2
0

t1_lib.c 52 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853
  1. /* ssl/t1_lib.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. #include <stdio.h>
  112. #include <openssl/objects.h>
  113. #include <openssl/evp.h>
  114. #include <openssl/hmac.h>
  115. #include <openssl/ocsp.h>
  116. #include "ssl_locl.h"
  117. const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
  118. #ifndef OPENSSL_NO_TLSEXT
  119. static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
  120. const unsigned char *sess_id, int sesslen,
  121. SSL_SESSION **psess);
  122. #endif
  123. SSL3_ENC_METHOD TLSv1_enc_data={
  124. tls1_enc,
  125. tls1_mac,
  126. tls1_setup_key_block,
  127. tls1_generate_master_secret,
  128. tls1_change_cipher_state,
  129. tls1_final_finish_mac,
  130. TLS1_FINISH_MAC_LENGTH,
  131. tls1_cert_verify_mac,
  132. TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
  133. TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
  134. tls1_alert_code,
  135. };
  136. long tls1_default_timeout(void)
  137. {
  138. /* 2 hours, the 24 hours mentioned in the TLSv1 spec
  139. * is way too long for http, the cache would over fill */
  140. return(60*60*2);
  141. }
  142. int tls1_new(SSL *s)
  143. {
  144. if (!ssl3_new(s)) return(0);
  145. s->method->ssl_clear(s);
  146. return(1);
  147. }
  148. void tls1_free(SSL *s)
  149. {
  150. #ifndef OPENSSL_NO_TLSEXT
  151. if (s->tlsext_session_ticket)
  152. {
  153. OPENSSL_free(s->tlsext_session_ticket);
  154. }
  155. #endif /* OPENSSL_NO_TLSEXT */
  156. ssl3_free(s);
  157. }
  158. void tls1_clear(SSL *s)
  159. {
  160. ssl3_clear(s);
  161. s->version = s->method->version;
  162. }
  163. #ifndef OPENSSL_NO_EC
  164. static int nid_list[] =
  165. {
  166. NID_sect163k1, /* sect163k1 (1) */
  167. NID_sect163r1, /* sect163r1 (2) */
  168. NID_sect163r2, /* sect163r2 (3) */
  169. NID_sect193r1, /* sect193r1 (4) */
  170. NID_sect193r2, /* sect193r2 (5) */
  171. NID_sect233k1, /* sect233k1 (6) */
  172. NID_sect233r1, /* sect233r1 (7) */
  173. NID_sect239k1, /* sect239k1 (8) */
  174. NID_sect283k1, /* sect283k1 (9) */
  175. NID_sect283r1, /* sect283r1 (10) */
  176. NID_sect409k1, /* sect409k1 (11) */
  177. NID_sect409r1, /* sect409r1 (12) */
  178. NID_sect571k1, /* sect571k1 (13) */
  179. NID_sect571r1, /* sect571r1 (14) */
  180. NID_secp160k1, /* secp160k1 (15) */
  181. NID_secp160r1, /* secp160r1 (16) */
  182. NID_secp160r2, /* secp160r2 (17) */
  183. NID_secp192k1, /* secp192k1 (18) */
  184. NID_X9_62_prime192v1, /* secp192r1 (19) */
  185. NID_secp224k1, /* secp224k1 (20) */
  186. NID_secp224r1, /* secp224r1 (21) */
  187. NID_secp256k1, /* secp256k1 (22) */
  188. NID_X9_62_prime256v1, /* secp256r1 (23) */
  189. NID_secp384r1, /* secp384r1 (24) */
  190. NID_secp521r1 /* secp521r1 (25) */
  191. };
  192. int tls1_ec_curve_id2nid(int curve_id)
  193. {
  194. /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
  195. if ((curve_id < 1) || ((unsigned int)curve_id >
  196. sizeof(nid_list)/sizeof(nid_list[0])))
  197. return 0;
  198. return nid_list[curve_id-1];
  199. }
  200. int tls1_ec_nid2curve_id(int nid)
  201. {
  202. /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
  203. switch (nid)
  204. {
  205. case NID_sect163k1: /* sect163k1 (1) */
  206. return 1;
  207. case NID_sect163r1: /* sect163r1 (2) */
  208. return 2;
  209. case NID_sect163r2: /* sect163r2 (3) */
  210. return 3;
  211. case NID_sect193r1: /* sect193r1 (4) */
  212. return 4;
  213. case NID_sect193r2: /* sect193r2 (5) */
  214. return 5;
  215. case NID_sect233k1: /* sect233k1 (6) */
  216. return 6;
  217. case NID_sect233r1: /* sect233r1 (7) */
  218. return 7;
  219. case NID_sect239k1: /* sect239k1 (8) */
  220. return 8;
  221. case NID_sect283k1: /* sect283k1 (9) */
  222. return 9;
  223. case NID_sect283r1: /* sect283r1 (10) */
  224. return 10;
  225. case NID_sect409k1: /* sect409k1 (11) */
  226. return 11;
  227. case NID_sect409r1: /* sect409r1 (12) */
  228. return 12;
  229. case NID_sect571k1: /* sect571k1 (13) */
  230. return 13;
  231. case NID_sect571r1: /* sect571r1 (14) */
  232. return 14;
  233. case NID_secp160k1: /* secp160k1 (15) */
  234. return 15;
  235. case NID_secp160r1: /* secp160r1 (16) */
  236. return 16;
  237. case NID_secp160r2: /* secp160r2 (17) */
  238. return 17;
  239. case NID_secp192k1: /* secp192k1 (18) */
  240. return 18;
  241. case NID_X9_62_prime192v1: /* secp192r1 (19) */
  242. return 19;
  243. case NID_secp224k1: /* secp224k1 (20) */
  244. return 20;
  245. case NID_secp224r1: /* secp224r1 (21) */
  246. return 21;
  247. case NID_secp256k1: /* secp256k1 (22) */
  248. return 22;
  249. case NID_X9_62_prime256v1: /* secp256r1 (23) */
  250. return 23;
  251. case NID_secp384r1: /* secp384r1 (24) */
  252. return 24;
  253. case NID_secp521r1: /* secp521r1 (25) */
  254. return 25;
  255. default:
  256. return 0;
  257. }
  258. }
  259. #endif /* OPENSSL_NO_EC */
  260. #ifndef OPENSSL_NO_TLSEXT
  261. unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
  262. {
  263. int extdatalen=0;
  264. unsigned char *ret = p;
  265. /* don't add extensions for SSLv3 unless doing secure renegotiation */
  266. if (s->client_version == SSL3_VERSION
  267. && !s->s3->send_connection_binding)
  268. return p;
  269. ret+=2;
  270. if (ret>=limit) return NULL; /* this really never occurs, but ... */
  271. if (s->tlsext_hostname != NULL)
  272. {
  273. /* Add TLS extension servername to the Client Hello message */
  274. unsigned long size_str;
  275. long lenmax;
  276. /* check for enough space.
