OLD | NEW |
1 /* ssl/t1_lib.c */ | 1 /* ssl/t1_lib.c */ |
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 * All rights reserved. | 3 * All rights reserved. |
4 * | 4 * |
5 * This package is an SSL implementation written | 5 * This package is an SSL implementation written |
6 * by Eric Young (eay@cryptsoft.com). | 6 * by Eric Young (eay@cryptsoft.com). |
7 * The implementation was written so as to conform with Netscapes SSL. | 7 * The implementation was written so as to conform with Netscapes SSL. |
8 * | 8 * |
9 * This library is free for commercial and non-commercial use as long as | 9 * This library is free for commercial and non-commercial use as long as |
10 * the following conditions are aheared to. The following conditions | 10 * the following conditions are aheared to. The following conditions |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 * SUCH DAMAGE. | 51 * SUCH DAMAGE. |
52 * | 52 * |
53 * The licence and distribution terms for any publically available version or | 53 * The licence and distribution terms for any publically available version or |
54 * derivative of this code cannot be changed. i.e. this code cannot simply be | 54 * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 * copied and put under another distribution licence | 55 * copied and put under another distribution licence |
56 * [including the GNU Public Licence.] | 56 * [including the GNU Public Licence.] |
57 */ | 57 */ |
| 58 /* ==================================================================== |
| 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. |
| 60 * |
| 61 * Redistribution and use in source and binary forms, with or without |
| 62 * modification, are permitted provided that the following conditions |
| 63 * are met: |
| 64 * |
| 65 * 1. Redistributions of source code must retain the above copyright |
| 66 * notice, this list of conditions and the following disclaimer. |
| 67 * |
| 68 * 2. Redistributions in binary form must reproduce the above copyright |
| 69 * notice, this list of conditions and the following disclaimer in |
| 70 * the documentation and/or other materials provided with the |
| 71 * distribution. |
| 72 * |
| 73 * 3. All advertising materials mentioning features or use of this |
| 74 * software must display the following acknowledgment: |
| 75 * "This product includes software developed by the OpenSSL Project |
| 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
| 77 * |
| 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
| 79 * endorse or promote products derived from this software without |
| 80 * prior written permission. For written permission, please contact |
| 81 * openssl-core@openssl.org. |
| 82 * |
| 83 * 5. Products derived from this software may not be called "OpenSSL" |
| 84 * nor may "OpenSSL" appear in their names without prior written |
| 85 * permission of the OpenSSL Project. |
| 86 * |
| 87 * 6. Redistributions of any form whatsoever must retain the following |
| 88 * acknowledgment: |
| 89 * "This product includes software developed by the OpenSSL Project |
| 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
| 91 * |
| 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
| 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
| 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 103 * OF THE POSSIBILITY OF SUCH DAMAGE. |
| 104 * ==================================================================== |
| 105 * |
| 106 * This product includes cryptographic software written by Eric Young |
| 107 * (eay@cryptsoft.com). This product includes software written by Tim |
| 108 * Hudson (tjh@cryptsoft.com). |
| 109 * |
| 110 */ |
58 | 111 |
59 #include <stdio.h> | 112 #include <stdio.h> |
60 #include <openssl/objects.h> | 113 #include <openssl/objects.h> |
61 #include <openssl/evp.h> | 114 #include <openssl/evp.h> |
62 #include <openssl/hmac.h> | 115 #include <openssl/hmac.h> |
63 #include <openssl/ocsp.h> | 116 #include <openssl/ocsp.h> |
64 #include "ssl_locl.h" | 117 #include "ssl_locl.h" |
65 #include "fnv1a64.h" | |
66 | 118 |
67 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; | 119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; |
68 | 120 |
69 #ifndef OPENSSL_NO_TLSEXT | 121 #ifndef OPENSSL_NO_TLSEXT |
70 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, | 122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, |
71 const unsigned char *sess_id, int sesslen, | 123 const unsigned char *sess_id, int sesslen, |
72 SSL_SESSION **psess); | 124 SSL_SESSION **psess); |
73 #endif | 125 #endif |
74 | 126 |
75 SSL3_ENC_METHOD TLSv1_enc_data={ | 127 SSL3_ENC_METHOD TLSv1_enc_data={ |
(...skipping 10 matching lines...) Expand all Loading... |
86 tls1_alert_code, | 138 tls1_alert_code, |
87 }; | 139 }; |
88 | 140 |
89 long tls1_default_timeout(void) | 141 long tls1_default_timeout(void) |
90 { | 142 { |
91 /* 2 hours, the 24 hours mentioned in the TLSv1 spec | 143 /* 2 hours, the 24 hours mentioned in the TLSv1 spec |
92 * is way too long for http, the cache would over fill */ | 144 * is way too long for http, the cache would over fill */ |
93 return(60*60*2); | 145 return(60*60*2); |
94 } | 146 } |
95 | 147 |
96 IMPLEMENT_tls1_meth_func(tlsv1_base_method, | |
97 ssl_undefined_function, | |
98 ssl_undefined_function, | |
99 ssl_bad_method) | |
100 | |
101 int tls1_new(SSL *s) | 148 int tls1_new(SSL *s) |
102 { | 149 { |
103 if (!ssl3_new(s)) return(0); | 150 if (!ssl3_new(s)) return(0); |
104 s->method->ssl_clear(s); | 151 s->method->ssl_clear(s); |
105 return(1); | 152 return(1); |
106 } | 153 } |
107 | 154 |
108 void tls1_free(SSL *s) | 155 void tls1_free(SSL *s) |
109 { | 156 { |
| 157 #ifndef OPENSSL_NO_TLSEXT |
| 158 if (s->tlsext_session_ticket) |
| 159 { |
| 160 OPENSSL_free(s->tlsext_session_ticket); |
| 161 } |
| 162 #endif /* OPENSSL_NO_TLSEXT */ |
110 ssl3_free(s); | 163 ssl3_free(s); |
111 } | 164 } |
112 | 165 |
113 void tls1_clear(SSL *s) | 166 void tls1_clear(SSL *s) |
114 { | 167 { |
115 ssl3_clear(s); | 168 ssl3_clear(s); |
116 s->version=TLS1_VERSION; | 169 s->version=TLS1_VERSION; |
117 } | 170 } |
118 | 171 |
119 #if 0 | 172 #ifndef OPENSSL_NO_EC |
120 long tls1_ctrl(SSL *s, int cmd, long larg, char *parg) | 173 static int nid_list[] = |
121 { | 174 { |
122 » return(0); | 175 » » NID_sect163k1, /* sect163k1 (1) */ |
| 176 » » NID_sect163r1, /* sect163r1 (2) */ |
| 177 » » NID_sect163r2, /* sect163r2 (3) */ |
| 178 » » NID_sect193r1, /* sect193r1 (4) */ |
| 179 » » NID_sect193r2, /* sect193r2 (5) */ |
| 180 » » NID_sect233k1, /* sect233k1 (6) */ |
| 181 » » NID_sect233r1, /* sect233r1 (7) */ |
| 182 » » NID_sect239k1, /* sect239k1 (8) */ |
| 183 » » NID_sect283k1, /* sect283k1 (9) */ |
| 184 » » NID_sect283r1, /* sect283r1 (10) */ |
| 185 » » NID_sect409k1, /* sect409k1 (11) */ |
| 186 » » NID_sect409r1, /* sect409r1 (12) */ |
| 187 » » NID_sect571k1, /* sect571k1 (13) */ |
| 188 » » NID_sect571r1, /* sect571r1 (14) */ |
| 189 » » NID_secp160k1, /* secp160k1 (15) */ |
| 190 » » NID_secp160r1, /* secp160r1 (16) */ |
| 191 » » NID_secp160r2, /* secp160r2 (17) */ |
| 192 » » NID_secp192k1, /* secp192k1 (18) */ |
| 193 » » NID_X9_62_prime192v1, /* secp192r1 (19) */ |
| 194 » » NID_secp224k1, /* secp224k1 (20) */ |
| 195 » » NID_secp224r1, /* secp224r1 (21) */ |
| 196 » » NID_secp256k1, /* secp256k1 (22) */ |
| 197 » » NID_X9_62_prime256v1, /* secp256r1 (23) */ |
| 198 » » NID_secp384r1, /* secp384r1 (24) */ |
| 199 » » NID_secp521r1 /* secp521r1 (25) */» |
| 200 » }; |
| 201 » |
| 202 int tls1_ec_curve_id2nid(int curve_id) |
| 203 » { |
| 204 » /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ |
| 205 » if ((curve_id < 1) || ((unsigned int)curve_id > |
| 206 » » » » sizeof(nid_list)/sizeof(nid_list[0]))) |
| 207 » » return 0; |
| 208 » return nid_list[curve_id-1]; |
123 } | 209 } |
124 | 210 |
125 long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp)()) | 211 int tls1_ec_nid2curve_id(int nid) |
126 { | 212 { |
127 » return(0); | 213 » /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ |
| 214 » switch (nid) |
| 215 » » { |
| 216 » case NID_sect163k1: /* sect163k1 (1) */ |
| 217 » » return 1; |
| 218 » case NID_sect163r1: /* sect163r1 (2) */ |
| 219 » » return 2; |
| 220 » case NID_sect163r2: /* sect163r2 (3) */ |
| 221 » » return 3; |
| 222 » case NID_sect193r1: /* sect193r1 (4) */ |
| 223 » » return 4; |
| 224 » case NID_sect193r2: /* sect193r2 (5) */ |
| 225 » » return 5; |
| 226 » case NID_sect233k1: /* sect233k1 (6) */ |
| 227 » » return 6; |
| 228 » case NID_sect233r1: /* sect233r1 (7) */ |
| 229 » » return 7; |
| 230 » case NID_sect239k1: /* sect239k1 (8) */ |
| 231 » » return 8; |
| 232 » case NID_sect283k1: /* sect283k1 (9) */ |
| 233 » » return 9; |
| 234 » case NID_sect283r1: /* sect283r1 (10) */ |
| 235 » » return 10; |
| 236 » case NID_sect409k1: /* sect409k1 (11) */ |
| 237 » » return 11; |
| 238 » case NID_sect409r1: /* sect409r1 (12) */ |
| 239 » » return 12; |
| 240 » case NID_sect571k1: /* sect571k1 (13) */ |
| 241 » » return 13; |
| 242 » case NID_sect571r1: /* sect571r1 (14) */ |
| 243 » » return 14; |
| 244 » case NID_secp160k1: /* secp160k1 (15) */ |
| 245 » » return 15; |
| 246 » case NID_secp160r1: /* secp160r1 (16) */ |
| 247 » » return 16; |
| 248 » case NID_secp160r2: /* secp160r2 (17) */ |
| 249 » » return 17; |
| 250 » case NID_secp192k1: /* secp192k1 (18) */ |
| 251 » » return 18; |
