Blame - ssl/t1_lib.c - third_party/openssl

blob: dc0396cfaab26fe317f73b36799ae8f1add9181f [file] [log] [blame]

Ralf S. Engelschall	58964a4	1998-12-21 10:56:39 +0000	[diff] [blame]	1	/* ssl/t1_lib.c */
				2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
				3	* All rights reserved.
				4	*
				5	* This package is an SSL implementation written
				6	* by Eric Young (eay@cryptsoft.com).
				7	* The implementation was written so as to conform with Netscapes SSL.
				8	*
				9	* This library is free for commercial and non-commercial use as long as
				10	* the following conditions are aheared to. The following conditions
				11	* apply to all code found in this distribution, be it the RC4, RSA,
				12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
				13	* included with this distribution is covered by the same copyright terms
				14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
				15	*
				16	* Copyright remains Eric Young's, and as such any Copyright notices in
				17	* the code are not to be removed.
				18	* If this package is used in a product, Eric Young should be given attribution
				19	* as the author of the parts of the library used.
				20	* This can be in the form of a textual message at program startup or
				21	* in documentation (online or textual) provided with the package.
				22	*
				23	* Redistribution and use in source and binary forms, with or without
				24	* modification, are permitted provided that the following conditions
				25	* are met:
				26	* 1. Redistributions of source code must retain the copyright
				27	* notice, this list of conditions and the following disclaimer.
				28	* 2. Redistributions in binary form must reproduce the above copyright
				29	* notice, this list of conditions and the following disclaimer in the
				30	* documentation and/or other materials provided with the distribution.
				31	* 3. All advertising materials mentioning features or use of this software
				32	* must display the following acknowledgement:
				33	* "This product includes cryptographic software written by
				34	* Eric Young (eay@cryptsoft.com)"
				35	* The word 'cryptographic' can be left out if the rouines from the library
				36	* being used are not cryptographic related :-).
				37	* 4. If you include any Windows specific code (or a derivative thereof) from
				38	* the apps directory (application code) you must include an acknowledgement:
				39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
				40	*
				41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
				42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
				43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
				44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
				45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
				46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
				47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
				48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
				49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
				50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
				51	* SUCH DAMAGE.
				52	*
				53	* The licence and distribution terms for any publically available version or
				54	* derivative of this code cannot be changed. i.e. this code cannot simply be
				55	* copied and put under another distribution licence
				56	* [including the GNU Public Licence.]
				57	*/
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	58	/* ====================================================================
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	59	* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	60	*
				61	* Redistribution and use in source and binary forms, with or without
				62	* modification, are permitted provided that the following conditions
				63	* are met:
				64	*
				65	* 1. Redistributions of source code must retain the above copyright
				66	* notice, this list of conditions and the following disclaimer.
				67	*
				68	* 2. Redistributions in binary form must reproduce the above copyright
				69	* notice, this list of conditions and the following disclaimer in
				70	* the documentation and/or other materials provided with the
				71	* distribution.
				72	*
				73	* 3. All advertising materials mentioning features or use of this
				74	* software must display the following acknowledgment:
				75	* "This product includes software developed by the OpenSSL Project
				76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
				77	*
				78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
				79	* endorse or promote products derived from this software without
				80	* prior written permission. For written permission, please contact
				81	* openssl-core@openssl.org.
				82	*
				83	* 5. Products derived from this software may not be called "OpenSSL"
				84	* nor may "OpenSSL" appear in their names without prior written
				85	* permission of the OpenSSL Project.
				86	*
				87	* 6. Redistributions of any form whatsoever must retain the following
				88	* acknowledgment:
				89	* "This product includes software developed by the OpenSSL Project
				90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
				91	*
				92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
				93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
				94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
				95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
				96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
				97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
				99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
				100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
				101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
				102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
				103	* OF THE POSSIBILITY OF SUCH DAMAGE.
				104	* ====================================================================
				105	*
				106	* This product includes cryptographic software written by Eric Young
				107	* (eay@cryptsoft.com). This product includes software written by Tim
				108	* Hudson (tjh@cryptsoft.com).
				109	*
				110	*/
Ralf S. Engelschall	58964a4	1998-12-21 10:56:39 +0000	[diff] [blame]	111
				112	#include <stdio.h>
Bodo Möller	ec57782	1999-04-23 22:13:45 +0000	[diff] [blame]	113	#include <openssl/objects.h>
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	114	#include <openssl/evp.h>
				115	#include <openssl/hmac.h>
Dr. Stephen Henson	67c8e7f	2007-09-26 21:56:59 +0000	[diff] [blame]	116	#include <openssl/ocsp.h>
Ralf S. Engelschall	58964a4	1998-12-21 10:56:39 +0000	[diff] [blame]	117	#include "ssl_locl.h"
				118
Dr. Stephen Henson	4218285	2007-01-21 16:06:05 +0000	[diff] [blame]	119	const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
Ralf S. Engelschall	58964a4	1998-12-21 10:56:39 +0000	[diff] [blame]	120
Dr. Stephen Henson	367eb1f	2007-08-12 18:56:14 +0000	[diff] [blame]	121	#ifndef OPENSSL_NO_TLSEXT
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	122	static int tls_decrypt_ticket(SSL s, const unsigned char tick, int ticklen,
				123	const unsigned char *sess_id, int sesslen,
				124	SSL_SESSION **psess);
Dr. Stephen Henson	367eb1f	2007-08-12 18:56:14 +0000	[diff] [blame]	125	#endif
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	126
Dr. Stephen Henson	f3b656b	2005-08-05 23:56:11 +0000	[diff] [blame]	127	SSL3_ENC_METHOD TLSv1_enc_data={
Ralf S. Engelschall	58964a4	1998-12-21 10:56:39 +0000	[diff] [blame]	128	tls1_enc,
				129	tls1_mac,
				130	tls1_setup_key_block,
				131	tls1_generate_master_secret,
				132	tls1_change_cipher_state,
				133	tls1_final_finish_mac,
				134	TLS1_FINISH_MAC_LENGTH,
				135	tls1_cert_verify_mac,
				136	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
				137	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
				138	tls1_alert_code,
				139	};
				140
Dr. Stephen Henson	f3b656b	2005-08-05 23:56:11 +0000	[diff] [blame]	141	long tls1_default_timeout(void)
Ralf S. Engelschall	58964a4	1998-12-21 10:56:39 +0000	[diff] [blame]	142	{
				143	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
				144	* is way too long for http, the cache would over fill */
				145	return(60602);
				146	}
				147
Ulf Möller	6b691a5	1999-04-19 21:31:43 +0000	[diff] [blame]	148	int tls1_new(SSL *s)
Ralf S. Engelschall	58964a4	1998-12-21 10:56:39 +0000	[diff] [blame]	149	{
				150	if (!ssl3_new(s)) return(0);
				151	s->method->ssl_clear(s);
				152	return(1);
				153	}
				154