  277. 4 for the servername type and entension length
  278. 2 for servernamelist length
  279. 1 for the hostname type
  280. 2 for hostname length
  281. + hostname length
  282. */
  283. if ((lenmax = limit - ret - 9) < 0
  284. || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
  285. return NULL;
  286. /* extension type and length */
  287. s2n(TLSEXT_TYPE_server_name,ret);
  288. s2n(size_str+5,ret);
  289. /* length of servername list */
  290. s2n(size_str+3,ret);
  291. /* hostname type, length and hostname */
  292. *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
  293. s2n(size_str,ret);
  294. memcpy(ret, s->tlsext_hostname, size_str);
  295. ret+=size_str;
  296. }
  297. /* Add RI if renegotiating */
  298. if (s->renegotiate)
  299. {
  300. int el;
  301. if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
  302. {
  303. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  304. return NULL;
  305. }
  306. if((limit - p - 4 - el) < 0) return NULL;
  307. s2n(TLSEXT_TYPE_renegotiate,ret);
  308. s2n(el,ret);
  309. if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
  310. {
  311. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  312. return NULL;
  313. }
  314. ret += el;
  315. }
  316. #ifndef OPENSSL_NO_EC
  317. if (s->tlsext_ecpointformatlist != NULL &&
  318. s->version != DTLS1_VERSION)
  319. {
  320. /* Add TLS extension ECPointFormats to the ClientHello message */
  321. long lenmax;
  322. if ((lenmax = limit - ret - 5) < 0) return NULL;
  323. if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
  324. if (s->tlsext_ecpointformatlist_length > 255)
  325. {
  326. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  327. return NULL;
  328. }
  329. s2n(TLSEXT_TYPE_ec_point_formats,ret);
  330. s2n(s->tlsext_ecpointformatlist_length + 1,ret);
  331. *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
  332. memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
  333. ret+=s->tlsext_ecpointformatlist_length;
  334. }
  335. if (s->tlsext_ellipticcurvelist != NULL &&
  336. s->version != DTLS1_VERSION)
  337. {
  338. /* Add TLS extension EllipticCurves to the ClientHello message */
  339. long lenmax;
  340. if ((lenmax = limit - ret - 6) < 0) return NULL;
  341. if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
  342. if (s->tlsext_ellipticcurvelist_length > 65532)
  343. {
  344. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  345. return NULL;
  346. }
  347. s2n(TLSEXT_TYPE_elliptic_curves,ret);
  348. s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
  349. /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
  350. * elliptic_curve_list, but the examples use two bytes.
  351. * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
  352. * resolves this to two bytes.
  353. */
  354. s2n(s->tlsext_ellipticcurvelist_length, ret);
  355. memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
  356. ret+=s->tlsext_ellipticcurvelist_length;
  357. }
  358. #endif /* OPENSSL_NO_EC */
  359. if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
  360. {
  361. int ticklen;
  362. if (!s->new_session && s->session && s->session->tlsext_tick)
  363. ticklen = s->session->tlsext_ticklen;
  364. else if (s->session && s->tlsext_session_ticket &&
  365. s->tlsext_session_ticket->data)
  366. {
  367. ticklen = s->tlsext_session_ticket->length;
  368. s->session->tlsext_tick = OPENSSL_malloc(ticklen);
  369. if (!s->session->tlsext_tick)
  370. return NULL;
  371. memcpy(s->session->tlsext_tick,
  372. s->tlsext_session_ticket->data,
  373. ticklen);
  374. s->session->tlsext_ticklen = ticklen;
  375. }
  376. else
  377. ticklen = 0;
  378. if (ticklen == 0 && s->tlsext_session_ticket &&
  379. s->tlsext_session_ticket->data == NULL)
  380. goto skip_ext;
  381. /* Check for enough room 2 for extension type, 2 for len
  382. * rest for ticket
  383. */
  384. if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
  385. s2n(TLSEXT_TYPE_session_ticket,ret);
  386. s2n(ticklen,ret);
  387. if (ticklen)
  388. {
  389. memcpy(ret, s->session->tlsext_tick, ticklen);
  390. ret += ticklen;
  391. }
  392. }
  393. skip_ext:
  394. #ifdef TLSEXT_TYPE_opaque_prf_input
  395. if (s->s3->client_opaque_prf_input != NULL &&
  396. s->version != DTLS1_VERSION)
  397. {
  398. size_t col = s->s3->client_opaque_prf_input_len;
  399. if ((long)(limit - ret - 6 - col < 0))
  400. return NULL;
  401. if (col > 0xFFFD) /* can't happen */
  402. return NULL;
  403. s2n(TLSEXT_TYPE_opaque_prf_input, ret);
  404. s2n(col + 2, ret);
  405. s2n(col, ret);
  406. memcpy(ret, s->s3->client_opaque_prf_input, col);
  407. ret += col;
  408. }
  409. #endif
  410. if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
  411. s->version != DTLS1_VERSION)
  412. {
  413. int i;
  414. long extlen, idlen, itmp;
  415. OCSP_RESPID *id;
  416. idlen = 0;
  417. for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
  418. {
  419. id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
  420. itmp = i2d_OCSP_RESPID(id, NULL);
  421. if (itmp <= 0)
  422. return NULL;
  423. idlen += itmp + 2;
  424. }
  425. if (s->tlsext_ocsp_exts)
  426. {
  427. extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
  428. if (extlen < 0)
  429. return NULL;
  430. }
  431. else
  432. extlen = 0;
  433. if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
  434. s2n(TLSEXT_TYPE_status_request, ret);
  435. if (extlen + idlen > 0xFFF0)
  436. return NULL;
  437. s2n(extlen + idlen + 5, ret);
  438. *(ret++) = TLSEXT_STATUSTYPE_ocsp;
  439. s2n(idlen, ret);
  440. for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
  441. {
  442. /* save position of id len */
  443. unsigned char *q = ret;
  444. id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
  445. /* skip over id len */
  446. ret += 2;
  447. itmp = i2d_OCSP_RESPID(id, &ret);
  448. /* write id len */
  449. s2n(itmp, q);
  450. }
  451. s2n(extlen, ret);
  452. if (extlen > 0)
  453. i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
  454. }
  455. #ifndef OPENSSL_NO_NEXTPROTONEG
  456. if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
  457. {
  458. /* The client advertises an emtpy extension to indicate its
  459. * support for Next Protocol Negotiation */
  460. if (limit - ret - 4 < 0)
  461. return NULL;
  462. s2n(TLSEXT_TYPE_next_proto_neg,ret);
  463. s2n(0,ret);
  464. }
  465. #endif
  466. if ((extdatalen = ret-p-2)== 0)
  467. return p;
