OLD | NEW |
| (Empty) |
1 /* ssl/t1_lib.c */ | |
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
3 * All rights reserved. | |
4 * | |
5 * This package is an SSL implementation written | |
6 * by Eric Young (eay@cryptsoft.com). | |
7 * The implementation was written so as to conform with Netscapes SSL. | |
8 * | |
9 * This library is free for commercial and non-commercial use as long as | |
10 * the following conditions are aheared to. The following conditions | |
11 * apply to all code found in this distribution, be it the RC4, RSA, | |
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 * included with this distribution is covered by the same copyright terms | |
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 * | |
16 * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 * the code are not to be removed. | |
18 * If this package is used in a product, Eric Young should be given attribution | |
19 * as the author of the parts of the library used. | |
20 * This can be in the form of a textual message at program startup or | |
21 * in documentation (online or textual) provided with the package. | |
22 * | |
23 * Redistribution and use in source and binary forms, with or without | |
24 * modification, are permitted provided that the following conditions | |
25 * are met: | |
26 * 1. Redistributions of source code must retain the copyright | |
27 * notice, this list of conditions and the following disclaimer. | |
28 * 2. Redistributions in binary form must reproduce the above copyright | |
29 * notice, this list of conditions and the following disclaimer in the | |
30 * documentation and/or other materials provided with the distribution. | |
31 * 3. All advertising materials mentioning features or use of this software | |
32 * must display the following acknowledgement: | |
33 * "This product includes cryptographic software written by | |
34 * Eric Young (eay@cryptsoft.com)" | |
35 * The word 'cryptographic' can be left out if the rouines from the library | |
36 * being used are not cryptographic related :-). | |
37 * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 * the apps directory (application code) you must include an acknowledgement: | |
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 * | |
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 * SUCH DAMAGE. | |
52 * | |
53 * The licence and distribution terms for any publically available version or | |
54 * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 * copied and put under another distribution licence | |
56 * [including the GNU Public Licence.] | |
57 */ | |
58 /* ==================================================================== | |
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. | |
60 * | |
61 * Redistribution and use in source and binary forms, with or without | |
62 * modification, are permitted provided that the following conditions | |
63 * are met: | |
64 * | |
65 * 1. Redistributions of source code must retain the above copyright | |
66 * notice, this list of conditions and the following disclaimer. | |
67 * | |
68 * 2. Redistributions in binary form must reproduce the above copyright | |
69 * notice, this list of conditions and the following disclaimer in | |
70 * the documentation and/or other materials provided with the | |
71 * distribution. | |
72 * | |
73 * 3. All advertising materials mentioning features or use of this | |
74 * software must display the following acknowledgment: | |
75 * "This product includes software developed by the OpenSSL Project | |
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
77 * | |
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
79 * endorse or promote products derived from this software without | |
80 * prior written permission. For written permission, please contact | |
81 * openssl-core@openssl.org. | |
82 * | |
83 * 5. Products derived from this software may not be called "OpenSSL" | |
84 * nor may "OpenSSL" appear in their names without prior written | |
85 * permission of the OpenSSL Project. | |
86 * | |
87 * 6. Redistributions of any form whatsoever must retain the following | |
88 * acknowledgment: | |
89 * "This product includes software developed by the OpenSSL Project | |
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
91 * | |
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
103 * OF THE POSSIBILITY OF SUCH DAMAGE. | |
104 * ==================================================================== | |
105 * | |
106 * This product includes cryptographic software written by Eric Young | |
107 * (eay@cryptsoft.com). This product includes software written by Tim | |
108 * Hudson (tjh@cryptsoft.com). | |
109 * | |
110 */ | |
111 | |
112 #include <stdio.h> | |
113 #include <openssl/objects.h> | |
114 #include <openssl/evp.h> | |
115 #include <openssl/hmac.h> | |
116 #include <openssl/ocsp.h> | |
117 #include <openssl/rand.h> | |
118 #include "ssl_locl.h" | |
119 | |
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; | |
121 | |
122 #ifndef OPENSSL_NO_TLSEXT | |
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, | |
124 const unsigned char *sess_id, int sesslen, | |
125 SSL_SESSION **psess); | |
126 #endif | |
127 | |
128 SSL3_ENC_METHOD TLSv1_enc_data={ | |
129 tls1_enc, | |
130 tls1_mac, | |
131 tls1_setup_key_block, | |
132 tls1_generate_master_secret, | |
133 tls1_change_cipher_state, | |
134 tls1_final_finish_mac, | |
135 TLS1_FINISH_MAC_LENGTH, | |
136 tls1_cert_verify_mac, | |
137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, | |
138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, | |
139 tls1_alert_code, | |
140 tls1_export_keying_material, | |
141 }; | |
142 | |
143 long tls1_default_timeout(void) | |
144 { | |
145 /* 2 hours, the 24 hours mentioned in the TLSv1 spec | |
146 * is way too long for http, the cache would over fill */ | |
147 return(60*60*2); | |
148 } | |
149 | |
150 int tls1_new(SSL *s) | |
151 { | |
152 if (!ssl3_new(s)) return(0); | |
153 s->method->ssl_clear(s); | |
154 return(1); | |
155 } | |
156 | |
157 void tls1_free(SSL *s) | |
158 { | |
159 #ifndef OPENSSL_NO_TLSEXT | |
160 if (s->tlsext_session_ticket) | |
161 { | |
162 OPENSSL_free(s->tlsext_session_ticket); | |
163 } | |
164 #endif /* OPENSSL_NO_TLSEXT */ | |
165 ssl3_free(s); | |
166 } | |
167 | |
168 void tls1_clear(SSL *s) | |
169 { | |
170 ssl3_clear(s); | |
171 s->version = s->method->version; | |
172 } | |
173 | |
174 #ifndef OPENSSL_NO_EC | |
175 | |
176 static int nid_list[] = | |
177 { | |
178 NID_sect163k1, /* sect163k1 (1) */ | |
179 NID_sect163r1, /* sect163r1 (2) */ | |
180 NID_sect163r2, /* sect163r2 (3) */ | |
181 NID_sect193r1, /* sect193r1 (4) */ | |
182 NID_sect193r2, /* sect193r2 (5) */ | |
183 NID_sect233k1, /* sect233k1 (6) */ | |
184 NID_sect233r1, /* sect233r1 (7) */ | |
185 NID_sect239k1, /* sect239k1 (8) */ | |
186 NID_sect283k1, /* sect283k1 (9) */ | |
187 NID_sect283r1, /* sect283r1 (10) */ | |
188 NID_sect409k1, /* sect409k1 (11) */ | |
189 NID_sect409r1, /* sect409r1 (12) */ | |
190 NID_sect571k1, /* sect571k1 (13) */ | |
191 NID_sect571r1, /* sect571r1 (14) */ | |
192 NID_secp160k1, /* secp160k1 (15) */ | |
193 NID_secp160r1, /* secp160r1 (16) */ | |
194 NID_secp160r2, /* secp160r2 (17) */ | |
195 NID_secp192k1, /* secp192k1 (18) */ | |
196 NID_X9_62_prime192v1, /* secp192r1 (19) */ | |
197 NID_secp224k1, /* secp224k1 (20) */ | |
198 NID_secp224r1, /* secp224r1 (21) */ | |
199 NID_secp256k1, /* secp256k1 (22) */ | |
200 NID_X9_62_prime256v1, /* secp256r1 (23) */ | |
201 NID_secp384r1, /* secp384r1 (24) */ | |
202 NID_secp521r1 /* secp521r1 (25) */ | |
203 }; | |
204 | |
205 /* We support only the elliptic curves that are also supported by NSS | |
206 * to improve compatibility with sites that don't accept large ClientHellos. | |
207 */ | |
208 static int pref_list[] = | |
209 { | |
210 NID_secp521r1, /* secp521r1 (25) */ | |
211 NID_secp384r1, /* secp384r1 (24) */ | |
212 NID_X9_62_prime256v1, /* secp256r1 (23) */ | |
213 }; | |
214 | |
215 int tls1_ec_curve_id2nid(int curve_id) | |
216 { | |
217 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ | |
218 if ((curve_id < 1) || ((unsigned int)curve_id > | |
219 sizeof(nid_list)/sizeof(nid_list[0]))) | |
220 return 0; | |
221 return nid_list[curve_id-1]; | |
222 } | |
223 | |
224 int tls1_ec_nid2curve_id(int nid) | |
225 { | |
226 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ | |
227 switch (nid) | |
228 { | |
229 case NID_sect163k1: /* sect163k1 (1) */ | |
230 return 1; | |
231 case NID_sect163r1: /* sect163r1 (2) */ | |
232 return 2; | |
233 case NID_sect163r2: /* sect163r2 (3) */ | |
234 return 3; | |
235 case NID_sect193r1: /* sect193r1 (4) */ | |
236 return 4; | |
237 case NID_sect193r2: /* sect193r2 (5) */ | |
238 return 5; | |
239 case NID_sect233k1: /* sect233k1 (6) */ | |
240 return 6; | |
241 case NID_sect233r1: /* sect233r1 (7) */ | |
242 return 7; | |
243 case NID_sect239k1: /* sect239k1 (8) */ | |
244 return 8; | |
245 case NID_sect283k1: /* sect283k1 (9) */ | |
246 return 9; | |
247 case NID_sect283r1: /* sect283r1 (10) */ | |
248 return 10; | |
249 case NID_sect409k1: /* sect409k1 (11) */ | |
250 return 11; | |
251 case NID_sect409r1: /* sect409r1 (12) */ | |
252 return 12; | |
253 case NID_sect571k1: /* sect571k1 (13) */ | |
254 return 13; | |
255 case NID_sect571r1: /* sect571r1 (14) */ | |
256 return 14; | |
257 case NID_secp160k1: /* secp160k1 (15) */ | |
258 return 15; | |
259 case NID_secp160r1: /* secp160r1 (16) */ | |
260 return 16; | |
261 case NID_secp160r2: /* secp160r2 (17) */ | |
262 return 17; | |
263 case NID_secp192k1: /* secp192k1 (18) */ | |
264 return 18; | |
265 case NID_X9_62_prime192v1: /* secp192r1 (19) */ | |
266 return 19; | |
267 case NID_secp224k1: /* secp224k1 (20) */ | |
268 return 20; | |
269 case NID_secp224r1: /* secp224r1 (21) */ | |
270 return 21; | |
271 case NID_secp256k1: /* secp256k1 (22) */ | |
272 return 22; | |
273 case NID_X9_62_prime256v1: /* secp256r1 (23) */ | |
274 return 23; | |
275 case NID_secp384r1: /* secp384r1 (24) */ | |
276 return 24; | |
277 case NID_secp521r1: /* secp521r1 (25) */ | |
278 return 25; | |
279 default: | |
280 return 0; | |
281 } | |
282 } | |
283 #endif /* OPENSSL_NO_EC */ | |
284 | |
285 #ifndef OPENSSL_NO_TLSEXT | |
286 | |
287 /* List of supported signature algorithms and hashes. Should make this | |
288 * customisable at some point, for now include everything we support. | |
289 */ | |
290 | |
291 #ifdef OPENSSL_NO_RSA | |
292 #define tlsext_sigalg_rsa(md) /* */ | |
293 #else | |
294 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, | |
295 #endif | |
296 | |
297 #ifdef OPENSSL_NO_DSA | |
298 #define tlsext_sigalg_dsa(md) /* */ | |
299 #else | |
300 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, | |
301 #endif | |
302 | |
303 #ifdef OPENSSL_NO_ECDSA | |
304 #define tlsext_sigalg_ecdsa(md) /* */ | |
305 #else | |
306 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, | |
307 #endif | |
308 | |
309 #define tlsext_sigalg(md) \ | |
310 tlsext_sigalg_rsa(md) \ | |
311 tlsext_sigalg_dsa(md) \ | |
312 tlsext_sigalg_ecdsa(md) | |
313 | |
314 static unsigned char tls12_sigalgs[] = { | |
315 #ifndef OPENSSL_NO_SHA512 | |
316 tlsext_sigalg(TLSEXT_hash_sha512) | |
