• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119 
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124 				const unsigned char *sess_id, int sesslen,
125 				SSL_SESSION **psess);
126 #endif
127 
128 SSL3_ENC_METHOD TLSv1_enc_data={
129 	tls1_enc,
130 	tls1_mac,
131 	tls1_setup_key_block,
132 	tls1_generate_master_secret,
133 	tls1_change_cipher_state,
134 	tls1_final_finish_mac,
135 	TLS1_FINISH_MAC_LENGTH,
136 	tls1_cert_verify_mac,
137 	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139 	tls1_alert_code,
140 	tls1_export_keying_material,
141 	};
142 
tls1_default_timeout(void)143 long tls1_default_timeout(void)
144 	{
145 	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
146 	 * is way too long for http, the cache would over fill */
147 	return(60*60*2);
148 	}
149 
tls1_new(SSL * s)150 int tls1_new(SSL *s)
151 	{
152 	if (!ssl3_new(s)) return(0);
153 	s->method->ssl_clear(s);
154 	return(1);
155 	}
156 
tls1_free(SSL * s)157 void tls1_free(SSL *s)
158 	{
159 #ifndef OPENSSL_NO_TLSEXT
160 	if (s->tlsext_session_ticket)
161 		{
162 		OPENSSL_free(s->tlsext_session_ticket);
163 		}
164 #endif /* OPENSSL_NO_TLSEXT */
165 	ssl3_free(s);
166 	}
167 
tls1_clear(SSL * s)168 void tls1_clear(SSL *s)
169 	{
170 	ssl3_clear(s);
171 	s->version = s->method->version;
172 	}
173 
174 #ifndef OPENSSL_NO_EC
175 
176 static int nid_list[] =
177 	{
178 		NID_sect163k1, /* sect163k1 (1) */
179 		NID_sect163r1, /* sect163r1 (2) */
180 		NID_sect163r2, /* sect163r2 (3) */
181 		NID_sect193r1, /* sect193r1 (4) */
182 		NID_sect193r2, /* sect193r2 (5) */
183 		NID_sect233k1, /* sect233k1 (6) */
184 		NID_sect233r1, /* sect233r1 (7) */
185 		NID_sect239k1, /* sect239k1 (8) */
186 		NID_sect283k1, /* sect283k1 (9) */
187 		NID_sect283r1, /* sect283r1 (10) */
188 		NID_sect409k1, /* sect409k1 (11) */
189 		NID_sect409r1, /* sect409r1 (12) */
190 		NID_sect571k1, /* sect571k1 (13) */
191 		NID_sect571r1, /* sect571r1 (14) */
192 		NID_secp160k1, /* secp160k1 (15) */
193 		NID_secp160r1, /* secp160r1 (16) */
194 		NID_secp160r2, /* secp160r2 (17) */
195 		NID_secp192k1, /* secp192k1 (18) */
196 		NID_X9_62_prime192v1, /* secp192r1 (19) */
197 		NID_secp224k1, /* secp224k1 (20) */
198 		NID_secp224r1, /* secp224r1 (21) */
199 		NID_secp256k1, /* secp256k1 (22) */
200 		NID_X9_62_prime256v1, /* secp256r1 (23) */
201 		NID_secp384r1, /* secp384r1 (24) */
202 		NID_secp521r1  /* secp521r1 (25) */
203 	};
204 
205 static int pref_list[] =
206 	{
207 		NID_sect571r1, /* sect571r1 (14) */
208 		NID_sect571k1, /* sect571k1 (13) */
209 		NID_secp521r1, /* secp521r1 (25) */
210 		NID_sect409k1, /* sect409k1 (11) */
211 		NID_sect409r1, /* sect409r1 (12) */
212 		NID_secp384r1, /* secp384r1 (24) */
213 		NID_sect283k1, /* sect283k1 (9) */
214 		NID_sect283r1, /* sect283r1 (10) */
215 		NID_secp256k1, /* secp256k1 (22) */
216 		NID_X9_62_prime256v1, /* secp256r1 (23) */
217 		NID_sect239k1, /* sect239k1 (8) */
218 		NID_sect233k1, /* sect233k1 (6) */
219 		NID_sect233r1, /* sect233r1 (7) */
220 		NID_secp224k1, /* secp224k1 (20) */
221 		NID_secp224r1, /* secp224r1 (21) */
222 		NID_sect193r1, /* sect193r1 (4) */
223 		NID_sect193r2, /* sect193r2 (5) */
224 		NID_secp192k1, /* secp192k1 (18) */
225 		NID_X9_62_prime192v1, /* secp192r1 (19) */
226 		NID_sect163k1, /* sect163k1 (1) */
227 		NID_sect163r1, /* sect163r1 (2) */
228 		NID_sect163r2, /* sect163r2 (3) */
229 		NID_secp160k1, /* secp160k1 (15) */
230 		NID_secp160r1, /* secp160r1 (16) */
231 		NID_secp160r2, /* secp160r2 (17) */
232 	};
233 
tls1_ec_curve_id2nid(int curve_id)234 int tls1_ec_curve_id2nid(int curve_id)
235 	{
236 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237 	if ((curve_id < 1) || ((unsigned int)curve_id >
238 				sizeof(nid_list)/sizeof(nid_list[0])))
239 		return 0;
240 	return nid_list[curve_id-1];
241 	}
242 
tls1_ec_nid2curve_id(int nid)243 int tls1_ec_nid2curve_id(int nid)
244 	{
245 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246 	switch (nid)
247 		{
248 	case NID_sect163k1: /* sect163k1 (1) */
249 		return 1;
250 	case NID_sect163r1: /* sect163r1 (2) */
251 		return 2;
252 	case NID_sect163r2: /* sect163r2 (3) */
253 		return 3;
254 	case NID_sect193r1: /* sect193r1 (4) */
255 		return 4;
256 	case NID_sect193r2: /* sect193r2 (5) */
257 		return 5;
258 	case NID_sect233k1: /* sect233k1 (6) */
259 		return 6;
260 	case NID_sect233r1: /* sect233r1 (7) */
261 		return 7;
262 	case NID_sect239k1: /* sect239k1 (8) */
263 		return 8;
264 	case NID_sect283k1: /* sect283k1 (9) */
265 		return 9;
266 	case NID_sect283r1: /* sect283r1 (10) */
267 		return 10;
268 	case NID_sect409k1: /* sect409k1 (11) */
269 		return 11;
270 	case NID_sect409r1: /* sect409r1 (12) */
271 		return 12;
272 	case NID_sect571k1: /* sect571k1 (13) */
273 		return 13;
274 	case NID_sect571r1: /* sect571r1 (14) */
275 		return 14;
276 	case NID_secp160k1: /* secp160k1 (15) */
277 		return 15;
278 	case NID_secp160r1: /* secp160r1 (16) */
279 		return 16;
280 	case NID_secp160r2: /* secp160r2 (17) */
281 		return 17;
282 	case NID_secp192k1: /* secp192k1 (18) */
283 		return 18;
284 	case NID_X9_62_prime192v1: /* secp192r1 (19) */
285 		return 19;
286 	case NID_secp224k1: /* secp224k1 (20) */
287 		return 20;
288 	case NID_secp224r1: /* secp224r1 (21) */
289 		return 21;
290 	case NID_secp256k1: /* secp256k1 (22) */
291 		return 22;
292 	case NID_X9_62_prime256v1: /* secp256r1 (23) */
293 		return 23;
294 	case NID_secp384r1: /* secp384r1 (24) */
295 		return 24;
296 	case NID_secp521r1:  /* secp521r1 (25) */
297 		return 25;
298 	default:
299 		return 0;
300 		}
301 	}
302 #endif /* OPENSSL_NO_EC */
303 
304 #ifndef OPENSSL_NO_TLSEXT
305 
306 /* List of supported signature algorithms and hashes. Should make this
307  * customisable at some point, for now include everything we support.
308  */
309 
310 #ifdef OPENSSL_NO_RSA
311 #define tlsext_sigalg_rsa(md) /* */
312 #else
313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #endif
315 
316 #ifdef OPENSSL_NO_DSA
317 #define tlsext_sigalg_dsa(md) /* */
318 #else
319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #endif
321 
322 #ifdef OPENSSL_NO_ECDSA
323 #define tlsext_sigalg_ecdsa(md) /* */
324 #else
325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #endif
327 
328 #define tlsext_sigalg(md) \
329 		tlsext_sigalg_rsa(md) \
330 		tlsext_sigalg_dsa(md) \
331 		tlsext_sigalg_ecdsa(md)
332 
333 static unsigned char tls12_sigalgs[] = {
334 #ifndef OPENSSL_NO_SHA512
335 	tlsext_sigalg(TLSEXT_hash_sha512)
336 	tlsext_sigalg(TLSEXT_hash_sha384)
337 #endif
338 #ifndef OPENSSL_NO_SHA256
339 	tlsext_sigalg(TLSEXT_hash_sha256)
340 	tlsext_sigalg(TLSEXT_hash_sha224)
341 #endif
342 #ifndef OPENSSL_NO_SHA
343 	tlsext_sigalg(TLSEXT_hash_sha1)
344 #endif
345 #ifndef OPENSSL_NO_MD5
346 	tlsext_sigalg_rsa(TLSEXT_hash_md5)
347 #endif
348 };
349 
tls12_get_req_sig_algs(SSL * s,unsigned char * p)350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351 	{
352 	size_t slen = sizeof(tls12_sigalgs);
353 #ifdef OPENSSL_FIPS
354 	/* If FIPS mode don't include MD5 which is last */
355 	if (FIPS_mode())
356 		slen -= 2;
357 #endif
358 	if (p)
359 		memcpy(p, tls12_sigalgs, slen);
360 	return (int)slen;
361 	}
362 
ssl_add_clienthello_tlsext(SSL * s,unsigned char * p,unsigned char * limit)363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364 	{
365 	int extdatalen=0;
366 	unsigned char *ret = p;
367 
368 	/* don't add extensions for SSLv3 unless doing secure renegotiation */
369 	if (s->client_version == SSL3_VERSION
370 					&& !s->s3->send_connection_binding)
371 		return p;
372 
373 	ret+=2;
374 
375 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
376 
377  	if (s->tlsext_hostname != NULL)
378 		{
379 		/* Add TLS extension servername to the Client Hello message */
380 		unsigned long size_str;
381 		long lenmax;
382 
383 		/* check for enough space.
