]>
Commit | Line | Data |
---|---|---|
58964a49 RE |
1 | /* ssl/t1_lib.c */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
3 | * All rights reserved. | |
4 | * | |
5 | * This package is an SSL implementation written | |
6 | * by Eric Young (eay@cryptsoft.com). | |
7 | * The implementation was written so as to conform with Netscapes SSL. | |
8 | * | |
9 | * This library is free for commercial and non-commercial use as long as | |
10 | * the following conditions are aheared to. The following conditions | |
11 | * apply to all code found in this distribution, be it the RC4, RSA, | |
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 | * included with this distribution is covered by the same copyright terms | |
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 | * | |
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 | * the code are not to be removed. | |
18 | * If this package is used in a product, Eric Young should be given attribution | |
19 | * as the author of the parts of the library used. | |
20 | * This can be in the form of a textual message at program startup or | |
21 | * in documentation (online or textual) provided with the package. | |
22 | * | |
23 | * Redistribution and use in source and binary forms, with or without | |
24 | * modification, are permitted provided that the following conditions | |
25 | * are met: | |
26 | * 1. Redistributions of source code must retain the copyright | |
27 | * notice, this list of conditions and the following disclaimer. | |
28 | * 2. Redistributions in binary form must reproduce the above copyright | |
29 | * notice, this list of conditions and the following disclaimer in the | |
30 | * documentation and/or other materials provided with the distribution. | |
31 | * 3. All advertising materials mentioning features or use of this software | |
32 | * must display the following acknowledgement: | |
33 | * "This product includes cryptographic software written by | |
34 | * Eric Young (eay@cryptsoft.com)" | |
35 | * The word 'cryptographic' can be left out if the rouines from the library | |
36 | * being used are not cryptographic related :-). | |
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 | * the apps directory (application code) you must include an acknowledgement: | |
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 | * | |
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 | * SUCH DAMAGE. | |
52 | * | |
53 | * The licence and distribution terms for any publically available version or | |
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 | * copied and put under another distribution licence | |
56 | * [including the GNU Public Licence.] | |
57 | */ | |
f1fd4544 BM |
58 | /* ==================================================================== |
59 | * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. | |
60 | * | |
61 | * Redistribution and use in source and binary forms, with or without | |
62 | * modification, are permitted provided that the following conditions | |
63 | * are met: | |
64 | * | |
65 | * 1. Redistributions of source code must retain the above copyright | |
66 | * notice, this list of conditions and the following disclaimer. | |
67 | * | |
68 | * 2. Redistributions in binary form must reproduce the above copyright | |
69 | * notice, this list of conditions and the following disclaimer in | |
70 | * the documentation and/or other materials provided with the | |
71 | * distribution. | |
72 | * | |
73 | * 3. All advertising materials mentioning features or use of this | |
74 | * software must display the following acknowledgment: | |
75 | * "This product includes software developed by the OpenSSL Project | |
76 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
77 | * | |
78 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
79 | * endorse or promote products derived from this software without | |
80 | * prior written permission. For written permission, please contact | |
