1/* ssl/t1_lib.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59#include <stdio.h> 60#include <openssl/objects.h> 61#include <openssl/evp.h> 62#include <openssl/hmac.h> 63#include <openssl/ocsp.h> 64#include "ssl_locl.h" 65 66const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 67 68#ifndef OPENSSL_NO_TLSEXT 69static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 70 const unsigned char *sess_id, int sesslen, 71 SSL_SESSION **psess); 72#endif 73 74SSL3_ENC_METHOD TLSv1_enc_data={ 75 tls1_enc, 76 tls1_mac, 77 tls1_setup_key_block, 78 tls1_generate_master_secret, 79 tls1_change_cipher_state, 80 tls1_final_finish_mac, 81 TLS1_FINISH_MAC_LENGTH, 82 tls1_cert_verify_mac, 83 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 84 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 85 tls1_alert_code, 86 }; 87 88long tls1_default_timeout(void) 89 { 90 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 91 * is way too long for http, the cache would over fill */ 92 return(60*60*2); 93 } 94 95IMPLEMENT_tls1_meth_func(tlsv1_base_method, 96 ssl_undefined_function, 97 ssl_undefined_function, 98 ssl_bad_method) 99 100int tls1_new(SSL *s) 101 { 102 if (!ssl3_new(s)) return(0); 103 s->method->ssl_clear(s); 104 return(1); 105 } 106 107void tls1_free(SSL *s) 108 { 109 ssl3_free(s); 110 } 111 112void tls1_clear(SSL *s) 113 { 114 ssl3_clear(s); 115 s->version=TLS1_VERSION; 116 } 117 118#if 0 119long tls1_ctrl(SSL *s, int cmd, long larg, char *parg) 120 { 121 return(0); 122 } 123 124long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp)()) 125 { 126 return(0); 127 } 128#endif 129 130#ifndef OPENSSL_NO_TLSEXT 131unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 132 { 133 int extdatalen=0; 134 unsigned char *ret = p; 135 136 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 137 if (s->client_version == SSL3_VERSION 138 && !s->s3->send_connection_binding) 139 return p; 140 141 ret+=2; 142 143 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 144 145 if (s->tlsext_hostname != NULL) 146 { 147 /* Add TLS extension servername to the Client Hello message */ 148 unsigned long size_str; 149 long lenmax; 150 151 /* check for enough space. 152 4 for the servername type and entension length 153 2 for servernamelist length 154 1 for the hostname type 155 2 for hostname length 156 + hostname length 157 */ 158 159 if ((lenmax = limit - ret - 9) < 0 160 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 161 return NULL; 162 163 /* extension type and length */ 164 s2n(TLSEXT_TYPE_server_name,ret); 165 s2n(size_str+5,ret); 166 167 /* length of servername list */ 168 s2n(size_str+3,ret); 169 170 /* hostname type, length and hostname */ 171 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 172 s2n(size_str,ret); 173 memcpy(ret, s->tlsext_hostname, size_str); 174 ret+=size_str; 175 176 } 177 178 /* Add RI if renegotiating */ 179 if (s->new_session) 180 { 181 int el; 182 183 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 184 { 185 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 186 return NULL; 187 } 188 189 if((limit - p - 4 - el) < 0) return NULL; 190 191 s2n(TLSEXT_TYPE_renegotiate,ret); 192 s2n(el,ret); 193 194 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) 195 { 196 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 197 return NULL; 198 } 199 200 ret += el; 201 } 202 203 204 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 205 { 206 int ticklen; 207 if (!s->new_session && s->session && s->session->tlsext_tick) 208 ticklen = s->session->tlsext_ticklen; 209 else 210 ticklen = 0; 211 /* Check for enough room 2 for extension type, 2 for len 212 * rest for ticket 213 */ 214 if (limit - ret - 4 - ticklen < 0) 215 return NULL; 216 s2n(TLSEXT_TYPE_session_ticket,ret); 217 s2n(ticklen,ret); 218 if (ticklen) 219 { 220 memcpy(ret, s->session->tlsext_tick, ticklen); 