1 files changed, 763 insertions, 36 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index ca6c03d5af..35f04afa4a 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -58,13 +58,20 @@
 #include <stdio.h>
 #include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/ocsp.h>
 #include "ssl_locl.h"
-const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;
+const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
-static long tls1_default_timeout(void);
+#ifndef OPENSSL_NO_TLSEXT
+static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
+                                const unsigned char *sess_id, int sesslen,
+                                SSL_SESSION **psess);
+#endif
-static SSL3_ENC_METHOD TLSv1_enc_data={
+SSL3_ENC_METHOD TLSv1_enc_data={
        tls1_enc,
        tls1_mac,
        tls1_setup_key_block,
@@ -78,45 +85,17 @@ static SSL3_ENC_METHOD TLSv1_enc_data={
        tls1_alert_code,
        };
-static SSL_METHOD TLSv1_data= {
+long tls1_default_timeout(void)
-        TLS1_VERSION,
-        tls1_new,
-        tls1_clear,
-        tls1_free,
-        ssl_undefined_function,
-        ssl_undefined_function,
-        ssl3_read,
-        ssl3_peek,
-        ssl3_write,
-        ssl3_shutdown,
-        ssl3_renegotiate,
-        ssl3_renegotiate_check,
-        ssl3_ctrl,
-        ssl3_ctx_ctrl,
-        ssl3_get_cipher_by_char,
-        ssl3_put_cipher_by_char,
-        ssl3_pending,
-        ssl3_num_ciphers,
-        ssl3_get_cipher,
-        ssl_bad_method,
-        tls1_default_timeout,
-        &TLSv1_enc_data,
-        ssl_undefined_function,
-        ssl3_callback_ctrl,
-        ssl3_ctx_callback_ctrl,
-        };
-static long tls1_default_timeout(void)
        {
        /* 2 hours, the 24 hours mentioned in the TLSv1 spec
         * is way too long for http, the cache would over fill */
        return(60*60*2);
        }
-SSL_METHOD *tlsv1_base_method(void)
+IMPLEMENT_tls1_meth_func(tlsv1_base_method,
-        {
+                        ssl_undefined_function,
-        return(&TLSv1_data);
+                        ssl_undefined_function,
-        }
+                        ssl_bad_method)
 int tls1_new(SSL *s)
        {
@@ -147,3 +126,751 @@ long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp)())
        return(0);
        }
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+        {
+        int extdatalen=0;
+        unsigned char *ret = p;
+        ret+=2;
+        if (ret>=limit) return NULL; /* this really never occurs, but ... */
+        if (s->tlsext_hostname != NULL)
+                { 
+                /* Add TLS extension servername to the Client Hello message */
+                unsigned long size_str;
+                long lenmax; 
+                /* check for enough space.
+                   4 for the servername type and entension length
+                   2 for servernamelist length
+                   1 for the hostname type
+                   2 for hostname length
+                   + hostname length 
+                */
+                   
+                if ((lenmax = limit - ret - 9) < 0 
+                || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
+                        return NULL;
+                        
+                /* extension type and length */
+                s2n(TLSEXT_TYPE_server_name,ret); 
+                s2n(size_str+5,ret);
+                
+                /* length of servername list */
+                s2n(size_str+3,ret);
+        
+                /* hostname type, length and hostname */
+                *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
+                s2n(size_str,ret);
+                memcpy(ret, s->tlsext_hostname, size_str);
+                ret+=size_str;
+                }
+        if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
+                {
+                int ticklen;
+                if (s->session && s->session->tlsext_tick)
+                        ticklen = s->session->tlsext_ticklen;
+                else
+                        ticklen = 0;
+                /* Check for enough room 2 for extension type, 2 for len
+                 * rest for ticket
+                 */
+                if (limit - ret - 4 - ticklen < 0)
+                        return NULL;
+                s2n(TLSEXT_TYPE_session_ticket,ret); 
+                s2n(ticklen,ret);
+                if (ticklen)
+                        {
+                        memcpy(ret, s->session->tlsext_tick, ticklen);
+                        ret += ticklen;
+                        }
+                }
+        if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
+                {
+                int i;
+                long extlen, idlen, itmp;
+                OCSP_RESPID *id;
+                idlen = 0;
+                for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
+                        {
+                        id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
+                        itmp = i2d_OCSP_RESPID(id, NULL);
+                        if (itmp <= 0)
+                                return NULL;
+                        idlen += itmp + 2;
+                        }
+                if (s->tlsext_ocsp_exts)
+                        {
+                        extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
+                        if (extlen < 0)
+                                return NULL;
+                        }
+                else
+                        extlen = 0;
+                        
+                if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
+                s2n(TLSEXT_TYPE_status_request, ret);
+                if (extlen + idlen > 0xFFF0)
+                        return NULL;
+                s2n(extlen + idlen + 5, ret);
+                *(ret++) = TLSEXT_STATUSTYPE_ocsp;
+                s2n(idlen, ret);
+                for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
+                        {
+                        /* save position of id len */
+                        unsigned char *q = ret;
+                        id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
+                        /* skip over id len */
+                        ret += 2;
+                        itmp = i2d_OCSP_RESPID(id, &ret);
+                        /* write id len */
+                        s2n(itmp, q);
+                        }
+                s2n(extlen, ret);
+                if (extlen > 0)
+                        i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
+                }
+        if ((extdatalen = ret-p-2)== 0) 
+                return p;
+        s2n(extdatalen,p);
+        return ret;
+        }
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+        {
+        int extdatalen=0;
+        unsigned char *ret = p;
+        ret+=2;
+        if (ret>=limit) return NULL; /* this really never occurs, but ... */
+        if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
+                { 
+                if (limit - ret - 4 < 0) return NULL; 
+                s2n(TLSEXT_TYPE_server_name,ret);
+                s2n(0,ret);
+                }
+        
+        if (s->tlsext_ticket_expected
+                && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
+                { 
+                if (limit - ret - 4 < 0) return NULL; 
+                s2n(TLSEXT_TYPE_session_ticket,ret);
+                s2n(0,ret);
+                }
+        if (s->tlsext_status_expected)
+                { 
+                if ((long)(limit - ret - 4) < 0) return NULL; 
+                s2n(TLSEXT_TYPE_status_request,ret);
+                s2n(0,ret);
+                }
+        if ((extdatalen = ret-p-2)== 0) 
+                return p;
+        s2n(extdatalen,p);
+        return ret;
+        }
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+        {
+        unsigned short type;
+        unsigned short size;
+        unsigned short len;
+        unsigned char *data = *p;
+        s->servername_done = 0;
+        s->tlsext_status_type = -1;
+        if (data >= (d+n-2))
+                return 1;
+        n2s(data,len);
+        if (data > (d+n-len)) 
+                return 1;
+        while (data <= (d+n-4))
+                {
+                n2s(data,type);
+                n2s(data,size);
+                if (data+size > (d+n))
+                        return 1;
+                if (s->tlsext_debug_cb)
+                        s->tlsext_debug_cb(s, 0, type, data, size,
+                                                s->tlsext_debug_arg);
+/* The servername extension is treated as follows:
+   - Only the hostname type is supported with a maximum length of 255.
