/src/libressl/ssl/t1_lib.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: t1_lib.c,v 1.204 2025/01/18 14:17:05 tb Exp $ */ |
2 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | | * All rights reserved. |
4 | | * |
5 | | * This package is an SSL implementation written |
6 | | * by Eric Young (eay@cryptsoft.com). |
7 | | * The implementation was written so as to conform with Netscapes SSL. |
8 | | * |
9 | | * This library is free for commercial and non-commercial use as long as |
10 | | * the following conditions are aheared to. The following conditions |
11 | | * apply to all code found in this distribution, be it the RC4, RSA, |
12 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 | | * included with this distribution is covered by the same copyright terms |
14 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 | | * |
16 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | | * the code are not to be removed. |
18 | | * If this package is used in a product, Eric Young should be given attribution |
19 | | * as the author of the parts of the library used. |
20 | | * This can be in the form of a textual message at program startup or |
21 | | * in documentation (online or textual) provided with the package. |
22 | | * |
23 | | * Redistribution and use in source and binary forms, with or without |
24 | | * modification, are permitted provided that the following conditions |
25 | | * are met: |
26 | | * 1. Redistributions of source code must retain the copyright |
27 | | * notice, this list of conditions and the following disclaimer. |
28 | | * 2. Redistributions in binary form must reproduce the above copyright |
29 | | * notice, this list of conditions and the following disclaimer in the |
30 | | * documentation and/or other materials provided with the distribution. |
31 | | * 3. All advertising materials mentioning features or use of this software |
32 | | * must display the following acknowledgement: |
33 | | * "This product includes cryptographic software written by |
34 | | * Eric Young (eay@cryptsoft.com)" |
35 | | * The word 'cryptographic' can be left out if the rouines from the library |
36 | | * being used are not cryptographic related :-). |
37 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
38 | | * the apps directory (application code) you must include an acknowledgement: |
39 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 | | * |
41 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 | | * SUCH DAMAGE. |
52 | | * |
53 | | * The licence and distribution terms for any publically available version or |
54 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 | | * copied and put under another distribution licence |
56 | | * [including the GNU Public Licence.] |
57 | | */ |
58 | | /* ==================================================================== |
59 | | * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. |
60 | | * |
61 | | * Redistribution and use in source and binary forms, with or without |
62 | | * modification, are permitted provided that the following conditions |
63 | | * are met: |
64 | | * |
65 | | * 1. Redistributions of source code must retain the above copyright |
66 | | * notice, this list of conditions and the following disclaimer. |
67 | | * |
68 | | * 2. Redistributions in binary form must reproduce the above copyright |
69 | | * notice, this list of conditions and the following disclaimer in |
70 | | * the documentation and/or other materials provided with the |
71 | | * distribution. |
72 | | * |
73 | | * 3. All advertising materials mentioning features or use of this |
74 | | * software must display the following acknowledgment: |
75 | | * "This product includes software developed by the OpenSSL Project |
76 | | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
77 | | * |
78 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
79 | | * endorse or promote products derived from this software without |
80 | | * prior written permission. For written permission, please contact |
81 | | * openssl-core@openssl.org. |
82 | | * |
83 | | * 5. Products derived from this software may not be called "OpenSSL" |
84 | | * nor may "OpenSSL" appear in their names without prior written |
85 | | * permission of the OpenSSL Project. |
86 | | * |
87 | | * 6. Redistributions of any form whatsoever must retain the following |
88 | | * acknowledgment: |
89 | | * "This product includes software developed by the OpenSSL Project |
90 | | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
91 | | * |
92 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
93 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
94 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
95 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
96 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
97 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
