1 /* $OpenBSD: t1_lib.c,v 1.195 2022/08/17 18:45:25 tb Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
119 #include "bytestring.h"
120 #include "ssl_locl.h"
121 #include "ssl_sigalgs.h"
122 #include "ssl_tlsext.h"
124 static int tls_decrypt_ticket(SSL
*s
, CBS
*ticket
, int *alert
,
125 SSL_SESSION
**psess
);
132 s
->method
->ssl_clear(s
);
142 free(s
->internal
->tlsext_session_ticket
);
150 s
->version
= s
->method
->version
;
153 struct supported_group
{
159 * Supported groups (formerly known as named curves)
160 * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8
162 static const struct supported_group nid_list
[] = {
164 .nid
= NID_sect163k1
,
168 .nid
= NID_sect163r1
,
172 .nid
= NID_sect163r2
,
176 .nid
= NID_sect193r1
,
180 .nid
= NID_sect193r2
,
184 .nid
= NID_sect233k1
,
188 .nid
= NID_sect233r1
,
192 .nid
= NID_sect239k1
,
196 .nid
= NID_sect283k1
,
200 .nid
= NID_sect283r1
,
204 .nid
= NID_sect409k1
,
208 .nid
= NID_sect409r1
,
212 .nid
= NID_sect571k1
,
216 .nid
= NID_sect571r1
,
220 .nid
= NID_secp160k1
,
224 .nid
= NID_secp160r1
,
228 .nid
= NID_secp160r2
,
232 .nid
= NID_secp192k1
,
236 .nid
= NID_X9_62_prime192v1
, /* aka secp192r1 */
240 .nid
= NID_secp224k1
,
244 .nid
= NID_secp224r1
,
248 .nid
= NID_secp256k1
,
252 .nid
= NID_X9_62_prime256v1
, /* aka secp256r1 */
256 .nid
= NID_secp384r1
,
260 .nid
= NID_secp521r1
,
264 .nid
= NID_brainpoolP256r1
,
268 .nid
= NID_brainpoolP384r1
,
272 .nid
= NID_brainpoolP512r1
,
281 #define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))
284 static const uint8_t ecformats_list
[] = {
285 TLSEXT_ECPOINTFORMAT_uncompressed
,
286 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime
,
287 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
291 static const uint8_t ecformats_default
[] = {
292 TLSEXT_ECPOINTFORMAT_uncompressed
,
296 static const uint16_t ecgroups_list
[] = {
297 29, /* X25519 (29) */
298 14, /* sect571r1 (14) */
299 13, /* sect571k1 (13) */
300 25, /* secp521r1 (25) */
301 28, /* brainpoolP512r1 (28) */
302 11, /* sect409k1 (11) */
303 12, /* sect409r1 (12) */
304 27, /* brainpoolP384r1 (27) */
305 24, /* secp384r1 (24) */
306 9, /* sect283k1 (9) */
307 10, /* sect283r1 (10) */
308 26, /* brainpoolP256r1 (26) */
309 22, /* secp256k1 (22) */
310 23, /* secp256r1 (23) */
311 8, /* sect239k1 (8) */
312 6, /* sect233k1 (6) */
313 7, /* sect233r1 (7) */
314 20, /* secp224k1 (20) */
315 21, /* secp224r1 (21) */
316 4, /* sect193r1 (4) */
317 5, /* sect193r2 (5) */
318 18, /* secp192k1 (18) */
319 19, /* secp192r1 (19) */
320 1, /* sect163k1 (1) */
321 2, /* sect163r1 (2) */
322 3, /* sect163r2 (3) */
323 15, /* secp160k1 (15) */
324 16, /* secp160r1 (16) */
325 17, /* secp160r2 (17) */
329 static const uint16_t ecgroups_client_default
[] = {
330 29, /* X25519 (29) */
331 23, /* secp256r1 (23) */
332 24, /* secp384r1 (24) */
333 25, /* secp521r1 (25) */
336 static const uint16_t ecgroups_server_default
[] = {
337 29, /* X25519 (29) */
338 23, /* secp256r1 (23) */
339 24, /* secp384r1 (24) */
343 tls1_ec_group_id2nid(uint16_t group_id
, int *out_nid
)
347 if (group_id
>= NID_LIST_LEN
)
350 if ((nid
= nid_list
[group_id
].nid
) == 0)
359 tls1_ec_group_id2bits(uint16_t group_id
, int *out_bits
)
363 if (group_id
>= NID_LIST_LEN
)
366 if ((bits
= nid_list
[group_id
].bits
) == 0)
375 tls1_ec_nid2group_id(int nid
, uint16_t *out_group_id
)
382 for (group_id
= 0; group_id
< NID_LIST_LEN
; group_id
++) {
383 if (nid_list
[group_id
].nid
== nid
) {
384 *out_group_id
= group_id
;
393 * Return the appropriate format list. If client_formats is non-zero, return
394 * the client/session formats. Otherwise return the custom format list if one
395 * exists, or the default formats if a custom list has not been specified.
