155714Skris/* ssl/t1_lib.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 8280304Sjkim * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15280304Sjkim * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 22280304Sjkim * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 37280304Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40280304Sjkim * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 52280304Sjkim * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 58238405Sjkim/* ==================================================================== 59238405Sjkim * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60238405Sjkim * 61238405Sjkim * Redistribution and use in source and binary forms, with or without 62238405Sjkim * modification, are permitted provided that the following conditions 63238405Sjkim * are met: 64238405Sjkim * 65238405Sjkim * 1. Redistributions of source code must retain the above copyright 66280304Sjkim * notice, this list of conditions and the following disclaimer. 67238405Sjkim * 68238405Sjkim * 2. Redistributions in binary form must reproduce the above copyright 69238405Sjkim * notice, this list of conditions and the following disclaimer in 70238405Sjkim * the documentation and/or other materials provided with the 71238405Sjkim * distribution. 72238405Sjkim * 73238405Sjkim * 3. All advertising materials mentioning features or use of this 74238405Sjkim * software must display the following acknowledgment: 75238405Sjkim * "This product includes software developed by the OpenSSL Project 76238405Sjkim * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77238405Sjkim * 78238405Sjkim * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79238405Sjkim * endorse or promote products derived from this software without 80238405Sjkim * prior written permission. For written permission, please contact 81238405Sjkim * openssl-core@openssl.org. 82238405Sjkim * 83238405Sjkim * 5. Products derived from this software may not be called "OpenSSL" 84238405Sjkim * nor may "OpenSSL" appear in their names without prior written 85238405Sjkim * permission of the OpenSSL Project. 86238405Sjkim * 87238405Sjkim * 6. Redistributions of any form whatsoever must retain the following 88238405Sjkim * acknowledgment: 89238405Sjkim * "This product includes software developed by the OpenSSL Project 90238405Sjkim * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91238405Sjkim * 92238405Sjkim * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93238405Sjkim * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94238405Sjkim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95238405Sjkim * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96238405Sjkim * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97238405Sjkim * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98238405Sjkim * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99238405Sjkim * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100238405Sjkim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101238405Sjkim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102238405Sjkim * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103238405Sjkim * OF THE POSSIBILITY OF SUCH DAMAGE. 104238405Sjkim * ==================================================================== 105238405Sjkim * 106238405Sjkim * This product includes cryptographic software written by Eric Young 107238405Sjkim * (eay@cryptsoft.com). This product includes software written by Tim 108238405Sjkim * Hudson (tjh@cryptsoft.com). 109238405Sjkim * 110238405Sjkim */ 11155714Skris 11255714Skris#include <stdio.h> 11355714Skris#include <openssl/objects.h> 114194206Ssimon#include <openssl/evp.h> 115194206Ssimon#include <openssl/hmac.h> 116194206Ssimon#include <openssl/ocsp.h> 117238405Sjkim#include <openssl/rand.h> 11855714Skris#include "ssl_locl.h" 11955714Skris 120280304Sjkimconst char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT; 12155714Skris 122194206Ssimon#ifndef OPENSSL_NO_TLSEXT 123194206Ssimonstatic int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 124280304Sjkim const unsigned char *sess_id, int sesslen, 125280304Sjkim SSL_SESSION **psess); 126194206Ssimon#endif 127194206Ssimon 128280304SjkimSSL3_ENC_METHOD TLSv1_enc_data = { 129280304Sjkim tls1_enc, 130280304Sjkim tls1_mac, 131280304Sjkim tls1_setup_key_block, 132280304Sjkim tls1_generate_master_secret, 133280304Sjkim tls1_change_cipher_state, 134280304Sjkim tls1_final_finish_mac, 135280304Sjkim TLS1_FINISH_MAC_LENGTH, 136280304Sjkim tls1_cert_verify_mac, 137280304Sjkim TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 138280304Sjkim TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 139280304Sjkim tls1_alert_code, 140280304Sjkim tls1_export_keying_material, 141280304Sjkim}; 14255714Skris 143160814Ssimonlong tls1_default_timeout(void) 144280304Sjkim{ 145280304Sjkim /* 146280304Sjkim * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for 147280304Sjkim * http, the cache would over fill 148280304Sjkim */ 149280304Sjkim return (60 * 60 * 2); 150280304Sjkim} 15155714Skris 15255714Skrisint tls1_new(SSL *s) 153280304Sjkim{ 154280304Sjkim if (!ssl3_new(s)) 155280304Sjkim return (0); 156280304Sjkim s->method->ssl_clear(s); 157280304Sjkim return (1); 158280304Sjkim} 15955714Skris 16055714Skrisvoid tls1_free(SSL *s) 161280304Sjkim{ 162238405Sjkim#ifndef OPENSSL_NO_TLSEXT 163280304Sjkim if (s->tlsext_session_ticket) { 164280304Sjkim OPENSSL_free(s->tlsext_session_ticket); 165280304Sjkim } 166280304Sjkim#endif /* OPENSSL_NO_TLSEXT */ 167280304Sjkim ssl3_free(s); 168280304Sjkim} 16955714Skris 17055714Skrisvoid tls1_clear(SSL *s) 171280304Sjkim{ 172280304Sjkim ssl3_clear(s); 173280304Sjkim s->version = s->method->version; 174280304Sjkim} 17555714Skris 176238405Sjkim#ifndef OPENSSL_NO_EC 177238405Sjkim 178280304Sjkimstatic int nid_list[] = { 179280304Sjkim NID_sect163k1, /* sect163k1 (1) */ 180280304Sjkim NID_sect163r1, /* sect163r1 (2) */ 181280304Sjkim NID_sect163r2, /* sect163r2 (3) */ 182280304Sjkim NID_sect193r1, /* sect193r1 (4) */ 183280304Sjkim NID_sect193r2, /* sect193r2 (5) */ 184280304Sjkim NID_sect233k1, /* sect233k1 (6) */ 185280304Sjkim NID_sect233r1, /* sect233r1 (7) */ 186280304Sjkim NID_sect239k1, /* sect239k1 (8) */ 187280304Sjkim NID_sect283k1, /* sect283k1 (9) */ 188280304Sjkim NID_sect283r1, /* sect283r1 (10) */ 189280304Sjkim NID_sect409k1, /* sect409k1 (11) */ 190280304Sjkim NID_sect409r1, /* sect409r1 (12) */ 191280304Sjkim NID_sect571k1, /* sect571k1 (13) */ 192280304Sjkim NID_sect571r1, /* sect571r1 (14) */ 193280304Sjkim NID_secp160k1, /* secp160k1 (15) */ 194280304Sjkim NID_secp160r1, /* secp160r1 (16) */ 195280304Sjkim NID_secp160r2, /* secp160r2 (17) */ 196280304Sjkim NID_secp192k1, /* secp192k1 (18) */ 197280304Sjkim NID_X9_62_prime192v1, /* secp192r1 (19) */ 198280304Sjkim NID_secp224k1, /* secp224k1 (20) */ 199280304Sjkim NID_secp224r1, /* secp224r1 (21) */ 200280304Sjkim NID_secp256k1, /* secp256k1 (22) */ 201280304Sjkim NID_X9_62_prime256v1, /* secp256r1 (23) */ 202280304Sjkim NID_secp384r1, /* secp384r1 (24) */ 203280304Sjkim NID_secp521r1 /* secp521r1 (25) */ 204280304Sjkim}; 205238405Sjkim 206280304Sjkimstatic int pref_list[] = { 207280304Sjkim# ifndef OPENSSL_NO_EC2M 208280304Sjkim NID_sect571r1, /* sect571r1 (14) */ 209280304Sjkim NID_sect571k1, /* sect571k1 (13) */ 210280304Sjkim# endif 211280304Sjkim NID_secp521r1, /* secp521r1 (25) */ 212280304Sjkim# ifndef OPENSSL_NO_EC2M 213280304Sjkim NID_sect409k1, /* sect409k1 (11) */ 214280304Sjkim NID_sect409r1, /* sect409r1 (12) */ 215280304Sjkim# endif 216280304Sjkim NID_secp384r1, /* secp384r1 (24) */ 217280304Sjkim# ifndef OPENSSL_NO_EC2M 218280304Sjkim NID_sect283k1, /* sect283k1 (9) */ 219280304Sjkim NID_sect283r1, /* sect283r1 (10) */ 220280304Sjkim# endif 221280304Sjkim NID_secp256k1, /* secp256k1 (22) */ 222280304Sjkim NID_X9_62_prime256v1, /* secp256r1 (23) */ 223280304Sjkim# ifndef OPENSSL_NO_EC2M 224280304Sjkim NID_sect239k1, /* sect239k1 (8) */ 225280304Sjkim NID_sect233k1, /* sect233k1 (6) */ 226280304Sjkim NID_sect233r1, /* sect233r1 (7) */ 227280304Sjkim# endif 228280304Sjkim NID_secp224k1, /* secp224k1 (20) */ 229280304Sjkim NID_secp224r1, /* secp224r1 (21) */ 230280304Sjkim# ifndef OPENSSL_NO_EC2M 231280304Sjkim NID_sect193r1, /* sect193r1 (4) */ 232280304Sjkim NID_sect193r2, /* sect193r2 (5) */ 233280304Sjkim# endif 234280304Sjkim NID_secp192k1, /* secp192k1 (18) */ 235280304Sjkim NID_X9_62_prime192v1, /* secp192r1 (19) */ 236280304Sjkim# ifndef OPENSSL_NO_EC2M 237280304Sjkim NID_sect163k1, /* sect163k1 (1) */ 238280304Sjkim NID_sect163r1, /* sect163r1 (2) */ 239280304Sjkim NID_sect163r2, /* sect163r2 (3) */ 240280304Sjkim# endif 241280304Sjkim NID_secp160k1, /* secp160k1 (15) */ 242280304Sjkim NID_secp160r1, /* secp160r1 (16) */ 243280304Sjkim NID_secp160r2, /* secp160r2 (17) */ 244280304Sjkim}; 245238405Sjkim 246238405Sjkimint tls1_ec_curve_id2nid(int curve_id) 247280304Sjkim{ 248280304Sjkim /* ECC curves from RFC 4492 */ 249280304Sjkim if ((curve_id < 1) || ((unsigned int)curve_id > 250280304Sjkim sizeof(nid_list) / sizeof(nid_list[0]))) 251280304Sjkim return 0; 252280304Sjkim return nid_list[curve_id - 1]; 253280304Sjkim} 25459191Skris 255238405Sjkimint tls1_ec_nid2curve_id(int nid) 256280304Sjkim{ 257280304Sjkim /* ECC curves from RFC 4492 */ 258280304Sjkim switch (nid) { 259280304Sjkim case NID_sect163k1: /* sect163k1 (1) */ 260280304Sjkim return 1; 261280304Sjkim case NID_sect163r1: /* sect163r1 (2) */ 262280304Sjkim return 2; 263280304Sjkim case NID_sect163r2: /* sect163r2 (3) */ 264280304Sjkim return 3; 265280304Sjkim case NID_sect193r1: /* sect193r1 (4) */ 266280304Sjkim return 4; 267280304Sjkim case NID_sect193r2: /* sect193r2 (5) */ 268280304Sjkim return 5; 269280304Sjkim case NID_sect233k1: /* sect233k1 (6) */ 270280304Sjkim return 6; 271280304Sjkim case NID_sect233r1: /* sect233r1 (7) */ 272280304Sjkim return 7; 273280304Sjkim case NID_sect239k1: /* sect239k1 (8) */ 274280304Sjkim return 8; 275280304Sjkim case NID_sect283k1: /* sect283k1 (9) */ 276280304Sjkim return 9; 277280304Sjkim case NID_sect283r1: /* sect283r1 (10) */ 278280304Sjkim return 10; 279280304Sjkim case NID_sect409k1: /* sect409k1 (11) */ 280280304Sjkim return 11; 281280304Sjkim case NID_sect409r1: /* sect409r1 (12) */ 282280304Sjkim return 12; 283280304Sjkim case NID_sect571k1: /* sect571k1 (13) */ 284280304Sjkim return 13; 285280304Sjkim case NID_sect571r1: /* sect571r1 (14) */ 286280304Sjkim return 14; 287280304Sjkim case NID_secp160k1: /* secp160k1 (15) */ 288280304Sjkim return 15; 289280304Sjkim case NID_secp160r1: /* secp160r1 (16) */ 290280304Sjkim return 16; 291280304Sjkim case NID_secp160r2: /* secp160r2 (17) */ 292280304Sjkim return 17; 293280304Sjkim case NID_secp192k1: /* secp192k1 (18) */ 294280304Sjkim return 18; 295280304Sjkim case NID_X9_62_prime192v1: /* secp192r1 (19) */ 296280304Sjkim return 19; 297280304Sjkim case NID_secp224k1: /* secp224k1 (20) */ 298280304Sjkim return 20; 299280304Sjkim case NID_secp224r1: /* secp224r1 (21) */ 300280304Sjkim return 21; 301280304Sjkim case NID_secp256k1: /* secp256k1 (22) */ 302280304Sjkim return 22; 303280304Sjkim case NID_X9_62_prime256v1: /* secp256r1 (23) */ 304280304Sjkim return 23; 305280304Sjkim case NID_secp384r1: /* secp384r1 (24) */ 306280304Sjkim return 24; 307280304Sjkim case NID_secp521r1: /* secp521r1 (25) */ 308280304Sjkim return 25; 309280304Sjkim default: 310280304Sjkim return 0; 311280304Sjkim } 312280304Sjkim} 313280304Sjkim#endif /* OPENSSL_NO_EC */ 314238405Sjkim 315238405Sjkim#ifndef OPENSSL_NO_TLSEXT 316238405Sjkim 317280304Sjkim/* 318280304Sjkim * List of supported signature algorithms and hashes. Should make this 319238405Sjkim * customisable at some point, for now include everything we support. 320238405Sjkim */ 321238405Sjkim 322280304Sjkim# ifdef OPENSSL_NO_RSA 323280304Sjkim# define tlsext_sigalg_rsa(md) /* */ 324280304Sjkim# else 325280304Sjkim# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, 326280304Sjkim# endif 327194206Ssimon 328280304Sjkim# ifdef OPENSSL_NO_DSA 329280304Sjkim# define tlsext_sigalg_dsa(md) /* */ 330280304Sjkim# else 331280304Sjkim# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, 332280304Sjkim# endif 333238405Sjkim 334280304Sjkim# ifdef OPENSSL_NO_ECDSA 335280304Sjkim# define tlsext_sigalg_ecdsa(md) 336280304Sjkim /* */ 337280304Sjkim# else 338280304Sjkim# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, 339280304Sjkim# endif 340238405Sjkim 341280304Sjkim# define tlsext_sigalg(md) \ 342280304Sjkim tlsext_sigalg_rsa(md) \ 343280304Sjkim tlsext_sigalg_dsa(md) \ 344280304Sjkim tlsext_sigalg_ecdsa(md) 345238405Sjkim 346238405Sjkimstatic unsigned char tls12_sigalgs[] = { 347280304Sjkim# ifndef OPENSSL_NO_SHA512 348280304Sjkim tlsext_sigalg(TLSEXT_hash_sha512) 349280304Sjkim tlsext_sigalg(TLSEXT_hash_sha384) 350280304Sjkim# endif 351280304Sjkim# ifndef OPENSSL_NO_SHA256 352280304Sjkim tlsext_sigalg(TLSEXT_hash_sha256) 353280304Sjkim tlsext_sigalg(TLSEXT_hash_sha224) 354280304Sjkim# endif 355280304Sjkim# ifndef OPENSSL_NO_SHA 356280304Sjkim tlsext_sigalg(TLSEXT_hash_sha1) 357280304Sjkim# endif 358238405Sjkim}; 359238405Sjkim 360238405Sjkimint tls12_get_req_sig_algs(SSL *s, unsigned char *p) 361280304Sjkim{ 362280304Sjkim size_t slen = sizeof(tls12_sigalgs); 363280304Sjkim if (p) 364280304Sjkim memcpy(p, tls12_sigalgs, slen); 365280304Sjkim return (int)slen; 366280304Sjkim} 367238405Sjkim 368280304Sjkimunsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, 369280304Sjkim unsigned char *limit) 370280304Sjkim{ 371280304Sjkim int extdatalen = 0; 372280304Sjkim unsigned char *orig = buf; 373280304Sjkim unsigned char *ret = buf; 374194206Ssimon 375280304Sjkim /* don't add extensions for SSLv3 unless doing secure renegotiation */ 376280304Sjkim if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) 377280304Sjkim return orig; 378205128Ssimon 379280304Sjkim ret += 2; 380194206Ssimon 381280304Sjkim if (ret >= limit) 382280304Sjkim return NULL; /* this really never occurs, but ... */ 383194206Ssimon 384280304Sjkim if (s->tlsext_hostname != NULL) { 385280304Sjkim /* Add TLS extension servername to the Client Hello message */ 386280304Sjkim unsigned long size_str; 387280304Sjkim long lenmax; 388194206Ssimon 389280304Sjkim /*- 390280304Sjkim * check for enough space. 