1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #include <assert.h>
110 #include <stdio.h>
111 #include <stdlib.h>
112 #include <string.h>
113
114 #include <openssl/bytestring.h>
115 #include <openssl/err.h>
116 #include <openssl/evp.h>
117 #include <openssl/hmac.h>
118 #include <openssl/mem.h>
119 #include <openssl/obj.h>
120 #include <openssl/rand.h>
121
122 #include "internal.h"
123
124
125 static int tls_decrypt_ticket(SSL *s, const uint8_t *tick, int ticklen,
126 const uint8_t *sess_id, int sesslen,
127 SSL_SESSION **psess);
128 static int ssl_check_clienthello_tlsext(SSL *s);
129 static int ssl_check_serverhello_tlsext(SSL *s);
130
131 const SSL3_ENC_METHOD TLSv1_enc_data = {
132 tls1_prf,
133 tls1_setup_key_block,
134 tls1_generate_master_secret,
135 tls1_change_cipher_state,
136 tls1_final_finish_mac,
137 tls1_cert_verify_mac,
138 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
139 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
140 tls1_alert_code,
141 tls1_export_keying_material,
142 0,
143 };
144
145 const SSL3_ENC_METHOD TLSv1_1_enc_data = {
146 tls1_prf,
147 tls1_setup_key_block,
148 tls1_generate_master_secret,
149 tls1_change_cipher_state,
150 tls1_final_finish_mac,
151 tls1_cert_verify_mac,
152 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
153 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
154 tls1_alert_code,
155 tls1_export_keying_material,
156 SSL_ENC_FLAG_EXPLICIT_IV,
157 };
158
159 const SSL3_ENC_METHOD TLSv1_2_enc_data = {
160 tls1_prf,
161 tls1_setup_key_block,
162 tls1_generate_master_secret,
163 tls1_change_cipher_state,
164 tls1_final_finish_mac,
165 tls1_cert_verify_mac,
166 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
167 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
168 tls1_alert_code,
169 tls1_export_keying_material,
170 SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
171 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
172 };
173
compare_uint16_t(const void * p1,const void * p2)174 static int compare_uint16_t(const void *p1, const void *p2) {
175 uint16_t u1 = *((const uint16_t *)p1);
176 uint16_t u2 = *((const uint16_t *)p2);
177 if (u1 < u2) {
178 return -1;
179 } else if (u1 > u2) {
180 return 1;
181 } else {
182 return 0;
183 }
184 }
185
186 /* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
187 * more than one extension of the same type in a ClientHello or ServerHello.
188 * This function does an initial scan over the extensions block to filter those
189 * out. */
tls1_check_duplicate_extensions(const CBS * cbs)190 static int tls1_check_duplicate_extensions(const CBS *cbs) {
191 CBS extensions = *cbs;
192 size_t num_extensions = 0, i = 0;
193 uint16_t *extension_types = NULL;
194 int ret = 0;
195
196 /* First pass: count the extensions. */
197 while (CBS_len(&extensions) > 0) {
198 uint16_t type;
199 CBS extension;
200
201 if (!CBS_get_u16(&extensions, &type) ||
202 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
203 goto done;
204 }
205
206 num_extensions++;
207 }
208
209 if (num_extensions == 0) {
210 return 1;
211 }
212
213 extension_types =
214 (uint16_t *)OPENSSL_malloc(sizeof(uint16_t) * num_extensions);
215 if (extension_types == NULL) {
216 OPENSSL_PUT_ERROR(SSL, tls1_check_duplicate_extensions,
217 ERR_R_MALLOC_FAILURE);
218 goto done;
219 }
220
221 /* Second pass: gather the extension types. */
222 extensions = *cbs;
223 for (i = 0; i < num_extensions; i++) {
224 CBS extension;
225
226 if (!CBS_get_u16(&extensions, &extension_types[i]) ||
227 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
228 /* This should not happen. */
229 goto done;
230 }
231 }
232 assert(CBS_len(&extensions) == 0);
233
234 /* Sort the extensions and make sure there are no duplicates. */
235 qsort(extension_types, num_extensions, sizeof(uint16_t), compare_uint16_t);
236 for (i = 1; i < num_extensions; i++) {
237 if (extension_types[i - 1] == extension_types[i]) {
238 goto done;
239 }
240 }
241
242 ret = 1;
243
244 done:
245 OPENSSL_free(extension_types);
246 return ret;
247 }
248
ssl_early_callback_init(struct ssl_early_callback_ctx * ctx)249 char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx) {
250 CBS client_hello, session_id, cipher_suites, compression_methods, extensions;
251
252 CBS_init(&client_hello, ctx->client_hello, ctx->client_hello_len);
253
254 if (/* Skip client version. */
255 !CBS_skip(&client_hello, 2) ||
256 /* Skip client nonce. */
257 !CBS_skip(&client_hello, 32) ||
258 /* Extract session_id. */
259 !CBS_get_u8_length_prefixed(&client_hello, &session_id)) {
260 return 0;
261 }
262
263 ctx->session_id = CBS_data(&session_id);
264 ctx->session_id_len = CBS_len(&session_id);
265
266 /* Skip past DTLS cookie */
267 if (SSL_IS_DTLS(ctx->ssl)) {
268 CBS cookie;
269
270 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie)) {
271 return 0;
272 }
273 }
274
275 /* Extract cipher_suites. */
276 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
277 CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0) {
278 return 0;
279 }
280 ctx->cipher_suites = CBS_data(&cipher_suites);
281 ctx->cipher_suites_len = CBS_len(&cipher_suites);
282
283 /* Extract compression_methods. */
284 if (!CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
285 CBS_len(&compression_methods) < 1) {
286 return 0;
287 }
288 ctx->compression_methods = CBS_data(&compression_methods);
289 ctx->compression_methods_len = CBS_len(&compression_methods);
290
291 /* If the ClientHello ends here then it's valid, but doesn't have any
292 * extensions. (E.g. SSLv3.) */
293 if (CBS_len(&client_hello) == 0) {
294 ctx->extensions = NULL;
295 ctx->extensions_len = 0;
296 return 1;
297 }
298
299 /* Extract extensions and check it is valid. */
300 if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
301 !tls1_check_duplicate_extensions(&extensions) ||
302 CBS_len(&client_hello) != 0) {
303 return 0;
304 }
305 ctx->extensions = CBS_data(&extensions);
306 ctx->extensions_len = CBS_len(&extensions);
307
308 return 1;
309 }
310
SSL_early_callback_ctx_extension_get(const struct ssl_early_callback_ctx * ctx,uint16_t extension_type,const uint8_t ** out_data,size_t * out_len)311 char SSL_early_callback_ctx_extension_get(
312 const struct ssl_early_callback_ctx *ctx, uint16_t extension_type,
313 const uint8_t **out_data, size_t *out_len) {
314 CBS extensions;
315
316 CBS_init(&extensions, ctx->extensions, ctx->extensions_len);
317
318 while (CBS_len(&extensions) != 0) {
319 uint16_t type;
320 CBS extension;
321
322 /* Decode the next extension. */
323 if (!CBS_get_u16(&extensions, &type) ||
324 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
325 return 0;
326 }
327
328 if (type == extension_type) {
329 *out_data = CBS_data(&extension);
330 *out_len = CBS_len(&extension);
331 return 1;
332 }
333 }
334
335 return 0;
336 }
337
338 struct tls_curve {
339 uint16_t curve_id;
340 int nid;
341 };
342
343 /* ECC curves from RFC4492. */
344 static const struct tls_curve tls_curves[] = {
345 {21, NID_secp224r1},
346 {23, NID_X9_62_prime256v1},
347 {24, NID_secp384r1},
348 {25, NID_secp521r1},
349 };
350
351 static const uint8_t ecformats_default[] = {
352 TLSEXT_ECPOINTFORMAT_uncompressed,
353 };
354
355 static const uint16_t eccurves_default[] = {
356 23, /* X9_62_prime256v1 */
357 24, /* secp384r1 */
358 #if defined(ANDROID)
359 25, /* secp521r1 */
360 #endif
361 };
362
tls1_ec_curve_id2nid(uint16_t curve_id)363 int tls1_ec_curve_id2nid(uint16_t curve_id) {
364 size_t i;
365 for (i = 0; i < sizeof(tls_curves) / sizeof(tls_curves[0]); i++) {
366 if (curve_id == tls_curves[i].curve_id) {
367 return tls_curves[i].nid;
368 }
369 }
370 return NID_undef;
371 }
372
tls1_ec_nid2curve_id(uint16_t * out_curve_id,int nid)373 int tls1_ec_nid2curve_id(uint16_t *out_curve_id, int nid) {
374 size_t i;
375 for (i = 0; i < sizeof(tls_curves) / sizeof(tls_curves[0]); i++) {
376 if (nid == tls_curves[i].nid) {
377 *out_curve_id = tls_curves[i].curve_id;
378 return 1;
379 }
380 }
381 return 0;
382 }
383
384 /* tls1_get_curvelist sets |*out_curve_ids| and |*out_curve_ids_len| to the
385 * list of allowed curve IDs. If |get_peer_curves| is non-zero, return the
386 * peer's curve list. Otherwise, return the preferred list. */
tls1_get_curvelist(SSL * s,int get_peer_curves,const uint16_t ** out_curve_ids,size_t * out_curve_ids_len)387 static void tls1_get_curvelist(SSL *s, int get_peer_curves,
388 const uint16_t **out_curve_ids,
389 size_t *out_curve_ids_len) {
390 if (get_peer_curves) {
391 /* Only clients send a curve list, so this function is only called
392 * on the server. */
393 assert(s->server);
394 *out_curve_ids = s->s3->tmp.peer_ellipticcurvelist;
395 *out_curve_ids_len = s->s3->tmp.peer_ellipticcurvelist_length;
396 return;
397 }
398
399 *out_curve_ids = s->tlsext_ellipticcurvelist;
400 *out_curve_ids_len = s->tlsext_ellipticcurvelist_length;
401 if (!*out_curve_ids) {
402 *out_curve_ids = eccurves_default;
403 *out_curve_ids_len = sizeof(eccurves_default) / sizeof(eccurves_default[0]);
404 }
405 }
406
tls1_check_curve(SSL * s,CBS * cbs,uint16_t * out_curve_id)407 int tls1_check_curve(SSL *s, CBS *cbs, uint16_t *out_curve_id) {
408 uint8_t curve_type;
409 uint16_t curve_id;
410 const uint16_t *curves;
411 size_t curves_len, i;
412
413 /* Only support named curves. */
414 if (!CBS_get_u8(cbs, &curve_type) ||
415 curve_type != NAMED_CURVE_TYPE ||
416 !CBS_get_u16(cbs, &curve_id)) {
417 return 0;
418 }
419
420 tls1_get_curvelist(s, 0, &curves, &curves_len);
421 for (i = 0; i < curves_len; i++) {
422 if (curve_id == curves[i]) {
423 *out_curve_id = curve_id;
424 return 1;
425 }
426 }
427
428 return 0;
429 }
430
tls1_get_shared_curve(SSL * s)431 int tls1_get_shared_curve(SSL *s) {
432 const uint16_t *curves, *peer_curves, *pref, *supp;
433 size_t curves_len, peer_curves_len, pref_len, supp_len, i, j;
434
435 /* Can't do anything on client side */
436 if (s->server == 0) {
437 return NID_undef;
438 }
439
440 tls1_get_curvelist(s, 0 /* local curves */, &curves, &curves_len);
441 tls1_get_curvelist(s, 1 /* peer curves */, &peer_curves, &peer_curves_len);
442
443 if (peer_curves_len == 0) {
444 /* Clients are not required to send a supported_curves extension. In this
445 * case, the server is free to pick any curve it likes. See RFC 4492,
446 * section 4, paragraph 3. */
447 return (curves_len == 0) ? NID_undef : tls1_ec_curve_id2nid(curves[0]);
448 }
449
450 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
451 pref = curves;
452 pref_len = curves_len;
453 supp = peer_curves;
454 supp_len = peer_curves_len;
455 } else {
456 pref = peer_curves;
457 pref_len = peer_curves_len;
458 supp = curves;
459 supp_len = curves_len;
460 }
461
462 for (i = 0; i < pref_len; i++) {
463 for (j = 0; j < supp_len; j++) {
464 if (pref[i] == supp[j]) {
465 return tls1_ec_curve_id2nid(pref[i]);
466 }
467 }
468 }
469
470 return NID_undef;
471 }
472
tls1_set_curves(uint16_t ** out_curve_ids,size_t * out_curve_ids_len,const int * curves,size_t ncurves)473 int tls1_set_curves(uint16_t **out_curve_ids, size_t *out_curve_ids_len,
474 const int *curves, size_t ncurves) {
475 uint16_t *curve_ids;
476 size_t i;
477
478 curve_ids = (uint16_t *)OPENSSL_malloc(ncurves * sizeof(uint16_t));
479 if (curve_ids == NULL) {
480 return 0;
481 }
482
483 for (i = 0; i < ncurves; i++) {
484 if (!tls1_ec_nid2curve_id(&curve_ids[i], curves[i])) {