  468. s2n(extdatalen,p);
  469. return ret;
  470. }
  471. unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
  472. {
  473. int extdatalen=0;
  474. unsigned char *ret = p;
  475. #ifndef OPENSSL_NO_NEXTPROTONEG
  476. int next_proto_neg_seen;
  477. #endif
  478. /* don't add extensions for SSLv3, unless doing secure renegotiation */
  479. if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
  480. return p;
  481. ret+=2;
  482. if (ret>=limit) return NULL; /* this really never occurs, but ... */
  483. if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
  484. {
  485. if ((long)(limit - ret - 4) < 0) return NULL;
  486. s2n(TLSEXT_TYPE_server_name,ret);
  487. s2n(0,ret);
  488. }
  489. if(s->s3->send_connection_binding)
  490. {
  491. int el;
  492. if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
  493. {
  494. SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  495. return NULL;
  496. }
  497. if((limit - p - 4 - el) < 0) return NULL;
  498. s2n(TLSEXT_TYPE_renegotiate,ret);
  499. s2n(el,ret);
  500. if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
  501. {
  502. SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  503. return NULL;
  504. }
  505. ret += el;
  506. }
  507. #ifndef OPENSSL_NO_EC
  508. if (s->tlsext_ecpointformatlist != NULL &&
  509. s->version != DTLS1_VERSION)
  510. {
  511. /* Add TLS extension ECPointFormats to the ServerHello message */
  512. long lenmax;
  513. if ((lenmax = limit - ret - 5) < 0) return NULL;
  514. if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
  515. if (s->tlsext_ecpointformatlist_length > 255)
  516. {
  517. SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  518. return NULL;
  519. }
  520. s2n(TLSEXT_TYPE_ec_point_formats,ret);
  521. s2n(s->tlsext_ecpointformatlist_length + 1,ret);
  522. *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
  523. memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
  524. ret+=s->tlsext_ecpointformatlist_length;
  525. }
  526. /* Currently the server should not respond with a SupportedCurves extension */
  527. #endif /* OPENSSL_NO_EC */
  528. if (s->tlsext_ticket_expected
  529. && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
  530. {
  531. if ((long)(limit - ret - 4) < 0) return NULL;
  532. s2n(TLSEXT_TYPE_session_ticket,ret);
  533. s2n(0,ret);
  534. }
  535. if (s->tlsext_status_expected)
  536. {
  537. if ((long)(limit - ret - 4) < 0) return NULL;
  538. s2n(TLSEXT_TYPE_status_request,ret);
  539. s2n(0,ret);
  540. }
  541. #ifdef TLSEXT_TYPE_opaque_prf_input
  542. if (s->s3->server_opaque_prf_input != NULL &&
  543. s->version != DTLS1_VERSION)
  544. {
  545. size_t sol = s->s3->server_opaque_prf_input_len;
  546. if ((long)(limit - ret - 6 - sol) < 0)
  547. return NULL;
  548. if (sol > 0xFFFD) /* can't happen */
  549. return NULL;
  550. s2n(TLSEXT_TYPE_opaque_prf_input, ret);
  551. s2n(sol + 2, ret);
  552. s2n(sol, ret);
  553. memcpy(ret, s->s3->server_opaque_prf_input, sol);
  554. ret += sol;
  555. }
  556. #endif
  557. if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
  558. && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
  559. { const unsigned char cryptopro_ext[36] = {
  560. 0xfd, 0xe8, /*65000*/
  561. 0x00, 0x20, /*32 bytes length*/
  562. 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
  563. 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
  564. 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
  565. 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
  566. if (limit-ret<36) return NULL;
  567. memcpy(ret,cryptopro_ext,36);
  568. ret+=36;
  569. }
  570. #ifndef OPENSSL_NO_NEXTPROTONEG
  571. next_proto_neg_seen = s->s3->next_proto_neg_seen;
  572. s->s3->next_proto_neg_seen = 0;
  573. if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
  574. {
  575. const unsigned char *npa;
  576. unsigned int npalen;
  577. int r;
  578. r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
  579. if (r == SSL_TLSEXT_ERR_OK)
  580. {
  581. if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
  582. s2n(TLSEXT_TYPE_next_proto_neg,ret);
  583. s2n(npalen,ret);
  584. memcpy(ret, npa, npalen);
  585. ret += npalen;
  586. s->s3->next_proto_neg_seen = 1;
  587. }
  588. }
  589. #endif
  590. if ((extdatalen = ret-p-2)== 0)
  591. return p;
  592. s2n(extdatalen,p);
  593. return ret;
  594. }
  595. int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
  596. {
  597. unsigned short type;
  598. unsigned short size;
  599. unsigned short len;
  600. unsigned char *data = *p;
  601. int renegotiate_seen = 0;
  602. s->servername_done = 0;
  603. s->tlsext_status_type = -1;
  604. if (data >= (d+n-2))
  605. goto ri_check;
  606. n2s(data,len);
  607. if (data > (d+n-len))
  608. goto ri_check;
  609. while (data <= (d+n-4))
  610. {
  611. n2s(data,type);
  612. n2s(data,size);
  613. if (data+size > (d+n))
  614. goto ri_check;
  615. #if 0
  616. fprintf(stderr,"Received extension type %d size %d\n",type,size);
  617. #endif
  618. if (s->tlsext_debug_cb)
  619. s->tlsext_debug_cb(s, 0, type, data, size,
  620. s->tlsext_debug_arg);
  621. /* The servername extension is treated as follows:
  622. - Only the hostname type is supported with a maximum length of 255.
  623. - The servername is rejected if too long or if it contains zeros,
  624. in which case an fatal alert is generated.
  625. - The servername field is maintained together with the session cache.
  626. - When a session is resumed, the servername call back invoked in order
  627. to allow the application to position itself to the right context.
  628. - The servername is acknowledged if it is new for a session or when
  629. it is identical to a previously used for the same session.
  630. Applications can control the behaviour. They can at any time
  631. set a 'desirable' servername for a new SSL object. This can be the
  632. case for example with HTTPS when a Host: header field is received and
  633. a renegotiation is requested. In this case, a possible servername
  634. presented in the new client hello is only acknowledged if it matches
  635. the value of the Host: field.
  636. - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  637. if they provide for changing an explicit servername context for the session,
  638. i.e. when the session has been established with a servername extension.
  639. - On session reconnect, the servername extension may be absent.
