summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/src/ssl/t1_clnt.c21
-rw-r--r--src/lib/libssl/src/ssl/t1_enc.c1186
-rw-r--r--src/lib/libssl/src/ssl/t1_lib.c2002
-rw-r--r--src/lib/libssl/src/ssl/t1_meth.c20
-rw-r--r--src/lib/libssl/src/ssl/t1_reneg.c278
-rw-r--r--src/lib/libssl/src/ssl/t1_srvr.c21
-rw-r--r--src/lib/libssl/t1_clnt.c21
-rw-r--r--src/lib/libssl/t1_enc.c1186
-rw-r--r--src/lib/libssl/t1_lib.c2002
-rw-r--r--src/lib/libssl/t1_meth.c20
-rw-r--r--src/lib/libssl/t1_reneg.c278
-rw-r--r--src/lib/libssl/t1_srvr.c21
12 files changed, 3348 insertions, 3708 deletions
diff --git a/src/lib/libssl/src/ssl/t1_clnt.c b/src/lib/libssl/src/ssl/t1_clnt.c
index 578617ed84..ac8ff7309f 100644
--- a/src/lib/libssl/src/ssl/t1_clnt.c
+++ b/src/lib/libssl/src/ssl/t1_clnt.c
@@ -64,8 +64,10 @@
64#include <openssl/evp.h> 64#include <openssl/evp.h>
65 65
66static const SSL_METHOD *tls1_get_client_method(int ver); 66static const SSL_METHOD *tls1_get_client_method(int ver);
67static const SSL_METHOD *tls1_get_client_method(int ver) 67
68 { 68static const SSL_METHOD
69*tls1_get_client_method(int ver)
70{
69 if (ver == TLS1_2_VERSION) 71 if (ver == TLS1_2_VERSION)
70 return TLSv1_2_client_method(); 72 return TLSv1_2_client_method();
71 if (ver == TLS1_1_VERSION) 73 if (ver == TLS1_1_VERSION)
@@ -73,20 +75,13 @@ static const SSL_METHOD *tls1_get_client_method(int ver)
73 if (ver == TLS1_VERSION) 75 if (ver == TLS1_VERSION)
74 return TLSv1_client_method(); 76 return TLSv1_client_method();
75 return NULL; 77 return NULL;
76 } 78}
77 79
78IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_client_method, 80IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_client_method,
79 ssl_undefined_function, 81 ssl_undefined_function, ssl3_connect, tls1_get_client_method)
80 ssl3_connect,
81 tls1_get_client_method)
82 82
83IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_client_method, 83IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_client_method,
84 ssl_undefined_function, 84 ssl_undefined_function, ssl3_connect, tls1_get_client_method)
85 ssl3_connect,
86 tls1_get_client_method)
87 85
88IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_client_method, 86IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_client_method,
89 ssl_undefined_function, 87 ssl_undefined_function, ssl3_connect, tls1_get_client_method)
90 ssl3_connect,
91 tls1_get_client_method)
92
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index 0c4cddedf8..e59e883424 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -149,15 +149,12 @@
149#endif 149#endif
150 150
151/* seed1 through seed5 are virtually concatenated */ 151/* seed1 through seed5 are virtually concatenated */
152static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, 152static int
153 int sec_len, 153tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len,
154 const void *seed1, int seed1_len, 154 const void *seed1, int seed1_len, const void *seed2, int seed2_len,
155 const void *seed2, int seed2_len, 155 const void *seed3, int seed3_len, const void *seed4, int seed4_len,
156 const void *seed3, int seed3_len, 156 const void *seed5, int seed5_len, unsigned char *out, int olen)
157 const void *seed4, int seed4_len, 157{
158 const void *seed5, int seed5_len,
159 unsigned char *out, int olen)
160 {
161 int chunk; 158 int chunk;
162 size_t j; 159 size_t j;
163 EVP_MD_CTX ctx, ctx_tmp; 160 EVP_MD_CTX ctx, ctx_tmp;
@@ -165,8 +162,8 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
165 unsigned char A1[EVP_MAX_MD_SIZE]; 162 unsigned char A1[EVP_MAX_MD_SIZE];
166 size_t A1_len; 163 size_t A1_len;
167 int ret = 0; 164 int ret = 0;
168 165
169 chunk=EVP_MD_size(md); 166 chunk = EVP_MD_size(md);
170 OPENSSL_assert(chunk >= 0); 167 OPENSSL_assert(chunk >= 0);
171 168
172 EVP_MD_CTX_init(&ctx); 169 EVP_MD_CTX_init(&ctx);
@@ -176,114 +173,109 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
176 mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); 173 mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
177 if (!mac_key) 174 if (!mac_key)
178 goto err; 175 goto err;
179 if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) 176 if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
180 goto err; 177 goto err;
181 if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) 178 if (!EVP_DigestSignInit(&ctx_tmp, NULL, md, NULL, mac_key))
182 goto err; 179 goto err;
183 if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) 180 if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
184 goto err; 181 goto err;
185 if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) 182 if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
186 goto err; 183 goto err;
187 if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) 184 if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
188 goto err; 185 goto err;
189 if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) 186 if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
190 goto err; 187 goto err;
191 if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) 188 if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
192 goto err; 189 goto err;
193 if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) 190 if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
194 goto err; 191 goto err;
195 192
196 for (;;) 193 for (;;) {
197 {
198 /* Reinit mac contexts */ 194 /* Reinit mac contexts */
199 if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) 195 if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
200 goto err; 196 goto err;
201 if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) 197 if (!EVP_DigestSignInit(&ctx_tmp, NULL, md, NULL, mac_key))
202 goto err; 198 goto err;
203 if (!EVP_DigestSignUpdate(&ctx,A1,A1_len)) 199 if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
204 goto err; 200 goto err;
205 if (!EVP_DigestSignUpdate(&ctx_tmp,A1,A1_len)) 201 if (!EVP_DigestSignUpdate(&ctx_tmp, A1, A1_len))
206 goto err; 202 goto err;
207 if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) 203 if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
208 goto err; 204 goto err;
209 if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) 205 if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
210 goto err; 206 goto err;
211 if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) 207 if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
212 goto err; 208 goto err;
213 if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) 209 if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
214 goto err; 210 goto err;
215 if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) 211 if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
216 goto err; 212 goto err;
217 213
218 if (olen > chunk) 214 if (olen > chunk) {
219 { 215 if (!EVP_DigestSignFinal(&ctx, out, &j))
220 if (!EVP_DigestSignFinal(&ctx,out,&j))
221 goto err; 216 goto err;
222 out+=j; 217 out += j;
223 olen-=j; 218 olen -= j;
224 /* calc the next A1 value */ 219 /* calc the next A1 value */
225 if (!EVP_DigestSignFinal(&ctx_tmp,A1,&A1_len)) 220 if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len))
226 goto err; 221 goto err;
227 } 222 }
228 else /* last one */ 223 else /* last one */
229 { 224 {
230 if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) 225 if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
231 goto err; 226 goto err;
232 memcpy(out,A1,olen); 227 memcpy(out, A1, olen);
233 break; 228 break;
234 }
235 } 229 }
230 }
236 ret = 1; 231 ret = 1;
237err: 232err:
238 EVP_PKEY_free(mac_key); 233 EVP_PKEY_free(mac_key);
239 EVP_MD_CTX_cleanup(&ctx); 234 EVP_MD_CTX_cleanup(&ctx);
240 EVP_MD_CTX_cleanup(&ctx_tmp); 235 EVP_MD_CTX_cleanup(&ctx_tmp);
241 OPENSSL_cleanse(A1,sizeof(A1)); 236 OPENSSL_cleanse(A1, sizeof(A1));
242 return ret; 237 return ret;
243 } 238}
244 239
245/* seed1 through seed5 are virtually concatenated */ 240/* seed1 through seed5 are virtually concatenated */
246static int tls1_PRF(long digest_mask, 241static int
247 const void *seed1, int seed1_len, 242tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2,
248 const void *seed2, int seed2_len, 243 int seed2_len, const void *seed3, int seed3_len, const void *seed4,
249 const void *seed3, int seed3_len, 244 int seed4_len, const void *seed5, int seed5_len, const unsigned char *sec,
250 const void *seed4, int seed4_len, 245 int slen, unsigned char *out1, unsigned char *out2, int olen)
251 const void *seed5, int seed5_len, 246{
252 const unsigned char *sec, int slen, 247 int len, i, idx, count;
253 unsigned char *out1,
254 unsigned char *out2, int olen)
255 {
256 int len,i,idx,count;
257 const unsigned char *S1; 248 const unsigned char *S1;
258 long m; 249 long m;
259 const EVP_MD *md; 250 const EVP_MD *md;
260 int ret = 0; 251 int ret = 0;
261 252
262 /* Count number of digests and partition sec evenly */ 253 /* Count number of digests and partition sec evenly */
263 count=0; 254 count = 0;
264 for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) { 255 for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) {
265 if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) count++; 256 if ((m << TLS1_PRF_DGST_SHIFT)
266 } 257 & digest_mask) count++;
267 len=slen/count; 258 }
259 len = slen/count;
268 if (count == 1) 260 if (count == 1)
269 slen = 0; 261 slen = 0;
270 S1=sec; 262 S1 = sec;
271 memset(out1,0,olen); 263 memset(out1, 0, olen);
272 for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) { 264 for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) {
273 if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) { 265 if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) {
274 if (!md) { 266 if (!md) {
275 SSLerr(SSL_F_TLS1_PRF, 267 SSLerr(SSL_F_TLS1_PRF,
276 SSL_R_UNSUPPORTED_DIGEST_TYPE); 268 SSL_R_UNSUPPORTED_DIGEST_TYPE);
277 goto err;
278 }
279 if (!tls1_P_hash(md ,S1,len+(slen&1),
280 seed1,seed1_len,seed2,seed2_len,seed3,seed3_len,seed4,seed4_len,seed5,seed5_len,
281 out2,olen))
282 goto err; 269 goto err;
283 S1+=len; 270
284 for (i=0; i<olen; i++) 271 }
285 { 272 if (!tls1_P_hash(md , S1, len + (slen&1),
286 out1[i]^=out2[i]; 273 seed1, seed1_len, seed2, seed2_len, seed3, seed3_len, seed4, seed4_len, seed5, seed5_len,
274 out2, olen))
275 goto err;
276 S1 += len;
277 for (i = 0; i < olen; i++) {
278 out1[i] ^= out2[i];
287 } 279 }
288 } 280 }
289 } 281 }
@@ -291,41 +283,43 @@ static int tls1_PRF(long digest_mask,
291err: 283err:
292 return ret; 284 return ret;
293} 285}
294static int tls1_generate_key_block(SSL *s, unsigned char *km, 286
295 unsigned char *tmp, int num) 287static int
296 { 288tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num)
289{
297 int ret; 290 int ret;
298 ret = tls1_PRF(ssl_get_algorithm2(s), 291 ret = tls1_PRF(ssl_get_algorithm2(s),
299 TLS_MD_KEY_EXPANSION_CONST,TLS_MD_KEY_EXPANSION_CONST_SIZE, 292 TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
300 s->s3->server_random,SSL3_RANDOM_SIZE, 293 s->s3->server_random, SSL3_RANDOM_SIZE,
301 s->s3->client_random,SSL3_RANDOM_SIZE, 294 s->s3->client_random, SSL3_RANDOM_SIZE,
302 NULL,0,NULL,0, 295 NULL, 0, NULL, 0,
303 s->session->master_key,s->session->master_key_length, 296 s->session->master_key, s->session->master_key_length,
304 km,tmp,num); 297 km, tmp, num);
305#ifdef KSSL_DEBUG 298#ifdef KSSL_DEBUG
306 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", 299 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
307 s->session->master_key_length); 300 s->session->master_key_length);
308 { 301 {
309 int i; 302 int i;
310 for (i=0; i < s->session->master_key_length; i++) 303 for (i = 0; i < s->session->master_key_length; i++) {
311 { 304 printf("%02X", s->session->master_key[i]);
312 printf("%02X", s->session->master_key[i]); 305 }
313 } 306 printf("\n");
314 printf("\n"); } 307 }
315#endif /* KSSL_DEBUG */ 308#endif /* KSSL_DEBUG */
316 return ret; 309 return ret;
317 } 310}
318 311
319int tls1_change_cipher_state(SSL *s, int which) 312int
320 { 313tls1_change_cipher_state(SSL *s, int which)
314{
321 static const unsigned char empty[]=""; 315 static const unsigned char empty[]="";
322 unsigned char *p,*mac_secret; 316 unsigned char *p, *mac_secret;
323 unsigned char *exp_label; 317 unsigned char *exp_label;
324 unsigned char tmp1[EVP_MAX_KEY_LENGTH]; 318 unsigned char tmp1[EVP_MAX_KEY_LENGTH];
325 unsigned char tmp2[EVP_MAX_KEY_LENGTH]; 319 unsigned char tmp2[EVP_MAX_KEY_LENGTH];
326 unsigned char iv1[EVP_MAX_IV_LENGTH*2]; 320 unsigned char iv1[EVP_MAX_IV_LENGTH*2];
327 unsigned char iv2[EVP_MAX_IV_LENGTH*2]; 321 unsigned char iv2[EVP_MAX_IV_LENGTH*2];
328 unsigned char *ms,*key,*iv; 322 unsigned char *ms, *key, *iv;
329 int client_write; 323 int client_write;
330 EVP_CIPHER_CTX *dd; 324 EVP_CIPHER_CTX *dd;
331 const EVP_CIPHER *c; 325 const EVP_CIPHER *c;
@@ -337,36 +331,35 @@ int tls1_change_cipher_state(SSL *s, int which)
337 int *mac_secret_size; 331 int *mac_secret_size;
338 EVP_MD_CTX *mac_ctx; 332 EVP_MD_CTX *mac_ctx;
339 EVP_PKEY *mac_key; 333 EVP_PKEY *mac_key;
340 int is_export,n,i,j,k,exp_label_len,cl; 334 int is_export, n, i, j, k, exp_label_len, cl;
341 int reuse_dd = 0; 335 int reuse_dd = 0;
342 336
343 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 337 is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
344 c=s->s3->tmp.new_sym_enc; 338 c = s->s3->tmp.new_sym_enc;
345 m=s->s3->tmp.new_hash; 339 m = s->s3->tmp.new_hash;
346 mac_type = s->s3->tmp.new_mac_pkey_type; 340 mac_type = s->s3->tmp.new_mac_pkey_type;
347#ifndef OPENSSL_NO_COMP 341#ifndef OPENSSL_NO_COMP
348 comp=s->s3->tmp.new_compression; 342 comp = s->s3->tmp.new_compression;
349#endif 343#endif
350 344
351#ifdef KSSL_DEBUG 345#ifdef KSSL_DEBUG
352 printf("tls1_change_cipher_state(which= %d) w/\n", which); 346 printf("tls1_change_cipher_state(which= %d) w/\n", which);
353 printf("\talg= %ld/%ld, comp= %p\n", 347 printf("\talg= %ld/%ld, comp= %p\n",
354 s->s3->tmp.new_cipher->algorithm_mkey, 348 s->s3->tmp.new_cipher->algorithm_mkey,
355 s->s3->tmp.new_cipher->algorithm_auth, 349 s->s3->tmp.new_cipher->algorithm_auth,
356 comp); 350 comp);
357 printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); 351 printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
358 printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", 352 printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
359 c->nid,c->block_size,c->key_len,c->iv_len); 353 c->nid, c->block_size, c->key_len, c->iv_len);
360 printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); 354 printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
361 { 355 {
362 int i; 356 int i;
363 for (i=0; i<s->s3->tmp.key_block_length; i++) 357 for (i = 0; i < s->s3->tmp.key_block_length; i++)
364 printf("%02x", s->s3->tmp.key_block[i]); printf("\n"); 358 printf("%02x", s->s3->tmp.key_block[i]); printf("\n");
365 } 359 }
366#endif /* KSSL_DEBUG */ 360#endif /* KSSL_DEBUG */
367 361
368 if (which & SSL3_CC_READ) 362 if (which & SSL3_CC_READ) {
369 {
370 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 363 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
371 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 364 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
372 else 365 else
@@ -374,303 +367,285 @@ int tls1_change_cipher_state(SSL *s, int which)
374 367
375 if (s->enc_read_ctx != NULL) 368 if (s->enc_read_ctx != NULL)
376 reuse_dd = 1; 369 reuse_dd = 1;
377 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 370 else if ((s->enc_read_ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
378 goto err; 371 goto err;
379 else 372 else
380 /* make sure it's intialized in case we exit later with an error */ 373 /* make sure it's intialized in case we exit later with an error */
381 EVP_CIPHER_CTX_init(s->enc_read_ctx); 374 EVP_CIPHER_CTX_init(s->enc_read_ctx);
382 dd= s->enc_read_ctx; 375 dd = s->enc_read_ctx;
383 mac_ctx=ssl_replace_hash(&s->read_hash,NULL); 376 mac_ctx = ssl_replace_hash(&s->read_hash, NULL);
384#ifndef OPENSSL_NO_COMP 377#ifndef OPENSSL_NO_COMP
385 if (s->expand != NULL) 378 if (s->expand != NULL) {
386 {
387 COMP_CTX_free(s->expand); 379 COMP_CTX_free(s->expand);
388 s->expand=NULL; 380 s->expand = NULL;
389 } 381 }
390 if (comp != NULL) 382 if (comp != NULL) {
391 { 383 s->expand = COMP_CTX_new(comp->method);
392 s->expand=COMP_CTX_new(comp->method); 384 if (s->expand == NULL) {
393 if (s->expand == NULL) 385 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, SSL_R_COMPRESSION_LIBRARY_ERROR);
394 {
395 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
396 goto err2; 386 goto err2;
397 } 387 }
398 if (s->s3->rrec.comp == NULL) 388 if (s->s3->rrec.comp == NULL)
399 s->s3->rrec.comp=(unsigned char *) 389 s->s3->rrec.comp = (unsigned char *)
400 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); 390 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
401 if (s->s3->rrec.comp == NULL) 391 if (s->s3->rrec.comp == NULL)
402 goto err; 392 goto err;
403 } 393 }
404#endif 394#endif
405 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ 395 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
406 if (s->version != DTLS1_VERSION) 396 if (s->version != DTLS1_VERSION)
407 memset(&(s->s3->read_sequence[0]),0,8); 397 memset(&(s->s3->read_sequence[0]), 0, 8);
408 mac_secret= &(s->s3->read_mac_secret[0]); 398 mac_secret = &(s->s3->read_mac_secret[0]);
409 mac_secret_size=&(s->s3->read_mac_secret_size); 399 mac_secret_size = &(s->s3->read_mac_secret_size);
410 } 400 } else {
411 else
412 {
413 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 401 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
414 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 402 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
415 else 403 else
416 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 404 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
417 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) 405 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
418 reuse_dd = 1; 406 reuse_dd = 1;
419 else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) 407 else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL)
420 goto err; 408 goto err;
421 dd= s->enc_write_ctx; 409 dd = s->enc_write_ctx;
422 if (SSL_IS_DTLS(s)) 410 if (SSL_IS_DTLS(s)) {
423 {
424 mac_ctx = EVP_MD_CTX_create(); 411 mac_ctx = EVP_MD_CTX_create();
425 if (!mac_ctx) 412 if (!mac_ctx)
426 goto err; 413 goto err;
427 s->write_hash = mac_ctx; 414 s->write_hash = mac_ctx;
428 } 415 } else
429 else 416 mac_ctx = ssl_replace_hash(&s->write_hash, NULL);
430 mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
431#ifndef OPENSSL_NO_COMP 417#ifndef OPENSSL_NO_COMP
432 if (s->compress != NULL) 418 if (s->compress != NULL) {
433 {
434 COMP_CTX_free(s->compress); 419 COMP_CTX_free(s->compress);
435 s->compress=NULL; 420 s->compress = NULL;
436 } 421 }
437 if (comp != NULL) 422 if (comp != NULL) {
438 { 423 s->compress = COMP_CTX_new(comp->method);
439 s->compress=COMP_CTX_new(comp->method); 424 if (s->compress == NULL) {
440 if (s->compress == NULL) 425 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, SSL_R_COMPRESSION_LIBRARY_ERROR);
441 {
442 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
443 goto err2; 426 goto err2;
444 }
445 } 427 }
428 }
446#endif 429#endif
447 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ 430 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
448 if (s->version != DTLS1_VERSION) 431 if (s->version != DTLS1_VERSION)
449 memset(&(s->s3->write_sequence[0]),0,8); 432 memset(&(s->s3->write_sequence[0]), 0, 8);
450 mac_secret= &(s->s3->write_mac_secret[0]); 433 mac_secret = &(s->s3->write_mac_secret[0]);
451 mac_secret_size = &(s->s3->write_mac_secret_size); 434 mac_secret_size = &(s->s3->write_mac_secret_size);
452 } 435 }
453 436
454 if (reuse_dd) 437 if (reuse_dd)
455 EVP_CIPHER_CTX_cleanup(dd); 438 EVP_CIPHER_CTX_cleanup(dd);
456 439
457 p=s->s3->tmp.key_block; 440 p = s->s3->tmp.key_block;
458 i=*mac_secret_size=s->s3->tmp.new_mac_secret_size; 441 i=*mac_secret_size = s->s3->tmp.new_mac_secret_size;
459 442
460 cl=EVP_CIPHER_key_length(c); 443 cl = EVP_CIPHER_key_length(c);
461 j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 444 j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
462 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 445 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
463 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 446 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
464 /* If GCM mode only part of IV comes from PRF */ 447 /* If GCM mode only part of IV comes from PRF */
465 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) 448 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
466 k = EVP_GCM_TLS_FIXED_IV_LEN; 449 k = EVP_GCM_TLS_FIXED_IV_LEN;
467 else 450 else
468 k=EVP_CIPHER_iv_length(c); 451 k = EVP_CIPHER_iv_length(c);
469 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 452 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
470 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) 453 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
471 { 454 ms = &(p[0]);
472 ms= &(p[ 0]); n=i+i; 455 n = i + i;
473 key= &(p[ n]); n+=j+j; 456 key = &(p[n]);
474 iv= &(p[ n]); n+=k+k; 457 n += j + j;
475 exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; 458 iv = &(p[n]);
476 exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; 459 n += k + k;
477 client_write=1; 460 exp_label = (unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
478 } 461 exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
479 else 462 client_write = 1;
480 { 463 } else {
481 n=i; 464 n = i;
482 ms= &(p[ n]); n+=i+j; 465 ms = &(p[n]);
483 key= &(p[ n]); n+=j+k; 466 n += i + j;
484 iv= &(p[ n]); n+=k; 467 key = &(p[n]);
485 exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; 468 n += j + k;
486 exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; 469 iv = &(p[n]);
487 client_write=0; 470 n += k;
488 } 471 exp_label = (unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
472 exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
473 client_write = 0;
474 }
489 475
490 if (n > s->s3->tmp.key_block_length) 476 if (n > s->s3->tmp.key_block_length) {
491 { 477 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
492 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
493 goto err2; 478 goto err2;
494 } 479 }
495 480
496 memcpy(mac_secret,ms,i); 481 memcpy(mac_secret, ms, i);
497 482
498 if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) 483 if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) {
499 {
500 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, 484 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
501 mac_secret,*mac_secret_size); 485 mac_secret, *mac_secret_size);
502 EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key); 486 EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key);
503 EVP_PKEY_free(mac_key); 487 EVP_PKEY_free(mac_key);
504 } 488 }
505#ifdef TLS_DEBUG 489#ifdef TLS_DEBUG
506printf("which = %04X\nmac key=",which); 490 printf("which = %04X\nmac key=", which);
507{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } 491 { int z; for (z = 0; z<i; z++) printf("%02X%c", ms[z],((z+1)%16)?' ':'\n'); }
508#endif 492#endif
509 if (is_export) 493 if (is_export) {
510 {
511 /* In here I set both the read and write key/iv to the 494 /* In here I set both the read and write key/iv to the
512 * same value since only the correct one will be used :-). 495 * same value since only the correct one will be used :-).
513 */ 496 */
514 if (!tls1_PRF(ssl_get_algorithm2(s), 497 if (!tls1_PRF(ssl_get_algorithm2(s),
515 exp_label,exp_label_len, 498 exp_label, exp_label_len,
516 s->s3->client_random,SSL3_RANDOM_SIZE, 499 s->s3->client_random, SSL3_RANDOM_SIZE,
517 s->s3->server_random,SSL3_RANDOM_SIZE, 500 s->s3->server_random, SSL3_RANDOM_SIZE,
518 NULL,0,NULL,0, 501 NULL, 0, NULL, 0,
519 key,j,tmp1,tmp2,EVP_CIPHER_key_length(c))) 502 key, j, tmp1, tmp2, EVP_CIPHER_key_length(c)))
520 goto err2; 503 goto err2;
521 key=tmp1; 504 key = tmp1;
522 505
523 if (k > 0) 506 if (k > 0) {
524 {
525 if (!tls1_PRF(ssl_get_algorithm2(s), 507 if (!tls1_PRF(ssl_get_algorithm2(s),
526 TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE, 508 TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE,
527 s->s3->client_random,SSL3_RANDOM_SIZE, 509 s->s3->client_random, SSL3_RANDOM_SIZE,
528 s->s3->server_random,SSL3_RANDOM_SIZE, 510 s->s3->server_random, SSL3_RANDOM_SIZE,
529 NULL,0,NULL,0, 511 NULL, 0, NULL, 0,
530 empty,0,iv1,iv2,k*2)) 512 empty, 0, iv1, iv2, k*2))
531 goto err2; 513 goto err2;
532 if (client_write) 514 if (client_write)
533 iv=iv1; 515 iv = iv1;
534 else 516 else
535 iv= &(iv1[k]); 517 iv = &(iv1[k]);
536 }
537 } 518 }
519 }
538 520
539 s->session->key_arg_length=0; 521 s->session->key_arg_length = 0;
540#ifdef KSSL_DEBUG 522#ifdef KSSL_DEBUG
541 { 523 {
542 int i; 524 int i;
543 printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); 525 printf("EVP_CipherInit_ex(dd, c, key=, iv=, which)\n");
544 printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]); 526 printf("\tkey= "); for (i = 0; i<c->key_len; i++) printf("%02x", key[i]);
545 printf("\n"); 527 printf("\n");
546 printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]); 528 printf("\t iv= "); for (i = 0; i<c->iv_len; i++) printf("%02x", iv[i]);
547 printf("\n"); 529 printf("\n");
548 } 530 }
549#endif /* KSSL_DEBUG */ 531#endif /* KSSL_DEBUG */
550 532
551 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) 533 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) {
552 { 534 EVP_CipherInit_ex(dd, c, NULL, key, NULL,(which & SSL3_CC_WRITE));
553 EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE));
554 EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv); 535 EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv);
555 } 536 } else
556 else 537 EVP_CipherInit_ex(dd, c, NULL, key, iv,(which & SSL3_CC_WRITE));
557 EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
558 538
559 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ 539 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
560 if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) 540 if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size)
561 EVP_CIPHER_CTX_ctrl(dd,EVP_CTRL_AEAD_SET_MAC_KEY, 541 EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY,
562 *mac_secret_size,mac_secret); 542 *mac_secret_size, mac_secret);
563 543
564#ifdef TLS_DEBUG 544#ifdef TLS_DEBUG
565printf("which = %04X\nkey=",which); 545 printf("which = %04X\nkey=", which);
566{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); } 546 { int z; for (z = 0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c", key[z],((z+1)%16)?' ':'\n'); }
567printf("\niv="); 547 printf("\niv=");
568{ int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); } 548 { int z; for (z = 0; z<k; z++) printf("%02X%c", iv[z],((z+1)%16)?' ':'\n'); }
569printf("\n"); 549 printf("\n");
570#endif 550#endif
571 551
572 OPENSSL_cleanse(tmp1,sizeof(tmp1)); 552 OPENSSL_cleanse(tmp1, sizeof(tmp1));
573 OPENSSL_cleanse(tmp2,sizeof(tmp1)); 553 OPENSSL_cleanse(tmp2, sizeof(tmp1));
574 OPENSSL_cleanse(iv1,sizeof(iv1)); 554 OPENSSL_cleanse(iv1, sizeof(iv1));
575 OPENSSL_cleanse(iv2,sizeof(iv2)); 555 OPENSSL_cleanse(iv2, sizeof(iv2));
576 return(1); 556 return (1);
577err: 557err:
578 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); 558 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
579err2: 559err2:
580 return(0); 560 return (0);
581 } 561}
582 562
583int tls1_setup_key_block(SSL *s) 563int
584 { 564tls1_setup_key_block(SSL *s)
585 unsigned char *p1,*p2=NULL; 565{
566 unsigned char *p1, *p2 = NULL;
586 const EVP_CIPHER *c; 567 const EVP_CIPHER *c;
587 const EVP_MD *hash; 568 const EVP_MD *hash;
588 int num; 569 int num;
589 SSL_COMP *comp; 570 SSL_COMP *comp;
590 int mac_type= NID_undef,mac_secret_size=0; 571 int mac_type = NID_undef, mac_secret_size = 0;
591 int ret=0; 572 int ret = 0;
592 573
593#ifdef KSSL_DEBUG 574#ifdef KSSL_DEBUG
594 printf ("tls1_setup_key_block()\n"); 575 printf ("tls1_setup_key_block()\n");
595#endif /* KSSL_DEBUG */ 576#endif /* KSSL_DEBUG */
596 577
597 if (s->s3->tmp.key_block_length != 0) 578 if (s->s3->tmp.key_block_length != 0)
598 return(1); 579 return (1);
599 580
600 if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size,&comp)) 581 if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, &comp)) {
601 { 582 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
602 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 583 return (0);
603 return(0); 584 }
604 }
605 585
606 s->s3->tmp.new_sym_enc=c; 586 s->s3->tmp.new_sym_enc = c;
607 s->s3->tmp.new_hash=hash; 587 s->s3->tmp.new_hash = hash;
608 s->s3->tmp.new_mac_pkey_type = mac_type; 588 s->s3->tmp.new_mac_pkey_type = mac_type;
609 s->s3->tmp.new_mac_secret_size = mac_secret_size; 589 s->s3->tmp.new_mac_secret_size = mac_secret_size;
610 num=EVP_CIPHER_key_length(c)+mac_secret_size+EVP_CIPHER_iv_length(c); 590 num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c);
611 num*=2; 591 num*=2;
612 592
613 ssl3_cleanup_key_block(s); 593 ssl3_cleanup_key_block(s);
614 594
615 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) 595 if ((p1 = (unsigned char *)OPENSSL_malloc(num)) == NULL) {
616 { 596 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
617 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
618 goto err; 597 goto err;
619 } 598 }
620 599
621 s->s3->tmp.key_block_length=num; 600 s->s3->tmp.key_block_length = num;
622 s->s3->tmp.key_block=p1; 601 s->s3->tmp.key_block = p1;
623 602
624 if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) 603 if ((p2 = (unsigned char *)OPENSSL_malloc(num)) == NULL) {
625 { 604 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
626 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
627 goto err; 605 goto err;
628 } 606 }
629 607
630#ifdef TLS_DEBUG 608#ifdef TLS_DEBUG
631printf("client random\n"); 609 printf("client random\n");
632{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); } 610 { int z; for (z = 0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c", s->s3->client_random[z],((z+1)%16)?' ':'\n'); }
633printf("server random\n"); 611 printf("server random\n");
634{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); } 612 { int z; for (z = 0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c", s->s3->server_random[z],((z+1)%16)?' ':'\n'); }
635printf("pre-master\n"); 613 printf("pre-master\n");
636{ int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); } 614 { int z; for (z = 0; z<s->session->master_key_length; z++) printf("%02X%c", s->session->master_key[z],((z+1)%16)?' ':'\n'); }
637#endif 615#endif
638 if (!tls1_generate_key_block(s,p1,p2,num)) 616 if (!tls1_generate_key_block(s, p1, p2, num))
639 goto err; 617 goto err;
640#ifdef TLS_DEBUG 618#ifdef TLS_DEBUG
641printf("\nkey block\n"); 619 printf("\nkey block\n");
642{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } 620 { int z; for (z = 0; z<num; z++) printf("%02X%c", p1[z],((z+1)%16)?' ':'\n'); }
643#endif 621#endif
644 622
645 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) 623 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
646 && s->method->version <= TLS1_VERSION) 624 && s->method->version <= TLS1_VERSION) {
647 {
648 /* enable vulnerability countermeasure for CBC ciphers with 625 /* enable vulnerability countermeasure for CBC ciphers with
649 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 626 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
650 */ 627 */
651 s->s3->need_empty_fragments = 1; 628 s->s3->need_empty_fragments = 1;
652 629
653 if (s->session->cipher != NULL) 630 if (s->session->cipher != NULL) {
654 {
655 if (s->session->cipher->algorithm_enc == SSL_eNULL) 631 if (s->session->cipher->algorithm_enc == SSL_eNULL)
656 s->s3->need_empty_fragments = 0; 632 s->s3->need_empty_fragments = 0;
657 633
658#ifndef OPENSSL_NO_RC4 634#ifndef OPENSSL_NO_RC4
659 if (s->session->cipher->algorithm_enc == SSL_RC4) 635 if (s->session->cipher->algorithm_enc == SSL_RC4)
660 s->s3->need_empty_fragments = 0; 636 s->s3->need_empty_fragments = 0;
661#endif 637#endif
662 }
663 } 638 }
664 639 }
640
665 ret = 1; 641 ret = 1;
666err: 642err:
667 if (p2) 643 if (p2) {
668 { 644 OPENSSL_cleanse(p2, num);
669 OPENSSL_cleanse(p2,num);
670 OPENSSL_free(p2); 645 OPENSSL_free(p2);
671 }
672 return(ret);
673 } 646 }
647 return (ret);
648}
674 649
675/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. 650/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
676 * 651 *
@@ -681,176 +656,161 @@ err:
681 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, 656 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
682 * an internal error occured. 657 * an internal error occured.
683 */ 658 */
684int tls1_enc(SSL *s, int send) 659int
685 { 660tls1_enc(SSL *s, int send)
661{
686 SSL3_RECORD *rec; 662 SSL3_RECORD *rec;
687 EVP_CIPHER_CTX *ds; 663 EVP_CIPHER_CTX *ds;
688 unsigned long l; 664 unsigned long l;
689 int bs,i,j,k,pad=0,ret,mac_size=0; 665 int bs, i, j, k, pad = 0, ret, mac_size = 0;
690 const EVP_CIPHER *enc; 666 const EVP_CIPHER *enc;
691 667
692 if (send) 668 if (send) {
693 { 669 if (EVP_MD_CTX_md(s->write_hash)) {
694 if (EVP_MD_CTX_md(s->write_hash)) 670 int n = EVP_MD_CTX_size(s->write_hash);
695 {
696 int n=EVP_MD_CTX_size(s->write_hash);
697 OPENSSL_assert(n >= 0); 671 OPENSSL_assert(n >= 0);
698 } 672 }
699 ds=s->enc_write_ctx; 673 ds = s->enc_write_ctx;
700 rec= &(s->s3->wrec); 674 rec = &(s->s3->wrec);
701 if (s->enc_write_ctx == NULL) 675 if (s->enc_write_ctx == NULL)
702 enc=NULL; 676 enc = NULL;
703 else 677 else {
704 {
705 int ivlen; 678 int ivlen;
706 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 679 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
707 /* For TLSv1.1 and later explicit IV */ 680 /* For TLSv1.1 and later explicit IV */
708 if (s->version >= TLS1_1_VERSION 681 if (s->version >= TLS1_1_VERSION
709 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) 682 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
710 ivlen = EVP_CIPHER_iv_length(enc); 683 ivlen = EVP_CIPHER_iv_length(enc);
711 else 684 else
712 ivlen = 0; 685 ivlen = 0;
713 if (ivlen > 1) 686 if (ivlen > 1) {
714 { 687 if (rec->data != rec->input)
715 if ( rec->data != rec->input)
716 /* we can't write into the input stream: 688 /* we can't write into the input stream:
717 * Can this ever happen?? (steve) 689 * Can this ever happen?? (steve)
718 */ 690 */
719 fprintf(stderr, 691 fprintf(stderr,
720 "%s:%d: rec->data != rec->input\n", 692 "%s:%d: rec->data != rec->input\n",
721 __FILE__, __LINE__); 693 __FILE__, __LINE__);
722 else if (RAND_bytes(rec->input, ivlen) <= 0) 694 else if (RAND_bytes(rec->input, ivlen) <= 0)
723 return -1; 695 return -1;
724 }
725 } 696 }
726 } 697 }
727 else 698 } else {
728 { 699 if (EVP_MD_CTX_md(s->read_hash)) {
729 if (EVP_MD_CTX_md(s->read_hash)) 700 int n = EVP_MD_CTX_size(s->read_hash);
730 {
731 int n=EVP_MD_CTX_size(s->read_hash);
732 OPENSSL_assert(n >= 0); 701 OPENSSL_assert(n >= 0);
733 } 702 }
734 ds=s->enc_read_ctx; 703 ds = s->enc_read_ctx;
735 rec= &(s->s3->rrec); 704 rec = &(s->s3->rrec);
736 if (s->enc_read_ctx == NULL) 705 if (s->enc_read_ctx == NULL)
737 enc=NULL; 706 enc = NULL;
738 else 707 else
739 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 708 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
740 } 709 }
741 710
742#ifdef KSSL_DEBUG 711#ifdef KSSL_DEBUG
743 printf("tls1_enc(%d)\n", send); 712 printf("tls1_enc(%d)\n", send);
744#endif /* KSSL_DEBUG */ 713#endif /* KSSL_DEBUG */
745 714
746 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) 715 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
747 { 716 memmove(rec->data, rec->input, rec->length);
748 memmove(rec->data,rec->input,rec->length); 717 rec->input = rec->data;
749 rec->input=rec->data;
750 ret = 1; 718 ret = 1;
751 } 719 } else {
752 else 720 l = rec->length;
753 { 721 bs = EVP_CIPHER_block_size(ds->cipher);
754 l=rec->length; 722
755 bs=EVP_CIPHER_block_size(ds->cipher); 723 if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) {
756 724 unsigned char buf[13], *seq;
757 if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) 725
758 { 726 seq = send ? s->s3->write_sequence : s->s3->read_sequence;
759 unsigned char buf[13],*seq; 727
760 728 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
761 seq = send?s->s3->write_sequence:s->s3->read_sequence; 729 unsigned char dtlsseq[9], *p = dtlsseq;
762 730
763 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 731 s2n(send ? s->d1->w_epoch : s->d1->r_epoch, p);
764 { 732 memcpy(p, &seq[2], 6);
765 unsigned char dtlsseq[9],*p=dtlsseq; 733 memcpy(buf, dtlsseq, 8);
766 734 } else {
767 s2n(send?s->d1->w_epoch:s->d1->r_epoch,p); 735 memcpy(buf, seq, 8);
768 memcpy(p,&seq[2],6); 736 for (i = 7;
769 memcpy(buf,dtlsseq,8); 737 i >= 0;
770 } 738 i--) /* increment */
771 else
772 { 739 {
773 memcpy(buf,seq,8);
774 for (i=7; i>=0; i--) /* increment */
775 {
776 ++seq[i]; 740 ++seq[i];
777 if (seq[i] != 0) break; 741 if (seq[i] != 0)
778 } 742 break;
779 }
780 743
781 buf[8]=rec->type;
782 buf[9]=(unsigned char)(s->version>>8);
783 buf[10]=(unsigned char)(s->version);
784 buf[11]=rec->length>>8;
785 buf[12]=rec->length&0xff;
786 pad=EVP_CIPHER_CTX_ctrl(ds,EVP_CTRL_AEAD_TLS1_AAD,13,buf);
787 if (send)
788 {
789 l+=pad;
790 rec->length+=pad;
791 } 744 }
792 } 745 }
793 else if ((bs != 1) && send) 746
794 { 747 buf[8] = rec->type;
795 i=bs-((int)l%bs); 748 buf[9] = (unsigned char)(s->version >> 8);
749 buf[10] = (unsigned char)(s->version);
750 buf[11] = rec->length >> 8;
751 buf[12] = rec->length&0xff;
752 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf);
753 if (send) {
754 l += pad;
755 rec->length += pad;
756 }
757 } else if ((bs != 1) && send) {
758 i = bs - ((int)l % bs);
796 759
797 /* Add weird padding of upto 256 bytes */ 760 /* Add weird padding of upto 256 bytes */
798 761
799 /* we need to add 'i' padding bytes of value j */ 762 /* we need to add 'i' padding bytes of value j */
800 j=i-1; 763 j = i - 1;
801 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) 764 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
802 {
803 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) 765 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
804 j++; 766 j++;
805 }
806 for (k=(int)l; k<(int)(l+i); k++)
807 rec->input[k]=j;
808 l+=i;
809 rec->length+=i;
810 } 767 }
768 for (k = (int)l; k < (int)(l + i); k++)
769 rec->input[k] = j;
770 l += i;
771 rec->length += i;
772 }
811 773
812#ifdef KSSL_DEBUG 774#ifdef KSSL_DEBUG
813 { 775 {
814 unsigned long ui; 776 unsigned long ui;
815 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", 777 printf("EVP_Cipher(ds=%p, rec->data=%p, rec->input=%p, l=%ld) ==>\n",
816 ds,rec->data,rec->input,l); 778 ds, rec->data, rec->input, l);
817 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", 779 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
818 ds->buf_len, ds->cipher->key_len, 780 ds->buf_len, ds->cipher->key_len,
819 DES_KEY_SZ, DES_SCHEDULE_SZ, 781 DES_KEY_SZ, DES_SCHEDULE_SZ,
820 ds->cipher->iv_len); 782 ds->cipher->iv_len);
821 printf("\t\tIV: "); 783 printf("\t\tIV: ");
822 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); 784 for (i = 0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
823 printf("\n"); 785 printf("\n");
824 printf("\trec->input="); 786 printf("\trec->input=");
825 for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]); 787 for (ui = 0; ui<l; ui++) printf(" %02x", rec->input[ui]);
826 printf("\n"); 788 printf("\n");
827 } 789 }
828#endif /* KSSL_DEBUG */ 790#endif /* KSSL_DEBUG */
829 791
830 if (!send) 792 if (!send) {
831 { 793 if (l == 0 || l % bs != 0)
832 if (l == 0 || l%bs != 0)
833 return 0; 794 return 0;
834 } 795 }
835 796
836 i = EVP_Cipher(ds,rec->data,rec->input,l); 797 i = EVP_Cipher(ds, rec->data, rec->input, l);
837 if ((EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_CUSTOM_CIPHER) 798 if ((EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_CUSTOM_CIPHER)
838 ?(i<0) 799 ?(i < 0)
839 :(i==0)) 800 :(i == 0))
840 return -1; /* AEAD can fail to verify MAC */ 801 return -1; /* AEAD can fail to verify MAC */
841 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) 802 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
842 {
843 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; 803 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
844 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; 804 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
845 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 805 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
846 } 806 }
847 807
848#ifdef KSSL_DEBUG 808#ifdef KSSL_DEBUG
849 { 809 {
850 unsigned long i; 810 unsigned long i;
851 printf("\trec->data="); 811 printf("\trec->data=");
852 for (i=0; i<l; i++) 812 for (i = 0; i < l; i++)
853 printf(" %02x", rec->data[i]); printf("\n"); 813 printf(" %02x", rec->data[i]); printf("\n");
854 } 814 }
855#endif /* KSSL_DEBUG */ 815#endif /* KSSL_DEBUG */
856 816
@@ -861,97 +821,93 @@ int tls1_enc(SSL *s, int send)
861 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); 821 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
862 if (pad && !send) 822 if (pad && !send)
863 rec->length -= pad; 823 rec->length -= pad;
864 }
865 return ret;
866 } 824 }
825 return ret;
826}
867 827
868int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) 828int
869 { 829tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
830{
870 unsigned int ret; 831 unsigned int ret;
871 EVP_MD_CTX ctx, *d=NULL; 832 EVP_MD_CTX ctx, *d = NULL;
872 int i; 833 int i;
873 834
874 if (s->s3->handshake_buffer) 835 if (s->s3->handshake_buffer)
875 if (!ssl3_digest_cached_records(s)) 836 if (!ssl3_digest_cached_records(s))
876 return 0; 837 return 0;
877 838
878 for (i=0;i<SSL_MAX_DIGEST;i++) 839 for (i = 0; i < SSL_MAX_DIGEST; i++) {
879 { 840 if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
880 if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid) 841 d = s->s3->handshake_dgst[i];
881 {
882 d=s->s3->handshake_dgst[i];
883 break; 842 break;
884 }
885 } 843 }
844 }
886 if (!d) { 845 if (!d) {
887 SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST); 846 SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC, SSL_R_NO_REQUIRED_DIGEST);
888 return 0; 847 return 0;
889 } 848 }
890 849
891 EVP_MD_CTX_init(&ctx); 850 EVP_MD_CTX_init(&ctx);
892 EVP_MD_CTX_copy_ex(&ctx,d); 851 EVP_MD_CTX_copy_ex(&ctx, d);
893 EVP_DigestFinal_ex(&ctx,out,&ret); 852 EVP_DigestFinal_ex(&ctx, out, &ret);
894 EVP_MD_CTX_cleanup(&ctx); 853 EVP_MD_CTX_cleanup(&ctx);
895 return((int)ret); 854 return ((int)ret);
896 } 855}
897 856
898int tls1_final_finish_mac(SSL *s, 857int
899 const char *str, int slen, unsigned char *out) 858tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out)
900 { 859{
901 unsigned int i; 860 unsigned int i;
902 EVP_MD_CTX ctx; 861 EVP_MD_CTX ctx;
903 unsigned char buf[2*EVP_MAX_MD_SIZE]; 862 unsigned char buf[2*EVP_MAX_MD_SIZE];
904 unsigned char *q,buf2[12]; 863 unsigned char *q, buf2[12];
905 int idx; 864 int idx;
906 long mask; 865 long mask;
907 int err=0; 866 int err = 0;
908 const EVP_MD *md; 867 const EVP_MD *md;
868
909 869
910 q=buf; 870 q = buf;
911 871
912 if (s->s3->handshake_buffer) 872 if (s->s3->handshake_buffer)
913 if (!ssl3_digest_cached_records(s)) 873 if (!ssl3_digest_cached_records(s))
914 return 0; 874 return 0;
915 875
916 EVP_MD_CTX_init(&ctx); 876 EVP_MD_CTX_init(&ctx);
917 877
918 for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++) 878 for (idx = 0; ssl_get_handshake_digest(idx, &mask, &md); idx++) {
919 { 879 if (mask & ssl_get_algorithm2(s)) {
920 if (mask & ssl_get_algorithm2(s))
921 {
922 int hashsize = EVP_MD_size(md); 880 int hashsize = EVP_MD_size(md);
923 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; 881 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
924 if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) 882 if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q - buf))) {
925 {
926 /* internal error: 'buf' is too small for this cipersuite! */ 883 /* internal error: 'buf' is too small for this cipersuite! */
927 err = 1; 884 err = 1;
928 } 885 } else {
929 else
930 {
931 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || 886 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
932 !EVP_DigestFinal_ex(&ctx,q,&i) || 887 !EVP_DigestFinal_ex(&ctx, q, &i) ||
933 (i != (unsigned int)hashsize)) 888 (i != (unsigned int)hashsize))
934 err = 1; 889 err = 1;
935 q+=hashsize; 890 q += hashsize;
936 }
937 } 891 }
938 } 892 }
939 893 }
894
940 if (!tls1_PRF(ssl_get_algorithm2(s), 895 if (!tls1_PRF(ssl_get_algorithm2(s),
941 str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0, 896 str, slen, buf,(int)(q - buf), NULL, 0, NULL, 0, NULL, 0,
942 s->session->master_key,s->session->master_key_length, 897 s->session->master_key, s->session->master_key_length,
943 out,buf2,sizeof buf2)) 898 out, buf2, sizeof buf2))
944 err = 1; 899 err = 1;
945 EVP_MD_CTX_cleanup(&ctx); 900 EVP_MD_CTX_cleanup(&ctx);
946 901
947 if (err) 902 if (err)
948 return 0; 903 return 0;
949 else 904 else
950 return sizeof buf2; 905 return sizeof buf2;
951 } 906}
952 907
953int tls1_mac(SSL *ssl, unsigned char *md, int send) 908int
954 { 909tls1_mac(SSL *ssl, unsigned char *md, int send)
910{
955 SSL3_RECORD *rec; 911 SSL3_RECORD *rec;
956 unsigned char *seq; 912 unsigned char *seq;
957 EVP_MD_CTX *hash; 913 EVP_MD_CTX *hash;
@@ -959,152 +915,141 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
959 int i; 915 int i;
960 EVP_MD_CTX hmac, *mac_ctx; 916 EVP_MD_CTX hmac, *mac_ctx;
961 unsigned char header[13]; 917 unsigned char header[13];
962 int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); 918 int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) : (ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
963 int t; 919 int t;
964 920
965 if (send) 921 if (send) {
966 { 922 rec = &(ssl->s3->wrec);
967 rec= &(ssl->s3->wrec); 923 seq = &(ssl->s3->write_sequence[0]);
968 seq= &(ssl->s3->write_sequence[0]); 924 hash = ssl->write_hash;
969 hash=ssl->write_hash; 925 } else {
970 } 926 rec = &(ssl->s3->rrec);
971 else 927 seq = &(ssl->s3->read_sequence[0]);
972 { 928 hash = ssl->read_hash;
973 rec= &(ssl->s3->rrec); 929 }
974 seq= &(ssl->s3->read_sequence[0]);
975 hash=ssl->read_hash;
976 }
977 930
978 t=EVP_MD_CTX_size(hash); 931 t = EVP_MD_CTX_size(hash);
979 OPENSSL_assert(t >= 0); 932 OPENSSL_assert(t >= 0);
980 md_size=t; 933 md_size = t;
981 934
982 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 935 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
983 if (stream_mac) 936 if (stream_mac) {
984 { 937 mac_ctx = hash;
985 mac_ctx = hash; 938 } else {
986 } 939 if (!EVP_MD_CTX_copy(&hmac, hash))
987 else 940 return -1;
988 { 941 mac_ctx = &hmac;
989 if (!EVP_MD_CTX_copy(&hmac,hash)) 942 }
990 return -1;
991 mac_ctx = &hmac;
992 }
993 943
994 if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER) 944 if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER) {
995 { 945 unsigned char dtlsseq[8], *p = dtlsseq;
996 unsigned char dtlsseq[8],*p=dtlsseq;
997 946
998 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); 947 s2n(send ? ssl->d1->w_epoch : ssl->d1->r_epoch, p);
999 memcpy (p,&seq[2],6); 948 memcpy (p, &seq[2], 6);
1000 949
1001 memcpy(header, dtlsseq, 8); 950 memcpy(header, dtlsseq, 8);
1002 } 951 } else
1003 else
1004 memcpy(header, seq, 8); 952 memcpy(header, seq, 8);
1005 953
1006 /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ 954 /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */
1007 orig_len = rec->length+md_size+((unsigned int)rec->type>>8); 955 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
1008 rec->type &= 0xff; 956 rec->type &= 0xff;
1009 957
1010 header[8]=rec->type; 958 header[8] = rec->type;
1011 header[9]=(unsigned char)(ssl->version>>8); 959 header[9] = (unsigned char)(ssl->version >> 8);
1012 header[10]=(unsigned char)(ssl->version); 960 header[10] = (unsigned char)(ssl->version);
1013 header[11]=(rec->length)>>8; 961 header[11] = (rec->length) >> 8;
1014 header[12]=(rec->length)&0xff; 962 header[12] = (rec->length)&0xff;
1015 963
1016 if (!send && 964 if (!send &&
1017 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 965 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1018 ssl3_cbc_record_digest_supported(mac_ctx)) 966 ssl3_cbc_record_digest_supported(mac_ctx)) {
1019 {
1020 /* This is a CBC-encrypted record. We must avoid leaking any 967 /* This is a CBC-encrypted record. We must avoid leaking any
1021 * timing-side channel information about how many blocks of 968 * timing-side channel information about how many blocks of
1022 * data we are hashing because that gives an attacker a 969 * data we are hashing because that gives an attacker a
1023 * timing-oracle. */ 970 * timing-oracle. */
1024 ssl3_cbc_digest_record( 971 ssl3_cbc_digest_record(
1025 mac_ctx, 972 mac_ctx,
1026 md, &md_size, 973 md, &md_size,
1027 header, rec->input, 974 header, rec->input,
1028 rec->length + md_size, orig_len, 975 rec->length + md_size, orig_len,
1029 ssl->s3->read_mac_secret, 976 ssl->s3->read_mac_secret,
1030 ssl->s3->read_mac_secret_size, 977 ssl->s3->read_mac_secret_size,
1031 0 /* not SSLv3 */); 978 0 /* not SSLv3 */);
1032 } 979 } else {
1033 else 980 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
1034 { 981 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
1035 EVP_DigestSignUpdate(mac_ctx,header,sizeof(header)); 982 t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
1036 EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
1037 t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
1038 OPENSSL_assert(t > 0); 983 OPENSSL_assert(t > 0);
1039#ifdef OPENSSL_FIPS 984#ifdef OPENSSL_FIPS
1040 if (!send && FIPS_mode()) 985 if (!send && FIPS_mode())
1041 tls_fips_digest_extra( 986 tls_fips_digest_extra(
1042 ssl->enc_read_ctx, 987 ssl->enc_read_ctx,
1043 mac_ctx, rec->input, 988 mac_ctx, rec->input,
1044 rec->length, orig_len); 989 rec->length, orig_len);
1045#endif 990#endif
1046 } 991 }
1047 992
1048 if (!stream_mac) 993 if (!stream_mac)
1049 EVP_MD_CTX_cleanup(&hmac); 994 EVP_MD_CTX_cleanup(&hmac);
1050#ifdef TLS_DEBUG 995#ifdef TLS_DEBUG
1051printf("sec="); 996 printf("sec=");
1052{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } 997 {unsigned int z; for (z = 0; z<md_size; z++) printf("%02X ", mac_sec[z]); printf("\n"); }
1053printf("seq="); 998 printf("seq=");
1054{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } 999 {int z; for (z = 0; z<8; z++) printf("%02X ", seq[z]); printf("\n"); }
1055printf("buf="); 1000 printf("buf=");
1056{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); } 1001 {int z; for (z = 0; z<5; z++) printf("%02X ", buf[z]); printf("\n"); }
1057printf("rec="); 1002 printf("rec=");
1058{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } 1003 {unsigned int z; for (z = 0; z<rec->length; z++) printf("%02X ", buf[z]); printf("\n"); }
1059#endif 1004#endif
1060 1005
1061 if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER) 1006 if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER) {
1062 { 1007 for (i = 7; i >= 0; i--) {
1063 for (i=7; i>=0; i--)
1064 {
1065 ++seq[i]; 1008 ++seq[i];
1066 if (seq[i] != 0) break; 1009 if (seq[i] != 0)
1067 } 1010 break;
1011
1068 } 1012 }
1013 }
1069 1014
1070#ifdef TLS_DEBUG 1015#ifdef TLS_DEBUG
1071{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } 1016 {unsigned int z; for (z = 0; z<md_size; z++) printf("%02X ", md[z]); printf("\n"); }
1072#endif 1017#endif
1073 return(md_size); 1018 return (md_size);
1074 } 1019}
1075 1020
1076int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 1021int
1077 int len) 1022tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
1078 { 1023 int len)
1024{
1079 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; 1025 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
1080 const void *co = NULL, *so = NULL; 1026 const void *co = NULL, *so = NULL;
1081 int col = 0, sol = 0; 1027 int col = 0, sol = 0;
1082 1028
1083 1029
1084#ifdef KSSL_DEBUG 1030#ifdef KSSL_DEBUG
1085 printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len); 1031 printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s, out, p, len);
1086#endif /* KSSL_DEBUG */ 1032#endif /* KSSL_DEBUG */
1087 1033
1088#ifdef TLSEXT_TYPE_opaque_prf_input 1034#ifdef TLSEXT_TYPE_opaque_prf_input
1089 if (s->s3->client_opaque_prf_input != NULL && s->s3->server_opaque_prf_input != NULL && 1035 if (s->s3->client_opaque_prf_input != NULL && s->s3->server_opaque_prf_input != NULL &&
1090 s->s3->client_opaque_prf_input_len > 0 && 1036 s->s3->client_opaque_prf_input_len > 0 &&
1091 s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input_len) 1037 s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input_len) {
1092 {
1093 co = s->s3->client_opaque_prf_input; 1038 co = s->s3->client_opaque_prf_input;
1094 col = s->s3->server_opaque_prf_input_len; 1039 col = s->s3->server_opaque_prf_input_len;
1095 so = s->s3->server_opaque_prf_input; 1040 so = s->s3->server_opaque_prf_input;
1096 sol = s->s3->client_opaque_prf_input_len; /* must be same as col (see draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */ 1041 sol = s->s3->client_opaque_prf_input_len; /* must be same as col (see draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */
1097 } 1042 }
1098#endif 1043#endif
1099 1044
1100 tls1_PRF(ssl_get_algorithm2(s), 1045 tls1_PRF(ssl_get_algorithm2(s),
1101 TLS_MD_MASTER_SECRET_CONST,TLS_MD_MASTER_SECRET_CONST_SIZE, 1046 TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE,
1102 s->s3->client_random,SSL3_RANDOM_SIZE, 1047 s->s3->client_random, SSL3_RANDOM_SIZE,
1103 co, col, 1048 co, col,
1104 s->s3->server_random,SSL3_RANDOM_SIZE, 1049 s->s3->server_random, SSL3_RANDOM_SIZE,
1105 so, sol, 1050 so, sol,
1106 p,len, 1051 p, len,
1107 s->session->master_key,buff,sizeof buff); 1052 s->session->master_key, buff, sizeof buff);
1108#ifdef SSL_DEBUG 1053#ifdef SSL_DEBUG
1109 fprintf(stderr, "Premaster Secret:\n"); 1054 fprintf(stderr, "Premaster Secret:\n");
1110 BIO_dump_fp(stderr, (char *)p, len); 1055 BIO_dump_fp(stderr, (char *)p, len);
@@ -1119,13 +1064,14 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
1119#ifdef KSSL_DEBUG 1064#ifdef KSSL_DEBUG
1120 printf ("tls1_generate_master_secret() complete\n"); 1065 printf ("tls1_generate_master_secret() complete\n");
1121#endif /* KSSL_DEBUG */ 1066#endif /* KSSL_DEBUG */
1122 return(SSL3_MASTER_SECRET_SIZE); 1067 return (SSL3_MASTER_SECRET_SIZE);
1123 } 1068}
1124 1069
1125int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, 1070int
1126 const char *label, size_t llen, const unsigned char *context, 1071tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1127 size_t contextlen, int use_context) 1072 const char *label, size_t llen, const unsigned char *context,
1128 { 1073 size_t contextlen, int use_context)
1074{
1129 unsigned char *buff; 1075 unsigned char *buff;
1130 unsigned char *val = NULL; 1076 unsigned char *val = NULL;
1131 size_t vallen, currentvalpos; 1077 size_t vallen, currentvalpos;
@@ -1136,7 +1082,8 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1136#endif /* KSSL_DEBUG */ 1082#endif /* KSSL_DEBUG */
1137 1083
1138 buff = OPENSSL_malloc(olen); 1084 buff = OPENSSL_malloc(olen);
1139 if (buff == NULL) goto err2; 1085 if (buff == NULL)
1086 goto err2;
1140 1087
1141 /* construct PRF arguments 1088 /* construct PRF arguments
1142 * we construct the PRF argument ourself rather than passing separate 1089 * we construct the PRF argument ourself rather than passing separate
@@ -1144,13 +1091,13 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1144 * does not create a prohibited label. 1091 * does not create a prohibited label.