485 OPENSSL_free(curve_ids);
486 return 0;
487 }
488 }
489
490 OPENSSL_free(*out_curve_ids);
491 *out_curve_ids = curve_ids;
492 *out_curve_ids_len = ncurves;
493
494 return 1;
495 }
496
497 /* tls1_curve_params_from_ec_key sets |*out_curve_id| and |*out_comp_id| to the
498 * TLS curve ID and point format, respectively, for |ec|. It returns one on
499 * success and zero on failure. */
tls1_curve_params_from_ec_key(uint16_t * out_curve_id,uint8_t * out_comp_id,EC_KEY * ec)500 static int tls1_curve_params_from_ec_key(uint16_t *out_curve_id,
501 uint8_t *out_comp_id, EC_KEY *ec) {
502 int nid;
503 uint16_t id;
504 const EC_GROUP *grp;
505
506 if (ec == NULL) {
507 return 0;
508 }
509
510 grp = EC_KEY_get0_group(ec);
511 if (grp == NULL) {
512 return 0;
513 }
514
515 /* Determine curve ID */
516 nid = EC_GROUP_get_curve_name(grp);
517 if (!tls1_ec_nid2curve_id(&id, nid)) {
518 return 0;
519 }
520
521 /* Set the named curve ID. Arbitrary explicit curves are not supported. */
522 *out_curve_id = id;
523
524 if (out_comp_id) {
525 if (EC_KEY_get0_public_key(ec) == NULL) {
526 return 0;
527 }
528 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
529 *out_comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
530 } else {
531 *out_comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
532 }
533 }
534
535 return 1;
536 }
537
538 /* tls1_check_point_format returns one if |comp_id| is consistent with the
539 * peer's point format preferences. */
tls1_check_point_format(SSL * s,uint8_t comp_id)540 static int tls1_check_point_format(SSL *s, uint8_t comp_id) {
541 uint8_t *p = s->s3->tmp.peer_ecpointformatlist;
542 size_t plen = s->s3->tmp.peer_ecpointformatlist_length;
543 size_t i;
544
545 /* If point formats extension present check it, otherwise everything is
546 * supported (see RFC4492). */
547 if (p == NULL) {
548 return 1;
549 }
550
551 for (i = 0; i < plen; i++) {
552 if (comp_id == p[i]) {
553 return 1;
554 }
555 }
556
557 return 0;
558 }
559
560 /* tls1_check_curve_id returns one if |curve_id| is consistent with both our
561 * and the peer's curve preferences. Note: if called as the client, only our
562 * preferences are checked; the peer (the server) does not send preferences. */
tls1_check_curve_id(SSL * s,uint16_t curve_id)563 static int tls1_check_curve_id(SSL *s, uint16_t curve_id) {
564 const uint16_t *curves;
565 size_t curves_len, i, get_peer_curves;
566
567 /* Check against our list, then the peer's list. */
568 for (get_peer_curves = 0; get_peer_curves <= 1; get_peer_curves++) {
569 if (get_peer_curves && !s->server) {
570 /* Servers do not present a preference list so, if we are a client, only
571 * check our list. */
572 continue;
573 }
574
575 tls1_get_curvelist(s, get_peer_curves, &curves, &curves_len);
576 if (get_peer_curves && curves_len == 0) {
577 /* Clients are not required to send a supported_curves extension. In this
578 * case, the server is free to pick any curve it likes. See RFC 4492,
579 * section 4, paragraph 3. */
580 continue;
581 }
582 for (i = 0; i < curves_len; i++) {
583 if (curves[i] == curve_id) {
584 break;
585 }
586 }
587
588 if (i == curves_len) {
589 return 0;
590 }
591 }
592
593 return 1;
594 }
595
tls1_get_formatlist(SSL * s,const uint8_t ** pformats,size_t * pformatslen)596 static void tls1_get_formatlist(SSL *s, const uint8_t **pformats,
597 size_t *pformatslen) {
598 /* If we have a custom point format list use it otherwise use default */
599 if (s->tlsext_ecpointformatlist) {
600 *pformats = s->tlsext_ecpointformatlist;
601 *pformatslen = s->tlsext_ecpointformatlist_length;
602 } else {
603 *pformats = ecformats_default;
604 *pformatslen = sizeof(ecformats_default);
605 }
606 }
607
tls1_check_ec_cert(SSL * s,X509 * x)608 int tls1_check_ec_cert(SSL *s, X509 *x) {
609 int ret = 0;
610 EVP_PKEY *pkey = X509_get_pubkey(x);
611 uint16_t curve_id;
612 uint8_t comp_id;
613
614 if (!pkey ||
615 pkey->type != EVP_PKEY_EC ||
616 !tls1_curve_params_from_ec_key(&curve_id, &comp_id, pkey->pkey.ec) ||
617 !tls1_check_curve_id(s, curve_id) ||
618 !tls1_check_point_format(s, comp_id)) {
619 goto done;
620 }
621
622 ret = 1;
623
624 done:
625 EVP_PKEY_free(pkey);
626 return ret;
627 }
628
tls1_check_ec_tmp_key(SSL * s)629 int tls1_check_ec_tmp_key(SSL *s) {
630 if (s->cert->ecdh_nid != NID_undef) {
631 /* If the curve is preconfigured, ECDH is acceptable iff the peer supports
632 * the curve. */
633 uint16_t curve_id;
634 return tls1_ec_nid2curve_id(&curve_id, s->cert->ecdh_nid) &&
635 tls1_check_curve_id(s, curve_id);
636 }
637
638 if (s->cert->ecdh_tmp_cb != NULL) {
639 /* Assume the callback will provide an acceptable curve. */
640 return 1;
641 }
642
643 /* Otherwise, the curve gets selected automatically. ECDH is acceptable iff
644 * there is a shared curve. */
645 return tls1_get_shared_curve(s) != NID_undef;
646 }
647
648 /* List of supported signature algorithms and hashes. Should make this
649 * customisable at some point, for now include everything we support. */
650
651 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
652
653 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
654
655 #define tlsext_sigalg(md) tlsext_sigalg_rsa(md) tlsext_sigalg_ecdsa(md)
656
657 static const uint8_t tls12_sigalgs[] = {
658 tlsext_sigalg(TLSEXT_hash_sha512)
659 tlsext_sigalg(TLSEXT_hash_sha384)
660 tlsext_sigalg(TLSEXT_hash_sha256)
661 tlsext_sigalg(TLSEXT_hash_sha224)
662 tlsext_sigalg(TLSEXT_hash_sha1)
663 };
664
tls12_get_psigalgs(SSL * s,const uint8_t ** psigs)665 size_t tls12_get_psigalgs(SSL *s, const uint8_t **psigs) {
666 /* If server use client authentication sigalgs if not NULL */
667 if (s->server && s->cert->client_sigalgs) {
668 *psigs = s->cert->client_sigalgs;
669 return s->cert->client_sigalgslen;
670 } else if (s->cert->conf_sigalgs) {
671 *psigs = s->cert->conf_sigalgs;
672 return s->cert->conf_sigalgslen;
673 } else {
674 *psigs = tls12_sigalgs;
675 return sizeof(tls12_sigalgs);
676 }
677 }
678
679 /* tls12_check_peer_sigalg parses a SignatureAndHashAlgorithm out of |cbs|. It
680 * checks it is consistent with |s|'s sent supported signature algorithms and,
681 * if so, writes the relevant digest into |*out_md| and returns 1. Otherwise it
682 * returns 0 and writes an alert into |*out_alert|. */
tls12_check_peer_sigalg(const EVP_MD ** out_md,int * out_alert,SSL * s,CBS * cbs,EVP_PKEY * pkey)683 int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert, SSL *s,
684 CBS *cbs, EVP_PKEY *pkey) {
685 const uint8_t *sent_sigs;
686 size_t sent_sigslen, i;
687 int sigalg = tls12_get_sigid(pkey);
688 uint8_t hash, signature;
689
690 /* Should never happen */
691 if (sigalg == -1) {
692 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, ERR_R_INTERNAL_ERROR);
693 *out_alert = SSL_AD_INTERNAL_ERROR;
694 return 0;
695 }
696
697 if (!CBS_get_u8(cbs, &hash) ||
698 !CBS_get_u8(cbs, &signature)) {
699 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_DECODE_ERROR);
700 *out_alert = SSL_AD_DECODE_ERROR;
701 return 0;
702 }
703
704 /* Check key type is consistent with signature */
705 if (sigalg != signature) {
706 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
707 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
708 return 0;
709 }
710
711 if (pkey->type == EVP_PKEY_EC) {
712 uint16_t curve_id;
713 uint8_t comp_id;
714 /* Check compression and curve matches extensions */
715 if (!tls1_curve_params_from_ec_key(&curve_id, &comp_id, pkey->pkey.ec)) {
716 *out_alert = SSL_AD_INTERNAL_ERROR;
717 return 0;
718 }
719
720 if (s->server && (!tls1_check_curve_id(s, curve_id) ||
721 !tls1_check_point_format(s, comp_id))) {
722 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_CURVE);
723 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
724 return 0;
725 }
726 }
727
728 /* Check signature matches a type we sent */
729 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
730 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
731 if (hash == sent_sigs[0] && signature == sent_sigs[1]) {
732 break;
733 }
734 }
735
736 /* Allow fallback to SHA-1. */
737 if (i == sent_sigslen && hash != TLSEXT_hash_sha1) {
738 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE);
739 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
740 return 0;
741 }
742
743 *out_md = tls12_get_hash(hash);
744 if (*out_md == NULL) {
745 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_UNKNOWN_DIGEST);
746 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
747 return 0;
748 }
749
750 return 1;
751 }
752
753 /* Get a mask of disabled algorithms: an algorithm is disabled if it isn't
754 * supported or doesn't appear in supported signature algorithms. Unlike
755 * ssl_cipher_get_disabled this applies to a specific session and not global
756 * settings. */
ssl_set_client_disabled(SSL * s)757 void ssl_set_client_disabled(SSL *s) {
758 CERT *c = s->cert;
759 const uint8_t *sigalgs;
760 size_t i, sigalgslen;
761 int have_rsa = 0, have_ecdsa = 0;
762 c->mask_a = 0;
763 c->mask_k = 0;
764
765 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
766 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s)) {
767 c->mask_ssl = SSL_TLSV1_2;
768 } else {
769 c->mask_ssl = 0;
770 }
771
772 /* Now go through all signature algorithms seeing if we support any for RSA,
773 * DSA, ECDSA. Do this for all versions not just TLS 1.2. */
774 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
775 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
776 switch (sigalgs[1]) {
777 case TLSEXT_signature_rsa:
778 have_rsa = 1;
779 break;
780
781 case TLSEXT_signature_ecdsa:
782 have_ecdsa = 1;
783 break;
784 }
785 }
786
787 /* Disable auth if we don't include any appropriate signature algorithms. */
788 if (!have_rsa) {
789 c->mask_a |= SSL_aRSA;
790 }
791 if (!have_ecdsa) {
792 c->mask_a |= SSL_aECDSA;
793 }
794
795 /* with PSK there must be client callback set */
796 if (!s->psk_client_callback) {
797 c->mask_a |= SSL_aPSK;
798 c->mask_k |= SSL_kPSK;
799 }
800 }
801
802 /* header_len is the length of the ClientHello header written so far, used to
803 * compute padding. It does not include the record header. Pass 0 if no padding
804 * is to be done. */
ssl_add_clienthello_tlsext(SSL * s,uint8_t * buf,uint8_t * limit,size_t header_len)805 uint8_t *ssl_add_clienthello_tlsext(SSL *s, uint8_t *buf, uint8_t *limit,
806 size_t header_len) {
807 int extdatalen = 0;
808 uint8_t *ret = buf;
809 uint8_t *orig = buf;
810 /* See if we support any ECC ciphersuites */
811 int using_ecc = 0;
812
813 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
814 size_t i;
815 uint32_t alg_k, alg_a;
816 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
817
818 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
819 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
820
821 alg_k = c->algorithm_mkey;
822 alg_a = c->algorithm_auth;
823 if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) {
824 using_ecc = 1;
825 break;
826 }
827 }
828 }
829
830 /* don't add extensions for SSLv3 unless doing secure renegotiation */
831 if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) {
832 return orig;
833 }
834
835 ret += 2;
836
837 if (ret >= limit) {
838 return NULL; /* should never occur. */
839 }
840
841 if (s->tlsext_hostname != NULL) {
842 /* Add TLS extension servername to the Client Hello message */
843 unsigned long size_str;
844 long lenmax;
845
846 /* check for enough space.
