]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/t1_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
oops, revert wrong patch
[thirdparty/openssl.git] / ssl / t1_lib.c
CommitLineData
58964a49
RE		 1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
f1fd4544 58/* ====================================================================
52b8dad8 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
f1fd4544
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58964a49
RE		 111
112#include <stdio.h>
ec577822 113#include <openssl/objects.h>
6434abbf
DSH		 114#include <openssl/evp.h>
115#include <openssl/hmac.h>
67c8e7f4 116#include <openssl/ocsp.h>
4817504d 117#include <openssl/rand.h>
58964a49
RE		 118#include "ssl_locl.h"
119
42182852 120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
58964a49 121
367eb1f1 122#ifndef OPENSSL_NO_TLSEXT
6434abbf
DSH		 123static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124 const unsigned char *sess_id, int sesslen,
125 SSL_SESSION **psess);
367eb1f1 126#endif
6434abbf 127
f3b656b2 128SSL3_ENC_METHOD TLSv1_enc_data={
58964a49
RE		 129 tls1_enc,
130 tls1_mac,
131 tls1_setup_key_block,
132 tls1_generate_master_secret,
133 tls1_change_cipher_state,
134 tls1_final_finish_mac,
135 TLS1_FINISH_MAC_LENGTH,
136 tls1_cert_verify_mac,
137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139 tls1_alert_code,
e0af0405 140 tls1_export_keying_material,
58964a49
RE		 141 };
142
f3b656b2 143long tls1_default_timeout(void)
58964a49
RE		 144 {
145 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146 * is way too long for http, the cache would over fill */
147 return(60*60*2);
148 }
149
6b691a5c 150int tls1_new(SSL *s)
58964a49
RE		 151 {
152 if (!ssl3_new(s)) return(0);
153 s->method->ssl_clear(s);
154 return(1);
155 }
156
6b691a5c 157void tls1_free(SSL *s)
58964a49 158 {
12bf56c0
DSH		 159#ifndef OPENSSL_NO_TLSEXT
160 if (s->tlsext_session_ticket)
161 {
162 OPENSSL_free(s->tlsext_session_ticket);
163 }
164#endif /* OPENSSL_NO_TLSEXT */
58964a49
RE		 165 ssl3_free(s);
166 }
167
6b691a5c 168void tls1_clear(SSL *s)
58964a49
RE		 169 {
170 ssl3_clear(s);
637f374a 171 s->version = s->method->version;
58964a49
RE		 172 }
173
525de5d3 174#ifndef OPENSSL_NO_EC
eda3766b 175
525de5d3
DSH		 176static int nid_list[] =
177 {
178 NID_sect163k1, /* sect163k1 (1) */
179 NID_sect163r1, /* sect163r1 (2) */
180 NID_sect163r2, /* sect163r2 (3) */
181 NID_sect193r1, /* sect193r1 (4) */
182 NID_sect193r2, /* sect193r2 (5) */
183 NID_sect233k1, /* sect233k1 (6) */
184 NID_sect233r1, /* sect233r1 (7) */
185 NID_sect239k1, /* sect239k1 (8) */
186 NID_sect283k1, /* sect283k1 (9) */
187 NID_sect283r1, /* sect283r1 (10) */
188 NID_sect409k1, /* sect409k1 (11) */
189 NID_sect409r1, /* sect409r1 (12) */
190 NID_sect571k1, /* sect571k1 (13) */
191 NID_sect571r1, /* sect571r1 (14) */
192 NID_secp160k1, /* secp160k1 (15) */
193 NID_secp160r1, /* secp160r1 (16) */
194 NID_secp160r2, /* secp160r2 (17) */
195 NID_secp192k1, /* secp192k1 (18) */
196 NID_X9_62_prime192v1, /* secp192r1 (19) */
197 NID_secp224k1, /* secp224k1 (20) */
198 NID_secp224r1, /* secp224r1 (21) */
199 NID_secp256k1, /* secp256k1 (22) */
200 NID_X9_62_prime256v1, /* secp256r1 (23) */
201 NID_secp384r1, /* secp384r1 (24) */
202 NID_secp521r1 /* secp521r1 (25) */
203 };
eda3766b
DSH		 204
205static int pref_list[] =
206 {
207 NID_sect571r1, /* sect571r1 (14) */
208 NID_sect571k1, /* sect571k1 (13) */
209 NID_secp521r1, /* secp521r1 (25) */
210 NID_sect409k1, /* sect409k1 (11) */
211 NID_sect409r1, /* sect409r1 (12) */
212 NID_secp384r1, /* secp384r1 (24) */
213 NID_sect283k1, /* sect283k1 (9) */
214 NID_sect283r1, /* sect283r1 (10) */
215 NID_secp256k1, /* secp256k1 (22) */
216 NID_X9_62_prime256v1, /* secp256r1 (23) */
217 NID_sect239k1, /* sect239k1 (8) */
218 NID_sect233k1, /* sect233k1 (6) */
219 NID_sect233r1, /* sect233r1 (7) */
220 NID_secp224k1, /* secp224k1 (20) */
221 NID_secp224r1, /* secp224r1 (21) */
222 NID_sect193r1, /* sect193r1 (4) */
223 NID_sect193r2, /* sect193r2 (5) */
224 NID_secp192k1, /* secp192k1 (18) */
225 NID_X9_62_prime192v1, /* secp192r1 (19) */
226 NID_sect163k1, /* sect163k1 (1) */
227 NID_sect163r1, /* sect163r1 (2) */
228 NID_sect163r2, /* sect163r2 (3) */
229 NID_secp160k1, /* secp160k1 (15) */
230 NID_secp160r1, /* secp160r1 (16) */
231 NID_secp160r2, /* secp160r2 (17) */
232 };
233
525de5d3
DSH		 234int tls1_ec_curve_id2nid(int curve_id)
235 {
236 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
1e26a8ba
GT		 237 if ((curve_id < 1) || ((unsigned int)curve_id >
238 sizeof(nid_list)/sizeof(nid_list[0])))
239 return 0;
525de5d3
DSH		 240 return nid_list[curve_id-1];
241 }
242
243int tls1_ec_nid2curve_id(int nid)
244 {
245 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246 switch (nid)
247 {
248 case NID_sect163k1: /* sect163k1 (1) */
249 return 1;
250 case NID_sect163r1: /* sect163r1 (2) */
251 return 2;
252 case NID_sect163r2: /* sect163r2 (3) */
253 return 3;
254 case NID_sect193r1: /* sect193r1 (4) */
255 return 4;
256 case NID_sect193r2: /* sect193r2 (5) */
257 return 5;
258 case NID_sect233k1: /* sect233k1 (6) */
259 return 6;
260 case NID_sect233r1: /* sect233r1 (7) */
261 return 7;
262 case NID_sect239k1: /* sect239k1 (8) */
263 return 8;
264 case NID_sect283k1: /* sect283k1 (9) */
265 return 9;
266 case NID_sect283r1: /* sect283r1 (10) */
267 return 10;
268 case NID_sect409k1: /* sect409k1 (11) */
269 return 11;
270 case NID_sect409r1: /* sect409r1 (12) */
271 return 12;
272 case NID_sect571k1: /* sect571k1 (13) */
273 return 13;
274 case NID_sect571r1: /* sect571r1 (14) */
275 return 14;
276 case NID_secp160k1: /* secp160k1 (15) */
277 return 15;
278 case NID_secp160r1: /* secp160r1 (16) */
279 return 16;
280 case NID_secp160r2: /* secp160r2 (17) */
281 return 17;
282 case NID_secp192k1: /* secp192k1 (18) */
283 return 18;
284 case NID_X9_62_prime192v1: /* secp192r1 (19) */
285 return 19;
286 case NID_secp224k1: /* secp224k1 (20) */
287 return 20;
288 case NID_secp224r1: /* secp224r1 (21) */
289 return 21;
290 case NID_secp256k1: /* secp256k1 (22) */
291 return 22;
292 case NID_X9_62_prime256v1: /* secp256r1 (23) */
293 return 23;
294 case NID_secp384r1: /* secp384r1 (24) */
295 return 24;
296 case NID_secp521r1: /* secp521r1 (25) */
297 return 25;
298 default:
299 return 0;
300 }
301 }
302#endif /* OPENSSL_NO_EC */
f1fd4544 303
ed3883d2 304#ifndef OPENSSL_NO_TLSEXT
fc101f88
DSH		 305
306/* List of supported signature algorithms and hashes. Should make this
307 * customisable at some point, for now include everything we support.
308 */
309
310#ifdef OPENSSL_NO_RSA
311#define tlsext_sigalg_rsa(md) /* */
312#else
313#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314#endif
315
316#ifdef OPENSSL_NO_DSA
317#define tlsext_sigalg_dsa(md) /* */
318#else
319#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320#endif
321
322#ifdef OPENSSL_NO_ECDSA
323#define tlsext_sigalg_ecdsa(md) /* */
324#else
654ac273 325#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
fc101f88
DSH		 326#endif
327
328#define tlsext_sigalg(md) \
329 tlsext_sigalg_rsa(md) \
330 tlsext_sigalg_dsa(md) \
331 tlsext_sigalg_ecdsa(md)
332
333static unsigned char tls12_sigalgs[] = {
334#ifndef OPENSSL_NO_SHA512
335 tlsext_sigalg(TLSEXT_hash_sha512)
336 tlsext_sigalg(TLSEXT_hash_sha384)
337#endif
338#ifndef OPENSSL_NO_SHA256
339 tlsext_sigalg(TLSEXT_hash_sha256)
340 tlsext_sigalg(TLSEXT_hash_sha224)
341#endif
342#ifndef OPENSSL_NO_SHA
343 tlsext_sigalg(TLSEXT_hash_sha1)
344#endif
345#ifndef OPENSSL_NO_MD5
346 tlsext_sigalg_rsa(TLSEXT_hash_md5)
347#endif
348};
349
f37f20ff
DSH		 350int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351 {
ebc5e72f
DSH		 352 size_t slen = sizeof(tls12_sigalgs);
353#ifdef OPENSSL_FIPS
354 /* If FIPS mode don't include MD5 which is last */
355 if (FIPS_mode())
356 slen -= 2;
357#endif
f37f20ff 358 if (p)
ebc5e72f
DSH		 359 memcpy(p, tls12_sigalgs, slen);
360 return (int)slen;
f37f20ff 361 }
fc101f88 362
f1fd4544
BM		 363unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364 {
ed3883d2
BM		 365 int extdatalen=0;
366 unsigned char *ret = p;
367
13f6d57b
DSH		 368 /* don't add extensions for SSLv3 unless doing secure renegotiation */
369 if (s->client_version == SSL3_VERSION
370 && !s->s3->send_connection_binding)
5f8f94a6
DSH		 371 return p;
372
ed3883d2
BM		 373 ret+=2;
374
375 if (ret>=limit) return NULL; /* this really never occurs, but ... */
6434abbf 376
a70183bc 377 if (s->tlsext_hostname != NULL)
f1fd4544 378 {
ed3883d2
BM		 379 /* Add TLS extension servername to the Client Hello message */
380 unsigned long size_str;
381 long lenmax;
382
a70183bc 383 /* check for enough space.