221 ret += ticklen; 222 } 223 } 224 225 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 226 s->version != DTLS1_VERSION) 227 { 228 int i; 229 long extlen, idlen, itmp; 230 OCSP_RESPID *id; 231 232 idlen = 0; 233 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 234 { 235 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 236 itmp = i2d_OCSP_RESPID(id, NULL); 237 if (itmp <= 0) 238 return NULL; 239 idlen += itmp + 2; 240 } 241 242 if (s->tlsext_ocsp_exts) 243 { 244 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 245 if (extlen < 0) 246 return NULL; 247 } 248 else 249 extlen = 0; 250 251 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 252 s2n(TLSEXT_TYPE_status_request, ret); 253 if (extlen + idlen > 0xFFF0) 254 return NULL; 255 s2n(extlen + idlen + 5, ret); 256 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 257 s2n(idlen, ret); 258 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 259 { 260 /* save position of id len */ 261 unsigned char *q = ret; 262 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 263 /* skip over id len */ 264 ret += 2; 265 itmp = i2d_OCSP_RESPID(id, &ret); 266 /* write id len */ 267 s2n(itmp, q); 268 } 269 s2n(extlen, ret); 270 if (extlen > 0) 271 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 272 } 273 274 if ((extdatalen = ret-p-2)== 0) 275 return p; 276 277 s2n(extdatalen,p); 278 return ret; 279 } 280 281unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 282 { 283 int extdatalen=0; 284 unsigned char *ret = p; 285 286 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 287 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 288 return p; 289 290 ret+=2; 291 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 292 293 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) 294 { 295 if (limit - ret - 4 < 0) return NULL; 296 297 s2n(TLSEXT_TYPE_server_name,ret); 298 s2n(0,ret); 299 } 300 301 if(s->s3->send_connection_binding) 302 { 303 int el; 304 305 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) 306 { 307 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 308 return NULL; 309 } 310 311 if((limit - p - 4 - el) < 0) return NULL; 312 313 s2n(TLSEXT_TYPE_renegotiate,ret); 314 s2n(el,ret); 315 316 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) 317 { 318 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 319 return NULL; 320 } 321 322 ret += el; 323 } 324 325 if (s->tlsext_ticket_expected 326 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 327 { 328 if (limit - ret - 4 < 0) return NULL; 329 s2n(TLSEXT_TYPE_session_ticket,ret); 330 s2n(0,ret); 331 } 332 333 if (s->tlsext_status_expected) 334 { 335 if ((long)(limit - ret - 4) < 0) return NULL; 336 s2n(TLSEXT_TYPE_status_request,ret); 337 s2n(0,ret); 338 } 339 340 if ((extdatalen = ret-p-2)== 0) 341 return p; 342 343 s2n(extdatalen,p); 344 return ret; 345 } 346 347#ifndef OPENSSL_NO_EC 348/* ssl_check_for_safari attempts to fingerprint Safari using OS X 349 * SecureTransport using the TLS extension block in |d|, of length |n|. 350 * Safari, since 10.6, sends exactly these extensions, in this order: 351 * SNI, 352 * elliptic_curves 353 * ec_point_formats 354 * 355 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, 356 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. 357 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 358 * 10.8..10.8.3 (which don't work). 