1 /* ssl/t1_lib.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay (at) cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay (at) cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 #include <openssl/objects.h> 61 #include <openssl/evp.h> 62 #include <openssl/hmac.h> 63 #include <openssl/ocsp.h> 64 #include "ssl_locl.h" 65 66 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 67 68 #ifndef OPENSSL_NO_TLSEXT 69 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 70 const unsigned char *sess_id, int sesslen, 71 SSL_SESSION **psess); 72 #endif 73 74 SSL3_ENC_METHOD TLSv1_enc_data={ 75 tls1_enc, 76 tls1_mac, 77 tls1_setup_key_block, 78 tls1_generate_master_secret, 79 tls1_change_cipher_state, 80 tls1_final_finish_mac, 81 TLS1_FINISH_MAC_LENGTH, 82 tls1_cert_verify_mac, 83 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 84 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 85 tls1_alert_code, 86 }; 87 88 long tls1_default_timeout(void) 89 { 90 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 91 * is way too long for http, the cache would over fill */ 92 return(60*60*2); 93 } 94 95 IMPLEMENT_tls1_meth_func(tlsv1_base_method, 96 ssl_undefined_function, 97 ssl_undefined_function, 98 ssl_bad_method) 99 100 int tls1_new(SSL *s) 101 { 102 if (!ssl3_new(s)) return(0); 103 s->method->ssl_clear(s); 104 return(1); 105 } 106 107 void tls1_free(SSL *s) 108 { 109 ssl3_free(s); 110 } 111 112 void tls1_clear(SSL *s) 113 { 114 ssl3_clear(s); 115 s->version=TLS1_VERSION; 116 } 117 118 #if 0 119 long tls1_ctrl(SSL *s, int cmd, long larg, char *parg) 120 { 121 return(0); 122 } 123 124 long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp)()) 125 { 126 return(0); 127 } 128 #endif 129 130 #ifndef OPENSSL_NO_TLSEXT 131 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 132 { 133 int extdatalen=0; 134 unsigned char *ret = p; 135 136 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 137 if (s->client_version == SSL3_VERSION 138 && !s->s3->send_connection_binding) 139 return p; 140 141 ret+=2; 142 143 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 144 145 if (s->tlsext_hostname != NULL) 146 { 147 /* Add TLS extension servername to the Client Hello message */ 148 unsigned long size_str; 149 long lenmax; 150 151 /* check for enough space. 152 4 for the servername type and entension length 153 2 for servernamelist length 154 1 for the hostname type 155 2 for hostname length 156 + hostname length 157 */ 158 159 if ((lenmax = limit - ret - 9) < 0 160 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 161 return NULL; 162 163 /* extension type and length */ 164 s2n(TLSEXT_TYPE_server_name,ret); 165 s2n(size_str+5,ret); 166 167 /* length of servername list */ 168 s2n(size_str+3,ret); 169 170 /* hostname type, length and hostname */ 171 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 172 s2n(size_str,ret); 173 memcpy(ret, s->tlsext_hostname, size_str); 174 ret+=size_str; 175 176 } 177 178 /* Add RI if renegotiating */ 179 if (s->new_session) 180 { 181 int el; 182 183 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 184 { 185 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 186 return NULL; 187 } 188 189 if((limit - p - 4 - el) < 0) return NULL; 190 191 s2n(TLSEXT_TYPE_renegotiate,ret); 192 s2n(el,ret); 193 194 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) 195 { 196 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 197 return NULL; 198 } 199 200 ret += el; 201 } 202 203 204 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 205 { 206 int ticklen; 207 if (!s->new_session && s->session && s->session->tlsext_tick) 208 ticklen = s->session->tlsext_ticklen; 209 else 210 ticklen = 0; 211 /* Check for enough room 2 for extension type, 2 for len 212 * rest for ticket 213 */ 214 if (limit - ret - 4 - ticklen < 0) 215 return NULL; 216 