/src/libressl/ssl/t1_lib.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: t1_lib.c,v 1.193 2022/07/03 08:15:52 tb Exp $ */ |
2 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | | * All rights reserved. |
4 | | * |
5 | | * This package is an SSL implementation written |
6 | | * by Eric Young (eay@cryptsoft.com). |
7 | | * The implementation was written so as to conform with Netscapes SSL. |
8 | | * |
9 | | * This library is free for commercial and non-commercial use as long as |
10 | | * the following conditions are aheared to. The following conditions |
11 | | * apply to all code found in this distribution, be it the RC4, RSA, |
12 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 | | * included with this distribution is covered by the same copyright terms |
14 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 | | * |
16 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | | * the code are not to be removed. |
18 | | * If this package is used in a product, Eric Young should be given attribution |
19 | | * as the author of the parts of the library used. |
20 | | * This can be in the form of a textual message at program startup or |
21 | | * in documentation (online or textual) provided with the package. |
22 | | * |
23 | | * Redistribution and use in source and binary forms, with or without |
24 | | * modification, are permitted provided that the following conditions |
25 | | * are met: |
26 | | * 1. Redistributions of source code must retain the copyright |
27 | | * notice, this list of conditions and the following disclaimer. |
28 | | * 2. Redistributions in binary form must reproduce the above copyright |
29 | | * notice, this list of conditions and the following disclaimer in the |
30 | | * documentation and/or other materials provided with the distribution. |
31 | | * 3. All advertising materials mentioning features or use of this software |
32 | | * must display the following acknowledgement: |
33 | | * "This product includes cryptographic software written by |
34 | | * Eric Young (eay@cryptsoft.com)" |
35 | | * The word 'cryptographic' can be left out if the rouines from the library |
36 | | * being used are not cryptographic related :-). |
37 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
38 | | * the apps directory (application code) you must include an acknowledgement: |
39 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 | | * |
41 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 | | * SUCH DAMAGE. |
52 | | * |
53 | | * The licence and distribution terms for any publically available version or |
54 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 | | * copied and put under another distribution licence |
56 | | * [including the GNU Public Licence.] |
57 | | */ |
58 | | /* ==================================================================== |
59 | | * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. |
60 | | * |
61 | | * Redistribution and use in source and binary forms, with or without |
62 | | * modification, are permitted provided that the following conditions |
63 | | * are met: |
64 | | * |
65 | | * 1. Redistributions of source code must retain the above copyright |
66 | | * notice, this list of conditions and the following disclaimer. |
67 | | * |
68 | | * 2. Redistributions in binary form must reproduce the above copyright |
69 | | * notice, this list of conditions and the following disclaimer in |
70 | | * the documentation and/or other materials provided with the |
71 | | * distribution. |
72 | | * |
73 | | * 3. All advertising materials mentioning features or use of this |
74 | | * software must display the following acknowledgment: |
75 | | * "This product includes software developed by the OpenSSL Project |
76 | | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
77 | | * |
78 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
79 | | * endorse or promote products derived from this software without |
80 | | * prior written permission. For written permission, please contact |
81 | | * openssl-core@openssl.org. |
82 | | * |
83 | | * 5. Products derived from this software may not be called "OpenSSL" |
84 | | * nor may "OpenSSL" appear in their names without prior written |
85 | | * permission of the OpenSSL Project. |
86 | | * |
87 | | * 6. Redistributions of any form whatsoever must retain the following |
88 | | * acknowledgment: |
89 | | * "This product includes software developed by the OpenSSL Project |
90 | | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
91 | | * |
92 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
93 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