384 		   4 for the servername type and entension length
385 		   2 for servernamelist length
386 		   1 for the hostname type
387 		   2 for hostname length
388 		   + hostname length
389 		*/
390 
391 		if ((lenmax = limit - ret - 9) < 0
392 		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
393 			return NULL;
394 
395 		/* extension type and length */
396 		s2n(TLSEXT_TYPE_server_name,ret);
397 		s2n(size_str+5,ret);
398 
399 		/* length of servername list */
400 		s2n(size_str+3,ret);
401 
402 		/* hostname type, length and hostname */
403 		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
404 		s2n(size_str,ret);
405 		memcpy(ret, s->tlsext_hostname, size_str);
406 		ret+=size_str;
407 		}
408 
409         /* Add RI if renegotiating */
410         if (s->renegotiate)
411           {
412           int el;
413 
414           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
415               {
416               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
417               return NULL;
418               }
419 
420           if((limit - p - 4 - el) < 0) return NULL;
421 
422           s2n(TLSEXT_TYPE_renegotiate,ret);
423           s2n(el,ret);
424 
425           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
426               {
427               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
428               return NULL;
429               }
430 
431           ret += el;
432         }
433 
434 #ifndef OPENSSL_NO_SRP
435 	/* Add SRP username if there is one */
436 	if (s->srp_ctx.login != NULL)
437 		{ /* Add TLS extension SRP username to the Client Hello message */
438 
439 		int login_len = strlen(s->srp_ctx.login);
440 		if (login_len > 255 || login_len == 0)
441 			{
442 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
443 			return NULL;
444 			}
445 
446 		/* check for enough space.
447 		   4 for the srp type type and entension length
448 		   1 for the srp user identity
449 		   + srp user identity length
450 		*/
451 		if ((limit - ret - 5 - login_len) < 0) return NULL;
452 
453 		/* fill in the extension */
454 		s2n(TLSEXT_TYPE_srp,ret);
455 		s2n(login_len+1,ret);
456 		(*ret++) = (unsigned char) login_len;
457 		memcpy(ret, s->srp_ctx.login, login_len);
458 		ret+=login_len;
459 		}
460 #endif
461 
462 #ifndef OPENSSL_NO_EC
463 	if (s->tlsext_ecpointformatlist != NULL &&
464 	    s->version != DTLS1_VERSION)
465 		{
466 		/* Add TLS extension ECPointFormats to the ClientHello message */
467 		long lenmax;
468 
469 		if ((lenmax = limit - ret - 5) < 0) return NULL;
470 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471 		if (s->tlsext_ecpointformatlist_length > 255)
472 			{
473 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
474 			return NULL;
475 			}
476 
477 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
478 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481 		ret+=s->tlsext_ecpointformatlist_length;
482 		}
483 	if (s->tlsext_ellipticcurvelist != NULL &&
484 	    s->version != DTLS1_VERSION)
485 		{
486 		/* Add TLS extension EllipticCurves to the ClientHello message */
487 		long lenmax;
488 
489 		if ((lenmax = limit - ret - 6) < 0) return NULL;
490 		if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
491 		if (s->tlsext_ellipticcurvelist_length > 65532)
492 			{
493 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
494 			return NULL;
495 			}
496 
497 		s2n(TLSEXT_TYPE_elliptic_curves,ret);
498 		s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
499 
500 		/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
501 		 * elliptic_curve_list, but the examples use two bytes.
502 		 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
503 		 * resolves this to two bytes.
504 		 */
505 		s2n(s->tlsext_ellipticcurvelist_length, ret);
506 		memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
507 		ret+=s->tlsext_ellipticcurvelist_length;
508 		}
509 #endif /* OPENSSL_NO_EC */
510 
511 	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
512 		{
513 		int ticklen;
514 		if (!s->new_session && s->session && s->session->tlsext_tick)
515 			ticklen = s->session->tlsext_ticklen;
516 		else if (s->session && s->tlsext_session_ticket &&
517 			 s->tlsext_session_ticket->data)
518 			{
519 			ticklen = s->tlsext_session_ticket->length;
520 			s->session->tlsext_tick = OPENSSL_malloc(ticklen);
521 			if (!s->session->tlsext_tick)
522 				return NULL;
523 			memcpy(s->session->tlsext_tick,
524 			       s->tlsext_session_ticket->data,
525 			       ticklen);
526 			s->session->tlsext_ticklen = ticklen;
527 			}
528 		else
529 			ticklen = 0;
530 		if (ticklen == 0 && s->tlsext_session_ticket &&
531 		    s->tlsext_session_ticket->data == NULL)
532 			goto skip_ext;
533 		/* Check for enough room 2 for extension type, 2 for len
534  		 * rest for ticket
535   		 */
536 		if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
537 		s2n(TLSEXT_TYPE_session_ticket,ret);
538 		s2n(ticklen,ret);
539 		if (ticklen)
540 			{
541 			memcpy(ret, s->session->tlsext_tick, ticklen);
542 			ret += ticklen;
543 			}
544 		}
545 		skip_ext:
546 
547 	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
548 		{
549 		if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
550 			return NULL;
551 		s2n(TLSEXT_TYPE_signature_algorithms,ret);
552 		s2n(sizeof(tls12_sigalgs) + 2, ret);
553 		s2n(sizeof(tls12_sigalgs), ret);
554 		memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
555 		ret += sizeof(tls12_sigalgs);
556 		}
557 
558 #ifdef TLSEXT_TYPE_opaque_prf_input
559 	if (s->s3->client_opaque_prf_input != NULL &&
560 	    s->version != DTLS1_VERSION)
561 		{
562 		size_t col = s->s3->client_opaque_prf_input_len;
563 
564 		if ((long)(limit - ret - 6 - col < 0))
565 			return NULL;
566 		if (col > 0xFFFD) /* can't happen */
567 			return NULL;
568 
569 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
570 		s2n(col + 2, ret);
571 		s2n(col, ret);
572 		memcpy(ret, s->s3->client_opaque_prf_input, col);
573 		ret += col;
574 		}
575 #endif
576 
577 	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
578 	    s->version != DTLS1_VERSION)
579 		{
580 		int i;
581 		long extlen, idlen, itmp;
582 		OCSP_RESPID *id;
583 
584 		idlen = 0;
585 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
586 			{
587 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
588 			itmp = i2d_OCSP_RESPID(id, NULL);
589 			if (itmp <= 0)
590 				return NULL;
591 			idlen += itmp + 2;
592 			}
593 
594 		if (s->tlsext_ocsp_exts)
595 			{
596 			extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
597 			if (extlen < 0)
598 				return NULL;
599 			}
600 		else
601 			extlen = 0;
602 
603 		if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
604 		s2n(TLSEXT_TYPE_status_request, ret);
605 		if (extlen + idlen > 0xFFF0)
606 			return NULL;
607 		s2n(extlen + idlen + 5, ret);
608 		*(ret++) = TLSEXT_STATUSTYPE_ocsp;
609 		s2n(idlen, ret);
610 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
611 			{
612 			/* save position of id len */
613 			unsigned char *q = ret;
614 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
615 			/* skip over id len */
616 			ret += 2;
617 			itmp = i2d_OCSP_RESPID(id, &ret);
618 			/* write id len */
619 			s2n(itmp, q);
620 			}
621 		s2n(extlen, ret);
622 		if (extlen > 0)
623 			i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
624 		}
625 
626 #ifndef OPENSSL_NO_HEARTBEATS
627 	/* Add Heartbeat extension */
628 	s2n(TLSEXT_TYPE_heartbeat,ret);
629 	s2n(1,ret);
630 	/* Set mode:
631 	 * 1: peer may send requests
632 	 * 2: peer not allowed to send requests
633 	 */
634 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635 		*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636 	else
637 		*(ret++) = SSL_TLSEXT_HB_ENABLED;
638 #endif
639 
640 #ifndef OPENSSL_NO_NEXTPROTONEG
641 	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642 		{
643 		/* The client advertises an emtpy extension to indicate its
644 		 * support for Next Protocol Negotiation */
645 		if (limit - ret - 4 < 0)
646 			return NULL;
647 		s2n(TLSEXT_TYPE_next_proto_neg,ret);
648 		s2n(0,ret);
649 		}
650 #endif
651 
652 	if (s->tlsext_channel_id_enabled)
653 		{
654 		/* The client advertises an emtpy extension to indicate its
655 		 * support for Channel ID. */
656 		if (limit - ret - 4 < 0)
657 			return NULL;
658 		s2n(TLSEXT_TYPE_channel_id,ret);
659 		s2n(0,ret);
660 		}
661 
662 #ifndef OPENSSL_NO_SRTP
663         if(SSL_get_srtp_profiles(s))
664                 {
665                 int el;
666 
667                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
668 
669                 if((limit - p - 4 - el) < 0) return NULL;
670 
671                 s2n(TLSEXT_TYPE_use_srtp,ret);
672                 s2n(el,ret);
673 
674                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
675 			{
676 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
677 			return NULL;
678 			}
679                 ret += el;
680                 }
681 #endif
682 
683 	if ((extdatalen = ret-p-2)== 0)
684 		return p;
685 
686 	s2n(extdatalen,p);
687 	return ret;
688 	}
689 
ssl_add_serverhello_tlsext(SSL * s,unsigned char * p,unsigned char * limit)690 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
691 	{
692 	int extdatalen=0;
693 	unsigned char *ret = p;
694 #ifndef OPENSSL_NO_NEXTPROTONEG
695 	int next_proto_neg_seen;
696 #endif
697 
698 	/* don't add extensions for SSLv3, unless doing secure renegotiation */
699 	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