81 | * openssl-core@openssl.org. | |
82 | * | |
83 | * 5. Products derived from this software may not be called "OpenSSL" | |
84 | * nor may "OpenSSL" appear in their names without prior written | |
85 | * permission of the OpenSSL Project. | |
86 | * | |
87 | * 6. Redistributions of any form whatsoever must retain the following | |
88 | * acknowledgment: | |
89 | * "This product includes software developed by the OpenSSL Project | |
90 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
91 | * | |
92 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
93 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
94 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
95 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
96 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
97 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
98 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
99 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
101 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
102 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
103 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
104 | * ==================================================================== | |
105 | * | |
106 | * This product includes cryptographic software written by Eric Young | |
107 | * (eay@cryptsoft.com). This product includes software written by Tim | |
108 | * Hudson (tjh@cryptsoft.com). | |
109 | * | |
110 | */ | |
58964a49 RE |
111 | |
112 | #include <stdio.h> | |
ec577822 | 113 | #include <openssl/objects.h> |
58964a49 RE |
114 | #include "ssl_locl.h" |
115 | ||
9d1a01be | 116 | const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT; |
58964a49 | 117 | |
f3b656b2 | 118 | SSL3_ENC_METHOD TLSv1_enc_data={ |
58964a49 RE |
119 | tls1_enc, |
120 | tls1_mac, | |
121 | tls1_setup_key_block, | |
122 | tls1_generate_master_secret, | |
123 | tls1_change_cipher_state, | |
124 | tls1_final_finish_mac, | |
125 | TLS1_FINISH_MAC_LENGTH, | |
126 | tls1_cert_verify_mac, | |
127 | TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, | |
128 | TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, | |
129 | tls1_alert_code, | |
130 | }; | |
131 | ||
f3b656b2 | 132 | long tls1_default_timeout(void) |
58964a49 RE |
133 | { |
134 | /* 2 hours, the 24 hours mentioned in the TLSv1 spec | |
135 | * is way too long for http, the cache would over fill */ | |
136 | return(60*60*2); | |
137 | } | |
138 | ||
6b691a5c | 139 | int tls1_new(SSL *s) |
58964a49 RE |
140 | { |
141 | if (!ssl3_new(s)) return(0); | |
142 | s->method->ssl_clear(s); | |
143 | return(1); | |
144 | } | |
145 | ||
6b691a5c | 146 | void tls1_free(SSL *s) |
58964a49 RE |
147 | { |
148 | ssl3_free(s); | |
149 | } | |
150 | ||
6b691a5c | 151 | void tls1_clear(SSL *s) |
58964a49 RE |
152 | { |
153 | ssl3_clear(s); | |
154 | s->version=TLS1_VERSION; | |
155 | } | |
156 | ||
f1fd4544 | 157 | |
ed3883d2 | 158 | #ifndef OPENSSL_NO_TLSEXT |
f1fd4544 BM |
159 | unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) |
160 | { | |
ed3883d2 BM |
161 | int extdatalen=0; |
162 | unsigned char *ret = p; | |
163 | ||
164 | ret+=2; | |
165 | ||
166 | if (ret>=limit) return NULL; /* this really never occurs, but ... */ | |
f1fd4544 BM |
167 | if (s->servername_done == 0 && s->tlsext_hostname != NULL) |
168 | { | |
ed3883d2 BM |
169 | /* Add TLS extension servername to the Client Hello message */ |
170 | unsigned long size_str; | |
171 | long lenmax; | |
172 | ||
173 | if ((lenmax = limit - p - 7) < 0) return NULL; | |
174 | if ((size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) return NULL; | |
f1fd4544 | 175 | |
ed3883d2 BM |
176 | s2n(TLSEXT_TYPE_server_name,ret); |
177 | s2n(size_str+3,ret); | |
f1fd4544 | 178 | *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; |
ed3883d2 BM |
179 | s2n(size_str,ret); |
180 | ||
181 | memcpy(ret, s->tlsext_hostname, size_str); | |
182 | ret+=size_str; | |
