openssl/ssl/t1_lib.c - Issue 9254031: Upgrade chrome's OpenSSL to same version Android ships with.

Side by Side Diff: openssl/ssl/t1_lib.c

Issue 9254031: Upgrade chrome's OpenSSL to same version Android ships with. (Closed) Base URL: http://src.chromium.org/svn/trunk/deps/third_party/openssl/

Patch Set: '' Created 8 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 /* ssl/t1_lib.c */	1 /* ssl/t1_lib.c */

2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

3 * All rights reserved.	3 * All rights reserved.

4 *	4 *

5 * This package is an SSL implementation written	5 * This package is an SSL implementation written

6 * by Eric Young (eay@cryptsoft.com).	6 * by Eric Young (eay@cryptsoft.com).

7 * The implementation was written so as to conform with Netscapes SSL.	7 * The implementation was written so as to conform with Netscapes SSL.

8 *	8 *

9 * This library is free for commercial and non-commercial use as long as	9 * This library is free for commercial and non-commercial use as long as

10 * the following conditions are aheared to. The following conditions	10 * the following conditions are aheared to. The following conditions

(...skipping 37 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT	48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY	49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF	50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

51 * SUCH DAMAGE.	51 * SUCH DAMAGE.

52 *	52 *

53 * The licence and distribution terms for any publically available version or	53 * The licence and distribution terms for any publically available version or

54 * derivative of this code cannot be changed. i.e. this code cannot simply be	54 * derivative of this code cannot be changed. i.e. this code cannot simply be

55 * copied and put under another distribution licence	55 * copied and put under another distribution licence

56 * [including the GNU Public Licence.]	56 * [including the GNU Public Licence.]

57 */	57 */

	58 /* ====================================================================

	59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.

	60 *

	61 * Redistribution and use in source and binary forms, with or without

	62 * modification, are permitted provided that the following conditions

	63 * are met:

	64 *

	65 * 1. Redistributions of source code must retain the above copyright

	66 * notice, this list of conditions and the following disclaimer.

	67 *

	68 * 2. Redistributions in binary form must reproduce the above copyright

	69 * notice, this list of conditions and the following disclaimer in

	70 * the documentation and/or other materials provided with the

	71 * distribution.

	72 *

	73 * 3. All advertising materials mentioning features or use of this

	74 * software must display the following acknowledgment:

	75 * "This product includes software developed by the OpenSSL Project

	76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

	77 *

	78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

	79 * endorse or promote products derived from this software without

	80 * prior written permission. For written permission, please contact

	81 * openssl-core@openssl.org.

	82 *

	83 * 5. Products derived from this software may not be called "OpenSSL"

	84 * nor may "OpenSSL" appear in their names without prior written

	85 * permission of the OpenSSL Project.

	86 *

	87 * 6. Redistributions of any form whatsoever must retain the following

	88 * acknowledgment:

	89 * "This product includes software developed by the OpenSSL Project

	90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"

	91 *

	92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

	93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

	94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

	95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR

	96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

	97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

	98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

	99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

	100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

	101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

	102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

	103 * OF THE POSSIBILITY OF SUCH DAMAGE.

	104 * ====================================================================

	105 *

	106 * This product includes cryptographic software written by Eric Young

	107 * (eay@cryptsoft.com). This product includes software written by Tim

	108 * Hudson (tjh@cryptsoft.com).

	109 *

	110 */

58	111

59 #include <stdio.h>	112 #include <stdio.h>

60 #include <openssl/objects.h>	113 #include <openssl/objects.h>

61 #include <openssl/evp.h>	114 #include <openssl/evp.h>

62 #include <openssl/hmac.h>	115 #include <openssl/hmac.h>

63 #include <openssl/ocsp.h>	116 #include <openssl/ocsp.h>

64 #include "ssl_locl.h"	117 #include "ssl_locl.h"

65 #include "fnv1a64.h"

66	118

67 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;	119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;

68	120

69 #ifndef OPENSSL_NO_TLSEXT	121 #ifndef OPENSSL_NO_TLSEXT

70 static int tls_decrypt_ticket(SSL s, const unsigned char tick, int ticklen,	122 static int tls_decrypt_ticket(SSL s, const unsigned char tick, int ticklen,

71 const unsigned char *sess_id, int sesslen,	123 const unsigned char *sess_id, int sesslen,

72 SSL_SESSION **psess);	124 SSL_SESSION **psess);

73 #endif	125 #endif

74	126

75 SSL3_ENC_METHOD TLSv1_enc_data={	127 SSL3_ENC_METHOD TLSv1_enc_data={

(...skipping 10 matching lines...) Expand all Loading...
86 tls1_alert_code,	138 tls1_alert_code,

87 };	139 };

88	140

89 long tls1_default_timeout(void)	141 long tls1_default_timeout(void)

90 {	142 {

91 /* 2 hours, the 24 hours mentioned in the TLSv1 spec	143 /* 2 hours, the 24 hours mentioned in the TLSv1 spec

92 * is way too long for http, the cache would over fill */	144 * is way too long for http, the cache would over fill */

93 return(60602);	145 return(60602);

94 }	146 }

95	147

96 IMPLEMENT_tls1_meth_func(tlsv1_base_method,

97 ssl_undefined_function,

98 ssl_undefined_function,

99 ssl_bad_method)

100

101 int tls1_new(SSL *s)	148 int tls1_new(SSL *s)

102 {	149 {

103 if (!ssl3_new(s)) return(0);	150 if (!ssl3_new(s)) return(0);

104 s->method->ssl_clear(s);	151 s->method->ssl_clear(s);

105 return(1);	152 return(1);

106 }	153 }

107	154

108 void tls1_free(SSL *s)	155 void tls1_free(SSL *s)

109 {	156 {

	157 #ifndef OPENSSL_NO_TLSEXT

	158 if (s->tlsext_session_ticket)

	159 {

	160 OPENSSL_free(s->tlsext_session_ticket);

	161 }

	162 #endif /* OPENSSL_NO_TLSEXT */

110 ssl3_free(s);	163 ssl3_free(s);

111 }	164 }

112	165

113 void tls1_clear(SSL *s)	166 void tls1_clear(SSL *s)

114 {	167 {

115 ssl3_clear(s);	168 ssl3_clear(s);

116 s->version=TLS1_VERSION;	169 s->version=TLS1_VERSION;

117 }	170 }

118	171

119 #if 0	172 #ifndef OPENSSL_NO_EC

120 long tls1_ctrl(SSL s, int cmd, long larg, char parg)	173 static int nid_list[] =

121 {	174 {

122 » return(0);	175 » » NID_sect163k1, /* sect163k1 (1) */

	176 » » NID_sect163r1, /* sect163r1 (2) */

	177 » » NID_sect163r2, /* sect163r2 (3) */

	178 » » NID_sect193r1, /* sect193r1 (4) */

	179 » » NID_sect193r2, /* sect193r2 (5) */

	180 » » NID_sect233k1, /* sect233k1 (6) */

	181 » » NID_sect233r1, /* sect233r1 (7) */

	182 » » NID_sect239k1, /* sect239k1 (8) */

	183 » » NID_sect283k1, /* sect283k1 (9) */

	184 » » NID_sect283r1, /* sect283r1 (10) */

	185 » » NID_sect409k1, /* sect409k1 (11) */

	186 » » NID_sect409r1, /* sect409r1 (12) */

	187 » » NID_sect571k1, /* sect571k1 (13) */

	188 » » NID_sect571r1, /* sect571r1 (14) */

	189 » » NID_secp160k1, /* secp160k1 (15) */

	190 » » NID_secp160r1, /* secp160r1 (16) */

	191 » » NID_secp160r2, /* secp160r2 (17) */

	192 » » NID_secp192k1, /* secp192k1 (18) */

	193 » » NID_X9_62_prime192v1, /* secp192r1 (19) */

	194 » » NID_secp224k1, /* secp224k1 (20) */

	195 » » NID_secp224r1, /* secp224r1 (21) */

	196 » » NID_secp256k1, /* secp256k1 (22) */

	197 » » NID_X9_62_prime256v1, /* secp256r1 (23) */

	198 » » NID_secp384r1, /* secp384r1 (24) */

	199 » » NID_secp521r1 /* secp521r1 (25) */»

	200 » };

	201 »

	202 int tls1_ec_curve_id2nid(int curve_id)

	203 » {

	204 » /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */

	205 » if ((curve_id < 1) \|\| ((unsigned int)curve_id >

	206 » » » » sizeof(nid_list)/sizeof(nid_list[0])))

	207 » » return 0;

	208 » return nid_list[curve_id-1];

123 }	209 }

124	210

125 long tls1_callback_ctrl(SSL s, int cmd, void (*fp)())	211 int tls1_ec_nid2curve_id(int nid)

126 {	212 {

127 » return(0);	213 » /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */

	214 » switch (nid)

	215 » » {

	216 » case NID_sect163k1: /* sect163k1 (1) */

	217 » » return 1;

	218 » case NID_sect163r1: /* sect163r1 (2) */

	219 » » return 2;

	220 » case NID_sect163r2: /* sect163r2 (3) */

	221 » » return 3;

	222 » case NID_sect193r1: /* sect193r1 (4) */

	223 » » return 4;

	224 » case NID_sect193r2: /* sect193r2 (5) */

	225 » » return 5;

	226 » case NID_sect233k1: /* sect233k1 (6) */

	227 » » return 6;

	228 » case NID_sect233r1: /* sect233r1 (7) */

	229 » » return 7;

	230 » case NID_sect239k1: /* sect239k1 (8) */

	231 » » return 8;

	232 » case NID_sect283k1: /* sect283k1 (9) */

	233 » » return 9;

	234 » case NID_sect283r1: /* sect283r1 (10) */

	235 » » return 10;

	236 » case NID_sect409k1: /* sect409k1 (11) */

	237 » » return 11;

	238 » case NID_sect409r1: /* sect409r1 (12) */

	239 » » return 12;

	240 » case NID_sect571k1: /* sect571k1 (13) */

	241 » » return 13;

	242 » case NID_sect571r1: /* sect571r1 (14) */

	243 » » return 14;

	244 » case NID_secp160k1: /* secp160k1 (15) */

	245 » » return 15;

	246 » case NID_secp160r1: /* secp160r1 (16) */

	247 » » return 16;

