projects / dragonfly.git / blob
? search:


b225bb3c8761a75da035ba398b9d739105c5483a
[dragonfly.git] / crypto / libressl / ssl / t1_lib.c
1 /* $OpenBSD: t1_lib.c,v 1.86 2016/03/10 23:21:46 mmcc Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
118
119 #include "ssl_locl.h"
120 #include "bytestring.h"
121
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123     const unsigned char *sess_id, int sesslen,
124     SSL_SESSION **psess);
125
126 SSL3_ENC_METHOD TLSv1_enc_data = {
127         .enc = tls1_enc,
128         .mac = tls1_mac,
129         .setup_key_block = tls1_setup_key_block,
130         .generate_master_secret = tls1_generate_master_secret,
131         .change_cipher_state = tls1_change_cipher_state,
132         .final_finish_mac = tls1_final_finish_mac,
133         .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
134         .cert_verify_mac = tls1_cert_verify_mac,
135         .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
136         .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
137         .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
138         .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
139         .alert_value = tls1_alert_code,
140         .export_keying_material = tls1_export_keying_material,
141         .enc_flags = 0,
142 };
143
144 SSL3_ENC_METHOD TLSv1_1_enc_data = {
145         .enc = tls1_enc,
146         .mac = tls1_mac,
147         .setup_key_block = tls1_setup_key_block,
148         .generate_master_secret = tls1_generate_master_secret,
149         .change_cipher_state = tls1_change_cipher_state,
150         .final_finish_mac = tls1_final_finish_mac,
151         .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
152         .cert_verify_mac = tls1_cert_verify_mac,
153         .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
154         .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
155         .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
156         .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
157         .alert_value = tls1_alert_code,
158         .export_keying_material = tls1_export_keying_material,
159         .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV,
160 };
161
162 SSL3_ENC_METHOD TLSv1_2_enc_data = {
163         .enc = tls1_enc,
164         .mac = tls1_mac,
165         .setup_key_block = tls1_setup_key_block,
166         .generate_master_secret = tls1_generate_master_secret,
167         .change_cipher_state = tls1_change_cipher_state,
168         .final_finish_mac = tls1_final_finish_mac,
169         .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
170         .cert_verify_mac = tls1_cert_verify_mac,
171         .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
172         .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
173         .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
174         .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
175         .alert_value = tls1_alert_code,
176         .export_keying_material = tls1_export_keying_material,
177         .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|
178             SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS,
179 };
180
181 long
182 tls1_default_timeout(void)
183 {
184         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
185          * is way too long for http, the cache would over fill */
186         return (60 * 60 * 2);
187 }
188
189 int
190 tls1_new(SSL *s)
191 {
192         if (!ssl3_new(s))
193                 return (0);
194         s->method->ssl_clear(s);
195         return (1);
196 }
197
198 void
199 tls1_free(SSL *s)
200 {
201         if (s == NULL)
202                 return;
203
204         free(s->tlsext_session_ticket);
205         ssl3_free(s);
206 }
207
208 void
209 tls1_clear(SSL *s)
210 {
211         ssl3_clear(s);
212         s->version = s->method->version;
213 }
214
215
216 static int nid_list[] = {
217         NID_sect163k1,          /* sect163k1 (1) */
218         NID_sect163r1,          /* sect163r1 (2) */
219         NID_sect163r2,          /* sect163r2 (3) */
220         NID_sect193r1,          /* sect193r1 (4) */
221         NID_sect193r2,          /* sect193r2 (5) */
222         NID_sect233k1,          /* sect233k1 (6) */
223         NID_sect233r1,          /* sect233r1 (7) */
224         NID_sect239k1,          /* sect239k1 (8) */
225         NID_sect283k1,          /* sect283k1 (9) */
226         NID_sect283r1,          /* sect283r1 (10) */
227         NID_sect409k1,          /* sect409k1 (11) */
228         NID_sect409r1,          /* sect409r1 (12) */
229         NID_sect571k1,          /* sect571k1 (13) */
230         NID_sect571r1,          /* sect571r1 (14) */
231         NID_secp160k1,          /* secp160k1 (15) */
232         NID_secp160r1,          /* secp160r1 (16) */
233         NID_secp160r2,          /* secp160r2 (17) */
234         NID_secp192k1,          /* secp192k1 (18) */
235         NID_X9_62_prime192v1,   /* secp192r1 (19) */
236         NID_secp224k1,          /* secp224k1 (20) */
237         NID_secp224r1,          /* secp224r1 (21) */
238         NID_secp256k1,          /* secp256k1 (22) */
239         NID_X9_62_prime256v1,   /* secp256r1 (23) */
240         NID_secp384r1,          /* secp384r1 (24) */
241         NID_secp521r1,          /* secp521r1 (25) */
242         NID_brainpoolP256r1,    /* brainpoolP256r1 (26) */
243         NID_brainpoolP384r1,    /* brainpoolP384r1 (27) */
244         NID_brainpoolP512r1     /* brainpoolP512r1 (28) */
245 };
246
247 static const uint8_t ecformats_default[] = {
248         TLSEXT_ECPOINTFORMAT_uncompressed,
249         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
250         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
251 };
252
253 static const uint16_t eccurves_default[] = {
254         14,                     /* sect571r1 (14) */
255         13,                     /* sect571k1 (13) */
256         25,                     /* secp521r1 (25) */
257         28,                     /* brainpool512r1 (28) */
258         11,                     /* sect409k1 (11) */
259         12,                     /* sect409r1 (12) */
260         27,                     /* brainpoolP384r1 (27) */
261         24,                     /* secp384r1 (24) */
262         9,                      /* sect283k1 (9) */
263         10,                     /* sect283r1 (10) */
264         26,                     /* brainpoolP256r1 (26) */
265         22,                     /* secp256k1 (22) */
266         23,                     /* secp256r1 (23) */
267         8,                      /* sect239k1 (8) */
268         6,                      /* sect233k1 (6) */
269         7,                      /* sect233r1 (7) */
270         20,                     /* secp224k1 (20) */
271         21,                     /* secp224r1 (21) */
272         4,                      /* sect193r1 (4) */
273         5,                      /* sect193r2 (5) */
274         18,                     /* secp192k1 (18) */
275         19,                     /* secp192r1 (19) */
276         1,                      /* sect163k1 (1) */
277         2,                      /* sect163r1 (2) */
278         3,                      /* sect163r2 (3) */
279         15,                     /* secp160k1 (15) */
280         16,                     /* secp160r1 (16) */
281         17,                     /* secp160r2 (17) */
282 };
283
284 int
285 tls1_ec_curve_id2nid(uint16_t curve_id)
286 {
287         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
288         if ((curve_id < 1) ||
289             ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0])))
290                 return 0;
291         return nid_list[curve_id - 1];
292 }
293
294 uint16_t
295 tls1_ec_nid2curve_id(int nid)
296 {
297         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
298         switch (nid) {
299         case NID_sect163k1: /* sect163k1 (1) */
300                 return 1;
301         case NID_sect163r1: /* sect163r1 (2) */
302                 return 2;
303         case NID_sect163r2: /* sect163r2 (3) */
304                 return 3;
305         case NID_sect193r1: /* sect193r1 (4) */
306                 return 4;
307         case NID_sect193r2: /* sect193r2 (5) */
308                 return 5;
309         case NID_sect233k1: /* sect233k1 (6) */
310                 return 6;
311         case NID_sect233r1: /* sect233r1 (7) */
312                 return 7;
313         case NID_sect239k1: /* sect239k1 (8) */
314                 return 8;
315         case NID_sect283k1: /* sect283k1 (9) */
316                 return 9;
317         case NID_sect283r1: /* sect283r1 (10) */
318                 return 10;
319         case NID_sect409k1: /* sect409k1 (11) */
320                 return 11;
321         case NID_sect409r1: /* sect409r1 (12) */
322                 return 12;
323         case NID_sect571k1: /* sect571k1 (13) */
324                 return 13;
325         case NID_sect571r1: /* sect571r1 (14) */
326                 return 14;
327         case NID_secp160k1: /* secp160k1 (15) */
328                 return 15;
329         case NID_secp160r1: /* secp160r1 (16) */
330                 return 16;
331         case NID_secp160r2: /* secp160r2 (17) */
332                 return 17;
333         case NID_secp192k1: /* secp192k1 (18) */
334                 return 18;
335         case NID_X9_62_prime192v1: /* secp192r1 (19) */
336                 return 19;
337         case NID_secp224k1: /* secp224k1 (20) */
338                 return 20;
339         case NID_secp224r1: /* secp224r1 (21) */
340                 return 21;
341         case NID_secp256k1: /* secp256k1 (22) */
342                 return 22;
343         case NID_X9_62_prime256v1: /* secp256r1 (23) */
344                 return 23;
345         case NID_secp384r1: /* secp384r1 (24) */
346                 return 24;
347         case NID_secp521r1: /* secp521r1 (25) */
348                 return 25;
349         case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
350                 return 26;
351         case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
352                 return 27;
353         case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */
354                 return 28;
355         default:
356                 return 0;
357         }
358 }
359
360 /*
361  * Return the appropriate format list. If client_formats is non-zero, return
362  * the client/session formats. Otherwise return the custom format list if one
363  * exists, or the default formats if a custom list has not been specified.
