]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/t1_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update from stable branch.
[thirdparty/openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 const unsigned char *sess_id, int sesslen,
124 SSL_SESSION **psess);
125 #endif
126
127 SSL3_ENC_METHOD TLSv1_enc_data={
128 tls1_enc,
129 tls1_mac,
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138 tls1_alert_code,
139 };
140
141 long tls1_default_timeout(void)
142 {
143 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144 * is way too long for http, the cache would over fill */
145 return(60*60*2);
146 }
147
148 int tls1_new(SSL *s)
149 {
150 if (!ssl3_new(s)) return(0);
151 s->method->ssl_clear(s);
152 return(1);
153 }
154
155 void tls1_free(SSL *s)
156 {
157 ssl3_free(s);
158 }
159
160 void tls1_clear(SSL *s)
161 {
162 ssl3_clear(s);
163 s->version=TLS1_VERSION;
164 }
165
166 #ifndef OPENSSL_NO_EC
167 static int nid_list[] =
168 {
169 NID_sect163k1, /* sect163k1 (1) */
170 NID_sect163r1, /* sect163r1 (2) */
171 NID_sect163r2, /* sect163r2 (3) */
172 NID_sect193r1, /* sect193r1 (4) */
173 NID_sect193r2, /* sect193r2 (5) */
174 NID_sect233k1, /* sect233k1 (6) */
175 NID_sect233r1, /* sect233r1 (7) */
176 NID_sect239k1, /* sect239k1 (8) */
177 NID_sect283k1, /* sect283k1 (9) */
178 NID_sect283r1, /* sect283r1 (10) */
179 NID_sect409k1, /* sect409k1 (11) */
180 NID_sect409r1, /* sect409r1 (12) */
181 NID_sect571k1, /* sect571k1 (13) */
182 NID_sect571r1, /* sect571r1 (14) */
183 NID_secp160k1, /* secp160k1 (15) */
184 NID_secp160r1, /* secp160r1 (16) */
185 NID_secp160r2, /* secp160r2 (17) */
186 NID_secp192k1, /* secp192k1 (18) */
187 NID_X9_62_prime192v1, /* secp192r1 (19) */
188 NID_secp224k1, /* secp224k1 (20) */
189 NID_secp224r1, /* secp224r1 (21) */
190 NID_secp256k1, /* secp256k1 (22) */
191 NID_X9_62_prime256v1, /* secp256r1 (23) */
192 NID_secp384r1, /* secp384r1 (24) */
193 NID_secp521r1 /* secp521r1 (25) */
194 };
195
196 int tls1_ec_curve_id2nid(int curve_id)
197 {
198 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
199 if ((curve_id < 1) || ((unsigned int)curve_id >
200 sizeof(nid_list)/sizeof(nid_list[0])))
201 return 0;
202 return nid_list[curve_id-1];
203 }
204
205 int tls1_ec_nid2curve_id(int nid)
206 {
207 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
208 switch (nid)
209 {
210 case NID_sect163k1: /* sect163k1 (1) */
211 return 1;
212 case NID_sect163r1: /* sect163r1 (2) */
213 return 2;
214 case NID_sect163r2: /* sect163r2 (3) */
215 return 3;
216 case NID_sect193r1: /* sect193r1 (4) */
217 return 4;
218 case NID_sect193r2: /* sect193r2 (5) */
219 return 5;
220 case NID_sect233k1: /* sect233k1 (6) */
221 return 6;
222 case NID_sect233r1: /* sect233r1 (7) */
223 return 7;
224 case NID_sect239k1: /* sect239k1 (8) */
225 return 8;
226 case NID_sect283k1: /* sect283k1 (9) */
227 return 9;
228 case NID_sect283r1: /* sect283r1 (10) */
229 return 10;
230 case NID_sect409k1: /* sect409k1 (11) */
231 return 11;
232 case NID_sect409r1: /* sect409r1 (12) */
233 return 12;
234 case NID_sect571k1: /* sect571k1 (13) */
235 return 13;
236 case NID_sect571r1: /* sect571r1 (14) */
237 return 14;
238 case NID_secp160k1: /* secp160k1 (15) */
239 return 15;
240 case NID_secp160r1: /* secp160r1 (16) */
241 return 16;
242 case NID_secp160r2: /* secp160r2 (17) */
243 return 17;
244 case NID_secp192k1: /* secp192k1 (18) */
245 return 18;
246 case NID_X9_62_prime192v1: /* secp192r1 (19) */
247 return 19;
248 case NID_secp224k1: /* secp224k1 (20) */
249 return 20;
250 case NID_secp224r1: /* secp224r1 (21) */
251 return 21;
252 case NID_secp256k1: /* secp256k1 (22) */
253 return 22;
254 case NID_X9_62_prime256v1: /* secp256r1 (23) */
255 return 23;
256 case NID_secp384r1: /* secp384r1 (24) */
257 return 24;
258 case NID_secp521r1: /* secp521r1 (25) */
259 return 25;
260 default:
261 return 0;
262 }
263 }
264 #endif /* OPENSSL_NO_EC */
265
266 #ifndef OPENSSL_NO_TLSEXT
267 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
268 {
269 int extdatalen=0;
270 unsigned char *ret = p;
271
272 ret+=2;
273
274 if (ret>=limit) return NULL; /* this really never occurs, but ... */
275
276 if (s->tlsext_hostname != NULL)
277 {
278 /* Add TLS extension servername to the Client Hello message */
279 unsigned long size_str;
280 long lenmax;
281
282 /* check for enough space.
