1 /* ssl/t1_lib.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay (at) cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay (at) cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core (at) openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay (at) cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh (at) cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include <openssl/objects.h> 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/ocsp.h> 117 #include <openssl/rand.h> 118 #include "ssl_locl.h" 119 120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 121 122 #ifndef OPENSSL_NO_TLSEXT 123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 124 const unsigned char *sess_id, int sesslen, 125 SSL_SESSION **psess); 126 #endif 127 128 SSL3_ENC_METHOD TLSv1_enc_data={ 129 tls1_enc, 130 tls1_mac, 131 tls1_setup_key_block, 132 tls1_generate_master_secret, 133 tls1_change_cipher_state, 134 tls1_final_finish_mac, 135 TLS1_FINISH_MAC_LENGTH, 136 tls1_cert_verify_mac, 137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 139 tls1_alert_code, 140 tls1_export_keying_material, 141 }; 142 143 long tls1_default_timeout(void) 144 { 145 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 146 * is way too long for http, the cache would over fill */ 147 return(60*60*2); 148 } 149 150 int tls1_new(SSL *s) 151 { 152 if (!ssl3_new(s)) return(0); 153 s->method->ssl_clear(s); 154 return(1); 155 } 156 157 void tls1_free(SSL *s) 158 { 159 #ifndef OPENSSL_NO_TLSEXT 160 if (s->tlsext_session_ticket) 161 { 162 OPENSSL_free(s->tlsext_session_ticket); 163 } 164 #endif /* OPENSSL_NO_TLSEXT */ 165 ssl3_free(s); 166 } 167 168 void tls1_clear(SSL *s) 169 { 170 ssl3_clear(s); 171 s->version = s->method->version; 172 } 173 174 #ifndef OPENSSL_NO_EC 175 176 static int nid_list[] = 177 { 178 NID_sect163k1, /* sect163k1 (1) */ 179 NID_sect163r1, /* sect163r1 (2) */ 180 NID_sect163r2, /* sect163r2 (3) */ 181 NID_sect193r1, /* sect193r1 (4) */ 182 NID_sect193r2, /* sect193r2 (5) */ 183 NID_sect233k1, /* sect233k1 (6) */ 184 NID_sect233r1, /* sect233r1 (7) */ 185 NID_sect239k1, /* sect239k1 (8) */ 186 NID_sect283k1, /* sect283k1 (9) */ 187 NID_sect283r1, /* sect283r1 (10) */ 188 NID_sect409k1, /* sect409k1 (11) */ 189 NID_sect409r1, /* sect409r1 (12) */ 190 NID_sect571k1, /* sect571k1 (13) */ 191 NID_sect571r1, /* sect571r1 (14) */ 192 NID_secp160k1, /* secp160k1 (15) */ 193 NID_secp160r1, /* secp160r1 (16) */ 194 NID_secp160r2, /* secp160r2 (17) */ 195 NID_secp192k1, /* secp192k1 (18) */ 196 NID_X9_62_prime192v1, /* secp192r1 (19) */ 197 NID_secp224k1, /* secp224k1 (20) */ 198 NID_secp224r1, /* secp224r1 (21) */ 199 NID_secp256k1, /* secp256k1 (22) */ 200 NID_X9_62_prime256v1, /* secp256r1 (23) */ 201 NID_secp384r1, /* secp384r1 (24) */ 202 NID_secp521r1 /* secp521r1 (25) */ 203 }; 204 205 static int pref_list[] = 206 { 207 NID_sect571r1, /* sect571r1 (14) */ 208 NID_sect571k1, /* sect571k1 (13) */ 209 NID_secp521r1, /* secp521r1 (25) */ 210 NID_sect409k1, /* sect409k1 (11) */ 211 NID_sect409r1, /* sect409r1 (12) */ 212 NID_secp384r1, /* secp384r1 (24) */ 213 NID_sect283k1, /* sect283k1 (9) */ 214 NID_sect283r1, /* sect283r1 (10) */ 215 NID_secp256k1, /* secp256k1 (22) */ 216 NID_X9_62_prime256v1, /* secp256r1 (23) */ 217 NID_sect239k1, /* sect239k1 (8) */ 218 NID_sect233k1, /* sect233k1 (6) */ 219 NID_sect233r1, /* sect233r1 (7) */ 220 NID_secp224k1, /* secp224k1 (20) */ 221 NID_secp224r1, /* secp224r1 (21) */ 222 NID_sect193r1, /* sect193r1 (4) */ 223 NID_sect193r2, /* sect193r2 (5) */ 224 NID_secp192k1, /* secp192k1 (18) */ 225 NID_X9_62_prime192v1, /* secp192r1 (19) */ 226 NID_sect163k1, /* sect163k1 (1) */ 227 NID_sect163r1, /* sect163r1 (2) */ 228 NID_sect163r2, /* sect163r2 (3) */ 229 NID_secp160k1, /* secp160k1 (15) */ 230 NID_secp160r1, /* secp160r1 (16) */ 231 NID_secp160r2, /* secp160r2 (17) */ 232 }; 233 234 int tls1_ec_curve_id2nid(int curve_id) 235 { 236 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 237 if ((curve_id < 1) || ((unsigned int)curve_id > 238 sizeof(nid_list)/sizeof(nid_list[0]))) 239 return 0; 240 return nid_list[curve_id-1]; 241 } 242 243 int tls1_ec_nid2curve_id(int nid) 244 { 245 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 246 switch (nid) 247 { 248 case NID_sect163k1: /* sect163k1 (1) */ 249 return 1; 250 case NID_sect163r1: /* sect163r1 (2) */ 251 return 2; 252 case NID_sect163r2: /* sect163r2 (3) */ 253 return 3; 254 case NID_sect193r1: /* sect193r1 (4) */ 255 return 4; 256 case NID_sect193r2: /* sect193r2 (5) */ 257 return 5; 258 case NID_sect233k1: /* sect233k1 (6) */ 259 return 6; 260 case NID_sect233r1: /* sect233r1 (7) */ 261 return 7; 262 case NID_sect239k1: /* sect239k1 (8) */ 263 return 8; 264 case NID_sect283k1: /* sect283k1 (9) */ 265 return 9; 266 case NID_sect283r1: /* sect283r1 (10) */ 267 return 10; 268 case NID_sect409k1: /* sect409k1 (11) */ 269 return 11; 270 case NID_sect409r1: /* sect409r1 (12) */ 271 return 12; 272 case NID_sect571k1: /* sect571k1 (13) */ 273 return 13; 274 case NID_sect571r1: /* sect571r1 (14) */ 275 return 14; 276 case NID_secp160k1: /* secp160k1 (15) */ 277 return 15; 278 case NID_secp160r1: /* secp160r1 (16) */ 279 return 16; 280 case NID_secp160r2: /* secp160r2 (17) */ 281 return 17; 282 case NID_secp192k1: /* secp192k1 (18) */ 283 return 18; 284 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 285 return 19; 286 case NID_secp224k1: /* secp224k1 (20) */ 287 return 20; 288 case NID_secp224r1: /* secp224r1 (21) */ 289 return 21; 290 case NID_secp256k1: /* secp256k1 (22) */ 291 return 22; 292 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 293 return 23; 294 case NID_secp384r1: /* secp384r1 (24) */ 295 return 24; 296 case NID_secp521r1: /* secp521r1 (25) */ 297 return 25; 298 default: 299 return 0; 300 } 301 } 302 #endif /* OPENSSL_NO_EC */ 303 304 #ifndef OPENSSL_NO_TLSEXT 305 306 /* List of supported signature algorithms and hashes. Should make this 307 * customisable at some point, for now include everything we support. 308 */ 309 310 #ifdef OPENSSL_NO_RSA 311 #define tlsext_sigalg_rsa(md) /* */ 312 #else 313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, 314 #endif 315 316 #ifdef OPENSSL_NO_DSA 317 #define tlsext_sigalg_dsa(md) /* */ 318 #else 319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, 320 #endif 321 322 #ifdef OPENSSL_NO_ECDSA 323 #define tlsext_sigalg_ecdsa(md) /* */ 324 #else 325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, 326 #endif 327 328 #define tlsext_sigalg(md) \ 329 tlsext_sigalg_rsa(md) \ 330 tlsext_sigalg_dsa(md) \ 331 tlsext_sigalg_ecdsa(md) 332 333 static unsigned char tls12_sigalgs[] = { 334 #ifndef OPENSSL_NO_SHA512 335 tlsext_sigalg(TLSEXT_hash_sha512) 336 tlsext_sigalg(TLSEXT_hash_sha384) 337 #endif 338 #ifndef OPENSSL_NO_SHA256 339 tlsext_sigalg(TLSEXT_hash_sha256) 340 tlsext_sigalg(TLSEXT_hash_sha224) 341 #endif 342 #ifndef OPENSSL_NO_SHA 343 tlsext_sigalg(TLSEXT_hash_sha1) 344 #endif 345 #ifndef OPENSSL_NO_MD5 346 tlsext_sigalg_rsa(TLSEXT_hash_md5) 347 #endif 348 }; 349 350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p) 351 { 352 size_t slen = sizeof(tls12_sigalgs); 353 #ifdef OPENSSL_FIPS 354 /* If FIPS mode don't include MD5 which is last */ 355 if (FIPS_mode()) 356 slen -= 2; 357 #endif 358 if (p) 359 memcpy(p, tls12_sigalgs, slen); 360 return (int)slen; 361 } 362 363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 364 { 365 int extdatalen=0; 366 unsigned char *ret = p; 367 368 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 369 if (s->client_version == SSL3_VERSION 370 && !s->s3->send_connection_binding) 371 return p; 372 373 ret+=2; 374 375 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 376 377 if (s->tlsext_hostname != NULL) 378 { 379 /* Add TLS extension servername to the Client Hello message */ 380 unsigned long size_str; 381 long lenmax; 382 383 /* check for enough space. 384 4 for the servername type and entension length 385 2 for servernamelist length 386 1 for the hostname type 387 2 for hostname length 388 + hostname length 389 */ 390 391 if ((lenmax = limit - ret - 9) < 0 392 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 393 return NULL; 394 395 /* extension type and length */ 396 s2n(TLSEXT_TYPE_server_name,ret); 397 s2n(size_str+5,ret); 398 399 /* length of servername list */ 400 s2n(size_str+3,ret); 401 402 /* hostname type, length and hostname */ 403 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 404 s2n(size_str,ret); 405 memcpy(ret, s->tlsext_hostname, size_str); 406 ret+=size_str; 407 } 408 409 /* Add RI if renegotiating */ 410 if (s->renegotiate) 411 { 412 int el; 413 414 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 415 { 416 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 417 return NULL; 418 } 419 420 if((limit - p - 4 - el) < 0) return NULL; 421 422 s2n(TLSEXT_TYPE_renegotiate,ret); 423 s2n(el,ret); 424 425 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) 426 { 427 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 428 return NULL; 429 } 430 431 ret += el; 432 } 433 434 #ifndef OPENSSL_NO_SRP 435 /* Add SRP username if there is one */ 436 if (s->srp_ctx.login != NULL) 437 { /* Add TLS extension SRP username to the Client Hello message */ 438 439 int login_len = strlen(s->srp_ctx.login); 440 if (login_len > 255 || login_len == 0) 441 { 442 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 443 return NULL; 444 } 445 446 /* check for enough space. 