1/* ssl/t1_lib.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112#include <stdio.h> 113#include <openssl/objects.h> 114#include <openssl/evp.h> 115#include <openssl/hmac.h> 116#include <openssl/ocsp.h> 117#include "ssl_locl.h" 118 119const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 120 121#ifndef OPENSSL_NO_TLSEXT 122static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123 const unsigned char *sess_id, int sesslen, 124 SSL_SESSION **psess); 125#endif 126 127SSL3_ENC_METHOD TLSv1_enc_data={ 128 tls1_enc, 129 tls1_mac, 130 tls1_setup_key_block, 131 tls1_generate_master_secret, 132 tls1_change_cipher_state, 133 tls1_final_finish_mac, 134 TLS1_FINISH_MAC_LENGTH, 135 tls1_cert_verify_mac, 136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 138 tls1_alert_code, 139 }; 140 141long tls1_default_timeout(void) 142 { 143 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 144 * is way too long for http, the cache would over fill */ 145 return(60*60*2); 146 } 147 148int tls1_new(SSL *s) 149 { 150 if (!ssl3_new(s)) return(0); 151 s->method->ssl_clear(s); 152 return(1); 153 } 154 155void tls1_free(SSL *s) 156 { 157#ifndef OPENSSL_NO_TLSEXT 158 if (s->tlsext_session_ticket) 159 { 160 OPENSSL_free(s->tlsext_session_ticket); 161 } 162#endif /* OPENSSL_NO_TLSEXT */ 163 ssl3_free(s); 164 } 165 166void tls1_clear(SSL *s) 167 { 168 ssl3_clear(s); 169 s->version=TLS1_VERSION; 170 } 171 172#ifndef OPENSSL_NO_EC 173static int nid_list[] = 174 { 175 NID_sect163k1, /* sect163k1 (1) */ 176 NID_sect163r1, /* sect163r1 (2) */ 177 NID_sect163r2, /* sect163r2 (3) */ 178 NID_sect193r1, /* sect193r1 (4) */ 179 NID_sect193r2, /* sect193r2 (5) */ 180 NID_sect233k1, /* sect233k1 (6) */ 181 NID_sect233r1, /* sect233r1 (7) */ 182 NID_sect239k1, /* sect239k1 (8) */ 183 NID_sect283k1, /* sect283k1 (9) */ 184 NID_sect283r1, /* sect283r1 (10) */ 185 NID_sect409k1, /* sect409k1 (11) */ 186 NID_sect409r1, /* sect409r1 (12) */ 187 NID_sect571k1, /* sect571k1 (13) */ 188 NID_sect571r1, /* sect571r1 (14) */ 189 NID_secp160k1, /* secp160k1 (15) */ 190 NID_secp160r1, /* secp160r1 (16) */ 191 NID_secp160r2, /* secp160r2 (17) */ 192 NID_secp192k1, /* secp192k1 (18) */ 193 NID_X9_62_prime192v1, /* secp192r1 (19) */ 194 NID_secp224k1, /* secp224k1 (20) */ 195 NID_secp224r1, /* secp224r1 (21) */ 196 NID_secp256k1, /* secp256k1 (22) */ 197 NID_X9_62_prime256v1, /* secp256r1 (23) */ 198 NID_secp384r1, /* secp384r1 (24) */ 199 NID_secp521r1 /* secp521r1 (25) */ 200 }; 201 202int tls1_ec_curve_id2nid(int curve_id) 203 { 204 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 205 if ((curve_id < 1) || ((unsigned int)curve_id > 206 sizeof(nid_list)/sizeof(nid_list[0]))) 207 return 0; 208 return nid_list[curve_id-1]; 209 } 210 211int tls1_ec_nid2curve_id(int nid) 212 { 213 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 214 switch (nid) 215 { 216 case NID_sect163k1: /* sect163k1 (1) */ 217 return 1; 218 case NID_sect163r1: /* sect163r1 (2) */ 219 return 2; 220 case NID_sect163r2: /* sect163r2 (3) */ 221 return 3; 222 case NID_sect193r1: /* sect193r1 (4) */ 223 return 4; 224 case NID_sect193r2: /* sect193r2 (5) */ 225 return 5; 226 case NID_sect233k1: /* sect233k1 (6) */ 227 return 6; 228 case NID_sect233r1: /* sect233r1 (7) */ 229 return 7; 230 case NID_sect239k1: /* sect239k1 (8) */ 231 return 8; 232 case NID_sect283k1: /* sect283k1 (9) */ 233 return 9; 234 case NID_sect283r1: /* sect283r1 (10) */ 235 return 10; 236 case NID_sect409k1: /* sect409k1 (11) */ 237 return 11; 238 case NID_sect409r1: /* sect409r1 (12) */ 239 return 12; 240 case NID_sect571k1: /* sect571k1 (13) */ 241 return 13; 242 case NID_sect571r1: /* sect571r1 (14) */ 243 return 14; 244 case NID_secp160k1: /* secp160k1 (15) */ 245 return 15; 246 case NID_secp160r1: /* secp160r1 (16) */ 247 return 16; 248 case NID_secp160r2: /* secp160r2 (17) */ 249 return 17; 250 case NID_secp192k1: /* secp192k1 (18) */ 251 return 18; 252 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 253 return 19; 254 case NID_secp224k1: /* secp224k1 (20) */ 255 return 20; 256 case NID_secp224r1: /* secp224r1 (21) */ 257 return 21; 258 case NID_secp256k1: /* secp256k1 (22) */ 259 return 22; 260 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 261 return 23; 262 case NID_secp384r1: /* secp384r1 (24) */ 263 return 24; 264 case NID_secp521r1: /* secp521r1 (25) */ 265 return 25; 266 default: 267 return 0; 268 } 269 } 270#endif /* OPENSSL_NO_EC */ 271 272#ifndef OPENSSL_NO_TLSEXT 273unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 274 { 275 int extdatalen=0; 276 unsigned char *ret = p; 277 278 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 279 if (s->client_version == SSL3_VERSION 280 && !s->s3->send_connection_binding) 281 return p; 282 283 ret+=2; 284 285 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 286 287 if (s->tlsext_hostname != NULL) 288 { 289 /* Add TLS extension servername to the Client Hello message */ 290 unsigned long size_str; 291 long lenmax; 292 293 /* check for enough space. 294 4 for the servername type and entension length 295 2 for servernamelist length 296 1 for the hostname type 297 2 for hostname length 298 + hostname length 299 */ 300 301 if ((lenmax = limit - ret - 9) < 0 302 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 303 return NULL; 304 305 /* extension type and length */ 306 s2n(TLSEXT_TYPE_server_name,ret); 307 s2n(size_str+5,ret); 308 309 /* length of servername list */ 310 s2n(size_str+3,ret); 311 312 /* hostname type, length and hostname */ 313 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 314 s2n(size_str,ret); 315 memcpy(ret, s->tlsext_hostname, size_str); 316 ret+=size_str; 317 } 318 319 /* Add RI if renegotiating */ 320 if (s->new_session) 321 { 322 int el; 323 324 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 325 { 326 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 327 return NULL; 328 } 329 330 if((limit - p - 4 - el) < 0) return NULL; 331 332 s2n(TLSEXT_TYPE_renegotiate,ret); 333 s2n(el,ret); 334 335 