	248 » case NID_secp160r2: /* secp160r2 (17) */

	249 » » return 17;

	250 » case NID_secp192k1: /* secp192k1 (18) */

	251 » » return 18;

	252 » case NID_X9_62_prime192v1: /* secp192r1 (19) */

	253 » » return 19;

	254 » case NID_secp224k1: /* secp224k1 (20) */

	255 » » return 20;

	256 » case NID_secp224r1: /* secp224r1 (21) */

	257 » » return 21;

	258 » case NID_secp256k1: /* secp256k1 (22) */

	259 » » return 22;

	260 » case NID_X9_62_prime256v1: /* secp256r1 (23) */

	261 » » return 23;

	262 » case NID_secp384r1: /* secp384r1 (24) */

	263 » » return 24;

	264 » case NID_secp521r1: /* secp521r1 (25) */»

	265 » » return 25;

	266 » default:

	267 » » return 0;

	268 » » }

128 }	269 }

129 #endif	270 #endif /* OPENSSL_NO_EC */

130	271

131 #ifndef OPENSSL_NO_TLSEXT	272 #ifndef OPENSSL_NO_TLSEXT

132 unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char p, unsigned cha r limit)	273 unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char p, unsigned cha r limit)

133 {	274 {

134 int extdatalen=0;	275 int extdatalen=0;

135 unsigned char *ret = p;	276 unsigned char *ret = p;

136	277

137 /* don't add extensions for SSLv3 unless doing secure renegotiation */	278 /* don't add extensions for SSLv3 unless doing secure renegotiation */

138 if (s->client_version == SSL3_VERSION	279 if (s->client_version == SSL3_VERSION

139 && !s->s3->send_connection_binding)	280 && !s->s3->send_connection_binding)

(...skipping 11 matching lines...) Expand all Loading...
151	292

152 /* check for enough space.	293 /* check for enough space.

153 4 for the servername type and entension length	294 4 for the servername type and entension length

154 2 for servernamelist length	295 2 for servernamelist length

155 1 for the hostname type	296 1 for the hostname type

156 2 for hostname length	297 2 for hostname length

157 + hostname length	298 + hostname length

158 */	299 */

159	300

160 if ((lenmax = limit - ret - 9) < 0	301 if ((lenmax = limit - ret - 9) < 0

161 » » \|\| (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenm ax)	302 » » \|\| (size_str = strlen(s->tlsext_hostname)) > (unsigned long) lenmax)

162 return NULL;	303 return NULL;

163	304

164 /* extension type and length */	305 /* extension type and length */

165 s2n(TLSEXT_TYPE_server_name,ret);	306 s2n(TLSEXT_TYPE_server_name,ret);

166 s2n(size_str+5,ret);	307 s2n(size_str+5,ret);

167	308

168 /* length of servername list */	309 /* length of servername list */

169 s2n(size_str+3,ret);	310 s2n(size_str+3,ret);

170	311

171 /* hostname type, length and hostname */	312 /* hostname type, length and hostname */

172 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;	313 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;

173 s2n(size_str,ret);	314 s2n(size_str,ret);

174 memcpy(ret, s->tlsext_hostname, size_str);	315 memcpy(ret, s->tlsext_hostname, size_str);

175 ret+=size_str;	316 ret+=size_str;

	317 }

176	318

177 }

178

179 /* Add RI if renegotiating */	319 /* Add RI if renegotiating */

180 if (s->new_session)	320 if (s->new_session)

181 {	321 {

182 int el;	322 int el;

183	323

184 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))	324 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))

185 {	325 {

186 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);	326 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);

187 return NULL;	327 return NULL;

188 }	328 }

189	329

190 if((limit - p - 4 - el) < 0) return NULL;	330 if((limit - p - 4 - el) < 0) return NULL;

191	331

192 s2n(TLSEXT_TYPE_renegotiate,ret);	332 s2n(TLSEXT_TYPE_renegotiate,ret);

193 s2n(el,ret);	333 s2n(el,ret);

194	334

195 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))	335 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))

196 {	336 {

197 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);	337 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);

198 return NULL;	338 return NULL;

199 }	339 }

200	340

201 ret += el;	341 ret += el;

202 }	342 }

203	343

204	344 #ifndef OPENSSL_NO_EC

	345 » if (s->tlsext_ecpointformatlist != NULL &&

	346 » s->version != DTLS1_VERSION)

	347 » » {

	348 » » /* Add TLS extension ECPointFormats to the ClientHello message * /

	349 » » long lenmax;

	350

	351 » » if ((lenmax = limit - ret - 5) < 0) return NULL;

	352 » » if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;

	353 » » if (s->tlsext_ecpointformatlist_length > 255)

	354 » » » {

	355 » » » SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ ERROR);

	356 » » » return NULL;

	357 » » » }

	358 » »

	359 » » s2n(TLSEXT_TYPE_ec_point_formats,ret);

	360 » » s2n(s->tlsext_ecpointformatlist_length + 1,ret);

	361 » » *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;

	362 » » memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformat list_length);

	363 » » ret+=s->tlsext_ecpointformatlist_length;

	364 » » }

	365 » if (s->tlsext_ellipticcurvelist != NULL &&

	366 » s->version != DTLS1_VERSION)

	367 » » {

	368 » » /* Add TLS extension EllipticCurves to the ClientHello message * /

	369 » » long lenmax;

	370

	371 » » if ((lenmax = limit - ret - 6) < 0) return NULL;

	372 » » if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;

	373 » » if (s->tlsext_ellipticcurvelist_length > 65532)

	374 » » » {

	375 » » » SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ ERROR);

	376 » » » return NULL;

	377 » » » }

	378 » »

	379 » » s2n(TLSEXT_TYPE_elliptic_curves,ret);

	380 » » s2n(s->tlsext_ellipticcurvelist_length + 2, ret);

	381

	382 » » /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for

	383 » » * elliptic_curve_list, but the examples use two bytes.

	384 » » * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.ht ml

	385 » » * resolves this to two bytes.

	386 » » */

	387 » » s2n(s->tlsext_ellipticcurvelist_length, ret);

	388 » » memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurve list_length);

	389 » » ret+=s->tlsext_ellipticcurvelist_length;

	390 » » }

	391 #endif /* OPENSSL_NO_EC */

	392

205 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))	393 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))

206 {	394 {

207 int ticklen;	395 int ticklen;

208 if (!s->new_session && s->session && s->session->tlsext_tick)	396 if (!s->new_session && s->session && s->session->tlsext_tick)

209 ticklen = s->session->tlsext_ticklen;	397 ticklen = s->session->tlsext_ticklen;

	398 else if (s->session && s->tlsext_session_ticket &&

	399 s->tlsext_session_ticket->data)

	400 {

	401 ticklen = s->tlsext_session_ticket->length;

	402 s->session->tlsext_tick = OPENSSL_malloc(ticklen);

	403 if (!s->session->tlsext_tick)

	404 return NULL;

	405 memcpy(s->session->tlsext_tick,

	406 s->tlsext_session_ticket->data,

	407 ticklen);

	408 s->session->tlsext_ticklen = ticklen;

	409 }

210 else	410 else

211 ticklen = 0;	411 ticklen = 0;

	412 if (ticklen == 0 && s->tlsext_session_ticket &&

	413 s->tlsext_session_ticket->data == NULL)

	414 goto skip_ext;

212 /* Check for enough room 2 for extension type, 2 for len	415 /* Check for enough room 2 for extension type, 2 for len

213 * rest for ticket	416 * rest for ticket

214 */	417 */

215 » » if (limit - ret - 4 - ticklen < 0)	418 » » if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;

216 » » » return NULL;

217 s2n(TLSEXT_TYPE_session_ticket,ret);	419 s2n(TLSEXT_TYPE_session_ticket,ret);

218 s2n(ticklen,ret);	420 s2n(ticklen,ret);

219 if (ticklen)	421 if (ticklen)

220 {	422 {

221 memcpy(ret, s->session->tlsext_tick, ticklen);	423 memcpy(ret, s->session->tlsext_tick, ticklen);

222 ret += ticklen;	424 ret += ticklen;

223 }	425 }

224 }	426 }

	427 skip_ext:

	428

	429 #ifdef TLSEXT_TYPE_opaque_prf_input

	430 if (s->s3->client_opaque_prf_input != NULL &&

	431 s->version != DTLS1_VERSION)

	432 {

	433 size_t col = s->s3->client_opaque_prf_input_len;

	434

	435 if ((long)(limit - ret - 6 - col < 0))

	436 return NULL;

	437 if (col > 0xFFFD) /* can't happen */

	438 return NULL;

	439

	440 s2n(TLSEXT_TYPE_opaque_prf_input, ret);

	441 s2n(col + 2, ret);

	442 s2n(col, ret);

	443 memcpy(ret, s->s3->client_opaque_prf_input, col);

	444 ret += col;

	445 }

	446 #endif

225	447

226 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&	448 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&

227 s->version != DTLS1_VERSION)	449 s->version != DTLS1_VERSION)

228 {	450 {

229 int i;	451 int i;

230 long extlen, idlen, itmp;	452 long extlen, idlen, itmp;

231 OCSP_RESPID *id;	453 OCSP_RESPID *id;

232	454

233 idlen = 0;	455 idlen = 0;

234 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)	456 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)

(...skipping 30 matching lines...) Expand all Loading...
265 ret += 2;	487 ret += 2;

266 itmp = i2d_OCSP_RESPID(id, &ret);	488 itmp = i2d_OCSP_RESPID(id, &ret);

267 /* write id len */	489 /* write id len */

268 s2n(itmp, q);	490 s2n(itmp, q);

269 }	491 }

270 s2n(extlen, ret);	492 s2n(extlen, ret);

271 if (extlen > 0)	493 if (extlen > 0)

272 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);	494 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);

273 }	495 }

274	496

275 » if (s->ctx->next_proto_select_cb)	497 #ifndef OPENSSL_NO_NEXTPROTONEG

	498 » if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)

276 {	499 {

277 /* The client advertises an emtpy extension to indicate its	500 /* The client advertises an emtpy extension to indicate its

278 * support for Next Protocol Negotiation */	501 * support for Next Protocol Negotiation */

279 if (limit - ret - 4 < 0)	502 if (limit - ret - 4 < 0)

280 return NULL;	503 return NULL;

