]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
PR: 2533
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
f1fd4544 58/* ====================================================================
52b8dad8 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58964a49
RE		 111
112#include <stdio.h>
ec577822 113#include <openssl/objects.h>
6434abbf
DSH		 114#include <openssl/evp.h>
115#include <openssl/hmac.h>
67c8e7f4 116#include <openssl/ocsp.h>
58964a49
RE		 117#include "ssl_locl.h"
118
42182852 119const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
58964a49 120
367eb1f1 121#ifndef OPENSSL_NO_TLSEXT
6434abbf
DSH		 122static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 const unsigned char *sess_id, int sesslen,
124 SSL_SESSION **psess);
367eb1f1 125#endif
6434abbf 126
f3b656b2 127SSL3_ENC_METHOD TLSv1_enc_data={
58964a49
RE		 128 tls1_enc,
129 tls1_mac,
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138 tls1_alert_code,
139 };
140
f3b656b2 141long tls1_default_timeout(void)
58964a49
RE		 142 {
143 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144 * is way too long for http, the cache would over fill */
145 return(60*60*2);
146 }
147
6b691a5c 148int tls1_new(SSL *s)
58964a49
RE		 149 {
150 if (!ssl3_new(s)) return(0);
151 s->method->ssl_clear(s);
152 return(1);
153 }
154
6b691a5c 155void tls1_free(SSL *s)
58964a49 156 {
12bf56c0
DSH		 157#ifndef OPENSSL_NO_TLSEXT
158 if (s->tlsext_session_ticket)
159 {
160 OPENSSL_free(s->tlsext_session_ticket);
161 }
162#endif /* OPENSSL_NO_TLSEXT */
58964a49
RE		 163 ssl3_free(s);
164 }
165
6b691a5c 166void tls1_clear(SSL *s)
58964a49
RE		 167 {
168 ssl3_clear(s);
637f374a 169 s->version = s->method->version;
58964a49
RE		 170 }
171
525de5d3
DSH		 172#ifndef OPENSSL_NO_EC
173static int nid_list[] =
174 {
175 NID_sect163k1, /* sect163k1 (1) */
176 NID_sect163r1, /* sect163r1 (2) */
177 NID_sect163r2, /* sect163r2 (3) */
178 NID_sect193r1, /* sect193r1 (4) */
179 NID_sect193r2, /* sect193r2 (5) */
180 NID_sect233k1, /* sect233k1 (6) */
181 NID_sect233r1, /* sect233r1 (7) */
182 NID_sect239k1, /* sect239k1 (8) */
183 NID_sect283k1, /* sect283k1 (9) */
184 NID_sect283r1, /* sect283r1 (10) */
185 NID_sect409k1, /* sect409k1 (11) */
186 NID_sect409r1, /* sect409r1 (12) */
187 NID_sect571k1, /* sect571k1 (13) */
188 NID_sect571r1, /* sect571r1 (14) */
189 NID_secp160k1, /* secp160k1 (15) */
190 NID_secp160r1, /* secp160r1 (16) */
191 NID_secp160r2, /* secp160r2 (17) */
192 NID_secp192k1, /* secp192k1 (18) */
193 NID_X9_62_prime192v1, /* secp192r1 (19) */
194 NID_secp224k1, /* secp224k1 (20) */
195 NID_secp224r1, /* secp224r1 (21) */
196 NID_secp256k1, /* secp256k1 (22) */
197 NID_X9_62_prime256v1, /* secp256r1 (23) */
198 NID_secp384r1, /* secp384r1 (24) */
199 NID_secp521r1 /* secp521r1 (25) */
200 };
201
202int tls1_ec_curve_id2nid(int curve_id)
203 {
204 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
1e26a8ba
GT		 205 if ((curve_id < 1) || ((unsigned int)curve_id >
206 sizeof(nid_list)/sizeof(nid_list[0])))
207 return 0;
525de5d3
DSH		 208 return nid_list[curve_id-1];
209 }
210
211int tls1_ec_nid2curve_id(int nid)
212 {
213 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
214 switch (nid)
215 {
216 case NID_sect163k1: /* sect163k1 (1) */
217 return 1;
218 case NID_sect163r1: /* sect163r1 (2) */
219 return 2;
220 case NID_sect163r2: /* sect163r2 (3) */
221 return 3;
222 case NID_sect193r1: /* sect193r1 (4) */
223 return 4;
224 case NID_sect193r2: /* sect193r2 (5) */
225 return 5;
226 case NID_sect233k1: /* sect233k1 (6) */
227 return 6;
228 case NID_sect233r1: /* sect233r1 (7) */
229 return 7;
230 case NID_sect239k1: /* sect239k1 (8) */
231 return 8;
232 case NID_sect283k1: /* sect283k1 (9) */
233 return 9;
234 case NID_sect283r1: /* sect283r1 (10) */
235 return 10;
236 case NID_sect409k1: /* sect409k1 (11) */
237 return 11;
238 case NID_sect409r1: /* sect409r1 (12) */
239 return 12;
240 case NID_sect571k1: /* sect571k1 (13) */
241 return 13;
242 case NID_sect571r1: /* sect571r1 (14) */
243 return 14;
244 case NID_secp160k1: /* secp160k1 (15) */
245 return 15;
246 case NID_secp160r1: /* secp160r1 (16) */
247 return 16;
248 case NID_secp160r2: /* secp160r2 (17) */
249 return 17;
250 case NID_secp192k1: /* secp192k1 (18) */
251 return 18;
252 case NID_X9_62_prime192v1: /* secp192r1 (19) */
253 return 19;
254 case NID_secp224k1: /* secp224k1 (20) */
255 return 20;
256 case NID_secp224r1: /* secp224r1 (21) */
257 return 21;
258 case NID_secp256k1: /* secp256k1 (22) */
259 return 22;
260 case NID_X9_62_prime256v1: /* secp256r1 (23) */
261 return 23;
262 case NID_secp384r1: /* secp384r1 (24) */
263 return 24;
264 case NID_secp521r1: /* secp521r1 (25) */
265 return 25;
266 default:
267 return 0;
268 }
269 }
270#endif /* OPENSSL_NO_EC */
f1fd4544 271
ed3883d2 272#ifndef OPENSSL_NO_TLSEXT
fc101f88
DSH		 273
274/* List of supported signature algorithms and hashes. Should make this
275 * customisable at some point, for now include everything we support.
276 */
277
278#ifdef OPENSSL_NO_RSA
279#define tlsext_sigalg_rsa(md) /* */
280#else
281#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
282#endif
283
284#ifdef OPENSSL_NO_DSA
285#define tlsext_sigalg_dsa(md) /* */
286#else
287#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
288#endif
289
290#ifdef OPENSSL_NO_ECDSA
291#define tlsext_sigalg_ecdsa(md) /* */
292#else
293#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_dsa,
294#endif
295
296#define tlsext_sigalg(md) \
297 tlsext_sigalg_rsa(md) \
298 tlsext_sigalg_dsa(md) \
299 tlsext_sigalg_ecdsa(md)
300
301static unsigned char tls12_sigalgs[] = {
302#ifndef OPENSSL_NO_SHA512
303 tlsext_sigalg(TLSEXT_hash_sha512)
304 tlsext_sigalg(TLSEXT_hash_sha384)
305#endif
306#ifndef OPENSSL_NO_SHA256
307 tlsext_sigalg(TLSEXT_hash_sha256)
308 tlsext_sigalg(TLSEXT_hash_sha224)
309#endif
310#ifndef OPENSSL_NO_SHA
311 tlsext_sigalg(TLSEXT_hash_sha1)
312#endif
313#ifndef OPENSSL_NO_MD5
314 tlsext_sigalg_rsa(TLSEXT_hash_md5)
315#endif
316};
317
f37f20ff
DSH		 318int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
319 {
320 if (p)
321 memcpy(p, tls12_sigalgs, sizeof(tls12_sigalgs));
322 return (int)sizeof(tls12_sigalgs);
323 }
fc101f88 324
f1fd4544
BM		 325unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
326 {
ed3883d2
BM		 327 int extdatalen=0;
328 unsigned char *ret = p;
329
13f6d57b
DSH		 330 /* don't add extensions for SSLv3 unless doing secure renegotiation */
331 if (s->client_version == SSL3_VERSION
332 && !s->s3->send_connection_binding)
5f8f94a6
DSH		 333 return p;
334
ed3883d2
BM		 335 ret+=2;
336
337 if (ret>=limit) return NULL; /* this really never occurs, but ... */
6434abbf 338
a70183bc 339 if (s->tlsext_hostname != NULL)
f1fd4544 340 {
ed3883d2
BM		 341 /* Add TLS extension servername to the Client Hello message */
342 unsigned long size_str;
343 long lenmax;
344
a70183bc 345 /* check for enough space.
