1 /* ssl/t1_lib.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 #include <openssl/objects.h> 61 #include <openssl/evp.h> 62 #include <openssl/hmac.h> 63 #include <openssl/ocsp.h> 64 #include "ssl_locl.h" 65 66 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 67 68 #ifndef OPENSSL_NO_TLSEXT 69 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 70 const unsigned char *sess_id, int sesslen, 71 SSL_SESSION **psess); 72 #endif 73 74 SSL3_ENC_METHOD TLSv1_enc_data={ 75 tls1_enc, 76 tls1_mac, 77 tls1_setup_key_block, 78 tls1_generate_master_secret, 79 tls1_change_cipher_state, 80 tls1_final_finish_mac, 81 TLS1_FINISH_MAC_LENGTH, 82 tls1_cert_verify_mac, 83 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 84 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 85 tls1_alert_code, 86 }; 87 88 long tls1_default_timeout(void) 89 { 90 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 91 * is way too long for http, the cache would over fill */ 92 return(60*60*2); 93 } 94 95 IMPLEMENT_tls1_meth_func(tlsv1_base_method, 96 ssl_undefined_function, 97 ssl_undefined_function, 98 ssl_bad_method) 99 100 int tls1_new(SSL *s) 101 { 102 if (!ssl3_new(s)) return(0); 103 s->method->ssl_clear(s); 104 return(1); 105 } 106 107 void tls1_free(SSL *s) 108 { 109 ssl3_free(s); 110 } 111 112 void tls1_clear(SSL *s) 113 { 114 ssl3_clear(s); 115 s->version=TLS1_VERSION; 116 } 117 118 #if 0 119 long tls1_ctrl(SSL *s, int cmd, long larg, char *parg) 120 { 121 return(0); 122 } 123 124 long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp)()) 125 { 126 return(0); 127 } 128 #endif 129 130 #ifndef OPENSSL_NO_TLSEXT 131 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 132 { 133 int extdatalen=0; 134 unsigned char *ret = p; 135 136 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 137 if (s->client_version == SSL3_VERSION 138 && !s->s3->send_connection_binding) 139 return p; 140 141 ret+=2; 142 143 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 144 145 if (s->tlsext_hostname != NULL) 146 { 147 /* Add TLS extension servername to the Client Hello message */ 148 unsigned long size_str; 149 long lenmax; 150 151 /* check for enough space. 152 4 for the servername type and entension length 153 2 for servernamelist length 154 1 for the hostname type 155 2 for hostname length 156 + hostname length 157 */ 158 159 if ((lenmax = limit - ret - 9) < 0 160 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 161 return NULL; 162 163 /* extension type and length */ 164 s2n(TLSEXT_TYPE_server_name,ret); 165 s2n(size_str+5,ret); 166 167 /* length of servername list */ 168 s2n(size_str+3,ret); 169 170 /* hostname type, length and hostname */ 171 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 172 s2n(size_str,ret); 173 memcpy(ret, s->tlsext_hostname, size_str); 174 ret+=size_str; 175 176 } 177 178 /* Add RI if renegotiating */ 179 if (s->new_session) 180 { 181 int el; 182 183 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 184 { 185 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 186 return NULL; 187 } 188 189 if((limit - p - 4 - el) < 0) return NULL; 190 191 s2n(TLSEXT_TYPE_renegotiate,ret); 192 s2n(el,ret); 193 194 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) 195 { 196 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 197 return NULL; 198 } 199 200 ret += el; 201 } 202 203 204 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 205 { 206 int ticklen; 207 if (!s->new_session && s->session && s->session->tlsext_tick) 208 ticklen = s->session->tlsext_ticklen; 209 else 210 ticklen = 0; 211 /* Check for enough room 2 for extension type, 2 for len 212 * rest for ticket 213 */ 214 if (limit - ret - 4 - ticklen < 0) 215 return NULL; 216 s2n(TLSEXT_TYPE_session_ticket,ret); 217 s2n(ticklen,ret); 218 if (ticklen) 219 { 220 memcpy(ret, s->session->tlsext_tick, ticklen); 221 ret += ticklen; 222 } 223 } 224 225 