OpenSSL  1.0.1c
 All Classes Files Functions Variables Typedefs Enumerations Enumerator Macros
t1_lib.c
Go to the documentation of this file.
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young ([email protected])
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young ([email protected]).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to. The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson ([email protected]).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  * notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  * notice, this list of conditions and the following disclaimer in the
30  * documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  * must display the following acknowledgement:
33  * "This product includes cryptographic software written by
34  * Eric Young ([email protected])"
35  * The word 'cryptographic' can be left out if the rouines from the library
36  * being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  * the apps directory (application code) you must include an acknowledgement:
39  * "This product includes software written by Tim Hudson ([email protected])"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed. i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  * notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  * notice, this list of conditions and the following disclaimer in
70  * the documentation and/or other materials provided with the
71  * distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  * software must display the following acknowledgment:
75  * "This product includes software developed by the OpenSSL Project
76  * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  * endorse or promote products derived from this software without
80  * prior written permission. For written permission, please contact
81  * [email protected].
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  * nor may "OpenSSL" appear in their names without prior written
85  * permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  * acknowledgment:
89  * "This product includes software developed by the OpenSSL Project
90  * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * ([email protected]). This product includes software written by Tim
108  * Hudson ([email protected]).
109  *
110  */
111 
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119 
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124  const unsigned char *sess_id, int sesslen,
125  SSL_SESSION **psess);
126 #endif
127 
128 SSL3_ENC_METHOD TLSv1_enc_data={
129  tls1_enc,
130  tls1_mac,
131  tls1_setup_key_block,
132  tls1_generate_master_secret,
133  tls1_change_cipher_state,
134  tls1_final_finish_mac,
135  TLS1_FINISH_MAC_LENGTH,
136  tls1_cert_verify_mac,
137  TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138  TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139  tls1_alert_code,
140  tls1_export_keying_material,
141  };
142 
143 long tls1_default_timeout(void)
144  {
145  /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146  * is way too long for http, the cache would over fill */
147  return(60*60*2);
148  }
149 
150 int tls1_new(SSL *s)
151  {
152  if (!ssl3_new(s)) return(0);
153  s->method->ssl_clear(s);
154  return(1);
155  }
156 
157 void tls1_free(SSL *s)
158  {
159 #ifndef OPENSSL_NO_TLSEXT
160  if (s->tlsext_session_ticket)
161  {
162  OPENSSL_free(s->tlsext_session_ticket);
163  }
164 #endif /* OPENSSL_NO_TLSEXT */
165  ssl3_free(s);
166  }
167 
168 void tls1_clear(SSL *s)
169  {
170  ssl3_clear(s);
171  s->version = s->method->version;
172  }
173 
174 #ifndef OPENSSL_NO_EC
175 
176 static int nid_list[] =
177  {
178  NID_sect163k1, /* sect163k1 (1) */
179  NID_sect163r1, /* sect163r1 (2) */
180  NID_sect163r2, /* sect163r2 (3) */
181  NID_sect193r1, /* sect193r1 (4) */
182  NID_sect193r2, /* sect193r2 (5) */
183  NID_sect233k1, /* sect233k1 (6) */
184  NID_sect233r1, /* sect233r1 (7) */
185  NID_sect239k1, /* sect239k1 (8) */
186  NID_sect283k1, /* sect283k1 (9) */
187  NID_sect283r1, /* sect283r1 (10) */
188  NID_sect409k1, /* sect409k1 (11) */
189  NID_sect409r1, /* sect409r1 (12) */
190  NID_sect571k1, /* sect571k1 (13) */
191  NID_sect571r1, /* sect571r1 (14) */
192  NID_secp160k1, /* secp160k1 (15) */
193  NID_secp160r1, /* secp160r1 (16) */
194  NID_secp160r2, /* secp160r2 (17) */
195  NID_secp192k1, /* secp192k1 (18) */
196  NID_X9_62_prime192v1, /* secp192r1 (19) */
197  NID_secp224k1, /* secp224k1 (20) */
198  NID_secp224r1, /* secp224r1 (21) */
199  NID_secp256k1, /* secp256k1 (22) */
200  NID_X9_62_prime256v1, /* secp256r1 (23) */
201  NID_secp384r1, /* secp384r1 (24) */
202  NID_secp521r1 /* secp521r1 (25) */
203  };
204 
205 static int pref_list[] =
206  {
207  NID_sect571r1, /* sect571r1 (14) */
208  NID_sect571k1, /* sect571k1 (13) */
209  NID_secp521r1, /* secp521r1 (25) */
210  NID_sect409k1, /* sect409k1 (11) */
211  NID_sect409r1, /* sect409r1 (12) */
212  NID_secp384r1, /* secp384r1 (24) */
213  NID_sect283k1, /* sect283k1 (9) */
214  NID_sect283r1, /* sect283r1 (10) */
215  NID_secp256k1, /* secp256k1 (22) */
216  NID_X9_62_prime256v1, /* secp256r1 (23) */
217  NID_sect239k1, /* sect239k1 (8) */
218  NID_sect233k1, /* sect233k1 (6) */
219  NID_sect233r1, /* sect233r1 (7) */
220  NID_secp224k1, /* secp224k1 (20) */
221  NID_secp224r1, /* secp224r1 (21) */
222  NID_sect193r1, /* sect193r1 (4) */
223  NID_sect193r2, /* sect193r2 (5) */
224  NID_secp192k1, /* secp192k1 (18) */
225  NID_X9_62_prime192v1, /* secp192r1 (19) */
226  NID_sect163k1, /* sect163k1 (1) */
227  NID_sect163r1, /* sect163r1 (2) */
228  NID_sect163r2, /* sect163r2 (3) */
229  NID_secp160k1, /* secp160k1 (15) */
230  NID_secp160r1, /* secp160r1 (16) */
231  NID_secp160r2, /* secp160r2 (17) */
232  };
233 
234 int tls1_ec_curve_id2nid(int curve_id)
235  {
236  /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237  if ((curve_id < 1) || ((unsigned int)curve_id >
238  sizeof(nid_list)/sizeof(nid_list[0])))
239  return 0;
240  return nid_list[curve_id-1];
241  }
242 
243 int tls1_ec_nid2curve_id(int nid)
244  {
245  /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246  switch (nid)
247  {
248  case NID_sect163k1: /* sect163k1 (1) */
249  return 1;
250  case NID_sect163r1: /* sect163r1 (2) */
251  return 2;
252  case NID_sect163r2: /* sect163r2 (3) */
253  return 3;
254  case NID_sect193r1: /* sect193r1 (4) */
255  return 4;
256  case NID_sect193r2: /* sect193r2 (5) */
257  return 5;
258  case NID_sect233k1: /* sect233k1 (6) */
259  return 6;
260  case NID_sect233r1: /* sect233r1 (7) */
261  return 7;
262  case NID_sect239k1: /* sect239k1 (8) */
263  return 8;
264  case NID_sect283k1: /* sect283k1 (9) */
265  return 9;
266  case NID_sect283r1: /* sect283r1 (10) */
267  return 10;
268  case NID_sect409k1: /* sect409k1 (11) */
269  return 11;
270  case NID_sect409r1: /* sect409r1 (12) */
271  return 12;
272  case NID_sect571k1: /* sect571k1 (13) */
273  return 13;
274  case NID_sect571r1: /* sect571r1 (14) */
275  return 14;
276  case NID_secp160k1: /* secp160k1 (15) */
277  return 15;
278  case NID_secp160r1: /* secp160r1 (16) */
279  return 16;
280  case NID_secp160r2: /* secp160r2 (17) */
281  return 17;
282  case NID_secp192k1: /* secp192k1 (18) */
283  return 18;
284  case NID_X9_62_prime192v1: /* secp192r1 (19) */
285  return 19;
286  case NID_secp224k1: /* secp224k1 (20) */
287  return 20;
288  case NID_secp224r1: /* secp224r1 (21) */
289  return 21;
290  case NID_secp256k1: /* secp256k1 (22) */
291  return 22;
292  case NID_X9_62_prime256v1: /* secp256r1 (23) */
293  return 23;
294  case NID_secp384r1: /* secp384r1 (24) */
295  return 24;
296  case NID_secp521r1: /* secp521r1 (25) */
297  return 25;
298  default:
299  return 0;
300  }
301  }
302 #endif /* OPENSSL_NO_EC */
303 
304 #ifndef OPENSSL_NO_TLSEXT
305 
306 /* List of supported signature algorithms and hashes. Should make this
307  * customisable at some point, for now include everything we support.