52b8dad8
BM		 384 4 for the servername type and entension length
385 2 for servernamelist length
386 1 for the hostname type
387 2 for hostname length
388 + hostname length
a70183bc 389 */
52b8dad8 390
761772d7
BM		 391 if ((lenmax = limit - ret - 9) < 0
392 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
a70183bc
BM		 393 return NULL;
394
395 /* extension type and length */
396 s2n(TLSEXT_TYPE_server_name,ret);
397 s2n(size_str+5,ret);
f1fd4544 398
a70183bc 399 /* length of servername list */
ed3883d2 400 s2n(size_str+3,ret);
a70183bc
BM		 401
402 /* hostname type, length and hostname */
f1fd4544 403 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
ed3883d2 404 s2n(size_str,ret);
ed3883d2
BM		 405 memcpy(ret, s->tlsext_hostname, size_str);
406 ret+=size_str;
f1fd4544 407 }
761772d7 408
423c66f1 409 /* Add RI if renegotiating */
bdd53508 410 if (s->renegotiate)
423c66f1 411 {
860c3dd1
DSH		 412 int el;
413
414 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
415 {
416 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
417 return NULL;
418 }
419
420 if((limit - p - 4 - el) < 0) return NULL;
421
422 s2n(TLSEXT_TYPE_renegotiate,ret);
423 s2n(el,ret);
424
425 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
426 {
427 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
428 return NULL;
429 }
430
431 ret += el;
432 }
433
edc032b5
BL		 434#ifndef OPENSSL_NO_SRP
435#define MIN(x,y) (((x)<(y))?(x):(y))
436 /* we add SRP username the first time only if we have one! */
437 if (s->srp_ctx.login != NULL)
438 {/* Add TLS extension SRP username to the Client Hello message */
439 int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
440 long lenmax;
441
442 if ((lenmax = limit - ret - 5) < 0) return NULL;
443 if (login_len > lenmax) return NULL;
444 if (login_len > 255)
445 {
446 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
447 return NULL;
448 }
449 s2n(TLSEXT_TYPE_srp,ret);
450 s2n(login_len+1,ret);
451
452 (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
453 memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
454 ret+=login_len;
455 }
456#endif
457
36ca4ba6 458#ifndef OPENSSL_NO_EC
8025e251
DSH		 459 if (s->tlsext_ecpointformatlist != NULL &&
460 s->version != DTLS1_VERSION)
36ca4ba6
BM		 461 {
462 /* Add TLS extension ECPointFormats to the ClientHello message */
463 long lenmax;
464
761772d7 465 if ((lenmax = limit - ret - 5) < 0) return NULL;
36ca4ba6 466 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
019fdc78
BM		 467 if (s->tlsext_ecpointformatlist_length > 255)
468 {
469 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
470 return NULL;
471 }
36ca4ba6
BM		 472
473 s2n(TLSEXT_TYPE_ec_point_formats,ret);
474 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
475 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
476 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
477 ret+=s->tlsext_ecpointformatlist_length;
478 }
8025e251
DSH		 479 if (s->tlsext_ellipticcurvelist != NULL &&
480 s->version != DTLS1_VERSION)
33273721
BM		 481 {
482 /* Add TLS extension EllipticCurves to the ClientHello message */
483 long lenmax;
484
761772d7 485 if ((lenmax = limit - ret - 6) < 0) return NULL;
33273721 486 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
a4974de9 487 if (s->tlsext_ellipticcurvelist_length > 65532)
33273721
BM		 488 {
489 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
490 return NULL;
491 }
492
493 s2n(TLSEXT_TYPE_elliptic_curves,ret);
a123c552 494 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
a4974de9
BM		 495
496 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
497 * elliptic_curve_list, but the examples use two bytes.
498 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
499 * resolves this to two bytes.
500 */
a123c552 501 s2n(s->tlsext_ellipticcurvelist_length, ret);
33273721
BM		 502 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
503 ret+=s->tlsext_ellipticcurvelist_length;
504 }
36ca4ba6 505#endif /* OPENSSL_NO_EC */
d3442bc7 506
6434abbf
DSH		 507 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
508 {
509 int ticklen;
7ba3838a 510 if (!s->new_session && s->session && s->session->tlsext_tick)
6434abbf 511 ticklen = s->session->tlsext_ticklen;
12bf56c0
DSH		 512 else if (s->session && s->tlsext_session_ticket &&
513 s->tlsext_session_ticket->data)
514 {
515 ticklen = s->tlsext_session_ticket->length;
516 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
517 if (!s->session->tlsext_tick)
518 return NULL;
519 memcpy(s->session->tlsext_tick,
520 s->tlsext_session_ticket->data,
521 ticklen);
522 s->session->tlsext_ticklen = ticklen;
523 }
6434abbf
DSH		 524 else
525 ticklen = 0;
12bf56c0
DSH		 526 if (ticklen == 0 && s->tlsext_session_ticket &&
527 s->tlsext_session_ticket->data == NULL)
528 goto skip_ext;
6434abbf
DSH		 529 /* Check for enough room 2 for extension type, 2 for len
530 * rest for ticket
531 */
761772d7 532 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
6434abbf
DSH		 533 s2n(TLSEXT_TYPE_session_ticket,ret);
534 s2n(ticklen,ret);
535 if (ticklen)
536 {
537 memcpy(ret, s->session->tlsext_tick, ticklen);
538 ret += ticklen;
539 }
540 }
12bf56c0 541 skip_ext:
6434abbf 542
238b6361 543 if (TLS1_get_version(s) >= TLS1_2_VERSION)
a2f9200f 544 {
fc101f88 545 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
a2f9200f
DSH		 546 return NULL;
547 s2n(TLSEXT_TYPE_signature_algorithms,ret);
fc101f88
DSH		 548 s2n(sizeof(tls12_sigalgs) + 2, ret);
549 s2n(sizeof(tls12_sigalgs), ret);
550 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
551 ret += sizeof(tls12_sigalgs);
a2f9200f
DSH		 552 }
553
761772d7 554#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 555 if (s->s3->client_opaque_prf_input != NULL &&
556 s->version != DTLS1_VERSION)
761772d7
BM		 557 {
558 size_t col = s->s3->client_opaque_prf_input_len;
559
560 if ((long)(limit - ret - 6 - col < 0))
561 return NULL;
562 if (col > 0xFFFD) /* can't happen */
563 return NULL;
564
565 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
566 s2n(col + 2, ret);
567 s2n(col, ret);
568 memcpy(ret, s->s3->client_opaque_prf_input, col);
569 ret += col;
570 }
571#endif
572
8025e251
DSH		 573 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
574 s->version != DTLS1_VERSION)
67c8e7f4
DSH		 575 {
576 int i;
577 long extlen, idlen, itmp;
578 OCSP_RESPID *id;
579
580 idlen = 0;
581 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
582 {
583 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
584 itmp = i2d_OCSP_RESPID(id, NULL);
585 if (itmp <= 0)
586 return NULL;
587 idlen += itmp + 2;
588 }
589
590 if (s->tlsext_ocsp_exts)
591 {
592 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
593 if (extlen < 0)
594 return NULL;
595 }
596 else
597 extlen = 0;
598
599 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
600 s2n(TLSEXT_TYPE_status_request, ret);
601 if (extlen + idlen > 0xFFF0)
602 return NULL;
603 s2n(extlen + idlen + 5, ret);
604 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
605 s2n(idlen, ret);
606 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
607 {
608 /* save position of id len */
609 unsigned char *q = ret;
610 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
611 /* skip over id len */
612 ret += 2;
613 itmp = i2d_OCSP_RESPID(id, &ret);
614 /* write id len */
615 s2n(itmp, q);
616 }
617 s2n(extlen, ret);
618 if (extlen > 0)
619 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
620 }
621
4817504d
DSH		 622#ifndef OPENSSL_NO_HEARTBEATS
623 /* Add Heartbeat extension */
624 s2n(TLSEXT_TYPE_heartbeat,ret);
625 s2n(1,ret);
626 /* Set mode:
627 * 1: peer may send requests
628 * 2: peer not allowed to send requests
629 */
630 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
631 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
632 else
633 *(ret++) = SSL_TLSEXT_HB_ENABLED;
634#endif
635
bf48836c 636#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 637 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
638 {
639 /* The client advertises an emtpy extension to indicate its
640 * support for Next Protocol Negotiation */
641 if (limit - ret - 4 < 0)
642 return NULL;
643 s2n(TLSEXT_TYPE_next_proto_neg,ret);
644 s2n(0,ret);
645 }
646#endif
647
333f926d
BL		 648 if(SSL_get_srtp_profiles(s))
649 {
650 int el;
651
652 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
653
654 if((limit - p - 4 - el) < 0) return NULL;
655