52b8dad8
BM		 346 4 for the servername type and entension length
347 2 for servernamelist length
348 1 for the hostname type
349 2 for hostname length
350 + hostname length
a70183bc 351 */
52b8dad8 352
761772d7
BM		 353 if ((lenmax = limit - ret - 9) < 0
354 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
a70183bc
BM		 355 return NULL;
356
357 /* extension type and length */
358 s2n(TLSEXT_TYPE_server_name,ret);
359 s2n(size_str+5,ret);
f1fd4544 360
a70183bc 361 /* length of servername list */
ed3883d2 362 s2n(size_str+3,ret);
a70183bc
BM		 363
364 /* hostname type, length and hostname */
f1fd4544 365 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
ed3883d2 366 s2n(size_str,ret);
ed3883d2
BM		 367 memcpy(ret, s->tlsext_hostname, size_str);
368 ret+=size_str;
f1fd4544 369 }
761772d7 370
423c66f1 371 /* Add RI if renegotiating */
bdd53508 372 if (s->renegotiate)
423c66f1 373 {
860c3dd1
DSH		 374 int el;
375
376 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
377 {
378 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
379 return NULL;
380 }
381
382 if((limit - p - 4 - el) < 0) return NULL;
383
384 s2n(TLSEXT_TYPE_renegotiate,ret);
385 s2n(el,ret);
386
387 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
388 {
389 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
390 return NULL;
391 }
392
393 ret += el;
394 }
395
edc032b5
BL		 396#ifndef OPENSSL_NO_SRP
397#define MIN(x,y) (((x)<(y))?(x):(y))
398 /* we add SRP username the first time only if we have one! */
399 if (s->srp_ctx.login != NULL)
400 {/* Add TLS extension SRP username to the Client Hello message */
401 int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
402 long lenmax;
403
404 if ((lenmax = limit - ret - 5) < 0) return NULL;
405 if (login_len > lenmax) return NULL;
406 if (login_len > 255)
407 {
408 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
409 return NULL;
410 }
411 s2n(TLSEXT_TYPE_srp,ret);
412 s2n(login_len+1,ret);
413
414 (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
415 memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
416 ret+=login_len;
417 }
418#endif
419
36ca4ba6 420#ifndef OPENSSL_NO_EC
8025e251
DSH		 421 if (s->tlsext_ecpointformatlist != NULL &&
422 s->version != DTLS1_VERSION)
36ca4ba6
BM		 423 {
424 /* Add TLS extension ECPointFormats to the ClientHello message */
425 long lenmax;
426
761772d7 427 if ((lenmax = limit - ret - 5) < 0) return NULL;
36ca4ba6 428 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
019fdc78
BM		 429 if (s->tlsext_ecpointformatlist_length > 255)
430 {
431 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
432 return NULL;
433 }
36ca4ba6
BM		 434
435 s2n(TLSEXT_TYPE_ec_point_formats,ret);
436 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
437 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
438 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
439 ret+=s->tlsext_ecpointformatlist_length;
440 }
8025e251
DSH		 441 if (s->tlsext_ellipticcurvelist != NULL &&
442 s->version != DTLS1_VERSION)
33273721
BM		 443 {
444 /* Add TLS extension EllipticCurves to the ClientHello message */
445 long lenmax;
446
761772d7 447 if ((lenmax = limit - ret - 6) < 0) return NULL;
33273721 448 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
a4974de9 449 if (s->tlsext_ellipticcurvelist_length > 65532)
33273721
BM		 450 {
451 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
452 return NULL;
453 }
454
455 s2n(TLSEXT_TYPE_elliptic_curves,ret);
a123c552 456 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
a4974de9
BM		 457
458 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
459 * elliptic_curve_list, but the examples use two bytes.
460 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
461 * resolves this to two bytes.
462 */
a123c552 463 s2n(s->tlsext_ellipticcurvelist_length, ret);
33273721
BM		 464 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
465 ret+=s->tlsext_ellipticcurvelist_length;
466 }
36ca4ba6 467#endif /* OPENSSL_NO_EC */
d3442bc7 468
6434abbf
DSH		 469 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
470 {
471 int ticklen;
7ba3838a 472 if (!s->new_session && s->session && s->session->tlsext_tick)
6434abbf 473 ticklen = s->session->tlsext_ticklen;
12bf56c0
DSH		 474 else if (s->session && s->tlsext_session_ticket &&
475 s->tlsext_session_ticket->data)
476 {
477 ticklen = s->tlsext_session_ticket->length;
478 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
479 if (!s->session->tlsext_tick)
480 return NULL;
481 memcpy(s->session->tlsext_tick,
482 s->tlsext_session_ticket->data,
483 ticklen);
484 s->session->tlsext_ticklen = ticklen;
485 }
6434abbf
DSH		 486 else
487 ticklen = 0;
12bf56c0
DSH		 488 if (ticklen == 0 && s->tlsext_session_ticket &&
489 s->tlsext_session_ticket->data == NULL)
490 goto skip_ext;
6434abbf
DSH		 491 /* Check for enough room 2 for extension type, 2 for len
492 * rest for ticket
493 */
761772d7 494 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
6434abbf
DSH		 495 s2n(TLSEXT_TYPE_session_ticket,ret);
496 s2n(ticklen,ret);
497 if (ticklen)
498 {
499 memcpy(ret, s->session->tlsext_tick, ticklen);
500 ret += ticklen;
501 }
502 }
12bf56c0 503 skip_ext:
6434abbf 504
238b6361 505 if (TLS1_get_version(s) >= TLS1_2_VERSION)
a2f9200f 506 {
fc101f88 507 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
a2f9200f
DSH		 508 return NULL;
509 s2n(TLSEXT_TYPE_signature_algorithms,ret);
fc101f88
DSH		 510 s2n(sizeof(tls12_sigalgs) + 2, ret);
511 s2n(sizeof(tls12_sigalgs), ret);
512 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
513 ret += sizeof(tls12_sigalgs);
a2f9200f
DSH		 514 }
515
761772d7 516#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 517 if (s->s3->client_opaque_prf_input != NULL &&
518 s->version != DTLS1_VERSION)
761772d7
BM		 519 {
520 size_t col = s->s3->client_opaque_prf_input_len;
521
522 if ((long)(limit - ret - 6 - col < 0))
523 return NULL;
524 if (col > 0xFFFD) /* can't happen */
525 return NULL;
526
527 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
528 s2n(col + 2, ret);
529 s2n(col, ret);
530 memcpy(ret, s->s3->client_opaque_prf_input, col);
531 ret += col;
532 }
533#endif
534
8025e251
DSH		 535 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
536 s->version != DTLS1_VERSION)
67c8e7f4
DSH		 537 {
538 int i;
539 long extlen, idlen, itmp;
540 OCSP_RESPID *id;
541
542 idlen = 0;
543 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
544 {
545 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
546 itmp = i2d_OCSP_RESPID(id, NULL);
547 if (itmp <= 0)
548 return NULL;
549 idlen += itmp + 2;
550 }
551
552 if (s->tlsext_ocsp_exts)
553 {
554 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
555 if (extlen < 0)
556 return NULL;
557 }
558 else
559 extlen = 0;
560
561 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
562 s2n(TLSEXT_TYPE_status_request, ret);
563 if (extlen + idlen > 0xFFF0)
564 return NULL;
565 s2n(extlen + idlen + 5, ret);
566 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
567 s2n(idlen, ret);
568 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
569 {
570 /* save position of id len */
571 unsigned char *q = ret;
572 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
573 /* skip over id len */
574 ret += 2;
575 itmp = i2d_OCSP_RESPID(id, &ret);
576 /* write id len */
577 s2n(itmp, q);
578 }
579 s2n(extlen, ret);
580 if (extlen > 0)
