2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
119 const char tls1_version_str
[]="TLSv1" OPENSSL_VERSION_PTEXT
;
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL
*s
, const unsigned char *tick
, int ticklen
,
123 const unsigned char *sess_id
, int sesslen
,
124 SSL_SESSION
**psess
);
127 SSL3_ENC_METHOD TLSv1_enc_data
={
130 tls1_setup_key_block
,
131 tls1_generate_master_secret
,
132 tls1_change_cipher_state
,
133 tls1_final_finish_mac
,
134 TLS1_FINISH_MAC_LENGTH
,
135 tls1_cert_verify_mac
,
136 TLS_MD_CLIENT_FINISH_CONST
,TLS_MD_CLIENT_FINISH_CONST_SIZE
,
137 TLS_MD_SERVER_FINISH_CONST
,TLS_MD_SERVER_FINISH_CONST_SIZE
,
141 long tls1_default_timeout(void)
143 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144 * is way too long for http, the cache would over fill */
150 if (!ssl3_new(s
)) return(0);
151 s
->method
->ssl_clear(s
);
155 void tls1_free(SSL
*s
)
160 void tls1_clear(SSL
*s
)
163 s
->version
=TLS1_VERSION
;
166 #ifndef OPENSSL_NO_EC
167 static int nid_list
[] =
169 NID_sect163k1
, /* sect163k1 (1) */
170 NID_sect163r1
, /* sect163r1 (2) */
171 NID_sect163r2
, /* sect163r2 (3) */
172 NID_sect193r1
, /* sect193r1 (4) */
173 NID_sect193r2
, /* sect193r2 (5) */
174 NID_sect233k1
, /* sect233k1 (6) */
175 NID_sect233r1
, /* sect233r1 (7) */
176 NID_sect239k1
, /* sect239k1 (8) */
177 NID_sect283k1
, /* sect283k1 (9) */
178 NID_sect283r1
, /* sect283r1 (10) */
179 NID_sect409k1
, /* sect409k1 (11) */
180 NID_sect409r1
, /* sect409r1 (12) */
181 NID_sect571k1
, /* sect571k1 (13) */
182 NID_sect571r1
, /* sect571r1 (14) */
183 NID_secp160k1
, /* secp160k1 (15) */
184 NID_secp160r1
, /* secp160r1 (16) */
185 NID_secp160r2
, /* secp160r2 (17) */
186 NID_secp192k1
, /* secp192k1 (18) */
187 NID_X9_62_prime192v1
, /* secp192r1 (19) */
188 NID_secp224k1
, /* secp224k1 (20) */
189 NID_secp224r1
, /* secp224r1 (21) */
190 NID_secp256k1
, /* secp256k1 (22) */
191 NID_X9_62_prime256v1
, /* secp256r1 (23) */
192 NID_secp384r1
, /* secp384r1 (24) */
193 NID_secp521r1
/* secp521r1 (25) */
196 int tls1_ec_curve_id2nid(int curve_id
)
198 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
199 if ((curve_id
< 1) || ((unsigned int)curve_id
>
200 sizeof(nid_list
)/sizeof(nid_list
[0])))
202 return nid_list
[curve_id
-1];
205 int tls1_ec_nid2curve_id(int nid
)
207 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
210 case NID_sect163k1
: /* sect163k1 (1) */
212 case NID_sect163r1
: /* sect163r1 (2) */
214 case NID_sect163r2
: /* sect163r2 (3) */
216 case NID_sect193r1
: /* sect193r1 (4) */
218 case NID_sect193r2
: /* sect193r2 (5) */
220 case NID_sect233k1
: /* sect233k1 (6) */
222 case NID_sect233r1
: /* sect233r1 (7) */
224 case NID_sect239k1
: /* sect239k1 (8) */
226 case NID_sect283k1
: /* sect283k1 (9) */
228 case NID_sect283r1
: /* sect283r1 (10) */
230 case NID_sect409k1
: /* sect409k1 (11) */
232 case NID_sect409r1
: /* sect409r1 (12) */
234 case NID_sect571k1
: /* sect571k1 (13) */
236 case NID_sect571r1
: /* sect571r1 (14) */
238 case NID_secp160k1
: /* secp160k1 (15) */
240 case NID_secp160r1
: /* secp160r1 (16) */
242 case NID_secp160r2
: /* secp160r2 (17) */
244 case NID_secp192k1
: /* secp192k1 (18) */
246 case NID_X9_62_prime192v1
: /* secp192r1 (19) */
248 case NID_secp224k1
: /* secp224k1 (20) */
250 case NID_secp224r1
: /* secp224r1 (21) */
252 case NID_secp256k1
: /* secp256k1 (22) */
254 case NID_X9_62_prime256v1
: /* secp256r1 (23) */
256 case NID_secp384r1
: /* secp384r1 (24) */
258 case NID_secp521r1
: /* secp521r1 (25) */
264 #endif /* OPENSSL_NO_EC */
266 #ifndef OPENSSL_NO_TLSEXT
267 unsigned char *ssl_add_clienthello_tlsext(SSL
*s
, unsigned char *p
, unsigned char *limit
)
270 unsigned char *ret
= p
;
274 if (ret
>=limit
) return NULL
; /* this really never occurs, but ... */
276 if (s
->tlsext_hostname
!= NULL
)
278 /* Add TLS extension servername to the Client Hello message */
279 unsigned long size_str
;
282 /* check for enough space.