  640. */
  641. if (type == TLSEXT_TYPE_server_name)
  642. {
  643. unsigned char *sdata;
  644. int servname_type;
  645. int dsize;
  646. if (size < 2)
  647. {
  648. *al = SSL_AD_DECODE_ERROR;
  649. return 0;
  650. }
  651. n2s(data,dsize);
  652. size -= 2;
  653. if (dsize > size )
  654. {
  655. *al = SSL_AD_DECODE_ERROR;
  656. return 0;
  657. }
  658. sdata = data;
  659. while (dsize > 3)
  660. {
  661. servname_type = *(sdata++);
  662. n2s(sdata,len);
  663. dsize -= 3;
  664. if (len > dsize)
  665. {
  666. *al = SSL_AD_DECODE_ERROR;
  667. return 0;
  668. }
  669. if (s->servername_done == 0)
  670. switch (servname_type)
  671. {
  672. case TLSEXT_NAMETYPE_host_name:
  673. if (!s->hit)
  674. {
  675. if(s->session->tlsext_hostname)
  676. {
  677. *al = SSL_AD_DECODE_ERROR;
  678. return 0;
  679. }
  680. if (len > TLSEXT_MAXLEN_host_name)
  681. {
  682. *al = TLS1_AD_UNRECOGNIZED_NAME;
  683. return 0;
  684. }
  685. if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
  686. {
  687. *al = TLS1_AD_INTERNAL_ERROR;
  688. return 0;
  689. }
  690. memcpy(s->session->tlsext_hostname, sdata, len);
  691. s->session->tlsext_hostname[len]='\0';
  692. if (strlen(s->session->tlsext_hostname) != len) {
  693. OPENSSL_free(s->session->tlsext_hostname);
  694. s->session->tlsext_hostname = NULL;
  695. *al = TLS1_AD_UNRECOGNIZED_NAME;
  696. return 0;
  697. }
  698. s->servername_done = 1;
  699. }
  700. else
  701. s->servername_done = s->session->tlsext_hostname
  702. && strlen(s->session->tlsext_hostname) == len
  703. && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
  704. break;
  705. default:
  706. break;
  707. }
  708. dsize -= len;
  709. }
  710. if (dsize != 0)
  711. {
  712. *al = SSL_AD_DECODE_ERROR;
  713. return 0;
  714. }
  715. }
  716. #ifndef OPENSSL_NO_EC
  717. else if (type == TLSEXT_TYPE_ec_point_formats &&
  718. s->version != DTLS1_VERSION)
  719. {
  720. unsigned char *sdata = data;
  721. int ecpointformatlist_length = *(sdata++);
  722. if (ecpointformatlist_length != size - 1)
  723. {
  724. *al = TLS1_AD_DECODE_ERROR;
  725. return 0;
  726. }
  727. if (!s->hit)
  728. {
  729. if(s->session->tlsext_ecpointformatlist)
  730. {
  731. OPENSSL_free(s->session->tlsext_ecpointformatlist);
  732. s->session->tlsext_ecpointformatlist = NULL;
  733. }
  734. s->session->tlsext_ecpointformatlist_length = 0;
  735. if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
  736. {
  737. *al = TLS1_AD_INTERNAL_ERROR;
  738. return 0;
  739. }
  740. s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
  741. memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
  742. }
  743. #if 0
  744. fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
  745. sdata = s->session->tlsext_ecpointformatlist;
  746. for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
  747. fprintf(stderr,"%i ",*(sdata++));
  748. fprintf(stderr,"\n");
  749. #endif
  750. }
  751. else if (type == TLSEXT_TYPE_elliptic_curves &&
  752. s->version != DTLS1_VERSION)
  753. {
  754. unsigned char *sdata = data;
  755. int ellipticcurvelist_length = (*(sdata++) << 8);
  756. ellipticcurvelist_length += (*(sdata++));
  757. if (ellipticcurvelist_length != size - 2)
  758. {
  759. *al = TLS1_AD_DECODE_ERROR;
  760. return 0;
  761. }
  762. if (!s->hit)
  763. {
  764. if(s->session->tlsext_ellipticcurvelist)
  765. {
  766. *al = TLS1_AD_DECODE_ERROR;
  767. return 0;
  768. }
  769. s->session->tlsext_ellipticcurvelist_length = 0;
  770. if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
  771. {
  772. *al = TLS1_AD_INTERNAL_ERROR;
  773. return 0;
  774. }
  775. s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
  776. memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
  777. }
  778. #if 0
  779. fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
  780. sdata = s->session->tlsext_ellipticcurvelist;
  781. for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
  782. fprintf(stderr,"%i ",*(sdata++));
  783. fprintf(stderr,"\n");
  784. #endif
  785. }
  786. #endif /* OPENSSL_NO_EC */
  787. #ifdef TLSEXT_TYPE_opaque_prf_input
  788. else if (type == TLSEXT_TYPE_opaque_prf_input &&
  789. s->version != DTLS1_VERSION)
  790. {
  791. unsigned char *sdata = data;
  792. if (size < 2)
  793. {
  794. *al = SSL_AD_DECODE_ERROR;
  795. return 0;
  796. }
  797. n2s(sdata, s->s3->client_opaque_prf_input_len);
  798. if (s->s3->client_opaque_prf_input_len != size - 2)
  799. {
  800. *al = SSL_AD_DECODE_ERROR;
  801. return 0;
  802. }
  803. if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
  804. OPENSSL_free(s->s3->client_opaque_prf_input);
  805. if (s->s3->client_opaque_prf_input_len == 0)
  806. s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
  807. else
  808. s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
  809. if (s->s3->client_opaque_prf_input == NULL)
  810. {
  811. *al = TLS1_AD_INTERNAL_ERROR;
  812. return 0;
  813. }
  814. }
  815. #endif
  816. else if (type == TLSEXT_TYPE_session_ticket)
  817. {
  818. if (s->tls_session_ticket_ext_cb &&
  819. !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
  820. {
  821. *al = TLS1_AD_INTERNAL_ERROR;
  822. return 0;
  823. }
  824. }
  825. else if (type == TLSEXT_TYPE_renegotiate)
  826. {
  827. if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
  828. return 0;
  829. renegotiate_seen = 1;
  830. }
  831. else if (type == TLSEXT_TYPE_status_request &&
  832. s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
  833. {
  834. if (size < 5)
  835. {
  836. *al = SSL_AD_DECODE_ERROR;
  837. return 0;
  838. }
  839. s->tlsext_status_type = *data++;
  840. size--;
  841. if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
  842. {
  843. const unsigned char *sdata;
  844. int dsize;
  845. /* Read in responder_id_list */
  846. n2s(data,dsize);
  847. size -= 2;
  848. if (dsize > size )
  849. {
  850. *al = SSL_AD_DECODE_ERROR;
  851. return 0;
  852. }
  853. while (dsize > 0)
  854. {
  855. OCSP_RESPID *id;
  856. int idsize;
  857. if (dsize < 4)
  858. {
  859. *al = SSL_AD_DECODE_ERROR;
  860. return 0;
  861. }
  862. n2s(data, idsize);
  863. dsize -= 2 + idsize;
  864. if (dsize < 0)
  865. {
  866. *al = SSL_AD_DECODE_ERROR;
  867. return 0;
  868. }
  869. sdata = data;
  870. data += idsize;
  871. id = d2i_OCSP_RESPID(NULL,
  872. &sdata, idsize);
  873. if (!id)
  874. {
  875. *al = SSL_AD_DECODE_ERROR;
  876. return 0;
  877. }
  878. if (data != sdata)
  879. {
  880. OCSP_RESPID_free(id);
  881. *al = SSL_AD_DECODE_ERROR;
  882. return 0;
  883. }
  884. if (!s->tlsext_ocsp_ids
  885. && !(s->tlsext_ocsp_ids =
  886. sk_OCSP_RESPID_new_null()))
  887. {
  888. OCSP_RESPID_free(id);
  889. *al = SSL_AD_INTERNAL_ERROR;
  890. return 0;
  891. }
  892. if (!sk_OCSP_RESPID_push(
  893. s->tlsext_ocsp_ids, id))
  894. {
  895. OCSP_RESPID_free(id);
  896. *al = SSL_AD_INTERNAL_ERROR;
  897. return 0;
  898. }
  899. }
  900. /* Read in request_extensions */
  901. n2s(data,dsize);
  902. size -= 2;
  903. if (dsize > size)
  904. {
  905. *al = SSL_AD_DECODE_ERROR;
  906. return 0;
  907. }
  908. sdata = data;
  909. if (dsize > 0)
  910. {
  911. s->tlsext_ocsp_exts =
  912. d2i_X509_EXTENSIONS(NULL,
  913. &sdata, dsize);
  914. if (!s->tlsext_ocsp_exts
  915. || (data + dsize != sdata))
  916. {
  917. *al = SSL_AD_DECODE_ERROR;
  918. return 0;
  919. }
  920. }
  921. }
  922. /* We don't know what to do with any other type
  923. * so ignore it.
