cryptlib  3.4.1
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Properties Macros
ssl_ext.c
Go to the documentation of this file.
1 /****************************************************************************
2 * *
3 * cryptlib TLS Extension Management *
4 * Copyright Peter Gutmann 1998-2011 *
5 * *
6 ****************************************************************************/
7 
8 #if defined( INC_ALL )
9  #include "crypt.h"
10  #include "misc_rw.h"
11  #include "session.h"
12  #include "ssl.h"
13 #else
14  #include "crypt.h"
15  #include "enc_dec/misc_rw.h"
16  #include "session/session.h"
17  #include "session/ssl.h"
18 #endif /* Compiler-specific includes */
19 
20 #ifdef USE_SSL
21 
22 /****************************************************************************
23 * *
24 * TLS Extension Definitions *
25 * *
26 ****************************************************************************/
27 
28 /* TLS extension information. Further types are defined at
29  http://www.iana.org/assignments/tls-extensiontype-values.
30 
31  We specify distinct minimum and maximum lengths for client- and server-
32  side use (so minLengthClient is the minimum length that a client can
33  send). A value of CRYPT_ERROR means that this extension isn't valid when
34  sent by the client or server */
35 
36 typedef struct {
37  const int type; /* Extension type */
38  const int minLengthClient, minLengthServer; /* Min.length */
39  const int maxLength; /* Max.length */
40  const char *typeName; /* Name for error messages */
41  } EXT_CHECK_INFO;
42 
43 static const EXT_CHECK_INFO extCheckInfoTbl[] = {
44  /* Server name indication (SNI), RFC 4366:
45 
46  uint16 listLen
47  byte nameType
48  uint16 nameLen
49  byte[] name */
50  { TLS_EXT_SERVER_NAME, 1, 0, 8192,
51  "server name indication" },
52 
53  /* Maximm fragment length, RFC 4366:
54 
55  byte fragmentLength */
56  { TLS_EXT_MAX_FRAGMENT_LENTH, 1, 1, 1,
57  "fragment length" },
58 
59  /* Client certificate URL. This dangerous extension allows a client to
60  direct a server to grope around in arbitrary external (and untrusted)
61  URLs trying to locate certificates, provinding a convenient mechanism
62  for bounce attacks and all manner of similar firewall/trusted-host
63  subversion problems:
64 
65  byte chainType
66  uint16 urlAndHashList
67  uint16 urlLen
68  byte[] url
69  byte hashPresent
70  byte[20] hash -- If hashPresent flag set */
71  { TLS_EXT_CLIENT_CERTIFICATE_URL,
72  1 + UINT16_SIZE + UINT16_SIZE + MIN_URL_SIZE + 1, CRYPT_ERROR, 8192,
73  "client certificate URL" },
74 
75  /* Trusted CA certificate(s), RFC 4366. This allows a client to specify
76  which CA certificates it trusts and by extension which server
77  certificates it trusts, supposedly to reduce handshake messages in
78  constrained clients. Since the server usually has only a single
79  certificate signed by a single CA, specifying the CAs that the client
80  trusts doesn't serve much purpose:
81 
82  uint16 caList
83  byte idType
84  [ choice of keyHash, certHash, or DN, another
85  ASN.1-as-TLS structure ] */
86  { TLS_EXT_TRUSTED_CA_KEYS, UINT16_SIZE + 1, CRYPT_ERROR, 8192,
87  "trusted CA" },
88 
89  /* Truncate the HMAC to a nonstandard 80 bits (rather than the de
90  facto IPsec cargo-cult standard of 96 bits), RFC 4366 */
91  { TLS_EXT_TRUNCATED_HMAC, 0, 0, 0,
92  "truncated HMAC" },
93 
94  /* OCSP status request, RFC 4366. Another bounce-attack enabler, this
95  time on both the server and an OCSP responder:
96 
97  byte statusType
98  uint16 ocspResponderList
99  uint16 responderLength
100  byte[] responder
101  uint16 extensionLength
102  byte[] extensions */
103  { TLS_EXT_STATUS_REQUEST,
104  1 + UINT16_SIZE + UINT16_SIZE + MIN_URL_SIZE + UINT16_SIZE, CRYPT_ERROR, 8192,
105  "OCSP status request" },
106 
107  /* User mapping. Used with a complex RFC 4680 mechanism (the extension
108  itself is in RFC 4681):
109 
110  byte mappingLength
111  byte[] mapping */
112  { TLS_EXT_USER_MAPPING, 1 + 1, CRYPT_ERROR, 1 + 255,
113  "user-mapping" },
114 
115  /* Authorisation exteniosn. From an experimental RFC for adding
116  additional authorisation data to the TLS handshake, RFC 5878:
117 
118  byte authzFormatsList
119  byte authzFormatType
120 
121  with the additional authorisation data being carried in the
122  SupplementalData handshake message */
123  { TLS_EXT_CLIENT_AUTHZ, 1 + 1, CRYPT_ERROR, 1 + 255,
124  "client-authz" },
125  { TLS_EXT_SERVER_AUTHZ, CRYPT_ERROR, 1 + 1, 1 + 255,
126  "server-authz" },
127 
128  /* OpenPGP key. From an experimental (later informational) RFC with
129  support for OpenPGP keys, RFC 5081/6091:
130 
131  byte certTypeListLength
132  byte[] certTypeList */
133  { TLS_EXT_CERTTYPE, 1 + 1, CRYPT_ERROR, 1 + 255,
134  "cert-type (OpenPGP keying)" },
135 
136  /* Supported ECC curve IDs, RFC 4492 modified by RFC 5246/TLS 1.2:
137 
138  uint16 namedCurveListLength
139  uint16[] namedCurve */
140  { TLS_EXT_ELLIPTIC_CURVES, UINT16_SIZE + UINT16_SIZE, CRYPT_ERROR, 512,
141  "ECDH/ECDSA curve ID" },
142 
143  /* Supported ECC point formats, RFC 4492 modified by RFC 5246/TLS 1.2:
144 
145  byte pointFormatListLength
146  byte[] pointFormat */
147  { TLS_EXT_EC_POINT_FORMATS, 1 + 1, 1 + 1, 255,
148  "ECDH/ECDSA point format" },
149 
150  /* SRP user name, RFC 5054:
151 
152  byte userNameLength
153  byte[] userName */
154  { TLS_EXT_SRP, 1 + 1, CRYPT_ERROR, 1 + 255,
155  "SRP username" },
156 
157  /* Signature algorithms, RFC 5246/TLS 1.2:
158 
159  uint16 algorithmListLength
160  byte hashAlgo
161  byte sigAlgo */
162  { TLS_EXT_SIGNATURE_ALGORITHMS, UINT16_SIZE + 1 + 1, CRYPT_ERROR, 512,
163  "signature algorithm" },
164 
165  /* Session ticket, RFC 4507/5077. The client can send a zero-length
166  session ticket to indicate that it supports the extension but doesn't
167  have a session ticket yet, and the server can send a zero-length
168  ticket to indicate that it'll send the client a new ticket later in
169  the handshake. Confusing this even more, the specification says that
170  the client sends "a zero-length ticket" but the server sends "a
171  zero-length extension". The original specification, RFC 4507, was
172  later updated by a second version, RFC 5077, that makes explicit (via
173  Appendix A) the fact that there's no "ticket length" field in the
174  extension, so that the entire extension consists of the opaque ticket
175  data:
176 
177  byte[] sessionTicket (implicit size) */
178  { TLS_EXT_SESSIONTICKET, 0, 0, 8192,
179  "session ticket" },
180 
181  /* Secure renegotiation indication, RFC 5746. See the comment below for
182  why we (apparently) support this even though we don't do
183  renegotiation. We give the length as one, corresponding to zero-