656 s2n(TLSEXT_TYPE_use_srtp,ret);
657 s2n(el,ret);
658
659 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
660 {
661 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
662 return NULL;
663 }
664 ret += el;
665 }
666
ed3883d2
BM		 667 if ((extdatalen = ret-p-2)== 0)
668 return p;
669
670 s2n(extdatalen,p);
671 return ret;
52b8dad8 672 }
ed3883d2 673
f1fd4544
BM		 674unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
675 {
ed3883d2
BM		 676 int extdatalen=0;
677 unsigned char *ret = p;
bf48836c
BL		 678#ifndef OPENSSL_NO_NEXTPROTONEG
679 int next_proto_neg_seen;
ee2ffc27 680#endif
ed3883d2 681
13f6d57b
DSH		 682 /* don't add extensions for SSLv3, unless doing secure renegotiation */
683 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
5f8f94a6
DSH		 684 return p;
685
a13c20f6 686 ret+=2;
ed3883d2
BM		 687 if (ret>=limit) return NULL; /* this really never occurs, but ... */
688
a13c20f6 689 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
f1fd4544 690 {
761772d7 691 if ((long)(limit - ret - 4) < 0) return NULL;
ed3883d2
BM		 692
693 s2n(TLSEXT_TYPE_server_name,ret);
694 s2n(0,ret);
f1fd4544 695 }
860c3dd1 696
8025e251 697 if(s->s3->send_connection_binding)
860c3dd1
DSH		 698 {
699 int el;
700
701 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
702 {
703 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
704 return NULL;
705 }
706
707 if((limit - p - 4 - el) < 0) return NULL;
708
709 s2n(TLSEXT_TYPE_renegotiate,ret);
710 s2n(el,ret);
711
712 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
713 {
714 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
715 return NULL;
716 }
717
718 ret += el;
719 }
720
36ca4ba6 721#ifndef OPENSSL_NO_EC
8025e251
DSH		 722 if (s->tlsext_ecpointformatlist != NULL &&
723 s->version != DTLS1_VERSION)
36ca4ba6
BM		 724 {
725 /* Add TLS extension ECPointFormats to the ServerHello message */
726 long lenmax;
727
761772d7 728 if ((lenmax = limit - ret - 5) < 0) return NULL;
36ca4ba6 729 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
019fdc78
BM		 730 if (s->tlsext_ecpointformatlist_length > 255)
731 {
732 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
733 return NULL;
734 }
36ca4ba6
BM		 735
736 s2n(TLSEXT_TYPE_ec_point_formats,ret);
737 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
738 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
739 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
740 ret+=s->tlsext_ecpointformatlist_length;
a70183bc 741
36ca4ba6 742 }
33273721 743 /* Currently the server should not respond with a SupportedCurves extension */
36ca4ba6 744#endif /* OPENSSL_NO_EC */
67c8e7f4 745
6434abbf
DSH		 746 if (s->tlsext_ticket_expected
747 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
748 {
761772d7 749 if ((long)(limit - ret - 4) < 0) return NULL;
6434abbf
DSH		 750 s2n(TLSEXT_TYPE_session_ticket,ret);
751 s2n(0,ret);
752 }
761772d7 753
67c8e7f4
DSH		 754 if (s->tlsext_status_expected)
755 {
756 if ((long)(limit - ret - 4) < 0) return NULL;
757 s2n(TLSEXT_TYPE_status_request,ret);
758 s2n(0,ret);
759 }
760
761772d7 761#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 762 if (s->s3->server_opaque_prf_input != NULL &&
763 s->version != DTLS1_VERSION)
761772d7
BM		 764 {
765 size_t sol = s->s3->server_opaque_prf_input_len;
6434abbf 766
761772d7
BM		 767 if ((long)(limit - ret - 6 - sol) < 0)
768 return NULL;
769 if (sol > 0xFFFD) /* can't happen */
770 return NULL;
771
772 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
773 s2n(sol + 2, ret);
774 s2n(sol, ret);
775 memcpy(ret, s->s3->server_opaque_prf_input, sol);
776 ret += sol;
777 }
778#endif
333f926d
BL		 779
780 if(s->srtp_profile)
781 {
782 int el;
783
784 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
785
786 if((limit - p - 4 - el) < 0) return NULL;
787
788 s2n(TLSEXT_TYPE_use_srtp,ret);
789 s2n(el,ret);
790
791 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
792 {
7a236261 793 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
333f926d
BL		 794 return NULL;
795 }
796 ret+=el;
797 }
798
0e1dba93
DSH		 799 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
800 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
801 { const unsigned char cryptopro_ext[36] = {
802 0xfd, 0xe8, /*65000*/
803 0x00, 0x20, /*32 bytes length*/
804 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
805 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
806 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
807 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
808 if (limit-ret<36) return NULL;
809 memcpy(ret,cryptopro_ext,36);
810 ret+=36;
811
812 }
761772d7 813
4817504d 814#ifndef OPENSSL_NO_HEARTBEATS
5733919d
DSH		 815 /* Add Heartbeat extension if we've received one */
816 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
817 {
818 s2n(TLSEXT_TYPE_heartbeat,ret);
819 s2n(1,ret);
820 /* Set mode:
821 * 1: peer may send requests
822 * 2: peer not allowed to send requests
823 */
824 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
825 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
826 else
827 *(ret++) = SSL_TLSEXT_HB_ENABLED;
828 }
4817504d
DSH		 829#endif
830
bf48836c 831#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 832 next_proto_neg_seen = s->s3->next_proto_neg_seen;
833 s->s3->next_proto_neg_seen = 0;
834 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
835 {
836 const unsigned char *npa;
837 unsigned int npalen;
838 int r;
839
840 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
841 if (r == SSL_TLSEXT_ERR_OK)
842 {
843 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
844 s2n(TLSEXT_TYPE_next_proto_neg,ret);
845 s2n(npalen,ret);
846 memcpy(ret, npa, npalen);
847 ret += npalen;
848 s->s3->next_proto_neg_seen = 1;
849 }
850 }
851#endif
852
ed3883d2
BM		 853 if ((extdatalen = ret-p-2)== 0)
854 return p;
855
856 s2n(extdatalen,p);
857 return ret;
52b8dad8 858 }
ed3883d2 859
f1fd4544
BM		 860int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
861 {
ed3883d2
BM		 862 unsigned short type;
863 unsigned short size;
864 unsigned short len;
f1fd4544 865 unsigned char *data = *p;
860c3dd1 866 int renegotiate_seen = 0;
6b7be581 867 int sigalg_seen = 0;
860c3dd1 868
a13c20f6 869 s->servername_done = 0;
67c8e7f4 870 s->tlsext_status_type = -1;
6f31dd72
BM		 871#ifndef OPENSSL_NO_NEXTPROTONEG
872 s->s3->next_proto_neg_seen = 0;
873#endif
ed3883d2 874
4817504d
DSH		 875#ifndef OPENSSL_NO_HEARTBEATS
876 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
877 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
878#endif
879
ed3883d2 880 if (data >= (d+n-2))
c27c9cb4 881 goto ri_check;
ed3883d2
BM		 882 n2s(data,len);
883
52b8dad8 884 if (data > (d+n-len))
c27c9cb4 885 goto ri_check;
ed3883d2 886
f1fd4544
BM		 887 while (data <= (d+n-4))
888 {
ed3883d2
BM		 889 n2s(data,type);
890 n2s(data,size);
891
892 if (data+size > (d+n))
c27c9cb4 893 goto ri_check;
8e3b2dbb 894#if 0
0e1dba93 895 fprintf(stderr,"Received extension type %d size %d\n",type,size);
8e3b2dbb 896#endif
6434abbf
DSH		 897 if (s->tlsext_debug_cb)
898 s->tlsext_debug_cb(s, 0, type, data, size,
899 s->tlsext_debug_arg);
a13c20f6
BM		 900/* The servername extension is treated as follows:
901
902 - Only the hostname type is supported with a maximum length of 255.
903 - The servername is rejected if too long or if it contains zeros,
904 in which case an fatal alert is generated.
905 - The servername field is maintained together with the session cache.
906 - When a session is resumed, the servername call back invoked in order
907 to allow the application to position itself to the right context.
908 - The servername is acknowledged if it is new for a session or when
909 it is identical to a previously used for the same session.
910 Applications can control the behaviour. They can at any time
911 set a 'desirable' servername for a new SSL object. This can be the
912 case for example with HTTPS when a Host: header field is received and
913 a renegotiation is requested. In this case, a possible servername
914 presented in the new client hello is only acknowledged if it matches
915 the value of the Host: field.
916 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
917 if they provide for changing an explicit servername context for the session,
918 i.e. when the session has been established with a servername extension.
919 - On session reconnect, the servername extension may be absent.
