search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tzdata: update to 2018g
[unleashed.git] / lib / libssl / t1_lib.c
blob0a00e4da7fb6ecdcf22a4d5460cbe4293ccb24bf
1 /* $OpenBSD: t1_lib.c,v 1.144 2018/08/24 18:10:25 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
118
119 #include "ssl_locl.h"
120
121 #include "bytestring.h"
122 #include "ssl_tlsext.h"
123
124 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
125 const unsigned char *sess_id, int sesslen,
126 SSL_SESSION **psess);
127
128 SSL3_ENC_METHOD TLSv1_enc_data = {
129 .enc = tls1_enc,
130 .enc_flags = 0,
131 };
132
133 SSL3_ENC_METHOD TLSv1_1_enc_data = {
134 .enc = tls1_enc,
135 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV,
136 };
137
138 SSL3_ENC_METHOD TLSv1_2_enc_data = {
139 .enc = tls1_enc,
140 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|
141 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS,
142 };
143
144 long
145 tls1_default_timeout(void)
146 {
147 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148 * is way too long for http, the cache would over fill */
149 return (60 * 60 * 2);
150 }
151
152 int
153 tls1_new(SSL *s)
154 {
155 if (!ssl3_new(s))
156 return (0);
157 s->method->internal->ssl_clear(s);
158 return (1);
159 }
160
161 void
162 tls1_free(SSL *s)
163 {
164 if (s == NULL)
165 return;
166
167 free(s->internal->tlsext_session_ticket);
168 ssl3_free(s);
169 }
170
171 void
172 tls1_clear(SSL *s)
173 {
174 ssl3_clear(s);
175 s->version = s->method->internal->version;
176 }
177
178 static int nid_list[] = {
179 NID_sect163k1, /* sect163k1 (1) */
180 NID_sect163r1, /* sect163r1 (2) */
181 NID_sect163r2, /* sect163r2 (3) */
182 NID_sect193r1, /* sect193r1 (4) */
183 NID_sect193r2, /* sect193r2 (5) */
184 NID_sect233k1, /* sect233k1 (6) */
185 NID_sect233r1, /* sect233r1 (7) */
186 NID_sect239k1, /* sect239k1 (8) */
187 NID_sect283k1, /* sect283k1 (9) */
188 NID_sect283r1, /* sect283r1 (10) */
189 NID_sect409k1, /* sect409k1 (11) */
190 NID_sect409r1, /* sect409r1 (12) */
191 NID_sect571k1, /* sect571k1 (13) */
192 NID_sect571r1, /* sect571r1 (14) */
193 NID_secp160k1, /* secp160k1 (15) */
194 NID_secp160r1, /* secp160r1 (16) */
195 NID_secp160r2, /* secp160r2 (17) */
196 NID_secp192k1, /* secp192k1 (18) */
197 NID_X9_62_prime192v1, /* secp192r1 (19) */
198 NID_secp224k1, /* secp224k1 (20) */
199 NID_secp224r1, /* secp224r1 (21) */
200 NID_secp256k1, /* secp256k1 (22) */
201 NID_X9_62_prime256v1, /* secp256r1 (23) */
202 NID_secp384r1, /* secp384r1 (24) */
203 NID_secp521r1, /* secp521r1 (25) */
204 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
205 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
206 NID_brainpoolP512r1, /* brainpoolP512r1 (28) */
207 NID_X25519, /* X25519 (29) */
208 };
209
210 #if 0
211 static const uint8_t ecformats_list[] = {
212 TLSEXT_ECPOINTFORMAT_uncompressed,
213 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
214 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
215 };
216 #endif
217
218 static const uint8_t ecformats_default[] = {
219 TLSEXT_ECPOINTFORMAT_uncompressed,
220 };
221
222 #if 0
223 static const uint16_t eccurves_list[] = {
224 29, /* X25519 (29) */
225 14, /* sect571r1 (14) */
226 13, /* sect571k1 (13) */
227 25, /* secp521r1 (25) */
228 28, /* brainpoolP512r1 (28) */
229 11, /* sect409k1 (11) */
230 12, /* sect409r1 (12) */
231 27, /* brainpoolP384r1 (27) */
232 24, /* secp384r1 (24) */
233 9, /* sect283k1 (9) */
234 10, /* sect283r1 (10) */
235 26, /* brainpoolP256r1 (26) */
236 22, /* secp256k1 (22) */
237 23, /* secp256r1 (23) */
238 8, /* sect239k1 (8) */
239 6, /* sect233k1 (6) */
240 7, /* sect233r1 (7) */
241 20, /* secp224k1 (20) */
