t1_lib.c revision 306230
1/* ssl/t1_lib.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59#include <stdio.h> 60#include <openssl/objects.h> 61#include <openssl/evp.h> 62#include <openssl/hmac.h> 63#include <openssl/ocsp.h> 64#include "ssl_locl.h" 65 66const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT; 67 68#ifndef OPENSSL_NO_TLSEXT 69static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 70 const unsigned char *sess_id, int sesslen, 71 SSL_SESSION **psess); 72#endif 73 74SSL3_ENC_METHOD TLSv1_enc_data = { 75 tls1_enc, 76 tls1_mac, 77 tls1_setup_key_block, 78 tls1_generate_master_secret, 79 tls1_change_cipher_state, 80 tls1_final_finish_mac, 81 TLS1_FINISH_MAC_LENGTH, 82 tls1_cert_verify_mac, 83 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 84 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 85 tls1_alert_code, 86}; 87 88long tls1_default_timeout(void) 89{ 90 /* 91 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for 92 * http, the cache would over fill 93 */ 94 return (60 * 60 * 2); 95} 96 97IMPLEMENT_tls1_meth_func(tlsv1_base_method, 98 ssl_undefined_function, 99 ssl_undefined_function, ssl_bad_method) 100 101int tls1_new(SSL *s) 102{ 103 if (!ssl3_new(s)) 104 return (0); 105 s->method->ssl_clear(s); 106 return (1); 107} 108 109void tls1_free(SSL *s) 110{ 111 ssl3_free(s); 112} 113 114void tls1_clear(SSL *s) 115{ 116 ssl3_clear(s); 117 s->version = TLS1_VERSION; 118} 119 120#if 0 121long tls1_ctrl(SSL *s, int cmd, long larg, char *parg) 122{ 123 return (0); 124} 125 126long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp) ()) 127{ 128 return (0); 129} 130#endif 131 132#ifndef OPENSSL_NO_TLSEXT 133unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, 134 unsigned char *limit) 135{ 136 int extdatalen = 0; 137 unsigned char *ret = p; 138 139 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 140 if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) 141 return p; 142 143 ret += 2; 144 145 if (ret >= limit) 146 return NULL; /* this really never occurs, but ... */ 147 148 if (s->tlsext_hostname != NULL) { 149 /* Add TLS extension servername to the Client Hello message */ 150 unsigned long size_str; 151 long lenmax; 152 153 /*- 154 * check for enough space. 155 * 4 for the servername type and entension length 156 * 2 for servernamelist length 157 * 1 for the hostname type 158 * 2 for hostname length 159 * + hostname length 160 */ 161 162 if ((lenmax = limit - ret - 9) < 0 163 || (size_str = 164 strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 165 return NULL; 166 167 /* extension type and length */ 168 s2n(TLSEXT_TYPE_server_name, ret); 169 s2n(size_str + 5, ret); 170 171 /* length of servername list */ 172 s2n(size_str + 3, ret); 173 174 /* hostname type, length and hostname */ 175 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name; 176 s2n(size_str, ret); 177 memcpy(ret, s->tlsext_hostname, size_str); 178 ret += size_str; 179 180 } 181 182 /* Add RI if renegotiating */ 183 if (s->new_session) { 184 int el; 185 186 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 187 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 188 return NULL; 189 } 190 191 if ((limit - p - 4 - el) < 0) 192 return NULL; 193 194 s2n(TLSEXT_TYPE_renegotiate, ret); 195 s2n(el, ret); 196 197 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 198 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 199 return NULL; 200 } 201 202 ret += el; 203 } 204 205 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 