t1_lib.c revision 284295
1/* ssl/t1_lib.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112#include <stdio.h> 113#include <openssl/objects.h> 114#include <openssl/evp.h> 115#include <openssl/hmac.h> 116#include <openssl/ocsp.h> 117#include <openssl/rand.h> 118#include "ssl_locl.h" 119 120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 121 122#ifndef OPENSSL_NO_TLSEXT 123static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 124 const unsigned char *sess_id, int sesslen, 125 SSL_SESSION **psess); 126#endif 127 128SSL3_ENC_METHOD TLSv1_enc_data={ 129 tls1_enc, 130 tls1_mac, 131 tls1_setup_key_block, 132 tls1_generate_master_secret, 133 tls1_change_cipher_state, 134 tls1_final_finish_mac, 135 TLS1_FINISH_MAC_LENGTH, 136 tls1_cert_verify_mac, 137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 139 tls1_alert_code, 140 tls1_export_keying_material, 141 }; 142 143long tls1_default_timeout(void) 144 { 145 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 146 * is way too long for http, the cache would over fill */ 147 return(60*60*2); 148 } 149 150int tls1_new(SSL *s) 151 { 152 if (!ssl3_new(s)) return(0); 153 s->method->ssl_clear(s); 154 return(1); 155 } 156 157void tls1_free(SSL *s) 158 { 159#ifndef OPENSSL_NO_TLSEXT 160 if (s->tlsext_session_ticket) 161 { 162 OPENSSL_free(s->tlsext_session_ticket); 163 } 164#endif /* OPENSSL_NO_TLSEXT */ 165 ssl3_free(s); 166 } 167 168void tls1_clear(SSL *s) 169 { 170 ssl3_clear(s); 171 s->version = s->method->version; 172 } 173 174#ifndef OPENSSL_NO_EC 175 176static int nid_list[] = 177 { 178 NID_sect163k1, /* sect163k1 (1) */ 179 NID_sect163r1, /* sect163r1 (2) */ 180 NID_sect163r2, /* sect163r2 (3) */ 181 NID_sect193r1, /* sect193r1 (4) */ 182 NID_sect193r2, /* sect193r2 (5) */ 183 NID_sect233k1, /* sect233k1 (6) */ 184 NID_sect233r1, /* sect233r1 (7) */ 185 NID_sect239k1, /* sect239k1 (8) */ 186 NID_sect283k1, /* sect283k1 (9) */ 187 NID_sect283r1, /* sect283r1 (10) */ 188 NID_sect409k1, /* sect409k1 (11) */ 189 NID_sect409r1, /* sect409r1 (12) */ 190 NID_sect571k1, /* sect571k1 (13) */ 191 NID_sect571r1, /* sect571r1 (14) */ 192 NID_secp160k1, /* secp160k1 (15) */ 193 NID_secp160r1, /* secp160r1 (16) */ 194 NID_secp160r2, /* secp160r2 (17) */ 195 NID_secp192k1, /* secp192k1 (18) */ 196 NID_X9_62_prime192v1, /* secp192r1 (19) */ 197 NID_secp224k1, /* secp224k1 (20) */ 198 NID_secp224r1, /* secp224r1 (21) */ 199 NID_secp256k1, /* secp256k1 (22) */ 200 NID_X9_62_prime256v1, /* secp256r1 (23) */ 201 NID_secp384r1, /* secp384r1 (24) */ 202 NID_secp521r1 /* secp521r1 (25) */ 203 }; 204 205static int pref_list[] = 206 { 207#ifndef OPENSSL_NO_EC2M 208 NID_sect571r1, /* sect571r1 (14) */ 209 NID_sect571k1, /* sect571k1 (13) */ 210#endif 211 NID_secp521r1, /* secp521r1 (25) */ 212#ifndef OPENSSL_NO_EC2M 213 NID_sect409k1, /* sect409k1 (11) */ 214 NID_sect409r1, /* sect409r1 (12) */ 215#endif 216 NID_secp384r1, /* secp384r1 (24) */ 217#ifndef OPENSSL_NO_EC2M 218 NID_sect283k1, /* sect283k1 (9) */ 219 NID_sect283r1, /* sect283r1 (10) */ 220#endif 221 NID_secp256k1, /* secp256k1 (22) */ 222 NID_X9_62_prime256v1, /* secp256r1 (23) */ 223#ifndef OPENSSL_NO_EC2M 224 NID_sect239k1, /* sect239k1 (8) */ 225 NID_sect233k1, /* sect233k1 (6) */ 226 NID_sect233r1, /* sect233r1 (7) */ 227#endif 228 NID_secp224k1, /* secp224k1 (20) */ 229 NID_secp224r1, /* secp224r1 (21) */ 230#ifndef OPENSSL_NO_EC2M 231 NID_sect193r1, /* sect193r1 (4) */ 232 NID_sect193r2, /* sect193r2 (5) */ 233#endif 234 NID_secp192k1, /* secp192k1 (18) */ 235 NID_X9_62_prime192v1, /* secp192r1 (19) */ 236#ifndef OPENSSL_NO_EC2M 237 NID_sect163k1, /* sect163k1 (1) */ 238 NID_sect163r1, /* sect163r1 (2) */ 239 NID_sect163r2, /* sect163r2 (3) */ 240#endif 241 NID_secp160k1, /* secp160k1 (15) */ 242 NID_secp160r1, /* secp160r1 (16) */ 243 NID_secp160r2, /* secp160r2 (17) */ 244 }; 245 246int tls1_ec_curve_id2nid(int curve_id) 247 { 248 /* ECC curves from RFC 4492 */ 249 if ((curve_id < 1) || ((unsigned int)curve_id > 250 sizeof(nid_list)/sizeof(nid_list[0]))) 251 return 0; 252 return nid_list[curve_id-1]; 253 } 254 255int tls1_ec_nid2curve_id(int nid) 256 { 257 /* ECC curves from RFC 4492 */ 258 switch (nid) 259 { 260 case NID_sect163k1: /* sect163k1 (1) */ 261 return 1; 262 case NID_sect163r1: /* sect163r1 (2) */ 263 return 2; 264 case NID_sect163r2: /* sect163r2 (3) */ 265 return 3; 266 case NID_sect193r1: /* sect193r1 (4) */ 267 return 4; 268 case NID_sect193r2: /* sect193r2 (5) */ 269 return 5; 270 case NID_sect233k1: /* sect233k1 (6) */ 271 return 6; 272 case NID_sect233r1: /* sect233r1 (7) */ 273 return 7; 274 case NID_sect239k1: /* sect239k1 (8) */ 275 return 8; 276 case NID_sect283k1: /* sect283k1 (9) */ 277 return 9; 278 case NID_sect283r1: /* sect283r1 (10) */ 279 return 10; 280 case NID_sect409k1: /* sect409k1 (11) */ 281 return 11; 282 case NID_sect409r1: /* sect409r1 (12) */ 283 return 12; 284 case NID_sect571k1: /* sect571k1 (13) */ 285 return 13; 286 case NID_sect571r1: /* sect571r1 (14) */ 287 return 14; 288 case NID_secp160k1: /* secp160k1 (15) */ 289 return 15; 290 case NID_secp160r1: /* secp160r1 (16) */ 291 return 16; 292 case NID_secp160r2: /* secp160r2 (17) */ 293 return 17; 294 case NID_secp192k1: /* secp192k1 (18) */ 295 return 18; 296 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 297 return 19; 298 case NID_secp224k1: /* secp224k1 (20) */ 299 return 20; 300 case NID_secp224r1: /* secp224r1 (21) */ 301 return 21; 302 case NID_secp256k1: /* secp256k1 (22) */ 303 return 22; 304 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 305 return 23; 306 case NID_secp384r1: /* secp384r1 (24) */ 307 return 24; 308 case NID_secp521r1: /* secp521r1 (25) */ 309 return 25; 310 default: 311 return 0; 312 } 313 } 314#endif /* OPENSSL_NO_EC */ 315 316#ifndef OPENSSL_NO_TLSEXT 317 318/* List of supported signature algorithms and hashes. Should make this 319 * customisable at some point, for now include everything we support. 320 */ 321 322#ifdef OPENSSL_NO_RSA 323#define tlsext_sigalg_rsa(md) /* */ 324#else 325#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, 326#endif 327 328#ifdef OPENSSL_NO_DSA 329#define tlsext_sigalg_dsa(md) /* */ 330#else 331#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, 332#endif 333 334#ifdef OPENSSL_NO_ECDSA 335#define tlsext_sigalg_ecdsa(md) /* */ 336#else 337#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, 338#endif 339 340#define tlsext_sigalg(md) \ 341 tlsext_sigalg_rsa(md) \ 342 tlsext_sigalg_dsa(md) \ 343 tlsext_sigalg_ecdsa(md) 344 345static unsigned char tls12_sigalgs[] = { 346#ifndef OPENSSL_NO_SHA512 347 tlsext_sigalg(TLSEXT_hash_sha512) 348 tlsext_sigalg(TLSEXT_hash_sha384) 349#endif 350#ifndef OPENSSL_NO_SHA256 351 tlsext_sigalg(TLSEXT_hash_sha256) 352 tlsext_sigalg(TLSEXT_hash_sha224) 353#endif 354#ifndef OPENSSL_NO_SHA 355 tlsext_sigalg(TLSEXT_hash_sha1) 356#endif 357}; 358 359int tls12_get_req_sig_algs(SSL *s, unsigned char *p) 360 { 361 size_t slen = sizeof(tls12_sigalgs); 362 if (p) 363 memcpy(p, tls12_sigalgs, slen); 364 return (int)slen; 365 } 366 367unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit) 368 { 369 int extdatalen=0; 370 unsigned char *orig = buf; 371 unsigned char *ret = buf; 372 373 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 374 if (s->client_version == SSL3_VERSION 375 && !s->s3->send_connection_binding) 376 return orig; 377 378 ret+=2; 379 380 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 381 382 if (s->tlsext_hostname != NULL) 383 { 384 /* Add TLS extension servername to the Client Hello message */ 385 unsigned long size_str; 386 long lenmax; 387 388 /* check for enough space. 389 4 for the servername type and entension length 390 2 for servernamelist length 391 1 for the hostname type 392 2 for hostname length 393 + hostname length 394 */ 395 396 if ((lenmax = limit - ret - 9) < 0 397 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 398 return NULL; 399 400 /* extension type and length */ 401 s2n(TLSEXT_TYPE_server_name,ret); 402 s2n(size_str+5,ret); 403 404 /* length of servername list */ 405 s2n(size_str+3,ret); 406 407 /* hostname type, length and hostname */ 408 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 409 s2n(size_str,ret); 410 memcpy(ret, s->tlsext_hostname, size_str); 411 ret+=size_str; 412 } 413 414 /* Add RI if renegotiating */ 415 if (s->renegotiate) 416 { 417 int el; 418 419 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 420 { 421 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 422 return NULL; 423 } 424 425 if((limit - ret - 4 - el) < 0) return NULL; 426 427 s2n(TLSEXT_TYPE_renegotiate,ret); 428 s2n(el,ret); 429 430 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) 431 { 432 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 433 return NULL; 434 } 435 436 ret += el; 437 } 438 439#ifndef OPENSSL_NO_SRP 440 /* Add SRP username if there is one */ 441 if (s->srp_ctx.login != NULL) 442 { /* Add TLS extension SRP username to the Client Hello message */ 443 444 int login_len = strlen(s->srp_ctx.login); 445 if (login_len > 255 || login_len == 0) 446 { 447 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 448 return NULL; 449 } 450 451 /* check for enough space. 