242 21, /* secp224r1 (21) */
243 4, /* sect193r1 (4) */
244 5, /* sect193r2 (5) */
245 18, /* secp192k1 (18) */
246 19, /* secp192r1 (19) */
247 1, /* sect163k1 (1) */
248 2, /* sect163r1 (2) */
249 3, /* sect163r2 (3) */
250 15, /* secp160k1 (15) */
251 16, /* secp160r1 (16) */
252 17, /* secp160r2 (17) */
253 };
254 #endif
255
256 static const uint16_t eccurves_default[] = {
257 29, /* X25519 (29) */
258 23, /* secp256r1 (23) */
259 24, /* secp384r1 (24) */
260 };
261
262 int
263 tls1_ec_curve_id2nid(const uint16_t curve_id)
264 {
265 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
266 if ((curve_id < 1) ||
267 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0])))
268 return 0;
269 return nid_list[curve_id - 1];
270 }
271
272 uint16_t
273 tls1_ec_nid2curve_id(const int nid)
274 {
275 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
276 switch (nid) {
277 case NID_sect163k1: /* sect163k1 (1) */
278 return 1;
279 case NID_sect163r1: /* sect163r1 (2) */
280 return 2;
281 case NID_sect163r2: /* sect163r2 (3) */
282 return 3;
283 case NID_sect193r1: /* sect193r1 (4) */
284 return 4;
285 case NID_sect193r2: /* sect193r2 (5) */
286 return 5;
287 case NID_sect233k1: /* sect233k1 (6) */
288 return 6;
289 case NID_sect233r1: /* sect233r1 (7) */
290 return 7;
291 case NID_sect239k1: /* sect239k1 (8) */
292 return 8;
293 case NID_sect283k1: /* sect283k1 (9) */
294 return 9;
295 case NID_sect283r1: /* sect283r1 (10) */
296 return 10;
297 case NID_sect409k1: /* sect409k1 (11) */
298 return 11;
299 case NID_sect409r1: /* sect409r1 (12) */
300 return 12;
301 case NID_sect571k1: /* sect571k1 (13) */
302 return 13;
303 case NID_sect571r1: /* sect571r1 (14) */
304 return 14;
305 case NID_secp160k1: /* secp160k1 (15) */
306 return 15;
307 case NID_secp160r1: /* secp160r1 (16) */
308 return 16;
309 case NID_secp160r2: /* secp160r2 (17) */
310 return 17;
311 case NID_secp192k1: /* secp192k1 (18) */
312 return 18;
313 case NID_X9_62_prime192v1: /* secp192r1 (19) */
314 return 19;
315 case NID_secp224k1: /* secp224k1 (20) */
316 return 20;
317 case NID_secp224r1: /* secp224r1 (21) */
318 return 21;
319 case NID_secp256k1: /* secp256k1 (22) */
320 return 22;
321 case NID_X9_62_prime256v1: /* secp256r1 (23) */
322 return 23;
323 case NID_secp384r1: /* secp384r1 (24) */
324 return 24;
325 case NID_secp521r1: /* secp521r1 (25) */
326 return 25;
327 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
328 return 26;
329 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
330 return 27;
331 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */
332 return 28;
333 case NID_X25519: /* X25519 (29) */
334 return 29;
335 default:
336 return 0;
337 }
338 }
339
340 /*
341 * Return the appropriate format list. If client_formats is non-zero, return
342 * the client/session formats. Otherwise return the custom format list if one
343 * exists, or the default formats if a custom list has not been specified.
344 */
345 void
346 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
347 size_t *pformatslen)
348 {
349 if (client_formats != 0) {
350 *pformats = SSI(s)->tlsext_ecpointformatlist;
351 *pformatslen = SSI(s)->tlsext_ecpointformatlist_length;
352 return;
353 }
354
355 *pformats = s->internal->tlsext_ecpointformatlist;
356 *pformatslen = s->internal->tlsext_ecpointformatlist_length;
357 if (*pformats == NULL) {
358 *pformats = ecformats_default;
359 *pformatslen = sizeof(ecformats_default);
360 }
361 }
362
363 /*
364 * Return the appropriate curve list. If client_curves is non-zero, return
365 * the client/session curves. Otherwise return the custom curve list if one
366 * exists, or the default curves if a custom list has not been specified.