206 int ticklen; 207 if (!s->new_session && s->session && s->session->tlsext_tick) 208 ticklen = s->session->tlsext_ticklen; 209 else 210 ticklen = 0; 211 /* 212 * Check for enough room 2 for extension type, 2 for len rest for 213 * ticket 214 */ 215 if (limit - ret - 4 - ticklen < 0) 216 return NULL; 217 s2n(TLSEXT_TYPE_session_ticket, ret); 218 s2n(ticklen, ret); 219 if (ticklen) { 220 memcpy(ret, s->session->tlsext_tick, ticklen); 221 ret += ticklen; 222 } 223 } 224 225 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 226 s->version != DTLS1_VERSION) { 227 int i; 228 long extlen, idlen, itmp; 229 OCSP_RESPID *id; 230 231 idlen = 0; 232 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 233 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 234 itmp = i2d_OCSP_RESPID(id, NULL); 235 if (itmp <= 0) 236 return NULL; 237 idlen += itmp + 2; 238 } 239 240 if (s->tlsext_ocsp_exts) { 241 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 242 if (extlen < 0) 243 return NULL; 244 } else 245 extlen = 0; 246 247 if ((long)(limit - ret - 7 - extlen - idlen) < 0) 248 return NULL; 249 s2n(TLSEXT_TYPE_status_request, ret); 250 if (extlen + idlen > 0xFFF0) 251 return NULL; 252 s2n(extlen + idlen + 5, ret); 253 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 254 s2n(idlen, ret); 255 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 256 /* save position of id len */ 257 unsigned char *q = ret; 258 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 259 /* skip over id len */ 260 ret += 2; 261 itmp = i2d_OCSP_RESPID(id, &ret); 262 /* write id len */ 263 s2n(itmp, q); 264 } 265 s2n(extlen, ret); 266 if (extlen > 0) 267 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 268 } 269 270 if ((extdatalen = ret - p - 2) == 0) 271 return p; 272 273 s2n(extdatalen, p); 274 return ret; 275} 276 277unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, 278 unsigned char *limit) 279{ 280 int extdatalen = 0; 281 unsigned char *ret = p; 282 283 /* 284 * don't add extensions for SSLv3, unless doing secure renegotiation 285 */ 286 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 287 return p; 288 289 ret += 2; 290 if (ret >= limit) 291 return NULL; /* this really never occurs, but ... */ 292 293 if (!s->hit && s->servername_done == 1 294 && s->session->tlsext_hostname != NULL) { 295 if (limit - ret - 4 < 0) 296 return NULL; 297 298 s2n(TLSEXT_TYPE_server_name, ret); 299 s2n(0, ret); 300 } 301 302 if (s->s3->send_connection_binding) { 303 int el; 304 305 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 306 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 307 return NULL; 308 } 309 310 if ((limit - p - 4 - el) < 0) 311 return NULL; 312 313 s2n(TLSEXT_TYPE_renegotiate, ret); 314 s2n(el, ret); 315 316 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 317 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 318 return NULL; 319 } 320 321 ret += el; 322 } 323 324 if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 325 if (limit - ret - 4 < 0) 326 return NULL; 327 s2n(TLSEXT_TYPE_session_ticket, ret); 328 s2n(0, ret); 329 } 330 331 if (s->tlsext_status_expected) { 332 if ((long)(limit - ret - 4) < 0) 333 return NULL; 334 s2n(TLSEXT_TYPE_status_request, ret); 335 s2n(0, ret); 336 } 337 338 if ((extdatalen = ret - p - 2) == 0) 339 return p; 340 341 s2n(extdatalen, p); 342 return ret; 343} 344 345# ifndef OPENSSL_NO_EC 346/*- 347 * ssl_check_for_safari attempts to fingerprint Safari using OS X 348 * SecureTransport using the TLS extension block in |d|, of length |n|. 