1 /* $OpenBSD: t1_lib.c,v 1.168 2020/07/07 19:31:11 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 114 #include <openssl/evp.h> 115 #include <openssl/hmac.h> 116 #include <openssl/objects.h> 117 #include <openssl/ocsp.h> 118 119 #include "ssl_locl.h" 120 121 #include "bytestring.h" 122 #include "ssl_sigalgs.h" 123 #include "ssl_tlsext.h" 124 125 static int tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, 126 SSL_SESSION **psess); 127 128 SSL3_ENC_METHOD TLSv1_enc_data = { 129 .enc_flags = 0, 130 }; 131 132 SSL3_ENC_METHOD TLSv1_1_enc_data = { 133 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, 134 }; 135 136 SSL3_ENC_METHOD TLSv1_2_enc_data = { 137 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| 138 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, 139 }; 140 141 int 142 tls1_new(SSL *s) 143 { 144 if (!ssl3_new(s)) 145 return (0); 146 s->method->internal->ssl_clear(s); 147 return (1); 148 } 149 150 void 151 tls1_free(SSL *s) 152 { 153 if (s == NULL) 154 return; 155 156 free(s->internal->tlsext_session_ticket); 157 ssl3_free(s); 158 } 159 160 void 161 tls1_clear(SSL *s) 162 { 163 ssl3_clear(s); 164 s->version = s->method->internal->version; 165 } 166 167 static int nid_list[] = { 168 NID_sect163k1, /* sect163k1 (1) */ 169 NID_sect163r1, /* sect163r1 (2) */ 170 NID_sect163r2, /* sect163r2 (3) */ 171 NID_sect193r1, /* sect193r1 (4) */ 172 NID_sect193r2, /* sect193r2 (5) */ 173 NID_sect233k1, /* sect233k1 (6) */ 174 NID_sect233r1, /* sect233r1 (7) */ 175 NID_sect239k1, /* sect239k1 (8) */ 176 NID_sect283k1, /* sect283k1 (9) */ 177 NID_sect283r1, /* sect283r1 (10) */ 178 NID_sect409k1, /* sect409k1 (11) */ 179 NID_sect409r1, /* sect409r1 (12) */ 180 NID_sect571k1, /* sect571k1 (13) */ 181 NID_sect571r1, /* sect571r1 (14) */ 182 NID_secp160k1, /* secp160k1 (15) */ 183 NID_secp160r1, /* secp160r1 (16) */ 184 NID_secp160r2, /* secp160r2 (17) */ 185 NID_secp192k1, /* secp192k1 (18) */ 186 NID_X9_62_prime192v1, /* secp192r1 (19) */ 187 NID_secp224k1, /* secp224k1 (20) */ 188 NID_secp224r1, /* secp224r1 (21) */ 189 NID_secp256k1, /* secp256k1 (22) */ 190 NID_X9_62_prime256v1, /* secp256r1 (23) */ 191 NID_secp384r1, /* secp384r1 (24) */ 192 NID_secp521r1, /* secp521r1 (25) */ 193 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ 194 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ 195 NID_brainpoolP512r1, /* brainpoolP512r1 (28) */ 196 NID_X25519, /* X25519 (29) */ 197 }; 198 199 #if 0 200 static const uint8_t ecformats_list[] = { 201 TLSEXT_ECPOINTFORMAT_uncompressed, 202 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, 203 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 204 }; 205 #endif 206 207 static const uint8_t ecformats_default[] = { 208 TLSEXT_ECPOINTFORMAT_uncompressed, 209 }; 210 211 #if 0 212 static const uint16_t eccurves_list[] = { 213 29, /* X25519 (29) */ 214 14, /* sect571r1 (14) */ 215 13, /* sect571k1 (13) */ 216 25, /* secp521r1 (25) */ 217 28, /* brainpoolP512r1 (28) */ 218 11, /* sect409k1 (11) */ 219 12, /* sect409r1 (12) */ 220 27, /* brainpoolP384r1 (27) */ 221 24, /* secp384r1 (24) */ 222 9, /* sect283k1 (9) */ 223 10, /* sect283r1 (10) */ 224 26, /* brainpoolP256r1 (26) */ 225 22, /* secp256k1 (22) */ 226 23, /* secp256r1 (23) */ 227 8, /* sect239k1 (8) */ 228 6, /* sect233k1 (6) */ 229 7, /* sect233r1 (7) */ 230 20, /* secp224k1 (20) */ 231 21, /* secp224r1 (21) */ 232 4, /* sect193r1 (4) */ 233 5, /* sect193r2 (5) */ 234 18, /* secp192k1 (18) */ 235 19, /* secp192r1 (19) */ 236 1, /* sect163k1 (1) */ 237 2, /* sect163r1 (2) */ 238 3, /* sect163r2 (3) */ 239 15, /* secp160k1 (15) */ 240 16, /* secp160r1 (16) */ 241 17, /* secp160r2 (17) */ 242 }; 243 #endif 