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) 336 { 337 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 338 return NULL; 339 } 340 341 ret += el; 342 } 343 344#ifndef OPENSSL_NO_EC 345 if (s->tlsext_ecpointformatlist != NULL) 346 { 347 /* Add TLS extension ECPointFormats to the ClientHello message */ 348 long lenmax; 349 350 if ((lenmax = limit - ret - 5) < 0) return NULL; 351 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 352 if (s->tlsext_ecpointformatlist_length > 255) 353 { 354 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 355 return NULL; 356 } 357 358 s2n(TLSEXT_TYPE_ec_point_formats,ret); 359 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 360 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 361 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 362 ret+=s->tlsext_ecpointformatlist_length; 363 } 364 if (s->tlsext_ellipticcurvelist != NULL) 365 { 366 /* Add TLS extension EllipticCurves to the ClientHello message */ 367 long lenmax; 368 369 if ((lenmax = limit - ret - 6) < 0) return NULL; 370 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; 371 if (s->tlsext_ellipticcurvelist_length > 65532) 372 { 373 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 374 return NULL; 375 } 376 377 s2n(TLSEXT_TYPE_elliptic_curves,ret); 378 s2n(s->tlsext_ellipticcurvelist_length + 2, ret); 379 380 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 381 * elliptic_curve_list, but the examples use two bytes. 382 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 383 * resolves this to two bytes. 384 */ 385 s2n(s->tlsext_ellipticcurvelist_length, ret); 386 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); 387 ret+=s->tlsext_ellipticcurvelist_length; 388 } 389#endif /* OPENSSL_NO_EC */ 390 391 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 392 { 393 int ticklen; 394 if (!s->new_session && s->session && s->session->tlsext_tick) 395 ticklen = s->session->tlsext_ticklen; 396 else if (s->session && s->tlsext_session_ticket && 397 s->tlsext_session_ticket->data) 398 { 399 ticklen = s->tlsext_session_ticket->length; 400 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 401 if (!s->session->tlsext_tick) 402 return NULL; 403 memcpy(s->session->tlsext_tick, 404 s->tlsext_session_ticket->data, 405 ticklen); 406 s->session->tlsext_ticklen = ticklen; 407 } 408 else 409 ticklen = 0; 410 if (ticklen == 0 && s->tlsext_session_ticket && 411 s->tlsext_session_ticket->data == NULL) 412 goto skip_ext; 413 /* Check for enough room 2 for extension type, 2 for len 414 * rest for ticket 415 */ 416 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; 417 s2n(TLSEXT_TYPE_session_ticket,ret); 418 s2n(ticklen,ret); 419 if (ticklen) 420 { 421 memcpy(ret, s->session->tlsext_tick, ticklen); 422 ret += ticklen; 423 } 424 } 425 skip_ext: 426 427#ifdef TLSEXT_TYPE_opaque_prf_input 428 if (s->s3->client_opaque_prf_input != NULL && 429 s->version != DTLS1_VERSION) 430 { 431 size_t col = s->s3->client_opaque_prf_input_len; 432 433 if ((long)(limit - ret - 6 - col < 0)) 434 return NULL; 435 if (col > 0xFFFD) /* can't happen */ 436 return NULL; 437 438 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 439 s2n(col + 2, ret); 440 s2n(col, ret); 441 memcpy(ret, s->s3->client_opaque_prf_input, col); 442 ret += col; 443 } 444#endif 445 446 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 447 s->version != DTLS1_VERSION) 448 { 449 int i; 450 long extlen, idlen, itmp; 451 OCSP_RESPID *id; 452 453 idlen = 0; 454 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 455 { 456 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 457 itmp = i2d_OCSP_RESPID(id, NULL); 458 if (itmp <= 0) 459 return NULL; 460 idlen += itmp + 2; 461 } 462 463 if (s->tlsext_ocsp_exts) 464 { 465 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 466 if (extlen < 0) 467 return NULL; 468 } 469 else 470 extlen = 0; 471 472 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 473 s2n(TLSEXT_TYPE_status_request, ret); 474 if (extlen + idlen > 0xFFF0) 475 return NULL; 476 s2n(extlen + idlen + 5, ret); 477 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 478 s2n(idlen, ret); 479 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 480 { 481 /* save position of id len */ 482 unsigned char *q = ret; 483 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 484 /* skip over id len */ 485 ret += 2; 486 itmp = i2d_OCSP_RESPID(id, &ret); 487 /* write id len */ 488 s2n(itmp, q); 489 } 490 s2n(extlen, ret); 491 if (extlen > 0) 492 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 493 } 494 495 if ((extdatalen = ret-p-2)== 0) 496 return p; 497 498 s2n(extdatalen,p); 499 return ret; 500 } 501 502unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 503 { 504 int extdatalen=0; 505 unsigned char *ret = p; 506 507 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 508 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 509 return p; 510 511 ret+=2; 512 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 513 514 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) 515 { 516 if ((long)(limit - ret - 4) < 0) return NULL; 517 518 s2n(TLSEXT_TYPE_server_name,ret); 519 s2n(0,ret); 520 } 521 522 if(s->s3->send_connection_binding) 523 { 524 int el; 525 526 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) 527 { 528 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 529 return NULL; 530 } 531 532 if((limit - p - 4 - el) < 0) return NULL; 533 534 s2n(TLSEXT_TYPE_renegotiate,ret); 535 s2n(el,ret); 536 537 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) 538 { 539 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 540 return NULL; 541 } 542 543 ret += el; 544 } 545 546#ifndef OPENSSL_NO_EC 547 if (s->tlsext_ecpointformatlist != NULL) 548 { 549 /* Add TLS extension ECPointFormats to the ServerHello message */ 550 long lenmax; 551 552 if ((lenmax = limit - ret - 5) < 0) return NULL; 553 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 554 if (s->tlsext_ecpointformatlist_length > 255) 555 { 556 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 