1145 */ 1092 */
1146 vallen = llen + SSL3_RANDOM_SIZE * 2; 1093 vallen = llen + SSL3_RANDOM_SIZE * 2;
1147 if (use_context) 1094 if (use_context) {
1148 {
1149 vallen += 2 + contextlen; 1095 vallen += 2 + contextlen;
1150 } 1096 }
1151 1097
1152 val = OPENSSL_malloc(vallen); 1098 val = OPENSSL_malloc(vallen);
1153 if (val == NULL) goto err2; 1099 if (val == NULL)
1100 goto err2;
1154 currentvalpos = 0; 1101 currentvalpos = 0;
1155 memcpy(val + currentvalpos, (unsigned char *) label, llen); 1102 memcpy(val + currentvalpos, (unsigned char *) label, llen);
1156 currentvalpos += llen; 1103 currentvalpos += llen;
@@ -1159,17 +1106,15 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1159 memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); 1106 memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
1160 currentvalpos += SSL3_RANDOM_SIZE; 1107 currentvalpos += SSL3_RANDOM_SIZE;
1161 1108
1162 if (use_context) 1109 if (use_context) {
1163 {
1164 val[currentvalpos] = (contextlen >> 8) & 0xff; 1110 val[currentvalpos] = (contextlen >> 8) & 0xff;
1165 currentvalpos++; 1111 currentvalpos++;
1166 val[currentvalpos] = contextlen & 0xff; 1112 val[currentvalpos] = contextlen & 0xff;
1167 currentvalpos++; 1113 currentvalpos++;
1168 if ((contextlen > 0) || (context != NULL)) 1114 if ((contextlen > 0) || (context != NULL)) {
1169 {
1170 memcpy(val + currentvalpos, context, contextlen); 1115 memcpy(val + currentvalpos, context, contextlen);
1171 }
1172 } 1116 }
1117 }
1173 1118
1174 /* disallow prohibited labels 1119 /* disallow prohibited labels
1175 * note that SSL3_RANDOM_SIZE > max(prohibited label len) = 1120 * note that SSL3_RANDOM_SIZE > max(prohibited label len) =
@@ -1177,22 +1122,22 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1177 * comparisons won't have buffer overflow 1122 * comparisons won't have buffer overflow
1178 */ 1123 */
1179 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 1124 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
1180 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1; 1125 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1;
1181 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 1126 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
1182 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1; 1127 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1;
1183 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 1128 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
1184 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1; 1129 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1;
1185 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 1130 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
1186 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1; 1131 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1;
1187 1132
1188 rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2, 1133 rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
1189 val, vallen, 1134 val, vallen,
1190 NULL, 0, 1135 NULL, 0,
1191 NULL, 0, 1136 NULL, 0,
1192 NULL, 0, 1137 NULL, 0,
1193 NULL, 0, 1138 NULL, 0,
1194 s->session->master_key,s->session->master_key_length, 1139 s->session->master_key, s->session->master_key_length,
1195 out,buff,olen); 1140 out, buff, olen);
1196 1141
1197#ifdef KSSL_DEBUG 1142#ifdef KSSL_DEBUG
1198 printf ("tls1_export_keying_material() complete\n"); 1143 printf ("tls1_export_keying_material() complete\n");
@@ -1206,49 +1151,82 @@ err2:
1206 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE); 1151 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
1207 rv = 0; 1152 rv = 0;
1208ret: 1153ret:
1209 if (buff != NULL) OPENSSL_free(buff); 1154 if (buff != NULL)
1210 if (val != NULL) OPENSSL_free(val); 1155 OPENSSL_free(buff);
1211 return(rv); 1156 if (val != NULL)
1212 } 1157 OPENSSL_free(val);
1158 return (rv);
1159}
1213 1160
1214int tls1_alert_code(int code) 1161int
1215 { 1162tls1_alert_code(int code)
1216 switch (code) 1163{
1217 { 1164 switch (code) {
1218 case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY); 1165 case SSL_AD_CLOSE_NOTIFY:
1219 case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE); 1166 return (SSL3_AD_CLOSE_NOTIFY);
1220 case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC); 1167 case SSL_AD_UNEXPECTED_MESSAGE:
1221 case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED); 1168 return (SSL3_AD_UNEXPECTED_MESSAGE);
1222 case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW); 1169 case SSL_AD_BAD_RECORD_MAC:
1223 case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE); 1170 return (SSL3_AD_BAD_RECORD_MAC);
1224 case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE); 1171 case SSL_AD_DECRYPTION_FAILED:
1225 case SSL_AD_NO_CERTIFICATE: return(-1); 1172 return (TLS1_AD_DECRYPTION_FAILED);
1226 case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE); 1173 case SSL_AD_RECORD_OVERFLOW:
1227 case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE); 1174 return (TLS1_AD_RECORD_OVERFLOW);
1228 case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED); 1175 case SSL_AD_DECOMPRESSION_FAILURE:
1229 case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED); 1176 return (SSL3_AD_DECOMPRESSION_FAILURE);
1230 case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN); 1177 case SSL_AD_HANDSHAKE_FAILURE:
1231 case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER); 1178 return (SSL3_AD_HANDSHAKE_FAILURE);
1232 case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA); 1179 case SSL_AD_NO_CERTIFICATE:
1233 case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED); 1180 return (-1);
1234 case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR); 1181 case SSL_AD_BAD_CERTIFICATE:
1235 case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR); 1182 return (SSL3_AD_BAD_CERTIFICATE);
1236 case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION); 1183 case SSL_AD_UNSUPPORTED_CERTIFICATE:
1237 case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION); 1184 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
1238 case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY); 1185 case SSL_AD_CERTIFICATE_REVOKED:
1239 case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); 1186 return (SSL3_AD_CERTIFICATE_REVOKED);
1240 case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED); 1187 case SSL_AD_CERTIFICATE_EXPIRED:
1241 case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); 1188 return (SSL3_AD_CERTIFICATE_EXPIRED);
1242 case SSL_AD_UNSUPPORTED_EXTENSION: return(TLS1_AD_UNSUPPORTED_EXTENSION); 1189 case SSL_AD_CERTIFICATE_UNKNOWN:
1243 case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(TLS1_AD_CERTIFICATE_UNOBTAINABLE); 1190 return (SSL3_AD_CERTIFICATE_UNKNOWN);
1244 case SSL_AD_UNRECOGNIZED_NAME: return(TLS1_AD_UNRECOGNIZED_NAME); 1191 case SSL_AD_ILLEGAL_PARAMETER:
1245 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); 1192 return (SSL3_AD_ILLEGAL_PARAMETER);
1246 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); 1193 case SSL_AD_UNKNOWN_CA:
1247 case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); 1194 return (TLS1_AD_UNKNOWN_CA);
1195 case SSL_AD_ACCESS_DENIED:
1196 return (TLS1_AD_ACCESS_DENIED);
1197 case SSL_AD_DECODE_ERROR:
1198 return (TLS1_AD_DECODE_ERROR);
1199 case SSL_AD_DECRYPT_ERROR:
1200 return (TLS1_AD_DECRYPT_ERROR);
1201 case SSL_AD_EXPORT_RESTRICTION:
1202 return (TLS1_AD_EXPORT_RESTRICTION);
1203 case SSL_AD_PROTOCOL_VERSION:
1204 return (TLS1_AD_PROTOCOL_VERSION);
1205 case SSL_AD_INSUFFICIENT_SECURITY:
1206 return (TLS1_AD_INSUFFICIENT_SECURITY);
1207 case SSL_AD_INTERNAL_ERROR:
1208 return (TLS1_AD_INTERNAL_ERROR);
1209 case SSL_AD_USER_CANCELLED:
1210 return (TLS1_AD_USER_CANCELLED);
1211 case SSL_AD_NO_RENEGOTIATION:
1212 return (TLS1_AD_NO_RENEGOTIATION);
1213 case SSL_AD_UNSUPPORTED_EXTENSION:
1214 return (TLS1_AD_UNSUPPORTED_EXTENSION);
1215 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
1216 return (TLS1_AD_CERTIFICATE_UNOBTAINABLE);
1217 case SSL_AD_UNRECOGNIZED_NAME:
1218 return (TLS1_AD_UNRECOGNIZED_NAME);
1219 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
1220 return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
1221 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
1222 return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
1223 case SSL_AD_UNKNOWN_PSK_IDENTITY:
1224 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
1248#if 0 /* not appropriate for TLS, not used for DTLS */ 1225#if 0 /* not appropriate for TLS, not used for DTLS */
1249 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 1226 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE : return
1250 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); 1227 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
1251#endif 1228#endif
1252 default: return(-1); 1229 default:
1253 } 1230 return (-1);
1254 } 1231 }
1232}
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index bddffd92cc..08f7a444ad 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -120,12 +120,13 @@
120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 121
122#ifndef OPENSSL_NO_TLSEXT 122#ifndef OPENSSL_NO_TLSEXT
123static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123static int
124 const unsigned char *sess_id, int sesslen, 124tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
125 SSL_SESSION **psess); 125 const unsigned char *sess_id, int sesslen,
126 SSL_SESSION **psess);
126#endif 127#endif
127 128
128SSL3_ENC_METHOD TLSv1_enc_data={ 129SSL3_ENC_METHOD TLSv1_enc_data = {
129 tls1_enc, 130 tls1_enc,
130 tls1_mac, 131 tls1_mac,
131 tls1_setup_key_block, 132 tls1_setup_key_block,
@@ -134,171 +135,173 @@ SSL3_ENC_METHOD TLSv1_enc_data={
134 tls1_final_finish_mac, 135 tls1_final_finish_mac,
135 TLS1_FINISH_MAC_LENGTH, 136 TLS1_FINISH_MAC_LENGTH,
136 tls1_cert_verify_mac, 137 tls1_cert_verify_mac,
137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 138 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 139 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
139 tls1_alert_code, 140 tls1_alert_code,
140 tls1_export_keying_material, 141 tls1_export_keying_material,
141 }; 142};
142 143
143long tls1_default_timeout(void) 144long
144 { 145tls1_default_timeout(void)
146{
145 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 147 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146 * is way too long for http, the cache would over fill */ 148 * is way too long for http, the cache would over fill */
147 return(60*60*2); 149 return (60*60*2);
148 } 150}
149 151
150int tls1_new(SSL *s) 152int
151 { 153tls1_new(SSL *s)
152 if (!ssl3_new(s)) return(0); 154{
153 s->method->ssl_clear(s); 155 if (!ssl3_new(s)) return (0);
154 return(1); 156 s->method->ssl_clear(s);
155 } 157 return (1);
158}
156 159
157void tls1_free(SSL *s) 160void
158 { 161tls1_free(SSL *s)
162{
159#ifndef OPENSSL_NO_TLSEXT 163#ifndef OPENSSL_NO_TLSEXT
160 if (s->tlsext_session_ticket) 164 if (s->tlsext_session_ticket) {
161 {
162 OPENSSL_free(s->tlsext_session_ticket); 165 OPENSSL_free(s->tlsext_session_ticket);
163 } 166 }
164#endif /* OPENSSL_NO_TLSEXT */ 167#endif /* OPENSSL_NO_TLSEXT */
165 ssl3_free(s); 168 ssl3_free(s);
166 } 169}
167 170
168void tls1_clear(SSL *s) 171void
169 { 172tls1_clear(SSL *s)
173{
170 ssl3_clear(s); 174 ssl3_clear(s);
171 s->version = s->method->version; 175 s->version = s->method->version;
172 } 176}
173 177
174#ifndef OPENSSL_NO_EC 178#ifndef OPENSSL_NO_EC
175 179
176static int nid_list[] = 180static int nid_list[] = {
177 { 181 NID_sect163k1, /* sect163k1 (1) */
178 NID_sect163k1, /* sect163k1 (1) */ 182 NID_sect163r1, /* sect163r1 (2) */
179 NID_sect163r1, /* sect163r1 (2) */ 183 NID_sect163r2, /* sect163r2 (3) */
180 NID_sect163r2, /* sect163r2 (3) */ 184 NID_sect193r1, /* sect193r1 (4) */
181 NID_sect193r1, /* sect193r1 (4) */ 185 NID_sect193r2, /* sect193r2 (5) */
182 NID_sect193r2, /* sect193r2 (5) */ 186 NID_sect233k1, /* sect233k1 (6) */
183 NID_sect233k1, /* sect233k1 (6) */ 187 NID_sect233r1, /* sect233r1 (7) */
184 NID_sect233r1, /* sect233r1 (7) */ 188 NID_sect239k1, /* sect239k1 (8) */
185 NID_sect239k1, /* sect239k1 (8) */ 189 NID_sect283k1, /* sect283k1 (9) */
186 NID_sect283k1, /* sect283k1 (9) */ 190 NID_sect283r1, /* sect283r1 (10) */
187 NID_sect283r1, /* sect283r1 (10) */ 191 NID_sect409k1, /* sect409k1 (11) */
188 NID_sect409k1, /* sect409k1 (11) */ 192 NID_sect409r1, /* sect409r1 (12) */
189 NID_sect409r1, /* sect409r1 (12) */ 193 NID_sect571k1, /* sect571k1 (13) */
190 NID_sect571k1, /* sect571k1 (13) */ 194 NID_sect571r1, /* sect571r1 (14) */
191 NID_sect571r1, /* sect571r1 (14) */ 195 NID_secp160k1, /* secp160k1 (15) */
192 NID_secp160k1, /* secp160k1 (15) */ 196 NID_secp160r1, /* secp160r1 (16) */
193 NID_secp160r1, /* secp160r1 (16) */ 197 NID_secp160r2, /* secp160r2 (17) */
194 NID_secp160r2, /* secp160r2 (17) */ 198 NID_secp192k1, /* secp192k1 (18) */
195 NID_secp192k1, /* secp192k1 (18) */ 199 NID_X9_62_prime192v1, /* secp192r1 (19) */
196 NID_X9_62_prime192v1, /* secp192r1 (19) */ 200 NID_secp224k1, /* secp224k1 (20) */
197 NID_secp224k1, /* secp224k1 (20) */ 201 NID_secp224r1, /* secp224r1 (21) */
198 NID_secp224r1, /* secp224r1 (21) */ 202 NID_secp256k1, /* secp256k1 (22) */
199 NID_secp256k1, /* secp256k1 (22) */ 203 NID_X9_62_prime256v1, /* secp256r1 (23) */
200 NID_X9_62_prime256v1, /* secp256r1 (23) */ 204 NID_secp384r1, /* secp384r1 (24) */
201 NID_secp384r1, /* secp384r1 (24) */ 205 NID_secp521r1 /* secp521r1 (25) */
202 NID_secp521r1 /* secp521r1 (25) */ 206};
203 };
204 207
205static int pref_list[] = 208static int pref_list[] = {
206 { 209 NID_sect571r1, /* sect571r1 (14) */
207 NID_sect571r1, /* sect571r1 (14) */ 210 NID_sect571k1, /* sect571k1 (13) */
208 NID_sect571k1, /* sect571k1 (13) */ 211 NID_secp521r1, /* secp521r1 (25) */
209 NID_secp521r1, /* secp521r1 (25) */ 212 NID_sect409k1, /* sect409k1 (11) */
210 NID_sect409k1, /* sect409k1 (11) */ 213 NID_sect409r1, /* sect409r1 (12) */
211 NID_sect409r1, /* sect409r1 (12) */ 214 NID_secp384r1, /* secp384r1 (24) */
212 NID_secp384r1, /* secp384r1 (24) */ 215 NID_sect283k1, /* sect283k1 (9) */
213 NID_sect283k1, /* sect283k1 (9) */ 216 NID_sect283r1, /* sect283r1 (10) */
214 NID_sect283r1, /* sect283r1 (10) */ 217 NID_secp256k1, /* secp256k1 (22) */
215 NID_secp256k1, /* secp256k1 (22) */ 218 NID_X9_62_prime256v1, /* secp256r1 (23) */
216 NID_X9_62_prime256v1, /* secp256r1 (23) */ 219 NID_sect239k1, /* sect239k1 (8) */
217 NID_sect239k1, /* sect239k1 (8) */ 220 NID_sect233k1, /* sect233k1 (6) */
218 NID_sect233k1, /* sect233k1 (6) */ 221 NID_sect233r1, /* sect233r1 (7) */
219 NID_sect233r1, /* sect233r1 (7) */ 222 NID_secp224k1, /* secp224k1 (20) */
220 NID_secp224k1, /* secp224k1 (20) */ 223 NID_secp224r1, /* secp224r1 (21) */
221 NID_secp224r1, /* secp224r1 (21) */ 224 NID_sect193r1, /* sect193r1 (4) */
222 NID_sect193r1, /* sect193r1 (4) */ 225 NID_sect193r2, /* sect193r2 (5) */
223 NID_sect193r2, /* sect193r2 (5) */ 226 NID_secp192k1, /* secp192k1 (18) */
224 NID_secp192k1, /* secp192k1 (18) */ 227 NID_X9_62_prime192v1, /* secp192r1 (19) */
225 NID_X9_62_prime192v1, /* secp192r1 (19) */ 228 NID_sect163k1, /* sect163k1 (1) */
226 NID_sect163k1, /* sect163k1 (1) */ 229 NID_sect163r1, /* sect163r1 (2) */
227 NID_sect163r1, /* sect163r1 (2) */ 230 NID_sect163r2, /* sect163r2 (3) */
228 NID_sect163r2, /* sect163r2 (3) */ 231 NID_secp160k1, /* secp160k1 (15) */
229 NID_secp160k1, /* secp160k1 (15) */ 232 NID_secp160r1, /* secp160r1 (16) */
230 NID_secp160r1, /* secp160r1 (16) */ 233 NID_secp160r2, /* secp160r2 (17) */
231 NID_secp160r2, /* secp160r2 (17) */ 234};
232 };
233 235
234int tls1_ec_curve_id2nid(int curve_id) 236int
235 { 237tls1_ec_curve_id2nid(int curve_id)
238{
236 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 239 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237 if ((curve_id < 1) || ((unsigned int)curve_id > 240 if ((curve_id < 1) || ((unsigned int)curve_id >
238 sizeof(nid_list)/sizeof(nid_list[0]))) 241 sizeof(nid_list)/sizeof(nid_list[0])))
239 return 0; 242 return 0;
240 return nid_list[curve_id-1]; 243 return nid_list[curve_id - 1];
241 } 244}
242 245
243int tls1_ec_nid2curve_id(int nid) 246int
244 { 247tls1_ec_nid2curve_id(int nid)
248{
245 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 249 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246 switch (nid) 250 switch (nid) {
247 {
248 case NID_sect163k1: /* sect163k1 (1) */ 251 case NID_sect163k1: /* sect163k1 (1) */
249 return 1; 252 return 1;
250 case NID_sect163r1: /* sect163r1 (2) */ 253 case NID_sect163r1: /* sect163r1 (2) */
251 return 2; 254 return 2;
252 case NID_sect163r2: /* sect163r2 (3) */ 255 case NID_sect163r2: /* sect163r2 (3) */
253 return 3; 256 return 3;
254 case NID_sect193r1: /* sect193r1 (4) */ 257 case NID_sect193r1: /* sect193r1 (4) */
255 return 4; 258 return 4;
256 case NID_sect193r2: /* sect193r2 (5) */ 259 case NID_sect193r2: /* sect193r2 (5) */
257 return 5; 260 return 5;
258 case NID_sect233k1: /* sect233k1 (6) */ 261 case NID_sect233k1: /* sect233k1 (6) */
259 return 6; 262 return 6;
260 case NID_sect233r1: /* sect233r1 (7) */ 263 case NID_sect233r1: /* sect233r1 (7) */
261 return 7; 264 return 7;
262 case NID_sect239k1: /* sect239k1 (8) */ 265 case NID_sect239k1: /* sect239k1 (8) */
263 return 8; 266 return 8;
264 case NID_sect283k1: /* sect283k1 (9) */ 267 case NID_sect283k1: /* sect283k1 (9) */
265 return 9; 268 return 9;
266 case NID_sect283r1: /* sect283r1 (10) */ 269 case NID_sect283r1: /* sect283r1 (10) */
267 return 10; 270 return 10;
268 case NID_sect409k1: /* sect409k1 (11) */ 271 case NID_sect409k1: /* sect409k1 (11) */
269 return 11; 272 return 11;
270 case NID_sect409r1: /* sect409r1 (12) */ 273 case NID_sect409r1: /* sect409r1 (12) */
271 return 12; 274 return 12;
272 case NID_sect571k1: /* sect571k1 (13) */ 275 case NID_sect571k1: /* sect571k1 (13) */
273 return 13; 276 return 13;
274 case NID_sect571r1: /* sect571r1 (14) */ 277 case NID_sect571r1: /* sect571r1 (14) */
275 return 14; 278 return 14;
276 case NID_secp160k1: /* secp160k1 (15) */ 279 case NID_secp160k1: /* secp160k1 (15) */
277 return 15; 280 return 15;
278 case NID_secp160r1: /* secp160r1 (16) */ 281 case NID_secp160r1: /* secp160r1 (16) */
279 return 16; 282 return 16;
280 case NID_secp160r2: /* secp160r2 (17) */ 283 case NID_secp160r2: /* secp160r2 (17) */
281 return 17; 284 return 17;
282 case NID_secp192k1: /* secp192k1 (18) */ 285 case NID_secp192k1: /* secp192k1 (18) */
283 return 18; 286 return 18;
284 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 287 case NID_X9_62_prime192v1: /* secp192r1 (19) */
285 return 19; 288 return 19;
286 case NID_secp224k1: /* secp224k1 (20) */ 289 case NID_secp224k1: /* secp224k1 (20) */
287 return 20; 290 return 20;
288 case NID_secp224r1: /* secp224r1 (21) */ 291 case NID_secp224r1: /* secp224r1 (21) */
289 return 21; 292 return 21;
290 case NID_secp256k1: /* secp256k1 (22) */ 293 case NID_secp256k1: /* secp256k1 (22) */
291 return 22; 294 return 22;
292 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 295 case NID_X9_62_prime256v1: /* secp256r1 (23) */
293 return 23; 296 return 23;
294 case NID_secp384r1: /* secp384r1 (24) */ 297 case NID_secp384r1: /* secp384r1 (24) */
295 return 24; 298 return 24;
296 case NID_secp521r1: /* secp521r1 (25) */ 299 case NID_secp521r1: /* secp521r1 (25) */
297 return 25; 300 return 25;
298 default: 301 default:
299 return 0; 302 return 0;
300 }
301 } 303 }
304}
302#endif /* OPENSSL_NO_EC */ 305#endif /* OPENSSL_NO_EC */
303 306
304#ifndef OPENSSL_NO_TLSEXT 307#ifndef OPENSSL_NO_TLSEXT
@@ -344,33 +347,35 @@ static unsigned char tls12_sigalgs[] = {
344#endif 347#endif
345}; 348};
346 349
347int tls12_get_req_sig_algs(SSL *s, unsigned char *p) 350int
348 { 351tls12_get_req_sig_algs(SSL *s, unsigned char *p)
352{
349 size_t slen = sizeof(tls12_sigalgs); 353 size_t slen = sizeof(tls12_sigalgs);
350 if (p) 354 if (p)
351 memcpy(p, tls12_sigalgs, slen); 355 memcpy(p, tls12_sigalgs, slen);
352 return (int)slen; 356 return (int)slen;
353 } 357}
354 358
355unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 359unsigned char
356 { 360*ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
357 int extdatalen=0; 361{
362 int extdatalen = 0;
358 unsigned char *ret = p; 363 unsigned char *ret = p;
359 364
360 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 365 /* don't add extensions for SSLv3 unless doing secure renegotiation */
361 if (s->client_version == SSL3_VERSION 366 if (s->client_version == SSL3_VERSION
362 && !s->s3->send_connection_binding) 367 && !s->s3->send_connection_binding)
363 return p; 368 return p;
364 369
365 ret+=2; 370 ret += 2;
366 371
367 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 372 if (ret>=limit) return NULL; /* this really never occurs, but ... */
368 373
369 if (s->tlsext_hostname != NULL) 374 if (s->tlsext_hostname != NULL) {
370 {
371 /* Add TLS extension servername to the Client Hello message */ 375 /* Add TLS extension servername to the Client Hello message */
372 unsigned long size_str; 376 unsigned long size_str;
373 long lenmax; 377 long lenmax;
378
374 379
375 /* check for enough space. 380 /* check for enough space.
376 4 for the servername type and entension length 381 4 for the servername type and entension length
@@ -379,114 +384,117 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
379 2 for hostname length 384 2 for hostname length
380 + hostname length 385 + hostname length
381 */ 386 */
382 387
383 if ((lenmax = limit - ret - 9) < 0 388 if ((lenmax = limit - ret - 9) < 0
384 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 389 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
385 return NULL; 390 return NULL;
386 391
387 /* extension type and length */ 392 /* extension type and length */
388 s2n(TLSEXT_TYPE_server_name,ret); 393 s2n(TLSEXT_TYPE_server_name, ret);
389 s2n(size_str+5,ret); 394
390 395 s2n(size_str + 5, ret);
396
391 /* length of servername list */ 397 /* length of servername list */
392 s2n(size_str+3,ret); 398 s2n(size_str + 3, ret);
393 399
394 /* hostname type, length and hostname */ 400 /* hostname type, length and hostname */
395 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 401 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
396 s2n(size_str,ret); 402 s2n(size_str, ret);
397 memcpy(ret, s->tlsext_hostname, size_str); 403 memcpy(ret, s->tlsext_hostname, size_str);
398 ret+=size_str; 404 ret += size_str;
405 }
406
407 /* Add RI if renegotiating */
408 if (s->renegotiate) {
409 int el;
410
411 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
412 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
413 return NULL;
399 } 414 }
400 415
401 /* Add RI if renegotiating */ 416 if ((limit - p - 4 - el)
402 if (s->renegotiate) 417 < 0) return NULL;
403 { 418
404 int el; 419 s2n(TLSEXT_TYPE_renegotiate, ret);
405 420 s2n(el, ret);
406 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 421
407 { 422 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
408 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 423 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
409 return NULL; 424 return NULL;
410 } 425 }
411 426
412 if((limit - p - 4 - el) < 0) return NULL; 427 ret += el;
413 428 }
414 s2n(TLSEXT_TYPE_renegotiate,ret);
415 s2n(el,ret);
416
417 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
418 {
419 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
420 return NULL;
421 }
422
423 ret += el;
424 }
425 429
426#ifndef OPENSSL_NO_SRP 430#ifndef OPENSSL_NO_SRP
427 /* Add SRP username if there is one */ 431 /* Add SRP username if there is one */
428 if (s->srp_ctx.login != NULL) 432 if (s->srp_ctx.login != NULL)
429 { /* Add TLS extension SRP username to the Client Hello message */ 433 { /* Add TLS extension SRP username to the Client Hello message */
434
435 int login_len = strlen(s->srp_ctx.login);
430 436
431 int login_len = strlen(s->srp_ctx.login); 437 if (login_len > 255 || login_len == 0) {
432 if (login_len > 255 || login_len == 0)
433 {
434 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 438 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
435 return NULL; 439 return NULL;
436 } 440 }
437 441
438 /* check for enough space. 442 /* check for enough space.
439 4 for the srp type type and entension length 443 4 for the srp type type and entension length
440 1 for the srp user identity 444 1 for the srp user identity
441 + srp user identity length 445 + srp user identity length
442 */ 446 */
443 if ((limit - ret - 5 - login_len) < 0) return NULL; 447 if ((limit - ret - 5 - login_len)
448 < 0) return NULL;
449
444 450
445 /* fill in the extension */ 451 /* fill in the extension */
446 s2n(TLSEXT_TYPE_srp,ret); 452 s2n(TLSEXT_TYPE_srp, ret);
447 s2n(login_len+1,ret); 453 s2n(login_len + 1, ret);
448 (*ret++) = (unsigned char) login_len; 454 (*ret++) = (unsigned char) login_len;
449 memcpy(ret, s->srp_ctx.login, login_len); 455 memcpy(ret, s->srp_ctx.login, login_len);
450 ret+=login_len; 456 ret += login_len;
451 } 457 }
452#endif 458#endif
453 459
454#ifndef OPENSSL_NO_EC 460#ifndef OPENSSL_NO_EC
455 if (s->tlsext_ecpointformatlist != NULL && 461 if (s->tlsext_ecpointformatlist != NULL &&
456 s->version != DTLS1_VERSION) 462 s->version != DTLS1_VERSION) {
457 {
458 /* Add TLS extension ECPointFormats to the ClientHello message */ 463 /* Add TLS extension ECPointFormats to the ClientHello message */
459 long lenmax; 464 long lenmax;
465
466
467 if ((lenmax = limit - ret - 5)
468 < 0) return NULL;
460 469
461 if ((lenmax = limit - ret - 5) < 0) return NULL;
462 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 470 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
463 if (s->tlsext_ecpointformatlist_length > 255) 471 if (s->tlsext_ecpointformatlist_length > 255) {
464 {
465 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 472 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
466 return NULL; 473 return NULL;
467 } 474 }
468 475
469 s2n(TLSEXT_TYPE_ec_point_formats,ret); 476 s2n(TLSEXT_TYPE_ec_point_formats, ret);
470 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 477 s2n(s->tlsext_ecpointformatlist_length + 1, ret);
471 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 478 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
472 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 479 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
473 ret+=s->tlsext_ecpointformatlist_length; 480 ret += s->tlsext_ecpointformatlist_length;
474 } 481 }
475 if (s->tlsext_ellipticcurvelist != NULL && 482 if (s->tlsext_ellipticcurvelist != NULL &&
476 s->version != DTLS1_VERSION) 483 s->version != DTLS1_VERSION) {
477 {
478 /* Add TLS extension EllipticCurves to the ClientHello message */ 484 /* Add TLS extension EllipticCurves to the ClientHello message */
479 long lenmax; 485 long lenmax;
486
487
488 if ((lenmax = limit - ret - 6)
489 < 0) return NULL;
480 490
481 if ((lenmax = limit - ret - 6) < 0) return NULL;
482 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; 491 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
483 if (s->tlsext_ellipticcurvelist_length > 65532) 492 if (s->tlsext_ellipticcurvelist_length > 65532) {
484 {
485 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 493 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
486 return NULL; 494 return NULL;
487 } 495 }
488 496
489 s2n(TLSEXT_TYPE_elliptic_curves,ret); 497 s2n(TLSEXT_TYPE_elliptic_curves, ret);
490 s2n(s->tlsext_ellipticcurvelist_length + 2, ret); 498 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
491 499
492 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 500 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
@@ -496,111 +504,103 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
496 */ 504 */
497 s2n(s->tlsext_ellipticcurvelist_length, ret); 505 s2n(s->tlsext_ellipticcurvelist_length, ret);
498 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); 506 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
499 ret+=s->tlsext_ellipticcurvelist_length; 507 ret += s->tlsext_ellipticcurvelist_length;
500 } 508 }
501#endif /* OPENSSL_NO_EC */ 509#endif /* OPENSSL_NO_EC */
502 510
503 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 511 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
504 {
505 int ticklen; 512 int ticklen;
506 if (!s->new_session && s->session && s->session->tlsext_tick) 513 if (!s->new_session && s->session && s->session->tlsext_tick)
507 ticklen = s->session->tlsext_ticklen; 514 ticklen = s->session->tlsext_ticklen;
508 else if (s->session && s->tlsext_session_ticket && 515 else if (s->session && s->tlsext_session_ticket &&
509 s->tlsext_session_ticket->data) 516 s->tlsext_session_ticket->data) {
510 {
511 ticklen = s->tlsext_session_ticket->length; 517 ticklen = s->tlsext_session_ticket->length;
512 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 518 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
513 if (!s->session->tlsext_tick) 519 if (!s->session->tlsext_tick)
514 return NULL; 520 return NULL;
515 memcpy(s->session->tlsext_tick, 521 memcpy(s->session->tlsext_tick,
516 s->tlsext_session_ticket->data, 522 s->tlsext_session_ticket->data,
517 ticklen); 523 ticklen);
518 s->session->tlsext_ticklen = ticklen; 524 s->session->tlsext_ticklen = ticklen;
519 } 525 } else
520 else
521 ticklen = 0; 526 ticklen = 0;
522 if (ticklen == 0 && s->tlsext_session_ticket && 527 if (ticklen == 0 && s->tlsext_session_ticket &&
523 s->tlsext_session_ticket->data == NULL) 528 s->tlsext_session_ticket->data == NULL)
524 goto skip_ext; 529 goto skip_ext;
525 /* Check for enough room 2 for extension type, 2 for len 530 /* Check for enough room 2 for extension type, 2 for len
526 * rest for ticket 531 * rest for ticket
527 */ 532 */
528 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; 533 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
529 s2n(TLSEXT_TYPE_session_ticket,ret); 534 s2n(TLSEXT_TYPE_session_ticket, ret);
530 s2n(ticklen,ret); 535
531 if (ticklen) 536 s2n(ticklen, ret);
532 { 537 if (ticklen) {
533 memcpy(ret, s->session->tlsext_tick, ticklen); 538 memcpy(ret, s->session->tlsext_tick, ticklen);
534 ret += ticklen; 539 ret += ticklen;
535 }
536 } 540 }
537 skip_ext: 541 }
542 skip_ext:
538 543
539 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 544 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
540 {
541 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 545 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
542 return NULL; 546 return NULL;
543 s2n(TLSEXT_TYPE_signature_algorithms,ret); 547
548 s2n(TLSEXT_TYPE_signature_algorithms, ret);
544 s2n(sizeof(tls12_sigalgs) + 2, ret); 549 s2n(sizeof(tls12_sigalgs) + 2, ret);
545 s2n(sizeof(tls12_sigalgs), ret); 550 s2n(sizeof(tls12_sigalgs), ret);
546 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 551 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
547 ret += sizeof(tls12_sigalgs); 552 ret += sizeof(tls12_sigalgs);
548 } 553 }
549 554
550#ifdef TLSEXT_TYPE_opaque_prf_input 555#ifdef TLSEXT_TYPE_opaque_prf_input
551 if (s->s3->client_opaque_prf_input != NULL && 556 if (s->s3->client_opaque_prf_input != NULL &&
552 s->version != DTLS1_VERSION) 557 s->version != DTLS1_VERSION) {
553 {
554 size_t col = s->s3->client_opaque_prf_input_len; 558 size_t col = s->s3->client_opaque_prf_input_len;
555 559
556 if ((long)(limit - ret - 6 - col < 0)) 560 if ((long)(limit - ret - 6 - col < 0))
557 return NULL; 561 return NULL;
558 if (col > 0xFFFD) /* can't happen */ 562 if (col > 0xFFFD) /* can't happen */
559 return NULL; 563 return NULL;
560 564
561 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 565 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
566
562 s2n(col + 2, ret); 567 s2n(col + 2, ret);
563 s2n(col, ret); 568 s2n(col, ret);
564 memcpy(ret, s->s3->client_opaque_prf_input, col); 569 memcpy(ret, s->s3->client_opaque_prf_input, col);
565 ret += col; 570 ret += col;
566 } 571 }
567#endif 572#endif
568 573
569 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 574 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
570 s->version != DTLS1_VERSION) 575 s->version != DTLS1_VERSION) {
571 {
572 int i; 576 int i;
573 long extlen, idlen, itmp; 577 long extlen, idlen, itmp;
574 OCSP_RESPID *id; 578 OCSP_RESPID *id;
575 579
576 idlen = 0; 580 idlen = 0;
577 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 581 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
578 {
579 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 582 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
580 itmp = i2d_OCSP_RESPID(id, NULL); 583 itmp = i2d_OCSP_RESPID(id, NULL);
581 if (itmp <= 0) 584 if (itmp <= 0)
582 return NULL; 585 return NULL;
583 idlen += itmp + 2; 586 idlen += itmp + 2;
584 } 587 }
585 588
586 if (s->tlsext_ocsp_exts) 589 if (s->tlsext_ocsp_exts) {
587 {
588 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 590 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
589 if (extlen < 0) 591 if (extlen < 0)
590 return NULL; 592 return NULL;
591 } 593 } else
592 else
593 extlen = 0; 594 extlen = 0;
594 595
595 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 596 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
596 s2n(TLSEXT_TYPE_status_request, ret); 597 s2n(TLSEXT_TYPE_status_request, ret);
597 if (extlen + idlen > 0xFFF0) 598 if (extlen + idlen > 0xFFF0)
598 return NULL; 599 return NULL;
599 s2n(extlen + idlen + 5, ret); 600 s2n(extlen + idlen + 5, ret);
600 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 601 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
601 s2n(idlen, ret); 602 s2n(idlen, ret);
602 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 603 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
603 {
604 /* save position of id len */ 604 /* save position of id len */
605 unsigned char *q = ret; 605 unsigned char *q = ret;
606 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 606 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
@@ -609,16 +609,16 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
609 itmp = i2d_OCSP_RESPID(id, &ret); 609 itmp = i2d_OCSP_RESPID(id, &ret);
610 /* write id len */ 610 /* write id len */
611 s2n(itmp, q); 611 s2n(itmp, q);
612 } 612 }
613 s2n(extlen, ret); 613 s2n(extlen, ret);
614 if (extlen > 0) 614 if (extlen > 0)
615 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 615 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
616 } 616 }
617 617
618#ifndef OPENSSL_NO_HEARTBEATS 618#ifndef OPENSSL_NO_HEARTBEATS
619 /* Add Heartbeat extension */ 619 /* Add Heartbeat extension */
620 s2n(TLSEXT_TYPE_heartbeat,ret); 620 s2n(TLSEXT_TYPE_heartbeat, ret);
621 s2n(1,ret); 621 s2n(1, ret);
622 /* Set mode: 622 /* Set mode:
623 * 1: peer may send requests 623 * 1: peer may send requests
624 * 2: peer not allowed to send requests 624 * 2: peer not allowed to send requests
@@ -630,36 +630,34 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
630#endif 630#endif
631 631
632#ifndef OPENSSL_NO_NEXTPROTONEG 632#ifndef OPENSSL_NO_NEXTPROTONEG
633 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) 633 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
634 {
635 /* The client advertises an emtpy extension to indicate its 634 /* The client advertises an emtpy extension to indicate its
636 * support for Next Protocol Negotiation */ 635 * support for Next Protocol Negotiation */
637 if (limit - ret - 4 < 0) 636 if (limit - ret - 4 < 0)
638 return NULL; 637 return NULL;
639 s2n(TLSEXT_TYPE_next_proto_neg,ret); 638 s2n(TLSEXT_TYPE_next_proto_neg, ret);
640 s2n(0,ret); 639 s2n(0, ret);
641 } 640 }
642#endif 641#endif
643 642
644#ifndef OPENSSL_NO_SRTP 643#ifndef OPENSSL_NO_SRTP
645 if(SSL_get_srtp_profiles(s)) 644 if (SSL_get_srtp_profiles(s)) {
646 { 645 int el;
647 int el;
648 646
649 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 647 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
650
651 if((limit - p - 4 - el) < 0) return NULL;
652 648
653 s2n(TLSEXT_TYPE_use_srtp,ret); 649 if ((limit - p - 4 - el)
654 s2n(el,ret); 650 < 0) return NULL;
655 651
656 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) 652 s2n(TLSEXT_TYPE_use_srtp, ret);
657 { 653 s2n(el, ret);
654
655 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
658 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 656 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
659 return NULL; 657 return NULL;
660 } 658 }
661 ret += el; 659 ret += el;
662 } 660 }
663#endif 661#endif
664 662
665#ifdef TLSEXT_TYPE_padding 663#ifdef TLSEXT_TYPE_padding
@@ -670,38 +668,38 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
670 * extensions it MUST always appear last. 668 * extensions it MUST always appear last.
671 */ 669 */
672 { 670 {
673 int hlen = ret - (unsigned char *)s->init_buf->data; 671 int hlen = ret - (unsigned char *)s->init_buf->data;
674 /* The code in s23_clnt.c to build ClientHello messages includes the 672 /* The code in s23_clnt.c to build ClientHello messages includes the
675 * 5-byte record header in the buffer, while the code in s3_clnt.c does 673 * 5-byte record header in the buffer, while the code in s3_clnt.c does
676 * not. */ 674 * not. */
677 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 675 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
678 hlen -= 5; 676 hlen -= 5;
679 if (hlen > 0xff && hlen < 0x200) 677 if (hlen > 0xff && hlen < 0x200) {
680 { 678 hlen = 0x200 - hlen;
681 hlen = 0x200 - hlen; 679 if (hlen >= 4)
682 if (hlen >= 4) 680 hlen -= 4;
683 hlen -= 4; 681 else
684 else 682 hlen = 0;
685 hlen = 0;
686 683
687 s2n(TLSEXT_TYPE_padding, ret); 684 s2n(TLSEXT_TYPE_padding, ret);
688 s2n(hlen, ret); 685 s2n(hlen, ret);
689 memset(ret, 0, hlen); 686 memset(ret, 0, hlen);
690 ret += hlen; 687 ret += hlen;
691 } 688 }
692 } 689 }
693#endif 690#endif
694 691
695 if ((extdatalen = ret-p-2)== 0) 692 if ((extdatalen = ret - p - 2) == 0)
696 return p; 693 return p;
697 694
698 s2n(extdatalen,p); 695 s2n(extdatalen, p);
699 return ret; 696 return ret;
700 } 697}
701 698
702unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 699unsigned char
703 { 700*ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
704 int extdatalen=0; 701{
702 int extdatalen = 0;
705 unsigned char *ret = p; 703 unsigned char *ret = p;
706#ifndef OPENSSL_NO_NEXTPROTONEG 704#ifndef OPENSSL_NO_NEXTPROTONEG
707 int next_proto_neg_seen; 705 int next_proto_neg_seen;
@@ -710,143 +708,141 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
710 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 708 /* don't add extensions for SSLv3, unless doing secure renegotiation */
711 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 709 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
712 return p; 710 return p;
713 711
714 ret+=2; 712 ret += 2;
715 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 713 if (ret>=limit) return NULL; /* this really never occurs, but ... */
716 714
717 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) 715 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) {
718 { 716 if ((long)(limit - ret - 4) < 0) return NULL;
719 if ((long)(limit - ret - 4) < 0) return NULL; 717
718
719 s2n(TLSEXT_TYPE_server_name, ret);
720 s2n(0, ret);
721 }
722
723 if (s->s3->send_connection_binding) {
724 int el;
720 725
721 s2n(TLSEXT_TYPE_server_name,ret); 726 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
722 s2n(0,ret); 727 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
728 return NULL;
723 } 729 }
724 730
725 if(s->s3->send_connection_binding) 731 if ((limit - p - 4 - el)
726 { 732 < 0) return NULL;
727 int el; 733
728 734 s2n(TLSEXT_TYPE_renegotiate, ret);
729 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) 735 s2n(el, ret);
730 { 736
731 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 737 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
732 return NULL; 738 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
733 } 739 return NULL;
734 740 }
735 if((limit - p - 4 - el) < 0) return NULL; 741
736 742 ret += el;
737 s2n(TLSEXT_TYPE_renegotiate,ret); 743 }
738 s2n(el,ret);
739
740 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
741 {
742 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
743 return NULL;
744 }
745
746 ret += el;
747 }
748 744
749#ifndef OPENSSL_NO_EC 745#ifndef OPENSSL_NO_EC
750 if (s->tlsext_ecpointformatlist != NULL && 746 if (s->tlsext_ecpointformatlist != NULL &&
751 s->version != DTLS1_VERSION) 747 s->version != DTLS1_VERSION) {
752 {
753 /* Add TLS extension ECPointFormats to the ServerHello message */ 748 /* Add TLS extension ECPointFormats to the ServerHello message */
754 long lenmax; 749 long lenmax;
750
751
752 if ((lenmax = limit - ret - 5)
753 < 0) return NULL;
755 754
756 if ((lenmax = limit - ret - 5) < 0) return NULL;
757 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 755 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
758 if (s->tlsext_ecpointformatlist_length > 255) 756 if (s->tlsext_ecpointformatlist_length > 255) {
759 {
760 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 757 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
761 return NULL; 758 return NULL;
762 } 759 }
763 760
764 s2n(TLSEXT_TYPE_ec_point_formats,ret); 761 s2n(TLSEXT_TYPE_ec_point_formats, ret);
765 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 762 s2n(s->tlsext_ecpointformatlist_length + 1, ret);
766 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 763 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
767 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 764 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
768 ret+=s->tlsext_ecpointformatlist_length; 765 ret += s->tlsext_ecpointformatlist_length;
769 766
770 } 767 }
771 /* Currently the server should not respond with a SupportedCurves extension */ 768 /* Currently the server should not respond with a SupportedCurves extension */
772#endif /* OPENSSL_NO_EC */ 769#endif /* OPENSSL_NO_EC */
773 770
774 if (s->tlsext_ticket_expected 771 if (s->tlsext_ticket_expected
775 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 772 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
776 { 773 if ((long)(limit - ret - 4) < 0) return NULL;
777 if ((long)(limit - ret - 4) < 0) return NULL;
778 s2n(TLSEXT_TYPE_session_ticket,ret);
779 s2n(0,ret);
780 }
781 774
782 if (s->tlsext_status_expected) 775 s2n(TLSEXT_TYPE_session_ticket, ret);
783 { 776 s2n(0, ret);
784 if ((long)(limit - ret - 4) < 0) return NULL; 777 }
785 s2n(TLSEXT_TYPE_status_request,ret); 778
786 s2n(0,ret); 779 if (s->tlsext_status_expected) {
787 } 780 if ((long)(limit - ret - 4) < 0) return NULL;
781
782 s2n(TLSEXT_TYPE_status_request, ret);
783 s2n(0, ret);
784 }
788 785
789#ifdef TLSEXT_TYPE_opaque_prf_input 786#ifdef TLSEXT_TYPE_opaque_prf_input
790 if (s->s3->server_opaque_prf_input != NULL && 787 if (s->s3->server_opaque_prf_input != NULL &&
791 s->version != DTLS1_VERSION) 788 s->version != DTLS1_VERSION) {
792 {
793 size_t sol = s->s3->server_opaque_prf_input_len; 789 size_t sol = s->s3->server_opaque_prf_input_len;
794 790
795 if ((long)(limit - ret - 6 - sol) < 0) 791 if ((long)(limit - ret - 6 - sol) < 0)
796 return NULL; 792 return NULL;
797 if (sol > 0xFFFD) /* can't happen */ 793 if (sol > 0xFFFD) /* can't happen */
798 return NULL; 794 return NULL;
799 795
800 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 796 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
797
801 s2n(sol + 2, ret); 798 s2n(sol + 2, ret);
802 s2n(sol, ret); 799 s2n(sol, ret);
803 memcpy(ret, s->s3->server_opaque_prf_input, sol); 800 memcpy(ret, s->s3->server_opaque_prf_input, sol);
804 ret += sol; 801 ret += sol;
805 } 802 }
806#endif 803#endif
807 804
808#ifndef OPENSSL_NO_SRTP 805#ifndef OPENSSL_NO_SRTP
809 if(s->srtp_profile) 806 if (s->srtp_profile) {
810 { 807 int el;
811 int el;
812 808
813 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 809 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
814
815 if((limit - p - 4 - el) < 0) return NULL;
816 810
817 s2n(TLSEXT_TYPE_use_srtp,ret); 811 if ((limit - p - 4 - el) < 0)
818 s2n(el,ret); 812 return NULL;
819 813
820 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) 814 s2n(TLSEXT_TYPE_use_srtp, ret);
821 { 815 s2n(el, ret);
816
817 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
822 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 818 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
823 return NULL; 819 return NULL;
824 } 820 }
825 ret+=el; 821 ret += el;
826 } 822 }
827#endif 823#endif
828 824
829 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 825 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
830 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 826 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
831 { const unsigned char cryptopro_ext[36] = { 827 const unsigned char cryptopro_ext[36] = {
832 0xfd, 0xe8, /*65000*/ 828 0xfd, 0xe8, /*65000*/
833 0x00, 0x20, /*32 bytes length*/ 829 0x00, 0x20, /*32 bytes length*/
834 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 830 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
835 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 831 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
836 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 832 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
837 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17}; 833 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
838 if (limit-ret<36) return NULL; 834 };
839 memcpy(ret,cryptopro_ext,36); 835 if (limit - ret < 36)
840 ret+=36; 836 return NULL;
841 837 memcpy(ret, cryptopro_ext, 36);
842 } 838 ret += 36;
839 }
843 840
844#ifndef OPENSSL_NO_HEARTBEATS 841#ifndef OPENSSL_NO_HEARTBEATS
845 /* Add Heartbeat extension if we've received one */ 842 /* Add Heartbeat extension if we've received one */
846 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) 843 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
847 { 844 s2n(TLSEXT_TYPE_heartbeat, ret);
848 s2n(TLSEXT_TYPE_heartbeat,ret); 845 s2n(1, ret);
849 s2n(1,ret);
850 /* Set mode: 846 /* Set mode:
851 * 1: peer may send requests 847 * 1: peer may send requests
852 * 2: peer not allowed to send requests 848 * 2: peer not allowed to send requests
@@ -856,37 +852,35 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
856 else 852 else
857 *(ret++) = SSL_TLSEXT_HB_ENABLED; 853 *(ret++) = SSL_TLSEXT_HB_ENABLED;
858 854
859 } 855 }
860#endif 856#endif
861 857
862#ifndef OPENSSL_NO_NEXTPROTONEG 858#ifndef OPENSSL_NO_NEXTPROTONEG
863 next_proto_neg_seen = s->s3->next_proto_neg_seen; 859 next_proto_neg_seen = s->s3->next_proto_neg_seen;
864 s->s3->next_proto_neg_seen = 0; 860 s->s3->next_proto_neg_seen = 0;
865 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) 861 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
866 {
867 const unsigned char *npa; 862 const unsigned char *npa;
868 unsigned int npalen; 863 unsigned int npalen;
869 int r; 864 int r;
870 865
871 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); 866 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
872 if (r == SSL_TLSEXT_ERR_OK) 867 if (r == SSL_TLSEXT_ERR_OK) {
873 {
874 if ((long)(limit - ret - 4 - npalen) < 0) return NULL; 868 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
875 s2n(TLSEXT_TYPE_next_proto_neg,ret); 869 s2n(TLSEXT_TYPE_next_proto_neg, ret);
876 s2n(npalen,ret); 870 s2n(npalen, ret);
877 memcpy(ret, npa, npalen); 871 memcpy(ret, npa, npalen);
878 ret += npalen; 872 ret += npalen;
879 s->s3->next_proto_neg_seen = 1; 873 s->s3->next_proto_neg_seen = 1;
880 }
881 } 874 }
875 }
882#endif 876#endif
883 877
884 if ((extdatalen = ret-p-2)== 0) 878 if ((extdatalen = ret - p - 2) == 0)
885 return p; 879 return p;
886 880
887 s2n(extdatalen,p); 881 s2n(extdatalen, p);
888 return ret; 882 return ret;
889 } 883}
890 884
891#ifndef OPENSSL_NO_EC 885#ifndef OPENSSL_NO_EC
892/* ssl_check_for_safari attempts to fingerprint Safari using OS X 886/* ssl_check_for_safari attempts to fingerprint Safari using OS X
@@ -901,7 +895,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
901 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 895 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
902 * 10.8..10.8.3 (which don't work). 896 * 10.8..10.8.3 (which don't work).
