1 /* ssl/t1_lib.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay (at) cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay (at) cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core (at) openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay (at) cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh (at) cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include <openssl/objects.h> 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/ocsp.h> 117 #include <openssl/rand.h> 118 #include "ssl_locl.h" 119 120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 121 122 #ifndef OPENSSL_NO_TLSEXT 123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 124 const unsigned char *sess_id, int sesslen, 125 SSL_SESSION **psess); 126 #endif 127 128 SSL3_ENC_METHOD TLSv1_enc_data={ 129 tls1_enc, 130 tls1_mac, 131 tls1_setup_key_block, 132 tls1_generate_master_secret, 133 tls1_change_cipher_state, 134 tls1_final_finish_mac, 135 TLS1_FINISH_MAC_LENGTH, 136 tls1_cert_verify_mac, 137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 139 tls1_alert_code, 140 tls1_export_keying_material, 141 }; 142 143 long tls1_default_timeout(void) 144 { 145 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 146 * is way too long for http, the cache would over fill */ 147 return(60*60*2); 148 } 149 150 int tls1_new(SSL *s) 151 { 152 if (!ssl3_new(s)) return(0); 153 s->method->ssl_clear(s); 154 return(1); 155 } 156 157 void tls1_free(SSL *s) 158 { 159 #ifndef OPENSSL_NO_TLSEXT 160 if (s->tlsext_session_ticket) 161 { 162 OPENSSL_free(s->tlsext_session_ticket); 163 } 164 #endif /* OPENSSL_NO_TLSEXT */ 165 ssl3_free(s); 166 } 167 168 void tls1_clear(SSL *s) 169 { 170 ssl3_clear(s); 171 s->version = s->method->version; 172 } 173 174 #ifndef OPENSSL_NO_EC 175 176 static int nid_list[] = 177 { 178 NID_sect163k1, /* sect163k1 (1) */ 179 NID_sect163r1, /* sect163r1 (2) */ 180 NID_sect163r2, /* sect163r2 (3) */ 181 NID_sect193r1, /* sect193r1 (4) */ 182 NID_sect193r2, /* sect193r2 (5) */ 183 NID_sect233k1, /* sect233k1 (6) */ 184 NID_sect233r1, /* sect233r1 (7) */ 185 NID_sect239k1, /* sect239k1 (8) */ 186 NID_sect283k1, /* sect283k1 (9) */ 187 NID_sect283r1, /* sect283r1 (10) */ 188 NID_sect409k1, /* sect409k1 (11) */ 189 NID_sect409r1, /* sect409r1 (12) */ 190 NID_sect571k1, /* sect571k1 (13) */ 191 NID_sect571r1, /* sect571r1 (14) */ 192 NID_secp160k1, /* secp160k1 (15) */ 193 NID_secp160r1, /* secp160r1 (16) */ 194 NID_secp160r2, /* secp160r2 (17) */ 195 NID_secp192k1, /* secp192k1 (18) */ 196 NID_X9_62_prime192v1, /* secp192r1 (19) */ 197 NID_secp224k1, /* secp224k1 (20) */ 198 NID_secp224r1, /* secp224r1 (21) */ 199 NID_secp256k1, /* secp256k1 (22) */ 200 NID_X9_62_prime256v1, /* secp256r1 (23) */ 201 NID_secp384r1, /* secp384r1 (24) */ 202 NID_secp521r1 /* secp521r1 (25) */ 203 }; 204 205 static int pref_list[] = 206 { 207 NID_sect571r1, /* sect571r1 (14) */ 208 NID_sect571k1, /* sect571k1 (13) */ 209 NID_secp521r1, /* secp521r1 (25) */ 210 NID_sect409k1, /* sect409k1 (11) */ 211 NID_sect409r1, /* sect409r1 (12) */ 212 NID_secp384r1, /* secp384r1 (24) */ 213 NID_sect283k1, /* sect283k1 (9) */ 214 NID_sect283r1, /* sect283r1 (10) */ 215 NID_secp256k1, /* secp256k1 (22) */ 216 NID_X9_62_prime256v1, /* secp256r1 (23) */ 217 NID_sect239k1, /* sect239k1 (8) */ 218 NID_sect233k1, /* sect233k1 (6) */ 219 NID_sect233r1, /* sect233r1 (7) */ 220 NID_secp224k1, /* secp224k1 (20) */ 221 NID_secp224r1, /* secp224r1 (21) */ 222 NID_sect193r1, /* sect193r1 (4) */ 223 NID_sect193r2, /* sect193r2 (5) */ 224 NID_secp192k1, /* secp192k1 (18) */ 225 NID_X9_62_prime192v1, /* secp192r1 (19) */ 226 NID_sect163k1, /* sect163k1 (1) */ 227 NID_sect163r1, /* sect163r1 (2) */ 228 NID_sect163r2, /* sect163r2 (3) */ 229 NID_secp160k1, /* secp160k1 (15) */ 230 NID_secp160r1, /* secp160r1 (16) */ 231 NID_secp160r2, /* secp160r2 (17) */ 232 }; 233 234 int tls1_ec_curve_id2nid(int curve_id) 235 { 236 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 237 if ((curve_id < 1) || ((unsigned int)curve_id > 238 sizeof(nid_list)/sizeof(nid_list[0]))) 239 return 0; 240 return nid_list[curve_id-1]; 241 } 242 243 int tls1_ec_nid2curve_id(int nid) 244 { 245 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 246 switch (nid) 247 { 248 case NID_sect163k1: /* sect163k1 (1) */ 249 return 1; 250 case NID_sect163r1: /* sect163r1 (2) */ 251 return 2; 252 case NID_sect163r2: /* sect163r2 (3) */ 253 return 3; 254 case NID_sect193r1: /* sect193r1 (4) */ 255 return 4; 256 case NID_sect193r2: /* sect193r2 (5) */ 257 return 5; 258 case NID_sect233k1: /* sect233k1 (6) */ 259 return 6; 260 case NID_sect233r1: /* sect233r1 (7) */ 261 return 7; 262 case NID_sect239k1: /* sect239k1 (8) */ 263 return 8; 264 case NID_sect283k1: /* sect283k1 (9) */ 265 return 9; 266 case NID_sect283r1: /* sect283r1 (10) */ 267 return 10; 268 case NID_sect409k1: /* sect409k1 (11) */ 269 return 11; 270 case NID_sect409r1: /* sect409r1 (12) */ 271 return 12; 272 case NID_sect571k1: /* sect571k1 (13) */ 273 return 13; 274 case NID_sect571r1: /* sect571r1 (14) */ 275 return 14; 276 case NID_secp160k1: /* secp160k1 (15) */ 277 return 15; 278 case NID_secp160r1: /* secp160r1 (16) */ 279 return 16; 280 case NID_secp160r2: /* secp160r2 (17) */ 281 return 17; 282 case NID_secp192k1: /* secp192k1 (18) */ 283 return 18; 284 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 285 return 19; 286 case NID_secp224k1: /* secp224k1 (20) */ 287 return 20; 288 case NID_secp224r1: /* secp224r1 (21) */ 289 return 21; 290 case NID_secp256k1: /* secp256k1 (22) */ 291 return 22; 292 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 293 return 23; 294 case NID_secp384r1: /* secp384r1 (24) */ 295 return 24; 296 case NID_secp521r1: /* secp521r1 (25) */ 297 return 25; 298 default: 299 return 0; 300 } 301 } 302 #endif /* OPENSSL_NO_EC */ 303 304 #ifndef OPENSSL_NO_TLSEXT 305 306 /* List of supported signature algorithms and hashes. Should make this 307 * customisable at some point, for now include everything we support. 308 */ 309 310 #ifdef OPENSSL_NO_RSA 311 #define tlsext_sigalg_rsa(md) /* */ 312 #else 313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, 314 #endif 315 316 #ifdef OPENSSL_NO_DSA 317 #define tlsext_sigalg_dsa(md) /* */ 318 #else 319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, 320 #endif 321 322 #ifdef OPENSSL_NO_ECDSA 323 #define tlsext_sigalg_ecdsa(md) /* */ 324 #else 325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, 326 #endif 327 328 #define tlsext_sigalg(md) \ 329 tlsext_sigalg_rsa(md) \ 330 tlsext_sigalg_dsa(md) \ 331 tlsext_sigalg_ecdsa(md) 332 333 static unsigned char tls12_sigalgs[] = { 334 #ifndef OPENSSL_NO_SHA512 335 tlsext_sigalg(TLSEXT_hash_sha512) 336 tlsext_sigalg(TLSEXT_hash_sha384) 337 #endif 338 #ifndef OPENSSL_NO_SHA256 339 tlsext_sigalg(TLSEXT_hash_sha256) 340 tlsext_sigalg(TLSEXT_hash_sha224) 341 #endif 342 #ifndef OPENSSL_NO_SHA 343 tlsext_sigalg(TLSEXT_hash_sha1) 344 #endif 345 #ifndef OPENSSL_NO_MD5 346 tlsext_sigalg_rsa(TLSEXT_hash_md5) 347 #endif 348 }; 349 350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p) 351 { 352 size_t slen = sizeof(tls12_sigalgs); 353 #ifdef OPENSSL_FIPS 354 /* If FIPS mode don't include MD5 which is last */ 355 if (FIPS_mode()) 356 slen -= 2; 357 #endif 358 if (p) 359 memcpy(p, tls12_sigalgs, slen); 360 return (int)slen; 361 } 362 363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 364 { 365 int extdatalen=0; 366 unsigned char *ret = p; 367 368 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 369 if (s->client_version == SSL3_VERSION 370 && !s->s3->send_connection_binding) 371 return p; 372 373 ret+=2; 374 375 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 376 377 if (s->tlsext_hostname != NULL) 378 { 379 /* Add TLS extension servername to the Client Hello message */ 380 unsigned long size_str; 381 long lenmax; 382 383 /* check for enough space. 384 4 for the servername type and entension length 385 2 for servernamelist length 386 1 for the hostname type 387 2 for hostname length 388 + hostname length 389 */ 390 391 if ((lenmax = limit - ret - 9) < 0 392 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 393 return NULL; 394 395 /* extension type and length */ 396 s2n(TLSEXT_TYPE_server_name,ret); 397 s2n(size_str+5,ret); 398 399 /* length of servername list */ 400 s2n(size_str+3,ret); 401 402 /* hostname type, length and hostname */ 403 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 404 s2n(size_str,ret); 405 memcpy(ret, s->tlsext_hostname, size_str); 406 ret+=size_str; 407 } 408 409 /* Add RI if renegotiating */ 410 if (s->renegotiate) 411 { 412 int el; 413 414 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 415 { 416 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 417 return NULL; 418 } 419 420 if((limit - p - 4 - el) < 0) return NULL; 421 422 s2n(TLSEXT_TYPE_renegotiate,ret); 423 s2n(el,ret); 424 425 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) 426 { 427 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 428 return NULL; 429 } 430 431 ret += el; 432 } 433 434 #ifndef OPENSSL_NO_SRP 435 /* Add SRP username if there is one */ 436 if (s->srp_ctx.login != NULL) 437 { /* Add TLS extension SRP username to the Client Hello message */ 438 439 int login_len = strlen(s->srp_ctx.login); 440 if (login_len > 255 || login_len == 0) 441 { 442 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 443 return NULL; 444 } 445 446 /* check for enough space. 