398 tls1_get_formatlist(const SSL
*s
, int client_formats
, const uint8_t **pformats
,
401 if (client_formats
!= 0) {
402 *pformats
= s
->session
->tlsext_ecpointformatlist
;
403 *pformatslen
= s
->session
->tlsext_ecpointformatlist_length
;
407 *pformats
= s
->internal
->tlsext_ecpointformatlist
;
408 *pformatslen
= s
->internal
->tlsext_ecpointformatlist_length
;
409 if (*pformats
== NULL
) {
410 *pformats
= ecformats_default
;
411 *pformatslen
= sizeof(ecformats_default
);
416 * Return the appropriate group list. If client_groups is non-zero, return
417 * the client/session groups. Otherwise return the custom group list if one
418 * exists, or the default groups if a custom list has not been specified.
421 tls1_get_group_list(const SSL
*s
, int client_groups
, const uint16_t **pgroups
,
424 if (client_groups
!= 0) {
425 *pgroups
= s
->session
->tlsext_supportedgroups
;
426 *pgroupslen
= s
->session
->tlsext_supportedgroups_length
;
430 *pgroups
= s
->internal
->tlsext_supportedgroups
;
431 *pgroupslen
= s
->internal
->tlsext_supportedgroups_length
;
432 if (*pgroups
!= NULL
)
436 *pgroups
= ecgroups_client_default
;
437 *pgroupslen
= sizeof(ecgroups_client_default
) / 2;
439 *pgroups
= ecgroups_server_default
;
440 *pgroupslen
= sizeof(ecgroups_server_default
) / 2;
445 tls1_get_group_lists(const SSL
*ssl
, const uint16_t **pref
, size_t *preflen
,
446 const uint16_t **supp
, size_t *supplen
)
448 unsigned long server_pref
;
450 /* Cannot do anything on the client side. */
454 server_pref
= (ssl
->internal
->options
& SSL_OP_CIPHER_SERVER_PREFERENCE
);
455 tls1_get_group_list(ssl
, (server_pref
== 0), pref
, preflen
);
456 tls1_get_group_list(ssl
, (server_pref
!= 0), supp
, supplen
);
462 tls1_group_id_present(uint16_t group_id
, const uint16_t *list
, size_t list_len
)
466 for (i
= 0; i
< list_len
; i
++) {
467 if (group_id
== list
[i
])
475 tls1_count_shared_groups(const SSL
*ssl
, size_t *out_count
)
477 size_t count
, preflen
, supplen
, i
;
478 const uint16_t *pref
, *supp
;
480 if (!tls1_get_group_lists(ssl
, &pref
, &preflen
, &supp
, &supplen
))
484 for (i
= 0; i
< preflen
; i
++) {
485 if (!tls1_group_id_present(pref
[i
], supp
, supplen
))
488 if (!ssl_security_shared_group(ssl
, pref
[i
]))
500 tls1_group_by_index(const SSL
*ssl
, size_t n
, int *out_nid
,
501 int (*ssl_security_fn
)(const SSL
*, uint16_t))
503 size_t count
, preflen
, supplen
, i
;
504 const uint16_t *pref
, *supp
;
506 if (!tls1_get_group_lists(ssl
, &pref
, &preflen
, &supp
, &supplen
))
510 for (i
= 0; i
< preflen
; i
++) {
511 if (!tls1_group_id_present(pref
[i
], supp
, supplen
))
514 if (!ssl_security_fn(ssl
, pref
[i
]))
518 return tls1_ec_group_id2nid(pref
[i
], out_nid
);
525 tls1_get_shared_group_by_index(const SSL
*ssl
, size_t index
, int *out_nid
)
527 return tls1_group_by_index(ssl
, index
, out_nid
,
