1 /*-
2 * SSLsplit - transparent SSL/TLS interception
3 * https://www.roe.ch/SSLsplit
4 *
5 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions are met:
10 * 1. Redistributions of source code must retain the above copyright notice,
11 * this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright notice,
13 * this list of conditions and the following disclaimer in the documentation
14 * and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
17 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 * POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 #include "ssl.h"
30
31 #include "log.h"
32 #include "defaults.h"
33 #include "attrib.h"
34
35 #include <sys/types.h>
36 #include <fcntl.h>
37 #include <unistd.h>
38 #include <stdio.h>
39 #include <string.h>
40 #include <limits.h>
41
42 #include <openssl/crypto.h>
43 #ifndef OPENSSL_NO_ENGINE
44 #include <openssl/engine.h>
45 #endif /* !OPENSSL_NO_ENGINE */
46 #include <openssl/ssl.h>
47 #include <openssl/err.h>
48 #include <openssl/rand.h>
49 #ifndef OPENSSL_NO_DH
50 #include <openssl/dh.h>
51 #endif /* !OPENSSL_NO_DH */
52 #include <openssl/x509.h>
53 #include <openssl/x509v3.h>
54 #include <openssl/ocsp.h>
55
56
57 /*
58 * Collection of helper functions on top of the OpenSSL API.
59 */
60
61
62 /*
63 * Workaround for bug in OpenSSL 1.0.0k and 1.0.1e
64 * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703031
65 * http://openssl.6102.n7.nabble.com/NULL-ptr-deref-when-calling-SSL-get-certificate-with-1-0-0k-td43636.html
66 */
67 #if (OPENSSL_VERSION_NUMBER == 0x0090819fL) || \
68 (OPENSSL_VERSION_NUMBER == 0x100000bfL) || \
69 (OPENSSL_VERSION_NUMBER == 0x1000105fL)
70 /*
71 * OpenSSL internal declarations from ssl_locl.h, reduced to what is needed.
72 */
73 struct cert_pkey_st {
74 X509 *x509;
75 /*
76 EVP_PKEY *privatekey;
77 const EVP_MD *digest;
78 */
79 };
80 struct cert_st {
81 struct cert_pkey_st *key;
82 /* ... */
83 };
84
85 /*
86 * Replacement function for SSL_get_certificate().
87 */
88 X509 *
ssl_ssl_cert_get(SSL * s)89 ssl_ssl_cert_get(SSL *s)
90 {
91 return s->cert ? s->cert->key->x509 : NULL;
92 }
93 #endif /* OpenSSL 0.9.8y, 1.0.0k or 1.0.1e */
94
95 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
96 int
DH_set0_pqg(DH * dh,BIGNUM * p,BIGNUM * q,BIGNUM * g)97 DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
98 {
99 /*
100 * If the fields p and g in d are NULL, the corresponding input
101 * parameters MUST be non-NULL. q may remain NULL.
102 */
103 if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL))
104 return 0;
105
106 if (p != NULL) {
107 BN_free(dh->p);
108 dh->p = p;
109 }
110 if (q != NULL) {
111 BN_free(dh->q);
112 dh->q = q;
113 dh->length = BN_num_bits(q);
114 }
115 if (g != NULL) {
116 BN_free(dh->g);
117 dh->g = g;
118 }
119
120 return 1;
121 }
122 #endif
123
124
125 /*
126 * Print OpenSSL version and build-time configuration to standard error and
127 * return.
128 */
129 void
ssl_openssl_version(void)130 ssl_openssl_version(void)
131 {
132 fprintf(stderr, "compiled against %s (%lx)\n",
133 OPENSSL_VERSION_TEXT,
134 (long unsigned int)OPENSSL_VERSION_NUMBER);
135 fprintf(stderr, "rtlinked against %s (%lx)\n",
136 SSLeay_version(SSLEAY_VERSION),
137 SSLeay());
138 if ((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xfffff000L) {
139 fprintf(stderr, "---------------------------------------"
140 "---------------------------------------\n");
141 fprintf(stderr, "WARNING: OpenSSL version mismatch may "
142 "lead to crashes or other problems!\n");
143 fprintf(stderr, "If there are multiple versions of "
144 "OpenSSL available, make sure to use\n");
145 fprintf(stderr, "the same version of the library at "
146 "runtime as well as for compiling against.\n");
147 fprintf(stderr, "---------------------------------------"
148 "---------------------------------------\n");
149 }
150 #ifdef LIBRESSL_VERSION_NUMBER
151 fprintf(stderr, "OpenSSL API provided by LibreSSL: %s (%lx)\n",
152 LIBRESSL_VERSION_TEXT,
153 (long unsigned int)LIBRESSL_VERSION_NUMBER);
154 #endif /* LIBRESSL_VERSION_NUMBER */
155 #ifdef OPENSSL_IS_BORINGSSL
156 fprintf(stderr, "OpenSSL API provided by BoringSSL\n")
157 #endif /* OPENSSL_IS_BORINGSSL */
158 #ifndef OPENSSL_NO_TLSEXT
159 fprintf(stderr, "OpenSSL has support for TLS extensions\n"
160 "TLS Server Name Indication (SNI) supported\n");
161 #else /* OPENSSL_NO_TLSEXT */
162 fprintf(stderr, "OpenSSL has no support for TLS extensions\n"
163 "TLS Server Name Indication (SNI) not supported\n");
164 #endif /* OPENSSL_NO_TLSEXT */
165 #ifdef OPENSSL_THREADS
166 #ifndef OPENSSL_NO_THREADID
167 fprintf(stderr, "OpenSSL is thread-safe with THREADID\n");
168 #else /* OPENSSL_NO_THREADID */
169 fprintf(stderr, "OpenSSL is thread-safe without THREADID\n");
170 #endif /* OPENSSL_NO_THREADID */
171 #else /* !OPENSSL_THREADS */
172 fprintf(stderr, "OpenSSL is not thread-safe\n");
173 #endif /* !OPENSSL_THREADS */
174 #ifndef OPENSSL_NO_ENGINE
175 fprintf(stderr, "OpenSSL has engine support\n");
176 #else /* OPENSSL_NO_ENGINE */
177 fprintf(stderr, "OpenSSL has no engine support\n");
178 #endif /* OPENSSL_NO_ENGINE */
179 #ifdef SSL_MODE_RELEASE_BUFFERS
180 fprintf(stderr, "Using SSL_MODE_RELEASE_BUFFERS\n");
181 #else /* !SSL_MODE_RELEASE_BUFFERS */
182 fprintf(stderr, "Not using SSL_MODE_RELEASE_BUFFERS\n");
183 #endif /* !SSL_MODE_RELEASE_BUFFERS */
184 #if (OPENSSL_VERSION_NUMBER == 0x0090819fL) || \
185 (OPENSSL_VERSION_NUMBER == 0x100000bfL) || \
186 (OPENSSL_VERSION_NUMBER == 0x1000105fL)
187 fprintf(stderr, "Using direct access workaround when loading certs\n");
188 #endif /* OpenSSL 0.9.8y, 1.0.0k or 1.0.1e */
189
190 fprintf(stderr, "SSL/TLS protocol availability: %s\n",
191 SSL_PROTO_SUPPORT_S);
192
193 fprintf(stderr, "SSL/TLS algorithm availability:");
194 #ifndef OPENSSL_NO_SHA0
195 fprintf(stderr, " SHA0");
196 #else /* !OPENSSL_NO_SHA0 */
197 fprintf(stderr, " !SHA0");
198 #endif /* !OPENSSL_NO_SHA0 */
199 #ifndef OPENSSL_NO_RSA
200 fprintf(stderr, " RSA");
201 #else /* !OPENSSL_NO_RSA */
202 fprintf(stderr, " !RSA");
203 #endif /* !OPENSSL_NO_RSA */
204 #ifndef OPENSSL_NO_DSA
205 fprintf(stderr, " DSA");
206 #else /* !OPENSSL_NO_DSA */
207 fprintf(stderr, " !DSA");
208 #endif /* !OPENSSL_NO_DSA */
209 #ifndef OPENSSL_NO_ECDSA
210 fprintf(stderr, " ECDSA");
211 #else /* !OPENSSL_NO_ECDSA */
212 fprintf(stderr, " !ECDSA");
213 #endif /* !OPENSSL_NO_ECDSA */
214 #ifndef OPENSSL_NO_DH
215 fprintf(stderr, " DH");
216 #else /* !OPENSSL_NO_DH */
217 fprintf(stderr, " !DH");
218 #endif /* !OPENSSL_NO_DH */
219 #ifndef OPENSSL_NO_ECDH
220 fprintf(stderr, " ECDH");
221 #else /* !OPENSSL_NO_ECDH */
222 fprintf(stderr, " !ECDH");
223 #endif /* !OPENSSL_NO_ECDH */
224 #ifndef OPENSSL_NO_EC
225 fprintf(stderr, " EC");
226 #else /* !OPENSSL_NO_EC */
227 fprintf(stderr, " !EC");
228 #endif /* !OPENSSL_NO_EC */
229 fprintf(stderr, "\n");
230
231 fprintf(stderr, "OpenSSL option availability:");
232 #ifdef SSL_OP_NO_COMPRESSION
233 fprintf(stderr, " SSL_OP_NO_COMPRESSION");
234 #else /* !SSL_OP_NO_COMPRESSION */
235 fprintf(stderr, " !SSL_OP_NO_COMPRESSION");
236 #endif /* SSL_OP_NO_COMPRESSION */
237 #ifdef SSL_OP_NO_TICKET
238 fprintf(stderr, " SSL_OP_NO_TICKET");
239 #else /* !SSL_OP_NO_TICKET */
240 fprintf(stderr, " !SSL_OP_NO_TICKET");
241 #endif /* SSL_OP_NO_TICKET */
242 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
243 fprintf(stderr, " SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION");
244 #else /* !SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION */
245 fprintf(stderr, " !SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION");
246 #endif /* !SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION */
247 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
248 fprintf(stderr, " SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS");
249 #else /* !SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
250 fprintf(stderr, " !SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS");
251 #endif /* !SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
252 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
253 fprintf(stderr, " SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION");
254 #else /* !SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION */
255 fprintf(stderr, " !SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION");
256 #endif /* !SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION */
257 #ifdef SSL_OP_TLS_ROLLBACK_BUG
258 fprintf(stderr, " SSL_OP_TLS_ROLLBACK_BUG");
259 #else /* !SSL_OP_TLS_ROLLBACK_BUG */
260 fprintf(stderr, " !SSL_OP_TLS_ROLLBACK_BUG");
261 #endif /* !SSL_OP_TLS_ROLLBACK_BUG */
262 fprintf(stderr, "\n");
263 }
264
265 /*
266 * 1 if OpenSSL has been initialized, 0 if not. When calling a _load()
267 * function the first time, OpenSSL will automatically be initialized.
268 * Not protected by a mutex and thus not thread-safe.
269 */
270 static int ssl_initialized = 0;
271
272 #if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
273 struct CRYPTO_dynlock_value {
274 pthread_mutex_t mutex;
275 };
276 static pthread_mutex_t *ssl_mutex;
277 static int ssl_mutex_num;
278
279 /*
280 * OpenSSL thread-safety locking callback, #1.
281 */
282 static void
ssl_thr_locking_cb(int mode,int type,UNUSED const char * file,UNUSED int line)283 ssl_thr_locking_cb(int mode, int type, UNUSED const char *file,
284 UNUSED int line) {
285 if (type < ssl_mutex_num) {
286 if (mode & CRYPTO_LOCK)
287 pthread_mutex_lock(&ssl_mutex[type]);
288 else
289 pthread_mutex_unlock(&ssl_mutex[type]);
290 }
291 }
292
293 /*
294 * OpenSSL thread-safety locking callback, #2.
295 */
296 static struct CRYPTO_dynlock_value *
ssl_thr_dyn_create_cb(UNUSED const char * file,UNUSED int line)297 ssl_thr_dyn_create_cb(UNUSED const char *file, UNUSED int line)
298 {
299 struct CRYPTO_dynlock_value *dl;
300
301 if ((dl = malloc(sizeof(struct CRYPTO_dynlock_value)))) {
302 if (pthread_mutex_init(&dl->mutex, NULL)) {
303 free(dl);
304 return NULL;
305 }
306 }
307 return dl;
308 }
309
310 /*
311 * OpenSSL thread-safety locking callback, #3.