447 4 for the srp type type and entension length 448 1 for the srp user identity 449 + srp user identity length 450 */ 451 if ((limit - ret - 5 - login_len) < 0) return NULL; 452 453 /* fill in the extension */ 454 s2n(TLSEXT_TYPE_srp,ret); 455 s2n(login_len+1,ret); 456 (*ret++) = (unsigned char) login_len; 457 memcpy(ret, s->srp_ctx.login, login_len); 458 ret+=login_len; 459 } 460 #endif 461 462 #ifndef OPENSSL_NO_EC 463 if (s->tlsext_ecpointformatlist != NULL && 464 s->version != DTLS1_VERSION) 465 { 466 /* Add TLS extension ECPointFormats to the ClientHello message */ 467 long lenmax; 468 469 if ((lenmax = limit - ret - 5) < 0) return NULL; 470 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 471 if (s->tlsext_ecpointformatlist_length > 255) 472 { 473 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 474 return NULL; 475 } 476 477 s2n(TLSEXT_TYPE_ec_point_formats,ret); 478 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 479 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 480 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 481 ret+=s->tlsext_ecpointformatlist_length; 482 } 483 if (s->tlsext_ellipticcurvelist != NULL && 484 s->version != DTLS1_VERSION) 485 { 486 /* Add TLS extension EllipticCurves to the ClientHello message */ 487 long lenmax; 488 489 if ((lenmax = limit - ret - 6) < 0) return NULL; 490 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; 491 if (s->tlsext_ellipticcurvelist_length > 65532) 492 { 493 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 494 return NULL; 495 } 496 497 s2n(TLSEXT_TYPE_elliptic_curves,ret); 498 s2n(s->tlsext_ellipticcurvelist_length + 2, ret); 499 500 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 501 * elliptic_curve_list, but the examples use two bytes. 502 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 503 * resolves this to two bytes. 504 */ 505 s2n(s->tlsext_ellipticcurvelist_length, ret); 506 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); 507 ret+=s->tlsext_ellipticcurvelist_length; 508 } 509 #endif /* OPENSSL_NO_EC */ 510 511 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 512 { 513 int ticklen; 514 if (!s->new_session && s->session && s->session->tlsext_tick) 515 ticklen = s->session->tlsext_ticklen; 516 else if (s->session && s->tlsext_session_ticket && 517 s->tlsext_session_ticket->data) 518 { 519 ticklen = s->tlsext_session_ticket->length; 520 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 521 if (!s->session->tlsext_tick) 522 return NULL; 523 memcpy(s->session->tlsext_tick, 524 s->tlsext_session_ticket->data, 525 ticklen); 526 s->session->tlsext_ticklen = ticklen; 527 } 528 else 529 ticklen = 0; 530 if (ticklen == 0 && s->tlsext_session_ticket && 531 s->tlsext_session_ticket->data == NULL) 532 goto skip_ext; 533 /* Check for enough room 2 for extension type, 2 for len 534 * rest for ticket 535 */ 536 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; 537 s2n(TLSEXT_TYPE_session_ticket,ret); 538 s2n(ticklen,ret); 539 if (ticklen) 540 { 541 memcpy(ret, s->session->tlsext_tick, ticklen); 542 ret += ticklen; 543 } 544 } 545 skip_ext: 546 547 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 548 { 549 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 550 return NULL; 551 s2n(TLSEXT_TYPE_signature_algorithms,ret); 552 s2n(sizeof(tls12_sigalgs) + 2, ret); 553 s2n(sizeof(tls12_sigalgs), ret); 554 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 555 ret += sizeof(tls12_sigalgs); 556 } 557 558 #ifdef TLSEXT_TYPE_opaque_prf_input 559 if (s->s3->client_opaque_prf_input != NULL && 560 s->version != DTLS1_VERSION) 561 { 562 size_t col = s->s3->client_opaque_prf_input_len; 563 564 if ((long)(limit - ret - 6 - col < 0)) 565 return NULL; 566 if (col > 0xFFFD) /* can't happen */ 567 return NULL; 568 569 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 570 s2n(col + 2, ret); 571 s2n(col, ret); 572 memcpy(ret, s->s3->client_opaque_prf_input, col); 573 ret += col; 574 } 575 #endif 576 577 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 578 s->version != DTLS1_VERSION) 579 { 580 int i; 581 long extlen, idlen, itmp; 582 OCSP_RESPID *id; 583 584 idlen = 0; 585 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 586 { 587 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 588 itmp = i2d_OCSP_RESPID(id, NULL); 589 if (itmp <= 0) 590 return NULL; 591 idlen += itmp + 2; 592 } 593 594 if (s->tlsext_ocsp_exts) 595 { 596 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 597 if (extlen < 0) 598 return NULL; 599 } 600 else 601 extlen = 0; 602 603 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 604 s2n(TLSEXT_TYPE_status_request, ret); 605 if (extlen + idlen > 0xFFF0) 606 return NULL; 607 s2n(extlen + idlen + 5, ret); 608 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 609 s2n(idlen, ret); 610 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 611 { 612 /* save position of id len */ 613 unsigned char *q = ret; 614 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 615 /* skip over id len */ 616 ret += 2; 617 itmp = i2d_OCSP_RESPID(id, &ret); 618 /* write id len */ 619 s2n(itmp, q); 620 } 621 s2n(extlen, ret); 622 if (extlen > 0) 623 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 624 } 625 626 #ifndef OPENSSL_NO_HEARTBEATS 627 /* Add Heartbeat extension */ 628 s2n(TLSEXT_TYPE_heartbeat,ret); 629 s2n(1,ret); 630 /* Set mode: 631 * 1: peer may send requests 632 * 2: peer not allowed to send requests 633 */ 634 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 635 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 636 else 637 *(ret++) = SSL_TLSEXT_HB_ENABLED; 638 #endif 639 640 #ifndef OPENSSL_NO_NEXTPROTONEG 641 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) 642 { 643 /* The client advertises an emtpy extension to indicate its 644 * support for Next Protocol Negotiation */ 645 if (limit - ret - 4 < 0) 646 return NULL; 647 s2n(TLSEXT_TYPE_next_proto_neg,ret); 648 s2n(0,ret); 649 } 650 #endif 651 652 if (s->tlsext_channel_id_enabled) 653 { 654 /* The client advertises an emtpy extension to indicate its 655 * support for Channel ID. */ 656 if (limit - ret - 4 < 0) 657 return NULL; 658 s2n(TLSEXT_TYPE_channel_id,ret); 659 s2n(0,ret); 660 } 661 662 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) 663 { 664 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) 665 return NULL; 666 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret); 667 s2n(2 + s->alpn_client_proto_list_len,ret); 668 s2n(s->alpn_client_proto_list_len,ret); 669 memcpy(ret, s->alpn_client_proto_list, 670 s->alpn_client_proto_list_len); 671 ret += s->alpn_client_proto_list_len; 672 } 673 674 #ifndef OPENSSL_NO_SRTP 675 if(SSL_get_srtp_profiles(s)) 676 { 677 int el; 678 679 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 680 681 if((limit - p - 4 - el) < 0) return NULL; 682 683 s2n(TLSEXT_TYPE_use_srtp,ret); 684 s2n(el,ret); 685 686 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) 687 { 688 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 689 return NULL; 690 } 691 ret += el; 692 } 693 #endif 694 695 if ((extdatalen = ret-p-2)== 0) 696 return p; 697 698 s2n(extdatalen,p); 699 return ret; 700 } 701 702 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 703 { 704 int extdatalen=0; 705 unsigned char *ret = p; 706 #ifndef OPENSSL_NO_NEXTPROTONEG 707 int next_proto_neg_seen; 708 #endif 709 710 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 711 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 712 return p; 713 714 ret+=2; 715 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 716 717 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) 718 { 719 if ((long)(limit - ret - 4) < 0) return NULL; 720 721 s2n(TLSEXT_TYPE_server_name,ret); 722 s2n(0,ret); 723 } 724 725 if(s->s3->send_connection_binding) 726 { 727 int el; 728 729 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) 730 { 731 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 732 return NULL; 733 } 734 735 if((limit - p - 4 - el) < 0) return NULL; 736 737 s2n(TLSEXT_TYPE_renegotiate,ret); 738 s2n(el,ret); 739 740 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) 741 { 742 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 743 return NULL; 744 } 745 746 ret += el; 747 } 748 749 #ifndef OPENSSL_NO_EC 750 if (s->tlsext_ecpointformatlist != NULL && 751 s->version != DTLS1_VERSION) 752 { 753 /* Add TLS extension ECPointFormats to the ServerHello message */ 754 long lenmax; 755 756 if ((lenmax = limit - ret - 5) < 0) return NULL; 757 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 758 if (s->tlsext_ecpointformatlist_length > 255) 759 { 760 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 761 return NULL; 762 } 763 764 s2n(TLSEXT_TYPE_ec_point_formats,ret); 765 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 766 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 767 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 768 ret+=s->tlsext_ecpointformatlist_length; 769 770 } 771 /* Currently the server should not respond with a SupportedCurves extension */ 772 #endif /* OPENSSL_NO_EC */ 773 774 if (s->tlsext_ticket_expected 775 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 