364  */
365 static void
366 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
367     size_t *pformatslen)
368 {
369         if (client_formats != 0) {
370                 *pformats = s->session->tlsext_ecpointformatlist;
371                 *pformatslen = s->session->tlsext_ecpointformatlist_length;
372                 return;
373         }
374
375         *pformats = s->tlsext_ecpointformatlist;
376         *pformatslen = s->tlsext_ecpointformatlist_length;
377         if (*pformats == NULL) {
378                 *pformats = ecformats_default;
379                 *pformatslen = sizeof(ecformats_default);
380         }
381 }
382
383 /*
384  * Return the appropriate curve list. If client_curves is non-zero, return
385  * the client/session curves. Otherwise return the custom curve list if one
386  * exists, or the default curves if a custom list has not been specified.
387  */
388 static void
389 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves,
390     size_t *pcurveslen)
391 {
392         if (client_curves != 0) {
393                 *pcurves = s->session->tlsext_ellipticcurvelist;
394                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
395                 return;
396         }
397
398         *pcurves = s->tlsext_ellipticcurvelist;
399         *pcurveslen = s->tlsext_ellipticcurvelist_length;
400         if (*pcurves == NULL) {
401                 *pcurves = eccurves_default;
402                 *pcurveslen = sizeof(eccurves_default) / 2;
403         }
404 }
405
406 /* Check that a curve is one of our preferences. */
407 int
408 tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
409 {
410         CBS cbs;
411         const uint16_t *curves;
412         size_t curveslen, i;
413         uint8_t type;
414         uint16_t cid;
415
416         CBS_init(&cbs, p, len);
417
418         /* Only named curves are supported. */
419         if (CBS_len(&cbs) != 3 ||
420             !CBS_get_u8(&cbs, &type) ||
421             type != NAMED_CURVE_TYPE ||
422             !CBS_get_u16(&cbs, &cid))
423                 return (0);
424
425         tls1_get_curvelist(s, 0, &curves, &curveslen);
426
427         for (i = 0; i < curveslen; i++) {
428                 if (curves[i] == cid)
429                         return (1);
430         }
431         return (0);
432 }
433
434 int
435 tls1_get_shared_curve(SSL *s)
436 {
437         size_t preflen, supplen, i, j;
438         const uint16_t *pref, *supp;
439         unsigned long server_pref;
440
441         /* Cannot do anything on the client side. */
442         if (s->server == 0)
443                 return (NID_undef);
444
445         /* Return first preference shared curve. */
446         server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
447         tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen);
448         tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen);
449
450         for (i = 0; i < preflen; i++) {
451                 for (j = 0; j < supplen; j++) {
452                         if (pref[i] == supp[j])
453                                 return (tls1_ec_curve_id2nid(pref[i]));
454                 }
455         }
456         return (NID_undef);
457 }
458
459 /* For an EC key set TLS ID and required compression based on parameters. */
460 static int
461 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
462 {
463         const EC_GROUP *grp;
464         const EC_METHOD *meth;
465         int is_prime = 0;
466         int nid, id;
467
468         if (ec == NULL)
469                 return (0);
470
471         /* Determine if it is a prime field. */
472         if ((grp = EC_KEY_get0_group(ec)) == NULL)
473                 return (0);
474         if ((meth = EC_GROUP_method_of(grp)) == NULL)
475                 return (0);
476         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
477                 is_prime = 1;
478
479         /* Determine curve ID. */
480         nid = EC_GROUP_get_curve_name(grp);
481         id = tls1_ec_nid2curve_id(nid);
482
483         /* If we have an ID set it, otherwise set arbitrary explicit curve. */
484         if (id != 0)
485                 *curve_id = id;
486         else
487                 *curve_id = is_prime ? 0xff01 : 0xff02;
488
489         /* Specify the compression identifier. */
490         if (comp_id != NULL) {
491                 if (EC_KEY_get0_public_key(ec) == NULL)
492                         return (0);
493
494                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
495                         *comp_id = is_prime ?
496                             TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime :
497                             TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
498                 } else {
499                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
500                 }
501         }
502         return (1);
503 }
504
505 /* Check that an EC key is compatible with extensions. */
506 static int
507 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
508 {
509         size_t curveslen, formatslen, i;
510         const uint16_t *curves;
511         const uint8_t *formats;
512
513         /*
514          * Check point formats extension if present, otherwise everything
515          * is supported (see RFC4492).
516          */
517         tls1_get_formatlist(s, 1, &formats, &formatslen);
518         if (comp_id != NULL && formats != NULL) {
519                 for (i = 0; i < formatslen; i++) {
520                         if (formats[i] == *comp_id)
521                                 break;
522                 }
523                 if (i == formatslen)
524                         return (0);
525         }
526
527         /*
528          * Check curve list if present, otherwise everything is supported.
529          */
530         tls1_get_curvelist(s, 1, &curves, &curveslen);
531         if (curve_id != NULL && curves != NULL) {
532                 for (i = 0; i < curveslen; i++) {
533                         if (curves[i] == *curve_id)
534                                 break;
535                 }
536                 if (i == curveslen)
537                         return (0);
538         }
539
540         return (1);
541 }
542
543 /* Check EC server key is compatible with client extensions. */
544 int
545 tls1_check_ec_server_key(SSL *s)
546 {
547         CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
548         uint16_t curve_id;
549         uint8_t comp_id;
550         EVP_PKEY *pkey;
551         int rv;
552
553         if (cpk->x509 == NULL || cpk->privatekey == NULL)
554                 return (0);
555         if ((pkey = X509_get_pubkey(cpk->x509)) == NULL)
556                 return (0);
557         rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec);
558         EVP_PKEY_free(pkey);
559         if (rv != 1)
560                 return (0);
561
562         return tls1_check_ec_key(s, &curve_id, &comp_id);
563 }
564
565 /* Check EC temporary key is compatible with client extensions. */
566 int
567 tls1_check_ec_tmp_key(SSL *s)
568 {
569         EC_KEY *ec = s->cert->ecdh_tmp;
570         uint16_t curve_id;
571
572         if (s->cert->ecdh_tmp_auto != 0) {
573                 /* Need a shared curve. */
574                 if (tls1_get_shared_curve(s) != NID_undef)
575                         return (1);
576                 return (0);
577         }
578
579         if (ec == NULL) {
580                 if (s->cert->ecdh_tmp_cb != NULL)
581                         return (1);
582                 return (0);
583         }
584         if (tls1_set_ec_id(&curve_id, NULL, ec) != 1)
585                 return (0);
586
587         return tls1_check_ec_key(s, &curve_id, NULL);
588 }
589
590 /*
591  * List of supported signature algorithms and hashes. Should make this
592  * customisable at some point, for now include everything we support.
593  */
594
595 static unsigned char tls12_sigalgs[] = {
596         TLSEXT_hash_sha512, TLSEXT_signature_rsa,
597         TLSEXT_hash_sha512, TLSEXT_signature_dsa,
598         TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
599 #ifndef OPENSSL_NO_GOST
600         TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512,
601 #endif
602
603         TLSEXT_hash_sha384, TLSEXT_signature_rsa,
604         TLSEXT_hash_sha384, TLSEXT_signature_dsa,
605         TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
606
607         TLSEXT_hash_sha256, TLSEXT_signature_rsa,
608         TLSEXT_hash_sha256, TLSEXT_signature_dsa,
609         TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
610
611 #ifndef OPENSSL_NO_GOST
612         TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256,
613         TLSEXT_hash_gost94, TLSEXT_signature_gostr01,
614 #endif
615
616         TLSEXT_hash_sha224, TLSEXT_signature_rsa,
617         TLSEXT_hash_sha224, TLSEXT_signature_dsa,
618         TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
619
620         TLSEXT_hash_sha1, TLSEXT_signature_rsa,
621         TLSEXT_hash_sha1, TLSEXT_signature_dsa,
622         TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
623 };
624
625 int
626 tls12_get_req_sig_algs(SSL *s, unsigned char *p)
627 {
628         size_t slen = sizeof(tls12_sigalgs);
629
630         if (p)
631                 memcpy(p, tls12_sigalgs, slen);
632         return (int)slen;
633 }
634
635 unsigned char *
636 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
637 {
638         int extdatalen = 0;
639         unsigned char *ret = p;
640         int using_ecc = 0;
641
642         /* See if we support any ECC ciphersuites. */
643         if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) {
644                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
645                 unsigned long alg_k, alg_a;
646                 int i;
647
648                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
649                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
650
651                         alg_k = c->algorithm_mkey;
652                         alg_a = c->algorithm_auth;
653
654                         if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
655                             (alg_a & SSL_aECDSA))) {
656                                 using_ecc = 1;
657                                 break;
658                         }
659                 }
660         }
661
662         ret += 2;
663
664         if (ret >= limit)
665                 return NULL; /* this really never occurs, but ... */
666
667         if (s->tlsext_hostname != NULL) {
668                 /* Add TLS extension servername to the Client Hello message */
669                 size_t size_str, lenmax;
670
671                 /* check for enough space.