281 s2n(TLSEXT_TYPE_next_proto_neg,ret);	504 s2n(TLSEXT_TYPE_next_proto_neg,ret);

282 s2n(0,ret);	505 s2n(0,ret);

283 }	506 }

	507 #endif

284	508

285 if ((extdatalen = ret-p-2)== 0)	509 if ((extdatalen = ret-p-2)== 0)

286 return p;	510 return p;

287	511

288 s2n(extdatalen,p);	512 s2n(extdatalen,p);

289 return ret;	513 return ret;

290 }	514 }

291	515

292 unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned cha r limit)	516 unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned cha r limit)

293 {	517 {

294 int extdatalen=0;	518 int extdatalen=0;

295 unsigned char *ret = p;	519 unsigned char *ret = p;

296 » char next_proto_neg_seen;	520 #ifndef OPENSSL_NO_NEXTPROTONEG

	521 » int next_proto_neg_seen;

	522 #endif

297	523

298 /* don't add extensions for SSLv3, unless doing secure renegotiation */	524 /* don't add extensions for SSLv3, unless doing secure renegotiation */

299 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)	525 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)

300 return p;	526 return p;

301	527

302 ret+=2;	528 ret+=2;

303 if (ret>=limit) return NULL; /* this really never occurs, but ... */	529 if (ret>=limit) return NULL; /* this really never occurs, but ... */

304	530

305 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)	531 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)

306 {	532 {

307 » » if (limit - ret - 4 < 0) return NULL;	533 » » if ((long)(limit - ret - 4) < 0) return NULL;

308	534

309 s2n(TLSEXT_TYPE_server_name,ret);	535 s2n(TLSEXT_TYPE_server_name,ret);

310 s2n(0,ret);	536 s2n(0,ret);

311 }	537 }

312	538

313 if(s->s3->send_connection_binding)	539 if(s->s3->send_connection_binding)

314 {	540 {

315 int el;	541 int el;

316	542

317 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))	543 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))

318 {	544 {

319 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);	545 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);

320 return NULL;	546 return NULL;

321 }	547 }

322	548

323 if((limit - p - 4 - el) < 0) return NULL;	549 if((limit - p - 4 - el) < 0) return NULL;

324	550

325 s2n(TLSEXT_TYPE_renegotiate,ret);	551 s2n(TLSEXT_TYPE_renegotiate,ret);

326 s2n(el,ret);	552 s2n(el,ret);

327	553

328 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))	554 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))

329 {	555 {

330 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);	556 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);

331 return NULL;	557 return NULL;

332 }	558 }

333	559

334 ret += el;	560 ret += el;

335 }	561 }

336 »	562

	563 #ifndef OPENSSL_NO_EC

	564 » if (s->tlsext_ecpointformatlist != NULL &&

	565 » s->version != DTLS1_VERSION)

	566 » » {

	567 » » /* Add TLS extension ECPointFormats to the ServerHello message * /

	568 » » long lenmax;

	569

	570 » » if ((lenmax = limit - ret - 5) < 0) return NULL;

	571 » » if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;

	572 » » if (s->tlsext_ecpointformatlist_length > 255)

	573 » » » {

	574 » » » SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ ERROR);

	575 » » » return NULL;

	576 » » » }

	577 » »

	578 » » s2n(TLSEXT_TYPE_ec_point_formats,ret);

	579 » » s2n(s->tlsext_ecpointformatlist_length + 1,ret);

	580 » » *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;

	581 » » memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformat list_length);

	582 » » ret+=s->tlsext_ecpointformatlist_length;

	583

	584 » » }

	585 » /* Currently the server should not respond with a SupportedCurves extens ion */

	586 #endif /* OPENSSL_NO_EC */

	587

337 if (s->tlsext_ticket_expected	588 if (s->tlsext_ticket_expected

338 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))	589 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))

339 {	590 {

340 » » if (limit - ret - 4 < 0) return NULL;	591 » » if ((long)(limit - ret - 4) < 0) return NULL;

341 s2n(TLSEXT_TYPE_session_ticket,ret);	592 s2n(TLSEXT_TYPE_session_ticket,ret);

342 s2n(0,ret);	593 s2n(0,ret);

343 }	594 }

344	595

345 if (s->tlsext_status_expected)	596 if (s->tlsext_status_expected)

346 {	597 {

347 if ((long)(limit - ret - 4) < 0) return NULL;	598 if ((long)(limit - ret - 4) < 0) return NULL;

348 s2n(TLSEXT_TYPE_status_request,ret);	599 s2n(TLSEXT_TYPE_status_request,ret);

349 s2n(0,ret);	600 s2n(0,ret);

350 }	601 }

351	602

	603 #ifdef TLSEXT_TYPE_opaque_prf_input

	604 if (s->s3->server_opaque_prf_input != NULL &&

	605 s->version != DTLS1_VERSION)

	606 {

	607 size_t sol = s->s3->server_opaque_prf_input_len;

	608

	609 if ((long)(limit - ret - 6 - sol) < 0)

	610 return NULL;

	611 if (sol > 0xFFFD) /* can't happen */

	612 return NULL;

	613

	614 s2n(TLSEXT_TYPE_opaque_prf_input, ret);

	615 s2n(sol + 2, ret);

	616 s2n(sol, ret);

	617 memcpy(ret, s->s3->server_opaque_prf_input, sol);

	618 ret += sol;

	619 }

	620 #endif

	621 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 \|\| (s->s3->tmp.new_ciphe r->id & 0xFFFF)==0x81)

	622 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))

	623 { const unsigned char cryptopro_ext[36] = {

	624 0xfd, 0xe8, /65000/

	625 0x00, 0x20, /32 bytes length/

	626 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,

	627 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,

	628 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,

	629 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};

	630 if (limit-ret<36) return NULL;

	631 memcpy(ret,cryptopro_ext,36);

	632 ret+=36;

	633

	634 }

	635

	636 #ifndef OPENSSL_NO_NEXTPROTONEG

352 next_proto_neg_seen = s->s3->next_proto_neg_seen;	637 next_proto_neg_seen = s->s3->next_proto_neg_seen;

353 s->s3->next_proto_neg_seen = 0;	638 s->s3->next_proto_neg_seen = 0;

354 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)	639 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)

355 {	640 {

356 const unsigned char *npa;	641 const unsigned char *npa;

357 unsigned int npalen;	642 unsigned int npalen;

358 int r;	643 int r;

359	644

360 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx-> next_protos_advertised_cb_arg);	645 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx-> next_protos_advertised_cb_arg);

361 if (r == SSL_TLSEXT_ERR_OK)	646 if (r == SSL_TLSEXT_ERR_OK)

362 {	647 {

363 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;	648 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;

364 s2n(TLSEXT_TYPE_next_proto_neg,ret);	649 s2n(TLSEXT_TYPE_next_proto_neg,ret);

365 s2n(npalen,ret);	650 s2n(npalen,ret);

366 memcpy(ret, npa, npalen);	651 memcpy(ret, npa, npalen);

367 ret += npalen;	652 ret += npalen;

368 s->s3->next_proto_neg_seen = 1;	653 s->s3->next_proto_neg_seen = 1;

369 }	654 }

370 }	655 }

371	656 #endif

372 » if (s->s3->snap_start_ext_seen)

373 » » {

374 » » if ((long)(limit - ret - 14) < 0) return NULL;

375 » » s2n(TLSEXT_TYPE_snap_start,ret);

376 » » s2n(10,ret); /* extension length */

377 » » memcpy(ret, s->ctx->snap_start_orbit, 8);

378 » » ret += 8;

379 » » /* This is the ciphersuite that we would pick in the event of a

380 » » * Snap Start handshake. (Maybe the server wants to do EDH

381 » » * unless the client is Snap Start capable). At the moment we

382 » » * don't have any logic to pick a different cipher suite so we

383 » » * repeat the choice from the ServerHello. */

384 » » s2n(s->s3->tmp.new_cipher->id & 0xffff,ret);

385 » » }

386	657

387 if ((extdatalen = ret-p-2)== 0)	658 if ((extdatalen = ret-p-2)== 0)

388 return p;	659 return p;

389	660

390 s2n(extdatalen,p);	661 s2n(extdatalen,p);

391 return ret;	662 return ret;

392 }	663 }

393	664

394

395 static int ssl_hash_snap_start_client_hello(SSL* s,

396 const char* data,

397 unsigned len,

398 unsigned ext_len)

399 {

400 /* We walk the ClientHello from the beginning, writing

401 * adjusted lengths into \|b\| and hashing as we go.

402 *

403 * The resulting ClientHello is going to be shorter by the length of

404 * this extension, which is \|ext_len + 4\| (two bytes for the type and tw o for

405 * the length). */

406

407 const unsigned char *p;

408 unsigned remaining;

409 unsigned char b[3], *c;

410 unsigned long l;

411

412 p = (unsigned char*) data;

413 remaining = len;

414 /* Handshake header: type */

415 if (!remaining)

416 return 0;

417 ssl3_finish_mac(s, p, 1);

418 p++;

419 remaining--;

420 /* Handshake header: length */

421 if (remaining < 3)

422 return 0;

423 n2l3(p, l);

424 l -= ext_len + 4;

425 c = b;

426 l2n3(l, c);

427 ssl3_finish_mac(s, b, 3);

428 remaining -= 3;

429 /* ClientHello: version and random */

430 if (remaining < 34)

431 return 0;

432 ssl3_finish_mac(s, p, 34);

433 p += 34;

434 remaining -= 34;

435 /* ClientHello: session id length */

436 if (!remaining)

437 return 0;

438 l = *p;

439 ssl3_finish_mac(s, p, 1);

440 p++;

441 remaining--;

442 /* ClientHello: session id */

443 if (remaining < l)

444 return 0;

445 ssl3_finish_mac(s, p, l);

446 p += l;

447 remaining -= l;

448 /* ClientHello: cipher suites length */

449 if (remaining < 2)

450 return 0;

451 ssl3_finish_mac(s, p, 2);

452 n2s(p, l);

453 remaining -= 2;

454 /* ClientHello: cipher suites */

455 if (remaining < l)

456 return 0;

457 ssl3_finish_mac(s, p, l);

458 p += l;

459 remaining -= l;

460 /* ClientHello: compression methods length */

461 if (!remaining)

462 return 0;

463 l = *p;

464 ssl3_finish_mac(s, p, 1);

465 p++;

466 remaining--;