283 4 for the servername type and entension length
284 2 for servernamelist length
285 1 for the hostname type
286 2 for hostname length
287 + hostname length
288 */
289
290 if ((lenmax = limit - ret - 9) < 0
291 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
292 return NULL;
293
294 /* extension type and length */
295 s2n(TLSEXT_TYPE_server_name,ret);
296 s2n(size_str+5,ret);
297
298 /* length of servername list */
299 s2n(size_str+3,ret);
300
301 /* hostname type, length and hostname */
302 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
303 s2n(size_str,ret);
304 memcpy(ret, s->tlsext_hostname, size_str);
305 ret+=size_str;
306 }
307
308 #ifndef OPENSSL_NO_EC
309 if (s->tlsext_ecpointformatlist != NULL)
310 {
311 /* Add TLS extension ECPointFormats to the ClientHello message */
312 long lenmax;
313
314 if ((lenmax = limit - ret - 5) < 0) return NULL;
315 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
316 if (s->tlsext_ecpointformatlist_length > 255)
317 {
318 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
319 return NULL;
320 }
321
322 s2n(TLSEXT_TYPE_ec_point_formats,ret);
323 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
324 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
325 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
326 ret+=s->tlsext_ecpointformatlist_length;
327 }
328 if (s->tlsext_ellipticcurvelist != NULL)
329 {
330 /* Add TLS extension EllipticCurves to the ClientHello message */
331 long lenmax;
332
333 if ((lenmax = limit - ret - 6) < 0) return NULL;
334 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
335 if (s->tlsext_ellipticcurvelist_length > 65532)
336 {
337 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
338 return NULL;
339 }
340
341 s2n(TLSEXT_TYPE_elliptic_curves,ret);
342 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
343
344 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
345 * elliptic_curve_list, but the examples use two bytes.
346 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
347 * resolves this to two bytes.
348 */
349 s2n(s->tlsext_ellipticcurvelist_length, ret);
350 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
351 ret+=s->tlsext_ellipticcurvelist_length;
352 }
353 #endif /* OPENSSL_NO_EC */
354
355 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
356 {
357 int ticklen;
358 if (s->session && s->session->tlsext_tick)
359 ticklen = s->session->tlsext_ticklen;
360 else
361 ticklen = 0;
362 /* Check for enough room 2 for extension type, 2 for len
363 * rest for ticket
364 */
365 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
366 s2n(TLSEXT_TYPE_session_ticket,ret);
367 s2n(ticklen,ret);
368 if (ticklen)
369 {
370 memcpy(ret, s->session->tlsext_tick, ticklen);
371 ret += ticklen;
372 }
373 }
374
375 #ifdef TLSEXT_TYPE_opaque_prf_input
376 if (s->s3->client_opaque_prf_input != NULL)
377 {
378 size_t col = s->s3->client_opaque_prf_input_len;
379
380 if ((long)(limit - ret - 6 - col < 0))
381 return NULL;
382 if (col > 0xFFFD) /* can't happen */
383 return NULL;
384
385 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
386 s2n(col + 2, ret);
387 s2n(col, ret);
388 memcpy(ret, s->s3->client_opaque_prf_input, col);
389 ret += col;
390 }
391 #endif
392
393 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
394 {
395 int i;
396 long extlen, idlen, itmp;
397 OCSP_RESPID *id;
398
399 idlen = 0;
400 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
401 {
402 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
403 itmp = i2d_OCSP_RESPID(id, NULL);
404 if (itmp <= 0)
405 return NULL;
406 idlen += itmp + 2;
407 }
408
409 if (s->tlsext_ocsp_exts)
410 {
411 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
412 if (extlen < 0)
413 return NULL;
414 }
415 else
416 extlen = 0;
417
418 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
419 s2n(TLSEXT_TYPE_status_request, ret);
420 if (extlen + idlen > 0xFFF0)
421 return NULL;
422 s2n(extlen + idlen + 5, ret);
423 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
424 s2n(idlen, ret);
425 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
426 {
427 /* save position of id len */
428 unsigned char *q = ret;
429 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
430 /* skip over id len */
431 ret += 2;
432 itmp = i2d_OCSP_RESPID(id, &ret);
433 /* write id len */
434 s2n(itmp, q);
435 }
436 s2n(extlen, ret);
437 if (extlen > 0)
438 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
439 }
440
441 if ((extdatalen = ret-p-2)== 0)
442 return p;
443
444 s2n(extdatalen,p);