447 4 for the srp type type and entension length 448 1 for the srp user identity 449 + srp user identity length 450 */ 451 if ((limit - ret - 5 - login_len) < 0) return NULL; 452 453 /* fill in the extension */ 454 s2n(TLSEXT_TYPE_srp,ret); 455 s2n(login_len+1,ret); 456 (*ret++) = (unsigned char) login_len; 457 memcpy(ret, s->srp_ctx.login, login_len); 458 ret+=login_len; 459 } 460 #endif 461 462 #ifndef OPENSSL_NO_EC 463 if (s->tlsext_ecpointformatlist != NULL && 464 s->version != DTLS1_VERSION) 465 { 466 /* Add TLS extension ECPointFormats to the ClientHello message */ 467 long lenmax; 468 469 if ((lenmax = limit - ret - 5) < 0) return NULL; 470 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 471 if (s->tlsext_ecpointformatlist_length > 255) 472 { 473 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 474 return NULL; 475 } 476 477 s2n(TLSEXT_TYPE_ec_point_formats,ret); 478 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 479 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 480 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 481 ret+=s->tlsext_ecpointformatlist_length; 482 } 483 if (s->tlsext_ellipticcurvelist != NULL && 484 s->version != DTLS1_VERSION) 485 { 486 /* Add TLS extension EllipticCurves to the ClientHello message */ 487 long lenmax; 488 489 if ((lenmax = limit - ret - 6) < 0) return NULL; 490 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; 491 if (s->tlsext_ellipticcurvelist_length > 65532) 492 { 493 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 494 return NULL; 495 } 496 497 s2n(TLSEXT_TYPE_elliptic_curves,ret); 498 s2n(s->tlsext_ellipticcurvelist_length + 2, ret); 499 500 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 501 * elliptic_curve_list, but the examples use two bytes. 502 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 503 * resolves this to two bytes. 504 */ 505 s2n(s->tlsext_ellipticcurvelist_length, ret); 506 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); 507 ret+=s->tlsext_ellipticcurvelist_length; 508 } 509 #endif /* OPENSSL_NO_EC */ 510 511 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 512 { 513 int ticklen; 514 if (!s->new_session && s->session && s->session->tlsext_tick) 515 ticklen = s->session->tlsext_ticklen; 516 else if (s->session && s->tlsext_session_ticket && 517 s->tlsext_session_ticket->data) 518 { 519 ticklen = s->tlsext_session_ticket->length; 520 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 521 if (!s->session->tlsext_tick) 522 return NULL; 523 memcpy(s->session->tlsext_tick, 524 s->tlsext_session_ticket->data, 525 ticklen); 526 s->session->tlsext_ticklen = ticklen; 527 } 528 else 529 ticklen = 0; 530 if (ticklen == 0 && s->tlsext_session_ticket && 531 s->tlsext_session_ticket->data == NULL) 532 goto skip_ext; 533 /* Check for enough room 2 for extension type, 2 for len 534 * rest for ticket 535 */ 536 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; 537 s2n(TLSEXT_TYPE_session_ticket,ret); 538 s2n(ticklen,ret); 539 if (ticklen) 540 { 541 memcpy(ret, s->session->tlsext_tick, ticklen); 542 ret += ticklen; 543 } 544 } 545 skip_ext: 546 547 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 548 { 549 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 550 return NULL; 551 s2n(TLSEXT_TYPE_signature_algorithms,ret); 552 s2n(sizeof(tls12_sigalgs) + 2, ret); 553 s2n(sizeof(tls12_sigalgs), ret); 554 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 555 ret += sizeof(tls12_sigalgs); 556 } 557 558 #ifdef TLSEXT_TYPE_opaque_prf_input 559 if (s->s3->client_opaque_prf_input != NULL && 560 s->version != DTLS1_VERSION) 561 { 562 size_t col = s->s3->client_opaque_prf_input_len; 563 564 if ((long)(limit - ret - 6 - col < 0)) 565 return NULL; 566 if (col > 0xFFFD) /* can't happen */ 567 return NULL; 568 569 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 570 s2n(col + 2, ret); 571 s2n(col, ret); 572 memcpy(ret, s->s3->client_opaque_prf_input, col); 573 ret += col; 574 } 575 #endif 576 577 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 578 s->version != DTLS1_VERSION) 579 { 580 int i; 581 long extlen, idlen, itmp; 582 OCSP_RESPID *id; 583 584 idlen = 0; 585 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 586 { 587 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 588 itmp = i2d_OCSP_RESPID(id, NULL); 589 if (itmp <= 0) 590 return NULL; 591 idlen += itmp + 2; 592 } 593 594 if (s->tlsext_ocsp_exts) 595 { 596 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 597 if (extlen < 0) 598 return NULL; 599 } 600 else 601 extlen = 0; 602 603 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 604 s2n(TLSEXT_TYPE_status_request, ret); 605 if (extlen + idlen > 0xFFF0) 606 return NULL; 607 s2n(extlen + idlen + 5, ret); 608 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 609 s2n(idlen, ret); 610 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 611 { 612 /* save position of id len */ 613 unsigned char *q = ret; 614 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 615 /* skip over id len */ 616 ret += 2; 617 itmp = i2d_OCSP_RESPID(id, &ret); 618 /* write id len */ 619 s2n(itmp, q); 620 } 621 s2n(extlen, ret); 622 if (extlen > 0) 623 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 624 } 625 626 #ifndef OPENSSL_NO_HEARTBEATS 627 /* Add Heartbeat extension */ 628 s2n(TLSEXT_TYPE_heartbeat,ret); 629 s2n(1,ret); 630 /* Set mode: 631 * 1: peer may send requests 632 * 2: peer not allowed to send requests 633 */ 634 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 635 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 636 else 637 *(ret++) = SSL_TLSEXT_HB_ENABLED; 638 #endif 639 640 #ifndef OPENSSL_NO_NEXTPROTONEG 641 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) 642 { 643 /* The client advertises an emtpy extension to indicate its 644 * support for Next Protocol Negotiation */ 645 if (limit - ret - 4 < 0) 646 return NULL; 647 s2n(TLSEXT_TYPE_next_proto_neg,ret); 648 s2n(0,ret); 649 } 650 #endif 651 652 if (s->tlsext_channel_id_enabled) 653 { 654 /* The client advertises an emtpy extension to indicate its 655 * support for Channel ID. */ 656 if (limit - ret - 4 < 0) 657 return NULL; 658 s2n(TLSEXT_TYPE_channel_id,ret); 659 s2n(0,ret); 660 } 661 662 #ifndef OPENSSL_NO_SRTP 663 if(SSL_get_srtp_profiles(s)) 664 { 665 int el; 666 667 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 668 669 if((limit - p - 4 - el) < 0) return NULL; 670 671 s2n(TLSEXT_TYPE_use_srtp,ret); 672 s2n(el,ret); 673 674 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) 675 { 676 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 677 return NULL; 678 } 679 ret += el; 680 } 681 #endif 682 683 if ((extdatalen = ret-p-2)== 0) 684 return p; 685 686 s2n(extdatalen,p); 687 return ret; 688 } 689 690 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 691 { 692 int extdatalen=0; 693 unsigned char *ret = p; 694 #ifndef OPENSSL_NO_NEXTPROTONEG 695 int next_proto_neg_seen; 696 #endif 697 698 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 699 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 700 return p; 701 702 ret+=2; 703 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 704 705 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) 706 { 707 if ((long)(limit - ret - 4) < 0) return NULL; 708 709 s2n(TLSEXT_TYPE_server_name,ret); 710 s2n(0,ret); 711 } 712 713 if(s->s3->send_connection_binding) 714 { 715 int el; 716 717 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) 718 { 719 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 720 return NULL; 721 } 722 723 if((limit - p - 4 - el) < 0) return NULL; 724 725 s2n(TLSEXT_TYPE_renegotiate,ret); 726 s2n(el,ret); 727 728 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) 729 { 730 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 731 return NULL; 732 } 733 734 ret += el; 735 } 736 737 #ifndef OPENSSL_NO_EC 738 if (s->tlsext_ecpointformatlist != NULL && 739 s->version != DTLS1_VERSION) 740 { 741 /* Add TLS extension ECPointFormats to the ServerHello message */ 742 long lenmax; 743 744 if ((lenmax = limit - ret - 5) < 0) return NULL; 745 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 746 if (s->tlsext_ecpointformatlist_length > 255) 747 { 748 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 