776 { 777 if ((long)(limit - ret - 4) < 0) return NULL; 778 s2n(TLSEXT_TYPE_session_ticket,ret); 779 s2n(0,ret); 780 } 781 782 if (s->tlsext_status_expected) 783 { 784 if ((long)(limit - ret - 4) < 0) return NULL; 785 s2n(TLSEXT_TYPE_status_request,ret); 786 s2n(0,ret); 787 } 788 789 #ifdef TLSEXT_TYPE_opaque_prf_input 790 if (s->s3->server_opaque_prf_input != NULL && 791 s->version != DTLS1_VERSION) 792 { 793 size_t sol = s->s3->server_opaque_prf_input_len; 794 795 if ((long)(limit - ret - 6 - sol) < 0) 796 return NULL; 797 if (sol > 0xFFFD) /* can't happen */ 798 return NULL; 799 800 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 801 s2n(sol + 2, ret); 802 s2n(sol, ret); 803 memcpy(ret, s->s3->server_opaque_prf_input, sol); 804 ret += sol; 805 } 806 #endif 807 808 #ifndef OPENSSL_NO_SRTP 809 if(s->srtp_profile) 810 { 811 int el; 812 813 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 814 815 if((limit - p - 4 - el) < 0) return NULL; 816 817 s2n(TLSEXT_TYPE_use_srtp,ret); 818 s2n(el,ret); 819 820 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) 821 { 822 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 823 return NULL; 824 } 825 ret+=el; 826 } 827 #endif 828 829 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 830 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 831 { const unsigned char cryptopro_ext[36] = { 832 0xfd, 0xe8, /*65000*/ 833 0x00, 0x20, /*32 bytes length*/ 834 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 835 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 836 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 837 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17}; 838 if (limit-ret<36) return NULL; 839 memcpy(ret,cryptopro_ext,36); 840 ret+=36; 841 842 } 843 844 #ifndef OPENSSL_NO_HEARTBEATS 845 /* Add Heartbeat extension if we've received one */ 846 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) 847 { 848 s2n(TLSEXT_TYPE_heartbeat,ret); 849 s2n(1,ret); 850 /* Set mode: 851 * 1: peer may send requests 852 * 2: peer not allowed to send requests 853 */ 854 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 855 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 856 else 857 *(ret++) = SSL_TLSEXT_HB_ENABLED; 858 859 } 860 #endif 861 862 #ifndef OPENSSL_NO_NEXTPROTONEG 863 next_proto_neg_seen = s->s3->next_proto_neg_seen; 864 s->s3->next_proto_neg_seen = 0; 865 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) 866 { 867 const unsigned char *npa; 868 unsigned int npalen; 869 int r; 870 871 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); 872 if (r == SSL_TLSEXT_ERR_OK) 873 { 874 if ((long)(limit - ret - 4 - npalen) < 0) return NULL; 875 s2n(TLSEXT_TYPE_next_proto_neg,ret); 876 s2n(npalen,ret); 877 memcpy(ret, npa, npalen); 878 ret += npalen; 879 s->s3->next_proto_neg_seen = 1; 880 } 881 } 882 #endif 883 884 /* If the client advertised support for Channel ID, and we have it 885 * enabled, then we want to echo it back. */ 886 if (s->s3->tlsext_channel_id_valid) 887 { 888 if (limit - ret - 4 < 0) 889 return NULL; 890 s2n(TLSEXT_TYPE_channel_id,ret); 891 s2n(0,ret); 892 } 893 894 if (s->s3->alpn_selected) 895 { 896 const unsigned char *selected = s->s3->alpn_selected; 897 unsigned len = s->s3->alpn_selected_len; 898 899 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) 900 return NULL; 901 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret); 902 s2n(3 + len,ret); 903 s2n(1 + len,ret); 904 *ret++ = len; 905 memcpy(ret, selected, len); 906 ret += len; 907 } 908 909 if ((extdatalen = ret-p-2)== 0) 910 return p; 911 912 s2n(extdatalen,p); 913 return ret; 914 } 915 916 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a 917 * ClientHello. 918 * data: the contents of the extension, not including the type and length. 919 * data_len: the number of bytes in |data| 920 * al: a pointer to the alert value to send in the event of a non-zero 921 * return. 922 * 923 * returns: 0 on success. */ 924 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, 925 unsigned data_len, int *al) 926 { 927 unsigned i; 928 unsigned proto_len; 929 const unsigned char *selected; 930 unsigned char selected_len; 931 int r; 932 933 if (s->ctx->alpn_select_cb == NULL) 934 return 0; 935 936 if (data_len < 2) 937 goto parse_error; 938 939 /* data should contain a uint16 length followed by a series of 8-bit, 940 * length-prefixed strings. */ 941 i = ((unsigned) data[0]) << 8 | 942 ((unsigned) data[1]); 943 data_len -= 2; 944 data += 2; 945 if (data_len != i) 946 goto parse_error; 947 948 if (data_len < 2) 949 goto parse_error; 950 951 for (i = 0; i < data_len;) 952 { 953 proto_len = data[i]; 954 i++; 955 956 if (proto_len == 0) 957 goto parse_error; 958 959 if (i + proto_len < i || i + proto_len > data_len) 960 goto parse_error; 961 962 i += proto_len; 963 } 964 965 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len, 966 s->ctx->alpn_select_cb_arg); 967 if (r == SSL_TLSEXT_ERR_OK) { 968 if (s->s3->alpn_selected) 969 OPENSSL_free(s->s3->alpn_selected); 970 s->s3->alpn_selected = OPENSSL_malloc(selected_len); 971 if (!s->s3->alpn_selected) 972 { 973 *al = SSL_AD_INTERNAL_ERROR; 974 return -1; 975 } 976 memcpy(s->s3->alpn_selected, selected, selected_len); 977 s->s3->alpn_selected_len = selected_len; 978 } 979 return 0; 980 981 parse_error: 982 *al = SSL_AD_DECODE_ERROR; 983 return -1; 984 } 985 986 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 987 { 988 unsigned short type; 989 unsigned short size; 990 unsigned short len; 991 unsigned char *data = *p; 992 int renegotiate_seen = 0; 993 int sigalg_seen = 0; 994 995 s->servername_done = 0; 996 s->tlsext_status_type = -1; 997 998 /* Reset TLS 1.2 digest functions to defaults because they don't carry 999 * over to a renegotiation. */ 1000 s->s3->digest_rsa = NULL; 1001 s->s3->digest_dsa = NULL; 1002 s->s3->digest_ecdsa = NULL; 1003 1004 #ifndef OPENSSL_NO_NEXTPROTONEG 1005 s->s3->next_proto_neg_seen = 0; 1006 #endif 1007 1008 if (s->s3->alpn_selected) 1009 { 1010 OPENSSL_free(s->s3->alpn_selected); 1011 s->s3->alpn_selected = NULL; 1012 } 1013 1014 #ifndef OPENSSL_NO_HEARTBEATS 1015 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1016 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1017 #endif 1018 1019 if (data >= (d+n-2)) 1020 goto ri_check; 1021 n2s(data,len); 1022 1023 if (data > (d+n-len)) 1024 goto ri_check; 1025 1026 while (data <= (d+n-4)) 1027 { 1028 n2s(data,type); 1029 n2s(data,size); 1030 1031 if (data+size > (d+n)) 1032 goto ri_check; 1033 #if 0 1034 fprintf(stderr,"Received extension type %d size %d\n",type,size); 1035 #endif 1036 if (s->tlsext_debug_cb) 1037 s->tlsext_debug_cb(s, 0, type, data, size, 1038 s->tlsext_debug_arg); 1039 /* The servername extension is treated as follows: 1040 1041 - Only the hostname type is supported with a maximum length of 255. 1042 - The servername is rejected if too long or if it contains zeros, 1043 in which case an fatal alert is generated. 1044 - The servername field is maintained together with the session cache. 1045 - When a session is resumed, the servername call back invoked in order 1046 to allow the application to position itself to the right context. 1047 - The servername is acknowledged if it is new for a session or when 1048 it is identical to a previously used for the same session. 1049 Applications can control the behaviour. They can at any time 1050 set a 'desirable' servername for a new SSL object. This can be the 1051 case for example with HTTPS when a Host: header field is received and 1052 a renegotiation is requested. In this case, a possible servername 1053 presented in the new client hello is only acknowledged if it matches 1054 the value of the Host: field. 1055 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1056 if they provide for changing an explicit servername context for the session, 1057 i.e. when the session has been established with a servername extension. 1058 - On session reconnect, the servername extension may be absent. 