s2n(TLSEXT_TYPE_session_ticket,ret); 217 s2n(ticklen,ret); 218 if (ticklen) 219 { 220 memcpy(ret, s->session->tlsext_tick, ticklen); 221 ret += ticklen; 222 } 223 } 224 225 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 226 s->version != DTLS1_VERSION) 227 { 228 int i; 229 long extlen, idlen, itmp; 230 OCSP_RESPID *id; 231 232 idlen = 0; 233 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 234 { 235 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 236 itmp = i2d_OCSP_RESPID(id, NULL); 237 if (itmp <= 0) 238 return NULL; 239 idlen += itmp + 2; 240 } 241 242 if (s->tlsext_ocsp_exts) 243 { 244 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 245 if (extlen < 0) 246 return NULL; 247 } 248 else 249 extlen = 0; 250 251 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 252 s2n(TLSEXT_TYPE_status_request, ret); 253 if (extlen + idlen > 0xFFF0) 254 return NULL; 255 s2n(extlen + idlen + 5, ret); 256 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 257 s2n(idlen, ret); 258 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 259 { 260 /* save position of id len */ 261 unsigned char *q = ret; 262 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 263 /* skip over id len */ 264 ret += 2; 265 itmp = i2d_OCSP_RESPID(id, &ret); 266 /* write id len */ 267 s2n(itmp, q); 268 } 269 s2n(extlen, ret); 270 if (extlen > 0) 271 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 272 } 273 274 if ((extdatalen = ret-p-2)== 0) 275 return p; 276 277 s2n(extdatalen,p); 278 return ret; 279 } 280 281 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 282 { 283 int extdatalen=0; 284 unsigned char *ret = p; 285 286 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 287 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 288 return p; 289 290 ret+=2; 291 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 292 293 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) 294 { 295 if (limit - ret - 4 < 0) return NULL; 296 297 s2n(TLSEXT_TYPE_server_name,ret); 298 s2n(0,ret); 299 } 300 301 if(s->s3->send_connection_binding) 302 { 303 int el; 304 305 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) 306 { 307 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 308 return NULL; 309 } 310 311 if((limit - p - 4 - el) < 0) return NULL; 312 313 s2n(TLSEXT_TYPE_renegotiate,ret); 314 s2n(el,ret); 315 316 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) 317 { 318 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 319 return NULL; 320 } 321 322 ret += el; 323 } 324 325 if (s->tlsext_ticket_expected 326 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 327 { 328 if (limit - ret - 4 < 0) return NULL; 329 s2n(TLSEXT_TYPE_session_ticket,ret); 330 s2n(0,ret); 331 } 332 333 if (s->tlsext_status_expected) 334 { 335 if ((long)(limit - ret - 4) < 0) return NULL; 336 s2n(TLSEXT_TYPE_status_request,ret); 337 s2n(0,ret); 338 } 339 340 if ((extdatalen = ret-p-2)== 0) 341 return p; 342 343 s2n(extdatalen,p); 344 return ret; 345 } 346 347 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 348 { 349 unsigned short type; 350 unsigned short size; 351 unsigned short len; 352 unsigned char *data = *p; 353 int renegotiate_seen = 0; 354 355 s->servername_done = 0; 356 s->tlsext_status_type = -1; 357 358 if (data >= (d+n-2)) 359 goto ri_check; 360 361 n2s(data,len); 362 363 if (data > (d+n-len)) 364 goto ri_check; 365 366 while (data <= (d+n-4)) 367 { 368 n2s(data,type); 369 n2s(data,size); 370 371 if (data+size > (d+n)) 372 goto ri_check; 373 374 if (s->tlsext_debug_cb) 375 s->tlsext_debug_cb(s, 0, type, data, size, 376 s->tlsext_debug_arg); 377 /* The servername extension is treated as follows: 378 379 - Only the hostname type is supported with a maximum length of 255. 380 - The servername is rejected if too long or if it contains zeros, 381 in which case an fatal alert is generated. 