155714Skris/* ssl/t1_lib.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 8296341Sdelphij * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15296341Sdelphij * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 22296341Sdelphij * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 37296341Sdelphij * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40296341Sdelphij * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 52296341Sdelphij * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 58238405Sjkim/* ==================================================================== 59238405Sjkim * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60238405Sjkim * 61238405Sjkim * Redistribution and use in source and binary forms, with or without 62238405Sjkim * modification, are permitted provided that the following conditions 63238405Sjkim * are met: 64238405Sjkim * 65238405Sjkim * 1. Redistributions of source code must retain the above copyright 66296341Sdelphij * notice, this list of conditions and the following disclaimer. 67238405Sjkim * 68238405Sjkim * 2. Redistributions in binary form must reproduce the above copyright 69238405Sjkim * notice, this list of conditions and the following disclaimer in 70238405Sjkim * the documentation and/or other materials provided with the 71238405Sjkim * distribution. 72238405Sjkim * 73238405Sjkim * 3. All advertising materials mentioning features or use of this 74238405Sjkim * software must display the following acknowledgment: 75238405Sjkim * "This product includes software developed by the OpenSSL Project 76238405Sjkim * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77238405Sjkim * 78238405Sjkim * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79238405Sjkim * endorse or promote products derived from this software without 80238405Sjkim * prior written permission. For written permission, please contact 81238405Sjkim * openssl-core@openssl.org. 82238405Sjkim * 83238405Sjkim * 5. Products derived from this software may not be called "OpenSSL" 84238405Sjkim * nor may "OpenSSL" appear in their names without prior written 85238405Sjkim * permission of the OpenSSL Project. 86238405Sjkim * 87238405Sjkim * 6. Redistributions of any form whatsoever must retain the following 88238405Sjkim * acknowledgment: 89238405Sjkim * "This product includes software developed by the OpenSSL Project 90238405Sjkim * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91238405Sjkim * 92238405Sjkim * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93238405Sjkim * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94238405Sjkim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95238405Sjkim * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96238405Sjkim * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97238405Sjkim * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98238405Sjkim * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99238405Sjkim * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100238405Sjkim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101238405Sjkim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102238405Sjkim * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103238405Sjkim * OF THE POSSIBILITY OF SUCH DAMAGE. 104238405Sjkim * ==================================================================== 105238405Sjkim * 106238405Sjkim * This product includes cryptographic software written by Eric Young 107238405Sjkim * (eay@cryptsoft.com). This product includes software written by Tim 108238405Sjkim * Hudson (tjh@cryptsoft.com). 109238405Sjkim * 110238405Sjkim */ 11155714Skris 11255714Skris#include <stdio.h> 11355714Skris#include <openssl/objects.h> 114194206Ssimon#include <openssl/evp.h> 115194206Ssimon#include <openssl/hmac.h> 116194206Ssimon#include <openssl/ocsp.h> 117238405Sjkim#include <openssl/rand.h> 11855714Skris#include "ssl_locl.h" 11955714Skris 120296341Sdelphijconst char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT; 12155714Skris 122194206Ssimon#ifndef OPENSSL_NO_TLSEXT 123194206Ssimonstatic int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 124296341Sdelphij const unsigned char *sess_id, int sesslen, 125296341Sdelphij SSL_SESSION **psess); 126194206Ssimon#endif 127194206Ssimon 128296341SdelphijSSL3_ENC_METHOD TLSv1_enc_data = { 129296341Sdelphij tls1_enc, 130296341Sdelphij tls1_mac, 131296341Sdelphij tls1_setup_key_block, 132296341Sdelphij tls1_generate_master_secret, 133296341Sdelphij tls1_change_cipher_state, 134296341Sdelphij tls1_final_finish_mac, 135296341Sdelphij TLS1_FINISH_MAC_LENGTH, 136296341Sdelphij tls1_cert_verify_mac, 137296341Sdelphij TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 138296341Sdelphij TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 139296341Sdelphij tls1_alert_code, 140296341Sdelphij tls1_export_keying_material, 141296341Sdelphij}; 14255714Skris 143160814Ssimonlong tls1_default_timeout(void) 144296341Sdelphij{ 145296341Sdelphij /* 146296341Sdelphij * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for 147296341Sdelphij * http, the cache would over fill 148296341Sdelphij */ 149296341Sdelphij return (60 * 60 * 2); 150296341Sdelphij} 15155714Skris 15255714Skrisint tls1_new(SSL *s) 153296341Sdelphij{ 154296341Sdelphij if (!ssl3_new(s)) 155296341Sdelphij return (0); 156296341Sdelphij s->method->ssl_clear(s); 157296341Sdelphij return (1); 158296341Sdelphij} 15955714Skris 16055714Skrisvoid tls1_free(SSL *s) 161296341Sdelphij{ 162238405Sjkim#ifndef OPENSSL_NO_TLSEXT 163296341Sdelphij if (s->tlsext_session_ticket) { 164296341Sdelphij OPENSSL_free(s->tlsext_session_ticket); 165296341Sdelphij } 166296341Sdelphij#endif /* OPENSSL_NO_TLSEXT */ 167296341Sdelphij ssl3_free(s); 168296341Sdelphij} 16955714Skris 17055714Skrisvoid tls1_clear(SSL *s) 171296341Sdelphij{ 172296341Sdelphij ssl3_clear(s); 173296341Sdelphij s->version = s->method->version; 174296341Sdelphij} 17555714Skris 176238405Sjkim#ifndef OPENSSL_NO_EC 177238405Sjkim 178296341Sdelphijstatic int nid_list[] = { 179296341Sdelphij NID_sect163k1, /* sect163k1 (1) */ 180296341Sdelphij NID_sect163r1, /* sect163r1 (2) */ 181296341Sdelphij NID_sect163r2, /* sect163r2 (3) */ 182296341Sdelphij NID_sect193r1, /* sect193r1 (4) */ 183296341Sdelphij NID_sect193r2, /* sect193r2 (5) */ 184296341Sdelphij NID_sect233k1, /* sect233k1 (6) */ 185296341Sdelphij NID_sect233r1, /* sect233r1 (7) */ 186296341Sdelphij NID_sect239k1, /* sect239k1 (8) */ 187296341Sdelphij NID_sect283k1, /* sect283k1 (9) */ 188296341Sdelphij NID_sect283r1, /* sect283r1 (10) */ 189296341Sdelphij NID_sect409k1, /* sect409k1 (11) */ 190296341Sdelphij NID_sect409r1, /* sect409r1 (12) */ 191296341Sdelphij NID_sect571k1, /* sect571k1 (13) */ 192296341Sdelphij NID_sect571r1, /* sect571r1 (14) */ 193296341Sdelphij NID_secp160k1, /* secp160k1 (15) */ 194296341Sdelphij NID_secp160r1, /* secp160r1 (16) */ 195296341Sdelphij NID_secp160r2, /* secp160r2 (17) */ 196296341Sdelphij NID_secp192k1, /* secp192k1 (18) */ 197296341Sdelphij NID_X9_62_prime192v1, /* secp192r1 (19) */ 198296341Sdelphij NID_secp224k1, /* secp224k1 (20) */ 199296341Sdelphij NID_secp224r1, /* secp224r1 (21) */ 200296341Sdelphij NID_secp256k1, /* secp256k1 (22) */ 201296341Sdelphij NID_X9_62_prime256v1, /* secp256r1 (23) */ 202296341Sdelphij NID_secp384r1, /* secp384r1 (24) */ 203296341Sdelphij NID_secp521r1 /* secp521r1 (25) */ 204296341Sdelphij}; 205238405Sjkim 206296341Sdelphijstatic int pref_list[] = { 207296341Sdelphij# ifndef OPENSSL_NO_EC2M 208296341Sdelphij NID_sect571r1, /* sect571r1 (14) */ 209296341Sdelphij NID_sect571k1, /* sect571k1 (13) */ 210296341Sdelphij# endif 211296341Sdelphij NID_secp521r1, /* secp521r1 (25) */ 212296341Sdelphij# ifndef OPENSSL_NO_EC2M 213296341Sdelphij NID_sect409k1, /* sect409k1 (11) */ 214296341Sdelphij NID_sect409r1, /* sect409r1 (12) */ 215296341Sdelphij# endif 216296341Sdelphij NID_secp384r1, /* secp384r1 (24) */ 217296341Sdelphij# ifndef OPENSSL_NO_EC2M 218296341Sdelphij NID_sect283k1, /* sect283k1 (9) */ 219296341Sdelphij NID_sect283r1, /* sect283r1 (10) */ 220296341Sdelphij# endif 221296341Sdelphij NID_secp256k1, /* secp256k1 (22) */ 222296341Sdelphij NID_X9_62_prime256v1, /* secp256r1 (23) */ 223296341Sdelphij# ifndef OPENSSL_NO_EC2M 224296341Sdelphij NID_sect239k1, /* sect239k1 (8) */ 225296341Sdelphij NID_sect233k1, /* sect233k1 (6) */ 226296341Sdelphij NID_sect233r1, /* sect233r1 (7) */ 227296341Sdelphij# endif 228296341Sdelphij NID_secp224k1, /* secp224k1 (20) */ 229296341Sdelphij NID_secp224r1, /* secp224r1 (21) */ 230296341Sdelphij# ifndef OPENSSL_NO_EC2M 231296341Sdelphij NID_sect193r1, /* sect193r1 (4) */ 232296341Sdelphij NID_sect193r2, /* sect193r2 (5) */ 233296341Sdelphij# endif 234296341Sdelphij NID_secp192k1, /* secp192k1 (18) */ 235296341Sdelphij NID_X9_62_prime192v1, /* secp192r1 (19) */ 236296341Sdelphij# ifndef OPENSSL_NO_EC2M 237296341Sdelphij NID_sect163k1, /* sect163k1 (1) */ 238296341Sdelphij NID_sect163r1, /* sect163r1 (2) */ 239296341Sdelphij NID_sect163r2, /* sect163r2 (3) */ 240296341Sdelphij# endif 241296341Sdelphij NID_secp160k1, /* secp160k1 (15) */ 242296341Sdelphij NID_secp160r1, /* secp160r1 (16) */ 243296341Sdelphij NID_secp160r2, /* secp160r2 (17) */ 244296341Sdelphij}; 245238405Sjkim 246238405Sjkimint tls1_ec_curve_id2nid(int curve_id) 247296341Sdelphij{ 248296341Sdelphij /* ECC curves from RFC 4492 */ 249296341Sdelphij if ((curve_id < 1) || ((unsigned int)curve_id > 250296341Sdelphij sizeof(nid_list) / sizeof(nid_list[0]))) 251296341Sdelphij return 0; 252296341Sdelphij return nid_list[curve_id - 1]; 253296341Sdelphij} 25459191Skris 255238405Sjkimint tls1_ec_nid2curve_id(int nid) 256296341Sdelphij{ 257296341Sdelphij /* ECC curves from RFC 4492 */ 258296341Sdelphij switch (nid) { 259296341Sdelphij case NID_sect163k1: /* sect163k1 (1) */ 260296341Sdelphij return 1; 261296341Sdelphij case NID_sect163r1: /* sect163r1 (2) */ 262296341Sdelphij return 2; 263296341Sdelphij case NID_sect163r2: /* sect163r2 (3) */ 264296341Sdelphij return 3; 265296341Sdelphij case NID_sect193r1: /* sect193r1 (4) */ 266296341Sdelphij return 4; 267296341Sdelphij case NID_sect193r2: /* sect193r2 (5) */ 268296341Sdelphij return 5; 269296341Sdelphij case NID_sect233k1: /* sect233k1 (6) */ 270296341Sdelphij return 6; 271296341Sdelphij case NID_sect233r1: /* sect233r1 (7) */ 272296341Sdelphij return 7; 273296341Sdelphij case NID_sect239k1: /* sect239k1 (8) */ 274296341Sdelphij return 8; 275296341Sdelphij case NID_sect283k1: /* sect283k1 (9) */ 276296341Sdelphij return 9; 277296341Sdelphij case NID_sect283r1: /* sect283r1 (10) */ 278296341Sdelphij return 10; 279296341Sdelphij case NID_sect409k1: /* sect409k1 (11) */ 280296341Sdelphij return 11; 281296341Sdelphij case NID_sect409r1: /* sect409r1 (12) */ 282296341Sdelphij return 12; 283296341Sdelphij case NID_sect571k1: /* sect571k1 (13) */ 284296341Sdelphij return 13; 285296341Sdelphij case NID_sect571r1: /* sect571r1 (14) */ 286296341Sdelphij return 14; 287296341Sdelphij case NID_secp160k1: /* secp160k1 (15) */ 288296341Sdelphij return 15; 289296341Sdelphij case NID_secp160r1: /* secp160r1 (16) */ 290296341Sdelphij return 16; 291296341Sdelphij case NID_secp160r2: /* secp160r2 (17) */ 292296341Sdelphij return 17; 293296341Sdelphij case NID_secp192k1: /* secp192k1 (18) */ 294296341Sdelphij return 18; 295296341Sdelphij case NID_X9_62_prime192v1: /* secp192r1 (19) */ 296296341Sdelphij return 19; 297296341Sdelphij case NID_secp224k1: /* secp224k1 (20) */ 298296341Sdelphij return 20; 299296341Sdelphij case NID_secp224r1: /* secp224r1 (21) */ 300296341Sdelphij return 21; 301296341Sdelphij case NID_secp256k1: /* secp256k1 (22) */ 302296341Sdelphij return 22; 303296341Sdelphij case NID_X9_62_prime256v1: /* secp256r1 (23) */ 304296341Sdelphij return 23; 305296341Sdelphij case NID_secp384r1: /* secp384r1 (24) */ 306296341Sdelphij return 24; 307296341Sdelphij case NID_secp521r1: /* secp521r1 (25) */ 308296341Sdelphij return 25; 309296341Sdelphij default: 310296341Sdelphij return 0; 311296341Sdelphij } 312296341Sdelphij} 313296341Sdelphij#endif /* OPENSSL_NO_EC */ 314238405Sjkim 315238405Sjkim#ifndef OPENSSL_NO_TLSEXT 316238405Sjkim 317296341Sdelphij/* 318296341Sdelphij * List of supported signature algorithms and hashes. Should make this 319238405Sjkim * customisable at some point, for now include everything we support. 320238405Sjkim */ 321238405Sjkim 322296341Sdelphij# ifdef OPENSSL_NO_RSA 323296341Sdelphij# define tlsext_sigalg_rsa(md) /* */ 324296341Sdelphij# else 325296341Sdelphij# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, 326296341Sdelphij# endif 327194206Ssimon 328296341Sdelphij# ifdef OPENSSL_NO_DSA 329296341Sdelphij# define tlsext_sigalg_dsa(md) /* */ 330296341Sdelphij# else 331296341Sdelphij# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, 332296341Sdelphij# endif 333238405Sjkim 334296341Sdelphij# ifdef OPENSSL_NO_ECDSA 335296341Sdelphij# define tlsext_sigalg_ecdsa(md) 336296341Sdelphij /* */ 337296341Sdelphij# else 338296341Sdelphij# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, 339296341Sdelphij# endif 340238405Sjkim 341296341Sdelphij# define tlsext_sigalg(md) \ 342296341Sdelphij tlsext_sigalg_rsa(md) \ 343296341Sdelphij tlsext_sigalg_dsa(md) \ 344296341Sdelphij tlsext_sigalg_ecdsa(md) 345238405Sjkim 346238405Sjkimstatic unsigned char tls12_sigalgs[] = { 347296341Sdelphij# ifndef OPENSSL_NO_SHA512 348296341Sdelphij tlsext_sigalg(TLSEXT_hash_sha512) 349296341Sdelphij tlsext_sigalg(TLSEXT_hash_sha384) 350296341Sdelphij# endif 351296341Sdelphij# ifndef OPENSSL_NO_SHA256 352296341Sdelphij tlsext_sigalg(TLSEXT_hash_sha256) 353296341Sdelphij tlsext_sigalg(TLSEXT_hash_sha224) 354296341Sdelphij# endif 355296341Sdelphij# ifndef OPENSSL_NO_SHA 356296341Sdelphij tlsext_sigalg(TLSEXT_hash_sha1) 357296341Sdelphij# endif 358238405Sjkim}; 359238405Sjkim 360238405Sjkimint tls12_get_req_sig_algs(SSL *s, unsigned char *p) 361296341Sdelphij{ 362296341Sdelphij size_t slen = sizeof(tls12_sigalgs); 363296341Sdelphij if (p) 364296341Sdelphij memcpy(p, tls12_sigalgs, slen); 365296341Sdelphij return (int)slen; 366296341Sdelphij} 367238405Sjkim 368296341Sdelphijunsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, 369296341Sdelphij unsigned char *limit) 370296341Sdelphij{ 371296341Sdelphij int extdatalen = 0; 372296341Sdelphij unsigned char *orig = buf; 373296341Sdelphij unsigned char *ret = buf; 374194206Ssimon 375296341Sdelphij /* don't add extensions for SSLv3 unless doing secure renegotiation */ 376296341Sdelphij if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) 377296341Sdelphij return orig; 378205128Ssimon 379296341Sdelphij ret += 2; 380194206Ssimon 381296341Sdelphij if (ret >= limit) 382296341Sdelphij return NULL; /* this really never occurs, but ... */ 383194206Ssimon 384296341Sdelphij if (s->tlsext_hostname != NULL) { 385296341Sdelphij /* Add TLS extension servername to the Client Hello message */ 386296341Sdelphij unsigned long size_str; 387296341Sdelphij long lenmax; 388194206Ssimon 389296341Sdelphij /*- 390296341Sdelphij * check for enough space. 