+   - The servername is rejected if too long or if it contains zeros,
+     in which case an fatal alert is generated.
+   - The servername field is maintained together with the session cache.
+   - When a session is resumed, the servername call back invoked in order
+     to allow the application to position itself to the right context. 
+   - The servername is acknowledged if it is new for a session or when 
+     it is identical to a previously used for the same session. 
+     Applications can control the behaviour.  They can at any time
+     set a 'desirable' servername for a new SSL object. This can be the
+     case for example with HTTPS when a Host: header field is received and
+     a renegotiation is requested. In this case, a possible servername
+     presented in the new client hello is only acknowledged if it matches
+     the value of the Host: field. 
+   - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+     if they provide for changing an explicit servername context for the session,
+     i.e. when the session has been established with a servername extension. 
+   - On session reconnect, the servername extension may be absent. 
+*/      
+                if (type == TLSEXT_TYPE_server_name)
+                        {
+                        unsigned char *sdata;
+                        int servname_type;
+                        int dsize; 
+                
+                        if (size < 2) 
+                                {
+                                *al = SSL_AD_DECODE_ERROR;
+                                return 0;
+                                }
+                        n2s(data,dsize);  
+                        size -= 2;
+                        if (dsize > size  ) 
+                                {
+                                *al = SSL_AD_DECODE_ERROR;
+                                return 0;
+                                } 
+                        sdata = data;
+                        while (dsize > 3) 
+                                {
+                                servname_type = *(sdata++); 
+                                n2s(sdata,len);
+                                dsize -= 3;
+                                if (len > dsize) 
+                                        {
+                                        *al = SSL_AD_DECODE_ERROR;
+                                        return 0;
+                                        }
+                                if (s->servername_done == 0)
+                                switch (servname_type)
+                                        {
+                                case TLSEXT_NAMETYPE_host_name:
+                                        if (s->session->tlsext_hostname == NULL)
+                                                {
+                                                if (len > TLSEXT_MAXLEN_host_name || 
+                                                        ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+                                                        {
+                                                        *al = TLS1_AD_UNRECOGNIZED_NAME;
+                                                        return 0;
+                                                        }
+                                                memcpy(s->session->tlsext_hostname, sdata, len);
+                                                s->session->tlsext_hostname[len]='\0';
+                                                if (strlen(s->session->tlsext_hostname) != len) {
+                                                        OPENSSL_free(s->session->tlsext_hostname);
+                                                        s->session->tlsext_hostname = NULL;
+                                                        *al = TLS1_AD_UNRECOGNIZED_NAME;
+                                                        return 0;
+                                                }
+                                                s->servername_done = 1; 
+                                                }
+                                        else 
+                                                s->servername_done = strlen(s->session->tlsext_hostname) == len 
+                                                        && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
+                                        
+                                        break;
+                                default:
+                                        break;
+                                        }
+                                 
+                                dsize -= len;
+                                }
+                        if (dsize != 0) 
+                                {
+                                *al = SSL_AD_DECODE_ERROR;
+                                return 0;
+                                }
+                        }
+                else if (type == TLSEXT_TYPE_status_request
+                                                && s->ctx->tlsext_status_cb)
+                        {
+                
+                        if (size < 5) 
+                                {
+                                *al = SSL_AD_DECODE_ERROR;
+                                return 0;
+                                }
+                        s->tlsext_status_type = *data++;
+                        size--;
+                        if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
+                                {
+                                const unsigned char *sdata;
+                                int dsize;
+                                /* Read in responder_id_list */
+                                n2s(data,dsize);
+                                size -= 2;
+                                if (dsize > size  ) 
+                                        {
+                                        *al = SSL_AD_DECODE_ERROR;
+                                        return 0;
+                                        }
+                                while (dsize > 0)
+                                        {
+                                        OCSP_RESPID *id;
+                                        int idsize;
+                                        if (dsize < 4)
+                                                {
+                                                *al = SSL_AD_DECODE_ERROR;
+                                                return 0;
+                                                }
+                                        n2s(data, idsize);
+                                        dsize -= 2 + idsize;
+                                        if (dsize < 0)
+                                                {
+                                                *al = SSL_AD_DECODE_ERROR;
+                                                return 0;
+                                                }
+                                        sdata = data;
+                                        data += idsize;
+                                        id = d2i_OCSP_RESPID(NULL,
+                                                                &sdata, idsize);
+                                        if (!id)
+                                                {
+                                                *al = SSL_AD_DECODE_ERROR;
+                                                return 0;
+                                                }
+                                        if (data != sdata)
+                                                {
+                                                OCSP_RESPID_free(id);
+                                                *al = SSL_AD_DECODE_ERROR;
+                                                return 0;
+                                                }
+                                        if (!s->tlsext_ocsp_ids
+                                                && !(s->tlsext_ocsp_ids =
+                                                sk_OCSP_RESPID_new_null()))
+                                                {
+                                                OCSP_RESPID_free(id);
+                                                *al = SSL_AD_INTERNAL_ERROR;
+                                                return 0;
+                                                }
+                                        if (!sk_OCSP_RESPID_push(
+                                                        s->tlsext_ocsp_ids, id))
+                                                {
+                                                OCSP_RESPID_free(id);
+                                                *al = SSL_AD_INTERNAL_ERROR;
+                                                return 0;
+                                                }
+                                        }
+                                /* Read in request_extensions */
+                                n2s(data,dsize);
+                                size -= 2;
+                                if (dsize > size) 
+                                        {
+                                        *al = SSL_AD_DECODE_ERROR;
+                                        return 0;
+                                        }
+                                sdata = data;
+                                if (dsize > 0)
+                                        {
+                                        s->tlsext_ocsp_exts =
+                                                d2i_X509_EXTENSIONS(NULL,
+                                                        &sdata, dsize);
+                                        if (!s->tlsext_ocsp_exts
+                                                || (data + dsize != sdata))
+                                                {
+                                                *al = SSL_AD_DECODE_ERROR;
+                                                return 0;
+                                                }
+                                        }
+                                }
+                                /* We don't know what to do with any other type
+                                * so ignore it.