920
921*/
922
f1fd4544
BM		 923 if (type == TLSEXT_TYPE_server_name)
924 {
a70183bc 925 unsigned char *sdata;
ed3883d2 926 int servname_type;
a70183bc
BM		 927 int dsize;
928
929 if (size < 2)
930 {
931 *al = SSL_AD_DECODE_ERROR;
932 return 0;
933 }
934 n2s(data,dsize);
52b8dad8 935 size -= 2;
a70183bc 936 if (dsize > size )
f1fd4544 937 {
a70183bc
BM		 938 *al = SSL_AD_DECODE_ERROR;
939 return 0;
940 }
941
942 sdata = data;
943 while (dsize > 3)
944 {
945 servname_type = *(sdata++);
ed3883d2 946 n2s(sdata,len);
a70183bc
BM		 947 dsize -= 3;
948
949 if (len > dsize)
f1fd4544
BM		 950 {
951 *al = SSL_AD_DECODE_ERROR;
952 return 0;
953 }
a70183bc 954 if (s->servername_done == 0)
f1fd4544
BM		 955 switch (servname_type)
956 {
957 case TLSEXT_NAMETYPE_host_name:
732d31be 958 if (!s->hit)
f1fd4544 959 {
732d31be
DSH		 960 if(s->session->tlsext_hostname)
961 {
962 *al = SSL_AD_DECODE_ERROR;
963 return 0;
964 }
965 if (len > TLSEXT_MAXLEN_host_name)
f1fd4544
BM		 966 {
967 *al = TLS1_AD_UNRECOGNIZED_NAME;
968 return 0;
969 }
732d31be
DSH		 970 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
971 {
972 *al = TLS1_AD_INTERNAL_ERROR;
973 return 0;
974 }
ed3883d2 975 memcpy(s->session->tlsext_hostname, sdata, len);
a13c20f6
BM		 976 s->session->tlsext_hostname[len]='\0';
977 if (strlen(s->session->tlsext_hostname) != len) {
978 OPENSSL_free(s->session->tlsext_hostname);
40a70628 979 s->session->tlsext_hostname = NULL;
a13c20f6
BM		 980 *al = TLS1_AD_UNRECOGNIZED_NAME;
981 return 0;
f1fd4544 982 }
a13c20f6
BM		 983 s->servername_done = 1;
984
a13c20f6
BM		 985 }
986 else
732d31be
DSH		 987 s->servername_done = s->session->tlsext_hostname
988 && strlen(s->session->tlsext_hostname) == len
6b9e941e 989 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
a13c20f6 990
ed3883d2 991 break;
f1fd4544 992
ed3883d2
BM		 993 default:
994 break;
f1fd4544 995 }
52b8dad8 996
a70183bc 997 dsize -= len;
f1fd4544 998 }
a70183bc
BM		 999 if (dsize != 0)
1000 {
1001 *al = SSL_AD_DECODE_ERROR;
1002 return 0;
1003 }
1004
ed3883d2 1005 }
edc032b5
BL		 1006#ifndef OPENSSL_NO_SRP
1007 else if (type == TLSEXT_TYPE_srp)
1008 {
1009 if (size > 0)
1010 {
1011 len = data[0];
1012 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1013 return -1;
1014 memcpy(s->srp_ctx.login, &data[1], len);
1015 s->srp_ctx.login[len]='\0';
1016 }
1017 }
1018#endif
ed3883d2 1019
36ca4ba6 1020#ifndef OPENSSL_NO_EC
8025e251
DSH		 1021 else if (type == TLSEXT_TYPE_ec_point_formats &&
1022 s->version != DTLS1_VERSION)
36ca4ba6
BM		 1023 {
1024 unsigned char *sdata = data;
1025 int ecpointformatlist_length = *(sdata++);
36ca4ba6
BM		 1026
1027 if (ecpointformatlist_length != size - 1)
1028 {
1029 *al = TLS1_AD_DECODE_ERROR;
1030 return 0;
1031 }
732d31be 1032 if (!s->hit)
36ca4ba6 1033 {
732d31be
DSH		 1034 if(s->session->tlsext_ecpointformatlist)
1035 {
7d5686d3
DSH		 1036 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1037 s->session->tlsext_ecpointformatlist = NULL;
732d31be
DSH		 1038 }
1039 s->session->tlsext_ecpointformatlist_length = 0;
1040 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1041 {
1042 *al = TLS1_AD_INTERNAL_ERROR;
1043 return 0;
1044 }
1045 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1046 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
36ca4ba6 1047 }
36ca4ba6
BM		 1048#if 0
1049 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1050 sdata = s->session->tlsext_ecpointformatlist;
1051 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1052 fprintf(stderr,"%i ",*(sdata++));
1053 fprintf(stderr,"\n");
33273721
BM		 1054#endif
1055 }
8025e251
DSH		 1056 else if (type == TLSEXT_TYPE_elliptic_curves &&
1057 s->version != DTLS1_VERSION)
33273721
BM		 1058 {
1059 unsigned char *sdata = data;
1060 int ellipticcurvelist_length = (*(sdata++) << 8);
1061 ellipticcurvelist_length += (*(sdata++));
1062
1063 if (ellipticcurvelist_length != size - 2)
1064 {
1065 *al = TLS1_AD_DECODE_ERROR;
1066 return 0;
1067 }
732d31be 1068 if (!s->hit)
33273721 1069 {
732d31be
DSH		 1070 if(s->session->tlsext_ellipticcurvelist)
1071 {
1072 *al = TLS1_AD_DECODE_ERROR;
1073 return 0;
1074 }
1075 s->session->tlsext_ellipticcurvelist_length = 0;
1076 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1077 {
1078 *al = TLS1_AD_INTERNAL_ERROR;
1079 return 0;
1080 }
1081 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1082 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
33273721 1083 }
33273721
BM		 1084#if 0
1085 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1086 sdata = s->session->tlsext_ellipticcurvelist;
1087 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1088 fprintf(stderr,"%i ",*(sdata++));
1089 fprintf(stderr,"\n");
36ca4ba6
BM		 1090#endif
1091 }
c6a27f01 1092#endif /* OPENSSL_NO_EC */
761772d7 1093#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 1094 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1095 s->version != DTLS1_VERSION)
761772d7
BM		 1096 {
1097 unsigned char *sdata = data;
1098
1099 if (size < 2)
1100 {
1101 *al = SSL_AD_DECODE_ERROR;
1102 return 0;
1103 }
1104 n2s(sdata, s->s3->client_opaque_prf_input_len);
1105 if (s->s3->client_opaque_prf_input_len != size - 2)
1106 {
1107 *al = SSL_AD_DECODE_ERROR;
1108 return 0;
1109 }
1110
1111 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1112 OPENSSL_free(s->s3->client_opaque_prf_input);
02c27b11
BM		 1113 if (s->s3->client_opaque_prf_input_len == 0)
1114 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1115 else
1116 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
761772d7
BM		 1117 if (s->s3->client_opaque_prf_input == NULL)
1118 {
1119 *al = TLS1_AD_INTERNAL_ERROR;
1120 return 0;
1121 }
1122 }
1123#endif
12bf56c0
DSH		 1124 else if (type == TLSEXT_TYPE_session_ticket)
1125 {
1126 if (s->tls_session_ticket_ext_cb &&
1127 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1128 {
1129 *al = TLS1_AD_INTERNAL_ERROR;
1130 return 0;
1131 }
1132 }
860c3dd1
DSH		 1133 else if (type == TLSEXT_TYPE_renegotiate)
1134 {
1135 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1136 return 0;
1137 renegotiate_seen = 1;
1138 }
6b7be581
DSH		 1139 else if (type == TLSEXT_TYPE_signature_algorithms)
1140 {
1141 int dsize;
1142 if (sigalg_seen || size < 2)
1143 {
1144 *al = SSL_AD_DECODE_ERROR;
1145 return 0;
1146 }
1147 sigalg_seen = 1;
1148 n2s(data,dsize);
1149 size -= 2;
1150 if (dsize != size || dsize & 1)
1151 {
1152 *al = SSL_AD_DECODE_ERROR;
1153 return 0;
1154 }
1155 if (!tls1_process_sigalgs(s, data, dsize))
1156 {
1157 *al = SSL_AD_DECODE_ERROR;
1158 return 0;
1159 }
1160 }
8025e251
DSH		 1161 else if (type == TLSEXT_TYPE_status_request &&
1162 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
67c8e7f4
DSH		 1163 {
1164
1165 if (size < 5)
1166 {
1167 *al = SSL_AD_DECODE_ERROR;
1168 return 0;
1169 }
1170
1171 s->tlsext_status_type = *data++;
1172 size--;
1173 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1174 {
1175 const unsigned char *sdata;
1176 int dsize;
1177 /* Read in responder_id_list */
1178 n2s(data,dsize);
1179 size -= 2;
1180 if (dsize > size )
1181 {
1182 *al = SSL_AD_DECODE_ERROR;
1183 return 0;
1184 }
1185 while (dsize > 0)
1186 {
1187 OCSP_RESPID *id;
1188 int idsize;
1189 if (dsize < 4)
1190 {
1191 *al = SSL_AD_DECODE_ERROR;
1192 return 0;
1193 }
1194 n2s(data, idsize);
1195 dsize -= 2 + idsize;
9770924f 1196 size -= 2 + idsize;
67c8e7f4
DSH		 1197 if (dsize < 0)
1198 {
1199 *al = SSL_AD_DECODE_ERROR;
1200 return 0;
1201 }
1202 sdata = data;
1203 data += idsize;
1204 id = d2i_OCSP_RESPID(NULL,
1205 &sdata, idsize);
1206 if (!id)
1207 {
1208 *al = SSL_AD_DECODE_ERROR;
1209 return 0;
1210 }
1211 if (data != sdata)
1212 {
1213 OCSP_RESPID_free(id);
1214 *al = SSL_AD_DECODE_ERROR;
1215 return 0;
1216 }
1217 if (!s->tlsext_ocsp_ids
1218 && !(s->tlsext_ocsp_ids =
1219 sk_OCSP_RESPID_new_null()))
1220 {
1221 OCSP_RESPID_free(id);
1222 *al = SSL_AD_INTERNAL_ERROR;
1223 return 0;
1224 }
1225 if (!sk_OCSP_RESPID_push(
1226 s->tlsext_ocsp_ids, id))
1227 {
1228 OCSP_RESPID_free(id);
1229 *al = SSL_AD_INTERNAL_ERROR;
1230 return 0;
1231 }
1232 }
1233
1234 /* Read in request_extensions */
9770924f
BM		 1235 if (size < 2)
1236 {
1237 *al = SSL_AD_DECODE_ERROR;
1238 return 0;
1239 }
67c8e7f4
DSH		 1240 n2s(data,dsize);
1241 size -= 2;
9770924f 1242 if (dsize != size)
67c8e7f4
DSH		 1243 {
1244 *al = SSL_AD_DECODE_ERROR;
1245 return 0;
1246 }
1247 sdata = data;
1248 if (dsize > 0)
1249 {
1250 s->tlsext_ocsp_exts =
1251 d2i_X509_EXTENSIONS(NULL,
1252 &sdata, dsize);
1253 if (!s->tlsext_ocsp_exts
1254 || (data + dsize != sdata))
1255 {
1256 *al = SSL_AD_DECODE_ERROR;
1257 return 0;
1258 }
1259 }
1260 }
1261 /* We don't know what to do with any other type
1262 * so ignore it.
1263 */
1264 else
1265 s->tlsext_status_type = -1;
1266 }
4817504d
DSH		 1267#ifndef OPENSSL_NO_HEARTBEATS
1268 else if (type == TLSEXT_TYPE_heartbeat)
1269 {
1270 switch(data[0])
1271 {
1272 case 0x01: /* Client allows us to send HB requests */
1273 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1274 break;
1275 case 0x02: /* Client doesn't accept HB requests */
1276 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1277 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1278 break;
1279 }
1280 }
1281#endif
bf48836c 1282#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1283 else if (type == TLSEXT_TYPE_next_proto_neg &&
1284 s->s3->tmp.finish_md_len == 0)
1285 {
1286 /* We shouldn't accept this extension on a
1287 * renegotiation.
1288 *
1289 * s->new_session will be set on renegotiation, but we
1290 * probably shouldn't rely that it couldn't be set on
1291 * the initial renegotation too in certain cases (when
1292 * there's some other reason to disallow resuming an
1293 * earlier session -- the current code won't be doing
1294 * anything like that, but this might change).