391296341Sdelphij * 4 for the servername type and entension length 392296341Sdelphij * 2 for servernamelist length 393296341Sdelphij * 1 for the hostname type 394296341Sdelphij * 2 for hostname length 395296341Sdelphij * + hostname length 396296341Sdelphij */ 397194206Ssimon 398296341Sdelphij if ((lenmax = limit - ret - 9) < 0 399296341Sdelphij || (size_str = 400296341Sdelphij strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 401296341Sdelphij return NULL; 402194206Ssimon 403296341Sdelphij /* extension type and length */ 404296341Sdelphij s2n(TLSEXT_TYPE_server_name, ret); 405296341Sdelphij s2n(size_str + 5, ret); 406205128Ssimon 407296341Sdelphij /* length of servername list */ 408296341Sdelphij s2n(size_str + 3, ret); 409205128Ssimon 410296341Sdelphij /* hostname type, length and hostname */ 411296341Sdelphij *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name; 412296341Sdelphij s2n(size_str, ret); 413296341Sdelphij memcpy(ret, s->tlsext_hostname, size_str); 414296341Sdelphij ret += size_str; 415296341Sdelphij } 416296341Sdelphij 417296341Sdelphij /* Add RI if renegotiating */ 418296341Sdelphij if (s->renegotiate) { 419296341Sdelphij int el; 420296341Sdelphij 421296341Sdelphij if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { 422296341Sdelphij SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 423296341Sdelphij return NULL; 424205128Ssimon } 425205128Ssimon 426296341Sdelphij if ((limit - ret - 4 - el) < 0) 427296341Sdelphij return NULL; 428238405Sjkim 429296341Sdelphij s2n(TLSEXT_TYPE_renegotiate, ret); 430296341Sdelphij s2n(el, ret); 431238405Sjkim 432296341Sdelphij if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { 433296341Sdelphij SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 434296341Sdelphij return NULL; 435296341Sdelphij } 436238405Sjkim 437296341Sdelphij ret += el; 438296341Sdelphij } 439296341Sdelphij# ifndef OPENSSL_NO_SRP 440296341Sdelphij /* Add SRP username if there is one */ 441296341Sdelphij if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the 442296341Sdelphij * Client Hello message */ 443238405Sjkim 444296341Sdelphij int login_len = strlen(s->srp_ctx.login); 445296341Sdelphij if (login_len > 255 || login_len == 0) { 446296341Sdelphij SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 447296341Sdelphij return NULL; 448296341Sdelphij } 449238405Sjkim 450296341Sdelphij /*- 451296341Sdelphij * check for enough space. 452296341Sdelphij * 4 for the srp type type and entension length 453296341Sdelphij * 1 for the srp user identity 454296341Sdelphij * + srp user identity length 455296341Sdelphij */ 456296341Sdelphij if ((limit - ret - 5 - login_len) < 0) 457296341Sdelphij return NULL; 458238405Sjkim 459296341Sdelphij /* fill in the extension */ 460296341Sdelphij s2n(TLSEXT_TYPE_srp, ret); 461296341Sdelphij s2n(login_len + 1, ret); 462296341Sdelphij (*ret++) = (unsigned char)login_len; 463296341Sdelphij memcpy(ret, s->srp_ctx.login, login_len); 464296341Sdelphij ret += login_len; 465296341Sdelphij } 466296341Sdelphij# endif 467238405Sjkim 468296341Sdelphij# ifndef OPENSSL_NO_EC 469296341Sdelphij if (s->tlsext_ecpointformatlist != NULL) { 470296341Sdelphij /* 471296341Sdelphij * Add TLS extension ECPointFormats to the ClientHello message 472296341Sdelphij */ 473296341Sdelphij long lenmax; 474238405Sjkim 475296341Sdelphij if ((lenmax = limit - ret - 5) < 0) 476296341Sdelphij return NULL; 477296341Sdelphij if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) 478296341Sdelphij return NULL; 479296341Sdelphij if (s->tlsext_ecpointformatlist_length > 255) { 480296341Sdelphij SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 481296341Sdelphij return NULL; 482296341Sdelphij } 483194206Ssimon 484296341Sdelphij s2n(TLSEXT_TYPE_ec_point_formats, ret); 485296341Sdelphij s2n(s->tlsext_ecpointformatlist_length + 1, ret); 486296341Sdelphij *(ret++) = (unsigned char)s->tlsext_ecpointformatlist_length; 487296341Sdelphij memcpy(ret, s->tlsext_ecpointformatlist, 488296341Sdelphij s->tlsext_ecpointformatlist_length); 489296341Sdelphij ret += s->tlsext_ecpointformatlist_length; 490296341Sdelphij } 491296341Sdelphij if (s->tlsext_ellipticcurvelist != NULL) { 492296341Sdelphij /* 493296341Sdelphij * Add TLS extension EllipticCurves to the ClientHello message 494296341Sdelphij */ 495296341Sdelphij long lenmax; 496238405Sjkim 497296341Sdelphij if ((lenmax = limit - ret - 6) < 0) 498296341Sdelphij return NULL; 499296341Sdelphij if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) 500296341Sdelphij return NULL; 501296341Sdelphij if (s->tlsext_ellipticcurvelist_length > 65532) { 502296341Sdelphij SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 503296341Sdelphij return NULL; 504296341Sdelphij } 505238405Sjkim 506296341Sdelphij s2n(TLSEXT_TYPE_elliptic_curves, ret); 507296341Sdelphij s2n(s->tlsext_ellipticcurvelist_length + 2, ret); 508238405Sjkim 509296341Sdelphij s2n(s->tlsext_ellipticcurvelist_length, ret); 510296341Sdelphij memcpy(ret, s->tlsext_ellipticcurvelist, 511296341Sdelphij s->tlsext_ellipticcurvelist_length); 512296341Sdelphij ret += s->tlsext_ellipticcurvelist_length; 513296341Sdelphij } 514296341Sdelphij# endif /* OPENSSL_NO_EC */ 515194206Ssimon 516296341Sdelphij if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 517296341Sdelphij int ticklen; 518296341Sdelphij if (!s->new_session && s->session && s->session->tlsext_tick) 519296341Sdelphij ticklen = s->session->tlsext_ticklen; 520296341Sdelphij else if (s->session && s->tlsext_session_ticket && 521296341Sdelphij s->tlsext_session_ticket->data) { 522296341Sdelphij ticklen = s->tlsext_session_ticket->length; 523296341Sdelphij s->session->tlsext_tick = OPENSSL_malloc(ticklen); 524296341Sdelphij if (!s->session->tlsext_tick) 525296341Sdelphij return NULL; 526296341Sdelphij memcpy(s->session->tlsext_tick, 527296341Sdelphij s->tlsext_session_ticket->data, ticklen); 528296341Sdelphij s->session->tlsext_ticklen = ticklen; 529296341Sdelphij } else 530296341Sdelphij ticklen = 0; 531296341Sdelphij if (ticklen == 0 && s->tlsext_session_ticket && 532296341Sdelphij s->tlsext_session_ticket->data == NULL) 533296341Sdelphij goto skip_ext; 534296341Sdelphij /* 535296341Sdelphij * Check for enough room 2 for extension type, 2 for len rest for 536296341Sdelphij * ticket 537296341Sdelphij */ 538296341Sdelphij if ((long)(limit - ret - 4 - ticklen) < 0) 539296341Sdelphij return NULL; 540296341Sdelphij s2n(TLSEXT_TYPE_session_ticket, ret); 541296341Sdelphij s2n(ticklen, ret); 542296341Sdelphij if (ticklen) { 543296341Sdelphij memcpy(ret, s->session->tlsext_tick, ticklen); 544296341Sdelphij ret += ticklen; 545296341Sdelphij } 546296341Sdelphij } 547296341Sdelphij skip_ext: 548194206Ssimon 549296341Sdelphij if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 550296341Sdelphij if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 551296341Sdelphij return NULL; 552296341Sdelphij s2n(TLSEXT_TYPE_signature_algorithms, ret); 553296341Sdelphij s2n(sizeof(tls12_sigalgs) + 2, ret); 554296341Sdelphij s2n(sizeof(tls12_sigalgs), ret); 555296341Sdelphij memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 556296341Sdelphij ret += sizeof(tls12_sigalgs); 557296341Sdelphij } 558296341Sdelphij# ifdef TLSEXT_TYPE_opaque_prf_input 559296341Sdelphij if (s->s3->client_opaque_prf_input != NULL && s->version != DTLS1_VERSION) { 560296341Sdelphij size_t col = s->s3->client_opaque_prf_input_len; 561194206Ssimon 562296341Sdelphij if ((long)(limit - ret - 6 - col < 0)) 563296341Sdelphij return NULL; 564296341Sdelphij if (col > 0xFFFD) /* can't happen */ 565296341Sdelphij return NULL; 566238405Sjkim 567296341Sdelphij s2n(TLSEXT_TYPE_opaque_prf_input, ret); 568296341Sdelphij s2n(col + 2, ret); 569296341Sdelphij s2n(col, ret); 570296341Sdelphij memcpy(ret, s->s3->client_opaque_prf_input, col); 571296341Sdelphij ret += col; 572296341Sdelphij } 573296341Sdelphij# endif 574238405Sjkim 575296341Sdelphij if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 576296341Sdelphij s->version != DTLS1_VERSION) { 577296341Sdelphij int i; 578296341Sdelphij long extlen, idlen, itmp; 579296341Sdelphij OCSP_RESPID *id; 580238405Sjkim 581296341Sdelphij idlen = 0; 582296341Sdelphij for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 583296341Sdelphij id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 584296341Sdelphij itmp = i2d_OCSP_RESPID(id, NULL); 585296341Sdelphij if (itmp <= 0) 586296341Sdelphij return NULL; 587296341Sdelphij idlen += itmp + 2; 588296341Sdelphij } 589238405Sjkim 590296341Sdelphij if (s->tlsext_ocsp_exts) { 591296341Sdelphij extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 592296341Sdelphij if (extlen < 0) 593296341Sdelphij return NULL; 594296341Sdelphij } else 595296341Sdelphij extlen = 0; 596238405Sjkim 597296341Sdelphij if ((long)(limit - ret - 7 - extlen - idlen) < 0) 598296341Sdelphij return NULL; 599296341Sdelphij s2n(TLSEXT_TYPE_status_request, ret); 600296341Sdelphij if (extlen + idlen > 0xFFF0) 601296341Sdelphij return NULL; 602296341Sdelphij s2n(extlen + idlen + 5, ret); 603296341Sdelphij *(ret++) = TLSEXT_STATUSTYPE_ocsp; 604296341Sdelphij s2n(idlen, ret); 605296341Sdelphij for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 606296341Sdelphij /* save position of id len */ 607296341Sdelphij unsigned char *q = ret; 608296341Sdelphij id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 609296341Sdelphij /* skip over id len */ 610296341Sdelphij ret += 2; 611296341Sdelphij itmp = i2d_OCSP_RESPID(id, &ret); 612296341Sdelphij /* write id len */ 613296341Sdelphij s2n(itmp, q); 614296341Sdelphij } 615296341Sdelphij s2n(extlen, ret); 616296341Sdelphij if (extlen > 0) 617296341Sdelphij i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 618296341Sdelphij } 619296341Sdelphij# ifndef OPENSSL_NO_HEARTBEATS 620296341Sdelphij /* Add Heartbeat extension */ 621296341Sdelphij if ((limit - ret - 4 - 1) < 0) 622296341Sdelphij return NULL; 623296341Sdelphij s2n(TLSEXT_TYPE_heartbeat, ret); 624296341Sdelphij s2n(1, ret); 625296341Sdelphij /*- 626296341Sdelphij * Set mode: 627296341Sdelphij * 1: peer may send requests 628296341Sdelphij * 2: peer not allowed to send requests 629296341Sdelphij */ 630296341Sdelphij if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 631296341Sdelphij *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 632296341Sdelphij else 633296341Sdelphij *(ret++) = SSL_TLSEXT_HB_ENABLED; 634296341Sdelphij# endif 635264331Sjkim 636296341Sdelphij# ifndef OPENSSL_NO_NEXTPROTONEG 637296341Sdelphij if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { 638296341Sdelphij /* 639296341Sdelphij * The client advertises an emtpy extension to indicate its support 640296341Sdelphij * for Next Protocol Negotiation 641296341Sdelphij */ 642296341Sdelphij if (limit - ret - 4 < 0) 643296341Sdelphij return NULL; 644296341Sdelphij s2n(TLSEXT_TYPE_next_proto_neg, ret); 645296341Sdelphij s2n(0, ret); 646296341Sdelphij } 647296341Sdelphij# endif 648264331Sjkim 649296341Sdelphij# ifndef OPENSSL_NO_SRTP 650296341Sdelphij if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { 651296341Sdelphij int el; 652194206Ssimon 653296341Sdelphij ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 654194206Ssimon 655296341Sdelphij if ((limit - ret - 4 - el) < 0) 656296341Sdelphij return NULL; 657194206Ssimon 658296341Sdelphij s2n(TLSEXT_TYPE_use_srtp, ret); 659296341Sdelphij s2n(el, ret); 660194206Ssimon 661296341Sdelphij if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { 662296341Sdelphij SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 663296341Sdelphij return NULL; 664296341Sdelphij } 665296341Sdelphij ret += el; 666296341Sdelphij } 667296341Sdelphij# endif 668296341Sdelphij /* 669296341Sdelphij * Add padding to workaround bugs in F5 terminators. See 670296341Sdelphij * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this 671296341Sdelphij * code works out the length of all existing extensions it MUST always 672296341Sdelphij * appear last. 673296341Sdelphij */ 674296341Sdelphij if (s->options & SSL_OP_TLSEXT_PADDING) { 675296341Sdelphij int hlen = ret - (unsigned char *)s->init_buf->data; 676296341Sdelphij /* 677296341Sdelphij * The code in s23_clnt.c to build ClientHello messages includes the 678296341Sdelphij * 5-byte record header in the buffer, while the code in s3_clnt.c 679296341Sdelphij * does not. 680296341Sdelphij */ 681296341Sdelphij if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 682296341Sdelphij hlen -= 5; 683296341Sdelphij if (hlen > 0xff && hlen < 0x200) { 684296341Sdelphij hlen = 0x200 - hlen; 685296341Sdelphij if (hlen >= 4) 686296341Sdelphij hlen -= 4; 687296341Sdelphij else 688296341Sdelphij hlen = 0; 689194206Ssimon 690296341Sdelphij s2n(TLSEXT_TYPE_padding, ret); 691296341Sdelphij s2n(hlen, ret); 692296341Sdelphij memset(ret, 0, hlen); 693296341Sdelphij ret += hlen; 694296341Sdelphij } 695296341Sdelphij } 696205128Ssimon 697296341Sdelphij if ((extdatalen = ret - orig - 2) == 0) 698296341Sdelphij return orig; 699205128Ssimon 700296341Sdelphij s2n(extdatalen, orig); 701296341Sdelphij return ret; 702296341Sdelphij} 703205128Ssimon 704296341Sdelphijunsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, 705296341Sdelphij unsigned char *limit) 706296341Sdelphij{ 707296341Sdelphij int extdatalen = 0; 708296341Sdelphij unsigned char *orig = buf; 709296341Sdelphij unsigned char *ret = buf; 710296341Sdelphij# ifndef OPENSSL_NO_NEXTPROTONEG 711296341Sdelphij int next_proto_neg_seen; 712296341Sdelphij# endif 713205128Ssimon 714296341Sdelphij /* 715296341Sdelphij * don't add extensions for SSLv3, unless doing secure renegotiation 716296341Sdelphij */ 717296341Sdelphij