700 		return p;
701 
702 	ret+=2;
703 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
704 
705 	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
706 		{
707 		if ((long)(limit - ret - 4) < 0) return NULL;
708 
709 		s2n(TLSEXT_TYPE_server_name,ret);
710 		s2n(0,ret);
711 		}
712 
713 	if(s->s3->send_connection_binding)
714         {
715           int el;
716 
717           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
718               {
719               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
720               return NULL;
721               }
722 
723           if((limit - p - 4 - el) < 0) return NULL;
724 
725           s2n(TLSEXT_TYPE_renegotiate,ret);
726           s2n(el,ret);
727 
728           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
729               {
730               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
731               return NULL;
732               }
733 
734           ret += el;
735         }
736 
737 #ifndef OPENSSL_NO_EC
738 	if (s->tlsext_ecpointformatlist != NULL &&
739 	    s->version != DTLS1_VERSION)
740 		{
741 		/* Add TLS extension ECPointFormats to the ServerHello message */
742 		long lenmax;
743 
744 		if ((lenmax = limit - ret - 5) < 0) return NULL;
745 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
746 		if (s->tlsext_ecpointformatlist_length > 255)
747 			{
748 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
749 			return NULL;
750 			}
751 
752 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
753 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
754 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
755 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
756 		ret+=s->tlsext_ecpointformatlist_length;
757 
758 		}
759 	/* Currently the server should not respond with a SupportedCurves extension */
760 #endif /* OPENSSL_NO_EC */
761 
762 	if (s->tlsext_ticket_expected
763 		&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
764 		{
765 		if ((long)(limit - ret - 4) < 0) return NULL;
766 		s2n(TLSEXT_TYPE_session_ticket,ret);
767 		s2n(0,ret);
768 		}
769 
770 	if (s->tlsext_status_expected)
771 		{
772 		if ((long)(limit - ret - 4) < 0) return NULL;
773 		s2n(TLSEXT_TYPE_status_request,ret);
774 		s2n(0,ret);
775 		}
776 
777 #ifdef TLSEXT_TYPE_opaque_prf_input
778 	if (s->s3->server_opaque_prf_input != NULL &&
779 	    s->version != DTLS1_VERSION)
780 		{
781 		size_t sol = s->s3->server_opaque_prf_input_len;
782 
783 		if ((long)(limit - ret - 6 - sol) < 0)
784 			return NULL;
785 		if (sol > 0xFFFD) /* can't happen */
786 			return NULL;
787 
788 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
789 		s2n(sol + 2, ret);
790 		s2n(sol, ret);
791 		memcpy(ret, s->s3->server_opaque_prf_input, sol);
792 		ret += sol;
793 		}
794 #endif
795 
796 #ifndef OPENSSL_NO_SRTP
797         if(s->srtp_profile)
798                 {
799                 int el;
800 
801                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
802 
803                 if((limit - p - 4 - el) < 0) return NULL;
804 
805                 s2n(TLSEXT_TYPE_use_srtp,ret);
806                 s2n(el,ret);
807 
808                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
809 			{
810 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
811 			return NULL;
812 			}
813                 ret+=el;
814                 }
815 #endif
816 
817 	if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
818 		&& (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
819 		{ const unsigned char cryptopro_ext[36] = {
820 			0xfd, 0xe8, /*65000*/
821 			0x00, 0x20, /*32 bytes length*/
822 			0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
823 			0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
824 			0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
825 			0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
826 			if (limit-ret<36) return NULL;
827 			memcpy(ret,cryptopro_ext,36);
828 			ret+=36;
829 
830 		}
831 
832 #ifndef OPENSSL_NO_HEARTBEATS
833 	/* Add Heartbeat extension if we've received one */
834 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
835 		{
836 		s2n(TLSEXT_TYPE_heartbeat,ret);
837 		s2n(1,ret);
838 		/* Set mode:
839 		 * 1: peer may send requests
840 		 * 2: peer not allowed to send requests
841 		 */
842 		if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
843 			*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
844 		else
845 			*(ret++) = SSL_TLSEXT_HB_ENABLED;
846 
847 		}
848 #endif
849 
850 #ifndef OPENSSL_NO_NEXTPROTONEG
851 	next_proto_neg_seen = s->s3->next_proto_neg_seen;
852 	s->s3->next_proto_neg_seen = 0;
853 	if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
854 		{
855 		const unsigned char *npa;
856 		unsigned int npalen;
857 		int r;
858 
859 		r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
860 		if (r == SSL_TLSEXT_ERR_OK)
861 			{
862 			if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
863 			s2n(TLSEXT_TYPE_next_proto_neg,ret);
864 			s2n(npalen,ret);
865 			memcpy(ret, npa, npalen);
866 			ret += npalen;
867 			s->s3->next_proto_neg_seen = 1;
868 			}
869 		}
870 #endif
871 
872 	/* If the client advertised support for Channel ID, and we have it
873 	 * enabled, then we want to echo it back. */
874 	if (s->s3->tlsext_channel_id_valid)
875 		{
876 		if (limit - ret - 4 < 0)
877 			return NULL;
878 		s2n(TLSEXT_TYPE_channel_id,ret);
879 		s2n(0,ret);
880 		}
881 
882 	if ((extdatalen = ret-p-2)== 0)
883 		return p;
884 
885 	s2n(extdatalen,p);
886 	return ret;
887 	}
888 
ssl_parse_clienthello_tlsext(SSL * s,unsigned char ** p,unsigned char * d,int n,int * al)889 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
890 	{
891 	unsigned short type;
892 	unsigned short size;
893 	unsigned short len;
894 	unsigned char *data = *p;
895 	int renegotiate_seen = 0;
896 	int sigalg_seen = 0;
897 
898 	s->servername_done = 0;
899 	s->tlsext_status_type = -1;
900 #ifndef OPENSSL_NO_NEXTPROTONEG
901 	s->s3->next_proto_neg_seen = 0;
902 #endif
903 
904 #ifndef OPENSSL_NO_HEARTBEATS
905 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
906 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
907 #endif
908 
909 	if (data >= (d+n-2))
910 		goto ri_check;
911 	n2s(data,len);
912 
913 	if (data > (d+n-len))
914 		goto ri_check;
915 
916 	while (data <= (d+n-4))
917 		{
918 		n2s(data,type);
919 		n2s(data,size);
920 
921 		if (data+size > (d+n))
922 	   		goto ri_check;
923 #if 0
924 		fprintf(stderr,"Received extension type %d size %d\n",type,size);
925 #endif
926 		if (s->tlsext_debug_cb)
927 			s->tlsext_debug_cb(s, 0, type, data, size,
928 						s->tlsext_debug_arg);
929 /* The servername extension is treated as follows:
930 
931    - Only the hostname type is supported with a maximum length of 255.
932    - The servername is rejected if too long or if it contains zeros,
933      in which case an fatal alert is generated.
934    - The servername field is maintained together with the session cache.
935    - When a session is resumed, the servername call back invoked in order
936      to allow the application to position itself to the right context.
937    - The servername is acknowledged if it is new for a session or when
938      it is identical to a previously used for the same session.
939      Applications can control the behaviour.  They can at any time
940      set a 'desirable' servername for a new SSL object. This can be the
941      case for example with HTTPS when a Host: header field is received and
942      a renegotiation is requested. In this case, a possible servername
943      presented in the new client hello is only acknowledged if it matches
944      the value of the Host: field.
945    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
946      if they provide for changing an explicit servername context for the session,
947      i.e. when the session has been established with a servername extension.
948    - On session reconnect, the servername extension may be absent.
949 
950 */
951 
952 		if (type == TLSEXT_TYPE_server_name)
953 			{
954 			unsigned char *sdata;
955 			int servname_type;
956 			int dsize;
957 
958 			if (size < 2)
959 				{
960 				*al = SSL_AD_DECODE_ERROR;
961 				return 0;
962 				}
963 			n2s(data,dsize);
964 			size -= 2;
965 			if (dsize > size  )
966 				{
967 				*al = SSL_AD_DECODE_ERROR;
968 				return 0;
969 				}
970 
971 			sdata = data;
972 			while (dsize > 3)
973 				{
974 	 			servname_type = *(sdata++);
975 				n2s(sdata,len);
976 				dsize -= 3;
977 
978 				if (len > dsize)
979 					{
980 					*al = SSL_AD_DECODE_ERROR;
981 					return 0;
982 					}
983 				if (s->servername_done == 0)
984 				switch (servname_type)
985 					{
986 				case TLSEXT_NAMETYPE_host_name:
987 					if (!s->hit)
988 						{
989 						if(s->session->tlsext_hostname)
990 							{
991 							*al = SSL_AD_DECODE_ERROR;
992 							return 0;
993 							}
994 						if (len > TLSEXT_MAXLEN_host_name)
995 							{
996 							*al = TLS1_AD_UNRECOGNIZED_NAME;
997 							return 0;
998 							}
999 						if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1000 							{
1001 							*al = TLS1_AD_INTERNAL_ERROR;
1002 							return 0;
1003 							}
1004 						memcpy(s->session->tlsext_hostname, sdata, len);
1005 						s->session->tlsext_hostname[len]='\0';
1006 						if (strlen(s->session->tlsext_hostname) != len) {
1007 							OPENSSL_free(s->session->tlsext_hostname);
1008 							s->session->tlsext_hostname = NULL;
1009 							*al = TLS1_AD_UNRECOGNIZED_NAME;
