summaryrefslogtreecommitdiff
path: root/src/lib/libssl/t1_lib.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/t1_lib.c')
-rw-r--r--src/lib/libssl/t1_lib.c2002
1 files changed, 935 insertions, 1067 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index bddffd92cc..08f7a444ad 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -120,12 +120,13 @@
120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 121
122#ifndef OPENSSL_NO_TLSEXT 122#ifndef OPENSSL_NO_TLSEXT
123static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, 123static int
124 const unsigned char *sess_id, int sesslen, 124tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
125 SSL_SESSION **psess); 125 const unsigned char *sess_id, int sesslen,
126 SSL_SESSION **psess);
126#endif 127#endif
127 128
128SSL3_ENC_METHOD TLSv1_enc_data={ 129SSL3_ENC_METHOD TLSv1_enc_data = {
129 tls1_enc, 130 tls1_enc,
130 tls1_mac, 131 tls1_mac,
131 tls1_setup_key_block, 132 tls1_setup_key_block,
@@ -134,171 +135,173 @@ SSL3_ENC_METHOD TLSv1_enc_data={
134 tls1_final_finish_mac, 135 tls1_final_finish_mac,
135 TLS1_FINISH_MAC_LENGTH, 136 TLS1_FINISH_MAC_LENGTH,
136 tls1_cert_verify_mac, 137 tls1_cert_verify_mac,
137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 138 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 139 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
139 tls1_alert_code, 140 tls1_alert_code,
140 tls1_export_keying_material, 141 tls1_export_keying_material,
141 }; 142};
142 143
143long tls1_default_timeout(void) 144long
144 { 145tls1_default_timeout(void)
146{
145 /* 2 hours, the 24 hours mentioned in the TLSv1 spec 147 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146 * is way too long for http, the cache would over fill */ 148 * is way too long for http, the cache would over fill */
147 return(60*60*2); 149 return (60*60*2);
148 } 150}
149 151
150int tls1_new(SSL *s) 152int
151 { 153tls1_new(SSL *s)
152 if (!ssl3_new(s)) return(0); 154{
153 s->method->ssl_clear(s); 155 if (!ssl3_new(s)) return (0);
154 return(1); 156 s->method->ssl_clear(s);
155 } 157 return (1);
158}
156 159
157void tls1_free(SSL *s) 160void
158 { 161tls1_free(SSL *s)
162{
159#ifndef OPENSSL_NO_TLSEXT 163#ifndef OPENSSL_NO_TLSEXT
160 if (s->tlsext_session_ticket) 164 if (s->tlsext_session_ticket) {
161 {
162 OPENSSL_free(s->tlsext_session_ticket); 165 OPENSSL_free(s->tlsext_session_ticket);
163 } 166 }
164#endif /* OPENSSL_NO_TLSEXT */ 167#endif /* OPENSSL_NO_TLSEXT */
165 ssl3_free(s); 168 ssl3_free(s);
166 } 169}
167 170
168void tls1_clear(SSL *s) 171void
169 { 172tls1_clear(SSL *s)
173{
170 ssl3_clear(s); 174 ssl3_clear(s);
171 s->version = s->method->version; 175 s->version = s->method->version;
172 } 176}
173 177
174#ifndef OPENSSL_NO_EC 178#ifndef OPENSSL_NO_EC
175 179
176static int nid_list[] = 180static int nid_list[] = {
177 { 181 NID_sect163k1, /* sect163k1 (1) */
178 NID_sect163k1, /* sect163k1 (1) */ 182 NID_sect163r1, /* sect163r1 (2) */
179 NID_sect163r1, /* sect163r1 (2) */ 183 NID_sect163r2, /* sect163r2 (3) */
180 NID_sect163r2, /* sect163r2 (3) */ 184 NID_sect193r1, /* sect193r1 (4) */