452 4 for the srp type type and entension length 453 1 for the srp user identity 454 + srp user identity length 455 */ 456 if ((limit - ret - 5 - login_len) < 0) return NULL; 457 458 /* fill in the extension */ 459 s2n(TLSEXT_TYPE_srp,ret); 460 s2n(login_len+1,ret); 461 (*ret++) = (unsigned char) login_len; 462 memcpy(ret, s->srp_ctx.login, login_len); 463 ret+=login_len; 464 } 465#endif 466 467#ifndef OPENSSL_NO_EC 468 if (s->tlsext_ecpointformatlist != NULL) 469 { 470 /* Add TLS extension ECPointFormats to the ClientHello message */ 471 long lenmax; 472 473 if ((lenmax = limit - ret - 5) < 0) return NULL; 474 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 475 if (s->tlsext_ecpointformatlist_length > 255) 476 { 477 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 478 return NULL; 479 } 480 481 s2n(TLSEXT_TYPE_ec_point_formats,ret); 482 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 483 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 484 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 485 ret+=s->tlsext_ecpointformatlist_length; 486 } 487 if (s->tlsext_ellipticcurvelist != NULL) 488 { 489 /* Add TLS extension EllipticCurves to the ClientHello message */ 490 long lenmax; 491 492 if ((lenmax = limit - ret - 6) < 0) return NULL; 493 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; 494 if (s->tlsext_ellipticcurvelist_length > 65532) 495 { 496 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 497 return NULL; 498 } 499 500 s2n(TLSEXT_TYPE_elliptic_curves,ret); 501 s2n(s->tlsext_ellipticcurvelist_length + 2, ret); 502 503 s2n(s->tlsext_ellipticcurvelist_length, ret); 504 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); 505 ret+=s->tlsext_ellipticcurvelist_length; 506 } 507#endif /* OPENSSL_NO_EC */ 508 509 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 510 { 511 int ticklen; 512 if (!s->new_session && s->session && s->session->tlsext_tick) 513 ticklen = s->session->tlsext_ticklen; 514 else if (s->session && s->tlsext_session_ticket && 515 s->tlsext_session_ticket->data) 516 { 517 ticklen = s->tlsext_session_ticket->length; 518 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 519 if (!s->session->tlsext_tick) 520 return NULL; 521 memcpy(s->session->tlsext_tick, 522 s->tlsext_session_ticket->data, 523 ticklen); 524 s->session->tlsext_ticklen = ticklen; 525 } 526 else 527 ticklen = 0; 528 if (ticklen == 0 && s->tlsext_session_ticket && 529 s->tlsext_session_ticket->data == NULL) 530 goto skip_ext; 531 /* Check for enough room 2 for extension type, 2 for len 532 * rest for ticket 533 */ 534 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; 535 s2n(TLSEXT_TYPE_session_ticket,ret); 536 s2n(ticklen,ret); 537 if (ticklen) 538 { 539 memcpy(ret, s->session->tlsext_tick, ticklen); 540 ret += ticklen; 541 } 542 } 543 skip_ext: 544 545 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 546 { 547 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 548 return NULL; 549 s2n(TLSEXT_TYPE_signature_algorithms,ret); 550 s2n(sizeof(tls12_sigalgs) + 2, ret); 551 s2n(sizeof(tls12_sigalgs), ret); 552 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 553 ret += sizeof(tls12_sigalgs); 554 } 555 556#ifdef TLSEXT_TYPE_opaque_prf_input 557 if (s->s3->client_opaque_prf_input != NULL && 558 s->version != DTLS1_VERSION) 559 { 560 size_t col = s->s3->client_opaque_prf_input_len; 561 562 if ((long)(limit - ret - 6 - col < 0)) 563 return NULL; 564 if (col > 0xFFFD) /* can't happen */ 565 return NULL; 566 567 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 568 s2n(col + 2, ret); 569 s2n(col, ret); 570 memcpy(ret, s->s3->client_opaque_prf_input, col); 571 ret += col; 572 } 573#endif 574 575 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 576 s->version != DTLS1_VERSION) 577 { 578 int i; 579 long extlen, idlen, itmp; 580 OCSP_RESPID *id; 581 582 idlen = 0; 583 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 584 { 585 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 586 itmp = i2d_OCSP_RESPID(id, NULL); 587 if (itmp <= 0) 588 return NULL; 589 idlen += itmp + 2; 590 } 591 592 if (s->tlsext_ocsp_exts) 593 { 594 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 595 if (extlen < 0) 596 return NULL; 597 } 598 else 599 extlen = 0; 600 601 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 602 s2n(TLSEXT_TYPE_status_request, ret); 603 if (extlen + idlen > 0xFFF0) 604 return NULL; 605 s2n(extlen + idlen + 5, ret); 606 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 607 s2n(idlen, ret); 608 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 609 { 610 /* save position of id len */ 611 unsigned char *q = ret; 612 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 613 /* skip over id len */ 614 ret += 2; 615 itmp = i2d_OCSP_RESPID(id, &ret); 616 /* write id len */ 617 s2n(itmp, q); 618 } 619 s2n(extlen, ret); 620 if (extlen > 0) 621 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 622 } 623 624#ifndef OPENSSL_NO_HEARTBEATS 625 /* Add Heartbeat extension */ 626 if ((limit - ret - 4 - 1) < 0) 627 return NULL; 628 s2n(TLSEXT_TYPE_heartbeat,ret); 629 s2n(1,ret); 630 /* Set mode: 631 * 1: peer may send requests 632 * 2: peer not allowed to send requests 633 */ 634 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 635 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 636 else 637 *(ret++) = SSL_TLSEXT_HB_ENABLED; 638#endif 639 640#ifndef OPENSSL_NO_NEXTPROTONEG 641 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) 642 { 643 /* The client advertises an emtpy extension to indicate its 644 * support for Next Protocol Negotiation */ 645 if (limit - ret - 4 < 0) 646 return NULL; 647 s2n(TLSEXT_TYPE_next_proto_neg,ret); 648 s2n(0,ret); 649 } 650#endif 651 652#ifndef OPENSSL_NO_SRTP 653 if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) 654 { 655 int el; 656 657 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 658 659 if((limit - ret - 4 - el) < 0) return NULL; 660 661 s2n(TLSEXT_TYPE_use_srtp,ret); 662 s2n(el,ret); 663 664 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) 665 { 666 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 667 return NULL; 668 } 669 ret += el; 670 } 671#endif 672 /* Add padding to workaround bugs in F5 terminators. 673 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 674 * 675 * NB: because this code works out the length of all existing 676 * extensions it MUST always appear last. 677 */ 678 if (s->options & SSL_OP_TLSEXT_PADDING) 679 { 680 int hlen = ret - (unsigned char *)s->init_buf->data; 681 /* The code in s23_clnt.c to build ClientHello messages 682 * includes the 5-byte record header in the buffer, while 683 * the code in s3_clnt.c does not. 684 */ 685 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 686 hlen -= 5; 687 if (hlen > 0xff && hlen < 0x200) 688 { 689 hlen = 0x200 - hlen; 690 if (hlen >= 4) 691 hlen -= 4; 692 else 693 hlen = 0; 694 695 s2n(TLSEXT_TYPE_padding, ret); 696 s2n(hlen, ret); 697 memset(ret, 0, hlen); 698 ret += hlen; 699 } 700 } 701 702 if ((extdatalen = ret-orig-2)== 0) 703 return orig; 704 705 s2n(extdatalen, orig); 706 return ret; 707 } 708 709unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit) 710 { 711 int extdatalen=0; 712 unsigned char *orig = buf; 713 unsigned char *ret = buf; 714#ifndef OPENSSL_NO_NEXTPROTONEG 715 int next_proto_neg_seen; 716#endif 717 718 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 719 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 720 return orig; 721 722 ret+=2; 723 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 724 725 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) 726 { 727 if ((long)(limit - ret - 4) < 0) return NULL; 728 729 s2n(TLSEXT_TYPE_server_name,ret); 730 s2n(0,ret); 731 } 732 733 if(s->s3->send_connection_binding) 734 { 735 int el; 736 737 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) 738 { 739 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 740 return NULL; 741 } 742 743 if((limit - ret - 4 - el) < 0) return NULL; 744 745 s2n(TLSEXT_TYPE_renegotiate,ret); 746 s2n(el,ret); 747 748 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) 749 { 750 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 751 return NULL; 752 } 753 754 ret += el; 755 } 756 757#ifndef OPENSSL_NO_EC 758 if (s->tlsext_ecpointformatlist != NULL) 759 { 760 /* Add TLS extension ECPointFormats to the ServerHello message */ 761 long lenmax; 762 763 if ((lenmax = limit - ret - 5) < 0) return NULL; 764 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 765 if (s->tlsext_ecpointformatlist_length > 255) 766 { 767 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 768 return NULL; 769 } 770 771 s2n(TLSEXT_TYPE_ec_point_formats,ret); 