847 4 for the servername type and entension length
848 2 for servernamelist length
849 1 for the hostname type
850 2 for hostname length
851 + hostname length */
852
853 lenmax = limit - ret - 9;
854 size_str = strlen(s->tlsext_hostname);
855 if (lenmax < 0 || size_str > (unsigned long)lenmax) {
856 return NULL;
857 }
858
859 /* extension type and length */
860 s2n(TLSEXT_TYPE_server_name, ret);
861 s2n(size_str + 5, ret);
862
863 /* length of servername list */
864 s2n(size_str + 3, ret);
865
866 /* hostname type, length and hostname */
867 *(ret++) = (uint8_t)TLSEXT_NAMETYPE_host_name;
868 s2n(size_str, ret);
869 memcpy(ret, s->tlsext_hostname, size_str);
870 ret += size_str;
871 }
872
873 /* Add RI if renegotiating */
874 if (s->s3->initial_handshake_complete) {
875 int el;
876
877 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
878 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
879 return NULL;
880 }
881
882 if ((limit - ret - 4 - el) < 0) {
883 return NULL;
884 }
885
886 s2n(TLSEXT_TYPE_renegotiate, ret);
887 s2n(el, ret);
888
889 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
890 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
891 return NULL;
892 }
893
894 ret += el;
895 }
896
897 /* Add extended master secret. */
898 if (s->version != SSL3_VERSION) {
899 if (limit - ret - 4 < 0) {
900 return NULL;
901 }
902 s2n(TLSEXT_TYPE_extended_master_secret, ret);
903 s2n(0, ret);
904 }
905
906 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
907 int ticklen = 0;
908 /* Renegotiation does not participate in session resumption. However, still
909 * advertise the extension to avoid potentially breaking servers which carry
910 * over the state from the previous handshake, such as OpenSSL servers
911 * without upstream's 3c3f0259238594d77264a78944d409f2127642c4. */
912 if (!s->s3->initial_handshake_complete && s->session != NULL &&
913 s->session->tlsext_tick != NULL) {
914 ticklen = s->session->tlsext_ticklen;
915 }
916
917 /* Check for enough room 2 for extension type, 2 for len rest for
918 * ticket. */
919 if ((long)(limit - ret - 4 - ticklen) < 0) {
920 return NULL;
921 }
922 s2n(TLSEXT_TYPE_session_ticket, ret);
923 s2n(ticklen, ret);
924 if (ticklen) {
925 memcpy(ret, s->session->tlsext_tick, ticklen);
926 ret += ticklen;
927 }
928 }
929
930 if (ssl3_version_from_wire(s, s->client_version) >= TLS1_2_VERSION) {
931 size_t salglen;
932 const uint8_t *salg;
933 salglen = tls12_get_psigalgs(s, &salg);
934 if ((size_t)(limit - ret) < salglen + 6) {
935 return NULL;
936 }
937 s2n(TLSEXT_TYPE_signature_algorithms, ret);
938 s2n(salglen + 2, ret);
939 s2n(salglen, ret);
940 memcpy(ret, salg, salglen);
941 ret += salglen;
942 }
943
944 if (s->ocsp_stapling_enabled) {
945 /* The status_request extension is excessively extensible at every layer.
946 * On the client, only support requesting OCSP responses with an empty
947 * responder_id_list and no extensions. */
948 if (limit - ret - 4 - 1 - 2 - 2 < 0) {
949 return NULL;
950 }
951
952 s2n(TLSEXT_TYPE_status_request, ret);
953 s2n(1 + 2 + 2, ret);
954 /* status_type */
955 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
956 /* responder_id_list - empty */
957 s2n(0, ret);
958 /* request_extensions - empty */
959 s2n(0, ret);
960 }
961
962 if (s->ctx->next_proto_select_cb && !s->s3->initial_handshake_complete &&
963 !SSL_IS_DTLS(s)) {
964 /* The client advertises an emtpy extension to indicate its support for
965 * Next Protocol Negotiation */
966 if (limit - ret - 4 < 0) {
967 return NULL;
968 }
969 s2n(TLSEXT_TYPE_next_proto_neg, ret);
970 s2n(0, ret);
971 }
972
973 if (s->signed_cert_timestamps_enabled) {
974 /* The client advertises an empty extension to indicate its support for
975 * certificate timestamps. */
976 if (limit - ret - 4 < 0) {
977 return NULL;
978 }
979 s2n(TLSEXT_TYPE_certificate_timestamp, ret);
980 s2n(0, ret);
981 }
982
983 if (s->alpn_client_proto_list && !s->s3->initial_handshake_complete) {
984 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) {
985 return NULL;
986 }
987 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
988 s2n(2 + s->alpn_client_proto_list_len, ret);
989 s2n(s->alpn_client_proto_list_len, ret);
990 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
991 ret += s->alpn_client_proto_list_len;
992 }
993
994 if (s->tlsext_channel_id_enabled && !SSL_IS_DTLS(s)) {
995 /* The client advertises an emtpy extension to indicate its support for
996 * Channel ID. */
997 if (limit - ret - 4 < 0) {
998 return NULL;
999 }
1000 if (s->ctx->tlsext_channel_id_enabled_new) {
1001 s2n(TLSEXT_TYPE_channel_id_new, ret);
1002 } else {
1003 s2n(TLSEXT_TYPE_channel_id, ret);
1004 }
1005 s2n(0, ret);
1006 }
1007
1008 if (SSL_get_srtp_profiles(s)) {
1009 int el;
1010
1011 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1012
1013 if ((limit - ret - 4 - el) < 0) {
1014 return NULL;
1015 }
1016
1017 s2n(TLSEXT_TYPE_use_srtp, ret);
1018 s2n(el, ret);
1019
1020 if (!ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1021 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1022 return NULL;
1023 }
1024 ret += el;
1025 }
1026
1027 if (using_ecc) {
1028 /* Add TLS extension ECPointFormats to the ClientHello message */
1029 long lenmax;
1030 const uint8_t *formats;
1031 const uint16_t *curves;
1032 size_t formats_len, curves_len, i;
1033
1034 tls1_get_formatlist(s, &formats, &formats_len);
1035
1036 lenmax = limit - ret - 5;
1037 if (lenmax < 0) {
1038 return NULL;
1039 }
1040 if (formats_len > (size_t)lenmax) {
1041 return NULL;
1042 }
1043 if (formats_len > 255) {
1044 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1045 return NULL;
1046 }
1047
1048 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1049 s2n(formats_len + 1, ret);
1050 *(ret++) = (uint8_t)formats_len;
1051 memcpy(ret, formats, formats_len);
1052 ret += formats_len;
1053
1054 /* Add TLS extension EllipticCurves to the ClientHello message */
1055 tls1_get_curvelist(s, 0, &curves, &curves_len);
1056
1057 lenmax = limit - ret - 6;
1058 if (lenmax < 0) {
1059 return NULL;
1060 }
1061 if (curves_len * 2 > (size_t)lenmax) {
1062 return NULL;
1063 }
1064 if (curves_len * 2 > 65532) {
1065 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR);
1066 return NULL;
1067 }
1068
1069 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1070 s2n((curves_len * 2) + 2, ret);
1071
1072 s2n(curves_len * 2, ret);
1073 for (i = 0; i < curves_len; i++) {
1074 s2n(curves[i], ret);
1075 }
1076 }
1077
1078 if (header_len > 0) {
1079 size_t clienthello_minsize = 0;
1080 header_len += ret - orig;
1081 if (header_len > 0xff && header_len < 0x200) {
1082 /* Add padding to workaround bugs in F5 terminators. See
1083 * https://tools.ietf.org/html/draft-agl-tls-padding-03
1084 *
1085 * NB: because this code works out the length of all existing extensions
1086 * it MUST always appear last. */
1087 clienthello_minsize = 0x200;
1088 }
1089 if (s->fastradio_padding) {
1090 /* Pad the ClientHello record to 1024 bytes to fast forward the radio
1091 * into DCH (high data rate) state in 3G networks. Note that when
1092 * fastradio_padding is enabled, even if the header_len is less than 255
1093 * bytes, the padding will be applied regardless. This is slightly
1094 * different from the TLS padding extension suggested in
1095 * https://tools.ietf.org/html/draft-agl-tls-padding-03 */
1096 clienthello_minsize = 0x400;
1097 }
1098 if (header_len < clienthello_minsize) {
1099 size_t padding_len = clienthello_minsize - header_len;
1100 /* Extensions take at least four bytes to encode. Always include least
1101 * one byte of data if including the extension. WebSphere Application
1102 * Server 7.0 is intolerant to the last extension being zero-length. */
1103 if (padding_len >= 4 + 1) {
1104 padding_len -= 4;
1105 } else {
1106 padding_len = 1;
1107 }
1108
1109 if (limit - ret - 4 - (long)padding_len < 0) {
1110 return NULL;
1111 }
1112
1113 s2n(TLSEXT_TYPE_padding, ret);
1114 s2n(padding_len, ret);
1115 memset(ret, 0, padding_len);
1116 ret += padding_len;
1117 }
1118 }
1119
1120 extdatalen = ret - orig - 2;
1121 if (extdatalen == 0) {
1122 return orig;
1123 }
1124
1125 s2n(extdatalen, orig);
1126 return ret;
1127 }
1128
ssl_add_serverhello_tlsext(SSL * s,uint8_t * buf,uint8_t * limit)1129 uint8_t *ssl_add_serverhello_tlsext(SSL *s, uint8_t *buf, uint8_t *limit) {
1130 int extdatalen = 0;
1131 uint8_t *orig = buf;
1132 uint8_t *ret = buf;
1133 int next_proto_neg_seen;
1134 uint32_t alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1135 uint32_t alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1136 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1137 using_ecc = using_ecc && (s->s3->tmp.peer_ecpointformatlist != NULL);
1138
1139 /* don't add extensions for SSLv3, unless doing secure renegotiation */
1140 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) {