312 */
313 static void
ssl_thr_dyn_lock_cb(int mode,struct CRYPTO_dynlock_value * dl,UNUSED const char * file,UNUSED int line)314 ssl_thr_dyn_lock_cb(int mode, struct CRYPTO_dynlock_value *dl,
315 UNUSED const char *file, UNUSED int line)
316 {
317 if (mode & CRYPTO_LOCK) {
318 pthread_mutex_lock(&dl->mutex);
319 } else {
320 pthread_mutex_unlock(&dl->mutex);
321 }
322 }
323
324 /*
325 * OpenSSL thread-safety locking callback, #4.
326 */
327 static void
ssl_thr_dyn_destroy_cb(struct CRYPTO_dynlock_value * dl,UNUSED const char * file,UNUSED int line)328 ssl_thr_dyn_destroy_cb(struct CRYPTO_dynlock_value *dl,
329 UNUSED const char *file, UNUSED int line)
330 {
331 pthread_mutex_destroy(&dl->mutex);
332 free(dl);
333 }
334
335 #ifdef OPENSSL_NO_THREADID
336 /*
337 * OpenSSL thread-safety thread ID callback, legacy version.
338 */
339 static unsigned long
ssl_thr_id_cb(void)340 ssl_thr_id_cb(void) {
341 return (unsigned long) pthread_self();
342 }
343 #else /* !OPENSSL_NO_THREADID */
344 /*
345 * OpenSSL thread-safety thread ID callback, up-to-date version.
346 */
347 static void
ssl_thr_id_cb(CRYPTO_THREADID * id)348 ssl_thr_id_cb(CRYPTO_THREADID *id)
349 {
350 CRYPTO_THREADID_set_numeric(id, (unsigned long) pthread_self());
351 }
352 #endif /* !OPENSSL_NO_THREADID */
353 #endif /* OPENSSL_THREADS */
354
355 /*
356 * Initialize OpenSSL and verify the random number generator works.
357 * Returns -1 on failure, 0 on success.
358 */
359 int
ssl_init(void)360 ssl_init(void)
361 {
362 #ifndef PURIFY
363 int fd;
364 #endif /* !PURIFY */
365 char buf[256];
366
367 if (ssl_initialized)
368 return 0;
369
370 /* general initialization */
371 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
372 OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG
373 #ifndef OPENSSL_NO_ENGINE
374 |OPENSSL_INIT_ENGINE_ALL_BUILTIN
375 #endif /* !OPENSSL_NO_ENGINE */
376 , NULL);
377 OPENSSL_init_ssl(0, NULL);
378 #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
379 SSL_library_init();
380 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
381
382 #ifdef PURIFY
383 CRYPTO_malloc_init();
384 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
385 #endif /* PURIFY */
386 SSL_load_error_strings();
387 OpenSSL_add_all_algorithms();
388 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
389 OPENSSL_config(NULL);
390 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
391
392 /* thread-safety */
393 #if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
394 ssl_mutex_num = CRYPTO_num_locks();
395 ssl_mutex = malloc(ssl_mutex_num * sizeof(*ssl_mutex));
396 for (int i = 0; i < ssl_mutex_num; i++) {
397 if (pthread_mutex_init(&ssl_mutex[i], NULL)) {
398 log_err_printf("Failed to initialize mutex\n");
399 return -1;
400 }
401 }
402 CRYPTO_set_locking_callback(ssl_thr_locking_cb);
403 CRYPTO_set_dynlock_create_callback(ssl_thr_dyn_create_cb);
404 CRYPTO_set_dynlock_lock_callback(ssl_thr_dyn_lock_cb);
405 CRYPTO_set_dynlock_destroy_callback(ssl_thr_dyn_destroy_cb);
406 #ifdef OPENSSL_NO_THREADID
407 CRYPTO_set_id_callback(ssl_thr_id_cb);
408 #else /* !OPENSSL_NO_THREADID */
409 CRYPTO_THREADID_set_callback(ssl_thr_id_cb);
410 #endif /* !OPENSSL_NO_THREADID */
411 #endif /* OPENSSL_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L */
412
413 /* randomness */
414 #ifndef PURIFY
415 if ((fd = open("/dev/urandom", O_RDONLY)) == -1) {
416 log_err_printf("Error opening /dev/urandom for reading: %s\n",
417 strerror(errno));
418 return -1;
419 }
420 while (!RAND_status()) {
421 if (read(fd, buf, sizeof(buf)) == -1) {
422 log_err_printf("Error reading from /dev/urandom: %s\n",
423 strerror(errno));
424 close(fd);
425 return -1;
426 }
427 RAND_seed(buf, sizeof(buf));
428 }
429 close(fd);
430 if (!RAND_poll()) {
431 log_err_printf("RAND_poll() failed.\n");
432 return -1;
433 }
434 #else /* PURIFY */
435 log_err_printf("Warning: not seeding OpenSSL RAND due to PURITY!\n");
436 memset(buf, 0, sizeof(buf));
437 while (!RAND_status()) {
438 RAND_seed(buf, sizeof(buf));
439 }
440 #endif /* PURIFY */
441
442 #ifdef USE_FOOTPRINT_HACKS
443 /* HACK: disable compression by zeroing the global comp algo stack.
444 * This lowers the per-connection memory footprint by ~500k. */
445 STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_methods();
446 sk_SSL_COMP_zero(comp_methods);
447 #endif /* USE_FOOTPRINT_HACKS */
448
449 ssl_initialized = 1;
450 return 0;
451 }
452
453 /*
454 * Re-initialize OpenSSL after forking. Returns 0 on success, -1 on failure.
455 */
456 int
ssl_reinit(void)457 ssl_reinit(void)
458 {
459 if (!ssl_initialized)
460 return 0;
461
462 #if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
463 for (int i = 0; i < ssl_mutex_num; i++) {
464 if (pthread_mutex_init(&ssl_mutex[i], NULL)) {
465 return -1;
466 }
467 }
468 #endif /* OPENSSL_THREADS */
469
470 return 0;
471 }
472
473 /*
474 * Deinitialize OpenSSL and free as much memory as possible.
475 * Some 10k-100k will still remain resident no matter what.
476 */
477 void
ssl_fini(void)478 ssl_fini(void)
479 {
480 if (!ssl_initialized)
481 return;
482
483 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
484 ERR_remove_state(0); /* current thread */
485 #endif
486
487 #if defined(OPENSSL_THREADS) && \
488 ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
489 CRYPTO_set_locking_callback(NULL);
490 CRYPTO_set_dynlock_create_callback(NULL);
491 CRYPTO_set_dynlock_lock_callback(NULL);
492 CRYPTO_set_dynlock_destroy_callback(NULL);
493 #ifdef OPENSSL_NO_THREADID
494 CRYPTO_set_id_callback(NULL);
495 #else /* !OPENSSL_NO_THREADID */
496 CRYPTO_THREADID_set_callback(NULL);
497 #endif /* !OPENSSL_NO_THREADID */
498 for (int i = 0; i < ssl_mutex_num; i++) {
499 pthread_mutex_destroy(&ssl_mutex[i]);
500 }
501 free(ssl_mutex);
502 #endif
503
504 #if !defined(OPENSSL_NO_ENGINE) && \
505 ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
506 ENGINE_cleanup();
507 #endif /* !OPENSSL_NO_ENGINE && OPENSSL_VERSION_NUMBER < 0x10100000L */
508 CONF_modules_finish();
509 CONF_modules_unload(1);
510 CONF_modules_free();
511
512 EVP_cleanup();
513 ERR_free_strings();
514 CRYPTO_cleanup_all_ex_data();
515
516 ssl_initialized = 0;
517 }
518
519 /*
520 * Look up an OpenSSL engine by ID or by full path and load it as default
521 * engine. This works globally, not on specific SSL_CTX or SSL instances.
522 * OpenSSL must already have been initialized when calling this function.
523 * Returns 0 on success, -1 on failure.
524 */
525 #ifndef OPENSSL_NO_ENGINE
526 int
ssl_engine(const char * name)527 ssl_engine(const char *name) {
528 ENGINE *engine;
529
530 engine = ENGINE_by_id(name);
531 if (!engine)
532 return -1;
533
534 if (!ENGINE_set_default(engine, ENGINE_METHOD_ALL))
535 return -1;
536 return 0;
537 }
538 #endif /* !OPENSSL_NO_ENGINE */
539
540 /*
541 * Format raw SHA1 hash into newly allocated string, with or without colons.
542 */
543 char *
ssl_sha1_to_str(unsigned char * rawhash,int colons)544 ssl_sha1_to_str(unsigned char *rawhash, int colons)
545 {
546 char *str;
547 int rv;
548
549 rv = asprintf(&str, colons ?
550 "%02X:%02X:%02X:%02X:%02X:%02X:%02X:%02X:%02X:%02X:"
551 "%02X:%02X:%02X:%02X:%02X:%02X:%02X:%02X:%02X:%02X" :
552 "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X"
553 "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X",
554 rawhash[ 0], rawhash[ 1], rawhash[ 2], rawhash[ 3],
555 rawhash[ 4], rawhash[ 5], rawhash[ 6], rawhash[ 7],
556 rawhash[ 8], rawhash[ 9], rawhash[10], rawhash[11],
557 rawhash[12], rawhash[13], rawhash[14], rawhash[15],
558 rawhash[16], rawhash[17], rawhash[18], rawhash[19]);
559 if (rv == -1)
560 return NULL;
561 return str;
562 }
563
564 /*
565 * Format SSL state into newly allocated string.
566 * Returns pointer to string that must be freed by caller, or NULL on error.
567 */
568 char *
ssl_ssl_state_to_str(SSL * ssl)569 ssl_ssl_state_to_str(SSL *ssl)
570 {
571 char *str = NULL;
572 int rv;
573
574 rv = asprintf(&str, "%08x = %s%s%04x = %s (%s) [%s]",
575 SSL_get_state(ssl),
576 (SSL_get_state(ssl) & SSL_ST_CONNECT) ? "SSL_ST_CONNECT|" : "",
577 (SSL_get_state(ssl) & SSL_ST_ACCEPT) ? "SSL_ST_ACCEPT|" : "",
578 SSL_get_state(ssl) & SSL_ST_MASK,
579 SSL_state_string(ssl),
580 SSL_state_string_long(ssl),
581 SSL_is_server(ssl) ? "accept socket" : "connect socket");
582
583 return (rv < 0) ? NULL : str;
584 }
585
586 /*
587 * Generates a NSS key log format compatible string containing the client
588 * random and the master key, intended to be used to decrypt externally
589 * captured network traffic using tools like Wireshark.
590 *
591 * Only supports the CLIENT_RANDOM method (SSL 3.0 - TLS 1.2).
