155714Skris/* ssl/t1_lib.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 8296465Sdelphij * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15296465Sdelphij * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 22296465Sdelphij * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 37296465Sdelphij * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40296465Sdelphij * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 52296465Sdelphij * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 5855714Skris 5955714Skris#include <stdio.h> 6055714Skris#include <openssl/objects.h> 61194206Ssimon#include <openssl/evp.h> 62194206Ssimon#include <openssl/hmac.h> 63194206Ssimon#include <openssl/ocsp.h> 6455714Skris#include "ssl_locl.h" 6555714Skris 66296465Sdelphijconst char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT; 6755714Skris 68194206Ssimon#ifndef OPENSSL_NO_TLSEXT 69194206Ssimonstatic int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 70296465Sdelphij const unsigned char *sess_id, int sesslen, 71296465Sdelphij SSL_SESSION **psess); 72194206Ssimon#endif 73194206Ssimon 74296465SdelphijSSL3_ENC_METHOD TLSv1_enc_data = { 75296465Sdelphij tls1_enc, 76296465Sdelphij tls1_mac, 77296465Sdelphij tls1_setup_key_block, 78296465Sdelphij tls1_generate_master_secret, 79296465Sdelphij tls1_change_cipher_state, 80296465Sdelphij tls1_final_finish_mac, 81296465Sdelphij TLS1_FINISH_MAC_LENGTH, 82296465Sdelphij tls1_cert_verify_mac, 83296465Sdelphij TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 84296465Sdelphij TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 85296465Sdelphij tls1_alert_code, 86296465Sdelphij}; 8755714Skris 88160814Ssimonlong tls1_default_timeout(void) 89296465Sdelphij{ 90296465Sdelphij /* 91296465Sdelphij * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for 92296465Sdelphij * http, the cache would over fill 93296465Sdelphij */ 94296465Sdelphij return (60 * 60 * 2); 95296465Sdelphij} 9655714Skris 97160814SsimonIMPLEMENT_tls1_meth_func(tlsv1_base_method, 98296465Sdelphij ssl_undefined_function, 99296465Sdelphij ssl_undefined_function, ssl_bad_method) 10055714Skris 10155714Skrisint tls1_new(SSL *s) 102296465Sdelphij{ 103296465Sdelphij if (!ssl3_new(s)) 104296465Sdelphij return (0); 105296465Sdelphij s->method->ssl_clear(s); 106296465Sdelphij return (1); 107296465Sdelphij} 10855714Skris 10955714Skrisvoid tls1_free(SSL *s) 110296465Sdelphij{ 111296465Sdelphij ssl3_free(s); 112296465Sdelphij} 11355714Skris 11455714Skrisvoid tls1_clear(SSL *s) 115296465Sdelphij{ 116296465Sdelphij ssl3_clear(s); 117296465Sdelphij s->version = TLS1_VERSION; 118296465Sdelphij} 11955714Skris 12055714Skris#if 0 12155714Skrislong tls1_ctrl(SSL *s, int cmd, long larg, char *parg) 122296465Sdelphij{ 123296465Sdelphij return (0); 124296465Sdelphij} 12559191Skris 126296465Sdelphijlong tls1_callback_ctrl(SSL *s, int cmd, void *(*fp) ()) 127296465Sdelphij{ 128296465Sdelphij return (0); 129296465Sdelphij} 13055714Skris#endif 131194206Ssimon 132194206Ssimon#ifndef OPENSSL_NO_TLSEXT 133296465Sdelphijunsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, 134296465Sdelphij unsigned char *limit) 135296465Sdelphij{ 136296465Sdelphij int extdatalen = 0; 137296465Sdelphij unsigned char *ret = p; 138194206Ssimon 139296465Sdelphij /* don't add extensions for SSLv3 unless doing secure renegotiation */ 140296465Sdelphij if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) 141296465Sdelphij return p; 142205128Ssimon 143296465Sdelphij ret += 2; 144194206Ssimon 145296465Sdelphij if (ret >= limit) 146296465Sdelphij return NULL; /* this really never occurs, but ... */ 147194206Ssimon 148296465Sdelphij if (s->tlsext_hostname != NULL) { 149296465Sdelphij /* Add TLS extension servername to the Client Hello message */ 150296465Sdelphij unsigned long size_str; 151296465Sdelphij long lenmax; 152194206Ssimon 153296465Sdelphij /*- 154296465Sdelphij * check for enough space. 155296465Sdelphij * 4 for the servername type and entension length 156296465Sdelphij * 2 for servernamelist length 157296465Sdelphij * 1 for the hostname type 158296465Sdelphij * 2 for hostname length 159296465Sdelphij * + hostname length 160296465Sdelphij */ 161194206Ssimon 162296465Sdelphij if ((lenmax = limit - ret - 9) < 0 163296465Sdelphij || (size_str = 164296465Sdelphij strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 165296465Sdelphij return NULL; 166194206Ssimon 167296465Sdelphij /* extension type and length */ 168296465Sdelphij s2n(TLSEXT_TYPE_server_name, ret); 169296465Sdelphij s2n(size_str + 5, ret); 170205128Ssimon 171296465Sdelphij /* length of servername list */ 172296465Sdelphij s2n(size_str + 3, ret); 173205128Ssimon 174296465Sdelphij /* hostname type, length and hostname */ 175296465Sdelphij *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name; 176296465Sdelphij s2n(size_str, ret); 177296465Sdelphij memcpy(ret, s->tlsext_hostname, size_str); 178296465Sdelphij ret += size_str; 179296465Sdelphij 180296465Sdelphij } 181296465Sdelphij 182296465Sdelphij /* Add RI if renegotiating */ 183296465Sdelphij if (s->new_session) { 184296465Sdelphij int el; 185296465Sdelphij 186296465Sdelphij if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 187296465Sdelphij SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 188296465Sdelphij return NULL; 189205128Ssimon } 190205128Ssimon 191296465Sdelphij if ((limit - p - 4 - el) < 0) 192296465Sdelphij return NULL; 193194206Ssimon 194296465Sdelphij s2n(TLSEXT_TYPE_renegotiate, ret); 195296465Sdelphij s2n(el, ret); 196194206Ssimon 197296465Sdelphij if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 198296465Sdelphij SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 199296465Sdelphij return NULL; 200296465Sdelphij } 201194206Ssimon 202296465Sdelphij ret += el; 203296465Sdelphij } 204194206Ssimon 205296465Sdelphij if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 206296465Sdelphij int ticklen; 207296465Sdelphij if (!s->new_session && s->session && s->session->tlsext_tick) 208296465Sdelphij ticklen = s->session->tlsext_ticklen; 209296465Sdelphij else 210296465Sdelphij ticklen = 0; 211296465Sdelphij /* 212296465Sdelphij * Check for enough room 2 for extension type, 2 for len rest for 213296465Sdelphij * ticket 214296465Sdelphij */ 215296465Sdelphij if (limit - ret - 4 - ticklen < 0) 216296465Sdelphij return NULL; 217296465Sdelphij s2n(TLSEXT_TYPE_session_ticket, ret); 218296465Sdelphij s2n(ticklen, ret); 219296465Sdelphij if (ticklen) { 220296465Sdelphij memcpy(ret, s->session->tlsext_tick, ticklen); 221296465Sdelphij ret += ticklen; 222296465Sdelphij } 223296465Sdelphij } 224194206Ssimon 225296465Sdelphij if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 226296465Sdelphij s->version != DTLS1_VERSION) { 227296465Sdelphij int i; 228296465Sdelphij long extlen, idlen, itmp; 229296465Sdelphij OCSP_RESPID *id; 230194206Ssimon 231296465Sdelphij idlen = 0; 232296465Sdelphij for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 233296465Sdelphij id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 234296465Sdelphij itmp = i2d_OCSP_RESPID(id, NULL); 235296465Sdelphij if (itmp <= 0) 236296465Sdelphij return NULL; 237296465Sdelphij idlen += itmp + 2; 238296465Sdelphij } 239194206Ssimon 240296465Sdelphij if (s->tlsext_ocsp_exts) { 241296465Sdelphij extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 242296465Sdelphij if (extlen < 0) 243296465Sdelphij return NULL; 244296465Sdelphij } else 245296465Sdelphij extlen = 0; 246194206Ssimon 247296465Sdelphij if ((long)(limit - ret - 7 - extlen - idlen) < 0) 248296465Sdelphij return NULL; 249296465Sdelphij s2n(TLSEXT_TYPE_status_request, ret); 250296465Sdelphij if (extlen + idlen > 0xFFF0) 251296465Sdelphij return NULL; 252296465Sdelphij s2n(extlen + idlen + 5, ret); 253296465Sdelphij *(ret++) = TLSEXT_STATUSTYPE_ocsp; 254296465Sdelphij s2n(idlen, ret); 255296465Sdelphij for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 256296465Sdelphij /* save position of id len */ 257296465Sdelphij unsigned char *q = ret; 258296465Sdelphij id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 259296465Sdelphij /* skip over id len */ 260296465Sdelphij ret += 2; 261296465Sdelphij itmp = i2d_OCSP_RESPID(id, &ret); 262296465Sdelphij /* write id len */ 263296465Sdelphij s2n(itmp, q); 264296465Sdelphij } 265296465Sdelphij s2n(extlen, ret); 266296465Sdelphij if (extlen > 0) 267296465Sdelphij i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 268296465Sdelphij } 269194206Ssimon 270296465Sdelphij if ((extdatalen = ret - p - 2) == 0) 271296465Sdelphij return p; 272205128Ssimon 273296465Sdelphij s2n(extdatalen, p); 274296465Sdelphij return ret; 275296465Sdelphij} 276205128Ssimon 277296465Sdelphijunsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, 278296465Sdelphij unsigned char *limit) 279296465Sdelphij{ 280296465Sdelphij int extdatalen = 0; 281296465Sdelphij unsigned char *ret = p; 282205128Ssimon 283296465Sdelphij /* 284296465Sdelphij * don't add extensions for SSLv3, unless doing secure renegotiation 285296465Sdelphij */ 286296465Sdelphij if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 287296465Sdelphij return p; 288205128Ssimon 289296465Sdelphij ret += 2; 290296465Sdelphij if (ret >= limit) 291296465Sdelphij return NULL; /* this really never occurs, but ... */ 292296465Sdelphij 293296465Sdelphij if (!s->hit && s->servername_done == 1 294296465Sdelphij && s->session->tlsext_hostname != NULL) { 295296465Sdelphij if (limit - ret - 4 < 0) 296296465Sdelphij return NULL; 297296465Sdelphij 298296465Sdelphij s2n(TLSEXT_TYPE_server_name, ret); 299296465Sdelphij s2n(0, ret); 300296465Sdelphij } 301296465Sdelphij 302296465Sdelphij if (s->s3->send_connection_binding) { 303296465Sdelphij int el; 304296465Sdelphij 305296465Sdelphij if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 306296465Sdelphij SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 307296465Sdelphij return NULL; 308205128Ssimon } 309194206Ssimon 310296465Sdelphij if ((limit - p - 4 - el) < 0) 311296465Sdelphij return NULL; 312194206Ssimon 313296465Sdelphij s2n(TLSEXT_TYPE_renegotiate, ret); 314296465Sdelphij s2n(el, ret); 315194206Ssimon 316296465Sdelphij if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 317296465Sdelphij SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 318296465Sdelphij return NULL; 319296465Sdelphij } 320194206Ssimon 321296465Sdelphij ret += el; 322296465Sdelphij } 323296465Sdelphij 324296465Sdelphij if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 325296465Sdelphij if (limit - ret - 4 < 0) 326296465Sdelphij return NULL; 327296465Sdelphij s2n(TLSEXT_TYPE_session_ticket, ret); 328296465Sdelphij s2n(0, ret); 329296465Sdelphij } 330296465Sdelphij 331296465Sdelphij if (s->tlsext_status_expected) { 332296465Sdelphij if ((long)(limit - ret - 4) < 0) 333296465Sdelphij return NULL; 334296465Sdelphij s2n(TLSEXT_TYPE_status_request, ret); 335296465Sdelphij s2n(0, ret); 336296465Sdelphij } 337296465Sdelphij 338296465Sdelphij if ((extdatalen = ret - p - 2) == 0) 339296465Sdelphij return p; 340296465Sdelphij 341296465Sdelphij s2n(extdatalen, p); 342296465Sdelphij return ret; 343296465Sdelphij} 344296465Sdelphij 345296465Sdelphij# ifndef OPENSSL_NO_EC 346296465Sdelphij/*- 347296465Sdelphij * ssl_check_for_safari attempts to fingerprint Safari using OS X 348267285Sjkim * SecureTransport using the TLS extension block in |d|, of length |n|. 