1 files changed, 34 insertions, 139 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index eb2314ac26..e3046fec09 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.117 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.118 2017/07/16 18:14:37 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -117,7 +117,9 @@
 #include <openssl/ocsp.h>
 #include "ssl_locl.h"
 #include "bytestring.h"
+#include "ssl_tlsext.h"
 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
    const unsigned char *sess_id, int sesslen,
@@ -678,6 +680,8 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
        int extdatalen = 0;
        unsigned char *ret = p;
        int using_ecc = 0;
+        size_t len;
+        CBB cbb;
        /* See if we support any ECC ciphersuites. */
        if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) {
@@ -699,43 +703,21 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
        }
        ret += 2;
        if (ret >= limit)
                return NULL; /* this really never occurs, but ... */
-        if (s->tlsext_hostname != NULL) {
+        CBB_init_fixed(&cbb, ret, limit - ret);
-                /* Add TLS extension servername to the Client Hello message */
+        if (!tlsext_clienthello_build(s, &cbb)) {
-                size_t size_str, lenmax;
+                CBB_cleanup(&cbb);
+                return NULL;
-                /* check for enough space.
+        }
-                   4 for the servername type and extension length
+        if (!CBB_finish(&cbb, NULL, &len)) {
-                   2 for servernamelist length
+                CBB_cleanup(&cbb);
-                   1 for the hostname type
+                return NULL;
-                   2 for hostname length
-                   + hostname length
-                */
-                if ((size_t)(limit - ret) < 9)
-                        return NULL;
-                lenmax = limit - ret - 9;
-                if ((size_str = strlen(s->tlsext_hostname)) > lenmax)
-                        return NULL;
-                /* extension type and length */
-                s2n(TLSEXT_TYPE_server_name, ret);
-                s2n(size_str + 5, ret);
-                /* length of servername list */
-                s2n(size_str + 3, ret);
-                /* hostname type, length and hostname */
-                *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
-                s2n(size_str, ret);
-                memcpy(ret, s->tlsext_hostname, size_str);
-                ret += size_str;
        }
+        if (len > (limit - ret))
+                return NULL;
+        ret += len;
        /* Add RI if renegotiating */
        if (s->internal->renegotiate) {
@@ -997,6 +979,8 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
        unsigned long alg_a, alg_k;
        unsigned char *ret = p;
        int next_proto_neg_seen;
+        size_t len;
+        CBB cbb;
        alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
        alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
@@ -1007,14 +991,18 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
        if (ret >= limit)
                return NULL; /* this really never occurs, but ... */
-        if (!s->internal->hit && s->internal->servername_done == 1 &&
+        CBB_init_fixed(&cbb, ret, limit - ret);
-            s->session->tlsext_hostname != NULL) {
+        if (!tlsext_serverhello_build(s, &cbb)) {
-                if ((size_t)(limit - ret) < 4)
+                CBB_cleanup(&cbb);
-                        return NULL;
+                return NULL;
-                s2n(TLSEXT_TYPE_server_name, ret);
-                s2n(0, ret);
        }
+        if (!CBB_finish(&cbb, NULL, &len)) {
+                CBB_cleanup(&cbb);
+                return NULL;
+        }
+        if (len > (limit - ret))
+                return NULL;
+        ret += len;
        if (S3I(s)->send_connection_binding) {
                int el;
@@ -1241,6 +1229,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
        unsigned char *end = d + n;
        int renegotiate_seen = 0;
        int sigalg_seen = 0;
+        CBS cbs;
        s->internal->servername_done = 0;
        s->tlsext_status_type = -1;
@@ -1269,106 +1258,12 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                if (s->internal->tlsext_debug_cb)
                        s->internal->tlsext_debug_cb(s, 0, type, data, size,
                            s->internal->tlsext_debug_arg);
-/* The servername extension is treated as follows:
-   - Only the hostname type is supported with a maximum length of 255.
-   - The servername is rejected if too long or if it contains zeros,
-     in which case an fatal alert is generated.
-   - The servername field is maintained together with the session cache.
-   - When a session is resumed, the servername call back invoked in order
-     to allow the application to position itself to the right context.
-   - The servername is acknowledged if it is new for a session or when
-     it is identical to a previously used for the same session.