349 * Safari, since 10.6, sends exactly these extensions, in this order: 350 * SNI, 351 * elliptic_curves 352 * ec_point_formats 353 * 354 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, 355 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. 356 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 357 * 10.8..10.8.3 (which don't work). 358 */ 359static void ssl_check_for_safari(SSL *s, const unsigned char *data, 360 const unsigned char *limit) 361{ 362 unsigned short type, size; 363 static const unsigned char kSafariExtensionsBlock[] = { 364 0x00, 0x0a, /* elliptic_curves extension */ 365 0x00, 0x08, /* 8 bytes */ 366 0x00, 0x06, /* 6 bytes of curve ids */ 367 0x00, 0x17, /* P-256 */ 368 0x00, 0x18, /* P-384 */ 369 0x00, 0x19, /* P-521 */ 370 371 0x00, 0x0b, /* ec_point_formats */ 372 0x00, 0x02, /* 2 bytes */ 373 0x01, /* 1 point format */ 374 0x00, /* uncompressed */ 375 }; 376 377 /* The following is only present in TLS 1.2 */ 378 static const unsigned char kSafariTLS12ExtensionsBlock[] = { 379 0x00, 0x0d, /* signature_algorithms */ 380 0x00, 0x0c, /* 12 bytes */ 381 0x00, 0x0a, /* 10 bytes */ 382 0x05, 0x01, /* SHA-384/RSA */ 383 0x04, 0x01, /* SHA-256/RSA */ 384 0x02, 0x01, /* SHA-1/RSA */ 385 0x04, 0x03, /* SHA-256/ECDSA */ 386 0x02, 0x03, /* SHA-1/ECDSA */ 387 }; 388 389 if (limit - data <= 2) 390 return; 391 data += 2; 392 393 if (limit - data < 4) 394 return; 395 n2s(data, type); 396 n2s(data, size); 397 398 if (type != TLSEXT_TYPE_server_name) 399 return; 400 401 if (limit - data < size) 402 return; 403 data += size; 404 405 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 406 const size_t len1 = sizeof(kSafariExtensionsBlock); 407 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 408 409 if (limit - data != (int)(len1 + len2)) 410 return; 411 if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 412 return; 413 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 414 return; 415 } else { 416 const size_t len = sizeof(kSafariExtensionsBlock); 417 418 if (limit - data != (int)(len)) 419 return; 420 if (memcmp(data, kSafariExtensionsBlock, len) != 0) 421 return; 422 } 423 424 s->s3->is_probably_safari = 1; 425} 426# endif /* !OPENSSL_NO_EC */ 427 428int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, 429 unsigned char *limit, int *al) 430{ 431 unsigned short type; 432 unsigned short size; 433 unsigned short len; 434 unsigned char *data = *p; 435 int renegotiate_seen = 0; 436 437 s->servername_done = 0; 438 s->tlsext_status_type = -1; 439 440# ifndef OPENSSL_NO_EC 441 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 442 ssl_check_for_safari(s, data, limit); 443# endif /* !OPENSSL_NO_EC */ 444 445 if (data == limit) 446 goto ri_check; 447 448 if (limit - data < 2) 449 goto err; 450 451 n2s(data, len); 452 453 if (limit - data != len) 454 goto err; 455 456 while (limit - data >= 4) { 457 n2s(data, type); 458 n2s(data, size); 459 460 if (limit - data < size) 461 goto err; 462 if (s->tlsext_debug_cb) 463 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg); 464/*- 465 * The servername extension is treated as follows: 466 * 467 * - Only the hostname type is supported with a maximum length of 255. 468 * - The servername is rejected if too long or if it contains zeros, 469 * in which case an fatal alert is generated. 470 * - The servername field is maintained together with the session cache. 