if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 718296341Sdelphij return orig; 719296341Sdelphij 720296341Sdelphij ret += 2; 721296341Sdelphij if (ret >= limit) 722296341Sdelphij return NULL; /* this really never occurs, but ... */ 723296341Sdelphij 724296341Sdelphij if (!s->hit && s->servername_done == 1 725296341Sdelphij && s->session->tlsext_hostname != NULL) { 726296341Sdelphij if ((long)(limit - ret - 4) < 0) 727296341Sdelphij return NULL; 728296341Sdelphij 729296341Sdelphij s2n(TLSEXT_TYPE_server_name, ret); 730296341Sdelphij s2n(0, ret); 731296341Sdelphij } 732296341Sdelphij 733296341Sdelphij if (s->s3->send_connection_binding) { 734296341Sdelphij int el; 735296341Sdelphij 736296341Sdelphij if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { 737296341Sdelphij SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 738296341Sdelphij return NULL; 739205128Ssimon } 740238405Sjkim 741296341Sdelphij if ((limit - ret - 4 - el) < 0) 742296341Sdelphij return NULL; 743238405Sjkim 744296341Sdelphij s2n(TLSEXT_TYPE_renegotiate, ret); 745296341Sdelphij s2n(el, ret); 746238405Sjkim 747296341Sdelphij if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { 748296341Sdelphij SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 749296341Sdelphij return NULL; 750296341Sdelphij } 751238405Sjkim 752296341Sdelphij ret += el; 753296341Sdelphij } 754296341Sdelphij# ifndef OPENSSL_NO_EC 755296341Sdelphij if (s->tlsext_ecpointformatlist != NULL) { 756296341Sdelphij /* 757296341Sdelphij * Add TLS extension ECPointFormats to the ServerHello message 758296341Sdelphij */ 759296341Sdelphij long lenmax; 760194206Ssimon 761296341Sdelphij if ((lenmax = limit - ret - 5) < 0) 762296341Sdelphij return NULL; 763296341Sdelphij if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) 764296341Sdelphij return NULL; 765296341Sdelphij if (s->tlsext_ecpointformatlist_length > 255) { 766296341Sdelphij SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 767296341Sdelphij return NULL; 768296341Sdelphij } 769194206Ssimon 770296341Sdelphij s2n(TLSEXT_TYPE_ec_point_formats, ret); 771296341Sdelphij s2n(s->tlsext_ecpointformatlist_length + 1, ret); 772296341Sdelphij *(ret++) = (unsigned char)s->tlsext_ecpointformatlist_length; 773296341Sdelphij memcpy(ret, s->tlsext_ecpointformatlist, 774296341Sdelphij s->tlsext_ecpointformatlist_length); 775296341Sdelphij ret += s->tlsext_ecpointformatlist_length; 776238405Sjkim 777296341Sdelphij } 778296341Sdelphij /* 779296341Sdelphij * Currently the server should not respond with a SupportedCurves 780296341Sdelphij * extension 781296341Sdelphij */ 782296341Sdelphij# endif /* OPENSSL_NO_EC */ 783238405Sjkim 784296341Sdelphij if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 785296341Sdelphij if ((long)(limit - ret - 4) < 0) 786296341Sdelphij return NULL; 787296341Sdelphij s2n(TLSEXT_TYPE_session_ticket, ret); 788296341Sdelphij s2n(0, ret); 789296341Sdelphij } 790238405Sjkim 791296341Sdelphij if (s->tlsext_status_expected) { 792296341Sdelphij if ((long)(limit - ret - 4) < 0) 793296341Sdelphij return NULL; 794296341Sdelphij s2n(TLSEXT_TYPE_status_request, ret); 795296341Sdelphij s2n(0, ret); 796296341Sdelphij } 797296341Sdelphij# ifdef TLSEXT_TYPE_opaque_prf_input 798296341Sdelphij if (s->s3->server_opaque_prf_input != NULL && s->version != DTLS1_VERSION) { 799296341Sdelphij size_t sol = s->s3->server_opaque_prf_input_len; 800238405Sjkim 801296341Sdelphij if ((long)(limit - ret - 6 - sol) < 0) 802296341Sdelphij return NULL; 803296341Sdelphij if (sol > 0xFFFD) /* can't happen */ 804296341Sdelphij return NULL; 805238405Sjkim 806296341Sdelphij s2n(TLSEXT_TYPE_opaque_prf_input, ret); 807296341Sdelphij s2n(sol + 2, ret); 808296341Sdelphij s2n(sol, ret); 809296341Sdelphij memcpy(ret, s->s3->server_opaque_prf_input, sol); 810296341Sdelphij ret += sol; 811296341Sdelphij } 812296341Sdelphij# endif 813238405Sjkim 814296341Sdelphij# ifndef OPENSSL_NO_SRTP 815296341Sdelphij if (SSL_IS_DTLS(s) && s->srtp_profile) { 816296341Sdelphij int el; 817238405Sjkim 818296341Sdelphij ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 819238405Sjkim 820296341Sdelphij if ((limit - ret - 4 - el) < 0) 821296341Sdelphij return NULL; 822238405Sjkim 823296341Sdelphij s2n(TLSEXT_TYPE_use_srtp, ret); 824296341Sdelphij s2n(el, ret); 825238405Sjkim 826296341Sdelphij if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { 827296341Sdelphij SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 828296341Sdelphij return NULL; 829296341Sdelphij } 830296341Sdelphij ret += el; 831296341Sdelphij } 832296341Sdelphij# endif 833238405Sjkim 834296341Sdelphij if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 835296341Sdelphij || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) 836296341Sdelphij && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 837296341Sdelphij const unsigned char cryptopro_ext[36] = { 838296341Sdelphij 0xfd, 0xe8, /* 65000 */ 839296341Sdelphij 0x00, 0x20, /* 32 bytes length */ 840296341Sdelphij 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 841296341Sdelphij 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 842296341Sdelphij 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 843296341Sdelphij 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 844296341Sdelphij }; 845296341Sdelphij if (limit - ret < 36) 846296341Sdelphij return NULL; 847296341Sdelphij memcpy(ret, cryptopro_ext, 36); 848296341Sdelphij ret += 36; 849238405Sjkim 850296341Sdelphij } 851296341Sdelphij# ifndef OPENSSL_NO_HEARTBEATS 852296341Sdelphij /* Add Heartbeat extension if we've received one */ 853296341Sdelphij if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) { 854296341Sdelphij if ((limit - ret - 4 - 1) < 0) 855296341Sdelphij return NULL; 856296341Sdelphij s2n(TLSEXT_TYPE_heartbeat, ret); 857296341Sdelphij s2n(1, ret); 858296341Sdelphij /*- 859296341Sdelphij * Set mode: 860296341Sdelphij * 1: peer may send requests 861296341Sdelphij * 2: peer not allowed to send requests 862296341Sdelphij */ 863296341Sdelphij if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 864296341Sdelphij *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 865296341Sdelphij else 866296341Sdelphij *(ret++) = SSL_TLSEXT_HB_ENABLED; 867194206Ssimon 868296341Sdelphij } 869296341Sdelphij# endif 870194206Ssimon 871296341Sdelphij# ifndef OPENSSL_NO_NEXTPROTONEG 872296341Sdelphij next_proto_neg_seen = s->s3->next_proto_neg_seen; 873296341Sdelphij s->s3->next_proto_neg_seen = 0; 874296341Sdelphij if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { 875296341Sdelphij const unsigned char *npa; 876296341Sdelphij unsigned int npalen; 877296341Sdelphij int r; 878296341Sdelphij 879296341Sdelphij r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, 880296341Sdelphij s-> 881296341Sdelphij ctx->next_protos_advertised_cb_arg); 882296341Sdelphij if (r == SSL_TLSEXT_ERR_OK) { 883296341Sdelphij if ((long)(limit - ret - 4 - npalen) < 0) 884296341Sdelphij return NULL; 885296341Sdelphij s2n(TLSEXT_TYPE_next_proto_neg, ret); 886296341Sdelphij s2n(npalen, ret); 887296341Sdelphij memcpy(ret, npa, npalen); 888296341Sdelphij ret += npalen; 889296341Sdelphij s->s3->next_proto_neg_seen = 1; 890296341Sdelphij } 891296341Sdelphij } 892296341Sdelphij# endif 893296341Sdelphij 894296341Sdelphij if ((extdatalen = ret - orig - 2) == 0) 895296341Sdelphij return orig; 896296341Sdelphij 897296341Sdelphij s2n(extdatalen, orig); 898296341Sdelphij return ret; 899296341Sdelphij} 900296341Sdelphij 901296341Sdelphij# ifndef OPENSSL_NO_EC 902296341Sdelphij/*- 903296341Sdelphij * ssl_check_for_safari attempts to fingerprint Safari using OS X 904264331Sjkim * SecureTransport using the TLS extension block in |d|, of length |n|. 905264331Sjkim * Safari, since 10.6, sends exactly these extensions, in this order: 906264331Sjkim * SNI, 907264331Sjkim * elliptic_curves 908264331Sjkim * ec_point_formats 909264331Sjkim * 910264331Sjkim * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, 911264331Sjkim * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. 912264331Sjkim * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 913264331Sjkim * 10.8..10.8.3 (which don't work). 914264331Sjkim */ 915296341Sdelphijstatic void ssl_check_for_safari(SSL *s, const unsigned char *data, 916306230Sdelphij const unsigned char *limit) 917296341Sdelphij{ 918296341Sdelphij unsigned short type, size; 919296341Sdelphij static const unsigned char kSafariExtensionsBlock[] = { 920296341Sdelphij 0x00, 0x0a, /* elliptic_curves extension */ 921296341Sdelphij 0x00, 0x08, /* 8 bytes */ 922296341Sdelphij 0x00, 0x06, /* 6 bytes of curve ids */ 923296341Sdelphij 0x00, 0x17, /* P-256 */ 924296341Sdelphij 0x00, 0x18, /* P-384 */ 925296341Sdelphij 0x00, 0x19, /* P-521 */ 926264331Sjkim 927296341Sdelphij 0x00, 0x0b, /* ec_point_formats */ 928296341Sdelphij 0x00, 0x02, /* 2 bytes */ 929296341Sdelphij 0x01, /* 1 point format */ 930296341Sdelphij 0x00, /* uncompressed */ 931296341Sdelphij }; 932264331Sjkim 933296341Sdelphij /* The following is only present in TLS 1.2 */ 934296341Sdelphij static const unsigned char kSafariTLS12ExtensionsBlock[] = { 935296341Sdelphij 0x00, 0x0d, /* signature_algorithms */ 936296341Sdelphij 0x00, 0x0c, /* 12 bytes */ 937296341Sdelphij 0x00, 0x0a, /* 10 bytes */ 938296341Sdelphij 0x05, 0x01, /* SHA-384/RSA */ 939296341Sdelphij 0x04, 0x01, /* SHA-256/RSA */ 940296341Sdelphij 0x02, 0x01, /* SHA-1/RSA */ 941296341Sdelphij 0x04, 0x03, /* SHA-256/ECDSA */ 942296341Sdelphij 0x02, 0x03, /* SHA-1/ECDSA */ 943296341Sdelphij }; 944264331Sjkim 945306230Sdelphij if (limit - data <= 2) 946296341Sdelphij return; 947296341Sdelphij data += 2; 948264331Sjkim 949306230Sdelphij if (limit - data < 4) 950296341Sdelphij return; 951296341Sdelphij n2s(data, type); 952296341Sdelphij n2s(data, size); 953264331Sjkim 954296341Sdelphij if (type != TLSEXT_TYPE_server_name) 955296341Sdelphij return; 956264331Sjkim 957306230Sdelphij if (limit - data < size) 958296341Sdelphij return; 959296341Sdelphij data += size; 960264331Sjkim 961296341Sdelphij if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 962296341Sdelphij const size_t len1 = sizeof(kSafariExtensionsBlock); 963296341Sdelphij const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 964264331Sjkim 965306230Sdelphij if (limit - data != (int)(len1 + len2)) 966296341Sdelphij return; 967296341Sdelphij if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 968296341Sdelphij return; 969296341Sdelphij if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 970296341Sdelphij return; 971296341Sdelphij } else { 972296341Sdelphij const size_t len = sizeof(kSafariExtensionsBlock); 973264331Sjkim 974306230Sdelphij if (limit - data != (int)(len)) 975296341Sdelphij return; 976296341Sdelphij if (memcmp(data, kSafariExtensionsBlock, len) != 0) 977296341Sdelphij return; 978296341Sdelphij } 979264331Sjkim 980296341Sdelphij s->s3->is_probably_safari = 1; 981264331Sjkim} 982296341Sdelphij# endif /* !OPENSSL_NO_EC */ 983264331Sjkim 984306230Sdelphijint ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, 985306230Sdelphij unsigned char *limit, int *al) 986296341Sdelphij{ 987296341Sdelphij unsigned short type; 988296341Sdelphij unsigned short size; 989296341Sdelphij unsigned short len; 990296341Sdelphij unsigned char *data = *p; 991296341Sdelphij int renegotiate_seen = 0; 992296341Sdelphij int sigalg_seen = 0; 993205128Ssimon 994296341Sdelphij s->servername_done = 0; 995296341Sdelphij s->tlsext_status_type = -1; 996296341Sdelphij# ifndef OPENSSL_NO_NEXTPROTONEG 997296341Sdelphij s->s3->next_proto_neg_seen = 0; 998296341Sdelphij# endif 999194206Ssimon 1000296341Sdelphij# ifndef OPENSSL_NO_HEARTBEATS 1001296341Sdelphij s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1002296341Sdelphij SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1003296341Sdelphij# endif 1004238405Sjkim 1005296341Sdelphij# ifndef OPENSSL_NO_EC 1006296341Sdelphij if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 1007306230Sdelphij ssl_check_for_safari(s, data, limit); 1008296341Sdelphij# endif /* !OPENSSL_NO_EC */ 1009264331Sjkim 1010296341Sdelphij# ifndef OPENSSL_NO_SRP 1011296341Sdelphij if (s->srp_ctx.login != NULL) { 1012296341Sdelphij OPENSSL_free(s->srp_ctx.login); 1013296341Sdelphij s->srp_ctx.login = NULL; 1014296341Sdelphij } 1015296341Sdelphij# endif 1016279264Sdelphij 1017296341Sdelphij s->srtp_profile = NULL; 1018279264Sdelphij 1019306230Sdelphij if (data == limit) 1020296341Sdelphij goto ri_check; 1021194206Ssimon 1022306230Sdelphij if (limit - data < 2) 1023296341Sdelphij goto err; 1024194206Ssimon 1025296341Sdelphij n2s(data, len); 1026194206Ssimon 1027306230Sdelphij if (limit - data != len) 1028296341Sdelphij goto err; 1029194206Ssimon 1030306230Sdelphij while (limit - data >= 4) { 1031296341Sdelphij n2s(data, type); 1032296341Sdelphij n2s(data, size); 1033194206Ssimon 1034306230Sdelphij if (limit - data < size) 1035296341Sdelphij goto err; 1036296341Sdelphij# if 0 1037296341Sdelphij fprintf(stderr, "Received extension type %d size %d\n", type, size); 1038296341Sdelphij# endif 1039296341Sdelphij if (s->tlsext_debug_cb) 1040296341Sdelphij s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg); 1041296341Sdelphij/*- 1042296341Sdelphij * The servername extension is treated as follows: 1043296341Sdelphij * 1044296341Sdelphij * - Only the hostname type is supported with a maximum length of 255. 1045296341Sdelphij * - The servername is rejected if too long or if it contains zeros, 1046296341Sdelphij * in which case an fatal alert is generated. 1047296341Sdelphij * - The servername field is maintained together with the session cache. 1048296341Sdelphij * - When a session is resumed, the servername call back invoked in order 1049296341Sdelphij * to allow the application to position itself to the right context. 1050296341Sdelphij * - The servername is acknowledged if it is new for a session or when 1051296341Sdelphij * it is identical to a previously used for the same session. 1052296341Sdelphij * Applications can control the behaviour. They can at any time 1053296341Sdelphij * set a 'desirable' servername for a new SSL object. This can be the 1054296341Sdelphij * case for example with HTTPS when a Host: header field is received and 1055296341Sdelphij * a renegotiation is requested. In this case, a possible servername 1056296341Sdelphij * presented in the new client hello is only acknowledged if it matches 1057296341Sdelphij * the value of the Host: field. 