581 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
582 }
583
bf48836c 584#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 585 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
586 {
587 /* The client advertises an emtpy extension to indicate its
588 * support for Next Protocol Negotiation */
589 if (limit - ret - 4 < 0)
590 return NULL;
591 s2n(TLSEXT_TYPE_next_proto_neg,ret);
592 s2n(0,ret);
593 }
594#endif
595
ed3883d2
BM		 596 if ((extdatalen = ret-p-2)== 0)
597 return p;
598
599 s2n(extdatalen,p);
600 return ret;
52b8dad8 601 }
ed3883d2 602
f1fd4544
BM		 603unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
604 {
ed3883d2
BM		 605 int extdatalen=0;
606 unsigned char *ret = p;
bf48836c
BL		 607#ifndef OPENSSL_NO_NEXTPROTONEG
608 int next_proto_neg_seen;
ee2ffc27 609#endif
ed3883d2 610
13f6d57b
DSH		 611 /* don't add extensions for SSLv3, unless doing secure renegotiation */
612 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
5f8f94a6
DSH		 613 return p;
614
a13c20f6 615 ret+=2;
ed3883d2
BM		 616 if (ret>=limit) return NULL; /* this really never occurs, but ... */
617
a13c20f6 618 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
f1fd4544 619 {
761772d7 620 if ((long)(limit - ret - 4) < 0) return NULL;
ed3883d2
BM		 621
622 s2n(TLSEXT_TYPE_server_name,ret);
623 s2n(0,ret);
f1fd4544 624 }
860c3dd1 625
8025e251 626 if(s->s3->send_connection_binding)
860c3dd1
DSH		 627 {
628 int el;
629
630 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
631 {
632 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
633 return NULL;
634 }
635
636 if((limit - p - 4 - el) < 0) return NULL;
637
638 s2n(TLSEXT_TYPE_renegotiate,ret);
639 s2n(el,ret);
640
641 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
642 {
643 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
644 return NULL;
645 }
646
647 ret += el;
648 }
649
36ca4ba6 650#ifndef OPENSSL_NO_EC
8025e251
DSH		 651 if (s->tlsext_ecpointformatlist != NULL &&
652 s->version != DTLS1_VERSION)
36ca4ba6
BM		 653 {
654 /* Add TLS extension ECPointFormats to the ServerHello message */
655 long lenmax;
656
761772d7 657 if ((lenmax = limit - ret - 5) < 0) return NULL;
36ca4ba6 658 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
019fdc78
BM		 659 if (s->tlsext_ecpointformatlist_length > 255)
660 {
661 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
662 return NULL;
663 }
36ca4ba6
BM		 664
665 s2n(TLSEXT_TYPE_ec_point_formats,ret);
666 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
667 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
668 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
669 ret+=s->tlsext_ecpointformatlist_length;
a70183bc 670
36ca4ba6 671 }
33273721 672 /* Currently the server should not respond with a SupportedCurves extension */
36ca4ba6 673#endif /* OPENSSL_NO_EC */
67c8e7f4 674
6434abbf
DSH		 675 if (s->tlsext_ticket_expected
676 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
677 {
761772d7 678 if ((long)(limit - ret - 4) < 0) return NULL;
6434abbf
DSH		 679 s2n(TLSEXT_TYPE_session_ticket,ret);
680 s2n(0,ret);
681 }
761772d7 682
67c8e7f4
DSH		 683 if (s->tlsext_status_expected)
684 {
685 if ((long)(limit - ret - 4) < 0) return NULL;
686 s2n(TLSEXT_TYPE_status_request,ret);
687 s2n(0,ret);
688 }
689
761772d7 690#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 691 if (s->s3->server_opaque_prf_input != NULL &&
692 s->version != DTLS1_VERSION)
761772d7
BM		 693 {
694 size_t sol = s->s3->server_opaque_prf_input_len;
6434abbf 695
761772d7
BM		 696 if ((long)(limit - ret - 6 - sol) < 0)
697 return NULL;
698 if (sol > 0xFFFD) /* can't happen */
699 return NULL;
700
701 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
702 s2n(sol + 2, ret);
703 s2n(sol, ret);
704 memcpy(ret, s->s3->server_opaque_prf_input, sol);
705 ret += sol;
706 }
707#endif
0e1dba93
DSH		 708 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
709 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
710 { const unsigned char cryptopro_ext[36] = {
711 0xfd, 0xe8, /*65000*/
712 0x00, 0x20, /*32 bytes length*/
713 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
714 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
715 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
716 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
717 if (limit-ret<36) return NULL;
718 memcpy(ret,cryptopro_ext,36);
719 ret+=36;
720
721 }
761772d7 722
bf48836c 723#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 724 next_proto_neg_seen = s->s3->next_proto_neg_seen;
725 s->s3->next_proto_neg_seen = 0;
726 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
727 {
728 const unsigned char *npa;
729 unsigned int npalen;
730 int r;
731
732 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
733 if (r == SSL_TLSEXT_ERR_OK)
734 {
735 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
736 s2n(TLSEXT_TYPE_next_proto_neg,ret);
737 s2n(npalen,ret);
738 memcpy(ret, npa, npalen);
739 ret += npalen;
740 s->s3->next_proto_neg_seen = 1;
741 }
742 }
743#endif
744
ed3883d2
BM		 745 if ((extdatalen = ret-p-2)== 0)
746 return p;
747
748 s2n(extdatalen,p);
749 return ret;
52b8dad8 750 }
ed3883d2 751
f1fd4544
BM		 752int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
753 {
ed3883d2
BM		 754 unsigned short type;
755 unsigned short size;
756 unsigned short len;
f1fd4544 757 unsigned char *data = *p;
860c3dd1 758 int renegotiate_seen = 0;
6b7be581 759 int sigalg_seen = 0;
860c3dd1 760
a13c20f6 761 s->servername_done = 0;
67c8e7f4 762 s->tlsext_status_type = -1;
ed3883d2
BM		 763
764 if (data >= (d+n-2))
c27c9cb4 765 goto ri_check;
ed3883d2
BM		 766 n2s(data,len);
767
52b8dad8 768 if (data > (d+n-len))
c27c9cb4 769 goto ri_check;
ed3883d2 770
f1fd4544
BM		 771 while (data <= (d+n-4))
772 {
ed3883d2
BM		 773 n2s(data,type);
774 n2s(data,size);
775
776 if (data+size > (d+n))
c27c9cb4 777 goto ri_check;
8e3b2dbb 778#if 0
0e1dba93 779 fprintf(stderr,"Received extension type %d size %d\n",type,size);
8e3b2dbb 780#endif
6434abbf
DSH		 781 if (s->tlsext_debug_cb)
782 s->tlsext_debug_cb(s, 0, type, data, size,
783 s->tlsext_debug_arg);
a13c20f6
BM		 784/* The servername extension is treated as follows:
785
786 - Only the hostname type is supported with a maximum length of 255.
787 - The servername is rejected if too long or if it contains zeros,
788 in which case an fatal alert is generated.
789 - The servername field is maintained together with the session cache.
790 - When a session is resumed, the servername call back invoked in order
791 to allow the application to position itself to the right context.
792 - The servername is acknowledged if it is new for a session or when
793 it is identical to a previously used for the same session.
794 Applications can control the behaviour. They can at any time
795 set a 'desirable' servername for a new SSL object. This can be the
796 case for example with HTTPS when a Host: header field is received and
797 a renegotiation is requested. In this case, a possible servername
798 presented in the new client hello is only acknowledged if it matches
799 the value of the Host: field.
800 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
801 if they provide for changing an explicit servername context for the session,
802 i.e. when the session has been established with a servername extension.
803 - On session reconnect, the servername extension may be absent.