672                    4 for the servername type and extension length
673                    2 for servernamelist length
674                    1 for the hostname type
675                    2 for hostname length
676                    + hostname length
677                 */
678
679                 if ((size_t)(limit - ret) < 9)
680                         return NULL;
681
682                 lenmax = limit - ret - 9;
683                 if ((size_str = strlen(s->tlsext_hostname)) > lenmax)
684                         return NULL;
685
686                 /* extension type and length */
687                 s2n(TLSEXT_TYPE_server_name, ret);
688
689                 s2n(size_str + 5, ret);
690
691                 /* length of servername list */
692                 s2n(size_str + 3, ret);
693
694                 /* hostname type, length and hostname */
695                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
696                 s2n(size_str, ret);
697                 memcpy(ret, s->tlsext_hostname, size_str);
698                 ret += size_str;
699         }
700
701         /* Add RI if renegotiating */
702         if (s->renegotiate) {
703                 int el;
704
705                 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
706                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
707                             ERR_R_INTERNAL_ERROR);
708                         return NULL;
709                 }
710
711                 if ((size_t)(limit - ret) < 4 + el)
712                         return NULL;
713
714                 s2n(TLSEXT_TYPE_renegotiate, ret);
715                 s2n(el, ret);
716
717                 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
718                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
719                             ERR_R_INTERNAL_ERROR);
720                         return NULL;
721                 }
722
723                 ret += el;
724         }
725
726         if (using_ecc) {
727                 size_t curveslen, formatslen, lenmax;
728                 const uint16_t *curves;
729                 const uint8_t *formats;
730                 int i;
731
732                 /*
733                  * Add TLS extension ECPointFormats to the ClientHello message.
734                  */
735                 tls1_get_formatlist(s, 0, &formats, &formatslen);
736
737                 if ((size_t)(limit - ret) < 5)
738                         return NULL;
739
740                 lenmax = limit - ret - 5;
741                 if (formatslen > lenmax)
742                         return NULL;
743                 if (formatslen > 255) {
744                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
745                             ERR_R_INTERNAL_ERROR);
746                         return NULL;
747                 }
748
749                 s2n(TLSEXT_TYPE_ec_point_formats, ret);
750                 s2n(formatslen + 1, ret);
751                 *(ret++) = (unsigned char)formatslen;
752                 memcpy(ret, formats, formatslen);
753                 ret += formatslen;
754
755                 /*
756                  * Add TLS extension EllipticCurves to the ClientHello message.
757                  */
758                 tls1_get_curvelist(s, 0, &curves, &curveslen);
759
760                 if ((size_t)(limit - ret) < 6)
761                         return NULL;
762
763                 lenmax = limit - ret - 6;
764                 if (curveslen > lenmax)
765                         return NULL;
766                 if (curveslen > 65532) {
767                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
768                             ERR_R_INTERNAL_ERROR);
769                         return NULL;
770                 }
771
772                 s2n(TLSEXT_TYPE_elliptic_curves, ret);
773                 s2n((curveslen * 2) + 2, ret);
774
775                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
776                  * elliptic_curve_list, but the examples use two bytes.
777                  * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
778                  * resolves this to two bytes.
779                  */
780                 s2n(curveslen * 2, ret);
781                 for (i = 0; i < curveslen; i++)
782                         s2n(curves[i], ret);
783         }
784
785         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
786                 int ticklen;
787                 if (!s->new_session && s->session && s->session->tlsext_tick)
788                         ticklen = s->session->tlsext_ticklen;
789                 else if (s->session && s->tlsext_session_ticket &&
790                     s->tlsext_session_ticket->data) {
791                         ticklen = s->tlsext_session_ticket->length;
792                         s->session->tlsext_tick = malloc(ticklen);
793                         if (!s->session->tlsext_tick)
794                                 return NULL;
795                         memcpy(s->session->tlsext_tick,
796                             s->tlsext_session_ticket->data, ticklen);
797                         s->session->tlsext_ticklen = ticklen;
798                 } else
799                         ticklen = 0;
800                 if (ticklen == 0 && s->tlsext_session_ticket &&
801                     s->tlsext_session_ticket->data == NULL)
802                         goto skip_ext;
803                 /* Check for enough room 2 for extension type, 2 for len
804                  * rest for ticket
805                  */
806                 if ((size_t)(limit - ret) < 4 + ticklen)
807                         return NULL;
808                 s2n(TLSEXT_TYPE_session_ticket, ret);
809
810                 s2n(ticklen, ret);
811                 if (ticklen) {
812                         memcpy(ret, s->session->tlsext_tick, ticklen);
813                         ret += ticklen;
814                 }
815         }
816 skip_ext:
817
818         if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
819                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
820                         return NULL;
821
822                 s2n(TLSEXT_TYPE_signature_algorithms, ret);
823                 s2n(sizeof(tls12_sigalgs) + 2, ret);
824                 s2n(sizeof(tls12_sigalgs), ret);
825                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
826                 ret += sizeof(tls12_sigalgs);
827         }
828
829         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
830             s->version != DTLS1_VERSION) {
831                 int i;
832                 long extlen, idlen, itmp;
833                 OCSP_RESPID *id;
834
835                 idlen = 0;
836                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
837                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
838                         itmp = i2d_OCSP_RESPID(id, NULL);
839                         if (itmp <= 0)
840                                 return NULL;
841                         idlen += itmp + 2;
842                 }
843
844                 if (s->tlsext_ocsp_exts) {
845                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
846                         if (extlen < 0)
847                                 return NULL;
848                 } else
849                         extlen = 0;
850
851                 if ((size_t)(limit - ret) < 7 + extlen + idlen)
852                         return NULL;
853                 s2n(TLSEXT_TYPE_status_request, ret);
854                 if (extlen + idlen > 0xFFF0)
855                         return NULL;
856                 s2n(extlen + idlen + 5, ret);
857                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
858                 s2n(idlen, ret);
859                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
860                         /* save position of id len */
861                         unsigned char *q = ret;
862                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
863                         /* skip over id len */
864                         ret += 2;
865                         itmp = i2d_OCSP_RESPID(id, &ret);
866                         /* write id len */
867                         s2n(itmp, q);
868                 }
869                 s2n(extlen, ret);
870                 if (extlen > 0)
871                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
872         }
873
874         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
875                 /* The client advertises an emtpy extension to indicate its
876                  * support for Next Protocol Negotiation */
877                 if ((size_t)(limit - ret) < 4)
878                         return NULL;
879                 s2n(TLSEXT_TYPE_next_proto_neg, ret);
880                 s2n(0, ret);
881         }
882
883         if (s->alpn_client_proto_list != NULL &&
884             s->s3->tmp.finish_md_len == 0) {
885                 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
886                         return (NULL);
887                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
888                 s2n(2 + s->alpn_client_proto_list_len, ret);
889                 s2n(s->alpn_client_proto_list_len, ret);
890                 memcpy(ret, s->alpn_client_proto_list,
891                     s->alpn_client_proto_list_len);
892                 ret += s->alpn_client_proto_list_len;
893         }
894
895 #ifndef OPENSSL_NO_SRTP
896         if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
897                 int el;
898
899                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
900
901                 if ((size_t)(limit - ret) < 4 + el)
902                         return NULL;
903
904                 s2n(TLSEXT_TYPE_use_srtp, ret);
905                 s2n(el, ret);
906
907                 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
908                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
909                             ERR_R_INTERNAL_ERROR);
910                         return NULL;
911                 }
912                 ret += el;
913         }
914 #endif
915
916         /*
917          * Add padding to workaround bugs in F5 terminators.
918          * See https://tools.ietf.org/html/draft-agl-tls-padding-03
919          *
920          * Note that this seems to trigger issues with IronPort SMTP
921          * appliances.
922          *
923          * NB: because this code works out the length of all existing
924          * extensions it MUST always appear last.
925          */
926         if (s->options & SSL_OP_TLSEXT_PADDING) {
927                 int hlen = ret - (unsigned char *)s->init_buf->data;
928
929                 /*
930                  * The code in s23_clnt.c to build ClientHello messages
931                  * includes the 5-byte record header in the buffer, while the
932                  * code in s3_clnt.c does not.
933                  */
934                 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
935                         hlen -= 5;
936                 if (hlen > 0xff && hlen < 0x200) {
937                         hlen = 0x200 - hlen;
938                         if (hlen >= 4)
939                                 hlen -= 4;
940                         else
941                                 hlen = 0;
942
943                         s2n(TLSEXT_TYPE_padding, ret);
944                         s2n(hlen, ret);
945                         memset(ret, 0, hlen);
946                         ret += hlen;
947                 }
948         }
949
950         if ((extdatalen = ret - p - 2) == 0)
951                 return p;
952
953         s2n(extdatalen, p);
954         return ret;
955 }
956
957 unsigned char *
958 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
959 {
960         int using_ecc, extdatalen = 0;
961         unsigned long alg_a, alg_k;
962         unsigned char *ret = p;
963         int next_proto_neg_seen;
964
965         alg_a = s->s3->tmp.new_cipher->algorithm_auth;
966         alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
967         using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
968             alg_a & SSL_aECDSA) &&
969             s->session->tlsext_ecpointformatlist != NULL;
970
971         ret += 2;
972         if (ret >= limit)
973                 return NULL; /* this really never occurs, but ... */
974
975         if (!s->hit && s->servername_done == 1 &&
976             s->session->tlsext_hostname != NULL) {
977                 if ((size_t)(limit - ret) < 4)
978                         return NULL;
979
980                 s2n(TLSEXT_TYPE_server_name, ret);
981                 s2n(0, ret);
982         }
983
984         if (s->s3->send_connection_binding) {
985                 int el;
986
987                 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
988                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
989                             ERR_R_INTERNAL_ERROR);
990                         return NULL;
991                 }
992
993                 if ((size_t)(limit - ret) < 4 + el)
994                         return NULL;
995
996                 s2n(TLSEXT_TYPE_renegotiate, ret);
997                 s2n(el, ret);
998
999                 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1000                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1001                             ERR_R_INTERNAL_ERROR);
1002                         return NULL;
1003                 }
1004
1005                 ret += el;
1006         }
1007
1008         if (using_ecc && s->version != DTLS1_VERSION) {
1009                 const unsigned char *formats;
1010                 size_t formatslen, lenmax;
1011
1012                 /*
1013                  * Add TLS extension ECPointFormats to the ServerHello message.