557 return NULL; 558 } 559 560 s2n(TLSEXT_TYPE_ec_point_formats,ret); 561 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 562 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 563 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 564 ret+=s->tlsext_ecpointformatlist_length; 565 566 } 567 /* Currently the server should not respond with a SupportedCurves extension */ 568#endif /* OPENSSL_NO_EC */ 569 570 if (s->tlsext_ticket_expected 571 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 572 { 573 if ((long)(limit - ret - 4) < 0) return NULL; 574 s2n(TLSEXT_TYPE_session_ticket,ret); 575 s2n(0,ret); 576 } 577 578 if (s->tlsext_status_expected) 579 { 580 if ((long)(limit - ret - 4) < 0) return NULL; 581 s2n(TLSEXT_TYPE_status_request,ret); 582 s2n(0,ret); 583 } 584 585#ifdef TLSEXT_TYPE_opaque_prf_input 586 if (s->s3->server_opaque_prf_input != NULL && 587 s->version != DTLS1_VERSION) 588 { 589 size_t sol = s->s3->server_opaque_prf_input_len; 590 591 if ((long)(limit - ret - 6 - sol) < 0) 592 return NULL; 593 if (sol > 0xFFFD) /* can't happen */ 594 return NULL; 595 596 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 597 s2n(sol + 2, ret); 598 s2n(sol, ret); 599 memcpy(ret, s->s3->server_opaque_prf_input, sol); 600 ret += sol; 601 } 602#endif 603 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 604 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 605 { const unsigned char cryptopro_ext[36] = { 606 0xfd, 0xe8, /*65000*/ 607 0x00, 0x20, /*32 bytes length*/ 608 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 609 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 610 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 611 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17}; 612 if (limit-ret<36) return NULL; 613 memcpy(ret,cryptopro_ext,36); 614 ret+=36; 615 616 } 617 618 if ((extdatalen = ret-p-2)== 0) 619 return p; 620 621 s2n(extdatalen,p); 622 return ret; 623 } 624 625#ifndef OPENSSL_NO_EC 626/* ssl_check_for_safari attempts to fingerprint Safari using OS X 627 * SecureTransport using the TLS extension block in |d|, of length |n|. 628 * Safari, since 10.6, sends exactly these extensions, in this order: 629 * SNI, 630 * elliptic_curves 631 * ec_point_formats 632 * 633 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, 634 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. 635 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 636 * 10.8..10.8.3 (which don't work). 637 */ 638static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { 639 unsigned short type, size; 640 static const unsigned char kSafariExtensionsBlock[] = { 641 0x00, 0x0a, /* elliptic_curves extension */ 642 0x00, 0x08, /* 8 bytes */ 643 0x00, 0x06, /* 6 bytes of curve ids */ 644 0x00, 0x17, /* P-256 */ 645 0x00, 0x18, /* P-384 */ 646 0x00, 0x19, /* P-521 */ 647 648 0x00, 0x0b, /* ec_point_formats */ 649 0x00, 0x02, /* 2 bytes */ 650 0x01, /* 1 point format */ 651 0x00, /* uncompressed */ 652 }; 653 654 /* The following is only present in TLS 1.2 */ 655 static const unsigned char kSafariTLS12ExtensionsBlock[] = { 656 0x00, 0x0d, /* signature_algorithms */ 657 0x00, 0x0c, /* 12 bytes */ 658 0x00, 0x0a, /* 10 bytes */ 659 0x05, 0x01, /* SHA-384/RSA */ 660 0x04, 0x01, /* SHA-256/RSA */ 661 0x02, 0x01, /* SHA-1/RSA */ 662 0x04, 0x03, /* SHA-256/ECDSA */ 663 0x02, 0x03, /* SHA-1/ECDSA */ 664 }; 665 666 if (data >= (d+n-2)) 667 return; 668 data += 2; 669 670 if (data > (d+n-4)) 671 return; 672 n2s(data,type); 673 n2s(data,size); 674 675 if (type != TLSEXT_TYPE_server_name) 676 return; 677 678 if (data+size > d+n) 679 return; 680 data += size; 681 682 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 683 { 684 const size_t len1 = sizeof(kSafariExtensionsBlock); 685 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 686 687 if (data + len1 + len2 != d+n) 688 return; 689 if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 690 return; 691 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 692 return; 693 } 694 else 695 { 696 const size_t len = sizeof(kSafariExtensionsBlock); 697 698 if (data + len != d+n) 699 return; 700 if (memcmp(data, kSafariExtensionsBlock, len) != 0) 701 return; 702 } 703 704 s->s3->is_probably_safari = 1; 705} 706#endif /* !OPENSSL_NO_EC */ 707 708int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 709 { 710 unsigned short type; 711 unsigned short size; 712 unsigned short len; 713 unsigned char *data = *p; 714 int renegotiate_seen = 0; 715 716 s->servername_done = 0; 717 s->tlsext_status_type = -1; 718 719#ifndef OPENSSL_NO_EC 720 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 721 ssl_check_for_safari(s, data, d, n); 722#endif /* !OPENSSL_NO_EC */ 723 724 if (data >= (d+n-2)) 725 goto ri_check; 726 n2s(data,len); 727 728 if (data > (d+n-len)) 729 goto ri_check; 730 731 while (data <= (d+n-4)) 732 { 733 n2s(data,type); 734 n2s(data,size); 735 736 if (data+size > (d+n)) 737 goto ri_check; 738#if 0 739 fprintf(stderr,"Received extension type %d size %d\n",type,size); 740#endif 741 if (s->tlsext_debug_cb) 742 s->tlsext_debug_cb(s, 0, type, data, size, 743 s->tlsext_debug_arg); 744/* The servername extension is treated as follows: 745 746 - Only the hostname type is supported with a maximum length of 255. 747 - The servername is rejected if too long or if it contains zeros, 748 in which case an fatal alert is generated. 749 - The servername field is maintained together with the session cache. 750 - When a session is resumed, the servername call back invoked in order 751 to allow the application to position itself to the right context. 752 - The servername is acknowledged if it is new for a session or when 753 it is identical to a previously used for the same session. 754 Applications can control the behaviour. They can at any time 755 set a 'desirable' servername for a new SSL object. This can be the 756 case for example with HTTPS when a Host: header field is received and 757 a renegotiation is requested. In this case, a possible servername 758 presented in the new client hello is only acknowledged if it matches 759 the value of the Host: field. 