391280304Sjkim * 4 for the servername type and entension length 392280304Sjkim * 2 for servernamelist length 393280304Sjkim * 1 for the hostname type 394280304Sjkim * 2 for hostname length 395280304Sjkim * + hostname length 396280304Sjkim */ 397194206Ssimon 398280304Sjkim if ((lenmax = limit - ret - 9) < 0 399280304Sjkim || (size_str = 400280304Sjkim strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 401280304Sjkim return NULL; 402194206Ssimon 403280304Sjkim /* extension type and length */ 404280304Sjkim s2n(TLSEXT_TYPE_server_name, ret); 405280304Sjkim s2n(size_str + 5, ret); 406205128Ssimon 407280304Sjkim /* length of servername list */ 408280304Sjkim s2n(size_str + 3, ret); 409205128Ssimon 410280304Sjkim /* hostname type, length and hostname */ 411280304Sjkim *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name; 412280304Sjkim s2n(size_str, ret); 413280304Sjkim memcpy(ret, s->tlsext_hostname, size_str); 414280304Sjkim ret += size_str; 415280304Sjkim } 416280304Sjkim 417280304Sjkim /* Add RI if renegotiating */ 418280304Sjkim if (s->renegotiate) { 419280304Sjkim int el; 420280304Sjkim 421280304Sjkim if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 422280304Sjkim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 423280304Sjkim return NULL; 424205128Ssimon } 425205128Ssimon 426280304Sjkim if ((limit - ret - 4 - el) < 0) 427280304Sjkim return NULL; 428238405Sjkim 429280304Sjkim s2n(TLSEXT_TYPE_renegotiate, ret); 430280304Sjkim s2n(el, ret); 431238405Sjkim 432280304Sjkim if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 433280304Sjkim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 434280304Sjkim return NULL; 435280304Sjkim } 436238405Sjkim 437280304Sjkim ret += el; 438280304Sjkim } 439280304Sjkim# ifndef OPENSSL_NO_SRP 440280304Sjkim /* Add SRP username if there is one */ 441280304Sjkim if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the 442280304Sjkim * Client Hello message */ 443238405Sjkim 444280304Sjkim int login_len = strlen(s->srp_ctx.login); 445280304Sjkim if (login_len > 255 || login_len == 0) { 446280304Sjkim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 447280304Sjkim return NULL; 448280304Sjkim } 449238405Sjkim 450280304Sjkim /*- 451280304Sjkim * check for enough space. 452280304Sjkim * 4 for the srp type type and entension length 453280304Sjkim * 1 for the srp user identity 454280304Sjkim * + srp user identity length 455280304Sjkim */ 456280304Sjkim if ((limit - ret - 5 - login_len) < 0) 457280304Sjkim return NULL; 458238405Sjkim 459280304Sjkim /* fill in the extension */ 460280304Sjkim s2n(TLSEXT_TYPE_srp, ret); 461280304Sjkim s2n(login_len + 1, ret); 462280304Sjkim (*ret++) = (unsigned char)login_len; 463280304Sjkim memcpy(ret, s->srp_ctx.login, login_len); 464280304Sjkim ret += login_len; 465280304Sjkim } 466280304Sjkim# endif 467238405Sjkim 468280304Sjkim# ifndef OPENSSL_NO_EC 469280304Sjkim if (s->tlsext_ecpointformatlist != NULL) { 470280304Sjkim /* 471280304Sjkim * Add TLS extension ECPointFormats to the ClientHello message 472280304Sjkim */ 473280304Sjkim long lenmax; 474238405Sjkim 475280304Sjkim if ((lenmax = limit - ret - 5) < 0) 476280304Sjkim return NULL; 477280304Sjkim if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) 478280304Sjkim return NULL; 479280304Sjkim if (s->tlsext_ecpointformatlist_length > 255) { 480280304Sjkim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 481280304Sjkim return NULL; 482280304Sjkim } 483194206Ssimon 484280304Sjkim s2n(TLSEXT_TYPE_ec_point_formats, ret); 485280304Sjkim s2n(s->tlsext_ecpointformatlist_length + 1, ret); 486280304Sjkim *(ret++) = (unsigned char)s->tlsext_ecpointformatlist_length; 487280304Sjkim memcpy(ret, s->tlsext_ecpointformatlist, 488280304Sjkim s->tlsext_ecpointformatlist_length); 489280304Sjkim ret += s->tlsext_ecpointformatlist_length; 490280304Sjkim } 491280304Sjkim if (s->tlsext_ellipticcurvelist != NULL) { 492280304Sjkim /* 493280304Sjkim * Add TLS extension EllipticCurves to the ClientHello message 494280304Sjkim */ 495280304Sjkim long lenmax; 496238405Sjkim 497280304Sjkim if ((lenmax = limit - ret - 6) < 0) 498280304Sjkim return NULL; 499280304Sjkim if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) 500280304Sjkim return NULL; 501280304Sjkim if (s->tlsext_ellipticcurvelist_length > 65532) { 502280304Sjkim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 503280304Sjkim return NULL; 504280304Sjkim } 505238405Sjkim 506280304Sjkim s2n(TLSEXT_TYPE_elliptic_curves, ret); 507280304Sjkim s2n(s->tlsext_ellipticcurvelist_length + 2, ret); 508238405Sjkim 509280304Sjkim s2n(s->tlsext_ellipticcurvelist_length, ret); 510280304Sjkim memcpy(ret, s->tlsext_ellipticcurvelist, 511280304Sjkim s->tlsext_ellipticcurvelist_length); 512280304Sjkim ret += s->tlsext_ellipticcurvelist_length; 513280304Sjkim } 514280304Sjkim# endif /* OPENSSL_NO_EC */ 515194206Ssimon 516280304Sjkim if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 517280304Sjkim int ticklen; 518280304Sjkim if (!s->new_session && s->session && s->session->tlsext_tick) 519280304Sjkim ticklen = s->session->tlsext_ticklen; 520280304Sjkim else if (s->session && s->tlsext_session_ticket && 521280304Sjkim s->tlsext_session_ticket->data) { 522280304Sjkim ticklen = s->tlsext_session_ticket->length; 523280304Sjkim s->session->tlsext_tick = OPENSSL_malloc(ticklen); 524280304Sjkim if (!s->session->tlsext_tick) 525280304Sjkim return NULL; 526280304Sjkim memcpy(s->session->tlsext_tick, 527280304Sjkim s->tlsext_session_ticket->data, ticklen); 528280304Sjkim s->session->tlsext_ticklen = ticklen; 529280304Sjkim } else 530280304Sjkim ticklen = 0; 531280304Sjkim if (ticklen == 0 && s->tlsext_session_ticket && 532280304Sjkim s->tlsext_session_ticket->data == NULL) 533280304Sjkim goto skip_ext; 534280304Sjkim /* 535280304Sjkim * Check for enough room 2 for extension type, 2 for len rest for 536280304Sjkim * ticket 537280304Sjkim */ 538280304Sjkim if ((long)(limit - ret - 4 - ticklen) < 0) 539280304Sjkim return NULL; 540280304Sjkim s2n(TLSEXT_TYPE_session_ticket, ret); 541280304Sjkim s2n(ticklen, ret); 542280304Sjkim if (ticklen) { 543280304Sjkim memcpy(ret, s->session->tlsext_tick, ticklen); 544280304Sjkim ret += ticklen; 545280304Sjkim } 546280304Sjkim } 547280304Sjkim skip_ext: 548194206Ssimon 549280304Sjkim if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 550280304Sjkim if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 551280304Sjkim return NULL; 552280304Sjkim s2n(TLSEXT_TYPE_signature_algorithms, ret); 553280304Sjkim s2n(sizeof(tls12_sigalgs) + 2, ret); 554280304Sjkim s2n(sizeof(tls12_sigalgs), ret); 555280304Sjkim memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 556280304Sjkim ret += sizeof(tls12_sigalgs); 557280304Sjkim } 558280304Sjkim# ifdef TLSEXT_TYPE_opaque_prf_input 559280304Sjkim if (s->s3->client_opaque_prf_input != NULL && s->version != DTLS1_VERSION) { 560280304Sjkim size_t col = s->s3->client_opaque_prf_input_len; 561194206Ssimon 562280304Sjkim if ((long)(limit - ret - 6 - col < 0)) 563280304Sjkim return NULL; 564280304Sjkim if (col > 0xFFFD) /* can't happen */ 565280304Sjkim return NULL; 566238405Sjkim 567280304Sjkim s2n(TLSEXT_TYPE_opaque_prf_input, ret); 568280304Sjkim s2n(col + 2, ret); 569280304Sjkim s2n(col, ret); 570280304Sjkim memcpy(ret, s->s3->client_opaque_prf_input, col); 571280304Sjkim ret += col; 572280304Sjkim } 573280304Sjkim# endif 574238405Sjkim 575280304Sjkim if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 576280304Sjkim s->version != DTLS1_VERSION) { 577280304Sjkim int i; 578280304Sjkim long extlen, idlen, itmp; 579280304Sjkim OCSP_RESPID *id; 580238405Sjkim 581280304Sjkim idlen = 0; 582280304Sjkim for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 583280304Sjkim id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 584280304Sjkim itmp = i2d_OCSP_RESPID(id, NULL); 585280304Sjkim if (itmp <= 0) 586280304Sjkim return NULL; 587280304Sjkim idlen += itmp + 2; 588280304Sjkim } 589238405Sjkim 590280304Sjkim if (s->tlsext_ocsp_exts) { 591280304Sjkim extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 592280304Sjkim if (extlen < 0) 593280304Sjkim return NULL; 594280304Sjkim } else 595280304Sjkim extlen = 0; 596238405Sjkim 597280304Sjkim if ((long)(limit - ret - 7 - extlen - idlen) < 0) 598280304Sjkim return NULL; 599280304Sjkim s2n(TLSEXT_TYPE_status_request, ret); 600280304Sjkim if (extlen + idlen > 0xFFF0) 601280304Sjkim return NULL; 602280304Sjkim s2n(extlen + idlen + 5, ret); 603280304Sjkim *(ret++) = TLSEXT_STATUSTYPE_ocsp; 604280304Sjkim s2n(idlen, ret); 605280304Sjkim for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 606280304Sjkim /* save position of id len */ 607280304Sjkim unsigned char *q = ret; 608280304Sjkim id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 609280304Sjkim /* skip over id len */ 610280304Sjkim ret += 2; 611280304Sjkim itmp = i2d_OCSP_RESPID(id, &ret); 612280304Sjkim /* write id len */ 613280304Sjkim s2n(itmp, q); 614280304Sjkim } 615280304Sjkim s2n(extlen, ret); 616280304Sjkim if (extlen > 0) 617280304Sjkim i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 618280304Sjkim } 619280304Sjkim# ifndef OPENSSL_NO_HEARTBEATS 620280304Sjkim /* Add Heartbeat extension */ 621280304Sjkim if ((limit - ret - 4 - 1) < 0) 622280304Sjkim return NULL; 623280304Sjkim s2n(TLSEXT_TYPE_heartbeat, ret); 624280304Sjkim s2n(1, ret); 625280304Sjkim /*- 626280304Sjkim * Set mode: 627280304Sjkim * 1: peer may send requests 628280304Sjkim * 2: peer not allowed to send requests 629280304Sjkim */ 630280304Sjkim if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 631280304Sjkim *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 632280304Sjkim else 633280304Sjkim *(ret++) = SSL_TLSEXT_HB_ENABLED; 634280304Sjkim# endif 635264331Sjkim 636280304Sjkim# ifndef OPENSSL_NO_NEXTPROTONEG 637280304Sjkim if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 638280304Sjkim /* 639280304Sjkim * The client advertises an emtpy extension to indicate its support 640280304Sjkim * for Next Protocol Negotiation 641280304Sjkim */ 642280304Sjkim if (limit - ret - 4 < 0) 643280304Sjkim return NULL; 644280304Sjkim s2n(TLSEXT_TYPE_next_proto_neg, ret); 645280304Sjkim s2n(0, ret); 646280304Sjkim } 647280304Sjkim# endif 648264331Sjkim 649280304Sjkim# ifndef OPENSSL_NO_SRTP 650280304Sjkim if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 651280304Sjkim int el; 652194206Ssimon 653280304Sjkim ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 654194206Ssimon 655280304Sjkim if ((limit - ret - 4 - el) < 0) 656280304Sjkim return NULL; 657194206Ssimon 658280304Sjkim s2n(TLSEXT_TYPE_use_srtp, ret); 659280304Sjkim s2n(el, ret); 660194206Ssimon 661280304Sjkim if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 662280304Sjkim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 663280304Sjkim return NULL; 664280304Sjkim } 665280304Sjkim ret += el; 666280304Sjkim } 667280304Sjkim# endif 668280304Sjkim /* 669280304Sjkim * Add padding to workaround bugs in F5 terminators. See 670280304Sjkim * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this 671280304Sjkim * code works out the length of all existing extensions it MUST always 672280304Sjkim * appear last. 673280304Sjkim */ 674280304Sjkim if (s->options & SSL_OP_TLSEXT_PADDING) { 675280304Sjkim int hlen = ret - (unsigned char *)s->init_buf->data; 676280304Sjkim /* 677280304Sjkim * The code in s23_clnt.c to build ClientHello messages includes the 678280304Sjkim * 5-byte record header in the buffer, while the code in s3_clnt.c 679280304Sjkim * does not. 680280304Sjkim */ 681280304Sjkim if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 682280304Sjkim hlen -= 5; 683280304Sjkim if (hlen > 0xff && hlen < 0x200) { 684280304Sjkim hlen = 0x200 - hlen; 685280304Sjkim if (hlen >= 4) 686280304Sjkim hlen -= 4; 687280304Sjkim else 688280304Sjkim hlen = 0; 689194206Ssimon 690280304Sjkim s2n(TLSEXT_TYPE_padding, ret); 691280304Sjkim s2n(hlen, ret); 692280304Sjkim memset(ret, 0, hlen); 693280304Sjkim ret += hlen; 694280304Sjkim } 695280304Sjkim } 696205128Ssimon 697280304Sjkim if ((extdatalen = ret - orig - 2) == 0) 698280304Sjkim return orig; 699205128Ssimon 700280304Sjkim s2n(extdatalen, orig); 701280304Sjkim return ret; 702280304Sjkim} 703205128Ssimon 704280304Sjkimunsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, 705280304Sjkim unsigned char *limit) 706280304Sjkim{ 707280304Sjkim int extdatalen = 0; 708280304Sjkim unsigned char *orig = buf; 709280304Sjkim unsigned char *ret = buf; 710280304Sjkim# ifndef OPENSSL_NO_NEXTPROTONEG 711280304Sjkim int next_proto_neg_seen; 712280304Sjkim# endif 713205128Ssimon 714280304Sjkim /* 715280304Sjkim * don't add extensions