  924. */
  925. else
  926. s->tlsext_status_type = -1;
  927. }
  928. #ifndef OPENSSL_NO_NEXTPROTONEG
  929. else if (type == TLSEXT_TYPE_next_proto_neg &&
  930. s->s3->tmp.finish_md_len == 0)
  931. {
  932. /* We shouldn't accept this extension on a
  933. * renegotiation.
  934. *
  935. * s->new_session will be set on renegotiation, but we
  936. * probably shouldn't rely that it couldn't be set on
  937. * the initial renegotation too in certain cases (when
  938. * there's some other reason to disallow resuming an
  939. * earlier session -- the current code won't be doing
  940. * anything like that, but this might change).
  941. * A valid sign that there's been a previous handshake
  942. * in this connection is if s->s3->tmp.finish_md_len >
  943. * 0. (We are talking about a check that will happen
  944. * in the Hello protocol round, well before a new
  945. * Finished message could have been computed.) */
  946. s->s3->next_proto_neg_seen = 1;
  947. }
  948. #endif
  949. /* session ticket processed earlier */
  950. data+=size;
  951. }
  952. *p = data;
  953. ri_check:
  954. /* Need RI if renegotiating */
  955. if (!renegotiate_seen && s->renegotiate &&
  956. !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
  957. {
  958. *al = SSL_AD_HANDSHAKE_FAILURE;
  959. SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
  960. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  961. return 0;
  962. }
  963. return 1;
  964. }
  965. #ifndef OPENSSL_NO_NEXTPROTONEG
  966. /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
  967. * elements of zero length are allowed and the set of elements must exactly fill
  968. * the length of the block. */
  969. static int ssl_next_proto_validate(unsigned char *d, unsigned len)
  970. {
  971. unsigned int off = 0;
  972. while (off < len)
  973. {
  974. if (d[off] == 0)
  975. return 0;
  976. off += d[off];
  977. off++;
  978. }
  979. return off == len;
  980. }
  981. #endif
  982. int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
  983. {
  984. unsigned short length;
  985. unsigned short type;
  986. unsigned short size;
  987. unsigned char *data = *p;
  988. int tlsext_servername = 0;
  989. int renegotiate_seen = 0;
  990. if (data >= (d+n-2))
  991. goto ri_check;
  992. n2s(data,length);
  993. if (data+length != d+n)
  994. {
  995. *al = SSL_AD_DECODE_ERROR;
  996. return 0;
  997. }
  998. while(data <= (d+n-4))
  999. {
  1000. n2s(data,type);
  1001. n2s(data,size);
  1002. if (data+size > (d+n))
  1003. goto ri_check;
  1004. if (s->tlsext_debug_cb)
  1005. s->tlsext_debug_cb(s, 1, type, data, size,
  1006. s->tlsext_debug_arg);
  1007. if (type == TLSEXT_TYPE_server_name)
  1008. {
  1009. if (s->tlsext_hostname == NULL || size > 0)
  1010. {
  1011. *al = TLS1_AD_UNRECOGNIZED_NAME;
  1012. return 0;
  1013. }
  1014. tlsext_servername = 1;
  1015. }
  1016. #ifndef OPENSSL_NO_EC
  1017. else if (type == TLSEXT_TYPE_ec_point_formats &&
  1018. s->version != DTLS1_VERSION)
  1019. {
  1020. unsigned char *sdata = data;
  1021. int ecpointformatlist_length = *(sdata++);
  1022. if (ecpointformatlist_length != size - 1)
  1023. {
  1024. *al = TLS1_AD_DECODE_ERROR;
  1025. return 0;
  1026. }
  1027. s->session->tlsext_ecpointformatlist_length = 0;
  1028. if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
  1029. if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
  1030. {
  1031. *al = TLS1_AD_INTERNAL_ERROR;
  1032. return 0;
  1033. }
  1034. s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
  1035. memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
  1036. #if 0
  1037. fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
  1038. sdata = s->session->tlsext_ecpointformatlist;
  1039. for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
  1040. fprintf(stderr,"%i ",*(sdata++));
  1041. fprintf(stderr,"\n");
  1042. #endif
  1043. }
  1044. #endif /* OPENSSL_NO_EC */
  1045. else if (type == TLSEXT_TYPE_session_ticket)
  1046. {
  1047. if (s->tls_session_ticket_ext_cb &&
  1048. !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
  1049. {
  1050. *al = TLS1_AD_INTERNAL_ERROR;
  1051. return 0;
  1052. }
  1053. if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
  1054. || (size > 0))
  1055. {
  1056. *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  1057. return 0;
  1058. }
  1059. s->tlsext_ticket_expected = 1;
  1060. }
  1061. #ifdef TLSEXT_TYPE_opaque_prf_input
  1062. else if (type == TLSEXT_TYPE_opaque_prf_input &&
  1063. s->version != DTLS1_VERSION)
  1064. {
  1065. unsigned char *sdata = data;
  1066. if (size < 2)
  1067. {
  1068. *al = SSL_AD_DECODE_ERROR;
  1069. return 0;
  1070. }
  1071. n2s(sdata, s->s3->server_opaque_prf_input_len);
  1072. if (s->s3->server_opaque_prf_input_len != size - 2)
  1073. {
  1074. *al = SSL_AD_DECODE_ERROR;
  1075. return 0;
  1076. }
  1077. if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
  1078. OPENSSL_free(s->s3->server_opaque_prf_input);
  1079. if (s->s3->server_opaque_prf_input_len == 0)
  1080. s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
  1081. else
  1082. s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
  1083. if (s->s3->server_opaque_prf_input == NULL)
  1084. {
  1085. *al = TLS1_AD_INTERNAL_ERROR;
  1086. return 0;
  1087. }
  1088. }
  1089. #endif
  1090. else if (type == TLSEXT_TYPE_status_request &&
  1091. s->version != DTLS1_VERSION)
  1092. {
  1093. /* MUST be empty and only sent if we've requested
  1094. * a status request message.