592 *
593 * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
594 */
595 char *
ssl_ssl_masterkey_to_str(SSL * ssl)596 ssl_ssl_masterkey_to_str(SSL *ssl)
597 {
598 char *str = NULL;
599 int rv;
600 unsigned char *k, *r;
601 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
602 unsigned char kbuf[48], rbuf[32];
603 k = &kbuf[0];
604 r = &rbuf[0];
605 SSL_SESSION_get_master_key(SSL_get0_session(ssl), k, sizeof(kbuf));
606 SSL_get_client_random(ssl, r, sizeof(rbuf));
607 #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
608 k = ssl->session->master_key;
609 r = ssl->s3->client_random;
610 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
611 rv = asprintf(&str,
612 "CLIENT_RANDOM "
613 "%02X%02X%02X%02X%02X%02X%02X%02X"
614 "%02X%02X%02X%02X%02X%02X%02X%02X"
615 "%02X%02X%02X%02X%02X%02X%02X%02X"
616 "%02X%02X%02X%02X%02X%02X%02X%02X"
617 " "
618 "%02X%02X%02X%02X%02X%02X%02X%02X"
619 "%02X%02X%02X%02X%02X%02X%02X%02X"
620 "%02X%02X%02X%02X%02X%02X%02X%02X"
621 "%02X%02X%02X%02X%02X%02X%02X%02X"
622 "%02X%02X%02X%02X%02X%02X%02X%02X"
623 "%02X%02X%02X%02X%02X%02X%02X%02X"
624 "\n",
625 r[ 0], r[ 1], r[ 2], r[ 3], r[ 4], r[ 5], r[ 6], r[ 7],
626 r[ 8], r[ 9], r[10], r[11], r[12], r[13], r[14], r[15],
627 r[16], r[17], r[18], r[19], r[20], r[21], r[22], r[23],
628 r[24], r[25], r[26], r[27], r[28], r[29], r[30], r[31],
629 k[ 0], k[ 1], k[ 2], k[ 3], k[ 4], k[ 5], k[ 6], k[ 7],
630 k[ 8], k[ 9], k[10], k[11], k[12], k[13], k[14], k[15],
631 k[16], k[17], k[18], k[19], k[20], k[21], k[22], k[23],
632 k[24], k[25], k[26], k[27], k[28], k[29], k[30], k[31],
633 k[32], k[33], k[34], k[35], k[36], k[37], k[38], k[39],
634 k[40], k[41], k[42], k[43], k[44], k[45], k[46], k[47]);
635
636 return (rv < 0) ? NULL : str;
637 }
638
639 #ifndef OPENSSL_NO_DH
640 static unsigned char dh_g[] = { 0x02 };
641 static unsigned char dh512_p[] = {
642 0xAB, 0xC0, 0x34, 0x16, 0x95, 0x8B, 0x57, 0xE5, 0x5C, 0xB3, 0x4E, 0x6E,
643 0x16, 0x0B, 0x35, 0xC5, 0x6A, 0xCC, 0x4F, 0xD3, 0xE5, 0x46, 0xE2, 0x23,
644 0x6A, 0x5B, 0xBB, 0x5D, 0x3D, 0x52, 0xEA, 0xCE, 0x4F, 0x7D, 0xCA, 0xFF,
645 0xB4, 0x8B, 0xC9, 0x78, 0xDC, 0xA0, 0xFC, 0xBE, 0xF3, 0xB5, 0xE6, 0x61,
646 0xA6, 0x6D, 0x58, 0xFC, 0xA0, 0x0F, 0xF7, 0x9B, 0x97, 0xE6, 0xC7, 0xE8,
647 0x1F, 0xCD, 0x16, 0x73 };
648 static unsigned char dh1024_p[] = {
649 0x99, 0x28, 0x34, 0x48, 0x9E, 0xB7, 0xD1, 0x4F, 0x0D, 0x17, 0x09, 0x97,
650 0xB9, 0x9B, 0x20, 0xFE, 0xE5, 0x65, 0xE0, 0xE2, 0x56, 0x37, 0x80, 0xA2,
651 0x9F, 0x2C, 0x2D, 0x87, 0x10, 0x58, 0x39, 0xAD, 0xF3, 0xC5, 0xA9, 0x08,
652 0x24, 0xC7, 0xAA, 0xA9, 0x29, 0x3A, 0x13, 0xDF, 0x4E, 0x0A, 0x6D, 0x11,
653 0x39, 0xB1, 0x1C, 0x3F, 0xFE, 0xFE, 0x0A, 0x5E, 0xAD, 0x2E, 0x5C, 0x10,
654 0x97, 0x38, 0xAC, 0xE8, 0xEB, 0xAA, 0x4A, 0xA1, 0xC0, 0x5C, 0x1D, 0x27,
655 0x65, 0x9C, 0xC8, 0x53, 0xAC, 0x35, 0xDD, 0x84, 0x1F, 0x47, 0x0E, 0x04,
656 0xF1, 0x90, 0x61, 0x62, 0x2E, 0x29, 0x2C, 0xC6, 0x28, 0x91, 0x6D, 0xF0,
657 0xE2, 0x5E, 0xCE, 0x60, 0x3E, 0xF7, 0xF8, 0x37, 0x99, 0x4D, 0x9F, 0xFB,
658 0x68, 0xEC, 0x7F, 0x9D, 0x32, 0x74, 0xD1, 0xAA, 0xD4, 0x4C, 0xF5, 0xCD,
659 0xC2, 0xD7, 0xD7, 0xAC, 0xDA, 0x69, 0xF5, 0x2B };
660 static unsigned char dh2048_p[] = {
661 0xAB, 0x88, 0x97, 0xCA, 0xF1, 0xE1, 0x60, 0x39, 0xFA, 0xB1, 0xA8, 0x7D,
662 0xB3, 0x7A, 0x38, 0x08, 0xF0, 0x7A, 0x3D, 0x21, 0xC4, 0xE6, 0xB8, 0x32,
663 0x3D, 0xAB, 0x0F, 0xE7, 0x8C, 0xA1, 0x59, 0x47, 0xB2, 0x0A, 0x7A, 0x3A,
664 0x20, 0x2A, 0x1B, 0xD4, 0xBA, 0xFC, 0x4C, 0xC5, 0xEE, 0xA2, 0xB9, 0xB9,
665 0x65, 0x47, 0xCC, 0x13, 0x99, 0xD7, 0xA6, 0xCA, 0xFF, 0x23, 0x05, 0x91,
666 0xAB, 0x5C, 0x82, 0xB8, 0xB4, 0xFD, 0xB1, 0x2E, 0x5B, 0x0F, 0x8E, 0x03,
667 0x3C, 0x23, 0xD6, 0x6A, 0xE2, 0x83, 0x95, 0xD2, 0x8E, 0xEB, 0xDF, 0x3A,
668 0xAF, 0x89, 0xF0, 0xA0, 0x14, 0x09, 0x12, 0xF6, 0x54, 0x54, 0x93, 0xF4,
669 0xD4, 0x41, 0x56, 0x7A, 0x0E, 0x56, 0x20, 0x1F, 0x1D, 0xBA, 0x3F, 0x07,
670 0xD2, 0x89, 0x1B, 0x40, 0xD0, 0x1C, 0x08, 0xDF, 0x00, 0x7F, 0x34, 0xF4,
671 0x28, 0x4E, 0xF7, 0x53, 0x8D, 0x4A, 0x00, 0xC3, 0xC0, 0x89, 0x9E, 0x63,
672 0x96, 0xE9, 0x52, 0xDF, 0xA5, 0x2C, 0x00, 0x4E, 0xB0, 0x82, 0x6A, 0x10,
673 0x28, 0x8D, 0xB9, 0xE7, 0x7A, 0xCB, 0xC3, 0xD6, 0xC1, 0xC0, 0x4D, 0x91,
674 0xC4, 0x6F, 0xD3, 0x99, 0xD1, 0x86, 0x71, 0x67, 0x0A, 0xA1, 0xFC, 0xF4,
675 0x7D, 0x40, 0x88, 0x8D, 0xAC, 0xCB, 0xBC, 0xEA, 0x17, 0x85, 0x0B, 0xC6,
676 0x12, 0x3E, 0x4A, 0xB9, 0x60, 0x74, 0x93, 0x54, 0x14, 0x39, 0x10, 0xBF,
677 0x21, 0xB0, 0x8B, 0xB1, 0x55, 0x3F, 0xBB, 0x6A, 0x1F, 0x42, 0x82, 0x0A,
678 0x40, 0x3A, 0x15, 0xCD, 0xD3, 0x79, 0xD0, 0x02, 0xA4, 0xF5, 0x79, 0x78,
679 0x03, 0xBD, 0x47, 0xCC, 0xD5, 0x08, 0x6A, 0x46, 0xAE, 0x36, 0xE4, 0xCD,
680 0xB1, 0x17, 0x48, 0x30, 0xB4, 0x02, 0xBC, 0x50, 0x68, 0xE3, 0xA2, 0x76,
681 0xD0, 0x5C, 0xB9, 0xE6, 0xBE, 0x4C, 0xFD, 0x50, 0xEF, 0xD0, 0x3F, 0x39,
682 0x4F, 0x53, 0x16, 0x3B };
683 static unsigned char dh4096_p[] = {
684 0xB1, 0xCC, 0x09, 0x86, 0xEE, 0xF9, 0xB9, 0xC9, 0xB9, 0x87, 0xC4, 0xB9,
685 0xD7, 0x31, 0x95, 0x84, 0x94, 0x65, 0xED, 0x82, 0x64, 0x11, 0xA7, 0x0A,
686 0xFE, 0xC2, 0x60, 0xAE, 0x7C, 0x74, 0xFB, 0x72, 0x8F, 0x0D, 0xA6, 0xDD,
687 0x02, 0x49, 0x5B, 0x69, 0xD6, 0x96, 0x05, 0xBE, 0x5E, 0x9B, 0x09, 0x83,
688 0xD8, 0xF3, 0x91, 0x55, 0x30, 0x86, 0x97, 0x6C, 0x48, 0x7B, 0x99, 0x82,
689 0xCC, 0x1E, 0x1E, 0x25, 0xE6, 0x25, 0xCC, 0xA3, 0x66, 0xDE, 0x8A, 0x78,
690 0xEE, 0x7F, 0x4F, 0x86, 0x95, 0x06, 0xBE, 0x64, 0x86, 0xFD, 0x60, 0x6A,
691 0x3F, 0x0D, 0x8F, 0x62, 0x17, 0x89, 0xDB, 0xE1, 0x01, 0xC1, 0x75, 0x3A,
692 0x78, 0x42, 0xA8, 0x26, 0xEC, 0x00, 0x78, 0xF3, 0xDA, 0x40, 0x8D, 0x0D,
693 0x4D, 0x53, 0x82, 0xD7, 0x21, 0xC8, 0x46, 0xC9, 0xE3, 0x80, 0xB4, 0xCF,
694 0xEA, 0x46, 0x85, 0xE9, 0xC4, 0x9D, 0xD0, 0xC0, 0x4D, 0x27, 0x0F, 0xF8,
695 0x34, 0x3B, 0x86, 0x8F, 0xFC, 0x40, 0x56, 0x49, 0x64, 0x76, 0x61, 0xBC,
696 0x35, 0x6A, 0xB8, 0xC5, 0x32, 0x19, 0x00, 0x5E, 0x21, 0x1C, 0x34, 0xCB,
697 0x74, 0x5B, 0x60, 0x85, 0x8C, 0x38, 0x52, 0x50, 0x4D, 0xAA, 0x25, 0xE4,
698 0x1A, 0xE6, 0xE4, 0xDF, 0x0A, 0xD2, 0x8F, 0x2B, 0xD1, 0x35, 0xC7, 0x92,
699 0x7D, 0x6F, 0x54, 0x61, 0x8E, 0x3F, 0xFB, 0xE2, 0xC8, 0x81, 0xD0, 0xAC,
700 0x64, 0xE2, 0xA8, 0x30, 0xEA, 0x8E, 0xAD, 0xFE, 0xC0, 0x9E, 0x0B, 0xBF,
701 0x34, 0xAC, 0x79, 0x96, 0x38, 0x31, 0x1E, 0xEA, 0xF2, 0x7E, 0xEE, 0x0A,
702 0x10, 0x34, 0x7C, 0x1A, 0x30, 0x5F, 0xAF, 0x96, 0x2F, 0x7F, 0xB5, 0x1D,
703 0xA7, 0x3D, 0x35, 0x7A, 0x30, 0x70, 0x40, 0xE7, 0xD6, 0x22, 0x1E, 0xD0,
704 0x9A, 0x34, 0xC7, 0x6B, 0xE4, 0xF1, 0x78, 0xED, 0xD9, 0xCD, 0x18, 0xBF,
705 0x2A, 0x1A, 0x98, 0xB7, 0x6C, 0x6E, 0x18, 0x40, 0xB5, 0xBE, 0xDF, 0xE4,
706 0x78, 0x8E, 0x34, 0xB2, 0x7B, 0xE5, 0x88, 0xE6, 0xFD, 0x24, 0xBD, 0xBB,
707 0x2E, 0x30, 0x72, 0x54, 0xC7, 0xF4, 0xA0, 0xF1, 0x25, 0xFF, 0xB1, 0x37,
708 0x42, 0x07, 0x8C, 0xF2, 0xB9, 0xA1, 0xA4, 0xA7, 0x76, 0x39, 0xB8, 0x11,
709 0x17, 0xF3, 0xA8, 0x2E, 0x78, 0x68, 0xF4, 0xBF, 0x98, 0x25, 0x59, 0x17,
710 0x59, 0x9B, 0x0D, 0x0B, 0x9B, 0xE3, 0x0F, 0xFF, 0xDC, 0xC8, 0x47, 0x21,
711 0xE1, 0x0B, 0x9A, 0x44, 0x79, 0xC7, 0x5F, 0x8E, 0x83, 0x1E, 0x04, 0xA1,
712 0xB2, 0x9F, 0x9B, 0xFC, 0xB3, 0x4E, 0xD9, 0xF9, 0x8F, 0x03, 0xBC, 0x0A,
713 0x04, 0x00, 0x5C, 0x59, 0xB7, 0x51, 0xAA, 0x75, 0xF8, 0x7A, 0x03, 0x07,
714 0x81, 0x6D, 0x67, 0x3E, 0x28, 0x37, 0xE4, 0x74, 0x5B, 0x8C, 0x2A, 0x4B,
715 0x6C, 0x10, 0x92, 0x75, 0xA5, 0x79, 0x4B, 0x6D, 0x30, 0xB7, 0x6E, 0xD6,
716 0x9E, 0x16, 0xC2, 0x87, 0x69, 0x34, 0xFE, 0xD7, 0x2A, 0x4F, 0xD6, 0xC0,
717 0xF3, 0xCD, 0x9C, 0x46, 0xED, 0xC0, 0xB2, 0x84, 0x8D, 0x7E, 0x93, 0xD2,
718 0xE9, 0xBE, 0x59, 0x18, 0x92, 0xC1, 0x2C, 0xD6, 0x6C, 0x71, 0x50, 0xA1,
719 0x98, 0xDA, 0xD1, 0xAC, 0xDB, 0x88, 0x40, 0x1F, 0x69, 0xDC, 0xDB, 0xB2,
720 0xA0, 0x90, 0x01, 0x8E, 0x12, 0xD6, 0x40, 0x1A, 0x8E, 0xC5, 0x69, 0x9C,
721 0x91, 0x67, 0xAC, 0xD8, 0x4C, 0x27, 0xCD, 0x08, 0xB8, 0x32, 0x97, 0xE1,
722 0x13, 0x0C, 0xFF, 0xB1, 0x06, 0x65, 0x03, 0x98, 0x6F, 0x9E, 0xF7, 0xB8,
723 0xA8, 0x75, 0xBA, 0x59, 0xFD, 0x23, 0x98, 0x94, 0x80, 0x9C, 0xA7, 0x46,
724 0x32, 0x98, 0x28, 0x7A, 0x0A, 0x3A, 0xA6, 0x95, 0x16, 0x6A, 0x52, 0x8E,
725 0x8F, 0x2C, 0xC9, 0x49, 0xB7, 0x59, 0x99, 0x2A, 0xE6, 0xCA, 0x82, 0x88,
726 0x36, 0xD3, 0x2B, 0xA4, 0x73, 0xFA, 0x89, 0xBB,
727 };
728
729 /*
730 * OpenSSL temporary DH callback which loads DH parameters from static memory.