382 - The servername field is maintained together with the session cache. 383 - When a session is resumed, the servername call back invoked in order 384 to allow the application to position itself to the right context. 385 - The servername is acknowledged if it is new for a session or when 386 it is identical to a previously used for the same session. 387 Applications can control the behaviour. They can at any time 388 set a 'desirable' servername for a new SSL object. This can be the 389 case for example with HTTPS when a Host: header field is received and 390 a renegotiation is requested. In this case, a possible servername 391 presented in the new client hello is only acknowledged if it matches 392 the value of the Host: field. 393 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 394 if they provide for changing an explicit servername context for the session, 395 i.e. when the session has been established with a servername extension. 396 - On session reconnect, the servername extension may be absent. 397 398 */ 399 400 if (type == TLSEXT_TYPE_server_name) 401 { 402 unsigned char *sdata; 403 int servname_type; 404 int dsize; 405 406 if (size < 2) 407 { 408 *al = SSL_AD_DECODE_ERROR; 409 return 0; 410 } 411 n2s(data,dsize); 412 size -= 2; 413 if (dsize > size ) 414 { 415 *al = SSL_AD_DECODE_ERROR; 416 return 0; 417 } 418 419 sdata = data; 420 while (dsize > 3) 421 { 422 servname_type = *(sdata++); 423 n2s(sdata,len); 424 dsize -= 3; 425 426 if (len > dsize) 427 { 428 *al = SSL_AD_DECODE_ERROR; 429 return 0; 430 } 431 if (s->servername_done == 0) 432 switch (servname_type) 433 { 434 case TLSEXT_NAMETYPE_host_name: 435 if (s->session->tlsext_hostname == NULL) 436 { 437 if (len > TLSEXT_MAXLEN_host_name || 438 ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) 439 { 440 *al = TLS1_AD_UNRECOGNIZED_NAME; 441 return 0; 442 } 443 memcpy(s->session->tlsext_hostname, sdata, len); 444 s->session->tlsext_hostname[len]='\0'; 445 if (strlen(s->session->tlsext_hostname) != len) { 446 OPENSSL_free(s->session->tlsext_hostname); 447 s->session->tlsext_hostname = NULL; 448 *al = TLS1_AD_UNRECOGNIZED_NAME; 449 return 0; 450 } 451 s->servername_done = 1; 452 453 } 454 else 455 s->servername_done = strlen(s->session->tlsext_hostname) == len 456 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 457 458 break; 459 460 default: 461 break; 462 } 463 464 dsize -= len; 465 } 466 if (dsize != 0) 467 { 468 *al = SSL_AD_DECODE_ERROR; 469 return 0; 470 } 471 472 } 473 else if (type == TLSEXT_TYPE_renegotiate) 474 { 475 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 476 return 0; 477 renegotiate_seen = 1; 478 } 479 else if (type == TLSEXT_TYPE_status_request && 480 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) 481 { 482 483 if (size < 5) 484 { 485 *al = SSL_AD_DECODE_ERROR; 486 return 0; 487 } 488 489 s->tlsext_status_type = *data++; 490 size--; 491 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 492 { 493 const unsigned char *sdata; 494 int dsize; 495 /* Read in responder_id_list */ 496 n2s(data,dsize); 497 size -= 2; 498 if (dsize > size ) 499 { 500 *al = SSL_AD_DECODE_ERROR; 501 return 0; 502 } 503 while (dsize > 0) 504 { 505 OCSP_RESPID *id; 506 int idsize; 507 if (dsize < 4) 508 { 509 *al = SSL_AD_DECODE_ERROR; 510 return 0; 511 } 512 n2s(data, idsize); 513 dsize -= 2 + idsize; 514 if (dsize < 0) 515 { 516 *al = SSL_AD_DECODE_ERROR; 517 return 0; 518 } 519 sdata = data; 520 data += idsize; 521 id = d2i_OCSP_RESPID(NULL, 522 &sdata, idsize); 523 if (!id) 524 { 525 *al = SSL_AD_DECODE_ERROR; 526 return 0; 527 } 528 if (data != sdata) 529 { 530 OCSP_RESPID_free(id); 531 *al = SSL_AD_DECODE_ERROR; 532 return 0; 533 } 534 if (!s->tlsext_ocsp_ids 535 && !