]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/t1_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Run util/openssl-format-source -v -c .
[thirdparty/openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #include <stdio.h>
60 #include <openssl/objects.h>
61 #include <openssl/evp.h>
62 #include <openssl/hmac.h>
63 #include <openssl/ocsp.h>
64 #include "ssl_locl.h"
65
66 const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
67
68 #ifndef OPENSSL_NO_TLSEXT
69 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
70 const unsigned char *sess_id, int sesslen,
71 SSL_SESSION **psess);
72 #endif
73
74 SSL3_ENC_METHOD TLSv1_enc_data = {
75 tls1_enc,
76 tls1_mac,
77 tls1_setup_key_block,
78 tls1_generate_master_secret,
79 tls1_change_cipher_state,
80 tls1_final_finish_mac,
81 TLS1_FINISH_MAC_LENGTH,
82 tls1_cert_verify_mac,
83 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
84 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
85 tls1_alert_code,
86 };
87
88 long tls1_default_timeout(void)
89 {
90 /*
91 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
92 * http, the cache would over fill
93 */
94 return (60 * 60 * 2);
95 }
96
97 IMPLEMENT_tls1_meth_func(tlsv1_base_method,
98 ssl_undefined_function,
99 ssl_undefined_function, ssl_bad_method)
100
101 int tls1_new(SSL *s)
102 {
103 if (!ssl3_new(s))
104 return (0);
105 s->method->ssl_clear(s);
106 return (1);
107 }
108
109 void tls1_free(SSL *s)
110 {
111 ssl3_free(s);
112 }
113
114 void tls1_clear(SSL *s)
115 {
116 ssl3_clear(s);
117 s->version = TLS1_VERSION;
118 }
119
120 #if 0
121 long tls1_ctrl(SSL *s, int cmd, long larg, char *parg)
122 {
123 return (0);
124 }
125
126 long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp) ())
127 {
128 return (0);
129 }
130 #endif
131
132 #ifndef OPENSSL_NO_TLSEXT
133 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p,
134 unsigned char *limit)
135 {
136 int extdatalen = 0;
137 unsigned char *ret = p;
138
139 /* don't add extensions for SSLv3 unless doing secure renegotiation */
140 if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding)
141 return p;
142
143 ret += 2;
144
145 if (ret >= limit)
146 return NULL; /* this really never occurs, but ... */
147
148 if (s->tlsext_hostname != NULL) {
149 /* Add TLS extension servername to the Client Hello message */
150 unsigned long size_str;
151 long lenmax;
152
153 /*-
154 * check for enough space.
155 * 4 for the servername type and entension length
156 * 2 for servernamelist length
157 * 1 for the hostname type
158 * 2 for hostname length
159 * + hostname length
160 */
161
162 if ((lenmax = limit - ret - 9) < 0
163 || (size_str =
164 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
165 return NULL;
166
167 /* extension type and length */
168 s2n(TLSEXT_TYPE_server_name, ret);
169 s2n(size_str + 5, ret);
170
171 /* length of servername list */
172 s2n(size_str + 3, ret);
173
174 /* hostname type, length and hostname */
175 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
176 s2n(size_str, ret);
177 memcpy(ret, s->tlsext_hostname, size_str);
178 ret += size_str;
179
180 }
181
182 /* Add RI if renegotiating */
183 if (s->new_session) {
184 int el;
185
186 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
187 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
188 return NULL;
189 }
190
191 if ((limit - p - 4 - el) < 0)
192 return NULL;
193
194 s2n(TLSEXT_TYPE_renegotiate, ret);
195 s2n(el, ret);
196
197 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
198 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
199 return NULL;
200 }
201
202 ret += el;
203 }
204
205 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
206 int ticklen;
207 if (!s->new_session && s->session && s->session->tlsext_tick)
208 ticklen = s->session->tlsext_ticklen;