467 /* ClientHello: compression methods */

468 if (remaining < l)

469 return 0;

470 ssl3_finish_mac(s, p, l);

471 p += l;

472 remaining -= l;

473 /* ClientHello: extensions length (must exist given that we're already

474 * parsing the extensions from it */

475 if (remaining < 2)

476 return 0;

477 n2s(p, l);

478 remaining -= 2;

479 if (l != remaining \|\| l < ext_len + 4)

480 return 0;

481 l -= ext_len + 4;

482 c = b;

483 s2n(l, c);

484 ssl3_finish_mac(s, b, 2);

485

486 while (remaining)

487 {

488 unsigned long extension_type, extension_len;

489 if (remaining < 4)

490 return 0;

491 n2s(p, extension_type);

492 n2s(p, extension_len);

493 remaining -= 4;

494 if (remaining < extension_len)

495 return 0;

496 if (extension_type != TLSEXT_TYPE_snap_start)

497 ssl3_finish_mac(s, p - 4, extension_len + 4);

498 p += extension_len;

499 remaining -= extension_len;

500 }

501

502 return 1;

503 }

504

505 static char ssl_parse_snap_start_tlsext(SSL s, const unsigned char data, unsig ned short len)

506 {

507 ptrdiff_t extension_offset = data - (unsigned char *) s->init_buf->data;

508

509 if (len > 0 && len < 36)

510 return 0;

511 s->s3->snap_start_ext_seen = 1;

512 if (len == 0)

513 return 1;

514

515 fnv1a64_init((FNV1A64*) s->s3->response_hash);

516

517 /* We need to make a copy of the ClientHello because we'll be hashing a

518 * modified version. However, if we enter recovery then we need to hash

519 * the unchanged message.

520 *

521 * We are adding 4 bytes to the length here because we're including the

522 * handshake header. */

523 s->s3->snap_start_client_hello.left = s->init_num + 4;

524 s->s3->snap_start_client_hello.offset = 0;

525 s->s3->snap_start_client_hello.buf = OPENSSL_malloc(s->init_num + 4);

526 if (!s->s3->snap_start_client_hello.buf)

527 {

528 /* If we're out of memory then we pretend that we

529 * didn't see the extension. */

530 s->s3->snap_start_ext_seen = 0;

531 return 1;

532 }

533

534 memcpy(s->s3->snap_start_client_hello.buf, s->init_buf->data, s->init_nu m + 4);

535 memcpy(s->s3->server_random, s->s3->client_random, 4); /* time */

536 memcpy(s->s3->server_random + 4, data, 28); /* orbit and random bytes */

537 memcpy(s->s3->predicted_response_hash, data + 28, 8);

538

539 /* Point snap_start_records to within the copy of the ClientHello */

540 s->s3->snap_start_records.offset = 0;

541 s->s3->snap_start_records.left = len - 36;

542 s->s3->snap_start_records.buf = s->s3->snap_start_client_hello.buf + ext ension_offset + 36;

543

544 /* Reset the handshake hash */

545 ssl3_init_finished_mac(s);

546

547 /* Need to hash the ClientHello as if the snap start extension wasn't

548 * included. */

549 if (!ssl_hash_snap_start_client_hello(

550 s,

551 s->init_buf->data,

552 s->init_num + 4 /* four bytes of handshake header */,

553 len))

554 {

555 return 0;

556 }

557

558 s->s3->snap_start_requested = 1;

559 return 1;

560 }

561

562 int ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d, in t n, int *al)	665 int ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d, in t n, int *al)

563 {	666 {

564 unsigned short type;	667 unsigned short type;

565 unsigned short size;	668 unsigned short size;

566 unsigned short len;	669 unsigned short len;

567 unsigned char data = p;	670 unsigned char data = p;

568 int renegotiate_seen = 0;	671 int renegotiate_seen = 0;

569	672

570 s->servername_done = 0;	673 s->servername_done = 0;

571 s->tlsext_status_type = -1;	674 s->tlsext_status_type = -1;

572	675

573 if (data >= (d+n-2))	676 if (data >= (d+n-2))

574 goto ri_check;	677 goto ri_check;

575

576 n2s(data,len);	678 n2s(data,len);

577	679

578 if (data > (d+n-len))	680 if (data > (d+n-len))

579 goto ri_check;	681 goto ri_check;

580	682

581 while (data <= (d+n-4))	683 while (data <= (d+n-4))

582 {	684 {

583 n2s(data,type);	685 n2s(data,type);

584 n2s(data,size);	686 n2s(data,size);

585	687

586 if (data+size > (d+n))	688 if (data+size > (d+n))

587 goto ri_check;	689 goto ri_check;

588	690 #if 0

	691 » » fprintf(stderr,"Received extension type %d size %d\n",type,size) ;

	692 #endif

589 if (s->tlsext_debug_cb)	693 if (s->tlsext_debug_cb)

590 s->tlsext_debug_cb(s, 0, type, data, size,	694 s->tlsext_debug_cb(s, 0, type, data, size,

591 s->tlsext_debug_arg);	695 s->tlsext_debug_arg);

592 /* The servername extension is treated as follows:	696 /* The servername extension is treated as follows:

593	697

594 - Only the hostname type is supported with a maximum length of 255.	698 - Only the hostname type is supported with a maximum length of 255.

595 - The servername is rejected if too long or if it contains zeros,	699 - The servername is rejected if too long or if it contains zeros,

596 in which case an fatal alert is generated.	700 in which case an fatal alert is generated.

597 - The servername field is maintained together with the session cache.	701 - The servername field is maintained together with the session cache.

598 - When a session is resumed, the servername call back invoked in order	702 - When a session is resumed, the servername call back invoked in order

(...skipping 41 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
640	744

641 if (len > dsize)	745 if (len > dsize)

642 {	746 {

643 *al = SSL_AD_DECODE_ERROR;	747 *al = SSL_AD_DECODE_ERROR;

644 return 0;	748 return 0;

645 }	749 }

646 if (s->servername_done == 0)	750 if (s->servername_done == 0)

647 switch (servname_type)	751 switch (servname_type)

648 {	752 {

649 case TLSEXT_NAMETYPE_host_name:	753 case TLSEXT_NAMETYPE_host_name:

650 » » » » » if (s->session->tlsext_hostname == NULL)	754 » » » » » if (!s->hit)

651 {	755 {

652 » » » » » » if (len > TLSEXT_MAXLEN_host_nam e \|\|	756 » » » » » » if(s->session->tlsext_hostname)

653 » » » » » » » ((s->session->tlsext_hos tname = OPENSSL_malloc(len+1)) == NULL))	757 » » » » » » » {

	758 » » » » » » » *al = SSL_AD_DECODE_ERRO R;

	759 » » » » » » » return 0;

	760 » » » » » » » }

	761 » » » » » » if (len > TLSEXT_MAXLEN_host_nam e)

654 {	762 {

655 *al = TLS1_AD_UNRECOGNIZ ED_NAME;	763 *al = TLS1_AD_UNRECOGNIZ ED_NAME;

656 return 0;	764 return 0;

657 }	765 }

	766 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)

	767 {

	768 *al = TLS1_AD_INTERNAL_E RROR;

	769 return 0;

	770 }

658 memcpy(s->session->tlsext_hostna me, sdata, len);	771 memcpy(s->session->tlsext_hostna me, sdata, len);

659 s->session->tlsext_hostname[len] ='\0';	772 s->session->tlsext_hostname[len] ='\0';

660 if (strlen(s->session->tlsext_ho stname) != len) {	773 if (strlen(s->session->tlsext_ho stname) != len) {

661 OPENSSL_free(s->session- >tlsext_hostname);	774 OPENSSL_free(s->session- >tlsext_hostname);

662 s->session->tlsext_hostn ame = NULL;	775 s->session->tlsext_hostn ame = NULL;

663 *al = TLS1_AD_UNRECOGNIZ ED_NAME;	776 *al = TLS1_AD_UNRECOGNIZ ED_NAME;

664 return 0;	777 return 0;

665 }	778 }

666 s->servername_done = 1;	779 s->servername_done = 1;

667	780

668 }	781 }

669 else	782 else

670 » » » » » » s->servername_done = strlen(s->s ession->tlsext_hostname) == len	783 » » » » » » s->servername_done = s->session- >tlsext_hostname

	784 » » » » » » » && strlen(s->session->tl sext_hostname) == len

671 && strncmp(s->session->t lsext_hostname, (char *)sdata, len) == 0;	785 && strncmp(s->session->t lsext_hostname, (char *)sdata, len) == 0;

672	786

673 break;	787 break;

674	788

675 default:	789 default:

676 break;	790 break;

677 }	791 }

678	792

679 dsize -= len;	793 dsize -= len;

680 }	794 }

681 if (dsize != 0)	795 if (dsize != 0)

682 {	796 {

683 *al = SSL_AD_DECODE_ERROR;	797 *al = SSL_AD_DECODE_ERROR;

684 return 0;	798 return 0;

685 }	799 }

686	800

687 }	801 }

	802

	803 #ifndef OPENSSL_NO_EC

	804 else if (type == TLSEXT_TYPE_ec_point_formats &&

	805 s->version != DTLS1_VERSION)

	806 {

	807 unsigned char *sdata = data;

	808 int ecpointformatlist_length = *(sdata++);

	809

	810 if (ecpointformatlist_length != size - 1)

	811 {

	812 *al = TLS1_AD_DECODE_ERROR;

	813 return 0;

	814 }

	815 if (!s->hit)

	816 {

	817 if(s->session->tlsext_ecpointformatlist)

	818 {

	819 OPENSSL_free(s->session->tlsext_ecpointf ormatlist);

	820 s->session->tlsext_ecpointformatlist = N ULL;

	821 }

	822 s->session->tlsext_ecpointformatlist_length = 0;

	823 if ((s->session->tlsext_ecpointformatlist = OPEN SSL_malloc(ecpointformatlist_length)) == NULL)

	824 {

	825 *al = TLS1_AD_INTERNAL_ERROR;

	826 return 0;

	827 }

	828 s->session->tlsext_ecpointformatlist_length = ec pointformatlist_length;

	829 memcpy(s->session->tlsext_ecpointformatlist, sda ta, ecpointformatlist_length);

	830 }

	831 #if 0

	832 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session- >tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_le ngth);

	833 sdata = s->session->tlsext_ecpointformatlist;

