1 /* $OpenBSD: t1_lib.c,v 1.204 2025/01/18 14:17:05 tb Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
118
119 #include "bytestring.h"
120 #include "ssl_local.h"
121 #include "ssl_sigalgs.h"
122 #include "ssl_tlsext.h"
123
124 static int tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert,
125 SSL_SESSION **psess);
126
127 int
tls1_new(SSL * s)128 tls1_new(SSL *s)
129 {
130 if (!ssl3_new(s))
131 return 0;
132 s->method->ssl_clear(s);
133 return 1;
134 }
135
136 void
tls1_free(SSL * s)137 tls1_free(SSL *s)
138 {
139 if (s == NULL)
140 return;
141
142 free(s->tlsext_session_ticket);
143 ssl3_free(s);
144 }
145
146 void
tls1_clear(SSL * s)147 tls1_clear(SSL *s)
148 {
149 ssl3_clear(s);
150 s->version = s->method->version;
151 }
152
153 struct supported_group {
154 int nid;
155 int bits;
156 };
157
158 /*
159 * Supported groups (formerly known as named curves)
160 * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8
161 */
162 static const struct supported_group nid_list[] = {
163 [1] = {
164 .nid = NID_sect163k1,
165 .bits = 80,
166 },
167 [2] = {
168 .nid = NID_sect163r1,
169 .bits = 80,
170 },
171 [3] = {
172 .nid = NID_sect163r2,
173 .bits = 80,
174 },
175 [4] = {
176 .nid = NID_sect193r1,
177 .bits = 80,
178 },
179 [5] = {
180 .nid = NID_sect193r2,
181 .bits = 80,
182 },
183 [6] = {
184 .nid = NID_sect233k1,
185 .bits = 112,
186 },
187 [7] = {
188 .nid = NID_sect233r1,
189 .bits = 112,
190 },
191 [8] = {
192 .nid = NID_sect239k1,
193 .bits = 112,
194 },
195 [9] = {
196 .nid = NID_sect283k1,
197 .bits = 128,
198 },
199 [10] = {
200 .nid = NID_sect283r1,
201 .bits = 128,
202 },
203 [11] = {
204 .nid = NID_sect409k1,
205 .bits = 192,
206 },
207 [12] = {
208 .nid = NID_sect409r1,
209 .bits = 192,
210 },
211 [13] = {
212 .nid = NID_sect571k1,
213 .bits = 256,
214 },
215 [14] = {
216 .nid = NID_sect571r1,
217 .bits = 256,
218 },
219 [15] = {
220 .nid = NID_secp160k1,
221 .bits = 80,
222 },
223 [16] = {
224 .nid = NID_secp160r1,
225 .bits = 80,
226 },
227 [17] = {
228 .nid = NID_secp160r2,
229 .bits = 80,
230 },
231 [18] = {
232 .nid = NID_secp192k1,
233 .bits = 80,
234 },
235 [19] = {
236 .nid = NID_X9_62_prime192v1, /* aka secp192r1 */
237 .bits = 80,
238 },
239 [20] = {
240 .nid = NID_secp224k1,
241 .bits = 112,
242 },
243 [21] = {
244 .nid = NID_secp224r1,
245 .bits = 112,
246 },
247 [22] = {
248 .nid = NID_secp256k1,
249 .bits = 128,
250 },
251 [23] = {
252 .nid = NID_X9_62_prime256v1, /* aka secp256r1 */
253 .bits = 128,
254 },
255 [24] = {
256 .nid = NID_secp384r1,
257 .bits = 192,
258 },
259 [25] = {
260 .nid = NID_secp521r1,
261 .bits = 256,
262 },
263 [26] = {
264 .nid = NID_brainpoolP256r1,
265 .bits = 128,
266 },
267 [27] = {
268 .nid = NID_brainpoolP384r1,
269 .bits = 192,
270 },
271 [28] = {
272 .nid = NID_brainpoolP512r1,
273 .bits = 256,
274 },
275 [29] = {
276 .nid = NID_X25519,
277 .bits = 128,
278 },
279 };
280
281 #define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))
282
283 #if 0
284 static const uint8_t ecformats_list[] = {
285 TLSEXT_ECPOINTFORMAT_uncompressed,
286 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
287 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
288 };
289 #endif
290
291 static const uint8_t ecformats_default[] = {
292 TLSEXT_ECPOINTFORMAT_uncompressed,
293 };
294
295 #if 0