317 tlsext_sigalg(TLSEXT_hash_sha384) | |
318 #endif | |
319 #ifndef OPENSSL_NO_SHA256 | |
320 tlsext_sigalg(TLSEXT_hash_sha256) | |
321 tlsext_sigalg(TLSEXT_hash_sha224) | |
322 #endif | |
323 #ifndef OPENSSL_NO_SHA | |
324 tlsext_sigalg(TLSEXT_hash_sha1) | |
325 #endif | |
326 #ifndef OPENSSL_NO_MD5 | |
327 tlsext_sigalg_rsa(TLSEXT_hash_md5) | |
328 #endif | |
329 }; | |
330 | |
331 int tls12_get_req_sig_algs(SSL *s, unsigned char *p) | |
332 { | |
333 size_t slen = sizeof(tls12_sigalgs); | |
334 #ifdef OPENSSL_FIPS | |
335 /* If FIPS mode don't include MD5 which is last */ | |
336 if (FIPS_mode()) | |
337 slen -= 2; | |
338 #endif | |
339 if (p) | |
340 memcpy(p, tls12_sigalgs, slen); | |
341 return (int)slen; | |
342 } | |
343 | |
344 /* header_len is the length of the ClientHello header written so far, used to | |
345 * compute padding. It does not include the record header. Pass 0 if no padding | |
346 * is to be done. */ | |
347 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
har *limit, size_t header_len) | |
348 { | |
349 int extdatalen=0; | |
350 unsigned char *orig = buf; | |
351 unsigned char *ret = buf; | |
352 | |
353 /* don't add extensions for SSLv3 unless doing secure renegotiation */ | |
354 if (s->client_version == SSL3_VERSION | |
355 && !s->s3->send_connection_binding) | |
356 return orig; | |
357 | |
358 ret+=2; | |
359 | |
360 if (ret>=limit) return NULL; /* this really never occurs, but ... */ | |
361 | |
362 if (s->tlsext_hostname != NULL) | |
363 { | |
364 /* Add TLS extension servername to the Client Hello message */ | |
365 unsigned long size_str; | |
366 long lenmax; | |
367 | |
368 /* check for enough space. | |
369 4 for the servername type and entension length | |
370 2 for servernamelist length | |
371 1 for the hostname type | |
372 2 for hostname length | |
373 + hostname length | |
374 */ | |
375 | |
376 if ((lenmax = limit - ret - 9) < 0 | |
377 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)
lenmax) | |
378 return NULL; | |
379 | |
380 /* extension type and length */ | |
381 s2n(TLSEXT_TYPE_server_name,ret); | |
382 s2n(size_str+5,ret); | |
383 | |
384 /* length of servername list */ | |
385 s2n(size_str+3,ret); | |
386 | |
387 /* hostname type, length and hostname */ | |
388 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; | |
389 s2n(size_str,ret); | |
390 memcpy(ret, s->tlsext_hostname, size_str); | |
391 ret+=size_str; | |
392 } | |
393 | |
394 /* Add RI if renegotiating */ | |
395 if (s->renegotiate) | |
396 { | |
397 int el; | |
398 | |
399 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) | |
400 { | |
401 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); | |
402 return NULL; | |
403 } | |
404 | |
405 if((limit - ret - 4 - el) < 0) return NULL; | |
406 | |
407 s2n(TLSEXT_TYPE_renegotiate,ret); | |
408 s2n(el,ret); | |
409 | |
410 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) | |
411 { | |
412 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); | |
413 return NULL; | |
414 } | |
415 | |
416 ret += el; | |
417 } | |
418 | |
419 #ifndef OPENSSL_NO_SRP | |
420 /* Add SRP username if there is one */ | |
421 if (s->srp_ctx.login != NULL) | |
422 { /* Add TLS extension SRP username to the Client Hello message
*/ | |
423 | |
424 int login_len = strlen(s->srp_ctx.login); | |
425 if (login_len > 255 || login_len == 0) | |
426 { | |
427 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); | |
428 return NULL; | |
429 } | |
430 | |
431 /* check for enough space. | |
432 4 for the srp type type and entension length | |
433 1 for the srp user identity | |
434 + srp user identity length | |
435 */ | |
436 if ((limit - ret - 5 - login_len) < 0) return NULL; | |
437 | |
438 /* fill in the extension */ | |
439 s2n(TLSEXT_TYPE_srp,ret); | |
440 s2n(login_len+1,ret); | |
441 (*ret++) = (unsigned char) login_len; | |
442 memcpy(ret, s->srp_ctx.login, login_len); | |
443 ret+=login_len; | |
444 } | |
445 #endif | |
446 | |
447 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) | |
448 { | |
449 int ticklen; | |
450 if (!s->new_session && s->session && s->session->tlsext_tick) | |
451 ticklen = s->session->tlsext_ticklen; | |
452 else if (s->session && s->tlsext_session_ticket && | |
453 s->tlsext_session_ticket->data) | |
454 { | |
455 ticklen = s->tlsext_session_ticket->length; | |
456 s->session->tlsext_tick = OPENSSL_malloc(ticklen); | |
457 if (!s->session->tlsext_tick) | |
458 return NULL; | |
459 memcpy(s->session->tlsext_tick, | |
460 s->tlsext_session_ticket->data, | |
461 ticklen); | |
462 s->session->tlsext_ticklen = ticklen; | |
463 } | |
464 else | |
465 ticklen = 0; | |
466 if (ticklen == 0 && s->tlsext_session_ticket && | |
467 s->tlsext_session_ticket->data == NULL) | |
468 goto skip_ext; | |
469 /* Check for enough room 2 for extension type, 2 for len | |
470 * rest for ticket | |
471 */ | |
472 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; | |
473 s2n(TLSEXT_TYPE_session_ticket,ret); | |
474 s2n(ticklen,ret); | |
475 if (ticklen) | |
476 { | |
477 memcpy(ret, s->session->tlsext_tick, ticklen); | |
478 ret += ticklen; | |
479 } | |
480 } | |
481 skip_ext: | |
482 | |
483 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) | |
484 { | |
485 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) | |
486 return NULL; | |
487 s2n(TLSEXT_TYPE_signature_algorithms,ret); | |
488 s2n(sizeof(tls12_sigalgs) + 2, ret); | |
489 s2n(sizeof(tls12_sigalgs), ret); | |
490 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); | |
491 ret += sizeof(tls12_sigalgs); | |
492 } | |
493 | |
494 #ifdef TLSEXT_TYPE_opaque_prf_input | |
495 if (s->s3->client_opaque_prf_input != NULL && | |
496 s->version != DTLS1_VERSION) | |
497 { | |
498 size_t col = s->s3->client_opaque_prf_input_len; | |
499 | |
500 if ((long)(limit - ret - 6 - col < 0)) | |
501 return NULL; | |
502 if (col > 0xFFFD) /* can't happen */ | |
503 return NULL; | |
504 | |
505 s2n(TLSEXT_TYPE_opaque_prf_input, ret); | |
506 s2n(col + 2, ret); | |
507 s2n(col, ret); | |
508 memcpy(ret, s->s3->client_opaque_prf_input, col); | |
509 ret += col; | |
510 } | |
511 #endif | |
512 | |
513 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && | |
514 s->version != DTLS1_VERSION) | |
515 { | |
516 int i; | |
517 long extlen, idlen, itmp; | |
518 OCSP_RESPID *id; | |
519 | |
520 idlen = 0; | |
521 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) | |
522 { | |
523 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); | |
524 itmp = i2d_OCSP_RESPID(id, NULL); | |
525 if (itmp <= 0) | |
526 return NULL; | |
527 idlen += itmp + 2; | |
528 } | |
529 | |
530 if (s->tlsext_ocsp_exts) | |
531 { | |
532 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); | |
533 if (extlen < 0) | |
534 return NULL; | |
535 } | |
536 else | |
537 extlen = 0; | |
538 | |
539 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; | |
540 s2n(TLSEXT_TYPE_status_request, ret); | |
541 if (extlen + idlen > 0xFFF0) | |
542 return NULL; | |
543 s2n(extlen + idlen + 5, ret); | |
544 *(ret++) = TLSEXT_STATUSTYPE_ocsp; | |
545 s2n(idlen, ret); | |
546 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) | |
547 { | |
548 /* save position of id len */ | |
549 unsigned char *q = ret; | |
550 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); | |
551 /* skip over id len */ | |
552 ret += 2; | |
553 itmp = i2d_OCSP_RESPID(id, &ret); | |
554 /* write id len */ | |
555 s2n(itmp, q); | |
556 } | |
557 s2n(extlen, ret); | |
558 if (extlen > 0) | |
559 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); | |
560 } | |
561 | |
562 #ifndef OPENSSL_NO_HEARTBEATS | |
563 /* Add Heartbeat extension */ | |
564 s2n(TLSEXT_TYPE_heartbeat,ret); | |
565 s2n(1,ret); | |
566 /* Set mode: | |
567 * 1: peer may send requests | |
568 * 2: peer not allowed to send requests | |
569 */ | |
570 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) | |
571 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; | |
572 else | |
573 *(ret++) = SSL_TLSEXT_HB_ENABLED; | |
574 #endif | |
575 | |
576 #ifndef OPENSSL_NO_NEXTPROTONEG | |
577 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) | |
578 { | |
579 /* The client advertises an emtpy extension to indicate its | |
580 * support for Next Protocol Negotiation */ | |
581 if (limit - ret - 4 < 0) | |
582 return NULL; | |
583 s2n(TLSEXT_TYPE_next_proto_neg,ret); | |
584 s2n(0,ret); | |
585 } | |
586 #endif | |
587 | |
588 if (s->tlsext_channel_id_enabled) | |
589 { | |
590 /* The client advertises an emtpy extension to indicate its | |
591 * support for Channel ID. */ | |
592 if (limit - ret - 4 < 0) | |
593 return NULL; | |
594 s2n(TLSEXT_TYPE_channel_id,ret); | |
595 s2n(0,ret); | |
596 } | |
597 | |
598 #ifndef OPENSSL_NO_SRTP | |
599 if(SSL_get_srtp_profiles(s)) | |
600 { | |
601 int el; | |
602 | |
603 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); | |
604 | |
605 if((limit - ret - 4 - el) < 0) return NULL; | |
606 | |
607 s2n(TLSEXT_TYPE_use_srtp,ret); | |
608 s2n(el,ret); | |
609 | |
610 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) | |
611 { | |
612 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); | |
613 return NULL; | |
614 } | |
615 ret += el; | |
616 } | |
617 #endif | |
618 | |
619 #ifndef OPENSSL_NO_EC | |
620 /* WebSphere Application Server 7.0 is intolerant to the last extension | |
621 * being zero-length. ECC extensions are non-empty and not dropped until | |
622 * fallback to SSL3, at which point all extensions are gone. */ | |
623 if (s->tlsext_ecpointformatlist != NULL && | |
624 s->version != DTLS1_VERSION) | |
625 { | |
626 /* Add TLS extension ECPointFormats to the ClientHello message *
/ | |
627 long lenmax; | |
628 | |
629 if ((lenmax = limit - ret - 5) < 0) return NULL; | |
630 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
return NULL; | |
631 if (s->tlsext_ecpointformatlist_length > 255) | |
632 { | |
633 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); | |
634 return NULL; | |
635 } | |
636 | |
637 s2n(TLSEXT_TYPE_ec_point_formats,ret); | |
638 s2n(s->tlsext_ecpointformatlist_length + 1,ret); | |
639 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; | |
640 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformat
list_length); | |
641 ret+=s->tlsext_ecpointformatlist_length; | |
642 } | |
643 if (s->tlsext_ellipticcurvelist != NULL && | |
644 s->version != DTLS1_VERSION) | |
645 { | |
646 /* Add TLS extension EllipticCurves to the ClientHello message *
/ | |
647 long lenmax; | |
648 | |
649 if ((lenmax = limit - ret - 6) < 0) return NULL; | |
650 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax)
return NULL; | |
651 if (s->tlsext_ellipticcurvelist_length > 65532) | |
652 { | |
653 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); | |
654 return NULL; | |
655 } | |
656 | |
657 s2n(TLSEXT_TYPE_elliptic_curves,ret); | |
658 s2n(s->tlsext_ellipticcurvelist_length + 2, ret); | |
659 | |
660 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for | |
661 * elliptic_curve_list, but the examples use two bytes. | |
662 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.ht
ml | |
663 * resolves this to two bytes. | |
664 */ | |
665 s2n(s->tlsext_ellipticcurvelist_length, ret); | |