308  */
309 
310 #ifdef OPENSSL_NO_RSA
311 #define tlsext_sigalg_rsa(md) /* */
312 #else
313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #endif
315 
316 #ifdef OPENSSL_NO_DSA
317 #define tlsext_sigalg_dsa(md) /* */
318 #else
319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #endif
321 
322 #ifdef OPENSSL_NO_ECDSA
323 #define tlsext_sigalg_ecdsa(md) /* */
324 #else
325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #endif
327 
328 #define tlsext_sigalg(md) \
329  tlsext_sigalg_rsa(md) \
330  tlsext_sigalg_dsa(md) \
331  tlsext_sigalg_ecdsa(md)
332 
333 static unsigned char tls12_sigalgs[] = {
334 #ifndef OPENSSL_NO_SHA512
335  tlsext_sigalg(TLSEXT_hash_sha512)
336  tlsext_sigalg(TLSEXT_hash_sha384)
337 #endif
338 #ifndef OPENSSL_NO_SHA256
339  tlsext_sigalg(TLSEXT_hash_sha256)
340  tlsext_sigalg(TLSEXT_hash_sha224)
341 #endif
342 #ifndef OPENSSL_NO_SHA
343  tlsext_sigalg(TLSEXT_hash_sha1)
344 #endif
345 #ifndef OPENSSL_NO_MD5
346  tlsext_sigalg_rsa(TLSEXT_hash_md5)
347 #endif
348 };
349 
350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351  {
352  size_t slen = sizeof(tls12_sigalgs);
353 #ifdef OPENSSL_FIPS
354  /* If FIPS mode don't include MD5 which is last */
355  if (FIPS_mode())
356  slen -= 2;
357 #endif
358  if (p)
359  memcpy(p, tls12_sigalgs, slen);
360  return (int)slen;
361  }
362 
363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364  {
365  int extdatalen=0;
366  unsigned char *ret = p;
367 
368  /* don't add extensions for SSLv3 unless doing secure renegotiation */
369  if (s->client_version == SSL3_VERSION
370  && !s->s3->send_connection_binding)
371  return p;
372 
373  ret+=2;
374 
375  if (ret>=limit) return NULL; /* this really never occurs, but ... */
376 
377  if (s->tlsext_hostname != NULL)
378  {
379  /* Add TLS extension servername to the Client Hello message */
380  unsigned long size_str;
381  long lenmax;
382 
383  /* check for enough space.
384  4 for the servername type and entension length
385  2 for servernamelist length
386  1 for the hostname type
387  2 for hostname length
388  + hostname length
389  */
390 
391  if ((lenmax = limit - ret - 9) < 0
392  || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
393  return NULL;
394 
395  /* extension type and length */
396  s2n(TLSEXT_TYPE_server_name,ret);
397  s2n(size_str+5,ret);
398 
399  /* length of servername list */
400  s2n(size_str+3,ret);
401 
402  /* hostname type, length and hostname */
403  *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
404  s2n(size_str,ret);
405  memcpy(ret, s->tlsext_hostname, size_str);
406  ret+=size_str;
407  }
408 
409  /* Add RI if renegotiating */
410  if (s->renegotiate)
411  {
412  int el;
413 
414  if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
415  {
416  SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
417  return NULL;
418  }
419 
420  if((limit - p - 4 - el) < 0) return NULL;
421 
422  s2n(TLSEXT_TYPE_renegotiate,ret);
423  s2n(el,ret);
424 
425  if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
426  {
427  SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
428  return NULL;
429  }
430 
431  ret += el;
432  }
433 
434 #ifndef OPENSSL_NO_SRP
435  /* Add SRP username if there is one */
436  if (s->srp_ctx.login != NULL)
437  { /* Add TLS extension SRP username to the Client Hello message */
438 
439  int login_len = strlen(s->srp_ctx.login);
440  if (login_len > 255 || login_len == 0)
441  {
442  SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
443  return NULL;
444  }
445 
446  /* check for enough space.
447  4 for the srp type type and entension length
448  1 for the srp user identity
449  + srp user identity length
450  */
451  if ((limit - ret - 5 - login_len) < 0) return NULL;
452 
453  /* fill in the extension */
454  s2n(TLSEXT_TYPE_srp,ret);
455  s2n(login_len+1,ret);
456  (*ret++) = (unsigned char) login_len;
457  memcpy(ret, s->srp_ctx.login, login_len);
458  ret+=login_len;
459  }
460 #endif
461 
462 #ifndef OPENSSL_NO_EC
463  if (s->tlsext_ecpointformatlist != NULL &&
464  s->version != DTLS1_VERSION)
465  {
466  /* Add TLS extension ECPointFormats to the ClientHello message */
467  long lenmax;
468 
469  if ((lenmax = limit - ret - 5) < 0) return NULL;
470  if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471  if (s->tlsext_ecpointformatlist_length > 255)
472  {
473  SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
474  return NULL;
475  }
476 
477  s2n(TLSEXT_TYPE_ec_point_formats,ret);
478  s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479  *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480  memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481  ret+=s->tlsext_ecpointformatlist_length;
482  }
483  if (s->tlsext_ellipticcurvelist != NULL &&
484  s->version != DTLS1_VERSION)
485  {
486  /* Add TLS extension EllipticCurves to the ClientHello message */
487  long lenmax;
488 
489  if ((lenmax = limit - ret - 6) < 0) return NULL;
490  if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
491  if (s->tlsext_ellipticcurvelist_length > 65532)
492  {
493  SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
494  return NULL;
495  }
496 
497  s2n(TLSEXT_TYPE_elliptic_curves,ret);
498  s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
499 
500  /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
501  * elliptic_curve_list, but the examples use two bytes.
502  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
503  * resolves this to two bytes.
504  */
505  s2n(s->tlsext_ellipticcurvelist_length, ret);
506  memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
507  ret+=s->tlsext_ellipticcurvelist_length;
508  }
509 #endif /* OPENSSL_NO_EC */
510 
511  if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
512  {
513  int ticklen;
514  if (!s->new_session && s->session && s->session->tlsext_tick)
515  ticklen = s->session->tlsext_ticklen;
516  else if (s->session && s->tlsext_session_ticket &&
517  s->tlsext_session_ticket->data)
518  {
519  ticklen = s->tlsext_session_ticket->length;
520  s->session->tlsext_tick = OPENSSL_malloc(ticklen);
521  if (!s->session->tlsext_tick)
522  return NULL;
523  memcpy(s->session->tlsext_tick,
524  s->tlsext_session_ticket->data,
525  ticklen);
526  s->session->tlsext_ticklen = ticklen;
527  }
528  else
529  ticklen = 0;
530  if (ticklen == 0 && s->tlsext_session_ticket &&
531  s->tlsext_session_ticket->data == NULL)
532  goto skip_ext;
533  /* Check for enough room 2 for extension type, 2 for len
534  * rest for ticket
535  */
536  if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
537  s2n(TLSEXT_TYPE_session_ticket,ret);
538  s2n(ticklen,ret);
539  if (ticklen)
540  {
541  memcpy(ret, s->session->tlsext_tick, ticklen);
542  ret += ticklen;
543  }
544  }
545  skip_ext:
546 
547  if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
548  {
549  if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
550  return NULL;
551  s2n(TLSEXT_TYPE_signature_algorithms,ret);
552  s2n(sizeof(tls12_sigalgs) + 2, ret);
553  s2n(sizeof(tls12_sigalgs), ret);
554  memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
555  ret += sizeof(tls12_sigalgs);
556  }
557 
558 #ifdef TLSEXT_TYPE_opaque_prf_input
559  if (s->s3->client_opaque_prf_input != NULL &&
560  s->version != DTLS1_VERSION)
561  {
562  size_t col = s->s3->client_opaque_prf_input_len;
563 
564  if ((long)(limit - ret - 6 - col < 0))
565  return NULL;
566  if (col > 0xFFFD) /* can't happen */
567  return NULL;
568 
569  s2n(TLSEXT_TYPE_opaque_prf_input, ret);
570  s2n(col + 2, ret);
571  s2n(col, ret);
572  memcpy(ret, s->s3->client_opaque_prf_input, col);
573  ret += col;
574  }
575 #endif
576 
577  if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
578  s->version != DTLS1_VERSION)
579  {
580  int i;
581  long extlen, idlen, itmp;
582  OCSP_RESPID *id;
583 
584  idlen = 0;
585  for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
586  {
587  id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
588  itmp = i2d_OCSP_RESPID(id, NULL);
589  if (itmp <= 0)
590  return NULL;
591  idlen += itmp + 2;
592  }
593 
594  if (s->tlsext_ocsp_exts)
595  {
596  extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
597  if (extlen < 0)
598  return NULL;
599  }
600  else
601  extlen = 0;
602 
603  if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
604  s2n(TLSEXT_TYPE_status_request, ret);
605  if (extlen + idlen > 0xFFF0)
606  return NULL;
607  s2n(extlen + idlen + 5, ret);
608  *(ret++) = TLSEXT_STATUSTYPE_ocsp;
609  s2n(idlen, ret);
610  for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
611  {
612  /* save position of id len */
613  unsigned char *q = ret;
614  id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
615  /* skip over id len */
616  ret += 2;
617  itmp = i2d_OCSP_RESPID(id, &ret);
618  /* write id len */
619  s2n(itmp, q);