296 static const uint16_t ecgroups_list[] = {
297 29, /* X25519 (29) */
298 14, /* sect571r1 (14) */
299 13, /* sect571k1 (13) */
300 25, /* secp521r1 (25) */
301 28, /* brainpoolP512r1 (28) */
302 11, /* sect409k1 (11) */
303 12, /* sect409r1 (12) */
304 27, /* brainpoolP384r1 (27) */
305 24, /* secp384r1 (24) */
306 9, /* sect283k1 (9) */
307 10, /* sect283r1 (10) */
308 26, /* brainpoolP256r1 (26) */
309 22, /* secp256k1 (22) */
310 23, /* secp256r1 (23) */
311 8, /* sect239k1 (8) */
312 6, /* sect233k1 (6) */
313 7, /* sect233r1 (7) */
314 20, /* secp224k1 (20) */
315 21, /* secp224r1 (21) */
316 4, /* sect193r1 (4) */
317 5, /* sect193r2 (5) */
318 18, /* secp192k1 (18) */
319 19, /* secp192r1 (19) */
320 1, /* sect163k1 (1) */
321 2, /* sect163r1 (2) */
322 3, /* sect163r2 (3) */
323 15, /* secp160k1 (15) */
324 16, /* secp160r1 (16) */
325 17, /* secp160r2 (17) */
326 };
327 #endif
328
329 static const uint16_t ecgroups_client_default[] = {
330 29, /* X25519 (29) */
331 23, /* secp256r1 (23) */
332 24, /* secp384r1 (24) */
333 25, /* secp521r1 (25) */
334 };
335
336 static const uint16_t ecgroups_server_default[] = {
337 29, /* X25519 (29) */
338 23, /* secp256r1 (23) */
339 24, /* secp384r1 (24) */
340 };
341
342 int
tls1_ec_group_id2nid(uint16_t group_id,int * out_nid)343 tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
344 {
345 int nid;
346
347 if (group_id >= NID_LIST_LEN)
348 return 0;
349
350 if ((nid = nid_list[group_id].nid) == 0)
351 return 0;
352
353 *out_nid = nid;
354
355 return 1;
356 }
357
358 int
tls1_ec_group_id2bits(uint16_t group_id,int * out_bits)359 tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
360 {
361 int bits;
362
363 if (group_id >= NID_LIST_LEN)
364 return 0;
365
366 if ((bits = nid_list[group_id].bits) == 0)
367 return 0;
368
369 *out_bits = bits;
370
371 return 1;
372 }
373
374 int
tls1_ec_nid2group_id(int nid,uint16_t * out_group_id)375 tls1_ec_nid2group_id(int nid, uint16_t *out_group_id)
376 {
377 uint16_t group_id;
378
379 if (nid == 0)
380 return 0;
381
382 for (group_id = 0; group_id < NID_LIST_LEN; group_id++) {
383 if (nid_list[group_id].nid == nid) {
384 *out_group_id = group_id;
385 return 1;
386 }
387 }
388
389 return 0;
390 }
391
392 /*
393 * Return the appropriate format list. If client_formats is non-zero, return
394 * the client/session formats. Otherwise return the custom format list if one
395 * exists, or the default formats if a custom list has not been specified.
396 */
397 void
tls1_get_formatlist(const SSL * s,int client_formats,const uint8_t ** pformats,size_t * pformatslen)398 tls1_get_formatlist(const SSL *s, int client_formats, const uint8_t **pformats,
399 size_t *pformatslen)
400 {
401 if (client_formats != 0) {
402 *pformats = s->session->tlsext_ecpointformatlist;
403 *pformatslen = s->session->tlsext_ecpointformatlist_length;
404 return;
405 }
406
407 *pformats = s->tlsext_ecpointformatlist;
408 *pformatslen = s->tlsext_ecpointformatlist_length;
409 if (*pformats == NULL) {
410 *pformats = ecformats_default;
411 *pformatslen = sizeof(ecformats_default);
412 }
413 }
414
415 /*
416 * Return the appropriate group list. If client_groups is non-zero, return
417 * the client/session groups. Otherwise return the custom group list if one
418 * exists, or the default groups if a custom list has not been specified.