349267285Sjkim * Safari, since 10.6, sends exactly these extensions, in this order: 350267285Sjkim * SNI, 351267285Sjkim * elliptic_curves 352267285Sjkim * ec_point_formats 353267285Sjkim * 354267285Sjkim * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, 355267285Sjkim * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. 356267285Sjkim * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 357267285Sjkim * 10.8..10.8.3 (which don't work). 358267285Sjkim */ 359296465Sdelphijstatic void ssl_check_for_safari(SSL *s, const unsigned char *data, 360306230Sdelphij const unsigned char *limit) 361296465Sdelphij{ 362296465Sdelphij unsigned short type, size; 363296465Sdelphij static const unsigned char kSafariExtensionsBlock[] = { 364296465Sdelphij 0x00, 0x0a, /* elliptic_curves extension */ 365296465Sdelphij 0x00, 0x08, /* 8 bytes */ 366296465Sdelphij 0x00, 0x06, /* 6 bytes of curve ids */ 367296465Sdelphij 0x00, 0x17, /* P-256 */ 368296465Sdelphij 0x00, 0x18, /* P-384 */ 369296465Sdelphij 0x00, 0x19, /* P-521 */ 370267285Sjkim 371296465Sdelphij 0x00, 0x0b, /* ec_point_formats */ 372296465Sdelphij 0x00, 0x02, /* 2 bytes */ 373296465Sdelphij 0x01, /* 1 point format */ 374296465Sdelphij 0x00, /* uncompressed */ 375296465Sdelphij }; 376267285Sjkim 377296465Sdelphij /* The following is only present in TLS 1.2 */ 378296465Sdelphij static const unsigned char kSafariTLS12ExtensionsBlock[] = { 379296465Sdelphij 0x00, 0x0d, /* signature_algorithms */ 380296465Sdelphij 0x00, 0x0c, /* 12 bytes */ 381296465Sdelphij 0x00, 0x0a, /* 10 bytes */ 382296465Sdelphij 0x05, 0x01, /* SHA-384/RSA */ 383296465Sdelphij 0x04, 0x01, /* SHA-256/RSA */ 384296465Sdelphij 0x02, 0x01, /* SHA-1/RSA */ 385296465Sdelphij 0x04, 0x03, /* SHA-256/ECDSA */ 386296465Sdelphij 0x02, 0x03, /* SHA-1/ECDSA */ 387296465Sdelphij }; 388267285Sjkim 389306230Sdelphij if (limit - data <= 2) 390296465Sdelphij return; 391296465Sdelphij data += 2; 392267285Sjkim 393306230Sdelphij if (limit - data < 4) 394296465Sdelphij return; 395296465Sdelphij n2s(data, type); 396296465Sdelphij n2s(data, size); 397267285Sjkim 398296465Sdelphij if (type != TLSEXT_TYPE_server_name) 399296465Sdelphij return; 400267285Sjkim 401306230Sdelphij if (limit - data < size) 402296465Sdelphij return; 403296465Sdelphij data += size; 404267285Sjkim 405296465Sdelphij if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 406296465Sdelphij const size_t len1 = sizeof(kSafariExtensionsBlock); 407296465Sdelphij const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 408267285Sjkim 409306230Sdelphij if (limit - data != (int)(len1 + len2)) 410296465Sdelphij return; 411296465Sdelphij if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 412296465Sdelphij return; 413296465Sdelphij if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 414296465Sdelphij return; 415296465Sdelphij } else { 416296465Sdelphij const size_t len = sizeof(kSafariExtensionsBlock); 417267285Sjkim 418306230Sdelphij if (limit - data != (int)(len)) 419296465Sdelphij return; 420296465Sdelphij if (memcmp(data, kSafariExtensionsBlock, len) != 0) 421296465Sdelphij return; 422296465Sdelphij } 423267285Sjkim 424296465Sdelphij s->s3->is_probably_safari = 1; 425267285Sjkim} 426296465Sdelphij# endif /* !OPENSSL_NO_EC */ 427267285Sjkim 428306230Sdelphijint ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, 429306230Sdelphij unsigned char *limit, int *al) 430296465Sdelphij{ 431296465Sdelphij unsigned short type; 432296465Sdelphij unsigned short size; 433296465Sdelphij unsigned short len; 434296465Sdelphij unsigned char *data = *p; 435296465Sdelphij int renegotiate_seen = 0; 436205128Ssimon 437296465Sdelphij s->servername_done = 0; 438296465Sdelphij s->tlsext_status_type = -1; 439194206Ssimon 440296465Sdelphij# ifndef OPENSSL_NO_EC 441296465Sdelphij if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 442306230Sdelphij ssl_check_for_safari(s, data, limit); 443296465Sdelphij# endif /* !OPENSSL_NO_EC */ 444267285Sjkim 445306230Sdelphij if (data == limit) 446296465Sdelphij goto ri_check; 447205128Ssimon 448306230Sdelphij if (limit - data < 2) 449306230Sdelphij goto err; 450306230Sdelphij 451296465Sdelphij n2s(data, len); 452194206Ssimon 453306230Sdelphij if (limit - data != len) 454306230Sdelphij goto err; 455194206Ssimon 456306230Sdelphij while (limit - data >= 4) { 457296465Sdelphij n2s(data, type); 458296465Sdelphij n2s(data, size); 459194206Ssimon 460306230Sdelphij if (limit - data < size) 461306230Sdelphij goto err; 462296465Sdelphij if (s->tlsext_debug_cb) 463296465Sdelphij s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg); 464296465Sdelphij/*- 465296465Sdelphij * The servername extension is treated as follows: 466296465Sdelphij * 467296465Sdelphij * - Only the hostname type is supported with a maximum length of 255. 