471 * - When a session is resumed, the servername call back invoked in order 472 * to allow the application to position itself to the right context. 473 * - The servername is acknowledged if it is new for a session or when 474 * it is identical to a previously used for the same session. 475 * Applications can control the behaviour. They can at any time 476 * set a 'desirable' servername for a new SSL object. This can be the 477 * case for example with HTTPS when a Host: header field is received and 478 * a renegotiation is requested. In this case, a possible servername 479 * presented in the new client hello is only acknowledged if it matches 480 * the value of the Host: field. 481 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 482 * if they provide for changing an explicit servername context for the 483 * session, i.e. when the session has been established with a servername 484 * extension. 485 * - On session reconnect, the servername extension may be absent. 486 * 487 */ 488 489 if (type == TLSEXT_TYPE_server_name) { 490 unsigned char *sdata; 491 int servname_type; 492 int dsize; 493 494 if (size < 2) { 495 *al = SSL_AD_DECODE_ERROR; 496 return 0; 497 } 498 n2s(data, dsize); 499 size -= 2; 500 if (dsize > size) { 501 *al = SSL_AD_DECODE_ERROR; 502 return 0; 503 } 504 505 sdata = data; 506 while (dsize > 3) { 507 servname_type = *(sdata++); 508 n2s(sdata, len); 509 dsize -= 3; 510 511 if (len > dsize) { 512 *al = SSL_AD_DECODE_ERROR; 513 return 0; 514 } 515 if (s->servername_done == 0) 516 switch (servname_type) { 517 case TLSEXT_NAMETYPE_host_name: 518 if (!s->hit) { 519 if (s->session->tlsext_hostname) { 520 *al = SSL_AD_DECODE_ERROR; 521 return 0; 522 } 523 if (len > TLSEXT_MAXLEN_host_name) { 524 *al = TLS1_AD_UNRECOGNIZED_NAME; 525 return 0; 526 } 527 if ((s->session->tlsext_hostname = 528 OPENSSL_malloc(len + 1)) == NULL) { 529 *al = TLS1_AD_INTERNAL_ERROR; 530 return 0; 531 } 532 memcpy(s->session->tlsext_hostname, sdata, len); 533 s->session->tlsext_hostname[len] = '\0'; 534 if (strlen(s->session->tlsext_hostname) != len) { 535 OPENSSL_free(s->session->tlsext_hostname); 536 s->session->tlsext_hostname = NULL; 537 *al = TLS1_AD_UNRECOGNIZED_NAME; 538 return 0; 539 } 540 s->servername_done = 1; 541 542 } else 543 s->servername_done = s->session->tlsext_hostname 544 && strlen(s->session->tlsext_hostname) == len 545 && strncmp(s->session->tlsext_hostname, 546 (char *)sdata, len) == 0; 547 548 break; 549 550 default: 551 break; 552 } 553 554 dsize -= len; 555 } 556 if (dsize != 0) { 557 *al = SSL_AD_DECODE_ERROR; 558 return 0; 559 } 560 561 } else if (type == TLSEXT_TYPE_renegotiate) { 562 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 563 return 0; 564 renegotiate_seen = 1; 565 } else if (type == TLSEXT_TYPE_status_request && 566 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) { 567 568 if (size < 5) { 569 *al = SSL_AD_DECODE_ERROR; 570 return 0; 571 } 572 573 s->tlsext_status_type = *data++; 574 size--; 575 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 576 const unsigned char *sdata; 577 int dsize; 578 /* Read in responder_id_list */ 579 n2s(data, dsize); 580 size -= 2; 581 if (dsize > size) { 582 *al = SSL_AD_DECODE_ERROR; 583 return 0; 584 } 585 586 /* 587 * We remove any OCSP_RESPIDs from a previous handshake 588 * to prevent unbounded memory growth - CVE-2016-6304 589 */ 590 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, 591 OCSP_RESPID_free); 592 if (dsize > 0) { 593 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 