1 /* ssl/t1_lib.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 #include <openssl/objects.h> 61 #include <openssl/evp.h> 62 #include <openssl/hmac.h> 63 #include <openssl/ocsp.h> 64 #include "ssl_locl.h" 65 66 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 67 68 #ifndef OPENSSL_NO_TLSEXT 69 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 70 const unsigned char *sess_id, int sesslen, 71 SSL_SESSION **psess); 72 #endif 73 74 SSL3_ENC_METHOD TLSv1_enc_data={ 75 tls1_enc, 76 tls1_mac, 77 tls1_setup_key_block, 78 tls1_generate_master_secret, 79 tls1_change_cipher_state, 80 tls1_final_finish_mac, 81 TLS1_FINISH_MAC_LENGTH, 82 tls1_cert_verify_mac, 83 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 84 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 85 tls1_alert_code, 86 }; 87 88 long tls1_default_timeout(void) 89 { 90 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 91 * is way too long for http, the cache would over fill */ 92 return(60*60*2); 93 } 94 95 IMPLEMENT_tls1_meth_func(tlsv1_base_method, 96 ssl_undefined_function, 97 ssl_undefined_function, 98 ssl_bad_method) 99 100 int tls1_new(SSL *s) 101 { 102 if (!ssl3_new(s)) return(0); 103 s->method->ssl_clear(s); 104 return(1); 105 } 106 107 void tls1_free(SSL *s) 108 { 109 ssl3_free(s); 110 } 111 112 void tls1_clear(SSL *s) 113 { 114 ssl3_clear(s); 115 s->version=TLS1_VERSION; 116 } 117 118 #if 0 119 long tls1_ctrl(SSL *s, int cmd, long larg, char *parg) 120 { 121 return(0); 122 } 123 124 long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp)()) 125 { 126 return(0); 127 } 128 #endif 129 130 #ifndef OPENSSL_NO_TLSEXT 131 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 132 { 133 int extdatalen=0; 134 unsigned char *ret = p; 135 136 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 137 if (s->client_version == SSL3_VERSION 138 && !s->s3->send_connection_binding) 139 return p; 140 141 ret+=2; 142 143 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 144 145 if (s->tlsext_hostname != NULL) 146 { 147 /* Add TLS extension servername to the Client Hello message */ 148 unsigned long size_str; 149 long lenmax; 150 151 /* check for enough space. 152 4 for the servername type and entension length 153 2 for servernamelist length 154 1 for the hostname type 155 2 for hostname length 156 + hostname length 157 */ 158 159 if ((lenmax = limit - ret - 9) < 0 160 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 161 return NULL; 162 163 /* extension type and length */ 164 s2n(TLSEXT_TYPE_server_name,ret); 165 s2n(size_str+5,ret); 166 167 /* length of servername list */ 168 s2n(size_str+3,ret); 169 170 /* hostname type, length and hostname */ 171 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 172 s2n(size_str,ret); 173 memcpy(ret, s->tlsext_hostname, size_str); 174 ret+=size_str; 175 176 } 177 178 /* Add RI if renegotiating */ 179 if (s->new_session) 180 { 181 int el; 182 183 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 184 { 185 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 186 return NULL; 187 } 188 189 if((limit - p - 4 - el) < 0) return NULL; 190 191 s2n(TLSEXT_TYPE_renegotiate,ret); 192 s2n(el,ret); 193 194 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) 195 { 196 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 197 return NULL; 198 } 199 200 ret += el; 201 } 202 203 204 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 205 { 206 int ticklen; 207 if (!s->new_session && s->session && s->session->tlsext_tick) 208 ticklen = s->session->tlsext_ticklen; 209 else 210 ticklen = 0; 211 /* Check for enough room 2 for extension type, 2 for len 212 * rest for ticket 213 */ 214 if (limit - ret - 4 - ticklen < 0) 215 return NULL; 216 s2n(TLSEXT_TYPE_session_ticket,ret); 217 s2n(ticklen,ret); 218 if (ticklen) 219 { 220 memcpy(ret, s->session->tlsext_tick, ticklen); 221 ret += ticklen; 222 } 