1010 							return 0;
1011 						}
1012 						s->servername_done = 1;
1013 
1014 						}
1015 					else
1016 						s->servername_done = s->session->tlsext_hostname
1017 							&& strlen(s->session->tlsext_hostname) == len
1018 							&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1019 
1020 					break;
1021 
1022 				default:
1023 					break;
1024 					}
1025 
1026 				dsize -= len;
1027 				}
1028 			if (dsize != 0)
1029 				{
1030 				*al = SSL_AD_DECODE_ERROR;
1031 				return 0;
1032 				}
1033 
1034 			}
1035 #ifndef OPENSSL_NO_SRP
1036 		else if (type == TLSEXT_TYPE_srp)
1037 			{
1038 			if (size <= 0 || ((len = data[0])) != (size -1))
1039 				{
1040 				*al = SSL_AD_DECODE_ERROR;
1041 				return 0;
1042 				}
1043 			if (s->srp_ctx.login != NULL)
1044 				{
1045 				*al = SSL_AD_DECODE_ERROR;
1046 				return 0;
1047 				}
1048 			if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1049 				return -1;
1050 			memcpy(s->srp_ctx.login, &data[1], len);
1051 			s->srp_ctx.login[len]='\0';
1052 
1053 			if (strlen(s->srp_ctx.login) != len)
1054 				{
1055 				*al = SSL_AD_DECODE_ERROR;
1056 				return 0;
1057 				}
1058 			}
1059 #endif
1060 
1061 #ifndef OPENSSL_NO_EC
1062 		else if (type == TLSEXT_TYPE_ec_point_formats &&
1063 	             s->version != DTLS1_VERSION)
1064 			{
1065 			unsigned char *sdata = data;
1066 			int ecpointformatlist_length = *(sdata++);
1067 
1068 			if (ecpointformatlist_length != size - 1)
1069 				{
1070 				*al = TLS1_AD_DECODE_ERROR;
1071 				return 0;
1072 				}
1073 			if (!s->hit)
1074 				{
1075 				if(s->session->tlsext_ecpointformatlist)
1076 					{
1077 					OPENSSL_free(s->session->tlsext_ecpointformatlist);
1078 					s->session->tlsext_ecpointformatlist = NULL;
1079 					}
1080 				s->session->tlsext_ecpointformatlist_length = 0;
1081 				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1082 					{
1083 					*al = TLS1_AD_INTERNAL_ERROR;
1084 					return 0;
1085 					}
1086 				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1087 				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1088 				}
1089 #if 0
1090 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1091 			sdata = s->session->tlsext_ecpointformatlist;
1092 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1093 				fprintf(stderr,"%i ",*(sdata++));
1094 			fprintf(stderr,"\n");
1095 #endif
1096 			}
1097 		else if (type == TLSEXT_TYPE_elliptic_curves &&
1098 	             s->version != DTLS1_VERSION)
1099 			{
1100 			unsigned char *sdata = data;
1101 			int ellipticcurvelist_length = (*(sdata++) << 8);
1102 			ellipticcurvelist_length += (*(sdata++));
1103 
1104 			if (ellipticcurvelist_length != size - 2 ||
1105 				ellipticcurvelist_length < 1)
1106 				{
1107 				*al = TLS1_AD_DECODE_ERROR;
1108 				return 0;
1109 				}
1110 			if (!s->hit)
1111 				{
1112 				if(s->session->tlsext_ellipticcurvelist)
1113 					{
1114 					*al = TLS1_AD_DECODE_ERROR;
1115 					return 0;
1116 					}
1117 				s->session->tlsext_ellipticcurvelist_length = 0;
1118 				if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1119 					{
1120 					*al = TLS1_AD_INTERNAL_ERROR;
1121 					return 0;
1122 					}
1123 				s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1124 				memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1125 				}
1126 #if 0
1127 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1128 			sdata = s->session->tlsext_ellipticcurvelist;
1129 			for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1130 				fprintf(stderr,"%i ",*(sdata++));
1131 			fprintf(stderr,"\n");
1132 #endif
1133 			}
1134 #endif /* OPENSSL_NO_EC */
1135 #ifdef TLSEXT_TYPE_opaque_prf_input
1136 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1137 	             s->version != DTLS1_VERSION)
1138 			{
1139 			unsigned char *sdata = data;
1140 
1141 			if (size < 2)
1142 				{
1143 				*al = SSL_AD_DECODE_ERROR;
1144 				return 0;
1145 				}
1146 			n2s(sdata, s->s3->client_opaque_prf_input_len);
1147 			if (s->s3->client_opaque_prf_input_len != size - 2)
1148 				{
1149 				*al = SSL_AD_DECODE_ERROR;
1150 				return 0;
1151 				}
1152 
1153 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1154 				OPENSSL_free(s->s3->client_opaque_prf_input);
1155 			if (s->s3->client_opaque_prf_input_len == 0)
1156 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1157 			else
1158 				s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1159 			if (s->s3->client_opaque_prf_input == NULL)
1160 				{
1161 				*al = TLS1_AD_INTERNAL_ERROR;
1162 				return 0;
1163 				}
1164 			}
1165 #endif
1166 		else if (type == TLSEXT_TYPE_session_ticket)
1167 			{
1168 			if (s->tls_session_ticket_ext_cb &&
1169 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1170 				{
1171 				*al = TLS1_AD_INTERNAL_ERROR;
1172 				return 0;
1173 				}
1174 			}
1175 		else if (type == TLSEXT_TYPE_renegotiate)
1176 			{
1177 			if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1178 				return 0;
1179 			renegotiate_seen = 1;
1180 			}
1181 		else if (type == TLSEXT_TYPE_signature_algorithms)
1182 			{
1183 			int dsize;
1184 			if (sigalg_seen || size < 2)
1185 				{
1186 				*al = SSL_AD_DECODE_ERROR;
1187 				return 0;
1188 				}
1189 			sigalg_seen = 1;
1190 			n2s(data,dsize);
1191 			size -= 2;
1192 			if (dsize != size || dsize & 1)
1193 				{
1194 				*al = SSL_AD_DECODE_ERROR;
1195 				return 0;
1196 				}
1197 			if (!tls1_process_sigalgs(s, data, dsize))
1198 				{
1199 				*al = SSL_AD_DECODE_ERROR;
1200 				return 0;
1201 				}
1202 			}
1203 		else if (type == TLSEXT_TYPE_status_request &&
1204 		         s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1205 			{
1206 
1207 			if (size < 5)
1208 				{
1209 				*al = SSL_AD_DECODE_ERROR;
1210 				return 0;
1211 				}
1212 
1213 			s->tlsext_status_type = *data++;
1214 			size--;
1215 			if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1216 				{
1217 				const unsigned char *sdata;
1218 				int dsize;
1219 				/* Read in responder_id_list */
1220 				n2s(data,dsize);
1221 				size -= 2;
1222 				if (dsize > size  )
1223 					{
1224 					*al = SSL_AD_DECODE_ERROR;
1225 					return 0;
1226 					}
1227 				while (dsize > 0)
1228 					{
1229 					OCSP_RESPID *id;
1230 					int idsize;
1231 					if (dsize < 4)
1232 						{
1233 						*al = SSL_AD_DECODE_ERROR;
1234 						return 0;
1235 						}
1236 					n2s(data, idsize);
1237 					dsize -= 2 + idsize;
1238 					size -= 2 + idsize;
1239 					if (dsize < 0)
1240 						{
1241 						*al = SSL_AD_DECODE_ERROR;
1242 						return 0;
1243 						}
1244 					sdata = data;
1245 					data += idsize;
1246 					id = d2i_OCSP_RESPID(NULL,
1247 								&sdata, idsize);
1248 					if (!id)
1249 						{
1250 						*al = SSL_AD_DECODE_ERROR;
1251 						return 0;
1252 						}
1253 					if (data != sdata)
1254 						{
1255 						OCSP_RESPID_free(id);
1256 						*al = SSL_AD_DECODE_ERROR;
1257 						return 0;
1258 						}
1259 					if (!s->tlsext_ocsp_ids
1260 						&& !(s->tlsext_ocsp_ids =
1261 						sk_OCSP_RESPID_new_null()))
1262 						{
1263 						OCSP_RESPID_free(id);
1264 						*al = SSL_AD_INTERNAL_ERROR;
1265 						return 0;
1266 						}
1267 					if (!sk_OCSP_RESPID_push(
1268 							s->tlsext_ocsp_ids, id))
1269 						{
1270 						OCSP_RESPID_free(id);
1271 						*al = SSL_AD_INTERNAL_ERROR;
1272 						return 0;
1273 						}
1274 					}
1275 
1276 				/* Read in request_extensions */
1277 				if (size < 2)
1278 					{
1279 					*al = SSL_AD_DECODE_ERROR;
1280 					return 0;
1281 					}
1282 				n2s(data,dsize);
1283 				size -= 2;
1284 				if (dsize != size)
1285 					{
1286 					*al = SSL_AD_DECODE_ERROR;
1287 					return 0;
1288 					}
1289 				sdata = data;
1290 				if (dsize > 0)
1291 					{
1292 					if (s->tlsext_ocsp_exts)
1293 						{
1294 						sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1295 									   X509_EXTENSION_free);
1296 						}
1297 
1298 					s->tlsext_ocsp_exts =
1299 						d2i_X509_EXTENSIONS(NULL,
1300 							&sdata, dsize);
1301 					if (!s->tlsext_ocsp_exts
1302 						|| (data + dsize != sdata))
1303 						{
1304 						*al = SSL_AD_DECODE_ERROR;
1305 						return 0;
1306 						}
1307 					}
1308 				}
1309 				/* We don't know what to do with any other type
1310  			 	* so ignore it.
1311  			 	*/
1312 				else
1313 					s->tlsext_status_type = -1;
1314 			}
1315 #ifndef OPENSSL_NO_HEARTBEATS
1316 		else if (type == TLSEXT_TYPE_heartbeat)
1317 			{
1318 			switch(data[0])
1319 				{
1320 				case 0x01:	/* Client allows us to send HB requests */
1321 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1322 							break;
1323 				case 0x02:	/* Client doesn't accept HB requests */
1324 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1325 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1326 							break;
1327 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
1328 							return 0;
1329 				}
1330 			}
1331 #endif
1332 #ifndef OPENSSL_NO_NEXTPROTONEG
1333 		else if (type == TLSEXT_TYPE_next_proto_neg &&
1334 			 s->s3->tmp.finish_md_len == 0)
1335 			{
1336 			/* We shouldn't accept this extension on a
1337 			 * renegotiation.
1338 			 *
1339 			 * s->new_session will be set on renegotiation, but we
1340 			 * probably shouldn't rely that it couldn't be set on
1341 			 * the initial renegotation too in certain cases (when
1342 			 * there's some other reason to disallow resuming an
1343 			 * earlier session -- the current code won't be doing
1344 			 * anything like that, but this might change).