760 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 761 if they provide for changing an explicit servername context for the session, 762 i.e. when the session has been established with a servername extension. 763 - On session reconnect, the servername extension may be absent. 764 765*/ 766 767 if (type == TLSEXT_TYPE_server_name) 768 { 769 unsigned char *sdata; 770 int servname_type; 771 int dsize; 772 773 if (size < 2) 774 { 775 *al = SSL_AD_DECODE_ERROR; 776 return 0; 777 } 778 n2s(data,dsize); 779 size -= 2; 780 if (dsize > size ) 781 { 782 *al = SSL_AD_DECODE_ERROR; 783 return 0; 784 } 785 786 sdata = data; 787 while (dsize > 3) 788 { 789 servname_type = *(sdata++); 790 n2s(sdata,len); 791 dsize -= 3; 792 793 if (len > dsize) 794 { 795 *al = SSL_AD_DECODE_ERROR; 796 return 0; 797 } 798 if (s->servername_done == 0) 799 switch (servname_type) 800 { 801 case TLSEXT_NAMETYPE_host_name: 802 if (!s->hit) 803 { 804 if(s->session->tlsext_hostname) 805 { 806 *al = SSL_AD_DECODE_ERROR; 807 return 0; 808 } 809 if (len > TLSEXT_MAXLEN_host_name) 810 { 811 *al = TLS1_AD_UNRECOGNIZED_NAME; 812 return 0; 813 } 814 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) 815 { 816 *al = TLS1_AD_INTERNAL_ERROR; 817 return 0; 818 } 819 memcpy(s->session->tlsext_hostname, sdata, len); 820 s->session->tlsext_hostname[len]='\0'; 821 if (strlen(s->session->tlsext_hostname) != len) { 822 OPENSSL_free(s->session->tlsext_hostname); 823 s->session->tlsext_hostname = NULL; 824 *al = TLS1_AD_UNRECOGNIZED_NAME; 825 return 0; 826 } 827 s->servername_done = 1; 828 829 } 830 else 831 s->servername_done = s->session->tlsext_hostname 832 && strlen(s->session->tlsext_hostname) == len 833 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 834 835 break; 836 837 default: 838 break; 839 } 840 841 dsize -= len; 842 } 843 if (dsize != 0) 844 { 845 *al = SSL_AD_DECODE_ERROR; 846 return 0; 847 } 848 849 } 850 851#ifndef OPENSSL_NO_EC 852 else if (type == TLSEXT_TYPE_ec_point_formats) 853 { 854 unsigned char *sdata = data; 855 int ecpointformatlist_length = *(sdata++); 856 857 if (ecpointformatlist_length != size - 1) 858 { 859 *al = TLS1_AD_DECODE_ERROR; 860 return 0; 861 } 862 if (!s->hit) 863 { 864 if(s->session->tlsext_ecpointformatlist) 865 { 866 OPENSSL_free(s->session->tlsext_ecpointformatlist); 867 s->session->tlsext_ecpointformatlist = NULL; 868 } 869 s->session->tlsext_ecpointformatlist_length = 0; 870 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 871 { 872 *al = TLS1_AD_INTERNAL_ERROR; 873 return 0; 874 } 875 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 876 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 877 } 878#if 0 879 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); 880 sdata = s->session->tlsext_ecpointformatlist; 881 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 882 fprintf(stderr,"%i ",*(sdata++)); 883 fprintf(stderr,"\n"); 884#endif 885 } 886 else if (type == TLSEXT_TYPE_elliptic_curves) 887 { 888 unsigned char *sdata = data; 889 int ellipticcurvelist_length = (*(sdata++) << 8); 890 ellipticcurvelist_length += (*(sdata++)); 891 892 if (ellipticcurvelist_length != size - 2 || 893 ellipticcurvelist_length < 1) 894 { 895 *al = TLS1_AD_DECODE_ERROR; 896 return 0; 897 } 898 if (!s->hit) 899 { 900 if(s->session->tlsext_ellipticcurvelist) 901 { 902 *al = TLS1_AD_DECODE_ERROR; 903 return 0; 904 } 905 s->session->tlsext_ellipticcurvelist_length = 0; 906 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) 907 { 908 *al = TLS1_AD_INTERNAL_ERROR; 909 return 0; 910 } 911 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; 912 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); 913 } 914#if 0 915 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); 916 sdata = s->session->tlsext_ellipticcurvelist; 917 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) 918 fprintf(stderr,"%i ",*(sdata++)); 919 fprintf(stderr,"\n"); 920#endif 921 } 922#endif /* OPENSSL_NO_EC */ 923#ifdef TLSEXT_TYPE_opaque_prf_input 924 else if (type == TLSEXT_TYPE_opaque_prf_input && 925 s->version != DTLS1_VERSION) 926 { 927 unsigned char *sdata = data; 928 929 if (size < 2) 930 { 931 *al = SSL_AD_DECODE_ERROR; 932 return 0; 933 } 934 n2s(sdata, s->s3->client_opaque_prf_input_len); 935 if (s->s3->client_opaque_prf_input_len != size - 2) 936 { 937 *al = SSL_AD_DECODE_ERROR; 938 return 0; 939 } 940 941 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 942 OPENSSL_free(s->s3->client_opaque_prf_input); 943 if (s->s3->client_opaque_prf_input_len == 0) 944 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 945 else 946 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); 947 if (s->s3->client_opaque_prf_input == NULL) 948 { 949 *al = TLS1_AD_INTERNAL_ERROR; 950 return 0; 951 } 952 } 953#endif 954 else if (type == TLSEXT_TYPE_session_ticket) 955 { 956 if (s->tls_session_ticket_ext_cb && 957 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 958 { 959 *al = TLS1_AD_INTERNAL_ERROR; 960 return 0; 961 } 962 } 963 else if (type == TLSEXT_TYPE_renegotiate) 964 { 965 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 966 return 0; 967 renegotiate_seen = 1; 968 } 969 else if (type == TLSEXT_TYPE_status_request && 970 s->version != DTLS1_VERSION) 971 { 972 973 if (size < 5) 974 { 975 *al = SSL_AD_DECODE_ERROR; 976 return 0; 977 } 978 979 s->tlsext_status_type = *data++; 980 size--; 981 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 982 { 983 const unsigned char *sdata; 984 int dsize; 985 /* Read in responder_id_list */ 986 n2s(data,dsize); 987 size -= 2; 988 if (dsize > size ) 989 { 990 *al = SSL_AD_DECODE_ERROR; 991 return 0; 992 } 993 while (dsize > 0) 994 { 995 OCSP_RESPID *id; 996 int idsize; 997 if (dsize < 4) 998 { 999 *al = SSL_AD_DECODE_ERROR; 1000 return 0; 1001 } 1002 n2s(data, idsize); 1003 dsize -= 2 + idsize; 1004 size -= 2 + idsize; 1005 if (dsize < 0) 1006 { 1007 *al = SSL_AD_DECODE_ERROR; 1008 return 0; 1009 } 1010 sdata = data; 1011 data += idsize; 1012 id = d2i_OCSP_RESPID(NULL, 1013 &sdata, idsize); 1014 if (!id) 1015 { 1016 *al = SSL_AD_DECODE_ERROR; 1017 return 0; 1018 } 1019 if (data != sdata) 1020 { 1021 OCSP_RESPID_free(id); 1022 *al = SSL_AD_DECODE_ERROR; 1023 return 0; 1024 } 1025 if (!s->tlsext_ocsp_ids 1026 && !