t1_lib.c 35 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098
  1. /* ssl/t1_lib.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. #include <stdio.h>
  59. #include <openssl/objects.h>
  60. #include <openssl/evp.h>
  61. #include <openssl/hmac.h>
  62. #include <openssl/ocsp.h>
  63. #include "ssl_locl.h"
  64. const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
  65. #ifndef OPENSSL_NO_TLSEXT
  66. static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
  67. const unsigned char *sess_id, int sesslen,
  68. SSL_SESSION **psess);
  69. #endif
  70. SSL3_ENC_METHOD TLSv1_enc_data = {
  71. tls1_enc,
  72. tls1_mac,
  73. tls1_setup_key_block,
  74. tls1_generate_master_secret,
  75. tls1_change_cipher_state,
  76. tls1_final_finish_mac,
  77. TLS1_FINISH_MAC_LENGTH,
  78. tls1_cert_verify_mac,
  79. TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
  80. TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  81. tls1_alert_code,
  82. };
  83. long tls1_default_timeout(void)
  84. {
  85. /*
  86. * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
  87. * http, the cache would over fill
  88. */
  89. return (60 * 60 * 2);
  90. }
  91. IMPLEMENT_tls1_meth_func(tlsv1_base_method,
  92. ssl_undefined_function,
  93. ssl_undefined_function, ssl_bad_method)
  94. int tls1_new(SSL *s)
  95. {
  96. if (!ssl3_new(s))
  97. return (0);
  98. s->method->ssl_clear(s);
  99. return (1);
  100. }
  101. void tls1_free(SSL *s)
  102. {
  103. ssl3_free(s);
  104. }
  105. void tls1_clear(SSL *s)
  106. {
  107. ssl3_clear(s);
  108. s->version = TLS1_VERSION;
  109. }
  110. #if 0
  111. long tls1_ctrl(SSL *s, int cmd, long larg, char *parg)
  112. {
  113. return (0);
  114. }
  115. long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp) ())
  116. {
  117. return (0);
  118. }
  119. #endif
  120. #ifndef OPENSSL_NO_TLSEXT
  121. unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p,
  122. unsigned char *limit)
  123. {
  124. int extdatalen = 0;
  125. unsigned char *ret = p;
  126. /* don't add extensions for SSLv3 unless doing secure renegotiation */
  127. if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding)
  128. return p;
  129. ret += 2;
  130. if (ret >= limit)
  131. return NULL; /* this really never occurs, but ... */
  132. if (s->tlsext_hostname != NULL) {
  133. /* Add TLS extension servername to the Client Hello message */
  134. unsigned long size_str;
  135. long lenmax;
  136. /*-
  137. * check for enough space.
  138. * 4 for the servername type and entension length
  139. * 2 for servernamelist length
  140. * 1 for the hostname type
  141. * 2 for hostname length
  142. * + hostname length
  143. */
  144. if ((lenmax = limit - ret - 9) < 0
  145. || (size_str =
  146. strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
  147. return NULL;
  148. /* extension type and length */
  149. s2n(TLSEXT_TYPE_server_name, ret);
  150. s2n(size_str + 5, ret);
  151. /* length of servername list */
  152. s2n(size_str + 3, ret);
  153. /* hostname type, length and hostname */
  154. *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
  155. s2n(size_str, ret);
  156. memcpy(ret, s->tlsext_hostname, size_str);
  157. ret += size_str;
  158. }
  159. /* Add RI if renegotiating */
  160. if (s->new_session) {
  161. int el;
  162. if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
  163. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  164. return NULL;
  165. }
  166. if ((limit - p - 4 - el) < 0)
  167. return NULL;
  168. s2n(TLSEXT_TYPE_renegotiate, ret);
  169. s2n(el, ret);
  170. if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
  171. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  172. return NULL;
  173. }
  174. ret += el;
  175. }
  176. if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