367 */
368 void
369 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves,
370 size_t *pcurveslen)
371 {
372 if (client_curves != 0) {
373 *pcurves = SSI(s)->tlsext_supportedgroups;
374 *pcurveslen = SSI(s)->tlsext_supportedgroups_length;
375 return;
376 }
377
378 *pcurves = s->internal->tlsext_supportedgroups;
379 *pcurveslen = s->internal->tlsext_supportedgroups_length;
380 if (*pcurves == NULL) {
381 *pcurves = eccurves_default;
382 *pcurveslen = sizeof(eccurves_default) / 2;
383 }
384 }
385
386 int
387 tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
388 const int *groups, size_t ngroups)
389 {
390 uint16_t *group_ids;
391 size_t i;
392
393 group_ids = calloc(ngroups, sizeof(uint16_t));
394 if (group_ids == NULL)
395 return 0;
396
397 for (i = 0; i < ngroups; i++) {
398 group_ids[i] = tls1_ec_nid2curve_id(groups[i]);
399 if (group_ids[i] == 0) {
400 free(group_ids);
401 return 0;
402 }
403 }
404
405 free(*out_group_ids);
406 *out_group_ids = group_ids;
407 *out_group_ids_len = ngroups;
408
409 return 1;
410 }
411
412 int
413 tls1_set_groups_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
414 const char *groups)
415 {
416 uint16_t *new_group_ids, *group_ids = NULL;
417 size_t ngroups = 0;
418 char *gs, *p, *q;
419 int nid;
420
421 if ((gs = strdup(groups)) == NULL)
422 return 0;
423
424 q = gs;
425 while ((p = strsep(&q, ":")) != NULL) {
426 nid = OBJ_sn2nid(p);
427 if (nid == NID_undef)
428 nid = OBJ_ln2nid(p);
429 if (nid == NID_undef)
430 nid = EC_curve_nist2nid(p);
431 if (nid == NID_undef)
432 goto err;
433
434 if ((new_group_ids = reallocarray(group_ids, ngroups + 1,
435 sizeof(uint16_t))) == NULL)
436 goto err;
437 group_ids = new_group_ids;
438
439 group_ids[ngroups] = tls1_ec_nid2curve_id(nid);
440 if (group_ids[ngroups] == 0)
441 goto err;
442
443 ngroups++;
444 }
445
446 free(gs);
447 free(*out_group_ids);
448 *out_group_ids = group_ids;
449 *out_group_ids_len = ngroups;
450
451 return 1;
452
453 err:
454 free(gs);
455 free(group_ids);
456
457 return 0;
458 }
459
460 /* Check that a curve is one of our preferences. */
461 int
462 tls1_check_curve(SSL *s, const uint16_t curve_id)
463 {
464 const uint16_t *curves;
465 size_t curveslen, i;
466
467 tls1_get_curvelist(s, 0, &curves, &curveslen);
468
469 for (i = 0; i < curveslen; i++) {
470 if (curves[i] == curve_id)
471 return (1);
472 }
473 return (0);
474 }
475
476 int
477 tls1_get_shared_curve(SSL *s)
478 {
479 size_t preflen, supplen, i, j;
480 const uint16_t *pref, *supp;
481 unsigned long server_pref;
482
483 /* Cannot do anything on the client side. */
484 if (s->server == 0)
485 return (NID_undef);
486
487 /* Return first preference shared curve. */
488 server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
489 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen);
490 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen);
491
492 for (i = 0; i < preflen; i++) {
493 for (j = 0; j < supplen; j++) {
494 if (pref[i] == supp[j])
495 return (tls1_ec_curve_id2nid(pref[i]));
496 }
497 }
498 return (NID_undef);
499 }
500
501 /* For an EC key set TLS ID and required compression based on parameters. */
502 static int
503 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
504 {
505 const EC_GROUP *grp;
506 const EC_METHOD *meth;
507 int is_prime = 0;
508 int nid, id;
509
510 if (ec == NULL)
511 return (0);
512
513 /* Determine if it is a prime field. */
514 if ((grp = EC_KEY_get0_group(ec)) == NULL)
515 return (0);
516 if ((meth = EC_GROUP_method_of(grp)) == NULL)
517 return (0);
518 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
519 is_prime = 1;
520
521 /* Determine curve ID. */
522 nid = EC_GROUP_get_curve_name(grp);
523 id = tls1_ec_nid2curve_id(nid);
524
525 /* If we have an ID set it, otherwise set arbitrary explicit curve. */
526 if (id != 0)
527 *curve_id = id;
528 else
529 *curve_id = is_prime ? 0xff01 : 0xff02;
530
531 /* Specify the compression identifier. */
532 if (comp_id != NULL) {
533 if (EC_KEY_get0_public_key(ec) == NULL)
534 return (0);
535
536 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
537 *comp_id = is_prime ?