620  }
621  s2n(extlen, ret);
622  if (extlen > 0)
623  i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
624  }
625 
626 #ifndef OPENSSL_NO_HEARTBEATS
627  /* Add Heartbeat extension */
628  s2n(TLSEXT_TYPE_heartbeat,ret);
629  s2n(1,ret);
630  /* Set mode:
631  * 1: peer may send requests
632  * 2: peer not allowed to send requests
633  */
634  if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635  *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636  else
637  *(ret++) = SSL_TLSEXT_HB_ENABLED;
638 #endif
639 
640 #ifndef OPENSSL_NO_NEXTPROTONEG
641  if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642  {
643  /* The client advertises an emtpy extension to indicate its
644  * support for Next Protocol Negotiation */
645  if (limit - ret - 4 < 0)
646  return NULL;
647  s2n(TLSEXT_TYPE_next_proto_neg,ret);
648  s2n(0,ret);
649  }
650 #endif
651 
652  if(SSL_get_srtp_profiles(s))
653  {
654  int el;
655 
656  ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
657 
658  if((limit - p - 4 - el) < 0) return NULL;
659 
660  s2n(TLSEXT_TYPE_use_srtp,ret);
661  s2n(el,ret);
662 
663  if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
664  {
665  SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
666  return NULL;
667  }
668  ret += el;
669  }
670 
671  if ((extdatalen = ret-p-2)== 0)
672  return p;
673 
674  s2n(extdatalen,p);
675  return ret;
676  }
677 
678 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
679  {
680  int extdatalen=0;
681  unsigned char *ret = p;
682 #ifndef OPENSSL_NO_NEXTPROTONEG
683  int next_proto_neg_seen;
684 #endif
685 
686  /* don't add extensions for SSLv3, unless doing secure renegotiation */
687  if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
688  return p;
689 
690  ret+=2;
691  if (ret>=limit) return NULL; /* this really never occurs, but ... */
692 
693  if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
694  {
695  if ((long)(limit - ret - 4) < 0) return NULL;
696 
697  s2n(TLSEXT_TYPE_server_name,ret);
698  s2n(0,ret);
699  }
700 
701  if(s->s3->send_connection_binding)
702  {
703  int el;
704 
705  if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
706  {
707  SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
708  return NULL;
709  }
710 
711  if((limit - p - 4 - el) < 0) return NULL;
712 
713  s2n(TLSEXT_TYPE_renegotiate,ret);
714  s2n(el,ret);
715 
716  if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
717  {
718  SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
719  return NULL;
720  }
721 
722  ret += el;
723  }
724 
725 #ifndef OPENSSL_NO_EC
726  if (s->tlsext_ecpointformatlist != NULL &&
727  s->version != DTLS1_VERSION)
728  {
729  /* Add TLS extension ECPointFormats to the ServerHello message */
730  long lenmax;
731 
732  if ((lenmax = limit - ret - 5) < 0) return NULL;
733  if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
734  if (s->tlsext_ecpointformatlist_length > 255)
735  {
736  SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
737  return NULL;
738  }
739 
740  s2n(TLSEXT_TYPE_ec_point_formats,ret);
741  s2n(s->tlsext_ecpointformatlist_length + 1,ret);
742  *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
743  memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
744  ret+=s->tlsext_ecpointformatlist_length;
745 
746  }
747  /* Currently the server should not respond with a SupportedCurves extension */
748 #endif /* OPENSSL_NO_EC */
749 
750  if (s->tlsext_ticket_expected
751  && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
752  {
753  if ((long)(limit - ret - 4) < 0) return NULL;
754  s2n(TLSEXT_TYPE_session_ticket,ret);
755  s2n(0,ret);
756  }
757 
758  if (s->tlsext_status_expected)
759  {
760  if ((long)(limit - ret - 4) < 0) return NULL;
761  s2n(TLSEXT_TYPE_status_request,ret);
762  s2n(0,ret);
763  }
764 
765 #ifdef TLSEXT_TYPE_opaque_prf_input
766  if (s->s3->server_opaque_prf_input != NULL &&
767  s->version != DTLS1_VERSION)
768  {
769  size_t sol = s->s3->server_opaque_prf_input_len;
770 
771  if ((long)(limit - ret - 6 - sol) < 0)
772  return NULL;
773  if (sol > 0xFFFD) /* can't happen */
774  return NULL;
775 
776  s2n(TLSEXT_TYPE_opaque_prf_input, ret);
777  s2n(sol + 2, ret);
778  s2n(sol, ret);
779  memcpy(ret, s->s3->server_opaque_prf_input, sol);
780  ret += sol;
781  }
782 #endif
783 
784  if(s->srtp_profile)
785  {
786  int el;
787 
788  ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
789 
790  if((limit - p - 4 - el) < 0) return NULL;
791 
792  s2n(TLSEXT_TYPE_use_srtp,ret);
793  s2n(el,ret);
794 
795  if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
796  {
797  SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
798  return NULL;
799  }
800  ret+=el;
801  }
802 
803  if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
804  && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
805  { const unsigned char cryptopro_ext[36] = {
806  0xfd, 0xe8, /*65000*/
807  0x00, 0x20, /*32 bytes length*/
808  0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
809  0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
810  0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
811  0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
812  if (limit-ret<36) return NULL;
813  memcpy(ret,cryptopro_ext,36);
814  ret+=36;
815 
816  }
817 
818 #ifndef OPENSSL_NO_HEARTBEATS
819  /* Add Heartbeat extension if we've received one */
820  if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
821  {
822  s2n(TLSEXT_TYPE_heartbeat,ret);
823  s2n(1,ret);
824  /* Set mode:
825  * 1: peer may send requests
826  * 2: peer not allowed to send requests
827  */
828  if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
829  *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
830  else
831  *(ret++) = SSL_TLSEXT_HB_ENABLED;
832 
833  }
834 #endif
835 
836 #ifndef OPENSSL_NO_NEXTPROTONEG
837  next_proto_neg_seen = s->s3->next_proto_neg_seen;
838  s->s3->next_proto_neg_seen = 0;
839  if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
840  {
841  const unsigned char *npa;
842  unsigned int npalen;
843  int r;
844 
845  r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
846  if (r == SSL_TLSEXT_ERR_OK)
847  {
848  if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
849  s2n(TLSEXT_TYPE_next_proto_neg,ret);
850  s2n(npalen,ret);
851  memcpy(ret, npa, npalen);
852  ret += npalen;
853  s->s3->next_proto_neg_seen = 1;
854  }
855  }
856 #endif
857 
858  if ((extdatalen = ret-p-2)== 0)
859  return p;
860 
861  s2n(extdatalen,p);
862  return ret;
863  }
864 
865 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
866  {
867  unsigned short type;
868  unsigned short size;
869  unsigned short len;
870  unsigned char *data = *p;
871  int renegotiate_seen = 0;
872  int sigalg_seen = 0;
873 
874  s->servername_done = 0;
875  s->tlsext_status_type = -1;
876 #ifndef OPENSSL_NO_NEXTPROTONEG
877  s->s3->next_proto_neg_seen = 0;
878 #endif
879 
880 #ifndef OPENSSL_NO_HEARTBEATS
881  s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
882  SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
883 #endif
884 
885  if (data >= (d+n-2))
886  goto ri_check;
887  n2s(data,len);
888 
889  if (data > (d+n-len))
890  goto ri_check;
891 
892  while (data <= (d+n-4))
893  {
894  n2s(data,type);
895  n2s(data,size);
896 
897  if (data+size > (d+n))
898  goto ri_check;
899 #if 0
900  fprintf(stderr,"Received extension type %d size %d\n",type,size);
901 #endif
902  if (s->tlsext_debug_cb)
903  s->tlsext_debug_cb(s, 0, type, data, size,
904  s->tlsext_debug_arg);
905 /* The servername extension is treated as follows:
906 
907  - Only the hostname type is supported with a maximum length of 255.
908  - The servername is rejected if too long or if it contains zeros,
909  in which case an fatal alert is generated.
910  - The servername field is maintained together with the session cache.
911  - When a session is resumed, the servername call back invoked in order
912  to allow the application to position itself to the right context.
913  - The servername is acknowledged if it is new for a session or when
914  it is identical to a previously used for the same session.
915  Applications can control the behaviour. They can at any time
916  set a 'desirable' servername for a new SSL object. This can be the
917  case for example with HTTPS when a Host: header field is received and
918  a renegotiation is requested. In this case, a possible servername
919  presented in the new client hello is only acknowledged if it matches
920  the value of the Host: field.
921  - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
922  if they provide for changing an explicit servername context for the session,
923  i.e. when the session has been established with a servername extension.
924  - On session reconnect, the servername extension may be absent.