244 245 static const uint16_t eccurves_default[] = { 246 29, /* X25519 (29) */ 247 23, /* secp256r1 (23) */ 248 24, /* secp384r1 (24) */ 249 }; 250 251 int 252 tls1_ec_curve_id2nid(const uint16_t curve_id) 253 { 254 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 255 if ((curve_id < 1) || 256 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) 257 return 0; 258 return nid_list[curve_id - 1]; 259 } 260 261 uint16_t 262 tls1_ec_nid2curve_id(const int nid) 263 { 264 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 265 switch (nid) { 266 case NID_sect163k1: /* sect163k1 (1) */ 267 return 1; 268 case NID_sect163r1: /* sect163r1 (2) */ 269 return 2; 270 case NID_sect163r2: /* sect163r2 (3) */ 271 return 3; 272 case NID_sect193r1: /* sect193r1 (4) */ 273 return 4; 274 case NID_sect193r2: /* sect193r2 (5) */ 275 return 5; 276 case NID_sect233k1: /* sect233k1 (6) */ 277 return 6; 278 case NID_sect233r1: /* sect233r1 (7) */ 279 return 7; 280 case NID_sect239k1: /* sect239k1 (8) */ 281 return 8; 282 case NID_sect283k1: /* sect283k1 (9) */ 283 return 9; 284 case NID_sect283r1: /* sect283r1 (10) */ 285 return 10; 286 case NID_sect409k1: /* sect409k1 (11) */ 287 return 11; 288 case NID_sect409r1: /* sect409r1 (12) */ 289 return 12; 290 case NID_sect571k1: /* sect571k1 (13) */ 291 return 13; 292 case NID_sect571r1: /* sect571r1 (14) */ 293 return 14; 294 case NID_secp160k1: /* secp160k1 (15) */ 295 return 15; 296 case NID_secp160r1: /* secp160r1 (16) */ 297 return 16; 298 case NID_secp160r2: /* secp160r2 (17) */ 299 return 17; 300 case NID_secp192k1: /* secp192k1 (18) */ 301 return 18; 302 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 303 return 19; 304 case NID_secp224k1: /* secp224k1 (20) */ 305 return 20; 306 case NID_secp224r1: /* secp224r1 (21) */ 307 return 21; 308 case NID_secp256k1: /* secp256k1 (22) */ 309 return 22; 310 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 311 return 23; 312 case NID_secp384r1: /* secp384r1 (24) */ 313 return 24; 314 case NID_secp521r1: /* secp521r1 (25) */ 315 return 25; 316 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ 317 return 26; 318 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ 319 return 27; 320 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ 321 return 28; 322 case NID_X25519: /* X25519 (29) */ 323 return 29; 324 default: 325 return 0; 326 } 327 } 328 329 /* 330 * Return the appropriate format list. If client_formats is non-zero, return 331 * the client/session formats. Otherwise return the custom format list if one 332 * exists, or the default formats if a custom list has not been specified. 333 */ 334 void 335 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, 336 size_t *pformatslen) 337 { 338 if (client_formats != 0) { 339 *pformats = SSI(s)->tlsext_ecpointformatlist; 340 *pformatslen = SSI(s)->tlsext_ecpointformatlist_length; 341 return; 342 } 343 344 *pformats = s->internal->tlsext_ecpointformatlist; 345 *pformatslen = s->internal->tlsext_ecpointformatlist_length; 346 if (*pformats == NULL) { 347 *pformats = ecformats_default; 348 *pformatslen = sizeof(ecformats_default); 349 } 350 } 351 352 /* 353 * Return the appropriate group list. If client_groups is non-zero, return 354 * the client/session groups. Otherwise return the custom group list if one 355 * exists, or the default groups if a custom list has not been specified. 