903 */ 897 */
904static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { 898static void
899ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
905 unsigned short type, size; 900 unsigned short type, size;
906 static const unsigned char kSafariExtensionsBlock[] = { 901 static const unsigned char kSafariExtensionsBlock[] = {
907 0x00, 0x0a, /* elliptic_curves extension */ 902 0x00, 0x0a, /* elliptic_curves extension */
@@ -929,50 +924,49 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsign
929 0x02, 0x03, /* SHA-1/ECDSA */ 924 0x02, 0x03, /* SHA-1/ECDSA */
930 }; 925 };
931 926
932 if (data >= (d+n-2)) 927 if (data >= (d + n - 2))
933 return; 928 return;
934 data += 2; 929 data += 2;
935 930
936 if (data > (d+n-4)) 931 if (data > (d + n - 4))
937 return; 932 return;
938 n2s(data,type); 933 n2s(data, type);
939 n2s(data,size); 934 n2s(data, size);
940 935
941 if (type != TLSEXT_TYPE_server_name) 936 if (type != TLSEXT_TYPE_server_name)
942 return; 937 return;
943 938
944 if (data+size > d+n) 939 if (data + size > d + n)
945 return; 940 return;
946 data += size; 941 data += size;
947 942
948 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 943 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
949 {
950 const size_t len1 = sizeof(kSafariExtensionsBlock); 944 const size_t len1 = sizeof(kSafariExtensionsBlock);
951 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 945 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
952 946
953 if (data + len1 + len2 != d+n) 947 if (data + len1 + len2 != d + n)
954 return; 948 return;
955 if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 949 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
956 return; 950 return;
957 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 951 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
958 return; 952 return;
959 } 953 } else {
960 else
961 {
962 const size_t len = sizeof(kSafariExtensionsBlock); 954 const size_t len = sizeof(kSafariExtensionsBlock);
963 955
964 if (data + len != d+n) 956 if (data + len != d + n)
965 return; 957 return;
966 if (memcmp(data, kSafariExtensionsBlock, len) != 0) 958 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
967 return; 959 return;
968 } 960 }
969 961
970 s->s3->is_probably_safari = 1; 962 s->s3->is_probably_safari = 1;
971} 963}
972#endif /* !OPENSSL_NO_EC */ 964#endif /* !OPENSSL_NO_EC */
973 965
974int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 966int
975 { 967ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
968 int n, int *al)
969{
976 unsigned short type; 970 unsigned short type;
977 unsigned short size; 971 unsigned short size;
978 unsigned short len; 972 unsigned short len;
@@ -988,7 +982,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
988 982
989#ifndef OPENSSL_NO_HEARTBEATS 983#ifndef OPENSSL_NO_HEARTBEATS
990 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 984 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
991 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 985 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
992#endif 986#endif
993 987
994#ifndef OPENSSL_NO_EC 988#ifndef OPENSSL_NO_EC
@@ -996,26 +990,25 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
996 ssl_check_for_safari(s, data, d, n); 990 ssl_check_for_safari(s, data, d, n);
997#endif /* !OPENSSL_NO_EC */ 991#endif /* !OPENSSL_NO_EC */
998 992
999 if (data >= (d+n-2)) 993 if (data >= (d + n - 2))
1000 goto ri_check; 994 goto ri_check;
1001 n2s(data,len); 995 n2s(data, len);
1002 996
1003 if (data > (d+n-len)) 997 if (data > (d + n - len))
1004 goto ri_check; 998 goto ri_check;
1005 999
1006 while (data <= (d+n-4)) 1000 while (data <= (d + n - 4)) {
1007 { 1001 n2s(data, type);
1008 n2s(data,type); 1002 n2s(data, size);
1009 n2s(data,size);
1010 1003
1011 if (data+size > (d+n)) 1004 if (data + size > (d + n))
1012 goto ri_check; 1005 goto ri_check;
1013#if 0 1006#if 0
1014 fprintf(stderr,"Received extension type %d size %d\n",type,size); 1007 fprintf(stderr, "Received extension type %d size %d\n", type, size);
1015#endif 1008#endif
1016 if (s->tlsext_debug_cb) 1009 if (s->tlsext_debug_cb)
1017 s->tlsext_debug_cb(s, 0, type, data, size, 1010 s->tlsext_debug_cb(s, 0, type, data, size,
1018 s->tlsext_debug_arg); 1011 s->tlsext_debug_arg);
1019/* The servername extension is treated as follows: 1012/* The servername extension is treated as follows:
1020 1013
1021 - Only the hostname type is supported with a maximum length of 255. 1014 - Only the hostname type is supported with a maximum length of 255.
@@ -1039,206 +1032,180 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1039 1032
1040*/ 1033*/
1041 1034
1042 if (type == TLSEXT_TYPE_server_name) 1035 if (type == TLSEXT_TYPE_server_name) {
1043 {
1044 unsigned char *sdata; 1036 unsigned char *sdata;
1045 int servname_type; 1037 int servname_type;
1046 int dsize; 1038 int dsize;
1047 1039
1048 if (size < 2) 1040
1049 { 1041 if (size < 2) {
1050 *al = SSL_AD_DECODE_ERROR; 1042 *al = SSL_AD_DECODE_ERROR;
1051 return 0; 1043 return 0;
1052 } 1044 }
1053 n2s(data,dsize); 1045 n2s(data, dsize);
1046
1054 size -= 2; 1047 size -= 2;
1055 if (dsize > size ) 1048 if (dsize > size) {
1056 {
1057 *al = SSL_AD_DECODE_ERROR; 1049 *al = SSL_AD_DECODE_ERROR;
1058 return 0; 1050 return 0;
1059 } 1051 }
1060 1052
1061 sdata = data; 1053 sdata = data;
1062 while (dsize > 3) 1054 while (dsize > 3) {
1063 { 1055 servname_type = *(sdata++);
1064 servname_type = *(sdata++); 1056
1065 n2s(sdata,len); 1057 n2s(sdata, len);
1066 dsize -= 3; 1058 dsize -= 3;
1067 1059
1068 if (len > dsize) 1060 if (len > dsize) {
1069 {
1070 *al = SSL_AD_DECODE_ERROR; 1061 *al = SSL_AD_DECODE_ERROR;
1071 return 0; 1062 return 0;
1072 } 1063 }
1073 if (s->servername_done == 0) 1064 if (s->servername_done == 0)
1074 switch (servname_type) 1065 switch (servname_type) {
1075 {
1076 case TLSEXT_NAMETYPE_host_name: 1066 case TLSEXT_NAMETYPE_host_name:
1077 if (!s->hit) 1067 if (!s->hit) {
1078 { 1068 if (s->session->tlsext_hostname) {
1079 if(s->session->tlsext_hostname)
1080 {
1081 *al = SSL_AD_DECODE_ERROR; 1069 *al = SSL_AD_DECODE_ERROR;
1082 return 0; 1070 return 0;
1083 } 1071 }
1084 if (len > TLSEXT_MAXLEN_host_name) 1072 if (len > TLSEXT_MAXLEN_host_name) {
1085 {
1086 *al = TLS1_AD_UNRECOGNIZED_NAME; 1073 *al = TLS1_AD_UNRECOGNIZED_NAME;
1087 return 0; 1074 return 0;
1088 } 1075 }
1089 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) 1076 if ((s->session->tlsext_hostname = OPENSSL_malloc(len + 1)) == NULL) {
1090 {
1091 *al = TLS1_AD_INTERNAL_ERROR; 1077 *al = TLS1_AD_INTERNAL_ERROR;
1092 return 0; 1078 return 0;
1093 } 1079 }
1094 memcpy(s->session->tlsext_hostname, sdata, len); 1080 memcpy(s->session->tlsext_hostname, sdata, len);
1095 s->session->tlsext_hostname[len]='\0'; 1081 s->session->tlsext_hostname[len] = '\0';
1096 if (strlen(s->session->tlsext_hostname) != len) { 1082 if (strlen(s->session->tlsext_hostname) != len) {
1097 OPENSSL_free(s->session->tlsext_hostname); 1083 OPENSSL_free(s->session->tlsext_hostname);
1098 s->session->tlsext_hostname = NULL; 1084 s->session->tlsext_hostname = NULL;
1099 *al = TLS1_AD_UNRECOGNIZED_NAME; 1085 *al = TLS1_AD_UNRECOGNIZED_NAME;
1100 return 0; 1086 return 0;
1101 } 1087 }
1102 s->servername_done = 1; 1088 s->servername_done = 1;
1103 1089
1104 } 1090
1105 else 1091 } else
1106 s->servername_done = s->session->tlsext_hostname 1092 s->servername_done = s->session->tlsext_hostname
1107 && strlen(s->session->tlsext_hostname) == len 1093 && strlen(s->session->tlsext_hostname) == len
1108 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1094 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1109 1095
1110 break; 1096 break;
1111 1097
1112 default: 1098 default:
1113 break; 1099 break;
1114 }
1115
1116 dsize -= len;
1117 } 1100 }
1118 if (dsize != 0) 1101
1119 { 1102 dsize -= len;
1103 }
1104 if (dsize != 0) {
1120 *al = SSL_AD_DECODE_ERROR; 1105 *al = SSL_AD_DECODE_ERROR;
1121 return 0; 1106 return 0;
1122 }
1123
1124 } 1107 }
1108
1109 }
1125#ifndef OPENSSL_NO_SRP 1110#ifndef OPENSSL_NO_SRP
1126 else if (type == TLSEXT_TYPE_srp) 1111 else if (type == TLSEXT_TYPE_srp) {
1127 { 1112 if (size <= 0 || ((len = data[0])) != (size - 1)) {
1128 if (size <= 0 || ((len = data[0])) != (size -1))
1129 {
1130 *al = SSL_AD_DECODE_ERROR; 1113 *al = SSL_AD_DECODE_ERROR;
1131 return 0; 1114 return 0;
1132 } 1115 }
1133 if (s->srp_ctx.login != NULL) 1116 if (s->srp_ctx.login != NULL) {
1134 {
1135 *al = SSL_AD_DECODE_ERROR; 1117 *al = SSL_AD_DECODE_ERROR;
1136 return 0; 1118 return 0;
1137 } 1119 }
1138 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL) 1120 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
1139 return -1; 1121 return -1;
1140 memcpy(s->srp_ctx.login, &data[1], len); 1122 memcpy(s->srp_ctx.login, &data[1], len);
1141 s->srp_ctx.login[len]='\0'; 1123 s->srp_ctx.login[len] = '\0';
1142 1124
1143 if (strlen(s->srp_ctx.login) != len) 1125 if (strlen(s->srp_ctx.login) != len) {
1144 {
1145 *al = SSL_AD_DECODE_ERROR; 1126 *al = SSL_AD_DECODE_ERROR;
1146 return 0; 1127 return 0;
1147 }
1148 } 1128 }
1129 }
1149#endif 1130#endif
1150 1131
1151#ifndef OPENSSL_NO_EC 1132#ifndef OPENSSL_NO_EC
1152 else if (type == TLSEXT_TYPE_ec_point_formats && 1133 else if (type == TLSEXT_TYPE_ec_point_formats &&
1153 s->version != DTLS1_VERSION) 1134 s->version != DTLS1_VERSION) {
1154 {
1155 unsigned char *sdata = data; 1135 unsigned char *sdata = data;
1156 int ecpointformatlist_length = *(sdata++); 1136 int ecpointformatlist_length = *(sdata++);
1157 1137
1158 if (ecpointformatlist_length != size - 1) 1138 if (ecpointformatlist_length != size - 1) {
1159 {
1160 *al = TLS1_AD_DECODE_ERROR; 1139 *al = TLS1_AD_DECODE_ERROR;
1161 return 0; 1140 return 0;
1162 } 1141 }
1163 if (!s->hit) 1142 if (!s->hit) {
1164 { 1143 if (s->session->tlsext_ecpointformatlist) {
1165 if(s->session->tlsext_ecpointformatlist)
1166 {
1167 OPENSSL_free(s->session->tlsext_ecpointformatlist); 1144 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1168 s->session->tlsext_ecpointformatlist = NULL; 1145 s->session->tlsext_ecpointformatlist = NULL;
1169 } 1146 }
1170 s->session->tlsext_ecpointformatlist_length = 0; 1147 s->session->tlsext_ecpointformatlist_length = 0;
1171 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1148 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
1172 {
1173 *al = TLS1_AD_INTERNAL_ERROR; 1149 *al = TLS1_AD_INTERNAL_ERROR;
1174 return 0; 1150 return 0;
1175 } 1151 }
1176 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1152 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1177 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1153 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1178 } 1154 }
1179#if 0 1155#if 0
1180 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); 1156 fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1181 sdata = s->session->tlsext_ecpointformatlist; 1157 sdata = s->session->tlsext_ecpointformatlist;
1182 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1158 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1183 fprintf(stderr,"%i ",*(sdata++)); 1159 fprintf(stderr, "%i ", *(sdata++));
1184 fprintf(stderr,"\n"); 1160 fprintf(stderr, "\n");
1185#endif 1161#endif
1186 } 1162 } else if (type == TLSEXT_TYPE_elliptic_curves &&
1187 else if (type == TLSEXT_TYPE_elliptic_curves && 1163 s->version != DTLS1_VERSION) {
1188 s->version != DTLS1_VERSION)
1189 {
1190 unsigned char *sdata = data; 1164 unsigned char *sdata = data;
1191 int ellipticcurvelist_length = (*(sdata++) << 8); 1165 int ellipticcurvelist_length = (*(sdata++) << 8);
1192 ellipticcurvelist_length += (*(sdata++)); 1166 ellipticcurvelist_length += (*(sdata++));
1193 1167
1194 if (ellipticcurvelist_length != size - 2 || 1168 if (ellipticcurvelist_length != size - 2 ||
1195 ellipticcurvelist_length < 1) 1169 ellipticcurvelist_length < 1) {
1196 {
1197 *al = TLS1_AD_DECODE_ERROR; 1170 *al = TLS1_AD_DECODE_ERROR;
1198 return 0; 1171 return 0;
1199 } 1172 }
1200 if (!s->hit) 1173 if (!s->hit) {
1201 { 1174 if (s->session->tlsext_ellipticcurvelist) {
1202 if(s->session->tlsext_ellipticcurvelist)
1203 {
1204 *al = TLS1_AD_DECODE_ERROR; 1175 *al = TLS1_AD_DECODE_ERROR;
1205 return 0; 1176 return 0;
1206 } 1177 }
1207 s->session->tlsext_ellipticcurvelist_length = 0; 1178 s->session->tlsext_ellipticcurvelist_length = 0;
1208 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) 1179 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
1209 {
1210 *al = TLS1_AD_INTERNAL_ERROR; 1180 *al = TLS1_AD_INTERNAL_ERROR;
1211 return 0; 1181 return 0;
1212 } 1182 }
1213 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; 1183 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1214 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); 1184 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1215 } 1185 }
1216#if 0 1186#if 0
1217 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); 1187 fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1218 sdata = s->session->tlsext_ellipticcurvelist; 1188 sdata = s->session->tlsext_ellipticcurvelist;
1219 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) 1189 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1220 fprintf(stderr,"%i ",*(sdata++)); 1190 fprintf(stderr, "%i ", *(sdata++));
1221 fprintf(stderr,"\n"); 1191 fprintf(stderr, "\n");
1222#endif 1192#endif
1223 } 1193 }
1224#endif /* OPENSSL_NO_EC */ 1194#endif /* OPENSSL_NO_EC */
1225#ifdef TLSEXT_TYPE_opaque_prf_input 1195#ifdef TLSEXT_TYPE_opaque_prf_input
1226 else if (type == TLSEXT_TYPE_opaque_prf_input && 1196 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1227 s->version != DTLS1_VERSION) 1197 s->version != DTLS1_VERSION) {
1228 {
1229 unsigned char *sdata = data; 1198 unsigned char *sdata = data;
1230 1199
1231 if (size < 2) 1200 if (size < 2) {
1232 {
1233 *al = SSL_AD_DECODE_ERROR; 1201 *al = SSL_AD_DECODE_ERROR;
1234 return 0; 1202 return 0;
1235 } 1203 }
1236 n2s(sdata, s->s3->client_opaque_prf_input_len); 1204 n2s(sdata, s->s3->client_opaque_prf_input_len);
1237 if (s->s3->client_opaque_prf_input_len != size - 2) 1205 if (s->s3->client_opaque_prf_input_len != size - 2) {
1238 {
1239 *al = SSL_AD_DECODE_ERROR; 1206 *al = SSL_AD_DECODE_ERROR;
1240 return 0; 1207 return 0;
1241 } 1208 }
1242 1209
1243 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1210 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1244 OPENSSL_free(s->s3->client_opaque_prf_input); 1211 OPENSSL_free(s->s3->client_opaque_prf_input);
@@ -1246,183 +1213,154 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1246 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1213 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1247 else 1214 else
1248 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); 1215 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1249 if (s->s3->client_opaque_prf_input == NULL) 1216 if (s->s3->client_opaque_prf_input == NULL) {
1250 {
1251 *al = TLS1_AD_INTERNAL_ERROR; 1217 *al = TLS1_AD_INTERNAL_ERROR;
1252 return 0; 1218 return 0;
1253 }
1254 } 1219 }
1220 }
1255#endif 1221#endif
1256 else if (type == TLSEXT_TYPE_session_ticket) 1222 else if (type == TLSEXT_TYPE_session_ticket) {
1257 {
1258 if (s->tls_session_ticket_ext_cb && 1223 if (s->tls_session_ticket_ext_cb &&
1259 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1224 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1260 {
1261 *al = TLS1_AD_INTERNAL_ERROR; 1225 *al = TLS1_AD_INTERNAL_ERROR;
1262 return 0; 1226 return 0;
1263 }
1264 } 1227 }
1265 else if (type == TLSEXT_TYPE_renegotiate) 1228 } else if (type == TLSEXT_TYPE_renegotiate) {
1266 { 1229 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1267 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1268 return 0; 1230 return 0;
1269 renegotiate_seen = 1; 1231 renegotiate_seen = 1;
1270 } 1232 } else if (type == TLSEXT_TYPE_signature_algorithms) {
1271 else if (type == TLSEXT_TYPE_signature_algorithms)
1272 {
1273 int dsize; 1233 int dsize;
1274 if (sigalg_seen || size < 2) 1234 if (sigalg_seen || size < 2) {
1275 {
1276 *al = SSL_AD_DECODE_ERROR; 1235 *al = SSL_AD_DECODE_ERROR;
1277 return 0; 1236 return 0;
1278 } 1237 }
1279 sigalg_seen = 1; 1238 sigalg_seen = 1;
1280 n2s(data,dsize); 1239 n2s(data, dsize);
1281 size -= 2; 1240 size -= 2;
1282 if (dsize != size || dsize & 1) 1241 if (dsize != size || dsize & 1) {
1283 {
1284 *al = SSL_AD_DECODE_ERROR; 1242 *al = SSL_AD_DECODE_ERROR;
1285 return 0; 1243 return 0;
1286 } 1244 }
1287 if (!tls1_process_sigalgs(s, data, dsize)) 1245 if (!tls1_process_sigalgs(s, data, dsize)) {
1288 {
1289 *al = SSL_AD_DECODE_ERROR; 1246 *al = SSL_AD_DECODE_ERROR;
1290 return 0; 1247 return 0;
1291 }
1292 } 1248 }
1293 else if (type == TLSEXT_TYPE_status_request && 1249 } else if (type == TLSEXT_TYPE_status_request &&
1294 s->version != DTLS1_VERSION) 1250 s->version != DTLS1_VERSION) {
1295 { 1251
1296 1252 if (size < 5) {
1297 if (size < 5)
1298 {
1299 *al = SSL_AD_DECODE_ERROR; 1253 *al = SSL_AD_DECODE_ERROR;
1300 return 0; 1254 return 0;
1301 } 1255 }
1302 1256
1303 s->tlsext_status_type = *data++; 1257 s->tlsext_status_type = *data++;
1304 size--; 1258 size--;
1305 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 1259 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1306 {
1307 const unsigned char *sdata; 1260 const unsigned char *sdata;
1308 int dsize; 1261 int dsize;
1309 /* Read in responder_id_list */ 1262 /* Read in responder_id_list */
1310 n2s(data,dsize); 1263 n2s(data, dsize);
1311 size -= 2; 1264 size -= 2;
1312 if (dsize > size ) 1265 if (dsize > size ) {
1313 {
1314 *al = SSL_AD_DECODE_ERROR; 1266 *al = SSL_AD_DECODE_ERROR;
1315 return 0; 1267 return 0;
1316 } 1268 }
1317 while (dsize > 0) 1269 while (dsize > 0) {
1318 {
1319 OCSP_RESPID *id; 1270 OCSP_RESPID *id;
1320 int idsize; 1271 int idsize;
1321 if (dsize < 4) 1272 if (dsize < 4) {
1322 {
1323 *al = SSL_AD_DECODE_ERROR; 1273 *al = SSL_AD_DECODE_ERROR;
1324 return 0; 1274 return 0;
1325 } 1275 }
1326 n2s(data, idsize); 1276 n2s(data, idsize);
1327 dsize -= 2 + idsize; 1277 dsize -= 2 + idsize;
1328 size -= 2 + idsize; 1278 size -= 2 + idsize;
1329 if (dsize < 0) 1279 if (dsize < 0) {
1330 {
1331 *al = SSL_AD_DECODE_ERROR; 1280 *al = SSL_AD_DECODE_ERROR;
1332 return 0; 1281 return 0;
1333 } 1282 }
1334 sdata = data; 1283 sdata = data;
1335 data += idsize; 1284 data += idsize;
1336 id = d2i_OCSP_RESPID(NULL, 1285 id = d2i_OCSP_RESPID(NULL,
1337 &sdata, idsize); 1286 &sdata, idsize);
1338 if (!id) 1287 if (!id) {
1339 {
1340 *al = SSL_AD_DECODE_ERROR; 1288 *al = SSL_AD_DECODE_ERROR;
1341 return 0; 1289 return 0;
1342 } 1290 }
1343 if (data != sdata) 1291 if (data != sdata) {
1344 {
1345 OCSP_RESPID_free(id); 1292 OCSP_RESPID_free(id);
1346 *al = SSL_AD_DECODE_ERROR; 1293 *al = SSL_AD_DECODE_ERROR;
1347 return 0; 1294 return 0;
1348 } 1295 }
1349 if (!s->tlsext_ocsp_ids 1296 if (!s->tlsext_ocsp_ids
1350 && !(s->tlsext_ocsp_ids = 1297 && !(s->tlsext_ocsp_ids =
1351 sk_OCSP_RESPID_new_null())) 1298 sk_OCSP_RESPID_new_null())) {
1352 {
1353 OCSP_RESPID_free(id); 1299 OCSP_RESPID_free(id);
1354 *al = SSL_AD_INTERNAL_ERROR; 1300 *al = SSL_AD_INTERNAL_ERROR;
1355 return 0; 1301 return 0;
1356 } 1302 }
1357 if (!sk_OCSP_RESPID_push( 1303 if (!sk_OCSP_RESPID_push(
1358 s->tlsext_ocsp_ids, id)) 1304 s->tlsext_ocsp_ids, id)) {
1359 {
1360 OCSP_RESPID_free(id); 1305 OCSP_RESPID_free(id);
1361 *al = SSL_AD_INTERNAL_ERROR; 1306 *al = SSL_AD_INTERNAL_ERROR;
1362 return 0; 1307 return 0;
1363 }
1364 } 1308 }
1309 }
1365 1310
1366 /* Read in request_extensions */ 1311 /* Read in request_extensions */
1367 if (size < 2) 1312 if (size < 2) {
1368 {
1369 *al = SSL_AD_DECODE_ERROR; 1313 *al = SSL_AD_DECODE_ERROR;
1370 return 0; 1314 return 0;
1371 } 1315 }
1372 n2s(data,dsize); 1316 n2s(data, dsize);
1373 size -= 2; 1317 size -= 2;
1374 if (dsize != size) 1318 if (dsize != size) {
1375 {
1376 *al = SSL_AD_DECODE_ERROR; 1319 *al = SSL_AD_DECODE_ERROR;
1377 return 0; 1320 return 0;
1378 } 1321 }
1379 sdata = data; 1322 sdata = data;
1380 if (dsize > 0) 1323 if (dsize > 0) {
1381 { 1324 if (s->tlsext_ocsp_exts) {
1382 if (s->tlsext_ocsp_exts)
1383 {
1384 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1325 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1385 X509_EXTENSION_free); 1326 X509_EXTENSION_free);
1386 } 1327 }
1387 1328
1388 s->tlsext_ocsp_exts = 1329 s->tlsext_ocsp_exts =
1389 d2i_X509_EXTENSIONS(NULL, 1330 d2i_X509_EXTENSIONS(NULL,
1390 &sdata, dsize); 1331 &sdata, dsize);
1391 if (!s->tlsext_ocsp_exts 1332 if (!s->tlsext_ocsp_exts
1392 || (data + dsize != sdata)) 1333 || (data + dsize != sdata)) {
1393 {
1394 *al = SSL_AD_DECODE_ERROR; 1334 *al = SSL_AD_DECODE_ERROR;
1395 return 0; 1335 return 0;
1396 }
1397 } 1336 }
1398 } 1337 }
1338 }
1399 /* We don't know what to do with any other type 1339 /* We don't know what to do with any other type
1400 * so ignore it. 1340 * so ignore it.
1401 */ 1341 */
1402 else 1342 else
1403 s->tlsext_status_type = -1; 1343 s->tlsext_status_type = -1;
1404 } 1344 }
1405#ifndef OPENSSL_NO_HEARTBEATS 1345#ifndef OPENSSL_NO_HEARTBEATS
1406 else if (type == TLSEXT_TYPE_heartbeat) 1346 else if (type == TLSEXT_TYPE_heartbeat) {
1407 { 1347 switch (data[0]) {
1408 switch(data[0]) 1348 case 0x01: /* Client allows us to send HB requests */
1409 { 1349 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1410 case 0x01: /* Client allows us to send HB requests */ 1350 break;
1411 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1351 case 0x02: /* Client doesn't accept HB requests */
1412 break; 1352 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1413 case 0x02: /* Client doesn't accept HB requests */ 1353 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1414 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1354 break;
1415 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1355 default:
1416 break; 1356 *al = SSL_AD_ILLEGAL_PARAMETER;
1417 default: *al = SSL_AD_ILLEGAL_PARAMETER; 1357 return 0;
1418 return 0;
1419 }
1420 } 1358 }
1359 }
1421#endif 1360#endif
1422#ifndef OPENSSL_NO_NEXTPROTONEG 1361#ifndef OPENSSL_NO_NEXTPROTONEG
1423 else if (type == TLSEXT_TYPE_next_proto_neg && 1362 else if (type == TLSEXT_TYPE_next_proto_neg &&
1424 s->s3->tmp.finish_md_len == 0) 1363 s->s3->tmp.finish_md_len == 0) {
1425 {
1426 /* We shouldn't accept this extension on a 1364 /* We shouldn't accept this extension on a
1427 * renegotiation. 1365 * renegotiation.
1428 * 1366 *
@@ -1439,22 +1377,21 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1439 * in the Hello protocol round, well before a new 1377 * in the Hello protocol round, well before a new
1440 * Finished message could have been computed.) */ 1378 * Finished message could have been computed.) */
1441 s->s3->next_proto_neg_seen = 1; 1379 s->s3->next_proto_neg_seen = 1;
1442 } 1380 }
1443#endif 1381#endif
1444 1382
1445 /* session ticket processed earlier */ 1383 /* session ticket processed earlier */
1446#ifndef OPENSSL_NO_SRTP 1384#ifndef OPENSSL_NO_SRTP
1447 else if (type == TLSEXT_TYPE_use_srtp) 1385 else if (type == TLSEXT_TYPE_use_srtp) {
1448 { 1386 if (ssl_parse_clienthello_use_srtp_ext(s, data, size,
1449 if(ssl_parse_clienthello_use_srtp_ext(s, data, size, 1387 al))
1450 al)) 1388 return 0;
1451 return 0; 1389 }
1452 }
1453#endif 1390#endif
1454 1391
1455 data+=size; 1392 data += size;
1456 } 1393 }
1457 1394
1458 *p = data; 1395 *p = data;
1459 1396
1460 ri_check: 1397 ri_check:
@@ -1462,39 +1399,39 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1462 /* Need RI if renegotiating */ 1399 /* Need RI if renegotiating */
1463 1400
1464 if (!renegotiate_seen && s->renegotiate && 1401 if (!renegotiate_seen && s->renegotiate &&
1465 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1402 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
1466 {
1467 *al = SSL_AD_HANDSHAKE_FAILURE; 1403 *al = SSL_AD_HANDSHAKE_FAILURE;
1468 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1404 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1469 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1405 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1470 return 0; 1406 return 0;
1471 } 1407 }
1472 1408
1473 return 1; 1409 return 1;
1474 } 1410}
1475 1411
1476#ifndef OPENSSL_NO_NEXTPROTONEG 1412#ifndef OPENSSL_NO_NEXTPROTONEG
1477/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1413/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1478 * elements of zero length are allowed and the set of elements must exactly fill 1414 * elements of zero length are allowed and the set of elements must exactly fill
1479 * the length of the block. */ 1415 * the length of the block. */
1480static char ssl_next_proto_validate(unsigned char *d, unsigned len) 1416static char
1481 { 1417ssl_next_proto_validate(unsigned char *d, unsigned len)
1418{
1482 unsigned int off = 0; 1419 unsigned int off = 0;
1483 1420
1484 while (off < len) 1421 while (off < len) {
1485 {
1486 if (d[off] == 0) 1422 if (d[off] == 0)
1487 return 0; 1423 return 0;
1488 off += d[off]; 1424 off += d[off];
1489 off++; 1425 off++;
1490 } 1426 }
1491 1427
1492 return off == len; 1428 return off == len;
1493 } 1429}
1494#endif 1430#endif
1495 1431
1496int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 1432int
1497 { 1433ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1434{
1498 unsigned short length; 1435 unsigned short length;
1499 unsigned short type; 1436 unsigned short type;
1500 unsigned short size; 1437 unsigned short size;
@@ -1508,107 +1445,96 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1508 1445
1509#ifndef OPENSSL_NO_HEARTBEATS 1446#ifndef OPENSSL_NO_HEARTBEATS
1510 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1447 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1511 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1448 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1512#endif 1449#endif
1513 1450
1514 if (data >= (d+n-2)) 1451 if (data >= (d + n - 2))
1515 goto ri_check; 1452 goto ri_check;
1516 1453
1517 n2s(data,length); 1454 n2s(data, length);
1518 if (data+length != d+n) 1455 if (data + length != d + n) {
1519 {
1520 *al = SSL_AD_DECODE_ERROR; 1456 *al = SSL_AD_DECODE_ERROR;
1521 return 0; 1457 return 0;
1522 } 1458 }
1523 1459
1524 while(data <= (d+n-4)) 1460 while (data <= (d + n - 4)) {
1525 { 1461 n2s(data, type);
1526 n2s(data,type); 1462 n2s(data, size);
1527 n2s(data,size);
1528 1463
1529 if (data+size > (d+n)) 1464 if (data + size > (d + n))
1530 goto ri_check; 1465 goto ri_check;
1531 1466
1532 if (s->tlsext_debug_cb) 1467 if (s->tlsext_debug_cb)
1533 s->tlsext_debug_cb(s, 1, type, data, size, 1468 s->tlsext_debug_cb(s, 1, type, data, size,
1534 s->tlsext_debug_arg); 1469 s->tlsext_debug_arg);
1535 1470
1536 if (type == TLSEXT_TYPE_server_name) 1471 if (type == TLSEXT_TYPE_server_name) {
1537 { 1472 if (s->tlsext_hostname == NULL || size > 0) {
1538 if (s->tlsext_hostname == NULL || size > 0)
1539 {
1540 *al = TLS1_AD_UNRECOGNIZED_NAME; 1473 *al = TLS1_AD_UNRECOGNIZED_NAME;
1541 return 0; 1474 return 0;
1542 }
1543 tlsext_servername = 1;
1544 } 1475 }
1476 tlsext_servername = 1;
1477
1478 }
1545 1479
1546#ifndef OPENSSL_NO_EC 1480#ifndef OPENSSL_NO_EC
1547 else if (type == TLSEXT_TYPE_ec_point_formats && 1481 else if (type == TLSEXT_TYPE_ec_point_formats &&
1548 s->version != DTLS1_VERSION) 1482 s->version != DTLS1_VERSION) {
1549 {
1550 unsigned char *sdata = data; 1483 unsigned char *sdata = data;
1551 int ecpointformatlist_length = *(sdata++); 1484 int ecpointformatlist_length = *(sdata++);
1552 1485
1553 if (ecpointformatlist_length != size - 1 || 1486 if (ecpointformatlist_length != size - 1 ||
1554 ecpointformatlist_length < 1) 1487 ecpointformatlist_length < 1) {
1555 {
1556 *al = TLS1_AD_DECODE_ERROR; 1488 *al = TLS1_AD_DECODE_ERROR;
1557 return 0; 1489 return 0;
1558 } 1490 }
1559 s->session->tlsext_ecpointformatlist_length = 0; 1491 s->session->tlsext_ecpointformatlist_length = 0;
1560 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); 1492 if (s->session->tlsext_ecpointformatlist != NULL)
1561 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1493 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1562 { 1494 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
1563 *al = TLS1_AD_INTERNAL_ERROR; 1495 *al = TLS1_AD_INTERNAL_ERROR;
1564 return 0; 1496 return 0;
1565 } 1497 }
1566 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1498 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1567 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1499 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1568#if 0 1500#if 0
1569 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); 1501 fprintf(stderr, "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1570 sdata = s->session->tlsext_ecpointformatlist; 1502 sdata = s->session->tlsext_ecpointformatlist;
1571 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1503 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1572 fprintf(stderr,"%i ",*(sdata++)); 1504 fprintf(stderr, "%i ", *(sdata++));
1573 fprintf(stderr,"\n"); 1505 fprintf(stderr, "\n");
1574#endif 1506#endif
1575 } 1507 }
1576#endif /* OPENSSL_NO_EC */ 1508#endif /* OPENSSL_NO_EC */
1577 1509
1578 else if (type == TLSEXT_TYPE_session_ticket) 1510 else if (type == TLSEXT_TYPE_session_ticket) {
1579 {
1580 if (s->tls_session_ticket_ext_cb && 1511 if (s->tls_session_ticket_ext_cb &&
1581 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1512 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1582 {
1583 *al = TLS1_AD_INTERNAL_ERROR; 1513 *al = TLS1_AD_INTERNAL_ERROR;
1584 return 0; 1514 return 0;
1585 } 1515 }
1586 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 1516 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1587 || (size > 0)) 1517 || (size > 0)) {
1588 {
1589 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1518 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1590 return 0; 1519 return 0;
1591 }
1592 s->tlsext_ticket_expected = 1;
1593 } 1520 }
1521 s->tlsext_ticket_expected = 1;
1522 }
1594#ifdef TLSEXT_TYPE_opaque_prf_input 1523#ifdef TLSEXT_TYPE_opaque_prf_input
1595 else if (type == TLSEXT_TYPE_opaque_prf_input && 1524 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1596 s->version != DTLS1_VERSION) 1525 s->version != DTLS1_VERSION) {
1597 {
1598 unsigned char *sdata = data; 1526 unsigned char *sdata = data;
1599 1527
1600 if (size < 2) 1528 if (size < 2) {
1601 {
1602 *al = SSL_AD_DECODE_ERROR; 1529 *al = SSL_AD_DECODE_ERROR;
1603 return 0; 1530 return 0;
1604 } 1531 }
1605 n2s(sdata, s->s3->server_opaque_prf_input_len); 1532 n2s(sdata, s->s3->server_opaque_prf_input_len);
1606 if (s->s3->server_opaque_prf_input_len != size - 2) 1533 if (s->s3->server_opaque_prf_input_len != size - 2) {
1607 {
1608 *al = SSL_AD_DECODE_ERROR; 1534 *al = SSL_AD_DECODE_ERROR;
1609 return 0; 1535 return 0;
1610 } 1536 }
1611 1537
1612 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1538 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1613 OPENSSL_free(s->s3->server_opaque_prf_input); 1539 OPENSSL_free(s->s3->server_opaque_prf_input);
1614 if (s->s3->server_opaque_prf_input_len == 0) 1540 if (s->s3->server_opaque_prf_input_len == 0)
@@ -1616,123 +1542,107 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1616 else 1542 else
1617 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); 1543 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1618 1544
1619 if (s->s3->server_opaque_prf_input == NULL) 1545 if (s->s3->server_opaque_prf_input == NULL) {
1620 {
1621 *al = TLS1_AD_INTERNAL_ERROR; 1546 *al = TLS1_AD_INTERNAL_ERROR;
1622 return 0; 1547 return 0;
1623 }
1624 } 1548 }
1549 }
1625#endif 1550#endif
1626 else if (type == TLSEXT_TYPE_status_request && 1551 else if (type == TLSEXT_TYPE_status_request &&
1627 s->version != DTLS1_VERSION) 1552 s->version != DTLS1_VERSION) {
1628 {
1629 /* MUST be empty and only sent if we've requested 1553 /* MUST be empty and only sent if we've requested
1630 * a status request message. 1554 * a status request message.
1631 */ 1555 */
1632 if ((s->tlsext_status_type == -1) || (size > 0)) 1556 if ((s->tlsext_status_type == -1) || (size > 0)) {
1633 {
1634 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1557 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1635 return 0; 1558 return 0;
1636 } 1559 }
1637 /* Set flag to expect CertificateStatus message */ 1560 /* Set flag to expect CertificateStatus message */
1638 s->tlsext_status_expected = 1; 1561 s->tlsext_status_expected = 1;
1639 } 1562 }
1640#ifndef OPENSSL_NO_NEXTPROTONEG 1563#ifndef OPENSSL_NO_NEXTPROTONEG
1641 else if (type == TLSEXT_TYPE_next_proto_neg && 1564 else if (type == TLSEXT_TYPE_next_proto_neg &&
1642 s->s3->tmp.finish_md_len == 0) 1565 s->s3->tmp.finish_md_len == 0) {
1643 {
1644 unsigned char *selected; 1566 unsigned char *selected;
1645 unsigned char selected_len; 1567 unsigned char selected_len;
1646 1568
1647 /* We must have requested it. */ 1569 /* We must have requested it. */
1648 if (s->ctx->next_proto_select_cb == NULL) 1570 if (s->ctx->next_proto_select_cb == NULL) {
1649 {
1650 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1571 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1651 return 0; 1572 return 0;
1652 } 1573 }
1653 /* The data must be valid */ 1574 /* The data must be valid */
1654 if (!ssl_next_proto_validate(data, size)) 1575 if (!ssl_next_proto_validate(data, size)) {
1655 {
1656 *al = TLS1_AD_DECODE_ERROR; 1576 *al = TLS1_AD_DECODE_ERROR;
1657 return 0; 1577 return 0;
1658 } 1578 }
1659 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) 1579 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
1660 {
1661 *al = TLS1_AD_INTERNAL_ERROR; 1580 *al = TLS1_AD_INTERNAL_ERROR;
1662 return 0; 1581 return 0;
1663 } 1582 }
1664 s->next_proto_negotiated = OPENSSL_malloc(selected_len); 1583 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1665 if (!s->next_proto_negotiated) 1584 if (!s->next_proto_negotiated) {
1666 {
1667 *al = TLS1_AD_INTERNAL_ERROR; 1585 *al = TLS1_AD_INTERNAL_ERROR;
1668 return 0; 1586 return 0;
1669 } 1587 }
1670 memcpy(s->next_proto_negotiated, selected, selected_len); 1588 memcpy(s->next_proto_negotiated, selected, selected_len);
1671 s->next_proto_negotiated_len = selected_len; 1589 s->next_proto_negotiated_len = selected_len;
1672 s->s3->next_proto_neg_seen = 1; 1590 s->s3->next_proto_neg_seen = 1;
1673 } 1591 }
1674#endif 1592#endif
1675 else if (type == TLSEXT_TYPE_renegotiate) 1593 else if (type == TLSEXT_TYPE_renegotiate) {
1676 { 1594 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1677 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1678 return 0; 1595 return 0;
1679 renegotiate_seen = 1; 1596 renegotiate_seen = 1;
1680 } 1597 }
1681#ifndef OPENSSL_NO_HEARTBEATS 1598#ifndef OPENSSL_NO_HEARTBEATS
1682 else if (type == TLSEXT_TYPE_heartbeat) 1599 else if (type == TLSEXT_TYPE_heartbeat) {
1683 { 1600 switch (data[0]) {
1684 switch(data[0]) 1601 case 0x01: /* Server allows us to send HB requests */
1685 { 1602 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1686 case 0x01: /* Server allows us to send HB requests */ 1603 break;
1687 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1604 case 0x02: /* Server doesn't accept HB requests */
1688 break; 1605 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1689 case 0x02: /* Server doesn't accept HB requests */ 1606 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1690 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1607 break;
1691 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1608 default:
1692 break; 1609 *al = SSL_AD_ILLEGAL_PARAMETER;
1693 default: *al = SSL_AD_ILLEGAL_PARAMETER; 1610 return 0;
1694 return 0;
1695 }
1696 } 1611 }
1612 }
1697#endif 1613#endif
1698#ifndef OPENSSL_NO_SRTP 1614#ifndef OPENSSL_NO_SRTP
1699 else if (type == TLSEXT_TYPE_use_srtp) 1615 else if (type == TLSEXT_TYPE_use_srtp) {
1700 { 1616 if (ssl_parse_serverhello_use_srtp_ext(s, data, size,
1701 if(ssl_parse_serverhello_use_srtp_ext(s, data, size, 1617 al))
1702 al)) 1618 return 0;
1703 return 0; 1619 }
1704 }
1705#endif 1620#endif
1706 1621
1707 data+=size; 1622 data += size;
1708 } 1623
1624 }
1709 1625
1710 if (data != d+n) 1626 if (data != d + n) {
1711 {
1712 *al = SSL_AD_DECODE_ERROR; 1627 *al = SSL_AD_DECODE_ERROR;
1713 return 0; 1628 return 0;
1714 } 1629 }
1715 1630
1716 if (!s->hit && tlsext_servername == 1) 1631 if (!s->hit && tlsext_servername == 1) {
1717 { 1632 if (s->tlsext_hostname) {
1718 if (s->tlsext_hostname) 1633 if (s->session->tlsext_hostname == NULL) {
1719 { 1634 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1720 if (s->session->tlsext_hostname == NULL) 1635
1721 { 1636 if (!s->session->tlsext_hostname) {
1722 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1723 if (!s->session->tlsext_hostname)
1724 {
1725 *al = SSL_AD_UNRECOGNIZED_NAME; 1637 *al = SSL_AD_UNRECOGNIZED_NAME;
1726 return 0; 1638 return 0;
1727 }
1728 } 1639 }
1729 else 1640 } else {
1730 {
1731 *al = SSL_AD_DECODE_ERROR; 1641 *al = SSL_AD_DECODE_ERROR;
1732 return 0; 1642 return 0;
1733 }
1734 } 1643 }
1735 } 1644 }
1645 }
1736 1646
1737 *p = data; 1647 *p = data;
1738 1648
@@ -1747,20 +1657,20 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1747 */ 1657 */
1748 if (!renegotiate_seen 1658 if (!renegotiate_seen
1749 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 1659 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1750 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1660 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
1751 {
1752 *al = SSL_AD_HANDSHAKE_FAILURE; 1661 *al = SSL_AD_HANDSHAKE_FAILURE;
1753 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1662 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1754 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1663 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1755 return 0; 1664 return 0;
1756 } 1665 }
1757 1666
1758 return 1; 1667 return 1;
1759 } 1668}
1760 1669
1761 1670
1762int ssl_prepare_clienthello_tlsext(SSL *s) 1671int
1763 { 1672ssl_prepare_clienthello_tlsext(SSL *s)
1673{
1764#ifndef OPENSSL_NO_EC 1674#ifndef OPENSSL_NO_EC
1765 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 1675 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1766 * and elliptic curves we support. 1676 * and elliptic curves we support.