98 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
99 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
100 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
101 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
102 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
103 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
104 | | * ==================================================================== |
105 | | * |
106 | | * This product includes cryptographic software written by Eric Young |
107 | | * (eay@cryptsoft.com). This product includes software written by Tim |
108 | | * Hudson (tjh@cryptsoft.com). |
109 | | * |
110 | | */ |
111 | | |
112 | | #include <stdio.h> |
113 | | |
114 | | #include <openssl/evp.h> |
115 | | #include <openssl/hmac.h> |
116 | | #include <openssl/objects.h> |
117 | | #include <openssl/ocsp.h> |
118 | | |
119 | | #include "bytestring.h" |
120 | | #include "ssl_local.h" |
121 | | #include "ssl_sigalgs.h" |
122 | | #include "ssl_tlsext.h" |
123 | | |
124 | | static int tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, |
125 | | SSL_SESSION **psess); |
126 | | |
127 | | int |
128 | | tls1_new(SSL *s) |
129 | 9.47k | { |
130 | 9.47k | if (!ssl3_new(s)) |
131 | 0 | return 0; |
132 | 9.47k | s->method->ssl_clear(s); |
133 | 9.47k | return 1; |
134 | 9.47k | } |
135 | | |
136 | | void |
137 | | tls1_free(SSL *s) |
138 | 9.47k | { |
139 | 9.47k | if (s == NULL) |
140 | 0 | return; |
141 | | |
142 | 9.47k | free(s->tlsext_session_ticket); |
143 | 9.47k | ssl3_free(s); |
144 | 9.47k | } |
145 | | |
146 | | void |
147 | | tls1_clear(SSL *s) |
148 | 28.4k | { |
149 | 28.4k | ssl3_clear(s); |
150 | 28.4k | s->version = s->method->version; |
151 | 28.4k | } |
152 | | |
153 | | struct supported_group { |
154 | | int nid; |
155 | | int bits; |
156 | | }; |
157 | | |
158 | | /* |
159 | | * Supported groups (formerly known as named curves) |
160 | | * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8 |
161 | | */ |
162 | | static const struct supported_group nid_list[] = { |
163 | | [1] = { |
164 | | .nid = NID_sect163k1, |
165 | | .bits = 80, |
166 | | }, |
167 | | [2] = { |
168 | | .nid = NID_sect163r1, |
169 | | .bits = 80, |
170 | | }, |
171 | | [3] = { |
172 | | .nid = NID_sect163r2, |
173 | | .bits = 80, |
174 | | }, |
175 | | [4] = { |
176 | | .nid = NID_sect193r1, |
177 | | .bits = 80, |
178 | | }, |
179 | | [5] = { |
180 | | .nid = NID_sect193r2, |
181 | | .bits = 80, |
182 | | }, |
183 | | [6] = { |
184 | | .nid = NID_sect233k1, |
185 | | .bits = 112, |
186 | | }, |
187 | | [7] = { |
188 | | .nid = NID_sect233r1, |
189 | | .bits = 112, |
190 | | }, |
191 | | [8] = { |
192 | | .nid = NID_sect239k1, |
193 | | .bits = 112, |
194 | | }, |
195 | | [9] = { |
196 | | .nid = NID_sect283k1, |
197 | | .bits = 128, |
198 | | }, |
199 | | [10] = { |
200 | | .nid = NID_sect283r1, |
201 | | .bits = 128, |
202 | | }, |
203 | | [11] = { |
204 | | .nid = NID_sect409k1, |
205 | | .bits = 192, |
206 | | }, |
207 | | [12] = { |
208 | | .nid = NID_sect409r1, |
209 | | .bits = 192, |
210 | | }, |
211 | | [13] = { |
212 | | .nid = NID_sect571k1, |
213 | | .bits = 256, |
214 | | }, |
215 | | [14] = { |
216 | | .nid = NID_sect571r1, |
217 | | .bits = 256, |
218 | | }, |
219 | | [15] = { |
220 | | .nid = NID_secp160k1, |
221 | | .bits = 80, |
222 | | }, |
223 | | [16] = { |
224 | | .nid = NID_secp160r1, |
225 | | .bits = 80, |
226 | | }, |
227 | | [17] = { |
228 | | .nid = NID_secp160r2, |
229 | | .bits = 80, |
230 | | }, |
231 | | [18] = { |
232 | | .nid = NID_secp192k1, |
233 | | .bits = 80, |
234 | | }, |
235 | | [19] = { |
236 | | .nid = NID_X9_62_prime192v1, /* aka secp192r1 */ |
237 | | .bits = 80, |
238 | | }, |
239 | | [20] = { |
240 | | .nid = NID_secp224k1, |
241 | | .bits = 112, |
242 | | }, |
243 | | [21] = { |
244 | | .nid = NID_secp224r1, |
245 | | .bits = 112, |
246 | | }, |
247 | | [22] = { |
248 | | .nid = NID_secp256k1, |
249 | | .bits = 128, |
250 | | }, |
251 | | [23] = { |
252 | | .nid = NID_X9_62_prime256v1, /* aka secp256r1 */ |
253 | | .bits = 128, |
254 | | }, |
255 | | [24] = { |
256 | | .nid = NID_secp384r1, |
257 | | .bits = 192, |
258 | | }, |
259 | | [25] = { |
260 | | .nid = NID_secp521r1, |
261 | | .bits = 256, |
262 | | }, |
263 | | [26] = { |
264 | | .nid = NID_brainpoolP256r1, |
265 | | .bits = 128, |
266 | | }, |
267 | | [27] = { |
268 | | .nid = NID_brainpoolP384r1, |
269 | | .bits = 192, |
270 | | }, |
271 | | [28] = { |
272 | | .nid = NID_brainpoolP512r1, |
273 | | .bits = 256, |
274 | | }, |
275 | | [29] = { |
276 | | .nid = NID_X25519, |
277 | | .bits = 128, |
278 | | }, |
279 | | }; |
280 | | |
281 | 250k | #define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0])) |
282 | | |
283 | | #if 0 |
284 | | static const uint8_t ecformats_list[] = { |
285 | | TLSEXT_ECPOINTFORMAT_uncompressed, |
286 | | TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, |