209 else
210 ticklen = 0;
211 /*
212 * Check for enough room 2 for extension type, 2 for len rest for
213 * ticket
214 */
215 if (limit - ret - 4 - ticklen < 0)
216 return NULL;
217 s2n(TLSEXT_TYPE_session_ticket, ret);
218 s2n(ticklen, ret);
219 if (ticklen) {
220 memcpy(ret, s->session->tlsext_tick, ticklen);
221 ret += ticklen;
222 }
223 }
224
225 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
226 s->version != DTLS1_VERSION) {
227 int i;
228 long extlen, idlen, itmp;
229 OCSP_RESPID *id;
230
231 idlen = 0;
232 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
233 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
234 itmp = i2d_OCSP_RESPID(id, NULL);
235 if (itmp <= 0)
236 return NULL;
237 idlen += itmp + 2;
238 }
239
240 if (s->tlsext_ocsp_exts) {
241 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
242 if (extlen < 0)
243 return NULL;
244 } else
245 extlen = 0;
246
247 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
248 return NULL;
249 s2n(TLSEXT_TYPE_status_request, ret);
250 if (extlen + idlen > 0xFFF0)
251 return NULL;
252 s2n(extlen + idlen + 5, ret);
253 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
254 s2n(idlen, ret);
255 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
256 /* save position of id len */
257 unsigned char *q = ret;
258 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
259 /* skip over id len */
260 ret += 2;
261 itmp = i2d_OCSP_RESPID(id, &ret);
262 /* write id len */
263 s2n(itmp, q);
264 }
265 s2n(extlen, ret);
266 if (extlen > 0)
267 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
268 }
269
270 if ((extdatalen = ret - p - 2) == 0)
271 return p;
272
273 s2n(extdatalen, p);
274 return ret;
275 }
276
277 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p,
278 unsigned char *limit)
279 {
280 int extdatalen = 0;
281 unsigned char *ret = p;
282
283 /*
284 * don't add extensions for SSLv3, unless doing secure renegotiation
285 */
286 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
287 return p;
288
289 ret += 2;
290 if (ret >= limit)
291 return NULL; /* this really never occurs, but ... */
292
293 if (!s->hit && s->servername_done == 1
294 && s->session->tlsext_hostname != NULL) {
295 if (limit - ret - 4 < 0)
296 return NULL;
297
298 s2n(TLSEXT_TYPE_server_name, ret);
299 s2n(0, ret);
300 }
301
302 if (s->s3->send_connection_binding) {
303 int el;
304
305 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
306 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
307 return NULL;
308 }
309
310 if ((limit - p - 4 - el) < 0)
311 return NULL;
312
313 s2n(TLSEXT_TYPE_renegotiate, ret);
314 s2n(el, ret);
315
316 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
317 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
318 return NULL;
319 }
320
321 ret += el;
322 }
323
324 if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
325 if (limit - ret - 4 < 0)
326 return NULL;
327 s2n(TLSEXT_TYPE_session_ticket, ret);
328 s2n(0, ret);
329 }
330
331 if (s->tlsext_status_expected) {
332 if ((long)(limit - ret - 4) < 0)
333 return NULL;
334 s2n(TLSEXT_TYPE_status_request, ret);
335 s2n(0, ret);
336 }
337
338 if ((extdatalen = ret - p - 2) == 0)
339 return p;
340
341 s2n(extdatalen, p);
342 return ret;
343 }
344
345 # ifndef OPENSSL_NO_EC
346 /*-
347 * ssl_check_for_safari attempts to fingerprint Safari using OS X
348 * SecureTransport using the TLS extension block in |d|, of length |n|.
349 * Safari, since 10.6, sends exactly these extensions, in this order:
350 * SNI,
351 * elliptic_curves
352 * ec_point_formats
353 *
354 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
355 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
356 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
357 * 10.8..10.8.3 (which don't work).