419 */
420 void
tls1_get_group_list(const SSL * s,int client_groups,const uint16_t ** pgroups,size_t * pgroupslen)421 tls1_get_group_list(const SSL *s, int client_groups, const uint16_t **pgroups,
422 size_t *pgroupslen)
423 {
424 if (client_groups != 0) {
425 *pgroups = s->session->tlsext_supportedgroups;
426 *pgroupslen = s->session->tlsext_supportedgroups_length;
427 return;
428 }
429
430 *pgroups = s->tlsext_supportedgroups;
431 *pgroupslen = s->tlsext_supportedgroups_length;
432 if (*pgroups != NULL)
433 return;
434
435 if (!s->server) {
436 *pgroups = ecgroups_client_default;
437 *pgroupslen = sizeof(ecgroups_client_default) / 2;
438 } else {
439 *pgroups = ecgroups_server_default;
440 *pgroupslen = sizeof(ecgroups_server_default) / 2;
441 }
442 }
443
444 static int
tls1_get_group_lists(const SSL * ssl,const uint16_t ** pref,size_t * preflen,const uint16_t ** supp,size_t * supplen)445 tls1_get_group_lists(const SSL *ssl, const uint16_t **pref, size_t *preflen,
446 const uint16_t **supp, size_t *supplen)
447 {
448 unsigned long server_pref;
449
450 /* Cannot do anything on the client side. */
451 if (!ssl->server)
452 return 0;
453
454 server_pref = (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
455 tls1_get_group_list(ssl, (server_pref == 0), pref, preflen);
456 tls1_get_group_list(ssl, (server_pref != 0), supp, supplen);
457
458 return 1;
459 }
460
461 static int
tls1_group_id_present(uint16_t group_id,const uint16_t * list,size_t list_len)462 tls1_group_id_present(uint16_t group_id, const uint16_t *list, size_t list_len)
463 {
464 size_t i;
465
466 for (i = 0; i < list_len; i++) {
467 if (group_id == list[i])
468 return 1;
469 }
470
471 return 0;
472 }
473
474 int
tls1_count_shared_groups(const SSL * ssl,size_t * out_count)475 tls1_count_shared_groups(const SSL *ssl, size_t *out_count)
476 {
477 size_t count, preflen, supplen, i;
478 const uint16_t *pref, *supp;
479
480 if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen))
481 return 0;
482
483 count = 0;
484 for (i = 0; i < preflen; i++) {
485 if (!tls1_group_id_present(pref[i], supp, supplen))
486 continue;
487
488 if (!ssl_security_shared_group(ssl, pref[i]))
489 continue;
490
491 count++;
492 }
493
494 *out_count = count;
495
496 return 1;
497 }
498
499 static int
tls1_group_by_index(const SSL * ssl,size_t n,int * out_nid,int (* ssl_security_fn)(const SSL *,uint16_t))500 tls1_group_by_index(const SSL *ssl, size_t n, int *out_nid,
501 int (*ssl_security_fn)(const SSL *, uint16_t))
502 {
503 size_t count, preflen, supplen, i;
504 const uint16_t *pref, *supp;
505
506 if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen))
507 return 0;
508
509 count = 0;
510 for (i = 0; i < preflen; i++) {
511 if (!tls1_group_id_present(pref[i], supp, supplen))
512 continue;
513
514 if (!ssl_security_fn(ssl, pref[i]))
515 continue;
516
517 if (count++ == n)
518 return tls1_ec_group_id2nid(pref[i], out_nid);
519 }
520
521 return 0;
522 }
523
524 int
tls1_get_shared_group_by_index(const SSL * ssl,size_t index,int * out_nid)525 tls1_get_shared_group_by_index(const SSL *ssl, size_t index, int *out_nid)
526 {
527 return tls1_group_by_index(ssl, index, out_nid,
528 ssl_security_shared_group);
529 }
530
531 int
tls1_get_supported_group(const SSL * ssl,int * out_nid)532 tls1_get_supported_group(const SSL *ssl, int *out_nid)
533 {
534 return tls1_group_by_index(ssl, 0, out_nid,