666 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurve
list_length); | |
667 ret+=s->tlsext_ellipticcurvelist_length; | |
668 } | |
669 #endif /* OPENSSL_NO_EC */ | |
670 | |
671 /* Add padding to workaround bugs in F5 terminators. | |
672 * See https://tools.ietf.org/html/draft-agl-tls-padding-02 */ | |
673 if (header_len > 0) | |
674 { | |
675 header_len += ret - orig; | |
676 if (header_len > 0xff && header_len < 0x200) | |
677 { | |
678 size_t padding_len = 0x200 - header_len; | |
679 /* Extensions take at least four bytes to encode. Always | |
680 * include least one byte of data if including the | |
681 * extension. WebSphere Application Server 7.0 is | |
682 * intolerant to the last extension being zero-length. *
/ | |
683 if (padding_len >= 4 + 1) | |
684 padding_len -= 4; | |
685 else | |
686 padding_len = 1; | |
687 if (limit - ret - 4 - (long)padding_len < 0) | |
688 return NULL; | |
689 | |
690 s2n(TLSEXT_TYPE_padding, ret); | |
691 s2n(padding_len, ret); | |
692 memset(ret, 0, padding_len); | |
693 ret += padding_len; | |
694 } | |
695 } | |
696 | |
697 | |
698 if ((extdatalen = ret-orig-2)== 0) | |
699 return orig; | |
700 | |
701 s2n(extdatalen, orig); | |
702 return ret; | |
703 } | |
704 | |
705 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
har *limit) | |
706 { | |
707 int extdatalen=0; | |
708 unsigned char *orig = buf; | |
709 unsigned char *ret = buf; | |
710 #ifndef OPENSSL_NO_NEXTPROTONEG | |
711 int next_proto_neg_seen; | |
712 #endif | |
713 | |
714 /* don't add extensions for SSLv3, unless doing secure renegotiation */ | |
715 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) | |
716 return orig; | |
717 | |
718 ret+=2; | |
719 if (ret>=limit) return NULL; /* this really never occurs, but ... */ | |
720 | |
721 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname !=
NULL) | |
722 { | |
723 if ((long)(limit - ret - 4) < 0) return NULL; | |
724 | |
725 s2n(TLSEXT_TYPE_server_name,ret); | |
726 s2n(0,ret); | |
727 } | |
728 | |
729 if(s->s3->send_connection_binding) | |
730 { | |
731 int el; | |
732 | |
733 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) | |
734 { | |
735 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); | |
736 return NULL; | |
737 } | |
738 | |
739 if((limit - ret - 4 - el) < 0) return NULL; | |
740 | |
741 s2n(TLSEXT_TYPE_renegotiate,ret); | |
742 s2n(el,ret); | |
743 | |
744 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) | |
745 { | |
746 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); | |
747 return NULL; | |
748 } | |
749 | |
750 ret += el; | |
751 } | |
752 | |
753 #ifndef OPENSSL_NO_EC | |
754 if (s->tlsext_ecpointformatlist != NULL && | |
755 s->version != DTLS1_VERSION) | |
756 { | |
757 /* Add TLS extension ECPointFormats to the ServerHello message *
/ | |
758 long lenmax; | |
759 | |
760 if ((lenmax = limit - ret - 5) < 0) return NULL; | |
761 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
return NULL; | |
762 if (s->tlsext_ecpointformatlist_length > 255) | |
763 { | |
764 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); | |
765 return NULL; | |
766 } | |
767 | |
768 s2n(TLSEXT_TYPE_ec_point_formats,ret); | |
769 s2n(s->tlsext_ecpointformatlist_length + 1,ret); | |
770 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; | |
771 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformat
list_length); | |
772 ret+=s->tlsext_ecpointformatlist_length; | |
773 | |
774 } | |
775 /* Currently the server should not respond with a SupportedCurves extens
ion */ | |
776 #endif /* OPENSSL_NO_EC */ | |
777 | |
778 if (s->tlsext_ticket_expected | |
779 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) | |
780 { | |
781 if ((long)(limit - ret - 4) < 0) return NULL; | |
782 s2n(TLSEXT_TYPE_session_ticket,ret); | |
783 s2n(0,ret); | |
784 } | |
785 | |
786 if (s->tlsext_status_expected) | |
787 { | |
788 if ((long)(limit - ret - 4) < 0) return NULL; | |
789 s2n(TLSEXT_TYPE_status_request,ret); | |
790 s2n(0,ret); | |
791 } | |
792 | |
793 #ifdef TLSEXT_TYPE_opaque_prf_input | |
794 if (s->s3->server_opaque_prf_input != NULL && | |
795 s->version != DTLS1_VERSION) | |
796 { | |
797 size_t sol = s->s3->server_opaque_prf_input_len; | |
798 | |
799 if ((long)(limit - ret - 6 - sol) < 0) | |
800 return NULL; | |
801 if (sol > 0xFFFD) /* can't happen */ | |
802 return NULL; | |
803 | |
804 s2n(TLSEXT_TYPE_opaque_prf_input, ret); | |
805 s2n(sol + 2, ret); | |
806 s2n(sol, ret); | |
807 memcpy(ret, s->s3->server_opaque_prf_input, sol); | |
808 ret += sol; | |
809 } | |
810 #endif | |
811 | |
812 #ifndef OPENSSL_NO_SRTP | |
813 if(s->srtp_profile) | |
814 { | |
815 int el; | |
816 | |
817 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); | |
818 | |
819 if((limit - ret - 4 - el) < 0) return NULL; | |
820 | |
821 s2n(TLSEXT_TYPE_use_srtp,ret); | |
822 s2n(el,ret); | |
823 | |
824 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) | |
825 { | |
826 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); | |
827 return NULL; | |
828 } | |
829 ret+=el; | |
830 } | |
831 #endif | |
832 | |
833 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_ciphe
r->id & 0xFFFF)==0x81) | |
834 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) | |
835 { const unsigned char cryptopro_ext[36] = { | |
836 0xfd, 0xe8, /*65000*/ | |
837 0x00, 0x20, /*32 bytes length*/ | |
838 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, | |
839 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, | |
840 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, | |
841 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17}; | |
842 if (limit-ret<36) return NULL; | |
843 memcpy(ret,cryptopro_ext,36); | |
844 ret+=36; | |
845 | |
846 } | |
847 | |
848 #ifndef OPENSSL_NO_HEARTBEATS | |
849 /* Add Heartbeat extension if we've received one */ | |
850 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) | |
851 { | |
852 s2n(TLSEXT_TYPE_heartbeat,ret); | |
853 s2n(1,ret); | |
854 /* Set mode: | |
855 * 1: peer may send requests | |
856 * 2: peer not allowed to send requests | |
857 */ | |
858 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) | |
859 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; | |
860 else | |
861 *(ret++) = SSL_TLSEXT_HB_ENABLED; | |
862 | |
863 } | |
864 #endif | |
865 | |
866 #ifndef OPENSSL_NO_NEXTPROTONEG | |
867 next_proto_neg_seen = s->s3->next_proto_neg_seen; | |
868 s->s3->next_proto_neg_seen = 0; | |
869 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) | |
870 { | |
871 const unsigned char *npa; | |
872 unsigned int npalen; | |
873 int r; | |
874 | |
875 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->
next_protos_advertised_cb_arg); | |
876 if (r == SSL_TLSEXT_ERR_OK) | |
877 { | |
878 if ((long)(limit - ret - 4 - npalen) < 0) return NULL; | |
879 s2n(TLSEXT_TYPE_next_proto_neg,ret); | |
880 s2n(npalen,ret); | |
881 memcpy(ret, npa, npalen); | |
882 ret += npalen; | |
883 s->s3->next_proto_neg_seen = 1; | |
884 } | |
885 } | |
886 #endif | |
887 | |
888 /* If the client advertised support for Channel ID, and we have it | |
889 * enabled, then we want to echo it back. */ | |
890 if (s->s3->tlsext_channel_id_valid) | |
891 { | |
892 if (limit - ret - 4 < 0) | |
893 return NULL; | |
894 s2n(TLSEXT_TYPE_channel_id,ret); | |
895 s2n(0,ret); | |
896 } | |
897 | |
898 if ((extdatalen = ret-orig-2)== 0) | |
899 return orig; | |
900 | |
901 s2n(extdatalen, orig); | |
902 return ret; | |
903 } | |
904 | |
905 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
t n, int *al) | |
906 { | |
907 unsigned short type; | |
908 unsigned short size; | |
909 unsigned short len; | |
910 unsigned char *data = *p; | |
911 int renegotiate_seen = 0; | |
912 int sigalg_seen = 0; | |
913 | |
914 s->servername_done = 0; | |
915 s->tlsext_status_type = -1; | |
916 #ifndef OPENSSL_NO_NEXTPROTONEG | |
917 s->s3->next_proto_neg_seen = 0; | |
918 #endif | |
919 | |
920 #ifndef OPENSSL_NO_HEARTBEATS | |
921 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | | |
922 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); | |
923 #endif | |
924 | |
925 if (data >= (d+n-2)) | |
926 goto ri_check; | |
927 n2s(data,len); | |
928 | |
929 if (data > (d+n-len)) | |
930 goto ri_check; | |
931 | |
932 while (data <= (d+n-4)) | |
933 { | |
934 n2s(data,type); | |
935 n2s(data,size); | |
936 | |
937 if (data+size > (d+n)) | |
938 goto ri_check; | |
939 #if 0 | |
940 fprintf(stderr,"Received extension type %d size %d\n",type,size)
; | |
941 #endif | |
942 if (s->tlsext_debug_cb) | |
943 s->tlsext_debug_cb(s, 0, type, data, size, | |
944 s->tlsext_debug_arg); | |
945 /* The servername extension is treated as follows: | |
946 | |
947 - Only the hostname type is supported with a maximum length of 255. | |
948 - The servername is rejected if too long or if it contains zeros, | |
949 in which case an fatal alert is generated. | |
950 - The servername field is maintained together with the session cache. | |
951 - When a session is resumed, the servername call back invoked in order | |
952 to allow the application to position itself to the right context. | |
953 - The servername is acknowledged if it is new for a session or when | |
954 it is identical to a previously used for the same session. | |
955 Applications can control the behaviour. They can at any time | |
956 set a 'desirable' servername for a new SSL object. This can be the | |
957 case for example with HTTPS when a Host: header field is received and | |
958 a renegotiation is requested. In this case, a possible servername | |
959 presented in the new client hello is only acknowledged if it matches | |
960 the value of the Host: field. | |
961 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | |
962 if they provide for changing an explicit servername context for the session
, | |
963 i.e. when the session has been established with a servername extension. | |
964 - On session reconnect, the servername extension may be absent. | |
965 | |
966 */ | |
967 | |
968 if (type == TLSEXT_TYPE_server_name) | |
969 { | |
970 unsigned char *sdata; | |
971 int servname_type; | |
972 int dsize; | |
973 | |
974 if (size < 2) | |
975 { | |
976 *al = SSL_AD_DECODE_ERROR; | |
977 return 0; | |
978 } | |
979 n2s(data,dsize); | |
980 size -= 2; | |
981 if (dsize > size ) | |
982 { | |
983 *al = SSL_AD_DECODE_ERROR; | |
984 return 0; | |
985 } | |
986 | |
987 sdata = data; | |
988 while (dsize > 3) | |
989 { | |
990 servname_type = *(sdata++); | |
991 n2s(sdata,len); | |
992 dsize -= 3; | |
993 | |
994 if (len > dsize) | |
995 { | |
996 *al = SSL_AD_DECODE_ERROR; | |
997 return 0; | |
998 } | |
999 if (s->servername_done == 0) | |
1000 switch (servname_type) | |
1001 { | |
1002 case TLSEXT_NAMETYPE_host_name: | |
1003 if (!s->hit) | |
1004 { | |
1005 if(s->session->tlsext_hostname) | |
1006 { | |
1007 *al = SSL_AD_DECODE_ERRO
R; | |
1008 return 0; | |
1009 } | |
1010 if (len > TLSEXT_MAXLEN_host_nam
e) | |
1011 { | |
1012 *al = TLS1_AD_UNRECOGNIZ
ED_NAME; | |
1013 return 0; | |
1014 } | |
1015 if ((s->session->tlsext_hostname
= OPENSSL_malloc(len+1)) == NULL) | |
1016 { | |
1017 *al = TLS1_AD_INTERNAL_E
RROR; | |
1018 return 0; | |
1019 } | |
1020 memcpy(s->session->tlsext_hostna
me, sdata, len); | |