| 252 » case NID_X9_62_prime192v1: /* secp192r1 (19) */ |
| 253 » » return 19; |
| 254 » case NID_secp224k1: /* secp224k1 (20) */ |
| 255 » » return 20; |
| 256 » case NID_secp224r1: /* secp224r1 (21) */ |
| 257 » » return 21; |
| 258 » case NID_secp256k1: /* secp256k1 (22) */ |
| 259 » » return 22; |
| 260 » case NID_X9_62_prime256v1: /* secp256r1 (23) */ |
| 261 » » return 23; |
| 262 » case NID_secp384r1: /* secp384r1 (24) */ |
| 263 » » return 24; |
| 264 » case NID_secp521r1: /* secp521r1 (25) */» |
| 265 » » return 25; |
| 266 » default: |
| 267 » » return 0; |
| 268 » » } |
128 } | 269 } |
129 #endif | 270 #endif /* OPENSSL_NO_EC */ |
130 | 271 |
131 #ifndef OPENSSL_NO_TLSEXT | 272 #ifndef OPENSSL_NO_TLSEXT |
132 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
r *limit) | 273 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
r *limit) |
133 { | 274 { |
134 int extdatalen=0; | 275 int extdatalen=0; |
135 unsigned char *ret = p; | 276 unsigned char *ret = p; |
136 | 277 |
137 /* don't add extensions for SSLv3 unless doing secure renegotiation */ | 278 /* don't add extensions for SSLv3 unless doing secure renegotiation */ |
138 if (s->client_version == SSL3_VERSION | 279 if (s->client_version == SSL3_VERSION |
139 && !s->s3->send_connection_binding) | 280 && !s->s3->send_connection_binding) |
(...skipping 11 matching lines...) Expand all Loading... |
151 | 292 |
152 /* check for enough space. | 293 /* check for enough space. |
153 4 for the servername type and entension length | 294 4 for the servername type and entension length |
154 2 for servernamelist length | 295 2 for servernamelist length |
155 1 for the hostname type | 296 1 for the hostname type |
156 2 for hostname length | 297 2 for hostname length |
157 + hostname length | 298 + hostname length |
158 */ | 299 */ |
159 | 300 |
160 if ((lenmax = limit - ret - 9) < 0 | 301 if ((lenmax = limit - ret - 9) < 0 |
161 » » || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenm
ax) | 302 » » || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)
lenmax) |
162 return NULL; | 303 return NULL; |
163 | 304 |
164 /* extension type and length */ | 305 /* extension type and length */ |
165 s2n(TLSEXT_TYPE_server_name,ret); | 306 s2n(TLSEXT_TYPE_server_name,ret); |
166 s2n(size_str+5,ret); | 307 s2n(size_str+5,ret); |
167 | 308 |
168 /* length of servername list */ | 309 /* length of servername list */ |
169 s2n(size_str+3,ret); | 310 s2n(size_str+3,ret); |
170 | 311 |
171 /* hostname type, length and hostname */ | 312 /* hostname type, length and hostname */ |
172 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; | 313 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; |
173 s2n(size_str,ret); | 314 s2n(size_str,ret); |
174 memcpy(ret, s->tlsext_hostname, size_str); | 315 memcpy(ret, s->tlsext_hostname, size_str); |
175 ret+=size_str; | 316 ret+=size_str; |
| 317 } |
176 | 318 |
177 } | |
178 | |
179 /* Add RI if renegotiating */ | 319 /* Add RI if renegotiating */ |
180 if (s->new_session) | 320 if (s->new_session) |
181 { | 321 { |
182 int el; | 322 int el; |
183 | 323 |
184 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) | 324 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) |
185 { | 325 { |
186 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); | 326 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); |
187 return NULL; | 327 return NULL; |
188 } | 328 } |
189 | 329 |
190 if((limit - p - 4 - el) < 0) return NULL; | 330 if((limit - p - 4 - el) < 0) return NULL; |
191 | 331 |
192 s2n(TLSEXT_TYPE_renegotiate,ret); | 332 s2n(TLSEXT_TYPE_renegotiate,ret); |
193 s2n(el,ret); | 333 s2n(el,ret); |
194 | 334 |
195 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) | 335 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) |
196 { | 336 { |
197 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); | 337 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); |
198 return NULL; | 338 return NULL; |
199 } | 339 } |
200 | 340 |
201 ret += el; | 341 ret += el; |
202 } | 342 } |
203 | 343 |
204 | 344 #ifndef OPENSSL_NO_EC |
| 345 » if (s->tlsext_ecpointformatlist != NULL && |
| 346 » s->version != DTLS1_VERSION) |
| 347 » » { |
| 348 » » /* Add TLS extension ECPointFormats to the ClientHello message *
/ |
| 349 » » long lenmax; |
| 350 |
| 351 » » if ((lenmax = limit - ret - 5) < 0) return NULL; |
| 352 » » if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
return NULL; |
| 353 » » if (s->tlsext_ecpointformatlist_length > 255) |
| 354 » » » { |
| 355 » » » SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); |
| 356 » » » return NULL; |
| 357 » » » } |
| 358 » » |
| 359 » » s2n(TLSEXT_TYPE_ec_point_formats,ret); |
| 360 » » s2n(s->tlsext_ecpointformatlist_length + 1,ret); |
| 361 » » *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; |
| 362 » » memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformat
list_length); |
| 363 » » ret+=s->tlsext_ecpointformatlist_length; |
| 364 » » } |
| 365 » if (s->tlsext_ellipticcurvelist != NULL && |
| 366 » s->version != DTLS1_VERSION) |
| 367 » » { |
| 368 » » /* Add TLS extension EllipticCurves to the ClientHello message *
/ |
| 369 » » long lenmax; |
| 370 |
| 371 » » if ((lenmax = limit - ret - 6) < 0) return NULL; |
| 372 » » if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax)
return NULL; |
| 373 » » if (s->tlsext_ellipticcurvelist_length > 65532) |
| 374 » » » { |
| 375 » » » SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); |
| 376 » » » return NULL; |
| 377 » » » } |
| 378 » » |
| 379 » » s2n(TLSEXT_TYPE_elliptic_curves,ret); |
| 380 » » s2n(s->tlsext_ellipticcurvelist_length + 2, ret); |
| 381 |
| 382 » » /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for |
| 383 » » * elliptic_curve_list, but the examples use two bytes. |
| 384 » » * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.ht
ml |
| 385 » » * resolves this to two bytes. |
| 386 » » */ |
| 387 » » s2n(s->tlsext_ellipticcurvelist_length, ret); |
| 388 » » memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurve
list_length); |
| 389 » » ret+=s->tlsext_ellipticcurvelist_length; |
| 390 » » } |
| 391 #endif /* OPENSSL_NO_EC */ |
| 392 |
205 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) | 393 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) |
206 { | 394 { |
207 int ticklen; | 395 int ticklen; |
208 if (!s->new_session && s->session && s->session->tlsext_tick) | 396 if (!s->new_session && s->session && s->session->tlsext_tick) |
209 ticklen = s->session->tlsext_ticklen; | 397 ticklen = s->session->tlsext_ticklen; |
| 398 else if (s->session && s->tlsext_session_ticket && |
| 399 s->tlsext_session_ticket->data) |
| 400 { |
| 401 ticklen = s->tlsext_session_ticket->length; |
| 402 s->session->tlsext_tick = OPENSSL_malloc(ticklen); |
| 403 if (!s->session->tlsext_tick) |
| 404 return NULL; |
| 405 memcpy(s->session->tlsext_tick, |
| 406 s->tlsext_session_ticket->data, |
| 407 ticklen); |
| 408 s->session->tlsext_ticklen = ticklen; |
| 409 } |
210 else | 410 else |
211 ticklen = 0; | 411 ticklen = 0; |
| 412 if (ticklen == 0 && s->tlsext_session_ticket && |
| 413 s->tlsext_session_ticket->data == NULL) |
| 414 goto skip_ext; |
212 /* Check for enough room 2 for extension type, 2 for len | 415 /* Check for enough room 2 for extension type, 2 for len |
213 * rest for ticket | 416 * rest for ticket |
214 */ | 417 */ |
215 » » if (limit - ret - 4 - ticklen < 0) | 418 » » if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; |
216 » » » return NULL; | |
217 s2n(TLSEXT_TYPE_session_ticket,ret); | 419 s2n(TLSEXT_TYPE_session_ticket,ret); |
218 s2n(ticklen,ret); | 420 s2n(ticklen,ret); |
219 if (ticklen) | 421 if (ticklen) |
220 { | 422 { |
221 memcpy(ret, s->session->tlsext_tick, ticklen); | 423 memcpy(ret, s->session->tlsext_tick, ticklen); |
222 ret += ticklen; | 424 ret += ticklen; |
223 } | 425 } |
224 } | 426 } |
| 427 skip_ext: |
| 428 |
| 429 #ifdef TLSEXT_TYPE_opaque_prf_input |
| 430 if (s->s3->client_opaque_prf_input != NULL && |
| 431 s->version != DTLS1_VERSION) |
| 432 { |
| 433 size_t col = s->s3->client_opaque_prf_input_len; |
| 434 |
| 435 if ((long)(limit - ret - 6 - col < 0)) |
| 436 return NULL; |
| 437 if (col > 0xFFFD) /* can't happen */ |
| 438 return NULL; |
| 439 |
| 440 s2n(TLSEXT_TYPE_opaque_prf_input, ret); |
| 441 s2n(col + 2, ret); |
| 442 s2n(col, ret); |
| 443 memcpy(ret, s->s3->client_opaque_prf_input, col); |
| 444 ret += col; |
| 445 } |
| 446 #endif |
225 | 447 |
226 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && | 448 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && |
227 s->version != DTLS1_VERSION) | 449 s->version != DTLS1_VERSION) |
228 { | 450 { |
229 int i; | 451 int i; |
230 long extlen, idlen, itmp; | 452 long extlen, idlen, itmp; |
231 OCSP_RESPID *id; | 453 OCSP_RESPID *id; |
232 | 454 |
233 idlen = 0; | 455 idlen = 0; |
234 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) | 456 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) |
(...skipping 30 matching lines...) Expand all Loading... |
265 ret += 2; | 487 ret += 2; |
266 itmp = i2d_OCSP_RESPID(id, &ret); | 488 itmp = i2d_OCSP_RESPID(id, &ret); |
267 /* write id len */ | 489 /* write id len */ |
268 s2n(itmp, q); | 490 s2n(itmp, q); |
269 } | 491 } |
270 s2n(extlen, ret); | 492 s2n(extlen, ret); |
271 if (extlen > 0) | 493 if (extlen > 0) |
