Diffstat (limited to 'src/lib/libssl/t1_lib.c')
-rw-r--r--src/lib/libssl/t1_lib.c269
1 files changed, 61 insertions, 208 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index bddffd92cc..a649dafba9 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -342,11 +342,19 @@ static unsigned char tls12_sigalgs[] = {
342#ifndef OPENSSL_NO_SHA 342#ifndef OPENSSL_NO_SHA
343 tlsext_sigalg(TLSEXT_hash_sha1) 343 tlsext_sigalg(TLSEXT_hash_sha1)
344#endif 344#endif
345#ifndef OPENSSL_NO_MD5
346 tlsext_sigalg_rsa(TLSEXT_hash_md5)
347#endif
345}; 348};
346 349
347int tls12_get_req_sig_algs(SSL *s, unsigned char *p) 350int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
348 { 351 {
349 size_t slen = sizeof(tls12_sigalgs); 352 size_t slen = sizeof(tls12_sigalgs);
353#ifdef OPENSSL_FIPS
354 /* If FIPS mode don't include MD5 which is last */
355 if (FIPS_mode())
356 slen -= 2;
357#endif
350 if (p) 358 if (p)
351 memcpy(p, tls12_sigalgs, slen); 359 memcpy(p, tls12_sigalgs, slen);
352 return (int)slen; 360 return (int)slen;
@@ -641,7 +649,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
641 } 649 }
642#endif 650#endif
643 651
644#ifndef OPENSSL_NO_SRTP
645 if(SSL_get_srtp_profiles(s)) 652 if(SSL_get_srtp_profiles(s))
646 { 653 {
647 int el; 654 int el;
@@ -660,37 +667,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
660 } 667 }
661 ret += el; 668 ret += el;
662 } 669 }
663#endif
664
665#ifdef TLSEXT_TYPE_padding
666 /* Add padding to workaround bugs in F5 terminators.
667 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
668 *
669 * NB: because this code works out the length of all existing
670 * extensions it MUST always appear last.
671 */
672 {
673 int hlen = ret - (unsigned char *)s->init_buf->data;
674 /* The code in s23_clnt.c to build ClientHello messages includes the
675 * 5-byte record header in the buffer, while the code in s3_clnt.c does
676 * not. */
677 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
678 hlen -= 5;
679 if (hlen > 0xff && hlen < 0x200)
680 {
681 hlen = 0x200 - hlen;
682 if (hlen >= 4)
683 hlen -= 4;
684 else
685 hlen = 0;
686
687 s2n(TLSEXT_TYPE_padding, ret);
688 s2n(hlen, ret);
689 memset(ret, 0, hlen);
690 ret += hlen;
691 }
692 }
693#endif
694 670
695 if ((extdatalen = ret-p-2)== 0) 671 if ((extdatalen = ret-p-2)== 0)
696 return p; 672 return p;
@@ -805,7 +781,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
805 } 781 }
806#endif 782#endif
807 783
808#ifndef OPENSSL_NO_SRTP
809 if(s->srtp_profile) 784 if(s->srtp_profile)
810 { 785 {
811 int el; 786 int el;
@@ -824,7 +799,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
824 } 799 }
825 ret+=el; 800 ret+=el;
826 } 801 }
827#endif
828 802
829 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 803 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
830 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 804 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
@@ -888,89 +862,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
888 return ret; 862 return ret;
889 } 863 }
890 864
891#ifndef OPENSSL_NO_EC
892/* ssl_check_for_safari attempts to fingerprint Safari using OS X
893 * SecureTransport using the TLS extension block in |d|, of length |n|.
894 * Safari, since 10.6, sends exactly these extensions, in this order:
895 * SNI,
896 * elliptic_curves
897 * ec_point_formats
898 *
899 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
900 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
901 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
902 * 10.8..10.8.3 (which don't work).
903 */
904static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
905 unsigned short type, size;
906 static const unsigned char kSafariExtensionsBlock[] = {
907 0x00, 0x0a, /* elliptic_curves extension */
908 0x00, 0x08, /* 8 bytes */
909 0x00, 0x06, /* 6 bytes of curve ids */
910 0x00, 0x17, /* P-256 */
911 0x00, 0x18, /* P-384 */
912 0x00, 0x19, /* P-521 */
913
914 0x00, 0x0b, /* ec_point_formats */
915 0x00, 0x02, /* 2 bytes */
916 0x01, /* 1 point format */
917 0x00, /* uncompressed */
918 };
919
920 /* The following is only present in TLS 1.2 */
921 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
922 0x00, 0x0d, /* signature_algorithms */
923 0x00, 0x0c, /* 12 bytes */
924 0x00, 0x0a, /* 10 bytes */
925 0x05, 0x01, /* SHA-384/RSA */
926 0x04, 0x01, /* SHA-256/RSA */
927 0x02, 0x01, /* SHA-1/RSA */
928 0x04, 0x03, /* SHA-256/ECDSA */
929 0x02, 0x03, /* SHA-1/ECDSA */
930 };
931
932 if (data >= (d+n-2))
933 return;
934 data += 2;
935
936 if (data > (d+n-4))
937 return;
938 n2s(data,type);
939 n2s(data,size);
940
941 if (type != TLSEXT_TYPE_server_name)
942 return;
943
944 if (data+size > d+n)
945 return;
946 data += size;
947
948 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
949 {
950 const size_t len1 = sizeof(kSafariExtensionsBlock);
951 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
952
953 if (data + len1 + len2 != d+n)
954 return;
955 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
956 return;
957 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
958 return;
959 }
960 else
961 {
962 const size_t len = sizeof(kSafariExtensionsBlock);
963
964 if (data + len != d+n)
965 return;
966 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
967 return;
968 }
969
970 s->s3->is_probably_safari = 1;
971}
972#endif /* !OPENSSL_NO_EC */
973
974int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 865int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
975 { 866 {
976 unsigned short type; 867 unsigned short type;
@@ -991,11 +882,6 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
991 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 882 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
992#endif 883#endif
993 884
994#ifndef OPENSSL_NO_EC
995 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
996 ssl_check_for_safari(s, data, d, n);
997#endif /* !OPENSSL_NO_EC */
998
999 if (data >= (d+n-2)) 885 if (data >= (d+n-2))
1000 goto ri_check; 886 goto ri_check;
1001 n2s(data,len); 887 n2s(data,len);
@@ -1191,8 +1077,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1191 int ellipticcurvelist_length = (*(sdata++) << 8); 1077 int ellipticcurvelist_length = (*(sdata++) << 8);
1192 ellipticcurvelist_length += (*(sdata++)); 1078 ellipticcurvelist_length += (*(sdata++));
1193 1079
1194 if (ellipticcurvelist_length != size - 2 || 1080 if (ellipticcurvelist_length != size - 2)
1195 ellipticcurvelist_length < 1)
1196 { 1081 {
1197 *al = TLS1_AD_DECODE_ERROR; 1082 *al = TLS1_AD_DECODE_ERROR;
1198 return 0; 1083 return 0;
@@ -1291,7 +1176,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1291 } 1176 }
1292 } 1177 }
1293 else if (type == TLSEXT_TYPE_status_request && 1178 else if (type == TLSEXT_TYPE_status_request &&
1294 s->version != DTLS1_VERSION) 1179 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1295 { 1180 {
1296 1181
1297 if (size < 5) 1182 if (size < 5)
@@ -1443,14 +1328,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1443#endif 1328#endif
1444 1329
1445 /* session ticket processed earlier */ 1330 /* session ticket processed earlier */
1446#ifndef OPENSSL_NO_SRTP
1447 else if (type == TLSEXT_TYPE_use_srtp) 1331 else if (type == TLSEXT_TYPE_use_srtp)
1448 { 1332 {
1449 if(ssl_parse_clienthello_use_srtp_ext(s, data, size, 1333 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1450 al)) 1334 al))
1451 return 0; 1335 return 0;
1452 } 1336 }
1453#endif
1454 1337
1455 data+=size; 1338 data+=size;
1456 } 1339 }
@@ -1550,8 +1433,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1550 unsigned char *sdata = data; 1433 unsigned char *sdata = data;
1551 int ecpointformatlist_length = *(sdata++); 1434 int ecpointformatlist_length = *(sdata++);
1552 1435
1553 if (ecpointformatlist_length != size - 1 || 1436 if (ecpointformatlist_length != size - 1)
1554 ecpointformatlist_length < 1)
1555 { 1437 {
1556 *al = TLS1_AD_DECODE_ERROR; 1438 *al = TLS1_AD_DECODE_ERROR;
1557 return 0; 1439 return 0;
@@ -1645,7 +1527,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1645 unsigned char selected_len; 1527 unsigned char selected_len;
1646 1528
1647 /* We must have requested it. */ 1529 /* We must have requested it. */
1648 if (s->ctx->next_proto_select_cb == NULL) 1530 if ((s->ctx->next_proto_select_cb == NULL))
1649 { 1531 {
1650 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1532 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1651 return 0; 1533 return 0;
@@ -1695,14 +1577,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1695 } 1577 }
1696 } 1578 }
1697#endif 1579#endif
1698#ifndef OPENSSL_NO_SRTP
1699 else if (type == TLSEXT_TYPE_use_srtp) 1580 else if (type == TLSEXT_TYPE_use_srtp)
1700 { 1581 {
1701 if(ssl_parse_serverhello_use_srtp_ext(s, data, size, 1582 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1702 al)) 1583 al))
1703 return 0; 1584 return 0;
1704 } 1585 }
1705#endif
1706 1586
1707 data+=size; 1587 data+=size;
1708 } 1588 }
@@ -1883,7 +1763,7 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
1883 return 1; 1763 return 1;
1884 } 1764 }
1885 1765
1886int ssl_check_clienthello_tlsext_early(SSL *s) 1766int ssl_check_clienthello_tlsext(SSL *s)
1887 { 1767 {
1888 int ret=SSL_TLSEXT_ERR_NOACK; 1768 int ret=SSL_TLSEXT_ERR_NOACK;
1889 int al = SSL_AD_UNRECOGNIZED_NAME; 1769 int al = SSL_AD_UNRECOGNIZED_NAME;
@@ -1902,12 +1782,42 @@ int ssl_check_clienthello_tlsext_early(SSL *s)
1902 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1782 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1903 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1783 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1904 1784
1785 /* If status request then ask callback what to do.
1786 * Note: this must be called after servername callbacks in case
1787 * the certificate has changed.
1788 */
1789 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1790 {
1791 int r;
1792 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1793 switch (r)
1794 {
1795 /* We don't want to send a status request response */
1796 case SSL_TLSEXT_ERR_NOACK:
1797 s->tlsext_status_expected = 0;
1798 break;
1799 /* status request response should be sent */
1800 case SSL_TLSEXT_ERR_OK:
1801 if (s->tlsext_ocsp_resp)
1802 s->tlsext_status_expected = 1;
1803 else
1804 s->tlsext_status_expected = 0;
1805 break;
1806 /* something bad happened */
1807 case SSL_TLSEXT_ERR_ALERT_FATAL:
1808 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1809 al = SSL_AD_INTERNAL_ERROR;
1810 goto err;
1811 }
1812 }
1813 else
1814 s->tlsext_status_expected = 0;
1815
1905#ifdef TLSEXT_TYPE_opaque_prf_input 1816#ifdef TLSEXT_TYPE_opaque_prf_input
1906 { 1817 {
1907 /* This sort of belongs into ssl_prepare_serverhello_tlsext(), 1818 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1908 * but we might be sending an alert in response to the client hello, 1819 * but we might be sending an alert in response to the client hello,
1909 * so this has to happen here in 1820 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1910 * ssl_check_clienthello_tlsext_early(). */
1911 1821
1912 int r = 1; 1822 int r = 1;
1913 1823
@@ -1959,8 +1869,8 @@ int ssl_check_clienthello_tlsext_early(SSL *s)
1959 } 1869 }
1960 } 1870 }
1961 1871
1962 err:
1963#endif 1872#endif
1873 err:
1964 switch (ret) 1874 switch (ret)
1965 { 1875 {
1966 case SSL_TLSEXT_ERR_ALERT_FATAL: 1876 case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1978,71 +1888,6 @@ int ssl_check_clienthello_tlsext_early(SSL *s)
1978 } 1888 }
1979 } 1889 }
1980 1890
1981int ssl_check_clienthello_tlsext_late(SSL *s)
1982 {
1983 int ret = SSL_TLSEXT_ERR_OK;
1984 int al;
1985
1986 /* If status request then ask callback what to do.
1987 * Note: this must be called after servername callbacks in case
1988 * the certificate has changed, and must be called after the cipher
1989 * has been chosen because this may influence which certificate is sent
1990 */
1991 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1992 {
1993 int r;
1994 CERT_PKEY *certpkey;
1995 certpkey = ssl_get_server_send_pkey(s);
1996 /* If no certificate can't return certificate status */
1997 if (certpkey == NULL)
1998 {
1999 s->tlsext_status_expected = 0;
2000 return 1;
2001 }
2002 /* Set current certificate to one we will use so
2003 * SSL_get_certificate et al can pick it up.
2004 */
2005 s->cert->key = certpkey;
2006 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2007 switch (r)
2008 {
2009 /* We don't want to send a status request response */
2010 case SSL_TLSEXT_ERR_NOACK:
2011 s->tlsext_status_expected = 0;
2012 break;
2013 /* status request response should be sent */
2014 case SSL_TLSEXT_ERR_OK:
2015 if (s->tlsext_ocsp_resp)
2016 s->tlsext_status_expected = 1;
2017 else
2018 s->tlsext_status_expected = 0;
2019 break;
2020 /* something bad happened */
2021 case SSL_TLSEXT_ERR_ALERT_FATAL:
2022 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2023 al = SSL_AD_INTERNAL_ERROR;
2024 goto err;
2025 }
2026 }
2027 else
2028 s->tlsext_status_expected = 0;
2029
2030 err:
2031 switch (ret)
2032 {
2033 case SSL_TLSEXT_ERR_ALERT_FATAL:
2034 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2035 return -1;
2036
2037 case SSL_TLSEXT_ERR_ALERT_WARNING:
2038 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2039 return 1;
2040
2041 default:
2042 return 1;
2043 }
2044 }
2045
2046int ssl_check_serverhello_tlsext(SSL *s) 1891int ssl_check_serverhello_tlsext(SSL *s)
2047 { 1892 {
2048 int ret=SSL_TLSEXT_ERR_NOACK; 1893 int ret=SSL_TLSEXT_ERR_NOACK;
@@ -2344,7 +2189,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2344 HMAC_Update(&hctx, etick, eticklen); 2189 HMAC_Update(&hctx, etick, eticklen);
2345 HMAC_Final(&hctx, tick_hmac, NULL); 2190 HMAC_Final(&hctx, tick_hmac, NULL);
2346 HMAC_CTX_cleanup(&hctx); 2191 HMAC_CTX_cleanup(&hctx);
2347 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) 2192 if (timingsafe_bcmp(tick_hmac, etick + eticklen, mlen))
2348 return 2; 2193 return 2;
2349 /* Attempt to decrypt session data */ 2194 /* Attempt to decrypt session data */
2350 /* Move p after IV to start of encrypted ticket, update length */ 2195 /* Move p after IV to start of encrypted ticket, update length */
@@ -2474,6 +2319,14 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2474 { 2319 {
2475 switch(hash_alg) 2320 switch(hash_alg)
2476 { 2321 {
2322#ifndef OPENSSL_NO_MD5
2323 case TLSEXT_hash_md5:
2324#ifdef OPENSSL_FIPS
2325 if (FIPS_mode())
2326 return NULL;
2327#endif
2328 return EVP_md5();
2329#endif
2477#ifndef OPENSSL_NO_SHA 2330#ifndef OPENSSL_NO_SHA
2478 case TLSEXT_hash_sha1: 2331 case TLSEXT_hash_sha1:
2479 return EVP_sha1(); 2332 return EVP_sha1();
@@ -2561,7 +2414,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2561 */ 2414 */
2562#ifndef OPENSSL_NO_DSA 2415#ifndef OPENSSL_NO_DSA
2563 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2416 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2564 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2417 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2565#endif 2418#endif
2566#ifndef OPENSSL_NO_RSA 2419#ifndef OPENSSL_NO_RSA
2567 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) 2420 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
@@ -2572,7 +2425,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2572#endif 2425#endif
2573#ifndef OPENSSL_NO_ECDSA 2426#ifndef OPENSSL_NO_ECDSA
2574 if (!c->pkeys[SSL_PKEY_ECC].digest) 2427 if (!c->pkeys[SSL_PKEY_ECC].digest)
2575 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2428 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2576#endif 2429#endif
2577 return 1; 2430 return 1;
2578 } 2431 }
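Review bot: The new condition in ssl_parse_clienthello_tlsext (hunk @@ -1191,8 +1077,7) drops the `ellipticcurvelist_length < 1` operand, so an elliptic_curves extension carrying size 2 and a zero-length list now passes the decode check, and the hunk @@ -1550,8 +1433,7 in ssl_parse_serverhello_tlsext does the same for ec_point_formats. RFC 4492 gives both lists a minimum length of 1, so an empty list should still be rejected with TLS1_AD_DECODE_ERROR; whether the code that later allocates and walks these lists tolerates a length of 0 is outside the hunks. I would keep the second operand: `if (ellipticcurvelist_length != size - 2 || ellipticcurvelist_length < 1)` and `if (ecpointformatlist_length != size - 1 || ecpointformatlist_length < 1)`. Separately, the status_request callback block merged into ssl_check_clienthello_tlsext (hunk @@ -1902,12 +1782,42) now runs at servername-callback time, whereas the removed ssl_check_clienthello_tlsext_late documented that it must run after the cipher has been chosen because that influences which certificate is sent and set `s->cert->key` before invoking the callback; if the merged placement is intentional, the comment above the new block should say why the cipher-selection ordering no longer matters, and the enclosing function continues outside the hunk.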