1058296341Sdelphij * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1059296341Sdelphij * if they provide for changing an explicit servername context for the 1060296341Sdelphij * session, i.e. when the session has been established with a servername 1061296341Sdelphij * extension. 1062296341Sdelphij * - On session reconnect, the servername extension may be absent. 1063296341Sdelphij * 1064296341Sdelphij */ 1065194206Ssimon 1066296341Sdelphij if (type == TLSEXT_TYPE_server_name) { 1067296341Sdelphij unsigned char *sdata; 1068296341Sdelphij int servname_type; 1069296341Sdelphij int dsize; 1070194206Ssimon 1071296341Sdelphij if (size < 2) 1072296341Sdelphij goto err; 1073296341Sdelphij n2s(data, dsize); 1074296341Sdelphij size -= 2; 1075296341Sdelphij if (dsize > size) 1076296341Sdelphij goto err; 1077194206Ssimon 1078296341Sdelphij sdata = data; 1079296341Sdelphij while (dsize > 3) { 1080296341Sdelphij servname_type = *(sdata++); 1081296341Sdelphij n2s(sdata, len); 1082296341Sdelphij dsize -= 3; 1083194206Ssimon 1084296341Sdelphij if (len > dsize) 1085296341Sdelphij goto err; 1086194206Ssimon 1087296341Sdelphij if (s->servername_done == 0) 1088296341Sdelphij switch (servname_type) { 1089296341Sdelphij case TLSEXT_NAMETYPE_host_name: 1090296341Sdelphij if (!s->hit) { 1091296341Sdelphij if (s->session->tlsext_hostname) 1092296341Sdelphij goto err; 1093194206Ssimon 1094296341Sdelphij if (len > TLSEXT_MAXLEN_host_name) { 1095296341Sdelphij *al = TLS1_AD_UNRECOGNIZED_NAME; 1096296341Sdelphij return 0; 1097296341Sdelphij } 1098296341Sdelphij if ((s->session->tlsext_hostname = 1099296341Sdelphij OPENSSL_malloc(len + 1)) == NULL) { 1100296341Sdelphij *al = TLS1_AD_INTERNAL_ERROR; 1101296341Sdelphij return 0; 1102296341Sdelphij } 1103296341Sdelphij memcpy(s->session->tlsext_hostname, sdata, len); 1104296341Sdelphij s->session->tlsext_hostname[len] = '\0'; 1105296341Sdelphij if (strlen(s->session->tlsext_hostname) != len) { 1106296341Sdelphij OPENSSL_free(s->session->tlsext_hostname); 1107296341Sdelphij s->session->tlsext_hostname = NULL; 1108296341Sdelphij *al = TLS1_AD_UNRECOGNIZED_NAME; 1109296341Sdelphij return 0; 1110296341Sdelphij } 1111296341Sdelphij s->servername_done = 1; 1112238405Sjkim 1113296341Sdelphij } else 1114296341Sdelphij s->servername_done = s->session->tlsext_hostname 1115296341Sdelphij && strlen(s->session->tlsext_hostname) == len 1116296341Sdelphij && strncmp(s->session->tlsext_hostname, 1117296341Sdelphij (char *)sdata, len) == 0; 1118238405Sjkim 1119296341Sdelphij break; 1120238405Sjkim 1121296341Sdelphij default: 1122296341Sdelphij break; 1123296341Sdelphij } 1124284295Sdelphij 1125296341Sdelphij dsize -= len; 1126296341Sdelphij } 1127296341Sdelphij if (dsize != 0) 1128296341Sdelphij goto err; 1129238405Sjkim 1130296341Sdelphij } 1131296341Sdelphij# ifndef OPENSSL_NO_SRP 1132296341Sdelphij else if (type == TLSEXT_TYPE_srp) { 1133296341Sdelphij if (size == 0 || ((len = data[0])) != (size - 1)) 1134296341Sdelphij goto err; 1135296341Sdelphij if (s->srp_ctx.login != NULL) 1136296341Sdelphij goto err; 1137296341Sdelphij if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL) 1138296341Sdelphij return -1; 1139296341Sdelphij memcpy(s->srp_ctx.login, &data[1], len); 1140296341Sdelphij s->srp_ctx.login[len] = '\0'; 1141238405Sjkim 1142296341Sdelphij if (strlen(s->srp_ctx.login) != len) 1143296341Sdelphij goto err; 1144296341Sdelphij } 1145296341Sdelphij# endif 1146194206Ssimon 1147296341Sdelphij# ifndef OPENSSL_NO_EC 1148296341Sdelphij else if (type == TLSEXT_TYPE_ec_point_formats) { 1149296341Sdelphij unsigned char *sdata = data; 1150296341Sdelphij int ecpointformatlist_length = *(sdata++); 1151296341Sdelphij 1152296341Sdelphij if (ecpointformatlist_length != size - 1) 1153296341Sdelphij goto err; 1154296341Sdelphij if (!s->hit) { 1155296341Sdelphij if (s->session->tlsext_ecpointformatlist) { 1156296341Sdelphij OPENSSL_free(s->session->tlsext_ecpointformatlist); 1157296341Sdelphij s->session->tlsext_ecpointformatlist = NULL; 1158296341Sdelphij } 1159296341Sdelphij s->session->tlsext_ecpointformatlist_length = 0; 1160296341Sdelphij if ((s->session->tlsext_ecpointformatlist = 1161296341Sdelphij OPENSSL_malloc(ecpointformatlist_length)) == NULL) { 1162296341Sdelphij *al = TLS1_AD_INTERNAL_ERROR; 1163296341Sdelphij return 0; 1164296341Sdelphij } 1165296341Sdelphij s->session->tlsext_ecpointformatlist_length = 1166296341Sdelphij ecpointformatlist_length; 1167296341Sdelphij memcpy(s->session->tlsext_ecpointformatlist, sdata, 1168296341Sdelphij ecpointformatlist_length); 1169296341Sdelphij } 1170296341Sdelphij# if 0 1171296341Sdelphij fprintf(stderr, 1172296341Sdelphij "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", 1173296341Sdelphij s->session->tlsext_ecpointformatlist_length); 1174296341Sdelphij sdata = s->session->tlsext_ecpointformatlist; 1175296341Sdelphij for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1176296341Sdelphij fprintf(stderr, "%i ", *(sdata++)); 1177296341Sdelphij fprintf(stderr, "\n"); 1178296341Sdelphij# endif 1179296341Sdelphij } else if (type == TLSEXT_TYPE_elliptic_curves) { 1180296341Sdelphij unsigned char *sdata = data; 1181296341Sdelphij int ellipticcurvelist_length = (*(sdata++) << 8); 1182296341Sdelphij ellipticcurvelist_length += (*(sdata++)); 1183296341Sdelphij 1184296341Sdelphij if (ellipticcurvelist_length != size - 2 || 1185296341Sdelphij ellipticcurvelist_length < 1 || 1186296341Sdelphij /* Each NamedCurve is 2 bytes. */ 1187296341Sdelphij ellipticcurvelist_length & 1) 1188296341Sdelphij goto err; 1189296341Sdelphij 1190296341Sdelphij if (!s->hit) { 1191296341Sdelphij if (s->session->tlsext_ellipticcurvelist) 1192296341Sdelphij goto err; 1193296341Sdelphij 1194296341Sdelphij s->session->tlsext_ellipticcurvelist_length = 0; 1195296341Sdelphij if ((s->session->tlsext_ellipticcurvelist = 1196296341Sdelphij OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { 1197296341Sdelphij *al = TLS1_AD_INTERNAL_ERROR; 1198296341Sdelphij return 0; 1199296341Sdelphij } 1200296341Sdelphij s->session->tlsext_ellipticcurvelist_length = 1201296341Sdelphij ellipticcurvelist_length; 1202296341Sdelphij memcpy(s->session->tlsext_ellipticcurvelist, sdata, 1203296341Sdelphij ellipticcurvelist_length); 1204296341Sdelphij } 1205296341Sdelphij# if 0 1206296341Sdelphij fprintf(stderr, 1207296341Sdelphij "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", 1208296341Sdelphij s->session->tlsext_ellipticcurvelist_length); 1209296341Sdelphij sdata = s->session->tlsext_ellipticcurvelist; 1210296341Sdelphij for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) 1211296341Sdelphij fprintf(stderr, "%i ", *(sdata++)); 1212296341Sdelphij fprintf(stderr, "\n"); 1213296341Sdelphij# endif 1214296341Sdelphij } 1215296341Sdelphij# endif /* OPENSSL_NO_EC */ 1216296341Sdelphij# ifdef TLSEXT_TYPE_opaque_prf_input 1217296341Sdelphij else if (type == TLSEXT_TYPE_opaque_prf_input && 1218296341Sdelphij s->version != DTLS1_VERSION) { 1219296341Sdelphij unsigned char *sdata = data; 1220296341Sdelphij 1221296341Sdelphij if (size < 2) { 1222296341Sdelphij *al = SSL_AD_DECODE_ERROR; 1223296341Sdelphij return 0; 1224296341Sdelphij } 1225296341Sdelphij n2s(sdata, s->s3->client_opaque_prf_input_len); 1226296341Sdelphij if (s->s3->client_opaque_prf_input_len != size - 2) { 1227296341Sdelphij *al = SSL_AD_DECODE_ERROR; 1228296341Sdelphij return 0; 1229296341Sdelphij } 1230296341Sdelphij 1231296341Sdelphij if (s->s3->client_opaque_prf_input != NULL) { 1232296341Sdelphij /* shouldn't really happen */ 1233296341Sdelphij OPENSSL_free(s->s3->client_opaque_prf_input); 1234296341Sdelphij } 1235296341Sdelphij 1236296341Sdelphij /* dummy byte just to get non-NULL */ 1237296341Sdelphij if (s->s3->client_opaque_prf_input_len == 0) 1238296341Sdelphij s->s3->client_opaque_prf_input = OPENSSL_malloc(1); 1239296341Sdelphij else 1240296341Sdelphij s->s3->client_opaque_prf_input = 1241296341Sdelphij BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); 1242296341Sdelphij if (s->s3->client_opaque_prf_input == NULL) { 1243296341Sdelphij *al = TLS1_AD_INTERNAL_ERROR; 1244296341Sdelphij return 0; 1245296341Sdelphij } 1246296341Sdelphij } 1247296341Sdelphij# endif 1248296341Sdelphij else if (type == TLSEXT_TYPE_session_ticket) { 1249296341Sdelphij if (s->tls_session_ticket_ext_cb && 1250296341Sdelphij !s->tls_session_ticket_ext_cb(s, data, size, 1251296341Sdelphij s->tls_session_ticket_ext_cb_arg)) 1252296341Sdelphij { 1253296341Sdelphij *al = TLS1_AD_INTERNAL_ERROR; 1254296341Sdelphij return 0; 1255296341Sdelphij } 1256296341Sdelphij } else if (type == TLSEXT_TYPE_renegotiate) { 1257296341Sdelphij if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 1258296341Sdelphij return 0; 1259296341Sdelphij renegotiate_seen = 1; 1260296341Sdelphij } else if (type == TLSEXT_TYPE_signature_algorithms) { 1261296341Sdelphij int dsize; 1262296341Sdelphij if (sigalg_seen || size < 2) 1263296341Sdelphij goto err; 1264296341Sdelphij sigalg_seen = 1; 1265296341Sdelphij n2s(data, dsize); 1266296341Sdelphij size -= 2; 1267296341Sdelphij if (dsize != size || dsize & 1) 1268296341Sdelphij goto err; 1269296341Sdelphij if (!tls1_process_sigalgs(s, data, dsize)) 1270296341Sdelphij goto err; 1271296341Sdelphij } else if (type == TLSEXT_TYPE_status_request && 1272296341Sdelphij s->version != DTLS1_VERSION) { 1273296341Sdelphij 1274296341Sdelphij if (size < 5) 1275296341Sdelphij goto err; 1276296341Sdelphij 1277296341Sdelphij s->tlsext_status_type = *data++; 1278296341Sdelphij size--; 1279296341Sdelphij if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { 1280296341Sdelphij const unsigned char *sdata; 1281296341Sdelphij int dsize; 1282296341Sdelphij /* Read in responder_id_list */ 1283296341Sdelphij n2s(data, dsize); 1284296341Sdelphij size -= 2; 1285296341Sdelphij if (dsize > size) 1286296341Sdelphij goto err; 1287306230Sdelphij 1288306230Sdelphij /* 1289306230Sdelphij * We remove any OCSP_RESPIDs from a previous handshake 1290306230Sdelphij * to prevent unbounded memory growth - CVE-2016-6304 1291306230Sdelphij */ 1292306230Sdelphij sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, 1293306230Sdelphij OCSP_RESPID_free); 1294306230Sdelphij if (dsize > 0) { 1295306230Sdelphij s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 1296306230Sdelphij if (s->tlsext_ocsp_ids == NULL) { 1297306230Sdelphij *al = SSL_AD_INTERNAL_ERROR; 1298306230Sdelphij return 0; 1299306230Sdelphij } 1300306230Sdelphij } else { 1301306230Sdelphij s->tlsext_ocsp_ids = NULL; 1302306230Sdelphij } 1303306230Sdelphij 1304296341Sdelphij while (dsize > 0) { 1305296341Sdelphij OCSP_RESPID *id; 1306296341Sdelphij int idsize; 1307296341Sdelphij if (dsize < 4) 1308284295Sdelphij goto err; 1309296341Sdelphij n2s(data, idsize); 1310296341Sdelphij dsize -= 2 + idsize; 1311296341Sdelphij size -= 2 + idsize; 1312296341Sdelphij if (dsize < 0) 1313296341Sdelphij goto err; 1314296341Sdelphij sdata = data; 1315296341Sdelphij data += idsize; 1316296341Sdelphij id = d2i_OCSP_RESPID(NULL, &sdata, idsize); 1317296341Sdelphij if (!id) 1318296341Sdelphij goto err; 1319296341Sdelphij if (data != sdata) { 1320296341Sdelphij OCSP_RESPID_free(id); 1321296341Sdelphij goto err; 1322296341Sdelphij } 1323296341Sdelphij if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { 1324296341Sdelphij OCSP_RESPID_free(id); 1325296341Sdelphij *al = SSL_AD_INTERNAL_ERROR; 1326296341Sdelphij return 0; 1327296341Sdelphij } 1328296341Sdelphij } 1329194206Ssimon 1330296341Sdelphij /* Read in request_extensions */ 1331296341Sdelphij if (size < 2) 1332296341Sdelphij goto err; 1333296341Sdelphij n2s(data, dsize); 1334296341Sdelphij size -= 2; 1335296341Sdelphij if (dsize != size) 1336296341Sdelphij goto err; 1337296341Sdelphij sdata = data; 1338296341Sdelphij if (dsize > 0) { 1339296341Sdelphij if (s->tlsext_ocsp_exts) { 1340296341Sdelphij sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1341296341Sdelphij X509_EXTENSION_free); 1342296341Sdelphij } 1343237657Sjkim 1344296341Sdelphij s->tlsext_ocsp_exts = 1345296341Sdelphij d2i_X509_EXTENSIONS(NULL, &sdata, dsize); 1346296341Sdelphij if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) 1347296341Sdelphij goto err; 1348296341Sdelphij } 1349296341Sdelphij } 1350296341Sdelphij /* 1351296341Sdelphij * We don't know what to do with any other type * so ignore it. 1352296341Sdelphij */ 1353296341Sdelphij else 1354296341Sdelphij s->tlsext_status_type = -1; 1355296341Sdelphij } 1356296341Sdelphij# ifndef OPENSSL_NO_HEARTBEATS 1357296341Sdelphij else if (type == TLSEXT_TYPE_heartbeat) { 1358296341Sdelphij switch (data[0]) { 1359296341Sdelphij case 0x01: /* Client allows us to send HB requests */ 1360296341Sdelphij s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1361296341Sdelphij break; 1362296341Sdelphij case 0x02: /* Client doesn't accept HB requests */ 1363296341Sdelphij s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1364296341Sdelphij s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1365296341Sdelphij break; 1366296341Sdelphij default: 1367296341Sdelphij *al = SSL_AD_ILLEGAL_PARAMETER; 1368296341Sdelphij return 0; 1369296341Sdelphij } 1370296341Sdelphij } 1371296341Sdelphij# endif 1372296341Sdelphij# ifndef OPENSSL_NO_NEXTPROTONEG 1373296341Sdelphij else if (type == TLSEXT_TYPE_next_proto_neg && 1374296341Sdelphij s->s3->tmp.finish_md_len == 0) { 1375296341Sdelphij /*- 1376296341Sdelphij * We shouldn't accept this extension on a 1377296341Sdelphij * renegotiation. 1378296341Sdelphij * 1379296341Sdelphij * s->new_session will be set on renegotiation, but we 1380296341Sdelphij * probably shouldn't rely that it couldn't be set on 1381296341Sdelphij * the initial renegotation too in certain cases (when 1382296341Sdelphij * there's some other reason to disallow resuming an 1383296341Sdelphij * earlier session -- the current code won't be doing 1384296341Sdelphij * anything like that, but this might change). 1385296341Sdelphij * 1386296341Sdelphij * A valid sign that there's been a previous handshake 1387296341Sdelphij * in this connection is if s->s3->tmp.finish_md_len > 1388296341Sdelphij * 0. (We are talking about a check that will happen 1389296341Sdelphij * in the Hello protocol round, well before a new 1390296341Sdelphij * Finished message could have been computed.) 