1059 1060 */ 1061 1062 if (type == TLSEXT_TYPE_server_name) 1063 { 1064 unsigned char *sdata; 1065 int servname_type; 1066 int dsize; 1067 1068 if (size < 2) 1069 { 1070 *al = SSL_AD_DECODE_ERROR; 1071 return 0; 1072 } 1073 n2s(data,dsize); 1074 size -= 2; 1075 if (dsize > size ) 1076 { 1077 *al = SSL_AD_DECODE_ERROR; 1078 return 0; 1079 } 1080 1081 sdata = data; 1082 while (dsize > 3) 1083 { 1084 servname_type = *(sdata++); 1085 n2s(sdata,len); 1086 dsize -= 3; 1087 1088 if (len > dsize) 1089 { 1090 *al = SSL_AD_DECODE_ERROR; 1091 return 0; 1092 } 1093 if (s->servername_done == 0) 1094 switch (servname_type) 1095 { 1096 case TLSEXT_NAMETYPE_host_name: 1097 if (!s->hit) 1098 { 1099 if(s->session->tlsext_hostname) 1100 { 1101 *al = SSL_AD_DECODE_ERROR; 1102 return 0; 1103 } 1104 if (len > TLSEXT_MAXLEN_host_name) 1105 { 1106 *al = TLS1_AD_UNRECOGNIZED_NAME; 1107 return 0; 1108 } 1109 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) 1110 { 1111 *al = TLS1_AD_INTERNAL_ERROR; 1112 return 0; 1113 } 1114 memcpy(s->session->tlsext_hostname, sdata, len); 1115 s->session->tlsext_hostname[len]='\0'; 1116 if (strlen(s->session->tlsext_hostname) != len) { 1117 OPENSSL_free(s->session->tlsext_hostname); 1118 s->session->tlsext_hostname = NULL; 1119 *al = TLS1_AD_UNRECOGNIZED_NAME; 1120 return 0; 1121 } 1122 s->servername_done = 1; 1123 1124 } 1125 else 1126 s->servername_done = s->session->tlsext_hostname 1127 && strlen(s->session->tlsext_hostname) == len 1128 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1129 1130 break; 1131 1132 default: 1133 break; 1134 } 1135 1136 dsize -= len; 1137 } 1138 if (dsize != 0) 1139 { 1140 *al = SSL_AD_DECODE_ERROR; 1141 return 0; 1142 } 1143 1144 } 1145 #ifndef OPENSSL_NO_SRP 1146 else if (type == TLSEXT_TYPE_srp) 1147 { 1148 if (size <= 0 || ((len = data[0])) != (size -1)) 1149 { 1150 *al = SSL_AD_DECODE_ERROR; 1151 return 0; 1152 } 1153 if (s->srp_ctx.login != NULL) 1154 { 1155 *al = SSL_AD_DECODE_ERROR; 1156 return 0; 1157 } 1158 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL) 1159 return -1; 1160 memcpy(s->srp_ctx.login, &data[1], len); 1161 s->srp_ctx.login[len]='\0'; 1162 1163 if (strlen(s->srp_ctx.login) != len) 1164 { 1165 *al = SSL_AD_DECODE_ERROR; 1166 return 0; 1167 } 1168 } 1169 #endif 1170 1171 #ifndef OPENSSL_NO_EC 1172 else if (type == TLSEXT_TYPE_ec_point_formats && 1173 s->version != DTLS1_VERSION) 1174 { 1175 unsigned char *sdata = data; 1176 int ecpointformatlist_length = *(sdata++); 1177 1178 if (ecpointformatlist_length != size - 1) 1179 { 1180 *al = TLS1_AD_DECODE_ERROR; 1181 return 0; 1182 } 1183 if (!s->hit) 1184 { 1185 if(s->session->tlsext_ecpointformatlist) 1186 { 1187 OPENSSL_free(s->session->tlsext_ecpointformatlist); 1188 s->session->tlsext_ecpointformatlist = NULL; 1189 } 1190 s->session->tlsext_ecpointformatlist_length = 0; 1191 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1192 { 1193 *al = TLS1_AD_INTERNAL_ERROR; 1194 return 0; 1195 } 1196 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1197 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1198 } 1199 #if 0 1200 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); 1201 sdata = s->session->tlsext_ecpointformatlist; 1202 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1203 fprintf(stderr,"%i ",*(sdata++)); 1204 fprintf(stderr,"\n"); 1205 #endif 1206 } 1207 else if (type == TLSEXT_TYPE_elliptic_curves && 1208 s->version != DTLS1_VERSION) 1209 { 1210 unsigned char *sdata = data; 1211 int ellipticcurvelist_length = (*(sdata++) << 8); 1212 ellipticcurvelist_length += (*(sdata++)); 1213 1214 if (ellipticcurvelist_length != size - 2 || 1215 ellipticcurvelist_length < 1) 1216 { 1217 *al = TLS1_AD_DECODE_ERROR; 1218 return 0; 1219 } 1220 if (!s->hit) 1221 { 1222 if(s->session->tlsext_ellipticcurvelist) 1223 { 1224 *al = TLS1_AD_DECODE_ERROR; 1225 return 0; 1226 } 1227 s->session->tlsext_ellipticcurvelist_length = 0; 1228 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) 1229 { 1230 *al = TLS1_AD_INTERNAL_ERROR; 1231 return 0; 1232 } 1233 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; 1234 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); 1235 } 1236 #if 0 1237 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); 1238 sdata = s->session->tlsext_ellipticcurvelist; 1239 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) 1240 fprintf(stderr,"%i ",*(sdata++)); 1241 fprintf(stderr,"\n"); 1242 #endif 1243 } 1244 #endif /* OPENSSL_NO_EC */ 1245 #ifdef TLSEXT_TYPE_opaque_prf_input 1246 else if (type == TLSEXT_TYPE_opaque_prf_input && 1247 s->version != DTLS1_VERSION) 1248 { 1249 unsigned char *sdata = data; 1250 1251 if (size < 2) 1252 { 1253 *al = SSL_AD_DECODE_ERROR; 1254 return 0; 1255 } 1256 n2s(sdata, s->s3->client_opaque_prf_input_len); 1257 if (s->s3->client_opaque_prf_input_len != size - 2) 1258 { 1259 *al = SSL_AD_DECODE_ERROR; 1260 return 0; 1261 } 1262 1263 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1264 OPENSSL_free(s->s3->client_opaque_prf_input); 1265 if (s->s3->client_opaque_prf_input_len == 0) 1266 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1267 else 1268 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); 1269 if (s->s3->client_opaque_prf_input == NULL) 1270 { 1271 *al = TLS1_AD_INTERNAL_ERROR; 1272 return 0; 1273 } 1274 } 1275 #endif 1276 else if (type == TLSEXT_TYPE_session_ticket) 1277 { 1278 if (s->tls_session_ticket_ext_cb && 1279 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1280 { 1281 *al = TLS1_AD_INTERNAL_ERROR; 1282 return 0; 1283 } 1284 } 1285 else if (type == TLSEXT_TYPE_renegotiate) 1286 { 1287 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1288 return 0; 1289 renegotiate_seen = 1; 1290 } 1291 else if (type == TLSEXT_TYPE_signature_algorithms) 1292 { 1293 int dsize; 1294 if (sigalg_seen || size < 2) 1295 { 1296 *al = SSL_AD_DECODE_ERROR; 1297 return 0; 1298 } 1299 sigalg_seen = 1; 1300 n2s(data,dsize); 1301 size -= 2; 1302 if (dsize != size || dsize & 1) 1303 { 1304 *al = SSL_AD_DECODE_ERROR; 1305 return 0; 1306 } 1307 tls1_process_sigalgs(s, data, dsize); 1308 } 1309 else if (type == TLSEXT_TYPE_status_request && 1310 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) 1311 { 1312 1313 if (size < 5) 1314 { 1315 *al = SSL_AD_DECODE_ERROR; 1316 return 0; 1317 } 1318 1319 s->tlsext_status_type = *data++; 1320 size--; 1321 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 1322 { 1323 const unsigned char *sdata; 1324 int dsize; 1325 /* Read in responder_id_list */ 1326 n2s(data,dsize); 1327 size -= 2; 1328 if (dsize > size ) 1329 { 1330 *al = SSL_AD_DECODE_ERROR; 1331 return 0; 1332 } 1333 while (dsize > 0) 1334 { 1335 OCSP_RESPID *id; 1336 int idsize; 1337 if (dsize < 4) 1338 { 1339 *al = SSL_AD_DECODE_ERROR; 1340 return 0; 1341 } 1342 n2s(data, idsize); 1343 dsize -= 2 + idsize; 1344 size -= 2 + idsize; 1345 if (dsize < 0) 1346 { 1347 *al = SSL_AD_DECODE_ERROR; 1348 return 0; 1349 } 1350 sdata = data; 1351 data += idsize; 1352 id = d2i_OCSP_RESPID(NULL, 1353 &sdata, idsize); 1354 if (!id) 1355 { 1356 *al = SSL_AD_DECODE_ERROR; 1357 return 0; 1358 } 1359 if (data != sdata) 1360 { 1361 OCSP_RESPID_free(id); 1362 *al = SSL_AD_DECODE_ERROR; 1363 return 0; 1364 } 1365 if (!s->tlsext_ocsp_ids 1366 && !(s->tlsext_ocsp_ids = 1367 sk_OCSP_RESPID_new_null())) 1368 { 1369 OCSP_RESPID_free(id); 1370 *al = SSL_AD_INTERNAL_ERROR; 1371 return 0; 1372 } 1373 if (!sk_OCSP_RESPID_push( 1374 s->tlsext_ocsp_ids, id)) 1375 { 1376 OCSP_RESPID_free(id); 1377 *al = SSL_AD_INTERNAL_ERROR; 1378 return 0; 1379 } 1380 } 1381 1382 /* Read in request_extensions */ 1383 if (size < 2) 1384 { 1385 *al = SSL_AD_DECODE_ERROR; 1386 return 0; 1387 } 1388 n2s(data,dsize); 1389 size -= 2; 1390 if (dsize != size) 1391 { 1392 *al = SSL_AD_DECODE_ERROR; 1393 return 0; 1394 } 1395 sdata = data; 1396 if (dsize > 0) 1397 { 1398 if (s->tlsext_ocsp_exts) 1399 { 1400 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1401 X509_EXTENSION_free); 1402 } 1403 1404 s->tlsext_ocsp_exts = 1405 d2i_X509_EXTENSIONS(NULL, 1406 &sdata, dsize); 1407 if (!s->tlsext_ocsp_exts 1408 || (data + dsize != sdata)) 1409 { 1410 *al = SSL_AD_DECODE_ERROR; 1411 return 0; 1412 } 1413 } 1414 } 1415 /* We don't know what to do with any other type 1416 * so ignore it. 1417 */ 1418 else 1419 s->tlsext_status_type = -1; 1420 } 1421 #ifndef OPENSSL_NO_HEARTBEATS 1422 else if (type == TLSEXT_TYPE_heartbeat) 1423 { 1424 switch(data[0]) 1425 { 1426 case 0x01: /* Client allows us to send HB requests */ 1427 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1428 break; 1429 case 0x02: /* Client doesn't accept HB requests */ 1430 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1431 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1432 break; 1433 default: *al = SSL_AD_ILLEGAL_PARAMETER; 1434 return 0; 1435 } 1436 } 1437 #endif 1438 #ifndef OPENSSL_NO_NEXTPROTONEG 1439 else if (type == TLSEXT_TYPE_next_proto_neg && 1440 s->s3->tmp.finish_md_len == 0 && 1441 s->s3->alpn_selected == NULL) 1442 { 1443 /* We shouldn't accept this extension on a 1444 * renegotiation. 1445 * 1446 * s->new_session will be set on renegotiation, but we 1447 * probably shouldn't rely that it couldn't be set on 1448 * the initial renegotation too in certain cases (when 1449 * there's some other reason to disallow resuming an 1450 * earlier session -- the current code won't be doing 1451 * anything like that, but this might change). 