  1095. */
  1096. if ((s->tlsext_status_type == -1) || (size > 0))
  1097. {
  1098. *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  1099. return 0;
  1100. }
  1101. /* Set flag to expect CertificateStatus message */
  1102. s->tlsext_status_expected = 1;
  1103. }
  1104. #ifndef OPENSSL_NO_NEXTPROTONEG
  1105. else if (type == TLSEXT_TYPE_next_proto_neg)
  1106. {
  1107. unsigned char *selected;
  1108. unsigned char selected_len;
  1109. /* We must have requested it. */
  1110. if ((s->ctx->next_proto_select_cb == NULL))
  1111. {
  1112. *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  1113. return 0;
  1114. }
  1115. /* The data must be valid */
  1116. if (!ssl_next_proto_validate(data, size))
  1117. {
  1118. *al = TLS1_AD_DECODE_ERROR;
  1119. return 0;
  1120. }
  1121. if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
  1122. {
  1123. *al = TLS1_AD_INTERNAL_ERROR;
  1124. return 0;
  1125. }
  1126. s->next_proto_negotiated = OPENSSL_malloc(selected_len);
  1127. if (!s->next_proto_negotiated)
  1128. {
  1129. *al = TLS1_AD_INTERNAL_ERROR;
  1130. return 0;
  1131. }
  1132. memcpy(s->next_proto_negotiated, selected, selected_len);
  1133. s->next_proto_negotiated_len = selected_len;
  1134. }
  1135. #endif
  1136. else if (type == TLSEXT_TYPE_renegotiate)
  1137. {
  1138. if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
  1139. return 0;
  1140. renegotiate_seen = 1;
  1141. }
  1142. data+=size;
  1143. }
  1144. if (data != d+n)
  1145. {
  1146. *al = SSL_AD_DECODE_ERROR;
  1147. return 0;
  1148. }
  1149. if (!s->hit && tlsext_servername == 1)
  1150. {
  1151. if (s->tlsext_hostname)
  1152. {
  1153. if (s->session->tlsext_hostname == NULL)
  1154. {
  1155. s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
  1156. if (!s->session->tlsext_hostname)
  1157. {
  1158. *al = SSL_AD_UNRECOGNIZED_NAME;
  1159. return 0;
  1160. }
  1161. }
  1162. else
  1163. {
  1164. *al = SSL_AD_DECODE_ERROR;
  1165. return 0;
  1166. }
  1167. }
  1168. }
  1169. *p = data;
  1170. ri_check:
  1171. /* Determine if we need to see RI. Strictly speaking if we want to
  1172. * avoid an attack we should *always* see RI even on initial server
  1173. * hello because the client doesn't see any renegotiation during an
  1174. * attack. However this would mean we could not connect to any server
  1175. * which doesn't support RI so for the immediate future tolerate RI
  1176. * absence on initial connect only.
  1177. */
  1178. if (!renegotiate_seen
  1179. && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
  1180. && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
  1181. {
  1182. *al = SSL_AD_HANDSHAKE_FAILURE;
  1183. SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
  1184. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  1185. return 0;
  1186. }
  1187. return 1;
  1188. }
  1189. int ssl_prepare_clienthello_tlsext(SSL *s)
  1190. {
  1191. #ifndef OPENSSL_NO_EC
  1192. /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
  1193. * and elliptic curves we support.
  1194. */
  1195. int using_ecc = 0;
  1196. int i;
  1197. unsigned char *j;
  1198. unsigned long alg_k, alg_a;
  1199. STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
  1200. for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
  1201. {
  1202. SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
  1203. alg_k = c->algorithm_mkey;
  1204. alg_a = c->algorithm_auth;
  1205. if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
  1206. {
  1207. using_ecc = 1;
  1208. break;
  1209. }
  1210. }
  1211. using_ecc = using_ecc && (s->version >= TLS1_VERSION);
  1212. if (using_ecc)
  1213. {
  1214. if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
  1215. if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
  1216. {
  1217. SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
  1218. return -1;
  1219. }
  1220. s->tlsext_ecpointformatlist_length = 3;
  1221. s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
  1222. s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
  1223. s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
  1224. /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
  1225. if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
  1226. s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
  1227. if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
  1228. {
  1229. s->tlsext_ellipticcurvelist_length = 0;
  1230. SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
  1231. return -1;
  1232. }
  1233. for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
  1234. sizeof(nid_list)/sizeof(nid_list[0]); i++)
  1235. s2n(i,j);
  1236. }
  1237. #endif /* OPENSSL_NO_EC */
  1238. #ifdef TLSEXT_TYPE_opaque_prf_input
  1239. {
  1240. int r = 1;
  1241. if (s->ctx->tlsext_opaque_prf_input_callback != 0)
  1242. {
  1243. r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
  1244. if (!r)
  1245. return -1;
  1246. }
  1247. if (s->tlsext_opaque_prf_input != NULL)
  1248. {
  1249. if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
  1250. OPENSSL_free(s->s3->client_opaque_prf_input);
  1251. if (s->tlsext_opaque_prf_input_len == 0)
  1252. s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
  1253. else
  1254. s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
  1255. if (s->s3->client_opaque_prf_input == NULL)
  1256. {
  1257. SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
  1258. return -1;
  1259. }
  1260. s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
  1261. }
  1262. if (r == 2)
  1263. /* at callback's request, insist on receiving an appropriate server opaque PRF input */
  1264. s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
  1265. }
  1266. #endif
  1267. return 1;
  1268. }
  1269. int ssl_prepare_serverhello_tlsext(SSL *s)
  1270. {
  1271. #ifndef OPENSSL_NO_EC
  1272. /* If we are server and using an ECC cipher suite, send the point formats we support
  1273. * if the client sent us an ECPointsFormat extension. Note that the server is not
  1274. * supposed to send an EllipticCurves extension.
