + size > limit)
2322 return 0;
2323 if (type == TLSEXT_TYPE_session_ticket)
2324 {
2325 int r;
2326 if (size == 0)
2327 {
2328 /* The client will accept a ticket but doesn't
2329 * currently have one. */
2330 s->tlsext_ticket_expected = 1;
2331 return 1;
2332 }
2333 if (s->tls_session_secret_cb)
2334 {
2335 /* Indicate that the ticket couldn't be
2336 * decrypted rather than generating the session
2337 * from ticket now, trigger abbreviated
2338 * handshake based on external mechanism to
2339 * calculate the master secret later. */
2340 return 2;
2341 }
2342 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2343 switch (r)
2344 {
2345 case 2: /* ticket couldn't be decrypted */
2346 s->tlsext_ticket_expected = 1;
2347 return 2;
2348 case 3: /* ticket was decrypted */
2349 return r;
2350 case 4: /* ticket decrypted but need to renew */
2351 s->tlsext_ticket_expected = 1;
2352 return 3;
2353 default: /* fatal error */
2354 return -1;
2355 }
2356 }
2357 p += size;
2358 }
2359 return 0;
2360 }
2361
2362 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2363 *
2364 * etick: points to the body of the session ticket extension.
2365 * eticklen: the length of the session tickets extenion.
2366 * sess_id: points at the session ID.
2367 * sesslen: the length of the session ID.
2368 * psess: (output) on return, if a ticket was decrypted, then this is set to
2369 * point to the resulting session.
2370 *
2371 * Returns:
2372 * -1: fatal error, either from parsing or decrypting the ticket.
2373 * 2: the ticket couldn't be decrypted.
2374 * 3: a ticket was successfully decrypted and *psess was set.
2375 * 4: same as 3, but the ticket needs to be renewed.
2376 */
tls_decrypt_ticket(SSL * s,const unsigned char * etick,int eticklen,const unsigned char * sess_id,int sesslen,SSL_SESSION ** psess)2377 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2378 const unsigned char *sess_id, int sesslen,
2379 SSL_SESSION **psess)
2380 {
2381 SSL_SESSION *sess;
2382 unsigned char *sdec;
2383 const unsigned char *p;
2384 int slen, mlen, renew_ticket = 0;
2385 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2386 HMAC_CTX hctx;
2387 EVP_CIPHER_CTX ctx;
2388 SSL_CTX *tctx = s->initial_ctx;
2389 /* Need at least keyname + iv + some encrypted data */
2390 if (eticklen < 48)
2391 return 2;
2392 /* Initialize session ticket encryption and HMAC contexts */
2393 HMAC_CTX_init(&hctx);
2394 EVP_CIPHER_CTX_init(&ctx);
2395 if (tctx->tlsext_ticket_key_cb)
2396 {
2397 unsigned char *nctick = (unsigned char *)etick;
2398 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2399 &ctx, &hctx, 0);
2400 if (rv < 0)
2401 return -1;
2402 if (rv == 0)
2403 return 2;
2404 if (rv == 2)
2405 renew_ticket = 1;
2406 }
2407 else
2408 {
2409 /* Check key name matches */
2410 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2411 return 2;
2412 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2413 tlsext_tick_md(), NULL);
2414 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2415 tctx->tlsext_tick_aes_key, etick + 16);
2416 }
2417 /* Attempt to process session ticket, first conduct sanity and
2418 * integrity checks on ticket.
2419 */
2420 mlen = HMAC_size(&hctx);
2421 if (mlen < 0)
2422 {
2423 EVP_CIPHER_CTX_cleanup(&ctx);
2424 return -1;
2425 }
2426 eticklen -= mlen;
2427 /* Check HMAC of encrypted ticket */
2428 HMAC_Update(&hctx, etick, eticklen);
2429 HMAC_Final(&hctx, tick_hmac, NULL);
2430 HMAC_CTX_cleanup(&hctx);
2431 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2432 return 2;
2433 /* Attempt to decrypt session data */
2434 /* Move p after IV to start of encrypted ticket, update length */
2435 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2436 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2437 sdec = OPENSSL_malloc(eticklen);
2438 if (!sdec)
2439 {
2440 EVP_CIPHER_CTX_cleanup(&ctx);
2441 return -1;
2442 }
2443 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2444 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2445 return 2;
2446 slen += mlen;
2447 EVP_CIPHER_CTX_cleanup(&ctx);
2448 p = sdec;
2449
2450 sess = d2i_SSL_SESSION(NULL, &p, slen);
2451 OPENSSL_free(sdec);
2452 if (sess)
2453 {
2454 /* The session ID, if non-empty, is used by some clients to
2455 * detect that the ticket has been accepted. So we copy it to
2456 * the session structure. If it is empty set length to zero
2457 * as required by standard.