925 
926 */
927 
928  if (type == TLSEXT_TYPE_server_name)
929  {
930  unsigned char *sdata;
931  int servname_type;
932  int dsize;
933 
934  if (size < 2)
935  {
936  *al = SSL_AD_DECODE_ERROR;
937  return 0;
938  }
939  n2s(data,dsize);
940  size -= 2;
941  if (dsize > size )
942  {
943  *al = SSL_AD_DECODE_ERROR;
944  return 0;
945  }
946 
947  sdata = data;
948  while (dsize > 3)
949  {
950  servname_type = *(sdata++);
951  n2s(sdata,len);
952  dsize -= 3;
953 
954  if (len > dsize)
955  {
956  *al = SSL_AD_DECODE_ERROR;
957  return 0;
958  }
959  if (s->servername_done == 0)
960  switch (servname_type)
961  {
962  case TLSEXT_NAMETYPE_host_name:
963  if (!s->hit)
964  {
965  if(s->session->tlsext_hostname)
966  {
967  *al = SSL_AD_DECODE_ERROR;
968  return 0;
969  }
970  if (len > TLSEXT_MAXLEN_host_name)
971  {
972  *al = TLS1_AD_UNRECOGNIZED_NAME;
973  return 0;
974  }
975  if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
976  {
977  *al = TLS1_AD_INTERNAL_ERROR;
978  return 0;
979  }
980  memcpy(s->session->tlsext_hostname, sdata, len);
981  s->session->tlsext_hostname[len]='\0';
982  if (strlen(s->session->tlsext_hostname) != len) {
983  OPENSSL_free(s->session->tlsext_hostname);
984  s->session->tlsext_hostname = NULL;
985  *al = TLS1_AD_UNRECOGNIZED_NAME;
986  return 0;
987  }
988  s->servername_done = 1;
989 
990  }
991  else
992  s->servername_done = s->session->tlsext_hostname
993  && strlen(s->session->tlsext_hostname) == len
994  && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
995 
996  break;
997 
998  default:
999  break;
1000  }
1001 
1002  dsize -= len;
1003  }
1004  if (dsize != 0)
1005  {
1006  *al = SSL_AD_DECODE_ERROR;
1007  return 0;
1008  }
1009 
1010  }
1011 #ifndef OPENSSL_NO_SRP
1012  else if (type == TLSEXT_TYPE_srp)
1013  {
1014  if (size <= 0 || ((len = data[0])) != (size -1))
1015  {
1016  *al = SSL_AD_DECODE_ERROR;
1017  return 0;
1018  }
1019  if (s->srp_ctx.login != NULL)
1020  {
1021  *al = SSL_AD_DECODE_ERROR;
1022  return 0;
1023  }
1024  if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1025  return -1;
1026  memcpy(s->srp_ctx.login, &data[1], len);
1027  s->srp_ctx.login[len]='\0';
1028 
1029  if (strlen(s->srp_ctx.login) != len)
1030  {
1031  *al = SSL_AD_DECODE_ERROR;
1032  return 0;
1033  }
1034  }
1035 #endif
1036 
1037 #ifndef OPENSSL_NO_EC
1038  else if (type == TLSEXT_TYPE_ec_point_formats &&
1039  s->version != DTLS1_VERSION)
1040  {
1041  unsigned char *sdata = data;
1042  int ecpointformatlist_length = *(sdata++);
1043 
1044  if (ecpointformatlist_length != size - 1)
1045  {
1046  *al = TLS1_AD_DECODE_ERROR;
1047  return 0;
1048  }
1049  if (!s->hit)
1050  {
1051  if(s->session->tlsext_ecpointformatlist)
1052  {
1053  OPENSSL_free(s->session->tlsext_ecpointformatlist);
1054  s->session->tlsext_ecpointformatlist = NULL;
1055  }
1056  s->session->tlsext_ecpointformatlist_length = 0;
1057  if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1058  {
1059  *al = TLS1_AD_INTERNAL_ERROR;
1060  return 0;
1061  }
1062  s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1063  memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1064  }
1065 #if 0
1066  fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1067  sdata = s->session->tlsext_ecpointformatlist;
1068  for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1069  fprintf(stderr,"%i ",*(sdata++));
1070  fprintf(stderr,"\n");
1071 #endif
1072  }
1073  else if (type == TLSEXT_TYPE_elliptic_curves &&
1074  s->version != DTLS1_VERSION)
1075  {
1076  unsigned char *sdata = data;
1077  int ellipticcurvelist_length = (*(sdata++) << 8);
1078  ellipticcurvelist_length += (*(sdata++));
1079 
1080  if (ellipticcurvelist_length != size - 2)
1081  {
1082  *al = TLS1_AD_DECODE_ERROR;
1083  return 0;
1084  }
1085  if (!s->hit)
1086  {
1087  if(s->session->tlsext_ellipticcurvelist)
1088  {
1089  *al = TLS1_AD_DECODE_ERROR;
1090  return 0;
1091  }
1092  s->session->tlsext_ellipticcurvelist_length = 0;
1093  if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1094  {
1095  *al = TLS1_AD_INTERNAL_ERROR;
1096  return 0;
1097  }
1098  s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1099  memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1100  }
1101 #if 0
1102  fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1103  sdata = s->session->tlsext_ellipticcurvelist;
1104  for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1105  fprintf(stderr,"%i ",*(sdata++));
1106  fprintf(stderr,"\n");
1107 #endif
1108  }
1109 #endif /* OPENSSL_NO_EC */
1110 #ifdef TLSEXT_TYPE_opaque_prf_input
1111  else if (type == TLSEXT_TYPE_opaque_prf_input &&
1112  s->version != DTLS1_VERSION)
1113  {
1114  unsigned char *sdata = data;
1115 
1116  if (size < 2)
1117  {
1118  *al = SSL_AD_DECODE_ERROR;
1119  return 0;
1120  }
1121  n2s(sdata, s->s3->client_opaque_prf_input_len);
1122  if (s->s3->client_opaque_prf_input_len != size - 2)
1123  {
1124  *al = SSL_AD_DECODE_ERROR;
1125  return 0;
1126  }
1127 
1128  if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1129  OPENSSL_free(s->s3->client_opaque_prf_input);
1130  if (s->s3->client_opaque_prf_input_len == 0)
1131  s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1132  else
1133  s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1134  if (s->s3->client_opaque_prf_input == NULL)
1135  {
1136  *al = TLS1_AD_INTERNAL_ERROR;
1137  return 0;
1138  }
1139  }
1140 #endif
1141  else if (type == TLSEXT_TYPE_session_ticket)
1142  {
1143  if (s->tls_session_ticket_ext_cb &&
1144  !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1145  {
1146  *al = TLS1_AD_INTERNAL_ERROR;
1147  return 0;
1148  }
1149  }
1150  else if (type == TLSEXT_TYPE_renegotiate)
1151  {
1152  if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1153  return 0;
1154  renegotiate_seen = 1;
1155  }
1156  else if (type == TLSEXT_TYPE_signature_algorithms)
1157  {
1158  int dsize;
1159  if (sigalg_seen || size < 2)
1160  {
1161  *al = SSL_AD_DECODE_ERROR;
1162  return 0;
1163  }
1164  sigalg_seen = 1;
1165  n2s(data,dsize);
1166  size -= 2;
1167  if (dsize != size || dsize & 1)
1168  {
1169  *al = SSL_AD_DECODE_ERROR;
1170  return 0;
1171  }
1172  if (!tls1_process_sigalgs(s, data, dsize))
1173  {
1174  *al = SSL_AD_DECODE_ERROR;
1175  return 0;
1176  }
1177  }
1178  else if (type == TLSEXT_TYPE_status_request &&
1179  s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1180  {
1181 
1182  if (size < 5)
1183  {
1184  *al = SSL_AD_DECODE_ERROR;
1185  return 0;
1186  }
1187 
1188  s->tlsext_status_type = *data++;
1189  size--;
1190  if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1191  {
1192  const unsigned char *sdata;
1193  int dsize;
1194  /* Read in responder_id_list */
1195  n2s(data,dsize);
1196  size -= 2;
1197  if (dsize > size )
1198  {
1199  *al = SSL_AD_DECODE_ERROR;
1200  return 0;
1201  }
1202  while (dsize > 0)
1203  {
1204  OCSP_RESPID *id;
1205  int idsize;
1206  if (dsize < 4)
1207  {
1208  *al = SSL_AD_DECODE_ERROR;
1209  return 0;
1210  }
1211  n2s(data, idsize);
1212  dsize -= 2 + idsize;
1213  size -= 2 + idsize;
1214  if (dsize < 0)
1215  {
1216  *al = SSL_AD_DECODE_ERROR;
1217  return 0;
1218  }
1219  sdata = data;
1220  data += idsize;
1221  id = d2i_OCSP_RESPID(NULL,
1222  &sdata, idsize);
1223  if (!id)
1224  {
1225  *al = SSL_AD_DECODE_ERROR;
1226  return 0;
1227  }
1228  if (data != sdata)
1229  {
1230  OCSP_RESPID_free(id);
1231  *al = SSL_AD_DECODE_ERROR;
1232  return 0;
1233  }
1234  if (!s->tlsext_ocsp_ids
1235  && !(s->tlsext_ocsp_ids =
1236  sk_OCSP_RESPID_new_null()))
1237  {
1238  OCSP_RESPID_free(id);
1239  *al = SSL_AD_INTERNAL_ERROR;
1240  return 0;
1241  }
1242  if (!sk_OCSP_RESPID_push(
1243  s->tlsext_ocsp_ids, id))
1244  {
1245  OCSP_RESPID_free(id);
1246  *al = SSL_AD_INTERNAL_ERROR;
1247  return 0;
1248  }
1249  }
1250 
1251  /* Read in request_extensions */
1252  if (size < 2)
1253  {
1254  *al = SSL_AD_DECODE_ERROR;
1255  return 0;
1256  }
1257  n2s(data,dsize);
1258  size -= 2;
1259  if (dsize != size)
1260  {
1261  *al = SSL_AD_DECODE_ERROR;
1262  return 0;
1263  }
1264  sdata = data;
1265  if (dsize > 0)
1266  {
1267  if (s->tlsext_ocsp_exts)
1268  {
1269  sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1270  X509_EXTENSION_free);
1271  }
1272 
1273  s->tlsext_ocsp_exts =
1274  d2i_X509_EXTENSIONS(NULL,
1275  &sdata, dsize);
1276  if (!s->tlsext_ocsp_exts
1277  || (data + dsize != sdata))
1278  {
1279  *al = SSL_AD_DECODE_ERROR;
1280  return 0;
1281  }
1282  }
1283  }
1284  /* We don't know what to do with any other type
1285  * so ignore it.
1286  */
1287  else
1288  s->tlsext_status_type = -1;
1289  }
1290 #ifndef OPENSSL_NO_HEARTBEATS
1291  else if (type == TLSEXT_TYPE_heartbeat)
1292  {
1293  switch(data[0])
1294  {
1295  case 0x01: /* Client allows us to send HB requests */
1296  s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1297  break;
1298  case 0x02: /* Client doesn't accept HB requests */
1299  s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1300  s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1301  break;
1302  default: *al = SSL_AD_ILLEGAL_PARAMETER;
1303  return 0;
1304  }
1305  }
1306 #endif
1307 #ifndef OPENSSL_NO_NEXTPROTONEG
1308  else if (type == TLSEXT_TYPE_next_proto_neg &&
1309  s->s3->tmp.finish_md_len == 0)
1310  {
1311  /* We shouldn't accept this extension on a
1312  * renegotiation.