287 | | TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 |
288 | | }; |
289 | | #endif |
290 | | |
291 | | static const uint8_t ecformats_default[] = { |
292 | | TLSEXT_ECPOINTFORMAT_uncompressed, |
293 | | }; |
294 | | |
295 | | #if 0 |
296 | | static const uint16_t ecgroups_list[] = { |
297 | | 29, /* X25519 (29) */ |
298 | | 14, /* sect571r1 (14) */ |
299 | | 13, /* sect571k1 (13) */ |
300 | | 25, /* secp521r1 (25) */ |
301 | | 28, /* brainpoolP512r1 (28) */ |
302 | | 11, /* sect409k1 (11) */ |
303 | | 12, /* sect409r1 (12) */ |
304 | | 27, /* brainpoolP384r1 (27) */ |
305 | | 24, /* secp384r1 (24) */ |
306 | | 9, /* sect283k1 (9) */ |
307 | | 10, /* sect283r1 (10) */ |
308 | | 26, /* brainpoolP256r1 (26) */ |
309 | | 22, /* secp256k1 (22) */ |
310 | | 23, /* secp256r1 (23) */ |
311 | | 8, /* sect239k1 (8) */ |
312 | | 6, /* sect233k1 (6) */ |
313 | | 7, /* sect233r1 (7) */ |
314 | | 20, /* secp224k1 (20) */ |
315 | | 21, /* secp224r1 (21) */ |
316 | | 4, /* sect193r1 (4) */ |
317 | | 5, /* sect193r2 (5) */ |
318 | | 18, /* secp192k1 (18) */ |
319 | | 19, /* secp192r1 (19) */ |
320 | | 1, /* sect163k1 (1) */ |
321 | | 2, /* sect163r1 (2) */ |
322 | | 3, /* sect163r2 (3) */ |
323 | | 15, /* secp160k1 (15) */ |
324 | | 16, /* secp160r1 (16) */ |
325 | | 17, /* secp160r2 (17) */ |
326 | | }; |
327 | | #endif |
328 | | |
329 | | static const uint16_t ecgroups_client_default[] = { |
330 | | 29, /* X25519 (29) */ |
331 | | 23, /* secp256r1 (23) */ |
332 | | 24, /* secp384r1 (24) */ |
333 | | 25, /* secp521r1 (25) */ |
334 | | }; |
335 | | |
336 | | static const uint16_t ecgroups_server_default[] = { |
337 | | 29, /* X25519 (29) */ |
338 | | 23, /* secp256r1 (23) */ |
339 | | 24, /* secp384r1 (24) */ |
340 | | }; |
341 | | |
342 | | int |
343 | | tls1_ec_group_id2nid(uint16_t group_id, int *out_nid) |
344 | 38.9k | { |
345 | 38.9k | int nid; |
346 | | |
347 | 38.9k | if (group_id >= NID_LIST_LEN) |
348 | 0 | return 0; |
349 | | |
350 | 38.9k | if ((nid = nid_list[group_id].nid) == 0) |
351 | 0 | return 0; |
352 | | |
353 | 38.9k | *out_nid = nid; |
354 | | |
355 | 38.9k | return 1; |
356 | 38.9k | } |
357 | | |
358 | | int |
359 | | tls1_ec_group_id2bits(uint16_t group_id, int *out_bits) |
360 | 29.1k | { |
361 | 29.1k | int bits; |
362 | | |
363 | 29.1k | if (group_id >= NID_LIST_LEN) |
364 | 313 | return 0; |
365 | | |
366 | 28.8k | if ((bits = nid_list[group_id].bits) == 0) |
367 | 12 | return 0; |
368 | | |
369 | 28.8k | *out_bits = bits; |
370 | | |
371 | 28.8k | return 1; |
372 | 28.8k | } |
373 | | |
374 | | int |
375 | | tls1_ec_nid2group_id(int nid, uint16_t *out_group_id) |
376 | 7.51k | { |
377 | 7.51k | uint16_t group_id; |
378 | | |
379 | 7.51k | if (nid == 0) |
380 | 0 | return 0; |
381 | | |
382 | 181k | for (group_id = 0; group_id < NID_LIST_LEN; group_id++) { |
383 | 181k | if (nid_list[group_id].nid == nid) { |
384 | 7.51k | *out_group_id = group_id; |
385 | 7.51k | return 1; |
386 | 7.51k | } |
387 | 181k | } |
388 | | |
389 | 0 | return 0; |
390 | 7.51k | } |
391 | | |
392 | | /* |
393 | | * Return the appropriate format list. If client_formats is non-zero, return |
394 | | * the client/session formats. Otherwise return the custom format list if one |
395 | | * exists, or the default formats if a custom list has not been specified. |
396 | | */ |
397 | | void |
398 | | tls1_get_formatlist(const SSL *s, int client_formats, const uint8_t **pformats, |
399 | | size_t *pformatslen) |
400 | 11.7k | { |
401 | 11.7k | if (client_formats != 0) { |
402 | 6.00k | *pformats = s->session->tlsext_ecpointformatlist; |
403 | 6.00k | *pformatslen = s->session->tlsext_ecpointformatlist_length; |
404 | 6.00k | return; |
405 | 6.00k | } |
406 | | |
407 | 5.70k | *pformats = s->tlsext_ecpointformatlist; |
408 | 5.70k | *pformatslen = s->tlsext_ecpointformatlist_length; |
409 | 5.70k | if (*pformats == NULL) { |
410 | 5.70k | *pformats = ecformats_default; |
411 | 5.70k | *pformatslen = sizeof(ecformats_default); |
412 | 5.70k | } |
413 | 5.70k | } |
414 | | |
415 | | /* |
416 | | * Return the appropriate group list. If client_groups is non-zero, return |
417 | | * the client/session groups. Otherwise return the custom group list if one |
418 | | * exists, or the default groups if a custom list has not been specified. |
419 | | */ |
420 | | void |
421 | | tls1_get_group_list(const SSL *s, int client_groups, const uint16_t **pgroups, |
422 | | size_t *pgroupslen) |
423 | 26.1k | { |
424 | 26.1k | if (client_groups != 0) { |
425 | 9.85k | *pgroups = s->session->tlsext_supportedgroups; |
426 | 9.85k | *pgroupslen = s->session->tlsext_supportedgroups_length; |
427 | 9.85k | return; |
428 | 9.85k | } |
429 | | |
430 | 16.2k | *pgroups = s->tlsext_supportedgroups; |
431 | 16.2k | *pgroupslen = s->tlsext_supportedgroups_length; |
432 | 16.2k | if (*pgroups != NULL) |
433 | 0 | return; |
434 | | |