731 */
732 DH *
ssl_tmp_dh_callback(UNUSED SSL * s,int is_export,int keylength)733 ssl_tmp_dh_callback(UNUSED SSL *s, int is_export, int keylength)
734 {
735 DH *dh;
736 int rv = 0;
737
738 if (!(dh = DH_new())) {
739 log_err_printf("DH_new() failed\n");
740 return NULL;
741 }
742 switch (keylength) {
743 case 512:
744 rv = DH_set0_pqg(dh,
745 BN_bin2bn(dh512_p, sizeof(dh512_p), NULL),
746 NULL,
747 BN_bin2bn(dh_g, sizeof(dh_g), NULL));
748 break;
749 case 1024:
750 rv = DH_set0_pqg(dh,
751 BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL),
752 NULL,
753 BN_bin2bn(dh_g, sizeof(dh_g), NULL));
754 break;
755 case 2048:
756 rv = DH_set0_pqg(dh,
757 BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL),
758 NULL,
759 BN_bin2bn(dh_g, sizeof(dh_g), NULL));
760 break;
761 case 4096:
762 rv = DH_set0_pqg(dh,
763 BN_bin2bn(dh4096_p, sizeof(dh4096_p), NULL),
764 NULL,
765 BN_bin2bn(dh_g, sizeof(dh_g), NULL));
766 break;
767 default:
768 log_err_printf("Unhandled DH keylength %i%s\n",
769 keylength,
770 (is_export ? " (export)" : ""));
771 DH_free(dh);
772 return NULL;
773 }
774 if (!rv) {
775 log_err_printf("Failed to load DH p and g from memory\n");
776 DH_free(dh);
777 return NULL;
778 }
779 return(dh);
780 }
781
782 /*
783 * Load DH parameters from a PEM file.
784 * Not thread-safe.
785 */
786 DH *
ssl_dh_load(const char * filename)787 ssl_dh_load(const char *filename)
788 {
789 DH *dh;
790 FILE *fh;
791
792 if (ssl_init() == -1)
793 return NULL;
794
795 if (!(fh = fopen(filename, "r"))) {
796 return NULL;
797 }
798 dh = PEM_read_DHparams(fh, NULL, NULL, NULL);
799 fclose(fh);
800 return dh;
801 }
802 #endif /* !OPENSSL_NO_DH */
803
804 #ifndef OPENSSL_NO_EC
805 /*
806 * Load an Elliptic Curve by name. If curvename is NULL, a default curve is
807 * loaded.
808 */
809 EC_KEY *
ssl_ec_by_name(const char * curvename)810 ssl_ec_by_name(const char *curvename)
811 {
812 int nid;
813
814 if (!curvename)
815 curvename = DFLT_CURVE;
816
817 if ((nid = OBJ_sn2nid(curvename)) == NID_undef) {
818 return NULL;
819 }
820 return EC_KEY_new_by_curve_name(nid);
821 }
822 #endif /* !OPENSSL_NO_EC */
823
824 /*
825 * Add a X509v3 extension to a certificate and handle errors.
826 * Returns -1 on errors, 0 on success.
827 */
828 int
ssl_x509_v3ext_add(X509V3_CTX * ctx,X509 * crt,char * k,char * v)829 ssl_x509_v3ext_add(X509V3_CTX *ctx, X509 *crt, char *k, char *v)
830 {
831 X509_EXTENSION *ext;
832
833 if (!(ext = X509V3_EXT_conf(NULL, ctx, k, v))) {
834 return -1;
835 }
836 if (X509_add_ext(crt, ext, -1) != 1) {
837 X509_EXTENSION_free(ext);
838 return -1;
839 }
840 X509_EXTENSION_free(ext);
841 return 0;
842 }
843
844 /*
845 * Copy a X509v3 extension from one certificate to another.
846 * If the extension is not present in the original certificate,
847 * the extension will not be added to the destination certificate.
848 * Returns 1 if ext was copied, 0 if not present in origcrt, -1 on error.
849 */
850 int
ssl_x509_v3ext_copy_by_nid(X509 * crt,X509 * origcrt,int nid)851 ssl_x509_v3ext_copy_by_nid(X509 *crt, X509 *origcrt, int nid)
852 {
853 X509_EXTENSION *ext;
854 int pos;
855
856 pos = X509_get_ext_by_NID(origcrt, nid, -1);
857 if (pos == -1)
858 return 0;
859 ext = X509_get_ext(origcrt, pos);
860 if (!ext)
861 return -1;
862 if (X509_add_ext(crt, ext, -1) != 1)
863 return -1;
864 return 1;
865 }
866
867 /*
868 * Best effort randomness generator.
869 * Not for real life cryptography applications.
870 * Returns 0 on success, -1 on failure.
871 */
872 int
ssl_rand(void * p,size_t sz)873 ssl_rand(void *p, size_t sz)
874 {
875 int rv;
876
877 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
878 rv = RAND_pseudo_bytes((unsigned char*)p, sz);
879 if (rv == 1)
880 return 0;
881 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
882 rv = RAND_bytes((unsigned char*)p, sz);
883 if (rv == 1)
884 return 0;
885 return -1;
886 }
887
888 /*
889 * Copy the serial number from src certificate to dst certificate
890 * and modify it by a random offset.
891 * If reading the serial fails for some reason, generate a new
892 * random serial and store it in the dst certificate.
893 * Using the same serial is not a good idea since some SSL stacks
894 * check for duplicate certificate serials.
895 * Returns 0 on success, -1 on error.
896 */
897 int
ssl_x509_serial_copyrand(X509 * dstcrt,X509 * srccrt)898 ssl_x509_serial_copyrand(X509 *dstcrt, X509 *srccrt)
899 {
900 ASN1_INTEGER *srcptr, *dstptr;
901 BIGNUM *bnserial;
902 unsigned int rand;
903 int rv;
904
905 #ifndef PURIFY
906 rv = ssl_rand(&rand, sizeof(rand));
907 #else /* PURIFY */
908 rand = 0xF001;
909 rv = 0;
910 #endif /* PURIFY */
911 dstptr = X509_get_serialNumber(dstcrt);
912 srcptr = X509_get_serialNumber(srccrt);
913 if ((rv == -1) || !dstptr || !srcptr)
914 return -1;
915 bnserial = ASN1_INTEGER_to_BN(srcptr, NULL);
916 if (!bnserial) {
917 /* random 32-bit serial */
918 ASN1_INTEGER_set(dstptr, rand);
919 } else {
920 /* original serial plus random 32-bit offset */
921 BN_add_word(bnserial, rand);
922 BN_to_ASN1_INTEGER(bnserial, dstptr);
923 BN_free(bnserial);
924 }
925 return 0;
926 }
927
928 /*
929 * Returns the appropriate key usage strings for the type of server key.
930 * Return value should conceptually be const, but OpenSSL does not use const
931 * appropriately.
932 */
933 static char *
ssl_key_usage_for_key(EVP_PKEY * key)934 ssl_key_usage_for_key(EVP_PKEY *key)
935 {
936 switch (EVP_PKEY_type(EVP_PKEY_base_id(key))) {
937 #ifndef OPENSSL_NO_RSA
938 case EVP_PKEY_RSA:
939 return "keyEncipherment,digitalSignature";
940 #endif /* !OPENSSL_NO_RSA */
941 #ifndef OPENSSL_NO_DH
942 case EVP_PKEY_DH:
943 return "keyAgreement";
944 #endif /* !OPENSSL_NO_DH */
945 #ifndef OPENSSL_NO_DSA
946 case EVP_PKEY_DSA:
947 return "digitalSignature";
948 #endif /* !OPENSSL_NO_DSA */
949 #ifndef OPENSSL_NO_ECDSA
950 case EVP_PKEY_EC:
951 return "digitalSignature,keyAgreement";
952 #endif /* !OPENSSL_NO_ECDSA */
953 default:
954 return "keyEncipherment,keyAgreement,digitalSignature";
955 }
956 }
957
958 /*
959 * Create a fake X509v3 certificate, signed by the provided CA,
960 * based on the original certificate retrieved from the real server.
961 * The returned certificate is created using X509_new() and thus must
962 * be freed by the caller using X509_free().
963 * The optional argument extraname is added to subjectAltNames if provided.