184  length content, the one is for the single-byte length field in the
185  extension itself, set to a value of zero. It can in theory be larger
186  as part of the secure renegotiation process but this would be an
187  indication of an attack since we don't do renegotiation */
188  { TLS_EXT_SECURE_RENEG, 1, 1, 1,
189  "secure renegotiation" },
190 
191  /* End-of-list marker */
192  { CRYPT_ERROR, 0, 0, 0, NULL }, { CRYPT_ERROR, 0, 0, 0, NULL }
193  };
194 
195 /* In addition to the variable-format extenions above we also support the
196  secure-renegotiation extension. This is a strange extension to support
197  because cryptlib doesn't do renegotiation, but we have to send it at the
198  client side in order to avoid being attacked via a (non-cryptlib) server
199  that's vulnerable, and we have to process it on the server side in order
200  to not appear to be a vulnerable server (sigh) */
201 
202 #define RENEG_EXT_SIZE 5
203 #define RENEG_EXT_DATA "\xFF\x01\x00\x01\x00"
204 
205 /****************************************************************************
206 * *
207 * Read TLS Extensions *
208 * *
209 ****************************************************************************/
210 
211 /* Process the list of preferred (or at least supported) ECC curves. This
212  is a somewhat problematic extension because it applies to any use of ECC,
213  so if (for some reason) the server wants to use a P256 ECDH key with a
214  P521 ECDSA signing key then it has to verify that the client reports that
215  it supports both P256 and P521. Since our limiting factor is the ECDSA
216  key that we use for signing, we require that the client report support
217  for the curve that matches our signing key. Support for the
218  corresponding ECDH curve is automatic, since we support all curves for
219  ECDH that are supported for ECDSA:
220 
221  uint16 namedCurveListLength
222  uint16[] namedCurve */
223 
224 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 4, 5 ) ) \
225 static int processSupportedCurveID( INOUT SESSION_INFO *sessionInfoPtr,
226  INOUT STREAM *stream,
227  IN_LENGTH_SHORT_Z const int extLength,
228  OUT_ENUM_OPT( CRYPT_ECCCURVE ) \
229  CRYPT_ECCCURVE_TYPE *preferredCurveIdPtr,
230  OUT_BOOL BOOLEAN *extErrorInfoSet )
231  {
232  static const MAP_TABLE curveIDTbl[] = {
233  { TLS_CURVE_SECP192R1, CRYPT_ECCCURVE_P192 },
234  { TLS_CURVE_SECP224R1, CRYPT_ECCCURVE_P224 },
235  { TLS_CURVE_SECP256R1, CRYPT_ECCCURVE_P256 },
236  { TLS_CURVE_SECP384R1, CRYPT_ECCCURVE_P384 },
237  { TLS_CURVE_SECP521R1, CRYPT_ECCCURVE_P521 },
238  { CRYPT_ERROR, 0 }, { CRYPT_ERROR, 0 }
239  };
240  static const MAP_TABLE curveSizeTbl[] = {
241  { CRYPT_ECCCURVE_P192, bitsToBytes( 192 ) },
242  { CRYPT_ECCCURVE_P224, bitsToBytes( 224 ) },
243  { CRYPT_ECCCURVE_P256, bitsToBytes( 256 ) },
244  { CRYPT_ECCCURVE_P384, bitsToBytes( 384 ) },
245  { CRYPT_ECCCURVE_P521, bitsToBytes( 521 ) },
246  { CRYPT_ERROR, 0 }, { CRYPT_ERROR, 0 }
247  };
248  CRYPT_ECCCURVE_TYPE preferredCurveID = CRYPT_ECCCURVE_NONE;
249  int listLen, keySize, i, status;
250 #ifdef CONFIG_SUITEB_TESTS
251  int curvesSeen = 0;
252 #endif /* CONFIG_SUITEB_TESTS */
253 
254  assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
255  assert( isWritePtr( stream, sizeof( STREAM ) ) );
256  assert( isWritePtr( preferredCurveIdPtr, \
257  sizeof( CRYPT_ECCCURVE_TYPE ) ) );
258 
259  REQUIRES( extLength >= 0 && extLength < MAX_INTLENGTH_SHORT );
260 
261  /* Clear return values */
262  *preferredCurveIdPtr = CRYPT_ECCCURVE_NONE;
263  *extErrorInfoSet = FALSE;
264 
265  /* Get the size of the server's signing key to bound the curve size */
266  status = krnlSendMessage( sessionInfoPtr->privateKey,
267  IMESSAGE_GETATTRIBUTE, &keySize,
268  CRYPT_CTXINFO_KEYSIZE );
269  if( cryptStatusError( status ) )
270  return( status );
271 
272  /* Read and check the ECC curve list header */
273  status = listLen = readUint16( stream );
274  if( cryptStatusError( status ) )
275  return( status );
276  if( listLen != extLength - UINT16_SIZE || \
277  listLen < UINT16_SIZE || listLen > 256 || \
278  ( listLen % UINT16_SIZE ) != 0 )
279  return( CRYPT_ERROR_BADDATA );
280 
281  /* Read the list of curve IDs, recording the most preferred one */
282  for( i = 0; i < listLen / UINT16_SIZE; i++ )
283  {
284  int value, curveID, curveSize;
285 
286  status = value = readUint16( stream );
287  if( cryptStatusError( status ) )
288  return( status );
289  status = mapValue( value, &curveID, curveIDTbl,
290  FAILSAFE_ARRAYSIZE( curveIDTbl, MAP_TABLE ) );
291  if( cryptStatusError( status ) )
292  continue; /* Unrecognised curve type */
293  status = mapValue( curveID, &curveSize, curveSizeTbl,
294  FAILSAFE_ARRAYSIZE( curveSizeTbl, MAP_TABLE ) );
295  ENSURES( cryptStatusOK( status ) );
296 #ifdef CONFIG_SUITEB
297  if( sessionInfoPtr->protocolFlags & SSL_PFLAG_SUITEB )
298  {
299  const int suiteBinfo = \
300  sessionInfoPtr->protocolFlags & SSL_PFLAG_SUITEB;
301 
302  /* Suite B only allows P256 and P384. At the 128-bit level both
303  P256 and P384 are allowed, at the 256-bit level only P384 is
304  allowed */
305  if( curveID != CRYPT_ECCCURVE_P256 && \
306  curveID != CRYPT_ECCCURVE_P384 )
307  continue;
308  if( suiteBinfo == SSL_PFLAG_SUITEB_256 && \
309  curveID == CRYPT_ECCCURVE_P256 )
310  continue;
311  #ifdef CONFIG_SUITEB_TESTS
312  if( suiteBTestValue == SUITEB_TEST_BOTHCURVES )
313  {
314  /* We're checking whether the client sends both curve IDs,
315  remember which ones we've seen so far */
316  if( curveID == CRYPT_ECCCURVE_P256 )
317  curvesSeen |= 1;
318  if( curveID == CRYPT_ECCCURVE_P384 )
319  curvesSeen |= 2;
320  }
321  #endif /* CONFIG_SUITEB_TESTS */
322  }
323 #endif /* CONFIG_SUITEB */
324 
325  /* Make sure that the curve matches the server's signing key */
326  if( curveSize != keySize )
327  continue;
328 
329  /* We've got a matching curve, remember it. In theory we could exit
330  at this point but we continue anyway to clear the remainder of
331  the data */
332  preferredCurveID = curveID;
333  }
334 #ifdef CONFIG_SUITEB_TESTS
335  /* If we're checking for the presence of both P256 and P384 as supported
336  elliptic curves and we don't see them, complain */
337  if( suiteBTestValue == SUITEB_TEST_BOTHCURVES && curvesSeen != 3 )
338  {
339  *extErrorInfoSet = TRUE;
340  retExt( CRYPT_ERROR_INVALID,
341  ( CRYPT_ERROR_INVALID, SESSION_ERRINFO,
342  "Supported elliptic curves extension should have "
343  "contained both P256 and P384 but didn't" ) );
344  }
345 #endif /* CONFIG_SUITEB_TESTS */
346 
347  *preferredCurveIdPtr = preferredCurveID;
348 
349  return( CRYPT_OK );
350  }
351 
352 /* Process the list of signature algorithms that the client can accept.