	834 for (i = 0; i < s->session->tlsext_ecpointformatlist_len gth; i++)

	835 fprintf(stderr,"%i ",*(sdata++));

	836 fprintf(stderr,"\n");

	837 #endif

	838 }

	839 else if (type == TLSEXT_TYPE_elliptic_curves &&

	840 s->version != DTLS1_VERSION)

	841 {

	842 unsigned char *sdata = data;

	843 int ellipticcurvelist_length = (*(sdata++) << 8);

	844 ellipticcurvelist_length += (*(sdata++));

	845

	846 if (ellipticcurvelist_length != size - 2)

	847 {

	848 *al = TLS1_AD_DECODE_ERROR;

	849 return 0;

	850 }

	851 if (!s->hit)

	852 {

	853 if(s->session->tlsext_ellipticcurvelist)

	854 {

	855 *al = TLS1_AD_DECODE_ERROR;

	856 return 0;

	857 }

	858 s->session->tlsext_ellipticcurvelist_length = 0;

	859 if ((s->session->tlsext_ellipticcurvelist = OPEN SSL_malloc(ellipticcurvelist_length)) == NULL)

	860 {

	861 *al = TLS1_AD_INTERNAL_ERROR;

	862 return 0;

	863 }

	864 s->session->tlsext_ellipticcurvelist_length = el lipticcurvelist_length;

	865 memcpy(s->session->tlsext_ellipticcurvelist, sda ta, ellipticcurvelist_length);

	866 }

	867 #if 0

	868 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session- >tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_le ngth);

	869 sdata = s->session->tlsext_ellipticcurvelist;

	870 for (i = 0; i < s->session->tlsext_ellipticcurvelist_len gth; i++)

	871 fprintf(stderr,"%i ",*(sdata++));

	872 fprintf(stderr,"\n");

	873 #endif

	874 }

	875 #endif /* OPENSSL_NO_EC */

	876 #ifdef TLSEXT_TYPE_opaque_prf_input

	877 else if (type == TLSEXT_TYPE_opaque_prf_input &&

	878 s->version != DTLS1_VERSION)

	879 {

	880 unsigned char *sdata = data;

	881

	882 if (size < 2)

	883 {

	884 *al = SSL_AD_DECODE_ERROR;

	885 return 0;

	886 }

	887 n2s(sdata, s->s3->client_opaque_prf_input_len);

	888 if (s->s3->client_opaque_prf_input_len != size - 2)

	889 {

	890 *al = SSL_AD_DECODE_ERROR;

	891 return 0;

	892 }

	893

	894 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */

	895 OPENSSL_free(s->s3->client_opaque_prf_input);

	896 if (s->s3->client_opaque_prf_input_len == 0)

	897 s->s3->client_opaque_prf_input = OPENSSL_malloc( 1); /* dummy byte just to get non-NULL */

	898 else

	899 s->s3->client_opaque_prf_input = BUF_memdup(sdat a, s->s3->client_opaque_prf_input_len);

	900 if (s->s3->client_opaque_prf_input == NULL)

	901 {

	902 *al = TLS1_AD_INTERNAL_ERROR;

	903 return 0;

	904 }

	905 }

	906 #endif

	907 else if (type == TLSEXT_TYPE_session_ticket)

	908 {

	909 if (s->tls_session_ticket_ext_cb &&

	910 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_ session_ticket_ext_cb_arg))

	911 {

	912 *al = TLS1_AD_INTERNAL_ERROR;

	913 return 0;

	914 }

	915 }

688 else if (type == TLSEXT_TYPE_renegotiate)	916 else if (type == TLSEXT_TYPE_renegotiate)

689 {	917 {

690 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))	918 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))

691 return 0;	919 return 0;

692 renegotiate_seen = 1;	920 renegotiate_seen = 1;

693 }	921 }

694 else if (type == TLSEXT_TYPE_status_request &&	922 else if (type == TLSEXT_TYPE_status_request &&

695 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb )	923 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb )

696 {	924 {

697	925

(...skipping 21 matching lines...) Expand all Loading...
719 {	947 {

720 OCSP_RESPID *id;	948 OCSP_RESPID *id;

721 int idsize;	949 int idsize;

722 if (dsize < 4)	950 if (dsize < 4)

723 {	951 {

724 *al = SSL_AD_DECODE_ERROR;	952 *al = SSL_AD_DECODE_ERROR;

725 return 0;	953 return 0;

726 }	954 }

727 n2s(data, idsize);	955 n2s(data, idsize);

728 dsize -= 2 + idsize;	956 dsize -= 2 + idsize;

	957 size -= 2 + idsize;

729 if (dsize < 0)	958 if (dsize < 0)

730 {	959 {

731 *al = SSL_AD_DECODE_ERROR;	960 *al = SSL_AD_DECODE_ERROR;

732 return 0;	961 return 0;

733 }	962 }

734 sdata = data;	963 sdata = data;

735 data += idsize;	964 data += idsize;

736 id = d2i_OCSP_RESPID(NULL,	965 id = d2i_OCSP_RESPID(NULL,

737 &sdata, idsize);	966 &sdata, idsize);

738 if (!id)	967 if (!id)

(...skipping 18 matching lines...) Expand all Loading...
757 if (!sk_OCSP_RESPID_push(	986 if (!sk_OCSP_RESPID_push(

758 s->tlsext_ocsp_ids, id))	987 s->tlsext_ocsp_ids, id))

759 {	988 {

760 OCSP_RESPID_free(id);	989 OCSP_RESPID_free(id);

761 *al = SSL_AD_INTERNAL_ERROR;	990 *al = SSL_AD_INTERNAL_ERROR;

762 return 0;	991 return 0;

763 }	992 }

764 }	993 }

765	994

766 /* Read in request_extensions */	995 /* Read in request_extensions */

767 » » » » n2s(data,dsize);	996 » » » » if (size < 2)

768 » » » » size -= 2;

769 » » » » if (dsize > size)

770 {	997 {

771 *al = SSL_AD_DECODE_ERROR;	998 *al = SSL_AD_DECODE_ERROR;

772 return 0;	999 return 0;

	1000 }

	1001 n2s(data,dsize);

	1002 size -= 2;

	1003 if (dsize != size)

	1004 {

	1005 *al = SSL_AD_DECODE_ERROR;

	1006 return 0;

773 }	1007 }

774 sdata = data;	1008 sdata = data;

775 if (dsize > 0)	1009 if (dsize > 0)

776 {	1010 {

	1011 if (s->tlsext_ocsp_exts)

	1012 {

	1013 sk_X509_EXTENSION_pop_free(s->tl sext_ocsp_exts,

	1014 X509_ EXTENSION_free);

	1015 }

	1016

777 s->tlsext_ocsp_exts =	1017 s->tlsext_ocsp_exts =

778 d2i_X509_EXTENSIONS(NULL,	1018 d2i_X509_EXTENSIONS(NULL,

779 &sdata, dsize);	1019 &sdata, dsize);

780 if (!s->tlsext_ocsp_exts	1020 if (!s->tlsext_ocsp_exts

781 \|\| (data + dsize != sdata))	1021 \|\| (data + dsize != sdata))

782 {	1022 {

783 *al = SSL_AD_DECODE_ERROR;	1023 *al = SSL_AD_DECODE_ERROR;

784 return 0;	1024 return 0;

785 }	1025 }

786 }	1026 }

787 }	1027 }

788 /* We don't know what to do with any other type	1028 /* We don't know what to do with any other type

789 * so ignore it.	1029 * so ignore it.

790 */	1030 */

791 else	1031 else

792 s->tlsext_status_type = -1;	1032 s->tlsext_status_type = -1;

793 }	1033 }

794 » » else if (type == TLSEXT_TYPE_next_proto_neg)	1034 #ifndef OPENSSL_NO_NEXTPROTONEG

	1035 » » else if (type == TLSEXT_TYPE_next_proto_neg &&

	1036 s->s3->tmp.finish_md_len == 0)

795 {	1037 {

796 /* We shouldn't accept this extension on a	1038 /* We shouldn't accept this extension on a

797 » » » * renegotiation, but we currently do.	1039 » » » * renegotiation.

798 *	1040 *

799 * s->new_session will be set on renegotiation, but we	1041 * s->new_session will be set on renegotiation, but we

800 * probably shouldn't rely that it couldn't be set on	1042 * probably shouldn't rely that it couldn't be set on

801 * the initial renegotation too in certain cases (when	1043 * the initial renegotation too in certain cases (when

802 * there's some other reason to disallow resuming an	1044 * there's some other reason to disallow resuming an

803 * earlier session -- the current code won't be doing	1045 * earlier session -- the current code won't be doing

804 * anything like that, but this might change).	1046 * anything like that, but this might change).

805	1047

806 * A valid sign that there's been a previous handshake	1048 * A valid sign that there's been a previous handshake

807 * in this connection is if s->s3->tmp.finish_md_len >	1049 * in this connection is if s->s3->tmp.finish_md_len >

808 * 0. (We are talking about a check that will happen	1050 * 0. (We are talking about a check that will happen

809 * in the Hello protocol round, well before a new	1051 * in the Hello protocol round, well before a new

810 * Finished message could have been computed.) */	1052 * Finished message could have been computed.) */

811 s->s3->next_proto_neg_seen = 1;	1053 s->s3->next_proto_neg_seen = 1;

812 }	1054 }

813	1055 #endif

814 » » else if (type == TLSEXT_TYPE_snap_start && s->ctx->snap_start_or bit_valid)

815 » » » {

816 » » » if (ssl_parse_snap_start_tlsext(s, data, size) == 0)

817 » » » » return 0;

818 » » » }

819	1056

820 /* session ticket processed earlier */	1057 /* session ticket processed earlier */

821	1058 » » data+=size;

822 » » data+=size;» »

823 }	1059 }

	1060

824 *p = data;	1061 *p = data;

825	1062

826 ri_check:	1063 ri_check:

827	1064

828 /* Need RI if renegotiating */	1065 /* Need RI if renegotiating */

829	1066

830 if (!renegotiate_seen && s->new_session &&	1067 if (!renegotiate_seen && s->new_session &&

831 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))	1068 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))

832 {	1069 {

833 *al = SSL_AD_HANDSHAKE_FAILURE;	1070 *al = SSL_AD_HANDSHAKE_FAILURE;

834 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,	1071 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,