772 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 773 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 774 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 775 ret+=s->tlsext_ecpointformatlist_length; 776 777 } 778 /* Currently the server should not respond with a SupportedCurves extension */ 779#endif /* OPENSSL_NO_EC */ 780 781 if (s->tlsext_ticket_expected 782 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 783 { 784 if ((long)(limit - ret - 4) < 0) return NULL; 785 s2n(TLSEXT_TYPE_session_ticket,ret); 786 s2n(0,ret); 787 } 788 789 if (s->tlsext_status_expected) 790 { 791 if ((long)(limit - ret - 4) < 0) return NULL; 792 s2n(TLSEXT_TYPE_status_request,ret); 793 s2n(0,ret); 794 } 795 796#ifdef TLSEXT_TYPE_opaque_prf_input 797 if (s->s3->server_opaque_prf_input != NULL && 798 s->version != DTLS1_VERSION) 799 { 800 size_t sol = s->s3->server_opaque_prf_input_len; 801 802 if ((long)(limit - ret - 6 - sol) < 0) 803 return NULL; 804 if (sol > 0xFFFD) /* can't happen */ 805 return NULL; 806 807 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 808 s2n(sol + 2, ret); 809 s2n(sol, ret); 810 memcpy(ret, s->s3->server_opaque_prf_input, sol); 811 ret += sol; 812 } 813#endif 814 815#ifndef OPENSSL_NO_SRTP 816 if(SSL_IS_DTLS(s) && s->srtp_profile) 817 { 818 int el; 819 820 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 821 822 if((limit - ret - 4 - el) < 0) return NULL; 823 824 s2n(TLSEXT_TYPE_use_srtp,ret); 825 s2n(el,ret); 826 827 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) 828 { 829 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 830 return NULL; 831 } 832 ret+=el; 833 } 834#endif 835 836 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 837 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 838 { const unsigned char cryptopro_ext[36] = { 839 0xfd, 0xe8, /*65000*/ 840 0x00, 0x20, /*32 bytes length*/ 841 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 842 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 843 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 844 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17}; 845 if (limit-ret<36) return NULL; 846 memcpy(ret,cryptopro_ext,36); 847 ret+=36; 848 849 } 850 851#ifndef OPENSSL_NO_HEARTBEATS 852 /* Add Heartbeat extension if we've received one */ 853 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) 854 { 855 if ((limit - ret - 4 - 1) < 0) 856 return NULL; 857 s2n(TLSEXT_TYPE_heartbeat,ret); 858 s2n(1,ret); 859 /* Set mode: 860 * 1: peer may send requests 861 * 2: peer not allowed to send requests 862 */ 863 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 864 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 865 else 866 *(ret++) = SSL_TLSEXT_HB_ENABLED; 867 868 } 869#endif 870 871#ifndef OPENSSL_NO_NEXTPROTONEG 872 next_proto_neg_seen = s->s3->next_proto_neg_seen; 873 s->s3->next_proto_neg_seen = 0; 874 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) 875 { 876 const unsigned char *npa; 877 unsigned int npalen; 878 int r; 879 880 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); 881 if (r == SSL_TLSEXT_ERR_OK) 882 { 883 if ((long)(limit - ret - 4 - npalen) < 0) return NULL; 884 s2n(TLSEXT_TYPE_next_proto_neg,ret); 885 s2n(npalen,ret); 886 memcpy(ret, npa, npalen); 887 ret += npalen; 888 s->s3->next_proto_neg_seen = 1; 889 } 890 } 891#endif 892 893 if ((extdatalen = ret-orig-2)== 0) 894 return orig; 895 896 s2n(extdatalen, orig); 897 return ret; 898 } 899 900#ifndef OPENSSL_NO_EC 901/* ssl_check_for_safari attempts to fingerprint Safari using OS X 902 * SecureTransport using the TLS extension block in |d|, of length |n|. 903 * Safari, since 10.6, sends exactly these extensions, in this order: 904 * SNI, 905 * elliptic_curves 906 * ec_point_formats 907 * 908 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, 909 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. 910 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 911 * 10.8..10.8.3 (which don't work). 912 */ 913static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { 914 unsigned short type, size; 915 static const unsigned char kSafariExtensionsBlock[] = { 916 0x00, 0x0a, /* elliptic_curves extension */ 917 0x00, 0x08, /* 8 bytes */ 918 0x00, 0x06, /* 6 bytes of curve ids */ 919 0x00, 0x17, /* P-256 */ 920 0x00, 0x18, /* P-384 */ 921 0x00, 0x19, /* P-521 */ 922 923 0x00, 0x0b, /* ec_point_formats */ 924 0x00, 0x02, /* 2 bytes */ 925 0x01, /* 1 point format */ 926 0x00, /* uncompressed */ 927 }; 928 929 /* The following is only present in TLS 1.2 */ 930 static const unsigned char kSafariTLS12ExtensionsBlock[] = { 931 0x00, 0x0d, /* signature_algorithms */ 932 0x00, 0x0c, /* 12 bytes */ 933 0x00, 0x0a, /* 10 bytes */ 934 0x05, 0x01, /* SHA-384/RSA */ 935 0x04, 0x01, /* SHA-256/RSA */ 936 0x02, 0x01, /* SHA-1/RSA */ 937 0x04, 0x03, /* SHA-256/ECDSA */ 938 0x02, 0x03, /* SHA-1/ECDSA */ 939 }; 940 941 if (data >= (d+n-2)) 942 return; 943 data += 2; 944 945 if (data > (d+n-4)) 946 return; 947 n2s(data,type); 948 n2s(data,size); 949 950 if (type != TLSEXT_TYPE_server_name) 951 return; 952 953 if (data+size > d+n) 954 return; 955 data += size; 956 957 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 958 { 959 const size_t len1 = sizeof(kSafariExtensionsBlock); 960 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 961 962 if (data + len1 + len2 != d+n) 963 return; 964 if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 965 return; 966 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 967 return; 968 } 969 else 970 { 971 const size_t len = sizeof(kSafariExtensionsBlock); 972 973 if (data + len != d+n) 974 return; 975 if (memcmp(data, kSafariExtensionsBlock, len) != 0) 976 return; 977 } 978 979 s->s3->is_probably_safari = 1; 980} 981#endif /* !OPENSSL_NO_EC */ 982 983int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 984 { 985 unsigned short type; 986 unsigned short size; 987 unsigned short len; 988 unsigned char *data = *p; 989 int renegotiate_seen = 0; 990 int sigalg_seen = 0; 991 992 s->servername_done = 0; 993 s->tlsext_status_type = -1; 994#ifndef OPENSSL_NO_NEXTPROTONEG 995 s->s3->next_proto_neg_seen = 0; 996#endif 997 998#ifndef OPENSSL_NO_HEARTBEATS 999 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1000 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1001#endif 1002 1003#ifndef OPENSSL_NO_EC 1004 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 1005 ssl_check_for_safari(s, data, d, n); 1006#endif /* !OPENSSL_NO_EC */ 1007 1008#ifndef OPENSSL_NO_SRP 1009 if (s->srp_ctx.login != NULL) 1010 { 1011 OPENSSL_free(s->srp_ctx.login); 1012 s->srp_ctx.login = NULL; 1013 } 1014#endif 1015 1016 s->srtp_profile = NULL; 1017 1018 if (data >= (d + n - 2)) { 1019 if (data != d + n) 1020 goto err; 1021 else 1022 goto ri_check; 1023 } 1024 n2s(data,len); 1025 1026 if (data > (d+n-len)) 1027 goto err; 1028 1029 while (data <= (d+n-4)) 1030 { 1031 n2s(data,type); 1032 n2s(data,size); 1033 1034 if (data+size > (d+n)) 1035 goto err; 1036#if 0 1037 fprintf(stderr,"Received extension type %d size %d\n",type,size); 1038#endif 1039 if (s->tlsext_debug_cb) 1040 s->tlsext_debug_cb(s, 0, type, data, size, 1041 s->tlsext_debug_arg); 1042/* The servername extension is treated as follows: 1043 1044 - Only the hostname type is supported with a maximum length of 255. 1045 - The servername is rejected if too long or if it contains zeros, 1046 in which case an fatal alert is generated. 1047 - The servername field is maintained together with the session cache. 1048 - When a session is resumed, the servername call back invoked in order 1049 to allow the application to position itself to the right context. 1050 - The servername is acknowledged if it is new for a session or when 1051 it is identical to a previously used for the same session. 1052 Applications can control the behaviour. They can at any time 1053 set a 'desirable' servername for a new SSL object. This can be the 1054 case for example with HTTPS when a Host: header field is received and 1055 a renegotiation is requested. In this case, a possible servername 1056 presented in the new client hello is only acknowledged if it matches 1057 the value of the Host: field. 1058 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1059 if they provide for changing an explicit servername context for the session, 1060 i.e. when the session has been established with a servername extension. 1061 - On session reconnect, the servername extension may be absent. 