1391296341Sdelphij */ 1392296341Sdelphij s->s3->next_proto_neg_seen = 1; 1393296341Sdelphij } 1394296341Sdelphij# endif 1395205128Ssimon 1396296341Sdelphij /* session ticket processed earlier */ 1397296341Sdelphij# ifndef OPENSSL_NO_SRTP 1398296341Sdelphij else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) 1399296341Sdelphij && type == TLSEXT_TYPE_use_srtp) { 1400296341Sdelphij if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) 1401296341Sdelphij return 0; 1402296341Sdelphij } 1403296341Sdelphij# endif 1404238405Sjkim 1405296341Sdelphij data += size; 1406296341Sdelphij } 1407194206Ssimon 1408284295Sdelphij /* Spurious data on the end */ 1409306230Sdelphij if (data != limit) 1410284295Sdelphij goto err; 1411284295Sdelphij 1412296341Sdelphij *p = data; 1413194206Ssimon 1414296341Sdelphij ri_check: 1415205128Ssimon 1416296341Sdelphij /* Need RI if renegotiating */ 1417205128Ssimon 1418296341Sdelphij if (!renegotiate_seen && s->renegotiate && 1419296341Sdelphij !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 1420296341Sdelphij *al = SSL_AD_HANDSHAKE_FAILURE; 1421296341Sdelphij SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1422296341Sdelphij SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1423296341Sdelphij return 0; 1424296341Sdelphij } 1425205128Ssimon 1426296341Sdelphij return 1; 1427284295Sdelphijerr: 1428284295Sdelphij *al = SSL_AD_DECODE_ERROR; 1429284295Sdelphij return 0; 1430284295Sdelphij} 1431194206Ssimon 1432296341Sdelphij# ifndef OPENSSL_NO_NEXTPROTONEG 1433296341Sdelphij/* 1434296341Sdelphij * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1435296341Sdelphij * elements of zero length are allowed and the set of elements must exactly 1436296341Sdelphij * fill the length of the block. 1437296341Sdelphij */ 1438238405Sjkimstatic char ssl_next_proto_validate(unsigned char *d, unsigned len) 1439296341Sdelphij{ 1440296341Sdelphij unsigned int off = 0; 1441238405Sjkim 1442296341Sdelphij while (off < len) { 1443296341Sdelphij if (d[off] == 0) 1444296341Sdelphij return 0; 1445296341Sdelphij off += d[off]; 1446296341Sdelphij off++; 1447296341Sdelphij } 1448238405Sjkim 1449296341Sdelphij return off == len; 1450296341Sdelphij} 1451296341Sdelphij# endif 1452238405Sjkim 1453296341Sdelphijint ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, 1454296341Sdelphij int n, int *al) 1455296341Sdelphij{ 1456296341Sdelphij unsigned short length; 1457296341Sdelphij unsigned short type; 1458296341Sdelphij unsigned short size; 1459296341Sdelphij unsigned char *data = *p; 1460296341Sdelphij int tlsext_servername = 0; 1461296341Sdelphij int renegotiate_seen = 0; 1462194206Ssimon 1463296341Sdelphij# ifndef OPENSSL_NO_NEXTPROTONEG 1464296341Sdelphij s->s3->next_proto_neg_seen = 0; 1465296341Sdelphij# endif 1466296341Sdelphij s->tlsext_ticket_expected = 0; 1467238405Sjkim 1468296341Sdelphij# ifndef OPENSSL_NO_HEARTBEATS 1469296341Sdelphij s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1470296341Sdelphij SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1471296341Sdelphij# endif 1472238405Sjkim 1473306230Sdelphij if ((d + n) - data <= 2) 1474296341Sdelphij goto ri_check; 1475194206Ssimon 1476296341Sdelphij n2s(data, length); 1477306230Sdelphij if ((d + n) - data != length) { 1478296341Sdelphij *al = SSL_AD_DECODE_ERROR; 1479296341Sdelphij return 0; 1480296341Sdelphij } 1481194206Ssimon 1482306230Sdelphij while ((d + n) - data >= 4) { 1483296341Sdelphij n2s(data, type); 1484296341Sdelphij n2s(data, size); 1485194206Ssimon 1486306230Sdelphij if ((d + n) - data < size) 1487296341Sdelphij goto ri_check; 1488194206Ssimon 1489296341Sdelphij if (s->tlsext_debug_cb) 1490296341Sdelphij s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg); 1491194206Ssimon 1492296341Sdelphij if (type == TLSEXT_TYPE_server_name) { 1493296341Sdelphij if (s->tlsext_hostname == NULL || size > 0) { 1494296341Sdelphij *al = TLS1_AD_UNRECOGNIZED_NAME; 1495296341Sdelphij return 0; 1496296341Sdelphij } 1497296341Sdelphij tlsext_servername = 1; 1498296341Sdelphij } 1499296341Sdelphij# ifndef OPENSSL_NO_EC 1500296341Sdelphij else if (type == TLSEXT_TYPE_ec_point_formats) { 1501296341Sdelphij unsigned char *sdata = data; 1502296341Sdelphij int ecpointformatlist_length = *(sdata++); 1503238405Sjkim 1504296341Sdelphij if (ecpointformatlist_length != size - 1 || 1505296341Sdelphij ecpointformatlist_length < 1) { 1506296341Sdelphij *al = TLS1_AD_DECODE_ERROR; 1507296341Sdelphij return 0; 1508296341Sdelphij } 1509296341Sdelphij if (!s->hit) { 1510296341Sdelphij s->session->tlsext_ecpointformatlist_length = 0; 1511296341Sdelphij if (s->session->tlsext_ecpointformatlist != NULL) 1512296341Sdelphij OPENSSL_free(s->session->tlsext_ecpointformatlist); 1513296341Sdelphij if ((s->session->tlsext_ecpointformatlist = 1514296341Sdelphij OPENSSL_malloc(ecpointformatlist_length)) == NULL) { 1515296341Sdelphij *al = TLS1_AD_INTERNAL_ERROR; 1516296341Sdelphij return 0; 1517296341Sdelphij } 1518296341Sdelphij s->session->tlsext_ecpointformatlist_length = 1519296341Sdelphij ecpointformatlist_length; 1520296341Sdelphij memcpy(s->session->tlsext_ecpointformatlist, sdata, 1521296341Sdelphij ecpointformatlist_length); 1522296341Sdelphij } 1523296341Sdelphij# if 0 1524296341Sdelphij fprintf(stderr, 1525296341Sdelphij "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); 1526296341Sdelphij sdata = s->session->tlsext_ecpointformatlist; 1527296341Sdelphij for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1528296341Sdelphij fprintf(stderr, "%i ", *(sdata++)); 1529296341Sdelphij fprintf(stderr, "\n"); 1530296341Sdelphij# endif 1531296341Sdelphij } 1532296341Sdelphij# endif /* OPENSSL_NO_EC */ 1533238405Sjkim 1534296341Sdelphij else if (type == TLSEXT_TYPE_session_ticket) { 1535296341Sdelphij if (s->tls_session_ticket_ext_cb && 1536296341Sdelphij !s->tls_session_ticket_ext_cb(s, data, size, 1537296341Sdelphij s->tls_session_ticket_ext_cb_arg)) 1538296341Sdelphij { 1539296341Sdelphij *al = TLS1_AD_INTERNAL_ERROR; 1540296341Sdelphij return 0; 1541296341Sdelphij } 1542296341Sdelphij if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 1543296341Sdelphij || (size > 0)) { 1544296341Sdelphij *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1545296341Sdelphij return 0; 1546296341Sdelphij } 1547296341Sdelphij s->tlsext_ticket_expected = 1; 1548296341Sdelphij } 1549296341Sdelphij# ifdef TLSEXT_TYPE_opaque_prf_input 1550296341Sdelphij else if (type == TLSEXT_TYPE_opaque_prf_input && 1551296341Sdelphij s->version != DTLS1_VERSION) { 1552296341Sdelphij unsigned char *sdata = data; 1553238405Sjkim 1554296341Sdelphij if (size < 2) { 1555296341Sdelphij *al = SSL_AD_DECODE_ERROR; 1556296341Sdelphij return 0; 1557296341Sdelphij } 1558296341Sdelphij n2s(sdata, s->s3->server_opaque_prf_input_len); 1559296341Sdelphij if (s->s3->server_opaque_prf_input_len != size - 2) { 1560296341Sdelphij *al = SSL_AD_DECODE_ERROR; 1561296341Sdelphij return 0; 1562296341Sdelphij } 1563238405Sjkim 1564296341Sdelphij if (s->s3->server_opaque_prf_input != NULL) { 1565296341Sdelphij /* shouldn't really happen */ 1566296341Sdelphij OPENSSL_free(s->s3->server_opaque_prf_input); 1567296341Sdelphij } 1568296341Sdelphij if (s->s3->server_opaque_prf_input_len == 0) { 1569296341Sdelphij /* dummy byte just to get non-NULL */ 1570296341Sdelphij s->s3->server_opaque_prf_input = OPENSSL_malloc(1); 1571296341Sdelphij } else { 1572296341Sdelphij s->s3->server_opaque_prf_input = 1573296341Sdelphij BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); 1574296341Sdelphij } 1575238405Sjkim 1576296341Sdelphij if (s->s3->server_opaque_prf_input == NULL) { 1577296341Sdelphij *al = TLS1_AD_INTERNAL_ERROR; 1578296341Sdelphij return 0; 1579296341Sdelphij } 1580296341Sdelphij } 1581296341Sdelphij# endif 1582296341Sdelphij else if (type == TLSEXT_TYPE_status_request && 1583296341Sdelphij s->version != DTLS1_VERSION) { 1584296341Sdelphij /* 1585296341Sdelphij * MUST be empty and only sent if we've requested a status 1586296341Sdelphij * request message. 1587296341Sdelphij */ 1588296341Sdelphij if ((s->tlsext_status_type == -1) || (size > 0)) { 1589296341Sdelphij *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1590296341Sdelphij return 0; 1591296341Sdelphij } 1592296341Sdelphij /* Set flag to expect CertificateStatus message */ 1593296341Sdelphij s->tlsext_status_expected = 1; 1594296341Sdelphij } 1595296341Sdelphij# ifndef OPENSSL_NO_NEXTPROTONEG 1596296341Sdelphij else if (type == TLSEXT_TYPE_next_proto_neg && 1597296341Sdelphij s->s3->tmp.finish_md_len == 0) { 1598296341Sdelphij unsigned char *selected; 1599296341Sdelphij unsigned char selected_len; 1600238405Sjkim 1601296341Sdelphij /* We must have requested it. */ 1602296341Sdelphij if (s->ctx->next_proto_select_cb == NULL) { 1603296341Sdelphij *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1604296341Sdelphij return 0; 1605296341Sdelphij } 1606296341Sdelphij /* The data must be valid */ 1607296341Sdelphij if (!ssl_next_proto_validate(data, size)) { 1608296341Sdelphij *al = TLS1_AD_DECODE_ERROR; 1609296341Sdelphij return 0; 1610296341Sdelphij } 1611296341Sdelphij if (s-> 1612296341Sdelphij ctx->next_proto_select_cb(s, &selected, &selected_len, data, 1613296341Sdelphij size, 1614296341Sdelphij s->ctx->next_proto_select_cb_arg) != 1615296341Sdelphij SSL_TLSEXT_ERR_OK) { 1616296341Sdelphij *al = TLS1_AD_INTERNAL_ERROR; 1617296341Sdelphij return 0; 1618296341Sdelphij } 1619296341Sdelphij s->next_proto_negotiated = OPENSSL_malloc(selected_len); 1620296341Sdelphij if (!s->next_proto_negotiated) { 1621296341Sdelphij *al = TLS1_AD_INTERNAL_ERROR; 1622296341Sdelphij return 0; 1623296341Sdelphij } 1624296341Sdelphij memcpy(s->next_proto_negotiated, selected, selected_len); 1625296341Sdelphij s->next_proto_negotiated_len = selected_len; 1626296341Sdelphij s->s3->next_proto_neg_seen = 1; 1627296341Sdelphij } 1628296341Sdelphij# endif 1629296341Sdelphij else if (type == TLSEXT_TYPE_renegotiate) { 1630296341Sdelphij if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1631296341Sdelphij return 0; 1632296341Sdelphij renegotiate_seen = 1; 1633296341Sdelphij } 1634296341Sdelphij# ifndef OPENSSL_NO_HEARTBEATS 1635296341Sdelphij else if (type == TLSEXT_TYPE_heartbeat) { 1636296341Sdelphij switch (data[0]) { 1637296341Sdelphij case 0x01: /* Server allows us to send HB requests */ 1638296341Sdelphij s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1639296341Sdelphij break; 1640296341Sdelphij case 0x02: /* Server doesn't accept HB requests */ 1641296341Sdelphij s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1642296341Sdelphij s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1643296341Sdelphij break; 1644296341Sdelphij default: 1645296341Sdelphij *al = SSL_AD_ILLEGAL_PARAMETER; 1646296341Sdelphij return 0; 1647296341Sdelphij } 1648296341Sdelphij } 1649296341Sdelphij# endif 1650296341Sdelphij# ifndef OPENSSL_NO_SRTP 1651296341Sdelphij else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 1652296341Sdelphij if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al)) 1653296341Sdelphij return 0; 1654296341Sdelphij } 1655296341Sdelphij# endif 1656238405Sjkim 1657296341Sdelphij data += size; 1658296341Sdelphij } 1659194206Ssimon 1660296341Sdelphij if (data != d + n) { 1661296341Sdelphij *al = SSL_AD_DECODE_ERROR; 1662296341Sdelphij return 0; 1663296341Sdelphij } 1664194206Ssimon 1665296341Sdelphij if (!s->hit && tlsext_servername == 1) { 1666296341Sdelphij if (s->tlsext_hostname) { 1667296341Sdelphij if (s->session->tlsext_hostname == NULL) { 1668296341Sdelphij s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); 1669296341Sdelphij if (!s->session->tlsext_hostname) { 1670296341Sdelphij *al = SSL_AD_UNRECOGNIZED_NAME; 1671296341Sdelphij return 0; 1672296341Sdelphij } 1673296341Sdelphij } else { 1674296341Sdelphij *al = SSL_AD_DECODE_ERROR; 1675296341Sdelphij return 0; 1676296341Sdelphij } 1677296341Sdelphij } 1678296341Sdelphij } 1679194206Ssimon 1680296341Sdelphij *p = data; 1681205128Ssimon 1682296341Sdelphij ri_check: 1683205128Ssimon 1684296341Sdelphij /* 1685296341Sdelphij * Determine if we need to see RI. Strictly speaking if we want to avoid 1686296341Sdelphij * an attack we should *always* see RI even on initial server hello 1687296341Sdelphij * because the client doesn't see any renegotiation during an attack. 1688296341Sdelphij * However this would mean we could not connect to any server which 1689296341Sdelphij * doesn't support RI so for the immediate future tolerate RI absence on 1690296341Sdelphij * initial connect only. 1691296341Sdelphij */ 1692296341Sdelphij if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 1693296341Sdelphij && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 1694296341Sdelphij *al = SSL_AD_HANDSHAKE_FAILURE; 1695296341Sdelphij SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1696296341Sdelphij SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1697296341Sdelphij return 0; 1698296341Sdelphij } 1699205128Ssimon 1700296341Sdelphij return 1; 1701296341Sdelphij} 1702194206Ssimon 1703238405Sjkimint ssl_prepare_clienthello_tlsext(SSL *s) 1704296341Sdelphij{ 1705296341Sdelphij# ifndef OPENSSL_NO_EC 1706296341Sdelphij /* 1707296341Sdelphij * If we are client and using an elliptic curve cryptography cipher 1708296341Sdelphij * suite, send the point formats and elliptic curves we support. 