1021 s->session->tlsext_hostname[len]
='\0'; | |
1022 if (strlen(s->session->tlsext_ho
stname) != len) { | |
1023 OPENSSL_free(s->session-
>tlsext_hostname); | |
1024 s->session->tlsext_hostn
ame = NULL; | |
1025 *al = TLS1_AD_UNRECOGNIZ
ED_NAME; | |
1026 return 0; | |
1027 } | |
1028 s->servername_done = 1; | |
1029 | |
1030 } | |
1031 else | |
1032 s->servername_done = s->session-
>tlsext_hostname | |
1033 && strlen(s->session->tl
sext_hostname) == len | |
1034 && strncmp(s->session->t
lsext_hostname, (char *)sdata, len) == 0; | |
1035 | |
1036 break; | |
1037 | |
1038 default: | |
1039 break; | |
1040 } | |
1041 | |
1042 dsize -= len; | |
1043 } | |
1044 if (dsize != 0) | |
1045 { | |
1046 *al = SSL_AD_DECODE_ERROR; | |
1047 return 0; | |
1048 } | |
1049 | |
1050 } | |
1051 #ifndef OPENSSL_NO_SRP | |
1052 else if (type == TLSEXT_TYPE_srp) | |
1053 { | |
1054 if (size <= 0 || ((len = data[0])) != (size -1)) | |
1055 { | |
1056 *al = SSL_AD_DECODE_ERROR; | |
1057 return 0; | |
1058 } | |
1059 if (s->srp_ctx.login != NULL) | |
1060 { | |
1061 *al = SSL_AD_DECODE_ERROR; | |
1062 return 0; | |
1063 } | |
1064 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL) | |
1065 return -1; | |
1066 memcpy(s->srp_ctx.login, &data[1], len); | |
1067 s->srp_ctx.login[len]='\0'; | |
1068 | |
1069 if (strlen(s->srp_ctx.login) != len) | |
1070 { | |
1071 *al = SSL_AD_DECODE_ERROR; | |
1072 return 0; | |
1073 } | |
1074 } | |
1075 #endif | |
1076 | |
1077 #ifndef OPENSSL_NO_EC | |
1078 else if (type == TLSEXT_TYPE_ec_point_formats && | |
1079 s->version != DTLS1_VERSION) | |
1080 { | |
1081 unsigned char *sdata = data; | |
1082 int ecpointformatlist_length = *(sdata++); | |
1083 | |
1084 if (ecpointformatlist_length != size - 1) | |
1085 { | |
1086 *al = TLS1_AD_DECODE_ERROR; | |
1087 return 0; | |
1088 } | |
1089 if (!s->hit) | |
1090 { | |
1091 if(s->session->tlsext_ecpointformatlist) | |
1092 { | |
1093 OPENSSL_free(s->session->tlsext_ecpointf
ormatlist); | |
1094 s->session->tlsext_ecpointformatlist = N
ULL; | |
1095 } | |
1096 s->session->tlsext_ecpointformatlist_length = 0; | |
1097 if ((s->session->tlsext_ecpointformatlist = OPEN
SSL_malloc(ecpointformatlist_length)) == NULL) | |
1098 { | |
1099 *al = TLS1_AD_INTERNAL_ERROR; | |
1100 return 0; | |
1101 } | |
1102 s->session->tlsext_ecpointformatlist_length = ec
pointformatlist_length; | |
1103 memcpy(s->session->tlsext_ecpointformatlist, sda
ta, ecpointformatlist_length); | |
1104 } | |
1105 #if 0 | |
1106 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session-
>tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_le
ngth); | |
1107 sdata = s->session->tlsext_ecpointformatlist; | |
1108 for (i = 0; i < s->session->tlsext_ecpointformatlist_len
gth; i++) | |
1109 fprintf(stderr,"%i ",*(sdata++)); | |
1110 fprintf(stderr,"\n"); | |
1111 #endif | |
1112 } | |
1113 else if (type == TLSEXT_TYPE_elliptic_curves && | |
1114 s->version != DTLS1_VERSION) | |
1115 { | |
1116 unsigned char *sdata = data; | |
1117 int ellipticcurvelist_length = (*(sdata++) << 8); | |
1118 ellipticcurvelist_length += (*(sdata++)); | |
1119 | |
1120 if (ellipticcurvelist_length != size - 2 || | |
1121 ellipticcurvelist_length < 1) | |
1122 { | |
1123 *al = TLS1_AD_DECODE_ERROR; | |
1124 return 0; | |
1125 } | |
1126 if (!s->hit) | |
1127 { | |
1128 if(s->session->tlsext_ellipticcurvelist) | |
1129 { | |
1130 *al = TLS1_AD_DECODE_ERROR; | |
1131 return 0; | |
1132 } | |
1133 s->session->tlsext_ellipticcurvelist_length = 0; | |
1134 if ((s->session->tlsext_ellipticcurvelist = OPEN
SSL_malloc(ellipticcurvelist_length)) == NULL) | |
1135 { | |
1136 *al = TLS1_AD_INTERNAL_ERROR; | |
1137 return 0; | |
1138 } | |
1139 s->session->tlsext_ellipticcurvelist_length = el
lipticcurvelist_length; | |
1140 memcpy(s->session->tlsext_ellipticcurvelist, sda
ta, ellipticcurvelist_length); | |
1141 } | |
1142 #if 0 | |
1143 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session-
>tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_le
ngth); | |
1144 sdata = s->session->tlsext_ellipticcurvelist; | |
1145 for (i = 0; i < s->session->tlsext_ellipticcurvelist_len
gth; i++) | |
1146 fprintf(stderr,"%i ",*(sdata++)); | |
1147 fprintf(stderr,"\n"); | |
1148 #endif | |
1149 } | |
1150 #endif /* OPENSSL_NO_EC */ | |
1151 #ifdef TLSEXT_TYPE_opaque_prf_input | |
1152 else if (type == TLSEXT_TYPE_opaque_prf_input && | |
1153 s->version != DTLS1_VERSION) | |
1154 { | |
1155 unsigned char *sdata = data; | |
1156 | |
1157 if (size < 2) | |
1158 { | |
1159 *al = SSL_AD_DECODE_ERROR; | |
1160 return 0; | |
1161 } | |
1162 n2s(sdata, s->s3->client_opaque_prf_input_len); | |
1163 if (s->s3->client_opaque_prf_input_len != size - 2) | |
1164 { | |
1165 *al = SSL_AD_DECODE_ERROR; | |
1166 return 0; | |
1167 } | |
1168 | |
1169 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't
really happen */ | |
1170 OPENSSL_free(s->s3->client_opaque_prf_input); | |
1171 if (s->s3->client_opaque_prf_input_len == 0) | |
1172 s->s3->client_opaque_prf_input = OPENSSL_malloc(
1); /* dummy byte just to get non-NULL */ | |
1173 else | |
1174 s->s3->client_opaque_prf_input = BUF_memdup(sdat
a, s->s3->client_opaque_prf_input_len); | |
1175 if (s->s3->client_opaque_prf_input == NULL) | |
1176 { | |
1177 *al = TLS1_AD_INTERNAL_ERROR; | |
1178 return 0; | |
1179 } | |
1180 } | |
1181 #endif | |
1182 else if (type == TLSEXT_TYPE_session_ticket) | |
1183 { | |
1184 if (s->tls_session_ticket_ext_cb && | |
1185 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_
session_ticket_ext_cb_arg)) | |
1186 { | |
1187 *al = TLS1_AD_INTERNAL_ERROR; | |
1188 return 0; | |
1189 } | |
1190 } | |
1191 else if (type == TLSEXT_TYPE_renegotiate) | |
1192 { | |
1193 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size,
al)) | |
1194 return 0; | |
1195 renegotiate_seen = 1; | |
1196 } | |
1197 else if (type == TLSEXT_TYPE_signature_algorithms) | |
1198 { | |
1199 int dsize; | |
1200 if (sigalg_seen || size < 2) | |
1201 { | |
1202 *al = SSL_AD_DECODE_ERROR; | |
1203 return 0; | |
1204 } | |
1205 sigalg_seen = 1; | |
1206 n2s(data,dsize); | |
1207 size -= 2; | |
1208 if (dsize != size || dsize & 1) | |
1209 { | |
1210 *al = SSL_AD_DECODE_ERROR; | |
1211 return 0; | |
1212 } | |
1213 if (!tls1_process_sigalgs(s, data, dsize)) | |
1214 { | |
1215 *al = SSL_AD_DECODE_ERROR; | |
1216 return 0; | |
1217 } | |
1218 } | |
1219 else if (type == TLSEXT_TYPE_status_request && | |
1220 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb
) | |
1221 { | |
1222 | |
1223 if (size < 5) | |
1224 { | |
1225 *al = SSL_AD_DECODE_ERROR; | |
1226 return 0; | |
1227 } | |
1228 | |
1229 s->tlsext_status_type = *data++; | |
1230 size--; | |
1231 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) | |
1232 { | |
1233 const unsigned char *sdata; | |
1234 int dsize; | |
1235 /* Read in responder_id_list */ | |
1236 n2s(data,dsize); | |
1237 size -= 2; | |
1238 if (dsize > size ) | |
1239 { | |
1240 *al = SSL_AD_DECODE_ERROR; | |
1241 return 0; | |
1242 } | |
1243 while (dsize > 0) | |
1244 { | |
1245 OCSP_RESPID *id; | |
1246 int idsize; | |
1247 if (dsize < 4) | |
1248 { | |
1249 *al = SSL_AD_DECODE_ERROR; | |
1250 return 0; | |
1251 } | |
1252 n2s(data, idsize); | |
1253 dsize -= 2 + idsize; | |
1254 size -= 2 + idsize; | |
1255 if (dsize < 0) | |
1256 { | |
1257 *al = SSL_AD_DECODE_ERROR; | |
1258 return 0; | |
1259 } | |
1260 sdata = data; | |
1261 data += idsize; | |
1262 id = d2i_OCSP_RESPID(NULL, | |
1263 &sdata, idsize); | |
1264 if (!id) | |
1265 { | |
1266 *al = SSL_AD_DECODE_ERROR; | |
1267 return 0; | |
1268 } | |
1269 if (data != sdata) | |
1270 { | |
1271 OCSP_RESPID_free(id); | |
1272 *al = SSL_AD_DECODE_ERROR; | |
1273 return 0; | |
1274 } | |
1275 if (!s->tlsext_ocsp_ids | |
1276 && !(s->tlsext_ocsp_ids = | |
1277 sk_OCSP_RESPID_new_null())) | |
1278 { | |
1279 OCSP_RESPID_free(id); | |
1280 *al = SSL_AD_INTERNAL_ERROR; | |
1281 return 0; | |
1282 } | |
1283 if (!sk_OCSP_RESPID_push( | |
1284 s->tlsext_ocsp_ids, id)) | |
1285 { | |
1286 OCSP_RESPID_free(id); | |
1287 *al = SSL_AD_INTERNAL_ERROR; | |
1288 return 0; | |
1289 } | |
1290 } | |
1291 | |
1292 /* Read in request_extensions */ | |
1293 if (size < 2) | |
1294 { | |
1295 *al = SSL_AD_DECODE_ERROR; | |
1296 return 0; | |
1297 } | |
1298 n2s(data,dsize); | |
1299 size -= 2; | |
1300 if (dsize != size) | |
1301 { | |
1302 *al = SSL_AD_DECODE_ERROR; | |
1303 return 0; | |
1304 } | |
1305 sdata = data; | |
1306 if (dsize > 0) | |
1307 { | |
1308 if (s->tlsext_ocsp_exts) | |
1309 { | |
1310 sk_X509_EXTENSION_pop_free(s->tl
sext_ocsp_exts, | |
1311 X509_
EXTENSION_free); | |
1312 } | |
1313 | |
1314 s->tlsext_ocsp_exts = | |
1315 d2i_X509_EXTENSIONS(NULL, | |
1316 &sdata, dsize); | |
1317 if (!s->tlsext_ocsp_exts | |
1318 || (data + dsize != sdata)) | |
1319 { | |
1320 *al = SSL_AD_DECODE_ERROR; | |
1321 return 0; | |
1322 } | |
1323 } | |
1324 } | |
1325 /* We don't know what to do with any other type | |
1326 * so ignore it. | |
1327 */ | |
1328 else | |
1329 s->tlsext_status_type = -1; | |
1330 } | |
1331 #ifndef OPENSSL_NO_HEARTBEATS | |
1332 else if (type == TLSEXT_TYPE_heartbeat) | |
1333 { | |
1334 switch(data[0]) | |
1335 { | |
1336 case 0x01: /* Client allows us to send HB r
equests */ | |
1337 s->tlsext_heartbeat |= S
SL_TLSEXT_HB_ENABLED; | |
1338 break; | |
1339 case 0x02: /* Client doesn't accept HB requ
ests */ | |
1340 s->tlsext_heartbeat |= S
SL_TLSEXT_HB_ENABLED; | |
1341 s->tlsext_heartbeat |= S
SL_TLSEXT_HB_DONT_SEND_REQUESTS; | |
1342 break; | |
1343 default: *al = SSL_AD_ILLEGAL_PARAMETER; | |
1344 return 0; | |
1345 } | |
1346 } | |
1347 #endif | |
1348 #ifndef OPENSSL_NO_NEXTPROTONEG | |
1349 else if (type == TLSEXT_TYPE_next_proto_neg && | |
1350 s->s3->tmp.finish_md_len == 0) | |
1351 { | |
1352 /* We shouldn't accept this extension on a | |
1353 * renegotiation. | |
1354 * | |
1355 * s->new_session will be set on renegotiation, but we | |
1356 * probably shouldn't rely that it couldn't be set on | |
1357 * the initial renegotation too in certain cases (when | |
1358 * there's some other reason to disallow resuming an | |
1359 * earlier session -- the current code won't be doing | |
1360 * anything like that, but this might change). | |
1361 | |
1362 * A valid sign that there's been a previous handshake | |
1363 * in this connection is if s->s3->tmp.finish_md_len > | |
1364 * 0. (We are talking about a check that will happen | |
1365 * in the Hello protocol round, well before a new | |
1366 * Finished message could have been computed.) */ | |
1367 s->s3->next_proto_neg_seen = 1; | |
1368 } | |
1369 #endif | |
1370 | |
1371 else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_
enabled) | |
1372 s->s3->tlsext_channel_id_valid = 1; | |
1373 | |
1374 /* session ticket processed earlier */ | |
1375 #ifndef OPENSSL_NO_SRTP | |
1376 else if (type == TLSEXT_TYPE_use_srtp) | |
1377 { | |
1378 if(ssl_parse_clienthello_use_srtp_ext(s, data, size, | |
1379 al)) | |
1380 return 0; | |
1381 } | |
1382 #endif | |
1383 | |
1384 data+=size; | |
1385 } | |
1386 | |
1387 *p = data; | |
1388 | |
1389 ri_check: | |
1390 | |
1391 /* Need RI if renegotiating */ | |
1392 | |
1393 if (!renegotiate_seen && s->renegotiate && | |