1062 1063*/ 1064 1065 if (type == TLSEXT_TYPE_server_name) 1066 { 1067 unsigned char *sdata; 1068 int servname_type; 1069 int dsize; 1070 1071 if (size < 2) 1072 goto err; 1073 n2s(data,dsize); 1074 size -= 2; 1075 if (dsize > size ) 1076 goto err; 1077 1078 sdata = data; 1079 while (dsize > 3) 1080 { 1081 servname_type = *(sdata++); 1082 n2s(sdata,len); 1083 dsize -= 3; 1084 1085 if (len > dsize) 1086 goto err; 1087 if (s->servername_done == 0) 1088 switch (servname_type) 1089 { 1090 case TLSEXT_NAMETYPE_host_name: 1091 if (!s->hit) 1092 { 1093 if(s->session->tlsext_hostname) 1094 goto err; 1095 if (len > TLSEXT_MAXLEN_host_name) 1096 { 1097 *al = TLS1_AD_UNRECOGNIZED_NAME; 1098 return 0; 1099 } 1100 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) 1101 { 1102 *al = TLS1_AD_INTERNAL_ERROR; 1103 return 0; 1104 } 1105 memcpy(s->session->tlsext_hostname, sdata, len); 1106 s->session->tlsext_hostname[len]='\0'; 1107 if (strlen(s->session->tlsext_hostname) != len) { 1108 OPENSSL_free(s->session->tlsext_hostname); 1109 s->session->tlsext_hostname = NULL; 1110 *al = TLS1_AD_UNRECOGNIZED_NAME; 1111 return 0; 1112 } 1113 s->servername_done = 1; 1114 1115 } 1116 else 1117 s->servername_done = s->session->tlsext_hostname 1118 && strlen(s->session->tlsext_hostname) == len 1119 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1120 1121 break; 1122 1123 default: 1124 break; 1125 } 1126 1127 dsize -= len; 1128 } 1129 if (dsize != 0) 1130 goto err; 1131 1132 } 1133#ifndef OPENSSL_NO_SRP 1134 else if (type == TLSEXT_TYPE_srp) 1135 { 1136 if (size <= 0 || ((len = data[0])) != (size -1)) 1137 goto err; 1138 if (s->srp_ctx.login != NULL) 1139 goto err; 1140 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL) 1141 return -1; 1142 memcpy(s->srp_ctx.login, &data[1], len); 1143 s->srp_ctx.login[len]='\0'; 1144 1145 if (strlen(s->srp_ctx.login) != len) 1146 goto err; 1147 } 1148#endif 1149 1150#ifndef OPENSSL_NO_EC 1151 else if (type == TLSEXT_TYPE_ec_point_formats) 1152 { 1153 unsigned char *sdata = data; 1154 int ecpointformatlist_length = *(sdata++); 1155 1156 if (ecpointformatlist_length != size - 1) 1157 goto err; 1158 if (!s->hit) 1159 { 1160 if(s->session->tlsext_ecpointformatlist) 1161 { 1162 OPENSSL_free(s->session->tlsext_ecpointformatlist); 1163 s->session->tlsext_ecpointformatlist = NULL; 1164 } 1165 s->session->tlsext_ecpointformatlist_length = 0; 1166 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1167 { 1168 *al = TLS1_AD_INTERNAL_ERROR; 1169 return 0; 1170 } 1171 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1172 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1173 } 1174#if 0 1175 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); 1176 sdata = s->session->tlsext_ecpointformatlist; 1177 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1178 fprintf(stderr,"%i ",*(sdata++)); 1179 fprintf(stderr,"\n"); 1180#endif 1181 } 1182 else if (type == TLSEXT_TYPE_elliptic_curves) 1183 { 1184 unsigned char *sdata = data; 1185 int ellipticcurvelist_length = (*(sdata++) << 8); 1186 ellipticcurvelist_length += (*(sdata++)); 1187 1188 if (ellipticcurvelist_length != size - 2 || 1189 ellipticcurvelist_length < 1 || 1190 /* Each NamedCurve is 2 bytes. */ 1191 ellipticcurvelist_length & 1) 1192 goto err; 1193 if (!s->hit) 1194 { 1195 if(s->session->tlsext_ellipticcurvelist) 1196 goto err; 1197 1198 s->session->tlsext_ellipticcurvelist_length = 0; 1199 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) 1200 { 1201 *al = TLS1_AD_INTERNAL_ERROR; 1202 return 0; 1203 } 1204 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; 1205 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); 1206 } 1207#if 0 1208 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); 1209 sdata = s->session->tlsext_ellipticcurvelist; 1210 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) 1211 fprintf(stderr,"%i ",*(sdata++)); 1212 fprintf(stderr,"\n"); 1213#endif 1214 } 1215#endif /* OPENSSL_NO_EC */ 1216#ifdef TLSEXT_TYPE_opaque_prf_input 1217 else if (type == TLSEXT_TYPE_opaque_prf_input && 1218 s->version != DTLS1_VERSION) 1219 { 1220 unsigned char *sdata = data; 1221 1222 if (size < 2) 1223 { 1224 *al = SSL_AD_DECODE_ERROR; 1225 return 0; 1226 } 1227 n2s(sdata, s->s3->client_opaque_prf_input_len); 1228 if (s->s3->client_opaque_prf_input_len != size - 2) 1229 { 1230 *al = SSL_AD_DECODE_ERROR; 1231 return 0; 1232 } 1233 1234 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1235 OPENSSL_free(s->s3->client_opaque_prf_input); 1236 if (s->s3->client_opaque_prf_input_len == 0) 1237 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1238 else 1239 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); 1240 if (s->s3->client_opaque_prf_input == NULL) 1241 { 1242 *al = TLS1_AD_INTERNAL_ERROR; 1243 return 0; 1244 } 1245 } 1246#endif 1247 else if (type == TLSEXT_TYPE_session_ticket) 1248 { 1249 if (s->tls_session_ticket_ext_cb && 1250 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1251 { 1252 *al = TLS1_AD_INTERNAL_ERROR; 1253 return 0; 1254 } 1255 } 1256 else if (type == TLSEXT_TYPE_renegotiate) 1257 { 1258 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1259 return 0; 1260 renegotiate_seen = 1; 1261 } 1262 else if (type == TLSEXT_TYPE_signature_algorithms) 1263 { 1264 int dsize; 1265 if (sigalg_seen || size < 2) 1266 goto err; 1267 sigalg_seen = 1; 1268 n2s(data,dsize); 1269 size -= 2; 1270 if (dsize != size || dsize & 1) 1271 goto err; 1272 if (!tls1_process_sigalgs(s, data, dsize)) 1273 goto err; 1274 } 1275 else if (type == TLSEXT_TYPE_status_request && 1276 s->version != DTLS1_VERSION) 1277 { 1278 1279 if (size < 5) 1280 goto err; 1281 1282 s->tlsext_status_type = *data++; 1283 size--; 1284 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 1285 { 1286 const unsigned char *sdata; 1287 int dsize; 1288 /* Read in responder_id_list */ 1289 n2s(data,dsize); 1290 size -= 2; 1291 if (dsize > size ) 1292 goto err; 1293 while (dsize > 0) 1294 { 1295 OCSP_RESPID *id; 1296 int idsize; 1297 if (dsize < 4) 1298 goto err; 1299 n2s(data, idsize); 1300 dsize -= 2 + idsize; 1301 size -= 2 + idsize; 1302 if (dsize < 0) 1303 goto err; 1304 sdata = data; 1305 data += idsize; 1306 id = d2i_OCSP_RESPID(NULL, 1307 &sdata, idsize); 1308 if (!id) 1309 goto err; 1310 if (data != sdata) 1311 { 1312 OCSP_RESPID_free(id); 1313 goto err; 1314 } 1315 if (!s->tlsext_ocsp_ids 1316 && !(s->tlsext_ocsp_ids = 1317 sk_OCSP_RESPID_new_null())) 1318 { 1319 OCSP_RESPID_free(id); 1320 *al = SSL_AD_INTERNAL_ERROR; 1321 return 0; 1322 } 1323 if (!sk_OCSP_RESPID_push( 1324 s->tlsext_ocsp_ids, id)) 1325 { 1326 OCSP_RESPID_free(id); 1327 *al = SSL_AD_INTERNAL_ERROR; 1328 return 0; 1329 } 1330 } 1331 1332 /* Read in request_extensions */ 1333 if (size < 2) 1334 goto err; 1335 n2s(data,dsize); 1336 size -= 2; 1337 if (dsize != size) 1338 goto err; 1339 sdata = data; 1340 if (dsize > 0) 1341 { 1342 if (s->tlsext_ocsp_exts) 1343 { 1344 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1345 X509_EXTENSION_free); 1346 } 1347 1348 s->tlsext_ocsp_exts = 1349 d2i_X509_EXTENSIONS(NULL, 1350 &sdata, dsize); 1351 if (!s->tlsext_ocsp_exts 1352 || (data + dsize != sdata)) 1353 goto err; 1354 } 1355 } 1356 /* We don't know what to do with any other type 1357 * so ignore it. 1358 */ 1359 else 1360 s->tlsext_status_type = -1; 1361 } 1362#ifndef OPENSSL_NO_HEARTBEATS 1363 else if (type == TLSEXT_TYPE_heartbeat) 1364 { 1365 switch(data[0]) 1366 { 1367 case 0x01: /* Client allows us to send HB requests */ 1368 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1369 break; 1370 case 0x02: /* Client doesn't accept HB requests */ 1371 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1372 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1373 break; 1374 default: *al = SSL_AD_ILLEGAL_PARAMETER; 1375 return 0; 1376 } 1377 } 1378#endif 1379#ifndef OPENSSL_NO_NEXTPROTONEG 1380 else if (type == TLSEXT_TYPE_next_proto_neg && 1381 s->s3->tmp.finish_md_len == 0) 1382 { 1383 /* We shouldn't accept this extension on a 1384 * renegotiation. 1385 * 1386 * s->new_session will be set on renegotiation, but we 1387 * probably shouldn't rely that it couldn't be set on 1388 * the initial renegotation too in certain cases (when 1389 * there's some other reason to disallow resuming an 1390 * earlier session -- the current code won't be doing 1391 * anything like that, but this might change). 