749 return NULL; 750 } 751 752 s2n(TLSEXT_TYPE_ec_point_formats,ret); 753 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 754 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 755 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 756 ret+=s->tlsext_ecpointformatlist_length; 757 758 } 759 /* Currently the server should not respond with a SupportedCurves extension */ 760 #endif /* OPENSSL_NO_EC */ 761 762 if (s->tlsext_ticket_expected 763 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 764 { 765 if ((long)(limit - ret - 4) < 0) return NULL; 766 s2n(TLSEXT_TYPE_session_ticket,ret); 767 s2n(0,ret); 768 } 769 770 if (s->tlsext_status_expected) 771 { 772 if ((long)(limit - ret - 4) < 0) return NULL; 773 s2n(TLSEXT_TYPE_status_request,ret); 774 s2n(0,ret); 775 } 776 777 #ifdef TLSEXT_TYPE_opaque_prf_input 778 if (s->s3->server_opaque_prf_input != NULL && 779 s->version != DTLS1_VERSION) 780 { 781 size_t sol = s->s3->server_opaque_prf_input_len; 782 783 if ((long)(limit - ret - 6 - sol) < 0) 784 return NULL; 785 if (sol > 0xFFFD) /* can't happen */ 786 return NULL; 787 788 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 789 s2n(sol + 2, ret); 790 s2n(sol, ret); 791 memcpy(ret, s->s3->server_opaque_prf_input, sol); 792 ret += sol; 793 } 794 #endif 795 796 #ifndef OPENSSL_NO_SRTP 797 if(s->srtp_profile) 798 { 799 int el; 800 801 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 802 803 if((limit - p - 4 - el) < 0) return NULL; 804 805 s2n(TLSEXT_TYPE_use_srtp,ret); 806 s2n(el,ret); 807 808 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) 809 { 810 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 811 return NULL; 812 } 813 ret+=el; 814 } 815 #endif 816 817 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 818 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 819 { const unsigned char cryptopro_ext[36] = { 820 0xfd, 0xe8, /*65000*/ 821 0x00, 0x20, /*32 bytes length*/ 822 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 823 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 824 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 825 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17}; 826 if (limit-ret<36) return NULL; 827 memcpy(ret,cryptopro_ext,36); 828 ret+=36; 829 830 } 831 832 #ifndef OPENSSL_NO_HEARTBEATS 833 /* Add Heartbeat extension if we've received one */ 834 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) 835 { 836 s2n(TLSEXT_TYPE_heartbeat,ret); 837 s2n(1,ret); 838 /* Set mode: 839 * 1: peer may send requests 840 * 2: peer not allowed to send requests 841 */ 842 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 843 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 844 else 845 *(ret++) = SSL_TLSEXT_HB_ENABLED; 846 847 } 848 #endif 849 850 #ifndef OPENSSL_NO_NEXTPROTONEG 851 next_proto_neg_seen = s->s3->next_proto_neg_seen; 852 s->s3->next_proto_neg_seen = 0; 853 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) 854 { 855 const unsigned char *npa; 856 unsigned int npalen; 857 int r; 858 859 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); 860 if (r == SSL_TLSEXT_ERR_OK) 861 { 862 if ((long)(limit - ret - 4 - npalen) < 0) return NULL; 863 s2n(TLSEXT_TYPE_next_proto_neg,ret); 864 s2n(npalen,ret); 865 memcpy(ret, npa, npalen); 866 ret += npalen; 867 s->s3->next_proto_neg_seen = 1; 868 } 869 } 870 #endif 871 872 /* If the client advertised support for Channel ID, and we have it 873 * enabled, then we want to echo it back. */ 874 if (s->s3->tlsext_channel_id_valid) 875 { 876 if (limit - ret - 4 < 0) 877 return NULL; 878 s2n(TLSEXT_TYPE_channel_id,ret); 879 s2n(0,ret); 880 } 881 882 if ((extdatalen = ret-p-2)== 0) 883 return p; 884 885 s2n(extdatalen,p); 886 return ret; 887 } 888 889 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 890 { 891 unsigned short type; 892 unsigned short size; 893 unsigned short len; 894 unsigned char *data = *p; 895 int renegotiate_seen = 0; 896 int sigalg_seen = 0; 897 898 s->servername_done = 0; 899 s->tlsext_status_type = -1; 900 #ifndef OPENSSL_NO_NEXTPROTONEG 901 s->s3->next_proto_neg_seen = 0; 902 #endif 903 904 #ifndef OPENSSL_NO_HEARTBEATS 905 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 906 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 907 #endif 908 909 if (data >= (d+n-2)) 910 goto ri_check; 911 n2s(data,len); 912 913 if (data > (d+n-len)) 914 goto ri_check; 915 916 while (data <= (d+n-4)) 917 { 918 n2s(data,type); 919 n2s(data,size); 920 921 if (data+size > (d+n)) 922 goto ri_check; 923 #if 0 924 fprintf(stderr,"Received extension type %d size %d\n",type,size); 925 #endif 926 if (s->tlsext_debug_cb) 927 s->tlsext_debug_cb(s, 0, type, data, size, 928 s->tlsext_debug_arg); 929 /* The servername extension is treated as follows: 930 931 - Only the hostname type is supported with a maximum length of 255. 932 - The servername is rejected if too long or if it contains zeros, 933 in which case an fatal alert is generated. 934 - The servername field is maintained together with the session cache. 935 - When a session is resumed, the servername call back invoked in order 936 to allow the application to position itself to the right context. 937 - The servername is acknowledged if it is new for a session or when 938 it is identical to a previously used for the same session. 939 Applications can control the behaviour. They can at any time 940 set a 'desirable' servername for a new SSL object. This can be the 941 case for example with HTTPS when a Host: header field is received and 942 a renegotiation is requested. In this case, a possible servername 943 presented in the new client hello is only acknowledged if it matches 944 the value of the Host: field. 945 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 946 if they provide for changing an explicit servername context for the session, 947 i.e. when the session has been established with a servername extension. 948 - On session reconnect, the servername extension may be absent. 949 950 */ 951 952 if (type == TLSEXT_TYPE_server_name) 953 { 954 unsigned char *sdata; 955 int servname_type; 956 int dsize; 957 958 if (size < 2) 959 { 960 *al = SSL_AD_DECODE_ERROR; 961 return 0; 962 } 963 n2s(data,dsize); 964 size -= 2; 965 if (dsize > size ) 966 { 967 *al = SSL_AD_DECODE_ERROR; 968 return 0; 969 } 970 971 sdata = data; 972 while (dsize > 3) 973 { 974 servname_type = *(sdata++); 975 n2s(sdata,len); 976 dsize -= 3; 977 978 if (len > dsize) 979 { 980 *al = SSL_AD_DECODE_ERROR; 981 return 0; 982 } 983 if (s->servername_done == 0) 984 switch (servname_type) 985 { 986 case TLSEXT_NAMETYPE_host_name: 987 if (!s->hit) 988 { 989 if(s->session->tlsext_hostname) 990 { 991 *al = SSL_AD_DECODE_ERROR; 992 return 0; 993 } 994 if (len > TLSEXT_MAXLEN_host_name) 995 { 996 *al = TLS1_AD_UNRECOGNIZED_NAME; 997 return 0; 998 } 999 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) 1000 { 1001 *al = TLS1_AD_INTERNAL_ERROR; 1002 return 0; 1003 } 1004 memcpy(s->session->tlsext_hostname, sdata, len); 1005 s->session->tlsext_hostname[len]='\0'; 1006 if (strlen(s->session->tlsext_hostname) != len) { 1007 OPENSSL_free(s->session->tlsext_hostname); 1008 s->session->tlsext_hostname = NULL; 1009 *al = TLS1_AD_UNRECOGNIZED_NAME; 1010 return 0; 1011 } 1012 s->servername_done = 1; 1013 1014 } 1015 else 1016 s->servername_done = s->session->tlsext_hostname 1017 && strlen(s->session->tlsext_hostname) == len 1018 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1019 1020 break; 1021 1022 default: 1023 break; 1024 } 1025 1026 dsize -= len; 1027 } 1028 if (dsize != 0) 1029 { 1030 *al = SSL_AD_DECODE_ERROR; 1031 return 0; 1032 } 1033 1034 } 1035 #ifndef OPENSSL_NO_SRP 1036 else if (type == TLSEXT_TYPE_srp) 1037 { 1038 if (size <= 0 || ((len = data[0])) != (size -1)) 1039 { 1040 *al = SSL_AD_DECODE_ERROR; 1041 return 0; 1042 } 1043 if (s->srp_ctx.login != NULL) 1044 { 1045 *al = SSL_AD_DECODE_ERROR; 1046 return 0; 1047 } 1048 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL) 1049 return -1; 1050 memcpy(s->srp_ctx.login, &data[1], len); 1051 s->srp_ctx.login[len]='\0'; 1052 1053 if (strlen(s->srp_ctx.login) != len) 1054 { 1055 *al = SSL_AD_DECODE_ERROR; 1056 return 0; 1057 } 1058 } 1059 #endif 1060 1061 #ifndef OPENSSL_NO_EC 1062 else if (type == TLSEXT_TYPE_ec_point_formats && 1063 s->version != DTLS1_VERSION) 1064 { 1065 unsigned char *sdata = data; 1066 int ecpointformatlist_length = *(sdata++); 1067 1068 if (ecpointformatlist_length != size - 1) 1069 { 1070 *al = TLS1_AD_DECODE_ERROR; 1071 return 0; 1072 } 1073 if (!s->hit) 1074 { 1075 if(s->session->tlsext_ecpointformatlist) 1076 { 1077 OPENSSL_free(s->session->tlsext_ecpointformatlist); 1078 s->session->tlsext_ecpointformatlist = NULL; 1079 } 1080 s->session->tlsext_ecpointformatlist_length = 0; 1081 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1082 { 1083 *al = TLS1_AD_INTERNAL_ERROR; 1084 return 0; 1085 } 1086 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1087 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1088 } 1089 #if 0 1090 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); 1091 sdata = s->session->tlsext_ecpointformatlist; 1092 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1093 fprintf(stderr,"%i ",*(sdata++)); 1094 fprintf(stderr,"\n"); 1095 #endif 1096 } 1097 else if (type == TLSEXT_TYPE_elliptic_curves && 1098 s->version != DTLS1_VERSION) 1099 { 1100 unsigned char *sdata = data; 1101 int ellipticcurvelist_length = (*(sdata++) << 8); 1102 ellipticcurvelist_length += (*(sdata++)); 1103 1104 if (ellipticcurvelist_length != size - 2 || 1105 ellipticcurvelist_length < 1) 1106 { 1107 *al = TLS1_AD_DECODE_ERROR; 1108 return 0; 1109 } 1110 if (!s->hit) 1111 { 1112 if(s->session->tlsext_ellipticcurvelist) 1113 { 1114 *al = TLS1_AD_DECODE_ERROR; 1115 return 0; 1116 } 1117 s->session->tlsext_ellipticcurvelist_length = 0; 1118 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) 1119 { 1120 *al = TLS1_AD_INTERNAL_ERROR; 1121 return 0; 1122 } 1123 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; 1124 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); 1125 } 1126 #if 0 1127 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); 1128 sdata = s->session->tlsext_ellipticcurvelist; 1129 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) 1130 fprintf(stderr,"%i ",*(sdata++)); 1131 fprintf(stderr,"\n"); 1132 #endif 1133 } 1134 #endif /* OPENSSL_NO_EC */ 1135 #ifdef TLSEXT_TYPE_opaque_prf_input 1136 else if (type == TLSEXT_TYPE_opaque_prf_input && 1137 s->version != DTLS1_VERSION) 1138 { 1139 unsigned char *sdata = data; 1140 1141 if (size < 2) 1142 { 1143 *al = SSL_AD_DECODE_ERROR; 1144 return 0; 1145 } 1146 n2s(sdata, s->s3->client_opaque_prf_input_len); 1147 if (s->s3->client_opaque_prf_input_len != size - 2) 1148 { 1149 *al = SSL_AD_DECODE_ERROR; 1150 return 0; 1151 } 1152 1153 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1154 OPENSSL_free(s->s3->client_opaque_prf_input); 1155 if (s->s3->client_opaque_prf_input_len == 0) 1156 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1157 else 1158 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); 1159 if (s->s3->client_opaque_prf_input == NULL) 1160 { 1161 *al = TLS1_AD_INTERNAL_ERROR; 1162 return 0; 1163 } 1164 } 1165 #endif 1166 else if (type == TLSEXT_TYPE_session_ticket) 1167 { 1168 if (s->tls_session_ticket_ext_cb && 1169 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1170 { 1171 *al = TLS1_AD_INTERNAL_ERROR; 1172 return 0; 1173 } 1174 } 1175 else if (type == TLSEXT_TYPE_renegotiate) 1176 { 1177 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1178 return 0; 1179 renegotiate_seen = 1; 1180 } 1181 else if (type == TLSEXT_TYPE_signature_algorithms) 1182 { 1183 int dsize; 1184 if (sigalg_seen || size < 2) 1185 { 1186 *al = SSL_AD_DECODE_ERROR; 1187 return 0; 1188 } 1189 sigalg_seen = 1; 1190 n2s(data,dsize); 1191 size -= 2; 1192 if (dsize != size || dsize & 1) 1193 { 1194 *al = SSL_AD_DECODE_ERROR; 1195 return 0; 1196 } 1197 if (!tls1_process_sigalgs(s, data, dsize)) 1198 { 1199 *al = SSL_AD_DECODE_ERROR; 1200 return 0; 1201 } 1202 } 1203 else if (type == TLSEXT_TYPE_status_request && 1204 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) 1205 { 1206 1207 if (size < 5) 1208 { 1209 *al = SSL_AD_DECODE_ERROR; 1210 return 0; 1211 } 1212 1213 s->tlsext_status_type = *data++; 1214 size--; 1215 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 1216 { 1217 const unsigned char *sdata; 1218 int dsize; 1219 /* Read in responder_id_list */ 1220 n2s(data,dsize); 1221 size -= 2; 1222 if (dsize > size ) 1223 { 1224 *al = SSL_AD_DECODE_ERROR; 1225 return 0; 1226 } 1227 while (dsize > 0) 1228 { 1229 OCSP_RESPID *id; 1230 int idsize; 1231 if (dsize < 4) 1232 { 1233 *al = SSL_AD_DECODE_ERROR; 1234 return 0; 1235 } 1236 n2s(data, idsize); 1237 dsize -= 2 + idsize; 1238 size -= 2 + idsize; 1239 if (dsize < 0) 1240 { 1241 *al = SSL_AD_DECODE_ERROR; 1242 return 0; 1243 } 1244 sdata = data; 1245 data += idsize; 1246 id = d2i_OCSP_RESPID(NULL, 1247 &sdata, idsize); 1248 if (!id) 1249 { 1250 *al = SSL_AD_DECODE_ERROR; 1251 return 0; 1252 } 1253 if (data != sdata) 1254 { 1255 OCSP_RESPID_free(id); 1256 *al = SSL_AD_DECODE_ERROR; 1257 return 0; 1258 } 1259 if (!s->tlsext_ocsp_ids 1260 && !(s->tlsext_ocsp_ids = 1261 sk_OCSP_RESPID_new_null())) 1262 { 1263 OCSP_RESPID_free(id); 1264 *al = SSL_AD_INTERNAL_ERROR; 1265 return 0; 1266 } 1267 if (!sk_OCSP_RESPID_push( 1268 s->tlsext_ocsp_ids, id)) 1269 { 1270 OCSP_RESPID_free(id); 1271 *al = SSL_AD_INTERNAL_ERROR; 1272 return 0; 1273 } 1274 } 1275 1276 /* Read in request_extensions */ 1277 if (size < 2) 1278 { 1279 *al = SSL_AD_DECODE_ERROR; 1280 return 0; 1281 } 1282 n2s(data,dsize); 1283 size -= 2; 1284 if (dsize != size) 1285 { 1286 *al = SSL_AD_DECODE_ERROR; 1287 return 0; 1288 } 1289 sdata = data; 1290 if (dsize > 0) 1291 { 1292 if (s->tlsext_ocsp_exts) 1293 { 1294 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1295 X509_EXTENSION_free); 1296 } 1297 1298 s->tlsext_ocsp_exts = 1299 d2i_X509_EXTENSIONS(NULL, 1300 &sdata, dsize); 1301 if (!s->tlsext_ocsp_exts 1302 || (data + dsize != sdata)) 1303 { 1304 *al = SSL_AD_DECODE_ERROR; 1305 return 0; 1306 } 1307 } 1308 } 1309 /* We don't know what to do with any other type 1310 * so ignore it. 1311 */ 1312 else 1313 s->tlsext_status_type = -1; 1314 } 1315 #ifndef OPENSSL_NO_HEARTBEATS 1316 else if (type == TLSEXT_TYPE_heartbeat) 1317 { 1318 switch(data[0]) 1319 { 1320 case 0x01: /* Client allows us to send HB requests */ 1321 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1322 break; 1323 case 0x02: /* Client doesn't accept HB requests */ 1324 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1325 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1326 break; 1327 default: *al = SSL_AD_ILLEGAL_PARAMETER; 1328 return 0; 1329 } 1330 } 1331 #endif 1332 #ifndef OPENSSL_NO_NEXTPROTONEG 1333 else if (type == TLSEXT_TYPE_next_proto_neg && 1334 s->s3->tmp.finish_md_len == 0) 1335 { 1336 /* We shouldn't accept this extension on a 1337 * renegotiation. 1338 * 1339 * s->new_session will be set on renegotiation, but we 1340 * probably shouldn't rely that it couldn't be set on 1341 * the initial renegotation too in certain cases (when 1342 * there's some other reason to disallow resuming an 1343 * earlier session -- the current code won't be doing 1344 * anything like that, but this might change). 1345 1346 * A valid sign that there's been a previous handshake 1347 * in this connection is if s->s3->tmp.finish_md_len > 1348 * 0. (We are talking about a check that will happen 1349 * in the Hello protocol round, well before a new 1350 * Finished message could have been computed.) */ 1351 s->s3->next_proto_neg_seen = 1; 1352 } 1353 #endif 1354 1355 else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled) 1356 s->s3->tlsext_channel_id_valid = 1; 1357 1358 /* session ticket processed earlier */ 1359 #ifndef OPENSSL_NO_SRTP 1360 else if (type == TLSEXT_TYPE_use_srtp) 1361 { 1362 if(ssl_parse_clienthello_use_srtp_ext(s, data, size, 1363 al)) 1364 return 0; 1365 } 1366 #endif 1367 1368 data+=size; 1369 } 1370 1371 *p = data; 1372 1373 ri_check: 1374 1375 /* Need RI if renegotiating */ 1376 1377 if (!renegotiate_seen && s->renegotiate && 1378 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1379 { 1380 *al = SSL_AD_HANDSHAKE_FAILURE; 1381 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1382 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1383 return 0; 1384 } 1385 1386 return 1; 1387 } 1388 1389 #ifndef OPENSSL_NO_NEXTPROTONEG 1390 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1391 * elements of zero length are allowed and the set of elements must exactly fill 1392 * the length of the block. */ 1393 static char ssl_next_proto_validate(unsigned char *d, unsigned len) 1394 { 1395 unsigned int off = 0; 1396 1397 while (off < len) 1398 { 1399 if (d[off] == 0) 1400 return 0; 1401 off += d[off]; 1402 off++; 1403 } 1404 1405 return off == len; 1406 } 1407 #endif 1408 1409 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 1410 { 1411 unsigned short length; 1412 unsigned short type; 1413 unsigned short size; 1414 unsigned char *data = *p; 1415 int tlsext_servername = 0; 1416 int renegotiate_seen = 0; 1417 1418 #ifndef OPENSSL_NO_NEXTPROTONEG 1419 s->s3->next_proto_neg_seen = 0; 1420 #endif 1421 1422 #ifndef OPENSSL_NO_HEARTBEATS 1423 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1424 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1425 #endif 1426 1427 if (data >= (d+n-2)) 1428 goto ri_check; 1429 1430 n2s(data,length); 1431 if (data+length != d+n) 1432 { 1433 *al = SSL_AD_DECODE_ERROR; 1434 return 0; 1435 } 1436 1437 while(data <= (d+n-4)) 