Ulf Möller	6b691a5	1999-04-19 21:31:43 +0000	[diff] [blame]	155	void tls1_free(SSL *s)
Ralf S. Engelschall	58964a4	1998-12-21 10:56:39 +0000	[diff] [blame]	156	{
				157	ssl3_free(s);
				158	}
				159
Ulf Möller	6b691a5	1999-04-19 21:31:43 +0000	[diff] [blame]	160	void tls1_clear(SSL *s)
Ralf S. Engelschall	58964a4	1998-12-21 10:56:39 +0000	[diff] [blame]	161	{
				162	ssl3_clear(s);
				163	s->version=TLS1_VERSION;
				164	}
				165
Dr. Stephen Henson	525de5d	2007-08-12 23:59:05 +0000	[diff] [blame]	166	#ifndef OPENSSL_NO_EC
				167	static int nid_list[] =
				168	{
				169	NID_sect163k1, /* sect163k1 (1) */
				170	NID_sect163r1, /* sect163r1 (2) */
				171	NID_sect163r2, /* sect163r2 (3) */
				172	NID_sect193r1, /* sect193r1 (4) */
				173	NID_sect193r2, /* sect193r2 (5) */
				174	NID_sect233k1, /* sect233k1 (6) */
				175	NID_sect233r1, /* sect233r1 (7) */
				176	NID_sect239k1, /* sect239k1 (8) */
				177	NID_sect283k1, /* sect283k1 (9) */
				178	NID_sect283r1, /* sect283r1 (10) */
				179	NID_sect409k1, /* sect409k1 (11) */
				180	NID_sect409r1, /* sect409r1 (12) */
				181	NID_sect571k1, /* sect571k1 (13) */
				182	NID_sect571r1, /* sect571r1 (14) */
				183	NID_secp160k1, /* secp160k1 (15) */
				184	NID_secp160r1, /* secp160r1 (16) */
				185	NID_secp160r2, /* secp160r2 (17) */
				186	NID_secp192k1, /* secp192k1 (18) */
				187	NID_X9_62_prime192v1, /* secp192r1 (19) */
				188	NID_secp224k1, /* secp224k1 (20) */
				189	NID_secp224r1, /* secp224r1 (21) */
				190	NID_secp256k1, /* secp256k1 (22) */
				191	NID_X9_62_prime256v1, /* secp256r1 (23) */
				192	NID_secp384r1, /* secp384r1 (24) */
				193	NID_secp521r1 /* secp521r1 (25) */
				194	};
				195
				196	int tls1_ec_curve_id2nid(int curve_id)
				197	{
				198	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
Geoff Thorpe	1e26a8b	2008-03-16 21:05:46 +0000	[diff] [blame]	199	if ((curve_id < 1) \|\| ((unsigned int)curve_id >
				200	sizeof(nid_list)/sizeof(nid_list[0])))
				201	return 0;
Dr. Stephen Henson	525de5d	2007-08-12 23:59:05 +0000	[diff] [blame]	202	return nid_list[curve_id-1];
				203	}
				204
				205	int tls1_ec_nid2curve_id(int nid)
				206	{
				207	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
				208	switch (nid)
				209	{
				210	case NID_sect163k1: /* sect163k1 (1) */
				211	return 1;
				212	case NID_sect163r1: /* sect163r1 (2) */
				213	return 2;
				214	case NID_sect163r2: /* sect163r2 (3) */
				215	return 3;
				216	case NID_sect193r1: /* sect193r1 (4) */
				217	return 4;
				218	case NID_sect193r2: /* sect193r2 (5) */
				219	return 5;
				220	case NID_sect233k1: /* sect233k1 (6) */
				221	return 6;
				222	case NID_sect233r1: /* sect233r1 (7) */
				223	return 7;
				224	case NID_sect239k1: /* sect239k1 (8) */
				225	return 8;
				226	case NID_sect283k1: /* sect283k1 (9) */
				227	return 9;
				228	case NID_sect283r1: /* sect283r1 (10) */
				229	return 10;
				230	case NID_sect409k1: /* sect409k1 (11) */
				231	return 11;
				232	case NID_sect409r1: /* sect409r1 (12) */
				233	return 12;
				234	case NID_sect571k1: /* sect571k1 (13) */
				235	return 13;
				236	case NID_sect571r1: /* sect571r1 (14) */
				237	return 14;
				238	case NID_secp160k1: /* secp160k1 (15) */
				239	return 15;
				240	case NID_secp160r1: /* secp160r1 (16) */
				241	return 16;
				242	case NID_secp160r2: /* secp160r2 (17) */
				243	return 17;
				244	case NID_secp192k1: /* secp192k1 (18) */
				245	return 18;
				246	case NID_X9_62_prime192v1: /* secp192r1 (19) */
				247	return 19;
				248	case NID_secp224k1: /* secp224k1 (20) */
				249	return 20;
				250	case NID_secp224r1: /* secp224r1 (21) */
				251	return 21;
				252	case NID_secp256k1: /* secp256k1 (22) */
				253	return 22;
				254	case NID_X9_62_prime256v1: /* secp256r1 (23) */
				255	return 23;
				256	case NID_secp384r1: /* secp384r1 (24) */
				257	return 24;
				258	case NID_secp521r1: /* secp521r1 (25) */
				259	return 25;
				260	default:
				261	return 0;
				262	}
				263	}
				264	#endif /* OPENSSL_NO_EC */
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	265
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	266	#ifndef OPENSSL_NO_TLSEXT
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	267	unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char p, unsigned char limit)
				268	{
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	269	int extdatalen=0;
				270	unsigned char *ret = p;
				271
				272	ret+=2;
				273
				274	if (ret>=limit) return NULL; /* this really never occurs, but ... */
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	275
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	276	if (s->tlsext_hostname != NULL)
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	277	{
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	278	/* Add TLS extension servername to the Client Hello message */
				279	unsigned long size_str;
				280	long lenmax;
				281
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	282	/* check for enough space.
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	283	4 for the servername type and entension length
				284	2 for servernamelist length
				285	1 for the hostname type
				286	2 for hostname length
				287	+ hostname length
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	288	*/
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	289
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	290	if ((lenmax = limit - ret - 9) < 0
				291	\|\| (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	292	return NULL;
				293
				294	/* extension type and length */
				295	s2n(TLSEXT_TYPE_server_name,ret);
				296	s2n(size_str+5,ret);
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	297
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	298	/* length of servername list */
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	299	s2n(size_str+3,ret);
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	300
				301	/* hostname type, length and hostname */
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	302	*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	303	s2n(size_str,ret);
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	304	memcpy(ret, s->tlsext_hostname, size_str);
				305	ret+=size_str;
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	306	}
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	307
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	308	#ifndef OPENSSL_NO_EC
				309	if (s->tlsext_ecpointformatlist != NULL)
				310	{
				311	/* Add TLS extension ECPointFormats to the ClientHello message */
				312	long lenmax;
				313
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	314	if ((lenmax = limit - ret - 5) < 0) return NULL;
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	315	if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
Bodo Möller	019fdc7	2006-03-13 09:55:06 +0000	[diff] [blame]	316	if (s->tlsext_ecpointformatlist_length > 255)
				317	{
				318	SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
				319	return NULL;
				320	}
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	321
				322	s2n(TLSEXT_TYPE_ec_point_formats,ret);
				323	s2n(s->tlsext_ecpointformatlist_length + 1,ret);
				324	*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
				325	memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
				326	ret+=s->tlsext_ecpointformatlist_length;
				327	}
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	328	if (s->tlsext_ellipticcurvelist != NULL)
				329	{
				330	/* Add TLS extension EllipticCurves to the ClientHello message */
				331	long lenmax;
				332
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	333	if ((lenmax = limit - ret - 6) < 0) return NULL;
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	334	if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
Bodo Möller	a4974de	2006-04-03 14:11:23 +0000	[diff] [blame]	335	if (s->tlsext_ellipticcurvelist_length > 65532)
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	336	{
				337	SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
				338	return NULL;
				339	}
				340
				341	s2n(TLSEXT_TYPE_elliptic_curves,ret);
Bodo Möller	a123c55	2006-04-03 13:07:18 +0000	[diff] [blame]	342	s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
Bodo Möller	a4974de	2006-04-03 14:11:23 +0000	[diff] [blame]	343
				344	/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
				345	* elliptic_curve_list, but the examples use two bytes.
				346	* http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
				347	* resolves this to two bytes.