359 */ 360static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { 361 unsigned short type, size; 362 static const unsigned char kSafariExtensionsBlock[] = { 363 0x00, 0x0a, /* elliptic_curves extension */ 364 0x00, 0x08, /* 8 bytes */ 365 0x00, 0x06, /* 6 bytes of curve ids */ 366 0x00, 0x17, /* P-256 */ 367 0x00, 0x18, /* P-384 */ 368 0x00, 0x19, /* P-521 */ 369 370 0x00, 0x0b, /* ec_point_formats */ 371 0x00, 0x02, /* 2 bytes */ 372 0x01, /* 1 point format */ 373 0x00, /* uncompressed */ 374 }; 375 376 /* The following is only present in TLS 1.2 */ 377 static const unsigned char kSafariTLS12ExtensionsBlock[] = { 378 0x00, 0x0d, /* signature_algorithms */ 379 0x00, 0x0c, /* 12 bytes */ 380 0x00, 0x0a, /* 10 bytes */ 381 0x05, 0x01, /* SHA-384/RSA */ 382 0x04, 0x01, /* SHA-256/RSA */ 383 0x02, 0x01, /* SHA-1/RSA */ 384 0x04, 0x03, /* SHA-256/ECDSA */ 385 0x02, 0x03, /* SHA-1/ECDSA */ 386 }; 387 388 if (data >= (d+n-2)) 389 return; 390 data += 2; 391 392 if (data > (d+n-4)) 393 return; 394 n2s(data,type); 395 n2s(data,size); 396 397 if (type != TLSEXT_TYPE_server_name) 398 return; 399 400 if (data+size > d+n) 401 return; 402 data += size; 403 404 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 405 { 406 const size_t len1 = sizeof(kSafariExtensionsBlock); 407 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 408 409 if (data + len1 + len2 != d+n) 410 return; 411 if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 412 return; 413 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 414 return; 415 } 416 else 417 { 418 const size_t len = sizeof(kSafariExtensionsBlock); 419 420 if (data + len != d+n) 421 return; 422 if (memcmp(data, kSafariExtensionsBlock, len) != 0) 423 return; 424 } 425 426 s->s3->is_probably_safari = 1; 427} 428#endif /* !OPENSSL_NO_EC */ 429 430int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 431 { 432 unsigned short type; 433 unsigned short size; 434 unsigned short len; 435 unsigned char *data = *p; 436 int renegotiate_seen = 0; 437 438 s->servername_done = 0; 439 s->tlsext_status_type = -1; 440 441#ifndef OPENSSL_NO_EC 442 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 443 ssl_check_for_safari(s, data, d, n); 444#endif /* !OPENSSL_NO_EC */ 445 446 if (data >= (d+n-2)) 447 goto ri_check; 448 449 n2s(data,len); 450 451 if (data > (d+n-len)) 452 goto ri_check; 453 454 while (data <= (d+n-4)) 455 { 456 n2s(data,type); 457 n2s(data,size); 458 459 if (data+size > (d+n)) 460 goto ri_check; 461 462 if (s->tlsext_debug_cb) 463 s->tlsext_debug_cb(s, 0, type, data, size, 464 s->tlsext_debug_arg); 465/* The servername extension is treated as follows: 466 467 - Only the hostname type is supported with a maximum length of 255. 468 - The servername is rejected if too long or if it contains zeros, 469 in which case an fatal alert is generated. 470 - The servername field is maintained together with the session cache. 471 - When a session is resumed, the servername call back invoked in order 472 to allow the application to position itself to the right context. 473 - The servername is acknowledged if it is new for a session or when 474 it is identical to a previously used for the same session. 475 Applications can control the behaviour. They can at any time 476 set a 'desirable' servername for a new SSL object. This can be the 477 case for example with HTTPS when a Host: header field is received and 478 a renegotiation is requested. In this case, a possible servername 479 presented in the new client hello is only acknowledged if it matches 480 the value of the Host: field. 481 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 482 if they provide for changing an explicit servername context for the session, 483 i.e. when the session has been established with a servername extension. 484 - On session reconnect, the servername extension may be absent. 