356 */ 357 void 358 tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups, 359 size_t *pgroupslen) 360 { 361 if (client_groups != 0) { 362 *pgroups = SSI(s)->tlsext_supportedgroups; 363 *pgroupslen = SSI(s)->tlsext_supportedgroups_length; 364 return; 365 } 366 367 *pgroups = s->internal->tlsext_supportedgroups; 368 *pgroupslen = s->internal->tlsext_supportedgroups_length; 369 if (*pgroups == NULL) { 370 *pgroups = eccurves_default; 371 *pgroupslen = sizeof(eccurves_default) / 2; 372 } 373 } 374 375 int 376 tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len, 377 const int *groups, size_t ngroups) 378 { 379 uint16_t *group_ids; 380 size_t i; 381 382 group_ids = calloc(ngroups, sizeof(uint16_t)); 383 if (group_ids == NULL) 384 return 0; 385 386 for (i = 0; i < ngroups; i++) { 387 group_ids[i] = tls1_ec_nid2curve_id(groups[i]); 388 if (group_ids[i] == 0) { 389 free(group_ids); 390 return 0; 391 } 392 } 393 394 free(*out_group_ids); 395 *out_group_ids = group_ids; 396 *out_group_ids_len = ngroups; 397 398 return 1; 399 } 400 401 int 402 tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len, 403 const char *groups) 404 { 405 uint16_t *new_group_ids, *group_ids = NULL; 406 size_t ngroups = 0; 407 char *gs, *p, *q; 408 int nid; 409 410 if ((gs = strdup(groups)) == NULL) 411 return 0; 412 413 q = gs; 414 while ((p = strsep(&q, ":")) != NULL) { 415 nid = OBJ_sn2nid(p); 416 if (nid == NID_undef) 417 nid = OBJ_ln2nid(p); 418 if (nid == NID_undef) 419 nid = EC_curve_nist2nid(p); 420 if (nid == NID_undef) 421 goto err; 422 423 if ((new_group_ids = reallocarray(group_ids, ngroups + 1, 424 sizeof(uint16_t))) == NULL) 425 goto err; 426 group_ids = new_group_ids; 427 428 group_ids[ngroups] = tls1_ec_nid2curve_id(nid); 429 if (group_ids[ngroups] == 0) 430 goto err; 431 432 ngroups++; 433 } 434 435 free(gs); 436 free(*out_group_ids); 437 *out_group_ids = group_ids; 438 *out_group_ids_len = ngroups; 439 440 return 1; 441 442 err: 443 free(gs); 444 free(group_ids); 445 446 return 0; 447 } 448 449 /* Check that a curve is one of our preferences. */ 450 int 451 tls1_check_curve(SSL *s, const uint16_t curve_id) 452 { 453 const uint16_t *groups; 454 size_t groupslen, i; 455 456 tls1_get_group_list(s, 0, &groups, &groupslen); 457 458 for (i = 0; i < groupslen; i++) { 459 if (groups[i] == curve_id) 460 return (1); 461 } 462 return (0); 463 } 464 465 int 466 tls1_get_shared_curve(SSL *s) 467 { 468 size_t preflen, supplen, i, j; 469 const uint16_t *pref, *supp; 470 unsigned long server_pref; 471 472 /* Cannot do anything on the client side. */ 473 if (s->server == 0) 474 return (NID_undef); 475 476 /* Return first preference shared curve. */ 477 server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE); 478 tls1_get_group_list(s, (server_pref == 0), &pref, &preflen); 479 tls1_get_group_list(s, (server_pref != 0), &supp, &supplen); 480 481 for (i = 0; i < preflen; i++) { 482 for (j = 0; j < supplen; j++) { 483 if (pref[i] == supp[j]) 484 return (tls1_ec_curve_id2nid(pref[i])); 485 } 486 } 487 return (NID_undef); 488 } 489 490 /* For an EC key set TLS ID and required compression based on parameters. */ 491 static int 492 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) 493 { 494 const EC_GROUP *grp; 495 const EC_METHOD *meth; 496 int is_prime = 0; 497 int nid, id; 498 499 if (ec == NULL) 500 return (0); 501 502 /* Determine if it is a prime field. */ 503 if ((grp = EC_KEY_get0_group(ec)) == NULL) 504 return (0); 505 if ((meth = EC_GROUP_method_of(grp)) == NULL) 506 return (0); 507 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) 508 is_prime = 1; 509 510 /* Determine curve ID. */ 511 nid = EC_GROUP_get_curve_name(grp); 512 id = tls1_ec_nid2curve_id(nid); 513 514 /* If we have an ID set it, otherwise set arbitrary explicit curve. */ 515 if (id != 0) 516 *curve_id = id; 517 else 518 *curve_id = is_prime ? 0xff01 : 0xff02; 519 520 /* Specify the compression identifier. */ 521 if (comp_id != NULL) { 522 if (EC_KEY_get0_public_key(ec) == NULL) 523 return (0); 524 525 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { 526 *comp_id = is_prime ? 