t1_lib.c revision d9e397b599b13d642138480a28c14db7a136bf05
1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay@cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay@cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57/* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core@openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay@cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh@cryptsoft.com). */ 108 109#include <stdio.h> 110#include <stdlib.h> 111#include <assert.h> 112 113#include <openssl/bytestring.h> 114#include <openssl/evp.h> 115#include <openssl/hmac.h> 116#include <openssl/mem.h> 117#include <openssl/obj.h> 118#include <openssl/rand.h> 119 120#include "ssl_locl.h" 121 122 123static int tls_decrypt_ticket(SSL *s, const uint8_t *tick, int ticklen, 124 const uint8_t *sess_id, int sesslen, 125 SSL_SESSION **psess); 126static int ssl_check_clienthello_tlsext(SSL *s); 127static int ssl_check_serverhello_tlsext(SSL *s); 128 129const SSL3_ENC_METHOD TLSv1_enc_data = { 130 tls1_enc, 131 tls1_prf, 132 tls1_setup_key_block, 133 tls1_generate_master_secret, 134 tls1_change_cipher_state, 135 tls1_final_finish_mac, 136 TLS1_FINISH_MAC_LENGTH, 137 tls1_cert_verify_mac, 138 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 139 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 140 tls1_alert_code, 141 tls1_export_keying_material, 142 0, 143 SSL3_HM_HEADER_LENGTH, 144 ssl3_set_handshake_header, 145 ssl3_handshake_write, 146}; 147 148const SSL3_ENC_METHOD TLSv1_1_enc_data = { 149 tls1_enc, 150 tls1_prf, 151 tls1_setup_key_block, 152 tls1_generate_master_secret, 153 tls1_change_cipher_state, 154 tls1_final_finish_mac, 155 TLS1_FINISH_MAC_LENGTH, 156 tls1_cert_verify_mac, 157 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 158 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 159 tls1_alert_code, 160 tls1_export_keying_material, 161 SSL_ENC_FLAG_EXPLICIT_IV, 162 SSL3_HM_HEADER_LENGTH, 163 ssl3_set_handshake_header, 164 ssl3_handshake_write, 165}; 166 167const SSL3_ENC_METHOD TLSv1_2_enc_data = { 168 tls1_enc, 169 tls1_prf, 170 tls1_setup_key_block, 171 tls1_generate_master_secret, 172 tls1_change_cipher_state, 173 tls1_final_finish_mac, 174 TLS1_FINISH_MAC_LENGTH, 175 tls1_cert_verify_mac, 176 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 177 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 178 tls1_alert_code, 179 tls1_export_keying_material, 180 SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF 181 |SSL_ENC_FLAG_TLS1_2_CIPHERS, 182 SSL3_HM_HEADER_LENGTH, 183 ssl3_set_handshake_header, 184 ssl3_handshake_write, 185}; 186 187static int compare_uint16_t(const void *p1, const void *p2) { 188 uint16_t u1 = *((const uint16_t *)p1); 189 uint16_t u2 = *((const uint16_t *)p2); 190 if (u1 < u2) { 191 return -1; 192 } else if (u1 > u2) { 193 return 1; 194 } else { 195 return 0; 196 } 197} 198 199/* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be 200 * more than one extension of the same type in a ClientHello or ServerHello. 201 * This function does an initial scan over the extensions block to filter those 202 * out. */ 203static int tls1_check_duplicate_extensions(const CBS *cbs) { 204 CBS extensions = *cbs; 205 size_t num_extensions = 0, i = 0; 206 uint16_t *extension_types = NULL; 207 int ret = 0; 208 209 /* First pass: count the extensions. */ 210 while (CBS_len(&extensions) > 0) { 211 uint16_t type; 212 CBS extension; 213 214 if (!CBS_get_u16(&extensions, &type) || 215 !CBS_get_u16_length_prefixed(&extensions, &extension)) { 216 goto done; 217 } 218 219 num_extensions++; 220 } 221 222 if (num_extensions == 0) { 223 return 1; 224 } 225 226 extension_types = 227 (uint16_t *)OPENSSL_malloc(sizeof(uint16_t) * num_extensions); 228 if (extension_types == NULL) { 229 OPENSSL_PUT_ERROR(SSL, tls1_check_duplicate_extensions, 230 ERR_R_MALLOC_FAILURE); 231 goto done; 232 } 233 234 /* Second pass: gather the extension types. */ 235 extensions = *cbs; 236 for (i = 0; i < num_extensions; i++) { 237 CBS extension; 238 239 if (!CBS_get_u16(&extensions, &extension_types[i]) || 240 !CBS_get_u16_length_prefixed(&extensions, &extension)) { 241 /* This should not happen. */ 242 goto done; 243 } 244 } 245 assert(CBS_len(&extensions) == 0); 246 247 /* Sort the extensions and make sure there are no duplicates. */ 248 qsort(extension_types, num_extensions, sizeof(uint16_t), compare_uint16_t); 249 for (i = 1; i < num_extensions; i++) { 250 if (extension_types[i - 1] == extension_types[i]) { 251 goto done; 252 } 253 } 254 255 ret = 1; 256 257done: 258 if (extension_types) 259 OPENSSL_free(extension_types); 260 return ret; 261} 262 263char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx) { 264 CBS client_hello, session_id, cipher_suites, compression_methods, extensions; 265 266 CBS_init(&client_hello, ctx->client_hello, ctx->client_hello_len); 267 268 if (/* Skip client version. */ 269 !CBS_skip(&client_hello, 2) || 270 /* Skip client nonce. */ 271 !CBS_skip(&client_hello, 32) || 272 /* Extract session_id. */ 273 !CBS_get_u8_length_prefixed(&client_hello, &session_id)) { 274 return 0; 275 } 276 277 ctx->session_id = CBS_data(&session_id); 278 ctx->session_id_len = CBS_len(&session_id); 279 280 /* Skip past DTLS cookie */ 281 if (SSL_IS_DTLS(ctx->ssl)) { 282 CBS cookie; 283 284 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie)) { 285 return 0; 286 } 287 } 288 289 /* Extract cipher_suites. */ 290 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) || 291 CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0) { 292 return 0; 293 } 294 ctx->cipher_suites = CBS_data(&cipher_suites); 295 ctx->cipher_suites_len = CBS_len(&cipher_suites); 296 297 /* Extract compression_methods. */ 298 if (!CBS_get_u8_length_prefixed(&client_hello, &compression_methods) || 299 CBS_len(&compression_methods) < 1) { 300 return 0; 301 } 302 ctx->compression_methods = CBS_data(&compression_methods); 303 ctx->compression_methods_len = CBS_len(&compression_methods); 304 305 /* If the ClientHello ends here then it's valid, but doesn't have any 306 * extensions. (E.g. SSLv3.) */ 307 if (CBS_len(&client_hello) == 0) { 308 ctx->extensions = NULL; 309 ctx->extensions_len = 0; 310 return 1; 311 } 312 313 /* Extract extensions and check it is valid. */ 314 if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) || 315 !tls1_check_duplicate_extensions(&extensions) || 316 CBS_len(&client_hello) != 0) { 317 return 0; 318 } 319 ctx->extensions = CBS_data(&extensions); 320 ctx->extensions_len = CBS_len(&extensions); 321 322 return 1; 323} 324 325char SSL_early_callback_ctx_extension_get( 326 const struct ssl_early_callback_ctx *ctx, uint16_t extension_type, 327 const uint8_t **out_data, size_t *out_len) { 328 CBS extensions; 329 330 CBS_init(&extensions, ctx->extensions, ctx->extensions_len); 331 332 while (CBS_len(&extensions) != 0) { 333 uint16_t type; 334 CBS extension; 335 336 /* Decode the next extension. */ 337 if (!CBS_get_u16(&extensions, &type) || 338 !CBS_get_u16_length_prefixed(&extensions, &extension)) { 339 return 0; 340 } 341 342 if (type == extension_type) { 343 *out_data = CBS_data(&extension); 344 *out_len = CBS_len(&extension); 345 return 1; 346 } 347 } 348 349 return 0; 350} 351 352struct tls_curve { 353 uint16_t curve_id; 354 int nid; 355}; 356 357/* ECC curves from RFC4492. */ 358static const struct tls_curve tls_curves[] = { 359 {21, NID_secp224r1}, 360 {23, NID_X9_62_prime256v1}, 361 {24, NID_secp384r1}, 362 {25, NID_secp521r1}, 363}; 364 365static const uint8_t ecformats_default[] = { 366 TLSEXT_ECPOINTFORMAT_uncompressed, 367}; 368 369static const uint16_t eccurves_default[] = { 370 23, /* X9_64_prime256v1 */ 371 24, /* secp384r1 */ 372}; 373 374int tls1_ec_curve_id2nid(uint16_t curve_id) { 375 size_t i; 376 for (i = 0; i < sizeof(tls_curves) / sizeof(tls_curves[0]); i++) { 377 if (curve_id == tls_curves[i].curve_id) { 378 return tls_curves[i].nid; 379 } 380 } 381 return NID_undef; 382} 383 384int tls1_ec_nid2curve_id(uint16_t *out_curve_id, int nid) { 385 size_t i; 386 for (i = 0; i < sizeof(tls_curves) / sizeof(tls_curves[0]); i++) { 387 if (nid == tls_curves[i].nid) { 388 *out_curve_id = tls_curves[i].curve_id; 389 return 1; 390 } 391 } 392 return 0; 393} 394 395/* tls1_get_curvelist sets |*out_curve_ids| and |*out_curve_ids_len| to the 396 * list of allowed curve IDs. If |get_peer_curves| is non-zero, return the 397 * peer's curve list. Otherwise, return the preferred list. */ 398static void tls1_get_curvelist(SSL *s, int get_peer_curves, 399 const uint16_t **out_curve_ids, 400 size_t *out_curve_ids_len) { 401 if (get_peer_curves) { 402 *out_curve_ids = s->s3->tmp.peer_ellipticcurvelist; 403 *out_curve_ids_len = s->s3->tmp.peer_ellipticcurvelist_length; 404 return; 405 } 406 407 *out_curve_ids = s->tlsext_ellipticcurvelist; 408 *out_curve_ids_len = s->tlsext_ellipticcurvelist_length; 409 if (!