• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118 
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120 
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 				const unsigned char *sess_id, int sesslen,
124 				SSL_SESSION **psess);
125 #endif
126 
127 SSL3_ENC_METHOD TLSv1_enc_data={
128 	tls1_enc,
129 	tls1_mac,
130 	tls1_setup_key_block,
131 	tls1_generate_master_secret,
132 	tls1_change_cipher_state,
133 	tls1_final_finish_mac,
134 	TLS1_FINISH_MAC_LENGTH,
135 	tls1_cert_verify_mac,
136 	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138 	tls1_alert_code,
139 	};
140 
tls1_default_timeout(void)141 long tls1_default_timeout(void)
142 	{
143 	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
144 	 * is way too long for http, the cache would over fill */
145 	return(60*60*2);
146 	}
147 
tls1_new(SSL * s)148 int tls1_new(SSL *s)
149 	{
150 	if (!ssl3_new(s)) return(0);
151 	s->method->ssl_clear(s);
152 	return(1);
153 	}
154 
tls1_free(SSL * s)155 void tls1_free(SSL *s)
156 	{
157 #ifndef OPENSSL_NO_TLSEXT
158 	if (s->tlsext_session_ticket)
159 		{
160 		OPENSSL_free(s->tlsext_session_ticket);
161 		}
162 #endif /* OPENSSL_NO_TLSEXT */
163 	ssl3_free(s);
164 	}
165 
tls1_clear(SSL * s)166 void tls1_clear(SSL *s)
167 	{
168 	ssl3_clear(s);
169 	s->version=TLS1_VERSION;
170 	}
171 
172 #ifndef OPENSSL_NO_EC
173 static int nid_list[] =
174 	{
175 		NID_sect163k1, /* sect163k1 (1) */
176 		NID_sect163r1, /* sect163r1 (2) */
177 		NID_sect163r2, /* sect163r2 (3) */
178 		NID_sect193r1, /* sect193r1 (4) */
179 		NID_sect193r2, /* sect193r2 (5) */
180 		NID_sect233k1, /* sect233k1 (6) */
181 		NID_sect233r1, /* sect233r1 (7) */
182 		NID_sect239k1, /* sect239k1 (8) */
183 		NID_sect283k1, /* sect283k1 (9) */
184 		NID_sect283r1, /* sect283r1 (10) */
185 		NID_sect409k1, /* sect409k1 (11) */
186 		NID_sect409r1, /* sect409r1 (12) */
187 		NID_sect571k1, /* sect571k1 (13) */
188 		NID_sect571r1, /* sect571r1 (14) */
189 		NID_secp160k1, /* secp160k1 (15) */
190 		NID_secp160r1, /* secp160r1 (16) */
191 		NID_secp160r2, /* secp160r2 (17) */
192 		NID_secp192k1, /* secp192k1 (18) */
193 		NID_X9_62_prime192v1, /* secp192r1 (19) */
194 		NID_secp224k1, /* secp224k1 (20) */
195 		NID_secp224r1, /* secp224r1 (21) */
196 		NID_secp256k1, /* secp256k1 (22) */
197 		NID_X9_62_prime256v1, /* secp256r1 (23) */
198 		NID_secp384r1, /* secp384r1 (24) */
199 		NID_secp521r1  /* secp521r1 (25) */
200 	};
201 
tls1_ec_curve_id2nid(int curve_id)202 int tls1_ec_curve_id2nid(int curve_id)
203 	{
204 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
205 	if ((curve_id < 1) || ((unsigned int)curve_id >
206 				sizeof(nid_list)/sizeof(nid_list[0])))
207 		return 0;
208 	return nid_list[curve_id-1];
209 	}
210 
tls1_ec_nid2curve_id(int nid)211 int tls1_ec_nid2curve_id(int nid)
212 	{
213 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
214 	switch (nid)
215 		{
216 	case NID_sect163k1: /* sect163k1 (1) */
217 		return 1;
218 	case NID_sect163r1: /* sect163r1 (2) */
219 		return 2;
220 	case NID_sect163r2: /* sect163r2 (3) */
221 		return 3;
222 	case NID_sect193r1: /* sect193r1 (4) */
223 		return 4;
224 	case NID_sect193r2: /* sect193r2 (5) */
225 		return 5;
226 	case NID_sect233k1: /* sect233k1 (6) */
227 		return 6;
228 	case NID_sect233r1: /* sect233r1 (7) */
229 		return 7;
230 	case NID_sect239k1: /* sect239k1 (8) */
231 		return 8;
232 	case NID_sect283k1: /* sect283k1 (9) */
233 		return 9;
234 	case NID_sect283r1: /* sect283r1 (10) */
235 		return 10;
236 	case NID_sect409k1: /* sect409k1 (11) */
237 		return 11;
238 	case NID_sect409r1: /* sect409r1 (12) */
239 		return 12;
240 	case NID_sect571k1: /* sect571k1 (13) */
241 		return 13;
242 	case NID_sect571r1: /* sect571r1 (14) */
243 		return 14;
244 	case NID_secp160k1: /* secp160k1 (15) */
245 		return 15;
246 	case NID_secp160r1: /* secp160r1 (16) */
247 		return 16;
248 	case NID_secp160r2: /* secp160r2 (17) */
249 		return 17;
250 	case NID_secp192k1: /* secp192k1 (18) */
251 		return 18;
252 	case NID_X9_62_prime192v1: /* secp192r1 (19) */
253 		return 19;
254 	case NID_secp224k1: /* secp224k1 (20) */
255 		return 20;
256 	case NID_secp224r1: /* secp224r1 (21) */
257 		return 21;
258 	case NID_secp256k1: /* secp256k1 (22) */
259 		return 22;
260 	case NID_X9_62_prime256v1: /* secp256r1 (23) */
261 		return 23;
262 	case NID_secp384r1: /* secp384r1 (24) */
263 		return 24;
264 	case NID_secp521r1:  /* secp521r1 (25) */
265 		return 25;
266 	default:
267 		return 0;
268 		}
269 	}
270 #endif /* OPENSSL_NO_EC */
271 
272 #ifndef OPENSSL_NO_TLSEXT
ssl_add_clienthello_tlsext(SSL * s,unsigned char * p,unsigned char * limit)273 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
274 	{
275 	int extdatalen=0;
276 	unsigned char *ret = p;
277 
278 	/* don't add extensions for SSLv3 unless doing secure renegotiation */
279 	if (s->client_version == SSL3_VERSION
280 					&& !s->s3->send_connection_binding)
281 		return p;
282 
283 	ret+=2;
284 
285 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
286 
287  	if (s->tlsext_hostname != NULL)
288 		{
289 		/* Add TLS extension servername to the Client Hello message */
290 		unsigned long size_str;
291 		long lenmax;
292 
293 		/* check for enough space.