				348	*/
Bodo Möller	a123c55	2006-04-03 13:07:18 +0000	[diff] [blame]	349	s2n(s->tlsext_ellipticcurvelist_length, ret);
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	350	memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
				351	ret+=s->tlsext_ellipticcurvelist_length;
				352	}
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	353	#endif /* OPENSSL_NO_EC */
Richard Levitte	d3442bc	2000-02-20 23:43:02 +0000	[diff] [blame]	354
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	355	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
				356	{
				357	int ticklen;
				358	if (s->session && s->session->tlsext_tick)
				359	ticklen = s->session->tlsext_ticklen;
				360	else
				361	ticklen = 0;
				362	/* Check for enough room 2 for extension type, 2 for len
				363	* rest for ticket
				364	*/
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	365	if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	366	s2n(TLSEXT_TYPE_session_ticket,ret);
				367	s2n(ticklen,ret);
				368	if (ticklen)
				369	{
				370	memcpy(ret, s->session->tlsext_tick, ticklen);
				371	ret += ticklen;
				372	}
				373	}
				374
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	375	#ifdef TLSEXT_TYPE_opaque_prf_input
				376	if (s->s3->client_opaque_prf_input != NULL)
				377	{
				378	size_t col = s->s3->client_opaque_prf_input_len;
				379
				380	if ((long)(limit - ret - 6 - col < 0))
				381	return NULL;
				382	if (col > 0xFFFD) /* can't happen */
				383	return NULL;
				384
				385	s2n(TLSEXT_TYPE_opaque_prf_input, ret);
				386	s2n(col + 2, ret);
				387	s2n(col, ret);
				388	memcpy(ret, s->s3->client_opaque_prf_input, col);
				389	ret += col;
				390	}
				391	#endif
				392
Dr. Stephen Henson	67c8e7f	2007-09-26 21:56:59 +0000	[diff] [blame]	393	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
				394	{
				395	int i;
				396	long extlen, idlen, itmp;
				397	OCSP_RESPID *id;
				398
				399	idlen = 0;
				400	for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
				401	{
				402	id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
				403	itmp = i2d_OCSP_RESPID(id, NULL);
				404	if (itmp <= 0)
				405	return NULL;
				406	idlen += itmp + 2;
				407	}
				408
				409	if (s->tlsext_ocsp_exts)
				410	{
				411	extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
				412	if (extlen < 0)
				413	return NULL;
				414	}
				415	else
				416	extlen = 0;
				417
				418	if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
				419	s2n(TLSEXT_TYPE_status_request, ret);
				420	if (extlen + idlen > 0xFFF0)
				421	return NULL;
				422	s2n(extlen + idlen + 5, ret);
				423	*(ret++) = TLSEXT_STATUSTYPE_ocsp;
				424	s2n(idlen, ret);
				425	for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
				426	{
				427	/* save position of id len */
				428	unsigned char *q = ret;
				429	id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
				430	/* skip over id len */
				431	ret += 2;
				432	itmp = i2d_OCSP_RESPID(id, &ret);
				433	/* write id len */
				434	s2n(itmp, q);
				435	}
				436	s2n(extlen, ret);
				437	if (extlen > 0)
				438	i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
				439	}
				440
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	441	if ((extdatalen = ret-p-2)== 0)
				442	return p;
				443
				444	s2n(extdatalen,p);
				445	return ret;
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	446	}
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	447
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	448	unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char limit)
				449	{
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	450	int extdatalen=0;
				451	unsigned char *ret = p;
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	452
Bodo Möller	a13c20f	2006-01-09 19:49:05 +0000	[diff] [blame]	453	ret+=2;
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	454	if (ret>=limit) return NULL; /* this really never occurs, but ... */
				455
Bodo Möller	a13c20f	2006-01-09 19:49:05 +0000	[diff] [blame]	456	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	457	{
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	458	if ((long)(limit - ret - 4) < 0) return NULL;
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	459
				460	s2n(TLSEXT_TYPE_server_name,ret);
				461	s2n(0,ret);
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	462	}
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	463	#ifndef OPENSSL_NO_EC
				464	if (s->tlsext_ecpointformatlist != NULL)
				465	{
				466	/* Add TLS extension ECPointFormats to the ServerHello message */
				467	long lenmax;
				468
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	469	if ((lenmax = limit - ret - 5) < 0) return NULL;
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	470	if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
Bodo Möller	019fdc7	2006-03-13 09:55:06 +0000	[diff] [blame]	471	if (s->tlsext_ecpointformatlist_length > 255)
				472	{
				473	SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
				474	return NULL;
				475	}
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	476
				477	s2n(TLSEXT_TYPE_ec_point_formats,ret);
				478	s2n(s->tlsext_ecpointformatlist_length + 1,ret);
				479	*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
				480	memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
				481	ret+=s->tlsext_ecpointformatlist_length;
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	482
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	483	}
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	484	/* Currently the server should not respond with a SupportedCurves extension */
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	485	#endif /* OPENSSL_NO_EC */
Dr. Stephen Henson	67c8e7f	2007-09-26 21:56:59 +0000	[diff] [blame]	486
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	487	if (s->tlsext_ticket_expected
				488	&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
				489	{
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	490	if ((long)(limit - ret - 4) < 0) return NULL;
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	491	s2n(TLSEXT_TYPE_session_ticket,ret);
				492	s2n(0,ret);
				493	}
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	494
Dr. Stephen Henson	67c8e7f	2007-09-26 21:56:59 +0000	[diff] [blame]	495	if (s->tlsext_status_expected)
				496	{
				497	if ((long)(limit - ret - 4) < 0) return NULL;
				498	s2n(TLSEXT_TYPE_status_request,ret);
				499	s2n(0,ret);
				500	}
				501
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	502	#ifdef TLSEXT_TYPE_opaque_prf_input
				503	if (s->s3->server_opaque_prf_input != NULL)
				504	{
				505	size_t sol = s->s3->server_opaque_prf_input_len;
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	506
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	507	if ((long)(limit - ret - 6 - sol) < 0)
				508	return NULL;
				509	if (sol > 0xFFFD) /* can't happen */
				510	return NULL;
				511
				512	s2n(TLSEXT_TYPE_opaque_prf_input, ret);
				513	s2n(sol + 2, ret);
				514	s2n(sol, ret);
				515	memcpy(ret, s->s3->server_opaque_prf_input, sol);
				516	ret += sol;
				517	}
				518	#endif
Dr. Stephen Henson	0e1dba9	2007-10-26 12:06:36 +0000	[diff] [blame]	519	if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 \|\| (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
				520	&& (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
				521	{ const unsigned char cryptopro_ext[36] = {
				522	0xfd, 0xe8, /65000/
				523	0x00, 0x20, /32 bytes length/
				524	0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
				525	0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
				526	0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
				527	0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
				528	if (limit-ret<36) return NULL;
				529	memcpy(ret,cryptopro_ext,36);
				530	ret+=36;
				531
				532	}
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	533
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	534	if ((extdatalen = ret-p-2)== 0)
				535	return p;
				536
				537	s2n(extdatalen,p);
				538	return ret;
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	539	}
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	540
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	541	int ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d, int n, int *al)
				542	{
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	543	unsigned short type;
				544	unsigned short size;
				545	unsigned short len;
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	546	unsigned char data = p;
Bodo Möller	a13c20f	2006-01-09 19:49:05 +0000	[diff] [blame]	547	s->servername_done = 0;
Dr. Stephen Henson	67c8e7f	2007-09-26 21:56:59 +0000	[diff] [blame]	548	s->tlsext_status_type = -1;
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	549
				550	if (data >= (d+n-2))
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	551	return 1;
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	552	n2s(data,len);
				553
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	554	if (data > (d+n-len))
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	555	return 1;
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	556
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	557	while (data <= (d+n-4))
				558	{
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	559	n2s(data,type);
				560	n2s(data,size);
				561
				562	if (data+size > (d+n))
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	563	return 1;
Dr. Stephen Henson	8e3b2db	2008-04-25 11:33:32 +0000	[diff] [blame]	564	#if 0
Dr. Stephen Henson	0e1dba9	2007-10-26 12:06:36 +0000	[diff] [blame]	565	fprintf(stderr,"Received extension type %d size %d\n",type,size);
Dr. Stephen Henson	8e3b2db	2008-04-25 11:33:32 +0000	[diff] [blame]	566	#endif
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	567	if (s->tlsext_debug_cb)
				568	s->tlsext_debug_cb(s, 0, type, data, size,
				569	s->tlsext_debug_arg);
Bodo Möller	a13c20f	2006-01-09 19:49:05 +0000	[diff] [blame]	570	/* The servername extension is treated as follows:
				571
				572	- Only the hostname type is supported with a maximum length of 255.