1295
1296 * A valid sign that there's been a previous handshake
1297 * in this connection is if s->s3->tmp.finish_md_len >
1298 * 0. (We are talking about a check that will happen
1299 * in the Hello protocol round, well before a new
1300 * Finished message could have been computed.) */
1301 s->s3->next_proto_neg_seen = 1;
1302 }
1303#endif
761772d7 1304
6434abbf 1305 /* session ticket processed earlier */
333f926d
BL		 1306 else if (type == TLSEXT_TYPE_use_srtp)
1307 {
1308 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1309 al))
1310 return 0;
1311 }
1312
6434abbf 1313 data+=size;
f1fd4544 1314 }
6434abbf 1315
f1fd4544 1316 *p = data;
c27c9cb4
DSH		 1317
1318 ri_check:
1319
1320 /* Need RI if renegotiating */
1321
bdd53508 1322 if (!renegotiate_seen && s->renegotiate &&
c27c9cb4
DSH		 1323 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1324 {
fbed9f81 1325 *al = SSL_AD_HANDSHAKE_FAILURE;
c27c9cb4
DSH		 1326 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1327 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1328 return 0;
1329 }
1330
f1fd4544 1331 return 1;
52b8dad8 1332 }
f1fd4544 1333
bf48836c 1334#ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1335/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1336 * elements of zero length are allowed and the set of elements must exactly fill
1337 * the length of the block. */
bf48836c 1338static int ssl_next_proto_validate(unsigned char *d, unsigned len)
ee2ffc27
BL		 1339 {
1340 unsigned int off = 0;
1341
1342 while (off < len)
1343 {
1344 if (d[off] == 0)
1345 return 0;
1346 off += d[off];
1347 off++;
1348 }
1349
1350 return off == len;
1351 }
1352#endif
1353
f1fd4544
BM		 1354int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1355 {
c8bbd98a 1356 unsigned short length;
ed3883d2
BM		 1357 unsigned short type;
1358 unsigned short size;
ed3883d2 1359 unsigned char *data = *p;
ed3883d2 1360 int tlsext_servername = 0;
860c3dd1 1361 int renegotiate_seen = 0;
ed3883d2 1362
6f31dd72
BM		 1363#ifndef OPENSSL_NO_NEXTPROTONEG
1364 s->s3->next_proto_neg_seen = 0;
1365#endif
1366
4817504d
DSH		 1367#ifndef OPENSSL_NO_HEARTBEATS
1368 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1369 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1370#endif
1371
ed3883d2 1372 if (data >= (d+n-2))
c27c9cb4 1373 goto ri_check;
ed3883d2 1374
c8bbd98a
BL		 1375 n2s(data,length);
1376 if (data+length != d+n)
1377 {
1378 *al = SSL_AD_DECODE_ERROR;
1379 return 0;
1380 }
ed3883d2 1381
f1fd4544
BM		 1382 while(data <= (d+n-4))
1383 {
ed3883d2
BM		 1384 n2s(data,type);
1385 n2s(data,size);
1386
1387 if (data+size > (d+n))
c27c9cb4 1388 goto ri_check;
f1fd4544 1389
6434abbf
DSH		 1390 if (s->tlsext_debug_cb)
1391 s->tlsext_debug_cb(s, 1, type, data, size,
1392 s->tlsext_debug_arg);
1393
f1fd4544
BM		 1394 if (type == TLSEXT_TYPE_server_name)
1395 {
1396 if (s->tlsext_hostname == NULL || size > 0)
1397 {
1398 *al = TLS1_AD_UNRECOGNIZED_NAME;
1399 return 0;
1400 }
ed3883d2 1401 tlsext_servername = 1;
f1fd4544 1402 }
ed3883d2 1403
36ca4ba6 1404#ifndef OPENSSL_NO_EC
8025e251
DSH		 1405 else if (type == TLSEXT_TYPE_ec_point_formats &&
1406 s->version != DTLS1_VERSION)
36ca4ba6
BM		 1407 {
1408 unsigned char *sdata = data;
1409 int ecpointformatlist_length = *(sdata++);
36ca4ba6
BM		 1410
1411 if (ecpointformatlist_length != size - 1)
1412 {
1413 *al = TLS1_AD_DECODE_ERROR;
1414 return 0;
1415 }
1416 s->session->tlsext_ecpointformatlist_length = 0;
b6acb8d0 1417 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
36ca4ba6
BM		 1418 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1419 {
1420 *al = TLS1_AD_INTERNAL_ERROR;
1421 return 0;
1422 }
1423 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1424 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1425#if 0
1426 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1427 sdata = s->session->tlsext_ecpointformatlist;
1428 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1429 fprintf(stderr,"%i ",*(sdata++));
1430 fprintf(stderr,"\n");
1431#endif
1432 }
c6a27f01 1433#endif /* OPENSSL_NO_EC */
6434abbf
DSH		 1434
1435 else if (type == TLSEXT_TYPE_session_ticket)
1436 {
12bf56c0
DSH		 1437 if (s->tls_session_ticket_ext_cb &&
1438 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1439 {
1440 *al = TLS1_AD_INTERNAL_ERROR;
1441 return 0;
1442 }
6434abbf
DSH		 1443 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1444 || (size > 0))
1445 {
1446 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1447 return 0;
1448 }
1449 s->tlsext_ticket_expected = 1;
1450 }
761772d7 1451#ifdef TLSEXT_TYPE_opaque_prf_input
8025e251
DSH		 1452 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1453 s->version != DTLS1_VERSION)
761772d7
BM		 1454 {
1455 unsigned char *sdata = data;
1456
1457 if (size < 2)
1458 {
1459 *al = SSL_AD_DECODE_ERROR;
1460 return 0;
1461 }
1462 n2s(sdata, s->s3->server_opaque_prf_input_len);
1463 if (s->s3->server_opaque_prf_input_len != size - 2)
1464 {
1465 *al = SSL_AD_DECODE_ERROR;
1466 return 0;
1467 }
1468
1469 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1470 OPENSSL_free(s->s3->server_opaque_prf_input);
02c27b11
BM		 1471 if (s->s3->server_opaque_prf_input_len == 0)
1472 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1473 else
1474 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
761772d7
BM		 1475
1476 if (s->s3->server_opaque_prf_input == NULL)
1477 {
1478 *al = TLS1_AD_INTERNAL_ERROR;
1479 return 0;
1480 }
1481 }
1482#endif
8025e251
DSH		 1483 else if (type == TLSEXT_TYPE_status_request &&
1484 s->version != DTLS1_VERSION)
67c8e7f4
DSH		 1485 {
1486 /* MUST be empty and only sent if we've requested
1487 * a status request message.
1488 */
1489 if ((s->tlsext_status_type == -1) || (size > 0))
1490 {
1491 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1492 return 0;
1493 }
1494 /* Set flag to expect CertificateStatus message */
1495 s->tlsext_status_expected = 1;
1496 }
bf48836c 1497#ifndef OPENSSL_NO_NEXTPROTONEG
6f31dd72
BM		 1498 else if (type == TLSEXT_TYPE_next_proto_neg &&
1499 s->s3->tmp.finish_md_len == 0)
ee2ffc27
BL		 1500 {
1501 unsigned char *selected;
1502 unsigned char selected_len;
1503
1504 /* We must have requested it. */
1505 if ((s->ctx->next_proto_select_cb == NULL))
1506 {
1507 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1508 return 0;
1509 }
1510 /* The data must be valid */
1511 if (!ssl_next_proto_validate(data, size))
1512 {
1513 *al = TLS1_AD_DECODE_ERROR;
1514 return 0;
1515 }
1516 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1517 {
1518 *al = TLS1_AD_INTERNAL_ERROR;
1519 return 0;
1520 }
1521 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1522 if (!s->next_proto_negotiated)
1523 {
1524 *al = TLS1_AD_INTERNAL_ERROR;
1525 return 0;
1526 }
1527 memcpy(s->next_proto_negotiated, selected, selected_len);
1528 s->next_proto_negotiated_len = selected_len;
6f31dd72 1529 s->s3->next_proto_neg_seen = 1;
ee2ffc27
BL		 1530 }
1531#endif
860c3dd1
DSH		 1532 else if (type == TLSEXT_TYPE_renegotiate)
1533 {
1534 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1535 return 0;
1536 renegotiate_seen = 1;
1537 }
4817504d
DSH		 1538#ifndef OPENSSL_NO_HEARTBEATS
1539 else if (type == TLSEXT_TYPE_heartbeat)
1540 {
1541 switch(data[0])
1542 {
1543 case 0x01: /* Server allows us to send HB requests */
1544 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1545 break;
1546 case 0x02: /* Server doesn't accept HB requests */
1547 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1548 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1549 break;
1550 }
1551 }
1552#endif
333f926d
BL		 1553 else if (type == TLSEXT_TYPE_use_srtp)
1554 {
1555 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1556 al))
1557 return 0;
1558 }
1559
ed3883d2 1560 data+=size;
f1fd4544 1561 }
ed3883d2
BM		 1562
1563 if (data != d+n)
f1fd4544
BM		 1564 {
1565 *al = SSL_AD_DECODE_ERROR;
1566 return 0;
1567 }
ed3883d2 1568
f1fd4544
BM		 1569 if (!s->hit && tlsext_servername == 1)
1570 {
1571 if (s->tlsext_hostname)
1572 {
1573 if (s->session->tlsext_hostname == NULL)
1574 {
ed3883d2
BM		 1575 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1576 if (!s->session->tlsext_hostname)
f1fd4544
BM		 1577 {
1578 *al = SSL_AD_UNRECOGNIZED_NAME;
1579 return 0;
1580 }
1581 }
1582 else
1583 {
1584 *al = SSL_AD_DECODE_ERROR;
1585 return 0;
1586 }
ed3883d2 1587 }
f1fd4544 1588 }
ed3883d2 1589
f1fd4544 1590 *p = data;
c27c9cb4
DSH		 1591
1592 ri_check:
1593
1594 /* Determine if we need to see RI. Strictly speaking if we want to
1595 * avoid an attack we should *always* see RI even on initial server
1596 * hello because the client doesn't see any renegotiation during an
1597 * attack. However this would mean we could not connect to any server
1598 * which doesn't support RI so for the immediate future tolerate RI
1599 * absence on initial connect only.