835 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);	1072 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);

836 return 0;	1073 return 0;

837 }	1074 }

838	1075

839 return 1;	1076 return 1;

840 }	1077 }

841	1078

	1079 #ifndef OPENSSL_NO_NEXTPROTONEG

842 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No	1080 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No

843 * elements of zero length are allowed and the set of elements must exactly fill	1081 * elements of zero length are allowed and the set of elements must exactly fill

844 * the length of the block. */	1082 * the length of the block. */

845 static char ssl_next_proto_validate(unsigned char *d, unsigned len)	1083 static int ssl_next_proto_validate(unsigned char *d, unsigned len)

846 {	1084 {

847 unsigned int off = 0;	1085 unsigned int off = 0;

848	1086

849 while (off < len)	1087 while (off < len)

850 {	1088 {

851 if (d[off] == 0)	1089 if (d[off] == 0)

852 return 0;	1090 return 0;

853 off += d[off];	1091 off += d[off];

854 off++;	1092 off++;

855 }	1093 }

856	1094

857 return off == len;	1095 return off == len;

858 }	1096 }

	1097 #endif

859	1098

860 int ssl_parse_serverhello_tlsext(SSL s, unsigned char p, unsigned char d, in t n, int *al)	1099 int ssl_parse_serverhello_tlsext(SSL s, unsigned char p, unsigned char d, in t n, int *al)

861 {	1100 {

	1101 unsigned short length;

862 unsigned short type;	1102 unsigned short type;

863 unsigned short size;	1103 unsigned short size;

864 unsigned short len;

865 unsigned char data = p;	1104 unsigned char data = p;

866 int tlsext_servername = 0;	1105 int tlsext_servername = 0;

867 int renegotiate_seen = 0;	1106 int renegotiate_seen = 0;

868	1107

869 if (data >= (d+n-2))	1108 if (data >= (d+n-2))

870 goto ri_check;	1109 goto ri_check;

871	1110

872 » n2s(data,len);	1111 » n2s(data,length);

	1112 » if (data+length != d+n)

	1113 » » {

	1114 » » *al = SSL_AD_DECODE_ERROR;

	1115 » » return 0;

	1116 » » }

873	1117

874 while(data <= (d+n-4))	1118 while(data <= (d+n-4))

875 {	1119 {

876 n2s(data,type);	1120 n2s(data,type);

877 n2s(data,size);	1121 n2s(data,size);

878	1122

879 if (data+size > (d+n))	1123 if (data+size > (d+n))

880 goto ri_check;	1124 goto ri_check;

881	1125

882 if (s->tlsext_debug_cb)	1126 if (s->tlsext_debug_cb)

883 s->tlsext_debug_cb(s, 1, type, data, size,	1127 s->tlsext_debug_cb(s, 1, type, data, size,

884 s->tlsext_debug_arg);	1128 s->tlsext_debug_arg);

885	1129

886 if (type == TLSEXT_TYPE_server_name)	1130 if (type == TLSEXT_TYPE_server_name)

887 {	1131 {

888 if (s->tlsext_hostname == NULL \|\| size > 0)	1132 if (s->tlsext_hostname == NULL \|\| size > 0)

889 {	1133 {

890 *al = TLS1_AD_UNRECOGNIZED_NAME;	1134 *al = TLS1_AD_UNRECOGNIZED_NAME;

891 return 0;	1135 return 0;

892 }	1136 }

893 tlsext_servername = 1;	1137 tlsext_servername = 1;

894 }	1138 }

	1139

	1140 #ifndef OPENSSL_NO_EC

	1141 else if (type == TLSEXT_TYPE_ec_point_formats &&

	1142 s->version != DTLS1_VERSION)

	1143 {

	1144 unsigned char *sdata = data;

	1145 int ecpointformatlist_length = *(sdata++);

	1146

	1147 if (ecpointformatlist_length != size - 1)

	1148 {

	1149 *al = TLS1_AD_DECODE_ERROR;

	1150 return 0;

	1151 }

	1152 s->session->tlsext_ecpointformatlist_length = 0;

	1153 if (s->session->tlsext_ecpointformatlist != NULL) OPENSS L_free(s->session->tlsext_ecpointformatlist);

	1154 if ((s->session->tlsext_ecpointformatlist = OPENSSL_mall oc(ecpointformatlist_length)) == NULL)

	1155 {

	1156 *al = TLS1_AD_INTERNAL_ERROR;

	1157 return 0;

	1158 }

	1159 s->session->tlsext_ecpointformatlist_length = ecpointfor matlist_length;

	1160 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpo intformatlist_length);

	1161 #if 0

	1162 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session- >tlsext_ecpointformatlist ");

	1163 sdata = s->session->tlsext_ecpointformatlist;

	1164 for (i = 0; i < s->session->tlsext_ecpointformatlist_len gth; i++)

	1165 fprintf(stderr,"%i ",*(sdata++));

	1166 fprintf(stderr,"\n");

	1167 #endif

	1168 }

	1169 #endif /* OPENSSL_NO_EC */

	1170

895 else if (type == TLSEXT_TYPE_session_ticket)	1171 else if (type == TLSEXT_TYPE_session_ticket)

896 {	1172 {

	1173 if (s->tls_session_ticket_ext_cb &&

	1174 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_ session_ticket_ext_cb_arg))

	1175 {

	1176 *al = TLS1_AD_INTERNAL_ERROR;

	1177 return 0;

	1178 }

897 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)	1179 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)

898 \|\| (size > 0))	1180 \|\| (size > 0))

899 {	1181 {

900 *al = TLS1_AD_UNSUPPORTED_EXTENSION;	1182 *al = TLS1_AD_UNSUPPORTED_EXTENSION;

901 return 0;	1183 return 0;

902 }	1184 }

903 s->tlsext_ticket_expected = 1;	1185 s->tlsext_ticket_expected = 1;

904 }	1186 }

	1187 #ifdef TLSEXT_TYPE_opaque_prf_input

	1188 else if (type == TLSEXT_TYPE_opaque_prf_input &&

	1189 s->version != DTLS1_VERSION)

	1190 {

	1191 unsigned char *sdata = data;

	1192

	1193 if (size < 2)

	1194 {

	1195 *al = SSL_AD_DECODE_ERROR;

	1196 return 0;

	1197 }

	1198 n2s(sdata, s->s3->server_opaque_prf_input_len);

	1199 if (s->s3->server_opaque_prf_input_len != size - 2)

	1200 {

	1201 *al = SSL_AD_DECODE_ERROR;

	1202 return 0;

	1203 }

	1204

	1205 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */

	1206 OPENSSL_free(s->s3->server_opaque_prf_input);

	1207 if (s->s3->server_opaque_prf_input_len == 0)

	1208 s->s3->server_opaque_prf_input = OPENSSL_malloc( 1); /* dummy byte just to get non-NULL */

	1209 else

	1210 s->s3->server_opaque_prf_input = BUF_memdup(sdat a, s->s3->server_opaque_prf_input_len);

	1211

	1212 if (s->s3->server_opaque_prf_input == NULL)

	1213 {

	1214 *al = TLS1_AD_INTERNAL_ERROR;

	1215 return 0;

	1216 }

	1217 }

	1218 #endif

905 else if (type == TLSEXT_TYPE_status_request &&	1219 else if (type == TLSEXT_TYPE_status_request &&

906 s->version != DTLS1_VERSION)	1220 s->version != DTLS1_VERSION)

907 {	1221 {

908 /* MUST be empty and only sent if we've requested	1222 /* MUST be empty and only sent if we've requested

909 * a status request message.	1223 * a status request message.

910 */	1224 */

911 if ((s->tlsext_status_type == -1) \|\| (size > 0))	1225 if ((s->tlsext_status_type == -1) \|\| (size > 0))

912 {	1226 {

913 *al = TLS1_AD_UNSUPPORTED_EXTENSION;	1227 *al = TLS1_AD_UNSUPPORTED_EXTENSION;

914 return 0;	1228 return 0;

915 }	1229 }

916 /* Set flag to expect CertificateStatus message */	1230 /* Set flag to expect CertificateStatus message */

917 s->tlsext_status_expected = 1;	1231 s->tlsext_status_expected = 1;

918 }	1232 }

	1233 #ifndef OPENSSL_NO_NEXTPROTONEG

919 else if (type == TLSEXT_TYPE_next_proto_neg)	1234 else if (type == TLSEXT_TYPE_next_proto_neg)

920 {	1235 {

921 unsigned char *selected;	1236 unsigned char *selected;

922 unsigned char selected_len;	1237 unsigned char selected_len;

923	1238

924 /* We must have requested it. */	1239 /* We must have requested it. */

925 if ((s->ctx->next_proto_select_cb == NULL))	1240 if ((s->ctx->next_proto_select_cb == NULL))

926 {	1241 {

927 *al = TLS1_AD_UNSUPPORTED_EXTENSION;	1242 *al = TLS1_AD_UNSUPPORTED_EXTENSION;

928 return 0;	1243 return 0;

(...skipping 11 matching lines...) Expand all Loading...
940 }	1255 }

941 s->next_proto_negotiated = OPENSSL_malloc(selected_len);	1256 s->next_proto_negotiated = OPENSSL_malloc(selected_len);

942 if (!s->next_proto_negotiated)	1257 if (!s->next_proto_negotiated)

943 {	1258 {

944 *al = TLS1_AD_INTERNAL_ERROR;	1259 *al = TLS1_AD_INTERNAL_ERROR;

945 return 0;	1260 return 0;

946 }	1261 }

947 memcpy(s->next_proto_negotiated, selected, selected_len) ;	1262 memcpy(s->next_proto_negotiated, selected, selected_len) ;

948 s->next_proto_negotiated_len = selected_len;	1263 s->next_proto_negotiated_len = selected_len;

949 }	1264 }

	1265 #endif

950 else if (type == TLSEXT_TYPE_renegotiate)	1266 else if (type == TLSEXT_TYPE_renegotiate)

951 {	1267 {

952 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))	1268 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))

953 return 0;	1269 return 0;

954 renegotiate_seen = 1;	1270 renegotiate_seen = 1;

955 }	1271 }

956 data+=size;	1272 data+=size;

957 }	1273 }

958	1274

959 if (data != d+n)	1275 if (data != d+n)

(...skipping 40 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1000 {	1316 {

1001 *al = SSL_AD_HANDSHAKE_FAILURE;	1317 *al = SSL_AD_HANDSHAKE_FAILURE;

1002 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,	1318 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,

1003 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);	1319 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);

1004 return 0;	1320 return 0;

1005 }	1321 }

1006	1322

1007 return 1;	1323 return 1;

1008 }	1324 }

1009	1325

	1326

	1327 int ssl_prepare_clienthello_tlsext(SSL *s)

	1328 {

	1329 #ifndef OPENSSL_NO_EC

	1330 /* If we are client and using an elliptic curve cryptography cipher suit e, send the point formats

	1331 * and elliptic curves we support.