223 } 224 225 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 226 s->version != DTLS1_VERSION) 227 { 228 int i; 229 long extlen, idlen, itmp; 230 OCSP_RESPID *id; 231 232 idlen = 0; 233 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 234 { 235 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 236 itmp = i2d_OCSP_RESPID(id, NULL); 237 if (itmp <= 0) 238 return NULL; 239 idlen += itmp + 2; 240 } 241 242 if (s->tlsext_ocsp_exts) 243 { 244 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 245 if (extlen < 0) 246 return NULL; 247 } 248 else 249 extlen = 0; 250 251 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 252 s2n(TLSEXT_TYPE_status_request, ret); 253 if (extlen + idlen > 0xFFF0) 254 return NULL; 255 s2n(extlen + idlen + 5, ret); 256 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 257 s2n(idlen, ret); 258 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 259 { 260 /* save position of id len */ 261 unsigned char *q = ret; 262 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 263 /* skip over id len */ 264 ret += 2; 265 itmp = i2d_OCSP_RESPID(id, &ret); 266 /* write id len */ 267 s2n(itmp, q); 268 } 269 s2n(extlen, ret); 270 if (extlen > 0) 271 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 272 } 273 274 if ((extdatalen = ret-p-2)== 0) 275 return p; 276 277 s2n(extdatalen,p); 278 return ret; 279 } 280 281 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 282 { 283 int extdatalen=0; 284 unsigned char *ret = p; 285 286 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 287 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 288 return p; 289 290 ret+=2; 291 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 292 293 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) 294 { 295 if (limit - ret - 4 < 0) return NULL; 296 297 s2n(TLSEXT_TYPE_server_name,ret); 298 s2n(0,ret); 299 } 300 301 if(s->s3->send_connection_binding) 302 { 303 int el; 304 305 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) 306 { 307 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 308 return NULL; 309 } 310 311 if((limit - p - 4 - el) < 0) return NULL; 312 313 s2n(TLSEXT_TYPE_renegotiate,ret); 314 s2n(el,ret); 315 316 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) 317 { 318 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 319 return NULL; 320 } 321 322 ret += el; 323 } 324 325 if (s->tlsext_ticket_expected 326 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 327 { 328 if (limit - ret - 4 < 0) return NULL; 329 s2n(TLSEXT_TYPE_session_ticket,ret); 330 s2n(0,ret); 331 } 332 333 if (s->tlsext_status_expected) 334 { 335 if ((long)(limit - ret - 4) < 0) return NULL; 336 s2n(TLSEXT_TYPE_status_request,ret); 337 s2n(0,ret); 338 } 339 340 if ((extdatalen = ret-p-2)== 0) 341 return p; 342 343 s2n(extdatalen,p); 344 return ret; 345 } 346 347 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 348 { 349 unsigned short type; 350 unsigned short size; 351 unsigned short len; 352 unsigned char *data = *p; 353 int renegotiate_seen = 0; 354 355 s->servername_done = 0; 356 s->tlsext_status_type = -1; 357 358 if (data >= (d+n-2)) 359 goto ri_check; 360 361 n2s(data,len); 362 363 if (data > (d+n-len)) 364 goto ri_check; 365 366 while (data <= (d+n-4)) 367 { 368 n2s(data,type); 369 n2s(data,size); 370 371 if (data+size > (d+n)) 372 goto ri_check; 373 374 if (s->tlsext_debug_cb) 375 s->tlsext_debug_cb(s, 0, type, data, size, 376 s->tlsext_debug_arg); 377 /* The servername extension is treated as follows: 378 379 - Only the hostname type is supported with a maximum length of 255. 380 - The servername is rejected if too long or if it contains zeros, 381 in which case an fatal alert is generated. 382 - The servername field is maintained together with the session cache. 383 - When a session is resumed, the servername call back invoked in order 384 to allow the application to position itself to the right context. 