Diffstat (limited to 'src/lib/libssl/t1_lib.c')
-rw-r--r--src/lib/libssl/t1_lib.c994
1 files changed, 0 insertions, 994 deletions
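--- a/src/lib/libssl/t1_lib.c
+++ /dev/null
@@ -1,994 +0,0 @@
-/* $OpenBSD: t1_lib.c,v 1.182 2021/07/01 17:53:39 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/evp.h>
-#include <openssl/hmac.h>
-#include <openssl/objects.h>
-#include <openssl/ocsp.h>
-
-#include "bytestring.h"
-#include "ssl_locl.h"
-#include "ssl_sigalgs.h"
-#include "ssl_tlsext.h"
-
-static int tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert,
- SSL_SESSION **psess);
-
-int
-tls1_new(SSL *s)
-{
- if (!ssl3_new(s))
- return (0);
- s->method->ssl_clear(s);
- return (1);
-}
-
-void
-tls1_free(SSL *s)
-{
- if (s == NULL)
- return;
-
- free(s->internal->tlsext_session_ticket);
- ssl3_free(s);
-}
-
-void
-tls1_clear(SSL *s)
-{
- ssl3_clear(s);
- s->version = s->method->version;
-}
-
-static const int nid_list[] = {
- NID_sect163k1, /* sect163k1 (1) */
- NID_sect163r1, /* sect163r1 (2) */
- NID_sect163r2, /* sect163r2 (3) */
- NID_sect193r1, /* sect193r1 (4) */
- NID_sect193r2, /* sect193r2 (5) */
- NID_sect233k1, /* sect233k1 (6) */
- NID_sect233r1, /* sect233r1 (7) */
- NID_sect239k1, /* sect239k1 (8) */
- NID_sect283k1, /* sect283k1 (9) */
- NID_sect283r1, /* sect283r1 (10) */
- NID_sect409k1, /* sect409k1 (11) */
- NID_sect409r1, /* sect409r1 (12) */
- NID_sect571k1, /* sect571k1 (13) */
- NID_sect571r1, /* sect571r1 (14) */
- NID_secp160k1, /* secp160k1 (15) */
- NID_secp160r1, /* secp160r1 (16) */
- NID_secp160r2, /* secp160r2 (17) */
- NID_secp192k1, /* secp192k1 (18) */
- NID_X9_62_prime192v1, /* secp192r1 (19) */
- NID_secp224k1, /* secp224k1 (20) */
- NID_secp224r1, /* secp224r1 (21) */
- NID_secp256k1, /* secp256k1 (22) */
- NID_X9_62_prime256v1, /* secp256r1 (23) */
- NID_secp384r1, /* secp384r1 (24) */
- NID_secp521r1, /* secp521r1 (25) */
- NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
- NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
- NID_brainpoolP512r1, /* brainpoolP512r1 (28) */
- NID_X25519, /* X25519 (29) */
-};
-
-#if 0
-static const uint8_t ecformats_list[] = {
- TLSEXT_ECPOINTFORMAT_uncompressed,
- TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
- TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
-};
-#endif
-
-static const uint8_t ecformats_default[] = {
- TLSEXT_ECPOINTFORMAT_uncompressed,
-};
-
-#if 0
-static const uint16_t eccurves_list[] = {
- 29, /* X25519 (29) */
- 14, /* sect571r1 (14) */
- 13, /* sect571k1 (13) */
- 25, /* secp521r1 (25) */
- 28, /* brainpoolP512r1 (28) */
- 11, /* sect409k1 (11) */
- 12, /* sect409r1 (12) */
- 27, /* brainpoolP384r1 (27) */
- 24, /* secp384r1 (24) */
- 9, /* sect283k1 (9) */
- 10, /* sect283r1 (10) */
- 26, /* brainpoolP256r1 (26) */
- 22, /* secp256k1 (22) */
- 23, /* secp256r1 (23) */
- 8, /* sect239k1 (8) */
- 6, /* sect233k1 (6) */
- 7, /* sect233r1 (7) */
- 20, /* secp224k1 (20) */
- 21, /* secp224r1 (21) */
- 4, /* sect193r1 (4) */
- 5, /* sect193r2 (5) */
- 18, /* secp192k1 (18) */
- 19, /* secp192r1 (19) */
- 1, /* sect163k1 (1) */
- 2, /* sect163r1 (2) */
- 3, /* sect163r2 (3) */
- 15, /* secp160k1 (15) */
- 16, /* secp160r1 (16) */
- 17, /* secp160r2 (17) */
-};
-#endif
-
-static const uint16_t eccurves_client_default[] = {
- 29, /* X25519 (29) */
- 23, /* secp256r1 (23) */
- 24, /* secp384r1 (24) */
- 25, /* secp521r1 (25) */
-};
-
-static const uint16_t eccurves_server_default[] = {
- 29, /* X25519 (29) */
- 23, /* secp256r1 (23) */
- 24, /* secp384r1 (24) */
-};
-
-int
-tls1_ec_curve_id2nid(const uint16_t curve_id)
-{
- /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
- if ((curve_id < 1) ||
- ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0])))
- return 0;
- return nid_list[curve_id - 1];
-}
-
-uint16_t
-tls1_ec_nid2curve_id(const int nid)
-{
- /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
- switch (nid) {
- case NID_sect163k1: /* sect163k1 (1) */
- return 1;
- case NID_sect163r1: /* sect163r1 (2) */
- return 2;
- case NID_sect163r2: /* sect163r2 (3) */
- return 3;
- case NID_sect193r1: /* sect193r1 (4) */
- return 4;
- case NID_sect193r2: /* sect193r2 (5) */
- return 5;
- case NID_sect233k1: /* sect233k1 (6) */
- return 6;
- case NID_sect233r1: /* sect233r1 (7) */
- return 7;
- case NID_sect239k1: /* sect239k1 (8) */
- return 8;
- case NID_sect283k1: /* sect283k1 (9) */
- return 9;
- case NID_sect283r1: /* sect283r1 (10) */
- return 10;
- case NID_sect409k1: /* sect409k1 (11) */
- return 11;
- case NID_sect409r1: /* sect409r1 (12) */
- return 12;
- case NID_sect571k1: /* sect571k1 (13) */
- return 13;
- case NID_sect571r1: /* sect571r1 (14) */
- return 14;
- case NID_secp160k1: /* secp160k1 (15) */
- return 15;
- case NID_secp160r1: /* secp160r1 (16) */
- return 16;
- case NID_secp160r2: /* secp160r2 (17) */
- return 17;
- case NID_secp192k1: /* secp192k1 (18) */
- return 18;
- case NID_X9_62_prime192v1: /* secp192r1 (19) */
- return 19;
- case NID_secp224k1: /* secp224k1 (20) */
- return 20;
- case NID_secp224r1: /* secp224r1 (21) */
- return 21;
- case NID_secp256k1: /* secp256k1 (22) */
- return 22;
- case NID_X9_62_prime256v1: /* secp256r1 (23) */
- return 23;
- case NID_secp384r1: /* secp384r1 (24) */
- return 24;
- case NID_secp521r1: /* secp521r1 (25) */
- return 25;
- case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
- return 26;
- case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
- return 27;
- case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */
- return 28;
- case NID_X25519: /* X25519 (29) */
- return 29;
- default:
- return 0;
- }
-}
-
-/*
- * Return the appropriate format list. If client_formats is non-zero, return
- * the client/session formats. Otherwise return the custom format list if one
- * exists, or the default formats if a custom list has not been specified.
- */
-void
-tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
- size_t *pformatslen)
-{
- if (client_formats != 0) {
- *pformats = SSI(s)->tlsext_ecpointformatlist;
- *pformatslen = SSI(s)->tlsext_ecpointformatlist_length;
- return;
- }
-
- *pformats = s->internal->tlsext_ecpointformatlist;
- *pformatslen = s->internal->tlsext_ecpointformatlist_length;
- if (*pformats == NULL) {
- *pformats = ecformats_default;
- *pformatslen = sizeof(ecformats_default);
- }
-}
-
-/*
- * Return the appropriate group list. If client_groups is non-zero, return
- * the client/session groups. Otherwise return the custom group list if one
- * exists, or the default groups if a custom list has not been specified.
- */
-void
-tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups,
- size_t *pgroupslen)
-{
- if (client_groups != 0) {
- *pgroups = SSI(s)->tlsext_supportedgroups;
- *pgroupslen = SSI(s)->tlsext_supportedgroups_length;
- return;
- }
-
- *pgroups = s->internal->tlsext_supportedgroups;
- *pgroupslen = s->internal->tlsext_supportedgroups_length;
- if (*pgroups != NULL)
- return;
-
- if (!s->server) {
- *pgroups = eccurves_client_default;
- *pgroupslen = sizeof(eccurves_client_default) / 2;
- } else {
- *pgroups = eccurves_server_default;
- *pgroupslen = sizeof(eccurves_server_default) / 2;
- }
-}
-
-int
-tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
- const int *groups, size_t ngroups)
-{
- uint16_t *group_ids;
- size_t i;
-
- group_ids = calloc(ngroups, sizeof(uint16_t));
- if (group_ids == NULL)
- return 0;
-
- for (i = 0; i < ngroups; i++) {
- group_ids[i] = tls1_ec_nid2curve_id(groups[i]);
- if (group_ids[i] == 0) {
- free(group_ids);
- return 0;
- }
- }
-
- free(*out_group_ids);
- *out_group_ids = group_ids;
- *out_group_ids_len = ngroups;
-
- return 1;
-}
-
-int
-tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
- const char *groups)
-{
- uint16_t *new_group_ids, *group_ids = NULL;
- size_t ngroups = 0;
- char *gs, *p, *q;
- int nid;
-
- if ((gs = strdup(groups)) == NULL)
- return 0;
-
- q = gs;
- while ((p = strsep(&q, ":")) != NULL) {
- nid = OBJ_sn2nid(p);
- if (nid == NID_undef)
- nid = OBJ_ln2nid(p);
- if (nid == NID_undef)
- nid = EC_curve_nist2nid(p);
- if (nid == NID_undef)
- goto err;
-
- if ((new_group_ids = reallocarray(group_ids, ngroups + 1,
- sizeof(uint16_t))) == NULL)
- goto err;
- group_ids = new_group_ids;
-
- group_ids[ngroups] = tls1_ec_nid2curve_id(nid);
- if (group_ids[ngroups] == 0)
- goto err;
-
- ngroups++;
- }
-
- free(gs);
- free(*out_group_ids);
- *out_group_ids = group_ids;
- *out_group_ids_len = ngroups;
-
- return 1;
-
- err:
- free(gs);
- free(group_ids);
-
- return 0;
-}
-
-/* Check that a curve is one of our preferences. */
-int
-tls1_check_curve(SSL *s, const uint16_t curve_id)
-{
- const uint16_t *groups;
- size_t groupslen, i;
-
- tls1_get_group_list(s, 0, &groups, &groupslen);
-
- for (i = 0; i < groupslen; i++) {
- if (groups[i] == curve_id)
- return (1);
- }
- return (0);
-}
-
-int
-tls1_get_shared_curve(SSL *s)
-{
- size_t preflen, supplen, i, j;
- const uint16_t *pref, *supp;
- unsigned long server_pref;
-
- /* Cannot do anything on the client side. */
- if (s->server == 0)
- return (NID_undef);
-
- /* Return first preference shared curve. */
- server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
- tls1_get_group_list(s, (server_pref == 0), &pref, &preflen);
- tls1_get_group_list(s, (server_pref != 0), &supp, &supplen);
-
- for (i = 0; i < preflen; i++) {
- for (j = 0; j < supplen; j++) {
- if (pref[i] == supp[j])
- return (tls1_ec_curve_id2nid(pref[i]));
- }
- }
- return (NID_undef);
-}
-
-/* For an EC key set TLS ID and required compression based on parameters. */
-static int
-tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
-{
- const EC_GROUP *grp;
- const EC_METHOD *meth;
- int prime_field;
- int nid;
-
- if (ec == NULL)
- return (0);
-
- /* Determine whether the curve is defined over a prime field. */
- if ((grp = EC_KEY_get0_group(ec)) == NULL)
- return (0);
- if ((meth = EC_GROUP_method_of(grp)) == NULL)
- return (0);
- prime_field = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field);
-
- /* Determine curve ID - NID_undef results in a curve ID of zero. */
- nid = EC_GROUP_get_curve_name(grp);
- /* If we have an ID set it, otherwise set arbitrary explicit curve. */
- if ((*curve_id = tls1_ec_nid2curve_id(nid)) == 0)
- *curve_id = prime_field ? 0xff01 : 0xff02;
-
- if (comp_id == NULL)
- return (1);
-
- /* Specify the compression identifier. */
- if (EC_KEY_get0_public_key(ec) == NULL)
- return (0);
- *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
- if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
- *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
- if (prime_field)
- *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
- }
-
- return (1);
-}
-
-/* Check that an EC key is compatible with extensions. */
-static int
-tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
-{
- size_t groupslen, formatslen, i;
- const uint16_t *groups;
- const uint8_t *formats;
-
- /*
- * Check point formats extension if present, otherwise everything
- * is supported (see RFC4492).
- */
- tls1_get_formatlist(s, 1, &formats, &formatslen);
- if (comp_id != NULL && formats != NULL) {
- for (i = 0; i < formatslen; i++) {
- if (formats[i] == *comp_id)
- break;
- }
- if (i == formatslen)
- return (0);
- }
-
- /*
- * Check curve list if present, otherwise everything is supported.
- */
- tls1_get_group_list(s, 1, &groups, &groupslen);
- if (curve_id != NULL && groups != NULL) {
- for (i = 0; i < groupslen; i++) {
- if (groups[i] == *curve_id)
- break;
- }
- if (i == groupslen)
- return (0);
- }
-
- return (1);
-}
-
-/* Check EC server key is compatible with client extensions. */
-int
-tls1_check_ec_server_key(SSL *s)
-{
- CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
- uint16_t curve_id;
- uint8_t comp_id;
- EVP_PKEY *pkey;
- int rv;
-
- if (cpk->x509 == NULL || cpk->privatekey == NULL)
- return (0);
- if ((pkey = X509_get_pubkey(cpk->x509)) == NULL)
- return (0);
- rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec);
- EVP_PKEY_free(pkey);
- if (rv != 1)
- return (0);
-
- return tls1_check_ec_key(s, &curve_id, &comp_id);
-}
-
-int
-ssl_check_clienthello_tlsext_early(SSL *s)
-{
- int ret = SSL_TLSEXT_ERR_NOACK;
- int al = SSL_AD_UNRECOGNIZED_NAME;
-
- /* The handling of the ECPointFormats extension is done elsewhere, namely in
- * ssl3_choose_cipher in s3_lib.c.
- */
- /* The handling of the EllipticCurves extension is done elsewhere, namely in
- * ssl3_choose_cipher in s3_lib.c.
- */
-
- if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0)
- ret = s->ctx->internal->tlsext_servername_callback(s, &al,
- s->ctx->internal->tlsext_servername_arg);
- else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0)
- ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al,
- s->initial_ctx->internal->tlsext_servername_arg);
-
- switch (ret) {
- case SSL_TLSEXT_ERR_ALERT_FATAL:
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
- return -1;
- case SSL_TLSEXT_ERR_ALERT_WARNING:
- ssl3_send_alert(s, SSL3_AL_WARNING, al);
- return 1;
- case SSL_TLSEXT_ERR_NOACK:
- default:
- return 1;
- }
-}
-
-int
-ssl_check_clienthello_tlsext_late(SSL *s)
-{
- int ret = SSL_TLSEXT_ERR_OK;
- int al = 0; /* XXX gcc3 */
-
- /* If status request then ask callback what to do.
- * Note: this must be called after servername callbacks in case
- * the certificate has changed, and must be called after the cipher
- * has been chosen because this may influence which certificate is sent
- */
- if ((s->tlsext_status_type != -1) &&
- s->ctx && s->ctx->internal->tlsext_status_cb) {
- int r;
- CERT_PKEY *certpkey;
- certpkey = ssl_get_server_send_pkey(s);
- /* If no certificate can't return certificate status */
- if (certpkey == NULL) {
- s->internal->tlsext_status_expected = 0;
- return 1;
- }
- /* Set current certificate to one we will use so
- * SSL_get_certificate et al can pick it up.
- */
- s->cert->key = certpkey;
- r = s->ctx->internal->tlsext_status_cb(s,
- s->ctx->internal->tlsext_status_arg);
- switch (r) {
- /* We don't want to send a status request response */
- case SSL_TLSEXT_ERR_NOACK:
- s->internal->tlsext_status_expected = 0;
- break;
- /* status request response should be sent */
- case SSL_TLSEXT_ERR_OK:
- if (s->internal->tlsext_ocsp_resp)
- s->internal->tlsext_status_expected = 1;
- else
- s->internal->tlsext_status_expected = 0;
- break;
- /* something bad happened */
- case SSL_TLSEXT_ERR_ALERT_FATAL:
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- al = SSL_AD_INTERNAL_ERROR;
- goto err;
- }
- } else
- s->internal->tlsext_status_expected = 0;
-
- err:
- switch (ret) {
- case SSL_TLSEXT_ERR_ALERT_FATAL:
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
- return -1;
- case SSL_TLSEXT_ERR_ALERT_WARNING:
- ssl3_send_alert(s, SSL3_AL_WARNING, al);
- return 1;
- default:
- return 1;
- }
-}
-
-int
-ssl_check_serverhello_tlsext(SSL *s)
-{
- int ret = SSL_TLSEXT_ERR_NOACK;
- int al = SSL_AD_UNRECOGNIZED_NAME;
-
- ret = SSL_TLSEXT_ERR_OK;
-
- if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0)
- ret = s->ctx->internal->tlsext_servername_callback(s, &al,
- s->ctx->internal->tlsext_servername_arg);
- else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0)
- ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al,
- s->initial_ctx->internal->tlsext_servername_arg);
-
- /* If we've requested certificate status and we wont get one
- * tell the callback
- */
- if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) &&
- s->ctx && s->ctx->internal->tlsext_status_cb) {
- int r;
-
- free(s->internal->tlsext_ocsp_resp);
- s->internal->tlsext_ocsp_resp = NULL;
- s->internal->tlsext_ocsp_resp_len = 0;
-
- r = s->ctx->internal->tlsext_status_cb(s,
- s->ctx->internal->tlsext_status_arg);
- if (r == 0) {
- al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- if (r < 0) {
- al = SSL_AD_INTERNAL_ERROR;
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- }
-
- switch (ret) {
- case SSL_TLSEXT_ERR_ALERT_FATAL:
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
- return -1;
- case SSL_TLSEXT_ERR_ALERT_WARNING:
- ssl3_send_alert(s, SSL3_AL_WARNING, al);
- return 1;
- case SSL_TLSEXT_ERR_NOACK:
- default:
- return 1;
- }
-}
-
-/* Since the server cache lookup is done early on in the processing of the
- * ClientHello, and other operations depend on the result, we need to handle
- * any TLS session ticket extension at the same time.
- *
- * ext_block: a CBS for the ClientHello extensions block.
- * ret: (output) on return, if a ticket was decrypted, then this is set to
- * point to the resulting session.
- *
- * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key
- * ciphersuite, in which case we have no use for session tickets and one will
- * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1.
- *
- * Returns:
- * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket.
- * TLS1_TICKET_NONE: no ticket was found (or was ignored, based on settings).
- * TLS1_TICKET_EMPTY: a zero length extension was found, indicating that the
- * client supports session tickets but doesn't currently have one to offer.
- * TLS1_TICKET_NOT_DECRYPTED: either s->internal->tls_session_secret_cb was
- * set, or a ticket was offered but couldn't be decrypted because of a
- * non-fatal error.
- * TLS1_TICKET_DECRYPTED: a ticket was successfully decrypted and *ret was set.
- *
- * Side effects:
- * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue
- * a new session ticket to the client because the client indicated support
- * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have
- * a session ticket or we couldn't use the one it gave us, or if
- * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
- * Otherwise, s->internal->tlsext_ticket_expected is set to 0.
- */
-int
-tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret)
-{
- CBS extensions, ext_data;
- uint16_t ext_type = 0;
-
- s->internal->tlsext_ticket_expected = 0;
- *ret = NULL;
-
- /*
- * If tickets disabled behave as if no ticket present to permit stateful
- * resumption.
- */
- if (SSL_get_options(s) & SSL_OP_NO_TICKET)
- return TLS1_TICKET_NONE;
-
- /*
- * An empty extensions block is valid, but obviously does not contain
- * a session ticket.
- */
- if (CBS_len(ext_block) == 0)
- return TLS1_TICKET_NONE;
-
- if (!CBS_get_u16_length_prefixed(ext_block, &extensions)) {
- *alert = SSL_AD_DECODE_ERROR;
- return TLS1_TICKET_FATAL_ERROR;
- }
-
- while (CBS_len(&extensions) > 0) {
- if (!CBS_get_u16(&extensions, &ext_type) ||
- !CBS_get_u16_length_prefixed(&extensions, &ext_data)) {
- *alert = SSL_AD_DECODE_ERROR;
- return TLS1_TICKET_FATAL_ERROR;
- }
-
- if (ext_type == TLSEXT_TYPE_session_ticket)
- break;
- }
-
- if (ext_type != TLSEXT_TYPE_session_ticket)
- return TLS1_TICKET_NONE;
-
- if (CBS_len(&ext_data) == 0) {
- /*
- * The client will accept a ticket but does not currently
- * have one.
- */
- s->internal->tlsext_ticket_expected = 1;
- return TLS1_TICKET_EMPTY;
- }
-
- if (s->internal->tls_session_secret_cb != NULL) {
- /*
- * Indicate that the ticket could not be decrypted rather than
- * generating the session from ticket now, trigger abbreviated
- * handshake based on external mechanism to calculate the master
- * secret later.
- */
- return TLS1_TICKET_NOT_DECRYPTED;
- }
-
- return tls_decrypt_ticket(s, &ext_data, alert, ret);
-}
-
-/* tls_decrypt_ticket attempts to decrypt a session ticket.
- *
- * ticket: a CBS containing the body of the session ticket extension.
- * psess: (output) on return, if a ticket was decrypted, then this is set to
- * point to the resulting session.
- *
- * Returns:
- * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket.
- * TLS1_TICKET_NOT_DECRYPTED: the ticket couldn't be decrypted.
- * TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set.
- */
-static int
-tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
-{
- CBS ticket_name, ticket_iv, ticket_encdata, ticket_hmac;
- SSL_SESSION *sess = NULL;
- unsigned char *sdec = NULL;
- size_t sdec_len = 0;
- const unsigned char *p;
- unsigned char hmac[EVP_MAX_MD_SIZE];
- HMAC_CTX *hctx = NULL;
- EVP_CIPHER_CTX *cctx = NULL;
- SSL_CTX *tctx = s->initial_ctx;
- int slen, hlen;
- int alert_desc = SSL_AD_INTERNAL_ERROR;
- int ret = TLS1_TICKET_FATAL_ERROR;
-
- *psess = NULL;
-
- if (!CBS_get_bytes(ticket, &ticket_name, 16))
- goto derr;
-
- /*
- * Initialize session ticket encryption and HMAC contexts.
- */
- if ((cctx = EVP_CIPHER_CTX_new()) == NULL)
- goto err;
- if ((hctx = HMAC_CTX_new()) == NULL)
- goto err;
-
- if (tctx->internal->tlsext_ticket_key_cb != NULL) {
- int rv;
-
- /*
- * The API guarantees EVP_MAX_IV_LENGTH bytes of space for
- * the iv to tlsext_ticket_key_cb(). Since the total space
- * required for a session cookie is never less than this,
- * this check isn't too strict. The exact check comes later.
- */
- if (CBS_len(ticket) < EVP_MAX_IV_LENGTH)
- goto derr;
-
- if ((rv = tctx->internal->tlsext_ticket_key_cb(s,
- (unsigned char *)CBS_data(&ticket_name),
- (unsigned char *)CBS_data(ticket), cctx, hctx, 0)) < 0)
- goto err;
- if (rv == 0)
- goto derr;
- if (rv == 2) {
- /* Renew ticket. */
- s->internal->tlsext_ticket_expected = 1;
- }
-
- /*
- * Now that the cipher context is initialised, we can extract
- * the IV since its length is known.
- */
- if (!CBS_get_bytes(ticket, &ticket_iv,
- EVP_CIPHER_CTX_iv_length(cctx)))
- goto derr;
- } else {
- /* Check that the key name matches. */
- if (!CBS_mem_equal(&ticket_name,
- tctx->internal->tlsext_tick_key_name,
- sizeof(tctx->internal->tlsext_tick_key_name)))
- goto derr;
- if (!CBS_get_bytes(ticket, &ticket_iv,
- EVP_CIPHER_iv_length(EVP_aes_128_cbc())))
- goto derr;
- if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL,
- tctx->internal->tlsext_tick_aes_key, CBS_data(&ticket_iv)))
- goto err;
- if (!HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key,
- sizeof(tctx->internal->tlsext_tick_hmac_key), EVP_sha256(),
- NULL))
- goto err;
- }
-
- /*
- * Attempt to process session ticket.
- */
-
- if ((hlen = HMAC_size(hctx)) < 0)
- goto err;
-
- if (hlen > CBS_len(ticket))
- goto derr;
- if (!CBS_get_bytes(ticket, &ticket_encdata, CBS_len(ticket) - hlen))
- goto derr;
- if (!CBS_get_bytes(ticket, &ticket_hmac, hlen))
- goto derr;
- if (CBS_len(ticket) != 0) {
- alert_desc = SSL_AD_DECODE_ERROR;
- goto err;
- }
-
- /* Check HMAC of encrypted ticket. */
- if (HMAC_Update(hctx, CBS_data(&ticket_name),
- CBS_len(&ticket_name)) <= 0)
- goto err;
- if (HMAC_Update(hctx, CBS_data(&ticket_iv),
- CBS_len(&ticket_iv)) <= 0)
- goto err;
- if (HMAC_Update(hctx, CBS_data(&ticket_encdata),
- CBS_len(&ticket_encdata)) <= 0)
- goto err;
- if (HMAC_Final(hctx, hmac, &hlen) <= 0)
- goto err;
-
- if (!CBS_mem_equal(&ticket_hmac, hmac, hlen))
- goto derr;
-
- /* Attempt to decrypt session data. */
- sdec_len = CBS_len(&ticket_encdata);
- if ((sdec = calloc(1, sdec_len)) == NULL)
- goto err;
- if (EVP_DecryptUpdate(cctx, sdec, &slen, CBS_data(&ticket_encdata),
- CBS_len(&ticket_encdata)) <= 0)
- goto derr;
- if (EVP_DecryptFinal_ex(cctx, sdec + slen, &hlen) <= 0)
- goto derr;
-
- slen += hlen;
-
- /*
- * For session parse failures, indicate that we need to send a new
- * ticket.
- */
- p = sdec;
- if ((sess = d2i_SSL_SESSION(NULL, &p, slen)) == NULL)
- goto derr;
- *psess = sess;
- sess = NULL;
-
- ret = TLS1_TICKET_DECRYPTED;
- goto done;
-
- derr:
- ERR_clear_error();
- s->internal->tlsext_ticket_expected = 1;
- ret = TLS1_TICKET_NOT_DECRYPTED;
- goto done;
-
- err:
- *alert = alert_desc;
- ret = TLS1_TICKET_FATAL_ERROR;
- goto done;
-
- done:
- freezero(sdec, sdec_len);
- EVP_CIPHER_CTX_free(cctx);
- HMAC_CTX_free(hctx);
- SSL_SESSION_free(sess);
-
- return ret;
-}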