  1275. */
  1276. unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  1277. unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  1278. int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
  1279. using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
  1280. if (using_ecc)
  1281. {
  1282. if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
  1283. if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
  1284. {
  1285. SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
  1286. return -1;
  1287. }
  1288. s->tlsext_ecpointformatlist_length = 3;
  1289. s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
  1290. s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
  1291. s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
  1292. }
  1293. #endif /* OPENSSL_NO_EC */
  1294. return 1;
  1295. }
  1296. int ssl_check_clienthello_tlsext(SSL *s)
  1297. {
  1298. int ret=SSL_TLSEXT_ERR_NOACK;
  1299. int al = SSL_AD_UNRECOGNIZED_NAME;
  1300. #ifndef OPENSSL_NO_EC
  1301. /* The handling of the ECPointFormats extension is done elsewhere, namely in
  1302. * ssl3_choose_cipher in s3_lib.c.
  1303. */
  1304. /* The handling of the EllipticCurves extension is done elsewhere, namely in
  1305. * ssl3_choose_cipher in s3_lib.c.
  1306. */
  1307. #endif
  1308. if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
  1309. ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
  1310. else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
  1311. ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
  1312. /* If status request then ask callback what to do.
  1313. * Note: this must be called after servername callbacks in case
  1314. * the certificate has changed.
  1315. */
  1316. if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
  1317. {
  1318. int r;
  1319. r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
  1320. switch (r)
  1321. {
  1322. /* We don't want to send a status request response */
  1323. case SSL_TLSEXT_ERR_NOACK:
  1324. s->tlsext_status_expected = 0;
  1325. break;
  1326. /* status request response should be sent */
  1327. case SSL_TLSEXT_ERR_OK:
  1328. if (s->tlsext_ocsp_resp)
  1329. s->tlsext_status_expected = 1;
  1330. else
  1331. s->tlsext_status_expected = 0;
  1332. break;
  1333. /* something bad happened */
  1334. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1335. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1336. al = SSL_AD_INTERNAL_ERROR;
  1337. goto err;
  1338. }
  1339. }
  1340. else
  1341. s->tlsext_status_expected = 0;
  1342. #ifdef TLSEXT_TYPE_opaque_prf_input
  1343. {
  1344. /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
  1345. * but we might be sending an alert in response to the client hello,
  1346. * so this has to happen here in ssl_check_clienthello_tlsext(). */
  1347. int r = 1;
  1348. if (s->ctx->tlsext_opaque_prf_input_callback != 0)
  1349. {
  1350. r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
  1351. if (!r)
  1352. {
  1353. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1354. al = SSL_AD_INTERNAL_ERROR;
  1355. goto err;
  1356. }
  1357. }
  1358. if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
  1359. OPENSSL_free(s->s3->server_opaque_prf_input);
  1360. s->s3->server_opaque_prf_input = NULL;
  1361. if (s->tlsext_opaque_prf_input != NULL)
  1362. {
  1363. if (s->s3->client_opaque_prf_input != NULL &&
  1364. s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
  1365. {
  1366. /* can only use this extension if we have a server opaque PRF input
  1367. * of the same length as the client opaque PRF input! */
  1368. if (s->tlsext_opaque_prf_input_len == 0)
  1369. s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
  1370. else
  1371. s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
  1372. if (s->s3->server_opaque_prf_input == NULL)
  1373. {
  1374. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1375. al = SSL_AD_INTERNAL_ERROR;
  1376. goto err;
  1377. }
  1378. s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
  1379. }
  1380. }
  1381. if (r == 2 && s->s3->server_opaque_prf_input == NULL)
  1382. {
  1383. /* The callback wants to enforce use of the extension,
  1384. * but we can't do that with the client opaque PRF input;
  1385. * abort the handshake.
  1386. */
  1387. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1388. al = SSL_AD_HANDSHAKE_FAILURE;
  1389. }
  1390. }
  1391. #endif
  1392. err:
  1393. switch (ret)
  1394. {
  1395. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1396. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1397. return -1;
  1398. case SSL_TLSEXT_ERR_ALERT_WARNING:
  1399. ssl3_send_alert(s,SSL3_AL_WARNING,al);
  1400. return 1;
  1401. case SSL_TLSEXT_ERR_NOACK:
  1402. s->servername_done=0;
  1403. default:
  1404. return 1;
  1405. }
  1406. }
  1407. int ssl_check_serverhello_tlsext(SSL *s)
  1408. {
  1409. int ret=SSL_TLSEXT_ERR_NOACK;
  1410. int al = SSL_AD_UNRECOGNIZED_NAME;
  1411. #ifndef OPENSSL_NO_EC
  1412. /* If we are client and using an elliptic curve cryptography cipher
  1413. * suite, then if server returns an EC point formats lists extension
  1414. * it must contain uncompressed.
  1415. */
  1416. unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  1417. unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  1418. if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
  1419. (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
  1420. ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
  1421. {
  1422. /* we are using an ECC cipher */
  1423. size_t i;
  1424. unsigned char *list;
  1425. int found_uncompressed = 0;
  1426. list = s->session->tlsext_ecpointformatlist;
  1427. for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
  1428. {
  1429. if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
  1430. {
  1431. found_uncompressed = 1;
  1432. break;
  1433. }
  1434. }
  1435. if (!found_uncompressed)
  1436. {
  1437. SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
  1438. return -1;
  1439. }
  1440. }
  1441. ret = SSL_TLSEXT_ERR_OK;
  1442. #endif /* OPENSSL_NO_EC */
  1443. if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
  1444. ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
  1445. else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
  1446. ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
  1447. #ifdef TLSEXT_TYPE_opaque_prf_input
  1448. if (s->s3->server_opaque_prf_input_len > 0)
  1449. {
  1450. /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
  1451. * So first verify that we really have a value from the server too. */
  1452. if (s->s3->server_opaque_prf_input == NULL)
  1453. {
  1454. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1455. al = SSL_AD_HANDSHAKE_FAILURE;
  1456. }
  1457. /* Anytime the server *has* sent an opaque PRF input, we need to check
  1458. * that we have a client opaque PRF input of the same size. */
  1459. if (s->s3->client_opaque_prf_input == NULL ||
  1460. s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
  1461. {
  1462. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1463. al = SSL_AD_ILLEGAL_PARAMETER;
  1464. }
  1465. }
  1466. #endif
  1467. /* If we've requested certificate status and we wont get one
  1468. * tell the callback
  1469. */
  1470. if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
  1471. && s->ctx && s->ctx->tlsext_status_cb)
  1472. {
  1473. int r;
  1474. /* Set resp to NULL, resplen to -1 so callback knows
  1475. * there is no response.
