155714Skris/* ssl/t1_lib.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 855714Skris * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1555714Skris * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 2255714Skris * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 3755714Skris * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4055714Skris * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 5255714Skris * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 58238405Sjkim/* ==================================================================== 59238405Sjkim * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60238405Sjkim * 61238405Sjkim * Redistribution and use in source and binary forms, with or without 62238405Sjkim * modification, are permitted provided that the following conditions 63238405Sjkim * are met: 64238405Sjkim * 65238405Sjkim * 1. Redistributions of source code must retain the above copyright 66238405Sjkim * notice, this list of conditions and the following disclaimer. 67238405Sjkim * 68238405Sjkim * 2. Redistributions in binary form must reproduce the above copyright 69238405Sjkim * notice, this list of conditions and the following disclaimer in 70238405Sjkim * the documentation and/or other materials provided with the 71238405Sjkim * distribution. 72238405Sjkim * 73238405Sjkim * 3. All advertising materials mentioning features or use of this 74238405Sjkim * software must display the following acknowledgment: 75238405Sjkim * "This product includes software developed by the OpenSSL Project 76238405Sjkim * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77238405Sjkim * 78238405Sjkim * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79238405Sjkim * endorse or promote products derived from this software without 80238405Sjkim * prior written permission. For written permission, please contact 81238405Sjkim * openssl-core@openssl.org. 82238405Sjkim * 83238405Sjkim * 5. Products derived from this software may not be called "OpenSSL" 84238405Sjkim * nor may "OpenSSL" appear in their names without prior written 85238405Sjkim * permission of the OpenSSL Project. 86238405Sjkim * 87238405Sjkim * 6. Redistributions of any form whatsoever must retain the following 88238405Sjkim * acknowledgment: 89238405Sjkim * "This product includes software developed by the OpenSSL Project 90238405Sjkim * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91238405Sjkim * 92238405Sjkim * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93238405Sjkim * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94238405Sjkim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95238405Sjkim * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96238405Sjkim * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97238405Sjkim * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98238405Sjkim * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99238405Sjkim * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100238405Sjkim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101238405Sjkim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102238405Sjkim * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103238405Sjkim * OF THE POSSIBILITY OF SUCH DAMAGE. 104238405Sjkim * ==================================================================== 105238405Sjkim * 106238405Sjkim * This product includes cryptographic software written by Eric Young 107238405Sjkim * (eay@cryptsoft.com). This product includes software written by Tim 108238405Sjkim * Hudson (tjh@cryptsoft.com). 109238405Sjkim * 110238405Sjkim */ 11155714Skris 11255714Skris#include <stdio.h> 11355714Skris#include <openssl/objects.h> 114194206Ssimon#include <openssl/evp.h> 115194206Ssimon#include <openssl/hmac.h> 116194206Ssimon#include <openssl/ocsp.h> 117238405Sjkim#include <openssl/rand.h> 11855714Skris#include "ssl_locl.h" 11955714Skris 120167612Ssimonconst char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 12155714Skris 122194206Ssimon#ifndef OPENSSL_NO_TLSEXT 123194206Ssimonstatic int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 124194206Ssimon const unsigned char *sess_id, int sesslen, 125194206Ssimon SSL_SESSION **psess); 126194206Ssimon#endif 127194206Ssimon 128160814SsimonSSL3_ENC_METHOD TLSv1_enc_data={ 12955714Skris tls1_enc, 13055714Skris tls1_mac, 13155714Skris tls1_setup_key_block, 13255714Skris tls1_generate_master_secret, 13355714Skris tls1_change_cipher_state, 13455714Skris tls1_final_finish_mac, 13555714Skris TLS1_FINISH_MAC_LENGTH, 13655714Skris tls1_cert_verify_mac, 13755714Skris TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 13855714Skris TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 13955714Skris tls1_alert_code, 140238405Sjkim tls1_export_keying_material, 14155714Skris }; 14255714Skris 143160814Ssimonlong tls1_default_timeout(void) 14455714Skris { 14555714Skris /* 2 hours, the 24 hours mentioned in the TLSv1 spec 14655714Skris * is way too long for http, the cache would over fill */ 14755714Skris return(60*60*2); 14855714Skris } 14955714Skris 15055714Skrisint tls1_new(SSL *s) 15155714Skris { 15255714Skris if (!ssl3_new(s)) return(0); 15355714Skris s->method->ssl_clear(s); 15455714Skris return(1); 15555714Skris } 15655714Skris 15755714Skrisvoid tls1_free(SSL *s) 15855714Skris { 159238405Sjkim#ifndef OPENSSL_NO_TLSEXT 160238405Sjkim if (s->tlsext_session_ticket) 161238405Sjkim { 162238405Sjkim OPENSSL_free(s->tlsext_session_ticket); 163238405Sjkim } 164238405Sjkim#endif /* OPENSSL_NO_TLSEXT */ 16555714Skris ssl3_free(s); 16655714Skris } 16755714Skris 16855714Skrisvoid tls1_clear(SSL *s) 16955714Skris { 17055714Skris ssl3_clear(s); 171238405Sjkim s->version = s->method->version; 17255714Skris } 17355714Skris 174238405Sjkim#ifndef OPENSSL_NO_EC 175238405Sjkim 176238405Sjkimstatic int nid_list[] = 17755714Skris { 178238405Sjkim NID_sect163k1, /* sect163k1 (1) */ 179238405Sjkim NID_sect163r1, /* sect163r1 (2) */ 180238405Sjkim NID_sect163r2, /* sect163r2 (3) */ 181238405Sjkim NID_sect193r1, /* sect193r1 (4) */ 182238405Sjkim NID_sect193r2, /* sect193r2 (5) */ 183238405Sjkim NID_sect233k1, /* sect233k1 (6) */ 184238405Sjkim NID_sect233r1, /* sect233r1 (7) */ 185238405Sjkim NID_sect239k1, /* sect239k1 (8) */ 186238405Sjkim NID_sect283k1, /* sect283k1 (9) */ 187238405Sjkim NID_sect283r1, /* sect283r1 (10) */ 188238405Sjkim NID_sect409k1, /* sect409k1 (11) */ 189238405Sjkim NID_sect409r1, /* sect409r1 (12) */ 190238405Sjkim NID_sect571k1, /* sect571k1 (13) */ 191238405Sjkim NID_sect571r1, /* sect571r1 (14) */ 192238405Sjkim NID_secp160k1, /* secp160k1 (15) */ 193238405Sjkim NID_secp160r1, /* secp160r1 (16) */ 194238405Sjkim NID_secp160r2, /* secp160r2 (17) */ 195238405Sjkim NID_secp192k1, /* secp192k1 (18) */ 196238405Sjkim NID_X9_62_prime192v1, /* secp192r1 (19) */ 197238405Sjkim NID_secp224k1, /* secp224k1 (20) */ 198238405Sjkim NID_secp224r1, /* secp224r1 (21) */ 199238405Sjkim NID_secp256k1, /* secp256k1 (22) */ 200238405Sjkim NID_X9_62_prime256v1, /* secp256r1 (23) */ 201238405Sjkim NID_secp384r1, /* secp384r1 (24) */ 202238405Sjkim NID_secp521r1 /* secp521r1 (25) */ 203238405Sjkim }; 204238405Sjkim 205238405Sjkimstatic int pref_list[] = 206238405Sjkim { 207279264Sdelphij#ifndef OPENSSL_NO_EC2M 208238405Sjkim NID_sect571r1, /* sect571r1 (14) */ 209238405Sjkim NID_sect571k1, /* sect571k1 (13) */ 210279264Sdelphij#endif 211238405Sjkim NID_secp521r1, /* secp521r1 (25) */ 212279264Sdelphij#ifndef OPENSSL_NO_EC2M 213238405Sjkim NID_sect409k1, /* sect409k1 (11) */ 214238405Sjkim NID_sect409r1, /* sect409r1 (12) */ 215279264Sdelphij#endif 216238405Sjkim NID_secp384r1, /* secp384r1 (24) */ 217279264Sdelphij#ifndef OPENSSL_NO_EC2M 218238405Sjkim NID_sect283k1, /* sect283k1 (9) */ 219238405Sjkim NID_sect283r1, /* sect283r1 (10) */ 220279264Sdelphij#endif 221238405Sjkim NID_secp256k1, /* secp256k1 (22) */ 222238405Sjkim NID_X9_62_prime256v1, /* secp256r1 (23) */ 223279264Sdelphij#ifndef OPENSSL_NO_EC2M 224238405Sjkim NID_sect239k1, /* sect239k1 (8) */ 225238405Sjkim NID_sect233k1, /* sect233k1 (6) */ 226238405Sjkim NID_sect233r1, /* sect233r1 (7) */ 227279264Sdelphij#endif 228238405Sjkim NID_secp224k1, /* secp224k1 (20) */ 229238405Sjkim NID_secp224r1, /* secp224r1 (21) */ 230279264Sdelphij#ifndef OPENSSL_NO_EC2M 231238405Sjkim NID_sect193r1, /* sect193r1 (4) */ 232238405Sjkim NID_sect193r2, /* sect193r2 (5) */ 233279264Sdelphij#endif 234238405Sjkim NID_secp192k1, /* secp192k1 (18) */ 235238405Sjkim NID_X9_62_prime192v1, /* secp192r1 (19) */ 236279264Sdelphij#ifndef OPENSSL_NO_EC2M 237238405Sjkim NID_sect163k1, /* sect163k1 (1) */ 238238405Sjkim NID_sect163r1, /* sect163r1 (2) */ 239238405Sjkim NID_sect163r2, /* sect163r2 (3) */ 240279264Sdelphij#endif 241238405Sjkim NID_secp160k1, /* secp160k1 (15) */ 242238405Sjkim NID_secp160r1, /* secp160r1 (16) */ 243238405Sjkim NID_secp160r2, /* secp160r2 (17) */ 244238405Sjkim }; 245238405Sjkim 246238405Sjkimint tls1_ec_curve_id2nid(int curve_id) 247238405Sjkim { 248279264Sdelphij /* ECC curves from RFC 4492 */ 249238405Sjkim if ((curve_id < 1) || ((unsigned int)curve_id > 250238405Sjkim sizeof(nid_list)/sizeof(nid_list[0]))) 251238405Sjkim return 0; 252238405Sjkim return nid_list[curve_id-1]; 25355714Skris } 25459191Skris 255238405Sjkimint tls1_ec_nid2curve_id(int nid) 25659191Skris { 257279264Sdelphij /* ECC curves from RFC 4492 */ 258238405Sjkim switch (nid) 259238405Sjkim { 260238405Sjkim case NID_sect163k1: /* sect163k1 (1) */ 261238405Sjkim return 1; 262238405Sjkim case NID_sect163r1: /* sect163r1 (2) */ 263238405Sjkim return 2; 264238405Sjkim case NID_sect163r2: /* sect163r2 (3) */ 265238405Sjkim return 3; 266238405Sjkim case NID_sect193r1: /* sect193r1 (4) */ 267238405Sjkim return 4; 268238405Sjkim case NID_sect193r2: /* sect193r2 (5) */ 269238405Sjkim return 5; 270238405Sjkim case NID_sect233k1: /* sect233k1 (6) */ 271238405Sjkim return 6; 272238405Sjkim case NID_sect233r1: /* sect233r1 (7) */ 273238405Sjkim return 7; 274238405Sjkim case NID_sect239k1: /* sect239k1 (8) */ 275238405Sjkim return 8; 276238405Sjkim case NID_sect283k1: /* sect283k1 (9) */ 277238405Sjkim return 9; 278238405Sjkim case NID_sect283r1: /* sect283r1 (10) */ 279238405Sjkim return 10; 280238405Sjkim case NID_sect409k1: /* sect409k1 (11) */ 281238405Sjkim return 11; 282238405Sjkim case NID_sect409r1: /* sect409r1 (12) */ 283238405Sjkim return 12; 284238405Sjkim case NID_sect571k1: /* sect571k1 (13) */ 285238405Sjkim return 13; 286238405Sjkim case NID_sect571r1: /* sect571r1 (14) */ 287238405Sjkim return 14; 288238405Sjkim case NID_secp160k1: /* secp160k1 (15) */ 289238405Sjkim return 15; 290238405Sjkim case NID_secp160r1: /* secp160r1 (16) */ 291238405Sjkim return 16; 292238405Sjkim case NID_secp160r2: /* secp160r2 (17) */ 293238405Sjkim return 17; 294238405Sjkim case NID_secp192k1: /* secp192k1 (18) */ 295238405Sjkim return 18; 296238405Sjkim case NID_X9_62_prime192v1: /* secp192r1 (19) */ 297238405Sjkim return 19; 298238405Sjkim case NID_secp224k1: /* secp224k1 (20) */ 299238405Sjkim return 20; 300238405Sjkim case NID_secp224r1: /* secp224r1 (21) */ 301238405Sjkim return 21; 302238405Sjkim case NID_secp256k1: /* secp256k1 (22) */ 303238405Sjkim return 22; 304238405Sjkim case NID_X9_62_prime256v1: /* secp256r1 (23) */ 305238405Sjkim return 23; 306238405Sjkim case NID_secp384r1: /* secp384r1 (24) */ 307238405Sjkim return 24; 308238405Sjkim case NID_secp521r1: /* secp521r1 (25) */ 309238405Sjkim return 25; 310238405Sjkim default: 311238405Sjkim return 0; 312238405Sjkim } 31359191Skris } 314238405Sjkim#endif /* OPENSSL_NO_EC */ 315238405Sjkim 316238405Sjkim#ifndef OPENSSL_NO_TLSEXT 317238405Sjkim 318238405Sjkim/* List of supported signature algorithms and hashes. Should make this 319238405Sjkim * customisable at some point, for now include everything we support. 320238405Sjkim */ 321238405Sjkim 322238405Sjkim#ifdef OPENSSL_NO_RSA 323238405Sjkim#define tlsext_sigalg_rsa(md) /* */ 324238405Sjkim#else 325238405Sjkim#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, 32655714Skris#endif 327194206Ssimon 328238405Sjkim#ifdef OPENSSL_NO_DSA 329238405Sjkim#define tlsext_sigalg_dsa(md) /* */ 330238405Sjkim#else 331238405Sjkim#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, 332238405Sjkim#endif 333238405Sjkim 334238405Sjkim#ifdef OPENSSL_NO_ECDSA 335238405Sjkim#define tlsext_sigalg_ecdsa(md) /* */ 336238405Sjkim#else 337238405Sjkim#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, 338238405Sjkim#endif 339238405Sjkim 340238405Sjkim#define tlsext_sigalg(md) \ 341238405Sjkim tlsext_sigalg_rsa(md) \ 342238405Sjkim tlsext_sigalg_dsa(md) \ 343238405Sjkim tlsext_sigalg_ecdsa(md) 344238405Sjkim 345238405Sjkimstatic unsigned char tls12_sigalgs[] = { 346238405Sjkim#ifndef OPENSSL_NO_SHA512 347238405Sjkim tlsext_sigalg(TLSEXT_hash_sha512) 348238405Sjkim tlsext_sigalg(TLSEXT_hash_sha384) 349238405Sjkim#endif 350238405Sjkim#ifndef OPENSSL_NO_SHA256 351238405Sjkim tlsext_sigalg(TLSEXT_hash_sha256) 352238405Sjkim tlsext_sigalg(TLSEXT_hash_sha224) 353238405Sjkim#endif 354238405Sjkim#ifndef OPENSSL_NO_SHA 355238405Sjkim tlsext_sigalg(TLSEXT_hash_sha1) 356238405Sjkim#endif 357238405Sjkim}; 358238405Sjkim 359238405Sjkimint tls12_get_req_sig_algs(SSL *s, unsigned char *p) 360238405Sjkim { 361238405Sjkim size_t slen = sizeof(tls12_sigalgs); 362238405Sjkim if (p) 363238405Sjkim memcpy(p, tls12_sigalgs, slen); 364238405Sjkim return (int)slen; 365238405Sjkim } 366238405Sjkim 367279264Sdelphijunsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit) 368194206Ssimon { 369194206Ssimon int extdatalen=0; 370279264Sdelphij unsigned char *orig = buf; 371279264Sdelphij unsigned char *ret = buf; 372194206Ssimon 373205128Ssimon /* don't add extensions for SSLv3 unless doing secure renegotiation */ 374205128Ssimon if (s->client_version == SSL3_VERSION 375205128Ssimon && !s->s3->send_connection_binding) 376279264Sdelphij return orig; 377205128Ssimon 378194206Ssimon ret+=2; 379194206Ssimon 380194206Ssimon if (ret>=limit) return NULL; /* this really never occurs, but ... */ 381194206Ssimon 382194206Ssimon if (s->tlsext_hostname != NULL) 383194206Ssimon { 384194206Ssimon /* Add TLS extension servername to the Client Hello message */ 385194206Ssimon unsigned long size_str; 386194206Ssimon long lenmax; 387194206Ssimon 388194206Ssimon /* check for enough space. 