94 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
95 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
96 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
97 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
98 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
99 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
100 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
101 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
102 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
103 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
104 | | * ==================================================================== |
105 | | * |
106 | | * This product includes cryptographic software written by Eric Young |
107 | | * (eay@cryptsoft.com). This product includes software written by Tim |
108 | | * Hudson (tjh@cryptsoft.com). |
109 | | * |
110 | | */ |
111 | | |
112 | | #include <stdio.h> |
113 | | |
114 | | #include <openssl/evp.h> |
115 | | #include <openssl/hmac.h> |
116 | | #include <openssl/objects.h> |
117 | | #include <openssl/ocsp.h> |
118 | | |
119 | | #include "bytestring.h" |
120 | | #include "ssl_locl.h" |
121 | | #include "ssl_sigalgs.h" |
122 | | #include "ssl_tlsext.h" |
123 | | |
124 | | static int tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, |
125 | | SSL_SESSION **psess); |
126 | | |
127 | | int |
128 | | tls1_new(SSL *s) |
129 | 0 | { |
130 | 0 | if (!ssl3_new(s)) |
131 | 0 | return (0); |
132 | 0 | s->method->ssl_clear(s); |
133 | 0 | return (1); |
134 | 0 | } |
135 | | |
136 | | void |
137 | | tls1_free(SSL *s) |
138 | 0 | { |
139 | 0 | if (s == NULL) |
140 | 0 | return; |
141 | | |
142 | 0 | free(s->internal->tlsext_session_ticket); |
143 | 0 | ssl3_free(s); |
144 | 0 | } |
145 | | |
146 | | void |
147 | | tls1_clear(SSL *s) |
148 | 0 | { |
149 | 0 | ssl3_clear(s); |
150 | 0 | s->version = s->method->version; |
151 | 0 | } |
152 | | |
153 | | struct supported_group { |
154 | | int nid; |
155 | | int bits; |
156 | | }; |
157 | | |
158 | | /* |
159 | | * Supported groups (formerly known as named curves) |
160 | | * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8 |
161 | | */ |
162 | | static const struct supported_group nid_list[] = { |
163 | | [1] = { |
164 | | .nid = NID_sect163k1, |
165 | | .bits = 80, |
166 | | }, |
167 | | [2] = { |
168 | | .nid = NID_sect163r1, |
169 | | .bits = 80, |
170 | | }, |
171 | | [3] = { |
172 | | .nid = NID_sect163r2, |
173 | | .bits = 80, |
174 | | }, |
175 | | [4] = { |
176 | | .nid = NID_sect193r1, |
177 | | .bits = 80, |
178 | | }, |
179 | | [5] = { |
180 | | .nid = NID_sect193r2, |
181 | | .bits = 80, |
182 | | }, |
183 | | [6] = { |
184 | | .nid = NID_sect233k1, |
185 | | .bits = 112, |
186 | | }, |
187 | | [7] = { |
188 | | .nid = NID_sect233r1, |
189 | | .bits = 112, |
190 | | }, |
191 | | [8] = { |
192 | | .nid = NID_sect239k1, |
193 | | .bits = 112, |
194 | | }, |
195 | | [9] = { |
196 | | .nid = NID_sect283k1, |
197 | | .bits = 128, |
198 | | }, |
199 | | [10] = { |
200 | | .nid = NID_sect283r1, |
201 | | .bits = 128, |
202 | | }, |
203 | | [11] = { |
204 | | .nid = NID_sect409k1, |
205 | | .bits = 192, |
206 | | }, |
207 | | [12] = { |
208 | | .nid = NID_sect409r1, |
209 | | .bits = 192, |
210 | | }, |
211 | | [13] = { |
212 | | .nid = NID_sect571k1, |
213 | | .bits = 256, |
214 | | }, |
215 | | [14] = { |
216 | | .nid = NID_sect571r1, |
217 | | .bits = 256, |
218 | | }, |
219 | | [15] = { |
220 | | .nid = NID_secp160k1, |
221 | | .bits = 80, |
222 | | }, |
223 | | [16] = { |
224 | | .nid = NID_secp160r1, |
225 | | .bits = 80, |
226 | | }, |
227 | | [17] = { |
228 | | .nid = NID_secp160r2, |
229 | | .bits = 80, |
230 | | }, |
231 | | [18] = { |
232 | | .nid = NID_secp192k1, |
233 | | .bits = 80, |
234 | | }, |
235 | | [19] = { |
236 | | .nid = NID_X9_62_prime192v1, /* aka secp192r1 */ |
237 | | .bits = 80, |
238 | | }, |
239 | | [20] = { |
240 | | .nid = NID_secp224k1, |
241 | | .bits = 112, |
242 | | }, |
243 | | [21] = { |
244 | | .nid = NID_secp224r1, |
245 | | .bits = 112, |
246 | | }, |
247 | | [22] = { |
248 | | .nid = NID_secp256k1, |
249 | | .bits = 128, |
250 | | }, |
251 | | [23] = { |
252 | | .nid = NID_X9_62_prime256v1, /* aka secp256r1 */ |
253 | | .bits = 128, |
254 | | }, |
255 | | [24] = { |
256 | | .nid = NID_secp384r1, |
257 | | .bits = 192, |
258 | | }, |
259 | | [25] = { |
260 | | .nid = NID_secp521r1, |
261 | | .bits = 256, |
262 | | }, |
263 | | [26] = { |
264 | | .nid = NID_brainpoolP256r1, |
265 | | .bits = 128, |
266 | | }, |
267 | | [27] = { |
268 | | .nid = NID_brainpoolP384r1, |
269 | | .bits = 192, |
270 | | }, |
271 | | [28] = { |