	1332 */

	1333 int using_ecc = 0;

	1334 int i;

	1335 unsigned char *j;

	1336 unsigned long alg_k, alg_a;

	1337 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);

	1338

	1339 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)

	1340 {

	1341 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);

	1342

	1343 alg_k = c->algorithm_mkey;

	1344 alg_a = c->algorithm_auth;

	1345 if ((alg_k & (SSL_kEECDH\|SSL_kECDHr\|SSL_kECDHe) \|\| (alg_a & SSL_ aECDSA)))

	1346 {

	1347 using_ecc = 1;

	1348 break;

	1349 }

	1350 }

	1351 using_ecc = using_ecc && (s->version == TLS1_VERSION);

	1352 if (using_ecc)

	1353 {

	1354 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ ecpointformatlist);

	1355 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)

	1356 {

	1357 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC _FAILURE);

	1358 return -1;

	1359 }

	1360 s->tlsext_ecpointformatlist_length = 3;

	1361 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompress ed;

	1362 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_c ompressed_prime;

	1363 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_c ompressed_char2;

	1364

	1365 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */

	1366 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ ellipticcurvelist);

	1367 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid _list[0]) * 2;

	1368 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_elli pticcurvelist_length)) == NULL)

	1369 {

	1370 s->tlsext_ellipticcurvelist_length = 0;

	1371 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC _FAILURE);

	1372 return -1;

	1373 }

	1374 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=

	1375 sizeof(nid_list)/sizeof(nid_list[0]); i++)

	1376 s2n(i,j);

	1377 }

	1378 #endif /* OPENSSL_NO_EC */

	1379

	1380 #ifdef TLSEXT_TYPE_opaque_prf_input

	1381 {

	1382 int r = 1;

	1383

	1384 if (s->ctx->tlsext_opaque_prf_input_callback != 0)

	1385 {

	1386 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);

	1387 if (!r)

	1388 return -1;

	1389 }

	1390

	1391 if (s->tlsext_opaque_prf_input != NULL)

	1392 {

	1393 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */

	1394 OPENSSL_free(s->s3->client_opaque_prf_input);

	1395

	1396 if (s->tlsext_opaque_prf_input_len == 0)

	1397 s->s3->client_opaque_prf_input = OPENSSL_malloc( 1); /* dummy byte just to get non-NULL */

	1398 else

	1399 s->s3->client_opaque_prf_input = BUF_memdup(s->t lsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);

	1400 if (s->s3->client_opaque_prf_input == NULL)

	1401 {

	1402 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_ R_MALLOC_FAILURE);

	1403 return -1;

	1404 }

	1405 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_pr f_input_len;

	1406 }

	1407

	1408 if (r == 2)

	1409 /* at callback's request, insist on receiving an appropr iate server opaque PRF input */

	1410 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_pr f_input_len;

	1411 }

	1412 #endif

	1413

	1414 return 1;

	1415 }

	1416

	1417 int ssl_prepare_serverhello_tlsext(SSL *s)

	1418 {

	1419 #ifndef OPENSSL_NO_EC

	1420 /* If we are server and using an ECC cipher suite, send the point format s we support

	1421 * if the client sent us an ECPointsFormat extension. Note that the ser ver is not

	1422 * supposed to send an EllipticCurves extension.

	1423 */

	1424

	1425 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

	1426 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;

	1427 int using_ecc = (alg_k & (SSL_kEECDH\|SSL_kECDHr\|SSL_kECDHe)) \|\| (alg_a & SSL_aECDSA);

	1428 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);

	1429

	1430 if (using_ecc)

	1431 {

	1432 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ ecpointformatlist);

	1433 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)

	1434 {

	1435 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC _FAILURE);

	1436 return -1;

	1437 }

	1438 s->tlsext_ecpointformatlist_length = 3;

	1439 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompress ed;

	1440 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_c ompressed_prime;

	1441 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_c ompressed_char2;

	1442 }

	1443 #endif /* OPENSSL_NO_EC */

	1444

	1445 return 1;

	1446 }

	1447

1010 int ssl_check_clienthello_tlsext(SSL *s)	1448 int ssl_check_clienthello_tlsext(SSL *s)

1011 {	1449 {

1012 int ret=SSL_TLSEXT_ERR_NOACK;	1450 int ret=SSL_TLSEXT_ERR_NOACK;

1013 int al = SSL_AD_UNRECOGNIZED_NAME;	1451 int al = SSL_AD_UNRECOGNIZED_NAME;

1014	1452

	1453 #ifndef OPENSSL_NO_EC

	1454 /* The handling of the ECPointFormats extension is done elsewhere, namel y in

	1455 * ssl3_choose_cipher in s3_lib.c.

	1456 */

	1457 /* The handling of the EllipticCurves extension is done elsewhere, namel y in

	1458 * ssl3_choose_cipher in s3_lib.c.

	1459 */

	1460 #endif

	1461

1015 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)	1462 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)

1016 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_ servername_arg);	1463 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_ servername_arg);

1017 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_cal lback != 0)	1464 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_cal lback != 0)

1018 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->init ial_ctx->tlsext_servername_arg);	1465 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->init ial_ctx->tlsext_servername_arg);

1019	1466

1020 /* If status request then ask callback what to do.	1467 /* If status request then ask callback what to do.

1021 * Note: this must be called after servername callbacks in case	1468 * Note: this must be called after servername callbacks in case

1022 * the certificate has changed.	1469 * the certificate has changed.

1023 */	1470 */

1024 » if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)	1471 » if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)

1025 {	1472 {

1026 int r;	1473 int r;

1027 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);	1474 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);

1028 switch (r)	1475 switch (r)

1029 {	1476 {

1030 /* We don't want to send a status request response */	1477 /* We don't want to send a status request response */

1031 case SSL_TLSEXT_ERR_NOACK:	1478 case SSL_TLSEXT_ERR_NOACK:

1032 s->tlsext_status_expected = 0;	1479 s->tlsext_status_expected = 0;

1033 break;	1480 break;

1034 /* status request response should be sent */	1481 /* status request response should be sent */

1035 case SSL_TLSEXT_ERR_OK:	1482 case SSL_TLSEXT_ERR_OK:

1036 if (s->tlsext_ocsp_resp)	1483 if (s->tlsext_ocsp_resp)

1037 s->tlsext_status_expected = 1;	1484 s->tlsext_status_expected = 1;

1038 else	1485 else

1039 s->tlsext_status_expected = 0;	1486 s->tlsext_status_expected = 0;

1040 break;	1487 break;

1041 /* something bad happened */	1488 /* something bad happened */

1042 case SSL_TLSEXT_ERR_ALERT_FATAL:	1489 case SSL_TLSEXT_ERR_ALERT_FATAL:

1043 ret = SSL_TLSEXT_ERR_ALERT_FATAL;	1490 ret = SSL_TLSEXT_ERR_ALERT_FATAL;

1044 al = SSL_AD_INTERNAL_ERROR;	1491 al = SSL_AD_INTERNAL_ERROR;

1045 goto err;	1492 goto err;

1046 }	1493 }

1047 }	1494 }

1048 else	1495 else

1049 s->tlsext_status_expected = 0;	1496 s->tlsext_status_expected = 0;

1050 » err:	1497

	1498 #ifdef TLSEXT_TYPE_opaque_prf_input

	1499 » {

	1500 » » /* This sort of belongs into ssl_prepare_serverhello_tlsext(),

	1501 » » * but we might be sending an alert in response to the client he llo,

	1502 » » * so this has to happen here in ssl_check_clienthello_tlsext(). */

	1503

	1504 » » int r = 1;

	1505 »

	1506 » » if (s->ctx->tlsext_opaque_prf_input_callback != 0)

	1507 » » » {

	1508 » » » r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);

	1509 » » » if (!r)

	1510 » » » » {

	1511 » » » » ret = SSL_TLSEXT_ERR_ALERT_FATAL;

	1512 » » » » al = SSL_AD_INTERNAL_ERROR;

	1513 » » » » goto err;

	1514 » » » » }

	1515 » » » }

	1516

	1517 » » if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */

	1518 » » » OPENSSL_free(s->s3->server_opaque_prf_input);

	1519 » » s->s3->server_opaque_prf_input = NULL;

	1520

	1521 » » if (s->tlsext_opaque_prf_input != NULL)

	1522 » » » {

	1523 » » » if (s->s3->client_opaque_prf_input != NULL &&

	1524 » » » » s->s3->client_opaque_prf_input_len == s->tlsext_ opaque_prf_input_len)

	1525 » » » » {

	1526 » » » » /* can only use this extension if we have a serv er opaque PRF input

	1527 » » » » * of the same length as the client opaque PRF i nput! */

	1528

	1529 » » » » if (s->tlsext_opaque_prf_input_len == 0)

	1530 » » » » » s->s3->server_opaque_prf_input = OPENSSL _malloc(1); /* dummy byte just to get non-NULL */

	1531 » » » » else

	1532 » » » » » s->s3->server_opaque_prf_input = BUF_mem dup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);

	1533 » » » » if (s->s3->server_opaque_prf_input == NULL)

	1534 » » » » » {

	1535 » » » » » ret = SSL_TLSEXT_ERR_ALERT_FATAL;

	1536 » » » » » al = SSL_AD_INTERNAL_ERROR;

	1537 » » » » » goto err;

	1538 » » » » » }

	1539 » » » » s->s3->server_opaque_prf_input_len = s->tlsext_o paque_prf_input_len;

	1540 » » » » }

	1541 » » » }

	1542

	1543 » » if (r == 2 && s->s3->server_opaque_prf_input == NULL)

	1544 » » » {

	1545 » » » /* The callback wants to enforce use of the extension,

	1546 » » » * but we can't do that with the client opaque PRF input ;

	1547 » » » * abort the handshake.