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 226 s->version != DTLS1_VERSION) 227 { 228 int i; 229 long extlen, idlen, itmp; 230 OCSP_RESPID *id; 231 232 idlen = 0; 233 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 234 { 235 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 236 itmp = i2d_OCSP_RESPID(id, NULL); 237 if (itmp <= 0) 238 return NULL; 239 idlen += itmp + 2; 240 } 241 242 if (s->tlsext_ocsp_exts) 243 { 244 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 245 if (extlen < 0) 246 return NULL; 247 } 248 else 249 extlen = 0; 250 251 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 252 s2n(TLSEXT_TYPE_status_request, ret); 253 if (extlen + idlen > 0xFFF0) 254 return NULL; 255 s2n(extlen + idlen + 5, ret); 256 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 257 s2n(idlen, ret); 258 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 259 { 260 /* save position of id len */ 261 unsigned char *q = ret; 262 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 263 /* skip over id len */ 264 ret += 2; 265 itmp = i2d_OCSP_RESPID(id, &ret); 266 /* write id len */ 267 s2n(itmp, q); 268 } 269 s2n(extlen, ret); 270 if (extlen > 0) 271 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 272 } 273 274 if ((extdatalen = ret-p-2)== 0) 275 return p; 276 277 s2n(extdatalen,p); 278 return ret; 279 } 280 281 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 282 { 283 int extdatalen=0; 284 unsigned char *ret = p; 285 286 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 287 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 288 return p; 289 290 ret+=2; 291 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 292 293 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) 294 { 295 if (limit - ret - 4 < 0) return NULL; 296 297 s2n(TLSEXT_TYPE_server_name,ret); 298 s2n(0,ret); 299 } 300 301 if(s->s3->send_connection_binding) 302 { 303 int el; 304 305 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) 306 { 307 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 308 return NULL; 309 } 310 311 if((limit - p - 4 - el) < 0) return NULL; 312 313 s2n(TLSEXT_TYPE_renegotiate,ret); 314 s2n(el,ret); 315 316 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) 317 { 318 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 319 return NULL; 320 } 321 322 ret += el; 323 } 324 325 if (s->tlsext_ticket_expected 326 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 327 { 328 if (limit - ret - 4 < 0) return NULL; 329 s2n(TLSEXT_TYPE_session_ticket,ret); 330 s2n(0,ret); 331 } 332 333 if (s->tlsext_status_expected) 334 { 335 if ((long)(limit - ret - 4) < 0) return NULL; 336 s2n(TLSEXT_TYPE_status_request,ret); 337 s2n(0,ret); 338 } 339 340 if ((extdatalen = ret-p-2)== 0) 341 return p; 342 343 s2n(extdatalen,p); 344 return ret; 345 } 346 347 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 348 { 349 unsigned short type; 350 unsigned short size; 351 unsigned short len; 352 unsigned char *data = *p; 353 int renegotiate_seen = 0; 354 355 s->servername_done = 0; 356 s->tlsext_status_type = -1; 357 358 if (data >= (d+n-2)) 359 goto ri_check; 360 361 n2s(data,len); 362 363 if (data > (d+n-len)) 364 goto ri_check; 365 366 while (data <= (d+n-4)) 367 { 368 n2s(data,type); 369 n2s(data,size); 370 371 if (data+size > (d+n)) 372 goto ri_check; 373 374 if (s->tlsext_debug_cb) 375 s->tlsext_debug_cb(s, 0, type, data, size, 376 s->tlsext_debug_arg); 377 /* The servername extension is treated as follows: 378 379 - Only the hostname type is supported with a maximum length of 255. 380 - The servername is rejected if too long or if it contains zeros, 381 in which case an fatal alert is generated. 382 - The servername field is maintained together with the session cache. 383 - When a session is resumed, the servername call back invoked in order 384 to allow the application to position itself to the right context. 