+                                */
+                                else
+                                        s->tlsext_status_type = -1;
+                        }
+                /* session ticket processed earlier */
+                data+=size;             
+                }
+        *p = data;
+        return 1;
+        }
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+        {
+        unsigned short type;
+        unsigned short size;
+        unsigned short len;  
+        unsigned char *data = *p;
+        int tlsext_servername = 0;
+        if (data >= (d+n-2))
+                return 1;
+        n2s(data,len);
+        while(data <= (d+n-4))
+                {
+                n2s(data,type);
+                n2s(data,size);
+                if (data+size > (d+n))
+                        return 1;
+                if (s->tlsext_debug_cb)
+                        s->tlsext_debug_cb(s, 1, type, data, size,
+                                                s->tlsext_debug_arg);
+                if (type == TLSEXT_TYPE_server_name)
+                        {
+                        if (s->tlsext_hostname == NULL || size > 0)
+                                {
+                                *al = TLS1_AD_UNRECOGNIZED_NAME;
+                                return 0;
+                                }
+                        tlsext_servername = 1;   
+                        }
+                else if (type == TLSEXT_TYPE_session_ticket)
+                        {
+                        if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
+                                || (size > 0))
+                                {
+                                *al = TLS1_AD_UNSUPPORTED_EXTENSION;
+                                return 0;
+                                }
+                        s->tlsext_ticket_expected = 1;
+                        }
+                else if (type == TLSEXT_TYPE_status_request)
+                        {
+                        /* MUST be empty and only sent if we've requested
+                         * a status request message.
+                         */ 
+                        if ((s->tlsext_status_type == -1) || (size > 0))
+                                {
+                                *al = TLS1_AD_UNSUPPORTED_EXTENSION;
+                                return 0;
+                                }
+                        /* Set flag to expect CertificateStatus message */
+                        s->tlsext_status_expected = 1;
+                        }
+                data+=size;             
+                }
+        if (data != d+n)
+                {
+                *al = SSL_AD_DECODE_ERROR;
+                return 0;
+                }
+        if (!s->hit && tlsext_servername == 1)
+                {
+                if (s->tlsext_hostname)
+                        {
+                        if (s->session->tlsext_hostname == NULL)
+                                {
+                                s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
+                                if (!s->session->tlsext_hostname)
+                                        {
+                                        *al = SSL_AD_UNRECOGNIZED_NAME;
+                                        return 0;
+                                        }
+                                }
+                        else 
+                                {
+                                *al = SSL_AD_DECODE_ERROR;
+                                return 0;
+                                }
+                        }
+                }
+        *p = data;
+        return 1;
+        }
+int ssl_check_clienthello_tlsext(SSL *s)
+        {
+        int ret=SSL_TLSEXT_ERR_NOACK;
+        int al = SSL_AD_UNRECOGNIZED_NAME;
+        if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
+                ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
+        else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
+                ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
+        /* If status request then ask callback what to do.
+         * Note: this must be called after servername callbacks in case 
+         * the certificate has changed.
+         */
+        if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
+                {
+                int r;
+                r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+                switch (r)
+                        {
+                        /* We don't want to send a status request response */
+                        case SSL_TLSEXT_ERR_NOACK:
+                                s->tlsext_status_expected = 0;
+                                break;
+                        /* status request response should be sent */
+                        case SSL_TLSEXT_ERR_OK:
+                                if (s->tlsext_ocsp_resp)
+                                        s->tlsext_status_expected = 1;
+                                else
+                                        s->tlsext_status_expected = 0;
+                                break;
+                        /* something bad happened */
+                        case SSL_TLSEXT_ERR_ALERT_FATAL:
+                                ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+                                al = SSL_AD_INTERNAL_ERROR;
+                                goto err;
+                        }
+                }
+        else
+                s->tlsext_status_expected = 0;
+        err:
+        switch (ret)
+                {
+                case SSL_TLSEXT_ERR_ALERT_FATAL:
+                        ssl3_send_alert(s,SSL3_AL_FATAL,al); 
+                        return -1;
+                case SSL_TLSEXT_ERR_ALERT_WARNING:
+                        ssl3_send_alert(s,SSL3_AL_WARNING,al);
+                        return 1; 
+                                        
+                case SSL_TLSEXT_ERR_NOACK:
+                        s->servername_done=0;
+                        default:
+                return 1;
+                }
+        }
+int ssl_check_serverhello_tlsext(SSL *s)
+        {
+        int ret=SSL_TLSEXT_ERR_NOACK;
+        int al = SSL_AD_UNRECOGNIZED_NAME;
+        if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
+                ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
+        else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
+                ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
+        /* If we've requested certificate status and we wont get one
+         * tell the callback
+         */
+        if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
+                        && s->ctx->tlsext_status_cb)
+                {
+                int r;
+                /* Set resp to NULL, resplen to -1 so callback knows
+                 * there is no response.
+                 */
+                if (s->tlsext_ocsp_resp)
+                        {
+                        OPENSSL_free(s->tlsext_ocsp_resp);
+                        s->tlsext_ocsp_resp = NULL;
+                        }
+                s->tlsext_ocsp_resplen = -1;
+                r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+                if (r == 0)
+                        {
+                        al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
+                        ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+                        }
+                if (r < 0)
+                        {
+                        al = SSL_AD_INTERNAL_ERROR;
+                        ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+                        }
+                }
+        switch (ret)
+                {
+                case SSL_TLSEXT_ERR_ALERT_FATAL:
+                        ssl3_send_alert(s,SSL3_AL_FATAL,al); 
+                        return -1;
+                case SSL_TLSEXT_ERR_ALERT_WARNING:
+                        ssl3_send_alert(s,SSL3_AL_WARNING,al);
+                        return 1; 
+                                        
+                case SSL_TLSEXT_ERR_NOACK:
+                        s->servername_done=0;
+                        default:
+                return 1;
+                }
+        }
+/* Since the server cache lookup is done early on in the processing of client
+ * hello and other operations depend on the result we need to handle any TLS
+ * session ticket extension at the same time.