272 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); | 494 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); |
273 } | 495 } |
274 | 496 |
275 » if (s->ctx->next_proto_select_cb) | 497 #ifndef OPENSSL_NO_NEXTPROTONEG |
| 498 » if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) |
276 { | 499 { |
277 /* The client advertises an emtpy extension to indicate its | 500 /* The client advertises an emtpy extension to indicate its |
278 * support for Next Protocol Negotiation */ | 501 * support for Next Protocol Negotiation */ |
279 if (limit - ret - 4 < 0) | 502 if (limit - ret - 4 < 0) |
280 return NULL; | 503 return NULL; |
281 s2n(TLSEXT_TYPE_next_proto_neg,ret); | 504 s2n(TLSEXT_TYPE_next_proto_neg,ret); |
282 s2n(0,ret); | 505 s2n(0,ret); |
283 } | 506 } |
| 507 #endif |
284 | 508 |
285 if ((extdatalen = ret-p-2)== 0) | 509 if ((extdatalen = ret-p-2)== 0) |
286 return p; | 510 return p; |
287 | 511 |
288 s2n(extdatalen,p); | 512 s2n(extdatalen,p); |
289 return ret; | 513 return ret; |
290 } | 514 } |
291 | 515 |
292 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
r *limit) | 516 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
r *limit) |
293 { | 517 { |
294 int extdatalen=0; | 518 int extdatalen=0; |
295 unsigned char *ret = p; | 519 unsigned char *ret = p; |
296 » char next_proto_neg_seen; | 520 #ifndef OPENSSL_NO_NEXTPROTONEG |
| 521 » int next_proto_neg_seen; |
| 522 #endif |
297 | 523 |
298 /* don't add extensions for SSLv3, unless doing secure renegotiation */ | 524 /* don't add extensions for SSLv3, unless doing secure renegotiation */ |
299 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) | 525 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) |
300 return p; | 526 return p; |
301 | 527 |
302 ret+=2; | 528 ret+=2; |
303 if (ret>=limit) return NULL; /* this really never occurs, but ... */ | 529 if (ret>=limit) return NULL; /* this really never occurs, but ... */ |
304 | 530 |
305 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname !=
NULL) | 531 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname !=
NULL) |
306 { | 532 { |
307 » » if (limit - ret - 4 < 0) return NULL; | 533 » » if ((long)(limit - ret - 4) < 0) return NULL; |
308 | 534 |
309 s2n(TLSEXT_TYPE_server_name,ret); | 535 s2n(TLSEXT_TYPE_server_name,ret); |
310 s2n(0,ret); | 536 s2n(0,ret); |
311 } | 537 } |
312 | 538 |
313 if(s->s3->send_connection_binding) | 539 if(s->s3->send_connection_binding) |
314 { | 540 { |
315 int el; | 541 int el; |
316 | 542 |
317 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) | 543 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) |
318 { | 544 { |
319 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); | 545 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); |
320 return NULL; | 546 return NULL; |
321 } | 547 } |
322 | 548 |
323 if((limit - p - 4 - el) < 0) return NULL; | 549 if((limit - p - 4 - el) < 0) return NULL; |
324 | 550 |
325 s2n(TLSEXT_TYPE_renegotiate,ret); | 551 s2n(TLSEXT_TYPE_renegotiate,ret); |
326 s2n(el,ret); | 552 s2n(el,ret); |
327 | 553 |
328 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) | 554 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) |
329 { | 555 { |
330 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); | 556 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); |
331 return NULL; | 557 return NULL; |
332 } | 558 } |
333 | 559 |
334 ret += el; | 560 ret += el; |
335 } | 561 } |
336 » | 562 |
| 563 #ifndef OPENSSL_NO_EC |
| 564 » if (s->tlsext_ecpointformatlist != NULL && |
| 565 » s->version != DTLS1_VERSION) |
| 566 » » { |
| 567 » » /* Add TLS extension ECPointFormats to the ServerHello message *
/ |
| 568 » » long lenmax; |
| 569 |
| 570 » » if ((lenmax = limit - ret - 5) < 0) return NULL; |
| 571 » » if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
return NULL; |
| 572 » » if (s->tlsext_ecpointformatlist_length > 255) |
| 573 » » » { |
| 574 » » » SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); |
| 575 » » » return NULL; |
| 576 » » » } |
| 577 » » |
| 578 » » s2n(TLSEXT_TYPE_ec_point_formats,ret); |
| 579 » » s2n(s->tlsext_ecpointformatlist_length + 1,ret); |
| 580 » » *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; |
| 581 » » memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformat
list_length); |
| 582 » » ret+=s->tlsext_ecpointformatlist_length; |
| 583 |
| 584 » » } |
| 585 » /* Currently the server should not respond with a SupportedCurves extens
ion */ |
| 586 #endif /* OPENSSL_NO_EC */ |
| 587 |
337 if (s->tlsext_ticket_expected | 588 if (s->tlsext_ticket_expected |
338 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) | 589 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) |
339 { | 590 { |
340 » » if (limit - ret - 4 < 0) return NULL; | 591 » » if ((long)(limit - ret - 4) < 0) return NULL; |
341 s2n(TLSEXT_TYPE_session_ticket,ret); | 592 s2n(TLSEXT_TYPE_session_ticket,ret); |
342 s2n(0,ret); | 593 s2n(0,ret); |
343 } | 594 } |
344 | 595 |
345 if (s->tlsext_status_expected) | 596 if (s->tlsext_status_expected) |
346 { | 597 { |
347 if ((long)(limit - ret - 4) < 0) return NULL; | 598 if ((long)(limit - ret - 4) < 0) return NULL; |
348 s2n(TLSEXT_TYPE_status_request,ret); | 599 s2n(TLSEXT_TYPE_status_request,ret); |
349 s2n(0,ret); | 600 s2n(0,ret); |
350 } | 601 } |
351 | 602 |
| 603 #ifdef TLSEXT_TYPE_opaque_prf_input |
| 604 if (s->s3->server_opaque_prf_input != NULL && |
| 605 s->version != DTLS1_VERSION) |
| 606 { |
| 607 size_t sol = s->s3->server_opaque_prf_input_len; |
| 608 |
| 609 if ((long)(limit - ret - 6 - sol) < 0) |
| 610 return NULL; |
| 611 if (sol > 0xFFFD) /* can't happen */ |
| 612 return NULL; |
| 613 |
| 614 s2n(TLSEXT_TYPE_opaque_prf_input, ret); |
| 615 s2n(sol + 2, ret); |
| 616 s2n(sol, ret); |
| 617 memcpy(ret, s->s3->server_opaque_prf_input, sol); |
| 618 ret += sol; |
| 619 } |
| 620 #endif |
| 621 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_ciphe
r->id & 0xFFFF)==0x81) |
| 622 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) |
| 623 { const unsigned char cryptopro_ext[36] = { |
| 624 0xfd, 0xe8, /*65000*/ |
| 625 0x00, 0x20, /*32 bytes length*/ |
| 626 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, |
| 627 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, |
| 628 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, |
| 629 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17}; |
| 630 if (limit-ret<36) return NULL; |
| 631 memcpy(ret,cryptopro_ext,36); |
| 632 ret+=36; |
| 633 |
| 634 } |
| 635 |
| 636 #ifndef OPENSSL_NO_NEXTPROTONEG |
352 next_proto_neg_seen = s->s3->next_proto_neg_seen; | 637 next_proto_neg_seen = s->s3->next_proto_neg_seen; |
353 s->s3->next_proto_neg_seen = 0; | 638 s->s3->next_proto_neg_seen = 0; |
354 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) | 639 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) |
355 { | 640 { |
356 const unsigned char *npa; | 641 const unsigned char *npa; |
357 unsigned int npalen; | 642 unsigned int npalen; |
358 int r; | 643 int r; |
359 | 644 |
360 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->
next_protos_advertised_cb_arg); | 645 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->
next_protos_advertised_cb_arg); |
361 if (r == SSL_TLSEXT_ERR_OK) | 646 if (r == SSL_TLSEXT_ERR_OK) |
362 { | 647 { |
363 if ((long)(limit - ret - 4 - npalen) < 0) return NULL; | 648 if ((long)(limit - ret - 4 - npalen) < 0) return NULL; |
364 s2n(TLSEXT_TYPE_next_proto_neg,ret); | 649 s2n(TLSEXT_TYPE_next_proto_neg,ret); |
365 s2n(npalen,ret); | 650 s2n(npalen,ret); |
366 memcpy(ret, npa, npalen); | 651 memcpy(ret, npa, npalen); |
367 ret += npalen; | 652 ret += npalen; |
368 s->s3->next_proto_neg_seen = 1; | 653 s->s3->next_proto_neg_seen = 1; |
369 } | 654 } |
370 } | 655 } |
371 | 656 #endif |
372 » if (s->s3->snap_start_ext_seen) | |
373 » » { | |
374 » » if ((long)(limit - ret - 14) < 0) return NULL; | |
375 » » s2n(TLSEXT_TYPE_snap_start,ret); | |
376 » » s2n(10,ret); /* extension length */ | |
377 » » memcpy(ret, s->ctx->snap_start_orbit, 8); | |
378 » » ret += 8; | |
379 » » /* This is the ciphersuite that we would pick in the event of a | |
380 » » * Snap Start handshake. (Maybe the server wants to do EDH | |
381 » » * unless the client is Snap Start capable). At the moment we | |
382 » » * don't have any logic to pick a different cipher suite so we | |
383 » » * repeat the choice from the ServerHello. */ | |
384 » » s2n(s->s3->tmp.new_cipher->id & 0xffff,ret); | |
385 » » } | |
386 | 657 |
387 if ((extdatalen = ret-p-2)== 0) | 658 if ((extdatalen = ret-p-2)== 0) |
388 return p; | 659 return p; |
389 | 660 |
390 s2n(extdatalen,p); | 661 s2n(extdatalen,p); |
391 return ret; | 662 return ret; |
392 } | 663 } |
393 | 664 |
394 | |
395 static int ssl_hash_snap_start_client_hello(SSL* s, | |
396 const char* data, | |
397 unsigned len, | |
398 unsigned ext_len) | |
399 { | |
400 /* We walk the ClientHello from the beginning, writing | |
401 * adjusted lengths into |b| and hashing as we go. | |
402 * | |
403 * The resulting ClientHello is going to be shorter by the length of | |
404 * this extension, which is |ext_len + 4| (two bytes for the type and tw
o for | |
405 * the length). */ | |
406 | |
407 const unsigned char *p; | |
408 unsigned remaining; | |
409 unsigned char b[3], *c; | |
410 unsigned long l; | |
411 | |
412 p = (unsigned char*) data; | |
413 remaining = len; | |