358 */
359 static void ssl_check_for_safari(SSL *s, const unsigned char *data,
360 const unsigned char *d, int n)
361 {
362 unsigned short type, size;
363 static const unsigned char kSafariExtensionsBlock[] = {
364 0x00, 0x0a, /* elliptic_curves extension */
365 0x00, 0x08, /* 8 bytes */
366 0x00, 0x06, /* 6 bytes of curve ids */
367 0x00, 0x17, /* P-256 */
368 0x00, 0x18, /* P-384 */
369 0x00, 0x19, /* P-521 */
370
371 0x00, 0x0b, /* ec_point_formats */
372 0x00, 0x02, /* 2 bytes */
373 0x01, /* 1 point format */
374 0x00, /* uncompressed */
375 };
376
377 /* The following is only present in TLS 1.2 */
378 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
379 0x00, 0x0d, /* signature_algorithms */
380 0x00, 0x0c, /* 12 bytes */
381 0x00, 0x0a, /* 10 bytes */
382 0x05, 0x01, /* SHA-384/RSA */
383 0x04, 0x01, /* SHA-256/RSA */
384 0x02, 0x01, /* SHA-1/RSA */
385 0x04, 0x03, /* SHA-256/ECDSA */
386 0x02, 0x03, /* SHA-1/ECDSA */
387 };
388
389 if (data >= (d + n - 2))
390 return;
391 data += 2;
392
393 if (data > (d + n - 4))
394 return;
395 n2s(data, type);
396 n2s(data, size);
397
398 if (type != TLSEXT_TYPE_server_name)
399 return;
400
401 if (data + size > d + n)
402 return;
403 data += size;
404
405 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
406 const size_t len1 = sizeof(kSafariExtensionsBlock);
407 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
408
409 if (data + len1 + len2 != d + n)
410 return;
411 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
412 return;
413 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
414 return;
415 } else {
416 const size_t len = sizeof(kSafariExtensionsBlock);
417
418 if (data + len != d + n)
419 return;
420 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
421 return;
422 }
423
424 s->s3->is_probably_safari = 1;
425 }
426 # endif /* !OPENSSL_NO_EC */
427
428 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
429 int n, int *al)
430 {
431 unsigned short type;
432 unsigned short size;
433 unsigned short len;
434 unsigned char *data = *p;
435 int renegotiate_seen = 0;
436
437 s->servername_done = 0;
438 s->tlsext_status_type = -1;
439
440 # ifndef OPENSSL_NO_EC
441 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
442 ssl_check_for_safari(s, data, d, n);
443 # endif /* !OPENSSL_NO_EC */
444
445 if (data >= (d + n - 2))
446 goto ri_check;
447
448 n2s(data, len);
449
450 if (data > (d + n - len))
451 goto ri_check;
452
453 while (data <= (d + n - 4)) {
454 n2s(data, type);
455 n2s(data, size);
456
457 if (data + size > (d + n))
458 goto ri_check;
459
460 if (s->tlsext_debug_cb)
461 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
462 /*-
463 * The servername extension is treated as follows:
464 *
465 * - Only the hostname type is supported with a maximum length of 255.
466 * - The servername is rejected if too long or if it contains zeros,
467 * in which case an fatal alert is generated.
468 * - The servername field is maintained together with the session cache.
469 * - When a session is resumed, the servername call back invoked in order
470 * to allow the application to position itself to the right context.
471 * - The servername is acknowledged if it is new for a session or when
472 * it is identical to a previously used for the same session.
473 * Applications can control the behaviour. They can at any time
474 * set a 'desirable' servername for a new SSL object. This can be the
475 * case for example with HTTPS when a Host: header field is received and
476 * a renegotiation is requested. In this case, a possible servername
477 * presented in the new client hello is only acknowledged if it matches
478 * the value of the Host: field.
479 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
480 * if they provide for changing an explicit servername context for the
481 * session, i.e. when the session has been established with a servername
482 * extension.
483 * - On session reconnect, the servername extension may be absent.