181 NID_sect193r1, /* sect193r1 (4) */ 185 NID_sect193r2, /* sect193r2 (5) */
182 NID_sect193r2, /* sect193r2 (5) */ 186 NID_sect233k1, /* sect233k1 (6) */
183 NID_sect233k1, /* sect233k1 (6) */ 187 NID_sect233r1, /* sect233r1 (7) */
184 NID_sect233r1, /* sect233r1 (7) */ 188 NID_sect239k1, /* sect239k1 (8) */
185 NID_sect239k1, /* sect239k1 (8) */ 189 NID_sect283k1, /* sect283k1 (9) */
186 NID_sect283k1, /* sect283k1 (9) */ 190 NID_sect283r1, /* sect283r1 (10) */
187 NID_sect283r1, /* sect283r1 (10) */ 191 NID_sect409k1, /* sect409k1 (11) */
188 NID_sect409k1, /* sect409k1 (11) */ 192 NID_sect409r1, /* sect409r1 (12) */
189 NID_sect409r1, /* sect409r1 (12) */ 193 NID_sect571k1, /* sect571k1 (13) */
190 NID_sect571k1, /* sect571k1 (13) */ 194 NID_sect571r1, /* sect571r1 (14) */
191 NID_sect571r1, /* sect571r1 (14) */ 195 NID_secp160k1, /* secp160k1 (15) */
192 NID_secp160k1, /* secp160k1 (15) */ 196 NID_secp160r1, /* secp160r1 (16) */
193 NID_secp160r1, /* secp160r1 (16) */ 197 NID_secp160r2, /* secp160r2 (17) */
194 NID_secp160r2, /* secp160r2 (17) */ 198 NID_secp192k1, /* secp192k1 (18) */
195 NID_secp192k1, /* secp192k1 (18) */ 199 NID_X9_62_prime192v1, /* secp192r1 (19) */
196 NID_X9_62_prime192v1, /* secp192r1 (19) */ 200 NID_secp224k1, /* secp224k1 (20) */
197 NID_secp224k1, /* secp224k1 (20) */ 201 NID_secp224r1, /* secp224r1 (21) */
198 NID_secp224r1, /* secp224r1 (21) */ 202 NID_secp256k1, /* secp256k1 (22) */
199 NID_secp256k1, /* secp256k1 (22) */ 203 NID_X9_62_prime256v1, /* secp256r1 (23) */
200 NID_X9_62_prime256v1, /* secp256r1 (23) */ 204 NID_secp384r1, /* secp384r1 (24) */
201 NID_secp384r1, /* secp384r1 (24) */ 205 NID_secp521r1 /* secp521r1 (25) */
202 NID_secp521r1 /* secp521r1 (25) */ 206};
203 };
204 207
205static int pref_list[] = 208static int pref_list[] = {
206 { 209 NID_sect571r1, /* sect571r1 (14) */
207 NID_sect571r1, /* sect571r1 (14) */ 210 NID_sect571k1, /* sect571k1 (13) */
208 NID_sect571k1, /* sect571k1 (13) */ 211 NID_secp521r1, /* secp521r1 (25) */
209 NID_secp521r1, /* secp521r1 (25) */ 212 NID_sect409k1, /* sect409k1 (11) */
210 NID_sect409k1, /* sect409k1 (11) */ 213 NID_sect409r1, /* sect409r1 (12) */
211 NID_sect409r1, /* sect409r1 (12) */ 214 NID_secp384r1, /* secp384r1 (24) */
212 NID_secp384r1, /* secp384r1 (24) */ 215 NID_sect283k1, /* sect283k1 (9) */
213 NID_sect283k1, /* sect283k1 (9) */ 216 NID_sect283r1, /* sect283r1 (10) */
214 NID_sect283r1, /* sect283r1 (10) */ 217 NID_secp256k1, /* secp256k1 (22) */
215 NID_secp256k1, /* secp256k1 (22) */ 218 NID_X9_62_prime256v1, /* secp256r1 (23) */
216 NID_X9_62_prime256v1, /* secp256r1 (23) */ 219 NID_sect239k1, /* sect239k1 (8) */
217 NID_sect239k1, /* sect239k1 (8) */ 220 NID_sect233k1, /* sect233k1 (6) */
218 NID_sect233k1, /* sect233k1 (6) */ 221 NID_sect233r1, /* sect233r1 (7) */
219 NID_sect233r1, /* sect233r1 (7) */ 222 NID_secp224k1, /* secp224k1 (20) */
220 NID_secp224k1, /* secp224k1 (20) */ 223 NID_secp224r1, /* secp224r1 (21) */
221 NID_secp224r1, /* secp224r1 (21) */ 224 NID_sect193r1, /* sect193r1 (4) */
222 NID_sect193r1, /* sect193r1 (4) */ 225 NID_sect193r2, /* sect193r2 (5) */