294 		   4 for the servername type and entension length
295 		   2 for servernamelist length
296 		   1 for the hostname type
297 		   2 for hostname length
298 		   + hostname length
299 		*/
300 
301 		if ((lenmax = limit - ret - 9) < 0
302 		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
303 			return NULL;
304 
305 		/* extension type and length */
306 		s2n(TLSEXT_TYPE_server_name,ret);
307 		s2n(size_str+5,ret);
308 
309 		/* length of servername list */
310 		s2n(size_str+3,ret);
311 
312 		/* hostname type, length and hostname */
313 		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
314 		s2n(size_str,ret);
315 		memcpy(ret, s->tlsext_hostname, size_str);
316 		ret+=size_str;
317 		}
318 
319         /* Add RI if renegotiating */
320         if (s->new_session)
321           {
322           int el;
323 
324           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
325               {
326               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
327               return NULL;
328               }
329 
330           if((limit - p - 4 - el) < 0) return NULL;
331 
332           s2n(TLSEXT_TYPE_renegotiate,ret);
333           s2n(el,ret);
334 
335           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
336               {
337               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
338               return NULL;
339               }
340 
341           ret += el;
342         }
343 
344 #ifndef OPENSSL_NO_EC
345 	if (s->tlsext_ecpointformatlist != NULL &&
346 	    s->version != DTLS1_VERSION)
347 		{
348 		/* Add TLS extension ECPointFormats to the ClientHello message */
349 		long lenmax;
350 
351 		if ((lenmax = limit - ret - 5) < 0) return NULL;
352 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
353 		if (s->tlsext_ecpointformatlist_length > 255)
354 			{
355 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
356 			return NULL;
357 			}
358 
359 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
360 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
361 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
362 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
363 		ret+=s->tlsext_ecpointformatlist_length;
364 		}
365 	if (s->tlsext_ellipticcurvelist != NULL &&
366 	    s->version != DTLS1_VERSION)
367 		{
368 		/* Add TLS extension EllipticCurves to the ClientHello message */
369 		long lenmax;
370 
371 		if ((lenmax = limit - ret - 6) < 0) return NULL;
372 		if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
373 		if (s->tlsext_ellipticcurvelist_length > 65532)
374 			{
375 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
376 			return NULL;
377 			}
378 
379 		s2n(TLSEXT_TYPE_elliptic_curves,ret);
380 		s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
381 
382 		/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
383 		 * elliptic_curve_list, but the examples use two bytes.
384 		 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
385 		 * resolves this to two bytes.
386 		 */
387 		s2n(s->tlsext_ellipticcurvelist_length, ret);
388 		memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
389 		ret+=s->tlsext_ellipticcurvelist_length;
390 		}
391 #endif /* OPENSSL_NO_EC */
392 
393 	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
394 		{
395 		int ticklen;
396 		if (!s->new_session && s->session && s->session->tlsext_tick)
397 			ticklen = s->session->tlsext_ticklen;
398 		else if (s->session && s->tlsext_session_ticket &&
399 			 s->tlsext_session_ticket->data)
400 			{
401 			ticklen = s->tlsext_session_ticket->length;
402 			s->session->tlsext_tick = OPENSSL_malloc(ticklen);
403 			if (!s->session->tlsext_tick)
404 				return NULL;
405 			memcpy(s->session->tlsext_tick,
406 			       s->tlsext_session_ticket->data,
407 			       ticklen);
408 			s->session->tlsext_ticklen = ticklen;
409 			}
410 		else
411 			ticklen = 0;
412 		if (ticklen == 0 && s->tlsext_session_ticket &&
413 		    s->tlsext_session_ticket->data == NULL)
414 			goto skip_ext;
415 		/* Check for enough room 2 for extension type, 2 for len
416  		 * rest for ticket
417   		 */
418 		if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
419 		s2n(TLSEXT_TYPE_session_ticket,ret);
420 		s2n(ticklen,ret);
421 		if (ticklen)
422 			{
423 			memcpy(ret, s->session->tlsext_tick, ticklen);
424 			ret += ticklen;
425 			}
426 		}
427 		skip_ext:
428 
429 #ifdef TLSEXT_TYPE_opaque_prf_input
430 	if (s->s3->client_opaque_prf_input != NULL &&
431 	    s->version != DTLS1_VERSION)
432 		{
433 		size_t col = s->s3->client_opaque_prf_input_len;
434 
435 		if ((long)(limit - ret - 6 - col < 0))
436 			return NULL;
437 		if (col > 0xFFFD) /* can't happen */
438 			return NULL;
439 
440 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
441 		s2n(col + 2, ret);
442 		s2n(col, ret);
443 		memcpy(ret, s->s3->client_opaque_prf_input, col);
444 		ret += col;
445 		}
446 #endif
447 
448 	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
449 	    s->version != DTLS1_VERSION)
450 		{
451 		int i;
452 		long extlen, idlen, itmp;
453 		OCSP_RESPID *id;
454 
455 		idlen = 0;
456 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
457 			{
458 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
459 			itmp = i2d_OCSP_RESPID(id, NULL);
460 			if (itmp <= 0)
461 				return NULL;
462 			idlen += itmp + 2;
463 			}
464 
465 		if (s->tlsext_ocsp_exts)
466 			{
467 			extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
468 			if (extlen < 0)
469 				return NULL;
470 			}
471 		else
472 			extlen = 0;
473 
474 		if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
475 		s2n(TLSEXT_TYPE_status_request, ret);
476 		if (extlen + idlen > 0xFFF0)
477 			return NULL;
478 		s2n(extlen + idlen + 5, ret);
479 		*(ret++) = TLSEXT_STATUSTYPE_ocsp;
480 		s2n(idlen, ret);
481 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
482 			{
483 			/* save position of id len */
484 			unsigned char *q = ret;
485 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
486 			/* skip over id len */
487 			ret += 2;
488 			itmp = i2d_OCSP_RESPID(id, &ret);
489 			/* write id len */
490 			s2n(itmp, q);
491 			}
492 		s2n(extlen, ret);
493 		if (extlen > 0)