389194206Ssimon 4 for the servername type and entension length 390194206Ssimon 2 for servernamelist length 391194206Ssimon 1 for the hostname type 392194206Ssimon 2 for hostname length 393194206Ssimon + hostname length 394194206Ssimon */ 395194206Ssimon 396194206Ssimon if ((lenmax = limit - ret - 9) < 0 397238405Sjkim || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 398194206Ssimon return NULL; 399194206Ssimon 400194206Ssimon /* extension type and length */ 401194206Ssimon s2n(TLSEXT_TYPE_server_name,ret); 402194206Ssimon s2n(size_str+5,ret); 403194206Ssimon 404194206Ssimon /* length of servername list */ 405194206Ssimon s2n(size_str+3,ret); 406194206Ssimon 407194206Ssimon /* hostname type, length and hostname */ 408194206Ssimon *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 409194206Ssimon s2n(size_str,ret); 410194206Ssimon memcpy(ret, s->tlsext_hostname, size_str); 411194206Ssimon ret+=size_str; 412238405Sjkim } 413194206Ssimon 414205128Ssimon /* Add RI if renegotiating */ 415238405Sjkim if (s->renegotiate) 416205128Ssimon { 417205128Ssimon int el; 418205128Ssimon 419205128Ssimon if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 420205128Ssimon { 421205128Ssimon SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 422205128Ssimon return NULL; 423205128Ssimon } 424194206Ssimon 425279264Sdelphij if((limit - ret - 4 - el) < 0) return NULL; 426205128Ssimon 427205128Ssimon s2n(TLSEXT_TYPE_renegotiate,ret); 428205128Ssimon s2n(el,ret); 429205128Ssimon 430205128Ssimon if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) 431205128Ssimon { 432205128Ssimon SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 433205128Ssimon return NULL; 434205128Ssimon } 435205128Ssimon 436205128Ssimon ret += el; 437205128Ssimon } 438205128Ssimon 439238405Sjkim#ifndef OPENSSL_NO_SRP 440238405Sjkim /* Add SRP username if there is one */ 441238405Sjkim if (s->srp_ctx.login != NULL) 442238405Sjkim { /* Add TLS extension SRP username to the Client Hello message */ 443238405Sjkim 444238405Sjkim int login_len = strlen(s->srp_ctx.login); 445238405Sjkim if (login_len > 255 || login_len == 0) 446238405Sjkim { 447238405Sjkim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 448238405Sjkim return NULL; 449238405Sjkim } 450238405Sjkim 451238405Sjkim /* check for enough space. 452238405Sjkim 4 for the srp type type and entension length 453238405Sjkim 1 for the srp user identity 454238405Sjkim + srp user identity length 455238405Sjkim */ 456238405Sjkim if ((limit - ret - 5 - login_len) < 0) return NULL; 457238405Sjkim 458238405Sjkim /* fill in the extension */ 459238405Sjkim s2n(TLSEXT_TYPE_srp,ret); 460238405Sjkim s2n(login_len+1,ret); 461238405Sjkim (*ret++) = (unsigned char) login_len; 462238405Sjkim memcpy(ret, s->srp_ctx.login, login_len); 463238405Sjkim ret+=login_len; 464238405Sjkim } 465238405Sjkim#endif 466238405Sjkim 467238405Sjkim#ifndef OPENSSL_NO_EC 468279264Sdelphij if (s->tlsext_ecpointformatlist != NULL) 469238405Sjkim { 470238405Sjkim /* Add TLS extension ECPointFormats to the ClientHello message */ 471238405Sjkim long lenmax; 472238405Sjkim 473238405Sjkim if ((lenmax = limit - ret - 5) < 0) return NULL; 474238405Sjkim if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 475238405Sjkim if (s->tlsext_ecpointformatlist_length > 255) 476238405Sjkim { 477238405Sjkim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 478238405Sjkim return NULL; 479238405Sjkim } 480238405Sjkim 481238405Sjkim s2n(TLSEXT_TYPE_ec_point_formats,ret); 482238405Sjkim s2n(s->tlsext_ecpointformatlist_length + 1,ret); 483238405Sjkim *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 484238405Sjkim memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 485238405Sjkim ret+=s->tlsext_ecpointformatlist_length; 486238405Sjkim } 487279264Sdelphij if (s->tlsext_ellipticcurvelist != NULL) 488238405Sjkim { 489238405Sjkim /* Add TLS extension EllipticCurves to the ClientHello message */ 490238405Sjkim long lenmax; 491238405Sjkim 492238405Sjkim if ((lenmax = limit - ret - 6) < 0) return NULL; 493238405Sjkim if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; 494238405Sjkim if (s->tlsext_ellipticcurvelist_length > 65532) 495238405Sjkim { 496238405Sjkim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 497238405Sjkim return NULL; 498238405Sjkim } 499238405Sjkim 500238405Sjkim s2n(TLSEXT_TYPE_elliptic_curves,ret); 501238405Sjkim s2n(s->tlsext_ellipticcurvelist_length + 2, ret); 502238405Sjkim 503238405Sjkim s2n(s->tlsext_ellipticcurvelist_length, ret); 504238405Sjkim memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); 505238405Sjkim ret+=s->tlsext_ellipticcurvelist_length; 506238405Sjkim } 507238405Sjkim#endif /* OPENSSL_NO_EC */ 508238405Sjkim 509194206Ssimon if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 510194206Ssimon { 511194206Ssimon int ticklen; 512205128Ssimon if (!s->new_session && s->session && s->session->tlsext_tick) 513194206Ssimon ticklen = s->session->tlsext_ticklen; 514238405Sjkim else if (s->session && s->tlsext_session_ticket && 515238405Sjkim s->tlsext_session_ticket->data) 516238405Sjkim { 517238405Sjkim ticklen = s->tlsext_session_ticket->length; 518238405Sjkim s->session->tlsext_tick = OPENSSL_malloc(ticklen); 519238405Sjkim if (!s->session->tlsext_tick) 520238405Sjkim return NULL; 521238405Sjkim memcpy(s->session->tlsext_tick, 522238405Sjkim s->tlsext_session_ticket->data, 523238405Sjkim ticklen); 524238405Sjkim s->session->tlsext_ticklen = ticklen; 525238405Sjkim } 526194206Ssimon else 527194206Ssimon ticklen = 0; 528238405Sjkim if (ticklen == 0 && s->tlsext_session_ticket && 529238405Sjkim s->tlsext_session_ticket->data == NULL) 530238405Sjkim goto skip_ext; 531194206Ssimon /* Check for enough room 2 for extension type, 2 for len 532194206Ssimon * rest for ticket 533194206Ssimon */ 534238405Sjkim if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; 535194206Ssimon s2n(TLSEXT_TYPE_session_ticket,ret); 536194206Ssimon s2n(ticklen,ret); 537194206Ssimon if (ticklen) 538194206Ssimon { 539194206Ssimon memcpy(ret, s->session->tlsext_tick, ticklen); 540194206Ssimon ret += ticklen; 541194206Ssimon } 542194206Ssimon } 543238405Sjkim skip_ext: 544194206Ssimon 545238405Sjkim if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 546238405Sjkim { 547238405Sjkim if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 548238405Sjkim return NULL; 549238405Sjkim s2n(TLSEXT_TYPE_signature_algorithms,ret); 550238405Sjkim s2n(sizeof(tls12_sigalgs) + 2, ret); 551238405Sjkim s2n(sizeof(tls12_sigalgs), ret); 552238405Sjkim memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 553238405Sjkim ret += sizeof(tls12_sigalgs); 554238405Sjkim } 555238405Sjkim 556238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input 557238405Sjkim if (s->s3->client_opaque_prf_input != NULL && 558238405Sjkim s->version != DTLS1_VERSION) 559238405Sjkim { 560238405Sjkim size_t col = s->s3->client_opaque_prf_input_len; 561238405Sjkim 562238405Sjkim if ((long)(limit - ret - 6 - col < 0)) 563238405Sjkim return NULL; 564238405Sjkim if (col > 0xFFFD) /* can't happen */ 565238405Sjkim return NULL; 566238405Sjkim 567238405Sjkim s2n(TLSEXT_TYPE_opaque_prf_input, ret); 568238405Sjkim s2n(col + 2, ret); 569238405Sjkim s2n(col, ret); 570238405Sjkim memcpy(ret, s->s3->client_opaque_prf_input, col); 571238405Sjkim ret += col; 572238405Sjkim } 573238405Sjkim#endif 574238405Sjkim 575205128Ssimon if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 576205128Ssimon s->version != DTLS1_VERSION) 577194206Ssimon { 578194206Ssimon int i; 579194206Ssimon long extlen, idlen, itmp; 580194206Ssimon OCSP_RESPID *id; 581194206Ssimon 582194206Ssimon idlen = 0; 583194206Ssimon for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 584194206Ssimon { 585194206Ssimon id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 586194206Ssimon itmp = i2d_OCSP_RESPID(id, NULL); 587194206Ssimon if (itmp <= 0) 588194206Ssimon return NULL; 589194206Ssimon idlen += itmp + 2; 590194206Ssimon } 591194206Ssimon 592194206Ssimon if (s->tlsext_ocsp_exts) 593194206Ssimon { 594194206Ssimon extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 595194206Ssimon if (extlen < 0) 596194206Ssimon return NULL; 597194206Ssimon } 598194206Ssimon else 599194206Ssimon extlen = 0; 600194206Ssimon 601194206Ssimon if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 602194206Ssimon s2n(TLSEXT_TYPE_status_request, ret); 603194206Ssimon if (extlen + idlen > 0xFFF0) 604194206Ssimon return NULL; 605194206Ssimon s2n(extlen + idlen + 5, ret); 606194206Ssimon *(ret++) = TLSEXT_STATUSTYPE_ocsp; 607194206Ssimon s2n(idlen, ret); 608194206Ssimon for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 609194206Ssimon { 610194206Ssimon /* save position of id len */ 611194206Ssimon unsigned char *q = ret; 612194206Ssimon id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 613194206Ssimon /* skip over id len */ 614194206Ssimon ret += 2; 615194206Ssimon itmp = i2d_OCSP_RESPID(id, &ret); 616194206Ssimon /* write id len */ 617194206Ssimon s2n(itmp, q); 618194206Ssimon } 619194206Ssimon s2n(extlen, ret); 620194206Ssimon if (extlen > 0) 621194206Ssimon i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 622194206Ssimon } 623194206Ssimon 624238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 625238405Sjkim /* Add Heartbeat extension */ 626279264Sdelphij if ((limit - ret - 4 - 1) < 0) 627279264Sdelphij return NULL; 628238405Sjkim s2n(TLSEXT_TYPE_heartbeat,ret); 629238405Sjkim s2n(1,ret); 630238405Sjkim /* Set mode: 631238405Sjkim * 1: peer may send requests 632238405Sjkim * 2: peer not allowed to send requests 633238405Sjkim */ 634238405Sjkim if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 635238405Sjkim *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 636238405Sjkim else 637238405Sjkim *(ret++) = SSL_TLSEXT_HB_ENABLED; 638238405Sjkim#endif 639238405Sjkim 640238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG 641238405Sjkim if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) 642238405Sjkim { 643238405Sjkim /* The client advertises an emtpy extension to indicate its 644238405Sjkim * support for Next Protocol Negotiation */ 645238405Sjkim if (limit - ret - 4 < 0) 646238405Sjkim return NULL; 647238405Sjkim s2n(TLSEXT_TYPE_next_proto_neg,ret); 648238405Sjkim s2n(0,ret); 649238405Sjkim } 650238405Sjkim#endif 651238405Sjkim 652246772Sjkim#ifndef OPENSSL_NO_SRTP 653273415Sdelphij if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) 654238405Sjkim { 655238405Sjkim int el; 656238405Sjkim 657238405Sjkim ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 658238405Sjkim 659279264Sdelphij if((limit - ret - 4 - el) < 0) return NULL; 660238405Sjkim 661238405Sjkim s2n(TLSEXT_TYPE_use_srtp,ret); 662238405Sjkim s2n(el,ret); 663238405Sjkim 664238405Sjkim if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) 665238405Sjkim { 666238405Sjkim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 667238405Sjkim return NULL; 668238405Sjkim } 669238405Sjkim ret += el; 670238405Sjkim } 671246772Sjkim#endif 672279264Sdelphij /* Add padding to workaround bugs in F5 terminators. 