223 NID_sect193r2, /* sect193r2 (5) */ 226 NID_secp192k1, /* secp192k1 (18) */
224 NID_secp192k1, /* secp192k1 (18) */ 227 NID_X9_62_prime192v1, /* secp192r1 (19) */
225 NID_X9_62_prime192v1, /* secp192r1 (19) */ 228 NID_sect163k1, /* sect163k1 (1) */
226 NID_sect163k1, /* sect163k1 (1) */ 229 NID_sect163r1, /* sect163r1 (2) */
227 NID_sect163r1, /* sect163r1 (2) */ 230 NID_sect163r2, /* sect163r2 (3) */
228 NID_sect163r2, /* sect163r2 (3) */ 231 NID_secp160k1, /* secp160k1 (15) */
229 NID_secp160k1, /* secp160k1 (15) */ 232 NID_secp160r1, /* secp160r1 (16) */
230 NID_secp160r1, /* secp160r1 (16) */ 233 NID_secp160r2, /* secp160r2 (17) */
231 NID_secp160r2, /* secp160r2 (17) */ 234};
232 };
233 235
234int tls1_ec_curve_id2nid(int curve_id) 236int
235 { 237tls1_ec_curve_id2nid(int curve_id)
238{
236 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 239 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237 if ((curve_id < 1) || ((unsigned int)curve_id > 240 if ((curve_id < 1) || ((unsigned int)curve_id >
238 sizeof(nid_list)/sizeof(nid_list[0]))) 241 sizeof(nid_list)/sizeof(nid_list[0])))
239 return 0; 242 return 0;
240 return nid_list[curve_id-1]; 243 return nid_list[curve_id - 1];
241 } 244}
242 245
243int tls1_ec_nid2curve_id(int nid) 246int
244 { 247tls1_ec_nid2curve_id(int nid)
248{
245 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 249 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246 switch (nid) 250 switch (nid) {
247 {
248 case NID_sect163k1: /* sect163k1 (1) */ 251 case NID_sect163k1: /* sect163k1 (1) */
249 return 1; 252 return 1;
250 case NID_sect163r1: /* sect163r1 (2) */ 253 case NID_sect163r1: /* sect163r1 (2) */
251 return 2; 254 return 2;
252 case NID_sect163r2: /* sect163r2 (3) */ 255 case NID_sect163r2: /* sect163r2 (3) */
253 return 3; 256 return 3;
254 case NID_sect193r1: /* sect193r1 (4) */ 257 case NID_sect193r1: /* sect193r1 (4) */
255 return 4; 258 return 4;
256 case NID_sect193r2: /* sect193r2 (5) */ 259 case NID_sect193r2: /* sect193r2 (5) */
257 return 5; 260 return 5;
258 case NID_sect233k1: /* sect233k1 (6) */ 261 case NID_sect233k1: /* sect233k1 (6) */
259 return 6; 262 return 6;
260 case NID_sect233r1: /* sect233r1 (7) */ 263 case NID_sect233r1: /* sect233r1 (7) */
261 return 7; 264 return 7;
262 case NID_sect239k1: /* sect239k1 (8) */ 265 case NID_sect239k1: /* sect239k1 (8) */
263 return 8; 266 return 8;
264 case NID_sect283k1: /* sect283k1 (9) */ 267 case NID_sect283k1: /* sect283k1 (9) */
265 return 9; 268 return 9;
266 case NID_sect283r1: /* sect283r1 (10) */ 269 case NID_sect283r1: /* sect283r1 (10) */
267 return 10; 270 return 10;
268 case NID_sect409k1: /* sect409k1 (11) */ 271 case NID_sect409k1: /* sect409k1 (11) */
269 return 11; 272 return 11;
270 case NID_sect409r1: /* sect409r1 (12) */ 273 case NID_sect409r1: /* sect409r1 (12) */
271 return 12; 274 return 12;
272 case NID_sect571k1: /* sect571k1 (13) */ 275 case NID_sect571k1: /* sect571k1 (13) */
273 return 13; 276 return 13;
274 case NID_sect571r1: /* sect571r1 (14) */ 277 case NID_sect571r1: /* sect571r1 (14) */
275 return 14; 278 return 14;