435 | 16.2k | if (!s->server) { |
436 | 12.4k | *pgroups = ecgroups_client_default; |
437 | 12.4k | *pgroupslen = sizeof(ecgroups_client_default) / 2; |
438 | 12.4k | } else { |
439 | 3.85k | *pgroups = ecgroups_server_default; |
440 | 3.85k | *pgroupslen = sizeof(ecgroups_server_default) / 2; |
441 | 3.85k | } |
442 | 16.2k | } |
443 | | |
444 | | static int |
445 | | tls1_get_group_lists(const SSL *ssl, const uint16_t **pref, size_t *preflen, |
446 | | const uint16_t **supp, size_t *supplen) |
447 | 3.58k | { |
448 | 3.58k | unsigned long server_pref; |
449 | | |
450 | | /* Cannot do anything on the client side. */ |
451 | 3.58k | if (!ssl->server) |
452 | 0 | return 0; |
453 | | |
454 | 3.58k | server_pref = (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE); |
455 | 3.58k | tls1_get_group_list(ssl, (server_pref == 0), pref, preflen); |
456 | 3.58k | tls1_get_group_list(ssl, (server_pref != 0), supp, supplen); |
457 | | |
458 | 3.58k | return 1; |
459 | 3.58k | } |
460 | | |
461 | | static int |
462 | | tls1_group_id_present(uint16_t group_id, const uint16_t *list, size_t list_len) |
463 | 3.86k | { |
464 | 3.86k | size_t i; |
465 | | |
466 | 9.86k | for (i = 0; i < list_len; i++) { |
467 | 9.13k | if (group_id == list[i]) |
468 | 3.14k | return 1; |
469 | 9.13k | } |
470 | | |
471 | 722 | return 0; |
472 | 3.86k | } |
473 | | |
474 | | int |
475 | | tls1_count_shared_groups(const SSL *ssl, size_t *out_count) |
476 | 0 | { |
477 | 0 | size_t count, preflen, supplen, i; |
478 | 0 | const uint16_t *pref, *supp; |
479 | |
|
480 | 0 | if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen)) |
481 | 0 | return 0; |
482 | | |
483 | 0 | count = 0; |
484 | 0 | for (i = 0; i < preflen; i++) { |
485 | 0 | if (!tls1_group_id_present(pref[i], supp, supplen)) |
486 | 0 | continue; |
487 | | |
488 | 0 | if (!ssl_security_shared_group(ssl, pref[i])) |
489 | 0 | continue; |
490 | | |
491 | 0 | count++; |
492 | 0 | } |
493 | |
|
494 | 0 | *out_count = count; |
495 | |
|
496 | 0 | return 1; |
497 | 0 | } |
498 | | |
499 | | static int |
500 | | tls1_group_by_index(const SSL *ssl, size_t n, int *out_nid, |
501 | | int (*ssl_security_fn)(const SSL *, uint16_t)) |
502 | 3.58k | { |
503 | 3.58k | size_t count, preflen, supplen, i; |
504 | 3.58k | const uint16_t *pref, *supp; |
505 | | |
506 | 3.58k | if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen)) |
507 | 0 | return 0; |
508 | | |
509 | 3.58k | count = 0; |
510 | 4.30k | for (i = 0; i < preflen; i++) { |
511 | 3.86k | if (!tls1_group_id_present(pref[i], supp, supplen)) |
512 | 722 | continue; |
513 | | |
514 | 3.14k | if (!ssl_security_fn(ssl, pref[i])) |
515 | 0 | continue; |
516 | | |
517 | 3.14k | if (count++ == n) |
518 | 3.14k | return tls1_ec_group_id2nid(pref[i], out_nid); |
519 | 3.14k | } |
520 | | |
521 | 439 | return 0; |
522 | 3.58k | } |
523 | | |
524 | | int |
525 | | tls1_get_shared_group_by_index(const SSL *ssl, size_t index, int *out_nid) |
526 | 0 | { |
527 | 0 | return tls1_group_by_index(ssl, index, out_nid, |
528 | 0 | ssl_security_shared_group); |
529 | 0 | } |
530 | | |
531 | | int |
532 | | tls1_get_supported_group(const SSL *ssl, int *out_nid) |
533 | 3.58k | { |
534 | 3.58k | return tls1_group_by_index(ssl, 0, out_nid, |
535 | 3.58k | ssl_security_supported_group); |
536 | 3.58k | } |
537 | | |
538 | | int |
539 | | tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len, |
540 | | const int *groups, size_t ngroups) |
541 | 0 | { |
542 | 0 | uint16_t *group_ids; |
543 | 0 | size_t i; |
544 | |
|
545 | 0 | if ((group_ids = calloc(ngroups, sizeof(uint16_t))) == NULL) |
546 | 0 | return 0; |
547 | | |
548 | 0 | for (i = 0; i < ngroups; i++) { |
549 | 0 | if (!tls1_ec_nid2group_id(groups[i], &group_ids[i])) { |
550 | 0 | free(group_ids); |
551 | 0 | return 0; |
552 | 0 | } |
553 | 0 | } |
554 | | |
555 | 0 | free(*out_group_ids); |
556 | 0 | *out_group_ids = group_ids; |
557 | 0 | *out_group_ids_len = ngroups; |
558 | |
|
559 | 0 | return 1; |
560 | 0 | } |
561 | | |
562 | | int |
563 | | tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len, |
564 | | const char *groups) |
565 | 0 | { |
566 | 0 | uint16_t *new_group_ids, *group_ids = NULL; |
567 | 0 | size_t ngroups = 0; |
568 | 0 | char *gs, *p, *q; |
569 | 0 | int nid; |
570 | |
|
571 | 0 | if ((gs = strdup(groups)) == NULL) |
572 | 0 | return 0; |
573 | | |
574 | 0 | q = gs; |
575 | 0 | while ((p = strsep(&q, ":")) != NULL) { |
576 | 0 | nid = OBJ_sn2nid(p); |
577 | 0 | if (nid == NID_undef) |
578 | 0 | nid = OBJ_ln2nid(p); |
579 | 0 | if (nid == NID_undef) |
580 | 0 | nid = EC_curve_nist2nid(p); |
581 | 0 | if (nid == NID_undef) |
582 | 0 | goto err; |
583 | | |
584 | 0 | if ((new_group_ids = reallocarray(group_ids, ngroups + 1, |
585 | 0 | sizeof(uint16_t))) == NULL) |
586 | 0 | goto err; |
587 | 0 | group_ids = new_group_ids; |
588 | |
|