f1fd4544 | 183 | } |
36ca4ba6 BM |
184 | #ifndef OPENSSL_NO_EC |
185 | if (s->tlsext_ecpointformatlist != NULL) | |
186 | { | |
187 | /* Add TLS extension ECPointFormats to the ClientHello message */ | |
188 | long lenmax; | |
189 | ||
190 | if ((lenmax = limit - p - 5) < 0) return NULL; | |
191 | if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; | |
019fdc78 BM |
192 | if (s->tlsext_ecpointformatlist_length > 255) |
193 | { | |
194 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); | |
195 | return NULL; | |
196 | } | |
36ca4ba6 BM |
197 | |
198 | s2n(TLSEXT_TYPE_ec_point_formats,ret); | |
199 | s2n(s->tlsext_ecpointformatlist_length + 1,ret); | |
200 | *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; | |
201 | memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); | |
202 | ret+=s->tlsext_ecpointformatlist_length; | |
203 | } | |
33273721 BM |
204 | if (s->tlsext_ellipticcurvelist != NULL) |
205 | { | |
206 | /* Add TLS extension EllipticCurves to the ClientHello message */ | |
207 | long lenmax; | |
208 | ||
209 | if ((lenmax = limit - p - 5) < 0) return NULL; | |
210 | if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; | |
211 | if (s->tlsext_ellipticcurvelist_length > 255) | |
212 | { | |
213 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); | |
214 | return NULL; | |
215 | } | |
216 | ||
217 | s2n(TLSEXT_TYPE_elliptic_curves,ret); | |
218 | s2n(s->tlsext_ellipticcurvelist_length + 2,ret); | |
219 | *(ret++) = (unsigned char) ((s->tlsext_ellipticcurvelist_length >> 8) & 0xFF); | |
220 | *(ret++) = (unsigned char) (s->tlsext_ellipticcurvelist_length & 0xFF); | |
221 | memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); | |
222 | ret+=s->tlsext_ellipticcurvelist_length; | |
223 | } | |
36ca4ba6 | 224 | #endif /* OPENSSL_NO_EC */ |
d3442bc7 | 225 | |
ed3883d2 BM |
226 | if ((extdatalen = ret-p-2)== 0) |
227 | return p; | |
228 | ||
229 | s2n(extdatalen,p); | |
230 | return ret; | |
ed3883d2 BM |
231 | } |
232 | ||
f1fd4544 BM |
233 | unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) |
234 | { | |
ed3883d2 BM |
235 | int extdatalen=0; |
236 | unsigned char *ret = p; | |
ed3883d2 | 237 | |
a13c20f6 | 238 | ret+=2; |
ed3883d2 BM |
239 | if (ret>=limit) return NULL; /* this really never occurs, but ... */ |
240 | ||
a13c20f6 | 241 | if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) |
f1fd4544 | 242 | { |
ed3883d2 BM |
243 | if (limit - p - 4 < 0) return NULL; |
244 | ||
245 | s2n(TLSEXT_TYPE_server_name,ret); | |
246 | s2n(0,ret); | |
f1fd4544 | 247 | } |
36ca4ba6 BM |
248 | #ifndef OPENSSL_NO_EC |
249 | if (s->tlsext_ecpointformatlist != NULL) | |
250 | { | |
251 | /* Add TLS extension ECPointFormats to the ServerHello message */ | |
252 | long lenmax; | |
253 | ||
254 | if ((lenmax = limit - p - 5) < 0) return NULL; | |
255 | if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; | |
019fdc78 BM |
256 | if (s->tlsext_ecpointformatlist_length > 255) |
257 | { | |
258 | SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); | |
259 | return NULL; | |
260 | } | |
36ca4ba6 BM |
261 | |
262 | s2n(TLSEXT_TYPE_ec_point_formats,ret); | |
263 | s2n(s->tlsext_ecpointformatlist_length + 1,ret); | |
264 | *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; | |
265 | memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); | |
266 | ret+=s->tlsext_ecpointformatlist_length; | |
267 | } | |
33273721 | 268 | /* Currently the server should not respond with a SupportedCurves extension */ |
36ca4ba6 | 269 | #endif /* OPENSSL_NO_EC */ |
ed3883d2 BM |
270 | |
271 | if ((extdatalen = ret-p-2)== 0) | |
272 | return p; | |
273 | ||
274 | s2n(extdatalen,p); | |
275 | return ret; | |
ed3883d2 BM |
276 | } |
277 | ||
f1fd4544 BM |
278 | int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) |
279 | { | |
ed3883d2 BM |
280 | unsigned short type; |
281 | unsigned short size; | |
282 | unsigned short len; | |