276 case NID_secp160k1: /* secp160k1 (15) */ 279 case NID_secp160k1: /* secp160k1 (15) */
277 return 15; 280 return 15;
278 case NID_secp160r1: /* secp160r1 (16) */ 281 case NID_secp160r1: /* secp160r1 (16) */
279 return 16; 282 return 16;
280 case NID_secp160r2: /* secp160r2 (17) */ 283 case NID_secp160r2: /* secp160r2 (17) */
281 return 17; 284 return 17;
282 case NID_secp192k1: /* secp192k1 (18) */ 285 case NID_secp192k1: /* secp192k1 (18) */
283 return 18; 286 return 18;
284 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 287 case NID_X9_62_prime192v1: /* secp192r1 (19) */
285 return 19; 288 return 19;
286 case NID_secp224k1: /* secp224k1 (20) */ 289 case NID_secp224k1: /* secp224k1 (20) */
287 return 20; 290 return 20;
288 case NID_secp224r1: /* secp224r1 (21) */ 291 case NID_secp224r1: /* secp224r1 (21) */
289 return 21; 292 return 21;
290 case NID_secp256k1: /* secp256k1 (22) */ 293 case NID_secp256k1: /* secp256k1 (22) */
291 return 22; 294 return 22;
292 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 295 case NID_X9_62_prime256v1: /* secp256r1 (23) */
293 return 23; 296 return 23;
294 case NID_secp384r1: /* secp384r1 (24) */ 297 case NID_secp384r1: /* secp384r1 (24) */
295 return 24; 298 return 24;
296 case NID_secp521r1: /* secp521r1 (25) */ 299 case NID_secp521r1: /* secp521r1 (25) */
297 return 25; 300 return 25;
298 default: 301 default:
299 return 0; 302 return 0;
300 }
301 } 303 }
304}
302#endif /* OPENSSL_NO_EC */ 305#endif /* OPENSSL_NO_EC */
303 306
304#ifndef OPENSSL_NO_TLSEXT 307#ifndef OPENSSL_NO_TLSEXT
@@ -344,33 +347,35 @@ static unsigned char tls12_sigalgs[] = {
344#endif 347#endif
345}; 348};
346 349
347int tls12_get_req_sig_algs(SSL *s, unsigned char *p) 350int
348 { 351tls12_get_req_sig_algs(SSL *s, unsigned char *p)
352{
349 size_t slen = sizeof(tls12_sigalgs); 353 size_t slen = sizeof(tls12_sigalgs);
350 if (p) 354 if (p)
351 memcpy(p, tls12_sigalgs, slen); 355 memcpy(p, tls12_sigalgs, slen);
352 return (int)slen; 356 return (int)slen;
353 } 357}
354 358
355unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 359unsigned char
356 { 360*ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
357 int extdatalen=0; 361{
362 int extdatalen = 0;
358 unsigned char *ret = p; 363 unsigned char *ret = p;
359 364
360 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 365 /* don't add extensions for SSLv3 unless doing secure renegotiation */
361 if (s->client_version == SSL3_VERSION 366 if (s->client_version == SSL3_VERSION
362 && !s->s3->send_connection_binding) 367 && !s->s3->send_connection_binding)
363 return p; 368 return p;
364 369
365 ret+=2; 370 ret += 2;
366 371
367 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 372 if (ret>=limit) return NULL; /* this really never occurs, but ... */
368 373
369 if (s->tlsext_hostname != NULL) 374 if (s->tlsext_hostname != NULL) {
370 {
371 /* Add TLS extension servername to the Client Hello message */ 375 /* Add TLS extension servername to the Client Hello message */
372 unsigned long size_str; 376 unsigned long size_str;
373 long lenmax; 377 long lenmax;
378
374 379
375 /* check for enough space. 380 /* check for enough space.