*out_curve_ids) { 410 *out_curve_ids = eccurves_default; 411 *out_curve_ids_len = sizeof(eccurves_default) / sizeof(eccurves_default[0]); 412 } 413} 414 415int tls1_check_curve(SSL *s, CBS *cbs, uint16_t *out_curve_id) { 416 uint8_t curve_type; 417 uint16_t curve_id; 418 const uint16_t *curves; 419 size_t curves_len, i; 420 421 /* Only support named curves. */ 422 if (!CBS_get_u8(cbs, &curve_type) || 423 curve_type != NAMED_CURVE_TYPE || 424 !CBS_get_u16(cbs, &curve_id)) { 425 return 0; 426 } 427 428 tls1_get_curvelist(s, 0, &curves, &curves_len); 429 for (i = 0; i < curves_len; i++) { 430 if (curve_id == curves[i]) { 431 *out_curve_id = curve_id; 432 return 1; 433 } 434 } 435 436 return 0; 437} 438 439int tls1_get_shared_curve(SSL *s) { 440 const uint16_t *pref, *supp; 441 size_t preflen, supplen, i, j; 442 443 /* Can't do anything on client side */ 444 if (s->server == 0) { 445 return NID_undef; 446 } 447 448 /* Return first preference shared curve */ 449 tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &supp, 450 &supplen); 451 tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, 452 &preflen); 453 454 for (i = 0; i < preflen; i++) { 455 for (j = 0; j < supplen; j++) { 456 if (pref[i] == supp[j]) { 457 return tls1_ec_curve_id2nid(pref[i]); 458 } 459 } 460 } 461 462 return NID_undef; 463} 464 465int tls1_set_curves(uint16_t **out_curve_ids, size_t *out_curve_ids_len, 466 const int *curves, size_t ncurves) { 467 uint16_t *curve_ids; 468 size_t i; 469 470 curve_ids = (uint16_t *)OPENSSL_malloc(ncurves * sizeof(uint16_t)); 471 if (curve_ids == NULL) { 472 return 0; 473 } 474 475 for (i = 0; i < ncurves; i++) { 476 if (!tls1_ec_nid2curve_id(&curve_ids[i], curves[i])) { 477 OPENSSL_free(curve_ids); 478 return 0; 479 } 480 } 481 482 if (*out_curve_ids) { 483 OPENSSL_free(*out_curve_ids); 484 } 485 *out_curve_ids = curve_ids; 486 *out_curve_ids_len = ncurves; 487 488 return 1; 489} 490 491/* tls1_curve_params_from_ec_key sets |*out_curve_id| and |*out_comp_id| to the 492 * TLS curve ID and point format, respectively, for |ec|. It returns one on 493 * success and zero on failure. */ 494static int tls1_curve_params_from_ec_key(uint16_t *out_curve_id, 495 uint8_t *out_comp_id, EC_KEY *ec) { 496 int nid; 497 uint16_t id; 498 const EC_GROUP *grp; 499 500 if (ec == NULL) { 501 return 0; 502 } 503 504 grp = EC_KEY_get0_group(ec); 505 if (grp == NULL) { 506 return 0; 507 } 508 509 /* Determine curve ID */ 510 nid = EC_GROUP_get_curve_name(grp); 511 if (!tls1_ec_nid2curve_id(&id, nid)) { 512 return 0; 513 } 514 515 /* Set the named curve ID. Arbitrary explicit curves are not supported. */ 516 *out_curve_id = id; 517 518 if (out_comp_id) { 519 if (EC_KEY_get0_public_key(ec) == NULL) { 520 return 0; 521 } 522 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 523 *out_comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 524 } else { 525 *out_comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 526 } 527 } 528 529 return 1; 530} 531 532/* tls1_check_point_format returns one if |comp_id| is consistent with the 533 * peer's point format preferences. */ 534static int tls1_check_point_format(SSL *s, uint8_t comp_id) { 535 uint8_t *p = s->s3->tmp.peer_ecpointformatlist; 536 size_t plen = s->s3->tmp.peer_ecpointformatlist_length; 537 size_t i; 538 539 /* If point formats extension present check it, otherwise everything is 540 * supported (see RFC4492). */ 541 if (p == NULL) { 542 return 1; 543 } 544 545 for (i = 0; i < plen; i++) { 546 if (comp_id == p[i]) { 547 return 1; 548 } 549 } 550 551 return 0; 552} 553 554/* tls1_check_curve_id returns one if |curve_id| is consistent with both our 555 * and the peer's curve preferences. Note: if called as the client, only our 556 * preferences are checked; the peer (the server) does not send preferences. */ 557static int tls1_check_curve_id(SSL *s, uint16_t curve_id) { 558 const uint16_t *curves; 559 size_t curves_len, i, j; 560 561 /* Check against our list, then the peer's list. */ 562 for (j = 0; j <= 1; j++) { 563 tls1_get_curvelist(s, j, &curves, &curves_len); 564 for (i = 0; i < curves_len; i++) { 565 if (curves[i] == curve_id) { 566 break; 567 } 568 } 569 570 if (i == curves_len) { 571 return 0; 572 } 573 574 /* Servers do not present a preference list so, if we are a client, only 575 * check our list. */ 576 if (!s->server) { 577 return 1; 578 } 579 } 580 581 return 1; 582} 583 584static void tls1_get_formatlist(SSL *s, const uint8_t **pformats, 585 size_t *pformatslen) { 586 /* If we have a custom point format list use it otherwise use default */ 587 if (s->tlsext_ecpointformatlist) { 588 *pformats = s->tlsext_ecpointformatlist; 589 *pformatslen = s->tlsext_ecpointformatlist_length; 590 } else { 591 *pformats = ecformats_default; 592 *pformatslen = sizeof(ecformats_default); 593 } 594} 595 596int tls1_check_ec_cert(SSL *s, X509 *x) { 597 int ret = 0; 598 EVP_PKEY *pkey = X509_get_pubkey(x); 599 uint16_t curve_id; 600 uint8_t comp_id; 601 602 if (!pkey || 603 pkey->type != EVP_PKEY_EC || 604 !tls1_curve_params_from_ec_key(&curve_id, &comp_id, pkey->pkey.ec) || 605 !tls1_check_curve_id(s, curve_id) || 606 !tls1_check_point_format(s, comp_id)) { 607 goto done; 608 } 609 610 ret = 1; 611 612done: 613 if (pkey) { 614 EVP_PKEY_free(pkey); 615 } 616 return ret; 617} 618 619int tls1_check_ec_tmp_key(SSL *s) { 620 uint16_t curve_id; 621 EC_KEY *ec = s->cert->ecdh_tmp; 622 623 if (s->cert->ecdh_tmp_auto) { 624 /* Need a shared curve */ 625 return tls1_get_shared_curve(s) != NID_undef; 626 } 627 628 if (!ec) { 629 if (s->cert->ecdh_tmp_cb) { 630 return 1; 631 } 632 return 0; 633 } 634 635 return tls1_curve_params_from_ec_key(&curve_id, NULL, ec) && 636 tls1_check_curve_id(s, curve_id); 637} 638 639/* List of supported signature algorithms and hashes. Should make this 640 * customisable at some point, for now include everything we support. */ 641 642#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, 643 644#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, 645 646#define tlsext_sigalg(md) tlsext_sigalg_rsa(md) tlsext_sigalg_ecdsa(md) 647 648static const uint8_t tls12_sigalgs[] = { 649 tlsext_sigalg(TLSEXT_hash_sha512) 650 tlsext_sigalg(TLSEXT_hash_sha384) 651 tlsext_sigalg(TLSEXT_hash_sha256) 652 tlsext_sigalg(TLSEXT_hash_sha224) 653 tlsext_sigalg(TLSEXT_hash_sha1) 654}; 655 656size_t tls12_get_psigalgs(SSL *s, const uint8_t **psigs) { 657 /* If server use client authentication sigalgs if not NULL */ 658 if (s->server && s->cert->client_sigalgs) { 659 *psigs = s->cert->client_sigalgs; 660 return s->cert->client_sigalgslen; 661 } else if (s->cert->conf_sigalgs) { 662 *psigs = s->cert->conf_sigalgs; 663 return s->cert->conf_sigalgslen; 664 } else { 665 *psigs = tls12_sigalgs; 666 return sizeof(tls12_sigalgs); 667 } 668} 669 670/* tls12_check_peer_sigalg parses a SignatureAndHashAlgorithm out of |cbs|. It 671 * checks it is consistent with |s|'s sent supported signature algorithms and, 672 * if so, writes the relevant digest into |*out_md| and returns 1. Otherwise it 673 * returns 0 and writes an alert into |*out_alert|. */ 674int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert, SSL *s, 675 CBS *cbs, EVP_PKEY *pkey) { 676 const uint8_t *sent_sigs; 677 size_t sent_sigslen, i; 678 int sigalg = tls12_get_sigid(pkey); 679 uint8_t hash, signature; 680 681 /* Should never happen */ 682 if (sigalg == -1) { 683 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, ERR_R_INTERNAL_ERROR); 684 *out_alert = SSL_AD_INTERNAL_ERROR; 685 return 0; 686 } 687 688 if (!CBS_get_u8(cbs, &hash) || 689 !CBS_get_u8(cbs, &signature)) { 690 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_DECODE_ERROR); 691 *out_alert = SSL_AD_DECODE_ERROR; 692 return 0; 693 } 694 695 /* Check key type is consistent with signature */ 696 if (sigalg != signature) { 697 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE); 698 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 699 return 0; 700 } 701 702 if (pkey->type == EVP_PKEY_EC) { 703 uint16_t curve_id; 704 uint8_t comp_id; 705 /* Check compression and curve matches extensions */ 706 if (!tls1_curve_params_from_ec_key(&curve_id, &comp_id, pkey->pkey.ec)) { 707 *out_alert = SSL_AD_INTERNAL_ERROR; 708 return 0; 709 } 710 711 if (s->server && (!tls1_check_curve_id(s, curve_id) || 712 !tls1_check_point_format(s, comp_id))) { 713 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_CURVE); 714 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 715 return 0; 716 } 717 } 718 719 /* Check signature matches a type we sent */ 720 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs); 721 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) { 722 if (hash == sent_sigs[0] && signature == sent_sigs[1]) { 723 break; 724 } 725 } 726 727 /* Allow fallback to SHA-1. */ 728 if (i == sent_sigslen && hash != TLSEXT_hash_sha1) { 729 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_WRONG_SIGNATURE_TYPE); 730 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 731 return 0; 732 } 733 734 *out_md = tls12_get_hash(hash); 735 if (*out_md == NULL) { 736 OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_UNKNOWN_DIGEST); 737 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 738 return 0; 739 } 740 741 return 1; 742} 743 744/* Get a mask of disabled algorithms: an algorithm is disabled if it isn't 745 * supported or doesn't appear in supported signature algorithms. Unlike 746 * ssl_cipher_get_disabled this applies to a specific session and not global 747 * settings. */ 748void ssl_set_client_disabled(SSL *s) { 749 CERT *c = s->cert; 750 const uint8_t *sigalgs; 751 size_t i, sigalgslen; 752 int have_rsa = 0, have_ecdsa = 0; 753 c->mask_a = 0; 754 c->mask_k = 0; 755 756 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */ 757 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s)) { 758 c->mask_ssl = SSL_TLSV1_2; 759 } else { 760 c->mask_ssl = 0; 761 } 762 763 /* Now go through all signature algorithms seeing if we support any for RSA, 764 * DSA, ECDSA. Do this