528 ssl_security_shared_group
);
532 tls1_get_supported_group(const SSL
*ssl
, int *out_nid
)
534 return tls1_group_by_index(ssl
, 0, out_nid
,
535 ssl_security_supported_group
);
539 tls1_set_groups(uint16_t **out_group_ids
, size_t *out_group_ids_len
,
540 const int *groups
, size_t ngroups
)
545 if ((group_ids
= calloc(ngroups
, sizeof(uint16_t))) == NULL
)
548 for (i
= 0; i
< ngroups
; i
++) {
549 if (!tls1_ec_nid2group_id(groups
[i
], &group_ids
[i
])) {
555 free(*out_group_ids
);
556 *out_group_ids
= group_ids
;
557 *out_group_ids_len
= ngroups
;
563 tls1_set_group_list(uint16_t **out_group_ids
, size_t *out_group_ids_len
,
566 uint16_t *new_group_ids
, *group_ids
= NULL
;
571 if ((gs
= strdup(groups
)) == NULL
)
575 while ((p
= strsep(&q
, ":")) != NULL
) {
577 if (nid
== NID_undef
)
579 if (nid
== NID_undef
)
580 nid
= EC_curve_nist2nid(p
);
581 if (nid
== NID_undef
)
584 if ((new_group_ids
= reallocarray(group_ids
, ngroups
+ 1,
585 sizeof(uint16_t))) == NULL
)
587 group_ids
= new_group_ids
;
589 if (!tls1_ec_nid2group_id(nid
, &group_ids
[ngroups
]))
596 free(*out_group_ids
);
597 *out_group_ids
= group_ids
;
598 *out_group_ids_len
= ngroups
;
609 /* Check that a group is one of our preferences. */
611 tls1_check_group(SSL
*s
, uint16_t group_id
)
613 const uint16_t *groups
;
616 tls1_get_group_list(s
, 0, &groups
, &groupslen
);
618 for (i
= 0; i
< groupslen
; i
++) {
619 if (!ssl_security_supported_group(s
, groups
[i
]))
621 if (groups
[i
] == group_id
)
627 /* For an EC key set TLS ID and required compression based on parameters. */
629 tls1_set_ec_id(uint16_t *group_id
, uint8_t *comp_id
, EC_KEY
*ec
)
632 const EC_METHOD
*meth
;
639 /* Determine whether the group is defined over a prime field. */
640 if ((grp
= EC_KEY_get0_group(ec
)) == NULL
)
642 if ((meth
= EC_GROUP_method_of(grp
)) == NULL
)
644 prime_field
= (EC_METHOD_get_field_type(meth
) == NID_X9_62_prime_field
);
646 /* Determine group ID. */
647 nid
= EC_GROUP_get_curve_name(grp
);
648 /* If we have an ID set it, otherwise set arbitrary explicit group. */
649 if (!tls1_ec_nid2group_id(nid
, group_id
))
650 *group_id
= prime_field
? 0xff01 : 0xff02;
655 /* Specify the compression identifier. */
656 if (EC_KEY_get0_public_key(ec
) == NULL
)
658 *comp_id
= TLSEXT_ECPOINTFORMAT_uncompressed
;
659 if (EC_KEY_get_conv_form(ec
) == POINT_CONVERSION_COMPRESSED
) {
660 *comp_id
= TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
;
662 *comp_id
= TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime
;
668 /* Check that an EC key is compatible with extensions. */
670 tls1_check_ec_key(SSL
*s
, const uint16_t *group_id
, const uint8_t *comp_id
)
672 size_t groupslen
, formatslen
, i
;
673 const uint16_t *groups
;
674 const uint8_t *formats
;
677 * Check point formats extension if present, otherwise everything
678 * is supported (see RFC4492).