353  This is a complex and confusing TLS 1.2+ extension with weird
354  requirements attached to it, for example if the client indicates hash
355  algorithm X then the server (section 7.4.2) has to somehow produce a
356  certificate chain signed only using that hash algorithm, as if a
357  particular algorithm choice for TLS use could somehow dictate what
358  algorithms the CA and certificate-processing library that's being used
359  will provide (in addition the spec is rather confused on this issue,
360  giving it first as a MUST and then a paragraph later as a SHOULD). This
361  also makes some certificate signature algorithms like RSA-PSS impossible
362  even if the hash algorithm used is supported by both the TLS and
363  certificate library, because TLS only allows the specification of PKCS
364  #1 v1.5 signatures. What's worse, it creates a situation from which
365  there's no recovery because in the case of a problem all that the server
366  can say is "failed", but not "try again using this algorithm", while
367  returning certificates or a signature with the server's available
368  algorithm (ignoring the requirement to summarily abort the handshake in
369  the case of a mismatch) at least tells the client what the problem is.
370 
371  To avoid this mess we assume that everyone can do SHA-256, the TLS 1.2
372  default. A poll of TLS implementers in early 2011 indicated that
373  everyone else ignores this requirement as well (one implementer described
374  the requirement as "that is not just shooting yourself in the foot, that
375  is shooting 'the whole nine yards' (the entire ammunition belt) in your
376  foot"), so we're pretty safe here. Since the extension isn't valid for
377  earlier versions, we ignore it if we're not using TLS 1.2+:
378 
379  uint16 algorithmListLength
380  byte hashAlgo
381  byte sigAlgo */
382 
383 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3, 5 ) ) \
384 static int processSignatureAlgos( INOUT SESSION_INFO *sessionInfoPtr,
385  INOUT SSL_HANDSHAKE_INFO *handshakeInfo,
386  INOUT STREAM *stream,
387  IN_LENGTH_SHORT_Z const int extLength,
388  OUT_BOOL BOOLEAN *extErrorInfoSet )
389  {
390 #ifdef CONFIG_SUITEB
391  static const MAP_TABLE curveSizeTbl[] = {
392  { bitsToBytes( 256 ), TLS_HASHALGO_SHA2 },
393  { bitsToBytes( 384 ), TLS_HASHALGO_SHA384 },
394  { CRYPT_ERROR, 0 }, { CRYPT_ERROR, 0 }
395  };
396  const int suiteBinfo = sessionInfoPtr->protocolFlags & SSL_PFLAG_SUITEB;
397  int keySize, hashType;
398  #ifdef CONFIG_SUITEB_TESTS
399  int hashesSeen = 0;
400  #endif /* CONFIG_SUITEB_TESTS */
401 #endif /* CONFIG_SUITEB */
402  int listLen, status;
403 
404  assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
405  assert( isWritePtr( handshakeInfo, sizeof( SSL_HANDSHAKE_INFO ) ) );
406  assert( isWritePtr( stream, sizeof( STREAM ) ) );
407 
408  REQUIRES( extLength >= 0 && extLength < MAX_INTLENGTH_SHORT );
409 
410  /* Clear return values */
411  *extErrorInfoSet = FALSE;
412 
413  /* Read and check the signature algorithm list header */
414  status = listLen = readUint16( stream );
415  if( cryptStatusError( status ) )
416  return( status );
417  if( listLen != extLength - UINT16_SIZE || \
418  listLen < 1 + 1 || listLen > 64 + 64 || \
419  ( listLen % UINT16_SIZE ) != 0 )
420  return( CRYPT_ERROR_BADDATA );
421 
422  /* If we're not using TLS 1.2+, skip the extension */
423  if( sessionInfoPtr->version < SSL_MINOR_VERSION_TLS12 )
424  return( sSkip( stream, listLen ) );
425 
426  /* For the more strict handling requirements in Suite B only 256- or
427  384-bit algorithms are allowed at the 128-bit level and only 384-bit
428  algorithms are allowed at the 256-bit level */
429 #ifdef CONFIG_SUITEB
430  /* If we're not running in Suite B mode then there are no additional
431  checks required */
432  if( !suiteBinfo )
433  {
434  handshakeInfo->keyexSigHashAlgo = CRYPT_ALGO_SHA2;
435 
436  return( sSkip( stream, listLen ) );
437  }
438 
439  /* Get the size of the server's signing key to try and match the
440  client's preferred hash size */
441  status = krnlSendMessage( sessionInfoPtr->privateKey,
442  IMESSAGE_GETATTRIBUTE, &keySize,
443  CRYPT_CTXINFO_KEYSIZE );
444  if( cryptStatusError( status ) )
445  return( status );
446  status = mapValue( keySize, &hashType, curveSizeTbl,
447  FAILSAFE_ARRAYSIZE( curveSizeTbl, MAP_TABLE ) );
448  if( cryptStatusError( status ) )
449  {
450  /* Suite B only allows P256 and P384 keys (checked by the higher-
451  level code when we add the server key) so we should never get to
452  this situation */
453  return( status );
454  }
455  handshakeInfo->keyexSigHashAlgo = CRYPT_ALGO_NONE;
456 
457  /* Read the hash and signature algorithms and choose the best one to
458  use */
459  for( ; listLen > 0; listLen -= 1 + 1 )
460  {
461  int hashAlgo, sigAlgo;
462 
463  /* Read the hash and signature algorithm and make sure that it's one
464  that we can use. At the 128-bit level both SHA256 and SHA384 are
465  allowed, at the 256-bit level only SHA384 is allowed */
466  hashAlgo = sgetc( stream ); /* Hash algorithm */
467  status = sigAlgo = sgetc( stream ); /* Sig.algorithm */
468  if( cryptStatusError( status ) )
469  return( status );
470  if( sigAlgo != TLS_SIGALGO_ECDSA || \
471  ( hashAlgo != TLS_HASHALGO_SHA2 && \
472  hashAlgo != TLS_HASHALGO_SHA384 ) )
473  continue;
474  if( suiteBinfo == SSL_PFLAG_SUITEB_256 && \
475  hashAlgo != TLS_HASHALGO_SHA384 )
476  continue;
477  #ifdef CONFIG_SUITEB_TESTS
478  if( suiteBTestValue == SUITEB_TEST_BOTHSIGALGOS )
479  {
480  /* We're checking whether the client sends both hash algorithm
481  IDs, remember which ones we've seen so far */
482  if( hashAlgo == TLS_HASHALGO_SHA2 )
483  hashesSeen |= 1;
484  if( hashAlgo == TLS_HASHALGO_SHA384 )
485  hashesSeen |= 2;
486  }
487  #endif /* CONFIG_SUITEB_TESTS */
488 
489  /* In addition to the general validity checks, the hash type also has
490  to match the server's key size */
491  if( hashType != hashAlgo )
492  continue;
493 
494  /* We've found one that we can use, set the appropriate variant.