535 ssl_security_supported_group);
536 }
537
538 int
tls1_set_groups(uint16_t ** out_group_ids,size_t * out_group_ids_len,const int * groups,size_t ngroups)539 tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
540 const int *groups, size_t ngroups)
541 {
542 uint16_t *group_ids;
543 size_t i;
544
545 if ((group_ids = calloc(ngroups, sizeof(uint16_t))) == NULL)
546 return 0;
547
548 for (i = 0; i < ngroups; i++) {
549 if (!tls1_ec_nid2group_id(groups[i], &group_ids[i])) {
550 free(group_ids);
551 return 0;
552 }
553 }
554
555 free(*out_group_ids);
556 *out_group_ids = group_ids;
557 *out_group_ids_len = ngroups;
558
559 return 1;
560 }
561
562 int
tls1_set_group_list(uint16_t ** out_group_ids,size_t * out_group_ids_len,const char * groups)563 tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
564 const char *groups)
565 {
566 uint16_t *new_group_ids, *group_ids = NULL;
567 size_t ngroups = 0;
568 char *gs, *p, *q;
569 int nid;
570
571 if ((gs = strdup(groups)) == NULL)
572 return 0;
573
574 q = gs;
575 while ((p = strsep(&q, ":")) != NULL) {
576 nid = OBJ_sn2nid(p);
577 if (nid == NID_undef)
578 nid = OBJ_ln2nid(p);
579 if (nid == NID_undef)
580 nid = EC_curve_nist2nid(p);
581 if (nid == NID_undef)
582 goto err;
583
584 if ((new_group_ids = reallocarray(group_ids, ngroups + 1,
585 sizeof(uint16_t))) == NULL)
586 goto err;
587 group_ids = new_group_ids;
588
589 if (!tls1_ec_nid2group_id(nid, &group_ids[ngroups]))
590 goto err;
591
592 ngroups++;
593 }
594
595 free(gs);
596 free(*out_group_ids);
597 *out_group_ids = group_ids;
598 *out_group_ids_len = ngroups;
599
600 return 1;
601
602 err:
603 free(gs);
604 free(group_ids);
605
606 return 0;
607 }
608
609 /* Check that a group is one of our preferences. */
610 int
tls1_check_group(SSL * s,uint16_t group_id)611 tls1_check_group(SSL *s, uint16_t group_id)
612 {
613 const uint16_t *groups;
614 size_t groupslen, i;
615
616 tls1_get_group_list(s, 0, &groups, &groupslen);
617
618 for (i = 0; i < groupslen; i++) {
619 if (!ssl_security_supported_group(s, groups[i]))
620 continue;
621 if (groups[i] == group_id)
622 return 1;
623 }
624 return 0;
625 }
626
627 /* For an EC key set TLS ID and required compression based on parameters. */
628 static int
tls1_set_ec_id(uint16_t * group_id,uint8_t * comp_id,EC_KEY * ec)629 tls1_set_ec_id(uint16_t *group_id, uint8_t *comp_id, EC_KEY *ec)
630 {
631 const EC_GROUP *group;
632 int nid;
633
634 if ((group = EC_KEY_get0_group(ec)) == NULL)
635 return 0;
636
637 /* Determine group ID. */
638 nid = EC_GROUP_get_curve_name(group);
639 if (!tls1_ec_nid2group_id(nid, group_id))
640 return 0;
641
642 /* Specify the compression identifier. */
643 if (EC_KEY_get0_public_key(ec) == NULL)
644 return 0;
645 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
646 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
647 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
648 }
649
650 return 1;
651 }
652
653 /* Check that an EC key is compatible with extensions. */
654 static int
tls1_check_ec_key(SSL * s,const uint16_t group_id,const uint8_t comp_id)655 tls1_check_ec_key(SSL *s, const uint16_t group_id, const uint8_t comp_id)
656 {
657 size_t groupslen, formatslen, i;
658 const uint16_t *groups;
659 const uint8_t *formats;
660
661 /*
662 * Check point formats extension if present, otherwise everything
663 * is supported (see RFC4492).