673279264Sdelphij * See https://tools.ietf.org/html/draft-agl-tls-padding-03 674279264Sdelphij * 675279264Sdelphij * NB: because this code works out the length of all existing 676279264Sdelphij * extensions it MUST always appear last. 677279264Sdelphij */ 678279264Sdelphij if (s->options & SSL_OP_TLSEXT_PADDING) 679279264Sdelphij { 680279264Sdelphij int hlen = ret - (unsigned char *)s->init_buf->data; 681279264Sdelphij /* The code in s23_clnt.c to build ClientHello messages 682279264Sdelphij * includes the 5-byte record header in the buffer, while 683279264Sdelphij * the code in s3_clnt.c does not. 684279264Sdelphij */ 685279264Sdelphij if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 686279264Sdelphij hlen -= 5; 687279264Sdelphij if (hlen > 0xff && hlen < 0x200) 688279264Sdelphij { 689279264Sdelphij hlen = 0x200 - hlen; 690279264Sdelphij if (hlen >= 4) 691279264Sdelphij hlen -= 4; 692279264Sdelphij else 693279264Sdelphij hlen = 0; 694238405Sjkim 695279264Sdelphij s2n(TLSEXT_TYPE_padding, ret); 696279264Sdelphij s2n(hlen, ret); 697279264Sdelphij memset(ret, 0, hlen); 698279264Sdelphij ret += hlen; 699279264Sdelphij } 700279264Sdelphij } 701194206Ssimon 702279264Sdelphij if ((extdatalen = ret-orig-2)== 0) 703279264Sdelphij return orig; 704279264Sdelphij 705279264Sdelphij s2n(extdatalen, orig); 706194206Ssimon return ret; 707194206Ssimon } 708194206Ssimon 709279264Sdelphijunsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit) 710194206Ssimon { 711194206Ssimon int extdatalen=0; 712279264Sdelphij unsigned char *orig = buf; 713279264Sdelphij unsigned char *ret = buf; 714238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG 715238405Sjkim int next_proto_neg_seen; 716238405Sjkim#endif 717194206Ssimon 718205128Ssimon /* don't add extensions for SSLv3, unless doing secure renegotiation */ 719205128Ssimon if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 720279264Sdelphij return orig; 721205128Ssimon 722194206Ssimon ret+=2; 723194206Ssimon if (ret>=limit) return NULL; /* this really never occurs, but ... */ 724194206Ssimon 725194206Ssimon if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) 726194206Ssimon { 727238405Sjkim if ((long)(limit - ret - 4) < 0) return NULL; 728194206Ssimon 729194206Ssimon s2n(TLSEXT_TYPE_server_name,ret); 730194206Ssimon s2n(0,ret); 731194206Ssimon } 732205128Ssimon 733205128Ssimon if(s->s3->send_connection_binding) 734205128Ssimon { 735205128Ssimon int el; 736205128Ssimon 737205128Ssimon if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) 738205128Ssimon { 739205128Ssimon SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 740205128Ssimon return NULL; 741205128Ssimon } 742205128Ssimon 743279264Sdelphij if((limit - ret - 4 - el) < 0) return NULL; 744205128Ssimon 745205128Ssimon s2n(TLSEXT_TYPE_renegotiate,ret); 746205128Ssimon s2n(el,ret); 747205128Ssimon 748205128Ssimon if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) 749205128Ssimon { 750205128Ssimon SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 751205128Ssimon return NULL; 752205128Ssimon } 753205128Ssimon 754205128Ssimon ret += el; 755205128Ssimon } 756238405Sjkim 757238405Sjkim#ifndef OPENSSL_NO_EC 758279264Sdelphij if (s->tlsext_ecpointformatlist != NULL) 759238405Sjkim { 760238405Sjkim /* Add TLS extension ECPointFormats to the ServerHello message */ 761238405Sjkim long lenmax; 762238405Sjkim 763238405Sjkim if ((lenmax = limit - ret - 5) < 0) return NULL; 764238405Sjkim if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 765238405Sjkim if (s->tlsext_ecpointformatlist_length > 255) 766238405Sjkim { 767238405Sjkim SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 768238405Sjkim return NULL; 769238405Sjkim } 770238405Sjkim 771238405Sjkim s2n(TLSEXT_TYPE_ec_point_formats,ret); 772238405Sjkim s2n(s->tlsext_ecpointformatlist_length + 1,ret); 773238405Sjkim *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 774238405Sjkim memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 775238405Sjkim ret+=s->tlsext_ecpointformatlist_length; 776238405Sjkim 777238405Sjkim } 778238405Sjkim /* Currently the server should not respond with a SupportedCurves extension */ 779238405Sjkim#endif /* OPENSSL_NO_EC */ 780238405Sjkim 781194206Ssimon if (s->tlsext_ticket_expected 782194206Ssimon && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 783194206Ssimon { 784238405Sjkim if ((long)(limit - ret - 4) < 0) return NULL; 785194206Ssimon s2n(TLSEXT_TYPE_session_ticket,ret); 786194206Ssimon s2n(0,ret); 787194206Ssimon } 788194206Ssimon 789194206Ssimon if (s->tlsext_status_expected) 790194206Ssimon { 791194206Ssimon if ((long)(limit - ret - 4) < 0) return NULL; 792194206Ssimon s2n(TLSEXT_TYPE_status_request,ret); 793194206Ssimon s2n(0,ret); 794194206Ssimon } 795194206Ssimon 796238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input 797238405Sjkim if (s->s3->server_opaque_prf_input != NULL && 798238405Sjkim s->version != DTLS1_VERSION) 799238405Sjkim { 800238405Sjkim size_t sol = s->s3->server_opaque_prf_input_len; 801238405Sjkim 802238405Sjkim if ((long)(limit - ret - 6 - sol) < 0) 803238405Sjkim return NULL; 804238405Sjkim if (sol > 0xFFFD) /* can't happen */ 805238405Sjkim return NULL; 806238405Sjkim 807238405Sjkim s2n(TLSEXT_TYPE_opaque_prf_input, ret); 808238405Sjkim s2n(sol + 2, ret); 809238405Sjkim s2n(sol, ret); 810238405Sjkim memcpy(ret, s->s3->server_opaque_prf_input, sol); 811238405Sjkim ret += sol; 812238405Sjkim } 813238405Sjkim#endif 814238405Sjkim 815246772Sjkim#ifndef OPENSSL_NO_SRTP 816273415Sdelphij if(SSL_IS_DTLS(s) && s->srtp_profile) 817238405Sjkim { 818238405Sjkim int el; 819238405Sjkim 820238405Sjkim ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 821238405Sjkim 822279264Sdelphij if((limit - ret - 4 - el) < 0) return NULL; 823238405Sjkim 824238405Sjkim s2n(TLSEXT_TYPE_use_srtp,ret); 825238405Sjkim s2n(el,ret); 826238405Sjkim 827238405Sjkim if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) 828238405Sjkim { 829238405Sjkim SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 830238405Sjkim return NULL; 831238405Sjkim } 832238405Sjkim ret+=el; 833238405Sjkim } 834246772Sjkim#endif 835238405Sjkim 836238405Sjkim if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 837238405Sjkim && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 838238405Sjkim { const unsigned char cryptopro_ext[36] = { 839238405Sjkim 0xfd, 0xe8, /*65000*/ 840238405Sjkim 0x00, 0x20, /*32 bytes length*/ 841238405Sjkim 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 842238405Sjkim 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 843238405Sjkim 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 844238405Sjkim 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17}; 845238405Sjkim if (limit-ret<36) return NULL; 846238405Sjkim memcpy(ret,cryptopro_ext,36); 847238405Sjkim ret+=36; 848238405Sjkim 849238405Sjkim } 850238405Sjkim 851238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 852238405Sjkim /* Add Heartbeat extension if we've received one */ 853238405Sjkim if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) 854238405Sjkim { 855279264Sdelphij if ((limit - ret - 4 - 1) < 0) 856279264Sdelphij return NULL; 857238405Sjkim s2n(TLSEXT_TYPE_heartbeat,ret); 858238405Sjkim s2n(1,ret); 859238405Sjkim /* Set mode: 860238405Sjkim * 1: peer may send requests 861238405Sjkim * 2: peer not allowed to send requests 862238405Sjkim */ 863238405Sjkim if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 864238405Sjkim *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 865238405Sjkim else 866238405Sjkim *(ret++) = SSL_TLSEXT_HB_ENABLED; 867238405Sjkim 868238405Sjkim } 869238405Sjkim#endif 870238405Sjkim 871238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG 872238405Sjkim next_proto_neg_seen = s->s3->next_proto_neg_seen; 873238405Sjkim s->s3->next_proto_neg_seen = 0; 874238405Sjkim if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) 875238405Sjkim { 876238405Sjkim const unsigned char *npa; 877238405Sjkim unsigned int npalen; 878238405Sjkim int r; 879238405Sjkim 880238405Sjkim r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); 881238405Sjkim if (r == SSL_TLSEXT_ERR_OK) 882238405Sjkim { 883238405Sjkim if ((long)(limit - ret - 4 - npalen) < 0) return NULL; 884238405Sjkim s2n(TLSEXT_TYPE_next_proto_neg,ret); 885238405Sjkim s2n(npalen,ret); 886238405Sjkim memcpy(ret, npa, npalen); 887238405Sjkim ret += npalen; 888238405Sjkim s->s3->next_proto_neg_seen = 1; 889238405Sjkim } 890238405Sjkim } 891238405Sjkim#endif 892238405Sjkim 893279264Sdelphij if ((extdatalen = ret-orig-2)== 0) 894279264Sdelphij return orig; 895194206Ssimon 896279264Sdelphij s2n(extdatalen, orig); 897194206Ssimon return ret; 898194206Ssimon } 899194206Ssimon 900279264Sdelphij#ifndef OPENSSL_NO_EC 901279264Sdelphij/* ssl_check_for_safari attempts to fingerprint Safari using OS X 902279264Sdelphij * SecureTransport using the TLS extension block in |d|, of length |n|. 903279264Sdelphij * Safari, since 10.6, sends exactly these extensions, in this order: 904279264Sdelphij * SNI, 905279264Sdelphij * elliptic_curves 906279264Sdelphij * ec_point_formats 907279264Sdelphij * 908279264Sdelphij * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, 909279264Sdelphij * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. 910279264Sdelphij * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 911279264Sdelphij * 10.8..10.8.3 (which don't work). 912279264Sdelphij */ 913279264Sdelphijstatic void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { 914279264Sdelphij unsigned short type, size; 915279264Sdelphij static const unsigned char kSafariExtensionsBlock[] = { 916279264Sdelphij 0x00, 0x0a, /* elliptic_curves extension */ 917279264Sdelphij 0x00, 0x08, /* 8 bytes */ 918279264Sdelphij 0x00, 0x06, /* 6 bytes of curve ids */ 919279264Sdelphij 0x00, 0x17, /* P-256 */ 920279264Sdelphij 0x00, 0x18, /* P-384 */ 921279264Sdelphij 0x00, 0x19, /* P-521 */ 922279264Sdelphij 923279264Sdelphij 0x00, 0x0b, /* ec_point_formats */ 924279264Sdelphij 0x00, 0x02, /* 2 bytes */ 925279264Sdelphij 0x01, /* 1 point format */ 926279264Sdelphij 0x00, /* uncompressed */ 927279264Sdelphij }; 928279264Sdelphij 929279264Sdelphij /* The following is only present in TLS 1.2 */ 930279264Sdelphij static const unsigned char kSafariTLS12ExtensionsBlock[] = { 931279264Sdelphij 0x00, 0x0d, /* signature_algorithms */ 932279264Sdelphij 0x00, 0x0c, /* 12 bytes */ 933279264Sdelphij 0x00, 0x0a, /* 10 bytes */ 934279264Sdelphij 0x05, 0x01, /* SHA-384/RSA */ 935279264Sdelphij 0x04, 0x01, /* SHA-256/RSA */ 936279264Sdelphij 0x02, 0x01, /* SHA-1/RSA */ 937279264Sdelphij 0x04, 0x03, /* SHA-256/ECDSA */ 938279264Sdelphij 0x02, 0x03, /* SHA-1/ECDSA */ 939279264Sdelphij }; 940279264Sdelphij 941279264Sdelphij if (data >= (d+n-2)) 942279264Sdelphij return; 943279264Sdelphij data += 2; 944279264Sdelphij 945279264Sdelphij if (data > (d+n-4)) 946279264Sdelphij return; 947279264Sdelphij n2s(data,type); 948279264Sdelphij n2s(data,size); 949279264Sdelphij 950279264Sdelphij if (type != TLSEXT_TYPE_server_name) 951279264Sdelphij return; 952279264Sdelphij 953279264Sdelphij if (data+size > d+n) 954279264Sdelphij return; 955279264Sdelphij data += size; 956279264Sdelphij 957279264Sdelphij if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 958279264Sdelphij { 959279264Sdelphij const size_t len1 = sizeof(kSafariExtensionsBlock); 960279264Sdelphij const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 961279264Sdelphij 962279264Sdelphij if (data + len1 + len2 != d+n) 963279264Sdelphij return; 964279264Sdelphij if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 965279264Sdelphij return; 966279264Sdelphij if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 967279264Sdelphij return; 968279264Sdelphij } 969279264Sdelphij else 970279264Sdelphij { 971279264Sdelphij const size_t len = sizeof(kSafariExtensionsBlock); 972279264Sdelphij 973279264Sdelphij if (data + len != d+n) 974279264Sdelphij return; 975279264Sdelphij if (memcmp(data, kSafariExtensionsBlock, len) != 0) 976279264Sdelphij return; 977279264Sdelphij } 978279264Sdelphij 979279264Sdelphij s->s3->is_probably_safari = 1; 980279264Sdelphij} 981279264Sdelphij#endif /* !OPENSSL_NO_EC */ 982279264Sdelphij 983194206Ssimonint ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 984194206Ssimon { 985194206Ssimon unsigned short type; 986194206Ssimon unsigned short size; 987194206Ssimon unsigned short len; 988194206Ssimon unsigned char *data = *p; 989205128Ssimon int renegotiate_seen = 0; 990238405Sjkim int sigalg_seen = 0; 991205128Ssimon 992194206Ssimon s->servername_done = 0; 993194206Ssimon s->tlsext_status_type = -1; 994238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG 995238405Sjkim s->s3->next_proto_neg_seen = 0; 996238405Sjkim#endif 997194206Ssimon 998238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 999238405Sjkim s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1000238405Sjkim SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1001238405Sjkim#endif 1002238405Sjkim 1003279264Sdelphij#ifndef OPENSSL_NO_EC 1004279264Sdelphij if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 1005279264Sdelphij ssl_check_for_safari(s, data, d, n); 1006279264Sdelphij#endif /* !OPENSSL_NO_EC */ 1007279264Sdelphij 1008279264Sdelphij#ifndef OPENSSL_NO_SRP 1009279264Sdelphij if (s->srp_ctx.login != NULL) 1010279264Sdelphij { 1011279264Sdelphij OPENSSL_free(s->srp_ctx.login); 1012279264Sdelphij s->srp_ctx.login = NULL; 1013279264Sdelphij } 1014279264Sdelphij#endif 1015279264Sdelphij 1016279264Sdelphij s->srtp_profile = NULL; 1017279264Sdelphij 1018194206Ssimon if (data >= (d+n-2)) 1019205128Ssimon goto ri_check; 1020194206Ssimon n2s(data,len); 1021194206Ssimon 1022194206Ssimon if (data > (d+n-len)) 1023205128Ssimon goto ri_check; 1024194206Ssimon 1025194206Ssimon while (data <= (d+n-4)) 1026194206Ssimon { 1027194206Ssimon n2s(data,type); 1028194206Ssimon n2s(data,size); 1029194206Ssimon 1030194206Ssimon if (data+size > (d+n)) 1031205128Ssimon goto ri_check; 1032238405Sjkim#if 0 1033238405Sjkim fprintf(stderr,"Received extension type %d size %d\n",type,size); 1034238405Sjkim#endif 1035194206Ssimon if (s->tlsext_debug_cb) 1036194206Ssimon s->tlsext_debug_cb(s, 0, type, data, size, 1037194206Ssimon s->tlsext_debug_arg); 1038194206Ssimon/* The servername extension is treated as follows: 1039194206Ssimon 1040194206Ssimon - Only the hostname type is supported with a maximum length of 255. 1041194206Ssimon - The servername is rejected if too long or if it contains zeros, 1042194206Ssimon in which case an fatal alert is generated. 1043194206Ssimon - The servername field is maintained together with the session cache. 1044194206Ssimon - When a session is resumed, the servername call back invoked in order 1045194206Ssimon to allow the application to position itself to the right context. 