f1fd4544 | 283 | unsigned char *data = *p; |
a13c20f6 BM |
284 | #if 0 |
285 | fprintf(stderr,"ssl_parse_clienthello_tlsext %s\n",s->session->tlsext_hostname?s->session->tlsext_hostname:"NULL"); | |
286 | #endif | |
287 | s->servername_done = 0; | |
ed3883d2 BM |
288 | |
289 | if (data >= (d+n-2)) | |
f1fd4544 | 290 | return 1; |
ed3883d2 BM |
291 | n2s(data,len); |
292 | ||
293 | if (data > (d+n-len)) | |
f1fd4544 | 294 | return 1; |
ed3883d2 | 295 | |
f1fd4544 BM |
296 | while (data <= (d+n-4)) |
297 | { | |
ed3883d2 BM |
298 | n2s(data,type); |
299 | n2s(data,size); | |
300 | ||
301 | if (data+size > (d+n)) | |
f1fd4544 BM |
302 | return 1; |
303 | ||
a13c20f6 BM |
304 | /* The servername extension is treated as follows: |
305 | ||
306 | - Only the hostname type is supported with a maximum length of 255. | |
307 | - The servername is rejected if too long or if it contains zeros, | |
308 | in which case an fatal alert is generated. | |
309 | - The servername field is maintained together with the session cache. | |
310 | - When a session is resumed, the servername call back invoked in order | |
311 | to allow the application to position itself to the right context. | |
312 | - The servername is acknowledged if it is new for a session or when | |
313 | it is identical to a previously used for the same session. | |
314 | Applications can control the behaviour. They can at any time | |
315 | set a 'desirable' servername for a new SSL object. This can be the | |
316 | case for example with HTTPS when a Host: header field is received and | |
317 | a renegotiation is requested. In this case, a possible servername | |
318 | presented in the new client hello is only acknowledged if it matches | |
319 | the value of the Host: field. | |
320 | - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | |
321 | if they provide for changing an explicit servername context for the session, | |
322 | i.e. when the session has been established with a servername extension. | |
323 | - On session reconnect, the servername extension may be absent. | |
324 | ||
325 | */ | |
326 | ||
f1fd4544 BM |
327 | if (type == TLSEXT_TYPE_server_name) |
328 | { | |
ed3883d2 BM |
329 | unsigned char *sdata = data; |
330 | int servname_type; | |
331 | int dsize = size-3 ; | |
332 | ||
f1fd4544 BM |
333 | if (dsize > 0 ) |
334 | { | |
ed3883d2 BM |
335 | servname_type = *(sdata++); |
336 | n2s(sdata,len); | |
337 | if (len != dsize) | |
f1fd4544 BM |
338 | { |
339 | *al = SSL_AD_DECODE_ERROR; | |
340 | return 0; | |
341 | } | |
ed3883d2 | 342 | |
f1fd4544 BM |
343 | switch (servname_type) |
344 | { | |
345 | case TLSEXT_NAMETYPE_host_name: | |
346 | if (s->session->tlsext_hostname == NULL) | |
347 | { | |
a13c20f6 | 348 | if (len > TLSEXT_MAXLEN_host_name || |
ed3883d2 | 349 | ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) |
f1fd4544 BM |
350 | { |
351 | *al = TLS1_AD_UNRECOGNIZED_NAME; | |
352 | return 0; | |
353 | } | |
ed3883d2 | 354 | memcpy(s->session->tlsext_hostname, sdata, len); |
a13c20f6 BM |
355 | s->session->tlsext_hostname[len]='\0'; |
356 | if (strlen(s->session->tlsext_hostname) != len) { | |
357 | OPENSSL_free(s->session->tlsext_hostname); | |
358 | *al = TLS1_AD_UNRECOGNIZED_NAME; | |
359 | return 0; | |
f1fd4544 | 360 | } |
a13c20f6 BM |
361 | s->servername_done = 1; |
362 | ||
363 | #if 0 | |
364 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_hostname %s\n",s->session->tlsext_hostname); | |
365 | #endif | |
366 | } | |
367 | else | |
368 | s->servername_done = strlen(s->session->tlsext_hostname) == len | |
6b9e941e | 369 | && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; |
a13c20f6 | 370 | |
ed3883d2 | 371 | break; |
f1fd4544 | 372 | |
ed3883d2 BM |
373 | default: |
374 | break; | |
f1fd4544 | 375 | } |
ed3883d2 | 376 | |
f1fd4544 | 377 | } |
ed3883d2 | 378 | } |
ed3883d2 | 379 | |
36ca4ba6 BM |
380 | #ifndef OPENSSL_NO_EC |
381 | else if (type == TLSEXT_TYPE_ec_point_formats) | |