414 /* Handshake header: type */ | |
415 if (!remaining) | |
416 return 0; | |
417 ssl3_finish_mac(s, p, 1); | |
418 p++; | |
419 remaining--; | |
420 /* Handshake header: length */ | |
421 if (remaining < 3) | |
422 return 0; | |
423 n2l3(p, l); | |
424 l -= ext_len + 4; | |
425 c = b; | |
426 l2n3(l, c); | |
427 ssl3_finish_mac(s, b, 3); | |
428 remaining -= 3; | |
429 /* ClientHello: version and random */ | |
430 if (remaining < 34) | |
431 return 0; | |
432 ssl3_finish_mac(s, p, 34); | |
433 p += 34; | |
434 remaining -= 34; | |
435 /* ClientHello: session id length */ | |
436 if (!remaining) | |
437 return 0; | |
438 l = *p; | |
439 ssl3_finish_mac(s, p, 1); | |
440 p++; | |
441 remaining--; | |
442 /* ClientHello: session id */ | |
443 if (remaining < l) | |
444 return 0; | |
445 ssl3_finish_mac(s, p, l); | |
446 p += l; | |
447 remaining -= l; | |
448 /* ClientHello: cipher suites length */ | |
449 if (remaining < 2) | |
450 return 0; | |
451 ssl3_finish_mac(s, p, 2); | |
452 n2s(p, l); | |
453 remaining -= 2; | |
454 /* ClientHello: cipher suites */ | |
455 if (remaining < l) | |
456 return 0; | |
457 ssl3_finish_mac(s, p, l); | |
458 p += l; | |
459 remaining -= l; | |
460 /* ClientHello: compression methods length */ | |
461 if (!remaining) | |
462 return 0; | |
463 l = *p; | |
464 ssl3_finish_mac(s, p, 1); | |
465 p++; | |
466 remaining--; | |
467 /* ClientHello: compression methods */ | |
468 if (remaining < l) | |
469 return 0; | |
470 ssl3_finish_mac(s, p, l); | |
471 p += l; | |
472 remaining -= l; | |
473 /* ClientHello: extensions length (must exist given that we're already | |
474 * parsing the extensions from it */ | |
475 if (remaining < 2) | |
476 return 0; | |
477 n2s(p, l); | |
478 remaining -= 2; | |
479 if (l != remaining || l < ext_len + 4) | |
480 return 0; | |
481 l -= ext_len + 4; | |
482 c = b; | |
483 s2n(l, c); | |
484 ssl3_finish_mac(s, b, 2); | |
485 | |
486 while (remaining) | |
487 { | |
488 unsigned long extension_type, extension_len; | |
489 if (remaining < 4) | |
490 return 0; | |
491 n2s(p, extension_type); | |
492 n2s(p, extension_len); | |
493 remaining -= 4; | |
494 if (remaining < extension_len) | |
495 return 0; | |
496 if (extension_type != TLSEXT_TYPE_snap_start) | |
497 ssl3_finish_mac(s, p - 4, extension_len + 4); | |
498 p += extension_len; | |
499 remaining -= extension_len; | |
500 } | |
501 | |
502 return 1; | |
503 } | |
504 | |
505 static char ssl_parse_snap_start_tlsext(SSL *s, const unsigned char *data, unsig
ned short len) | |
506 { | |
507 ptrdiff_t extension_offset = data - (unsigned char *) s->init_buf->data; | |
508 | |
509 if (len > 0 && len < 36) | |
510 return 0; | |
511 s->s3->snap_start_ext_seen = 1; | |
512 if (len == 0) | |
513 return 1; | |
514 | |
515 fnv1a64_init((FNV1A64*) s->s3->response_hash); | |
516 | |
517 /* We need to make a copy of the ClientHello because we'll be hashing a | |
518 * modified version. However, if we enter recovery then we need to hash | |
519 * the unchanged message. | |
520 * | |
521 * We are adding 4 bytes to the length here because we're including the | |
522 * handshake header. */ | |
523 s->s3->snap_start_client_hello.left = s->init_num + 4; | |
524 s->s3->snap_start_client_hello.offset = 0; | |
525 s->s3->snap_start_client_hello.buf = OPENSSL_malloc(s->init_num + 4); | |
526 if (!s->s3->snap_start_client_hello.buf) | |
527 { | |
528 /* If we're out of memory then we pretend that we | |
529 * didn't see the extension. */ | |
530 s->s3->snap_start_ext_seen = 0; | |
531 return 1; | |
532 } | |
533 | |
534 memcpy(s->s3->snap_start_client_hello.buf, s->init_buf->data, s->init_nu
m + 4); | |
535 memcpy(s->s3->server_random, s->s3->client_random, 4); /* time */ | |
536 memcpy(s->s3->server_random + 4, data, 28); /* orbit and random bytes */ | |
537 memcpy(s->s3->predicted_response_hash, data + 28, 8); | |
538 | |
539 /* Point snap_start_records to within the copy of the ClientHello */ | |
540 s->s3->snap_start_records.offset = 0; | |
541 s->s3->snap_start_records.left = len - 36; | |
542 s->s3->snap_start_records.buf = s->s3->snap_start_client_hello.buf + ext
ension_offset + 36; | |
543 | |
544 /* Reset the handshake hash */ | |
545 ssl3_init_finished_mac(s); | |
546 | |
547 /* Need to hash the ClientHello as if the snap start extension wasn't | |
548 * included. */ | |
549 if (!ssl_hash_snap_start_client_hello( | |
550 s, | |
551 s->init_buf->data, | |
552 s->init_num + 4 /* four bytes of handshake header */, | |
553 len)) | |
554 { | |
555 return 0; | |
556 } | |
557 | |
558 s->s3->snap_start_requested = 1; | |
559 return 1; | |
560 } | |
561 | |
562 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
t n, int *al) | 665 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
t n, int *al) |
563 { | 666 { |
564 unsigned short type; | 667 unsigned short type; |
565 unsigned short size; | 668 unsigned short size; |
566 unsigned short len; | 669 unsigned short len; |
567 unsigned char *data = *p; | 670 unsigned char *data = *p; |
568 int renegotiate_seen = 0; | 671 int renegotiate_seen = 0; |
569 | 672 |
570 s->servername_done = 0; | 673 s->servername_done = 0; |
571 s->tlsext_status_type = -1; | 674 s->tlsext_status_type = -1; |
572 | 675 |
573 if (data >= (d+n-2)) | 676 if (data >= (d+n-2)) |
574 goto ri_check; | 677 goto ri_check; |
575 | |
576 n2s(data,len); | 678 n2s(data,len); |
577 | 679 |
578 if (data > (d+n-len)) | 680 if (data > (d+n-len)) |
579 goto ri_check; | 681 goto ri_check; |
580 | 682 |
581 while (data <= (d+n-4)) | 683 while (data <= (d+n-4)) |
582 { | 684 { |
583 n2s(data,type); | 685 n2s(data,type); |
584 n2s(data,size); | 686 n2s(data,size); |
585 | 687 |
586 if (data+size > (d+n)) | 688 if (data+size > (d+n)) |
587 goto ri_check; | 689 goto ri_check; |
588 | 690 #if 0 |
| 691 » » fprintf(stderr,"Received extension type %d size %d\n",type,size)
; |
| 692 #endif |
589 if (s->tlsext_debug_cb) | 693 if (s->tlsext_debug_cb) |
590 s->tlsext_debug_cb(s, 0, type, data, size, | 694 s->tlsext_debug_cb(s, 0, type, data, size, |
591 s->tlsext_debug_arg); | 695 s->tlsext_debug_arg); |
592 /* The servername extension is treated as follows: | 696 /* The servername extension is treated as follows: |
593 | 697 |
594 - Only the hostname type is supported with a maximum length of 255. | 698 - Only the hostname type is supported with a maximum length of 255. |
595 - The servername is rejected if too long or if it contains zeros, | 699 - The servername is rejected if too long or if it contains zeros, |
596 in which case an fatal alert is generated. | 700 in which case an fatal alert is generated. |
597 - The servername field is maintained together with the session cache. | 701 - The servername field is maintained together with the session cache. |
598 - When a session is resumed, the servername call back invoked in order | 702 - When a session is resumed, the servername call back invoked in order |
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
640 | 744 |
641 if (len > dsize) | 745 if (len > dsize) |
642 { | 746 { |
643 *al = SSL_AD_DECODE_ERROR; | 747 *al = SSL_AD_DECODE_ERROR; |
644 return 0; | 748 return 0; |
645 } | 749 } |
646 if (s->servername_done == 0) | 750 if (s->servername_done == 0) |
647 switch (servname_type) | 751 switch (servname_type) |
648 { | 752 { |
649 case TLSEXT_NAMETYPE_host_name: | 753 case TLSEXT_NAMETYPE_host_name: |
650 » » » » » if (s->session->tlsext_hostname == NULL) | 754 » » » » » if (!s->hit) |
651 { | 755 { |
652 » » » » » » if (len > TLSEXT_MAXLEN_host_nam
e || | 756 » » » » » » if(s->session->tlsext_hostname) |
653 » » » » » » » ((s->session->tlsext_hos
tname = OPENSSL_malloc(len+1)) == NULL)) | 757 » » » » » » » { |
| 758 » » » » » » » *al = SSL_AD_DECODE_ERRO
R; |
| 759 » » » » » » » return 0; |
| 760 » » » » » » » } |
| 761 » » » » » » if (len > TLSEXT_MAXLEN_host_nam
e) |
654 { | 762 { |
655 *al = TLS1_AD_UNRECOGNIZ
ED_NAME; | 763 *al = TLS1_AD_UNRECOGNIZ
ED_NAME; |
656 return 0; | 764 return 0; |
657 } | 765 } |
| 766 if ((s->session->tlsext_hostname
= OPENSSL_malloc(len+1)) == NULL) |
| 767 { |
| 768 *al = TLS1_AD_INTERNAL_E
RROR; |
| 769 return 0; |
| 770 } |
658 memcpy(s->session->tlsext_hostna
me, sdata, len); | 771 memcpy(s->session->tlsext_hostna
me, sdata, len); |
659 s->session->tlsext_hostname[len]
='\0'; | 772 s->session->tlsext_hostname[len]
='\0'; |
660 if (strlen(s->session->tlsext_ho
stname) != len) { | 773 if (strlen(s->session->tlsext_ho
stname) != len) { |
661 OPENSSL_free(s->session-
>tlsext_hostname); | 774 OPENSSL_free(s->session-
>tlsext_hostname); |
662 s->session->tlsext_hostn
ame = NULL; | 775 s->session->tlsext_hostn
ame = NULL; |
663 *al = TLS1_AD_UNRECOGNIZ
ED_NAME; | 776 *al = TLS1_AD_UNRECOGNIZ
ED_NAME; |
664 return 0; | 777 return 0; |
665 } | 778 } |
666 s->servername_done = 1; | 779 s->servername_done = 1; |
667 | 780 |
668 } | 781 } |
669 else | 782 else |
670 » » » » » » s->servername_done = strlen(s->s
ession->tlsext_hostname) == len | 783 » » » » » » s->servername_done = s->session-
>tlsext_hostname |
| 784 » » » » » » » && strlen(s->session->tl
sext_hostname) == len |
671 && strncmp(s->session->t
lsext_hostname, (char *)sdata, len) == 0; | 785 && strncmp(s->session->t
lsext_hostname, (char *)sdata, len) == 0; |
672 | 786 |
673 break; | 787 break; |
674 | 788 |
675 default: | 789 default: |
676 break; | 790 break; |
677 } | 791 } |