1046194206Ssimon - The servername is acknowledged if it is new for a session or when 1047194206Ssimon it is identical to a previously used for the same session. 1048194206Ssimon Applications can control the behaviour. They can at any time 1049194206Ssimon set a 'desirable' servername for a new SSL object. This can be the 1050194206Ssimon case for example with HTTPS when a Host: header field is received and 1051194206Ssimon a renegotiation is requested. In this case, a possible servername 1052194206Ssimon presented in the new client hello is only acknowledged if it matches 1053194206Ssimon the value of the Host: field. 1054194206Ssimon - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1055194206Ssimon if they provide for changing an explicit servername context for the session, 1056194206Ssimon i.e. when the session has been established with a servername extension. 1057194206Ssimon - On session reconnect, the servername extension may be absent. 1058194206Ssimon 1059194206Ssimon*/ 1060194206Ssimon 1061194206Ssimon if (type == TLSEXT_TYPE_server_name) 1062194206Ssimon { 1063194206Ssimon unsigned char *sdata; 1064194206Ssimon int servname_type; 1065194206Ssimon int dsize; 1066194206Ssimon 1067194206Ssimon if (size < 2) 1068194206Ssimon { 1069194206Ssimon *al = SSL_AD_DECODE_ERROR; 1070194206Ssimon return 0; 1071194206Ssimon } 1072194206Ssimon n2s(data,dsize); 1073194206Ssimon size -= 2; 1074194206Ssimon if (dsize > size ) 1075194206Ssimon { 1076194206Ssimon *al = SSL_AD_DECODE_ERROR; 1077194206Ssimon return 0; 1078194206Ssimon } 1079194206Ssimon 1080194206Ssimon sdata = data; 1081194206Ssimon while (dsize > 3) 1082194206Ssimon { 1083194206Ssimon servname_type = *(sdata++); 1084194206Ssimon n2s(sdata,len); 1085194206Ssimon dsize -= 3; 1086194206Ssimon 1087194206Ssimon if (len > dsize) 1088194206Ssimon { 1089194206Ssimon *al = SSL_AD_DECODE_ERROR; 1090194206Ssimon return 0; 1091194206Ssimon } 1092194206Ssimon if (s->servername_done == 0) 1093194206Ssimon switch (servname_type) 1094194206Ssimon { 1095194206Ssimon case TLSEXT_NAMETYPE_host_name: 1096215697Ssimon if (!s->hit) 1097194206Ssimon { 1098215697Ssimon if(s->session->tlsext_hostname) 1099194206Ssimon { 1100215697Ssimon *al = SSL_AD_DECODE_ERROR; 1101215697Ssimon return 0; 1102215697Ssimon } 1103215697Ssimon if (len > TLSEXT_MAXLEN_host_name) 1104215697Ssimon { 1105194206Ssimon *al = TLS1_AD_UNRECOGNIZED_NAME; 1106194206Ssimon return 0; 1107194206Ssimon } 1108215697Ssimon if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) 1109215697Ssimon { 1110215697Ssimon *al = TLS1_AD_INTERNAL_ERROR; 1111215697Ssimon return 0; 1112215697Ssimon } 1113194206Ssimon memcpy(s->session->tlsext_hostname, sdata, len); 1114194206Ssimon s->session->tlsext_hostname[len]='\0'; 1115194206Ssimon if (strlen(s->session->tlsext_hostname) != len) { 1116194206Ssimon OPENSSL_free(s->session->tlsext_hostname); 1117194206Ssimon s->session->tlsext_hostname = NULL; 1118194206Ssimon *al = TLS1_AD_UNRECOGNIZED_NAME; 1119194206Ssimon return 0; 1120194206Ssimon } 1121194206Ssimon s->servername_done = 1; 1122194206Ssimon 1123194206Ssimon } 1124194206Ssimon else 1125215697Ssimon s->servername_done = s->session->tlsext_hostname 1126215697Ssimon && strlen(s->session->tlsext_hostname) == len 1127194206Ssimon && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1128194206Ssimon 1129194206Ssimon break; 1130194206Ssimon 1131194206Ssimon default: 1132194206Ssimon break; 1133194206Ssimon } 1134194206Ssimon 1135194206Ssimon dsize -= len; 1136194206Ssimon } 1137194206Ssimon if (dsize != 0) 1138194206Ssimon { 1139194206Ssimon *al = SSL_AD_DECODE_ERROR; 1140194206Ssimon return 0; 1141194206Ssimon } 1142194206Ssimon 1143194206Ssimon } 1144238405Sjkim#ifndef OPENSSL_NO_SRP 1145238405Sjkim else if (type == TLSEXT_TYPE_srp) 1146238405Sjkim { 1147238405Sjkim if (size <= 0 || ((len = data[0])) != (size -1)) 1148238405Sjkim { 1149238405Sjkim *al = SSL_AD_DECODE_ERROR; 1150238405Sjkim return 0; 1151238405Sjkim } 1152238405Sjkim if (s->srp_ctx.login != NULL) 1153238405Sjkim { 1154238405Sjkim *al = SSL_AD_DECODE_ERROR; 1155238405Sjkim return 0; 1156238405Sjkim } 1157238405Sjkim if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL) 1158238405Sjkim return -1; 1159238405Sjkim memcpy(s->srp_ctx.login, &data[1], len); 1160238405Sjkim s->srp_ctx.login[len]='\0'; 1161238405Sjkim 1162238405Sjkim if (strlen(s->srp_ctx.login) != len) 1163238405Sjkim { 1164238405Sjkim *al = SSL_AD_DECODE_ERROR; 1165238405Sjkim return 0; 1166238405Sjkim } 1167238405Sjkim } 1168238405Sjkim#endif 1169238405Sjkim 1170238405Sjkim#ifndef OPENSSL_NO_EC 1171279264Sdelphij else if (type == TLSEXT_TYPE_ec_point_formats) 1172238405Sjkim { 1173238405Sjkim unsigned char *sdata = data; 1174238405Sjkim int ecpointformatlist_length = *(sdata++); 1175238405Sjkim 1176238405Sjkim if (ecpointformatlist_length != size - 1) 1177238405Sjkim { 1178238405Sjkim *al = TLS1_AD_DECODE_ERROR; 1179238405Sjkim return 0; 1180238405Sjkim } 1181238405Sjkim if (!s->hit) 1182238405Sjkim { 1183238405Sjkim if(s->session->tlsext_ecpointformatlist) 1184238405Sjkim { 1185238405Sjkim OPENSSL_free(s->session->tlsext_ecpointformatlist); 1186238405Sjkim s->session->tlsext_ecpointformatlist = NULL; 1187238405Sjkim } 1188238405Sjkim s->session->tlsext_ecpointformatlist_length = 0; 1189238405Sjkim if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1190238405Sjkim { 1191238405Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1192238405Sjkim return 0; 1193238405Sjkim } 1194238405Sjkim s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1195238405Sjkim memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1196238405Sjkim } 1197238405Sjkim#if 0 1198238405Sjkim fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); 1199238405Sjkim sdata = s->session->tlsext_ecpointformatlist; 1200238405Sjkim for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1201238405Sjkim fprintf(stderr,"%i ",*(sdata++)); 1202238405Sjkim fprintf(stderr,"\n"); 1203238405Sjkim#endif 1204238405Sjkim } 1205279264Sdelphij else if (type == TLSEXT_TYPE_elliptic_curves) 1206238405Sjkim { 1207238405Sjkim unsigned char *sdata = data; 1208238405Sjkim int ellipticcurvelist_length = (*(sdata++) << 8); 1209238405Sjkim ellipticcurvelist_length += (*(sdata++)); 1210238405Sjkim 1211246772Sjkim if (ellipticcurvelist_length != size - 2 || 1212279264Sdelphij ellipticcurvelist_length < 1 || 1213279264Sdelphij /* Each NamedCurve is 2 bytes. */ 1214279264Sdelphij ellipticcurvelist_length & 1) 1215238405Sjkim { 1216238405Sjkim *al = TLS1_AD_DECODE_ERROR; 1217238405Sjkim return 0; 1218238405Sjkim } 1219238405Sjkim if (!s->hit) 1220238405Sjkim { 1221238405Sjkim if(s->session->tlsext_ellipticcurvelist) 1222238405Sjkim { 1223238405Sjkim *al = TLS1_AD_DECODE_ERROR; 1224238405Sjkim return 0; 1225238405Sjkim } 1226238405Sjkim s->session->tlsext_ellipticcurvelist_length = 0; 1227238405Sjkim if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) 1228238405Sjkim { 1229238405Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1230238405Sjkim return 0; 1231238405Sjkim } 1232238405Sjkim s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; 1233238405Sjkim memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); 1234238405Sjkim } 1235238405Sjkim#if 0 1236238405Sjkim fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); 1237238405Sjkim sdata = s->session->tlsext_ellipticcurvelist; 1238238405Sjkim for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) 1239238405Sjkim fprintf(stderr,"%i ",*(sdata++)); 1240238405Sjkim fprintf(stderr,"\n"); 1241238405Sjkim#endif 1242238405Sjkim } 1243238405Sjkim#endif /* OPENSSL_NO_EC */ 1244238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input 1245238405Sjkim else if (type == TLSEXT_TYPE_opaque_prf_input && 1246238405Sjkim s->version != DTLS1_VERSION) 1247238405Sjkim { 1248238405Sjkim unsigned char *sdata = data; 1249238405Sjkim 1250238405Sjkim if (size < 2) 1251238405Sjkim { 1252238405Sjkim *al = SSL_AD_DECODE_ERROR; 1253238405Sjkim return 0; 1254238405Sjkim } 1255238405Sjkim n2s(sdata, s->s3->client_opaque_prf_input_len); 1256238405Sjkim if (s->s3->client_opaque_prf_input_len != size - 2) 1257238405Sjkim { 1258238405Sjkim *al = SSL_AD_DECODE_ERROR; 1259238405Sjkim return 0; 1260238405Sjkim } 1261238405Sjkim 1262238405Sjkim if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1263238405Sjkim OPENSSL_free(s->s3->client_opaque_prf_input); 1264238405Sjkim if (s->s3->client_opaque_prf_input_len == 0) 1265238405Sjkim s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1266238405Sjkim else 1267238405Sjkim s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); 1268238405Sjkim if (s->s3->client_opaque_prf_input == NULL) 1269238405Sjkim { 1270238405Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1271238405Sjkim return 0; 1272238405Sjkim } 1273238405Sjkim } 1274238405Sjkim#endif 1275238405Sjkim else if (type == TLSEXT_TYPE_session_ticket) 1276238405Sjkim { 1277238405Sjkim if (s->tls_session_ticket_ext_cb && 1278238405Sjkim !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1279238405Sjkim { 1280238405Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1281238405Sjkim return 0; 1282238405Sjkim } 1283238405Sjkim } 1284205128Ssimon else if (type == TLSEXT_TYPE_renegotiate) 1285194206Ssimon { 1286205128Ssimon if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1287205128Ssimon return 0; 1288205128Ssimon renegotiate_seen = 1; 1289205128Ssimon } 1290238405Sjkim else if (type == TLSEXT_TYPE_signature_algorithms) 1291238405Sjkim { 1292238405Sjkim int dsize; 1293238405Sjkim if (sigalg_seen || size < 2) 1294238405Sjkim { 1295238405Sjkim *al = SSL_AD_DECODE_ERROR; 1296238405Sjkim return 0; 1297238405Sjkim } 1298238405Sjkim sigalg_seen = 1; 1299238405Sjkim n2s(data,dsize); 1300238405Sjkim size -= 2; 1301238405Sjkim if (dsize != size || dsize & 1) 1302238405Sjkim { 1303238405Sjkim *al = SSL_AD_DECODE_ERROR; 1304238405Sjkim return 0; 1305238405Sjkim } 1306238405Sjkim if (!tls1_process_sigalgs(s, data, dsize)) 1307238405Sjkim { 1308238405Sjkim *al = SSL_AD_DECODE_ERROR; 1309238405Sjkim return 0; 1310238405Sjkim } 1311238405Sjkim } 1312205128Ssimon else if (type == TLSEXT_TYPE_status_request && 1313279264Sdelphij s->version != DTLS1_VERSION) 1314205128Ssimon { 1315194206Ssimon 1316194206Ssimon if (size < 5) 1317194206Ssimon { 1318194206Ssimon *al = SSL_AD_DECODE_ERROR; 1319194206Ssimon return 0; 1320194206Ssimon } 1321194206Ssimon 1322194206Ssimon s->tlsext_status_type = *data++; 1323194206Ssimon size--; 1324194206Ssimon if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 1325194206Ssimon { 1326194206Ssimon const unsigned char *sdata; 1327194206Ssimon int dsize; 1328194206Ssimon /* Read in responder_id_list */ 1329194206Ssimon n2s(data,dsize); 1330194206Ssimon size -= 2; 1331194206Ssimon if (dsize > size ) 1332194206Ssimon { 1333194206Ssimon *al = SSL_AD_DECODE_ERROR; 1334194206Ssimon return 0; 1335194206Ssimon } 1336194206Ssimon while (dsize > 0) 1337194206Ssimon { 1338194206Ssimon OCSP_RESPID *id; 1339194206Ssimon int idsize; 1340194206Ssimon if (dsize < 4) 1341194206Ssimon { 1342194206Ssimon *al = SSL_AD_DECODE_ERROR; 1343194206Ssimon return 0; 1344194206Ssimon } 1345194206Ssimon n2s(data, idsize); 1346194206Ssimon dsize -= 2 + idsize; 1347218625Ssimon size -= 2 + idsize; 1348194206Ssimon if (dsize < 0) 1349194206Ssimon { 1350194206Ssimon *al = SSL_AD_DECODE_ERROR; 1351194206Ssimon return 0; 1352194206Ssimon } 1353194206Ssimon sdata = data; 1354194206Ssimon data += idsize; 1355194206Ssimon id = d2i_OCSP_RESPID(NULL, 1356194206Ssimon &sdata, idsize); 1357194206Ssimon if (!id) 1358194206Ssimon { 1359194206Ssimon *al = SSL_AD_DECODE_ERROR; 1360194206Ssimon return 0; 1361194206Ssimon } 1362194206Ssimon if (data != sdata) 1363194206Ssimon { 1364194206Ssimon OCSP_RESPID_free(id); 1365194206Ssimon *al = SSL_AD_DECODE_ERROR; 1366194206Ssimon return 0; 1367194206Ssimon } 1368194206Ssimon if (!s->tlsext_ocsp_ids 1369194206Ssimon && !(s->tlsext_ocsp_ids = 1370194206Ssimon sk_OCSP_RESPID_new_null())) 1371194206Ssimon { 1372194206Ssimon OCSP_RESPID_free(id); 1373194206Ssimon *al = SSL_AD_INTERNAL_ERROR; 1374194206Ssimon return 0; 1375194206Ssimon } 1376194206Ssimon if (!sk_OCSP_RESPID_push( 1377194206Ssimon s->tlsext_ocsp_ids, id)) 1378194206Ssimon { 1379194206Ssimon OCSP_RESPID_free(id); 1380194206Ssimon *al = SSL_AD_INTERNAL_ERROR; 1381194206Ssimon return 0; 1382194206Ssimon } 1383194206Ssimon } 1384194206Ssimon 1385194206Ssimon /* Read in request_extensions */ 1386218625Ssimon if (size < 2) 1387218625Ssimon { 1388218625Ssimon *al = SSL_AD_DECODE_ERROR; 1389218625Ssimon return 0; 1390218625Ssimon } 1391194206Ssimon n2s(data,dsize); 1392194206Ssimon size -= 2; 1393218625Ssimon if (dsize != size) 1394194206Ssimon { 1395194206Ssimon *al = SSL_AD_DECODE_ERROR; 1396194206Ssimon return 0; 1397194206Ssimon } 1398194206Ssimon sdata = data; 1399194206Ssimon if (dsize > 0) 1400194206Ssimon { 1401237657Sjkim if (s->tlsext_ocsp_exts) 1402237657Sjkim { 1403237657Sjkim sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1404237657Sjkim X509_EXTENSION_free); 1405237657Sjkim } 1406237657Sjkim 1407194206Ssimon s->tlsext_ocsp_exts = 1408194206Ssimon d2i_X509_EXTENSIONS(NULL, 1409194206Ssimon &sdata, dsize); 1410194206Ssimon if (!s->tlsext_ocsp_exts 1411194206Ssimon || (data + dsize != sdata)) 1412194206Ssimon { 1413194206Ssimon *al = SSL_AD_DECODE_ERROR; 1414194206Ssimon return 0; 1415194206Ssimon } 1416194206Ssimon } 1417194206Ssimon } 1418194206Ssimon /* We don't know what to do with any other type 1419194206Ssimon * so ignore it. 1420194206Ssimon */ 1421194206Ssimon else 1422194206Ssimon s->tlsext_status_type = -1; 1423194206Ssimon } 1424238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 1425238405Sjkim else if (type == TLSEXT_TYPE_heartbeat) 1426238405Sjkim { 1427238405Sjkim switch(data[0]) 1428238405Sjkim { 1429238405Sjkim case 0x01: /* Client allows us to send HB requests */ 1430238405Sjkim s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1431238405Sjkim break; 1432238405Sjkim case 0x02: /* Client doesn't accept HB requests */ 1433238405Sjkim s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1434238405Sjkim s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1435238405Sjkim break; 1436238405Sjkim default: *al = SSL_AD_ILLEGAL_PARAMETER; 1437238405Sjkim return 0; 1438238405Sjkim } 1439238405Sjkim } 1440238405Sjkim#endif 1441238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG 1442238405Sjkim else if (type == TLSEXT_TYPE_next_proto_neg && 1443238405Sjkim s->s3->tmp.finish_md_len == 0) 1444238405Sjkim { 1445238405Sjkim /* We shouldn't accept this extension on a 1446238405Sjkim * renegotiation. 