1141 return orig;
1142 }
1143
1144 ret += 2;
1145 if (ret >= limit) {
1146 return NULL; /* should never happen. */
1147 }
1148
1149 if (!s->hit && s->should_ack_sni && s->session->tlsext_hostname != NULL) {
1150 if ((long)(limit - ret - 4) < 0) {
1151 return NULL;
1152 }
1153
1154 s2n(TLSEXT_TYPE_server_name, ret);
1155 s2n(0, ret);
1156 }
1157
1158 if (s->s3->send_connection_binding) {
1159 int el;
1160
1161 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1162 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1163 return NULL;
1164 }
1165
1166 if ((limit - ret - 4 - el) < 0) {
1167 return NULL;
1168 }
1169
1170 s2n(TLSEXT_TYPE_renegotiate, ret);
1171 s2n(el, ret);
1172
1173 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1174 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1175 return NULL;
1176 }
1177
1178 ret += el;
1179 }
1180
1181 if (s->s3->tmp.extended_master_secret) {
1182 if ((long)(limit - ret - 4) < 0) {
1183 return NULL;
1184 }
1185
1186 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1187 s2n(0, ret);
1188 }
1189
1190 if (using_ecc) {
1191 const uint8_t *plist;
1192 size_t plistlen;
1193 /* Add TLS extension ECPointFormats to the ServerHello message */
1194 long lenmax;
1195
1196 tls1_get_formatlist(s, &plist, &plistlen);
1197
1198 lenmax = limit - ret - 5;
1199 if (lenmax < 0) {
1200 return NULL;
1201 }
1202 if (plistlen > (size_t)lenmax) {
1203 return NULL;
1204 }
1205 if (plistlen > 255) {
1206 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1207 return NULL;
1208 }
1209
1210 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1211 s2n(plistlen + 1, ret);
1212 *(ret++) = (uint8_t)plistlen;
1213 memcpy(ret, plist, plistlen);
1214 ret += plistlen;
1215 }
1216 /* Currently the server should not respond with a SupportedCurves extension */
1217
1218 if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1219 if ((long)(limit - ret - 4) < 0) {
1220 return NULL;
1221 }
1222 s2n(TLSEXT_TYPE_session_ticket, ret);
1223 s2n(0, ret);
1224 }
1225
1226 if (s->s3->tmp.certificate_status_expected) {
1227 if ((long)(limit - ret - 4) < 0) {
1228 return NULL;
1229 }
1230 s2n(TLSEXT_TYPE_status_request, ret);
1231 s2n(0, ret);
1232 }
1233
1234 if (s->srtp_profile) {
1235 int el;
1236
1237 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1238
1239 if ((limit - ret - 4 - el) < 0) {
1240 return NULL;
1241 }
1242
1243 s2n(TLSEXT_TYPE_use_srtp, ret);
1244 s2n(el, ret);
1245
1246 if (!ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1247 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR);
1248 return NULL;
1249 }
1250 ret += el;
1251 }
1252
1253 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1254 s->s3->next_proto_neg_seen = 0;
1255 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1256 const uint8_t *npa;
1257 unsigned int npalen;
1258 int r;
1259
1260 r = s->ctx->next_protos_advertised_cb(
1261 s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1262 if (r == SSL_TLSEXT_ERR_OK) {
1263 if ((long)(limit - ret - 4 - npalen) < 0) {
1264 return NULL;
1265 }
1266 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1267 s2n(npalen, ret);
1268 memcpy(ret, npa, npalen);
1269 ret += npalen;
1270 s->s3->next_proto_neg_seen = 1;
1271 }
1272 }
1273
1274 if (s->s3->alpn_selected) {
1275 const uint8_t *selected = s->s3->alpn_selected;
1276 size_t len = s->s3->alpn_selected_len;
1277
1278 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) {
1279 return NULL;
1280 }
1281 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1282 s2n(3 + len, ret);
1283 s2n(1 + len, ret);
1284 *ret++ = len;
1285 memcpy(ret, selected, len);
1286 ret += len;
1287 }
1288
1289 /* If the client advertised support for Channel ID, and we have it
1290 * enabled, then we want to echo it back. */
1291 if (s->s3->tlsext_channel_id_valid) {
1292 if (limit - ret - 4 < 0) {
1293 return NULL;
1294 }
1295 if (s->s3->tlsext_channel_id_new) {
1296 s2n(TLSEXT_TYPE_channel_id_new, ret);
1297 } else {
1298 s2n(TLSEXT_TYPE_channel_id, ret);
1299 }
1300 s2n(0, ret);
1301 }
1302
1303 extdatalen = ret - orig - 2;
1304 if (extdatalen == 0) {
1305 return orig;
1306 }
1307
1308 s2n(extdatalen, orig);
1309 return ret;
1310 }
1311
1312 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1313 * ClientHello.
1314 * cbs: the contents of the extension, not including the type and length.
1315 * out_alert: a pointer to the alert value to send in the event of a zero
1316 * return.
1317 *
1318 * returns: 1 on success. */
tls1_alpn_handle_client_hello(SSL * s,CBS * cbs,int * out_alert)1319 static int tls1_alpn_handle_client_hello(SSL *s, CBS *cbs, int *out_alert) {
1320 CBS protocol_name_list, protocol_name_list_copy;
1321 const uint8_t *selected;
1322 uint8_t selected_len;
1323 int r;
1324
1325 if (s->ctx->alpn_select_cb == NULL) {
1326 return 1;
1327 }
1328
1329 if (!CBS_get_u16_length_prefixed(cbs, &protocol_name_list) ||
1330 CBS_len(cbs) != 0 || CBS_len(&protocol_name_list) < 2) {
1331 goto parse_error;
1332 }
1333
1334 /* Validate the protocol list. */
1335 protocol_name_list_copy = protocol_name_list;
1336 while (CBS_len(&protocol_name_list_copy) > 0) {
1337 CBS protocol_name;
1338
1339 if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name)) {
1340 goto parse_error;
1341 }
1342 }
1343
1344 r = s->ctx->alpn_select_cb(
1345 s, &selected, &selected_len, CBS_data(&protocol_name_list),
1346 CBS_len(&protocol_name_list), s->ctx->alpn_select_cb_arg);
1347 if (r == SSL_TLSEXT_ERR_OK) {
1348 OPENSSL_free(s->s3->alpn_selected);
1349 s->s3->alpn_selected = BUF_memdup(selected, selected_len);
1350 if (!s->s3->alpn_selected) {
1351 *out_alert = SSL_AD_INTERNAL_ERROR;
1352 return 0;
1353 }
1354 s->s3->alpn_selected_len = selected_len;
1355 }
1356
1357 return 1;
1358
1359 parse_error:
1360 *out_alert = SSL_AD_DECODE_ERROR;
1361 return 0;
1362 }
1363
ssl_scan_clienthello_tlsext(SSL * s,CBS * cbs,int * out_alert)1364 static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) {
1365 int renegotiate_seen = 0;
1366 CBS extensions;
1367
1368 s->should_ack_sni = 0;
1369 s->srtp_profile = NULL;
1370 s->s3->next_proto_neg_seen = 0;
1371 s->s3->tmp.certificate_status_expected = 0;
1372 s->s3->tmp.extended_master_secret = 0;
1373
1374 OPENSSL_free(s->s3->alpn_selected);
1375 s->s3->alpn_selected = NULL;
1376
1377 /* Clear any signature algorithms extension received */
1378 OPENSSL_free(s->cert->peer_sigalgs);
1379 s->cert->peer_sigalgs = NULL;
1380 s->cert->peer_sigalgslen = 0;
1381
1382 /* Clear any shared signature algorithms */
1383 OPENSSL_free(s->cert->shared_sigalgs);
1384 s->cert->shared_sigalgs = NULL;
1385 s->cert->shared_sigalgslen = 0;
1386
1387 /* Clear ECC extensions */
1388 OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
1389 s->s3->tmp.peer_ecpointformatlist = NULL;
1390 s->s3->tmp.peer_ecpointformatlist_length = 0;
1391
1392 OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
1393 s->s3->tmp.peer_ellipticcurvelist = NULL;
1394 s->s3->tmp.peer_ellipticcurvelist_length = 0;
1395
1396 /* There may be no extensions. */
1397 if (CBS_len(cbs) == 0) {
1398 goto ri_check;
1399 }
1400
1401 /* Decode the extensions block and check it is valid. */
1402 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
1403 !tls1_check_duplicate_extensions(&extensions)) {
1404 *out_alert = SSL_AD_DECODE_ERROR;
1405 return 0;
1406 }
1407
1408 while (CBS_len(&extensions) != 0) {
1409 uint16_t type;
1410 CBS extension;
1411
1412 /* Decode the next extension. */
1413 if (!CBS_get_u16(&extensions, &type) ||
1414 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
1415 *out_alert = SSL_AD_DECODE_ERROR;
1416 return 0;
1417 }
1418
1419 /* The servername extension is treated as follows:
1420
1421 - Only the hostname type is supported with a maximum length of 255.
1422 - The servername is rejected if too long or if it contains zeros, in
1423 which case an fatal alert is generated.
1424 - The servername field is maintained together with the session cache.
1425 - When a session is resumed, the servername call back invoked in order
1426 to allow the application to position itself to the right context.
1427 - The servername is acknowledged if it is new for a session or when
1428 it is identical to a previously used for the same session.
1429 Applications can control the behaviour. They can at any time
1430 set a 'desirable' servername for a new SSL object. This can be the
1431 case for example with HTTPS when a Host: header field is received and
1432 a renegotiation is requested. In this case, a possible servername
1433 presented in the new client hello is only acknowledged if it matches
1434 the value of the Host: field.
1435 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1436 if they provide for changing an explicit servername context for the
1437 session,
1438 i.e. when the session has been established with a servername extension.