594 if (s->tlsext_ocsp_ids == NULL) { 595 *al = SSL_AD_INTERNAL_ERROR; 596 return 0; 597 } 598 } else { 599 s->tlsext_ocsp_ids = NULL; 600 } 601 602 while (dsize > 0) { 603 OCSP_RESPID *id; 604 int idsize; 605 if (dsize < 4) { 606 *al = SSL_AD_DECODE_ERROR; 607 return 0; 608 } 609 n2s(data, idsize); 610 dsize -= 2 + idsize; 611 size -= 2 + idsize; 612 if (dsize < 0) { 613 *al = SSL_AD_DECODE_ERROR; 614 return 0; 615 } 616 sdata = data; 617 data += idsize; 618 id = d2i_OCSP_RESPID(NULL, &sdata, idsize); 619 if (!id) { 620 *al = SSL_AD_DECODE_ERROR; 621 return 0; 622 } 623 if (data != sdata) { 624 OCSP_RESPID_free(id); 625 *al = SSL_AD_DECODE_ERROR; 626 return 0; 627 } 628 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { 629 OCSP_RESPID_free(id); 630 *al = SSL_AD_INTERNAL_ERROR; 631 return 0; 632 } 633 } 634 635 /* Read in request_extensions */ 636 if (size < 2) { 637 *al = SSL_AD_DECODE_ERROR; 638 return 0; 639 } 640 n2s(data, dsize); 641 size -= 2; 642 if (dsize != size) { 643 *al = SSL_AD_DECODE_ERROR; 644 return 0; 645 } 646 sdata = data; 647 if (dsize > 0) { 648 if (s->tlsext_ocsp_exts) { 649 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 650 X509_EXTENSION_free); 651 } 652 653 s->tlsext_ocsp_exts = 654 d2i_X509_EXTENSIONS(NULL, &sdata, dsize); 655 if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) { 656 *al = SSL_AD_DECODE_ERROR; 657 return 0; 658 } 659 } 660 } 661 /* 662 * We don't know what to do with any other type * so ignore it. 663 */ 664 else 665 s->tlsext_status_type = -1; 666 } 667 668 /* session ticket processed earlier */ 669 670 data += size; 671 } 672 *p = data; 673 674 ri_check: 675 676 /* Need RI if renegotiating */ 677 678 if (!renegotiate_seen && s->new_session && 679 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 680 *al = SSL_AD_HANDSHAKE_FAILURE; 681 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 682 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 683 return 0; 684 } 685 686 return 1; 687 688err: 689 *al = SSL_AD_DECODE_ERROR; 690 return 0; 691} 692 693int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 694 int n, int *al) 695{ 696 unsigned short length; 697 unsigned short type; 698 unsigned short size; 699 unsigned char *data = *p; 700 int tlsext_servername = 0; 701 int renegotiate_seen = 0; 702 703 if ((d + n) - data <= 2) 704 goto ri_check; 705 706 n2s(data, length); 707 if ((d + n) - data != length) { 708 *al = SSL_AD_DECODE_ERROR; 709 return 0; 710 } 711 712 while ((d + n) - data >= 4) { 713 n2s(data, type); 714 n2s(data, size); 715 716 if ((d + n) - data < size) 717 goto ri_check; 718 719 if (s->tlsext_debug_cb) 720 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg); 721 722 if (type == TLSEXT_TYPE_server_name) { 723 if (s->tlsext_hostname == NULL || size > 0) { 724 *al = TLS1_AD_UNRECOGNIZED_NAME; 725 return 0; 726 } 727 tlsext_servername = 1; 728 } else if (type == TLSEXT_TYPE_session_ticket) { 729 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 730 || (size > 0)) { 731 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 732 return 0; 733 } 734 s->tlsext_ticket_expected = 1; 735 } else if (type == TLSEXT_TYPE_status_request && 736 s->version != DTLS1_VERSION) { 737 /* 738 * MUST be empty and only sent if we've requested a status 739 * request message. 