for all versions not just TLS 1.2. */ 765 sigalgslen = tls12_get_psigalgs(s, &sigalgs); 766 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) { 767 switch (sigalgs[1]) { 768 case TLSEXT_signature_rsa: 769 have_rsa = 1; 770 break; 771 772 case TLSEXT_signature_ecdsa: 773 have_ecdsa = 1; 774 break; 775 } 776 } 777 778 /* Disable auth if we don't include any appropriate signature algorithms. */ 779 if (!have_rsa) { 780 c->mask_a |= SSL_aRSA; 781 } 782 if (!have_ecdsa) { 783 c->mask_a |= SSL_aECDSA; 784 } 785 786 /* with PSK there must be client callback set */ 787 if (!s->psk_client_callback) { 788 c->mask_a |= SSL_aPSK; 789 c->mask_k |= SSL_kPSK; 790 } 791} 792 793/* header_len is the length of the ClientHello header written so far, used to 794 * compute padding. It does not include the record header. Pass 0 if no padding 795 * is to be done. */ 796uint8_t *ssl_add_clienthello_tlsext(SSL *s, uint8_t *buf, uint8_t *limit, 797 size_t header_len) { 798 int extdatalen = 0; 799 uint8_t *ret = buf; 800 uint8_t *orig = buf; 801 /* See if we support any ECC ciphersuites */ 802 int using_ecc = 0; 803 804 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) { 805 size_t i; 806 unsigned long alg_k, alg_a; 807 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 808 809 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 810 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 811 812 alg_k = c->algorithm_mkey; 813 alg_a = c->algorithm_auth; 814 if ((alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA)) { 815 using_ecc = 1; 816 break; 817 } 818 } 819 } 820 821 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 822 if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) { 823 return orig; 824 } 825 826 ret += 2; 827 828 if (ret >= limit) { 829 return NULL; /* should never occur. */ 830 } 831 832 if (s->tlsext_hostname != NULL) { 833 /* Add TLS extension servername to the Client Hello message */ 834 unsigned long size_str; 835 long lenmax; 836 837 /* check for enough space. 838 4 for the servername type and entension length 839 2 for servernamelist length 840 1 for the hostname type 841 2 for hostname length 842 + hostname length */ 843 844 lenmax = limit - ret - 9; 845 size_str = strlen(s->tlsext_hostname); 846 if (lenmax < 0 || size_str > (unsigned long)lenmax) { 847 return NULL; 848 } 849 850 /* extension type and length */ 851 s2n(TLSEXT_TYPE_server_name, ret); 852 s2n(size_str + 5, ret); 853 854 /* length of servername list */ 855 s2n(size_str + 3, ret); 856 857 /* hostname type, length and hostname */ 858 *(ret++) = (uint8_t)TLSEXT_NAMETYPE_host_name; 859 s2n(size_str, ret); 860 memcpy(ret, s->tlsext_hostname, size_str); 861 ret += size_str; 862 } 863 864 /* Add RI if renegotiating */ 865 if (s->renegotiate) { 866 int el; 867 868 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 869 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR); 870 return NULL; 871 } 872 873 if ((limit - ret - 4 - el) < 0) { 874 return NULL; 875 } 876 877 s2n(TLSEXT_TYPE_renegotiate, ret); 878 s2n(el, ret); 879 880 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 881 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR); 882 return NULL; 883 } 884 885 ret += el; 886 } 887 888 /* Add extended master secret. */ 889 if (s->version != SSL3_VERSION) { 890 if (limit - ret - 4 < 0) { 891 return NULL; 892 } 893 s2n(TLSEXT_TYPE_extended_master_secret, ret); 894 s2n(0, ret); 895 } 896 897 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 898 int ticklen = 0; 899 if (!s->new_session && s->session && s->session->tlsext_tick) { 900 ticklen = s->session->tlsext_ticklen; 901 } 902 903 /* Check for enough room 2 for extension type, 2 for len rest for 904 * ticket. */ 905 if ((long)(limit - ret - 4 - ticklen) < 0) { 906 return NULL; 907 } 908 s2n(TLSEXT_TYPE_session_ticket, ret); 909 s2n(ticklen, ret); 910 if (ticklen) { 911 memcpy(ret, s->session->tlsext_tick, ticklen); 912 ret += ticklen; 913 } 914 } 915 916 if (ssl3_version_from_wire(s, s->client_version) >= TLS1_2_VERSION) { 917 size_t salglen; 918 const uint8_t *salg; 919 salglen = tls12_get_psigalgs(s, &salg); 920 if ((size_t)(limit - ret) < salglen + 6) { 921 return NULL; 922 } 923 s2n(TLSEXT_TYPE_signature_algorithms, ret); 924 s2n(salglen + 2, ret); 925 s2n(salglen, ret); 926 memcpy(ret, salg, salglen); 927 ret += salglen; 928 } 929 930 if (s->ocsp_stapling_enabled) { 931 /* The status_request extension is excessively extensible at every layer. 932 * On the client, only support requesting OCSP responses with an empty 933 * responder_id_list and no extensions. */ 934 if (limit - ret - 4 - 1 - 2 - 2 < 0) { 935 return NULL; 936 } 937 938 s2n(TLSEXT_TYPE_status_request, ret); 939 s2n(1 + 2 + 2, ret); 940 /* status_type */ 941 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 942 /* responder_id_list - empty */ 943 s2n(0, ret); 944 /* request_extensions - empty */ 945 s2n(0, ret); 946 } 947 948 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len && 949 !SSL_IS_DTLS(s)) { 950 /* The client advertises an emtpy extension to indicate its support for 951 * Next Protocol Negotiation */ 952 if (limit - ret - 4 < 0) { 953 return NULL; 954 } 955 s2n(TLSEXT_TYPE_next_proto_neg, ret); 956 s2n(0, ret); 957 } 958 959 if (s->signed_cert_timestamps_enabled && !s->s3->tmp.finish_md_len) { 960 /* The client advertises an empty extension to indicate its support for 961 * certificate timestamps. */ 962 if (limit - ret - 4 < 0) { 963 return NULL; 964 } 965 s2n(TLSEXT_TYPE_certificate_timestamp, ret); 966 s2n(0, ret); 967 } 968 969 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) { 970 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) { 971 return NULL; 972 } 973 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 974 s2n(2 + s->alpn_client_proto_list_len, ret); 975 s2n(s->alpn_client_proto_list_len, ret); 976 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len); 977 ret += s->alpn_client_proto_list_len; 978 } 979 980 if (s->tlsext_channel_id_enabled && !SSL_IS_DTLS(s)) { 981 /* The client advertises an emtpy extension to indicate its support for 982 * Channel ID. */ 983 if (limit - ret - 4 < 0) { 984 return NULL; 985 } 986 if (s->ctx->tlsext_channel_id_enabled_new) { 987 s2n(TLSEXT_TYPE_channel_id_new, ret); 988 } else { 989 s2n(TLSEXT_TYPE_channel_id, ret); 990 } 991 s2n(0, ret); 992 } 993 994 if (SSL_get_srtp_profiles(s)) { 995 int el; 996 997 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 998 999 if ((limit - ret - 4 - el) < 0) { 1000 return NULL; 1001 } 1002 1003 s2n(TLSEXT_TYPE_use_srtp, ret); 1004 s2n(el, ret); 1005 1006 if (!ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 1007 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR); 1008 return NULL; 1009 } 1010 ret += el; 1011 } 1012 1013 if (using_ecc) { 1014 /* Add TLS extension ECPointFormats to the ClientHello message */ 1015 long lenmax; 1016 const uint8_t *formats; 1017 const uint16_t *curves; 1018 size_t formats_len, curves_len, i; 1019 1020 tls1_get_formatlist(s, &formats, &formats_len); 1021 1022 lenmax = limit - ret - 5; 1023 if (lenmax < 0) { 1024 return NULL; 1025 } 1026 if (formats_len > (size_t)lenmax) { 1027 return NULL; 1028 } 1029 if (formats_len > 255) { 1030 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR); 1031 return NULL; 1032 } 1033 1034 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1035 s2n(formats_len + 1, ret); 1036 *(ret++) = (uint8_t)formats_len; 1037 memcpy(ret, formats, formats_len); 1038 ret += formats_len; 1039 1040 /* Add TLS extension EllipticCurves to the ClientHello message */ 1041 tls1_get_curvelist(s, 0, &curves, &curves_len); 1042 1043 lenmax = limit - ret - 6; 1044 if (lenmax < 0) { 1045 return NULL; 1046 } 1047 if (curves_len * 2 > (size_t)lenmax) { 1048 return NULL; 1049 } 1050 if (curves_len * 2 > 65532) { 1051 OPENSSL_PUT_ERROR(SSL, ssl_add_clienthello_tlsext, ERR_R_INTERNAL_ERROR); 1052 return NULL; 1053 } 1054 1055 s2n(TLSEXT_TYPE_elliptic_curves, ret); 1056 s2n((curves_len * 2) + 2, ret); 1057 1058 s2n(curves_len * 2, ret); 1059 for (i = 0; i < curves_len; i++) { 1060 s2n(curves[i], ret); 1061 } 1062 } 1063 1064 if (header_len > 0) { 1065 size_t clienthello_minsize = 0; 1066 header_len += ret - orig; 1067 if (header_len > 0xff && header_len < 0x200) { 1068 /* Add padding to workaround bugs in F5 terminators. See 1069 * https://tools.ietf.org/html/draft-agl-tls-padding-03 1070 * 1071 * NB: because this code works out the length of all existing extensions 1072 * it MUST always appear last. */ 1073 clienthello_minsize = 0x200; 1074 } 1075 if (s->fastradio_padding) { 1076 /* Pad the ClientHello record to 1024 bytes to fast forward the radio 1077 * into DCH (high data rate) state in 3G networks. Note that when 1078 * fastradio_padding is enabled, even if the header_len is less than 255 1079 * bytes, the padding will be applied regardless. This is slightly 1080 * different from the TLS padding extension suggested in 1081 * https://tools.ietf.org/html/draft-agl-tls-padding-03 */ 1082 clienthello_minsize = 0x400; 1083 } 1084 if (header_len < clienthello_minsize) { 1085 size_t padding_len = clienthello_minsize - header_len; 1086 /* Extensions take at least four bytes to encode. Always include least 1087 * one byte of data if including the extension. WebSphere Application 1088 * Server 7.0 is intolerant to the last extension being zero-length. */ 1089 if (padding_len >= 4 + 1) { 1090 padding_len -= 4; 1091 } else { 1092 padding_len = 1; 1093 } 1094 1095 if (limit - ret - 4 - (long)padding_len < 0) { 1096 return NULL; 1097 } 1098 1099 s2n(TLSEXT_TYPE_padding, ret); 1100 s2n(padding_len, ret); 1101 memset(ret, 0, padding_len); 1102 ret += padding_len; 1103 } 1104 } 1105 1106 extdatalen = ret - orig - 2; 1107 if (extdatalen == 0) { 1108 return orig; 1109 } 1110 1111 s2n(extdatalen, orig); 1112 return ret; 1113} 1114 1115uint8_t *ssl_add_serverhello_tlsext(SSL *s, uint8_t *buf, uint8_t *limit) { 1116 int extdatalen = 0; 1117 uint8_t *orig = buf; 1118 uint8_t *ret = buf; 1119 int next_proto_neg_seen; 1120 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1121 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1122 int using_ecc = (alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA); 1123 using_ecc = using_ecc && (s->s3->tmp.peer_ecpointformatlist != NULL); 1124 1125 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 1126 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) { 1127 return orig; 1128 } 1129 1130 ret += 2; 1131 if (ret >= limit) { 1132 return NULL; /* should never happen. */ 1133 } 1134 1135 if (!s->hit && s->should_ack_sni && s->session->tlsext_hostname != NULL) { 1136 if ((long)(limit - ret - 4) < 0) { 1137 return NULL; 1138 } 1139 1140 s2n(TLSEXT_TYPE_server_name, ret); 1141 s2n(0, ret); 1142 } 1143 1144 if (s->s3->send_connection_binding) { 1145 int el; 1146 1147 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 1148 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR); 1149 return NULL; 1150 } 1151 1152 if ((limit - ret - 4 - el) < 0) { 1153 return NULL; 1154 } 1155 1156 s2n(TLSEXT_TYPE_renegotiate, ret); 1157 s2n(el, ret); 1158 1159 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 1160 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR); 1161 return NULL; 1162 } 1163 1164 ret += el; 1165 } 1166 1167 if (s->s3->tmp.extended_master_secret) { 1168 if ((long)(limit - ret - 4) < 0) { 1169 return NULL; 1170 } 1171 1172 s2n(TLSEXT_TYPE_extended_master_secret, ret); 1173 s2n(0, ret); 1174 } 1175 1176 if (using_ecc) { 1177 const uint8_t *plist; 1178 size_t plistlen; 1179 /* Add TLS extension ECPointFormats to the ServerHello message */ 1180 long lenmax; 1181 1182 tls1_get_formatlist(s, &plist, &plistlen); 1183 1184 lenmax = limit - ret - 5; 1185 if (lenmax < 0) { 1186 return NULL; 1187 } 1188 if (plistlen > (size_t)lenmax) { 1189 return NULL; 1190 } 1191 if (plistlen > 255) { 1192 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR); 1193 return NULL; 1194 } 1195 1196 s2n(TLSEXT_TYPE_ec_point_formats, ret); 1197 s2n(plistlen + 1, ret); 1198 *(ret++) = (uint8_t)plistlen; 1199 memcpy(ret, plist, plistlen); 1200 ret += plistlen; 1201 } 1202 /* Currently the server should not respond with a SupportedCurves extension */ 1203 1204 if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 1205 if ((long)(limit - ret - 4) < 0) { 1206 return NULL; 1207 } 1208 s2n(TLSEXT_TYPE_session_ticket, ret); 1209 s2n(0, ret); 1210 } 1211 1212 if (s->s3->tmp.certificate_status_expected) { 1213 if ((long)(limit - ret - 4) < 0) { 1214 return NULL; 1215 } 1216 s2n(TLSEXT_TYPE_status_request, ret); 1217 s2n(0, ret); 1218 } 1219 1220 if (s->srtp_profile) { 1221 int el; 1222 1223 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 1224 1225 if ((limit - ret - 4 - el) < 0) { 1226 return NULL; 1227 } 1228 1229 s2n(TLSEXT_TYPE_use_srtp, ret); 1230 s2n(el, ret); 1231 1232 if (!ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 1233 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, ERR_R_INTERNAL_ERROR); 1234 return NULL; 1235 } 1236 ret += el; 1237 } 1238 1239 next_proto_neg_seen = s->s3->next_proto_neg_seen; 1240 s->s3->next_proto_neg_seen = 0; 1241 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 1242 const uint8_t *npa; 1243 unsigned int npalen; 1244 int r; 1245 1246 r = s->ctx->next_protos_advertised_cb( 1247 s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); 1248 if (r == SSL_TLSEXT_ERR_OK) { 1249 if ((long)(limit - ret - 4 - npalen) < 0) { 1250 return NULL; 1251 } 1252 s2n(TLSEXT_TYPE_next_proto_neg, ret); 1253 s2n(npalen, ret); 1254 memcpy(ret, npa, npalen); 1255 ret += npalen; 1256 s->s3->next_proto_neg_seen = 1; 1257 } 1258 } 1259 1260 if (s->s3->alpn_selected) { 1261 const uint8_t *selected = s->s3->alpn_selected; 1262 size_t len = s->s3->alpn_selected_len; 1263 1264 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0) { 1265 return NULL; 1266 } 1267 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); 1268 s2n(3 + len, ret); 1269 s2n(1 + len, ret); 1270 *ret++ = len; 1271 memcpy(ret, selected, len); 1272 ret += len; 1273 } 1274 1275 /* If the client advertised support for Channel ID, and we have it 1276 * enabled, then we want to echo it back. */ 1277 if (s->s3->tlsext_channel_id_valid) { 1278 if (limit - ret - 4 < 0) { 1279 return NULL; 1280 } 1281 if (s->s3->tlsext_channel_id_new) { 1282 s2n(TLSEXT_TYPE_channel_id_new, ret); 1283 } else { 1284 s2n(TLSEXT_TYPE_channel_id, ret); 1285 } 1286 s2n(0, ret); 1287 } 1288 1289 extdatalen = ret - orig - 2; 1290 if (extdatalen == 0) { 1291 return orig; 1292 } 1293 1294 s2n(extdatalen, orig); 1295 return ret; 1296} 1297 1298/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a 1299 * ClientHello. 1300 * cbs: the contents of the extension, not including the type and length. 1301 * out_alert: a pointer to the alert value to send in the event of a zero 1302 * return. 1303 * 1304 * returns: 1 on success. */ 1305static int tls1_alpn_handle_client_hello(SSL *s, CBS *cbs, int *out_alert) { 1306 CBS protocol_name_list, protocol_name_list_copy; 1307 const uint8_t *selected; 1308 uint8_t selected_len; 1309 int r; 1310 1311 if (s->ctx->alpn_select_cb == NULL) { 1312 return 1; 1313 } 1314 1315 if (!CBS_get_u16_length_prefixed(cbs, &protocol_name_list) || 1316 CBS_len(cbs) != 0 || CBS_len(&protocol_name_list) < 2) { 1317 goto parse_error; 1318 } 1319 1320 /* Validate the protocol list. */ 1321 protocol_name_list_copy = protocol_name_list; 1322 while (CBS_len(&protocol_name_list_copy) > 0) { 1323 CBS protocol_name; 1324 1325 if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name)) { 1326 goto parse_error; 1327 } 1328 } 1329 1330 r = s->ctx->alpn_select_cb( 1331 s, &selected, &selected_len, CBS_data(&protocol_name_list), 1332 CBS_len(&protocol_name_list), s->ctx->alpn_select_cb_arg); 1333 if (r == SSL_TLSEXT_ERR_OK) { 1334 if (s->s3->alpn_selected) { 1335 OPENSSL_free(s->s3->alpn_selected); 1336 } 1337 s->s3->alpn_selected = BUF_memdup(selected, selected_len); 1338 if (!s->s3->alpn_selected) { 1339 *out_alert = SSL_AD_INTERNAL_ERROR; 1340 return 0; 1341 } 1342 s->s3->alpn_selected_len = selected_len; 1343 } 1344 1345 return 1; 1346 1347parse_error: 1348 *out_alert = SSL_AD_DECODE_ERROR; 1349 return 0; 1350} 1351 1352static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) { 1353 int renegotiate_seen = 0; 1354 CBS extensions; 1355 1356 s->should_ack_sni = 0; 1357 s->srtp_profile = NULL; 1358 s->s3->next_proto_neg_seen = 0; 1359 s->s3->tmp.certificate_status_expected = 0; 1360 s->s3->tmp.extended_master_secret = 0; 1361 1362 if (s->s3->alpn_selected) { 1363 OPENSSL_free(s->s3->alpn_selected); 1364 s->s3->alpn_selected = NULL; 1365 } 1366 1367 /* Clear any signature algorithms extension received */ 1368 if (s->cert->peer_sigalgs) { 1369 OPENSSL_free(s->cert->peer_sigalgs); 1370 s->cert->peer_sigalgs = NULL; 1371 } 1372 1373 /* Clear any shared signature algorithms */ 1374 if (s->cert->shared_sigalgs) { 1375 OPENSSL_free(s->cert->shared_sigalgs); 1376 s->cert->shared_sigalgs = NULL; 1377 } 1378 1379 /* Clear ECC extensions */ 1380 if (s->s3->tmp.peer_ecpointformatlist != 0) { 1381 OPENSSL_free(s->s3->tmp.peer_ecpointformatlist); 1382 s->s3->tmp.peer_ecpointformatlist = NULL; 1383 s->s3->tmp.peer_ecpointformatlist_length = 0; 1384 } 1385 1386 if (s->s3->tmp.peer_ellipticcurvelist != 0) { 1387 OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist); 1388 s->s3->tmp.peer_ellipticcurvelist = NULL; 1389 s->s3->tmp.peer_ellipticcurvelist_length = 0; 1390 } 1391 1392 /* There may be no extensions. */ 1393 if (CBS_len(cbs) == 0) { 1394 goto ri_check; 1395 } 1396 1397 /* Decode the extensions block and check it is valid. */ 1398 if (!CBS_get_u16_length_prefixed(cbs, &extensions) || 1399 !tls1_check_duplicate_extensions(&extensions)) { 1400 *out_alert = SSL_AD_DECODE_ERROR; 1401 return 0; 1402 } 1403 1404 while (CBS_len(&extensions) != 0) { 1405 uint16_t type; 1406 CBS extension; 1407 1408 /* Decode the next extension. */ 1409 if (!CBS_get_u16(&extensions, &type) || 1410 !CBS_get_u16_length_prefixed(&extensions, &extension)) { 1411 *out_alert = SSL_AD_DECODE_ERROR; 1412 return 0; 1413 } 1414 1415 if (s->tlsext_debug_cb) { 1416 s->tlsext_debug_cb(s, 0, type, (uint8_t *)CBS_data(&extension), 1417 CBS_len(&extension), s->tlsext_debug_arg); 1418 } 1419 1420 /* The servername extension is treated as follows: 1421 1422 - Only the hostname type is supported with a maximum length of 255. 1423 - The servername is rejected if too long or if it contains zeros, in 1424 which case an fatal alert is generated. 1425 - The servername field is maintained together with the session cache. 1426 - When a session is resumed, the servername call back invoked in order 1427 to allow the application to position itself to the right context. 1428 - The servername is acknowledged if it is new for a session or when 1429 it is identical to a previously used for the same session. 