1394 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) | |
1395 { | |
1396 *al = SSL_AD_HANDSHAKE_FAILURE; | |
1397 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, | |
1398 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | |
1399 return 0; | |
1400 } | |
1401 | |
1402 return 1; | |
1403 } | |
1404 | |
1405 #ifndef OPENSSL_NO_NEXTPROTONEG | |
1406 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No | |
1407 * elements of zero length are allowed and the set of elements must exactly fill | |
1408 * the length of the block. */ | |
1409 static char ssl_next_proto_validate(unsigned char *d, unsigned len) | |
1410 { | |
1411 unsigned int off = 0; | |
1412 | |
1413 while (off < len) | |
1414 { | |
1415 if (d[off] == 0) | |
1416 return 0; | |
1417 off += d[off]; | |
1418 off++; | |
1419 } | |
1420 | |
1421 return off == len; | |
1422 } | |
1423 #endif | |
1424 | |
1425 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
t n, int *al) | |
1426 { | |
1427 unsigned short length; | |
1428 unsigned short type; | |
1429 unsigned short size; | |
1430 unsigned char *data = *p; | |
1431 int tlsext_servername = 0; | |
1432 int renegotiate_seen = 0; | |
1433 | |
1434 #ifndef OPENSSL_NO_NEXTPROTONEG | |
1435 s->s3->next_proto_neg_seen = 0; | |
1436 #endif | |
1437 | |
1438 #ifndef OPENSSL_NO_HEARTBEATS | |
1439 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | | |
1440 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); | |
1441 #endif | |
1442 | |
1443 if (data >= (d+n-2)) | |
1444 goto ri_check; | |
1445 | |
1446 n2s(data,length); | |
1447 if (data+length != d+n) | |
1448 { | |
1449 *al = SSL_AD_DECODE_ERROR; | |
1450 return 0; | |
1451 } | |
1452 | |
1453 while(data <= (d+n-4)) | |
1454 { | |
1455 n2s(data,type); | |
1456 n2s(data,size); | |
1457 | |
1458 if (data+size > (d+n)) | |
1459 goto ri_check; | |
1460 | |
1461 if (s->tlsext_debug_cb) | |
1462 s->tlsext_debug_cb(s, 1, type, data, size, | |
1463 s->tlsext_debug_arg); | |
1464 | |
1465 if (type == TLSEXT_TYPE_server_name) | |
1466 { | |
1467 if (s->tlsext_hostname == NULL || size > 0) | |
1468 { | |
1469 *al = TLS1_AD_UNRECOGNIZED_NAME; | |
1470 return 0; | |
1471 } | |
1472 tlsext_servername = 1; | |
1473 } | |
1474 | |
1475 #ifndef OPENSSL_NO_EC | |
1476 else if (type == TLSEXT_TYPE_ec_point_formats && | |
1477 s->version != DTLS1_VERSION) | |
1478 { | |
1479 unsigned char *sdata = data; | |
1480 int ecpointformatlist_length = *(sdata++); | |
1481 | |
1482 if (ecpointformatlist_length != size - 1 || | |
1483 ecpointformatlist_length < 1) | |
1484 { | |
1485 *al = TLS1_AD_DECODE_ERROR; | |
1486 return 0; | |
1487 } | |
1488 s->session->tlsext_ecpointformatlist_length = 0; | |
1489 if (s->session->tlsext_ecpointformatlist != NULL) OPENSS
L_free(s->session->tlsext_ecpointformatlist); | |
1490 if ((s->session->tlsext_ecpointformatlist = OPENSSL_mall
oc(ecpointformatlist_length)) == NULL) | |
1491 { | |
1492 *al = TLS1_AD_INTERNAL_ERROR; | |
1493 return 0; | |
1494 } | |
1495 s->session->tlsext_ecpointformatlist_length = ecpointfor
matlist_length; | |
1496 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpo
intformatlist_length); | |
1497 #if 0 | |
1498 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session-
>tlsext_ecpointformatlist "); | |
1499 sdata = s->session->tlsext_ecpointformatlist; | |
1500 for (i = 0; i < s->session->tlsext_ecpointformatlist_len
gth; i++) | |
1501 fprintf(stderr,"%i ",*(sdata++)); | |
1502 fprintf(stderr,"\n"); | |
1503 #endif | |
1504 } | |
1505 #endif /* OPENSSL_NO_EC */ | |
1506 | |
1507 else if (type == TLSEXT_TYPE_session_ticket) | |
1508 { | |
1509 if (s->tls_session_ticket_ext_cb && | |
1510 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_
session_ticket_ext_cb_arg)) | |
1511 { | |
1512 *al = TLS1_AD_INTERNAL_ERROR; | |
1513 return 0; | |
1514 } | |
1515 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) | |
1516 || (size > 0)) | |
1517 { | |
1518 *al = TLS1_AD_UNSUPPORTED_EXTENSION; | |
1519 return 0; | |
1520 } | |
1521 s->tlsext_ticket_expected = 1; | |
1522 } | |
1523 #ifdef TLSEXT_TYPE_opaque_prf_input | |
1524 else if (type == TLSEXT_TYPE_opaque_prf_input && | |
1525 s->version != DTLS1_VERSION) | |
1526 { | |
1527 unsigned char *sdata = data; | |
1528 | |
1529 if (size < 2) | |
1530 { | |
1531 *al = SSL_AD_DECODE_ERROR; | |
1532 return 0; | |
1533 } | |
1534 n2s(sdata, s->s3->server_opaque_prf_input_len); | |
1535 if (s->s3->server_opaque_prf_input_len != size - 2) | |
1536 { | |
1537 *al = SSL_AD_DECODE_ERROR; | |
1538 return 0; | |
1539 } | |
1540 | |
1541 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't
really happen */ | |
1542 OPENSSL_free(s->s3->server_opaque_prf_input); | |
1543 if (s->s3->server_opaque_prf_input_len == 0) | |
1544 s->s3->server_opaque_prf_input = OPENSSL_malloc(
1); /* dummy byte just to get non-NULL */ | |
1545 else | |
1546 s->s3->server_opaque_prf_input = BUF_memdup(sdat
a, s->s3->server_opaque_prf_input_len); | |
1547 | |
1548 if (s->s3->server_opaque_prf_input == NULL) | |
1549 { | |
1550 *al = TLS1_AD_INTERNAL_ERROR; | |
1551 return 0; | |
1552 } | |
1553 } | |
1554 #endif | |
1555 else if (type == TLSEXT_TYPE_status_request && | |
1556 s->version != DTLS1_VERSION) | |
1557 { | |
1558 /* MUST be empty and only sent if we've requested | |
1559 * a status request message. | |
1560 */ | |
1561 if ((s->tlsext_status_type == -1) || (size > 0)) | |
1562 { | |
1563 *al = TLS1_AD_UNSUPPORTED_EXTENSION; | |
1564 return 0; | |
1565 } | |
1566 /* Set flag to expect CertificateStatus message */ | |
1567 s->tlsext_status_expected = 1; | |
1568 } | |
1569 #ifndef OPENSSL_NO_NEXTPROTONEG | |
1570 else if (type == TLSEXT_TYPE_next_proto_neg && | |
1571 s->s3->tmp.finish_md_len == 0) | |
1572 { | |
1573 unsigned char *selected; | |
1574 unsigned char selected_len; | |
1575 | |
1576 /* We must have requested it. */ | |
1577 if (s->ctx->next_proto_select_cb == NULL) | |
1578 { | |
1579 *al = TLS1_AD_UNSUPPORTED_EXTENSION; | |
1580 return 0; | |
1581 } | |
1582 /* The data must be valid */ | |
1583 if (!ssl_next_proto_validate(data, size)) | |
1584 { | |
1585 *al = TLS1_AD_DECODE_ERROR; | |
1586 return 0; | |
1587 } | |
1588 if (s->ctx->next_proto_select_cb(s, &selected, &selected
_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) | |
1589 { | |
1590 *al = TLS1_AD_INTERNAL_ERROR; | |
1591 return 0; | |
1592 } | |
1593 s->next_proto_negotiated = OPENSSL_malloc(selected_len); | |
1594 if (!s->next_proto_negotiated) | |
1595 { | |
1596 *al = TLS1_AD_INTERNAL_ERROR; | |
1597 return 0; | |
1598 } | |
1599 memcpy(s->next_proto_negotiated, selected, selected_len)
; | |
1600 s->next_proto_negotiated_len = selected_len; | |
1601 s->s3->next_proto_neg_seen = 1; | |
1602 } | |
1603 #endif | |
1604 else if (type == TLSEXT_TYPE_channel_id) | |
1605 s->s3->tlsext_channel_id_valid = 1; | |
1606 | |
1607 else if (type == TLSEXT_TYPE_renegotiate) | |
1608 { | |
1609 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size,
al)) | |
1610 return 0; | |
1611 renegotiate_seen = 1; | |
1612 } | |
1613 #ifndef OPENSSL_NO_HEARTBEATS | |
1614 else if (type == TLSEXT_TYPE_heartbeat) | |
1615 { | |
1616 switch(data[0]) | |
1617 { | |
1618 case 0x01: /* Server allows us to send HB r
equests */ | |
1619 s->tlsext_heartbeat |= S
SL_TLSEXT_HB_ENABLED; | |
1620 break; | |
1621 case 0x02: /* Server doesn't accept HB requ
ests */ | |
1622 s->tlsext_heartbeat |= S
SL_TLSEXT_HB_ENABLED; | |
1623 s->tlsext_heartbeat |= S
SL_TLSEXT_HB_DONT_SEND_REQUESTS; | |
1624 break; | |
1625 default: *al = SSL_AD_ILLEGAL_PARAMETER; | |
1626 return 0; | |
1627 } | |
1628 } | |
1629 #endif | |
1630 #ifndef OPENSSL_NO_SRTP | |
1631 else if (type == TLSEXT_TYPE_use_srtp) | |
1632 { | |
1633 if(ssl_parse_serverhello_use_srtp_ext(s, data, size, | |
1634 al)) | |
1635 return 0; | |
1636 } | |
1637 #endif | |
1638 | |
1639 data+=size; | |
1640 } | |
1641 | |
1642 if (data != d+n) | |
1643 { | |
1644 *al = SSL_AD_DECODE_ERROR; | |
1645 return 0; | |
1646 } | |
1647 | |
1648 if (!s->hit && tlsext_servername == 1) | |
1649 { | |
1650 if (s->tlsext_hostname) | |
1651 { | |
1652 if (s->session->tlsext_hostname == NULL) | |
1653 { | |
1654 s->session->tlsext_hostname = BUF_strdup(s->tlse
xt_hostname); | |
1655 if (!s->session->tlsext_hostname) | |
1656 { | |
1657 *al = SSL_AD_UNRECOGNIZED_NAME; | |
1658 return 0; | |
1659 } | |
1660 } | |
1661 else | |
1662 { | |
1663 *al = SSL_AD_DECODE_ERROR; | |
1664 return 0; | |
1665 } | |
1666 } | |
1667 } | |
1668 | |
1669 *p = data; | |
1670 | |
1671 ri_check: | |
1672 | |
1673 /* Determine if we need to see RI. Strictly speaking if we want to | |
1674 * avoid an attack we should *always* see RI even on initial server | |
1675 * hello because the client doesn't see any renegotiation during an | |
1676 * attack. However this would mean we could not connect to any server | |
1677 * which doesn't support RI so for the immediate future tolerate RI | |
1678 * absence on initial connect only. | |
1679 */ | |
1680 if (!renegotiate_seen | |
1681 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) | |
1682 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) | |
1683 { | |
1684 *al = SSL_AD_HANDSHAKE_FAILURE; | |
1685 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, | |
1686 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | |
1687 return 0; | |
1688 } | |
1689 | |
1690 return 1; | |
1691 } | |
1692 | |
1693 | |
1694 int ssl_prepare_clienthello_tlsext(SSL *s) | |
1695 { | |
1696 #ifndef OPENSSL_NO_EC | |
1697 /* If we are client and using an elliptic curve cryptography cipher suit
e, send the point formats | |
1698 * and elliptic curves we support. | |
1699 */ | |
1700 int using_ecc = 0; | |
1701 int i; | |
1702 unsigned char *j; | |
1703 unsigned long alg_k, alg_a; | |
1704 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); | |
1705 | |
1706 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) | |
1707 { | |
1708 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); | |
1709 | |
1710 alg_k = c->algorithm_mkey; | |
1711 alg_a = c->algorithm_auth; | |
1712 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_
aECDSA))) | |
1713 { | |
1714 using_ecc = 1; | |
1715 break; | |
1716 } | |
1717 } | |
1718 using_ecc = using_ecc && (s->version >= TLS1_VERSION); | |
1719 if (using_ecc) | |
1720 { | |
1721 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_
ecpointformatlist); | |
1722 /* To save an additional 2 bytes in the ClientHello, we only adv
ertise support | |
1723 * for the only EC Point Format that NSS supports (instead of al
l 3). | |
1724 */ | |
1725 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(1)) == NULL) | |
1726 { | |
1727 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC
_FAILURE); | |
1728 return -1; | |
1729 } | |
1730 s->tlsext_ecpointformatlist_length = 1; | |
1731 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompress
ed; | |
1732 | |
1733 /* we only advertise support for elliptic curves in NSA Suite B
*/ | |
1734 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_
ellipticcurvelist); | |
1735 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pr
ef_list[0]) * 2; | |
1736 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_elli