589 | 0 | if (!tls1_ec_nid2group_id(nid, &group_ids[ngroups])) |
590 | 0 | goto err; |
591 | | |
592 | 0 | ngroups++; |
593 | 0 | } |
594 | | |
595 | 0 | free(gs); |
596 | 0 | free(*out_group_ids); |
597 | 0 | *out_group_ids = group_ids; |
598 | 0 | *out_group_ids_len = ngroups; |
599 | |
|
600 | 0 | return 1; |
601 | | |
602 | 0 | err: |
603 | 0 | free(gs); |
604 | 0 | free(group_ids); |
605 | |
|
606 | 0 | return 0; |
607 | 0 | } |
608 | | |
609 | | /* Check that a group is one of our preferences. */ |
610 | | int |
611 | | tls1_check_group(SSL *s, uint16_t group_id) |
612 | 1.10k | { |
613 | 1.10k | const uint16_t *groups; |
614 | 1.10k | size_t groupslen, i; |
615 | | |
616 | 1.10k | tls1_get_group_list(s, 0, &groups, &groupslen); |
617 | | |
618 | 2.83k | for (i = 0; i < groupslen; i++) { |
619 | 2.82k | if (!ssl_security_supported_group(s, groups[i])) |
620 | 0 | continue; |
621 | 2.82k | if (groups[i] == group_id) |
622 | 1.09k | return 1; |
623 | 2.82k | } |
624 | 10 | return 0; |
625 | 1.10k | } |
626 | | |
627 | | /* For an EC key set TLS ID and required compression based on parameters. */ |
628 | | static int |
629 | | tls1_set_ec_id(uint16_t *group_id, uint8_t *comp_id, EC_KEY *ec) |
630 | 6.00k | { |
631 | 6.00k | const EC_GROUP *group; |
632 | 6.00k | int nid; |
633 | | |
634 | 6.00k | if ((group = EC_KEY_get0_group(ec)) == NULL) |
635 | 0 | return 0; |
636 | | |
637 | | /* Determine group ID. */ |
638 | 6.00k | nid = EC_GROUP_get_curve_name(group); |
639 | 6.00k | if (!tls1_ec_nid2group_id(nid, group_id)) |
640 | 0 | return 0; |
641 | | |
642 | | /* Specify the compression identifier. */ |
643 | 6.00k | if (EC_KEY_get0_public_key(ec) == NULL) |
644 | 0 | return 0; |
645 | 6.00k | *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; |
646 | 6.00k | if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { |
647 | 0 | *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; |
648 | 0 | } |
649 | | |
650 | 6.00k | return 1; |
651 | 6.00k | } |
652 | | |
653 | | /* Check that an EC key is compatible with extensions. */ |
654 | | static int |
655 | | tls1_check_ec_key(SSL *s, const uint16_t group_id, const uint8_t comp_id) |
656 | 6.00k | { |
657 | 6.00k | size_t groupslen, formatslen, i; |
658 | 6.00k | const uint16_t *groups; |
659 | 6.00k | const uint8_t *formats; |
660 | | |
661 | | /* |
662 | | * Check point formats extension if present, otherwise everything |
663 | | * is supported (see RFC4492). |
664 | | */ |
665 | 6.00k | tls1_get_formatlist(s, 1, &formats, &formatslen); |
666 | 6.00k | if (formats != NULL) { |
667 | 886 | for (i = 0; i < formatslen; i++) { |
668 | 886 | if (formats[i] == comp_id) |
669 | 325 | break; |
670 | 886 | } |
671 | 325 | if (i == formatslen) |
672 | 0 | return 0; |
673 | 325 | } |
674 | | |
675 | | /* |
676 | | * Check group list if present, otherwise everything is supported. |
677 | | */ |
678 | 6.00k | tls1_get_group_list(s, 1, &groups, &groupslen); |
679 | 6.00k | if (groups != NULL) { |
680 | 5.07k | for (i = 0; i < groupslen; i++) { |
681 | 4.62k | if (groups[i] == group_id) |
682 | 312 | break; |
683 | 4.62k | } |
684 | 762 | if (i == groupslen) |
685 | 450 | return 0; |
686 | 762 | } |
687 | | |
688 | 5.55k | return 1; |
689 | 6.00k | } |
690 | | |
691 | | /* Check EC server key is compatible with client extensions. */ |
692 | | int |
693 | | tls1_check_ec_server_key(SSL *s) |
694 | 6.00k | { |
695 | 6.00k | SSL_CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; |
696 | 6.00k | uint16_t group_id; |
697 | 6.00k | uint8_t comp_id; |
698 | 6.00k | EC_KEY *eckey; |
699 | 6.00k | EVP_PKEY *pkey; |
700 | | |
701 | 6.00k | if (cpk->x509 == NULL || cpk->privatekey == NULL) |
702 | 0 | return 0; |
703 | 6.00k | if ((pkey = X509_get0_pubkey(cpk->x509)) == NULL) |
704 | 0 | return 0; |
705 | 6.00k | if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) |
706 | 0 | return 0; |
707 | 6.00k | if (!tls1_set_ec_id(&group_id, &comp_id, eckey)) |
708 | 0 | return 0; |
709 | | |
710 | 6.00k | return tls1_check_ec_key(s, group_id, comp_id); |
711 | 6.00k | } |
712 | | |
713 | | int |
714 | | ssl_check_clienthello_tlsext_early(SSL *s) |
715 | 1.89k | { |
716 | 1.89k | int ret = SSL_TLSEXT_ERR_NOACK; |
717 | 1.89k | int al = SSL_AD_UNRECOGNIZED_NAME; |
718 | | |
719 | | /* The handling of the ECPointFormats extension is done elsewhere, namely in |
720 | | * ssl3_choose_cipher in s3_lib.c. |
721 | | */ |
722 | | /* The handling of the EllipticCurves extension is done elsewhere, namely in |
723 | | * ssl3_choose_cipher in s3_lib.c. |
724 | | */ |
725 | | |
726 | 1.89k | if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) |
727 | 0 | ret = s->ctx->tlsext_servername_callback(s, &al, |
728 | 0 | s->ctx->tlsext_servername_arg); |
729 | 1.89k | else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) |
730 | 0 | ret = s->initial_ctx->tlsext_servername_callback(s, &al, |