2458 */
2459 if (sesslen)
2460 memcpy(sess->session_id, sess_id, sesslen);
2461 sess->session_id_length = sesslen;
2462 *psess = sess;
2463 if (renew_ticket)
2464 return 4;
2465 else
2466 return 3;
2467 }
2468 ERR_clear_error();
2469 /* For session parse failure, indicate that we need to send a new
2470 * ticket. */
2471 return 2;
2472 }
2473
2474 /* Tables to translate from NIDs to TLS v1.2 ids */
2475
2476 typedef struct
2477 {
2478 int nid;
2479 int id;
2480 } tls12_lookup;
2481
2482 static tls12_lookup tls12_md[] = {
2483 #ifndef OPENSSL_NO_MD5
2484 {NID_md5, TLSEXT_hash_md5},
2485 #endif
2486 #ifndef OPENSSL_NO_SHA
2487 {NID_sha1, TLSEXT_hash_sha1},
2488 #endif
2489 #ifndef OPENSSL_NO_SHA256
2490 {NID_sha224, TLSEXT_hash_sha224},
2491 {NID_sha256, TLSEXT_hash_sha256},
2492 #endif
2493 #ifndef OPENSSL_NO_SHA512
2494 {NID_sha384, TLSEXT_hash_sha384},
2495 {NID_sha512, TLSEXT_hash_sha512}
2496 #endif
2497 };
2498
2499 static tls12_lookup tls12_sig[] = {
2500 #ifndef OPENSSL_NO_RSA
2501 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2502 #endif
2503 #ifndef OPENSSL_NO_DSA
2504 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2505 #endif
2506 #ifndef OPENSSL_NO_ECDSA
2507 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2508 #endif
2509 };
2510
tls12_find_id(int nid,tls12_lookup * table,size_t tlen)2511 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2512 {
2513 size_t i;
2514 for (i = 0; i < tlen; i++)
2515 {
2516 if (table[i].nid == nid)
2517 return table[i].id;
2518 }
2519 return -1;
2520 }
2521
tls12_get_sigandhash(unsigned char * p,const EVP_PKEY * pk,const EVP_MD * md)2522 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2523 {
2524 int sig_id, md_id;
2525 if (!md)
2526 return 0;
2527 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2528 sizeof(tls12_md)/sizeof(tls12_lookup));
2529 if (md_id == -1)
2530 return 0;
2531 sig_id = tls12_get_sigid(pk);
2532 if (sig_id == -1)
2533 return 0;
2534 p[0] = (unsigned char)md_id;
2535 p[1] = (unsigned char)sig_id;
2536 return 1;
2537 }
2538
2539 /* tls12_get_sigid returns the TLS 1.2 SignatureAlgorithm value corresponding
2540 * to the given public key, or -1 if not known. */
tls12_get_sigid(const EVP_PKEY * pk)2541 int tls12_get_sigid(const EVP_PKEY *pk)
2542 {
2543 return tls12_find_id(pk->type, tls12_sig,
2544 sizeof(tls12_sig)/sizeof(tls12_lookup));
2545 }
2546
tls12_get_hash(unsigned char hash_alg)2547 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2548 {
2549 switch(hash_alg)
2550 {
2551 #ifndef OPENSSL_NO_MD5
2552 case TLSEXT_hash_md5:
2553 #ifdef OPENSSL_FIPS
2554 if (FIPS_mode())
2555 return NULL;
2556 #endif
2557 return EVP_md5();
2558 #endif
2559 #ifndef OPENSSL_NO_SHA
2560 case TLSEXT_hash_sha1:
2561 return EVP_sha1();
2562 #endif
2563 #ifndef OPENSSL_NO_SHA256
2564 case TLSEXT_hash_sha224:
2565 return EVP_sha224();
2566
2567 case TLSEXT_hash_sha256:
2568 return EVP_sha256();
2569 #endif
2570 #ifndef OPENSSL_NO_SHA512
2571 case TLSEXT_hash_sha384:
2572 return EVP_sha384();
2573
2574 case TLSEXT_hash_sha512:
2575 return EVP_sha512();
2576 #endif
2577 default:
2578 return NULL;
2579
2580 }
2581 }
2582
2583 /* tls1_process_sigalgs processes a signature_algorithms extension and sets the
2584 * digest functions accordingly for each key type.