376 4 for the servername type and entension length 381 4 for the servername type and entension length
@@ -379,114 +384,117 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
379 2 for hostname length 384 2 for hostname length
380 + hostname length 385 + hostname length
381 */ 386 */
382 387
383 if ((lenmax = limit - ret - 9) < 0 388 if ((lenmax = limit - ret - 9) < 0
384 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 389 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
385 return NULL; 390 return NULL;
386 391
387 /* extension type and length */ 392 /* extension type and length */
388 s2n(TLSEXT_TYPE_server_name,ret); 393 s2n(TLSEXT_TYPE_server_name, ret);
389 s2n(size_str+5,ret); 394
390 395 s2n(size_str + 5, ret);
396
391 /* length of servername list */ 397 /* length of servername list */
392 s2n(size_str+3,ret); 398 s2n(size_str + 3, ret);
393 399
394 /* hostname type, length and hostname */ 400 /* hostname type, length and hostname */
395 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; 401 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
396 s2n(size_str,ret); 402 s2n(size_str, ret);
397 memcpy(ret, s->tlsext_hostname, size_str); 403 memcpy(ret, s->tlsext_hostname, size_str);
398 ret+=size_str; 404 ret += size_str;
405 }
406
407 /* Add RI if renegotiating */
408 if (s->renegotiate) {
409 int el;
410
411 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
412 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
413 return NULL;
399 } 414 }
400 415
401 /* Add RI if renegotiating */ 416 if ((limit - p - 4 - el)
402 if (s->renegotiate) 417 < 0) return NULL;
403 { 418
404 int el; 419 s2n(TLSEXT_TYPE_renegotiate, ret);
405 420 s2n(el, ret);
406 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) 421
407 { 422 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
408 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 423 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
409 return NULL; 424 return NULL;
410 } 425 }
411 426
412 if((limit - p - 4 - el) < 0) return NULL; 427 ret += el;
413 428 }
414 s2n(TLSEXT_TYPE_renegotiate,ret);
415 s2n(el,ret);
416
417 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
418 {
419 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
420 return NULL;
421 }
422
423 ret += el;
424 }
425 429
426#ifndef OPENSSL_NO_SRP 430#ifndef OPENSSL_NO_SRP
427 /* Add SRP username if there is one */ 431 /* Add SRP username if there is one */
428 if (s->srp_ctx.login != NULL) 432 if (s->srp_ctx.login != NULL)
429 { /* Add TLS extension SRP username to the Client Hello message */ 433 { /* Add TLS extension SRP username to the Client Hello message */
434
435 int login_len = strlen(s->srp_ctx.login);
430 436
431 int login_len = strlen(s->srp_ctx.login); 437 if (login_len > 255 || login_len == 0) {
432 if (login_len > 255 || login_len == 0)
433 {
434 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 438 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
435 return NULL; 439 return NULL;
436 } 440 }
437 441
438 /* check for enough space. 442 /* check for enough space.
439 4 for the srp type type and entension length 443 4 for the srp type type and entension length
440 1 for the srp user identity 444 1 for the srp user identity
441 + srp user identity length 445 + srp user identity length
442 */ 446 */
443 if ((limit - ret - 5 - login_len) < 0) return NULL; 447 if ((limit - ret - 5 - login_len)
448 < 0) return NULL;
449
444 450
445 /* fill in the extension */ 451 /* fill in the extension */
446 s2n(TLSEXT_TYPE_srp,ret); 452 s2n(TLSEXT_TYPE_srp, ret);
447 s2n(login_len+1,ret); 453 s2n(login_len + 1, ret);
448 (*ret++) = (unsigned char) login_len; 454 (*ret++) = (unsigned char) login_len;
449 memcpy(ret, s->srp_ctx.login, login_len); 455 memcpy(ret, s->srp_ctx.login, login_len);
450 ret+=login_len; 456 ret += login_len;
451 } 457 }
452#endif 458#endif
453 459
454#ifndef OPENSSL_NO_EC 460#ifndef OPENSSL_NO_EC
455 if (s->tlsext_ecpointformatlist != NULL && 461 if (s->tlsext_ecpointformatlist != NULL &&
456 s->version != DTLS1_VERSION) 462 s->version != DTLS1_VERSION) {
457 {