664 */
665 tls1_get_formatlist(s, 1, &formats, &formatslen);
666 if (formats != NULL) {
667 for (i = 0; i < formatslen; i++) {
668 if (formats[i] == comp_id)
669 break;
670 }
671 if (i == formatslen)
672 return 0;
673 }
674
675 /*
676 * Check group list if present, otherwise everything is supported.
677 */
678 tls1_get_group_list(s, 1, &groups, &groupslen);
679 if (groups != NULL) {
680 for (i = 0; i < groupslen; i++) {
681 if (groups[i] == group_id)
682 break;
683 }
684 if (i == groupslen)
685 return 0;
686 }
687
688 return 1;
689 }
690
691 /* Check EC server key is compatible with client extensions. */
692 int
tls1_check_ec_server_key(SSL * s)693 tls1_check_ec_server_key(SSL *s)
694 {
695 SSL_CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
696 uint16_t group_id;
697 uint8_t comp_id;
698 EC_KEY *eckey;
699 EVP_PKEY *pkey;
700
701 if (cpk->x509 == NULL || cpk->privatekey == NULL)
702 return 0;
703 if ((pkey = X509_get0_pubkey(cpk->x509)) == NULL)
704 return 0;
705 if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
706 return 0;
707 if (!tls1_set_ec_id(&group_id, &comp_id, eckey))
708 return 0;
709
710 return tls1_check_ec_key(s, group_id, comp_id);
711 }
712
713 int
ssl_check_clienthello_tlsext_early(SSL * s)714 ssl_check_clienthello_tlsext_early(SSL *s)
715 {
716 int ret = SSL_TLSEXT_ERR_NOACK;
717 int al = SSL_AD_UNRECOGNIZED_NAME;
718
719 /* The handling of the ECPointFormats extension is done elsewhere, namely in
720 * ssl3_choose_cipher in s3_lib.c.
721 */
722 /* The handling of the EllipticCurves extension is done elsewhere, namely in
723 * ssl3_choose_cipher in s3_lib.c.
724 */
725
726 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
727 ret = s->ctx->tlsext_servername_callback(s, &al,
728 s->ctx->tlsext_servername_arg);
729 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
730 ret = s->initial_ctx->tlsext_servername_callback(s, &al,
731 s->initial_ctx->tlsext_servername_arg);
732
733 switch (ret) {
734 case SSL_TLSEXT_ERR_ALERT_FATAL:
735 ssl3_send_alert(s, SSL3_AL_FATAL, al);
736 return -1;
737 case SSL_TLSEXT_ERR_ALERT_WARNING:
738 ssl3_send_alert(s, SSL3_AL_WARNING, al);
739 return 1;
740 case SSL_TLSEXT_ERR_NOACK:
741 default:
742 return 1;
743 }
744 }
745
746 int
ssl_check_clienthello_tlsext_late(SSL * s)747 ssl_check_clienthello_tlsext_late(SSL *s)
748 {
749 int ret = SSL_TLSEXT_ERR_OK;
750 int al = 0; /* XXX gcc3 */
751
752 /* If status request then ask callback what to do.
753 * Note: this must be called after servername callbacks in case
754 * the certificate has changed, and must be called after the cipher
755 * has been chosen because this may influence which certificate is sent
756 */
757 if ((s->tlsext_status_type != -1) &&
758 s->ctx && s->ctx->tlsext_status_cb) {
759 int r;
760 SSL_CERT_PKEY *certpkey;
761 certpkey = ssl_get_server_send_pkey(s);
762 /* If no certificate can't return certificate status */
763 if (certpkey == NULL) {
764 s->tlsext_status_expected = 0;
765 return 1;
766 }
767 /* Set current certificate to one we will use so
768 * SSL_get_certificate et al can pick it up.