1447238405Sjkim * 1448238405Sjkim * s->new_session will be set on renegotiation, but we 1449238405Sjkim * probably shouldn't rely that it couldn't be set on 1450238405Sjkim * the initial renegotation too in certain cases (when 1451238405Sjkim * there's some other reason to disallow resuming an 1452238405Sjkim * earlier session -- the current code won't be doing 1453238405Sjkim * anything like that, but this might change). 1454205128Ssimon 1455238405Sjkim * A valid sign that there's been a previous handshake 1456238405Sjkim * in this connection is if s->s3->tmp.finish_md_len > 1457238405Sjkim * 0. (We are talking about a check that will happen 1458238405Sjkim * in the Hello protocol round, well before a new 1459238405Sjkim * Finished message could have been computed.) */ 1460238405Sjkim s->s3->next_proto_neg_seen = 1; 1461238405Sjkim } 1462238405Sjkim#endif 1463238405Sjkim 1464194206Ssimon /* session ticket processed earlier */ 1465246772Sjkim#ifndef OPENSSL_NO_SRTP 1466273415Sdelphij else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) 1467273415Sdelphij && type == TLSEXT_TYPE_use_srtp) 1468246772Sjkim { 1469238405Sjkim if(ssl_parse_clienthello_use_srtp_ext(s, data, size, 1470238405Sjkim al)) 1471238405Sjkim return 0; 1472246772Sjkim } 1473246772Sjkim#endif 1474194206Ssimon 1475238405Sjkim data+=size; 1476194206Ssimon } 1477238405Sjkim 1478205128Ssimon *p = data; 1479194206Ssimon 1480205128Ssimon ri_check: 1481205128Ssimon 1482205128Ssimon /* Need RI if renegotiating */ 1483205128Ssimon 1484238405Sjkim if (!renegotiate_seen && s->renegotiate && 1485205128Ssimon !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1486205128Ssimon { 1487205128Ssimon *al = SSL_AD_HANDSHAKE_FAILURE; 1488205128Ssimon SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1489205128Ssimon SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1490205128Ssimon return 0; 1491205128Ssimon } 1492205128Ssimon 1493194206Ssimon return 1; 1494194206Ssimon } 1495194206Ssimon 1496238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG 1497238405Sjkim/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1498238405Sjkim * elements of zero length are allowed and the set of elements must exactly fill 1499238405Sjkim * the length of the block. */ 1500238405Sjkimstatic char ssl_next_proto_validate(unsigned char *d, unsigned len) 1501238405Sjkim { 1502238405Sjkim unsigned int off = 0; 1503238405Sjkim 1504238405Sjkim while (off < len) 1505238405Sjkim { 1506238405Sjkim if (d[off] == 0) 1507238405Sjkim return 0; 1508238405Sjkim off += d[off]; 1509238405Sjkim off++; 1510238405Sjkim } 1511238405Sjkim 1512238405Sjkim return off == len; 1513238405Sjkim } 1514238405Sjkim#endif 1515238405Sjkim 1516194206Ssimonint ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 1517194206Ssimon { 1518215697Ssimon unsigned short length; 1519194206Ssimon unsigned short type; 1520194206Ssimon unsigned short size; 1521194206Ssimon unsigned char *data = *p; 1522194206Ssimon int tlsext_servername = 0; 1523205128Ssimon int renegotiate_seen = 0; 1524194206Ssimon 1525238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG 1526238405Sjkim s->s3->next_proto_neg_seen = 0; 1527238405Sjkim#endif 1528279264Sdelphij s->tlsext_ticket_expected = 0; 1529238405Sjkim 1530238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 1531238405Sjkim s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1532238405Sjkim SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1533238405Sjkim#endif 1534238405Sjkim 1535194206Ssimon if (data >= (d+n-2)) 1536205128Ssimon goto ri_check; 1537194206Ssimon 1538215697Ssimon n2s(data,length); 1539215697Ssimon if (data+length != d+n) 1540215697Ssimon { 1541215697Ssimon *al = SSL_AD_DECODE_ERROR; 1542215697Ssimon return 0; 1543215697Ssimon } 1544194206Ssimon 1545194206Ssimon while(data <= (d+n-4)) 1546194206Ssimon { 1547194206Ssimon n2s(data,type); 1548194206Ssimon n2s(data,size); 1549194206Ssimon 1550194206Ssimon if (data+size > (d+n)) 1551205128Ssimon goto ri_check; 1552194206Ssimon 1553194206Ssimon if (s->tlsext_debug_cb) 1554194206Ssimon s->tlsext_debug_cb(s, 1, type, data, size, 1555194206Ssimon s->tlsext_debug_arg); 1556194206Ssimon 1557194206Ssimon if (type == TLSEXT_TYPE_server_name) 1558194206Ssimon { 1559194206Ssimon if (s->tlsext_hostname == NULL || size > 0) 1560194206Ssimon { 1561194206Ssimon *al = TLS1_AD_UNRECOGNIZED_NAME; 1562194206Ssimon return 0; 1563194206Ssimon } 1564194206Ssimon tlsext_servername = 1; 1565194206Ssimon } 1566238405Sjkim 1567238405Sjkim#ifndef OPENSSL_NO_EC 1568279264Sdelphij else if (type == TLSEXT_TYPE_ec_point_formats) 1569238405Sjkim { 1570238405Sjkim unsigned char *sdata = data; 1571238405Sjkim int ecpointformatlist_length = *(sdata++); 1572238405Sjkim 1573246772Sjkim if (ecpointformatlist_length != size - 1 || 1574246772Sjkim ecpointformatlist_length < 1) 1575238405Sjkim { 1576238405Sjkim *al = TLS1_AD_DECODE_ERROR; 1577238405Sjkim return 0; 1578238405Sjkim } 1579271304Sdelphij if (!s->hit) 1580238405Sjkim { 1581271304Sdelphij s->session->tlsext_ecpointformatlist_length = 0; 1582271304Sdelphij if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); 1583271304Sdelphij if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1584271304Sdelphij { 1585271304Sdelphij *al = TLS1_AD_INTERNAL_ERROR; 1586271304Sdelphij return 0; 1587271304Sdelphij } 1588271304Sdelphij s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1589271304Sdelphij memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1590238405Sjkim } 1591238405Sjkim#if 0 1592238405Sjkim fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); 1593238405Sjkim sdata = s->session->tlsext_ecpointformatlist; 1594238405Sjkim for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1595238405Sjkim fprintf(stderr,"%i ",*(sdata++)); 1596238405Sjkim fprintf(stderr,"\n"); 1597238405Sjkim#endif 1598238405Sjkim } 1599238405Sjkim#endif /* OPENSSL_NO_EC */ 1600238405Sjkim 1601194206Ssimon else if (type == TLSEXT_TYPE_session_ticket) 1602194206Ssimon { 1603238405Sjkim if (s->tls_session_ticket_ext_cb && 1604238405Sjkim !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1605238405Sjkim { 1606238405Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1607238405Sjkim return 0; 1608238405Sjkim } 1609194206Ssimon if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 1610194206Ssimon || (size > 0)) 1611194206Ssimon { 1612194206Ssimon *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1613194206Ssimon return 0; 1614194206Ssimon } 1615194206Ssimon s->tlsext_ticket_expected = 1; 1616194206Ssimon } 1617238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input 1618238405Sjkim else if (type == TLSEXT_TYPE_opaque_prf_input && 1619238405Sjkim s->version != DTLS1_VERSION) 1620238405Sjkim { 1621238405Sjkim unsigned char *sdata = data; 1622238405Sjkim 1623238405Sjkim if (size < 2) 1624238405Sjkim { 1625238405Sjkim *al = SSL_AD_DECODE_ERROR; 1626238405Sjkim return 0; 1627238405Sjkim } 1628238405Sjkim n2s(sdata, s->s3->server_opaque_prf_input_len); 1629238405Sjkim if (s->s3->server_opaque_prf_input_len != size - 2) 1630238405Sjkim { 1631238405Sjkim *al = SSL_AD_DECODE_ERROR; 1632238405Sjkim return 0; 1633238405Sjkim } 1634238405Sjkim 1635238405Sjkim if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1636238405Sjkim OPENSSL_free(s->s3->server_opaque_prf_input); 1637238405Sjkim if (s->s3->server_opaque_prf_input_len == 0) 1638238405Sjkim s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1639238405Sjkim else 1640238405Sjkim s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); 1641238405Sjkim 1642238405Sjkim if (s->s3->server_opaque_prf_input == NULL) 1643238405Sjkim { 1644238405Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1645238405Sjkim return 0; 1646238405Sjkim } 1647238405Sjkim } 1648238405Sjkim#endif 1649205128Ssimon else if (type == TLSEXT_TYPE_status_request && 1650205128Ssimon s->version != DTLS1_VERSION) 1651194206Ssimon { 1652194206Ssimon /* MUST be empty and only sent if we've requested 1653194206Ssimon * a status request message. 1654194206Ssimon */ 1655194206Ssimon if ((s->tlsext_status_type == -1) || (size > 0)) 1656194206Ssimon { 1657194206Ssimon *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1658194206Ssimon return 0; 1659194206Ssimon } 1660194206Ssimon /* Set flag to expect CertificateStatus message */ 1661194206Ssimon s->tlsext_status_expected = 1; 1662194206Ssimon } 1663238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG 1664238405Sjkim else if (type == TLSEXT_TYPE_next_proto_neg && 1665238405Sjkim s->s3->tmp.finish_md_len == 0) 1666238405Sjkim { 1667238405Sjkim unsigned char *selected; 1668238405Sjkim unsigned char selected_len; 1669238405Sjkim 1670238405Sjkim /* We must have requested it. */ 1671246772Sjkim if (s->ctx->next_proto_select_cb == NULL) 1672238405Sjkim { 1673238405Sjkim *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1674238405Sjkim return 0; 1675238405Sjkim } 1676238405Sjkim /* The data must be valid */ 1677238405Sjkim if (!ssl_next_proto_validate(data, size)) 1678238405Sjkim { 1679238405Sjkim *al = TLS1_AD_DECODE_ERROR; 1680238405Sjkim return 0; 1681238405Sjkim } 1682238405Sjkim if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) 1683238405Sjkim { 1684238405Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1685238405Sjkim return 0; 1686238405Sjkim } 1687238405Sjkim s->next_proto_negotiated = OPENSSL_malloc(selected_len); 1688238405Sjkim if (!s->next_proto_negotiated) 1689238405Sjkim { 1690238405Sjkim *al = TLS1_AD_INTERNAL_ERROR; 1691238405Sjkim return 0; 1692238405Sjkim } 1693238405Sjkim memcpy(s->next_proto_negotiated, selected, selected_len); 1694238405Sjkim s->next_proto_negotiated_len = selected_len; 1695238405Sjkim s->s3->next_proto_neg_seen = 1; 1696238405Sjkim } 1697238405Sjkim#endif 1698205128Ssimon else if (type == TLSEXT_TYPE_renegotiate) 1699205128Ssimon { 1700205128Ssimon if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1701205128Ssimon return 0; 1702205128Ssimon renegotiate_seen = 1; 1703205128Ssimon } 1704238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 1705238405Sjkim else if (type == TLSEXT_TYPE_heartbeat) 1706238405Sjkim { 1707238405Sjkim switch(data[0]) 1708238405Sjkim { 1709238405Sjkim case 0x01: /* Server allows us to send HB requests */ 1710238405Sjkim s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1711238405Sjkim break; 1712238405Sjkim case 0x02: /* Server doesn't accept HB requests */ 1713238405Sjkim s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1714238405Sjkim s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1715238405Sjkim break; 1716238405Sjkim default: *al = SSL_AD_ILLEGAL_PARAMETER; 1717238405Sjkim return 0; 1718238405Sjkim } 1719238405Sjkim } 1720238405Sjkim#endif 1721246772Sjkim#ifndef OPENSSL_NO_SRTP 1722273415Sdelphij else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) 1723246772Sjkim { 1724238405Sjkim if(ssl_parse_serverhello_use_srtp_ext(s, data, size, 1725238405Sjkim al)) 1726238405Sjkim return 0; 1727246772Sjkim } 1728246772Sjkim#endif 1729238405Sjkim 1730194206Ssimon data+=size; 1731194206Ssimon } 1732194206Ssimon 1733194206Ssimon if (data != d+n) 1734194206Ssimon { 1735194206Ssimon *al = SSL_AD_DECODE_ERROR; 1736194206Ssimon return 0; 1737194206Ssimon } 1738194206Ssimon 1739194206Ssimon if (!s->hit && tlsext_servername == 1) 1740194206Ssimon { 1741194206Ssimon if (s->tlsext_hostname) 1742194206Ssimon { 1743194206Ssimon if (s->session->tlsext_hostname == NULL) 1744194206Ssimon { 1745194206Ssimon s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 1746194206Ssimon if (!s->session->tlsext_hostname) 1747194206Ssimon { 1748194206Ssimon *al = SSL_AD_UNRECOGNIZED_NAME; 1749194206Ssimon return 0; 1750194206Ssimon } 1751194206Ssimon } 1752194206Ssimon else 1753194206Ssimon { 1754194206Ssimon *al = SSL_AD_DECODE_ERROR; 1755194206Ssimon return 0; 1756194206Ssimon } 1757194206Ssimon } 1758194206Ssimon } 1759194206Ssimon 1760194206Ssimon *p = data; 1761205128Ssimon 1762205128Ssimon ri_check: 1763205128Ssimon 1764205128Ssimon /* Determine if we need to see RI. Strictly speaking if we want to 1765205128Ssimon * avoid an attack we should *always* see RI even on initial server 1766205128Ssimon * hello because the client doesn't see any renegotiation during an 1767205128Ssimon * attack. However this would mean we could not connect to any server 1768205128Ssimon * which doesn't support RI so for the immediate future tolerate RI 1769205128Ssimon * absence on initial connect only. 1770205128Ssimon */ 1771205128Ssimon if (!renegotiate_seen 1772205128Ssimon && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 1773205128Ssimon && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1774205128Ssimon { 1775205128Ssimon *al = SSL_AD_HANDSHAKE_FAILURE; 1776205128Ssimon SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1777205128Ssimon SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1778205128Ssimon return 0; 1779205128Ssimon } 1780205128Ssimon 1781194206Ssimon return 1; 1782194206Ssimon } 1783194206Ssimon 1784238405Sjkim 1785238405Sjkimint ssl_prepare_clienthello_tlsext(SSL *s) 1786238405Sjkim { 1787238405Sjkim#ifndef OPENSSL_NO_EC 1788238405Sjkim /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 1789238405Sjkim * and elliptic curves we support. 