485 486*/ 487 488 if (type == TLSEXT_TYPE_server_name) 489 { 490 unsigned char *sdata; 491 int servname_type; 492 int dsize; 493 494 if (size < 2) 495 { 496 *al = SSL_AD_DECODE_ERROR; 497 return 0; 498 } 499 n2s(data,dsize); 500 size -= 2; 501 if (dsize > size ) 502 { 503 *al = SSL_AD_DECODE_ERROR; 504 return 0; 505 } 506 507 sdata = data; 508 while (dsize > 3) 509 { 510 servname_type = *(sdata++); 511 n2s(sdata,len); 512 dsize -= 3; 513 514 if (len > dsize) 515 { 516 *al = SSL_AD_DECODE_ERROR; 517 return 0; 518 } 519 if (s->servername_done == 0) 520 switch (servname_type) 521 { 522 case TLSEXT_NAMETYPE_host_name: 523 if (!s->hit) 524 { 525 if(s->session->tlsext_hostname) 526 { 527 *al = SSL_AD_DECODE_ERROR; 528 return 0; 529 } 530 if (len > TLSEXT_MAXLEN_host_name) 531 { 532 *al = TLS1_AD_UNRECOGNIZED_NAME; 533 return 0; 534 } 535 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) 536 { 537 *al = TLS1_AD_INTERNAL_ERROR; 538 return 0; 539 } 540 memcpy(s->session->tlsext_hostname, sdata, len); 541 s->session->tlsext_hostname[len]='\0'; 542 if (strlen(s->session->tlsext_hostname) != len) { 543 OPENSSL_free(s->session->tlsext_hostname); 544 s->session->tlsext_hostname = NULL; 545 *al = TLS1_AD_UNRECOGNIZED_NAME; 546 return 0; 547 } 548 s->servername_done = 1; 549 550 } 551 else 552 s->servername_done = s->session->tlsext_hostname 553 && strlen(s->session->tlsext_hostname) == len 554 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 555 556 break; 557 558 default: 559 break; 560 } 561 562 dsize -= len; 563 } 564 if (dsize != 0) 565 { 566 *al = SSL_AD_DECODE_ERROR; 567 return 0; 568 } 569 570 } 571 else if (type == TLSEXT_TYPE_renegotiate) 572 { 573 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 574 return 0; 575 renegotiate_seen = 1; 576 } 577 else if (type == TLSEXT_TYPE_status_request && 578 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) 579 { 580 581 if (size < 5) 582 { 583 *al = SSL_AD_DECODE_ERROR; 584 return 0; 585 } 586 587 s->tlsext_status_type = *data++; 588 size--; 589 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 590 { 591 const unsigned char *sdata; 592 int dsize; 593 /* Read in responder_id_list */ 594 n2s(data,dsize); 595 size -= 2; 596 if (dsize > size ) 597 { 598 *al = SSL_AD_DECODE_ERROR; 599 return 0; 600 } 601 while (dsize > 0) 602 { 603 OCSP_RESPID *id; 604 int idsize; 605 if (dsize < 4) 606 { 607 *al = SSL_AD_DECODE_ERROR; 608 return 0; 609 } 610 n2s(data, idsize); 611 dsize -= 2 + idsize; 612 size -= 2 + idsize; 613 if (dsize < 0) 614 { 615 *al = SSL_AD_DECODE_ERROR; 616 return 0; 617 } 618 sdata = data; 619 data += idsize; 620 id = d2i_OCSP_RESPID(NULL, 621 &sdata, idsize); 622 if (!id) 623 { 624 *al = SSL_AD_DECODE_ERROR; 625 return 0; 626 } 627 if (data != sdata) 628 { 629 OCSP_RESPID_free(id); 630 *al = SSL_AD_DECODE_ERROR; 631 return 0; 632 } 633 if (!s->tlsext_ocsp_ids 634 && !(s->tlsext_ocsp_ids = 635 sk_OCSP_RESPID_new_null())) 636 { 637 OCSP_RESPID_free(id); 638 *al = SSL_AD_INTERNAL_ERROR; 639 return 0; 640 } 641 if (!sk_OCSP_RESPID_push( 642 s->tlsext_ocsp_ids, id)) 643 { 644 OCSP_RESPID_free(id); 645 *al = SSL_AD_INTERNAL_ERROR; 646 return 0; 647 } 648 } 649 650 /* Read in request_extensions */ 651 if (size < 2) 652 { 653 *al = SSL_AD_DECODE_ERROR; 654 return 0; 655 } 656 n2s(data,dsize); 657 size -= 2; 658 if (dsize != size) 659 { 660 *al = SSL_AD_DECODE_ERROR; 661 return 0; 662 } 663 sdata = data; 664 if (dsize > 0) 665 { 666 if (s->tlsext_ocsp_exts) 667 { 668 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 669 X509_EXTENSION_free); 670 } 671 672 s->tlsext_ocsp_exts = 673 d2i_X509_EXTENSIONS(NULL, 674 &sdata, dsize); 675 if (!s->tlsext_ocsp_exts 676 || (data + dsize != sdata)) 677 { 678 *al = SSL_AD_DECODE_ERROR; 679 return 0; 680 } 681 } 682 } 683 /* We don't know what to do with any other type 684 * so ignore it. 685 */ 686 else 687 s->tlsext_status_type = -1; 688 } 689 690 /* session ticket processed earlier */ 691 692 data+=size; 693 } 694 *p = data; 695 696 ri_check: 697 698 /* Need RI if renegotiating */ 699 700 if (!renegotiate_seen && s->new_session && 701 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 702 { 703 *al = SSL_AD_HANDSHAKE_FAILURE; 704 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 705 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 