272 | | .nid = NID_brainpoolP512r1, |
273 | | .bits = 256, |
274 | | }, |
275 | | [29] = { |
276 | | .nid = NID_X25519, |
277 | | .bits = 128, |
278 | | }, |
279 | | }; |
280 | | |
281 | 0 | #define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0])) |
282 | | |
283 | | #if 0 |
284 | | static const uint8_t ecformats_list[] = { |
285 | | TLSEXT_ECPOINTFORMAT_uncompressed, |
286 | | TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, |
287 | | TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 |
288 | | }; |
289 | | #endif |
290 | | |
291 | | static const uint8_t ecformats_default[] = { |
292 | | TLSEXT_ECPOINTFORMAT_uncompressed, |
293 | | }; |
294 | | |
295 | | #if 0 |
296 | | static const uint16_t ecgroups_list[] = { |
297 | | 29, /* X25519 (29) */ |
298 | | 14, /* sect571r1 (14) */ |
299 | | 13, /* sect571k1 (13) */ |
300 | | 25, /* secp521r1 (25) */ |
301 | | 28, /* brainpoolP512r1 (28) */ |
302 | | 11, /* sect409k1 (11) */ |
303 | | 12, /* sect409r1 (12) */ |
304 | | 27, /* brainpoolP384r1 (27) */ |
305 | | 24, /* secp384r1 (24) */ |
306 | | 9, /* sect283k1 (9) */ |
307 | | 10, /* sect283r1 (10) */ |
308 | | 26, /* brainpoolP256r1 (26) */ |
309 | | 22, /* secp256k1 (22) */ |
310 | | 23, /* secp256r1 (23) */ |
311 | | 8, /* sect239k1 (8) */ |
312 | | 6, /* sect233k1 (6) */ |
313 | | 7, /* sect233r1 (7) */ |
314 | | 20, /* secp224k1 (20) */ |
315 | | 21, /* secp224r1 (21) */ |
316 | | 4, /* sect193r1 (4) */ |
317 | | 5, /* sect193r2 (5) */ |
318 | | 18, /* secp192k1 (18) */ |
319 | | 19, /* secp192r1 (19) */ |
320 | | 1, /* sect163k1 (1) */ |
321 | | 2, /* sect163r1 (2) */ |
322 | | 3, /* sect163r2 (3) */ |
323 | | 15, /* secp160k1 (15) */ |
324 | | 16, /* secp160r1 (16) */ |
325 | | 17, /* secp160r2 (17) */ |
326 | | }; |
327 | | #endif |
328 | | |
329 | | static const uint16_t ecgroups_client_default[] = { |
330 | | 29, /* X25519 (29) */ |
331 | | 23, /* secp256r1 (23) */ |
332 | | 24, /* secp384r1 (24) */ |
333 | | 25, /* secp521r1 (25) */ |
334 | | }; |
335 | | |
336 | | static const uint16_t ecgroups_server_default[] = { |
337 | | 29, /* X25519 (29) */ |
338 | | 23, /* secp256r1 (23) */ |
339 | | 24, /* secp384r1 (24) */ |
340 | | }; |
341 | | |
342 | | int |
343 | | tls1_ec_group_id2nid(uint16_t group_id, int *out_nid) |
344 | 0 | { |
345 | 0 | int nid; |
346 | |
|
347 | 0 | if (group_id >= NID_LIST_LEN) |
348 | 0 | return 0; |
349 | | |
350 | 0 | if ((nid = nid_list[group_id].nid) == 0) |
351 | 0 | return 0; |
352 | | |
353 | 0 | *out_nid = nid; |
354 | |
|
355 | 0 | return 1; |
356 | 0 | } |
357 | | |
358 | | int |
359 | | tls1_ec_group_id2bits(uint16_t group_id, int *out_bits) |
360 | 0 | { |
361 | 0 | int bits; |
362 | |
|
363 | 0 | if (group_id >= NID_LIST_LEN) |
364 | 0 | return 0; |
365 | | |
366 | 0 | if ((bits = nid_list[group_id].bits) == 0) |
367 | 0 | return 0; |
368 | | |
369 | 0 | *out_bits = bits; |
370 | |
|
371 | 0 | return 1; |
372 | 0 | } |
373 | | |
374 | | int |
375 | | tls1_ec_nid2group_id(int nid, uint16_t *out_group_id) |
376 | 0 | { |
377 | 0 | uint16_t group_id; |
378 | |
|
379 | 0 | if (nid == 0) |
380 | 0 | return 0; |
381 | | |
382 | 0 | for (group_id = 0; group_id < NID_LIST_LEN; group_id++) { |
383 | 0 | if (nid_list[group_id].nid == nid) { |
384 | 0 | *out_group_id = group_id; |
385 | 0 | return 1; |
386 | 0 | } |
387 | 0 | } |
388 | | |
389 | 0 | return 0; |
390 | 0 | } |
391 | | |
392 | | /* |
393 | | * Return the appropriate format list. If client_formats is non-zero, return |
394 | | * the client/session formats. Otherwise return the custom format list if one |
395 | | * exists, or the default formats if a custom list has not been specified. |
396 | | */ |
397 | | void |
398 | | tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, |
399 | | size_t *pformatslen) |
400 | 0 | { |
401 | 0 | if (client_formats != 0) { |
402 | 0 | *pformats = s->session->tlsext_ecpointformatlist; |
403 | 0 | *pformatslen = s->session->tlsext_ecpointformatlist_length; |
404 | 0 | return; |
405 | 0 | } |
406 | | |
407 | 0 | *pformats = s->internal->tlsext_ecpointformatlist; |
408 | 0 | *pformatslen = s->internal->tlsext_ecpointformatlist_length; |
409 | 0 | if (*pformats == NULL) { |
410 | 0 | *pformats = ecformats_default; |
411 | 0 | *pformatslen = sizeof(ecformats_default); |
412 | 0 | } |
413 | 0 | } |
414 | | |
415 | | /* |
416 | | * Return the appropriate group list. If client_groups is non-zero, return |
417 | | * the client/session groups. Otherwise return the custom group list if one |
418 | | * exists, or the default groups if a custom list has not been specified. |
419 | | */ |
420 | | void |
421 | | tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups, |