283 4 for the servername type and entension length
284 2 for servernamelist length
285 1 for the hostname type
286 2 for hostname length
290 if ((lenmax
= limit
- ret
- 9) < 0
291 || (size_str
= strlen(s
->tlsext_hostname
)) > (unsigned long)lenmax
)
294 /* extension type and length */
295 s2n(TLSEXT_TYPE_server_name
,ret
);
298 /* length of servername list */
301 /* hostname type, length and hostname */
302 *(ret
++) = (unsigned char) TLSEXT_NAMETYPE_host_name
;
304 memcpy(ret
, s
->tlsext_hostname
, size_str
);
308 #ifndef OPENSSL_NO_EC
309 if (s
->tlsext_ecpointformatlist
!= NULL
)
311 /* Add TLS extension ECPointFormats to the ClientHello message */
314 if ((lenmax
= limit
- ret
- 5) < 0) return NULL
;
315 if (s
->tlsext_ecpointformatlist_length
> (unsigned long)lenmax
) return NULL
;
316 if (s
->tlsext_ecpointformatlist_length
> 255)
318 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT
, ERR_R_INTERNAL_ERROR
);
322 s2n(TLSEXT_TYPE_ec_point_formats
,ret
);
323 s2n(s
->tlsext_ecpointformatlist_length
+ 1,ret
);
324 *(ret
++) = (unsigned char) s
->tlsext_ecpointformatlist_length
;
325 memcpy(ret
, s
->tlsext_ecpointformatlist
, s
->tlsext_ecpointformatlist_length
);
326 ret
+=s
->tlsext_ecpointformatlist_length
;
328 if (s
->tlsext_ellipticcurvelist
!= NULL
)
330 /* Add TLS extension EllipticCurves to the ClientHello message */
333 if ((lenmax
= limit
- ret
- 6) < 0) return NULL
;
334 if (s
->tlsext_ellipticcurvelist_length
> (unsigned long)lenmax
) return NULL
;
335 if (s
->tlsext_ellipticcurvelist_length
> 65532)
337 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT
, ERR_R_INTERNAL_ERROR
);
341 s2n(TLSEXT_TYPE_elliptic_curves
,ret
);
342 s2n(s
->tlsext_ellipticcurvelist_length
+ 2, ret
);
344 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
345 * elliptic_curve_list, but the examples use two bytes.
346 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
347 * resolves this to two bytes.
349 s2n(s
->tlsext_ellipticcurvelist_length
, ret
);
350 memcpy(ret
, s
->tlsext_ellipticcurvelist
, s
->tlsext_ellipticcurvelist_length
);
351 ret
+=s
->tlsext_ellipticcurvelist_length
;
353 #endif /* OPENSSL_NO_EC */
355 if (!(SSL_get_options(s
) & SSL_OP_NO_TICKET
))
358 if (s
->session
&& s
->session
->tlsext_tick
)
359 ticklen
= s
->session
->tlsext_ticklen
;
362 /* Check for enough room 2 for extension type, 2 for len
365 if ((long)(limit
- ret
- 4 - ticklen
) < 0) return NULL
;
366 s2n(TLSEXT_TYPE_session_ticket
,ret
);
370 memcpy(ret
, s
->session
->tlsext_tick
, ticklen
);
375 #ifdef TLSEXT_TYPE_opaque_prf_input
376 if (s
->s3
->client_opaque_prf_input
!= NULL
)
378 size_t col
= s
->s3
->client_opaque_prf_input_len
;
380 if ((long)(limit
- ret
- 6 - col
< 0))
382 if (col
> 0xFFFD) /* can't happen */
385 s2n(TLSEXT_TYPE_opaque_prf_input
, ret
);
388 memcpy(ret
, s
->s3
->client_opaque_prf_input
, col
);
393 if (s
->tlsext_status_type
== TLSEXT_STATUSTYPE_ocsp
)
396 long extlen
, idlen
, itmp
;
400 for (i
= 0; i
< sk_OCSP_RESPID_num(s
->tlsext_ocsp_ids
); i
++)
402 id
= sk_OCSP_RESPID_value(s
->tlsext_ocsp_ids
, i
);
403 itmp
= i2d_OCSP_RESPID(id
, NULL
);
409 if (s
->tlsext_ocsp_exts
)
411 extlen
= i2d_X509_EXTENSIONS(s
->tlsext_ocsp_exts
, NULL
);
418 if ((long)(limit
- ret
- 7 - extlen
- idlen
) < 0) return NULL
;
419 s2n(TLSEXT_TYPE_status_request
, ret
);
420 if (extlen
+ idlen
> 0xFFF0)
422 s2n(extlen
+ idlen
+ 5, ret
);
423 *(ret
++) = TLSEXT_STATUSTYPE_ocsp
;
425 for (i
= 0; i
< sk_OCSP_RESPID_num(s
->tlsext_ocsp_ids
); i
++)
427 /* save position of id len */
428 unsigned char *q
= ret
;
429 id
= sk_OCSP_RESPID_value(s
->tlsext_ocsp_ids
, i
);
430 /* skip over id len */
432 itmp
= i2d_OCSP_RESPID(id
, &ret
);
438 i2d_X509_EXTENSIONS(s
->tlsext_ocsp_exts
, &ret
);
441 if ((extdatalen
= ret
-p
-2)== 0)
448 unsigned char *ssl_add_serverhello_tlsext(SSL
*s
, unsigned char *p
, unsigned char *limit
)
451 unsigned char *ret
= p
;
454 if (ret
>=limit
) return NULL
; /* this really never occurs, but ... */
456 if (!s
->hit