538 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime :
539 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
540 } else {
541 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
542 }
543 }
544 return (1);
545 }
546
547 /* Check that an EC key is compatible with extensions. */
548 static int
549 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
550 {
551 size_t curveslen, formatslen, i;
552 const uint16_t *curves;
553 const uint8_t *formats;
554
555 /*
556 * Check point formats extension if present, otherwise everything
557 * is supported (see RFC4492).
558 */
559 tls1_get_formatlist(s, 1, &formats, &formatslen);
560 if (comp_id != NULL && formats != NULL) {
561 for (i = 0; i < formatslen; i++) {
562 if (formats[i] == *comp_id)
563 break;
564 }
565 if (i == formatslen)
566 return (0);
567 }
568
569 /*
570 * Check curve list if present, otherwise everything is supported.
571 */
572 tls1_get_curvelist(s, 1, &curves, &curveslen);
573 if (curve_id != NULL && curves != NULL) {
574 for (i = 0; i < curveslen; i++) {
575 if (curves[i] == *curve_id)
576 break;
577 }
578 if (i == curveslen)
579 return (0);
580 }
581
582 return (1);
583 }
584
585 /* Check EC server key is compatible with client extensions. */
586 int
587 tls1_check_ec_server_key(SSL *s)
588 {
589 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
590 uint16_t curve_id;
591 uint8_t comp_id;
592 EVP_PKEY *pkey;
593 int rv;
594
595 if (cpk->x509 == NULL || cpk->privatekey == NULL)
596 return (0);
597 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL)
598 return (0);
599 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec);
600 EVP_PKEY_free(pkey);
601 if (rv != 1)
602 return (0);
603
604 return tls1_check_ec_key(s, &curve_id, &comp_id);
605 }
606
607 /* Check EC temporary key is compatible with client extensions. */
608 int
609 tls1_check_ec_tmp_key(SSL *s)
610 {
611 EC_KEY *ec = s->cert->ecdh_tmp;
612 uint16_t curve_id;
613
614 /* Need a shared curve. */
615 if (tls1_get_shared_curve(s) != NID_undef)
616 return (1);
617
618 if (ec == NULL)
619 return (0);
620
621 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1)
622 return (0);
623
624 return tls1_check_ec_key(s, &curve_id, NULL);
625 }
626
627 /*
628 * List of supported signature algorithms and hashes. Should make this
629 * customisable at some point, for now include everything we support.
630 */
631
632 static unsigned char tls12_sigalgs[] = {
633 TLSEXT_hash_sha512, TLSEXT_signature_rsa,
634 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
635 #ifndef OPENSSL_NO_GOST
636 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512,
637 #endif
638
639 TLSEXT_hash_sha384, TLSEXT_signature_rsa,
640 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
641
642 TLSEXT_hash_sha256, TLSEXT_signature_rsa,
643 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
644
645 #ifndef OPENSSL_NO_GOST
646 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256,
647 TLSEXT_hash_gost94, TLSEXT_signature_gostr01,
648 #endif
649
650 TLSEXT_hash_sha224, TLSEXT_signature_rsa,
651 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
652
653 TLSEXT_hash_sha1, TLSEXT_signature_rsa,
654 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
655 };
656
657 void
658 tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs, size_t *sigalgs_len)
659 {
660 *sigalgs = tls12_sigalgs;
661 *sigalgs_len = sizeof(tls12_sigalgs);
662 }
663
664 int
665 ssl_check_clienthello_tlsext_early(SSL *s)
666 {
667 int ret = SSL_TLSEXT_ERR_NOACK;
668 int al = SSL_AD_UNRECOGNIZED_NAME;
669
670 /* The handling of the ECPointFormats extension is done elsewhere, namely in
671 * ssl3_choose_cipher in s3_lib.c.
672 */
673 /* The handling of the EllipticCurves extension is done elsewhere, namely in
674 * ssl3_choose_cipher in s3_lib.c.
675 */
676
677 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0)
678 ret = s->ctx->internal->tlsext_servername_callback(s, &al,
679 s->ctx->internal->tlsext_servername_arg);
680 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0)
681 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al,
682 s->initial_ctx->internal->tlsext_servername_arg);
683
684 switch (ret) {
685 case SSL_TLSEXT_ERR_ALERT_FATAL:
686 ssl3_send_alert(s, SSL3_AL_FATAL, al);
687 return -1;
688 case SSL_TLSEXT_ERR_ALERT_WARNING:
689 ssl3_send_alert(s, SSL3_AL_WARNING, al);
690 return 1;
691 case SSL_TLSEXT_ERR_NOACK:
692 s->internal->servername_done = 0;
693 default:
694 return 1;
695 }
696 }
697
698 int
699 ssl_check_clienthello_tlsext_late(SSL *s)
700 {
701 int ret = SSL_TLSEXT_ERR_OK;
702 int al = 0; /* XXX gcc3 */
703
704 /* If status request then ask callback what to do.