706 return 0; 707 } 708 709 return 1; 710 } 711 712int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 713 { 714 unsigned short length; 715 unsigned short type; 716 unsigned short size; 717 unsigned char *data = *p; 718 int tlsext_servername = 0; 719 int renegotiate_seen = 0; 720 721 if (data >= (d+n-2)) 722 goto ri_check; 723 724 n2s(data,length); 725 if (data+length != d+n) 726 { 727 *al = SSL_AD_DECODE_ERROR; 728 return 0; 729 } 730 731 while(data <= (d+n-4)) 732 { 733 n2s(data,type); 734 n2s(data,size); 735 736 if (data+size > (d+n)) 737 goto ri_check; 738 739 if (s->tlsext_debug_cb) 740 s->tlsext_debug_cb(s, 1, type, data, size, 741 s->tlsext_debug_arg); 742 743 if (type == TLSEXT_TYPE_server_name) 744 { 745 if (s->tlsext_hostname == NULL || size > 0) 746 { 747 *al = TLS1_AD_UNRECOGNIZED_NAME; 748 return 0; 749 } 750 tlsext_servername = 1; 751 } 752 else if (type == TLSEXT_TYPE_session_ticket) 753 { 754 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 755 || (size > 0)) 756 { 757 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 758 return 0; 759 } 760 s->tlsext_ticket_expected = 1; 761 } 762 else if (type == TLSEXT_TYPE_status_request && 763 s->version != DTLS1_VERSION) 764 { 765 /* MUST be empty and only sent if we've requested 766 * a status request message. 767 */ 768 if ((s->tlsext_status_type == -1) || (size > 0)) 769 { 770 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 771 return 0; 772 } 773 /* Set flag to expect CertificateStatus message */ 774 s->tlsext_status_expected = 1; 775 } 776 else if (type == TLSEXT_TYPE_renegotiate) 777 { 778 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 779 return 0; 780 renegotiate_seen = 1; 781 } 782 data+=size; 783 } 784 785 if (data != d+n) 786 { 787 *al = SSL_AD_DECODE_ERROR; 788 return 0; 789 } 790 791 if (!s->hit && tlsext_servername == 1) 792 { 793 if (s->tlsext_hostname) 794 { 795 if (s->session->tlsext_hostname == NULL) 796 { 797 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 798 if (!s->session->tlsext_hostname) 799 { 800 *al = SSL_AD_UNRECOGNIZED_NAME; 801 return 0; 802 } 803 } 804 else 805 { 806 *al = SSL_AD_DECODE_ERROR; 807 return 0; 808 } 809 } 810 } 811 812 *p = data; 813 814 ri_check: 815 816 /* Determine if we need to see RI. Strictly speaking if we want to 817 * avoid an attack we should *always* see RI even on initial server 818 * hello because the client doesn't see any renegotiation during an 819 * attack. However this would mean we could not connect to any server 820 * which doesn't support RI so for the immediate future tolerate RI 821 * absence on initial connect only. 822 */ 823 if (!renegotiate_seen 824 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 825 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 826 { 827 *al = SSL_AD_HANDSHAKE_FAILURE; 828 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 829 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 830 return 0; 831 } 832 833 return 1; 834 } 835 836int ssl_check_clienthello_tlsext_early(SSL *s) 837 { 838 int ret=SSL_TLSEXT_ERR_NOACK; 839 int al = SSL_AD_UNRECOGNIZED_NAME; 840 841 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 842 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 843 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 844 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 845 846 switch (ret) 847 { 848 case SSL_TLSEXT_ERR_ALERT_FATAL: 849 ssl3_send_alert(s, SSL3_AL_FATAL, al); 850 return -1; 851 852 case SSL_TLSEXT_ERR_ALERT_WARNING: 853 ssl3_send_alert(s, SSL3_AL_WARNING, al); 854 return 1; 855 856 case SSL_TLSEXT_ERR_NOACK: 857 s->servername_done = 0; 858 859 default: 860 return 1; 861 } 862 } 863 864int ssl_check_clienthello_tlsext_late(SSL *s) 865 { 866 int ret = SSL_TLSEXT_ERR_OK; 867 int al; 868 869 /* If status request then ask callback what to do. 870 * Note: this must