804
805*/
806
f1fd4544
BM		 807 if (type == TLSEXT_TYPE_server_name)
808 {
a70183bc 809 unsigned char *sdata;
ed3883d2 810 int servname_type;
a70183bc
BM		 811 int dsize;
812
813 if (size < 2)
814 {
815 *al = SSL_AD_DECODE_ERROR;
816 return 0;
817 }
818 n2s(data,dsize);
52b8dad8 819 size -= 2;
a70183bc 820 if (dsize > size )
f1fd4544 821 {
a70183bc
BM		 822 *al = SSL_AD_DECODE_ERROR;
823 return 0;
824 }
825
826 sdata = data;
827 while (dsize > 3)
828 {
829 servname_type = *(sdata++);
ed3883d2 830 n2s(sdata,len);
a70183bc
BM		 831 dsize -= 3;
832
833 if (len > dsize)
f1fd4544
BM		 834 {
835 *al = SSL_AD_DECODE_ERROR;
836 return 0;
837 }
a70183bc 838 if (s->servername_done == 0)
f1fd4544
BM		 839 switch (servname_type)
840 {
841 case TLSEXT_NAMETYPE_host_name:
732d31be 842 if (!s->hit)
f1fd4544 843 {
732d31be
DSH		 844 if(s->session->tlsext_hostname)
845 {
846 *al = SSL_AD_DECODE_ERROR;
847 return 0;
848 }
849 if (len > TLSEXT_MAXLEN_host_name)
f1fd4544
BM		 850 {
851 *al = TLS1_AD_UNRECOGNIZED_NAME;
852 return 0;
853 }
732d31be
DSH		 854 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
855 {
856 *al = TLS1_AD_INTERNAL_ERROR;
857 return 0;
858 }
ed3883d2 859 memcpy(s->session->tlsext_hostname, sdata, len);
a13c20f6
BM		 860 s->session->tlsext_hostname[len]='\0';
861 if (strlen(s->session->tlsext_hostname) != len) {
862 OPENSSL_free(s->session->tlsext_hostname);
40a70628 863 s->session->tlsext_hostname = NULL;
a13c20f6
BM		 864 *al = TLS1_AD_UNRECOGNIZED_NAME;
865 return 0;
f1fd4544 866 }
a13c20f6
BM		 867 s->servername_done = 1;
868
a13c20f6
BM		 869 }
870 else
732d31be
DSH		 871 s->servername_done = s->session->tlsext_hostname
872 && strlen(s->session->tlsext_hostname) == len
6b9e941e 873 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
a13c20f6 874
ed3883d2 875 break;
f1fd4544 876
ed3883d2
BM		 877 default:
878 break;
f1fd4544 879 }
52b8dad8 880
a70183bc 881 dsize -= len;
f1fd4544 882 }
a70183bc
BM		 883 if (dsize != 0)
884 {
885 *al = SSL_AD_DECODE_ERROR;
886 return 0;
887 }
888
ed3883d2 889 }
edc032b5
BL		 890#ifndef OPENSSL_NO_SRP
891 else if (type == TLSEXT_TYPE_srp)
892 {
893 if (size > 0)
894 {
895 len = data[0];
896 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
897 return -1;
898 memcpy(s->srp_ctx.login, &data[1], len);
899 s->srp_ctx.login[len]='\0';
900 }
901 }
902#endif
ed3883d2 903
36ca4ba6 904#ifndef OPENSSL_NO_EC
8025e251
DSH		 905 else if (type == TLSEXT_TYPE_ec_point_formats &&
906 s->version != DTLS1_VERSION)
36ca4ba6
BM		 907 {
908 unsigned char *sdata = data;
909 int ecpointformatlist_length = *(sdata++);
36ca4ba6
BM		 910
911 if (ecpointformatlist_length != size - 1)
912 {
913 *al = TLS1_AD_DECODE_ERROR;
914 return 0;
915 }
732d31be 916 if (!s->hit)
36ca4ba6 917 {
732d31be
DSH		 918 if(s->session->tlsext_ecpointformatlist)
919 {
7d5686d3
DSH		 920 OPENSSL_free(s->session->tlsext_ecpointformatlist);
921 s->session->tlsext_ecpointformatlist = NULL;
732d31be
DSH		 922 }
923 s->session->tlsext_ecpointformatlist_length = 0;
924 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
925 {
926 *al = TLS1_AD_INTERNAL_ERROR;
927 return 0;
928 }
929 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
930 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
36ca4ba6 931 }
36ca4ba6
BM		 932#if 0
933 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
934 sdata = s->session->tlsext_ecpointformatlist;
935 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
936 fprintf(stderr,"%i ",*(sdata++));
937 fprintf(stderr,"\n");
33273721
BM		 938#endif
939 }
8025e251
DSH		 940 else if (type == TLSEXT_TYPE_elliptic_curves &&
941 s->version != DTLS1_VERSION)
33273721
BM		 942 {
943 unsigned char *sdata = data;
944 int ellipticcurvelist_length = (*(sdata++) << 8);
945 ellipticcurvelist_length += (*(sdata++));
946
947 if (ellipticcurvelist_length != size - 2)
948 {
949 *al = TLS1_AD_DECODE_ERROR;
950 return 0;
951 }
732d31be 952 if (!s->hit)
33273721 953 {
732d31be
DSH		 954 if(s->session->tlsext_ellipticcurvelist)
955 {
956 *al = TLS1_AD_DECODE_ERROR;
957 return 0;
958 }
959 s->session->tlsext_ellipticcurvelist_length = 0;
960 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
961 {
962 *al = TLS1_AD_INTERNAL_ERROR;
963 return 0;
964 }
965 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
966 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
33273721 967 }
33273721
BM		 968#if 0
969 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
970 sdata = s->session->tlsext_ellipticcurvelist;
971 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
972 fprintf(stderr,"%i ",*(sdata++));
973 fprintf(stderr,"\n");
36ca4ba6
BM		 974#endif
975 }
c6a27f01 976#endif /* OPENSSL_NO_EC */
761772d7 977#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 978 else if (type == TLSEXT_TYPE_opaque_prf_input &&
979 s->version != DTLS1_VERSION)
761772d7
BM		 980 {
981 unsigned char *sdata = data;
982
983 if (size < 2)
984 {
985 *al = SSL_AD_DECODE_ERROR;
986 return 0;
987 }
988 n2s(sdata, s->s3->client_opaque_prf_input_len);
989 if (s->s3->client_opaque_prf_input_len != size - 2)
990 {
991 *al = SSL_AD_DECODE_ERROR;
992 return 0;
993 }
994
995 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
996 OPENSSL_free(s->s3->client_opaque_prf_input);
02c27b11
BM		 997 if (s->s3->client_opaque_prf_input_len == 0)
998 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
999 else
1000 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
761772d7
BM		 1001 if (s->s3->client_opaque_prf_input == NULL)
1002 {
1003 *al = TLS1_AD_INTERNAL_ERROR;
1004 return 0;
1005 }
1006 }
1007#endif
12bf56c0
DSH		 1008 else if (type == TLSEXT_TYPE_session_ticket)
1009 {
1010 if (s->tls_session_ticket_ext_cb &&
1011 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1012 {
1013 *al = TLS1_AD_INTERNAL_ERROR;
1014 return 0;
1015 }
1016 }
860c3dd1
DSH		 1017 else if (type == TLSEXT_TYPE_renegotiate)
1018 {
1019 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1020 return 0;
1021 renegotiate_seen = 1;
1022 }
6b7be581
DSH		 1023 else if (type == TLSEXT_TYPE_signature_algorithms)
1024 {
1025 int dsize;
1026 if (sigalg_seen || size < 2)
1027 {
1028 *al = SSL_AD_DECODE_ERROR;
1029 return 0;
1030 }
1031 sigalg_seen = 1;
1032 n2s(data,dsize);
1033 size -= 2;
1034 if (dsize != size || dsize & 1)
1035 {
1036 *al = SSL_AD_DECODE_ERROR;
1037 return 0;
1038 }
1039 if (!tls1_process_sigalgs(s, data, dsize))
1040 {
1041 *al = SSL_AD_DECODE_ERROR;
1042 return 0;
1043 }
1044 }
8025e251
DSH		 1045 else if (type == TLSEXT_TYPE_status_request &&
1046 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
67c8e7f4
DSH		 1047 {
1048
1049 if (size < 5)
1050 {
1051 *al = SSL_AD_DECODE_ERROR;
1052 return 0;
1053 }
1054
1055 s->tlsext_status_type = *data++;
1056 size--;
1057 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1058 {
1059 const unsigned char *sdata;
1060 int dsize;
1061 /* Read in responder_id_list */
1062 n2s(data,dsize);
1063 size -= 2;
1064 if (dsize > size )
1065 {
1066 *al = SSL_AD_DECODE_ERROR;
1067 return 0;
1068 }
1069 while (dsize > 0)
1070 {
1071 OCSP_RESPID *id;
1072 int idsize;
1073 if (dsize < 4)
1074 {
1075 *al = SSL_AD_DECODE_ERROR;
1076 return 0;
1077 }
1078 n2s(data, idsize);
1079 dsize -= 2 + idsize;
9770924f 1080 size -= 2 + idsize;
67c8e7f4
DSH		 1081 if (dsize < 0)
1082 {
1083 *al = SSL_AD_DECODE_ERROR;
1084 return 0;
1085 }
1086 sdata = data;
1087 data += idsize;
1088 id = d2i_OCSP_RESPID(NULL,
1089 &sdata, idsize);
1090 if (!id)
1091 {
1092 *al = SSL_AD_DECODE_ERROR;
1093 return 0;
1094 }
1095 if (data != sdata)
1096 {
1097 OCSP_RESPID_free(id);
1098 *al = SSL_AD_DECODE_ERROR;
1099 return 0;
1100 }
1101 if (!s->tlsext_ocsp_ids
1102 && !(s->tlsext_ocsp_ids =
1103 sk_OCSP_RESPID_new_null()))
1104 {
1105 OCSP_RESPID_free(id);
1106 *al = SSL_AD_INTERNAL_ERROR;
1107 return 0;
1108 }
1109 if (!sk_OCSP_RESPID_push(
1110 s->tlsext_ocsp_ids, id))
1111 {
1112 OCSP_RESPID_free(id);
1113 *al = SSL_AD_INTERNAL_ERROR;
1114 return 0;
1115 }
1116 }
1117
1118 /* Read in request_extensions */
9770924f
BM		 1119 if (size < 2)
1120 {
1121 *al = SSL_AD_DECODE_ERROR;
1122 return 0;
1123 }
67c8e7f4
DSH		 1124 n2s(data,dsize);
1125 size -= 2;
9770924f 1126 if (dsize != size)
67c8e7f4
DSH		 1127 {
1128 *al = SSL_AD_DECODE_ERROR;
1129 return 0;
1130 }
1131 sdata = data;
1132 if (dsize > 0)
1133 {
1134 s->tlsext_ocsp_exts =
1135 d2i_X509_EXTENSIONS(NULL,
1136 &sdata, dsize);
1137 if (!s->tlsext_ocsp_exts
1138 || (data + dsize != sdata))
1139 {
1140 *al = SSL_AD_DECODE_ERROR;
1141 return 0;
1142 }
1143 }
1144 }
1145 /* We don't know what to do with any other type
1146 * so ignore it.