+ */
+int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
+                                const unsigned char *limit, SSL_SESSION **ret)
+        {
+        /* Point after session ID in client hello */
+        const unsigned char *p = session_id + len;
+        unsigned short i;
+        if ((s->version <= SSL3_VERSION) || !limit)
+                return 1;
+        if (p >= limit)
+                return -1;
+        /* Skip past cipher list */
+        n2s(p, i);
+        p+= i;
+        if (p >= limit)
+                return -1;
+        /* Skip past compression algorithm list */
+        i = *(p++);
+        p += i;
+        if (p > limit)
+                return -1;
+        /* Now at start of extensions */
+        if ((p + 2) >= limit)
+                return 1;
+        n2s(p, i);
+        while ((p + 4) <= limit)
+                {
+                unsigned short type, size;
+                n2s(p, type);
+                n2s(p, size);
+                if (p + size > limit)
+                        return 1;
+                if (type == TLSEXT_TYPE_session_ticket)
+                        {
+                        /* If tickets disabled indicate cache miss which will
+                         * trigger a full handshake
+                         */
+                        if (SSL_get_options(s) & SSL_OP_NO_TICKET)
+                                return 0;
+                        /* If zero length not client will accept a ticket
+                         * and indicate cache miss to trigger full handshake
+                         */
+                        if (size == 0)
+                                {
+                                s->tlsext_ticket_expected = 1;
+                                return 0;       /* Cache miss */
+                                }
+                        return tls_decrypt_ticket(s, p, size, session_id, len,
+                                                                        ret);
+                        }
+                p += size;
+                }
+        return 1;
+        }
+static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
+                                const unsigned char *sess_id, int sesslen,
+                                SSL_SESSION **psess)
+        {
+        SSL_SESSION *sess;
+        unsigned char *sdec;
+        const unsigned char *p;
+        int slen, mlen, renew_ticket = 0;
+        unsigned char tick_hmac[EVP_MAX_MD_SIZE];
+        HMAC_CTX hctx;
+        EVP_CIPHER_CTX ctx;
+        /* Need at least keyname + iv + some encrypted data */
+        if (eticklen < 48)
+                goto tickerr;
+        /* Initialize session ticket encryption and HMAC contexts */
+        HMAC_CTX_init(&hctx);
+        EVP_CIPHER_CTX_init(&ctx);
+        if (s->ctx->tlsext_ticket_key_cb)
+                {
+                unsigned char *nctick = (unsigned char *)etick;
+                int rv = s->ctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
+                                                        &ctx, &hctx, 0);
+                if (rv < 0)
+                        return -1;
+                if (rv == 0)
+                        goto tickerr;
+                if (rv == 2)
+                        renew_ticket = 1;
+                }
+        else
+                {
+                /* Check key name matches */
+                if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
+                        goto tickerr;
+                HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
+                                        tlsext_tick_md(), NULL);
+                EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
+                                s->ctx->tlsext_tick_aes_key, etick + 16);
+                }
+        /* Attempt to process session ticket, first conduct sanity and
+         * integrity checks on ticket.
+         */
+        mlen = HMAC_size(&hctx);
+        eticklen -= mlen;
+        /* Check HMAC of encrypted ticket */
+        HMAC_Update(&hctx, etick, eticklen);
+        HMAC_Final(&hctx, tick_hmac, NULL);
+        HMAC_CTX_cleanup(&hctx);
+        if (memcmp(tick_hmac, etick + eticklen, mlen))
+                goto tickerr;
+        /* Attempt to decrypt session data */
+        /* Move p after IV to start of encrypted ticket, update length */
+        p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
+        eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
+        sdec = OPENSSL_malloc(eticklen);
+        if (!sdec)
+                {
+                EVP_CIPHER_CTX_cleanup(&ctx);
+                return -1;
+                }
+        EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
+        if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
+                goto tickerr;
+        slen += mlen;
+        EVP_CIPHER_CTX_cleanup(&ctx);
+        p = sdec;
+                
+        sess = d2i_SSL_SESSION(NULL, &p, slen);
+        OPENSSL_free(sdec);
+        if (sess)
+                {
+                /* The session ID if non-empty is used by some clients to
+                 * detect that the ticket has been accepted. So we copy it to
+                 * the session structure. If it is empty set length to zero
+                 * as required by standard.