1452 1453 * A valid sign that there's been a previous handshake 1454 * in this connection is if s->s3->tmp.finish_md_len > 1455 * 0. (We are talking about a check that will happen 1456 * in the Hello protocol round, well before a new 1457 * Finished message could have been computed.) */ 1458 s->s3->next_proto_neg_seen = 1; 1459 } 1460 #endif 1461 1462 else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled) 1463 s->s3->tlsext_channel_id_valid = 1; 1464 1465 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && 1466 s->ctx->alpn_select_cb && 1467 s->s3->tmp.finish_md_len == 0) 1468 { 1469 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0) 1470 return 0; 1471 /* ALPN takes precedence over NPN. */ 1472 s->s3->next_proto_neg_seen = 0; 1473 } 1474 1475 /* session ticket processed earlier */ 1476 #ifndef OPENSSL_NO_SRTP 1477 else if (type == TLSEXT_TYPE_use_srtp) 1478 { 1479 if(ssl_parse_clienthello_use_srtp_ext(s, data, size, 1480 al)) 1481 return 0; 1482 } 1483 #endif 1484 1485 data+=size; 1486 } 1487 1488 *p = data; 1489 1490 ri_check: 1491 1492 /* Need RI if renegotiating */ 1493 1494 if (!renegotiate_seen && s->renegotiate && 1495 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1496 { 1497 *al = SSL_AD_HANDSHAKE_FAILURE; 1498 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1499 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1500 return 0; 1501 } 1502 1503 return 1; 1504 } 1505 1506 #ifndef OPENSSL_NO_NEXTPROTONEG 1507 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1508 * elements of zero length are allowed and the set of elements must exactly fill 1509 * the length of the block. */ 1510 static char ssl_next_proto_validate(unsigned char *d, unsigned len) 1511 { 1512 unsigned int off = 0; 1513 1514 while (off < len) 1515 { 1516 if (d[off] == 0) 1517 return 0; 1518 off += d[off]; 1519 off++; 1520 } 1521 1522 return off == len; 1523 } 1524 #endif 1525 1526 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 1527 { 1528 unsigned short length; 1529 unsigned short type; 1530 unsigned short size; 1531 unsigned char *data = *p; 1532 int tlsext_servername = 0; 1533 int renegotiate_seen = 0; 1534 1535 #ifndef OPENSSL_NO_NEXTPROTONEG 1536 s->s3->next_proto_neg_seen = 0; 1537 #endif 1538 1539 if (s->s3->alpn_selected) 1540 { 1541 OPENSSL_free(s->s3->alpn_selected); 1542 s->s3->alpn_selected = NULL; 1543 } 1544 1545 #ifndef OPENSSL_NO_HEARTBEATS 1546 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1547 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1548 #endif 1549 1550 if (data >= (d+n-2)) 1551 goto ri_check; 1552 1553 n2s(data,length); 1554 if (data+length != d+n) 1555 { 1556 *al = SSL_AD_DECODE_ERROR; 1557 return 0; 1558 } 1559 1560 while(data <= (d+n-4)) 1561 { 1562 n2s(data,type); 1563 n2s(data,size); 1564 1565 if (data+size > (d+n)) 1566 goto ri_check; 1567 1568 if (s->tlsext_debug_cb) 1569 s->tlsext_debug_cb(s, 1, type, data, size, 1570 s->tlsext_debug_arg); 1571 1572 if (type == TLSEXT_TYPE_server_name) 1573 { 1574 if (s->tlsext_hostname == NULL || size > 0) 1575 { 1576 *al = TLS1_AD_UNRECOGNIZED_NAME; 1577 return 0; 1578 } 1579 tlsext_servername = 1; 1580 } 1581 1582 #ifndef OPENSSL_NO_EC 1583 else if (type == TLSEXT_TYPE_ec_point_formats && 1584 s->version != DTLS1_VERSION) 1585 { 1586 unsigned char *sdata = data; 1587 int ecpointformatlist_length = *(sdata++); 1588 1589 if (ecpointformatlist_length != size - 1 || 1590 ecpointformatlist_length < 1) 1591 { 1592 *al = TLS1_AD_DECODE_ERROR; 1593 return 0; 1594 } 1595 s->session->tlsext_ecpointformatlist_length = 0; 1596 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); 1597 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1598 { 1599 *al = TLS1_AD_INTERNAL_ERROR; 1600 return 0; 1601 } 1602 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1603 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1604 #if 0 1605 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); 1606 sdata = s->session->tlsext_ecpointformatlist; 1607 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1608 fprintf(stderr,"%i ",*(sdata++)); 1609 fprintf(stderr,"\n"); 1610 #endif 1611 } 1612 #endif /* OPENSSL_NO_EC */ 1613 1614 else if (type == TLSEXT_TYPE_session_ticket) 1615 { 1616 if (s->tls_session_ticket_ext_cb && 1617 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1618 { 1619 *al = TLS1_AD_INTERNAL_ERROR; 1620 return 0; 1621 } 1622 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 1623 || (size > 0)) 1624 { 1625 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1626 return 0; 1627 } 1628 s->tlsext_ticket_expected = 1; 1629 } 1630 #ifdef TLSEXT_TYPE_opaque_prf_input 1631 else if (type == TLSEXT_TYPE_opaque_prf_input && 1632 s->version != DTLS1_VERSION) 1633 { 1634 unsigned char *sdata = data; 1635 1636 if (size < 2) 1637 { 1638 *al = SSL_AD_DECODE_ERROR; 1639 return 0; 1640 } 1641 n2s(sdata, s->s3->server_opaque_prf_input_len); 1642 if (s->s3->server_opaque_prf_input_len != size - 2) 1643 { 1644 *al = SSL_AD_DECODE_ERROR; 1645 return 0; 1646 } 1647 1648 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1649 OPENSSL_free(s->s3->server_opaque_prf_input); 1650 if (s->s3->server_opaque_prf_input_len == 0) 1651 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1652 else 1653 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); 1654 1655 if (s->s3->server_opaque_prf_input == NULL) 1656 { 1657 *al = TLS1_AD_INTERNAL_ERROR; 1658 return 0; 1659 } 1660 } 1661 #endif 1662 else if (type == TLSEXT_TYPE_status_request && 1663 s->version != DTLS1_VERSION) 1664 { 1665 /* MUST be empty and only sent if we've requested 1666 * a status request message. 1667 */ 1668 if ((s->tlsext_status_type == -1) || (size > 0)) 1669 { 1670 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1671 return 0; 1672 } 1673 /* Set flag to expect CertificateStatus message */ 1674 s->tlsext_status_expected = 1; 1675 } 1676 #ifndef OPENSSL_NO_NEXTPROTONEG 1677 else if (type == TLSEXT_TYPE_next_proto_neg && 1678 s->s3->tmp.finish_md_len == 0) 1679 { 1680 unsigned char *selected; 1681 unsigned char selected_len; 1682 1683 /* We must have requested it. */ 1684 if (s->ctx->next_proto_select_cb == NULL) 1685 { 1686 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1687 return 0; 1688 } 1689 /* The data must be valid */ 1690 if (!ssl_next_proto_validate(data, size)) 1691 { 1692 *al = TLS1_AD_DECODE_ERROR; 1693 return 0; 1694 } 1695 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) 1696 { 1697 *al = TLS1_AD_INTERNAL_ERROR; 1698 return 0; 1699 } 1700 s->next_proto_negotiated = OPENSSL_malloc(selected_len); 1701 if (!s->next_proto_negotiated) 1702 { 1703 *al = TLS1_AD_INTERNAL_ERROR; 1704 return 0; 1705 } 1706 memcpy(s->next_proto_negotiated, selected, selected_len); 1707 s->next_proto_negotiated_len = selected_len; 1708 s->s3->next_proto_neg_seen = 1; 1709 } 1710 #endif 1711 else if (type == TLSEXT_TYPE_channel_id) 1712 s->s3->tlsext_channel_id_valid = 1; 1713 1714 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) 1715 { 1716 unsigned len; 1717 1718 /* We must have requested it. */ 1719 if (s->alpn_client_proto_list == NULL) 1720 { 1721 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1722 return 0; 1723 } 1724 if (size < 4) 1725 { 1726 *al = TLS1_AD_DECODE_ERROR; 1727 return 0; 1728 } 1729 /* The extension data consists of: 1730 * uint16 list_length 1731 * uint8 proto_length; 1732 * uint8 proto[proto_length]; */ 1733 len = data[0]; 1734 len <<= 8; 1735 len |= data[1]; 1736 if (len != (unsigned) size - 2) 1737 { 1738 *al = TLS1_AD_DECODE_ERROR; 1739 return 0; 1740 } 1741 len = data[2]; 1742 if (len != (unsigned) size - 3) 1743 { 1744 *al = TLS1_AD_DECODE_ERROR; 1745 return 0; 1746 } 1747 if (s->s3->alpn_selected) 1748 OPENSSL_free(s->s3->alpn_selected); 1749 s->s3->alpn_selected = OPENSSL_malloc(len); 1750 if (!s->s3->alpn_selected) 1751 { 1752 *al = TLS1_AD_INTERNAL_ERROR; 1753 return 0; 1754 } 1755 memcpy(s->s3->alpn_selected, data + 3, len); 1756 s->s3->alpn_selected_len = len; 1757 } 1758 1759 else if (type == TLSEXT_TYPE_renegotiate) 1760 { 1761 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1762 return 0; 1763 renegotiate_seen = 1; 1764 } 1765 #ifndef OPENSSL_NO_HEARTBEATS 1766 else if (type == TLSEXT_TYPE_heartbeat) 1767 { 1768 switch(data[0]) 1769 { 1770 case 0x01: /* Server allows us to send HB requests */ 1771 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1772 break; 1773 case 0x02: /* Server doesn't accept HB requests */ 1774 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1775 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1776 break; 1777 default: *al = SSL_AD_ILLEGAL_PARAMETER; 1778 return 0; 1779 } 1780 } 1781 #endif 1782 #ifndef OPENSSL_NO_SRTP 1783 else if (type == TLSEXT_TYPE_use_srtp) 1784 { 1785 if(ssl_parse_serverhello_use_srtp_ext(s, data, size, 1786 al)) 1787 return 0; 1788 } 1789 #endif 1790 1791 data+=size; 1792 } 1793 1794 if (data != d+n) 1795 { 1796 *al = SSL_AD_DECODE_ERROR; 1797 return 0; 1798 } 1799 1800 if (!s->hit && tlsext_servername == 1) 1801 { 1802 if (s->tlsext_hostname) 1803 { 1804 if (s->session->tlsext_hostname == NULL) 1805 { 1806 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 1807 if (!s->session->tlsext_hostname) 1808 { 1809 *al = SSL_AD_UNRECOGNIZED_NAME; 1810 return 0; 1811 } 1812 } 1813 else 1814 { 1815 *al = SSL_AD_DECODE_ERROR; 1816 return 0; 1817 } 1818 } 1819 } 1820 1821 *p = data; 1822 1823 ri_check: 1824 1825 /* Determine if we need to see RI. Strictly speaking if we want to 1826 * avoid an attack we should *always* see RI even on initial server 1827 * hello because the client doesn't see any renegotiation during an 1828 * attack. However this would mean we could not connect to any server 1829 * which doesn't support RI so for the immediate future tolerate RI 1830 * absence on initial connect only. 1831 */ 1832 if (!renegotiate_seen 1833 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 1834 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1835 { 1836 *al = SSL_AD_HANDSHAKE_FAILURE; 1837 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1838 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1839 return 0; 1840 } 1841 1842 return 1; 1843 } 1844 1845 1846 int ssl_prepare_clienthello_tlsext(SSL *s) 1847 { 1848 #ifndef OPENSSL_NO_EC 1849 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 1850 * and elliptic curves we support. 