1438 { 1439 n2s(data,type); 1440 n2s(data,size); 1441 1442 if (data+size > (d+n)) 1443 goto ri_check; 1444 1445 if (s->tlsext_debug_cb) 1446 s->tlsext_debug_cb(s, 1, type, data, size, 1447 s->tlsext_debug_arg); 1448 1449 if (type == TLSEXT_TYPE_server_name) 1450 { 1451 if (s->tlsext_hostname == NULL || size > 0) 1452 { 1453 *al = TLS1_AD_UNRECOGNIZED_NAME; 1454 return 0; 1455 } 1456 tlsext_servername = 1; 1457 } 1458 1459 #ifndef OPENSSL_NO_EC 1460 else if (type == TLSEXT_TYPE_ec_point_formats && 1461 s->version != DTLS1_VERSION) 1462 { 1463 unsigned char *sdata = data; 1464 int ecpointformatlist_length = *(sdata++); 1465 1466 if (ecpointformatlist_length != size - 1 || 1467 ecpointformatlist_length < 1) 1468 { 1469 *al = TLS1_AD_DECODE_ERROR; 1470 return 0; 1471 } 1472 s->session->tlsext_ecpointformatlist_length = 0; 1473 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); 1474 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1475 { 1476 *al = TLS1_AD_INTERNAL_ERROR; 1477 return 0; 1478 } 1479 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1480 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1481 #if 0 1482 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); 1483 sdata = s->session->tlsext_ecpointformatlist; 1484 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1485 fprintf(stderr,"%i ",*(sdata++)); 1486 fprintf(stderr,"\n"); 1487 #endif 1488 } 1489 #endif /* OPENSSL_NO_EC */ 1490 1491 else if (type == TLSEXT_TYPE_session_ticket) 1492 { 1493 if (s->tls_session_ticket_ext_cb && 1494 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1495 { 1496 *al = TLS1_AD_INTERNAL_ERROR; 1497 return 0; 1498 } 1499 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 1500 || (size > 0)) 1501 { 1502 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1503 return 0; 1504 } 1505 s->tlsext_ticket_expected = 1; 1506 } 1507 #ifdef TLSEXT_TYPE_opaque_prf_input 1508 else if (type == TLSEXT_TYPE_opaque_prf_input && 1509 s->version != DTLS1_VERSION) 1510 { 1511 unsigned char *sdata = data; 1512 1513 if (size < 2) 1514 { 1515 *al = SSL_AD_DECODE_ERROR; 1516 return 0; 1517 } 1518 n2s(sdata, s->s3->server_opaque_prf_input_len); 1519 if (s->s3->server_opaque_prf_input_len != size - 2) 1520 { 1521 *al = SSL_AD_DECODE_ERROR; 1522 return 0; 1523 } 1524 1525 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1526 OPENSSL_free(s->s3->server_opaque_prf_input); 1527 if (s->s3->server_opaque_prf_input_len == 0) 1528 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1529 else 1530 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); 1531 1532 if (s->s3->server_opaque_prf_input == NULL) 1533 { 1534 *al = TLS1_AD_INTERNAL_ERROR; 1535 return 0; 1536 } 1537 } 1538 #endif 1539 else if (type == TLSEXT_TYPE_status_request && 1540 s->version != DTLS1_VERSION) 1541 { 1542 /* MUST be empty and only sent if we've requested 1543 * a status request message. 1544 */ 1545 if ((s->tlsext_status_type == -1) || (size > 0)) 1546 { 1547 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1548 return 0; 1549 } 1550 /* Set flag to expect CertificateStatus message */ 1551 s->tlsext_status_expected = 1; 1552 } 1553 #ifndef OPENSSL_NO_NEXTPROTONEG 1554 else if (type == TLSEXT_TYPE_next_proto_neg && 1555 s->s3->tmp.finish_md_len == 0) 1556 { 1557 unsigned char *selected; 1558 unsigned char selected_len; 1559 1560 /* We must have requested it. */ 1561 if (s->ctx->next_proto_select_cb == NULL) 1562 { 1563 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1564 return 0; 1565 } 1566 /* The data must be valid */ 1567 if (!ssl_next_proto_validate(data, size)) 1568 { 1569 *al = TLS1_AD_DECODE_ERROR; 1570 return 0; 1571 } 1572 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) 1573 { 1574 *al = TLS1_AD_INTERNAL_ERROR; 1575 return 0; 1576 } 1577 s->next_proto_negotiated = OPENSSL_malloc(selected_len); 1578 if (!s->next_proto_negotiated) 1579 { 1580 *al = TLS1_AD_INTERNAL_ERROR; 1581 return 0; 1582 } 1583 memcpy(s->next_proto_negotiated, selected, selected_len); 1584 s->next_proto_negotiated_len = selected_len; 1585 s->s3->next_proto_neg_seen = 1; 1586 } 1587 #endif 1588 else if (type == TLSEXT_TYPE_channel_id) 1589 s->s3->tlsext_channel_id_valid = 1; 1590 1591 else if (type == TLSEXT_TYPE_renegotiate) 1592 { 1593 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1594 return 0; 1595 renegotiate_seen = 1; 1596 } 1597 #ifndef OPENSSL_NO_HEARTBEATS 1598 else if (type == TLSEXT_TYPE_heartbeat) 1599 { 1600 switch(data[0]) 1601 { 1602 case 0x01: /* Server allows us to send HB requests */ 1603 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1604 break; 1605 case 0x02: /* Server doesn't accept HB requests */ 1606 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1607 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1608 break; 1609 default: *al = SSL_AD_ILLEGAL_PARAMETER; 1610 return 0; 1611 } 1612 } 1613 #endif 1614 #ifndef OPENSSL_NO_SRTP 1615 else if (type == TLSEXT_TYPE_use_srtp) 1616 { 1617 if(ssl_parse_serverhello_use_srtp_ext(s, data, size, 1618 al)) 1619 return 0; 1620 } 1621 #endif 1622 1623 data+=size; 1624 } 1625 1626 if (data != d+n) 1627 { 1628 *al = SSL_AD_DECODE_ERROR; 1629 return 0; 1630 } 1631 1632 if (!s->hit && tlsext_servername == 1) 1633 { 1634 if (s->tlsext_hostname) 1635 { 1636 if (s->session->tlsext_hostname == NULL) 1637 { 1638 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 1639 if (!s->session->tlsext_hostname) 1640 { 1641 *al = SSL_AD_UNRECOGNIZED_NAME; 1642 return 0; 1643 } 1644 } 1645 else 1646 { 1647 *al = SSL_AD_DECODE_ERROR; 1648 return 0; 1649 } 1650 } 1651 } 1652 1653 *p = data; 1654 1655 ri_check: 1656 1657 /* Determine if we need to see RI. Strictly speaking if we want to 1658 * avoid an attack we should *always* see RI even on initial server 1659 * hello because the client doesn't see any renegotiation during an 1660 * attack. However this would mean we could not connect to any server 1661 * which doesn't support RI so for the immediate future tolerate RI 1662 * absence on initial connect only. 1663 */ 1664 if (!renegotiate_seen 1665 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 1666 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1667 { 1668 *al = SSL_AD_HANDSHAKE_FAILURE; 1669 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1670 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1671 return 0; 1672 } 1673 1674 return 1; 1675 } 1676 1677 1678 int ssl_prepare_clienthello_tlsext(SSL *s) 1679 { 1680 #ifndef OPENSSL_NO_EC 1681 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 1682 * and elliptic curves we support. 1683 */ 1684 int using_ecc = 0; 1685 int i; 1686 unsigned char *j; 1687 unsigned long alg_k, alg_a; 1688 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 1689 1690 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) 1691 { 1692 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 1693 1694 alg_k = c->algorithm_mkey; 1695 alg_a = c->algorithm_auth; 1696 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) 1697 { 1698 using_ecc = 1; 1699 break; 1700 } 1701 } 1702 using_ecc = using_ecc && (s->version >= TLS1_VERSION); 1703 if (using_ecc) 1704 { 1705 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1706 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1707 { 1708 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1709 return -1; 1710 } 1711 s->tlsext_ecpointformatlist_length = 3; 1712 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1713 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1714 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1715 1716 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ 1717 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); 1718 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2; 1719 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) 1720 { 1721 s->tlsext_ellipticcurvelist_length = 0; 1722 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1723 return -1; 1724 } 1725 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < 1726 sizeof(pref_list)/sizeof(pref_list[0]); i++) 1727 { 1728 int id = tls1_ec_nid2curve_id(pref_list[i]); 1729 s2n(id,j); 1730 } 1731 } 1732 #endif /* OPENSSL_NO_EC */ 1733 1734 #ifdef TLSEXT_TYPE_opaque_prf_input 1735 { 1736 int r = 1; 1737 1738 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1739 { 1740 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1741 if (!r) 1742 return -1; 1743 } 1744 1745 if (s->tlsext_opaque_prf_input != NULL) 1746 { 1747 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1748 OPENSSL_free(s->s3->client_opaque_prf_input); 1749 1750 if (s->tlsext_opaque_prf_input_len == 0) 1751 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1752 else 1753 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1754 if (s->s3->client_opaque_prf_input == NULL) 1755 { 1756 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1757 return -1; 1758 } 1759 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1760 } 1761 1762 if (r == 2) 1763 /* at callback's request, insist on receiving an appropriate server opaque PRF input */ 1764 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1765 } 1766 #endif 1767 1768 return 1; 1769 } 1770 1771 int ssl_prepare_serverhello_tlsext(SSL *s) 1772 { 1773 #ifndef OPENSSL_NO_EC 1774 /* If we are server and using an ECC cipher suite, send the point formats we support 1775 * if the client sent us an ECPointsFormat extension. Note that the server is not 1776 * supposed to send an EllipticCurves extension. 