731 | 0 | s->initial_ctx->tlsext_servername_arg); |
732 | | |
733 | 1.89k | switch (ret) { |
734 | 0 | case SSL_TLSEXT_ERR_ALERT_FATAL: |
735 | 0 | ssl3_send_alert(s, SSL3_AL_FATAL, al); |
736 | 0 | return -1; |
737 | 0 | case SSL_TLSEXT_ERR_ALERT_WARNING: |
738 | 0 | ssl3_send_alert(s, SSL3_AL_WARNING, al); |
739 | 0 | return 1; |
740 | 1.89k | case SSL_TLSEXT_ERR_NOACK: |
741 | 1.89k | default: |
742 | 1.89k | return 1; |
743 | 1.89k | } |
744 | 1.89k | } |
745 | | |
746 | | int |
747 | | ssl_check_clienthello_tlsext_late(SSL *s) |
748 | 1.69k | { |
749 | 1.69k | int ret = SSL_TLSEXT_ERR_OK; |
750 | 1.69k | int al = 0; /* XXX gcc3 */ |
751 | | |
752 | | /* If status request then ask callback what to do. |
753 | | * Note: this must be called after servername callbacks in case |
754 | | * the certificate has changed, and must be called after the cipher |
755 | | * has been chosen because this may influence which certificate is sent |
756 | | */ |
757 | 1.69k | if ((s->tlsext_status_type != -1) && |
758 | 1.69k | s->ctx && s->ctx->tlsext_status_cb) { |
759 | 0 | int r; |
760 | 0 | SSL_CERT_PKEY *certpkey; |
761 | 0 | certpkey = ssl_get_server_send_pkey(s); |
762 | | /* If no certificate can't return certificate status */ |
763 | 0 | if (certpkey == NULL) { |
764 | 0 | s->tlsext_status_expected = 0; |
765 | 0 | return 1; |
766 | 0 | } |
767 | | /* Set current certificate to one we will use so |
768 | | * SSL_get_certificate et al can pick it up. |
769 | | */ |
770 | 0 | s->cert->key = certpkey; |
771 | 0 | r = s->ctx->tlsext_status_cb(s, |
772 | 0 | s->ctx->tlsext_status_arg); |
773 | 0 | switch (r) { |
774 | | /* We don't want to send a status request response */ |
775 | 0 | case SSL_TLSEXT_ERR_NOACK: |
776 | 0 | s->tlsext_status_expected = 0; |
777 | 0 | break; |
778 | | /* status request response should be sent */ |
779 | 0 | case SSL_TLSEXT_ERR_OK: |
780 | 0 | if (s->tlsext_ocsp_resp) |
781 | 0 | s->tlsext_status_expected = 1; |
782 | 0 | else |
783 | 0 | s->tlsext_status_expected = 0; |
784 | 0 | break; |
785 | | /* something bad happened */ |
786 | 0 | case SSL_TLSEXT_ERR_ALERT_FATAL: |
787 | 0 | ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
788 | 0 | al = SSL_AD_INTERNAL_ERROR; |
789 | 0 | goto err; |
790 | 0 | } |
791 | 0 | } else |
792 | 1.69k | s->tlsext_status_expected = 0; |
793 | | |
794 | 1.69k | err: |
795 | 1.69k | switch (ret) { |
796 | 0 | case SSL_TLSEXT_ERR_ALERT_FATAL: |
797 | 0 | ssl3_send_alert(s, SSL3_AL_FATAL, al); |
798 | 0 | return -1; |
799 | 0 | case SSL_TLSEXT_ERR_ALERT_WARNING: |
800 | 0 | ssl3_send_alert(s, SSL3_AL_WARNING, al); |
801 | 0 | return 1; |
802 | 1.69k | default: |
803 | 1.69k | return 1; |
804 | 1.69k | } |
805 | 1.69k | } |
806 | | |
807 | | int |
808 | | ssl_check_serverhello_tlsext(SSL *s) |
809 | 4.84k | { |
810 | 4.84k | int ret = SSL_TLSEXT_ERR_NOACK; |
811 | 4.84k | int al = SSL_AD_UNRECOGNIZED_NAME; |
812 | | |
813 | 4.84k | ret = SSL_TLSEXT_ERR_OK; |
814 | | |
815 | 4.84k | if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) |
816 | 0 | ret = s->ctx->tlsext_servername_callback(s, &al, |
817 | 0 | s->ctx->tlsext_servername_arg); |
818 | 4.84k | else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) |
819 | 0 | ret = s->initial_ctx->tlsext_servername_callback(s, &al, |
820 | 0 | s->initial_ctx->tlsext_servername_arg); |
821 | | |
822 | | /* If we've requested certificate status and we wont get one |
823 | | * tell the callback |
824 | | */ |
825 | 4.84k | if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && |
826 | 4.84k | s->ctx && s->ctx->tlsext_status_cb) { |
827 | 0 | int r; |
828 | |
|
829 | 0 | free(s->tlsext_ocsp_resp); |
830 | 0 | s->tlsext_ocsp_resp = NULL; |
831 | 0 | s->tlsext_ocsp_resp_len = 0; |
832 | |
|
833 | 0 | r = s->ctx->tlsext_status_cb(s, |
834 | 0 | s->ctx->tlsext_status_arg); |
835 | 0 | if (r == 0) { |
836 | 0 | al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; |
837 | 0 | ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
838 | 0 | } |
839 | 0 | if (r < 0) { |
840 | 0 | al = SSL_AD_INTERNAL_ERROR; |
841 | 0 | ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
842 | 0 | } |
843 | 0 | } |
844 | | |
845 | 4.84k | switch (ret) { |
846 | 0 | case SSL_TLSEXT_ERR_ALERT_FATAL: |
847 | 0 | ssl3_send_alert(s, SSL3_AL_FATAL, al); |
848 | 0 | return -1; |
849 | 0 | case SSL_TLSEXT_ERR_ALERT_WARNING: |
850 | 0 | ssl3_send_alert(s, SSL3_AL_WARNING, al); |
851 | 0 | return 1; |
852 | 0 | case SSL_TLSEXT_ERR_NOACK: |
853 | 4.84k | default: |
854 | 4.84k | return 1; |
855 | 4.84k | } |
856 | 4.84k | } |
857 | | |
858 | | /* Since the server cache lookup is done early on in the processing of the |
859 | | * ClientHello, and other operations depend on the result, we need to handle |
860 | | * any TLS session ticket extension at the same time. |
861 | | * |
862 | | * ext_block: a CBS for the ClientHello extensions block. |