				573	- The servername is rejected if too long or if it contains zeros,
				574	in which case an fatal alert is generated.
				575	- The servername field is maintained together with the session cache.
				576	- When a session is resumed, the servername call back invoked in order
				577	to allow the application to position itself to the right context.
				578	- The servername is acknowledged if it is new for a session or when
				579	it is identical to a previously used for the same session.
				580	Applications can control the behaviour. They can at any time
				581	set a 'desirable' servername for a new SSL object. This can be the
				582	case for example with HTTPS when a Host: header field is received and
				583	a renegotiation is requested. In this case, a possible servername
				584	presented in the new client hello is only acknowledged if it matches
				585	the value of the Host: field.
				586	- Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
				587	if they provide for changing an explicit servername context for the session,
				588	i.e. when the session has been established with a servername extension.
				589	- On session reconnect, the servername extension may be absent.
				590
				591	*/
				592
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	593	if (type == TLSEXT_TYPE_server_name)
				594	{
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	595	unsigned char *sdata;
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	596	int servname_type;
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	597	int dsize;
				598
				599	if (size < 2)
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	600	{
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	601	*al = SSL_AD_DECODE_ERROR;
				602	return 0;
				603	}
				604	n2s(data,dsize);
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	605	size -= 2;
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	606	if (dsize > size )
				607	{
				608	*al = SSL_AD_DECODE_ERROR;
				609	return 0;
				610	}
				611
				612	sdata = data;
				613	while (dsize > 3)
				614	{
				615	servname_type = *(sdata++);
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	616	n2s(sdata,len);
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	617	dsize -= 3;
				618
				619	if (len > dsize)
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	620	{
				621	*al = SSL_AD_DECODE_ERROR;
				622	return 0;
				623	}
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	624	if (s->servername_done == 0)
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	625	switch (servname_type)
				626	{
				627	case TLSEXT_NAMETYPE_host_name:
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	628	if (s->session->tlsext_hostname == NULL)
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	629	{
Bodo Möller	a13c20f	2006-01-09 19:49:05 +0000	[diff] [blame]	630	if (len > TLSEXT_MAXLEN_host_name \|\|
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	631	((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	632	{
				633	*al = TLS1_AD_UNRECOGNIZED_NAME;
				634	return 0;
				635	}
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	636	memcpy(s->session->tlsext_hostname, sdata, len);
Bodo Möller	a13c20f	2006-01-09 19:49:05 +0000	[diff] [blame]	637	s->session->tlsext_hostname[len]='\0';
				638	if (strlen(s->session->tlsext_hostname) != len) {
				639	OPENSSL_free(s->session->tlsext_hostname);
Bodo Möller	40a7062	2008-05-28 22:15:48 +0000	[diff] [blame]	640	s->session->tlsext_hostname = NULL;
Bodo Möller	a13c20f	2006-01-09 19:49:05 +0000	[diff] [blame]	641	*al = TLS1_AD_UNRECOGNIZED_NAME;
				642	return 0;
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	643	}
Bodo Möller	a13c20f	2006-01-09 19:49:05 +0000	[diff] [blame]	644	s->servername_done = 1;
				645
Bodo Möller	a13c20f	2006-01-09 19:49:05 +0000	[diff] [blame]	646	}
				647	else
				648	s->servername_done = strlen(s->session->tlsext_hostname) == len
Richard Levitte	6b9e941	2006-01-14 11:49:24 +0000	[diff] [blame]	649	&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
Bodo Möller	a13c20f	2006-01-09 19:49:05 +0000	[diff] [blame]	650
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	651	break;
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	652
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	653	default:
				654	break;
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	655	}
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	656
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	657	dsize -= len;
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	658	}
Bodo Möller	a70183b	2006-03-30 02:53:30 +0000	[diff] [blame]	659	if (dsize != 0)
				660	{
				661	*al = SSL_AD_DECODE_ERROR;
				662	return 0;
				663	}
				664
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	665	}
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	666
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	667	#ifndef OPENSSL_NO_EC
				668	else if (type == TLSEXT_TYPE_ec_point_formats)
				669	{
				670	unsigned char *sdata = data;
				671	int ecpointformatlist_length = *(sdata++);
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	672
				673	if (ecpointformatlist_length != size - 1)
				674	{
				675	*al = TLS1_AD_DECODE_ERROR;
				676	return 0;
				677	}
				678	s->session->tlsext_ecpointformatlist_length = 0;
Bodo Möller	b6acb8d	2006-03-13 01:24:38 +0000	[diff] [blame]	679	if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	680	if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
				681	{
				682	*al = TLS1_AD_INTERNAL_ERROR;
				683	return 0;
				684	}
				685	s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
				686	memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
				687	#if 0
				688	fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
				689	sdata = s->session->tlsext_ecpointformatlist;
				690	for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
				691	fprintf(stderr,"%i ",*(sdata++));
				692	fprintf(stderr,"\n");
				693	#endif
				694	}
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	695	else if (type == TLSEXT_TYPE_elliptic_curves)
				696	{
				697	unsigned char *sdata = data;
				698	int ellipticcurvelist_length = (*(sdata++) << 8);
				699	ellipticcurvelist_length += (*(sdata++));
				700
				701	if (ellipticcurvelist_length != size - 2)
				702	{
				703	*al = TLS1_AD_DECODE_ERROR;
				704	return 0;
				705	}
				706	s->session->tlsext_ellipticcurvelist_length = 0;
				707	if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
				708	if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
				709	{
				710	*al = TLS1_AD_INTERNAL_ERROR;
				711	return 0;
				712	}
				713	s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
				714	memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
				715	#if 0
				716	fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
				717	sdata = s->session->tlsext_ellipticcurvelist;
				718	for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
				719	fprintf(stderr,"%i ",*(sdata++));
				720	fprintf(stderr,"\n");
				721	#endif
				722	}
Nils Larsch	c6a27f0	2006-03-15 19:17:56 +0000	[diff] [blame]	723	#endif /* OPENSSL_NO_EC */
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	724	#ifdef TLSEXT_TYPE_opaque_prf_input
				725	else if (type == TLSEXT_TYPE_opaque_prf_input)
				726	{
				727	unsigned char *sdata = data;
				728
				729	if (size < 2)
				730	{
				731	*al = SSL_AD_DECODE_ERROR;
				732	return 0;
				733	}
				734	n2s(sdata, s->s3->client_opaque_prf_input_len);
				735	if (s->s3->client_opaque_prf_input_len != size - 2)
				736	{
				737	*al = SSL_AD_DECODE_ERROR;
				738	return 0;
				739	}