1147 */
1148 else
1149 s->tlsext_status_type = -1;
1150 }
bf48836c 1151#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1152 else if (type == TLSEXT_TYPE_next_proto_neg &&
1153 s->s3->tmp.finish_md_len == 0)
1154 {
1155 /* We shouldn't accept this extension on a
1156 * renegotiation.
1157 *
1158 * s->new_session will be set on renegotiation, but we
1159 * probably shouldn't rely that it couldn't be set on
1160 * the initial renegotation too in certain cases (when
1161 * there's some other reason to disallow resuming an
1162 * earlier session -- the current code won't be doing
1163 * anything like that, but this might change).
1164
1165 * A valid sign that there's been a previous handshake
1166 * in this connection is if s->s3->tmp.finish_md_len >
1167 * 0. (We are talking about a check that will happen
1168 * in the Hello protocol round, well before a new
1169 * Finished message could have been computed.) */
1170 s->s3->next_proto_neg_seen = 1;
1171 }
1172#endif
761772d7 1173
6434abbf
DSH		 1174 /* session ticket processed earlier */
1175 data+=size;
f1fd4544 1176 }
6434abbf 1177
f1fd4544 1178 *p = data;
c27c9cb4
DSH		 1179
1180 ri_check:
1181
1182 /* Need RI if renegotiating */
1183
bdd53508 1184 if (!renegotiate_seen && s->renegotiate &&
c27c9cb4
DSH		 1185 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1186 {
fbed9f81 1187 *al = SSL_AD_HANDSHAKE_FAILURE;
c27c9cb4
DSH		 1188 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1189 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1190 return 0;
1191 }
1192
f1fd4544 1193 return 1;
52b8dad8 1194 }
f1fd4544 1195
bf48836c 1196#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1197/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1198 * elements of zero length are allowed and the set of elements must exactly fill
1199 * the length of the block. */
bf48836c 1200static int ssl_next_proto_validate(unsigned char *d, unsigned len)
ee2ffc27
BL		 1201 {
1202 unsigned int off = 0;
1203
1204 while (off < len)
1205 {
1206 if (d[off] == 0)
1207 return 0;
1208 off += d[off];
1209 off++;
1210 }
1211
1212 return off == len;
1213 }
1214#endif
1215
f1fd4544
BM		 1216int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1217 {
c8bbd98a 1218 unsigned short length;
ed3883d2
BM		 1219 unsigned short type;
1220 unsigned short size;
ed3883d2 1221 unsigned char *data = *p;
ed3883d2 1222 int tlsext_servername = 0;
860c3dd1 1223 int renegotiate_seen = 0;
ed3883d2
BM		 1224
1225 if (data >= (d+n-2))
c27c9cb4 1226 goto ri_check;
ed3883d2 1227
c8bbd98a
BL		 1228 n2s(data,length);
1229 if (data+length != d+n)
1230 {
1231 *al = SSL_AD_DECODE_ERROR;
1232 return 0;
1233 }
ed3883d2 1234
f1fd4544
BM		 1235 while(data <= (d+n-4))
1236 {
ed3883d2
BM		 1237 n2s(data,type);
1238 n2s(data,size);
1239
1240 if (data+size > (d+n))
c27c9cb4 1241 goto ri_check;
f1fd4544 1242
6434abbf
DSH		 1243 if (s->tlsext_debug_cb)
1244 s->tlsext_debug_cb(s, 1, type, data, size,
1245 s->tlsext_debug_arg);
1246
f1fd4544
BM		 1247 if (type == TLSEXT_TYPE_server_name)
1248 {
1249 if (s->tlsext_hostname == NULL || size > 0)
1250 {
1251 *al = TLS1_AD_UNRECOGNIZED_NAME;
1252 return 0;
1253 }
ed3883d2 1254 tlsext_servername = 1;
f1fd4544 1255 }
ed3883d2 1256
36ca4ba6 1257#ifndef OPENSSL_NO_EC
8025e251
DSH		 1258 else if (type == TLSEXT_TYPE_ec_point_formats &&
1259 s->version != DTLS1_VERSION)
36ca4ba6
BM		 1260 {
1261 unsigned char *sdata = data;
1262 int ecpointformatlist_length = *(sdata++);
36ca4ba6
BM		 1263
1264 if (ecpointformatlist_length != size - 1)
1265 {
1266 *al = TLS1_AD_DECODE_ERROR;
1267 return 0;
1268 }
1269 s->session->tlsext_ecpointformatlist_length = 0;
b6acb8d0 1270 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
36ca4ba6
BM		 1271 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1272 {
1273 *al = TLS1_AD_INTERNAL_ERROR;
1274 return 0;
1275 }
1276 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1277 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1278#if 0
1279 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1280 sdata = s->session->tlsext_ecpointformatlist;
1281 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1282 fprintf(stderr,"%i ",*(sdata++));
1283 fprintf(stderr,"\n");
1284#endif
1285 }
c6a27f01 1286#endif /* OPENSSL_NO_EC */
6434abbf
DSH		 1287
1288 else if (type == TLSEXT_TYPE_session_ticket)
1289 {
12bf56c0
DSH		 1290 if (s->tls_session_ticket_ext_cb &&
1291 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1292 {
1293 *al = TLS1_AD_INTERNAL_ERROR;
1294 return 0;
1295 }
6434abbf
DSH		 1296 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1297 || (size > 0))
1298 {
1299 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1300 return 0;
1301 }
1302 s->tlsext_ticket_expected = 1;
1303 }
761772d7 1304#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 1305 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1306 s->version != DTLS1_VERSION)
761772d7
BM		 1307 {
1308 unsigned char *sdata = data;
1309
1310 if (size < 2)
1311 {
1312 *al = SSL_AD_DECODE_ERROR;
1313 return 0;
1314 }
1315 n2s(sdata, s->s3->server_opaque_prf_input_len);
1316 if (s->s3->server_opaque_prf_input_len != size - 2)
1317 {
1318 *al = SSL_AD_DECODE_ERROR;
1319 return 0;
1320 }
1321
1322 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1323 OPENSSL_free(s->s3->server_opaque_prf_input);
02c27b11
BM		 1324 if (s->s3->server_opaque_prf_input_len == 0)
1325 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1326 else
1327 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
761772d7
BM		 1328
1329 if (s->s3->server_opaque_prf_input == NULL)
1330 {
1331 *al = TLS1_AD_INTERNAL_ERROR;
1332 return 0;
1333 }
1334 }
1335#endif
8025e251
DSH		 1336 else if (type == TLSEXT_TYPE_status_request &&
1337 s->version != DTLS1_VERSION)
67c8e7f4
DSH		 1338 {
1339 /* MUST be empty and only sent if we've requested
1340 * a status request message.