678 | 792 |
679 dsize -= len; | 793 dsize -= len; |
680 } | 794 } |
681 if (dsize != 0) | 795 if (dsize != 0) |
682 { | 796 { |
683 *al = SSL_AD_DECODE_ERROR; | 797 *al = SSL_AD_DECODE_ERROR; |
684 return 0; | 798 return 0; |
685 } | 799 } |
686 | 800 |
687 } | 801 } |
| 802 |
| 803 #ifndef OPENSSL_NO_EC |
| 804 else if (type == TLSEXT_TYPE_ec_point_formats && |
| 805 s->version != DTLS1_VERSION) |
| 806 { |
| 807 unsigned char *sdata = data; |
| 808 int ecpointformatlist_length = *(sdata++); |
| 809 |
| 810 if (ecpointformatlist_length != size - 1) |
| 811 { |
| 812 *al = TLS1_AD_DECODE_ERROR; |
| 813 return 0; |
| 814 } |
| 815 if (!s->hit) |
| 816 { |
| 817 if(s->session->tlsext_ecpointformatlist) |
| 818 { |
| 819 OPENSSL_free(s->session->tlsext_ecpointf
ormatlist); |
| 820 s->session->tlsext_ecpointformatlist = N
ULL; |
| 821 } |
| 822 s->session->tlsext_ecpointformatlist_length = 0; |
| 823 if ((s->session->tlsext_ecpointformatlist = OPEN
SSL_malloc(ecpointformatlist_length)) == NULL) |
| 824 { |
| 825 *al = TLS1_AD_INTERNAL_ERROR; |
| 826 return 0; |
| 827 } |
| 828 s->session->tlsext_ecpointformatlist_length = ec
pointformatlist_length; |
| 829 memcpy(s->session->tlsext_ecpointformatlist, sda
ta, ecpointformatlist_length); |
| 830 } |
| 831 #if 0 |
| 832 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session-
>tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_le
ngth); |
| 833 sdata = s->session->tlsext_ecpointformatlist; |
| 834 for (i = 0; i < s->session->tlsext_ecpointformatlist_len
gth; i++) |
| 835 fprintf(stderr,"%i ",*(sdata++)); |
| 836 fprintf(stderr,"\n"); |
| 837 #endif |
| 838 } |
| 839 else if (type == TLSEXT_TYPE_elliptic_curves && |
| 840 s->version != DTLS1_VERSION) |
| 841 { |
| 842 unsigned char *sdata = data; |
| 843 int ellipticcurvelist_length = (*(sdata++) << 8); |
| 844 ellipticcurvelist_length += (*(sdata++)); |
| 845 |
| 846 if (ellipticcurvelist_length != size - 2) |
| 847 { |
| 848 *al = TLS1_AD_DECODE_ERROR; |
| 849 return 0; |
| 850 } |
| 851 if (!s->hit) |
| 852 { |
| 853 if(s->session->tlsext_ellipticcurvelist) |
| 854 { |
| 855 *al = TLS1_AD_DECODE_ERROR; |
| 856 return 0; |
| 857 } |
| 858 s->session->tlsext_ellipticcurvelist_length = 0; |
| 859 if ((s->session->tlsext_ellipticcurvelist = OPEN
SSL_malloc(ellipticcurvelist_length)) == NULL) |
| 860 { |
| 861 *al = TLS1_AD_INTERNAL_ERROR; |
| 862 return 0; |
| 863 } |
| 864 s->session->tlsext_ellipticcurvelist_length = el
lipticcurvelist_length; |
| 865 memcpy(s->session->tlsext_ellipticcurvelist, sda
ta, ellipticcurvelist_length); |
| 866 } |
| 867 #if 0 |
| 868 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session-
>tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_le
ngth); |
| 869 sdata = s->session->tlsext_ellipticcurvelist; |
| 870 for (i = 0; i < s->session->tlsext_ellipticcurvelist_len
gth; i++) |
| 871 fprintf(stderr,"%i ",*(sdata++)); |
| 872 fprintf(stderr,"\n"); |
| 873 #endif |
| 874 } |
| 875 #endif /* OPENSSL_NO_EC */ |
| 876 #ifdef TLSEXT_TYPE_opaque_prf_input |
| 877 else if (type == TLSEXT_TYPE_opaque_prf_input && |
| 878 s->version != DTLS1_VERSION) |
| 879 { |
| 880 unsigned char *sdata = data; |
| 881 |
| 882 if (size < 2) |
| 883 { |
| 884 *al = SSL_AD_DECODE_ERROR; |
| 885 return 0; |
| 886 } |
| 887 n2s(sdata, s->s3->client_opaque_prf_input_len); |
| 888 if (s->s3->client_opaque_prf_input_len != size - 2) |
| 889 { |
| 890 *al = SSL_AD_DECODE_ERROR; |
| 891 return 0; |
| 892 } |
| 893 |
| 894 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't
really happen */ |
| 895 OPENSSL_free(s->s3->client_opaque_prf_input); |
| 896 if (s->s3->client_opaque_prf_input_len == 0) |
| 897 s->s3->client_opaque_prf_input = OPENSSL_malloc(
1); /* dummy byte just to get non-NULL */ |
| 898 else |
| 899 s->s3->client_opaque_prf_input = BUF_memdup(sdat
a, s->s3->client_opaque_prf_input_len); |
| 900 if (s->s3->client_opaque_prf_input == NULL) |
| 901 { |
| 902 *al = TLS1_AD_INTERNAL_ERROR; |
| 903 return 0; |
| 904 } |
| 905 } |
| 906 #endif |
| 907 else if (type == TLSEXT_TYPE_session_ticket) |
| 908 { |
| 909 if (s->tls_session_ticket_ext_cb && |
| 910 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_
session_ticket_ext_cb_arg)) |
| 911 { |
| 912 *al = TLS1_AD_INTERNAL_ERROR; |
| 913 return 0; |
| 914 } |
| 915 } |
688 else if (type == TLSEXT_TYPE_renegotiate) | 916 else if (type == TLSEXT_TYPE_renegotiate) |
689 { | 917 { |
690 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size,
al)) | 918 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size,
al)) |
691 return 0; | 919 return 0; |
692 renegotiate_seen = 1; | 920 renegotiate_seen = 1; |
693 } | 921 } |
694 else if (type == TLSEXT_TYPE_status_request && | 922 else if (type == TLSEXT_TYPE_status_request && |
695 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb
) | 923 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb
) |
696 { | 924 { |
697 | 925 |
(...skipping 21 matching lines...) Expand all Loading... |
719 { | 947 { |
720 OCSP_RESPID *id; | 948 OCSP_RESPID *id; |
721 int idsize; | 949 int idsize; |
722 if (dsize < 4) | 950 if (dsize < 4) |
723 { | 951 { |
724 *al = SSL_AD_DECODE_ERROR; | 952 *al = SSL_AD_DECODE_ERROR; |
725 return 0; | 953 return 0; |
726 } | 954 } |
727 n2s(data, idsize); | 955 n2s(data, idsize); |
728 dsize -= 2 + idsize; | 956 dsize -= 2 + idsize; |
| 957 size -= 2 + idsize; |
729 if (dsize < 0) | 958 if (dsize < 0) |
730 { | 959 { |
731 *al = SSL_AD_DECODE_ERROR; | 960 *al = SSL_AD_DECODE_ERROR; |
732 return 0; | 961 return 0; |
733 } | 962 } |
734 sdata = data; | 963 sdata = data; |
735 data += idsize; | 964 data += idsize; |
736 id = d2i_OCSP_RESPID(NULL, | 965 id = d2i_OCSP_RESPID(NULL, |
737 &sdata, idsize); | 966 &sdata, idsize); |
738 if (!id) | 967 if (!id) |
(...skipping 18 matching lines...) Expand all Loading... |
757 if (!sk_OCSP_RESPID_push( | 986 if (!sk_OCSP_RESPID_push( |
758 s->tlsext_ocsp_ids, id)) | 987 s->tlsext_ocsp_ids, id)) |
759 { | 988 { |
760 OCSP_RESPID_free(id); | 989 OCSP_RESPID_free(id); |
761 *al = SSL_AD_INTERNAL_ERROR; | 990 *al = SSL_AD_INTERNAL_ERROR; |
762 return 0; | 991 return 0; |
763 } | 992 } |
764 } | 993 } |
765 | 994 |
766 /* Read in request_extensions */ | 995 /* Read in request_extensions */ |
767 » » » » n2s(data,dsize); | 996 » » » » if (size < 2) |
768 » » » » size -= 2; | |
769 » » » » if (dsize > size) | |
770 { | 997 { |
771 *al = SSL_AD_DECODE_ERROR; | 998 *al = SSL_AD_DECODE_ERROR; |
772 return 0; | 999 return 0; |
| 1000 } |
| 1001 n2s(data,dsize); |
| 1002 size -= 2; |
| 1003 if (dsize != size) |
| 1004 { |
| 1005 *al = SSL_AD_DECODE_ERROR; |
| 1006 return 0; |
773 } | 1007 } |
774 sdata = data; | 1008 sdata = data; |
775 if (dsize > 0) | 1009 if (dsize > 0) |
776 { | 1010 { |
| 1011 if (s->tlsext_ocsp_exts) |
| 1012 { |
| 1013 sk_X509_EXTENSION_pop_free(s->tl
sext_ocsp_exts, |
| 1014 X509_
EXTENSION_free); |
| 1015 } |
| 1016 |
777 s->tlsext_ocsp_exts = | 1017 s->tlsext_ocsp_exts = |
778 d2i_X509_EXTENSIONS(NULL, | 1018 d2i_X509_EXTENSIONS(NULL, |
779 &sdata, dsize); | 1019 &sdata, dsize); |
780 if (!s->tlsext_ocsp_exts | 1020 if (!s->tlsext_ocsp_exts |
781 || (data + dsize != sdata)) | 1021 || (data + dsize != sdata)) |
782 { | 1022 { |
783 *al = SSL_AD_DECODE_ERROR; | 1023 *al = SSL_AD_DECODE_ERROR; |
784 return 0; | 1024 return 0; |
785 } | 1025 } |
786 } | 1026 } |
787 } | 1027 } |
788 /* We don't know what to do with any other type | 1028 /* We don't know what to do with any other type |
789 * so ignore it. | 1029 * so ignore it. |
790 */ | 1030 */ |
791 else | 1031 else |
792 s->tlsext_status_type = -1; | 1032 s->tlsext_status_type = -1; |
793 } | 1033 } |
794 » » else if (type == TLSEXT_TYPE_next_proto_neg) | 1034 #ifndef OPENSSL_NO_NEXTPROTONEG |
| 1035 » » else if (type == TLSEXT_TYPE_next_proto_neg && |
| 1036 s->s3->tmp.finish_md_len == 0) |
795 { | 1037 { |
796 /* We shouldn't accept this extension on a | 1038 /* We shouldn't accept this extension on a |
797 » » » * renegotiation, but we currently do. | 1039 » » » * renegotiation. |
798 * | 1040 * |
799 * s->new_session will be set on renegotiation, but we | 1041 * s->new_session will be set on renegotiation, but we |
800 * probably shouldn't rely that it couldn't be set on | 1042 * probably shouldn't rely that it couldn't be set on |
801 * the initial renegotation too in certain cases (when | 1043 * the initial renegotation too in certain cases (when |
802 * there's some other reason to disallow resuming an | 1044 * there's some other reason to disallow resuming an |
803 * earlier session -- the current code won't be doing | 1045 * earlier session -- the current code won't be doing |
804 * anything like that, but this might change). | 1046 * anything like that, but this might change). |
805 | 1047 |
806 * A valid sign that there's been a previous handshake | 1048 * A valid sign that there's been a previous handshake |
807 * in this connection is if s->s3->tmp.finish_md_len > | 1049 * in this connection is if s->s3->tmp.finish_md_len > |
808 * 0. (We are talking about a check that will happen | 1050 * 0. (We are talking about a check that will happen |
809 * in the Hello protocol round, well before a new | 1051 * in the Hello protocol round, well before a new |
810 * Finished message could have been computed.) */ | 1052 * Finished message could have been computed.) */ |