1313  *
1314  * s->new_session will be set on renegotiation, but we
1315  * probably shouldn't rely that it couldn't be set on
1316  * the initial renegotation too in certain cases (when
1317  * there's some other reason to disallow resuming an
1318  * earlier session -- the current code won't be doing
1319  * anything like that, but this might change).
1320 
1321  * A valid sign that there's been a previous handshake
1322  * in this connection is if s->s3->tmp.finish_md_len >
1323  * 0. (We are talking about a check that will happen
1324  * in the Hello protocol round, well before a new
1325  * Finished message could have been computed.) */
1326  s->s3->next_proto_neg_seen = 1;
1327  }
1328 #endif
1329 
1330  /* session ticket processed earlier */
1331  else if (type == TLSEXT_TYPE_use_srtp)
1332  {
1333  if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1334  al))
1335  return 0;
1336  }
1337 
1338  data+=size;
1339  }
1340 
1341  *p = data;
1342 
1343  ri_check:
1344 
1345  /* Need RI if renegotiating */
1346 
1347  if (!renegotiate_seen && s->renegotiate &&
1348  !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1349  {
1350  *al = SSL_AD_HANDSHAKE_FAILURE;
1351  SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1352  SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1353  return 0;
1354  }
1355 
1356  return 1;
1357  }
1358 
1359 #ifndef OPENSSL_NO_NEXTPROTONEG
1360 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1361  * elements of zero length are allowed and the set of elements must exactly fill
1362  * the length of the block. */
1363 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1364  {
1365  unsigned int off = 0;
1366 
1367  while (off < len)
1368  {
1369  if (d[off] == 0)
1370  return 0;
1371  off += d[off];
1372  off++;
1373  }
1374 
1375  return off == len;
1376  }
1377 #endif
1378 
1379 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1380  {
1381  unsigned short length;
1382  unsigned short type;
1383  unsigned short size;
1384  unsigned char *data = *p;
1385  int tlsext_servername = 0;
1386  int renegotiate_seen = 0;
1387 
1388 #ifndef OPENSSL_NO_NEXTPROTONEG
1389  s->s3->next_proto_neg_seen = 0;
1390 #endif
1391 
1392 #ifndef OPENSSL_NO_HEARTBEATS
1393  s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1394  SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1395 #endif
1396 
1397  if (data >= (d+n-2))
1398  goto ri_check;
1399 
1400  n2s(data,length);
1401  if (data+length != d+n)
1402  {
1403  *al = SSL_AD_DECODE_ERROR;
1404  return 0;
1405  }
1406 
1407  while(data <= (d+n-4))
1408  {
1409  n2s(data,type);
1410  n2s(data,size);
1411 
1412  if (data+size > (d+n))
1413  goto ri_check;
1414 
1415  if (s->tlsext_debug_cb)
1416  s->tlsext_debug_cb(s, 1, type, data, size,
1417  s->tlsext_debug_arg);
1418 
1419  if (type == TLSEXT_TYPE_server_name)
1420  {
1421  if (s->tlsext_hostname == NULL || size > 0)
1422  {
1423  *al = TLS1_AD_UNRECOGNIZED_NAME;
1424  return 0;
1425  }
1426  tlsext_servername = 1;
1427  }
1428 
1429 #ifndef OPENSSL_NO_EC
1430  else if (type == TLSEXT_TYPE_ec_point_formats &&
1431  s->version != DTLS1_VERSION)
1432  {
1433  unsigned char *sdata = data;
1434  int ecpointformatlist_length = *(sdata++);
1435 
1436  if (ecpointformatlist_length != size - 1)
1437  {
1438  *al = TLS1_AD_DECODE_ERROR;
1439  return 0;
1440  }
1441  s->session->tlsext_ecpointformatlist_length = 0;
1442  if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1443  if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1444  {
1445  *al = TLS1_AD_INTERNAL_ERROR;
1446  return 0;
1447  }
1448  s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1449  memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1450 #if 0
1451  fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1452  sdata = s->session->tlsext_ecpointformatlist;
1453  for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1454  fprintf(stderr,"%i ",*(sdata++));
1455  fprintf(stderr,"\n");
1456 #endif
1457  }
1458 #endif /* OPENSSL_NO_EC */
1459 
1460  else if (type == TLSEXT_TYPE_session_ticket)
1461  {
1462  if (s->tls_session_ticket_ext_cb &&
1463  !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1464  {
1465  *al = TLS1_AD_INTERNAL_ERROR;
1466  return 0;
1467  }
1468  if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1469  || (size > 0))
1470  {
1471  *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1472  return 0;
1473  }
1474  s->tlsext_ticket_expected = 1;
1475  }
1476 #ifdef TLSEXT_TYPE_opaque_prf_input
1477  else if (type == TLSEXT_TYPE_opaque_prf_input &&
1478  s->version != DTLS1_VERSION)
1479  {
1480  unsigned char *sdata = data;
1481 
1482  if (size < 2)
1483  {
1484  *al = SSL_AD_DECODE_ERROR;
1485  return 0;
1486  }
1487  n2s(sdata, s->s3->server_opaque_prf_input_len);
1488  if (s->s3->server_opaque_prf_input_len != size - 2)
1489  {
1490  *al = SSL_AD_DECODE_ERROR;
1491  return 0;
1492  }
1493 
1494  if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1495  OPENSSL_free(s->s3->server_opaque_prf_input);
1496  if (s->s3->server_opaque_prf_input_len == 0)
1497  s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1498  else
1499  s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1500 
1501  if (s->s3->server_opaque_prf_input == NULL)
1502  {
1503  *al = TLS1_AD_INTERNAL_ERROR;
1504  return 0;
1505  }
1506  }
1507 #endif
1508  else if (type == TLSEXT_TYPE_status_request &&
1509  s->version != DTLS1_VERSION)
1510  {
1511  /* MUST be empty and only sent if we've requested
1512  * a status request message.
1513  */
1514  if ((s->tlsext_status_type == -1) || (size > 0))
1515  {
1516  *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1517  return 0;
1518  }
1519  /* Set flag to expect CertificateStatus message */
1520  s->tlsext_status_expected = 1;
1521  }
1522 #ifndef OPENSSL_NO_NEXTPROTONEG
1523  else if (type == TLSEXT_TYPE_next_proto_neg &&
1524  s->s3->tmp.finish_md_len == 0)
1525  {
1526  unsigned char *selected;
1527  unsigned char selected_len;
1528 
1529  /* We must have requested it. */
1530  if ((s->ctx->next_proto_select_cb == NULL))
1531  {
1532  *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1533  return 0;
1534  }
1535  /* The data must be valid */
1536  if (!ssl_next_proto_validate(data, size))
1537  {
1538  *al = TLS1_AD_DECODE_ERROR;
1539  return 0;
1540  }
1541  if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1542  {
1543  *al = TLS1_AD_INTERNAL_ERROR;
1544  return 0;
1545  }
1546  s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1547  if (!s->next_proto_negotiated)
1548  {
1549  *al = TLS1_AD_INTERNAL_ERROR;
1550  return 0;
1551  }
1552  memcpy(s->next_proto_negotiated, selected, selected_len);
1553  s->next_proto_negotiated_len = selected_len;
1554  s->s3->next_proto_neg_seen = 1;
1555  }
1556 #endif
1557  else if (type == TLSEXT_TYPE_renegotiate)
1558  {
1559  if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1560  return 0;
1561  renegotiate_seen = 1;
1562  }
1563 #ifndef OPENSSL_NO_HEARTBEATS
1564  else if (type == TLSEXT_TYPE_heartbeat)
1565  {
1566  switch(data[0])
1567  {
1568  case 0x01: /* Server allows us to send HB requests */
1569  s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1570  break;
1571  case 0x02: /* Server doesn't accept HB requests */
1572  s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1573  s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1574  break;
1575  default: *al = SSL_AD_ILLEGAL_PARAMETER;
1576  return 0;
1577  }
1578  }
1579 #endif
1580  else if (type == TLSEXT_TYPE_use_srtp)
1581  {
1582  if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1583  al))
1584  return 0;
1585  }
1586 
1587  data+=size;
1588  }
1589 
1590  if (data != d+n)
1591  {
1592  *al = SSL_AD_DECODE_ERROR;
1593  return 0;
1594  }
1595 
1596  if (!s->hit && tlsext_servername == 1)
1597  {
1598  if (s->tlsext_hostname)
1599  {
1600  if (s->session->tlsext_hostname == NULL)
1601  {
1602  s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1603  if (!s->session->tlsext_hostname)
1604  {
1605  *al = SSL_AD_UNRECOGNIZED_NAME;
1606  return 0;
1607  }
1608  }
1609  else
1610  {
1611  *al = SSL_AD_DECODE_ERROR;
1612  return 0;
1613  }
1614  }
1615  }
1616 
1617  *p = data;
1618 
1619  ri_check:
1620 
1621  /* Determine if we need to see RI. Strictly speaking if we want to
1622  * avoid an attack we should *always* see RI even on initial server
1623  * hello because the client doesn't see any renegotiation during an
1624  * attack. However this would mean we could not connect to any server
1625  * which doesn't support RI so for the immediate future tolerate RI
1626  * absence on initial connect only.