+                 */
+                if (sesslen)
+                        memcpy(sess->session_id, sess_id, sesslen);
+                sess->session_id_length = sesslen;
+                *psess = sess;
+                s->tlsext_ticket_expected = renew_ticket;
+                return 1;
+                }
+        /* If session decrypt failure indicate a cache miss and set state to
+         * send a new ticket
+         */
+        tickerr:        
+        s->tlsext_ticket_expected = 1;
+        return 0;
+        }
+#endif

diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index ca6c03d5af..35f04afa4a 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -58,13 +58,20 @@
58		58
59	#include <stdio.h>	59	#include <stdio.h>
60	#include <openssl/objects.h>	60	#include <openssl/objects.h>
		61	#include <openssl/evp.h>
		62	#include <openssl/hmac.h>
		63	#include <openssl/ocsp.h>
61	#include "ssl_locl.h"	64	#include "ssl_locl.h"
62		65
63	const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;	66	const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
64		67
65	static long tls1_default_timeout(void);	68	#ifndef OPENSSL_NO_TLSEXT
		69	static int tls_decrypt_ticket(SSL s, const unsigned char tick, int ticklen,
		70	const unsigned char *sess_id, int sesslen,
		71	SSL_SESSION **psess);
		72	#endif
66		73
67	static SSL3_ENC_METHOD TLSv1_enc_data={	74	SSL3_ENC_METHOD TLSv1_enc_data={
68	tls1_enc,	75	tls1_enc,
69	tls1_mac,	76	tls1_mac,
70	tls1_setup_key_block,	77	tls1_setup_key_block,
@@ -78,45 +85,17 @@ static SSL3_ENC_METHOD TLSv1_enc_data={
78	tls1_alert_code,	85	tls1_alert_code,
79	};	86	};
80		87
81	static SSL_METHOD TLSv1_data= {	88	long tls1_default_timeout(void)
82	TLS1_VERSION,
83	tls1_new,
84	tls1_clear,
85	tls1_free,
86	ssl_undefined_function,
87	ssl_undefined_function,
88	ssl3_read,
89	ssl3_peek,
90	ssl3_write,
91	ssl3_shutdown,
92	ssl3_renegotiate,
93	ssl3_renegotiate_check,
94	ssl3_ctrl,
95	ssl3_ctx_ctrl,
96	ssl3_get_cipher_by_char,
97	ssl3_put_cipher_by_char,
98	ssl3_pending,
99	ssl3_num_ciphers,
100	ssl3_get_cipher,
101	ssl_bad_method,
102	tls1_default_timeout,
103	&TLSv1_enc_data,
104	ssl_undefined_function,
105	ssl3_callback_ctrl,
106	ssl3_ctx_callback_ctrl,
107	};
108
109	static long tls1_default_timeout(void)
110	{	89	{
111	/* 2 hours, the 24 hours mentioned in the TLSv1 spec	90	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
112	* is way too long for http, the cache would over fill */	91	* is way too long for http, the cache would over fill */
113	return(60602);	92	return(60602);
114	}	93	}
115		94
116	SSL_METHOD *tlsv1_base_method(void)	95	IMPLEMENT_tls1_meth_func(tlsv1_base_method,
117	{	96	ssl_undefined_function,
118	return(&TLSv1_data);	97	ssl_undefined_function,
119	}	98	ssl_bad_method)
120		99
121	int tls1_new(SSL *s)	100	int tls1_new(SSL *s)
122	{	101	{
@@ -147,3 +126,751 @@ long tls1_callback_ctrl(SSL s, int cmd, void (*fp)())
147	return(0);	126	return(0);
148	}	127	}
149	#endif	128	#endif
		129
		130	#ifndef OPENSSL_NO_TLSEXT
		131	unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char p, unsigned char limit)
		132	{
		133	int extdatalen=0;
		134	unsigned char *ret = p;
		135
		136	ret+=2;
		137
		138	if (ret>=limit) return NULL; /* this really never occurs, but ... */
		139
		140	if (s->tlsext_hostname != NULL)
		141	{
		142	/* Add TLS extension servername to the Client Hello message */
		143	unsigned long size_str;
		144	long lenmax;
		145
		146	/* check for enough space.
		147	4 for the servername type and entension length
		148	2 for servernamelist length
		149	1 for the hostname type
		150	2 for hostname length
		151	+ hostname length
		152	*/
		153
		154	if ((lenmax = limit - ret - 9) < 0
		155	\|\| (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
		156	return NULL;
		157
		158	/* extension type and length */
		159	s2n(TLSEXT_TYPE_server_name,ret);
		160	s2n(size_str+5,ret);
		161
		162	/* length of servername list */
		163	s2n(size_str+3,ret);
		164
		165	/* hostname type, length and hostname */
		166	*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
		167	s2n(size_str,ret);
		168	memcpy(ret, s->tlsext_hostname, size_str);
		169	ret+=size_str;
		170
		171	}
		172
		173	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
		174	{
		175	int ticklen;
		176	if (s->session && s->session->tlsext_tick)
		177	ticklen = s->session->tlsext_ticklen;
		178	else
		179	ticklen = 0;
		180	/* Check for enough room 2 for extension type, 2 for len
		181	* rest for ticket
		182	*/
		183	if (limit - ret - 4 - ticklen < 0)
		184	return NULL;
		185	s2n(TLSEXT_TYPE_session_ticket,ret);
		186	s2n(ticklen,ret);
		187	if (ticklen)
		188	{
		189	memcpy(ret, s->session->tlsext_tick, ticklen);
		190	ret += ticklen;
		191	}
		192	}
		193
		194	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
		195	{
		196	int i;
		197	long extlen, idlen, itmp;
		198	OCSP_RESPID *id;
		199
		200	idlen = 0;
		201	for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
		202	{
		203	id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
		204	itmp = i2d_OCSP_RESPID(id, NULL);
		205	if (itmp <= 0)
		206	return NULL;
		207	idlen += itmp + 2;
		208	}
		209
		210	if (s->tlsext_ocsp_exts)
		211	{
		212	extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
		213	if (extlen < 0)
		214	return NULL;
		215	}
		216	else
		217	extlen = 0;
		218
		219	if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
		220	s2n(TLSEXT_TYPE_status_request, ret);
		221	if (extlen + idlen > 0xFFF0)
		222	return NULL;
		223	s2n(extlen + idlen + 5, ret);
		224	*(ret++) = TLSEXT_STATUSTYPE_ocsp;
		225	s2n(idlen, ret);
		226	for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
		227	{
		228	/* save position of id len */
		229	unsigned char *q = ret;
		230	id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
		231	/* skip over id len */
		232	ret += 2;
		233	itmp = i2d_OCSP_RESPID(id, &ret);
		234	/* write id len */
		235	s2n(itmp, q);
		236	}
		237	s2n(extlen, ret);
		238	if (extlen > 0)
		239	i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
		240	}
		241
		242	if ((extdatalen = ret-p-2)== 0)
		243	return p;
		244
		245	s2n(extdatalen,p);
		246	return ret;
		247	}
		248
		249	unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char limit)
		250	{
		251	int extdatalen=0;
		252	unsigned char *ret = p;
		253
		254	ret+=2;
		255	if (ret>=limit) return NULL; /* this really never occurs, but ... */
		256
		257	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
		258	{
		259	if (limit - ret - 4 < 0) return NULL;
		260
		261	s2n(TLSEXT_TYPE_server_name,ret);
		262	s2n(0,ret);
		263	}
		264
		265	if (s->tlsext_ticket_expected
		266	&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
		267	{
		268	if (limit - ret - 4 < 0) return NULL;
		269	s2n(TLSEXT_TYPE_session_ticket,ret);
		270	s2n(0,ret);
		271	}
		272
		273	if (s->tlsext_status_expected)
		274	{
		275	if ((long)(limit - ret - 4) < 0) return NULL;
		276	s2n(TLSEXT_TYPE_status_request,ret);
		277	s2n(0,ret);
		278	}
		279
		280	if ((extdatalen = ret-p-2)== 0)
		281	return p;
		282
		283	s2n(extdatalen,p);
		284	return ret;
		285	}
		286
		287	int ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d, int n, int *al)
		288	{
		289	unsigned short type;
		290	unsigned short size;
		291	unsigned short len;
		292	unsigned char data = p;
		293	s->servername_done = 0;
		294	s->tlsext_status_type = -1;
		295
		296	if (data >= (d+n-2))
		297	return 1;
		298	n2s(data,len);
		299
		300	if (data > (d+n-len))
		301	return 1;
		302
		303	while (data <= (d+n-4))
		304	{
		305	n2s(data,type);
		306	n2s(data,size);
		307
		308	if (data+size > (d+n))
		309	return 1;
		310
		311	if (s->tlsext_debug_cb)
		312	s->tlsext_debug_cb(s, 0, type, data, size,
		313	s->tlsext_debug_arg);
		314	/* The servername extension is treated as follows:
		315
		316	- Only the hostname type is supported with a maximum length of 255.