680 tls1_get_formatlist(s
, 1, &formats
, &formatslen
);
681 if (comp_id
!= NULL
&& formats
!= NULL
) {
682 for (i
= 0; i
< formatslen
; i
++) {
683 if (formats
[i
] == *comp_id
)
691 * Check group list if present, otherwise everything is supported.
693 tls1_get_group_list(s
, 1, &groups
, &groupslen
);
694 if (group_id
!= NULL
&& groups
!= NULL
) {
695 for (i
= 0; i
< groupslen
; i
++) {
696 if (groups
[i
] == *group_id
)
706 /* Check EC server key is compatible with client extensions. */
708 tls1_check_ec_server_key(SSL
*s
)
710 SSL_CERT_PKEY
*cpk
= s
->cert
->pkeys
+ SSL_PKEY_ECC
;
716 if (cpk
->x509
== NULL
|| cpk
->privatekey
== NULL
)
718 if ((pkey
= X509_get0_pubkey(cpk
->x509
)) == NULL
)
720 if ((eckey
= EVP_PKEY_get0_EC_KEY(pkey
)) == NULL
)
722 if (!tls1_set_ec_id(&group_id
, &comp_id
, eckey
))
725 return tls1_check_ec_key(s
, &group_id
, &comp_id
);
729 ssl_check_clienthello_tlsext_early(SSL
*s
)
731 int ret
= SSL_TLSEXT_ERR_NOACK
;
732 int al
= SSL_AD_UNRECOGNIZED_NAME
;
734 /* The handling of the ECPointFormats extension is done elsewhere, namely in
735 * ssl3_choose_cipher in s3_lib.c.
737 /* The handling of the EllipticCurves extension is done elsewhere, namely in
738 * ssl3_choose_cipher in s3_lib.c.
741 if (s
->ctx
!= NULL
&& s
->ctx
->internal
->tlsext_servername_callback
!= 0)
742 ret
= s
->ctx
->internal
->tlsext_servername_callback(s
, &al
,
743 s
->ctx
->internal
->tlsext_servername_arg
);
744 else if (s
->initial_ctx
!= NULL
&& s
->initial_ctx
->internal
->tlsext_servername_callback
!= 0)
745 ret
= s
->initial_ctx
->internal
->tlsext_servername_callback(s
, &al
,
746 s
->initial_ctx
->internal
->tlsext_servername_arg
);
749 case SSL_TLSEXT_ERR_ALERT_FATAL
:
750 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
752 case SSL_TLSEXT_ERR_ALERT_WARNING
:
753 ssl3_send_alert(s
, SSL3_AL_WARNING
, al
);
755 case SSL_TLSEXT_ERR_NOACK
:
762 ssl_check_clienthello_tlsext_late(SSL
*s
)
764 int ret
= SSL_TLSEXT_ERR_OK
;
765 int al
= 0; /* XXX gcc3 */
767 /* If status request then ask callback what to do.
768 * Note: this must be called after servername callbacks in case
769 * the certificate has changed, and must be called after the cipher
770 * has been chosen because this may influence which certificate is sent
772 if ((s
->tlsext_status_type
!= -1) &&
773 s
->ctx
&& s
->ctx
->internal
->tlsext_status_cb
) {
775 SSL_CERT_PKEY
*certpkey
;
776 certpkey
= ssl_get_server_send_pkey(s
);
777 /* If no certificate can't return certificate status */
778 if (certpkey
== NULL
) {
779 s
->internal
->tlsext_status_expected
= 0;
782 /* Set current certificate to one we will use so
783 * SSL_get_certificate et al can pick it up.