1709296341Sdelphij */ 1710296341Sdelphij int using_ecc = 0; 1711296341Sdelphij int i; 1712296341Sdelphij unsigned char *j; 1713296341Sdelphij unsigned long alg_k, alg_a; 1714296341Sdelphij STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 1715238405Sjkim 1716296341Sdelphij for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { 1717296341Sdelphij SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 1718238405Sjkim 1719296341Sdelphij alg_k = c->algorithm_mkey; 1720296341Sdelphij alg_a = c->algorithm_auth; 1721296341Sdelphij if ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe) 1722296341Sdelphij || (alg_a & SSL_aECDSA))) { 1723296341Sdelphij using_ecc = 1; 1724296341Sdelphij break; 1725296341Sdelphij } 1726296341Sdelphij } 1727296341Sdelphij using_ecc = using_ecc && (s->version >= TLS1_VERSION); 1728296341Sdelphij if (using_ecc) { 1729296341Sdelphij if (s->tlsext_ecpointformatlist != NULL) 1730296341Sdelphij OPENSSL_free(s->tlsext_ecpointformatlist); 1731296341Sdelphij if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) { 1732296341Sdelphij SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, 1733296341Sdelphij ERR_R_MALLOC_FAILURE); 1734296341Sdelphij return -1; 1735296341Sdelphij } 1736296341Sdelphij s->tlsext_ecpointformatlist_length = 3; 1737296341Sdelphij s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1738296341Sdelphij s->tlsext_ecpointformatlist[1] = 1739296341Sdelphij TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1740296341Sdelphij s->tlsext_ecpointformatlist[2] = 1741296341Sdelphij TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1742238405Sjkim 1743296341Sdelphij /* we support all named elliptic curves in RFC 4492 */ 1744296341Sdelphij if (s->tlsext_ellipticcurvelist != NULL) 1745296341Sdelphij OPENSSL_free(s->tlsext_ellipticcurvelist); 1746296341Sdelphij s->tlsext_ellipticcurvelist_length = 1747296341Sdelphij sizeof(pref_list) / sizeof(pref_list[0]) * 2; 1748296341Sdelphij if ((s->tlsext_ellipticcurvelist = 1749296341Sdelphij OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) { 1750296341Sdelphij s->tlsext_ellipticcurvelist_length = 0; 1751296341Sdelphij SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, 1752296341Sdelphij ERR_R_MALLOC_FAILURE); 1753296341Sdelphij return -1; 1754296341Sdelphij } 1755296341Sdelphij for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < 1756296341Sdelphij sizeof(pref_list) / sizeof(pref_list[0]); i++) { 1757296341Sdelphij int id = tls1_ec_nid2curve_id(pref_list[i]); 1758296341Sdelphij s2n(id, j); 1759296341Sdelphij } 1760296341Sdelphij } 1761296341Sdelphij# endif /* OPENSSL_NO_EC */ 1762238405Sjkim 1763296341Sdelphij# ifdef TLSEXT_TYPE_opaque_prf_input 1764296341Sdelphij { 1765296341Sdelphij int r = 1; 1766238405Sjkim 1767296341Sdelphij if (s->ctx->tlsext_opaque_prf_input_callback != 0) { 1768296341Sdelphij r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, 1769296341Sdelphij s-> 1770296341Sdelphij ctx->tlsext_opaque_prf_input_callback_arg); 1771296341Sdelphij if (!r) 1772296341Sdelphij return -1; 1773296341Sdelphij } 1774238405Sjkim 1775296341Sdelphij if (s->tlsext_opaque_prf_input != NULL) { 1776296341Sdelphij if (s->s3->client_opaque_prf_input != NULL) { 1777296341Sdelphij /* shouldn't really happen */ 1778296341Sdelphij OPENSSL_free(s->s3->client_opaque_prf_input); 1779296341Sdelphij } 1780238405Sjkim 1781296341Sdelphij if (s->tlsext_opaque_prf_input_len == 0) { 1782296341Sdelphij /* dummy byte just to get non-NULL */ 1783296341Sdelphij s->s3->client_opaque_prf_input = OPENSSL_malloc(1); 1784296341Sdelphij } else { 1785296341Sdelphij s->s3->client_opaque_prf_input = 1786296341Sdelphij BUF_memdup(s->tlsext_opaque_prf_input, 1787296341Sdelphij s->tlsext_opaque_prf_input_len); 1788296341Sdelphij } 1789296341Sdelphij if (s->s3->client_opaque_prf_input == NULL) { 1790296341Sdelphij SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, 1791296341Sdelphij ERR_R_MALLOC_FAILURE); 1792296341Sdelphij return -1; 1793296341Sdelphij } 1794296341Sdelphij s->s3->client_opaque_prf_input_len = 1795296341Sdelphij s->tlsext_opaque_prf_input_len; 1796296341Sdelphij } 1797238405Sjkim 1798296341Sdelphij if (r == 2) 1799296341Sdelphij /* 1800296341Sdelphij * at callback's request, insist on receiving an appropriate 1801296341Sdelphij * server opaque PRF input 1802296341Sdelphij */ 1803296341Sdelphij s->s3->server_opaque_prf_input_len = 1804296341Sdelphij s->tlsext_opaque_prf_input_len; 1805296341Sdelphij } 1806296341Sdelphij# endif 1807238405Sjkim 1808296341Sdelphij return 1; 1809296341Sdelphij} 1810296341Sdelphij 1811238405Sjkimint ssl_prepare_serverhello_tlsext(SSL *s) 1812296341Sdelphij{ 1813296341Sdelphij# ifndef OPENSSL_NO_EC 1814296341Sdelphij /* 1815296341Sdelphij * If we are server and using an ECC cipher suite, send the point formats 1816296341Sdelphij * we support if the client sent us an ECPointsFormat extension. Note 1817296341Sdelphij * that the server is not supposed to send an EllipticCurves extension. 1818296341Sdelphij */ 1819238405Sjkim 1820296341Sdelphij unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1821296341Sdelphij unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1822296341Sdelphij int using_ecc = (alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)) 1823296341Sdelphij || (alg_a & SSL_aECDSA); 1824296341Sdelphij using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); 1825238405Sjkim 1826296341Sdelphij if (using_ecc) { 1827296341Sdelphij if (s->tlsext_ecpointformatlist != NULL) 1828296341Sdelphij OPENSSL_free(s->tlsext_ecpointformatlist); 1829296341Sdelphij if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) { 1830296341Sdelphij SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT, 1831296341Sdelphij ERR_R_MALLOC_FAILURE); 1832296341Sdelphij return -1; 1833296341Sdelphij } 1834296341Sdelphij s->tlsext_ecpointformatlist_length = 3; 1835296341Sdelphij s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1836296341Sdelphij s->tlsext_ecpointformatlist[1] = 1837296341Sdelphij TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1838296341Sdelphij s->tlsext_ecpointformatlist[2] = 1839296341Sdelphij TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1840296341Sdelphij } 1841296341Sdelphij# endif /* OPENSSL_NO_EC */ 1842238405Sjkim 1843296341Sdelphij return 1; 1844296341Sdelphij} 1845296341Sdelphij 1846246772Sjkimint ssl_check_clienthello_tlsext_early(SSL *s) 1847296341Sdelphij{ 1848296341Sdelphij int ret = SSL_TLSEXT_ERR_NOACK; 1849296341Sdelphij int al = SSL_AD_UNRECOGNIZED_NAME; 1850194206Ssimon 1851296341Sdelphij# ifndef OPENSSL_NO_EC 1852296341Sdelphij /* 1853296341Sdelphij * The handling of the ECPointFormats extension is done elsewhere, namely 1854296341Sdelphij * in ssl3_choose_cipher in s3_lib.c. 1855296341Sdelphij */ 1856296341Sdelphij /* 1857296341Sdelphij * The handling of the EllipticCurves extension is done elsewhere, namely 1858296341Sdelphij * in ssl3_choose_cipher in s3_lib.c. 1859296341Sdelphij */ 1860296341Sdelphij# endif 1861238405Sjkim 1862296341Sdelphij if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1863296341Sdelphij ret = 1864296341Sdelphij s->ctx->tlsext_servername_callback(s, &al, 1865296341Sdelphij s->ctx->tlsext_servername_arg); 1866296341Sdelphij else if (s->initial_ctx != NULL 1867296341Sdelphij && s->initial_ctx->tlsext_servername_callback != 0) 1868296341Sdelphij ret = 1869296341Sdelphij s->initial_ctx->tlsext_servername_callback(s, &al, 1870296341Sdelphij s-> 1871296341Sdelphij initial_ctx->tlsext_servername_arg); 1872194206Ssimon 1873296341Sdelphij# ifdef TLSEXT_TYPE_opaque_prf_input 1874296341Sdelphij { 1875296341Sdelphij /* 1876296341Sdelphij * This sort of belongs into ssl_prepare_serverhello_tlsext(), but we 1877296341Sdelphij * might be sending an alert in response to the client hello, so this 1878296341Sdelphij * has to happen here in ssl_check_clienthello_tlsext_early(). 1879296341Sdelphij */ 1880238405Sjkim 1881296341Sdelphij int r = 1; 1882238405Sjkim 1883296341Sdelphij if (s->ctx->tlsext_opaque_prf_input_callback != 0) { 1884296341Sdelphij r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, 1885296341Sdelphij s-> 1886296341Sdelphij ctx->tlsext_opaque_prf_input_callback_arg); 1887296341Sdelphij if (!r) { 1888296341Sdelphij ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1889296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 1890296341Sdelphij goto err; 1891296341Sdelphij } 1892296341Sdelphij } 1893238405Sjkim 1894296341Sdelphij if (s->s3->server_opaque_prf_input != NULL) { 1895296341Sdelphij /* shouldn't really happen */ 1896296341Sdelphij OPENSSL_free(s->s3->server_opaque_prf_input); 1897296341Sdelphij } 1898296341Sdelphij s->s3->server_opaque_prf_input = NULL; 1899238405Sjkim 1900296341Sdelphij if (s->tlsext_opaque_prf_input != NULL) { 1901296341Sdelphij if (s->s3->client_opaque_prf_input != NULL && 1902296341Sdelphij s->s3->client_opaque_prf_input_len == 1903296341Sdelphij s->tlsext_opaque_prf_input_len) { 1904296341Sdelphij /* 1905296341Sdelphij * can only use this extension if we have a server opaque PRF 1906296341Sdelphij * input of the same length as the client opaque PRF input! 1907296341Sdelphij */ 1908238405Sjkim 1909296341Sdelphij if (s->tlsext_opaque_prf_input_len == 0) { 1910296341Sdelphij /* dummy byte just to get non-NULL */ 1911296341Sdelphij s->s3->server_opaque_prf_input = OPENSSL_malloc(1); 1912296341Sdelphij } else { 1913296341Sdelphij s->s3->server_opaque_prf_input = 1914296341Sdelphij BUF_memdup(s->tlsext_opaque_prf_input, 1915296341Sdelphij s->tlsext_opaque_prf_input_len); 1916296341Sdelphij } 1917296341Sdelphij if (s->s3->server_opaque_prf_input == NULL) { 1918296341Sdelphij ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1919296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 1920296341Sdelphij goto err; 1921296341Sdelphij } 1922296341Sdelphij s->s3->server_opaque_prf_input_len = 1923296341Sdelphij s->tlsext_opaque_prf_input_len; 1924296341Sdelphij } 1925296341Sdelphij } 1926238405Sjkim 1927296341Sdelphij if (r == 2 && s->s3->server_opaque_prf_input == NULL) { 1928296341Sdelphij /* 1929296341Sdelphij * The callback wants to enforce use of the extension, but we 1930296341Sdelphij * can't do that with the client opaque PRF input; abort the 1931296341Sdelphij * handshake. 1932296341Sdelphij */ 1933296341Sdelphij ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1934296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 1935296341Sdelphij } 1936296341Sdelphij } 1937296341Sdelphij 1938246772Sjkim err: 1939296341Sdelphij# endif 1940296341Sdelphij switch (ret) { 1941296341Sdelphij case SSL_TLSEXT_ERR_ALERT_FATAL: 1942296341Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 1943296341Sdelphij return -1; 1944194206Ssimon 1945296341Sdelphij case SSL_TLSEXT_ERR_ALERT_WARNING: 1946296341Sdelphij ssl3_send_alert(s, SSL3_AL_WARNING, al); 1947296341Sdelphij return 1; 1948194206Ssimon 1949296341Sdelphij case SSL_TLSEXT_ERR_NOACK: 1950296341Sdelphij s->servername_done = 0; 1951296341Sdelphij default: 1952296341Sdelphij return 1; 1953296341Sdelphij } 1954296341Sdelphij} 1955296341Sdelphij 1956246772Sjkimint ssl_check_clienthello_tlsext_late(SSL *s) 1957296341Sdelphij{ 1958296341Sdelphij int ret = SSL_TLSEXT_ERR_OK; 1959296341Sdelphij int al; 1960246772Sjkim 1961296341Sdelphij /* 1962296341Sdelphij * If status request then ask callback what to do. Note: this must be 1963296341Sdelphij * called after servername callbacks in case the certificate has 1964296341Sdelphij * changed, and must be called after the cipher has been chosen because 1965296341Sdelphij * this may influence which certificate is sent 1966296341Sdelphij */ 1967296341Sdelphij if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) { 1968296341Sdelphij int r; 1969296341Sdelphij CERT_PKEY *certpkey; 1970296341Sdelphij certpkey = ssl_get_server_send_pkey(s); 1971296341Sdelphij /* If no certificate can't return certificate status */ 1972296341Sdelphij if (certpkey == NULL) { 1973296341Sdelphij s->tlsext_status_expected = 0; 1974296341Sdelphij return 1; 1975296341Sdelphij } 1976296341Sdelphij /* 1977296341Sdelphij * Set current certificate to one we will use so SSL_get_certificate 1978296341Sdelphij * et al can pick it up. 1979296341Sdelphij */ 1980296341Sdelphij s->cert->key = certpkey; 1981296341Sdelphij r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1982296341Sdelphij switch (r) { 1983296341Sdelphij /* We don't want to send a status request response */ 1984296341Sdelphij case SSL_TLSEXT_ERR_NOACK: 1985296341Sdelphij s->tlsext_status_expected = 0; 1986296341Sdelphij break; 1987296341Sdelphij /* status request response should be sent */ 1988296341Sdelphij case SSL_TLSEXT_ERR_OK: 1989296341Sdelphij if (s->tlsext_ocsp_resp) 1990296341Sdelphij s->tlsext_status_expected = 1; 1991296341Sdelphij else 1992296341Sdelphij s->tlsext_status_expected = 0; 1993296341Sdelphij break; 1994296341Sdelphij /* something bad happened */ 1995296341Sdelphij case SSL_TLSEXT_ERR_ALERT_FATAL: 1996296341Sdelphij ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1997296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 1998296341Sdelphij goto err; 1999296341Sdelphij } 2000296341Sdelphij } else 2001296341Sdelphij s->tlsext_status_expected = 0; 2002246772Sjkim 2003246772Sjkim err: 2004296341Sdelphij switch (ret) { 2005296341Sdelphij case SSL_TLSEXT_ERR_ALERT_FATAL: 2006296341Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 2007296341Sdelphij return -1; 2008246772Sjkim 2009296341Sdelphij case SSL_TLSEXT_ERR_ALERT_WARNING: 2010296341Sdelphij ssl3_send_alert(s, SSL3_AL_WARNING, al); 2011296341Sdelphij return 1; 2012246772Sjkim 2013296341Sdelphij default: 2014296341Sdelphij return 1; 2015296341Sdelphij } 2016296341Sdelphij} 2017246772Sjkim 2018194206Ssimonint ssl_check_serverhello_tlsext(SSL *s) 2019296341Sdelphij{ 2020296341Sdelphij int ret = SSL_TLSEXT_ERR_NOACK; 2021296341Sdelphij int al = SSL_AD_UNRECOGNIZED_NAME; 2022194206Ssimon 2023296341Sdelphij# ifndef OPENSSL_NO_EC 2024296341Sdelphij /* 2025296341Sdelphij * If we are client and using an elliptic curve cryptography cipher 2026296341Sdelphij * suite, then if server returns an EC point formats lists extension it 2027296341Sdelphij * must contain uncompressed. 