1627  */
1628  if (!renegotiate_seen
1629  && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1630  && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1631  {
1632  *al = SSL_AD_HANDSHAKE_FAILURE;
1633  SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1634  SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1635  return 0;
1636  }
1637 
1638  return 1;
1639  }
1640 
1641 
1642 int ssl_prepare_clienthello_tlsext(SSL *s)
1643  {
1644 #ifndef OPENSSL_NO_EC
1645  /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1646  * and elliptic curves we support.
1647  */
1648  int using_ecc = 0;
1649  int i;
1650  unsigned char *j;
1651  unsigned long alg_k, alg_a;
1652  STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1653 
1654  for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1655  {
1656  SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1657 
1658  alg_k = c->algorithm_mkey;
1659  alg_a = c->algorithm_auth;
1660  if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1661  {
1662  using_ecc = 1;
1663  break;
1664  }
1665  }
1666  using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1667  if (using_ecc)
1668  {
1669  if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1670  if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1671  {
1672  SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1673  return -1;
1674  }
1675  s->tlsext_ecpointformatlist_length = 3;
1676  s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1677  s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1678  s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1679 
1680  /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1681  if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1682  s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1683  if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1684  {
1685  s->tlsext_ellipticcurvelist_length = 0;
1686  SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1687  return -1;
1688  }
1689  for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1690  sizeof(pref_list)/sizeof(pref_list[0]); i++)
1691  {
1692  int id = tls1_ec_nid2curve_id(pref_list[i]);
1693  s2n(id,j);
1694  }
1695  }
1696 #endif /* OPENSSL_NO_EC */
1697 
1698 #ifdef TLSEXT_TYPE_opaque_prf_input
1699  {
1700  int r = 1;
1701 
1702  if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1703  {
1704  r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1705  if (!r)
1706  return -1;
1707  }
1708 
1709  if (s->tlsext_opaque_prf_input != NULL)
1710  {
1711  if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1712  OPENSSL_free(s->s3->client_opaque_prf_input);
1713 
1714  if (s->tlsext_opaque_prf_input_len == 0)
1715  s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1716  else
1717  s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1718  if (s->s3->client_opaque_prf_input == NULL)
1719  {
1720  SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1721  return -1;
1722  }
1723  s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1724  }
1725 
1726  if (r == 2)
1727  /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1728  s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1729  }
1730 #endif
1731 
1732  return 1;
1733  }
1734 
1735 int ssl_prepare_serverhello_tlsext(SSL *s)
1736  {
1737 #ifndef OPENSSL_NO_EC
1738  /* If we are server and using an ECC cipher suite, send the point formats we support
1739  * if the client sent us an ECPointsFormat extension. Note that the server is not
1740  * supposed to send an EllipticCurves extension.
1741  */
1742 
1743  unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1744  unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1745  int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1746  using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1747 
1748  if (using_ecc)
1749  {
1750  if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1751  if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1752  {
1753  SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1754  return -1;
1755  }
1756  s->tlsext_ecpointformatlist_length = 3;
1757  s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1758  s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1759  s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1760  }
1761 #endif /* OPENSSL_NO_EC */
1762 
1763  return 1;
1764  }
1765 
1766 int ssl_check_clienthello_tlsext(SSL *s)
1767  {
1768  int ret=SSL_TLSEXT_ERR_NOACK;
1769  int al = SSL_AD_UNRECOGNIZED_NAME;
1770 
1771 #ifndef OPENSSL_NO_EC
1772  /* The handling of the ECPointFormats extension is done elsewhere, namely in
1773  * ssl3_choose_cipher in s3_lib.c.
1774  */
1775  /* The handling of the EllipticCurves extension is done elsewhere, namely in
1776  * ssl3_choose_cipher in s3_lib.c.
1777  */
1778 #endif
1779 
1780  if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1781  ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1782  else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1783  ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1784 
1785  /* If status request then ask callback what to do.
1786  * Note: this must be called after servername callbacks in case
1787  * the certificate has changed.
1788  */
1789  if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1790  {
1791  int r;
1792  r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1793  switch (r)
1794  {
1795  /* We don't want to send a status request response */
1796  case SSL_TLSEXT_ERR_NOACK:
1797  s->tlsext_status_expected = 0;
1798  break;
1799  /* status request response should be sent */
1800  case SSL_TLSEXT_ERR_OK:
1801  if (s->tlsext_ocsp_resp)
1802  s->tlsext_status_expected = 1;
1803  else
1804  s->tlsext_status_expected = 0;
1805  break;
1806  /* something bad happened */
1807  case SSL_TLSEXT_ERR_ALERT_FATAL:
1808  ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1809  al = SSL_AD_INTERNAL_ERROR;
1810  goto err;
1811  }
1812  }
1813  else
1814  s->tlsext_status_expected = 0;
1815 
1816 #ifdef TLSEXT_TYPE_opaque_prf_input
1817  {
1818  /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1819  * but we might be sending an alert in response to the client hello,
1820  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1821 
1822  int r = 1;
1823 
1824  if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1825  {
1826  r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1827  if (!r)
1828  {
1829  ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1830  al = SSL_AD_INTERNAL_ERROR;
1831  goto err;
1832  }
1833  }
1834 
1835  if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1836  OPENSSL_free(s->s3->server_opaque_prf_input);
1837  s->s3->server_opaque_prf_input = NULL;
1838 
1839  if (s->tlsext_opaque_prf_input != NULL)
1840  {
1841  if (s->s3->client_opaque_prf_input != NULL &&
1842  s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1843  {
1844  /* can only use this extension if we have a server opaque PRF input
1845  * of the same length as the client opaque PRF input! */
1846 
1847  if (s->tlsext_opaque_prf_input_len == 0)
1848  s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1849  else
1850  s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1851  if (s->s3->server_opaque_prf_input == NULL)
1852  {
1853  ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1854  al = SSL_AD_INTERNAL_ERROR;
1855  goto err;
1856  }
1857  s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1858  }
1859  }
1860 
1861  if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1862  {
1863  /* The callback wants to enforce use of the extension,
1864  * but we can't do that with the client opaque PRF input;
1865  * abort the handshake.
1866  */
1867  ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1868  al = SSL_AD_HANDSHAKE_FAILURE;
1869  }
1870  }
1871 
1872 #endif
1873  err:
1874  switch (ret)
1875  {
1876  case SSL_TLSEXT_ERR_ALERT_FATAL:
1877  ssl3_send_alert(s,SSL3_AL_FATAL,al);
1878  return -1;
1879 
1880  case SSL_TLSEXT_ERR_ALERT_WARNING:
1881  ssl3_send_alert(s,SSL3_AL_WARNING,al);
1882  return 1;
1883 
1884  case SSL_TLSEXT_ERR_NOACK:
1885  s->servername_done=0;
1886  default:
1887  return 1;
1888  }
1889  }
1890 
1891 int ssl_check_serverhello_tlsext(SSL *s)
1892  {
1893  int ret=SSL_TLSEXT_ERR_NOACK;
1894  int al = SSL_AD_UNRECOGNIZED_NAME;
1895 
1896 #ifndef OPENSSL_NO_EC
1897  /* If we are client and using an elliptic curve cryptography cipher
1898  * suite, then if server returns an EC point formats lists extension
1899  * it must contain uncompressed.
1900  */
1901  unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1902  unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1903  if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
1904  (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
1905  ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1906  {
1907  /* we are using an ECC cipher */
1908  size_t i;
1909  unsigned char *list;
1910  int found_uncompressed = 0;
1911  list = s->session->tlsext_ecpointformatlist;
1912  for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1913  {
1914  if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1915  {
1916  found_uncompressed = 1;
1917  break;
1918  }
1919  }
1920  if (!found_uncompressed)
1921  {
1922  SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1923  return -1;
1924  }
1925  }
1926  ret = SSL_TLSEXT_ERR_OK;
1927 #endif /* OPENSSL_NO_EC */
1928 
1929  if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1930  ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1931  else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1932  ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1933 
1934 #ifdef TLSEXT_TYPE_opaque_prf_input
1935  if (s->s3->server_opaque_prf_input_len > 0)
1936  {
1937  /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1938  * So first verify that we really have a value from the server too. */
1939 
1940  if (s->s3->server_opaque_prf_input == NULL)
1941  {
1942  ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1943  al = SSL_AD_HANDSHAKE_FAILURE;
1944  }
1945 
1946  /* Anytime the server *has* sent an opaque PRF input, we need to check
1947  * that we have a client opaque PRF input of the same size. */
1948  if (s->s3->client_opaque_prf_input == NULL ||
1949  s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1950  {
1951  ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1952  al = SSL_AD_ILLEGAL_PARAMETER;
1953  }
1954  }
1955 #endif
1956 
1957  /* If we've requested certificate status and we wont get one
1958  * tell the callback
1959  */
1960  if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1961  && s->ctx && s->ctx->tlsext_status_cb)
1962  {
1963  int r;
1964  /* Set resp to NULL, resplen to -1 so callback knows
1965  * there is no response.