for SSLv3, unless doing secure renegotiation 716280304Sjkim */ 717280304Sjkim if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 718280304Sjkim return orig; 719280304Sjkim 720280304Sjkim ret += 2; 721280304Sjkim if (ret >= limit) 722280304Sjkim return NULL; /* this really never occurs, but ... */ 723280304Sjkim 724280304Sjkim if (!s->hit && s->servername_done == 1 725280304Sjkim && s->session->tlsext_hostname != NULL) { 726280304Sjkim if ((long)(limit - ret - 4) < 0) 727280304Sjkim return NULL; 728280304Sjkim 729280304Sjkim s2n(TLSEXT_TYPE_server_name, ret); 730280304Sjkim s2n(0, ret); 731280304Sjkim } 732280304Sjkim 733280304Sjkim if (s->s3->send_connection_binding) { 734280304Sjkim int el; 735280304Sjkim 736280304Sjkim if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 737280304Sjkim SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 738280304Sjkim return NULL; 739205128Ssimon } 740238405Sjkim 741280304Sjkim if ((limit - ret - 4 - el) < 0) 742280304Sjkim return NULL; 743238405Sjkim 744280304Sjkim s2n(TLSEXT_TYPE_renegotiate, ret); 745280304Sjkim s2n(el, ret); 746238405Sjkim 747280304Sjkim if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 748280304Sjkim SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 749280304Sjkim return NULL; 750280304Sjkim } 751238405Sjkim 752280304Sjkim ret += el; 753280304Sjkim } 754280304Sjkim# ifndef OPENSSL_NO_EC 755280304Sjkim if (s->tlsext_ecpointformatlist != NULL) { 756280304Sjkim /* 757280304Sjkim * Add TLS extension ECPointFormats to the ServerHello message 758280304Sjkim */ 759280304Sjkim long lenmax; 760194206Ssimon 761280304Sjkim if ((lenmax = limit - ret - 5) < 0) 762280304Sjkim return NULL; 763280304Sjkim if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) 764280304Sjkim return NULL; 765280304Sjkim if (s->tlsext_ecpointformatlist_length > 255) { 766280304Sjkim SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 767280304Sjkim return NULL; 768280304Sjkim } 769194206Ssimon 770280304Sjkim s2n(TLSEXT_TYPE_ec_point_formats, ret); 771280304Sjkim s2n(s->tlsext_ecpointformatlist_length + 1, ret); 772280304Sjkim *(ret++) = (unsigned char)s->tlsext_ecpointformatlist_length; 773280304Sjkim memcpy(ret, s->tlsext_ecpointformatlist, 774280304Sjkim s->tlsext_ecpointformatlist_length); 775280304Sjkim ret += s->tlsext_ecpointformatlist_length; 776238405Sjkim 777280304Sjkim } 778280304Sjkim /* 779280304Sjkim * Currently the server should not respond with a SupportedCurves 780280304Sjkim * extension 781280304Sjkim */ 782280304Sjkim# endif /* OPENSSL_NO_EC */ 783238405Sjkim 784280304Sjkim if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 785280304Sjkim if ((long)(limit - ret - 4) < 0) 786280304Sjkim return NULL; 787280304Sjkim s2n(TLSEXT_TYPE_session_ticket, ret); 788280304Sjkim s2n(0, ret); 789280304Sjkim } 790238405Sjkim 791280304Sjkim if (s->tlsext_status_expected) { 792280304Sjkim if ((long)(limit - ret - 4) < 0) 793280304Sjkim return NULL; 794280304Sjkim s2n(TLSEXT_TYPE_status_request, ret); 795280304Sjkim s2n(0, ret); 796280304Sjkim } 797280304Sjkim# ifdef TLSEXT_TYPE_opaque_prf_input 798280304Sjkim if (s->s3->server_opaque_prf_input != NULL && s->version != DTLS1_VERSION) { 799280304Sjkim size_t sol = s->s3->server_opaque_prf_input_len; 800238405Sjkim 801280304Sjkim if ((long)(limit - ret - 6 - sol) < 0) 802280304Sjkim return NULL; 803280304Sjkim if (sol > 0xFFFD) /* can't happen */ 804280304Sjkim return NULL; 805238405Sjkim 806280304Sjkim s2n(TLSEXT_TYPE_opaque_prf_input, ret); 807280304Sjkim s2n(sol + 2, ret); 808280304Sjkim s2n(sol, ret); 809280304Sjkim memcpy(ret, s->s3->server_opaque_prf_input, sol); 810280304Sjkim ret += sol; 811280304Sjkim } 812280304Sjkim# endif 813238405Sjkim 814280304Sjkim# ifndef OPENSSL_NO_SRTP 815280304Sjkim if (SSL_IS_DTLS(s) && s->srtp_profile) { 816280304Sjkim int el; 817238405Sjkim 818280304Sjkim ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 819238405Sjkim 820280304Sjkim if ((limit - ret - 4 - el) < 0) 821280304Sjkim return NULL; 822238405Sjkim 823280304Sjkim s2n(TLSEXT_TYPE_use_srtp, ret); 824280304Sjkim s2n(el, ret); 825238405Sjkim 826280304Sjkim if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 827280304Sjkim SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 828280304Sjkim return NULL; 829280304Sjkim } 830280304Sjkim ret += el; 831280304Sjkim } 832280304Sjkim# endif 833238405Sjkim 834280304Sjkim if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 835280304Sjkim || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) 836280304Sjkim && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 837280304Sjkim const unsigned char cryptopro_ext[36] = { 838280304Sjkim 0xfd, 0xe8, /* 65000 */ 839280304Sjkim 0x00, 0x20, /* 32 bytes length */ 840280304Sjkim 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 841280304Sjkim 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 842280304Sjkim 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 843280304Sjkim 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 844280304Sjkim }; 845280304Sjkim if (limit - ret < 36) 846280304Sjkim return NULL; 847280304Sjkim memcpy(ret, cryptopro_ext, 36); 848280304Sjkim ret += 36; 849238405Sjkim 850280304Sjkim } 851280304Sjkim# ifndef OPENSSL_NO_HEARTBEATS 852280304Sjkim /* Add Heartbeat extension if we've received one */ 853280304Sjkim if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) { 854280304Sjkim if ((limit - ret - 4 - 1) < 0) 855280304Sjkim return NULL; 856280304Sjkim s2n(TLSEXT_TYPE_heartbeat, ret); 857280304Sjkim s2n(1, ret); 858280304Sjkim /*- 859280304Sjkim * Set mode: 860280304Sjkim * 1: peer may send requests 861280304Sjkim * 2: peer not allowed to send requests 862280304Sjkim */ 863280304Sjkim if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 864280304Sjkim *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 865280304Sjkim else 866280304Sjkim *(ret++) = SSL_TLSEXT_HB_ENABLED; 867194206Ssimon 868280304Sjkim } 869280304Sjkim# endif 870194206Ssimon 871280304Sjkim# ifndef OPENSSL_NO_NEXTPROTONEG 872280304Sjkim next_proto_neg_seen = s->s3->next_proto_neg_seen; 873280304Sjkim s->s3->next_proto_neg_seen = 0; 874280304Sjkim if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 875280304Sjkim const unsigned char *npa; 876280304Sjkim unsigned int npalen; 877280304Sjkim int r; 878280304Sjkim 879280304Sjkim r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 880280304Sjkim s-> 881280304Sjkim ctx->next_protos_advertised_cb_arg); 882280304Sjkim if (r == SSL_TLSEXT_ERR_OK) { 883280304Sjkim if ((long)(limit - ret - 4 - npalen) < 0) 884280304Sjkim return NULL; 885280304Sjkim s2n(TLSEXT_TYPE_next_proto_neg, ret); 886280304Sjkim s2n(npalen, ret); 887280304Sjkim memcpy(ret, npa, npalen); 888280304Sjkim ret += npalen; 889280304Sjkim s->s3->next_proto_neg_seen = 1; 890280304Sjkim } 891280304Sjkim } 892280304Sjkim# endif 893280304Sjkim 894280304Sjkim if ((extdatalen = ret - orig - 2) == 0) 895280304Sjkim return orig; 896280304Sjkim 897280304Sjkim s2n(extdatalen, orig); 898280304Sjkim return ret; 899280304Sjkim} 900280304Sjkim 901280304Sjkim# ifndef OPENSSL_NO_EC 902280304Sjkim/*- 903280304Sjkim * ssl_check_for_safari attempts to fingerprint Safari using OS X 904264331Sjkim * SecureTransport using the TLS extension block in |d|, of length |n|. 905264331Sjkim * Safari, since 10.6, sends exactly these extensions, in this order: 906264331Sjkim * SNI, 907264331Sjkim * elliptic_curves 908264331Sjkim * ec_point_formats 909264331Sjkim * 910264331Sjkim * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, 911264331Sjkim * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. 912264331Sjkim * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 913264331Sjkim * 10.8..10.8.3 (which don't work). 914264331Sjkim */ 915280304Sjkimstatic void ssl_check_for_safari(SSL *s, const unsigned char *data, 916291721Sjkim const unsigned char *limit) 917280304Sjkim{ 918280304Sjkim unsigned short type, size; 919280304Sjkim static const unsigned char kSafariExtensionsBlock[] = { 920280304Sjkim 0x00, 0x0a, /* elliptic_curves extension */ 921280304Sjkim 0x00, 0x08, /* 8 bytes */ 922280304Sjkim 0x00, 0x06, /* 6 bytes of curve ids */ 923280304Sjkim 0x00, 0x17, /* P-256 */ 924280304Sjkim 0x00, 0x18, /* P-384 */ 925280304Sjkim 0x00, 0x19, /* P-521 */ 926264331Sjkim 927280304Sjkim 0x00, 0x0b, /* ec_point_formats */ 928280304Sjkim 0x00, 0x02, /* 2 bytes */ 929280304Sjkim 0x01, /* 1 point format */ 930280304Sjkim 0x00, /* uncompressed */ 931280304Sjkim }; 932264331Sjkim 933280304Sjkim /* The following is only present in TLS 1.2 */ 934280304Sjkim static const unsigned char kSafariTLS12ExtensionsBlock[] = { 935280304Sjkim 0x00, 0x0d, /* signature_algorithms */ 936280304Sjkim 0x00, 0x0c, /* 12 bytes */ 937280304Sjkim 0x00, 0x0a, /* 10 bytes */ 938280304Sjkim 0x05, 0x01, /* SHA-384/RSA */ 939280304Sjkim 0x04, 0x01, /* SHA-256/RSA */ 940280304Sjkim 0x02, 0x01, /* SHA-1/RSA */ 941280304Sjkim 0x04, 0x03, /* SHA-256/ECDSA */ 942280304Sjkim 0x02, 0x03, /* SHA-1/ECDSA */ 943280304Sjkim }; 944264331Sjkim 945306196Sjkim if (limit - data <= 2) 946280304Sjkim return; 947280304Sjkim data += 2; 948264331Sjkim 949306196Sjkim if (limit - data < 4) 950280304Sjkim return; 951280304Sjkim n2s(data, type); 952280304Sjkim n2s(data, size); 953264331Sjkim 954280304Sjkim if (type != TLSEXT_TYPE_server_name) 955280304Sjkim return; 956264331Sjkim 957306196Sjkim if (limit - data < size) 958280304Sjkim return; 959280304Sjkim data += size; 960264331Sjkim 961280304Sjkim if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 962280304Sjkim const size_t len1 = sizeof(kSafariExtensionsBlock); 963280304Sjkim const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 964264331Sjkim 965306196Sjkim if (limit - data != (int)(len1 + len2)) 966280304Sjkim return; 967280304Sjkim if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 968280304Sjkim return; 969280304Sjkim if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 970280304Sjkim return; 971280304Sjkim } else { 972280304Sjkim const size_t len = sizeof(kSafariExtensionsBlock); 973264331Sjkim 974306196Sjkim if (limit - data != (int)(len)) 975280304Sjkim return; 976280304Sjkim if (memcmp(data, kSafariExtensionsBlock, len) != 0) 977280304Sjkim return; 978280304Sjkim } 979264331Sjkim 980280304Sjkim s->s3->is_probably_safari = 1; 981264331Sjkim} 982280304Sjkim# endif /* !OPENSSL_NO_EC */ 983264331Sjkim 984291721Sjkimint ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, 985291721Sjkim unsigned char *limit, int *al) 986280304Sjkim{ 987280304Sjkim unsigned short type; 988280304Sjkim unsigned short size; 989280304Sjkim unsigned short len; 990280304Sjkim unsigned char *data = *p; 991280304Sjkim int renegotiate_seen = 0; 992280304Sjkim int sigalg_seen = 0; 993205128Ssimon 994280304Sjkim s->servername_done = 0; 995280304Sjkim s->tlsext_status_type = -1; 996280304Sjkim# ifndef OPENSSL_NO_NEXTPROTONEG 997280304Sjkim s->s3->next_proto_neg_seen = 0; 998280304Sjkim# endif 999194206Ssimon 1000280304Sjkim# ifndef OPENSSL_NO_HEARTBEATS 1001280304Sjkim s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1002280304Sjkim SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1003280304Sjkim# endif 1004238405Sjkim 1005280304Sjkim# ifndef OPENSSL_NO_EC 1006280304Sjkim if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 1007291721Sjkim ssl_check_for_safari(s, data, limit); 1008280304Sjkim# endif /* !OPENSSL_NO_EC */ 1009264331Sjkim 1010280304Sjkim# ifndef OPENSSL_NO_SRP 1011280304Sjkim if (s->srp_ctx.login != NULL) { 1012280304Sjkim OPENSSL_free(s->srp_ctx.login); 1013280304Sjkim s->srp_ctx.login = NULL; 1014280304Sjkim } 1015280304Sjkim# endif 1016276864Sjkim 1017280304Sjkim s->srtp_profile = NULL; 1018276864Sjkim 1019291721Sjkim if (data == limit) 1020284330Sjkim goto ri_check; 1021284330Sjkim 1022306196Sjkim if (limit - data < 2) 1023284330Sjkim goto err; 1024284330Sjkim 1025280304Sjkim n2s(data, len); 1026194206Ssimon 1027306196Sjkim if (limit - data != len) 1028284285Sjkim goto err; 1029194206Ssimon 1030306196Sjkim while (limit - data >= 4) { 1031280304Sjkim n2s(data, type); 1032280304Sjkim n2s(data, size); 1033194206Ssimon 1034306196Sjkim if (limit - data < size) 1035284285Sjkim goto err; 1036280304Sjkim# if 0 1037280304Sjkim fprintf(stderr, "Received extension type %d size %d\n", type, size); 1038280304Sjkim# endif 1039280304Sjkim if (s->tlsext_debug_cb) 1040280304Sjkim s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg); 1041280304Sjkim/*- 1042280304Sjkim * The servername extension is treated as follows: 1043280304Sjkim * 1044280304Sjkim * - Only the hostname type is supported with a maximum length of 255. 1045280304Sjkim * - The servername is rejected if too long or if it contains zeros, 1046280304Sjkim * in which case an fatal alert is generated. 1047280304Sjkim * - The servername field is maintained together with the session cache. 1048280304Sjkim * - When a session is resumed, the servername call back invoked in order 1049280304Sjkim * to allow the application to position itself to the right context. 1050280304Sjkim * - The servername is acknowledged if it is new for a session or when 1051280304Sjkim * it is identical to a previously used for the same session. 1052280304Sjkim * Applications can control the behaviour. They can at any time 1053280304Sjkim * set a 'desirable' servername for a new SSL object. This can be the 1054280304Sjkim * case for example with HTTPS when a Host: header field is received and 1055280304Sjkim * a renegotiation is requested. In this case, a possible servername 1056280304Sjkim * presented in the new client hello is only acknowledged if it matches 1057280304Sjkim * the value of the Host: field. 