		317	- The servername is rejected if too long or if it contains zeros,
		318	in which case an fatal alert is generated.
		319	- The servername field is maintained together with the session cache.
		320	- When a session is resumed, the servername call back invoked in order
		321	to allow the application to position itself to the right context.
		322	- The servername is acknowledged if it is new for a session or when
		323	it is identical to a previously used for the same session.
		324	Applications can control the behaviour. They can at any time
		325	set a 'desirable' servername for a new SSL object. This can be the
		326	case for example with HTTPS when a Host: header field is received and
		327	a renegotiation is requested. In this case, a possible servername
		328	presented in the new client hello is only acknowledged if it matches
		329	the value of the Host: field.
		330	- Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
		331	if they provide for changing an explicit servername context for the session,
		332	i.e. when the session has been established with a servername extension.
		333	- On session reconnect, the servername extension may be absent.
		334
		335	*/
		336
		337	if (type == TLSEXT_TYPE_server_name)
		338	{
		339	unsigned char *sdata;
		340	int servname_type;
		341	int dsize;
		342
		343	if (size < 2)
		344	{
		345	*al = SSL_AD_DECODE_ERROR;
		346	return 0;
		347	}
		348	n2s(data,dsize);
		349	size -= 2;
		350	if (dsize > size )
		351	{
		352	*al = SSL_AD_DECODE_ERROR;
		353	return 0;
		354	}
		355
		356	sdata = data;
		357	while (dsize > 3)
		358	{
		359	servname_type = *(sdata++);
		360	n2s(sdata,len);
		361	dsize -= 3;
		362
		363	if (len > dsize)
		364	{
		365	*al = SSL_AD_DECODE_ERROR;
		366	return 0;
		367	}
		368	if (s->servername_done == 0)
		369	switch (servname_type)
		370	{
		371	case TLSEXT_NAMETYPE_host_name:
		372	if (s->session->tlsext_hostname == NULL)
		373	{
		374	if (len > TLSEXT_MAXLEN_host_name \|\|
		375	((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
		376	{
		377	*al = TLS1_AD_UNRECOGNIZED_NAME;
		378	return 0;
		379	}
		380	memcpy(s->session->tlsext_hostname, sdata, len);
		381	s->session->tlsext_hostname[len]='\0';
		382	if (strlen(s->session->tlsext_hostname) != len) {
		383	OPENSSL_free(s->session->tlsext_hostname);
		384	s->session->tlsext_hostname = NULL;
		385	*al = TLS1_AD_UNRECOGNIZED_NAME;
		386	return 0;
		387	}
		388	s->servername_done = 1;
		389
		390	}
		391	else
		392	s->servername_done = strlen(s->session->tlsext_hostname) == len
		393	&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
		394
		395	break;
		396
		397	default:
		398	break;
		399	}
		400
		401	dsize -= len;
		402	}
		403	if (dsize != 0)
		404	{
		405	*al = SSL_AD_DECODE_ERROR;
		406	return 0;
		407	}
		408
		409	}
		410	else if (type == TLSEXT_TYPE_status_request
		411	&& s->ctx->tlsext_status_cb)
		412	{
		413
		414	if (size < 5)
		415	{
		416	*al = SSL_AD_DECODE_ERROR;
		417	return 0;
		418	}
		419
		420	s->tlsext_status_type = *data++;
		421	size--;
		422	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
		423	{
		424	const unsigned char *sdata;
		425	int dsize;
		426	/* Read in responder_id_list */
		427	n2s(data,dsize);
		428	size -= 2;
		429	if (dsize > size )
		430	{
		431	*al = SSL_AD_DECODE_ERROR;
		432	return 0;
		433	}
		434	while (dsize > 0)
		435	{
		436	OCSP_RESPID *id;
		437	int idsize;
		438	if (dsize < 4)
		439	{
		440	*al = SSL_AD_DECODE_ERROR;
		441	return 0;
		442	}
		443	n2s(data, idsize);
		444	dsize -= 2 + idsize;
		445	if (dsize < 0)
		446	{
		447	*al = SSL_AD_DECODE_ERROR;
		448	return 0;
		449	}
		450	sdata = data;
		451	data += idsize;
		452	id = d2i_OCSP_RESPID(NULL,
		453	&sdata, idsize);
		454	if (!id)
		455	{
		456	*al = SSL_AD_DECODE_ERROR;
		457	return 0;
		458	}
		459	if (data != sdata)
		460	{
		461	OCSP_RESPID_free(id);
		462	*al = SSL_AD_DECODE_ERROR;
		463	return 0;
		464	}
		465	if (!s->tlsext_ocsp_ids
		466	&& !(s->tlsext_ocsp_ids =
		467	sk_OCSP_RESPID_new_null()))
		468	{
		469	OCSP_RESPID_free(id);
		470	*al = SSL_AD_INTERNAL_ERROR;
		471	return 0;
		472	}
		473	if (!sk_OCSP_RESPID_push(
		474	s->tlsext_ocsp_ids, id))
		475	{
		476	OCSP_RESPID_free(id);
		477	*al = SSL_AD_INTERNAL_ERROR;
		478	return 0;
		479	}
		480	}
		481
		482	/* Read in request_extensions */
		483	n2s(data,dsize);
		484	size -= 2;
		485	if (dsize > size)
		486	{
		487	*al = SSL_AD_DECODE_ERROR;
		488	return 0;
		489	}
		490	sdata = data;
		491	if (dsize > 0)
		492	{
		493	s->tlsext_ocsp_exts =
		494	d2i_X509_EXTENSIONS(NULL,
		495	&sdata, dsize);
		496	if (!s->tlsext_ocsp_exts
		497	\|\| (data + dsize != sdata))
		498	{
		499	*al = SSL_AD_DECODE_ERROR;
		500	return 0;
		501	}
		502	}
		503	}
		504	/* We don't know what to do with any other type
		505	* so ignore it.