2028296341Sdelphij */ 2029296341Sdelphij unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2030296341Sdelphij unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2031296341Sdelphij if ((s->tlsext_ecpointformatlist != NULL) 2032296341Sdelphij && (s->tlsext_ecpointformatlist_length > 0) 2033296341Sdelphij && (s->session->tlsext_ecpointformatlist != NULL) 2034296341Sdelphij && (s->session->tlsext_ecpointformatlist_length > 0) 2035296341Sdelphij && ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)) 2036296341Sdelphij || (alg_a & SSL_aECDSA))) { 2037296341Sdelphij /* we are using an ECC cipher */ 2038296341Sdelphij size_t i; 2039296341Sdelphij unsigned char *list; 2040296341Sdelphij int found_uncompressed = 0; 2041296341Sdelphij list = s->session->tlsext_ecpointformatlist; 2042296341Sdelphij for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { 2043296341Sdelphij if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { 2044296341Sdelphij found_uncompressed = 1; 2045296341Sdelphij break; 2046296341Sdelphij } 2047296341Sdelphij } 2048296341Sdelphij if (!found_uncompressed) { 2049296341Sdelphij SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, 2050296341Sdelphij SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 2051296341Sdelphij return -1; 2052296341Sdelphij } 2053296341Sdelphij } 2054296341Sdelphij ret = SSL_TLSEXT_ERR_OK; 2055296341Sdelphij# endif /* OPENSSL_NO_EC */ 2056238405Sjkim 2057296341Sdelphij if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 2058296341Sdelphij ret = 2059296341Sdelphij s->ctx->tlsext_servername_callback(s, &al, 2060296341Sdelphij s->ctx->tlsext_servername_arg); 2061296341Sdelphij else if (s->initial_ctx != NULL 2062296341Sdelphij && s->initial_ctx->tlsext_servername_callback != 0) 2063296341Sdelphij ret = 2064296341Sdelphij s->initial_ctx->tlsext_servername_callback(s, &al, 2065296341Sdelphij s-> 2066296341Sdelphij initial_ctx->tlsext_servername_arg); 2067194206Ssimon 2068296341Sdelphij# ifdef TLSEXT_TYPE_opaque_prf_input 2069296341Sdelphij if (s->s3->server_opaque_prf_input_len > 0) { 2070296341Sdelphij /* 2071296341Sdelphij * This case may indicate that we, as a client, want to insist on 2072296341Sdelphij * using opaque PRF inputs. So first verify that we really have a 2073296341Sdelphij * value from the server too. 2074296341Sdelphij */ 2075238405Sjkim 2076296341Sdelphij if (s->s3->server_opaque_prf_input == NULL) { 2077296341Sdelphij ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2078296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 2079296341Sdelphij } 2080238405Sjkim 2081296341Sdelphij /* 2082296341Sdelphij * Anytime the server *has* sent an opaque PRF input, we need to 2083296341Sdelphij * check that we have a client opaque PRF input of the same size. 2084296341Sdelphij */ 2085296341Sdelphij if (s->s3->client_opaque_prf_input == NULL || 2086296341Sdelphij s->s3->client_opaque_prf_input_len != 2087296341Sdelphij s->s3->server_opaque_prf_input_len) { 2088296341Sdelphij ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2089296341Sdelphij al = SSL_AD_ILLEGAL_PARAMETER; 2090296341Sdelphij } 2091296341Sdelphij } 2092296341Sdelphij# endif 2093194206Ssimon 2094296341Sdelphij /* 2095296341Sdelphij * If we've requested certificate status and we wont get one tell the 2096296341Sdelphij * callback 2097296341Sdelphij */ 2098296341Sdelphij if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 2099296341Sdelphij && s->ctx && s->ctx->tlsext_status_cb) { 2100296341Sdelphij int r; 2101296341Sdelphij /* 2102296341Sdelphij * Set resp to NULL, resplen to -1 so callback knows there is no 2103296341Sdelphij * response. 2104296341Sdelphij */ 2105296341Sdelphij if (s->tlsext_ocsp_resp) { 2106296341Sdelphij OPENSSL_free(s->tlsext_ocsp_resp); 2107296341Sdelphij s->tlsext_ocsp_resp = NULL; 2108296341Sdelphij } 2109296341Sdelphij s->tlsext_ocsp_resplen = -1; 2110296341Sdelphij r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2111296341Sdelphij if (r == 0) { 2112296341Sdelphij al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2113296341Sdelphij ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2114296341Sdelphij } 2115296341Sdelphij if (r < 0) { 2116296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 2117296341Sdelphij ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2118296341Sdelphij } 2119296341Sdelphij } 2120194206Ssimon 2121296341Sdelphij switch (ret) { 2122296341Sdelphij case SSL_TLSEXT_ERR_ALERT_FATAL: 2123296341Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 2124296341Sdelphij return -1; 2125194206Ssimon 2126296341Sdelphij case SSL_TLSEXT_ERR_ALERT_WARNING: 2127296341Sdelphij ssl3_send_alert(s, SSL3_AL_WARNING, al); 2128296341Sdelphij return 1; 2129296341Sdelphij 2130296341Sdelphij case SSL_TLSEXT_ERR_NOACK: 2131296341Sdelphij s->servername_done = 0; 2132296341Sdelphij default: 2133296341Sdelphij return 1; 2134296341Sdelphij } 2135296341Sdelphij} 2136296341Sdelphij 2137296341Sdelphij/*- 2138296341Sdelphij * Since the server cache lookup is done early on in the processing of the 2139238405Sjkim * ClientHello, and other operations depend on the result, we need to handle 2140238405Sjkim * any TLS session ticket extension at the same time. 2141238405Sjkim * 2142238405Sjkim * session_id: points at the session ID in the ClientHello. This code will 2143238405Sjkim * read past the end of this in order to parse out the session ticket 2144238405Sjkim * extension, if any. 2145238405Sjkim * len: the length of the session ID. 2146238405Sjkim * limit: a pointer to the first byte after the ClientHello. 2147238405Sjkim * ret: (output) on return, if a ticket was decrypted, then this is set to 2148238405Sjkim * point to the resulting session. 2149238405Sjkim * 2150238405Sjkim * If s->tls_session_secret_cb is set then we are expecting a pre-shared key 2151238405Sjkim * ciphersuite, in which case we have no use for session tickets and one will 2152238405Sjkim * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. 2153238405Sjkim * 2154238405Sjkim * Returns: 2155238405Sjkim * -1: fatal error, either from parsing or decrypting the ticket. 2156238405Sjkim * 0: no ticket was found (or was ignored, based on settings). 2157238405Sjkim * 1: a zero length extension was found, indicating that the client supports 2158238405Sjkim * session tickets but doesn't currently have one to offer. 2159238405Sjkim * 2: either s->tls_session_secret_cb was set, or a ticket was offered but 2160238405Sjkim * couldn't be decrypted because of a non-fatal error. 2161238405Sjkim * 3: a ticket was successfully decrypted and *ret was set. 2162238405Sjkim * 2163238405Sjkim * Side effects: 2164238405Sjkim * Sets s->tlsext_ticket_expected to 1 if the server will have to issue 2165238405Sjkim * a new session ticket to the client because the client indicated support 2166238405Sjkim * (and s->tls_session_secret_cb is NULL) but the client either doesn't have 2167238405Sjkim * a session ticket or we couldn't use the one it gave us, or if 2168238405Sjkim * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2169238405Sjkim * Otherwise, s->tlsext_ticket_expected is set to 0. 2170194206Ssimon */ 2171194206Ssimonint tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 2172296341Sdelphij const unsigned char *limit, SSL_SESSION **ret) 2173296341Sdelphij{ 2174296341Sdelphij /* Point after session ID in client hello */ 2175296341Sdelphij const unsigned char *p = session_id + len; 2176296341Sdelphij unsigned short i; 2177194206Ssimon 2178296341Sdelphij *ret = NULL; 2179296341Sdelphij s->tlsext_ticket_expected = 0; 2180238405Sjkim 2181296341Sdelphij /* 2182296341Sdelphij * If tickets disabled behave as if no ticket present to permit stateful 2183296341Sdelphij * resumption. 2184296341Sdelphij */ 2185296341Sdelphij if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2186296341Sdelphij return 0; 2187296341Sdelphij if ((s->version <= SSL3_VERSION) || !limit) 2188296341Sdelphij return 0; 2189296341Sdelphij if (p >= limit) 2190296341Sdelphij return -1; 2191296341Sdelphij /* Skip past DTLS cookie */ 2192296341Sdelphij if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { 2193296341Sdelphij i = *(p++); 2194306230Sdelphij 2195306230Sdelphij if (limit - p <= i) 2196306230Sdelphij return -1; 2197306230Sdelphij 2198296341Sdelphij p += i; 2199296341Sdelphij } 2200296341Sdelphij /* Skip past cipher list */ 2201296341Sdelphij n2s(p, i); 2202306230Sdelphij if (limit - p <= i) 2203306230Sdelphij return -1; 2204296341Sdelphij p += i; 2205306230Sdelphij 2206296341Sdelphij /* Skip past compression algorithm list */ 2207296341Sdelphij i = *(p++); 2208306230Sdelphij if (limit - p < i) 2209306230Sdelphij return -1; 2210296341Sdelphij p += i; 2211306230Sdelphij 2212296341Sdelphij /* Now at start of extensions */ 2213306230Sdelphij if (limit - p <= 2) 2214296341Sdelphij return 0; 2215296341Sdelphij n2s(p, i); 2216306230Sdelphij while (limit - p >= 4) { 2217296341Sdelphij unsigned short type, size; 2218296341Sdelphij n2s(p, type); 2219296341Sdelphij n2s(p, size); 2220306230Sdelphij if (limit - p < size) 2221296341Sdelphij return 0; 2222296341Sdelphij if (type == TLSEXT_TYPE_session_ticket) { 2223296341Sdelphij int r; 2224296341Sdelphij if (size == 0) { 2225296341Sdelphij /* 2226296341Sdelphij * The client will accept a ticket but doesn't currently have 2227296341Sdelphij * one. 2228296341Sdelphij */ 2229296341Sdelphij s->tlsext_ticket_expected = 1; 2230296341Sdelphij return 1; 2231296341Sdelphij } 2232296341Sdelphij if (s->tls_session_secret_cb) { 2233296341Sdelphij /* 2234296341Sdelphij * Indicate that the ticket couldn't be decrypted rather than 2235296341Sdelphij * generating the session from ticket now, trigger 2236296341Sdelphij * abbreviated handshake based on external mechanism to 2237296341Sdelphij * calculate the master secret later. 2238296341Sdelphij */ 2239296341Sdelphij return 2; 2240296341Sdelphij } 2241296341Sdelphij r = tls_decrypt_ticket(s, p, size, session_id, len, ret); 2242296341Sdelphij switch (r) { 2243296341Sdelphij case 2: /* ticket couldn't be decrypted */ 2244296341Sdelphij s->tlsext_ticket_expected = 1; 2245296341Sdelphij return 2; 2246296341Sdelphij case 3: /* ticket was decrypted */ 2247296341Sdelphij return r; 2248296341Sdelphij case 4: /* ticket decrypted but need to renew */ 2249296341Sdelphij s->tlsext_ticket_expected = 1; 2250296341Sdelphij return 3; 2251296341Sdelphij default: /* fatal error */ 2252296341Sdelphij return -1; 2253296341Sdelphij } 2254296341Sdelphij } 2255296341Sdelphij p += size; 2256296341Sdelphij } 2257296341Sdelphij return 0; 2258296341Sdelphij} 2259194206Ssimon 2260296341Sdelphij/*- 2261296341Sdelphij * tls_decrypt_ticket attempts to decrypt a session ticket. 2262238405Sjkim * 2263238405Sjkim * etick: points to the body of the session ticket extension. 2264238405Sjkim * eticklen: the length of the session tickets extenion. 2265238405Sjkim * sess_id: points at the session ID. 2266238405Sjkim * sesslen: the length of the session ID. 2267238405Sjkim * psess: (output) on return, if a ticket was decrypted, then this is set to 2268238405Sjkim * point to the resulting session. 2269238405Sjkim * 2270238405Sjkim * Returns: 2271238405Sjkim * -1: fatal error, either from parsing or decrypting the ticket. 2272238405Sjkim * 2: the ticket couldn't be decrypted. 2273238405Sjkim * 3: a ticket was successfully decrypted and *psess was set. 2274238405Sjkim * 4: same as 3, but the ticket needs to be renewed. 2275238405Sjkim */ 2276296341Sdelphijstatic int tls_decrypt_ticket(SSL *s, const unsigned char *etick, 2277296341Sdelphij int eticklen, const unsigned char *sess_id, 2278296341Sdelphij int sesslen, SSL_SESSION **psess) 2279296341Sdelphij{ 2280296341Sdelphij SSL_SESSION *sess; 2281296341Sdelphij unsigned char *sdec; 2282296341Sdelphij const unsigned char *p; 2283296341Sdelphij int slen, mlen, renew_ticket = 0; 2284296341Sdelphij unsigned char tick_hmac[EVP_MAX_MD_SIZE]; 2285296341Sdelphij HMAC_CTX hctx; 2286296341Sdelphij EVP_CIPHER_CTX ctx; 2287296341Sdelphij SSL_CTX *tctx = s->initial_ctx; 2288306230Sdelphij 2289296341Sdelphij /* Initialize session ticket encryption and HMAC contexts */ 2290296341Sdelphij HMAC_CTX_init(&hctx); 2291296341Sdelphij EVP_CIPHER_CTX_init(&ctx); 2292296341Sdelphij if (tctx->tlsext_ticket_key_cb) { 2293296341Sdelphij unsigned char *nctick = (unsigned char *)etick; 2294296341Sdelphij int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2295296341Sdelphij &ctx, &hctx, 0); 2296296341Sdelphij if (rv < 0) 2297296341Sdelphij return -1; 2298296341Sdelphij if (rv == 0) 2299296341Sdelphij return 2; 2300296341Sdelphij if (rv == 2) 2301296341Sdelphij renew_ticket = 1; 2302296341Sdelphij } else { 2303296341Sdelphij /* Check key name matches */ 2304296341Sdelphij if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2305296341Sdelphij return 2; 2306296341Sdelphij HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2307296341Sdelphij tlsext_tick_md(), NULL); 2308296341Sdelphij EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2309296341Sdelphij tctx->tlsext_tick_aes_key, etick + 16); 2310296341Sdelphij } 2311296341Sdelphij /* 2312296341Sdelphij * Attempt to process session ticket, first conduct sanity and integrity 2313296341Sdelphij * checks on ticket. 2314296341Sdelphij */ 2315296341Sdelphij mlen = HMAC_size(&hctx); 2316296341Sdelphij if (mlen < 0) { 2317296341Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 2318296341Sdelphij return -1; 2319296341Sdelphij } 2320306230Sdelphij /* Sanity check ticket length: must exceed keyname + IV + HMAC */ 2321306230Sdelphij if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) { 2322306230Sdelphij HMAC_CTX_cleanup(&hctx); 2323306230Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 2324306230Sdelphij return 2; 2325306230Sdelphij } 2326306230Sdelphij 2327296341Sdelphij eticklen -= mlen; 2328296341Sdelphij /* Check HMAC of encrypted ticket */ 2329296341Sdelphij HMAC_Update(&hctx, etick, eticklen); 2330296341Sdelphij HMAC_Final(&hctx, tick_hmac, NULL); 2331296341Sdelphij HMAC_CTX_cleanup(&hctx); 2332296341Sdelphij if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { 2333296341Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 2334296341Sdelphij return 2; 2335296341Sdelphij } 2336296341Sdelphij /* Attempt to decrypt session data */ 2337296341Sdelphij /* Move p after IV to start of encrypted ticket, update length */ 2338296341Sdelphij p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2339296341Sdelphij eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2340296341Sdelphij sdec = OPENSSL_malloc(eticklen); 2341296341Sdelphij if (!sdec) { 2342296341Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 2343296341Sdelphij return -1; 2344296341Sdelphij } 2345296341Sdelphij EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2346296341Sdelphij if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) { 2347296341Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 2348296341Sdelphij OPENSSL_free(sdec); 2349296341Sdelphij return 2; 2350296341Sdelphij } 2351296341Sdelphij slen += mlen; 2352296341Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 2353296341Sdelphij p = sdec; 2354238405Sjkim 2355296341Sdelphij sess = d2i_SSL_SESSION(NULL, &p, slen); 2356296341Sdelphij OPENSSL_free(sdec); 2357296341Sdelphij if (sess) { 2358296341Sdelphij /* 2359296341Sdelphij * The session ID, if non-empty, is used by some clients to detect 2360296341Sdelphij * that the ticket has been accepted. So we copy it to the session 2361296341Sdelphij * structure. If it is empty set length to zero as required by 2362296341Sdelphij * standard. 