  177. int ticklen;
  178. if (!s->new_session && s->session && s->session->tlsext_tick)
  179. ticklen = s->session->tlsext_ticklen;
  180. else
  181. ticklen = 0;
  182. /*
  183. * Check for enough room 2 for extension type, 2 for len rest for
  184. * ticket
  185. */
  186. if (limit - ret - 4 - ticklen < 0)
  187. return NULL;
  188. s2n(TLSEXT_TYPE_session_ticket, ret);
  189. s2n(ticklen, ret);
  190. if (ticklen) {
  191. memcpy(ret, s->session->tlsext_tick, ticklen);
  192. ret += ticklen;
  193. }
  194. }
  195. if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
  196. s->version != DTLS1_VERSION) {
  197. int i;
  198. long extlen, idlen, itmp;
  199. OCSP_RESPID *id;
  200. idlen = 0;
  201. for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
  202. id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
  203. itmp = i2d_OCSP_RESPID(id, NULL);
  204. if (itmp <= 0)
  205. return NULL;
  206. idlen += itmp + 2;
  207. }
  208. if (s->tlsext_ocsp_exts) {
  209. extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
  210. if (extlen < 0)
  211. return NULL;
  212. } else
  213. extlen = 0;
  214. if ((long)(limit - ret - 7 - extlen - idlen) < 0)
  215. return NULL;
  216. s2n(TLSEXT_TYPE_status_request, ret);
  217. if (extlen + idlen > 0xFFF0)
  218. return NULL;
  219. s2n(extlen + idlen + 5, ret);
  220. *(ret++) = TLSEXT_STATUSTYPE_ocsp;
  221. s2n(idlen, ret);
  222. for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
  223. /* save position of id len */
  224. unsigned char *q = ret;
  225. id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
  226. /* skip over id len */
  227. ret += 2;
  228. itmp = i2d_OCSP_RESPID(id, &ret);
  229. /* write id len */
  230. s2n(itmp, q);
  231. }
  232. s2n(extlen, ret);
  233. if (extlen > 0)
  234. i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
  235. }
  236. if ((extdatalen = ret - p - 2) == 0)
  237. return p;
  238. s2n(extdatalen, p);
  239. return ret;
  240. }
  241. unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p,
  242. unsigned char *limit)
  243. {
  244. int extdatalen = 0;
  245. unsigned char *ret = p;
  246. /*
  247. * don't add extensions for SSLv3, unless doing secure renegotiation
  248. */
  249. if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
  250. return p;
  251. ret += 2;
  252. if (ret >= limit)
  253. return NULL; /* this really never occurs, but ... */
  254. if (!s->hit && s->servername_done == 1
  255. && s->session->tlsext_hostname != NULL) {
  256. if (limit - ret - 4 < 0)
  257. return NULL;
  258. s2n(TLSEXT_TYPE_server_name, ret);
  259. s2n(0, ret);
  260. }
  261. if (s->s3->send_connection_binding) {
  262. int el;
  263. if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
  264. SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  265. return NULL;
  266. }
  267. if ((limit - p - 4 - el) < 0)
  268. return NULL;
  269. s2n(TLSEXT_TYPE_renegotiate, ret);
  270. s2n(el, ret);
  271. if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
  272. SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  273. return NULL;
  274. }
  275. ret += el;
  276. }
  277. if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
  278. if (limit - ret - 4 < 0)
  279. return NULL;
  280. s2n(TLSEXT_TYPE_session_ticket, ret);
  281. s2n(0, ret);
  282. }
  283. if (s->tlsext_status_expected) {
  284. if ((long)(limit - ret - 4) < 0)
  285. return NULL;
  286. s2n(TLSEXT_TYPE_status_request, ret);
  287. s2n(0, ret);
  288. }
  289. if ((extdatalen = ret - p - 2) == 0)
  290. return p;
  291. s2n(extdatalen, p);
  292. return ret;
  293. }
  294. # ifndef OPENSSL_NO_EC
  295. /*-
  296. * ssl_check_for_safari attempts to fingerprint Safari using OS X
  297. * SecureTransport using the TLS extension block in |d|, of length |n|.