385 - The servername is acknowledged if it is new for a session or when 386 it is identical to a previously used for the same session. 387 Applications can control the behaviour. They can at any time 388 set a 'desirable' servername for a new SSL object. This can be the 389 case for example with HTTPS when a Host: header field is received and 390 a renegotiation is requested. In this case, a possible servername 391 presented in the new client hello is only acknowledged if it matches 392 the value of the Host: field. 393 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 394 if they provide for changing an explicit servername context for the session, 395 i.e. when the session has been established with a servername extension. 396 - On session reconnect, the servername extension may be absent. 397 398 */ 399 400 if (type == TLSEXT_TYPE_server_name) 401 { 402 unsigned char *sdata; 403 int servname_type; 404 int dsize; 405 406 if (size < 2) 407 { 408 *al = SSL_AD_DECODE_ERROR; 409 return 0; 410 } 411 n2s(data,dsize); 412 size -= 2; 413 if (dsize > size ) 414 { 415 *al = SSL_AD_DECODE_ERROR; 416 return 0; 417 } 418 419 sdata = data; 420 while (dsize > 3) 421 { 422 servname_type = *(sdata++); 423 n2s(sdata,len); 424 dsize -= 3; 425 426 if (len > dsize) 427 { 428 *al = SSL_AD_DECODE_ERROR; 429 return 0; 430 } 431 if (s->servername_done == 0) 432 switch (servname_type) 433 { 434 case TLSEXT_NAMETYPE_host_name: 435 if (!s->hit) 436 { 437 if(s->session->tlsext_hostname) 438 { 439 *al = SSL_AD_DECODE_ERROR; 440 return 0; 441 } 442 if (len > TLSEXT_MAXLEN_host_name) 443 { 444 *al = TLS1_AD_UNRECOGNIZED_NAME; 445 return 0; 446 } 447 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) 448 { 449 *al = TLS1_AD_INTERNAL_ERROR; 450 return 0; 451 } 452 memcpy(s->session->tlsext_hostname, sdata, len); 453 s->session->tlsext_hostname[len]='\0'; 454 if (strlen(s->session->tlsext_hostname) != len) { 455 OPENSSL_free(s->session->tlsext_hostname); 456 s->session->tlsext_hostname = NULL; 457 *al = TLS1_AD_UNRECOGNIZED_NAME; 458 return 0; 459 } 460 s->servername_done = 1; 461 462 } 463 else 464 s->servername_done = s->session->tlsext_hostname 465 && strlen(s->session->tlsext_hostname) == len 466 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 467 468 break; 469 470 default: 471 break; 472 } 473 474 dsize -= len; 475 } 476 if (dsize != 0) 477 { 478 *al = SSL_AD_DECODE_ERROR; 479 return 0; 480 } 481 482 } 483 else if (type == TLSEXT_TYPE_renegotiate) 484 { 485 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 486 return 0; 487 renegotiate_seen = 1; 488 } 489 else if (type == TLSEXT_TYPE_status_request && 490 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) 491 { 492 493 if (size < 5) 494 { 495 *al = SSL_AD_DECODE_ERROR; 496 return 0; 497 } 498 499 s->tlsext_status_type = *data++; 500 size--; 501 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 502 { 503 const unsigned char *sdata; 504 int dsize; 505 /* Read in responder_id_list */ 506 n2s(data,dsize); 507 size -= 2; 508 if (dsize > size ) 509 { 510 *al = SSL_AD_DECODE_ERROR; 511 return 0; 512 } 513 while (dsize > 0) 514 { 515 OCSP_RESPID *id; 516 int idsize; 517 if (dsize < 4) 518 { 519 *al = SSL_AD_DECODE_ERROR; 520 return 0; 521 } 522 n2s(data, idsize); 523 dsize -= 2 + idsize; 524 if (dsize < 0) 525 { 526 *al = SSL_AD_DECODE_ERROR; 527 return 0; 528 } 529 sdata = data; 530 data += idsize; 531 id = d2i_OCSP_RESPID(NULL, 532 &sdata, idsize); 533 if (!id) 534 { 535 *al = SSL_AD_DECODE_ERROR; 536 return 0; 537 } 538 if (data != sdata) 539 { 540 OCSP_RESPID_free(id); 541 *al = SSL_AD_DECODE_ERROR; 542 return 0; 543 } 544 if (!s->tlsext_ocsp_ids 545 && !