2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the server's renegotiation binding and abort if it's not right
17 int tls_parse_server_renegotiate(SSL *s, PACKET *pkt, int *al)
19 size_t expected_len = s->s3->previous_client_finished_len
20 + s->s3->previous_server_finished_len;
22 const unsigned char *data;
24 /* Check for logic errors */
25 assert(expected_len == 0 || s->s3->previous_client_finished_len != 0);
26 assert(expected_len == 0 || s->s3->previous_server_finished_len != 0);
28 /* Parse the length byte */
29 if (!PACKET_get_1_len(pkt, &ilen)) {
30 SSLerr(SSL_F_TLS_PARSE_SERVER_RENEGOTIATE,
31 SSL_R_RENEGOTIATION_ENCODING_ERR);
32 *al = SSL_AD_ILLEGAL_PARAMETER;
36 /* Consistency check */
37 if (PACKET_remaining(pkt) != ilen) {
38 SSLerr(SSL_F_TLS_PARSE_SERVER_RENEGOTIATE,
39 SSL_R_RENEGOTIATION_ENCODING_ERR);
40 *al = SSL_AD_ILLEGAL_PARAMETER;
44 /* Check that the extension matches */
45 if (ilen != expected_len) {
46 SSLerr(SSL_F_TLS_PARSE_SERVER_RENEGOTIATE,
47 SSL_R_RENEGOTIATION_MISMATCH);
48 *al = SSL_AD_HANDSHAKE_FAILURE;
52 if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len)
53 || memcmp(data, s->s3->previous_client_finished,
54 s->s3->previous_client_finished_len) != 0) {
55 SSLerr(SSL_F_TLS_PARSE_SERVER_RENEGOTIATE,
56 SSL_R_RENEGOTIATION_MISMATCH);
57 *al = SSL_AD_HANDSHAKE_FAILURE;
61 if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len)
62 || memcmp(data, s->s3->previous_server_finished,
63 s->s3->previous_server_finished_len) != 0) {
64 SSLerr(SSL_F_TLS_PARSE_SERVER_RENEGOTIATE,
65 SSL_R_RENEGOTIATION_MISMATCH);
66 *al = SSL_AD_ILLEGAL_PARAMETER;
69 s->s3->send_connection_binding = 1;
74 int tls_parse_server_server_name(SSL *s, PACKET *pkt, int *al)
76 if (s->tlsext_hostname == NULL || PACKET_remaining(pkt) > 0) {
77 *al = SSL_AD_UNRECOGNIZED_NAME;
82 if (s->session->tlsext_hostname != NULL) {
83 *al = SSL_AD_INTERNAL_ERROR;
86 s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
87 if (s->session->tlsext_hostname == NULL) {
88 *al = SSL_AD_INTERNAL_ERROR;
97 int tls_parse_server_ec_pt_formats(SSL *s, PACKET *pkt, int *al)
99 unsigned int ecpointformatlist_length;
100 PACKET ecptformatlist;
102 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
103 *al = SSL_AD_DECODE_ERROR;
107 ecpointformatlist_length = PACKET_remaining(&ecptformatlist);
108 s->session->tlsext_ecpointformatlist_length = 0;
110 OPENSSL_free(s->session->tlsext_ecpointformatlist);
111 s->session->tlsext_ecpointformatlist =
112 OPENSSL_malloc(ecpointformatlist_length);
113 if (s->session->tlsext_ecpointformatlist == NULL) {
114 *al = SSL_AD_INTERNAL_ERROR;
118 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
120 if (!PACKET_copy_bytes(&ecptformatlist,
121 s->session->tlsext_ecpointformatlist,
122 ecpointformatlist_length)) {
123 *al = SSL_AD_INTERNAL_ERROR;
132 int tls_parse_server_session_ticket(SSL *s, PACKET *pkt, int *al)
134 if (s->tls_session_ticket_ext_cb &&
135 !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
136 PACKET_remaining(pkt),
137 s->tls_session_ticket_ext_cb_arg)) {
138 *al = SSL_AD_INTERNAL_ERROR;
141 if (!tls_use_ticket(s) || PACKET_remaining(pkt) > 0) {
142 *al = SSL_AD_UNSUPPORTED_EXTENSION;
145 s->tlsext_ticket_expected = 1;
150 int tls_parse_server_status_request(SSL *s, PACKET *pkt, int *al)
153 * MUST be empty and only sent if we've requested a status
156 if (s->tlsext_status_type == -1 || PACKET_remaining(pkt) > 0) {
157 *al = SSL_AD_UNSUPPORTED_EXTENSION;
160 /* Set flag to expect CertificateStatus message */
161 s->tlsext_status_expected = 1;
167 #ifndef OPENSSL_NO_CT
168 int tls_parse_server_sct(SSL *s, PACKET *pkt, int *al)
171 * Only take it if we asked for it - i.e if there is no CT validation
172 * callback set, then a custom extension MAY be processing it, so we
173 * need to let control continue to flow to that.