484 *
485 */
486
487 if (type == TLSEXT_TYPE_server_name) {
488 unsigned char *sdata;
489 int servname_type;
490 int dsize;
491
492 if (size < 2) {
493 *al = SSL_AD_DECODE_ERROR;
494 return 0;
495 }
496 n2s(data, dsize);
497 size -= 2;
498 if (dsize > size) {
499 *al = SSL_AD_DECODE_ERROR;
500 return 0;
501 }
502
503 sdata = data;
504 while (dsize > 3) {
505 servname_type = *(sdata++);
506 n2s(sdata, len);
507 dsize -= 3;
508
509 if (len > dsize) {
510 *al = SSL_AD_DECODE_ERROR;
511 return 0;
512 }
513 if (s->servername_done == 0)
514 switch (servname_type) {
515 case TLSEXT_NAMETYPE_host_name:
516 if (!s->hit) {
517 if (s->session->tlsext_hostname) {
518 *al = SSL_AD_DECODE_ERROR;
519 return 0;
520 }
521 if (len > TLSEXT_MAXLEN_host_name) {
522 *al = TLS1_AD_UNRECOGNIZED_NAME;
523 return 0;
524 }
525 if ((s->session->tlsext_hostname =
526 OPENSSL_malloc(len + 1)) == NULL) {
527 *al = TLS1_AD_INTERNAL_ERROR;
528 return 0;
529 }
530 memcpy(s->session->tlsext_hostname, sdata, len);
531 s->session->tlsext_hostname[len] = '\0';
532 if (strlen(s->session->tlsext_hostname) != len) {
533 OPENSSL_free(s->session->tlsext_hostname);
534 s->session->tlsext_hostname = NULL;
535 *al = TLS1_AD_UNRECOGNIZED_NAME;
536 return 0;
537 }
538 s->servername_done = 1;
539
540 } else
541 s->servername_done = s->session->tlsext_hostname
542 && strlen(s->session->tlsext_hostname) == len
543 && strncmp(s->session->tlsext_hostname,
544 (char *)sdata, len) == 0;
545
546 break;
547
548 default:
549 break;
550 }
551
552 dsize -= len;
553 }
554 if (dsize != 0) {
555 *al = SSL_AD_DECODE_ERROR;
556 return 0;
557 }
558
559 } else if (type == TLSEXT_TYPE_renegotiate) {
560 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
561 return 0;
562 renegotiate_seen = 1;
563 } else if (type == TLSEXT_TYPE_status_request &&
564 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) {
565
566 if (size < 5) {
567 *al = SSL_AD_DECODE_ERROR;
568 return 0;
569 }
570
571 s->tlsext_status_type = *data++;
572 size--;
573 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
574 const unsigned char *sdata;
575 int dsize;
576 /* Read in responder_id_list */
577 n2s(data, dsize);
578 size -= 2;
579 if (dsize > size) {
580 *al = SSL_AD_DECODE_ERROR;
581 return 0;
582 }
583 while (dsize > 0) {
584 OCSP_RESPID *id;
585 int idsize;
586 if (dsize < 4) {
587 *al = SSL_AD_DECODE_ERROR;
588 return 0;
589 }
590 n2s(data, idsize);
591 dsize -= 2 + idsize;
592 size -= 2 + idsize;
593 if (dsize < 0) {
594 *al = SSL_AD_DECODE_ERROR;
595 return 0;
596 }
597 sdata = data;
598 data += idsize;
599 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
600 if (!id) {
601 *al = SSL_AD_DECODE_ERROR;
602 return 0;
603 }
604 if (data != sdata) {
605 OCSP_RESPID_free(id);
606 *al = SSL_AD_DECODE_ERROR;
607 return 0;
608 }
609 if (!s->tlsext_ocsp_ids
610 && !(s->tlsext_ocsp_ids =
611 sk_OCSP_RESPID_new_null())) {
612 OCSP_RESPID_free(id);
613 *al = SSL_AD_INTERNAL_ERROR;
614 return 0;
615 }
616 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
617 OCSP_RESPID_free(id);
618 *al = SSL_AD_INTERNAL_ERROR;
619 return 0;
620 }
621 }
622
623 /* Read in request_extensions */
624 if (size < 2) {
625 *al = SSL_AD_DECODE_ERROR;
626 return 0;
627 }
628 n2s(data, dsize);
629 size -= 2;
630 if (dsize != size) {
631 *al = SSL_AD_DECODE_ERROR;
632 return 0;
633 }
634 sdata = data;
635 if (dsize > 0) {
636 if (s->tlsext_ocsp_exts) {
637 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
638 X509_EXTENSION_free);
639 }
640
641 s->tlsext_ocsp_exts =
642 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
643 if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) {
644 *al = SSL_AD_DECODE_ERROR;
645 return 0;
646 }
647 }
648 }
649 /*
650 * We don't know what to do with any other type * so ignore it.
