t1_lib.c 26 KB

  1. /* ssl/t1_lib.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. #include <stdio.h>
  112. #include <openssl/objects.h>
  113. #include "ssl_locl.h"
  /* Version banner string for the TLSv1 implementation. */
  const char *tls1_version_str = "TLSv1" OPENSSL_VERSION_PTEXT;

  /*
   * TLSv1 entries for the SSL3_ENC_METHOD table.
   *
   * The initializer is positional, so the order of the entries below must
   * match the member order of SSL3_ENC_METHOD (declared outside this file).
   */
  SSL3_ENC_METHOD TLSv1_enc_data = {
      tls1_enc,
      tls1_mac,
      tls1_setup_key_block,
      tls1_generate_master_secret,
      tls1_change_cipher_state,
      tls1_final_finish_mac,
      TLS1_FINISH_MAC_LENGTH,
      tls1_cert_verify_mac,
      TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
      TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
      tls1_alert_code,
  };
  /*
   * Default session timeout for TLSv1, in seconds.
   *
   * Two hours: the 24 hours mentioned in the TLSv1 spec is far too long for
   * HTTP, where the session cache would overfill.
   */
  long tls1_default_timeout(void)
  {
      const long two_hours = 2 * 60 * 60;

      return two_hours;
  }
  /*
   * Construct the per-connection state for a TLSv1 SSL object.
   *
   * Runs the SSLv3 constructor and then the method's own clear routine.
   * Returns 1 on success, 0 when ssl3_new() fails.
   */
  int tls1_new(SSL *s)
  {
      if (ssl3_new(s)) {
          s->method->ssl_clear(s);
          return 1;
      }
      return 0;
  }
  /* Release per-connection state; TLSv1 simply delegates to ssl3_free(). */
  void tls1_free(SSL *s)
  {
      ssl3_free(s);
      return;
  }
  /*
   * Reset a connection for reuse as TLSv1.
   *
   * The version is assigned after ssl3_clear() so that the TLSv1 value is the
   * one left in place (ssl3_clear() presumably writes its own version; it is
   * defined outside this file).
   */
  void tls1_clear(SSL *s)
  {
      ssl3_clear(s);

      s->version = TLS1_VERSION;
  }
  149. #ifndef OPENSSL_NO_TLSEXT
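  /*
   * Append the TLS extensions block to a ClientHello being built at p.
   *
   * s      connection whose tlsext_* fields select the extensions to send
   * p      start of the extensions block; its first two bytes receive the
   *        total length of the extensions that follow
   * limit  one past the last writable byte of the output buffer
   *
   * Returns the position after the last byte written, p itself when no
   * extension was added (nothing is written in that case), or NULL when the
   * buffer is too small or a list length cannot be encoded.
   *
   * Every space check is measured from ret, the current write position.
   * Measuring from p would ignore the two length bytes and any extension
   * already emitted, so a later extension could be written past limit.
   */
  unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
  {
      int extdatalen = 0;
      unsigned char *ret = p;

      /* Reserve the two-byte total length; it is filled in at the end. */
      ret += 2;

      if (ret >= limit) return NULL; /* this really never occurs, but ... */

      if (s->tlsext_hostname != NULL) {
          /* Add TLS extension servername to the Client Hello message */
          unsigned long size_str;
          long lenmax;

          /*
           * Check for enough space:
           *   4 for the servername type and extension length
           *   2 for servernamelist length
           *   1 for the hostname type
           *   2 for hostname length
           *   + hostname length
           */
          if ((lenmax = limit - ret - 9) < 0
              || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
              return NULL;

          /* extension type and length */
          s2n(TLSEXT_TYPE_server_name, ret);
          s2n(size_str + 5, ret);

          /* length of servername list */
          s2n(size_str + 3, ret);

          /* hostname type, length and hostname */
          *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
          s2n(size_str, ret);
          memcpy(ret, s->tlsext_hostname, size_str);
          ret += size_str;
      }
  #ifndef OPENSSL_NO_EC
      if (s->tlsext_ecpointformatlist != NULL) {
          /* Add TLS extension ECPointFormats to the ClientHello message */
          long lenmax;

          /* 2 type + 2 extension length + 1 list length + list */
          if ((lenmax = limit - ret - 5) < 0) return NULL;
          if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
          /* The list length is encoded in a single byte. */
          if (s->tlsext_ecpointformatlist_length > 255) {
              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
              return NULL;
          }

          s2n(TLSEXT_TYPE_ec_point_formats, ret);
          s2n(s->tlsext_ecpointformatlist_length + 1, ret);
          *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
          memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
          ret += s->tlsext_ecpointformatlist_length;
      }
      if (s->tlsext_ellipticcurvelist != NULL) {
          /* Add TLS extension EllipticCurves to the ClientHello message */
          long lenmax;

          /* 2 type + 2 extension length + 2 list length + list */
          if ((lenmax = limit - ret - 6) < 0) return NULL;
          if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
          /* list length + 2 must still fit the 16-bit extension length */
          if (s->tlsext_ellipticcurvelist_length > 65532) {
              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
              return NULL;
          }

          s2n(TLSEXT_TYPE_elliptic_curves, ret);
          s2n(s->tlsext_ellipticcurvelist_length + 2, ret);

          /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
           * elliptic_curve_list, but the examples use two bytes.
           * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
           * resolves this to two bytes.
           */
          s2n(s->tlsext_ellipticcurvelist_length, ret);
          memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
          ret += s->tlsext_ellipticcurvelist_length;
      }
  #endif /* OPENSSL_NO_EC */

      /* Nothing added: hand back p so the caller emits no extensions block. */
      if ((extdatalen = ret - p - 2) == 0)
          return p;

      s2n(extdatalen, p);
      return ret;
  }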
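  /*
   * Append the TLS extensions block to a ServerHello being built at p.
   *
   * s      connection whose state selects the extensions to send
   * p      start of the extensions block; its first two bytes receive the
   *        total length of the extensions that follow
   * limit  one past the last writable byte of the output buffer
   *
   * Returns the position after the last byte written, p itself when no
   * extension was added, or NULL when the buffer is too small or the point
   * format list cannot be encoded.
   *
   * Space checks are measured from ret, the current write position, so that
   * the two length bytes and any extension already emitted are accounted for.
   */
  unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
  {
      int extdatalen = 0;
      unsigned char *ret = p;

      /* Reserve the two-byte total length; it is filled in at the end. */
      ret += 2;

      if (ret >= limit) return NULL; /* this really never occurs, but ... */

      /* Acknowledge the server name with an empty extension (type + zero length). */
      if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) {
          if (limit - ret - 4 < 0) return NULL;

          s2n(TLSEXT_TYPE_server_name, ret);
          s2n(0, ret);
      }
  #ifndef OPENSSL_NO_EC
      if (s->tlsext_ecpointformatlist != NULL) {
          /* Add TLS extension ECPointFormats to the ServerHello message */
          long lenmax;

          /* 2 type + 2 extension length + 1 list length + list */
          if ((lenmax = limit - ret - 5) < 0) return NULL;
          if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
          /* The list length is encoded in a single byte. */
          if (s->tlsext_ecpointformatlist_length > 255) {
              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
              return NULL;
          }

          s2n(TLSEXT_TYPE_ec_point_formats, ret);
          s2n(s->tlsext_ecpointformatlist_length + 1, ret);
          *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
          memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
          ret += s->tlsext_ecpointformatlist_length;
      }
      /* Currently the server should not respond with a SupportedCurves extension */
  #endif /* OPENSSL_NO_EC */

      /* Nothing added: hand back p so the caller emits no extensions block. */
      if ((extdatalen = ret - p - 2) == 0)
          return p;

      s2n(extdatalen, p);
      return ret;
  }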
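  /*
   * Parse the extensions block of a received ClientHello.
   *
   * s   connection being negotiated; s->session receives the parsed values
   * p   in: current read position; out: position after the last extension
   *     consumed (written only when the whole loop completes)
   * d   start of the message body
   * n   length of the message body in bytes
   * al  out: alert description to send when 0 is returned
   *
   * Returns 1 on success, and also when the block is absent or an extension
   * overruns the message (parsing stops and *p is left unchanged); returns 0
   * with *al set on a malformed or unacceptable extension.
   *
   * Every length in here comes from the peer.  Each one is checked against
   * the bytes actually available before anything is read through it.
   */
  int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
  {
      unsigned short type;
      unsigned short size;
      unsigned short len;
      unsigned char *data = *p;

      s->servername_done = 0;

      /* Fewer than two bytes left: no extensions block present. */
      if (data >= (d+n-2))
          return 1;
      n2s(data,len);

      if (data > (d+n-len))
          return 1;

      while (data <= (d+n-4)) {
          n2s(data,type);
          n2s(data,size);

          if (data+size > (d+n))
              return 1;

          /* The servername extension is treated as follows:
           *
           * - Only the hostname type is supported, with a maximum length of 255.
           * - The servername is rejected if it is too long or contains zeros,
           *   in which case a fatal alert is generated.
           * - The servername field is maintained together with the session cache.
           * - When a session is resumed, the servername callback is invoked so
           *   that the application can position itself in the right context.
           * - The servername is acknowledged if it is new for a session or when
           *   it is identical to one previously used for the same session.
           *   Applications can control the behaviour.  They can at any time
           *   set a 'desirable' servername for a new SSL object.  This can be
           *   the case for example with HTTPS when a Host: header field is
           *   received and a renegotiation is requested.  In this case, a
           *   possible servername presented in the new client hello is only
           *   acknowledged if it matches the value of the Host: field.
           * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
           *   if they provide for changing an explicit servername context for
           *   the session, i.e. when the session has been established with a
           *   servername extension.
           * - On session reconnect, the servername extension may be absent.
           */
          if (type == TLSEXT_TYPE_server_name) {
              unsigned char *sdata;
              int servname_type;
              int dsize;

              if (size < 2) {
                  *al = SSL_AD_DECODE_ERROR;
                  return 0;
              }
              n2s(data,dsize);
              size -= 2;
              if (dsize > size) {
                  *al = SSL_AD_DECODE_ERROR;
                  return 0;
              }

              sdata = data;
              while (dsize > 3) {
                  servname_type = *(sdata++);
                  n2s(sdata,len);
                  dsize -= 3;

                  if (len > dsize) {
                      *al = SSL_AD_DECODE_ERROR;
                      return 0;
                  }
                  if (s->servername_done == 0)
                      switch (servname_type) {
                      case TLSEXT_NAMETYPE_host_name:
                          if (s->session->tlsext_hostname == NULL) {
                              if (len > TLSEXT_MAXLEN_host_name ||
                                  ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) {
                                  *al = TLS1_AD_UNRECOGNIZED_NAME;
                                  return 0;
                              }
                              memcpy(s->session->tlsext_hostname, sdata, len);
                              s->session->tlsext_hostname[len]='\0';
                              /* An embedded NUL makes the C string shorter than len. */
                              if (strlen(s->session->tlsext_hostname) != len) {
                                  OPENSSL_free(s->session->tlsext_hostname);
                                  /* Clear the pointer: the session still owns this
                                   * field, and a stale value would be freed or read
                                   * again later. */
                                  s->session->tlsext_hostname = NULL;
                                  *al = TLS1_AD_UNRECOGNIZED_NAME;
                                  return 0;
                              }
                              s->servername_done = 1;
                          } else
                              s->servername_done = strlen(s->session->tlsext_hostname) == len
                                  && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
                          break;

                      default:
                          break;
                      }

                  /* Step over this entry's name so that the next iteration
                   * reads the following entry header, not the name bytes. */
                  sdata += len;
                  dsize -= len;
              }
              if (dsize != 0) {
                  *al = SSL_AD_DECODE_ERROR;
                  return 0;
              }
          }
  #ifndef OPENSSL_NO_EC
          else if (type == TLSEXT_TYPE_ec_point_formats) {
              unsigned char *sdata = data;
              int ecpointformatlist_length;

              /* The one-byte list length must lie inside the extension body. */
              if (size < 1) {
                  *al = TLS1_AD_DECODE_ERROR;
                  return 0;
              }
              ecpointformatlist_length = *(sdata++);

              if (ecpointformatlist_length != size - 1) {
                  *al = TLS1_AD_DECODE_ERROR;
                  return 0;
              }
              /* Zero the length first so the session never pairs a stale
               * length with a freed or newly allocated buffer. */
              s->session->tlsext_ecpointformatlist_length = 0;
              if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
              if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
                  *al = TLS1_AD_INTERNAL_ERROR;
                  return 0;
              }
              s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
              memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
          }
          else if (type == TLSEXT_TYPE_elliptic_curves) {
              unsigned char *sdata = data;
              int ellipticcurvelist_length;

              /* The two-byte list length must lie inside the extension body. */
              if (size < 2) {
                  *al = TLS1_AD_DECODE_ERROR;
                  return 0;
              }
              ellipticcurvelist_length = (*(sdata++) << 8);
              ellipticcurvelist_length += (*(sdata++));

              if (ellipticcurvelist_length != size - 2) {
                  *al = TLS1_AD_DECODE_ERROR;
                  return 0;
              }
              s->session->tlsext_ellipticcurvelist_length = 0;
              if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
              if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
                  *al = TLS1_AD_INTERNAL_ERROR;
                  return 0;
              }
              s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
              memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
          }
  #endif /* OPENSSL_NO_EC */

          /* Skip to the next extension; unknown types are ignored. */
          data+=size;
      }

      *p = data;
      return 1;
  }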
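  /*
   * Parse the extensions block of a received ServerHello.
   *
   * s   connection being negotiated; s->session receives the parsed values
   * p   in: current read position; out: position after the last extension
   *     (written only on the final success path)
   * d   start of the message body
   * n   length of the message body in bytes
   * al  out: alert description to send when 0 is returned
   *
   * Returns 1 on success, and also when the block is absent or an extension
   * overruns the message (*p is left unchanged then); returns 0 with *al set
   * when an extension is malformed, unsolicited, or leaves trailing bytes.
   *
   * All lengths come from the peer and are checked before they are used.
   */
  int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
  {
      unsigned short type;
      unsigned short size;
      unsigned short len;
      unsigned char *data = *p;

      int tlsext_servername = 0;

      /* Fewer than two bytes left: no extensions block present. */
      if (data >= (d+n-2))
          return 1;

      /* Total extensions length; read only to step over it. */
      n2s(data,len);

      while (data <= (d+n-4)) {
          n2s(data,type);
          n2s(data,size);

          if (data+size > (d+n))
              return 1;

          if (type == TLSEXT_TYPE_server_name) {
              /* The acknowledgement must be empty, and is only valid if we
               * sent a server name ourselves. */
              if (s->tlsext_hostname == NULL || size > 0) {
                  *al = TLS1_AD_UNRECOGNIZED_NAME;
                  return 0;
              }
              tlsext_servername = 1;
          }
  #ifndef OPENSSL_NO_EC
          else if (type == TLSEXT_TYPE_ec_point_formats) {
              unsigned char *sdata = data;
              int ecpointformatlist_length;

              /* The one-byte list length must lie inside the extension body. */
              if (size < 1) {
                  *al = TLS1_AD_DECODE_ERROR;
                  return 0;
              }
              ecpointformatlist_length = *(sdata++);

              if (ecpointformatlist_length != size - 1) {
                  *al = TLS1_AD_DECODE_ERROR;
                  return 0;
              }
              /* Zero the length first so the session never pairs a stale
               * length with a freed or newly allocated buffer. */
              s->session->tlsext_ecpointformatlist_length = 0;
              if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
              if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
                  *al = TLS1_AD_INTERNAL_ERROR;
                  return 0;
              }
              s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
              memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
          }
  #endif /* OPENSSL_NO_EC */

          /* Skip to the next extension; unknown types are ignored. */
          data+=size;
      }

      /* The extensions must account for the message exactly. */
      if (data != d+n) {
          *al = SSL_AD_DECODE_ERROR;
          return 0;
      }

      /* On a new session, record the acknowledged name in the session. */
      if (!s->hit && tlsext_servername == 1) {
          if (s->tlsext_hostname) {
              if (s->session->tlsext_hostname == NULL) {
                  s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
                  if (!s->session->tlsext_hostname) {
                      *al = SSL_AD_UNRECOGNIZED_NAME;
                      return 0;
                  }
              } else {
                  *al = SSL_AD_DECODE_ERROR;
                  return 0;
              }
          }
      }

      *p = data;
      return 1;
  }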
  510. #ifndef OPENSSL_NO_EC
  /*
   * NIDs of the named curves, indexed by (TLS curve id - 1).
   * The trailing comment on each entry gives the curve name and its id.
   */
  static int nid_list[] = {
      NID_sect163k1,        /* sect163k1 (1) */
      NID_sect163r1,        /* sect163r1 (2) */
      NID_sect163r2,        /* sect163r2 (3) */
      NID_sect193r1,        /* sect193r1 (4) */
      NID_sect193r2,        /* sect193r2 (5) */
      NID_sect233k1,        /* sect233k1 (6) */
      NID_sect233r1,        /* sect233r1 (7) */
      NID_sect239k1,        /* sect239k1 (8) */
      NID_sect283k1,        /* sect283k1 (9) */
      NID_sect283r1,        /* sect283r1 (10) */
      NID_sect409k1,        /* sect409k1 (11) */
      NID_sect409r1,        /* sect409r1 (12) */
      NID_sect571k1,        /* sect571k1 (13) */
      NID_sect571r1,        /* sect571r1 (14) */
      NID_secp160k1,        /* secp160k1 (15) */
      NID_secp160r1,        /* secp160r1 (16) */
      NID_secp160r2,        /* secp160r2 (17) */
      NID_secp192k1,        /* secp192k1 (18) */
      NID_X9_62_prime192v1, /* secp192r1 (19) */
      NID_secp224k1,        /* secp224k1 (20) */
      NID_secp224r1,        /* secp224r1 (21) */
      NID_secp256k1,        /* secp256k1 (22) */
      NID_X9_62_prime256v1, /* secp256r1 (23) */
      NID_secp384r1,        /* secp384r1 (24) */
      NID_secp521r1         /* secp521r1 (25) */
  };
  /*
   * Map a TLS named-curve id to its NID.
   *
   * ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005).
   * Ids are 1-based; anything outside 1..(number of entries in nid_list)
   * yields 0.
   */
  int tls1_ec_curve_id2nid(int curve_id)
  {
      const size_t curve_count = sizeof(nid_list) / sizeof(nid_list[0]);

      if (curve_id < 1)
          return 0;
      /* curve_id is positive here, so the conversion cannot wrap */
      if ((size_t)curve_id > curve_count)
          return 0;

      return nid_list[curve_id - 1];
  }
  /*
   * Map a NID to its TLS named-curve id.
   *
   * ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005).
   * Returns the 1-based curve id, or 0 when the NID is not one of the
   * curves listed below.
   */
  int tls1_ec_nid2curve_id(int nid)
  {
      int curve_id;

      switch (nid) {
      case NID_sect163k1:        curve_id = 1;  break; /* sect163k1 */
      case NID_sect163r1:        curve_id = 2;  break; /* sect163r1 */
      case NID_sect163r2:        curve_id = 3;  break; /* sect163r2 */
      case NID_sect193r1:        curve_id = 4;  break; /* sect193r1 */
      case NID_sect193r2:        curve_id = 5;  break; /* sect193r2 */
      case NID_sect233k1:        curve_id = 6;  break; /* sect233k1 */
      case NID_sect233r1:        curve_id = 7;  break; /* sect233r1 */
      case NID_sect239k1:        curve_id = 8;  break; /* sect239k1 */
      case NID_sect283k1:        curve_id = 9;  break; /* sect283k1 */
      case NID_sect283r1:        curve_id = 10; break; /* sect283r1 */
      case NID_sect409k1:        curve_id = 11; break; /* sect409k1 */
      case NID_sect409r1:        curve_id = 12; break; /* sect409r1 */
      case NID_sect571k1:        curve_id = 13; break; /* sect571k1 */
      case NID_sect571r1:        curve_id = 14; break; /* sect571r1 */
      case NID_secp160k1:        curve_id = 15; break; /* secp160k1 */
      case NID_secp160r1:        curve_id = 16; break; /* secp160r1 */
      case NID_secp160r2:        curve_id = 17; break; /* secp160r2 */
      case NID_secp192k1:        curve_id = 18; break; /* secp192k1 */
      case NID_X9_62_prime192v1: curve_id = 19; break; /* secp192r1 */
      case NID_secp224k1:        curve_id = 20; break; /* secp224k1 */
      case NID_secp224r1:        curve_id = 21; break; /* secp224r1 */
      case NID_secp256k1:        curve_id = 22; break; /* secp256k1 */
      case NID_X9_62_prime256v1: curve_id = 23; break; /* secp256r1 */
      case NID_secp384r1:        curve_id = 24; break; /* secp384r1 */
      case NID_secp521r1:        curve_id = 25; break; /* secp521r1 */
      default:                   curve_id = 0;  break; /* not a listed curve */
      }

      return curve_id;
  }
  604. #endif /* OPENSSL_NO_EC */
  /*
   * Prepare the extension data a client will send in its ClientHello.
   *
   * When the cipher list contains an ECC suite and the connection is TLSv1,
   * the supported point formats and the list of named curves are (re)built
   * on s.  Returns 1 on success (including when nothing needs doing) and -1
   * on allocation failure.  With OPENSSL_NO_EC defined this only returns 1.
   */
  int ssl_prepare_clienthello_tlsext(SSL *s)
  {
  #ifndef OPENSSL_NO_EC
      int ecc_offered = 0;
      int idx;
      unsigned char *cursor;
      int algs;
      STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);

      /* Does any configured suite use ECDH, ECDHE or ECDSA? */
      for (idx = 0; idx < sk_SSL_CIPHER_num(ciphers); idx++) {
          algs = (sk_SSL_CIPHER_value(ciphers, idx))->algorithms;
          if ((algs & SSL_kECDH) || (algs & SSL_kECDHE) || (algs & SSL_aECDSA)) {
              ecc_offered = 1;
              break;
          }
      }

      /* The EC extensions are only sent for TLSv1 with an ECC suite on offer. */
      if (!(ecc_offered && (s->version == TLS1_VERSION)))
          return 1;

      /* Point formats: all three defined formats are advertised. */
      if (s->tlsext_ecpointformatlist != NULL)
          OPENSSL_free(s->tlsext_ecpointformatlist);
      s->tlsext_ecpointformatlist = OPENSSL_malloc(3);
      if (s->tlsext_ecpointformatlist == NULL) {
          SSLerr(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
          return -1;
      }
      s->tlsext_ecpointformatlist_length = 3;
      s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
      s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
      s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;

      /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
      if (s->tlsext_ellipticcurvelist != NULL)
          OPENSSL_free(s->tlsext_ellipticcurvelist);
      /* two bytes per curve id */
      s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
      s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length);
      if (s->tlsext_ellipticcurvelist == NULL) {
          /* keep length and pointer consistent on failure */
          s->tlsext_ellipticcurvelist_length = 0;
          SSLerr(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
          return -1;
      }

      /* Curve ids are 1-based; s2n() writes two bytes and advances cursor. */
      cursor = s->tlsext_ellipticcurvelist;
      for (idx = 1; idx <= sizeof(nid_list)/sizeof(nid_list[0]); idx++)
          s2n(idx,cursor);
  #endif /* OPENSSL_NO_EC */
      return 1;
  }
  /*
   * Prepare the extension data a server will send in its ServerHello.
   *
   * If the chosen cipher suite uses ECC and the client sent an ECPointFormats
   * extension, the point formats we support are (re)built on s.  The server
   * is not supposed to send an EllipticCurves extension.  Returns 1 on
   * success (including when nothing needs doing) and -1 on allocation
   * failure.  With OPENSSL_NO_EC defined this only returns 1.
   */
  int ssl_prepare_serverhello_tlsext(SSL *s)
  {
  #ifndef OPENSSL_NO_EC
      int algs = s->s3->tmp.new_cipher->algorithms;
      int ecc_suite = (algs & SSL_kECDH) || (algs & SSL_kECDHE) || (algs & SSL_aECDSA);

      /* Nothing to send unless an ECC suite was chosen and the client
       * supplied its own point format list. */
      if (!ecc_suite || s->session->tlsext_ecpointformatlist == NULL)
          return 1;

      if (s->tlsext_ecpointformatlist != NULL)
          OPENSSL_free(s->tlsext_ecpointformatlist);
      s->tlsext_ecpointformatlist = OPENSSL_malloc(3);
      if (s->tlsext_ecpointformatlist == NULL) {
          SSLerr(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
          return -1;
      }
      s->tlsext_ecpointformatlist_length = 3;
      s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
      s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
      s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
  #endif /* OPENSSL_NO_EC */
      return 1;
  }
  /*
   * Act on the extensions received in a ClientHello (server side).
   *
   * Invokes the servername callback from s->ctx, or failing that from
   * s->initial_ctx, and turns its result into an alert if requested.
   * Returns -1 after sending a fatal alert, 1 otherwise.
   *
   * The ECPointFormats and EllipticCurves extensions are handled elsewhere,
   * namely in ssl3_choose_cipher in s3_lib.c.
   */
  int ssl_check_clienthello_tlsext(SSL *s)
  {
      int ret = SSL_TLSEXT_ERR_NOACK;
      int al = SSL_AD_UNRECOGNIZED_NAME;

      if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
          ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
      else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
          ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);

      if (ret == SSL_TLSEXT_ERR_ALERT_FATAL) {
          ssl3_send_alert(s,SSL3_AL_FATAL,al);
          return -1;
      }

      if (ret == SSL_TLSEXT_ERR_ALERT_WARNING) {
          ssl3_send_alert(s,SSL3_AL_WARNING,al);
          return 1;
      }

      /* No acknowledgement (also the result when no callback is set):
       * forget that a server name was matched. */
      if (ret == SSL_TLSEXT_ERR_NOACK)
          s->servername_done=0;

      return 1;
  }
  /*
   * Act on the extensions received in a ServerHello (client side).
   *
   * With EC support compiled in: if we sent a point format list and the
   * chosen suite uses ECC, the server must have returned a point format list
   * that contains the uncompressed format; otherwise -1 is returned.
   *
   * Afterwards the servername callback from s->ctx, or failing that from
   * s->initial_ctx, is invoked and its result turned into an alert if
   * requested.  Returns -1 after sending a fatal alert, 1 otherwise.
   */
  int ssl_check_serverhello_tlsext(SSL *s)
  {
      int ret = SSL_TLSEXT_ERR_NOACK;
      int al = SSL_AD_UNRECOGNIZED_NAME;

  #ifndef OPENSSL_NO_EC
      int algs = s->s3->tmp.new_cipher->algorithms;

      if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
          ((algs & SSL_kECDH) || (algs & SSL_kECDHE) || (algs & SSL_aECDSA))) {
          /* we are using an ECC cipher */
          size_t pos;
          unsigned char *formats;
          int have_uncompressed = 0;

          if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0)) {
              SSLerr(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
              return -1;
          }

          /* Scan the server's list for the uncompressed point format. */
          formats = s->session->tlsext_ecpointformatlist;
          for (pos = 0; pos < s->session->tlsext_ecpointformatlist_length; pos++) {
              if (formats[pos] == TLSEXT_ECPOINTFORMAT_uncompressed) {
                  have_uncompressed = 1;
                  break;
              }
          }

          if (!have_uncompressed) {
              SSLerr(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
              return -1;
          }
      }
      /* In EC builds the result when no callback is set is OK, not NOACK. */
      ret = SSL_TLSEXT_ERR_OK;
  #endif /* OPENSSL_NO_EC */

      if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
          ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
      else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
          ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);

      if (ret == SSL_TLSEXT_ERR_ALERT_FATAL) {
          ssl3_send_alert(s,SSL3_AL_FATAL,al);
          return -1;
      }

      if (ret == SSL_TLSEXT_ERR_ALERT_WARNING) {
          ssl3_send_alert(s,SSL3_AL_WARNING,al);
          return 1;
      }

      /* No acknowledgement: forget that a server name was matched. */
      if (ret == SSL_TLSEXT_ERR_NOACK)
          s->servername_done=0;

      return 1;
  }
  763. #endif