&& s
->servername_done
== 1 && s
->session
->tlsext_hostname
!= NULL
)
458 if ((long)(limit
- ret
- 4) < 0) return NULL
;
460 s2n(TLSEXT_TYPE_server_name
,ret
);
463 #ifndef OPENSSL_NO_EC
464 if (s
->tlsext_ecpointformatlist
!= NULL
)
466 /* Add TLS extension ECPointFormats to the ServerHello message */
469 if ((lenmax
= limit
- ret
- 5) < 0) return NULL
;
470 if (s
->tlsext_ecpointformatlist_length
> (unsigned long)lenmax
) return NULL
;
471 if (s
->tlsext_ecpointformatlist_length
> 255)
473 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT
, ERR_R_INTERNAL_ERROR
);
477 s2n(TLSEXT_TYPE_ec_point_formats
,ret
);
478 s2n(s
->tlsext_ecpointformatlist_length
+ 1,ret
);
479 *(ret
++) = (unsigned char) s
->tlsext_ecpointformatlist_length
;
480 memcpy(ret
, s
->tlsext_ecpointformatlist
, s
->tlsext_ecpointformatlist_length
);
481 ret
+=s
->tlsext_ecpointformatlist_length
;
484 /* Currently the server should not respond with a SupportedCurves extension */
485 #endif /* OPENSSL_NO_EC */
487 if (s
->tlsext_ticket_expected
488 && !(SSL_get_options(s
) & SSL_OP_NO_TICKET
))
490 if ((long)(limit
- ret
- 4) < 0) return NULL
;
491 s2n(TLSEXT_TYPE_session_ticket
,ret
);
495 if (s
->tlsext_status_expected
)
497 if ((long)(limit
- ret
- 4) < 0) return NULL
;
498 s2n(TLSEXT_TYPE_status_request
,ret
);
502 #ifdef TLSEXT_TYPE_opaque_prf_input
503 if (s
->s3
->server_opaque_prf_input
!= NULL
)
505 size_t sol
= s
->s3
->server_opaque_prf_input_len
;
507 if ((long)(limit
- ret
- 6 - sol
) < 0)
509 if (sol
> 0xFFFD) /* can't happen */
512 s2n(TLSEXT_TYPE_opaque_prf_input
, ret
);
515 memcpy(ret
, s
->s3
->server_opaque_prf_input
, sol
);
519 if (((s
->s3
->tmp
.new_cipher
->id
& 0xFFFF)==0x80 || (s
->s3
->tmp
.new_cipher
->id
& 0xFFFF)==0x81)
520 && (SSL_get_options(s
) & SSL_OP_CRYPTOPRO_TLSEXT_BUG
))
521 { const unsigned char cryptopro_ext
[36] = {
522 0xfd, 0xe8, /*65000*/
523 0x00, 0x20, /*32 bytes length*/
524 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
525 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
526 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
527 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
528 if (limit
-ret
<36) return NULL
;
529 memcpy(ret
,cryptopro_ext
,36);
534 if ((extdatalen
= ret
-p
-2)== 0)
541 int ssl_parse_clienthello_tlsext(SSL
*s
, unsigned char **p
, unsigned char *d
, int n
, int *al
)
546 unsigned char *data
= *p
;
547 s
->servername_done
= 0;
548 s
->tlsext_status_type
= -1;
554 if (data
> (d
+n
-len
))
557 while (data
<= (d
+n
-4))
562 if (data
+size
> (d
+n
))
565 fprintf(stderr
,"Received extension type %d size %d\n",type
,size
);
567 if (s
->tlsext_debug_cb
)
568 s
->tlsext_debug_cb(s
, 0, type
, data
, size
,
569 s
->tlsext_debug_arg
);
570 /* The servername extension is treated as follows:
572 - Only the hostname type is supported with a maximum length of 255.
573 - The servername is rejected if too long or if it contains zeros,
574 in which case an fatal alert is generated.
575 - The servername field is maintained together with the session cache.
576 - When a session is resumed, the servername call back invoked in order
577 to allow the application to position itself to the right context.
578 - The servername is acknowledged if it is new for a session or when
579 it is identical to a previously used for the same session.
580 Applications can control the behaviour. They can at any time
581 set a 'desirable' servername for a new SSL object. This can be the
582 case for example with HTTPS when a Host: header field is received and
583 a renegotiation is requested. In this case, a possible servername
584 presented in the new client hello is only acknowledged if it matches
585 the value of the Host: field.
586 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
587 if they provide for changing an explicit servername context for the session,
588 i.e. when the session has been established with a servername extension.
589 - On session reconnect, the servername extension may be absent.