1392 1393 * A valid sign that there's been a previous handshake 1394 * in this connection is if s->s3->tmp.finish_md_len > 1395 * 0. (We are talking about a check that will happen 1396 * in the Hello protocol round, well before a new 1397 * Finished message could have been computed.) */ 1398 s->s3->next_proto_neg_seen = 1; 1399 } 1400#endif 1401 1402 /* session ticket processed earlier */ 1403#ifndef OPENSSL_NO_SRTP 1404 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) 1405 && type == TLSEXT_TYPE_use_srtp) 1406 { 1407 if(ssl_parse_clienthello_use_srtp_ext(s, data, size, 1408 al)) 1409 return 0; 1410 } 1411#endif 1412 1413 data+=size; 1414 } 1415 1416 /* Spurious data on the end */ 1417 if (data != d + n) 1418 goto err; 1419 1420 *p = data; 1421 1422 ri_check: 1423 1424 /* Need RI if renegotiating */ 1425 1426 if (!renegotiate_seen && s->renegotiate && 1427 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1428 { 1429 *al = SSL_AD_HANDSHAKE_FAILURE; 1430 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1431 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1432 return 0; 1433 } 1434 1435 return 1; 1436err: 1437 *al = SSL_AD_DECODE_ERROR; 1438 return 0; 1439} 1440 1441#ifndef OPENSSL_NO_NEXTPROTONEG 1442/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1443 * elements of zero length are allowed and the set of elements must exactly fill 1444 * the length of the block. */ 1445static char ssl_next_proto_validate(unsigned char *d, unsigned len) 1446 { 1447 unsigned int off = 0; 1448 1449 while (off < len) 1450 { 1451 if (d[off] == 0) 1452 return 0; 1453 off += d[off]; 1454 off++; 1455 } 1456 1457 return off == len; 1458 } 1459#endif 1460 1461int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 1462 { 1463 unsigned short length; 1464 unsigned short type; 1465 unsigned short size; 1466 unsigned char *data = *p; 1467 int tlsext_servername = 0; 1468 int renegotiate_seen = 0; 1469 1470#ifndef OPENSSL_NO_NEXTPROTONEG 1471 s->s3->next_proto_neg_seen = 0; 1472#endif 1473 s->tlsext_ticket_expected = 0; 1474 1475#ifndef OPENSSL_NO_HEARTBEATS 1476 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1477 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1478#endif 1479 1480 if (data >= (d+n-2)) 1481 goto ri_check; 1482 1483 n2s(data,length); 1484 if (data+length != d+n) 1485 { 1486 *al = SSL_AD_DECODE_ERROR; 1487 return 0; 1488 } 1489 1490 while(data <= (d+n-4)) 1491 { 1492 n2s(data,type); 1493 n2s(data,size); 1494 1495 if (data+size > (d+n)) 1496 goto ri_check; 1497 1498 if (s->tlsext_debug_cb) 1499 s->tlsext_debug_cb(s, 1, type, data, size, 1500 s->tlsext_debug_arg); 1501 1502 if (type == TLSEXT_TYPE_server_name) 1503 { 1504 if (s->tlsext_hostname == NULL || size > 0) 1505 { 1506 *al = TLS1_AD_UNRECOGNIZED_NAME; 1507 return 0; 1508 } 1509 tlsext_servername = 1; 1510 } 1511 1512#ifndef OPENSSL_NO_EC 1513 else if (type == TLSEXT_TYPE_ec_point_formats) 1514 { 1515 unsigned char *sdata = data; 1516 int ecpointformatlist_length = *(sdata++); 1517 1518 if (ecpointformatlist_length != size - 1 || 1519 ecpointformatlist_length < 1) 1520 { 1521 *al = TLS1_AD_DECODE_ERROR; 1522 return 0; 1523 } 1524 if (!s->hit) 1525 { 1526 s->session->tlsext_ecpointformatlist_length = 0; 1527 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); 1528 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1529 { 1530 *al = TLS1_AD_INTERNAL_ERROR; 1531 return 0; 1532 } 1533 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1534 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1535 } 1536#if 0 1537 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); 1538 sdata = s->session->tlsext_ecpointformatlist; 1539 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1540 fprintf(stderr,"%i ",*(sdata++)); 1541 fprintf(stderr,"\n"); 1542#endif 1543 } 1544#endif /* OPENSSL_NO_EC */ 1545 1546 else if (type == TLSEXT_TYPE_session_ticket) 1547 { 1548 if (s->tls_session_ticket_ext_cb && 1549 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1550 { 1551 *al = TLS1_AD_INTERNAL_ERROR; 1552 return 0; 1553 } 1554 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 1555 || (size > 0)) 1556 { 1557 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1558 return 0; 1559 } 1560 s->tlsext_ticket_expected = 1; 1561 } 1562#ifdef TLSEXT_TYPE_opaque_prf_input 1563 else if (type == TLSEXT_TYPE_opaque_prf_input && 1564 s->version != DTLS1_VERSION) 1565 { 1566 unsigned char *sdata = data; 1567 1568 if (size < 2) 1569 { 1570 *al = SSL_AD_DECODE_ERROR; 1571 return 0; 1572 } 1573 n2s(sdata, s->s3->server_opaque_prf_input_len); 1574 if (s->s3->server_opaque_prf_input_len != size - 2) 1575 { 1576 *al = SSL_AD_DECODE_ERROR; 1577 return 0; 1578 } 1579 1580 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1581 OPENSSL_free(s->s3->server_opaque_prf_input); 1582 if (s->s3->server_opaque_prf_input_len == 0) 1583 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1584 else 1585 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); 1586 1587 if (s->s3->server_opaque_prf_input == NULL) 1588 { 1589 *al = TLS1_AD_INTERNAL_ERROR; 1590 return 0; 1591 } 1592 } 1593#endif 1594 else if (type == TLSEXT_TYPE_status_request && 1595 s->version != DTLS1_VERSION) 1596 { 1597 /* MUST be empty and only sent if we've requested 1598 * a status request message. 1599 */ 1600 if ((s->tlsext_status_type == -1) || (size > 0)) 1601 { 1602 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1603 return 0; 1604 } 1605 /* Set flag to expect CertificateStatus message */ 1606 s->tlsext_status_expected = 1; 1607 } 1608#ifndef OPENSSL_NO_NEXTPROTONEG 1609 else if (type == TLSEXT_TYPE_next_proto_neg && 1610 s->s3->tmp.finish_md_len == 0) 1611 { 1612 unsigned char *selected; 1613 unsigned char selected_len; 1614 1615 /* We must have requested it. */ 1616 if (s->ctx->next_proto_select_cb == NULL) 1617 { 1618 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1619 return 0; 1620 } 1621 /* The data must be valid */ 1622 if (!ssl_next_proto_validate(data, size)) 1623 { 1624 *al = TLS1_AD_DECODE_ERROR; 1625 return 0; 1626 } 1627 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) 1628 { 1629 *al = TLS1_AD_INTERNAL_ERROR; 1630 return 0; 1631 } 1632 s->next_proto_negotiated = OPENSSL_malloc(selected_len); 1633 if (!s->next_proto_negotiated) 1634 { 1635 *al = TLS1_AD_INTERNAL_ERROR; 1636 return 0; 1637 } 1638 memcpy(s->next_proto_negotiated, selected, selected_len); 1639 s->next_proto_negotiated_len = selected_len; 1640 s->s3->next_proto_neg_seen = 1; 1641 } 1642#endif 1643 else if (type == TLSEXT_TYPE_renegotiate) 1644 { 1645 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1646 return 0; 1647 renegotiate_seen = 1; 1648 } 1649#ifndef OPENSSL_NO_HEARTBEATS 1650 else if (type == TLSEXT_TYPE_heartbeat) 1651 { 1652 switch(data[0]) 1653 { 1654 case 0x01: /* Server allows us to send HB requests */ 1655 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1656 break; 1657 case 0x02: /* Server doesn't accept HB requests */ 1658 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1659 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1660 break; 1661 default: *al = SSL_AD_ILLEGAL_PARAMETER; 1662 return 0; 1663 } 1664 } 1665#endif 1666#ifndef OPENSSL_NO_SRTP 1667 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) 1668 { 1669 if(ssl_parse_serverhello_use_srtp_ext(s, data, size, 1670 al)) 1671 return 0; 1672 } 1673#endif 1674 1675 data+=size; 1676 } 1677 1678 if (data != d+n) 1679 { 1680 *al = SSL_AD_DECODE_ERROR; 1681 return 0; 1682 } 1683 1684 if (!s->hit && tlsext_servername == 1) 1685 { 1686 if (s->tlsext_hostname) 1687 { 1688 if (s->session->tlsext_hostname == NULL) 1689 { 1690 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 1691 if (!s->session->tlsext_hostname) 1692 { 1693 *al = SSL_AD_UNRECOGNIZED_NAME; 1694 return 0; 1695 } 1696 } 1697 else 1698 { 1699 *al = SSL_AD_DECODE_ERROR; 1700 return 0; 1701 } 1702 } 1703 } 1704 1705 *p = data; 1706 1707 ri_check: 1708 1709 /* Determine if we need to see RI. Strictly speaking if we want to 1710 * avoid an attack we should *always* see RI even on initial server 1711 * hello because the client doesn't see any renegotiation during an 1712 * attack. However this would mean we could not connect to any server 1713 * which doesn't support RI so for the immediate future tolerate RI 1714 * absence on initial connect only. 1715 */ 1716 if (!renegotiate_seen 1717 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 1718 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1719 { 1720 *al = SSL_AD_HANDSHAKE_FAILURE; 1721 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1722 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1723 return 0; 1724 } 1725 1726 return 1; 1727 } 1728 1729 1730int ssl_prepare_clienthello_tlsext(SSL *s) 1731 { 1732#ifndef OPENSSL_NO_EC 1733 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 1734 * and elliptic curves we support. 