964 */
965 X509 *
ssl_x509_forge(X509 * cacrt,EVP_PKEY * cakey,X509 * origcrt,EVP_PKEY * key,const char * extraname,const char * crlurl)966 ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt, EVP_PKEY *key,
967 const char *extraname, const char *crlurl)
968 {
969 X509_NAME *subject, *issuer;
970 GENERAL_NAMES *names;
971 GENERAL_NAME *gn;
972 X509 *crt;
973 int rv;
974
975 subject = X509_get_subject_name(origcrt);
976 issuer = X509_get_subject_name(cacrt);
977 if (!subject || !issuer)
978 return NULL;
979
980 crt = X509_new();
981 if (!crt)
982 return NULL;
983
984 if (!X509_set_version(crt, 0x02) ||
985 !X509_set_subject_name(crt, subject) ||
986 !X509_set_issuer_name(crt, issuer) ||
987 ssl_x509_serial_copyrand(crt, origcrt) == -1 ||
988 !X509_gmtime_adj(X509_get_notBefore(crt), (long)-60*60*24) ||
989 !X509_gmtime_adj(X509_get_notAfter(crt), (long)60*60*24*364) ||
990 !X509_set_pubkey(crt, key))
991 goto errout;
992
993 /* add standard v3 extensions; cf. RFC 2459 */
994
995 X509V3_CTX ctx;
996 X509V3_set_ctx(&ctx, cacrt, crt, NULL, NULL, 0);
997 if (ssl_x509_v3ext_add(&ctx, crt, "subjectKeyIdentifier",
998 "hash") == -1 ||
999 ssl_x509_v3ext_add(&ctx, crt, "authorityKeyIdentifier",
1000 "keyid,issuer:always") == -1)
1001 goto errout;
1002
1003 rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt,
1004 NID_basic_constraints);
1005 if (rv == 0)
1006 rv = ssl_x509_v3ext_add(&ctx, crt, "basicConstraints",
1007 "CA:FALSE");
1008 if (rv == -1)
1009 goto errout;
1010
1011 /* key usage depends on the key type, do not copy from original */
1012 rv = ssl_x509_v3ext_add(&ctx, crt, "keyUsage",
1013 ssl_key_usage_for_key(key));
1014 if (rv == -1)
1015 goto errout;
1016
1017 rv = ssl_x509_v3ext_copy_by_nid(crt, origcrt,
1018 NID_ext_key_usage);
1019 if (rv == 0)
1020 rv = ssl_x509_v3ext_add(&ctx, crt, "extendedKeyUsage",
1021 "serverAuth");
1022 if (rv == -1)
1023 goto errout;
1024
1025 if (crlurl) {
1026 char *crlurlval;
1027 if (asprintf(&crlurlval, "URI:%s", crlurl) < 0)
1028 goto errout;
1029 if (ssl_x509_v3ext_add(&ctx, crt, "crlDistributionPoints",
1030 crlurlval) == -1) {
1031 free(crlurlval);
1032 goto errout;
1033 }
1034 free(crlurlval);
1035 }
1036
1037 if (!extraname) {
1038 /* no extraname provided: copy original subjectAltName ext */
1039 if (ssl_x509_v3ext_copy_by_nid(crt, origcrt,
1040 NID_subject_alt_name) == -1)
1041 goto errout;
1042 } else {
1043 names = X509_get_ext_d2i(origcrt, NID_subject_alt_name, 0, 0);
1044 if (!names) {
1045 /* no subjectAltName present: add new one */
1046 char *cfval;
1047 if (asprintf(&cfval, "DNS:%s", extraname) < 0)
1048 goto errout;
1049 if (ssl_x509_v3ext_add(&ctx, crt, "subjectAltName",
1050 cfval) == -1) {
1051 free(cfval);
1052 goto errout;
1053 }
1054 free(cfval);
1055 } else {
1056 /* add extraname to original subjectAltName
1057 * and add it to the new certificate */
1058 gn = GENERAL_NAME_new();
1059 if (!gn)
1060 goto errout2;
1061 gn->type = GEN_DNS;
1062 gn->d.dNSName = ASN1_IA5STRING_new();
1063 if (!gn->d.dNSName)
1064 goto errout3;
1065 ASN1_STRING_set(gn->d.dNSName,
1066 (unsigned char *)extraname,
1067 strlen(extraname));
1068 sk_GENERAL_NAME_push(names, gn);
1069 X509_EXTENSION *ext = X509V3_EXT_i2d(
1070 NID_subject_alt_name, 0, names);
1071 if (!X509_add_ext(crt, ext, -1)) {
1072 if (ext) {
1073 X509_EXTENSION_free(ext);
1074 }
1075 goto errout3;
1076 }
1077 X509_EXTENSION_free(ext);
1078 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
1079 }
1080 }
1081 #ifdef DEBUG_CERTIFICATE
1082 ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PKGLABEL);
1083 #endif /* DEBUG_CERTIFICATE */
1084
1085 const EVP_MD *md;
1086 switch (EVP_PKEY_type(EVP_PKEY_base_id(cakey))) {
1087 #ifndef OPENSSL_NO_RSA
1088 case EVP_PKEY_RSA:
1089 switch (X509_get_signature_nid(origcrt)) {
1090 case NID_md5WithRSAEncryption:
1091 md = EVP_md5();
1092 break;
1093 case NID_ripemd160WithRSA:
1094 md = EVP_ripemd160();
1095 break;
1096 case NID_sha1WithRSAEncryption:
1097 md = EVP_sha1();
1098 break;
1099 case NID_sha224WithRSAEncryption:
1100 md = EVP_sha224();
1101 break;
1102 case NID_sha256WithRSAEncryption:
1103 md = EVP_sha256();
1104 break;
1105 case NID_sha384WithRSAEncryption:
1106 md = EVP_sha384();
1107 break;
1108 case NID_sha512WithRSAEncryption:
1109 md = EVP_sha512();
1110 break;
1111 #ifndef OPENSSL_NO_SHA0
1112 case NID_shaWithRSAEncryption:
1113 md = EVP_sha();
1114 break;
1115 #endif /* !OPENSSL_NO_SHA0 */
1116 default:
1117 md = EVP_sha256();
1118 break;
1119 }
1120 break;
1121 #endif /* !OPENSSL_NO_RSA */
1122 #ifndef OPENSSL_NO_DSA
1123 case EVP_PKEY_DSA:
1124 switch (X509_get_signature_nid(origcrt)) {
1125 case NID_dsaWithSHA1:
1126 case NID_dsaWithSHA1_2:
1127 md = EVP_sha1();
1128 break;
1129 case NID_dsa_with_SHA224:
1130 md = EVP_sha224();
1131 break;
1132 case NID_dsa_with_SHA256:
1133 md = EVP_sha256();
1134 break;
1135 #ifndef OPENSSL_NO_SHA0
1136 case NID_dsaWithSHA:
1137 md = EVP_sha();
1138 break;
1139 #endif /* !OPENSSL_NO_SHA0 */
1140 default:
1141 md = EVP_sha256();
1142 break;
1143 }
1144 break;
1145 #endif /* !OPENSSL_NO_DSA */
1146 #ifndef OPENSSL_NO_ECDSA
1147 case EVP_PKEY_EC:
1148 switch (X509_get_signature_nid(origcrt)) {
1149 case NID_ecdsa_with_SHA1:
1150 md = EVP_sha1();
1151 break;
1152 case NID_ecdsa_with_SHA224:
1153 md = EVP_sha224();
1154 break;
1155 case NID_ecdsa_with_SHA256:
1156 md = EVP_sha256();
1157 break;
1158 case NID_ecdsa_with_SHA384:
1159 md = EVP_sha384();
1160 break;
1161 case NID_ecdsa_with_SHA512:
1162 md = EVP_sha512();
1163 break;
1164 default:
1165 md = EVP_sha256();
1166 break;
1167 }
1168 break;
1169 #endif /* !OPENSSL_NO_ECDSA */
1170 default:
1171 goto errout;
1172 }
1173 if (!X509_sign(crt, cakey, md))
1174 goto errout;
1175
1176 return crt;
1177
1178 errout3:
1179 GENERAL_NAME_free(gn);
1180 errout2:
1181 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
1182 errout:
1183 X509_free(crt);
1184 return NULL;
1185 }
1186
1187 /*
1188 * Load a X509 certificate chain from a PEM file.
1189 * Returns the first certificate in *crt and all subsequent certificates in
1190 * *chain. If crt is NULL, the first certificate is prepended to *chain
1191 * instead of returned separately. If *chain is NULL, a new stack of X509*
1192 * is created in *chain, else the certs are pushed onto an existing stack.
1193 * Returns -1 on error.
1194 * Not thread-safe.
1195 *
1196 * By accessing (SSLCTX*)->extra_certs directly on OpenSSL before 1.0.2, we
1197 * depend on OpenSSL internals in this function. OpenSSL 1.0.2 introduced
1198 * the SSL_get0_chain_certs() API for accessing the certificate chain.
1199 */
1200 int
ssl_x509chain_load(X509 ** crt,STACK_OF (X509)** chain,const char * filename)1201 ssl_x509chain_load(X509 **crt, STACK_OF(X509) **chain, const char *filename)
1202 {
1203 X509 *tmpcrt;
1204 SSL_CTX *tmpctx;
1205 SSL *tmpssl;
1206 STACK_OF(X509) *tmpchain;
1207 int rv;
1208
1209 if (ssl_init() == -1)
1210 return -1;
1211
1212 tmpctx = SSL_CTX_new(SSLv23_server_method());
1213 if (!tmpctx)
1214 goto leave1;
1215
1216 rv = SSL_CTX_use_certificate_chain_file(tmpctx, filename);
1217 if (rv != 1)
1218 goto leave2;
1219 tmpssl = SSL_new(tmpctx);
1220 if (!tmpssl)
1221 goto leave2;
1222
1223 tmpcrt = SSL_get_certificate(tmpssl);
1224 if (!tmpcrt)
1225 goto leave3;
1226
1227 if (!*chain) {
1228 *chain = sk_X509_new_null();
1229 if (!*chain)
1230 goto leave3;
1231 }
1232
1233 #if (OPENSSL_VERSION_NUMBER < 0x1000200fL) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20902000L)
1234 tmpchain = tmpctx->extra_certs;
1235 #else /* OpenSSL >= 1.0.2 || LIBRESSL_VERSION_NUMBER >= 0x20902000L */
1236 rv = SSL_CTX_get0_chain_certs(tmpctx, &tmpchain);
1237 if (rv != 1)
1238 goto leave3;
1239 #endif /* OpenSSL >= 1.0.2 */
1240
1241 if (crt) {
1242 *crt = tmpcrt;
1243 } else {
1244 sk_X509_push(*chain, tmpcrt);
1245 }
1246 ssl_x509_refcount_inc(tmpcrt);
1247
1248 for (int i = 0; i < sk_X509_num(tmpchain); i++) {
1249 tmpcrt = sk_X509_value(tmpchain, i);
1250 ssl_x509_refcount_inc(tmpcrt);
1251 sk_X509_push(*chain, tmpcrt);
1252 }
1253 SSL_free(tmpssl);
1254 SSL_CTX_free(tmpctx);
1255 return 0;
1256
1257 leave3:
1258 SSL_free(tmpssl);
1259 leave2:
1260 SSL_CTX_free(tmpctx);
1261 leave1:
1262 return -1;
1263 }
1264
1265 /*
1266 * Use a X509 certificate chain for an SSL context.
1267 * Copies the certificate stack to the SSL_CTX internal data structures
1268 * and increases reference counts accordingly.
1269 */
1270 int
ssl_x509chain_use(SSL_CTX * sslctx,X509 * crt,STACK_OF (X509)* chain)1271 ssl_x509chain_use(SSL_CTX *sslctx, X509 *crt, STACK_OF(X509) *chain)
1272 {
1273 if (SSL_CTX_use_certificate(sslctx, crt) != 1)
1274 return -1;
1275
1276 for (int i = 0; i < sk_X509_num(chain); i++) {
1277 X509 *tmpcrt;
1278
1279 tmpcrt = sk_X509_value(chain, i);
1280 ssl_x509_refcount_inc(tmpcrt);
1281 if (SSL_CTX_add_extra_chain_cert(sslctx, tmpcrt) != 1)
1282 return -1;
1283 }
1284 return 0;
1285 }
1286
1287 /*
1288 * Load a X509 certificate from a PEM file.
1289 * Returned X509 must be freed using X509_free() by the caller.
1290 * Not thread-safe.
1291 */
1292 X509 *
ssl_x509_load(const char * filename)1293 ssl_x509_load(const char *filename)
1294 {
1295 X509 *crt = NULL;
1296 SSL_CTX *tmpctx;
1297 SSL *tmpssl;
1298 int rv;
1299
1300 if (ssl_init() == -1)
1301 return NULL;
1302
1303 tmpctx = SSL_CTX_new(SSLv23_server_method());
1304 if (!tmpctx)
1305 goto leave1;
1306 rv = SSL_CTX_use_certificate_file(tmpctx, filename, SSL_FILETYPE_PEM);
1307 if (rv != 1)
1308 goto leave2;
1309 tmpssl = SSL_new(tmpctx);
1310 if (!tmpssl)
1311 goto leave2;
1312 crt = SSL_get_certificate(tmpssl);
1313 if (crt)
1314 ssl_x509_refcount_inc(crt);
1315 SSL_free(tmpssl);
1316 leave2:
1317 SSL_CTX_free(tmpctx);
1318 leave1:
1319 return crt;
1320 }
1321
1322 /*
1323 * Load a private key from a PEM file.
1324 * Returned EVP_PKEY must be freed using EVP_PKEY_free() by the caller.
1325 * Not thread-safe.
1326 */
1327 EVP_PKEY *
ssl_key_load(const char * filename)1328 ssl_key_load(const char *filename)
1329 {
1330 EVP_PKEY *key = NULL;
1331 SSL_CTX *tmpctx;
1332 SSL *tmpssl;
1333 int rv;
1334
1335 if (ssl_init() == -1)
1336 return NULL;
1337
1338 tmpctx = SSL_CTX_new(SSLv23_server_method());
1339 if (!tmpctx)
1340 goto leave1;
1341 rv = SSL_CTX_use_PrivateKey_file(tmpctx, filename, SSL_FILETYPE_PEM);
1342 if (rv != 1)
1343 goto leave2;
1344 tmpssl = SSL_new(tmpctx);
1345 if (!tmpssl)
1346 goto leave2;
1347 key = SSL_get_privatekey(tmpssl);
1348 if (key)
1349 ssl_key_refcount_inc(key);
1350 SSL_free(tmpssl);
1351 leave2:
1352 SSL_CTX_free(tmpctx);
1353 leave1:
1354 return key;
1355 }
1356
1357 /*
1358 * Generate a new RSA key.
1359 * Returned EVP_PKEY must be freed using EVP_PKEY_free() by the caller.