1014                  */
1015                 tls1_get_formatlist(s, 0, &formats, &formatslen);
1016
1017                 if ((size_t)(limit - ret) < 5)
1018                         return NULL;
1019
1020                 lenmax = limit - ret - 5;
1021                 if (formatslen > lenmax)
1022                         return NULL;
1023                 if (formatslen > 255) {
1024                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1025                             ERR_R_INTERNAL_ERROR);
1026                         return NULL;
1027                 }
1028
1029                 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1030                 s2n(formatslen + 1, ret);
1031                 *(ret++) = (unsigned char)formatslen;
1032                 memcpy(ret, formats, formatslen);
1033                 ret += formatslen;
1034         }
1035
1036         /*
1037          * Currently the server should not respond with a SupportedCurves
1038          * extension.
1039          */
1040
1041         if (s->tlsext_ticket_expected &&
1042             !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1043                 if ((size_t)(limit - ret) < 4)
1044                         return NULL;
1045
1046                 s2n(TLSEXT_TYPE_session_ticket, ret);
1047                 s2n(0, ret);
1048         }
1049
1050         if (s->tlsext_status_expected) {
1051                 if ((size_t)(limit - ret) < 4)
1052                         return NULL;
1053
1054                 s2n(TLSEXT_TYPE_status_request, ret);
1055                 s2n(0, ret);
1056         }
1057
1058 #ifndef OPENSSL_NO_SRTP
1059         if (SSL_IS_DTLS(s) && s->srtp_profile) {
1060                 int el;
1061
1062                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1063
1064                 if ((size_t)(limit - ret) < 4 + el)
1065                         return NULL;
1066
1067                 s2n(TLSEXT_TYPE_use_srtp, ret);
1068                 s2n(el, ret);
1069
1070                 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1071                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1072                             ERR_R_INTERNAL_ERROR);
1073                         return NULL;
1074                 }
1075                 ret += el;
1076         }
1077 #endif
1078
1079         if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 ||
1080             (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) &&
1081             (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1082                 static const unsigned char cryptopro_ext[36] = {
1083                         0xfd, 0xe8, /*65000*/
1084                         0x00, 0x20, /*32 bytes length*/
1085                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1086                         0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1087                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1088                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1089                 };
1090                 if ((size_t)(limit - ret) < sizeof(cryptopro_ext))
1091                         return NULL;
1092                 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
1093                 ret += sizeof(cryptopro_ext);
1094         }
1095
1096         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1097         s->s3->next_proto_neg_seen = 0;
1098         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1099                 const unsigned char *npa;
1100                 unsigned int npalen;
1101                 int r;
1102
1103                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1104                     s->ctx->next_protos_advertised_cb_arg);
1105                 if (r == SSL_TLSEXT_ERR_OK) {
1106                         if ((size_t)(limit - ret) < 4 + npalen)
1107                                 return NULL;
1108                         s2n(TLSEXT_TYPE_next_proto_neg, ret);
1109                         s2n(npalen, ret);
1110                         memcpy(ret, npa, npalen);
1111                         ret += npalen;
1112                         s->s3->next_proto_neg_seen = 1;
1113                 }
1114         }
1115
1116         if (s->s3->alpn_selected != NULL) {
1117                 const unsigned char *selected = s->s3->alpn_selected;
1118                 unsigned int len = s->s3->alpn_selected_len;
1119
1120                 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1121                         return (NULL);
1122                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1123                 s2n(3 + len, ret);
1124                 s2n(1 + len, ret);
1125                 *ret++ = len;
1126                 memcpy(ret, selected, len);
1127                 ret += len;
1128         }
1129
1130         if ((extdatalen = ret - p - 2) == 0)
1131                 return p;
1132
1133         s2n(extdatalen, p);
1134         return ret;
1135 }
1136
1137 /*
1138  * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1139  * ClientHello.
1140  *   data: the contents of the extension, not including the type and length.
1141  *   data_len: the number of bytes in data.
1142  *   al: a pointer to the alert value to send in the event of a non-zero
1143  *       return.
1144  *   returns: 1 on success.
1145  */
1146 static int
1147 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1148     unsigned int data_len, int *al)
1149 {
1150         CBS cbs, proto_name_list, alpn;
1151         const unsigned char *selected;
1152         unsigned char selected_len;
1153         int r;
1154
1155         if (s->ctx->alpn_select_cb == NULL)
1156                 return (1);
1157
1158         if (data_len < 2)
1159                 goto parse_error;
1160
1161         CBS_init(&cbs, data, data_len);
1162
1163         /*
1164          * data should contain a uint16 length followed by a series of 8-bit,
1165          * length-prefixed strings.
1166          */
1167         if (!CBS_get_u16_length_prefixed(&cbs, &alpn) ||
1168             CBS_len(&alpn) < 2 ||
1169             CBS_len(&cbs) != 0)
1170                 goto parse_error;
1171
1172         /* Validate data before sending to callback. */
1173         CBS_dup(&alpn, &proto_name_list);
1174         while (CBS_len(&proto_name_list) > 0) {
1175                 CBS proto_name;
1176
1177                 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) ||
1178                     CBS_len(&proto_name) == 0)
1179                         goto parse_error;
1180         }
1181
1182         r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1183             CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg);
1184         if (r == SSL_TLSEXT_ERR_OK) {
1185                 free(s->s3->alpn_selected);
1186                 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) {
1187                         *al = SSL_AD_INTERNAL_ERROR;
1188                         return (-1);
1189                 }
1190                 memcpy(s->s3->alpn_selected, selected, selected_len);
1191                 s->s3->alpn_selected_len = selected_len;
1192         }
1193
1194         return (1);
1195
1196 parse_error:
1197         *al = SSL_AD_DECODE_ERROR;
1198         return (0);
1199 }
1200
1201 int
1202 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1203     int n, int *al)
1204 {
1205         unsigned short type;
1206         unsigned short size;
1207         unsigned short len;
1208         unsigned char *data = *p;
1209         int renegotiate_seen = 0;
1210         int sigalg_seen = 0;
1211
1212         s->servername_done = 0;
1213         s->tlsext_status_type = -1;
1214         s->s3->next_proto_neg_seen = 0;
1215         free(s->s3->alpn_selected);
1216         s->s3->alpn_selected = NULL;
1217
1218         if (data >= (d + n - 2))
1219                 goto ri_check;
1220         n2s(data, len);
1221
1222         if (data > (d + n - len))
1223                 goto ri_check;
1224
1225         while (data <= (d + n - 4)) {
1226                 n2s(data, type);
1227                 n2s(data, size);
1228
1229                 if (data + size > (d + n))
1230                         goto ri_check;
1231                 if (s->tlsext_debug_cb)
1232                         s->tlsext_debug_cb(s, 0, type, data, size,
1233                             s->tlsext_debug_arg);
1234 /* The servername extension is treated as follows:
1235
1236    - Only the hostname type is supported with a maximum length of 255.
1237    - The servername is rejected if too long or if it contains zeros,
1238      in which case an fatal alert is generated.
1239    - The servername field is maintained together with the session cache.
1240    - When a session is resumed, the servername call back invoked in order
1241      to allow the application to position itself to the right context.
1242    - The servername is acknowledged if it is new for a session or when
1243      it is identical to a previously used for the same session.
1244      Applications can control the behaviour.  They can at any time
1245      set a 'desirable' servername for a new SSL object. This can be the
1246      case for example with HTTPS when a Host: header field is received and
1247      a renegotiation is requested. In this case, a possible servername
1248      presented in the new client hello is only acknowledged if it matches
1249      the value of the Host: field.
1250    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1251      if they provide for changing an explicit servername context for the session,
1252      i.e. when the session has been established with a servername extension.
1253    - On session reconnect, the servername extension may be absent.