811 s->s3->next_proto_neg_seen = 1; | 1053 s->s3->next_proto_neg_seen = 1; |
812 } | 1054 } |
813 | 1055 #endif |
814 » » else if (type == TLSEXT_TYPE_snap_start && s->ctx->snap_start_or
bit_valid) | |
815 » » » { | |
816 » » » if (ssl_parse_snap_start_tlsext(s, data, size) == 0) | |
817 » » » » return 0; | |
818 » » » } | |
819 | 1056 |
820 /* session ticket processed earlier */ | 1057 /* session ticket processed earlier */ |
821 | 1058 » » data+=size; |
822 » » data+=size;» » | |
823 } | 1059 } |
| 1060 |
824 *p = data; | 1061 *p = data; |
825 | 1062 |
826 ri_check: | 1063 ri_check: |
827 | 1064 |
828 /* Need RI if renegotiating */ | 1065 /* Need RI if renegotiating */ |
829 | 1066 |
830 if (!renegotiate_seen && s->new_session && | 1067 if (!renegotiate_seen && s->new_session && |
831 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) | 1068 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) |
832 { | 1069 { |
833 *al = SSL_AD_HANDSHAKE_FAILURE; | 1070 *al = SSL_AD_HANDSHAKE_FAILURE; |
834 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, | 1071 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, |
835 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | 1072 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
836 return 0; | 1073 return 0; |
837 } | 1074 } |
838 | 1075 |
839 return 1; | 1076 return 1; |
840 } | 1077 } |
841 | 1078 |
| 1079 #ifndef OPENSSL_NO_NEXTPROTONEG |
842 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No | 1080 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No |
843 * elements of zero length are allowed and the set of elements must exactly fill | 1081 * elements of zero length are allowed and the set of elements must exactly fill |
844 * the length of the block. */ | 1082 * the length of the block. */ |
845 static char ssl_next_proto_validate(unsigned char *d, unsigned len) | 1083 static int ssl_next_proto_validate(unsigned char *d, unsigned len) |
846 { | 1084 { |
847 unsigned int off = 0; | 1085 unsigned int off = 0; |
848 | 1086 |
849 while (off < len) | 1087 while (off < len) |
850 { | 1088 { |
851 if (d[off] == 0) | 1089 if (d[off] == 0) |
852 return 0; | 1090 return 0; |
853 off += d[off]; | 1091 off += d[off]; |
854 off++; | 1092 off++; |
855 } | 1093 } |
856 | 1094 |
857 return off == len; | 1095 return off == len; |
858 } | 1096 } |
| 1097 #endif |
859 | 1098 |
860 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
t n, int *al) | 1099 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
t n, int *al) |
861 { | 1100 { |
| 1101 unsigned short length; |
862 unsigned short type; | 1102 unsigned short type; |
863 unsigned short size; | 1103 unsigned short size; |
864 unsigned short len; | |
865 unsigned char *data = *p; | 1104 unsigned char *data = *p; |
866 int tlsext_servername = 0; | 1105 int tlsext_servername = 0; |
867 int renegotiate_seen = 0; | 1106 int renegotiate_seen = 0; |
868 | 1107 |
869 if (data >= (d+n-2)) | 1108 if (data >= (d+n-2)) |
870 goto ri_check; | 1109 goto ri_check; |
871 | 1110 |
872 » n2s(data,len); | 1111 » n2s(data,length); |
| 1112 » if (data+length != d+n) |
| 1113 » » { |
| 1114 » » *al = SSL_AD_DECODE_ERROR; |
| 1115 » » return 0; |
| 1116 » » } |
873 | 1117 |
874 while(data <= (d+n-4)) | 1118 while(data <= (d+n-4)) |
875 { | 1119 { |
876 n2s(data,type); | 1120 n2s(data,type); |
877 n2s(data,size); | 1121 n2s(data,size); |
878 | 1122 |
879 if (data+size > (d+n)) | 1123 if (data+size > (d+n)) |
880 goto ri_check; | 1124 goto ri_check; |
881 | 1125 |
882 if (s->tlsext_debug_cb) | 1126 if (s->tlsext_debug_cb) |
883 s->tlsext_debug_cb(s, 1, type, data, size, | 1127 s->tlsext_debug_cb(s, 1, type, data, size, |
884 s->tlsext_debug_arg); | 1128 s->tlsext_debug_arg); |
885 | 1129 |
886 if (type == TLSEXT_TYPE_server_name) | 1130 if (type == TLSEXT_TYPE_server_name) |
887 { | 1131 { |
888 if (s->tlsext_hostname == NULL || size > 0) | 1132 if (s->tlsext_hostname == NULL || size > 0) |
889 { | 1133 { |
890 *al = TLS1_AD_UNRECOGNIZED_NAME; | 1134 *al = TLS1_AD_UNRECOGNIZED_NAME; |
891 return 0; | 1135 return 0; |
892 } | 1136 } |
893 tlsext_servername = 1; | 1137 tlsext_servername = 1; |
894 } | 1138 } |
| 1139 |
| 1140 #ifndef OPENSSL_NO_EC |
| 1141 else if (type == TLSEXT_TYPE_ec_point_formats && |
| 1142 s->version != DTLS1_VERSION) |
| 1143 { |
| 1144 unsigned char *sdata = data; |
| 1145 int ecpointformatlist_length = *(sdata++); |
| 1146 |
| 1147 if (ecpointformatlist_length != size - 1) |
| 1148 { |
| 1149 *al = TLS1_AD_DECODE_ERROR; |
| 1150 return 0; |
| 1151 } |
| 1152 s->session->tlsext_ecpointformatlist_length = 0; |
| 1153 if (s->session->tlsext_ecpointformatlist != NULL) OPENSS
L_free(s->session->tlsext_ecpointformatlist); |
| 1154 if ((s->session->tlsext_ecpointformatlist = OPENSSL_mall
oc(ecpointformatlist_length)) == NULL) |
| 1155 { |
| 1156 *al = TLS1_AD_INTERNAL_ERROR; |
| 1157 return 0; |
| 1158 } |
| 1159 s->session->tlsext_ecpointformatlist_length = ecpointfor
matlist_length; |
| 1160 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpo
intformatlist_length); |
| 1161 #if 0 |
| 1162 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session-
>tlsext_ecpointformatlist "); |
| 1163 sdata = s->session->tlsext_ecpointformatlist; |
| 1164 for (i = 0; i < s->session->tlsext_ecpointformatlist_len
gth; i++) |
| 1165 fprintf(stderr,"%i ",*(sdata++)); |
| 1166 fprintf(stderr,"\n"); |
| 1167 #endif |
| 1168 } |
| 1169 #endif /* OPENSSL_NO_EC */ |
| 1170 |
895 else if (type == TLSEXT_TYPE_session_ticket) | 1171 else if (type == TLSEXT_TYPE_session_ticket) |
896 { | 1172 { |
| 1173 if (s->tls_session_ticket_ext_cb && |
| 1174 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_
session_ticket_ext_cb_arg)) |
| 1175 { |
| 1176 *al = TLS1_AD_INTERNAL_ERROR; |
| 1177 return 0; |
| 1178 } |
897 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) | 1179 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) |
898 || (size > 0)) | 1180 || (size > 0)) |
899 { | 1181 { |
900 *al = TLS1_AD_UNSUPPORTED_EXTENSION; | 1182 *al = TLS1_AD_UNSUPPORTED_EXTENSION; |
901 return 0; | 1183 return 0; |
902 } | 1184 } |
903 s->tlsext_ticket_expected = 1; | 1185 s->tlsext_ticket_expected = 1; |
904 } | 1186 } |
| 1187 #ifdef TLSEXT_TYPE_opaque_prf_input |
| 1188 else if (type == TLSEXT_TYPE_opaque_prf_input && |
| 1189 s->version != DTLS1_VERSION) |
| 1190 { |
| 1191 unsigned char *sdata = data; |
| 1192 |
| 1193 if (size < 2) |
| 1194 { |
| 1195 *al = SSL_AD_DECODE_ERROR; |
| 1196 return 0; |
| 1197 } |
| 1198 n2s(sdata, s->s3->server_opaque_prf_input_len); |
| 1199 if (s->s3->server_opaque_prf_input_len != size - 2) |
| 1200 { |
| 1201 *al = SSL_AD_DECODE_ERROR; |
| 1202 return 0; |
| 1203 } |
| 1204 |
| 1205 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't
really happen */ |
| 1206 OPENSSL_free(s->s3->server_opaque_prf_input); |
| 1207 if (s->s3->server_opaque_prf_input_len == 0) |
| 1208 s->s3->server_opaque_prf_input = OPENSSL_malloc(
1); /* dummy byte just to get non-NULL */ |
| 1209 else |
| 1210 s->s3->server_opaque_prf_input = BUF_memdup(sdat
a, s->s3->server_opaque_prf_input_len); |
| 1211 |
| 1212 if (s->s3->server_opaque_prf_input == NULL) |
| 1213 { |
| 1214 *al = TLS1_AD_INTERNAL_ERROR; |
| 1215 return 0; |
| 1216 } |
| 1217 } |
| 1218 #endif |
905 else if (type == TLSEXT_TYPE_status_request && | 1219 else if (type == TLSEXT_TYPE_status_request && |
906 s->version != DTLS1_VERSION) | 1220 s->version != DTLS1_VERSION) |
907 { | 1221 { |
908 /* MUST be empty and only sent if we've requested | 1222 /* MUST be empty and only sent if we've requested |
909 * a status request message. | 1223 * a status request message. |
910 */ | 1224 */ |
911 if ((s->tlsext_status_type == -1) || (size > 0)) | 1225 if ((s->tlsext_status_type == -1) || (size > 0)) |
912 { | 1226 { |
913 *al = TLS1_AD_UNSUPPORTED_EXTENSION; | 1227 *al = TLS1_AD_UNSUPPORTED_EXTENSION; |
914 return 0; | 1228 return 0; |
915 } | 1229 } |
916 /* Set flag to expect CertificateStatus message */ | 1230 /* Set flag to expect CertificateStatus message */ |
917 s->tlsext_status_expected = 1; | 1231 s->tlsext_status_expected = 1; |
918 } | 1232 } |
| 1233 #ifndef OPENSSL_NO_NEXTPROTONEG |
919 else if (type == TLSEXT_TYPE_next_proto_neg) | 1234 else if (type == TLSEXT_TYPE_next_proto_neg) |
920 { | 1235 { |
921 unsigned char *selected; | 1236 unsigned char *selected; |
922 unsigned char selected_len; | 1237 unsigned char selected_len; |
923 | 1238 |
924 /* We must have requested it. */ | 1239 /* We must have requested it. */ |
925 if ((s->ctx->next_proto_select_cb == NULL)) | 1240 if ((s->ctx->next_proto_select_cb == NULL)) |
926 { | 1241 { |
927 *al = TLS1_AD_UNSUPPORTED_EXTENSION; | 1242 *al = TLS1_AD_UNSUPPORTED_EXTENSION; |
928 return 0; | 1243 return 0; |
(...skipping 11 matching lines...) Expand all Loading... |
940 } | 1255 } |
941 s->next_proto_negotiated = OPENSSL_malloc(selected_len); | 1256 s->next_proto_negotiated = OPENSSL_malloc(selected_len); |
942 if (!s->next_proto_negotiated) | 1257 if (!s->next_proto_negotiated) |
943 { | 1258 { |
944 *al = TLS1_AD_INTERNAL_ERROR; | 1259 *al = TLS1_AD_INTERNAL_ERROR; |
945 return 0; | 1260 return 0; |
946 } | 1261 } |
947 memcpy(s->next_proto_negotiated, selected, selected_len)
; | 1262 memcpy(s->next_proto_negotiated, selected, selected_len)
; |
948 s->next_proto_negotiated_len = selected_len; | 1263 s->next_proto_negotiated_len = selected_len; |