494 			i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
495 		}
496 
497 	if ((extdatalen = ret-p-2)== 0)
498 		return p;
499 
500 	s2n(extdatalen,p);
501 	return ret;
502 	}
503 
ssl_add_serverhello_tlsext(SSL * s,unsigned char * p,unsigned char * limit)504 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
505 	{
506 	int extdatalen=0;
507 	unsigned char *ret = p;
508 
509 	/* don't add extensions for SSLv3, unless doing secure renegotiation */
510 	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
511 		return p;
512 
513 	ret+=2;
514 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
515 
516 	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
517 		{
518 		if ((long)(limit - ret - 4) < 0) return NULL;
519 
520 		s2n(TLSEXT_TYPE_server_name,ret);
521 		s2n(0,ret);
522 		}
523 
524 	if(s->s3->send_connection_binding)
525         {
526           int el;
527 
528           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
529               {
530               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
531               return NULL;
532               }
533 
534           if((limit - p - 4 - el) < 0) return NULL;
535 
536           s2n(TLSEXT_TYPE_renegotiate,ret);
537           s2n(el,ret);
538 
539           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
540               {
541               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
542               return NULL;
543               }
544 
545           ret += el;
546         }
547 
548 #ifndef OPENSSL_NO_EC
549 	if (s->tlsext_ecpointformatlist != NULL &&
550 	    s->version != DTLS1_VERSION)
551 		{
552 		/* Add TLS extension ECPointFormats to the ServerHello message */
553 		long lenmax;
554 
555 		if ((lenmax = limit - ret - 5) < 0) return NULL;
556 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
557 		if (s->tlsext_ecpointformatlist_length > 255)
558 			{
559 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
560 			return NULL;
561 			}
562 
563 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
564 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
565 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
566 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
567 		ret+=s->tlsext_ecpointformatlist_length;
568 
569 		}
570 	/* Currently the server should not respond with a SupportedCurves extension */
571 #endif /* OPENSSL_NO_EC */
572 
573 	if (s->tlsext_ticket_expected
574 		&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
575 		{
576 		if ((long)(limit - ret - 4) < 0) return NULL;
577 		s2n(TLSEXT_TYPE_session_ticket,ret);
578 		s2n(0,ret);
579 		}
580 
581 	if (s->tlsext_status_expected)
582 		{
583 		if ((long)(limit - ret - 4) < 0) return NULL;
584 		s2n(TLSEXT_TYPE_status_request,ret);
585 		s2n(0,ret);
586 		}
587 
588 #ifdef TLSEXT_TYPE_opaque_prf_input
589 	if (s->s3->server_opaque_prf_input != NULL &&
590 	    s->version != DTLS1_VERSION)
591 		{
592 		size_t sol = s->s3->server_opaque_prf_input_len;
593 
594 		if ((long)(limit - ret - 6 - sol) < 0)
595 			return NULL;
596 		if (sol > 0xFFFD) /* can't happen */
597 			return NULL;
598 
599 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
600 		s2n(sol + 2, ret);
601 		s2n(sol, ret);
602 		memcpy(ret, s->s3->server_opaque_prf_input, sol);
603 		ret += sol;
604 		}
605 #endif
606 	if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
607 		&& (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
608 		{ const unsigned char cryptopro_ext[36] = {
609 			0xfd, 0xe8, /*65000*/
610 			0x00, 0x20, /*32 bytes length*/
611 			0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
612 			0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
613 			0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
614 			0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
615 			if (limit-ret<36) return NULL;
616 			memcpy(ret,cryptopro_ext,36);
617 			ret+=36;
618 
619 		}
620 
621 	if ((extdatalen = ret-p-2)== 0)
622 		return p;
623 
624 	s2n(extdatalen,p);
625 	return ret;
626 	}
627 
ssl_parse_clienthello_tlsext(SSL * s,unsigned char ** p,unsigned char * d,int n,int * al)628 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
629 	{
630 	unsigned short type;
631 	unsigned short size;
632 	unsigned short len;
633 	unsigned char *data = *p;
634 	int renegotiate_seen = 0;
635 
636 	s->servername_done = 0;
637 	s->tlsext_status_type = -1;
638 
639 	if (data >= (d+n-2))
640 		goto ri_check;
641 	n2s(data,len);
642 
643 	if (data > (d+n-len))
644 		goto ri_check;
645 
646 	while (data <= (d+n-4))
647 		{
648 		n2s(data,type);
649 		n2s(data,size);
650 
651 		if (data+size > (d+n))
652 	   		goto ri_check;
653 #if 0
654 		fprintf(stderr,"Received extension type %d size %d\n",type,size);
655 #endif
656 		if (s->tlsext_debug_cb)
657 			s->tlsext_debug_cb(s, 0, type, data, size,
658 						s->tlsext_debug_arg);
659 /* The servername extension is treated as follows:
660 
661    - Only the hostname type is supported with a maximum length of 255.
662    - The servername is rejected if too long or if it contains zeros,
663      in which case an fatal alert is generated.
664    - The servername field is maintained together with the session cache.
665    - When a session is resumed, the servername call back invoked in order
666      to allow the application to position itself to the right context.
667    - The servername is acknowledged if it is new for a session or when
668      it is identical to a previously used for the same session.
669      Applications can control the behaviour.  They can at any time
670      set a 'desirable' servername for a new SSL object. This can be the
671      case for example with HTTPS when a Host: header field is received and
672      a renegotiation is requested. In this case, a possible servername
673      presented in the new client hello is only acknowledged if it matches
674      the value of the Host: field.
675    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
676      if they provide for changing an explicit servername context for the session,
677      i.e. when the session has been established with a servername extension.
678    - On session reconnect, the servername extension may be absent.