740 */ 741 if ((s->tlsext_status_type == -1) || (size > 0)) { 742 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 743 return 0; 744 } 745 /* Set flag to expect CertificateStatus message */ 746 s->tlsext_status_expected = 1; 747 } else if (type == TLSEXT_TYPE_renegotiate) { 748 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 749 return 0; 750 renegotiate_seen = 1; 751 } 752 data += size; 753 } 754 755 if (data != d + n) { 756 *al = SSL_AD_DECODE_ERROR; 757 return 0; 758 } 759 760 if (!s->hit && tlsext_servername == 1) { 761 if (s->tlsext_hostname) { 762 if (s->session->tlsext_hostname == NULL) { 763 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 764 if (!s->session->tlsext_hostname) { 765 *al = SSL_AD_UNRECOGNIZED_NAME; 766 return 0; 767 } 768 } else { 769 *al = SSL_AD_DECODE_ERROR; 770 return 0; 771 } 772 } 773 } 774 775 *p = data; 776 777 ri_check: 778 779 /* 780 * Determine if we need to see RI. Strictly speaking if we want to avoid 781 * an attack we should *always* see RI even on initial server hello 782 * because the client doesn't see any renegotiation during an attack. 783 * However this would mean we could not connect to any server which 784 * doesn't support RI so for the immediate future tolerate RI absence on 785 * initial connect only. 786 */ 787 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 788 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 789 *al = SSL_AD_HANDSHAKE_FAILURE; 790 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 791 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 792 return 0; 793 } 794 795 return 1; 796} 797 798int ssl_check_clienthello_tlsext_early(SSL *s) 799{ 800 int ret = SSL_TLSEXT_ERR_NOACK; 801 int al = SSL_AD_UNRECOGNIZED_NAME; 802 803 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 804 ret = 805 s->ctx->tlsext_servername_callback(s, &al, 806 s->ctx->tlsext_servername_arg); 807 else if (s->initial_ctx != NULL 808 && s->initial_ctx->tlsext_servername_callback != 0) 809 ret = 810 s->initial_ctx->tlsext_servername_callback(s, &al, 811 s-> 812 initial_ctx->tlsext_servername_arg); 813 814 switch (ret) { 815 case SSL_TLSEXT_ERR_ALERT_FATAL: 816 ssl3_send_alert(s, SSL3_AL_FATAL, al); 817 return -1; 818 819 case SSL_TLSEXT_ERR_ALERT_WARNING: 820 ssl3_send_alert(s, SSL3_AL_WARNING, al); 821 return 1; 822 823 case SSL_TLSEXT_ERR_NOACK: 824 s->servername_done = 0; 825 826 default: 827 return 1; 828 } 829} 830 831int ssl_check_clienthello_tlsext_late(SSL *s) 832{ 833 int ret = SSL_TLSEXT_ERR_OK; 834 int al; 835 836 /* 837 * If status request then ask callback what to do. Note: this must be 838 * called after servername callbacks in case the certificate has 839 * changed, and must be called after the cipher has been chosen because 840 * this may influence which certificate is sent 841 */ 842 if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb) { 843 int r; 844 CERT_PKEY *certpkey; 845 certpkey = ssl_get_server_send_pkey(s); 846 /* If no certificate can't return certificate status */ 847 if (certpkey == NULL) { 848 s->tlsext_status_expected = 0; 849 return 1; 850 } 851 /* 852 * Set current certificate to one we will use so SSL_get_certificate 853 * et al can pick it up. 854 */ 855 s->cert->key = certpkey; 856 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 857 switch (r) { 858 /* We don't want to send a status request response */ 859 case SSL_TLSEXT_ERR_NOACK: 860 s->tlsext_status_expected = 0; 861 break; 862 /* status request response should be sent */ 863 case SSL_TLSEXT_ERR_OK: 864 if (s->tlsext_ocsp_resp) 865 s->tlsext_status_expected = 1; 866 else 867 s->tlsext_status_expected = 0; 868 break; 869 /* something bad happened */ 870 case SSL_TLSEXT_ERR_ALERT_FATAL: 871 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 872 al = SSL_AD_INTERNAL_ERROR; 873 goto err; 874 } 875 } else 876 s->tlsext_status_expected = 0; 877 878 err: 879 switch (ret) { 880 case SSL_TLSEXT_ERR_ALERT_FATAL: 881 ssl3_send_alert(s, SSL3_AL_FATAL, al); 882 return -1; 883 884 case SSL_TLSEXT_ERR_ALERT_WARNING: 885 ssl3_send_alert(s, SSL3_AL_WARNING, al); 886 return 1; 887 888 default: 889 return 1; 890 } 891} 892 893int ssl_check_serverhello_tlsext(SSL *s) 894{ 895 int ret = SSL_TLSEXT_ERR_NOACK; 896 int al = SSL_AD_UNRECOGNIZED_NAME; 897 898 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 899 ret = 900 s->ctx->tlsext_servername_callback(s, &al, 901 s->ctx->tlsext_servername_arg); 902 else if (s->initial_ctx != NULL 903 && s->initial_ctx->tlsext_servername_callback != 0) 904 ret = 905 s->initial_ctx->tlsext_servername_callback(s, &al, 906 s-> 907 initial_ctx->tlsext_servername_arg); 908 909 /* 910 * If we've requested certificate status and we wont get one tell the 911 * callback 912 */ 913 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 914 && s->ctx->tlsext_status_cb) { 915 int r; 916 /* 917 * Set resp to NULL, resplen to -1 so callback knows there is no 918 * response. 919 */ 920 if (s->tlsext_ocsp_resp) { 921 OPENSSL_free(s->tlsext_ocsp_resp); 922 s->tlsext_ocsp_resp = NULL; 923 } 924 s->tlsext_ocsp_resplen = -1; 925 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 926 if (r == 0) { 927 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 928 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 929 } 930 if (r < 0) { 931 al = SSL_AD_INTERNAL_ERROR; 932 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 933 } 934 } 935 936 switch (ret) { 937 case SSL_TLSEXT_ERR_ALERT_FATAL: 938 ssl3_send_alert(s, SSL3_AL_FATAL, al); 939 return -1; 940 941 case SSL_TLSEXT_ERR_ALERT_WARNING: 942 ssl3_send_alert(s, SSL3_AL_WARNING, al); 943 return 1; 944 945 case SSL_TLSEXT_ERR_NOACK: 946 s->servername_done = 0; 947 default: 948 return 1; 949 } 950} 951 952/* 953 * Since the server cache lookup is done early on in the processing of client 954 * hello and other operations depend on the result we need to handle any TLS 955 * session ticket extension at the same time. 956 */ 957 958int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 959 const unsigned char *limit, SSL_SESSION **ret) 960{ 961 /* Point after session ID in client hello */ 962 const unsigned char *p = session_id + len; 963 unsigned short i; 964 965 /* 966 * If tickets disabled behave as if no ticket present to permit stateful 967 * resumption. 968 */ 969 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 970 return 1; 971 972 if ((s->version <= SSL3_VERSION) || !limit) 973 return 1; 974 if (p >= limit) 975 return -1; 976 /* Skip past DTLS cookie */ 977 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { 978 i = *(p++); 979 980 if (limit - p <= i) 981 return -1; 982 983 p += i; 984 } 985 /* Skip past cipher list */ 986 n2s(p, i); 987 if (limit - p <= i) 988 return -1; 989 p += i; 990 991 /* Skip past compression algorithm list */ 992 i = *(p++); 993 if (limit - p < i) 994 return -1; 995 p += i; 996 997 /* Now at start of extensions */ 998 if (limit - p <= 2) 999 return 1; 1000 n2s(p, i); 1001 while (limit - p >= 4) { 1002 unsigned short type, size; 1003 n2s(p, type); 1004 n2s(p, size); 1005 if (limit - p < size) 1006 return 1; 1007 if (type == TLSEXT_TYPE_session_ticket) { 1008 /* 1009 * If zero length