445 return ret;
446 }
447
448 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
449 {
450 int extdatalen=0;
451 unsigned char *ret = p;
452
453 ret+=2;
454 if (ret>=limit) return NULL; /* this really never occurs, but ... */
455
456 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
457 {
458 if ((long)(limit - ret - 4) < 0) return NULL;
459
460 s2n(TLSEXT_TYPE_server_name,ret);
461 s2n(0,ret);
462 }
463 #ifndef OPENSSL_NO_EC
464 if (s->tlsext_ecpointformatlist != NULL)
465 {
466 /* Add TLS extension ECPointFormats to the ServerHello message */
467 long lenmax;
468
469 if ((lenmax = limit - ret - 5) < 0) return NULL;
470 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471 if (s->tlsext_ecpointformatlist_length > 255)
472 {
473 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
474 return NULL;
475 }
476
477 s2n(TLSEXT_TYPE_ec_point_formats,ret);
478 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481 ret+=s->tlsext_ecpointformatlist_length;
482
483 }
484 /* Currently the server should not respond with a SupportedCurves extension */
485 #endif /* OPENSSL_NO_EC */
486
487 if (s->tlsext_ticket_expected
488 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
489 {
490 if ((long)(limit - ret - 4) < 0) return NULL;
491 s2n(TLSEXT_TYPE_session_ticket,ret);
492 s2n(0,ret);
493 }
494
495 if (s->tlsext_status_expected)
496 {
497 if ((long)(limit - ret - 4) < 0) return NULL;
498 s2n(TLSEXT_TYPE_status_request,ret);
499 s2n(0,ret);
500 }
501
502 #ifdef TLSEXT_TYPE_opaque_prf_input
503 if (s->s3->server_opaque_prf_input != NULL)
504 {
505 size_t sol = s->s3->server_opaque_prf_input_len;
506
507 if ((long)(limit - ret - 6 - sol) < 0)
508 return NULL;
509 if (sol > 0xFFFD) /* can't happen */
510 return NULL;
511
512 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
513 s2n(sol + 2, ret);
514 s2n(sol, ret);
515 memcpy(ret, s->s3->server_opaque_prf_input, sol);
516 ret += sol;
517 }
518 #endif
519 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
520 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
521 { const unsigned char cryptopro_ext[36] = {
522 0xfd, 0xe8, /*65000*/
523 0x00, 0x20, /*32 bytes length*/
524 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
525 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
526 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
527 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
528 if (limit-ret<36) return NULL;
529 memcpy(ret,cryptopro_ext,36);
530 ret+=36;
531
532 }
533
534 if ((extdatalen = ret-p-2)== 0)
535 return p;
536
537 s2n(extdatalen,p);
538 return ret;
539 }
540
541 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
542 {
543 unsigned short type;
544 unsigned short size;
545 unsigned short len;
546 unsigned char *data = *p;
547 s->servername_done = 0;
548 s->tlsext_status_type = -1;
549
550 if (data >= (d+n-2))
551 return 1;
552 n2s(data,len);
553
554 if (data > (d+n-len))
555 return 1;
556
557 while (data <= (d+n-4))
558 {
559 n2s(data,type);
560 n2s(data,size);
561
562 if (data+size > (d+n))
563 return 1;
564 #if 0
565 fprintf(stderr,"Received extension type %d size %d\n",type,size);
566 #endif
567 if (s->tlsext_debug_cb)
568 s->tlsext_debug_cb(s, 0, type, data, size,
569 s->tlsext_debug_arg);
570 /* The servername extension is treated as follows:
571
572 - Only the hostname type is supported with a maximum length of 255.
573 - The servername is rejected if too long or if it contains zeros,
574 in which case an fatal alert is generated.
575 - The servername field is maintained together with the session cache.
576 - When a session is resumed, the servername call back invoked in order
577 to allow the application to position itself to the right context.
578 - The servername is acknowledged if it is new for a session or when
579 it is identical to a previously used for the same session.
580 Applications can control the behaviour. They can at any time
581 set a 'desirable' servername for a new SSL object. This can be the
582 case for example with HTTPS when a Host: header field is received and
583 a renegotiation is requested. In this case, a possible servername
584 presented in the new client hello is only acknowledged if it matches
585 the value of the Host: field.
586 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
587 if they provide for changing an explicit servername context for the session,
588 i.e. when the session has been established with a servername extension.
589 - On session reconnect, the servername extension may be absent.