1345 
1346 			 * A valid sign that there's been a previous handshake
1347 			 * in this connection is if s->s3->tmp.finish_md_len >
1348 			 * 0.  (We are talking about a check that will happen
1349 			 * in the Hello protocol round, well before a new
1350 			 * Finished message could have been computed.) */
1351 			s->s3->next_proto_neg_seen = 1;
1352 			}
1353 #endif
1354 
1355 		else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled)
1356 			s->s3->tlsext_channel_id_valid = 1;
1357 
1358 		/* session ticket processed earlier */
1359 #ifndef OPENSSL_NO_SRTP
1360 		else if (type == TLSEXT_TYPE_use_srtp)
1361 			{
1362 			if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1363 							      al))
1364 				return 0;
1365 			}
1366 #endif
1367 
1368 		data+=size;
1369 		}
1370 
1371 	*p = data;
1372 
1373 	ri_check:
1374 
1375 	/* Need RI if renegotiating */
1376 
1377 	if (!renegotiate_seen && s->renegotiate &&
1378 		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1379 		{
1380 		*al = SSL_AD_HANDSHAKE_FAILURE;
1381 	 	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1382 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1383 		return 0;
1384 		}
1385 
1386 	return 1;
1387 	}
1388 
1389 #ifndef OPENSSL_NO_NEXTPROTONEG
1390 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1391  * elements of zero length are allowed and the set of elements must exactly fill
1392  * the length of the block. */
ssl_next_proto_validate(unsigned char * d,unsigned len)1393 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1394 	{
1395 	unsigned int off = 0;
1396 
1397 	while (off < len)
1398 		{
1399 		if (d[off] == 0)
1400 			return 0;
1401 		off += d[off];
1402 		off++;
1403 		}
1404 
1405 	return off == len;
1406 	}
1407 #endif
1408 
ssl_parse_serverhello_tlsext(SSL * s,unsigned char ** p,unsigned char * d,int n,int * al)1409 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1410 	{
1411 	unsigned short length;
1412 	unsigned short type;
1413 	unsigned short size;
1414 	unsigned char *data = *p;
1415 	int tlsext_servername = 0;
1416 	int renegotiate_seen = 0;
1417 
1418 #ifndef OPENSSL_NO_NEXTPROTONEG
1419 	s->s3->next_proto_neg_seen = 0;
1420 #endif
1421 
1422 #ifndef OPENSSL_NO_HEARTBEATS
1423 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1424 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1425 #endif
1426 
1427 	if (data >= (d+n-2))
1428 		goto ri_check;
1429 
1430 	n2s(data,length);
1431 	if (data+length != d+n)
1432 		{
1433 		*al = SSL_AD_DECODE_ERROR;
1434 		return 0;
1435 		}
1436 
1437 	while(data <= (d+n-4))
1438 		{
1439 		n2s(data,type);
1440 		n2s(data,size);
1441 
1442 		if (data+size > (d+n))
1443 	   		goto ri_check;
1444 
1445 		if (s->tlsext_debug_cb)
1446 			s->tlsext_debug_cb(s, 1, type, data, size,
1447 						s->tlsext_debug_arg);
1448 
1449 		if (type == TLSEXT_TYPE_server_name)
1450 			{
1451 			if (s->tlsext_hostname == NULL || size > 0)
1452 				{
1453 				*al = TLS1_AD_UNRECOGNIZED_NAME;
1454 				return 0;
1455 				}
1456 			tlsext_servername = 1;
1457 			}
1458 
1459 #ifndef OPENSSL_NO_EC
1460 		else if (type == TLSEXT_TYPE_ec_point_formats &&
1461 	             s->version != DTLS1_VERSION)
1462 			{
1463 			unsigned char *sdata = data;
1464 			int ecpointformatlist_length = *(sdata++);
1465 
1466 			if (ecpointformatlist_length != size - 1 ||
1467 				ecpointformatlist_length < 1)
1468 				{
1469 				*al = TLS1_AD_DECODE_ERROR;
1470 				return 0;
1471 				}
1472 			s->session->tlsext_ecpointformatlist_length = 0;
1473 			if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1474 			if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1475 				{
1476 				*al = TLS1_AD_INTERNAL_ERROR;
1477 				return 0;
1478 				}
1479 			s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1480 			memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1481 #if 0
1482 			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1483 			sdata = s->session->tlsext_ecpointformatlist;
1484 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1485 				fprintf(stderr,"%i ",*(sdata++));
1486 			fprintf(stderr,"\n");
1487 #endif
1488 			}
1489 #endif /* OPENSSL_NO_EC */
1490 
1491 		else if (type == TLSEXT_TYPE_session_ticket)
1492 			{
1493 			if (s->tls_session_ticket_ext_cb &&
1494 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1495 				{
1496 				*al = TLS1_AD_INTERNAL_ERROR;
1497 				return 0;
1498 				}
1499 			if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1500 				|| (size > 0))
1501 				{
1502 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1503 				return 0;
1504 				}
1505 			s->tlsext_ticket_expected = 1;
1506 			}
1507 #ifdef TLSEXT_TYPE_opaque_prf_input
1508 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1509 	             s->version != DTLS1_VERSION)
1510 			{
1511 			unsigned char *sdata = data;
1512 
1513 			if (size < 2)
1514 				{
1515 				*al = SSL_AD_DECODE_ERROR;
1516 				return 0;
1517 				}
1518 			n2s(sdata, s->s3->server_opaque_prf_input_len);
1519 			if (s->s3->server_opaque_prf_input_len != size - 2)
1520 				{
1521 				*al = SSL_AD_DECODE_ERROR;
1522 				return 0;
1523 				}
1524 
1525 			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1526 				OPENSSL_free(s->s3->server_opaque_prf_input);
1527 			if (s->s3->server_opaque_prf_input_len == 0)
1528 				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1529 			else
1530 				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1531 
1532 			if (s->s3->server_opaque_prf_input == NULL)
1533 				{
1534 				*al = TLS1_AD_INTERNAL_ERROR;
1535 				return 0;
1536 				}
1537 			}
1538 #endif
1539 		else if (type == TLSEXT_TYPE_status_request &&
1540 		         s->version != DTLS1_VERSION)
1541 			{
1542 			/* MUST be empty and only sent if we've requested
1543 			 * a status request message.
1544 			 */
1545 			if ((s->tlsext_status_type == -1) || (size > 0))
1546 				{
1547 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1548 				return 0;
1549 				}
1550 			/* Set flag to expect CertificateStatus message */
1551 			s->tlsext_status_expected = 1;
1552 			}
1553 #ifndef OPENSSL_NO_NEXTPROTONEG
1554 		else if (type == TLSEXT_TYPE_next_proto_neg &&
1555 			 s->s3->tmp.finish_md_len == 0)
1556 			{
1557 			unsigned char *selected;
1558 			unsigned char selected_len;
1559 
1560 			/* We must have requested it. */
1561 			if (s->ctx->next_proto_select_cb == NULL)
1562 				{
1563 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1564 				return 0;
1565 				}
1566 			/* The data must be valid */
1567 			if (!ssl_next_proto_validate(data, size))
1568 				{
1569 				*al = TLS1_AD_DECODE_ERROR;
1570 				return 0;
1571 				}
1572 			if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1573 				{
1574 				*al = TLS1_AD_INTERNAL_ERROR;
1575 				return 0;
1576 				}
1577 			s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1578 			if (!s->next_proto_negotiated)
1579 				{
1580 				*al = TLS1_AD_INTERNAL_ERROR;
1581 				return 0;
1582 				}
1583 			memcpy(s->next_proto_negotiated, selected, selected_len);
1584 			s->next_proto_negotiated_len = selected_len;
1585 			s->s3->next_proto_neg_seen = 1;
1586 			}
1587 #endif
1588 		else if (type == TLSEXT_TYPE_channel_id)
1589 			s->s3->tlsext_channel_id_valid = 1;
1590 
1591 		else if (type == TLSEXT_TYPE_renegotiate)
1592 			{
1593 			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1594 				return 0;
1595 			renegotiate_seen = 1;
1596 			}
1597 #ifndef OPENSSL_NO_HEARTBEATS
1598 		else if (type == TLSEXT_TYPE_heartbeat)
1599 			{
1600 			switch(data[0])
1601 				{
1602 				case 0x01:	/* Server allows us to send HB requests */
1603 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1604 							break;
1605 				case 0x02:	/* Server doesn't accept HB requests */
1606 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1607 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1608 							break;
1609 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
1610 							return 0;
1611 				}
1612 			}
1613 #endif
1614 #ifndef OPENSSL_NO_SRTP
1615 		else if (type == TLSEXT_TYPE_use_srtp)
1616 			{
1617                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1618 							      al))
1619                                 return 0;
1620 			}
1621 #endif
1622 
1623 		data+=size;
1624 		}
1625 
1626 	if (data != d+n)
1627 		{
1628 		*al = SSL_AD_DECODE_ERROR;
1629 		return 0;
1630 		}
1631 
1632 	if (!s->hit && tlsext_servername == 1)
1633 		{
1634  		if (s->tlsext_hostname)
1635 			{
1636 			if (s->session->tlsext_hostname == NULL)
1637 				{
1638 				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1639 				if (!s->session->tlsext_hostname)
1640 					{
1641 					*al = SSL_AD_UNRECOGNIZED_NAME;
1642 					return 0;
1643 					}
1644 				}
1645 			else
1646 				{
1647 				*al = SSL_AD_DECODE_ERROR;
1648 				return 0;
1649 				}
1650 			}
1651 		}
1652 
1653 	*p = data;
1654 
1655 	ri_check:
1656 
1657 	/* Determine if we need to see RI. Strictly speaking if we want to
1658 	 * avoid an attack we should *always* see RI even on initial server
1659 	 * hello because the client doesn't see any renegotiation during an
1660 	 * attack. However this would mean we could not connect to any server
1661 	 * which doesn't support RI so for the immediate future tolerate RI
1662 	 * absence on initial connect only.
1663 	 */
1664 	if (!renegotiate_seen
1665 		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1666 		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1667 		{
1668 		*al = SSL_AD_HANDSHAKE_FAILURE;
1669 		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1670 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1671 		return 0;
1672 		}
1673 
1674 	return 1;
1675 	}
1676 
1677 
ssl_prepare_clienthello_tlsext(SSL * s)1678 int ssl_prepare_clienthello_tlsext(SSL *s)
1679 	{
1680 #ifndef OPENSSL_NO_EC
1681 	/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1682 	 * and elliptic curves we support.