1341 */
1342 if ((s->tlsext_status_type == -1) || (size > 0))
1343 {
1344 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1345 return 0;
1346 }
1347 /* Set flag to expect CertificateStatus message */
1348 s->tlsext_status_expected = 1;
1349 }
bf48836c 1350#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1351 else if (type == TLSEXT_TYPE_next_proto_neg)
1352 {
1353 unsigned char *selected;
1354 unsigned char selected_len;
1355
1356 /* We must have requested it. */
1357 if ((s->ctx->next_proto_select_cb == NULL))
1358 {
1359 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1360 return 0;
1361 }
1362 /* The data must be valid */
1363 if (!ssl_next_proto_validate(data, size))
1364 {
1365 *al = TLS1_AD_DECODE_ERROR;
1366 return 0;
1367 }
1368 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1369 {
1370 *al = TLS1_AD_INTERNAL_ERROR;
1371 return 0;
1372 }
1373 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1374 if (!s->next_proto_negotiated)
1375 {
1376 *al = TLS1_AD_INTERNAL_ERROR;
1377 return 0;
1378 }
1379 memcpy(s->next_proto_negotiated, selected, selected_len);
1380 s->next_proto_negotiated_len = selected_len;
1381 }
1382#endif
860c3dd1
DSH		 1383 else if (type == TLSEXT_TYPE_renegotiate)
1384 {
1385 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1386 return 0;
1387 renegotiate_seen = 1;
1388 }
ed3883d2 1389 data+=size;
f1fd4544 1390 }
ed3883d2
BM		 1391
1392 if (data != d+n)
f1fd4544
BM		 1393 {
1394 *al = SSL_AD_DECODE_ERROR;
1395 return 0;
1396 }
ed3883d2 1397
f1fd4544
BM		 1398 if (!s->hit && tlsext_servername == 1)
1399 {
1400 if (s->tlsext_hostname)
1401 {
1402 if (s->session->tlsext_hostname == NULL)
1403 {
ed3883d2
BM		 1404 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1405 if (!s->session->tlsext_hostname)
f1fd4544
BM		 1406 {
1407 *al = SSL_AD_UNRECOGNIZED_NAME;
1408 return 0;
1409 }
1410 }
1411 else
1412 {
1413 *al = SSL_AD_DECODE_ERROR;
1414 return 0;
1415 }
ed3883d2 1416 }
f1fd4544 1417 }
ed3883d2 1418
f1fd4544 1419 *p = data;
c27c9cb4
DSH		 1420
1421 ri_check:
1422
1423 /* Determine if we need to see RI. Strictly speaking if we want to
1424 * avoid an attack we should *always* see RI even on initial server
1425 * hello because the client doesn't see any renegotiation during an
1426 * attack. However this would mean we could not connect to any server
1427 * which doesn't support RI so for the immediate future tolerate RI
1428 * absence on initial connect only.
1429 */
c2c49969
DSH		 1430 if (!renegotiate_seen
1431 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
ef51b4b9 1432 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
c27c9cb4 1433 {
fbed9f81 1434 *al = SSL_AD_HANDSHAKE_FAILURE;
c27c9cb4
DSH		 1435 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1436 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1437 return 0;
1438 }
1439
f1fd4544 1440 return 1;
52b8dad8 1441 }
ed3883d2 1442
b2172f4f 1443
36ca4ba6
BM		 1444int ssl_prepare_clienthello_tlsext(SSL *s)
1445 {
1446#ifndef OPENSSL_NO_EC
33273721
BM		 1447 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1448 * and elliptic curves we support.
36ca4ba6
BM		 1449 */
1450 int using_ecc = 0;
1451 int i;
33273721 1452 unsigned char *j;
52b8dad8 1453 unsigned long alg_k, alg_a;
36ca4ba6 1454 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
52b8dad8 1455
36ca4ba6
BM		 1456 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1457 {
52b8dad8
BM		 1458 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1459
1460 alg_k = c->algorithm_mkey;
1461 alg_a = c->algorithm_auth;
1462 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
36ca4ba6
BM		 1463 {
1464 using_ecc = 1;
1465 break;
1466 }
36ca4ba6 1467 }
290be870 1468 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
36ca4ba6
BM		 1469 if (using_ecc)
1470 {
b6acb8d0
BM		 1471 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1472 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
36ca4ba6 1473 {
a291745e 1474 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
36ca4ba6
BM		 1475 return -1;
1476 }
b6acb8d0
BM		 1477 s->tlsext_ecpointformatlist_length = 3;
1478 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1479 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1480 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
b2172f4f 1481
33273721
BM		 1482 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1483 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
b2172f4f
BM		 1484 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1485 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
33273721 1486 {
b2172f4f 1487 s->tlsext_ellipticcurvelist_length = 0;
a291745e 1488 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
33273721
BM		 1489 return -1;
1490 }
1e26a8ba
GT		 1491 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1492 sizeof(nid_list)/sizeof(nid_list[0]); i++)
b2172f4f 1493 s2n(i,j);
36ca4ba6
BM		 1494 }
1495#endif /* OPENSSL_NO_EC */
761772d7
BM		 1496
1497#ifdef TLSEXT_TYPE_opaque_prf_input
1498 {
1499 int r = 1;
1500
1501 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1502 {
1503 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1504 if (!r)
1505 return -1;
1506 }
1507
1508 if (s->tlsext_opaque_prf_input != NULL)
1509 {
1510 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1511 OPENSSL_free(s->s3->client_opaque_prf_input);
1512
02c27b11
BM		 1513 if (s->tlsext_opaque_prf_input_len == 0)
1514 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1515 else
1516 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
761772d7
BM		 1517 if (s->s3->client_opaque_prf_input == NULL)
1518 {
1519 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1520 return -1;
1521 }
1522 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1523 }
1524
1525 if (r == 2)
1526 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1527 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1528 }
1529#endif
1530
36ca4ba6 1531 return 1;
52b8dad8 1532 }
36ca4ba6
BM		 1533
1534int ssl_prepare_serverhello_tlsext(SSL *s)
1535 {
1536#ifndef OPENSSL_NO_EC
b6acb8d0 1537 /* If we are server and using an ECC cipher suite, send the point formats we support
33273721
BM		 1538 * if the client sent us an ECPointsFormat extension. Note that the server is not
1539 * supposed to send an EllipticCurves extension.
36ca4ba6 1540 */
36ca4ba6 1541
52b8dad8
BM		 1542 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1543 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1544 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1545 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1546
36ca4ba6
BM		 1547 if (using_ecc)
1548 {
b6acb8d0
BM		 1549 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1550 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
36ca4ba6 1551 {
a291745e 1552 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
36ca4ba6
BM		 1553 return -1;
1554 }
b6acb8d0
BM		 1555 s->tlsext_ecpointformatlist_length = 3;
1556 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1557 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1558 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
36ca4ba6
BM		 1559 }
1560#endif /* OPENSSL_NO_EC */
761772d7 1561
36ca4ba6 1562 return 1;
52b8dad8 1563 }
36ca4ba6
BM		 1564
1565int ssl_check_clienthello_tlsext(SSL *s)
f1fd4544 1566 {
241520e6 1567 int ret=SSL_TLSEXT_ERR_NOACK;
36ca4ba6
BM		 1568 int al = SSL_AD_UNRECOGNIZED_NAME;
1569
1570#ifndef OPENSSL_NO_EC
33273721
BM		 1571 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1572 * ssl3_choose_cipher in s3_lib.c.
1573 */
1574 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1575 * ssl3_choose_cipher in s3_lib.c.
36ca4ba6
BM		 1576 */
1577#endif
1578
1579 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1580 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1581 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1582 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1583
67c8e7f4
DSH		 1584 /* If status request then ask callback what to do.
1585 * Note: this must be called after servername callbacks in case
1586 * the certificate has changed.
1587 */
2bd45dc9 1588 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
67c8e7f4
DSH		 1589 {
1590 int r;
1591 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1592 switch (r)
1593 {
1594 /* We don't want to send a status request response */
1595 case SSL_TLSEXT_ERR_NOACK:
1596 s->tlsext_status_expected = 0;
1597 break;
1598 /* status request response should be sent */
1599 case SSL_TLSEXT_ERR_OK:
1600 if (s->tlsext_ocsp_resp)
1601 s->tlsext_status_expected = 1;
1602 else
1603 s->tlsext_status_expected = 0;
1604 break;
1605 /* something bad happened */
1606 case SSL_TLSEXT_ERR_ALERT_FATAL:
1607 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1608 al = SSL_AD_INTERNAL_ERROR;
1609 goto err;
1610 }
1611 }
1612 else
1613 s->tlsext_status_expected = 0;
761772d7
BM		 1614
1615#ifdef TLSEXT_TYPE_opaque_prf_input
1616 {
1617 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1618 * but we might be sending an alert in response to the client hello,
1619 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1620
1621 int r = 1;
1622
1623 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1624 {
1625 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1626 if (!r)
1627 {
1628 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1629 al = SSL_AD_INTERNAL_ERROR;
1630 goto err;
1631 }
1632 }
1633
1634 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1635 OPENSSL_free(s->s3->server_opaque_prf_input);
1636 s->s3->server_opaque_prf_input = NULL;
1637
1638 if (s->tlsext_opaque_prf_input != NULL)
1639 {
1640 if (s->s3->client_opaque_prf_input != NULL &&
1641 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1642 {
1643 /* can only use this extension if we have a server opaque PRF input
1644 * of the same length as the client opaque PRF input! */
1645
02c27b11
BM		 1646 if (s->tlsext_opaque_prf_input_len == 0)
1647 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1648 else
1649 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
761772d7
BM		 1650 if (s->s3->server_opaque_prf_input == NULL)
1651 {
1652 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1653 al = SSL_AD_INTERNAL_ERROR;
1654 goto err;
1655 }
1656 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1657 }
1658 }
1659
1660 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1661 {
1662 /* The callback wants to enforce use of the extension,
1663 * but we can't do that with the client opaque PRF input;
1664 * abort the handshake.