590
591 */
592
593 if (type == TLSEXT_TYPE_server_name)
594 {
595 unsigned char *sdata;
596 int servname_type;
597 int dsize;
598
599 if (size < 2)
600 {
601 *al = SSL_AD_DECODE_ERROR;
602 return 0;
603 }
604 n2s(data,dsize);
605 size -= 2;
606 if (dsize > size )
607 {
608 *al = SSL_AD_DECODE_ERROR;
609 return 0;
610 }
611
612 sdata = data;
613 while (dsize > 3)
614 {
615 servname_type = *(sdata++);
616 n2s(sdata,len);
617 dsize -= 3;
618
619 if (len > dsize)
620 {
621 *al = SSL_AD_DECODE_ERROR;
622 return 0;
623 }
624 if (s->servername_done == 0)
625 switch (servname_type)
626 {
627 case TLSEXT_NAMETYPE_host_name:
628 if (s->session->tlsext_hostname == NULL)
629 {
630 if (len > TLSEXT_MAXLEN_host_name ||
631 ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
632 {
633 *al = TLS1_AD_UNRECOGNIZED_NAME;
634 return 0;
635 }
636 memcpy(s->session->tlsext_hostname, sdata, len);
637 s->session->tlsext_hostname[len]='\0';
638 if (strlen(s->session->tlsext_hostname) != len) {
639 OPENSSL_free(s->session->tlsext_hostname);
640 *al = TLS1_AD_UNRECOGNIZED_NAME;
641 return 0;
642 }
643 s->servername_done = 1;
644
645 }
646 else
647 s->servername_done = strlen(s->session->tlsext_hostname) == len
648 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
649
650 break;
651
652 default:
653 break;
654 }
655
656 dsize -= len;
657 }
658 if (dsize != 0)
659 {
660 *al = SSL_AD_DECODE_ERROR;
661 return 0;
662 }
663
664 }
665
666 #ifndef OPENSSL_NO_EC
667 else if (type == TLSEXT_TYPE_ec_point_formats)
668 {
669 unsigned char *sdata = data;
670 int ecpointformatlist_length = *(sdata++);
671
672 if (ecpointformatlist_length != size - 1)
673 {
674 *al = TLS1_AD_DECODE_ERROR;
675 return 0;
676 }
677 s->session->tlsext_ecpointformatlist_length = 0;
678 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
679 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
680 {
681 *al = TLS1_AD_INTERNAL_ERROR;
682 return 0;
683 }
684 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
685 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
686 #if 0
687 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
688 sdata = s->session->tlsext_ecpointformatlist;
689 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
690 fprintf(stderr,"%i ",*(sdata++));
691 fprintf(stderr,"\n");
692 #endif
693 }
694 else if (type == TLSEXT_TYPE_elliptic_curves)
695 {
696 unsigned char *sdata = data;
697 int ellipticcurvelist_length = (*(sdata++) << 8);
698 ellipticcurvelist_length += (*(sdata++));
699
700 if (ellipticcurvelist_length != size - 2)
701 {
702 *al = TLS1_AD_DECODE_ERROR;
703 return 0;
704 }
705 s->session->tlsext_ellipticcurvelist_length = 0;
706 if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
707 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
708 {
709 *al = TLS1_AD_INTERNAL_ERROR;
710 return 0;
711 }
712 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
713 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
714 #if 0
715 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
716 sdata = s->session->tlsext_ellipticcurvelist;
717 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
718 fprintf(stderr,"%i ",*(sdata++));
719 fprintf(stderr,"\n");
720 #endif
721 }
722 #endif /* OPENSSL_NO_EC */
723 #ifdef TLSEXT_TYPE_opaque_prf_input
724 else if (type == TLSEXT_TYPE_opaque_prf_input)
725 {
726 unsigned char *sdata = data;
727
728 if (size < 2)
729 {
730 *al = SSL_AD_DECODE_ERROR;
731 return 0;
732 }
733 n2s(sdata, s->s3->client_opaque_prf_input_len);
734 if (s->s3->client_opaque_prf_input_len != size - 2)
735 {
736 *al = SSL_AD_DECODE_ERROR;
737 return 0;
738 }
739
740 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
741 OPENSSL_free(s->s3->client_opaque_prf_input);
742 if (s->s3->client_opaque_prf_input_len == 0)
743 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
744 else
745 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
746 if (s->s3->client_opaque_prf_input == NULL)
747 {
748 *al = TLS1_AD_INTERNAL_ERROR;
749 return 0;
750 }
751 }
752 #endif
753 else if (type == TLSEXT_TYPE_status_request
754 && s->ctx->tlsext_status_cb)
755 {
756
757 if (size < 5)
758 {
759 *al = SSL_AD_DECODE_ERROR;
760 return 0;
761 }
762
763 s->tlsext_status_type = *data++;
764 size--;
765 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
766 {
767 const unsigned char *sdata;
768 int dsize;
769 /* Read in responder_id_list */