422 | | size_t *pgroupslen) |
423 | 0 | { |
424 | 0 | if (client_groups != 0) { |
425 | 0 | *pgroups = s->session->tlsext_supportedgroups; |
426 | 0 | *pgroupslen = s->session->tlsext_supportedgroups_length; |
427 | 0 | return; |
428 | 0 | } |
429 | | |
430 | 0 | *pgroups = s->internal->tlsext_supportedgroups; |
431 | 0 | *pgroupslen = s->internal->tlsext_supportedgroups_length; |
432 | 0 | if (*pgroups != NULL) |
433 | 0 | return; |
434 | | |
435 | 0 | if (!s->server) { |
436 | 0 | *pgroups = ecgroups_client_default; |
437 | 0 | *pgroupslen = sizeof(ecgroups_client_default) / 2; |
438 | 0 | } else { |
439 | 0 | *pgroups = ecgroups_server_default; |
440 | 0 | *pgroupslen = sizeof(ecgroups_server_default) / 2; |
441 | 0 | } |
442 | 0 | } |
443 | | |
444 | | int |
445 | | tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len, |
446 | | const int *groups, size_t ngroups) |
447 | 0 | { |
448 | 0 | uint16_t *group_ids; |
449 | 0 | size_t i; |
450 | |
|
451 | 0 | if ((group_ids = calloc(ngroups, sizeof(uint16_t))) == NULL) |
452 | 0 | return 0; |
453 | | |
454 | 0 | for (i = 0; i < ngroups; i++) { |
455 | 0 | if (!tls1_ec_nid2group_id(groups[i], &group_ids[i])) { |
456 | 0 | free(group_ids); |
457 | 0 | return 0; |
458 | 0 | } |
459 | 0 | } |
460 | | |
461 | 0 | free(*out_group_ids); |
462 | 0 | *out_group_ids = group_ids; |
463 | 0 | *out_group_ids_len = ngroups; |
464 | |
|
465 | 0 | return 1; |
466 | 0 | } |
467 | | |
468 | | int |
469 | | tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len, |
470 | | const char *groups) |
471 | 0 | { |
472 | 0 | uint16_t *new_group_ids, *group_ids = NULL; |
473 | 0 | size_t ngroups = 0; |
474 | 0 | char *gs, *p, *q; |
475 | 0 | int nid; |
476 | |
|
477 | 0 | if ((gs = strdup(groups)) == NULL) |
478 | 0 | return 0; |
479 | | |
480 | 0 | q = gs; |
481 | 0 | while ((p = strsep(&q, ":")) != NULL) { |
482 | 0 | nid = OBJ_sn2nid(p); |
483 | 0 | if (nid == NID_undef) |
484 | 0 | nid = OBJ_ln2nid(p); |
485 | 0 | if (nid == NID_undef) |
486 | 0 | nid = EC_curve_nist2nid(p); |
487 | 0 | if (nid == NID_undef) |
488 | 0 | goto err; |
489 | | |
490 | 0 | if ((new_group_ids = reallocarray(group_ids, ngroups + 1, |
491 | 0 | sizeof(uint16_t))) == NULL) |
492 | 0 | goto err; |
493 | 0 | group_ids = new_group_ids; |
494 | |
|
495 | 0 | if (!tls1_ec_nid2group_id(nid, &group_ids[ngroups])) |
496 | 0 | goto err; |
497 | | |
498 | 0 | ngroups++; |
499 | 0 | } |
500 | | |
501 | 0 | free(gs); |
502 | 0 | free(*out_group_ids); |
503 | 0 | *out_group_ids = group_ids; |
504 | 0 | *out_group_ids_len = ngroups; |
505 | |
|
506 | 0 | return 1; |
507 | | |
508 | 0 | err: |
509 | 0 | free(gs); |
510 | 0 | free(group_ids); |
511 | |
|
512 | 0 | return 0; |
513 | 0 | } |
514 | | |
515 | | /* Check that a group is one of our preferences. */ |
516 | | int |
517 | | tls1_check_group(SSL *s, uint16_t group_id) |
518 | 0 | { |
519 | 0 | const uint16_t *groups; |
520 | 0 | size_t groupslen, i; |
521 | |
|
522 | 0 | tls1_get_group_list(s, 0, &groups, &groupslen); |
523 | |
|
524 | 0 | for (i = 0; i < groupslen; i++) { |
525 | 0 | if (!ssl_security_supported_group(s, groups[i])) |
526 | 0 | continue; |
527 | 0 | if (groups[i] == group_id) |
528 | 0 | return 1; |
529 | 0 | } |
530 | 0 | return 0; |
531 | 0 | } |
532 | | |
533 | | int |
534 | | tls1_get_supported_group(SSL *s, int *out_nid) |
535 | 0 | { |
536 | 0 | size_t preflen, supplen, i, j; |
537 | 0 | const uint16_t *pref, *supp; |
538 | 0 | unsigned long server_pref; |
539 | | |
540 | | /* Cannot do anything on the client side. */ |
541 | 0 | if (s->server == 0) |
542 | 0 | return 0; |
543 | | |
544 | | /* Return first preference supported group. */ |
545 | 0 | server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE); |
546 | 0 | tls1_get_group_list(s, (server_pref == 0), &pref, &preflen); |
547 | 0 | tls1_get_group_list(s, (server_pref != 0), &supp, &supplen); |
548 | |
|
549 | 0 | for (i = 0; i < preflen; i++) { |
550 | 0 | if (!ssl_security_supported_group(s, pref[i])) |
551 | 0 | continue; |
552 | 0 | for (j = 0; j < supplen; j++) { |
553 | 0 | if (pref[i] == supp[j]) |
554 | 0 | return tls1_ec_group_id2nid(pref[i], out_nid); |
555 | 0 | } |
556 | 0 | } |
557 | 0 | return 0; |
558 | 0 | } |
559 | | |
560 | | /* For an EC key set TLS ID and required compression based on parameters. */ |
561 | | static int |
562 | | tls1_set_ec_id(uint16_t *group_id, uint8_t *comp_id, EC_KEY *ec) |
563 | 0 | { |
564 | 0 | const EC_GROUP *grp; |
565 | 0 | const EC_METHOD *meth; |
566 | 0 | int prime_field; |
567 | 0 | int nid; |
568 | |
|
569 | 0 | if (ec == NULL) |
570 | 0 | return (0); |
571 | | |