1600 */
c2c49969
DSH		 1601 if (!renegotiate_seen
1602 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
ef51b4b9 1603 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
c27c9cb4 1604 {
fbed9f81 1605 *al = SSL_AD_HANDSHAKE_FAILURE;
c27c9cb4
DSH		 1606 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1607 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1608 return 0;
1609 }
1610
f1fd4544 1611 return 1;
52b8dad8 1612 }
ed3883d2 1613
b2172f4f 1614
36ca4ba6
BM		 1615int ssl_prepare_clienthello_tlsext(SSL *s)
1616 {
1617#ifndef OPENSSL_NO_EC
33273721
BM		 1618 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1619 * and elliptic curves we support.
36ca4ba6
BM		 1620 */
1621 int using_ecc = 0;
1622 int i;
33273721 1623 unsigned char *j;
52b8dad8 1624 unsigned long alg_k, alg_a;
36ca4ba6 1625 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
52b8dad8 1626
36ca4ba6
BM		 1627 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1628 {
52b8dad8
BM		 1629 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1630
1631 alg_k = c->algorithm_mkey;
1632 alg_a = c->algorithm_auth;
1633 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
36ca4ba6
BM		 1634 {
1635 using_ecc = 1;
1636 break;
1637 }
36ca4ba6 1638 }
290be870 1639 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
36ca4ba6
BM		 1640 if (using_ecc)
1641 {
b6acb8d0
BM		 1642 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1643 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
36ca4ba6 1644 {
a291745e 1645 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
36ca4ba6
BM		 1646 return -1;
1647 }
b6acb8d0
BM		 1648 s->tlsext_ecpointformatlist_length = 3;
1649 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1650 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1651 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
b2172f4f 1652
33273721
BM		 1653 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1654 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
eda3766b 1655 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
b2172f4f 1656 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
33273721 1657 {
b2172f4f 1658 s->tlsext_ellipticcurvelist_length = 0;
a291745e 1659 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
33273721
BM		 1660 return -1;
1661 }
eda3766b
DSH		 1662 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1663 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1664 {
1665 int id = tls1_ec_nid2curve_id(pref_list[i]);
1666 s2n(id,j);
1667 }
36ca4ba6
BM		 1668 }
1669#endif /* OPENSSL_NO_EC */
761772d7
BM		 1670
1671#ifdef TLSEXT_TYPE_opaque_prf_input
1672 {
1673 int r = 1;
1674
1675 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1676 {
1677 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1678 if (!r)
1679 return -1;
1680 }
1681
1682 if (s->tlsext_opaque_prf_input != NULL)
1683 {
1684 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1685 OPENSSL_free(s->s3->client_opaque_prf_input);
1686
02c27b11
BM		 1687 if (s->tlsext_opaque_prf_input_len == 0)
1688 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1689 else
1690 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
761772d7
BM		 1691 if (s->s3->client_opaque_prf_input == NULL)
1692 {
1693 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1694 return -1;
1695 }
1696 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1697 }
1698
1699 if (r == 2)
1700 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1701 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1702 }
1703#endif
1704
36ca4ba6 1705 return 1;
52b8dad8 1706 }
36ca4ba6
BM		 1707
1708int ssl_prepare_serverhello_tlsext(SSL *s)
1709 {
1710#ifndef OPENSSL_NO_EC
b6acb8d0 1711 /* If we are server and using an ECC cipher suite, send the point formats we support
33273721
BM		 1712 * if the client sent us an ECPointsFormat extension. Note that the server is not
1713 * supposed to send an EllipticCurves extension.
36ca4ba6 1714 */
36ca4ba6 1715
52b8dad8
BM		 1716 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1717 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1718 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1719 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1720
36ca4ba6
BM		 1721 if (using_ecc)
1722 {
b6acb8d0
BM		 1723 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1724 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
36ca4ba6 1725 {
a291745e 1726 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
36ca4ba6
BM		 1727 return -1;
1728 }
b6acb8d0
BM		 1729 s->tlsext_ecpointformatlist_length = 3;
1730 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1731 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1732 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
36ca4ba6
BM		 1733 }
1734#endif /* OPENSSL_NO_EC */
761772d7 1735
36ca4ba6 1736 return 1;
52b8dad8 1737 }
36ca4ba6
BM		 1738
1739int ssl_check_clienthello_tlsext(SSL *s)
f1fd4544 1740 {
241520e6 1741 int ret=SSL_TLSEXT_ERR_NOACK;
36ca4ba6
BM		 1742 int al = SSL_AD_UNRECOGNIZED_NAME;
1743
1744#ifndef OPENSSL_NO_EC
33273721
BM		 1745 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1746 * ssl3_choose_cipher in s3_lib.c.
1747 */
1748 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1749 * ssl3_choose_cipher in s3_lib.c.
36ca4ba6
BM		 1750 */
1751#endif
1752
1753 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1754 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1755 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1756 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1757
67c8e7f4
DSH		 1758 /* If status request then ask callback what to do.
1759 * Note: this must be called after servername callbacks in case
1760 * the certificate has changed.
1761 */
2bd45dc9 1762 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
67c8e7f4
DSH		 1763 {
1764 int r;
1765 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1766 switch (r)
1767 {
1768 /* We don't want to send a status request response */
1769 case SSL_TLSEXT_ERR_NOACK:
1770 s->tlsext_status_expected = 0;
1771 break;
1772 /* status request response should be sent */
1773 case SSL_TLSEXT_ERR_OK:
1774 if (s->tlsext_ocsp_resp)
1775 s->tlsext_status_expected = 1;
1776 else
1777 s->tlsext_status_expected = 0;
1778 break;
1779 /* something bad happened */
1780 case SSL_TLSEXT_ERR_ALERT_FATAL:
1781 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1782 al = SSL_AD_INTERNAL_ERROR;
1783 goto err;
1784 }
1785 }
1786 else
1787 s->tlsext_status_expected = 0;
761772d7
BM		 1788
1789#ifdef TLSEXT_TYPE_opaque_prf_input
1790 {
1791 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1792 * but we might be sending an alert in response to the client hello,
1793 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1794
1795 int r = 1;
1796
1797 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1798 {
1799 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1800 if (!r)
1801 {
1802 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1803 al = SSL_AD_INTERNAL_ERROR;
1804 goto err;
1805 }
1806 }
1807
1808 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1809 OPENSSL_free(s->s3->server_opaque_prf_input);
1810 s->s3->server_opaque_prf_input = NULL;
1811
1812 if (s->tlsext_opaque_prf_input != NULL)
1813 {
1814 if (s->s3->client_opaque_prf_input != NULL &&
1815 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1816 {
1817 /* can only use this extension if we have a server opaque PRF input
1818 * of the same length as the client opaque PRF input! */
1819
02c27b11
BM		 1820 if (s->tlsext_opaque_prf_input_len == 0)
1821 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1822 else
1823 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
761772d7
BM		 1824 if (s->s3->server_opaque_prf_input == NULL)
1825 {
1826 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1827 al = SSL_AD_INTERNAL_ERROR;
1828 goto err;
1829 }
1830 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1831 }
1832 }
1833
1834 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1835 {
1836 /* The callback wants to enforce use of the extension,
1837 * but we can't do that with the client opaque PRF input;
1838 * abort the handshake.
1839 */
1840 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1841 al = SSL_AD_HANDSHAKE_FAILURE;
1842 }
1843 }
761772d7 1844
67c8e7f4 1845#endif
761772d7 1846 err:
52b8dad8
BM		 1847 switch (ret)
1848 {
36ca4ba6
BM		 1849 case SSL_TLSEXT_ERR_ALERT_FATAL:
1850 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1851 return -1;
1852
1853 case SSL_TLSEXT_ERR_ALERT_WARNING:
1854 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1855 return 1;
1856
1857 case SSL_TLSEXT_ERR_NOACK:
1858 s->servername_done=0;
1859 default:
1860 return 1;
52b8dad8 1861 }
36ca4ba6 1862 }
f1fd4544 1863
36ca4ba6
BM		 1864int ssl_check_serverhello_tlsext(SSL *s)
1865 {
1866 int ret=SSL_TLSEXT_ERR_NOACK;
58ece833 1867 int al = SSL_AD_UNRECOGNIZED_NAME;
241520e6 1868
36ca4ba6 1869#ifndef OPENSSL_NO_EC
d0205686
DSH		 1870 /* If we are client and using an elliptic curve cryptography cipher
1871 * suite, then if server returns an EC point formats lists extension
1872 * it must contain uncompressed.
36ca4ba6 1873 */
52b8dad8
BM		 1874 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1875 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
36ca4ba6 1876 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
d0205686 1877 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
52b8dad8 1878 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
36ca4ba6
BM		 1879 {
1880 /* we are using an ECC cipher */
90bdfd97 1881 size_t i;
36ca4ba6
BM		 1882 unsigned char *list;
1883 int found_uncompressed = 0;
b9865f11 1884 list = s->session->tlsext_ecpointformatlist;
36ca4ba6
BM		 1885 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1886 {
1887 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1888 {
1889 found_uncompressed = 1;
1890 break;
1891 }
1892 }
1893 if (!found_uncompressed)
1894 {
a291745e 1895 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
36ca4ba6
BM		 1896 return -1;
1897 }
1898 }
1899 ret = SSL_TLSEXT_ERR_OK;
1900#endif /* OPENSSL_NO_EC */
1901
241520e6 1902 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
58ece833 1903 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
241520e6 1904 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
58ece833 1905 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
241520e6 1906
761772d7
BM		 1907#ifdef TLSEXT_TYPE_opaque_prf_input
1908 if (s->s3->server_opaque_prf_input_len > 0)
1909 {
1910 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1911 * So first verify that we really have a value from the server too. */
1912
1913 if (s->s3->server_opaque_prf_input == NULL)
1914 {
1915 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1916 al = SSL_AD_HANDSHAKE_FAILURE;
1917 }
1918
1919 /* Anytime the server *has* sent an opaque PRF input, we need to check
1920 * that we have a client opaque PRF input of the same size. */
1921 if (s->s3->client_opaque_prf_input == NULL ||
1922 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1923 {
1924 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1925 al = SSL_AD_ILLEGAL_PARAMETER;
1926 }
1927 }
1928#endif
1929
04e2ab2c
DSH		 1930 /* If we've requested certificate status and we wont get one
1931 * tell the callback
1932 */
1933 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
121f9e74 1934 && s->ctx && s->ctx->tlsext_status_cb)
04e2ab2c
DSH		 1935 {
1936 int r;
1937 /* Set resp to NULL, resplen to -1 so callback knows
1938 * there is no response.