1254
1255 */
1256
1257                 if (type == TLSEXT_TYPE_server_name) {
1258                         unsigned char *sdata;
1259                         int servname_type;
1260                         int dsize;
1261
1262                         if (size < 2) {
1263                                 *al = SSL_AD_DECODE_ERROR;
1264                                 return 0;
1265                         }
1266                         n2s(data, dsize);
1267
1268                         size -= 2;
1269                         if (dsize > size) {
1270                                 *al = SSL_AD_DECODE_ERROR;
1271                                 return 0;
1272                         }
1273
1274                         sdata = data;
1275                         while (dsize > 3) {
1276                                 servname_type = *(sdata++);
1277
1278                                 n2s(sdata, len);
1279                                 dsize -= 3;
1280
1281                                 if (len > dsize) {
1282                                         *al = SSL_AD_DECODE_ERROR;
1283                                         return 0;
1284                                 }
1285                                 if (s->servername_done == 0)
1286                                         switch (servname_type) {
1287                                         case TLSEXT_NAMETYPE_host_name:
1288                                                 if (!s->hit) {
1289                                                         if (s->session->tlsext_hostname) {
1290                                                                 *al = SSL_AD_DECODE_ERROR;
1291                                                                 return 0;
1292                                                         }
1293                                                         if (len > TLSEXT_MAXLEN_host_name) {
1294                                                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1295                                                                 return 0;
1296                                                         }
1297                                                         if ((s->session->tlsext_hostname =
1298                                                             malloc(len + 1)) == NULL) {
1299                                                                 *al = TLS1_AD_INTERNAL_ERROR;
1300                                                                 return 0;
1301                                                         }
1302                                                         memcpy(s->session->tlsext_hostname, sdata, len);
1303                                                         s->session->tlsext_hostname[len] = '\0';
1304                                                         if (strlen(s->session->tlsext_hostname) != len) {
1305                                                                 free(s->session->tlsext_hostname);
1306                                                                 s->session->tlsext_hostname = NULL;
1307                                                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1308                                                                 return 0;
1309                                                         }
1310                                                         s->servername_done = 1;
1311
1312
1313                                                 } else {
1314                                                         s->servername_done = s->session->tlsext_hostname &&
1315                                                             strlen(s->session->tlsext_hostname) == len &&
1316                                                             strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1317                                                 }
1318                                                 break;
1319
1320                                         default:
1321                                                 break;
1322                                         }
1323
1324                                 dsize -= len;
1325                         }
1326                         if (dsize != 0) {
1327                                 *al = SSL_AD_DECODE_ERROR;
1328                                 return 0;
1329                         }
1330
1331                 }
1332
1333                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1334                     s->version != DTLS1_VERSION) {
1335                         unsigned char *sdata = data;
1336                         size_t formatslen;
1337                         uint8_t *formats;
1338
1339                         if (size < 1) {
1340                                 *al = TLS1_AD_DECODE_ERROR;
1341                                 return 0;
1342                         }
1343                         formatslen = *(sdata++);
1344                         if (formatslen != size - 1) {
1345                                 *al = TLS1_AD_DECODE_ERROR;
1346                                 return 0;
1347                         }
1348
1349                         if (!s->hit) {
1350                                 free(s->session->tlsext_ecpointformatlist);
1351                                 s->session->tlsext_ecpointformatlist = NULL;
1352                                 s->session->tlsext_ecpointformatlist_length = 0;
1353
1354                                 if ((formats = reallocarray(NULL, formatslen,
1355                                     sizeof(uint8_t))) == NULL) {
1356                                         *al = TLS1_AD_INTERNAL_ERROR;
1357                                         return 0;
1358                                 }
1359                                 memcpy(formats, sdata, formatslen);
1360                                 s->session->tlsext_ecpointformatlist = formats;
1361                                 s->session->tlsext_ecpointformatlist_length =
1362                                     formatslen;
1363                         }
1364                 } else if (type == TLSEXT_TYPE_elliptic_curves &&
1365                     s->version != DTLS1_VERSION) {
1366                         unsigned char *sdata = data;
1367                         size_t curveslen, i;
1368                         uint16_t *curves;
1369
1370                         if (size < 2) {
1371                                 *al = TLS1_AD_DECODE_ERROR;
1372                                 return 0;
1373                         }
1374                         n2s(sdata, curveslen);
1375                         if (curveslen != size - 2 || curveslen % 2 != 0) {
1376                                 *al = TLS1_AD_DECODE_ERROR;
1377                                 return 0;
1378                         }
1379                         curveslen /= 2;
1380
1381                         if (!s->hit) {
1382                                 if (s->session->tlsext_ellipticcurvelist) {
1383                                         *al = TLS1_AD_DECODE_ERROR;
1384                                         return 0;
1385                                 }
1386                                 s->session->tlsext_ellipticcurvelist_length = 0;
1387                                 if ((curves = reallocarray(NULL, curveslen,
1388                                     sizeof(uint16_t))) == NULL) {
1389                                         *al = TLS1_AD_INTERNAL_ERROR;
1390                                         return 0;
1391                                 }
1392                                 for (i = 0; i < curveslen; i++)
1393                                         n2s(sdata, curves[i]);
1394                                 s->session->tlsext_ellipticcurvelist = curves;
1395                                 s->session->tlsext_ellipticcurvelist_length = curveslen;
1396                         }
1397                 }
1398                 else if (type == TLSEXT_TYPE_session_ticket) {
1399                         if (s->tls_session_ticket_ext_cb &&
1400                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1401                                 *al = TLS1_AD_INTERNAL_ERROR;
1402                                 return 0;
1403                         }
1404                 } else if (type == TLSEXT_TYPE_renegotiate) {
1405                         if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1406                                 return 0;
1407                         renegotiate_seen = 1;
1408                 } else if (type == TLSEXT_TYPE_signature_algorithms) {
1409                         int dsize;
1410                         if (sigalg_seen || size < 2) {
1411                                 *al = SSL_AD_DECODE_ERROR;
1412                                 return 0;
1413                         }
1414                         sigalg_seen = 1;
1415                         n2s(data, dsize);
1416                         size -= 2;
1417                         if (dsize != size || dsize & 1) {
1418                                 *al = SSL_AD_DECODE_ERROR;
1419                                 return 0;
1420                         }
1421                         if (!tls1_process_sigalgs(s, data, dsize)) {
1422                                 *al = SSL_AD_DECODE_ERROR;
1423                                 return 0;
1424                         }
1425                 } else if (type == TLSEXT_TYPE_status_request &&
1426                     s->version != DTLS1_VERSION) {
1427
1428                         if (size < 5) {
1429                                 *al = SSL_AD_DECODE_ERROR;
1430                                 return 0;
1431                         }
1432
1433                         s->tlsext_status_type = *data++;
1434                         size--;
1435                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1436                                 const unsigned char *sdata;
1437                                 int dsize;
1438                                 /* Read in responder_id_list */
1439                                 n2s(data, dsize);
1440                                 size -= 2;
1441                                 if (dsize > size  ) {
1442                                         *al = SSL_AD_DECODE_ERROR;
1443                                         return 0;
1444                                 }
1445                                 while (dsize > 0) {
1446                                         OCSP_RESPID *id;
1447                                         int idsize;
1448                                         if (dsize < 4) {
1449                                                 *al = SSL_AD_DECODE_ERROR;
1450                                                 return 0;
1451                                         }
1452                                         n2s(data, idsize);
1453                                         dsize -= 2 + idsize;
1454                                         size -= 2 + idsize;
1455                                         if (dsize < 0) {
1456                                                 *al = SSL_AD_DECODE_ERROR;
1457                                                 return 0;
1458                                         }
1459                                         sdata = data;
1460                                         data += idsize;
1461                                         id = d2i_OCSP_RESPID(NULL,
1462                                             &sdata, idsize);
1463                                         if (!id) {
1464                                                 *al = SSL_AD_DECODE_ERROR;
1465                                                 return 0;
1466                                         }
1467                                         if (data != sdata) {
1468                                                 OCSP_RESPID_free(id);
1469                                                 *al = SSL_AD_DECODE_ERROR;
1470                                                 return 0;
1471                                         }
1472                                         if (!s->tlsext_ocsp_ids &&
1473                                             !(s->tlsext_ocsp_ids =
1474                                             sk_OCSP_RESPID_new_null())) {
1475                                                 OCSP_RESPID_free(id);
1476                                                 *al = SSL_AD_INTERNAL_ERROR;
1477                                                 return 0;
1478                                         }
1479                                         if (!sk_OCSP_RESPID_push(
1480                                             s->tlsext_ocsp_ids, id)) {
1481                                                 OCSP_RESPID_free(id);
1482                                                 *al = SSL_AD_INTERNAL_ERROR;
1483                                                 return 0;
1484                                         }
1485                                 }
1486
1487                                 /* Read in request_extensions */
1488                                 if (size < 2) {
1489                                         *al = SSL_AD_DECODE_ERROR;
1490                                         return 0;
1491                                 }
1492                                 n2s(data, dsize);
1493                                 size -= 2;
1494                                 if (dsize != size) {
1495                                         *al = SSL_AD_DECODE_ERROR;
1496                                         return 0;
1497                                 }
1498                                 sdata = data;
1499                                 if (dsize > 0) {
1500                                         if (s->tlsext_ocsp_exts) {
1501                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1502                                                     X509_EXTENSION_free);
1503                                         }
1504
1505                                         s->tlsext_ocsp_exts =
1506                                             d2i_X509_EXTENSIONS(NULL,
1507                                             &sdata, dsize);
1508                                         if (!s->tlsext_ocsp_exts ||
1509                                                     (data + dsize != sdata)) {
1510                                                 *al = SSL_AD_DECODE_ERROR;
1511                                                 return 0;
1512                                         }
1513                                 }
1514                         } else {
1515                                 /* We don't know what to do with any other type
1516                                 * so ignore it.
1517                                 */
1518                                 s->tlsext_status_type = -1;
1519                         }
1520                 }
1521                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1522                     s->s3->tmp.finish_md_len == 0 &&
1523                     s->s3->alpn_selected == NULL) {
1524                         /* We shouldn't accept this extension on a
1525                          * renegotiation.
1526                          *
1527                          * s->new_session will be set on renegotiation, but we
1528                          * probably shouldn't rely that it couldn't be set on
1529                          * the initial renegotation too in certain cases (when
1530                          * there's some other reason to disallow resuming an
1531                          * earlier session -- the current code won't be doing
1532                          * anything like that, but this might change).