(s->tlsext_ocsp_ids = 1027 sk_OCSP_RESPID_new_null())) 1028 { 1029 OCSP_RESPID_free(id); 1030 *al = SSL_AD_INTERNAL_ERROR; 1031 return 0; 1032 } 1033 if (!sk_OCSP_RESPID_push( 1034 s->tlsext_ocsp_ids, id)) 1035 { 1036 OCSP_RESPID_free(id); 1037 *al = SSL_AD_INTERNAL_ERROR; 1038 return 0; 1039 } 1040 } 1041 1042 /* Read in request_extensions */ 1043 if (size < 2) 1044 { 1045 *al = SSL_AD_DECODE_ERROR; 1046 return 0; 1047 } 1048 n2s(data,dsize); 1049 size -= 2; 1050 if (dsize != size) 1051 { 1052 *al = SSL_AD_DECODE_ERROR; 1053 return 0; 1054 } 1055 sdata = data; 1056 if (dsize > 0) 1057 { 1058 if (s->tlsext_ocsp_exts) 1059 { 1060 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1061 X509_EXTENSION_free); 1062 } 1063 1064 s->tlsext_ocsp_exts = 1065 d2i_X509_EXTENSIONS(NULL, 1066 &sdata, dsize); 1067 if (!s->tlsext_ocsp_exts 1068 || (data + dsize != sdata)) 1069 { 1070 *al = SSL_AD_DECODE_ERROR; 1071 return 0; 1072 } 1073 } 1074 } 1075 /* We don't know what to do with any other type 1076 * so ignore it. 1077 */ 1078 else 1079 s->tlsext_status_type = -1; 1080 } 1081 1082 /* session ticket processed earlier */ 1083 data+=size; 1084 } 1085 1086 *p = data; 1087 1088 ri_check: 1089 1090 /* Need RI if renegotiating */ 1091 1092 if (!renegotiate_seen && s->new_session && 1093 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1094 { 1095 *al = SSL_AD_HANDSHAKE_FAILURE; 1096 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1097 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1098 return 0; 1099 } 1100 1101 return 1; 1102 } 1103 1104int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 1105 { 1106 unsigned short length; 1107 unsigned short type; 1108 unsigned short size; 1109 unsigned char *data = *p; 1110 int tlsext_servername = 0; 1111 int renegotiate_seen = 0; 1112 1113 if (data >= (d+n-2)) 1114 goto ri_check; 1115 1116 n2s(data,length); 1117 if (data+length != d+n) 1118 { 1119 *al = SSL_AD_DECODE_ERROR; 1120 return 0; 1121 } 1122 1123 while(data <= (d+n-4)) 1124 { 1125 n2s(data,type); 1126 n2s(data,size); 1127 1128 if (data+size > (d+n)) 1129 goto ri_check; 1130 1131 if (s->tlsext_debug_cb) 1132 s->tlsext_debug_cb(s, 1, type, data, size, 1133 s->tlsext_debug_arg); 1134 1135 if (type == TLSEXT_TYPE_server_name) 1136 { 1137 if (s->tlsext_hostname == NULL || size > 0) 1138 { 1139 *al = TLS1_AD_UNRECOGNIZED_NAME; 1140 return 0; 1141 } 1142 tlsext_servername = 1; 1143 } 1144 1145#ifndef OPENSSL_NO_EC 1146 else if (type == TLSEXT_TYPE_ec_point_formats) 1147 { 1148 unsigned char *sdata = data; 1149 int ecpointformatlist_length = *(sdata++); 1150 1151 if (ecpointformatlist_length != size - 1 || 1152 ecpointformatlist_length < 1) 1153 { 1154 *al = TLS1_AD_DECODE_ERROR; 1155 return 0; 1156 } 1157 if (!s->hit) 1158 { 1159 s->session->tlsext_ecpointformatlist_length = 0; 1160 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); 1161 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1162 { 1163 *al = TLS1_AD_INTERNAL_ERROR; 1164 return 0; 1165 } 1166 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1167 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1168 } 1169#if 0 1170 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); 1171 sdata = s->session->tlsext_ecpointformatlist; 1172 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1173 fprintf(stderr,"%i ",*(sdata++)); 1174 fprintf(stderr,"\n"); 1175#endif 1176 } 1177#endif /* OPENSSL_NO_EC */ 1178 1179 else if (type == TLSEXT_TYPE_session_ticket) 1180 { 1181 if (s->tls_session_ticket_ext_cb && 1182 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1183 { 1184 *al = TLS1_AD_INTERNAL_ERROR; 1185 return 0; 1186 } 1187 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 1188 || (size > 0)) 1189 { 1190 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1191 return 0; 1192 } 1193 s->tlsext_ticket_expected = 1; 1194 } 1195#ifdef TLSEXT_TYPE_opaque_prf_input 1196 else if (type == TLSEXT_TYPE_opaque_prf_input && 1197 s->version != DTLS1_VERSION) 1198 { 1199 unsigned char *sdata = data; 1200 1201 if (size < 2) 1202 { 1203 *al = SSL_AD_DECODE_ERROR; 1204 return 0; 1205 } 1206 n2s(sdata, s->s3->server_opaque_prf_input_len); 1207 if (s->s3->server_opaque_prf_input_len != size - 2) 1208 { 1209 *al = SSL_AD_DECODE_ERROR; 1210 return 0; 1211 } 1212 1213 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1214 OPENSSL_free(s->s3->server_opaque_prf_input); 1215 if (s->s3->server_opaque_prf_input_len == 0) 1216 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1217 else 1218 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); 1219 1220 if (s->s3->server_opaque_prf_input == NULL) 1221 { 1222 *al = TLS1_AD_INTERNAL_ERROR; 1223 return 0; 1224 } 1225 } 1226#endif 1227 else if (type == TLSEXT_TYPE_status_request && 1228 s->version != DTLS1_VERSION) 1229 { 1230 /* MUST be empty and only sent if we've requested 1231 * a status request message. 