1058280304Sjkim * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1059280304Sjkim * if they provide for changing an explicit servername context for the 1060280304Sjkim * session, i.e. when the session has been established with a servername 1061280304Sjkim * extension. 1062280304Sjkim * - On session reconnect, the servername extension may be absent. 1063280304Sjkim * 1064280304Sjkim */ 1065194206Ssimon 1066280304Sjkim if (type == TLSEXT_TYPE_server_name) { 1067280304Sjkim unsigned char *sdata; 1068280304Sjkim int servname_type; 1069280304Sjkim int dsize; 1070194206Ssimon 1071284285Sjkim if (size < 2) 1072284285Sjkim goto err; 1073280304Sjkim n2s(data, dsize); 1074280304Sjkim size -= 2; 1075284285Sjkim if (dsize > size) 1076284285Sjkim goto err; 1077194206Ssimon 1078280304Sjkim sdata = data; 1079280304Sjkim while (dsize > 3) { 1080280304Sjkim servname_type = *(sdata++); 1081280304Sjkim n2s(sdata, len); 1082280304Sjkim dsize -= 3; 1083194206Ssimon 1084284285Sjkim if (len > dsize) 1085284285Sjkim goto err; 1086284285Sjkim 1087280304Sjkim if (s->servername_done == 0) 1088280304Sjkim switch (servname_type) { 1089280304Sjkim case TLSEXT_NAMETYPE_host_name: 1090280304Sjkim if (!s->hit) { 1091284285Sjkim if (s->session->tlsext_hostname) 1092284285Sjkim goto err; 1093284285Sjkim 1094280304Sjkim if (len > TLSEXT_MAXLEN_host_name) { 1095280304Sjkim *al = TLS1_AD_UNRECOGNIZED_NAME; 1096280304Sjkim return 0; 1097280304Sjkim } 1098280304Sjkim if ((s->session->tlsext_hostname = 1099280304Sjkim OPENSSL_malloc(len + 1)) == NULL) { 1100280304Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1101280304Sjkim return 0; 1102280304Sjkim } 1103280304Sjkim memcpy(s->session->tlsext_hostname, sdata, len); 1104280304Sjkim s->session->tlsext_hostname[len] = '\0'; 1105280304Sjkim if (strlen(s->session->tlsext_hostname) != len) { 1106280304Sjkim OPENSSL_free(s->session->tlsext_hostname); 1107280304Sjkim s->session->tlsext_hostname = NULL; 1108280304Sjkim *al = TLS1_AD_UNRECOGNIZED_NAME; 1109280304Sjkim return 0; 1110280304Sjkim } 1111280304Sjkim s->servername_done = 1; 1112194206Ssimon 1113280304Sjkim } else 1114280304Sjkim s->servername_done = s->session->tlsext_hostname 1115280304Sjkim && strlen(s->session->tlsext_hostname) == len 1116280304Sjkim && strncmp(s->session->tlsext_hostname, 1117280304Sjkim (char *)sdata, len) == 0; 1118194206Ssimon 1119280304Sjkim break; 1120194206Ssimon 1121280304Sjkim default: 1122280304Sjkim break; 1123280304Sjkim } 1124194206Ssimon 1125280304Sjkim dsize -= len; 1126280304Sjkim } 1127284285Sjkim if (dsize != 0) 1128284285Sjkim goto err; 1129238405Sjkim 1130280304Sjkim } 1131280304Sjkim# ifndef OPENSSL_NO_SRP 1132280304Sjkim else if (type == TLSEXT_TYPE_srp) { 1133284285Sjkim if (size == 0 || ((len = data[0])) != (size - 1)) 1134284285Sjkim goto err; 1135284285Sjkim if (s->srp_ctx.login != NULL) 1136284285Sjkim goto err; 1137280304Sjkim if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL) 1138280304Sjkim return -1; 1139280304Sjkim memcpy(s->srp_ctx.login, &data[1], len); 1140280304Sjkim s->srp_ctx.login[len] = '\0'; 1141238405Sjkim 1142284285Sjkim if (strlen(s->srp_ctx.login) != len) 1143284285Sjkim goto err; 1144280304Sjkim } 1145280304Sjkim# endif 1146238405Sjkim 1147280304Sjkim# ifndef OPENSSL_NO_EC 1148280304Sjkim else if (type == TLSEXT_TYPE_ec_point_formats) { 1149280304Sjkim unsigned char *sdata = data; 1150280304Sjkim int ecpointformatlist_length = *(sdata++); 1151238405Sjkim 1152284285Sjkim if (ecpointformatlist_length != size - 1) 1153284285Sjkim goto err; 1154280304Sjkim if (!s->hit) { 1155280304Sjkim if (s->session->tlsext_ecpointformatlist) { 1156280304Sjkim OPENSSL_free(s->session->tlsext_ecpointformatlist); 1157280304Sjkim s->session->tlsext_ecpointformatlist = NULL; 1158280304Sjkim } 1159280304Sjkim s->session->tlsext_ecpointformatlist_length = 0; 1160280304Sjkim if ((s->session->tlsext_ecpointformatlist = 1161280304Sjkim OPENSSL_malloc(ecpointformatlist_length)) == NULL) { 1162280304Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1163280304Sjkim return 0; 1164280304Sjkim } 1165280304Sjkim s->session->tlsext_ecpointformatlist_length = 1166280304Sjkim ecpointformatlist_length; 1167280304Sjkim memcpy(s->session->tlsext_ecpointformatlist, sdata, 1168280304Sjkim ecpointformatlist_length); 1169280304Sjkim } 1170280304Sjkim# if 0 1171280304Sjkim fprintf(stderr, 1172280304Sjkim "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", 1173280304Sjkim s->session->tlsext_ecpointformatlist_length); 1174280304Sjkim sdata = s->session->tlsext_ecpointformatlist; 1175280304Sjkim for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1176280304Sjkim fprintf(stderr, "%i ", *(sdata++)); 1177280304Sjkim fprintf(stderr, "\n"); 1178280304Sjkim# endif 1179280304Sjkim } else if (type == TLSEXT_TYPE_elliptic_curves) { 1180280304Sjkim unsigned char *sdata = data; 1181280304Sjkim int ellipticcurvelist_length = (*(sdata++) << 8); 1182280304Sjkim ellipticcurvelist_length += (*(sdata++)); 1183238405Sjkim 1184280304Sjkim if (ellipticcurvelist_length != size - 2 || 1185280304Sjkim ellipticcurvelist_length < 1 || 1186280304Sjkim /* Each NamedCurve is 2 bytes. */ 1187284285Sjkim ellipticcurvelist_length & 1) 1188284285Sjkim goto err; 1189284285Sjkim 1190280304Sjkim if (!s->hit) { 1191284285Sjkim if (s->session->tlsext_ellipticcurvelist) 1192284285Sjkim goto err; 1193284285Sjkim 1194280304Sjkim s->session->tlsext_ellipticcurvelist_length = 0; 1195280304Sjkim if ((s->session->tlsext_ellipticcurvelist = 1196280304Sjkim OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { 1197280304Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1198280304Sjkim return 0; 1199280304Sjkim } 1200280304Sjkim s->session->tlsext_ellipticcurvelist_length = 1201280304Sjkim ellipticcurvelist_length; 1202280304Sjkim memcpy(s->session->tlsext_ellipticcurvelist, sdata, 1203280304Sjkim ellipticcurvelist_length); 1204280304Sjkim } 1205280304Sjkim# if 0 1206280304Sjkim fprintf(stderr, 1207280304Sjkim "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", 1208280304Sjkim s->session->tlsext_ellipticcurvelist_length); 1209280304Sjkim sdata = s->session->tlsext_ellipticcurvelist; 1210280304Sjkim for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) 1211280304Sjkim fprintf(stderr, "%i ", *(sdata++)); 1212280304Sjkim fprintf(stderr, "\n"); 1213280304Sjkim# endif 1214280304Sjkim } 1215280304Sjkim# endif /* OPENSSL_NO_EC */ 1216280304Sjkim# ifdef TLSEXT_TYPE_opaque_prf_input 1217280304Sjkim else if (type == TLSEXT_TYPE_opaque_prf_input && 1218280304Sjkim s->version != DTLS1_VERSION) { 1219280304Sjkim unsigned char *sdata = data; 1220194206Ssimon 1221280304Sjkim if (size < 2) { 1222280304Sjkim *al = SSL_AD_DECODE_ERROR; 1223280304Sjkim return 0; 1224280304Sjkim } 1225280304Sjkim n2s(sdata, s->s3->client_opaque_prf_input_len); 1226280304Sjkim if (s->s3->client_opaque_prf_input_len != size - 2) { 1227280304Sjkim *al = SSL_AD_DECODE_ERROR; 1228280304Sjkim return 0; 1229280304Sjkim } 1230194206Ssimon 1231280304Sjkim if (s->s3->client_opaque_prf_input != NULL) { 1232280304Sjkim /* shouldn't really happen */ 1233280304Sjkim OPENSSL_free(s->s3->client_opaque_prf_input); 1234280304Sjkim } 1235237657Sjkim 1236280304Sjkim /* dummy byte just to get non-NULL */ 1237280304Sjkim if (s->s3->client_opaque_prf_input_len == 0) 1238280304Sjkim s->s3->client_opaque_prf_input = OPENSSL_malloc(1); 1239280304Sjkim else 1240280304Sjkim s->s3->client_opaque_prf_input = 1241280304Sjkim BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); 1242280304Sjkim if (s->s3->client_opaque_prf_input == NULL) { 1243280304Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1244280304Sjkim return 0; 1245280304Sjkim } 1246280304Sjkim } 1247280304Sjkim# endif 1248280304Sjkim else if (type == TLSEXT_TYPE_session_ticket) { 1249280304Sjkim if (s->tls_session_ticket_ext_cb && 1250280304Sjkim !s->tls_session_ticket_ext_cb(s, data, size, 1251280304Sjkim s->tls_session_ticket_ext_cb_arg)) 1252280304Sjkim { 1253280304Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1254280304Sjkim return 0; 1255280304Sjkim } 1256280304Sjkim } else if (type == TLSEXT_TYPE_renegotiate) { 1257280304Sjkim if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1258280304Sjkim return 0; 1259280304Sjkim renegotiate_seen = 1; 1260280304Sjkim } else if (type == TLSEXT_TYPE_signature_algorithms) { 1261280304Sjkim int dsize; 1262284285Sjkim if (sigalg_seen || size < 2) 1263284285Sjkim goto err; 1264280304Sjkim sigalg_seen = 1; 1265280304Sjkim n2s(data, dsize); 1266280304Sjkim size -= 2; 1267284285Sjkim if (dsize != size || dsize & 1) 1268284285Sjkim goto err; 1269284285Sjkim if (!tls1_process_sigalgs(s, data, dsize)) 1270284285Sjkim goto err; 1271280304Sjkim } else if (type == TLSEXT_TYPE_status_request && 1272280304Sjkim s->version != DTLS1_VERSION) { 1273205128Ssimon 1274284285Sjkim if (size < 5) 1275284285Sjkim goto err; 1276238405Sjkim 1277280304Sjkim s->tlsext_status_type = *data++; 1278280304Sjkim size--; 1279280304Sjkim if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1280280304Sjkim const unsigned char *sdata; 1281280304Sjkim int dsize; 1282280304Sjkim /* Read in responder_id_list */ 1283280304Sjkim n2s(data, dsize); 1284280304Sjkim size -= 2; 1285284285Sjkim if (dsize > size) 1286284285Sjkim goto err; 1287306196Sjkim 1288306196Sjkim /* 1289306196Sjkim * We remove any OCSP_RESPIDs from a previous handshake 1290306196Sjkim * to prevent unbounded memory growth - CVE-2016-6304 1291306196Sjkim */ 1292306196Sjkim sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, 1293306196Sjkim OCSP_RESPID_free); 1294306196Sjkim if (dsize > 0) { 1295306196Sjkim s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 1296306196Sjkim if (s->tlsext_ocsp_ids == NULL) { 1297306196Sjkim *al = SSL_AD_INTERNAL_ERROR; 1298306196Sjkim return 0; 1299306196Sjkim } 1300306196Sjkim } else { 1301306196Sjkim s->tlsext_ocsp_ids = NULL; 1302306196Sjkim } 1303306196Sjkim 1304280304Sjkim while (dsize > 0) { 1305280304Sjkim OCSP_RESPID *id; 1306280304Sjkim int idsize; 1307284285Sjkim if (dsize < 4) 1308284285Sjkim goto err; 1309280304Sjkim n2s(data, idsize); 1310280304Sjkim dsize -= 2 + idsize; 1311280304Sjkim size -= 2 + idsize; 1312284285Sjkim if (dsize < 0) 1313284285Sjkim goto err; 1314280304Sjkim sdata = data; 1315280304Sjkim data += idsize; 1316280304Sjkim id = d2i_OCSP_RESPID(NULL, &sdata, idsize); 1317284285Sjkim if (!id) 1318284285Sjkim goto err; 1319280304Sjkim if (data != sdata) { 1320280304Sjkim OCSP_RESPID_free(id); 1321284285Sjkim goto err; 1322280304Sjkim } 1323280304Sjkim if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { 1324280304Sjkim OCSP_RESPID_free(id); 1325280304Sjkim *al = SSL_AD_INTERNAL_ERROR; 1326280304Sjkim return 0; 1327280304Sjkim } 1328280304Sjkim } 1329194206Ssimon 1330280304Sjkim /* Read in request_extensions */ 1331284285Sjkim if (size < 2) 1332284285Sjkim goto err; 1333280304Sjkim n2s(data, dsize); 1334280304Sjkim size -= 2; 1335284285Sjkim if (dsize != size) 1336284285Sjkim goto err; 1337280304Sjkim sdata = data; 1338280304Sjkim if (dsize > 0) { 1339280304Sjkim if (s->tlsext_ocsp_exts) { 1340280304Sjkim sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1341280304Sjkim X509_EXTENSION_free); 1342280304Sjkim } 1343194206Ssimon 1344280304Sjkim s->tlsext_ocsp_exts = 1345280304Sjkim d2i_X509_EXTENSIONS(NULL, &sdata, dsize); 1346284285Sjkim if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) 1347284285Sjkim goto err; 1348280304Sjkim } 1349280304Sjkim } 1350280304Sjkim /* 1351280304Sjkim * We don't know what to do with any other type * so ignore it. 1352280304Sjkim */ 1353280304Sjkim else 1354280304Sjkim s->tlsext_status_type = -1; 1355280304Sjkim } 1356280304Sjkim# ifndef OPENSSL_NO_HEARTBEATS 1357280304Sjkim else if (type == TLSEXT_TYPE_heartbeat) { 1358280304Sjkim switch (data[0]) { 1359280304Sjkim case 0x01: /* Client allows us to send HB requests */ 1360280304Sjkim s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1361280304Sjkim break; 1362280304Sjkim case 0x02: /* Client doesn't accept HB requests */ 1363280304Sjkim s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1364280304Sjkim s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1365280304Sjkim break; 1366280304Sjkim default: 1367280304Sjkim *al = SSL_AD_ILLEGAL_PARAMETER; 1368280304Sjkim return 0; 1369280304Sjkim } 1370280304Sjkim } 1371280304Sjkim# endif 1372280304Sjkim# ifndef OPENSSL_NO_NEXTPROTONEG 1373280304Sjkim else if (type == TLSEXT_TYPE_next_proto_neg && 1374280304Sjkim s->s3->tmp.finish_md_len == 0) { 1375280304Sjkim /*- 1376280304Sjkim * We shouldn't accept this extension on a 1377280304Sjkim * renegotiation. 1378280304Sjkim * 1379280304Sjkim * s->new_session will be set on renegotiation, but we 1380280304Sjkim * probably shouldn't rely that it couldn't be set on 1381280304Sjkim * the initial renegotation too in certain cases (when 1382280304Sjkim * there's some other reason to disallow resuming an 1383280304Sjkim * earlier session -- the current code won't be doing 1384280304Sjkim * anything like that, but this might change). 1385280304Sjkim * 1386280304Sjkim * A valid sign that there's been a previous handshake 1387280304Sjkim * in this connection is if s->s3->tmp.finish_md_len > 1388280304Sjkim * 0. (We are talking about a check that will happen 1389280304Sjkim * in the Hello protocol round, well before a new 1390280304Sjkim * Finished message could have been computed.) 