be called after servername callbacks in case 871 * the certificate has changed, and must be called after the cipher 872 * has been chosen because this may influence which certificate is sent 873 */ 874 if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb) 875 { 876 int r; 877 CERT_PKEY *certpkey; 878 certpkey = ssl_get_server_send_pkey(s); 879 /* If no certificate can't return certificate status */ 880 if (certpkey == NULL) 881 { 882 s->tlsext_status_expected = 0; 883 return 1; 884 } 885 /* Set current certificate to one we will use so 886 * SSL_get_certificate et al can pick it up. 887 */ 888 s->cert->key = certpkey; 889 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 890 switch (r) 891 { 892 /* We don't want to send a status request response */ 893 case SSL_TLSEXT_ERR_NOACK: 894 s->tlsext_status_expected = 0; 895 break; 896 /* status request response should be sent */ 897 case SSL_TLSEXT_ERR_OK: 898 if (s->tlsext_ocsp_resp) 899 s->tlsext_status_expected = 1; 900 else 901 s->tlsext_status_expected = 0; 902 break; 903 /* something bad happened */ 904 case SSL_TLSEXT_ERR_ALERT_FATAL: 905 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 906 al = SSL_AD_INTERNAL_ERROR; 907 goto err; 908 } 909 } 910 else 911 s->tlsext_status_expected = 0; 912 913 err: 914 switch (ret) 915 { 916 case SSL_TLSEXT_ERR_ALERT_FATAL: 917 ssl3_send_alert(s,SSL3_AL_FATAL,al); 918 return -1; 919 920 case SSL_TLSEXT_ERR_ALERT_WARNING: 921 ssl3_send_alert(s,SSL3_AL_WARNING,al); 922 return 1; 923 924 default: 925 return 1; 926 } 927 } 928 929int ssl_check_serverhello_tlsext(SSL *s) 930 { 931 int ret=SSL_TLSEXT_ERR_NOACK; 932 int al = SSL_AD_UNRECOGNIZED_NAME; 933 934 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 935 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 936 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 937 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 938 939 /* If we've requested certificate status and we wont get one 940 * tell the callback 941 */ 942 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 943 && s->ctx->tlsext_status_cb) 944 { 945 int r; 946 /* Set resp to NULL, resplen to -1 so callback knows 947 * there is no response. 948 */ 949 if (s->tlsext_ocsp_resp) 950 { 951 OPENSSL_free(s->tlsext_ocsp_resp); 952 s->tlsext_ocsp_resp = NULL; 953 } 954 s->tlsext_ocsp_resplen = -1; 955 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 956 if (r == 0) 957 { 958 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 959 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 960 } 961 if (r < 0) 962 { 963 al = SSL_AD_INTERNAL_ERROR; 964 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 965 } 966 } 967 968 switch (ret) 969 { 970 case SSL_TLSEXT_ERR_ALERT_FATAL: 971 ssl3_send_alert(s,SSL3_AL_FATAL,al); 972 return -1; 973 974 case SSL_TLSEXT_ERR_ALERT_WARNING: 975 ssl3_send_alert(s,SSL3_AL_WARNING,al); 976 return 1; 977 978 case SSL_TLSEXT_ERR_NOACK: 979 s->servername_done=0; 980 default: 981 return 1; 982 } 983 } 984 985/* Since the server cache lookup is done early on in the processing of client 986 * hello and other operations depend on the result we need to handle any TLS 987 * session ticket extension at the same time. 988 */ 989 990int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 991 const unsigned char *limit, SSL_SESSION **ret) 992 { 993 /* Point after session ID in client hello */ 994 const unsigned char *p = session_id + len; 995 unsigned short i; 996 997 /* If tickets disabled behave as if no ticket present 998 * to permit stateful resumption. 