527 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : 528 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 529 } else { 530 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; 531 } 532 } 533 return (1); 534 } 535 536 /* Check that an EC key is compatible with extensions. */ 537 static int 538 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) 539 { 540 size_t groupslen, formatslen, i; 541 const uint16_t *groups; 542 const uint8_t *formats; 543 544 /* 545 * Check point formats extension if present, otherwise everything 546 * is supported (see RFC4492). 547 */ 548 tls1_get_formatlist(s, 1, &formats, &formatslen); 549 if (comp_id != NULL && formats != NULL) { 550 for (i = 0; i < formatslen; i++) { 551 if (formats[i] == *comp_id) 552 break; 553 } 554 if (i == formatslen) 555 return (0); 556 } 557 558 /* 559 * Check curve list if present, otherwise everything is supported. 560 */ 561 tls1_get_group_list(s, 1, &groups, &groupslen); 562 if (curve_id != NULL && groups != NULL) { 563 for (i = 0; i < groupslen; i++) { 564 if (groups[i] == *curve_id) 565 break; 566 } 567 if (i == groupslen) 568 return (0); 569 } 570 571 return (1); 572 } 573 574 /* Check EC server key is compatible with client extensions. */ 575 int 576 tls1_check_ec_server_key(SSL *s) 577 { 578 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; 579 uint16_t curve_id; 580 uint8_t comp_id; 581 EVP_PKEY *pkey; 582 int rv; 583 584 if (cpk->x509 == NULL || cpk->privatekey == NULL) 585 return (0); 586 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL) 587 return (0); 588 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec); 589 EVP_PKEY_free(pkey); 590 if (rv != 1) 591 return (0); 592 593 return tls1_check_ec_key(s, &curve_id, &comp_id); 594 } 595 596 int 597 ssl_check_clienthello_tlsext_early(SSL *s) 598 { 599 int ret = SSL_TLSEXT_ERR_NOACK; 600 int al = SSL_AD_UNRECOGNIZED_NAME; 601 602 /* The handling of the ECPointFormats extension is done elsewhere, namely in 603 * ssl3_choose_cipher in s3_lib.c. 604 */ 605 /* The handling of the EllipticCurves extension is done elsewhere, namely in 606 * ssl3_choose_cipher in s3_lib.c. 607 */ 608 609 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0) 610 ret = s->ctx->internal->tlsext_servername_callback(s, &al, 611 s->ctx->internal->tlsext_servername_arg); 612 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0) 613 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al, 614 s->initial_ctx->internal->tlsext_servername_arg); 615 616 switch (ret) { 617 case SSL_TLSEXT_ERR_ALERT_FATAL: 618 ssl3_send_alert(s, SSL3_AL_FATAL, al); 619 return -1; 620 case SSL_TLSEXT_ERR_ALERT_WARNING: 621 ssl3_send_alert(s, SSL3_AL_WARNING, al); 622 return 1; 623 case SSL_TLSEXT_ERR_NOACK: 624 default: 625 return 1; 626 } 627 } 628 629 int 630 ssl_check_clienthello_tlsext_late(SSL *s) 631 { 632 int ret = SSL_TLSEXT_ERR_OK; 633 int al = 0; /* XXX gcc3 */ 634 635 /* If status request then ask callback what to do. 636 * Note: this must be called after servername callbacks in case 637 * the certificate has changed, and must be called after the cipher 638 * has been chosen because this may influence which certificate is sent 639 */ 640 if ((s->tlsext_status_type != -1) && 641 s->ctx && s->ctx->internal->tlsext_status_cb) { 642 int r; 643 CERT_PKEY *certpkey; 644 certpkey = ssl_get_server_send_pkey(s); 645 /* If no certificate can't return certificate status */ 646 if (certpkey == NULL) { 647 s->internal->tlsext_status_expected = 0; 648 return 1; 649 } 650 /* Set current certificate to one we will use so 651 * SSL_get_certificate et al can pick it up. 652 */ 653 s->cert->key = certpkey; 654 r = s->ctx->internal->tlsext_status_cb(s, 655 s->ctx->internal->tlsext_status_arg); 656 switch (r) { 657 /* We don't want to send a status request response */ 658 case SSL_TLSEXT_ERR_NOACK: 659 s->internal->tlsext_status_expected = 0; 660 break; 661 /* status request response should be sent */ 662 case SSL_TLSEXT_ERR_OK: 663 if (s->internal->tlsext_ocsp_resp) 664 s->internal->tlsext_status_expected = 1; 665 else 666 s->internal->tlsext_status_expected = 0; 667 break; 668 /* something bad happened */ 669 case SSL_TLSEXT_ERR_ALERT_FATAL: 670 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 671 al = SSL_AD_INTERNAL_ERROR; 672 goto err; 673 } 674 } else 675 s->internal->tlsext_status_expected = 0; 676 677 err: 678 switch (ret) { 679 case SSL_TLSEXT_ERR_ALERT_FATAL: 680 ssl3_send_alert(s, SSL3_AL_FATAL, al); 681 return -1; 682 case SSL_TLSEXT_ERR_ALERT_WARNING: 683 ssl3_send_alert(s, SSL3_AL_WARNING, al); 684 return 1; 685 default: 686 return 1; 687 } 688 } 689 690 int 691 ssl_check_serverhello_tlsext(SSL *s) 692 { 693 int ret = SSL_TLSEXT_ERR_NOACK; 694 int al = SSL_AD_UNRECOGNIZED_NAME; 695 696 ret = SSL_TLSEXT_ERR_OK; 697 698 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0) 699 ret = s->ctx->internal->tlsext_servername_callback(s, &al, 700 s->ctx->internal->tlsext_servername_arg); 701 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0) 702 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al, 703 s->initial_ctx->internal->tlsext_servername_arg); 704 705 /* If we've requested certificate status and we wont get one 706 * tell the callback 707 */ 708 if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) && 709 s->ctx && s->ctx->internal->tlsext_status_cb) { 710 int r; 711 712 free(s->internal->tlsext_ocsp_resp); 713 s->internal->tlsext_ocsp_resp = NULL; 714 s->internal->tlsext_ocsp_resp_len = 0; 715 716 r = s->ctx->internal->tlsext_status_cb(s, 717 s->ctx->internal->tlsext_status_arg); 718 if (r == 0) { 719 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 720 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 721 } 722 if (r < 0) { 723 al = SSL_AD_INTERNAL_ERROR; 724 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 725 } 726 } 727 728 switch (ret) { 729 case SSL_TLSEXT_ERR_ALERT_FATAL: 730 ssl3_send_alert(s, SSL3_AL_FATAL, al); 731 return -1; 732 case SSL_TLSEXT_ERR_ALERT_WARNING: 733 ssl3_send_alert(s, SSL3_AL_WARNING, al); 734 return 1; 735 case SSL_TLSEXT_ERR_NOACK: 736 default: 737 return 1; 738 } 739 } 740 741 /* Since the server cache lookup is done early on in the processing of the 742 * ClientHello, and other operations depend on the result, we need to handle 743 * any TLS session ticket extension at the same time. 744 * 745 * session_id: a CBS containing the session ID. 746 * ext_block: a CBS for the ClientHello extensions block. 747 * ret: (output) on return, if a ticket was decrypted, then this is set to 748 * point to the resulting session. 749 * 750 * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key 751 * ciphersuite, in which case we have no use for session tickets and one will 752 * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1. 753 * 754 * Returns: 755 * -1: fatal error, either from parsing or decrypting the ticket. 756 * 0: no ticket was found (or was ignored, based on settings). 757 * 1: a zero length extension was found, indicating that the client supports 758 * session tickets but doesn't currently have one to offer. 759 * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but 760 * couldn't be decrypted because of a non-fatal error. 