593 if (type
== TLSEXT_TYPE_server_name
)
595 unsigned char *sdata
;
601 *al
= SSL_AD_DECODE_ERROR
;
608 *al
= SSL_AD_DECODE_ERROR
;
615 servname_type
= *(sdata
++);
621 *al
= SSL_AD_DECODE_ERROR
;
624 if (s
->servername_done
== 0)
625 switch (servname_type
)
627 case TLSEXT_NAMETYPE_host_name
:
628 if (s
->session
->tlsext_hostname
== NULL
)
630 if (len
> TLSEXT_MAXLEN_host_name
||
631 ((s
->session
->tlsext_hostname
= OPENSSL_malloc(len
+1)) == NULL
))
633 *al
= TLS1_AD_UNRECOGNIZED_NAME
;
636 memcpy(s
->session
->tlsext_hostname
, sdata
, len
);
637 s
->session
->tlsext_hostname
[len
]='\0';
638 if (strlen(s
->session
->tlsext_hostname
) != len
) {
639 OPENSSL_free(s
->session
->tlsext_hostname
);
640 *al
= TLS1_AD_UNRECOGNIZED_NAME
;
643 s
->servername_done
= 1;
647 s
->servername_done
= strlen(s
->session
->tlsext_hostname
) == len
648 && strncmp(s
->session
->tlsext_hostname
, (char *)sdata
, len
) == 0;
660 *al
= SSL_AD_DECODE_ERROR
;
666 #ifndef OPENSSL_NO_EC
667 else if (type
== TLSEXT_TYPE_ec_point_formats
)
669 unsigned char *sdata
= data
;
670 int ecpointformatlist_length
= *(sdata
++);
672 if (ecpointformatlist_length
!= size
- 1)
674 *al
= TLS1_AD_DECODE_ERROR
;
677 s
->session
->tlsext_ecpointformatlist_length
= 0;
678 if (s
->session
->tlsext_ecpointformatlist
!= NULL
) OPENSSL_free(s
->session
->tlsext_ecpointformatlist
);
679 if ((s
->session
->tlsext_ecpointformatlist
= OPENSSL_malloc(ecpointformatlist_length
)) == NULL
)
681 *al
= TLS1_AD_INTERNAL_ERROR
;
684 s
->session
->tlsext_ecpointformatlist_length
= ecpointformatlist_length
;
685 memcpy(s
->session
->tlsext_ecpointformatlist
, sdata
, ecpointformatlist_length
);
687 fprintf(stderr
,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s
->session
->tlsext_ecpointformatlist_length
);
688 sdata
= s
->session
->tlsext_ecpointformatlist
;
689 for (i
= 0; i
< s
->session
->tlsext_ecpointformatlist_length
; i
++)
690 fprintf(stderr
,"%i ",*(sdata
++));
691 fprintf(stderr
,"\n");
694 else if (type
== TLSEXT_TYPE_elliptic_curves
)
696 unsigned char *sdata
= data
;
697 int ellipticcurvelist_length
= (*(sdata
++) << 8);
698 ellipticcurvelist_length
+= (*(sdata
++));
700 if (ellipticcurvelist_length
!= size
- 2)
702 *al
= TLS1_AD_DECODE_ERROR
;
705 s
->session
->tlsext_ellipticcurvelist_length
= 0;
706 if (s
->session
->tlsext_ellipticcurvelist
!= NULL
) OPENSSL_free(s
->session
->tlsext_ellipticcurvelist
);
707 if ((s
->session
->tlsext_ellipticcurvelist
= OPENSSL_malloc(ellipticcurvelist_length
)) == NULL
)
709 *al
= TLS1_AD_INTERNAL_ERROR
;
712 s
->session
->tlsext_ellipticcurvelist_length
= ellipticcurvelist_length
;
713 memcpy(s
->session
->tlsext_ellipticcurvelist
, sdata
, ellipticcurvelist_length
);
715 fprintf(stderr
,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s
->session
->tlsext_ellipticcurvelist_length
);
716 sdata
= s
->session
->tlsext_ellipticcurvelist
;
717 for (i
= 0; i
< s
->session
->tlsext_ellipticcurvelist_length
; i
++)
718 fprintf(stderr
,"%i ",*(sdata
++));
719 fprintf(stderr
,"\n");
722 #endif /* OPENSSL_NO_EC */
723 #ifdef TLSEXT_TYPE_opaque_prf_input
724 else if (type
== TLSEXT_TYPE_opaque_prf_input
)
726 unsigned char *sdata
= data
;
730 *al
= SSL_AD_DECODE_ERROR
;
733 n2s(sdata
, s
->s3
->client_opaque_prf_input_len
);
734 if (s
->s3
->client_opaque_prf_input_len
!= size
- 2)
736 *al
= SSL_AD_DECODE_ERROR
;
740 if (s
->s3
->client_opaque_prf_input
!= NULL
) /* shouldn't really happen */
741 OPENSSL_free(s
->s3
->client_opaque_prf_input
);
742 if (s
->s3
->client_opaque_prf_input_len
== 0)
743 s
->s3
->client_opaque_prf_input
= OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
745 s
->s3
->client_opaque_prf_input
= BUF_memdup(sdata
, s
->s3
->client_opaque_prf_input_len
);
746 if (s
->s3
->client_opaque_prf_input
== NULL
)
748 *al
= TLS1_AD_INTERNAL_ERROR
;
753 else if (type
== TLSEXT_TYPE_status_request
754 && s
->ctx
->tlsext_status_cb
)
759 *al
= SSL_AD_DECODE_ERROR
;
763 s
->tlsext_status_type
= *data
++;
765 if (s
->tlsext_status_type
== TLSEXT_STATUSTYPE_ocsp
)
767 const unsigned char *sdata
;
769 /* Read in responder_id_list */