1683 	 */
1684 	int using_ecc = 0;
1685 	int i;
1686 	unsigned char *j;
1687 	unsigned long alg_k, alg_a;
1688 	STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1689 
1690 	for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1691 		{
1692 		SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1693 
1694 		alg_k = c->algorithm_mkey;
1695 		alg_a = c->algorithm_auth;
1696 		if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1697 			{
1698 			using_ecc = 1;
1699 			break;
1700 			}
1701 		}
1702 	using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1703 	if (using_ecc)
1704 		{
1705 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1706 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1707 			{
1708 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1709 			return -1;
1710 			}
1711 		s->tlsext_ecpointformatlist_length = 3;
1712 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1713 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1714 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1715 
1716 		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1717 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1718 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1719 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1720 			{
1721 			s->tlsext_ellipticcurvelist_length = 0;
1722 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1723 			return -1;
1724 			}
1725 		for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1726 				sizeof(pref_list)/sizeof(pref_list[0]); i++)
1727 			{
1728 			int id = tls1_ec_nid2curve_id(pref_list[i]);
1729 			s2n(id,j);
1730 			}
1731 		}
1732 #endif /* OPENSSL_NO_EC */
1733 
1734 #ifdef TLSEXT_TYPE_opaque_prf_input
1735  	{
1736 		int r = 1;
1737 
1738 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1739 			{
1740 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1741 			if (!r)
1742 				return -1;
1743 			}
1744 
1745 		if (s->tlsext_opaque_prf_input != NULL)
1746 			{
1747 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1748 				OPENSSL_free(s->s3->client_opaque_prf_input);
1749 
1750 			if (s->tlsext_opaque_prf_input_len == 0)
1751 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1752 			else
1753 				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1754 			if (s->s3->client_opaque_prf_input == NULL)
1755 				{
1756 				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1757 				return -1;
1758 				}
1759 			s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1760 			}
1761 
1762 		if (r == 2)
1763 			/* at callback's request, insist on receiving an appropriate server opaque PRF input */
1764 			s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1765 	}
1766 #endif
1767 
1768 	return 1;
1769 	}
1770 
ssl_prepare_serverhello_tlsext(SSL * s)1771 int ssl_prepare_serverhello_tlsext(SSL *s)
1772 	{
1773 #ifndef OPENSSL_NO_EC
1774 	/* If we are server and using an ECC cipher suite, send the point formats we support
1775 	 * if the client sent us an ECPointsFormat extension.  Note that the server is not
1776 	 * supposed to send an EllipticCurves extension.
1777 	 */
1778 
1779 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1780 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1781 	int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1782 	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1783 
1784 	if (using_ecc)
1785 		{
1786 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1787 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1788 			{
1789 			SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1790 			return -1;
1791 			}
1792 		s->tlsext_ecpointformatlist_length = 3;
1793 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1794 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1795 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1796 		}
1797 #endif /* OPENSSL_NO_EC */
1798 
1799 	return 1;
1800 	}
1801 
ssl_check_clienthello_tlsext_early(SSL * s)1802 int ssl_check_clienthello_tlsext_early(SSL *s)
1803 	{
1804 	int ret=SSL_TLSEXT_ERR_NOACK;
1805 	int al = SSL_AD_UNRECOGNIZED_NAME;
1806 
1807 #ifndef OPENSSL_NO_EC
1808 	/* The handling of the ECPointFormats extension is done elsewhere, namely in
1809 	 * ssl3_choose_cipher in s3_lib.c.
1810 	 */
1811 	/* The handling of the EllipticCurves extension is done elsewhere, namely in
1812 	 * ssl3_choose_cipher in s3_lib.c.
1813 	 */
1814 #endif
1815 
1816 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1817 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1818 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1819 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1820 
1821 #ifdef TLSEXT_TYPE_opaque_prf_input
1822  	{
1823 		/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1824 		 * but we might be sending an alert in response to the client hello,
1825 		 * so this has to happen here in
1826 		 * ssl_check_clienthello_tlsext_early(). */
1827 
1828 		int r = 1;
1829 
1830 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1831 			{
1832 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1833 			if (!r)
1834 				{
1835 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1836 				al = SSL_AD_INTERNAL_ERROR;
1837 				goto err;
1838 				}
1839 			}
1840 
1841 		if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1842 			OPENSSL_free(s->s3->server_opaque_prf_input);
1843 		s->s3->server_opaque_prf_input = NULL;
1844 
1845 		if (s->tlsext_opaque_prf_input != NULL)
1846 			{
1847 			if (s->s3->client_opaque_prf_input != NULL &&
1848 				s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1849 				{
1850 				/* can only use this extension if we have a server opaque PRF input
1851 				 * of the same length as the client opaque PRF input! */
1852 
1853 				if (s->tlsext_opaque_prf_input_len == 0)
1854 					s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1855 				else
1856 					s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1857 				if (s->s3->server_opaque_prf_input == NULL)
1858 					{
1859 					ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1860 					al = SSL_AD_INTERNAL_ERROR;
1861 					goto err;
1862 					}
1863 				s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1864 				}
1865 			}
1866 
1867 		if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1868 			{
1869 			/* The callback wants to enforce use of the extension,
1870 			 * but we can't do that with the client opaque PRF input;
1871 			 * abort the handshake.
1872 			 */
1873 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1874 			al = SSL_AD_HANDSHAKE_FAILURE;
1875 			}
1876 	}
1877 
1878  err:
1879 #endif
1880 	switch (ret)
1881 		{
1882 		case SSL_TLSEXT_ERR_ALERT_FATAL:
1883 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
1884 			return -1;
1885 
1886 		case SSL_TLSEXT_ERR_ALERT_WARNING:
1887 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
1888 			return 1;
1889 
1890 		case SSL_TLSEXT_ERR_NOACK:
1891 			s->servername_done=0;
1892 			default:
1893 		return 1;
1894 		}
1895 	}
1896 
ssl_check_clienthello_tlsext_late(SSL * s)1897 int ssl_check_clienthello_tlsext_late(SSL *s)
1898 	{
1899 	int ret = SSL_TLSEXT_ERR_OK;
1900 	int al;
1901 
1902 	/* If status request then ask callback what to do.
1903  	 * Note: this must be called after servername callbacks in case
1904  	 * the certificate has changed, and must be called after the cipher
1905 	 * has been chosen because this may influence which certificate is sent
1906  	 */
1907 	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1908 		{
1909 		int r;
1910 		CERT_PKEY *certpkey;
1911 		certpkey = ssl_get_server_send_pkey(s);
1912 		/* If no certificate can't return certificate status */
1913 		if (certpkey == NULL)
1914 			{
1915 			s->tlsext_status_expected = 0;
1916 			return 1;
1917 			}
1918 		/* Set current certificate to one we will use so
1919 		 * SSL_get_certificate et al can pick it up.
1920 		 */
1921 		s->cert->key = certpkey;
1922 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1923 		switch (r)
1924 			{
1925 			/* We don't want to send a status request response */
1926 			case SSL_TLSEXT_ERR_NOACK:
1927 				s->tlsext_status_expected = 0;
1928 				break;
1929 			/* status request response should be sent */
1930 			case SSL_TLSEXT_ERR_OK:
1931 				if (s->tlsext_ocsp_resp)
1932 					s->tlsext_status_expected = 1;
1933 				else
1934 					s->tlsext_status_expected = 0;
1935 				break;
1936 			/* something bad happened */
1937 			case SSL_TLSEXT_ERR_ALERT_FATAL:
1938 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1939 				al = SSL_AD_INTERNAL_ERROR;
1940 				goto err;
1941 			}
1942 		}
1943 	else
1944 		s->tlsext_status_expected = 0;
1945 
1946  err:
1947 	switch (ret)
1948 		{
1949 		case SSL_TLSEXT_ERR_ALERT_FATAL:
1950 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
1951 			return -1;
1952 
1953 		case SSL_TLSEXT_ERR_ALERT_WARNING:
1954 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
1955 			return 1;
1956 
1957 		default:
1958 			return 1;
1959 		}
1960 	}
1961 
ssl_check_serverhello_tlsext(SSL * s)1962 int ssl_check_serverhello_tlsext(SSL *s)
1963 	{
1964 	int ret=SSL_TLSEXT_ERR_NOACK;
1965 	int al = SSL_AD_UNRECOGNIZED_NAME;
1966 
1967 #ifndef OPENSSL_NO_EC
1968 	/* If we are client and using an elliptic curve cryptography cipher
1969 	 * suite, then if server returns an EC point formats lists extension
1970 	 * it must contain uncompressed.
1971 	 */
1972 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1973 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1974 	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
1975 	    (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
1976 	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1977 		{
1978 		/* we are using an ECC cipher */
1979 		size_t i;
1980 		unsigned char *list;
1981 		int found_uncompressed = 0;
1982 		list = s->session->tlsext_ecpointformatlist;
1983 		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1984 			{
1985 			if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1986 				{
1987 				found_uncompressed = 1;
1988 				break;
1989 				}
1990 			}
1991 		if (!found_uncompressed)
1992 			{
1993 			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1994 			return -1;
1995 			}
1996 		}
1997 	ret = SSL_TLSEXT_ERR_OK;
1998 #endif /* OPENSSL_NO_EC */
1999 
2000 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2001 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2002 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2003 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2004 
2005 #ifdef TLSEXT_TYPE_opaque_prf_input
2006 	if (s->s3->server_opaque_prf_input_len > 0)
2007 		{
2008 		/* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2009 		 * So first verify that we really have a value from the server too. */
2010 
2011 		if (s->s3->server_opaque_prf_input == NULL)
2012 			{
2013 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2014 			al = SSL_AD_HANDSHAKE_FAILURE;
2015 			}
2016 
2017 		/* Anytime the server *has* sent an opaque PRF input, we need to check
2018 		 * that we have a client opaque PRF input of the same size. */
2019 		if (s->s3->client_opaque_prf_input == NULL ||
2020 		    s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2021 			{
2022 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2023 			al = SSL_AD_ILLEGAL_PARAMETER;
2024 			}
2025 		}
2026 #endif
2027 
2028 	/* If we've requested certificate status and we wont get one
2029  	 * tell the callback
2030  	 */
2031 	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2032 			&& s->ctx && s->ctx->tlsext_status_cb)
2033 		{
2034 		int r;
2035 		/* Set resp to NULL, resplen to -1 so callback knows
2036  		 * there is no response.
2037  		 */
2038 		if (s->tlsext_ocsp_resp)
2039 			{
2040 			OPENSSL_free(s->tlsext_ocsp_resp);
2041 			s->tlsext_ocsp_resp = NULL;
2042 			}
2043 		s->tlsext_ocsp_resplen = -1;
2044 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2045 		if (r == 0)
2046 			{
2047 			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2048 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2049 			}
2050 		if (r < 0)
2051 			{
2052 			al = SSL_AD_INTERNAL_ERROR;
2053 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2054 			}
2055 		}
2056 
2057 	switch (ret)
2058 		{
2059 		case SSL_TLSEXT_ERR_ALERT_FATAL:
2060 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
2061 			return -1;
2062 
2063 		case SSL_TLSEXT_ERR_ALERT_WARNING:
2064 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
2065 			return 1;
2066 
2067 		case SSL_TLSEXT_ERR_NOACK:
2068 			s->servername_done=0;
2069 			default:
2070 		return 1;
2071 		}
2072 	}
2073 
2074 /* Since the server cache lookup is done early on in the processing of the
2075  * ClientHello, and other operations depend on the result, we need to handle
2076  * any TLS session ticket extension at the same time.