-     Applications can control the behaviour.  They can at any time
-     set a 'desirable' servername for a new SSL object. This can be the
-     case for example with HTTPS when a Host: header field is received and
-     a renegotiation is requested. In this case, a possible servername
-     presented in the new client hello is only acknowledged if it matches
-     the value of the Host: field.
-   - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-     if they provide for changing an explicit servername context for the session,
-     i.e. when the session has been established with a servername extension.
-   - On session reconnect, the servername extension may be absent.
-*/
-                if (type == TLSEXT_TYPE_server_name) {
-                        unsigned char *sdata;
-                        int servname_type;
-                        int dsize;
-                        if (size < 2) {
+                CBS_init(&cbs, data, size);
-                                *al = SSL_AD_DECODE_ERROR;
+                if (!tlsext_clienthello_parse_one(s, &cbs, type, al))
-                                return 0;
+                        return 0;
-                        }
-                        n2s(data, dsize);
-                        size -= 2;
-                        if (dsize > size) {
-                                *al = SSL_AD_DECODE_ERROR;
-                                return 0;
-                        }
-                        sdata = data;
-                        while (dsize > 3) {
-                                servname_type = *(sdata++);
-                                n2s(sdata, len);
-                                dsize -= 3;
-                                if (len > dsize) {
-                                        *al = SSL_AD_DECODE_ERROR;
-                                        return 0;
-                                }
-                                if (s->internal->servername_done == 0)
-                                        switch (servname_type) {
-                                        case TLSEXT_NAMETYPE_host_name:
-                                                if (!s->internal->hit) {
-                                                        if (s->session->tlsext_hostname) {
-                                                                *al = SSL_AD_DECODE_ERROR;
-                                                                return 0;
-                                                        }
-                                                        if (len > TLSEXT_MAXLEN_host_name) {
-                                                                *al = TLS1_AD_UNRECOGNIZED_NAME;
-                                                                return 0;
-                                                        }
-                                                        if ((s->session->tlsext_hostname =
-                                                            malloc(len + 1)) == NULL) {
-                                                                *al = TLS1_AD_INTERNAL_ERROR;
-                                                                return 0;
-                                                        }
-                                                        memcpy(s->session->tlsext_hostname, sdata, len);
-                                                        s->session->tlsext_hostname[len] = '\0';
-                                                        if (strlen(s->session->tlsext_hostname) != len) {
-                                                                free(s->session->tlsext_hostname);
-                                                                s->session->tlsext_hostname = NULL;
-                                                                *al = TLS1_AD_UNRECOGNIZED_NAME;
-                                                                return 0;
-                                                        }
-                                                        s->internal->servername_done = 1;
-                                                } else {
-                                                        s->internal->servername_done = s->session->tlsext_hostname &&
-                                                            strlen(s->session->tlsext_hostname) == len &&
-                                                            strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
-                                                }
-                                                break;
-                                        default:
-                                                break;
-                                        }
-                                dsize -= len;
-                        }
-                        if (dsize != 0) {
-                                *al = SSL_AD_DECODE_ERROR;
-                                return 0;
-                        }
-                }
-                else if (type == TLSEXT_TYPE_ec_point_formats &&
+                if (type == TLSEXT_TYPE_ec_point_formats &&
                    s->version != DTLS1_VERSION) {
                        unsigned char *sdata = data;
                        size_t formatslen;

diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index eb2314ac26..e3046fec09 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.117 2017/05/07 04:22:24 beck Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.118 2017/07/16 18:14:37 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -117,7 +117,9 @@
117	#include <openssl/ocsp.h>	117	#include <openssl/ocsp.h>
118		118
119	#include "ssl_locl.h"	119	#include "ssl_locl.h"
		120
120	#include "bytestring.h"	121	#include "bytestring.h"
		122	#include "ssl_tlsext.h"
121		123
122	static int tls_decrypt_ticket(SSL s, const unsigned char tick, int ticklen,	124	static int tls_decrypt_ticket(SSL s, const unsigned char tick, int ticklen,
123	const unsigned char *sess_id, int sesslen,	125	const unsigned char *sess_id, int sesslen,
@@ -678,6 +680,8 @@ ssl_add_clienthello_tlsext(SSL s, unsigned char p, unsigned char *limit)
678	int extdatalen = 0;	680	int extdatalen = 0;
679	unsigned char *ret = p;	681	unsigned char *ret = p;
680	int using_ecc = 0;	682	int using_ecc = 0;
		683	size_t len;
		684	CBB cbb;
681		685
682	/* See if we support any ECC ciphersuites. */	686	/* See if we support any ECC ciphersuites. */
683	if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) {	687	if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) {
@@ -699,43 +703,21 @@ ssl_add_clienthello_tlsext(SSL s, unsigned char p, unsigned char *limit)
699	}	703	}
700		704
701	ret += 2;	705	ret += 2;
702
703	if (ret >= limit)	706	if (ret >= limit)
704	return NULL; /* this really never occurs, but ... */	707	return NULL; /* this really never occurs, but ... */
705		708
706	if (s->tlsext_hostname != NULL) {	709	CBB_init_fixed(&cbb, ret, limit - ret);
707	/* Add TLS extension servername to the Client Hello message */	710	if (!tlsext_clienthello_build(s, &cbb)) {
708	size_t size_str, lenmax;	711	CBB_cleanup(&cbb);
709		712	return NULL;
710	/* check for enough space.	713	}
711	4 for the servername type and extension length	714	if (!CBB_finish(&cbb, NULL, &len)) {
712	2 for servernamelist length	715	CBB_cleanup(&cbb);
713	1 for the hostname type	716	return NULL;
714	2 for hostname length
715	+ hostname length
716	*/
717
718	if ((size_t)(limit - ret) < 9)
719	return NULL;
720
721	lenmax = limit - ret - 9;
722	if ((size_str = strlen(s->tlsext_hostname)) > lenmax)
723	return NULL;
724
725	/* extension type and length */
726	s2n(TLSEXT_TYPE_server_name, ret);
727
728	s2n(size_str + 5, ret);
729
730	/* length of servername list */
731	s2n(size_str + 3, ret);
732
733	/* hostname type, length and hostname */
734	*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
735	s2n(size_str, ret);
736	memcpy(ret, s->tlsext_hostname, size_str);
737	ret += size_str;
738	}	717	}
		718	if (len > (limit - ret))
		719	return NULL;
		720	ret += len;
739		721
740	/* Add RI if renegotiating */	722	/* Add RI if renegotiating */
741	if (s->internal->renegotiate) {	723	if (s->internal->renegotiate) {
@@ -997,6 +979,8 @@ ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char *limit)
997	unsigned long alg_a, alg_k;	979	unsigned long alg_a, alg_k;
998	unsigned char *ret = p;	980	unsigned char *ret = p;
999	int next_proto_neg_seen;	981	int next_proto_neg_seen;
		982	size_t len;
		983	CBB cbb;
1000		984
1001	alg_a = S3I(s)->hs.new_cipher->algorithm_auth;	985	alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
1002	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;	986	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
@@ -1007,14 +991,18 @@ ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char *limit)
1007	if (ret >= limit)	991	if (ret >= limit)
1008	return NULL; /* this really never occurs, but ... */	992	return NULL; /* this really never occurs, but ... */
1009		993
1010	if (!s->internal->hit && s->internal->servername_done == 1 &&	994	CBB_init_fixed(&cbb, ret, limit - ret);
1011	s->session->tlsext_hostname != NULL) {	995	if (!tlsext_serverhello_build(s, &cbb)) {
1012	if ((size_t)(limit - ret) < 4)	996	CBB_cleanup(&cbb);
1013	return NULL;	997	return NULL;
1014
1015	s2n(TLSEXT_TYPE_server_name, ret);
1016	s2n(0, ret);
1017	}	998	}
		999	if (!CBB_finish(&cbb, NULL, &len)) {
		1000	CBB_cleanup(&cbb);
		1001	return NULL;
		1002	}
		1003	if (len > (limit - ret))
		1004	return NULL;
		1005	ret += len;
1018		1006
1019	if (S3I(s)->send_connection_binding) {	1007	if (S3I(s)->send_connection_binding) {
1020	int el;	1008	int el;
@@ -1241,6 +1229,7 @@ ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1241	unsigned char *end = d + n;	1229	unsigned char *end = d + n;
1242	int renegotiate_seen = 0;	1230	int renegotiate_seen = 0;
1243	int sigalg_seen = 0;	1231	int sigalg_seen = 0;
		1232	CBS cbs;
1244		1233
1245	s->internal->servername_done = 0;	1234	s->internal->servername_done = 0;
1246	s->tlsext_status_type = -1;	1235	s->tlsext_status_type = -1;
@@ -1269,106 +1258,12 @@ ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1269	if (s->internal->tlsext_debug_cb)	1258	if (s->internal->tlsext_debug_cb)
1270	s->internal->tlsext_debug_cb(s, 0, type, data, size,	1259	s->internal->tlsext_debug_cb(s, 0, type, data, size,
1271	s->internal->tlsext_debug_arg);	1260	s->internal->tlsext_debug_arg);
1272	/* The servername extension is treated as follows:
1273
1274	- Only the hostname type is supported with a maximum length of 255.