1851 */ 1852 int using_ecc = 0; 1853 int i; 1854 unsigned char *j; 1855 unsigned long alg_k, alg_a; 1856 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 1857 1858 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) 1859 { 1860 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 1861 1862 alg_k = c->algorithm_mkey; 1863 alg_a = c->algorithm_auth; 1864 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) 1865 { 1866 using_ecc = 1; 1867 break; 1868 } 1869 } 1870 using_ecc = using_ecc && (s->version >= TLS1_VERSION); 1871 if (using_ecc) 1872 { 1873 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1874 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1875 { 1876 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1877 return -1; 1878 } 1879 s->tlsext_ecpointformatlist_length = 3; 1880 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1881 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1882 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1883 1884 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ 1885 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); 1886 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2; 1887 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) 1888 { 1889 s->tlsext_ellipticcurvelist_length = 0; 1890 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1891 return -1; 1892 } 1893 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < 1894 sizeof(pref_list)/sizeof(pref_list[0]); i++) 1895 { 1896 int id = tls1_ec_nid2curve_id(pref_list[i]); 1897 s2n(id,j); 1898 } 1899 } 1900 #endif /* OPENSSL_NO_EC */ 1901 1902 #ifdef TLSEXT_TYPE_opaque_prf_input 1903 { 1904 int r = 1; 1905 1906 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1907 { 1908 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1909 if (!r) 1910 return -1; 1911 } 1912 1913 if (s->tlsext_opaque_prf_input != NULL) 1914 { 1915 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1916 OPENSSL_free(s->s3->client_opaque_prf_input); 1917 1918 if (s->tlsext_opaque_prf_input_len == 0) 1919 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1920 else 1921 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1922 if (s->s3->client_opaque_prf_input == NULL) 1923 { 1924 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1925 return -1; 1926 } 1927 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1928 } 1929 1930 if (r == 2) 1931 /* at callback's request, insist on receiving an appropriate server opaque PRF input */ 1932 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1933 } 1934 #endif 1935 1936 return 1; 1937 } 1938 1939 int ssl_prepare_serverhello_tlsext(SSL *s) 1940 { 1941 #ifndef OPENSSL_NO_EC 1942 /* If we are server and using an ECC cipher suite, send the point formats we support 1943 * if the client sent us an ECPointsFormat extension. Note that the server is not 1944 * supposed to send an EllipticCurves extension. 1945 */ 1946 1947 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1948 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1949 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); 1950 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); 1951 1952 if (using_ecc) 1953 { 1954 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1955 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1956 { 1957 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1958 return -1; 1959 } 1960 s->tlsext_ecpointformatlist_length = 3; 1961 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1962 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1963 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1964 } 1965 #endif /* OPENSSL_NO_EC */ 1966 1967 return 1; 1968 } 1969 1970 int ssl_check_clienthello_tlsext_early(SSL *s) 1971 { 1972 int ret=SSL_TLSEXT_ERR_NOACK; 1973 int al = SSL_AD_UNRECOGNIZED_NAME; 1974 1975 #ifndef OPENSSL_NO_EC 1976 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1977 * ssl3_choose_cipher in s3_lib.c. 1978 */ 1979 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1980 * ssl3_choose_cipher in s3_lib.c. 1981 */ 1982 #endif 1983 1984 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1985 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1986 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1987 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1988 1989 #ifdef TLSEXT_TYPE_opaque_prf_input 1990 { 1991 /* This sort of belongs into ssl_prepare_serverhello_tlsext(), 1992 * but we might be sending an alert in response to the client hello, 1993 * so this has to happen here in 1994 * ssl_check_clienthello_tlsext_early(). */ 1995 1996 int r = 1; 1997 1998 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1999 { 2000 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 2001 if (!r) 2002 { 2003 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2004 al = SSL_AD_INTERNAL_ERROR; 2005 goto err; 2006 } 2007 } 2008 2009 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 2010 OPENSSL_free(s->s3->server_opaque_prf_input); 2011 s->s3->server_opaque_prf_input = NULL; 2012 2013 if (s->tlsext_opaque_prf_input != NULL) 2014 { 2015 if (s->s3->client_opaque_prf_input != NULL && 2016 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) 2017 { 2018 /* can only use this extension if we have a server opaque PRF input 2019 * of the same length as the client opaque PRF input! */ 2020 2021 if (s->tlsext_opaque_prf_input_len == 0) 2022 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 2023 else 2024 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 2025 if (s->s3->server_opaque_prf_input == NULL) 2026 { 2027 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2028 al = SSL_AD_INTERNAL_ERROR; 2029 goto err; 2030 } 2031 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 2032 } 2033 } 2034 2035 if (r == 2 && s->s3->server_opaque_prf_input == NULL) 2036 { 2037 /* The callback wants to enforce use of the extension, 2038 * but we can't do that with the client opaque PRF input; 2039 * abort the handshake. 2040 */ 2041 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2042 al = SSL_AD_HANDSHAKE_FAILURE; 2043 } 2044 } 2045 2046 err: 2047 #endif 2048 switch (ret) 2049 { 2050 case SSL_TLSEXT_ERR_ALERT_FATAL: 2051 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2052 return -1; 2053 2054 case SSL_TLSEXT_ERR_ALERT_WARNING: 2055 ssl3_send_alert(s,SSL3_AL_WARNING,al); 2056 return 1; 2057 2058 case SSL_TLSEXT_ERR_NOACK: 2059 s->servername_done=0; 2060 default: 2061 return 1; 2062 } 2063 } 2064 2065 int ssl_check_clienthello_tlsext_late(SSL *s) 2066 { 2067 int ret = SSL_TLSEXT_ERR_OK; 2068 int al; 2069 2070 /* If status request then ask callback what to do. 2071 * Note: this must be called after servername callbacks in case 2072 * the certificate has changed, and must be called after the cipher 2073 * has been chosen because this may influence which certificate is sent 2074 */ 2075 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) 2076 { 2077 int r; 2078 CERT_PKEY *certpkey; 2079 certpkey = ssl_get_server_send_pkey(s); 2080 /* If no certificate can't return certificate status */ 2081 if (certpkey == NULL) 2082 { 2083 s->tlsext_status_expected = 0; 2084 return 1; 2085 } 2086 /* Set current certificate to one we will use so 2087 * SSL_get_certificate et al can pick it up. 2088 */ 2089 s->cert->key = certpkey; 2090 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2091 switch (r) 2092 { 2093 /* We don't want to send a status request response */ 2094 case SSL_TLSEXT_ERR_NOACK: 2095 s->tlsext_status_expected = 0; 2096 break; 2097 /* status request response should be sent */ 2098 case SSL_TLSEXT_ERR_OK: 2099 if (s->tlsext_ocsp_resp) 2100 s->tlsext_status_expected = 1; 2101 else 2102 s->tlsext_status_expected = 0; 2103 break; 2104 /* something bad happened */ 2105 case SSL_TLSEXT_ERR_ALERT_FATAL: 2106 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2107 al = SSL_AD_INTERNAL_ERROR; 2108 goto err; 2109 } 2110 } 2111 else 2112 s->tlsext_status_expected = 0; 2113 2114 err: 2115 switch (ret) 2116 { 2117 case SSL_TLSEXT_ERR_ALERT_FATAL: 2118 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2119 return -1; 2120 2121 case SSL_TLSEXT_ERR_ALERT_WARNING: 2122 ssl3_send_alert(s,SSL3_AL_WARNING,al); 2123 return 1; 2124 2125 default: 2126 return 1; 2127 } 2128 } 2129 2130 int ssl_check_serverhello_tlsext(SSL *s) 2131 { 2132 int ret=SSL_TLSEXT_ERR_NOACK; 2133 int al = SSL_AD_UNRECOGNIZED_NAME; 2134 2135 #ifndef OPENSSL_NO_EC 2136 /* If we are client and using an elliptic curve cryptography cipher 2137 * suite, then if server returns an EC point formats lists extension 2138 * it must contain uncompressed. 