385 - The servername is acknowledged if it is new for a session or when 386 it is identical to a previously used for the same session. 387 Applications can control the behaviour. They can at any time 388 set a 'desirable' servername for a new SSL object. This can be the 389 case for example with HTTPS when a Host: header field is received and 390 a renegotiation is requested. In this case, a possible servername 391 presented in the new client hello is only acknowledged if it matches 392 the value of the Host: field. 393 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 394 if they provide for changing an explicit servername context for the session, 395 i.e. when the session has been established with a servername extension. 396 - On session reconnect, the servername extension may be absent. 397 398 */ 399 400 if (type == TLSEXT_TYPE_server_name) 401 { 402 unsigned char *sdata; 403 int servname_type; 404 int dsize; 405 406 if (size < 2) 407 { 408 *al = SSL_AD_DECODE_ERROR; 409 return 0; 410 } 411 n2s(data,dsize); 412 size -= 2; 413 if (dsize > size ) 414 { 415 *al = SSL_AD_DECODE_ERROR; 416 return 0; 417 } 418 419 sdata = data; 420 while (dsize > 3) 421 { 422 servname_type = *(sdata++); 423 n2s(sdata,len); 424 dsize -= 3; 425 426 if (len > dsize) 427 { 428 *al = SSL_AD_DECODE_ERROR; 429 return 0; 430 } 431 if (s->servername_done == 0) 432 switch (servname_type) 433 { 434 case TLSEXT_NAMETYPE_host_name: 435 if (!s->hit) 436 { 437 if(s->session->tlsext_hostname) 438 { 439 *al = SSL_AD_DECODE_ERROR; 440 return 0; 441 } 442 if (len > TLSEXT_MAXLEN_host_name) 443 { 444 *al = TLS1_AD_UNRECOGNIZED_NAME; 445 return 0; 446 } 447 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) 448 { 449 *al = TLS1_AD_INTERNAL_ERROR; 450 return 0; 451 } 452 memcpy(s->session->tlsext_hostname, sdata, len); 453 s->session->tlsext_hostname[len]='\0'; 454 if (strlen(s->session->tlsext_hostname) != len) { 455 OPENSSL_free(s->session->tlsext_hostname); 456 s->session->tlsext_hostname = NULL; 457 *al = TLS1_AD_UNRECOGNIZED_NAME; 458 return 0; 459 } 460 s->servername_done = 1; 461 462 } 463 else 464 s->servername_done = s->session->tlsext_hostname 465 && strlen(s->session->tlsext_hostname) == len 466 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 467 468 break; 469 470 default: 471 break; 472 } 473 474 dsize -= len; 475 } 476 if (dsize != 0) 477 { 478 *al = SSL_AD_DECODE_ERROR; 479 return 0; 480 } 481 482 } 483 else if (type == TLSEXT_TYPE_renegotiate) 484 { 485 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 486 return 0; 487 renegotiate_seen = 1; 488 } 489 else if (type == TLSEXT_TYPE_status_request && 490 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) 491 { 492 493 if (size < 5) 494 { 495 *al = SSL_AD_DECODE_ERROR; 496 return 0; 497 } 498 499 s->tlsext_status_type = *data++; 500 size--; 501 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 502 { 503 const unsigned char *sdata; 504 int dsize; 505 /* Read in responder_id_list */ 506 n2s(data,dsize); 507 size -= 2; 508 if (dsize > size ) 509 { 510 *al = SSL_AD_DECODE_ERROR; 511 return 0; 512 } 513 while (dsize > 0) 514 { 515 OCSP_RESPID *id; 516 int idsize; 517 if (dsize < 4) 518 { 519 *al = SSL_AD_DECODE_ERROR; 520 return 0; 521 } 522 n2s(data, idsize); 523 dsize -= 2 + idsize; 524 size -= 2 + idsize; 525 if (dsize < 0) 526 { 527 *al = SSL_AD_DECODE_ERROR; 528 return 0; 529 } 530 sdata = data; 531 data += idsize; 532 id = d2i_OCSP_RESPID(NULL, 533 &sdata, idsize); 534 if (!id) 535 { 536 *al = SSL_AD_DECODE_ERROR; 537 return 0; 538 } 539 if (data != sdata) 540 { 541 OCSP_RESPID_free(id); 542 *al = SSL_AD_DECODE_ERROR; 543 return 0; 544 } 545 if (!s->tlsext_ocsp_ids 546 && !