1391280304Sjkim */ 1392280304Sjkim s->s3->next_proto_neg_seen = 1; 1393280304Sjkim } 1394280304Sjkim# endif 1395205128Ssimon 1396280304Sjkim /* session ticket processed earlier */ 1397280304Sjkim# ifndef OPENSSL_NO_SRTP 1398280304Sjkim else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) 1399280304Sjkim && type == TLSEXT_TYPE_use_srtp) { 1400280304Sjkim if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1401280304Sjkim return 0; 1402280304Sjkim } 1403280304Sjkim# endif 1404205128Ssimon 1405280304Sjkim data += size; 1406280304Sjkim } 1407205128Ssimon 1408284285Sjkim /* Spurious data on the end */ 1409291721Sjkim if (data != limit) 1410284285Sjkim goto err; 1411284285Sjkim 1412280304Sjkim *p = data; 1413194206Ssimon 1414280304Sjkim ri_check: 1415280304Sjkim 1416280304Sjkim /* Need RI if renegotiating */ 1417280304Sjkim 1418280304Sjkim if (!renegotiate_seen && s->renegotiate && 1419280304Sjkim !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 1420280304Sjkim *al = SSL_AD_HANDSHAKE_FAILURE; 1421280304Sjkim SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1422280304Sjkim SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1423280304Sjkim return 0; 1424280304Sjkim } 1425280304Sjkim 1426280304Sjkim return 1; 1427284285Sjkimerr: 1428284285Sjkim *al = SSL_AD_DECODE_ERROR; 1429284285Sjkim return 0; 1430280304Sjkim} 1431280304Sjkim 1432280304Sjkim# ifndef OPENSSL_NO_NEXTPROTONEG 1433280304Sjkim/* 1434280304Sjkim * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1435280304Sjkim * elements of zero length are allowed and the set of elements must exactly 1436280304Sjkim * fill the length of the block. 1437280304Sjkim */ 1438238405Sjkimstatic char ssl_next_proto_validate(unsigned char *d, unsigned len) 1439280304Sjkim{ 1440280304Sjkim unsigned int off = 0; 1441238405Sjkim 1442280304Sjkim while (off < len) { 1443280304Sjkim if (d[off] == 0) 1444280304Sjkim return 0; 1445280304Sjkim off += d[off]; 1446280304Sjkim off++; 1447280304Sjkim } 1448238405Sjkim 1449280304Sjkim return off == len; 1450280304Sjkim} 1451280304Sjkim# endif 1452238405Sjkim 1453280304Sjkimint ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1454280304Sjkim int n, int *al) 1455280304Sjkim{ 1456280304Sjkim unsigned short length; 1457280304Sjkim unsigned short type; 1458280304Sjkim unsigned short size; 1459280304Sjkim unsigned char *data = *p; 1460280304Sjkim int tlsext_servername = 0; 1461280304Sjkim int renegotiate_seen = 0; 1462194206Ssimon 1463280304Sjkim# ifndef OPENSSL_NO_NEXTPROTONEG 1464280304Sjkim s->s3->next_proto_neg_seen = 0; 1465280304Sjkim# endif 1466280304Sjkim s->tlsext_ticket_expected = 0; 1467238405Sjkim 1468280304Sjkim# ifndef OPENSSL_NO_HEARTBEATS 1469280304Sjkim s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1470280304Sjkim SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1471280304Sjkim# endif 1472238405Sjkim 1473306196Sjkim if ((d + n) - data <= 2) 1474280304Sjkim goto ri_check; 1475194206Ssimon 1476280304Sjkim n2s(data, length); 1477306196Sjkim if ((d + n) - data != length) { 1478280304Sjkim *al = SSL_AD_DECODE_ERROR; 1479280304Sjkim return 0; 1480280304Sjkim } 1481194206Ssimon 1482306196Sjkim while ((d + n) - data >= 4) { 1483280304Sjkim n2s(data, type); 1484280304Sjkim n2s(data, size); 1485194206Ssimon 1486306196Sjkim if ((d + n) - data < size) 1487280304Sjkim goto ri_check; 1488194206Ssimon 1489280304Sjkim if (s->tlsext_debug_cb) 1490280304Sjkim s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg); 1491194206Ssimon 1492280304Sjkim if (type == TLSEXT_TYPE_server_name) { 1493280304Sjkim if (s->tlsext_hostname == NULL || size > 0) { 1494280304Sjkim *al = TLS1_AD_UNRECOGNIZED_NAME; 1495280304Sjkim return 0; 1496280304Sjkim } 1497280304Sjkim tlsext_servername = 1; 1498280304Sjkim } 1499280304Sjkim# ifndef OPENSSL_NO_EC 1500280304Sjkim else if (type == TLSEXT_TYPE_ec_point_formats) { 1501280304Sjkim unsigned char *sdata = data; 1502280304Sjkim int ecpointformatlist_length = *(sdata++); 1503238405Sjkim 1504280304Sjkim if (ecpointformatlist_length != size - 1 || 1505280304Sjkim ecpointformatlist_length < 1) { 1506280304Sjkim *al = TLS1_AD_DECODE_ERROR; 1507280304Sjkim return 0; 1508280304Sjkim } 1509280304Sjkim if (!s->hit) { 1510280304Sjkim s->session->tlsext_ecpointformatlist_length = 0; 1511280304Sjkim if (s->session->tlsext_ecpointformatlist != NULL) 1512280304Sjkim OPENSSL_free(s->session->tlsext_ecpointformatlist); 1513280304Sjkim if ((s->session->tlsext_ecpointformatlist = 1514280304Sjkim OPENSSL_malloc(ecpointformatlist_length)) == NULL) { 1515280304Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1516280304Sjkim return 0; 1517280304Sjkim } 1518280304Sjkim s->session->tlsext_ecpointformatlist_length = 1519280304Sjkim ecpointformatlist_length; 1520280304Sjkim memcpy(s->session->tlsext_ecpointformatlist, sdata, 1521280304Sjkim ecpointformatlist_length); 1522280304Sjkim } 1523280304Sjkim# if 0 1524280304Sjkim fprintf(stderr, 1525280304Sjkim "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); 1526280304Sjkim sdata = s->session->tlsext_ecpointformatlist; 1527280304Sjkim for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1528280304Sjkim fprintf(stderr, "%i ", *(sdata++)); 1529280304Sjkim fprintf(stderr, "\n"); 1530280304Sjkim# endif 1531280304Sjkim } 1532280304Sjkim# endif /* OPENSSL_NO_EC */ 1533238405Sjkim 1534280304Sjkim else if (type == TLSEXT_TYPE_session_ticket) { 1535280304Sjkim if (s->tls_session_ticket_ext_cb && 1536280304Sjkim !s->tls_session_ticket_ext_cb(s, data, size, 1537280304Sjkim s->tls_session_ticket_ext_cb_arg)) 1538280304Sjkim { 1539280304Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1540280304Sjkim return 0; 1541280304Sjkim } 1542280304Sjkim if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 1543280304Sjkim || (size > 0)) { 1544280304Sjkim *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1545280304Sjkim return 0; 1546280304Sjkim } 1547280304Sjkim s->tlsext_ticket_expected = 1; 1548280304Sjkim } 1549280304Sjkim# ifdef TLSEXT_TYPE_opaque_prf_input 1550280304Sjkim else if (type == TLSEXT_TYPE_opaque_prf_input && 1551280304Sjkim s->version != DTLS1_VERSION) { 1552280304Sjkim unsigned char *sdata = data; 1553238405Sjkim 1554280304Sjkim if (size < 2) { 1555280304Sjkim *al = SSL_AD_DECODE_ERROR; 1556280304Sjkim return 0; 1557280304Sjkim } 1558280304Sjkim n2s(sdata, s->s3->server_opaque_prf_input_len); 1559280304Sjkim if (s->s3->server_opaque_prf_input_len != size - 2) { 1560280304Sjkim *al = SSL_AD_DECODE_ERROR; 1561280304Sjkim return 0; 1562280304Sjkim } 1563238405Sjkim 1564280304Sjkim if (s->s3->server_opaque_prf_input != NULL) { 1565280304Sjkim /* shouldn't really happen */ 1566280304Sjkim OPENSSL_free(s->s3->server_opaque_prf_input); 1567280304Sjkim } 1568280304Sjkim if (s->s3->server_opaque_prf_input_len == 0) { 1569280304Sjkim /* dummy byte just to get non-NULL */ 1570280304Sjkim s->s3->server_opaque_prf_input = OPENSSL_malloc(1); 1571280304Sjkim } else { 1572280304Sjkim s->s3->server_opaque_prf_input = 1573280304Sjkim BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); 1574280304Sjkim } 1575238405Sjkim 1576280304Sjkim if (s->s3->server_opaque_prf_input == NULL) { 1577280304Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1578280304Sjkim return 0; 1579280304Sjkim } 1580280304Sjkim } 1581280304Sjkim# endif 1582280304Sjkim else if (type == TLSEXT_TYPE_status_request && 1583280304Sjkim s->version != DTLS1_VERSION) { 1584280304Sjkim /* 1585280304Sjkim * MUST be empty and only sent if we've requested a status 1586280304Sjkim * request message. 1587280304Sjkim */ 1588280304Sjkim if ((s->tlsext_status_type == -1) || (size > 0)) { 1589280304Sjkim *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1590280304Sjkim return 0; 1591280304Sjkim } 1592280304Sjkim /* Set flag to expect CertificateStatus message */ 1593280304Sjkim s->tlsext_status_expected = 1; 1594280304Sjkim } 1595280304Sjkim# ifndef OPENSSL_NO_NEXTPROTONEG 1596280304Sjkim else if (type == TLSEXT_TYPE_next_proto_neg && 1597280304Sjkim s->s3->tmp.finish_md_len == 0) { 1598280304Sjkim unsigned char *selected; 1599280304Sjkim unsigned char selected_len; 1600238405Sjkim 1601280304Sjkim /* We must have requested it. */ 1602280304Sjkim if (s->ctx->next_proto_select_cb == NULL) { 1603280304Sjkim *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1604280304Sjkim return 0; 1605280304Sjkim } 1606280304Sjkim /* The data must be valid */ 1607280304Sjkim if (!ssl_next_proto_validate(data, size)) { 1608280304Sjkim *al = TLS1_AD_DECODE_ERROR; 1609280304Sjkim return 0; 1610280304Sjkim } 1611280304Sjkim if (s-> 1612280304Sjkim ctx->next_proto_select_cb(s, &selected, &selected_len, data, 1613280304Sjkim size, 1614280304Sjkim s->ctx->next_proto_select_cb_arg) != 1615280304Sjkim SSL_TLSEXT_ERR_OK) { 1616280304Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1617280304Sjkim return 0; 1618280304Sjkim } 1619280304Sjkim s->next_proto_negotiated = OPENSSL_malloc(selected_len); 1620280304Sjkim if (!s->next_proto_negotiated) { 1621280304Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1622280304Sjkim return 0; 1623280304Sjkim } 1624280304Sjkim memcpy(s->next_proto_negotiated, selected, selected_len); 1625280304Sjkim s->next_proto_negotiated_len = selected_len; 1626280304Sjkim s->s3->next_proto_neg_seen = 1; 1627280304Sjkim } 1628280304Sjkim# endif 1629280304Sjkim else if (type == TLSEXT_TYPE_renegotiate) { 1630280304Sjkim if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1631280304Sjkim return 0; 1632280304Sjkim renegotiate_seen = 1; 1633280304Sjkim } 1634280304Sjkim# ifndef OPENSSL_NO_HEARTBEATS 1635280304Sjkim else if (type == TLSEXT_TYPE_heartbeat) { 1636280304Sjkim switch (data[0]) { 1637280304Sjkim case 0x01: /* Server allows us to send HB requests */ 1638280304Sjkim s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1639280304Sjkim break; 1640280304Sjkim case 0x02: /* Server doesn't accept HB requests */ 1641280304Sjkim s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1642280304Sjkim s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1643280304Sjkim break; 1644280304Sjkim default: 1645280304Sjkim *al = SSL_AD_ILLEGAL_PARAMETER; 1646280304Sjkim return 0; 1647280304Sjkim } 1648280304Sjkim } 1649280304Sjkim# endif 1650280304Sjkim# ifndef OPENSSL_NO_SRTP 1651280304Sjkim else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1652280304Sjkim if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al)) 1653280304Sjkim return 0; 1654280304Sjkim } 1655280304Sjkim# endif 1656238405Sjkim 1657280304Sjkim data += size; 1658280304Sjkim } 1659194206Ssimon 1660280304Sjkim if (data != d + n) { 1661280304Sjkim *al = SSL_AD_DECODE_ERROR; 1662280304Sjkim return 0; 1663280304Sjkim } 1664194206Ssimon 1665280304Sjkim if (!s->hit && tlsext_servername == 1) { 1666280304Sjkim if (s->tlsext_hostname) { 1667280304Sjkim if (s->session->tlsext_hostname == NULL) { 1668280304Sjkim s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 1669280304Sjkim if (!s->session->tlsext_hostname) { 1670280304Sjkim *al = SSL_AD_UNRECOGNIZED_NAME; 1671280304Sjkim return 0; 1672280304Sjkim } 1673280304Sjkim } else { 1674280304Sjkim *al = SSL_AD_DECODE_ERROR; 1675280304Sjkim return 0; 1676280304Sjkim } 1677280304Sjkim } 1678280304Sjkim } 1679194206Ssimon 1680280304Sjkim *p = data; 1681205128Ssimon 1682280304Sjkim ri_check: 1683205128Ssimon 1684280304Sjkim /* 1685280304Sjkim * Determine if we need to see RI. Strictly speaking if we want to avoid 1686280304Sjkim * an attack we should *always* see RI even on initial server hello 1687280304Sjkim * because the client doesn't see any renegotiation during an attack. 1688280304Sjkim * However this would mean we could not connect to any server which 1689280304Sjkim * doesn't support RI so for the immediate future tolerate RI absence on 1690280304Sjkim * initial connect only. 1691280304Sjkim */ 1692280304Sjkim if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 1693280304Sjkim && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 1694280304Sjkim *al = SSL_AD_HANDSHAKE_FAILURE; 1695280304Sjkim SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1696280304Sjkim SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1697280304Sjkim return 0; 1698280304Sjkim } 1699205128Ssimon 1700280304Sjkim return 1; 1701280304Sjkim} 1702194206Ssimon 1703238405Sjkimint ssl_prepare_clienthello_tlsext(SSL *s) 1704280304Sjkim{ 1705280304Sjkim# ifndef OPENSSL_NO_EC 1706280304Sjkim /* 1707280304Sjkim * If we are client and using an elliptic curve cryptography cipher 1708280304Sjkim * suite, send the point formats and elliptic curves we support. 