770 n2s(data,dsize);
771 size -= 2;
772 if (dsize > size )
773 {
774 *al = SSL_AD_DECODE_ERROR;
775 return 0;
776 }
777 while (dsize > 0)
778 {
779 OCSP_RESPID *id;
780 int idsize;
781 if (dsize < 4)
782 {
783 *al = SSL_AD_DECODE_ERROR;
784 return 0;
785 }
786 n2s(data, idsize);
787 dsize -= 2 + idsize;
788 if (dsize < 0)
789 {
790 *al = SSL_AD_DECODE_ERROR;
791 return 0;
792 }
793 sdata = data;
794 data += idsize;
795 id = d2i_OCSP_RESPID(NULL,
796 &sdata, idsize);
797 if (!id)
798 {
799 *al = SSL_AD_DECODE_ERROR;
800 return 0;
801 }
802 if (data != sdata)
803 {
804 OCSP_RESPID_free(id);
805 *al = SSL_AD_DECODE_ERROR;
806 return 0;
807 }
808 if (!s->tlsext_ocsp_ids
809 && !(s->tlsext_ocsp_ids =
810 sk_OCSP_RESPID_new_null()))
811 {
812 OCSP_RESPID_free(id);
813 *al = SSL_AD_INTERNAL_ERROR;
814 return 0;
815 }
816 if (!sk_OCSP_RESPID_push(
817 s->tlsext_ocsp_ids, id))
818 {
819 OCSP_RESPID_free(id);
820 *al = SSL_AD_INTERNAL_ERROR;
821 return 0;
822 }
823 }
824
825 /* Read in request_extensions */
826 n2s(data,dsize);
827 size -= 2;
828 if (dsize > size)
829 {
830 *al = SSL_AD_DECODE_ERROR;
831 return 0;
832 }
833 sdata = data;
834 if (dsize > 0)
835 {
836 s->tlsext_ocsp_exts =
837 d2i_X509_EXTENSIONS(NULL,
838 &sdata, dsize);
839 if (!s->tlsext_ocsp_exts
840 || (data + dsize != sdata))
841 {
842 *al = SSL_AD_DECODE_ERROR;
843 return 0;
844 }
845 }
846 }
847 /* We don't know what to do with any other type
848 * so ignore it.
849 */
850 else
851 s->tlsext_status_type = -1;
852 }
853
854 /* session ticket processed earlier */
855 data+=size;
856 }
857
858 *p = data;
859 return 1;
860 }
861
862 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
863 {
864 unsigned short type;
865 unsigned short size;
866 unsigned short len;
867 unsigned char *data = *p;
868
869 int tlsext_servername = 0;
870
871 if (data >= (d+n-2))
872 return 1;
873
874 n2s(data,len);
875
876 while(data <= (d+n-4))
877 {
878 n2s(data,type);
879 n2s(data,size);
880
881 if (data+size > (d+n))
882 return 1;
883
884 if (s->tlsext_debug_cb)
885 s->tlsext_debug_cb(s, 1, type, data, size,
886 s->tlsext_debug_arg);
887
888 if (type == TLSEXT_TYPE_server_name)
889 {
890 if (s->tlsext_hostname == NULL || size > 0)
891 {
892 *al = TLS1_AD_UNRECOGNIZED_NAME;
893 return 0;
894 }
895 tlsext_servername = 1;
896 }
897
898 #ifndef OPENSSL_NO_EC
899 else if (type == TLSEXT_TYPE_ec_point_formats)
900 {
901 unsigned char *sdata = data;
902 int ecpointformatlist_length = *(sdata++);
903
904 if (ecpointformatlist_length != size - 1)
905 {
906 *al = TLS1_AD_DECODE_ERROR;
907 return 0;
908 }
909 s->session->tlsext_ecpointformatlist_length = 0;
910 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
911 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
912 {
913 *al = TLS1_AD_INTERNAL_ERROR;
914 return 0;
915 }
916 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
917 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
918 #if 0
919 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
920 sdata = s->session->tlsext_ecpointformatlist;
921 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
922 fprintf(stderr,"%i ",*(sdata++));
923 fprintf(stderr,"\n");
924 #endif
925 }
926 #endif /* OPENSSL_NO_EC */
927
928 else if (type == TLSEXT_TYPE_session_ticket)
929 {
930 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
931 || (size > 0))
932 {
933 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
934 return 0;
935 }
936 s->tlsext_ticket_expected = 1;
937 }
938 #ifdef TLSEXT_TYPE_opaque_prf_input
939 else if (type == TLSEXT_TYPE_opaque_prf_input)
940 {
941 unsigned char *sdata = data;
942
943 if (size < 2)
944 {
945 *al = SSL_AD_DECODE_ERROR;
946 return 0;
947 }
948 n2s(sdata, s->s3->server_opaque_prf_input_len);
949 if (s->s3->server_opaque_prf_input_len != size - 2)
950 {
951 *al = SSL_AD_DECODE_ERROR;
952 return 0;
953 }
954
955 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
956 OPENSSL_free(s->s3->server_opaque_prf_input);
957 if (s->s3->server_opaque_prf_input_len == 0)
958 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
959 else
960 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
961
962 if (s->s3->server_opaque_prf_input == NULL)
963 {
964 *al = TLS1_AD_INTERNAL_ERROR;
965 return 0;
966 }
967 }
968 #endif
969 else if (type == TLSEXT_TYPE_status_request)
970 {
971 /* MUST be empty and only sent if we've requested
972 * a status request message.