382 | { | |
383 | unsigned char *sdata = data; | |
384 | int ecpointformatlist_length = *(sdata++); | |
36ca4ba6 BM |
385 | |
386 | if (ecpointformatlist_length != size - 1) | |
387 | { | |
388 | *al = TLS1_AD_DECODE_ERROR; | |
389 | return 0; | |
390 | } | |
391 | s->session->tlsext_ecpointformatlist_length = 0; | |
b6acb8d0 | 392 | if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); |
36ca4ba6 BM |
393 | if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) |
394 | { | |
395 | *al = TLS1_AD_INTERNAL_ERROR; | |
396 | return 0; | |
397 | } | |
398 | s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; | |
399 | memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); | |
400 | #if 0 | |
401 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); | |
402 | sdata = s->session->tlsext_ecpointformatlist; | |
403 | for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) | |
404 | fprintf(stderr,"%i ",*(sdata++)); | |
405 | fprintf(stderr,"\n"); | |
33273721 BM |
406 | #endif |
407 | } | |
408 | else if (type == TLSEXT_TYPE_elliptic_curves) | |
409 | { | |
410 | unsigned char *sdata = data; | |
411 | int ellipticcurvelist_length = (*(sdata++) << 8); | |
412 | ellipticcurvelist_length += (*(sdata++)); | |
413 | ||
414 | if (ellipticcurvelist_length != size - 2) | |
415 | { | |
416 | *al = TLS1_AD_DECODE_ERROR; | |
417 | return 0; | |
418 | } | |
419 | s->session->tlsext_ellipticcurvelist_length = 0; | |
420 | if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist); | |
421 | if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) | |
422 | { | |
423 | *al = TLS1_AD_INTERNAL_ERROR; | |
424 | return 0; | |
425 | } | |
426 | s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; | |
427 | memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); | |
428 | #if 0 | |
429 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); | |
430 | sdata = s->session->tlsext_ellipticcurvelist; | |
431 | for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) | |
432 | fprintf(stderr,"%i ",*(sdata++)); | |
433 | fprintf(stderr,"\n"); | |
36ca4ba6 BM |
434 | #endif |
435 | } | |
c6a27f01 | 436 | #endif /* OPENSSL_NO_EC */ |
ed3883d2 | 437 | data+=size; |
f1fd4544 | 438 | } |
ed3883d2 | 439 | |
f1fd4544 BM |
440 | *p = data; |
441 | return 1; | |
ed3883d2 | 442 | } |
f1fd4544 BM |
443 | |
444 | int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) | |
445 | { | |
ed3883d2 BM |
446 | unsigned short type; |
447 | unsigned short size; | |
448 | unsigned short len; | |
449 | unsigned char *data = *p; | |
450 | ||
451 | int tlsext_servername = 0; | |
452 | ||
453 | if (data >= (d+n-2)) | |
f1fd4544 | 454 | return 1; |
ed3883d2 BM |
455 | |
456 | n2s(data,len); | |
457 | ||
f1fd4544 BM |
458 | while(data <= (d+n-4)) |
459 | { | |
ed3883d2 BM |
460 | n2s(data,type); |
461 | n2s(data,size); | |
462 | ||
463 | if (data+size > (d+n)) | |
f1fd4544 BM |
464 | return 1; |
465 | ||
466 | if (type == TLSEXT_TYPE_server_name) | |
467 | { | |
468 | if (s->tlsext_hostname == NULL || size > 0) | |
469 | { | |
470 | *al = TLS1_AD_UNRECOGNIZED_NAME; | |
471 | return 0; | |
472 | } | |
ed3883d2 | 473 | tlsext_servername = 1; |
f1fd4544 | 474 | } |
ed3883d2 | 475 | |
36ca4ba6 BM |
476 | #ifndef OPENSSL_NO_EC |
477 | else if (type == TLSEXT_TYPE_ec_point_formats) | |
478 | { | |
479 | unsigned char *sdata = data; | |
480 | int ecpointformatlist_length = *(sdata++); | |
36ca4ba6 BM |
481 | |
482 | if (ecpointformatlist_length != size - 1) | |
483 | { | |
484 | *al = TLS1_AD_DECODE_ERROR; | |
485 | return 0; | |
486 | } | |
487 | s->session->tlsext_ecpointformatlist_length = 0; | |
b6acb8d0 | 488 | if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); |
36ca4ba6 BM |
489 | if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) |
490 | { | |
491 | *al = TLS1_AD_INTERNAL_ERROR; | |
492 | return 0; | |
493 | } | |
494 | s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; | |