572 | | /* Determine whether the group is defined over a prime field. */ |
573 | 0 | if ((grp = EC_KEY_get0_group(ec)) == NULL) |
574 | 0 | return (0); |
575 | 0 | if ((meth = EC_GROUP_method_of(grp)) == NULL) |
576 | 0 | return (0); |
577 | 0 | prime_field = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field); |
578 | | |
579 | | /* Determine group ID. */ |
580 | 0 | nid = EC_GROUP_get_curve_name(grp); |
581 | | /* If we have an ID set it, otherwise set arbitrary explicit group. */ |
582 | 0 | if (!tls1_ec_nid2group_id(nid, group_id)) |
583 | 0 | *group_id = prime_field ? 0xff01 : 0xff02; |
584 | |
|
585 | 0 | if (comp_id == NULL) |
586 | 0 | return (1); |
587 | | |
588 | | /* Specify the compression identifier. */ |
589 | 0 | if (EC_KEY_get0_public_key(ec) == NULL) |
590 | 0 | return (0); |
591 | 0 | *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; |
592 | 0 | if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { |
593 | 0 | *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; |
594 | 0 | if (prime_field) |
595 | 0 | *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; |
596 | 0 | } |
597 | |
|
598 | 0 | return (1); |
599 | 0 | } |
600 | | |
601 | | /* Check that an EC key is compatible with extensions. */ |
602 | | static int |
603 | | tls1_check_ec_key(SSL *s, const uint16_t *group_id, const uint8_t *comp_id) |
604 | 0 | { |
605 | 0 | size_t groupslen, formatslen, i; |
606 | 0 | const uint16_t *groups; |
607 | 0 | const uint8_t *formats; |
608 | | |
609 | | /* |
610 | | * Check point formats extension if present, otherwise everything |
611 | | * is supported (see RFC4492). |
612 | | */ |
613 | 0 | tls1_get_formatlist(s, 1, &formats, &formatslen); |
614 | 0 | if (comp_id != NULL && formats != NULL) { |
615 | 0 | for (i = 0; i < formatslen; i++) { |
616 | 0 | if (formats[i] == *comp_id) |
617 | 0 | break; |
618 | 0 | } |
619 | 0 | if (i == formatslen) |
620 | 0 | return (0); |
621 | 0 | } |
622 | | |
623 | | /* |
624 | | * Check group list if present, otherwise everything is supported. |
625 | | */ |
626 | 0 | tls1_get_group_list(s, 1, &groups, &groupslen); |
627 | 0 | if (group_id != NULL && groups != NULL) { |
628 | 0 | for (i = 0; i < groupslen; i++) { |
629 | 0 | if (groups[i] == *group_id) |
630 | 0 | break; |
631 | 0 | } |
632 | 0 | if (i == groupslen) |
633 | 0 | return (0); |
634 | 0 | } |
635 | | |
636 | 0 | return (1); |
637 | 0 | } |
638 | | |
639 | | /* Check EC server key is compatible with client extensions. */ |
640 | | int |
641 | | tls1_check_ec_server_key(SSL *s) |
642 | 0 | { |
643 | 0 | SSL_CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; |
644 | 0 | uint16_t group_id; |
645 | 0 | uint8_t comp_id; |
646 | 0 | EC_KEY *eckey; |
647 | 0 | EVP_PKEY *pkey; |
648 | |
|
649 | 0 | if (cpk->x509 == NULL || cpk->privatekey == NULL) |
650 | 0 | return (0); |
651 | 0 | if ((pkey = X509_get0_pubkey(cpk->x509)) == NULL) |
652 | 0 | return (0); |
653 | 0 | if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) |
654 | 0 | return (0); |
655 | 0 | if (!tls1_set_ec_id(&group_id, &comp_id, eckey)) |
656 | 0 | return (0); |
657 | | |
658 | 0 | return tls1_check_ec_key(s, &group_id, &comp_id); |
659 | 0 | } |
660 | | |
661 | | int |
662 | | ssl_check_clienthello_tlsext_early(SSL *s) |
663 | 0 | { |
664 | 0 | int ret = SSL_TLSEXT_ERR_NOACK; |
665 | 0 | int al = SSL_AD_UNRECOGNIZED_NAME; |
666 | | |
667 | | /* The handling of the ECPointFormats extension is done elsewhere, namely in |
668 | | * ssl3_choose_cipher in s3_lib.c. |
669 | | */ |
670 | | /* The handling of the EllipticCurves extension is done elsewhere, namely in |
671 | | * ssl3_choose_cipher in s3_lib.c. |
672 | | */ |
673 | |
|
674 | 0 | if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0) |
675 | 0 | ret = s->ctx->internal->tlsext_servername_callback(s, &al, |
676 | 0 | s->ctx->internal->tlsext_servername_arg); |
677 | 0 | else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0) |
678 | 0 | ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al, |
679 | 0 | s->initial_ctx->internal->tlsext_servername_arg); |
680 | |
|
681 | 0 | switch (ret) { |
682 | 0 | case SSL_TLSEXT_ERR_ALERT_FATAL: |
683 | 0 | ssl3_send_alert(s, SSL3_AL_FATAL, al); |
684 | 0 | return -1; |
685 | 0 | case SSL_TLSEXT_ERR_ALERT_WARNING: |
686 | 0 | ssl3_send_alert(s, SSL3_AL_WARNING, al); |
687 | 0 | return 1; |
688 | 0 | case SSL_TLSEXT_ERR_NOACK: |
689 | 0 | default: |
690 | 0 | return 1; |
691 | 0 | } |
692 | 0 | } |
693 | | |
694 | | int |
695 | | ssl_check_clienthello_tlsext_late(SSL *s) |
696 | 0 | { |
697 | 0 | int ret = SSL_TLSEXT_ERR_OK; |
698 | 0 | int al = 0; /* XXX gcc3 */ |
699 | | |