785 s
->cert
->key
= certpkey
;
786 r
= s
->ctx
->internal
->tlsext_status_cb(s
,
787 s
->ctx
->internal
->tlsext_status_arg
);
789 /* We don't want to send a status request response */
790 case SSL_TLSEXT_ERR_NOACK
:
791 s
->internal
->tlsext_status_expected
= 0;
793 /* status request response should be sent */
794 case SSL_TLSEXT_ERR_OK
:
795 if (s
->internal
->tlsext_ocsp_resp
)
796 s
->internal
->tlsext_status_expected
= 1;
798 s
->internal
->tlsext_status_expected
= 0;
800 /* something bad happened */
801 case SSL_TLSEXT_ERR_ALERT_FATAL
:
802 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
803 al
= SSL_AD_INTERNAL_ERROR
;
807 s
->internal
->tlsext_status_expected
= 0;
811 case SSL_TLSEXT_ERR_ALERT_FATAL
:
812 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
814 case SSL_TLSEXT_ERR_ALERT_WARNING
:
815 ssl3_send_alert(s
, SSL3_AL_WARNING
, al
);
823 ssl_check_serverhello_tlsext(SSL
*s
)
825 int ret
= SSL_TLSEXT_ERR_NOACK
;
826 int al
= SSL_AD_UNRECOGNIZED_NAME
;
828 ret
= SSL_TLSEXT_ERR_OK
;
830 if (s
->ctx
!= NULL
&& s
->ctx
->internal
->tlsext_servername_callback
!= 0)
831 ret
= s
->ctx
->internal
->tlsext_servername_callback(s
, &al
,
832 s
->ctx
->internal
->tlsext_servername_arg
);
833 else if (s
->initial_ctx
!= NULL
&& s
->initial_ctx
->internal
->tlsext_servername_callback
!= 0)
834 ret
= s
->initial_ctx
->internal
->tlsext_servername_callback(s
, &al
,
835 s
->initial_ctx
->internal
->tlsext_servername_arg
);
837 /* If we've requested certificate status and we wont get one
840 if ((s
->tlsext_status_type
!= -1) && !(s
->internal
->tlsext_status_expected
) &&
841 s
->ctx
&& s
->ctx
->internal
->tlsext_status_cb
) {
844 free(s
->internal
->tlsext_ocsp_resp
);
845 s
->internal
->tlsext_ocsp_resp
= NULL
;
846 s
->internal
->tlsext_ocsp_resp_len
= 0;
848 r
= s
->ctx
->internal
->tlsext_status_cb(s
,
849 s
->ctx
->internal
->tlsext_status_arg
);
851 al
= SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE
;
852 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
855 al
= SSL_AD_INTERNAL_ERROR
;
856 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
861 case SSL_TLSEXT_ERR_ALERT_FATAL
:
862 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
864 case SSL_TLSEXT_ERR_ALERT_WARNING
:
865 ssl3_send_alert(s
, SSL3_AL_WARNING
, al
);
867 case SSL_TLSEXT_ERR_NOACK
:
873 /* Since the server cache lookup is done early on in the processing of the
874 * ClientHello, and other operations depend on the result, we need to handle
875 * any TLS session ticket extension at the same time.
877 * ext_block: a CBS for the ClientHello extensions block.
878 * ret: (output) on return, if a ticket was decrypted, then this is set to
879 * point to the resulting session.
881 * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key
882 * ciphersuite, in which case we have no use for session tickets and one will
883 * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1.
886 * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket.
887 * TLS1_TICKET_NONE: no ticket was found (or was ignored, based on settings).
888 * TLS1_TICKET_EMPTY: a zero length extension was found, indicating that the
889 * client supports session tickets but doesn't currently have one to offer.
890 * TLS1_TICKET_NOT_DECRYPTED: either s->internal->tls_session_secret_cb was
891 * set, or a ticket was offered but couldn't be decrypted because of a
893 * TLS1_TICKET_DECRYPTED: a ticket was successfully decrypted and *ret was set.