1360 */
1361 EVP_PKEY *
ssl_key_genrsa(const int keysize)1362 ssl_key_genrsa(const int keysize)
1363 {
1364 EVP_PKEY *pkey;
1365 RSA *rsa;
1366
1367 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
1368 BIGNUM *bn;
1369 int rv;
1370 rsa = RSA_new();
1371 bn = BN_new();
1372 BN_dec2bn(&bn, "3");
1373 rv = RSA_generate_key_ex(rsa, keysize, bn, NULL);
1374 BN_free(bn);
1375 if (rv != 1) {
1376 RSA_free(rsa);
1377 return NULL;
1378 }
1379 #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
1380 rsa = RSA_generate_key(keysize, 3, NULL, NULL);
1381 if (!rsa)
1382 return NULL;
1383 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
1384 pkey = EVP_PKEY_new();
1385 EVP_PKEY_assign_RSA(pkey, rsa); /* does not increment refcount */
1386 return pkey;
1387 }
1388
1389 /*
1390 * Returns the subjectKeyIdentifier compatible key id of the public key.
1391 * keyid will receive a binary SHA-1 hash of SSL_KEY_IDSZ bytes.
1392 * Returns 0 on success, -1 on failure.
1393 */
1394 int
ssl_key_identifier_sha1(EVP_PKEY * key,unsigned char * keyid)1395 ssl_key_identifier_sha1(EVP_PKEY *key, unsigned char *keyid)
1396 {
1397 X509_PUBKEY *pubkey = NULL;
1398 const unsigned char *pk;
1399 int length;
1400
1401 /* X509_PUBKEY_set() will attempt to free pubkey if != NULL */
1402 if (X509_PUBKEY_set(&pubkey, key) != 1 || !pubkey)
1403 return -1;
1404 if (!X509_PUBKEY_get0_param(NULL, &pk, &length, NULL, pubkey))
1405 goto errout;
1406 if (!EVP_Digest(pk, length, keyid, NULL, EVP_sha1(), NULL))
1407 goto errout;
1408 X509_PUBKEY_free(pubkey);
1409 return 0;
1410
1411 errout:
1412 X509_PUBKEY_free(pubkey);
1413 return -1;
1414 }
1415
1416 /*
1417 * Returns the result of ssl_key_identifier_sha1() as hex characters with or
1418 * without colons in a newly allocated string.
1419 */
1420 char *
ssl_key_identifier(EVP_PKEY * key,int colons)1421 ssl_key_identifier(EVP_PKEY *key, int colons)
1422 {
1423 unsigned char id[SSL_KEY_IDSZ];
1424
1425 if (ssl_key_identifier_sha1(key, id) == -1)
1426 return NULL;
1427
1428 return ssl_sha1_to_str(id, colons);
1429 }
1430
1431 /*
1432 * Returns the one-line representation of the subject DN in a newly allocated
1433 * string which must be freed by the caller.
1434 */
1435 char *
ssl_x509_subject(X509 * crt)1436 ssl_x509_subject(X509 *crt)
1437 {
1438 return X509_NAME_oneline(X509_get_subject_name(crt), NULL, 0);
1439 }
1440
1441 /*
1442 * Parse the common name from the subject distinguished name.
1443 * Returns string allocated using malloc(), caller must free().
1444 * Returns NULL on errors.
1445 */
1446 char *
ssl_x509_subject_cn(X509 * crt,size_t * psz)1447 ssl_x509_subject_cn(X509 *crt, size_t *psz)
1448 {
1449 X509_NAME *ptr;
1450 char *cn;
1451 size_t sz;
1452
1453 ptr = X509_get_subject_name(crt); /* does not inc refcounts */
1454 if (!ptr)
1455 return NULL;
1456 sz = X509_NAME_get_text_by_NID(ptr, NID_commonName, NULL, 0) + 1;
1457 if ((sz == 0) || !(cn = malloc(sz)))
1458 return NULL;
1459 if (X509_NAME_get_text_by_NID(ptr, NID_commonName, cn, sz) == -1) {
1460 free(cn);
1461 return NULL;
1462 }
1463 *psz = sz;
1464 return cn;
1465 }
1466
1467 /*
1468 * Write the SHA1 fingerprint of certificate to fpr as SSL_X509_FPRSZ (20)
1469 * bytes long binary buffer.
1470 * Returns -1 on error, 0 on success.
1471 */
1472 int
ssl_x509_fingerprint_sha1(X509 * crt,unsigned char * fpr)1473 ssl_x509_fingerprint_sha1(X509 *crt, unsigned char *fpr)
1474 {
1475 unsigned int sz = SSL_X509_FPRSZ;
1476
1477 return X509_digest(crt, EVP_sha1(), fpr, &sz) ? 0 : -1;
1478 }
1479
1480 /*
1481 * Returns the result of ssl_x509_fingerprint_sha1() as hex characters with or
1482 * without colons in a newly allocated string.
1483 */
1484 char *
ssl_x509_fingerprint(X509 * crt,int colons)1485 ssl_x509_fingerprint(X509 *crt, int colons)
1486 {
1487 unsigned char fpr[SSL_X509_FPRSZ];
1488
1489 if (ssl_x509_fingerprint_sha1(crt, fpr) == -1)
1490 return NULL;
1491
1492 return ssl_sha1_to_str(fpr, colons);
1493 }
1494
1495 #ifndef OPENSSL_NO_DH
1496 /*
1497 * Increment the reference count of DH parameters in a thread-safe
1498 * manner.
1499 */
1500 void
ssl_dh_refcount_inc(DH * dh)1501 ssl_dh_refcount_inc(DH *dh)
1502 {
1503 #if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
1504 CRYPTO_add(&dh->references, 1, CRYPTO_LOCK_DH);
1505 #else /* !OPENSSL_THREADS */
1506 DH_up_ref(dh);
1507 #endif /* !OPENSSL_THREADS */
1508 }
1509 #endif /* !OPENSSL_NO_DH */
1510
1511 /*
1512 * Increment the reference count of an X509 certificate in a thread-safe
1513 * manner.
1514 */
1515 void
ssl_key_refcount_inc(EVP_PKEY * key)1516 ssl_key_refcount_inc(EVP_PKEY *key)
1517 {
1518 #if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
1519 CRYPTO_add(&key->references, 1, CRYPTO_LOCK_EVP_PKEY);
1520 #else /* !OPENSSL_THREADS */
1521 EVP_PKEY_up_ref(key);
1522 #endif /* !OPENSSL_THREADS */
1523 }
1524
1525 /*
1526 * Increment the reference count of an X509 certificate in a thread-safe
1527 * manner. This differs from X509_dup() in that it does not create new,
1528 * full copy of the certificate, but only increases the reference count.
1529 */
1530 void
ssl_x509_refcount_inc(X509 * crt)1531 ssl_x509_refcount_inc(X509 *crt)
1532 {
1533 #if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
1534 CRYPTO_add(&crt->references, 1, CRYPTO_LOCK_X509);
1535 #else /* !OPENSSL_THREADS */
1536 X509_up_ref(crt);
1537 #endif /* !OPENSSL_THREADS */
1538 }
1539
1540 /*
1541 * Match a URL/URI hostname against a single certificate DNS name
1542 * using RFC 6125 rules (6.4.3 Checking of Wildcard Certificates):
1543 *
1544 * 1. The client SHOULD NOT attempt to match a presented identifier in
1545 * which the wildcard character comprises a label other than the
1546 * left-most label (e.g., do not match bar.*.example.net).
1547 *
1548 * 2. If the wildcard character is the only character of the left-most
1549 * label in the presented identifier, the client SHOULD NOT compare
1550 * against anything but the left-most label of the reference
1551 * identifier (e.g., *.example.com would match foo.example.com but
1552 * not bar.foo.example.com or example.com).
1553 *
1554 * 3. The client MAY match a presented identifier in which the wildcard
1555 * character is not the only character of the label (e.g.,
1556 * baz*.example.net and *baz.example.net and b*z.example.net would
1557 * be taken to match baz1.example.net and foobaz.example.net and
1558 * buzz.example.net, respectively). However, the client SHOULD NOT
1559 * attempt to match a presented identifier where the wildcard
1560 * character is embedded within an A-label or U-label [IDNA-DEFS] of
1561 * an internationalized domain name [IDNA-PROTO].
1562 *
1563 * The optional partial matching in rule 3 is not implemented.
1564 * Returns 1 on match, 0 on no match.
1565 */
1566 int
ssl_dnsname_match(const char * certname,size_t certnamesz,const char * hostname,size_t hostnamesz)1567 ssl_dnsname_match(const char *certname, size_t certnamesz,
1568 const char *hostname, size_t hostnamesz)
1569 {
1570 if (hostnamesz < certnamesz)
1571 return 0;
1572 if ((hostnamesz == certnamesz) &&
1573 !memcmp(certname, hostname, certnamesz))
1574 return 1;
1575 if (!memcmp(certname, "xn--", 4))
1576 return 0;
1577 if ((certnamesz == 1) && (certname[0] == '*') &&
1578 !memchr(hostname, '.', hostnamesz))
1579 return 1;
1580 if ((certnamesz > 2) && (certname[0] == '*') && (certname[1] == '.') &&
1581 !memcmp(&certname[1],
1582 &hostname[hostnamesz - (certnamesz - 1)],
1583 certnamesz - 1) &&
1584 (memchr(hostname, '.', hostnamesz) ==
1585 &hostname[hostnamesz - (certnamesz - 1)]))
1586 return 1;
1587 return 0;
1588 }
1589
1590 /*
1591 * Transform a NULL-terminated hostname into a matching wildcard hostname,
1592 * e.g. "test.example.org" -> "*.example.org".
1593 * Returns string which must be free()'d by the caller, or NULL on error.
1594 */
1595 char *
ssl_wildcardify(const char * hostname)1596 ssl_wildcardify(const char *hostname)
1597 {
1598 char *dot, *wildcarded;
1599 size_t dotsz;
1600
1601 if (!(dot = strchr(hostname, '.')))
1602 return strdup("*");
1603 dotsz = strlen(dot);
1604 if (!(wildcarded = malloc(dotsz + 2)))
1605 return NULL;
1606 wildcarded[0] = '*';
1607 for (size_t i = 0; i < dotsz; i++) {
1608 wildcarded[i+1] = dot[i];
1609 }
1610 wildcarded[dotsz+1] = '\0';
1611 return wildcarded;
1612 }
1613
1614 /*
1615 * Match DNS name against certificate subject CN and subjectAltNames DNS names.
1616 * Returns 1 if any name matches, 0 if none matches.
1617 */
1618 int
ssl_x509_names_match(X509 * crt,const char * dnsname)1619 ssl_x509_names_match(X509 *crt, const char *dnsname)
1620 {
1621 GENERAL_NAMES *altnames;
1622 char *cn;
1623 size_t cnsz, dnsnamesz;
1624
1625 dnsnamesz = strlen(dnsname);
1626
1627 cn = ssl_x509_subject_cn(crt, &cnsz);
1628 if (cn && ssl_dnsname_match(cn, cnsz, dnsname, dnsnamesz)) {
1629 free(cn);
1630 return 1;
1631 }
1632 if (cn) {
1633 free(cn);
1634 }
1635
1636 altnames = X509_get_ext_d2i(crt, NID_subject_alt_name, 0, 0);
1637 if (!altnames)
1638 return 0;
1639 for (int i = 0; i < sk_GENERAL_NAME_num(altnames); i++) {
1640 GENERAL_NAME *gn = sk_GENERAL_NAME_value(altnames, i);
1641 if (gn->type == GEN_DNS) {
1642 unsigned char *altname;
1643 int altnamesz;
1644 ASN1_STRING_to_UTF8(&altname, gn->d.dNSName);
1645 altnamesz = ASN1_STRING_length(gn->d.dNSName);
1646 if (altnamesz < 0)
1647 break;
1648 if (ssl_dnsname_match((char *)altname,
1649 (size_t)altnamesz,
1650 dnsname, dnsnamesz)) {
1651 OPENSSL_free((char*)altname);
1652 GENERAL_NAMES_free(altnames);
1653 return 1;
1654 }
1655 OPENSSL_free((char*)altname);
1656 }
1657 }
1658 GENERAL_NAMES_free(altnames);
1659 return 0;
1660 }
1661
1662 /*
1663 * Returns a NULL terminated array of pointers to all common names found
1664 * in the Subject DN CN and subjectAltNames extension (DNSName only).
1665 * Caller must free returned buffer and all pointers within.
1666 * Embedded NULL characters in hostnames are replaced with '!'.