679 
680 */
681 
682 		if (type == TLSEXT_TYPE_server_name)
683 			{
684 			unsigned char *sdata;
685 			int servname_type;
686 			int dsize;
687 
688 			if (size < 2)
689 				{
690 				*al = SSL_AD_DECODE_ERROR;
691 				return 0;
692 				}
693 			n2s(data,dsize);
694 			size -= 2;
695 			if (dsize > size  )
696 				{
697 				*al = SSL_AD_DECODE_ERROR;
698 				return 0;
699 				}
700 
701 			sdata = data;
702 			while (dsize > 3)
703 				{
704 	 			servname_type = *(sdata++);
705 				n2s(sdata,len);
706 				dsize -= 3;
707 
708 				if (len > dsize)
709 					{
710 					*al = SSL_AD_DECODE_ERROR;
711 					return 0;
712 					}
713 				if (s->servername_done == 0)
714 				switch (servname_type)
715 					{
716 				case TLSEXT_NAMETYPE_host_name:
717 					if (!s->hit)
718 						{
719 						if(s->session->tlsext_hostname)
720 							{
721 							*al = SSL_AD_DECODE_ERROR;
722 							return 0;
723 							}
724 						if (len > TLSEXT_MAXLEN_host_name)
725 							{
726 							*al = TLS1_AD_UNRECOGNIZED_NAME;
727 							return 0;
728 							}
729 						if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
730 							{
731 							*al = TLS1_AD_INTERNAL_ERROR;
732 							return 0;
733 							}
734 						memcpy(s->session->tlsext_hostname, sdata, len);
735 						s->session->tlsext_hostname[len]='\0';
736 						if (strlen(s->session->tlsext_hostname) != len) {
737 							OPENSSL_free(s->session->tlsext_hostname);
738 							s->session->tlsext_hostname = NULL;
739 							*al = TLS1_AD_UNRECOGNIZED_NAME;
740 							return 0;
741 						}
742 						s->servername_done = 1;
743 
744 						}
745 					else
746 						s->servername_done = s->session->tlsext_hostname
747 							&& strlen(s->session->tlsext_hostname) == len
748 							&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
749 
750 					break;
751 
752 				default:
753 					break;
754 					}
755 
756 				dsize -= len;
757 				}
758 			if (dsize != 0)
759 				{
760 				*al = SSL_AD_DECODE_ERROR;
761 				return 0;
762 				}
763 
764 			}
765 
766 #ifndef OPENSSL_NO_EC
767 		else if (type == TLSEXT_TYPE_ec_point_formats &&
768 	             s->version != DTLS1_VERSION)
769 			{
770 			unsigned char *sdata = data;
771 			int ecpointformatlist_length = *(sdata++);
772 
773 			if (ecpointformatlist_length != size - 1)
774 				{
775 				*al = TLS1_AD_DECODE_ERROR;
776 				return 0;
777 				}
778 			if (!s->hit)
779 				{
780 				if(s->session->tlsext_ecpointformatlist)
781 					{
782 					*al = TLS1_AD_DECODE_ERROR;
783 					return 0;
784 					}
785 				s->session->tlsext_ecpointformatlist_length = 0;
786 				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
787 					{
788 					*al = TLS1_AD_INTERNAL_ERROR;
789 					return 0;
790 					}
791 				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
792 				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
793 				}
794 #if 0
795 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
796 			sdata = s->session->tlsext_ecpointformatlist;
797 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
798 				fprintf(stderr,"%i ",*(sdata++));
799 			fprintf(stderr,"\n");
800 #endif
801 			}
802 		else if (type == TLSEXT_TYPE_elliptic_curves &&
803 	             s->version != DTLS1_VERSION)
804 			{
805 			unsigned char *sdata = data;
806 			int ellipticcurvelist_length = (*(sdata++) << 8);
807 			ellipticcurvelist_length += (*(sdata++));
808 
809 			if (ellipticcurvelist_length != size - 2)
810 				{
811 				*al = TLS1_AD_DECODE_ERROR;
812 				return 0;
813 				}
814 			if (!s->hit)
815 				{
816 				if(s->session->tlsext_ellipticcurvelist)
817 					{
818 					*al = TLS1_AD_DECODE_ERROR;
819 					return 0;
820 					}
821 				s->session->tlsext_ellipticcurvelist_length = 0;
822 				if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
823 					{
824 					*al = TLS1_AD_INTERNAL_ERROR;
825 					return 0;
826 					}
827 				s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
828 				memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
829 				}
830 #if 0
831 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
832 			sdata = s->session->tlsext_ellipticcurvelist;
833 			for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
834 				fprintf(stderr,"%i ",*(sdata++));
835 			fprintf(stderr,"\n");
836 #endif
837 			}
838 #endif /* OPENSSL_NO_EC */
839 #ifdef TLSEXT_TYPE_opaque_prf_input
840 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
841 	             s->version != DTLS1_VERSION)
842 			{
843 			unsigned char *sdata = data;
844 
845 			if (size < 2)
846 				{
847 				*al = SSL_AD_DECODE_ERROR;
848 				return 0;
849 				}
850 			n2s(sdata, s->s3->client_opaque_prf_input_len);
851 			if (s->s3->client_opaque_prf_input_len != size - 2)
852 				{
853 				*al = SSL_AD_DECODE_ERROR;
854 				return 0;
855 				}
856 
857 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
858 				OPENSSL_free(s->s3->client_opaque_prf_input);
859 			if (s->s3->client_opaque_prf_input_len == 0)
860 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
861 			else
862 				s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
863 			if (s->s3->client_opaque_prf_input == NULL)
864 				{
865 				*al = TLS1_AD_INTERNAL_ERROR;
866 				return 0;
867 				}
868 			}
869 #endif
870 		else if (type == TLSEXT_TYPE_session_ticket)
871 			{
872 			if (s->tls_session_ticket_ext_cb &&
873 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
874 				{
875 				*al = TLS1_AD_INTERNAL_ERROR;
876 				return 0;
877 				}
878 			}
879 		else if (type == TLSEXT_TYPE_renegotiate)
880 			{
881 			if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
882 				return 0;
883 			renegotiate_seen = 1;
884 			}
885 		else if (type == TLSEXT_TYPE_status_request &&
886 		         s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
887 			{
888 
889 			if (size < 5)
890 				{
891 				*al = SSL_AD_DECODE_ERROR;
892 				return 0;
893 				}
894 
895 			s->tlsext_status_type = *data++;
896 			size--;
897 			if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
898 				{
899 				const unsigned char *sdata;
900 				int dsize;
901 				/* Read in responder_id_list */