(s->tlsext_ocsp_ids = 547 sk_OCSP_RESPID_new_null())) 548 { 549 OCSP_RESPID_free(id); 550 *al = SSL_AD_INTERNAL_ERROR; 551 return 0; 552 } 553 if (!sk_OCSP_RESPID_push( 554 s->tlsext_ocsp_ids, id)) 555 { 556 OCSP_RESPID_free(id); 557 *al = SSL_AD_INTERNAL_ERROR; 558 return 0; 559 } 560 } 561 562 /* Read in request_extensions */ 563 if (size < 2) 564 { 565 *al = SSL_AD_DECODE_ERROR; 566 return 0; 567 } 568 n2s(data,dsize); 569 size -= 2; 570 if (dsize != size) 571 { 572 *al = SSL_AD_DECODE_ERROR; 573 return 0; 574 } 575 sdata = data; 576 if (dsize > 0) 577 { 578 s->tlsext_ocsp_exts = 579 d2i_X509_EXTENSIONS(NULL, 580 &sdata, dsize); 581 if (!s->tlsext_ocsp_exts 582 || (data + dsize != sdata)) 583 { 584 *al = SSL_AD_DECODE_ERROR; 585 return 0; 586 } 587 } 588 } 589 /* We don't know what to do with any other type 590 * so ignore it. 591 */ 592 else 593 s->tlsext_status_type = -1; 594 } 595 596 /* session ticket processed earlier */ 597 598 data+=size; 599 } 600 *p = data; 601 602 ri_check: 603 604 /* Need RI if renegotiating */ 605 606 if (!renegotiate_seen && s->new_session && 607 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 608 { 609 *al = SSL_AD_HANDSHAKE_FAILURE; 610 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 611 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 612 return 0; 613 } 614 615 return 1; 616 } 617 618 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 619 { 620 unsigned short length; 621 unsigned short type; 622 unsigned short size; 623 unsigned char *data = *p; 624 int tlsext_servername = 0; 625 int renegotiate_seen = 0; 626 627 if (data >= (d+n-2)) 628 goto ri_check; 629 630 n2s(data,length); 631 if (data+length != d+n) 632 { 633 *al = SSL_AD_DECODE_ERROR; 634 return 0; 635 } 636 637 while(data <= (d+n-4)) 638 { 639 n2s(data,type); 640 n2s(data,size); 641 642 if (data+size > (d+n)) 643 goto ri_check; 644 645 if (s->tlsext_debug_cb) 646 s->tlsext_debug_cb(s, 1, type, data, size, 647 s->tlsext_debug_arg); 648 649 if (type == TLSEXT_TYPE_server_name) 650 { 651 if (s->tlsext_hostname == NULL || size > 0) 652 { 653 *al = TLS1_AD_UNRECOGNIZED_NAME; 654 return 0; 655 } 656 tlsext_servername = 1; 657 } 658 else if (type == TLSEXT_TYPE_session_ticket) 659 { 660 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 661 || (size > 0)) 662 { 663 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 664 return 0; 665 } 666 s->tlsext_ticket_expected = 1; 667 } 668 else if (type == TLSEXT_TYPE_status_request && 669 s->version != DTLS1_VERSION) 670 { 671 /* MUST be empty and only sent if we've requested 672 * a status request message. 673 */ 674 if ((s->tlsext_status_type == -1) || (size > 0)) 675 { 676 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 677 return 0; 678 } 679 /* Set flag to expect CertificateStatus message */ 680 s->tlsext_status_expected = 1; 681 } 682 else if (type == TLSEXT_TYPE_renegotiate) 683 { 684 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 685 return 0; 686 renegotiate_seen = 1; 687 } 688 data+=size; 689 } 690 691 if (data != d+n) 692 { 693 *al = SSL_AD_DECODE_ERROR; 694 return 0; 695 } 696 697 if (!s->hit && tlsext_servername == 1) 698 { 699 if (s->tlsext_hostname) 700 { 701 if (s->session->tlsext_hostname == NULL) 702 { 703 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 704 if (!s->session->tlsext_hostname) 705 { 706 *al = SSL_AD_UNRECOGNIZED_NAME; 707 return 0; 708 } 709 } 710 else 711 { 712 *al = SSL_AD_DECODE_ERROR; 713 return 0; 714 } 715 } 716 } 717 718 *p = data; 719 720 ri_check: 721 722 /* Determine if we need to see RI. Strictly speaking if we want to 723 * avoid an attack we should *always* see RI even on initial server 724 * hello because the client doesn't see any renegotiation during an 725 * attack. However this would mean we could not connect to any server 726 * which doesn't support RI so for the immediate future tolerate RI 727 * absence on initial connect only. 728 */ 729 if (!renegotiate_seen 730 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 731 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 732 { 733 *al = SSL_AD_HANDSHAKE_FAILURE; 734 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 735 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 736 return 0; 737 } 738 739 return 1; 740 } 741 742 int ssl_check_clienthello_tlsext(SSL *s) 743 { 744 int ret=SSL_TLSEXT_ERR_NOACK; 745 int al = SSL_AD_UNRECOGNIZED_NAME; 746 747 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 748 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 749 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 750 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 751 752 /* If status request then ask callback what to do. 753 * Note: this must be called after servername callbacks in case 754 * the certificate has changed. 755 */ 756 if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb) 757 { 758 int r; 759 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 760 switch (r) 761 { 762 /* We don't want to send a status request response */ 763 case SSL_TLSEXT_ERR_NOACK: 764 s->tlsext_status_expected = 0; 765 break; 766 /* status request response should be sent */ 767 case SSL_TLSEXT_ERR_OK: 768 if (s->tlsext_ocsp_resp) 769 s->tlsext_status_expected = 1; 770 else 771 s->tlsext_status_expected = 0; 772 break; 773 /* something bad happened */ 774 case SSL_TLSEXT_ERR_ALERT_FATAL: 775 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 776 al = SSL_AD_INTERNAL_ERROR; 777 goto err; 778 } 779 } 780 else 781 s->tlsext_status_expected = 0; 782 err: 783 switch (ret) 784 { 785 case SSL_TLSEXT_ERR_ALERT_FATAL: 786 ssl3_send_alert(s,SSL3_AL_FATAL,al); 787 return -1; 788 789 case SSL_TLSEXT_ERR_ALERT_WARNING: 790 ssl3_send_alert(s,SSL3_AL_WARNING,al); 791 return 1; 792 793 case SSL_TLSEXT_ERR_NOACK: 794 s->servername_done=0; 795 default: 796 return 1; 797 } 798 } 799 800 int ssl_check_serverhello_tlsext(SSL *s) 801 { 802 int ret=SSL_TLSEXT_ERR_NOACK; 803 int al = SSL_AD_UNRECOGNIZED_NAME; 804 805 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 806 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 807 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 808 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 809 810 /* If we've requested certificate status and we wont get one 811 * tell the callback 812 */ 813 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 814 && s->ctx->tlsext_status_cb) 815 { 816 int r; 817 /* Set resp to NULL, resplen to -1 so callback knows 818 * there is no response. 819 */ 820 if (s->tlsext_ocsp_resp) 821 { 822 OPENSSL_free(s->tlsext_ocsp_resp); 823 s->tlsext_ocsp_resp = NULL; 824 } 825 s->tlsext_ocsp_resplen = -1; 826 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 827 if (r == 0) 828 { 829 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 830 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 831 } 832 if (r < 0) 833 { 834 al = SSL_AD_INTERNAL_ERROR; 835 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 836 } 837 } 838 839 switch (ret) 840 { 841 case SSL_TLSEXT_ERR_ALERT_FATAL: 842 ssl3_send_alert(s,SSL3_AL_FATAL,al); 843 return -1; 844 845 case SSL_TLSEXT_ERR_ALERT_WARNING: 846 ssl3_send_alert(s,SSL3_AL_WARNING,al); 847 return 1; 848 849 case SSL_TLSEXT_ERR_NOACK: 850 s->servername_done=0; 851 default: 852 return 1; 853 } 854 } 855 856 /* Since the server cache lookup is done early on in the processing of client 857 * hello and other operations depend on the result we need to handle any TLS 858 * session ticket extension at the same time. 859 */ 860 861 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 862 const unsigned char *limit, SSL_SESSION **ret) 863 { 864 /* Point after session ID in client hello */ 865 const unsigned char *p = session_id + len; 866 unsigned short i; 867 868 /* If tickets disabled behave as if no ticket present 869 * to permit stateful resumption. 