1232 */ 1233 if ((s->tlsext_status_type == -1) || (size > 0)) 1234 { 1235 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1236 return 0; 1237 } 1238 /* Set flag to expect CertificateStatus message */ 1239 s->tlsext_status_expected = 1; 1240 } 1241 else if (type == TLSEXT_TYPE_renegotiate) 1242 { 1243 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1244 return 0; 1245 renegotiate_seen = 1; 1246 } 1247 data+=size; 1248 } 1249 1250 if (data != d+n) 1251 { 1252 *al = SSL_AD_DECODE_ERROR; 1253 return 0; 1254 } 1255 1256 if (!s->hit && tlsext_servername == 1) 1257 { 1258 if (s->tlsext_hostname) 1259 { 1260 if (s->session->tlsext_hostname == NULL) 1261 { 1262 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 1263 if (!s->session->tlsext_hostname) 1264 { 1265 *al = SSL_AD_UNRECOGNIZED_NAME; 1266 return 0; 1267 } 1268 } 1269 else 1270 { 1271 *al = SSL_AD_DECODE_ERROR; 1272 return 0; 1273 } 1274 } 1275 } 1276 1277 *p = data; 1278 1279 ri_check: 1280 1281 /* Determine if we need to see RI. Strictly speaking if we want to 1282 * avoid an attack we should *always* see RI even on initial server 1283 * hello because the client doesn't see any renegotiation during an 1284 * attack. However this would mean we could not connect to any server 1285 * which doesn't support RI so for the immediate future tolerate RI 1286 * absence on initial connect only. 1287 */ 1288 if (!renegotiate_seen 1289 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 1290 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1291 { 1292 *al = SSL_AD_HANDSHAKE_FAILURE; 1293 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1294 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1295 return 0; 1296 } 1297 1298 return 1; 1299 } 1300 1301 1302int ssl_prepare_clienthello_tlsext(SSL *s) 1303 { 1304#ifndef OPENSSL_NO_EC 1305 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 1306 * and elliptic curves we support. 1307 */ 1308 int using_ecc = 0; 1309 int i; 1310 unsigned char *j; 1311 unsigned long alg_k, alg_a; 1312 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 1313 1314 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) 1315 { 1316 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 1317 1318 alg_k = c->algorithm_mkey; 1319 alg_a = c->algorithm_auth; 1320 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) 1321 { 1322 using_ecc = 1; 1323 break; 1324 } 1325 } 1326 using_ecc = using_ecc && (s->version == TLS1_VERSION); 1327 if (using_ecc) 1328 { 1329 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1330 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1331 { 1332 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1333 return -1; 1334 } 1335 s->tlsext_ecpointformatlist_length = 3; 1336 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1337 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1338 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1339 1340 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ 1341 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); 1342 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2; 1343 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) 1344 { 1345 s->tlsext_ellipticcurvelist_length = 0; 1346 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1347 return -1; 1348 } 1349 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <= 1350 sizeof(nid_list)/sizeof(nid_list[0]); i++) 1351 s2n(i,j); 1352 } 1353#endif /* OPENSSL_NO_EC */ 1354 1355#ifdef TLSEXT_TYPE_opaque_prf_input 1356 { 1357 int r = 1; 1358 1359 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1360 { 1361 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1362 if (!r) 1363 return -1; 1364 } 1365 1366 if (s->tlsext_opaque_prf_input != NULL) 1367 { 1368 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1369 OPENSSL_free(s->s3->client_opaque_prf_input); 1370 1371 if (s->tlsext_opaque_prf_input_len == 0) 1372 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1373 else 1374 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1375 if (s->s3->client_opaque_prf_input == NULL) 1376 { 1377 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1378 return -1; 1379 } 1380 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1381 } 1382 1383 if (r == 2) 1384 /* at callback's request, insist on receiving an appropriate server opaque PRF input */ 1385 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1386 } 1387#endif 1388 1389 return 1; 1390 } 1391 1392int ssl_prepare_serverhello_tlsext(SSL *s) 1393 { 1394#ifndef OPENSSL_NO_EC 1395 /* If we are server and using an ECC cipher suite, send the point formats we support 1396 * if the client sent us an ECPointsFormat extension. Note that the server is not 1397 * supposed to send an EllipticCurves extension. 1398 */ 1399 1400 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1401 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1402 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); 1403 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); 1404 1405 if (using_ecc) 1406 { 1407 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1408 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1409 { 1410 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1411 return -1; 1412 } 1413 s->tlsext_ecpointformatlist_length = 3; 1414 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1415 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1416 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1417 } 1418#endif /* OPENSSL_NO_EC */ 1419 1420 return 1; 1421 } 1422 1423int ssl_check_clienthello_tlsext_early(SSL *s) 1424 { 1425 int ret=SSL_TLSEXT_ERR_NOACK; 1426 int al = SSL_AD_UNRECOGNIZED_NAME; 1427 1428#ifndef OPENSSL_NO_EC 1429 /* The handling of the ECPointFormats extension is done elsewhere, namely in 1430 * ssl3_choose_cipher in s3_lib.c. 1431 */ 1432 /* The handling of the EllipticCurves extension is done elsewhere, namely in 1433 * ssl3_choose_cipher in s3_lib.c. 1434 */ 1435#endif 1436 1437 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1438 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1439 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1440 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1441 1442#ifdef TLSEXT_TYPE_opaque_prf_input 1443 { 1444 /* This sort of belongs into ssl_prepare_serverhello_tlsext(), 1445 * but we might be sending an alert in response to the client hello, 1446 * so this has to happen here in 1447 * ssl_check_clienthello_tlsext_early(). */ 1448 1449 int r = 1; 1450 1451 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1452 { 1453 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1454 if (!r) 1455 { 1456 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1457 al = SSL_AD_INTERNAL_ERROR; 1458 goto err; 1459 } 1460 } 1461 1462 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1463 OPENSSL_free(s->s3->server_opaque_prf_input); 