495  Note that since SHA384 is just a variant of SHA2, we always
496  choose this if it's available. Even if the order given is
497  { SHA384, SHA256 } the parameter value for the original SHA384
498  will remain set when SHA256 is subsequently read */
499  handshakeInfo->keyexSigHashAlgo = CRYPT_ALGO_SHA2;
500  if( hashAlgo == TLS_HASHALGO_SHA384 )
501  handshakeInfo->keyexSigHashAlgoParam = bitsToBytes( 384 );
502  }
503 
504  /* For Suite B the client must send either SHA256 or SHA384 as an
505  option */
506  if( handshakeInfo->keyexSigHashAlgo == CRYPT_ALGO_NONE )
507  {
508  *extErrorInfoSet = TRUE;
509  retExt( CRYPT_ERROR_INVALID,
510  ( CRYPT_ERROR_INVALID, SESSION_ERRINFO,
511  "Signature algorithms extension should have "
512  "contained %sP384/SHA384 but didn't",
513  ( suiteBinfo != SSL_PFLAG_SUITEB_256 ) ? \
514  "P256/SHA256 and/or " : "" ) );
515  }
516 #ifdef CONFIG_SUITEB_TESTS
517  /* If we're checking for the presence of both SHA256 and SHA384 as
518  supported hash algorithms and we don't see them, complain */
519  if( suiteBTestValue == SUITEB_TEST_BOTHSIGALGOS && hashesSeen != 3 )
520  {
521  *extErrorInfoSet = TRUE;
522  retExt( CRYPT_ERROR_INVALID,
523  ( CRYPT_ERROR_INVALID, SESSION_ERRINFO,
524  "Signature algortithms extension should have contained "
525  "both P256/SHA256 and P384/SHA384 but didn't" ) );
526  }
527 #endif /* CONFIG_SUITEB_TESTS */
528 
529  return( CRYPT_OK );
530 #else
531  handshakeInfo->keyexSigHashAlgo = CRYPT_ALGO_SHA2;
532 
533  return( sSkip( stream, listLen ) );
534 #endif /* CONFIG_SUITEB */
535  }
536 
537 /* Process a single extension. The internal structure of some of these
538  things shows that they were created by ASN.1 people... */
539 
540 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3, 6 ) ) \
541 static int processExtension( INOUT SESSION_INFO *sessionInfoPtr,
542  INOUT SSL_HANDSHAKE_INFO *handshakeInfo,
543  INOUT STREAM *stream,
544  IN_RANGE( 0, 65536 ) const int type,
545  IN_LENGTH_SHORT_Z const int extLength,
546  OUT_BOOL BOOLEAN *extErrorInfoSet )
547  {
548  int value, listLen, status;
549 
550  assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
551  assert( isWritePtr( handshakeInfo, sizeof( SSL_HANDSHAKE_INFO ) ) );
552  assert( isWritePtr( stream, sizeof( STREAM ) ) );
553 
554  REQUIRES( type >= 0 && type <= 65536 );
555  REQUIRES( extLength >= 0 && extLength < MAX_INTLENGTH_SHORT );
556 
557  /* Clear return values */
558  *extErrorInfoSet = FALSE;
559 
560  switch( type )
561  {
562  case TLS_EXT_SERVER_NAME:
563  /* Response: Send zero-length reply to peer:
564 
565  uint16 listLen
566  byte nameType
567  uint16 nameLen
568  byte[] name
569 
570  If we're the client and we sent this extension to the server
571  then the server may responed with a zero-length server-name
572  extension for no immediately obvious purpose (if the server
573  doesn't recognise the name then it's required to send an
574  'unrecognised-name' alert so any non-alert return means that
575  the value was accepted, but for some reason it's required to
576  send a zero-length response anyway), in which case we have to
577  special-case the check for this */
578  if( !isServer( sessionInfoPtr ) )
579  {
580  if( extLength <= 0 )
581  return( CRYPT_OK );
582  }
583  else
584  {
585  /* Remember that we've seen the server-name extension so that
586  we can send a zero-length reply to the client */
587  handshakeInfo->needSNIResponse = TRUE;
588  }
589  status = listLen = readUint16( stream );
590  if( cryptStatusError( status ) )
591  return( status );
592  if( listLen != extLength - UINT16_SIZE || \
593  listLen < 1 + UINT16_SIZE || \
594  listLen >= MAX_INTLENGTH_SHORT || \
595  ( listLen % UINT16_SIZE ) != 0 )
596  return( CRYPT_ERROR_BADDATA );
597 
598  /* Parsing of further SEQUENCE OF SEQUENCE data omitted */
599  return( sSkip( stream, listLen ) );
600 
601  case TLS_EXT_MAX_FRAGMENT_LENTH:
602  {
603 /* static const int fragmentTbl[] = \
604  { 0, 512, 1024, 2048, 4096, 8192, 16384, 16384 }; */
605 
606  /* Response: If fragment-size == 3...5, send same to peer. Note
607  that we also allow a fragment-size value of 5, which isn't
608  specified in the standard but should probably be present
609  since it would otherwise result in a missing value between
610  4096 and the default of 16384:
611 
612  byte fragmentLength */
613  status = value = sgetc( stream );
614  if( cryptStatusError( status ) )
615  return( status );
616  if( value < 1 || value > 5 )
617  return( CRYPT_ERROR_BADDATA );
618 
619 /* sessionInfoPtr->maxPacketSize = fragmentTbl[ value ]; */
620  return( CRYPT_OK );
621  }
622 
623  case TLS_EXT_ELLIPTIC_CURVES:
624  {
625  CRYPT_ECCCURVE_TYPE preferredCurveID;
626 
627  /* Read and process the list of preferred curves */
628  status = processSupportedCurveID( sessionInfoPtr, stream,
629  extLength, &preferredCurveID,
630  extErrorInfoSet );
631  if( cryptStatusError( status ) )
632  return( status );
633 
634  /* If we couldn't find a curve that we have in common with the
635  other side, disable the use of ECC algorithms. This is a
636  somewhat nasty failure mode because it means that something
637  like a buggy implementation that sends the wrong hello
638  extension (which is rather more likely than, say, an
