174664626SKris Kennaway /* ssl/t1_lib.c */ 274664626SKris Kennaway /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 374664626SKris Kennaway * All rights reserved. 474664626SKris Kennaway * 574664626SKris Kennaway * This package is an SSL implementation written 674664626SKris Kennaway * by Eric Young (eay@cryptsoft.com). 774664626SKris Kennaway * The implementation was written so as to conform with Netscapes SSL. 874664626SKris Kennaway * 974664626SKris Kennaway * This library is free for commercial and non-commercial use as long as 1074664626SKris Kennaway * the following conditions are aheared to. The following conditions 1174664626SKris Kennaway * apply to all code found in this distribution, be it the RC4, RSA, 1274664626SKris Kennaway * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1374664626SKris Kennaway * included with this distribution is covered by the same copyright terms 1474664626SKris Kennaway * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1574664626SKris Kennaway * 1674664626SKris Kennaway * Copyright remains Eric Young's, and as such any Copyright notices in 1774664626SKris Kennaway * the code are not to be removed. 1874664626SKris Kennaway * If this package is used in a product, Eric Young should be given attribution 1974664626SKris Kennaway * as the author of the parts of the library used. 2074664626SKris Kennaway * This can be in the form of a textual message at program startup or 2174664626SKris Kennaway * in documentation (online or textual) provided with the package. 2274664626SKris Kennaway * 2374664626SKris Kennaway * Redistribution and use in source and binary forms, with or without 2474664626SKris Kennaway * modification, are permitted provided that the following conditions 2574664626SKris Kennaway * are met: 2674664626SKris Kennaway * 1. Redistributions of source code must retain the copyright 2774664626SKris Kennaway * notice, this list of conditions and the following disclaimer. 
2874664626SKris Kennaway * 2. Redistributions in binary form must reproduce the above copyright 2974664626SKris Kennaway * notice, this list of conditions and the following disclaimer in the 3074664626SKris Kennaway * documentation and/or other materials provided with the distribution. 3174664626SKris Kennaway * 3. All advertising materials mentioning features or use of this software 3274664626SKris Kennaway * must display the following acknowledgement: 3374664626SKris Kennaway * "This product includes cryptographic software written by 3474664626SKris Kennaway * Eric Young (eay@cryptsoft.com)" 3574664626SKris Kennaway * The word 'cryptographic' can be left out if the rouines from the library 3674664626SKris Kennaway * being used are not cryptographic related :-). 3774664626SKris Kennaway * 4. If you include any Windows specific code (or a derivative thereof) from 3874664626SKris Kennaway * the apps directory (application code) you must include an acknowledgement: 3974664626SKris Kennaway * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4074664626SKris Kennaway * 4174664626SKris Kennaway * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4274664626SKris Kennaway * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4374664626SKris Kennaway * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4474664626SKris Kennaway * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4574664626SKris Kennaway * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4674664626SKris Kennaway * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4774664626SKris Kennaway * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4874664626SKris Kennaway * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4974664626SKris Kennaway * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5074664626SKris Kennaway * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5174664626SKris Kennaway * SUCH DAMAGE. 5274664626SKris Kennaway * 5374664626SKris Kennaway * The licence and distribution terms for any publically available version or 5474664626SKris Kennaway * derivative of this code cannot be changed. i.e. this code cannot simply be 5574664626SKris Kennaway * copied and put under another distribution licence 5674664626SKris Kennaway * [including the GNU Public Licence.] 5774664626SKris Kennaway */ 581f13597dSJung-uk Kim /* ==================================================================== 591f13597dSJung-uk Kim * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 601f13597dSJung-uk Kim * 611f13597dSJung-uk Kim * Redistribution and use in source and binary forms, with or without 621f13597dSJung-uk Kim * modification, are permitted provided that the following conditions 631f13597dSJung-uk Kim * are met: 641f13597dSJung-uk Kim * 651f13597dSJung-uk Kim * 1. Redistributions of source code must retain the above copyright 661f13597dSJung-uk Kim * notice, this list of conditions and the following disclaimer. 671f13597dSJung-uk Kim * 681f13597dSJung-uk Kim * 2. 
Redistributions in binary form must reproduce the above copyright 691f13597dSJung-uk Kim * notice, this list of conditions and the following disclaimer in 701f13597dSJung-uk Kim * the documentation and/or other materials provided with the 711f13597dSJung-uk Kim * distribution. 721f13597dSJung-uk Kim * 731f13597dSJung-uk Kim * 3. All advertising materials mentioning features or use of this 741f13597dSJung-uk Kim * software must display the following acknowledgment: 751f13597dSJung-uk Kim * "This product includes software developed by the OpenSSL Project 761f13597dSJung-uk Kim * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 771f13597dSJung-uk Kim * 781f13597dSJung-uk Kim * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 791f13597dSJung-uk Kim * endorse or promote products derived from this software without 801f13597dSJung-uk Kim * prior written permission. For written permission, please contact 811f13597dSJung-uk Kim * openssl-core@openssl.org. 821f13597dSJung-uk Kim * 831f13597dSJung-uk Kim * 5. Products derived from this software may not be called "OpenSSL" 841f13597dSJung-uk Kim * nor may "OpenSSL" appear in their names without prior written 851f13597dSJung-uk Kim * permission of the OpenSSL Project. 861f13597dSJung-uk Kim * 871f13597dSJung-uk Kim * 6. Redistributions of any form whatsoever must retain the following 881f13597dSJung-uk Kim * acknowledgment: 891f13597dSJung-uk Kim * "This product includes software developed by the OpenSSL Project 901f13597dSJung-uk Kim * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 911f13597dSJung-uk Kim * 921f13597dSJung-uk Kim * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 931f13597dSJung-uk Kim * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 941f13597dSJung-uk Kim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 951f13597dSJung-uk Kim * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR 961f13597dSJung-uk Kim * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 971f13597dSJung-uk Kim * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 981f13597dSJung-uk Kim * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 991f13597dSJung-uk Kim * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 1001f13597dSJung-uk Kim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 1011f13597dSJung-uk Kim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 1021f13597dSJung-uk Kim * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 1031f13597dSJung-uk Kim * OF THE POSSIBILITY OF SUCH DAMAGE. 1041f13597dSJung-uk Kim * ==================================================================== 1051f13597dSJung-uk Kim * 1061f13597dSJung-uk Kim * This product includes cryptographic software written by Eric Young 1071f13597dSJung-uk Kim * (eay@cryptsoft.com). This product includes software written by Tim 1081f13597dSJung-uk Kim * Hudson (tjh@cryptsoft.com). 1091f13597dSJung-uk Kim * 1101f13597dSJung-uk Kim */ 11174664626SKris Kennaway 11274664626SKris Kennaway #include <stdio.h> 11374664626SKris Kennaway #include <openssl/objects.h> 114db522d3aSSimon L. B. Nielsen #include <openssl/evp.h> 115db522d3aSSimon L. B. Nielsen #include <openssl/hmac.h> 116db522d3aSSimon L. B. Nielsen #include <openssl/ocsp.h> 1171f13597dSJung-uk Kim #include <openssl/rand.h> 11874664626SKris Kennaway #include "ssl_locl.h" 11974664626SKris Kennaway 1205471f83eSSimon L. B. Nielsen const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 12174664626SKris Kennaway 122db522d3aSSimon L. B. Nielsen #ifndef OPENSSL_NO_TLSEXT 123db522d3aSSimon L. B. Nielsen static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 124db522d3aSSimon L. B. Nielsen const unsigned char *sess_id, int sesslen, 125db522d3aSSimon L. B. Nielsen SSL_SESSION **psess); 126db522d3aSSimon L. B. 
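#endif

/* Per-version hook table for TLSv1: record encryption/MAC, key-block
 * setup, master-secret derivation, Finished/CertificateVerify MACs,
 * alert mapping and keying-material export. The slot layout is fixed
 * by SSL3_ENC_METHOD (presumably declared in ssl_locl.h); keep the
 * order below in sync with that struct. */
SSL3_ENC_METHOD TLSv1_enc_data={
	tls1_enc,
	tls1_mac,
	tls1_setup_key_block,
	tls1_generate_master_secret,
	tls1_change_cipher_state,
	tls1_final_finish_mac,
	TLS1_FINISH_MAC_LENGTH,
	tls1_cert_verify_mac,
	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
	tls1_alert_code,
	tls1_export_keying_material,
	};

/* Default session lifetime in seconds for TLSv1 sessions.
 * Returns 7200 (2 hours). */
long tls1_default_timeout(void)
	{
	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
	 * is way too long for http, the cache would over fill */
	return(60*60*2);
	}

/* Allocate the TLSv1 per-connection state on top of the SSLv3 state and
 * reset it through the method's ssl_clear hook.
 * Returns 1 on success, 0 if ssl3_new() fails (nothing is cleared then). */
int tls1_new(SSL *s)
	{
	if (!ssl3_new(s)) return(0);
	s->method->ssl_clear(s);
	return(1);
	}

/* Release TLSv1-specific state, then the shared SSLv3 state.
 * The client-supplied session ticket extension data (if any) is owned by
 * the SSL object and freed here; the pointer is not reset because s is
 * torn down by ssl3_free() immediately afterwards. */
void tls1_free(SSL *s)
	{
#ifndef OPENSSL_NO_TLSEXT
	if (s->tlsext_session_ticket)
		{
		OPENSSL_free(s->tlsext_session_ticket);
		}
#endif /* OPENSSL_NO_TLSEXT */
	ssl3_free(s);
	}

/* Reset the connection for reuse: clear the SSLv3 state and pin the
 * negotiated version back to the method's own version. */
void tls1_clear(SSL *s)
	{
	ssl3_clear(s);
	s->version = s->method->version;
	}

#ifndef OPENSSL_NO_EC

/* TLS NamedCurve id -> OpenSSL NID. Entry i corresponds to curve id i+1
 * (ids 1..25 from draft-ietf-tls-ecc-12). This table is the single
 * source of truth for both directions of the mapping; tls1_ec_nid2curve_id()
 * is derived from it. */
static int nid_list[] =
	{
	NID_sect163k1, /* sect163k1 (1) */
	NID_sect163r1, /* sect163r1 (2) */
	NID_sect163r2, /* sect163r2 (3) */
	NID_sect193r1, /* sect193r1 (4) */
	NID_sect193r2, /* sect193r2 (5) */
	NID_sect233k1, /* sect233k1 (6) */
	NID_sect233r1, /* sect233r1 (7) */
	NID_sect239k1, /* sect239k1 (8) */
	NID_sect283k1, /* sect283k1 (9) */
	NID_sect283r1, /* sect283r1 (10) */
	NID_sect409k1, /* sect409k1 (11) */
	NID_sect409r1, /* sect409r1 (12) */
	NID_sect571k1, /* sect571k1 (13) */
	NID_sect571r1, /* sect571r1 (14) */
	NID_secp160k1, /* secp160k1 (15) */
	NID_secp160r1, /* secp160r1 (16) */
	NID_secp160r2, /* secp160r2 (17) */
	NID_secp192k1, /* secp192k1 (18) */
	NID_X9_62_prime192v1, /* secp192r1 (19) */
	NID_secp224k1, /* secp224k1 (20) */
	NID_secp224r1, /* secp224r1 (21) */
	NID_secp256k1, /* secp256k1 (22) */
	NID_X9_62_prime256v1, /* secp256r1 (23) */
	NID_secp384r1, /* secp384r1 (24) */
	NID_secp521r1 /* secp521r1 (25) */
	};

/* Curve preference order, listed from the largest field size (571-bit)
 * down to the smallest (160-bit). Not referenced within this part of the
 * file; its consumers are presumably further down in t1_lib.c. */
static int pref_list[] =
	{
	NID_sect571r1, /* sect571r1 (14) */
	NID_sect571k1, /* sect571k1 (13) */
	NID_secp521r1, /* secp521r1 (25) */
	NID_sect409k1, /* sect409k1 (11) */
	NID_sect409r1, /* sect409r1 (12) */
	NID_secp384r1, /* secp384r1 (24) */
	NID_sect283k1, /* sect283k1 (9) */
	NID_sect283r1, /* sect283r1 (10) */
	NID_secp256k1, /* secp256k1 (22) */
	NID_X9_62_prime256v1, /* secp256r1 (23) */
	NID_sect239k1, /* sect239k1 (8) */
	NID_sect233k1, /* sect233k1 (6) */
	NID_sect233r1, /* sect233r1 (7) */
	NID_secp224k1, /* secp224k1 (20) */
	NID_secp224r1, /* secp224r1 (21) */
	NID_sect193r1, /* sect193r1 (4) */
	NID_sect193r2, /* sect193r2 (5) */
	NID_secp192k1, /* secp192k1 (18) */
	NID_X9_62_prime192v1, /* secp192r1 (19) */
	NID_sect163k1, /* sect163k1 (1) */
	NID_sect163r1, /* sect163r1 (2) */
	NID_sect163r2, /* sect163r2 (3) */
	NID_secp160k1, /* secp160k1 (15) */
	NID_secp160r1, /* secp160r1 (16) */
	NID_secp160r2, /* secp160r2 (17) */
	};

/* Translate a TLS NamedCurve id into an OpenSSL NID.
 * curve_id: the wire id (1-based). Any value outside 1..sizeof(nid_list)
 *   is rejected, so a value taken from the peer can never index outside
 *   the table; the cast to unsigned folds negative ids into the upper
 *   bound check.
 * Returns the NID, or 0 for an unknown/out-of-range id. */
int tls1_ec_curve_id2nid(int curve_id)
	{
	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
	if ((curve_id < 1) || ((unsigned int)curve_id >
				sizeof(nid_list)/sizeof(nid_list[0])))
		return 0;
	return nid_list[curve_id-1];
	}

/* Translate an OpenSSL NID into a TLS NamedCurve id.
 * Derived from nid_list (entry i is curve id i+1) so the two directions
 * of the mapping cannot drift apart when a curve is added or removed.
 * Returns the 1-based curve id, or 0 if nid is not a known TLS curve. */
int tls1_ec_nid2curve_id(int nid)
	{
	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
	size_t i;
	for (i = 0; i < sizeof(nid_list)/sizeof(nid_list[0]); i++)
		{
		if (nid_list[i] == nid)
			return (int)(i + 1);
		}
	return 0;
	}
#endif /* OPENSSL_NO_EC */

#ifndef OPENSSL_NO_TLSEXT

/* List of supported signature algorithms and hashes. Should make this
 * customisable at some point, for now include everything we support.
 *
 * Each tlsext_sigalg(md) expands to up to three two-byte
 * (hash, signature) pairs -- RSA, DSA, ECDSA -- omitting any signature
 * scheme compiled out. Hashes are listed strongest first.
 */

#ifdef OPENSSL_NO_RSA
#define tlsext_sigalg_rsa(md) /* */
#else
#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
#endif

#ifdef OPENSSL_NO_DSA
#define tlsext_sigalg_dsa(md) /* */
#else
#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
#endif

#ifdef OPENSSL_NO_ECDSA
#define tlsext_sigalg_ecdsa(md) /* */
#else
#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
#endif

#define tlsext_sigalg(md) \
		tlsext_sigalg_rsa(md) \
		tlsext_sigalg_dsa(md) \
		tlsext_sigalg_ecdsa(md)

/* Wire-ready signature_algorithms payload (hash byte, signature byte, ...). */
static unsigned char tls12_sigalgs[] = {
#ifndef OPENSSL_NO_SHA512
	tlsext_sigalg(TLSEXT_hash_sha512)
	tlsext_sigalg(TLSEXT_hash_sha384)
#endif
#ifndef OPENSSL_NO_SHA256
	tlsext_sigalg(TLSEXT_hash_sha256)
	tlsext_sigalg(TLSEXT_hash_sha224)
#endif
#ifndef OPENSSL_NO_SHA
	tlsext_sigalg(TLSEXT_hash_sha1)
#endif
};

/* Copy the supported signature_algorithms list into p and return its
 * length in bytes.
 * s: unused here; kept for the common hook signature.
 * p: destination, or NULL to only query the required size. No bound is
 *    passed, so p must hold at least sizeof(tls12_sigalgs) bytes --
 *    callers should size it from a NULL query first.
 * Returns sizeof(tls12_sigalgs). */
int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
	{
	size_t slen = sizeof(tls12_sigalgs);
	if (p)
		memcpy(p, tls12_sigalgs, slen);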
3521f13597dSJung-uk Kim return (int)slen; 3531f13597dSJung-uk Kim } 3541f13597dSJung-uk Kim 355*a93cbc2bSJung-uk Kim unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit) 356db522d3aSSimon L. B. Nielsen { 357db522d3aSSimon L. B. Nielsen int extdatalen=0; 358*a93cbc2bSJung-uk Kim unsigned char *orig = buf; 359*a93cbc2bSJung-uk Kim unsigned char *ret = buf; 360db522d3aSSimon L. B. Nielsen 3616a599222SSimon L. B. Nielsen /* don't add extensions for SSLv3 unless doing secure renegotiation */ 3626a599222SSimon L. B. Nielsen if (s->client_version == SSL3_VERSION 3636a599222SSimon L. B. Nielsen && !s->s3->send_connection_binding) 364*a93cbc2bSJung-uk Kim return orig; 3656a599222SSimon L. B. Nielsen 366db522d3aSSimon L. B. Nielsen ret+=2; 367db522d3aSSimon L. B. Nielsen 368db522d3aSSimon L. B. Nielsen if (ret>=limit) return NULL; /* this really never occurs, but ... */ 369db522d3aSSimon L. B. Nielsen 370db522d3aSSimon L. B. Nielsen if (s->tlsext_hostname != NULL) 371db522d3aSSimon L. B. Nielsen { 372db522d3aSSimon L. B. Nielsen /* Add TLS extension servername to the Client Hello message */ 373db522d3aSSimon L. B. Nielsen unsigned long size_str; 374db522d3aSSimon L. B. Nielsen long lenmax; 375db522d3aSSimon L. B. Nielsen 376db522d3aSSimon L. B. Nielsen /* check for enough space. 377db522d3aSSimon L. B. Nielsen 4 for the servername type and entension length 378db522d3aSSimon L. B. Nielsen 2 for servernamelist length 379db522d3aSSimon L. B. Nielsen 1 for the hostname type 380db522d3aSSimon L. B. Nielsen 2 for hostname length 381db522d3aSSimon L. B. Nielsen + hostname length 382db522d3aSSimon L. B. Nielsen */ 383db522d3aSSimon L. B. Nielsen 384db522d3aSSimon L. B. Nielsen if ((lenmax = limit - ret - 9) < 0 385db522d3aSSimon L. B. Nielsen || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 386db522d3aSSimon L. B. Nielsen return NULL; 387db522d3aSSimon L. B. Nielsen 388db522d3aSSimon L. B. 
Nielsen /* extension type and length */ 389db522d3aSSimon L. B. Nielsen s2n(TLSEXT_TYPE_server_name,ret); 390db522d3aSSimon L. B. Nielsen s2n(size_str+5,ret); 391db522d3aSSimon L. B. Nielsen 392db522d3aSSimon L. B. Nielsen /* length of servername list */ 393db522d3aSSimon L. B. Nielsen s2n(size_str+3,ret); 394db522d3aSSimon L. B. Nielsen 395db522d3aSSimon L. B. Nielsen /* hostname type, length and hostname */ 396db522d3aSSimon L. B. Nielsen *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 397db522d3aSSimon L. B. Nielsen s2n(size_str,ret); 398db522d3aSSimon L. B. Nielsen memcpy(ret, s->tlsext_hostname, size_str); 399db522d3aSSimon L. B. Nielsen ret+=size_str; 400db522d3aSSimon L. B. Nielsen } 401db522d3aSSimon L. B. Nielsen 4026a599222SSimon L. B. Nielsen /* Add RI if renegotiating */ 4031f13597dSJung-uk Kim if (s->renegotiate) 4046a599222SSimon L. B. Nielsen { 4056a599222SSimon L. B. Nielsen int el; 4066a599222SSimon L. B. Nielsen 4076a599222SSimon L. B. Nielsen if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 4086a599222SSimon L. B. Nielsen { 4096a599222SSimon L. B. Nielsen SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 4106a599222SSimon L. B. Nielsen return NULL; 4116a599222SSimon L. B. Nielsen } 4126a599222SSimon L. B. Nielsen 413*a93cbc2bSJung-uk Kim if((limit - ret - 4 - el) < 0) return NULL; 4146a599222SSimon L. B. Nielsen 4156a599222SSimon L. B. Nielsen s2n(TLSEXT_TYPE_renegotiate,ret); 4166a599222SSimon L. B. Nielsen s2n(el,ret); 4176a599222SSimon L. B. Nielsen 4186a599222SSimon L. B. Nielsen if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) 4196a599222SSimon L. B. Nielsen { 4206a599222SSimon L. B. Nielsen SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 4216a599222SSimon L. B. Nielsen return NULL; 4226a599222SSimon L. B. Nielsen } 4236a599222SSimon L. B. Nielsen 4246a599222SSimon L. B. Nielsen ret += el; 4256a599222SSimon L. B. Nielsen } 4266a599222SSimon L. B. 
Nielsen 4271f13597dSJung-uk Kim #ifndef OPENSSL_NO_SRP 4281f13597dSJung-uk Kim /* Add SRP username if there is one */ 4291f13597dSJung-uk Kim if (s->srp_ctx.login != NULL) 4301f13597dSJung-uk Kim { /* Add TLS extension SRP username to the Client Hello message */ 4311f13597dSJung-uk Kim 4321f13597dSJung-uk Kim int login_len = strlen(s->srp_ctx.login); 4331f13597dSJung-uk Kim if (login_len > 255 || login_len == 0) 4341f13597dSJung-uk Kim { 4351f13597dSJung-uk Kim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 4361f13597dSJung-uk Kim return NULL; 4371f13597dSJung-uk Kim } 4381f13597dSJung-uk Kim 4391f13597dSJung-uk Kim /* check for enough space. 4401f13597dSJung-uk Kim 4 for the srp type type and entension length 4411f13597dSJung-uk Kim 1 for the srp user identity 4421f13597dSJung-uk Kim + srp user identity length 4431f13597dSJung-uk Kim */ 4441f13597dSJung-uk Kim if ((limit - ret - 5 - login_len) < 0) return NULL; 4451f13597dSJung-uk Kim 4461f13597dSJung-uk Kim /* fill in the extension */ 4471f13597dSJung-uk Kim s2n(TLSEXT_TYPE_srp,ret); 4481f13597dSJung-uk Kim s2n(login_len+1,ret); 4491f13597dSJung-uk Kim (*ret++) = (unsigned char) login_len; 4501f13597dSJung-uk Kim memcpy(ret, s->srp_ctx.login, login_len); 4511f13597dSJung-uk Kim ret+=login_len; 4521f13597dSJung-uk Kim } 4531f13597dSJung-uk Kim #endif 4541f13597dSJung-uk Kim 4551f13597dSJung-uk Kim #ifndef OPENSSL_NO_EC 456*a93cbc2bSJung-uk Kim if (s->tlsext_ecpointformatlist != NULL) 4571f13597dSJung-uk Kim { 4581f13597dSJung-uk Kim /* Add TLS extension ECPointFormats to the ClientHello message */ 4591f13597dSJung-uk Kim long lenmax; 4601f13597dSJung-uk Kim 4611f13597dSJung-uk Kim if ((lenmax = limit - ret - 5) < 0) return NULL; 4621f13597dSJung-uk Kim if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 4631f13597dSJung-uk Kim if (s->tlsext_ecpointformatlist_length > 255) 4641f13597dSJung-uk Kim { 4651f13597dSJung-uk Kim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 
ERR_R_INTERNAL_ERROR); 4661f13597dSJung-uk Kim return NULL; 4671f13597dSJung-uk Kim } 4681f13597dSJung-uk Kim 4691f13597dSJung-uk Kim s2n(TLSEXT_TYPE_ec_point_formats,ret); 4701f13597dSJung-uk Kim s2n(s->tlsext_ecpointformatlist_length + 1,ret); 4711f13597dSJung-uk Kim *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 4721f13597dSJung-uk Kim memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 4731f13597dSJung-uk Kim ret+=s->tlsext_ecpointformatlist_length; 4741f13597dSJung-uk Kim } 475*a93cbc2bSJung-uk Kim if (s->tlsext_ellipticcurvelist != NULL) 4761f13597dSJung-uk Kim { 4771f13597dSJung-uk Kim /* Add TLS extension EllipticCurves to the ClientHello message */ 4781f13597dSJung-uk Kim long lenmax; 4791f13597dSJung-uk Kim 4801f13597dSJung-uk Kim if ((lenmax = limit - ret - 6) < 0) return NULL; 4811f13597dSJung-uk Kim if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; 4821f13597dSJung-uk Kim if (s->tlsext_ellipticcurvelist_length > 65532) 4831f13597dSJung-uk Kim { 4841f13597dSJung-uk Kim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 4851f13597dSJung-uk Kim return NULL; 4861f13597dSJung-uk Kim } 4871f13597dSJung-uk Kim 4881f13597dSJung-uk Kim s2n(TLSEXT_TYPE_elliptic_curves,ret); 4891f13597dSJung-uk Kim s2n(s->tlsext_ellipticcurvelist_length + 2, ret); 4901f13597dSJung-uk Kim 4911f13597dSJung-uk Kim /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 4921f13597dSJung-uk Kim * elliptic_curve_list, but the examples use two bytes. 4931f13597dSJung-uk Kim * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html 4941f13597dSJung-uk Kim * resolves this to two bytes. 
4951f13597dSJung-uk Kim */ 4961f13597dSJung-uk Kim s2n(s->tlsext_ellipticcurvelist_length, ret); 4971f13597dSJung-uk Kim memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); 4981f13597dSJung-uk Kim ret+=s->tlsext_ellipticcurvelist_length; 4991f13597dSJung-uk Kim } 5001f13597dSJung-uk Kim #endif /* OPENSSL_NO_EC */ 5016a599222SSimon L. B. Nielsen 502db522d3aSSimon L. B. Nielsen if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 503db522d3aSSimon L. B. Nielsen { 504db522d3aSSimon L. B. Nielsen int ticklen; 5056a599222SSimon L. B. Nielsen if (!s->new_session && s->session && s->session->tlsext_tick) 506db522d3aSSimon L. B. Nielsen ticklen = s->session->tlsext_ticklen; 5071f13597dSJung-uk Kim else if (s->session && s->tlsext_session_ticket && 5081f13597dSJung-uk Kim s->tlsext_session_ticket->data) 5091f13597dSJung-uk Kim { 5101f13597dSJung-uk Kim ticklen = s->tlsext_session_ticket->length; 5111f13597dSJung-uk Kim s->session->tlsext_tick = OPENSSL_malloc(ticklen); 5121f13597dSJung-uk Kim if (!s->session->tlsext_tick) 5131f13597dSJung-uk Kim return NULL; 5141f13597dSJung-uk Kim memcpy(s->session->tlsext_tick, 5151f13597dSJung-uk Kim s->tlsext_session_ticket->data, 5161f13597dSJung-uk Kim ticklen); 5171f13597dSJung-uk Kim s->session->tlsext_ticklen = ticklen; 5181f13597dSJung-uk Kim } 519db522d3aSSimon L. B. Nielsen else 520db522d3aSSimon L. B. Nielsen ticklen = 0; 5211f13597dSJung-uk Kim if (ticklen == 0 && s->tlsext_session_ticket && 5221f13597dSJung-uk Kim s->tlsext_session_ticket->data == NULL) 5231f13597dSJung-uk Kim goto skip_ext; 524db522d3aSSimon L. B. Nielsen /* Check for enough room 2 for extension type, 2 for len 525db522d3aSSimon L. B. Nielsen * rest for ticket 526db522d3aSSimon L. B. Nielsen */ 5271f13597dSJung-uk Kim if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; 528db522d3aSSimon L. B. Nielsen s2n(TLSEXT_TYPE_session_ticket,ret); 529db522d3aSSimon L. B. Nielsen s2n(ticklen,ret); 530db522d3aSSimon L. B. 
Nielsen if (ticklen) 531db522d3aSSimon L. B. Nielsen { 532db522d3aSSimon L. B. Nielsen memcpy(ret, s->session->tlsext_tick, ticklen); 533db522d3aSSimon L. B. Nielsen ret += ticklen; 534db522d3aSSimon L. B. Nielsen } 535db522d3aSSimon L. B. Nielsen } 5361f13597dSJung-uk Kim skip_ext: 5371f13597dSJung-uk Kim 5381f13597dSJung-uk Kim if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 5391f13597dSJung-uk Kim { 5401f13597dSJung-uk Kim if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 5411f13597dSJung-uk Kim return NULL; 5421f13597dSJung-uk Kim s2n(TLSEXT_TYPE_signature_algorithms,ret); 5431f13597dSJung-uk Kim s2n(sizeof(tls12_sigalgs) + 2, ret); 5441f13597dSJung-uk Kim s2n(sizeof(tls12_sigalgs), ret); 5451f13597dSJung-uk Kim memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 5461f13597dSJung-uk Kim ret += sizeof(tls12_sigalgs); 5471f13597dSJung-uk Kim } 5481f13597dSJung-uk Kim 5491f13597dSJung-uk Kim #ifdef TLSEXT_TYPE_opaque_prf_input 5501f13597dSJung-uk Kim if (s->s3->client_opaque_prf_input != NULL && 5511f13597dSJung-uk Kim s->version != DTLS1_VERSION) 5521f13597dSJung-uk Kim { 5531f13597dSJung-uk Kim size_t col = s->s3->client_opaque_prf_input_len; 5541f13597dSJung-uk Kim 5551f13597dSJung-uk Kim if ((long)(limit - ret - 6 - col < 0)) 5561f13597dSJung-uk Kim return NULL; 5571f13597dSJung-uk Kim if (col > 0xFFFD) /* can't happen */ 5581f13597dSJung-uk Kim return NULL; 5591f13597dSJung-uk Kim 5601f13597dSJung-uk Kim s2n(TLSEXT_TYPE_opaque_prf_input, ret); 5611f13597dSJung-uk Kim s2n(col + 2, ret); 5621f13597dSJung-uk Kim s2n(col, ret); 5631f13597dSJung-uk Kim memcpy(ret, s->s3->client_opaque_prf_input, col); 5641f13597dSJung-uk Kim ret += col; 5651f13597dSJung-uk Kim } 5661f13597dSJung-uk Kim #endif 567db522d3aSSimon L. B. Nielsen 5686a599222SSimon L. B. Nielsen if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 5696a599222SSimon L. B. Nielsen s->version != DTLS1_VERSION) 570db522d3aSSimon L. B. Nielsen { 571db522d3aSSimon L. B. 
Nielsen int i; 572db522d3aSSimon L. B. Nielsen long extlen, idlen, itmp; 573db522d3aSSimon L. B. Nielsen OCSP_RESPID *id; 574db522d3aSSimon L. B. Nielsen 575db522d3aSSimon L. B. Nielsen idlen = 0; 576db522d3aSSimon L. B. Nielsen for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 577db522d3aSSimon L. B. Nielsen { 578db522d3aSSimon L. B. Nielsen id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 579db522d3aSSimon L. B. Nielsen itmp = i2d_OCSP_RESPID(id, NULL); 580db522d3aSSimon L. B. Nielsen if (itmp <= 0) 581db522d3aSSimon L. B. Nielsen return NULL; 582db522d3aSSimon L. B. Nielsen idlen += itmp + 2; 583db522d3aSSimon L. B. Nielsen } 584db522d3aSSimon L. B. Nielsen 585db522d3aSSimon L. B. Nielsen if (s->tlsext_ocsp_exts) 586db522d3aSSimon L. B. Nielsen { 587db522d3aSSimon L. B. Nielsen extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 588db522d3aSSimon L. B. Nielsen if (extlen < 0) 589db522d3aSSimon L. B. Nielsen return NULL; 590db522d3aSSimon L. B. Nielsen } 591db522d3aSSimon L. B. Nielsen else 592db522d3aSSimon L. B. Nielsen extlen = 0; 593db522d3aSSimon L. B. Nielsen 594db522d3aSSimon L. B. Nielsen if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 595db522d3aSSimon L. B. Nielsen s2n(TLSEXT_TYPE_status_request, ret); 596db522d3aSSimon L. B. Nielsen if (extlen + idlen > 0xFFF0) 597db522d3aSSimon L. B. Nielsen return NULL; 598db522d3aSSimon L. B. Nielsen s2n(extlen + idlen + 5, ret); 599db522d3aSSimon L. B. Nielsen *(ret++) = TLSEXT_STATUSTYPE_ocsp; 600db522d3aSSimon L. B. Nielsen s2n(idlen, ret); 601db522d3aSSimon L. B. Nielsen for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 602db522d3aSSimon L. B. Nielsen { 603db522d3aSSimon L. B. Nielsen /* save position of id len */ 604db522d3aSSimon L. B. Nielsen unsigned char *q = ret; 605db522d3aSSimon L. B. Nielsen id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 606db522d3aSSimon L. B. Nielsen /* skip over id len */ 607db522d3aSSimon L. B. Nielsen ret += 2; 608db522d3aSSimon L. B. 
Nielsen itmp = i2d_OCSP_RESPID(id, &ret); 609db522d3aSSimon L. B. Nielsen /* write id len */ 610db522d3aSSimon L. B. Nielsen s2n(itmp, q); 611db522d3aSSimon L. B. Nielsen } 612db522d3aSSimon L. B. Nielsen s2n(extlen, ret); 613db522d3aSSimon L. B. Nielsen if (extlen > 0) 614db522d3aSSimon L. B. Nielsen i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 615db522d3aSSimon L. B. Nielsen } 616db522d3aSSimon L. B. Nielsen 6171f13597dSJung-uk Kim #ifndef OPENSSL_NO_HEARTBEATS 6181f13597dSJung-uk Kim /* Add Heartbeat extension */ 61994ad176cSJung-uk Kim if ((limit - ret - 4 - 1) < 0) 62094ad176cSJung-uk Kim return NULL; 6211f13597dSJung-uk Kim s2n(TLSEXT_TYPE_heartbeat,ret); 6221f13597dSJung-uk Kim s2n(1,ret); 6231f13597dSJung-uk Kim /* Set mode: 6241f13597dSJung-uk Kim * 1: peer may send requests 6251f13597dSJung-uk Kim * 2: peer not allowed to send requests 6261f13597dSJung-uk Kim */ 6271f13597dSJung-uk Kim if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) 6281f13597dSJung-uk Kim *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 6291f13597dSJung-uk Kim else 6301f13597dSJung-uk Kim *(ret++) = SSL_TLSEXT_HB_ENABLED; 6311f13597dSJung-uk Kim #endif 6321f13597dSJung-uk Kim 6331f13597dSJung-uk Kim #ifndef OPENSSL_NO_NEXTPROTONEG 6341f13597dSJung-uk Kim if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) 6351f13597dSJung-uk Kim { 6361f13597dSJung-uk Kim /* The client advertises an emtpy extension to indicate its 6371f13597dSJung-uk Kim * support for Next Protocol Negotiation */ 6381f13597dSJung-uk Kim if (limit - ret - 4 < 0) 6391f13597dSJung-uk Kim return NULL; 6401f13597dSJung-uk Kim s2n(TLSEXT_TYPE_next_proto_neg,ret); 6411f13597dSJung-uk Kim s2n(0,ret); 6421f13597dSJung-uk Kim } 6431f13597dSJung-uk Kim #endif 6441f13597dSJung-uk Kim 64509286989SJung-uk Kim #ifndef OPENSSL_NO_SRTP 6461f13597dSJung-uk Kim if(SSL_get_srtp_profiles(s)) 6471f13597dSJung-uk Kim { 6481f13597dSJung-uk Kim int el; 6491f13597dSJung-uk Kim 6501f13597dSJung-uk Kim 
ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 6511f13597dSJung-uk Kim 652*a93cbc2bSJung-uk Kim if((limit - ret - 4 - el) < 0) return NULL; 6531f13597dSJung-uk Kim 6541f13597dSJung-uk Kim s2n(TLSEXT_TYPE_use_srtp,ret); 6551f13597dSJung-uk Kim s2n(el,ret); 6561f13597dSJung-uk Kim 6571f13597dSJung-uk Kim if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) 6581f13597dSJung-uk Kim { 6591f13597dSJung-uk Kim SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 6601f13597dSJung-uk Kim return NULL; 6611f13597dSJung-uk Kim } 6621f13597dSJung-uk Kim ret += el; 6631f13597dSJung-uk Kim } 66409286989SJung-uk Kim #endif 665560ede85SJung-uk Kim /* Add padding to workaround bugs in F5 terminators. 666560ede85SJung-uk Kim * See https://tools.ietf.org/html/draft-agl-tls-padding-03 667560ede85SJung-uk Kim * 668560ede85SJung-uk Kim * NB: because this code works out the length of all existing 669560ede85SJung-uk Kim * extensions it MUST always appear last. 670560ede85SJung-uk Kim */ 67194ad176cSJung-uk Kim if (s->options & SSL_OP_TLSEXT_PADDING) 672560ede85SJung-uk Kim { 673560ede85SJung-uk Kim int hlen = ret - (unsigned char *)s->init_buf->data; 67494ad176cSJung-uk Kim /* The code in s23_clnt.c to build ClientHello messages 67594ad176cSJung-uk Kim * includes the 5-byte record header in the buffer, while 67694ad176cSJung-uk Kim * the code in s3_clnt.c does not. 
*/
		if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
			hlen -= 5;
		/* Only hellos between 256 and 511 bytes are padded, up to 512
		 * bytes in total; the 4 subtracted bytes are the padding
		 * extension's own type/length header. */
		if (hlen > 0xff && hlen < 0x200)
			{
			hlen = 0x200 - hlen;
			if (hlen >= 4)
				hlen -= 4;
			else
				hlen = 0;

			s2n(TLSEXT_TYPE_padding, ret);
			s2n(hlen, ret);
			memset(ret, 0, hlen);
			ret += hlen;
			}
		}

	/* Length of all extension data, excluding the 2-byte prefix reserved
	 * at |orig|; with no extensions the prefix itself is not emitted. */
	if ((extdatalen = ret-orig-2)== 0)
		return orig;

	s2n(extdatalen, orig);
	return ret;
	}

/*
 * Append the ServerHello extension block to |buf|.
 *
 * Each extension the server has decided to send (SNI acknowledgement,
 * secure renegotiation, EC point formats, session ticket and
 * status_request acknowledgements, opaque PRF input, use_srtp, the
 * CryptoPro workaround blob, heartbeat, NPN) is written after a 2-byte
 * length prefix, which is patched in at the end.  Every branch checks
 * its own space against |limit| before writing.
 *
 * Returns a pointer one past the last byte written; returns |buf|
 * unchanged when no extension was added; returns NULL when the data
 * would not fit before |limit| or one of the helper functions fails
 * (an error is then queued with SSLerr).
 */
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
	{
	int extdatalen=0;
	unsigned char *orig = buf;
	unsigned char *ret = buf;
#ifndef OPENSSL_NO_NEXTPROTONEG
	int next_proto_neg_seen;
#endif

	/* don't add extensions for SSLv3, unless doing secure renegotiation */
	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
		return orig;

	/* Reserve the 2-byte total length; it is filled in at the end. */
	ret+=2;
	if (ret>=limit) return NULL; /* this really never occurs, but ... */

	/* Empty server_name extension acknowledges the client's SNI, only on
	 * a full handshake where the name was accepted by the parser. */
	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
		{
		if ((long)(limit - ret - 4) < 0) return NULL;

		s2n(TLSEXT_TYPE_server_name,ret);
		s2n(0,ret);
		}

	if(s->s3->send_connection_binding)
		{
		int el;

		/* First call with a NULL buffer only sizes the payload (el),
		 * the second call writes it; this helper returns 0 on failure. */
		if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
			{
			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
			return NULL;
			}

		if((limit - ret - 4 - el) < 0) return NULL;

		s2n(TLSEXT_TYPE_renegotiate,ret);
		s2n(el,ret);

		if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
			{
			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
			return NULL;
			}

		ret += el;
		}

#ifndef OPENSSL_NO_EC
	if (s->tlsext_ecpointformatlist != NULL)
		{
		/* Add TLS extension ECPointFormats to the ServerHello message */
		long lenmax;

		/* 5 = 2 type + 2 length + 1 list-length byte; the list length
		 * itself is a single byte on the wire, hence the 255 cap. */
		if ((lenmax = limit - ret - 5) < 0) return NULL;
		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
		if (s->tlsext_ecpointformatlist_length > 255)
			{
			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
			return NULL;
			}

		s2n(TLSEXT_TYPE_ec_point_formats,ret);
		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
		ret+=s->tlsext_ecpointformatlist_length;

		}
	/* Currently the server should not respond with a SupportedCurves extension */
#endif /* OPENSSL_NO_EC */

	/* Empty session_ticket extension: tells the client a NewSessionTicket
	 * message will follow. */
	if (s->tlsext_ticket_expected
		&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
		{
		if ((long)(limit - ret - 4) < 0) return NULL;
		s2n(TLSEXT_TYPE_session_ticket,ret);
		s2n(0,ret);
		}

	/* Empty status_request extension: a CertificateStatus message follows. */
	if (s->tlsext_status_expected)
		{
		if ((long)(limit - ret - 4) < 0) return NULL;
		s2n(TLSEXT_TYPE_status_request,ret);
		s2n(0,ret);
		}

#ifdef TLSEXT_TYPE_opaque_prf_input
	if (s->s3->server_opaque_prf_input != NULL &&
	    s->version != DTLS1_VERSION)
		{
		size_t sol = s->s3->server_opaque_prf_input_len;

		/* 6 = 2 type + 2 ext length + 2 inner length. */
		if ((long)(limit - ret - 6 - sol) < 0)
			return NULL;
		if (sol > 0xFFFD) /* can't happen */
			return NULL;

		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
		s2n(sol + 2, ret);
		s2n(sol, ret);
		memcpy(ret, s->s3->server_opaque_prf_input, sol);
		ret += sol;
		}
#endif

#ifndef OPENSSL_NO_SRTP
	if(s->srtp_profile)
		{
		int el;

		/* Same size-then-write pattern as the renegotiation extension,
		 * but note this helper signals failure with a non-zero return. */
		ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);

		if((limit - ret - 4 - el) < 0) return NULL;

		s2n(TLSEXT_TYPE_use_srtp,ret);
		s2n(el,ret);

		if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
			{
			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
			return NULL;
			}
		ret+=el;
		}
#endif

	/* Fixed 36-byte extension blob (type 0xfde8 = 65000) sent only for the
	 * two cipher suite ids covered by the CryptoPro bug workaround option;
	 * presumably GOST suites, given the option name and the embedded OIDs. */
	if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
		&& (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
		{ const unsigned char cryptopro_ext[36] = {
			0xfd, 0xe8, /*65000*/
			0x00, 0x20, /*32 bytes length*/
			0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
			0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
			0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
			0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
			if (limit-ret<36) return NULL;
			memcpy(ret,cryptopro_ext,36);
			ret+=36;

		}

#ifndef OPENSSL_NO_HEARTBEATS
	/* Add Heartbeat extension if we've received one */
	/* SSL_TLSEXT_HB_ENABLED is presumably set by the ClientHello parser
	 * when the client offered heartbeat; the payload is a single mode
	 * byte telling the peer whether it may send heartbeat requests. */
	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
		{
		if ((limit - ret - 4 - 1) < 0)
			return NULL;
		s2n(TLSEXT_TYPE_heartbeat,ret);
		s2n(1,ret);
		/* Set mode:
		 * 1: peer may send requests
		 * 2: peer not allowed to send requests
		 */
		if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
			*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
		else
			*(ret++) = SSL_TLSEXT_HB_ENABLED;

		}
#endif

#ifndef OPENSSL_NO_NEXTPROTONEG
	/* The "seen" flag is consumed here: read, cleared, and set back to 1
	 * only if the NPN extension is actually written below. */
	next_proto_neg_seen = s->s3->next_proto_neg_seen;
	s->s3->next_proto_neg_seen = 0;
	if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
		{
		const unsigned char *npa;
		unsigned int npalen;
		int r;

		r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
		if (r == SSL_TLSEXT_ERR_OK)
			{
			/* NOTE(review): npalen is unsigned, so on targets where
			 * ptrdiff_t is int the subtraction is evaluated unsigned
			 * before the cast to long; the check works in practice but
			 * relies on that conversion - worth confirming. */
			if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
			s2n(TLSEXT_TYPE_next_proto_neg,ret);
			s2n(npalen,ret);
			memcpy(ret, npa, npalen);
			ret += npalen;
			s->s3->next_proto_neg_seen = 1;
			}
		}
#endif

	/* Length of all extension data, excluding the 2-byte prefix reserved
	 * at |orig|; with no extensions the prefix itself is not emitted. */
	if ((extdatalen = ret-orig-2)== 0)
		return orig;

	s2n(extdatalen, orig);
	return ret;
	}

#ifndef OPENSSL_NO_EC
/* ssl_check_for_safari attempts to fingerprint Safari using OS X
 * SecureTransport using the TLS extension block in |d|, of length |n|.
 * Safari, since 10.6, sends exactly these extensions, in this order:
 *   SNI,
 *   elliptic_curves
 *   ec_point_formats
 *
 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
 * 10.8..10.8.3 (which don't work).
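*/
/*
 * |data| points at the 2-byte extensions length inside the ClientHello
 * buffer [d, d+n).  On a byte-for-byte match of the expected extension
 * sequence s->s3->is_probably_safari is set; on any mismatch or truncated
 * input the function returns silently.
 *
 * All bounds checks are expressed on the remaining byte count, so no
 * pointer beyond d+n is ever formed (the previous form compared
 * data+size against d+n, which can overrun the object before the test).
 */
static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
	unsigned short type, size;
	size_t remaining;
	static const unsigned char kSafariExtensionsBlock[] = {
		0x00, 0x0a,  /* elliptic_curves extension */
		0x00, 0x08,  /* 8 bytes */
		0x00, 0x06,  /* 6 bytes of curve ids */
		0x00, 0x17,  /* P-256 */
		0x00, 0x18,  /* P-384 */
		0x00, 0x19,  /* P-521 */

		0x00, 0x0b,  /* ec_point_formats */
		0x00, 0x02,  /* 2 bytes */
		0x01,        /* 1 point format */
		0x00,        /* uncompressed */
	};

	/* The following is only present in TLS 1.2 */
	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
		0x00, 0x0d,  /* signature_algorithms */
		0x00, 0x0c,  /* 12 bytes */
		0x00, 0x0a,  /* 10 bytes */
		0x05, 0x01,  /* SHA-384/RSA */
		0x04, 0x01,  /* SHA-256/RSA */
		0x02, 0x01,  /* SHA-1/RSA */
		0x04, 0x03,  /* SHA-256/ECDSA */
		0x02, 0x03,  /* SHA-1/ECDSA */
	};

	/* A negative length or a cursor outside [d, d+n] cannot be a valid
	 * extension block; bail before any arithmetic relative to |data|. */
	if (n < 0 || data < d || data > d + n)
		return;
	remaining = (size_t)(d + n - data);

	/* Skip the 2-byte total extensions length.  The previous test
	 * (data >= d+n-2) required at least three bytes here; keep that. */
	if (remaining <= 2)
		return;
	data += 2;
	remaining -= 2;

	/* First extension header: 2-byte type + 2-byte length. */
	if (remaining < 4)
		return;
	n2s(data,type);
	n2s(data,size);
	remaining -= 4;

	/* Safari sends SNI first; anything else is not the fingerprint. */
	if (type != TLSEXT_TYPE_server_name)
		return;

	/* Skip the SNI body; its contents play no part in the match. */
	if (size > remaining)
		return;
	data += size;
	remaining -= size;

	/* Whatever follows must be exactly the known block(s), nothing more. */
	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
		{
		const size_t len1 = sizeof(kSafariExtensionsBlock);
		const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);

		if (remaining != len1 + len2)
			return;
		if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
			return;
		if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
			return;
		}
	else
		{
		const size_t len = sizeof(kSafariExtensionsBlock);

		if (remaining != len)
			return;
		if (memcmp(data, kSafariExtensionsBlock, len) != 0)
			return;
		}

	s->s3->is_probably_safari = 1;
	}
#endif /* !OPENSSL_NO_EC */

int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
	{
	unsigned short type;
	unsigned short size;
	unsigned short len;
	unsigned char *data = *p;
	int renegotiate_seen = 0;
	int sigalg_seen = 0;

	s->servername_done = 0;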
Nielsen s->tlsext_status_type = -1; 9871f13597dSJung-uk Kim #ifndef OPENSSL_NO_NEXTPROTONEG 9881f13597dSJung-uk Kim s->s3->next_proto_neg_seen = 0; 9891f13597dSJung-uk Kim #endif 9901f13597dSJung-uk Kim 9911f13597dSJung-uk Kim #ifndef OPENSSL_NO_HEARTBEATS 9921f13597dSJung-uk Kim s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 9931f13597dSJung-uk Kim SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 9941f13597dSJung-uk Kim #endif 995db522d3aSSimon L. B. Nielsen 996de78d5d8SJung-uk Kim #ifndef OPENSSL_NO_EC 997de78d5d8SJung-uk Kim if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 998de78d5d8SJung-uk Kim ssl_check_for_safari(s, data, d, n); 999de78d5d8SJung-uk Kim #endif /* !OPENSSL_NO_EC */ 1000de78d5d8SJung-uk Kim 1001db522d3aSSimon L. B. Nielsen if (data >= (d+n-2)) 10026a599222SSimon L. B. Nielsen goto ri_check; 1003db522d3aSSimon L. B. Nielsen n2s(data,len); 1004db522d3aSSimon L. B. Nielsen 1005db522d3aSSimon L. B. Nielsen if (data > (d+n-len)) 10066a599222SSimon L. B. Nielsen goto ri_check; 1007db522d3aSSimon L. B. Nielsen 1008db522d3aSSimon L. B. Nielsen while (data <= (d+n-4)) 1009db522d3aSSimon L. B. Nielsen { 1010db522d3aSSimon L. B. Nielsen n2s(data,type); 1011db522d3aSSimon L. B. Nielsen n2s(data,size); 1012db522d3aSSimon L. B. Nielsen 1013db522d3aSSimon L. B. Nielsen if (data+size > (d+n)) 10146a599222SSimon L. B. Nielsen goto ri_check; 10151f13597dSJung-uk Kim #if 0 10161f13597dSJung-uk Kim fprintf(stderr,"Received extension type %d size %d\n",type,size); 10171f13597dSJung-uk Kim #endif 1018db522d3aSSimon L. B. Nielsen if (s->tlsext_debug_cb) 1019db522d3aSSimon L. B. Nielsen s->tlsext_debug_cb(s, 0, type, data, size, 1020db522d3aSSimon L. B. Nielsen s->tlsext_debug_arg); 1021db522d3aSSimon L. B. Nielsen /* The servername extension is treated as follows: 1022db522d3aSSimon L. B. Nielsen 1023db522d3aSSimon L. B. Nielsen - Only the hostname type is supported with a maximum length of 255. 1024db522d3aSSimon L. B. 
Nielsen - The servername is rejected if too long or if it contains zeros, 1025db522d3aSSimon L. B. Nielsen in which case an fatal alert is generated. 1026db522d3aSSimon L. B. Nielsen - The servername field is maintained together with the session cache. 1027db522d3aSSimon L. B. Nielsen - When a session is resumed, the servername call back invoked in order 1028db522d3aSSimon L. B. Nielsen to allow the application to position itself to the right context. 1029db522d3aSSimon L. B. Nielsen - The servername is acknowledged if it is new for a session or when 1030db522d3aSSimon L. B. Nielsen it is identical to a previously used for the same session. 1031db522d3aSSimon L. B. Nielsen Applications can control the behaviour. They can at any time 1032db522d3aSSimon L. B. Nielsen set a 'desirable' servername for a new SSL object. This can be the 1033db522d3aSSimon L. B. Nielsen case for example with HTTPS when a Host: header field is received and 1034db522d3aSSimon L. B. Nielsen a renegotiation is requested. In this case, a possible servername 1035db522d3aSSimon L. B. Nielsen presented in the new client hello is only acknowledged if it matches 1036db522d3aSSimon L. B. Nielsen the value of the Host: field. 1037db522d3aSSimon L. B. Nielsen - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1038db522d3aSSimon L. B. Nielsen if they provide for changing an explicit servername context for the session, 1039db522d3aSSimon L. B. Nielsen i.e. when the session has been established with a servername extension. 1040db522d3aSSimon L. B. Nielsen - On session reconnect, the servername extension may be absent. 1041db522d3aSSimon L. B. Nielsen 1042db522d3aSSimon L. B. Nielsen */ 1043db522d3aSSimon L. B. Nielsen 1044db522d3aSSimon L. B. Nielsen if (type == TLSEXT_TYPE_server_name) 1045db522d3aSSimon L. B. Nielsen { 1046db522d3aSSimon L. B. Nielsen unsigned char *sdata; 1047db522d3aSSimon L. B. Nielsen int servname_type; 1048db522d3aSSimon L. B. 
Nielsen int dsize; 1049db522d3aSSimon L. B. Nielsen 1050db522d3aSSimon L. B. Nielsen if (size < 2) 1051db522d3aSSimon L. B. Nielsen { 1052db522d3aSSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 1053db522d3aSSimon L. B. Nielsen return 0; 1054db522d3aSSimon L. B. Nielsen } 1055db522d3aSSimon L. B. Nielsen n2s(data,dsize); 1056db522d3aSSimon L. B. Nielsen size -= 2; 1057db522d3aSSimon L. B. Nielsen if (dsize > size ) 1058db522d3aSSimon L. B. Nielsen { 1059db522d3aSSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 1060db522d3aSSimon L. B. Nielsen return 0; 1061db522d3aSSimon L. B. Nielsen } 1062db522d3aSSimon L. B. Nielsen 1063db522d3aSSimon L. B. Nielsen sdata = data; 1064db522d3aSSimon L. B. Nielsen while (dsize > 3) 1065db522d3aSSimon L. B. Nielsen { 1066db522d3aSSimon L. B. Nielsen servname_type = *(sdata++); 1067db522d3aSSimon L. B. Nielsen n2s(sdata,len); 1068db522d3aSSimon L. B. Nielsen dsize -= 3; 1069db522d3aSSimon L. B. Nielsen 1070db522d3aSSimon L. B. Nielsen if (len > dsize) 1071db522d3aSSimon L. B. Nielsen { 1072db522d3aSSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 1073db522d3aSSimon L. B. Nielsen return 0; 1074db522d3aSSimon L. B. Nielsen } 1075db522d3aSSimon L. B. Nielsen if (s->servername_done == 0) 1076db522d3aSSimon L. B. Nielsen switch (servname_type) 1077db522d3aSSimon L. B. Nielsen { 1078db522d3aSSimon L. B. Nielsen case TLSEXT_NAMETYPE_host_name: 1079a3ddd25aSSimon L. B. Nielsen if (!s->hit) 1080db522d3aSSimon L. B. Nielsen { 1081a3ddd25aSSimon L. B. Nielsen if(s->session->tlsext_hostname) 1082a3ddd25aSSimon L. B. Nielsen { 1083a3ddd25aSSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 1084a3ddd25aSSimon L. B. Nielsen return 0; 1085a3ddd25aSSimon L. B. Nielsen } 1086a3ddd25aSSimon L. B. Nielsen if (len > TLSEXT_MAXLEN_host_name) 1087db522d3aSSimon L. B. Nielsen { 1088db522d3aSSimon L. B. Nielsen *al = TLS1_AD_UNRECOGNIZED_NAME; 1089db522d3aSSimon L. B. Nielsen return 0; 1090db522d3aSSimon L. B. Nielsen } 1091a3ddd25aSSimon L. B. 
Nielsen if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) 1092a3ddd25aSSimon L. B. Nielsen { 1093a3ddd25aSSimon L. B. Nielsen *al = TLS1_AD_INTERNAL_ERROR; 1094a3ddd25aSSimon L. B. Nielsen return 0; 1095a3ddd25aSSimon L. B. Nielsen } 1096db522d3aSSimon L. B. Nielsen memcpy(s->session->tlsext_hostname, sdata, len); 1097db522d3aSSimon L. B. Nielsen s->session->tlsext_hostname[len]='\0'; 1098db522d3aSSimon L. B. Nielsen if (strlen(s->session->tlsext_hostname) != len) { 1099db522d3aSSimon L. B. Nielsen OPENSSL_free(s->session->tlsext_hostname); 1100db522d3aSSimon L. B. Nielsen s->session->tlsext_hostname = NULL; 1101db522d3aSSimon L. B. Nielsen *al = TLS1_AD_UNRECOGNIZED_NAME; 1102db522d3aSSimon L. B. Nielsen return 0; 1103db522d3aSSimon L. B. Nielsen } 1104db522d3aSSimon L. B. Nielsen s->servername_done = 1; 1105db522d3aSSimon L. B. Nielsen 1106db522d3aSSimon L. B. Nielsen } 1107db522d3aSSimon L. B. Nielsen else 1108a3ddd25aSSimon L. B. Nielsen s->servername_done = s->session->tlsext_hostname 1109a3ddd25aSSimon L. B. Nielsen && strlen(s->session->tlsext_hostname) == len 1110db522d3aSSimon L. B. Nielsen && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1111db522d3aSSimon L. B. Nielsen 1112db522d3aSSimon L. B. Nielsen break; 1113db522d3aSSimon L. B. Nielsen 1114db522d3aSSimon L. B. Nielsen default: 1115db522d3aSSimon L. B. Nielsen break; 1116db522d3aSSimon L. B. Nielsen } 1117db522d3aSSimon L. B. Nielsen 1118db522d3aSSimon L. B. Nielsen dsize -= len; 1119db522d3aSSimon L. B. Nielsen } 1120db522d3aSSimon L. B. Nielsen if (dsize != 0) 1121db522d3aSSimon L. B. Nielsen { 1122db522d3aSSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 1123db522d3aSSimon L. B. Nielsen return 0; 1124db522d3aSSimon L. B. Nielsen } 1125db522d3aSSimon L. B. Nielsen 1126db522d3aSSimon L. B. 
Nielsen } 11271f13597dSJung-uk Kim #ifndef OPENSSL_NO_SRP 11281f13597dSJung-uk Kim else if (type == TLSEXT_TYPE_srp) 11291f13597dSJung-uk Kim { 11301f13597dSJung-uk Kim if (size <= 0 || ((len = data[0])) != (size -1)) 11311f13597dSJung-uk Kim { 11321f13597dSJung-uk Kim *al = SSL_AD_DECODE_ERROR; 11331f13597dSJung-uk Kim return 0; 11341f13597dSJung-uk Kim } 11351f13597dSJung-uk Kim if (s->srp_ctx.login != NULL) 11361f13597dSJung-uk Kim { 11371f13597dSJung-uk Kim *al = SSL_AD_DECODE_ERROR; 11381f13597dSJung-uk Kim return 0; 11391f13597dSJung-uk Kim } 11401f13597dSJung-uk Kim if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL) 11411f13597dSJung-uk Kim return -1; 11421f13597dSJung-uk Kim memcpy(s->srp_ctx.login, &data[1], len); 11431f13597dSJung-uk Kim s->srp_ctx.login[len]='\0'; 11441f13597dSJung-uk Kim 11451f13597dSJung-uk Kim if (strlen(s->srp_ctx.login) != len) 11461f13597dSJung-uk Kim { 11471f13597dSJung-uk Kim *al = SSL_AD_DECODE_ERROR; 11481f13597dSJung-uk Kim return 0; 11491f13597dSJung-uk Kim } 11501f13597dSJung-uk Kim } 11511f13597dSJung-uk Kim #endif 11521f13597dSJung-uk Kim 11531f13597dSJung-uk Kim #ifndef OPENSSL_NO_EC 1154*a93cbc2bSJung-uk Kim else if (type == TLSEXT_TYPE_ec_point_formats) 11551f13597dSJung-uk Kim { 11561f13597dSJung-uk Kim unsigned char *sdata = data; 11571f13597dSJung-uk Kim int ecpointformatlist_length = *(sdata++); 11581f13597dSJung-uk Kim 11591f13597dSJung-uk Kim if (ecpointformatlist_length != size - 1) 11601f13597dSJung-uk Kim { 11611f13597dSJung-uk Kim *al = TLS1_AD_DECODE_ERROR; 11621f13597dSJung-uk Kim return 0; 11631f13597dSJung-uk Kim } 11641f13597dSJung-uk Kim if (!s->hit) 11651f13597dSJung-uk Kim { 11661f13597dSJung-uk Kim if(s->session->tlsext_ecpointformatlist) 11671f13597dSJung-uk Kim { 11681f13597dSJung-uk Kim OPENSSL_free(s->session->tlsext_ecpointformatlist); 11691f13597dSJung-uk Kim s->session->tlsext_ecpointformatlist = NULL; 11701f13597dSJung-uk Kim } 11711f13597dSJung-uk Kim 
s->session->tlsext_ecpointformatlist_length = 0; 11721f13597dSJung-uk Kim if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 11731f13597dSJung-uk Kim { 11741f13597dSJung-uk Kim *al = TLS1_AD_INTERNAL_ERROR; 11751f13597dSJung-uk Kim return 0; 11761f13597dSJung-uk Kim } 11771f13597dSJung-uk Kim s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 11781f13597dSJung-uk Kim memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 11791f13597dSJung-uk Kim } 11801f13597dSJung-uk Kim #if 0 11811f13597dSJung-uk Kim fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); 11821f13597dSJung-uk Kim sdata = s->session->tlsext_ecpointformatlist; 11831f13597dSJung-uk Kim for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 11841f13597dSJung-uk Kim fprintf(stderr,"%i ",*(sdata++)); 11851f13597dSJung-uk Kim fprintf(stderr,"\n"); 11861f13597dSJung-uk Kim #endif 11871f13597dSJung-uk Kim } 1188*a93cbc2bSJung-uk Kim else if (type == TLSEXT_TYPE_elliptic_curves) 11891f13597dSJung-uk Kim { 11901f13597dSJung-uk Kim unsigned char *sdata = data; 11911f13597dSJung-uk Kim int ellipticcurvelist_length = (*(sdata++) << 8); 11921f13597dSJung-uk Kim ellipticcurvelist_length += (*(sdata++)); 11931f13597dSJung-uk Kim 119409286989SJung-uk Kim if (ellipticcurvelist_length != size - 2 || 119509286989SJung-uk Kim ellipticcurvelist_length < 1) 11961f13597dSJung-uk Kim { 11971f13597dSJung-uk Kim *al = TLS1_AD_DECODE_ERROR; 11981f13597dSJung-uk Kim return 0; 11991f13597dSJung-uk Kim } 12001f13597dSJung-uk Kim if (!s->hit) 12011f13597dSJung-uk Kim { 12021f13597dSJung-uk Kim if(s->session->tlsext_ellipticcurvelist) 12031f13597dSJung-uk Kim { 12041f13597dSJung-uk Kim *al = TLS1_AD_DECODE_ERROR; 12051f13597dSJung-uk Kim return 0; 12061f13597dSJung-uk Kim } 12071f13597dSJung-uk Kim s->session->tlsext_ellipticcurvelist_length = 0; 
12081f13597dSJung-uk Kim if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) 12091f13597dSJung-uk Kim { 12101f13597dSJung-uk Kim *al = TLS1_AD_INTERNAL_ERROR; 12111f13597dSJung-uk Kim return 0; 12121f13597dSJung-uk Kim } 12131f13597dSJung-uk Kim s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; 12141f13597dSJung-uk Kim memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); 12151f13597dSJung-uk Kim } 12161f13597dSJung-uk Kim #if 0 12171f13597dSJung-uk Kim fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); 12181f13597dSJung-uk Kim sdata = s->session->tlsext_ellipticcurvelist; 12191f13597dSJung-uk Kim for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) 12201f13597dSJung-uk Kim fprintf(stderr,"%i ",*(sdata++)); 12211f13597dSJung-uk Kim fprintf(stderr,"\n"); 12221f13597dSJung-uk Kim #endif 12231f13597dSJung-uk Kim } 12241f13597dSJung-uk Kim #endif /* OPENSSL_NO_EC */ 12251f13597dSJung-uk Kim #ifdef TLSEXT_TYPE_opaque_prf_input 12261f13597dSJung-uk Kim else if (type == TLSEXT_TYPE_opaque_prf_input && 12271f13597dSJung-uk Kim s->version != DTLS1_VERSION) 12281f13597dSJung-uk Kim { 12291f13597dSJung-uk Kim unsigned char *sdata = data; 12301f13597dSJung-uk Kim 12311f13597dSJung-uk Kim if (size < 2) 12321f13597dSJung-uk Kim { 12331f13597dSJung-uk Kim *al = SSL_AD_DECODE_ERROR; 12341f13597dSJung-uk Kim return 0; 12351f13597dSJung-uk Kim } 12361f13597dSJung-uk Kim n2s(sdata, s->s3->client_opaque_prf_input_len); 12371f13597dSJung-uk Kim if (s->s3->client_opaque_prf_input_len != size - 2) 12381f13597dSJung-uk Kim { 12391f13597dSJung-uk Kim *al = SSL_AD_DECODE_ERROR; 12401f13597dSJung-uk Kim return 0; 12411f13597dSJung-uk Kim } 12421f13597dSJung-uk Kim 12431f13597dSJung-uk Kim if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 12441f13597dSJung-uk Kim 
OPENSSL_free(s->s3->client_opaque_prf_input); 12451f13597dSJung-uk Kim if (s->s3->client_opaque_prf_input_len == 0) 12461f13597dSJung-uk Kim s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 12471f13597dSJung-uk Kim else 12481f13597dSJung-uk Kim s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); 12491f13597dSJung-uk Kim if (s->s3->client_opaque_prf_input == NULL) 12501f13597dSJung-uk Kim { 12511f13597dSJung-uk Kim *al = TLS1_AD_INTERNAL_ERROR; 12521f13597dSJung-uk Kim return 0; 12531f13597dSJung-uk Kim } 12541f13597dSJung-uk Kim } 12551f13597dSJung-uk Kim #endif 12561f13597dSJung-uk Kim else if (type == TLSEXT_TYPE_session_ticket) 12571f13597dSJung-uk Kim { 12581f13597dSJung-uk Kim if (s->tls_session_ticket_ext_cb && 12591f13597dSJung-uk Kim !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 12601f13597dSJung-uk Kim { 12611f13597dSJung-uk Kim *al = TLS1_AD_INTERNAL_ERROR; 12621f13597dSJung-uk Kim return 0; 12631f13597dSJung-uk Kim } 12641f13597dSJung-uk Kim } 12656a599222SSimon L. B. Nielsen else if (type == TLSEXT_TYPE_renegotiate) 12666a599222SSimon L. B. Nielsen { 12676a599222SSimon L. B. Nielsen if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) 12686a599222SSimon L. B. Nielsen return 0; 12696a599222SSimon L. B. Nielsen renegotiate_seen = 1; 12706a599222SSimon L. B. 
Nielsen } 12711f13597dSJung-uk Kim else if (type == TLSEXT_TYPE_signature_algorithms) 12721f13597dSJung-uk Kim { 12731f13597dSJung-uk Kim int dsize; 12741f13597dSJung-uk Kim if (sigalg_seen || size < 2) 12751f13597dSJung-uk Kim { 12761f13597dSJung-uk Kim *al = SSL_AD_DECODE_ERROR; 12771f13597dSJung-uk Kim return 0; 12781f13597dSJung-uk Kim } 12791f13597dSJung-uk Kim sigalg_seen = 1; 12801f13597dSJung-uk Kim n2s(data,dsize); 12811f13597dSJung-uk Kim size -= 2; 12821f13597dSJung-uk Kim if (dsize != size || dsize & 1) 12831f13597dSJung-uk Kim { 12841f13597dSJung-uk Kim *al = SSL_AD_DECODE_ERROR; 12851f13597dSJung-uk Kim return 0; 12861f13597dSJung-uk Kim } 12871f13597dSJung-uk Kim if (!tls1_process_sigalgs(s, data, dsize)) 12881f13597dSJung-uk Kim { 12891f13597dSJung-uk Kim *al = SSL_AD_DECODE_ERROR; 12901f13597dSJung-uk Kim return 0; 12911f13597dSJung-uk Kim } 12921f13597dSJung-uk Kim } 12936a599222SSimon L. B. Nielsen else if (type == TLSEXT_TYPE_status_request && 1294560ede85SJung-uk Kim s->version != DTLS1_VERSION) 1295db522d3aSSimon L. B. Nielsen { 1296db522d3aSSimon L. B. Nielsen 1297db522d3aSSimon L. B. Nielsen if (size < 5) 1298db522d3aSSimon L. B. Nielsen { 1299db522d3aSSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 1300db522d3aSSimon L. B. Nielsen return 0; 1301db522d3aSSimon L. B. Nielsen } 1302db522d3aSSimon L. B. Nielsen 1303db522d3aSSimon L. B. Nielsen s->tlsext_status_type = *data++; 1304db522d3aSSimon L. B. Nielsen size--; 1305db522d3aSSimon L. B. Nielsen if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 1306db522d3aSSimon L. B. Nielsen { 1307db522d3aSSimon L. B. Nielsen const unsigned char *sdata; 1308db522d3aSSimon L. B. Nielsen int dsize; 1309db522d3aSSimon L. B. Nielsen /* Read in responder_id_list */ 1310db522d3aSSimon L. B. Nielsen n2s(data,dsize); 1311db522d3aSSimon L. B. Nielsen size -= 2; 1312db522d3aSSimon L. B. Nielsen if (dsize > size ) 1313db522d3aSSimon L. B. Nielsen { 1314db522d3aSSimon L. B. 
Nielsen *al = SSL_AD_DECODE_ERROR; 1315db522d3aSSimon L. B. Nielsen return 0; 1316db522d3aSSimon L. B. Nielsen } 1317db522d3aSSimon L. B. Nielsen while (dsize > 0) 1318db522d3aSSimon L. B. Nielsen { 1319db522d3aSSimon L. B. Nielsen OCSP_RESPID *id; 1320db522d3aSSimon L. B. Nielsen int idsize; 1321db522d3aSSimon L. B. Nielsen if (dsize < 4) 1322db522d3aSSimon L. B. Nielsen { 1323db522d3aSSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 1324db522d3aSSimon L. B. Nielsen return 0; 1325db522d3aSSimon L. B. Nielsen } 1326db522d3aSSimon L. B. Nielsen n2s(data, idsize); 1327db522d3aSSimon L. B. Nielsen dsize -= 2 + idsize; 13280a704568SSimon L. B. Nielsen size -= 2 + idsize; 1329db522d3aSSimon L. B. Nielsen if (dsize < 0) 1330db522d3aSSimon L. B. Nielsen { 1331db522d3aSSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 1332db522d3aSSimon L. B. Nielsen return 0; 1333db522d3aSSimon L. B. Nielsen } 1334db522d3aSSimon L. B. Nielsen sdata = data; 1335db522d3aSSimon L. B. Nielsen data += idsize; 1336db522d3aSSimon L. B. Nielsen id = d2i_OCSP_RESPID(NULL, 1337db522d3aSSimon L. B. Nielsen &sdata, idsize); 1338db522d3aSSimon L. B. Nielsen if (!id) 1339db522d3aSSimon L. B. Nielsen { 1340db522d3aSSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 1341db522d3aSSimon L. B. Nielsen return 0; 1342db522d3aSSimon L. B. Nielsen } 1343db522d3aSSimon L. B. Nielsen if (data != sdata) 1344db522d3aSSimon L. B. Nielsen { 1345db522d3aSSimon L. B. Nielsen OCSP_RESPID_free(id); 1346db522d3aSSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 1347db522d3aSSimon L. B. Nielsen return 0; 1348db522d3aSSimon L. B. Nielsen } 1349db522d3aSSimon L. B. Nielsen if (!s->tlsext_ocsp_ids 1350db522d3aSSimon L. B. Nielsen && !(s->tlsext_ocsp_ids = 1351db522d3aSSimon L. B. Nielsen sk_OCSP_RESPID_new_null())) 1352db522d3aSSimon L. B. Nielsen { 1353db522d3aSSimon L. B. Nielsen OCSP_RESPID_free(id); 1354db522d3aSSimon L. B. Nielsen *al = SSL_AD_INTERNAL_ERROR; 1355db522d3aSSimon L. B. Nielsen return 0; 1356db522d3aSSimon L. B. 
Nielsen } 1357db522d3aSSimon L. B. Nielsen if (!sk_OCSP_RESPID_push( 1358db522d3aSSimon L. B. Nielsen s->tlsext_ocsp_ids, id)) 1359db522d3aSSimon L. B. Nielsen { 1360db522d3aSSimon L. B. Nielsen OCSP_RESPID_free(id); 1361db522d3aSSimon L. B. Nielsen *al = SSL_AD_INTERNAL_ERROR; 1362db522d3aSSimon L. B. Nielsen return 0; 1363db522d3aSSimon L. B. Nielsen } 1364db522d3aSSimon L. B. Nielsen } 1365db522d3aSSimon L. B. Nielsen 1366db522d3aSSimon L. B. Nielsen /* Read in request_extensions */ 13670a704568SSimon L. B. Nielsen if (size < 2) 13680a704568SSimon L. B. Nielsen { 13690a704568SSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 13700a704568SSimon L. B. Nielsen return 0; 13710a704568SSimon L. B. Nielsen } 1372db522d3aSSimon L. B. Nielsen n2s(data,dsize); 1373db522d3aSSimon L. B. Nielsen size -= 2; 13740a704568SSimon L. B. Nielsen if (dsize != size) 1375db522d3aSSimon L. B. Nielsen { 1376db522d3aSSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 1377db522d3aSSimon L. B. Nielsen return 0; 1378db522d3aSSimon L. B. Nielsen } 1379db522d3aSSimon L. B. Nielsen sdata = data; 1380db522d3aSSimon L. B. Nielsen if (dsize > 0) 1381db522d3aSSimon L. B. Nielsen { 138212de4ed2SJung-uk Kim if (s->tlsext_ocsp_exts) 138312de4ed2SJung-uk Kim { 138412de4ed2SJung-uk Kim sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 138512de4ed2SJung-uk Kim X509_EXTENSION_free); 138612de4ed2SJung-uk Kim } 138712de4ed2SJung-uk Kim 1388db522d3aSSimon L. B. Nielsen s->tlsext_ocsp_exts = 1389db522d3aSSimon L. B. Nielsen d2i_X509_EXTENSIONS(NULL, 1390db522d3aSSimon L. B. Nielsen &sdata, dsize); 1391db522d3aSSimon L. B. Nielsen if (!s->tlsext_ocsp_exts 1392db522d3aSSimon L. B. Nielsen || (data + dsize != sdata)) 1393db522d3aSSimon L. B. Nielsen { 1394db522d3aSSimon L. B. Nielsen *al = SSL_AD_DECODE_ERROR; 1395db522d3aSSimon L. B. Nielsen return 0; 1396db522d3aSSimon L. B. Nielsen } 1397db522d3aSSimon L. B. Nielsen } 1398db522d3aSSimon L. B. Nielsen } 1399db522d3aSSimon L. B. 
Nielsen /* We don't know what to do with any other type 1400db522d3aSSimon L. B. Nielsen * so ignore it. 1401db522d3aSSimon L. B. Nielsen */ 1402db522d3aSSimon L. B. Nielsen else 1403db522d3aSSimon L. B. Nielsen s->tlsext_status_type = -1; 1404db522d3aSSimon L. B. Nielsen } 14051f13597dSJung-uk Kim #ifndef OPENSSL_NO_HEARTBEATS 14061f13597dSJung-uk Kim else if (type == TLSEXT_TYPE_heartbeat) 14071f13597dSJung-uk Kim { 14081f13597dSJung-uk Kim switch(data[0]) 14091f13597dSJung-uk Kim { 14101f13597dSJung-uk Kim case 0x01: /* Client allows us to send HB requests */ 14111f13597dSJung-uk Kim s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 14121f13597dSJung-uk Kim break; 14131f13597dSJung-uk Kim case 0x02: /* Client doesn't accept HB requests */ 14141f13597dSJung-uk Kim s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 14151f13597dSJung-uk Kim s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 14161f13597dSJung-uk Kim break; 14171f13597dSJung-uk Kim default: *al = SSL_AD_ILLEGAL_PARAMETER; 14181f13597dSJung-uk Kim return 0; 14191f13597dSJung-uk Kim } 14201f13597dSJung-uk Kim } 14211f13597dSJung-uk Kim #endif 14221f13597dSJung-uk Kim #ifndef OPENSSL_NO_NEXTPROTONEG 14231f13597dSJung-uk Kim else if (type == TLSEXT_TYPE_next_proto_neg && 14241f13597dSJung-uk Kim s->s3->tmp.finish_md_len == 0) 14251f13597dSJung-uk Kim { 14261f13597dSJung-uk Kim /* We shouldn't accept this extension on a 14271f13597dSJung-uk Kim * renegotiation. 14281f13597dSJung-uk Kim * 14291f13597dSJung-uk Kim * s->new_session will be set on renegotiation, but we 14301f13597dSJung-uk Kim * probably shouldn't rely that it couldn't be set on 14311f13597dSJung-uk Kim * the initial renegotation too in certain cases (when 14321f13597dSJung-uk Kim * there's some other reason to disallow resuming an 14331f13597dSJung-uk Kim * earlier session -- the current code won't be doing 14341f13597dSJung-uk Kim * anything like that, but this might change). 
14351f13597dSJung-uk Kim 14361f13597dSJung-uk Kim * A valid sign that there's been a previous handshake 14371f13597dSJung-uk Kim * in this connection is if s->s3->tmp.finish_md_len > 14381f13597dSJung-uk Kim * 0. (We are talking about a check that will happen 14391f13597dSJung-uk Kim * in the Hello protocol round, well before a new 14401f13597dSJung-uk Kim * Finished message could have been computed.) */ 14411f13597dSJung-uk Kim s->s3->next_proto_neg_seen = 1; 14421f13597dSJung-uk Kim } 14431f13597dSJung-uk Kim #endif 14446a599222SSimon L. B. Nielsen 1445db522d3aSSimon L. B. Nielsen /* session ticket processed earlier */ 144609286989SJung-uk Kim #ifndef OPENSSL_NO_SRTP 14471f13597dSJung-uk Kim else if (type == TLSEXT_TYPE_use_srtp) 14481f13597dSJung-uk Kim { 14491f13597dSJung-uk Kim if(ssl_parse_clienthello_use_srtp_ext(s, data, size, 14501f13597dSJung-uk Kim al)) 14511f13597dSJung-uk Kim return 0; 14521f13597dSJung-uk Kim } 145309286989SJung-uk Kim #endif 1454db522d3aSSimon L. B. Nielsen 1455db522d3aSSimon L. B. Nielsen data+=size; 1456db522d3aSSimon L. B. Nielsen } 14571f13597dSJung-uk Kim 1458db522d3aSSimon L. B. Nielsen *p = data; 14596a599222SSimon L. B. Nielsen 14606a599222SSimon L. B. Nielsen ri_check: 14616a599222SSimon L. B. Nielsen 14626a599222SSimon L. B. Nielsen /* Need RI if renegotiating */ 14636a599222SSimon L. B. Nielsen 14641f13597dSJung-uk Kim if (!renegotiate_seen && s->renegotiate && 14656a599222SSimon L. B. Nielsen !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 14666a599222SSimon L. B. Nielsen { 14676a599222SSimon L. B. Nielsen *al = SSL_AD_HANDSHAKE_FAILURE; 14686a599222SSimon L. B. Nielsen SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 14696a599222SSimon L. B. Nielsen SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 14706a599222SSimon L. B. Nielsen return 0; 14716a599222SSimon L. B. Nielsen } 14726a599222SSimon L. B. Nielsen 1473db522d3aSSimon L. B. Nielsen return 1; 1474db522d3aSSimon L. B. Nielsen } 1475db522d3aSSimon L. B. 
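#ifndef OPENSSL_NO_NEXTPROTONEG
/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
 * elements of zero length are allowed and the set of elements must exactly fill
 * the length of the block.
 *
 * d   - start of the NPN block (a sequence of length-prefixed protocol names)
 * len - length of the block in bytes
 * Returns 1 if the block is well formed, 0 otherwise.
 */
static char ssl_next_proto_validate(unsigned char *d, unsigned len)
	{
	unsigned int off = 0;

	while (off < len)
		{
		/* Every read of d[off] is in bounds because off < len here. A zero
		 * length element would never advance past its own length byte and is
		 * rejected outright. */
		if (d[off] == 0)
			return 0;
		off += d[off];
		off++;
		}

	/* If the last element overran the block, off > len and we reject. */
	return off == len;
	}
#endif

/* ssl_parse_serverhello_tlsext parses the TLS extensions of a ServerHello.
 *
 * s  - the connection; extension results are recorded into s, s->s3 and
 *      s->session
 * p  - in: pointer to the start of the extensions block (the two length
 *      bytes); out: advanced past the extensions block on the normal path
 * d  - start of the handshake message body, n bytes long
 * n  - total length of the handshake message body
 * al - receives the alert to send when 0 is returned
 * Returns 1 on success, 0 on a fatal error with *al set.
 *
 * Each extension is dispatched on its type; unknown types are skipped.
 * After the loop the renegotiation indication (RI) policy is applied.
 */
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
	{
	unsigned short length;
	unsigned short type;
	unsigned short size;
	unsigned char *data = *p;
	int tlsext_servername = 0;
	int renegotiate_seen = 0;

#ifndef OPENSSL_NO_NEXTPROTONEG
	/* Reset per-handshake NPN state; this also lets us detect a duplicate
	 * next_proto_neg extension within this ServerHello below. */
	s->s3->next_proto_neg_seen = 0;
#endif

#ifndef OPENSSL_NO_HEARTBEATS
	/* Heartbeat mode is re-derived from this ServerHello. */
	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
#endif

	/* No room for an extensions length: treat as "no extensions" and go
	 * straight to the RI policy check. */
	if (data >= (d+n-2))
		goto ri_check;

	n2s(data,length);
	if (data+length != d+n)
		{
		*al = SSL_AD_DECODE_ERROR;
		return 0;
		}

	while(data <= (d+n-4))
		{
		n2s(data,type);
		n2s(data,size);

		/* NOTE(review): a truncated extension is not rejected here; *p is
		 * left untouched so the caller's message length check is relied on
		 * to fail the handshake -- confirm against ssl3_get_server_hello. */
		if (data+size > (d+n))
	   		goto ri_check;

		if (s->tlsext_debug_cb)
			s->tlsext_debug_cb(s, 1, type, data, size,
						s->tlsext_debug_arg);

		if (type == TLSEXT_TYPE_server_name)
			{
			/* Server may only echo an empty server_name if we sent one. */
			if (s->tlsext_hostname == NULL || size > 0)
				{
				*al = TLS1_AD_UNRECOGNIZED_NAME;
				return 0;
				}
			tlsext_servername = 1;
			}

#ifndef OPENSSL_NO_EC
		else if (type == TLSEXT_TYPE_ec_point_formats)
			{
			unsigned char *sdata = data;
			int ecpointformatlist_length = *(sdata++);

			/* One length byte followed by exactly that many format bytes,
			 * and the list must not be empty. */
			if (ecpointformatlist_length != size - 1 ||
				ecpointformatlist_length < 1)
				{
				*al = TLS1_AD_DECODE_ERROR;
				return 0;
				}
			/* Only record the list on a full handshake; on resumption the
			 * session already carries it. */
			if (!s->hit)
				{
				s->session->tlsext_ecpointformatlist_length = 0;
				if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
					{
					*al = TLS1_AD_INTERNAL_ERROR;
					return 0;
					}
				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
				}
			}
#endif /* OPENSSL_NO_EC */

		else if (type == TLSEXT_TYPE_session_ticket)
			{
			if (s->tls_session_ticket_ext_cb &&
			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
				{
				*al = TLS1_AD_INTERNAL_ERROR;
				return 0;
				}
			/* The server's session_ticket extension must be empty, and is
			 * only acceptable if tickets are enabled on our side. */
			if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
				|| (size > 0))
				{
				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
				return 0;
				}
			s->tlsext_ticket_expected = 1;
			}
#ifdef TLSEXT_TYPE_opaque_prf_input
		else if (type == TLSEXT_TYPE_opaque_prf_input &&
			s->version != DTLS1_VERSION)
			{
			unsigned char *sdata = data;

			if (size < 2)
				{
				*al = SSL_AD_DECODE_ERROR;
				return 0;
				}
			n2s(sdata, s->s3->server_opaque_prf_input_len);
			if (s->s3->server_opaque_prf_input_len != size - 2)
				{
				*al = SSL_AD_DECODE_ERROR;
				return 0;
				}

			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
				OPENSSL_free(s->s3->server_opaque_prf_input);
			if (s->s3->server_opaque_prf_input_len == 0)
				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
			else
				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);

			if (s->s3->server_opaque_prf_input == NULL)
				{
				*al = TLS1_AD_INTERNAL_ERROR;
				return 0;
				}
			}
#endif
		else if (type == TLSEXT_TYPE_status_request &&
		         s->version != DTLS1_VERSION)
			{
			/* MUST be empty and only sent if we've requested
			 * a status request message.
			 */
			if ((s->tlsext_status_type == -1) || (size > 0))
				{
				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
				return 0;
				}
			/* Set flag to expect CertificateStatus message */
			s->tlsext_status_expected = 1;
			}
#ifndef OPENSSL_NO_NEXTPROTONEG
		else if (type == TLSEXT_TYPE_next_proto_neg &&
			 s->s3->tmp.finish_md_len == 0)
			{
			unsigned char *selected;
			unsigned char selected_len;

			/* We must have requested it. */
			if (s->ctx->next_proto_select_cb == NULL)
				{
				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
				return 0;
				}
			/* A second next_proto_neg extension in the same ServerHello is
			 * a protocol violation; rejecting it also prevents the buffer
			 * allocated on the first pass from being overwritten. */
			if (s->s3->next_proto_neg_seen)
				{
				*al = TLS1_AD_DECODE_ERROR;
				return 0;
				}
			/* The data must be valid */
			if (!ssl_next_proto_validate(data, size))
				{
				*al = TLS1_AD_DECODE_ERROR;
				return 0;
				}
			if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
				{
				*al = TLS1_AD_INTERNAL_ERROR;
				return 0;
				}
			/* Do not leak a previously stored selection (the file's own
			 * NULL-guarded free style is kept). */
			if (s->next_proto_negotiated != NULL)
				OPENSSL_free(s->next_proto_negotiated);
			s->next_proto_negotiated = OPENSSL_malloc(selected_len);
			if (!s->next_proto_negotiated)
				{
				*al = TLS1_AD_INTERNAL_ERROR;
				return 0;
				}
			memcpy(s->next_proto_negotiated, selected, selected_len);
			s->next_proto_negotiated_len = selected_len;
			s->s3->next_proto_neg_seen = 1;
			}
#endif
		else if (type == TLSEXT_TYPE_renegotiate)
			{
			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
				return 0;
			renegotiate_seen = 1;
			}
#ifndef OPENSSL_NO_HEARTBEATS
		else if (type == TLSEXT_TYPE_heartbeat)
			{
			/* The code below inspects data[0]; an empty extension body must
			 * be rejected rather than reading the byte after the body. */
			if (size < 1)
				{
				*al = SSL_AD_DECODE_ERROR;
				return 0;
				}
			switch(data[0])
				{
				case 0x01:	/* Server allows us to send HB requests */
							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
							break;
				case 0x02:	/* Server doesn't accept HB requests */
							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
							break;
				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
							return 0;
				}
			}
#endif
#ifndef OPENSSL_NO_SRTP
		else if (type == TLSEXT_TYPE_use_srtp)
			{
			/* Note the inverted convention: a non-zero return means failure. */
			if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
							      al))
				return 0;
			}
#endif

		/* Unknown extension types are skipped. */
		data+=size;
		}

	/* The extensions must exactly fill the remainder of the message. */
	if (data != d+n)
		{
		*al = SSL_AD_DECODE_ERROR;
		return 0;
		}

	/* On a full handshake, remember the hostname we negotiated so a
	 * resumed session can be matched against it. */
	if (!s->hit && tlsext_servername == 1)
		{
		if (s->tlsext_hostname)
			{
			if (s->session->tlsext_hostname == NULL)
				{
				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
				if (!s->session->tlsext_hostname)
					{
					*al = SSL_AD_UNRECOGNIZED_NAME;
					return 0;
					}
				}
			else
				{
				*al = SSL_AD_DECODE_ERROR;
				return 0;
				}
			}
		}

	*p = data;

	ri_check:

	/* Determine if we need to see RI. Strictly speaking if we want to
	 * avoid an attack we should *always* see RI even on initial server
	 * hello because the client doesn't see any renegotiation during an
	 * attack. However this would mean we could not connect to any server
	 * which doesn't support RI so for the immediate future tolerate RI
	 * absence on initial connect only.
	 */
	if (!renegotiate_seen
		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
		{
		*al = SSL_AD_HANDSHAKE_FAILURE;
		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
		return 0;
		}

	return 1;
	}


/* ssl_prepare_clienthello_tlsext prepares per-connection state that the
 * ClientHello extension writer will consume.
 *
 * s - the connection
 * Returns 1 on success, -1 on failure (an error is queued with SSLerr or
 * the opaque PRF input callback refused).
 *
 * If an ECC cipher suite is offered, the supported point formats and the
 * curve list (derived from pref_list) are (re)built on s. If opaque PRF
 * input support is compiled in, the client-side input is copied into s->s3.
 */
int ssl_prepare_clienthello_tlsext(SSL *s)
	{
#ifndef OPENSSL_NO_EC
	/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
	 * and elliptic curves we support.
	 */
	int using_ecc = 0;
	int i;
	unsigned char *j;
	unsigned long alg_k, alg_a;
	STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);

	/* Any ECDH key exchange or ECDSA authentication in the offered
	 * suites is enough to require the EC extensions. */
	for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
		{
		SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);

		alg_k = c->algorithm_mkey;
		alg_a = c->algorithm_auth;
		if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
			{
			using_ecc = 1;
			break;
			}
		}
	/* The EC extensions are TLS-only. */
	using_ecc = using_ecc && (s->version >= TLS1_VERSION);
	if (using_ecc)
		{
		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
		/* Keep the length consistent with a NULL pointer if the
		 * allocation below fails. */
		s->tlsext_ecpointformatlist_length = 0;
		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
			{
			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
			return -1;
			}
		s->tlsext_ecpointformatlist_length = 3;
		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;

		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
		/* Two bytes (a curve id) per entry of pref_list. */
		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
			{
			s->tlsext_ellipticcurvelist_length = 0;
			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
			return -1;
			}
		for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
				sizeof(pref_list)/sizeof(pref_list[0]); i++)
			{
			int id = tls1_ec_nid2curve_id(pref_list[i]);
			s2n(id,j);
			}
		}
#endif /* OPENSSL_NO_EC */

#ifdef TLSEXT_TYPE_opaque_prf_input
 	{
		int r = 1;

		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
			{
			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
			if (!r)
				return -1;
			}

		if (s->tlsext_opaque_prf_input != NULL)
			{
			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
				OPENSSL_free(s->s3->client_opaque_prf_input);

			if (s->tlsext_opaque_prf_input_len == 0)
				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
			else
				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
			if (s->s3->client_opaque_prf_input == NULL)
				{
				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
				return -1;
				}
			s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
			}

		if (r == 2)
			/* at callback's request, insist on receiving an appropriate server opaque PRF input */
			s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
	}
#endif

	return 1;
	}

/* ssl_prepare_serverhello_tlsext prepares per-connection state that the
 * ServerHello extension writer will consume.
 *
 * s - the connection; s->s3->tmp.new_cipher must already be chosen
 * Returns 1 on success, -1 on allocation failure (error queued via SSLerr).
 */
int ssl_prepare_serverhello_tlsext(SSL *s)
	{
#ifndef OPENSSL_NO_EC
	/* If we are server and using an ECC cipher suite, send the point formats we support
	 * if the client sent us an ECPointsFormat extension.  Note that the server is not
	 * supposed to send an EllipticCurves extension.
	 */

	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
	int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
	/* Only answer if the client actually sent ec_point_formats. */
	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);

	if (using_ecc)
		{
		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
		/* Keep the length consistent with a NULL pointer if the
		 * allocation below fails. */
		s->tlsext_ecpointformatlist_length = 0;
		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
			{
			SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
			return -1;
			}
		s->tlsext_ecpointformatlist_length = 3;
		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
		}
#endif /* OPENSSL_NO_EC */

	return 1;
	}

int ssl_check_clienthello_tlsext_early(SSL *s)
	{
	int ret=SSL_TLSEXT_ERR_NOACK;
	int al = SSL_AD_UNRECOGNIZED_NAME;

#ifndef OPENSSL_NO_EC
	/* The handling of the ECPointFormats extension is done elsewhere, namely in
	 * ssl3_choose_cipher in s3_lib.c.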
18961f13597dSJung-uk Kim */ 18971f13597dSJung-uk Kim /* The handling of the EllipticCurves extension is done elsewhere, namely in 18981f13597dSJung-uk Kim * ssl3_choose_cipher in s3_lib.c. 18991f13597dSJung-uk Kim */ 19001f13597dSJung-uk Kim #endif 19011f13597dSJung-uk Kim 1902db522d3aSSimon L. B. Nielsen if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1903db522d3aSSimon L. B. Nielsen ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1904db522d3aSSimon L. B. Nielsen else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1905db522d3aSSimon L. B. Nielsen ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1906db522d3aSSimon L. B. Nielsen 19071f13597dSJung-uk Kim #ifdef TLSEXT_TYPE_opaque_prf_input 19081f13597dSJung-uk Kim { 19091f13597dSJung-uk Kim /* This sort of belongs into ssl_prepare_serverhello_tlsext(), 19101f13597dSJung-uk Kim * but we might be sending an alert in response to the client hello, 191109286989SJung-uk Kim * so this has to happen here in 191209286989SJung-uk Kim * ssl_check_clienthello_tlsext_early(). 
*/ 19131f13597dSJung-uk Kim 19141f13597dSJung-uk Kim int r = 1; 19151f13597dSJung-uk Kim 19161f13597dSJung-uk Kim if (s->ctx->tlsext_opaque_prf_input_callback != 0) 19171f13597dSJung-uk Kim { 19181f13597dSJung-uk Kim r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 19191f13597dSJung-uk Kim if (!r) 19201f13597dSJung-uk Kim { 19211f13597dSJung-uk Kim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 19221f13597dSJung-uk Kim al = SSL_AD_INTERNAL_ERROR; 19231f13597dSJung-uk Kim goto err; 19241f13597dSJung-uk Kim } 19251f13597dSJung-uk Kim } 19261f13597dSJung-uk Kim 19271f13597dSJung-uk Kim if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 19281f13597dSJung-uk Kim OPENSSL_free(s->s3->server_opaque_prf_input); 19291f13597dSJung-uk Kim s->s3->server_opaque_prf_input = NULL; 19301f13597dSJung-uk Kim 19311f13597dSJung-uk Kim if (s->tlsext_opaque_prf_input != NULL) 19321f13597dSJung-uk Kim { 19331f13597dSJung-uk Kim if (s->s3->client_opaque_prf_input != NULL && 19341f13597dSJung-uk Kim s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) 19351f13597dSJung-uk Kim { 19361f13597dSJung-uk Kim /* can only use this extension if we have a server opaque PRF input 19371f13597dSJung-uk Kim * of the same length as the client opaque PRF input! 
*/ 19381f13597dSJung-uk Kim 19391f13597dSJung-uk Kim if (s->tlsext_opaque_prf_input_len == 0) 19401f13597dSJung-uk Kim s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 19411f13597dSJung-uk Kim else 19421f13597dSJung-uk Kim s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 19431f13597dSJung-uk Kim if (s->s3->server_opaque_prf_input == NULL) 19441f13597dSJung-uk Kim { 19451f13597dSJung-uk Kim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 19461f13597dSJung-uk Kim al = SSL_AD_INTERNAL_ERROR; 19471f13597dSJung-uk Kim goto err; 19481f13597dSJung-uk Kim } 19491f13597dSJung-uk Kim s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 19501f13597dSJung-uk Kim } 19511f13597dSJung-uk Kim } 19521f13597dSJung-uk Kim 19531f13597dSJung-uk Kim if (r == 2 && s->s3->server_opaque_prf_input == NULL) 19541f13597dSJung-uk Kim { 19551f13597dSJung-uk Kim /* The callback wants to enforce use of the extension, 19561f13597dSJung-uk Kim * but we can't do that with the client opaque PRF input; 19571f13597dSJung-uk Kim * abort the handshake. 19581f13597dSJung-uk Kim */ 19591f13597dSJung-uk Kim ret = SSL_TLSEXT_ERR_ALERT_FATAL; 19601f13597dSJung-uk Kim al = SSL_AD_HANDSHAKE_FAILURE; 19611f13597dSJung-uk Kim } 19621f13597dSJung-uk Kim } 19631f13597dSJung-uk Kim 1964db522d3aSSimon L. B. Nielsen err: 196509286989SJung-uk Kim #endif 1966db522d3aSSimon L. B. Nielsen switch (ret) 1967db522d3aSSimon L. B. Nielsen { 1968db522d3aSSimon L. B. Nielsen case SSL_TLSEXT_ERR_ALERT_FATAL: 1969db522d3aSSimon L. B. Nielsen ssl3_send_alert(s,SSL3_AL_FATAL,al); 1970db522d3aSSimon L. B. Nielsen return -1; 1971db522d3aSSimon L. B. Nielsen 1972db522d3aSSimon L. B. Nielsen case SSL_TLSEXT_ERR_ALERT_WARNING: 1973db522d3aSSimon L. B. Nielsen ssl3_send_alert(s,SSL3_AL_WARNING,al); 1974db522d3aSSimon L. B. Nielsen return 1; 1975db522d3aSSimon L. B. Nielsen 1976db522d3aSSimon L. B. 
/* SSL_TLSEXT_ERR_NOACK: clear servername_done, then fall through to the
 * default (non-fatal) return. */
		case SSL_TLSEXT_ERR_NOACK:
			s->servername_done=0;
			/* fallthrough */
			default:
		return 1;
		}
	}

/* Server side, run after the cipher has been chosen (see the note below on
 * why the ordering matters): asks the application's status_request callback
 * whether an OCSP response will be sent and records the answer in
 * s->tlsext_status_expected.
 *
 * Returns -1 after sending a fatal alert, 1 otherwise.  ret only ever holds
 * SSL_TLSEXT_ERR_OK or SSL_TLSEXT_ERR_ALERT_FATAL here, so the
 * SSL_TLSEXT_ERR_ALERT_WARNING case of the final switch is not reachable
 * from this function, and al is assigned on the only path that reads it.
 */
int ssl_check_clienthello_tlsext_late(SSL *s)
	{
	int ret = SSL_TLSEXT_ERR_OK;
	int al;

	/* If status request then ask callback what to do.
 	 * Note: this must be called after servername callbacks in case
 	 * the certificate has changed, and must be called after the cipher
	 * has been chosen because this may influence which certificate is sent
 	 */
	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
		{
		int r;
		CERT_PKEY *certpkey;
		certpkey = ssl_get_server_send_pkey(s);
		/* If no certificate can't return certificate status */
		if (certpkey == NULL)
			{
			s->tlsext_status_expected = 0;
			return 1;
			}
		/* Set current certificate to one we will use so
		 * SSL_get_certificate et al can pick it up.
		 */
		s->cert->key = certpkey;
		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
		switch (r)
			{
			/* We don't want to send a status request response */
			case SSL_TLSEXT_ERR_NOACK:
				s->tlsext_status_expected = 0;
				break;
			/* status request response should be sent */
			case SSL_TLSEXT_ERR_OK:
				/* Only announce a response if the callback actually
				 * stored one in s->tlsext_ocsp_resp. */
				if (s->tlsext_ocsp_resp)
					s->tlsext_status_expected = 1;
				else
					s->tlsext_status_expected = 0;
				break;
			/* something bad happened */
			case SSL_TLSEXT_ERR_ALERT_FATAL:
				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
				al = SSL_AD_INTERNAL_ERROR;
				goto err;
			/* NOTE(review): there is no default case, so any other
			 * callback return value leaves s->tlsext_status_expected
			 * with whatever value it had before this call. */
			}
		}
	else
		s->tlsext_status_expected = 0;

 err:
	switch (ret)
		{
		case SSL_TLSEXT_ERR_ALERT_FATAL:
			ssl3_send_alert(s,SSL3_AL_FATAL,al);
			return -1;

		case SSL_TLSEXT_ERR_ALERT_WARNING:
			ssl3_send_alert(s,SSL3_AL_WARNING,al);
			return 1;

		default:
			return 1;
		}
	}

/* Client side: validates the extensions the server echoed in its ServerHello.
 *
 *  - ECPointFormats: when an ECC cipher was negotiated and BOTH sides sent a
 *    non-empty point-format list, the server's list must include
 *    "uncompressed"; otherwise SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST is
 *    queued and -1 returned without an alert.  If the client sent no list,
 *    the server's list is not inspected.
 *  - servername: the application callback (s->ctx, then s->initial_ctx) may
 *    override ret and al.
 *  - opaque PRF input: only when TLSEXT_TYPE_opaque_prf_input is built.
 *  - status_request: if we asked for a certificate status but the server
 *    did not announce one, the status callback is invoked with
 *    s->tlsext_ocsp_resp == NULL and resplen == -1 so it can decide whether
 *    that is acceptable (0 -> fatal bad_certificate_status_response,
 *    <0 -> fatal internal_error).
 *
 * Returns -1 after sending a fatal alert (or on the EC list failure above),
 * 1 otherwise.
 */
int ssl_check_serverhello_tlsext(SSL *s)
	{
	int ret=SSL_TLSEXT_ERR_NOACK;
	int al = SSL_AD_UNRECOGNIZED_NAME;

#ifndef OPENSSL_NO_EC
	/* If we are client and using an elliptic curve cryptography cipher
	 * suite, then if server returns an EC point formats lists extension
	 * it must contain uncompressed.
	 */
	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
	    (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
		{
		/* we are using an ECC cipher */
		size_t i;
		unsigned char *list;
		int found_uncompressed = 0;
		list = s->session->tlsext_ecpointformatlist;
		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
			{
			if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
				{
				found_uncompressed = 1;
				break;
				}
			}
		if (!found_uncompressed)
			{
			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
			return -1;
			}
		}
	/* Reached whenever the EC check passed or did not apply.  Note this
	 * sits inside the #ifndef: with OPENSSL_NO_EC, ret keeps its NOACK
	 * default unless a callback below changes it. */
	ret = SSL_TLSEXT_ERR_OK;
#endif /* OPENSSL_NO_EC */

	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);

#ifdef TLSEXT_TYPE_opaque_prf_input
	if (s->s3->server_opaque_prf_input_len > 0)
		{
		/* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
		 * So first verify that we really have a value from the server too. */

		if (s->s3->server_opaque_prf_input == NULL)
			{
			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
			al = SSL_AD_HANDSHAKE_FAILURE;
			}

		/* Anytime the server *has* sent an opaque PRF input, we need to check
		 * that we have a client opaque PRF input of the same size. */
		if (s->s3->client_opaque_prf_input == NULL ||
		    s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
			{
			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
			al = SSL_AD_ILLEGAL_PARAMETER;
			}
		}
#endif

	/* If we've requested certificate status and we wont get one
 	 * tell the callback
 	 */
	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
			&& s->ctx && s->ctx->tlsext_status_cb)
		{
		int r;
		/* Set resp to NULL, resplen to -1 so callback knows
 		 * there is no response.
 		 */
		if (s->tlsext_ocsp_resp)
			{
			OPENSSL_free(s->tlsext_ocsp_resp);
			s->tlsext_ocsp_resp = NULL;
			}
		s->tlsext_ocsp_resplen = -1;
		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
		if (r == 0)
			{
			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
			}
		if (r < 0)
			{
			al = SSL_AD_INTERNAL_ERROR;
			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
			}
		}

	switch (ret)
		{
		case SSL_TLSEXT_ERR_ALERT_FATAL:
			ssl3_send_alert(s,SSL3_AL_FATAL,al);
			return -1;

		case SSL_TLSEXT_ERR_ALERT_WARNING:
			ssl3_send_alert(s,SSL3_AL_WARNING,al);
			return 1;

		case SSL_TLSEXT_ERR_NOACK:
			s->servername_done=0;
			/* fallthrough */
			default:
		return 1;
		}
	}

/* Since the server cache lookup is done early on in the processing of the
 * ClientHello, and other operations depend on the result, we need to handle
 * any TLS session ticket extension at the same time.
 *
 *   session_id: points at the session ID in the ClientHello. This code will
 *       read past the end of this in order to parse out the session ticket
 *       extension, if any.
 *   len: the length of the session ID.
 *   limit: a pointer to the first byte after the ClientHello.
 *   ret: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.
 *
 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
 * ciphersuite, in which case we have no use for session tickets and one will
 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
 *
 * Returns:
 *   -1: fatal error, either from parsing or decrypting the ticket.
 *    0: no ticket was found (or was ignored, based on settings).
 *    1: a zero length extension was found, indicating that the client supports
 *       session tickets but doesn't currently have one to offer.
 *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
 *       couldn't be decrypted because of a non-fatal error.
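 *    3: a ticket was successfully decrypted and *ret was set.
 *
 * Side effects:
 *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
 *   a new session ticket to the client because the client indicated support
 *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
 *   a session ticket or we couldn't use the one it gave us, or if
 *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
 *   Otherwise, s->tlsext_ticket_expected is set to 0.
 *
 * Parsing notes: every length field is bounds-checked against limit before
 * it is read.  A truncated ClientHello yields -1 up to the start of the
 * extensions block and 0 once inside it (a malformed extension is simply
 * treated as "no ticket").
 */
int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
				const unsigned char *limit, SSL_SESSION **ret)
	{
	/* Point after session ID in client hello */
	const unsigned char *p = session_id + len;
	unsigned short i;

	*ret = NULL;
	s->tlsext_ticket_expected = 0;

	/* If tickets disabled behave as if no ticket present
	 * to permit stateful resumption.
	 */
	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
		return 0;
	/* Session tickets are a TLS extension; SSLv3 has none to parse. */
	if ((s->version <= SSL3_VERSION) || !limit)
		return 0;
	if (p >= limit)
		return -1;
	/* Skip past DTLS cookie */
	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
		{
		i = *(p++);
		p+= i;
		if (p >= limit)
			return -1;
		}
	/* Skip past cipher list.  The 2-byte length field must itself lie
	 * inside the message: the "p >= limit" tests above only guarantee
	 * one byte, so with exactly one byte left n2s() would read past
	 * limit.  (Any such message is rejected anyway once the length is
	 * added to p, so this changes nothing for well-formed input.) */
	if (p + 2 > limit)
		return -1;
	n2s(p, i);
	p+= i;
	if (p >= limit)
		return -1;
	/* Skip past compression algorithm list */
	i = *(p++);
	p += i;
	/* p == limit is legal here: a ClientHello without extensions. */
	if (p > limit)
		return -1;
	/* Now at start of extensions */
	if ((p + 2) >= limit)
		return 0;
	/* Total extensions length; the loop below bounds itself on limit
	 * instead, so this value is consumed but not otherwise used. */
	n2s(p, i);
	while ((p + 4) <= limit)
		{
		unsigned short type, size;
		n2s(p, type);
		n2s(p, size);
		if (p + size > limit)
			return 0;
		if (type == TLSEXT_TYPE_session_ticket)
			{
			int r;
			if (size == 0)
				{
				/* The client will accept a ticket but doesn't
				 * currently have one. */
				s->tlsext_ticket_expected = 1;
				return 1;
				}
			if (s->tls_session_secret_cb)
				{
				/* Indicate that the ticket couldn't be
				 * decrypted rather than generating the session
				 * from ticket now, trigger abbreviated
				 * handshake based on external mechanism to
				 * calculate the master secret later. */
				return 2;
				}
			/* Map tls_decrypt_ticket()'s result codes onto ours;
			 * only "decrypted, no renewal needed" leaves
			 * tlsext_ticket_expected at 0. */
			r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
			switch (r)
				{
				case 2: /* ticket couldn't be decrypted */
					s->tlsext_ticket_expected = 1;
					return 2;
				case 3: /* ticket was decrypted */
					return r;
				case 4: /* ticket decrypted but need to renew */
					s->tlsext_ticket_expected = 1;
					return 3;
				default: /* fatal error */
					return -1;
				}
			}
		p += size;
		}
	return 0;
	}

/* tls_decrypt_ticket attempts to decrypt a session ticket.
 *
 *   etick: points to the body of the session ticket extension.
 *   eticklen: the length of the session tickets extenion.
 *   sess_id: points at the session ID.
 *   sesslen: the length of the session ID.
 *   psess: (output) on return, if a ticket was decrypted, then this is set to
 *       point to the resulting session.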
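 *
 * Returns:
 *   -1: fatal error, either from parsing or decrypting the ticket.
 *    2: the ticket couldn't be decrypted.
 *    3: a ticket was successfully decrypted and *psess was set.
 *    4: same as 3, but the ticket needs to be renewed.
 *
 * Ticket layout: a 16-byte key name, the cipher IV, the encrypted session,
 * then an HMAC (HMAC_size() bytes) over everything that precedes it.  The
 * HMAC is verified (constant-time compare) before any decryption is
 * attempted, and every early exit releases hctx and ctx.
 */
static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
				const unsigned char *sess_id, int sesslen,
				SSL_SESSION **psess)
	{
	SSL_SESSION *sess;
	unsigned char *sdec;
	const unsigned char *p;
	int slen, mlen, renew_ticket = 0;
	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
	HMAC_CTX hctx;
	EVP_CIPHER_CTX ctx;
	SSL_CTX *tctx = s->initial_ctx;
	/* Need at least keyname + iv + some encrypted data */
	if (eticklen < 48)
		return 2;
	/* Initialize session ticket encryption and HMAC contexts */
	HMAC_CTX_init(&hctx);
	EVP_CIPHER_CTX_init(&ctx);
	if (tctx->tlsext_ticket_key_cb)
		{
		/* The application callback picks the key from the key name and
		 * primes both contexts: rv < 0 is an internal failure, 0 means
		 * the key is unknown, 2 means "usable, but renew the ticket". */
		unsigned char *nctick = (unsigned char *)etick;
		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
							&ctx, &hctx, 0);
		if (rv < 0)
			{
			HMAC_CTX_cleanup(&hctx);
			EVP_CIPHER_CTX_cleanup(&ctx);
			return -1;
			}
		if (rv == 0)
			{
			HMAC_CTX_cleanup(&hctx);
			EVP_CIPHER_CTX_cleanup(&ctx);
			return 2;
			}
		if (rv == 2)
			renew_ticket = 1;
		}
	else
		{
		/* Check key name matches */
		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
			{
			HMAC_CTX_cleanup(&hctx);
			EVP_CIPHER_CTX_cleanup(&ctx);
			return 2;
			}
		/* A failed init is an internal error, not a bad ticket. */
		if (!HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
					tlsext_tick_md(), NULL)
		    || !EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
				tctx->tlsext_tick_aes_key, etick + 16))
			{
			HMAC_CTX_cleanup(&hctx);
			EVP_CIPHER_CTX_cleanup(&ctx);
			return -1;
			}
		}
	/* Attempt to process session ticket, first conduct sanity and
	 * integrity checks on ticket.
	 */
	mlen = HMAC_size(&hctx);
	if (mlen < 0)
		{
		HMAC_CTX_cleanup(&hctx);
		EVP_CIPHER_CTX_cleanup(&ctx);
		return -1;
		}
	/* Sanity check ticket length: it must exceed keyname + IV + HMAC.
	 * The "< 48" test above is not sufficient once the digest size is
	 * known (the callback may have chosen a large one): without this
	 * check the subtractions below go negative and a huge size_t is
	 * handed to HMAC_Update() / OPENSSL_malloc(). */
	if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen)
		{
		HMAC_CTX_cleanup(&hctx);
		EVP_CIPHER_CTX_cleanup(&ctx);
		return 2;
		}
	eticklen -= mlen;
	/* Check HMAC of encrypted ticket */
	HMAC_Update(&hctx, etick, eticklen);
	HMAC_Final(&hctx, tick_hmac, NULL);
	HMAC_CTX_cleanup(&hctx);
	if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
		{
		/* Bad MAC.  The cipher context was keyed above and must be
		 * released here as well, otherwise every rejected ticket
		 * leaks its cipher state. */
		EVP_CIPHER_CTX_cleanup(&ctx);
		return 2;
		}
	/* Attempt to decrypt session data */
	/* Move p after IV to start of encrypted ticket, update length */
	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
	sdec = OPENSSL_malloc(eticklen);
	if (!sdec)
		{
		EVP_CIPHER_CTX_cleanup(&ctx);
		return -1;
		}
	/* A decrypt or padding failure is treated like an undecryptable
	 * ticket (full handshake, fresh ticket), not as fatal. */
	if (!EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen)
	    || EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
		{
		EVP_CIPHER_CTX_cleanup(&ctx);
		OPENSSL_free(sdec);
		return 2;
		}
	slen += mlen;
	EVP_CIPHER_CTX_cleanup(&ctx);
	p = sdec;

	sess = d2i_SSL_SESSION(NULL, &p, slen);
	OPENSSL_free(sdec);
	if (sess)
		{
		/* The session ID, if non-empty, is used by some clients to
		 * detect that the ticket has been accepted. So we copy it to
		 * the session structure. If it is empty set length to zero
		 * as required by standard.
		 */
		/* NOTE(review): sesslen is trusted to fit sess->session_id;
		 * the caller is expected to have bounded it. */
		if (sesslen)
			memcpy(sess->session_id, sess_id, sesslen);
		sess->session_id_length = sesslen;
		*psess = sess;
		if (renew_ticket)
			return 4;
		else
			return 3;
		}
	ERR_clear_error();
	/* For session parse failure, indicate that we need to send a new
	 * ticket. */
	return 2;
	}

/* Tables to translate from NIDs to TLS v1.2 ids */

typedef struct
	{
	int nid;	/* OpenSSL NID / EVP_PKEY type */
	int id;		/* TLS 1.2 HashAlgorithm / SignatureAlgorithm value */
	} tls12_lookup;

static tls12_lookup tls12_md[] = {
#ifndef OPENSSL_NO_MD5
	{NID_md5, TLSEXT_hash_md5},
#endif
#ifndef OPENSSL_NO_SHA
	{NID_sha1, TLSEXT_hash_sha1},
#endif
#ifndef OPENSSL_NO_SHA256
	{NID_sha224, TLSEXT_hash_sha224},
	{NID_sha256, TLSEXT_hash_sha256},
#endif
#ifndef OPENSSL_NO_SHA512
	{NID_sha384, TLSEXT_hash_sha384},
	{NID_sha512, TLSEXT_hash_sha512}
#endif
};

static tls12_lookup tls12_sig[] = {
#ifndef OPENSSL_NO_RSA
	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
#endif
#ifndef OPENSSL_NO_DSA
	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
#endif
#ifndef OPENSSL_NO_ECDSA
	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}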
#endif
};

/* Look nid up in table (tlen entries) and return the matching TLS 1.2 id,
 * or -1 when nid is not present.  Serves both the hash and the signature
 * tables above. */
static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
	{
	const tls12_lookup *entry = table;
	const tls12_lookup *end = table + tlen;

	while (entry != end)
		{
		if (entry->nid == nid)
			return entry->id;
		entry++;
		}
	return -1;
	}
#if 0
static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
	{
	size_t i;
	for (i = 0; i < tlen; i++)
		{
		if (table[i].id == id)
			return table[i].nid;
		}
	return -1;
	}
#endif

/* Encode the TLS 1.2 signature/hash pair for (pk, md) into p[0] (hash id)
 * and p[1] (signature id); p must have room for two bytes.
 *
 * Returns 1 on success, 0 when md is NULL or either algorithm has no TLS
 * id, in which case p is left untouched. */
int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
	{
	int hash_id;
	int sig;

	if (md == NULL)
		return 0;
	hash_id = tls12_find_id(EVP_MD_type(md), tls12_md,
				sizeof(tls12_md)/sizeof(tls12_lookup));
	if (hash_id == -1)
		return 0;
	sig = tls12_get_sigid(pk);
	if (sig == -1)
		return 0;
	/* Wire order: hash byte first, signature byte second. */
	p[0] = (unsigned char)hash_id;
	p[1] = (unsigned char)sig;
	return 1;
	}

/* TLS 1.2 signature algorithm id for the key type of pk, or -1 if the type
 * is not in tls12_sig.  NOTE(review): pk is dereferenced without a NULL
 * check, so callers must not pass NULL. */
int tls12_get_sigid(const EVP_PKEY *pk)
	{
	const size_t nsig = sizeof(tls12_sig)/sizeof(tls12_lookup);

	return tls12_find_id(pk->type, tls12_sig, nsig);
	}

/* Map a TLS 1.2 HashAlgorithm byte to the corresponding EVP digest, or NULL
 * for anything unknown or compiled out.  Note that md5 is deliberately not
 * mapped here even though tls12_md lists it. */
const EVP_MD *tls12_get_hash(unsigned char hash_alg)
	{
#ifndef OPENSSL_NO_SHA
	if (hash_alg == TLSEXT_hash_sha1)
		return EVP_sha1();
#endif
#ifndef OPENSSL_NO_SHA256
	if (hash_alg == TLSEXT_hash_sha224)
		return EVP_sha224();
	if (hash_alg == TLSEXT_hash_sha256)
		return EVP_sha256();
#endif
#ifndef OPENSSL_NO_SHA512
	if (hash_alg == TLSEXT_hash_sha384)
		return EVP_sha384();
	if (hash_alg == TLSEXT_hash_sha512)
		return EVP_sha512();
#endif
	return NULL;
	}

/* Set preferred digest for each key type */

int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
	{
	int i, idx;
	const EVP_MD *md;
	CERT *c = s->cert;
	/* Extension ignored for TLS versions below 1.2 */
	if (TLS1_get_version(s) < TLS1_2_VERSION)
		return 1;
	/* Should never
happen */ 25181f13597dSJung-uk Kim if (!c) 25191f13597dSJung-uk Kim return 0; 25201f13597dSJung-uk Kim 25211f13597dSJung-uk Kim c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; 25221f13597dSJung-uk Kim c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 25231f13597dSJung-uk Kim c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 25241f13597dSJung-uk Kim c->pkeys[SSL_PKEY_ECC].digest = NULL; 25251f13597dSJung-uk Kim 25261f13597dSJung-uk Kim for (i = 0; i < dsize; i += 2) 25271f13597dSJung-uk Kim { 25281f13597dSJung-uk Kim unsigned char hash_alg = data[i], sig_alg = data[i+1]; 25291f13597dSJung-uk Kim 25301f13597dSJung-uk Kim switch(sig_alg) 25311f13597dSJung-uk Kim { 25321f13597dSJung-uk Kim #ifndef OPENSSL_NO_RSA 25331f13597dSJung-uk Kim case TLSEXT_signature_rsa: 25341f13597dSJung-uk Kim idx = SSL_PKEY_RSA_SIGN; 25351f13597dSJung-uk Kim break; 25361f13597dSJung-uk Kim #endif 25371f13597dSJung-uk Kim #ifndef OPENSSL_NO_DSA 25381f13597dSJung-uk Kim case TLSEXT_signature_dsa: 25391f13597dSJung-uk Kim idx = SSL_PKEY_DSA_SIGN; 25401f13597dSJung-uk Kim break; 25411f13597dSJung-uk Kim #endif 25421f13597dSJung-uk Kim #ifndef OPENSSL_NO_ECDSA 25431f13597dSJung-uk Kim case TLSEXT_signature_ecdsa: 25441f13597dSJung-uk Kim idx = SSL_PKEY_ECC; 25451f13597dSJung-uk Kim break; 25461f13597dSJung-uk Kim #endif 25471f13597dSJung-uk Kim default: 25481f13597dSJung-uk Kim continue; 25491f13597dSJung-uk Kim } 25501f13597dSJung-uk Kim 25511f13597dSJung-uk Kim if (c->pkeys[idx].digest == NULL) 25521f13597dSJung-uk Kim { 25531f13597dSJung-uk Kim md = tls12_get_hash(hash_alg); 25541f13597dSJung-uk Kim if (md) 25551f13597dSJung-uk Kim { 25561f13597dSJung-uk Kim c->pkeys[idx].digest = md; 25571f13597dSJung-uk Kim if (idx == SSL_PKEY_RSA_SIGN) 25581f13597dSJung-uk Kim c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 25591f13597dSJung-uk Kim } 25601f13597dSJung-uk Kim } 25611f13597dSJung-uk Kim 25621f13597dSJung-uk Kim } 25631f13597dSJung-uk Kim 25641f13597dSJung-uk Kim 25651f13597dSJung-uk Kim /* Set any remaining keys to 
default values. NOTE: if alg is not 25661f13597dSJung-uk Kim * supported it stays as NULL. 2567db522d3aSSimon L. B. Nielsen */ 25681f13597dSJung-uk Kim #ifndef OPENSSL_NO_DSA 25691f13597dSJung-uk Kim if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 257009286989SJung-uk Kim c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 25711f13597dSJung-uk Kim #endif 25721f13597dSJung-uk Kim #ifndef OPENSSL_NO_RSA 25731f13597dSJung-uk Kim if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) 25741f13597dSJung-uk Kim { 25751f13597dSJung-uk Kim c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 25761f13597dSJung-uk Kim c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 25771f13597dSJung-uk Kim } 25781f13597dSJung-uk Kim #endif 25791f13597dSJung-uk Kim #ifndef OPENSSL_NO_ECDSA 25801f13597dSJung-uk Kim if (!c->pkeys[SSL_PKEY_ECC].digest) 258109286989SJung-uk Kim c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 25821f13597dSJung-uk Kim #endif 25831f13597dSJung-uk Kim return 1; 25841f13597dSJung-uk Kim } 25851f13597dSJung-uk Kim 25861f13597dSJung-uk Kim #endif 25871f13597dSJung-uk Kim 25881f13597dSJung-uk Kim #ifndef OPENSSL_NO_HEARTBEATS 25891f13597dSJung-uk Kim int 25901f13597dSJung-uk Kim tls1_process_heartbeat(SSL *s) 25911f13597dSJung-uk Kim { 25921f13597dSJung-uk Kim unsigned char *p = &s->s3->rrec.data[0], *pl; 25931f13597dSJung-uk Kim unsigned short hbtype; 25941f13597dSJung-uk Kim unsigned int payload; 25951f13597dSJung-uk Kim unsigned int padding = 16; /* Use minimum padding */ 25961f13597dSJung-uk Kim 25971f13597dSJung-uk Kim if (s->msg_callback) 25981f13597dSJung-uk Kim s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 25991f13597dSJung-uk Kim &s->s3->rrec.data[0], s->s3->rrec.length, 26001f13597dSJung-uk Kim s, s->msg_callback_arg); 26011f13597dSJung-uk Kim 260225bfde79SXin LI /* Read type and payload length first */ 260325bfde79SXin LI if (1 + 2 + 16 > s->s3->rrec.length) 260425bfde79SXin LI return 0; /* silently discard */ 260525bfde79SXin LI hbtype = *p++; 260625bfde79SXin LI n2s(p, payload); 
260725bfde79SXin LI if (1 + 2 + payload + 16 > s->s3->rrec.length) 260825bfde79SXin LI return 0; /* silently discard per RFC 6520 sec. 4 */ 260925bfde79SXin LI pl = p; 261025bfde79SXin LI 26111f13597dSJung-uk Kim if (hbtype == TLS1_HB_REQUEST) 26121f13597dSJung-uk Kim { 26131f13597dSJung-uk Kim unsigned char *buffer, *bp; 26141f13597dSJung-uk Kim int r; 26151f13597dSJung-uk Kim 26161f13597dSJung-uk Kim /* Allocate memory for the response, size is 1 bytes 26171f13597dSJung-uk Kim * message type, plus 2 bytes payload length, plus 26181f13597dSJung-uk Kim * payload, plus padding 26191f13597dSJung-uk Kim */ 26201f13597dSJung-uk Kim buffer = OPENSSL_malloc(1 + 2 + payload + padding); 26211f13597dSJung-uk Kim bp = buffer; 26221f13597dSJung-uk Kim 26231f13597dSJung-uk Kim /* Enter response type, length and copy payload */ 26241f13597dSJung-uk Kim *bp++ = TLS1_HB_RESPONSE; 26251f13597dSJung-uk Kim s2n(payload, bp); 26261f13597dSJung-uk Kim memcpy(bp, pl, payload); 26271f13597dSJung-uk Kim bp += payload; 26281f13597dSJung-uk Kim /* Random padding */ 26291f13597dSJung-uk Kim RAND_pseudo_bytes(bp, padding); 26301f13597dSJung-uk Kim 26311f13597dSJung-uk Kim r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 26321f13597dSJung-uk Kim 26331f13597dSJung-uk Kim if (r >= 0 && s->msg_callback) 26341f13597dSJung-uk Kim s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 26351f13597dSJung-uk Kim buffer, 3 + payload + padding, 26361f13597dSJung-uk Kim s, s->msg_callback_arg); 26371f13597dSJung-uk Kim 26381f13597dSJung-uk Kim OPENSSL_free(buffer); 26391f13597dSJung-uk Kim 26401f13597dSJung-uk Kim if (r < 0) 26411f13597dSJung-uk Kim return r; 26421f13597dSJung-uk Kim } 26431f13597dSJung-uk Kim else if (hbtype == TLS1_HB_RESPONSE) 26441f13597dSJung-uk Kim { 26451f13597dSJung-uk Kim unsigned int seq; 26461f13597dSJung-uk Kim 26471f13597dSJung-uk Kim /* We only send sequence numbers (2 bytes unsigned int), 26481f13597dSJung-uk Kim * and 16 random bytes, so we just try 
to read the 26491f13597dSJung-uk Kim * sequence number */ 26501f13597dSJung-uk Kim n2s(pl, seq); 26511f13597dSJung-uk Kim 26521f13597dSJung-uk Kim if (payload == 18 && seq == s->tlsext_hb_seq) 26531f13597dSJung-uk Kim { 26541f13597dSJung-uk Kim s->tlsext_hb_seq++; 26551f13597dSJung-uk Kim s->tlsext_hb_pending = 0; 26561f13597dSJung-uk Kim } 26571f13597dSJung-uk Kim } 26581f13597dSJung-uk Kim 2659db522d3aSSimon L. B. Nielsen return 0; 2660db522d3aSSimon L. B. Nielsen } 2661db522d3aSSimon L. B. Nielsen 26621f13597dSJung-uk Kim int 26631f13597dSJung-uk Kim tls1_heartbeat(SSL *s) 26641f13597dSJung-uk Kim { 26651f13597dSJung-uk Kim unsigned char *buf, *p; 26661f13597dSJung-uk Kim int ret; 26671f13597dSJung-uk Kim unsigned int payload = 18; /* Sequence number + random bytes */ 26681f13597dSJung-uk Kim unsigned int padding = 16; /* Use minimum padding */ 26691f13597dSJung-uk Kim 26701f13597dSJung-uk Kim /* Only send if peer supports and accepts HB requests... */ 26711f13597dSJung-uk Kim if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || 26721f13597dSJung-uk Kim s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) 26731f13597dSJung-uk Kim { 26741f13597dSJung-uk Kim SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); 26751f13597dSJung-uk Kim return -1; 26761f13597dSJung-uk Kim } 26771f13597dSJung-uk Kim 26781f13597dSJung-uk Kim /* ...and there is none in flight yet... */ 26791f13597dSJung-uk Kim if (s->tlsext_hb_pending) 26801f13597dSJung-uk Kim { 26811f13597dSJung-uk Kim SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING); 26821f13597dSJung-uk Kim return -1; 26831f13597dSJung-uk Kim } 26841f13597dSJung-uk Kim 26851f13597dSJung-uk Kim /* ...and no handshake in progress. 
*/ 26861f13597dSJung-uk Kim if (SSL_in_init(s) || s->in_handshake) 26871f13597dSJung-uk Kim { 26881f13597dSJung-uk Kim SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE); 26891f13597dSJung-uk Kim return -1; 26901f13597dSJung-uk Kim } 26911f13597dSJung-uk Kim 26921f13597dSJung-uk Kim /* Check if padding is too long, payload and padding 26931f13597dSJung-uk Kim * must not exceed 2^14 - 3 = 16381 bytes in total. 26941f13597dSJung-uk Kim */ 26951f13597dSJung-uk Kim OPENSSL_assert(payload + padding <= 16381); 26961f13597dSJung-uk Kim 26971f13597dSJung-uk Kim /* Create HeartBeat message, we just use a sequence number 26981f13597dSJung-uk Kim * as payload to distuingish different messages and add 26991f13597dSJung-uk Kim * some random stuff. 27001f13597dSJung-uk Kim * - Message Type, 1 byte 27011f13597dSJung-uk Kim * - Payload Length, 2 bytes (unsigned int) 27021f13597dSJung-uk Kim * - Payload, the sequence number (2 bytes uint) 27031f13597dSJung-uk Kim * - Payload, random bytes (16 bytes uint) 27041f13597dSJung-uk Kim * - Padding 27051f13597dSJung-uk Kim */ 27061f13597dSJung-uk Kim buf = OPENSSL_malloc(1 + 2 + payload + padding); 27071f13597dSJung-uk Kim p = buf; 27081f13597dSJung-uk Kim /* Message Type */ 27091f13597dSJung-uk Kim *p++ = TLS1_HB_REQUEST; 27101f13597dSJung-uk Kim /* Payload length (18 bytes here) */ 27111f13597dSJung-uk Kim s2n(payload, p); 27121f13597dSJung-uk Kim /* Sequence number */ 27131f13597dSJung-uk Kim s2n(s->tlsext_hb_seq, p); 27141f13597dSJung-uk Kim /* 16 random bytes */ 27151f13597dSJung-uk Kim RAND_pseudo_bytes(p, 16); 27161f13597dSJung-uk Kim p += 16; 27171f13597dSJung-uk Kim /* Random padding */ 27181f13597dSJung-uk Kim RAND_pseudo_bytes(p, padding); 27191f13597dSJung-uk Kim 27201f13597dSJung-uk Kim ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 27211f13597dSJung-uk Kim if (ret >= 0) 27221f13597dSJung-uk Kim { 27231f13597dSJung-uk Kim if (s->msg_callback) 27241f13597dSJung-uk Kim s->msg_callback(1, s->version, 
TLS1_RT_HEARTBEAT, 27251f13597dSJung-uk Kim buf, 3 + payload + padding, 27261f13597dSJung-uk Kim s, s->msg_callback_arg); 27271f13597dSJung-uk Kim 27281f13597dSJung-uk Kim s->tlsext_hb_pending = 1; 27291f13597dSJung-uk Kim } 27301f13597dSJung-uk Kim 27311f13597dSJung-uk Kim OPENSSL_free(buf); 27321f13597dSJung-uk Kim 27331f13597dSJung-uk Kim return ret; 27341f13597dSJung-uk Kim } 2735db522d3aSSimon L. B. Nielsen #endif 2736