1464 s->s3->server_opaque_prf_input = NULL; 1465 1466 if (s->tlsext_opaque_prf_input != NULL) 1467 { 1468 if (s->s3->client_opaque_prf_input != NULL && 1469 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) 1470 { 1471 /* can only use this extension if we have a server opaque PRF input 1472 * of the same length as the client opaque PRF input! */ 1473 1474 if (s->tlsext_opaque_prf_input_len == 0) 1475 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1476 else 1477 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1478 if (s->s3->server_opaque_prf_input == NULL) 1479 { 1480 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1481 al = SSL_AD_INTERNAL_ERROR; 1482 goto err; 1483 } 1484 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1485 } 1486 } 1487 1488 if (r == 2 && s->s3->server_opaque_prf_input == NULL) 1489 { 1490 /* The callback wants to enforce use of the extension, 1491 * but we can't do that with the client opaque PRF input; 1492 * abort the handshake. 1493 */ 1494 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1495 al = SSL_AD_HANDSHAKE_FAILURE; 1496 } 1497 } 1498 1499 err: 1500#endif 1501 switch (ret) 1502 { 1503 case SSL_TLSEXT_ERR_ALERT_FATAL: 1504 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1505 return -1; 1506 1507 case SSL_TLSEXT_ERR_ALERT_WARNING: 1508 ssl3_send_alert(s,SSL3_AL_WARNING,al); 1509 return 1; 1510 1511 case SSL_TLSEXT_ERR_NOACK: 1512 s->servername_done=0; 1513 default: 1514 return 1; 1515 } 1516 } 1517 1518int ssl_check_clienthello_tlsext_late(SSL *s) 1519 { 1520 int ret = SSL_TLSEXT_ERR_OK; 1521 int al; 1522 1523 /* If status request then ask callback what to do. 1524 * Note: this must be called after servername callbacks in case 1525 * the certificate has changed, and must be called after the cipher 1526 * has been chosen because this may influence which certificate is sent 1527 */ 1528 if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb) 1529 { 1530 int r; 1531 CERT_PKEY *certpkey; 1532 certpkey = ssl_get_server_send_pkey(s); 1533 /* If no certificate can't return certificate status */ 1534 if (certpkey == NULL) 1535 { 1536 s->tlsext_status_expected = 0; 1537 return 1; 1538 } 1539 /* Set current certificate to one we will use so 1540 * SSL_get_certificate et al can pick it up. 1541 */ 1542 s->cert->key = certpkey; 1543 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1544 switch (r) 1545 { 1546 /* We don't want to send a status request response */ 1547 case SSL_TLSEXT_ERR_NOACK: 1548 s->tlsext_status_expected = 0; 1549 break; 1550 /* status request response should be sent */ 1551 case SSL_TLSEXT_ERR_OK: 1552 if (s->tlsext_ocsp_resp) 1553 s->tlsext_status_expected = 1; 1554 else 1555 s->tlsext_status_expected = 0; 1556 break; 1557 /* something bad happened */ 1558 case SSL_TLSEXT_ERR_ALERT_FATAL: 1559 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1560 al = SSL_AD_INTERNAL_ERROR; 1561 goto err; 1562 } 1563 } 1564 else 1565 s->tlsext_status_expected = 0; 1566 1567 err: 1568 switch (ret) 1569 { 1570 case SSL_TLSEXT_ERR_ALERT_FATAL: 1571 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1572 return -1; 1573 1574 case SSL_TLSEXT_ERR_ALERT_WARNING: 1575 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1576 return 1; 1577 1578 default: 1579 return 1; 1580 } 1581 } 1582 1583int ssl_check_serverhello_tlsext(SSL *s) 1584 { 1585 int ret=SSL_TLSEXT_ERR_NOACK; 1586 int al = SSL_AD_UNRECOGNIZED_NAME; 1587 1588#ifndef OPENSSL_NO_EC 1589 /* If we are client and using an elliptic curve cryptography cipher 1590 * suite, then if server returns an EC point formats lists extension 1591 * it must contain uncompressed. 1592 */ 1593 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1594 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1595 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 1596 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 1597 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) 1598 { 1599 /* we are using an ECC cipher */ 1600 size_t i; 1601 unsigned char *list; 1602 int found_uncompressed = 0; 1603 list = s->session->tlsext_ecpointformatlist; 1604 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1605 { 1606 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) 1607 { 1608 found_uncompressed = 1; 1609 break; 1610 } 1611 } 1612 if (!found_uncompressed) 1613 { 1614 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1615 return -1; 1616 } 1617 } 1618 ret = SSL_TLSEXT_ERR_OK; 1619#endif /* OPENSSL_NO_EC */ 1620 1621 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1622 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1623 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1624 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1625 1626#ifdef TLSEXT_TYPE_opaque_prf_input 1627 if (s->s3->server_opaque_prf_input_len > 0) 1628 { 1629 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs. 1630 * So first verify that we really have a value from the server too. */ 1631 1632 if (s->s3->server_opaque_prf_input == NULL) 1633 { 1634 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1635 al = SSL_AD_HANDSHAKE_FAILURE; 1636 } 1637 1638 /* Anytime the server *has* sent an opaque PRF input, we need to check 1639 * that we have a client opaque PRF input of the same size. */ 1640 if (s->s3->client_opaque_prf_input == NULL || 1641 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) 1642 { 1643 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1644 al = SSL_AD_ILLEGAL_PARAMETER; 1645 } 1646 } 1647#endif 1648 1649 /* If we've requested certificate status and we wont get one 1650 * tell the callback 1651 */ 1652 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 1653 && s->ctx && s->ctx->tlsext_status_cb) 1654 { 1655 int r; 1656 /* Set resp to NULL, resplen to -1 so callback knows 1657 * there is no response. 