2139 */ 2140 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2141 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2142 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 2143 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 2144 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) 2145 { 2146 /* we are using an ECC cipher */ 2147 size_t i; 2148 unsigned char *list; 2149 int found_uncompressed = 0; 2150 list = s->session->tlsext_ecpointformatlist; 2151 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 2152 { 2153 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) 2154 { 2155 found_uncompressed = 1; 2156 break; 2157 } 2158 } 2159 if (!found_uncompressed) 2160 { 2161 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 2162 return -1; 2163 } 2164 } 2165 ret = SSL_TLSEXT_ERR_OK; 2166 #endif /* OPENSSL_NO_EC */ 2167 2168 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 2169 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 2170 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 2171 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 2172 2173 #ifdef TLSEXT_TYPE_opaque_prf_input 2174 if (s->s3->server_opaque_prf_input_len > 0) 2175 { 2176 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs. 2177 * So first verify that we really have a value from the server too. */ 2178 2179 if (s->s3->server_opaque_prf_input == NULL) 2180 { 2181 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2182 al = SSL_AD_HANDSHAKE_FAILURE; 2183 } 2184 2185 /* Anytime the server *has* sent an opaque PRF input, we need to check 2186 * that we have a client opaque PRF input of the same size. */ 2187 if (s->s3->client_opaque_prf_input == NULL || 2188 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) 2189 { 2190 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2191 al = SSL_AD_ILLEGAL_PARAMETER; 2192 } 2193 } 2194 #endif 2195 2196 /* If we've requested certificate status and we wont get one 2197 * tell the callback 2198 */ 2199 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 2200 && s->ctx && s->ctx->tlsext_status_cb) 2201 { 2202 int r; 2203 /* Set resp to NULL, resplen to -1 so callback knows 2204 * there is no response. 2205 */ 2206 if (s->tlsext_ocsp_resp) 2207 { 2208 OPENSSL_free(s->tlsext_ocsp_resp); 2209 s->tlsext_ocsp_resp = NULL; 2210 } 2211 s->tlsext_ocsp_resplen = -1; 2212 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2213 if (r == 0) 2214 { 2215 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2216 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2217 } 2218 if (r < 0) 2219 { 2220 al = SSL_AD_INTERNAL_ERROR; 2221 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2222 } 2223 } 2224 2225 switch (ret) 2226 { 2227 case SSL_TLSEXT_ERR_ALERT_FATAL: 2228 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2229 return -1; 2230 2231 case SSL_TLSEXT_ERR_ALERT_WARNING: 2232 ssl3_send_alert(s,SSL3_AL_WARNING,al); 2233 return 1; 2234 2235 case SSL_TLSEXT_ERR_NOACK: 2236 s->servername_done=0; 2237 default: 2238 return 1; 2239 } 2240 } 2241 2242 /* Since the server cache lookup is done early on in the processing of the 2243 * ClientHello, and other operations depend on the result, we need to handle 2244 * any TLS session ticket extension at the same time. 2245 * 2246 * session_id: points at the session ID in the ClientHello. This code will 2247 * read past the end of this in order to parse out the session ticket 2248 * extension, if any. 2249 * len: the length of the session ID. 2250 * limit: a pointer to the first byte after the ClientHello. 2251 * ret: (output) on return, if a ticket was decrypted, then this is set to 2252 * point to the resulting session. 2253 * 2254 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2255 * ciphersuite, in which case we have no use for session tickets and one will 2256 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2257 * 2258 * Returns: 2259 * -1: fatal error, either from parsing or decrypting the ticket. 2260 * 0: no ticket was found (or was ignored, based on settings). 2261 * 1: a zero length extension was found, indicating that the client supports 2262 * session tickets but doesn't currently have one to offer. 2263 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2264 * couldn't be decrypted because of a non-fatal error. 2265 * 3: a ticket was successfully decrypted and *ret was set. 2266 * 2267 * Side effects: 2268 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2269 * a new session ticket to the client because the client indicated support 2270 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2271 * a session ticket or we couldn't use the one it gave us, or if 2272 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2273 * Otherwise, s->tlsext_ticket_expected is set to 0. 2274 */ 2275 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 2276 const unsigned char *limit, SSL_SESSION **ret) 2277 { 2278 /* Point after session ID in client hello */ 2279 const unsigned char *p = session_id + len; 2280 unsigned short i; 2281 2282 *ret = NULL; 2283 s->tlsext_ticket_expected = 0; 2284 2285 /* If tickets disabled behave as if no ticket present 2286 * to permit stateful resumption. 2287 */ 2288 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2289 return 0; 2290 if ((s->version <= SSL3_VERSION) || !limit) 2291 return 0; 2292 if (p >= limit) 2293 return -1; 2294 /* Skip past DTLS cookie */ 2295 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 2296 { 2297 i = *(p++); 2298 p+= i; 2299 if (p >= limit) 2300 return -1; 2301 } 2302 /* Skip past cipher list */ 2303 n2s(p, i); 2304 p+= i; 2305 if (p >= limit) 2306 return -1; 2307 /* Skip past compression algorithm list */ 2308 i = *(p++); 2309 p += i; 2310 if (p > limit) 2311 return -1; 2312 /* Now at start of extensions */ 2313 if ((p + 2) >= limit) 2314 return 0; 2315 n2s(p, i); 2316 while ((p + 4) <= limit) 2317 { 2318 unsigned short type, size; 2319 n2s(p, type); 2320 n2s(p, size); 2321 if (p + size > limit) 2322 return 0; 2323 if (type == TLSEXT_TYPE_session_ticket) 2324 { 2325 int r; 2326 if (size == 0) 2327 { 2328 /* The client will accept a ticket but doesn't 2329 * currently have one. */ 2330 s->tlsext_ticket_expected = 1; 2331 return 1; 2332 } 2333 if (s->tls_session_secret_cb) 2334 { 2335 /* Indicate that the ticket couldn't be 2336 * decrypted rather than generating the session 2337 * from ticket now, trigger abbreviated 2338 * handshake based on external mechanism to 2339 * calculate the master secret later. */ 2340 return 2; 2341 } 2342 r = tls_decrypt_ticket(s, p, size, session_id, len, ret); 2343 switch (r) 2344 { 2345 case 2: /* ticket couldn't be decrypted */ 2346 s->tlsext_ticket_expected = 1; 2347 return 2; 2348 case 3: /* ticket was decrypted */ 2349 return r; 2350 case 4: /* ticket decrypted but need to renew */ 2351 s->tlsext_ticket_expected = 1; 2352 return 3; 2353 default: /* fatal error */ 2354 return -1; 2355 } 2356 } 2357 p += size; 2358 } 2359 return 0; 2360 } 2361 2362 /* tls_decrypt_ticket attempts to decrypt a session ticket. 2363 * 2364 * etick: points to the body of the session ticket extension. 2365 * eticklen: the length of the session tickets extenion. 2366 * sess_id: points at the session ID. 2367 * sesslen: the length of the session ID. 2368 * psess: (output) on return, if a ticket was decrypted, then this is set to 2369 * point to the resulting session. 2370 * 2371 * Returns: 2372 * -1: fatal error, either from parsing or decrypting the ticket. 2373 * 2: the ticket couldn't be decrypted. 2374 * 3: a ticket was successfully decrypted and *psess was set. 2375 * 4: same as 3, but the ticket needs to be renewed. 2376 */ 2377 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2378 const unsigned char *sess_id, int sesslen, 2379 SSL_SESSION **psess) 2380 { 2381 SSL_SESSION *sess; 2382 unsigned char *sdec; 2383 const unsigned char *p; 2384 int slen, mlen, renew_ticket = 0; 2385 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2386 HMAC_CTX hctx; 2387 EVP_CIPHER_CTX ctx; 2388 SSL_CTX *tctx = s->initial_ctx; 2389 /* Need at least keyname + iv + some encrypted data */ 2390 if (eticklen < 48) 2391 return 2; 2392 /* Initialize session ticket encryption and HMAC contexts */ 2393 HMAC_CTX_init(&hctx); 2394 EVP_CIPHER_CTX_init(&ctx); 2395 if (tctx->tlsext_ticket_key_cb) 2396 { 2397 unsigned char *nctick = (unsigned char *)etick; 2398 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2399 &ctx, &hctx, 0); 2400 if (rv < 0) 2401 return -1; 2402 if (rv == 0) 2403 return 2; 2404 if (rv == 2) 2405 renew_ticket = 1; 2406 } 2407 else 2408 { 2409 /* Check key name matches */ 2410 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2411 return 2; 2412 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2413 tlsext_tick_md(), NULL); 2414 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2415 tctx->tlsext_tick_aes_key, etick + 16); 2416 } 2417 /* Attempt to process session ticket, first conduct sanity and 2418 * integrity checks on ticket. 2419 */ 2420 mlen = HMAC_size(&hctx); 2421 if (mlen < 0) 2422 { 2423 EVP_CIPHER_CTX_cleanup(&ctx); 2424 return -1; 2425 } 2426 eticklen -= mlen; 2427 /* Check HMAC of encrypted ticket */ 2428 HMAC_Update(&hctx, etick, eticklen); 2429 HMAC_Final(&hctx, tick_hmac, NULL); 2430 HMAC_CTX_cleanup(&hctx); 2431 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) 2432 return 2; 2433 /* Attempt to decrypt session data */ 2434 /* Move p after IV to start of encrypted ticket, update length */ 2435 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2436 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2437 sdec = OPENSSL_malloc(eticklen); 2438 if (!sdec) 2439 { 2440 EVP_CIPHER_CTX_cleanup(&ctx); 2441 return -1; 2442 } 2443 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2444 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 2445 return 2; 2446 slen += mlen; 2447 EVP_CIPHER_CTX_cleanup(&ctx); 2448 p = sdec; 2449 2450 sess = d2i_SSL_SESSION(NULL, &p, slen); 2451 OPENSSL_free(sdec); 2452 if (sess) 2453 { 2454 /* The session ID, if non-empty, is used by some clients to 2455 * detect that the ticket has been accepted. So we copy it to 2456 * the session structure. If it is empty set length to zero 2457 * as required by standard. 