651 */
652 else
653 s->tlsext_status_type = -1;
654 }
655
656 /* session ticket processed earlier */
657
658 data += size;
659 }
660 *p = data;
661
662 ri_check:
663
664 /* Need RI if renegotiating */
665
666 if (!renegotiate_seen && s->new_session &&
667 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
668 *al = SSL_AD_HANDSHAKE_FAILURE;
669 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
670 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
671 return 0;
672 }
673
674 return 1;
675 }
676
677 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
678 int n, int *al)
679 {
680 unsigned short length;
681 unsigned short type;
682 unsigned short size;
683 unsigned char *data = *p;
684 int tlsext_servername = 0;
685 int renegotiate_seen = 0;
686
687 if (data >= (d + n - 2))
688 goto ri_check;
689
690 n2s(data, length);
691 if (data + length != d + n) {
692 *al = SSL_AD_DECODE_ERROR;
693 return 0;
694 }
695
696 while (data <= (d + n - 4)) {
697 n2s(data, type);
698 n2s(data, size);
699
700 if (data + size > (d + n))
701 goto ri_check;
702
703 if (s->tlsext_debug_cb)
704 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
705
706 if (type == TLSEXT_TYPE_server_name) {
707 if (s->tlsext_hostname == NULL || size > 0) {
708 *al = TLS1_AD_UNRECOGNIZED_NAME;
709 return 0;
710 }
711 tlsext_servername = 1;
712 } else if (type == TLSEXT_TYPE_session_ticket) {
713 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
714 || (size > 0)) {
715 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
716 return 0;
717 }
718 s->tlsext_ticket_expected = 1;
719 } else if (type == TLSEXT_TYPE_status_request &&
720 s->version != DTLS1_VERSION) {
721 /*
722 * MUST be empty and only sent if we've requested a status
723 * request message.
724 */
725 if ((s->tlsext_status_type == -1) || (size > 0)) {
726 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
727 return 0;
728 }
729 /* Set flag to expect CertificateStatus message */
730 s->tlsext_status_expected = 1;
731 } else if (type == TLSEXT_TYPE_renegotiate) {
732 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
733 return 0;
734 renegotiate_seen = 1;
735 }
736 data += size;
737 }
738
739 if (data != d + n) {
740 *al = SSL_AD_DECODE_ERROR;
741 return 0;
742 }
743
744 if (!s->hit && tlsext_servername == 1) {
745 if (s->tlsext_hostname) {
746 if (s->session->tlsext_hostname == NULL) {
747 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
748 if (!s->session->tlsext_hostname) {
749 *al = SSL_AD_UNRECOGNIZED_NAME;
750 return 0;
751 }
752 } else {
753 *al = SSL_AD_DECODE_ERROR;
754 return 0;
755 }
756 }
757 }
758
759 *p = data;
760
761 ri_check:
762
763 /*
764 * Determine if we need to see RI. Strictly speaking if we want to avoid
765 * an attack we should *always* see RI even on initial server hello
766 * because the client doesn't see any renegotiation during an attack.
767 * However this would mean we could not connect to any server which
768 * doesn't support RI so for the immediate future tolerate RI absence on
769 * initial connect only.
770 */
771 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
772 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
773 *al = SSL_AD_HANDSHAKE_FAILURE;
774 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
775 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
776 return 0;
777 }
778
779 return 1;
780 }
781
782 int ssl_check_clienthello_tlsext_early(SSL *s)
783 {
784 int ret = SSL_TLSEXT_ERR_NOACK;
785 int al = SSL_AD_UNRECOGNIZED_NAME;
786
787 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
788 ret =
789 s->ctx->tlsext_servername_callback(s, &al,
790 s->ctx->tlsext_servername_arg);
791 else if (s->initial_ctx != NULL
792 && s->initial_ctx->tlsext_servername_callback != 0)
793 ret =
794 s->initial_ctx->tlsext_servername_callback(s, &al,
795 s->
796 initial_ctx->tlsext_servername_arg);
797
798 switch (ret) {
799 case SSL_TLSEXT_ERR_ALERT_FATAL:
800 ssl3_send_alert(s, SSL3_AL_FATAL, al);
801 return -1;
802
803 case SSL_TLSEXT_ERR_ALERT_WARNING:
804 ssl3_send_alert(s, SSL3_AL_WARNING, al);
805 return 1;
806
807 case SSL_TLSEXT_ERR_NOACK:
808 s->servername_done = 0;
809
810 default:
811 return 1;
812 }
813 }
814
815 int ssl_check_clienthello_tlsext_late(SSL *s)
816 {
817 int ret = SSL_TLSEXT_ERR_OK;
818 int al;
819
820 /*
821 * If status request then ask callback what to do. Note: this must be
822 * called after servername callbacks in case the certificate has
823 * changed, and must be called after the cipher has been chosen because
824 * this may influence which certificate is sent
825 */
826 if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb) {
827 int r;
828 CERT_PKEY *certpkey;
829 certpkey = ssl_get_server_send_pkey(s);
830 /* If no certificate can't return certificate status */
831 if (certpkey == NULL) {
832 s->tlsext_status_expected = 0;
833 return 1;
834 }
835 /*
836 * Set current certificate to one we will use so SSL_get_certificate
837 * et al can pick it up.