(s->tlsext_ocsp_ids = 546 sk_OCSP_RESPID_new_null())) 547 { 548 OCSP_RESPID_free(id); 549 *al = SSL_AD_INTERNAL_ERROR; 550 return 0; 551 } 552 if (!sk_OCSP_RESPID_push( 553 s->tlsext_ocsp_ids, id)) 554 { 555 OCSP_RESPID_free(id); 556 *al = SSL_AD_INTERNAL_ERROR; 557 return 0; 558 } 559 } 560 561 /* Read in request_extensions */ 562 n2s(data,dsize); 563 size -= 2; 564 if (dsize > size) 565 { 566 *al = SSL_AD_DECODE_ERROR; 567 return 0; 568 } 569 sdata = data; 570 if (dsize > 0) 571 { 572 s->tlsext_ocsp_exts = 573 d2i_X509_EXTENSIONS(NULL, 574 &sdata, dsize); 575 if (!s->tlsext_ocsp_exts 576 || (data + dsize != sdata)) 577 { 578 *al = SSL_AD_DECODE_ERROR; 579 return 0; 580 } 581 } 582 } 583 /* We don't know what to do with any other type 584 * so ignore it. 585 */ 586 else 587 s->tlsext_status_type = -1; 588 } 589 590 /* session ticket processed earlier */ 591 592 data+=size; 593 } 594 *p = data; 595 596 ri_check: 597 598 /* Need RI if renegotiating */ 599 600 if (!renegotiate_seen && s->new_session && 601 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 602 { 603 *al = SSL_AD_HANDSHAKE_FAILURE; 604 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 605 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 606 return 0; 607 } 608 609 return 1; 610 } 611 612 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 613 { 614 unsigned short length; 615 unsigned short type; 616 unsigned short size; 617 unsigned char *data = *p; 618 int tlsext_servername = 0; 619 int renegotiate_seen = 0; 620 621 if (data >= (d+n-2)) 622 goto ri_check; 623 624 n2s(data,length); 625 if (data+length != d+n) 626 { 627 *al = SSL_AD_DECODE_ERROR; 628 return 0; 629 } 630 631 while(data <= (d+n-4)) 632 { 633 n2s(data,type); 634 n2s(data,size); 635 636 if (data+size > (d+n)) 637 goto ri_check; 638 639 if (s->tlsext_debug_cb) 640 s->tlsext_debug_cb(s, 1, type, data, size, 641 s->tlsext_debug_arg); 642 643 if (type == TLSEXT_TYPE_server_name) 644 { 645 if (s->tlsext_hostname == NULL || size > 0) 646 { 647 *al = TLS1_AD_UNRECOGNIZED_NAME; 648 return 0; 649 } 650 tlsext_servername = 1; 651 } 652 else if (type == TLSEXT_TYPE_session_ticket) 653 { 654 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 655 || (size > 0)) 656 { 657 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 658 return 0; 659 } 660 s->tlsext_ticket_expected = 1; 661 } 662 else if (type == TLSEXT_TYPE_status_request && 663 s->version != DTLS1_VERSION) 664 { 665 /* MUST be empty and only sent if we've requested 666 * a status request message. 667 */ 668 if ((s->tlsext_status_type == -1) || (size > 0)) 669 { 670 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 671 return 0; 672 } 673 /* Set flag to expect CertificateStatus message */ 674 s->tlsext_status_expected = 1; 675 } 676 else if (type == TLSEXT_TYPE_renegotiate) 677 { 678 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 679 return 0; 680 renegotiate_seen = 1; 681 } 682 data+=size; 683 } 684 685 if (data != d+n) 686 { 687 *al = SSL_AD_DECODE_ERROR; 688 return 0; 689 } 690 691 if (!s->hit && tlsext_servername == 1) 692 { 693 if (s->tlsext_hostname) 694 { 695 if (s->session->tlsext_hostname == NULL) 696 { 697 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 698 if (!s->session->tlsext_hostname) 699 { 700 *al = SSL_AD_UNRECOGNIZED_NAME; 701 return 0; 702 } 703 } 704 else 705 { 706 *al = SSL_AD_DECODE_ERROR; 707 return 0; 708 } 709 } 710 } 711 712 *p = data; 713 714 ri_check: 715 716 /* Determine if we need to see RI. Strictly speaking if we want to 717 * avoid an attack we should *always* see RI even on initial server 718 * hello because the client doesn't see any renegotiation during an 719 * attack. However this would mean we could not connect to any server 720 * which doesn't support RI so for the immediate future tolerate RI 721 * absence on initial connect only. 722 */ 723 if (!renegotiate_seen 724 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 725 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 726 { 727 *al = SSL_AD_HANDSHAKE_FAILURE; 728 