1709280304Sjkim */ 1710280304Sjkim int using_ecc = 0; 1711280304Sjkim int i; 1712280304Sjkim unsigned char *j; 1713280304Sjkim unsigned long alg_k, alg_a; 1714280304Sjkim STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 1715238405Sjkim 1716280304Sjkim for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 1717280304Sjkim SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 1718238405Sjkim 1719280304Sjkim alg_k = c->algorithm_mkey; 1720280304Sjkim alg_a = c->algorithm_auth; 1721280304Sjkim if ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe) 1722280304Sjkim || (alg_a & SSL_aECDSA))) { 1723280304Sjkim using_ecc = 1; 1724280304Sjkim break; 1725280304Sjkim } 1726280304Sjkim } 1727280304Sjkim using_ecc = using_ecc && (s->version >= TLS1_VERSION); 1728280304Sjkim if (using_ecc) { 1729280304Sjkim if (s->tlsext_ecpointformatlist != NULL) 1730280304Sjkim OPENSSL_free(s->tlsext_ecpointformatlist); 1731280304Sjkim if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) { 1732280304Sjkim SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, 1733280304Sjkim ERR_R_MALLOC_FAILURE); 1734280304Sjkim return -1; 1735280304Sjkim } 1736280304Sjkim s->tlsext_ecpointformatlist_length = 3; 1737280304Sjkim s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1738280304Sjkim s->tlsext_ecpointformatlist[1] = 1739280304Sjkim TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1740280304Sjkim s->tlsext_ecpointformatlist[2] = 1741280304Sjkim TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1742238405Sjkim 1743280304Sjkim /* we support all named elliptic curves in RFC 4492 */ 1744280304Sjkim if (s->tlsext_ellipticcurvelist != NULL) 1745280304Sjkim OPENSSL_free(s->tlsext_ellipticcurvelist); 1746280304Sjkim s->tlsext_ellipticcurvelist_length = 1747280304Sjkim sizeof(pref_list) / sizeof(pref_list[0]) * 2; 1748280304Sjkim if ((s->tlsext_ellipticcurvelist = 1749280304Sjkim OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) { 1750280304Sjkim s->tlsext_ellipticcurvelist_length = 0; 1751280304Sjkim SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, 1752280304Sjkim ERR_R_MALLOC_FAILURE); 1753280304Sjkim return -1; 1754280304Sjkim } 1755280304Sjkim for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < 1756280304Sjkim sizeof(pref_list) / sizeof(pref_list[0]); i++) { 1757280304Sjkim int id = tls1_ec_nid2curve_id(pref_list[i]); 1758280304Sjkim s2n(id, j); 1759280304Sjkim } 1760280304Sjkim } 1761280304Sjkim# endif /* OPENSSL_NO_EC */ 1762238405Sjkim 1763280304Sjkim# ifdef TLSEXT_TYPE_opaque_prf_input 1764280304Sjkim { 1765280304Sjkim int r = 1; 1766238405Sjkim 1767280304Sjkim if (s->ctx->tlsext_opaque_prf_input_callback != 0) { 1768280304Sjkim r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, 1769280304Sjkim s-> 1770280304Sjkim ctx->tlsext_opaque_prf_input_callback_arg); 1771280304Sjkim if (!r) 1772280304Sjkim return -1; 1773280304Sjkim } 1774238405Sjkim 1775280304Sjkim if (s->tlsext_opaque_prf_input != NULL) { 1776280304Sjkim if (s->s3->client_opaque_prf_input != NULL) { 1777280304Sjkim /* shouldn't really happen */ 1778280304Sjkim OPENSSL_free(s->s3->client_opaque_prf_input); 1779280304Sjkim } 1780238405Sjkim 1781280304Sjkim if (s->tlsext_opaque_prf_input_len == 0) { 1782280304Sjkim /* dummy byte just to get non-NULL */ 1783280304Sjkim s->s3->client_opaque_prf_input = OPENSSL_malloc(1); 1784280304Sjkim } else { 1785280304Sjkim s->s3->client_opaque_prf_input = 1786280304Sjkim BUF_memdup(s->tlsext_opaque_prf_input, 1787280304Sjkim s->tlsext_opaque_prf_input_len); 1788280304Sjkim } 1789280304Sjkim if (s->s3->client_opaque_prf_input == NULL) { 1790280304Sjkim SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, 1791280304Sjkim ERR_R_MALLOC_FAILURE); 1792280304Sjkim return -1; 1793280304Sjkim } 1794280304Sjkim s->s3->client_opaque_prf_input_len = 1795280304Sjkim s->tlsext_opaque_prf_input_len; 1796280304Sjkim } 1797238405Sjkim 1798280304Sjkim if (r == 2) 1799280304Sjkim /* 1800280304Sjkim * at callback's request, insist on receiving an appropriate 1801280304Sjkim * server opaque PRF input 1802280304Sjkim */ 1803280304Sjkim s->s3->server_opaque_prf_input_len = 1804280304Sjkim s->tlsext_opaque_prf_input_len; 1805280304Sjkim } 1806280304Sjkim# endif 1807238405Sjkim 1808280304Sjkim return 1; 1809280304Sjkim} 1810280304Sjkim 1811238405Sjkimint ssl_prepare_serverhello_tlsext(SSL *s) 1812280304Sjkim{ 1813280304Sjkim# ifndef OPENSSL_NO_EC 1814280304Sjkim /* 1815280304Sjkim * If we are server and using an ECC cipher suite, send the point formats 1816280304Sjkim * we support if the client sent us an ECPointsFormat extension. Note 1817280304Sjkim * that the server is not supposed to send an EllipticCurves extension. 1818280304Sjkim */ 1819238405Sjkim 1820280304Sjkim unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1821280304Sjkim unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1822280304Sjkim int using_ecc = (alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)) 1823280304Sjkim || (alg_a & SSL_aECDSA); 1824280304Sjkim using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); 1825238405Sjkim 1826280304Sjkim if (using_ecc) { 1827280304Sjkim if (s->tlsext_ecpointformatlist != NULL) 1828280304Sjkim OPENSSL_free(s->tlsext_ecpointformatlist); 1829280304Sjkim if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) { 1830280304Sjkim SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT, 1831280304Sjkim ERR_R_MALLOC_FAILURE); 1832280304Sjkim return -1; 1833280304Sjkim } 1834280304Sjkim s->tlsext_ecpointformatlist_length = 3; 1835280304Sjkim s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1836280304Sjkim s->tlsext_ecpointformatlist[1] = 1837280304Sjkim TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1838280304Sjkim s->tlsext_ecpointformatlist[2] = 1839280304Sjkim TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1840280304Sjkim } 1841280304Sjkim# endif /* OPENSSL_NO_EC */ 1842238405Sjkim 1843280304Sjkim return 1; 1844280304Sjkim} 1845280304Sjkim 1846246772Sjkimint ssl_check_clienthello_tlsext_early(SSL *s) 1847280304Sjkim{ 1848280304Sjkim int ret = SSL_TLSEXT_ERR_NOACK; 1849280304Sjkim int al = SSL_AD_UNRECOGNIZED_NAME; 1850194206Ssimon 1851280304Sjkim# ifndef OPENSSL_NO_EC 1852280304Sjkim /* 1853280304Sjkim * The handling of the ECPointFormats extension is done elsewhere, namely 1854280304Sjkim * in ssl3_choose_cipher in s3_lib.c. 1855280304Sjkim */ 1856280304Sjkim /* 1857280304Sjkim * The handling of the EllipticCurves extension is done elsewhere, namely 1858280304Sjkim * in ssl3_choose_cipher in s3_lib.c. 1859280304Sjkim */ 1860280304Sjkim# endif 1861238405Sjkim 1862280304Sjkim if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1863280304Sjkim ret = 1864280304Sjkim s->ctx->tlsext_servername_callback(s, &al, 1865280304Sjkim s->ctx->tlsext_servername_arg); 1866280304Sjkim else if (s->initial_ctx != NULL 1867280304Sjkim && s->initial_ctx->tlsext_servername_callback != 0) 1868280304Sjkim ret = 1869280304Sjkim s->initial_ctx->tlsext_servername_callback(s, &al, 1870280304Sjkim s-> 1871280304Sjkim initial_ctx->tlsext_servername_arg); 1872194206Ssimon 1873280304Sjkim# ifdef TLSEXT_TYPE_opaque_prf_input 1874280304Sjkim { 1875280304Sjkim /* 1876280304Sjkim * This sort of belongs into ssl_prepare_serverhello_tlsext(), but we 1877280304Sjkim * might be sending an alert in response to the client hello, so this 1878280304Sjkim * has to happen here in ssl_check_clienthello_tlsext_early(). 1879280304Sjkim */ 1880238405Sjkim 1881280304Sjkim int r = 1; 1882238405Sjkim 1883280304Sjkim if (s->ctx->tlsext_opaque_prf_input_callback != 0) { 1884280304Sjkim r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, 1885280304Sjkim s-> 1886280304Sjkim ctx->tlsext_opaque_prf_input_callback_arg); 1887280304Sjkim if (!r) { 1888280304Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1889280304Sjkim al = SSL_AD_INTERNAL_ERROR; 1890280304Sjkim goto err; 1891280304Sjkim } 1892280304Sjkim } 1893238405Sjkim 1894280304Sjkim if (s->s3->server_opaque_prf_input != NULL) { 1895280304Sjkim /* shouldn't really happen */ 1896280304Sjkim OPENSSL_free(s->s3->server_opaque_prf_input); 1897280304Sjkim } 1898280304Sjkim s->s3->server_opaque_prf_input = NULL; 1899238405Sjkim 1900280304Sjkim if (s->tlsext_opaque_prf_input != NULL) { 1901280304Sjkim if (s->s3->client_opaque_prf_input != NULL && 1902280304Sjkim s->s3->client_opaque_prf_input_len == 1903280304Sjkim s->tlsext_opaque_prf_input_len) { 1904280304Sjkim /* 1905280304Sjkim * can only use this extension if we have a server opaque PRF 1906280304Sjkim * input of the same length as the client opaque PRF input! 1907280304Sjkim */ 1908238405Sjkim 1909280304Sjkim if (s->tlsext_opaque_prf_input_len == 0) { 1910280304Sjkim /* dummy byte just to get non-NULL */ 1911280304Sjkim s->s3->server_opaque_prf_input = OPENSSL_malloc(1); 1912280304Sjkim } else { 1913280304Sjkim s->s3->server_opaque_prf_input = 1914280304Sjkim BUF_memdup(s->tlsext_opaque_prf_input, 1915280304Sjkim s->tlsext_opaque_prf_input_len); 1916280304Sjkim } 1917280304Sjkim if (s->s3->server_opaque_prf_input == NULL) { 1918280304Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1919280304Sjkim al = SSL_AD_INTERNAL_ERROR; 1920280304Sjkim goto err; 1921280304Sjkim } 1922280304Sjkim s->s3->server_opaque_prf_input_len = 1923280304Sjkim s->tlsext_opaque_prf_input_len; 1924280304Sjkim } 1925280304Sjkim } 1926238405Sjkim 1927280304Sjkim if (r == 2 && s->s3->server_opaque_prf_input == NULL) { 1928280304Sjkim /* 1929280304Sjkim * The callback wants to enforce use of the extension, but we 1930280304Sjkim * can't do that with the client opaque PRF input; abort the 1931280304Sjkim * handshake. 1932280304Sjkim */ 1933280304Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1934280304Sjkim al = SSL_AD_HANDSHAKE_FAILURE; 1935280304Sjkim } 1936280304Sjkim } 1937280304Sjkim 1938246772Sjkim err: 1939280304Sjkim# endif 1940280304Sjkim switch (ret) { 1941280304Sjkim case SSL_TLSEXT_ERR_ALERT_FATAL: 1942280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, al); 1943280304Sjkim return -1; 1944194206Ssimon 1945280304Sjkim case SSL_TLSEXT_ERR_ALERT_WARNING: 1946280304Sjkim ssl3_send_alert(s, SSL3_AL_WARNING, al); 1947280304Sjkim return 1; 1948194206Ssimon 1949280304Sjkim case SSL_TLSEXT_ERR_NOACK: 1950280304Sjkim s->servername_done = 0; 1951280304Sjkim default: 1952280304Sjkim return 1; 1953280304Sjkim } 1954280304Sjkim} 1955280304Sjkim 1956246772Sjkimint ssl_check_clienthello_tlsext_late(SSL *s) 1957280304Sjkim{ 1958280304Sjkim int ret = SSL_TLSEXT_ERR_OK; 1959280304Sjkim int al; 1960246772Sjkim 1961280304Sjkim /* 1962280304Sjkim * If status request then ask callback what to do. Note: this must be 1963280304Sjkim * called after servername callbacks in case the certificate has 1964280304Sjkim * changed, and must be called after the cipher has been chosen because 1965280304Sjkim * this may influence which certificate is sent 1966280304Sjkim */ 1967280304Sjkim if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) { 1968280304Sjkim int r; 1969280304Sjkim CERT_PKEY *certpkey; 1970280304Sjkim certpkey = ssl_get_server_send_pkey(s); 1971280304Sjkim /* If no certificate can't return certificate status */ 1972280304Sjkim if (certpkey == NULL) { 1973280304Sjkim s->tlsext_status_expected = 0; 1974280304Sjkim return 1; 1975280304Sjkim } 1976280304Sjkim /* 1977280304Sjkim * Set current certificate to one we will use so SSL_get_certificate 1978280304Sjkim * et al can pick it up. 1979280304Sjkim */ 1980280304Sjkim s->cert->key = certpkey; 1981280304Sjkim r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1982280304Sjkim switch (r) { 1983280304Sjkim /* We don't want to send a status request response */ 1984280304Sjkim case SSL_TLSEXT_ERR_NOACK: 1985280304Sjkim s->tlsext_status_expected = 0; 1986280304Sjkim break; 1987280304Sjkim /* status request response should be sent */ 1988280304Sjkim case SSL_TLSEXT_ERR_OK: 1989280304Sjkim if (s->tlsext_ocsp_resp) 1990280304Sjkim s->tlsext_status_expected = 1; 1991280304Sjkim else 1992280304Sjkim s->tlsext_status_expected = 0; 1993280304Sjkim break; 1994280304Sjkim /* something bad happened */ 1995280304Sjkim case SSL_TLSEXT_ERR_ALERT_FATAL: 1996280304Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1997280304Sjkim al = SSL_AD_INTERNAL_ERROR; 1998280304Sjkim goto err; 1999280304Sjkim } 2000280304Sjkim } else 2001280304Sjkim s->tlsext_status_expected = 0; 2002246772Sjkim 2003246772Sjkim err: 2004280304Sjkim switch (ret) { 2005280304Sjkim case SSL_TLSEXT_ERR_ALERT_FATAL: 2006280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, al); 2007280304Sjkim return -1; 2008246772Sjkim 2009280304Sjkim case SSL_TLSEXT_ERR_ALERT_WARNING: 2010280304Sjkim ssl3_send_alert(s, SSL3_AL_WARNING, al); 2011280304Sjkim return 1; 2012246772Sjkim 2013280304Sjkim default: 2014280304Sjkim return 1; 2015280304Sjkim } 2016280304Sjkim} 2017246772Sjkim 2018194206Ssimonint ssl_check_serverhello_tlsext(SSL *s) 2019280304Sjkim{ 2020280304Sjkim int ret = SSL_TLSEXT_ERR_NOACK; 2021280304Sjkim int al = SSL_AD_UNRECOGNIZED_NAME; 2022194206Ssimon 2023280304Sjkim# ifndef OPENSSL_NO_EC 2024280304Sjkim /* 2025280304Sjkim * If we are client and using an elliptic curve cryptography cipher 2026280304Sjkim * suite, then if server returns an EC point formats lists extension it 2027280304Sjkim * must contain uncompressed. 