	1548 » » » */

	1549 » » » ret = SSL_TLSEXT_ERR_ALERT_FATAL;

	1550 » » » al = SSL_AD_HANDSHAKE_FAILURE;

	1551 » » » }

	1552 » }

	1553

	1554 #endif

	1555 err:

1051 switch (ret)	1556 switch (ret)

1052 {	1557 {

1053 case SSL_TLSEXT_ERR_ALERT_FATAL:	1558 case SSL_TLSEXT_ERR_ALERT_FATAL:

1054 ssl3_send_alert(s,SSL3_AL_FATAL,al);	1559 ssl3_send_alert(s,SSL3_AL_FATAL,al);

1055 return -1;	1560 return -1;

1056	1561

1057 case SSL_TLSEXT_ERR_ALERT_WARNING:	1562 case SSL_TLSEXT_ERR_ALERT_WARNING:

1058 ssl3_send_alert(s,SSL3_AL_WARNING,al);	1563 ssl3_send_alert(s,SSL3_AL_WARNING,al);

1059 return 1;	1564 return 1;

1060	1565

1061 case SSL_TLSEXT_ERR_NOACK:	1566 case SSL_TLSEXT_ERR_NOACK:

1062 s->servername_done=0;	1567 s->servername_done=0;

1063 default:	1568 default:

1064 return 1;	1569 return 1;

1065 }	1570 }

1066 }	1571 }

1067	1572

1068 int ssl_check_serverhello_tlsext(SSL *s)	1573 int ssl_check_serverhello_tlsext(SSL *s)

1069 {	1574 {

1070 int ret=SSL_TLSEXT_ERR_NOACK;	1575 int ret=SSL_TLSEXT_ERR_NOACK;

1071 int al = SSL_AD_UNRECOGNIZED_NAME;	1576 int al = SSL_AD_UNRECOGNIZED_NAME;

1072	1577

	1578 #ifndef OPENSSL_NO_EC

	1579 /* If we are client and using an elliptic curve cryptography cipher

	1580 * suite, then if server returns an EC point formats lists extension

	1581 * it must contain uncompressed.

	1582 */

	1583 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

	1584 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;

	1585 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlis t_length > 0) &&

	1586 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsex t_ecpointformatlist_length > 0) &&

	1587 ((alg_k & (SSL_kEECDH\|SSL_kECDHr\|SSL_kECDHe)) \|\| (alg_a & SSL_aECDSA )))

	1588 {

	1589 /* we are using an ECC cipher */

	1590 size_t i;

	1591 unsigned char *list;

	1592 int found_uncompressed = 0;

	1593 list = s->session->tlsext_ecpointformatlist;

	1594 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++ )

	1595 {

	1596 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)

	1597 {

	1598 found_uncompressed = 1;

	1599 break;

	1600 }

	1601 }

	1602 if (!found_uncompressed)

	1603 {

	1604 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVA LID_ECPOINTFORMAT_LIST);

	1605 return -1;

	1606 }

	1607 }

	1608 ret = SSL_TLSEXT_ERR_OK;

	1609 #endif /* OPENSSL_NO_EC */

	1610

1073 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)	1611 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)

1074 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_ servername_arg);	1612 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_ servername_arg);

1075 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_cal lback != 0)	1613 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_cal lback != 0)

1076 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->init ial_ctx->tlsext_servername_arg);	1614 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->init ial_ctx->tlsext_servername_arg);

1077	1615

	1616 #ifdef TLSEXT_TYPE_opaque_prf_input

	1617 if (s->s3->server_opaque_prf_input_len > 0)

	1618 {

	1619 /* This case may indicate that we, as a client, want to insist o n using opaque PRF inputs.

	1620 * So first verify that we really have a value from the server t oo. */

	1621

	1622 if (s->s3->server_opaque_prf_input == NULL)

	1623 {

	1624 ret = SSL_TLSEXT_ERR_ALERT_FATAL;

	1625 al = SSL_AD_HANDSHAKE_FAILURE;

	1626 }

	1627

	1628 /* Anytime the server has sent an opaque PRF input, we need to check

	1629 * that we have a client opaque PRF input of the same size. */

	1630 if (s->s3->client_opaque_prf_input == NULL \|\|

	1631 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_p rf_input_len)

	1632 {

	1633 ret = SSL_TLSEXT_ERR_ALERT_FATAL;

	1634 al = SSL_AD_ILLEGAL_PARAMETER;

	1635 }

	1636 }

	1637 #endif

	1638

1078 /* If we've requested certificate status and we wont get one	1639 /* If we've requested certificate status and we wont get one

1079 * tell the callback	1640 * tell the callback

1080 */	1641 */

1081 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)	1642 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)

1082 » » » && s->ctx->tlsext_status_cb)	1643 » » » && s->ctx && s->ctx->tlsext_status_cb)

1083 {	1644 {

1084 int r;	1645 int r;

1085 /* Set resp to NULL, resplen to -1 so callback knows	1646 /* Set resp to NULL, resplen to -1 so callback knows

1086 * there is no response.	1647 * there is no response.

1087 */	1648 */

1088 if (s->tlsext_ocsp_resp)	1649 if (s->tlsext_ocsp_resp)

1089 {	1650 {

1090 OPENSSL_free(s->tlsext_ocsp_resp);	1651 OPENSSL_free(s->tlsext_ocsp_resp);

1091 s->tlsext_ocsp_resp = NULL;	1652 s->tlsext_ocsp_resp = NULL;

1092 }	1653 }

(...skipping 74 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1167 n2s(p, i);	1728 n2s(p, i);

1168 while ((p + 4) <= limit)	1729 while ((p + 4) <= limit)

1169 {	1730 {

1170 unsigned short type, size;	1731 unsigned short type, size;

1171 n2s(p, type);	1732 n2s(p, type);

1172 n2s(p, size);	1733 n2s(p, size);

1173 if (p + size > limit)	1734 if (p + size > limit)

1174 return 1;	1735 return 1;

1175 if (type == TLSEXT_TYPE_session_ticket)	1736 if (type == TLSEXT_TYPE_session_ticket)

1176 {	1737 {

	1738 /* If tickets disabled indicate cache miss which will

	1739 * trigger a full handshake

	1740 */

	1741 if (SSL_get_options(s) & SSL_OP_NO_TICKET)

	1742 return 1;

1177 /* If zero length note client will accept a ticket	1743 /* If zero length note client will accept a ticket

1178 * and indicate cache miss to trigger full handshake	1744 * and indicate cache miss to trigger full handshake

1179 */	1745 */

1180 if (size == 0)	1746 if (size == 0)

1181 {	1747 {

1182 s->tlsext_ticket_expected = 1;	1748 s->tlsext_ticket_expected = 1;

1183 return 0; /* Cache miss */	1749 return 0; /* Cache miss */

1184 }	1750 }

	1751 if (s->tls_session_secret_cb)

	1752 {

	1753 /* Indicate cache miss here and instead of

	1754 * generating the session from ticket now,

	1755 * trigger abbreviated handshake based on

	1756 * external mechanism to calculate the master

	1757 * secret later. */

	1758 return 0;

	1759 }

1185 return tls_decrypt_ticket(s, p, size, session_id, len,	1760 return tls_decrypt_ticket(s, p, size, session_id, len,

1186 ret);	1761 ret);

1187 }	1762 }

1188 p += size;	1763 p += size;

1189 }	1764 }

1190 return 1;	1765 return 1;

1191 }	1766 }

1192	1767

1193 static int tls_decrypt_ticket(SSL s, const unsigned char etick, int eticklen,	1768 static int tls_decrypt_ticket(SSL s, const unsigned char etick, int eticklen,

1194 const unsigned char *sess_id, int sesslen,	1769 const unsigned char *sess_id, int sesslen,

(...skipping 32 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1227 goto tickerr;	1802 goto tickerr;

1228 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,	1803 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,

1229 tlsext_tick_md(), NULL);	1804 tlsext_tick_md(), NULL);

1230 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,	1805 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,

1231 tctx->tlsext_tick_aes_key, etick + 16);	1806 tctx->tlsext_tick_aes_key, etick + 16);

1232 }	1807 }

1233 /* Attempt to process session ticket, first conduct sanity and	1808 /* Attempt to process session ticket, first conduct sanity and

1234 * integrity checks on ticket.	1809 * integrity checks on ticket.

1235 */	1810 */

1236 mlen = HMAC_size(&hctx);	1811 mlen = HMAC_size(&hctx);

	1812 if (mlen < 0)

	1813 {

	1814 EVP_CIPHER_CTX_cleanup(&ctx);

	1815 return -1;

	1816 }

1237 eticklen -= mlen;	1817 eticklen -= mlen;

1238 /* Check HMAC of encrypted ticket */	1818 /* Check HMAC of encrypted ticket */

1239 HMAC_Update(&hctx, etick, eticklen);	1819 HMAC_Update(&hctx, etick, eticklen);

1240 HMAC_Final(&hctx, tick_hmac, NULL);	1820 HMAC_Final(&hctx, tick_hmac, NULL);

1241 HMAC_CTX_cleanup(&hctx);	1821 HMAC_CTX_cleanup(&hctx);

1242 if (memcmp(tick_hmac, etick + eticklen, mlen))	1822 if (memcmp(tick_hmac, etick + eticklen, mlen))

1243 goto tickerr;	1823 goto tickerr;

1244 /* Attempt to decrypt session data */	1824 /* Attempt to decrypt session data */

1245 /* Move p after IV to start of encrypted ticket, update length */	1825 /* Move p after IV to start of encrypted ticket, update length */

1246 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);	1826 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);

(...skipping 29 matching lines...) Expand all Loading...
1276 }	1856 }

1277 /* If session decrypt failure indicate a cache miss and set state to	1857 /* If session decrypt failure indicate a cache miss and set state to

1278 * send a new ticket	1858 * send a new ticket

1279 */	1859 */

1280 tickerr:	1860 tickerr:

1281 s->tlsext_ticket_expected = 1;	1861 s->tlsext_ticket_expected = 1;

1282 return 0;	1862 return 0;

1283 }	1863 }

1284	1864

1285 #endif	1865 #endif

OLD	NEW

« no previous file with comments | « openssl/ssl/t1_enc.c ('k') | openssl/ssl/t1_meth.c » ('j') | no next file with comments »