1939 */
1940 if (s->tlsext_ocsp_resp)
1941 {
1942 OPENSSL_free(s->tlsext_ocsp_resp);
1943 s->tlsext_ocsp_resp = NULL;
1944 }
1945 s->tlsext_ocsp_resplen = -1;
1946 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1947 if (r == 0)
1948 {
1949 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1950 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1951 }
1952 if (r < 0)
1953 {
1954 al = SSL_AD_INTERNAL_ERROR;
1955 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1956 }
1957 }
1958
52b8dad8
BM		 1959 switch (ret)
1960 {
58ece833
BM		 1961 case SSL_TLSEXT_ERR_ALERT_FATAL:
1962 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1963 return -1;
1964
1965 case SSL_TLSEXT_ERR_ALERT_WARNING:
1966 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1967 return 1;
1968
1969 case SSL_TLSEXT_ERR_NOACK:
1970 s->servername_done=0;
1971 default:
1972 return 1;
52b8dad8 1973 }
f1fd4544 1974 }
33273721 1975
c519e89f
BM		 1976/* Since the server cache lookup is done early on in the processing of the
1977 * ClientHello, and other operations depend on the result, we need to handle
1978 * any TLS session ticket extension at the same time.
1979 *
1980 * session_id: points at the session ID in the ClientHello. This code will
1981 * read past the end of this in order to parse out the session ticket
1982 * extension, if any.
1983 * len: the length of the session ID.
1984 * limit: a pointer to the first byte after the ClientHello.
1985 * ret: (output) on return, if a ticket was decrypted, then this is set to
1986 * point to the resulting session.
1987 *
1988 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
1989 * ciphersuite, in which case we have no use for session tickets and one will
1990 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
1991 *
1992 * Returns:
1993 * -1: fatal error, either from parsing or decrypting the ticket.
1994 * 0: no ticket was found (or was ignored, based on settings).
1995 * 1: a zero length extension was found, indicating that the client supports
1996 * session tickets but doesn't currently have one to offer.
1997 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
1998 * couldn't be decrypted because of a non-fatal error.
1999 * 3: a ticket was successfully decrypted and *ret was set.
2000 *
2001 * Side effects:
2002 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2003 * a new session ticket to the client because the client indicated support
2004 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2005 * a session ticket or we couldn't use the one it gave us, or if
2006 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2007 * Otherwise, s->tlsext_ticket_expected is set to 0.
6434abbf 2008 */
6434abbf 2009int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
c519e89f 2010 const unsigned char *limit, SSL_SESSION **ret)
6434abbf
DSH		 2011 {
2012 /* Point after session ID in client hello */
2013 const unsigned char *p = session_id + len;
2014 unsigned short i;
e8da6a1d 2015
c519e89f
BM		 2016 *ret = NULL;
2017 s->tlsext_ticket_expected = 0;
2018
e8da6a1d 2019 /* If tickets disabled behave as if no ticket present
c519e89f
BM		 2020 * to permit stateful resumption.
2021 */
e8da6a1d 2022 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
c519e89f 2023 return 0;
6434abbf 2024 if ((s->version <= SSL3_VERSION) || !limit)
c519e89f 2025 return 0;
6434abbf
DSH		 2026 if (p >= limit)
2027 return -1;
07a9d1a2
DSH		 2028 /* Skip past DTLS cookie */
2029 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2030 {
2031 i = *(p++);
2032 p+= i;
2033 if (p >= limit)
2034 return -1;
2035 }
6434abbf
DSH		 2036 /* Skip past cipher list */
2037 n2s(p, i);
2038 p+= i;
2039 if (p >= limit)
2040 return -1;
2041 /* Skip past compression algorithm list */
2042 i = *(p++);
2043 p += i;
2044 if (p > limit)
2045 return -1;
2046 /* Now at start of extensions */
2047 if ((p + 2) >= limit)
c519e89f 2048 return 0;
6434abbf
DSH		 2049 n2s(p, i);
2050 while ((p + 4) <= limit)
2051 {
2052 unsigned short type, size;
2053 n2s(p, type);
2054 n2s(p, size);
2055 if (p + size > limit)
c519e89f 2056 return 0;
6434abbf
DSH		 2057 if (type == TLSEXT_TYPE_session_ticket)
2058 {
c519e89f 2059 int r;
6434abbf
DSH		 2060 if (size == 0)
2061 {
c519e89f
BM		 2062 /* The client will accept a ticket but doesn't
2063 * currently have one. */
6434abbf 2064 s->tlsext_ticket_expected = 1;
c519e89f 2065 return 1;
6434abbf 2066 }
12bf56c0
DSH		 2067 if (s->tls_session_secret_cb)
2068 {
c519e89f
BM		 2069 /* Indicate that the ticket couldn't be
2070 * decrypted rather than generating the session
2071 * from ticket now, trigger abbreviated
2072 * handshake based on external mechanism to
2073 * calculate the master secret later. */
2074 return 2;
2075 }
2076 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2077 switch (r)
2078 {
2079 case 2: /* ticket couldn't be decrypted */
2080 s->tlsext_ticket_expected = 1;
2081 return 2;
2082 case 3: /* ticket was decrypted */
2083 return r;
2084 case 4: /* ticket decrypted but need to renew */
2085 s->tlsext_ticket_expected = 1;
2086 return 3;
2087 default: /* fatal error */
2088 return -1;
12bf56c0 2089 }
6434abbf
DSH		 2090 }
2091 p += size;
2092 }
c519e89f 2093 return 0;
6434abbf
DSH		 2094 }
2095
c519e89f
BM		 2096/* tls_decrypt_ticket attempts to decrypt a session ticket.
2097 *
2098 * etick: points to the body of the session ticket extension.
2099 * eticklen: the length of the session tickets extenion.
2100 * sess_id: points at the session ID.
2101 * sesslen: the length of the session ID.
2102 * psess: (output) on return, if a ticket was decrypted, then this is set to
2103 * point to the resulting session.
2104 *
2105 * Returns:
2106 * -1: fatal error, either from parsing or decrypting the ticket.
2107 * 2: the ticket couldn't be decrypted.
2108 * 3: a ticket was successfully decrypted and *psess was set.
2109 * 4: same as 3, but the ticket needs to be renewed.
2110 */
6434abbf
DSH		 2111static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2112 const unsigned char *sess_id, int sesslen,
2113 SSL_SESSION **psess)
2114 {
2115 SSL_SESSION *sess;
2116 unsigned char *sdec;
2117 const unsigned char *p;
8a2062fe 2118 int slen, mlen, renew_ticket = 0;
6434abbf
DSH		 2119 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2120 HMAC_CTX hctx;
2121 EVP_CIPHER_CTX ctx;
661dc143 2122 SSL_CTX *tctx = s->initial_ctx;
8a2062fe
DSH		 2123 /* Need at least keyname + iv + some encrypted data */
2124 if (eticklen < 48)
c519e89f 2125 return 2;
8a2062fe
DSH		 2126 /* Initialize session ticket encryption and HMAC contexts */
2127 HMAC_CTX_init(&hctx);
2128 EVP_CIPHER_CTX_init(&ctx);
661dc143 2129 if (tctx->tlsext_ticket_key_cb)
8a2062fe
DSH		 2130 {
2131 unsigned char *nctick = (unsigned char *)etick;
661dc143 2132 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
8a2062fe
DSH		 2133 &ctx, &hctx, 0);
2134 if (rv < 0)
2135 return -1;
2136 if (rv == 0)
c519e89f 2137 return 2;
8a2062fe
DSH		 2138 if (rv == 2)
2139 renew_ticket = 1;
2140 }
2141 else
2142 {
2143 /* Check key name matches */
661dc143 2144 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
c519e89f 2145 return 2;
661dc143 2146 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
8a2062fe
DSH		 2147 tlsext_tick_md(), NULL);
2148 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
661dc143 2149 tctx->tlsext_tick_aes_key, etick + 16);
8a2062fe 2150 }
6434abbf 2151 /* Attempt to process session ticket, first conduct sanity and
c519e89f
BM		 2152 * integrity checks on ticket.
2153 */
8a2062fe 2154 mlen = HMAC_size(&hctx);
0eab41fb
BL		 2155 if (mlen < 0)
2156 {
2157 EVP_CIPHER_CTX_cleanup(&ctx);
2158 return -1;
2159 }
6434abbf 2160 eticklen -= mlen;
6434abbf 2161 /* Check HMAC of encrypted ticket */
6434abbf
DSH		 2162 HMAC_Update(&hctx, etick, eticklen);
2163 HMAC_Final(&hctx, tick_hmac, NULL);
2164 HMAC_CTX_cleanup(&hctx);
2165 if (memcmp(tick_hmac, etick + eticklen, mlen))
c519e89f 2166 return 2;
6434abbf 2167 /* Attempt to decrypt session data */
6434abbf 2168 /* Move p after IV to start of encrypted ticket, update length */
8a2062fe
DSH		 2169 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2170 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
6434abbf
DSH		 2171 sdec = OPENSSL_malloc(eticklen);
2172 if (!sdec)
2173 {
2174 EVP_CIPHER_CTX_cleanup(&ctx);
2175 return -1;
2176 }
2177 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2178 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
c519e89f 2179 return 2;
6434abbf
DSH		 2180 slen += mlen;
2181 EVP_CIPHER_CTX_cleanup(&ctx);
2182 p = sdec;
c519e89f 2183
6434abbf
DSH		 2184 sess = d2i_SSL_SESSION(NULL, &p, slen);
2185 OPENSSL_free(sdec);
2186 if (sess)
2187 {
c519e89f
BM		 2188 /* The session ID, if non-empty, is used by some clients to
2189 * detect that the ticket has been accepted. So we copy it to
2190 * the session structure. If it is empty set length to zero
2191 * as required by standard.