468296465Sdelphij * - The servername is rejected if too long or if it contains zeros, 469296465Sdelphij * in which case an fatal alert is generated. 470296465Sdelphij * - The servername field is maintained together with the session cache. 471296465Sdelphij * - When a session is resumed, the servername call back invoked in order 472296465Sdelphij * to allow the application to position itself to the right context. 473296465Sdelphij * - The servername is acknowledged if it is new for a session or when 474296465Sdelphij * it is identical to a previously used for the same session. 475296465Sdelphij * Applications can control the behaviour. They can at any time 476296465Sdelphij * set a 'desirable' servername for a new SSL object. This can be the 477296465Sdelphij * case for example with HTTPS when a Host: header field is received and 478296465Sdelphij * a renegotiation is requested. In this case, a possible servername 479296465Sdelphij * presented in the new client hello is only acknowledged if it matches 480296465Sdelphij * the value of the Host: field. 481296465Sdelphij * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 482296465Sdelphij * if they provide for changing an explicit servername context for the 483296465Sdelphij * session, i.e. when the session has been established with a servername 484296465Sdelphij * extension. 485296465Sdelphij * - On session reconnect, the servername extension may be absent. 486296465Sdelphij * 487296465Sdelphij */ 488194206Ssimon 489296465Sdelphij if (type == TLSEXT_TYPE_server_name) { 490296465Sdelphij unsigned char *sdata; 491296465Sdelphij int servname_type; 492296465Sdelphij int dsize; 493194206Ssimon 494296465Sdelphij if (size < 2) { 495296465Sdelphij *al = SSL_AD_DECODE_ERROR; 496296465Sdelphij return 0; 497296465Sdelphij } 498296465Sdelphij n2s(data, dsize); 499296465Sdelphij size -= 2; 500296465Sdelphij if (dsize > size) { 501296465Sdelphij *al = SSL_AD_DECODE_ERROR; 502296465Sdelphij return 0; 503296465Sdelphij } 504194206Ssimon 505296465Sdelphij sdata = data; 506296465Sdelphij while (dsize > 3) { 507296465Sdelphij servname_type = *(sdata++); 508296465Sdelphij n2s(sdata, len); 509296465Sdelphij dsize -= 3; 510194206Ssimon 511296465Sdelphij if (len > dsize) { 512296465Sdelphij *al = SSL_AD_DECODE_ERROR; 513296465Sdelphij return 0; 514296465Sdelphij } 515296465Sdelphij if (s->servername_done == 0) 516296465Sdelphij switch (servname_type) { 517296465Sdelphij case TLSEXT_NAMETYPE_host_name: 518296465Sdelphij if (!s->hit) { 519296465Sdelphij if (s->session->tlsext_hostname) { 520296465Sdelphij *al = SSL_AD_DECODE_ERROR; 521296465Sdelphij return 0; 522296465Sdelphij } 523296465Sdelphij if (len > TLSEXT_MAXLEN_host_name) { 524296465Sdelphij *al = TLS1_AD_UNRECOGNIZED_NAME; 525296465Sdelphij return 0; 526296465Sdelphij } 527296465Sdelphij if ((s->session->tlsext_hostname = 528296465Sdelphij OPENSSL_malloc(len + 1)) == NULL) { 529296465Sdelphij *al = TLS1_AD_INTERNAL_ERROR; 530296465Sdelphij return 0; 531296465Sdelphij } 532296465Sdelphij memcpy(s->session->tlsext_hostname, sdata, len); 533296465Sdelphij s->session->tlsext_hostname[len] = '\0'; 534296465Sdelphij if (strlen(s->session->tlsext_hostname) != len) { 535296465Sdelphij OPENSSL_free(s->session->tlsext_hostname); 536296465Sdelphij s->session->tlsext_hostname = NULL; 537296465Sdelphij *al = TLS1_AD_UNRECOGNIZED_NAME; 538296465Sdelphij return 0; 539296465Sdelphij } 540296465Sdelphij s->servername_done = 1; 541194206Ssimon 542296465Sdelphij } else 543296465Sdelphij s->servername_done = s->session->tlsext_hostname 544296465Sdelphij && strlen(s->session->tlsext_hostname) == len 545296465Sdelphij && strncmp(s->session->tlsext_hostname, 546296465Sdelphij (char *)sdata, len) == 0; 547194206Ssimon 548296465Sdelphij break; 549194206Ssimon 550296465Sdelphij default: 551296465Sdelphij break; 552296465Sdelphij } 553194206Ssimon 554296465Sdelphij dsize -= len; 555296465Sdelphij } 556296465Sdelphij if (dsize != 0) { 557296465Sdelphij *al = SSL_AD_DECODE_ERROR; 558296465Sdelphij return 0; 559296465Sdelphij } 560194206Ssimon 561296465Sdelphij } else if (type == TLSEXT_TYPE_renegotiate) { 562296465Sdelphij if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 563296465Sdelphij return 0; 564296465Sdelphij renegotiate_seen = 1; 565296465Sdelphij } else if (type == TLSEXT_TYPE_status_request && 566296465Sdelphij s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) { 567194206Ssimon 568296465Sdelphij if (size < 5) { 569296465Sdelphij *al = SSL_AD_DECODE_ERROR; 570296465Sdelphij return 0; 571296465Sdelphij } 572237998Sjkim 573296465Sdelphij s->tlsext_status_type = *data++; 574296465Sdelphij size--; 575296465Sdelphij if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 576296465Sdelphij const unsigned char *sdata; 577296465Sdelphij int dsize; 578296465Sdelphij /* Read in responder_id_list */ 579296465Sdelphij n2s(data, dsize); 580296465Sdelphij size -= 2; 581296465Sdelphij if (dsize > size) { 582296465Sdelphij *al = SSL_AD_DECODE_ERROR; 583296465Sdelphij return 0; 584296465Sdelphij } 585306230Sdelphij 586306230Sdelphij /* 587306230Sdelphij * We remove any OCSP_RESPIDs from a previous handshake 588306230Sdelphij * to prevent unbounded memory growth - CVE-2016-6304 589306230Sdelphij */ 590306230Sdelphij sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, 591306230Sdelphij OCSP_RESPID_free); 592306230Sdelphij if (dsize > 0) { 593306230Sdelphij s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 594306230Sdelphij if (s->tlsext_ocsp_ids == NULL) { 595306230Sdelphij *al = SSL_AD_INTERNAL_ERROR; 596306230Sdelphij return 0; 597306230Sdelphij } 598306230Sdelphij } else { 599306230Sdelphij s->tlsext_ocsp_ids = NULL; 600306230Sdelphij } 601306230Sdelphij 602296465Sdelphij while (dsize > 0) { 603296465Sdelphij OCSP_RESPID *id; 604296465Sdelphij int idsize; 605296465Sdelphij if (dsize < 4) { 606296465Sdelphij *al = SSL_AD_DECODE_ERROR; 607296465Sdelphij return 0; 608296465Sdelphij } 609296465Sdelphij n2s(data, idsize); 610296465Sdelphij dsize -= 2 + idsize; 611296465Sdelphij size -= 2 + idsize; 612296465Sdelphij if (dsize < 0) { 613296465Sdelphij *al = SSL_AD_DECODE_ERROR; 614296465Sdelphij return 0; 615296465Sdelphij } 616296465Sdelphij sdata = data; 617296465Sdelphij data += idsize; 618296465Sdelphij id = d2i_OCSP_RESPID(NULL, &sdata, idsize); 619296465Sdelphij if (!id) { 620296465Sdelphij *al = SSL_AD_DECODE_ERROR; 621296465Sdelphij return 0; 622296465Sdelphij } 623296465Sdelphij if (data != sdata) { 624296465Sdelphij OCSP_RESPID_free(id); 625296465Sdelphij *al = SSL_AD_DECODE_ERROR; 626296465Sdelphij return 0; 627296465Sdelphij } 628296465Sdelphij if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { 629296465Sdelphij OCSP_RESPID_free(id); 630296465Sdelphij *al = SSL_AD_INTERNAL_ERROR; 631296465Sdelphij return 0; 632296465Sdelphij } 633296465Sdelphij } 634205128Ssimon 635296465Sdelphij /* Read in request_extensions */ 636296465Sdelphij if (size < 2) { 637296465Sdelphij *al = SSL_AD_DECODE_ERROR; 638296465Sdelphij return 0; 639296465Sdelphij } 640296465Sdelphij n2s(data, dsize); 641296465Sdelphij size -= 2; 642296465Sdelphij if (dsize != size) { 643296465Sdelphij *al = SSL_AD_DECODE_ERROR; 644296465Sdelphij return 0; 645296465Sdelphij } 646296465Sdelphij sdata = data; 647296465Sdelphij if (dsize > 0) { 648296465Sdelphij if (s->tlsext_ocsp_exts) { 649296465Sdelphij sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 650296465Sdelphij X509_EXTENSION_free); 651296465Sdelphij } 652194206Ssimon 653296465Sdelphij s->tlsext_ocsp_exts = 654296465Sdelphij d2i_X509_EXTENSIONS(NULL, &sdata, dsize); 655296465Sdelphij if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) { 656296465Sdelphij *al = SSL_AD_DECODE_ERROR; 657296465Sdelphij return 0; 658296465Sdelphij } 659296465Sdelphij } 660296465Sdelphij } 661296465Sdelphij /* 662296465Sdelphij * We don't know what to do with any other type * so ignore it. 663296465Sdelphij */ 664296465Sdelphij else 665296465Sdelphij s->tlsext_status_type = -1; 666296465Sdelphij } 667194206Ssimon 668296465Sdelphij /* session ticket processed earlier */ 669205128Ssimon 670296465Sdelphij data += size; 671296465Sdelphij } 672296465Sdelphij *p = data; 673205128Ssimon 674296465Sdelphij ri_check: 675205128Ssimon 676296465Sdelphij /* Need RI if renegotiating */ 677194206Ssimon 678296465Sdelphij if (!renegotiate_seen && s->new_session && 679296465Sdelphij !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 680296465Sdelphij *al = SSL_AD_HANDSHAKE_FAILURE; 681296465Sdelphij SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 682296465Sdelphij SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 683296465Sdelphij return 0; 684296465Sdelphij } 685194206Ssimon 686296465Sdelphij return 1; 687306230Sdelphij 688306230Sdelphijerr: 689306230Sdelphij *al = SSL_AD_DECODE_ERROR; 690306230Sdelphij return 0; 691296465Sdelphij} 692194206Ssimon 693296465Sdelphijint ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 694296465Sdelphij int n, int *al) 695296465Sdelphij{ 696296465Sdelphij unsigned short length; 697296465Sdelphij unsigned short type; 698296465Sdelphij unsigned short size; 699296465Sdelphij unsigned char *data = *p; 700296465Sdelphij int tlsext_servername = 0; 701296465Sdelphij int renegotiate_seen = 0; 702194206Ssimon 703306230Sdelphij if ((d + n) - data <= 2) 704296465Sdelphij goto ri_check; 705194206Ssimon 706296465Sdelphij n2s(data, length); 707306230Sdelphij if ((d + n) - data != length) { 708296465Sdelphij *al = SSL_AD_DECODE_ERROR; 709296465Sdelphij return 0; 710296465Sdelphij } 711194206Ssimon 712306230Sdelphij while ((d + n) - data >= 4) { 713296465Sdelphij n2s(data, type); 714296465Sdelphij n2s(data, size); 715194206Ssimon 716306230Sdelphij if ((d + n) - data < size) 717296465Sdelphij goto ri_check; 718194206Ssimon 719296465Sdelphij if (s->tlsext_debug_cb) 720296465Sdelphij s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg); 721194206Ssimon 722296465Sdelphij if (type == TLSEXT_TYPE_server_name) { 723296465Sdelphij if (s->tlsext_hostname == NULL || size > 0) { 724296465Sdelphij *al = TLS1_AD_UNRECOGNIZED_NAME; 725296465Sdelphij return 0; 726296465Sdelphij } 727296465Sdelphij tlsext_servername = 1; 728296465Sdelphij } else if (type == TLSEXT_TYPE_session_ticket) { 729296465Sdelphij if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 730296465Sdelphij || (size > 0)) { 731296465Sdelphij *al = TLS1_AD_UNSUPPORTED_EXTENSION; 732296465Sdelphij return 0; 733296465Sdelphij } 734296465Sdelphij s->tlsext_ticket_expected = 1; 735296465Sdelphij } else if (type == TLSEXT_TYPE_status_request && 736296465Sdelphij s->version != DTLS1_VERSION) { 737296465Sdelphij /* 738296465Sdelphij * MUST be empty and only sent if we've requested a status 739296465Sdelphij * request message. 