1777 */ 1778 1779 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1780 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1781 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); 1782 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); 1783 1784 if (using_ecc) 1785 { 1786 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1787 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1788 { 1789 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1790 return -1; 1791 } 1792 s->tlsext_ecpointformatlist_length = 3; 1793 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1794 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1795 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1796 } 1797 #endif /* OPENSSL_NO_EC */ 1798 1799 return 1; 1800 } 1801 1802 int ssl_check_clienthello_tlsext_early(SSL *s) 1803 { 1804 int ret=SSL_TLSEXT_ERR_NOACK; 1805 int al = SSL_AD_UNRECOGNIZED_NAME; 1806 1807 #ifndef OPENSSL_NO_EC 1808 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1809 * ssl3_choose_cipher in s3_lib.c. 1810 */ 1811 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1812 * ssl3_choose_cipher in s3_lib.c. 1813 */ 1814 #endif 1815 1816 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1817 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1818 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1819 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1820 1821 #ifdef TLSEXT_TYPE_opaque_prf_input 1822 { 1823 /* This sort of belongs into ssl_prepare_serverhello_tlsext(), 1824 * but we might be sending an alert in response to the client hello, 1825 * so this has to happen here in 1826 * ssl_check_clienthello_tlsext_early(). */ 1827 1828 int r = 1; 1829 1830 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1831 { 1832 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1833 if (!r) 1834 { 1835 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1836 al = SSL_AD_INTERNAL_ERROR; 1837 goto err; 1838 } 1839 } 1840 1841 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1842 OPENSSL_free(s->s3->server_opaque_prf_input); 1843 s->s3->server_opaque_prf_input = NULL; 1844 1845 if (s->tlsext_opaque_prf_input != NULL) 1846 { 1847 if (s->s3->client_opaque_prf_input != NULL && 1848 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) 1849 { 1850 /* can only use this extension if we have a server opaque PRF input 1851 * of the same length as the client opaque PRF input! */ 1852 1853 if (s->tlsext_opaque_prf_input_len == 0) 1854 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1855 else 1856 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1857 if (s->s3->server_opaque_prf_input == NULL) 1858 { 1859 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1860 al = SSL_AD_INTERNAL_ERROR; 1861 goto err; 1862 } 1863 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1864 } 1865 } 1866 1867 if (r == 2 && s->s3->server_opaque_prf_input == NULL) 1868 { 1869 /* The callback wants to enforce use of the extension, 1870 * but we can't do that with the client opaque PRF input; 1871 * abort the handshake. 1872 */ 1873 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1874 al = SSL_AD_HANDSHAKE_FAILURE; 1875 } 1876 } 1877 1878 err: 1879 #endif 1880 switch (ret) 1881 { 1882 case SSL_TLSEXT_ERR_ALERT_FATAL: 1883 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1884 return -1; 1885 1886 case SSL_TLSEXT_ERR_ALERT_WARNING: 1887 ssl3_send_alert(s,SSL3_AL_WARNING,al); 1888 return 1; 1889 1890 case SSL_TLSEXT_ERR_NOACK: 1891 s->servername_done=0; 1892 default: 1893 return 1; 1894 } 1895 } 1896 1897 int ssl_check_clienthello_tlsext_late(SSL *s) 1898 { 1899 int ret = SSL_TLSEXT_ERR_OK; 1900 int al; 1901 1902 /* If status request then ask callback what to do. 1903 * Note: this must be called after servername callbacks in case 1904 * the certificate has changed, and must be called after the cipher 1905 * has been chosen because this may influence which certificate is sent 1906 */ 1907 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) 1908 { 1909 int r; 1910 CERT_PKEY *certpkey; 1911 certpkey = ssl_get_server_send_pkey(s); 1912 /* If no certificate can't return certificate status */ 1913 if (certpkey == NULL) 1914 { 1915 s->tlsext_status_expected = 0; 1916 return 1; 1917 } 1918 /* Set current certificate to one we will use so 1919 * SSL_get_certificate et al can pick it up. 1920 */ 1921 s->cert->key = certpkey; 1922 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1923 switch (r) 1924 { 1925 /* We don't want to send a status request response */ 1926 case SSL_TLSEXT_ERR_NOACK: 1927 s->tlsext_status_expected = 0; 1928 break; 1929 /* status request response should be sent */ 1930 case SSL_TLSEXT_ERR_OK: 1931 if (s->tlsext_ocsp_resp) 1932 s->tlsext_status_expected = 1; 1933 else 1934 s->tlsext_status_expected = 0; 1935 break; 1936 /* something bad happened */ 1937 case SSL_TLSEXT_ERR_ALERT_FATAL: 1938 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1939 al = SSL_AD_INTERNAL_ERROR; 1940 goto err; 1941 } 1942 } 1943 else 1944 s->tlsext_status_expected = 0; 1945 1946 err: 1947 switch (ret) 1948 { 1949 case SSL_TLSEXT_ERR_ALERT_FATAL: 1950 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1951 return -1; 1952 1953 case SSL_TLSEXT_ERR_ALERT_WARNING: 1954 ssl3_send_alert(s,SSL3_AL_WARNING,al); 1955 return 1; 1956 1957 default: 1958 return 1; 1959 } 1960 } 1961 1962 int ssl_check_serverhello_tlsext(SSL *s) 1963 { 1964 int ret=SSL_TLSEXT_ERR_NOACK; 1965 int al = SSL_AD_UNRECOGNIZED_NAME; 1966 1967 #ifndef OPENSSL_NO_EC 1968 /* If we are client and using an elliptic curve cryptography cipher 1969 * suite, then if server returns an EC point formats lists extension 1970 * it must contain uncompressed. 1971 */ 1972 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1973 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1974 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 1975 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 1976 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) 1977 { 1978 /* we are using an ECC cipher */ 1979 size_t i; 1980 unsigned char *list; 1981 int found_uncompressed = 0; 1982 list = s->session->tlsext_ecpointformatlist; 1983 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1984 { 1985 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) 1986 { 1987 found_uncompressed = 1; 1988 break; 1989 } 1990 } 1991 if (!found_uncompressed) 1992 { 1993 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1994 return -1; 1995 } 1996 } 1997 ret = SSL_TLSEXT_ERR_OK; 1998 #endif /* OPENSSL_NO_EC */ 1999 2000 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 2001 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 2002 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 2003 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 2004 2005 #ifdef TLSEXT_TYPE_opaque_prf_input 2006 if (s->s3->server_opaque_prf_input_len > 0) 2007 { 2008 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs. 2009 * So first verify that we really have a value from the server too. */ 2010 2011 if (s->s3->server_opaque_prf_input == NULL) 2012 { 2013 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2014 al = SSL_AD_HANDSHAKE_FAILURE; 2015 } 2016 2017 /* Anytime the server *has* sent an opaque PRF input, we need to check 2018 * that we have a client opaque PRF input of the same size. */ 2019 if (s->s3->client_opaque_prf_input == NULL || 2020 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) 2021 { 2022 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2023 al = SSL_AD_ILLEGAL_PARAMETER; 2024 } 2025 } 2026 #endif 2027 2028 /* If we've requested certificate status and we wont get one 2029 * tell the callback 2030 */ 2031 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 2032 && s->ctx && s->ctx->tlsext_status_cb) 2033 { 2034 int r; 2035 /* Set resp to NULL, resplen to -1 so callback knows 2036 * there is no response. 