902 				n2s(data,dsize);
903 				size -= 2;
904 				if (dsize > size  )
905 					{
906 					*al = SSL_AD_DECODE_ERROR;
907 					return 0;
908 					}
909 				while (dsize > 0)
910 					{
911 					OCSP_RESPID *id;
912 					int idsize;
913 					if (dsize < 4)
914 						{
915 						*al = SSL_AD_DECODE_ERROR;
916 						return 0;
917 						}
918 					n2s(data, idsize);
919 					dsize -= 2 + idsize;
920 					if (dsize < 0)
921 						{
922 						*al = SSL_AD_DECODE_ERROR;
923 						return 0;
924 						}
925 					sdata = data;
926 					data += idsize;
927 					id = d2i_OCSP_RESPID(NULL,
928 								&sdata, idsize);
929 					if (!id)
930 						{
931 						*al = SSL_AD_DECODE_ERROR;
932 						return 0;
933 						}
934 					if (data != sdata)
935 						{
936 						OCSP_RESPID_free(id);
937 						*al = SSL_AD_DECODE_ERROR;
938 						return 0;
939 						}
940 					if (!s->tlsext_ocsp_ids
941 						&& !(s->tlsext_ocsp_ids =
942 						sk_OCSP_RESPID_new_null()))
943 						{
944 						OCSP_RESPID_free(id);
945 						*al = SSL_AD_INTERNAL_ERROR;
946 						return 0;
947 						}
948 					if (!sk_OCSP_RESPID_push(
949 							s->tlsext_ocsp_ids, id))
950 						{
951 						OCSP_RESPID_free(id);
952 						*al = SSL_AD_INTERNAL_ERROR;
953 						return 0;
954 						}
955 					}
956 
957 				/* Read in request_extensions */
958 				n2s(data,dsize);
959 				size -= 2;
960 				if (dsize > size)
961 					{
962 					*al = SSL_AD_DECODE_ERROR;
963 					return 0;
964 					}
965 				sdata = data;
966 				if (dsize > 0)
967 					{
968 					s->tlsext_ocsp_exts =
969 						d2i_X509_EXTENSIONS(NULL,
970 							&sdata, dsize);
971 					if (!s->tlsext_ocsp_exts
972 						|| (data + dsize != sdata))
973 						{
974 						*al = SSL_AD_DECODE_ERROR;
975 						return 0;
976 						}
977 					}
978 				}
979 				/* We don't know what to do with any other type
980  			 	* so ignore it.
981  			 	*/
982 				else
983 					s->tlsext_status_type = -1;
984 			}
985 
986 		/* session ticket processed earlier */
987 		data+=size;
988 		}
989 
990 	*p = data;
991 
992 	ri_check:
993 
994 	/* Need RI if renegotiating */
995 
996 	if (!renegotiate_seen && s->new_session &&
997 		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
998 		{
999 		*al = SSL_AD_HANDSHAKE_FAILURE;
1000 	 	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1001 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1002 		return 0;
1003 		}
1004 
1005 	return 1;
1006 	}
1007 
ssl_parse_serverhello_tlsext(SSL * s,unsigned char ** p,unsigned char * d,int n,int * al)1008 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1009 	{
1010 	unsigned short type;
1011 	unsigned short size;
1012 	unsigned short len;
1013 	unsigned char *data = *p;
1014 	int tlsext_servername = 0;
1015 	int renegotiate_seen = 0;
1016 
1017 	if (data >= (d+n-2))
1018 		goto ri_check;
1019 
1020 	n2s(data,len);
1021 
1022 	while(data <= (d+n-4))
1023 		{
1024 		n2s(data,type);
1025 		n2s(data,size);
1026 
1027 		if (data+size > (d+n))
1028 	   		goto ri_check;
1029 
1030 		if (s->tlsext_debug_cb)
1031 			s->tlsext_debug_cb(s, 1, type, data, size,
1032 						s->tlsext_debug_arg);
1033 
1034 		if (type == TLSEXT_TYPE_server_name)
1035 			{
1036 			if (s->tlsext_hostname == NULL || size > 0)
1037 				{
1038 				*al = TLS1_AD_UNRECOGNIZED_NAME;
1039 				return 0;
1040 				}
1041 			tlsext_servername = 1;
1042 			}
1043 
1044 #ifndef OPENSSL_NO_EC
1045 		else if (type == TLSEXT_TYPE_ec_point_formats &&
1046 	             s->version != DTLS1_VERSION)
1047 			{
1048 			unsigned char *sdata = data;
1049 			int ecpointformatlist_length = *(sdata++);
1050 
1051 			if (ecpointformatlist_length != size - 1)
1052 				{
1053 				*al = TLS1_AD_DECODE_ERROR;
1054 				return 0;
1055 				}
1056 			s->session->tlsext_ecpointformatlist_length = 0;
1057 			if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1058 			if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1059 				{
1060 				*al = TLS1_AD_INTERNAL_ERROR;
1061 				return 0;
1062 				}
1063 			s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1064 			memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1065 #if 0
1066 			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1067 			sdata = s->session->tlsext_ecpointformatlist;
1068 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1069 				fprintf(stderr,"%i ",*(sdata++));
1070 			fprintf(stderr,"\n");
1071 #endif
1072 			}
1073 #endif /* OPENSSL_NO_EC */
1074 
1075 		else if (type == TLSEXT_TYPE_session_ticket)
1076 			{
1077 			if (s->tls_session_ticket_ext_cb &&
1078 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1079 				{
1080 				*al = TLS1_AD_INTERNAL_ERROR;
1081 				return 0;
1082 				}
1083 			if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1084 				|| (size > 0))
1085 				{
1086 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1087 				return 0;
1088 				}
1089 			s->tlsext_ticket_expected = 1;
1090 			}
1091 #ifdef TLSEXT_TYPE_opaque_prf_input
1092 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1093 	             s->version != DTLS1_VERSION)
1094 			{
1095 			unsigned char *sdata = data;
1096 
1097 			if (size < 2)
1098 				{
1099 				*al = SSL_AD_DECODE_ERROR;
1100 				return 0;
1101 				}
1102 			n2s(sdata, s->s3->server_opaque_prf_input_len);
1103 			if (s->s3->server_opaque_prf_input_len != size - 2)
1104 				{
1105 				*al = SSL_AD_DECODE_ERROR;
1106 				return 0;
1107 				}
1108 
1109 			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1110 				OPENSSL_free(s->s3->server_opaque_prf_input);
1111 			if (s->s3->server_opaque_prf_input_len == 0)
1112 				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1113 			else
1114 				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1115 
1116 			if (s->s3->server_opaque_prf_input == NULL)
1117 				{
1118 				*al = TLS1_AD_INTERNAL_ERROR;
1119 				return 0;
1120 				}
1121 			}
1122 #endif
1123 		else if (type == TLSEXT_TYPE_status_request &&
1124 		         s->version != DTLS1_VERSION)
1125 			{
1126 			/* MUST be empty and only sent if we've requested
1127 			 * a status request message.