700 | | /* If status request then ask callback what to do. |
701 | | * Note: this must be called after servername callbacks in case |
702 | | * the certificate has changed, and must be called after the cipher |
703 | | * has been chosen because this may influence which certificate is sent |
704 | | */ |
705 | 0 | if ((s->tlsext_status_type != -1) && |
706 | 0 | s->ctx && s->ctx->internal->tlsext_status_cb) { |
707 | 0 | int r; |
708 | 0 | SSL_CERT_PKEY *certpkey; |
709 | 0 | certpkey = ssl_get_server_send_pkey(s); |
710 | | /* If no certificate can't return certificate status */ |
711 | 0 | if (certpkey == NULL) { |
712 | 0 | s->internal->tlsext_status_expected = 0; |
713 | 0 | return 1; |
714 | 0 | } |
715 | | /* Set current certificate to one we will use so |
716 | | * SSL_get_certificate et al can pick it up. |
717 | | */ |
718 | 0 | s->cert->key = certpkey; |
719 | 0 | r = s->ctx->internal->tlsext_status_cb(s, |
720 | 0 | s->ctx->internal->tlsext_status_arg); |
721 | 0 | switch (r) { |
722 | | /* We don't want to send a status request response */ |
723 | 0 | case SSL_TLSEXT_ERR_NOACK: |
724 | 0 | s->internal->tlsext_status_expected = 0; |
725 | 0 | break; |
726 | | /* status request response should be sent */ |
727 | 0 | case SSL_TLSEXT_ERR_OK: |
728 | 0 | if (s->internal->tlsext_ocsp_resp) |
729 | 0 | s->internal->tlsext_status_expected = 1; |
730 | 0 | else |
731 | 0 | s->internal->tlsext_status_expected = 0; |
732 | 0 | break; |
733 | | /* something bad happened */ |
734 | 0 | case SSL_TLSEXT_ERR_ALERT_FATAL: |
735 | 0 | ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
736 | 0 | al = SSL_AD_INTERNAL_ERROR; |
737 | 0 | goto err; |
738 | 0 | } |
739 | 0 | } else |
740 | 0 | s->internal->tlsext_status_expected = 0; |
741 | | |
742 | 0 | err: |
743 | 0 | switch (ret) { |
744 | 0 | case SSL_TLSEXT_ERR_ALERT_FATAL: |
745 | 0 | ssl3_send_alert(s, SSL3_AL_FATAL, al); |
746 | 0 | return -1; |
747 | 0 | case SSL_TLSEXT_ERR_ALERT_WARNING: |
748 | 0 | ssl3_send_alert(s, SSL3_AL_WARNING, al); |
749 | 0 | return 1; |
750 | 0 | default: |
751 | 0 | return 1; |
752 | 0 | } |
753 | 0 | } |
754 | | |
755 | | int |
756 | | ssl_check_serverhello_tlsext(SSL *s) |
757 | 0 | { |
758 | 0 | int ret = SSL_TLSEXT_ERR_NOACK; |
759 | 0 | int al = SSL_AD_UNRECOGNIZED_NAME; |
760 | |
|
761 | 0 | ret = SSL_TLSEXT_ERR_OK; |
762 | |
|
763 | 0 | if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0) |
764 | 0 | ret = s->ctx->internal->tlsext_servername_callback(s, &al, |
765 | 0 | s->ctx->internal->tlsext_servername_arg); |
766 | 0 | else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0) |
767 | 0 | ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al, |
768 | 0 | s->initial_ctx->internal->tlsext_servername_arg); |
769 | | |
770 | | /* If we've requested certificate status and we wont get one |
771 | | * tell the callback |
772 | | */ |
773 | 0 | if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) && |
774 | 0 | s->ctx && s->ctx->internal->tlsext_status_cb) { |
775 | 0 | int r; |
776 | |
|
777 | 0 | free(s->internal->tlsext_ocsp_resp); |
778 | 0 | s->internal->tlsext_ocsp_resp = NULL; |
779 | 0 | s->internal->tlsext_ocsp_resp_len = 0; |
780 | |
|
781 | 0 | r = s->ctx->internal->tlsext_status_cb(s, |
782 | 0 | s->ctx->internal->tlsext_status_arg); |
783 | 0 | if (r == 0) { |
784 | 0 | al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; |
785 | 0 | ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
786 | 0 | } |
787 | 0 | if (r < 0) { |
788 | 0 | al = SSL_AD_INTERNAL_ERROR; |
789 | 0 | ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
790 | 0 | } |
791 | 0 | } |
792 | |
|
793 | 0 | switch (ret) { |
794 | 0 | case SSL_TLSEXT_ERR_ALERT_FATAL: |
795 | 0 | ssl3_send_alert(s, SSL3_AL_FATAL, al); |
796 | 0 | return -1; |
797 | 0 | case SSL_TLSEXT_ERR_ALERT_WARNING: |
798 | 0 | ssl3_send_alert(s, SSL3_AL_WARNING, al); |
799 | 0 | return 1; |
800 | 0 | case SSL_TLSEXT_ERR_NOACK: |
801 | 0 | default: |
802 | 0 | return 1; |
803 | 0 | } |
804 | 0 | } |
805 | | |
806 | | /* Since the server cache lookup is done early on in the processing of the |
807 | | * ClientHello, and other operations depend on the result, we need to handle |
808 | | * any TLS session ticket extension at the same time. |
809 | | * |
810 | | * ext_block: a CBS for the ClientHello extensions block. |
811 | | * ret: (output) on return, if a ticket was decrypted, then this is set to |
812 | | * point to the resulting session. |
813 | | * |
814 | | * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key |
815 | | * ciphersuite, in which case we have no use for session tickets and one will |