973 */
974 if ((s->tlsext_status_type == -1) || (size > 0))
975 {
976 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
977 return 0;
978 }
979 /* Set flag to expect CertificateStatus message */
980 s->tlsext_status_expected = 1;
981 }
982
983 data+=size;
984 }
985
986 if (data != d+n)
987 {
988 *al = SSL_AD_DECODE_ERROR;
989 return 0;
990 }
991
992 if (!s->hit && tlsext_servername == 1)
993 {
994 if (s->tlsext_hostname)
995 {
996 if (s->session->tlsext_hostname == NULL)
997 {
998 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
999 if (!s->session->tlsext_hostname)
1000 {
1001 *al = SSL_AD_UNRECOGNIZED_NAME;
1002 return 0;
1003 }
1004 }
1005 else
1006 {
1007 *al = SSL_AD_DECODE_ERROR;
1008 return 0;
1009 }
1010 }
1011 }
1012
1013 *p = data;
1014 return 1;
1015 }
1016
1017
1018 int ssl_prepare_clienthello_tlsext(SSL *s)
1019 {
1020 #ifndef OPENSSL_NO_EC
1021 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1022 * and elliptic curves we support.
1023 */
1024 int using_ecc = 0;
1025 int i;
1026 unsigned char *j;
1027 unsigned long alg_k, alg_a;
1028 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1029
1030 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1031 {
1032 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1033
1034 alg_k = c->algorithm_mkey;
1035 alg_a = c->algorithm_auth;
1036 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1037 {
1038 using_ecc = 1;
1039 break;
1040 }
1041 }
1042 using_ecc = using_ecc && (s->version == TLS1_VERSION);
1043 if (using_ecc)
1044 {
1045 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1046 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1047 {
1048 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1049 return -1;
1050 }
1051 s->tlsext_ecpointformatlist_length = 3;
1052 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1053 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1054 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1055
1056 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1057 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1058 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1059 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1060 {
1061 s->tlsext_ellipticcurvelist_length = 0;
1062 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1063 return -1;
1064 }
1065 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1066 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1067 s2n(i,j);
1068 }
1069 #endif /* OPENSSL_NO_EC */
1070
1071 #ifdef TLSEXT_TYPE_opaque_prf_input
1072 {
1073 int r = 1;
1074
1075 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1076 {
1077 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1078 if (!r)
1079 return -1;
1080 }
1081
1082 if (s->tlsext_opaque_prf_input != NULL)
1083 {
1084 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1085 OPENSSL_free(s->s3->client_opaque_prf_input);
1086
1087 if (s->tlsext_opaque_prf_input_len == 0)
1088 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1089 else
1090 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1091 if (s->s3->client_opaque_prf_input == NULL)
1092 {
1093 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1094 return -1;
1095 }
1096 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1097 }
1098
1099 if (r == 2)
1100 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1101 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1102 }
1103 #endif
1104
1105 return 1;
1106 }
1107
1108 int ssl_prepare_serverhello_tlsext(SSL *s)
1109 {
1110 #ifndef OPENSSL_NO_EC
1111 /* If we are server and using an ECC cipher suite, send the point formats we support
1112 * if the client sent us an ECPointsFormat extension. Note that the server is not
1113 * supposed to send an EllipticCurves extension.
1114 */
1115
1116 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1117 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1118 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1119 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1120
1121 if (using_ecc)
1122 {
1123 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1124 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1125 {
1126 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1127 return -1;
1128 }
1129 s->tlsext_ecpointformatlist_length = 3;
1130 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1131 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1132 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1133 }
1134 #endif /* OPENSSL_NO_EC */
1135
1136 return 1;
1137 }
1138
1139 int ssl_check_clienthello_tlsext(SSL *s)
1140 {
1141 int ret=SSL_TLSEXT_ERR_NOACK;
1142 int al = SSL_AD_UNRECOGNIZED_NAME;
1143
1144 #ifndef OPENSSL_NO_EC
1145 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1146 * ssl3_choose_cipher in s3_lib.c.
1147 */
1148 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1149 * ssl3_choose_cipher in s3_lib.c.
1150 */
1151 #endif
1152
1153 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1154 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1155 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1156 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1157
1158 /* If status request then ask callback what to do.
1159 * Note: this must be called after servername callbacks in case
1160 * the certificate has changed.