		506	*/
		507	else
		508	s->tlsext_status_type = -1;
		509	}
		510	/* session ticket processed earlier */
		511
		512	data+=size;
		513	}
		514
		515	*p = data;
		516	return 1;
		517	}
		518
		519	int ssl_parse_serverhello_tlsext(SSL s, unsigned char p, unsigned char d, int n, int *al)
		520	{
		521	unsigned short type;
		522	unsigned short size;
		523	unsigned short len;
		524	unsigned char data = p;
		525
		526	int tlsext_servername = 0;
		527
		528	if (data >= (d+n-2))
		529	return 1;
		530
		531	n2s(data,len);
		532
		533	while(data <= (d+n-4))
		534	{
		535	n2s(data,type);
		536	n2s(data,size);
		537
		538	if (data+size > (d+n))
		539	return 1;
		540
		541	if (s->tlsext_debug_cb)
		542	s->tlsext_debug_cb(s, 1, type, data, size,
		543	s->tlsext_debug_arg);
		544
		545	if (type == TLSEXT_TYPE_server_name)
		546	{
		547	if (s->tlsext_hostname == NULL \|\| size > 0)
		548	{
		549	*al = TLS1_AD_UNRECOGNIZED_NAME;
		550	return 0;
		551	}
		552	tlsext_servername = 1;
		553	}
		554	else if (type == TLSEXT_TYPE_session_ticket)
		555	{
		556	if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
		557	\|\| (size > 0))
		558	{
		559	*al = TLS1_AD_UNSUPPORTED_EXTENSION;
		560	return 0;
		561	}
		562	s->tlsext_ticket_expected = 1;
		563	}
		564	else if (type == TLSEXT_TYPE_status_request)
		565	{
		566	/* MUST be empty and only sent if we've requested
		567	* a status request message.
		568	*/
		569	if ((s->tlsext_status_type == -1) \|\| (size > 0))
		570	{
		571	*al = TLS1_AD_UNSUPPORTED_EXTENSION;
		572	return 0;
		573	}
		574	/* Set flag to expect CertificateStatus message */
		575	s->tlsext_status_expected = 1;
		576	}
		577
		578	data+=size;
		579	}
		580
		581	if (data != d+n)
		582	{
		583	*al = SSL_AD_DECODE_ERROR;
		584	return 0;
		585	}
		586
		587	if (!s->hit && tlsext_servername == 1)
		588	{
		589	if (s->tlsext_hostname)
		590	{
		591	if (s->session->tlsext_hostname == NULL)
		592	{
		593	s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
		594	if (!s->session->tlsext_hostname)
		595	{
		596	*al = SSL_AD_UNRECOGNIZED_NAME;
		597	return 0;
		598	}
		599	}
		600	else
		601	{
		602	*al = SSL_AD_DECODE_ERROR;
		603	return 0;
		604	}
		605	}
		606	}
		607
		608	*p = data;
		609	return 1;
		610	}
		611
		612	int ssl_check_clienthello_tlsext(SSL *s)
		613	{
		614	int ret=SSL_TLSEXT_ERR_NOACK;
		615	int al = SSL_AD_UNRECOGNIZED_NAME;
		616
		617	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
		618	ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
		619	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
		620	ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
		621
		622	/* If status request then ask callback what to do.
		623	* Note: this must be called after servername callbacks in case
		624	* the certificate has changed.
		625	*/
		626	if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
		627	{
		628	int r;
		629	r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
		630	switch (r)
		631	{
		632	/* We don't want to send a status request response */
		633	case SSL_TLSEXT_ERR_NOACK:
		634	s->tlsext_status_expected = 0;
		635	break;
		636	/* status request response should be sent */
		637	case SSL_TLSEXT_ERR_OK:
		638	if (s->tlsext_ocsp_resp)
		639	s->tlsext_status_expected = 1;
		640	else
		641	s->tlsext_status_expected = 0;
		642	break;
		643	/* something bad happened */
		644	case SSL_TLSEXT_ERR_ALERT_FATAL:
		645	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
		646	al = SSL_AD_INTERNAL_ERROR;
		647	goto err;
		648	}
		649	}
		650	else
		651	s->tlsext_status_expected = 0;
		652	err:
		653	switch (ret)
		654	{
		655	case SSL_TLSEXT_ERR_ALERT_FATAL:
		656	ssl3_send_alert(s,SSL3_AL_FATAL,al);
		657	return -1;
		658
		659	case SSL_TLSEXT_ERR_ALERT_WARNING:
		660	ssl3_send_alert(s,SSL3_AL_WARNING,al);
		661	return 1;
		662
		663	case SSL_TLSEXT_ERR_NOACK:
		664	s->servername_done=0;
		665	default:
		666	return 1;
		667	}
		668	}
		669
		670	int ssl_check_serverhello_tlsext(SSL *s)
		671	{
		672	int ret=SSL_TLSEXT_ERR_NOACK;
		673	int al = SSL_AD_UNRECOGNIZED_NAME;
		674
		675	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
		676	ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
		677	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
		678	ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
		679
		680	/* If we've requested certificate status and we wont get one
		681	* tell the callback
		682	*/
		683	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
		684	&& s->ctx->tlsext_status_cb)
		685	{
		686	int r;
		687	/* Set resp to NULL, resplen to -1 so callback knows
		688	* there is no response.