769 */
770 s->cert->key = certpkey;
771 r = s->ctx->tlsext_status_cb(s,
772 s->ctx->tlsext_status_arg);
773 switch (r) {
774 /* We don't want to send a status request response */
775 case SSL_TLSEXT_ERR_NOACK:
776 s->tlsext_status_expected = 0;
777 break;
778 /* status request response should be sent */
779 case SSL_TLSEXT_ERR_OK:
780 if (s->tlsext_ocsp_resp)
781 s->tlsext_status_expected = 1;
782 else
783 s->tlsext_status_expected = 0;
784 break;
785 /* something bad happened */
786 case SSL_TLSEXT_ERR_ALERT_FATAL:
787 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
788 al = SSL_AD_INTERNAL_ERROR;
789 goto err;
790 }
791 } else
792 s->tlsext_status_expected = 0;
793
794 err:
795 switch (ret) {
796 case SSL_TLSEXT_ERR_ALERT_FATAL:
797 ssl3_send_alert(s, SSL3_AL_FATAL, al);
798 return -1;
799 case SSL_TLSEXT_ERR_ALERT_WARNING:
800 ssl3_send_alert(s, SSL3_AL_WARNING, al);
801 return 1;
802 default:
803 return 1;
804 }
805 }
806
807 int
ssl_check_serverhello_tlsext(SSL * s)808 ssl_check_serverhello_tlsext(SSL *s)
809 {
810 int ret = SSL_TLSEXT_ERR_NOACK;
811 int al = SSL_AD_UNRECOGNIZED_NAME;
812
813 ret = SSL_TLSEXT_ERR_OK;
814
815 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
816 ret = s->ctx->tlsext_servername_callback(s, &al,
817 s->ctx->tlsext_servername_arg);
818 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
819 ret = s->initial_ctx->tlsext_servername_callback(s, &al,
820 s->initial_ctx->tlsext_servername_arg);
821
822 /* If we've requested certificate status and we wont get one
823 * tell the callback
824 */
825 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) &&
826 s->ctx && s->ctx->tlsext_status_cb) {
827 int r;
828
829 free(s->tlsext_ocsp_resp);
830 s->tlsext_ocsp_resp = NULL;
831 s->tlsext_ocsp_resp_len = 0;
832
833 r = s->ctx->tlsext_status_cb(s,
834 s->ctx->tlsext_status_arg);
835 if (r == 0) {
836 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
837 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
838 }
839 if (r < 0) {
840 al = SSL_AD_INTERNAL_ERROR;
841 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
842 }
843 }
844
845 switch (ret) {
846 case SSL_TLSEXT_ERR_ALERT_FATAL:
847 ssl3_send_alert(s, SSL3_AL_FATAL, al);
848 return -1;
849 case SSL_TLSEXT_ERR_ALERT_WARNING:
850 ssl3_send_alert(s, SSL3_AL_WARNING, al);
851 return 1;
852 case SSL_TLSEXT_ERR_NOACK:
853 default:
854 return 1;
855 }
856 }
857
858 /* Since the server cache lookup is done early on in the processing of the
859 * ClientHello, and other operations depend on the result, we need to handle
860 * any TLS session ticket extension at the same time.
861 *
862 * ext_block: a CBS for the ClientHello extensions block.
863 * ret: (output) on return, if a ticket was decrypted, then this is set to
864 * point to the resulting session.
865 *
866 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
867 * ciphersuite, in which case we have no use for session tickets and one will
868 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
869 *
870 * Returns:
871 * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket.
872 * TLS1_TICKET_NONE: no ticket was found (or was ignored, based on settings).
873 * TLS1_TICKET_EMPTY: a zero length extension was found, indicating that the
874 * client supports session tickets but doesn't currently have one to offer.
875 * TLS1_TICKET_NOT_DECRYPTED: either s->tls_session_secret_cb was
876 * set, or a ticket was offered but couldn't be decrypted because of a
877 * non-fatal error.
878 * TLS1_TICKET_DECRYPTED: a ticket was successfully decrypted and *ret was set.
879 *
880 * Side effects:
881 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
882 * a new session ticket to the client because the client indicated support
883 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
884 * a session ticket or we couldn't use the one it gave us, or if
885 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
886 * Otherwise, s->tlsext_ticket_expected is set to 0.
887 */
888 int
tls1_process_ticket(SSL * s,CBS * ext_block,int * alert,SSL_SESSION ** ret)889 tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret)
890 {
891 CBS extensions, ext_data;
892 uint16_t ext_type = 0;
893
894 s->tlsext_ticket_expected = 0;
895 *ret = NULL;
896
897 /*
898 * If tickets disabled behave as if no ticket present to permit stateful
899 * resumption.