896 * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue
897 * a new session ticket to the client because the client indicated support
898 * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have
899 * a session ticket or we couldn't use the one it gave us, or if
900 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
901 * Otherwise, s->internal->tlsext_ticket_expected is set to 0.
904 tls1_process_ticket(SSL
*s
, CBS
*ext_block
, int *alert
, SSL_SESSION
**ret
)
906 CBS extensions
, ext_data
;
907 uint16_t ext_type
= 0;
909 s
->internal
->tlsext_ticket_expected
= 0;
913 * If tickets disabled behave as if no ticket present to permit stateful
916 if (SSL_get_options(s
) & SSL_OP_NO_TICKET
)
917 return TLS1_TICKET_NONE
;
920 * An empty extensions block is valid, but obviously does not contain
923 if (CBS_len(ext_block
) == 0)
924 return TLS1_TICKET_NONE
;
926 if (!CBS_get_u16_length_prefixed(ext_block
, &extensions
)) {
927 *alert
= SSL_AD_DECODE_ERROR
;
928 return TLS1_TICKET_FATAL_ERROR
;
931 while (CBS_len(&extensions
) > 0) {
932 if (!CBS_get_u16(&extensions
, &ext_type
) ||
933 !CBS_get_u16_length_prefixed(&extensions
, &ext_data
)) {
934 *alert
= SSL_AD_DECODE_ERROR
;
935 return TLS1_TICKET_FATAL_ERROR
;
938 if (ext_type
== TLSEXT_TYPE_session_ticket
)
942 if (ext_type
!= TLSEXT_TYPE_session_ticket
)
943 return TLS1_TICKET_NONE
;
945 if (CBS_len(&ext_data
) == 0) {
947 * The client will accept a ticket but does not currently
950 s
->internal
->tlsext_ticket_expected
= 1;
951 return TLS1_TICKET_EMPTY
;
954 if (s
->internal
->tls_session_secret_cb
!= NULL
) {
956 * Indicate that the ticket could not be decrypted rather than
957 * generating the session from ticket now, trigger abbreviated
958 * handshake based on external mechanism to calculate the master
961 return TLS1_TICKET_NOT_DECRYPTED
;
964 return tls_decrypt_ticket(s
, &ext_data
, alert
, ret
);
967 /* tls_decrypt_ticket attempts to decrypt a session ticket.
969 * ticket: a CBS containing the body of the session ticket extension.
970 * psess: (output) on return, if a ticket was decrypted, then this is set to
971 * point to the resulting session.
974 * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket.
975 * TLS1_TICKET_NOT_DECRYPTED: the ticket couldn't be decrypted.
976 * TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set.
979 tls_decrypt_ticket(SSL
*s
, CBS
*ticket
, int *alert
, SSL_SESSION
**psess
)
981 CBS ticket_name
, ticket_iv
, ticket_encdata
, ticket_hmac
;
982 SSL_SESSION
*sess
= NULL
;
983 unsigned char *sdec
= NULL
;
985 const unsigned char *p
;
986 unsigned char hmac
[EVP_MAX_MD_SIZE
];
987 HMAC_CTX
*hctx
= NULL
;
988 EVP_CIPHER_CTX
*cctx
= NULL
;
989 SSL_CTX
*tctx
= s
->initial_ctx
;
991 int alert_desc
= SSL_AD_INTERNAL_ERROR
;
992 int ret
= TLS1_TICKET_FATAL_ERROR
;
996 if (!CBS_get_bytes(ticket
, &ticket_name
, 16))
1000 * Initialize session ticket encryption and HMAC contexts.
1002 if ((cctx
= EVP_CIPHER_CTX_new()) == NULL
)
1004 if ((hctx
= HMAC_CTX_new()) == NULL
)
1007 if (tctx
->internal
->tlsext_ticket_key_cb
!= NULL
) {
1011 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for
1012 * the iv to tlsext_ticket_key_cb(). Since the total space
1013 * required for a session cookie is never less than this,
1014 * this check isn't too strict. The exact check comes later.