863 | | * ret: (output) on return, if a ticket was decrypted, then this is set to |
864 | | * point to the resulting session. |
865 | | * |
866 | | * If s->tls_session_secret_cb is set then we are expecting a pre-shared key |
867 | | * ciphersuite, in which case we have no use for session tickets and one will |
868 | | * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. |
869 | | * |
870 | | * Returns: |
871 | | * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket. |
872 | | * TLS1_TICKET_NONE: no ticket was found (or was ignored, based on settings). |
873 | | * TLS1_TICKET_EMPTY: a zero length extension was found, indicating that the |
874 | | * client supports session tickets but doesn't currently have one to offer. |
875 | | * TLS1_TICKET_NOT_DECRYPTED: either s->tls_session_secret_cb was |
876 | | * set, or a ticket was offered but couldn't be decrypted because of a |
877 | | * non-fatal error. |
878 | | * TLS1_TICKET_DECRYPTED: a ticket was successfully decrypted and *ret was set. |
879 | | * |
880 | | * Side effects: |
881 | | * Sets s->tlsext_ticket_expected to 1 if the server will have to issue |
882 | | * a new session ticket to the client because the client indicated support |
883 | | * (and s->tls_session_secret_cb is NULL) but the client either doesn't have |
884 | | * a session ticket or we couldn't use the one it gave us, or if |
885 | | * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. |
886 | | * Otherwise, s->tlsext_ticket_expected is set to 0. |
887 | | */ |
888 | | int |
889 | | tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret) |
890 | 3.01k | { |
891 | 3.01k | CBS extensions, ext_data; |
892 | 3.01k | uint16_t ext_type = 0; |
893 | | |
894 | 3.01k | s->tlsext_ticket_expected = 0; |
895 | 3.01k | *ret = NULL; |
896 | | |
897 | | /* |
898 | | * If tickets disabled behave as if no ticket present to permit stateful |
899 | | * resumption. |
900 | | */ |
901 | 3.01k | if (SSL_get_options(s) & SSL_OP_NO_TICKET) |
902 | 0 | return TLS1_TICKET_NONE; |
903 | | |
904 | | /* |
905 | | * An empty extensions block is valid, but obviously does not contain |
906 | | * a session ticket. |
907 | | */ |
908 | 3.01k | if (CBS_len(ext_block) == 0) |
909 | 352 | return TLS1_TICKET_NONE; |
910 | | |
911 | 2.66k | if (!CBS_get_u16_length_prefixed(ext_block, &extensions)) { |
912 | 32 | *alert = SSL_AD_DECODE_ERROR; |
913 | 32 | return TLS1_TICKET_FATAL_ERROR; |
914 | 32 | } |
915 | | |
916 | 7.72k | while (CBS_len(&extensions) > 0) { |
917 | 5.20k | if (!CBS_get_u16(&extensions, &ext_type) || |
918 | 5.20k | !CBS_get_u16_length_prefixed(&extensions, &ext_data)) { |
919 | 18 | *alert = SSL_AD_DECODE_ERROR; |
920 | 18 | return TLS1_TICKET_FATAL_ERROR; |
921 | 18 | } |
922 | | |
923 | 5.18k | if (ext_type == TLSEXT_TYPE_session_ticket) |
924 | 90 | break; |
925 | 5.18k | } |
926 | | |
927 | 2.61k | if (ext_type != TLSEXT_TYPE_session_ticket) |
928 | 2.52k | return TLS1_TICKET_NONE; |
929 | | |
930 | 90 | if (CBS_len(&ext_data) == 0) { |
931 | | /* |
932 | | * The client will accept a ticket but does not currently |
933 | | * have one. |
934 | | */ |
935 | 40 | s->tlsext_ticket_expected = 1; |
936 | 40 | return TLS1_TICKET_EMPTY; |
937 | 40 | } |
938 | | |
939 | 50 | if (s->tls_session_secret_cb != NULL) { |
940 | | /* |
941 | | * Indicate that the ticket could not be decrypted rather than |
942 | | * generating the session from ticket now, trigger abbreviated |
943 | | * handshake based on external mechanism to calculate the master |
944 | | * secret later. |
945 | | */ |
946 | 0 | return TLS1_TICKET_NOT_DECRYPTED; |
947 | 0 | } |
948 | | |
949 | 50 | return tls_decrypt_ticket(s, &ext_data, alert, ret); |
950 | 50 | } |
951 | | |
952 | | /* tls_decrypt_ticket attempts to decrypt a session ticket. |
953 | | * |
954 | | * ticket: a CBS containing the body of the session ticket extension. |
955 | | * psess: (output) on return, if a ticket was decrypted, then this is set to |
956 | | * point to the resulting session. |
957 | | * |
958 | | * Returns: |
959 | | * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket. |
960 | | * TLS1_TICKET_NOT_DECRYPTED: the ticket couldn't be decrypted. |
961 | | * TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set. |
962 | | */ |
963 | | static int |
964 | | tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) |
965 | 50 | { |
966 | 50 | CBS ticket_name, ticket_iv, ticket_encdata, ticket_hmac; |
967 | 50 | SSL_SESSION *sess = NULL; |
968 | 50 | unsigned char *sdec = NULL; |
969 | 50 | size_t sdec_len = 0; |
970 | 50 | const unsigned char *p; |
971 | 50 | unsigned char hmac[EVP_MAX_MD_SIZE]; |
972 | 50 | HMAC_CTX *hctx = NULL; |
973 | 50 | EVP_CIPHER_CTX *cctx = NULL; |
974 | 50 | SSL_CTX *tctx = s->initial_ctx; |
975 | 50 | int slen, hlen, iv_len; |
976 | 50 | int alert_desc = SSL_AD_INTERNAL_ERROR; |
977 | 50 | int ret = TLS1_TICKET_FATAL_ERROR; |