1966  */
1967  if (s->tlsext_ocsp_resp)
1968  {
1969  OPENSSL_free(s->tlsext_ocsp_resp);
1970  s->tlsext_ocsp_resp = NULL;
1971  }
1972  s->tlsext_ocsp_resplen = -1;
1973  r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1974  if (r == 0)
1975  {
1976  al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1977  ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1978  }
1979  if (r < 0)
1980  {
1981  al = SSL_AD_INTERNAL_ERROR;
1982  ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1983  }
1984  }
1985 
1986  switch (ret)
1987  {
1988  case SSL_TLSEXT_ERR_ALERT_FATAL:
1989  ssl3_send_alert(s,SSL3_AL_FATAL,al);
1990  return -1;
1991 
1992  case SSL_TLSEXT_ERR_ALERT_WARNING:
1993  ssl3_send_alert(s,SSL3_AL_WARNING,al);
1994  return 1;
1995 
1996  case SSL_TLSEXT_ERR_NOACK:
1997  s->servername_done=0;
1998  default:
1999  return 1;
2000  }
2001  }
2002 
2003 /* Since the server cache lookup is done early on in the processing of the
2004  * ClientHello, and other operations depend on the result, we need to handle
2005  * any TLS session ticket extension at the same time.
2006  *
2007  * session_id: points at the session ID in the ClientHello. This code will
2008  * read past the end of this in order to parse out the session ticket
2009  * extension, if any.
2010  * len: the length of the session ID.
2011  * limit: a pointer to the first byte after the ClientHello.
2012  * ret: (output) on return, if a ticket was decrypted, then this is set to
2013  * point to the resulting session.
2014  *
2015  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2016  * ciphersuite, in which case we have no use for session tickets and one will
2017  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2018  *
2019  * Returns:
2020  * -1: fatal error, either from parsing or decrypting the ticket.
2021  * 0: no ticket was found (or was ignored, based on settings).
2022  * 1: a zero length extension was found, indicating that the client supports
2023  * session tickets but doesn't currently have one to offer.
2024  * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2025  * couldn't be decrypted because of a non-fatal error.
2026  * 3: a ticket was successfully decrypted and *ret was set.
2027  *
2028  * Side effects:
2029  * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2030  * a new session ticket to the client because the client indicated support
2031  * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2032  * a session ticket or we couldn't use the one it gave us, or if
2033  * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2034  * Otherwise, s->tlsext_ticket_expected is set to 0.
2035  */
2036 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2037  const unsigned char *limit, SSL_SESSION **ret)
2038  {
2039  /* Point after session ID in client hello */
2040  const unsigned char *p = session_id + len;
2041  unsigned short i;
2042 
2043  *ret = NULL;
2044  s->tlsext_ticket_expected = 0;
2045 
2046  /* If tickets disabled behave as if no ticket present
2047  * to permit stateful resumption.
2048  */
2049  if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2050  return 0;
2051  if ((s->version <= SSL3_VERSION) || !limit)
2052  return 0;
2053  if (p >= limit)
2054  return -1;
2055  /* Skip past DTLS cookie */
2056  if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2057  {
2058  i = *(p++);
2059  p+= i;
2060  if (p >= limit)
2061  return -1;
2062  }
2063  /* Skip past cipher list */
2064  n2s(p, i);
2065  p+= i;
2066  if (p >= limit)
2067  return -1;
2068  /* Skip past compression algorithm list */
2069  i = *(p++);
2070  p += i;
2071  if (p > limit)
2072  return -1;
2073  /* Now at start of extensions */
2074  if ((p + 2) >= limit)
2075  return 0;
2076  n2s(p, i);
2077  while ((p + 4) <= limit)
2078  {
2079  unsigned short type, size;
2080  n2s(p, type);
2081  n2s(p, size);
2082  if (p + size > limit)
2083  return 0;
2084  if (type == TLSEXT_TYPE_session_ticket)
2085  {
2086  int r;
2087  if (size == 0)
2088  {
2089  /* The client will accept a ticket but doesn't
2090  * currently have one. */
2091  s->tlsext_ticket_expected = 1;
2092  return 1;
2093  }
2094  if (s->tls_session_secret_cb)
2095  {
2096  /* Indicate that the ticket couldn't be
2097  * decrypted rather than generating the session
2098  * from ticket now, trigger abbreviated
2099  * handshake based on external mechanism to
2100  * calculate the master secret later. */
2101  return 2;
2102  }
2103  r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2104  switch (r)
2105  {
2106  case 2: /* ticket couldn't be decrypted */
2107  s->tlsext_ticket_expected = 1;
2108  return 2;
2109  case 3: /* ticket was decrypted */
2110  return r;
2111  case 4: /* ticket decrypted but need to renew */
2112  s->tlsext_ticket_expected = 1;
2113  return 3;
2114  default: /* fatal error */
2115  return -1;
2116  }
2117  }
2118  p += size;
2119  }
2120  return 0;
2121  }
2122 
2123 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2124  *
2125  * etick: points to the body of the session ticket extension.
2126  * eticklen: the length of the session tickets extenion.
2127  * sess_id: points at the session ID.
2128  * sesslen: the length of the session ID.
2129  * psess: (output) on return, if a ticket was decrypted, then this is set to
2130  * point to the resulting session.
2131  *
2132  * Returns:
2133  * -1: fatal error, either from parsing or decrypting the ticket.
2134  * 2: the ticket couldn't be decrypted.
2135  * 3: a ticket was successfully decrypted and *psess was set.
2136  * 4: same as 3, but the ticket needs to be renewed.
2137  */
2138 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2139  const unsigned char *sess_id, int sesslen,
2140  SSL_SESSION **psess)
2141  {
2142  SSL_SESSION *sess;
2143  unsigned char *sdec;
2144  const unsigned char *p;
2145  int slen, mlen, renew_ticket = 0;
2146  unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2147  HMAC_CTX hctx;
2148  EVP_CIPHER_CTX ctx;
2149  SSL_CTX *tctx = s->initial_ctx;
2150  /* Need at least keyname + iv + some encrypted data */
2151  if (eticklen < 48)
2152  return 2;
2153  /* Initialize session ticket encryption and HMAC contexts */
2154  HMAC_CTX_init(&hctx);
2155  EVP_CIPHER_CTX_init(&ctx);
2156  if (tctx->tlsext_ticket_key_cb)
2157  {
2158  unsigned char *nctick = (unsigned char *)etick;
2159  int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2160  &ctx, &hctx, 0);
2161  if (rv < 0)
2162  return -1;
2163  if (rv == 0)
2164  return 2;
2165  if (rv == 2)
2166  renew_ticket = 1;
2167  }
2168  else
2169  {
2170  /* Check key name matches */
2171  if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2172  return 2;
2173  HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2174  tlsext_tick_md(), NULL);
2175  EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2176  tctx->tlsext_tick_aes_key, etick + 16);
2177  }
2178  /* Attempt to process session ticket, first conduct sanity and
2179  * integrity checks on ticket.
2180  */
2181  mlen = HMAC_size(&hctx);
2182  if (mlen < 0)
2183  {
2184  EVP_CIPHER_CTX_cleanup(&ctx);
2185  return -1;
2186  }
2187  eticklen -= mlen;
2188  /* Check HMAC of encrypted ticket */
2189  HMAC_Update(&hctx, etick, eticklen);
2190  HMAC_Final(&hctx, tick_hmac, NULL);
2191  HMAC_CTX_cleanup(&hctx);
2192  if (memcmp(tick_hmac, etick + eticklen, mlen))
2193  return 2;
2194  /* Attempt to decrypt session data */
2195  /* Move p after IV to start of encrypted ticket, update length */
2196  p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2197  eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2198  sdec = OPENSSL_malloc(eticklen);
2199  if (!sdec)
2200  {
2201  EVP_CIPHER_CTX_cleanup(&ctx);
2202  return -1;
2203  }
2204  EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2205  if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2206  return 2;
2207  slen += mlen;
2208  EVP_CIPHER_CTX_cleanup(&ctx);
2209  p = sdec;
2210 
2211  sess = d2i_SSL_SESSION(NULL, &p, slen);
2212  OPENSSL_free(sdec);
2213  if (sess)
2214  {
2215  /* The session ID, if non-empty, is used by some clients to
2216  * detect that the ticket has been accepted. So we copy it to
2217  * the session structure. If it is empty set length to zero
2218  * as required by standard.