1667 */
1668 char **
ssl_x509_names(X509 * crt)1669 ssl_x509_names(X509 *crt)
1670 {
1671 GENERAL_NAMES *altnames;
1672 char *cn;
1673 size_t cnsz;
1674 char **res, **p;
1675 size_t count;
1676
1677 cn = ssl_x509_subject_cn(crt, &cnsz);
1678 altnames = X509_get_ext_d2i(crt, NID_subject_alt_name, NULL, NULL);
1679
1680 count = (altnames ? sk_GENERAL_NAME_num(altnames) : 0) + (cn ? 2 : 1);
1681 res = malloc(count * sizeof(char*));
1682 if (!res)
1683 return NULL;
1684 p = res;
1685 if (cn)
1686 *(p++) = cn;
1687 if (!altnames) {
1688 *p = NULL;
1689 return res;
1690 }
1691 for (int i = 0; i < sk_GENERAL_NAME_num(altnames); i++) {
1692 GENERAL_NAME *gn = sk_GENERAL_NAME_value(altnames, i);
1693 if (gn->type == GEN_DNS) {
1694 unsigned char *altname;
1695 int altnamesz;
1696
1697 ASN1_STRING_to_UTF8(&altname, gn->d.dNSName);
1698 if (!altname)
1699 break;
1700 altnamesz = ASN1_STRING_length(gn->d.dNSName);
1701 if (altnamesz < 0) {
1702 OPENSSL_free((char*)altname);
1703 break;
1704 }
1705 *p = malloc(altnamesz + 1);
1706 if (!*p) {
1707 OPENSSL_free((char*)altname);
1708 GENERAL_NAMES_free(altnames);
1709 for (p = res; *p; p++)
1710 free(*p);
1711 free(res);
1712 return NULL;
1713 }
1714 for (int j = 0; j < altnamesz; j++) {
1715 (*p)[j] = altname[j] ? altname[j] : '!';
1716 }
1717 (*p)[altnamesz] = '\0';
1718 OPENSSL_free((char*)altname);
1719 p++;
1720 }
1721 }
1722 *p = NULL;
1723 GENERAL_NAMES_free(altnames);
1724 return res;
1725 }
1726
1727 /*
1728 * Returns a printable representation of a certificate's common names found
1729 * in the Subject DN CN and subjectAltNames extension, separated by slashes.
1730 * Caller must free returned buffer.
1731 * Embedded NULL characters in hostnames are replaced with '!'.
1732 * If no CN and no subjectAltNames are found, returns "-".
1733 */
1734 char *
ssl_x509_names_to_str(X509 * crt)1735 ssl_x509_names_to_str(X509 *crt)
1736 {
1737 char **names;
1738 size_t sz;
1739 char *buf = NULL, *next;
1740
1741 names = ssl_x509_names(crt);
1742 if (!names)
1743 return strdup("-");
1744
1745 sz = 0;
1746 for (char **p = names; *p; p++) {
1747 sz += strlen(*p) + 1;
1748 }
1749 if (!sz) {
1750 buf = strdup("-");
1751 goto out1;
1752 }
1753
1754 if (!(buf = malloc(sz)))
1755 goto out2;
1756 next = buf;
1757 for (char **p = names; *p; p++) {
1758 char *src = *p;
1759 while (*src) {
1760 *next++ = *src++;
1761 }
1762 *next++ = '/';
1763 }
1764 *--next = '\0';
1765 out2:
1766 for (char **p = names; *p; p++)
1767 free(*p);
1768 out1:
1769 free(names);
1770 return buf;
1771 }
1772
1773 /*
1774 * Returns a zero-terminated buffer containing the ASN1 IA5 string.
1775 * Returned buffer must be free()'d by caller.
1776 */
1777 static char *
ssl_ia5string_strdup(ASN1_IA5STRING * ia5)1778 ssl_ia5string_strdup(ASN1_IA5STRING *ia5)
1779 {
1780 char *str;
1781
1782 if (!ia5 || !ia5->length)
1783 return NULL;
1784 str = malloc(ia5->length + 1);
1785 if (!str)
1786 return NULL;
1787 memcpy(str, ia5->data, ia5->length);
1788 str[ia5->length] = 0;
1789 return str;
1790 }
1791
1792 /*
1793 * Returns a NULL terminated array of pointers to copies of Authority
1794 * Information Access (AIA) URLs of a given type contained in the certificate.
1795 * Caller must free returned buffer and all pointers within.
1796 */
1797 char **
ssl_x509_aias(X509 * crt,const int type)1798 ssl_x509_aias(X509 *crt, const int type)
1799 {
1800 AUTHORITY_INFO_ACCESS *aias;
1801 char **res;
1802 int count, i, j;
1803
1804 aias = X509_get_ext_d2i(crt, NID_info_access, NULL, NULL);
1805 if (!aias || !(count = sk_ACCESS_DESCRIPTION_num(aias)))
1806 return NULL;
1807
1808 res = malloc((count + 1) * sizeof(char *));
1809 if (!res) {
1810 sk_ACCESS_DESCRIPTION_pop_free(aias, ACCESS_DESCRIPTION_free);
1811 return NULL;
1812 }
1813
1814 for (i = 0, j = 0; i < count; i++) {
1815 ACCESS_DESCRIPTION *aia;
1816
1817 aia = sk_ACCESS_DESCRIPTION_value(aias, i);
1818 if (aia &&
1819 OBJ_obj2nid(aia->method) == type &&
1820 aia->location->type == GEN_URI) {
1821 res[j] = ssl_ia5string_strdup(aia->location->d.ia5);
1822 if (res[j])
1823 j++;
1824 }
1825 }
1826 res[j] = NULL;
1827 sk_ACCESS_DESCRIPTION_pop_free(aias, ACCESS_DESCRIPTION_free);
1828 return res;
1829 }
1830
1831 /*
1832 * Returns a NULL terminated array of pointers to copies of Authority
1833 * Information Access (AIA) URLs of type OCSP contained in the certificate.
1834 * Caller must free returned buffer and all pointers within.
1835 */
1836 char **
ssl_x509_ocsps(X509 * crt)1837 ssl_x509_ocsps(X509 *crt)
1838 {
1839 return ssl_x509_aias(crt, NID_ad_OCSP);
1840 }
1841
1842 /*
1843 * Check whether the certificate is valid based on current time.
1844 * Return 1 if valid, 0 otherwise.
1845 */
1846 int
ssl_x509_is_valid(X509 * crt)1847 ssl_x509_is_valid(X509 *crt)
1848 {
1849 if (X509_cmp_current_time(X509_get_notAfter(crt)) <= 0)
1850 return 0;
1851 if (X509_cmp_current_time(X509_get_notBefore(crt)) > 0)
1852 return 0;
1853 return 1;
1854 }
1855
1856 /*
1857 * Print X509 certificate data to a newly allocated string.
1858 * Caller must free returned string.
1859 * Returns NULL on errors.
1860 */
1861 char *
ssl_x509_to_str(X509 * crt)1862 ssl_x509_to_str(X509 *crt)
1863 {
1864 BIO *bio;
1865 char *p, *ret;
1866 size_t sz;
1867
1868 bio = BIO_new(BIO_s_mem());
1869 if (!bio)
1870 return NULL;
1871 X509_print(bio, crt);
1872 sz = BIO_get_mem_data(bio, &p);
1873 if (!(ret = malloc(sz + 1))) {
1874 BIO_free(bio);
1875 return NULL;
1876 }
1877 memcpy(ret, p, sz);
1878 ret[sz] = '\0';
1879 BIO_free(bio);
1880 return ret;
1881 }
1882
1883 /*
1884 * Convert X509 certificate to PEM format in a newly allocated string.
1885 * Caller must free returned string.
1886 * Returns NULL on errors.
1887 */
1888 char *
ssl_x509_to_pem(X509 * crt)1889 ssl_x509_to_pem(X509 *crt)
1890 {
1891 BIO *bio;
1892 char *p, *ret;
1893 size_t sz;
1894
1895 bio = BIO_new(BIO_s_mem());
1896 if (!bio)
1897 return NULL;
1898 PEM_write_bio_X509(bio, crt);
1899 sz = BIO_get_mem_data(bio, &p);
1900 if (!(ret = malloc(sz + 1))) {
1901 BIO_free(bio);
1902 return NULL;
1903 }
1904 memcpy(ret, p, sz);
1905 ret[sz] = '\0';
1906 BIO_free(bio);
1907 return ret;
1908 }
1909
1910 /*
1911 * Print SSL_SESSION data to a newly allocated string.
1912 * Caller must free returned string.
1913 * Returns NULL on errors.
1914 */
1915 char *
ssl_session_to_str(SSL_SESSION * sess)1916 ssl_session_to_str(SSL_SESSION *sess)
1917 {
1918 BIO *bio;
1919 char *p, *ret;
1920 size_t sz;
1921
1922 bio = BIO_new(BIO_s_mem());
1923 if (!bio)
1924 return NULL;
1925 SSL_SESSION_print(bio, sess);
1926 sz = BIO_get_mem_data(bio, &p); /* sets p to internal buffer */
1927 if (!(ret = malloc(sz + 1))) {
1928 BIO_free(bio);
1929 return NULL;
1930 }
1931 memcpy(ret, p, sz);
1932 ret[sz] = '\0';
1933 BIO_free(bio);
1934 return ret;
1935 }
1936
1937 /*
1938 * Returns non-zero if the session timeout has not expired yet,
1939 * zero if the session has expired or an error occurred.
1940 */
1941 int
ssl_session_is_valid(SSL_SESSION * sess)1942 ssl_session_is_valid(SSL_SESSION *sess)
1943 {
1944 time_t curtimet;
1945 long curtime, timeout;
1946
1947 curtimet = time(NULL);
1948 if (curtimet == (time_t)-1)
1949 return 0;
1950 curtime = curtimet;
1951 if ((curtime < 0) || ((time_t)curtime != curtimet))
1952 return 0;
1953 timeout = SSL_SESSION_get_timeout(sess);
1954 if (curtime < timeout)
1955 return 0;
1956 return (SSL_SESSION_get_time(sess) > curtime - timeout);
1957 }
1958
1959 /*
1960 * Returns 1 if buf contains a DER encoded OCSP request which can be parsed.
1961 * Returns 0 otherwise.
1962 */
1963 int
ssl_is_ocspreq(const unsigned char * buf,size_t sz)1964 ssl_is_ocspreq(const unsigned char *buf, size_t sz)
1965 {
1966 OCSP_REQUEST *req;
1967 const unsigned char *p;
1968
1969 p = (const unsigned char *)buf;
1970 req = d2i_OCSP_REQUEST(NULL, &p, sz); /* increments p */
1971 if (!req)
1972 return 0;
1973 OCSP_REQUEST_free(req);
1974 return 1;
1975 }
1976
1977 /*
1978 * Ugly hack to manually parse a clientHello message from a memory buffer.
1979 * This is needed in order to be able to support SNI and STARTTLS.
1980 *
1981 * The OpenSSL SNI API only allows to read the indicated server name at the
1982 * time when we have to provide the server certificate. OpenSSL does not
1983 * allow to asynchronously read the indicated server name, wait for some
1984 * unrelated event to happen, and then later to provide the server certificate
1985 * to use and continue the handshake. Therefore we resort to parsing the
1986 * server name from the ClientHello manually before OpenSSL gets to work on it.
1987 *
1988 * For STARTTLS support in autossl mode, we need to peek into the buffer of
1989 * received octets and decide whether we have something that resembles a
1990 * (possibly incomplete) ClientHello message, so we can upgrade the connection
1991 * to SSL automatically.
1992 *
1993 * This function takes a buffer containing (part of) a ClientHello message as
1994 * seen on the network as input.
1995 *
1996 * Returns:
1997 * 1 if buf does not contain a complete ClientHello message;
1998 * *clienthello may point to the start of a truncated ClientHello message,
1999 * indicating that the caller should retry later with more bytes available
2000 * 0 if buf contains a complete ClientHello message;
2001 * *clienthello will point to the start of the complete ClientHello message
2002 *
2003 * If a servername pointer was supplied by the caller, and a server name
2004 * extension was found and parsed, the server name is returned in *servername
2005 * as a newly allocated string that must be freed by the caller. This may
2006 * only occur for a return value of 0.
2007 *
2008 * If search is non-zero, then the buffer will be searched for a ClientHello
2009 * message beginning at offsets >= 0, whereas if search is zero, only
2010 * ClientHello messages starting at offset 0 will be considered.
2011 *
2012 * This code currently supports SSL 2.0, SSL 3.0 and TLS 1.0-1.2.