1128 			 */
1129 			if ((s->tlsext_status_type == -1) || (size > 0))
1130 				{
1131 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1132 				return 0;
1133 				}
1134 			/* Set flag to expect CertificateStatus message */
1135 			s->tlsext_status_expected = 1;
1136 			}
1137 		else if (type == TLSEXT_TYPE_renegotiate)
1138 			{
1139 			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1140 				return 0;
1141 			renegotiate_seen = 1;
1142 			}
1143 		data+=size;
1144 		}
1145 
1146 	if (data != d+n)
1147 		{
1148 		*al = SSL_AD_DECODE_ERROR;
1149 		return 0;
1150 		}
1151 
1152 	if (!s->hit && tlsext_servername == 1)
1153 		{
1154  		if (s->tlsext_hostname)
1155 			{
1156 			if (s->session->tlsext_hostname == NULL)
1157 				{
1158 				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1159 				if (!s->session->tlsext_hostname)
1160 					{
1161 					*al = SSL_AD_UNRECOGNIZED_NAME;
1162 					return 0;
1163 					}
1164 				}
1165 			else
1166 				{
1167 				*al = SSL_AD_DECODE_ERROR;
1168 				return 0;
1169 				}
1170 			}
1171 		}
1172 
1173 	*p = data;
1174 
1175 	ri_check:
1176 
1177 	/* Determine if we need to see RI. Strictly speaking if we want to
1178 	 * avoid an attack we should *always* see RI even on initial server
1179 	 * hello because the client doesn't see any renegotiation during an
1180 	 * attack. However this would mean we could not connect to any server
1181 	 * which doesn't support RI so for the immediate future tolerate RI
1182 	 * absence on initial connect only.
1183 	 */
1184 	if (!renegotiate_seen
1185 		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1186 		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1187 		{
1188 		*al = SSL_AD_HANDSHAKE_FAILURE;
1189 		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1190 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1191 		return 0;
1192 		}
1193 
1194 	return 1;
1195 	}
1196 
1197 
ssl_prepare_clienthello_tlsext(SSL * s)1198 int ssl_prepare_clienthello_tlsext(SSL *s)
1199 	{
1200 #ifndef OPENSSL_NO_EC
1201 	/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1202 	 * and elliptic curves we support.
1203 	 */
1204 	int using_ecc = 0;
1205 	int i;
1206 	unsigned char *j;
1207 	unsigned long alg_k, alg_a;
1208 	STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1209 
1210 	for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1211 		{
1212 		SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1213 
1214 		alg_k = c->algorithm_mkey;
1215 		alg_a = c->algorithm_auth;
1216 		if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1217 			{
1218 			using_ecc = 1;
1219 			break;
1220 			}
1221 		}
1222 	using_ecc = using_ecc && (s->version == TLS1_VERSION);
1223 	if (using_ecc)
1224 		{
1225 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1226 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1227 			{
1228 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1229 			return -1;
1230 			}
1231 		s->tlsext_ecpointformatlist_length = 3;
1232 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1233 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1234 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1235 
1236 		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1237 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1238 		s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1239 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1240 			{
1241 			s->tlsext_ellipticcurvelist_length = 0;
1242 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1243 			return -1;
1244 			}
1245 		for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1246 				sizeof(nid_list)/sizeof(nid_list[0]); i++)
1247 			s2n(i,j);
1248 		}
1249 #endif /* OPENSSL_NO_EC */
1250 
1251 #ifdef TLSEXT_TYPE_opaque_prf_input
1252  	{
1253 		int r = 1;
1254 
1255 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1256 			{
1257 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1258 			if (!r)
1259 				return -1;
1260 			}
1261 
1262 		if (s->tlsext_opaque_prf_input != NULL)
1263 			{
1264 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1265 				OPENSSL_free(s->s3->client_opaque_prf_input);
1266 
1267 			if (s->tlsext_opaque_prf_input_len == 0)
1268 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1269 			else
1270 				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1271 			if (s->s3->client_opaque_prf_input == NULL)
1272 				{
1273 				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1274 				return -1;
1275 				}
1276 			s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1277 			}
1278 
1279 		if (r == 2)
1280 			/* at callback's request, insist on receiving an appropriate server opaque PRF input */
1281 			s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1282 	}
1283 #endif
1284 
1285 	return 1;
1286 	}
1287 
ssl_prepare_serverhello_tlsext(SSL * s)1288 int ssl_prepare_serverhello_tlsext(SSL *s)
1289 	{
1290 #ifndef OPENSSL_NO_EC
1291 	/* If we are server and using an ECC cipher suite, send the point formats we support
1292 	 * if the client sent us an ECPointsFormat extension.  Note that the server is not
1293 	 * supposed to send an EllipticCurves extension.
1294 	 */
1295 
1296 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1297 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1298 	int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1299 	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1300 
1301 	if (using_ecc)
1302 		{
1303 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1304 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1305 			{
1306 			SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1307 			return -1;
1308 			}
1309 		s->tlsext_ecpointformatlist_length = 3;
1310 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1311 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1312 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1313 		}
1314 #endif /* OPENSSL_NO_EC */
1315 
1316 	return 1;
1317 	}
1318 
ssl_check_clienthello_tlsext(SSL * s)1319 int ssl_check_clienthello_tlsext(SSL *s)
1320 	{
1321 	int ret=SSL_TLSEXT_ERR_NOACK;
1322 	int al = SSL_AD_UNRECOGNIZED_NAME;
1323 
1324 #ifndef OPENSSL_NO_EC
1325 	/* The handling of the ECPointFormats extension is done elsewhere, namely in
1326 	 * ssl3_choose_cipher in s3_lib.c.
1327 	 */
1328 	/* The handling of the EllipticCurves extension is done elsewhere, namely in
1329 	 * ssl3_choose_cipher in s3_lib.c.
1330 	 */
1331 #endif
1332 
1333 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1334 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1335 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1336 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1337 
1338 	/* If status request then ask callback what to do.
1339  	 * Note: this must be called after servername callbacks in case
1340  	 * the certificate has changed.