705 * Note: this must be called after servername callbacks in case
706 * the certificate has changed, and must be called after the cipher
707 * has been chosen because this may influence which certificate is sent
708 */
709 if ((s->tlsext_status_type != -1) &&
710 s->ctx && s->ctx->internal->tlsext_status_cb) {
711 int r;
712 CERT_PKEY *certpkey;
713 certpkey = ssl_get_server_send_pkey(s);
714 /* If no certificate can't return certificate status */
715 if (certpkey == NULL) {
716 s->internal->tlsext_status_expected = 0;
717 return 1;
718 }
719 /* Set current certificate to one we will use so
720 * SSL_get_certificate et al can pick it up.
721 */
722 s->cert->key = certpkey;
723 r = s->ctx->internal->tlsext_status_cb(s,
724 s->ctx->internal->tlsext_status_arg);
725 switch (r) {
726 /* We don't want to send a status request response */
727 case SSL_TLSEXT_ERR_NOACK:
728 s->internal->tlsext_status_expected = 0;
729 break;
730 /* status request response should be sent */
731 case SSL_TLSEXT_ERR_OK:
732 if (s->internal->tlsext_ocsp_resp)
733 s->internal->tlsext_status_expected = 1;
734 else
735 s->internal->tlsext_status_expected = 0;
736 break;
737 /* something bad happened */
738 case SSL_TLSEXT_ERR_ALERT_FATAL:
739 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
740 al = SSL_AD_INTERNAL_ERROR;
741 goto err;
742 }
743 } else
744 s->internal->tlsext_status_expected = 0;
745
746 err:
747 switch (ret) {
748 case SSL_TLSEXT_ERR_ALERT_FATAL:
749 ssl3_send_alert(s, SSL3_AL_FATAL, al);
750 return -1;
751 case SSL_TLSEXT_ERR_ALERT_WARNING:
752 ssl3_send_alert(s, SSL3_AL_WARNING, al);
753 return 1;
754 default:
755 return 1;
756 }
757 }
758
759 int
760 ssl_check_serverhello_tlsext(SSL *s)
761 {
762 int ret = SSL_TLSEXT_ERR_NOACK;
763 int al = SSL_AD_UNRECOGNIZED_NAME;
764
765 ret = SSL_TLSEXT_ERR_OK;
766
767 if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0)
768 ret = s->ctx->internal->tlsext_servername_callback(s, &al,
769 s->ctx->internal->tlsext_servername_arg);
770 else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0)
771 ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al,
772 s->initial_ctx->internal->tlsext_servername_arg);
773
774 /* If we've requested certificate status and we wont get one
775 * tell the callback
776 */
777 if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) &&
778 s->ctx && s->ctx->internal->tlsext_status_cb) {
779 int r;
780 /* Set resp to NULL, resplen to -1 so callback knows
781 * there is no response.
782 */
783 free(s->internal->tlsext_ocsp_resp);
784 s->internal->tlsext_ocsp_resp = NULL;
785 s->internal->tlsext_ocsp_resplen = -1;
786 r = s->ctx->internal->tlsext_status_cb(s,
787 s->ctx->internal->tlsext_status_arg);
788 if (r == 0) {
789 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
790 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
791 }
792 if (r < 0) {
793 al = SSL_AD_INTERNAL_ERROR;
794 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
795 }
796 }
797
798 switch (ret) {
799 case SSL_TLSEXT_ERR_ALERT_FATAL:
800 ssl3_send_alert(s, SSL3_AL_FATAL, al);
801
802 return -1;
803 case SSL_TLSEXT_ERR_ALERT_WARNING:
804 ssl3_send_alert(s, SSL3_AL_WARNING, al);
805
806 return 1;
807 case SSL_TLSEXT_ERR_NOACK:
808 s->internal->servername_done = 0;
809 default:
810 return 1;
811 }
812 }
813
814 /* Since the server cache lookup is done early on in the processing of the
815 * ClientHello, and other operations depend on the result, we need to handle
816 * any TLS session ticket extension at the same time.
817 *
818 * session_id: points at the session ID in the ClientHello.
819 * session_id_len: the length of the session ID.
820 * ext_block: a CBS for the ClientHello extensions block.
821 * ret: (output) on return, if a ticket was decrypted, then this is set to
822 * point to the resulting session.