2585 *
2586 * See RFC 5246, section 7.4.1.4.1.
2587 *
2588 * data: points to the content of the extension, not including type and length
2589 * headers.
2590 * dsize: the number of bytes of |data|. Must be even.
2591 */
tls1_process_sigalgs(SSL * s,const unsigned char * data,int dsize)2592 void tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2593 {
2594 int i;
2595 const EVP_MD *md, **digest_ptr;
2596 /* Extension ignored for TLS versions below 1.2 */
2597 if (TLS1_get_version(s) < TLS1_2_VERSION)
2598 return;
2599
2600 s->s3->digest_rsa = NULL;
2601 s->s3->digest_dsa = NULL;
2602 s->s3->digest_ecdsa = NULL;
2603
2604 for (i = 0; i < dsize; i += 2)
2605 {
2606 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2607
2608 switch(sig_alg)
2609 {
2610 #ifndef OPENSSL_NO_RSA
2611 case TLSEXT_signature_rsa:
2612 digest_ptr = &s->s3->digest_rsa;
2613 break;
2614 #endif
2615 #ifndef OPENSSL_NO_DSA
2616 case TLSEXT_signature_dsa:
2617 digest_ptr = &s->s3->digest_dsa;
2618 break;
2619 #endif
2620 #ifndef OPENSSL_NO_ECDSA
2621 case TLSEXT_signature_ecdsa:
2622 digest_ptr = &s->s3->digest_ecdsa;
2623 break;
2624 #endif
2625 default:
2626 continue;
2627 }
2628
2629 if (*digest_ptr == NULL)
2630 {
2631 md = tls12_get_hash(hash_alg);
2632 if (md)
2633 *digest_ptr = md;
2634 }
2635
2636 }
2637 }
2638
2639 #endif
2640
2641 #ifndef OPENSSL_NO_HEARTBEATS
2642 int
tls1_process_heartbeat(SSL * s)2643 tls1_process_heartbeat(SSL *s)
2644 {
2645 unsigned char *p = &s->s3->rrec.data[0], *pl;
2646 unsigned short hbtype;
2647 unsigned int payload;
2648 unsigned int padding = 16; /* Use minimum padding */
2649
2650 /* Read type and payload length first */
2651 hbtype = *p++;
2652 n2s(p, payload);
2653 pl = p;
2654
2655 if (s->msg_callback)
2656 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2657 &s->s3->rrec.data[0], s->s3->rrec.length,
2658 s, s->msg_callback_arg);
2659
2660 if (hbtype == TLS1_HB_REQUEST)
2661 {
2662 unsigned char *buffer, *bp;
2663 int r;
2664
2665 /* Allocate memory for the response, size is 1 bytes
2666 * message type, plus 2 bytes payload length, plus
2667 * payload, plus padding
2668 */
2669 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2670 bp = buffer;
2671
2672 /* Enter response type, length and copy payload */
2673 *bp++ = TLS1_HB_RESPONSE;
2674 s2n(payload, bp);
2675 memcpy(bp, pl, payload);
2676 bp += payload;
2677 /* Random padding */
2678 RAND_pseudo_bytes(bp, padding);
2679
2680 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2681
2682 if (r >= 0 && s->msg_callback)
2683 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2684 buffer, 3 + payload + padding,
2685 s, s->msg_callback_arg);
2686
2687 OPENSSL_free(buffer);
2688
2689 if (r < 0)
2690 return r;
2691 }
2692 else if (hbtype == TLS1_HB_RESPONSE)
2693 {
2694 unsigned int seq;
2695
2696 /* We only send sequence numbers (2 bytes unsigned int),
2697 * and 16 random bytes, so we just try to read the
2698 * sequence number */
2699 n2s(pl, seq);
2700
2701 if (payload == 18 && seq == s->tlsext_hb_seq)
2702 {
2703 s->tlsext_hb_seq++;
2704 s->tlsext_hb_pending = 0;
2705 }
2706 }
2707
2708 return 0;
2709 }
2710