1430 Applications can control the behaviour. They can at any time 1431 set a 'desirable' servername for a new SSL object. This can be the 1432 case for example with HTTPS when a Host: header field is received and 1433 a renegotiation is requested. In this case, a possible servername 1434 presented in the new client hello is only acknowledged if it matches 1435 the value of the Host: field. 1436 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1437 if they provide for changing an explicit servername context for the 1438 session, 1439 i.e. when the session has been established with a servername extension. 1440 - On session reconnect, the servername extension may be absent. */ 1441 1442 if (type == TLSEXT_TYPE_server_name) { 1443 CBS server_name_list; 1444 char have_seen_host_name = 0; 1445 1446 if (!CBS_get_u16_length_prefixed(&extension, &server_name_list) || 1447 CBS_len(&server_name_list) < 1 || CBS_len(&extension) != 0) { 1448 *out_alert = SSL_AD_DECODE_ERROR; 1449 return 0; 1450 } 1451 1452 /* Decode each ServerName in the extension. */ 1453 while (CBS_len(&server_name_list) > 0) { 1454 uint8_t name_type; 1455 CBS host_name; 1456 1457 /* Decode the NameType. */ 1458 if (!CBS_get_u8(&server_name_list, &name_type)) { 1459 *out_alert = SSL_AD_DECODE_ERROR; 1460 return 0; 1461 } 1462 1463 /* Only host_name is supported. */ 1464 if (name_type != TLSEXT_NAMETYPE_host_name) { 1465 continue; 1466 } 1467 1468 if (have_seen_host_name) { 1469 /* The ServerNameList MUST NOT contain more than one name of the same 1470 * name_type. */ 1471 *out_alert = SSL_AD_DECODE_ERROR; 1472 return 0; 1473 } 1474 1475 have_seen_host_name = 1; 1476 1477 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name) || 1478 CBS_len(&host_name) < 1) { 1479 *out_alert = SSL_AD_DECODE_ERROR; 1480 return 0; 1481 } 1482 1483 if (CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || 1484 CBS_contains_zero_byte(&host_name)) { 1485 *out_alert = SSL_AD_UNRECOGNIZED_NAME; 1486 return 0; 1487 } 1488 1489 if (!s->hit) { 1490 assert(s->session->tlsext_hostname == NULL); 1491 if (s->session->tlsext_hostname) { 1492 /* This should be impossible. */ 1493 *out_alert = SSL_AD_DECODE_ERROR; 1494 return 0; 1495 } 1496 1497 /* Copy the hostname as a string. */ 1498 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 1499 *out_alert = SSL_AD_INTERNAL_ERROR; 1500 return 0; 1501 } 1502 1503 s->should_ack_sni = 1; 1504 } 1505 } 1506 } else if (type == TLSEXT_TYPE_ec_point_formats) { 1507 CBS ec_point_format_list; 1508 1509 if (!CBS_get_u8_length_prefixed(&extension, &ec_point_format_list) || 1510 CBS_len(&extension) != 0) { 1511 *out_alert = SSL_AD_DECODE_ERROR; 1512 return 0; 1513 } 1514 1515 if (!CBS_stow(&ec_point_format_list, &s->s3->tmp.peer_ecpointformatlist, 1516 &s->s3->tmp.peer_ecpointformatlist_length)) { 1517 *out_alert = SSL_AD_INTERNAL_ERROR; 1518 return 0; 1519 } 1520 } else if (type == TLSEXT_TYPE_elliptic_curves) { 1521 CBS elliptic_curve_list; 1522 size_t i, num_curves; 1523 1524 if (!CBS_get_u16_length_prefixed(&extension, &elliptic_curve_list) || 1525 CBS_len(&elliptic_curve_list) == 0 || 1526 (CBS_len(&elliptic_curve_list) & 1) != 0 || 1527 CBS_len(&extension) != 0) { 1528 *out_alert = SSL_AD_DECODE_ERROR; 1529 return 0; 1530 } 1531 1532 if (s->s3->tmp.peer_ellipticcurvelist) { 1533 OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist); 1534 s->s3->tmp.peer_ellipticcurvelist_length = 0; 1535 } 1536 1537 s->s3->tmp.peer_ellipticcurvelist = 1538 (uint16_t *)OPENSSL_malloc(CBS_len(&elliptic_curve_list)); 1539 1540 if (s->s3->tmp.peer_ellipticcurvelist == NULL) { 1541 *out_alert = SSL_AD_INTERNAL_ERROR; 1542 return 0; 1543 } 1544 1545 num_curves = CBS_len(&elliptic_curve_list) / 2; 1546 for (i = 0; i < num_curves; i++) { 1547 if (!CBS_get_u16(&elliptic_curve_list, 1548 &s->s3->tmp.peer_ellipticcurvelist[i])) { 1549 *out_alert = SSL_AD_INTERNAL_ERROR; 1550 return 0; 1551 } 1552 } 1553 1554 if (CBS_len(&elliptic_curve_list) != 0) { 1555 *out_alert = SSL_AD_INTERNAL_ERROR; 1556 return 0; 1557 } 1558 1559 s->s3->tmp.peer_ellipticcurvelist_length = num_curves; 1560 } else if (type == TLSEXT_TYPE_renegotiate) { 1561 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, out_alert)) { 1562 return 0; 1563 } 1564 renegotiate_seen = 1; 1565 } else if (type == TLSEXT_TYPE_signature_algorithms) { 1566 CBS supported_signature_algorithms; 1567 1568 if (!CBS_get_u16_length_prefixed(&extension, 1569 &supported_signature_algorithms) || 1570 CBS_len(&extension) != 0) { 1571 *out_alert = SSL_AD_DECODE_ERROR; 1572 return 0; 1573 } 1574 1575 /* Ensure the signature algorithms are non-empty. It contains a list of 1576 * SignatureAndHashAlgorithms which are two bytes each. */ 1577 if (CBS_len(&supported_signature_algorithms) == 0 || 1578 (CBS_len(&supported_signature_algorithms) % 2) != 0) { 1579 *out_alert = SSL_AD_DECODE_ERROR; 1580 return 0; 1581 } 1582 1583 if (!tls1_process_sigalgs(s, &supported_signature_algorithms)) { 1584 *out_alert = SSL_AD_DECODE_ERROR; 1585 return 0; 1586 } 1587 /* If sigalgs received and no shared algorithms fatal error. */ 1588 if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs) { 1589 OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext, 1590 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS); 1591 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 1592 return 0; 1593 } 1594 } else if (type == TLSEXT_TYPE_next_proto_neg && 1595 s->s3->tmp.finish_md_len == 0 && s->s3->alpn_selected == NULL && 1596 !SSL_IS_DTLS(s)) { 1597 /* The extension must be empty. */ 1598 if (CBS_len(&extension) != 0) { 1599 *out_alert = SSL_AD_DECODE_ERROR; 1600 return 0; 1601 } 1602 1603 /* We shouldn't accept this extension on a renegotiation. 1604 * 1605 * s->new_session will be set on renegotiation, but we probably shouldn't 1606 * rely that it couldn't be set on the initial renegotation too in 1607 * certain cases (when there's some other reason to disallow resuming an 1608 * earlier session -- the current code won't be doing anything like that, 1609 * but this might change). 1610 1611 * A valid sign that there's been a previous handshake in this connection 1612 * is if s->s3->tmp.finish_md_len > 0. (We are talking about a check 1613 * that will happen in the Hello protocol round, well before a new 1614 * Finished message could have been computed.) */ 1615 s->s3->next_proto_neg_seen = 1; 1616 } else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && 1617 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) { 1618 if (!tls1_alpn_handle_client_hello(s, &extension, out_alert)) { 1619 return 0; 1620 } 1621 /* ALPN takes precedence over NPN. */ 1622 s->s3->next_proto_neg_seen = 0; 1623 } else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled && 1624 !SSL_IS_DTLS(s)) { 1625 /* The extension must be empty. */ 1626 if (CBS_len(&extension) != 0) { 1627 *out_alert = SSL_AD_DECODE_ERROR; 1628 return 0; 1629 } 1630 1631 s->s3->tlsext_channel_id_valid = 1; 1632 } else if (type == TLSEXT_TYPE_channel_id_new && 1633 s->tlsext_channel_id_enabled && !SSL_IS_DTLS(s)) { 1634 /* The extension must be empty. */ 1635 if (CBS_len(&extension) != 0) { 1636 *out_alert = SSL_AD_DECODE_ERROR; 1637 return 0; 1638 } 1639 1640 s->s3->tlsext_channel_id_valid = 1; 1641 s->s3->tlsext_channel_id_new = 1; 1642 } else if (type == TLSEXT_TYPE_use_srtp) { 1643 if (!ssl_parse_clienthello_use_srtp_ext(s, &extension, out_alert)) { 1644 return 0; 1645 } 1646 } else if (type == TLSEXT_TYPE_extended_master_secret && 1647 s->version != SSL3_VERSION) { 1648 if (CBS_len(&extension) != 0) { 1649 *out_alert = SSL_AD_DECODE_ERROR; 1650 return 0; 1651 } 1652 1653 s->s3->tmp.extended_master_secret = 1; 1654 } 1655 } 1656 1657ri_check: 1658 /* Need RI if renegotiating */ 1659 1660 if (!renegotiate_seen && s->renegotiate && 1661 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 1662 *out_alert = SSL_AD_HANDSHAKE_FAILURE; 1663 OPENSSL_PUT_ERROR(SSL, ssl_scan_clienthello_tlsext, 1664 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1665 return 0; 1666 } 1667 1668 return 1; 1669} 1670 1671int ssl_parse_clienthello_tlsext(SSL *s, CBS *cbs) { 1672 int alert = -1; 1673 if (ssl_scan_clienthello_tlsext(s, cbs, &alert) <= 0) { 1674 ssl3_send_alert(s, SSL3_AL_FATAL, alert); 1675 return 0; 1676 } 1677 1678 if (ssl_check_clienthello_tlsext(s) <= 0) { 1679 OPENSSL_PUT_ERROR(SSL, ssl_parse_clienthello_tlsext, 1680 SSL_R_CLIENTHELLO_TLSEXT); 1681 return 0; 1682 } 1683 1684 return 1; 1685} 1686 1687/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1688 * elements of zero length are allowed and the set of elements must exactly 1689 * fill the length of the block. */ 1690static char ssl_next_proto_validate(const CBS *cbs) { 1691 CBS copy = *cbs; 1692 1693 while (CBS_len(©) != 0) { 1694 CBS proto; 1695 if (!CBS_get_u8_length_prefixed(©, &proto) || CBS_len(&proto) == 0) { 1696 return 0; 1697 } 1698 } 1699 1700 return 1; 1701} 1702 1703static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) { 1704 int tlsext_servername = 0; 1705 int renegotiate_seen = 0; 1706 CBS extensions; 1707 1708 /* TODO(davidben): Move all of these to some per-handshake state that gets 1709 * systematically reset on a new handshake; perhaps allocate it fresh each 1710 * time so it's not even kept around post-handshake. */ 1711 s->s3->next_proto_neg_seen = 0; 1712 s->tlsext_ticket_expected = 0; 1713 s->s3->tmp.certificate_status_expected = 0; 1714 s->s3->tmp.extended_master_secret = 0; 1715 s->srtp_profile = NULL; 1716 1717 if (s->s3->alpn_selected) { 1718 OPENSSL_free(s->s3->alpn_selected); 1719 s->s3->alpn_selected = NULL; 1720 } 1721 1722 /* Clear ECC extensions */ 1723 if (s->s3->tmp.peer_ecpointformatlist != 0) { 1724 OPENSSL_free(s->s3->tmp.peer_ecpointformatlist); 1725 s->s3->tmp.peer_ecpointformatlist = NULL; 1726 s->s3->tmp.peer_ecpointformatlist_length = 0; 1727 } 1728 1729 /* There may be no extensions. */ 1730 if (CBS_len(cbs) == 0) { 1731 goto ri_check; 1732 } 1733 1734 /* Decode the extensions block and check it is valid. */ 1735 if (!CBS_get_u16_length_prefixed(cbs, &extensions) || 1736 !tls1_check_duplicate_extensions(&extensions)) { 1737 *out_alert = SSL_AD_DECODE_ERROR; 1738 return 0; 1739 } 1740 1741 while (CBS_len(&extensions) != 0) { 1742 uint16_t type; 1743 CBS extension; 1744 1745 /* Decode the next extension. */ 1746 if (!CBS_get_u16(&extensions, &type) || 1747 !CBS_get_u16_length_prefixed(&extensions, &extension)) { 1748 *out_alert = SSL_AD_DECODE_ERROR; 1749 return 0; 1750 } 1751 1752 if (s->tlsext_debug_cb) { 1753 s->tlsext_debug_cb(s, 1, type, (uint8_t *)CBS_data(&extension), 1754 CBS_len(&extension), s->tlsext_debug_arg); 1755 } 1756 1757 if (type == TLSEXT_TYPE_server_name) { 1758 /* The extension must be empty. */ 1759 if (CBS_len(&extension) != 0) { 1760 *out_alert = SSL_AD_DECODE_ERROR; 1761 return 0; 1762 } 1763 1764 /* We must have sent it in ClientHello. */ 1765 if (s->tlsext_hostname == NULL) { 1766 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 1767 return 0; 1768 } 1769 1770 tlsext_servername = 1; 1771 } else if (type == TLSEXT_TYPE_ec_point_formats) { 1772 CBS ec_point_format_list; 1773 1774 if (!CBS_get_u8_length_prefixed(&extension, &ec_point_format_list) || 1775 CBS_len(&extension) != 0) { 1776 *out_alert = SSL_AD_DECODE_ERROR; 1777 return 0; 1778 } 1779 1780 if (!CBS_stow(&ec_point_format_list, &s->s3->tmp.peer_ecpointformatlist, 1781 &s->s3->tmp.peer_ecpointformatlist_length)) { 1782 *out_alert = SSL_AD_INTERNAL_ERROR; 1783 return 0; 1784 } 1785 } else if (type == TLSEXT_TYPE_session_ticket) { 1786 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || CBS_len(&extension) > 0) { 1787 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 1788 return 0; 1789 } 1790 1791 s->tlsext_ticket_expected = 1; 1792 } else if (type == TLSEXT_TYPE_status_request) { 1793 /* The extension MUST be empty and may only sent if we've requested a 1794 * status request message. */ 1795 if (CBS_len(&extension) != 0) { 1796 *out_alert = SSL_AD_DECODE_ERROR; 1797 return 0; 1798 } 1799 1800 if (!s->ocsp_stapling_enabled) { 1801 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 1802 return 0; 1803 } 1804 1805 /* Set a flag to expect a CertificateStatus message */ 1806 s->s3->tmp.certificate_status_expected = 1; 1807 } else if (type == TLSEXT_TYPE_next_proto_neg && 1808 s->s3->tmp.finish_md_len == 0 && 1809 !SSL_IS_DTLS(s)) { 1810 uint8_t *selected; 1811 uint8_t selected_len; 1812 1813 /* We must have requested it. */ 1814 if (s->ctx->next_proto_select_cb == NULL) { 1815 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 1816 return 0; 1817 } 1818 1819 /* The data must be valid. */ 1820 if (!ssl_next_proto_validate(&extension)) { 1821 *out_alert = SSL_AD_DECODE_ERROR; 1822 return 0; 1823 } 1824 1825 if (s->ctx->next_proto_select_cb( 1826 s, &selected, &selected_len, CBS_data(&extension), 1827 CBS_len(&extension), 1828 s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { 1829 *out_alert = SSL_AD_INTERNAL_ERROR; 1830 return 0; 1831 } 1832 1833 s->next_proto_negotiated = BUF_memdup(selected, selected_len); 1834 if (s->next_proto_negotiated == NULL) { 1835 *out_alert = SSL_AD_INTERNAL_ERROR; 1836 return 0; 1837 } 1838 1839 s->next_proto_negotiated_len = selected_len; 1840 s->s3->next_proto_neg_seen = 1; 1841 } else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) { 1842 CBS protocol_name_list, protocol_name; 1843 1844 /* We must have requested it. */ 1845 if (s->alpn_client_proto_list == NULL) { 1846 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 1847 return 0; 1848 } 1849 1850 /* The extension data consists of a ProtocolNameList which must have 1851 * exactly one ProtocolName. Each of these is length-prefixed. */ 1852 if (!CBS_get_u16_length_prefixed(&extension, &protocol_name_list) || 1853 CBS_len(&extension) != 0 || 1854 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) || 1855 CBS_len(&protocol_name_list) != 0) { 1856 *out_alert = SSL_AD_DECODE_ERROR; 1857 return 0; 1858 } 1859 1860 if (!CBS_stow(&protocol_name, &s->s3->alpn_selected, 1861 &s->s3->alpn_selected_len)) { 1862 *out_alert = SSL_AD_INTERNAL_ERROR; 1863 return 0; 1864 } 1865 } else if (type == TLSEXT_TYPE_channel_id && !SSL_IS_DTLS(s)) { 1866 if (CBS_len(&extension) != 0) { 1867 *out_alert = SSL_AD_DECODE_ERROR; 1868 return 0; 1869 } 1870 1871 s->s3->tlsext_channel_id_valid = 1; 1872 } else if (type == TLSEXT_TYPE_channel_id_new && !SSL_IS_DTLS(s)) { 1873 if (CBS_len(&extension) != 0) { 1874 *out_alert = SSL_AD_DECODE_ERROR; 1875 return 0; 1876 } 1877 1878 s->s3->tlsext_channel_id_valid = 1; 1879 s->s3->tlsext_channel_id_new = 1; 1880 } else if (type == TLSEXT_TYPE_certificate_timestamp) { 1881 if (CBS_len(&extension) == 0) { 1882 *out_alert = SSL_AD_DECODE_ERROR; 1883 return 0; 1884 } 1885 1886 /* Session resumption uses the original session information. */ 1887 if (!s->hit && 1888 !CBS_stow(&extension, &s->session->tlsext_signed_cert_timestamp_list, 1889 &s->session->tlsext_signed_cert_timestamp_list_length)) { 1890 *out_alert = SSL_AD_INTERNAL_ERROR; 1891 return 0; 1892 } 1893 } else if (type == TLSEXT_TYPE_renegotiate) { 1894 if (!ssl_parse_serverhello_renegotiate_ext(s, &extension, out_alert)) { 1895 return 0; 1896 } 1897 1898 renegotiate_seen = 1; 1899 } else if (type == TLSEXT_TYPE_use_srtp) { 1900 if (!ssl_parse_serverhello_use_srtp_ext(s, &extension, out_alert)) { 1901 return 0; 1902 } 1903 } else if (type == TLSEXT_TYPE_extended_master_secret) { 1904 if (/* It is invalid for the server to select EMS and 1905 SSLv3. */ 1906 s->version == SSL3_VERSION || CBS_len(&extension) != 0) { 1907 *out_alert = SSL_AD_DECODE_ERROR; 1908 return 0; 1909 } 1910 1911 s->s3->tmp.extended_master_secret = 1; 1912 } 1913 } 1914 1915 if (!s->hit && tlsext_servername == 1 && s->tlsext_hostname) { 1916 if (s->session->tlsext_hostname == NULL) { 1917 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 1918 if (!s->session->tlsext_hostname) { 1919 *out_alert = SSL_AD_UNRECOGNIZED_NAME; 1920 return 0; 1921 } 1922 } else { 1923 *out_alert = SSL_AD_DECODE_ERROR; 1924 return 0; 1925 } 1926 } 1927 1928ri_check: 1929 /* Determine if we need to see RI. Strictly speaking if we want to avoid an 1930 * attack we should *always* see RI even on initial server hello because the 1931 * client doesn't see any renegotiation during an attack. However this would 1932 * mean we could not connect to any server which doesn't support RI so for 1933 * the immediate future tolerate RI absence on initial connect only. */ 1934 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) && 1935 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 1936 *out_alert = SSL_AD_HANDSHAKE_FAILURE; 1937 OPENSSL_PUT_ERROR(SSL, ssl_scan_serverhello_tlsext, 1938 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1939 return 0; 1940 } 1941 1942 return 1; 1943} 1944 1945int ssl_prepare_clienthello_tlsext(SSL *s) { return 1; } 1946 1947int ssl_prepare_serverhello_tlsext(SSL *s) { return 1; } 1948 1949static int ssl_check_clienthello_tlsext(SSL *s) { 1950 int ret = SSL_TLSEXT_ERR_NOACK; 1951 int al = SSL_AD_UNRECOGNIZED_NAME; 1952 1953 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1954 * ssl3_choose_cipher in s3_lib.c. */ 1955 1956 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) { 1957 ret = s->ctx->tlsext_servername_callback(s, &al, 1958 s->ctx->tlsext_servername_arg); 1959 } else if (s->initial_ctx != NULL && 1960 s->initial_ctx->tlsext_servername_callback != 0) { 1961 ret = s->initial_ctx->tlsext_servername_callback( 1962 s, &al, s->initial_ctx->tlsext_servername_arg); 1963 } 1964 1965 switch (ret) { 1966 case SSL_TLSEXT_ERR_ALERT_FATAL: 1967 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1968 return -1; 1969 1970 case SSL_TLSEXT_ERR_ALERT_WARNING: 1971 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1972 return 1; 1973 1974 case SSL_TLSEXT_ERR_NOACK: 1975 s->should_ack_sni = 0; 1976 return 1; 1977 1978 default: 1979 return 1; 1980 } 1981} 1982 1983static int ssl_check_serverhello_tlsext(SSL *s) { 1984 int ret = SSL_TLSEXT_ERR_NOACK; 1985 int al = SSL_AD_UNRECOGNIZED_NAME; 1986 1987 /* If we are client and using an elliptic curve cryptography cipher suite, 1988 * then if server returns an EC point formats lists extension it must contain 1989 * uncompressed. */ 1990 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1991 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1992 if (((alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA)) && 1993 !tls1_check_point_format(s, TLSEXT_ECPOINTFORMAT_uncompressed)) { 1994 OPENSSL_PUT_ERROR(SSL, ssl_check_serverhello_tlsext, 1995 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1996 return -1; 1997 } 1998 ret = SSL_TLSEXT_ERR_OK; 1999 2000 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) { 2001 ret = s->ctx->tlsext_servername_callback(s, &al, 2002 s->ctx->tlsext_servername_arg); 2003 } else if (s->initial_ctx != NULL && 2004 s->initial_ctx->tlsext_servername_callback != 0) { 2005 ret = s->initial_ctx->tlsext_servername_callback( 2006 s, &al, s->initial_ctx->tlsext_servername_arg); 2007 } 2008 2009 switch (ret) { 2010 case SSL_TLSEXT_ERR_ALERT_FATAL: 2011 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2012 return -1; 2013 2014 case SSL_TLSEXT_ERR_ALERT_WARNING: 2015 ssl3_send_alert(s, SSL3_AL_WARNING, al); 2016 return 1; 2017 2018 default: 2019 return 1; 2020 } 2021} 2022 2023int ssl_parse_serverhello_tlsext(SSL *s, CBS *cbs) { 2024 int alert = -1; 2025 if (s->version < SSL3_VERSION) { 2026 return 1; 2027 } 2028 2029 if (ssl_scan_serverhello_tlsext(s, cbs, &alert) <= 0) { 2030 ssl3_send_alert(s, SSL3_AL_FATAL, alert); 2031 return 0; 2032 } 2033 2034 if (ssl_check_serverhello_tlsext(s) <= 0) { 2035 OPENSSL_PUT_ERROR(SSL, ssl_parse_serverhello_tlsext, 2036 SSL_R_SERVERHELLO_TLSEXT); 2037 return 0; 2038 } 2039 2040 return 1; 2041} 2042 2043/* Since the server cache lookup is done early on in the processing of the 2044 * ClientHello, and other operations depend on the result, we need to handle 2045 * any TLS session ticket extension at the same time. 2046 * 2047 * ctx: contains the early callback context, which is the result of a 2048 * shallow parse of the ClientHello. 