1161 */
1162 if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
1163 {
1164 int r;
1165 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1166 switch (r)
1167 {
1168 /* We don't want to send a status request response */
1169 case SSL_TLSEXT_ERR_NOACK:
1170 s->tlsext_status_expected = 0;
1171 break;
1172 /* status request response should be sent */
1173 case SSL_TLSEXT_ERR_OK:
1174 if (s->tlsext_ocsp_resp)
1175 s->tlsext_status_expected = 1;
1176 else
1177 s->tlsext_status_expected = 0;
1178 break;
1179 /* something bad happened */
1180 case SSL_TLSEXT_ERR_ALERT_FATAL:
1181 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1182 al = SSL_AD_INTERNAL_ERROR;
1183 goto err;
1184 }
1185 }
1186 else
1187 s->tlsext_status_expected = 0;
1188
1189 #ifdef TLSEXT_TYPE_opaque_prf_input
1190 {
1191 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1192 * but we might be sending an alert in response to the client hello,
1193 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1194
1195 int r = 1;
1196
1197 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1198 {
1199 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1200 if (!r)
1201 {
1202 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1203 al = SSL_AD_INTERNAL_ERROR;
1204 goto err;
1205 }
1206 }
1207
1208 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1209 OPENSSL_free(s->s3->server_opaque_prf_input);
1210 s->s3->server_opaque_prf_input = NULL;
1211
1212 if (s->tlsext_opaque_prf_input != NULL)
1213 {
1214 if (s->s3->client_opaque_prf_input != NULL &&
1215 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1216 {
1217 /* can only use this extension if we have a server opaque PRF input
1218 * of the same length as the client opaque PRF input! */
1219
1220 if (s->tlsext_opaque_prf_input_len == 0)
1221 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1222 else
1223 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1224 if (s->s3->server_opaque_prf_input == NULL)
1225 {
1226 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1227 al = SSL_AD_INTERNAL_ERROR;
1228 goto err;
1229 }
1230 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1231 }
1232 }
1233
1234 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1235 {
1236 /* The callback wants to enforce use of the extension,
1237 * but we can't do that with the client opaque PRF input;
1238 * abort the handshake.
1239 */
1240 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1241 al = SSL_AD_HANDSHAKE_FAILURE;
1242 }
1243 }
1244
1245 #endif
1246 err:
1247 switch (ret)
1248 {
1249 case SSL_TLSEXT_ERR_ALERT_FATAL:
1250 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1251 return -1;
1252
1253 case SSL_TLSEXT_ERR_ALERT_WARNING:
1254 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1255 return 1;
1256
1257 case SSL_TLSEXT_ERR_NOACK:
1258 s->servername_done=0;
1259 default:
1260 return 1;
1261 }
1262 }
1263
1264 int ssl_check_serverhello_tlsext(SSL *s)
1265 {
1266 int ret=SSL_TLSEXT_ERR_NOACK;
1267 int al = SSL_AD_UNRECOGNIZED_NAME;
1268
1269 #ifndef OPENSSL_NO_EC
1270 /* If we are client and using an elliptic curve cryptography cipher suite, then server
1271 * must return a an EC point formats lists containing uncompressed.
1272 */
1273 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1274 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1275 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
1276 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1277 {
1278 /* we are using an ECC cipher */
1279 size_t i;
1280 unsigned char *list;
1281 int found_uncompressed = 0;
1282 if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
1283 {
1284 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1285 return -1;
1286 }
1287 list = s->session->tlsext_ecpointformatlist;
1288 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1289 {
1290 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1291 {
1292 found_uncompressed = 1;
1293 break;
1294 }
1295 }
1296 if (!found_uncompressed)
1297 {
1298 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1299 return -1;
1300 }
1301 }
1302 ret = SSL_TLSEXT_ERR_OK;
1303 #endif /* OPENSSL_NO_EC */
1304
1305 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1306 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1307 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1308 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1309
1310 #ifdef TLSEXT_TYPE_opaque_prf_input
1311 if (s->s3->server_opaque_prf_input_len > 0)
1312 {
1313 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1314 * So first verify that we really have a value from the server too. */
1315
1316 if (s->s3->server_opaque_prf_input == NULL)
1317 {
1318 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1319 al = SSL_AD_HANDSHAKE_FAILURE;
1320 }
1321
1322 /* Anytime the server *has* sent an opaque PRF input, we need to check
1323 * that we have a client opaque PRF input of the same size. */
1324 if (s->s3->client_opaque_prf_input == NULL ||
1325 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1326 {
1327 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1328 al = SSL_AD_ILLEGAL_PARAMETER;
1329 }
1330 }
1331 #endif
1332
1333 /* If we've requested certificate status and we wont get one
1334 * tell the callback
1335 */
1336 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1337 && s->ctx->tlsext_status_cb)
1338 {
1339 int r;
1340 /* Set resp to NULL, resplen to -1 so callback knows
1341 * there is no response.
1342 */
1343 if (s->tlsext_ocsp_resp)
1344 {
1345 OPENSSL_free(s->tlsext_ocsp_resp);
1346 s->tlsext_ocsp_resp = NULL;
1347 }
1348 s->tlsext_ocsp_resplen = -1;
1349 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1350 if (r == 0)
1351 {
1352 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1353 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1354 }
1355 if (r < 0)
1356 {
1357 al = SSL_AD_INTERNAL_ERROR;
1358 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1359 }
1360 }
1361
1362 switch (ret)
1363 {
1364 case SSL_TLSEXT_ERR_ALERT_FATAL:
1365 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1366 return -1;
1367
1368 case SSL_TLSEXT_ERR_ALERT_WARNING:
1369 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1370 return 1;
1371
1372 case SSL_TLSEXT_ERR_NOACK:
1373 s->servername_done=0;
1374 default:
1375 return 1;
1376 }
1377 }
1378
1379 /* Since the server cache lookup is done early on in the processing of client
1380 * hello and other operations depend on the result we need to handle any TLS
1381 * session ticket extension at the same time.