175 if (s->ct_validation_callback != NULL) {
176 size_t size = PACKET_remaining(pkt);
178 /* Simply copy it off for later processing */
179 if (s->tlsext_scts != NULL) {
180 OPENSSL_free(s->tlsext_scts);
181 s->tlsext_scts = NULL;
183 s->tlsext_scts_len = size;
185 s->tlsext_scts = OPENSSL_malloc(size);
186 if (s->tlsext_scts == NULL
187 || !PACKET_copy_bytes(pkt, s->tlsext_scts, size)) {
188 *al = SSL_AD_INTERNAL_ERROR;
193 if (custom_ext_parse(s, 0, TLSEXT_TYPE_signed_certificate_timestamp,
194 PACKET_data(pkt), PACKET_remaining(pkt), al) <= 0)
203 #ifndef OPENSSL_NO_NEXTPROTONEG
205 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
206 * elements of zero length are allowed and the set of elements must exactly
207 * fill the length of the block. Returns 1 on success or 0 on failure.
209 static int ssl_next_proto_validate(PACKET *pkt)
213 while (PACKET_remaining(pkt)) {
214 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
215 || PACKET_remaining(&tmp_protocol) == 0)
222 int tls_parse_server_npn(SSL *s, PACKET *pkt, int *al)
224 unsigned char *selected;
225 unsigned char selected_len;
228 if (s->s3->tmp.finish_md_len != 0)
231 /* We must have requested it. */
232 if (s->ctx->next_proto_select_cb == NULL) {
233 *al = SSL_AD_UNSUPPORTED_EXTENSION;
236 /* The data must be valid */
238 if (!ssl_next_proto_validate(&tmppkt)) {
239 *al = SSL_AD_DECODE_ERROR;
242 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len,
244 PACKET_remaining(pkt),
245 s->ctx->next_proto_select_cb_arg) !=
247 *al = SSL_AD_INTERNAL_ERROR;
251 * Could be non-NULL if server has sent multiple NPN extensions in
252 * a single Serverhello
254 OPENSSL_free(s->next_proto_negotiated);
255 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
256 if (s->next_proto_negotiated == NULL) {
257 *al = SSL_AD_INTERNAL_ERROR;
261 memcpy(s->next_proto_negotiated, selected, selected_len);
262 s->next_proto_negotiated_len = selected_len;
263 s->s3->next_proto_neg_seen = 1;
269 int tls_parse_server_alpn(SSL *s, PACKET *pkt, int *al)
273 /* We must have requested it. */
274 if (!s->s3->alpn_sent) {
275 *al = SSL_AD_UNSUPPORTED_EXTENSION;
279 * The extension data consists of:
281 * uint8 proto_length;
282 * uint8 proto[proto_length];
284 if (!PACKET_get_net_2_len(pkt, &len)
285 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
286 || PACKET_remaining(pkt) != len) {
287 *al = SSL_AD_DECODE_ERROR;
290 OPENSSL_free(s->s3->alpn_selected);
291 s->s3->alpn_selected = OPENSSL_malloc(len);
292 if (s->s3->alpn_selected == NULL) {
293 *al = SSL_AD_INTERNAL_ERROR;
296 if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) {
297 *al = SSL_AD_DECODE_ERROR;
300 s->s3->alpn_selected_len = len;
305 #ifndef OPENSSL_NO_SRTP
306 int tls_parse_server_use_srtp(SSL *s, PACKET *pkt, int *al)
308 unsigned int id, ct, mki;
310 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
311 SRTP_PROTECTION_PROFILE *prof;
313 if (!PACKET_get_net_2(pkt, &ct)
314 || ct != 2 || !PACKET_get_net_2(pkt, &id)
315 || !PACKET_get_1(pkt, &mki)
316 || PACKET_remaining(pkt) != 0) {
317 SSLerr(SSL_F_TLS_PARSE_SERVER_USE_SRTP,
318 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
319 *al = SSL_AD_DECODE_ERROR;
324 /* Must be no MKI, since we never offer one */
325 SSLerr(SSL_F_TLS_PARSE_SERVER_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
326 *al = SSL_AD_ILLEGAL_PARAMETER;
330 clnt = SSL_get_srtp_profiles(s);
332 /* Throw an error if the server gave us an unsolicited extension */
334 SSLerr(SSL_F_TLS_PARSE_SERVER_USE_SRTP, SSL_R_NO_SRTP_PROFILES);
335 *al = SSL_AD_DECODE_ERROR;