2013 *
2014 * References:
2015 * draft-hickman-netscape-ssl-00: The SSL Protocol
2016 * RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
2017 * RFC 2246: The TLS Protocol Version 1.0
2018 * RFC 3546: Transport Layer Security (TLS) Extensions
2019 * RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1
2020 * RFC 4366: Transport Layer Security (TLS) Extensions
2021 * RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2
2022 * RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions
2023 */
2024 int
ssl_tls_clienthello_parse(const unsigned char * buf,ssize_t sz,int search,const unsigned char ** clienthello,char ** servername)2025 ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
2026 const unsigned char **clienthello, char **servername)
2027 {
2028 #ifdef DEBUG_CLIENTHELLO_PARSER
2029 #define DBG_printf(...) log_dbg_printf("ClientHello parser: " __VA_ARGS__)
2030 #else /* !DEBUG_CLIENTHELLO_PARSER */
2031 #define DBG_printf(...)
2032 #endif /* !DEBUG_CLIENTHELLO_PARSER */
2033 const unsigned char *p = buf;
2034 ssize_t n = sz;
2035 char *sn = NULL;
2036
2037 *clienthello = NULL;
2038
2039 DBG_printf("parsing buffer of sz %zd\n", sz);
2040
2041 do {
2042 if (*clienthello) {
2043 /*
2044 * Rewind after skipping an invalid ClientHello by
2045 * restarting the search one byte after the beginning
2046 * of the last candidate
2047 */
2048 p = (*clienthello) + 1;
2049 n = sz - (p - buf);
2050 if (sn) {
2051 free(sn);
2052 sn = NULL;
2053 }
2054 }
2055
2056 if (search) {
2057 /* Search for a potential ClientHello */
2058 while ((n > 0) && (*p != 0x16) && (*p != 0x80)) {
2059 p++; n--;
2060 }
2061 if (n <= 0) {
2062 /* Search completed without a match; reset
2063 * clienthello to NULL to indicate to the
2064 * caller that this buffer does not need to be
2065 * retried */
2066 DBG_printf("===> No match:"
2067 " rv 1, *clienthello NULL\n");
2068 *clienthello = NULL;
2069 return 1;
2070 }
2071 }
2072 *clienthello = p;
2073 DBG_printf("candidate at offset %td\n", p - buf);
2074
2075 DBG_printf("byte 0: %02x\n", *p);
2076 /* +0 0x80 +2 0x01 SSLv2 short header, clientHello;
2077 * +0 0x16 +1 0x03 SSLv3/TLSv1.x handshake, clientHello */
2078 if (*p == 0x80) {
2079 /* SSLv2 handled here */
2080 p++; n--;
2081
2082 if (n < 10) { /* length + 9 */
2083 DBG_printf("===> [SSLv2] Truncated:"
2084 " rv 1, *clienthello set\n");
2085 return 1;
2086 }
2087
2088 DBG_printf("length: %02x\n", p[0]);
2089 if (n - 1 < p[0]) {
2090 DBG_printf("===> [SSLv2] Truncated:"
2091 " rv 1, *clienthello set\n");
2092 return 1;
2093 }
2094 p++; n--;
2095
2096 DBG_printf("msgtype: %02x\n", p[0]);
2097 if (*p != 0x01)
2098 continue;
2099 p++; n--;
2100
2101 DBG_printf("version: %02x %02x\n", p[0], p[1]);
2102 /* byte order is actually swapped for SSLv2 */
2103 if (!(
2104 #ifdef HAVE_SSLV2
2105 (p[0] == 0x00 && p[1] == 0x02) ||
2106 #endif /* HAVE_SSLV2 */
2107 (p[0] == 0x03 && p[1] <= 0x03)))
2108 continue;
2109 p += 2; n -= 2;
2110
2111 DBG_printf("cipher-spec-len: %02x %02x\n", p[0], p[1]);
2112 ssize_t cipherspec_len = p[0] << 8 | p[1];
2113 p += 2; n -= 2;
2114
2115 DBG_printf("session-id-len: %02x %02x\n", p[0], p[1]);
2116 ssize_t sessionid_len = p[0] << 8 | p[1];
2117 p += 2; n -= 2;
2118
2119 DBG_printf("challenge-len: %02x %02x\n", p[0], p[1]);
2120 ssize_t challenge_len = p[0] << 8 | p[1];
2121 p += 2; n -= 2;
2122 if (challenge_len < 16 || challenge_len > 32)
2123 continue;
2124
2125 if (n < cipherspec_len
2126 + sessionid_len
2127 + challenge_len) {
2128 DBG_printf("===> [SSLv2] Truncated:"
2129 " rv 1, *clienthello set\n");
2130 return 1;
2131 }
2132
2133 p += cipherspec_len + sessionid_len + challenge_len;
2134 n -= cipherspec_len + sessionid_len + challenge_len;
2135 goto done_parsing;
2136 } else
2137 if (*p != 0x16) {
2138 /* this can only happen if search is 0 */
2139 DBG_printf("===> No match: rv 1, *clienthello NULL\n");
2140 *clienthello = NULL;
2141 return 1;
2142 }
2143 p++; n--;
2144
2145 if (n < 2) {
2146 DBG_printf("===> Truncated: rv 1, *clienthello set\n");
2147 return 1;
2148 }
2149 DBG_printf("version: %02x %02x\n", p[0], p[1]);
2150 /* This supports up to TLS 1.2 (0x03 0x03) and will need to be
2151 * updated for TLS 1.3 once that is standardized and still
2152 * compatible with this parser; remember to also update the
2153 * inner version check below */
2154 if (p[0] != 0x03 || p[1] > 0x03)
2155 continue;
2156 p += 2; n -= 2;
2157
2158 if (n < 2) {
2159 DBG_printf("===> Truncated: rv 1, *clienthello set\n");
2160 return 1;
2161 }
2162 DBG_printf("length: %02x %02x\n", p[0], p[1]);
2163 ssize_t recordlen = p[1] + (p[0] << 8);
2164 DBG_printf("recordlen=%zd\n", recordlen);
2165 p += 2; n -= 2;
2166 if (recordlen < 36) /* arbitrary size too small for a c-h */
2167 continue;
2168 if (n < recordlen) {
2169 DBG_printf("n < recordlen: n=%zd\n", n);
2170 DBG_printf("===> Truncated: rv 1, *clienthello set\n");
2171 return 1;
2172 }
2173
2174 /* from here we give up on a candidate if there is not enough
2175 * data available in the buffer, because we already checked the
2176 * availability of the whole record. */
2177
2178 if (n < 1)
2179 continue;
2180 DBG_printf("message type: %i\n", *p);
2181 if (*p != 0x01) /* message type: ClientHello */
2182 continue;
2183 p++; n--;
2184
2185 if (n < 3)
2186 continue;
2187 DBG_printf("message len: %02x %02x %02x\n", p[0], p[1], p[2]);
2188 ssize_t msglen = p[2] + (p[1] << 8) + (p[0] << 16);
2189 DBG_printf("msglen=%zd\n", msglen);
2190 p += 3; n -= 3;
2191 if (msglen < 32) /* arbitrary size too small for a c-h */
2192 continue;
2193 if (msglen != recordlen - 4) {
2194 DBG_printf("msglen != recordlen - 4\n");
2195 continue;
2196 }
2197 if (n < msglen)
2198 continue;
2199 n = msglen; /* only parse first message */
2200
2201 if (n < 2)
2202 continue;
2203 DBG_printf("clienthello version %02x %02x\n", p[0], p[1]);
2204 /* inner version check, see outer one above */
2205 if (p[0] != 0x03 || p[1] > 0x03)
2206 continue;
2207 p += 2; n -= 2;
2208
2209 if (n < 32)
2210 continue;
2211 DBG_printf("clienthello random %02x %02x %02x %02x ...\n",
2212 p[0], p[1], p[2], p[3]);
2213 DBG_printf("compare localtime: %08x\n",
2214 (unsigned int)time(NULL));
2215 p += 32; n -= 32;
2216
2217 if (n < 1)
2218 continue;
2219 DBG_printf("clienthello sidlen %02x\n", *p);
2220 ssize_t sidlen = *p; /* session id length, 0..32 */
2221 p += 1; n -= 1;
2222 if (n < sidlen)
2223 continue;
2224 p += sidlen; n -= sidlen;
2225
2226 if (n < 2)
2227 continue;
2228 DBG_printf("clienthello cipher suites length %02x %02x\n",
2229 p[0], p[1]);
2230 ssize_t suiteslen = p[1] + (p[0] << 8);
2231 p += 2; n -= 2;
2232 if (n < suiteslen)
2233 continue;
2234 p += suiteslen;
2235 n -= suiteslen;
2236
2237 if (n < 1)
2238 continue;
2239 DBG_printf("clienthello compress methods length %02x\n", *p);
2240 ssize_t compslen = *p;
2241 p++; n--;
2242 if (n < compslen)
2243 continue;
2244 p += compslen;
2245 n -= compslen;
2246
2247 /* begin of extensions */
2248
2249 if (n == 0) {
2250 /* valid ClientHello without extensions */
2251 DBG_printf("===> Match: rv 0, *clienthello set\n");
2252 if (servername)
2253 *servername = NULL;
2254 return 0;
2255 }
2256 if (n < 2)
2257 continue;
2258 DBG_printf("tlsexts length %02x %02x\n", p[0], p[1]);
2259 ssize_t tlsextslen = p[1] + (p[0] << 8);
2260 DBG_printf("tlsextslen %zd\n", tlsextslen);
2261 p += 2; n -= 2;
2262 if (n < tlsextslen)
2263 continue;
2264 n = tlsextslen; /* only parse exts, ignore trailing bits */
2265
2266 while (n > 0) {
2267 if (n < 4)
2268 goto continue_search;
2269 DBG_printf("tlsext type %02x %02x len %02x %02x\n",
2270 p[0], p[1], p[2], p[3]);
2271 unsigned short exttype = p[1] + (p[0] << 8);
2272 ssize_t extlen = p[3] + (p[2] << 8);
2273 p += 4; n -= 4;
2274 if (n < extlen)
2275 goto continue_search;
2276 switch (exttype) {
2277 case 0: {
2278 ssize_t extn = extlen;
2279 const unsigned char *extp = p;
2280
2281 if (extn < 2)
2282 goto continue_search;
2283 DBG_printf("list length %02x %02x\n",
2284 extp[0], extp[1]);
2285 ssize_t namelistlen = extp[1] + (extp[0] << 8);
2286 DBG_printf("namelistlen = %zd\n", namelistlen);
2287 extp += 2;
2288 extn -= 2;
2289
2290 if (namelistlen != extn)
2291 goto continue_search;
2292
2293 while (extn > 0) {
2294 if (extn < 3)
2295 goto continue_search;
2296 DBG_printf("ServerName type %02x"
2297 " len %02x %02x\n",
2298 extp[0], extp[1], extp[2]);
2299 unsigned char sntype = extp[0];
2300 ssize_t snlen = extp[2] + (extp[1]<<8);
2301 extp += 3;
2302 extn -= 3;
2303 if (snlen > extn)
2304 goto continue_search;
2305 if (snlen > TLSEXT_MAXLEN_host_name)
2306 goto continue_search;
2307 /*
2308 * We copy the first name only.
2309 * RFC 6066: "The ServerNameList MUST
2310 * NOT contain more than one name of
2311 * the same name_type."
2312 */
2313 if (servername &&
2314 sntype == 0 && sn == NULL) {
2315 sn = malloc(snlen + 1);
2316 memcpy(sn, extp, snlen);
2317 sn[snlen] = '\0';
2318 /* deliberately not checking
2319 * for malformed hostnames
2320 * containing invalid chars */
2321 }
2322 extp += snlen;
2323 extn -= snlen;
2324 }
2325 break;
2326 }
2327 default:
2328 DBG_printf("skipped\n");
2329 break;
2330 }
2331 p += extlen;
2332 n -= extlen;
2333 } /* while have more extensions */
2334
2335 done_parsing:
2336 ;
2337 #ifdef DEBUG_CLIENTHELLO_PARSER
2338 if (n > 0) {
2339 DBG_printf("unparsed next bytes %02x %02x %02x %02x\n",
2340 p[0], p[1], p[2], p[3]);
2341 }
2342 #endif /* DEBUG_CLIENTHELLO_PARSER */
2343 DBG_printf("%zd bytes unparsed\n", n);
2344
2345 /* Valid ClientHello with or without server name */
2346 DBG_printf("===> Match: rv 0, *clienthello set\n");
2347 if (servername)
2348 *servername = sn;
2349 return 0;
2350 continue_search:
2351 ;
2352 } while (search && n > 0);
2353
2354 /* No valid ClientHello messages found, not even a truncated one */
2355 DBG_printf("===> No match: rv 1, *clienthello NULL\n");
2356 *clienthello = NULL;
2357 if (sn) {
2358 free(sn);
2359 sn = NULL;
2360 }
2361 return 1;
2362 }
2363
2364 /* vim: set noet ft=c: */
2365