639  implementation not supporting the de facto universal-standard
640  NIST curves) means that the crypto is quietly switched to
641  non-ECC with the user being none the wiser, but there's no
642  way for an implementation to negotiate ECC-only encryption */
643  if( preferredCurveID == CRYPT_ECCCURVE_NONE )
644  handshakeInfo->disableECC = TRUE;
645  else
646  handshakeInfo->eccCurveID = preferredCurveID;
647 
648  return( CRYPT_OK );
649  }
650 
651  case TLS_EXT_EC_POINT_FORMATS:
652  /* We don't really need to process this extension because every
653  implementation is required to support uncompressed points (it
654  also seems to be the universal standard that everyone uses by
655  default anyway) so all that we do is treat the presence of
656  the overall extension as an indicator that we should send
657  back our own one in the server hello:
658 
659  byte pointFormatListLength
660  byte[] pointFormat */
661  if( extLength > 0 )
662  {
663  status = sSkip( stream, extLength );
664  if( cryptStatusError( status ) )
665  return( status );
666  }
667  handshakeInfo->sendECCPointExtn = TRUE;
668 
669  return( CRYPT_OK );
670 
671  case TLS_EXT_SIGNATURE_ALGORITHMS:
672  /* Read and process the list of signature algorithms */
673  return( processSignatureAlgos( sessionInfoPtr, handshakeInfo,
674  stream, extLength,
675  extErrorInfoSet ) );
676 
677  case TLS_EXT_SECURE_RENEG:
678  /* If we get a nonzero length for this extension (the '1' is the
679  initial length byte at the start) then it's an indication of
680  an attack. The status code to return here is a bit
681  uncertain, but CRYPT_ERROR_INVALID seems to be the least
682  inappropriate */
683  if( extLength != 1 || sgetc( stream ) != 0 )
684  return( CRYPT_ERROR_INVALID );
685 
686  /* If we're the server, remember that we have to echo the
687  extension back to the client */
688  if( isServer( sessionInfoPtr ) )
689  handshakeInfo->needRenegResponse = TRUE;
690 
691  return( CRYPT_OK );
692 
693  default:
694  /* Default: Ignore the extension */
695  if( extLength > 0 )
696  {
697  status = sSkip( stream, extLength );
698  if( cryptStatusError( status ) )
699  return( status );
700  }
701 
702  return( CRYPT_OK );
703  }
704 
705  retIntError();
706  }
707 
708 /* Read TLS extensions */
709 
710 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3 ) ) \
711 int readExtensions( INOUT SESSION_INFO *sessionInfoPtr,
712  INOUT SSL_HANDSHAKE_INFO *handshakeInfo,
713  INOUT STREAM *stream,
714  IN_LENGTH_SHORT const int length )
715  {
716  const int endPos = stell( stream ) + length;
717  int minPayloadLength = 1, extListLen, noExtensions, status;
718 
719  assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
720  assert( isWritePtr( handshakeInfo, sizeof( SSL_HANDSHAKE_INFO ) ) );
721  assert( isWritePtr( stream, sizeof( STREAM ) ) );
722 
723  REQUIRES( length > 0 && length < MAX_INTLENGTH_SHORT );
724  REQUIRES( endPos > 0 && endPos < MAX_INTLENGTH_SHORT );
725 
726  /* If we're the client and we've sent a server-name extension to the
727  server, the server can optionally send back a zero-length server-name
728  extension for no immediately obvious purpose, in which case the
729  minimum payload length may be zero */
730  if( !isServer( sessionInfoPtr ) && \
731  sessionInfoPtr->version >= SSL_MINOR_VERSION_TLS )
732  minPayloadLength = 0;
733 
734  /* Read the extension header and make sure that it's valid:
735 
736  uint16 extListLen
737  uint16 extType
738  uint16 extLen
739  byte[] extData */
740  if( length < UINT16_SIZE + UINT16_SIZE + UINT16_SIZE + minPayloadLength )
741  {
742  retExt( CRYPT_ERROR_BADDATA,
743  ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
744  "TLS hello contains %d bytes extraneous data", length ) );
745  }
746  status = extListLen = readUint16( stream );
747  if( cryptStatusError( status ) )
748  {
749  retExt( CRYPT_ERROR_BADDATA,
750  ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
751  "Invalid TLS extension information" ) );
752  }
753  if( extListLen != length - UINT16_SIZE )
754  {
755  retExt( CRYPT_ERROR_BADDATA,
756  ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
757  "Invalid TLS extension data length %d, should be %d",
758  extListLen, length - UINT16_SIZE ) );
759  }
760 
761  /* Process the extensions */
762  for( noExtensions = 0; stell( stream ) < endPos && \
763  noExtensions < FAILSAFE_ITERATIONS_MED;
764  noExtensions++ )
765  {
766  const EXT_CHECK_INFO *extCheckInfoPtr = NULL;
767  BOOLEAN extErrorInfoSet;
768  int type, extLen, i;
769 
770  /* Read the header for the next extension and get the extension-
771  checking information. The length check at this point is just a
772  generic sanity check, more specific checking is done once we've
773  got the extension type-specific information */
774  type = readUint16( stream );
775  status = extLen = readUint16( stream );
776  if( cryptStatusError( status ) || \
777  extLen < 0 || extLen > MAX_PACKET_SIZE )
778  {
779  retExt( CRYPT_ERROR_BADDATA,
780  ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
781  "Invalid TLS extension list item header" ) );
782  }
783  for( i = 0; extCheckInfoTbl[ i ].type != CRYPT_ERROR && \
784  i < FAILSAFE_ARRAYSIZE( extCheckInfoTbl, EXT_CHECK_INFO );
785  i++ )