1275	- The servername is rejected if too long or if it contains zeros,
1276	in which case an fatal alert is generated.
1277	- The servername field is maintained together with the session cache.
1278	- When a session is resumed, the servername call back invoked in order
1279	to allow the application to position itself to the right context.
1280	- The servername is acknowledged if it is new for a session or when
1281	it is identical to a previously used for the same session.
1282	Applications can control the behaviour. They can at any time
1283	set a 'desirable' servername for a new SSL object. This can be the
1284	case for example with HTTPS when a Host: header field is received and
1285	a renegotiation is requested. In this case, a possible servername
1286	presented in the new client hello is only acknowledged if it matches
1287	the value of the Host: field.
1288	- Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1289	if they provide for changing an explicit servername context for the session,
1290	i.e. when the session has been established with a servername extension.
1291	- On session reconnect, the servername extension may be absent.
1292
1293	*/
1294
1295	if (type == TLSEXT_TYPE_server_name) {
1296	unsigned char *sdata;
1297	int servname_type;
1298	int dsize;
1299		1261
1300	if (size < 2) {	1262	CBS_init(&cbs, data, size);
1301	*al = SSL_AD_DECODE_ERROR;	1263	if (!tlsext_clienthello_parse_one(s, &cbs, type, al))
1302	return 0;	1264	return 0;
1303	}
1304	n2s(data, dsize);
1305
1306	size -= 2;
1307	if (dsize > size) {
1308	*al = SSL_AD_DECODE_ERROR;
1309	return 0;
1310	}
1311
1312	sdata = data;
1313	while (dsize > 3) {
1314	servname_type = *(sdata++);
1315
1316	n2s(sdata, len);
1317	dsize -= 3;
1318
1319	if (len > dsize) {
1320	*al = SSL_AD_DECODE_ERROR;
1321	return 0;
1322	}
1323	if (s->internal->servername_done == 0)
1324	switch (servname_type) {
1325	case TLSEXT_NAMETYPE_host_name:
1326	if (!s->internal->hit) {
1327	if (s->session->tlsext_hostname) {
1328	*al = SSL_AD_DECODE_ERROR;
1329	return 0;
1330	}
1331	if (len > TLSEXT_MAXLEN_host_name) {
1332	*al = TLS1_AD_UNRECOGNIZED_NAME;
1333	return 0;
1334	}
1335	if ((s->session->tlsext_hostname =
1336	malloc(len + 1)) == NULL) {
1337	*al = TLS1_AD_INTERNAL_ERROR;
1338	return 0;
1339	}
1340	memcpy(s->session->tlsext_hostname, sdata, len);
1341	s->session->tlsext_hostname[len] = '\0';
1342	if (strlen(s->session->tlsext_hostname) != len) {
1343	free(s->session->tlsext_hostname);
1344	s->session->tlsext_hostname = NULL;
1345	*al = TLS1_AD_UNRECOGNIZED_NAME;
1346	return 0;
1347	}
1348	s->internal->servername_done = 1;
1349
1350
1351	} else {
1352	s->internal->servername_done = s->session->tlsext_hostname &&
1353	strlen(s->session->tlsext_hostname) == len &&
1354	strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1355	}
1356	break;
1357
1358	default:
1359	break;
1360	}
1361
1362	dsize -= len;
1363	}
1364	if (dsize != 0) {
1365	*al = SSL_AD_DECODE_ERROR;
1366	return 0;
1367	}
1368
1369	}
1370		1265
1371	else if (type == TLSEXT_TYPE_ec_point_formats &&	1266	if (type == TLSEXT_TYPE_ec_point_formats &&
1372	s->version != DTLS1_VERSION) {	1267	s->version != DTLS1_VERSION) {
1373	unsigned char *sdata = data;	1268	unsigned char *sdata = data;
1374	size_t formatslen;	1269	size_t formatslen;