1533
1534                          * A valid sign that there's been a previous handshake
1535                          * in this connection is if s->s3->tmp.finish_md_len >
1536                          * 0.  (We are talking about a check that will happen
1537                          * in the Hello protocol round, well before a new
1538                          * Finished message could have been computed.) */
1539                         s->s3->next_proto_neg_seen = 1;
1540                 }
1541                 else if (type ==
1542                     TLSEXT_TYPE_application_layer_protocol_negotiation &&
1543                     s->ctx->alpn_select_cb != NULL &&
1544                     s->s3->tmp.finish_md_len == 0) {
1545                         if (tls1_alpn_handle_client_hello(s, data,
1546                             size, al) != 1)
1547                                 return (0);
1548                         /* ALPN takes precedence over NPN. */
1549                         s->s3->next_proto_neg_seen = 0;
1550                 }
1551
1552                 /* session ticket processed earlier */
1553 #ifndef OPENSSL_NO_SRTP
1554                 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1555                         if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
1556                                 return 0;
1557                 }
1558 #endif
1559
1560                 data += size;
1561         }
1562
1563         *p = data;
1564
1565 ri_check:
1566
1567         /* Need RI if renegotiating */
1568
1569         if (!renegotiate_seen && s->renegotiate) {
1570                 *al = SSL_AD_HANDSHAKE_FAILURE;
1571                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1572                     SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1573                 return 0;
1574         }
1575
1576         return 1;
1577 }
1578
1579 /*
1580  * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1581  * elements of zero length are allowed and the set of elements must exactly fill
1582  * the length of the block.
1583  */
1584 static char
1585 ssl_next_proto_validate(const unsigned char *d, unsigned int len)
1586 {
1587         CBS npn, value;
1588
1589         CBS_init(&npn, d, len);
1590         while (CBS_len(&npn) > 0) {
1591                 if (!CBS_get_u8_length_prefixed(&npn, &value) ||
1592                     CBS_len(&value) == 0)
1593                         return 0;
1594         }
1595         return 1;
1596 }
1597
1598 int
1599 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1600     int n, int *al)
1601 {
1602         unsigned short length;
1603         unsigned short type;
1604         unsigned short size;
1605         unsigned char *data = *p;
1606         int tlsext_servername = 0;
1607         int renegotiate_seen = 0;
1608
1609         s->s3->next_proto_neg_seen = 0;
1610         free(s->s3->alpn_selected);
1611         s->s3->alpn_selected = NULL;
1612
1613         if (data >= (d + n - 2))
1614                 goto ri_check;
1615
1616         n2s(data, length);
1617         if (data + length != d + n) {
1618                 *al = SSL_AD_DECODE_ERROR;
1619                 return 0;
1620         }
1621
1622         while (data <= (d + n - 4)) {
1623                 n2s(data, type);
1624                 n2s(data, size);
1625
1626                 if (data + size > (d + n))
1627                         goto ri_check;
1628
1629                 if (s->tlsext_debug_cb)
1630                         s->tlsext_debug_cb(s, 1, type, data, size,
1631                             s->tlsext_debug_arg);
1632
1633                 if (type == TLSEXT_TYPE_server_name) {
1634                         if (s->tlsext_hostname == NULL || size > 0) {
1635                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1636                                 return 0;
1637                         }
1638                         tlsext_servername = 1;
1639
1640                 }
1641                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1642                     s->version != DTLS1_VERSION) {
1643                         unsigned char *sdata = data;
1644                         size_t formatslen;
1645                         uint8_t *formats;
1646
1647                         if (size < 1) {
1648                                 *al = TLS1_AD_DECODE_ERROR;
1649                                 return 0;
1650                         }
1651                         formatslen = *(sdata++);
1652                         if (formatslen != size - 1) {
1653                                 *al = TLS1_AD_DECODE_ERROR;
1654                                 return 0;
1655                         }
1656
1657                         if (!s->hit) {
1658                                 free(s->session->tlsext_ecpointformatlist);
1659                                 s->session->tlsext_ecpointformatlist = NULL;
1660                                 s->session->tlsext_ecpointformatlist_length = 0;
1661
1662                                 if ((formats = reallocarray(NULL, formatslen,
1663                                     sizeof(uint8_t))) == NULL) {
1664                                         *al = TLS1_AD_INTERNAL_ERROR;
1665                                         return 0;
1666                                 }
1667                                 memcpy(formats, sdata, formatslen);
1668                                 s->session->tlsext_ecpointformatlist = formats;
1669                                 s->session->tlsext_ecpointformatlist_length =
1670                                     formatslen;
1671                         }
1672                 }
1673                 else if (type == TLSEXT_TYPE_session_ticket) {
1674                         if (s->tls_session_ticket_ext_cb &&
1675                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1676                                 *al = TLS1_AD_INTERNAL_ERROR;
1677                                 return 0;
1678                         }
1679                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) {
1680                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1681                                 return 0;
1682                         }
1683                         s->tlsext_ticket_expected = 1;
1684                 }
1685                 else if (type == TLSEXT_TYPE_status_request &&
1686                     s->version != DTLS1_VERSION) {
1687                         /* MUST be empty and only sent if we've requested
1688                          * a status request message.
1689                          */
1690                         if ((s->tlsext_status_type == -1) || (size > 0)) {
1691                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1692                                 return 0;
1693                         }
1694                         /* Set flag to expect CertificateStatus message */
1695                         s->tlsext_status_expected = 1;
1696                 }
1697                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1698                     s->s3->tmp.finish_md_len == 0) {
1699                         unsigned char *selected;
1700                         unsigned char selected_len;
1701
1702                         /* We must have requested it. */
1703                         if (s->ctx->next_proto_select_cb == NULL) {
1704                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1705                                 return 0;
1706                         }
1707                         /* The data must be valid */
1708                         if (!ssl_next_proto_validate(data, size)) {
1709                                 *al = TLS1_AD_DECODE_ERROR;
1710                                 return 0;
1711                         }
1712                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
1713                                 *al = TLS1_AD_INTERNAL_ERROR;
1714                                 return 0;
1715                         }
1716                         s->next_proto_negotiated = malloc(selected_len);
1717                         if (!s->next_proto_negotiated) {
1718                                 *al = TLS1_AD_INTERNAL_ERROR;
1719                                 return 0;
1720                         }
1721                         memcpy(s->next_proto_negotiated, selected, selected_len);
1722                         s->next_proto_negotiated_len = selected_len;
1723                         s->s3->next_proto_neg_seen = 1;
1724                 }
1725                 else if (type ==
1726                     TLSEXT_TYPE_application_layer_protocol_negotiation) {
1727                         unsigned int len;
1728
1729                         /* We must have requested it. */
1730                         if (s->alpn_client_proto_list == NULL) {
1731                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1732                                 return 0;
1733                         }
1734                         if (size < 4) {
1735                                 *al = TLS1_AD_DECODE_ERROR;
1736                                 return (0);
1737                         }
1738
1739                         /* The extension data consists of:
1740                          *   uint16 list_length
1741                          *   uint8 proto_length;
1742                          *   uint8 proto[proto_length]; */
1743                         len = ((unsigned int)data[0]) << 8 |
1744                             ((unsigned int)data[1]);
1745                         if (len != (unsigned int)size - 2) {
1746                                 *al = TLS1_AD_DECODE_ERROR;
1747                                 return (0);
1748                         }
1749                         len = data[2];
1750                         if (len != (unsigned int)size - 3) {
1751                                 *al = TLS1_AD_DECODE_ERROR;
1752                                 return (0);
1753                         }
1754                         free(s->s3->alpn_selected);
1755                         s->s3->alpn_selected = malloc(len);
1756                         if (s->s3->alpn_selected == NULL) {
1757                                 *al = TLS1_AD_INTERNAL_ERROR;
1758                                 return (0);
1759                         }
1760                         memcpy(s->s3->alpn_selected, data + 3, len);
1761                         s->s3->alpn_selected_len = len;
1762
1763                 } else if (type == TLSEXT_TYPE_renegotiate) {
1764                         if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1765                                 return 0;
1766                         renegotiate_seen = 1;
1767                 }
1768 #ifndef OPENSSL_NO_SRTP
1769                 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1770                         if (ssl_parse_serverhello_use_srtp_ext(s, data,
1771                             size, al))
1772                                 return 0;
1773                 }
1774 #endif
1775
1776                 data += size;
1777
1778         }
1779
1780         if (data != d + n) {
1781                 *al = SSL_AD_DECODE_ERROR;
1782                 return 0;
1783         }
1784
1785         if (!s->hit && tlsext_servername == 1) {
1786                 if (s->tlsext_hostname) {
1787                         if (s->session->tlsext_hostname == NULL) {
1788                                 s->session->tlsext_hostname =
1789                                     strdup(s->tlsext_hostname);
1790
1791                                 if (!s->session->tlsext_hostname) {
1792                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1793                                         return 0;
1794                                 }
1795                         } else {
1796                                 *al = SSL_AD_DECODE_ERROR;
1797                                 return 0;
1798                         }
1799                 }
1800         }
1801
1802         *p = data;
1803
1804 ri_check:
1805
1806         /* Determine if we need to see RI. Strictly speaking if we want to
1807          * avoid an attack we should *always* see RI even on initial server
1808          * hello because the client doesn't see any renegotiation during an
1809          * attack. However this would mean we could not connect to any server
1810          * which doesn't support RI so for the immediate future tolerate RI
1811          * absence on initial connect only.
1812          */
1813         if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1814                 *al = SSL_AD_HANDSHAKE_FAILURE;
1815                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1816                     SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1817                 return 0;
1818         }
1819
1820         return 1;
1821 }
1822
1823 int
1824 ssl_check_clienthello_tlsext_early(SSL *s)
1825 {
1826         int ret = SSL_TLSEXT_ERR_NOACK;
1827         int al = SSL_AD_UNRECOGNIZED_NAME;
1828
1829         /* The handling of the ECPointFormats extension is done elsewhere, namely in
1830          * ssl3_choose_cipher in s3_lib.c.