823 *
824 * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key
825 * ciphersuite, in which case we have no use for session tickets and one will
826 * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1.
827 *
828 * Returns:
829 * -1: fatal error, either from parsing or decrypting the ticket.
830 * 0: no ticket was found (or was ignored, based on settings).
831 * 1: a zero length extension was found, indicating that the client supports
832 * session tickets but doesn't currently have one to offer.
833 * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but
834 * couldn't be decrypted because of a non-fatal error.
835 * 3: a ticket was successfully decrypted and *ret was set.
836 *
837 * Side effects:
838 * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue
839 * a new session ticket to the client because the client indicated support
840 * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have
841 * a session ticket or we couldn't use the one it gave us, or if
842 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
843 * Otherwise, s->internal->tlsext_ticket_expected is set to 0.
844 */
845 int
846 tls1_process_ticket(SSL *s, const unsigned char *session_id, int session_id_len,
847 CBS *ext_block, SSL_SESSION **ret)
848 {
849 CBS extensions;
850
851 s->internal->tlsext_ticket_expected = 0;
852 *ret = NULL;
853
854 /*
855 * If tickets disabled behave as if no ticket present to permit stateful
856 * resumption.
857 */
858 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
859 return 0;
860
861 /*
862 * An empty extensions block is valid, but obviously does not contain
863 * a session ticket.
864 */
865 if (CBS_len(ext_block) == 0)
866 return 0;
867
868 if (!CBS_get_u16_length_prefixed(ext_block, &extensions))
869 return -1;
870
871 while (CBS_len(&extensions) > 0) {
872 uint16_t ext_type;
873 CBS ext_data;
874
875 if (!CBS_get_u16(&extensions, &ext_type) ||
876 !CBS_get_u16_length_prefixed(&extensions, &ext_data))
877 return -1;
878
879 if (ext_type == TLSEXT_TYPE_session_ticket) {
880 int r;
881 if (CBS_len(&ext_data) == 0) {
882 /* The client will accept a ticket but doesn't
883 * currently have one. */
884 s->internal->tlsext_ticket_expected = 1;
885 return 1;
886 }
887 if (s->internal->tls_session_secret_cb != NULL) {
888 /* Indicate that the ticket couldn't be
889 * decrypted rather than generating the session
890 * from ticket now, trigger abbreviated
891 * handshake based on external mechanism to
892 * calculate the master secret later. */
893 return 2;
894 }
895
896 r = tls_decrypt_ticket(s, CBS_data(&ext_data),
897 CBS_len(&ext_data), session_id, session_id_len, ret);
898
899 switch (r) {
900 case 2: /* ticket couldn't be decrypted */
901 s->internal->tlsext_ticket_expected = 1;
902 return 2;
903 case 3: /* ticket was decrypted */
904 return r;
905 case 4: /* ticket decrypted but need to renew */
906 s->internal->tlsext_ticket_expected = 1;
907 return 3;
908 default: /* fatal error */
909 return -1;
910 }
911 }
912 }
913 return 0;
914 }
915
916 /* tls_decrypt_ticket attempts to decrypt a session ticket.
917 *
918 * etick: points to the body of the session ticket extension.
919 * eticklen: the length of the session tickets extenion.
920 * sess_id: points at the session ID.
921 * sesslen: the length of the session ID.
922 * psess: (output) on return, if a ticket was decrypted, then this is set to
923 * point to the resulting session.
924 *
925 * Returns:
926 * -1: fatal error, either from parsing or decrypting the ticket.
927 * 2: the ticket couldn't be decrypted.
928 * 3: a ticket was successfully decrypted and *psess was set.
929 * 4: same as 3, but the ticket needs to be renewed.
930 */
931 static int
932 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
933 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess)
934 {
935 SSL_SESSION *sess;
936 unsigned char *sdec;
937 const unsigned char *p;
938 int slen, mlen, renew_ticket = 0;
939 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
940 HMAC_CTX hctx;
941 EVP_CIPHER_CTX ctx;
942 SSL_CTX *tctx = s->initial_ctx;
943
944 /*
945 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for
946 * the iv to tlsext_ticket_key_cb(). Since the total space
947 * required for a session cookie is never less than this,
948 * this check isn't too strict. The exact check comes later.