  298. * Safari, since 10.6, sends exactly these extensions, in this order:
  299. * SNI,
  300. * elliptic_curves
  301. * ec_point_formats
  302. *
  303. * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
  304. * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
  305. * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
  306. * 10.8..10.8.3 (which don't work).
  307. */
  308. static void ssl_check_for_safari(SSL *s, const unsigned char *data,
  309. const unsigned char *d, int n)
  310. {
  311. unsigned short type, size;
  312. static const unsigned char kSafariExtensionsBlock[] = {
  313. 0x00, 0x0a, /* elliptic_curves extension */
  314. 0x00, 0x08, /* 8 bytes */
  315. 0x00, 0x06, /* 6 bytes of curve ids */
  316. 0x00, 0x17, /* P-256 */
  317. 0x00, 0x18, /* P-384 */
  318. 0x00, 0x19, /* P-521 */
  319. 0x00, 0x0b, /* ec_point_formats */
  320. 0x00, 0x02, /* 2 bytes */
  321. 0x01, /* 1 point format */
  322. 0x00, /* uncompressed */
  323. };
  324. /* The following is only present in TLS 1.2 */
  325. static const unsigned char kSafariTLS12ExtensionsBlock[] = {
  326. 0x00, 0x0d, /* signature_algorithms */
  327. 0x00, 0x0c, /* 12 bytes */
  328. 0x00, 0x0a, /* 10 bytes */
  329. 0x05, 0x01, /* SHA-384/RSA */
  330. 0x04, 0x01, /* SHA-256/RSA */
  331. 0x02, 0x01, /* SHA-1/RSA */
  332. 0x04, 0x03, /* SHA-256/ECDSA */
  333. 0x02, 0x03, /* SHA-1/ECDSA */
  334. };
  335. if (data >= (d + n - 2))
  336. return;
  337. data += 2;
  338. if (data > (d + n - 4))
  339. return;
  340. n2s(data, type);
  341. n2s(data, size);
  342. if (type != TLSEXT_TYPE_server_name)
  343. return;
  344. if (data + size > d + n)
  345. return;
  346. data += size;
  347. if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
  348. const size_t len1 = sizeof(kSafariExtensionsBlock);
  349. const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
  350. if (data + len1 + len2 != d + n)
  351. return;
  352. if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
  353. return;
  354. if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
  355. return;
  356. } else {
  357. const size_t len = sizeof(kSafariExtensionsBlock);
  358. if (data + len != d + n)
  359. return;
  360. if (memcmp(data, kSafariExtensionsBlock, len) != 0)
  361. return;
  362. }
  363. s->s3->is_probably_safari = 1;
  364. }
  365. # endif /* !OPENSSL_NO_EC */
  366. int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
  367. int n, int *al)
  368. {
  369. unsigned short type;
  370. unsigned short size;
  371. unsigned short len;
  372. unsigned char *data = *p;
  373. int renegotiate_seen = 0;
  374. s->servername_done = 0;
  375. s->tlsext_status_type = -1;
  376. # ifndef OPENSSL_NO_EC
  377. if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
  378. ssl_check_for_safari(s, data, d, n);
  379. # endif /* !OPENSSL_NO_EC */
  380. if (data >= (d + n - 2))
  381. goto ri_check;
  382. n2s(data, len);
  383. if (data > (d + n - len))
  384. goto ri_check;
  385. while (data <= (d + n - 4)) {
  386. n2s(data, type);
  387. n2s(data, size);
  388. if (data + size > (d + n))
  389. goto ri_check;
  390. if (s->tlsext_debug_cb)
  391. s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
  392. /*-
  393. * The servername extension is treated as follows:
  394. *
  395. * - Only the hostname type is supported with a maximum length of 255.
  396. * - The servername is rejected if too long or if it contains zeros,
  397. * in which case an fatal alert is generated.
  398. * - The servername field is maintained together with the session cache.
  399. * - When a session is resumed, the servername call back invoked in order
  400. * to allow the application to position itself to the right context.
