Diffstat (limited to 'src/lib/libssl/t1_lib.c')
-rw-r--r--src/lib/libssl/t1_lib.c269
1 files changed, 208 insertions, 61 deletions
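diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index a649dafba9..bddffd92cc 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -342,19 +342,11 @@ static unsigned char tls12_sigalgs[] = {
 #ifndef OPENSSL_NO_SHA
  tlsext_sigalg(TLSEXT_hash_sha1)
 #endif
-#ifndef OPENSSL_NO_MD5
- tlsext_sigalg_rsa(TLSEXT_hash_md5)
-#endif
 };
 
 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
  {
  size_t slen = sizeof(tls12_sigalgs);
-#ifdef OPENSSL_FIPS
- /* If FIPS mode don't include MD5 which is last */
- if (FIPS_mode())
- slen -= 2;
-#endif
  if (p)
  memcpy(p, tls12_sigalgs, slen);
  return (int)slen;
@@ -649,6 +641,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
  }
 #endif
 
+#ifndef OPENSSL_NO_SRTP
  if(SSL_get_srtp_profiles(s))
  {
  int el;
@@ -667,6 +660,37 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
  }
  ret += el;
  }
+#endif
+
+#ifdef TLSEXT_TYPE_padding
+ /* Add padding to workaround bugs in F5 terminators.
+ * See https://tools.ietf.org/html/draft-agl-tls-padding-03
+ *
+ * NB: because this code works out the length of all existing
+ * extensions it MUST always appear last.
+ */
+ {
+ int hlen = ret - (unsigned char *)s->init_buf->data;
+ /* The code in s23_clnt.c to build ClientHello messages includes the
+ * 5-byte record header in the buffer, while the code in s3_clnt.c does
+ * not. */
+ if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
+ hlen -= 5;
+ if (hlen > 0xff && hlen < 0x200)
+ {
+ hlen = 0x200 - hlen;
+ if (hlen >= 4)
+ hlen -= 4;
+ else
+ hlen = 0;
+
+ s2n(TLSEXT_TYPE_padding, ret);
+ s2n(hlen, ret);
+ memset(ret, 0, hlen);
+ ret += hlen;
+ }
+ }
+#endif
 
  if ((extdatalen = ret-p-2)== 0)
  return p;
@@ -781,6 +805,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
  }
 #endif
 
+#ifndef OPENSSL_NO_SRTP
  if(s->srtp_profile)
  {
  int el;
@@ -799,6 +824,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
  }
  ret+=el;
  }
+#endif
 
  if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
  && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
@@ -862,6 +888,89 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
  return ret;
  }
 
+#ifndef OPENSSL_NO_EC
+/* ssl_check_for_safari attempts to fingerprint Safari using OS X
+ * SecureTransport using the TLS extension block in |d|, of length |n|.
+ * Safari, since 10.6, sends exactly these extensions, in this order:
+ * SNI,
+ * elliptic_curves
+ * ec_point_formats
+ *
+ * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
+ * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
+ * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
+ * 10.8..10.8.3 (which don't work).
+ */
+static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
+ unsigned short type, size;
+ static const unsigned char kSafariExtensionsBlock[] = {
+ 0x00, 0x0a, /* elliptic_curves extension */
+ 0x00, 0x08, /* 8 bytes */
+ 0x00, 0x06, /* 6 bytes of curve ids */
+ 0x00, 0x17, /* P-256 */
+ 0x00, 0x18, /* P-384 */
+ 0x00, 0x19, /* P-521 */
+
+ 0x00, 0x0b, /* ec_point_formats */
+ 0x00, 0x02, /* 2 bytes */
+ 0x01, /* 1 point format */
+ 0x00, /* uncompressed */
+ };
+
+ /* The following is only present in TLS 1.2 */
+ static const unsigned char kSafariTLS12ExtensionsBlock[] = {
+ 0x00, 0x0d, /* signature_algorithms */
+ 0x00, 0x0c, /* 12 bytes */
+ 0x00, 0x0a, /* 10 bytes */
+ 0x05, 0x01, /* SHA-384/RSA */
+ 0x04, 0x01, /* SHA-256/RSA */
+ 0x02, 0x01, /* SHA-1/RSA */
+ 0x04, 0x03, /* SHA-256/ECDSA */
+ 0x02, 0x03, /* SHA-1/ECDSA */
+ };
+
+ if (data >= (d+n-2))
+ return;
+ data += 2;
+
+ if (data > (d+n-4))
+ return;
+ n2s(data,type);
+ n2s(data,size);
+
+ if (type != TLSEXT_TYPE_server_name)
+ return;
+
+ if (data+size > d+n)
+ return;
+ data += size;
+
+ if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
+ {
+ const size_t len1 = sizeof(kSafariExtensionsBlock);
+ const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
+
+ if (data + len1 + len2 != d+n)
+ return;
+ if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+ return;
+ if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
+ return;
+ }
+ else
+ {
+ const size_t len = sizeof(kSafariExtensionsBlock);
+
+ if (data + len != d+n)
+ return;
+ if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+ return;
+ }
+
+ s->s3->is_probably_safari = 1;
+}
+#endif /* !OPENSSL_NO_EC */
+
 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
  {
  unsigned short type;
@@ -882,6 +991,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
  SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
 #endif
 
+#ifndef OPENSSL_NO_EC
+ if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
+ ssl_check_for_safari(s, data, d, n);
+#endif /* !OPENSSL_NO_EC */
+
  if (data >= (d+n-2))
  goto ri_check;
  n2s(data,len);
@@ -1077,7 +1191,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
  int ellipticcurvelist_length = (*(sdata++) << 8);
  ellipticcurvelist_length += (*(sdata++));
 
- if (ellipticcurvelist_length != size - 2)
+ if (ellipticcurvelist_length != size - 2 ||
+ ellipticcurvelist_length < 1)
  {
  *al = TLS1_AD_DECODE_ERROR;
  return 0;
@@ -1176,7 +1291,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
  }
  }
  else if (type == TLSEXT_TYPE_status_request &&
- s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
+ s->version != DTLS1_VERSION)
  {
 
  if (size < 5)
@@ -1328,12 +1443,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 #endif
 
  /* session ticket processed earlier */
+#ifndef OPENSSL_NO_SRTP
  else if (type == TLSEXT_TYPE_use_srtp)
  {
  if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
  al))
  return 0;
  }
+#endif
 
  data+=size;
  }
@@ -1433,7 +1550,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
  unsigned char *sdata = data;
  int ecpointformatlist_length = *(sdata++);
 
- if (ecpointformatlist_length != size - 1)
+ if (ecpointformatlist_length != size - 1 ||
+ ecpointformatlist_length < 1)
  {
  *al = TLS1_AD_DECODE_ERROR;
  return 0;
@@ -1527,7 +1645,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
  unsigned char selected_len;
 
  /* We must have requested it. */
- if ((s->ctx->next_proto_select_cb == NULL))
+ if (s->ctx->next_proto_select_cb == NULL)
  {
  *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  return 0;
@@ -1577,12 +1695,14 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
  }
  }
 #endif
+#ifndef OPENSSL_NO_SRTP
  else if (type == TLSEXT_TYPE_use_srtp)
  {
  if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
  al))
  return 0;
  }
+#endif
 
  data+=size;
  }
@@ -1763,7 +1883,7 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
  return 1;
  }
 
-int ssl_check_clienthello_tlsext(SSL *s)
+int ssl_check_clienthello_tlsext_early(SSL *s)
  {
  int ret=SSL_TLSEXT_ERR_NOACK;
  int al = SSL_AD_UNRECOGNIZED_NAME;
@@ -1782,42 +1902,12 @@ int ssl_check_clienthello_tlsext(SSL *s)
  else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
  ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
 
- /* If status request then ask callback what to do.
- * Note: this must be called after servername callbacks in case
- * the certificate has changed.
- */
- if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
- {
- int r;
- r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
- switch (r)
- {
- /* We don't want to send a status request response */
- case SSL_TLSEXT_ERR_NOACK:
- s->tlsext_status_expected = 0;
- break;
- /* status request response should be sent */
- case SSL_TLSEXT_ERR_OK:
- if (s->tlsext_ocsp_resp)
- s->tlsext_status_expected = 1;
- else
- s->tlsext_status_expected = 0;
- break;
- /* something bad happened */
- case SSL_TLSEXT_ERR_ALERT_FATAL:
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- al = SSL_AD_INTERNAL_ERROR;
- goto err;
- }
- }
- else
- s->tlsext_status_expected = 0;
-
 #ifdef TLSEXT_TYPE_opaque_prf_input
  {
  /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
  * but we might be sending an alert in response to the client hello,
- * so this has to happen here in ssl_check_clienthello_tlsext(). */
+ * so this has to happen here in
+ * ssl_check_clienthello_tlsext_early(). */
 
  int r = 1;
 
@@ -1869,8 +1959,8 @@ int ssl_check_clienthello_tlsext(SSL *s)
  }
  }
 
-#endif
  err:
+#endif
  switch (ret)
  {
  case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1888,6 +1978,71 @@ int ssl_check_clienthello_tlsext(SSL *s)
  }
  }
 
+int ssl_check_clienthello_tlsext_late(SSL *s)
+ {
+ int ret = SSL_TLSEXT_ERR_OK;
+ int al;
+
+ /* If status request then ask callback what to do.
+ * Note: this must be called after servername callbacks in case
+ * the certificate has changed, and must be called after the cipher
+ * has been chosen because this may influence which certificate is sent
+ */
+ if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
+ {
+ int r;
+ CERT_PKEY *certpkey;
+ certpkey = ssl_get_server_send_pkey(s);
+ /* If no certificate can't return certificate status */
+ if (certpkey == NULL)
+ {
+ s->tlsext_status_expected = 0;
+ return 1;
+ }
+ /* Set current certificate to one we will use so
+ * SSL_get_certificate et al can pick it up.
+ */
+ s->cert->key = certpkey;
+ r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+ switch (r)
+ {
+ /* We don't want to send a status request response */
+ case SSL_TLSEXT_ERR_NOACK:
+ s->tlsext_status_expected = 0;
+ break;
+ /* status request response should be sent */
+ case SSL_TLSEXT_ERR_OK:
+ if (s->tlsext_ocsp_resp)
+ s->tlsext_status_expected = 1;
+ else
+ s->tlsext_status_expected = 0;
+ break;
+ /* something bad happened */
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ al = SSL_AD_INTERNAL_ERROR;
+ goto err;
+ }
+ }
+ else
+ s->tlsext_status_expected = 0;
+
+ err:
+ switch (ret)
+ {
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
+ return -1;
+
+ case SSL_TLSEXT_ERR_ALERT_WARNING:
+ ssl3_send_alert(s,SSL3_AL_WARNING,al);
+ return 1;
+
+ default:
+ return 1;
+ }
+ }
+
 int ssl_check_serverhello_tlsext(SSL *s)
  {
  int ret=SSL_TLSEXT_ERR_NOACK;
@@ -2189,7 +2344,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
  HMAC_Update(&hctx, etick, eticklen);
  HMAC_Final(&hctx, tick_hmac, NULL);
  HMAC_CTX_cleanup(&hctx);
- if (timingsafe_bcmp(tick_hmac, etick + eticklen, mlen))
+ if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
  return 2;
  /* Attempt to decrypt session data */
  /* Move p after IV to start of encrypted ticket, update length */
@@ -2319,14 +2474,6 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
  {
  switch(hash_alg)
  {
-#ifndef OPENSSL_NO_MD5
- case TLSEXT_hash_md5:
-#ifdef OPENSSL_FIPS
- if (FIPS_mode())
- return NULL;
-#endif
- return EVP_md5();
-#endif
 #ifndef OPENSSL_NO_SHA
  case TLSEXT_hash_sha1:
  return EVP_sha1();
@@ -2414,7 +2561,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
  */
 #ifndef OPENSSL_NO_DSA
  if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
- c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
+ c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
 #endif
 #ifndef OPENSSL_NO_RSA
  if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
@@ -2425,7 +2572,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
 #endif
 #ifndef OPENSSL_NO_ECDSA
  if (!c->pkeys[SSL_PKEY_ECC].digest)
- c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
+ c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
 #endif
  return 1;
  }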
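Review bot: The padding block added to ssl_add_clienthello_tlsext (new lines 665–693) writes a 4-byte extension header plus up to `hlen` zero bytes at `ret` without first checking that they fit below the function's output bound, whereas the other extension writers in this function return NULL when the remaining space is too small (those checks fall outside the hunk). The arithmetic caps the padding at 252 bytes, so this is a consistency gap rather than a demonstrated overflow, but the block should carry the same guard before the `s2n(TLSEXT_TYPE_padding, ret);` line: `if ((limit - ret - 4 - hlen) < 0) return NULL;`, where `limit` is the third parameter whose name is cut off in the hunk header. It would also help to state in the block comment that `hlen` is measured from `s->init_buf->data`, since the "MUST always appear last" requirement depends on that. The enclosing function starts and ends outside the hunk.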