1665 */
1666 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1667 al = SSL_AD_HANDSHAKE_FAILURE;
1668 }
1669 }
761772d7 1670
67c8e7f4 1671#endif
761772d7 1672 err:
52b8dad8
BM		 1673 switch (ret)
1674 {
36ca4ba6
BM		 1675 case SSL_TLSEXT_ERR_ALERT_FATAL:
1676 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1677 return -1;
1678
1679 case SSL_TLSEXT_ERR_ALERT_WARNING:
1680 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1681 return 1;
1682
1683 case SSL_TLSEXT_ERR_NOACK:
1684 s->servername_done=0;
1685 default:
1686 return 1;
52b8dad8 1687 }
36ca4ba6 1688 }
f1fd4544 1689
36ca4ba6
BM		 1690int ssl_check_serverhello_tlsext(SSL *s)
1691 {
1692 int ret=SSL_TLSEXT_ERR_NOACK;
58ece833 1693 int al = SSL_AD_UNRECOGNIZED_NAME;
241520e6 1694
36ca4ba6 1695#ifndef OPENSSL_NO_EC
d0205686
DSH		 1696 /* If we are client and using an elliptic curve cryptography cipher
1697 * suite, then if server returns an EC point formats lists extension
1698 * it must contain uncompressed.
36ca4ba6 1699 */
52b8dad8
BM		 1700 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1701 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
36ca4ba6 1702 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
d0205686 1703 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
52b8dad8 1704 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
36ca4ba6
BM		 1705 {
1706 /* we are using an ECC cipher */
90bdfd97 1707 size_t i;
36ca4ba6
BM		 1708 unsigned char *list;
1709 int found_uncompressed = 0;
b9865f11 1710 list = s->session->tlsext_ecpointformatlist;
36ca4ba6
BM		 1711 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1712 {
1713 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1714 {
1715 found_uncompressed = 1;
1716 break;
1717 }
1718 }
1719 if (!found_uncompressed)
1720 {
a291745e 1721 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
36ca4ba6
BM		 1722 return -1;
1723 }
1724 }
1725 ret = SSL_TLSEXT_ERR_OK;
1726#endif /* OPENSSL_NO_EC */
1727
241520e6 1728 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
58ece833 1729 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
241520e6 1730 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
58ece833 1731 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
241520e6 1732
761772d7
BM		 1733#ifdef TLSEXT_TYPE_opaque_prf_input
1734 if (s->s3->server_opaque_prf_input_len > 0)
1735 {
1736 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1737 * So first verify that we really have a value from the server too. */
1738
1739 if (s->s3->server_opaque_prf_input == NULL)
1740 {
1741 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1742 al = SSL_AD_HANDSHAKE_FAILURE;
1743 }
1744
1745 /* Anytime the server *has* sent an opaque PRF input, we need to check
1746 * that we have a client opaque PRF input of the same size. */
1747 if (s->s3->client_opaque_prf_input == NULL ||
1748 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1749 {
1750 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1751 al = SSL_AD_ILLEGAL_PARAMETER;
1752 }
1753 }
1754#endif
1755
04e2ab2c
DSH		 1756 /* If we've requested certificate status and we wont get one
1757 * tell the callback
1758 */
1759 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
121f9e74 1760 && s->ctx && s->ctx->tlsext_status_cb)
04e2ab2c
DSH		 1761 {
1762 int r;
1763 /* Set resp to NULL, resplen to -1 so callback knows
1764 * there is no response.
1765 */
1766 if (s->tlsext_ocsp_resp)
1767 {
1768 OPENSSL_free(s->tlsext_ocsp_resp);
1769 s->tlsext_ocsp_resp = NULL;
1770 }
1771 s->tlsext_ocsp_resplen = -1;
1772 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1773 if (r == 0)
1774 {
1775 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1776 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1777 }
1778 if (r < 0)
1779 {
1780 al = SSL_AD_INTERNAL_ERROR;
1781 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1782 }
1783 }
1784
52b8dad8
BM		 1785 switch (ret)
1786 {
58ece833
BM		 1787 case SSL_TLSEXT_ERR_ALERT_FATAL:
1788 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1789 return -1;
1790
1791 case SSL_TLSEXT_ERR_ALERT_WARNING:
1792 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1793 return 1;
1794
1795 case SSL_TLSEXT_ERR_NOACK:
1796 s->servername_done=0;
1797 default:
1798 return 1;
52b8dad8 1799 }
f1fd4544 1800 }
33273721 1801
6434abbf
DSH		 1802/* Since the server cache lookup is done early on in the processing of client
1803 * hello and other operations depend on the result we need to handle any TLS
1804 * session ticket extension at the same time.
1805 */
1806
1807int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1808 const unsigned char *limit, SSL_SESSION **ret)
1809 {
1810 /* Point after session ID in client hello */
1811 const unsigned char *p = session_id + len;
1812 unsigned short i;
e8da6a1d
DSH		 1813
1814 /* If tickets disabled behave as if no ticket present
1815 * to permit stateful resumption.
1816 */
1817 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1818 return 1;
1819
6434abbf
DSH		 1820 if ((s->version <= SSL3_VERSION) || !limit)
1821 return 1;
1822 if (p >= limit)
1823 return -1;
07a9d1a2
DSH		 1824 /* Skip past DTLS cookie */
1825 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1826 {
1827 i = *(p++);
1828 p+= i;
1829 if (p >= limit)
1830 return -1;
1831 }
6434abbf
DSH		 1832 /* Skip past cipher list */
1833 n2s(p, i);
1834 p+= i;
1835 if (p >= limit)
1836 return -1;
1837 /* Skip past compression algorithm list */
1838 i = *(p++);
1839 p += i;
1840 if (p > limit)
1841 return -1;
1842 /* Now at start of extensions */
1843 if ((p + 2) >= limit)
1844 return 1;
1845 n2s(p, i);
1846 while ((p + 4) <= limit)
1847 {
1848 unsigned short type, size;
1849 n2s(p, type);
1850 n2s(p, size);
1851 if (p + size > limit)
1852 return 1;
1853 if (type == TLSEXT_TYPE_session_ticket)
1854 {
1855 /* If tickets disabled indicate cache miss which will
1856 * trigger a full handshake
1857 */
1858 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
e8da6a1d
DSH		 1859 return 1;
1860 /* If zero length note client will accept a ticket
6434abbf
DSH		 1861 * and indicate cache miss to trigger full handshake
1862 */
1863 if (size == 0)
1864 {
1865 s->tlsext_ticket_expected = 1;
1866 return 0; /* Cache miss */
1867 }
12bf56c0
DSH		 1868 if (s->tls_session_secret_cb)
1869 {
1870 /* Indicate cache miss here and instead of
1871 * generating the session from ticket now,
1872 * trigger abbreviated handshake based on
1873 * external mechanism to calculate the master
1874 * secret later. */
1875 return 0;
1876 }
6434abbf
DSH		 1877 return tls_decrypt_ticket(s, p, size, session_id, len,
1878 ret);
1879 }
1880 p += size;
1881 }
1882 return 1;
1883 }
1884
1885static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1886 const unsigned char *sess_id, int sesslen,
1887 SSL_SESSION **psess)
1888 {
1889 SSL_SESSION *sess;
1890 unsigned char *sdec;
1891 const unsigned char *p;
8a2062fe 1892 int slen, mlen, renew_ticket = 0;
6434abbf
DSH		 1893 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1894 HMAC_CTX hctx;
1895 EVP_CIPHER_CTX ctx;
661dc143 1896 SSL_CTX *tctx = s->initial_ctx;
8a2062fe
DSH		 1897 /* Need at least keyname + iv + some encrypted data */
1898 if (eticklen < 48)
1899 goto tickerr;
1900 /* Initialize session ticket encryption and HMAC contexts */
1901 HMAC_CTX_init(&hctx);
1902 EVP_CIPHER_CTX_init(&ctx);
661dc143 1903 if (tctx->tlsext_ticket_key_cb)
8a2062fe
DSH		 1904 {
1905 unsigned char *nctick = (unsigned char *)etick;
661dc143 1906 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
8a2062fe
DSH		 1907 &ctx, &hctx, 0);
1908 if (rv < 0)
1909 return -1;
1910 if (rv == 0)
1911 goto tickerr;
1912 if (rv == 2)
1913 renew_ticket = 1;
1914 }
1915 else
1916 {
1917 /* Check key name matches */
661dc143 1918 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
8a2062fe 1919 goto tickerr;
661dc143 1920 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
8a2062fe
DSH		 1921 tlsext_tick_md(), NULL);
1922 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
661dc143 1923 tctx->tlsext_tick_aes_key, etick + 16);
8a2062fe 1924 }
6434abbf
DSH		 1925 /* Attempt to process session ticket, first conduct sanity and
1926 * integrity checks on ticket.