@@ -1771,63 +1681,59 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
1771 unsigned long alg_k, alg_a; 1681 unsigned long alg_k, alg_a;
1772 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 1682 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1773 1683
1774 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) 1684 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1775 {
1776 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 1685 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1777 1686
1778 alg_k = c->algorithm_mkey; 1687 alg_k = c->algorithm_mkey;
1779 alg_a = c->algorithm_auth; 1688 alg_a = c->algorithm_auth;
1780 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) 1689 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) {
1781 {
1782 using_ecc = 1; 1690 using_ecc = 1;
1783 break; 1691 break;
1784 }
1785 } 1692 }
1693 }
1786 using_ecc = using_ecc && (s->version >= TLS1_VERSION); 1694 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1787 if (using_ecc) 1695 if (using_ecc) {
1788 { 1696 if (s->tlsext_ecpointformatlist != NULL)
1789 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1697 OPENSSL_free(s->tlsext_ecpointformatlist);
1790 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1698 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) {
1791 { 1699 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1792 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1793 return -1; 1700 return -1;
1794 } 1701 }
1795 s->tlsext_ecpointformatlist_length = 3; 1702 s->tlsext_ecpointformatlist_length = 3;
1796 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1703 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1797 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1704 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1798 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1705 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1799 1706
1800 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ 1707 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1801 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); 1708 if (s->tlsext_ellipticcurvelist != NULL)
1709 OPENSSL_free(s->tlsext_ellipticcurvelist);
1802 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2; 1710 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1803 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) 1711 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) {
1804 {
1805 s->tlsext_ellipticcurvelist_length = 0; 1712 s->tlsext_ellipticcurvelist_length = 0;
1806 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1713 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1807 return -1; 1714 return -1;
1808 } 1715 }
1809 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < 1716 for (i = 0, j = s->tlsext_ellipticcurvelist;
1810 sizeof(pref_list)/sizeof(pref_list[0]); i++) 1717 (unsigned int)i <
1811 { 1718 sizeof(pref_list)/sizeof(pref_list[0]);
1719 i++) {
1812 int id = tls1_ec_nid2curve_id(pref_list[i]); 1720 int id = tls1_ec_nid2curve_id(pref_list[i]);
1813 s2n(id,j); 1721 s2n(id, j);
1814 }
1815 } 1722 }
1723 }
1816#endif /* OPENSSL_NO_EC */ 1724#endif /* OPENSSL_NO_EC */
1817 1725
1818#ifdef TLSEXT_TYPE_opaque_prf_input 1726#ifdef TLSEXT_TYPE_opaque_prf_input
1819 { 1727 {
1820 int r = 1; 1728 int r = 1;
1821 1729
1822 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1730 if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
1823 {
1824 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1731 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1825 if (!r) 1732 if (!r)
1826 return -1; 1733 return -1;
1827 } 1734 }
1828 1735
1829 if (s->tlsext_opaque_prf_input != NULL) 1736 if (s->tlsext_opaque_prf_input != NULL) {
1830 {
1831 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1737 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1832 OPENSSL_free(s->s3->client_opaque_prf_input); 1738 OPENSSL_free(s->s3->client_opaque_prf_input);
1833 1739
@@ -1835,25 +1741,25 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
1835 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1741 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1836 else 1742 else
1837 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1743 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1838 if (s->s3->client_opaque_prf_input == NULL) 1744 if (s->s3->client_opaque_prf_input == NULL) {
1839 { 1745 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1840 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1841 return -1; 1746 return -1;
1842 }
1843 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1844 } 1747 }
1748 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1749 }
1845 1750
1846 if (r == 2) 1751 if (r == 2)
1847 /* at callback's request, insist on receiving an appropriate server opaque PRF input */ 1752 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1848 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1753 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1849 } 1754 }
1850#endif 1755#endif
1851 1756
1852 return 1; 1757 return 1;
1853 } 1758}
1854 1759
1855int ssl_prepare_serverhello_tlsext(SSL *s) 1760int
1856 { 1761ssl_prepare_serverhello_tlsext(SSL *s)
1762{
1857#ifndef OPENSSL_NO_EC 1763#ifndef OPENSSL_NO_EC
1858 /* If we are server and using an ECC cipher suite, send the point formats we support 1764 /* If we are server and using an ECC cipher suite, send the point formats we support
1859 * if the client sent us an ECPointsFormat extension. Note that the server is not 1765 * if the client sent us an ECPointsFormat extension. Note that the server is not
@@ -1864,28 +1770,28 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
1864 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1770 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1865 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); 1771 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1866 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); 1772 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1867 1773
1868 if (using_ecc) 1774 if (using_ecc) {
1869 { 1775 if (s->tlsext_ecpointformatlist != NULL)
1870 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1776 OPENSSL_free(s->tlsext_ecpointformatlist);
1871 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1777 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) {
1872 { 1778 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1873 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1874 return -1; 1779 return -1;
1875 } 1780 }
1876 s->tlsext_ecpointformatlist_length = 3; 1781 s->tlsext_ecpointformatlist_length = 3;
1877 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1782 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1878 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1783 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1879 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1784 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1880 } 1785 }
1881#endif /* OPENSSL_NO_EC */ 1786#endif /* OPENSSL_NO_EC */
1882 1787
1883 return 1; 1788 return 1;
1884 } 1789}
1885 1790
1886int ssl_check_clienthello_tlsext_early(SSL *s) 1791int
1887 { 1792ssl_check_clienthello_tlsext_early(SSL *s)
1888 int ret=SSL_TLSEXT_ERR_NOACK; 1793{
1794 int ret = SSL_TLSEXT_ERR_NOACK;
1889 int al = SSL_AD_UNRECOGNIZED_NAME; 1795 int al = SSL_AD_UNRECOGNIZED_NAME;
1890 1796
1891#ifndef OPENSSL_NO_EC 1797#ifndef OPENSSL_NO_EC
@@ -1897,40 +1803,36 @@ int ssl_check_clienthello_tlsext_early(SSL *s)
1897 */ 1803 */
1898#endif 1804#endif
1899 1805
1900 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1806 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1901 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1807 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1902 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1808 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1903 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1809 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1904 1810
1905#ifdef TLSEXT_TYPE_opaque_prf_input 1811#ifdef TLSEXT_TYPE_opaque_prf_input
1906 { 1812 {
1907 /* This sort of belongs into ssl_prepare_serverhello_tlsext(), 1813 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1908 * but we might be sending an alert in response to the client hello, 1814 * but we might be sending an alert in response to the client hello,
1909 * so this has to happen here in 1815 * so this has to happen here in
1910 * ssl_check_clienthello_tlsext_early(). */ 1816 * ssl_check_clienthello_tlsext_early(). */
1911 1817
1912 int r = 1; 1818 int r = 1;
1913 1819
1914 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1820 if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
1915 {
1916 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1821 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1917 if (!r) 1822 if (!r) {
1918 {
1919 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1823 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1920 al = SSL_AD_INTERNAL_ERROR; 1824 al = SSL_AD_INTERNAL_ERROR;
1921 goto err; 1825 goto err;
1922 }
1923 } 1826 }
1827 }
1924 1828
1925 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1829 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1926 OPENSSL_free(s->s3->server_opaque_prf_input); 1830 OPENSSL_free(s->s3->server_opaque_prf_input);
1927 s->s3->server_opaque_prf_input = NULL; 1831 s->s3->server_opaque_prf_input = NULL;
1928 1832
1929 if (s->tlsext_opaque_prf_input != NULL) 1833 if (s->tlsext_opaque_prf_input != NULL) {
1930 {
1931 if (s->s3->client_opaque_prf_input != NULL && 1834 if (s->s3->client_opaque_prf_input != NULL &&
1932 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) 1835 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) {
1933 {
1934 /* can only use this extension if we have a server opaque PRF input 1836 /* can only use this extension if we have a server opaque PRF input
1935 * of the same length as the client opaque PRF input! */ 1837 * of the same length as the client opaque PRF input! */
1936 1838
@@ -1938,48 +1840,48 @@ int ssl_check_clienthello_tlsext_early(SSL *s)
1938 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1840 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1939 else 1841 else
1940 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1842 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1941 if (s->s3->server_opaque_prf_input == NULL) 1843 if (s->s3->server_opaque_prf_input == NULL) {
1942 {
1943 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1844 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1944 al = SSL_AD_INTERNAL_ERROR; 1845 al = SSL_AD_INTERNAL_ERROR;
1945 goto err; 1846 goto err;
1946 }
1947 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1948 } 1847 }
1848 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1949 } 1849 }
1850 }
1950 1851
1951 if (r == 2 && s->s3->server_opaque_prf_input == NULL) 1852 if (r == 2 && s->s3->server_opaque_prf_input == NULL) {
1952 {
1953 /* The callback wants to enforce use of the extension, 1853 /* The callback wants to enforce use of the extension,
1954 * but we can't do that with the client opaque PRF input; 1854 * but we can't do that with the client opaque PRF input;
1955 * abort the handshake. 1855 * abort the handshake.
1956 */ 1856 */
1957 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1857 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1958 al = SSL_AD_HANDSHAKE_FAILURE; 1858 al = SSL_AD_HANDSHAKE_FAILURE;
1959 } 1859 }
1960 } 1860 }
1961 1861
1962 err: 1862 err:
1963#endif 1863#endif
1964 switch (ret) 1864 switch (ret) {
1965 { 1865 case SSL_TLSEXT_ERR_ALERT_FATAL:
1966 case SSL_TLSEXT_ERR_ALERT_FATAL: 1866 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1967 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1968 return -1;
1969 1867
1970 case SSL_TLSEXT_ERR_ALERT_WARNING: 1868 return -1;
1971 ssl3_send_alert(s,SSL3_AL_WARNING,al); 1869
1972 return 1; 1870 case SSL_TLSEXT_ERR_ALERT_WARNING:
1973 1871 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1974 case SSL_TLSEXT_ERR_NOACK: 1872 return 1;
1975 s->servername_done=0; 1873
1976 default: 1874
1875 case SSL_TLSEXT_ERR_NOACK:
1876 s->servername_done = 0;
1877 default:
1977 return 1; 1878 return 1;
1978 }
1979 } 1879 }
1880}
1980 1881
1981int ssl_check_clienthello_tlsext_late(SSL *s) 1882int
1982 { 1883ssl_check_clienthello_tlsext_late(SSL *s)
1884{
1983 int ret = SSL_TLSEXT_ERR_OK; 1885 int ret = SSL_TLSEXT_ERR_OK;
1984 int al; 1886 int al;
1985 1887
@@ -1988,64 +1890,62 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
1988 * the certificate has changed, and must be called after the cipher 1890 * the certificate has changed, and must be called after the cipher
1989 * has been chosen because this may influence which certificate is sent 1891 * has been chosen because this may influence which certificate is sent
1990 */ 1892 */
1991 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) 1893 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
1992 {
1993 int r; 1894 int r;
1994 CERT_PKEY *certpkey; 1895 CERT_PKEY *certpkey;
1995 certpkey = ssl_get_server_send_pkey(s); 1896 certpkey = ssl_get_server_send_pkey(s);
1996 /* If no certificate can't return certificate status */ 1897 /* If no certificate can't return certificate status */
1997 if (certpkey == NULL) 1898 if (certpkey == NULL) {
1998 {
1999 s->tlsext_status_expected = 0; 1899 s->tlsext_status_expected = 0;
2000 return 1; 1900 return 1;
2001 } 1901 }
2002 /* Set current certificate to one we will use so 1902 /* Set current certificate to one we will use so
2003 * SSL_get_certificate et al can pick it up. 1903 * SSL_get_certificate et al can pick it up.
2004 */ 1904 */
2005 s->cert->key = certpkey; 1905 s->cert->key = certpkey;
2006 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1906 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2007 switch (r) 1907 switch (r) {
2008 {
2009 /* We don't want to send a status request response */ 1908 /* We don't want to send a status request response */
2010 case SSL_TLSEXT_ERR_NOACK: 1909 case SSL_TLSEXT_ERR_NOACK:
2011 s->tlsext_status_expected = 0; 1910 s->tlsext_status_expected = 0;
2012 break; 1911 break;
2013 /* status request response should be sent */ 1912 /* status request response should be sent */
2014 case SSL_TLSEXT_ERR_OK: 1913 case SSL_TLSEXT_ERR_OK:
2015 if (s->tlsext_ocsp_resp) 1914 if (s->tlsext_ocsp_resp)
2016 s->tlsext_status_expected = 1; 1915 s->tlsext_status_expected = 1;
2017 else 1916 else
2018 s->tlsext_status_expected = 0; 1917 s->tlsext_status_expected = 0;
2019 break; 1918 break;
2020 /* something bad happened */ 1919 /* something bad happened */
2021 case SSL_TLSEXT_ERR_ALERT_FATAL: 1920 case SSL_TLSEXT_ERR_ALERT_FATAL:
2022 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1921 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2023 al = SSL_AD_INTERNAL_ERROR; 1922 al = SSL_AD_INTERNAL_ERROR;
2024 goto err; 1923 goto err;
2025 }
2026 } 1924 }
2027 else 1925 } else
2028 s->tlsext_status_expected = 0; 1926 s->tlsext_status_expected = 0;
2029 1927
2030 err: 1928err:
2031 switch (ret) 1929 switch (ret) {
2032 { 1930 case SSL_TLSEXT_ERR_ALERT_FATAL:
2033 case SSL_TLSEXT_ERR_ALERT_FATAL: 1931 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2034 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2035 return -1;
2036 1932
2037 case SSL_TLSEXT_ERR_ALERT_WARNING: 1933 return -1;
2038 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2039 return 1;
2040 1934
2041 default: 1935 case SSL_TLSEXT_ERR_ALERT_WARNING:
2042 return 1; 1936 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2043 } 1937 return 1;
1938
1939
1940 default:
1941 return 1;
2044 } 1942 }
1943}
2045 1944
2046int ssl_check_serverhello_tlsext(SSL *s) 1945int
2047 { 1946ssl_check_serverhello_tlsext(SSL *s)
2048 int ret=SSL_TLSEXT_ERR_NOACK; 1947{
1948 int ret = SSL_TLSEXT_ERR_NOACK;
2049 int al = SSL_AD_UNRECOGNIZED_NAME; 1949 int al = SSL_AD_UNRECOGNIZED_NAME;
2050 1950
2051#ifndef OPENSSL_NO_EC 1951#ifndef OPENSSL_NO_EC
@@ -2055,105 +1955,95 @@ int ssl_check_serverhello_tlsext(SSL *s)
2055 */ 1955 */
2056 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1956 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2057 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1957 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2058 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 1958 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
2059 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 1959 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
2060 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) 1960 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
2061 {
2062 /* we are using an ECC cipher */ 1961 /* we are using an ECC cipher */
2063 size_t i; 1962 size_t i;
2064 unsigned char *list; 1963 unsigned char *list;
2065 int found_uncompressed = 0; 1964 int found_uncompressed = 0;
2066 list = s->session->tlsext_ecpointformatlist; 1965 list = s->session->tlsext_ecpointformatlist;
2067 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1966 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2068 { 1967 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2069 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2070 {
2071 found_uncompressed = 1; 1968 found_uncompressed = 1;
2072 break; 1969 break;
2073 }
2074 } 1970 }
2075 if (!found_uncompressed) 1971 }
2076 { 1972 if (!found_uncompressed) {
2077 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1973 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2078 return -1; 1974 return -1;
2079 }
2080 } 1975 }
1976 }
2081 ret = SSL_TLSEXT_ERR_OK; 1977 ret = SSL_TLSEXT_ERR_OK;
2082#endif /* OPENSSL_NO_EC */ 1978#endif /* OPENSSL_NO_EC */
2083 1979
2084 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1980 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2085 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1981 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2086 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1982 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2087 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1983 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2088 1984
2089#ifdef TLSEXT_TYPE_opaque_prf_input 1985#ifdef TLSEXT_TYPE_opaque_prf_input
2090 if (s->s3->server_opaque_prf_input_len > 0) 1986 if (s->s3->server_opaque_prf_input_len > 0) {
2091 {
2092 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs. 1987 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2093 * So first verify that we really have a value from the server too. */ 1988 * So first verify that we really have a value from the server too. */
2094 1989
2095 if (s->s3->server_opaque_prf_input == NULL) 1990 if (s->s3->server_opaque_prf_input == NULL) {
2096 {
2097 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1991 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2098 al = SSL_AD_HANDSHAKE_FAILURE; 1992 al = SSL_AD_HANDSHAKE_FAILURE;
2099 } 1993 }
2100 1994
2101 /* Anytime the server *has* sent an opaque PRF input, we need to check 1995 /* Anytime the server *has* sent an opaque PRF input, we need to check
2102 * that we have a client opaque PRF input of the same size. */ 1996 * that we have a client opaque PRF input of the same size. */
2103 if (s->s3->client_opaque_prf_input == NULL || 1997 if (s->s3->client_opaque_prf_input == NULL ||
2104 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) 1998 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) {
2105 {
2106 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1999 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2107 al = SSL_AD_ILLEGAL_PARAMETER; 2000 al = SSL_AD_ILLEGAL_PARAMETER;
2108 }
2109 } 2001 }
2002 }
2110#endif 2003#endif
2111 2004
2112 /* If we've requested certificate status and we wont get one 2005 /* If we've requested certificate status and we wont get one
2113 * tell the callback 2006 * tell the callback
2114 */ 2007 */
2115 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 2008 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2116 && s->ctx && s->ctx->tlsext_status_cb) 2009 && s->ctx && s->ctx->tlsext_status_cb) {
2117 {
2118 int r; 2010 int r;
2119 /* Set resp to NULL, resplen to -1 so callback knows 2011 /* Set resp to NULL, resplen to -1 so callback knows
2120 * there is no response. 2012 * there is no response.
2121 */ 2013 */
2122 if (s->tlsext_ocsp_resp) 2014 if (s->tlsext_ocsp_resp) {
2123 {
2124 OPENSSL_free(s->tlsext_ocsp_resp); 2015 OPENSSL_free(s->tlsext_ocsp_resp);
2125 s->tlsext_ocsp_resp = NULL; 2016 s->tlsext_ocsp_resp = NULL;
2126 } 2017 }
2127 s->tlsext_ocsp_resplen = -1; 2018 s->tlsext_ocsp_resplen = -1;
2128 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2019 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2129 if (r == 0) 2020 if (r == 0) {
2130 {
2131 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2021 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2132 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2022 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2133 } 2023 }
2134 if (r < 0) 2024 if (r < 0) {
2135 {
2136 al = SSL_AD_INTERNAL_ERROR; 2025 al = SSL_AD_INTERNAL_ERROR;
2137 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2026 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2138 }
2139 } 2027 }
2028 }
2140 2029
2141 switch (ret) 2030 switch (ret) {
2142 { 2031 case SSL_TLSEXT_ERR_ALERT_FATAL:
2143 case SSL_TLSEXT_ERR_ALERT_FATAL: 2032 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2144 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2145 return -1;
2146 2033
2147 case SSL_TLSEXT_ERR_ALERT_WARNING: 2034 return -1;
2148 ssl3_send_alert(s,SSL3_AL_WARNING,al); 2035
2149 return 1; 2036 case SSL_TLSEXT_ERR_ALERT_WARNING:
2150 2037 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2151 case SSL_TLSEXT_ERR_NOACK: 2038 return 1;
2152 s->servername_done=0; 2039
2153 default: 2040
2041 case SSL_TLSEXT_ERR_NOACK:
2042 s->servername_done = 0;
2043 default:
2154 return 1; 2044 return 1;
2155 }
2156 } 2045 }
2046}
2157 2047
2158/* Since the server cache lookup is done early on in the processing of the 2048/* Since the server cache lookup is done early on in the processing of the
2159 * ClientHello, and other operations depend on the result, we need to handle 2049 * ClientHello, and other operations depend on the result, we need to handle
@@ -2188,9 +2078,10 @@ int ssl_check_serverhello_tlsext(SSL *s)
2188 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2078 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2189 * Otherwise, s->tlsext_ticket_expected is set to 0. 2079 * Otherwise, s->tlsext_ticket_expected is set to 0.
2190 */ 2080 */
2191int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 2081int
2192 const unsigned char *limit, SSL_SESSION **ret) 2082tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2193 { 2083 const unsigned char *limit, SSL_SESSION **ret)
2084{
2194 /* Point after session ID in client hello */ 2085 /* Point after session ID in client hello */
2195 const unsigned char *p = session_id + len; 2086 const unsigned char *p = session_id + len;
2196 unsigned short i; 2087 unsigned short i;
@@ -2208,16 +2099,15 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2208 if (p >= limit) 2099 if (p >= limit)
2209 return -1; 2100 return -1;
2210 /* Skip past DTLS cookie */ 2101 /* Skip past DTLS cookie */
2211 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 2102 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
2212 {
2213 i = *(p++); 2103 i = *(p++);
2214 p+= i; 2104 p += i;
2215 if (p >= limit) 2105 if (p >= limit)
2216 return -1; 2106 return -1;
2217 } 2107 }
2218 /* Skip past cipher list */ 2108 /* Skip past cipher list */
2219 n2s(p, i); 2109 n2s(p, i);
2220 p+= i; 2110 p += i;
2221 if (p >= limit) 2111 if (p >= limit)
2222 return -1; 2112 return -1;
2223 /* Skip past compression algorithm list */ 2113 /* Skip past compression algorithm list */
@@ -2229,51 +2119,46 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2229 if ((p + 2) >= limit) 2119 if ((p + 2) >= limit)
2230 return 0; 2120 return 0;
2231 n2s(p, i); 2121 n2s(p, i);
2232 while ((p + 4) <= limit) 2122 while ((p + 4) <= limit) {
2233 {
2234 unsigned short type, size; 2123 unsigned short type, size;
2235 n2s(p, type); 2124 n2s(p, type);
2236 n2s(p, size); 2125 n2s(p, size);
2237 if (p + size > limit) 2126 if (p + size > limit)
2238 return 0; 2127 return 0;
2239 if (type == TLSEXT_TYPE_session_ticket) 2128 if (type == TLSEXT_TYPE_session_ticket) {
2240 {
2241 int r; 2129 int r;
2242 if (size == 0) 2130 if (size == 0) {
2243 {
2244 /* The client will accept a ticket but doesn't 2131 /* The client will accept a ticket but doesn't
2245 * currently have one. */ 2132 * currently have one. */
2246 s->tlsext_ticket_expected = 1; 2133 s->tlsext_ticket_expected = 1;
2247 return 1; 2134 return 1;
2248 } 2135 }
2249 if (s->tls_session_secret_cb) 2136 if (s->tls_session_secret_cb) {
2250 {
2251 /* Indicate that the ticket couldn't be 2137 /* Indicate that the ticket couldn't be
2252 * decrypted rather than generating the session 2138 * decrypted rather than generating the session
2253 * from ticket now, trigger abbreviated 2139 * from ticket now, trigger abbreviated
2254 * handshake based on external mechanism to 2140 * handshake based on external mechanism to
2255 * calculate the master secret later. */ 2141 * calculate the master secret later. */
2256 return 2; 2142 return 2;
2257 } 2143 }
2258 r = tls_decrypt_ticket(s, p, size, session_id, len, ret); 2144 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2259 switch (r) 2145 switch (r) {
2260 { 2146 case 2: /* ticket couldn't be decrypted */
2261 case 2: /* ticket couldn't be decrypted */ 2147 s->tlsext_ticket_expected = 1;
2262 s->tlsext_ticket_expected = 1; 2148 return 2;
2263 return 2; 2149 case 3: /* ticket was decrypted */
2264 case 3: /* ticket was decrypted */ 2150 return r;
2265 return r; 2151 case 4: /* ticket decrypted but need to renew */
2266 case 4: /* ticket decrypted but need to renew */ 2152 s->tlsext_ticket_expected = 1;
2267 s->tlsext_ticket_expected = 1; 2153 return 3;
2268 return 3; 2154 default: /* fatal error */
2269 default: /* fatal error */ 2155 return -1;
2270 return -1;
2271 }
2272 } 2156 }
2273 p += size;
2274 } 2157 }
2275 return 0; 2158 p += size;
2276 } 2159 }
2160 return 0;
2161}
2277 2162
2278/* tls_decrypt_ticket attempts to decrypt a session ticket. 2163/* tls_decrypt_ticket attempts to decrypt a session ticket.
2279 * 2164 *
@@ -2290,10 +2175,10 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2290 * 3: a ticket was successfully decrypted and *psess was set. 2175 * 3: a ticket was successfully decrypted and *psess was set.
2291 * 4: same as 3, but the ticket needs to be renewed. 2176 * 4: same as 3, but the ticket needs to be renewed.
2292 */ 2177 */
2293static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2178static int
2294 const unsigned char *sess_id, int sesslen, 2179tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2295 SSL_SESSION **psess) 2180 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess)
2296 { 2181{
2297 SSL_SESSION *sess; 2182 SSL_SESSION *sess;
2298 unsigned char *sdec; 2183 unsigned char *sdec;
2299 const unsigned char *p; 2184 const unsigned char *p;
@@ -2308,37 +2193,33 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2308 /* Initialize session ticket encryption and HMAC contexts */ 2193 /* Initialize session ticket encryption and HMAC contexts */
2309 HMAC_CTX_init(&hctx); 2194 HMAC_CTX_init(&hctx);
2310 EVP_CIPHER_CTX_init(&ctx); 2195 EVP_CIPHER_CTX_init(&ctx);
2311 if (tctx->tlsext_ticket_key_cb) 2196 if (tctx->tlsext_ticket_key_cb) {
2312 {
2313 unsigned char *nctick = (unsigned char *)etick; 2197 unsigned char *nctick = (unsigned char *)etick;
2314 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2198 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2315 &ctx, &hctx, 0); 2199 &ctx, &hctx, 0);
2316 if (rv < 0) 2200 if (rv < 0)
2317 return -1; 2201 return -1;
2318 if (rv == 0) 2202 if (rv == 0)
2319 return 2; 2203 return 2;
2320 if (rv == 2) 2204 if (rv == 2)
2321 renew_ticket = 1; 2205 renew_ticket = 1;
2322 } 2206 } else {
2323 else
2324 {
2325 /* Check key name matches */ 2207 /* Check key name matches */
2326 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2208 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2327 return 2; 2209 return 2;
2328 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2210 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2329 tlsext_tick_md(), NULL); 2211 tlsext_tick_md(), NULL);
2330 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2212 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2331 tctx->tlsext_tick_aes_key, etick + 16); 2213 tctx->tlsext_tick_aes_key, etick + 16);
2332 } 2214 }
2333 /* Attempt to process session ticket, first conduct sanity and 2215 /* Attempt to process session ticket, first conduct sanity and
2334 * integrity checks on ticket. 2216 * integrity checks on ticket.
2335 */ 2217 */
2336 mlen = HMAC_size(&hctx); 2218 mlen = HMAC_size(&hctx);
2337 if (mlen < 0) 2219 if (mlen < 0) {
2338 {
2339 EVP_CIPHER_CTX_cleanup(&ctx); 2220 EVP_CIPHER_CTX_cleanup(&ctx);
2340 return -1; 2221 return -1;
2341 } 2222 }
2342 eticklen -= mlen; 2223 eticklen -= mlen;
2343 /* Check HMAC of encrypted ticket */ 2224 /* Check HMAC of encrypted ticket */
2344 HMAC_Update(&hctx, etick, eticklen); 2225 HMAC_Update(&hctx, etick, eticklen);
@@ -2351,11 +2232,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2351 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2232 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2352 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2233 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2353 sdec = OPENSSL_malloc(eticklen); 2234 sdec = OPENSSL_malloc(eticklen);
2354 if (!sdec) 2235 if (!sdec) {
2355 {
2356 EVP_CIPHER_CTX_cleanup(&ctx); 2236 EVP_CIPHER_CTX_cleanup(&ctx);
2357 return -1; 2237 return -1;
2358 } 2238 }
2359 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2239 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2360 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 2240 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2361 return 2; 2241 return 2;
@@ -2365,8 +2245,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2365 2245
2366 sess = d2i_SSL_SESSION(NULL, &p, slen); 2246 sess = d2i_SSL_SESSION(NULL, &p, slen);
2367 OPENSSL_free(sdec); 2247 OPENSSL_free(sdec);
2368 if (sess) 2248 if (sess) {
2369 {
2370 /* The session ID, if non-empty, is used by some clients to 2249 /* The session ID, if non-empty, is used by some clients to
2371 * detect that the ticket has been accepted. So we copy it to 2250 * detect that the ticket has been accepted. So we copy it to
2372 * the session structure. If it is empty set length to zero 2251 * the session structure. If it is empty set length to zero
@@ -2380,20 +2259,19 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2380 return 4; 2259 return 4;
2381 else 2260 else
2382 return 3; 2261 return 3;
2383 } 2262 }
2384 ERR_clear_error(); 2263 ERR_clear_error();
2385 /* For session parse failure, indicate that we need to send a new 2264 /* For session parse failure, indicate that we need to send a new
2386 * ticket. */ 2265 * ticket. */
2387 return 2; 2266 return 2;
2388 } 2267}
2389 2268
2390/* Tables to translate from NIDs to TLS v1.2 ids */ 2269/* Tables to translate from NIDs to TLS v1.2 ids */
2391 2270
2392typedef struct 2271typedef struct {
2393 {
2394 int nid; 2272 int nid;
2395 int id; 2273 int id;
2396 } tls12_lookup; 2274} tls12_lookup;
2397 2275
2398static tls12_lookup tls12_md[] = { 2276static tls12_lookup tls12_md[] = {
2399#ifndef OPENSSL_NO_MD5 2277#ifndef OPENSSL_NO_MD5
@@ -2424,36 +2302,37 @@ static tls12_lookup tls12_sig[] = {
2424#endif 2302#endif
2425}; 2303};
2426 2304
2427static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2305static int
2428 { 2306tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2307{
2429 size_t i; 2308 size_t i;
2430 for (i = 0; i < tlen; i++) 2309 for (i = 0; i < tlen; i++) {
2431 {
2432 if (table[i].nid == nid) 2310 if (table[i].nid == nid)
2433 return table[i].id; 2311 return table[i].id;
2434 }
2435 return -1;
2436 } 2312 }
2313 return -1;
2314}
2437#if 0 2315#if 0
2438static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) 2316static int
2439 { 2317tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2318{
2440 size_t i; 2319 size_t i;
2441 for (i = 0; i < tlen; i++) 2320 for (i = 0; i < tlen; i++) {
2442 {
2443 if (table[i].id == id) 2321 if (table[i].id == id)
2444 return table[i].nid; 2322 return table[i].nid;
2445 }
2446 return -1;
2447 } 2323 }
2324 return -1;
2325}
2448#endif 2326#endif
2449 2327
2450int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2328int
2451 { 2329tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2330{
2452 int sig_id, md_id; 2331 int sig_id, md_id;
2453 if (!md) 2332 if (!md)
2454 return 0; 2333 return 0;
2455 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2334 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2456 sizeof(tls12_md)/sizeof(tls12_lookup)); 2335 sizeof(tls12_md)/sizeof(tls12_lookup));
2457 if (md_id == -1) 2336 if (md_id == -1)
2458 return 0; 2337 return 0;
2459 sig_id = tls12_get_sigid(pk); 2338 sig_id = tls12_get_sigid(pk);
@@ -2462,46 +2341,48 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2462 p[0] = (unsigned char)md_id; 2341 p[0] = (unsigned char)md_id;
2463 p[1] = (unsigned char)sig_id; 2342 p[1] = (unsigned char)sig_id;
2464 return 1; 2343 return 1;
2465 } 2344}
2466 2345
2467int tls12_get_sigid(const EVP_PKEY *pk) 2346int
2468 { 2347tls12_get_sigid(const EVP_PKEY *pk)
2348{
2469 return tls12_find_id(pk->type, tls12_sig, 2349 return tls12_find_id(pk->type, tls12_sig,
2470 sizeof(tls12_sig)/sizeof(tls12_lookup)); 2350 sizeof(tls12_sig)/sizeof(tls12_lookup));
2471 } 2351}
2472 2352
2473const EVP_MD *tls12_get_hash(unsigned char hash_alg) 2353const EVP_MD
2474 { 2354*tls12_get_hash(unsigned char hash_alg)
2475 switch(hash_alg) 2355{
2476 { 2356 switch (hash_alg) {
2477#ifndef OPENSSL_NO_SHA 2357#ifndef OPENSSL_NO_SHA
2478 case TLSEXT_hash_sha1: 2358 case TLSEXT_hash_sha1:
2479 return EVP_sha1(); 2359 return EVP_sha1();
2480#endif 2360#endif
2481#ifndef OPENSSL_NO_SHA256 2361#ifndef OPENSSL_NO_SHA256
2482 case TLSEXT_hash_sha224: 2362 case TLSEXT_hash_sha224:
2483 return EVP_sha224(); 2363 return EVP_sha224();
2484 2364
2485 case TLSEXT_hash_sha256: 2365 case TLSEXT_hash_sha256:
2486 return EVP_sha256(); 2366 return EVP_sha256();
2487#endif 2367#endif
2488#ifndef OPENSSL_NO_SHA512 2368#ifndef OPENSSL_NO_SHA512
2489 case TLSEXT_hash_sha384: 2369 case TLSEXT_hash_sha384:
2490 return EVP_sha384(); 2370 return EVP_sha384();
2491 2371
2492 case TLSEXT_hash_sha512: 2372 case TLSEXT_hash_sha512:
2493 return EVP_sha512(); 2373 return EVP_sha512();
2494#endif 2374#endif
2495 default: 2375 default:
2496 return NULL; 2376 return NULL;
2497 2377
2498 }
2499 } 2378 }
2379}
2500 2380
2501/* Set preferred digest for each key type */ 2381/* Set preferred digest for each key type */
2502 2382
2503int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2383int
2504 { 2384tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2385{
2505 int i, idx; 2386 int i, idx;
2506 const EVP_MD *md; 2387 const EVP_MD *md;
2507 CERT *c = s->cert; 2388 CERT *c = s->cert;
@@ -2517,44 +2398,40 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2517 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2398 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2518 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2399 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2519 2400
2520 for (i = 0; i < dsize; i += 2) 2401 for (i = 0; i < dsize; i += 2) {
2521 { 2402 unsigned char hash_alg = data[i], sig_alg = data[i + 1];
2522 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2523 2403
2524 switch(sig_alg) 2404 switch (sig_alg) {
2525 {
2526#ifndef OPENSSL_NO_RSA 2405#ifndef OPENSSL_NO_RSA
2527 case TLSEXT_signature_rsa: 2406 case TLSEXT_signature_rsa:
2528 idx = SSL_PKEY_RSA_SIGN; 2407 idx = SSL_PKEY_RSA_SIGN;
2529 break; 2408 break;
2530#endif 2409#endif
2531#ifndef OPENSSL_NO_DSA 2410#ifndef OPENSSL_NO_DSA
2532 case TLSEXT_signature_dsa: 2411 case TLSEXT_signature_dsa:
2533 idx = SSL_PKEY_DSA_SIGN; 2412 idx = SSL_PKEY_DSA_SIGN;
2534 break; 2413 break;
2535#endif 2414#endif
2536#ifndef OPENSSL_NO_ECDSA 2415#ifndef OPENSSL_NO_ECDSA
2537 case TLSEXT_signature_ecdsa: 2416 case TLSEXT_signature_ecdsa:
2538 idx = SSL_PKEY_ECC; 2417 idx = SSL_PKEY_ECC;
2539 break; 2418 break;
2540#endif 2419#endif
2541 default: 2420 default:
2542 continue; 2421 continue;
2543 } 2422 }
2544 2423
2545 if (c->pkeys[idx].digest == NULL) 2424 if (c->pkeys[idx].digest == NULL) {
2546 {
2547 md = tls12_get_hash(hash_alg); 2425 md = tls12_get_hash(hash_alg);
2548 if (md) 2426 if (md) {
2549 {
2550 c->pkeys[idx].digest = md; 2427 c->pkeys[idx].digest = md;
2551 if (idx == SSL_PKEY_RSA_SIGN) 2428 if (idx == SSL_PKEY_RSA_SIGN)
2552 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2429 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2553 }
2554 } 2430 }
2555
2556 } 2431 }
2557 2432
2433 }
2434
2558 2435
2559 /* Set any remaining keys to default values. NOTE: if alg is not 2436 /* Set any remaining keys to default values. NOTE: if alg is not
2560 * supported it stays as NULL. 2437 * supported it stays as NULL.
@@ -2564,25 +2441,24 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2564 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2441 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2565#endif 2442#endif
2566#ifndef OPENSSL_NO_RSA 2443#ifndef OPENSSL_NO_RSA
2567 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) 2444 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2568 {
2569 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2445 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2570 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2446 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2571 } 2447 }
2572#endif 2448#endif
2573#ifndef OPENSSL_NO_ECDSA 2449#ifndef OPENSSL_NO_ECDSA
2574 if (!c->pkeys[SSL_PKEY_ECC].digest) 2450 if (!c->pkeys[SSL_PKEY_ECC].digest)
2575 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2451 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2576#endif 2452#endif
2577 return 1; 2453 return 1;
2578 } 2454}
2579 2455
2580#endif 2456#endif
2581 2457
2582#ifndef OPENSSL_NO_HEARTBEATS 2458#ifndef OPENSSL_NO_HEARTBEATS
2583int 2459int
2584tls1_process_heartbeat(SSL *s) 2460tls1_process_heartbeat(SSL *s)
2585 { 2461{
2586 unsigned char *p = &s->s3->rrec.data[0], *pl; 2462 unsigned char *p = &s->s3->rrec.data[0], *pl;
2587 unsigned short hbtype; 2463 unsigned short hbtype;
2588 unsigned int payload; 2464 unsigned int payload;
@@ -2590,8 +2466,8 @@ tls1_process_heartbeat(SSL *s)
2590 2466
2591 if (s->msg_callback) 2467 if (s->msg_callback)
2592 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 2468 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2593 &s->s3->rrec.data[0], s->s3->rrec.length, 2469 &s->s3->rrec.data[0], s->s3->rrec.length,
2594 s, s->msg_callback_arg); 2470 s, s->msg_callback_arg);
2595 2471
2596 /* Read type and payload length first */ 2472 /* Read type and payload length first */
2597 if (1 + 2 + 16 > s->s3->rrec.length) 2473 if (1 + 2 + 16 > s->s3->rrec.length)
@@ -2602,8 +2478,7 @@ tls1_process_heartbeat(SSL *s)
2602 return 0; /* silently discard per RFC 6520 sec. 4 */ 2478 return 0; /* silently discard per RFC 6520 sec. 4 */
2603 pl = p; 2479 pl = p;
2604 2480
2605 if (hbtype == TLS1_HB_REQUEST) 2481 if (hbtype == TLS1_HB_REQUEST) {
2606 {
2607 unsigned char *buffer, *bp; 2482 unsigned char *buffer, *bp;
2608 int r; 2483 int r;
2609 2484
@@ -2613,7 +2488,7 @@ tls1_process_heartbeat(SSL *s)
2613 */ 2488 */
2614 buffer = OPENSSL_malloc(1 + 2 + payload + padding); 2489 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2615 bp = buffer; 2490 bp = buffer;
2616 2491
2617 /* Enter response type, length and copy payload */ 2492 /* Enter response type, length and copy payload */
2618 *bp++ = TLS1_HB_RESPONSE; 2493 *bp++ = TLS1_HB_RESPONSE;
2619 s2n(payload, bp); 2494 s2n(payload, bp);
@@ -2626,36 +2501,33 @@ tls1_process_heartbeat(SSL *s)
2626 2501
2627 if (r >= 0 && s->msg_callback) 2502 if (r >= 0 && s->msg_callback)
2628 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2503 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2629 buffer, 3 + payload + padding, 2504 buffer, 3 + payload + padding,
2630 s, s->msg_callback_arg); 2505 s, s->msg_callback_arg);
2631 2506
2632 OPENSSL_free(buffer); 2507 OPENSSL_free(buffer);
2633 2508
2634 if (r < 0) 2509 if (r < 0)
2635 return r; 2510 return r;
2636 } 2511 } else if (hbtype == TLS1_HB_RESPONSE) {
2637 else if (hbtype == TLS1_HB_RESPONSE)
2638 {
2639 unsigned int seq; 2512 unsigned int seq;
2640 2513
2641 /* We only send sequence numbers (2 bytes unsigned int), 2514 /* We only send sequence numbers (2 bytes unsigned int),
2642 * and 16 random bytes, so we just try to read the 2515 * and 16 random bytes, so we just try to read the
2643 * sequence number */ 2516 * sequence number */
2644 n2s(pl, seq); 2517 n2s(pl, seq);
2645 2518
2646 if (payload == 18 && seq == s->tlsext_hb_seq) 2519 if (payload == 18 && seq == s->tlsext_hb_seq) {
2647 {
2648 s->tlsext_hb_seq++; 2520 s->tlsext_hb_seq++;
2649 s->tlsext_hb_pending = 0; 2521 s->tlsext_hb_pending = 0;
2650 }
2651 } 2522 }
2523 }
2652 2524
2653 return 0; 2525 return 0;
2654 } 2526}
2655 2527
2656int 2528int
2657tls1_heartbeat(SSL *s) 2529tls1_heartbeat(SSL *s)
2658 { 2530{
2659 unsigned char *buf, *p; 2531 unsigned char *buf, *p;
2660 int ret; 2532 int ret;
2661 unsigned int payload = 18; /* Sequence number + random bytes */ 2533 unsigned int payload = 18; /* Sequence number + random bytes */
@@ -2663,26 +2535,23 @@ tls1_heartbeat(SSL *s)
2663 2535
2664 /* Only send if peer supports and accepts HB requests... */ 2536 /* Only send if peer supports and accepts HB requests... */
2665 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || 2537 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2666 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) 2538 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
2667 { 2539 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2668 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2669 return -1; 2540 return -1;
2670 } 2541 }
2671 2542
2672 /* ...and there is none in flight yet... */ 2543 /* ...and there is none in flight yet... */
2673 if (s->tlsext_hb_pending) 2544 if (s->tlsext_hb_pending) {
2674 { 2545 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
2675 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2676 return -1; 2546 return -1;
2677 } 2547 }
2678 2548
2679 /* ...and no handshake in progress. */ 2549 /* ...and no handshake in progress. */
2680 if (SSL_in_init(s) || s->in_handshake) 2550 if (SSL_in_init(s) || s->in_handshake) {
2681 { 2551 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
2682 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2683 return -1; 2552 return -1;
2684 } 2553 }
2685 2554
2686 /* Check if padding is too long, payload and padding 2555 /* Check if padding is too long, payload and padding
2687 * must not exceed 2^14 - 3 = 16381 bytes in total. 2556 * must not exceed 2^14 - 3 = 16381 bytes in total.