999 */ 1000 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 1001 return 1; 1002 1003 if ((s->version <= SSL3_VERSION) || !limit) 1004 return 1; 1005 if (p >= limit) 1006 return -1; 1007 /* Skip past DTLS cookie */ 1008 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 1009 { 1010 i = *(p++); 1011 p+= i; 1012 if (p >= limit) 1013 return -1; 1014 } 1015 /* Skip past cipher list */ 1016 n2s(p, i); 1017 p+= i; 1018 if (p >= limit) 1019 return -1; 1020 /* Skip past compression algorithm list */ 1021 i = *(p++); 1022 p += i; 1023 if (p > limit) 1024 return -1; 1025 /* Now at start of extensions */ 1026 if ((p + 2) >= limit) 1027 return 1; 1028 n2s(p, i); 1029 while ((p + 4) <= limit) 1030 { 1031 unsigned short type, size; 1032 n2s(p, type); 1033 n2s(p, size); 1034 if (p + size > limit) 1035 return 1; 1036 if (type == TLSEXT_TYPE_session_ticket) 1037 { 1038 /* If zero length note client will accept a ticket 1039 * and indicate cache miss to trigger full handshake 1040 */ 1041 if (size == 0) 1042 { 1043 s->tlsext_ticket_expected = 1; 1044 return 0; /* Cache miss */ 1045 } 1046 return tls_decrypt_ticket(s, p, size, session_id, len, 1047 ret); 1048 } 1049 p += size; 1050 } 1051 return 1; 1052 } 1053 1054static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 1055 const unsigned char *sess_id, int sesslen, 1056 SSL_SESSION **psess) 1057 { 1058 SSL_SESSION *sess; 1059 unsigned char *sdec; 1060 const unsigned char *p; 1061 int slen, mlen, renew_ticket = 0; 1062 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 1063 HMAC_CTX hctx; 1064 EVP_CIPHER_CTX ctx; 1065 SSL_CTX *tctx = s->initial_ctx; 1066 /* Need at least keyname + iv + some encrypted data */ 1067 if (eticklen < 48) 1068 goto tickerr; 1069 /* Initialize session ticket encryption and HMAC contexts */ 1070 HMAC_CTX_init(&hctx); 1071 EVP_CIPHER_CTX_init(&ctx); 1072 if (tctx->tlsext_ticket_key_cb) 1073 { 1074 unsigned char *nctick = (unsigned char *)etick; 1075 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 1076 &ctx, &hctx, 0); 1077 if (rv < 0) 1078 return -1; 1079 if (rv == 0) 1080 goto tickerr; 1081 if (rv == 2) 1082 renew_ticket = 1; 1083 } 1084 else 1085 { 1086 /* Check key name matches */ 1087 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 1088 goto tickerr; 1089 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 1090 tlsext_tick_md(), NULL); 1091 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 1092 tctx->tlsext_tick_aes_key, etick + 16); 1093 } 1094 /* Attempt to process session ticket, first conduct sanity and 1095 * integrity checks on ticket. 1096 */ 1097 mlen = HMAC_size(&hctx); 1098 eticklen -= mlen; 1099 /* Check HMAC of encrypted ticket */ 1100 HMAC_Update(&hctx, etick, eticklen); 1101 HMAC_Final(&hctx, tick_hmac, NULL); 1102 HMAC_CTX_cleanup(&hctx); 1103 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) 1104 goto tickerr; 1105 /* Attempt to decrypt session data */ 1106 /* Move p after IV to start of encrypted ticket, update length */ 1107 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 1108 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 1109 sdec = OPENSSL_malloc(eticklen); 1110 if (!sdec) 1111 { 1112 EVP_CIPHER_CTX_cleanup(&ctx); 1113 return -1; 1114 } 1115 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 1116 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 1117 goto tickerr; 1118 slen += mlen; 1119 EVP_CIPHER_CTX_cleanup(&ctx); 1120 p = sdec; 1121 1122 sess = d2i_SSL_SESSION(NULL, &p, slen); 1123 OPENSSL_free(sdec); 1124 if (sess) 1125 { 1126 /* The session ID if non-empty is used by some clients to 1127 * detect that the ticket has been accepted. So we copy it to 1128 * the session structure. If it is empty set length to zero 1129 * as required by standard. 1130 */ 1131 if (sesslen) 1132 memcpy(sess->session_id, sess_id, sesslen); 1133 sess->session_id_length = sesslen; 1134 *psess = sess; 1135 s->tlsext_ticket_expected = renew_ticket; 1136 return 1; 1137 } 1138 /* If session decrypt failure indicate a cache miss and set state to 1139 * send a new ticket 1140 */ 1141 tickerr: 1142 s->tlsext_ticket_expected = 1; 1143 return 0; 1144 } 1145 1146#endif 1147