  401. * - The servername is acknowledged if it is new for a session or when
  402. * it is identical to a previously used for the same session.
  403. * Applications can control the behaviour. They can at any time
  404. * set a 'desirable' servername for a new SSL object. This can be the
  405. * case for example with HTTPS when a Host: header field is received and
  406. * a renegotiation is requested. In this case, a possible servername
  407. * presented in the new client hello is only acknowledged if it matches
  408. * the value of the Host: field.
  409. * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  410. * if they provide for changing an explicit servername context for the
  411. * session, i.e. when the session has been established with a servername
  412. * extension.
  413. * - On session reconnect, the servername extension may be absent.
  414. *
  415. */
  416. if (type == TLSEXT_TYPE_server_name) {
  417. unsigned char *sdata;
  418. int servname_type;
  419. int dsize;
  420. if (size < 2) {
  421. *al = SSL_AD_DECODE_ERROR;
  422. return 0;
  423. }
  424. n2s(data, dsize);
  425. size -= 2;
  426. if (dsize > size) {
  427. *al = SSL_AD_DECODE_ERROR;
  428. return 0;
  429. }
  430. sdata = data;
  431. while (dsize > 3) {
  432. servname_type = *(sdata++);
  433. n2s(sdata, len);
  434. dsize -= 3;
  435. if (len > dsize) {
  436. *al = SSL_AD_DECODE_ERROR;
  437. return 0;
  438. }
  439. if (s->servername_done == 0)
  440. switch (servname_type) {
  441. case TLSEXT_NAMETYPE_host_name:
  442. if (!s->hit) {
  443. if (s->session->tlsext_hostname) {
  444. *al = SSL_AD_DECODE_ERROR;
  445. return 0;
  446. }
  447. if (len > TLSEXT_MAXLEN_host_name) {
  448. *al = TLS1_AD_UNRECOGNIZED_NAME;
  449. return 0;
  450. }
  451. if ((s->session->tlsext_hostname =
  452. OPENSSL_malloc(len + 1)) == NULL) {
  453. *al = TLS1_AD_INTERNAL_ERROR;
  454. return 0;
  455. }
  456. memcpy(s->session->tlsext_hostname, sdata, len);
  457. s->session->tlsext_hostname[len] = '\0';
  458. if (strlen(s->session->tlsext_hostname) != len) {
  459. OPENSSL_free(s->session->tlsext_hostname);
  460. s->session->tlsext_hostname = NULL;
  461. *al = TLS1_AD_UNRECOGNIZED_NAME;
  462. return 0;
  463. }
  464. s->servername_done = 1;
  465. } else
  466. s->servername_done = s->session->tlsext_hostname
  467. && strlen(s->session->tlsext_hostname) == len
  468. && strncmp(s->session->tlsext_hostname,
  469. (char *)sdata, len) == 0;
  470. break;
  471. default:
  472. break;
  473. }
  474. dsize -= len;
  475. }
  476. if (dsize != 0) {
  477. *al = SSL_AD_DECODE_ERROR;
  478. return 0;
  479. }
  480. } else if (type == TLSEXT_TYPE_renegotiate) {
  481. if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
  482. return 0;
  483. renegotiate_seen = 1;
  484. } else if (type == TLSEXT_TYPE_status_request &&
  485. s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) {
  486. if (size < 5) {
  487. *al = SSL_AD_DECODE_ERROR;
  488. return 0;
  489. }
  490. s->tlsext_status_type = *data++;
  491. size--;
  492. if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
  493. const unsigned char *sdata;
  494. int dsize;
  495. /* Read in responder_id_list */
  496. n2s(data, dsize);
  497. size -= 2;
  498. if (dsize > size) {
  499. *al = SSL_AD_DECODE_ERROR;
  500. return 0;
  501. }
  502. while (dsize > 0) {
  503. OCSP_RESPID *id;
  504. int idsize;
  505. if (dsize < 4) {
  506. *al = SSL_AD_DECODE_ERROR;