2688 */ 2557 */
@@ -2712,18 +2581,17 @@ tls1_heartbeat(SSL *s)
2712 RAND_pseudo_bytes(p, padding); 2581 RAND_pseudo_bytes(p, padding);
2713 2582
2714 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 2583 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2715 if (ret >= 0) 2584 if (ret >= 0) {
2716 {
2717 if (s->msg_callback) 2585 if (s->msg_callback)
2718 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2586 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2719 buf, 3 + payload + padding, 2587 buf, 3 + payload + padding,
2720 s, s->msg_callback_arg); 2588 s, s->msg_callback_arg);
2721 2589
2722 s->tlsext_hb_pending = 1; 2590 s->tlsext_hb_pending = 1;
2723 } 2591 }
2724 2592
2725 OPENSSL_free(buf); 2593 OPENSSL_free(buf);
2726 2594
2727 return ret; 2595 return ret;
2728 } 2596}
2729#endif 2597#endif
diff --git a/src/lib/libssl/src/ssl/t1_meth.c b/src/lib/libssl/src/ssl/t1_meth.c
index 53c807de28..ab2d789e59 100644
--- a/src/lib/libssl/src/ssl/t1_meth.c
+++ b/src/lib/libssl/src/ssl/t1_meth.c
@@ -60,8 +60,9 @@
60#include <openssl/objects.h> 60#include <openssl/objects.h>
61#include "ssl_locl.h" 61#include "ssl_locl.h"
62 62
63static const SSL_METHOD *tls1_get_method(int ver) 63static const SSL_METHOD
64 { 64*tls1_get_method(int ver)
65{
65 if (ver == TLS1_2_VERSION) 66 if (ver == TLS1_2_VERSION)
66 return TLSv1_2_method(); 67 return TLSv1_2_method();
67 if (ver == TLS1_1_VERSION) 68 if (ver == TLS1_1_VERSION)
@@ -69,20 +70,13 @@ static const SSL_METHOD *tls1_get_method(int ver)
69 if (ver == TLS1_VERSION) 70 if (ver == TLS1_VERSION)
70 return TLSv1_method(); 71 return TLSv1_method();
71 return NULL; 72 return NULL;
72 } 73}
73 74
74IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_method, 75IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_method,
75 ssl3_accept, 76 ssl3_accept, ssl3_connect, tls1_get_method)
76 ssl3_connect,
77 tls1_get_method)
78 77
79IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_method, 78IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_method,
80 ssl3_accept, 79 ssl3_accept, ssl3_connect, tls1_get_method)
81 ssl3_connect,
82 tls1_get_method)
83 80
84IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_method, 81IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_method,
85 ssl3_accept, 82 ssl3_accept, ssl3_connect, tls1_get_method)
86 ssl3_connect,
87 tls1_get_method)
88
diff --git a/src/lib/libssl/src/ssl/t1_reneg.c b/src/lib/libssl/src/ssl/t1_reneg.c
index 9c2cc3c712..86e0e61ffb 100644
--- a/src/lib/libssl/src/ssl/t1_reneg.c
+++ b/src/lib/libssl/src/ssl/t1_reneg.c
@@ -113,180 +113,170 @@
113#include "ssl_locl.h" 113#include "ssl_locl.h"
114 114
115/* Add the client's renegotiation binding */ 115/* Add the client's renegotiation binding */
116int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, 116int
117 int maxlen) 117ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
118 { 118 int maxlen)
119 if(p) 119{
120 { 120 if (p) {
121 if((s->s3->previous_client_finished_len+1) > maxlen) 121 if ((s->s3->previous_client_finished_len + 1) > maxlen) {
122 { 122 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATE_EXT_TOO_LONG);
123 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG); 123 return 0;
124 return 0; 124 }
125 }
126
127 /* Length byte */
128 *p = s->s3->previous_client_finished_len;
129 p++;
130 125
131 memcpy(p, s->s3->previous_client_finished, 126 /* Length byte */
132 s->s3->previous_client_finished_len); 127 *p = s->s3->previous_client_finished_len;
128 p++;
129
130 memcpy(p, s->s3->previous_client_finished,
131 s->s3->previous_client_finished_len);
133#ifdef OPENSSL_RI_DEBUG 132#ifdef OPENSSL_RI_DEBUG
134 fprintf(stderr, "%s RI extension sent by client\n", 133 fprintf(stderr, "%s RI extension sent by client\n",
135 s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); 134 s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
136#endif 135#endif
137 } 136 }
138 137
139 *len=s->s3->previous_client_finished_len + 1; 138 *len = s->s3->previous_client_finished_len + 1;
140 139
141 140 return 1;
142 return 1; 141}
143 }
144 142
145/* Parse the client's renegotiation binding and abort if it's not 143/* Parse the client's renegotiation binding and abort if it's not
146 right */ 144 right */
147int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, 145int
148 int *al) 146ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
149 { 147 int *al)
150 int ilen; 148{
149 int ilen;
150
151 /* Parse the length byte */
152 if (len < 1) {
153 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR);
154 *al = SSL_AD_ILLEGAL_PARAMETER;
155 return 0;
156 }
157 ilen = *d;
158 d++;
151 159
152 /* Parse the length byte */ 160 /* Consistency check */
153 if(len < 1) 161 if ((ilen + 1) != len) {
154 { 162 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR);
155 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); 163 *al = SSL_AD_ILLEGAL_PARAMETER;
156 *al=SSL_AD_ILLEGAL_PARAMETER; 164 return 0;
157 return 0; 165 }
158 }
159 ilen = *d;
160 d++;
161 166
162 /* Consistency check */ 167 /* Check that the extension matches */
163 if((ilen+1) != len) 168 if (ilen != s->s3->previous_client_finished_len) {
164 { 169 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH);
165 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); 170 *al = SSL_AD_HANDSHAKE_FAILURE;
166 *al=SSL_AD_ILLEGAL_PARAMETER; 171 return 0;
167 return 0; 172 }
168 }
169 173
170 /* Check that the extension matches */ 174 if (memcmp(d, s->s3->previous_client_finished,
171 if(ilen != s->s3->previous_client_finished_len) 175 s->s3->previous_client_finished_len)) {
172 { 176 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH);
173 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); 177 *al = SSL_AD_HANDSHAKE_FAILURE;
174 *al=SSL_AD_HANDSHAKE_FAILURE; 178 return 0;
175 return 0; 179 }
176 }
177
178 if(memcmp(d, s->s3->previous_client_finished,
179 s->s3->previous_client_finished_len))
180 {
181 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
182 *al=SSL_AD_HANDSHAKE_FAILURE;
183 return 0;
184 }
185#ifdef OPENSSL_RI_DEBUG 180#ifdef OPENSSL_RI_DEBUG
186 fprintf(stderr, "%s RI extension received by server\n", 181 fprintf(stderr, "%s RI extension received by server\n",
187 ilen ? "Non-empty" : "Empty"); 182 ilen ? "Non-empty" : "Empty");
188#endif 183#endif
189 184
190 s->s3->send_connection_binding=1; 185 s->s3->send_connection_binding = 1;
191 186
192 return 1; 187 return 1;
193 } 188}
194 189
195/* Add the server's renegotiation binding */ 190/* Add the server's renegotiation binding */
196int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, 191int
197 int maxlen) 192ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
198 { 193 int maxlen)
199 if(p) 194{
200 { 195 if (p) {
201 if((s->s3->previous_client_finished_len + 196 if ((s->s3->previous_client_finished_len +
202 s->s3->previous_server_finished_len + 1) > maxlen) 197 s->s3->previous_server_finished_len + 1) > maxlen) {
203 { 198 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATE_EXT_TOO_LONG);
204 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG); 199 return 0;
205 return 0; 200 }
206 }
207
208 /* Length byte */
209 *p = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len;
210 p++;
211 201
212 memcpy(p, s->s3->previous_client_finished, 202 /* Length byte */
213 s->s3->previous_client_finished_len); 203 *p = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len;
214 p += s->s3->previous_client_finished_len; 204 p++;
215 205
216 memcpy(p, s->s3->previous_server_finished, 206 memcpy(p, s->s3->previous_client_finished,
217 s->s3->previous_server_finished_len); 207 s->s3->previous_client_finished_len);
208 p += s->s3->previous_client_finished_len;
209
210 memcpy(p, s->s3->previous_server_finished,
211 s->s3->previous_server_finished_len);
218#ifdef OPENSSL_RI_DEBUG 212#ifdef OPENSSL_RI_DEBUG
219 fprintf(stderr, "%s RI extension sent by server\n", 213 fprintf(stderr, "%s RI extension sent by server\n",
220 s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); 214 s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
221#endif 215#endif
222 } 216 }
223 217
224 *len=s->s3->previous_client_finished_len 218 *len = s->s3->previous_client_finished_len
225 + s->s3->previous_server_finished_len + 1; 219 + s->s3->previous_server_finished_len + 1;
226 220
227 return 1; 221 return 1;
228 } 222}
229 223
230/* Parse the server's renegotiation binding and abort if it's not 224/* Parse the server's renegotiation binding and abort if it's not
231 right */ 225 right */
232int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len, 226int
233 int *al) 227ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,
234 { 228 int *al)
235 int expected_len=s->s3->previous_client_finished_len 229{
230 int expected_len = s->s3->previous_client_finished_len
236 + s->s3->previous_server_finished_len; 231 + s->s3->previous_server_finished_len;
237 int ilen; 232 int ilen;
233
234 /* Check for logic errors */
235 OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len);
236 OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len);
237
238 /* Parse the length byte */
239 if (len < 1) {
240 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR);
241 *al = SSL_AD_ILLEGAL_PARAMETER;
242 return 0;
243 }
244 ilen = *d;
245 d++;
238 246
239 /* Check for logic errors */ 247 /* Consistency check */
240 OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len); 248 if (ilen + 1 != len) {
241 OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len); 249 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR);
242 250 *al = SSL_AD_ILLEGAL_PARAMETER;
243 /* Parse the length byte */ 251 return 0;
244 if(len < 1) 252 }
245 {
246 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
247 *al=SSL_AD_ILLEGAL_PARAMETER;
248 return 0;
249 }
250 ilen = *d;
251 d++;
252 253
253 /* Consistency check */ 254 /* Check that the extension matches */
254 if(ilen+1 != len) 255 if (ilen != expected_len) {
255 { 256 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH);
256 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); 257 *al = SSL_AD_HANDSHAKE_FAILURE;
257 *al=SSL_AD_ILLEGAL_PARAMETER; 258 return 0;
258 return 0; 259 }
259 }
260
261 /* Check that the extension matches */
262 if(ilen != expected_len)
263 {
264 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
265 *al=SSL_AD_HANDSHAKE_FAILURE;
266 return 0;
267 }
268 260
269 if(memcmp(d, s->s3->previous_client_finished, 261 if (memcmp(d, s->s3->previous_client_finished,
270 s->s3->previous_client_finished_len)) 262 s->s3->previous_client_finished_len)) {
271 { 263 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH);
272 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); 264 *al = SSL_AD_HANDSHAKE_FAILURE;
273 *al=SSL_AD_HANDSHAKE_FAILURE; 265 return 0;
274 return 0; 266 }
275 } 267 d += s->s3->previous_client_finished_len;
276 d += s->s3->previous_client_finished_len;
277 268
278 if(memcmp(d, s->s3->previous_server_finished, 269 if (memcmp(d, s->s3->previous_server_finished,
279 s->s3->previous_server_finished_len)) 270 s->s3->previous_server_finished_len)) {
280 { 271 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH);
281 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); 272 *al = SSL_AD_ILLEGAL_PARAMETER;
282 *al=SSL_AD_ILLEGAL_PARAMETER; 273 return 0;
283 return 0; 274 }
284 }
285#ifdef OPENSSL_RI_DEBUG 275#ifdef OPENSSL_RI_DEBUG
286 fprintf(stderr, "%s RI extension received by client\n", 276 fprintf(stderr, "%s RI extension received by client\n",
287 ilen ? "Non-empty" : "Empty"); 277 ilen ? "Non-empty" : "Empty");
288#endif 278#endif
289 s->s3->send_connection_binding=1; 279 s->s3->send_connection_binding = 1;
290 280
291 return 1; 281 return 1;
292 } 282}
diff --git a/src/lib/libssl/src/ssl/t1_srvr.c b/src/lib/libssl/src/ssl/t1_srvr.c
index f1d1565769..776bcabc46 100644
--- a/src/lib/libssl/src/ssl/t1_srvr.c
+++ b/src/lib/libssl/src/ssl/t1_srvr.c
@@ -65,8 +65,10 @@
65#include <openssl/x509.h> 65#include <openssl/x509.h>
66 66
67static const SSL_METHOD *tls1_get_server_method(int ver); 67static const SSL_METHOD *tls1_get_server_method(int ver);
68static const SSL_METHOD *tls1_get_server_method(int ver) 68
69 { 69static const SSL_METHOD
70*tls1_get_server_method(int ver)
71{
70 if (ver == TLS1_2_VERSION) 72 if (ver == TLS1_2_VERSION)
71 return TLSv1_2_server_method(); 73 return TLSv1_2_server_method();
72 if (ver == TLS1_1_VERSION) 74 if (ver == TLS1_1_VERSION)
@@ -74,20 +76,13 @@ static const SSL_METHOD *tls1_get_server_method(int ver)
74 if (ver == TLS1_VERSION) 76 if (ver == TLS1_VERSION)
75 return TLSv1_server_method(); 77 return TLSv1_server_method();
76 return NULL; 78 return NULL;
77 } 79}
78 80
79IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_server_method, 81IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_server_method,
80 ssl3_accept, 82 ssl3_accept, ssl_undefined_function, tls1_get_server_method)
81 ssl_undefined_function,
82 tls1_get_server_method)
83 83
84IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_server_method, 84IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_server_method,
85 ssl3_accept, 85 ssl3_accept, ssl_undefined_function, tls1_get_server_method)
86 ssl_undefined_function,
87 tls1_get_server_method)
88 86
89IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_server_method, 87IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_server_method,
90 ssl3_accept, 88 ssl3_accept, ssl_undefined_function, tls1_get_server_method)
91 ssl_undefined_function,
92 tls1_get_server_method)
93
diff --git a/src/lib/libssl/t1_clnt.c b/src/lib/libssl/t1_clnt.c
index 578617ed84..ac8ff7309f 100644
--- a/src/lib/libssl/t1_clnt.c
+++ b/src/lib/libssl/t1_clnt.c
@@ -64,8 +64,10 @@
64#include <openssl/evp.h> 64#include <openssl/evp.h>
65 65
66static const SSL_METHOD *tls1_get_client_method(int ver); 66static const SSL_METHOD *tls1_get_client_method(int ver);
67static const SSL_METHOD *tls1_get_client_method(int ver) 67
68 { 68static const SSL_METHOD
69*tls1_get_client_method(int ver)
70{
69 if (ver == TLS1_2_VERSION) 71 if (ver == TLS1_2_VERSION)
70 return TLSv1_2_client_method(); 72 return TLSv1_2_client_method();
71 if (ver == TLS1_1_VERSION) 73 if (ver == TLS1_1_VERSION)
@@ -73,20 +75,13 @@ static const SSL_METHOD *tls1_get_client_method(int ver)
73 if (ver == TLS1_VERSION) 75 if (ver == TLS1_VERSION)
74 return TLSv1_client_method(); 76 return TLSv1_client_method();
75 return NULL; 77 return NULL;
76 } 78}
77 79
78IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_client_method, 80IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_client_method,
79 ssl_undefined_function, 81 ssl_undefined_function, ssl3_connect, tls1_get_client_method)
80 ssl3_connect,
81 tls1_get_client_method)
82 82
83IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_client_method, 83IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_client_method,
84 ssl_undefined_function, 84 ssl_undefined_function, ssl3_connect, tls1_get_client_method)
85 ssl3_connect,
86 tls1_get_client_method)
87 85
88IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_client_method, 86IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_client_method,
89 ssl_undefined_function, 87 ssl_undefined_function, ssl3_connect, tls1_get_client_method)
90 ssl3_connect,
91 tls1_get_client_method)
92
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 0c4cddedf8..e59e883424 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -149,15 +149,12 @@
149#endif 149#endif
150 150
151/* seed1 through seed5 are virtually concatenated */ 151/* seed1 through seed5 are virtually concatenated */
152static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, 152static int
153 int sec_len, 153tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len,
154 const void *seed1, int seed1_len, 154 const void *seed1, int seed1_len, const void *seed2, int seed2_len,
155 const void *seed2, int seed2_len, 155 const void *seed3, int seed3_len, const void *seed4, int seed4_len,
156 const void *seed3, int seed3_len, 156 const void *seed5, int seed5_len, unsigned char *out, int olen)
157 const void *seed4, int seed4_len, 157{
158 const void *seed5, int seed5_len,
159 unsigned char *out, int olen)
160 {
161 int chunk; 158 int chunk;
162 size_t j; 159 size_t j;
163 EVP_MD_CTX ctx, ctx_tmp; 160 EVP_MD_CTX ctx, ctx_tmp;
@@ -165,8 +162,8 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
165 unsigned char A1[EVP_MAX_MD_SIZE]; 162 unsigned char A1[EVP_MAX_MD_SIZE];
166 size_t A1_len; 163 size_t A1_len;
167 int ret = 0; 164 int ret = 0;
168 165
169 chunk=EVP_MD_size(md); 166 chunk = EVP_MD_size(md);
170 OPENSSL_assert(chunk >= 0); 167 OPENSSL_assert(chunk >= 0);
171 168
172 EVP_MD_CTX_init(&ctx); 169 EVP_MD_CTX_init(&ctx);
@@ -176,114 +173,109 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
176 mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); 173 mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
177 if (!mac_key) 174 if (!mac_key)
178 goto err; 175 goto err;
179 if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) 176 if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
180 goto err; 177 goto err;
181 if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) 178 if (!EVP_DigestSignInit(&ctx_tmp, NULL, md, NULL, mac_key))
182 goto err; 179 goto err;
183 if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) 180 if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
184 goto err; 181 goto err;
185 if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) 182 if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
186 goto err; 183 goto err;
187 if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) 184 if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
188 goto err; 185 goto err;
189 if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) 186 if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
190 goto err; 187 goto err;
191 if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) 188 if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
192 goto err; 189 goto err;
193 if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) 190 if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
194 goto err; 191 goto err;
195 192
196 for (;;) 193 for (;;) {
197 {
198 /* Reinit mac contexts */ 194 /* Reinit mac contexts */
199 if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) 195 if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
200 goto err; 196 goto err;
201 if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) 197 if (!EVP_DigestSignInit(&ctx_tmp, NULL, md, NULL, mac_key))
202 goto err; 198 goto err;
203 if (!EVP_DigestSignUpdate(&ctx,A1,A1_len)) 199 if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
204 goto err; 200 goto err;
205 if (!EVP_DigestSignUpdate(&ctx_tmp,A1,A1_len)) 201 if (!EVP_DigestSignUpdate(&ctx_tmp, A1, A1_len))
206 goto err; 202 goto err;
207 if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) 203 if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
208 goto err; 204 goto err;
209 if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) 205 if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
210 goto err; 206 goto err;
211 if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) 207 if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
212 goto err; 208 goto err;
213 if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) 209 if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
214 goto err; 210 goto err;
215 if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) 211 if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
216 goto err; 212 goto err;
217 213
218 if (olen > chunk) 214 if (olen > chunk) {
219 { 215 if (!EVP_DigestSignFinal(&ctx, out, &j))
220 if (!EVP_DigestSignFinal(&ctx,out,&j))
221 goto err; 216 goto err;
222 out+=j; 217 out += j;
223 olen-=j; 218 olen -= j;
224 /* calc the next A1 value */ 219 /* calc the next A1 value */
225 if (!EVP_DigestSignFinal(&ctx_tmp,A1,&A1_len)) 220 if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len))
226 goto err; 221 goto err;
227 } 222 }
228 else /* last one */ 223 else /* last one */
229 { 224 {
230 if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) 225 if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
231 goto err; 226 goto err;
232 memcpy(out,A1,olen); 227 memcpy(out, A1, olen);
233 break; 228 break;
234 }
235 } 229 }
230 }
236 ret = 1; 231 ret = 1;
237err: 232err:
238 EVP_PKEY_free(mac_key); 233 EVP_PKEY_free(mac_key);
239 EVP_MD_CTX_cleanup(&ctx); 234 EVP_MD_CTX_cleanup(&ctx);
240 EVP_MD_CTX_cleanup(&ctx_tmp); 235 EVP_MD_CTX_cleanup(&ctx_tmp);
241 OPENSSL_cleanse(A1,sizeof(A1)); 236 OPENSSL_cleanse(A1, sizeof(A1));
242 return ret; 237 return ret;
243 } 238}
244 239
245/* seed1 through seed5 are virtually concatenated */ 240/* seed1 through seed5 are virtually concatenated */
246static int tls1_PRF(long digest_mask, 241static int
247 const void *seed1, int seed1_len, 242tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2,
248 const void *seed2, int seed2_len, 243 int seed2_len, const void *seed3, int seed3_len, const void *seed4,
249 const void *seed3, int seed3_len, 244 int seed4_len, const void *seed5, int seed5_len, const unsigned char *sec,
250 const void *seed4, int seed4_len, 245 int slen, unsigned char *out1, unsigned char *out2, int olen)
251 const void *seed5, int seed5_len, 246{
252 const unsigned char *sec, int slen, 247 int len, i, idx, count;
253 unsigned char *out1,
254 unsigned char *out2, int olen)
255 {
256 int len,i,idx,count;
257 const unsigned char *S1; 248 const unsigned char *S1;
258 long m; 249 long m;
259 const EVP_MD *md; 250 const EVP_MD *md;
260 int ret = 0; 251 int ret = 0;
261 252
262 /* Count number of digests and partition sec evenly */ 253 /* Count number of digests and partition sec evenly */
263 count=0; 254 count = 0;
264 for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) { 255 for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) {
265 if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) count++; 256 if ((m << TLS1_PRF_DGST_SHIFT)
266 } 257 & digest_mask) count++;
267 len=slen/count; 258 }
259 len = slen/count;
268 if (count == 1) 260 if (count == 1)
269 slen = 0; 261 slen = 0;
270 S1=sec; 262 S1 = sec;
271 memset(out1,0,olen); 263 memset(out1, 0, olen);
272 for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) { 264 for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) {
273 if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) { 265 if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) {
274 if (!md) { 266 if (!md) {
275 SSLerr(SSL_F_TLS1_PRF, 267 SSLerr(SSL_F_TLS1_PRF,
276 SSL_R_UNSUPPORTED_DIGEST_TYPE); 268 SSL_R_UNSUPPORTED_DIGEST_TYPE);
277 goto err;
278 }
279 if (!tls1_P_hash(md ,S1,len+(slen&1),
280 seed1,seed1_len,seed2,seed2_len,seed3,seed3_len,seed4,seed4_len,seed5,seed5_len,
281 out2,olen))
282 goto err; 269 goto err;
283 S1+=len; 270
284 for (i=0; i<olen; i++) 271 }
285 { 272 if (!tls1_P_hash(md , S1, len + (slen&1),
286 out1[i]^=out2[i]; 273 seed1, seed1_len, seed2, seed2_len, seed3, seed3_len, seed4, seed4_len, seed5, seed5_len,
274 out2, olen))
275 goto err;
276 S1 += len;
277 for (i = 0; i < olen; i++) {
278 out1[i] ^= out2[i];
287 } 279 }
288 } 280 }
289 } 281 }
@@ -291,41 +283,43 @@ static int tls1_PRF(long digest_mask,
291err: 283err:
292 return ret; 284 return ret;
293} 285}
294static int tls1_generate_key_block(SSL *s, unsigned char *km, 286
295 unsigned char *tmp, int num) 287static int
296 { 288tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num)
289{
297 int ret; 290 int ret;
298 ret = tls1_PRF(ssl_get_algorithm2(s), 291 ret = tls1_PRF(ssl_get_algorithm2(s),
299 TLS_MD_KEY_EXPANSION_CONST,TLS_MD_KEY_EXPANSION_CONST_SIZE, 292 TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
300 s->s3->server_random,SSL3_RANDOM_SIZE, 293 s->s3->server_random, SSL3_RANDOM_SIZE,
301 s->s3->client_random,SSL3_RANDOM_SIZE, 294 s->s3->client_random, SSL3_RANDOM_SIZE,
302 NULL,0,NULL,0, 295 NULL, 0, NULL, 0,
303 s->session->master_key,s->session->master_key_length, 296 s->session->master_key, s->session->master_key_length,
304 km,tmp,num); 297 km, tmp, num);
305#ifdef KSSL_DEBUG 298#ifdef KSSL_DEBUG
306 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", 299 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
307 s->session->master_key_length); 300 s->session->master_key_length);
308 { 301 {
309 int i; 302 int i;
310 for (i=0; i < s->session->master_key_length; i++) 303 for (i = 0; i < s->session->master_key_length; i++) {
311 { 304 printf("%02X", s->session->master_key[i]);
312 printf("%02X", s->session->master_key[i]); 305 }
313 } 306 printf("\n");
314 printf("\n"); } 307 }
315#endif /* KSSL_DEBUG */ 308#endif /* KSSL_DEBUG */
316 return ret; 309 return ret;
317 } 310}
318 311
319int tls1_change_cipher_state(SSL *s, int which) 312int
320 { 313tls1_change_cipher_state(SSL *s, int which)
314{
321 static const unsigned char empty[]=""; 315 static const unsigned char empty[]="";
322 unsigned char *p,*mac_secret; 316 unsigned char *p, *mac_secret;
323 unsigned char *exp_label; 317 unsigned char *exp_label;
324 unsigned char tmp1[EVP_MAX_KEY_LENGTH]; 318 unsigned char tmp1[EVP_MAX_KEY_LENGTH];
325 unsigned char tmp2[EVP_MAX_KEY_LENGTH]; 319 unsigned char tmp2[EVP_MAX_KEY_LENGTH];
326 unsigned char iv1[EVP_MAX_IV_LENGTH*2]; 320 unsigned char iv1[EVP_MAX_IV_LENGTH*2];
327 unsigned char iv2[EVP_MAX_IV_LENGTH*2]; 321 unsigned char iv2[EVP_MAX_IV_LENGTH*2];
328 unsigned char *ms,*key,*iv; 322 unsigned char *ms, *key, *iv;
329 int client_write; 323 int client_write;
330 EVP_CIPHER_CTX *dd; 324 EVP_CIPHER_CTX *dd;
331 const EVP_CIPHER *c; 325 const EVP_CIPHER *c;
@@ -337,36 +331,35 @@ int tls1_change_cipher_state(SSL *s, int which)
337 int *mac_secret_size; 331 int *mac_secret_size;
338 EVP_MD_CTX *mac_ctx; 332 EVP_MD_CTX *mac_ctx;
339 EVP_PKEY *mac_key; 333 EVP_PKEY *mac_key;
340 int is_export,n,i,j,k,exp_label_len,cl; 334 int is_export, n, i, j, k, exp_label_len, cl;
341 int reuse_dd = 0; 335 int reuse_dd = 0;
342 336
343 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 337 is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
344 c=s->s3->tmp.new_sym_enc; 338 c = s->s3->tmp.new_sym_enc;
345 m=s->s3->tmp.new_hash; 339 m = s->s3->tmp.new_hash;
346 mac_type = s->s3->tmp.new_mac_pkey_type; 340 mac_type = s->s3->tmp.new_mac_pkey_type;
347#ifndef OPENSSL_NO_COMP 341#ifndef OPENSSL_NO_COMP
348 comp=s->s3->tmp.new_compression; 342 comp = s->s3->tmp.new_compression;
349#endif 343#endif
350 344
351#ifdef KSSL_DEBUG 345#ifdef KSSL_DEBUG
352 printf("tls1_change_cipher_state(which= %d) w/\n", which); 346 printf("tls1_change_cipher_state(which= %d) w/\n", which);
353 printf("\talg= %ld/%ld, comp= %p\n", 347 printf("\talg= %ld/%ld, comp= %p\n",
354 s->s3->tmp.new_cipher->algorithm_mkey, 348 s->s3->tmp.new_cipher->algorithm_mkey,
355 s->s3->tmp.new_cipher->algorithm_auth, 349 s->s3->tmp.new_cipher->algorithm_auth,
356 comp); 350 comp);
357 printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); 351 printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
358 printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", 352 printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
359 c->nid,c->block_size,c->key_len,c->iv_len); 353 c->nid, c->block_size, c->key_len, c->iv_len);
360 printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); 354 printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
361 { 355 {
362 int i; 356 int i;
363 for (i=0; i<s->s3->tmp.key_block_length; i++) 357 for (i = 0; i < s->s3->tmp.key_block_length; i++)
364 printf("%02x", s->s3->tmp.key_block[i]); printf("\n"); 358 printf("%02x", s->s3->tmp.key_block[i]); printf("\n");
365 } 359 }
366#endif /* KSSL_DEBUG */ 360#endif /* KSSL_DEBUG */
367 361
368 if (which & SSL3_CC_READ) 362 if (which & SSL3_CC_READ) {
369 {
370 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 363 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
371 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 364 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
372 else 365 else
@@ -374,303 +367,285 @@ int tls1_change_cipher_state(SSL *s, int which)
374 367
375 if (s->enc_read_ctx != NULL) 368 if (s->enc_read_ctx != NULL)
376 reuse_dd = 1; 369 reuse_dd = 1;
377 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 370 else if ((s->enc_read_ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
378 goto err; 371 goto err;
379 else 372 else
380 /* make sure it's intialized in case we exit later with an error */ 373 /* make sure it's intialized in case we exit later with an error */
381 EVP_CIPHER_CTX_init(s->enc_read_ctx); 374 EVP_CIPHER_CTX_init(s->enc_read_ctx);
382 dd= s->enc_read_ctx; 375 dd = s->enc_read_ctx;
383 mac_ctx=ssl_replace_hash(&s->read_hash,NULL); 376 mac_ctx = ssl_replace_hash(&s->read_hash, NULL);
384#ifndef OPENSSL_NO_COMP 377#ifndef OPENSSL_NO_COMP
385 if (s->expand != NULL) 378 if (s->expand != NULL) {
386 {
387 COMP_CTX_free(s->expand); 379 COMP_CTX_free(s->expand);
388 s->expand=NULL; 380 s->expand = NULL;
389 } 381 }
390 if (comp != NULL) 382 if (comp != NULL) {
391 { 383 s->expand = COMP_CTX_new(comp->method);
392 s->expand=COMP_CTX_new(comp->method); 384 if (s->expand == NULL) {
393 if (s->expand == NULL) 385 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, SSL_R_COMPRESSION_LIBRARY_ERROR);
394 {
395 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
396 goto err2; 386 goto err2;
397 } 387 }
398 if (s->s3->rrec.comp == NULL) 388 if (s->s3->rrec.comp == NULL)
399 s->s3->rrec.comp=(unsigned char *) 389 s->s3->rrec.comp = (unsigned char *)
400 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); 390 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
401 if (s->s3->rrec.comp == NULL) 391 if (s->s3->rrec.comp == NULL)
402 goto err; 392 goto err;
403 } 393 }
404#endif 394#endif
405 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ 395 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
406 if (s->version != DTLS1_VERSION) 396 if (s->version != DTLS1_VERSION)
407 memset(&(s->s3->read_sequence[0]),0,8); 397 memset(&(s->s3->read_sequence[0]), 0, 8);
408 mac_secret= &(s->s3->read_mac_secret[0]); 398 mac_secret = &(s->s3->read_mac_secret[0]);
409 mac_secret_size=&(s->s3->read_mac_secret_size); 399 mac_secret_size = &(s->s3->read_mac_secret_size);
410 } 400 } else {
411 else
412 {
413 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 401 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
414 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 402 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
415 else 403 else
416 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 404 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
417 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) 405 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
418 reuse_dd = 1; 406 reuse_dd = 1;
419 else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) 407 else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL)
420 goto err; 408 goto err;
421 dd= s->enc_write_ctx; 409 dd = s->enc_write_ctx;
422 if (SSL_IS_DTLS(s)) 410 if (SSL_IS_DTLS(s)) {
423 {
424 mac_ctx = EVP_MD_CTX_create(); 411 mac_ctx = EVP_MD_CTX_create();
425 if (!mac_ctx) 412 if (!mac_ctx)
426 goto err; 413 goto err;
427 s->write_hash = mac_ctx; 414 s->write_hash = mac_ctx;
428 } 415 } else
429 else 416 mac_ctx = ssl_replace_hash(&s->write_hash, NULL);
430 mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
431#ifndef OPENSSL_NO_COMP 417#ifndef OPENSSL_NO_COMP
432 if (s->compress != NULL) 418 if (s->compress != NULL) {
433 {
434 COMP_CTX_free(s->compress); 419 COMP_CTX_free(s->compress);
435 s->compress=NULL; 420 s->compress = NULL;
436 } 421 }
437 if (comp != NULL) 422 if (comp != NULL) {
438 { 423 s->compress = COMP_CTX_new(comp->method);
439 s->compress=COMP_CTX_new(comp->method); 424 if (s->compress == NULL) {
440 if (s->compress == NULL) 425 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, SSL_R_COMPRESSION_LIBRARY_ERROR);
441 {
442 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
443 goto err2; 426 goto err2;
444 }
445 } 427 }
428 }
446#endif 429#endif
447 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ 430 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
448 if (s->version != DTLS1_VERSION) 431 if (s->version != DTLS1_VERSION)
449 memset(&(s->s3->write_sequence[0]),0,8); 432 memset(&(s->s3->write_sequence[0]), 0, 8);
450 mac_secret= &(s->s3->write_mac_secret[0]); 433 mac_secret = &(s->s3->write_mac_secret[0]);
451 mac_secret_size = &(s->s3->write_mac_secret_size); 434 mac_secret_size = &(s->s3->write_mac_secret_size);
452 } 435 }
453 436
454 if (reuse_dd) 437 if (reuse_dd)
455 EVP_CIPHER_CTX_cleanup(dd); 438 EVP_CIPHER_CTX_cleanup(dd);
456 439
457 p=s->s3->tmp.key_block; 440 p = s->s3->tmp.key_block;
458 i=*mac_secret_size=s->s3->tmp.new_mac_secret_size; 441 i=*mac_secret_size = s->s3->tmp.new_mac_secret_size;
459 442
460 cl=EVP_CIPHER_key_length(c); 443 cl = EVP_CIPHER_key_length(c);
461 j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 444 j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
462 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 445 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
463 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 446 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
464 /* If GCM mode only part of IV comes from PRF */ 447 /* If GCM mode only part of IV comes from PRF */
465 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) 448 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
466 k = EVP_GCM_TLS_FIXED_IV_LEN; 449 k = EVP_GCM_TLS_FIXED_IV_LEN;
467 else 450 else
468 k=EVP_CIPHER_iv_length(c); 451 k = EVP_CIPHER_iv_length(c);
469 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 452 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
470 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) 453 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
471 { 454 ms = &(p[0]);
472 ms= &(p[ 0]); n=i+i; 455 n = i + i;
473 key= &(p[ n]); n+=j+j; 456 key = &(p[n]);
474 iv= &(p[ n]); n+=k+k; 457 n += j + j;
475 exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; 458 iv = &(p[n]);
476 exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; 459 n += k + k;
477 client_write=1; 460 exp_label = (unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
478 } 461 exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
479 else 462 client_write = 1;
480 { 463 } else {
481 n=i; 464 n = i;
482 ms= &(p[ n]); n+=i+j; 465 ms = &(p[n]);
483 key= &(p[ n]); n+=j+k; 466 n += i + j;
484 iv= &(p[ n]); n+=k; 467 key = &(p[n]);
485 exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; 468 n += j + k;
486 exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; 469 iv = &(p[n]);
487 client_write=0; 470 n += k;
488 } 471 exp_label = (unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
472 exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
473 client_write = 0;
474 }
489 475
490 if (n > s->s3->tmp.key_block_length) 476 if (n > s->s3->tmp.key_block_length) {
491 { 477 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
492 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
493 goto err2; 478 goto err2;
494 } 479 }
495 480
496 memcpy(mac_secret,ms,i); 481 memcpy(mac_secret, ms, i);
497 482
498 if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) 483 if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) {
499 {
500 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, 484 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
501 mac_secret,*mac_secret_size); 485 mac_secret, *mac_secret_size);
502 EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key); 486 EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key);
503 EVP_PKEY_free(mac_key); 487 EVP_PKEY_free(mac_key);
504 } 488 }
505#ifdef TLS_DEBUG 489#ifdef TLS_DEBUG
506printf("which = %04X\nmac key=",which); 490 printf("which = %04X\nmac key=", which);
507{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } 491 { int z; for (z = 0; z<i; z++) printf("%02X%c", ms[z],((z+1)%16)?' ':'\n'); }
508#endif 492#endif
509 if (is_export) 493 if (is_export) {
510 {
511 /* In here I set both the read and write key/iv to the 494 /* In here I set both the read and write key/iv to the
512 * same value since only the correct one will be used :-). 495 * same value since only the correct one will be used :-).
513 */ 496 */
514 if (!tls1_PRF(ssl_get_algorithm2(s), 497 if (!tls1_PRF(ssl_get_algorithm2(s),
515 exp_label,exp_label_len, 498 exp_label, exp_label_len,
516 s->s3->client_random,SSL3_RANDOM_SIZE, 499 s->s3->client_random, SSL3_RANDOM_SIZE,
517 s->s3->server_random,SSL3_RANDOM_SIZE, 500 s->s3->server_random, SSL3_RANDOM_SIZE,
518 NULL,0,NULL,0, 501 NULL, 0, NULL, 0,
519 key,j,tmp1,tmp2,EVP_CIPHER_key_length(c))) 502 key, j, tmp1, tmp2, EVP_CIPHER_key_length(c)))
520 goto err2; 503 goto err2;
521 key=tmp1; 504 key = tmp1;
522 505
523 if (k > 0) 506 if (k > 0) {
524 {
525 if (!tls1_PRF(ssl_get_algorithm2(s), 507 if (!tls1_PRF(ssl_get_algorithm2(s),
526 TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE, 508 TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE,
527 s->s3->client_random,SSL3_RANDOM_SIZE, 509 s->s3->client_random, SSL3_RANDOM_SIZE,
528 s->s3->server_random,SSL3_RANDOM_SIZE, 510 s->s3->server_random, SSL3_RANDOM_SIZE,
529 NULL,0,NULL,0, 511 NULL, 0, NULL, 0,
530 empty,0,iv1,iv2,k*2)) 512 empty, 0, iv1, iv2, k*2))
531 goto err2; 513 goto err2;
532 if (client_write) 514 if (client_write)
533 iv=iv1; 515 iv = iv1;
534 else 516 else
535 iv= &(iv1[k]); 517 iv = &(iv1[k]);
536 }
537 } 518 }
519 }
538 520
539 s->session->key_arg_length=0; 521 s->session->key_arg_length = 0;
540#ifdef KSSL_DEBUG 522#ifdef KSSL_DEBUG
541 { 523 {
542 int i; 524 int i;
543 printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); 525 printf("EVP_CipherInit_ex(dd, c, key=, iv=, which)\n");
544 printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]); 526 printf("\tkey= "); for (i = 0; i<c->key_len; i++) printf("%02x", key[i]);
545 printf("\n"); 527 printf("\n");
546 printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]); 528 printf("\t iv= "); for (i = 0; i<c->iv_len; i++) printf("%02x", iv[i]);
547 printf("\n"); 529 printf("\n");
548 } 530 }
549#endif /* KSSL_DEBUG */ 531#endif /* KSSL_DEBUG */
550 532
551 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) 533 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) {
552 { 534 EVP_CipherInit_ex(dd, c, NULL, key, NULL,(which & SSL3_CC_WRITE));
553 EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE));
554 EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv); 535 EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv);
555 } 536 } else
556 else 537 EVP_CipherInit_ex(dd, c, NULL, key, iv,(which & SSL3_CC_WRITE));
557 EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
558 538
559 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ 539 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
560 if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) 540 if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size)
561 EVP_CIPHER_CTX_ctrl(dd,EVP_CTRL_AEAD_SET_MAC_KEY, 541 EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY,
562 *mac_secret_size,mac_secret); 542 *mac_secret_size, mac_secret);
563 543
564#ifdef TLS_DEBUG 544#ifdef TLS_DEBUG
565printf("which = %04X\nkey=",which); 545 printf("which = %04X\nkey=", which);
566{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); } 546 { int z; for (z = 0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c", key[z],((z+1)%16)?' ':'\n'); }
567printf("\niv="); 547 printf("\niv=");
568{ int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); } 548 { int z; for (z = 0; z<k; z++) printf("%02X%c", iv[z],((z+1)%16)?' ':'\n'); }
569printf("\n"); 549 printf("\n");
570#endif 550#endif
571 551
572 OPENSSL_cleanse(tmp1,sizeof(tmp1)); 552 OPENSSL_cleanse(tmp1, sizeof(tmp1));
573 OPENSSL_cleanse(tmp2,sizeof(tmp1)); 553 OPENSSL_cleanse(tmp2, sizeof(tmp1));
574 OPENSSL_cleanse(iv1,sizeof(iv1)); 554 OPENSSL_cleanse(iv1, sizeof(iv1));
575 OPENSSL_cleanse(iv2,sizeof(iv2)); 555 OPENSSL_cleanse(iv2, sizeof(iv2));
576 return(1); 556 return (1);
577err: 557err:
578 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); 558 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
579err2: 559err2:
580 return(0); 560 return (0);
581 } 561}
582 562
583int tls1_setup_key_block(SSL *s) 563int
584 { 564tls1_setup_key_block(SSL *s)
585 unsigned char *p1,*p2=NULL; 565{
566 unsigned char *p1, *p2 = NULL;
586 const EVP_CIPHER *c; 567 const EVP_CIPHER *c;
587 const EVP_MD *hash; 568 const EVP_MD *hash;
588 int num; 569 int num;
589 SSL_COMP *comp; 570 SSL_COMP *comp;
590 int mac_type= NID_undef,mac_secret_size=0; 571 int mac_type = NID_undef, mac_secret_size = 0;
591 int ret=0; 572 int ret = 0;
592 573
593#ifdef KSSL_DEBUG 574#ifdef KSSL_DEBUG
594 printf ("tls1_setup_key_block()\n"); 575 printf ("tls1_setup_key_block()\n");
595#endif /* KSSL_DEBUG */ 576#endif /* KSSL_DEBUG */
596 577
597 if (s->s3->tmp.key_block_length != 0) 578 if (s->s3->tmp.key_block_length != 0)
598 return(1); 579 return (1);
599 580
600 if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size,&comp)) 581 if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, &comp)) {
601 { 582 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
602 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 583 return (0);
603 return(0); 584 }
604 }
605 585
606 s->s3->tmp.new_sym_enc=c; 586 s->s3->tmp.new_sym_enc = c;
607 s->s3->tmp.new_hash=hash; 587 s->s3->tmp.new_hash = hash;
608 s->s3->tmp.new_mac_pkey_type = mac_type; 588 s->s3->tmp.new_mac_pkey_type = mac_type;
609 s->s3->tmp.new_mac_secret_size = mac_secret_size; 589 s->s3->tmp.new_mac_secret_size = mac_secret_size;
610 num=EVP_CIPHER_key_length(c)+mac_secret_size+EVP_CIPHER_iv_length(c); 590 num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c);
611 num*=2; 591 num*=2;
612 592
613 ssl3_cleanup_key_block(s); 593 ssl3_cleanup_key_block(s);
614 594
615 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) 595 if ((p1 = (unsigned char *)OPENSSL_malloc(num)) == NULL) {
616 { 596 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
617 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
618 goto err; 597 goto err;
619 } 598 }
620 599
621 s->s3->tmp.key_block_length=num; 600 s->s3->tmp.key_block_length = num;
622 s->s3->tmp.key_block=p1; 601 s->s3->tmp.key_block = p1;
623 602
624 if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) 603 if ((p2 = (unsigned char *)OPENSSL_malloc(num)) == NULL) {
625 { 604 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
626 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
627 goto err; 605 goto err;
628 } 606 }
629 607
630#ifdef TLS_DEBUG 608#ifdef TLS_DEBUG
631printf("client random\n"); 609 printf("client random\n");
632{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); } 610 { int z; for (z = 0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c", s->s3->client_random[z],((z+1)%16)?' ':'\n'); }
633printf("server random\n"); 611 printf("server random\n");
634{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); } 612 { int z; for (z = 0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c", s->s3->server_random[z],((z+1)%16)?' ':'\n'); }
635printf("pre-master\n"); 613 printf("pre-master\n");
636{ int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); } 614 { int z; for (z = 0; z<s->session->master_key_length; z++) printf("%02X%c", s->session->master_key[z],((z+1)%16)?' ':'\n'); }
637#endif 615#endif
638 if (!tls1_generate_key_block(s,p1,p2,num)) 616 if (!tls1_generate_key_block(s, p1, p2, num))
639 goto err; 617 goto err;
640#ifdef TLS_DEBUG 618#ifdef TLS_DEBUG
641printf("\nkey block\n"); 619 printf("\nkey block\n");
642{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } 620 { int z; for (z = 0; z<num; z++) printf("%02X%c", p1[z],((z+1)%16)?' ':'\n'); }
643#endif 621#endif
644 622
645 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) 623 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
646 && s->method->version <= TLS1_VERSION) 624 && s->method->version <= TLS1_VERSION) {
647 {
648 /* enable vulnerability countermeasure for CBC ciphers with 625 /* enable vulnerability countermeasure for CBC ciphers with
649 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 626 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
650 */ 627 */
651 s->s3->need_empty_fragments = 1; 628 s->s3->need_empty_fragments = 1;
652 629
653 if (s->session->cipher != NULL) 630 if (s->session->cipher != NULL) {
654 {
655 if (s->session->cipher->algorithm_enc == SSL_eNULL) 631 if (s->session->cipher->algorithm_enc == SSL_eNULL)
656 s->s3->need_empty_fragments = 0; 632 s->s3->need_empty_fragments = 0;
657 633
658#ifndef OPENSSL_NO_RC4 634#ifndef OPENSSL_NO_RC4
659 if (s->session->cipher->algorithm_enc == SSL_RC4) 635 if (s->session->cipher->algorithm_enc == SSL_RC4)
660 s->s3->need_empty_fragments = 0; 636 s->s3->need_empty_fragments = 0;
661#endif 637#endif
662 }
663 } 638 }
664 639 }
640
665 ret = 1; 641 ret = 1;
666err: 642err:
667 if (p2) 643 if (p2) {
668 { 644 OPENSSL_cleanse(p2, num);
669 OPENSSL_cleanse(p2,num);
670 OPENSSL_free(p2); 645 OPENSSL_free(p2);
671 }
672 return(ret);
673 } 646 }
647 return (ret);
648}
674 649
675/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. 650/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
676 * 651 *
@@ -681,176 +656,161 @@ err:
681 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, 656 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
682 * an internal error occured. 657 * an internal error occured.
683 */ 658 */
684int tls1_enc(SSL *s, int send) 659int
685 { 660tls1_enc(SSL *s, int send)
661{
686 SSL3_RECORD *rec; 662 SSL3_RECORD *rec;
687 EVP_CIPHER_CTX *ds; 663 EVP_CIPHER_CTX *ds;
688 unsigned long l; 664 unsigned long l;
689 int bs,i,j,k,pad=0,ret,mac_size=0; 665 int bs, i, j, k, pad = 0, ret, mac_size = 0;
690 const EVP_CIPHER *enc; 666 const EVP_CIPHER *enc;
691 667
692 if (send) 668 if (send) {
693 { 669 if (EVP_MD_CTX_md(s->write_hash)) {
694 if (EVP_MD_CTX_md(s->write_hash)) 670 int n = EVP_MD_CTX_size(s->write_hash);
695 {
696 int n=EVP_MD_CTX_size(s->write_hash);
697 OPENSSL_assert(n >= 0); 671 OPENSSL_assert(n >= 0);
698 } 672 }
699 ds=s->enc_write_ctx; 673 ds = s->enc_write_ctx;
700 rec= &(s->s3->wrec); 674 rec = &(s->s3->wrec);
701 if (s->enc_write_ctx == NULL) 675 if (s->enc_write_ctx == NULL)
702 enc=NULL; 676 enc = NULL;
703 else 677 else {
704 {
705 int ivlen; 678 int ivlen;
706 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 679 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
707 /* For TLSv1.1 and later explicit IV */ 680 /* For TLSv1.1 and later explicit IV */
708 if (s->version >= TLS1_1_VERSION 681 if (s->version >= TLS1_1_VERSION
709 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) 682 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
710 ivlen = EVP_CIPHER_iv_length(enc); 683 ivlen = EVP_CIPHER_iv_length(enc);
711 else 684 else
712 ivlen = 0; 685 ivlen = 0;
713 if (ivlen > 1) 686 if (ivlen > 1) {
714 { 687 if (rec->data != rec->input)
715 if ( rec->data != rec->input)
716 /* we can't write into the input stream: 688 /* we can't write into the input stream:
717 * Can this ever happen?? (steve) 689 * Can this ever happen?? (steve)
718 */ 690 */
719 fprintf(stderr, 691 fprintf(stderr,
720 "%s:%d: rec->data != rec->input\n", 692 "%s:%d: rec->data != rec->input\n",
721 __FILE__, __LINE__); 693 __FILE__, __LINE__);
722 else if (RAND_bytes(rec->input, ivlen) <= 0) 694 else if (RAND_bytes(rec->input, ivlen) <= 0)
723 return -1; 695 return -1;
724 }
725 } 696 }
726 } 697 }
727 else 698 } else {
728 { 699 if (EVP_MD_CTX_md(s->read_hash)) {
729 if (EVP_MD_CTX_md(s->read_hash)) 700 int n = EVP_MD_CTX_size(s->read_hash);
730 {
731 int n=EVP_MD_CTX_size(s->read_hash);
732 OPENSSL_assert(n >= 0); 701 OPENSSL_assert(n >= 0);
733 } 702 }
734 ds=s->enc_read_ctx; 703 ds = s->enc_read_ctx;
735 rec= &(s->s3->rrec); 704 rec = &(s->s3->rrec);
736 if (s->enc_read_ctx == NULL) 705 if (s->enc_read_ctx == NULL)
737 enc=NULL; 706 enc = NULL;
738 else 707 else
739 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 708 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
740 } 709 }
741 710
742#ifdef KSSL_DEBUG 711#ifdef KSSL_DEBUG
743 printf("tls1_enc(%d)\n", send); 712 printf("tls1_enc(%d)\n", send);
744#endif /* KSSL_DEBUG */ 713#endif /* KSSL_DEBUG */
745 714
746 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) 715 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
747 { 716 memmove(rec->data, rec->input, rec->length);
748 memmove(rec->data,rec->input,rec->length); 717 rec->input = rec->data;
749 rec->input=rec->data;
750 ret = 1; 718 ret = 1;
751 } 719 } else {
752 else 720 l = rec->length;
753 { 721 bs = EVP_CIPHER_block_size(ds->cipher);
754 l=rec->length; 722
755 bs=EVP_CIPHER_block_size(ds->cipher); 723 if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) {
756 724 unsigned char buf[13], *seq;
757 if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) 725
758 { 726 seq = send ? s->s3->write_sequence : s->s3->read_sequence;
759 unsigned char buf[13],*seq; 727
760 728 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
761 seq = send?s->s3->write_sequence:s->s3->read_sequence; 729 unsigned char dtlsseq[9], *p = dtlsseq;
762 730
763 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 731 s2n(send ? s->d1->w_epoch : s->d1->r_epoch, p);
764 { 732 memcpy(p, &seq[2], 6);
765 unsigned char dtlsseq[9],*p=dtlsseq; 733 memcpy(buf, dtlsseq, 8);
766 734 } else {
767 s2n(send?s->d1->w_epoch:s->d1->r_epoch,p); 735 memcpy(buf, seq, 8);
768 memcpy(p,&seq[2],6); 736 for (i = 7;
769 memcpy(buf,dtlsseq,8); 737 i >= 0;
770 } 738 i--) /* increment */
771 else
772 { 739 {
773 memcpy(buf,seq,8);
774 for (i=7; i>=0; i--) /* increment */
775 {
776 ++seq[i]; 740 ++seq[i];
777 if (seq[i] != 0) break; 741 if (seq[i] != 0)
778 } 742 break;
779 }
780 743
781 buf[8]=rec->type;
782 buf[9]=(unsigned char)(s->version>>8);
783 buf[10]=(unsigned char)(s->version);
784 buf[11]=rec->length>>8;
785 buf[12]=rec->length&0xff;
786 pad=EVP_CIPHER_CTX_ctrl(ds,EVP_CTRL_AEAD_TLS1_AAD,13,buf);
787 if (send)
788 {
789 l+=pad;
790 rec->length+=pad;
791 } 744 }
792 } 745 }
793 else if ((bs != 1) && send) 746
794 { 747 buf[8] = rec->type;
795 i=bs-((int)l%bs); 748 buf[9] = (unsigned char)(s->version >> 8);
749 buf[10] = (unsigned char)(s->version);
750 buf[11] = rec->length >> 8;
751 buf[12] = rec->length&0xff;
752 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf);
753 if (send) {
754 l += pad;
755 rec->length += pad;
756 }
757 } else if ((bs != 1) && send) {
758 i = bs - ((int)l % bs);
796 759
797 /* Add weird padding of upto 256 bytes */ 760 /* Add weird padding of upto 256 bytes */
798 761
799 /* we need to add 'i' padding bytes of value j */ 762 /* we need to add 'i' padding bytes of value j */
800 j=i-1; 763 j = i - 1;
801 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) 764 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
802 {
803 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) 765 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
804 j++; 766 j++;
805 }
806 for (k=(int)l; k<(int)(l+i); k++)
807 rec->input[k]=j;
808 l+=i;
809 rec->length+=i;
810 } 767 }
768 for (k = (int)l; k < (int)(l + i); k++)
769 rec->input[k] = j;
770 l += i;
771 rec->length += i;
772 }
811 773
812#ifdef KSSL_DEBUG 774#ifdef KSSL_DEBUG
813 { 775 {
814 unsigned long ui; 776 unsigned long ui;
815 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", 777 printf("EVP_Cipher(ds=%p, rec->data=%p, rec->input=%p, l=%ld) ==>\n",
816 ds,rec->data,rec->input,l); 778 ds, rec->data, rec->input, l);
817 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", 779 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
818 ds->buf_len, ds->cipher->key_len, 780 ds->buf_len, ds->cipher->key_len,
819 DES_KEY_SZ, DES_SCHEDULE_SZ, 781 DES_KEY_SZ, DES_SCHEDULE_SZ,
820 ds->cipher->iv_len); 782 ds->cipher->iv_len);
821 printf("\t\tIV: "); 783 printf("\t\tIV: ");
822 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); 784 for (i = 0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
823 printf("\n"); 785 printf("\n");
824 printf("\trec->input="); 786 printf("\trec->input=");
825 for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]); 787 for (ui = 0; ui<l; ui++) printf(" %02x", rec->input[ui]);
826 printf("\n"); 788 printf("\n");
827 } 789 }
828#endif /* KSSL_DEBUG */ 790#endif /* KSSL_DEBUG */
829 791
830 if (!send) 792 if (!send) {
831 { 793 if (l == 0 || l % bs != 0)
832 if (l == 0 || l%bs != 0)
833 return 0; 794 return 0;
834 } 795 }
835 796
836 i = EVP_Cipher(ds,rec->data,rec->input,l); 797 i = EVP_Cipher(ds, rec->data, rec->input, l);
837 if ((EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_CUSTOM_CIPHER) 798 if ((EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_CUSTOM_CIPHER)
838 ?(i<0) 799 ?(i < 0)
839 :(i==0)) 800 :(i == 0))
840 return -1; /* AEAD can fail to verify MAC */ 801 return -1; /* AEAD can fail to verify MAC */
841 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) 802 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
842 {
843 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; 803 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
844 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; 804 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
845 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 805 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
846 } 806 }
847 807
848#ifdef KSSL_DEBUG 808#ifdef KSSL_DEBUG
849 { 809 {
850 unsigned long i; 810 unsigned long i;
851 printf("\trec->data="); 811 printf("\trec->data=");
852 for (i=0; i<l; i++) 812 for (i = 0; i < l; i++)
853 printf(" %02x", rec->data[i]); printf("\n"); 813 printf(" %02x", rec->data[i]); printf("\n");
854 } 814 }
855#endif /* KSSL_DEBUG */ 815#endif /* KSSL_DEBUG */
856 816
@@ -861,97 +821,93 @@ int tls1_enc(SSL *s, int send)
861 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); 821 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
862 if (pad && !send) 822 if (pad && !send)
863 rec->length -= pad; 823 rec->length -= pad;
864 }
865 return ret;
866 } 824 }
825 return ret;
826}
867 827
868int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) 828int
869 { 829tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
830{
870 unsigned int ret; 831 unsigned int ret;
871 EVP_MD_CTX ctx, *d=NULL; 832 EVP_MD_CTX ctx, *d = NULL;
872 int i; 833 int i;
873 834
874 if (s->s3->handshake_buffer) 835 if (s->s3->handshake_buffer)
875 if (!ssl3_digest_cached_records(s)) 836 if (!ssl3_digest_cached_records(s))
876 return 0; 837 return 0;
877 838
878 for (i=0;i<SSL_MAX_DIGEST;i++) 839 for (i = 0; i < SSL_MAX_DIGEST; i++) {
879 { 840 if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
880 if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid) 841 d = s->s3->handshake_dgst[i];
881 {
882 d=s->s3->handshake_dgst[i];
883 break; 842 break;
884 }
885 } 843 }
844 }
886 if (!d) { 845 if (!d) {
887 SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST); 846 SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC, SSL_R_NO_REQUIRED_DIGEST);
888 return 0; 847 return 0;
889 } 848 }
890 849
891 EVP_MD_CTX_init(&ctx); 850 EVP_MD_CTX_init(&ctx);
892 EVP_MD_CTX_copy_ex(&ctx,d); 851 EVP_MD_CTX_copy_ex(&ctx, d);
893 EVP_DigestFinal_ex(&ctx,out,&ret); 852 EVP_DigestFinal_ex(&ctx, out, &ret);
894 EVP_MD_CTX_cleanup(&ctx); 853 EVP_MD_CTX_cleanup(&ctx);
895 return((int)ret); 854 return ((int)ret);
896 } 855}
897 856
898int tls1_final_finish_mac(SSL *s, 857int
899 const char *str, int slen, unsigned char *out) 858tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out)
900 { 859{
901 unsigned int i; 860 unsigned int i;
902 EVP_MD_CTX ctx; 861 EVP_MD_CTX ctx;
903 unsigned char buf[2*EVP_MAX_MD_SIZE]; 862 unsigned char buf[2*EVP_MAX_MD_SIZE];
904 unsigned char *q,buf2[12]; 863 unsigned char *q, buf2[12];
905 int idx; 864 int idx;
906 long mask; 865 long mask;
907 int err=0; 866 int err = 0;
908 const EVP_MD *md; 867 const EVP_MD *md;
868
909 869
910 q=buf; 870 q = buf;
911 871
912 if (s->s3->handshake_buffer) 872 if (s->s3->handshake_buffer)
913 if (!ssl3_digest_cached_records(s)) 873 if (!ssl3_digest_cached_records(s))
914 return 0; 874 return 0;
915 875
916 EVP_MD_CTX_init(&ctx); 876 EVP_MD_CTX_init(&ctx);
917 877
918 for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++) 878 for (idx = 0; ssl_get_handshake_digest(idx, &mask, &md); idx++) {
919 { 879 if (mask & ssl_get_algorithm2(s)) {
920 if (mask & ssl_get_algorithm2(s))
921 {
922 int hashsize = EVP_MD_size(md); 880 int hashsize = EVP_MD_size(md);
923 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; 881 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
924 if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) 882 if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q - buf))) {
925 {
926 /* internal error: 'buf' is too small for this cipersuite! */ 883 /* internal error: 'buf' is too small for this cipersuite! */
927 err = 1; 884 err = 1;
928 } 885 } else {
929 else
930 {
931 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || 886 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
932 !EVP_DigestFinal_ex(&ctx,q,&i) || 887 !EVP_DigestFinal_ex(&ctx, q, &i) ||
933 (i != (unsigned int)hashsize)) 888 (i != (unsigned int)hashsize))
934 err = 1; 889 err = 1;
935 q+=hashsize; 890 q += hashsize;
936 }
937 } 891 }
938 } 892 }
939 893 }
894
940 if (!tls1_PRF(ssl_get_algorithm2(s), 895 if (!tls1_PRF(ssl_get_algorithm2(s),
941 str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0, 896 str, slen, buf,(int)(q - buf), NULL, 0, NULL, 0, NULL, 0,
942 s->session->master_key,s->session->master_key_length, 897 s->session->master_key, s->session->master_key_length,
943 out,buf2,sizeof buf2)) 898 out, buf2, sizeof buf2))
944 err = 1; 899 err = 1;
945 EVP_MD_CTX_cleanup(&ctx); 900 EVP_MD_CTX_cleanup(&ctx);
946 901
947 if (err) 902 if (err)
948 return 0; 903 return 0;
949 else 904 else
950 return sizeof buf2; 905 return sizeof buf2;
951 } 906}
952 907
953int tls1_mac(SSL *ssl, unsigned char *md, int send) 908int
954 { 909tls1_mac(SSL *ssl, unsigned char *md, int send)
910{
955 SSL3_RECORD *rec; 911 SSL3_RECORD *rec;
956 unsigned char *seq; 912 unsigned char *seq;
957 EVP_MD_CTX *hash; 913 EVP_MD_CTX *hash;
@@ -959,152 +915,141 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
959 int i; 915 int i;
960 EVP_MD_CTX hmac, *mac_ctx; 916 EVP_MD_CTX hmac, *mac_ctx;
961 unsigned char header[13]; 917 unsigned char header[13];
962 int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); 918 int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) : (ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
963 int t; 919 int t;
964 920
965 if (send) 921 if (send) {
966 { 922 rec = &(ssl->s3->wrec);
967 rec= &(ssl->s3->wrec); 923 seq = &(ssl->s3->write_sequence[0]);
968 seq= &(ssl->s3->write_sequence[0]); 924 hash = ssl->write_hash;
969 hash=ssl->write_hash; 925 } else {
970 } 926 rec = &(ssl->s3->rrec);
971 else 927 seq = &(ssl->s3->read_sequence[0]);
972 { 928 hash = ssl->read_hash;
973 rec= &(ssl->s3->rrec); 929 }
974 seq= &(ssl->s3->read_sequence[0]);
975 hash=ssl->read_hash;
976 }
977 930
978 t=EVP_MD_CTX_size(hash); 931 t = EVP_MD_CTX_size(hash);
979 OPENSSL_assert(t >= 0); 932 OPENSSL_assert(t >= 0);
980 md_size=t; 933 md_size = t;
981 934
982 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 935 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
983 if (stream_mac) 936 if (stream_mac) {
984 { 937 mac_ctx = hash;
985 mac_ctx = hash; 938 } else {
986 } 939 if (!EVP_MD_CTX_copy(&hmac, hash))
987 else 940 return -1;
988 { 941 mac_ctx = &hmac;
989 if (!EVP_MD_CTX_copy(&hmac,hash)) 942 }
990 return -1;
991 mac_ctx = &hmac;
992 }
993 943
994 if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER) 944 if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER) {
995 { 945 unsigned char dtlsseq[8], *p = dtlsseq;
996 unsigned char dtlsseq[8],*p=dtlsseq;
997 946
998 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); 947 s2n(send ? ssl->d1->w_epoch : ssl->d1->r_epoch, p);
999 memcpy (p,&seq[2],6); 948 memcpy (p, &seq[2], 6);
1000 949
1001 memcpy(header, dtlsseq, 8); 950 memcpy(header, dtlsseq, 8);
1002 } 951 } else
1003 else
1004 memcpy(header, seq, 8); 952 memcpy(header, seq, 8);
1005 953
1006 /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ 954 /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */
1007 orig_len = rec->length+md_size+((unsigned int)rec->type>>8); 955 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
1008 rec->type &= 0xff; 956 rec->type &= 0xff;
1009 957
1010 header[8]=rec->type; 958 header[8] = rec->type;
1011 header[9]=(unsigned char)(ssl->version>>8); 959 header[9] = (unsigned char)(ssl->version >> 8);
1012 header[10]=(unsigned char)(ssl->version); 960 header[10] = (unsigned char)(ssl->version);
1013 header[11]=(rec->length)>>8; 961 header[11] = (rec->length) >> 8;
1014 header[12]=(rec->length)&0xff; 962 header[12] = (rec->length)&0xff;
1015 963
1016 if (!send && 964 if (!send &&
1017 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 965 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1018 ssl3_cbc_record_digest_supported(mac_ctx)) 966 ssl3_cbc_record_digest_supported(mac_ctx)) {
1019 {
1020 /* This is a CBC-encrypted record. We must avoid leaking any 967 /* This is a CBC-encrypted record. We must avoid leaking any
1021 * timing-side channel information about how many blocks of 968 * timing-side channel information about how many blocks of
1022 * data we are hashing because that gives an attacker a 969 * data we are hashing because that gives an attacker a
1023 * timing-oracle. */ 970 * timing-oracle. */
1024 ssl3_cbc_digest_record( 971 ssl3_cbc_digest_record(
1025 mac_ctx, 972 mac_ctx,
1026 md, &md_size, 973 md, &md_size,
1027 header, rec->input, 974 header, rec->input,
1028 rec->length + md_size, orig_len, 975 rec->length + md_size, orig_len,
1029 ssl->s3->read_mac_secret, 976 ssl->s3->read_mac_secret,
1030 ssl->s3->read_mac_secret_size, 977 ssl->s3->read_mac_secret_size,
1031 0 /* not SSLv3 */); 978 0 /* not SSLv3 */);
1032 } 979 } else {
1033 else 980 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
1034 { 981 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
1035 EVP_DigestSignUpdate(mac_ctx,header,sizeof(header)); 982 t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
1036 EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
1037 t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
1038 OPENSSL_assert(t > 0); 983 OPENSSL_assert(t > 0);
1039#ifdef OPENSSL_FIPS 984#ifdef OPENSSL_FIPS
1040 if (!send && FIPS_mode()) 985 if (!send && FIPS_mode())
1041 tls_fips_digest_extra( 986 tls_fips_digest_extra(
1042 ssl->enc_read_ctx, 987 ssl->enc_read_ctx,
1043 mac_ctx, rec->input, 988 mac_ctx, rec->input,
1044 rec->length, orig_len); 989 rec->length, orig_len);
1045#endif 990#endif
1046 } 991 }
1047 992
1048 if (!stream_mac) 993 if (!stream_mac)
1049 EVP_MD_CTX_cleanup(&hmac); 994 EVP_MD_CTX_cleanup(&hmac);
1050#ifdef TLS_DEBUG 995#ifdef TLS_DEBUG
1051printf("sec="); 996 printf("sec=");
1052{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } 997 {unsigned int z; for (z = 0; z<md_size; z++) printf("%02X ", mac_sec[z]); printf("\n"); }
1053printf("seq="); 998 printf("seq=");
1054{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } 999 {int z; for (z = 0; z<8; z++) printf("%02X ", seq[z]); printf("\n"); }
1055printf("buf="); 1000 printf("buf=");
1056{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); } 1001 {int z; for (z = 0; z<5; z++) printf("%02X ", buf[z]); printf("\n"); }
1057printf("rec="); 1002 printf("rec=");
1058{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } 1003 {unsigned int z; for (z = 0; z<rec->length; z++) printf("%02X ", buf[z]); printf("\n"); }
1059#endif 1004#endif
1060 1005
1061 if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER) 1006 if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER) {
1062 { 1007 for (i = 7; i >= 0; i--) {
1063 for (i=7; i>=0; i--)
1064 {
1065 ++seq[i]; 1008 ++seq[i];
1066 if (seq[i] != 0) break; 1009 if (seq[i] != 0)
1067 } 1010 break;
1011
1068 } 1012 }
1013 }
1069 1014
1070#ifdef TLS_DEBUG 1015#ifdef TLS_DEBUG
1071{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } 1016 {unsigned int z; for (z = 0; z<md_size; z++) printf("%02X ", md[z]); printf("\n"); }
1072#endif 1017#endif
1073 return(md_size); 1018 return (md_size);
1074 } 1019}
1075 1020
1076int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 1021int
1077 int len) 1022tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
1078 { 1023 int len)
1024{
1079 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; 1025 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
1080 const void *co = NULL, *so = NULL; 1026 const void *co = NULL, *so = NULL;
1081 int col = 0, sol = 0; 1027 int col = 0, sol = 0;
1082 1028
1083 1029
1084#ifdef KSSL_DEBUG 1030#ifdef KSSL_DEBUG
1085 printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len); 1031 printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s, out, p, len);
1086#endif /* KSSL_DEBUG */ 1032#endif /* KSSL_DEBUG */
1087 1033
1088#ifdef TLSEXT_TYPE_opaque_prf_input 1034#ifdef TLSEXT_TYPE_opaque_prf_input
1089 if (s->s3->client_opaque_prf_input != NULL && s->s3->server_opaque_prf_input != NULL && 1035 if (s->s3->client_opaque_prf_input != NULL && s->s3->server_opaque_prf_input != NULL &&
1090 s->s3->client_opaque_prf_input_len > 0 && 1036 s->s3->client_opaque_prf_input_len > 0 &&
1091 s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input_len) 1037 s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input_len) {
1092 {
1093 co = s->s3->client_opaque_prf_input; 1038 co = s->s3->client_opaque_prf_input;
1094 col = s->s3->server_opaque_prf_input_len; 1039 col = s->s3->server_opaque_prf_input_len;
1095 so = s->s3->server_opaque_prf_input; 1040 so = s->s3->server_opaque_prf_input;
1096 sol = s->s3->client_opaque_prf_input_len; /* must be same as col (see draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */ 1041 sol = s->s3->client_opaque_prf_input_len; /* must be same as col (see draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */
1097 } 1042 }
1098#endif 1043#endif
1099 1044
1100 tls1_PRF(ssl_get_algorithm2(s), 1045 tls1_PRF(ssl_get_algorithm2(s),
1101 TLS_MD_MASTER_SECRET_CONST,TLS_MD_MASTER_SECRET_CONST_SIZE, 1046 TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE,
1102 s->s3->client_random,SSL3_RANDOM_SIZE, 1047 s->s3->client_random, SSL3_RANDOM_SIZE,
1103 co, col, 1048 co, col,
1104 s->s3->server_random,SSL3_RANDOM_SIZE, 1049 s->s3->server_random, SSL3_RANDOM_SIZE,
1105 so, sol, 1050 so, sol,
1106 p,len, 1051 p, len,
1107 s->session->master_key,buff,sizeof buff); 1052 s->session->master_key, buff, sizeof buff);
1108#ifdef SSL_DEBUG 1053#ifdef SSL_DEBUG
1109 fprintf(stderr, "Premaster Secret:\n"); 1054 fprintf(stderr, "Premaster Secret:\n");
1110 BIO_dump_fp(stderr, (char *)p, len); 1055 BIO_dump_fp(stderr, (char *)p, len);
@@ -1119,13 +1064,14 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
1119#ifdef KSSL_DEBUG 1064#ifdef KSSL_DEBUG
1120 printf ("tls1_generate_master_secret() complete\n"); 1065 printf ("tls1_generate_master_secret() complete\n");
1121#endif /* KSSL_DEBUG */ 1066#endif /* KSSL_DEBUG */
1122 return(SSL3_MASTER_SECRET_SIZE); 1067 return (SSL3_MASTER_SECRET_SIZE);
1123 } 1068}
1124 1069
1125int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, 1070int
1126 const char *label, size_t llen, const unsigned char *context, 1071tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1127 size_t contextlen, int use_context) 1072 const char *label, size_t llen, const unsigned char *context,
1128 { 1073 size_t contextlen, int use_context)
1074{
1129 unsigned char *buff; 1075 unsigned char *buff;
1130 unsigned char *val = NULL; 1076 unsigned char *val = NULL;
1131 size_t vallen, currentvalpos; 1077 size_t vallen, currentvalpos;
@@ -1136,7 +1082,8 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1136#endif /* KSSL_DEBUG */ 1082#endif /* KSSL_DEBUG */
1137 1083
1138 buff = OPENSSL_malloc(olen); 1084 buff = OPENSSL_malloc(olen);
1139 if (buff == NULL) goto err2; 1085 if (buff == NULL)
1086 goto err2;
1140 1087
1141 /* construct PRF arguments 1088 /* construct PRF arguments
1142 * we construct the PRF argument ourself rather than passing separate 1089 * we construct the PRF argument ourself rather than passing separate
@@ -1144,13 +1091,13 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1144 * does not create a prohibited label. 1091 * does not create a prohibited label.