816 | | * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1. |
817 | | * |
818 | | * Returns: |
819 | | * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket. |
820 | | * TLS1_TICKET_NONE: no ticket was found (or was ignored, based on settings). |
821 | | * TLS1_TICKET_EMPTY: a zero length extension was found, indicating that the |
822 | | * client supports session tickets but doesn't currently have one to offer. |
823 | | * TLS1_TICKET_NOT_DECRYPTED: either s->internal->tls_session_secret_cb was |
824 | | * set, or a ticket was offered but couldn't be decrypted because of a |
825 | | * non-fatal error. |
826 | | * TLS1_TICKET_DECRYPTED: a ticket was successfully decrypted and *ret was set. |
827 | | * |
828 | | * Side effects: |
829 | | * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue |
830 | | * a new session ticket to the client because the client indicated support |
831 | | * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have |
832 | | * a session ticket or we couldn't use the one it gave us, or if |
833 | | * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. |
834 | | * Otherwise, s->internal->tlsext_ticket_expected is set to 0. |
835 | | */ |
836 | | int |
837 | | tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret) |
838 | 0 | { |
839 | 0 | CBS extensions, ext_data; |
840 | 0 | uint16_t ext_type = 0; |
841 | |
|
842 | 0 | s->internal->tlsext_ticket_expected = 0; |
843 | 0 | *ret = NULL; |
844 | | |
845 | | /* |
846 | | * If tickets disabled behave as if no ticket present to permit stateful |
847 | | * resumption. |
848 | | */ |
849 | 0 | if (SSL_get_options(s) & SSL_OP_NO_TICKET) |
850 | 0 | return TLS1_TICKET_NONE; |
851 | | |
852 | | /* |
853 | | * An empty extensions block is valid, but obviously does not contain |
854 | | * a session ticket. |
855 | | */ |
856 | 0 | if (CBS_len(ext_block) == 0) |
857 | 0 | return TLS1_TICKET_NONE; |
858 | | |
859 | 0 | if (!CBS_get_u16_length_prefixed(ext_block, &extensions)) { |
860 | 0 | *alert = SSL_AD_DECODE_ERROR; |
861 | 0 | return TLS1_TICKET_FATAL_ERROR; |
862 | 0 | } |
863 | | |
864 | 0 | while (CBS_len(&extensions) > 0) { |
865 | 0 | if (!CBS_get_u16(&extensions, &ext_type) || |
866 | 0 | !CBS_get_u16_length_prefixed(&extensions, &ext_data)) { |
867 | 0 | *alert = SSL_AD_DECODE_ERROR; |
868 | 0 | return TLS1_TICKET_FATAL_ERROR; |
869 | 0 | } |
870 | | |
871 | 0 | if (ext_type == TLSEXT_TYPE_session_ticket) |
872 | 0 | break; |
873 | 0 | } |
874 | | |
875 | 0 | if (ext_type != TLSEXT_TYPE_session_ticket) |
876 | 0 | return TLS1_TICKET_NONE; |
877 | | |
878 | 0 | if (CBS_len(&ext_data) == 0) { |
879 | | /* |
880 | | * The client will accept a ticket but does not currently |
881 | | * have one. |
882 | | */ |
883 | 0 | s->internal->tlsext_ticket_expected = 1; |
884 | 0 | return TLS1_TICKET_EMPTY; |
885 | 0 | } |
886 | | |
887 | 0 | if (s->internal->tls_session_secret_cb != NULL) { |
888 | | /* |
889 | | * Indicate that the ticket could not be decrypted rather than |
890 | | * generating the session from ticket now, trigger abbreviated |
891 | | * handshake based on external mechanism to calculate the master |
892 | | * secret later. |
893 | | */ |
894 | 0 | return TLS1_TICKET_NOT_DECRYPTED; |
895 | 0 | } |
896 | | |
897 | 0 | return tls_decrypt_ticket(s, &ext_data, alert, ret); |
898 | 0 | } |
899 | | |
900 | | /* tls_decrypt_ticket attempts to decrypt a session ticket. |
901 | | * |
902 | | * ticket: a CBS containing the body of the session ticket extension. |
903 | | * psess: (output) on return, if a ticket was decrypted, then this is set to |
904 | | * point to the resulting session. |
905 | | * |
906 | | * Returns: |
907 | | * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket. |
908 | | * TLS1_TICKET_NOT_DECRYPTED: the ticket couldn't be decrypted. |
909 | | * TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set. |
910 | | */ |
911 | | static int |
912 | | tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) |
913 | 0 | { |
914 | 0 | CBS ticket_name, ticket_iv, ticket_encdata, ticket_hmac; |
915 | 0 | SSL_SESSION *sess = NULL; |
916 | 0 | unsigned char *sdec = NULL; |
917 | 0 | size_t sdec_len = 0; |
918 | 0 | const unsigned char *p; |
919 | 0 | unsigned char hmac[EVP_MAX_MD_SIZE]; |
920 | 0 | HMAC_CTX *hctx = NULL; |
921 | 0 | EVP_CIPHER_CTX *cctx = NULL; |
922 | 0 | SSL_CTX *tctx = s->initial_ctx; |
923 | 0 | int slen, hlen; |
924 | 0 | int alert_desc = SSL_AD_INTERNAL_ERROR; |
925 | 0 | int ret = TLS1_TICKET_FATAL_ERROR; |
926 | |
|
927 | 0 | *psess = NULL; |
928 | |
|
929 | 0 | if (!CBS_get_bytes(ticket, &ticket_name, 16)) |
930 | 0 | goto derr; |
931 | | |
932 | | /* |