774 *al
= SSL_AD_DECODE_ERROR
;
783 *al
= SSL_AD_DECODE_ERROR
;
790 *al
= SSL_AD_DECODE_ERROR
;
795 id
= d2i_OCSP_RESPID(NULL
,
799 *al
= SSL_AD_DECODE_ERROR
;
804 OCSP_RESPID_free(id
);
805 *al
= SSL_AD_DECODE_ERROR
;
808 if (!s
->tlsext_ocsp_ids
809 && !(s
->tlsext_ocsp_ids
=
810 sk_OCSP_RESPID_new_null()))
812 OCSP_RESPID_free(id
);
813 *al
= SSL_AD_INTERNAL_ERROR
;
816 if (!sk_OCSP_RESPID_push(
817 s
->tlsext_ocsp_ids
, id
))
819 OCSP_RESPID_free(id
);
820 *al
= SSL_AD_INTERNAL_ERROR
;
825 /* Read in request_extensions */
830 *al
= SSL_AD_DECODE_ERROR
;
836 s
->tlsext_ocsp_exts
=
837 d2i_X509_EXTENSIONS(NULL
,
839 if (!s
->tlsext_ocsp_exts
840 || (data
+ dsize
!= sdata
))
842 *al
= SSL_AD_DECODE_ERROR
;
847 /* We don't know what to do with any other type
851 s
->tlsext_status_type
= -1;
854 /* session ticket processed earlier */
862 int ssl_parse_serverhello_tlsext(SSL
*s
, unsigned char **p
, unsigned char *d
, int n
, int *al
)
867 unsigned char *data
= *p
;
869 int tlsext_servername
= 0;
876 while(data
<= (d
+n
-4))
881 if (data
+size
> (d
+n
))
884 if (s
->tlsext_debug_cb
)
885 s
->tlsext_debug_cb(s
, 1, type
, data
, size
,
886 s
->tlsext_debug_arg
);
888 if (type
== TLSEXT_TYPE_server_name
)
890 if (s
->tlsext_hostname
== NULL
|| size
> 0)
892 *al
= TLS1_AD_UNRECOGNIZED_NAME
;
895 tlsext_servername
= 1;
898 #ifndef OPENSSL_NO_EC
899 else if (type
== TLSEXT_TYPE_ec_point_formats
)
901 unsigned char *sdata
= data
;
902 int ecpointformatlist_length
= *(sdata
++);
904 if (ecpointformatlist_length
!= size
- 1)
906 *al
= TLS1_AD_DECODE_ERROR
;
909 s
->session
->tlsext_ecpointformatlist_length
= 0;
910 if (s
->session
->tlsext_ecpointformatlist
!= NULL
) OPENSSL_free(s
->session
->tlsext_ecpointformatlist
);
911 if ((s
->session
->tlsext_ecpointformatlist
= OPENSSL_malloc(ecpointformatlist_length
)) == NULL
)
913 *al
= TLS1_AD_INTERNAL_ERROR
;
916 s
->session
->tlsext_ecpointformatlist_length
= ecpointformatlist_length
;
917 memcpy(s
->session
->tlsext_ecpointformatlist
, sdata
, ecpointformatlist_length
);
919 fprintf(stderr
,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
920 sdata
= s
->session
->tlsext_ecpointformatlist
;
921 for (i
= 0; i
< s
->session
->tlsext_ecpointformatlist_length
; i
++)
922 fprintf(stderr
,"%i ",*(sdata
++));
923 fprintf(stderr
,"\n");
926 #endif /* OPENSSL_NO_EC */
928 else if (type
== TLSEXT_TYPE_session_ticket
)
930 if ((SSL_get_options(s
) & SSL_OP_NO_TICKET
)
933 *al
= TLS1_AD_UNSUPPORTED_EXTENSION
;
936 s
->tlsext_ticket_expected
= 1;
938 #ifdef TLSEXT_TYPE_opaque_prf_input
939 else if (type
== TLSEXT_TYPE_opaque_prf_input
)
941 unsigned char *sdata
= data
;
945 *al
= SSL_AD_DECODE_ERROR
;
948 n2s(sdata
, s
->s3
->server_opaque_prf_input_len
);
949 if (s
->s3
->server_opaque_prf_input_len
!= size
- 2)
951 *al
= SSL_AD_DECODE_ERROR
;
955 if (s
->s3
->server_opaque_prf_input
!= NULL
) /* shouldn't really happen */
956 OPENSSL_free(s
->s3
->server_opaque_prf_input
);
957 if (s
->s3
->server_opaque_prf_input_len
== 0)
958 s
->s3
->server_opaque_prf_input
= OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
960 s
->s3
->server_opaque_prf_input
= BUF_memdup(sdata
, s
->s3
->server_opaque_prf_input_len
);
962 if (s
->s3
->server_opaque_prf_input
== NULL
)
964 *al
= TLS1_AD_INTERNAL_ERROR
;
969 else if (type
== TLSEXT_TYPE_status_request
)
971 /* MUST be empty and only sent if we've requested
972 * a status request message.
974 if ((s
->tlsext_status_type
== -1) || (size
> 0))
976 *al
= TLS1_AD_UNSUPPORTED_EXTENSION
;
979 /* Set flag to expect CertificateStatus message */
980 s
->tlsext_status_expected
= 1;
988 *al
= SSL_AD_DECODE_ERROR
;
992 if (!s
->hit
&& tlsext_servername
== 1)
994 if (s
->tlsext_hostname
)
996 if (s
->session
->tlsext_hostname
== NULL
)
998 s
->session
->tlsext_hostname
= BUF_strdup(s
->tlsext_hostname
);
999 if (!s
->session
->tlsext_hostname
)
1001 *al
= SSL_AD_UNRECOGNIZED_NAME
;
1007 *al
= SSL_AD_DECODE_ERROR
;
1018 int ssl_prepare_clienthello_tlsext(SSL
*s
)
1020 #ifndef OPENSSL_NO_EC
1021 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1022 * and elliptic curves we support.