1145 */ 1092 */
1146 vallen = llen + SSL3_RANDOM_SIZE * 2; 1093 vallen = llen + SSL3_RANDOM_SIZE * 2;
1147 if (use_context) 1094 if (use_context) {
1148 {
1149 vallen += 2 + contextlen; 1095 vallen += 2 + contextlen;
1150 } 1096 }
1151 1097
1152 val = OPENSSL_malloc(vallen); 1098 val = OPENSSL_malloc(vallen);
1153 if (val == NULL) goto err2; 1099 if (val == NULL)
1100 goto err2;
1154 currentvalpos = 0; 1101 currentvalpos = 0;
1155 memcpy(val + currentvalpos, (unsigned char *) label, llen); 1102 memcpy(val + currentvalpos, (unsigned char *) label, llen);
1156 currentvalpos += llen; 1103 currentvalpos += llen;
@@ -1159,17 +1106,15 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1159 memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); 1106 memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
1160 currentvalpos += SSL3_RANDOM_SIZE; 1107 currentvalpos += SSL3_RANDOM_SIZE;
1161 1108
1162 if (use_context) 1109 if (use_context) {
1163 {
1164 val[currentvalpos] = (contextlen >> 8) & 0xff; 1110 val[currentvalpos] = (contextlen >> 8) & 0xff;
1165 currentvalpos++; 1111 currentvalpos++;
1166 val[currentvalpos] = contextlen & 0xff; 1112 val[currentvalpos] = contextlen & 0xff;
1167 currentvalpos++; 1113 currentvalpos++;
1168 if ((contextlen > 0) || (context != NULL)) 1114 if ((contextlen > 0) || (context != NULL)) {
1169 {
1170 memcpy(val + currentvalpos, context, contextlen); 1115 memcpy(val + currentvalpos, context, contextlen);
1171 }
1172 } 1116 }
1117 }
1173 1118
1174 /* disallow prohibited labels 1119 /* disallow prohibited labels
1175 * note that SSL3_RANDOM_SIZE > max(prohibited label len) = 1120 * note that SSL3_RANDOM_SIZE > max(prohibited label len) =
@@ -1177,22 +1122,22 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1177 * comparisons won't have buffer overflow 1122 * comparisons won't have buffer overflow
1178 */ 1123 */
1179 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 1124 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
1180 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1; 1125 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1;
1181 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 1126 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
1182 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1; 1127 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1;
1183 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 1128 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
1184 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1; 1129 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1;
1185 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 1130 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
1186 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1; 1131 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1;
1187 1132
1188 rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2, 1133 rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
1189 val, vallen, 1134 val, vallen,
1190 NULL, 0, 1135 NULL, 0,
1191 NULL, 0, 1136 NULL, 0,
1192 NULL, 0, 1137 NULL, 0,
1193 NULL, 0, 1138 NULL, 0,
1194 s->session->master_key,s->session->master_key_length, 1139 s->session->master_key, s->session->master_key_length,
1195 out,buff,olen); 1140 out, buff, olen);
1196 1141
1197#ifdef KSSL_DEBUG 1142#ifdef KSSL_DEBUG
1198 printf ("tls1_export_keying_material() complete\n"); 1143 printf ("tls1_export_keying_material() complete\n");
@@ -1206,49 +1151,82 @@ err2:
1206 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE); 1151 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
1207 rv = 0; 1152 rv = 0;
1208ret: 1153ret:
1209 if (buff != NULL) OPENSSL_free(buff); 1154 if (buff != NULL)
1210 if (val != NULL) OPENSSL_free(val); 1155 OPENSSL_free(buff);
1211 return(rv); 1156 if (val != NULL)
1212 } 1157 OPENSSL_free(val);
1158 return (rv);
1159}
1213 1160
1214int tls1_alert_code(int code) 1161int
1215 { 1162tls1_alert_code(int code)
1216 switch (code) 1163{
1217 { 1164 switch (code) {
1218 case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY); 1165 case SSL_AD_CLOSE_NOTIFY:
1219 case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE); 1166 return (SSL3_AD_CLOSE_NOTIFY);
1220 case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC); 1167 case SSL_AD_UNEXPECTED_MESSAGE:
1221 case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED); 1168 return (SSL3_AD_UNEXPECTED_MESSAGE);
1222 case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW); 1169 case SSL_AD_BAD_RECORD_MAC:
1223 case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE); 1170 return (SSL3_AD_BAD_RECORD_MAC);
1224 case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE); 1171 case SSL_AD_DECRYPTION_FAILED:
1225 case SSL_AD_NO_CERTIFICATE: return(-1); 1172 return (TLS1_AD_DECRYPTION_FAILED);
1226 case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE); 1173 case SSL_AD_RECORD_OVERFLOW:
1227 case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE); 1174 return (TLS1_AD_RECORD_OVERFLOW);
1228 case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED); 1175 case SSL_AD_DECOMPRESSION_FAILURE:
1229 case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED); 1176 return (SSL3_AD_DECOMPRESSION_FAILURE);
1230 case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN); 1177 case SSL_AD_HANDSHAKE_FAILURE:
1231 case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER); 1178 return (SSL3_AD_HANDSHAKE_FAILURE);
1232 case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA); 1179 case SSL_AD_NO_CERTIFICATE:
1233 case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED); 1180 return (-1);
1234 case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR); 1181 case SSL_AD_BAD_CERTIFICATE:
1235 case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR); 1182 return (SSL3_AD_BAD_CERTIFICATE);
1236 case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION); 1183 case SSL_AD_UNSUPPORTED_CERTIFICATE:
1237 case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION); 1184 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
1238 case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY); 1185 case SSL_AD_CERTIFICATE_REVOKED:
1239 case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); 1186 return (SSL3_AD_CERTIFICATE_REVOKED);
1240 case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED); 1187 case SSL_AD_CERTIFICATE_EXPIRED:
1241 case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); 1188 return (SSL3_AD_CERTIFICATE_EXPIRED);
1242 case SSL_AD_UNSUPPORTED_EXTENSION: return(TLS1_AD_UNSUPPORTED_EXTENSION); 1189 case SSL_AD_CERTIFICATE_UNKNOWN:
1243 case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(TLS1_AD_CERTIFICATE_UNOBTAINABLE); 1190 return (SSL3_AD_CERTIFICATE_UNKNOWN);
1244 case SSL_AD_UNRECOGNIZED_NAME: return(TLS1_AD_UNRECOGNIZED_NAME); 1191 case SSL_AD_ILLEGAL_PARAMETER:
1245 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); 1192 return (SSL3_AD_ILLEGAL_PARAMETER);
1246 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); 1193 case SSL_AD_UNKNOWN_CA:
1247 case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); 1194 return (TLS1_AD_UNKNOWN_CA);
1195 case SSL_AD_ACCESS_DENIED:
1196 return (TLS1_AD_ACCESS_DENIED);
1197 case SSL_AD_DECODE_ERROR:
1198 return (TLS1_AD_DECODE_ERROR);
1199 case SSL_AD_DECRYPT_ERROR:
1200 return (TLS1_AD_DECRYPT_ERROR);
1201 case SSL_AD_EXPORT_RESTRICTION:
1202 return (TLS1_AD_EXPORT_RESTRICTION);
1203 case SSL_AD_PROTOCOL_VERSION:
1204 return (TLS1_AD_PROTOCOL_VERSION);
1205 case SSL_AD_INSUFFICIENT_SECURITY:
1206 return (TLS1_AD_INSUFFICIENT_SECURITY);
1207 case SSL_AD_INTERNAL_ERROR:
1208 return (TLS1_AD_INTERNAL_ERROR);
1209 case SSL_AD_USER_CANCELLED:
1210 return (TLS1_AD_USER_CANCELLED);
1211 case SSL_AD_NO_RENEGOTIATION:
1212 return (TLS1_AD_NO_RENEGOTIATION);
1213 case SSL_AD_UNSUPPORTED_EXTENSION:
1214 return (TLS1_AD_UNSUPPORTED_EXTENSION);
1215 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
1216 return (TLS1_AD_CERTIFICATE_UNOBTAINABLE);
1217 case SSL_AD_UNRECOGNIZED_NAME:
1218 return (TLS1_AD_UNRECOGNIZED_NAME);
1219 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
1220 return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
1221 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
1222 return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
1223 case SSL_AD_UNKNOWN_PSK_IDENTITY:
1224 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
1248#if 0 /* not appropriate for TLS, not used for DTLS */ 1225#if 0 /* not appropriate for TLS, not used for DTLS */
1249 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 1226 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE : return
1250 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); 1227 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
1251#endif 1228#endif
1252 default: return(-1); 1229 default:
1253 } 1230 return (-1);
1254 } 1231 }
1232}
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index bddffd92cc..08f7a444ad 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -120,12 +120,13 @@
120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 121
122#ifndef OPENSSL_NO_TLSEXT 122#ifndef OPENSSL_NO_TLSEXT
123static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123static int
124 const unsigned char *sess_id, int sesslen, 124tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
125 SSL_SESSION **psess); 125 const unsigned char *sess_id, int sesslen,
126 SSL_SESSION **psess);
126#endif 127#endif
127 128
128SSL3_ENC_METHOD TLSv1_enc_data={ 129SSL3_ENC_METHOD TLSv1_enc_data = {
129 tls1_enc, 130 tls1_enc,
130 tls1_mac, 131 tls1_mac,
131 tls1_setup_key_block, 132 tls1_setup_key_block,
@@ -134,171 +135,173 @@ SSL3_ENC_METHOD TLSv1_enc_data={
134 tls1_final_finish_mac, 135 tls1_final_finish_mac,
135 TLS1_FINISH_MAC_LENGTH, 136 TLS1_FINISH_MAC_LENGTH,
136 tls1_cert_verify_mac, 137 tls1_cert_verify_mac,
137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 138 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 139 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
139 tls1_alert_code, 140 tls1_alert_code,
140 tls1_export_keying_material, 141 tls1_export_keying_material,
141 }; 142};
142 143
143long tls1_default_timeout(void) 144long
144 { 145tls1_default_timeout(void)
146{
145 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 147 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146 * is way too long for http, the cache would over fill */ 148 * is way too long for http, the cache would over fill */
147 return(60*60*2); 149 return (60*60*2);
148 } 150}
149 151
150int tls1_new(SSL *s) 152int
151 { 153tls1_new(SSL *s)
152 if (!ssl3_new(s)) return(0); 154{
153 s->method->ssl_clear(s); 155 if (!ssl3_new(s)) return (0);
154 return(1); 156 s->method->ssl_clear(s);
155 } 157 return (1);
158}
156 159
157void tls1_free(SSL *s) 160void
158 { 161tls1_free(SSL *s)
162{
159#ifndef OPENSSL_NO_TLSEXT 163#ifndef OPENSSL_NO_TLSEXT
160 if (s->tlsext_session_ticket) 164 if (s->tlsext_session_ticket) {
161 {
162 OPENSSL_free(s->tlsext_session_ticket); 165 OPENSSL_free(s->tlsext_session_ticket);
163 } 166 }
164#endif /* OPENSSL_NO_TLSEXT */ 167#endif /* OPENSSL_NO_TLSEXT */
165 ssl3_free(s); 168 ssl3_free(s);
166 } 169}
167 170
168void tls1_clear(SSL *s) 171void
169 { 172tls1_clear(SSL *s)
173{
170 ssl3_clear(s); 174 ssl3_clear(s);
171 s->version = s->method->version; 175 s->version = s->method->version;
172 } 176}
173 177
174#ifndef OPENSSL_NO_EC 178#ifndef OPENSSL_NO_EC
175 179
176static int nid_list[] = 180static int nid_list[] = {
177 { 181 NID_sect163k1, /* sect163k1 (1) */
178 NID_sect163k1, /* sect163k1 (1) */ 182 NID_sect163r1, /* sect163r1 (2) */
179 NID_sect163r1, /* sect163r1 (2) */ 183 NID_sect163r2, /* sect163r2 (3) */
180 NID_sect163r2, /* sect163r2 (3) */ 184 NID_sect193r1, /* sect193r1 (4) */
181 NID_sect193r1, /* sect193r1 (4) */ 185 NID_sect193r2, /* sect193r2 (5) */
182 NID_sect193r2, /* sect193r2 (5) */ 186 NID_sect233k1, /* sect233k1 (6) */
183 NID_sect233k1, /* sect233k1 (6) */ 187 NID_sect233r1, /* sect233r1 (7) */
184 NID_sect233r1, /* sect233r1 (7) */ 188 NID_sect239k1, /* sect239k1 (8) */
185 NID_sect239k1, /* sect239k1 (8) */ 189 NID_sect283k1, /* sect283k1 (9) */
186 NID_sect283k1, /* sect283k1 (9) */ 190 NID_sect283r1, /* sect283r1 (10) */
187 NID_sect283r1, /* sect283r1 (10) */ 191 NID_sect409k1, /* sect409k1 (11) */
188 NID_sect409k1, /* sect409k1 (11) */ 192 NID_sect409r1, /* sect409r1 (12) */
189 NID_sect409r1, /* sect409r1 (12) */ 193 NID_sect571k1, /* sect571k1 (13) */
190 NID_sect571k1, /* sect571k1 (13) */ 194 NID_sect571r1, /* sect571r1 (14) */
191 NID_sect571r1, /* sect571r1 (14) */ 195 NID_secp160k1, /* secp160k1 (15) */
192 NID_secp160k1, /* secp160k1 (15) */ 196 NID_secp160r1, /* secp160r1 (16) */
193 NID_secp160r1, /* secp160r1 (16) */ 197 NID_secp160r2, /* secp160r2 (17) */
194 NID_secp160r2, /* secp160r2 (17) */ 198 NID_secp192k1, /* secp192k1 (18) */
195 NID_secp192k1, /* secp192k1 (18) */ 199 NID_X9_62_prime192v1, /* secp192r1 (19) */
196 NID_X9_62_prime192v1, /* secp192r1 (19) */ 200 NID_secp224k1, /* secp224k1 (20) */
197 NID_secp224k1, /* secp224k1 (20) */ 201 NID_secp224r1, /* secp224r1 (21) */
198 NID_secp224r1, /* secp224r1 (21) */ 202 NID_secp256k1, /* secp256k1 (22) */
199 NID_secp256k1, /* secp256k1 (22) */ 203 NID_X9_62_prime256v1, /* secp256r1 (23) */
200 NID_X9_62_prime256v1, /* secp256r1 (23) */ 204 NID_secp384r1, /* secp384r1 (24) */
201 NID_secp384r1, /* secp384r1 (24) */ 205 NID_secp521r1 /* secp521r1 (25) */
202 NID_secp521r1 /* secp521r1 (25) */ 206};
203 };
204 207
205static int pref_list[] = 208static int pref_list[] = {
206 { 209 NID_sect571r1, /* sect571r1 (14) */
207 NID_sect571r1, /* sect571r1 (14) */ 210 NID_sect571k1, /* sect571k1 (13) */
208 NID_sect571k1, /* sect571k1 (13) */ 211 NID_secp521r1, /* secp521r1 (25) */
209 NID_secp521r1, /* secp521r1 (25) */ 212 NID_sect409k1, /* sect409k1 (11) */
210 NID_sect409k1, /* sect409k1 (11) */ 213 NID_sect409r1, /* sect409r1 (12) */
211 NID_sect409r1, /* sect409r1 (12) */ 214 NID_secp384r1, /* secp384r1 (24) */
212 NID_secp384r1, /* secp384r1 (24) */ 215 NID_sect283k1, /* sect283k1 (9) */
213 NID_sect283k1, /* sect283k1 (9) */ 216 NID_sect283r1, /* sect283r1 (10) */
214 NID_sect283r1, /* sect283r1 (10) */ 217 NID_secp256k1, /* secp256k1 (22) */
215 NID_secp256k1, /* secp256k1 (22) */ 218 NID_X9_62_prime256v1, /* secp256r1 (23) */
216 NID_X9_62_prime256v1, /* secp256r1 (23) */ 219 NID_sect239k1, /* sect239k1 (8) */
217 NID_sect239k1, /* sect239k1 (8) */ 220 NID_sect233k1, /* sect233k1 (6) */
218 NID_sect233k1, /* sect233k1 (6) */ 221 NID_sect233r1, /* sect233r1 (7) */
219 NID_sect233r1, /* sect233r1 (7) */ 222 NID_secp224k1, /* secp224k1 (20) */
220 NID_secp224k1, /* secp224k1 (20) */ 223 NID_secp224r1, /* secp224r1 (21) */
221 NID_secp224r1, /* secp224r1 (21) */ 224 NID_sect193r1, /* sect193r1 (4) */
222 NID_sect193r1, /* sect193r1 (4) */ 225 NID_sect193r2, /* sect193r2 (5) */
223 NID_sect193r2, /* sect193r2 (5) */ 226 NID_secp192k1, /* secp192k1 (18) */
224 NID_secp192k1, /* secp192k1 (18) */ 227 NID_X9_62_prime192v1, /* secp192r1 (19) */
225 NID_X9_62_prime192v1, /* secp192r1 (19) */ 228 NID_sect163k1, /* sect163k1 (1) */
226 NID_sect163k1, /* sect163k1 (1) */ 229 NID_sect163r1, /* sect163r1 (2) */
227 NID_sect163r1, /* sect163r1 (2) */ 230 NID_sect163r2, /* sect163r2 (3) */
228 NID_sect163r2, /* sect163r2 (3) */ 231 NID_secp160k1, /* secp160k1 (15) */
229 NID_secp160k1, /* secp160k1 (15) */ 232 NID_secp160r1, /* secp160r1 (16) */
230 NID_secp160r1, /* secp160r1 (16) */ 233 NID_secp160r2, /* secp160r2 (17) */
231 NID_secp160r2, /* secp160r2 (17) */ 234};
232 };
233 235
234int tls1_ec_curve_id2nid(int curve_id) 236int
235 { 237tls1_ec_curve_id2nid(int curve_id)
238{
236 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 239 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237 if ((curve_id < 1) || ((unsigned int)curve_id > 240 if ((curve_id < 1) || ((unsigned int)curve_id >
238 sizeof(nid_list)/sizeof(nid_list[0]))) 241 sizeof(nid_list)/sizeof(nid_list[0])))
239 return 0; 242 return 0;
240 return nid_list[curve_id-1]; 243 return nid_list[curve_id - 1];
241 } 244}
242 245
243int tls1_ec_nid2curve_id(int nid) 246int
244 { 247tls1_ec_nid2curve_id(int nid)
248{
245 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 249 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246 switch (nid) 250 switch (nid) {
247 {
248 case NID_sect163k1: /* sect163k1 (1) */ 251 case NID_sect163k1: /* sect163k1 (1) */
249 return 1; 252 return 1;
250 case NID_sect163r1: /* sect163r1 (2) */ 253 case NID_sect163r1: /* sect163r1 (2) */
251 return 2; 254 return 2;
252 case NID_sect163r2: /* sect163r2 (3) */ 255 case NID_sect163r2: /* sect163r2 (3) */
253 return 3; 256 return 3;
254 case NID_sect193r1: /* sect193r1 (4) */ 257 case NID_sect193r1: /* sect193r1 (4) */
255 return 4; 258 return 4;
256 case NID_sect193r2: /* sect193r2 (5) */ 259 case NID_sect193r2: /* sect193r2 (5) */
257 return 5; 260 return 5;
258 case NID_sect233k1: /* sect233k1 (6) */ 261 case NID_sect233k1: /* sect233k1 (6) */
259 return 6; 262 return 6;
260 case NID_sect233r1: /* sect233r1 (7) */ 263 case NID_sect233r1: /* sect233r1 (7) */
261 return 7; 264 return 7;
262 case NID_sect239k1: /* sect239k1 (8) */ 265 case NID_sect239k1: /* sect239k1 (8) */
263 return 8; 266 return 8;
264 case NID_sect283k1: /* sect283k1 (9) */ 267 case NID_sect283k1: /* sect283k1 (9) */
265 return 9; 268 return 9;
266 case NID_sect283r1: /* sect283r1 (10) */ 269 case NID_sect283r1: /* sect283r1 (10) */
267 return 10; 270 return 10;
268 case NID_sect409k1: /* sect409k1 (11) */ 271 case NID_sect409k1: /* sect409k1 (11) */
269 return 11; 272 return 11;
270 case NID_sect409r1: /* sect409r1 (12) */ 273 case NID_sect409r1: /* sect409r1 (12) */
271 return 12; 274 return 12;
272 case NID_sect571k1: /* sect571k1 (13) */ 275 case NID_sect571k1: /* sect571k1 (13) */
273 return 13; 276 return 13;
274 case NID_sect571r1: /* sect571r1 (14) */ 277 case NID_sect571r1: /* sect571r1 (14) */
275 return 14; 278 return 14;
276 case NID_secp160k1: /* secp160k1 (15) */ 279 case NID_secp160k1: /* secp160k1 (15) */
277 return 15; 280 return 15;
278 case NID_secp160r1: /* secp160r1 (16) */ 281 case NID_secp160r1: /* secp160r1 (16) */
279 return 16; 282 return 16;
280 case NID_secp160r2: /* secp160r2 (17) */ 283 case NID_secp160r2: /* secp160r2 (17) */
281 return 17; 284 return 17;
282 case NID_secp192k1: /* secp192k1 (18) */ 285 case NID_secp192k1: /* secp192k1 (18) */
283 return 18; 286 return 18;
284 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 287 case NID_X9_62_prime192v1: /* secp192r1 (19) */
285 return 19; 288 return 19;
286 case NID_secp224k1: /* secp224k1 (20) */ 289 case NID_secp224k1: /* secp224k1 (20) */
287 return 20; 290 return 20;
288 case NID_secp224r1: /* secp224r1 (21) */ 291 case NID_secp224r1: /* secp224r1 (21) */
289 return 21; 292 return 21;
290 case NID_secp256k1: /* secp256k1 (22) */ 293 case NID_secp256k1: /* secp256k1 (22) */
291 return 22; 294 return 22;
292 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 295 case NID_X9_62_prime256v1: /* secp256r1 (23) */
293 return 23; 296 return 23;
294 case NID_secp384r1: /* secp384r1 (24) */ 297 case NID_secp384r1: /* secp384r1 (24) */
295 return 24; 298 return 24;
296 case NID_secp521r1: /* secp521r1 (25) */ 299 case NID_secp521r1: /* secp521r1 (25) */
297 return 25; 300 return 25;
298 default: 301 default:
299 return 0; 302 return 0;
300 }
301 } 303 }
304}
302#endif /* OPENSSL_NO_EC */ 305#endif /* OPENSSL_NO_EC */
303 306
304#ifndef OPENSSL_NO_TLSEXT 307#ifndef OPENSSL_NO_TLSEXT
@@ -344,33 +347,35 @@ static unsigned char tls12_sigalgs[] = {
344#endif 347#endif
345}; 348};
346 349
347int tls12_get_req_sig_algs(SSL *s, unsigned char *p) 350int
348 { 351tls12_get_req_sig_algs(SSL *s, unsigned char *p)
352{
349 size_t slen = sizeof(tls12_sigalgs); 353 size_t slen = sizeof(tls12_sigalgs);
350 if (p) 354 if (p)
351 memcpy(p, tls12_sigalgs, slen); 355 memcpy(p, tls12_sigalgs, slen);
352 return (int)slen; 356 return (int)slen;
353 } 357}
354 358
355unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 359unsigned char
356 { 360*ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
357 int extdatalen=0; 361{
362 int extdatalen = 0;
358 unsigned char *ret = p; 363 unsigned char *ret = p;
359 364
360 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 365 /* don't add extensions for SSLv3 unless doing secure renegotiation */
361 if (s->client_version == SSL3_VERSION 366 if (s->client_version == SSL3_VERSION
362 && !s->s3->send_connection_binding) 367 && !s->s3->send_connection_binding)
363 return p; 368 return p;
364 369
365 ret+=2; 370 ret += 2;
366 371
367 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 372 if (ret>=limit) return NULL; /* this really never occurs, but ... */
368 373
369 if (s->tlsext_hostname != NULL) 374 if (s->tlsext_hostname != NULL) {
370 {
371 /* Add TLS extension servername to the Client Hello message */ 375 /* Add TLS extension servername to the Client Hello message */
372 unsigned long size_str; 376 unsigned long size_str;
373 long lenmax; 377 long lenmax;
378
374 379
375 /* check for enough space. 380 /* check for enough space.
376 4 for the servername type and entension length 381 4 for the servername type and entension length
@@ -379,114 +384,117 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
379 2 for hostname length 384 2 for hostname length
380 + hostname length 385 + hostname length
381 */ 386 */
382 387
383 if ((lenmax = limit - ret - 9) < 0 388 if ((lenmax = limit - ret - 9) < 0
384 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 389 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
385 return NULL; 390 return NULL;
386 391
387 /* extension type and length */ 392 /* extension type and length */
388 s2n(TLSEXT_TYPE_server_name,ret); 393 s2n(TLSEXT_TYPE_server_name, ret);
389 s2n(size_str+5,ret); 394
390 395 s2n(size_str + 5, ret);
396
391 /* length of servername list */ 397 /* length of servername list */
392 s2n(size_str+3,ret); 398 s2n(size_str + 3, ret);
393 399
394 /* hostname type, length and hostname */ 400 /* hostname type, length and hostname */
395 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 401 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
396 s2n(size_str,ret); 402 s2n(size_str, ret);
397 memcpy(ret, s->tlsext_hostname, size_str); 403 memcpy(ret, s->tlsext_hostname, size_str);
398 ret+=size_str; 404 ret += size_str;
405 }
406
407 /* Add RI if renegotiating */
408 if (s->renegotiate) {
409 int el;
410
411 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
412 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
413 return NULL;
399 } 414 }
400 415
401 /* Add RI if renegotiating */ 416 if ((limit - p - 4 - el)
402 if (s->renegotiate) 417 < 0) return NULL;
403 { 418
404 int el; 419 s2n(TLSEXT_TYPE_renegotiate, ret);
405 420 s2n(el, ret);
406 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 421
407 { 422 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
408 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 423 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
409 return NULL; 424 return NULL;
410 } 425 }
411 426
412 if((limit - p - 4 - el) < 0) return NULL; 427 ret += el;
413 428 }
414 s2n(TLSEXT_TYPE_renegotiate,ret);
415 s2n(el,ret);
416
417 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
418 {
419 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
420 return NULL;
421 }
422
423 ret += el;
424 }
425 429
426#ifndef OPENSSL_NO_SRP 430#ifndef OPENSSL_NO_SRP
427 /* Add SRP username if there is one */ 431 /* Add SRP username if there is one */
428 if (s->srp_ctx.login != NULL) 432 if (s->srp_ctx.login != NULL)
429 { /* Add TLS extension SRP username to the Client Hello message */ 433 { /* Add TLS extension SRP username to the Client Hello message */
434
435 int login_len = strlen(s->srp_ctx.login);
430 436
431 int login_len = strlen(s->srp_ctx.login); 437 if (login_len > 255 || login_len == 0) {
432 if (login_len > 255 || login_len == 0)
433 {
434 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 438 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
435 return NULL; 439 return NULL;
436 } 440 }
437 441
438 /* check for enough space. 442 /* check for enough space.
439 4 for the srp type type and entension length 443 4 for the srp type type and entension length
440 1 for the srp user identity 444 1 for the srp user identity
441 + srp user identity length 445 + srp user identity length
442 */ 446 */
443 if ((limit - ret - 5 - login_len) < 0) return NULL; 447 if ((limit - ret - 5 - login_len)
448 < 0) return NULL;
449
444 450
445 /* fill in the extension */ 451 /* fill in the extension */
446 s2n(TLSEXT_TYPE_srp,ret); 452 s2n(TLSEXT_TYPE_srp, ret);
447 s2n(login_len+1,ret); 453 s2n(login_len + 1, ret);
448 (*ret++) = (unsigned char) login_len; 454 (*ret++) = (unsigned char) login_len;
449 memcpy(ret, s->srp_ctx.login, login_len); 455 memcpy(ret, s->srp_ctx.login, login_len);
450 ret+=login_len; 456 ret += login_len;
451 } 457 }
452#endif 458#endif
453 459
454#ifndef OPENSSL_NO_EC 460#ifndef OPENSSL_NO_EC
455 if (s->tlsext_ecpointformatlist != NULL && 461 if (s->tlsext_ecpointformatlist != NULL &&
456 s->version != DTLS1_VERSION) 462 s->version != DTLS1_VERSION) {
457 {
458 /* Add TLS extension ECPointFormats to the ClientHello message */ 463 /* Add TLS extension ECPointFormats to the ClientHello message */
459 long lenmax; 464 long lenmax;
465
466
467 if ((lenmax = limit - ret - 5)
468 < 0) return NULL;
460 469
461 if ((lenmax = limit - ret - 5) < 0) return NULL;
462 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 470 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
463 if (s->tlsext_ecpointformatlist_length > 255) 471 if (s->tlsext_ecpointformatlist_length > 255) {
464 {
465 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 472 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
466 return NULL; 473 return NULL;
467 } 474 }
468 475
469 s2n(TLSEXT_TYPE_ec_point_formats,ret); 476 s2n(TLSEXT_TYPE_ec_point_formats, ret);
470 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 477 s2n(s->tlsext_ecpointformatlist_length + 1, ret);
471 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 478 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
472 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 479 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
473 ret+=s->tlsext_ecpointformatlist_length; 480 ret += s->tlsext_ecpointformatlist_length;
474 } 481 }
475 if (s->tlsext_ellipticcurvelist != NULL && 482 if (s->tlsext_ellipticcurvelist != NULL &&
476 s->version != DTLS1_VERSION) 483 s->version != DTLS1_VERSION) {
477 {
478 /* Add TLS extension EllipticCurves to the ClientHello message */ 484 /* Add TLS extension EllipticCurves to the ClientHello message */
479 long lenmax; 485 long lenmax;
486
487
488 if ((lenmax = limit - ret - 6)
489 < 0) return NULL;
480 490
481 if ((lenmax = limit - ret - 6) < 0) return NULL;
482 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; 491 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
483 if (s->tlsext_ellipticcurvelist_length > 65532) 492 if (s->tlsext_ellipticcurvelist_length > 65532) {
484 {
485 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 493 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
486 return NULL; 494 return NULL;
487 } 495 }
488 496
489 s2n(TLSEXT_TYPE_elliptic_curves,ret); 497 s2n(TLSEXT_TYPE_elliptic_curves, ret);
490 s2n(s->tlsext_ellipticcurvelist_length + 2, ret); 498 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
491 499
492 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 500 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
@@ -496,111 +504,103 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
496 */ 504 */
497 s2n(s->tlsext_ellipticcurvelist_length, ret); 505 s2n(s->tlsext_ellipticcurvelist_length, ret);
498 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); 506 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
499 ret+=s->tlsext_ellipticcurvelist_length; 507 ret += s->tlsext_ellipticcurvelist_length;
500 } 508 }
501#endif /* OPENSSL_NO_EC */ 509#endif /* OPENSSL_NO_EC */
502 510
503 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 511 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
504 {
505 int ticklen; 512 int ticklen;
506 if (!s->new_session && s->session && s->session->tlsext_tick) 513 if (!s->new_session && s->session && s->session->tlsext_tick)
507 ticklen = s->session->tlsext_ticklen; 514 ticklen = s->session->tlsext_ticklen;
508 else if (s->session && s->tlsext_session_ticket && 515 else if (s->session && s->tlsext_session_ticket &&
509 s->tlsext_session_ticket->data) 516 s->tlsext_session_ticket->data) {
510 {
511 ticklen = s->tlsext_session_ticket->length; 517 ticklen = s->tlsext_session_ticket->length;
512 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 518 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
513 if (!s->session->tlsext_tick) 519 if (!s->session->tlsext_tick)
514 return NULL; 520 return NULL;
515 memcpy(s->session->tlsext_tick, 521 memcpy(s->session->tlsext_tick,
516 s->tlsext_session_ticket->data, 522 s->tlsext_session_ticket->data,
517 ticklen); 523 ticklen);
518 s->session->tlsext_ticklen = ticklen; 524 s->session->tlsext_ticklen = ticklen;
519 } 525 } else
520 else
521 ticklen = 0; 526 ticklen = 0;
522 if (ticklen == 0 && s->tlsext_session_ticket && 527 if (ticklen == 0 && s->tlsext_session_ticket &&
523 s->tlsext_session_ticket->data == NULL) 528 s->tlsext_session_ticket->data == NULL)
524 goto skip_ext; 529 goto skip_ext;
525 /* Check for enough room 2 for extension type, 2 for len 530 /* Check for enough room 2 for extension type, 2 for len
526 * rest for ticket 531 * rest for ticket
527 */ 532 */
528 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; 533 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
529 s2n(TLSEXT_TYPE_session_ticket,ret); 534 s2n(TLSEXT_TYPE_session_ticket, ret);
530 s2n(ticklen,ret); 535
531 if (ticklen) 536 s2n(ticklen, ret);
532 { 537 if (ticklen) {
533 memcpy(ret, s->session->tlsext_tick, ticklen); 538 memcpy(ret, s->session->tlsext_tick, ticklen);
534 ret += ticklen; 539 ret += ticklen;
535 }
536 } 540 }
537 skip_ext: 541 }
542 skip_ext:
538 543
539 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 544 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
540 {
541 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 545 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
542 return NULL; 546 return NULL;
543 s2n(TLSEXT_TYPE_signature_algorithms,ret); 547
548 s2n(TLSEXT_TYPE_signature_algorithms, ret);
544 s2n(sizeof(tls12_sigalgs) + 2, ret); 549 s2n(sizeof(tls12_sigalgs) + 2, ret);
545 s2n(sizeof(tls12_sigalgs), ret); 550 s2n(sizeof(tls12_sigalgs), ret);
546 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 551 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
547 ret += sizeof(tls12_sigalgs); 552 ret += sizeof(tls12_sigalgs);
548 } 553 }
549 554
550#ifdef TLSEXT_TYPE_opaque_prf_input 555#ifdef TLSEXT_TYPE_opaque_prf_input
551 if (s->s3->client_opaque_prf_input != NULL && 556 if (s->s3->client_opaque_prf_input != NULL &&
552 s->version != DTLS1_VERSION) 557 s->version != DTLS1_VERSION) {
553 {
554 size_t col = s->s3->client_opaque_prf_input_len; 558 size_t col = s->s3->client_opaque_prf_input_len;
555 559
556 if ((long)(limit - ret - 6 - col < 0)) 560 if ((long)(limit - ret - 6 - col < 0))
557 return NULL; 561 return NULL;
558 if (col > 0xFFFD) /* can't happen */ 562 if (col > 0xFFFD) /* can't happen */
559 return NULL; 563 return NULL;
560 564
561 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 565 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
566
562 s2n(col + 2, ret); 567 s2n(col + 2, ret);
563 s2n(col, ret); 568 s2n(col, ret);
564 memcpy(ret, s->s3->client_opaque_prf_input, col); 569 memcpy(ret, s->s3->client_opaque_prf_input, col);
565 ret += col; 570 ret += col;
566 } 571 }
567#endif 572#endif
568 573
569 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 574 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
570 s->version != DTLS1_VERSION) 575 s->version != DTLS1_VERSION) {
571 {
572 int i; 576 int i;
573 long extlen, idlen, itmp; 577 long extlen, idlen, itmp;
574 OCSP_RESPID *id; 578 OCSP_RESPID *id;
575 579
576 idlen = 0; 580 idlen = 0;
577 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 581 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
578 {
579 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 582 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
580 itmp = i2d_OCSP_RESPID(id, NULL); 583 itmp = i2d_OCSP_RESPID(id, NULL);
581 if (itmp <= 0) 584 if (itmp <= 0)
582 return NULL; 585 return NULL;
583 idlen += itmp + 2; 586 idlen += itmp + 2;
584 } 587 }
585 588
586 if (s->tlsext_ocsp_exts) 589 if (s->tlsext_ocsp_exts) {
587 {
588 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 590 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
589 if (extlen < 0) 591 if (extlen < 0)
590 return NULL; 592 return NULL;
591 } 593 } else
592 else
593 extlen = 0; 594 extlen = 0;
594 595
595 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 596 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
596 s2n(TLSEXT_TYPE_status_request, ret); 597 s2n(TLSEXT_TYPE_status_request, ret);
597 if (extlen + idlen > 0xFFF0) 598 if (extlen + idlen > 0xFFF0)
598 return NULL; 599 return NULL;
599 s2n(extlen + idlen + 5, ret); 600 s2n(extlen + idlen + 5, ret);
600 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 601 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
601 s2n(idlen, ret); 602 s2n(idlen, ret);
602 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 603 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
603 {
604 /* save position of id len */ 604 /* save position of id len */
605 unsigned char *q = ret; 605 unsigned char *q = ret;
606 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 606 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
@@ -609,16 +609,16 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
609 itmp = i2d_OCSP_RESPID(id, &ret); 609 itmp = i2d_OCSP_RESPID(id, &ret);
610 /* write id len */ 610 /* write id len */
611 s2n(itmp, q); 611 s2n(itmp, q);
612 } 612 }
613 s2n(extlen, ret); 613 s2n(extlen, ret);
614 if (extlen > 0) 614 if (extlen > 0)
615 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 615 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
616 } 616 }
617 617
618#ifndef OPENSSL_NO_HEARTBEATS 618#ifndef OPENSSL_NO_HEARTBEATS
619 /* Add Heartbeat extension */ 619 /* Add Heartbeat extension */
620 s2n(TLSEXT_TYPE_heartbeat,ret); 620 s2n(TLSEXT_TYPE_heartbeat, ret);
621 s2n(1,ret); 621 s2n(1, ret);
622 /* Set mode: 622 /* Set mode:
623 * 1: peer may send requests 623 * 1: peer may send requests
624 * 2: peer not allowed to send requests 624 * 2: peer not allowed to send requests
@@ -630,36 +630,34 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
630#endif 630#endif
631 631
632#ifndef OPENSSL_NO_NEXTPROTONEG 632#ifndef OPENSSL_NO_NEXTPROTONEG
633 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) 633 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
634 {
635 /* The client advertises an emtpy extension to indicate its 634 /* The client advertises an emtpy extension to indicate its
636 * support for Next Protocol Negotiation */ 635 * support for Next Protocol Negotiation */
637 if (limit - ret - 4 < 0) 636 if (limit - ret - 4 < 0)
638 return NULL; 637 return NULL;
639 s2n(TLSEXT_TYPE_next_proto_neg,ret); 638 s2n(TLSEXT_TYPE_next_proto_neg, ret);
640 s2n(0,ret); 639 s2n(0, ret);
641 } 640 }
642#endif 641#endif
643 642
644#ifndef OPENSSL_NO_SRTP 643#ifndef OPENSSL_NO_SRTP
645 if(SSL_get_srtp_profiles(s)) 644 if (SSL_get_srtp_profiles(s)) {
646 { 645 int el;
647 int el;
648 646
649 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 647 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
650
651 if((limit - p - 4 - el) < 0) return NULL;
652 648
653 s2n(TLSEXT_TYPE_use_srtp,ret); 649 if ((limit - p - 4 - el)
654 s2n(el,ret); 650 < 0) return NULL;
655 651
656 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) 652 s2n(TLSEXT_TYPE_use_srtp, ret);
657 { 653 s2n(el, ret);
654
655 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
658 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 656 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
659 return NULL; 657 return NULL;
660 } 658 }
661 ret += el; 659 ret += el;
662 } 660 }
663#endif 661#endif
664 662
665#ifdef TLSEXT_TYPE_padding 663#ifdef TLSEXT_TYPE_padding
@@ -670,38 +668,38 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
670 * extensions it MUST always appear last. 668 * extensions it MUST always appear last.
671 */ 669 */
672 { 670 {
673 int hlen = ret - (unsigned char *)s->init_buf->data; 671 int hlen = ret - (unsigned char *)s->init_buf->data;
674 /* The code in s23_clnt.c to build ClientHello messages includes the 672 /* The code in s23_clnt.c to build ClientHello messages includes the
675 * 5-byte record header in the buffer, while the code in s3_clnt.c does 673 * 5-byte record header in the buffer, while the code in s3_clnt.c does
676 * not. */ 674 * not. */
677 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 675 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
678 hlen -= 5; 676 hlen -= 5;
679 if (hlen > 0xff && hlen < 0x200) 677 if (hlen > 0xff && hlen < 0x200) {
680 { 678 hlen = 0x200 - hlen;
681 hlen = 0x200 - hlen; 679 if (hlen >= 4)
682 if (hlen >= 4) 680 hlen -= 4;
683 hlen -= 4; 681 else
684 else 682 hlen = 0;
685 hlen = 0;
686 683
687 s2n(TLSEXT_TYPE_padding, ret); 684 s2n(TLSEXT_TYPE_padding, ret);
688 s2n(hlen, ret); 685 s2n(hlen, ret);
689 memset(ret, 0, hlen); 686 memset(ret, 0, hlen);
690 ret += hlen; 687 ret += hlen;
691 } 688 }
692 } 689 }
693#endif 690#endif
694 691
695 if ((extdatalen = ret-p-2)== 0) 692 if ((extdatalen = ret - p - 2) == 0)
696 return p; 693 return p;
697 694
698 s2n(extdatalen,p); 695 s2n(extdatalen, p);
699 return ret; 696 return ret;
700 } 697}
701 698
702unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 699unsigned char
703 { 700*ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
704 int extdatalen=0; 701{
702 int extdatalen = 0;
705 unsigned char *ret = p; 703 unsigned char *ret = p;
706#ifndef OPENSSL_NO_NEXTPROTONEG 704#ifndef OPENSSL_NO_NEXTPROTONEG
707 int next_proto_neg_seen; 705 int next_proto_neg_seen;
@@ -710,143 +708,141 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
710 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 708 /* don't add extensions for SSLv3, unless doing secure renegotiation */
711 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 709 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
712 return p; 710 return p;
713 711
714 ret+=2; 712 ret += 2;
715 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 713 if (ret>=limit) return NULL; /* this really never occurs, but ... */
716 714
717 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) 715 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) {
718 { 716 if ((long)(limit - ret - 4) < 0) return NULL;
719 if ((long)(limit - ret - 4) < 0) return NULL; 717
718
719 s2n(TLSEXT_TYPE_server_name, ret);
720 s2n(0, ret);
721 }
722
723 if (s->s3->send_connection_binding) {
724 int el;
720 725
721 s2n(TLSEXT_TYPE_server_name,ret); 726 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
722 s2n(0,ret); 727 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
728 return NULL;
723 } 729 }
724 730
725 if(s->s3->send_connection_binding) 731 if ((limit - p - 4 - el)
726 { 732 < 0) return NULL;
727 int el; 733
728 734 s2n(TLSEXT_TYPE_renegotiate, ret);
729 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) 735 s2n(el, ret);
730 { 736
731 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 737 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
732 return NULL; 738 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
733 } 739 return NULL;
734 740 }
735 if((limit - p - 4 - el) < 0) return NULL; 741
736 742 ret += el;
737 s2n(TLSEXT_TYPE_renegotiate,ret); 743 }
738 s2n(el,ret);
739
740 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
741 {
742 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
743 return NULL;
744 }
745
746 ret += el;
747 }
748 744
749#ifndef OPENSSL_NO_EC 745#ifndef OPENSSL_NO_EC
750 if (s->tlsext_ecpointformatlist != NULL && 746 if (s->tlsext_ecpointformatlist != NULL &&
751 s->version != DTLS1_VERSION) 747 s->version != DTLS1_VERSION) {
752 {
753 /* Add TLS extension ECPointFormats to the ServerHello message */ 748 /* Add TLS extension ECPointFormats to the ServerHello message */
754 long lenmax; 749 long lenmax;
750
751
752 if ((lenmax = limit - ret - 5)
753 < 0) return NULL;
755 754
756 if ((lenmax = limit - ret - 5) < 0) return NULL;
757 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 755 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
758 if (s->tlsext_ecpointformatlist_length > 255) 756 if (s->tlsext_ecpointformatlist_length > 255) {
759 {
760 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 757 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
761 return NULL; 758 return NULL;
762 } 759 }
763 760
764 s2n(TLSEXT_TYPE_ec_point_formats,ret); 761 s2n(TLSEXT_TYPE_ec_point_formats, ret);
765 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 762 s2n(s->tlsext_ecpointformatlist_length + 1, ret);
766 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 763 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
767 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 764 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
768 ret+=s->tlsext_ecpointformatlist_length; 765 ret += s->tlsext_ecpointformatlist_length;
769 766
770 } 767 }
771 /* Currently the server should not respond with a SupportedCurves extension */ 768 /* Currently the server should not respond with a SupportedCurves extension */
772#endif /* OPENSSL_NO_EC */ 769#endif /* OPENSSL_NO_EC */
773 770
774 if (s->tlsext_ticket_expected 771 if (s->tlsext_ticket_expected
775 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 772 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
776 { 773 if ((long)(limit - ret - 4) < 0) return NULL;
777 if ((long)(limit - ret - 4) < 0) return NULL;
778 s2n(TLSEXT_TYPE_session_ticket,ret);
779 s2n(0,ret);
780 }
781 774
782 if (s->tlsext_status_expected) 775 s2n(TLSEXT_TYPE_session_ticket, ret);
783 { 776 s2n(0, ret);
784 if ((long)(limit - ret - 4) < 0) return NULL; 777 }
785 s2n(TLSEXT_TYPE_status_request,ret); 778
786 s2n(0,ret); 779 if (s->tlsext_status_expected) {
787 } 780 if ((long)(limit - ret - 4) < 0) return NULL;
781
782 s2n(TLSEXT_TYPE_status_request, ret);
783 s2n(0, ret);
784 }
788 785
789#ifdef TLSEXT_TYPE_opaque_prf_input 786#ifdef TLSEXT_TYPE_opaque_prf_input
790 if (s->s3->server_opaque_prf_input != NULL && 787 if (s->s3->server_opaque_prf_input != NULL &&
791 s->version != DTLS1_VERSION) 788 s->version != DTLS1_VERSION) {
792 {
793 size_t sol = s->s3->server_opaque_prf_input_len; 789 size_t sol = s->s3->server_opaque_prf_input_len;
794 790
795 if ((long)(limit - ret - 6 - sol) < 0) 791 if ((long)(limit - ret - 6 - sol) < 0)
796 return NULL; 792 return NULL;
797 if (sol > 0xFFFD) /* can't happen */ 793 if (sol > 0xFFFD) /* can't happen */
798 return NULL; 794 return NULL;
799 795
800 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 796 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
797
801 s2n(sol + 2, ret); 798 s2n(sol + 2, ret);
802 s2n(sol, ret); 799 s2n(sol, ret);
803 memcpy(ret, s->s3->server_opaque_prf_input, sol); 800 memcpy(ret, s->s3->server_opaque_prf_input, sol);
804 ret += sol; 801 ret += sol;
805 } 802 }
806#endif 803#endif
807 804
808#ifndef OPENSSL_NO_SRTP 805#ifndef OPENSSL_NO_SRTP
809 if(s->srtp_profile) 806 if (s->srtp_profile) {
810 { 807 int el;
811 int el;
812 808
813 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 809 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
814
815 if((limit - p - 4 - el) < 0) return NULL;
816 810
817 s2n(TLSEXT_TYPE_use_srtp,ret); 811 if ((limit - p - 4 - el) < 0)
818 s2n(el,ret); 812 return NULL;
819 813
820 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) 814 s2n(TLSEXT_TYPE_use_srtp, ret);
821 { 815 s2n(el, ret);
816
817 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
822 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 818 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
823 return NULL; 819 return NULL;
824 } 820 }
825 ret+=el; 821 ret += el;
826 } 822 }
827#endif 823#endif
828 824
829 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 825 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
830 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 826 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
831 { const unsigned char cryptopro_ext[36] = { 827 const unsigned char cryptopro_ext[36] = {
832 0xfd, 0xe8, /*65000*/ 828 0xfd, 0xe8, /*65000*/
833 0x00, 0x20, /*32 bytes length*/ 829 0x00, 0x20, /*32 bytes length*/
834 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 830 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
835 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 831 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
836 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 832 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
837 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17}; 833 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
838 if (limit-ret<36) return NULL; 834 };
839 memcpy(ret,cryptopro_ext,36); 835 if (limit - ret < 36)
840 ret+=36; 836 return NULL;
841 837 memcpy(ret, cryptopro_ext, 36);
842 } 838 ret += 36;
839 }
843 840
844#ifndef OPENSSL_NO_HEARTBEATS 841#ifndef OPENSSL_NO_HEARTBEATS
845 /* Add Heartbeat extension if we've received one */ 842 /* Add Heartbeat extension if we've received one */
846 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) 843 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
847 { 844 s2n(TLSEXT_TYPE_heartbeat, ret);
848 s2n(TLSEXT_TYPE_heartbeat,ret); 845 s2n(1, ret);
849 s2n(1,ret);
850 /* Set mode: 846 /* Set mode:
851 * 1: peer may send requests 847 * 1: peer may send requests
852 * 2: peer not allowed to send requests 848 * 2: peer not allowed to send requests
@@ -856,37 +852,35 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
856 else 852 else
857 *(ret++) = SSL_TLSEXT_HB_ENABLED; 853 *(ret++) = SSL_TLSEXT_HB_ENABLED;
858 854
859 } 855 }
860#endif 856#endif
861 857
862#ifndef OPENSSL_NO_NEXTPROTONEG 858#ifndef OPENSSL_NO_NEXTPROTONEG
863 next_proto_neg_seen = s->s3->next_proto_neg_seen; 859 next_proto_neg_seen = s->s3->next_proto_neg_seen;
864 s->s3->next_proto_neg_seen = 0; 860 s->s3->next_proto_neg_seen = 0;
865 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) 861 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
866 {
867 const unsigned char *npa; 862 const unsigned char *npa;
868 unsigned int npalen; 863 unsigned int npalen;
869 int r; 864 int r;
870 865
871 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); 866 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
872 if (r == SSL_TLSEXT_ERR_OK) 867 if (r == SSL_TLSEXT_ERR_OK) {
873 {
874 if ((long)(limit - ret - 4 - npalen) < 0) return NULL; 868 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
875 s2n(TLSEXT_TYPE_next_proto_neg,ret); 869 s2n(TLSEXT_TYPE_next_proto_neg, ret);
876 s2n(npalen,ret); 870 s2n(npalen, ret);
877 memcpy(ret, npa, npalen); 871 memcpy(ret, npa, npalen);
878 ret += npalen; 872 ret += npalen;
879 s->s3->next_proto_neg_seen = 1; 873 s->s3->next_proto_neg_seen = 1;
880 }
881 } 874 }
875 }
882#endif 876#endif
883 877
884 if ((extdatalen = ret-p-2)== 0) 878 if ((extdatalen = ret - p - 2) == 0)
885 return p; 879 return p;
886 880
887 s2n(extdatalen,p); 881 s2n(extdatalen, p);
888 return ret; 882 return ret;
889 } 883}
890 884
891#ifndef OPENSSL_NO_EC 885#ifndef OPENSSL_NO_EC
892/* ssl_check_for_safari attempts to fingerprint Safari using OS X 886/* ssl_check_for_safari attempts to fingerprint Safari using OS X
@@ -901,7 +895,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
901 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 895 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
902 * 10.8..10.8.3 (which don't work). 896 * 10.8..10.8.3 (which don't work).