2028280304Sjkim */ 2029280304Sjkim unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2030280304Sjkim unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2031280304Sjkim if ((s->tlsext_ecpointformatlist != NULL) 2032280304Sjkim && (s->tlsext_ecpointformatlist_length > 0) 2033280304Sjkim && (s->session->tlsext_ecpointformatlist != NULL) 2034280304Sjkim && (s->session->tlsext_ecpointformatlist_length > 0) 2035280304Sjkim && ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)) 2036280304Sjkim || (alg_a & SSL_aECDSA))) { 2037280304Sjkim /* we are using an ECC cipher */ 2038280304Sjkim size_t i; 2039280304Sjkim unsigned char *list; 2040280304Sjkim int found_uncompressed = 0; 2041280304Sjkim list = s->session->tlsext_ecpointformatlist; 2042280304Sjkim for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 2043280304Sjkim if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 2044280304Sjkim found_uncompressed = 1; 2045280304Sjkim break; 2046280304Sjkim } 2047280304Sjkim } 2048280304Sjkim if (!found_uncompressed) { 2049280304Sjkim SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, 2050280304Sjkim SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 2051280304Sjkim return -1; 2052280304Sjkim } 2053280304Sjkim } 2054280304Sjkim ret = SSL_TLSEXT_ERR_OK; 2055280304Sjkim# endif /* OPENSSL_NO_EC */ 2056238405Sjkim 2057280304Sjkim if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 2058280304Sjkim ret = 2059280304Sjkim s->ctx->tlsext_servername_callback(s, &al, 2060280304Sjkim s->ctx->tlsext_servername_arg); 2061280304Sjkim else if (s->initial_ctx != NULL 2062280304Sjkim && s->initial_ctx->tlsext_servername_callback != 0) 2063280304Sjkim ret = 2064280304Sjkim s->initial_ctx->tlsext_servername_callback(s, &al, 2065280304Sjkim s-> 2066280304Sjkim initial_ctx->tlsext_servername_arg); 2067194206Ssimon 2068280304Sjkim# ifdef TLSEXT_TYPE_opaque_prf_input 2069280304Sjkim if (s->s3->server_opaque_prf_input_len > 0) { 2070280304Sjkim /* 2071280304Sjkim * This case may indicate that we, as a client, want to insist on 2072280304Sjkim * using opaque PRF inputs. So first verify that we really have a 2073280304Sjkim * value from the server too. 2074280304Sjkim */ 2075238405Sjkim 2076280304Sjkim if (s->s3->server_opaque_prf_input == NULL) { 2077280304Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2078280304Sjkim al = SSL_AD_HANDSHAKE_FAILURE; 2079280304Sjkim } 2080238405Sjkim 2081280304Sjkim /* 2082280304Sjkim * Anytime the server *has* sent an opaque PRF input, we need to 2083280304Sjkim * check that we have a client opaque PRF input of the same size. 2084280304Sjkim */ 2085280304Sjkim if (s->s3->client_opaque_prf_input == NULL || 2086280304Sjkim s->s3->client_opaque_prf_input_len != 2087280304Sjkim s->s3->server_opaque_prf_input_len) { 2088280304Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2089280304Sjkim al = SSL_AD_ILLEGAL_PARAMETER; 2090280304Sjkim } 2091280304Sjkim } 2092280304Sjkim# endif 2093194206Ssimon 2094295016Sjkim OPENSSL_free(s->tlsext_ocsp_resp); 2095295016Sjkim s->tlsext_ocsp_resp = NULL; 2096295016Sjkim s->tlsext_ocsp_resplen = -1; 2097280304Sjkim /* 2098280304Sjkim * If we've requested certificate status and we wont get one tell the 2099280304Sjkim * callback 2100280304Sjkim */ 2101280304Sjkim if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 2102295016Sjkim && !(s->hit) && s->ctx && s->ctx->tlsext_status_cb) { 2103280304Sjkim int r; 2104280304Sjkim /* 2105295016Sjkim * Call callback with resp == NULL and resplen == -1 so callback 2106295016Sjkim * knows there is no response 2107280304Sjkim */ 2108280304Sjkim r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2109280304Sjkim if (r == 0) { 2110280304Sjkim al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2111280304Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2112280304Sjkim } 2113280304Sjkim if (r < 0) { 2114280304Sjkim al = SSL_AD_INTERNAL_ERROR; 2115280304Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2116280304Sjkim } 2117280304Sjkim } 2118194206Ssimon 2119280304Sjkim switch (ret) { 2120280304Sjkim case SSL_TLSEXT_ERR_ALERT_FATAL: 2121280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, al); 2122280304Sjkim return -1; 2123194206Ssimon 2124280304Sjkim case SSL_TLSEXT_ERR_ALERT_WARNING: 2125280304Sjkim ssl3_send_alert(s, SSL3_AL_WARNING, al); 2126280304Sjkim return 1; 2127280304Sjkim 2128280304Sjkim case SSL_TLSEXT_ERR_NOACK: 2129280304Sjkim s->servername_done = 0; 2130280304Sjkim default: 2131280304Sjkim return 1; 2132280304Sjkim } 2133280304Sjkim} 2134280304Sjkim 2135280304Sjkim/*- 2136280304Sjkim * Since the server cache lookup is done early on in the processing of the 2137238405Sjkim * ClientHello, and other operations depend on the result, we need to handle 2138238405Sjkim * any TLS session ticket extension at the same time. 2139238405Sjkim * 2140238405Sjkim * session_id: points at the session ID in the ClientHello. This code will 2141238405Sjkim * read past the end of this in order to parse out the session ticket 2142238405Sjkim * extension, if any. 2143238405Sjkim * len: the length of the session ID. 2144238405Sjkim * limit: a pointer to the first byte after the ClientHello. 2145238405Sjkim * ret: (output) on return, if a ticket was decrypted, then this is set to 2146238405Sjkim * point to the resulting session. 2147238405Sjkim * 2148238405Sjkim * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2149238405Sjkim * ciphersuite, in which case we have no use for session tickets and one will 2150238405Sjkim * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2151238405Sjkim * 2152238405Sjkim * Returns: 2153238405Sjkim * -1: fatal error, either from parsing or decrypting the ticket. 2154238405Sjkim * 0: no ticket was found (or was ignored, based on settings). 2155238405Sjkim * 1: a zero length extension was found, indicating that the client supports 2156238405Sjkim * session tickets but doesn't currently have one to offer. 2157238405Sjkim * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2158238405Sjkim * couldn't be decrypted because of a non-fatal error. 2159238405Sjkim * 3: a ticket was successfully decrypted and *ret was set. 2160238405Sjkim * 2161238405Sjkim * Side effects: 2162238405Sjkim * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2163238405Sjkim * a new session ticket to the client because the client indicated support 2164238405Sjkim * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2165238405Sjkim * a session ticket or we couldn't use the one it gave us, or if 2166238405Sjkim * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2167238405Sjkim * Otherwise, s->tlsext_ticket_expected is set to 0. 2168194206Ssimon */ 2169194206Ssimonint tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 2170280304Sjkim const unsigned char *limit, SSL_SESSION **ret) 2171280304Sjkim{ 2172280304Sjkim /* Point after session ID in client hello */ 2173280304Sjkim const unsigned char *p = session_id + len; 2174280304Sjkim unsigned short i; 2175194206Ssimon 2176280304Sjkim *ret = NULL; 2177280304Sjkim s->tlsext_ticket_expected = 0; 2178238405Sjkim 2179280304Sjkim /* 2180280304Sjkim * If tickets disabled behave as if no ticket present to permit stateful 2181280304Sjkim * resumption. 2182280304Sjkim */ 2183280304Sjkim if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2184280304Sjkim return 0; 2185280304Sjkim if ((s->version <= SSL3_VERSION) || !limit) 2186280304Sjkim return 0; 2187280304Sjkim if (p >= limit) 2188280304Sjkim return -1; 2189280304Sjkim /* Skip past DTLS cookie */ 2190280304Sjkim if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { 2191280304Sjkim i = *(p++); 2192306196Sjkim 2193306196Sjkim if (limit - p <= i) 2194306196Sjkim return -1; 2195306196Sjkim 2196280304Sjkim p += i; 2197280304Sjkim } 2198280304Sjkim /* Skip past cipher list */ 2199280304Sjkim n2s(p, i); 2200306196Sjkim if (limit - p <= i) 2201306196Sjkim return -1; 2202280304Sjkim p += i; 2203306196Sjkim 2204280304Sjkim /* Skip past compression algorithm list */ 2205280304Sjkim i = *(p++); 2206306196Sjkim if (limit - p < i) 2207306196Sjkim return -1; 2208280304Sjkim p += i; 2209306196Sjkim 2210280304Sjkim /* Now at start of extensions */ 2211306196Sjkim if (limit - p <= 2) 2212280304Sjkim return 0; 2213280304Sjkim n2s(p, i); 2214306196Sjkim while (limit - p >= 4) { 2215280304Sjkim unsigned short type, size; 2216280304Sjkim n2s(p, type); 2217280304Sjkim n2s(p, size); 2218306196Sjkim if (limit - p < size) 2219280304Sjkim return 0; 2220280304Sjkim if (type == TLSEXT_TYPE_session_ticket) { 2221280304Sjkim int r; 2222280304Sjkim if (size == 0) { 2223280304Sjkim /* 2224280304Sjkim * The client will accept a ticket but doesn't currently have 2225280304Sjkim * one. 2226280304Sjkim */ 2227280304Sjkim s->tlsext_ticket_expected = 1; 2228280304Sjkim return 1; 2229280304Sjkim } 2230280304Sjkim if (s->tls_session_secret_cb) { 2231280304Sjkim /* 2232280304Sjkim * Indicate that the ticket couldn't be decrypted rather than 2233280304Sjkim * generating the session from ticket now, trigger 2234280304Sjkim * abbreviated handshake based on external mechanism to 2235280304Sjkim * calculate the master secret later. 2236280304Sjkim */ 2237280304Sjkim return 2; 2238280304Sjkim } 2239280304Sjkim r = tls_decrypt_ticket(s, p, size, session_id, len, ret); 2240280304Sjkim switch (r) { 2241280304Sjkim case 2: /* ticket couldn't be decrypted */ 2242280304Sjkim s->tlsext_ticket_expected = 1; 2243280304Sjkim return 2; 2244280304Sjkim case 3: /* ticket was decrypted */ 2245280304Sjkim return r; 2246280304Sjkim case 4: /* ticket decrypted but need to renew */ 2247280304Sjkim s->tlsext_ticket_expected = 1; 2248280304Sjkim return 3; 2249280304Sjkim default: /* fatal error */ 2250280304Sjkim return -1; 2251280304Sjkim } 2252280304Sjkim } 2253280304Sjkim p += size; 2254280304Sjkim } 2255280304Sjkim return 0; 2256280304Sjkim} 2257194206Ssimon 2258280304Sjkim/*- 2259280304Sjkim * tls_decrypt_ticket attempts to decrypt a session ticket. 2260238405Sjkim * 2261238405Sjkim * etick: points to the body of the session ticket extension. 2262238405Sjkim * eticklen: the length of the session tickets extenion. 2263238405Sjkim * sess_id: points at the session ID. 2264238405Sjkim * sesslen: the length of the session ID. 2265238405Sjkim * psess: (output) on return, if a ticket was decrypted, then this is set to 2266238405Sjkim * point to the resulting session. 2267238405Sjkim * 2268238405Sjkim * Returns: 2269238405Sjkim * -1: fatal error, either from parsing or decrypting the ticket. 2270238405Sjkim * 2: the ticket couldn't be decrypted. 2271238405Sjkim * 3: a ticket was successfully decrypted and *psess was set. 2272238405Sjkim * 4: same as 3, but the ticket needs to be renewed. 2273238405Sjkim */ 2274280304Sjkimstatic int tls_decrypt_ticket(SSL *s, const unsigned char *etick, 2275280304Sjkim int eticklen, const unsigned char *sess_id, 2276280304Sjkim int sesslen, SSL_SESSION **psess) 2277280304Sjkim{ 2278280304Sjkim SSL_SESSION *sess; 2279280304Sjkim unsigned char *sdec; 2280280304Sjkim const unsigned char *p; 2281280304Sjkim int slen, mlen, renew_ticket = 0; 2282280304Sjkim unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2283280304Sjkim HMAC_CTX hctx; 2284280304Sjkim EVP_CIPHER_CTX ctx; 2285280304Sjkim SSL_CTX *tctx = s->initial_ctx; 2286306196Sjkim 2287280304Sjkim /* Initialize session ticket encryption and HMAC contexts */ 2288280304Sjkim HMAC_CTX_init(&hctx); 2289280304Sjkim EVP_CIPHER_CTX_init(&ctx); 2290280304Sjkim if (tctx->tlsext_ticket_key_cb) { 2291280304Sjkim unsigned char *nctick = (unsigned char *)etick; 2292280304Sjkim int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2293280304Sjkim &ctx, &hctx, 0); 2294280304Sjkim if (rv < 0) 2295280304Sjkim return -1; 2296280304Sjkim if (rv == 0) 2297280304Sjkim return 2; 2298280304Sjkim if (rv == 2) 2299280304Sjkim renew_ticket = 1; 2300280304Sjkim } else { 2301280304Sjkim /* Check key name matches */ 2302280304Sjkim if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2303280304Sjkim return 2; 2304291721Sjkim if (HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2305291721Sjkim tlsext_tick_md(), NULL) <= 0 2306291721Sjkim || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2307291721Sjkim tctx->tlsext_tick_aes_key, 2308291721Sjkim etick + 16) <= 0) { 2309291721Sjkim goto err; 2310291721Sjkim } 2311280304Sjkim } 2312280304Sjkim /* 2313280304Sjkim * Attempt to process session ticket, first conduct sanity and integrity 2314280304Sjkim * checks on ticket. 2315280304Sjkim */ 2316280304Sjkim mlen = HMAC_size(&hctx); 2317280304Sjkim if (mlen < 0) { 2318291721Sjkim goto err; 2319280304Sjkim } 2320306196Sjkim /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 2321306196Sjkim if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) { 2322306196Sjkim HMAC_CTX_cleanup(&hctx); 2323306196Sjkim EVP_CIPHER_CTX_cleanup(&ctx); 2324306196Sjkim return 2; 2325306196Sjkim } 2326306196Sjkim 2327280304Sjkim eticklen -= mlen; 2328280304Sjkim /* Check HMAC of encrypted ticket */ 2329291721Sjkim if (HMAC_Update(&hctx, etick, eticklen) <= 0 2330291721Sjkim || HMAC_Final(&hctx, tick_hmac, NULL) <= 0) { 2331291721Sjkim goto err; 2332291721Sjkim } 2333280304Sjkim HMAC_CTX_cleanup(&hctx); 2334280304Sjkim if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 2335280304Sjkim EVP_CIPHER_CTX_cleanup(&ctx); 2336280304Sjkim return 2; 2337280304Sjkim } 2338280304Sjkim /* Attempt to decrypt session data */ 2339280304Sjkim /* Move p after IV to start of encrypted ticket, update length */ 2340280304Sjkim p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2341280304Sjkim eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2342280304Sjkim sdec = OPENSSL_malloc(eticklen); 2343298999Sjkim if (sdec == NULL 2344298999Sjkim || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { 2345280304Sjkim EVP_CIPHER_CTX_cleanup(&ctx); 2346298999Sjkim OPENSSL_free(sdec); 2347280304Sjkim return -1; 2348280304Sjkim } 2349280304Sjkim if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) { 2350280304Sjkim EVP_CIPHER_CTX_cleanup(&ctx); 2351280304Sjkim OPENSSL_free(sdec); 2352280304Sjkim return 2; 2353280304Sjkim } 2354280304Sjkim slen += mlen; 2355280304Sjkim EVP_CIPHER_CTX_cleanup(&ctx); 2356280304Sjkim p = sdec; 2357238405Sjkim 2358280304Sjkim sess = d2i_SSL_SESSION(NULL, &p, slen); 2359280304Sjkim OPENSSL_free(sdec); 2360280304Sjkim if (sess) { 2361280304Sjkim /* 2362280304Sjkim * The session ID, if non-empty, is used by some clients to detect 2363280304Sjkim * that the ticket has been accepted. So we copy it to the session 2364280304Sjkim * structure. If it is empty set length to zero as required by 2365280304Sjkim * standard. 