				740
				741	if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
				742	OPENSSL_free(s->s3->client_opaque_prf_input);
Bodo Möller	02c27b1	2007-09-23 11:30:53 +0000	[diff] [blame]	743	if (s->s3->client_opaque_prf_input_len == 0)
				744	s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
				745	else
				746	s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	747	if (s->s3->client_opaque_prf_input == NULL)
				748	{
				749	*al = TLS1_AD_INTERNAL_ERROR;
				750	return 0;
				751	}
				752	}
				753	#endif
Dr. Stephen Henson	67c8e7f	2007-09-26 21:56:59 +0000	[diff] [blame]	754	else if (type == TLSEXT_TYPE_status_request
				755	&& s->ctx->tlsext_status_cb)
				756	{
				757
				758	if (size < 5)
				759	{
				760	*al = SSL_AD_DECODE_ERROR;
				761	return 0;
				762	}
				763
				764	s->tlsext_status_type = *data++;
				765	size--;
				766	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
				767	{
				768	const unsigned char *sdata;
				769	int dsize;
				770	/* Read in responder_id_list */
				771	n2s(data,dsize);
				772	size -= 2;
				773	if (dsize > size )
				774	{
				775	*al = SSL_AD_DECODE_ERROR;
				776	return 0;
				777	}
				778	while (dsize > 0)
				779	{
				780	OCSP_RESPID *id;
				781	int idsize;
				782	if (dsize < 4)
				783	{
				784	*al = SSL_AD_DECODE_ERROR;
				785	return 0;
				786	}
				787	n2s(data, idsize);
				788	dsize -= 2 + idsize;
				789	if (dsize < 0)
				790	{
				791	*al = SSL_AD_DECODE_ERROR;
				792	return 0;
				793	}
				794	sdata = data;
				795	data += idsize;
				796	id = d2i_OCSP_RESPID(NULL,
				797	&sdata, idsize);
				798	if (!id)
				799	{
				800	*al = SSL_AD_DECODE_ERROR;
				801	return 0;
				802	}
				803	if (data != sdata)
				804	{
				805	OCSP_RESPID_free(id);
				806	*al = SSL_AD_DECODE_ERROR;
				807	return 0;
				808	}
				809	if (!s->tlsext_ocsp_ids
				810	&& !(s->tlsext_ocsp_ids =
				811	sk_OCSP_RESPID_new_null()))
				812	{
				813	OCSP_RESPID_free(id);
				814	*al = SSL_AD_INTERNAL_ERROR;
				815	return 0;
				816	}
				817	if (!sk_OCSP_RESPID_push(
				818	s->tlsext_ocsp_ids, id))
				819	{
				820	OCSP_RESPID_free(id);
				821	*al = SSL_AD_INTERNAL_ERROR;
				822	return 0;
				823	}
				824	}
				825
				826	/* Read in request_extensions */
				827	n2s(data,dsize);
				828	size -= 2;
				829	if (dsize > size)
				830	{
				831	*al = SSL_AD_DECODE_ERROR;
				832	return 0;
				833	}
				834	sdata = data;
				835	if (dsize > 0)
				836	{
				837	s->tlsext_ocsp_exts =
				838	d2i_X509_EXTENSIONS(NULL,
				839	&sdata, dsize);
				840	if (!s->tlsext_ocsp_exts
				841	\|\| (data + dsize != sdata))
				842	{
				843	*al = SSL_AD_DECODE_ERROR;
				844	return 0;
				845	}
				846	}
				847	}
				848	/* We don't know what to do with any other type
				849	* so ignore it.
				850	*/
				851	else
				852	s->tlsext_status_type = -1;
				853	}
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	854
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	855	/* session ticket processed earlier */
				856	data+=size;
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	857	}
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	858
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	859	*p = data;
				860	return 1;
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	861	}
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	862
				863	int ssl_parse_serverhello_tlsext(SSL s, unsigned char p, unsigned char d, int n, int *al)
				864	{
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	865	unsigned short type;
				866	unsigned short size;
				867	unsigned short len;
				868	unsigned char data = p;
				869
				870	int tlsext_servername = 0;
				871
				872	if (data >= (d+n-2))
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	873	return 1;
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	874
				875	n2s(data,len);
				876
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	877	while(data <= (d+n-4))
				878	{
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	879	n2s(data,type);
				880	n2s(data,size);
				881
				882	if (data+size > (d+n))
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	883	return 1;
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	884
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	885	if (s->tlsext_debug_cb)
				886	s->tlsext_debug_cb(s, 1, type, data, size,
				887	s->tlsext_debug_arg);
				888
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	889	if (type == TLSEXT_TYPE_server_name)
				890	{
				891	if (s->tlsext_hostname == NULL \|\| size > 0)
				892	{
				893	*al = TLS1_AD_UNRECOGNIZED_NAME;
				894	return 0;
				895	}
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	896	tlsext_servername = 1;
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	897	}
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	898
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	899	#ifndef OPENSSL_NO_EC
				900	else if (type == TLSEXT_TYPE_ec_point_formats)
				901	{
				902	unsigned char *sdata = data;
				903	int ecpointformatlist_length = *(sdata++);
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	904
				905	if (ecpointformatlist_length != size - 1)
				906	{
				907	*al = TLS1_AD_DECODE_ERROR;
				908	return 0;
				909	}
				910	s->session->tlsext_ecpointformatlist_length = 0;
Bodo Möller	b6acb8d	2006-03-13 01:24:38 +0000	[diff] [blame]	911	if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	912	if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
				913	{
				914	*al = TLS1_AD_INTERNAL_ERROR;
				915	return 0;
				916	}
				917	s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
				918	memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
				919	#if 0
				920	fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
				921	sdata = s->session->tlsext_ecpointformatlist;
				922	for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
				923	fprintf(stderr,"%i ",*(sdata++));
				924	fprintf(stderr,"\n");
				925	#endif
				926	}
Nils Larsch	c6a27f0	2006-03-15 19:17:56 +0000	[diff] [blame]	927	#endif /* OPENSSL_NO_EC */
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	928
				929	else if (type == TLSEXT_TYPE_session_ticket)
				930	{
				931	if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
				932	\|\| (size > 0))
				933	{
				934	*al = TLS1_AD_UNSUPPORTED_EXTENSION;
				935	return 0;
				936	}
				937	s->tlsext_ticket_expected = 1;
				938	}
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	939	#ifdef TLSEXT_TYPE_opaque_prf_input
				940	else if (type == TLSEXT_TYPE_opaque_prf_input)
				941	{
				942	unsigned char *sdata = data;
				943
				944	if (size < 2)
				945	{
				946	*al = SSL_AD_DECODE_ERROR;
				947	return 0;
				948	}
				949	n2s(sdata, s->s3->server_opaque_prf_input_len);
				950	if (s->s3->server_opaque_prf_input_len != size - 2)
				951	{
				952	*al = SSL_AD_DECODE_ERROR;
				953	return 0;
				954	}
				955
				956	if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
				957	OPENSSL_free(s->s3->server_opaque_prf_input);
Bodo Möller	02c27b1	2007-09-23 11:30:53 +0000	[diff] [blame]	958	if (s->s3->server_opaque_prf_input_len == 0)
				959	s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
				960	else
				961	s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	962
				963	if (s->s3->server_opaque_prf_input == NULL)
				964	{
				965	*al = TLS1_AD_INTERNAL_ERROR;
				966	return 0;
				967	}
				968	}
				969	#endif
Dr. Stephen Henson	67c8e7f	2007-09-26 21:56:59 +0000	[diff] [blame]	970	else if (type == TLSEXT_TYPE_status_request)
				971	{
				972	/* MUST be empty and only sent if we've requested
				973	* a status request message.