495 | memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); | |
496 | #if 0 | |
497 | fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); | |
498 | sdata = s->session->tlsext_ecpointformatlist; | |
499 | for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) | |
500 | fprintf(stderr,"%i ",*(sdata++)); | |
501 | fprintf(stderr,"\n"); | |
502 | #endif | |
503 | } | |
c6a27f01 | 504 | #endif /* OPENSSL_NO_EC */ |
ed3883d2 | 505 | data+=size; |
f1fd4544 | 506 | } |
ed3883d2 BM |
507 | |
508 | if (data != d+n) | |
f1fd4544 BM |
509 | { |
510 | *al = SSL_AD_DECODE_ERROR; | |
511 | return 0; | |
512 | } | |
ed3883d2 | 513 | |
f1fd4544 BM |
514 | if (!s->hit && tlsext_servername == 1) |
515 | { | |
516 | if (s->tlsext_hostname) | |
517 | { | |
518 | if (s->session->tlsext_hostname == NULL) | |
519 | { | |
ed3883d2 BM |
520 | s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); |
521 | if (!s->session->tlsext_hostname) | |
f1fd4544 BM |
522 | { |
523 | *al = SSL_AD_UNRECOGNIZED_NAME; | |
524 | return 0; | |
525 | } | |
526 | } | |
527 | else | |
528 | { | |
529 | *al = SSL_AD_DECODE_ERROR; | |
530 | return 0; | |
531 | } | |
ed3883d2 | 532 | } |
f1fd4544 | 533 | } |
ed3883d2 | 534 | |
f1fd4544 BM |
535 | *p = data; |
536 | return 1; | |
ed3883d2 BM |
537 | } |
538 | ||
36ca4ba6 BM |
539 | int ssl_prepare_clienthello_tlsext(SSL *s) |
540 | { | |
541 | #ifndef OPENSSL_NO_EC | |
33273721 BM |
542 | /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats |
543 | * and elliptic curves we support. | |
36ca4ba6 BM |
544 | */ |
545 | int using_ecc = 0; | |
546 | int i; | |
33273721 | 547 | unsigned char *j; |
36ca4ba6 BM |
548 | int algs; |
549 | STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); | |
550 | for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) | |
551 | { | |
552 | algs = (sk_SSL_CIPHER_value(cipher_stack, i))->algorithms; | |
553 | if ((algs & SSL_kECDH) || (algs & SSL_kECDHE) || (algs & SSL_aECDSA)) | |
554 | { | |
555 | using_ecc = 1; | |
556 | break; | |
557 | } | |
558 | ||
559 | } | |
560 | using_ecc = using_ecc && (s->version == TLS1_VERSION); | |
561 | if (using_ecc) | |
562 | { | |
b6acb8d0 BM |
563 | if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); |
564 | if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) | |
36ca4ba6 BM |
565 | { |
566 | SSLerr(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); | |
567 | return -1; | |
568 | } | |
b6acb8d0 BM |
569 | s->tlsext_ecpointformatlist_length = 3; |
570 | s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; | |
571 | s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; | |
572 | s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; | |
33273721 BM |
573 | /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ |
574 | if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); | |
575 | if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(50)) == NULL) | |
576 | { | |
577 | SSLerr(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); | |
578 | return -1; | |
579 | } | |
580 | s->tlsext_ellipticcurvelist_length = 50; | |
581 | for (i = 1, j = s->tlsext_ellipticcurvelist; i <= 25; i++) | |
582 | { | |
583 | *(j++) = 0x00; | |
584 | *(j++) = i; | |
585 | } | |
36ca4ba6 BM |
586 | } |
587 | #endif /* OPENSSL_NO_EC */ | |
588 | return 1; | |
589 | } | |
590 | ||
591 | int ssl_prepare_serverhello_tlsext(SSL *s) | |
592 | { | |
593 | #ifndef OPENSSL_NO_EC | |
b6acb8d0 | 594 | /* If we are server and using an ECC cipher suite, send the point formats we support |
33273721 BM |
595 | * if the client sent us an ECPointsFormat extension. Note that the server is not |
596 | * supposed to send an EllipticCurves extension. | |
36ca4ba6 | 597 | */ |
36ca4ba6 BM |
598 | int algs = s->s3->tmp.new_cipher->algorithms; |
599 | int using_ecc = (algs & SSL_kECDH) || (algs & SSL_kECDHE) || (algs & SSL_aECDSA); | |
600 | using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); | |