pticcurvelist_length)) == NULL) | |
1737 { | |
1738 s->tlsext_ellipticcurvelist_length = 0; | |
1739 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC
_FAILURE); | |
1740 return -1; | |
1741 } | |
1742 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < | |
1743 sizeof(pref_list)/sizeof(pref_list[0]); i++) | |
1744 { | |
1745 int id = tls1_ec_nid2curve_id(pref_list[i]); | |
1746 s2n(id,j); | |
1747 } | |
1748 } | |
1749 #endif /* OPENSSL_NO_EC */ | |
1750 | |
1751 #ifdef TLSEXT_TYPE_opaque_prf_input | |
1752 { | |
1753 int r = 1; | |
1754 | |
1755 if (s->ctx->tlsext_opaque_prf_input_callback != 0) | |
1756 { | |
1757 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
s->ctx->tlsext_opaque_prf_input_callback_arg); | |
1758 if (!r) | |
1759 return -1; | |
1760 } | |
1761 | |
1762 if (s->tlsext_opaque_prf_input != NULL) | |
1763 { | |
1764 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't
really happen */ | |
1765 OPENSSL_free(s->s3->client_opaque_prf_input); | |
1766 | |
1767 if (s->tlsext_opaque_prf_input_len == 0) | |
1768 s->s3->client_opaque_prf_input = OPENSSL_malloc(
1); /* dummy byte just to get non-NULL */ | |
1769 else | |
1770 s->s3->client_opaque_prf_input = BUF_memdup(s->t
lsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); | |
1771 if (s->s3->client_opaque_prf_input == NULL) | |
1772 { | |
1773 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_
R_MALLOC_FAILURE); | |
1774 return -1; | |
1775 } | |
1776 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_pr
f_input_len; | |
1777 } | |
1778 | |
1779 if (r == 2) | |
1780 /* at callback's request, insist on receiving an appropr
iate server opaque PRF input */ | |
1781 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_pr
f_input_len; | |
1782 } | |
1783 #endif | |
1784 | |
1785 return 1; | |
1786 } | |
1787 | |
1788 int ssl_prepare_serverhello_tlsext(SSL *s) | |
1789 { | |
1790 #ifndef OPENSSL_NO_EC | |
1791 /* If we are server and using an ECC cipher suite, send the point format
s we support | |
1792 * if the client sent us an ECPointsFormat extension. Note that the ser
ver is not | |
1793 * supposed to send an EllipticCurves extension. | |
1794 */ | |
1795 | |
1796 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | |
1797 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; | |
1798 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a &
SSL_aECDSA); | |
1799 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); | |
1800 | |
1801 if (using_ecc) | |
1802 { | |
1803 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_
ecpointformatlist); | |
1804 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) | |
1805 { | |
1806 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC
_FAILURE); | |
1807 return -1; | |
1808 } | |
1809 s->tlsext_ecpointformatlist_length = 3; | |
1810 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompress
ed; | |
1811 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_c
ompressed_prime; | |
1812 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_c
ompressed_char2; | |
1813 } | |
1814 #endif /* OPENSSL_NO_EC */ | |
1815 | |
1816 return 1; | |
1817 } | |
1818 | |
1819 int ssl_check_clienthello_tlsext_early(SSL *s) | |
1820 { | |
1821 int ret=SSL_TLSEXT_ERR_NOACK; | |
1822 int al = SSL_AD_UNRECOGNIZED_NAME; | |
1823 | |
1824 #ifndef OPENSSL_NO_EC | |
1825 /* The handling of the ECPointFormats extension is done elsewhere, namel
y in | |
1826 * ssl3_choose_cipher in s3_lib.c. | |
1827 */ | |
1828 /* The handling of the EllipticCurves extension is done elsewhere, namel
y in | |
1829 * ssl3_choose_cipher in s3_lib.c. | |
1830 */ | |
1831 #endif | |
1832 | |
1833 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) | |
1834 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_
servername_arg); | |
1835 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_cal
lback != 0) | |
1836 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->init
ial_ctx->tlsext_servername_arg); | |
1837 | |
1838 #ifdef TLSEXT_TYPE_opaque_prf_input | |
1839 { | |
1840 /* This sort of belongs into ssl_prepare_serverhello_tlsext(), | |
1841 * but we might be sending an alert in response to the client he
llo, | |
1842 * so this has to happen here in | |
1843 * ssl_check_clienthello_tlsext_early(). */ | |
1844 | |
1845 int r = 1; | |
1846 | |
1847 if (s->ctx->tlsext_opaque_prf_input_callback != 0) | |
1848 { | |
1849 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
s->ctx->tlsext_opaque_prf_input_callback_arg); | |
1850 if (!r) | |
1851 { | |
1852 ret = SSL_TLSEXT_ERR_ALERT_FATAL; | |
1853 al = SSL_AD_INTERNAL_ERROR; | |
1854 goto err; | |
1855 } | |
1856 } | |
1857 | |
1858 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really
happen */ | |
1859 OPENSSL_free(s->s3->server_opaque_prf_input); | |
1860 s->s3->server_opaque_prf_input = NULL; | |
1861 | |
1862 if (s->tlsext_opaque_prf_input != NULL) | |
1863 { | |
1864 if (s->s3->client_opaque_prf_input != NULL && | |
1865 s->s3->client_opaque_prf_input_len == s->tlsext_
opaque_prf_input_len) | |
1866 { | |
1867 /* can only use this extension if we have a serv
er opaque PRF input | |
1868 * of the same length as the client opaque PRF i
nput! */ | |
1869 | |
1870 if (s->tlsext_opaque_prf_input_len == 0) | |
1871 s->s3->server_opaque_prf_input = OPENSSL
_malloc(1); /* dummy byte just to get non-NULL */ | |
1872 else | |
1873 s->s3->server_opaque_prf_input = BUF_mem
dup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); | |
1874 if (s->s3->server_opaque_prf_input == NULL) | |
1875 { | |
1876 ret = SSL_TLSEXT_ERR_ALERT_FATAL; | |
1877 al = SSL_AD_INTERNAL_ERROR; | |
1878 goto err; | |
1879 } | |
1880 s->s3->server_opaque_prf_input_len = s->tlsext_o
paque_prf_input_len; | |
1881 } | |
1882 } | |
1883 | |
1884 if (r == 2 && s->s3->server_opaque_prf_input == NULL) | |
1885 { | |
1886 /* The callback wants to enforce use of the extension, | |
1887 * but we can't do that with the client opaque PRF input
; | |
1888 * abort the handshake. | |
1889 */ | |
1890 ret = SSL_TLSEXT_ERR_ALERT_FATAL; | |
1891 al = SSL_AD_HANDSHAKE_FAILURE; | |
1892 } | |
1893 } | |
1894 | |
1895 err: | |
1896 #endif | |
1897 switch (ret) | |
1898 { | |
1899 case SSL_TLSEXT_ERR_ALERT_FATAL: | |
1900 ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
1901 return -1; | |
1902 | |
1903 case SSL_TLSEXT_ERR_ALERT_WARNING: | |
1904 ssl3_send_alert(s,SSL3_AL_WARNING,al); | |
1905 return 1; | |
1906 | |
1907 case SSL_TLSEXT_ERR_NOACK: | |
1908 s->servername_done=0; | |
1909 default: | |
1910 return 1; | |
1911 } | |
1912 } | |
1913 | |
1914 int ssl_check_clienthello_tlsext_late(SSL *s) | |
1915 { | |
1916 int ret = SSL_TLSEXT_ERR_OK; | |
1917 int al; | |
1918 | |
1919 /* If status request then ask callback what to do. | |
1920 * Note: this must be called after servername callbacks in case | |
1921 * the certificate has changed, and must be called after the cipher | |
1922 * has been chosen because this may influence which certificate is sent | |
1923 */ | |
1924 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) | |
1925 { | |
1926 int r; | |
1927 CERT_PKEY *certpkey; | |
1928 certpkey = ssl_get_server_send_pkey(s); | |
1929 /* If no certificate can't return certificate status */ | |
1930 if (certpkey == NULL) | |
1931 { | |
1932 s->tlsext_status_expected = 0; | |
1933 return 1; | |
1934 } | |
1935 /* Set current certificate to one we will use so | |
1936 * SSL_get_certificate et al can pick it up. | |
1937 */ | |
1938 s->cert->key = certpkey; | |
1939 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); | |
1940 switch (r) | |
1941 { | |
1942 /* We don't want to send a status request response */ | |
1943 case SSL_TLSEXT_ERR_NOACK: | |
1944 s->tlsext_status_expected = 0; | |
1945 break; | |
1946 /* status request response should be sent */ | |
1947 case SSL_TLSEXT_ERR_OK: | |
1948 if (s->tlsext_ocsp_resp) | |
1949 s->tlsext_status_expected = 1; | |
1950 else | |
1951 s->tlsext_status_expected = 0; | |
1952 break; | |
1953 /* something bad happened */ | |
1954 case SSL_TLSEXT_ERR_ALERT_FATAL: | |
1955 ret = SSL_TLSEXT_ERR_ALERT_FATAL; | |
1956 al = SSL_AD_INTERNAL_ERROR; | |
1957 goto err; | |
1958 } | |
1959 } | |
1960 else | |
1961 s->tlsext_status_expected = 0; | |
1962 | |
1963 err: | |
1964 switch (ret) | |
1965 { | |
1966 case SSL_TLSEXT_ERR_ALERT_FATAL: | |
1967 ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
1968 return -1; | |
1969 | |
1970 case SSL_TLSEXT_ERR_ALERT_WARNING: | |
1971 ssl3_send_alert(s,SSL3_AL_WARNING,al); | |
1972 return 1; | |
1973 | |
1974 default: | |
1975 return 1; | |
1976 } | |
1977 } | |
1978 | |
1979 int ssl_check_serverhello_tlsext(SSL *s) | |
1980 { | |
1981 int ret=SSL_TLSEXT_ERR_NOACK; | |
1982 int al = SSL_AD_UNRECOGNIZED_NAME; | |
1983 | |
1984 #ifndef OPENSSL_NO_EC | |
1985 /* If we are client and using an elliptic curve cryptography cipher | |
1986 * suite, then if server returns an EC point formats lists extension | |
1987 * it must contain uncompressed. | |
1988 */ | |
1989 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | |
1990 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; | |
1991 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlis
t_length > 0) && | |
1992 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsex
t_ecpointformatlist_length > 0) && | |
1993 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA
))) | |
1994 { | |
1995 /* we are using an ECC cipher */ | |
1996 size_t i; | |
1997 unsigned char *list; | |
1998 int found_uncompressed = 0; | |
1999 list = s->session->tlsext_ecpointformatlist; | |
2000 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++
) | |
2001 { | |
2002 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) | |
2003 { | |
2004 found_uncompressed = 1; | |
2005 break; | |
2006 } | |
2007 } | |
2008 if (!found_uncompressed) | |
2009 { | |
2010 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVA
LID_ECPOINTFORMAT_LIST); | |
2011 return -1; | |
2012 } | |
2013 } | |
2014 ret = SSL_TLSEXT_ERR_OK; | |
2015 #endif /* OPENSSL_NO_EC */ | |
2016 | |
2017 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) | |
2018 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_
servername_arg); | |
2019 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_cal
lback != 0) | |
2020 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->init
ial_ctx->tlsext_servername_arg); | |
2021 | |
2022 #ifdef TLSEXT_TYPE_opaque_prf_input | |
2023 if (s->s3->server_opaque_prf_input_len > 0) | |
2024 { | |
2025 /* This case may indicate that we, as a client, want to insist o
n using opaque PRF inputs. | |
2026 * So first verify that we really have a value from the server t
oo. */ | |
2027 | |
2028 if (s->s3->server_opaque_prf_input == NULL) | |
2029 { | |
2030 ret = SSL_TLSEXT_ERR_ALERT_FATAL; | |
2031 al = SSL_AD_HANDSHAKE_FAILURE; | |
2032 } | |
2033 | |
2034 /* Anytime the server *has* sent an opaque PRF input, we need to
check | |
2035 * that we have a client opaque PRF input of the same size. */ | |
2036 if (s->s3->client_opaque_prf_input == NULL || | |
2037 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_p
rf_input_len) | |
2038 { | |
2039 ret = SSL_TLSEXT_ERR_ALERT_FATAL; | |
2040 al = SSL_AD_ILLEGAL_PARAMETER; | |