949 } | 1264 } |
| 1265 #endif |
950 else if (type == TLSEXT_TYPE_renegotiate) | 1266 else if (type == TLSEXT_TYPE_renegotiate) |
951 { | 1267 { |
952 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size,
al)) | 1268 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size,
al)) |
953 return 0; | 1269 return 0; |
954 renegotiate_seen = 1; | 1270 renegotiate_seen = 1; |
955 } | 1271 } |
956 data+=size; | 1272 data+=size; |
957 } | 1273 } |
958 | 1274 |
959 if (data != d+n) | 1275 if (data != d+n) |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1000 { | 1316 { |
1001 *al = SSL_AD_HANDSHAKE_FAILURE; | 1317 *al = SSL_AD_HANDSHAKE_FAILURE; |
1002 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, | 1318 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, |
1003 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | 1319 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
1004 return 0; | 1320 return 0; |
1005 } | 1321 } |
1006 | 1322 |
1007 return 1; | 1323 return 1; |
1008 } | 1324 } |
1009 | 1325 |
| 1326 |
| 1327 int ssl_prepare_clienthello_tlsext(SSL *s) |
| 1328 { |
| 1329 #ifndef OPENSSL_NO_EC |
| 1330 /* If we are client and using an elliptic curve cryptography cipher suit
e, send the point formats |
| 1331 * and elliptic curves we support. |
| 1332 */ |
| 1333 int using_ecc = 0; |
| 1334 int i; |
| 1335 unsigned char *j; |
| 1336 unsigned long alg_k, alg_a; |
| 1337 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); |
| 1338 |
| 1339 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) |
| 1340 { |
| 1341 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); |
| 1342 |
| 1343 alg_k = c->algorithm_mkey; |
| 1344 alg_a = c->algorithm_auth; |
| 1345 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_
aECDSA))) |
| 1346 { |
| 1347 using_ecc = 1; |
| 1348 break; |
| 1349 } |
| 1350 } |
| 1351 using_ecc = using_ecc && (s->version == TLS1_VERSION); |
| 1352 if (using_ecc) |
| 1353 { |
| 1354 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_
ecpointformatlist); |
| 1355 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) |
| 1356 { |
| 1357 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC
_FAILURE); |
| 1358 return -1; |
| 1359 } |
| 1360 s->tlsext_ecpointformatlist_length = 3; |
| 1361 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompress
ed; |
| 1362 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_c
ompressed_prime; |
| 1363 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_c
ompressed_char2; |
| 1364 |
| 1365 /* we support all named elliptic curves in draft-ietf-tls-ecc-12
*/ |
| 1366 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_
ellipticcurvelist); |
| 1367 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid
_list[0]) * 2; |
| 1368 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_elli
pticcurvelist_length)) == NULL) |
| 1369 { |
| 1370 s->tlsext_ellipticcurvelist_length = 0; |
| 1371 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC
_FAILURE); |
| 1372 return -1; |
| 1373 } |
| 1374 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <= |
| 1375 sizeof(nid_list)/sizeof(nid_list[0]); i++) |
| 1376 s2n(i,j); |
| 1377 } |
| 1378 #endif /* OPENSSL_NO_EC */ |
| 1379 |
| 1380 #ifdef TLSEXT_TYPE_opaque_prf_input |
| 1381 { |
| 1382 int r = 1; |
| 1383 |
| 1384 if (s->ctx->tlsext_opaque_prf_input_callback != 0) |
| 1385 { |
| 1386 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
s->ctx->tlsext_opaque_prf_input_callback_arg); |
| 1387 if (!r) |
| 1388 return -1; |
| 1389 } |
| 1390 |
| 1391 if (s->tlsext_opaque_prf_input != NULL) |
| 1392 { |
| 1393 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't
really happen */ |
| 1394 OPENSSL_free(s->s3->client_opaque_prf_input); |
| 1395 |
| 1396 if (s->tlsext_opaque_prf_input_len == 0) |
| 1397 s->s3->client_opaque_prf_input = OPENSSL_malloc(
1); /* dummy byte just to get non-NULL */ |
| 1398 else |
| 1399 s->s3->client_opaque_prf_input = BUF_memdup(s->t
lsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); |
| 1400 if (s->s3->client_opaque_prf_input == NULL) |
| 1401 { |
| 1402 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_
R_MALLOC_FAILURE); |
| 1403 return -1; |
| 1404 } |
| 1405 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_pr
f_input_len; |
| 1406 } |
| 1407 |
| 1408 if (r == 2) |
| 1409 /* at callback's request, insist on receiving an appropr
iate server opaque PRF input */ |
| 1410 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_pr
f_input_len; |
| 1411 } |
| 1412 #endif |
| 1413 |
| 1414 return 1; |
| 1415 } |
| 1416 |
| 1417 int ssl_prepare_serverhello_tlsext(SSL *s) |
| 1418 { |
| 1419 #ifndef OPENSSL_NO_EC |
| 1420 /* If we are server and using an ECC cipher suite, send the point format
s we support |
| 1421 * if the client sent us an ECPointsFormat extension. Note that the ser
ver is not |
| 1422 * supposed to send an EllipticCurves extension. |
| 1423 */ |
| 1424 |
| 1425 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
| 1426 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; |
| 1427 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a &
SSL_aECDSA); |
| 1428 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); |
| 1429 |
| 1430 if (using_ecc) |
| 1431 { |
| 1432 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_
ecpointformatlist); |
| 1433 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) |
| 1434 { |
| 1435 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC
_FAILURE); |
| 1436 return -1; |
| 1437 } |
| 1438 s->tlsext_ecpointformatlist_length = 3; |
| 1439 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompress
ed; |
| 1440 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_c
ompressed_prime; |
| 1441 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_c
ompressed_char2; |
| 1442 } |
| 1443 #endif /* OPENSSL_NO_EC */ |
| 1444 |
| 1445 return 1; |
| 1446 } |
| 1447 |
1010 int ssl_check_clienthello_tlsext(SSL *s) | 1448 int ssl_check_clienthello_tlsext(SSL *s) |
1011 { | 1449 { |
1012 int ret=SSL_TLSEXT_ERR_NOACK; | 1450 int ret=SSL_TLSEXT_ERR_NOACK; |
1013 int al = SSL_AD_UNRECOGNIZED_NAME; | 1451 int al = SSL_AD_UNRECOGNIZED_NAME; |
1014 | 1452 |
| 1453 #ifndef OPENSSL_NO_EC |
| 1454 /* The handling of the ECPointFormats extension is done elsewhere, namel
y in |
| 1455 * ssl3_choose_cipher in s3_lib.c. |
| 1456 */ |
| 1457 /* The handling of the EllipticCurves extension is done elsewhere, namel
y in |
| 1458 * ssl3_choose_cipher in s3_lib.c. |
| 1459 */ |
| 1460 #endif |
| 1461 |
1015 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) | 1462 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) |
1016 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_
servername_arg); | 1463 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_
servername_arg); |
1017 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_cal
lback != 0) | 1464 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_cal
lback != 0) |
1018 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->init
ial_ctx->tlsext_servername_arg); | 1465 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->init
ial_ctx->tlsext_servername_arg); |
1019 | 1466 |
1020 /* If status request then ask callback what to do. | 1467 /* If status request then ask callback what to do. |
1021 * Note: this must be called after servername callbacks in case | 1468 * Note: this must be called after servername callbacks in case |
1022 * the certificate has changed. | 1469 * the certificate has changed. |
1023 */ | 1470 */ |
1024 » if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb) | 1471 » if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) |
1025 { | 1472 { |
1026 int r; | 1473 int r; |
1027 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); | 1474 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); |
1028 switch (r) | 1475 switch (r) |
1029 { | 1476 { |
1030 /* We don't want to send a status request response */ | 1477 /* We don't want to send a status request response */ |
1031 case SSL_TLSEXT_ERR_NOACK: | 1478 case SSL_TLSEXT_ERR_NOACK: |
1032 s->tlsext_status_expected = 0; | 1479 s->tlsext_status_expected = 0; |
1033 break; | 1480 break; |
1034 /* status request response should be sent */ | 1481 /* status request response should be sent */ |
1035 case SSL_TLSEXT_ERR_OK: | 1482 case SSL_TLSEXT_ERR_OK: |
1036 if (s->tlsext_ocsp_resp) | 1483 if (s->tlsext_ocsp_resp) |
1037 s->tlsext_status_expected = 1; | 1484 s->tlsext_status_expected = 1; |
1038 else | 1485 else |
1039 s->tlsext_status_expected = 0; | 1486 s->tlsext_status_expected = 0; |
1040 break; | 1487 break; |
1041 /* something bad happened */ | 1488 /* something bad happened */ |
1042 case SSL_TLSEXT_ERR_ALERT_FATAL: | 1489 case SSL_TLSEXT_ERR_ALERT_FATAL: |
1043 ret = SSL_TLSEXT_ERR_ALERT_FATAL; | 1490 ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
1044 al = SSL_AD_INTERNAL_ERROR; | 1491 al = SSL_AD_INTERNAL_ERROR; |
1045 goto err; | 1492 goto err; |
1046 } | 1493 } |
1047 } | 1494 } |
1048 else | 1495 else |
1049 s->tlsext_status_expected = 0; | 1496 s->tlsext_status_expected = 0; |
1050 » err: | 1497 |
| 1498 #ifdef TLSEXT_TYPE_opaque_prf_input |
| 1499 » { |
| 1500 » » /* This sort of belongs into ssl_prepare_serverhello_tlsext(), |
| 1501 » » * but we might be sending an alert in response to the client he
llo, |
| 1502 » » * so this has to happen here in ssl_check_clienthello_tlsext().