903 */ 897 */
904static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { 898static void
899ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
905 unsigned short type, size; 900 unsigned short type, size;
906 static const unsigned char kSafariExtensionsBlock[] = { 901 static const unsigned char kSafariExtensionsBlock[] = {
907 0x00, 0x0a, /* elliptic_curves extension */ 902 0x00, 0x0a, /* elliptic_curves extension */
@@ -929,50 +924,49 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsign
929 0x02, 0x03, /* SHA-1/ECDSA */ 924 0x02, 0x03, /* SHA-1/ECDSA */
930 }; 925 };
931 926
932 if (data >= (d+n-2)) 927 if (data >= (d + n - 2))
933 return; 928 return;
934 data += 2; 929 data += 2;
935 930
936 if (data > (d+n-4)) 931 if (data > (d + n - 4))
937 return; 932 return;
938 n2s(data,type); 933 n2s(data, type);
939 n2s(data,size); 934 n2s(data, size);
940 935
941 if (type != TLSEXT_TYPE_server_name) 936 if (type != TLSEXT_TYPE_server_name)
942 return; 937 return;
943 938
944 if (data+size > d+n) 939 if (data + size > d + n)
945 return; 940 return;
946 data += size; 941 data += size;
947 942
948 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 943 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
949 {
950 const size_t len1 = sizeof(kSafariExtensionsBlock); 944 const size_t len1 = sizeof(kSafariExtensionsBlock);
951 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 945 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
952 946
953 if (data + len1 + len2 != d+n) 947 if (data + len1 + len2 != d + n)
954 return; 948 return;
955 if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 949 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
956 return; 950 return;
957 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 951 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
958 return; 952 return;
959 } 953 } else {
960 else
961 {
962 const size_t len = sizeof(kSafariExtensionsBlock); 954 const size_t len = sizeof(kSafariExtensionsBlock);
963 955
964 if (data + len != d+n) 956 if (data + len != d + n)
965 return; 957 return;
966 if (memcmp(data, kSafariExtensionsBlock, len) != 0) 958 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
967 return; 959 return;
968 } 960 }
969 961
970 s->s3->is_probably_safari = 1; 962 s->s3->is_probably_safari = 1;
971} 963}
972#endif /* !OPENSSL_NO_EC */ 964#endif /* !OPENSSL_NO_EC */
973 965
974int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 966int
975 { 967ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
968 int n, int *al)
969{
976 unsigned short type; 970 unsigned short type;
977 unsigned short size; 971 unsigned short size;
978 unsigned short len; 972 unsigned short len;
@@ -988,7 +982,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
988 982
989#ifndef OPENSSL_NO_HEARTBEATS 983#ifndef OPENSSL_NO_HEARTBEATS
990 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 984 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
991 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 985 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
992#endif 986#endif
993 987
994#ifndef OPENSSL_NO_EC 988#ifndef OPENSSL_NO_EC
@@ -996,26 +990,25 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
996 ssl_check_for_safari(s, data, d, n); 990 ssl_check_for_safari(s, data, d, n);
997#endif /* !OPENSSL_NO_EC */ 991#endif /* !OPENSSL_NO_EC */
998 992
999 if (data >= (d+n-2)) 993 if (data >= (d + n - 2))
1000 goto ri_check; 994 goto ri_check;
1001 n2s(data,len); 995 n2s(data, len);
1002 996
1003 if (data > (d+n-len)) 997 if (data > (d + n - len))
1004 goto ri_check; 998 goto ri_check;
1005 999
1006 while (data <= (d+n-4)) 1000 while (data <= (d + n - 4)) {
1007 { 1001 n2s(data, type);
1008 n2s(data,type); 1002 n2s(data, size);
1009 n2s(data,size);
1010 1003
1011 if (data+size > (d+n)) 1004 if (data + size > (d + n))
1012 goto ri_check; 1005 goto ri_check;
1013#if 0 1006#if 0
1014 fprintf(stderr,"Received extension type %d size %d\n",type,size); 1007 fprintf(stderr, "Received extension type %d size %d\n", type, size);
1015#endif 1008#endif
1016 if (s->tlsext_debug_cb) 1009 if (s->tlsext_debug_cb)
1017 s->tlsext_debug_cb(s, 0, type, data, size, 1010 s->tlsext_debug_cb(s, 0, type, data, size,
1018 s->tlsext_debug_arg); 1011 s->tlsext_debug_arg);
1019/* The servername extension is treated as follows: 1012/* The servername extension is treated as follows:
1020 1013
1021 - Only the hostname type is supported with a maximum length of 255. 1014 - Only the hostname type is supported with a maximum length of 255.
@@ -1039,206 +1032,180 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1039 1032
1040*/ 1033*/
1041 1034
1042 if (type == TLSEXT_TYPE_server_name) 1035 if (type == TLSEXT_TYPE_server_name) {
1043 {
1044 unsigned char *sdata; 1036 unsigned char *sdata;
1045 int servname_type; 1037 int servname_type;
1046 int dsize; 1038 int dsize;
1047 1039
1048 if (size < 2) 1040
1049 { 1041 if (size < 2) {
1050 *al = SSL_AD_DECODE_ERROR; 1042 *al = SSL_AD_DECODE_ERROR;
1051 return 0; 1043 return 0;
1052 } 1044 }
1053 n2s(data,dsize); 1045 n2s(data, dsize);
1046
1054 size -= 2; 1047 size -= 2;
1055 if (dsize > size ) 1048 if (dsize > size) {
1056 {
1057 *al = SSL_AD_DECODE_ERROR; 1049 *al = SSL_AD_DECODE_ERROR;
1058 return 0; 1050 return 0;
1059 } 1051 }
1060 1052
1061 sdata = data; 1053 sdata = data;
1062 while (dsize > 3) 1054 while (dsize > 3) {
1063 { 1055 servname_type = *(sdata++);
1064 servname_type = *(sdata++); 1056
1065 n2s(sdata,len); 1057 n2s(sdata, len);
1066 dsize -= 3; 1058 dsize -= 3;
1067 1059
1068 if (len > dsize) 1060 if (len > dsize) {
1069 {
1070 *al = SSL_AD_DECODE_ERROR; 1061 *al = SSL_AD_DECODE_ERROR;
1071 return 0; 1062 return 0;
1072 } 1063 }
1073 if (s->servername_done == 0) 1064 if (s->servername_done == 0)
1074 switch (servname_type) 1065 switch (servname_type) {
1075 {
1076 case TLSEXT_NAMETYPE_host_name: 1066 case TLSEXT_NAMETYPE_host_name:
1077 if (!s->hit) 1067 if (!s->hit) {
1078 { 1068 if (s->session->tlsext_hostname) {
1079 if(s->session->tlsext_hostname)
1080 {
1081 *al = SSL_AD_DECODE_ERROR; 1069 *al = SSL_AD_DECODE_ERROR;
1082 return 0; 1070 return 0;
1083 } 1071 }
1084 if (len > TLSEXT_MAXLEN_host_name) 1072 if (len > TLSEXT_MAXLEN_host_name) {
1085 {
1086 *al = TLS1_AD_UNRECOGNIZED_NAME; 1073 *al = TLS1_AD_UNRECOGNIZED_NAME;
1087 return 0; 1074 return 0;
1088 } 1075 }
1089 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) 1076 if ((s->session->tlsext_hostname = OPENSSL_malloc(len + 1)) == NULL) {
1090 {
1091 *al = TLS1_AD_INTERNAL_ERROR; 1077 *al = TLS1_AD_INTERNAL_ERROR;
1092 return 0; 1078 return 0;
1093 } 1079 }
1094 memcpy(s->session->tlsext_hostname, sdata, len); 1080 memcpy(s->session->tlsext_hostname, sdata, len);
1095 s->session->tlsext_hostname[len]='\0'; 1081 s->session->tlsext_hostname[len] = '\0';
1096 if (strlen(s->session->tlsext_hostname) != len) { 1082 if (strlen(s->session->tlsext_hostname) != len) {
1097 OPENSSL_free(s->session->tlsext_hostname); 1083 OPENSSL_free(s->session->tlsext_hostname);
1098 s->session->tlsext_hostname = NULL; 1084 s->session->tlsext_hostname = NULL;
1099 *al = TLS1_AD_UNRECOGNIZED_NAME; 1085 *al = TLS1_AD_UNRECOGNIZED_NAME;
1100 return 0; 1086 return 0;
1101 } 1087 }
1102 s->servername_done = 1; 1088 s->servername_done = 1;
1103 1089
1104 } 1090
1105 else 1091 } else
1106 s->servername_done = s->session->tlsext_hostname 1092 s->servername_done = s->session->tlsext_hostname
1107 && strlen(s->session->tlsext_hostname) == len 1093 && strlen(s->session->tlsext_hostname) == len
1108 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1094 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1109 1095
1110 break; 1096 break;
1111 1097
1112 default: 1098 default:
1113 break; 1099 break;
1114 }
1115
1116 dsize -= len;
1117 } 1100 }
1118 if (dsize != 0) 1101
1119 { 1102 dsize -= len;
1103 }
1104 if (dsize != 0) {
1120 *al = SSL_AD_DECODE_ERROR; 1105 *al = SSL_AD_DECODE_ERROR;
1121 return 0; 1106 return 0;
1122 }
1123
1124 } 1107 }
1108
1109 }
1125#ifndef OPENSSL_NO_SRP 1110#ifndef OPENSSL_NO_SRP
1126 else if (type == TLSEXT_TYPE_srp) 1111 else if (type == TLSEXT_TYPE_srp) {
1127 { 1112 if (size <= 0 || ((len = data[0])) != (size - 1)) {
1128 if (size <= 0 || ((len = data[0])) != (size -1))
1129 {
1130 *al = SSL_AD_DECODE_ERROR; 1113 *al = SSL_AD_DECODE_ERROR;
1131 return 0; 1114 return 0;
1132 } 1115 }
1133 if (s->srp_ctx.login != NULL) 1116 if (s->srp_ctx.login != NULL) {
1134 {
1135 *al = SSL_AD_DECODE_ERROR; 1117 *al = SSL_AD_DECODE_ERROR;
1136 return 0; 1118 return 0;
1137 } 1119 }
1138 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL) 1120 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
1139 return -1; 1121 return -1;
1140 memcpy(s->srp_ctx.login, &data[1], len); 1122 memcpy(s->srp_ctx.login, &data[1], len);
1141 s->srp_ctx.login[len]='\0'; 1123 s->srp_ctx.login[len] = '\0';
1142 1124
1143 if (strlen(s->srp_ctx.login) != len) 1125 if (strlen(s->srp_ctx.login) != len) {
1144 {
1145 *al = SSL_AD_DECODE_ERROR; 1126 *al = SSL_AD_DECODE_ERROR;
1146 return 0; 1127 return 0;
1147 }
1148 } 1128 }
1129 }
1149#endif 1130#endif
1150 1131
1151#ifndef OPENSSL_NO_EC 1132#ifndef OPENSSL_NO_EC
1152 else if (type == TLSEXT_TYPE_ec_point_formats && 1133 else if (type == TLSEXT_TYPE_ec_point_formats &&
1153 s->version != DTLS1_VERSION) 1134 s->version != DTLS1_VERSION) {
1154 {
1155 unsigned char *sdata = data; 1135 unsigned char *sdata = data;
1156 int ecpointformatlist_length = *(sdata++); 1136 int ecpointformatlist_length = *(sdata++);
1157 1137
1158 if (ecpointformatlist_length != size - 1) 1138 if (ecpointformatlist_length != size - 1) {
1159 {
1160 *al = TLS1_AD_DECODE_ERROR; 1139 *al = TLS1_AD_DECODE_ERROR;
1161 return 0; 1140 return 0;
1162 } 1141 }
1163 if (!s->hit) 1142 if (!s->hit) {
1164 { 1143 if (s->session->tlsext_ecpointformatlist) {
1165 if(s->session->tlsext_ecpointformatlist)
1166 {
1167 OPENSSL_free(s->session->tlsext_ecpointformatlist); 1144 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1168 s->session->tlsext_ecpointformatlist = NULL; 1145 s->session->tlsext_ecpointformatlist = NULL;
1169 } 1146 }
1170 s->session->tlsext_ecpointformatlist_length = 0; 1147 s->session->tlsext_ecpointformatlist_length = 0;
1171 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1148 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
1172 {
1173 *al = TLS1_AD_INTERNAL_ERROR; 1149 *al = TLS1_AD_INTERNAL_ERROR;
1174 return 0; 1150 return 0;
1175 } 1151 }
1176 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1152 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1177 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1153 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1178 } 1154 }
1179#if 0 1155#if 0
1180 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); 1156 fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1181 sdata = s->session->tlsext_ecpointformatlist; 1157 sdata = s->session->tlsext_ecpointformatlist;
1182 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1158 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1183 fprintf(stderr,"%i ",*(sdata++)); 1159 fprintf(stderr, "%i ", *(sdata++));
1184 fprintf(stderr,"\n"); 1160 fprintf(stderr, "\n");
1185#endif 1161#endif
1186 } 1162 } else if (type == TLSEXT_TYPE_elliptic_curves &&
1187 else if (type == TLSEXT_TYPE_elliptic_curves && 1163 s->version != DTLS1_VERSION) {
1188 s->version != DTLS1_VERSION)
1189 {
1190 unsigned char *sdata = data; 1164 unsigned char *sdata = data;
1191 int ellipticcurvelist_length = (*(sdata++) << 8); 1165 int ellipticcurvelist_length = (*(sdata++) << 8);
1192 ellipticcurvelist_length += (*(sdata++)); 1166 ellipticcurvelist_length += (*(sdata++));
1193 1167
1194 if (ellipticcurvelist_length != size - 2 || 1168 if (ellipticcurvelist_length != size - 2 ||
1195 ellipticcurvelist_length < 1) 1169 ellipticcurvelist_length < 1) {
1196 {
1197 *al = TLS1_AD_DECODE_ERROR; 1170 *al = TLS1_AD_DECODE_ERROR;
1198 return 0; 1171 return 0;
1199 } 1172 }
1200 if (!s->hit) 1173 if (!s->hit) {
1201 { 1174 if (s->session->tlsext_ellipticcurvelist) {
1202 if(s->session->tlsext_ellipticcurvelist)
1203 {
1204 *al = TLS1_AD_DECODE_ERROR; 1175 *al = TLS1_AD_DECODE_ERROR;
1205 return 0; 1176 return 0;
1206 } 1177 }
1207 s->session->tlsext_ellipticcurvelist_length = 0; 1178 s->session->tlsext_ellipticcurvelist_length = 0;
1208 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) 1179 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
1209 {
1210 *al = TLS1_AD_INTERNAL_ERROR; 1180 *al = TLS1_AD_INTERNAL_ERROR;
1211 return 0; 1181 return 0;
1212 } 1182 }
1213 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; 1183 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1214 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); 1184 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1215 } 1185 }
1216#if 0 1186#if 0
1217 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); 1187 fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1218 sdata = s->session->tlsext_ellipticcurvelist; 1188 sdata = s->session->tlsext_ellipticcurvelist;
1219 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) 1189 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1220 fprintf(stderr,"%i ",*(sdata++)); 1190 fprintf(stderr, "%i ", *(sdata++));
1221 fprintf(stderr,"\n"); 1191 fprintf(stderr, "\n");
1222#endif 1192#endif
1223 } 1193 }
1224#endif /* OPENSSL_NO_EC */ 1194#endif /* OPENSSL_NO_EC */
1225#ifdef TLSEXT_TYPE_opaque_prf_input 1195#ifdef TLSEXT_TYPE_opaque_prf_input
1226 else if (type == TLSEXT_TYPE_opaque_prf_input && 1196 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1227 s->version != DTLS1_VERSION) 1197 s->version != DTLS1_VERSION) {
1228 {
1229 unsigned char *sdata = data; 1198 unsigned char *sdata = data;
1230 1199
1231 if (size < 2) 1200 if (size < 2) {
1232 {
1233 *al = SSL_AD_DECODE_ERROR; 1201 *al = SSL_AD_DECODE_ERROR;
1234 return 0; 1202 return 0;
1235 } 1203 }
1236 n2s(sdata, s->s3->client_opaque_prf_input_len); 1204 n2s(sdata, s->s3->client_opaque_prf_input_len);
1237 if (s->s3->client_opaque_prf_input_len != size - 2) 1205 if (s->s3->client_opaque_prf_input_len != size - 2) {
1238 {
1239 *al = SSL_AD_DECODE_ERROR; 1206 *al = SSL_AD_DECODE_ERROR;
1240 return 0; 1207 return 0;
1241 } 1208 }
1242 1209
1243 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1210 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1244 OPENSSL_free(s->s3->client_opaque_prf_input); 1211 OPENSSL_free(s->s3->client_opaque_prf_input);
@@ -1246,183 +1213,154 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1246 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1213 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1247 else 1214 else
1248 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); 1215 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1249 if (s->s3->client_opaque_prf_input == NULL) 1216 if (s->s3->client_opaque_prf_input == NULL) {
1250 {
1251 *al = TLS1_AD_INTERNAL_ERROR; 1217 *al = TLS1_AD_INTERNAL_ERROR;
1252 return 0; 1218 return 0;
1253 }
1254 } 1219 }
1220 }
1255#endif 1221#endif
1256 else if (type == TLSEXT_TYPE_session_ticket) 1222 else if (type == TLSEXT_TYPE_session_ticket) {
1257 {
1258 if (s->tls_session_ticket_ext_cb && 1223 if (s->tls_session_ticket_ext_cb &&
1259 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1224 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1260 {
1261 *al = TLS1_AD_INTERNAL_ERROR; 1225 *al = TLS1_AD_INTERNAL_ERROR;
1262 return 0; 1226 return 0;
1263 }
1264 } 1227 }
1265 else if (type == TLSEXT_TYPE_renegotiate) 1228 } else if (type == TLSEXT_TYPE_renegotiate) {
1266 { 1229 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1267 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1268 return 0; 1230 return 0;
1269 renegotiate_seen = 1; 1231 renegotiate_seen = 1;
1270 } 1232 } else if (type == TLSEXT_TYPE_signature_algorithms) {
1271 else if (type == TLSEXT_TYPE_signature_algorithms)
1272 {
1273 int dsize; 1233 int dsize;
1274 if (sigalg_seen || size < 2) 1234 if (sigalg_seen || size < 2) {
1275 {
1276 *al = SSL_AD_DECODE_ERROR; 1235 *al = SSL_AD_DECODE_ERROR;
1277 return 0; 1236 return 0;
1278 } 1237 }
1279 sigalg_seen = 1; 1238 sigalg_seen = 1;
1280 n2s(data,dsize); 1239 n2s(data, dsize);
1281 size -= 2; 1240 size -= 2;
1282 if (dsize != size || dsize & 1) 1241 if (dsize != size || dsize & 1) {
1283 {
1284 *al = SSL_AD_DECODE_ERROR; 1242 *al = SSL_AD_DECODE_ERROR;
1285 return 0; 1243 return 0;
1286 } 1244 }
1287 if (!tls1_process_sigalgs(s, data, dsize)) 1245 if (!tls1_process_sigalgs(s, data, dsize)) {
1288 {
1289 *al = SSL_AD_DECODE_ERROR; 1246 *al = SSL_AD_DECODE_ERROR;
1290 return 0; 1247 return 0;
1291 }
1292 } 1248 }
1293 else if (type == TLSEXT_TYPE_status_request && 1249 } else if (type == TLSEXT_TYPE_status_request &&
1294 s->version != DTLS1_VERSION) 1250 s->version != DTLS1_VERSION) {
1295 { 1251
1296 1252 if (size < 5) {
1297 if (size < 5)
1298 {
1299 *al = SSL_AD_DECODE_ERROR; 1253 *al = SSL_AD_DECODE_ERROR;
1300 return 0; 1254 return 0;
1301 } 1255 }
1302 1256
1303 s->tlsext_status_type = *data++; 1257 s->tlsext_status_type = *data++;
1304 size--; 1258 size--;
1305 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 1259 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1306 {
1307 const unsigned char *sdata; 1260 const unsigned char *sdata;
1308 int dsize; 1261 int dsize;
1309 /* Read in responder_id_list */ 1262 /* Read in responder_id_list */
1310 n2s(data,dsize); 1263 n2s(data, dsize);
1311 size -= 2; 1264 size -= 2;
1312 if (dsize > size ) 1265 if (dsize > size ) {
1313 {
1314 *al = SSL_AD_DECODE_ERROR; 1266 *al = SSL_AD_DECODE_ERROR;
1315 return 0; 1267 return 0;
1316 } 1268 }
1317 while (dsize > 0) 1269 while (dsize > 0) {
1318 {
1319 OCSP_RESPID *id; 1270 OCSP_RESPID *id;
1320 int idsize; 1271 int idsize;
1321 if (dsize < 4) 1272 if (dsize < 4) {
1322 {
1323 *al = SSL_AD_DECODE_ERROR; 1273 *al = SSL_AD_DECODE_ERROR;
1324 return 0; 1274 return 0;
1325 } 1275 }
1326 n2s(data, idsize); 1276 n2s(data, idsize);
1327 dsize -= 2 + idsize; 1277 dsize -= 2 + idsize;
1328 size -= 2 + idsize; 1278 size -= 2 + idsize;
1329 if (dsize < 0) 1279 if (dsize < 0) {
1330 {
1331 *al = SSL_AD_DECODE_ERROR; 1280 *al = SSL_AD_DECODE_ERROR;
1332 return 0; 1281 return 0;
1333 } 1282 }
1334 sdata = data; 1283 sdata = data;
1335 data += idsize; 1284 data += idsize;
1336 id = d2i_OCSP_RESPID(NULL, 1285 id = d2i_OCSP_RESPID(NULL,
1337 &sdata, idsize); 1286 &sdata, idsize);
1338 if (!id) 1287 if (!id) {
1339 {
1340 *al = SSL_AD_DECODE_ERROR; 1288 *al = SSL_AD_DECODE_ERROR;
1341 return 0; 1289 return 0;
1342 } 1290 }
1343 if (data != sdata) 1291 if (data != sdata) {
1344 {
1345 OCSP_RESPID_free(id); 1292 OCSP_RESPID_free(id);
1346 *al = SSL_AD_DECODE_ERROR; 1293 *al = SSL_AD_DECODE_ERROR;
1347 return 0; 1294 return 0;
1348 } 1295 }
1349 if (!s->tlsext_ocsp_ids 1296 if (!s->tlsext_ocsp_ids
1350 && !(s->tlsext_ocsp_ids = 1297 && !(s->tlsext_ocsp_ids =
1351 sk_OCSP_RESPID_new_null())) 1298 sk_OCSP_RESPID_new_null())) {
1352 {
1353 OCSP_RESPID_free(id); 1299 OCSP_RESPID_free(id);
1354 *al = SSL_AD_INTERNAL_ERROR; 1300 *al = SSL_AD_INTERNAL_ERROR;
1355 return 0; 1301 return 0;
1356 } 1302 }
1357 if (!sk_OCSP_RESPID_push( 1303 if (!sk_OCSP_RESPID_push(
1358 s->tlsext_ocsp_ids, id)) 1304 s->tlsext_ocsp_ids, id)) {
1359 {
1360 OCSP_RESPID_free(id); 1305 OCSP_RESPID_free(id);
1361 *al = SSL_AD_INTERNAL_ERROR; 1306 *al = SSL_AD_INTERNAL_ERROR;
1362 return 0; 1307 return 0;
1363 }
1364 } 1308 }
1309 }
1365 1310
1366 /* Read in request_extensions */ 1311 /* Read in request_extensions */
1367 if (size < 2) 1312 if (size < 2) {
1368 {
1369 *al = SSL_AD_DECODE_ERROR; 1313 *al = SSL_AD_DECODE_ERROR;
1370 return 0; 1314 return 0;
1371 } 1315 }
1372 n2s(data,dsize); 1316 n2s(data, dsize);
1373 size -= 2; 1317 size -= 2;
1374 if (dsize != size) 1318 if (dsize != size) {
1375 {
1376 *al = SSL_AD_DECODE_ERROR; 1319 *al = SSL_AD_DECODE_ERROR;
1377 return 0; 1320 return 0;
1378 } 1321 }
1379 sdata = data; 1322 sdata = data;
1380 if (dsize > 0) 1323 if (dsize > 0) {
1381 { 1324 if (s->tlsext_ocsp_exts) {
1382 if (s->tlsext_ocsp_exts)
1383 {
1384 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1325 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1385 X509_EXTENSION_free); 1326 X509_EXTENSION_free);
1386 } 1327 }
1387 1328
1388 s->tlsext_ocsp_exts = 1329 s->tlsext_ocsp_exts =
1389 d2i_X509_EXTENSIONS(NULL, 1330 d2i_X509_EXTENSIONS(NULL,
1390 &sdata, dsize); 1331 &sdata, dsize);
1391 if (!s->tlsext_ocsp_exts 1332 if (!s->tlsext_ocsp_exts
1392 || (data + dsize != sdata)) 1333 || (data + dsize != sdata)) {
1393 {
1394 *al = SSL_AD_DECODE_ERROR; 1334 *al = SSL_AD_DECODE_ERROR;
1395 return 0; 1335 return 0;
1396 }
1397 } 1336 }
1398 } 1337 }
1338 }
1399 /* We don't know what to do with any other type 1339 /* We don't know what to do with any other type
1400 * so ignore it. 1340 * so ignore it.
1401 */ 1341 */
1402 else 1342 else
1403 s->tlsext_status_type = -1; 1343 s->tlsext_status_type = -1;
1404 } 1344 }
1405#ifndef OPENSSL_NO_HEARTBEATS 1345#ifndef OPENSSL_NO_HEARTBEATS
1406 else if (type == TLSEXT_TYPE_heartbeat) 1346 else if (type == TLSEXT_TYPE_heartbeat) {
1407 { 1347 switch (data[0]) {
1408 switch(data[0]) 1348 case 0x01: /* Client allows us to send HB requests */
1409 { 1349 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1410 case 0x01: /* Client allows us to send HB requests */ 1350 break;
1411 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1351 case 0x02: /* Client doesn't accept HB requests */
1412 break; 1352 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1413 case 0x02: /* Client doesn't accept HB requests */ 1353 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1414 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1354 break;
1415 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1355 default:
1416 break; 1356 *al = SSL_AD_ILLEGAL_PARAMETER;
1417 default: *al = SSL_AD_ILLEGAL_PARAMETER; 1357 return 0;
1418 return 0;
1419 }
1420 } 1358 }
1359 }
1421#endif 1360#endif
1422#ifndef OPENSSL_NO_NEXTPROTONEG 1361#ifndef OPENSSL_NO_NEXTPROTONEG
1423 else if (type == TLSEXT_TYPE_next_proto_neg && 1362 else if (type == TLSEXT_TYPE_next_proto_neg &&
1424 s->s3->tmp.finish_md_len == 0) 1363 s->s3->tmp.finish_md_len == 0) {
1425 {
1426 /* We shouldn't accept this extension on a 1364 /* We shouldn't accept this extension on a
1427 * renegotiation. 1365 * renegotiation.
1428 * 1366 *
@@ -1439,22 +1377,21 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1439 * in the Hello protocol round, well before a new 1377 * in the Hello protocol round, well before a new
1440 * Finished message could have been computed.) */ 1378 * Finished message could have been computed.) */
1441 s->s3->next_proto_neg_seen = 1; 1379 s->s3->next_proto_neg_seen = 1;
1442 } 1380 }
1443#endif 1381#endif
1444 1382
1445 /* session ticket processed earlier */ 1383 /* session ticket processed earlier */
1446#ifndef OPENSSL_NO_SRTP 1384#ifndef OPENSSL_NO_SRTP
1447 else if (type == TLSEXT_TYPE_use_srtp) 1385 else if (type == TLSEXT_TYPE_use_srtp) {
1448 { 1386 if (ssl_parse_clienthello_use_srtp_ext(s, data, size,
1449 if(ssl_parse_clienthello_use_srtp_ext(s, data, size, 1387 al))
1450 al)) 1388 return 0;
1451 return 0; 1389 }
1452 }
1453#endif 1390#endif
1454 1391
1455 data+=size; 1392 data += size;
1456 } 1393 }
1457 1394
1458 *p = data; 1395 *p = data;
1459 1396
1460 ri_check: 1397 ri_check:
@@ -1462,39 +1399,39 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1462 /* Need RI if renegotiating */ 1399 /* Need RI if renegotiating */
1463 1400
1464 if (!renegotiate_seen && s->renegotiate && 1401 if (!renegotiate_seen && s->renegotiate &&
1465 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1402 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
1466 {
1467 *al = SSL_AD_HANDSHAKE_FAILURE; 1403 *al = SSL_AD_HANDSHAKE_FAILURE;
1468 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1404 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1469 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1405 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1470 return 0; 1406 return 0;
1471 } 1407 }
1472 1408
1473 return 1; 1409 return 1;
1474 } 1410}
1475 1411
1476#ifndef OPENSSL_NO_NEXTPROTONEG 1412#ifndef OPENSSL_NO_NEXTPROTONEG
1477/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1413/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1478 * elements of zero length are allowed and the set of elements must exactly fill 1414 * elements of zero length are allowed and the set of elements must exactly fill
1479 * the length of the block. */ 1415 * the length of the block. */
1480static char ssl_next_proto_validate(unsigned char *d, unsigned len) 1416static char
1481 { 1417ssl_next_proto_validate(unsigned char *d, unsigned len)
1418{
1482 unsigned int off = 0; 1419 unsigned int off = 0;
1483 1420
1484 while (off < len) 1421 while (off < len) {
1485 {
1486 if (d[off] == 0) 1422 if (d[off] == 0)
1487 return 0; 1423 return 0;
1488 off += d[off]; 1424 off += d[off];
1489 off++; 1425 off++;
1490 } 1426 }
1491 1427
1492 return off == len; 1428 return off == len;
1493 } 1429}
1494#endif 1430#endif
1495 1431
1496int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 1432int
1497 { 1433ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1434{
1498 unsigned short length; 1435 unsigned short length;
1499 unsigned short type; 1436 unsigned short type;
1500 unsigned short size; 1437 unsigned short size;
@@ -1508,107 +1445,96 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1508 1445
1509#ifndef OPENSSL_NO_HEARTBEATS 1446#ifndef OPENSSL_NO_HEARTBEATS
1510 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1447 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1511 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1448 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1512#endif 1449#endif
1513 1450
1514 if (data >= (d+n-2)) 1451 if (data >= (d + n - 2))
1515 goto ri_check; 1452 goto ri_check;
1516 1453
1517 n2s(data,length); 1454 n2s(data, length);
1518 if (data+length != d+n) 1455 if (data + length != d + n) {
1519 {
1520 *al = SSL_AD_DECODE_ERROR; 1456 *al = SSL_AD_DECODE_ERROR;
1521 return 0; 1457 return 0;
1522 } 1458 }
1523 1459
1524 while(data <= (d+n-4)) 1460 while (data <= (d + n - 4)) {
1525 { 1461 n2s(data, type);
1526 n2s(data,type); 1462 n2s(data, size);
1527 n2s(data,size);
1528 1463
1529 if (data+size > (d+n)) 1464 if (data + size > (d + n))
1530 goto ri_check; 1465 goto ri_check;
1531 1466
1532 if (s->tlsext_debug_cb) 1467 if (s->tlsext_debug_cb)
1533 s->tlsext_debug_cb(s, 1, type, data, size, 1468 s->tlsext_debug_cb(s, 1, type, data, size,
1534 s->tlsext_debug_arg); 1469 s->tlsext_debug_arg);
1535 1470
1536 if (type == TLSEXT_TYPE_server_name) 1471 if (type == TLSEXT_TYPE_server_name) {
1537 { 1472 if (s->tlsext_hostname == NULL || size > 0) {
1538 if (s->tlsext_hostname == NULL || size > 0)
1539 {
1540 *al = TLS1_AD_UNRECOGNIZED_NAME; 1473 *al = TLS1_AD_UNRECOGNIZED_NAME;
1541 return 0; 1474 return 0;
1542 }
1543 tlsext_servername = 1;
1544 } 1475 }
1476 tlsext_servername = 1;
1477
1478 }
1545 1479
1546#ifndef OPENSSL_NO_EC 1480#ifndef OPENSSL_NO_EC
1547 else if (type == TLSEXT_TYPE_ec_point_formats && 1481 else if (type == TLSEXT_TYPE_ec_point_formats &&
1548 s->version != DTLS1_VERSION) 1482 s->version != DTLS1_VERSION) {
1549 {
1550 unsigned char *sdata = data; 1483 unsigned char *sdata = data;
1551 int ecpointformatlist_length = *(sdata++); 1484 int ecpointformatlist_length = *(sdata++);
1552 1485
1553 if (ecpointformatlist_length != size - 1 || 1486 if (ecpointformatlist_length != size - 1 ||
1554 ecpointformatlist_length < 1) 1487 ecpointformatlist_length < 1) {
1555 {
1556 *al = TLS1_AD_DECODE_ERROR; 1488 *al = TLS1_AD_DECODE_ERROR;
1557 return 0; 1489 return 0;
1558 } 1490 }
1559 s->session->tlsext_ecpointformatlist_length = 0; 1491 s->session->tlsext_ecpointformatlist_length = 0;
1560 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); 1492 if (s->session->tlsext_ecpointformatlist != NULL)
1561 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1493 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1562 { 1494 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
1563 *al = TLS1_AD_INTERNAL_ERROR; 1495 *al = TLS1_AD_INTERNAL_ERROR;
1564 return 0; 1496 return 0;
1565 } 1497 }
1566 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1498 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1567 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1499 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1568#if 0 1500#if 0
1569 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); 1501 fprintf(stderr, "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1570 sdata = s->session->tlsext_ecpointformatlist; 1502 sdata = s->session->tlsext_ecpointformatlist;
1571 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1503 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1572 fprintf(stderr,"%i ",*(sdata++)); 1504 fprintf(stderr, "%i ", *(sdata++));
1573 fprintf(stderr,"\n"); 1505 fprintf(stderr, "\n");
1574#endif 1506#endif
1575 } 1507 }
1576#endif /* OPENSSL_NO_EC */ 1508#endif /* OPENSSL_NO_EC */
1577 1509
1578 else if (type == TLSEXT_TYPE_session_ticket) 1510 else if (type == TLSEXT_TYPE_session_ticket) {
1579 {
1580 if (s->tls_session_ticket_ext_cb && 1511 if (s->tls_session_ticket_ext_cb &&
1581 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1512 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1582 {
1583 *al = TLS1_AD_INTERNAL_ERROR; 1513 *al = TLS1_AD_INTERNAL_ERROR;
1584 return 0; 1514 return 0;
1585 } 1515 }
1586 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 1516 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1587 || (size > 0)) 1517 || (size > 0)) {
1588 {
1589 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1518 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1590 return 0; 1519 return 0;
1591 }
1592 s->tlsext_ticket_expected = 1;
1593 } 1520 }
1521 s->tlsext_ticket_expected = 1;
1522 }
1594#ifdef TLSEXT_TYPE_opaque_prf_input 1523#ifdef TLSEXT_TYPE_opaque_prf_input
1595 else if (type == TLSEXT_TYPE_opaque_prf_input && 1524 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1596 s->version != DTLS1_VERSION) 1525 s->version != DTLS1_VERSION) {
1597 {
1598 unsigned char *sdata = data; 1526 unsigned char *sdata = data;
1599 1527
1600 if (size < 2) 1528 if (size < 2) {
1601 {
1602 *al = SSL_AD_DECODE_ERROR; 1529 *al = SSL_AD_DECODE_ERROR;
1603 return 0; 1530 return 0;
1604 } 1531 }
1605 n2s(sdata, s->s3->server_opaque_prf_input_len); 1532 n2s(sdata, s->s3->server_opaque_prf_input_len);
1606 if (s->s3->server_opaque_prf_input_len != size - 2) 1533 if (s->s3->server_opaque_prf_input_len != size - 2) {
1607 {
1608 *al = SSL_AD_DECODE_ERROR; 1534 *al = SSL_AD_DECODE_ERROR;
1609 return 0; 1535 return 0;
1610 } 1536 }
1611 1537
1612 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1538 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1613 OPENSSL_free(s->s3->server_opaque_prf_input); 1539 OPENSSL_free(s->s3->server_opaque_prf_input);
1614 if (s->s3->server_opaque_prf_input_len == 0) 1540 if (s->s3->server_opaque_prf_input_len == 0)
@@ -1616,123 +1542,107 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1616 else 1542 else
1617 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); 1543 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1618 1544
1619 if (s->s3->server_opaque_prf_input == NULL) 1545 if (s->s3->server_opaque_prf_input == NULL) {
1620 {
1621 *al = TLS1_AD_INTERNAL_ERROR; 1546 *al = TLS1_AD_INTERNAL_ERROR;
1622 return 0; 1547 return 0;
1623 }
1624 } 1548 }
1549 }
1625#endif 1550#endif
1626 else if (type == TLSEXT_TYPE_status_request && 1551 else if (type == TLSEXT_TYPE_status_request &&
1627 s->version != DTLS1_VERSION) 1552 s->version != DTLS1_VERSION) {
1628 {
1629 /* MUST be empty and only sent if we've requested 1553 /* MUST be empty and only sent if we've requested
1630 * a status request message. 1554 * a status request message.
1631 */ 1555 */
1632 if ((s->tlsext_status_type == -1) || (size > 0)) 1556 if ((s->tlsext_status_type == -1) || (size > 0)) {
1633 {
1634 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1557 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1635 return 0; 1558 return 0;
1636 } 1559 }
1637 /* Set flag to expect CertificateStatus message */ 1560 /* Set flag to expect CertificateStatus message */
1638 s->tlsext_status_expected = 1; 1561 s->tlsext_status_expected = 1;
1639 } 1562 }
1640#ifndef OPENSSL_NO_NEXTPROTONEG 1563#ifndef OPENSSL_NO_NEXTPROTONEG
1641 else if (type == TLSEXT_TYPE_next_proto_neg && 1564 else if (type == TLSEXT_TYPE_next_proto_neg &&
1642 s->s3->tmp.finish_md_len == 0) 1565 s->s3->tmp.finish_md_len == 0) {
1643 {
1644 unsigned char *selected; 1566 unsigned char *selected;
1645 unsigned char selected_len; 1567 unsigned char selected_len;
1646 1568
1647 /* We must have requested it. */ 1569 /* We must have requested it. */
1648 if (s->ctx->next_proto_select_cb == NULL) 1570 if (s->ctx->next_proto_select_cb == NULL) {
1649 {
1650 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1571 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1651 return 0; 1572 return 0;
1652 } 1573 }
1653 /* The data must be valid */ 1574 /* The data must be valid */
1654 if (!ssl_next_proto_validate(data, size)) 1575 if (!ssl_next_proto_validate(data, size)) {
1655 {
1656 *al = TLS1_AD_DECODE_ERROR; 1576 *al = TLS1_AD_DECODE_ERROR;
1657 return 0; 1577 return 0;
1658 } 1578 }
1659 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) 1579 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
1660 {
1661 *al = TLS1_AD_INTERNAL_ERROR; 1580 *al = TLS1_AD_INTERNAL_ERROR;
1662 return 0; 1581 return 0;
1663 } 1582 }
1664 s->next_proto_negotiated = OPENSSL_malloc(selected_len); 1583 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1665 if (!s->next_proto_negotiated) 1584 if (!s->next_proto_negotiated) {
1666 {
1667 *al = TLS1_AD_INTERNAL_ERROR; 1585 *al = TLS1_AD_INTERNAL_ERROR;
1668 return 0; 1586 return 0;
1669 } 1587 }
1670 memcpy(s->next_proto_negotiated, selected, selected_len); 1588 memcpy(s->next_proto_negotiated, selected, selected_len);
1671 s->next_proto_negotiated_len = selected_len; 1589 s->next_proto_negotiated_len = selected_len;
1672 s->s3->next_proto_neg_seen = 1; 1590 s->s3->next_proto_neg_seen = 1;
1673 } 1591 }
1674#endif 1592#endif
1675 else if (type == TLSEXT_TYPE_renegotiate) 1593 else if (type == TLSEXT_TYPE_renegotiate) {
1676 { 1594 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1677 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1678 return 0; 1595 return 0;
1679 renegotiate_seen = 1; 1596 renegotiate_seen = 1;
1680 } 1597 }
1681#ifndef OPENSSL_NO_HEARTBEATS 1598#ifndef OPENSSL_NO_HEARTBEATS
1682 else if (type == TLSEXT_TYPE_heartbeat) 1599 else if (type == TLSEXT_TYPE_heartbeat) {
1683 { 1600 switch (data[0]) {
1684 switch(data[0]) 1601 case 0x01: /* Server allows us to send HB requests */
1685 { 1602 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1686 case 0x01: /* Server allows us to send HB requests */ 1603 break;
1687 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1604 case 0x02: /* Server doesn't accept HB requests */
1688 break; 1605 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1689 case 0x02: /* Server doesn't accept HB requests */ 1606 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1690 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1607 break;
1691 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1608 default:
1692 break; 1609 *al = SSL_AD_ILLEGAL_PARAMETER;
1693 default: *al = SSL_AD_ILLEGAL_PARAMETER; 1610 return 0;
1694 return 0;
1695 }
1696 } 1611 }
1612 }
1697#endif 1613#endif
1698#ifndef OPENSSL_NO_SRTP 1614#ifndef OPENSSL_NO_SRTP
1699 else if (type == TLSEXT_TYPE_use_srtp) 1615 else if (type == TLSEXT_TYPE_use_srtp) {
1700 { 1616 if (ssl_parse_serverhello_use_srtp_ext(s, data, size,
1701 if(ssl_parse_serverhello_use_srtp_ext(s, data, size, 1617 al))
1702 al)) 1618 return 0;
1703 return 0; 1619 }
1704 }
1705#endif 1620#endif
1706 1621
1707 data+=size; 1622 data += size;
1708 } 1623
1624 }
1709 1625
1710 if (data != d+n) 1626 if (data != d + n) {
1711 {
1712 *al = SSL_AD_DECODE_ERROR; 1627 *al = SSL_AD_DECODE_ERROR;
1713 return 0; 1628 return 0;
1714 } 1629 }
1715 1630
1716 if (!s->hit && tlsext_servername == 1) 1631 if (!s->hit && tlsext_servername == 1) {
1717 { 1632 if (s->tlsext_hostname) {
1718 if (s->tlsext_hostname) 1633 if (s->session->tlsext_hostname == NULL) {
1719 { 1634 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1720 if (s->session->tlsext_hostname == NULL) 1635
1721 { 1636 if (!s->session->tlsext_hostname) {
1722 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1723 if (!s->session->tlsext_hostname)
1724 {
1725 *al = SSL_AD_UNRECOGNIZED_NAME; 1637 *al = SSL_AD_UNRECOGNIZED_NAME;
1726 return 0; 1638 return 0;
1727 }
1728 } 1639 }
1729 else 1640 } else {
1730 {
1731 *al = SSL_AD_DECODE_ERROR; 1641 *al = SSL_AD_DECODE_ERROR;
1732 return 0; 1642 return 0;
1733 }
1734 } 1643 }
1735 } 1644 }
1645 }
1736 1646
1737 *p = data; 1647 *p = data;
1738 1648
@@ -1747,20 +1657,20 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1747 */ 1657 */
1748 if (!renegotiate_seen 1658 if (!renegotiate_seen
1749 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 1659 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1750 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1660 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
1751 {
1752 *al = SSL_AD_HANDSHAKE_FAILURE; 1661 *al = SSL_AD_HANDSHAKE_FAILURE;
1753 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1662 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1754 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1663 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1755 return 0; 1664 return 0;
1756 } 1665 }
1757 1666
1758 return 1; 1667 return 1;
1759 } 1668}
1760 1669
1761 1670
1762int ssl_prepare_clienthello_tlsext(SSL *s) 1671int
1763 { 1672ssl_prepare_clienthello_tlsext(SSL *s)
1673{
1764#ifndef OPENSSL_NO_EC 1674#ifndef OPENSSL_NO_EC
1765 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 1675 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1766 * and elliptic curves we support. 1676 * and elliptic curves we support.