2458 */ 2459 if (sesslen) 2460 memcpy(sess->session_id, sess_id, sesslen); 2461 sess->session_id_length = sesslen; 2462 *psess = sess; 2463 if (renew_ticket) 2464 return 4; 2465 else 2466 return 3; 2467 } 2468 ERR_clear_error(); 2469 /* For session parse failure, indicate that we need to send a new 2470 * ticket. */ 2471 return 2; 2472 } 2473 2474 /* Tables to translate from NIDs to TLS v1.2 ids */ 2475 2476 typedef struct 2477 { 2478 int nid; 2479 int id; 2480 } tls12_lookup; 2481 2482 static tls12_lookup tls12_md[] = { 2483 #ifndef OPENSSL_NO_MD5 2484 {NID_md5, TLSEXT_hash_md5}, 2485 #endif 2486 #ifndef OPENSSL_NO_SHA 2487 {NID_sha1, TLSEXT_hash_sha1}, 2488 #endif 2489 #ifndef OPENSSL_NO_SHA256 2490 {NID_sha224, TLSEXT_hash_sha224}, 2491 {NID_sha256, TLSEXT_hash_sha256}, 2492 #endif 2493 #ifndef OPENSSL_NO_SHA512 2494 {NID_sha384, TLSEXT_hash_sha384}, 2495 {NID_sha512, TLSEXT_hash_sha512} 2496 #endif 2497 }; 2498 2499 static tls12_lookup tls12_sig[] = { 2500 #ifndef OPENSSL_NO_RSA 2501 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2502 #endif 2503 #ifndef OPENSSL_NO_DSA 2504 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2505 #endif 2506 #ifndef OPENSSL_NO_ECDSA 2507 {EVP_PKEY_EC, TLSEXT_signature_ecdsa} 2508 #endif 2509 }; 2510 2511 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2512 { 2513 size_t i; 2514 for (i = 0; i < tlen; i++) 2515 { 2516 if (table[i].nid == nid) 2517 return table[i].id; 2518 } 2519 return -1; 2520 } 2521 2522 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2523 { 2524 int sig_id, md_id; 2525 if (!md) 2526 return 0; 2527 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2528 sizeof(tls12_md)/sizeof(tls12_lookup)); 2529 if (md_id == -1) 2530 return 0; 2531 sig_id = tls12_get_sigid(pk); 2532 if (sig_id == -1) 2533 return 0; 2534 p[0] = (unsigned char)md_id; 2535 p[1] = (unsigned char)sig_id; 2536 return 1; 2537 } 2538 2539 /* tls12_get_sigid returns the TLS 1.2 SignatureAlgorithm value corresponding 2540 * to the given public key, or -1 if not known. */ 2541 int tls12_get_sigid(const EVP_PKEY *pk) 2542 { 2543 return tls12_find_id(pk->type, tls12_sig, 2544 sizeof(tls12_sig)/sizeof(tls12_lookup)); 2545 } 2546 2547 const EVP_MD *tls12_get_hash(unsigned char hash_alg) 2548 { 2549 switch(hash_alg) 2550 { 2551 #ifndef OPENSSL_NO_MD5 2552 case TLSEXT_hash_md5: 2553 #ifdef OPENSSL_FIPS 2554 if (FIPS_mode()) 2555 return NULL; 2556 #endif 2557 return EVP_md5(); 2558 #endif 2559 #ifndef OPENSSL_NO_SHA 2560 case TLSEXT_hash_sha1: 2561 return EVP_sha1(); 2562 #endif 2563 #ifndef OPENSSL_NO_SHA256 2564 case TLSEXT_hash_sha224: 2565 return EVP_sha224(); 2566 2567 case TLSEXT_hash_sha256: 2568 return EVP_sha256(); 2569 #endif 2570 #ifndef OPENSSL_NO_SHA512 2571 case TLSEXT_hash_sha384: 2572 return EVP_sha384(); 2573 2574 case TLSEXT_hash_sha512: 2575 return EVP_sha512(); 2576 #endif 2577 default: 2578 return NULL; 2579 2580 } 2581 } 2582 2583 /* tls1_process_sigalgs processes a signature_algorithms extension and sets the 2584 * digest functions accordingly for each key type. 2585 * 2586 * See RFC 5246, section 7.4.1.4.1. 2587 * 2588 * data: points to the content of the extension, not including type and length 2589 * headers. 2590 * dsize: the number of bytes of |data|. Must be even. 2591 */ 2592 void tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2593 { 2594 int i; 2595 const EVP_MD *md, **digest_ptr; 2596 /* Extension ignored for TLS versions below 1.2 */ 2597 if (TLS1_get_version(s) < TLS1_2_VERSION) 2598 return; 2599 2600 s->s3->digest_rsa = NULL; 2601 s->s3->digest_dsa = NULL; 2602 s->s3->digest_ecdsa = NULL; 2603 2604 for (i = 0; i < dsize; i += 2) 2605 { 2606 unsigned char hash_alg = data[i], sig_alg = data[i+1]; 2607 2608 switch(sig_alg) 2609 { 2610 #ifndef OPENSSL_NO_RSA 2611 case TLSEXT_signature_rsa: 2612 digest_ptr = &s->s3->digest_rsa; 2613 break; 2614 #endif 2615 #ifndef OPENSSL_NO_DSA 2616 case TLSEXT_signature_dsa: 2617 digest_ptr = &s->s3->digest_dsa; 2618 break; 2619 #endif 2620 #ifndef OPENSSL_NO_ECDSA 2621 case TLSEXT_signature_ecdsa: 2622 digest_ptr = &s->s3->digest_ecdsa; 2623 break; 2624 #endif 2625 default: 2626 continue; 2627 } 2628 2629 if (*digest_ptr == NULL) 2630 { 2631 md = tls12_get_hash(hash_alg); 2632 if (md) 2633 *digest_ptr = md; 2634 } 2635 2636 } 2637 } 2638 2639 #endif 2640 2641 #ifndef OPENSSL_NO_HEARTBEATS 2642 int 2643 tls1_process_heartbeat(SSL *s) 2644 { 2645 unsigned char *p = &s->s3->rrec.data[0], *pl; 2646 unsigned short hbtype; 2647 unsigned int payload; 2648 unsigned int padding = 16; /* Use minimum padding */ 2649 2650 /* Read type and payload length first */ 2651 hbtype = *p++; 2652 n2s(p, payload); 2653 pl = p; 2654 2655 if (s->msg_callback) 2656 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 2657 &s->s3->rrec.data[0], s->s3->rrec.length, 2658 s, s->msg_callback_arg); 2659 2660 if (hbtype == TLS1_HB_REQUEST) 2661 { 2662 unsigned char *buffer, *bp; 2663 int r; 2664 2665 /* Allocate memory for the response, size is 1 bytes 2666 * message type, plus 2 bytes payload length, plus 2667 * payload, plus padding 2668 */ 2669 buffer = OPENSSL_malloc(1 + 2 + payload + padding); 2670 bp = buffer; 2671 2672 /* Enter response type, length and copy payload */ 2673 *bp++ = TLS1_HB_RESPONSE; 2674 s2n(payload, bp); 2675 memcpy(bp, pl, payload); 2676 bp += payload; 2677 /* Random padding */ 2678 RAND_pseudo_bytes(bp, padding); 2679 2680 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 2681 2682 if (r >= 0 && s->msg_callback) 2683 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2684 buffer, 3 + payload + padding, 2685 s, s->msg_callback_arg); 2686 2687 OPENSSL_free(buffer); 2688 2689 if (r < 0) 2690 return r; 2691 } 2692 else if (hbtype == TLS1_HB_RESPONSE) 2693 { 2694 unsigned int seq; 2695 2696 /* We only send sequence numbers (2 bytes unsigned int), 2697 * and 16 random bytes, so we just try to read the 2698 * sequence number */ 2699 n2s(pl, seq); 2700 2701 if (payload == 18 && seq == s->tlsext_hb_seq) 2702 { 2703 s->tlsext_hb_seq++; 2704 s->tlsext_hb_pending = 0; 2705 } 2706 } 2707 2708 return 0; 2709 } 2710 2711 int 2712 tls1_heartbeat(SSL *s) 2713 { 2714 unsigned char *buf, *p; 2715 int ret; 2716 unsigned int payload = 18; /* Sequence number + random bytes */ 2717 unsigned int padding = 16; /* Use minimum padding */ 2718 2719 /* Only send if peer supports and accepts HB requests... */ 2720 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || 2721 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) 2722 { 2723 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); 2724 return -1; 2725 } 2726 2727 /* ...and there is none in flight yet... */ 2728 if (s->tlsext_hb_pending) 2729 { 2730 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING); 2731 return -1; 2732 } 2733 2734 /* ...and no handshake in progress. */ 2735 if (SSL_in_init(s) || s->in_handshake) 2736 { 2737 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE); 2738 return -1; 2739 } 2740 2741 /* Check if padding is too long, payload and padding 2742 * must not exceed 2^14 - 3 = 16381 bytes in total. 2743 */ 2744 OPENSSL_assert(payload + padding <= 16381); 2745 2746 /* Create HeartBeat message, we just use a sequence number 2747 * as payload to distuingish different messages and add 2748 * some random stuff. 2749 * - Message Type, 1 byte 2750 * - Payload Length, 2 bytes (unsigned int) 2751 * - Payload, the sequence number (2 bytes uint) 2752 * - Payload, random bytes (16 bytes uint) 2753 * - Padding 2754 */ 2755 buf = OPENSSL_malloc(1 + 2 + payload + padding); 2756 p = buf; 2757 /* Message Type */ 2758 *p++ = TLS1_HB_REQUEST; 2759 /* Payload length (18 bytes here) */ 2760 s2n(payload, p); 2761 /* Sequence number */ 2762 s2n(s->tlsext_hb_seq, p); 2763 /* 16 random bytes */ 2764 RAND_pseudo_bytes(p, 16); 2765 p += 16; 2766 /* Random padding */ 2767 RAND_pseudo_bytes(p, padding); 2768 2769 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 2770 if (ret >= 0) 2771 { 2772 if (s->msg_callback) 2773 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2774 buf, 3 + payload + padding, 2775 s, s->msg_callback_arg); 2776 2777 s->tlsext_hb_pending = 1; 2778 } 2779 2780 OPENSSL_free(buf); 2781 2782 return ret; 2783 } 2784 #endif 2785 2786 #if !defined(OPENSSL_NO_TLSEXT) 2787 /* tls1_channel_id_hash calculates the signed data for a Channel ID on the given 2788 * SSL connection and writes it to |md|. 2789 */ 2790 int 2791 tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s) 2792 { 2793 EVP_MD_CTX ctx; 2794 unsigned char temp_digest[EVP_MAX_MD_SIZE]; 2795 unsigned temp_digest_len; 2796 int i; 2797 static const char kClientIDMagic[] = "TLS Channel ID signature"; 2798 2799 if (s->s3->handshake_buffer) 2800 if (!ssl3_digest_cached_records(s)) 2801 return 0; 2802 2803 EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic)); 2804 2805 EVP_MD_CTX_init(&ctx); 2806 for (i = 0; i < SSL_MAX_DIGEST; i++) 2807 { 2808 if (s->s3->handshake_dgst[i] == NULL) 2809 continue; 2810 EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]); 2811 EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len); 2812 EVP_DigestUpdate(md, temp_digest, temp_digest_len); 2813 } 2814 EVP_MD_CTX_cleanup(&ctx); 2815 2816 return 1; 2817 } 2818 #endif 2819