601 | ||
602 | if (using_ecc) | |
603 | { | |
b6acb8d0 BM |
604 | if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); |
605 | if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) | |
36ca4ba6 BM |
606 | { |
607 | SSLerr(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); | |
608 | return -1; | |
609 | } | |
b6acb8d0 BM |
610 | s->tlsext_ecpointformatlist_length = 3; |
611 | s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; | |
612 | s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; | |
613 | s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; | |
36ca4ba6 BM |
614 | } |
615 | #endif /* OPENSSL_NO_EC */ | |
616 | return 1; | |
617 | } | |
618 | ||
619 | int ssl_check_clienthello_tlsext(SSL *s) | |
f1fd4544 | 620 | { |
241520e6 | 621 | int ret=SSL_TLSEXT_ERR_NOACK; |
36ca4ba6 BM |
622 | int al = SSL_AD_UNRECOGNIZED_NAME; |
623 | ||
624 | #ifndef OPENSSL_NO_EC | |
33273721 BM |
625 | /* The handling of the ECPointFormats extension is done elsewhere, namely in |
626 | * ssl3_choose_cipher in s3_lib.c. | |
627 | */ | |
628 | /* The handling of the EllipticCurves extension is done elsewhere, namely in | |
629 | * ssl3_choose_cipher in s3_lib.c. | |
36ca4ba6 BM |
630 | */ |
631 | #endif | |
632 | ||
633 | if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) | |
634 | ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); | |
635 | else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) | |
636 | ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); | |
637 | ||
638 | switch (ret) { | |
639 | case SSL_TLSEXT_ERR_ALERT_FATAL: | |
640 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
641 | return -1; | |
642 | ||
643 | case SSL_TLSEXT_ERR_ALERT_WARNING: | |
644 | ssl3_send_alert(s,SSL3_AL_WARNING,al); | |
645 | return 1; | |
646 | ||
647 | case SSL_TLSEXT_ERR_NOACK: | |
648 | s->servername_done=0; | |
649 | default: | |
650 | return 1; | |
651 | } | |
652 | } | |
f1fd4544 | 653 | |
36ca4ba6 BM |
654 | int ssl_check_serverhello_tlsext(SSL *s) |
655 | { | |
656 | int ret=SSL_TLSEXT_ERR_NOACK; | |
58ece833 | 657 | int al = SSL_AD_UNRECOGNIZED_NAME; |
241520e6 | 658 | |
36ca4ba6 BM |
659 | #ifndef OPENSSL_NO_EC |
660 | /* If we are client and using an elliptic curve cryptography cipher suite, then server | |
661 | * must return a an EC point formats lists containing uncompressed. | |
662 | */ | |
663 | int algs = s->s3->tmp.new_cipher->algorithms; | |
664 | if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && | |
665 | ((algs & SSL_kECDH) || (algs & SSL_kECDHE) || (algs & SSL_aECDSA))) | |
666 | { | |
667 | /* we are using an ECC cipher */ | |
90bdfd97 | 668 | size_t i; |
36ca4ba6 BM |
669 | unsigned char *list; |
670 | int found_uncompressed = 0; | |
a4ff3925 | 671 | if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0)) |
36ca4ba6 BM |
672 | { |
673 | SSLerr(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); | |
674 | return -1; | |
675 | } | |
b9865f11 | 676 | list = s->session->tlsext_ecpointformatlist; |
36ca4ba6 BM |
677 | for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) |
678 | { | |
679 | if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) | |
680 | { | |
681 | found_uncompressed = 1; | |
682 | break; | |
683 | } | |
684 | } | |
685 | if (!found_uncompressed) | |
686 | { | |
687 | SSLerr(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); | |
688 | return -1; | |
689 | } | |
690 | } | |
691 | ret = SSL_TLSEXT_ERR_OK; | |
692 | #endif /* OPENSSL_NO_EC */ | |
693 | ||
241520e6 | 694 | if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) |
58ece833 | 695 | ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); |
241520e6 | 696 | else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) |
58ece833 | 697 | ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); |
241520e6 | 698 | |
58ece833 BM |
699 | switch (ret) { |
700 | case SSL_TLSEXT_ERR_ALERT_FATAL: | |
701 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