note client will accept a ticket and indicate 1010 * cache miss to trigger full handshake 1011 */ 1012 if (size == 0) { 1013 s->tlsext_ticket_expected = 1; 1014 return 0; /* Cache miss */ 1015 } 1016 return tls_decrypt_ticket(s, p, size, session_id, len, ret); 1017 } 1018 p += size; 1019 } 1020 return 1; 1021} 1022 1023static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, 1024 int eticklen, const unsigned char *sess_id, 1025 int sesslen, SSL_SESSION **psess) 1026{ 1027 SSL_SESSION *sess; 1028 unsigned char *sdec; 1029 const unsigned char *p; 1030 int slen, mlen, renew_ticket = 0; 1031 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 1032 HMAC_CTX hctx; 1033 EVP_CIPHER_CTX ctx; 1034 SSL_CTX *tctx = s->initial_ctx; 1035 1036 /* Initialize session ticket encryption and HMAC contexts */ 1037 HMAC_CTX_init(&hctx); 1038 EVP_CIPHER_CTX_init(&ctx); 1039 if (tctx->tlsext_ticket_key_cb) { 1040 unsigned char *nctick = (unsigned char *)etick; 1041 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 1042 &ctx, &hctx, 0); 1043 if (rv < 0) 1044 return -1; 1045 if (rv == 0) 1046 goto tickerr; 1047 if (rv == 2) 1048 renew_ticket = 1; 1049 } else { 1050 /* Check key name matches */ 1051 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 1052 goto tickerr; 1053 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 1054 tlsext_tick_md(), NULL); 1055 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 1056 tctx->tlsext_tick_aes_key, etick + 16); 1057 } 1058 /* 1059 * Attempt to process session ticket, first conduct sanity and integrity 1060 * checks on ticket. 1061 */ 1062 mlen = HMAC_size(&hctx); 1063 /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 1064 if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) { 1065 HMAC_CTX_cleanup(&hctx); 1066 EVP_CIPHER_CTX_cleanup(&ctx); 1067 return 2; 1068 } 1069 1070 eticklen -= mlen; 1071 /* Check HMAC of encrypted ticket */ 1072 HMAC_Update(&hctx, etick, eticklen); 1073 HMAC_Final(&hctx, tick_hmac, NULL); 1074 HMAC_CTX_cleanup(&hctx); 1075 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 1076 EVP_CIPHER_CTX_cleanup(&ctx); 1077 goto tickerr; 1078 } 1079 /* Attempt to decrypt session data */ 1080 /* Move p after IV to start of encrypted ticket, update length */ 1081 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 1082 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 1083 sdec = OPENSSL_malloc(eticklen); 1084 if (!sdec) { 1085 EVP_CIPHER_CTX_cleanup(&ctx); 1086 return -1; 1087 } 1088 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 1089 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) { 1090 EVP_CIPHER_CTX_cleanup(&ctx); 1091 OPENSSL_free(sdec); 1092 goto tickerr; 1093 } 1094 slen += mlen; 1095 EVP_CIPHER_CTX_cleanup(&ctx); 1096 p = sdec; 1097 1098 sess = d2i_SSL_SESSION(NULL, &p, slen); 1099 OPENSSL_free(sdec); 1100 if (sess) { 1101 /* 1102 * The session ID if non-empty is used by some clients to detect that 1103 * the ticket has been accepted. So we copy it to the session 1104 * structure. If it is empty set length to zero as required by 1105 * standard. 1106 */ 1107 if (sesslen) 1108 memcpy(sess->session_id, sess_id, sesslen); 1109 sess->session_id_length = sesslen; 1110 *psess = sess; 1111 s->tlsext_ticket_expected = renew_ticket; 1112 return 1; 1113 } 1114 /* 1115 * If session decrypt failure indicate a cache miss and set state to send 1116 * a new ticket 1117 */ 1118 tickerr: 1119 s->tlsext_ticket_expected = 1; 1120 return 0; 1121} 1122 1123#endif 1124