2219  */
2220  if (sesslen)
2221  memcpy(sess->session_id, sess_id, sesslen);
2222  sess->session_id_length = sesslen;
2223  *psess = sess;
2224  if (renew_ticket)
2225  return 4;
2226  else
2227  return 3;
2228  }
2229  ERR_clear_error();
2230  /* For session parse failure, indicate that we need to send a new
2231  * ticket. */
2232  return 2;
2233  }
2234 
2235 /* Tables to translate from NIDs to TLS v1.2 ids */
2236 
2237 typedef struct
2238  {
2239  int nid;
2240  int id;
2241  } tls12_lookup;
2242 
2243 static tls12_lookup tls12_md[] = {
2244 #ifndef OPENSSL_NO_MD5
2245  {NID_md5, TLSEXT_hash_md5},
2246 #endif
2247 #ifndef OPENSSL_NO_SHA
2248  {NID_sha1, TLSEXT_hash_sha1},
2249 #endif
2250 #ifndef OPENSSL_NO_SHA256
2251  {NID_sha224, TLSEXT_hash_sha224},
2252  {NID_sha256, TLSEXT_hash_sha256},
2253 #endif
2254 #ifndef OPENSSL_NO_SHA512
2255  {NID_sha384, TLSEXT_hash_sha384},
2256  {NID_sha512, TLSEXT_hash_sha512}
2257 #endif
2258 };
2259 
2260 static tls12_lookup tls12_sig[] = {
2261 #ifndef OPENSSL_NO_RSA
2262  {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2263 #endif
2264 #ifndef OPENSSL_NO_DSA
2265  {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2266 #endif
2267 #ifndef OPENSSL_NO_ECDSA
2268  {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2269 #endif
2270 };
2271 
2272 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2273  {
2274  size_t i;
2275  for (i = 0; i < tlen; i++)
2276  {
2277  if (table[i].nid == nid)
2278  return table[i].id;
2279  }
2280  return -1;
2281  }
2282 #if 0
2283 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2284  {
2285  size_t i;
2286  for (i = 0; i < tlen; i++)
2287  {
2288  if (table[i].id == id)
2289  return table[i].nid;
2290  }
2291  return -1;
2292  }
2293 #endif
2294 
2295 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2296  {
2297  int sig_id, md_id;
2298  if (!md)
2299  return 0;
2300  md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2301  sizeof(tls12_md)/sizeof(tls12_lookup));
2302  if (md_id == -1)
2303  return 0;
2304  sig_id = tls12_get_sigid(pk);
2305  if (sig_id == -1)
2306  return 0;
2307  p[0] = (unsigned char)md_id;
2308  p[1] = (unsigned char)sig_id;
2309  return 1;
2310  }
2311 
2312 int tls12_get_sigid(const EVP_PKEY *pk)
2313  {
2314  return tls12_find_id(pk->type, tls12_sig,
2315  sizeof(tls12_sig)/sizeof(tls12_lookup));
2316  }
2317 
2318 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2319  {
2320  switch(hash_alg)
2321  {
2322 #ifndef OPENSSL_NO_MD5
2323  case TLSEXT_hash_md5:
2324 #ifdef OPENSSL_FIPS
2325  if (FIPS_mode())
2326  return NULL;
2327 #endif
2328  return EVP_md5();
2329 #endif
2330 #ifndef OPENSSL_NO_SHA
2331  case TLSEXT_hash_sha1:
2332  return EVP_sha1();
2333 #endif
2334 #ifndef OPENSSL_NO_SHA256
2335  case TLSEXT_hash_sha224:
2336  return EVP_sha224();
2337 
2338  case TLSEXT_hash_sha256:
2339  return EVP_sha256();
2340 #endif
2341 #ifndef OPENSSL_NO_SHA512
2342  case TLSEXT_hash_sha384:
2343  return EVP_sha384();
2344 
2345  case TLSEXT_hash_sha512:
2346  return EVP_sha512();
2347 #endif
2348  default:
2349  return NULL;
2350 
2351  }
2352  }
2353 
2354 /* Set preferred digest for each key type */
2355 
2356 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2357  {
2358  int i, idx;
2359  const EVP_MD *md;
2360  CERT *c = s->cert;
2361  /* Extension ignored for TLS versions below 1.2 */
2362  if (TLS1_get_version(s) < TLS1_2_VERSION)
2363  return 1;
2364  /* Should never happen */
2365  if (!c)
2366  return 0;
2367 
2368  c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2369  c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2370  c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2371  c->pkeys[SSL_PKEY_ECC].digest = NULL;
2372 
2373  for (i = 0; i < dsize; i += 2)
2374  {
2375  unsigned char hash_alg = data[i], sig_alg = data[i+1];
2376 
2377  switch(sig_alg)
2378  {
2379 #ifndef OPENSSL_NO_RSA
2380  case TLSEXT_signature_rsa:
2381  idx = SSL_PKEY_RSA_SIGN;
2382  break;
2383 #endif
2384 #ifndef OPENSSL_NO_DSA
2385  case TLSEXT_signature_dsa:
2386  idx = SSL_PKEY_DSA_SIGN;
2387  break;
2388 #endif
2389 #ifndef OPENSSL_NO_ECDSA
2390  case TLSEXT_signature_ecdsa:
2391  idx = SSL_PKEY_ECC;
2392  break;
2393 #endif
2394  default:
2395  continue;
2396  }
2397 
2398  if (c->pkeys[idx].digest == NULL)
2399  {
2400  md = tls12_get_hash(hash_alg);
2401  if (md)
2402  {
2403  c->pkeys[idx].digest = md;
2404  if (idx == SSL_PKEY_RSA_SIGN)
2405  c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2406  }
2407  }
2408 
2409  }
2410 
2411 
2412  /* Set any remaining keys to default values. NOTE: if alg is not
2413  * supported it stays as NULL.
2414  */
2415 #ifndef OPENSSL_NO_DSA
2416  if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2417  c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2418 #endif
2419 #ifndef OPENSSL_NO_RSA
2420  if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2421  {
2422  c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2423  c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2424  }
2425 #endif
2426 #ifndef OPENSSL_NO_ECDSA
2427  if (!c->pkeys[SSL_PKEY_ECC].digest)
2428  c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2429 #endif
2430  return 1;
2431  }
2432 
2433 #endif
2434 
2435 #ifndef OPENSSL_NO_HEARTBEATS
2436 int
2437 tls1_process_heartbeat(SSL *s)
2438  {
2439  unsigned char *p = &s->s3->rrec.data[0], *pl;
2440  unsigned short hbtype;
2441  unsigned int payload;
2442  unsigned int padding = 16; /* Use minimum padding */
2443 
2444  /* Read type and payload length first */
2445  hbtype = *p++;
2446  n2s(p, payload);
2447  pl = p;
2448 
2449  if (s->msg_callback)
2450  s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2451  &s->s3->rrec.data[0], s->s3->rrec.length,
2452  s, s->msg_callback_arg);
2453 
2454  if (hbtype == TLS1_HB_REQUEST)
2455  {
2456  unsigned char *buffer, *bp;
2457  int r;
2458 
2459  /* Allocate memory for the response, size is 1 bytes
2460  * message type, plus 2 bytes payload length, plus
2461  * payload, plus padding
2462  */
2463  buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2464  bp = buffer;
2465 
2466  /* Enter response type, length and copy payload */
2467  *bp++ = TLS1_HB_RESPONSE;
2468  s2n(payload, bp);
2469  memcpy(bp, pl, payload);
2470  bp += payload;
2471  /* Random padding */
2472  RAND_pseudo_bytes(bp, padding);
2473 
2474  r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2475 
2476  if (r >= 0 && s->msg_callback)
2477  s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2478  buffer, 3 + payload + padding,
2479  s, s->msg_callback_arg);
2480 
2481  OPENSSL_free(buffer);
2482 
2483  if (r < 0)
2484  return r;
2485  }
2486  else if (hbtype == TLS1_HB_RESPONSE)
2487  {
2488  unsigned int seq;
2489 
2490  /* We only send sequence numbers (2 bytes unsigned int),
2491  * and 16 random bytes, so we just try to read the
2492  * sequence number */
2493  n2s(pl, seq);
2494 
2495  if (payload == 18 && seq == s->tlsext_hb_seq)
2496  {
2497  s->tlsext_hb_seq++;
2498  s->tlsext_hb_pending = 0;
2499  }
2500  }
2501 
2502  return 0;
2503  }
2504 
2505 int
2506 tls1_heartbeat(SSL *s)
2507  {
2508  unsigned char *buf, *p;
2509  int ret;
2510  unsigned int payload = 18; /* Sequence number + random bytes */
2511  unsigned int padding = 16; /* Use minimum padding */
2512 
2513  /* Only send if peer supports and accepts HB requests... */
2514  if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2515  s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2516  {
2517  SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2518  return -1;
2519  }
2520 
2521  /* ...and there is none in flight yet... */
2522  if (s->tlsext_hb_pending)
2523  {
2524  SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2525  return -1;
2526  }
2527 
2528  /* ...and no handshake in progress. */
2529  if (SSL_in_init(s) || s->in_handshake)
2530  {
2531  SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2532  return -1;
2533  }
2534 
2535  /* Check if padding is too long, payload and padding
2536  * must not exceed 2^14 - 3 = 16381 bytes in total.
2537  */
2538  OPENSSL_assert(payload + padding <= 16381);
2539 
2540  /* Create HeartBeat message, we just use a sequence number
2541  * as payload to distuingish different messages and add
2542  * some random stuff.
2543  * - Message Type, 1 byte
2544  * - Payload Length, 2 bytes (unsigned int)
2545  * - Payload, the sequence number (2 bytes uint)
2546  * - Payload, random bytes (16 bytes uint)
2547  * - Padding
2548  */
2549  buf = OPENSSL_malloc(1 + 2 + payload + padding);
2550  p = buf;
2551  /* Message Type */
2552  *p++ = TLS1_HB_REQUEST;
2553  /* Payload length (18 bytes here) */
2554  s2n(payload, p);
2555  /* Sequence number */
2556  s2n(s->tlsext_hb_seq, p);
2557  /* 16 random bytes */
2558  RAND_pseudo_bytes(p, 16);
2559  p += 16;
2560  /* Random padding */
2561  RAND_pseudo_bytes(p, padding);
2562 
2563  ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2564  if (ret >= 0)
2565  {
2566  if (s->msg_callback)
2567  s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2568  buf, 3 + payload + padding,
2569  s, s->msg_callback_arg);
2570 
2571  s->tlsext_hb_pending = 1;
2572  }
2573 
2574  OPENSSL_free(buf);
2575 
2576  return ret;
2577  }
2578 #endif
Generated on Thu Jan 10 2013 09:53:44 for OpenSSL by   doxygen 1.8.2