				974	*/
				975	if ((s->tlsext_status_type == -1) \|\| (size > 0))
				976	{
				977	*al = TLS1_AD_UNSUPPORTED_EXTENSION;
				978	return 0;
				979	}
				980	/* Set flag to expect CertificateStatus message */
				981	s->tlsext_status_expected = 1;
				982	}
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	983
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	984	data+=size;
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	985	}
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	986
				987	if (data != d+n)
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	988	{
				989	*al = SSL_AD_DECODE_ERROR;
				990	return 0;
				991	}
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	992
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	993	if (!s->hit && tlsext_servername == 1)
				994	{
				995	if (s->tlsext_hostname)
				996	{
				997	if (s->session->tlsext_hostname == NULL)
				998	{
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	999	s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
				1000	if (!s->session->tlsext_hostname)
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	1001	{
				1002	*al = SSL_AD_UNRECOGNIZED_NAME;
				1003	return 0;
				1004	}
				1005	}
				1006	else
				1007	{
				1008	*al = SSL_AD_DECODE_ERROR;
				1009	return 0;
				1010	}
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	1011	}
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	1012	}
				1013
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	1014	*p = data;
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	1015	return 1;
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1016	}
Bodo Möller	ed3883d	2006-01-02 23:14:37 +0000	[diff] [blame]	1017
Bodo Möller	b2172f4	2006-04-03 11:56:30 +0000	[diff] [blame]	1018
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1019	int ssl_prepare_clienthello_tlsext(SSL *s)
				1020	{
				1021	#ifndef OPENSSL_NO_EC
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	1022	/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
				1023	* and elliptic curves we support.
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1024	*/
				1025	int using_ecc = 0;
				1026	int i;
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	1027	unsigned char *j;
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1028	unsigned long alg_k, alg_a;
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1029	STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1030
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1031	for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
				1032	{
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1033	SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
				1034
				1035	alg_k = c->algorithm_mkey;
				1036	alg_a = c->algorithm_auth;
				1037	if ((alg_k & (SSL_kEECDH\|SSL_kECDHr\|SSL_kECDHe) \|\| (alg_a & SSL_aECDSA)))
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1038	{
				1039	using_ecc = 1;
				1040	break;
				1041	}
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1042	}
				1043	using_ecc = using_ecc && (s->version == TLS1_VERSION);
				1044	if (using_ecc)
				1045	{
Bodo Möller	b6acb8d	2006-03-13 01:24:38 +0000	[diff] [blame]	1046	if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
				1047	if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1048	{
Bodo Möller	a291745	2007-04-24 01:06:19 +0000	[diff] [blame]	1049	SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1050	return -1;
				1051	}
Bodo Möller	b6acb8d	2006-03-13 01:24:38 +0000	[diff] [blame]	1052	s->tlsext_ecpointformatlist_length = 3;
				1053	s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
				1054	s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
				1055	s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
Bodo Möller	b2172f4	2006-04-03 11:56:30 +0000	[diff] [blame]	1056
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	1057	/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
				1058	if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
Bodo Möller	b2172f4	2006-04-03 11:56:30 +0000	[diff] [blame]	1059	s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
				1060	if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	1061	{
Bodo Möller	b2172f4	2006-04-03 11:56:30 +0000	[diff] [blame]	1062	s->tlsext_ellipticcurvelist_length = 0;
Bodo Möller	a291745	2007-04-24 01:06:19 +0000	[diff] [blame]	1063	SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	1064	return -1;
				1065	}
Geoff Thorpe	1e26a8b	2008-03-16 21:05:46 +0000	[diff] [blame]	1066	for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
				1067	sizeof(nid_list)/sizeof(nid_list[0]); i++)
Bodo Möller	b2172f4	2006-04-03 11:56:30 +0000	[diff] [blame]	1068	s2n(i,j);
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1069	}
				1070	#endif /* OPENSSL_NO_EC */
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	1071
				1072	#ifdef TLSEXT_TYPE_opaque_prf_input
				1073	{
				1074	int r = 1;
				1075
				1076	if (s->ctx->tlsext_opaque_prf_input_callback != 0)
				1077	{
				1078	r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
				1079	if (!r)
				1080	return -1;
				1081	}
				1082
				1083	if (s->tlsext_opaque_prf_input != NULL)
				1084	{
				1085	if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
				1086	OPENSSL_free(s->s3->client_opaque_prf_input);
				1087
Bodo Möller	02c27b1	2007-09-23 11:30:53 +0000	[diff] [blame]	1088	if (s->tlsext_opaque_prf_input_len == 0)
				1089	s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
				1090	else
				1091	s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	1092	if (s->s3->client_opaque_prf_input == NULL)
				1093	{
				1094	SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
				1095	return -1;
				1096	}
				1097	s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
				1098	}
				1099
				1100	if (r == 2)
				1101	/* at callback's request, insist on receiving an appropriate server opaque PRF input */
				1102	s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
				1103	}
				1104	#endif
				1105
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1106	return 1;
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1107	}
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1108
				1109	int ssl_prepare_serverhello_tlsext(SSL *s)
				1110	{
				1111	#ifndef OPENSSL_NO_EC
Bodo Möller	b6acb8d	2006-03-13 01:24:38 +0000	[diff] [blame]	1112	/* If we are server and using an ECC cipher suite, send the point formats we support
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	1113	* if the client sent us an ECPointsFormat extension. Note that the server is not
				1114	* supposed to send an EllipticCurves extension.
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1115	*/
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1116
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1117	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
				1118	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
				1119	int using_ecc = (alg_k & (SSL_kEECDH\|SSL_kECDHr\|SSL_kECDHe)) \|\| (alg_a & SSL_aECDSA);
				1120	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
				1121
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1122	if (using_ecc)
				1123	{
Bodo Möller	b6acb8d	2006-03-13 01:24:38 +0000	[diff] [blame]	1124	if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
				1125	if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1126	{
Bodo Möller	a291745	2007-04-24 01:06:19 +0000	[diff] [blame]	1127	SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1128	return -1;
				1129	}
Bodo Möller	b6acb8d	2006-03-13 01:24:38 +0000	[diff] [blame]	1130	s->tlsext_ecpointformatlist_length = 3;
				1131	s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
				1132	s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
				1133	s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1134	}
				1135	#endif /* OPENSSL_NO_EC */
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	1136
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1137	return 1;
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1138	}
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1139
				1140	int ssl_check_clienthello_tlsext(SSL *s)
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	1141	{
Bodo Möller	241520e	2006-01-11 06:10:40 +0000	[diff] [blame]	1142	int ret=SSL_TLSEXT_ERR_NOACK;
Bodo Möller	58ece83	2006-01-13 09:21:10 +0000	[diff] [blame]	1143	int al = SSL_AD_UNRECOGNIZED_NAME;
Bodo Möller	241520e	2006-01-11 06:10:40 +0000	[diff] [blame]	1144
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1145	#ifndef OPENSSL_NO_EC
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	1146	/* The handling of the ECPointFormats extension is done elsewhere, namely in
				1147	* ssl3_choose_cipher in s3_lib.c.
				1148	*/
				1149	/* The handling of the EllipticCurves extension is done elsewhere, namely in
				1150	* ssl3_choose_cipher in s3_lib.c.
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1151	*/
				1152	#endif
				1153
				1154	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
				1155	ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
				1156	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
				1157	ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
				1158
Dr. Stephen Henson	67c8e7f	2007-09-26 21:56:59 +0000	[diff] [blame]	1159	/* If status request then ask callback what to do.
				1160	* Note: this must be called after servername callbacks in case
				1161	* the certificate has changed.