  507. return 0;
  508. }
  509. n2s(data, idsize);
  510. dsize -= 2 + idsize;
  511. size -= 2 + idsize;
  512. if (dsize < 0) {
  513. *al = SSL_AD_DECODE_ERROR;
  514. return 0;
  515. }
  516. sdata = data;
  517. data += idsize;
  518. id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
  519. if (!id) {
  520. *al = SSL_AD_DECODE_ERROR;
  521. return 0;
  522. }
  523. if (data != sdata) {
  524. OCSP_RESPID_free(id);
  525. *al = SSL_AD_DECODE_ERROR;
  526. return 0;
  527. }
  528. if (!s->tlsext_ocsp_ids
  529. && !(s->tlsext_ocsp_ids =
  530. sk_OCSP_RESPID_new_null())) {
  531. OCSP_RESPID_free(id);
  532. *al = SSL_AD_INTERNAL_ERROR;
  533. return 0;
  534. }
  535. if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
  536. OCSP_RESPID_free(id);
  537. *al = SSL_AD_INTERNAL_ERROR;
  538. return 0;
  539. }
  540. }
  541. /* Read in request_extensions */
  542. if (size < 2) {
  543. *al = SSL_AD_DECODE_ERROR;
  544. return 0;
  545. }
  546. n2s(data, dsize);
  547. size -= 2;
  548. if (dsize != size) {
  549. *al = SSL_AD_DECODE_ERROR;
  550. return 0;
  551. }
  552. sdata = data;
  553. if (dsize > 0) {
  554. if (s->tlsext_ocsp_exts) {
  555. sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
  556. X509_EXTENSION_free);
  557. }
  558. s->tlsext_ocsp_exts =
  559. d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
  560. if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) {
  561. *al = SSL_AD_DECODE_ERROR;
  562. return 0;
  563. }
  564. }
  565. }
  566. /*
  567. * We don't know what to do with any other type * so ignore it.
  568. */
  569. else
  570. s->tlsext_status_type = -1;
  571. }
  572. /* session ticket processed earlier */
  573. data += size;
  574. }
  575. *p = data;
  576. ri_check:
  577. /* Need RI if renegotiating */
  578. if (!renegotiate_seen && s->new_session &&
  579. !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
  580. *al = SSL_AD_HANDSHAKE_FAILURE;
  581. SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
  582. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  583. return 0;
  584. }
  585. return 1;
  586. }
  587. int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
  588. int n, int *al)
  589. {
  590. unsigned short length;
  591. unsigned short type;
  592. unsigned short size;
  593. unsigned char *data = *p;
  594. int tlsext_servername = 0;
  595. int renegotiate_seen = 0;
  596. if (data >= (d + n - 2))
  597. goto ri_check;
  598. n2s(data, length);
  599. if (data + length != d + n) {
  600. *al = SSL_AD_DECODE_ERROR;
  601. return 0;
  602. }
  603. while (data <= (d + n - 4)) {
  604. n2s(data, type);
  605. n2s(data, size);
  606. if (data + size > (d + n))
  607. goto ri_check;
  608. if (s->tlsext_debug_cb)
  609. s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
  610. if (type == TLSEXT_TYPE_server_name) {
  611. if (s->tlsext_hostname == NULL || size > 0) {
  612. *al = TLS1_AD_UNRECOGNIZED_NAME;
  613. return 0;
  614. }
  615. tlsext_servername = 1;
  616. } else if (type == TLSEXT_TYPE_session_ticket) {
  617. if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
  618. || (size > 0)) {
  619. *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  620. return 0;
  621. }
  622. s->tlsext_ticket_expected = 1;
  623. } else if (type == TLSEXT_TYPE_status_request &&
  624. s->version != DTLS1_VERSION) {
  625. /*
  626. * MUST be empty and only sent if we've requested a status
  627. * request message.