2041 } | |
2042 } | |
2043 #endif | |
2044 | |
2045 /* If we've requested certificate status and we wont get one | |
2046 * tell the callback | |
2047 */ | |
2048 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) | |
2049 && s->ctx && s->ctx->tlsext_status_cb) | |
2050 { | |
2051 int r; | |
2052 /* Set resp to NULL, resplen to -1 so callback knows | |
2053 * there is no response. | |
2054 */ | |
2055 if (s->tlsext_ocsp_resp) | |
2056 { | |
2057 OPENSSL_free(s->tlsext_ocsp_resp); | |
2058 s->tlsext_ocsp_resp = NULL; | |
2059 } | |
2060 s->tlsext_ocsp_resplen = -1; | |
2061 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); | |
2062 if (r == 0) | |
2063 { | |
2064 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; | |
2065 ret = SSL_TLSEXT_ERR_ALERT_FATAL; | |
2066 } | |
2067 if (r < 0) | |
2068 { | |
2069 al = SSL_AD_INTERNAL_ERROR; | |
2070 ret = SSL_TLSEXT_ERR_ALERT_FATAL; | |
2071 } | |
2072 } | |
2073 | |
2074 switch (ret) | |
2075 { | |
2076 case SSL_TLSEXT_ERR_ALERT_FATAL: | |
2077 ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
2078 return -1; | |
2079 | |
2080 case SSL_TLSEXT_ERR_ALERT_WARNING: | |
2081 ssl3_send_alert(s,SSL3_AL_WARNING,al); | |
2082 return 1; | |
2083 | |
2084 case SSL_TLSEXT_ERR_NOACK: | |
2085 s->servername_done=0; | |
2086 default: | |
2087 return 1; | |
2088 } | |
2089 } | |
2090 | |
2091 /* Since the server cache lookup is done early on in the processing of the | |
2092 * ClientHello, and other operations depend on the result, we need to handle | |
2093 * any TLS session ticket extension at the same time. | |
2094 * | |
2095 * session_id: points at the session ID in the ClientHello. This code will | |
2096 * read past the end of this in order to parse out the session ticket | |
2097 * extension, if any. | |
2098 * len: the length of the session ID. | |
2099 * limit: a pointer to the first byte after the ClientHello. | |
2100 * ret: (output) on return, if a ticket was decrypted, then this is set to | |
2101 * point to the resulting session. | |
2102 * | |
2103 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key | |
2104 * ciphersuite, in which case we have no use for session tickets and one will | |
2105 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. | |
2106 * | |
2107 * Returns: | |
2108 * -1: fatal error, either from parsing or decrypting the ticket. | |
2109 * 0: no ticket was found (or was ignored, based on settings). | |
2110 * 1: a zero length extension was found, indicating that the client supports | |
2111 * session tickets but doesn't currently have one to offer. | |
2112 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but | |
2113 * couldn't be decrypted because of a non-fatal error. | |
2114 * 3: a ticket was successfully decrypted and *ret was set. | |
2115 * | |
2116 * Side effects: | |
2117 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue | |
2118 * a new session ticket to the client because the client indicated support | |
2119 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have | |
2120 * a session ticket or we couldn't use the one it gave us, or if | |
2121 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. | |
2122 * Otherwise, s->tlsext_ticket_expected is set to 0. | |
2123 */ | |
2124 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, | |
2125 const unsigned char *limit, SSL_SESSION **ret) | |
2126 { | |
2127 /* Point after session ID in client hello */ | |
2128 const unsigned char *p = session_id + len; | |
2129 unsigned short i; | |
2130 | |
2131 *ret = NULL; | |
2132 s->tlsext_ticket_expected = 0; | |
2133 | |
2134 /* If tickets disabled behave as if no ticket present | |
2135 * to permit stateful resumption. | |
2136 */ | |
2137 if (SSL_get_options(s) & SSL_OP_NO_TICKET) | |
2138 return 0; | |
2139 if ((s->version <= SSL3_VERSION) || !limit) | |
2140 return 0; | |
2141 if (p >= limit) | |
2142 return -1; | |
2143 /* Skip past DTLS cookie */ | |
2144 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) | |
2145 { | |
2146 i = *(p++); | |
2147 p+= i; | |
2148 if (p >= limit) | |
2149 return -1; | |
2150 } | |
2151 /* Skip past cipher list */ | |
2152 n2s(p, i); | |
2153 p+= i; | |
2154 if (p >= limit) | |
2155 return -1; | |
2156 /* Skip past compression algorithm list */ | |
2157 i = *(p++); | |
2158 p += i; | |
2159 if (p > limit) | |
2160 return -1; | |
2161 /* Now at start of extensions */ | |
2162 if ((p + 2) >= limit) | |
2163 return 0; | |
2164 n2s(p, i); | |
2165 while ((p + 4) <= limit) | |
2166 { | |
2167 unsigned short type, size; | |
2168 n2s(p, type); | |
2169 n2s(p, size); | |
2170 if (p + size > limit) | |
2171 return 0; | |
2172 if (type == TLSEXT_TYPE_session_ticket) | |
2173 { | |
2174 int r; | |
2175 if (size == 0) | |
2176 { | |
2177 /* The client will accept a ticket but doesn't | |
2178 * currently have one. */ | |
2179 s->tlsext_ticket_expected = 1; | |
2180 return 1; | |
2181 } | |
2182 if (s->tls_session_secret_cb) | |
2183 { | |
2184 /* Indicate that the ticket couldn't be | |
2185 * decrypted rather than generating the session | |
2186 * from ticket now, trigger abbreviated | |
2187 * handshake based on external mechanism to | |
2188 * calculate the master secret later. */ | |
2189 return 2; | |
2190 } | |
2191 r = tls_decrypt_ticket(s, p, size, session_id, len, ret)
; | |
2192 switch (r) | |
2193 { | |
2194 case 2: /* ticket couldn't be decrypted */ | |
2195 s->tlsext_ticket_expected = 1; | |
2196 return 2; | |
2197 case 3: /* ticket was decrypted */ | |
2198 return r; | |
2199 case 4: /* ticket decrypted but need to renew */ | |
2200 s->tlsext_ticket_expected = 1; | |
2201 return 3; | |
2202 default: /* fatal error */ | |
2203 return -1; | |
2204 } | |
2205 } | |
2206 p += size; | |
2207 } | |
2208 return 0; | |
2209 } | |
2210 | |
2211 /* tls_decrypt_ticket attempts to decrypt a session ticket. | |
2212 * | |
2213 * etick: points to the body of the session ticket extension. | |
2214 * eticklen: the length of the session tickets extenion. | |
2215 * sess_id: points at the session ID. | |
2216 * sesslen: the length of the session ID. | |
2217 * psess: (output) on return, if a ticket was decrypted, then this is set to | |
2218 * point to the resulting session. | |
2219 * | |
2220 * Returns: | |
2221 * -1: fatal error, either from parsing or decrypting the ticket. | |
2222 * 2: the ticket couldn't be decrypted. | |
2223 * 3: a ticket was successfully decrypted and *psess was set. | |
2224 * 4: same as 3, but the ticket needs to be renewed. | |
2225 */ | |
2226 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, | |
2227 const unsigned char *sess_id, int sesslen, | |
2228 SSL_SESSION **psess) | |
2229 { | |
2230 SSL_SESSION *sess; | |
2231 unsigned char *sdec; | |
2232 const unsigned char *p; | |
2233 int slen, mlen, renew_ticket = 0; | |
2234 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; | |
2235 HMAC_CTX hctx; | |
2236 EVP_CIPHER_CTX ctx; | |
2237 SSL_CTX *tctx = s->initial_ctx; | |
2238 /* Need at least keyname + iv + some encrypted data */ | |
2239 if (eticklen < 48) | |
2240 return 2; | |
2241 /* Initialize session ticket encryption and HMAC contexts */ | |
2242 HMAC_CTX_init(&hctx); | |
2243 EVP_CIPHER_CTX_init(&ctx); | |
2244 if (tctx->tlsext_ticket_key_cb) | |
2245 { | |
2246 unsigned char *nctick = (unsigned char *)etick; | |
2247 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, | |
2248 &ctx, &hctx, 0); | |
2249 if (rv < 0) | |
2250 return -1; | |
2251 if (rv == 0) | |
2252 return 2; | |
2253 if (rv == 2) | |
2254 renew_ticket = 1; | |
2255 } | |
2256 else | |
2257 { | |
2258 /* Check key name matches */ | |
2259 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) | |
2260 return 2; | |
2261 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, | |
2262 tlsext_tick_md(), NULL); | |
2263 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, | |
2264 tctx->tlsext_tick_aes_key, etick + 16); | |
2265 } | |
2266 /* Attempt to process session ticket, first conduct sanity and | |
2267 * integrity checks on ticket. | |
2268 */ | |
2269 mlen = HMAC_size(&hctx); | |
2270 if (mlen < 0) | |
2271 { | |
2272 EVP_CIPHER_CTX_cleanup(&ctx); | |
2273 return -1; | |
2274 } | |
2275 eticklen -= mlen; | |
2276 /* Check HMAC of encrypted ticket */ | |
2277 HMAC_Update(&hctx, etick, eticklen); | |
2278 HMAC_Final(&hctx, tick_hmac, NULL); | |
2279 HMAC_CTX_cleanup(&hctx); | |
2280 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) | |
2281 return 2; | |
2282 /* Attempt to decrypt session data */ | |
2283 /* Move p after IV to start of encrypted ticket, update length */ | |
2284 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); | |
2285 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); | |
2286 sdec = OPENSSL_malloc(eticklen); | |
2287 if (!sdec) | |
2288 { | |
2289 EVP_CIPHER_CTX_cleanup(&ctx); | |
2290 return -1; | |
2291 } | |
2292 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); | |
2293 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) | |
2294 return 2; | |
2295 slen += mlen; | |
2296 EVP_CIPHER_CTX_cleanup(&ctx); | |
2297 p = sdec; | |
2298 | |
2299 sess = d2i_SSL_SESSION(NULL, &p, slen); | |
2300 OPENSSL_free(sdec); | |
2301 if (sess) | |
2302 { | |
2303 /* The session ID, if non-empty, is used by some clients to | |
2304 * detect that the ticket has been accepted. So we copy it to | |
2305 * the session structure. If it is empty set length to zero | |
2306 * as required by standard. | |
2307 */ | |
2308 if (sesslen) | |
2309 memcpy(sess->session_id, sess_id, sesslen); | |
2310 sess->session_id_length = sesslen; | |
2311 *psess = sess; | |
2312 if (renew_ticket) | |
2313 return 4; | |
2314 else | |
2315 return 3; | |
2316 } | |
2317 ERR_clear_error(); | |
2318 /* For session parse failure, indicate that we need to send a new | |
2319 * ticket. */ | |
2320 return 2; | |
2321 } | |
2322 | |
2323 /* Tables to translate from NIDs to TLS v1.2 ids */ | |
2324 | |
2325 typedef struct | |
2326 { | |
2327 int nid; | |
2328 int id; | |
2329 } tls12_lookup; | |
2330 | |
2331 static tls12_lookup tls12_md[] = { | |
2332 #ifndef OPENSSL_NO_MD5 | |
2333 {NID_md5, TLSEXT_hash_md5}, | |
2334 #endif | |
2335 #ifndef OPENSSL_NO_SHA | |
2336 {NID_sha1, TLSEXT_hash_sha1}, | |
2337 #endif | |
2338 #ifndef OPENSSL_NO_SHA256 | |
2339 {NID_sha224, TLSEXT_hash_sha224}, | |
2340 {NID_sha256, TLSEXT_hash_sha256}, | |
2341 #endif | |
2342 #ifndef OPENSSL_NO_SHA512 | |
2343 {NID_sha384, TLSEXT_hash_sha384}, | |
2344 {NID_sha512, TLSEXT_hash_sha512} | |
2345 #endif | |
2346 }; | |
2347 | |
2348 static tls12_lookup tls12_sig[] = { | |
2349 #ifndef OPENSSL_NO_RSA | |
2350 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, | |
2351 #endif | |
2352 #ifndef OPENSSL_NO_DSA | |
2353 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, | |
2354 #endif | |
2355 #ifndef OPENSSL_NO_ECDSA | |
2356 {EVP_PKEY_EC, TLSEXT_signature_ecdsa} | |
2357 #endif | |
2358 }; | |
2359 | |
2360 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) | |
2361 { | |
2362 size_t i; | |
2363 for (i = 0; i < tlen; i++) | |
2364 { | |
2365 if (table[i].nid == nid) | |
2366 return table[i].id; | |
2367 } | |
2368 return -1; | |
2369 } | |
2370 #if 0 | |
2371 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) | |