1027 unsigned long alg_k
, alg_a
;
1028 STACK_OF(SSL_CIPHER
) *cipher_stack
= SSL_get_ciphers(s
);
1030 for (i
= 0; i
< sk_SSL_CIPHER_num(cipher_stack
); i
++)
1032 SSL_CIPHER
*c
= sk_SSL_CIPHER_value(cipher_stack
, i
);
1034 alg_k
= c
->algorithm_mkey
;
1035 alg_a
= c
->algorithm_auth
;
1036 if ((alg_k
& (SSL_kEECDH
|SSL_kECDHr
|SSL_kECDHe
) || (alg_a
& SSL_aECDSA
)))
1042 using_ecc
= using_ecc
&& (s
->version
== TLS1_VERSION
);
1045 if (s
->tlsext_ecpointformatlist
!= NULL
) OPENSSL_free(s
->tlsext_ecpointformatlist
);
1046 if ((s
->tlsext_ecpointformatlist
= OPENSSL_malloc(3)) == NULL
)
1048 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT
,ERR_R_MALLOC_FAILURE
);
1051 s
->tlsext_ecpointformatlist_length
= 3;
1052 s
->tlsext_ecpointformatlist
[0] = TLSEXT_ECPOINTFORMAT_uncompressed
;
1053 s
->tlsext_ecpointformatlist
[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime
;
1054 s
->tlsext_ecpointformatlist
[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
;
1056 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1057 if (s
->tlsext_ellipticcurvelist
!= NULL
) OPENSSL_free(s
->tlsext_ellipticcurvelist
);
1058 s
->tlsext_ellipticcurvelist_length
= sizeof(nid_list
)/sizeof(nid_list
[0]) * 2;
1059 if ((s
->tlsext_ellipticcurvelist
= OPENSSL_malloc(s
->tlsext_ellipticcurvelist_length
)) == NULL
)
1061 s
->tlsext_ellipticcurvelist_length
= 0;
1062 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT
,ERR_R_MALLOC_FAILURE
);
1065 for (i
= 1, j
= s
->tlsext_ellipticcurvelist
; (unsigned int)i
<=
1066 sizeof(nid_list
)/sizeof(nid_list
[0]); i
++)
1069 #endif /* OPENSSL_NO_EC */
1071 #ifdef TLSEXT_TYPE_opaque_prf_input
1075 if (s
->ctx
->tlsext_opaque_prf_input_callback
!= 0)
1077 r
= s
->ctx
->tlsext_opaque_prf_input_callback(s
, NULL
, 0, s
->ctx
->tlsext_opaque_prf_input_callback_arg
);
1082 if (s
->tlsext_opaque_prf_input
!= NULL
)
1084 if (s
->s3
->client_opaque_prf_input
!= NULL
) /* shouldn't really happen */
1085 OPENSSL_free(s
->s3
->client_opaque_prf_input
);
1087 if (s
->tlsext_opaque_prf_input_len
== 0)
1088 s
->s3
->client_opaque_prf_input
= OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1090 s
->s3
->client_opaque_prf_input
= BUF_memdup(s
->tlsext_opaque_prf_input
, s
->tlsext_opaque_prf_input_len
);
1091 if (s
->s3
->client_opaque_prf_input
== NULL
)
1093 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT
,ERR_R_MALLOC_FAILURE
);
1096 s
->s3
->client_opaque_prf_input_len
= s
->tlsext_opaque_prf_input_len
;
1100 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1101 s
->s3
->server_opaque_prf_input_len
= s
->tlsext_opaque_prf_input_len
;
1108 int ssl_prepare_serverhello_tlsext(SSL
*s
)
1110 #ifndef OPENSSL_NO_EC
1111 /* If we are server and using an ECC cipher suite, send the point formats we support
1112 * if the client sent us an ECPointsFormat extension. Note that the server is not
1113 * supposed to send an EllipticCurves extension.
1116 unsigned long alg_k
= s
->s3
->tmp
.new_cipher
->algorithm_mkey
;
1117 unsigned long alg_a
= s
->s3
->tmp
.new_cipher
->algorithm_auth
;
1118 int using_ecc
= (alg_k
& (SSL_kEECDH
|SSL_kECDHr
|SSL_kECDHe
)) || (alg_a
& SSL_aECDSA
);
1119 using_ecc
= using_ecc
&& (s
->session
->tlsext_ecpointformatlist
!= NULL
);
1123 if (s
->tlsext_ecpointformatlist
!= NULL
) OPENSSL_free(s
->tlsext_ecpointformatlist
);
1124 if ((s
->tlsext_ecpointformatlist
= OPENSSL_malloc(3)) == NULL
)
1126 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT
,ERR_R_MALLOC_FAILURE
);
1129 s
->tlsext_ecpointformatlist_length
= 3;
1130 s
->tlsext_ecpointformatlist
[0] = TLSEXT_ECPOINTFORMAT_uncompressed
;
1131 s
->tlsext_ecpointformatlist
[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime
;
1132 s
->tlsext_ecpointformatlist
[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
;
1134 #endif /* OPENSSL_NO_EC */
1139 int ssl_check_clienthello_tlsext(SSL
*s
)
1141 int ret
=SSL_TLSEXT_ERR_NOACK
;
1142 int al
= SSL_AD_UNRECOGNIZED_NAME
;
1144 #ifndef OPENSSL_NO_EC
1145 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1146 * ssl3_choose_cipher in s3_lib.c.
1148 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1149 * ssl3_choose_cipher in s3_lib.c.
1153 if (s
->ctx
!= NULL
&& s
->ctx
->tlsext_servername_callback
!= 0)
1154 ret
= s
->ctx
->tlsext_servername_callback(s
, &al
, s
->ctx
->tlsext_servername_arg
);
1155 else if (s
->initial_ctx
!= NULL
&& s
->initial_ctx
->tlsext_servername_callback
!= 0)
1156 ret
= s
->initial_ctx
->tlsext_servername_callback(s
, &al
, s
->initial_ctx
->tlsext_servername_arg
);
1158 /* If status request then ask callback what to do.
1159 * Note: this must be called after servername callbacks in case
1160 * the certificate has changed.