1927 */
8a2062fe 1928 mlen = HMAC_size(&hctx);
0eab41fb
BL		 1929 if (mlen < 0)
1930 {
1931 EVP_CIPHER_CTX_cleanup(&ctx);
1932 return -1;
1933 }
6434abbf 1934 eticklen -= mlen;
6434abbf 1935 /* Check HMAC of encrypted ticket */
6434abbf
DSH		 1936 HMAC_Update(&hctx, etick, eticklen);
1937 HMAC_Final(&hctx, tick_hmac, NULL);
1938 HMAC_CTX_cleanup(&hctx);
1939 if (memcmp(tick_hmac, etick + eticklen, mlen))
1940 goto tickerr;
6434abbf 1941 /* Attempt to decrypt session data */
6434abbf 1942 /* Move p after IV to start of encrypted ticket, update length */
8a2062fe
DSH		 1943 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1944 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
6434abbf
DSH		 1945 sdec = OPENSSL_malloc(eticklen);
1946 if (!sdec)
1947 {
1948 EVP_CIPHER_CTX_cleanup(&ctx);
1949 return -1;
1950 }
1951 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1952 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1953 goto tickerr;
6434abbf
DSH		 1954 slen += mlen;
1955 EVP_CIPHER_CTX_cleanup(&ctx);
1956 p = sdec;
1957
1958 sess = d2i_SSL_SESSION(NULL, &p, slen);
1959 OPENSSL_free(sdec);
1960 if (sess)
1961 {
1962 /* The session ID if non-empty is used by some clients to
1963 * detect that the ticket has been accepted. So we copy it to
1964 * the session structure. If it is empty set length to zero
1965 * as required by standard.
1966 */
1967 if (sesslen)
1968 memcpy(sess->session_id, sess_id, sesslen);
1969 sess->session_id_length = sesslen;
1970 *psess = sess;
8a2062fe 1971 s->tlsext_ticket_expected = renew_ticket;
6434abbf
DSH		 1972 return 1;
1973 }
1974 /* If session decrypt failure indicate a cache miss and set state to
1975 * send a new ticket
1976 */
1977 tickerr:
1978 s->tlsext_ticket_expected = 1;
1979 return 0;
1980 }
6434abbf 1981
6b7be581
DSH		 1982/* Tables to translate from NIDs to TLS v1.2 ids */
1983
1984typedef struct
1985 {
1986 int nid;
1987 int id;
1988 } tls12_lookup;
1989
1990static tls12_lookup tls12_md[] = {
1991#ifndef OPENSSL_NO_MD5
1992 {NID_md5, TLSEXT_hash_md5},
1993#endif
1994#ifndef OPENSSL_NO_SHA
1995 {NID_sha1, TLSEXT_hash_sha1},
1996#endif
1997#ifndef OPENSSL_NO_SHA256
1998 {NID_sha224, TLSEXT_hash_sha224},
1999 {NID_sha256, TLSEXT_hash_sha256},
2000#endif
2001#ifndef OPENSSL_NO_SHA512
2002 {NID_sha384, TLSEXT_hash_sha384},
2003 {NID_sha512, TLSEXT_hash_sha512}
2004#endif
2005};
2006
2007static tls12_lookup tls12_sig[] = {
2008#ifndef OPENSSL_NO_RSA
2009 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2010#endif
2011#ifndef OPENSSL_NO_RSA
2012 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2013#endif
2014#ifndef OPENSSL_NO_ECDSA
2015 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2016#endif
2017};
2018
2019static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2020 {
2021 size_t i;
2022 for (i = 0; i < tlen; i++)
2023 {
2024 if (table[i].nid == nid)
2025 return table[i].id;
2026 }
2027 return -1;
2028 }
2029#if 0
2030static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2031 {
2032 size_t i;
2033 for (i = 0; i < tlen; i++)
2034 {
2035 if (table[i].id == id)
2036 return table[i].nid;
2037 }
2038 return -1;
2039 }
2040#endif
a2f9200f
DSH		 2041
2042int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
6b7be581
DSH		 2043 {
2044 int sig_id, md_id;
2045 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2046 sizeof(tls12_md)/sizeof(tls12_lookup));
2047 if (md_id == -1)
2048 return 0;
a2f9200f 2049 sig_id = tls12_get_sigid(pk);
6b7be581
DSH		 2050 if (sig_id == -1)
2051 return 0;
2052 p[0] = (unsigned char)md_id;
2053 p[1] = (unsigned char)sig_id;
2054 return 1;
2055 }
2056
a2f9200f
DSH		 2057int tls12_get_sigid(const EVP_PKEY *pk)
2058 {
2059 return tls12_find_id(pk->type, tls12_sig,
2060 sizeof(tls12_sig)/sizeof(tls12_lookup));
2061 }
2062
2063const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2064 {
2065 switch(hash_alg)
2066 {
2067#ifndef OPENSSL_NO_MD5
2068 case TLSEXT_hash_md5:
2069 return EVP_md5();
2070#endif
2071#ifndef OPENSSL_NO_SHA
2072 case TLSEXT_hash_sha1:
2073 return EVP_sha1();
2074#endif
2075#ifndef OPENSSL_NO_SHA256
2076 case TLSEXT_hash_sha224:
2077 return EVP_sha224();
2078
2079 case TLSEXT_hash_sha256:
2080 return EVP_sha256();
2081#endif
2082#ifndef OPENSSL_NO_SHA512
2083 case TLSEXT_hash_sha384:
2084 return EVP_sha384();
2085
2086 case TLSEXT_hash_sha512:
2087 return EVP_sha512();
2088#endif
2089 default:
2090 return NULL;
2091
2092 }
2093 }
2094
6b7be581
DSH		 2095/* Set preferred digest for each key type */
2096
8f829124 2097int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
6b7be581
DSH		 2098 {
2099 int i, idx;
2100 const EVP_MD *md;
2101 CERT *c = s->cert;
2102 /* Extension ignored for TLS versions below 1.2 */
238b6361 2103 if (TLS1_get_version(s) < TLS1_2_VERSION)
6b7be581 2104 return 1;
8f829124
DSH		 2105 /* Should never happen */
2106 if (!c)
2107 return 0;
6b7be581
DSH		 2108
2109 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2110 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2111 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2112 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2113
2114 for (i = 0; i < dsize; i += 2)
2115 {
2116 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2117
2118 switch(sig_alg)
2119 {
2120#ifndef OPENSSL_NO_RSA
2121 case TLSEXT_signature_rsa:
2122 idx = SSL_PKEY_RSA_SIGN;
2123 break;
2124#endif
2125#ifndef OPENSSL_NO_DSA
2126 case TLSEXT_signature_dsa:
2127 idx = SSL_PKEY_DSA_SIGN;
2128 break;
2129#endif
2130#ifndef OPENSSL_NO_ECDSA
2131 case TLSEXT_signature_ecdsa:
2132 idx = SSL_PKEY_ECC;
2133 break;
2134#endif
2135 default:
2136 continue;
2137 }
2138
a2f9200f 2139 if (c->pkeys[idx].digest == NULL)
6b7be581 2140 {
a2f9200f
DSH		 2141 md = tls12_get_hash(hash_alg);
2142 if (md)
2143 {
2144 c->pkeys[idx].digest = md;
2145 if (idx == SSL_PKEY_RSA_SIGN)
2146 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2147 }
6b7be581
DSH		 2148 }
2149
6b7be581
DSH		 2150 }
2151
8f829124 2152
6b7be581
DSH		 2153 /* Set any remaining keys to default values. NOTE: if alg is not
2154 * supported it stays as NULL.
2155 */
2156#ifndef OPENSSL_NO_DSA
2157 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2158 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2159#endif
2160#ifndef OPENSSL_NO_RSA
2161 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2162 {
2163 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2164 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2165 }
2166#endif
2167#ifndef OPENSSL_NO_ECDSA
2168 if (!c->pkeys[SSL_PKEY_ECC].digest)
2169 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2170#endif
2171 return 1;
2172 }
2173
6434abbf 2174#endif
A mirror of the official openssl repository