2077  *
2078  *   session_id: points at the session ID in the ClientHello. This code will
2079  *       read past the end of this in order to parse out the session ticket
2080  *       extension, if any.
2081  *   len: the length of the session ID.
2082  *   limit: a pointer to the first byte after the ClientHello.
2083  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2084  *       point to the resulting session.
2085  *
2086  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2087  * ciphersuite, in which case we have no use for session tickets and one will
2088  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2089  *
2090  * Returns:
2091  *   -1: fatal error, either from parsing or decrypting the ticket.
2092  *    0: no ticket was found (or was ignored, based on settings).
2093  *    1: a zero length extension was found, indicating that the client supports
2094  *       session tickets but doesn't currently have one to offer.
2095  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2096  *       couldn't be decrypted because of a non-fatal error.
2097  *    3: a ticket was successfully decrypted and *ret was set.
2098  *
2099  * Side effects:
2100  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2101  *   a new session ticket to the client because the client indicated support
2102  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2103  *   a session ticket or we couldn't use the one it gave us, or if
2104  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2105  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2106  */
tls1_process_ticket(SSL * s,unsigned char * session_id,int len,const unsigned char * limit,SSL_SESSION ** ret)2107 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2108 			const unsigned char *limit, SSL_SESSION **ret)
2109 	{
2110 	/* Point after session ID in client hello */
2111 	const unsigned char *p = session_id + len;
2112 	unsigned short i;
2113 
2114 	*ret = NULL;
2115 	s->tlsext_ticket_expected = 0;
2116 
2117 	/* If tickets disabled behave as if no ticket present
2118 	 * to permit stateful resumption.
2119 	 */
2120 	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2121 		return 0;
2122 	if ((s->version <= SSL3_VERSION) || !limit)
2123 		return 0;
2124 	if (p >= limit)
2125 		return -1;
2126 	/* Skip past DTLS cookie */
2127 	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2128 		{
2129 		i = *(p++);
2130 		p+= i;
2131 		if (p >= limit)
2132 			return -1;
2133 		}
2134 	/* Skip past cipher list */
2135 	n2s(p, i);
2136 	p+= i;
2137 	if (p >= limit)
2138 		return -1;
2139 	/* Skip past compression algorithm list */
2140 	i = *(p++);
2141 	p += i;
2142 	if (p > limit)
2143 		return -1;
2144 	/* Now at start of extensions */
2145 	if ((p + 2) >= limit)
2146 		return 0;
2147 	n2s(p, i);
2148 	while ((p + 4) <= limit)
2149 		{
2150 		unsigned short type, size;
2151 		n2s(p, type);
2152 		n2s(p, size);
2153 		if (p + size > limit)
2154 			return 0;
2155 		if (type == TLSEXT_TYPE_session_ticket)
2156 			{
2157 			int r;
2158 			if (size == 0)
2159 				{
2160 				/* The client will accept a ticket but doesn't
2161 				 * currently have one. */
2162 				s->tlsext_ticket_expected = 1;
2163 				return 1;
2164 				}
2165 			if (s->tls_session_secret_cb)
2166 				{
2167 				/* Indicate that the ticket couldn't be
2168 				 * decrypted rather than generating the session
2169 				 * from ticket now, trigger abbreviated
2170 				 * handshake based on external mechanism to
2171 				 * calculate the master secret later. */
2172 				return 2;
2173 				}
2174 			r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2175 			switch (r)
2176 				{
2177 				case 2: /* ticket couldn't be decrypted */
2178 					s->tlsext_ticket_expected = 1;
2179 					return 2;
2180 				case 3: /* ticket was decrypted */
2181 					return r;
2182 				case 4: /* ticket decrypted but need to renew */
2183 					s->tlsext_ticket_expected = 1;
2184 					return 3;
2185 				default: /* fatal error */
2186 					return -1;
2187 				}
2188 			}
2189 		p += size;
2190 		}
2191 	return 0;
2192 	}
2193 
2194 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2195  *
2196  *   etick: points to the body of the session ticket extension.
2197  *   eticklen: the length of the session tickets extenion.
2198  *   sess_id: points at the session ID.
2199  *   sesslen: the length of the session ID.
2200  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2201  *       point to the resulting session.
2202  *
2203  * Returns:
2204  *   -1: fatal error, either from parsing or decrypting the ticket.
2205  *    2: the ticket couldn't be decrypted.
2206  *    3: a ticket was successfully decrypted and *psess was set.
2207  *    4: same as 3, but the ticket needs to be renewed.
2208  */
tls_decrypt_ticket(SSL * s,const unsigned char * etick,int eticklen,const unsigned char * sess_id,int sesslen,SSL_SESSION ** psess)2209 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2210 				const unsigned char *sess_id, int sesslen,
2211 				SSL_SESSION **psess)
2212 	{
2213 	SSL_SESSION *sess;
2214 	unsigned char *sdec;
2215 	const unsigned char *p;
2216 	int slen, mlen, renew_ticket = 0;
2217 	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2218 	HMAC_CTX hctx;
2219 	EVP_CIPHER_CTX ctx;
2220 	SSL_CTX *tctx = s->initial_ctx;
2221 	/* Need at least keyname + iv + some encrypted data */
2222 	if (eticklen < 48)
2223 		return 2;
2224 	/* Initialize session ticket encryption and HMAC contexts */
2225 	HMAC_CTX_init(&hctx);
2226 	EVP_CIPHER_CTX_init(&ctx);
2227 	if (tctx->tlsext_ticket_key_cb)
2228 		{
2229 		unsigned char *nctick = (unsigned char *)etick;
2230 		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2231 							&ctx, &hctx, 0);
2232 		if (rv < 0)
2233 			return -1;
2234 		if (rv == 0)
2235 			return 2;
2236 		if (rv == 2)
2237 			renew_ticket = 1;
2238 		}
2239 	else
2240 		{
2241 		/* Check key name matches */
2242 		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2243 			return 2;
2244 		HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2245 					tlsext_tick_md(), NULL);
2246 		EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2247 				tctx->tlsext_tick_aes_key, etick + 16);
2248 		}
2249 	/* Attempt to process session ticket, first conduct sanity and
2250 	 * integrity checks on ticket.
2251 	 */
2252 	mlen = HMAC_size(&hctx);
2253 	if (mlen < 0)
2254 		{
2255 		EVP_CIPHER_CTX_cleanup(&ctx);
2256 		return -1;
2257 		}
2258 	eticklen -= mlen;
2259 	/* Check HMAC of encrypted ticket */
2260 	HMAC_Update(&hctx, etick, eticklen);
2261 	HMAC_Final(&hctx, tick_hmac, NULL);
2262 	HMAC_CTX_cleanup(&hctx);
2263 	if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2264 		return 2;
2265 	/* Attempt to decrypt session data */
2266 	/* Move p after IV to start of encrypted ticket, update length */
2267 	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2268 	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2269 	sdec = OPENSSL_malloc(eticklen);
2270 	if (!sdec)
2271 		{
2272 		EVP_CIPHER_CTX_cleanup(&ctx);
2273 		return -1;
2274 		}
2275 	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2276 	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2277 		return 2;
2278 	slen += mlen;
2279 	EVP_CIPHER_CTX_cleanup(&ctx);
2280 	p = sdec;
2281 
2282 	sess = d2i_SSL_SESSION(NULL, &p, slen);
2283 	OPENSSL_free(sdec);
2284 	if (sess)
2285 		{
2286 		/* The session ID, if non-empty, is used by some clients to
2287 		 * detect that the ticket has been accepted. So we copy it to
2288 		 * the session structure. If it is empty set length to zero
2289 		 * as required by standard.