  1476. */
  1477. if (s->tlsext_ocsp_resp)
  1478. {
  1479. OPENSSL_free(s->tlsext_ocsp_resp);
  1480. s->tlsext_ocsp_resp = NULL;
  1481. }
  1482. s->tlsext_ocsp_resplen = -1;
  1483. r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
  1484. if (r == 0)
  1485. {
  1486. al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
  1487. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1488. }
  1489. if (r < 0)
  1490. {
  1491. al = SSL_AD_INTERNAL_ERROR;
  1492. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1493. }
  1494. }
  1495. switch (ret)
  1496. {
  1497. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1498. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1499. return -1;
  1500. case SSL_TLSEXT_ERR_ALERT_WARNING:
  1501. ssl3_send_alert(s,SSL3_AL_WARNING,al);
  1502. return 1;
  1503. case SSL_TLSEXT_ERR_NOACK:
  1504. s->servername_done=0;
  1505. default:
  1506. return 1;
  1507. }
  1508. }
  1509. /* Since the server cache lookup is done early on in the processing of client
  1510. * hello and other operations depend on the result we need to handle any TLS
  1511. * session ticket extension at the same time.
  1512. */
  1513. int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
  1514. const unsigned char *limit, SSL_SESSION **ret)
  1515. {
  1516. /* Point after session ID in client hello */
  1517. const unsigned char *p = session_id + len;
  1518. unsigned short i;
  1519. /* If tickets disabled behave as if no ticket present
  1520. * to permit stateful resumption.
  1521. */
  1522. if (SSL_get_options(s) & SSL_OP_NO_TICKET)
  1523. return 1;
  1524. if ((s->version <= SSL3_VERSION) || !limit)
  1525. return 1;
  1526. if (p >= limit)
  1527. return -1;
  1528. /* Skip past DTLS cookie */
  1529. if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
  1530. {
  1531. i = *(p++);
  1532. p+= i;
  1533. if (p >= limit)
  1534. return -1;
  1535. }
  1536. /* Skip past cipher list */
  1537. n2s(p, i);
  1538. p+= i;
  1539. if (p >= limit)
  1540. return -1;
  1541. /* Skip past compression algorithm list */
  1542. i = *(p++);
  1543. p += i;
  1544. if (p > limit)
  1545. return -1;
  1546. /* Now at start of extensions */
  1547. if ((p + 2) >= limit)
  1548. return 1;
  1549. n2s(p, i);
  1550. while ((p + 4) <= limit)
  1551. {
  1552. unsigned short type, size;
  1553. n2s(p, type);
  1554. n2s(p, size);
  1555. if (p + size > limit)
  1556. return 1;
  1557. if (type == TLSEXT_TYPE_session_ticket)
  1558. {
  1559. /* If tickets disabled indicate cache miss which will
  1560. * trigger a full handshake
  1561. */
  1562. if (SSL_get_options(s) & SSL_OP_NO_TICKET)
  1563. return 1;
  1564. /* If zero length note client will accept a ticket
  1565. * and indicate cache miss to trigger full handshake
  1566. */
  1567. if (size == 0)
  1568. {
  1569. s->tlsext_ticket_expected = 1;
  1570. return 0; /* Cache miss */
  1571. }
  1572. if (s->tls_session_secret_cb)
  1573. {
  1574. /* Indicate cache miss here and instead of
  1575. * generating the session from ticket now,
  1576. * trigger abbreviated handshake based on
  1577. * external mechanism to calculate the master
  1578. * secret later. */
  1579. return 0;
  1580. }
  1581. return tls_decrypt_ticket(s, p, size, session_id, len,
  1582. ret);
  1583. }
  1584. p += size;
  1585. }
  1586. return 1;
  1587. }
  1588. static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
  1589. const unsigned char *sess_id, int sesslen,
  1590. SSL_SESSION **psess)
  1591. {
  1592. SSL_SESSION *sess;
  1593. unsigned char *sdec;
  1594. const unsigned char *p;
  1595. int slen, mlen, renew_ticket = 0;
  1596. unsigned char tick_hmac[EVP_MAX_MD_SIZE];
  1597. HMAC_CTX hctx;
  1598. EVP_CIPHER_CTX ctx;
  1599. SSL_CTX *tctx = s->initial_ctx;
  1600. /* Need at least keyname + iv + some encrypted data */
  1601. if (eticklen < 48)
  1602. goto tickerr;
  1603. /* Initialize session ticket encryption and HMAC contexts */
  1604. HMAC_CTX_init(&hctx);
  1605. EVP_CIPHER_CTX_init(&ctx);
  1606. if (tctx->tlsext_ticket_key_cb)
  1607. {
  1608. unsigned char *nctick = (unsigned char *)etick;
  1609. int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
  1610. &ctx, &hctx, 0);
  1611. if (rv < 0)
  1612. return -1;
  1613. if (rv == 0)
  1614. goto tickerr;
  1615. if (rv == 2)
  1616. renew_ticket = 1;
  1617. }
  1618. else
  1619. {
  1620. /* Check key name matches */
  1621. if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
  1622. goto tickerr;
  1623. HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
  1624. tlsext_tick_md(), NULL);
  1625. EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
  1626. tctx->tlsext_tick_aes_key, etick + 16);
  1627. }
  1628. /* Attempt to process session ticket, first conduct sanity and
  1629. * integrity checks on ticket.
  1630. */
  1631. mlen = HMAC_size(&hctx);
  1632. if (mlen < 0)
  1633. {
  1634. EVP_CIPHER_CTX_cleanup(&ctx);
  1635. return -1;
  1636. }
  1637. eticklen -= mlen;
  1638. /* Check HMAC of encrypted ticket */
  1639. HMAC_Update(&hctx, etick, eticklen);
  1640. HMAC_Final(&hctx, tick_hmac, NULL);
  1641. HMAC_CTX_cleanup(&hctx);
  1642. if (memcmp(tick_hmac, etick + eticklen, mlen))
  1643. goto tickerr;
  1644. /* Attempt to decrypt session data */
  1645. /* Move p after IV to start of encrypted ticket, update length */
  1646. p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
  1647. eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
  1648. sdec = OPENSSL_malloc(eticklen);
  1649. if (!sdec)
  1650. {
  1651. EVP_CIPHER_CTX_cleanup(&ctx);
  1652. return -1;
  1653. }
  1654. EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
  1655. if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
  1656. goto tickerr;
  1657. slen += mlen;
  1658. EVP_CIPHER_CTX_cleanup(&ctx);
  1659. p = sdec;
  1660. sess = d2i_SSL_SESSION(NULL, &p, slen);
  1661. OPENSSL_free(sdec);
  1662. if (sess)
  1663. {
  1664. /* The session ID if non-empty is used by some clients to
  1665. * detect that the ticket has been accepted. So we copy it to
  1666. * the session structure. If it is empty set length to zero
  1667. * as required by standard.
  1668. */
  1669. if (sesslen)
  1670. memcpy(sess->session_id, sess_id, sesslen);
  1671. sess->session_id_length = sesslen;
  1672. *psess = sess;
  1673. s->tlsext_ticket_expected = renew_ticket;
  1674. return 1;
  1675. }
  1676. /* If session decrypt failure indicate a cache miss and set state to
  1677. * send a new ticket
  1678. */
  1679. tickerr:
  1680. s->tlsext_ticket_expected = 1;
  1681. return 0;
  1682. }
  1683. #endif