2366280304Sjkim */ 2367280304Sjkim if (sesslen) 2368280304Sjkim memcpy(sess->session_id, sess_id, sesslen); 2369280304Sjkim sess->session_id_length = sesslen; 2370280304Sjkim *psess = sess; 2371280304Sjkim if (renew_ticket) 2372280304Sjkim return 4; 2373280304Sjkim else 2374280304Sjkim return 3; 2375280304Sjkim } 2376280304Sjkim ERR_clear_error(); 2377280304Sjkim /* 2378280304Sjkim * For session parse failure, indicate that we need to send a new ticket. 2379280304Sjkim */ 2380280304Sjkim return 2; 2381291721Sjkimerr: 2382291721Sjkim EVP_CIPHER_CTX_cleanup(&ctx); 2383291721Sjkim HMAC_CTX_cleanup(&hctx); 2384291721Sjkim return -1; 2385280304Sjkim} 2386238405Sjkim 2387238405Sjkim/* Tables to translate from NIDs to TLS v1.2 ids */ 2388238405Sjkim 2389280304Sjkimtypedef struct { 2390280304Sjkim int nid; 2391280304Sjkim int id; 2392280304Sjkim} tls12_lookup; 2393238405Sjkim 2394238405Sjkimstatic tls12_lookup tls12_md[] = { 2395280304Sjkim# ifndef OPENSSL_NO_MD5 2396280304Sjkim {NID_md5, TLSEXT_hash_md5}, 2397280304Sjkim# endif 2398280304Sjkim# ifndef OPENSSL_NO_SHA 2399280304Sjkim {NID_sha1, TLSEXT_hash_sha1}, 2400280304Sjkim# endif 2401280304Sjkim# ifndef OPENSSL_NO_SHA256 2402280304Sjkim {NID_sha224, TLSEXT_hash_sha224}, 2403280304Sjkim {NID_sha256, TLSEXT_hash_sha256}, 2404280304Sjkim# endif 2405280304Sjkim# ifndef OPENSSL_NO_SHA512 2406280304Sjkim {NID_sha384, TLSEXT_hash_sha384}, 2407280304Sjkim {NID_sha512, TLSEXT_hash_sha512} 2408280304Sjkim# endif 2409238405Sjkim}; 2410238405Sjkim 2411238405Sjkimstatic tls12_lookup tls12_sig[] = { 2412280304Sjkim# ifndef OPENSSL_NO_RSA 2413280304Sjkim {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2414280304Sjkim# endif 2415280304Sjkim# ifndef OPENSSL_NO_DSA 2416280304Sjkim {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2417280304Sjkim# endif 2418280304Sjkim# ifndef OPENSSL_NO_ECDSA 2419280304Sjkim {EVP_PKEY_EC, TLSEXT_signature_ecdsa} 2420280304Sjkim# endif 2421238405Sjkim}; 2422238405Sjkim 2423238405Sjkimstatic int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2424280304Sjkim{ 2425280304Sjkim size_t i; 2426280304Sjkim for (i = 0; i < tlen; i++) { 2427280304Sjkim if (table[i].nid == nid) 2428280304Sjkim return table[i].id; 2429280304Sjkim } 2430280304Sjkim return -1; 2431280304Sjkim} 2432280304Sjkim 2433280304Sjkim# if 0 2434238405Sjkimstatic int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) 2435280304Sjkim{ 2436280304Sjkim size_t i; 2437280304Sjkim for (i = 0; i < tlen; i++) { 2438280304Sjkim if (table[i].id == id) 2439280304Sjkim return table[i].nid; 2440280304Sjkim } 2441280304Sjkim return -1; 2442280304Sjkim} 2443280304Sjkim# endif 2444238405Sjkim 2445280304Sjkimint tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, 2446280304Sjkim const EVP_MD *md) 2447280304Sjkim{ 2448280304Sjkim int sig_id, md_id; 2449280304Sjkim if (!md) 2450280304Sjkim return 0; 2451280304Sjkim md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2452280304Sjkim sizeof(tls12_md) / sizeof(tls12_lookup)); 2453280304Sjkim if (md_id == -1) 2454280304Sjkim return 0; 2455280304Sjkim sig_id = tls12_get_sigid(pk); 2456280304Sjkim if (sig_id == -1) 2457280304Sjkim return 0; 2458280304Sjkim p[0] = (unsigned char)md_id; 2459280304Sjkim p[1] = (unsigned char)sig_id; 2460280304Sjkim return 1; 2461280304Sjkim} 2462238405Sjkim 2463238405Sjkimint tls12_get_sigid(const EVP_PKEY *pk) 2464280304Sjkim{ 2465280304Sjkim return tls12_find_id(pk->type, tls12_sig, 2466280304Sjkim sizeof(tls12_sig) / sizeof(tls12_lookup)); 2467280304Sjkim} 2468238405Sjkim 2469238405Sjkimconst EVP_MD *tls12_get_hash(unsigned char hash_alg) 2470280304Sjkim{ 2471280304Sjkim switch (hash_alg) { 2472280304Sjkim# ifndef OPENSSL_NO_SHA 2473280304Sjkim case TLSEXT_hash_sha1: 2474280304Sjkim return EVP_sha1(); 2475280304Sjkim# endif 2476280304Sjkim# ifndef OPENSSL_NO_SHA256 2477280304Sjkim case TLSEXT_hash_sha224: 2478280304Sjkim return EVP_sha224(); 2479238405Sjkim 2480280304Sjkim case TLSEXT_hash_sha256: 2481280304Sjkim return EVP_sha256(); 2482280304Sjkim# endif 2483280304Sjkim# ifndef OPENSSL_NO_SHA512 2484280304Sjkim case TLSEXT_hash_sha384: 2485280304Sjkim return EVP_sha384(); 2486238405Sjkim 2487280304Sjkim case TLSEXT_hash_sha512: 2488280304Sjkim return EVP_sha512(); 2489280304Sjkim# endif 2490280304Sjkim default: 2491280304Sjkim return NULL; 2492238405Sjkim 2493280304Sjkim } 2494280304Sjkim} 2495238405Sjkim 2496238405Sjkim/* Set preferred digest for each key type */ 2497238405Sjkim 2498238405Sjkimint tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2499280304Sjkim{ 2500280304Sjkim int i, idx; 2501280304Sjkim const EVP_MD *md; 2502280304Sjkim CERT *c = s->cert; 2503280304Sjkim /* Extension ignored for TLS versions below 1.2 */ 2504280304Sjkim if (TLS1_get_version(s) < TLS1_2_VERSION) 2505280304Sjkim return 1; 2506280304Sjkim /* Should never happen */ 2507280304Sjkim if (!c) 2508280304Sjkim return 0; 2509238405Sjkim 2510280304Sjkim c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2511280304Sjkim c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2512280304Sjkim c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2513280304Sjkim c->pkeys[SSL_PKEY_ECC].digest = NULL; 2514238405Sjkim 2515280304Sjkim for (i = 0; i < dsize; i += 2) { 2516280304Sjkim unsigned char hash_alg = data[i], sig_alg = data[i + 1]; 2517238405Sjkim 2518280304Sjkim switch (sig_alg) { 2519280304Sjkim# ifndef OPENSSL_NO_RSA 2520280304Sjkim case TLSEXT_signature_rsa: 2521280304Sjkim idx = SSL_PKEY_RSA_SIGN; 2522280304Sjkim break; 2523280304Sjkim# endif 2524280304Sjkim# ifndef OPENSSL_NO_DSA 2525280304Sjkim case TLSEXT_signature_dsa: 2526280304Sjkim idx = SSL_PKEY_DSA_SIGN; 2527280304Sjkim break; 2528280304Sjkim# endif 2529280304Sjkim# ifndef OPENSSL_NO_ECDSA 2530280304Sjkim case TLSEXT_signature_ecdsa: 2531280304Sjkim idx = SSL_PKEY_ECC; 2532280304Sjkim break; 2533280304Sjkim# endif 2534280304Sjkim default: 2535280304Sjkim continue; 2536280304Sjkim } 2537238405Sjkim 2538280304Sjkim if (c->pkeys[idx].digest == NULL) { 2539280304Sjkim md = tls12_get_hash(hash_alg); 2540280304Sjkim if (md) { 2541280304Sjkim c->pkeys[idx].digest = md; 2542280304Sjkim if (idx == SSL_PKEY_RSA_SIGN) 2543280304Sjkim c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2544280304Sjkim } 2545280304Sjkim } 2546238405Sjkim 2547280304Sjkim } 2548238405Sjkim 2549280304Sjkim /* 2550280304Sjkim * Set any remaining keys to default values. NOTE: if alg is not 2551280304Sjkim * supported it stays as NULL. 2552280304Sjkim */ 2553280304Sjkim# ifndef OPENSSL_NO_DSA 2554280304Sjkim if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2555280304Sjkim c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2556280304Sjkim# endif 2557280304Sjkim# ifndef OPENSSL_NO_RSA 2558280304Sjkim if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2559280304Sjkim c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2560280304Sjkim c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2561280304Sjkim } 2562280304Sjkim# endif 2563280304Sjkim# ifndef OPENSSL_NO_ECDSA 2564280304Sjkim if (!c->pkeys[SSL_PKEY_ECC].digest) 2565280304Sjkim c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2566280304Sjkim# endif 2567280304Sjkim return 1; 2568280304Sjkim} 2569238405Sjkim 2570238405Sjkim#endif 2571238405Sjkim 2572238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 2573280304Sjkimint tls1_process_heartbeat(SSL *s) 2574280304Sjkim{ 2575280304Sjkim unsigned char *p = &s->s3->rrec.data[0], *pl; 2576280304Sjkim unsigned short hbtype; 2577280304Sjkim unsigned int payload; 2578280304Sjkim unsigned int padding = 16; /* Use minimum padding */ 2579238405Sjkim 2580280304Sjkim if (s->msg_callback) 2581280304Sjkim s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 2582280304Sjkim &s->s3->rrec.data[0], s->s3->rrec.length, 2583280304Sjkim s, s->msg_callback_arg); 2584264266Sdelphij 2585280304Sjkim /* Read type and payload length first */ 2586280304Sjkim if (1 + 2 + 16 > s->s3->rrec.length) 2587280304Sjkim return 0; /* silently discard */ 2588280304Sjkim hbtype = *p++; 2589280304Sjkim n2s(p, payload); 2590280304Sjkim if (1 + 2 + payload + 16 > s->s3->rrec.length) 2591280304Sjkim return 0; /* silently discard per RFC 6520 sec. 4 */ 2592280304Sjkim pl = p; 2593238405Sjkim 2594280304Sjkim if (hbtype == TLS1_HB_REQUEST) { 2595280304Sjkim unsigned char *buffer, *bp; 2596280304Sjkim int r; 2597238405Sjkim 2598280304Sjkim /* 2599280304Sjkim * Allocate memory for the response, size is 1 bytes message type, 2600280304Sjkim * plus 2 bytes payload length, plus payload, plus padding 2601280304Sjkim */ 2602280304Sjkim buffer = OPENSSL_malloc(1 + 2 + payload + padding); 2603298999Sjkim if (buffer == NULL) 2604298999Sjkim return -1; 2605280304Sjkim bp = buffer; 2606238405Sjkim 2607280304Sjkim /* Enter response type, length and copy payload */ 2608280304Sjkim *bp++ = TLS1_HB_RESPONSE; 2609280304Sjkim s2n(payload, bp); 2610280304Sjkim memcpy(bp, pl, payload); 2611280304Sjkim bp += payload; 2612280304Sjkim /* Random padding */ 2613306196Sjkim if (RAND_bytes(bp, padding) <= 0) { 2614284285Sjkim OPENSSL_free(buffer); 2615284285Sjkim return -1; 2616284285Sjkim } 2617238405Sjkim 2618280304Sjkim r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 2619280304Sjkim 3 + payload + padding); 2620238405Sjkim 2621280304Sjkim if (r >= 0 && s->msg_callback) 2622280304Sjkim s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2623280304Sjkim buffer, 3 + payload + padding, 2624280304Sjkim s, s->msg_callback_arg); 2625238405Sjkim 2626280304Sjkim OPENSSL_free(buffer); 2627238405Sjkim 2628280304Sjkim if (r < 0) 2629280304Sjkim return r; 2630280304Sjkim } else if (hbtype == TLS1_HB_RESPONSE) { 2631280304Sjkim unsigned int seq; 2632194206Ssimon 2633280304Sjkim /* 2634280304Sjkim * We only send sequence numbers (2 bytes unsigned int), and 16 2635280304Sjkim * random bytes, so we just try to read the sequence number 2636280304Sjkim */ 2637280304Sjkim n2s(pl, seq); 2638238405Sjkim 2639280304Sjkim if (payload == 18 && seq == s->tlsext_hb_seq) { 2640280304Sjkim s->tlsext_hb_seq++; 2641280304Sjkim s->tlsext_hb_pending = 0; 2642280304Sjkim } 2643280304Sjkim } 2644238405Sjkim 2645280304Sjkim return 0; 2646280304Sjkim} 2647238405Sjkim 2648280304Sjkimint tls1_heartbeat(SSL *s) 2649280304Sjkim{ 2650280304Sjkim unsigned char *buf, *p; 2651284285Sjkim int ret = -1; 2652280304Sjkim unsigned int payload = 18; /* Sequence number + random bytes */ 2653280304Sjkim unsigned int padding = 16; /* Use minimum padding */ 2654238405Sjkim 2655280304Sjkim /* Only send if peer supports and accepts HB requests... */ 2656280304Sjkim if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || 2657280304Sjkim s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) { 2658280304Sjkim SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); 2659280304Sjkim return -1; 2660280304Sjkim } 2661238405Sjkim 2662280304Sjkim /* ...and there is none in flight yet... */ 2663280304Sjkim if (s->tlsext_hb_pending) { 2664280304Sjkim SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING); 2665280304Sjkim return -1; 2666280304Sjkim } 2667238405Sjkim 2668280304Sjkim /* ...and no handshake in progress. */ 2669280304Sjkim if (SSL_in_init(s) || s->in_handshake) { 2670280304Sjkim SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE); 2671280304Sjkim return -1; 2672280304Sjkim } 2673280304Sjkim 2674280304Sjkim /* 2675280304Sjkim * Check if padding is too long, payload and padding must not exceed 2^14 2676280304Sjkim * - 3 = 16381 bytes in total. 2677280304Sjkim */ 2678280304Sjkim OPENSSL_assert(payload + padding <= 16381); 2679280304Sjkim 2680280304Sjkim /*- 2681280304Sjkim * Create HeartBeat message, we just use a sequence number 2682280304Sjkim * as payload to distuingish different messages and add 2683280304Sjkim * some random stuff. 2684280304Sjkim * - Message Type, 1 byte 2685280304Sjkim * - Payload Length, 2 bytes (unsigned int) 2686280304Sjkim * - Payload, the sequence number (2 bytes uint) 2687280304Sjkim * - Payload, random bytes (16 bytes uint) 2688280304Sjkim * - Padding 2689280304Sjkim */ 2690280304Sjkim buf = OPENSSL_malloc(1 + 2 + payload + padding); 2691280304Sjkim p = buf; 2692280304Sjkim /* Message Type */ 2693280304Sjkim *p++ = TLS1_HB_REQUEST; 2694280304Sjkim /* Payload length (18 bytes here) */ 2695280304Sjkim s2n(payload, p); 2696280304Sjkim /* Sequence number */ 2697280304Sjkim s2n(s->tlsext_hb_seq, p); 2698280304Sjkim /* 16 random bytes */ 2699306196Sjkim if (RAND_bytes(p, 16) <= 0) { 2700284285Sjkim SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); 2701284285Sjkim goto err; 2702284285Sjkim } 2703280304Sjkim p += 16; 2704280304Sjkim /* Random padding */ 2705306196Sjkim if (RAND_bytes(p, padding) <= 0) { 2706284285Sjkim SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); 2707284285Sjkim goto err; 2708284285Sjkim } 2709280304Sjkim 2710280304Sjkim ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 2711280304Sjkim if (ret >= 0) { 2712280304Sjkim if (s->msg_callback) 2713280304Sjkim s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2714280304Sjkim buf, 3 + payload + padding, 2715280304Sjkim s, s->msg_callback_arg); 2716280304Sjkim 2717280304Sjkim s->tlsext_hb_pending = 1; 2718280304Sjkim } 2719280304Sjkim 2720284285Sjkimerr: 2721280304Sjkim OPENSSL_free(buf); 2722280304Sjkim 2723280304Sjkim return ret; 2724280304Sjkim} 2725194206Ssimon#endif 2726