933 | | * Initialize session ticket encryption and HMAC contexts. |
934 | | */ |
935 | 0 | if ((cctx = EVP_CIPHER_CTX_new()) == NULL) |
936 | 0 | goto err; |
937 | 0 | if ((hctx = HMAC_CTX_new()) == NULL) |
938 | 0 | goto err; |
939 | | |
940 | 0 | if (tctx->internal->tlsext_ticket_key_cb != NULL) { |
941 | 0 | int rv; |
942 | | |
943 | | /* |
944 | | * The API guarantees EVP_MAX_IV_LENGTH bytes of space for |
945 | | * the iv to tlsext_ticket_key_cb(). Since the total space |
946 | | * required for a session cookie is never less than this, |
947 | | * this check isn't too strict. The exact check comes later. |
948 | | */ |
949 | 0 | if (CBS_len(ticket) < EVP_MAX_IV_LENGTH) |
950 | 0 | goto derr; |
951 | | |
952 | 0 | if ((rv = tctx->internal->tlsext_ticket_key_cb(s, |
953 | 0 | (unsigned char *)CBS_data(&ticket_name), |
954 | 0 | (unsigned char *)CBS_data(ticket), cctx, hctx, 0)) < 0) |
955 | 0 | goto err; |
956 | 0 | if (rv == 0) |
957 | 0 | goto derr; |
958 | 0 | if (rv == 2) { |
959 | | /* Renew ticket. */ |
960 | 0 | s->internal->tlsext_ticket_expected = 1; |
961 | 0 | } |
962 | | |
963 | | /* |
964 | | * Now that the cipher context is initialised, we can extract |
965 | | * the IV since its length is known. |
966 | | */ |
967 | 0 | if (!CBS_get_bytes(ticket, &ticket_iv, |
968 | 0 | EVP_CIPHER_CTX_iv_length(cctx))) |
969 | 0 | goto derr; |
970 | 0 | } else { |
971 | | /* Check that the key name matches. */ |
972 | 0 | if (!CBS_mem_equal(&ticket_name, |
973 | 0 | tctx->internal->tlsext_tick_key_name, |
974 | 0 | sizeof(tctx->internal->tlsext_tick_key_name))) |
975 | 0 | goto derr; |
976 | 0 | if (!CBS_get_bytes(ticket, &ticket_iv, |
977 | 0 | EVP_CIPHER_iv_length(EVP_aes_128_cbc()))) |
978 | 0 | goto derr; |
979 | 0 | if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL, |
980 | 0 | tctx->internal->tlsext_tick_aes_key, CBS_data(&ticket_iv))) |
981 | 0 | goto err; |
982 | 0 | if (!HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key, |
983 | 0 | sizeof(tctx->internal->tlsext_tick_hmac_key), EVP_sha256(), |
984 | 0 | NULL)) |
985 | 0 | goto err; |
986 | 0 | } |
987 | | |
988 | | /* |
989 | | * Attempt to process session ticket. |
990 | | */ |
991 | | |
992 | 0 | if ((hlen = HMAC_size(hctx)) < 0) |
993 | 0 | goto err; |
994 | | |
995 | 0 | if (hlen > CBS_len(ticket)) |
996 | 0 | goto derr; |
997 | 0 | if (!CBS_get_bytes(ticket, &ticket_encdata, CBS_len(ticket) - hlen)) |
998 | 0 | goto derr; |
999 | 0 | if (!CBS_get_bytes(ticket, &ticket_hmac, hlen)) |
1000 | 0 | goto derr; |
1001 | 0 | if (CBS_len(ticket) != 0) { |
1002 | 0 | alert_desc = SSL_AD_DECODE_ERROR; |
1003 | 0 | goto err; |
1004 | 0 | } |
1005 | | |
1006 | | /* Check HMAC of encrypted ticket. */ |
1007 | 0 | if (HMAC_Update(hctx, CBS_data(&ticket_name), |
1008 | 0 | CBS_len(&ticket_name)) <= 0) |
1009 | 0 | goto err; |
1010 | 0 | if (HMAC_Update(hctx, CBS_data(&ticket_iv), |
1011 | 0 | CBS_len(&ticket_iv)) <= 0) |
1012 | 0 | goto err; |
1013 | 0 | if (HMAC_Update(hctx, CBS_data(&ticket_encdata), |
1014 | 0 | CBS_len(&ticket_encdata)) <= 0) |
1015 | 0 | goto err; |
1016 | 0 | if (HMAC_Final(hctx, hmac, &hlen) <= 0) |
1017 | 0 | goto err; |
1018 | | |
1019 | 0 | if (!CBS_mem_equal(&ticket_hmac, hmac, hlen)) |
1020 | 0 | goto derr; |
1021 | | |
1022 | | /* Attempt to decrypt session data. */ |
1023 | 0 | sdec_len = CBS_len(&ticket_encdata); |
1024 | 0 | if ((sdec = calloc(1, sdec_len)) == NULL) |
1025 | 0 | goto err; |
1026 | 0 | if (EVP_DecryptUpdate(cctx, sdec, &slen, CBS_data(&ticket_encdata), |
1027 | 0 | CBS_len(&ticket_encdata)) <= 0) |
1028 | 0 | goto derr; |
1029 | 0 | if (EVP_DecryptFinal_ex(cctx, sdec + slen, &hlen) <= 0) |
1030 | 0 | goto derr; |
1031 | | |
1032 | 0 | slen += hlen; |
1033 | | |
1034 | | /* |
1035 | | * For session parse failures, indicate that we need to send a new |
1036 | | * ticket. |
1037 | | */ |
1038 | 0 | p = sdec; |
1039 | 0 | if ((sess = d2i_SSL_SESSION(NULL, &p, slen)) == NULL) |
1040 | 0 | goto derr; |
1041 | 0 | *psess = sess; |
1042 | 0 | sess = NULL; |
1043 | |
|
1044 | 0 | ret = TLS1_TICKET_DECRYPTED; |
1045 | 0 | goto done; |
1046 | | |
1047 | 0 | derr: |
1048 | 0 | ERR_clear_error(); |
1049 | 0 | s->internal->tlsext_ticket_expected = 1; |
1050 | 0 | ret = TLS1_TICKET_NOT_DECRYPTED; |
1051 | 0 | goto done; |
1052 | | |
1053 | 0 | err: |
1054 | 0 | *alert = alert_desc; |
1055 | 0 | ret = TLS1_TICKET_FATAL_ERROR; |
1056 | 0 | goto done; |
1057 | | |
1058 | 0 | done: |
1059 | 0 | freezero(sdec, sdec_len); |
1060 | 0 | EVP_CIPHER_CTX_free(cctx); |
1061 | 0 | HMAC_CTX_free(hctx); |
1062 | 0 | SSL_SESSION_free(sess); |
1063 | |
|
1064 | 0 | return ret; |
1065 | 0 | } |