2290 		 */
2291 		if (sesslen)
2292 			memcpy(sess->session_id, sess_id, sesslen);
2293 		sess->session_id_length = sesslen;
2294 		*psess = sess;
2295 		if (renew_ticket)
2296 			return 4;
2297 		else
2298 			return 3;
2299 		}
2300         ERR_clear_error();
2301 	/* For session parse failure, indicate that we need to send a new
2302 	 * ticket. */
2303 	return 2;
2304 	}
2305 
2306 /* Tables to translate from NIDs to TLS v1.2 ids */
2307 
2308 typedef struct
2309 	{
2310 	int nid;
2311 	int id;
2312 	} tls12_lookup;
2313 
2314 static tls12_lookup tls12_md[] = {
2315 #ifndef OPENSSL_NO_MD5
2316 	{NID_md5, TLSEXT_hash_md5},
2317 #endif
2318 #ifndef OPENSSL_NO_SHA
2319 	{NID_sha1, TLSEXT_hash_sha1},
2320 #endif
2321 #ifndef OPENSSL_NO_SHA256
2322 	{NID_sha224, TLSEXT_hash_sha224},
2323 	{NID_sha256, TLSEXT_hash_sha256},
2324 #endif
2325 #ifndef OPENSSL_NO_SHA512
2326 	{NID_sha384, TLSEXT_hash_sha384},
2327 	{NID_sha512, TLSEXT_hash_sha512}
2328 #endif
2329 };
2330 
2331 static tls12_lookup tls12_sig[] = {
2332 #ifndef OPENSSL_NO_RSA
2333 	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
2334 #endif
2335 #ifndef OPENSSL_NO_DSA
2336 	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
2337 #endif
2338 #ifndef OPENSSL_NO_ECDSA
2339 	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2340 #endif
2341 };
2342 
tls12_find_id(int nid,tls12_lookup * table,size_t tlen)2343 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2344 	{
2345 	size_t i;
2346 	for (i = 0; i < tlen; i++)
2347 		{
2348 		if (table[i].nid == nid)
2349 			return table[i].id;
2350 		}
2351 	return -1;
2352 	}
2353 #if 0
2354 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2355 	{
2356 	size_t i;
2357 	for (i = 0; i < tlen; i++)
2358 		{
2359 		if (table[i].id == id)
2360 			return table[i].nid;
2361 		}
2362 	return -1;
2363 	}
2364 #endif
2365 
tls12_get_sigandhash(unsigned char * p,const EVP_PKEY * pk,const EVP_MD * md)2366 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2367 	{
2368 	int sig_id, md_id;
2369 	if (!md)
2370 		return 0;
2371 	md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2372 				sizeof(tls12_md)/sizeof(tls12_lookup));
2373 	if (md_id == -1)
2374 		return 0;
2375 	sig_id = tls12_get_sigid(pk);
2376 	if (sig_id == -1)
2377 		return 0;
2378 	p[0] = (unsigned char)md_id;
2379 	p[1] = (unsigned char)sig_id;
2380 	return 1;
2381 	}
2382 
tls12_get_sigid(const EVP_PKEY * pk)2383 int tls12_get_sigid(const EVP_PKEY *pk)
2384 	{
2385 	return tls12_find_id(pk->type, tls12_sig,
2386 				sizeof(tls12_sig)/sizeof(tls12_lookup));
2387 	}
2388 
tls12_get_hash(unsigned char hash_alg)2389 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2390 	{
2391 	switch(hash_alg)
2392 		{
2393 #ifndef OPENSSL_NO_MD5
2394 		case TLSEXT_hash_md5:
2395 #ifdef OPENSSL_FIPS
2396 		if (FIPS_mode())
2397 			return NULL;
2398 #endif
2399 		return EVP_md5();
2400 #endif
2401 #ifndef OPENSSL_NO_SHA
2402 		case TLSEXT_hash_sha1:
2403 		return EVP_sha1();
2404 #endif
2405 #ifndef OPENSSL_NO_SHA256
2406 		case TLSEXT_hash_sha224:
2407 		return EVP_sha224();
2408 
2409 		case TLSEXT_hash_sha256:
2410 		return EVP_sha256();
2411 #endif
2412 #ifndef OPENSSL_NO_SHA512
2413 		case TLSEXT_hash_sha384:
2414 		return EVP_sha384();
2415 
2416 		case TLSEXT_hash_sha512:
2417 		return EVP_sha512();
2418 #endif
2419 		default:
2420 		return NULL;
2421 
2422 		}
2423 	}
2424 
2425 /* Set preferred digest for each key type */
2426 
tls1_process_sigalgs(SSL * s,const unsigned char * data,int dsize)2427 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2428 	{
2429 	int i, idx;
2430 	const EVP_MD *md;
2431 	CERT *c = s->cert;
2432 	/* Extension ignored for TLS versions below 1.2 */
2433 	if (TLS1_get_version(s) < TLS1_2_VERSION)
2434 		return 1;
2435 	/* Should never happen */
2436 	if (!c)
2437 		return 0;
2438 
2439 	c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2440 	c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2441 	c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2442 	c->pkeys[SSL_PKEY_ECC].digest = NULL;
2443 
2444 	for (i = 0; i < dsize; i += 2)
2445 		{
2446 		unsigned char hash_alg = data[i], sig_alg = data[i+1];
2447 
2448 		switch(sig_alg)
2449 			{
2450 #ifndef OPENSSL_NO_RSA
2451 			case TLSEXT_signature_rsa:
2452 			idx = SSL_PKEY_RSA_SIGN;
2453 			break;
2454 #endif
2455 #ifndef OPENSSL_NO_DSA
2456 			case TLSEXT_signature_dsa:
2457 			idx = SSL_PKEY_DSA_SIGN;
2458 			break;
2459 #endif
2460 #ifndef OPENSSL_NO_ECDSA
2461 			case TLSEXT_signature_ecdsa:
2462 			idx = SSL_PKEY_ECC;
2463 			break;
2464 #endif
2465 			default:
2466 			continue;
2467 			}
2468 
2469 		if (c->pkeys[idx].digest == NULL)
2470 			{
2471 			md = tls12_get_hash(hash_alg);
2472 			if (md)
2473 				{
2474 				c->pkeys[idx].digest = md;
2475 				if (idx == SSL_PKEY_RSA_SIGN)
2476 					c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2477 				}
2478 			}
2479 
2480 		}
2481 
2482 
2483 	/* Set any remaining keys to default values. NOTE: if alg is not
2484 	 * supported it stays as NULL.
2485 	 */
2486 #ifndef OPENSSL_NO_DSA
2487 	if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2488 		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2489 #endif
2490 #ifndef OPENSSL_NO_RSA
2491 	if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2492 		{
2493 		c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2494 		c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2495 		}
2496 #endif
2497 #ifndef OPENSSL_NO_ECDSA
2498 	if (!c->pkeys[SSL_PKEY_ECC].digest)
2499 		c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2500 #endif
2501 	return 1;
2502 	}
2503 
2504 #endif
2505 
2506 #ifndef OPENSSL_NO_HEARTBEATS
2507 int
tls1_process_heartbeat(SSL * s)2508 tls1_process_heartbeat(SSL *s)
2509 	{
2510 	unsigned char *p = &s->s3->rrec.data[0], *pl;
2511 	unsigned short hbtype;
2512 	unsigned int payload;
2513 	unsigned int padding = 16; /* Use minimum padding */
2514 
2515 	/* Read type and payload length first */
2516 	hbtype = *p++;
2517 	n2s(p, payload);
2518 	pl = p;
2519 
2520 	if (s->msg_callback)
2521 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2522 			&s->s3->rrec.data[0], s->s3->rrec.length,
2523 			s, s->msg_callback_arg);
2524 
2525 	if (hbtype == TLS1_HB_REQUEST)
2526 		{
2527 		unsigned char *buffer, *bp;
2528 		int r;
2529 
2530 		/* Allocate memory for the response, size is 1 bytes
2531 		 * message type, plus 2 bytes payload length, plus
2532 		 * payload, plus padding
2533 		 */
2534 		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2535 		bp = buffer;
2536 
2537 		/* Enter response type, length and copy payload */
2538 		*bp++ = TLS1_HB_RESPONSE;
2539 		s2n(payload, bp);
2540 		memcpy(bp, pl, payload);
2541 		bp += payload;
2542 		/* Random padding */
2543 		RAND_pseudo_bytes(bp, padding);
2544 
2545 		r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2546 
2547 		if (r >= 0 && s->msg_callback)
2548 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2549 				buffer, 3 + payload + padding,
2550 				s, s->msg_callback_arg);
2551 
2552 		OPENSSL_free(buffer);
2553 
2554 		if (r < 0)
2555 			return r;
2556 		}
2557 	else if (hbtype == TLS1_HB_RESPONSE)
2558 		{
2559 		unsigned int seq;
2560 
2561 		/* We only send sequence numbers (2 bytes unsigned int),
2562 		 * and 16 random bytes, so we just try to read the
2563 		 * sequence number */
2564 		n2s(pl, seq);
2565 
2566 		if (payload == 18 && seq == s->tlsext_hb_seq)
2567 			{
2568 			s->tlsext_hb_seq++;
2569 			s->tlsext_hb_pending = 0;
2570 			}
2571 		}
2572 
2573 	return 0;
2574 	}
2575 
2576 int
tls1_heartbeat(SSL * s)2577 tls1_heartbeat(SSL *s)
2578 	{
2579 	unsigned char *buf, *p;
2580 	int ret;
2581 	unsigned int payload = 18; /* Sequence number + random bytes */
2582 	unsigned int padding = 16; /* Use minimum padding */
2583 
2584 	/* Only send if peer supports and accepts HB requests... */
2585 	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2586 	    s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2587 		{
2588 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2589 		return -1;
2590 		}
2591 
2592 	/* ...and there is none in flight yet... */
2593 	if (s->tlsext_hb_pending)
2594 		{
2595 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2596 		return -1;
2597 		}
2598 
2599 	/* ...and no handshake in progress. */
2600 	if (SSL_in_init(s) || s->in_handshake)
2601 		{
2602 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2603 		return -1;
2604 		}
2605 
2606 	/* Check if padding is too long, payload and padding
2607 	 * must not exceed 2^14 - 3 = 16381 bytes in total.
2608 	 */
2609 	OPENSSL_assert(payload + padding <= 16381);
2610 
2611 	/* Create HeartBeat message, we just use a sequence number
2612 	 * as payload to distuingish different messages and add
2613 	 * some random stuff.
2614 	 *  - Message Type, 1 byte
2615 	 *  - Payload Length, 2 bytes (unsigned int)
2616 	 *  - Payload, the sequence number (2 bytes uint)
2617 	 *  - Payload, random bytes (16 bytes uint)
2618 	 *  - Padding
2619 	 */
2620 	buf = OPENSSL_malloc(1 + 2 + payload + padding);
2621 	p = buf;
2622 	/* Message Type */
2623 	*p++ = TLS1_HB_REQUEST;
2624 	/* Payload length (18 bytes here) */
2625 	s2n(payload, p);
2626 	/* Sequence number */
2627 	s2n(s->tlsext_hb_seq, p);
2628 	/* 16 random bytes */
2629 	RAND_pseudo_bytes(p, 16);
2630 	p += 16;
2631 	/* Random padding */
2632 	RAND_pseudo_bytes(p, padding);
2633 
2634 	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2635 	if (ret >= 0)
2636 		{
2637 		if (s->msg_callback)
2638 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2639 				buf, 3 + payload + padding,
2640 				s, s->msg_callback_arg);
2641 
2642 		s->tlsext_hb_pending = 1;
2643 		}
2644 
2645 	OPENSSL_free(buf);
2646 
2647 	return ret;
2648 	}
2649 #endif
2650 
2651 #if !defined(OPENSSL_NO_TLSEXT)
2652 /* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
2653  * SSL connection and writes it to |md|.
2654  */
2655 int
tls1_channel_id_hash(EVP_MD_CTX * md,SSL * s)2656 tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
2657 	{
2658 	EVP_MD_CTX ctx;
2659 	unsigned char temp_digest[EVP_MAX_MD_SIZE];
2660 	unsigned temp_digest_len;
2661 	int i;
2662 	static const char kClientIDMagic[] = "TLS Channel ID signature";
2663 
2664 	if (s->s3->handshake_buffer)
2665 		if (!ssl3_digest_cached_records(s))
2666 			return 0;
2667 
2668 	EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
2669 
2670 	EVP_MD_CTX_init(&ctx);
2671 	for (i = 0; i < SSL_MAX_DIGEST; i++)
2672 		{
2673 		if (s->s3->handshake_dgst[i] == NULL)
2674 			continue;
2675 		EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
2676 		EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
2677 		EVP_DigestUpdate(md, temp_digest, temp_digest_len);
2678 		}
2679 	EVP_MD_CTX_cleanup(&ctx);
2680 
2681 	return 1;
2682 	}
2683 #endif
2684