1658 */ 1659 if (s->tlsext_ocsp_resp) 1660 { 1661 OPENSSL_free(s->tlsext_ocsp_resp); 1662 s->tlsext_ocsp_resp = NULL; 1663 } 1664 s->tlsext_ocsp_resplen = -1; 1665 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1666 if (r == 0) 1667 { 1668 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1669 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1670 } 1671 if (r < 0) 1672 { 1673 al = SSL_AD_INTERNAL_ERROR; 1674 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1675 } 1676 } 1677 1678 switch (ret) 1679 { 1680 case SSL_TLSEXT_ERR_ALERT_FATAL: 1681 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1682 return -1; 1683 1684 case SSL_TLSEXT_ERR_ALERT_WARNING: 1685 ssl3_send_alert(s,SSL3_AL_WARNING,al); 1686 return 1; 1687 1688 case SSL_TLSEXT_ERR_NOACK: 1689 s->servername_done=0; 1690 default: 1691 return 1; 1692 } 1693 } 1694 1695/* Since the server cache lookup is done early on in the processing of client 1696 * hello and other operations depend on the result we need to handle any TLS 1697 * session ticket extension at the same time. 1698 */ 1699 1700int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 1701 const unsigned char *limit, SSL_SESSION **ret) 1702 { 1703 /* Point after session ID in client hello */ 1704 const unsigned char *p = session_id + len; 1705 unsigned short i; 1706 1707 /* If tickets disabled behave as if no ticket present 1708 * to permit stateful resumption. 1709 */ 1710 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 1711 return 1; 1712 1713 if ((s->version <= SSL3_VERSION) || !limit) 1714 return 1; 1715 if (p >= limit) 1716 return -1; 1717 /* Skip past DTLS cookie */ 1718 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 1719 { 1720 i = *(p++); 1721 p+= i; 1722 if (p >= limit) 1723 return -1; 1724 } 1725 /* Skip past cipher list */ 1726 n2s(p, i); 1727 p+= i; 1728 if (p >= limit) 1729 return -1; 1730 /* Skip past compression algorithm list */ 1731 i = *(p++); 1732 p += i; 1733 if (p > limit) 1734 return -1; 1735 /* Now at start of extensions */ 1736 if ((p + 2) >= limit) 1737 return 1; 1738 n2s(p, i); 1739 while ((p + 4) <= limit) 1740 { 1741 unsigned short type, size; 1742 n2s(p, type); 1743 n2s(p, size); 1744 if (p + size > limit) 1745 return 1; 1746 if (type == TLSEXT_TYPE_session_ticket) 1747 { 1748 /* If tickets disabled indicate cache miss which will 1749 * trigger a full handshake 1750 */ 1751 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 1752 return 1; 1753 /* If zero length note client will accept a ticket 1754 * and indicate cache miss to trigger full handshake 1755 */ 1756 if (size == 0) 1757 { 1758 s->tlsext_ticket_expected = 1; 1759 return 0; /* Cache miss */ 1760 } 1761 if (s->tls_session_secret_cb) 1762 { 1763 /* Indicate cache miss here and instead of 1764 * generating the session from ticket now, 1765 * trigger abbreviated handshake based on 1766 * external mechanism to calculate the master 1767 * secret later. */ 1768 return 0; 1769 } 1770 return tls_decrypt_ticket(s, p, size, session_id, len, 1771 ret); 1772 } 1773 p += size; 1774 } 1775 return 1; 1776 } 1777 1778static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 1779 const unsigned char *sess_id, int sesslen, 1780 SSL_SESSION **psess) 1781 { 1782 SSL_SESSION *sess; 1783 unsigned char *sdec; 1784 const unsigned char *p; 1785 int slen, mlen, renew_ticket = 0; 1786 unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 1787 HMAC_CTX hctx; 1788 EVP_CIPHER_CTX ctx; 1789 SSL_CTX *tctx = s->initial_ctx; 1790 /* Need at least keyname + iv + some encrypted data */ 1791 if (eticklen < 48) 1792 goto tickerr; 1793 /* Initialize session ticket encryption and HMAC contexts */ 1794 HMAC_CTX_init(&hctx); 1795 EVP_CIPHER_CTX_init(&ctx); 1796 if (tctx->tlsext_ticket_key_cb) 1797 { 1798 unsigned char *nctick = (unsigned char *)etick; 1799 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 1800 &ctx, &hctx, 0); 1801 if (rv < 0) 1802 return -1; 1803 if (rv == 0) 1804 goto tickerr; 1805 if (rv == 2) 1806 renew_ticket = 1; 1807 } 1808 else 1809 { 1810 /* Check key name matches */ 1811 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 1812 goto tickerr; 1813 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 1814 tlsext_tick_md(), NULL); 1815 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 1816 tctx->tlsext_tick_aes_key, etick + 16); 1817 } 1818 /* Attempt to process session ticket, first conduct sanity and 1819 * integrity checks on ticket. 1820 */ 1821 mlen = HMAC_size(&hctx); 1822 if (mlen < 0) 1823 { 1824 EVP_CIPHER_CTX_cleanup(&ctx); 1825 return -1; 1826 } 1827 eticklen -= mlen; 1828 /* Check HMAC of encrypted ticket */ 1829 HMAC_Update(&hctx, etick, eticklen); 1830 HMAC_Final(&hctx, tick_hmac, NULL); 1831 HMAC_CTX_cleanup(&hctx); 1832 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) 1833 { 1834 EVP_CIPHER_CTX_cleanup(&ctx); 1835 goto tickerr; 1836 } 1837 /* Attempt to decrypt session data */ 1838 /* Move p after IV to start of encrypted ticket, update length */ 1839 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 1840 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 1841 sdec = OPENSSL_malloc(eticklen); 1842 if (!sdec) 1843 { 1844 EVP_CIPHER_CTX_cleanup(&ctx); 1845 return -1; 1846 } 1847 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 1848 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 1849 { 1850 EVP_CIPHER_CTX_cleanup(&ctx); 1851 OPENSSL_free(sdec); 1852 goto tickerr; 1853 } 1854 slen += mlen; 1855 EVP_CIPHER_CTX_cleanup(&ctx); 1856 p = sdec; 1857 1858 sess = d2i_SSL_SESSION(NULL, &p, slen); 1859 OPENSSL_free(sdec); 1860 if (sess) 1861 { 1862 /* The session ID if non-empty is used by some clients to 1863 * detect that the ticket has been accepted. So we copy it to 1864 * the session structure. If it is empty set length to zero 1865 * as required by standard. 1866 */ 1867 if (sesslen) 1868 memcpy(sess->session_id, sess_id, sesslen); 1869 sess->session_id_length = sesslen; 1870 *psess = sess; 1871 s->tlsext_ticket_expected = renew_ticket; 1872 return 1; 1873 } 1874 /* If session decrypt failure indicate a cache miss and set state to 1875 * send a new ticket 1876 */ 1877 tickerr: 1878 s->tlsext_ticket_expected = 1; 1879 return 0; 1880 } 1881 1882#endif 1883