1341  	 */
1342 	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1343 		{
1344 		int r;
1345 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1346 		switch (r)
1347 			{
1348 			/* We don't want to send a status request response */
1349 			case SSL_TLSEXT_ERR_NOACK:
1350 				s->tlsext_status_expected = 0;
1351 				break;
1352 			/* status request response should be sent */
1353 			case SSL_TLSEXT_ERR_OK:
1354 				if (s->tlsext_ocsp_resp)
1355 					s->tlsext_status_expected = 1;
1356 				else
1357 					s->tlsext_status_expected = 0;
1358 				break;
1359 			/* something bad happened */
1360 			case SSL_TLSEXT_ERR_ALERT_FATAL:
1361 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1362 				al = SSL_AD_INTERNAL_ERROR;
1363 				goto err;
1364 			}
1365 		}
1366 	else
1367 		s->tlsext_status_expected = 0;
1368 
1369 #ifdef TLSEXT_TYPE_opaque_prf_input
1370  	{
1371 		/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1372 		 * but we might be sending an alert in response to the client hello,
1373 		 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1374 
1375 		int r = 1;
1376 
1377 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1378 			{
1379 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1380 			if (!r)
1381 				{
1382 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1383 				al = SSL_AD_INTERNAL_ERROR;
1384 				goto err;
1385 				}
1386 			}
1387 
1388 		if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1389 			OPENSSL_free(s->s3->server_opaque_prf_input);
1390 		s->s3->server_opaque_prf_input = NULL;
1391 
1392 		if (s->tlsext_opaque_prf_input != NULL)
1393 			{
1394 			if (s->s3->client_opaque_prf_input != NULL &&
1395 				s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1396 				{
1397 				/* can only use this extension if we have a server opaque PRF input
1398 				 * of the same length as the client opaque PRF input! */
1399 
1400 				if (s->tlsext_opaque_prf_input_len == 0)
1401 					s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1402 				else
1403 					s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1404 				if (s->s3->server_opaque_prf_input == NULL)
1405 					{
1406 					ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1407 					al = SSL_AD_INTERNAL_ERROR;
1408 					goto err;
1409 					}
1410 				s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1411 				}
1412 			}
1413 
1414 		if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1415 			{
1416 			/* The callback wants to enforce use of the extension,
1417 			 * but we can't do that with the client opaque PRF input;
1418 			 * abort the handshake.
1419 			 */
1420 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1421 			al = SSL_AD_HANDSHAKE_FAILURE;
1422 			}
1423 	}
1424 
1425 #endif
1426  err:
1427 	switch (ret)
1428 		{
1429 		case SSL_TLSEXT_ERR_ALERT_FATAL:
1430 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
1431 			return -1;
1432 
1433 		case SSL_TLSEXT_ERR_ALERT_WARNING:
1434 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
1435 			return 1;
1436 
1437 		case SSL_TLSEXT_ERR_NOACK:
1438 			s->servername_done=0;
1439 			default:
1440 		return 1;
1441 		}
1442 	}
1443 
ssl_check_serverhello_tlsext(SSL * s)1444 int ssl_check_serverhello_tlsext(SSL *s)
1445 	{
1446 	int ret=SSL_TLSEXT_ERR_NOACK;
1447 	int al = SSL_AD_UNRECOGNIZED_NAME;
1448 
1449 #ifndef OPENSSL_NO_EC
1450 	/* If we are client and using an elliptic curve cryptography cipher suite, then server
1451 	 * must return a an EC point formats lists containing uncompressed.
1452 	 */
1453 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1454 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1455 	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
1456 	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1457 		{
1458 		/* we are using an ECC cipher */
1459 		size_t i;
1460 		unsigned char *list;
1461 		int found_uncompressed = 0;
1462 		if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
1463 			{
1464 			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1465 			return -1;
1466 			}
1467 		list = s->session->tlsext_ecpointformatlist;
1468 		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1469 			{
1470 			if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1471 				{
1472 				found_uncompressed = 1;
1473 				break;
1474 				}
1475 			}
1476 		if (!found_uncompressed)
1477 			{
1478 			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1479 			return -1;
1480 			}
1481 		}
1482 	ret = SSL_TLSEXT_ERR_OK;
1483 #endif /* OPENSSL_NO_EC */
1484 
1485 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1486 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1487 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1488 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1489 
1490 #ifdef TLSEXT_TYPE_opaque_prf_input
1491 	if (s->s3->server_opaque_prf_input_len > 0)
1492 		{
1493 		/* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1494 		 * So first verify that we really have a value from the server too. */
1495 
1496 		if (s->s3->server_opaque_prf_input == NULL)
1497 			{
1498 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1499 			al = SSL_AD_HANDSHAKE_FAILURE;
1500 			}
1501 
1502 		/* Anytime the server *has* sent an opaque PRF input, we need to check
1503 		 * that we have a client opaque PRF input of the same size. */
1504 		if (s->s3->client_opaque_prf_input == NULL ||
1505 		    s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1506 			{
1507 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1508 			al = SSL_AD_ILLEGAL_PARAMETER;
1509 			}
1510 		}
1511 #endif
1512 
1513 	/* If we've requested certificate status and we wont get one
1514  	 * tell the callback
1515  	 */
1516 	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1517 			&& s->ctx && s->ctx->tlsext_status_cb)
1518 		{
1519 		int r;
1520 		/* Set resp to NULL, resplen to -1 so callback knows
1521  		 * there is no response.
1522  		 */
1523 		if (s->tlsext_ocsp_resp)
1524 			{
1525 			OPENSSL_free(s->tlsext_ocsp_resp);
1526 			s->tlsext_ocsp_resp = NULL;
1527 			}
1528 		s->tlsext_ocsp_resplen = -1;
1529 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1530 		if (r == 0)
1531 			{
1532 			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1533 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1534 			}
1535 		if (r < 0)
1536 			{
1537 			al = SSL_AD_INTERNAL_ERROR;
1538 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1539 			}
1540 		}
1541 
1542 	switch (ret)
1543 		{
1544 		case SSL_TLSEXT_ERR_ALERT_FATAL:
1545 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
1546 			return -1;
1547 
1548 		case SSL_TLSEXT_ERR_ALERT_WARNING:
1549 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
1550 			return 1;
1551 
1552 		case SSL_TLSEXT_ERR_NOACK:
1553 			s->servername_done=0;
1554 			default:
1555 		return 1;
1556 		}
1557 	}
1558 
1559 /* Since the server cache lookup is done early on in the processing of client
1560  * hello and other operations depend on the result we need to handle any TLS
1561  * session ticket extension at the same time.