786  {
787  if( extCheckInfoTbl[ i ].type == type )
788  {
789  extCheckInfoPtr = &extCheckInfoTbl[ i ];
790  break;
791  }
792  }
793  ENSURES( i < FAILSAFE_ARRAYSIZE( extCheckInfoTbl, EXT_CHECK_INFO ) );
794  if( extCheckInfoPtr != NULL )
795  {
796  const int minLength = isServer( sessionInfoPtr ) ? \
797  extCheckInfoPtr->minLengthClient : \
798  extCheckInfoPtr->minLengthServer;
799 
800  /* Perform any necessary initial checking of the extension */
801  if( minLength == CRYPT_ERROR )
802  {
803  retExt( CRYPT_ERROR_BADDATA,
804  ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
805  "Received disallowed TLS %s extension from %s",
806  extCheckInfoPtr->typeName,
807  isServer( sessionInfoPtr ) ? "server" : "client" ) );
808  }
809  if( extLen < minLength || extLen > extCheckInfoPtr->maxLength )
810  {
811  retExt( CRYPT_ERROR_BADDATA,
812  ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
813  "Invalid TLS %s extension length %d, should be "
814  "%d...%d", extCheckInfoPtr->typeName, extLen,
815  minLength, extCheckInfoPtr->maxLength ) );
816  }
817  }
818  DEBUG_PRINT(( "Read extension %s (%d), length %d.\n",
819  ( extCheckInfoPtr != NULL ) ? \
820  extCheckInfoPtr->typeName : "<Unknown>", type, extLen ));
821  DEBUG_DUMP_STREAM( stream, stell( stream ), extLen );
822 
823  /* Process the extension data */
824  status = processExtension( sessionInfoPtr, handshakeInfo, stream,
825  type, extLen, &extErrorInfoSet );
826  if( cryptStatusError( status ) )
827  {
828  if( extErrorInfoSet )
829  return( status );
830  if( extCheckInfoPtr != NULL )
831  {
832  retExt( CRYPT_ERROR_BADDATA,
833  ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
834  "Invalid TLS %s extension data",
835  extCheckInfoPtr->typeName ) );
836  }
837  retExt( CRYPT_ERROR_BADDATA,
838  ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
839  "Invalid TLS extension data for extension "
840  "type %d", type ) );
841  }
842  }
843  if( noExtensions >= FAILSAFE_ITERATIONS_MED )
844  {
845  retExt( CRYPT_ERROR_OVERFLOW,
846  ( CRYPT_ERROR_OVERFLOW, SESSION_ERRINFO,
847  "Excessive number (%d) of TLS extensions encountered",
848  noExtensions ) );
849  }
850 
851  return( CRYPT_OK );
852  }
853 
854 /****************************************************************************
855 * *
856 * Write TLS Extensions *
857 * *
858 ****************************************************************************/
859 
860 /* Write the list of supported signature and hash algorithms as a
861  combinatorial explosion of { hash, sig } algorithm pairs (they're called
862  SignatureAndHashAlgorithm in the spec, but are actually encoded as
863  HashAndSignatureAlgorithm). This is used both for extensions and for the
864  TLS 1.2 signature format.
865 
866  This gets a bit complicated because we both have to emit the values in
867  preferred-algorithm order and some combinations aren't available, so
868  instead of simply iterating down two lists we have to exhaustively
869  enumerate each possible algorithm combination */
870 
871 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \
872 static int writeSigHashAlgoList( STREAM *stream )
873  {
874  typedef struct {
875  CRYPT_ALGO_TYPE sigAlgo, hashAlgo;
876  TLS_SIGALGO_TYPE tlsSigAlgoID;
877  TLS_HASHALGO_TYPE tlsHashAlgoID;
878  } SIG_HASH_INFO;
879  static const SIG_HASH_INFO algoTbl[] = {
880  { CRYPT_ALGO_RSA, CRYPT_ALGO_SHAng,
881  TLS_SIGALGO_RSA, 255 },
882  { CRYPT_ALGO_RSA, CRYPT_ALGO_SHA2,
883  TLS_SIGALGO_RSA, TLS_HASHALGO_SHA2 },
884  { CRYPT_ALGO_RSA, CRYPT_ALGO_SHA1,
885  TLS_SIGALGO_RSA, TLS_HASHALGO_SHA1 },
886  { CRYPT_ALGO_DSA, CRYPT_ALGO_SHAng,
887  TLS_SIGALGO_DSA, 255 },
888  { CRYPT_ALGO_DSA, CRYPT_ALGO_SHA2,
889  TLS_SIGALGO_DSA, TLS_HASHALGO_SHA2 },
890  { CRYPT_ALGO_DSA, CRYPT_ALGO_SHA1,
891  TLS_SIGALGO_DSA, TLS_HASHALGO_SHA1 },
892  { CRYPT_ALGO_ECDSA, CRYPT_ALGO_SHAng,
893  TLS_SIGALGO_ECDSA, 255 },
894 #ifdef CONFIG_SUITEB
895  { CRYPT_ALGO_ECDSA, CRYPT_ALGO_SHA2,
896  TLS_SIGALGO_ECDSA, TLS_HASHALGO_SHA384 },
897 #endif /* CONFIG_SUITEB */
898  { CRYPT_ALGO_ECDSA, CRYPT_ALGO_SHA2,
899  TLS_SIGALGO_ECDSA, TLS_HASHALGO_SHA2 },
900  { CRYPT_ALGO_ECDSA, CRYPT_ALGO_SHA1,
901  TLS_SIGALGO_ECDSA, TLS_HASHALGO_SHA1 },
902  { CRYPT_ALGO_NONE, CRYPT_ERROR }, { CRYPT_ALGO_NONE, CRYPT_ERROR }
903  };
904  BYTE algoList[ 32 + 8 ];
905  int algoIndex = 0, i;
906 
907  /* Determine which signature and hash algorithms are available for use */
908  for( i = 0; algoTbl[ i ].sigAlgo != CRYPT_ALGO_NONE && \
909  i < FAILSAFE_ARRAYSIZE( algoTbl, SIG_HASH_INFO ); i++ )
910  {
911  const CRYPT_ALGO_TYPE sigAlgo = algoTbl[ i ].sigAlgo;
912 
913  /* If the given signature algorithm isn't enabled, skip any further
914  occurrences of this algorithm */
915  if( !algoAvailable( sigAlgo ) )
916  {
917  while( algoTbl[ i ].sigAlgo == sigAlgo && \
918  i < FAILSAFE_ARRAYSIZE( algoTbl, SIG_HASH_INFO ) )
919  i++;
920  ENSURES( i < FAILSAFE_ARRAYSIZE( algoTbl, SIG_HASH_INFO ) );
921  i--; /* Adjust for increment also done in outer loop */
922 
923  continue;
924  }
925 
926  /* If the hash algorithm isn't enabled, skip this entry */
927  if( !algoAvailable( algoTbl[ i ].hashAlgo ) )
928  continue;
929 
930  /* Add the TLS IDs for this signature and hash algorithm combination.