740296465Sdelphij */ 741296465Sdelphij if ((s->tlsext_status_type == -1) || (size > 0)) { 742296465Sdelphij *al = TLS1_AD_UNSUPPORTED_EXTENSION; 743296465Sdelphij return 0; 744296465Sdelphij } 745296465Sdelphij /* Set flag to expect CertificateStatus message */ 746296465Sdelphij s->tlsext_status_expected = 1; 747296465Sdelphij } else if (type == TLSEXT_TYPE_renegotiate) { 748296465Sdelphij if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 749296465Sdelphij return 0; 750296465Sdelphij renegotiate_seen = 1; 751296465Sdelphij } 752296465Sdelphij data += size; 753296465Sdelphij } 754194206Ssimon 755296465Sdelphij if (data != d + n) { 756296465Sdelphij *al = SSL_AD_DECODE_ERROR; 757296465Sdelphij return 0; 758296465Sdelphij } 759205128Ssimon 760296465Sdelphij if (!s->hit && tlsext_servername == 1) { 761296465Sdelphij if (s->tlsext_hostname) { 762296465Sdelphij if (s->session->tlsext_hostname == NULL) { 763296465Sdelphij s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 764296465Sdelphij if (!s->session->tlsext_hostname) { 765296465Sdelphij *al = SSL_AD_UNRECOGNIZED_NAME; 766296465Sdelphij return 0; 767296465Sdelphij } 768296465Sdelphij } else { 769296465Sdelphij *al = SSL_AD_DECODE_ERROR; 770296465Sdelphij return 0; 771296465Sdelphij } 772296465Sdelphij } 773296465Sdelphij } 774205128Ssimon 775296465Sdelphij *p = data; 776205128Ssimon 777296465Sdelphij ri_check: 778194206Ssimon 779296465Sdelphij /* 780296465Sdelphij * Determine if we need to see RI. Strictly speaking if we want to avoid 781296465Sdelphij * an attack we should *always* see RI even on initial server hello 782296465Sdelphij * because the client doesn't see any renegotiation during an attack. 783296465Sdelphij * However this would mean we could not connect to any server which 784296465Sdelphij * doesn't support RI so for the immediate future tolerate RI absence on 785296465Sdelphij * initial connect only. 786296465Sdelphij */ 787296465Sdelphij if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 788296465Sdelphij && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 789296465Sdelphij *al = SSL_AD_HANDSHAKE_FAILURE; 790296465Sdelphij SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 791296465Sdelphij SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 792296465Sdelphij return 0; 793296465Sdelphij } 794296465Sdelphij 795296465Sdelphij return 1; 796296465Sdelphij} 797296465Sdelphij 798248272Sdelphijint ssl_check_clienthello_tlsext_early(SSL *s) 799296465Sdelphij{ 800296465Sdelphij int ret = SSL_TLSEXT_ERR_NOACK; 801296465Sdelphij int al = SSL_AD_UNRECOGNIZED_NAME; 802194206Ssimon 803296465Sdelphij if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 804296465Sdelphij ret = 805296465Sdelphij s->ctx->tlsext_servername_callback(s, &al, 806296465Sdelphij s->ctx->tlsext_servername_arg); 807296465Sdelphij else if (s->initial_ctx != NULL 808296465Sdelphij && s->initial_ctx->tlsext_servername_callback != 0) 809296465Sdelphij ret = 810296465Sdelphij s->initial_ctx->tlsext_servername_callback(s, &al, 811296465Sdelphij s-> 812296465Sdelphij initial_ctx->tlsext_servername_arg); 813194206Ssimon 814296465Sdelphij switch (ret) { 815296465Sdelphij case SSL_TLSEXT_ERR_ALERT_FATAL: 816296465Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 817296465Sdelphij return -1; 818248272Sdelphij 819296465Sdelphij case SSL_TLSEXT_ERR_ALERT_WARNING: 820296465Sdelphij ssl3_send_alert(s, SSL3_AL_WARNING, al); 821296465Sdelphij return 1; 822248272Sdelphij 823296465Sdelphij case SSL_TLSEXT_ERR_NOACK: 824296465Sdelphij s->servername_done = 0; 825248272Sdelphij 826296465Sdelphij default: 827296465Sdelphij return 1; 828296465Sdelphij } 829296465Sdelphij} 830296465Sdelphij 831248272Sdelphijint ssl_check_clienthello_tlsext_late(SSL *s) 832296465Sdelphij{ 833296465Sdelphij int ret = SSL_TLSEXT_ERR_OK; 834296465Sdelphij int al; 835248272Sdelphij 836296465Sdelphij /* 837296465Sdelphij * If status request then ask callback what to do. Note: this must be 838296465Sdelphij * called after servername callbacks in case the certificate has 839296465Sdelphij * changed, and must be called after the cipher has been chosen because 840296465Sdelphij * this may influence which certificate is sent 841296465Sdelphij */ 842296465Sdelphij if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb) { 843296465Sdelphij int r; 844296465Sdelphij CERT_PKEY *certpkey; 845296465Sdelphij certpkey = ssl_get_server_send_pkey(s); 846296465Sdelphij /* If no certificate can't return certificate status */ 847296465Sdelphij if (certpkey == NULL) { 848296465Sdelphij s->tlsext_status_expected = 0; 849296465Sdelphij return 1; 850296465Sdelphij } 851296465Sdelphij /* 852296465Sdelphij * Set current certificate to one we will use so SSL_get_certificate 853296465Sdelphij * et al can pick it up. 854296465Sdelphij */ 855296465Sdelphij s->cert->key = certpkey; 856296465Sdelphij r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 857296465Sdelphij switch (r) { 858296465Sdelphij /* We don't want to send a status request response */ 859296465Sdelphij case SSL_TLSEXT_ERR_NOACK: 860296465Sdelphij s->tlsext_status_expected = 0; 861296465Sdelphij break; 862296465Sdelphij /* status request response should be sent */ 863296465Sdelphij case SSL_TLSEXT_ERR_OK: 864296465Sdelphij if (s->tlsext_ocsp_resp) 865296465Sdelphij s->tlsext_status_expected = 1; 866296465Sdelphij else 867296465Sdelphij s->tlsext_status_expected = 0; 868296465Sdelphij break; 869296465Sdelphij /* something bad happened */ 870296465Sdelphij case SSL_TLSEXT_ERR_ALERT_FATAL: 871296465Sdelphij ret = SSL_TLSEXT_ERR_ALERT_FATAL; 872296465Sdelphij al = SSL_AD_INTERNAL_ERROR; 873296465Sdelphij goto err; 874296465Sdelphij } 875296465Sdelphij } else 876296465Sdelphij s->tlsext_status_expected = 0; 877248272Sdelphij 878248272Sdelphij err: 879296465Sdelphij switch (ret) { 880296465Sdelphij case SSL_TLSEXT_ERR_ALERT_FATAL: 881296465Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 882296465Sdelphij return -1; 883194206Ssimon 884296465Sdelphij case SSL_TLSEXT_ERR_ALERT_WARNING: 885296465Sdelphij ssl3_send_alert(s, SSL3_AL_WARNING, al); 886296465Sdelphij return 1; 887248272Sdelphij 888296465Sdelphij default: 889296465Sdelphij return 1; 890296465Sdelphij } 891296465Sdelphij} 892194206Ssimon 893194206Ssimonint ssl_check_serverhello_tlsext(SSL *s) 894296465Sdelphij{ 895296465Sdelphij int ret = SSL_TLSEXT_ERR_NOACK; 896296465Sdelphij int al = SSL_AD_UNRECOGNIZED_NAME; 897194206Ssimon 898296465Sdelphij if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 899296465Sdelphij ret = 900296465Sdelphij s->ctx->tlsext_servername_callback(s, &al, 901296465Sdelphij s->ctx->tlsext_servername_arg); 902296465Sdelphij else if (s->initial_ctx != NULL 903296465Sdelphij && s->initial_ctx->tlsext_servername_callback != 0) 904296465Sdelphij ret = 905296465Sdelphij s->initial_ctx->tlsext_servername_callback(s, &al, 906296465Sdelphij s-> 907296465Sdelphij initial_ctx->tlsext_servername_arg); 908194206Ssimon 909296465Sdelphij /* 910296465Sdelphij * If we've requested certificate status and we wont get one tell the 911296465Sdelphij * callback 912296465Sdelphij */ 913296465Sdelphij if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 914296465Sdelphij && s->ctx->tlsext_status_cb) { 915296465Sdelphij int r; 916296465Sdelphij /* 917296465Sdelphij * Set resp to NULL, resplen to -1 so callback knows there is no 918296465Sdelphij * response. 919296465Sdelphij */ 920296465Sdelphij if (s->tlsext_ocsp_resp) { 921296465Sdelphij OPENSSL_free(s->tlsext_ocsp_resp); 922296465Sdelphij s->tlsext_ocsp_resp = NULL; 923296465Sdelphij } 924296465Sdelphij s->tlsext_ocsp_resplen = -1; 925296465Sdelphij r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 926296465Sdelphij if (r == 0) { 927296465Sdelphij al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 928296465Sdelphij ret = SSL_TLSEXT_ERR_ALERT_FATAL; 929296465Sdelphij } 930296465Sdelphij if (r < 0) { 931296465Sdelphij al = SSL_AD_INTERNAL_ERROR; 932296465Sdelphij ret = SSL_TLSEXT_ERR_ALERT_FATAL; 933296465Sdelphij } 934296465Sdelphij } 935194206Ssimon 936296465Sdelphij switch (ret) { 937296465Sdelphij case SSL_TLSEXT_ERR_ALERT_FATAL: 938296465Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 939296465Sdelphij return -1; 940194206Ssimon 941296465Sdelphij case SSL_TLSEXT_ERR_ALERT_WARNING: 942296465Sdelphij ssl3_send_alert(s, SSL3_AL_WARNING, al); 943296465Sdelphij return 1; 944194206Ssimon 945296465Sdelphij case SSL_TLSEXT_ERR_NOACK: 946296465Sdelphij s->servername_done = 0; 947296465Sdelphij default: 948296465Sdelphij return 1; 949296465Sdelphij } 950296465Sdelphij} 951296465Sdelphij 952296465Sdelphij/* 953296465Sdelphij * Since the server cache lookup is done early on in the processing of client 954194206Ssimon * hello and other operations depend on the result we need to handle any TLS 955194206Ssimon * session ticket extension at the same time. 956194206Ssimon */ 957194206Ssimon 958194206Ssimonint tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 959296465Sdelphij const unsigned char *limit, SSL_SESSION **ret) 960296465Sdelphij{ 961296465Sdelphij /* Point after session ID in client hello */ 962296465Sdelphij const unsigned char *p = session_id + len; 963296465Sdelphij unsigned short i; 964194206Ssimon 965296465Sdelphij /* 966296465Sdelphij * If tickets disabled behave as if no ticket present to permit stateful 967296465Sdelphij * resumption. 968296465Sdelphij */ 969296465Sdelphij if (SSL_get_options(s) & SSL_OP_NO_TICKET) 970296465Sdelphij return 1; 971194206Ssimon 972296465Sdelphij if ((s->version <= SSL3_VERSION) || !limit) 973296465Sdelphij return 1; 974296465Sdelphij if (p >= limit) 975296465Sdelphij return -1; 976296465Sdelphij /* Skip past DTLS cookie */ 977296465Sdelphij if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { 978296465Sdelphij i = *(p++); 979306230Sdelphij 980306230Sdelphij if (limit - p <= i) 981306230Sdelphij return -1; 982306230Sdelphij 983296465Sdelphij p += i; 984296465Sdelphij } 985296465Sdelphij /* Skip past cipher list */ 986296465Sdelphij n2s(p, i); 987306230Sdelphij if (limit - p <= i) 988306230Sdelphij return -1; 989296465Sdelphij p += i; 990306230Sdelphij 991296465Sdelphij /* Skip past compression algorithm list */ 992296465Sdelphij i = *(p++); 993306230Sdelphij if (limit - p < i) 994306230Sdelphij return -1; 995296465Sdelphij p += i; 996306230Sdelphij 997296465Sdelphij /* Now at start of extensions */ 998306230Sdelphij if (limit - p <= 2) 999296465Sdelphij return 1; 1000296465Sdelphij n2s(p, i); 1001306230Sdelphij while (limit - p >= 4) { 1002296465Sdelphij unsigned short type, size; 1003296465Sdelphij n2s(p, type); 1004296465Sdelphij