900 */
901 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
902 return TLS1_TICKET_NONE;
903
904 /*
905 * An empty extensions block is valid, but obviously does not contain
906 * a session ticket.
907 */
908 if (CBS_len(ext_block) == 0)
909 return TLS1_TICKET_NONE;
910
911 if (!CBS_get_u16_length_prefixed(ext_block, &extensions)) {
912 *alert = SSL_AD_DECODE_ERROR;
913 return TLS1_TICKET_FATAL_ERROR;
914 }
915
916 while (CBS_len(&extensions) > 0) {
917 if (!CBS_get_u16(&extensions, &ext_type) ||
918 !CBS_get_u16_length_prefixed(&extensions, &ext_data)) {
919 *alert = SSL_AD_DECODE_ERROR;
920 return TLS1_TICKET_FATAL_ERROR;
921 }
922
923 if (ext_type == TLSEXT_TYPE_session_ticket)
924 break;
925 }
926
927 if (ext_type != TLSEXT_TYPE_session_ticket)
928 return TLS1_TICKET_NONE;
929
930 if (CBS_len(&ext_data) == 0) {
931 /*
932 * The client will accept a ticket but does not currently
933 * have one.
934 */
935 s->tlsext_ticket_expected = 1;
936 return TLS1_TICKET_EMPTY;
937 }
938
939 if (s->tls_session_secret_cb != NULL) {
940 /*
941 * Indicate that the ticket could not be decrypted rather than
942 * generating the session from ticket now, trigger abbreviated
943 * handshake based on external mechanism to calculate the master
944 * secret later.
945 */
946 return TLS1_TICKET_NOT_DECRYPTED;
947 }
948
949 return tls_decrypt_ticket(s, &ext_data, alert, ret);
950 }
951
952 /* tls_decrypt_ticket attempts to decrypt a session ticket.
953 *
954 * ticket: a CBS containing the body of the session ticket extension.
955 * psess: (output) on return, if a ticket was decrypted, then this is set to
956 * point to the resulting session.
957 *
958 * Returns:
959 * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket.
960 * TLS1_TICKET_NOT_DECRYPTED: the ticket couldn't be decrypted.
961 * TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set.
962 */
963 static int
tls_decrypt_ticket(SSL * s,CBS * ticket,int * alert,SSL_SESSION ** psess)964 tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
965 {
966 CBS ticket_name, ticket_iv, ticket_encdata, ticket_hmac;
967 SSL_SESSION *sess = NULL;
968 unsigned char *sdec = NULL;
969 size_t sdec_len = 0;
970 const unsigned char *p;
971 unsigned char hmac[EVP_MAX_MD_SIZE];
972 HMAC_CTX *hctx = NULL;
973 EVP_CIPHER_CTX *cctx = NULL;
974 SSL_CTX *tctx = s->initial_ctx;
975 int slen, hlen, iv_len;
976 int alert_desc = SSL_AD_INTERNAL_ERROR;
977 int ret = TLS1_TICKET_FATAL_ERROR;
978
979 *psess = NULL;
980
981 if (!CBS_get_bytes(ticket, &ticket_name, 16))
982 goto derr;
983
984 /*
985 * Initialize session ticket encryption and HMAC contexts.
986 */
987 if ((cctx = EVP_CIPHER_CTX_new()) == NULL)
988 goto err;
989 if ((hctx = HMAC_CTX_new()) == NULL)
990 goto err;
991
992 if (tctx->tlsext_ticket_key_cb != NULL) {
993 int rv;
994
995 /*
996 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for
997 * the iv to tlsext_ticket_key_cb(). Since the total space
998 * required for a session cookie is never less than this,
999 * this check isn't too strict. The exact check comes later.
1000 */
1001 if (CBS_len(ticket) < EVP_MAX_IV_LENGTH)
1002 goto derr;
1003
1004 if ((rv = tctx->tlsext_ticket_key_cb(s,
1005 (unsigned char *)CBS_data(&ticket_name),
1006 (unsigned char *)CBS_data(ticket), cctx, hctx, 0)) < 0)
1007 goto err;
1008 if (rv == 0)
1009 goto derr;
1010 if (rv == 2) {
1011 /* Renew ticket. */
1012 s->tlsext_ticket_expected = 1;
1013 }
1014
1015 if ((iv_len = EVP_CIPHER_CTX_iv_length(cctx)) < 0)
1016 goto err;
1017 /*
1018 * Now that the cipher context is initialised, we can extract
1019 * the IV since its length is known.