2049 * ret: (output) on return, if a ticket was decrypted, then this is set to 2050 * point to the resulting session. 2051 * 2052 * Returns: 2053 * -1: fatal error, either from parsing or decrypting the ticket. 2054 * 0: no ticket was found (or was ignored, based on settings). 2055 * 1: a zero length extension was found, indicating that the client supports 2056 * session tickets but doesn't currently have one to offer. 2057 * 2: a ticket was offered but couldn't be decrypted because of a non-fatal 2058 * error. 2059 * 3: a ticket was successfully decrypted and *ret was set. 2060 * 2061 * Side effects: 2062 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2063 * a new session ticket to the client because the client indicated support 2064 * but the client either doesn't have a session ticket or we couldn't use 2065 * the one it gave us, or if s->ctx->tlsext_ticket_key_cb asked to renew 2066 * the client's ticket. Otherwise, s->tlsext_ticket_expected is set to 0. 2067 */ 2068int tls1_process_ticket(SSL *s, const struct ssl_early_callback_ctx *ctx, 2069 SSL_SESSION **ret) { 2070 *ret = NULL; 2071 s->tlsext_ticket_expected = 0; 2072 const uint8_t *data; 2073 size_t len; 2074 int r; 2075 2076 /* If tickets disabled behave as if no ticket present to permit stateful 2077 * resumption. */ 2078 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || 2079 (s->version <= SSL3_VERSION && !ctx->extensions) || 2080 !SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_session_ticket, 2081 &data, &len)) { 2082 return 0; 2083 } 2084 2085 if (len == 0) { 2086 /* The client will accept a ticket but doesn't currently have one. */ 2087 s->tlsext_ticket_expected = 1; 2088 return 1; 2089 } 2090 2091 r = tls_decrypt_ticket(s, data, len, ctx->session_id, ctx->session_id_len, 2092 ret); 2093 switch (r) { 2094 case 2: /* ticket couldn't be decrypted */ 2095 s->tlsext_ticket_expected = 1; 2096 return 2; 2097 2098 case 3: /* ticket was decrypted */ 2099 return r; 2100 2101 case 4: /* ticket decrypted but need to renew */ 2102 s->tlsext_ticket_expected = 1; 2103 return 3; 2104 2105 default: /* fatal error */ 2106 return -1; 2107 } 2108} 2109 2110/* tls_decrypt_ticket attempts to decrypt a session ticket. 2111 * 2112 * etick: points to the body of the session ticket extension. 2113 * eticklen: the length of the session tickets extenion. 2114 * sess_id: points at the session ID. 2115 * sesslen: the length of the session ID. 2116 * psess: (output) on return, if a ticket was decrypted, then this is set to 2117 * point to the resulting session. 2118 * 2119 * Returns: 2120 * -1: fatal error, either from parsing or decrypting the ticket. 2121 * 2: the ticket couldn't be decrypted. 2122 * 3: a ticket was successfully decrypted and *psess was set. 2123 * 4: same as 3, but the ticket needs to be renewed. */ 2124static int tls_decrypt_ticket(SSL *s, const uint8_t *etick, int eticklen, 2125 const uint8_t *sess_id, int sesslen, 2126 SSL_SESSION **psess) { 2127 SSL_SESSION *sess; 2128 uint8_t *sdec; 2129 const uint8_t *p; 2130 int slen, mlen, renew_ticket = 0; 2131 uint8_t tick_hmac[EVP_MAX_MD_SIZE]; 2132 HMAC_CTX hctx; 2133 EVP_CIPHER_CTX ctx; 2134 SSL_CTX *tctx = s->initial_ctx; 2135 2136 /* Need at least keyname + iv + some encrypted data */ 2137 if (eticklen < 48) { 2138 return 2; 2139 } 2140 2141 /* Initialize session ticket encryption and HMAC contexts */ 2142 HMAC_CTX_init(&hctx); 2143 EVP_CIPHER_CTX_init(&ctx); 2144 if (tctx->tlsext_ticket_key_cb) { 2145 uint8_t *nctick = (uint8_t *)etick; 2146 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, &ctx, &hctx, 0); 2147 if (rv < 0) { 2148 return -1; 2149 } 2150 if (rv == 0) { 2151 return 2; 2152 } 2153 if (rv == 2) { 2154 renew_ticket = 1; 2155 } 2156 } else { 2157 /* Check key name matches */ 2158 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) { 2159 return 2; 2160 } 2161 if (!HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, tlsext_tick_md(), 2162 NULL) || 2163 !EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2164 tctx->tlsext_tick_aes_key, etick + 16)) { 2165 HMAC_CTX_cleanup(&hctx); 2166 EVP_CIPHER_CTX_cleanup(&ctx); 2167 return -1; 2168 } 2169 } 2170 2171 /* Attempt to process session ticket, first conduct sanity and integrity 2172 * checks on ticket. */ 2173 mlen = HMAC_size(&hctx); 2174 if (mlen < 0) { 2175 HMAC_CTX_cleanup(&hctx); 2176 EVP_CIPHER_CTX_cleanup(&ctx); 2177 return -1; 2178 } 2179 eticklen -= mlen; 2180 /* Check HMAC of encrypted ticket */ 2181 HMAC_Update(&hctx, etick, eticklen); 2182 HMAC_Final(&hctx, tick_hmac, NULL); 2183 HMAC_CTX_cleanup(&hctx); 2184 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 2185 EVP_CIPHER_CTX_cleanup(&ctx); 2186 return 2; 2187 } 2188 2189 /* Attempt to decrypt session data */ 2190 /* Move p after IV to start of encrypted ticket, update length */ 2191 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2192 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2193 sdec = OPENSSL_malloc(eticklen); 2194 if (!sdec) { 2195 EVP_CIPHER_CTX_cleanup(&ctx); 2196 return -1; 2197 } 2198 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2199 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) { 2200 EVP_CIPHER_CTX_cleanup(&ctx); 2201 OPENSSL_free(sdec); 2202 return 2; 2203 } 2204 slen += mlen; 2205 EVP_CIPHER_CTX_cleanup(&ctx); 2206 p = sdec; 2207 2208 sess = d2i_SSL_SESSION(NULL, &p, slen); 2209 OPENSSL_free(sdec); 2210 if (sess) { 2211 /* The session ID, if non-empty, is used by some clients to detect that the 2212 * ticket has been accepted. So we copy it to the session structure. If it 2213 * is empty set length to zero as required by standard. */ 2214 if (sesslen) { 2215 memcpy(sess->session_id, sess_id, sesslen); 2216 } 2217 sess->session_id_length = sesslen; 2218 *psess = sess; 2219 if (renew_ticket) { 2220 return 4; 2221 } 2222 return 3; 2223 } 2224 2225 ERR_clear_error(); 2226 /* For session parse failure, indicate that we need to send a new ticket. */ 2227 return 2; 2228} 2229 2230/* Tables to translate from NIDs to TLS v1.2 ids */ 2231typedef struct { 2232 int nid; 2233 int id; 2234} tls12_lookup; 2235 2236static const tls12_lookup tls12_md[] = {{NID_md5, TLSEXT_hash_md5}, 2237 {NID_sha1, TLSEXT_hash_sha1}, 2238 {NID_sha224, TLSEXT_hash_sha224}, 2239 {NID_sha256, TLSEXT_hash_sha256}, 2240 {NID_sha384, TLSEXT_hash_sha384}, 2241 {NID_sha512, TLSEXT_hash_sha512}}; 2242 2243static const tls12_lookup tls12_sig[] = {{EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2244 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}}; 2245 2246static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen) { 2247 size_t i; 2248 for (i = 0; i < tlen; i++) { 2249 if (table[i].nid == nid) { 2250 return table[i].id; 2251 } 2252 } 2253 2254 return -1; 2255} 2256 2257static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen) { 2258 size_t i; 2259 for (i = 0; i < tlen; i++) { 2260 if (table[i].id == id) { 2261 return table[i].nid; 2262 } 2263 } 2264 2265 return NID_undef; 2266} 2267 2268int tls12_get_sigandhash(uint8_t *p, const EVP_PKEY *pk, const EVP_MD *md) { 2269 int sig_id, md_id; 2270 2271 if (!md) { 2272 return 0; 2273 } 2274 2275 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2276 sizeof(tls12_md) / sizeof(tls12_lookup)); 2277 if (md_id == -1) { 2278 return 0; 2279 } 2280 2281 sig_id = tls12_get_sigid(pk); 2282 if (sig_id == -1) { 2283 return 0; 2284 } 2285 2286 p[0] = (uint8_t)md_id; 2287 p[1] = (uint8_t)sig_id; 2288 return 1; 2289} 2290 2291int tls12_get_sigid(const EVP_PKEY *pk) { 2292 return tls12_find_id(pk->type, tls12_sig, 2293 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2294} 2295 2296const EVP_MD *tls12_get_hash(uint8_t hash_alg) { 2297 switch (hash_alg) { 2298 case TLSEXT_hash_md5: 2299 return EVP_md5(); 2300 2301 case TLSEXT_hash_sha1: 2302 return EVP_sha1(); 2303 2304 case TLSEXT_hash_sha224: 2305 return EVP_sha224(); 2306 2307 case TLSEXT_hash_sha256: 2308 return EVP_sha256(); 2309 2310 case TLSEXT_hash_sha384: 2311 return EVP_sha384(); 2312 2313 case TLSEXT_hash_sha512: 2314 return EVP_sha512(); 2315 2316 default: 2317 return NULL; 2318 } 2319} 2320 2321/* tls12_get_pkey_type returns the EVP_PKEY type corresponding to TLS signature 2322 * algorithm |sig_alg|. It returns -1 if the type is unknown. */ 2323static int tls12_get_pkey_type(uint8_t sig_alg) { 2324 switch (sig_alg) { 2325 case TLSEXT_signature_rsa: 2326 return EVP_PKEY_RSA; 2327 2328 case TLSEXT_signature_ecdsa: 2329 return EVP_PKEY_EC; 2330 2331 default: 2332 return -1; 2333 } 2334} 2335 2336/* Convert TLS 1.2 signature algorithm extension values into NIDs */ 2337static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, 2338 int *psignhash_nid, const uint8_t *data) { 2339 int sign_nid = 0, hash_nid = 0; 2340 if (!phash_nid && !psign_nid && !psignhash_nid) { 2341 return; 2342 } 2343 2344 if (phash_nid || psignhash_nid) { 2345 hash_nid = tls12_find_nid(data[0], tls12_md, 2346 sizeof(tls12_md) / sizeof(tls12_lookup)); 2347 if (phash_nid) { 2348 *phash_nid = hash_nid; 2349 } 2350 } 2351 2352 if (psign_nid || psignhash_nid) { 2353 sign_nid = tls12_find_nid(data[1], tls12_sig, 2354 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2355 if (psign_nid) { 2356 *psign_nid = sign_nid; 2357 } 2358 } 2359 2360 if (psignhash_nid) { 2361 if (sign_nid && hash_nid) { 2362 OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid); 2363 } else { 2364 *psignhash_nid = NID_undef; 2365 } 2366 } 2367} 2368 2369/* Given preference and allowed sigalgs set shared sigalgs */ 2370static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig, const uint8_t *pref, 2371 size_t preflen, const uint8_t *allow, 2372 size_t allowlen) { 2373 const uint8_t *ptmp, *atmp; 2374 size_t i, j, nmatch = 0; 2375 2376 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) { 2377 /* Skip disabled hashes or signature algorithms */ 2378 if (tls12_get_hash(ptmp[0]) == NULL || 2379 tls12_get_pkey_type(ptmp[1]) == -1) { 2380 continue; 2381 } 2382 2383 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) { 2384 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) { 2385 nmatch++; 2386 if (shsig) { 2387 shsig->rhash = ptmp[0]; 2388 shsig->rsign = ptmp[1]; 2389 tls1_lookup_sigalg(&shsig->hash_nid, &shsig->sign_nid, 2390 &shsig->signandhash_nid, ptmp); 2391 shsig++; 2392 } 2393 2394 break; 2395 } 2396 } 2397 } 2398 2399 return nmatch; 2400} 2401 2402/* Set shared signature algorithms for SSL structures */ 2403static int tls1_set_shared_sigalgs(SSL *s) { 2404 const uint8_t *pref, *allow, *conf; 2405 size_t preflen, allowlen, conflen; 2406 size_t nmatch; 2407 TLS_SIGALGS *salgs = NULL; 2408 CERT *c = s->cert; 2409 2410 if (c->shared_sigalgs) { 2411 OPENSSL_free(c->shared_sigalgs); 2412 c->shared_sigalgs = NULL; 2413 } 2414 2415 /* If client use client signature algorithms if not NULL */ 2416 if (!s->server && c->client_sigalgs) { 2417 conf = c->client_sigalgs; 2418 conflen = c->client_sigalgslen; 2419 } else if (c->conf_sigalgs) { 2420 conf = c->conf_sigalgs; 2421 conflen = c->conf_sigalgslen; 2422 } else { 2423 conflen = tls12_get_psigalgs(s, &conf); 2424 } 2425 2426 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 2427 pref = conf; 2428 preflen = conflen; 2429 allow = c->peer_sigalgs; 2430 allowlen = c->peer_sigalgslen; 2431 } else { 2432 allow = conf; 2433 allowlen = conflen; 2434 pref = c->peer_sigalgs; 2435 preflen = c->peer_sigalgslen; 2436 } 2437 2438 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen); 2439 if (!nmatch) { 2440 return 1; 2441 } 2442 2443 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS)); 2444 if (!salgs) { 2445 return 0; 2446 } 2447 2448 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen); 2449 c->shared_sigalgs = salgs; 2450 c->shared_sigalgslen = nmatch; 2451 return 1; 2452} 2453 2454/* Set preferred digest for each key type */ 2455int tls1_process_sigalgs(SSL *s, const CBS *sigalgs) { 2456 CERT *c = s->cert; 2457 2458 /* Extension ignored for inappropriate versions */ 2459 if (!SSL_USE_SIGALGS(s)) { 2460 return 1; 2461 } 2462 2463 /* Length must be even */ 2464 if (CBS_len(sigalgs) % 2 != 0) { 2465 return 0; 2466 } 2467 2468 /* Should never happen */ 2469 if (!c) { 2470 return 0; 2471 } 2472 2473 if (!CBS_stow(sigalgs, &c->peer_sigalgs, &c->peer_sigalgslen)) { 2474 return 0; 2475 } 2476 2477 tls1_set_shared_sigalgs(s); 2478 return 1; 2479} 2480 2481const EVP_MD *tls1_choose_signing_digest(SSL *s, EVP_PKEY *pkey) { 2482 CERT *c = s->cert; 2483 int type = EVP_PKEY_id(pkey); 2484 size_t i; 2485 2486 /* Select the first shared digest supported by our key. */ 2487 for (i = 0; i < c->shared_sigalgslen; i++) { 2488 const EVP_MD *md = tls12_get_hash(c->shared_sigalgs[i].rhash); 2489 if (md == NULL || 2490 tls12_get_pkey_type(c->shared_sigalgs[i].rsign) != type || 2491 !EVP_PKEY_supports_digest(pkey, md)) { 2492 continue; 2493 } 2494 return md; 2495 } 2496 2497 /* If no suitable digest may be found, default to SHA-1. */ 2498 return EVP_sha1(); 2499} 2500 2501int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash, int *psignhash, 2502 uint8_t *rsig, uint8_t *rhash) { 2503 const uint8_t *psig = s->cert->peer_sigalgs; 2504 2505 if (psig == NULL) { 2506 return 0; 2507 } 2508 2509 if (idx >= 0) { 2510 idx <<= 1; 2511 if (idx >= (int)s->cert->peer_sigalgslen) { 2512 return 0; 2513 } 2514 psig += idx; 2515 if (rhash) { 2516 *rhash = psig[0]; 2517 } 2518 if (rsig) { 2519 *rsig = psig[1]; 2520 } 2521 tls1_lookup_sigalg(phash, psign, psignhash, psig); 2522 } 2523 2524 return s->cert->peer_sigalgslen / 2; 2525} 2526 2527int SSL_get_shared_sigalgs(SSL *s, int idx, int *psign, int *phash, 2528 int *psignhash, uint8_t *rsig, uint8_t *rhash) { 2529 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs; 2530 2531 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen) { 2532 return 0; 2533 } 2534 2535 shsigalgs += idx; 2536 if (phash) { 2537 *phash = shsigalgs->hash_nid; 2538 } 2539 if (psign) { 2540 *psign = shsigalgs->sign_nid; 2541 } 2542 if (psignhash) { 2543 *psignhash = shsigalgs->signandhash_nid; 2544 } 2545 if (rsig) { 2546 *rsig = shsigalgs->rsign; 2547 } 2548 if (rhash) { 2549 *rhash = shsigalgs->rhash; 2550 } 2551 2552 return s->cert->shared_sigalgslen; 2553} 2554 2555/* tls1_channel_id_hash calculates the signed data for a Channel ID on the 2556 * given SSL connection and writes it to |md|. */ 2557int tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s) { 2558 EVP_MD_CTX ctx; 2559 uint8_t temp_digest[EVP_MAX_MD_SIZE]; 2560 unsigned temp_digest_len; 2561 int i; 2562 static const char kClientIDMagic[] = "TLS Channel ID signature"; 2563 2564 if (s->s3->handshake_buffer && 2565 !ssl3_digest_cached_records(s, free_handshake_buffer)) { 2566 return 0; 2567 } 2568 2569 EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic)); 2570 2571 if (s->hit && s->s3->tlsext_channel_id_new) { 2572 static const char kResumptionMagic[] = "Resumption"; 2573 EVP_DigestUpdate(md, kResumptionMagic, sizeof(kResumptionMagic)); 2574 if (s->session->original_handshake_hash_len == 0) { 2575 return 0; 2576 } 2577 EVP_DigestUpdate(md, s->session->original_handshake_hash, 2578 s->session->original_handshake_hash_len); 2579 } 2580 2581 EVP_MD_CTX_init(&ctx); 2582 for (i = 0; i < SSL_MAX_DIGEST; i++) { 2583 if (s->s3->handshake_dgst[i] == NULL) { 2584 continue; 2585 } 2586 EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]); 2587 EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len); 2588 EVP_DigestUpdate(md, temp_digest, temp_digest_len); 2589 } 2590 EVP_MD_CTX_cleanup(&ctx); 2591 2592 return 1; 2593} 2594 2595/* tls1_record_handshake_hashes_for_channel_id records the current handshake 2596 * hashes in |s->session| so that Channel ID resumptions can sign that data. */ 2597int tls1_record_handshake_hashes_for_channel_id(SSL *s) { 2598 int digest_len; 2599 /* This function should never be called for a resumed session because the 2600 * handshake hashes that we wish to record are for the original, full 2601 * handshake. */ 2602 if (s->hit) { 2603 return -1; 2604 } 2605 2606 /* It only makes sense to call this function if Channel IDs have been 2607 * negotiated. */ 2608 if (!s->s3->tlsext_channel_id_new) { 2609 return -1; 2610 } 2611 2612 digest_len = 2613 tls1_handshake_digest(s, s->session->original_handshake_hash, 2614 sizeof(s->session->original_handshake_hash)); 2615 if (digest_len < 0) { 2616 return -1; 2617 } 2618 2619 s->session->original_handshake_hash_len = digest_len; 2620 2621 return 1; 2622} 2623 2624int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, 2625 int client) { 2626 uint8_t *sigalgs, *sptr; 2627 int rhash, rsign; 2628 size_t i; 2629 2630 if (salglen & 1) { 2631 return 0; 2632 } 2633 2634 sigalgs = OPENSSL_malloc(salglen); 2635 if (sigalgs == NULL) { 2636 return 0; 2637 } 2638 2639 for (i = 0, sptr = sigalgs; i < salglen; i += 2) { 2640 rhash = tls12_find_id(*psig_nids++, tls12_md, 2641 sizeof(tls12_md) / sizeof(tls12_lookup)); 2642 rsign = tls12_find_id(*psig_nids++, tls12_sig, 2643 sizeof(tls12_sig) / sizeof(tls12_lookup)); 2644 2645 if (rhash == -1 || rsign == -1) { 2646 goto err; 2647 } 2648 *sptr++ = rhash; 2649 *sptr++ = rsign; 2650 } 2651 2652 if (client) { 2653 if (c->client_sigalgs) { 2654 OPENSSL_free(c->client_sigalgs); 2655 } 2656 c->client_sigalgs = sigalgs; 2657 c->client_sigalgslen = salglen; 2658 } else { 2659 if (c->conf_sigalgs) { 2660 OPENSSL_free(c->conf_sigalgs); 2661 } 2662 c->conf_sigalgs = sigalgs; 2663 c->conf_sigalgslen = salglen; 2664 } 2665 2666 return 1; 2667 2668err: 2669 OPENSSL_free(sigalgs); 2670 return 0; 2671} 2672