1162 if ((s
->tlsext_status_type
!= -1) && s
->ctx
->tlsext_status_cb
)
1165 r
= s
->ctx
->tlsext_status_cb(s
, s
->ctx
->tlsext_status_arg
);
1168 /* We don't want to send a status request response */
1169 case SSL_TLSEXT_ERR_NOACK
:
1170 s
->tlsext_status_expected
= 0;
1172 /* status request response should be sent */
1173 case SSL_TLSEXT_ERR_OK
:
1174 if (s
->tlsext_ocsp_resp
)
1175 s
->tlsext_status_expected
= 1;
1177 s
->tlsext_status_expected
= 0;
1179 /* something bad happened */
1180 case SSL_TLSEXT_ERR_ALERT_FATAL
:
1181 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
1182 al
= SSL_AD_INTERNAL_ERROR
;
1187 s
->tlsext_status_expected
= 0;
1189 #ifdef TLSEXT_TYPE_opaque_prf_input
1191 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1192 * but we might be sending an alert in response to the client hello,
1193 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1197 if (s
->ctx
->tlsext_opaque_prf_input_callback
!= 0)
1199 r
= s
->ctx
->tlsext_opaque_prf_input_callback(s
, NULL
, 0, s
->ctx
->tlsext_opaque_prf_input_callback_arg
);
1202 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
1203 al
= SSL_AD_INTERNAL_ERROR
;
1208 if (s
->s3
->server_opaque_prf_input
!= NULL
) /* shouldn't really happen */
1209 OPENSSL_free(s
->s3
->server_opaque_prf_input
);
1210 s
->s3
->server_opaque_prf_input
= NULL
;
1212 if (s
->tlsext_opaque_prf_input
!= NULL
)
1214 if (s
->s3
->client_opaque_prf_input
!= NULL
&&
1215 s
->s3
->client_opaque_prf_input_len
== s
->tlsext_opaque_prf_input_len
)
1217 /* can only use this extension if we have a server opaque PRF input
1218 * of the same length as the client opaque PRF input! */
1220 if (s
->tlsext_opaque_prf_input_len
== 0)
1221 s
->s3
->server_opaque_prf_input
= OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1223 s
->s3
->server_opaque_prf_input
= BUF_memdup(s
->tlsext_opaque_prf_input
, s
->tlsext_opaque_prf_input_len
);
1224 if (s
->s3
->server_opaque_prf_input
== NULL
)
1226 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
1227 al
= SSL_AD_INTERNAL_ERROR
;
1230 s
->s3
->server_opaque_prf_input_len
= s
->tlsext_opaque_prf_input_len
;
1234 if (r
== 2 && s
->s3
->server_opaque_prf_input
== NULL
)
1236 /* The callback wants to enforce use of the extension,
1237 * but we can't do that with the client opaque PRF input;
1238 * abort the handshake.
1240 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
1241 al
= SSL_AD_HANDSHAKE_FAILURE
;
1249 case SSL_TLSEXT_ERR_ALERT_FATAL
:
1250 ssl3_send_alert(s
,SSL3_AL_FATAL
,al
);
1253 case SSL_TLSEXT_ERR_ALERT_WARNING
:
1254 ssl3_send_alert(s
,SSL3_AL_WARNING
,al
);
1257 case SSL_TLSEXT_ERR_NOACK
:
1258 s
->servername_done
=0;
1264 int ssl_check_serverhello_tlsext(SSL
*s
)
1266 int ret
=SSL_TLSEXT_ERR_NOACK
;
1267 int al
= SSL_AD_UNRECOGNIZED_NAME
;
1269 #ifndef OPENSSL_NO_EC
1270 /* If we are client and using an elliptic curve cryptography cipher suite, then server
1271 * must return a an EC point formats lists containing uncompressed.
1273 unsigned long alg_k
= s
->s3
->tmp
.new_cipher
->algorithm_mkey
;
1274 unsigned long alg_a
= s
->s3
->tmp
.new_cipher
->algorithm_auth
;
1275 if ((s
->tlsext_ecpointformatlist
!= NULL
) && (s
->tlsext_ecpointformatlist_length
> 0) &&
1276 ((alg_k
& (SSL_kEECDH
|SSL_kECDHr
|SSL_kECDHe
)) || (alg_a
& SSL_aECDSA
)))
1278 /* we are using an ECC cipher */
1280 unsigned char *list
;
1281 int found_uncompressed
= 0;
1282 if ((s
->session
->tlsext_ecpointformatlist
== NULL
) || (s
->session
->tlsext_ecpointformatlist_length
== 0))
1284 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT
,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST
);
1287 list
= s
->session
->tlsext_ecpointformatlist
;
1288 for (i
= 0; i
< s
->session
->tlsext_ecpointformatlist_length
; i
++)
1290 if (*(list
++) == TLSEXT_ECPOINTFORMAT_uncompressed
)
1292 found_uncompressed
= 1;
1296 if (!found_uncompressed
)
1298 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT
,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST
);
1302 ret
= SSL_TLSEXT_ERR_OK
;
1303 #endif /* OPENSSL_NO_EC */
1305 if (s
->ctx
!= NULL
&& s
->ctx
->tlsext_servername_callback
!= 0)
1306 ret
= s
->ctx
->tlsext_servername_callback(s
, &al
, s
->ctx
->tlsext_servername_arg
);
1307 else if (s
->initial_ctx
!= NULL
&& s
->initial_ctx
->tlsext_servername_callback
!= 0)
1308 ret
= s
->initial_ctx
->tlsext_servername_callback(s
, &al
, s
->initial_ctx
->tlsext_servername_arg
);
1310 #ifdef TLSEXT_TYPE_opaque_prf_input
1311 if (s
->s3
->server_opaque_prf_input_len
> 0)
1313 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1314 * So first verify that we really have a value from the server too. */
1316 if (s
->s3
->server_opaque_prf_input
== NULL
)
1318 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
1319 al
= SSL_AD_HANDSHAKE_FAILURE
;
1322 /* Anytime the server *has* sent an opaque PRF input, we need to check
1323 * that we have a client opaque PRF input of the same size. */
1324 if (s
->s3
->client_opaque_prf_input
== NULL
||
1325 s
->s3
->client_opaque_prf_input_len
!= s
->s3
->server_opaque_prf_input_len
)
1327 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
1328 al
= SSL_AD_ILLEGAL_PARAMETER
;
1333 /* If we've requested certificate status and we wont get one
1336 if ((s
->tlsext_status_type
!= -1) && !(s
->tlsext_status_expected
)
1337 && s
->ctx
->tlsext_status_cb
)
1340 /* Set resp to NULL, resplen to -1 so callback knows
1341 * there is no response.