949 */
950 if (eticklen < 16 + EVP_MAX_IV_LENGTH)
951 return 2;
952
953 /* Initialize session ticket encryption and HMAC contexts */
954 HMAC_CTX_init(&hctx);
955 EVP_CIPHER_CTX_init(&ctx);
956 if (tctx->internal->tlsext_ticket_key_cb) {
957 unsigned char *nctick = (unsigned char *)etick;
958 int rv = tctx->internal->tlsext_ticket_key_cb(s,
959 nctick, nctick + 16, &ctx, &hctx, 0);
960 if (rv < 0) {
961 HMAC_CTX_cleanup(&hctx);
962 EVP_CIPHER_CTX_cleanup(&ctx);
963 return -1;
964 }
965 if (rv == 0) {
966 HMAC_CTX_cleanup(&hctx);
967 EVP_CIPHER_CTX_cleanup(&ctx);
968 return 2;
969 }
970 if (rv == 2)
971 renew_ticket = 1;
972 } else {
973 /* Check key name matches */
974 if (timingsafe_memcmp(etick,
975 tctx->internal->tlsext_tick_key_name, 16))
976 return 2;
977 HMAC_Init_ex(&hctx, tctx->internal->tlsext_tick_hmac_key,
978 16, tlsext_tick_md(), NULL);
979 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
980 tctx->internal->tlsext_tick_aes_key, etick + 16);
981 }
982
983 /*
984 * Attempt to process session ticket, first conduct sanity and
985 * integrity checks on ticket.
986 */
987 mlen = HMAC_size(&hctx);
988 if (mlen < 0) {
989 HMAC_CTX_cleanup(&hctx);
990 EVP_CIPHER_CTX_cleanup(&ctx);
991 return -1;
992 }
993
994 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
995 if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
996 HMAC_CTX_cleanup(&hctx);
997 EVP_CIPHER_CTX_cleanup(&ctx);
998 return 2;
999 }
1000 eticklen -= mlen;
1001
1002 /* Check HMAC of encrypted ticket */
1003 if (HMAC_Update(&hctx, etick, eticklen) <= 0 ||
1004 HMAC_Final(&hctx, tick_hmac, NULL) <= 0) {
1005 HMAC_CTX_cleanup(&hctx);
1006 EVP_CIPHER_CTX_cleanup(&ctx);
1007 return -1;
1008 }
1009
1010 HMAC_CTX_cleanup(&hctx);
1011 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) {
1012 EVP_CIPHER_CTX_cleanup(&ctx);
1013 return 2;
1014 }
1015
1016 /* Attempt to decrypt session data */
1017 /* Move p after IV to start of encrypted ticket, update length */
1018 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1019 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1020 sdec = malloc(eticklen);
1021 if (sdec == NULL ||
1022 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
1023 free(sdec);
1024 EVP_CIPHER_CTX_cleanup(&ctx);
1025 return -1;
1026 }
1027 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
1028 free(sdec);
1029 EVP_CIPHER_CTX_cleanup(&ctx);
1030 return 2;
1031 }
1032 slen += mlen;
1033 EVP_CIPHER_CTX_cleanup(&ctx);
1034 p = sdec;
1035
1036 sess = d2i_SSL_SESSION(NULL, &p, slen);
1037 free(sdec);
1038 if (sess) {
1039 /* The session ID, if non-empty, is used by some clients to
1040 * detect that the ticket has been accepted. So we copy it to
1041 * the session structure. If it is empty set length to zero
1042 * as required by standard.
1043 */
1044 if (sesslen)
1045 memcpy(sess->session_id, sess_id, sesslen);
1046 sess->session_id_length = sesslen;
1047 *psess = sess;
1048 if (renew_ticket)
1049 return 4;
1050 else
1051 return 3;
1052 }
1053 ERR_clear_error();
1054 /* For session parse failure, indicate that we need to send a new
1055 * ticket. */
1056 return 2;
1057 }
1058
1059 /* Tables to translate from NIDs to TLS v1.2 ids */
1060
1061 typedef struct {
1062 int nid;
1063 int id;
1064 } tls12_lookup;
1065
1066 static tls12_lookup tls12_md[] = {
1067 {NID_md5, TLSEXT_hash_md5},
1068 {NID_sha1, TLSEXT_hash_sha1},
1069 {NID_sha224, TLSEXT_hash_sha224},
1070 {NID_sha256, TLSEXT_hash_sha256},
1071 {NID_sha384, TLSEXT_hash_sha384},
1072 {NID_sha512, TLSEXT_hash_sha512},
1073 {NID_id_GostR3411_94, TLSEXT_hash_gost94},
1074 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256},
1075 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512}
1076 };
1077
1078 static tls12_lookup tls12_sig[] = {