(s->tlsext_ocsp_ids = 536 sk_OCSP_RESPID_new_null())) 537 { 538 OCSP_RESPID_free(id); 539 *al = SSL_AD_INTERNAL_ERROR; 540 return 0; 541 } 542 if (!sk_OCSP_RESPID_push( 543 s->tlsext_ocsp_ids, id)) 544 { 545 OCSP_RESPID_free(id); 546 *al = SSL_AD_INTERNAL_ERROR; 547 return 0; 548 } 549 } 550 551 /* Read in request_extensions */ 552 n2s(data,dsize); 553 size -= 2; 554 if (dsize > size) 555 { 556 *al = SSL_AD_DECODE_ERROR; 557 return 0; 558 } 559 sdata = data; 560 if (dsize > 0) 561 { 562 s->tlsext_ocsp_exts = 563 d2i_X509_EXTENSIONS(NULL, 564 &sdata, dsize); 565 if (!s->tlsext_ocsp_exts 566 || (data + dsize != sdata)) 567 { 568 *al = SSL_AD_DECODE_ERROR; 569 return 0; 570 } 571 } 572 } 573 /* We don't know what to do with any other type 574 * so ignore it. 575 */ 576 else 577 s->tlsext_status_type = -1; 578 } 579 580 /* session ticket processed earlier */ 581 582 data+=size; 583 } 584 *p = data; 585 586 ri_check: 587 588 /* Need RI if renegotiating */ 589 590 if (!renegotiate_seen && s->new_session && 591 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 592 { 593 *al = SSL_AD_HANDSHAKE_FAILURE; 594 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 595 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 596 return 0; 597 } 598 599 return 1; 600 } 601 602 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 603 { 604 unsigned short type; 605 unsigned short size; 606 unsigned short len; 607 unsigned char *data = *p; 608 int tlsext_servername = 0; 609 int renegotiate_seen = 0; 610 611 if (data >= (d+n-2)) 612 goto ri_check; 613 614 n2s(data,len); 615 616 while(data <= (d+n-4)) 617 { 618 n2s(data,type); 619 n2s(data,size); 620 621 if (data+size > (d+n)) 622 goto ri_check; 623 624 if (s->tlsext_debug_cb) 625 s->tlsext_debug_cb(s, 1, type, data, size, 626 s->tlsext_debug_arg); 627 628 if (type == TLSEXT_TYPE_server_name) 629 { 630 if (s->tlsext_hostname == NULL || size > 0) 631 { 632 *al = TLS1_AD_UNRECOGNIZED_NAME; 633 return 0; 634 } 635 tlsext_servername = 1; 636 } 637 else if (type == TLSEXT_TYPE_session_ticket) 638 { 639 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 640 || (size > 0)) 641 { 642 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 643 return 0; 644 } 645 s->tlsext_ticket_expected = 1; 646 } 647 else if (type == TLSEXT_TYPE_status_request && 648 s->version != DTLS1_VERSION) 649 { 650 /* MUST be empty and only sent if we've requested 651 * a status request message. 652 */ 653 if ((s->tlsext_status_type == -1) || (size > 0)) 654 { 655 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 656 return 0; 657 } 658 /* Set flag to expect CertificateStatus message */ 659 s->tlsext_status_expected = 1; 660 } 661 else if (type == TLSEXT_TYPE_renegotiate) 662 { 663 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 664 return 0; 665 renegotiate_seen = 1; 666 } 667 data+=size; 668 } 669 670 if (data != d+n) 671 { 672 *al = SSL_AD_DECODE_ERROR; 673 return 0; 674 } 675 676 if (!s->hit && tlsext_servername == 1) 677 { 678 if (s->tlsext_hostname) 679 { 680 if (s->session->tlsext_hostname == NULL) 681 { 682 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 683 if (!s->session->tlsext_hostname) 684 { 685 *al = SSL_AD_UNRECOGNIZED_NAME; 686 return 0; 687 } 688 } 689 else 690 { 691 *al = SSL_AD_DECODE_ERROR; 692 return 0; 693 } 694 } 695 } 696 697 *p = data; 698 699 ri_check: 700 701 /* Determine if we need to see RI. Strictly speaking if we want to 702 * avoid an attack we should *always* see RI even on initial server 703 * hello because the client doesn't see any renegotiation during an 704 * attack. However this would mean we could not connect to any server 705 * which doesn't support RI so for the immediate future tolerate RI 706 * absence on initial connect only. 707 */ 708 if (!renegotiate_seen 709 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 710 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 711 { 712 *al = SSL_AD_HANDSHAKE_FAILURE; 713 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 