978 | | |
979 | 50 | *psess = NULL; |
980 | | |
981 | 50 | if (!CBS_get_bytes(ticket, &ticket_name, 16)) |
982 | 45 | goto derr; |
983 | | |
984 | | /* |
985 | | * Initialize session ticket encryption and HMAC contexts. |
986 | | */ |
987 | 5 | if ((cctx = EVP_CIPHER_CTX_new()) == NULL) |
988 | 0 | goto err; |
989 | 5 | if ((hctx = HMAC_CTX_new()) == NULL) |
990 | 0 | goto err; |
991 | | |
992 | 5 | if (tctx->tlsext_ticket_key_cb != NULL) { |
993 | 0 | int rv; |
994 | | |
995 | | /* |
996 | | * The API guarantees EVP_MAX_IV_LENGTH bytes of space for |
997 | | * the iv to tlsext_ticket_key_cb(). Since the total space |
998 | | * required for a session cookie is never less than this, |
999 | | * this check isn't too strict. The exact check comes later. |
1000 | | */ |
1001 | 0 | if (CBS_len(ticket) < EVP_MAX_IV_LENGTH) |
1002 | 0 | goto derr; |
1003 | | |
1004 | 0 | if ((rv = tctx->tlsext_ticket_key_cb(s, |
1005 | 0 | (unsigned char *)CBS_data(&ticket_name), |
1006 | 0 | (unsigned char *)CBS_data(ticket), cctx, hctx, 0)) < 0) |
1007 | 0 | goto err; |
1008 | 0 | if (rv == 0) |
1009 | 0 | goto derr; |
1010 | 0 | if (rv == 2) { |
1011 | | /* Renew ticket. */ |
1012 | 0 | s->tlsext_ticket_expected = 1; |
1013 | 0 | } |
1014 | |
|
1015 | 0 | if ((iv_len = EVP_CIPHER_CTX_iv_length(cctx)) < 0) |
1016 | 0 | goto err; |
1017 | | /* |
1018 | | * Now that the cipher context is initialised, we can extract |
1019 | | * the IV since its length is known. |
1020 | | */ |
1021 | 0 | if (!CBS_get_bytes(ticket, &ticket_iv, iv_len)) |
1022 | 0 | goto derr; |
1023 | 5 | } else { |
1024 | | /* Check that the key name matches. */ |
1025 | 5 | if (!CBS_mem_equal(&ticket_name, |
1026 | 5 | tctx->tlsext_tick_key_name, |
1027 | 5 | sizeof(tctx->tlsext_tick_key_name))) |
1028 | 5 | goto derr; |
1029 | 0 | if ((iv_len = EVP_CIPHER_iv_length(EVP_aes_128_cbc())) < 0) |
1030 | 0 | goto err; |
1031 | 0 | if (!CBS_get_bytes(ticket, &ticket_iv, iv_len)) |
1032 | 0 | goto derr; |
1033 | 0 | if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL, |
1034 | 0 | tctx->tlsext_tick_aes_key, CBS_data(&ticket_iv))) |
1035 | 0 | goto err; |
1036 | 0 | if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, |
1037 | 0 | sizeof(tctx->tlsext_tick_hmac_key), EVP_sha256(), |
1038 | 0 | NULL)) |
1039 | 0 | goto err; |
1040 | 0 | } |
1041 | | |
1042 | | /* |
1043 | | * Attempt to process session ticket. |
1044 | | */ |
1045 | | |
1046 | 0 | if ((hlen = HMAC_size(hctx)) < 0) |
1047 | 0 | goto err; |
1048 | | |
1049 | 0 | if (hlen > CBS_len(ticket)) |
1050 | 0 | goto derr; |
1051 | 0 | if (!CBS_get_bytes(ticket, &ticket_encdata, CBS_len(ticket) - hlen)) |
1052 | 0 | goto derr; |
1053 | 0 | if (!CBS_get_bytes(ticket, &ticket_hmac, hlen)) |
1054 | 0 | goto derr; |
1055 | 0 | if (CBS_len(ticket) != 0) { |
1056 | 0 | alert_desc = SSL_AD_DECODE_ERROR; |
1057 | 0 | goto err; |
1058 | 0 | } |
1059 | | |
1060 | | /* Check HMAC of encrypted ticket. */ |
1061 | 0 | if (HMAC_Update(hctx, CBS_data(&ticket_name), |
1062 | 0 | CBS_len(&ticket_name)) <= 0) |
1063 | 0 | goto err; |
1064 | 0 | if (HMAC_Update(hctx, CBS_data(&ticket_iv), |
1065 | 0 | CBS_len(&ticket_iv)) <= 0) |
1066 | 0 | goto err; |
1067 | 0 | if (HMAC_Update(hctx, CBS_data(&ticket_encdata), |
1068 | 0 | CBS_len(&ticket_encdata)) <= 0) |
1069 | 0 | goto err; |
1070 | 0 | if (HMAC_Final(hctx, hmac, &hlen) <= 0) |
1071 | 0 | goto err; |
1072 | | |
1073 | 0 | if (!CBS_mem_equal(&ticket_hmac, hmac, hlen)) |
1074 | 0 | goto derr; |
1075 | | |
1076 | | /* Attempt to decrypt session data. */ |
1077 | 0 | sdec_len = CBS_len(&ticket_encdata); |
1078 | 0 | if ((sdec = calloc(1, sdec_len)) == NULL) |
1079 | 0 | goto err; |
1080 | 0 | if (EVP_DecryptUpdate(cctx, sdec, &slen, CBS_data(&ticket_encdata), |
1081 | 0 | CBS_len(&ticket_encdata)) <= 0) |
1082 | 0 | goto derr; |
1083 | 0 | if (EVP_DecryptFinal_ex(cctx, sdec + slen, &hlen) <= 0) |
1084 | 0 | goto derr; |
1085 | | |
1086 | 0 | slen += hlen; |
1087 | | |
1088 | | /* |
1089 | | * For session parse failures, indicate that we need to send a new |
1090 | | * ticket. |
1091 | | */ |
1092 | 0 | p = sdec; |
1093 | 0 | if ((sess = d2i_SSL_SESSION(NULL, &p, slen)) == NULL) |
1094 | 0 | goto derr; |
1095 | 0 | *psess = sess; |
1096 | 0 | sess = NULL; |
1097 | |
|
1098 | 0 | ret = TLS1_TICKET_DECRYPTED; |
1099 | 0 | goto done; |
1100 | | |
1101 | 50 | derr: |
1102 | 50 | ERR_clear_error(); |
1103 | 50 | s->tlsext_ticket_expected = 1; |
1104 | 50 | ret = TLS1_TICKET_NOT_DECRYPTED; |
1105 | 50 | goto done; |
1106 | | |
1107 | 0 | err: |
1108 | 0 | *alert = alert_desc; |
1109 | 0 | ret = TLS1_TICKET_FATAL_ERROR; |
1110 | 0 | goto done; |
1111 | | |
1112 | 50 | done: |
1113 | 50 | freezero(sdec, sdec_len); |
1114 | 50 | EVP_CIPHER_CTX_free(cctx); |
1115 | 50 | HMAC_CTX_free(hctx); |
1116 | 50 | SSL_SESSION_free(sess); |
1117 | | |
1118 | 50 | return ret; |
1119 | 0 | } |