1562  */
1563 
tls1_process_ticket(SSL * s,unsigned char * session_id,int len,const unsigned char * limit,SSL_SESSION ** ret)1564 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1565 				const unsigned char *limit, SSL_SESSION **ret)
1566 	{
1567 	/* Point after session ID in client hello */
1568 	const unsigned char *p = session_id + len;
1569 	unsigned short i;
1570 
1571 	/* If tickets disabled behave as if no ticket present
1572  	 * to permit stateful resumption.
1573  	 */
1574 	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1575 		return 1;
1576 
1577 	if ((s->version <= SSL3_VERSION) || !limit)
1578 		return 1;
1579 	if (p >= limit)
1580 		return -1;
1581 	/* Skip past DTLS cookie */
1582 	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1583 		{
1584 		i = *(p++);
1585 		p+= i;
1586 		if (p >= limit)
1587 			return -1;
1588 		}
1589 	/* Skip past cipher list */
1590 	n2s(p, i);
1591 	p+= i;
1592 	if (p >= limit)
1593 		return -1;
1594 	/* Skip past compression algorithm list */
1595 	i = *(p++);
1596 	p += i;
1597 	if (p > limit)
1598 		return -1;
1599 	/* Now at start of extensions */
1600 	if ((p + 2) >= limit)
1601 		return 1;
1602 	n2s(p, i);
1603 	while ((p + 4) <= limit)
1604 		{
1605 		unsigned short type, size;
1606 		n2s(p, type);
1607 		n2s(p, size);
1608 		if (p + size > limit)
1609 			return 1;
1610 		if (type == TLSEXT_TYPE_session_ticket)
1611 			{
1612 			/* If tickets disabled indicate cache miss which will
1613  			 * trigger a full handshake
1614  			 */
1615 			if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1616 				return 1;
1617 			/* If zero length note client will accept a ticket
1618  			 * and indicate cache miss to trigger full handshake
1619  			 */
1620 			if (size == 0)
1621 				{
1622 				s->tlsext_ticket_expected = 1;
1623 				return 0;	/* Cache miss */
1624 				}
1625 			if (s->tls_session_secret_cb)
1626 				{
1627 				/* Indicate cache miss here and instead of
1628 				 * generating the session from ticket now,
1629 				 * trigger abbreviated handshake based on
1630 				 * external mechanism to calculate the master
1631 				 * secret later. */
1632 				return 0;
1633 				}
1634 			return tls_decrypt_ticket(s, p, size, session_id, len,
1635 									ret);
1636 			}
1637 		p += size;
1638 		}
1639 	return 1;
1640 	}
1641 
tls_decrypt_ticket(SSL * s,const unsigned char * etick,int eticklen,const unsigned char * sess_id,int sesslen,SSL_SESSION ** psess)1642 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1643 				const unsigned char *sess_id, int sesslen,
1644 				SSL_SESSION **psess)
1645 	{
1646 	SSL_SESSION *sess;
1647 	unsigned char *sdec;
1648 	const unsigned char *p;
1649 	int slen, mlen, renew_ticket = 0;
1650 	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1651 	HMAC_CTX hctx;
1652 	EVP_CIPHER_CTX ctx;
1653 	SSL_CTX *tctx = s->initial_ctx;
1654 	/* Need at least keyname + iv + some encrypted data */
1655 	if (eticklen < 48)
1656 		goto tickerr;
1657 	/* Initialize session ticket encryption and HMAC contexts */
1658 	HMAC_CTX_init(&hctx);
1659 	EVP_CIPHER_CTX_init(&ctx);
1660 	if (tctx->tlsext_ticket_key_cb)
1661 		{
1662 		unsigned char *nctick = (unsigned char *)etick;
1663 		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1664 							&ctx, &hctx, 0);
1665 		if (rv < 0)
1666 			return -1;
1667 		if (rv == 0)
1668 			goto tickerr;
1669 		if (rv == 2)
1670 			renew_ticket = 1;
1671 		}
1672 	else
1673 		{
1674 		/* Check key name matches */
1675 		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
1676 			goto tickerr;
1677 		HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
1678 					tlsext_tick_md(), NULL);
1679 		EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1680 				tctx->tlsext_tick_aes_key, etick + 16);
1681 		}
1682 	/* Attempt to process session ticket, first conduct sanity and
1683  	 * integrity checks on ticket.
1684  	 */
1685 	mlen = HMAC_size(&hctx);
1686 	if (mlen < 0)
1687 		{
1688 		EVP_CIPHER_CTX_cleanup(&ctx);
1689 		return -1;
1690 		}
1691 	eticklen -= mlen;
1692 	/* Check HMAC of encrypted ticket */
1693 	HMAC_Update(&hctx, etick, eticklen);
1694 	HMAC_Final(&hctx, tick_hmac, NULL);
1695 	HMAC_CTX_cleanup(&hctx);
1696 	if (memcmp(tick_hmac, etick + eticklen, mlen))
1697 		goto tickerr;
1698 	/* Attempt to decrypt session data */
1699 	/* Move p after IV to start of encrypted ticket, update length */
1700 	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1701 	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1702 	sdec = OPENSSL_malloc(eticklen);
1703 	if (!sdec)
1704 		{
1705 		EVP_CIPHER_CTX_cleanup(&ctx);
1706 		return -1;
1707 		}
1708 	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1709 	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1710 		goto tickerr;
1711 	slen += mlen;
1712 	EVP_CIPHER_CTX_cleanup(&ctx);
1713 	p = sdec;
1714 
1715 	sess = d2i_SSL_SESSION(NULL, &p, slen);
1716 	OPENSSL_free(sdec);
1717 	if (sess)
1718 		{
1719 		/* The session ID if non-empty is used by some clients to
1720  		 * detect that the ticket has been accepted. So we copy it to
1721  		 * the session structure. If it is empty set length to zero
1722  		 * as required by standard.
1723  		 */
1724 		if (sesslen)
1725 			memcpy(sess->session_id, sess_id, sesslen);
1726 		sess->session_id_length = sesslen;
1727 		*psess = sess;
1728 		s->tlsext_ticket_expected = renew_ticket;
1729 		return 1;
1730 		}
1731 	/* If session decrypt failure indicate a cache miss and set state to
1732  	 * send a new ticket
1733  	 */
1734 	tickerr:
1735 	s->tlsext_ticket_expected = 1;
1736 	return 0;
1737 	}
1738 
1739 #endif
1740