2711 int
tls1_heartbeat(SSL * s)2712 tls1_heartbeat(SSL *s)
2713 {
2714 unsigned char *buf, *p;
2715 int ret;
2716 unsigned int payload = 18; /* Sequence number + random bytes */
2717 unsigned int padding = 16; /* Use minimum padding */
2718
2719 /* Only send if peer supports and accepts HB requests... */
2720 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2721 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2722 {
2723 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2724 return -1;
2725 }
2726
2727 /* ...and there is none in flight yet... */
2728 if (s->tlsext_hb_pending)
2729 {
2730 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2731 return -1;
2732 }
2733
2734 /* ...and no handshake in progress. */
2735 if (SSL_in_init(s) || s->in_handshake)
2736 {
2737 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2738 return -1;
2739 }
2740
2741 /* Check if padding is too long, payload and padding
2742 * must not exceed 2^14 - 3 = 16381 bytes in total.
2743 */
2744 OPENSSL_assert(payload + padding <= 16381);
2745
2746 /* Create HeartBeat message, we just use a sequence number
2747 * as payload to distuingish different messages and add
2748 * some random stuff.
2749 * - Message Type, 1 byte
2750 * - Payload Length, 2 bytes (unsigned int)
2751 * - Payload, the sequence number (2 bytes uint)
2752 * - Payload, random bytes (16 bytes uint)
2753 * - Padding
2754 */
2755 buf = OPENSSL_malloc(1 + 2 + payload + padding);
2756 p = buf;
2757 /* Message Type */
2758 *p++ = TLS1_HB_REQUEST;
2759 /* Payload length (18 bytes here) */
2760 s2n(payload, p);
2761 /* Sequence number */
2762 s2n(s->tlsext_hb_seq, p);
2763 /* 16 random bytes */
2764 RAND_pseudo_bytes(p, 16);
2765 p += 16;
2766 /* Random padding */
2767 RAND_pseudo_bytes(p, padding);
2768
2769 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2770 if (ret >= 0)
2771 {
2772 if (s->msg_callback)
2773 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2774 buf, 3 + payload + padding,
2775 s, s->msg_callback_arg);
2776
2777 s->tlsext_hb_pending = 1;
2778 }
2779
2780 OPENSSL_free(buf);
2781
2782 return ret;
2783 }
2784 #endif
2785
2786 #if !defined(OPENSSL_NO_TLSEXT)
2787 /* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
2788 * SSL connection and writes it to |md|.
2789 */
2790 int
tls1_channel_id_hash(EVP_MD_CTX * md,SSL * s)2791 tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
2792 {
2793 EVP_MD_CTX ctx;
2794 unsigned char temp_digest[EVP_MAX_MD_SIZE];
2795 unsigned temp_digest_len;
2796 int i;
2797 static const char kClientIDMagic[] = "TLS Channel ID signature";
2798
2799 if (s->s3->handshake_buffer)
2800 if (!ssl3_digest_cached_records(s))
2801 return 0;
2802
2803 EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
2804
2805 EVP_MD_CTX_init(&ctx);
2806 for (i = 0; i < SSL_MAX_DIGEST; i++)
2807 {
2808 if (s->s3->handshake_dgst[i] == NULL)
2809 continue;
2810 EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
2811 EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
2812 EVP_DigestUpdate(md, temp_digest, temp_digest_len);
2813 }
2814 EVP_MD_CTX_cleanup(&ctx);
2815
2816 return 1;
2817 }
2818 #endif
2819