714 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 715 return 0; 716 } 717 718 return 1; 719 } 720 721 int ssl_check_clienthello_tlsext(SSL *s) 722 { 723 int ret=SSL_TLSEXT_ERR_NOACK; 724 int al = SSL_AD_UNRECOGNIZED_NAME; 725 726 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 727 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 728 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 729 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 730 731 /* If status request then ask callback what to do. 732 * Note: this must be called after servername callbacks in case 733 * the certificate has changed. 734 */ 735 if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb) 736 { 737 int r; 738 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 739 switch (r) 740 { 741 /* We don't want to send a status request response */ 742 case SSL_TLSEXT_ERR_NOACK: 743 s->tlsext_status_expected = 0; 744 break; 745 /* status request response should be sent */ 746 case SSL_TLSEXT_ERR_OK: 747 if (s->tlsext_ocsp_resp) 748 s->tlsext_status_expected = 1; 749 else 750 s->tlsext_status_expected = 0; 751 break; 752 /* something bad happened */ 753 case SSL_TLSEXT_ERR_ALERT_FATAL: 754 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 755 al = SSL_AD_INTERNAL_ERROR; 756 goto err; 757 } 758 } 759 else 760 s->tlsext_status_expected = 0; 761 err: 762 switch (ret) 763 { 764 case SSL_TLSEXT_ERR_ALERT_FATAL: 765 ssl3_send_alert(s,SSL3_AL_FATAL,al); 766 return -1; 767 768 case SSL_TLSEXT_ERR_ALERT_WARNING: 769 ssl3_send_alert(s,SSL3_AL_WARNING,al); 770 return 1; 771 772 case SSL_TLSEXT_ERR_NOACK: 773 s->servername_done=0; 774 default: 775 return 1; 776 } 777 } 778 779 int ssl_check_serverhello_tlsext(SSL *s) 780 { 781 int ret=SSL_TLSEXT_ERR_NOACK; 782 int al = SSL_AD_UNRECOGNIZED_NAME; 783 784 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 785 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 786 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 787 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 788 789 /* If we've requested certificate status and we wont get one 790 * tell the callback 791 */ 792 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 793 && s->ctx->tlsext_status_cb) 794 { 795 int r; 796 /* Set resp to NULL, resplen to -1 so callback knows 797 * there is no response. 798 */ 799 if (s->tlsext_ocsp_resp) 800 { 801 OPENSSL_free(s->tlsext_ocsp_resp); 802 s->tlsext_ocsp_resp = NULL; 803 } 804 s->tlsext_ocsp_resplen = -1; 805 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 806 if (r == 0) 807 { 808 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 809 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 810 } 811 if (r < 0) 812 { 813 al = SSL_AD_INTERNAL_ERROR; 814 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 815 } 816 } 817 818 switch (ret) 819 { 820 case SSL_TLSEXT_ERR_ALERT_FATAL: 821 ssl3_send_alert(s,SSL3_AL_FATAL,al); 822 return -1; 823 824 case SSL_TLSEXT_ERR_ALERT_WARNING: 825 ssl3_send_alert(s,SSL3_AL_WARNING,al); 826 return 1; 827 828 case SSL_TLSEXT_ERR_NOACK: 829 s->servername_done=0; 830 default: 831 return 1; 832 } 833 } 834 835 /* Since the server cache lookup is done early on in the processing of client 836 * hello and other operations depend on the result we need to handle any TLS 837 * session ticket extension at the same time. 838 */ 839 840 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 841 const unsigned char *limit, SSL_SESSION **ret) 842 { 843 /* Point after session ID in client hello */ 844 const unsigned char *p = session_id + len; 845 unsigned short i; 846 847 /* If tickets disabled behave as if no ticket present 848 * to permit stateful resumption. 