1439 - On session reconnect, the servername extension may be absent. */
1440
1441 if (type == TLSEXT_TYPE_server_name) {
1442 CBS server_name_list;
1443 char have_seen_host_name = 0;
1444
1445 if (!CBS_get_u16_length_prefixed(&extension, &server_name_list) ||
1446 CBS_len(&server_name_list) < 1 || CBS_len(&extension) != 0) {
1447 *out_alert = SSL_AD_DECODE_ERROR;
1448 return 0;
1449 }
1450
1451 /* Decode each ServerName in the extension. */
1452 while (CBS_len(&server_name_list) > 0) {
1453 uint8_t name_type;
1454 CBS host_name;
1455
1456 /* Decode the NameType. */
1457 if (!CBS_get_u8(&server_name_list, &name_type)) {
1458 *out_alert = SSL_AD_DECODE_ERROR;
1459 return 0;
1460 }
1461
1462 /* Only host_name is supported. */
1463 if (name_type != TLSEXT_NAMETYPE_host_name) {
1464 continue;
1465 }
1466
1467 if (have_seen_host_name) {
1468 /* The ServerNameList MUST NOT contain more than one name of the same
1469 * name_type. */
1470 *out_alert = SSL_AD_DECODE_ERROR;
1471 return 0;
1472 }
1473
1474 have_seen_host_name = 1;
1475
1476 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
1477 CBS_len(&host_name) < 1) {
1478 *out_alert = SSL_AD_DECODE_ERROR;
1479 return 0;
1480 }
1481
1482 if (CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
1483 CBS_contains_zero_byte(&host_name)) {
1484 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
1485 return 0;
1486 }
1487
1488 if (!s->hit) {
1489 assert(s->session->tlsext_hostname == NULL);
1490 if (s->session->tlsext_hostname) {
1491 /* This should be impossible. */
1492 *out_alert = SSL_AD_DECODE_ERROR;
1493 return 0;
1494 }
1495
1496 /* Copy the hostname as a string. */
1497 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
1498 *out_alert = SSL_AD_INTERNAL_ERROR;
1499 return 0;
1500 }
1501
1502 s->should_ack_sni = 1;
1503 }
1504 }
1505 } else if (type == TLSEXT_TYPE_ec_point_formats) {
1506 CBS ec_point_format_list;
1507
1508 if (!CBS_get_u8_length_prefixed(&extension, &ec_point_format_list) ||
1509 CBS_len(&extension) != 0) {
1510 *out_alert = SSL_AD_DECODE_ERROR;
1511 return 0;
1512 }
1513
1514 if (!CBS_stow(&ec_point_format_list, &s->s3->tmp.peer_ecpointformatlist,
1515 &s->s3->tmp.peer_ecpointformatlist_length)) {
1516 *out_alert = SSL_AD_INTERNAL_ERROR;
1517 return 0;
1518 }
1519 } else if (type == TLSEXT_TYPE_elliptic_curves) {
1520 CBS elliptic_curve_list;
1521 size_t i, num_curves;
1522
1523 if (!CBS_get_u16_length_prefixed(&extension, &elliptic_curve_list) ||
1524 CBS_len(&elliptic_curve_list) == 0 ||
1525 (CBS_len(&elliptic_curve_list) & 1) != 0 ||
1526 CBS_len(&extension) != 0) {
1527 *out_alert = SSL_AD_DECODE_ERROR;
1528 return 0;
1529 }
1530
1531 OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
1532 s->s3->tmp.peer_ellipticcurvelist_length = 0;
1533
1534 s->s3->tmp.peer_ellipticcurvelist =
1535 (uint16_t *)OPENSSL_malloc(CBS_len(&elliptic_curve_list));
1536
1537 if (s->s3->tmp.peer_ellipticcurvelist == NULL) {
1538 *out_alert = SSL_AD_INTERNAL_ERROR;
1539 return 0;
1540 }
1541
1542 num_curves = CBS_len(&elliptic_curve_list) / 2;
1543 for (i = 0; i < num_curves; i++) {
1544 if (!CBS_get_u16(&elliptic_curve_list,
1545 &s->s3->tmp.peer_ellipticcurvelist[i])) {
1546 *out_alert = SSL_AD_INTERNAL_ERROR;
1547 return 0;
1548 }
1549 }
1550
1551 if (CBS_len(&elliptic_curve_list) != 0) {
1552 *out_alert = SSL_AD_INTERNAL_ERROR;
1553 return 0;
1554 }
1555
1556 s->s3->tmp.peer_ellipticcurvelist_length = num_curves;
1557 } else if (type == TLSEXT_TYPE_renegotiate) {
1558 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, out_alert)) {
1559 return 0;
1560 }
1561 renegotiate_seen = 1;
1562 } else if (type == TLSEXT_TYPE_signature_algorithms) {
1563 CBS supported_signature_algorithms;
1564
1565 if (!CBS_get_u16_length_prefixed(&extension,
1566 &supported_signature_algorithms) ||
1567 CBS_len(&extension) != 0) {
1568 *out_alert = SSL_AD_DECODE_ERROR;
1569 return 0;
1570 }
1571
1572 /* Ensure the signature algorithms are non-empty. It contains a list of
1573 * SignatureAndHashAlgorithms which are two bytes each. */
1574 if (CBS_len(&supported_signature_algorithms) == 0 ||
1575 (CBS_len(&supported_signature_algorithms) % 2) != 0) {
1576 *out_alert = SSL_AD_DECODE_ERROR;
1577 return 0;
1578 }
1579
1580 if (!tls1_process_sigalgs(s, &supported_signature_algorithms)) {
1581 *out_alert = SSL_AD_DECODE_ERROR;
1582 return 0;
1583 }
1584 /* If sigalgs received and no shared algorithms fatal error. */
1585 if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs) {
1586 OPENSSL_PUT_ERROR(SSL, ssl_scan_clienthello_tlsext,
1587 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
1588 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1589 return 0;
1590 }
1591 } else if (type == TLSEXT_TYPE_next_proto_neg &&
1592 !s->s3->initial_handshake_complete &&
1593 s->s3->alpn_selected == NULL && !SSL_IS_DTLS(s)) {
1594 /* The extension must be empty. */
1595 if (CBS_len(&extension) != 0) {
1596 *out_alert = SSL_AD_DECODE_ERROR;
1597 return 0;
1598 }
1599 s->s3->next_proto_neg_seen = 1;
1600 } else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
1601 s->ctx->alpn_select_cb && !s->s3->initial_handshake_complete) {
1602 if (!tls1_alpn_handle_client_hello(s, &extension, out_alert)) {
1603 return 0;
1604 }
1605 /* ALPN takes precedence over NPN. */
1606 s->s3->next_proto_neg_seen = 0;
1607 } else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled &&
1608 !SSL_IS_DTLS(s)) {
1609 /* The extension must be empty. */
1610 if (CBS_len(&extension) != 0) {
1611 *out_alert = SSL_AD_DECODE_ERROR;
1612 return 0;
1613 }
1614
1615 s->s3->tlsext_channel_id_valid = 1;
1616 } else if (type == TLSEXT_TYPE_channel_id_new &&
1617 s->tlsext_channel_id_enabled && !SSL_IS_DTLS(s)) {
1618 /* The extension must be empty. */
1619 if (CBS_len(&extension) != 0) {
1620 *out_alert = SSL_AD_DECODE_ERROR;
1621 return 0;
1622 }
1623
1624 s->s3->tlsext_channel_id_valid = 1;
1625 s->s3->tlsext_channel_id_new = 1;
1626 } else if (type == TLSEXT_TYPE_use_srtp) {
1627 if (!ssl_parse_clienthello_use_srtp_ext(s, &extension, out_alert)) {
1628 return 0;
1629 }
1630 } else if (type == TLSEXT_TYPE_extended_master_secret &&
1631 s->version != SSL3_VERSION) {
1632 if (CBS_len(&extension) != 0) {
1633 *out_alert = SSL_AD_DECODE_ERROR;
1634 return 0;
1635 }
1636
1637 s->s3->tmp.extended_master_secret = 1;
1638 }
1639 }
1640
1641 ri_check:
1642 /* Need RI if renegotiating */
1643
1644 if (!renegotiate_seen && s->s3->initial_handshake_complete &&
1645 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
1646 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
1647 OPENSSL_PUT_ERROR(SSL, ssl_scan_clienthello_tlsext,
1648 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1649 return 0;
1650 }
1651
1652 return 1;
1653 }
1654
ssl_parse_clienthello_tlsext(SSL * s,CBS * cbs)1655 int ssl_parse_clienthello_tlsext(SSL *s, CBS *cbs) {
1656 int alert = -1;
1657 if (ssl_scan_clienthello_tlsext(s, cbs, &alert) <= 0) {
1658 ssl3_send_alert(s, SSL3_AL_FATAL, alert);
1659 return 0;
1660 }
1661
1662 if (ssl_check_clienthello_tlsext(s) <= 0) {
1663 OPENSSL_PUT_ERROR(SSL, ssl_parse_clienthello_tlsext,
1664 SSL_R_CLIENTHELLO_TLSEXT);
1665 return 0;
1666 }
1667
1668 return 1;
1669 }
1670
1671 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1672 * elements of zero length are allowed and the set of elements must exactly
1673 * fill the length of the block. */
ssl_next_proto_validate(const CBS * cbs)1674 static char ssl_next_proto_validate(const CBS *cbs) {
1675 CBS copy = *cbs;
1676
1677 while (CBS_len(©) != 0) {
1678 CBS proto;
1679 if (!CBS_get_u8_length_prefixed(©, &proto) || CBS_len(&proto) == 0) {
1680 return 0;
1681 }
1682 }
1683
1684 return 1;
1685 }
1686
ssl_scan_serverhello_tlsext(SSL * s,CBS * cbs,int * out_alert)1687 static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) {
1688 int tlsext_servername = 0;
1689 int renegotiate_seen = 0;
1690 CBS extensions;
1691
1692 /* TODO(davidben): Move all of these to some per-handshake state that gets
1693 * systematically reset on a new handshake; perhaps allocate it fresh each
1694 * time so it's not even kept around post-handshake. */
1695 s->s3->next_proto_neg_seen = 0;
1696 s->tlsext_ticket_expected = 0;
1697 s->s3->tmp.certificate_status_expected = 0;
1698 s->s3->tmp.extended_master_secret = 0;
1699 s->srtp_profile = NULL;
1700
1701 OPENSSL_free(s->s3->alpn_selected);
1702 s->s3->alpn_selected = NULL;
1703
1704 /* Clear ECC extensions */
1705 OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
1706 s->s3->tmp.peer_ecpointformatlist = NULL;
1707 s->s3->tmp.peer_ecpointformatlist_length = 0;
1708
1709 /* There may be no extensions. */
1710 if (CBS_len(cbs) == 0) {
1711 goto ri_check;
1712 }
1713
1714 /* Decode the extensions block and check it is valid. */
1715 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
1716 !tls1_check_duplicate_extensions(&extensions)) {
1717 *out_alert = SSL_AD_DECODE_ERROR;
1718 return 0;
1719 }
1720
1721 while (CBS_len(&extensions) != 0) {
1722 uint16_t type;
1723 CBS extension;
1724
1725 /* Decode the next extension. */
1726 if (!CBS_get_u16(&extensions, &type) ||
1727 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
1728 *out_alert = SSL_AD_DECODE_ERROR;
1729 return 0;
1730 }
1731
1732 if (type == TLSEXT_TYPE_server_name) {
1733 /* The extension must be empty. */
1734 if (CBS_len(&extension) != 0) {
1735 *out_alert = SSL_AD_DECODE_ERROR;
1736 return 0;
1737 }
1738
1739 /* We must have sent it in ClientHello. */
1740 if (s->tlsext_hostname == NULL) {
1741 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
1742 return 0;
1743 }