@@ -1771,63 +1681,59 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
1771 unsigned long alg_k, alg_a; 1681 unsigned long alg_k, alg_a;
1772 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 1682 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1773 1683
1774 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) 1684 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1775 {
1776 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 1685 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1777 1686
1778 alg_k = c->algorithm_mkey; 1687 alg_k = c->algorithm_mkey;
1779 alg_a = c->algorithm_auth; 1688 alg_a = c->algorithm_auth;
1780 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) 1689 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) {
1781 {
1782 using_ecc = 1; 1690 using_ecc = 1;
1783 break; 1691 break;
1784 }
1785 } 1692 }
1693 }
1786 using_ecc = using_ecc && (s->version >= TLS1_VERSION); 1694 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1787 if (using_ecc) 1695 if (using_ecc) {
1788 { 1696 if (s->tlsext_ecpointformatlist != NULL)
1789 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1697 OPENSSL_free(s->tlsext_ecpointformatlist);
1790 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1698 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) {
1791 { 1699 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1792 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1793 return -1; 1700 return -1;
1794 } 1701 }
1795 s->tlsext_ecpointformatlist_length = 3; 1702 s->tlsext_ecpointformatlist_length = 3;
1796 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1703 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1797 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1704 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1798 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1705 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1799 1706
1800 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ 1707 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1801 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); 1708 if (s->tlsext_ellipticcurvelist != NULL)
1709 OPENSSL_free(s->tlsext_ellipticcurvelist);
1802 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2; 1710 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1803 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) 1711 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) {
1804 {
1805 s->tlsext_ellipticcurvelist_length = 0; 1712 s->tlsext_ellipticcurvelist_length = 0;
1806 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1713 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1807 return -1; 1714 return -1;
1808 } 1715 }
1809 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < 1716 for (i = 0, j = s->tlsext_ellipticcurvelist;
1810 sizeof(pref_list)/sizeof(pref_list[0]); i++) 1717 (unsigned int)i <
1811 { 1718 sizeof(pref_list)/sizeof(pref_list[0]);
1719 i++) {
1812 int id = tls1_ec_nid2curve_id(pref_list[i]); 1720 int id = tls1_ec_nid2curve_id(pref_list[i]);
1813 s2n(id,j); 1721 s2n(id, j);
1814 }
1815 } 1722 }
1723 }
1816#endif /* OPENSSL_NO_EC */ 1724#endif /* OPENSSL_NO_EC */
1817 1725
1818#ifdef TLSEXT_TYPE_opaque_prf_input 1726#ifdef TLSEXT_TYPE_opaque_prf_input
1819 { 1727 {
1820 int r = 1; 1728 int r = 1;
1821 1729
1822 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1730 if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
1823 {
1824 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1731 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1825 if (!r) 1732 if (!r)
1826 return -1; 1733 return -1;
1827 } 1734 }
1828 1735
1829 if (s->tlsext_opaque_prf_input != NULL) 1736 if (s->tlsext_opaque_prf_input != NULL) {
1830 {
1831 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1737 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1832 OPENSSL_free(s->s3->client_opaque_prf_input); 1738 OPENSSL_free(s->s3->client_opaque_prf_input);
1833 1739
@@ -1835,25 +1741,25 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
1835 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1741 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1836 else 1742 else
1837 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1743 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1838 if (s->s3->client_opaque_prf_input == NULL) 1744 if (s->s3->client_opaque_prf_input == NULL) {
1839 { 1745 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1840 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1841 return -1; 1746 return -1;
1842 }
1843 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1844 } 1747 }
1748 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1749 }
1845 1750
1846 if (r == 2) 1751 if (r == 2)
1847 /* at callback's request, insist on receiving an appropriate server opaque PRF input */ 1752 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1848 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1753 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1849 } 1754 }
1850#endif 1755#endif
1851 1756
1852 return 1; 1757 return 1;
1853 } 1758}
1854 1759
1855int ssl_prepare_serverhello_tlsext(SSL *s) 1760int
1856 { 1761ssl_prepare_serverhello_tlsext(SSL *s)
1762{
1857#ifndef OPENSSL_NO_EC 1763#ifndef OPENSSL_NO_EC
1858 /* If we are server and using an ECC cipher suite, send the point formats we support 1764 /* If we are server and using an ECC cipher suite, send the point formats we support
1859 * if the client sent us an ECPointsFormat extension. Note that the server is not 1765 * if the client sent us an ECPointsFormat extension. Note that the server is not
@@ -1864,28 +1770,28 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
1864 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1770 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1865 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); 1771 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1866 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); 1772 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1867 1773
1868 if (using_ecc) 1774 if (using_ecc) {
1869 { 1775 if (s->tlsext_ecpointformatlist != NULL)
1870 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1776 OPENSSL_free(s->tlsext_ecpointformatlist);
1871 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1777 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) {
1872 { 1778 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1873 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1874 return -1; 1779 return -1;
1875 } 1780 }
1876 s->tlsext_ecpointformatlist_length = 3; 1781 s->tlsext_ecpointformatlist_length = 3;
1877 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1782 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1878 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1783 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1879 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1784 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1880 } 1785 }
1881#endif /* OPENSSL_NO_EC */ 1786#endif /* OPENSSL_NO_EC */
1882 1787
1883 return 1; 1788 return 1;
1884 } 1789}
1885 1790
1886int ssl_check_clienthello_tlsext_early(SSL *s) 1791int
1887 { 1792ssl_check_clienthello_tlsext_early(SSL *s)
1888 int ret=SSL_TLSEXT_ERR_NOACK; 1793{
1794 int ret = SSL_TLSEXT_ERR_NOACK;
1889 int al = SSL_AD_UNRECOGNIZED_NAME; 1795 int al = SSL_AD_UNRECOGNIZED_NAME;
1890 1796
1891#ifndef OPENSSL_NO_EC 1797#ifndef OPENSSL_NO_EC
@@ -1897,40 +1803,36 @@ int ssl_check_clienthello_tlsext_early(SSL *s)
1897 */ 1803 */
1898#endif 1804#endif
1899 1805
1900 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1806 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1901 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1807 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1902 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1808 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1903 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1809 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1904 1810
1905#ifdef TLSEXT_TYPE_opaque_prf_input 1811#ifdef TLSEXT_TYPE_opaque_prf_input
1906 { 1812 {
1907 /* This sort of belongs into ssl_prepare_serverhello_tlsext(), 1813 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1908 * but we might be sending an alert in response to the client hello, 1814 * but we might be sending an alert in response to the client hello,
1909 * so this has to happen here in 1815 * so this has to happen here in
1910 * ssl_check_clienthello_tlsext_early(). */ 1816 * ssl_check_clienthello_tlsext_early(). */
1911 1817
1912 int r = 1; 1818 int r = 1;
1913 1819
1914 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1820 if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
1915 {
1916 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1821 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1917 if (!r) 1822 if (!r) {
1918 {
1919 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1823 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1920 al = SSL_AD_INTERNAL_ERROR; 1824 al = SSL_AD_INTERNAL_ERROR;
1921 goto err; 1825 goto err;
1922 }
1923 } 1826 }
1827 }
1924 1828
1925 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1829 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1926 OPENSSL_free(s->s3->server_opaque_prf_input); 1830 OPENSSL_free(s->s3->server_opaque_prf_input);
1927 s->s3->server_opaque_prf_input = NULL; 1831 s->s3->server_opaque_prf_input = NULL;
1928 1832
1929 if (s->tlsext_opaque_prf_input != NULL) 1833 if (s->tlsext_opaque_prf_input != NULL) {
1930 {
1931 if (s->s3->client_opaque_prf_input != NULL && 1834 if (s->s3->client_opaque_prf_input != NULL &&
1932 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) 1835 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) {
1933 {
1934 /* can only use this extension if we have a server opaque PRF input 1836 /* can only use this extension if we have a server opaque PRF input
1935 * of the same length as the client opaque PRF input! */ 1837 * of the same length as the client opaque PRF input! */
1936 1838
@@ -1938,48 +1840,48 @@ int ssl_check_clienthello_tlsext_early(SSL *s)
1938 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1840 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1939 else 1841 else
1940 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1842 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1941 if (s->s3->server_opaque_prf_input == NULL) 1843 if (s->s3->server_opaque_prf_input == NULL) {
1942 {
1943 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1844 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1944 al = SSL_AD_INTERNAL_ERROR; 1845 al = SSL_AD_INTERNAL_ERROR;
1945 goto err; 1846 goto err;
1946 }
1947 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1948 } 1847 }
1848 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1949 } 1849 }
1850 }
1950 1851
1951 if (r == 2 && s->s3->server_opaque_prf_input == NULL) 1852 if (r == 2 && s->s3->server_opaque_prf_input == NULL) {
1952 {
1953 /* The callback wants to enforce use of the extension, 1853 /* The callback wants to enforce use of the extension,
1954 * but we can't do that with the client opaque PRF input; 1854 * but we can't do that with the client opaque PRF input;
1955 * abort the handshake. 1855 * abort the handshake.
1956 */ 1856 */
1957 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1857 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1958 al = SSL_AD_HANDSHAKE_FAILURE; 1858 al = SSL_AD_HANDSHAKE_FAILURE;
1959 } 1859 }
1960 } 1860 }
1961 1861
1962 err: 1862 err:
1963#endif 1863#endif
1964 switch (ret) 1864 switch (ret) {
1965 { 1865 case SSL_TLSEXT_ERR_ALERT_FATAL:
1966 case SSL_TLSEXT_ERR_ALERT_FATAL: 1866 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1967 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1968 return -1;
1969 1867
1970 case SSL_TLSEXT_ERR_ALERT_WARNING: 1868 return -1;
1971 ssl3_send_alert(s,SSL3_AL_WARNING,al); 1869
1972 return 1; 1870 case SSL_TLSEXT_ERR_ALERT_WARNING:
1973 1871 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1974 case SSL_TLSEXT_ERR_NOACK: 1872 return 1;
1975 s->servername_done=0; 1873
1976 default: 1874
1875 case SSL_TLSEXT_ERR_NOACK:
1876 s->servername_done = 0;
1877 default:
1977 return 1; 1878 return 1;
1978 }
1979 } 1879 }
1880}
1980 1881
1981int ssl_check_clienthello_tlsext_late(SSL *s) 1882int
1982 { 1883ssl_check_clienthello_tlsext_late(SSL *s)
1884{
1983 int ret = SSL_TLSEXT_ERR_OK; 1885 int ret = SSL_TLSEXT_ERR_OK;
1984 int al; 1886 int al;
1985 1887
@@ -1988,64 +1890,62 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
1988 * the certificate has changed, and must be called after the cipher 1890 * the certificate has changed, and must be called after the cipher
1989 * has been chosen because this may influence which certificate is sent 1891 * has been chosen because this may influence which certificate is sent
1990 */ 1892 */
1991 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) 1893 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
1992 {
1993 int r; 1894 int r;
1994 CERT_PKEY *certpkey; 1895 CERT_PKEY *certpkey;
1995 certpkey = ssl_get_server_send_pkey(s); 1896 certpkey = ssl_get_server_send_pkey(s);
1996 /* If no certificate can't return certificate status */ 1897 /* If no certificate can't return certificate status */
1997 if (certpkey == NULL) 1898 if (certpkey == NULL) {
1998 {
1999 s->tlsext_status_expected = 0; 1899 s->tlsext_status_expected = 0;
2000 return 1; 1900 return 1;
2001 } 1901 }
2002 /* Set current certificate to one we will use so 1902 /* Set current certificate to one we will use so
2003 * SSL_get_certificate et al can pick it up. 1903 * SSL_get_certificate et al can pick it up.
2004 */ 1904 */
2005 s->cert->key = certpkey; 1905 s->cert->key = certpkey;
2006 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1906 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2007 switch (r) 1907 switch (r) {
2008 {
2009 /* We don't want to send a status request response */ 1908 /* We don't want to send a status request response */
2010 case SSL_TLSEXT_ERR_NOACK: 1909 case SSL_TLSEXT_ERR_NOACK:
2011 s->tlsext_status_expected = 0; 1910 s->tlsext_status_expected = 0;
2012 break; 1911 break;
2013 /* status request response should be sent */ 1912 /* status request response should be sent */
2014 case SSL_TLSEXT_ERR_OK: 1913 case SSL_TLSEXT_ERR_OK:
2015 if (s->tlsext_ocsp_resp) 1914 if (s->tlsext_ocsp_resp)
2016 s->tlsext_status_expected = 1; 1915 s->tlsext_status_expected = 1;
2017 else 1916 else
2018 s->tlsext_status_expected = 0; 1917 s->tlsext_status_expected = 0;
2019 break; 1918 break;
2020 /* something bad happened */ 1919 /* something bad happened */
2021 case SSL_TLSEXT_ERR_ALERT_FATAL: 1920 case SSL_TLSEXT_ERR_ALERT_FATAL:
2022 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1921 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2023 al = SSL_AD_INTERNAL_ERROR; 1922 al = SSL_AD_INTERNAL_ERROR;
2024 goto err; 1923 goto err;
2025 }
2026 } 1924 }
2027 else 1925 } else
2028 s->tlsext_status_expected = 0; 1926 s->tlsext_status_expected = 0;
2029 1927
2030 err: 1928err:
2031 switch (ret) 1929 switch (ret) {
2032 { 1930 case SSL_TLSEXT_ERR_ALERT_FATAL:
2033 case SSL_TLSEXT_ERR_ALERT_FATAL: 1931 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2034 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2035 return -1;
2036 1932
2037 case SSL_TLSEXT_ERR_ALERT_WARNING: 1933 return -1;
2038 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2039 return 1;
2040 1934
2041 default: 1935 case SSL_TLSEXT_ERR_ALERT_WARNING:
2042 return 1; 1936 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2043 } 1937 return 1;
1938
1939
1940 default:
1941 return 1;
2044 } 1942 }
1943}
2045 1944
2046int ssl_check_serverhello_tlsext(SSL *s) 1945int
2047 { 1946ssl_check_serverhello_tlsext(SSL *s)
2048 int ret=SSL_TLSEXT_ERR_NOACK; 1947{
1948 int ret = SSL_TLSEXT_ERR_NOACK;
2049 int al = SSL_AD_UNRECOGNIZED_NAME; 1949 int al = SSL_AD_UNRECOGNIZED_NAME;
2050 1950
2051#ifndef OPENSSL_NO_EC 1951#ifndef OPENSSL_NO_EC
@@ -2055,105 +1955,95 @@ int ssl_check_serverhello_tlsext(SSL *s)
2055 */ 1955 */
2056 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1956 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2057 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1957 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2058 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 1958 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
2059 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 1959 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
2060 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) 1960 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
2061 {
2062 /* we are using an ECC cipher */ 1961 /* we are using an ECC cipher */
2063 size_t i; 1962 size_t i;
2064 unsigned char *list; 1963 unsigned char *list;
2065 int found_uncompressed = 0; 1964 int found_uncompressed = 0;
2066 list = s->session->tlsext_ecpointformatlist; 1965 list = s->session->tlsext_ecpointformatlist;
2067 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1966 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2068 { 1967 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2069 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2070 {
2071 found_uncompressed = 1; 1968 found_uncompressed = 1;
2072 break; 1969 break;
2073 }
2074 } 1970 }
2075 if (!found_uncompressed) 1971 }
2076 { 1972 if (!found_uncompressed) {
2077 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1973 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2078 return -1; 1974 return -1;
2079 }
2080 } 1975 }
1976 }
2081 ret = SSL_TLSEXT_ERR_OK; 1977 ret = SSL_TLSEXT_ERR_OK;
2082#endif /* OPENSSL_NO_EC */ 1978#endif /* OPENSSL_NO_EC */
2083 1979
2084 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1980 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2085 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1981 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2086 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1982 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2087 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1983 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2088 1984
2089#ifdef TLSEXT_TYPE_opaque_prf_input 1985#ifdef TLSEXT_TYPE_opaque_prf_input
2090 if (s->s3->server_opaque_prf_input_len > 0) 1986 if (s->s3->server_opaque_prf_input_len > 0) {
2091 {
2092 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs. 1987 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2093 * So first verify that we really have a value from the server too. */ 1988 * So first verify that we really have a value from the server too. */
2094 1989
2095 if (s->s3->server_opaque_prf_input == NULL) 1990 if (s->s3->server_opaque_prf_input == NULL) {
2096 {
2097 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1991 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2098 al = SSL_AD_HANDSHAKE_FAILURE; 1992 al = SSL_AD_HANDSHAKE_FAILURE;
2099 } 1993 }
2100 1994
2101 /* Anytime the server *has* sent an opaque PRF input, we need to check 1995 /* Anytime the server *has* sent an opaque PRF input, we need to check
2102 * that we have a client opaque PRF input of the same size. */ 1996 * that we have a client opaque PRF input of the same size. */
2103 if (s->s3->client_opaque_prf_input == NULL || 1997 if (s->s3->client_opaque_prf_input == NULL ||
2104 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) 1998 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) {
2105 {
2106 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1999 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2107 al = SSL_AD_ILLEGAL_PARAMETER; 2000 al = SSL_AD_ILLEGAL_PARAMETER;
2108 }
2109 } 2001 }
2002 }
2110#endif 2003#endif
2111 2004
2112 /* If we've requested certificate status and we wont get one 2005 /* If we've requested certificate status and we wont get one
2113 * tell the callback 2006 * tell the callback
2114 */ 2007 */
2115 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 2008 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2116 && s->ctx && s->ctx->tlsext_status_cb) 2009 && s->ctx && s->ctx->tlsext_status_cb) {
2117 {
2118 int r; 2010 int r;
2119 /* Set resp to NULL, resplen to -1 so callback knows 2011 /* Set resp to NULL, resplen to -1 so callback knows
2120 * there is no response. 2012 * there is no response.
2121 */ 2013 */
2122 if (s->tlsext_ocsp_resp) 2014 if (s->tlsext_ocsp_resp) {
2123 {
2124 OPENSSL_free(s->tlsext_ocsp_resp); 2015 OPENSSL_free(s->tlsext_ocsp_resp);
2125 s->tlsext_ocsp_resp = NULL; 2016 s->tlsext_ocsp_resp = NULL;
2126 } 2017 }
2127 s->tlsext_ocsp_resplen = -1; 2018 s->tlsext_ocsp_resplen = -1;
2128 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2019 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2129 if (r == 0) 2020 if (r == 0) {
2130 {
2131 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2021 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2132 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2022 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2133 } 2023 }
2134 if (r < 0) 2024 if (r < 0) {
2135 {
2136 al = SSL_AD_INTERNAL_ERROR; 2025 al = SSL_AD_INTERNAL_ERROR;
2137 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2026 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2138 }
2139 } 2027 }
2028 }
2140 2029
2141 switch (ret) 2030 switch (ret) {
2142 { 2031 case SSL_TLSEXT_ERR_ALERT_FATAL:
2143 case SSL_TLSEXT_ERR_ALERT_FATAL: 2032 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2144 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2145 return -1;
2146 2033
2147 case SSL_TLSEXT_ERR_ALERT_WARNING: 2034 return -1;
2148 ssl3_send_alert(s,SSL3_AL_WARNING,al); 2035
2149 return 1; 2036 case SSL_TLSEXT_ERR_ALERT_WARNING:
2150 2037 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2151 case SSL_TLSEXT_ERR_NOACK: 2038 return 1;
2152 s->servername_done=0; 2039
2153 default: 2040
2041 case SSL_TLSEXT_ERR_NOACK:
2042 s->servername_done = 0;
2043 default:
2154 return 1; 2044 return 1;
2155 }
2156 } 2045 }
2046}
2157 2047
2158/* Since the server cache lookup is done early on in the processing of the 2048/* Since the server cache lookup is done early on in the processing of the
2159 * ClientHello, and other operations depend on the result, we need to handle 2049 * ClientHello, and other operations depend on the result, we need to handle
@@ -2188,9 +2078,10 @@ int ssl_check_serverhello_tlsext(SSL *s)
2188 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2078 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2189 * Otherwise, s->tlsext_ticket_expected is set to 0. 2079 * Otherwise, s->tlsext_ticket_expected is set to 0.
2190 */ 2080 */
2191int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 2081int
2192 const unsigned char *limit, SSL_SESSION **ret) 2082tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2193 { 2083 const unsigned char *limit, SSL_SESSION **ret)
2084{
2194 /* Point after session ID in client hello */ 2085 /* Point after session ID in client hello */
2195 const unsigned char *p = session_id + len; 2086 const unsigned char *p = session_id + len;
2196 unsigned short i; 2087 unsigned short i;
@@ -2208,16 +2099,15 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2208 if (p >= limit) 2099 if (p >= limit)
2209 return -1; 2100 return -1;
2210 /* Skip past DTLS cookie */ 2101 /* Skip past DTLS cookie */
2211 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 2102 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
2212 {
2213 i = *(p++); 2103 i = *(p++);
2214 p+= i; 2104 p += i;
2215 if (p >= limit) 2105 if (p >= limit)
2216 return -1; 2106 return -1;
2217 } 2107 }
2218 /* Skip past cipher list */ 2108 /* Skip past cipher list */
2219 n2s(p, i); 2109 n2s(p, i);
2220 p+= i; 2110 p += i;
2221 if (p >= limit) 2111 if (p >= limit)
2222 return -1; 2112 return -1;
2223 /* Skip past compression algorithm list */ 2113 /* Skip past compression algorithm list */
@@ -2229,51 +2119,46 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2229 if ((p + 2) >= limit) 2119 if ((p + 2) >= limit)
2230 return 0; 2120 return 0;
2231 n2s(p, i); 2121 n2s(p, i);
2232 while ((p + 4) <= limit) 2122 while ((p + 4) <= limit) {
2233 {
2234 unsigned short type, size; 2123 unsigned short type, size;
2235 n2s(p, type); 2124 n2s(p, type);
2236 n2s(p, size); 2125 n2s(p, size);
2237 if (p + size > limit) 2126 if (p + size > limit)
2238 return 0; 2127 return 0;
2239 if (type == TLSEXT_TYPE_session_ticket) 2128 if (type == TLSEXT_TYPE_session_ticket) {
2240 {
2241 int r; 2129 int r;
2242 if (size == 0) 2130 if (size == 0) {
2243 {
2244 /* The client will accept a ticket but doesn't 2131 /* The client will accept a ticket but doesn't
2245 * currently have one. */ 2132 * currently have one. */
2246 s->tlsext_ticket_expected = 1; 2133 s->tlsext_ticket_expected = 1;
2247 return 1; 2134 return 1;
2248 } 2135 }
2249 if (s->tls_session_secret_cb) 2136 if (s->tls_session_secret_cb) {
2250 {
2251 /* Indicate that the ticket couldn't be 2137 /* Indicate that the ticket couldn't be
2252 * decrypted rather than generating the session 2138 * decrypted rather than generating the session
2253 * from ticket now, trigger abbreviated 2139 * from ticket now, trigger abbreviated
2254 * handshake based on external mechanism to 2140 * handshake based on external mechanism to
2255 * calculate the master secret later. */ 2141 * calculate the master secret later. */
2256 return 2; 2142 return 2;
2257 } 2143 }
2258 r = tls_decrypt_ticket(s, p, size, session_id, len, ret); 2144 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2259 switch (r) 2145 switch (r) {
2260 { 2146 case 2: /* ticket couldn't be decrypted */
2261 case 2: /* ticket couldn't be decrypted */ 2147 s->tlsext_ticket_expected = 1;
2262 s->tlsext_ticket_expected = 1; 2148 return 2;
2263 return 2; 2149 case 3: /* ticket was decrypted */
2264 case 3: /* ticket was decrypted */ 2150 return r;
2265 return r; 2151 case 4: /* ticket decrypted but need to renew */
2266 case 4: /* ticket decrypted but need to renew */ 2152 s->tlsext_ticket_expected = 1;
2267 s->tlsext_ticket_expected = 1; 2153 return 3;
2268 return 3; 2154 default: /* fatal error */
2269 default: /* fatal error */ 2155 return -1;
2270 return -1;
2271 }
2272 } 2156 }
2273 p += size;
2274 } 2157 }
2275 return 0; 2158 p += size;
2276 } 2159 }
2160 return 0;
2161}
2277 2162
2278/* tls_decrypt_ticket attempts to decrypt a session ticket. 2163/* tls_decrypt_ticket attempts to decrypt a session ticket.
2279 * 2164 *
@@ -2290,10 +2175,10 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2290 * 3: a ticket was successfully decrypted and *psess was set. 2175 * 3: a ticket was successfully decrypted and *psess was set.
2291 * 4: same as 3, but the ticket needs to be renewed. 2176 * 4: same as 3, but the ticket needs to be renewed.
2292 */ 2177 */
2293static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2178static int
2294 const unsigned char *sess_id, int sesslen, 2179tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2295 SSL_SESSION **psess) 2180 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess)
2296 { 2181{
2297 SSL_SESSION *sess; 2182 SSL_SESSION *sess;
2298 unsigned char *sdec; 2183 unsigned char *sdec;
2299 const unsigned char *p; 2184 const unsigned char *p;
@@ -2308,37 +2193,33 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2308 /* Initialize session ticket encryption and HMAC contexts */ 2193 /* Initialize session ticket encryption and HMAC contexts */
2309 HMAC_CTX_init(&hctx); 2194 HMAC_CTX_init(&hctx);
2310 EVP_CIPHER_CTX_init(&ctx); 2195 EVP_CIPHER_CTX_init(&ctx);
2311 if (tctx->tlsext_ticket_key_cb) 2196 if (tctx->tlsext_ticket_key_cb) {
2312 {
2313 unsigned char *nctick = (unsigned char *)etick; 2197 unsigned char *nctick = (unsigned char *)etick;
2314 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2198 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2315 &ctx, &hctx, 0); 2199 &ctx, &hctx, 0);
2316 if (rv < 0) 2200 if (rv < 0)
2317 return -1; 2201 return -1;
2318 if (rv == 0) 2202 if (rv == 0)
2319 return 2; 2203 return 2;
2320 if (rv == 2) 2204 if (rv == 2)
2321 renew_ticket = 1; 2205 renew_ticket = 1;
2322 } 2206 } else {
2323 else
2324 {
2325 /* Check key name matches */ 2207 /* Check key name matches */
2326 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2208 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2327 return 2; 2209 return 2;
2328 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2210 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2329 tlsext_tick_md(), NULL); 2211 tlsext_tick_md(), NULL);
2330 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2212 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2331 tctx->tlsext_tick_aes_key, etick + 16); 2213 tctx->tlsext_tick_aes_key, etick + 16);
2332 } 2214 }
2333 /* Attempt to process session ticket, first conduct sanity and 2215 /* Attempt to process session ticket, first conduct sanity and
2334 * integrity checks on ticket. 2216 * integrity checks on ticket.
2335 */ 2217 */
2336 mlen = HMAC_size(&hctx); 2218 mlen = HMAC_size(&hctx);
2337 if (mlen < 0) 2219 if (mlen < 0) {
2338 {
2339 EVP_CIPHER_CTX_cleanup(&ctx); 2220 EVP_CIPHER_CTX_cleanup(&ctx);
2340 return -1; 2221 return -1;
2341 } 2222 }
2342 eticklen -= mlen; 2223 eticklen -= mlen;
2343 /* Check HMAC of encrypted ticket */ 2224 /* Check HMAC of encrypted ticket */
2344 HMAC_Update(&hctx, etick, eticklen); 2225 HMAC_Update(&hctx, etick, eticklen);
@@ -2351,11 +2232,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2351 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2232 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2352 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2233 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2353 sdec = OPENSSL_malloc(eticklen); 2234 sdec = OPENSSL_malloc(eticklen);
2354 if (!sdec) 2235 if (!sdec) {
2355 {
2356 EVP_CIPHER_CTX_cleanup(&ctx); 2236 EVP_CIPHER_CTX_cleanup(&ctx);
2357 return -1; 2237 return -1;
2358 } 2238 }
2359 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2239 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2360 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 2240 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2361 return 2; 2241 return 2;
@@ -2365,8 +2245,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2365 2245
2366 sess = d2i_SSL_SESSION(NULL, &p, slen); 2246 sess = d2i_SSL_SESSION(NULL, &p, slen);
2367 OPENSSL_free(sdec); 2247 OPENSSL_free(sdec);
2368 if (sess) 2248 if (sess) {
2369 {
2370 /* The session ID, if non-empty, is used by some clients to 2249 /* The session ID, if non-empty, is used by some clients to
2371 * detect that the ticket has been accepted. So we copy it to 2250 * detect that the ticket has been accepted. So we copy it to
2372 * the session structure. If it is empty set length to zero 2251 * the session structure. If it is empty set length to zero
@@ -2380,20 +2259,19 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2380 return 4; 2259 return 4;
2381 else 2260 else
2382 return 3; 2261 return 3;
2383 } 2262 }
2384 ERR_clear_error(); 2263 ERR_clear_error();
2385 /* For session parse failure, indicate that we need to send a new 2264 /* For session parse failure, indicate that we need to send a new
2386 * ticket. */ 2265 * ticket. */
2387 return 2; 2266 return 2;
2388 } 2267}
2389 2268
2390/* Tables to translate from NIDs to TLS v1.2 ids */ 2269/* Tables to translate from NIDs to TLS v1.2 ids */
2391 2270
2392typedef struct 2271typedef struct {
2393 {
2394 int nid; 2272 int nid;
2395 int id; 2273 int id;
2396 } tls12_lookup; 2274} tls12_lookup;
2397 2275
2398static tls12_lookup tls12_md[] = { 2276static tls12_lookup tls12_md[] = {
2399#ifndef OPENSSL_NO_MD5 2277#ifndef OPENSSL_NO_MD5
@@ -2424,36 +2302,37 @@ static tls12_lookup tls12_sig[] = {
2424#endif 2302#endif
2425}; 2303};
2426 2304
2427static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2305static int
2428 { 2306tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2307{
2429 size_t i; 2308 size_t i;
2430 for (i = 0; i < tlen; i++) 2309 for (i = 0; i < tlen; i++) {
2431 {
2432 if (table[i].nid == nid) 2310 if (table[i].nid == nid)
2433 return table[i].id; 2311 return table[i].id;
2434 }
2435 return -1;
2436 } 2312 }
2313 return -1;
2314}
2437#if 0 2315#if 0
2438static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) 2316static int
2439 { 2317tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2318{
2440 size_t i; 2319 size_t i;
2441 for (i = 0; i < tlen; i++) 2320 for (i = 0; i < tlen; i++) {
2442 {
2443 if (table[i].id == id) 2321 if (table[i].id == id)
2444 return table[i].nid; 2322 return table[i].nid;
2445 }
2446 return -1;
2447 } 2323 }
2324 return -1;
2325}
2448#endif 2326#endif
2449 2327
2450int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2328int
2451 { 2329tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2330{
2452 int sig_id, md_id; 2331 int sig_id, md_id;
2453 if (!md) 2332 if (!md)
2454 return 0; 2333 return 0;
2455 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2334 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2456 sizeof(tls12_md)/sizeof(tls12_lookup)); 2335 sizeof(tls12_md)/sizeof(tls12_lookup));
2457 if (md_id == -1) 2336 if (md_id == -1)
2458 return 0; 2337 return 0;
2459 sig_id = tls12_get_sigid(pk); 2338 sig_id = tls12_get_sigid(pk);
@@ -2462,46 +2341,48 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2462 p[0] = (unsigned char)md_id; 2341 p[0] = (unsigned char)md_id;
2463 p[1] = (unsigned char)sig_id; 2342 p[1] = (unsigned char)sig_id;
2464 return 1; 2343 return 1;
2465 } 2344}
2466 2345
2467int tls12_get_sigid(const EVP_PKEY *pk) 2346int
2468 { 2347tls12_get_sigid(const EVP_PKEY *pk)
2348{
2469 return tls12_find_id(pk->type, tls12_sig, 2349 return tls12_find_id(pk->type, tls12_sig,
2470 sizeof(tls12_sig)/sizeof(tls12_lookup)); 2350 sizeof(tls12_sig)/sizeof(tls12_lookup));
2471 } 2351}
2472 2352
2473const EVP_MD *tls12_get_hash(unsigned char hash_alg) 2353const EVP_MD
2474 { 2354*tls12_get_hash(unsigned char hash_alg)
2475 switch(hash_alg) 2355{
2476 { 2356 switch (hash_alg) {
2477#ifndef OPENSSL_NO_SHA 2357#ifndef OPENSSL_NO_SHA
2478 case TLSEXT_hash_sha1: 2358 case TLSEXT_hash_sha1:
2479 return EVP_sha1(); 2359 return EVP_sha1();
2480#endif 2360#endif
2481#ifndef OPENSSL_NO_SHA256 2361#ifndef OPENSSL_NO_SHA256
2482 case TLSEXT_hash_sha224: 2362 case TLSEXT_hash_sha224:
2483 return EVP_sha224(); 2363 return EVP_sha224();
2484 2364
2485 case TLSEXT_hash_sha256: 2365 case TLSEXT_hash_sha256:
2486 return EVP_sha256(); 2366 return EVP_sha256();
2487#endif 2367#endif
2488#ifndef OPENSSL_NO_SHA512 2368#ifndef OPENSSL_NO_SHA512
2489 case TLSEXT_hash_sha384: 2369 case TLSEXT_hash_sha384:
2490 return EVP_sha384(); 2370 return EVP_sha384();
2491 2371
2492 case TLSEXT_hash_sha512: 2372 case TLSEXT_hash_sha512:
2493 return EVP_sha512(); 2373 return EVP_sha512();
2494#endif 2374#endif
2495 default: 2375 default:
2496 return NULL; 2376 return NULL;
2497 2377
2498 }
2499 } 2378 }
2379}
2500 2380
2501/* Set preferred digest for each key type */ 2381/* Set preferred digest for each key type */
2502 2382
2503int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2383int
2504 { 2384tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2385{
2505 int i, idx; 2386 int i, idx;
2506 const EVP_MD *md; 2387 const EVP_MD *md;
2507 CERT *c = s->cert; 2388 CERT *c = s->cert;
@@ -2517,44 +2398,40 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2517 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2398 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2518 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2399 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2519 2400
2520 for (i = 0; i < dsize; i += 2) 2401 for (i = 0; i < dsize; i += 2) {
2521 { 2402 unsigned char hash_alg = data[i], sig_alg = data[i + 1];
2522 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2523 2403
2524 switch(sig_alg) 2404 switch (sig_alg) {
2525 {
2526#ifndef OPENSSL_NO_RSA 2405#ifndef OPENSSL_NO_RSA
2527 case TLSEXT_signature_rsa: 2406 case TLSEXT_signature_rsa:
2528 idx = SSL_PKEY_RSA_SIGN; 2407 idx = SSL_PKEY_RSA_SIGN;
2529 break; 2408 break;
2530#endif 2409#endif
2531#ifndef OPENSSL_NO_DSA 2410#ifndef OPENSSL_NO_DSA
2532 case TLSEXT_signature_dsa: 2411 case TLSEXT_signature_dsa:
2533 idx = SSL_PKEY_DSA_SIGN; 2412 idx = SSL_PKEY_DSA_SIGN;
2534 break; 2413 break;
2535#endif 2414#endif
2536#ifndef OPENSSL_NO_ECDSA 2415#ifndef OPENSSL_NO_ECDSA
2537 case TLSEXT_signature_ecdsa: 2416 case TLSEXT_signature_ecdsa:
2538 idx = SSL_PKEY_ECC; 2417 idx = SSL_PKEY_ECC;
2539 break; 2418 break;
2540#endif 2419#endif
2541 default: 2420 default:
2542 continue; 2421 continue;
2543 } 2422 }
2544 2423
2545 if (c->pkeys[idx].digest == NULL) 2424 if (c->pkeys[idx].digest == NULL) {
2546 {
2547 md = tls12_get_hash(hash_alg); 2425 md = tls12_get_hash(hash_alg);
2548 if (md) 2426 if (md) {
2549 {
2550 c->pkeys[idx].digest = md; 2427 c->pkeys[idx].digest = md;
2551 if (idx == SSL_PKEY_RSA_SIGN) 2428 if (idx == SSL_PKEY_RSA_SIGN)
2552 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2429 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2553 }
2554 } 2430 }
2555
2556 } 2431 }
2557 2432
2433 }
2434
2558 2435
2559 /* Set any remaining keys to default values. NOTE: if alg is not 2436 /* Set any remaining keys to default values. NOTE: if alg is not
2560 * supported it stays as NULL. 2437 * supported it stays as NULL.
@@ -2564,25 +2441,24 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2564 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2441 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2565#endif 2442#endif
2566#ifndef OPENSSL_NO_RSA 2443#ifndef OPENSSL_NO_RSA
2567 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) 2444 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2568 {
2569 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2445 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2570 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2446 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2571 } 2447 }
2572#endif 2448#endif
2573#ifndef OPENSSL_NO_ECDSA 2449#ifndef OPENSSL_NO_ECDSA
2574 if (!c->pkeys[SSL_PKEY_ECC].digest) 2450 if (!c->pkeys[SSL_PKEY_ECC].digest)
2575 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2451 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2576#endif 2452#endif
2577 return 1; 2453 return 1;
2578 } 2454}
2579 2455
2580#endif 2456#endif
2581 2457
2582#ifndef OPENSSL_NO_HEARTBEATS 2458#ifndef OPENSSL_NO_HEARTBEATS
2583int 2459int
2584tls1_process_heartbeat(SSL *s) 2460tls1_process_heartbeat(SSL *s)
2585 { 2461{
2586 unsigned char *p = &s->s3->rrec.data[0], *pl; 2462 unsigned char *p = &s->s3->rrec.data[0], *pl;
2587 unsigned short hbtype; 2463 unsigned short hbtype;
2588 unsigned int payload; 2464 unsigned int payload;
@@ -2590,8 +2466,8 @@ tls1_process_heartbeat(SSL *s)
2590 2466
2591 if (s->msg_callback) 2467 if (s->msg_callback)
2592 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 2468 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2593 &s->s3->rrec.data[0], s->s3->rrec.length, 2469 &s->s3->rrec.data[0], s->s3->rrec.length,
2594 s, s->msg_callback_arg); 2470 s, s->msg_callback_arg);
2595 2471
2596 /* Read type and payload length first */ 2472 /* Read type and payload length first */
2597 if (1 + 2 + 16 > s->s3->rrec.length) 2473 if (1 + 2 + 16 > s->s3->rrec.length)
@@ -2602,8 +2478,7 @@ tls1_process_heartbeat(SSL *s)
2602 return 0; /* silently discard per RFC 6520 sec. 4 */ 2478 return 0; /* silently discard per RFC 6520 sec. 4 */
2603 pl = p; 2479 pl = p;
2604 2480
2605 if (hbtype == TLS1_HB_REQUEST) 2481 if (hbtype == TLS1_HB_REQUEST) {
2606 {
2607 unsigned char *buffer, *bp; 2482 unsigned char *buffer, *bp;
2608 int r; 2483 int r;
2609 2484
@@ -2613,7 +2488,7 @@ tls1_process_heartbeat(SSL *s)
2613 */ 2488 */
2614 buffer = OPENSSL_malloc(1 + 2 + payload + padding); 2489 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2615 bp = buffer; 2490 bp = buffer;
2616 2491
2617 /* Enter response type, length and copy payload */ 2492 /* Enter response type, length and copy payload */
2618 *bp++ = TLS1_HB_RESPONSE; 2493 *bp++ = TLS1_HB_RESPONSE;
2619 s2n(payload, bp); 2494 s2n(payload, bp);
@@ -2626,36 +2501,33 @@ tls1_process_heartbeat(SSL *s)
2626 2501
2627 if (r >= 0 && s->msg_callback) 2502 if (r >= 0 && s->msg_callback)
2628 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2503 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2629 buffer, 3 + payload + padding, 2504 buffer, 3 + payload + padding,
2630 s, s->msg_callback_arg); 2505 s, s->msg_callback_arg);
2631 2506
2632 OPENSSL_free(buffer); 2507 OPENSSL_free(buffer);
2633 2508
2634 if (r < 0) 2509 if (r < 0)
2635 return r; 2510 return r;
2636 } 2511 } else if (hbtype == TLS1_HB_RESPONSE) {
2637 else if (hbtype == TLS1_HB_RESPONSE)
2638 {
2639 unsigned int seq; 2512 unsigned int seq;
2640 2513
2641 /* We only send sequence numbers (2 bytes unsigned int), 2514 /* We only send sequence numbers (2 bytes unsigned int),
2642 * and 16 random bytes, so we just try to read the 2515 * and 16 random bytes, so we just try to read the
2643 * sequence number */ 2516 * sequence number */
2644 n2s(pl, seq); 2517 n2s(pl, seq);
2645 2518
2646 if (payload == 18 && seq == s->tlsext_hb_seq) 2519 if (payload == 18 && seq == s->tlsext_hb_seq) {
2647 {
2648 s->tlsext_hb_seq++; 2520 s->tlsext_hb_seq++;
2649 s->tlsext_hb_pending = 0; 2521 s->tlsext_hb_pending = 0;
2650 }
2651 } 2522 }
2523 }
2652 2524
2653 return 0; 2525 return 0;
2654 } 2526}
2655 2527
2656int 2528int
2657tls1_heartbeat(SSL *s) 2529tls1_heartbeat(SSL *s)
2658 { 2530{
2659 unsigned char *buf, *p; 2531 unsigned char *buf, *p;
2660 int ret; 2532 int ret;
2661 unsigned int payload = 18; /* Sequence number + random bytes */ 2533 unsigned int payload = 18; /* Sequence number + random bytes */
@@ -2663,26 +2535,23 @@ tls1_heartbeat(SSL *s)
2663 2535
2664 /* Only send if peer supports and accepts HB requests... */ 2536 /* Only send if peer supports and accepts HB requests... */
2665 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || 2537 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2666 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) 2538 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
2667 { 2539 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2668 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2669 return -1; 2540 return -1;
2670 } 2541 }
2671 2542
2672 /* ...and there is none in flight yet... */ 2543 /* ...and there is none in flight yet... */
2673 if (s->tlsext_hb_pending) 2544 if (s->tlsext_hb_pending) {
2674 { 2545 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
2675 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2676 return -1; 2546 return -1;
2677 } 2547 }
2678 2548
2679 /* ...and no handshake in progress. */ 2549 /* ...and no handshake in progress. */
2680 if (SSL_in_init(s) || s->in_handshake) 2550 if (SSL_in_init(s) || s->in_handshake) {
2681 { 2551 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
2682 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2683 return -1; 2552 return -1;
2684 } 2553 }
2685 2554
2686 /* Check if padding is too long, payload and padding 2555 /* Check if padding is too long, payload and padding
2687 * must not exceed 2^14 - 3 = 16381 bytes in total. 2556 * must not exceed 2^14 - 3 = 16381 bytes in total.
2688 */ 2557 */
@@ -2712,18 +2581,17 @@ tls1_heartbeat(SSL *s)
2712 RAND_pseudo_bytes(p, padding); 2581 RAND_pseudo_bytes(p, padding);
2713 2582
2714 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 2583 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2715 if (ret >= 0) 2584 if (ret >= 0) {
2716 {
2717 if (s->msg_callback) 2585 if (s->msg_callback)
2718 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2586 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2719 buf, 3 + payload + padding, 2587 buf, 3 + payload + padding,
2720 s, s->msg_callback_arg); 2588 s, s->msg_callback_arg);
2721 2589
2722 s->tlsext_hb_pending = 1; 2590 s->tlsext_hb_pending = 1;
2723 } 2591 }
2724 2592
2725 OPENSSL_free(buf); 2593 OPENSSL_free(buf);
2726 2594
2727 return ret; 2595 return ret;
2728 } 2596}
2729#endif 2597#endif
diff --git a/src/lib/libssl/t1_meth.c b/src/lib/libssl/t1_meth.c
index 53c807de28..ab2d789e59 100644
--- a/src/lib/libssl/t1_meth.c
+++ b/src/lib/libssl/t1_meth.c
@@ -60,8 +60,9 @@
60#include <openssl/objects.h> 60#include <openssl/objects.h>
61#include "ssl_locl.h" 61#include "ssl_locl.h"
62 62
63static const SSL_METHOD *tls1_get_method(int ver) 63static const SSL_METHOD
64 { 64*tls1_get_method(int ver)
65{
65 if (ver == TLS1_2_VERSION) 66 if (ver == TLS1_2_VERSION)
66 return TLSv1_2_method(); 67 return TLSv1_2_method();
67 if (ver == TLS1_1_VERSION) 68 if (ver == TLS1_1_VERSION)
@@ -69,20 +70,13 @@ static const SSL_METHOD *tls1_get_method(int ver)
69 if (ver == TLS1_VERSION) 70 if (ver == TLS1_VERSION)
70 return TLSv1_method(); 71 return TLSv1_method();
71 return NULL; 72 return NULL;
72 } 73}
73 74
74IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_method, 75IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_method,
75 ssl3_accept, 76 ssl3_accept, ssl3_connect, tls1_get_method)
76 ssl3_connect,
77 tls1_get_method)
78 77
79IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_method, 78IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_method,
80 ssl3_accept, 79 ssl3_accept, ssl3_connect, tls1_get_method)
81 ssl3_connect,
82 tls1_get_method)
83 80
84IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_method, 81IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_method,
85 ssl3_accept, 82 ssl3_accept, ssl3_connect, tls1_get_method)
86 ssl3_connect,
87 tls1_get_method)
88
diff --git a/src/lib/libssl/t1_reneg.c b/src/lib/libssl/t1_reneg.c
index 9c2cc3c712..86e0e61ffb 100644
--- a/src/lib/libssl/t1_reneg.c
+++ b/src/lib/libssl/t1_reneg.c
@@ -113,180 +113,170 @@
113#include "ssl_locl.h" 113#include "ssl_locl.h"
114 114
115/* Add the client's renegotiation binding */ 115/* Add the client's renegotiation binding */
116int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, 116int
117 int maxlen) 117ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
118 { 118 int maxlen)
119 if(p) 119{
120 { 120 if (p) {
121 if((s->s3->previous_client_finished_len+1) > maxlen) 121 if ((s->s3->previous_client_finished_len + 1) > maxlen) {
122 { 122 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATE_EXT_TOO_LONG);
123 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG); 123 return 0;
124 return 0; 124 }
125 }
126
127 /* Length byte */
128 *p = s->s3->previous_client_finished_len;
129 p++;
130 125
131 memcpy(p, s->s3->previous_client_finished, 126 /* Length byte */
132 s->s3->previous_client_finished_len); 127 *p = s->s3->previous_client_finished_len;
128 p++;
129
130 memcpy(p, s->s3->previous_client_finished,
131 s->s3->previous_client_finished_len);
133#ifdef OPENSSL_RI_DEBUG 132#ifdef OPENSSL_RI_DEBUG
134 fprintf(stderr, "%s RI extension sent by client\n", 133 fprintf(stderr, "%s RI extension sent by client\n",
135 s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); 134 s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
136#endif 135#endif
137 } 136 }
138 137
139 *len=s->s3->previous_client_finished_len + 1; 138 *len = s->s3->previous_client_finished_len + 1;
140 139
141 140 return 1;
142 return 1; 141}
143 }
144 142
145/* Parse the client's renegotiation binding and abort if it's not 143/* Parse the client's renegotiation binding and abort if it's not
146 right */ 144 right */
147int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, 145int
148 int *al) 146ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
149 { 147 int *al)
150 int ilen; 148{
149 int ilen;
150
151 /* Parse the length byte */
152 if (len < 1) {
153 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR);
154 *al = SSL_AD_ILLEGAL_PARAMETER;
155 return 0;
156 }
157 ilen = *d;
158 d++;
151 159
152 /* Parse the length byte */ 160 /* Consistency check */
153 if(len < 1) 161 if ((ilen + 1) != len) {
154 { 162 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR);
155 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); 163 *al = SSL_AD_ILLEGAL_PARAMETER;
156 *al=SSL_AD_ILLEGAL_PARAMETER; 164 return 0;
157 return 0; 165 }
158 }
159 ilen = *d;
160 d++;
161 166
162 /* Consistency check */ 167 /* Check that the extension matches */
163 if((ilen+1) != len) 168 if (ilen != s->s3->previous_client_finished_len) {
164 { 169 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH);
165 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); 170 *al = SSL_AD_HANDSHAKE_FAILURE;
166 *al=SSL_AD_ILLEGAL_PARAMETER; 171 return 0;
167 return 0; 172 }
168 }
169 173
170 /* Check that the extension matches */ 174 if (memcmp(d, s->s3->previous_client_finished,
171 if(ilen != s->s3->previous_client_finished_len) 175 s->s3->previous_client_finished_len)) {
172 { 176 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH);
173 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); 177 *al = SSL_AD_HANDSHAKE_FAILURE;
174 *al=SSL_AD_HANDSHAKE_FAILURE; 178 return 0;
175 return 0; 179 }
176 }
177
178 if(memcmp(d, s->s3->previous_client_finished,
179 s->s3->previous_client_finished_len))
180 {
181 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
182 *al=SSL_AD_HANDSHAKE_FAILURE;
183 return 0;
184 }
185#ifdef OPENSSL_RI_DEBUG 180#ifdef OPENSSL_RI_DEBUG
186 fprintf(stderr, "%s RI extension received by server\n", 181 fprintf(stderr, "%s RI extension received by server\n",
187 ilen ? "Non-empty" : "Empty"); 182 ilen ? "Non-empty" : "Empty");
188#endif 183#endif
189 184
190 s->s3->send_connection_binding=1; 185 s->s3->send_connection_binding = 1;
191 186
192 return 1; 187 return 1;
193 } 188}
194 189
195/* Add the server's renegotiation binding */ 190/* Add the server's renegotiation binding */
196int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, 191int
197 int maxlen) 192ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
198 { 193 int maxlen)
199 if(p) 194{
200 { 195 if (p) {
201 if((s->s3->previous_client_finished_len + 196 if ((s->s3->previous_client_finished_len +
202 s->s3->previous_server_finished_len + 1) > maxlen) 197 s->s3->previous_server_finished_len + 1) > maxlen) {
203 { 198 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATE_EXT_TOO_LONG);
204 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG); 199 return 0;
205 return 0; 200 }
206 }
207
208 /* Length byte */
209 *p = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len;
210 p++;
211 201
212 memcpy(p, s->s3->previous_client_finished, 202 /* Length byte */
213 s->s3->previous_client_finished_len); 203 *p = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len;
214 p += s->s3->previous_client_finished_len; 204 p++;
215 205
216 memcpy(p, s->s3->previous_server_finished, 206 memcpy(p, s->s3->previous_client_finished,
217 s->s3->previous_server_finished_len); 207 s->s3->previous_client_finished_len);
208 p += s->s3->previous_client_finished_len;
209
210 memcpy(p, s->s3->previous_server_finished,
211 s->s3->previous_server_finished_len);
218#ifdef OPENSSL_RI_DEBUG 212#ifdef OPENSSL_RI_DEBUG
219 fprintf(stderr, "%s RI extension sent by server\n", 213 fprintf(stderr, "%s RI extension sent by server\n",
220 s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); 214 s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
221#endif 215#endif
222 } 216 }
223 217
224 *len=s->s3->previous_client_finished_len 218 *len = s->s3->previous_client_finished_len
225 + s->s3->previous_server_finished_len + 1; 219 + s->s3->previous_server_finished_len + 1;
226 220
227 return 1; 221 return 1;
228 } 222}
229 223
230/* Parse the server's renegotiation binding and abort if it's not 224/* Parse the server's renegotiation binding and abort if it's not
231 right */ 225 right */
232int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len, 226int
233 int *al) 227ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len,
234 { 228 int *al)
235 int expected_len=s->s3->previous_client_finished_len 229{
230 int expected_len = s->s3->previous_client_finished_len
236 + s->s3->previous_server_finished_len; 231 + s->s3->previous_server_finished_len;
237 int ilen; 232 int ilen;
233
234 /* Check for logic errors */
235 OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len);
236 OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len);
237
238 /* Parse the length byte */
239 if (len < 1) {
240 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR);
241 *al = SSL_AD_ILLEGAL_PARAMETER;
242 return 0;
243 }
244 ilen = *d;
245 d++;
238 246
239 /* Check for logic errors */ 247 /* Consistency check */
240 OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len); 248 if (ilen + 1 != len) {
241 OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len); 249 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR);
242 250 *al = SSL_AD_ILLEGAL_PARAMETER;
243 /* Parse the length byte */ 251 return 0;
244 if(len < 1) 252 }
245 {
246 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR);
247 *al=SSL_AD_ILLEGAL_PARAMETER;
248 return 0;
249 }
250 ilen = *d;
251 d++;
252 253
253 /* Consistency check */ 254 /* Check that the extension matches */
254 if(ilen+1 != len) 255 if (ilen != expected_len) {
255 { 256 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH);
256 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); 257 *al = SSL_AD_HANDSHAKE_FAILURE;
257 *al=SSL_AD_ILLEGAL_PARAMETER; 258 return 0;
258 return 0; 259 }
259 }
260
261 /* Check that the extension matches */
262 if(ilen != expected_len)
263 {
264 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH);
265 *al=SSL_AD_HANDSHAKE_FAILURE;
266 return 0;
267 }
268 260
269 if(memcmp(d, s->s3->previous_client_finished, 261 if (memcmp(d, s->s3->previous_client_finished,
270 s->s3->previous_client_finished_len)) 262 s->s3->previous_client_finished_len)) {
271 { 263 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH);
272 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); 264 *al = SSL_AD_HANDSHAKE_FAILURE;
273 *al=SSL_AD_HANDSHAKE_FAILURE; 265 return 0;
274 return 0; 266 }
275 } 267 d += s->s3->previous_client_finished_len;
276 d += s->s3->previous_client_finished_len;
277 268
278 if(memcmp(d, s->s3->previous_server_finished, 269 if (memcmp(d, s->s3->previous_server_finished,
279 s->s3->previous_server_finished_len)) 270 s->s3->previous_server_finished_len)) {
280 { 271 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH);
281 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); 272 *al = SSL_AD_ILLEGAL_PARAMETER;
282 *al=SSL_AD_ILLEGAL_PARAMETER; 273 return 0;
283 return 0; 274 }
284 }
285#ifdef OPENSSL_RI_DEBUG 275#ifdef OPENSSL_RI_DEBUG
286 fprintf(stderr, "%s RI extension received by client\n", 276 fprintf(stderr, "%s RI extension received by client\n",
287 ilen ? "Non-empty" : "Empty"); 277 ilen ? "Non-empty" : "Empty");
288#endif 278#endif
289 s->s3->send_connection_binding=1; 279 s->s3->send_connection_binding = 1;
290 280
291 return 1; 281 return 1;
292 } 282}
diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c
index f1d1565769..776bcabc46 100644
--- a/src/lib/libssl/t1_srvr.c
+++ b/src/lib/libssl/t1_srvr.c
@@ -65,8 +65,10 @@
65#include <openssl/x509.h> 65#include <openssl/x509.h>
66 66
67static const SSL_METHOD *tls1_get_server_method(int ver); 67static const SSL_METHOD *tls1_get_server_method(int ver);
68static const SSL_METHOD *tls1_get_server_method(int ver) 68
69 { 69static const SSL_METHOD
70*tls1_get_server_method(int ver)
71{
70 if (ver == TLS1_2_VERSION) 72 if (ver == TLS1_2_VERSION)
71 return TLSv1_2_server_method(); 73 return TLSv1_2_server_method();
72 if (ver == TLS1_1_VERSION) 74 if (ver == TLS1_1_VERSION)
@@ -74,20 +76,13 @@ static const SSL_METHOD *tls1_get_server_method(int ver)
74 if (ver == TLS1_VERSION) 76 if (ver == TLS1_VERSION)
75 return TLSv1_server_method(); 77 return TLSv1_server_method();
76 return NULL; 78 return NULL;
77 } 79}
78 80
79IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_server_method, 81IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_server_method,
80 ssl3_accept, 82 ssl3_accept, ssl_undefined_function, tls1_get_server_method)
81 ssl_undefined_function,
82 tls1_get_server_method)
83 83
84IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_server_method, 84IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_server_method,
85 ssl3_accept, 85 ssl3_accept, ssl_undefined_function, tls1_get_server_method)
86 ssl_undefined_function,
87 tls1_get_server_method)
88 86
89IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_server_method, 87IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_server_method,
90 ssl3_accept, 88 ssl3_accept, ssl_undefined_function, tls1_get_server_method)
91 ssl_undefined_function,
92 tls1_get_server_method)
93
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-27 16:29:43 +0000