870 */ 871 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 872 return 1; 873 874 if ((s->version <= SSL3_VERSION) || !limit) 875 return 1; 876 if (p >= limit) 877 return -1; 878 /* Skip past DTLS cookie */ 879 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 880 { 881 i = *(p++); 882 p+= i; 883 if (p >= limit) 884 return -1; 885 } 886 /* Skip past cipher list */ 887 n2s(p, i); 888 p+= i; 889 if (p >= limit) 890 return -1; 891 /* Skip past compression algorithm list */ 892 i = *(p++); 893 p += i; 894 if (p > limit) 895 return -1; 896 /* Now at start of extensions */ 897 if ((p + 2) >= limit) 898 return 1; 899 n2s(p, i); 900 while ((p + 4) <= limit) 901 { 902 unsigned short type, size; 903 n2s(p, type); 904 n2s(p, size); 905 if (p + size > limit) 906 return 1; 907 if (type == TLSEXT_TYPE_session_ticket) 908 { 909 /* If zero length note client will accept a ticket 910 * and indicate cache miss to trigger full handshake 911 */ 912 if (size == 0) 913 { 914 s->tlsext_ticket_expected = 1; 915 return 0; /* Cache miss */ 916 } 917 return tls_decrypt_ticket(s, p, size, session_id, len, 918 ret); 919 } 920 p += size; 921 } 922 return 1; 923 } 924 925 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 926 const unsigned char *sess_id, int sesslen, 927 SSL_SESSION **psess) 928 { 929 SSL_SESSION *sess; 930 unsigned char *sdec; 931 const unsigned char *p; 932 int slen, mlen, renew_ticket = 0; 933 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 934 HMAC_CTX hctx; 935 EVP_CIPHER_CTX ctx; 936 SSL_CTX *tctx = s->initial_ctx; 937 /* Need at least keyname + iv + some encrypted data */ 938 if (eticklen < 48) 939 goto tickerr; 940 /* Initialize session ticket encryption and HMAC contexts */ 941 HMAC_CTX_init(&hctx); 942 EVP_CIPHER_CTX_init(&ctx); 943 if (tctx->tlsext_ticket_key_cb) 944 { 945 unsigned char *nctick = (unsigned char *)etick; 946 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 947 &ctx, &hctx, 0); 948 if (rv < 0) 949 return -1; 950 if (rv == 0) 951 goto tickerr; 952 if (rv == 2) 953 renew_ticket = 1; 954 } 955 else 956 { 957 /* Check key name matches */ 958 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 959 goto tickerr; 960 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 961 tlsext_tick_md(), NULL); 962 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 963 tctx->tlsext_tick_aes_key, etick + 16); 964 } 965 /* Attempt to process session ticket, first conduct sanity and 966 * integrity checks on ticket. 967 */ 968 mlen = HMAC_size(&hctx); 969 eticklen -= mlen; 970 /* Check HMAC of encrypted ticket */ 971 HMAC_Update(&hctx, etick, eticklen); 972 HMAC_Final(&hctx, tick_hmac, NULL); 973 HMAC_CTX_cleanup(&hctx); 974 if (memcmp(tick_hmac, etick + eticklen, mlen)) 975 goto tickerr; 976 /* Attempt to decrypt session data */ 977 /* Move p after IV to start of encrypted ticket, update length */ 978 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 979 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 980 sdec = OPENSSL_malloc(eticklen); 981 if (!sdec) 982 { 983 EVP_CIPHER_CTX_cleanup(&ctx); 984 return -1; 985 } 986 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 987 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 988 goto tickerr; 989 slen += mlen; 990 EVP_CIPHER_CTX_cleanup(&ctx); 991 p = sdec; 992 993 sess = d2i_SSL_SESSION(NULL, &p, slen); 994 OPENSSL_free(sdec); 995 if (sess) 996 { 997 /* The session ID if non-empty is used by some clients to 998 * detect that the ticket has been accepted. So we copy it to 999 * the session structure. If it is empty set length to zero 1000 * as required by standard. 1001 */ 1002 if (sesslen) 1003 memcpy(sess->session_id, sess_id, sesslen); 1004 sess->session_id_length = sesslen; 1005 *psess = sess; 1006 s->tlsext_ticket_expected = renew_ticket; 1007 return 1; 1008 } 1009 /* If session decrypt failure indicate a cache miss and set state to 1010 * send a new ticket 1011 */ 1012 tickerr: 1013 s->tlsext_ticket_expected = 1; 1014 return 0; 1015 } 1016 1017 #endif 1018