1744
1745 tlsext_servername = 1;
1746 } else if (type == TLSEXT_TYPE_ec_point_formats) {
1747 CBS ec_point_format_list;
1748
1749 if (!CBS_get_u8_length_prefixed(&extension, &ec_point_format_list) ||
1750 CBS_len(&extension) != 0) {
1751 *out_alert = SSL_AD_DECODE_ERROR;
1752 return 0;
1753 }
1754
1755 if (!CBS_stow(&ec_point_format_list, &s->s3->tmp.peer_ecpointformatlist,
1756 &s->s3->tmp.peer_ecpointformatlist_length)) {
1757 *out_alert = SSL_AD_INTERNAL_ERROR;
1758 return 0;
1759 }
1760 } else if (type == TLSEXT_TYPE_session_ticket) {
1761 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || CBS_len(&extension) > 0) {
1762 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
1763 return 0;
1764 }
1765
1766 s->tlsext_ticket_expected = 1;
1767 } else if (type == TLSEXT_TYPE_status_request) {
1768 /* The extension MUST be empty and may only sent if we've requested a
1769 * status request message. */
1770 if (CBS_len(&extension) != 0) {
1771 *out_alert = SSL_AD_DECODE_ERROR;
1772 return 0;
1773 }
1774
1775 if (!s->ocsp_stapling_enabled) {
1776 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
1777 return 0;
1778 }
1779
1780 /* Set a flag to expect a CertificateStatus message */
1781 s->s3->tmp.certificate_status_expected = 1;
1782 } else if (type == TLSEXT_TYPE_next_proto_neg &&
1783 !s->s3->initial_handshake_complete && !SSL_IS_DTLS(s)) {
1784 uint8_t *selected;
1785 uint8_t selected_len;
1786
1787 /* We must have requested it. */
1788 if (s->ctx->next_proto_select_cb == NULL) {
1789 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
1790 return 0;
1791 }
1792
1793 /* The data must be valid. */
1794 if (!ssl_next_proto_validate(&extension)) {
1795 *out_alert = SSL_AD_DECODE_ERROR;
1796 return 0;
1797 }
1798
1799 if (s->ctx->next_proto_select_cb(
1800 s, &selected, &selected_len, CBS_data(&extension),
1801 CBS_len(&extension),
1802 s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
1803 *out_alert = SSL_AD_INTERNAL_ERROR;
1804 return 0;
1805 }
1806
1807 s->next_proto_negotiated = BUF_memdup(selected, selected_len);
1808 if (s->next_proto_negotiated == NULL) {
1809 *out_alert = SSL_AD_INTERNAL_ERROR;
1810 return 0;
1811 }
1812
1813 s->next_proto_negotiated_len = selected_len;
1814 s->s3->next_proto_neg_seen = 1;
1815 } else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
1816 !s->s3->initial_handshake_complete) {
1817 CBS protocol_name_list, protocol_name;
1818
1819 /* We must have requested it. */
1820 if (s->alpn_client_proto_list == NULL) {
1821 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
1822 return 0;
1823 }
1824
1825 /* The extension data consists of a ProtocolNameList which must have
1826 * exactly one ProtocolName. Each of these is length-prefixed. */
1827 if (!CBS_get_u16_length_prefixed(&extension, &protocol_name_list) ||
1828 CBS_len(&extension) != 0 ||
1829 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
1830 CBS_len(&protocol_name_list) != 0) {
1831 *out_alert = SSL_AD_DECODE_ERROR;
1832 return 0;
1833 }
1834
1835 if (!CBS_stow(&protocol_name, &s->s3->alpn_selected,
1836 &s->s3->alpn_selected_len)) {
1837 *out_alert = SSL_AD_INTERNAL_ERROR;
1838 return 0;
1839 }
1840 } else if (type == TLSEXT_TYPE_channel_id && !SSL_IS_DTLS(s)) {
1841 if (CBS_len(&extension) != 0) {
1842 *out_alert = SSL_AD_DECODE_ERROR;
1843 return 0;
1844 }
1845
1846 s->s3->tlsext_channel_id_valid = 1;
1847 } else if (type == TLSEXT_TYPE_channel_id_new && !SSL_IS_DTLS(s)) {
1848 if (CBS_len(&extension) != 0) {
1849 *out_alert = SSL_AD_DECODE_ERROR;
1850 return 0;
1851 }
1852
1853 s->s3->tlsext_channel_id_valid = 1;
1854 s->s3->tlsext_channel_id_new = 1;
1855 } else if (type == TLSEXT_TYPE_certificate_timestamp) {
1856 if (CBS_len(&extension) == 0) {
1857 *out_alert = SSL_AD_DECODE_ERROR;
1858 return 0;
1859 }
1860
1861 /* Session resumption uses the original session information. */
1862 if (!s->hit &&
1863 !CBS_stow(&extension, &s->session->tlsext_signed_cert_timestamp_list,
1864 &s->session->tlsext_signed_cert_timestamp_list_length)) {
1865 *out_alert = SSL_AD_INTERNAL_ERROR;
1866 return 0;
1867 }
1868 } else if (type == TLSEXT_TYPE_renegotiate) {
1869 if (!ssl_parse_serverhello_renegotiate_ext(s, &extension, out_alert)) {
1870 return 0;
1871 }
1872
1873 renegotiate_seen = 1;
1874 } else if (type == TLSEXT_TYPE_use_srtp) {
1875 if (!ssl_parse_serverhello_use_srtp_ext(s, &extension, out_alert)) {
1876 return 0;
1877 }
1878 } else if (type == TLSEXT_TYPE_extended_master_secret) {
1879 if (/* It is invalid for the server to select EMS and
1880 SSLv3. */
1881 s->version == SSL3_VERSION || CBS_len(&extension) != 0) {
1882 *out_alert = SSL_AD_DECODE_ERROR;
1883 return 0;
1884 }
1885
1886 s->s3->tmp.extended_master_secret = 1;
1887 }
1888 }
1889
1890 if (!s->hit && tlsext_servername == 1 && s->tlsext_hostname) {
1891 if (s->session->tlsext_hostname == NULL) {
1892 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1893 if (!s->session->tlsext_hostname) {
1894 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
1895 return 0;
1896 }
1897 } else {
1898 *out_alert = SSL_AD_DECODE_ERROR;
1899 return 0;
1900 }
1901 }
1902
1903 ri_check:
1904 /* Determine if we need to see RI. Strictly speaking if we want to avoid an
1905 * attack we should *always* see RI even on initial server hello because the
1906 * client doesn't see any renegotiation during an attack. However this would
1907 * mean we could not connect to any server which doesn't support RI so for
1908 * the immediate future tolerate RI absence on initial connect only. */
1909 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) &&
1910 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
1911 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
1912 OPENSSL_PUT_ERROR(SSL, ssl_scan_serverhello_tlsext,
1913 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1914 return 0;
1915 }
1916
1917 return 1;
1918 }
1919
ssl_prepare_clienthello_tlsext(SSL * s)1920 int ssl_prepare_clienthello_tlsext(SSL *s) { return 1; }
1921
ssl_prepare_serverhello_tlsext(SSL * s)1922 int ssl_prepare_serverhello_tlsext(SSL *s) { return 1; }
1923
ssl_check_clienthello_tlsext(SSL * s)1924 static int ssl_check_clienthello_tlsext(SSL *s) {
1925 int ret = SSL_TLSEXT_ERR_NOACK;
1926 int al = SSL_AD_UNRECOGNIZED_NAME;
1927
1928 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1929 * ssl3_choose_cipher in s3_lib.c. */
1930
1931 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) {
1932 ret = s->ctx->tlsext_servername_callback(s, &al,
1933 s->ctx->tlsext_servername_arg);
1934 } else if (s->initial_ctx != NULL &&
1935 s->initial_ctx->tlsext_servername_callback != 0) {
1936 ret = s->initial_ctx->tlsext_servername_callback(
1937 s, &al, s->initial_ctx->tlsext_servername_arg);
1938 }
1939
1940 switch (ret) {
1941 case SSL_TLSEXT_ERR_ALERT_FATAL:
1942 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1943 return -1;
1944
1945 case SSL_TLSEXT_ERR_ALERT_WARNING:
1946 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1947 return 1;
1948
1949 case SSL_TLSEXT_ERR_NOACK:
1950 s->should_ack_sni = 0;
1951 return 1;
1952
1953 default:
1954 return 1;
1955 }
1956 }
1957
ssl_check_serverhello_tlsext(SSL * s)1958 static int ssl_check_serverhello_tlsext(SSL *s) {
1959 int ret = SSL_TLSEXT_ERR_NOACK;
1960 int al = SSL_AD_UNRECOGNIZED_NAME;
1961
1962 /* If we are client and using an elliptic curve cryptography cipher suite,
1963 * then if server returns an EC point formats lists extension it must contain
1964 * uncompressed. */
1965 uint32_t alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1966 uint32_t alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1967 if (((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) &&
1968 !tls1_check_point_format(s, TLSEXT_ECPOINTFORMAT_uncompressed)) {
1969 OPENSSL_PUT_ERROR(SSL, ssl_check_serverhello_tlsext,
1970 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1971 return -1;
1972 }
1973 ret = SSL_TLSEXT_ERR_OK;
1974
1975 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) {
1976 ret = s->ctx->tlsext_servername_callback(s, &al,
1977 s->ctx->tlsext_servername_arg);
1978 } else if (s->initial_ctx != NULL &&
1979 s->initial_ctx->tlsext_servername_callback != 0) {
1980 ret = s->initial_ctx->tlsext_servername_callback(
1981 s, &al, s->initial_ctx->tlsext_servername_arg);
1982 }
1983
1984 switch (ret) {
1985 case SSL_TLSEXT_ERR_ALERT_FATAL:
1986 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1987 return -1;
1988
1989 case SSL_TLSEXT_ERR_ALERT_WARNING:
1990 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1991 return 1;
1992
1993 default:
1994 return 1;
1995 }
1996 }
1997
ssl_parse_serverhello_tlsext(SSL * s,CBS * cbs)1998 int ssl_parse_serverhello_tlsext(SSL *s, CBS *cbs) {
1999 int alert = -1;
2000 if (s->version < SSL3_VERSION) {
2001 return 1;
2002 }
2003
2004 if (ssl_scan_serverhello_tlsext(s, cbs, &alert) <= 0) {
2005 ssl3_send_alert(s, SSL3_AL_FATAL, alert);
2006 return 0;
2007 }
2008
2009 if (ssl_check_serverhello_tlsext(s) <= 0) {
2010 OPENSSL_PUT_ERROR(SSL, ssl_parse_serverhello_tlsext,
2011 SSL_R_SERVERHELLO_TLSEXT);
2012 return 0;
2013 }
2014
2015 return 1;
2016 }
2017
2018 /* Since the server cache lookup is done early on in the processing of the
2019 * ClientHello, and other operations depend on the result, we need to handle
2020 * any TLS session ticket extension at the same time.
2021 *
2022 * ctx: contains the early callback context, which is the result of a
2023 * shallow parse of the ClientHello.
2024 * ret: (output) on return, if a ticket was decrypted, then this is set to
2025 * point to the resulting session.