				1162	*/
				1163	if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
				1164	{
				1165	int r;
				1166	r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
				1167	switch (r)
				1168	{
				1169	/* We don't want to send a status request response */
				1170	case SSL_TLSEXT_ERR_NOACK:
				1171	s->tlsext_status_expected = 0;
				1172	break;
				1173	/* status request response should be sent */
				1174	case SSL_TLSEXT_ERR_OK:
				1175	if (s->tlsext_ocsp_resp)
				1176	s->tlsext_status_expected = 1;
				1177	else
				1178	s->tlsext_status_expected = 0;
				1179	break;
				1180	/* something bad happened */
				1181	case SSL_TLSEXT_ERR_ALERT_FATAL:
				1182	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
				1183	al = SSL_AD_INTERNAL_ERROR;
				1184	goto err;
				1185	}
				1186	}
				1187	else
				1188	s->tlsext_status_expected = 0;
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	1189
				1190	#ifdef TLSEXT_TYPE_opaque_prf_input
				1191	{
				1192	/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
				1193	* but we might be sending an alert in response to the client hello,
				1194	* so this has to happen here in ssl_check_clienthello_tlsext(). */
				1195
				1196	int r = 1;
				1197
				1198	if (s->ctx->tlsext_opaque_prf_input_callback != 0)
				1199	{
				1200	r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
				1201	if (!r)
				1202	{
				1203	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
				1204	al = SSL_AD_INTERNAL_ERROR;
				1205	goto err;
				1206	}
				1207	}
				1208
				1209	if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
				1210	OPENSSL_free(s->s3->server_opaque_prf_input);
				1211	s->s3->server_opaque_prf_input = NULL;
				1212
				1213	if (s->tlsext_opaque_prf_input != NULL)
				1214	{
				1215	if (s->s3->client_opaque_prf_input != NULL &&
				1216	s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
				1217	{
				1218	/* can only use this extension if we have a server opaque PRF input
				1219	* of the same length as the client opaque PRF input! */
				1220
Bodo Möller	02c27b1	2007-09-23 11:30:53 +0000	[diff] [blame]	1221	if (s->tlsext_opaque_prf_input_len == 0)
				1222	s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
				1223	else
				1224	s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	1225	if (s->s3->server_opaque_prf_input == NULL)
				1226	{
				1227	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
				1228	al = SSL_AD_INTERNAL_ERROR;
				1229	goto err;
				1230	}
				1231	s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
				1232	}
				1233	}
				1234
				1235	if (r == 2 && s->s3->server_opaque_prf_input == NULL)
				1236	{
				1237	/* The callback wants to enforce use of the extension,
				1238	* but we can't do that with the client opaque PRF input;
				1239	* abort the handshake.
				1240	*/
				1241	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
				1242	al = SSL_AD_HANDSHAKE_FAILURE;
				1243	}
				1244	}
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	1245
Dr. Stephen Henson	67c8e7f	2007-09-26 21:56:59 +0000	[diff] [blame]	1246	#endif
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	1247	err:
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1248	switch (ret)
				1249	{
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1250	case SSL_TLSEXT_ERR_ALERT_FATAL:
				1251	ssl3_send_alert(s,SSL3_AL_FATAL,al);
				1252	return -1;
				1253
				1254	case SSL_TLSEXT_ERR_ALERT_WARNING:
				1255	ssl3_send_alert(s,SSL3_AL_WARNING,al);
				1256	return 1;
				1257
				1258	case SSL_TLSEXT_ERR_NOACK:
				1259	s->servername_done=0;
				1260	default:
				1261	return 1;
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1262	}
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1263	}
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1264
				1265	int ssl_check_serverhello_tlsext(SSL *s)
				1266	{
				1267	int ret=SSL_TLSEXT_ERR_NOACK;
				1268	int al = SSL_AD_UNRECOGNIZED_NAME;
				1269
				1270	#ifndef OPENSSL_NO_EC
				1271	/* If we are client and using an elliptic curve cryptography cipher suite, then server
				1272	* must return a an EC point formats lists containing uncompressed.
				1273	*/
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1274	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
				1275	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1276	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1277	((alg_k & (SSL_kEECDH\|SSL_kECDHr\|SSL_kECDHe)) \|\| (alg_a & SSL_aECDSA)))
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1278	{
				1279	/* we are using an ECC cipher */
Nils Larsch	90bdfd9	2006-03-13 22:07:05 +0000	[diff] [blame]	1280	size_t i;
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1281	unsigned char *list;
				1282	int found_uncompressed = 0;
Richard Levitte	a4ff392	2006-03-15 09:57:16 +0000	[diff] [blame]	1283	if ((s->session->tlsext_ecpointformatlist == NULL) \|\| (s->session->tlsext_ecpointformatlist_length == 0))
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1284	{
Bodo Möller	a291745	2007-04-24 01:06:19 +0000	[diff] [blame]	1285	SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1286	return -1;
				1287	}
Richard Levitte	b9865f1	2006-03-13 12:37:19 +0000	[diff] [blame]	1288	list = s->session->tlsext_ecpointformatlist;
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1289	for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
				1290	{
				1291	if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
				1292	{
				1293	found_uncompressed = 1;
				1294	break;
				1295	}
				1296	}
				1297	if (!found_uncompressed)
				1298	{
Bodo Möller	a291745	2007-04-24 01:06:19 +0000	[diff] [blame]	1299	SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
Bodo Möller	36ca4ba	2006-03-11 23:46:37 +0000	[diff] [blame]	1300	return -1;
				1301	}
				1302	}
				1303	ret = SSL_TLSEXT_ERR_OK;
				1304	#endif /* OPENSSL_NO_EC */
				1305
Bodo Möller	241520e	2006-01-11 06:10:40 +0000	[diff] [blame]	1306	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
Bodo Möller	58ece83	2006-01-13 09:21:10 +0000	[diff] [blame]	1307	ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
Bodo Möller	241520e	2006-01-11 06:10:40 +0000	[diff] [blame]	1308	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
Bodo Möller	58ece83	2006-01-13 09:21:10 +0000	[diff] [blame]	1309	ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
Bodo Möller	241520e	2006-01-11 06:10:40 +0000	[diff] [blame]	1310
Bodo Möller	761772d	2007-09-21 06:54:24 +0000	[diff] [blame]	1311	#ifdef TLSEXT_TYPE_opaque_prf_input
				1312	if (s->s3->server_opaque_prf_input_len > 0)
				1313	{
				1314	/* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
				1315	* So first verify that we really have a value from the server too. */
				1316
				1317	if (s->s3->server_opaque_prf_input == NULL)
				1318	{
				1319	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
				1320	al = SSL_AD_HANDSHAKE_FAILURE;
				1321	}
				1322
				1323	/* Anytime the server has sent an opaque PRF input, we need to check
				1324	* that we have a client opaque PRF input of the same size. */
				1325	if (s->s3->client_opaque_prf_input == NULL \|\|
				1326	s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
				1327	{
				1328	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
				1329	al = SSL_AD_ILLEGAL_PARAMETER;
				1330	}
				1331	}
				1332	#endif
				1333
Dr. Stephen Henson	04e2ab2	2007-09-28 17:45:11 +0000	[diff] [blame]	1334	/* If we've requested certificate status and we wont get one
				1335	* tell the callback
				1336	*/
				1337	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
				1338	&& s->ctx->tlsext_status_cb)
				1339	{
				1340	int r;
				1341	/* Set resp to NULL, resplen to -1 so callback knows
				1342	* there is no response.