838 */
839 s->cert->key = certpkey;
840 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
841 switch (r) {
842 /* We don't want to send a status request response */
843 case SSL_TLSEXT_ERR_NOACK:
844 s->tlsext_status_expected = 0;
845 break;
846 /* status request response should be sent */
847 case SSL_TLSEXT_ERR_OK:
848 if (s->tlsext_ocsp_resp)
849 s->tlsext_status_expected = 1;
850 else
851 s->tlsext_status_expected = 0;
852 break;
853 /* something bad happened */
854 case SSL_TLSEXT_ERR_ALERT_FATAL:
855 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
856 al = SSL_AD_INTERNAL_ERROR;
857 goto err;
858 }
859 } else
860 s->tlsext_status_expected = 0;
861
862 err:
863 switch (ret) {
864 case SSL_TLSEXT_ERR_ALERT_FATAL:
865 ssl3_send_alert(s, SSL3_AL_FATAL, al);
866 return -1;
867
868 case SSL_TLSEXT_ERR_ALERT_WARNING:
869 ssl3_send_alert(s, SSL3_AL_WARNING, al);
870 return 1;
871
872 default:
873 return 1;
874 }
875 }
876
877 int ssl_check_serverhello_tlsext(SSL *s)
878 {
879 int ret = SSL_TLSEXT_ERR_NOACK;
880 int al = SSL_AD_UNRECOGNIZED_NAME;
881
882 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
883 ret =
884 s->ctx->tlsext_servername_callback(s, &al,
885 s->ctx->tlsext_servername_arg);
886 else if (s->initial_ctx != NULL
887 && s->initial_ctx->tlsext_servername_callback != 0)
888 ret =
889 s->initial_ctx->tlsext_servername_callback(s, &al,
890 s->
891 initial_ctx->tlsext_servername_arg);
892
893 /*
894 * If we've requested certificate status and we wont get one tell the
895 * callback
896 */
897 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
898 && s->ctx->tlsext_status_cb) {
899 int r;
900 /*
901 * Set resp to NULL, resplen to -1 so callback knows there is no
902 * response.
903 */
904 if (s->tlsext_ocsp_resp) {
905 OPENSSL_free(s->tlsext_ocsp_resp);
906 s->tlsext_ocsp_resp = NULL;
907 }
908 s->tlsext_ocsp_resplen = -1;
909 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
910 if (r == 0) {
911 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
912 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
913 }
914 if (r < 0) {
915 al = SSL_AD_INTERNAL_ERROR;
916 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
917 }
918 }
919
920 switch (ret) {
921 case SSL_TLSEXT_ERR_ALERT_FATAL:
922 ssl3_send_alert(s, SSL3_AL_FATAL, al);
923 return -1;
924
925 case SSL_TLSEXT_ERR_ALERT_WARNING:
926 ssl3_send_alert(s, SSL3_AL_WARNING, al);
927 return 1;
928
929 case SSL_TLSEXT_ERR_NOACK:
930 s->servername_done = 0;
931 default:
932 return 1;
933 }
934 }
935
936 /*
937 * Since the server cache lookup is done early on in the processing of client
938 * hello and other operations depend on the result we need to handle any TLS
939 * session ticket extension at the same time.
940 */
941
942 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
943 const unsigned char *limit, SSL_SESSION **ret)
944 {
945 /* Point after session ID in client hello */
946 const unsigned char *p = session_id + len;
947 unsigned short i;
948
949 /*
950 * If tickets disabled behave as if no ticket present to permit stateful
951 * resumption.