		689	*/
		690	if (s->tlsext_ocsp_resp)
		691	{
		692	OPENSSL_free(s->tlsext_ocsp_resp);
		693	s->tlsext_ocsp_resp = NULL;
		694	}
		695	s->tlsext_ocsp_resplen = -1;
		696	r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
		697	if (r == 0)
		698	{
		699	al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
		700	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
		701	}
		702	if (r < 0)
		703	{
		704	al = SSL_AD_INTERNAL_ERROR;
		705	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
		706	}
		707	}
		708
		709	switch (ret)
		710	{
		711	case SSL_TLSEXT_ERR_ALERT_FATAL:
		712	ssl3_send_alert(s,SSL3_AL_FATAL,al);
		713	return -1;
		714
		715	case SSL_TLSEXT_ERR_ALERT_WARNING:
		716	ssl3_send_alert(s,SSL3_AL_WARNING,al);
		717	return 1;
		718
		719	case SSL_TLSEXT_ERR_NOACK:
		720	s->servername_done=0;
		721	default:
		722	return 1;
		723	}
		724	}
		725
		726	/* Since the server cache lookup is done early on in the processing of client
		727	* hello and other operations depend on the result we need to handle any TLS
		728	* session ticket extension at the same time.
		729	*/
		730
		731	int tls1_process_ticket(SSL s, unsigned char session_id, int len,
		732	const unsigned char limit, SSL_SESSION *ret)
		733	{
		734	/* Point after session ID in client hello */
		735	const unsigned char *p = session_id + len;
		736	unsigned short i;
		737	if ((s->version <= SSL3_VERSION) \|\| !limit)
		738	return 1;
		739	if (p >= limit)
		740	return -1;
		741	/* Skip past cipher list */
		742	n2s(p, i);
		743	p+= i;
		744	if (p >= limit)
		745	return -1;
		746	/* Skip past compression algorithm list */
		747	i = *(p++);
		748	p += i;
		749	if (p > limit)
		750	return -1;
		751	/* Now at start of extensions */
		752	if ((p + 2) >= limit)
		753	return 1;
		754	n2s(p, i);
		755	while ((p + 4) <= limit)
		756	{
		757	unsigned short type, size;
		758	n2s(p, type);
		759	n2s(p, size);
		760	if (p + size > limit)
		761	return 1;
		762	if (type == TLSEXT_TYPE_session_ticket)
		763	{
		764	/* If tickets disabled indicate cache miss which will
		765	* trigger a full handshake
		766	*/
		767	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
		768	return 0;
		769	/* If zero length not client will accept a ticket
		770	* and indicate cache miss to trigger full handshake
		771	*/
		772	if (size == 0)
		773	{
		774	s->tlsext_ticket_expected = 1;
		775	return 0; /* Cache miss */
		776	}
		777	return tls_decrypt_ticket(s, p, size, session_id, len,
		778	ret);
		779	}
		780	p += size;
		781	}
		782	return 1;
		783	}
		784
		785	static int tls_decrypt_ticket(SSL s, const unsigned char etick, int eticklen,
		786	const unsigned char *sess_id, int sesslen,
		787	SSL_SESSION **psess)
		788	{
		789	SSL_SESSION *sess;
		790	unsigned char *sdec;
		791	const unsigned char *p;
		792	int slen, mlen, renew_ticket = 0;
		793	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
		794	HMAC_CTX hctx;
		795	EVP_CIPHER_CTX ctx;
		796	/* Need at least keyname + iv + some encrypted data */
		797	if (eticklen < 48)
		798	goto tickerr;
		799	/* Initialize session ticket encryption and HMAC contexts */
		800	HMAC_CTX_init(&hctx);
		801	EVP_CIPHER_CTX_init(&ctx);
		802	if (s->ctx->tlsext_ticket_key_cb)
		803	{
		804	unsigned char nctick = (unsigned char )etick;
		805	int rv = s->ctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
		806	&ctx, &hctx, 0);
		807	if (rv < 0)
		808	return -1;
		809	if (rv == 0)
		810	goto tickerr;
		811	if (rv == 2)
		812	renew_ticket = 1;
		813	}
		814	else
		815	{
		816	/* Check key name matches */
		817	if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
		818	goto tickerr;
		819	HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
		820	tlsext_tick_md(), NULL);
		821	EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
		822	s->ctx->tlsext_tick_aes_key, etick + 16);
		823	}
		824	/* Attempt to process session ticket, first conduct sanity and
		825	* integrity checks on ticket.
		826	*/
		827	mlen = HMAC_size(&hctx);
		828	eticklen -= mlen;
		829	/* Check HMAC of encrypted ticket */
		830	HMAC_Update(&hctx, etick, eticklen);
		831	HMAC_Final(&hctx, tick_hmac, NULL);
		832	HMAC_CTX_cleanup(&hctx);
		833	if (memcmp(tick_hmac, etick + eticklen, mlen))
		834	goto tickerr;
		835	/* Attempt to decrypt session data */
		836	/* Move p after IV to start of encrypted ticket, update length */
		837	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
		838	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
		839	sdec = OPENSSL_malloc(eticklen);
		840	if (!sdec)
		841	{
		842	EVP_CIPHER_CTX_cleanup(&ctx);
		843	return -1;
		844	}
		845	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
		846	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
		847	goto tickerr;
		848	slen += mlen;
		849	EVP_CIPHER_CTX_cleanup(&ctx);
		850	p = sdec;
		851
		852	sess = d2i_SSL_SESSION(NULL, &p, slen);
		853	OPENSSL_free(sdec);
		854	if (sess)
		855	{
		856	/* The session ID if non-empty is used by some clients to
		857	* detect that the ticket has been accepted. So we copy it to
		858	* the session structure. If it is empty set length to zero
		859	* as required by standard.
		860	*/
		861	if (sesslen)
		862	memcpy(sess->session_id, sess_id, sesslen);
		863	sess->session_id_length = sesslen;
		864	*psess = sess;
		865	s->tlsext_ticket_expected = renew_ticket;
		866	return 1;
		867	}
		868	/* If session decrypt failure indicate a cache miss and set state to
		869	* send a new ticket
		870	*/
		871	tickerr:
		872	s->tlsext_ticket_expected = 1;
		873	return 0;
		874	}
		875
		876	#endif