*/ |
| 1503 |
| 1504 » » int r = 1; |
| 1505 » |
| 1506 » » if (s->ctx->tlsext_opaque_prf_input_callback != 0) |
| 1507 » » » { |
| 1508 » » » r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
s->ctx->tlsext_opaque_prf_input_callback_arg); |
| 1509 » » » if (!r) |
| 1510 » » » » { |
| 1511 » » » » ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
| 1512 » » » » al = SSL_AD_INTERNAL_ERROR; |
| 1513 » » » » goto err; |
| 1514 » » » » } |
| 1515 » » » } |
| 1516 |
| 1517 » » if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really
happen */ |
| 1518 » » » OPENSSL_free(s->s3->server_opaque_prf_input); |
| 1519 » » s->s3->server_opaque_prf_input = NULL; |
| 1520 |
| 1521 » » if (s->tlsext_opaque_prf_input != NULL) |
| 1522 » » » { |
| 1523 » » » if (s->s3->client_opaque_prf_input != NULL && |
| 1524 » » » » s->s3->client_opaque_prf_input_len == s->tlsext_
opaque_prf_input_len) |
| 1525 » » » » { |
| 1526 » » » » /* can only use this extension if we have a serv
er opaque PRF input |
| 1527 » » » » * of the same length as the client opaque PRF i
nput! */ |
| 1528 |
| 1529 » » » » if (s->tlsext_opaque_prf_input_len == 0) |
| 1530 » » » » » s->s3->server_opaque_prf_input = OPENSSL
_malloc(1); /* dummy byte just to get non-NULL */ |
| 1531 » » » » else |
| 1532 » » » » » s->s3->server_opaque_prf_input = BUF_mem
dup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); |
| 1533 » » » » if (s->s3->server_opaque_prf_input == NULL) |
| 1534 » » » » » { |
| 1535 » » » » » ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
| 1536 » » » » » al = SSL_AD_INTERNAL_ERROR; |
| 1537 » » » » » goto err; |
| 1538 » » » » » } |
| 1539 » » » » s->s3->server_opaque_prf_input_len = s->tlsext_o
paque_prf_input_len; |
| 1540 » » » » } |
| 1541 » » » } |
| 1542 |
| 1543 » » if (r == 2 && s->s3->server_opaque_prf_input == NULL) |
| 1544 » » » { |
| 1545 » » » /* The callback wants to enforce use of the extension, |
| 1546 » » » * but we can't do that with the client opaque PRF input
; |
| 1547 » » » * abort the handshake. |
| 1548 » » » */ |
| 1549 » » » ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
| 1550 » » » al = SSL_AD_HANDSHAKE_FAILURE; |
| 1551 » » » } |
| 1552 » } |
| 1553 |
| 1554 #endif |
| 1555 err: |
1051 switch (ret) | 1556 switch (ret) |
1052 { | 1557 { |
1053 case SSL_TLSEXT_ERR_ALERT_FATAL: | 1558 case SSL_TLSEXT_ERR_ALERT_FATAL: |
1054 ssl3_send_alert(s,SSL3_AL_FATAL,al); | 1559 ssl3_send_alert(s,SSL3_AL_FATAL,al); |
1055 return -1; | 1560 return -1; |
1056 | 1561 |
1057 case SSL_TLSEXT_ERR_ALERT_WARNING: | 1562 case SSL_TLSEXT_ERR_ALERT_WARNING: |
1058 ssl3_send_alert(s,SSL3_AL_WARNING,al); | 1563 ssl3_send_alert(s,SSL3_AL_WARNING,al); |
1059 return 1; | 1564 return 1; |
1060 | 1565 |
1061 case SSL_TLSEXT_ERR_NOACK: | 1566 case SSL_TLSEXT_ERR_NOACK: |
1062 s->servername_done=0; | 1567 s->servername_done=0; |
1063 default: | 1568 default: |
1064 return 1; | 1569 return 1; |
1065 } | 1570 } |
1066 } | 1571 } |
1067 | 1572 |
1068 int ssl_check_serverhello_tlsext(SSL *s) | 1573 int ssl_check_serverhello_tlsext(SSL *s) |
1069 { | 1574 { |
1070 int ret=SSL_TLSEXT_ERR_NOACK; | 1575 int ret=SSL_TLSEXT_ERR_NOACK; |
1071 int al = SSL_AD_UNRECOGNIZED_NAME; | 1576 int al = SSL_AD_UNRECOGNIZED_NAME; |
1072 | 1577 |
| 1578 #ifndef OPENSSL_NO_EC |
| 1579 /* If we are client and using an elliptic curve cryptography cipher |
| 1580 * suite, then if server returns an EC point formats lists extension |
| 1581 * it must contain uncompressed. |
| 1582 */ |
| 1583 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
| 1584 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; |
| 1585 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlis
t_length > 0) && |
| 1586 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsex
t_ecpointformatlist_length > 0) && |
| 1587 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA
))) |
| 1588 { |
| 1589 /* we are using an ECC cipher */ |
| 1590 size_t i; |
| 1591 unsigned char *list; |
| 1592 int found_uncompressed = 0; |
| 1593 list = s->session->tlsext_ecpointformatlist; |
| 1594 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++
) |
| 1595 { |
| 1596 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) |
| 1597 { |
| 1598 found_uncompressed = 1; |
| 1599 break; |
| 1600 } |
| 1601 } |
| 1602 if (!found_uncompressed) |
| 1603 { |
| 1604 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVA
LID_ECPOINTFORMAT_LIST); |
| 1605 return -1; |
| 1606 } |
| 1607 } |
| 1608 ret = SSL_TLSEXT_ERR_OK; |
| 1609 #endif /* OPENSSL_NO_EC */ |
| 1610 |
1073 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) | 1611 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) |
1074 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_
servername_arg); | 1612 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_
servername_arg); |
1075 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_cal
lback != 0) | 1613 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_cal
lback != 0) |
1076 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->init
ial_ctx->tlsext_servername_arg); | 1614 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->init
ial_ctx->tlsext_servername_arg); |
1077 | 1615 |
| 1616 #ifdef TLSEXT_TYPE_opaque_prf_input |
| 1617 if (s->s3->server_opaque_prf_input_len > 0) |
| 1618 { |
| 1619 /* This case may indicate that we, as a client, want to insist o
n using opaque PRF inputs. |
| 1620 * So first verify that we really have a value from the server t
oo. */ |
| 1621 |
| 1622 if (s->s3->server_opaque_prf_input == NULL) |
| 1623 { |
| 1624 ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
| 1625 al = SSL_AD_HANDSHAKE_FAILURE; |
| 1626 } |
| 1627 |
| 1628 /* Anytime the server *has* sent an opaque PRF input, we need to
check |
| 1629 * that we have a client opaque PRF input of the same size. */ |
| 1630 if (s->s3->client_opaque_prf_input == NULL || |
| 1631 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_p
rf_input_len) |
| 1632 { |
| 1633 ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
| 1634 al = SSL_AD_ILLEGAL_PARAMETER; |
| 1635 } |
| 1636 } |
| 1637 #endif |
| 1638 |
1078 /* If we've requested certificate status and we wont get one | 1639 /* If we've requested certificate status and we wont get one |
1079 * tell the callback | 1640 * tell the callback |
1080 */ | 1641 */ |
1081 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) | 1642 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) |
1082 » » » && s->ctx->tlsext_status_cb) | 1643 » » » && s->ctx && s->ctx->tlsext_status_cb) |
1083 { | 1644 { |
1084 int r; | 1645 int r; |
1085 /* Set resp to NULL, resplen to -1 so callback knows | 1646 /* Set resp to NULL, resplen to -1 so callback knows |
1086 * there is no response. | 1647 * there is no response. |
1087 */ | 1648 */ |
1088 if (s->tlsext_ocsp_resp) | 1649 if (s->tlsext_ocsp_resp) |
1089 { | 1650 { |
1090 OPENSSL_free(s->tlsext_ocsp_resp); | 1651 OPENSSL_free(s->tlsext_ocsp_resp); |
1091 s->tlsext_ocsp_resp = NULL; | 1652 s->tlsext_ocsp_resp = NULL; |
1092 } | 1653 } |
(...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1167 n2s(p, i); | 1728 n2s(p, i); |
1168 while ((p + 4) <= limit) | 1729 while ((p + 4) <= limit) |
1169 { | 1730 { |
1170 unsigned short type, size; | 1731 unsigned short type, size; |
1171 n2s(p, type); | 1732 n2s(p, type); |
1172 n2s(p, size); | 1733 n2s(p, size); |
1173 if (p + size > limit) | 1734 if (p + size > limit) |
1174 return 1; | 1735 return 1; |
1175 if (type == TLSEXT_TYPE_session_ticket) | 1736 if (type == TLSEXT_TYPE_session_ticket) |
1176 { | 1737 { |
| 1738 /* If tickets disabled indicate cache miss which will |
| 1739 * trigger a full handshake |
| 1740 */ |
| 1741 if (SSL_get_options(s) & SSL_OP_NO_TICKET) |
| 1742 return 1; |
1177 /* If zero length note client will accept a ticket | 1743 /* If zero length note client will accept a ticket |
1178 * and indicate cache miss to trigger full handshake | 1744 * and indicate cache miss to trigger full handshake |
1179 */ | 1745 */ |
1180 if (size == 0) | 1746 if (size == 0) |
1181 { | 1747 { |
1182 s->tlsext_ticket_expected = 1; | 1748 s->tlsext_ticket_expected = 1; |
1183 return 0; /* Cache miss */ | 1749 return 0; /* Cache miss */ |
1184 } | 1750 } |
| 1751 if (s->tls_session_secret_cb) |
| 1752 { |
| 1753 /* Indicate cache miss here and instead of |
| 1754 * generating the session from ticket now, |
| 1755 * trigger abbreviated handshake based on |
| 1756 * external mechanism to calculate the master |
| 1757 * secret later. */ |
| 1758 return 0; |
| 1759 } |
1185 return tls_decrypt_ticket(s, p, size, session_id, len, | 1760 return tls_decrypt_ticket(s, p, size, session_id, len, |
1186 ret); | 1761 ret); |
1187 } | 1762 } |
1188 p += size; | 1763 p += size; |
1189 } | 1764 } |
1190 return 1; | 1765 return 1; |
1191 } | 1766 } |
1192 | 1767 |
1193 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, | 1768 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, |
1194 const unsigned char *sess_id, int sesslen, | 1769 const unsigned char *sess_id, int sesslen, |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1227 goto tickerr; | 1802 goto tickerr; |
1228 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, | 1803 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, |
1229 tlsext_tick_md(), NULL); | 1804 tlsext_tick_md(), NULL); |
1230 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, | 1805 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, |
1231 tctx->tlsext_tick_aes_key, etick + 16); | 1806 tctx->tlsext_tick_aes_key, etick + 16); |
1232 } | 1807 } |
1233 /* Attempt to process session ticket, first conduct sanity and | 1808 /* Attempt to process session ticket, first conduct sanity and |
1234 * integrity checks on ticket. | 1809 * integrity checks on ticket. |
1235 */ | 1810 */ |
1236 mlen = HMAC_size(&hctx); | 1811 mlen = HMAC_size(&hctx); |
| 1812 if (mlen < 0) |
| 1813 { |
| 1814 EVP_CIPHER_CTX_cleanup(&ctx); |
| 1815 return -1; |
| 1816 } |
1237 eticklen -= mlen; | 1817 eticklen -= mlen; |
1238 /* Check HMAC of encrypted ticket */ | 1818 /* Check HMAC of encrypted ticket */ |
1239 HMAC_Update(&hctx, etick, eticklen); | 1819 HMAC_Update(&hctx, etick, eticklen); |
1240 HMAC_Final(&hctx, tick_hmac, NULL); | 1820 HMAC_Final(&hctx, tick_hmac, NULL); |
1241 HMAC_CTX_cleanup(&hctx); | 1821 HMAC_CTX_cleanup(&hctx); |
1242 if (memcmp(tick_hmac, etick + eticklen, mlen)) | 1822 if (memcmp(tick_hmac, etick + eticklen, mlen)) |
1243 goto tickerr; | 1823 goto tickerr; |
1244 /* Attempt to decrypt session data */ | 1824 /* Attempt to decrypt session data */ |
1245 /* Move p after IV to start of encrypted ticket, update length */ | 1825 /* Move p after IV to start of encrypted ticket, update length */ |
1246 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); | 1826 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); |
(...skipping 29 matching lines...) Expand all Loading... |
1276 } | 1856 } |
1277 /* If session decrypt failure indicate a cache miss and set state to | 1857 /* If session decrypt failure indicate a cache miss and set state to |
1278 * send a new ticket | 1858 * send a new ticket |
1279 */ | 1859 */ |
1280 tickerr: | 1860 tickerr: |
1281 s->tlsext_ticket_expected = 1; | 1861 s->tlsext_ticket_expected = 1; |
1282 return 0; | 1862 return 0; |
1283 } | 1863 } |
1284 | 1864 |
1285 #endif | 1865 #endif |
OLD | NEW |