1831          */
1832         /* The handling of the EllipticCurves extension is done elsewhere, namely in
1833          * ssl3_choose_cipher in s3_lib.c.
1834          */
1835
1836         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1837                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1838         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1839                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1840
1841         switch (ret) {
1842         case SSL_TLSEXT_ERR_ALERT_FATAL:
1843                 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1844                 return -1;
1845         case SSL_TLSEXT_ERR_ALERT_WARNING:
1846                 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1847                 return 1;
1848         case SSL_TLSEXT_ERR_NOACK:
1849                 s->servername_done = 0;
1850         default:
1851                 return 1;
1852         }
1853 }
1854
1855 int
1856 ssl_check_clienthello_tlsext_late(SSL *s)
1857 {
1858         int ret = SSL_TLSEXT_ERR_OK;
1859         int al = 0;     /* XXX gcc3 */
1860
1861         /* If status request then ask callback what to do.
1862          * Note: this must be called after servername callbacks in case
1863          * the certificate has changed, and must be called after the cipher
1864          * has been chosen because this may influence which certificate is sent
1865          */
1866         if ((s->tlsext_status_type != -1) &&
1867             s->ctx && s->ctx->tlsext_status_cb) {
1868                 int r;
1869                 CERT_PKEY *certpkey;
1870                 certpkey = ssl_get_server_send_pkey(s);
1871                 /* If no certificate can't return certificate status */
1872                 if (certpkey == NULL) {
1873                         s->tlsext_status_expected = 0;
1874                         return 1;
1875                 }
1876                 /* Set current certificate to one we will use so
1877                  * SSL_get_certificate et al can pick it up.
1878                  */
1879                 s->cert->key = certpkey;
1880                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1881                 switch (r) {
1882                         /* We don't want to send a status request response */
1883                 case SSL_TLSEXT_ERR_NOACK:
1884                         s->tlsext_status_expected = 0;
1885                         break;
1886                         /* status request response should be sent */
1887                 case SSL_TLSEXT_ERR_OK:
1888                         if (s->tlsext_ocsp_resp)
1889                                 s->tlsext_status_expected = 1;
1890                         else
1891                                 s->tlsext_status_expected = 0;
1892                         break;
1893                         /* something bad happened */
1894                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1895                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1896                         al = SSL_AD_INTERNAL_ERROR;
1897                         goto err;
1898                 }
1899         } else
1900                 s->tlsext_status_expected = 0;
1901
1902 err:
1903         switch (ret) {
1904         case SSL_TLSEXT_ERR_ALERT_FATAL:
1905                 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1906                 return -1;
1907         case SSL_TLSEXT_ERR_ALERT_WARNING:
1908                 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1909                 return 1;
1910         default:
1911                 return 1;
1912         }
1913 }
1914
1915 int
1916 ssl_check_serverhello_tlsext(SSL *s)
1917 {
1918         int ret = SSL_TLSEXT_ERR_NOACK;
1919         int al = SSL_AD_UNRECOGNIZED_NAME;
1920
1921         /* If we are client and using an elliptic curve cryptography cipher
1922          * suite, then if server returns an EC point formats lists extension
1923          * it must contain uncompressed.
1924          */
1925         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1926         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1927         if ((s->tlsext_ecpointformatlist != NULL) &&
1928             (s->tlsext_ecpointformatlist_length > 0) &&
1929             (s->session->tlsext_ecpointformatlist != NULL) &&
1930             (s->session->tlsext_ecpointformatlist_length > 0) &&
1931             ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
1932                 /* we are using an ECC cipher */
1933                 size_t i;
1934                 unsigned char *list;
1935                 int found_uncompressed = 0;
1936                 list = s->session->tlsext_ecpointformatlist;
1937                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
1938                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
1939                                 found_uncompressed = 1;
1940                                 break;
1941                         }
1942                 }
1943                 if (!found_uncompressed) {
1944                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1945                         return -1;
1946                 }
1947         }
1948         ret = SSL_TLSEXT_ERR_OK;
1949
1950         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1951                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1952         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1953                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1954
1955         /* If we've requested certificate status and we wont get one
1956          * tell the callback
1957          */
1958         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) &&
1959             s->ctx && s->ctx->tlsext_status_cb) {
1960                 int r;
1961                 /* Set resp to NULL, resplen to -1 so callback knows
1962                  * there is no response.
1963                  */
1964                 free(s->tlsext_ocsp_resp);
1965                 s->tlsext_ocsp_resp = NULL;
1966                 s->tlsext_ocsp_resplen = -1;
1967                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1968                 if (r == 0) {
1969                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1970                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1971                 }
1972                 if (r < 0) {
1973                         al = SSL_AD_INTERNAL_ERROR;
1974                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1975                 }
1976         }
1977
1978         switch (ret) {
1979         case SSL_TLSEXT_ERR_ALERT_FATAL:
1980                 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1981
1982                 return -1;
1983         case SSL_TLSEXT_ERR_ALERT_WARNING:
1984                 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1985
1986                 return 1;
1987         case SSL_TLSEXT_ERR_NOACK:
1988                 s->servername_done = 0;
1989         default:
1990                 return 1;
1991         }
1992 }
1993
1994 /* Since the server cache lookup is done early on in the processing of the
1995  * ClientHello, and other operations depend on the result, we need to handle
1996  * any TLS session ticket extension at the same time.
1997  *
1998  *   session_id: points at the session ID in the ClientHello. This code will
1999  *       read past the end of this in order to parse out the session ticket
2000  *       extension, if any.
2001  *   len: the length of the session ID.
2002  *   limit: a pointer to the first byte after the ClientHello.
2003  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2004  *       point to the resulting session.
2005  *
2006  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2007  * ciphersuite, in which case we have no use for session tickets and one will
2008  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2009  *
2010  * Returns:
2011  *   -1: fatal error, either from parsing or decrypting the ticket.
2012  *    0: no ticket was found (or was ignored, based on settings).
2013  *    1: a zero length extension was found, indicating that the client supports
2014  *       session tickets but doesn't currently have one to offer.
2015  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2016  *       couldn't be decrypted because of a non-fatal error.
2017  *    3: a ticket was successfully decrypted and *ret was set.
2018  *
2019  * Side effects:
2020  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2021  *   a new session ticket to the client because the client indicated support
2022  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2023  *   a session ticket or we couldn't use the one it gave us, or if
2024  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2025  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2026  */
2027 int
2028 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
2029     const unsigned char *limit, SSL_SESSION **ret)
2030 {
2031         /* Point after session ID in client hello */
2032         CBS session_id, cookie, cipher_list, compress_algo, extensions;
2033
2034         *ret = NULL;
2035         s->tlsext_ticket_expected = 0;
2036
2037         /* If tickets disabled behave as if no ticket present
2038          * to permit stateful resumption.
2039          */
2040         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2041                 return 0;
2042         if (!limit)
2043                 return 0;
2044
2045         if (limit < session)
2046                 return -1;
2047
2048         CBS_init(&session_id, session, limit - session);
2049
2050         /* Skip past the session id */
2051         if (!CBS_skip(&session_id, session_len))
2052                 return -1;
2053
2054         /* Skip past DTLS cookie */
2055         if (SSL_IS_DTLS(s)) {
2056                 if (!CBS_get_u8_length_prefixed(&session_id, &cookie))
2057                         return -1;
2058         }
2059
2060         /* Skip past cipher list */
2061         if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list))
2062                 return -1;
2063
2064         /* Skip past compression algorithm list */
2065         if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo))
2066                 return -1;
2067
2068         /* Now at start of extensions */
2069         if (CBS_len(&session_id) == 0)
2070                 return 0;
2071         if (!CBS_get_u16_length_prefixed(&session_id, &extensions))
2072                 return -1;
2073
2074         while (CBS_len(&extensions) > 0) {
2075                 CBS ext_data;
2076                 uint16_t ext_type;
2077
2078                 if (!CBS_get_u16(&extensions, &ext_type) ||
2079                     !CBS_get_u16_length_prefixed(&extensions, &ext_data))
2080                         return -1;
2081
2082                 if (ext_type == TLSEXT_TYPE_session_ticket) {
2083                         int r;
2084                         if (CBS_len(&ext_data) == 0) {
2085                                 /* The client will accept a ticket but doesn't
2086                                  * currently have one. */
2087                                 s->tlsext_ticket_expected = 1;
2088                                 return 1;
2089                         }
2090                         if (s->tls_session_secret_cb) {
2091                                 /* Indicate that the ticket couldn't be
2092                                  * decrypted rather than generating the session
2093                                  * from ticket now, trigger abbreviated
2094                                  * handshake based on external mechanism to
2095                                  * calculate the master secret later. */
2096                                 return 2;
2097                         }
2098
2099                         r = tls_decrypt_ticket(s, CBS_data(&ext_data),
2100                             CBS_len(&ext_data), session, session_len, ret);
2101
2102                         switch (r) {
2103                         case 2: /* ticket couldn't be decrypted */
2104                                 s->tlsext_ticket_expected = 1;
2105                                 return 2;
2106                         case 3: /* ticket was decrypted */
2107                                 return r;
2108                         case 4: /* ticket decrypted but need to renew */
2109                                 s->tlsext_ticket_expected = 1;
2110                                 return 3;
2111                         default: /* fatal error */
2112                                 return -1;
2113                         }
2114                 }
2115         }
2116         return 0;
2117 }
2118
2119 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2120  *
2121  *   etick: points to the body of the session ticket extension.