1735 */ 1736 int using_ecc = 0; 1737 int i; 1738 unsigned char *j; 1739 unsigned long alg_k, alg_a; 1740 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 1741 1742 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) 1743 { 1744 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 1745 1746 alg_k = c->algorithm_mkey; 1747 alg_a = c->algorithm_auth; 1748 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) 1749 { 1750 using_ecc = 1; 1751 break; 1752 } 1753 } 1754 using_ecc = using_ecc && (s->version >= TLS1_VERSION); 1755 if (using_ecc) 1756 { 1757 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1758 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1759 { 1760 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1761 return -1; 1762 } 1763 s->tlsext_ecpointformatlist_length = 3; 1764 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1765 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1766 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1767 1768 /* we support all named elliptic curves in RFC 4492 */ 1769 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); 1770 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2; 1771 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) 1772 { 1773 s->tlsext_ellipticcurvelist_length = 0; 1774 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1775 return -1; 1776 } 1777 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < 1778 sizeof(pref_list)/sizeof(pref_list[0]); i++) 1779 { 1780 int id = tls1_ec_nid2curve_id(pref_list[i]); 1781 s2n(id,j); 1782 } 1783 } 1784#endif /* OPENSSL_NO_EC */ 1785 1786#ifdef TLSEXT_TYPE_opaque_prf_input 1787 { 1788 int r = 1; 1789 1790 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1791 { 1792 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1793 if (!r) 1794 return -1; 1795 } 1796 1797 if (s->tlsext_opaque_prf_input != NULL) 1798 { 1799 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1800 OPENSSL_free(s->s3->client_opaque_prf_input); 1801 1802 if (s->tlsext_opaque_prf_input_len == 0) 1803 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1804 else 1805 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1806 if (s->s3->client_opaque_prf_input == NULL) 1807 { 1808 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1809 return -1; 1810 } 1811 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1812 } 1813 1814 if (r == 2) 1815 /* at callback's request, insist on receiving an appropriate server opaque PRF input */ 1816 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1817 } 1818#endif 1819 1820 return 1; 1821 } 1822 1823int ssl_prepare_serverhello_tlsext(SSL *s) 1824 { 1825#ifndef OPENSSL_NO_EC 1826 /* If we are server and using an ECC cipher suite, send the point formats we support 1827 * if the client sent us an ECPointsFormat extension. Note that the server is not 1828 * supposed to send an EllipticCurves extension. 1829 */ 1830 1831 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1832 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1833 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); 1834 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); 1835 1836 if (using_ecc) 1837 { 1838 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1839 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1840 { 1841 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1842 return -1; 1843 } 1844 s->tlsext_ecpointformatlist_length = 3; 1845 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1846 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1847 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1848 } 1849#endif /* OPENSSL_NO_EC */ 1850 1851 return 1; 1852 } 1853 1854int ssl_check_clienthello_tlsext_early(SSL *s) 1855 { 1856 int ret=SSL_TLSEXT_ERR_NOACK; 1857 int al = SSL_AD_UNRECOGNIZED_NAME; 1858 1859#ifndef OPENSSL_NO_EC 1860 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1861 * ssl3_choose_cipher in s3_lib.c. 1862 */ 1863 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1864 * ssl3_choose_cipher in s3_lib.c. 1865 */ 1866#endif 1867 1868 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1869 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1870 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1871 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1872 1873#ifdef TLSEXT_TYPE_opaque_prf_input 1874 { 1875 /* This sort of belongs into ssl_prepare_serverhello_tlsext(), 1876 * but we might be sending an alert in response to the client hello, 1877 * so this has to happen here in 1878 * ssl_check_clienthello_tlsext_early(). */ 1879 1880 int r = 1; 1881 1882 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1883 { 1884 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1885 if (!r) 1886 { 1887 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1888 al = SSL_AD_INTERNAL_ERROR; 1889 goto err; 1890 } 1891 } 1892 1893 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1894 OPENSSL_free(s->s3->server_opaque_prf_input); 1895 s->s3->server_opaque_prf_input = NULL; 1896 1897 if (s->tlsext_opaque_prf_input != NULL) 1898 { 1899 if (s->s3->client_opaque_prf_input != NULL && 1900 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) 1901 { 1902 /* can only use this extension if we have a server opaque PRF input 1903 * of the same length as the client opaque PRF input! */ 1904 1905 if (s->tlsext_opaque_prf_input_len == 0) 1906 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1907 else 1908 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1909 if (s->s3->server_opaque_prf_input == NULL) 1910 { 1911 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1912 al = SSL_AD_INTERNAL_ERROR; 1913 goto err; 1914 } 1915 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1916 } 1917 } 1918 1919 if (r == 2 && s->s3->server_opaque_prf_input == NULL) 1920 { 1921 /* The callback wants to enforce use of the extension, 1922 * but we can't do that with the client opaque PRF input; 1923 * abort the handshake. 1924 */ 1925 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1926 al = SSL_AD_HANDSHAKE_FAILURE; 1927 } 1928 } 1929 1930 err: 1931#endif 1932 switch (ret) 1933 { 1934 case SSL_TLSEXT_ERR_ALERT_FATAL: 1935 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1936 return -1; 1937 1938 case SSL_TLSEXT_ERR_ALERT_WARNING: 1939 ssl3_send_alert(s,SSL3_AL_WARNING,al); 1940 return 1; 1941 1942 case SSL_TLSEXT_ERR_NOACK: 1943 s->servername_done=0; 1944 default: 1945 return 1; 1946 } 1947 } 1948 1949int ssl_check_clienthello_tlsext_late(SSL *s) 1950 { 1951 int ret = SSL_TLSEXT_ERR_OK; 1952 int al; 1953 1954 /* If status request then ask callback what to do. 1955 * Note: this must be called after servername callbacks in case 1956 * the certificate has changed, and must be called after the cipher 1957 * has been chosen because this may influence which certificate is sent 1958 */ 1959 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) 1960 { 1961 int r; 1962 CERT_PKEY *certpkey; 1963 certpkey = ssl_get_server_send_pkey(s); 1964 /* If no certificate can't return certificate status */ 1965 if (certpkey == NULL) 1966 { 1967 s->tlsext_status_expected = 0; 1968 return 1; 1969 } 1970 /* Set current certificate to one we will use so 1971 * SSL_get_certificate et al can pick it up. 1972 */ 1973 s->cert->key = certpkey; 1974 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1975 switch (r) 1976 { 1977 /* We don't want to send a status request response */ 1978 case SSL_TLSEXT_ERR_NOACK: 1979 s->tlsext_status_expected = 0; 1980 break; 1981 /* status request response should be sent */ 1982 case SSL_TLSEXT_ERR_OK: 1983 if (s->tlsext_ocsp_resp) 1984 s->tlsext_status_expected = 1; 1985 else 1986 s->tlsext_status_expected = 0; 1987 break; 1988 /* something bad happened */ 1989 case SSL_TLSEXT_ERR_ALERT_FATAL: 1990 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1991 al = SSL_AD_INTERNAL_ERROR; 1992 goto err; 1993 } 1994 } 1995 else 1996 s->tlsext_status_expected = 0; 1997 1998 err: 1999 switch (ret) 2000 { 2001 case SSL_TLSEXT_ERR_ALERT_FATAL: 2002 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2003 return -1; 2004 2005 case SSL_TLSEXT_ERR_ALERT_WARNING: 2006 ssl3_send_alert(s,SSL3_AL_WARNING,al); 2007 return 1; 2008 2009 default: 2010 return 1; 2011 } 2012 } 2013 2014int ssl_check_serverhello_tlsext(SSL *s) 2015 { 2016 int ret=SSL_TLSEXT_ERR_NOACK; 2017 int al = SSL_AD_UNRECOGNIZED_NAME; 2018 2019#ifndef OPENSSL_NO_EC 2020 /* If we are client and using an elliptic curve cryptography cipher 2021 * suite, then if server returns an EC point formats lists extension 2022 * it must contain uncompressed. 2023 */ 2024 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2025 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2026 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 2027 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 2028 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) 2029 { 2030 /* we are using an ECC cipher */ 2031 size_t i; 2032 unsigned char *list; 2033 int found_uncompressed = 0; 2034 list = s->session->tlsext_ecpointformatlist; 2035 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 2036 { 2037 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) 2038 { 2039 found_uncompressed = 1; 2040 break; 2041 } 2042 } 2043 if (!found_uncompressed) 2044 { 2045 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 2046 return -1; 2047 } 2048 } 2049 ret = SSL_TLSEXT_ERR_OK; 2050#endif /* OPENSSL_NO_EC */ 2051 2052 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 2053 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 2054 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 2055 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 2056 2057#ifdef TLSEXT_TYPE_opaque_prf_input 2058 if (s->s3->server_opaque_prf_input_len > 0) 2059 { 2060 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs. 2061 * So first verify that we really have a value from the server too. */ 2062 2063 if (s->s3->server_opaque_prf_input == NULL) 2064 { 2065 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2066 al = SSL_AD_HANDSHAKE_FAILURE; 2067 } 2068 2069 /* Anytime the server *has* sent an opaque PRF input, we need to check 2070 * that we have a client opaque PRF input of the same size. */ 2071 if (s->s3->client_opaque_prf_input == NULL || 2072 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) 2073 { 2074 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2075 al = SSL_AD_ILLEGAL_PARAMETER; 2076 } 2077 } 2078#endif 2079 2080 /* If we've requested certificate status and we wont get one 2081 * tell the callback 2082 */ 2083 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 2084 && s->ctx && s->ctx->tlsext_status_cb) 2085 { 2086 int r; 2087 /* Set resp to NULL, resplen to -1 so callback knows 2088 * there is no response. 