458 /* Add TLS extension ECPointFormats to the ClientHello message */ 463 /* Add TLS extension ECPointFormats to the ClientHello message */
459 long lenmax; 464 long lenmax;
465
466
467 if ((lenmax = limit - ret - 5)
468 < 0) return NULL;
460 469
461 if ((lenmax = limit - ret - 5) < 0) return NULL;
462 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 470 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
463 if (s->tlsext_ecpointformatlist_length > 255) 471 if (s->tlsext_ecpointformatlist_length > 255) {
464 {
465 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 472 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
466 return NULL; 473 return NULL;
467 } 474 }
468 475
469 s2n(TLSEXT_TYPE_ec_point_formats,ret); 476 s2n(TLSEXT_TYPE_ec_point_formats, ret);
470 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 477 s2n(s->tlsext_ecpointformatlist_length + 1, ret);
471 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 478 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
472 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 479 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
473 ret+=s->tlsext_ecpointformatlist_length; 480 ret += s->tlsext_ecpointformatlist_length;
474 } 481 }
475 if (s->tlsext_ellipticcurvelist != NULL && 482 if (s->tlsext_ellipticcurvelist != NULL &&
476 s->version != DTLS1_VERSION) 483 s->version != DTLS1_VERSION) {
477 {
478 /* Add TLS extension EllipticCurves to the ClientHello message */ 484 /* Add TLS extension EllipticCurves to the ClientHello message */
479 long lenmax; 485 long lenmax;
486
487
488 if ((lenmax = limit - ret - 6)
489 < 0) return NULL;
480 490
481 if ((lenmax = limit - ret - 6) < 0) return NULL;
482 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; 491 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
483 if (s->tlsext_ellipticcurvelist_length > 65532) 492 if (s->tlsext_ellipticcurvelist_length > 65532) {
484 {
485 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 493 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
486 return NULL; 494 return NULL;
487 } 495 }
488 496
489 s2n(TLSEXT_TYPE_elliptic_curves,ret); 497 s2n(TLSEXT_TYPE_elliptic_curves, ret);
490 s2n(s->tlsext_ellipticcurvelist_length + 2, ret); 498 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
491 499
492 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 500 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
@@ -496,111 +504,103 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
496 */ 504 */
497 s2n(s->tlsext_ellipticcurvelist_length, ret); 505 s2n(s->tlsext_ellipticcurvelist_length, ret);
498 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); 506 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
499 ret+=s->tlsext_ellipticcurvelist_length; 507 ret += s->tlsext_ellipticcurvelist_length;
500 } 508 }
501#endif /* OPENSSL_NO_EC */ 509#endif /* OPENSSL_NO_EC */
502 510
503 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) 511 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
504 {
505 int ticklen; 512 int ticklen;
506 if (!s->new_session && s->session && s->session->tlsext_tick) 513 if (!s->new_session && s->session && s->session->tlsext_tick)
507 ticklen = s->session->tlsext_ticklen; 514 ticklen = s->session->tlsext_ticklen;
508 else if (s->session && s->tlsext_session_ticket && 515 else if (s->session && s->tlsext_session_ticket &&
509 s->tlsext_session_ticket->data) 516 s->tlsext_session_ticket->data) {
510 {
511 ticklen = s->tlsext_session_ticket->length; 517 ticklen = s->tlsext_session_ticket->length;
512 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 518 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
513 if (!s->session->tlsext_tick) 519 if (!s->session->tlsext_tick)
514 return NULL; 520 return NULL;
515 memcpy(s->session->tlsext_tick, 521 memcpy(s->session->tlsext_tick,
516 s->tlsext_session_ticket->data, 522 s->tlsext_session_ticket->data,
517 ticklen); 523 ticklen);
518 s->session->tlsext_ticklen = ticklen; 524 s->session->tlsext_ticklen = ticklen;
519 } 525 } else
520 else
521 ticklen = 0; 526 ticklen = 0;