849 */ 850 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 851 return 1; 852 853 if ((s->version <= SSL3_VERSION) || !limit) 854 return 1; 855 if (p >= limit) 856 return -1; 857 /* Skip past DTLS cookie */ 858 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 859 { 860 i = *(p++); 861 p+= i; 862 if (p >= limit) 863 return -1; 864 } 865 /* Skip past cipher list */ 866 n2s(p, i); 867 p+= i; 868 if (p >= limit) 869 return -1; 870 /* Skip past compression algorithm list */ 871 i = *(p++); 872 p += i; 873 if (p > limit) 874 return -1; 875 /* Now at start of extensions */ 876 if ((p + 2) >= limit) 877 return 1; 878 n2s(p, i); 879 while ((p + 4) <= limit) 880 { 881 unsigned short type, size; 882 n2s(p, type); 883 n2s(p, size); 884 if (p + size > limit) 885 return 1; 886 if (type == TLSEXT_TYPE_session_ticket) 887 { 888 /* If zero length note client will accept a ticket 889 * and indicate cache miss to trigger full handshake 890 */ 891 if (size == 0) 892 { 893 s->tlsext_ticket_expected = 1; 894 return 0; /* Cache miss */ 895 } 896 return tls_decrypt_ticket(s, p, size, session_id, len, 897 ret); 898 } 899 p += size; 900 } 901 return 1; 902 } 903 904 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 905 const unsigned char *sess_id, int sesslen, 906 SSL_SESSION **psess) 907 { 908 SSL_SESSION *sess; 909 unsigned char *sdec; 910 const unsigned char *p; 911 int slen, mlen, renew_ticket = 0; 912 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 913 HMAC_CTX hctx; 914 EVP_CIPHER_CTX ctx; 915 SSL_CTX *tctx = s->initial_ctx; 916 /* Need at least keyname + iv + some encrypted data */ 917 if (eticklen < 48) 918 goto tickerr; 919 /* Initialize session ticket encryption and HMAC contexts */ 920 HMAC_CTX_init(&hctx); 921 EVP_CIPHER_CTX_init(&ctx); 922 if (tctx->tlsext_ticket_key_cb) 923 { 924 unsigned char *nctick = (unsigned char *)etick; 925 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 926 &ctx, &hctx, 0); 927 if (rv < 0) 928 return -1; 929 if (rv == 0) 930 goto tickerr; 931 if (rv == 2) 932 renew_ticket = 1; 933 } 934 else 935 { 936 /* Check key name matches */ 937 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 938 goto tickerr; 939 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 940 tlsext_tick_md(), NULL); 941 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 942 tctx->tlsext_tick_aes_key, etick + 16); 943 } 944 /* Attempt to process session ticket, first conduct sanity and 945 * integrity checks on ticket. 946 */ 947 mlen = HMAC_size(&hctx); 948 eticklen -= mlen; 949 /* Check HMAC of encrypted ticket */ 950 HMAC_Update(&hctx, etick, eticklen); 951 HMAC_Final(&hctx, tick_hmac, NULL); 952 HMAC_CTX_cleanup(&hctx); 953 if (memcmp(tick_hmac, etick + eticklen, mlen)) 954 goto tickerr; 955 /* Attempt to decrypt session data */ 956 /* Move p after IV to start of encrypted ticket, update length */ 957 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 958 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 959 sdec = OPENSSL_malloc(eticklen); 960 if (!sdec) 961 { 962 EVP_CIPHER_CTX_cleanup(&ctx); 963 return -1; 964 } 965 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 966 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 967 goto tickerr; 968 slen += mlen; 969 EVP_CIPHER_CTX_cleanup(&ctx); 970 p = sdec; 971 972 sess = d2i_SSL_SESSION(NULL, &p, slen); 973 OPENSSL_free(sdec); 974 if (sess) 975 { 976 /* The session ID if non-empty is used by some clients to 977 * detect that the ticket has been accepted. So we copy it to 978 * the session structure. If it is empty set length to zero 979 * as required by standard. 980 */ 981 if (sesslen) 982 memcpy(sess->session_id, sess_id, sesslen); 983 sess->session_id_length = sesslen; 984 *psess = sess; 985 s->tlsext_ticket_expected = renew_ticket; 986 return 1; 987 } 988 /* If session decrypt failure indicate a cache miss and set state to 989 * send a new ticket 990 */ 991 tickerr: 992 s->tlsext_ticket_expected = 1; 993 return 0; 994 } 995 996 #endif 997