2026 *
2027 * Returns:
2028 * -1: fatal error, either from parsing or decrypting the ticket.
2029 * 0: no ticket was found (or was ignored, based on settings).
2030 * 1: a zero length extension was found, indicating that the client supports
2031 * session tickets but doesn't currently have one to offer.
2032 * 2: a ticket was offered but couldn't be decrypted because of a non-fatal
2033 * error.
2034 * 3: a ticket was successfully decrypted and *ret was set.
2035 *
2036 * Side effects:
2037 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2038 * a new session ticket to the client because the client indicated support
2039 * but the client either doesn't have a session ticket or we couldn't use
2040 * the one it gave us, or if s->ctx->tlsext_ticket_key_cb asked to renew
2041 * the client's ticket. Otherwise, s->tlsext_ticket_expected is set to 0.
2042 */
tls1_process_ticket(SSL * s,const struct ssl_early_callback_ctx * ctx,SSL_SESSION ** ret)2043 int tls1_process_ticket(SSL *s, const struct ssl_early_callback_ctx *ctx,
2044 SSL_SESSION **ret) {
2045 *ret = NULL;
2046 s->tlsext_ticket_expected = 0;
2047 const uint8_t *data;
2048 size_t len;
2049 int r;
2050
2051 /* If tickets disabled behave as if no ticket present to permit stateful
2052 * resumption. */
2053 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) ||
2054 (s->version <= SSL3_VERSION && !ctx->extensions) ||
2055 !SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_session_ticket,
2056 &data, &len)) {
2057 return 0;
2058 }
2059
2060 if (len == 0) {
2061 /* The client will accept a ticket but doesn't currently have one. */
2062 s->tlsext_ticket_expected = 1;
2063 return 1;
2064 }
2065
2066 r = tls_decrypt_ticket(s, data, len, ctx->session_id, ctx->session_id_len,
2067 ret);
2068 switch (r) {
2069 case 2: /* ticket couldn't be decrypted */
2070 s->tlsext_ticket_expected = 1;
2071 return 2;
2072
2073 case 3: /* ticket was decrypted */
2074 return r;
2075
2076 case 4: /* ticket decrypted but need to renew */
2077 s->tlsext_ticket_expected = 1;
2078 return 3;
2079
2080 default: /* fatal error */
2081 return -1;
2082 }
2083 }
2084
2085 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2086 *
2087 * etick: points to the body of the session ticket extension.
2088 * eticklen: the length of the session tickets extenion.
2089 * sess_id: points at the session ID.
2090 * sesslen: the length of the session ID.
2091 * psess: (output) on return, if a ticket was decrypted, then this is set to
2092 * point to the resulting session.
2093 *
2094 * Returns:
2095 * -1: fatal error, either from parsing or decrypting the ticket.
2096 * 2: the ticket couldn't be decrypted.
2097 * 3: a ticket was successfully decrypted and *psess was set.
2098 * 4: same as 3, but the ticket needs to be renewed. */
tls_decrypt_ticket(SSL * s,const uint8_t * etick,int eticklen,const uint8_t * sess_id,int sesslen,SSL_SESSION ** psess)2099 static int tls_decrypt_ticket(SSL *s, const uint8_t *etick, int eticklen,
2100 const uint8_t *sess_id, int sesslen,
2101 SSL_SESSION **psess) {
2102 SSL_SESSION *sess;
2103 uint8_t *sdec;
2104 const uint8_t *p;
2105 int slen, mlen, renew_ticket = 0;
2106 uint8_t tick_hmac[EVP_MAX_MD_SIZE];
2107 HMAC_CTX hctx;
2108 EVP_CIPHER_CTX ctx;
2109 SSL_CTX *tctx = s->initial_ctx;
2110
2111 /* Ensure there is room for the key name and the largest IV
2112 * |tlsext_ticket_key_cb| may try to consume. The real limit may be lower, but
2113 * the maximum IV length should be well under the minimum size for the
2114 * session material and HMAC. */
2115 if (eticklen < 16 + EVP_MAX_IV_LENGTH) {
2116 return 2;
2117 }
2118
2119 /* Initialize session ticket encryption and HMAC contexts */
2120 HMAC_CTX_init(&hctx);
2121 EVP_CIPHER_CTX_init(&ctx);
2122 if (tctx->tlsext_ticket_key_cb) {
2123 uint8_t *nctick = (uint8_t *)etick;
2124 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, &ctx, &hctx,
2125 0 /* decrypt */);
2126 if (rv < 0) {
2127 return -1;
2128 }
2129 if (rv == 0) {
2130 return 2;
2131 }
2132 if (rv == 2) {
2133 renew_ticket = 1;
2134 }
2135 } else {
2136 /* Check key name matches */
2137 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) {
2138 return 2;
2139 }
2140 if (!HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, tlsext_tick_md(),
2141 NULL) ||
2142 !EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2143 tctx->tlsext_tick_aes_key, etick + 16)) {
2144 HMAC_CTX_cleanup(&hctx);
2145 EVP_CIPHER_CTX_cleanup(&ctx);
2146 return -1;
2147 }
2148 }
2149
2150 /* First, check the MAC. The MAC is at the end of the ticket. */
2151 mlen = HMAC_size(&hctx);
2152 if ((size_t) eticklen < 16 + EVP_CIPHER_CTX_iv_length(&ctx) + 1 + mlen) {
2153 /* The ticket must be large enough for key name, IV, data, and MAC. */
2154 HMAC_CTX_cleanup(&hctx);
2155 EVP_CIPHER_CTX_cleanup(&ctx);
2156 return 2;
2157 }
2158 eticklen -= mlen;
2159 /* Check HMAC of encrypted ticket */
2160 HMAC_Update(&hctx, etick, eticklen);
2161 HMAC_Final(&hctx, tick_hmac, NULL);
2162 HMAC_CTX_cleanup(&hctx);
2163 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
2164 EVP_CIPHER_CTX_cleanup(&ctx);
2165 return 2;
2166 }
2167
2168 /* Attempt to decrypt session data */
2169 /* Move p after IV to start of encrypted ticket, update length */
2170 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2171 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2172 sdec = OPENSSL_malloc(eticklen);
2173 if (!sdec) {
2174 EVP_CIPHER_CTX_cleanup(&ctx);
2175 return -1;
2176 }
2177 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2178 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
2179 EVP_CIPHER_CTX_cleanup(&ctx);
2180 OPENSSL_free(sdec);
2181 return 2;
2182 }
2183 slen += mlen;
2184 EVP_CIPHER_CTX_cleanup(&ctx);
2185 p = sdec;
2186
2187 sess = d2i_SSL_SESSION(NULL, &p, slen);
2188 OPENSSL_free(sdec);
2189 if (sess) {
2190 /* The session ID, if non-empty, is used by some clients to detect that the
2191 * ticket has been accepted. So we copy it to the session structure. If it
2192 * is empty set length to zero as required by standard. */
2193 if (sesslen) {
2194 memcpy(sess->session_id, sess_id, sesslen);
2195 }
2196 sess->session_id_length = sesslen;
2197 *psess = sess;
2198 if (renew_ticket) {
2199 return 4;
2200 }
2201 return 3;
2202 }
2203
2204 ERR_clear_error();
2205 /* For session parse failure, indicate that we need to send a new ticket. */
2206 return 2;
2207 }
2208
2209 /* Tables to translate from NIDs to TLS v1.2 ids */
2210 typedef struct {
2211 int nid;
2212 int id;
2213 } tls12_lookup;
2214
2215 static const tls12_lookup tls12_md[] = {{NID_md5, TLSEXT_hash_md5},
2216 {NID_sha1, TLSEXT_hash_sha1},
2217 {NID_sha224, TLSEXT_hash_sha224},
2218 {NID_sha256, TLSEXT_hash_sha256},
2219 {NID_sha384, TLSEXT_hash_sha384},
2220 {NID_sha512, TLSEXT_hash_sha512}};
2221
2222 static const tls12_lookup tls12_sig[] = {{EVP_PKEY_RSA, TLSEXT_signature_rsa},
2223 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}};
2224
tls12_find_id(int nid,const tls12_lookup * table,size_t tlen)2225 static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen) {
2226 size_t i;
2227 for (i = 0; i < tlen; i++) {
2228 if (table[i].nid == nid) {
2229 return table[i].id;
2230 }
2231 }
2232
2233 return -1;
2234 }
2235
tls12_find_nid(int id,const tls12_lookup * table,size_t tlen)2236 static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen) {
2237 size_t i;
2238 for (i = 0; i < tlen; i++) {
2239 if (table[i].id == id) {
2240 return table[i].nid;
2241 }
2242 }
2243
2244 return NID_undef;
2245 }
2246
tls12_get_sigandhash(uint8_t * p,const EVP_PKEY * pk,const EVP_MD * md)2247 int tls12_get_sigandhash(uint8_t *p, const EVP_PKEY *pk, const EVP_MD *md) {
2248 int sig_id, md_id;
2249
2250 if (!md) {
2251 return 0;
2252 }
2253
2254 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2255 sizeof(tls12_md) / sizeof(tls12_lookup));
2256 if (md_id == -1) {
2257 return 0;
2258 }
2259
2260 sig_id = tls12_get_sigid(pk);
2261 if (sig_id == -1) {
2262 return 0;
2263 }
2264
2265 p[0] = (uint8_t)md_id;
2266 p[1] = (uint8_t)sig_id;
2267 return 1;
2268 }
2269
tls12_get_sigid(const EVP_PKEY * pk)2270 int tls12_get_sigid(const EVP_PKEY *pk) {
2271 return tls12_find_id(pk->type, tls12_sig,
2272 sizeof(tls12_sig) / sizeof(tls12_lookup));
2273 }
2274
tls12_get_hash(uint8_t hash_alg)2275 const EVP_MD *tls12_get_hash(uint8_t hash_alg) {
2276 switch (hash_alg) {
2277 case TLSEXT_hash_md5:
2278 return EVP_md5();
2279
2280 case TLSEXT_hash_sha1:
2281 return EVP_sha1();
2282
2283 case TLSEXT_hash_sha224:
2284 return EVP_sha224();
2285
2286 case TLSEXT_hash_sha256:
2287 return EVP_sha256();
2288
2289 case TLSEXT_hash_sha384:
2290 return EVP_sha384();
2291
2292 case TLSEXT_hash_sha512:
2293 return EVP_sha512();
2294
2295 default:
2296 return NULL;
2297 }
2298 }
2299
2300 /* tls12_get_pkey_type returns the EVP_PKEY type corresponding to TLS signature
2301 * algorithm |sig_alg|. It returns -1 if the type is unknown. */
tls12_get_pkey_type(uint8_t sig_alg)2302 static int tls12_get_pkey_type(uint8_t sig_alg) {
2303 switch (sig_alg) {
2304 case TLSEXT_signature_rsa:
2305 return EVP_PKEY_RSA;
2306
2307 case TLSEXT_signature_ecdsa:
2308 return EVP_PKEY_EC;
2309
2310 default:
2311 return -1;
2312 }
2313 }
2314
2315 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
tls1_lookup_sigalg(int * phash_nid,int * psign_nid,int * psignhash_nid,const uint8_t * data)2316 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