952 */
953 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
954 return 1;
955
956 if ((s->version <= SSL3_VERSION) || !limit)
957 return 1;
958 if (p >= limit)
959 return -1;
960 /* Skip past DTLS cookie */
961 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
962 i = *(p++);
963 p += i;
964 if (p >= limit)
965 return -1;
966 }
967 /* Skip past cipher list */
968 n2s(p, i);
969 p += i;
970 if (p >= limit)
971 return -1;
972 /* Skip past compression algorithm list */
973 i = *(p++);
974 p += i;
975 if (p > limit)
976 return -1;
977 /* Now at start of extensions */
978 if ((p + 2) >= limit)
979 return 1;
980 n2s(p, i);
981 while ((p + 4) <= limit) {
982 unsigned short type, size;
983 n2s(p, type);
984 n2s(p, size);
985 if (p + size > limit)
986 return 1;
987 if (type == TLSEXT_TYPE_session_ticket) {
988 /*
989 * If zero length note client will accept a ticket and indicate
990 * cache miss to trigger full handshake
991 */
992 if (size == 0) {
993 s->tlsext_ticket_expected = 1;
994 return 0; /* Cache miss */
995 }
996 return tls_decrypt_ticket(s, p, size, session_id, len, ret);
997 }
998 p += size;
999 }
1000 return 1;
1001 }
1002
1003 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
1004 int eticklen, const unsigned char *sess_id,
1005 int sesslen, SSL_SESSION **psess)
1006 {
1007 SSL_SESSION *sess;
1008 unsigned char *sdec;
1009 const unsigned char *p;
1010 int slen, mlen, renew_ticket = 0;
1011 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1012 HMAC_CTX hctx;
1013 EVP_CIPHER_CTX ctx;
1014 SSL_CTX *tctx = s->initial_ctx;
1015 /* Need at least keyname + iv + some encrypted data */
1016 if (eticklen < 48)
1017 goto tickerr;
1018 /* Initialize session ticket encryption and HMAC contexts */
1019 HMAC_CTX_init(&hctx);
1020 EVP_CIPHER_CTX_init(&ctx);
1021 if (tctx->tlsext_ticket_key_cb) {
1022 unsigned char *nctick = (unsigned char *)etick;
1023 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1024 &ctx, &hctx, 0);
1025 if (rv < 0)
1026 return -1;
1027 if (rv == 0)
1028 goto tickerr;
1029 if (rv == 2)
1030 renew_ticket = 1;
1031 } else {
1032 /* Check key name matches */
1033 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
1034 goto tickerr;
1035 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
1036 tlsext_tick_md(), NULL);
1037 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1038 tctx->tlsext_tick_aes_key, etick + 16);
1039 }
1040 /*
1041 * Attempt to process session ticket, first conduct sanity and integrity
1042 * checks on ticket.
1043 */
1044 mlen = HMAC_size(&hctx);
1045 eticklen -= mlen;
1046 /* Check HMAC of encrypted ticket */
1047 HMAC_Update(&hctx, etick, eticklen);
1048 HMAC_Final(&hctx, tick_hmac, NULL);
1049 HMAC_CTX_cleanup(&hctx);
1050 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
1051 EVP_CIPHER_CTX_cleanup(&ctx);
1052 goto tickerr;
1053 }
1054 /* Attempt to decrypt session data */
1055 /* Move p after IV to start of encrypted ticket, update length */
1056 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1057 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1058 sdec = OPENSSL_malloc(eticklen);
1059 if (!sdec) {
1060 EVP_CIPHER_CTX_cleanup(&ctx);
1061 return -1;
1062 }
1063 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1064 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
1065 EVP_CIPHER_CTX_cleanup(&ctx);
1066 OPENSSL_free(sdec);
1067 goto tickerr;
1068 }
1069 slen += mlen;
1070 EVP_CIPHER_CTX_cleanup(&ctx);
1071 p = sdec;
1072
1073 sess = d2i_SSL_SESSION(NULL, &p, slen);
1074 OPENSSL_free(sdec);
1075 if (sess) {
1076 /*
1077 * The session ID if non-empty is used by some clients to detect that
1078 * the ticket has been accepted. So we copy it to the session
1079 * structure. If it is empty set length to zero as required by
1080 * standard.
1081 */
1082 if (sesslen)
1083 memcpy(sess->session_id, sess_id, sesslen);
1084 sess->session_id_length = sesslen;
1085 *psess = sess;
1086 s->tlsext_ticket_expected = renew_ticket;
1087 return 1;
1088 }
1089 /*
1090 * If session decrypt failure indicate a cache miss and set state to send
1091 * a new ticket
1092 */
1093 tickerr:
1094 s->tlsext_ticket_expected = 1;
1095 return 0;
1096 }
1097
1098 #endif
A mirror of the official openssl repository