n2s(p, size); 1005306230Sdelphij if (limit - p < size) 1006296465Sdelphij return 1; 1007296465Sdelphij if (type == TLSEXT_TYPE_session_ticket) { 1008296465Sdelphij /* 1009296465Sdelphij * If zero length note client will accept a ticket and indicate 1010296465Sdelphij * cache miss to trigger full handshake 1011296465Sdelphij */ 1012296465Sdelphij if (size == 0) { 1013296465Sdelphij s->tlsext_ticket_expected = 1; 1014296465Sdelphij return 0; /* Cache miss */ 1015296465Sdelphij } 1016296465Sdelphij return tls_decrypt_ticket(s, p, size, session_id, len, ret); 1017296465Sdelphij } 1018296465Sdelphij p += size; 1019296465Sdelphij } 1020296465Sdelphij return 1; 1021296465Sdelphij} 1022194206Ssimon 1023296465Sdelphijstatic int tls_decrypt_ticket(SSL *s, const unsigned char *etick, 1024296465Sdelphij int eticklen, const unsigned char *sess_id, 1025296465Sdelphij int sesslen, SSL_SESSION **psess) 1026296465Sdelphij{ 1027296465Sdelphij SSL_SESSION *sess; 1028296465Sdelphij unsigned char *sdec; 1029296465Sdelphij const unsigned char *p; 1030296465Sdelphij int slen, mlen, renew_ticket = 0; 1031296465Sdelphij unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 1032296465Sdelphij HMAC_CTX hctx; 1033296465Sdelphij EVP_CIPHER_CTX ctx; 1034296465Sdelphij SSL_CTX *tctx = s->initial_ctx; 1035306230Sdelphij 1036296465Sdelphij /* Initialize session ticket encryption and HMAC contexts */ 1037296465Sdelphij HMAC_CTX_init(&hctx); 1038296465Sdelphij EVP_CIPHER_CTX_init(&ctx); 1039296465Sdelphij if (tctx->tlsext_ticket_key_cb) { 1040296465Sdelphij unsigned char *nctick = (unsigned char *)etick; 1041296465Sdelphij int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 1042296465Sdelphij &ctx, &hctx, 0); 1043296465Sdelphij if (rv < 0) 1044296465Sdelphij return -1; 1045296465Sdelphij if (rv == 0) 1046296465Sdelphij goto tickerr; 1047296465Sdelphij if (rv == 2) 1048296465Sdelphij renew_ticket = 1; 1049296465Sdelphij } else { 1050296465Sdelphij /* Check key name matches */ 1051296465Sdelphij if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 1052296465Sdelphij goto tickerr; 1053296465Sdelphij HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 1054296465Sdelphij tlsext_tick_md(), NULL); 1055296465Sdelphij EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 1056296465Sdelphij tctx->tlsext_tick_aes_key, etick + 16); 1057296465Sdelphij } 1058296465Sdelphij /* 1059296465Sdelphij * Attempt to process session ticket, first conduct sanity and integrity 1060296465Sdelphij * checks on ticket. 1061296465Sdelphij */ 1062296465Sdelphij mlen = HMAC_size(&hctx); 1063306230Sdelphij /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 1064306230Sdelphij if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) { 1065306230Sdelphij HMAC_CTX_cleanup(&hctx); 1066306230Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 1067306230Sdelphij return 2; 1068306230Sdelphij } 1069306230Sdelphij 1070296465Sdelphij eticklen -= mlen; 1071296465Sdelphij /* Check HMAC of encrypted ticket */ 1072296465Sdelphij HMAC_Update(&hctx, etick, eticklen); 1073296465Sdelphij HMAC_Final(&hctx, tick_hmac, NULL); 1074296465Sdelphij HMAC_CTX_cleanup(&hctx); 1075296465Sdelphij if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 1076296465Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 1077296465Sdelphij goto tickerr; 1078296465Sdelphij } 1079296465Sdelphij /* Attempt to decrypt session data */ 1080296465Sdelphij /* Move p after IV to start of encrypted ticket, update length */ 1081296465Sdelphij p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 1082296465Sdelphij eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 1083296465Sdelphij sdec = OPENSSL_malloc(eticklen); 1084296465Sdelphij if (!sdec) { 1085296465Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 1086296465Sdelphij return -1; 1087296465Sdelphij } 1088296465Sdelphij EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 1089296465Sdelphij if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) { 1090296465Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 1091296465Sdelphij OPENSSL_free(sdec); 1092296465Sdelphij goto tickerr; 1093296465Sdelphij } 1094296465Sdelphij slen += mlen; 1095296465Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 1096296465Sdelphij p = sdec; 1097194206Ssimon 1098296465Sdelphij sess = d2i_SSL_SESSION(NULL, &p, slen); 1099296465Sdelphij OPENSSL_free(sdec); 1100296465Sdelphij if (sess) { 1101296465Sdelphij /* 1102296465Sdelphij * The session ID if non-empty is used by some clients to detect that 1103296465Sdelphij * the ticket has been accepted. So we copy it to the session 1104296465Sdelphij * structure. If it is empty set length to zero as required by 1105296465Sdelphij * standard. 1106296465Sdelphij */ 1107296465Sdelphij if (sesslen) 1108296465Sdelphij memcpy(sess->session_id, sess_id, sesslen); 1109296465Sdelphij sess->session_id_length = sesslen; 1110296465Sdelphij *psess = sess; 1111296465Sdelphij s->tlsext_ticket_expected = renew_ticket; 1112296465Sdelphij return 1; 1113296465Sdelphij } 1114296465Sdelphij /* 1115296465Sdelphij * If session decrypt failure indicate a cache miss and set state to send 1116296465Sdelphij * a new ticket 1117296465Sdelphij */ 1118296465Sdelphij tickerr: 1119296465Sdelphij s->tlsext_ticket_expected = 1; 1120296465Sdelphij return 0; 1121296465Sdelphij} 1122296465Sdelphij 1123194206Ssimon#endif 1124