2372 { | |
2373 size_t i; | |
2374 for (i = 0; i < tlen; i++) | |
2375 { | |
2376 if (table[i].id == id) | |
2377 return table[i].nid; | |
2378 } | |
2379 return -1; | |
2380 } | |
2381 #endif | |
2382 | |
2383 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) | |
2384 { | |
2385 int sig_id, md_id; | |
2386 if (!md) | |
2387 return 0; | |
2388 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, | |
2389 sizeof(tls12_md)/sizeof(tls12_lookup)); | |
2390 if (md_id == -1) | |
2391 return 0; | |
2392 sig_id = tls12_get_sigid(pk); | |
2393 if (sig_id == -1) | |
2394 return 0; | |
2395 p[0] = (unsigned char)md_id; | |
2396 p[1] = (unsigned char)sig_id; | |
2397 return 1; | |
2398 } | |
2399 | |
2400 int tls12_get_sigid(const EVP_PKEY *pk) | |
2401 { | |
2402 return tls12_find_id(pk->type, tls12_sig, | |
2403 sizeof(tls12_sig)/sizeof(tls12_lookup)); | |
2404 } | |
2405 | |
2406 const EVP_MD *tls12_get_hash(unsigned char hash_alg) | |
2407 { | |
2408 switch(hash_alg) | |
2409 { | |
2410 #ifndef OPENSSL_NO_MD5 | |
2411 case TLSEXT_hash_md5: | |
2412 #ifdef OPENSSL_FIPS | |
2413 if (FIPS_mode()) | |
2414 return NULL; | |
2415 #endif | |
2416 return EVP_md5(); | |
2417 #endif | |
2418 #ifndef OPENSSL_NO_SHA | |
2419 case TLSEXT_hash_sha1: | |
2420 return EVP_sha1(); | |
2421 #endif | |
2422 #ifndef OPENSSL_NO_SHA256 | |
2423 case TLSEXT_hash_sha224: | |
2424 return EVP_sha224(); | |
2425 | |
2426 case TLSEXT_hash_sha256: | |
2427 return EVP_sha256(); | |
2428 #endif | |
2429 #ifndef OPENSSL_NO_SHA512 | |
2430 case TLSEXT_hash_sha384: | |
2431 return EVP_sha384(); | |
2432 | |
2433 case TLSEXT_hash_sha512: | |
2434 return EVP_sha512(); | |
2435 #endif | |
2436 default: | |
2437 return NULL; | |
2438 | |
2439 } | |
2440 } | |
2441 | |
2442 /* Set preferred digest for each key type */ | |
2443 | |
2444 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) | |
2445 { | |
2446 int i, idx; | |
2447 const EVP_MD *md; | |
2448 CERT *c = s->cert; | |
2449 /* Extension ignored for TLS versions below 1.2 */ | |
2450 if (TLS1_get_version(s) < TLS1_2_VERSION) | |
2451 return 1; | |
2452 /* Should never happen */ | |
2453 if (!c) | |
2454 return 0; | |
2455 | |
2456 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; | |
2457 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; | |
2458 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; | |
2459 c->pkeys[SSL_PKEY_ECC].digest = NULL; | |
2460 | |
2461 for (i = 0; i < dsize; i += 2) | |
2462 { | |
2463 unsigned char hash_alg = data[i], sig_alg = data[i+1]; | |
2464 | |
2465 switch(sig_alg) | |
2466 { | |
2467 #ifndef OPENSSL_NO_RSA | |
2468 case TLSEXT_signature_rsa: | |
2469 idx = SSL_PKEY_RSA_SIGN; | |
2470 break; | |
2471 #endif | |
2472 #ifndef OPENSSL_NO_DSA | |
2473 case TLSEXT_signature_dsa: | |
2474 idx = SSL_PKEY_DSA_SIGN; | |
2475 break; | |
2476 #endif | |
2477 #ifndef OPENSSL_NO_ECDSA | |
2478 case TLSEXT_signature_ecdsa: | |
2479 idx = SSL_PKEY_ECC; | |
2480 break; | |
2481 #endif | |
2482 default: | |
2483 continue; | |
2484 } | |
2485 | |
2486 if (c->pkeys[idx].digest == NULL) | |
2487 { | |
2488 md = tls12_get_hash(hash_alg); | |
2489 if (md) | |
2490 { | |
2491 c->pkeys[idx].digest = md; | |
2492 if (idx == SSL_PKEY_RSA_SIGN) | |
2493 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; | |
2494 } | |
2495 } | |
2496 | |
2497 } | |
2498 | |
2499 | |
2500 /* Set any remaining keys to default values. NOTE: if alg is not | |
2501 * supported it stays as NULL. | |
2502 */ | |
2503 #ifndef OPENSSL_NO_DSA | |
2504 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) | |
2505 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); | |
2506 #endif | |
2507 #ifndef OPENSSL_NO_RSA | |
2508 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) | |
2509 { | |
2510 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); | |
2511 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); | |
2512 } | |
2513 #endif | |
2514 #ifndef OPENSSL_NO_ECDSA | |
2515 if (!c->pkeys[SSL_PKEY_ECC].digest) | |
2516 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); | |
2517 #endif | |
2518 return 1; | |
2519 } | |
2520 | |
2521 #endif | |
2522 | |
2523 #ifndef OPENSSL_NO_HEARTBEATS | |
2524 int | |
2525 tls1_process_heartbeat(SSL *s) | |
2526 { | |
2527 unsigned char *p = &s->s3->rrec.data[0], *pl; | |
2528 unsigned short hbtype; | |
2529 unsigned int payload; | |
2530 unsigned int padding = 16; /* Use minimum padding */ | |
2531 | |
2532 /* Read type and payload length first */ | |
2533 hbtype = *p++; | |
2534 n2s(p, payload); | |
2535 pl = p; | |
2536 | |
2537 if (s->msg_callback) | |
2538 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, | |
2539 &s->s3->rrec.data[0], s->s3->rrec.length, | |
2540 s, s->msg_callback_arg); | |
2541 | |
2542 if (hbtype == TLS1_HB_REQUEST) | |
2543 { | |
2544 unsigned char *buffer, *bp; | |
2545 int r; | |
2546 | |
2547 /* Allocate memory for the response, size is 1 bytes | |
2548 * message type, plus 2 bytes payload length, plus | |
2549 * payload, plus padding | |
2550 */ | |
2551 buffer = OPENSSL_malloc(1 + 2 + payload + padding); | |
2552 bp = buffer; | |
2553 | |
2554 /* Enter response type, length and copy payload */ | |
2555 *bp++ = TLS1_HB_RESPONSE; | |
2556 s2n(payload, bp); | |
2557 memcpy(bp, pl, payload); | |
2558 bp += payload; | |
2559 /* Random padding */ | |
2560 RAND_pseudo_bytes(bp, padding); | |
2561 | |
2562 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload +
padding); | |
2563 | |
2564 if (r >= 0 && s->msg_callback) | |
2565 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, | |
2566 buffer, 3 + payload + padding, | |
2567 s, s->msg_callback_arg); | |
2568 | |
2569 OPENSSL_free(buffer); | |
2570 | |
2571 if (r < 0) | |
2572 return r; | |
2573 } | |
2574 else if (hbtype == TLS1_HB_RESPONSE) | |
2575 { | |
2576 unsigned int seq; | |
2577 | |
2578 /* We only send sequence numbers (2 bytes unsigned int), | |
2579 * and 16 random bytes, so we just try to read the | |
2580 * sequence number */ | |
2581 n2s(pl, seq); | |
2582 | |
2583 if (payload == 18 && seq == s->tlsext_hb_seq) | |
2584 { | |
2585 s->tlsext_hb_seq++; | |
2586 s->tlsext_hb_pending = 0; | |
2587 } | |
2588 } | |
2589 | |
2590 return 0; | |
2591 } | |
2592 | |
2593 int | |
2594 tls1_heartbeat(SSL *s) | |
2595 { | |
2596 unsigned char *buf, *p; | |
2597 int ret; | |
2598 unsigned int payload = 18; /* Sequence number + random bytes */ | |
2599 unsigned int padding = 16; /* Use minimum padding */ | |
2600 | |
2601 /* Only send if peer supports and accepts HB requests... */ | |
2602 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || | |
2603 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) | |
2604 { | |
2605 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCE
PT); | |
2606 return -1; | |
2607 } | |
2608 | |
2609 /* ...and there is none in flight yet... */ | |
2610 if (s->tlsext_hb_pending) | |
2611 { | |
2612 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING); | |
2613 return -1; | |
2614 } | |
2615 | |
2616 /* ...and no handshake in progress. */ | |
2617 if (SSL_in_init(s) || s->in_handshake) | |
2618 { | |
2619 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE); | |
2620 return -1; | |
2621 } | |
2622 | |
2623 /* Check if padding is too long, payload and padding | |
2624 * must not exceed 2^14 - 3 = 16381 bytes in total. | |
2625 */ | |
2626 OPENSSL_assert(payload + padding <= 16381); | |
2627 | |
2628 /* Create HeartBeat message, we just use a sequence number | |
2629 * as payload to distuingish different messages and add | |
2630 * some random stuff. | |
2631 * - Message Type, 1 byte | |
2632 * - Payload Length, 2 bytes (unsigned int) | |
2633 * - Payload, the sequence number (2 bytes uint) | |
2634 * - Payload, random bytes (16 bytes uint) | |
2635 * - Padding | |
2636 */ | |
2637 buf = OPENSSL_malloc(1 + 2 + payload + padding); | |
2638 p = buf; | |
2639 /* Message Type */ | |
2640 *p++ = TLS1_HB_REQUEST; | |
2641 /* Payload length (18 bytes here) */ | |
2642 s2n(payload, p); | |
2643 /* Sequence number */ | |
2644 s2n(s->tlsext_hb_seq, p); | |
2645 /* 16 random bytes */ | |
2646 RAND_pseudo_bytes(p, 16); | |
2647 p += 16; | |
2648 /* Random padding */ | |
2649 RAND_pseudo_bytes(p, padding); | |
2650 | |
2651 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding)
; | |
2652 if (ret >= 0) | |
2653 { | |
2654 if (s->msg_callback) | |
2655 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, | |
2656 buf, 3 + payload + padding, | |
2657 s, s->msg_callback_arg); | |
2658 | |
2659 s->tlsext_hb_pending = 1; | |
2660 } | |
2661 | |
2662 OPENSSL_free(buf); | |
2663 | |
2664 return ret; | |
2665 } | |
2666 #endif | |
2667 | |
2668 #if !defined(OPENSSL_NO_TLSEXT) | |
2669 /* tls1_channel_id_hash calculates the signed data for a Channel ID on the given | |
2670 * SSL connection and writes it to |md|. | |
2671 */ | |
2672 int | |
2673 tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s) | |
2674 { | |
2675 EVP_MD_CTX ctx; | |
2676 unsigned char temp_digest[EVP_MAX_MD_SIZE]; | |
2677 unsigned temp_digest_len; | |
2678 int i; | |
2679 static const char kClientIDMagic[] = "TLS Channel ID signature"; | |
2680 | |
2681 if (s->s3->handshake_buffer) | |
2682 if (!ssl3_digest_cached_records(s)) | |
2683 return 0; | |
2684 | |
2685 EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic)); | |
2686 | |
2687 if (s->hit) | |
2688 { | |
2689 static const char kResumptionMagic[] = "Resumption"; | |
2690 EVP_DigestUpdate(md, kResumptionMagic, | |
2691 sizeof(kResumptionMagic)); | |
2692 if (s->session->original_handshake_hash_len == 0) | |
2693 return 0; | |
2694 EVP_DigestUpdate(md, s->session->original_handshake_hash, | |
2695 s->session->original_handshake_hash_len); | |
2696 } | |
2697 | |
2698 EVP_MD_CTX_init(&ctx); | |
2699 for (i = 0; i < SSL_MAX_DIGEST; i++) | |
2700 { | |
2701 if (s->s3->handshake_dgst[i] == NULL) | |
2702 continue; | |
2703 EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]); | |
2704 EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len); | |
2705 EVP_DigestUpdate(md, temp_digest, temp_digest_len); | |
2706 } | |
2707 EVP_MD_CTX_cleanup(&ctx); | |
2708 | |
2709 return 1; | |
2710 } | |
2711 #endif | |
2712 | |
2713 /* tls1_record_handshake_hashes_for_channel_id records the current handshake | |
2714 * hashes in |s->session| so that Channel ID resumptions can sign that data. */ | |
2715 int tls1_record_handshake_hashes_for_channel_id(SSL *s) | |
2716 { | |
2717 int digest_len; | |
2718 /* This function should never be called for a resumed session because | |
2719 * the handshake hashes that we wish to record are for the original, | |
2720 * full handshake. */ | |
2721 if (s->hit) | |
2722 return -1; | |
2723 /* It only makes sense to call this function if Channel IDs have been | |
2724 * negotiated. */ | |
2725 if (!s->s3->tlsext_channel_id_valid) | |
2726 return -1; | |
2727 | |
2728 digest_len = tls1_handshake_digest( | |
2729 s, s->session->original_handshake_hash, | |
2730 sizeof(s->session->original_handshake_hash)); | |
2731 if (digest_len < 0) | |
2732 return -1; | |
2733 | |
2734 s->session->original_handshake_hash_len = digest_len; | |
2735 | |
2736 return 1; | |
2737 } | |
OLD | NEW |