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 729 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 730 return 0; 731 } 732 733 return 1; 734 } 735 736 int ssl_check_clienthello_tlsext(SSL *s) 737 { 738 int ret=SSL_TLSEXT_ERR_NOACK; 739 int al = SSL_AD_UNRECOGNIZED_NAME; 740 741 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 742 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 743 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 744 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 745 746 /* If status request then ask callback what to do. 747 * Note: this must be called after servername callbacks in case 748 * the certificate has changed. 749 */ 750 if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb) 751 { 752 int r; 753 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 754 switch (r) 755 { 756 /* We don't want to send a status request response */ 757 case SSL_TLSEXT_ERR_NOACK: 758 s->tlsext_status_expected = 0; 759 break; 760 /* status request response should be sent */ 761 case SSL_TLSEXT_ERR_OK: 762 if (s->tlsext_ocsp_resp) 763 s->tlsext_status_expected = 1; 764 else 765 s->tlsext_status_expected = 0; 766 break; 767 /* something bad happened */ 768 case SSL_TLSEXT_ERR_ALERT_FATAL: 769 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 770 al = SSL_AD_INTERNAL_ERROR; 771 goto err; 772 } 773 } 774 else 775 s->tlsext_status_expected = 0; 776 err: 777 switch (ret) 778 { 779 case SSL_TLSEXT_ERR_ALERT_FATAL: 780 ssl3_send_alert(s,SSL3_AL_FATAL,al); 781 return -1; 782 783 case SSL_TLSEXT_ERR_ALERT_WARNING: 784 ssl3_send_alert(s,SSL3_AL_WARNING,al); 785 return 1; 786 787 case SSL_TLSEXT_ERR_NOACK: 788 s->servername_done=0; 789 default: 790 return 1; 791 } 792 } 793 794 int ssl_check_serverhello_tlsext(SSL *s) 795 { 796 int ret=SSL_TLSEXT_ERR_NOACK; 797 int al = SSL_AD_UNRECOGNIZED_NAME; 798 799 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 800 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 801 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 802 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 803 804 /* If we've requested certificate status and we wont get one 805 * tell the callback 806 */ 807 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 808 && s->ctx->tlsext_status_cb) 809 { 810 int r; 811 /* Set resp to NULL, resplen to -1 so callback knows 812 * there is no response. 813 */ 814 if (s->tlsext_ocsp_resp) 815 { 816 OPENSSL_free(s->tlsext_ocsp_resp); 817 s->tlsext_ocsp_resp = NULL; 818 } 819 s->tlsext_ocsp_resplen = -1; 820 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 821 if (r == 0) 822 { 823 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 824 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 825 } 826 if (r < 0) 827 { 828 al = SSL_AD_INTERNAL_ERROR; 829 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 830 } 831 } 832 833 switch (ret) 834 { 835 case SSL_TLSEXT_ERR_ALERT_FATAL: 836 ssl3_send_alert(s,SSL3_AL_FATAL,al); 837 return -1; 838 839 case SSL_TLSEXT_ERR_ALERT_WARNING: 840 ssl3_send_alert(s,SSL3_AL_WARNING,al); 841 return 1; 842 843 case SSL_TLSEXT_ERR_NOACK: 844 s->servername_done=0; 845 default: 846 return 1; 847 } 848 } 849 850 /* Since the server cache lookup is done early on in the processing of client 851 * hello and other operations depend on the result we need to handle any TLS 852 * session ticket extension at the same time. 853 */ 854 855 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 856 const unsigned char *limit, SSL_SESSION **ret) 857 { 858 /* Point after session ID in client hello */ 859 const unsigned char *p = session_id + len; 860 unsigned short i; 861 862 /* If tickets disabled behave as if no ticket present 863 * to permit stateful resumption. 