1079 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
1080 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
1081 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01},
1082 };
1083
1084 static int
1085 tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
1086 {
1087 size_t i;
1088 for (i = 0; i < tlen; i++) {
1089 if (table[i].nid == nid)
1090 return table[i].id;
1091 }
1092 return -1;
1093 }
1094
1095 int
1096 tls12_get_hashid(const EVP_MD *md)
1097 {
1098 if (md == NULL)
1099 return -1;
1100
1101 return tls12_find_id(EVP_MD_type(md), tls12_md,
1102 sizeof(tls12_md) / sizeof(tls12_lookup));
1103 }
1104
1105 int
1106 tls12_get_sigid(const EVP_PKEY *pk)
1107 {
1108 if (pk == NULL)
1109 return -1;
1110
1111 return tls12_find_id(pk->type, tls12_sig,
1112 sizeof(tls12_sig) / sizeof(tls12_lookup));
1113 }
1114
1115 int
1116 tls12_get_hashandsig(CBB *cbb, const EVP_PKEY *pk, const EVP_MD *md)
1117 {
1118 int hash_id, sig_id;
1119
1120 if ((hash_id = tls12_get_hashid(md)) == -1)
1121 return 0;
1122 if ((sig_id = tls12_get_sigid(pk)) == -1)
1123 return 0;
1124
1125 if (!CBB_add_u8(cbb, hash_id))
1126 return 0;
1127 if (!CBB_add_u8(cbb, sig_id))
1128 return 0;
1129
1130 return 1;
1131 }
1132
1133 const EVP_MD *
1134 tls12_get_hash(unsigned char hash_alg)
1135 {
1136 switch (hash_alg) {
1137 case TLSEXT_hash_sha1:
1138 return EVP_sha1();
1139 case TLSEXT_hash_sha224:
1140 return EVP_sha224();
1141 case TLSEXT_hash_sha256:
1142 return EVP_sha256();
1143 case TLSEXT_hash_sha384:
1144 return EVP_sha384();
1145 case TLSEXT_hash_sha512:
1146 return EVP_sha512();
1147 #ifndef OPENSSL_NO_GOST
1148 case TLSEXT_hash_gost94:
1149 return EVP_gostr341194();
1150 case TLSEXT_hash_streebog_256:
1151 return EVP_streebog256();
1152 case TLSEXT_hash_streebog_512:
1153 return EVP_streebog512();
1154 #endif
1155 default:
1156 return NULL;
1157 }
1158 }
1159
1160 /* Set preferred digest for each key type */
1161
1162 int
1163 tls1_process_sigalgs(SSL *s, CBS *cbs)
1164 {
1165 const EVP_MD *md;
1166 CERT *c = s->cert;
1167 int idx;
1168
1169 /* Extension ignored for inappropriate versions */
1170 if (!SSL_USE_SIGALGS(s))
1171 return 1;
1172
1173 /* Should never happen */
1174 if (c == NULL)
1175 return 0;
1176
1177 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
1178 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
1179 c->pkeys[SSL_PKEY_ECC].digest = NULL;
1180 c->pkeys[SSL_PKEY_GOST01].digest = NULL;
1181
1182 while (CBS_len(cbs) > 0) {
1183 uint8_t hash_alg, sig_alg;
1184
1185 if (!CBS_get_u8(cbs, &hash_alg) || !CBS_get_u8(cbs, &sig_alg))
1186 return 0;
1187
1188 switch (sig_alg) {
1189 case TLSEXT_signature_rsa:
1190 idx = SSL_PKEY_RSA_SIGN;
1191 break;
1192 case TLSEXT_signature_ecdsa:
1193 idx = SSL_PKEY_ECC;
1194 break;
1195 case TLSEXT_signature_gostr01:
1196 case TLSEXT_signature_gostr12_256:
1197 case TLSEXT_signature_gostr12_512:
1198 idx = SSL_PKEY_GOST01;
1199 break;
1200 default:
1201 continue;
1202 }
1203
1204 if (c->pkeys[idx].digest == NULL) {
1205 md = tls12_get_hash(hash_alg);
1206 if (md) {
1207 c->pkeys[idx].digest = md;
1208 if (idx == SSL_PKEY_RSA_SIGN)
1209 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
1210 }
1211 }
1212
1213 }
1214
1215 /*
1216 * Set any remaining keys to default values. NOTE: if alg is not
1217 * supported it stays as NULL.
1218 */
1219 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
1220 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
1221 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
1222 }
1223 if (!c->pkeys[SSL_PKEY_ECC].digest)
1224 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
1225 #ifndef OPENSSL_NO_GOST
1226 if (!c->pkeys[SSL_PKEY_GOST01].digest)
1227 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
1228 #endif
1229 return 1;
1230 }
Unleashed OS