340 * Check to see if the server gave us something we support (and
341 * presumably offered)
343 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
344 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
346 if (prof->id == id) {
347 s->srtp_profile = prof;
353 SSLerr(SSL_F_TLS_PARSE_SERVER_USE_SRTP,
354 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
355 *al = SSL_AD_DECODE_ERROR;
360 int tls_parse_server_etm(SSL *s, PACKET *pkt, int *al)
362 /* Ignore if inappropriate ciphersuite */
363 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
364 && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
365 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
366 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
371 int tls_parse_server_ems(SSL *s, PACKET *pkt, int *al)
373 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
375 s->session->flags |= SSL_SESS_FLAG_EXTMS;
380 int tls_parse_server_key_share(SSL *s, PACKET *pkt, int *al)
382 unsigned int group_id;
384 EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;
388 *al = SSL_AD_INTERNAL_ERROR;
389 SSLerr(SSL_F_TLS_PARSE_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
393 if (!PACKET_get_net_2(pkt, &group_id)) {
394 *al = SSL_AD_HANDSHAKE_FAILURE;
395 SSLerr(SSL_F_TLS_PARSE_SERVER_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
399 if (group_id != s->s3->group_id) {
401 * This isn't for the group that we sent in the original
404 *al = SSL_AD_HANDSHAKE_FAILURE;
405 SSLerr(SSL_F_TLS_PARSE_SERVER_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
409 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
410 || PACKET_remaining(&encoded_pt) == 0) {
411 *al = SSL_AD_DECODE_ERROR;
412 SSLerr(SSL_F_TLS_PARSE_SERVER_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
416 skey = ssl_generate_pkey(ckey);
418 *al = SSL_AD_INTERNAL_ERROR;
419 SSLerr(SSL_F_TLS_PARSE_SERVER_KEY_SHARE, ERR_R_MALLOC_FAILURE);
422 if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
423 PACKET_remaining(&encoded_pt))) {
424 *al = SSL_AD_DECODE_ERROR;
425 SSLerr(SSL_F_TLS_PARSE_SERVER_KEY_SHARE, SSL_R_BAD_ECPOINT);
429 if (ssl_derive(s, ckey, skey, 1) == 0) {
430 *al = SSL_AD_INTERNAL_ERROR;
431 SSLerr(SSL_F_TLS_PARSE_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
440 static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
442 size_t num_extensions = 0;
443 RAW_EXTENSION *extensions = NULL;
446 #ifndef OPENSSL_NO_NEXTPROTONEG
447 s->s3->next_proto_neg_seen = 0;
449 s->tlsext_ticket_expected = 0;
451 OPENSSL_free(s->s3->alpn_selected);
452 s->s3->alpn_selected = NULL;
454 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
456 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
458 if (!PACKET_as_length_prefixed_2(pkt, &extpkt)) {
459 /* Extensions block may be completely absent in SSLv3 */
460 if (s->version != SSL3_VERSION || PACKET_remaining(pkt) != 0) {
461 *al = SSL_AD_DECODE_ERROR;
462 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_BAD_LENGTH);
465 PACKET_null_init(&extpkt);
469 * TODO(TLS1.3): We give multiple contexts for now until we're ready to
470 * give something more specific
473 if (!tls_collect_extensions(s, &extpkt, EXT_TLS1_2_SERVER_HELLO
474 | EXT_TLS1_3_SERVER_HELLO
475 | EXT_TLS1_3_ENCRYPTED_EXTENSIONS
476 | EXT_TLS1_3_CERTIFICATE,
477 &extensions, &num_extensions, al))
481 * Determine if we need to see RI. Strictly speaking if we want to avoid
482 * an attack we should *always* see RI even on initial server hello
483 * because the client doesn't see any renegotiation during an attack.