2122  *   eticklen: the length of the session tickets extenion.
2123  *   sess_id: points at the session ID.
2124  *   sesslen: the length of the session ID.
2125  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2126  *       point to the resulting session.
2127  *
2128  * Returns:
2129  *   -1: fatal error, either from parsing or decrypting the ticket.
2130  *    2: the ticket couldn't be decrypted.
2131  *    3: a ticket was successfully decrypted and *psess was set.
2132  *    4: same as 3, but the ticket needs to be renewed.
2133  */
2134 static int
2135 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2136     const unsigned char *sess_id, int sesslen, SSL_SESSION **psess)
2137 {
2138         SSL_SESSION *sess;
2139         unsigned char *sdec;
2140         const unsigned char *p;
2141         int slen, mlen, renew_ticket = 0;
2142         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2143         HMAC_CTX hctx;
2144         EVP_CIPHER_CTX ctx;
2145         SSL_CTX *tctx = s->initial_ctx;
2146         /* Need at least keyname + iv + some encrypted data */
2147         if (eticklen < 48)
2148                 return 2;
2149         /* Initialize session ticket encryption and HMAC contexts */
2150         HMAC_CTX_init(&hctx);
2151         EVP_CIPHER_CTX_init(&ctx);
2152         if (tctx->tlsext_ticket_key_cb) {
2153                 unsigned char *nctick = (unsigned char *)etick;
2154                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2155                     &ctx, &hctx, 0);
2156                 if (rv < 0) {
2157                         EVP_CIPHER_CTX_cleanup(&ctx);
2158                         return -1;
2159                 }
2160                 if (rv == 0) {
2161                         EVP_CIPHER_CTX_cleanup(&ctx);
2162                         return 2;
2163                 }
2164                 if (rv == 2)
2165                         renew_ticket = 1;
2166         } else {
2167                 /* Check key name matches */
2168                 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16))
2169                         return 2;
2170                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2171                     tlsext_tick_md(), NULL);
2172                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2173                     tctx->tlsext_tick_aes_key, etick + 16);
2174         }
2175         /* Attempt to process session ticket, first conduct sanity and
2176          * integrity checks on ticket.
2177          */
2178         mlen = HMAC_size(&hctx);
2179         if (mlen < 0) {
2180                 EVP_CIPHER_CTX_cleanup(&ctx);
2181                 return -1;
2182         }
2183         eticklen -= mlen;
2184         /* Check HMAC of encrypted ticket */
2185         HMAC_Update(&hctx, etick, eticklen);
2186         HMAC_Final(&hctx, tick_hmac, NULL);
2187         HMAC_CTX_cleanup(&hctx);
2188         if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) {
2189                 EVP_CIPHER_CTX_cleanup(&ctx);
2190                 return 2;
2191         }
2192         /* Attempt to decrypt session data */
2193         /* Move p after IV to start of encrypted ticket, update length */
2194         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2195         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2196         sdec = malloc(eticklen);
2197         if (!sdec) {
2198                 EVP_CIPHER_CTX_cleanup(&ctx);
2199                 return -1;
2200         }
2201         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2202         if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
2203                 free(sdec);
2204                 EVP_CIPHER_CTX_cleanup(&ctx);
2205                 return 2;
2206         }
2207         slen += mlen;
2208         EVP_CIPHER_CTX_cleanup(&ctx);
2209         p = sdec;
2210
2211         sess = d2i_SSL_SESSION(NULL, &p, slen);
2212         free(sdec);
2213         if (sess) {
2214                 /* The session ID, if non-empty, is used by some clients to
2215                  * detect that the ticket has been accepted. So we copy it to
2216                  * the session structure. If it is empty set length to zero
2217                  * as required by standard.
2218                  */
2219                 if (sesslen)
2220                         memcpy(sess->session_id, sess_id, sesslen);
2221                 sess->session_id_length = sesslen;
2222                 *psess = sess;
2223                 if (renew_ticket)
2224                         return 4;
2225                 else
2226                         return 3;
2227         }
2228         ERR_clear_error();
2229         /* For session parse failure, indicate that we need to send a new
2230          * ticket. */
2231         return 2;
2232 }
2233
2234 /* Tables to translate from NIDs to TLS v1.2 ids */
2235
2236 typedef struct {
2237         int nid;
2238         int id;
2239 } tls12_lookup;
2240
2241 static tls12_lookup tls12_md[] = {
2242         {NID_md5, TLSEXT_hash_md5},
2243         {NID_sha1, TLSEXT_hash_sha1},
2244         {NID_sha224, TLSEXT_hash_sha224},
2245         {NID_sha256, TLSEXT_hash_sha256},
2246         {NID_sha384, TLSEXT_hash_sha384},
2247         {NID_sha512, TLSEXT_hash_sha512},
2248         {NID_id_GostR3411_94, TLSEXT_hash_gost94},
2249         {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256},
2250         {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512}
2251 };
2252
2253 static tls12_lookup tls12_sig[] = {
2254         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2255         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2256         {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
2257         {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01},
2258 };
2259
2260 static int
2261 tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2262 {
2263         size_t i;
2264         for (i = 0; i < tlen; i++) {
2265                 if (table[i].nid == nid)
2266                         return table[i].id;
2267         }
2268         return -1;
2269 }
2270
2271 int
2272 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2273 {
2274         int sig_id, md_id;
2275         if (!md)
2276                 return 0;
2277         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2278             sizeof(tls12_md) / sizeof(tls12_lookup));
2279         if (md_id == -1)
2280                 return 0;
2281         sig_id = tls12_get_sigid(pk);
2282         if (sig_id == -1)
2283                 return 0;
2284         p[0] = (unsigned char)md_id;
2285         p[1] = (unsigned char)sig_id;
2286         return 1;
2287 }
2288
2289 int
2290 tls12_get_sigid(const EVP_PKEY *pk)
2291 {
2292         return tls12_find_id(pk->type, tls12_sig,
2293             sizeof(tls12_sig) / sizeof(tls12_lookup));
2294 }
2295
2296 const EVP_MD *
2297 tls12_get_hash(unsigned char hash_alg)
2298 {
2299         switch (hash_alg) {
2300         case TLSEXT_hash_sha1:
2301                 return EVP_sha1();
2302         case TLSEXT_hash_sha224:
2303                 return EVP_sha224();
2304         case TLSEXT_hash_sha256:
2305                 return EVP_sha256();
2306         case TLSEXT_hash_sha384:
2307                 return EVP_sha384();
2308         case TLSEXT_hash_sha512:
2309                 return EVP_sha512();
2310 #ifndef OPENSSL_NO_GOST
2311         case TLSEXT_hash_gost94:
2312                 return EVP_gostr341194();
2313         case TLSEXT_hash_streebog_256:
2314                 return EVP_streebog256();
2315         case TLSEXT_hash_streebog_512:
2316                 return EVP_streebog512();
2317 #endif
2318         default:
2319                 return NULL;
2320         }
2321 }
2322
2323 /* Set preferred digest for each key type */
2324
2325 int
2326 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2327 {
2328         int idx;
2329         const EVP_MD *md;
2330         CERT *c = s->cert;
2331         CBS cbs;
2332
2333         /* Extension ignored for inappropriate versions */
2334         if (!SSL_USE_SIGALGS(s))
2335                 return 1;
2336
2337         /* Should never happen */
2338         if (!c || dsize < 0)
2339                 return 0;
2340
2341         CBS_init(&cbs, data, dsize);
2342
2343         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2344         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2345         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2346         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2347         c->pkeys[SSL_PKEY_GOST01].digest = NULL;
2348
2349         while (CBS_len(&cbs) > 0) {
2350                 uint8_t hash_alg, sig_alg;
2351
2352                 if (!CBS_get_u8(&cbs, &hash_alg) ||
2353                     !CBS_get_u8(&cbs, &sig_alg)) {
2354                         /* Should never happen */
2355                         return 0;
2356                 }
2357
2358                 switch (sig_alg) {
2359                 case TLSEXT_signature_rsa:
2360                         idx = SSL_PKEY_RSA_SIGN;
2361                         break;
2362                 case TLSEXT_signature_dsa:
2363                         idx = SSL_PKEY_DSA_SIGN;
2364                         break;
2365                 case TLSEXT_signature_ecdsa:
2366                         idx = SSL_PKEY_ECC;
2367                         break;
2368                 case TLSEXT_signature_gostr01:
2369                 case TLSEXT_signature_gostr12_256:
2370                 case TLSEXT_signature_gostr12_512:
2371                         idx = SSL_PKEY_GOST01;
2372                         break;
2373                 default:
2374                         continue;
2375                 }
2376
2377                 if (c->pkeys[idx].digest == NULL) {
2378                         md = tls12_get_hash(hash_alg);
2379                         if (md) {
2380                                 c->pkeys[idx].digest = md;
2381                                 if (idx == SSL_PKEY_RSA_SIGN)
2382                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2383                         }
2384                 }
2385
2386         }
2387
2388         /* Set any remaining keys to default values. NOTE: if alg is not
2389          * supported it stays as NULL.
2390          */
2391         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2392                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2393         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2394                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2395                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2396         }
2397         if (!c->pkeys[SSL_PKEY_ECC].digest)
2398                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2399 #ifndef OPENSSL_NO_GOST
2400         if (!c->pkeys[SSL_PKEY_GOST01].digest)
2401                 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
2402 #endif
2403         return 1;
2404 }
DragonFly Project Source