2089 */ 2090 if (s->tlsext_ocsp_resp) 2091 { 2092 OPENSSL_free(s->tlsext_ocsp_resp); 2093 s->tlsext_ocsp_resp = NULL; 2094 } 2095 s->tlsext_ocsp_resplen = -1; 2096 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2097 if (r == 0) 2098 { 2099 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2100 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2101 } 2102 if (r < 0) 2103 { 2104 al = SSL_AD_INTERNAL_ERROR; 2105 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2106 } 2107 } 2108 2109 switch (ret) 2110 { 2111 case SSL_TLSEXT_ERR_ALERT_FATAL: 2112 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2113 return -1; 2114 2115 case SSL_TLSEXT_ERR_ALERT_WARNING: 2116 ssl3_send_alert(s,SSL3_AL_WARNING,al); 2117 return 1; 2118 2119 case SSL_TLSEXT_ERR_NOACK: 2120 s->servername_done=0; 2121 default: 2122 return 1; 2123 } 2124 } 2125 2126/* Since the server cache lookup is done early on in the processing of the 2127 * ClientHello, and other operations depend on the result, we need to handle 2128 * any TLS session ticket extension at the same time. 2129 * 2130 * session_id: points at the session ID in the ClientHello. This code will 2131 * read past the end of this in order to parse out the session ticket 2132 * extension, if any. 2133 * len: the length of the session ID. 2134 * limit: a pointer to the first byte after the ClientHello. 2135 * ret: (output) on return, if a ticket was decrypted, then this is set to 2136 * point to the resulting session. 2137 * 2138 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2139 * ciphersuite, in which case we have no use for session tickets and one will 2140 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2141 * 2142 * Returns: 2143 * -1: fatal error, either from parsing or decrypting the ticket. 2144 * 0: no ticket was found (or was ignored, based on settings). 2145 * 1: a zero length extension was found, indicating that the client supports 2146 * session tickets but doesn't currently have one to offer. 2147 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2148 * couldn't be decrypted because of a non-fatal error. 2149 * 3: a ticket was successfully decrypted and *ret was set. 2150 * 2151 * Side effects: 2152 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2153 * a new session ticket to the client because the client indicated support 2154 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2155 * a session ticket or we couldn't use the one it gave us, or if 2156 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2157 * Otherwise, s->tlsext_ticket_expected is set to 0. 2158 */ 2159int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 2160 const unsigned char *limit, SSL_SESSION **ret) 2161 { 2162 /* Point after session ID in client hello */ 2163 const unsigned char *p = session_id + len; 2164 unsigned short i; 2165 2166 *ret = NULL; 2167 s->tlsext_ticket_expected = 0; 2168 2169 /* If tickets disabled behave as if no ticket present 2170 * to permit stateful resumption. 2171 */ 2172 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2173 return 0; 2174 if ((s->version <= SSL3_VERSION) || !limit) 2175 return 0; 2176 if (p >= limit) 2177 return -1; 2178 /* Skip past DTLS cookie */ 2179 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 2180 { 2181 i = *(p++); 2182 p+= i; 2183 if (p >= limit) 2184 return -1; 2185 } 2186 /* Skip past cipher list */ 2187 n2s(p, i); 2188 p+= i; 2189 if (p >= limit) 2190 return -1; 2191 /* Skip past compression algorithm list */ 2192 i = *(p++); 2193 p += i; 2194 if (p > limit) 2195 return -1; 2196 /* Now at start of extensions */ 2197 if ((p + 2) >= limit) 2198 return 0; 2199 n2s(p, i); 2200 while ((p + 4) <= limit) 2201 { 2202 unsigned short type, size; 2203 n2s(p, type); 2204 n2s(p, size); 2205 if (p + size > limit) 2206 return 0; 2207 if (type == TLSEXT_TYPE_session_ticket) 2208 { 2209 int r; 2210 if (size == 0) 2211 { 2212 /* The client will accept a ticket but doesn't 2213 * currently have one. */ 2214 s->tlsext_ticket_expected = 1; 2215 return 1; 2216 } 2217 if (s->tls_session_secret_cb) 2218 { 2219 /* Indicate that the ticket couldn't be 2220 * decrypted rather than generating the session 2221 * from ticket now, trigger abbreviated 2222 * handshake based on external mechanism to 2223 * calculate the master secret later. */ 2224 return 2; 2225 } 2226 r = tls_decrypt_ticket(s, p, size, session_id, len, ret); 2227 switch (r) 2228 { 2229 case 2: /* ticket couldn't be decrypted */ 2230 s->tlsext_ticket_expected = 1; 2231 return 2; 2232 case 3: /* ticket was decrypted */ 2233 return r; 2234 case 4: /* ticket decrypted but need to renew */ 2235 s->tlsext_ticket_expected = 1; 2236 return 3; 2237 default: /* fatal error */ 2238 return -1; 2239 } 2240 } 2241 p += size; 2242 } 2243 return 0; 2244 } 2245 2246/* tls_decrypt_ticket attempts to decrypt a session ticket. 2247 * 2248 * etick: points to the body of the session ticket extension. 2249 * eticklen: the length of the session tickets extenion. 2250 * sess_id: points at the session ID. 2251 * sesslen: the length of the session ID. 2252 * psess: (output) on return, if a ticket was decrypted, then this is set to 2253 * point to the resulting session. 2254 * 2255 * Returns: 2256 * -1: fatal error, either from parsing or decrypting the ticket. 2257 * 2: the ticket couldn't be decrypted. 2258 * 3: a ticket was successfully decrypted and *psess was set. 2259 * 4: same as 3, but the ticket needs to be renewed. 2260 */ 2261static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2262 const unsigned char *sess_id, int sesslen, 2263 SSL_SESSION **psess) 2264 { 2265 SSL_SESSION *sess; 2266 unsigned char *sdec; 2267 const unsigned char *p; 2268 int slen, mlen, renew_ticket = 0; 2269 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2270 HMAC_CTX hctx; 2271 EVP_CIPHER_CTX ctx; 2272 SSL_CTX *tctx = s->initial_ctx; 2273 /* Need at least keyname + iv + some encrypted data */ 2274 if (eticklen < 48) 2275 return 2; 2276 /* Initialize session ticket encryption and HMAC contexts */ 2277 HMAC_CTX_init(&hctx); 2278 EVP_CIPHER_CTX_init(&ctx); 2279 if (tctx->tlsext_ticket_key_cb) 2280 { 2281 unsigned char *nctick = (unsigned char *)etick; 2282 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2283 &ctx, &hctx, 0); 2284 if (rv < 0) 2285 return -1; 2286 if (rv == 0) 2287 return 2; 2288 if (rv == 2) 2289 renew_ticket = 1; 2290 } 2291 else 2292 { 2293 /* Check key name matches */ 2294 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2295 return 2; 2296 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2297 tlsext_tick_md(), NULL); 2298 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2299 tctx->tlsext_tick_aes_key, etick + 16); 2300 } 2301 /* Attempt to process session ticket, first conduct sanity and 2302 * integrity checks on ticket. 2303 */ 2304 mlen = HMAC_size(&hctx); 2305 if (mlen < 0) 2306 { 2307 EVP_CIPHER_CTX_cleanup(&ctx); 2308 return -1; 2309 } 2310 eticklen -= mlen; 2311 /* Check HMAC of encrypted ticket */ 2312 HMAC_Update(&hctx, etick, eticklen); 2313 HMAC_Final(&hctx, tick_hmac, NULL); 2314 HMAC_CTX_cleanup(&hctx); 2315 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) 2316 { 2317 EVP_CIPHER_CTX_cleanup(&ctx); 2318 return 2; 2319 } 2320 /* Attempt to decrypt session data */ 2321 /* Move p after IV to start of encrypted ticket, update length */ 2322 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2323 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2324 sdec = OPENSSL_malloc(eticklen); 2325 if (!sdec) 2326 { 2327 EVP_CIPHER_CTX_cleanup(&ctx); 2328 return -1; 2329 } 2330 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2331 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 2332 { 2333 EVP_CIPHER_CTX_cleanup(&ctx); 2334 OPENSSL_free(sdec); 2335 return 2; 2336 } 2337 slen += mlen; 2338 EVP_CIPHER_CTX_cleanup(&ctx); 2339 p = sdec; 2340 2341 sess = d2i_SSL_SESSION(NULL, &p, slen); 2342 OPENSSL_free(sdec); 2343 if (sess) 2344 { 2345 /* The session ID, if non-empty, is used by some clients to 2346 * detect that the ticket has been accepted. So we copy it to 2347 * the session structure. If it is empty set length to zero 2348 * as required by standard. 