484 * However this would mean we could not connect to any server which
485 * doesn't support RI so for the immediate future tolerate RI absence
487 if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
488 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
489 && tls_get_extension_by_type(extensions, num_extensions,
490 TLSEXT_TYPE_renegotiate) == NULL) {
491 *al = SSL_AD_HANDSHAKE_FAILURE;
492 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
493 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
497 if (!tls_parse_all_extensions(s, EXT_TLS1_2_SERVER_HELLO
498 | EXT_TLS1_3_SERVER_HELLO
499 | EXT_TLS1_3_ENCRYPTED_EXTENSIONS
500 | EXT_TLS1_3_CERTIFICATE,
501 extensions, num_extensions, al))
506 * Check extended master secret extension is consistent with
509 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
510 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
511 *al = SSL_AD_HANDSHAKE_FAILURE;
512 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
520 static int ssl_check_serverhello_tlsext(SSL *s)
522 int ret = SSL_TLSEXT_ERR_NOACK;
523 int al = SSL_AD_UNRECOGNIZED_NAME;
525 #ifndef OPENSSL_NO_EC
527 * If we are client and using an elliptic curve cryptography cipher
528 * suite, then if server returns an EC point formats lists extension it
529 * must contain uncompressed.
531 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
532 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
533 if ((s->tlsext_ecpointformatlist != NULL)
534 && (s->tlsext_ecpointformatlist_length > 0)
535 && (s->session->tlsext_ecpointformatlist != NULL)
536 && (s->session->tlsext_ecpointformatlist_length > 0)
537 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
538 /* we are using an ECC cipher */
541 int found_uncompressed = 0;
542 list = s->session->tlsext_ecpointformatlist;
543 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
544 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
545 found_uncompressed = 1;
549 if (!found_uncompressed) {
550 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
551 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
555 ret = SSL_TLSEXT_ERR_OK;
556 #endif /* OPENSSL_NO_EC */
558 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
560 s->ctx->tlsext_servername_callback(s, &al,
561 s->ctx->tlsext_servername_arg);
562 else if (s->initial_ctx != NULL
563 && s->initial_ctx->tlsext_servername_callback != 0)
565 s->initial_ctx->tlsext_servername_callback(s, &al,
567 initial_ctx->tlsext_servername_arg);
570 * Ensure we get sensible values passed to tlsext_status_cb in the event
571 * that we don't receive a status message
573 OPENSSL_free(s->tlsext_ocsp_resp);
574 s->tlsext_ocsp_resp = NULL;
575 s->tlsext_ocsp_resplen = 0;
578 case SSL_TLSEXT_ERR_ALERT_FATAL:
579 ssl3_send_alert(s, SSL3_AL_FATAL, al);
582 case SSL_TLSEXT_ERR_ALERT_WARNING:
583 ssl3_send_alert(s, SSL3_AL_WARNING, al);
586 case SSL_TLSEXT_ERR_NOACK:
587 s->servername_done = 0;
593 int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
596 if (s->version < SSL3_VERSION)
598 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
599 ssl3_send_alert(s, SSL3_AL_FATAL, al);
603 if (ssl_check_serverhello_tlsext(s) <= 0) {
604 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);