931  Although the record is called SignatureAndHashAlgorithm, what's
932  written first is the hash algorithm and not the signature
933  algorithm */
934  algoList[ algoIndex++ ] = intToByte( algoTbl[ i ].tlsHashAlgoID );
935  algoList[ algoIndex++ ] = intToByte( algoTbl[ i ].tlsSigAlgoID );
936  ENSURES( algoIndex <= 32 );
937  }
938  ENSURES( i < FAILSAFE_ARRAYSIZE( algoTbl, SIG_HASH_INFO ) );
939 
940  /* Write the combination of hash and signature algorithms */
941  writeUint16( stream, algoIndex );
942  return( swrite( stream, algoList, algoIndex ) );
943  }
944 
945 /* Write the server name indication (SNI) */
946 
947 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \
948 static int writeServerName( INOUT STREAM *stream,
949  INOUT SESSION_INFO *sessionInfoPtr )
950  {
951  const ATTRIBUTE_LIST *serverNamePtr = \
952  findSessionInfo( sessionInfoPtr->attributeList,
953  CRYPT_SESSINFO_SERVER_NAME );
954  URL_INFO urlInfo;
955  int status;
956 
957  assert( isWritePtr( stream, sizeof( STREAM ) ) );
958  assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
959 
960  REQUIRES( serverNamePtr != NULL );
961 
962  /* Extract the server FQDN from the overall server name value */
963  status = sNetParseURL( &urlInfo, serverNamePtr->value,
964  serverNamePtr->valueLength, URL_TYPE_HTTPS );
965  if( cryptStatusError( status ) )
966  return( status );
967 
968  /* Write the server name */
969  writeUint16( stream, 1 + UINT16_SIZE + urlInfo.hostLen );
970  sputc( stream, 0 ); /* Type = DNS name */
971  writeUint16( stream, urlInfo.hostLen );
972  return( swrite( stream, urlInfo.host, urlInfo.hostLen ) );
973  }
974 
975 /* Write TLS extensions */
976 
977 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \
978 int writeClientExtensions( INOUT STREAM *stream,
979  INOUT SESSION_INFO *sessionInfoPtr )
980  {
981  STREAM nullStream;
982  const void *eccCurveInfoPtr = DUMMY_INIT_PTR;
983  int serverNameExtLen = DUMMY_INIT, sigHashHdrLen = 0, sigHashExtLen = 0;
984  int eccCurveTypeLen = DUMMY_INIT, eccInfoLen = 0, status;
985 
986  assert( isWritePtr( stream, sizeof( STREAM ) ) );
987  assert( isWritePtr( sessionInfoPtr, sizeof( SESSION_INFO ) ) );
988 
989  REQUIRES( sessionInfoPtr->version >= SSL_MINOR_VERSION_TLS );
990 
991  /* Determine the overall length of the extension data, first the server
992  name indication (SNI) */
993  sMemNullOpen( &nullStream );
994  status = writeServerName( &nullStream, sessionInfoPtr );
995  if( cryptStatusOK( status ) )
996  serverNameExtLen = stell( &nullStream );
997  sMemClose( &nullStream );
998  if( cryptStatusError( status ) )
999  return( status );
1000 
1001  /* Signature and hash algorithms. These are only used with TLS 1.2+ so
1002  we only write them if we're using these versions of the protocol */
1003  if( sessionInfoPtr->version >= SSL_MINOR_VERSION_TLS12 )
1004  {
1005  sMemNullOpen( &nullStream );
1006  status = writeSigHashAlgoList( &nullStream );
1007  if( cryptStatusOK( status ) )
1008  {
1009  sigHashHdrLen = UINT16_SIZE + UINT16_SIZE;
1010  sigHashExtLen = stell( &nullStream );
1011  }
1012  sMemClose( &nullStream );
1013  if( cryptStatusError( status ) )
1014  return( status );
1015  }
1016 
1017  /* ECC information. This is only sent if we're proposing ECC suites in
1018  the client hello */
1019  if( algoAvailable( CRYPT_ALGO_ECDH ) && \
1020  algoAvailable( CRYPT_ALGO_ECDSA ) )
1021  {
1022  static const BYTE eccCurveInfo[] = {
1023  0, TLS_CURVE_SECP521R1, 0, TLS_CURVE_SECP384R1,
1024  0, TLS_CURVE_SECP256R1, 0, TLS_CURVE_SECP224R1,
1025  0, TLS_CURVE_SECP192R1, 0, 0
1026  };
1027 
1028 #ifdef CONFIG_SUITEB
1029  if( sessionInfoPtr->protocolFlags & SSL_PFLAG_SUITEB )
1030  {
1031  static const BYTE eccCurveSuiteB128Info[] = {
1032  0, TLS_CURVE_SECP256R1, 0, TLS_CURVE_SECP384R1, 0, 0
1033  };
1034  static const BYTE eccCurveSuiteB256Info[] = {
1035  0, TLS_CURVE_SECP384R1, 0, 0
1036  };
1037  const int suiteBinfo = \
1038  sessionInfoPtr->protocolFlags & SSL_PFLAG_SUITEB;
1039 
1040  if( suiteBinfo == SSL_PFLAG_SUITEB_128 )
1041  {
1042  eccCurveInfoPtr = eccCurveSuiteB128Info;
1043  eccCurveTypeLen = 2 * UINT16_SIZE;
1044  }
1045  else
1046  {
1047  eccCurveInfoPtr = eccCurveSuiteB256Info;
1048  eccCurveTypeLen = UINT16_SIZE;
1049  }
1050  #ifdef CONFIG_SUITEB_TESTS
1051  /* In some cases for test purposes we have to send invalid ECC
1052  information */
1053  if( suiteBTestValue == SUITEB_TEST_CLIINVALIDCURVE )
1054  {
1055  static const BYTE eccCurveSuiteBInvalidInfo[] = {
1056  0, TLS_CURVE_SECP521R1, 0, 0, TLS_CURVE_SECP192R1, 0, 0
1057  };
1058 
1059  eccCurveInfoPtr = eccCurveSuiteBInvalidInfo;
1060  eccCurveTypeLen = 2 * UINT16_SIZE;
1061  }
1062  #endif /* CONFIG_SUITEB_TESTS */
1063  }
1064  else
1065 #endif /* CONFIG_SUITEB */
1066  {
1067  eccCurveInfoPtr = eccCurveInfo;
1068  eccCurveTypeLen = 5 * UINT16_SIZE;
1069  }
1070  eccInfoLen = UINT16_SIZE + UINT16_SIZE + \
1071  UINT16_SIZE + eccCurveTypeLen;
1072  eccInfoLen += UINT16_SIZE + UINT16_SIZE + 1 + 1;
1073  }
1074 
1075  /* Write the list of extensions */
1076  writeUint16( stream, UINT16_SIZE + UINT16_SIZE + serverNameExtLen + \
1077  RENEG_EXT_SIZE + sigHashHdrLen + sigHashExtLen + \
1078  eccInfoLen );
1079  writeUint16( stream, TLS_EXT_SERVER_NAME );
1080  writeUint16( stream, serverNameExtLen );
1081  status = writeServerName( stream, sessionInfoPtr );
1082  if( cryptStatusError( status ) )
1083  return( status );
1084  DEBUG_PRINT(( "Wrote extension server name indication (%d), length %d.\n",
1085  TLS_EXT_SERVER_NAME, serverNameExtLen ));
1086  DEBUG_DUMP_STREAM( stream, stell( stream ) - serverNameExtLen,