				1343	*/
				1344	if (s->tlsext_ocsp_resp)
				1345	{
				1346	OPENSSL_free(s->tlsext_ocsp_resp);
				1347	s->tlsext_ocsp_resp = NULL;
				1348	}
				1349	s->tlsext_ocsp_resplen = -1;
				1350	r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
				1351	if (r == 0)
				1352	{
				1353	al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
				1354	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
				1355	}
				1356	if (r < 0)
				1357	{
				1358	al = SSL_AD_INTERNAL_ERROR;
				1359	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
				1360	}
				1361	}
				1362
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1363	switch (ret)
				1364	{
Bodo Möller	58ece83	2006-01-13 09:21:10 +0000	[diff] [blame]	1365	case SSL_TLSEXT_ERR_ALERT_FATAL:
				1366	ssl3_send_alert(s,SSL3_AL_FATAL,al);
				1367	return -1;
				1368
				1369	case SSL_TLSEXT_ERR_ALERT_WARNING:
				1370	ssl3_send_alert(s,SSL3_AL_WARNING,al);
				1371	return 1;
				1372
				1373	case SSL_TLSEXT_ERR_NOACK:
				1374	s->servername_done=0;
				1375	default:
				1376	return 1;
Bodo Möller	52b8dad	2007-02-17 06:45:38 +0000	[diff] [blame]	1377	}
Bodo Möller	f1fd454	2006-01-03 03:27:19 +0000	[diff] [blame]	1378	}
Bodo Möller	3327372	2006-03-30 02:44:56 +0000	[diff] [blame]	1379
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1380	/* Since the server cache lookup is done early on in the processing of client
				1381	* hello and other operations depend on the result we need to handle any TLS
				1382	* session ticket extension at the same time.
				1383	*/
				1384
				1385	int tls1_process_ticket(SSL s, unsigned char session_id, int len,
				1386	const unsigned char limit, SSL_SESSION *ret)
				1387	{
				1388	/* Point after session ID in client hello */
				1389	const unsigned char *p = session_id + len;
				1390	unsigned short i;
Dr. Stephen Henson	e8da6a1	2008-09-03 22:17:11 +0000	[diff] [blame]	1391
				1392	/* If tickets disabled behave as if no ticket present
				1393	* to permit stateful resumption.
				1394	*/
				1395	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
				1396	return 1;
				1397
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1398	if ((s->version <= SSL3_VERSION) \|\| !limit)
				1399	return 1;
				1400	if (p >= limit)
				1401	return -1;
				1402	/* Skip past cipher list */
				1403	n2s(p, i);
				1404	p+= i;
				1405	if (p >= limit)
				1406	return -1;
				1407	/* Skip past compression algorithm list */
				1408	i = *(p++);
				1409	p += i;
				1410	if (p > limit)
				1411	return -1;
				1412	/* Now at start of extensions */
				1413	if ((p + 2) >= limit)
				1414	return 1;
				1415	n2s(p, i);
				1416	while ((p + 4) <= limit)
				1417	{
				1418	unsigned short type, size;
				1419	n2s(p, type);
				1420	n2s(p, size);
				1421	if (p + size > limit)
				1422	return 1;
				1423	if (type == TLSEXT_TYPE_session_ticket)
				1424	{
				1425	/* If tickets disabled indicate cache miss which will
				1426	* trigger a full handshake
				1427	*/
				1428	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
Dr. Stephen Henson	e8da6a1	2008-09-03 22:17:11 +0000	[diff] [blame]	1429	return 1;
				1430	/* If zero length note client will accept a ticket
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1431	* and indicate cache miss to trigger full handshake
				1432	*/
				1433	if (size == 0)
				1434	{
				1435	s->tlsext_ticket_expected = 1;
				1436	return 0; /* Cache miss */
				1437	}
				1438	return tls_decrypt_ticket(s, p, size, session_id, len,
				1439	ret);
				1440	}
				1441	p += size;
				1442	}
				1443	return 1;
				1444	}
				1445
				1446	static int tls_decrypt_ticket(SSL s, const unsigned char etick, int eticklen,
				1447	const unsigned char *sess_id, int sesslen,
				1448	SSL_SESSION **psess)
				1449	{
				1450	SSL_SESSION *sess;
				1451	unsigned char *sdec;
				1452	const unsigned char *p;
Dr. Stephen Henson	8a2062f	2008-04-30 16:14:02 +0000	[diff] [blame]	1453	int slen, mlen, renew_ticket = 0;
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1454	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
				1455	HMAC_CTX hctx;
				1456	EVP_CIPHER_CTX ctx;
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1457	/* Need at least keyname + iv + some encrypted data */
				1458	if (eticklen < 48)
				1459	goto tickerr;
Dr. Stephen Henson	8a2062f	2008-04-30 16:14:02 +0000	[diff] [blame]	1460	/* Initialize session ticket encryption and HMAC contexts */
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1461	HMAC_CTX_init(&hctx);
Dr. Stephen Henson	8a2062f	2008-04-30 16:14:02 +0000	[diff] [blame]	1462	EVP_CIPHER_CTX_init(&ctx);
				1463	if (s->ctx->tlsext_ticket_key_cb)
				1464	{
				1465	unsigned char nctick = (unsigned char )etick;
				1466	int rv = s->ctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
				1467	&ctx, &hctx, 0);
				1468	if (rv < 0)
				1469	return -1;
				1470	if (rv == 0)
				1471	goto tickerr;
				1472	if (rv == 2)
				1473	renew_ticket = 1;
				1474	}
				1475	else
				1476	{
				1477	/* Check key name matches */
				1478	if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
				1479	goto tickerr;
				1480	HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
				1481	tlsext_tick_md(), NULL);
				1482	EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
				1483	s->ctx->tlsext_tick_aes_key, etick + 16);
				1484	}
				1485	/* Attempt to process session ticket, first conduct sanity and
				1486	* integrity checks on ticket.
				1487	*/
				1488	mlen = HMAC_size(&hctx);
				1489	eticklen -= mlen;
				1490	/* Check HMAC of encrypted ticket */
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1491	HMAC_Update(&hctx, etick, eticklen);
				1492	HMAC_Final(&hctx, tick_hmac, NULL);
				1493	HMAC_CTX_cleanup(&hctx);
				1494	if (memcmp(tick_hmac, etick + eticklen, mlen))
				1495	goto tickerr;
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1496	/* Attempt to decrypt session data */
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1497	/* Move p after IV to start of encrypted ticket, update length */
Dr. Stephen Henson	8a2062f	2008-04-30 16:14:02 +0000	[diff] [blame]	1498	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
				1499	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1500	sdec = OPENSSL_malloc(eticklen);
				1501	if (!sdec)
				1502	{
				1503	EVP_CIPHER_CTX_cleanup(&ctx);
				1504	return -1;
				1505	}
				1506	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
				1507	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
				1508	goto tickerr;
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1509	slen += mlen;
				1510	EVP_CIPHER_CTX_cleanup(&ctx);
				1511	p = sdec;
				1512
				1513	sess = d2i_SSL_SESSION(NULL, &p, slen);
				1514	OPENSSL_free(sdec);
				1515	if (sess)
				1516	{
				1517	/* The session ID if non-empty is used by some clients to
				1518	* detect that the ticket has been accepted. So we copy it to
				1519	* the session structure. If it is empty set length to zero
				1520	* as required by standard.
				1521	*/
				1522	if (sesslen)
				1523	memcpy(sess->session_id, sess_id, sesslen);
				1524	sess->session_id_length = sesslen;
				1525	*psess = sess;
Dr. Stephen Henson	8a2062f	2008-04-30 16:14:02 +0000	[diff] [blame]	1526	s->tlsext_ticket_expected = renew_ticket;
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1527	return 1;
				1528	}
				1529	/* If session decrypt failure indicate a cache miss and set state to
				1530	* send a new ticket
				1531	*/
				1532	tickerr:
				1533	s->tlsext_ticket_expected = 1;
				1534	return 0;
				1535	}
Dr. Stephen Henson	6434abb	2007-08-11 23:18:29 +0000	[diff] [blame]	1536
				1537	#endif