864 */ 865 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 866 return 1; 867 868 if ((s->version <= SSL3_VERSION) || !limit) 869 return 1; 870 if (p >= limit) 871 return -1; 872 /* Skip past DTLS cookie */ 873 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 874 { 875 i = *(p++); 876 p+= i; 877 if (p >= limit) 878 return -1; 879 } 880 /* Skip past cipher list */ 881 n2s(p, i); 882 p+= i; 883 if (p >= limit) 884 return -1; 885 /* Skip past compression algorithm list */ 886 i = *(p++); 887 p += i; 888 if (p > limit) 889 return -1; 890 /* Now at start of extensions */ 891 if ((p + 2) >= limit) 892 return 1; 893 n2s(p, i); 894 while ((p + 4) <= limit) 895 { 896 unsigned short type, size; 897 n2s(p, type); 898 n2s(p, size); 899 if (p + size > limit) 900 return 1; 901 if (type == TLSEXT_TYPE_session_ticket) 902 { 903 /* If zero length note client will accept a ticket 904 * and indicate cache miss to trigger full handshake 905 */ 906 if (size == 0) 907 { 908 s->tlsext_ticket_expected = 1; 909 return 0; /* Cache miss */ 910 } 911 return tls_decrypt_ticket(s, p, size, session_id, len, 912 ret); 913 } 914 p += size; 915 } 916 return 1; 917 } 918 919 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 920 const unsigned char *sess_id, int sesslen, 921 SSL_SESSION **psess) 922 { 923 SSL_SESSION *sess; 924 unsigned char *sdec; 925 const unsigned char *p; 926 int slen, mlen, renew_ticket = 0; 927 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 928 HMAC_CTX hctx; 929 EVP_CIPHER_CTX ctx; 930 SSL_CTX *tctx = s->initial_ctx; 931 /* Need at least keyname + iv + some encrypted data */ 932 if (eticklen < 48) 933 goto tickerr; 934 /* Initialize session ticket encryption and HMAC contexts */ 935 HMAC_CTX_init(&hctx); 936 EVP_CIPHER_CTX_init(&ctx); 937 if (tctx->tlsext_ticket_key_cb) 938 { 939 unsigned char *nctick = (unsigned char *)etick; 940 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 941 &ctx, &hctx, 0); 942 if (rv < 0) 943 return -1; 944 if (rv == 0) 945 goto tickerr; 946 if (rv == 2) 947 renew_ticket = 1; 948 } 949 else 950 { 951 /* Check key name matches */ 952 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 953 goto tickerr; 954 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 955 tlsext_tick_md(), NULL); 956 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 957 tctx->tlsext_tick_aes_key, etick + 16); 958 } 959 /* Attempt to process session ticket, first conduct sanity and 960 * integrity checks on ticket. 961 */ 962 mlen = HMAC_size(&hctx); 963 eticklen -= mlen; 964 /* Check HMAC of encrypted ticket */ 965 HMAC_Update(&hctx, etick, eticklen); 966 HMAC_Final(&hctx, tick_hmac, NULL); 967 HMAC_CTX_cleanup(&hctx); 968 if (memcmp(tick_hmac, etick + eticklen, mlen)) 969 goto tickerr; 970 /* Attempt to decrypt session data */ 971 /* Move p after IV to start of encrypted ticket, update length */ 972 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 973 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 974 sdec = OPENSSL_malloc(eticklen); 975 if (!sdec) 976 { 977 EVP_CIPHER_CTX_cleanup(&ctx); 978 return -1; 979 } 980 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 981 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 982 goto tickerr; 983 slen += mlen; 984 EVP_CIPHER_CTX_cleanup(&ctx); 985 p = sdec; 986 987 sess = d2i_SSL_SESSION(NULL, &p, slen); 988 OPENSSL_free(sdec); 989 if (sess) 990 { 991 /* The session ID if non-empty is used by some clients to 992 * detect that the ticket has been accepted. So we copy it to 993 * the session structure. If it is empty set length to zero 994 * as required by standard. 995 */ 996 if (sesslen) 997 memcpy(sess->session_id, sess_id, sesslen); 998 sess->session_id_length = sesslen; 999 *psess = sess; 1000 s->tlsext_ticket_expected = renew_ticket; 1001 return 1; 1002 } 1003 /* If session decrypt failure indicate a cache miss and set state to 1004 * send a new ticket 1005 */ 1006 tickerr: 1007 s->tlsext_ticket_expected = 1; 1008 return 0; 1009 } 1010 1011 #endif 1012