  628. */
  629. if ((s->tlsext_status_type == -1) || (size > 0)) {
  630. *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  631. return 0;
  632. }
  633. /* Set flag to expect CertificateStatus message */
  634. s->tlsext_status_expected = 1;
  635. } else if (type == TLSEXT_TYPE_renegotiate) {
  636. if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
  637. return 0;
  638. renegotiate_seen = 1;
  639. }
  640. data += size;
  641. }
  642. if (data != d + n) {
  643. *al = SSL_AD_DECODE_ERROR;
  644. return 0;
  645. }
  646. if (!s->hit && tlsext_servername == 1) {
  647. if (s->tlsext_hostname) {
  648. if (s->session->tlsext_hostname == NULL) {
  649. s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
  650. if (!s->session->tlsext_hostname) {
  651. *al = SSL_AD_UNRECOGNIZED_NAME;
  652. return 0;
  653. }
  654. } else {
  655. *al = SSL_AD_DECODE_ERROR;
  656. return 0;
  657. }
  658. }
  659. }
  660. *p = data;
  661. ri_check:
  662. /*
  663. * Determine if we need to see RI. Strictly speaking if we want to avoid
  664. * an attack we should *always* see RI even on initial server hello
  665. * because the client doesn't see any renegotiation during an attack.
  666. * However this would mean we could not connect to any server which
  667. * doesn't support RI so for the immediate future tolerate RI absence on
  668. * initial connect only.
  669. */
  670. if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
  671. && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
  672. *al = SSL_AD_HANDSHAKE_FAILURE;
  673. SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
  674. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  675. return 0;
  676. }
  677. return 1;
  678. }
  679. int ssl_check_clienthello_tlsext_early(SSL *s)
  680. {
  681. int ret = SSL_TLSEXT_ERR_NOACK;
  682. int al = SSL_AD_UNRECOGNIZED_NAME;
  683. if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
  684. ret =
  685. s->ctx->tlsext_servername_callback(s, &al,
  686. s->ctx->tlsext_servername_arg);
  687. else if (s->initial_ctx != NULL
  688. && s->initial_ctx->tlsext_servername_callback != 0)
  689. ret =
  690. s->initial_ctx->tlsext_servername_callback(s, &al,
  691. s->
  692. initial_ctx->tlsext_servername_arg);
  693. switch (ret) {
  694. case SSL_TLSEXT_ERR_ALERT_FATAL:
  695. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  696. return -1;
  697. case SSL_TLSEXT_ERR_ALERT_WARNING:
  698. ssl3_send_alert(s, SSL3_AL_WARNING, al);
  699. return 1;
  700. case SSL_TLSEXT_ERR_NOACK:
  701. s->servername_done = 0;
  702. default:
  703. return 1;
  704. }
  705. }
  706. int ssl_check_clienthello_tlsext_late(SSL *s)
  707. {
  708. int ret = SSL_TLSEXT_ERR_OK;
  709. int al;
  710. /*
  711. * If status request then ask callback what to do. Note: this must be
  712. * called after servername callbacks in case the certificate has
  713. * changed, and must be called after the cipher has been chosen because
  714. * this may influence which certificate is sent
  715. */
  716. if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb) {
  717. int r;
  718. CERT_PKEY *certpkey;
  719. certpkey = ssl_get_server_send_pkey(s);
  720. /* If no certificate can't return certificate status */
  721. if (certpkey == NULL) {
  722. s->tlsext_status_expected = 0;
  723. return 1;
  724. }
  725. /*
  726. * Set current certificate to one we will use so SSL_get_certificate
  727. * et al can pick it up.