2349 */ 2350 if (sesslen) 2351 memcpy(sess->session_id, sess_id, sesslen); 2352 sess->session_id_length = sesslen; 2353 *psess = sess; 2354 if (renew_ticket) 2355 return 4; 2356 else 2357 return 3; 2358 } 2359 ERR_clear_error(); 2360 /* For session parse failure, indicate that we need to send a new 2361 * ticket. */ 2362 return 2; 2363 } 2364 2365/* Tables to translate from NIDs to TLS v1.2 ids */ 2366 2367typedef struct 2368 { 2369 int nid; 2370 int id; 2371 } tls12_lookup; 2372 2373static tls12_lookup tls12_md[] = { 2374#ifndef OPENSSL_NO_MD5 2375 {NID_md5, TLSEXT_hash_md5}, 2376#endif 2377#ifndef OPENSSL_NO_SHA 2378 {NID_sha1, TLSEXT_hash_sha1}, 2379#endif 2380#ifndef OPENSSL_NO_SHA256 2381 {NID_sha224, TLSEXT_hash_sha224}, 2382 {NID_sha256, TLSEXT_hash_sha256}, 2383#endif 2384#ifndef OPENSSL_NO_SHA512 2385 {NID_sha384, TLSEXT_hash_sha384}, 2386 {NID_sha512, TLSEXT_hash_sha512} 2387#endif 2388}; 2389 2390static tls12_lookup tls12_sig[] = { 2391#ifndef OPENSSL_NO_RSA 2392 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2393#endif 2394#ifndef OPENSSL_NO_DSA 2395 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2396#endif 2397#ifndef OPENSSL_NO_ECDSA 2398 {EVP_PKEY_EC, TLSEXT_signature_ecdsa} 2399#endif 2400}; 2401 2402static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2403 { 2404 size_t i; 2405 for (i = 0; i < tlen; i++) 2406 { 2407 if (table[i].nid == nid) 2408 return table[i].id; 2409 } 2410 return -1; 2411 } 2412#if 0 2413static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) 2414 { 2415 size_t i; 2416 for (i = 0; i < tlen; i++) 2417 { 2418 if (table[i].id == id) 2419 return table[i].nid; 2420 } 2421 return -1; 2422 } 2423#endif 2424 2425int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2426 { 2427 int sig_id, md_id; 2428 if (!md) 2429 return 0; 2430 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2431 sizeof(tls12_md)/sizeof(tls12_lookup)); 2432 if (md_id == -1) 2433 return 0; 2434 sig_id = tls12_get_sigid(pk); 2435 if (sig_id == -1) 2436 return 0; 2437 p[0] = (unsigned char)md_id; 2438 p[1] = (unsigned char)sig_id; 2439 return 1; 2440 } 2441 2442int tls12_get_sigid(const EVP_PKEY *pk) 2443 { 2444 return tls12_find_id(pk->type, tls12_sig, 2445 sizeof(tls12_sig)/sizeof(tls12_lookup)); 2446 } 2447 2448const EVP_MD *tls12_get_hash(unsigned char hash_alg) 2449 { 2450 switch(hash_alg) 2451 { 2452#ifndef OPENSSL_NO_SHA 2453 case TLSEXT_hash_sha1: 2454 return EVP_sha1(); 2455#endif 2456#ifndef OPENSSL_NO_SHA256 2457 case TLSEXT_hash_sha224: 2458 return EVP_sha224(); 2459 2460 case TLSEXT_hash_sha256: 2461 return EVP_sha256(); 2462#endif 2463#ifndef OPENSSL_NO_SHA512 2464 case TLSEXT_hash_sha384: 2465 return EVP_sha384(); 2466 2467 case TLSEXT_hash_sha512: 2468 return EVP_sha512(); 2469#endif 2470 default: 2471 return NULL; 2472 2473 } 2474 } 2475 2476/* Set preferred digest for each key type */ 2477 2478int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2479 { 2480 int i, idx; 2481 const EVP_MD *md; 2482 CERT *c = s->cert; 2483 /* Extension ignored for TLS versions below 1.2 */ 2484 if (TLS1_get_version(s) < TLS1_2_VERSION) 2485 return 1; 2486 /* Should never happen */ 2487 if (!c) 2488 return 0; 2489 2490 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2491 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2492 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2493 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2494 2495 for (i = 0; i < dsize; i += 2) 2496 { 2497 unsigned char hash_alg = data[i], sig_alg = data[i+1]; 2498 2499 switch(sig_alg) 2500 { 2501#ifndef OPENSSL_NO_RSA 2502 case TLSEXT_signature_rsa: 2503 idx = SSL_PKEY_RSA_SIGN; 2504 break; 2505#endif 2506#ifndef OPENSSL_NO_DSA 2507 case TLSEXT_signature_dsa: 2508 idx = SSL_PKEY_DSA_SIGN; 2509 break; 2510#endif 2511#ifndef OPENSSL_NO_ECDSA 2512 case TLSEXT_signature_ecdsa: 2513 idx = SSL_PKEY_ECC; 2514 break; 2515#endif 2516 default: 2517 continue; 2518 } 2519 2520 if (c->pkeys[idx].digest == NULL) 2521 { 2522 md = tls12_get_hash(hash_alg); 2523 if (md) 2524 { 2525 c->pkeys[idx].digest = md; 2526 if (idx == SSL_PKEY_RSA_SIGN) 2527 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2528 } 2529 } 2530 2531 } 2532 2533 2534 /* Set any remaining keys to default values. NOTE: if alg is not 2535 * supported it stays as NULL. 2536 */ 2537#ifndef OPENSSL_NO_DSA 2538 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2539 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2540#endif 2541#ifndef OPENSSL_NO_RSA 2542 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) 2543 { 2544 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2545 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2546 } 2547#endif 2548#ifndef OPENSSL_NO_ECDSA 2549 if (!c->pkeys[SSL_PKEY_ECC].digest) 2550 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2551#endif 2552 return 1; 2553 } 2554 2555#endif 2556 2557#ifndef OPENSSL_NO_HEARTBEATS 2558int 2559tls1_process_heartbeat(SSL *s) 2560 { 2561 unsigned char *p = &s->s3->rrec.data[0], *pl; 2562 unsigned short hbtype; 2563 unsigned int payload; 2564 unsigned int padding = 16; /* Use minimum padding */ 2565 2566 if (s->msg_callback) 2567 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 2568 &s->s3->rrec.data[0], s->s3->rrec.length, 2569 s, s->msg_callback_arg); 2570 2571 /* Read type and payload length first */ 2572 if (1 + 2 + 16 > s->s3->rrec.length) 2573 return 0; /* silently discard */ 2574 hbtype = *p++; 2575 n2s(p, payload); 2576 if (1 + 2 + payload + 16 > s->s3->rrec.length) 2577 return 0; /* silently discard per RFC 6520 sec. 4 */ 2578 pl = p; 2579 2580 if (hbtype == TLS1_HB_REQUEST) 2581 { 2582 unsigned char *buffer, *bp; 2583 int r; 2584 2585 /* Allocate memory for the response, size is 1 bytes 2586 * message type, plus 2 bytes payload length, plus 2587 * payload, plus padding 2588 */ 2589 buffer = OPENSSL_malloc(1 + 2 + payload + padding); 2590 bp = buffer; 2591 2592 /* Enter response type, length and copy payload */ 2593 *bp++ = TLS1_HB_RESPONSE; 2594 s2n(payload, bp); 2595 memcpy(bp, pl, payload); 2596 bp += payload; 2597 /* Random padding */ 2598 RAND_pseudo_bytes(bp, padding); 2599 2600 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 2601 2602 if (r >= 0 && s->msg_callback) 2603 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2604 buffer, 3 + payload + padding, 2605 s, s->msg_callback_arg); 2606 2607 OPENSSL_free(buffer); 2608 2609 if (r < 0) 2610 return r; 2611 } 2612 else if (hbtype == TLS1_HB_RESPONSE) 2613 { 2614 unsigned int seq; 2615 2616 /* We only send sequence numbers (2 bytes unsigned int), 2617 * and 16 random bytes, so we just try to read the 2618 * sequence number */ 2619 n2s(pl, seq); 2620 2621 if (payload == 18 && seq == s->tlsext_hb_seq) 2622 { 2623 s->tlsext_hb_seq++; 2624 s->tlsext_hb_pending = 0; 2625 } 2626 } 2627 2628 return 0; 2629 } 2630 2631int 2632tls1_heartbeat(SSL *s) 2633 { 2634 unsigned char *buf, *p; 2635 int ret; 2636 unsigned int payload = 18; /* Sequence number + random bytes */ 2637 unsigned int padding = 16; /* Use minimum padding */ 2638 2639 /* Only send if peer supports and accepts HB requests... */ 2640 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || 2641 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) 2642 { 2643 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); 2644 return -1; 2645 } 2646 2647 /* ...and there is none in flight yet... */ 2648 if (s->tlsext_hb_pending) 2649 { 2650 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING); 2651 return -1; 2652 } 2653 2654 /* ...and no handshake in progress. */ 2655 if (SSL_in_init(s) || s->in_handshake) 2656 { 2657 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE); 2658 return -1; 2659 } 2660 2661 /* Check if padding is too long, payload and padding 2662 * must not exceed 2^14 - 3 = 16381 bytes in total. 2663 */ 2664 OPENSSL_assert(payload + padding <= 16381); 2665 2666 /* Create HeartBeat message, we just use a sequence number 2667 * as payload to distuingish different messages and add 2668 * some random stuff. 2669 * - Message Type, 1 byte 2670 * - Payload Length, 2 bytes (unsigned int) 2671 * - Payload, the sequence number (2 bytes uint) 2672 * - Payload, random bytes (16 bytes uint) 2673 * - Padding 2674 */ 2675 buf = OPENSSL_malloc(1 + 2 + payload + padding); 2676 p = buf; 2677 /* Message Type */ 2678 *p++ = TLS1_HB_REQUEST; 2679 /* Payload length (18 bytes here) */ 2680 s2n(payload, p); 2681 /* Sequence number */ 2682 s2n(s->tlsext_hb_seq, p); 2683 /* 16 random bytes */ 2684 RAND_pseudo_bytes(p, 16); 2685 p += 16; 2686 /* Random padding */ 2687 RAND_pseudo_bytes(p, padding); 2688 2689 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 2690 if (ret >= 0) 2691 { 2692 if (s->msg_callback) 2693 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2694 buf, 3 + payload + padding, 2695 s, s->msg_callback_arg); 2696 2697 s->tlsext_hb_pending = 1; 2698 } 2699 2700 OPENSSL_free(buf); 2701 2702 return ret; 2703 } 2704#endif 2705