1343 if (s
->tlsext_ocsp_resp
)
1345 OPENSSL_free(s
->tlsext_ocsp_resp
);
1346 s
->tlsext_ocsp_resp
= NULL
;
1348 s
->tlsext_ocsp_resplen
= -1;
1349 r
= s
->ctx
->tlsext_status_cb(s
, s
->ctx
->tlsext_status_arg
);
1352 al
= SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE
;
1353 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
1357 al
= SSL_AD_INTERNAL_ERROR
;
1358 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
1364 case SSL_TLSEXT_ERR_ALERT_FATAL
:
1365 ssl3_send_alert(s
,SSL3_AL_FATAL
,al
);
1368 case SSL_TLSEXT_ERR_ALERT_WARNING
:
1369 ssl3_send_alert(s
,SSL3_AL_WARNING
,al
);
1372 case SSL_TLSEXT_ERR_NOACK
:
1373 s
->servername_done
=0;
1379 /* Since the server cache lookup is done early on in the processing of client
1380 * hello and other operations depend on the result we need to handle any TLS
1381 * session ticket extension at the same time.
1384 int tls1_process_ticket(SSL
*s
, unsigned char *session_id
, int len
,
1385 const unsigned char *limit
, SSL_SESSION
**ret
)
1387 /* Point after session ID in client hello */
1388 const unsigned char *p
= session_id
+ len
;
1390 if ((s
->version
<= SSL3_VERSION
) || !limit
)
1394 /* Skip past cipher list */
1399 /* Skip past compression algorithm list */
1404 /* Now at start of extensions */
1405 if ((p
+ 2) >= limit
)
1408 while ((p
+ 4) <= limit
)
1410 unsigned short type
, size
;
1413 if (p
+ size
> limit
)
1415 if (type
== TLSEXT_TYPE_session_ticket
)
1417 /* If tickets disabled indicate cache miss which will
1418 * trigger a full handshake
1420 if (SSL_get_options(s
) & SSL_OP_NO_TICKET
)
1422 /* If zero length not client will accept a ticket
1423 * and indicate cache miss to trigger full handshake
1427 s
->tlsext_ticket_expected
= 1;
1428 return 0; /* Cache miss */
1430 return tls_decrypt_ticket(s
, p
, size
, session_id
, len
,
1438 static int tls_decrypt_ticket(SSL
*s
, const unsigned char *etick
, int eticklen
,
1439 const unsigned char *sess_id
, int sesslen
,
1440 SSL_SESSION
**psess
)
1443 unsigned char *sdec
;
1444 const unsigned char *p
;
1445 int slen
, mlen
, renew_ticket
= 0;
1446 unsigned char tick_hmac
[EVP_MAX_MD_SIZE
];
1449 /* Need at least keyname + iv + some encrypted data */
1452 /* Initialize session ticket encryption and HMAC contexts */
1453 HMAC_CTX_init(&hctx
);
1454 EVP_CIPHER_CTX_init(&ctx
);
1455 if (s
->ctx
->tlsext_ticket_key_cb
)
1457 unsigned char *nctick
= (unsigned char *)etick
;
1458 int rv
= s
->ctx
->tlsext_ticket_key_cb(s
, nctick
, nctick
+ 16,
1469 /* Check key name matches */
1470 if (memcmp(etick
, s
->ctx
->tlsext_tick_key_name
, 16))
1472 HMAC_Init_ex(&hctx
, s
->ctx
->tlsext_tick_hmac_key
, 16,
1473 tlsext_tick_md(), NULL
);
1474 EVP_DecryptInit_ex(&ctx
, EVP_aes_128_cbc(), NULL
,
1475 s
->ctx
->tlsext_tick_aes_key
, etick
+ 16);
1477 /* Attempt to process session ticket, first conduct sanity and
1478 * integrity checks on ticket.
1480 mlen
= HMAC_size(&hctx
);
1482 /* Check HMAC of encrypted ticket */
1483 HMAC_Update(&hctx
, etick
, eticklen
);
1484 HMAC_Final(&hctx
, tick_hmac
, NULL
);
1485 HMAC_CTX_cleanup(&hctx
);
1486 if (memcmp(tick_hmac
, etick
+ eticklen
, mlen
))
1488 /* Attempt to decrypt session data */
1489 /* Move p after IV to start of encrypted ticket, update length */
1490 p
= etick
+ 16 + EVP_CIPHER_CTX_iv_length(&ctx
);
1491 eticklen
-= 16 + EVP_CIPHER_CTX_iv_length(&ctx
);
1492 sdec
= OPENSSL_malloc(eticklen
);
1495 EVP_CIPHER_CTX_cleanup(&ctx
);
1498 EVP_DecryptUpdate(&ctx
, sdec
, &slen
, p
, eticklen
);
1499 if (EVP_DecryptFinal(&ctx
, sdec
+ slen
, &mlen
) <= 0)
1502 EVP_CIPHER_CTX_cleanup(&ctx
);
1505 sess
= d2i_SSL_SESSION(NULL
, &p
, slen
);
1509 /* The session ID if non-empty is used by some clients to
1510 * detect that the ticket has been accepted. So we copy it to
1511 * the session structure. If it is empty set length to zero
1512 * as required by standard.
1515 memcpy(sess
->session_id
, sess_id
, sesslen
);
1516 sess
->session_id_length
= sesslen
;
1518 s
->tlsext_ticket_expected
= renew_ticket
;
1521 /* If session decrypt failure indicate a cache miss and set state to
1525 s
->tlsext_ticket_expected
= 1;