  728. */
  729. s->cert->key = certpkey;
  730. r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
  731. switch (r) {
  732. /* We don't want to send a status request response */
  733. case SSL_TLSEXT_ERR_NOACK:
  734. s->tlsext_status_expected = 0;
  735. break;
  736. /* status request response should be sent */
  737. case SSL_TLSEXT_ERR_OK:
  738. if (s->tlsext_ocsp_resp)
  739. s->tlsext_status_expected = 1;
  740. else
  741. s->tlsext_status_expected = 0;
  742. break;
  743. /* something bad happened */
  744. case SSL_TLSEXT_ERR_ALERT_FATAL:
  745. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  746. al = SSL_AD_INTERNAL_ERROR;
  747. goto err;
  748. }
  749. } else
  750. s->tlsext_status_expected = 0;
  751. err:
  752. switch (ret) {
  753. case SSL_TLSEXT_ERR_ALERT_FATAL:
  754. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  755. return -1;
  756. case SSL_TLSEXT_ERR_ALERT_WARNING:
  757. ssl3_send_alert(s, SSL3_AL_WARNING, al);
  758. return 1;
  759. default:
  760. return 1;
  761. }
  762. }
  763. int ssl_check_serverhello_tlsext(SSL *s)
  764. {
  765. int ret = SSL_TLSEXT_ERR_NOACK;
  766. int al = SSL_AD_UNRECOGNIZED_NAME;
  767. if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
  768. ret =
  769. s->ctx->tlsext_servername_callback(s, &al,
  770. s->ctx->tlsext_servername_arg);
  771. else if (s->initial_ctx != NULL
  772. && s->initial_ctx->tlsext_servername_callback != 0)
  773. ret =
  774. s->initial_ctx->tlsext_servername_callback(s, &al,
  775. s->
  776. initial_ctx->tlsext_servername_arg);
  777. /*
  778. * If we've requested certificate status and we wont get one tell the
  779. * callback
  780. */
  781. if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
  782. && s->ctx->tlsext_status_cb) {
  783. int r;
  784. /*
  785. * Set resp to NULL, resplen to -1 so callback knows there is no
  786. * response.
  787. */
  788. if (s->tlsext_ocsp_resp) {
  789. OPENSSL_free(s->tlsext_ocsp_resp);
  790. s->tlsext_ocsp_resp = NULL;
  791. }
  792. s->tlsext_ocsp_resplen = -1;
  793. r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
  794. if (r == 0) {
  795. al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
  796. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  797. }
  798. if (r < 0) {
  799. al = SSL_AD_INTERNAL_ERROR;
  800. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  801. }
  802. }
  803. switch (ret) {
  804. case SSL_TLSEXT_ERR_ALERT_FATAL:
  805. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  806. return -1;
  807. case SSL_TLSEXT_ERR_ALERT_WARNING:
  808. ssl3_send_alert(s, SSL3_AL_WARNING, al);
  809. return 1;
  810. case SSL_TLSEXT_ERR_NOACK:
  811. s->servername_done = 0;
  812. default:
  813. return 1;
  814. }
  815. }
  816. /*
  817. * Since the server cache lookup is done early on in the processing of client
  818. * hello and other operations depend on the result we need to handle any TLS
  819. * session ticket extension at the same time.
  820. */
  821. int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
  822. const unsigned char *limit, SSL_SESSION **ret)
  823. {
  824. /* Point after session ID in client hello */
  825. const unsigned char *p = session_id + len;
  826. unsigned short i;
  827. /*
  828. * If tickets disabled behave as if no ticket present to permit stateful
  829. * resumption.