2363296341Sdelphij */ 2364296341Sdelphij if (sesslen) 2365296341Sdelphij memcpy(sess->session_id, sess_id, sesslen); 2366296341Sdelphij sess->session_id_length = sesslen; 2367296341Sdelphij *psess = sess; 2368296341Sdelphij if (renew_ticket) 2369296341Sdelphij return 4; 2370296341Sdelphij else 2371296341Sdelphij return 3; 2372296341Sdelphij } 2373296341Sdelphij ERR_clear_error(); 2374296341Sdelphij /* 2375296341Sdelphij * For session parse failure, indicate that we need to send a new ticket. 2376296341Sdelphij */ 2377296341Sdelphij return 2; 2378296341Sdelphij} 2379238405Sjkim 2380238405Sjkim/* Tables to translate from NIDs to TLS v1.2 ids */ 2381238405Sjkim 2382296341Sdelphijtypedef struct { 2383296341Sdelphij int nid; 2384296341Sdelphij int id; 2385296341Sdelphij} tls12_lookup; 2386238405Sjkim 2387238405Sjkimstatic tls12_lookup tls12_md[] = { 2388296341Sdelphij# ifndef OPENSSL_NO_MD5 2389296341Sdelphij {NID_md5, TLSEXT_hash_md5}, 2390296341Sdelphij# endif 2391296341Sdelphij# ifndef OPENSSL_NO_SHA 2392296341Sdelphij {NID_sha1, TLSEXT_hash_sha1}, 2393296341Sdelphij# endif 2394296341Sdelphij# ifndef OPENSSL_NO_SHA256 2395296341Sdelphij {NID_sha224, TLSEXT_hash_sha224}, 2396296341Sdelphij {NID_sha256, TLSEXT_hash_sha256}, 2397296341Sdelphij# endif 2398296341Sdelphij# ifndef OPENSSL_NO_SHA512 2399296341Sdelphij {NID_sha384, TLSEXT_hash_sha384}, 2400296341Sdelphij {NID_sha512, TLSEXT_hash_sha512} 2401296341Sdelphij# endif 2402238405Sjkim}; 2403238405Sjkim 2404238405Sjkimstatic tls12_lookup tls12_sig[] = { 2405296341Sdelphij# ifndef OPENSSL_NO_RSA 2406296341Sdelphij {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2407296341Sdelphij# endif 2408296341Sdelphij# ifndef OPENSSL_NO_DSA 2409296341Sdelphij {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2410296341Sdelphij# endif 2411296341Sdelphij# ifndef OPENSSL_NO_ECDSA 2412296341Sdelphij {EVP_PKEY_EC, TLSEXT_signature_ecdsa} 2413296341Sdelphij# endif 2414238405Sjkim}; 2415238405Sjkim 2416238405Sjkimstatic int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2417296341Sdelphij{ 2418296341Sdelphij size_t i; 2419296341Sdelphij for (i = 0; i < tlen; i++) { 2420296341Sdelphij if (table[i].nid == nid) 2421296341Sdelphij return table[i].id; 2422296341Sdelphij } 2423296341Sdelphij return -1; 2424296341Sdelphij} 2425296341Sdelphij 2426296341Sdelphij# if 0 2427238405Sjkimstatic int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) 2428296341Sdelphij{ 2429296341Sdelphij size_t i; 2430296341Sdelphij for (i = 0; i < tlen; i++) { 2431296341Sdelphij if (table[i].id == id) 2432296341Sdelphij return table[i].nid; 2433296341Sdelphij } 2434296341Sdelphij return -1; 2435296341Sdelphij} 2436296341Sdelphij# endif 2437238405Sjkim 2438296341Sdelphijint tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, 2439296341Sdelphij const EVP_MD *md) 2440296341Sdelphij{ 2441296341Sdelphij int sig_id, md_id; 2442296341Sdelphij if (!md) 2443296341Sdelphij return 0; 2444296341Sdelphij md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2445296341Sdelphij sizeof(tls12_md) / sizeof(tls12_lookup)); 2446296341Sdelphij if (md_id == -1) 2447296341Sdelphij return 0; 2448296341Sdelphij sig_id = tls12_get_sigid(pk); 2449296341Sdelphij if (sig_id == -1) 2450296341Sdelphij return 0; 2451296341Sdelphij p[0] = (unsigned char)md_id; 2452296341Sdelphij p[1] = (unsigned char)sig_id; 2453296341Sdelphij return 1; 2454296341Sdelphij} 2455238405Sjkim 2456238405Sjkimint tls12_get_sigid(const EVP_PKEY *pk) 2457296341Sdelphij{ 2458296341Sdelphij return tls12_find_id(pk->type, tls12_sig, 2459296341Sdelphij sizeof(tls12_sig) / sizeof(tls12_lookup)); 2460296341Sdelphij} 2461238405Sjkim 2462238405Sjkimconst EVP_MD *tls12_get_hash(unsigned char hash_alg) 2463296341Sdelphij{ 2464296341Sdelphij switch (hash_alg) { 2465296341Sdelphij# ifndef OPENSSL_NO_SHA 2466296341Sdelphij case TLSEXT_hash_sha1: 2467296341Sdelphij return EVP_sha1(); 2468296341Sdelphij# endif 2469296341Sdelphij# ifndef OPENSSL_NO_SHA256 2470296341Sdelphij case TLSEXT_hash_sha224: 2471296341Sdelphij return EVP_sha224(); 2472238405Sjkim 2473296341Sdelphij case TLSEXT_hash_sha256: 2474296341Sdelphij return EVP_sha256(); 2475296341Sdelphij# endif 2476296341Sdelphij# ifndef OPENSSL_NO_SHA512 2477296341Sdelphij case TLSEXT_hash_sha384: 2478296341Sdelphij return EVP_sha384(); 2479238405Sjkim 2480296341Sdelphij case TLSEXT_hash_sha512: 2481296341Sdelphij return EVP_sha512(); 2482296341Sdelphij# endif 2483296341Sdelphij default: 2484296341Sdelphij return NULL; 2485238405Sjkim 2486296341Sdelphij } 2487296341Sdelphij} 2488238405Sjkim 2489238405Sjkim/* Set preferred digest for each key type */ 2490238405Sjkim 2491238405Sjkimint tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2492296341Sdelphij{ 2493296341Sdelphij int i, idx; 2494296341Sdelphij const EVP_MD *md; 2495296341Sdelphij CERT *c = s->cert; 2496296341Sdelphij /* Extension ignored for TLS versions below 1.2 */ 2497296341Sdelphij if (TLS1_get_version(s) < TLS1_2_VERSION) 2498296341Sdelphij return 1; 2499296341Sdelphij /* Should never happen */ 2500296341Sdelphij if (!c) 2501296341Sdelphij return 0; 2502238405Sjkim 2503296341Sdelphij c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 2504296341Sdelphij c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2505296341Sdelphij c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2506296341Sdelphij c->pkeys[SSL_PKEY_ECC].digest = NULL; 2507238405Sjkim 2508296341Sdelphij for (i = 0; i < dsize; i += 2) { 2509296341Sdelphij unsigned char hash_alg = data[i], sig_alg = data[i + 1]; 2510238405Sjkim 2511296341Sdelphij switch (sig_alg) { 2512296341Sdelphij# ifndef OPENSSL_NO_RSA 2513296341Sdelphij case TLSEXT_signature_rsa: 2514296341Sdelphij idx = SSL_PKEY_RSA_SIGN; 2515296341Sdelphij break; 2516296341Sdelphij# endif 2517296341Sdelphij# ifndef OPENSSL_NO_DSA 2518296341Sdelphij case TLSEXT_signature_dsa: 2519296341Sdelphij idx = SSL_PKEY_DSA_SIGN; 2520296341Sdelphij break; 2521296341Sdelphij# endif 2522296341Sdelphij# ifndef OPENSSL_NO_ECDSA 2523296341Sdelphij case TLSEXT_signature_ecdsa: 2524296341Sdelphij idx = SSL_PKEY_ECC; 2525296341Sdelphij break; 2526296341Sdelphij# endif 2527296341Sdelphij default: 2528296341Sdelphij continue; 2529296341Sdelphij } 2530238405Sjkim 2531296341Sdelphij if (c->pkeys[idx].digest == NULL) { 2532296341Sdelphij md = tls12_get_hash(hash_alg); 2533296341Sdelphij if (md) { 2534296341Sdelphij c->pkeys[idx].digest = md; 2535296341Sdelphij if (idx == SSL_PKEY_RSA_SIGN) 2536296341Sdelphij c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2537296341Sdelphij } 2538296341Sdelphij } 2539238405Sjkim 2540296341Sdelphij } 2541238405Sjkim 2542296341Sdelphij /* 2543296341Sdelphij * Set any remaining keys to default values. NOTE: if alg is not 2544296341Sdelphij * supported it stays as NULL. 2545296341Sdelphij */ 2546296341Sdelphij# ifndef OPENSSL_NO_DSA 2547296341Sdelphij if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2548296341Sdelphij c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2549296341Sdelphij# endif 2550296341Sdelphij# ifndef OPENSSL_NO_RSA 2551296341Sdelphij if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2552296341Sdelphij c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2553296341Sdelphij c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2554296341Sdelphij } 2555296341Sdelphij# endif 2556296341Sdelphij# ifndef OPENSSL_NO_ECDSA 2557296341Sdelphij if (!c->pkeys[SSL_PKEY_ECC].digest) 2558296341Sdelphij c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2559296341Sdelphij# endif 2560296341Sdelphij return 1; 2561296341Sdelphij} 2562238405Sjkim 2563238405Sjkim#endif 2564238405Sjkim 2565238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 2566296341Sdelphijint tls1_process_heartbeat(SSL *s) 2567296341Sdelphij{ 2568296341Sdelphij unsigned char *p = &s->s3->rrec.data[0], *pl; 2569296341Sdelphij unsigned short hbtype; 2570296341Sdelphij unsigned int payload; 2571296341Sdelphij unsigned int padding = 16; /* Use minimum padding */ 2572238405Sjkim 2573296341Sdelphij if (s->msg_callback) 2574296341Sdelphij s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 2575296341Sdelphij &s->s3->rrec.data[0], s->s3->rrec.length, 2576296341Sdelphij s, s->msg_callback_arg); 2577264266Sdelphij 2578296341Sdelphij /* Read type and payload length first */ 2579296341Sdelphij if (1 + 2 + 16 > s->s3->rrec.length) 2580296341Sdelphij return 0; /* silently discard */ 2581296341Sdelphij hbtype = *p++; 2582296341Sdelphij n2s(p, payload); 2583296341Sdelphij if (1 + 2 + payload + 16 > s->s3->rrec.length) 2584296341Sdelphij return 0; /* silently discard per RFC 6520 sec. 4 */ 2585296341Sdelphij pl = p; 2586238405Sjkim 2587296341Sdelphij if (hbtype == TLS1_HB_REQUEST) { 2588296341Sdelphij unsigned char *buffer, *bp; 2589296341Sdelphij int r; 2590238405Sjkim 2591296341Sdelphij /* 2592296341Sdelphij * Allocate memory for the response, size is 1 bytes message type, 2593296341Sdelphij * plus 2 bytes payload length, plus payload, plus padding 2594296341Sdelphij */ 2595296341Sdelphij buffer = OPENSSL_malloc(1 + 2 + payload + padding); 2596296341Sdelphij bp = buffer; 2597238405Sjkim 2598296341Sdelphij /* Enter response type, length and copy payload */ 2599296341Sdelphij *bp++ = TLS1_HB_RESPONSE; 2600296341Sdelphij s2n(payload, bp); 2601296341Sdelphij memcpy(bp, pl, payload); 2602296341Sdelphij bp += payload; 2603296341Sdelphij /* Random padding */ 2604296341Sdelphij if (RAND_pseudo_bytes(bp, padding) < 0) { 2605296341Sdelphij OPENSSL_free(buffer); 2606296341Sdelphij return -1; 2607296341Sdelphij } 2608238405Sjkim 2609296341Sdelphij r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 2610296341Sdelphij 3 + payload + padding); 2611238405Sjkim 2612296341Sdelphij if (r >= 0 && s->msg_callback) 2613296341Sdelphij s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2614296341Sdelphij buffer, 3 + payload + padding, 2615296341Sdelphij s, s->msg_callback_arg); 2616238405Sjkim 2617296341Sdelphij OPENSSL_free(buffer); 2618238405Sjkim 2619296341Sdelphij if (r < 0) 2620296341Sdelphij return r; 2621296341Sdelphij } else if (hbtype == TLS1_HB_RESPONSE) { 2622296341Sdelphij unsigned int seq; 2623194206Ssimon 2624296341Sdelphij /* 2625296341Sdelphij * We only send sequence numbers (2 bytes unsigned int), and 16 2626296341Sdelphij * random bytes, so we just try to read the sequence number 2627296341Sdelphij */ 2628296341Sdelphij n2s(pl, seq); 2629238405Sjkim 2630296341Sdelphij if (payload == 18 && seq == s->tlsext_hb_seq) { 2631296341Sdelphij s->tlsext_hb_seq++; 2632296341Sdelphij s->tlsext_hb_pending = 0; 2633296341Sdelphij } 2634296341Sdelphij } 2635238405Sjkim 2636296341Sdelphij return 0; 2637296341Sdelphij} 2638238405Sjkim 2639296341Sdelphijint tls1_heartbeat(SSL *s) 2640296341Sdelphij{ 2641296341Sdelphij unsigned char *buf, *p; 2642296341Sdelphij int ret = -1; 2643296341Sdelphij unsigned int payload = 18; /* Sequence number + random bytes */ 2644296341Sdelphij unsigned int padding = 16; /* Use minimum padding */ 2645238405Sjkim 2646296341Sdelphij /* Only send if peer supports and accepts HB requests... */ 2647296341Sdelphij if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || 2648296341Sdelphij s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) { 2649296341Sdelphij SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); 2650296341Sdelphij return -1; 2651296341Sdelphij } 2652238405Sjkim 2653296341Sdelphij /* ...and there is none in flight yet... */ 2654296341Sdelphij if (s->tlsext_hb_pending) { 2655296341Sdelphij SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING); 2656296341Sdelphij return -1; 2657296341Sdelphij } 2658238405Sjkim 2659296341Sdelphij /* ...and no handshake in progress. */ 2660296341Sdelphij if (SSL_in_init(s) || s->in_handshake) { 2661296341Sdelphij SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE); 2662296341Sdelphij return -1; 2663296341Sdelphij } 2664296341Sdelphij 2665296341Sdelphij /* 2666296341Sdelphij * Check if padding is too long, payload and padding must not exceed 2^14 2667296341Sdelphij * - 3 = 16381 bytes in total. 2668296341Sdelphij */ 2669296341Sdelphij OPENSSL_assert(payload + padding <= 16381); 2670296341Sdelphij 2671296341Sdelphij /*- 2672296341Sdelphij * Create HeartBeat message, we just use a sequence number 2673296341Sdelphij * as payload to distuingish different messages and add 2674296341Sdelphij * some random stuff. 2675296341Sdelphij * - Message Type, 1 byte 2676296341Sdelphij * - Payload Length, 2 bytes (unsigned int) 2677296341Sdelphij * - Payload, the sequence number (2 bytes uint) 2678296341Sdelphij * - Payload, random bytes (16 bytes uint) 2679296341Sdelphij * - Padding 2680296341Sdelphij */ 2681296341Sdelphij buf = OPENSSL_malloc(1 + 2 + payload + padding); 2682296341Sdelphij p = buf; 2683296341Sdelphij /* Message Type */ 2684296341Sdelphij *p++ = TLS1_HB_REQUEST; 2685296341Sdelphij /* Payload length (18 bytes here) */ 2686296341Sdelphij s2n(payload, p); 2687296341Sdelphij /* Sequence number */ 2688296341Sdelphij s2n(s->tlsext_hb_seq, p); 2689296341Sdelphij /* 16 random bytes */ 2690296341Sdelphij if (RAND_pseudo_bytes(p, 16) < 0) { 2691296341Sdelphij SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); 2692296341Sdelphij goto err; 2693296341Sdelphij } 2694296341Sdelphij p += 16; 2695296341Sdelphij /* Random padding */ 2696296341Sdelphij if (RAND_pseudo_bytes(p, padding) < 0) { 2697296341Sdelphij SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); 2698296341Sdelphij goto err; 2699296341Sdelphij } 2700296341Sdelphij 2701296341Sdelphij ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 2702296341Sdelphij if (ret >= 0) { 2703296341Sdelphij if (s->msg_callback) 2704296341Sdelphij s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2705296341Sdelphij buf, 3 + payload + padding, 2706296341Sdelphij s, s->msg_callback_arg); 2707296341Sdelphij 2708296341Sdelphij s->tlsext_hb_pending = 1; 2709296341Sdelphij } 2710296341Sdelphij 2711296341Sdelphijerr: 2712296341Sdelphij OPENSSL_free(buf); 2713296341Sdelphij 2714296341Sdelphij return ret; 2715296341Sdelphij} 2716194206Ssimon#endif 2717