2192 */
6434abbf
DSH		 2193 if (sesslen)
2194 memcpy(sess->session_id, sess_id, sesslen);
2195 sess->session_id_length = sesslen;
2196 *psess = sess;
c519e89f
BM		 2197 if (renew_ticket)
2198 return 4;
2199 else
2200 return 3;
6434abbf 2201 }
c519e89f
BM		 2202 ERR_clear_error();
2203 /* For session parse failure, indicate that we need to send a new
2204 * ticket. */
2205 return 2;
6434abbf 2206 }
6434abbf 2207
6b7be581
DSH		 2208/* Tables to translate from NIDs to TLS v1.2 ids */
2209
2210typedef struct
2211 {
2212 int nid;
2213 int id;
2214 } tls12_lookup;
2215
2216static tls12_lookup tls12_md[] = {
2217#ifndef OPENSSL_NO_MD5
2218 {NID_md5, TLSEXT_hash_md5},
2219#endif
2220#ifndef OPENSSL_NO_SHA
2221 {NID_sha1, TLSEXT_hash_sha1},
2222#endif
2223#ifndef OPENSSL_NO_SHA256
2224 {NID_sha224, TLSEXT_hash_sha224},
2225 {NID_sha256, TLSEXT_hash_sha256},
2226#endif
2227#ifndef OPENSSL_NO_SHA512
2228 {NID_sha384, TLSEXT_hash_sha384},
2229 {NID_sha512, TLSEXT_hash_sha512}
2230#endif
2231};
2232
2233static tls12_lookup tls12_sig[] = {
2234#ifndef OPENSSL_NO_RSA
2235 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2236#endif
2237#ifndef OPENSSL_NO_RSA
2238 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2239#endif
2240#ifndef OPENSSL_NO_ECDSA
2241 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2242#endif
2243};
2244
2245static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2246 {
2247 size_t i;
2248 for (i = 0; i < tlen; i++)
2249 {
2250 if (table[i].nid == nid)
2251 return table[i].id;
2252 }
2253 return -1;
2254 }
2255#if 0
2256static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2257 {
2258 size_t i;
2259 for (i = 0; i < tlen; i++)
2260 {
2261 if (table[i].id == id)
2262 return table[i].nid;
2263 }
2264 return -1;
2265 }
2266#endif
a2f9200f
DSH		 2267
2268int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
6b7be581
DSH		 2269 {
2270 int sig_id, md_id;
2271 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2272 sizeof(tls12_md)/sizeof(tls12_lookup));
2273 if (md_id == -1)
2274 return 0;
a2f9200f 2275 sig_id = tls12_get_sigid(pk);
6b7be581
DSH		 2276 if (sig_id == -1)
2277 return 0;
2278 p[0] = (unsigned char)md_id;
2279 p[1] = (unsigned char)sig_id;
2280 return 1;
2281 }
2282
a2f9200f
DSH		 2283int tls12_get_sigid(const EVP_PKEY *pk)
2284 {
2285 return tls12_find_id(pk->type, tls12_sig,
2286 sizeof(tls12_sig)/sizeof(tls12_lookup));
2287 }
2288
2289const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2290 {
2291 switch(hash_alg)
2292 {
2293#ifndef OPENSSL_NO_MD5
2294 case TLSEXT_hash_md5:
ebc5e72f
DSH		 2295#ifdef OPENSSL_FIPS
2296 if (FIPS_mode())
2297 return NULL;
2298#endif
a2f9200f
DSH		 2299 return EVP_md5();
2300#endif
2301#ifndef OPENSSL_NO_SHA
2302 case TLSEXT_hash_sha1:
2303 return EVP_sha1();
2304#endif
2305#ifndef OPENSSL_NO_SHA256
2306 case TLSEXT_hash_sha224:
2307 return EVP_sha224();
2308
2309 case TLSEXT_hash_sha256:
2310 return EVP_sha256();
2311#endif
2312#ifndef OPENSSL_NO_SHA512
2313 case TLSEXT_hash_sha384:
2314 return EVP_sha384();
2315
2316 case TLSEXT_hash_sha512:
2317 return EVP_sha512();
2318#endif
2319 default:
2320 return NULL;
2321
2322 }
2323 }
2324
6b7be581
DSH		 2325/* Set preferred digest for each key type */
2326
8f829124 2327int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
6b7be581
DSH		 2328 {
2329 int i, idx;
2330 const EVP_MD *md;
2331 CERT *c = s->cert;
2332 /* Extension ignored for TLS versions below 1.2 */
238b6361 2333 if (TLS1_get_version(s) < TLS1_2_VERSION)
6b7be581 2334 return 1;
8f829124
DSH		 2335 /* Should never happen */
2336 if (!c)
2337 return 0;
6b7be581
DSH		 2338
2339 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2340 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2341 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2342 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2343
2344 for (i = 0; i < dsize; i += 2)
2345 {
2346 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2347
2348 switch(sig_alg)
2349 {
2350#ifndef OPENSSL_NO_RSA
2351 case TLSEXT_signature_rsa:
2352 idx = SSL_PKEY_RSA_SIGN;
2353 break;
2354#endif
2355#ifndef OPENSSL_NO_DSA
2356 case TLSEXT_signature_dsa:
2357 idx = SSL_PKEY_DSA_SIGN;
2358 break;
2359#endif
2360#ifndef OPENSSL_NO_ECDSA
2361 case TLSEXT_signature_ecdsa:
2362 idx = SSL_PKEY_ECC;
2363 break;
2364#endif
2365 default:
2366 continue;
2367 }
2368
a2f9200f 2369 if (c->pkeys[idx].digest == NULL)
6b7be581 2370 {
a2f9200f
DSH		 2371 md = tls12_get_hash(hash_alg);
2372 if (md)
2373 {
2374 c->pkeys[idx].digest = md;
2375 if (idx == SSL_PKEY_RSA_SIGN)
2376 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2377 }
6b7be581
DSH		 2378 }
2379
6b7be581
DSH		 2380 }
2381
8f829124 2382
6b7be581
DSH		 2383 /* Set any remaining keys to default values. NOTE: if alg is not
2384 * supported it stays as NULL.
2385 */
2386#ifndef OPENSSL_NO_DSA
2387 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2388 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2389#endif
2390#ifndef OPENSSL_NO_RSA
2391 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2392 {
2393 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2394 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2395 }
2396#endif
2397#ifndef OPENSSL_NO_ECDSA
2398 if (!c->pkeys[SSL_PKEY_ECC].digest)
2399 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2400#endif
2401 return 1;
2402 }
2403
6434abbf 2404#endif
4817504d
DSH		 2405
2406#ifndef OPENSSL_NO_HEARTBEATS
2407int
2408tls1_process_heartbeat(SSL *s)
2409 {
2410 unsigned char *p = &s->s3->rrec.data[0], *pl;
2411 unsigned short hbtype;
2412 unsigned int payload;
2413 unsigned int padding = 16; /* Use minimum padding */
2414
2415 /* Read type and payload length first */
2416 hbtype = *p++;
2417 n2s(p, payload);
2418 pl = p;
2419
2420 if (s->msg_callback)
2421 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2422 &s->s3->rrec.data[0], s->s3->rrec.length,
2423 s, s->msg_callback_arg);
2424
2425 if (hbtype == TLS1_HB_REQUEST)
2426 {
2427 unsigned char *buffer, *bp;
2428 int r;
2429
2430 /* Allocate memory for the response, size is 1 bytes
2431 * message type, plus 2 bytes payload length, plus
2432 * payload, plus padding
2433 */
2434 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2435 bp = buffer;
2436
2437 /* Enter response type, length and copy payload */
2438 *bp++ = TLS1_HB_RESPONSE;
2439 s2n(payload, bp);
2440 memcpy(bp, pl, payload);
2441
2442 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2443
2444 if (r >= 0 && s->msg_callback)
2445 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2446 buffer, 3 + payload + padding,
2447 s, s->msg_callback_arg);
2448
2449 OPENSSL_free(buffer);
2450
2451 if (r < 0)
2452 return r;
2453 }
2454 else if (hbtype == TLS1_HB_RESPONSE)
2455 {
2456 unsigned int seq;
2457
2458 /* We only send sequence numbers (2 bytes unsigned int),
2459 * and 16 random bytes, so we just try to read the
2460 * sequence number */
2461 n2s(pl, seq);
2462
2463 if (payload == 18 && seq == s->tlsext_hb_seq)
2464 {
2465 s->tlsext_hb_seq++;
2466 s->tlsext_hb_pending = 0;
2467 }
2468 }
2469
2470 return 0;
2471 }
2472
2473int
2474tls1_heartbeat(SSL *s)
2475 {
2476 unsigned char *buf, *p;
2477 int ret;
2478 unsigned int payload = 18; /* Sequence number + random bytes */
2479 unsigned int padding = 16; /* Use minimum padding */
2480
2481 /* Only send if peer supports and accepts HB requests... */
2482 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2483 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2484 {
2485 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2486 return -1;
2487 }
2488
2489 /* ...and there is none in flight yet... */
2490 if (s->tlsext_hb_pending)
2491 {
2492 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2493 return -1;
2494 }
2495
2496 /* ...and no handshake in progress. */
2497 if (SSL_in_init(s) || s->in_handshake)
2498 {
2499 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2500 return -1;
2501 }
2502
2503 /* Check if padding is too long, payload and padding
2504 * must not exceed 2^14 - 3 = 16381 bytes in total.
2505 */
2506 OPENSSL_assert(payload + padding <= 16381);
2507
2508 /* Create HeartBeat message, we just use a sequence number
2509 * as payload to distuingish different messages and add
2510 * some random stuff.
2511 * - Message Type, 1 byte
2512 * - Payload Length, 2 bytes (unsigned int)
2513 * - Payload, the sequence number (2 bytes uint)
2514 * - Payload, random bytes (16 bytes uint)
2515 * - Padding
2516 */
2517 buf = OPENSSL_malloc(1 + 2 + payload + padding);
2518 p = buf;
2519 /* Message Type */
2520 *p++ = TLS1_HB_REQUEST;
2521 /* Payload length (18 bytes here) */
2522 s2n(payload, p);
2523 /* Sequence number */
2524 s2n(s->tlsext_hb_seq, p);
2525 /* 16 random bytes */
2526 RAND_pseudo_bytes(p, 16);
2527 p += 16;
2528 /* Random padding */
2529 RAND_pseudo_bytes(p, padding);
2530
2531 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2532 if (ret >= 0)
2533 {
2534 if (s->msg_callback)
2535 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2536 buf, 3 + payload + padding,
2537 s, s->msg_callback_arg);
2538
2539 s->tlsext_hb_pending = 1;
2540 }
2541
2542 OPENSSL_free(buf);
2543
2544 return ret;
2545 }
2546#endif
A mirror of the official openssl repository