  830. */
  831. if (SSL_get_options(s) & SSL_OP_NO_TICKET)
  832. return 1;
  833. if ((s->version <= SSL3_VERSION) || !limit)
  834. return 1;
  835. if (p >= limit)
  836. return -1;
  837. /* Skip past DTLS cookie */
  838. if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
  839. i = *(p++);
  840. p += i;
  841. if (p >= limit)
  842. return -1;
  843. }
  844. /* Skip past cipher list */
  845. n2s(p, i);
  846. p += i;
  847. if (p >= limit)
  848. return -1;
  849. /* Skip past compression algorithm list */
  850. i = *(p++);
  851. p += i;
  852. if (p > limit)
  853. return -1;
  854. /* Now at start of extensions */
  855. if ((p + 2) >= limit)
  856. return 1;
  857. n2s(p, i);
  858. while ((p + 4) <= limit) {
  859. unsigned short type, size;
  860. n2s(p, type);
  861. n2s(p, size);
  862. if (p + size > limit)
  863. return 1;
  864. if (type == TLSEXT_TYPE_session_ticket) {
  865. /*
  866. * If zero length note client will accept a ticket and indicate
  867. * cache miss to trigger full handshake
  868. */
  869. if (size == 0) {
  870. s->tlsext_ticket_expected = 1;
  871. return 0; /* Cache miss */
  872. }
  873. return tls_decrypt_ticket(s, p, size, session_id, len, ret);
  874. }
  875. p += size;
  876. }
  877. return 1;
  878. }
  879. static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
  880. int eticklen, const unsigned char *sess_id,
  881. int sesslen, SSL_SESSION **psess)
  882. {
  883. SSL_SESSION *sess;
  884. unsigned char *sdec;
  885. const unsigned char *p;
  886. int slen, mlen, renew_ticket = 0;
  887. unsigned char tick_hmac[EVP_MAX_MD_SIZE];
  888. HMAC_CTX hctx;
  889. EVP_CIPHER_CTX ctx;
  890. SSL_CTX *tctx = s->initial_ctx;
  891. /* Need at least keyname + iv + some encrypted data */
  892. if (eticklen < 48)
  893. goto tickerr;
  894. /* Initialize session ticket encryption and HMAC contexts */
  895. HMAC_CTX_init(&hctx);
  896. EVP_CIPHER_CTX_init(&ctx);
  897. if (tctx->tlsext_ticket_key_cb) {
  898. unsigned char *nctick = (unsigned char *)etick;
  899. int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
  900. &ctx, &hctx, 0);
  901. if (rv < 0)
  902. return -1;
  903. if (rv == 0)
  904. goto tickerr;
  905. if (rv == 2)
  906. renew_ticket = 1;
  907. } else {
  908. /* Check key name matches */
  909. if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
  910. goto tickerr;
  911. HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
  912. tlsext_tick_md(), NULL);
  913. EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
  914. tctx->tlsext_tick_aes_key, etick + 16);
  915. }
  916. /*
  917. * Attempt to process session ticket, first conduct sanity and integrity
  918. * checks on ticket.
  919. */
  920. mlen = HMAC_size(&hctx);
  921. eticklen -= mlen;
  922. /* Check HMAC of encrypted ticket */
  923. HMAC_Update(&hctx, etick, eticklen);
  924. HMAC_Final(&hctx, tick_hmac, NULL);
  925. HMAC_CTX_cleanup(&hctx);
  926. if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
  927. EVP_CIPHER_CTX_cleanup(&ctx);
  928. goto tickerr;
  929. }
  930. /* Attempt to decrypt session data */
  931. /* Move p after IV to start of encrypted ticket, update length */
  932. p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
  933. eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
  934. sdec = OPENSSL_malloc(eticklen);
  935. if (!sdec) {
  936. EVP_CIPHER_CTX_cleanup(&ctx);
  937. return -1;
  938. }
  939. EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
  940. if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
  941. EVP_CIPHER_CTX_cleanup(&ctx);
  942. OPENSSL_free(sdec);
  943. goto tickerr;
  944. }
  945. slen += mlen;
  946. EVP_CIPHER_CTX_cleanup(&ctx);
  947. p = sdec;
  948. sess = d2i_SSL_SESSION(NULL, &p, slen);
  949. OPENSSL_free(sdec);
  950. if (sess) {
  951. /*
  952. * The session ID if non-empty is used by some clients to detect that
  953. * the ticket has been accepted. So we copy it to the session
  954. * structure. If it is empty set length to zero as required by
  955. * standard.
  956. */
  957. if (sesslen)
  958. memcpy(sess->session_id, sess_id, sesslen);
  959. sess->session_id_length = sesslen;
  960. *psess = sess;
  961. s->tlsext_ticket_expected = renew_ticket;
  962. return 1;
  963. }
  964. /*
  965. * If session decrypt failure indicate a cache miss and set state to send
  966. * a new ticket
  967. */
  968. tickerr:
  969. s->tlsext_ticket_expected = 1;
  970. return 0;
  971. }
  972. #endif