1087  serverNameExtLen );
1088  status = swrite( stream, RENEG_EXT_DATA, RENEG_EXT_SIZE );
1089  if( cryptStatusError( status ) )
1090  return( status );
1091  DEBUG_PRINT(( "Wrote extension secure renegotiation (%d), length 1.\n",
1092  TLS_EXT_SECURE_RENEG ));
1093  DEBUG_DUMP_STREAM( stream, stell( stream ) - 1, 1 );
1094  if( sigHashExtLen > 0 )
1095  {
1096  writeUint16( stream, TLS_EXT_SIGNATURE_ALGORITHMS );
1097  writeUint16( stream, sigHashExtLen );
1098  status = writeSigHashAlgoList( stream );
1099  if( cryptStatusError( status ) )
1100  return( status );
1101  DEBUG_PRINT(( "Wrote extension signature algorithm (%d), length %d.\n",
1102  TLS_EXT_SIGNATURE_ALGORITHMS, sigHashExtLen ));
1103  DEBUG_DUMP_STREAM( stream,
1104  stell( stream ) - sigHashExtLen, sigHashExtLen );
1105  }
1106  if( eccInfoLen > 0 )
1107  {
1108  /* Write the ECC curve type extension */
1109  writeUint16( stream, TLS_EXT_ELLIPTIC_CURVES );
1110  writeUint16( stream, UINT16_SIZE + eccCurveTypeLen );/* Ext.len */
1111  writeUint16( stream, eccCurveTypeLen ); /* Curve list len.*/
1112  status = swrite( stream, eccCurveInfoPtr, eccCurveTypeLen );
1113  if( cryptStatusError( status ) ) /* Curve list */
1114  return( status );
1115  DEBUG_PRINT(( "Wrote extension ECC curve type (%d), length %d.\n",
1116  TLS_EXT_ELLIPTIC_CURVES, eccCurveTypeLen ));
1117  DEBUG_DUMP_STREAM( stream,
1118  stell( stream ) - ( UINT16_SIZE + eccCurveTypeLen ),
1119  UINT16_SIZE + eccCurveTypeLen );
1120 
1121  /* Write the ECC point format extension */
1122  writeUint16( stream, TLS_EXT_EC_POINT_FORMATS );
1123  writeUint16( stream, 1 + 1 ); /* Extn. length */
1124  sputc( stream, 1 ); /* Point-format list len.*/
1125  status = sputc( stream, 0 ); /* Uncompressed points */
1126  if( cryptStatusError( status ) )
1127  return( status );
1128  DEBUG_PRINT(( "Wrote extension ECC point format (%d), length %d.\n",
1129  TLS_EXT_EC_POINT_FORMATS, 1 + 1 ));
1130  DEBUG_DUMP_STREAM( stream, stell( stream ) - 1 + 1, 1 + 1 );
1131  }
1132  return( status );
1133  }
1134 
1135 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \
1136 int writeServerExtensions( INOUT STREAM *stream,
1137  INOUT SSL_HANDSHAKE_INFO *handshakeInfo )
1138  {
1139  int extListLen = 0, status;
1140 
1141  assert( isWritePtr( stream, sizeof( STREAM ) ) );
1142  assert( isWritePtr( handshakeInfo, sizeof( SSL_HANDSHAKE_INFO ) ) );
1143 
1144  /* Calculate the size of the extensions */
1145  if( isEccAlgo( handshakeInfo->keyexAlgo ) && \
1146  handshakeInfo->sendECCPointExtn )
1147  extListLen += UINT16_SIZE + UINT16_SIZE + 1 + 1;
1148  if( handshakeInfo->needSNIResponse )
1149  extListLen += UINT16_SIZE + UINT16_SIZE;
1150  if( handshakeInfo->needRenegResponse )
1151  extListLen += RENEG_EXT_SIZE;
1152  if( extListLen <= 0 )
1153  {
1154  /* No extensions to write, we're done */
1155  return( CRYPT_OK );
1156  }
1157 
1158  /* Write the overall extension list length */
1159  writeUint16( stream, extListLen );
1160 
1161  /* If the client sent an SNI extension then we have to acknowledge it
1162  with a zero-length SNI extension response. This is slightly
1163  dishonest because we haven't passed the SNI data back to the caller,
1164  but SNI will (at some point in the future) be sent by default by
1165  clients and since we're highly unlikely to be used with multihomed
1166  servers but likely to be used in oddball environments like ones
1167  without DNS we just accept any SNI and allow a connect. SNI is
1168  merely a courtesy notification to allow selection of the correct
1169  server certificate for multihomed servers with the actual virtual-
1170  host management being done via the HTTP Host: header, so not making
1171  use of it isn't a real problem */
1172  if( handshakeInfo->needSNIResponse )
1173  {
1174  writeUint16( stream, TLS_EXT_SERVER_NAME );
1175  status = writeUint16( stream, 0 );
1176  if( cryptStatusError( status ) )
1177  return( status );
1178  DEBUG_PRINT(( "Wrote extension extension server name indication (%d), "
1179  "length 0.\n", TLS_EXT_SERVER_NAME, 0 ));
1180  }
1181 
1182  /* If the client sent a secure-renegotiation indicator we have to send a
1183  response even though we don't support renegotiation. See the comment
1184  by extCheckInfoTbl for why this odd behaviour is necessary */
1185  if( handshakeInfo->needRenegResponse )
1186  {
1187  status = swrite( stream, RENEG_EXT_DATA, RENEG_EXT_SIZE );
1188  if( cryptStatusError( status ) )
1189  return( status );
1190  DEBUG_PRINT(( "Wrote extension secure renegotiation (%d), length 1.\n",
1191  TLS_EXT_SECURE_RENEG ));
1192  DEBUG_DUMP_STREAM( stream, stell( stream ) - 1, 1 );
1193  }
1194 
1195  /* If the client sent ECC extensions and we've negotiated an ECC cipher
1196  suite, send back the appropriate response. We don't have to send
1197  back the curve ID that we've chosen because this is communicated
1198  explicitly in the server keyex */
1199  if( isEccAlgo( handshakeInfo->keyexAlgo ) && \
1200  handshakeInfo->sendECCPointExtn )
1201  {
1202  writeUint16( stream, TLS_EXT_EC_POINT_FORMATS );
1203  writeUint16( stream, 1 + 1 ); /* Extn. length */
1204  sputc( stream, 1 ); /* Point-format list len.*/
1205  status = sputc( stream, 0 ); /* Uncompressed points */
1206  if( cryptStatusError( status ) )
1207  return( status );
1208  DEBUG_PRINT(( "Wrote extension ECC point format (%d), length %d.\n",
1209  TLS_EXT_EC_POINT_FORMATS, 1 + 1 ));
1210  DEBUG_DUMP_STREAM( stream, stell( stream ) - 1 + 1, 1 + 1 );
1211  }
1212 
1213  return( CRYPT_OK );
1214  }
1215 #endif /* USE_SSL */
Generated on Thu Jan 10 2013 10:00:53 for cryptlib by   doxygen 1.8.2