1790238405Sjkim */ 1791238405Sjkim int using_ecc = 0; 1792238405Sjkim int i; 1793238405Sjkim unsigned char *j; 1794238405Sjkim unsigned long alg_k, alg_a; 1795238405Sjkim STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 1796238405Sjkim 1797238405Sjkim for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) 1798238405Sjkim { 1799238405Sjkim SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 1800238405Sjkim 1801238405Sjkim alg_k = c->algorithm_mkey; 1802238405Sjkim alg_a = c->algorithm_auth; 1803238405Sjkim if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) 1804238405Sjkim { 1805238405Sjkim using_ecc = 1; 1806238405Sjkim break; 1807238405Sjkim } 1808238405Sjkim } 1809238405Sjkim using_ecc = using_ecc && (s->version >= TLS1_VERSION); 1810238405Sjkim if (using_ecc) 1811238405Sjkim { 1812238405Sjkim if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1813238405Sjkim if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1814238405Sjkim { 1815238405Sjkim SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1816238405Sjkim return -1; 1817238405Sjkim } 1818238405Sjkim s->tlsext_ecpointformatlist_length = 3; 1819238405Sjkim s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1820238405Sjkim s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1821238405Sjkim s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1822238405Sjkim 1823279264Sdelphij /* we support all named elliptic curves in RFC 4492 */ 1824238405Sjkim if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); 1825238405Sjkim s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2; 1826238405Sjkim if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) 1827238405Sjkim { 1828238405Sjkim s->tlsext_ellipticcurvelist_length = 0; 1829238405Sjkim SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1830238405Sjkim return -1; 1831238405Sjkim } 1832238405Sjkim for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < 1833238405Sjkim sizeof(pref_list)/sizeof(pref_list[0]); i++) 1834238405Sjkim { 1835238405Sjkim int id = tls1_ec_nid2curve_id(pref_list[i]); 1836238405Sjkim s2n(id,j); 1837238405Sjkim } 1838238405Sjkim } 1839238405Sjkim#endif /* OPENSSL_NO_EC */ 1840238405Sjkim 1841238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input 1842238405Sjkim { 1843238405Sjkim int r = 1; 1844238405Sjkim 1845238405Sjkim if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1846238405Sjkim { 1847238405Sjkim r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1848238405Sjkim if (!r) 1849238405Sjkim return -1; 1850238405Sjkim } 1851238405Sjkim 1852238405Sjkim if (s->tlsext_opaque_prf_input != NULL) 1853238405Sjkim { 1854238405Sjkim if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1855238405Sjkim OPENSSL_free(s->s3->client_opaque_prf_input); 1856238405Sjkim 1857238405Sjkim if (s->tlsext_opaque_prf_input_len == 0) 1858238405Sjkim s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1859238405Sjkim else 1860238405Sjkim s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1861238405Sjkim if (s->s3->client_opaque_prf_input == NULL) 1862238405Sjkim { 1863238405Sjkim SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1864238405Sjkim return -1; 1865238405Sjkim } 1866238405Sjkim s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1867238405Sjkim } 1868238405Sjkim 1869238405Sjkim if (r == 2) 1870238405Sjkim /* at callback's request, insist on receiving an appropriate server opaque PRF input */ 1871238405Sjkim s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1872238405Sjkim } 1873238405Sjkim#endif 1874238405Sjkim 1875238405Sjkim return 1; 1876238405Sjkim } 1877238405Sjkim 1878238405Sjkimint ssl_prepare_serverhello_tlsext(SSL *s) 1879238405Sjkim { 1880238405Sjkim#ifndef OPENSSL_NO_EC 1881238405Sjkim /* If we are server and using an ECC cipher suite, send the point formats we support 1882238405Sjkim * if the client sent us an ECPointsFormat extension. Note that the server is not 1883238405Sjkim * supposed to send an EllipticCurves extension. 1884238405Sjkim */ 1885238405Sjkim 1886238405Sjkim unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1887238405Sjkim unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1888238405Sjkim int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); 1889238405Sjkim using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); 1890238405Sjkim 1891238405Sjkim if (using_ecc) 1892238405Sjkim { 1893238405Sjkim if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1894238405Sjkim if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1895238405Sjkim { 1896238405Sjkim SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1897238405Sjkim return -1; 1898238405Sjkim } 1899238405Sjkim s->tlsext_ecpointformatlist_length = 3; 1900238405Sjkim s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1901238405Sjkim s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1902238405Sjkim s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1903238405Sjkim } 1904238405Sjkim#endif /* OPENSSL_NO_EC */ 1905238405Sjkim 1906238405Sjkim return 1; 1907238405Sjkim } 1908238405Sjkim 1909246772Sjkimint ssl_check_clienthello_tlsext_early(SSL *s) 1910194206Ssimon { 1911194206Ssimon int ret=SSL_TLSEXT_ERR_NOACK; 1912194206Ssimon int al = SSL_AD_UNRECOGNIZED_NAME; 1913194206Ssimon 1914238405Sjkim#ifndef OPENSSL_NO_EC 1915238405Sjkim /* The handling of the ECPointFormats extension is done elsewhere, namely in 1916238405Sjkim * ssl3_choose_cipher in s3_lib.c. 1917238405Sjkim */ 1918238405Sjkim /* The handling of the EllipticCurves extension is done elsewhere, namely in 1919238405Sjkim * ssl3_choose_cipher in s3_lib.c. 1920238405Sjkim */ 1921238405Sjkim#endif 1922238405Sjkim 1923194206Ssimon if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1924194206Ssimon ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1925194206Ssimon else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1926194206Ssimon ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1927194206Ssimon 1928238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input 1929238405Sjkim { 1930238405Sjkim /* This sort of belongs into ssl_prepare_serverhello_tlsext(), 1931238405Sjkim * but we might be sending an alert in response to the client hello, 1932246772Sjkim * so this has to happen here in 1933246772Sjkim * ssl_check_clienthello_tlsext_early(). */ 1934238405Sjkim 1935238405Sjkim int r = 1; 1936238405Sjkim 1937238405Sjkim if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1938238405Sjkim { 1939238405Sjkim r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1940238405Sjkim if (!r) 1941238405Sjkim { 1942238405Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1943238405Sjkim al = SSL_AD_INTERNAL_ERROR; 1944238405Sjkim goto err; 1945238405Sjkim } 1946238405Sjkim } 1947238405Sjkim 1948238405Sjkim if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1949238405Sjkim OPENSSL_free(s->s3->server_opaque_prf_input); 1950238405Sjkim s->s3->server_opaque_prf_input = NULL; 1951238405Sjkim 1952238405Sjkim if (s->tlsext_opaque_prf_input != NULL) 1953238405Sjkim { 1954238405Sjkim if (s->s3->client_opaque_prf_input != NULL && 1955238405Sjkim s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) 1956238405Sjkim { 1957238405Sjkim /* can only use this extension if we have a server opaque PRF input 1958238405Sjkim * of the same length as the client opaque PRF input! */ 1959238405Sjkim 1960238405Sjkim if (s->tlsext_opaque_prf_input_len == 0) 1961238405Sjkim s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1962238405Sjkim else 1963238405Sjkim s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1964238405Sjkim if (s->s3->server_opaque_prf_input == NULL) 1965238405Sjkim { 1966238405Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1967238405Sjkim al = SSL_AD_INTERNAL_ERROR; 1968238405Sjkim goto err; 1969238405Sjkim } 1970238405Sjkim s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1971238405Sjkim } 1972238405Sjkim } 1973238405Sjkim 1974238405Sjkim if (r == 2 && s->s3->server_opaque_prf_input == NULL) 1975238405Sjkim { 1976238405Sjkim /* The callback wants to enforce use of the extension, 1977238405Sjkim * but we can't do that with the client opaque PRF input; 1978238405Sjkim * abort the handshake. 1979238405Sjkim */ 1980238405Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1981238405Sjkim al = SSL_AD_HANDSHAKE_FAILURE; 1982238405Sjkim } 1983238405Sjkim } 1984238405Sjkim 1985246772Sjkim err: 1986238405Sjkim#endif 1987194206Ssimon switch (ret) 1988194206Ssimon { 1989194206Ssimon case SSL_TLSEXT_ERR_ALERT_FATAL: 1990194206Ssimon ssl3_send_alert(s,SSL3_AL_FATAL,al); 1991194206Ssimon return -1; 1992194206Ssimon 1993194206Ssimon case SSL_TLSEXT_ERR_ALERT_WARNING: 1994194206Ssimon ssl3_send_alert(s,SSL3_AL_WARNING,al); 1995194206Ssimon return 1; 1996194206Ssimon 1997194206Ssimon case SSL_TLSEXT_ERR_NOACK: 1998194206Ssimon s->servername_done=0; 1999194206Ssimon default: 2000194206Ssimon return 1; 2001194206Ssimon } 2002194206Ssimon } 2003194206Ssimon 2004246772Sjkimint ssl_check_clienthello_tlsext_late(SSL *s) 2005246772Sjkim { 2006246772Sjkim int ret = SSL_TLSEXT_ERR_OK; 2007246772Sjkim int al; 2008246772Sjkim 2009246772Sjkim /* If status request then ask callback what to do. 2010246772Sjkim * Note: this must be called after servername callbacks in case 2011246772Sjkim * the certificate has changed, and must be called after the cipher 2012246772Sjkim * has been chosen because this may influence which certificate is sent 2013246772Sjkim */ 2014246772Sjkim if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) 2015246772Sjkim { 2016246772Sjkim int r; 2017246772Sjkim CERT_PKEY *certpkey; 2018246772Sjkim certpkey = ssl_get_server_send_pkey(s); 2019246772Sjkim /* If no certificate can't return certificate status */ 2020246772Sjkim if (certpkey == NULL) 2021246772Sjkim { 2022246772Sjkim s->tlsext_status_expected = 0; 2023246772Sjkim return 1; 2024246772Sjkim } 2025246772Sjkim /* Set current certificate to one we will use so 2026246772Sjkim * SSL_get_certificate et al can pick it up. 2027246772Sjkim */ 2028246772Sjkim s->cert->key = certpkey; 2029246772Sjkim r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2030246772Sjkim switch (r) 2031246772Sjkim { 2032246772Sjkim /* We don't want to send a status request response */ 2033246772Sjkim case SSL_TLSEXT_ERR_NOACK: 2034246772Sjkim s->tlsext_status_expected = 0; 2035246772Sjkim break; 2036246772Sjkim /* status request response should be sent */ 2037246772Sjkim case SSL_TLSEXT_ERR_OK: 2038246772Sjkim if (s->tlsext_ocsp_resp) 2039246772Sjkim s->tlsext_status_expected = 1; 2040246772Sjkim else 2041246772Sjkim s->tlsext_status_expected = 0; 2042246772Sjkim break; 2043246772Sjkim /* something bad happened */ 2044246772Sjkim case SSL_TLSEXT_ERR_ALERT_FATAL: 2045246772Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2046246772Sjkim al = SSL_AD_INTERNAL_ERROR; 2047246772Sjkim goto err; 2048246772Sjkim } 2049246772Sjkim } 2050246772Sjkim else 2051246772Sjkim s->tlsext_status_expected = 0; 2052246772Sjkim 2053246772Sjkim err: 2054246772Sjkim switch (ret) 2055246772Sjkim { 2056246772Sjkim case SSL_TLSEXT_ERR_ALERT_FATAL: 2057246772Sjkim ssl3_send_alert(s,SSL3_AL_FATAL,al); 2058246772Sjkim return -1; 2059246772Sjkim 2060246772Sjkim case SSL_TLSEXT_ERR_ALERT_WARNING: 2061246772Sjkim ssl3_send_alert(s,SSL3_AL_WARNING,al); 2062246772Sjkim return 1; 2063246772Sjkim 2064246772Sjkim default: 2065246772Sjkim return 1; 2066246772Sjkim } 2067246772Sjkim } 2068246772Sjkim 2069194206Ssimonint ssl_check_serverhello_tlsext(SSL *s) 2070194206Ssimon { 2071194206Ssimon int ret=SSL_TLSEXT_ERR_NOACK; 2072194206Ssimon int al = SSL_AD_UNRECOGNIZED_NAME; 2073194206Ssimon 2074238405Sjkim#ifndef OPENSSL_NO_EC 2075238405Sjkim /* If we are client and using an elliptic curve cryptography cipher 2076238405Sjkim * suite, then if server returns an EC point formats lists extension 2077238405Sjkim * it must contain uncompressed. 