1020 */
1021 if (!CBS_get_bytes(ticket, &ticket_iv, iv_len))
1022 goto derr;
1023 } else {
1024 /* Check that the key name matches. */
1025 if (!CBS_mem_equal(&ticket_name,
1026 tctx->tlsext_tick_key_name,
1027 sizeof(tctx->tlsext_tick_key_name)))
1028 goto derr;
1029 if ((iv_len = EVP_CIPHER_iv_length(EVP_aes_128_cbc())) < 0)
1030 goto err;
1031 if (!CBS_get_bytes(ticket, &ticket_iv, iv_len))
1032 goto derr;
1033 if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL,
1034 tctx->tlsext_tick_aes_key, CBS_data(&ticket_iv)))
1035 goto err;
1036 if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
1037 sizeof(tctx->tlsext_tick_hmac_key), EVP_sha256(),
1038 NULL))
1039 goto err;
1040 }
1041
1042 /*
1043 * Attempt to process session ticket.
1044 */
1045
1046 if ((hlen = HMAC_size(hctx)) < 0)
1047 goto err;
1048
1049 if (hlen > CBS_len(ticket))
1050 goto derr;
1051 if (!CBS_get_bytes(ticket, &ticket_encdata, CBS_len(ticket) - hlen))
1052 goto derr;
1053 if (!CBS_get_bytes(ticket, &ticket_hmac, hlen))
1054 goto derr;
1055 if (CBS_len(ticket) != 0) {
1056 alert_desc = SSL_AD_DECODE_ERROR;
1057 goto err;
1058 }
1059
1060 /* Check HMAC of encrypted ticket. */
1061 if (HMAC_Update(hctx, CBS_data(&ticket_name),
1062 CBS_len(&ticket_name)) <= 0)
1063 goto err;
1064 if (HMAC_Update(hctx, CBS_data(&ticket_iv),
1065 CBS_len(&ticket_iv)) <= 0)
1066 goto err;
1067 if (HMAC_Update(hctx, CBS_data(&ticket_encdata),
1068 CBS_len(&ticket_encdata)) <= 0)
1069 goto err;
1070 if (HMAC_Final(hctx, hmac, &hlen) <= 0)
1071 goto err;
1072
1073 if (!CBS_mem_equal(&ticket_hmac, hmac, hlen))
1074 goto derr;
1075
1076 /* Attempt to decrypt session data. */
1077 sdec_len = CBS_len(&ticket_encdata);
1078 if ((sdec = calloc(1, sdec_len)) == NULL)
1079 goto err;
1080 if (EVP_DecryptUpdate(cctx, sdec, &slen, CBS_data(&ticket_encdata),
1081 CBS_len(&ticket_encdata)) <= 0)
1082 goto derr;
1083 if (EVP_DecryptFinal_ex(cctx, sdec + slen, &hlen) <= 0)
1084 goto derr;
1085
1086 slen += hlen;
1087
1088 /*
1089 * For session parse failures, indicate that we need to send a new
1090 * ticket.
1091 */
1092 p = sdec;
1093 if ((sess = d2i_SSL_SESSION(NULL, &p, slen)) == NULL)
1094 goto derr;
1095 *psess = sess;
1096 sess = NULL;
1097
1098 ret = TLS1_TICKET_DECRYPTED;
1099 goto done;
1100
1101 derr:
1102 ERR_clear_error();
1103 s->tlsext_ticket_expected = 1;
1104 ret = TLS1_TICKET_NOT_DECRYPTED;
1105 goto done;
1106
1107 err:
1108 *alert = alert_desc;
1109 ret = TLS1_TICKET_FATAL_ERROR;
1110 goto done;
1111
1112 done:
1113 freezero(sdec, sdec_len);
1114 EVP_CIPHER_CTX_free(cctx);
1115 HMAC_CTX_free(hctx);
1116 SSL_SESSION_free(sess);
1117
1118 return ret;
1119 }
1120