2037 */ 2038 if (s->tlsext_ocsp_resp) 2039 { 2040 OPENSSL_free(s->tlsext_ocsp_resp); 2041 s->tlsext_ocsp_resp = NULL; 2042 } 2043 s->tlsext_ocsp_resplen = -1; 2044 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2045 if (r == 0) 2046 { 2047 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2048 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2049 } 2050 if (r < 0) 2051 { 2052 al = SSL_AD_INTERNAL_ERROR; 2053 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2054 } 2055 } 2056 2057 switch (ret) 2058 { 2059 case SSL_TLSEXT_ERR_ALERT_FATAL: 2060 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2061 return -1; 2062 2063 case SSL_TLSEXT_ERR_ALERT_WARNING: 2064 ssl3_send_alert(s,SSL3_AL_WARNING,al); 2065 return 1; 2066 2067 case SSL_TLSEXT_ERR_NOACK: 2068 s->servername_done=0; 2069 default: 2070 return 1; 2071 } 2072 } 2073 2074 /* Since the server cache lookup is done early on in the processing of the 2075 * ClientHello, and other operations depend on the result, we need to handle 2076 * any TLS session ticket extension at the same time. 2077 * 2078 * session_id: points at the session ID in the ClientHello. This code will 2079 * read past the end of this in order to parse out the session ticket 2080 * extension, if any. 2081 * len: the length of the session ID. 2082 * limit: a pointer to the first byte after the ClientHello. 2083 * ret: (output) on return, if a ticket was decrypted, then this is set to 2084 * point to the resulting session. 2085 * 2086 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2087 * ciphersuite, in which case we have no use for session tickets and one will 2088 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2089 * 2090 * Returns: 2091 * -1: fatal error, either from parsing or decrypting the ticket. 2092 * 0: no ticket was found (or was ignored, based on settings). 2093 * 1: a zero length extension was found, indicating that the client supports 2094 * session tickets but doesn't currently have one to offer. 2095 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2096 * couldn't be decrypted because of a non-fatal error. 2097 * 3: a ticket was successfully decrypted and *ret was set. 2098 * 2099 * Side effects: 2100 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2101 * a new session ticket to the client because the client indicated support 2102 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2103 * a session ticket or we couldn't use the one it gave us, or if 2104 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2105 * Otherwise, s->tlsext_ticket_expected is set to 0. 2106 */ 2107 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 2108 const unsigned char *limit, SSL_SESSION **ret) 2109 { 2110 /* Point after session ID in client hello */ 2111 const unsigned char *p = session_id + len; 2112 unsigned short i; 2113 2114 *ret = NULL; 2115 s->tlsext_ticket_expected = 0; 2116 2117 /* If tickets disabled behave as if no ticket present 2118 * to permit stateful resumption. 2119 */ 2120 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2121 return 0; 2122 if ((s->version <= SSL3_VERSION) || !limit) 2123 return 0; 2124 if (p >= limit) 2125 return -1; 2126 /* Skip past DTLS cookie */ 2127 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 2128 { 2129 i = *(p++); 2130 p+= i; 2131 if (p >= limit) 2132 return -1; 2133 } 2134 /* Skip past cipher list */ 2135 n2s(p, i); 2136 p+= i; 2137 if (p >= limit) 2138 return -1; 2139 /* Skip past compression algorithm list */ 2140 i = *(p++); 2141 p += i; 2142 if (p > limit) 2143 return -1; 2144 /* Now at start of extensions */ 2145 if ((p + 2) >= limit) 2146 return 0; 2147 n2s(p, i); 2148 while ((p + 4) <= limit) 2149 { 2150 unsigned short type, size; 2151 n2s(p, type); 2152 n2s(p, size); 2153 if (p + size > limit) 2154 return 0; 2155 if (type == TLSEXT_TYPE_session_ticket) 2156 { 2157 int r; 2158 if (size == 0) 2159 { 2160 /* The client will accept a ticket but doesn't 2161 * currently have one. */ 2162 s->tlsext_ticket_expected = 1; 2163 return 1; 2164 } 2165 if (s->tls_session_secret_cb) 2166 { 2167 /* Indicate that the ticket couldn't be 2168 * decrypted rather than generating the session 2169 * from ticket now, trigger abbreviated 2170 * handshake based on external mechanism to 2171 * calculate the master secret later. */ 2172 return 2; 2173 } 2174 r = tls_decrypt_ticket(s, p, size, session_id, len, ret); 2175 switch (r) 2176 { 2177 case 2: /* ticket couldn't be decrypted */ 2178 s->tlsext_ticket_expected = 1; 2179 return 2; 2180 case 3: /* ticket was decrypted */ 2181 return r; 2182 case 4: /* ticket decrypted but need to renew */ 2183 s->tlsext_ticket_expected = 1; 2184 return 3; 2185 default: /* fatal error */ 2186 return -1; 2187 } 2188 } 2189 p += size; 2190 } 2191 return 0; 2192 } 2193 2194 /* tls_decrypt_ticket attempts to decrypt a session ticket. 2195 * 2196 * etick: points to the body of the session ticket extension. 2197 * eticklen: the length of the session tickets extenion. 2198 * sess_id: points at the session ID. 2199 * sesslen: the length of the session ID. 2200 * psess: (output) on return, if a ticket was decrypted, then this is set to 2201 * point to the resulting session. 2202 * 2203 * Returns: 2204 * -1: fatal error, either from parsing or decrypting the ticket. 2205 * 2: the ticket couldn't be decrypted. 2206 * 3: a ticket was successfully decrypted and *psess was set. 2207 * 4: same as 3, but the ticket needs to be renewed. 2208 */ 2209 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2210 const unsigned char *sess_id, int sesslen, 2211 SSL_SESSION **psess) 2212 { 2213 SSL_SESSION *sess; 2214 unsigned char *sdec; 2215 const unsigned char *p; 2216 int slen, mlen, renew_ticket = 0; 2217 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2218 HMAC_CTX hctx; 2219 EVP_CIPHER_CTX ctx; 2220 SSL_CTX *tctx = s->initial_ctx; 2221 /* Need at least keyname + iv + some encrypted data */ 2222 if (eticklen < 48) 2223 return 2; 2224 /* Initialize session ticket encryption and HMAC contexts */ 2225 HMAC_CTX_init(&hctx); 2226 EVP_CIPHER_CTX_init(&ctx); 2227 if (tctx->tlsext_ticket_key_cb) 2228 { 2229 unsigned char *nctick = (unsigned char *)etick; 2230 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2231 &ctx, &hctx, 0); 2232 if (rv < 0) 2233 return -1; 2234 if (rv == 0) 2235 return 2; 2236 if (rv == 2) 2237 renew_ticket = 1; 2238 } 2239 else 2240 { 2241 /* Check key name matches */ 2242 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2243 return 2; 2244 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2245 tlsext_tick_md(), NULL); 2246 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2247 tctx->tlsext_tick_aes_key, etick + 16); 2248 } 2249 /* Attempt to process session ticket, first conduct sanity and 2250 * integrity checks on ticket. 2251 */ 2252 mlen = HMAC_size(&hctx); 2253 if (mlen < 0) 2254 { 2255 EVP_CIPHER_CTX_cleanup(&ctx); 2256 return -1; 2257 } 2258 eticklen -= mlen; 2259 /* Check HMAC of encrypted ticket */ 2260 HMAC_Update(&hctx, etick, eticklen); 2261 HMAC_Final(&hctx, tick_hmac, NULL); 2262 HMAC_CTX_cleanup(&hctx); 2263 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) 2264 return 2; 2265 /* Attempt to decrypt session data */ 2266 /* Move p after IV to start of encrypted ticket, update length */ 2267 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2268 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2269 sdec = OPENSSL_malloc(eticklen); 2270 if (!sdec) 2271 { 2272 EVP_CIPHER_CTX_cleanup(&ctx); 2273 return -1; 2274 } 2275 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2276 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 2277 return 2; 2278 slen += mlen; 2279 EVP_CIPHER_CTX_cleanup(&ctx); 2280 p = sdec; 2281 2282 sess = d2i_SSL_SESSION(NULL, &p, slen); 2283 OPENSSL_free(sdec); 2284 if (sess) 2285 { 2286 /* The session ID, if non-empty, is used by some clients to 2287 * detect that the ticket has been accepted. So we copy it to 2288 * the session structure. If it is empty set length to zero 2289 * as required by standard. 