761 * 3: a ticket was successfully decrypted and *ret was set. 762 * 763 * Side effects: 764 * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue 765 * a new session ticket to the client because the client indicated support 766 * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have 767 * a session ticket or we couldn't use the one it gave us, or if 768 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 769 * Otherwise, s->internal->tlsext_ticket_expected is set to 0. 770 */ 771 int 772 tls1_process_ticket(SSL *s, CBS *session_id, CBS *ext_block, SSL_SESSION **ret) 773 { 774 CBS extensions, ext_data; 775 uint16_t ext_type = 0; 776 int r; 777 778 s->internal->tlsext_ticket_expected = 0; 779 *ret = NULL; 780 781 /* 782 * If tickets disabled behave as if no ticket present to permit stateful 783 * resumption. 784 */ 785 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 786 return 0; 787 788 /* 789 * An empty extensions block is valid, but obviously does not contain 790 * a session ticket. 791 */ 792 if (CBS_len(ext_block) == 0) 793 return 0; 794 795 if (!CBS_get_u16_length_prefixed(ext_block, &extensions)) 796 return -1; 797 798 while (CBS_len(&extensions) > 0) { 799 if (!CBS_get_u16(&extensions, &ext_type) || 800 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) 801 return -1; 802 803 if (ext_type == TLSEXT_TYPE_session_ticket) 804 break; 805 } 806 807 if (ext_type != TLSEXT_TYPE_session_ticket) 808 return 0; 809 810 if (CBS_len(&ext_data) == 0) { 811 /* 812 * The client will accept a ticket but does not currently 813 * have one. 814 */ 815 s->internal->tlsext_ticket_expected = 1; 816 return 1; 817 } 818 819 if (s->internal->tls_session_secret_cb != NULL) { 820 /* 821 * Indicate that the ticket could not be decrypted rather than 822 * generating the session from ticket now, trigger abbreviated 823 * handshake based on external mechanism to calculate the master 824 * secret later. 825 */ 826 return 2; 827 } 828 829 r = tls_decrypt_ticket(s, session_id, &ext_data, ret); 830 switch (r) { 831 case 2: /* ticket couldn't be decrypted */ 832 s->internal->tlsext_ticket_expected = 1; 833 return 2; 834 case 3: /* ticket was decrypted */ 835 return r; 836 case 4: /* ticket decrypted but need to renew */ 837 s->internal->tlsext_ticket_expected = 1; 838 return 3; 839 default: /* fatal error */ 840 return -1; 841 } 842 } 843 844 /* tls_decrypt_ticket attempts to decrypt a session ticket. 845 * 846 * session_id: a CBS containing the session ID. 847 * ticket: a CBS containing the body of the session ticket extension. 848 * psess: (output) on return, if a ticket was decrypted, then this is set to 849 * point to the resulting session. 850 * 851 * Returns: 852 * -1: fatal error, either from parsing or decrypting the ticket. 853 * 2: the ticket couldn't be decrypted. 854 * 3: a ticket was successfully decrypted and *psess was set. 855 * 4: same as 3, but the ticket needs to be renewed. 856 */ 857 static int 858 tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, SSL_SESSION **psess) 859 { 860 CBS ticket_name, ticket_iv, ticket_encdata, ticket_hmac; 861 SSL_SESSION *sess = NULL; 862 unsigned char *sdec = NULL; 863 size_t sdec_len = 0; 864 size_t session_id_len; 865 const unsigned char *p; 866 unsigned char hmac[EVP_MAX_MD_SIZE]; 867 HMAC_CTX *hctx = NULL; 868 EVP_CIPHER_CTX *cctx = NULL; 869 SSL_CTX *tctx = s->initial_ctx; 870 int slen, hlen; 871 int renew_ticket = 0; 872 int ret = -1; 873 874 *psess = NULL; 875 876 if (!CBS_get_bytes(ticket, &ticket_name, 16)) 877 goto derr; 878 879 /* 880 * Initialize session ticket encryption and HMAC contexts. 