2078238405Sjkim */ 2079238405Sjkim unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2080238405Sjkim unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2081238405Sjkim if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 2082238405Sjkim (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 2083238405Sjkim ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) 2084238405Sjkim { 2085238405Sjkim /* we are using an ECC cipher */ 2086238405Sjkim size_t i; 2087238405Sjkim unsigned char *list; 2088238405Sjkim int found_uncompressed = 0; 2089238405Sjkim list = s->session->tlsext_ecpointformatlist; 2090238405Sjkim for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 2091238405Sjkim { 2092238405Sjkim if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) 2093238405Sjkim { 2094238405Sjkim found_uncompressed = 1; 2095238405Sjkim break; 2096238405Sjkim } 2097238405Sjkim } 2098238405Sjkim if (!found_uncompressed) 2099238405Sjkim { 2100238405Sjkim SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 2101238405Sjkim return -1; 2102238405Sjkim } 2103238405Sjkim } 2104238405Sjkim ret = SSL_TLSEXT_ERR_OK; 2105238405Sjkim#endif /* OPENSSL_NO_EC */ 2106238405Sjkim 2107194206Ssimon if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 2108194206Ssimon ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 2109194206Ssimon else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 2110194206Ssimon ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 2111194206Ssimon 2112238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input 2113238405Sjkim if (s->s3->server_opaque_prf_input_len > 0) 2114238405Sjkim { 2115238405Sjkim /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs. 2116238405Sjkim * So first verify that we really have a value from the server too. */ 2117238405Sjkim 2118238405Sjkim if (s->s3->server_opaque_prf_input == NULL) 2119238405Sjkim { 2120238405Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2121238405Sjkim al = SSL_AD_HANDSHAKE_FAILURE; 2122238405Sjkim } 2123238405Sjkim 2124238405Sjkim /* Anytime the server *has* sent an opaque PRF input, we need to check 2125238405Sjkim * that we have a client opaque PRF input of the same size. */ 2126238405Sjkim if (s->s3->client_opaque_prf_input == NULL || 2127238405Sjkim s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) 2128238405Sjkim { 2129238405Sjkim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2130238405Sjkim al = SSL_AD_ILLEGAL_PARAMETER; 2131238405Sjkim } 2132238405Sjkim } 2133238405Sjkim#endif 2134238405Sjkim 2135194206Ssimon /* If we've requested certificate status and we wont get one 2136194206Ssimon * tell the callback 2137194206Ssimon */ 2138194206Ssimon if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 2139238405Sjkim && s->ctx && s->ctx->tlsext_status_cb) 2140194206Ssimon { 2141194206Ssimon int r; 2142194206Ssimon /* Set resp to NULL, resplen to -1 so callback knows 2143194206Ssimon * there is no response. 2144194206Ssimon */ 2145194206Ssimon if (s->tlsext_ocsp_resp) 2146194206Ssimon { 2147194206Ssimon OPENSSL_free(s->tlsext_ocsp_resp); 2148194206Ssimon s->tlsext_ocsp_resp = NULL; 2149194206Ssimon } 2150194206Ssimon s->tlsext_ocsp_resplen = -1; 2151194206Ssimon r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2152194206Ssimon if (r == 0) 2153194206Ssimon { 2154194206Ssimon al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2155194206Ssimon ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2156194206Ssimon } 2157194206Ssimon if (r < 0) 2158194206Ssimon { 2159194206Ssimon al = SSL_AD_INTERNAL_ERROR; 2160194206Ssimon ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2161194206Ssimon } 2162194206Ssimon } 2163194206Ssimon 2164194206Ssimon switch (ret) 2165194206Ssimon { 2166194206Ssimon case SSL_TLSEXT_ERR_ALERT_FATAL: 2167194206Ssimon ssl3_send_alert(s,SSL3_AL_FATAL,al); 2168194206Ssimon return -1; 2169194206Ssimon 2170194206Ssimon case SSL_TLSEXT_ERR_ALERT_WARNING: 2171194206Ssimon ssl3_send_alert(s,SSL3_AL_WARNING,al); 2172194206Ssimon return 1; 2173194206Ssimon 2174194206Ssimon case SSL_TLSEXT_ERR_NOACK: 2175194206Ssimon s->servername_done=0; 2176194206Ssimon default: 2177194206Ssimon return 1; 2178194206Ssimon } 2179194206Ssimon } 2180194206Ssimon 2181238405Sjkim/* Since the server cache lookup is done early on in the processing of the 2182238405Sjkim * ClientHello, and other operations depend on the result, we need to handle 2183238405Sjkim * any TLS session ticket extension at the same time. 2184238405Sjkim * 2185238405Sjkim * session_id: points at the session ID in the ClientHello. This code will 2186238405Sjkim * read past the end of this in order to parse out the session ticket 2187238405Sjkim * extension, if any. 2188238405Sjkim * len: the length of the session ID. 2189238405Sjkim * limit: a pointer to the first byte after the ClientHello. 2190238405Sjkim * ret: (output) on return, if a ticket was decrypted, then this is set to 2191238405Sjkim * point to the resulting session. 2192238405Sjkim * 2193238405Sjkim * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2194238405Sjkim * ciphersuite, in which case we have no use for session tickets and one will 2195238405Sjkim * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2196238405Sjkim * 2197238405Sjkim * Returns: 2198238405Sjkim * -1: fatal error, either from parsing or decrypting the ticket. 2199238405Sjkim * 0: no ticket was found (or was ignored, based on settings). 2200238405Sjkim * 1: a zero length extension was found, indicating that the client supports 2201238405Sjkim * session tickets but doesn't currently have one to offer. 2202238405Sjkim * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2203238405Sjkim * couldn't be decrypted because of a non-fatal error. 2204238405Sjkim * 3: a ticket was successfully decrypted and *ret was set. 2205238405Sjkim * 2206238405Sjkim * Side effects: 2207238405Sjkim * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2208238405Sjkim * a new session ticket to the client because the client indicated support 2209238405Sjkim * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2210238405Sjkim * a session ticket or we couldn't use the one it gave us, or if 2211238405Sjkim * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2212238405Sjkim * Otherwise, s->tlsext_ticket_expected is set to 0. 2213194206Ssimon */ 2214194206Ssimonint tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 2215238405Sjkim const unsigned char *limit, SSL_SESSION **ret) 2216194206Ssimon { 2217194206Ssimon /* Point after session ID in client hello */ 2218194206Ssimon const unsigned char *p = session_id + len; 2219194206Ssimon unsigned short i; 2220194206Ssimon 2221238405Sjkim *ret = NULL; 2222238405Sjkim s->tlsext_ticket_expected = 0; 2223238405Sjkim 2224194206Ssimon /* If tickets disabled behave as if no ticket present 2225238405Sjkim * to permit stateful resumption. 2226238405Sjkim */ 2227194206Ssimon if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2228238405Sjkim return 0; 2229194206Ssimon if ((s->version <= SSL3_VERSION) || !limit) 2230238405Sjkim return 0; 2231194206Ssimon if (p >= limit) 2232194206Ssimon return -1; 2233205128Ssimon /* Skip past DTLS cookie */ 2234205128Ssimon if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 2235205128Ssimon { 2236205128Ssimon i = *(p++); 2237205128Ssimon p+= i; 2238205128Ssimon if (p >= limit) 2239205128Ssimon return -1; 2240205128Ssimon } 2241194206Ssimon /* Skip past cipher list */ 2242194206Ssimon n2s(p, i); 2243194206Ssimon p+= i; 2244194206Ssimon if (p >= limit) 2245194206Ssimon return -1; 2246194206Ssimon /* Skip past compression algorithm list */ 2247194206Ssimon i = *(p++); 2248194206Ssimon p += i; 2249194206Ssimon if (p > limit) 2250194206Ssimon return -1; 2251194206Ssimon /* Now at start of extensions */ 2252194206Ssimon if ((p + 2) >= limit) 2253238405Sjkim return 0; 2254194206Ssimon n2s(p, i); 2255194206Ssimon while ((p + 4) <= limit) 2256194206Ssimon { 2257194206Ssimon unsigned short type, size; 2258194206Ssimon n2s(p, type); 2259194206Ssimon n2s(p, size); 2260194206Ssimon if (p + size > limit) 2261238405Sjkim return 0; 2262194206Ssimon if (type == TLSEXT_TYPE_session_ticket) 2263194206Ssimon { 2264238405Sjkim int r; 2265194206Ssimon if (size == 0) 2266194206Ssimon { 2267238405Sjkim /* The client will accept a ticket but doesn't 2268238405Sjkim * currently have one. */ 2269194206Ssimon s->tlsext_ticket_expected = 1; 2270238405Sjkim return 1; 2271194206Ssimon } 2272238405Sjkim if (s->tls_session_secret_cb) 2273238405Sjkim { 2274238405Sjkim /* Indicate that the ticket couldn't be 2275238405Sjkim * decrypted rather than generating the session 2276238405Sjkim * from ticket now, trigger abbreviated 2277238405Sjkim * handshake based on external mechanism to 2278238405Sjkim * calculate the master secret later. */ 2279238405Sjkim return 2; 2280238405Sjkim } 2281238405Sjkim r = tls_decrypt_ticket(s, p, size, session_id, len, ret); 2282238405Sjkim switch (r) 2283238405Sjkim { 2284238405Sjkim case 2: /* ticket couldn't be decrypted */ 2285238405Sjkim s->tlsext_ticket_expected = 1; 2286238405Sjkim return 2; 2287238405Sjkim case 3: /* ticket was decrypted */ 2288238405Sjkim return r; 2289238405Sjkim case 4: /* ticket decrypted but need to renew */ 2290238405Sjkim s->tlsext_ticket_expected = 1; 2291238405Sjkim return 3; 2292238405Sjkim default: /* fatal error */ 2293238405Sjkim return -1; 2294238405Sjkim } 2295194206Ssimon } 2296194206Ssimon p += size; 2297194206Ssimon } 2298238405Sjkim return 0; 2299194206Ssimon } 2300194206Ssimon 2301238405Sjkim/* tls_decrypt_ticket attempts to decrypt a session ticket. 2302238405Sjkim * 2303238405Sjkim * etick: points to the body of the session ticket extension. 2304238405Sjkim * eticklen: the length of the session tickets extenion. 2305238405Sjkim * sess_id: points at the session ID. 2306238405Sjkim * sesslen: the length of the session ID. 2307238405Sjkim * psess: (output) on return, if a ticket was decrypted, then this is set to 2308238405Sjkim * point to the resulting session. 2309238405Sjkim * 2310238405Sjkim * Returns: 2311238405Sjkim * -1: fatal error, either from parsing or decrypting the ticket. 2312238405Sjkim * 2: the ticket couldn't be decrypted. 2313238405Sjkim * 3: a ticket was successfully decrypted and *psess was set. 2314238405Sjkim * 4: same as 3, but the ticket needs to be renewed. 2315238405Sjkim */ 2316194206Ssimonstatic int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2317194206Ssimon const unsigned char *sess_id, int sesslen, 2318194206Ssimon SSL_SESSION **psess) 2319194206Ssimon { 2320194206Ssimon SSL_SESSION *sess; 2321194206Ssimon unsigned char *sdec; 2322194206Ssimon const unsigned char *p; 2323194206Ssimon int slen, mlen, renew_ticket = 0; 2324194206Ssimon unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2325194206Ssimon HMAC_CTX hctx; 2326194206Ssimon EVP_CIPHER_CTX ctx; 2327205128Ssimon SSL_CTX *tctx = s->initial_ctx; 2328194206Ssimon /* Need at least keyname + iv + some encrypted data */ 2329194206Ssimon if (eticklen < 48) 2330238405Sjkim return 2; 2331194206Ssimon /* Initialize session ticket encryption and HMAC contexts */ 2332194206Ssimon HMAC_CTX_init(&hctx); 2333194206Ssimon EVP_CIPHER_CTX_init(&ctx); 2334205128Ssimon if (tctx->tlsext_ticket_key_cb) 2335194206Ssimon { 2336194206Ssimon unsigned char *nctick = (unsigned char *)etick; 2337205128Ssimon int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2338194206Ssimon &ctx, &hctx, 0); 2339194206Ssimon if (rv < 0) 2340194206Ssimon return -1; 2341194206Ssimon if (rv == 0) 2342238405Sjkim return 2; 2343194206Ssimon if (rv == 2) 2344194206Ssimon renew_ticket = 1; 2345194206Ssimon } 2346194206Ssimon else 2347194206Ssimon { 2348194206Ssimon /* Check key name matches */ 2349205128Ssimon if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2350238405Sjkim return 2; 2351205128Ssimon HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2352194206Ssimon tlsext_tick_md(), NULL); 2353194206Ssimon EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2354205128Ssimon tctx->tlsext_tick_aes_key, etick + 16); 2355194206Ssimon } 2356194206Ssimon /* Attempt to process session ticket, first conduct sanity and 2357238405Sjkim * integrity checks on ticket. 2358238405Sjkim */ 2359194206Ssimon mlen = HMAC_size(&hctx); 2360238405Sjkim if (mlen < 0) 2361238405Sjkim { 2362238405Sjkim EVP_CIPHER_CTX_cleanup(&ctx); 2363238405Sjkim return -1; 2364238405Sjkim } 2365194206Ssimon eticklen -= mlen; 2366194206Ssimon /* Check HMAC of encrypted ticket */ 2367194206Ssimon HMAC_Update(&hctx, etick, eticklen); 2368194206Ssimon HMAC_Final(&hctx, tick_hmac, NULL); 2369194206Ssimon HMAC_CTX_cleanup(&hctx); 2370246772Sjkim if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) 2371273415Sdelphij { 2372273415Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 2373238405Sjkim return 2; 2374273415Sdelphij } 2375194206Ssimon /* Attempt to decrypt session data */ 2376194206Ssimon /* Move p after IV to start of encrypted ticket, update length */ 2377194206Ssimon p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2378194206Ssimon eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2379194206Ssimon sdec = OPENSSL_malloc(eticklen); 2380194206Ssimon if (!sdec) 2381194206Ssimon { 2382194206Ssimon EVP_CIPHER_CTX_cleanup(&ctx); 2383194206Ssimon return -1; 2384194206Ssimon } 2385194206Ssimon EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2386194206Ssimon if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 2387279264Sdelphij { 2388279264Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 2389279264Sdelphij OPENSSL_free(sdec); 2390238405Sjkim return 2; 2391279264Sdelphij } 2392194206Ssimon slen += mlen; 2393194206Ssimon EVP_CIPHER_CTX_cleanup(&ctx); 2394194206Ssimon p = sdec; 2395238405Sjkim 2396194206Ssimon sess = d2i_SSL_SESSION(NULL, &p, slen); 2397194206Ssimon OPENSSL_free(sdec); 2398194206Ssimon if (sess) 2399194206Ssimon { 2400238405Sjkim /* The session ID, if non-empty, is used by some clients to 2401238405Sjkim * detect that the ticket has been accepted. So we copy it to 2402238405Sjkim * the session structure. If it is empty set length to zero 2403238405Sjkim * as required by standard. 