File: | src/lib/libssl/t1_lib.c |
Warning: | line 585, column 7 Although the value stored to 'rv' is used in the enclosing expression, the value is never actually read from 'rv' |
1 | /* $OpenBSD: t1_lib.c,v 1.185 2022/01/08 12:43:44 jsing Exp $ */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | * All rights reserved. |
4 | * |
5 | * This package is an SSL implementation written |
6 | * by Eric Young (eay@cryptsoft.com). |
7 | * The implementation was written so as to conform with Netscapes SSL. |
8 | * |
9 | * This library is free for commercial and non-commercial use as long as |
10 | * the following conditions are aheared to. The following conditions |
11 | * apply to all code found in this distribution, be it the RC4, RSA, |
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 | * included with this distribution is covered by the same copyright terms |
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 | * |
16 | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | * the code are not to be removed. |
18 | * If this package is used in a product, Eric Young should be given attribution |
19 | * as the author of the parts of the library used. |
20 | * This can be in the form of a textual message at program startup or |
21 | * in documentation (online or textual) provided with the package. |
22 | * |
23 | * Redistribution and use in source and binary forms, with or without |
24 | * modification, are permitted provided that the following conditions |
25 | * are met: |
26 | * 1. Redistributions of source code must retain the copyright |
27 | * notice, this list of conditions and the following disclaimer. |
28 | * 2. Redistributions in binary form must reproduce the above copyright |
29 | * notice, this list of conditions and the following disclaimer in the |
30 | * documentation and/or other materials provided with the distribution. |
31 | * 3. All advertising materials mentioning features or use of this software |
32 | * must display the following acknowledgement: |
33 | * "This product includes cryptographic software written by |
34 | * Eric Young (eay@cryptsoft.com)" |
35 | * The word 'cryptographic' can be left out if the rouines from the library |
36 | * being used are not cryptographic related :-). |
37 | * 4. If you include any Windows specific code (or a derivative thereof) from |
38 | * the apps directory (application code) you must include an acknowledgement: |
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 | * |
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 | * SUCH DAMAGE. |
52 | * |
53 | * The licence and distribution terms for any publically available version or |
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 | * copied and put under another distribution licence |
56 | * [including the GNU Public Licence.] |
57 | */ |
58 | /* ==================================================================== |
59 | * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. |
60 | * |
61 | * Redistribution and use in source and binary forms, with or without |
62 | * modification, are permitted provided that the following conditions |
63 | * are met: |
64 | * |
65 | * 1. Redistributions of source code must retain the above copyright |
66 | * notice, this list of conditions and the following disclaimer. |
67 | * |
68 | * 2. Redistributions in binary form must reproduce the above copyright |
69 | * notice, this list of conditions and the following disclaimer in |
70 | * the documentation and/or other materials provided with the |
71 | * distribution. |
72 | * |
73 | * 3. All advertising materials mentioning features or use of this |
74 | * software must display the following acknowledgment: |
75 | * "This product includes software developed by the OpenSSL Project |
76 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
77 | * |
78 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
79 | * endorse or promote products derived from this software without |
80 | * prior written permission. For written permission, please contact |
81 | * openssl-core@openssl.org. |
82 | * |
83 | * 5. Products derived from this software may not be called "OpenSSL" |
84 | * nor may "OpenSSL" appear in their names without prior written |
85 | * permission of the OpenSSL Project. |
86 | * |
87 | * 6. Redistributions of any form whatsoever must retain the following |
88 | * acknowledgment: |
89 | * "This product includes software developed by the OpenSSL Project |
90 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
91 | * |
92 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
93 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
94 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
95 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
96 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
97 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
98 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
99 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
101 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
102 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
103 | * OF THE POSSIBILITY OF SUCH DAMAGE. |
104 | * ==================================================================== |
105 | * |
106 | * This product includes cryptographic software written by Eric Young |
107 | * (eay@cryptsoft.com). This product includes software written by Tim |
108 | * Hudson (tjh@cryptsoft.com). |
109 | * |
110 | */ |
111 | |
112 | #include <stdio.h> |
113 | |
114 | #include <openssl/evp.h> |
115 | #include <openssl/hmac.h> |
116 | #include <openssl/objects.h> |
117 | #include <openssl/ocsp.h> |
118 | |
119 | #include "bytestring.h" |
120 | #include "ssl_locl.h" |
121 | #include "ssl_sigalgs.h" |
122 | #include "ssl_tlsext.h" |
123 | |
/* Forward declaration: defined below, after tls1_process_ticket(), which calls it. */
static int tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert,
    SSL_SESSION **psess);
126 | |
/*
 * Set up the TLS state for s. The SSLv3 layer is created first and the
 * method's clear hook is then run on it.
 *
 * Returns 1 on success, 0 if ssl3_new() fails.
 */
int
tls1_new(SSL *s)
{
	if (ssl3_new(s) == 0)
		return 0;

	s->method->ssl_clear(s);

	return 1;
}
135 | |
/*
 * Release the TLS state for s. A NULL s is accepted and ignored. The
 * stored session ticket buffer is freed before the SSLv3 layer is torn down.
 */
void
tls1_free(SSL *s)
{
	if (s != NULL) {
		free(s->internal->tlsext_session_ticket);
		ssl3_free(s);
	}
}
145 | |
/*
 * Reset s for reuse: clear the SSLv3 state, then take the protocol version
 * back from the method.
 */
void
tls1_clear(SSL *s)
{
	ssl3_clear(s);

	/* The version is always re-derived from the method after a clear. */
	s->version = s->method->version;
}
152 | |
/*
 * NID of each TLS named curve identifier, indexed by (curve_id - 1).
 * tls1_ec_curve_id2nid() reads this table; tls1_ec_nid2curve_id() is the
 * inverse mapping and must agree with it.
 */
static const int nid_list[] = {
	[0]  = NID_sect163k1,		/* sect163k1 (1) */
	[1]  = NID_sect163r1,		/* sect163r1 (2) */
	[2]  = NID_sect163r2,		/* sect163r2 (3) */
	[3]  = NID_sect193r1,		/* sect193r1 (4) */
	[4]  = NID_sect193r2,		/* sect193r2 (5) */
	[5]  = NID_sect233k1,		/* sect233k1 (6) */
	[6]  = NID_sect233r1,		/* sect233r1 (7) */
	[7]  = NID_sect239k1,		/* sect239k1 (8) */
	[8]  = NID_sect283k1,		/* sect283k1 (9) */
	[9]  = NID_sect283r1,		/* sect283r1 (10) */
	[10] = NID_sect409k1,		/* sect409k1 (11) */
	[11] = NID_sect409r1,		/* sect409r1 (12) */
	[12] = NID_sect571k1,		/* sect571k1 (13) */
	[13] = NID_sect571r1,		/* sect571r1 (14) */
	[14] = NID_secp160k1,		/* secp160k1 (15) */
	[15] = NID_secp160r1,		/* secp160r1 (16) */
	[16] = NID_secp160r2,		/* secp160r2 (17) */
	[17] = NID_secp192k1,		/* secp192k1 (18) */
	[18] = NID_X9_62_prime192v1,	/* secp192r1 (19) */
	[19] = NID_secp224k1,		/* secp224k1 (20) */
	[20] = NID_secp224r1,		/* secp224r1 (21) */
	[21] = NID_secp256k1,		/* secp256k1 (22) */
	[22] = NID_X9_62_prime256v1,	/* secp256r1 (23) */
	[23] = NID_secp384r1,		/* secp384r1 (24) */
	[24] = NID_secp521r1,		/* secp521r1 (25) */
	[25] = NID_brainpoolP256r1,	/* brainpoolP256r1 (26) */
	[26] = NID_brainpoolP384r1,	/* brainpoolP384r1 (27) */
	[27] = NID_brainpoolP512r1,	/* brainpoolP512r1 (28) */
	[28] = NID_X25519,		/* X25519 (29) */
};
184 | |
#if 0
/*
 * Full point format list. Compiled out; tls1_get_formatlist() falls back
 * to ecformats_default instead.
 */
static const uint8_t ecformats_list[] = {
	TLSEXT_ECPOINTFORMAT_uncompressed,
	TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
	TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2,
};
#endif
192 | |
/* Point formats used when no custom list has been configured: uncompressed only. */
static const uint8_t ecformats_default[] = {
	TLSEXT_ECPOINTFORMAT_uncompressed
};
196 | |
#if 0
/*
 * Complete group list in preference order. Compiled out; the shorter
 * eccurves_client_default / eccurves_server_default lists are used instead.
 */
static const uint16_t eccurves_list[] = {
	29,			/* X25519 */
	14, 13,			/* sect571r1, sect571k1 */
	25,			/* secp521r1 */
	28,			/* brainpoolP512r1 */
	11, 12,			/* sect409k1, sect409r1 */
	27,			/* brainpoolP384r1 */
	24,			/* secp384r1 */
	9, 10,			/* sect283k1, sect283r1 */
	26,			/* brainpoolP256r1 */
	22, 23,			/* secp256k1, secp256r1 */
	8,			/* sect239k1 */
	6, 7,			/* sect233k1, sect233r1 */
	20, 21,			/* secp224k1, secp224r1 */
	4, 5,			/* sect193r1, sect193r2 */
	18, 19,			/* secp192k1, secp192r1 */
	1, 2, 3,		/* sect163k1, sect163r1, sect163r2 */
	15, 16, 17,		/* secp160k1, secp160r1, secp160r2 */
};
#endif
230 | |
/*
 * Groups a client offers when none have been configured, most preferred
 * first (tls1_get_shared_curve() walks its preference list in order).
 */
static const uint16_t eccurves_client_default[] = {
	29,	/* X25519 */
	23,	/* secp256r1 */
	24,	/* secp384r1 */
	25,	/* secp521r1 */
};
237 | |
/*
 * Groups a server accepts when none have been configured, most preferred
 * first. Deliberately shorter than the client default.
 */
static const uint16_t eccurves_server_default[] = {
	29,	/* X25519 */
	23,	/* secp256r1 */
	24,	/* secp384r1 */
};
243 | |
/*
 * Map a TLS named curve identifier (draft-ietf-tls-ecc-12, 1-based) to its
 * NID via nid_list.
 *
 * Returns the NID, or 0 (NID_undef) for identifier 0 or any identifier past
 * the end of the table.
 */
int
tls1_ec_curve_id2nid(const uint16_t curve_id)
{
	const size_t ncurves = sizeof(nid_list) / sizeof(nid_list[0]);

	/* Identifiers start at 1; 0 and anything beyond the table are unknown. */
	if (curve_id == 0 || curve_id > ncurves)
		return 0;

	return nid_list[curve_id - 1];
}
253 | |
/*
 * Map a NID to its TLS named curve identifier (draft-ietf-tls-ecc-12); the
 * inverse of tls1_ec_curve_id2nid().
 *
 * Returns the 1-based identifier, or 0 if the NID is not a curve in
 * nid_list (NID_undef included).
 */
uint16_t
tls1_ec_nid2curve_id(const int nid)
{
	const size_t ncurves = sizeof(nid_list) / sizeof(nid_list[0]);
	size_t i;

	/* nid_list is ordered by identifier, so the identifier is index + 1. */
	for (i = 0; i < ncurves; i++) {
		if (nid_list[i] == nid)
			return (uint16_t)(i + 1);
	}

	return 0;
}
321 | |
/*
 * Select the point format list to use. With client_formats non-zero this is
 * the client/session list stored on s->session, which may be NULL with a
 * zero length. With client_formats zero it is the locally configured list,
 * or ecformats_default when none has been configured. *pformats and
 * *pformatslen are always written.
 */
void
tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
    size_t *pformatslen)
{
	if (client_formats == 0) {
		*pformats = s->internal->tlsext_ecpointformatlist;
		*pformatslen = s->internal->tlsext_ecpointformatlist_length;
		if (*pformats != NULL)
			return;

		/* No custom list configured: use the built-in default. */
		*pformats = ecformats_default;
		*pformatslen = sizeof(ecformats_default);
		return;
	}

	*pformats = s->session->tlsext_ecpointformatlist;
	*pformatslen = s->session->tlsext_ecpointformatlist_length;
}
344 | |
/*
 * Select the supported group list to use. With client_groups non-zero this
 * is the client/session list stored on s->session, which may be NULL with a
 * zero length. With client_groups zero it is the locally configured list,
 * or, when none has been configured, the built-in default for our role
 * (eccurves_server_default when s->server is set, eccurves_client_default
 * otherwise). *pgroups and *pgroupslen are always written.
 */
void
tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups,
    size_t *pgroupslen)
{
	if (client_groups != 0) {
		*pgroups = s->session->tlsext_supportedgroups;
		*pgroupslen = s->session->tlsext_supportedgroups_length;
		return;
	}

	*pgroups = s->internal->tlsext_supportedgroups;
	*pgroupslen = s->internal->tlsext_supportedgroups_length;
	if (*pgroups == NULL) {
		/* Nothing configured: client and server use different defaults. */
		if (s->server) {
			*pgroups = eccurves_server_default;
			*pgroupslen = sizeof(eccurves_server_default) /
			    sizeof(eccurves_server_default[0]);
		} else {
			*pgroups = eccurves_client_default;
			*pgroupslen = sizeof(eccurves_client_default) /
			    sizeof(eccurves_client_default[0]);
		}
	}
}
373 | |
/*
 * Replace *out_group_ids with the TLS curve identifiers for the ngroups NIDs
 * in groups.
 *
 * Returns 1 on success, having freed the previous *out_group_ids and stored
 * the new array (owned by the caller) and its length. Returns 0, leaving
 * *out_group_ids and *out_group_ids_len untouched, if allocation fails or
 * any NID has no TLS identifier.
 */
int
tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
    const int *groups, size_t ngroups)
{
	uint16_t *group_ids;
	size_t i;

	if ((group_ids = calloc(ngroups, sizeof(*group_ids))) == NULL)
		return 0;

	for (i = 0; i < ngroups; i++) {
		uint16_t curve_id = tls1_ec_nid2curve_id(groups[i]);

		/* One unknown NID rejects the whole list. */
		if (curve_id == 0) {
			free(group_ids);
			return 0;
		}
		group_ids[i] = curve_id;
	}

	/* Only now is the old list discarded; ownership of group_ids moves out. */
	free(*out_group_ids);
	*out_group_ids = group_ids;
	*out_group_ids_len = ngroups;

	return 1;
}
399 | |
/*
 * Resolve a group name to a NID, trying the object short name, then the long
 * name, then the NIST curve name. Returns NID_undef if none match.
 */
static int
tls1_group_name2nid(const char *name)
{
	int nid;

	if ((nid = OBJ_sn2nid(name)) != NID_undef)
		return nid;
	if ((nid = OBJ_ln2nid(name)) != NID_undef)
		return nid;
	return EC_curve_nist2nid(name);
}

/*
 * Replace *out_group_ids with the TLS curve identifiers named in the
 * colon-separated string groups.
 *
 * Returns 1 on success, having freed the previous *out_group_ids and stored
 * the new array (owned by the caller) and its length. Returns 0, leaving
 * *out_group_ids and *out_group_ids_len untouched, if strdup or
 * reallocarray fails, a name cannot be resolved, or a resolved NID has no
 * TLS identifier.
 */
int
tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
    const char *groups)
{
	uint16_t *group_ids = NULL, *tmp;
	size_t ngroups = 0;
	char *names, *rest, *name;
	int ret = 0;

	/* strsep() writes into the string, so work on a private copy. */
	if ((names = strdup(groups)) == NULL)
		return 0;

	rest = names;
	while ((name = strsep(&rest, ":")) != NULL) {
		int nid = tls1_group_name2nid(name);

		if (nid == NID_undef)
			goto done;

		if ((tmp = reallocarray(group_ids, ngroups + 1,
		    sizeof(*group_ids))) == NULL)
			goto done;
		group_ids = tmp;

		if ((group_ids[ngroups] = tls1_ec_nid2curve_id(nid)) == 0)
			goto done;

		ngroups++;
	}

	free(*out_group_ids);
	*out_group_ids = group_ids;
	*out_group_ids_len = ngroups;
	group_ids = NULL;	/* now owned by the caller; don't free below */
	ret = 1;

 done:
	free(names);
	free(group_ids);

	return ret;
}
447 | |
/*
 * Check whether curve_id is in our own (configured or default) group list.
 * Returns 1 if it is, 0 otherwise.
 */
int
tls1_check_curve(SSL *s, const uint16_t curve_id)
{
	const uint16_t *groups;
	size_t groupslen;

	tls1_get_group_list(s, 0, &groups, &groupslen);

	/* Membership only; scanning from the end gives the same answer. */
	while (groupslen > 0) {
		if (groups[--groupslen] == curve_id)
			return 1;
	}

	return 0;
}
463 | |
/*
 * Find the first group shared by client and server, server side only.
 * The client's list is the preference list unless
 * SSL_OP_CIPHER_SERVER_PREFERENCE is set, in which case ours is.
 *
 * Returns the NID of the first preferred group the other side also lists,
 * or NID_undef if there is none or s is a client.
 */
int
tls1_get_shared_curve(SSL *s)
{
	const uint16_t *pref, *supp;
	size_t preflen, supplen, i, j;
	int use_server_pref;

	if (s->server == 0)
		return NID_undef;

	use_server_pref =
	    (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0;

	/* client_groups=1 selects the session (client) list, 0 selects ours. */
	tls1_get_group_list(s, !use_server_pref, &pref, &preflen);
	tls1_get_group_list(s, use_server_pref, &supp, &supplen);

	for (i = 0; i < preflen; i++) {
		for (j = 0; j < supplen; j++) {
			if (pref[i] == supp[j])
				return tls1_ec_curve_id2nid(pref[i]);
		}
	}

	return NID_undef;
}
488 | |
/*
 * Derive the TLS curve identifier and, optionally, the point format
 * identifier for an EC key.
 *
 * *curve_id receives the named curve identifier, or 0xff01 / 0xff02
 * (explicit prime / characteristic-2 curve) when the group has no TLS
 * identifier. If comp_id is non-NULL, *comp_id receives the point format
 * matching the key's conversion form and field type.
 *
 * Returns 1 on success, 0 if ec is NULL, its group or method is missing, or
 * (when comp_id is requested) it has no public key.
 */
static int
tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
{
	const EC_GROUP *group;
	const EC_METHOD *method;
	int over_prime_field;

	if (ec == NULL)
		return 0;
	if ((group = EC_KEY_get0_group(ec)) == NULL)
		return 0;
	if ((method = EC_GROUP_method_of(group)) == NULL)
		return 0;
	over_prime_field =
	    EC_METHOD_get_field_type(method) == NID_X9_62_prime_field;

	/* NID_undef maps to 0, which selects the explicit-curve identifiers. */
	*curve_id = tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group));
	if (*curve_id == 0)
		*curve_id = over_prime_field ? 0xff01 : 0xff02;

	if (comp_id == NULL)
		return 1;

	if (EC_KEY_get0_public_key(ec) == NULL)
		return 0;

	if (EC_KEY_get_conv_form(ec) != POINT_CONVERSION_COMPRESSED)
		*comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
	else if (over_prime_field)
		*comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
	else
		*comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;

	return 1;
}
529 | |
/*
 * Check an EC key's curve and point format against the client's extensions.
 * A check is skipped when the corresponding id pointer is NULL or the
 * client sent no list (RFC 4492: absence means everything is supported).
 *
 * Returns 1 if both checks pass or are skipped, 0 otherwise.
 */
static int
tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
{
	const uint16_t *groups;
	const uint8_t *formats;
	size_t groupslen, formatslen, i;
	int found;

	tls1_get_formatlist(s, 1, &formats, &formatslen);
	if (comp_id != NULL && formats != NULL) {
		found = 0;
		for (i = 0; i < formatslen && !found; i++)
			found = (formats[i] == *comp_id);
		if (!found)
			return 0;
	}

	tls1_get_group_list(s, 1, &groups, &groupslen);
	if (curve_id != NULL && groups != NULL) {
		found = 0;
		for (i = 0; i < groupslen && !found; i++)
			found = (groups[i] == *curve_id);
		if (!found)
			return 0;
	}

	return 1;
}
567 | |
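/*
 * Check that the server's EC certificate key is usable with the client's
 * point format and supported group extensions.
 *
 * Returns 1 if the key's curve and point format are acceptable; 0 if there
 * is no EC certificate or private key, the public key cannot be extracted,
 * tls1_set_ec_id() fails, or tls1_check_ec_key() rejects the key.
 */
int
tls1_check_ec_server_key(SSL *s)
{
	SSL_CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
	uint16_t curve_id;
	uint8_t comp_id;
	EC_KEY *eckey;
	EVP_PKEY *pkey;

	if (cpk->x509 == NULL || cpk->privatekey == NULL)
		return 0;
	if ((pkey = X509_get0_pubkey(cpk->x509)) == NULL)
		return 0;
	if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
		return 0;
	/*
	 * The result is only used as a gate, so it is not kept in a local
	 * (the old 'rv' was a dead store flagged by static analysis).
	 */
	if (tls1_set_ec_id(&curve_id, &comp_id, eckey) != 1)
		return 0;

	return tls1_check_ec_key(s, &curve_id, &comp_id);
}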
590 | |
/*
 * Early ClientHello extension handling: run the servername callback, taken
 * from s->ctx if it has one, else from s->initial_ctx. The callback may set
 * the alert description through al (default SSL_AD_UNRECOGNIZED_NAME).
 *
 * Returns -1 after sending a fatal alert when the callback asks for one,
 * otherwise 1 (a warning alert is sent first if requested).
 */
int
ssl_check_clienthello_tlsext_early(SSL *s)
{
	int al = SSL_AD_UNRECOGNIZED_NAME;
	int ret = SSL_TLSEXT_ERR_NOACK;

	/*
	 * The ECPointFormats and EllipticCurves extensions are handled in
	 * ssl3_choose_cipher() in s3_lib.c, not here.
	 */
	if (s->ctx != NULL &&
	    s->ctx->internal->tlsext_servername_callback != NULL) {
		ret = s->ctx->internal->tlsext_servername_callback(s, &al,
		    s->ctx->internal->tlsext_servername_arg);
	} else if (s->initial_ctx != NULL &&
	    s->initial_ctx->internal->tlsext_servername_callback != NULL) {
		ret = s->initial_ctx->internal->tlsext_servername_callback(s,
		    &al, s->initial_ctx->internal->tlsext_servername_arg);
	}

	if (ret == SSL_TLSEXT_ERR_ALERT_FATAL) {
		ssl3_send_alert(s, SSL3_AL_FATAL, al);
		return -1;
	}
	if (ret == SSL_TLSEXT_ERR_ALERT_WARNING)
		ssl3_send_alert(s, SSL3_AL_WARNING, al);

	/* NOACK and any other result are not errors. */
	return 1;
}
623 | |
/*
 * Late ClientHello extension handling: decide whether a certificate status
 * response will be sent. This must run after the servername callbacks (the
 * certificate may have changed) and after the cipher has been chosen (which
 * affects which certificate is sent).
 *
 * Sets s->internal->tlsext_status_expected and, when the status callback is
 * consulted, points s->cert->key at the certificate that will be sent so
 * SSL_get_certificate() and friends see it.
 *
 * Returns -1 after sending a fatal internal_error alert if the status
 * callback reports SSL_TLSEXT_ERR_ALERT_FATAL, otherwise 1.
 */
int
ssl_check_clienthello_tlsext_late(SSL *s)
{
	SSL_CERT_PKEY *certpkey;
	int r;

	/* No status request, or no callback to ask: send no status. */
	if (s->tlsext_status_type == -1 || s->ctx == NULL ||
	    s->ctx->internal->tlsext_status_cb == NULL) {
		s->internal->tlsext_status_expected = 0;
		return 1;
	}

	/* Without a certificate there is no status to return. */
	if ((certpkey = ssl_get_server_send_pkey(s)) == NULL) {
		s->internal->tlsext_status_expected = 0;
		return 1;
	}

	s->cert->key = certpkey;

	r = s->ctx->internal->tlsext_status_cb(s,
	    s->ctx->internal->tlsext_status_arg);
	switch (r) {
	case SSL_TLSEXT_ERR_NOACK:
		/* Callback does not want a status response sent. */
		s->internal->tlsext_status_expected = 0;
		break;
	case SSL_TLSEXT_ERR_OK:
		/* Send one only if a response was actually provided. */
		s->internal->tlsext_status_expected =
		    (s->internal->tlsext_ocsp_resp != NULL);
		break;
	case SSL_TLSEXT_ERR_ALERT_FATAL:
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
		return -1;
	default:
		/* Any other result leaves tlsext_status_expected as it was. */
		break;
	}

	return 1;
}
684 | |
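/*
 * Client-side ServerHello extension handling. Runs the servername callback
 * (from s->ctx if it has one, else s->initial_ctx) and, if we requested a
 * certificate status that the server will not send, tells the status
 * callback so by invoking it with the stored OCSP response cleared.
 *
 * Returns -1 after sending a fatal alert when a callback asks for one,
 * otherwise 1 (a warning alert is sent first if the servername callback
 * requests it).
 */
int
ssl_check_serverhello_tlsext(SSL *s)
{
	/*
	 * Start from OK directly; the previous NOACK initialiser was
	 * overwritten before it was ever read.
	 */
	int ret = SSL_TLSEXT_ERR_OK;
	int al = SSL_AD_UNRECOGNIZED_NAME;

	if (s->ctx != NULL &&
	    s->ctx->internal->tlsext_servername_callback != NULL)
		ret = s->ctx->internal->tlsext_servername_callback(s, &al,
		    s->ctx->internal->tlsext_servername_arg);
	else if (s->initial_ctx != NULL &&
	    s->initial_ctx->internal->tlsext_servername_callback != NULL)
		ret = s->initial_ctx->internal->tlsext_servername_callback(s,
		    &al, s->initial_ctx->internal->tlsext_servername_arg);

	/*
	 * If we've requested a certificate status and won't get one, let the
	 * status callback know; it runs with an empty response.
	 */
	if (s->tlsext_status_type != -1 &&
	    !s->internal->tlsext_status_expected &&
	    s->ctx != NULL && s->ctx->internal->tlsext_status_cb != NULL) {
		int r;

		free(s->internal->tlsext_ocsp_resp);
		s->internal->tlsext_ocsp_resp = NULL;
		s->internal->tlsext_ocsp_resp_len = 0;

		r = s->ctx->internal->tlsext_status_cb(s,
		    s->ctx->internal->tlsext_status_arg);
		if (r == 0) {
			/* Callback rejected the (missing) status. */
			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
		} else if (r < 0) {
			/* Callback itself failed. */
			al = SSL_AD_INTERNAL_ERROR;
			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
		}
	}

	switch (ret) {
	case SSL_TLSEXT_ERR_ALERT_FATAL:
		ssl3_send_alert(s, SSL3_AL_FATAL, al);
		return -1;
	case SSL_TLSEXT_ERR_ALERT_WARNING:
		ssl3_send_alert(s, SSL3_AL_WARNING, al);
		return 1;
	case SSL_TLSEXT_ERR_NOACK:
	default:
		return 1;
	}
}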
735 | |
/*
 * Look for a session ticket extension in a ClientHello and, if one is
 * present and usable, decrypt it. The server cache lookup happens early in
 * ClientHello processing and later steps depend on its result, so the
 * ticket has to be dealt with at the same point.
 *
 * ext_block: CBS over the ClientHello extensions block.
 * alert: (output) alert description, written on TLS1_TICKET_FATAL_ERROR.
 * ret: (output) the decrypted session on TLS1_TICKET_DECRYPTED, otherwise
 *     NULL.
 *
 * Returns:
 *   TLS1_TICKET_FATAL_ERROR   the extensions block or the ticket failed to
 *                             parse or decrypt.
 *   TLS1_TICKET_NONE          tickets are disabled (SSL_OP_NO_TICKET) or no
 *                             session ticket extension was found.
 *   TLS1_TICKET_EMPTY         a zero-length extension: the client accepts
 *                             tickets but has none to offer.
 *   TLS1_TICKET_NOT_DECRYPTED s->internal->tls_session_secret_cb is set, so
 *                             the ticket is deliberately not decrypted, or
 *                             tls_decrypt_ticket() could not decrypt it.
 *   TLS1_TICKET_DECRYPTED     *ret holds the session from the ticket.
 *
 * Side effects: s->internal->tlsext_ticket_expected is cleared on entry and
 * set to 1 on TLS1_TICKET_EMPTY, meaning the server must issue a new ticket;
 * tls_decrypt_ticket() may also set it (for instance when the ticket key
 * callback asks for a renewal).
 */
int
tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret)
{
	CBS extensions, ext_data;
	uint16_t ext_type = 0;
	int found = 0;

	s->internal->tlsext_ticket_expected = 0;
	*ret = NULL;

	/*
	 * With tickets disabled, behave as if none was sent so that stateful
	 * resumption is still possible.
	 */
	if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
		return TLS1_TICKET_NONE;

	/* An empty extensions block is valid and cannot hold a ticket. */
	if (CBS_len(ext_block) == 0)
		return TLS1_TICKET_NONE;

	if (!CBS_get_u16_length_prefixed(ext_block, &extensions)) {
		*alert = SSL_AD_DECODE_ERROR;
		return TLS1_TICKET_FATAL_ERROR;
	}

	/* Walk the extensions, stopping at the first session ticket. */
	while (!found && CBS_len(&extensions) > 0) {
		if (!CBS_get_u16(&extensions, &ext_type) ||
		    !CBS_get_u16_length_prefixed(&extensions, &ext_data)) {
			*alert = SSL_AD_DECODE_ERROR;
			return TLS1_TICKET_FATAL_ERROR;
		}
		found = (ext_type == TLSEXT_TYPE_session_ticket);
	}
	if (!found)
		return TLS1_TICKET_NONE;

	if (CBS_len(&ext_data) == 0) {
		/* The client accepts tickets but has none: we will issue one. */
		s->internal->tlsext_ticket_expected = 1;
		return TLS1_TICKET_EMPTY;
	}

	/*
	 * With an external master secret callback the ticket is left alone;
	 * report it as not decrypted so an abbreviated handshake can proceed
	 * using that mechanism instead.
	 */
	if (s->internal->tls_session_secret_cb != NULL)
		return TLS1_TICKET_NOT_DECRYPTED;

	return tls_decrypt_ticket(s, &ext_data, alert, ret);
}
829 | |
/* tls_decrypt_ticket attempts to decrypt a session ticket.
 *
 * NOTE(review): this listing was captured from a static-analyzer viewer that
 * prints each macro's expansion directly after its name (e.g. "NULL((void*)0)",
 * "TLS1_TICKET_FATAL_ERROR-1"); read "NAME<expansion>" as just NAME.
 *
 * The ticket body is expected to be laid out as
 *   key name (16 bytes) || IV || encrypted session || HMAC
 * with nothing following the HMAC. The HMAC is checked over key name, IV and
 * ciphertext before anything is decrypted (encrypt-then-MAC), so a forged or
 * corrupted ticket never reaches the cipher or the session parser.
 *
 * s: the connection; s->initial_ctx supplies either the static ticket keys or
 *     the tlsext_ticket_key_cb callback that selects them.
 * ticket: a CBS containing the body of the session ticket extension.
 * alert: (output) set to an alert description only when
 *     TLS1_TICKET_FATAL_ERROR is returned.
 * psess: (output) on return, if a ticket was decrypted, then this is set to
 *     point to the resulting session (ownership passes to the caller);
 *     on every other path it is left set to NULL.
 *
 * Returns:
 *   TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket;
 *       *alert is set (SSL_AD_INTERNAL_ERROR, or SSL_AD_DECODE_ERROR when
 *       bytes follow the HMAC).
 *   TLS1_TICKET_NOT_DECRYPTED: the ticket couldn't be decrypted (unknown key
 *       name, callback declined, HMAC mismatch, decryption/padding failure or
 *       unparseable session). Also sets s->internal->tlsext_ticket_expected
 *       so that a new ticket is sent.
 *   TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set.
 */
static int
tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
{
	CBS ticket_name, ticket_iv, ticket_encdata, ticket_hmac;
	SSL_SESSION *sess = NULL((void*)0);
	unsigned char *sdec = NULL((void*)0);	/* decrypted session, sdec_len bytes */
	size_t sdec_len = 0;
	const unsigned char *p;
	unsigned char hmac[EVP_MAX_MD_SIZE64];	/* recomputed MAC; hlen bytes used */
	HMAC_CTX *hctx = NULL((void*)0);
	EVP_CIPHER_CTX *cctx = NULL((void*)0);
	SSL_CTX *tctx = s->initial_ctx;
	int slen, hlen;		/* hlen is reused for the DecryptFinal length below */
	/* Alert for the fatal (err) path; only the trailing-data check overrides it. */
	int alert_desc = SSL_AD_INTERNAL_ERROR80;
	int ret = TLS1_TICKET_FATAL_ERROR-1;

	*psess = NULL((void*)0);

	/* The key name is a fixed 16 bytes in both the callback and static-key layouts. */
	if (!CBS_get_bytes(ticket, &ticket_name, 16))
		goto derr;

	/*
	 * Initialize session ticket encryption and HMAC contexts.
	 */
	if ((cctx = EVP_CIPHER_CTX_new()) == NULL((void*)0))
		goto err;
	if ((hctx = HMAC_CTX_new()) == NULL((void*)0))
		goto err;

	if (tctx->internal->tlsext_ticket_key_cb != NULL((void*)0)) {
		int rv;

		/*
		 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for
		 * the iv to tlsext_ticket_key_cb(). Since the total space
		 * required for a session cookie is never less than this,
		 * this check isn't too strict. The exact check comes later.
		 */
		if (CBS_len(ticket) < EVP_MAX_IV_LENGTH16)
			goto derr;

		/*
		 * The callback looks up the key by name and initialises both
		 * contexts; the trailing 0 selects decrypt mode. The casts drop
		 * const only to match the callback's prototype -- the callback
		 * is expected to treat name and iv as read-only.
		 * rv < 0: internal failure (fatal); rv == 0: key name unknown
		 * (not decryptable); rv == 2: decrypt, but issue a renewed
		 * ticket; any other positive value: decrypt as-is.
		 */
		if ((rv = tctx->internal->tlsext_ticket_key_cb(s,
		    (unsigned char *)CBS_data(&ticket_name),
		    (unsigned char *)CBS_data(ticket), cctx, hctx, 0)) < 0)
			goto err;
		if (rv == 0)
			goto derr;
		if (rv == 2) {
			/* Renew ticket. */
			s->internal->tlsext_ticket_expected = 1;
		}

		/*
		 * Now that the cipher context is initialised, we can extract
		 * the IV since its length is known.
		 */
		if (!CBS_get_bytes(ticket, &ticket_iv,
		    EVP_CIPHER_CTX_iv_length(cctx)))
			goto derr;
	} else {
		/*
		 * Static keys: AES-128-CBC for the session data and
		 * HMAC-SHA256 over the ticket. Check that the key name matches
		 * (CBS_mem_equal, not memcmp, so the compare is not
		 * data-dependent in timing).
		 */
		if (!CBS_mem_equal(&ticket_name,
		    tctx->internal->tlsext_tick_key_name,
		    sizeof(tctx->internal->tlsext_tick_key_name)))
			goto derr;
		if (!CBS_get_bytes(ticket, &ticket_iv,
		    EVP_CIPHER_iv_length(EVP_aes_128_cbc())))
			goto derr;
		if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL((void*)0),
		    tctx->internal->tlsext_tick_aes_key, CBS_data(&ticket_iv)))
			goto err;
		if (!HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key,
		    sizeof(tctx->internal->tlsext_tick_hmac_key), EVP_sha256(),
		    NULL((void*)0)))
			goto err;
	}

	/*
	 * Attempt to process session ticket.
	 */

	/* A negative size (e.g. no digest set on hctx) is an internal error. */
	if ((hlen = HMAC_size(hctx)(EVP_MD_size(HMAC_CTX_get_md((hctx))))) < 0)
		goto err;

	/* hlen is non-negative here, so the int/size_t comparison is safe. */
	if (hlen > CBS_len(ticket))
		goto derr;
	/* What remains is ciphertext followed by exactly hlen bytes of MAC. */
	if (!CBS_get_bytes(ticket, &ticket_encdata, CBS_len(ticket) - hlen))
		goto derr;
	if (!CBS_get_bytes(ticket, &ticket_hmac, hlen))
		goto derr;
	/* Trailing bytes are a malformed extension, not an undecryptable ticket. */
	if (CBS_len(ticket) != 0) {
		alert_desc = SSL_AD_DECODE_ERROR50;
		goto err;
	}

	/*
	 * Check HMAC of encrypted ticket. The MAC covers key name, IV and
	 * ciphertext, in that order, and is verified before any decryption.
	 */
	if (HMAC_Update(hctx, CBS_data(&ticket_name),
	    CBS_len(&ticket_name)) <= 0)
		goto err;
	if (HMAC_Update(hctx, CBS_data(&ticket_iv),
	    CBS_len(&ticket_iv)) <= 0)
		goto err;
	if (HMAC_Update(hctx, CBS_data(&ticket_encdata),
	    CBS_len(&ticket_encdata)) <= 0)
		goto err;
	if (HMAC_Final(hctx, hmac, &hlen) <= 0)
		goto err;

	/* Constant-time compare; a mismatch is "cannot decrypt", not fatal. */
	if (!CBS_mem_equal(&ticket_hmac, hmac, hlen))
		goto derr;

	/*
	 * Attempt to decrypt session data. The output buffer is sized to the
	 * ciphertext: with CBC and padding the update plus final output never
	 * exceeds the input. NOTE(review): a callback-selected cipher for
	 * which that does not hold would overflow sdec -- confirm against the
	 * callback contract.
	 */
	sdec_len = CBS_len(&ticket_encdata);
	if ((sdec = calloc(1, sdec_len)) == NULL((void*)0))
		goto err;
	if (EVP_DecryptUpdate(cctx, sdec, &slen, CBS_data(&ticket_encdata),
	    CBS_len(&ticket_encdata)) <= 0)
		goto derr;
	/* hlen now receives the final block's plaintext length. */
	if (EVP_DecryptFinal_ex(cctx, sdec + slen, &hlen) <= 0)
		goto derr;

	slen += hlen;

	/*
	 * For session parse failures, indicate that we need to send a new
	 * ticket.
	 */
	p = sdec;
	if ((sess = d2i_SSL_SESSION(NULL((void*)0), &p, slen)) == NULL((void*)0))
		goto derr;
	/* Hand the session to the caller; sess is cleared so done does not free it. */
	*psess = sess;
	sess = NULL((void*)0);

	ret = TLS1_TICKET_DECRYPTED3;
	goto done;

 derr:
	/*
	 * Not decryptable (unknown key, MAC mismatch, bad padding, unparseable
	 * session): drop any queued error, ask for a fresh ticket to be sent
	 * and let the caller proceed without the ticket. No alert is set.
	 */
	ERR_clear_error();
	s->internal->tlsext_ticket_expected = 1;
	ret = TLS1_TICKET_NOT_DECRYPTED2;
	goto done;

 err:
	/* Fatal: malformed extension or internal failure; report the alert. */
	*alert = alert_desc;
	ret = TLS1_TICKET_FATAL_ERROR-1;
	goto done;

 done:
	/*
	 * Common cleanup. freezero() wipes the decrypted session bytes before
	 * releasing them. sess is NULL on every path that reaches here
	 * (ownership moved to *psess above), so the final free is defensive.
	 */
	freezero(sdec, sdec_len);
	EVP_CIPHER_CTX_free(cctx);
	HMAC_CTX_free(hctx);
	SSL_SESSION_free(sess);

	return ret;
}