1016 if (CBS_len(ticket
) < EVP_MAX_IV_LENGTH
)
1019 if ((rv
= tctx
->internal
->tlsext_ticket_key_cb(s
,
1020 (unsigned char *)CBS_data(&ticket_name
),
1021 (unsigned char *)CBS_data(ticket
), cctx
, hctx
, 0)) < 0)
1027 s
->internal
->tlsext_ticket_expected
= 1;
1031 * Now that the cipher context is initialised, we can extract
1032 * the IV since its length is known.
1034 if (!CBS_get_bytes(ticket
, &ticket_iv
,
1035 EVP_CIPHER_CTX_iv_length(cctx
)))
1038 /* Check that the key name matches. */
1039 if (!CBS_mem_equal(&ticket_name
,
1040 tctx
->internal
->tlsext_tick_key_name
,
1041 sizeof(tctx
->internal
->tlsext_tick_key_name
)))
1043 if (!CBS_get_bytes(ticket
, &ticket_iv
,
1044 EVP_CIPHER_iv_length(EVP_aes_128_cbc())))
1046 if (!EVP_DecryptInit_ex(cctx
, EVP_aes_128_cbc(), NULL
,
1047 tctx
->internal
->tlsext_tick_aes_key
, CBS_data(&ticket_iv
)))
1049 if (!HMAC_Init_ex(hctx
, tctx
->internal
->tlsext_tick_hmac_key
,
1050 sizeof(tctx
->internal
->tlsext_tick_hmac_key
), EVP_sha256(),
1056 * Attempt to process session ticket.
1059 if ((hlen
= HMAC_size(hctx
)) < 0)
1062 if (hlen
> CBS_len(ticket
))
1064 if (!CBS_get_bytes(ticket
, &ticket_encdata
, CBS_len(ticket
) - hlen
))
1066 if (!CBS_get_bytes(ticket
, &ticket_hmac
, hlen
))
1068 if (CBS_len(ticket
) != 0) {
1069 alert_desc
= SSL_AD_DECODE_ERROR
;
1073 /* Check HMAC of encrypted ticket. */
1074 if (HMAC_Update(hctx
, CBS_data(&ticket_name
),
1075 CBS_len(&ticket_name
)) <= 0)
1077 if (HMAC_Update(hctx
, CBS_data(&ticket_iv
),
1078 CBS_len(&ticket_iv
)) <= 0)
1080 if (HMAC_Update(hctx
, CBS_data(&ticket_encdata
),
1081 CBS_len(&ticket_encdata
)) <= 0)
1083 if (HMAC_Final(hctx
, hmac
, &hlen
) <= 0)
1086 if (!CBS_mem_equal(&ticket_hmac
, hmac
, hlen
))
1089 /* Attempt to decrypt session data. */
1090 sdec_len
= CBS_len(&ticket_encdata
);
1091 if ((sdec
= calloc(1, sdec_len
)) == NULL
)
1093 if (EVP_DecryptUpdate(cctx
, sdec
, &slen
, CBS_data(&ticket_encdata
),
1094 CBS_len(&ticket_encdata
)) <= 0)
1096 if (EVP_DecryptFinal_ex(cctx
, sdec
+ slen
, &hlen
) <= 0)
1102 * For session parse failures, indicate that we need to send a new
1106 if ((sess
= d2i_SSL_SESSION(NULL
, &p
, slen
)) == NULL
)
1111 ret
= TLS1_TICKET_DECRYPTED
;
1116 s
->internal
->tlsext_ticket_expected
= 1;
1117 ret
= TLS1_TICKET_NOT_DECRYPTED
;
1121 *alert
= alert_desc
;
1122 ret
= TLS1_TICKET_FATAL_ERROR
;
1126 freezero(sdec
, sdec_len
);
1127 EVP_CIPHER_CTX_free(cctx
);
1128 HMAC_CTX_free(hctx
);
1129 SSL_SESSION_free(sess
);