881 */ 882 if ((cctx = EVP_CIPHER_CTX_new()) == NULL) 883 goto err; 884 if ((hctx = HMAC_CTX_new()) == NULL) 885 goto err; 886 887 if (tctx->internal->tlsext_ticket_key_cb != NULL) { 888 int rv; 889 890 /* 891 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for 892 * the iv to tlsext_ticket_key_cb(). Since the total space 893 * required for a session cookie is never less than this, 894 * this check isn't too strict. The exact check comes later. 895 */ 896 if (CBS_len(ticket) < EVP_MAX_IV_LENGTH) 897 goto derr; 898 899 if ((rv = tctx->internal->tlsext_ticket_key_cb(s, 900 (unsigned char *)CBS_data(&ticket_name), 901 (unsigned char *)CBS_data(ticket), cctx, hctx, 0)) < 0) 902 goto err; 903 if (rv == 0) 904 goto derr; 905 if (rv == 2) 906 renew_ticket = 1; 907 908 /* 909 * Now that the cipher context is initialised, we can extract 910 * the IV since its length is known. 911 */ 912 if (!CBS_get_bytes(ticket, &ticket_iv, 913 EVP_CIPHER_CTX_iv_length(cctx))) 914 goto derr; 915 } else { 916 /* Check that the key name matches. */ 917 if (!CBS_mem_equal(&ticket_name, 918 tctx->internal->tlsext_tick_key_name, 919 sizeof(tctx->internal->tlsext_tick_key_name))) 920 goto derr; 921 if (!CBS_get_bytes(ticket, &ticket_iv, 922 EVP_CIPHER_iv_length(EVP_aes_128_cbc()))) 923 goto derr; 924 if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL, 925 tctx->internal->tlsext_tick_aes_key, CBS_data(&ticket_iv))) 926 goto err; 927 if (!HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key, 928 sizeof(tctx->internal->tlsext_tick_hmac_key), EVP_sha256(), 929 NULL)) 930 goto err; 931 } 932 933 /* 934 * Attempt to process session ticket. 935 */ 936 937 if ((hlen = HMAC_size(hctx)) < 0) 938 goto err; 939 940 if (hlen > CBS_len(ticket)) 941 goto derr; 942 if (!CBS_get_bytes(ticket, &ticket_encdata, CBS_len(ticket) - hlen)) 943 goto derr; 944 if (!CBS_get_bytes(ticket, &ticket_hmac, hlen)) 945 goto derr; 946 if (CBS_len(ticket) != 0) 947 goto err; 948 949 /* Check HMAC of encrypted ticket. */ 950 if (HMAC_Update(hctx, CBS_data(&ticket_name), 951 CBS_len(&ticket_name)) <= 0) 952 goto err; 953 if (HMAC_Update(hctx, CBS_data(&ticket_iv), 954 CBS_len(&ticket_iv)) <= 0) 955 goto err; 956 if (HMAC_Update(hctx, CBS_data(&ticket_encdata), 957 CBS_len(&ticket_encdata)) <= 0) 958 goto err; 959 if (HMAC_Final(hctx, hmac, &hlen) <= 0) 960 goto err; 961 962 if (!CBS_mem_equal(&ticket_hmac, hmac, hlen)) 963 goto derr; 964 965 /* Attempt to decrypt session data. */ 966 sdec_len = CBS_len(&ticket_encdata); 967 if ((sdec = calloc(1, sdec_len)) == NULL) 968 goto err; 969 if (EVP_DecryptUpdate(cctx, sdec, &slen, CBS_data(&ticket_encdata), 970 CBS_len(&ticket_encdata)) <= 0) 971 goto derr; 972 if (EVP_DecryptFinal_ex(cctx, sdec + slen, &hlen) <= 0) 973 goto derr; 974 975 slen += hlen; 976 977 /* 978 * For session parse failures, indicate that we need to send a new 979 * ticket. 980 */ 981 p = sdec; 982 if ((sess = d2i_SSL_SESSION(NULL, &p, slen)) == NULL) 983 goto derr; 984 985 /* 986 * The session ID, if non-empty, is used by some clients to detect that 987 * the ticket has been accepted. So we copy it to the session structure. 988 * If it is empty set length to zero as required by standard. 989 */ 990 if (!CBS_write_bytes(session_id, sess->session_id, 991 sizeof(sess->session_id), &session_id_len)) 992 goto err; 993 sess->session_id_length = (unsigned int)session_id_len; 994 995 *psess = sess; 996 sess = NULL; 997 998 if (renew_ticket) 999 ret = 4; 1000 else 1001 ret = 3; 1002 1003 goto done; 1004 1005 derr: 1006 ret = 2; 1007 goto done; 1008 1009 err: 1010 ret = -1; 1011 goto done; 1012 1013 done: 1014 freezero(sdec, sdec_len); 1015 EVP_CIPHER_CTX_free(cctx); 1016 HMAC_CTX_free(hctx); 1017 SSL_SESSION_free(sess); 1018 1019 if (ret == 2) 1020 ERR_clear_error(); 1021 1022 return ret; 1023 } 1024