2290 */ 2291 if (sesslen) 2292 memcpy(sess->session_id, sess_id, sesslen); 2293 sess->session_id_length = sesslen; 2294 *psess = sess; 2295 if (renew_ticket) 2296 return 4; 2297 else 2298 return 3; 2299 } 2300 ERR_clear_error(); 2301 /* For session parse failure, indicate that we need to send a new 2302 * ticket. */ 2303 return 2; 2304 } 2305 2306 /* Tables to translate from NIDs to TLS v1.2 ids */ 2307 2308 typedef struct 2309 { 2310 int nid; 2311 int id; 2312 } tls12_lookup; 2313 2314 static tls12_lookup tls12_md[] = { 2315 #ifndef OPENSSL_NO_MD5 2316 {NID_md5, TLSEXT_hash_md5}, 2317 #endif 2318 #ifndef OPENSSL_NO_SHA 2319 {NID_sha1, TLSEXT_hash_sha1}, 2320 #endif 2321 #ifndef OPENSSL_NO_SHA256 2322 {NID_sha224, TLSEXT_hash_sha224}, 2323 {NID_sha256, TLSEXT_hash_sha256}, 2324 #endif 2325 #ifndef OPENSSL_NO_SHA512 2326 {NID_sha384, TLSEXT_hash_sha384}, 2327 {NID_sha512, TLSEXT_hash_sha512} 2328 #endif 2329 }; 2330 2331 static tls12_lookup tls12_sig[] = { 2332 #ifndef OPENSSL_NO_RSA 2333 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2334 #endif 2335 #ifndef OPENSSL_NO_DSA 2336 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2337 #endif 2338 #ifndef OPENSSL_NO_ECDSA 2339 {EVP_PKEY_EC, TLSEXT_signature_ecdsa} 2340 #endif 2341 }; 2342 2343 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2344 { 2345 size_t i; 2346 for (i = 0; i < tlen; i++) 2347 { 2348 if (table[i].nid == nid) 2349 return table[i].id; 2350 } 2351 return -1; 2352 } 2353 #if 0 2354 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) 2355 { 2356 size_t i; 2357 for (i = 0; i < tlen; i++) 2358 { 2359 if (table[i].id == id) 2360 return table[i].nid; 2361 } 2362 return -1; 2363 } 2364 #endif 2365 2366 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2367 { 2368 int sig_id, md_id; 2369 if (!md) 2370 return 0; 2371 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2372 sizeof(tls12_md)/sizeof(tls12_lookup)); 2373 if (md_id == -1) 2374 return 0; 2375 sig_id = tls12_get_sigid(pk); 2376 if (sig_id == -1) 2377 return 0; 2378 p[0] = (unsigned char)md_id; 2379 p[1] = (unsigned char)sig_id; 2380 return 1; 2381 } 2382 2383 int tls12_get_sigid(const EVP_PKEY *pk) 2384 { 2385 return tls12_find_id(pk->type, tls12_sig, 2386 sizeof(tls12_sig)/sizeof(tls12_lookup)); 2387 } 2388 2389 const EVP_MD *tls12_get_hash(unsigned char hash_alg) 2390 { 2391 switch(hash_alg) 2392 { 2393 #ifndef OPENSSL_NO_MD5 2394 case TLSEXT_hash_md5: 2395 #ifdef OPENSSL_FIPS 2396 if (FIPS_mode()) 2397 return NULL; 2398 #endif 2399 return EVP_md5(); 2400 #endif 2401 #ifndef OPENSSL_NO_SHA 2402 case TLSEXT_hash_sha1: 2403 return EVP_sha1(); 2404 #endif 2405 #ifndef OPENSSL_NO_SHA256 2406 case TLSEXT_hash_sha224: 2407 return EVP_sha224(); 2408 2409 case TLSEXT_hash_sha256: 2410 return EVP_sha256(); 2411 #endif 2412 #ifndef OPENSSL_NO_SHA512 2413 case TLSEXT_hash_sha384: 2414 return EVP_sha384(); 2415 2416 case TLSEXT_hash_sha512: 2417 return EVP_sha512(); 2418 #endif 2419 default: 2420 return NULL; 2421 2422 } 2423 } 2424 2425 /* Set preferred digest for each key type */ 2426 2427 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2428 { 2429 int i, idx; 2430 const EVP_MD *md; 2431 CERT *c = s->cert; 2432 /* Extension ignored for TLS versions below 1.2 */ 2433 if (TLS1_get_version(s) < TLS1_2_VERSION) 2434 return 1; 2435 /* Should never happen */ 2436 if (!c) 2437 return 0; 2438 2439 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2440 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2441 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2442 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2443 2444 for (i = 0; i < dsize; i += 2) 2445 { 2446 unsigned char hash_alg = data[i], sig_alg = data[i+1]; 2447 2448 switch(sig_alg) 2449 { 2450 #ifndef OPENSSL_NO_RSA 2451 case TLSEXT_signature_rsa: 2452 idx = SSL_PKEY_RSA_SIGN; 2453 break; 2454 #endif 2455 #ifndef OPENSSL_NO_DSA 2456 case TLSEXT_signature_dsa: 2457 idx = SSL_PKEY_DSA_SIGN; 2458 break; 2459 #endif 2460 #ifndef OPENSSL_NO_ECDSA 2461 case TLSEXT_signature_ecdsa: 2462 idx = SSL_PKEY_ECC; 2463 break; 2464 #endif 2465 default: 2466 continue; 2467 } 2468 2469 if (c->pkeys[idx].digest == NULL) 2470 { 2471 md = tls12_get_hash(hash_alg); 2472 if (md) 2473 { 2474 c->pkeys[idx].digest = md; 2475 if (idx == SSL_PKEY_RSA_SIGN) 2476 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2477 } 2478 } 2479 2480 } 2481 2482 2483 /* Set any remaining keys to default values. NOTE: if alg is not 2484 * supported it stays as NULL. 2485 */ 2486 #ifndef OPENSSL_NO_DSA 2487 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2488 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2489 #endif 2490 #ifndef OPENSSL_NO_RSA 2491 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) 2492 { 2493 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2494 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2495 } 2496 #endif 2497 #ifndef OPENSSL_NO_ECDSA 2498 if (!c->pkeys[SSL_PKEY_ECC].digest) 2499 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2500 #endif 2501 return 1; 2502 } 2503 2504 #endif 2505 2506 #ifndef OPENSSL_NO_HEARTBEATS 2507 int 2508 tls1_process_heartbeat(SSL *s) 2509 { 2510 unsigned char *p = &s->s3->rrec.data[0], *pl; 2511 unsigned short hbtype; 2512 unsigned int payload; 2513 unsigned int padding = 16; /* Use minimum padding */ 2514 2515 /* Read type and payload length first */ 2516 hbtype = *p++; 2517 n2s(p, payload); 2518 pl = p; 2519 2520 if (s->msg_callback) 2521 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 2522 &s->s3->rrec.data[0], s->s3->rrec.length, 2523 s, s->msg_callback_arg); 2524 2525 if (hbtype == TLS1_HB_REQUEST) 2526 { 2527 unsigned char *buffer, *bp; 2528 int r; 2529 2530 /* Allocate memory for the response, size is 1 bytes 2531 * message type, plus 2 bytes payload length, plus 2532 * payload, plus padding 2533 */ 2534 buffer = OPENSSL_malloc(1 + 2 + payload + padding); 2535 bp = buffer; 2536 2537 /* Enter response type, length and copy payload */ 2538 *bp++ = TLS1_HB_RESPONSE; 2539 s2n(payload, bp); 2540 memcpy(bp, pl, payload); 2541 bp += payload; 2542 /* Random padding */ 2543 RAND_pseudo_bytes(bp, padding); 2544 2545 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 2546 2547 if (r >= 0 && s->msg_callback) 2548 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2549 buffer, 3 + payload + padding, 2550 s, s->msg_callback_arg); 2551 2552 OPENSSL_free(buffer); 2553 2554 if (r < 0) 2555 return r; 2556 } 2557 else if (hbtype == TLS1_HB_RESPONSE) 2558 { 2559 unsigned int seq; 2560 2561 /* We only send sequence numbers (2 bytes unsigned int), 2562 * and 16 random bytes, so we just try to read the 2563 * sequence number */ 2564 n2s(pl, seq); 2565 2566 if (payload == 18 && seq == s->tlsext_hb_seq) 2567 { 2568 s->tlsext_hb_seq++; 2569 s->tlsext_hb_pending = 0; 2570 } 2571 } 2572 2573 return 0; 2574 } 2575 2576 int 2577 tls1_heartbeat(SSL *s) 2578 { 2579 unsigned char *buf, *p; 2580 int ret; 2581 unsigned int payload = 18; /* Sequence number + random bytes */ 2582 unsigned int padding = 16; /* Use minimum padding */ 2583 2584 /* Only send if peer supports and accepts HB requests... */ 2585 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || 2586 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) 2587 { 2588 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); 2589 return -1; 2590 } 2591 2592 /* ...and there is none in flight yet... */ 2593 if (s->tlsext_hb_pending) 2594 { 2595 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING); 2596 return -1; 2597 } 2598 2599 /* ...and no handshake in progress. */ 2600 if (SSL_in_init(s) || s->in_handshake) 2601 { 2602 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE); 2603 return -1; 2604 } 2605 2606 /* Check if padding is too long, payload and padding 2607 * must not exceed 2^14 - 3 = 16381 bytes in total. 2608 */ 2609 OPENSSL_assert(payload + padding <= 16381); 2610 2611 /* Create HeartBeat message, we just use a sequence number 2612 * as payload to distuingish different messages and add 2613 * some random stuff. 2614 * - Message Type, 1 byte 2615 * - Payload Length, 2 bytes (unsigned int) 2616 * - Payload, the sequence number (2 bytes uint) 2617 * - Payload, random bytes (16 bytes uint) 2618 * - Padding 2619 */ 2620 buf = OPENSSL_malloc(1 + 2 + payload + padding); 2621 p = buf; 2622 /* Message Type */ 2623 *p++ = TLS1_HB_REQUEST; 2624 /* Payload length (18 bytes here) */ 2625 s2n(payload, p); 2626 /* Sequence number */ 2627 s2n(s->tlsext_hb_seq, p); 2628 /* 16 random bytes */ 2629 RAND_pseudo_bytes(p, 16); 2630 p += 16; 2631 /* Random padding */ 2632 RAND_pseudo_bytes(p, padding); 2633 2634 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 2635 if (ret >= 0) 2636 { 2637 if (s->msg_callback) 2638 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2639 buf, 3 + payload + padding, 2640 s, s->msg_callback_arg); 2641 2642 s->tlsext_hb_pending = 1; 2643 } 2644 2645 OPENSSL_free(buf); 2646 2647 return ret; 2648 } 2649 #endif 2650 2651 #if !defined(OPENSSL_NO_TLSEXT) 2652 /* tls1_channel_id_hash calculates the signed data for a Channel ID on the given 2653 * SSL connection and writes it to |md|. 2654 */ 2655 int 2656 tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s) 2657 { 2658 EVP_MD_CTX ctx; 2659 unsigned char temp_digest[EVP_MAX_MD_SIZE]; 2660 unsigned temp_digest_len; 2661 int i; 2662 static const char kClientIDMagic[] = "TLS Channel ID signature"; 2663 2664 if (s->s3->handshake_buffer) 2665 if (!ssl3_digest_cached_records(s)) 2666 return 0; 2667 2668 EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic)); 2669 2670 EVP_MD_CTX_init(&ctx); 2671 for (i = 0; i < SSL_MAX_DIGEST; i++) 2672 { 2673 if (s->s3->handshake_dgst[i] == NULL) 2674 continue; 2675 EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]); 2676 EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len); 2677 EVP_DigestUpdate(md, temp_digest, temp_digest_len); 2678 } 2679 EVP_MD_CTX_cleanup(&ctx); 2680 2681 return 1; 2682 } 2683 #endif 2684