2317 int *psignhash_nid, const uint8_t *data) {
2318 int sign_nid = 0, hash_nid = 0;
2319 if (!phash_nid && !psign_nid && !psignhash_nid) {
2320 return;
2321 }
2322
2323 if (phash_nid || psignhash_nid) {
2324 hash_nid = tls12_find_nid(data[0], tls12_md,
2325 sizeof(tls12_md) / sizeof(tls12_lookup));
2326 if (phash_nid) {
2327 *phash_nid = hash_nid;
2328 }
2329 }
2330
2331 if (psign_nid || psignhash_nid) {
2332 sign_nid = tls12_find_nid(data[1], tls12_sig,
2333 sizeof(tls12_sig) / sizeof(tls12_lookup));
2334 if (psign_nid) {
2335 *psign_nid = sign_nid;
2336 }
2337 }
2338
2339 if (psignhash_nid) {
2340 if (sign_nid && hash_nid) {
2341 OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid);
2342 } else {
2343 *psignhash_nid = NID_undef;
2344 }
2345 }
2346 }
2347
2348 /* Given preference and allowed sigalgs set shared sigalgs */
tls12_do_shared_sigalgs(TLS_SIGALGS * shsig,const uint8_t * pref,size_t preflen,const uint8_t * allow,size_t allowlen)2349 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig, const uint8_t *pref,
2350 size_t preflen, const uint8_t *allow,
2351 size_t allowlen) {
2352 const uint8_t *ptmp, *atmp;
2353 size_t i, j, nmatch = 0;
2354
2355 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
2356 /* Skip disabled hashes or signature algorithms */
2357 if (tls12_get_hash(ptmp[0]) == NULL ||
2358 tls12_get_pkey_type(ptmp[1]) == -1) {
2359 continue;
2360 }
2361
2362 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
2363 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
2364 nmatch++;
2365 if (shsig) {
2366 shsig->rhash = ptmp[0];
2367 shsig->rsign = ptmp[1];
2368 tls1_lookup_sigalg(&shsig->hash_nid, &shsig->sign_nid,
2369 &shsig->signandhash_nid, ptmp);
2370 shsig++;
2371 }
2372
2373 break;
2374 }
2375 }
2376 }
2377
2378 return nmatch;
2379 }
2380
2381 /* Set shared signature algorithms for SSL structures */
tls1_set_shared_sigalgs(SSL * s)2382 static int tls1_set_shared_sigalgs(SSL *s) {
2383 const uint8_t *pref, *allow, *conf;
2384 size_t preflen, allowlen, conflen;
2385 size_t nmatch;
2386 TLS_SIGALGS *salgs = NULL;
2387 CERT *c = s->cert;
2388
2389 OPENSSL_free(c->shared_sigalgs);
2390 c->shared_sigalgs = NULL;
2391 c->shared_sigalgslen = 0;
2392
2393 /* If client use client signature algorithms if not NULL */
2394 if (!s->server && c->client_sigalgs) {
2395 conf = c->client_sigalgs;
2396 conflen = c->client_sigalgslen;
2397 } else if (c->conf_sigalgs) {
2398 conf = c->conf_sigalgs;
2399 conflen = c->conf_sigalgslen;
2400 } else {
2401 conflen = tls12_get_psigalgs(s, &conf);
2402 }
2403
2404 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
2405 pref = conf;
2406 preflen = conflen;
2407 allow = c->peer_sigalgs;
2408 allowlen = c->peer_sigalgslen;
2409 } else {
2410 allow = conf;
2411 allowlen = conflen;
2412 pref = c->peer_sigalgs;
2413 preflen = c->peer_sigalgslen;
2414 }
2415
2416 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
2417 if (!nmatch) {
2418 return 1;
2419 }
2420
2421 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
2422 if (!salgs) {
2423 return 0;
2424 }
2425
2426 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
2427 c->shared_sigalgs = salgs;
2428 c->shared_sigalgslen = nmatch;
2429 return 1;
2430 }
2431
2432 /* Set preferred digest for each key type */
tls1_process_sigalgs(SSL * s,const CBS * sigalgs)2433 int tls1_process_sigalgs(SSL *s, const CBS *sigalgs) {
2434 CERT *c = s->cert;
2435
2436 /* Extension ignored for inappropriate versions */
2437 if (!SSL_USE_SIGALGS(s)) {
2438 return 1;
2439 }
2440
2441 if (CBS_len(sigalgs) % 2 != 0 ||
2442 !CBS_stow(sigalgs, &c->peer_sigalgs, &c->peer_sigalgslen) ||
2443 !tls1_set_shared_sigalgs(s)) {
2444 return 0;
2445 }
2446
2447 return 1;
2448 }
2449
tls1_choose_signing_digest(SSL * s,EVP_PKEY * pkey)2450 const EVP_MD *tls1_choose_signing_digest(SSL *s, EVP_PKEY *pkey) {
2451 CERT *c = s->cert;
2452 int type = EVP_PKEY_id(pkey);
2453 size_t i;
2454
2455 /* Select the first shared digest supported by our key. */
2456 for (i = 0; i < c->shared_sigalgslen; i++) {
2457 const EVP_MD *md = tls12_get_hash(c->shared_sigalgs[i].rhash);
2458 if (md == NULL ||
2459 tls12_get_pkey_type(c->shared_sigalgs[i].rsign) != type ||
2460 !EVP_PKEY_supports_digest(pkey, md)) {
2461 continue;
2462 }
2463 return md;
2464 }
2465
2466 /* If no suitable digest may be found, default to SHA-1. */
2467 return EVP_sha1();
2468 }
2469
SSL_get_sigalgs(SSL * s,int idx,int * psign,int * phash,int * psignhash,uint8_t * rsig,uint8_t * rhash)2470 int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash, int *psignhash,
2471 uint8_t *rsig, uint8_t *rhash) {
2472 const uint8_t *psig = s->cert->peer_sigalgs;
2473
2474 if (psig == NULL) {
2475 return 0;
2476 }
2477
2478 if (idx >= 0) {
2479 idx <<= 1;
2480 if (idx >= (int)s->cert->peer_sigalgslen) {
2481 return 0;
2482 }
2483 psig += idx;
2484 if (rhash) {
2485 *rhash = psig[0];
2486 }
2487 if (rsig) {
2488 *rsig = psig[1];
2489 }
2490 tls1_lookup_sigalg(phash, psign, psignhash, psig);
2491 }
2492
2493 return s->cert->peer_sigalgslen / 2;
2494 }
2495
SSL_get_shared_sigalgs(SSL * s,int idx,int * psign,int * phash,int * psignhash,uint8_t * rsig,uint8_t * rhash)2496 int SSL_get_shared_sigalgs(SSL *s, int idx, int *psign, int *phash,
2497 int *psignhash, uint8_t *rsig, uint8_t *rhash) {
2498 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
2499
2500 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen) {
2501 return 0;
2502 }
2503
2504 shsigalgs += idx;
2505 if (phash) {
2506 *phash = shsigalgs->hash_nid;
2507 }
2508 if (psign) {
2509 *psign = shsigalgs->sign_nid;
2510 }
2511 if (psignhash) {
2512 *psignhash = shsigalgs->signandhash_nid;
2513 }
2514 if (rsig) {
2515 *rsig = shsigalgs->rsign;
2516 }
2517 if (rhash) {
2518 *rhash = shsigalgs->rhash;
2519 }
2520
2521 return s->cert->shared_sigalgslen;
2522 }
2523
2524 /* tls1_channel_id_hash calculates the signed data for a Channel ID on the
2525 * given SSL connection and writes it to |md|. */
tls1_channel_id_hash(EVP_MD_CTX * md,SSL * s)2526 int tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s) {
2527 EVP_MD_CTX ctx;
2528 uint8_t temp_digest[EVP_MAX_MD_SIZE];
2529 unsigned temp_digest_len;
2530 int i;
2531 static const char kClientIDMagic[] = "TLS Channel ID signature";
2532
2533 if (s->s3->handshake_buffer &&
2534 !ssl3_digest_cached_records(s, free_handshake_buffer)) {
2535 return 0;
2536 }
2537
2538 EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
2539
2540 if (s->hit && s->s3->tlsext_channel_id_new) {
2541 static const char kResumptionMagic[] = "Resumption";
2542 EVP_DigestUpdate(md, kResumptionMagic, sizeof(kResumptionMagic));
2543 if (s->session->original_handshake_hash_len == 0) {
2544 return 0;
2545 }
2546 EVP_DigestUpdate(md, s->session->original_handshake_hash,
2547 s->session->original_handshake_hash_len);
2548 }
2549
2550 EVP_MD_CTX_init(&ctx);
2551 for (i = 0; i < SSL_MAX_DIGEST; i++) {
2552 if (s->s3->handshake_dgst[i] == NULL) {
2553 continue;
2554 }
2555 if (!EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i])) {
2556 EVP_MD_CTX_cleanup(&ctx);
2557 return 0;
2558 }
2559 EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
2560 EVP_DigestUpdate(md, temp_digest, temp_digest_len);
2561 }
2562 EVP_MD_CTX_cleanup(&ctx);
2563
2564 return 1;
2565 }
2566
2567 /* tls1_record_handshake_hashes_for_channel_id records the current handshake
2568 * hashes in |s->session| so that Channel ID resumptions can sign that data. */
tls1_record_handshake_hashes_for_channel_id(SSL * s)2569 int tls1_record_handshake_hashes_for_channel_id(SSL *s) {
2570 int digest_len;
2571 /* This function should never be called for a resumed session because the
2572 * handshake hashes that we wish to record are for the original, full
2573 * handshake. */
2574 if (s->hit) {
2575 return -1;
2576 }
2577
2578 /* It only makes sense to call this function if Channel IDs have been
2579 * negotiated. */
2580 if (!s->s3->tlsext_channel_id_new) {
2581 return -1;
2582 }
2583
2584 digest_len =
2585 tls1_handshake_digest(s, s->session->original_handshake_hash,
2586 sizeof(s->session->original_handshake_hash));
2587 if (digest_len < 0) {
2588 return -1;
2589 }
2590
2591 s->session->original_handshake_hash_len = digest_len;
2592
2593 return 1;
2594 }
2595
tls1_set_sigalgs(CERT * c,const int * psig_nids,size_t salglen,int client)2596 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
2597 int client) {
2598 uint8_t *sigalgs, *sptr;
2599 int rhash, rsign;
2600 size_t i;
2601
2602 if (salglen & 1) {
2603 return 0;
2604 }
2605
2606 sigalgs = OPENSSL_malloc(salglen);
2607 if (sigalgs == NULL) {
2608 return 0;
2609 }
2610
2611 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
2612 rhash = tls12_find_id(*psig_nids++, tls12_md,
2613 sizeof(tls12_md) / sizeof(tls12_lookup));
2614 rsign = tls12_find_id(*psig_nids++, tls12_sig,
2615 sizeof(tls12_sig) / sizeof(tls12_lookup));
2616
2617 if (rhash == -1 || rsign == -1) {
2618 goto err;
2619 }
2620 *sptr++ = rhash;
2621 *sptr++ = rsign;
2622 }
2623
2624 if (client) {
2625 OPENSSL_free(c->client_sigalgs);
2626 c->client_sigalgs = sigalgs;
2627 c->client_sigalgslen = salglen;
2628 } else {
2629 OPENSSL_free(c->conf_sigalgs);
2630 c->conf_sigalgs = sigalgs;
2631 c->conf_sigalgslen = salglen;
2632 }
2633
2634 return 1;
2635
2636 err:
2637 OPENSSL_free(sigalgs);
2638 return 0;
2639 }
2640