2404238405Sjkim */ 2405194206Ssimon if (sesslen) 2406194206Ssimon memcpy(sess->session_id, sess_id, sesslen); 2407194206Ssimon sess->session_id_length = sesslen; 2408194206Ssimon *psess = sess; 2409238405Sjkim if (renew_ticket) 2410238405Sjkim return 4; 2411238405Sjkim else 2412238405Sjkim return 3; 2413238405Sjkim } 2414238405Sjkim ERR_clear_error(); 2415238405Sjkim /* For session parse failure, indicate that we need to send a new 2416238405Sjkim * ticket. */ 2417238405Sjkim return 2; 2418238405Sjkim } 2419238405Sjkim 2420238405Sjkim/* Tables to translate from NIDs to TLS v1.2 ids */ 2421238405Sjkim 2422238405Sjkimtypedef struct 2423238405Sjkim { 2424238405Sjkim int nid; 2425238405Sjkim int id; 2426238405Sjkim } tls12_lookup; 2427238405Sjkim 2428238405Sjkimstatic tls12_lookup tls12_md[] = { 2429238405Sjkim#ifndef OPENSSL_NO_MD5 2430238405Sjkim {NID_md5, TLSEXT_hash_md5}, 2431238405Sjkim#endif 2432238405Sjkim#ifndef OPENSSL_NO_SHA 2433238405Sjkim {NID_sha1, TLSEXT_hash_sha1}, 2434238405Sjkim#endif 2435238405Sjkim#ifndef OPENSSL_NO_SHA256 2436238405Sjkim {NID_sha224, TLSEXT_hash_sha224}, 2437238405Sjkim {NID_sha256, TLSEXT_hash_sha256}, 2438238405Sjkim#endif 2439238405Sjkim#ifndef OPENSSL_NO_SHA512 2440238405Sjkim {NID_sha384, TLSEXT_hash_sha384}, 2441238405Sjkim {NID_sha512, TLSEXT_hash_sha512} 2442238405Sjkim#endif 2443238405Sjkim}; 2444238405Sjkim 2445238405Sjkimstatic tls12_lookup tls12_sig[] = { 2446238405Sjkim#ifndef OPENSSL_NO_RSA 2447238405Sjkim {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2448238405Sjkim#endif 2449238405Sjkim#ifndef OPENSSL_NO_DSA 2450238405Sjkim {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2451238405Sjkim#endif 2452238405Sjkim#ifndef OPENSSL_NO_ECDSA 2453238405Sjkim {EVP_PKEY_EC, TLSEXT_signature_ecdsa} 2454238405Sjkim#endif 2455238405Sjkim}; 2456238405Sjkim 2457238405Sjkimstatic int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2458238405Sjkim { 2459238405Sjkim size_t i; 2460238405Sjkim for (i = 0; i < tlen; i++) 2461238405Sjkim { 2462238405Sjkim if (table[i].nid == nid) 2463238405Sjkim return table[i].id; 2464238405Sjkim } 2465238405Sjkim return -1; 2466238405Sjkim } 2467238405Sjkim#if 0 2468238405Sjkimstatic int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) 2469238405Sjkim { 2470238405Sjkim size_t i; 2471238405Sjkim for (i = 0; i < tlen; i++) 2472238405Sjkim { 2473238405Sjkim if (table[i].id == id) 2474238405Sjkim return table[i].nid; 2475238405Sjkim } 2476238405Sjkim return -1; 2477238405Sjkim } 2478238405Sjkim#endif 2479238405Sjkim 2480238405Sjkimint tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2481238405Sjkim { 2482238405Sjkim int sig_id, md_id; 2483238405Sjkim if (!md) 2484238405Sjkim return 0; 2485238405Sjkim md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2486238405Sjkim sizeof(tls12_md)/sizeof(tls12_lookup)); 2487238405Sjkim if (md_id == -1) 2488238405Sjkim return 0; 2489238405Sjkim sig_id = tls12_get_sigid(pk); 2490238405Sjkim if (sig_id == -1) 2491238405Sjkim return 0; 2492238405Sjkim p[0] = (unsigned char)md_id; 2493238405Sjkim p[1] = (unsigned char)sig_id; 2494238405Sjkim return 1; 2495238405Sjkim } 2496238405Sjkim 2497238405Sjkimint tls12_get_sigid(const EVP_PKEY *pk) 2498238405Sjkim { 2499238405Sjkim return tls12_find_id(pk->type, tls12_sig, 2500238405Sjkim sizeof(tls12_sig)/sizeof(tls12_lookup)); 2501238405Sjkim } 2502238405Sjkim 2503238405Sjkimconst EVP_MD *tls12_get_hash(unsigned char hash_alg) 2504238405Sjkim { 2505238405Sjkim switch(hash_alg) 2506238405Sjkim { 2507238405Sjkim#ifndef OPENSSL_NO_SHA 2508238405Sjkim case TLSEXT_hash_sha1: 2509238405Sjkim return EVP_sha1(); 2510238405Sjkim#endif 2511238405Sjkim#ifndef OPENSSL_NO_SHA256 2512238405Sjkim case TLSEXT_hash_sha224: 2513238405Sjkim return EVP_sha224(); 2514238405Sjkim 2515238405Sjkim case TLSEXT_hash_sha256: 2516238405Sjkim return EVP_sha256(); 2517238405Sjkim#endif 2518238405Sjkim#ifndef OPENSSL_NO_SHA512 2519238405Sjkim case TLSEXT_hash_sha384: 2520238405Sjkim return EVP_sha384(); 2521238405Sjkim 2522238405Sjkim case TLSEXT_hash_sha512: 2523238405Sjkim return EVP_sha512(); 2524238405Sjkim#endif 2525238405Sjkim default: 2526238405Sjkim return NULL; 2527238405Sjkim 2528238405Sjkim } 2529238405Sjkim } 2530238405Sjkim 2531238405Sjkim/* Set preferred digest for each key type */ 2532238405Sjkim 2533238405Sjkimint tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2534238405Sjkim { 2535238405Sjkim int i, idx; 2536238405Sjkim const EVP_MD *md; 2537238405Sjkim CERT *c = s->cert; 2538238405Sjkim /* Extension ignored for TLS versions below 1.2 */ 2539238405Sjkim if (TLS1_get_version(s) < TLS1_2_VERSION) 2540194206Ssimon return 1; 2541238405Sjkim /* Should never happen */ 2542238405Sjkim if (!c) 2543238405Sjkim return 0; 2544238405Sjkim 2545238405Sjkim c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2546238405Sjkim c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2547238405Sjkim c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2548238405Sjkim c->pkeys[SSL_PKEY_ECC].digest = NULL; 2549238405Sjkim 2550238405Sjkim for (i = 0; i < dsize; i += 2) 2551238405Sjkim { 2552238405Sjkim unsigned char hash_alg = data[i], sig_alg = data[i+1]; 2553238405Sjkim 2554238405Sjkim switch(sig_alg) 2555238405Sjkim { 2556238405Sjkim#ifndef OPENSSL_NO_RSA 2557238405Sjkim case TLSEXT_signature_rsa: 2558238405Sjkim idx = SSL_PKEY_RSA_SIGN; 2559238405Sjkim break; 2560238405Sjkim#endif 2561238405Sjkim#ifndef OPENSSL_NO_DSA 2562238405Sjkim case TLSEXT_signature_dsa: 2563238405Sjkim idx = SSL_PKEY_DSA_SIGN; 2564238405Sjkim break; 2565238405Sjkim#endif 2566238405Sjkim#ifndef OPENSSL_NO_ECDSA 2567238405Sjkim case TLSEXT_signature_ecdsa: 2568238405Sjkim idx = SSL_PKEY_ECC; 2569238405Sjkim break; 2570238405Sjkim#endif 2571238405Sjkim default: 2572238405Sjkim continue; 2573238405Sjkim } 2574238405Sjkim 2575238405Sjkim if (c->pkeys[idx].digest == NULL) 2576238405Sjkim { 2577238405Sjkim md = tls12_get_hash(hash_alg); 2578238405Sjkim if (md) 2579238405Sjkim { 2580238405Sjkim c->pkeys[idx].digest = md; 2581238405Sjkim if (idx == SSL_PKEY_RSA_SIGN) 2582238405Sjkim c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2583238405Sjkim } 2584238405Sjkim } 2585238405Sjkim 2586194206Ssimon } 2587238405Sjkim 2588238405Sjkim 2589238405Sjkim /* Set any remaining keys to default values. NOTE: if alg is not 2590238405Sjkim * supported it stays as NULL. 2591238405Sjkim */ 2592238405Sjkim#ifndef OPENSSL_NO_DSA 2593238405Sjkim if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2594246772Sjkim c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2595238405Sjkim#endif 2596238405Sjkim#ifndef OPENSSL_NO_RSA 2597238405Sjkim if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) 2598238405Sjkim { 2599238405Sjkim c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2600238405Sjkim c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2601238405Sjkim } 2602238405Sjkim#endif 2603238405Sjkim#ifndef OPENSSL_NO_ECDSA 2604238405Sjkim if (!c->pkeys[SSL_PKEY_ECC].digest) 2605246772Sjkim c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2606238405Sjkim#endif 2607238405Sjkim return 1; 2608238405Sjkim } 2609238405Sjkim 2610238405Sjkim#endif 2611238405Sjkim 2612238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 2613238405Sjkimint 2614238405Sjkimtls1_process_heartbeat(SSL *s) 2615238405Sjkim { 2616238405Sjkim unsigned char *p = &s->s3->rrec.data[0], *pl; 2617238405Sjkim unsigned short hbtype; 2618238405Sjkim unsigned int payload; 2619238405Sjkim unsigned int padding = 16; /* Use minimum padding */ 2620238405Sjkim 2621264267Sdelphij if (s->msg_callback) 2622264267Sdelphij s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 2623264267Sdelphij &s->s3->rrec.data[0], s->s3->rrec.length, 2624264267Sdelphij s, s->msg_callback_arg); 2625264267Sdelphij 2626238405Sjkim /* Read type and payload length first */ 2627264267Sdelphij if (1 + 2 + 16 > s->s3->rrec.length) 2628264267Sdelphij return 0; /* silently discard */ 2629238405Sjkim hbtype = *p++; 2630238405Sjkim n2s(p, payload); 2631264267Sdelphij if (1 + 2 + payload + 16 > s->s3->rrec.length) 2632264267Sdelphij return 0; /* silently discard per RFC 6520 sec. 4 */ 2633238405Sjkim pl = p; 2634238405Sjkim 2635238405Sjkim if (hbtype == TLS1_HB_REQUEST) 2636238405Sjkim { 2637238405Sjkim unsigned char *buffer, *bp; 2638238405Sjkim int r; 2639238405Sjkim 2640238405Sjkim /* Allocate memory for the response, size is 1 bytes 2641238405Sjkim * message type, plus 2 bytes payload length, plus 2642238405Sjkim * payload, plus padding 2643238405Sjkim */ 2644238405Sjkim buffer = OPENSSL_malloc(1 + 2 + payload + padding); 2645238405Sjkim bp = buffer; 2646238405Sjkim 2647238405Sjkim /* Enter response type, length and copy payload */ 2648238405Sjkim *bp++ = TLS1_HB_RESPONSE; 2649238405Sjkim s2n(payload, bp); 2650238405Sjkim memcpy(bp, pl, payload); 2651238405Sjkim bp += payload; 2652238405Sjkim /* Random padding */ 2653238405Sjkim RAND_pseudo_bytes(bp, padding); 2654238405Sjkim 2655238405Sjkim r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 2656238405Sjkim 2657238405Sjkim if (r >= 0 && s->msg_callback) 2658238405Sjkim s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2659238405Sjkim buffer, 3 + payload + padding, 2660238405Sjkim s, s->msg_callback_arg); 2661238405Sjkim 2662238405Sjkim OPENSSL_free(buffer); 2663238405Sjkim 2664238405Sjkim if (r < 0) 2665238405Sjkim return r; 2666238405Sjkim } 2667238405Sjkim else if (hbtype == TLS1_HB_RESPONSE) 2668238405Sjkim { 2669238405Sjkim unsigned int seq; 2670238405Sjkim 2671238405Sjkim /* We only send sequence numbers (2 bytes unsigned int), 2672238405Sjkim * and 16 random bytes, so we just try to read the 2673238405Sjkim * sequence number */ 2674238405Sjkim n2s(pl, seq); 2675238405Sjkim 2676238405Sjkim if (payload == 18 && seq == s->tlsext_hb_seq) 2677238405Sjkim { 2678238405Sjkim s->tlsext_hb_seq++; 2679238405Sjkim s->tlsext_hb_pending = 0; 2680238405Sjkim } 2681238405Sjkim } 2682238405Sjkim 2683194206Ssimon return 0; 2684194206Ssimon } 2685194206Ssimon 2686238405Sjkimint 2687238405Sjkimtls1_heartbeat(SSL *s) 2688238405Sjkim { 2689238405Sjkim unsigned char *buf, *p; 2690238405Sjkim int ret; 2691238405Sjkim unsigned int payload = 18; /* Sequence number + random bytes */ 2692238405Sjkim unsigned int padding = 16; /* Use minimum padding */ 2693238405Sjkim 2694238405Sjkim /* Only send if peer supports and accepts HB requests... */ 2695238405Sjkim if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || 2696238405Sjkim s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) 2697238405Sjkim { 2698238405Sjkim SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); 2699238405Sjkim return -1; 2700238405Sjkim } 2701238405Sjkim 2702238405Sjkim /* ...and there is none in flight yet... */ 2703238405Sjkim if (s->tlsext_hb_pending) 2704238405Sjkim { 2705238405Sjkim SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING); 2706238405Sjkim return -1; 2707238405Sjkim } 2708238405Sjkim 2709238405Sjkim /* ...and no handshake in progress. */ 2710238405Sjkim if (SSL_in_init(s) || s->in_handshake) 2711238405Sjkim { 2712238405Sjkim SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE); 2713238405Sjkim return -1; 2714238405Sjkim } 2715238405Sjkim 2716238405Sjkim /* Check if padding is too long, payload and padding 2717238405Sjkim * must not exceed 2^14 - 3 = 16381 bytes in total. 2718238405Sjkim */ 2719238405Sjkim OPENSSL_assert(payload + padding <= 16381); 2720238405Sjkim 2721238405Sjkim /* Create HeartBeat message, we just use a sequence number 2722238405Sjkim * as payload to distuingish different messages and add 2723238405Sjkim * some random stuff. 2724238405Sjkim * - Message Type, 1 byte 2725238405Sjkim * - Payload Length, 2 bytes (unsigned int) 2726238405Sjkim * - Payload, the sequence number (2 bytes uint) 2727238405Sjkim * - Payload, random bytes (16 bytes uint) 2728238405Sjkim * - Padding 2729238405Sjkim */ 2730238405Sjkim buf = OPENSSL_malloc(1 + 2 + payload + padding); 2731238405Sjkim p = buf; 2732238405Sjkim /* Message Type */ 2733238405Sjkim *p++ = TLS1_HB_REQUEST; 2734238405Sjkim /* Payload length (18 bytes here) */ 2735238405Sjkim s2n(payload, p); 2736238405Sjkim /* Sequence number */ 2737238405Sjkim s2n(s->tlsext_hb_seq, p); 2738238405Sjkim /* 16 random bytes */ 2739238405Sjkim RAND_pseudo_bytes(p, 16); 2740238405Sjkim p += 16; 2741238405Sjkim /* Random padding */ 2742238405Sjkim RAND_pseudo_bytes(p, padding); 2743238405Sjkim 2744238405Sjkim ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 2745238405Sjkim if (ret >= 0) 2746238405Sjkim { 2747238405Sjkim if (s->msg_callback) 2748238405Sjkim s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2749238405Sjkim buf, 3 + payload + padding, 2750238405Sjkim s, s->msg_callback_arg); 2751238405Sjkim 2752238405Sjkim s->tlsext_hb_pending = 1; 2753238405Sjkim } 2754238405Sjkim 2755238405Sjkim OPENSSL_free(buf); 2756238405Sjkim 2757238405Sjkim return ret; 2758238405Sjkim } 2759194206Ssimon#endif 2760