1382 */
1383
1384 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1385 const unsigned char *limit, SSL_SESSION **ret)
1386 {
1387 /* Point after session ID in client hello */
1388 const unsigned char *p = session_id + len;
1389 unsigned short i;
1390 if ((s->version <= SSL3_VERSION) || !limit)
1391 return 1;
1392 if (p >= limit)
1393 return -1;
1394 /* Skip past cipher list */
1395 n2s(p, i);
1396 p+= i;
1397 if (p >= limit)
1398 return -1;
1399 /* Skip past compression algorithm list */
1400 i = *(p++);
1401 p += i;
1402 if (p > limit)
1403 return -1;
1404 /* Now at start of extensions */
1405 if ((p + 2) >= limit)
1406 return 1;
1407 n2s(p, i);
1408 while ((p + 4) <= limit)
1409 {
1410 unsigned short type, size;
1411 n2s(p, type);
1412 n2s(p, size);
1413 if (p + size > limit)
1414 return 1;
1415 if (type == TLSEXT_TYPE_session_ticket)
1416 {
1417 /* If tickets disabled indicate cache miss which will
1418 * trigger a full handshake
1419 */
1420 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1421 return 0;
1422 /* If zero length not client will accept a ticket
1423 * and indicate cache miss to trigger full handshake
1424 */
1425 if (size == 0)
1426 {
1427 s->tlsext_ticket_expected = 1;
1428 return 0; /* Cache miss */
1429 }
1430 return tls_decrypt_ticket(s, p, size, session_id, len,
1431 ret);
1432 }
1433 p += size;
1434 }
1435 return 1;
1436 }
1437
1438 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1439 const unsigned char *sess_id, int sesslen,
1440 SSL_SESSION **psess)
1441 {
1442 SSL_SESSION *sess;
1443 unsigned char *sdec;
1444 const unsigned char *p;
1445 int slen, mlen, renew_ticket = 0;
1446 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1447 HMAC_CTX hctx;
1448 EVP_CIPHER_CTX ctx;
1449 /* Need at least keyname + iv + some encrypted data */
1450 if (eticklen < 48)
1451 goto tickerr;
1452 /* Initialize session ticket encryption and HMAC contexts */
1453 HMAC_CTX_init(&hctx);
1454 EVP_CIPHER_CTX_init(&ctx);
1455 if (s->ctx->tlsext_ticket_key_cb)
1456 {
1457 unsigned char *nctick = (unsigned char *)etick;
1458 int rv = s->ctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1459 &ctx, &hctx, 0);
1460 if (rv < 0)
1461 return -1;
1462 if (rv == 0)
1463 goto tickerr;
1464 if (rv == 2)
1465 renew_ticket = 1;
1466 }
1467 else
1468 {
1469 /* Check key name matches */
1470 if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
1471 goto tickerr;
1472 HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
1473 tlsext_tick_md(), NULL);
1474 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1475 s->ctx->tlsext_tick_aes_key, etick + 16);
1476 }
1477 /* Attempt to process session ticket, first conduct sanity and
1478 * integrity checks on ticket.
1479 */
1480 mlen = HMAC_size(&hctx);
1481 eticklen -= mlen;
1482 /* Check HMAC of encrypted ticket */
1483 HMAC_Update(&hctx, etick, eticklen);
1484 HMAC_Final(&hctx, tick_hmac, NULL);
1485 HMAC_CTX_cleanup(&hctx);
1486 if (memcmp(tick_hmac, etick + eticklen, mlen))
1487 goto tickerr;
1488 /* Attempt to decrypt session data */
1489 /* Move p after IV to start of encrypted ticket, update length */
1490 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1491 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1492 sdec = OPENSSL_malloc(eticklen);
1493 if (!sdec)
1494 {
1495 EVP_CIPHER_CTX_cleanup(&ctx);
1496 return -1;
1497 }
1498 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1499 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1500 goto tickerr;
1501 slen += mlen;
1502 EVP_CIPHER_CTX_cleanup(&ctx);
1503 p = sdec;
1504
1505 sess = d2i_SSL_SESSION(NULL, &p, slen);
1506 OPENSSL_free(sdec);
1507 if (sess)
1508 {
1509 /* The session ID if non-empty is used by some clients to
1510 * detect that the ticket has been accepted. So we copy it to
1511 * the session structure. If it is empty set length to zero
1512 * as required by standard.
1513 */
1514 if (sesslen)
1515 memcpy(sess->session_id, sess_id, sesslen);
1516 sess->session_id_length = sesslen;
1517 *psess = sess;
1518 s->tlsext_ticket_expected = renew_ticket;
1519 return 1;
1520 }
1521 /* If session decrypt failure indicate a cache miss and set state to
1522 * send a new ticket
1523 */
1524 tickerr:
1525 s->tlsext_ticket_expected = 1;
1526 return 0;
1527 }
1528
1529 #endif
A mirror of the official openssl repository