702 | return -1; | |
703 | ||
704 | case SSL_TLSEXT_ERR_ALERT_WARNING: | |
705 | ssl3_send_alert(s,SSL3_AL_WARNING,al); | |
706 | return 1; | |
707 | ||
708 | case SSL_TLSEXT_ERR_NOACK: | |
709 | s->servername_done=0; | |
710 | default: | |
711 | return 1; | |
f1fd4544 | 712 | } |
58ece833 | 713 | } |
58964a49 | 714 | #endif |
33273721 BM |
715 | |
716 | #ifndef OPENSSL_NO_EC | |
717 | int tls1_ec_curve_id2nid(int curve_id) | |
718 | { | |
719 | /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ | |
720 | static int nid_list[26] = | |
721 | { | |
722 | 0, | |
723 | NID_sect163k1, /* sect163k1 (1) */ | |
724 | NID_sect163r1, /* sect163r1 (2) */ | |
725 | NID_sect163r2, /* sect163r2 (3) */ | |
726 | NID_sect193r1, /* sect193r1 (4) */ | |
727 | NID_sect193r2, /* sect193r2 (5) */ | |
728 | NID_sect233k1, /* sect233k1 (6) */ | |
729 | NID_sect233r1, /* sect233r1 (7) */ | |
730 | NID_sect239k1, /* sect239k1 (8) */ | |
731 | NID_sect283k1, /* sect283k1 (9) */ | |
732 | NID_sect283r1, /* sect283r1 (10) */ | |
733 | NID_sect409k1, /* sect409k1 (11) */ | |
734 | NID_sect409r1, /* sect409r1 (12) */ | |
735 | NID_sect571k1, /* sect571k1 (13) */ | |
736 | NID_sect571r1, /* sect571r1 (14) */ | |
737 | NID_secp160k1, /* secp160k1 (15) */ | |
738 | NID_secp160r1, /* secp160r1 (16) */ | |
739 | NID_secp160r2, /* secp160r2 (17) */ | |
740 | NID_secp192k1, /* secp192k1 (18) */ | |
741 | NID_X9_62_prime192v1, /* secp192r1 (19) */ | |
742 | NID_secp224k1, /* secp224k1 (20) */ | |
743 | NID_secp224r1, /* secp224r1 (21) */ | |
744 | NID_secp256k1, /* secp256k1 (22) */ | |
745 | NID_X9_62_prime256v1, /* secp256r1 (23) */ | |
746 | NID_secp384r1, /* secp384r1 (24) */ | |
747 | NID_secp521r1 /* secp521r1 (25) */ | |
748 | }; | |
749 | ||
750 | if ((curve_id < 1) || (curve_id > 25)) return 0; | |
751 | ||
752 | return nid_list[curve_id]; | |
753 | } | |
754 | ||
755 | int tls1_ec_nid2curve_id(int nid) | |
756 | { | |
757 | /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ | |
758 | switch (nid) { | |
759 | case NID_sect163k1: /* sect163k1 (1) */ | |
760 | return 1; | |
761 | case NID_sect163r1: /* sect163r1 (2) */ | |
762 | return 2; | |
763 | case NID_sect163r2: /* sect163r2 (3) */ | |
764 | return 3; | |
765 | case NID_sect193r1: /* sect193r1 (4) */ | |
766 | return 4; | |
767 | case NID_sect193r2: /* sect193r2 (5) */ | |
768 | return 5; | |
769 | case NID_sect233k1: /* sect233k1 (6) */ | |
770 | return 6; | |
771 | case NID_sect233r1: /* sect233r1 (7) */ | |
772 | return 7; | |
773 | case NID_sect239k1: /* sect239k1 (8) */ | |
774 | return 8; | |
775 | case NID_sect283k1: /* sect283k1 (9) */ | |
776 | return 9; | |
777 | case NID_sect283r1: /* sect283r1 (10) */ | |
778 | return 10; | |
779 | case NID_sect409k1: /* sect409k1 (11) */ | |
780 | return 11; | |
781 | case NID_sect409r1: /* sect409r1 (12) */ | |
782 | return 12; | |
783 | case NID_sect571k1: /* sect571k1 (13) */ | |
784 | return 13; | |
785 | case NID_sect571r1: /* sect571r1 (14) */ | |
786 | return 14; | |
787 | case NID_secp160k1: /* secp160k1 (15) */ | |
788 | return 15; | |
789 | case NID_secp160r1: /* secp160r1 (16) */ | |
790 | return 16; | |
791 | case NID_secp160r2: /* secp160r2 (17) */ | |
792 | return 17; | |
793 | case NID_secp192k1: /* secp192k1 (18) */ | |
794 | return 18; | |
795 | case NID_X9_62_prime192v1: /* secp192r1 (19) */ | |
796 | return 19; | |
797 | case NID_secp224k1: /* secp224k1 (20) */ | |
798 | return 20; | |
799 | case NID_secp224r1: /* secp224r1 (21) */ | |
800 | return 21; | |
801 | case NID_secp256k1: /* secp256k1 (22) */ | |
802 | return 22; | |
803 | case NID_X9_62_prime256v1: /* secp256r1 (23) */ | |
804 | return 23; | |
805 | case NID_secp384r1: /* secp384r1 (24) */ | |
806 | return 24; | |
807 | case NID_secp521r1: /* secp521r1 (25) */ | |
808 | return 25; | |
809 | default: | |
810 | return 0; | |
811 | } | |
812 | } | |
813 | #endif /* OPENSSL_NO_EC */ |