522 if (ticklen == 0 && s->tlsext_session_ticket && 527 if (ticklen == 0 && s->tlsext_session_ticket &&
523 s->tlsext_session_ticket->data == NULL) 528 s->tlsext_session_ticket->data == NULL)
524 goto skip_ext; 529 goto skip_ext;
525 /* Check for enough room 2 for extension type, 2 for len 530 /* Check for enough room 2 for extension type, 2 for len
526 * rest for ticket 531 * rest for ticket
527 */ 532 */
528 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; 533 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
529 s2n(TLSEXT_TYPE_session_ticket,ret); 534 s2n(TLSEXT_TYPE_session_ticket, ret);
530 s2n(ticklen,ret); 535
531 if (ticklen) 536 s2n(ticklen, ret);
532 { 537 if (ticklen) {
533 memcpy(ret, s->session->tlsext_tick, ticklen); 538 memcpy(ret, s->session->tlsext_tick, ticklen);
534 ret += ticklen; 539 ret += ticklen;
535 }
536 } 540 }
537 skip_ext: 541 }
542 skip_ext:
538 543
539 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 544 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
540 {
541 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 545 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
542 return NULL; 546 return NULL;
543 s2n(TLSEXT_TYPE_signature_algorithms,ret); 547
548 s2n(TLSEXT_TYPE_signature_algorithms, ret);
544 s2n(sizeof(tls12_sigalgs) + 2, ret); 549 s2n(sizeof(tls12_sigalgs) + 2, ret);
545 s2n(sizeof(tls12_sigalgs), ret); 550 s2n(sizeof(tls12_sigalgs), ret);
546 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); 551 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
547 ret += sizeof(tls12_sigalgs); 552 ret += sizeof(tls12_sigalgs);
548 } 553 }
549 554
550#ifdef TLSEXT_TYPE_opaque_prf_input 555#ifdef TLSEXT_TYPE_opaque_prf_input
551 if (s->s3->client_opaque_prf_input != NULL && 556 if (s->s3->client_opaque_prf_input != NULL &&
552 s->version != DTLS1_VERSION) 557 s->version != DTLS1_VERSION) {
553 {
554 size_t col = s->s3->client_opaque_prf_input_len; 558 size_t col = s->s3->client_opaque_prf_input_len;
555 559
556 if ((long)(limit - ret - 6 - col < 0)) 560 if ((long)(limit - ret - 6 - col < 0))
557 return NULL; 561 return NULL;
558 if (col > 0xFFFD) /* can't happen */ 562 if (col > 0xFFFD) /* can't happen */
559 return NULL; 563 return NULL;
560 564
561 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 565 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
566
562 s2n(col + 2, ret); 567 s2n(col + 2, ret);
563 s2n(col, ret); 568 s2n(col, ret);
564 memcpy(ret, s->s3->client_opaque_prf_input, col); 569 memcpy(ret, s->s3->client_opaque_prf_input, col);
565 ret += col; 570 ret += col;
566 } 571 }
567#endif 572#endif
568 573
569 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 574 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
570 s->version != DTLS1_VERSION) 575 s->version != DTLS1_VERSION) {
571 {
572 int i; 576 int i;
573 long extlen, idlen, itmp; 577 long extlen, idlen, itmp;
574 OCSP_RESPID *id; 578 OCSP_RESPID *id;
575 579
576 idlen = 0; 580 idlen = 0;
577 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 581 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
578 {
579 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 582 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
580 itmp = i2d_OCSP_RESPID(id, NULL); 583 itmp = i2d_OCSP_RESPID(id, NULL);
581 if (itmp <= 0) 584 if (itmp <= 0)
582 return NULL; 585 return NULL;
583 idlen += itmp + 2; 586 idlen += itmp + 2;
584 } 587 }
585 588
586 if (s->tlsext_ocsp_exts) 589 if (s->tlsext_ocsp_exts) {
587 {
588 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); 590 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
589 if (extlen < 0) 591 if (extlen < 0)
590 return NULL; 592 return NULL;
591 } 593 } else
592 else
593 extlen = 0; 594 extlen = 0;
594 595
595 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 596 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
596 s2n(TLSEXT_TYPE_status_request, ret); 597 s2n(TLSEXT_TYPE_status_request, ret);
597 if (extlen + idlen > 0xFFF0) 598 if (extlen + idlen > 0xFFF0)
598 return NULL; 599 return NULL;
599 s2n(extlen + idlen + 5, ret); 600 s2n(extlen + idlen + 5, ret);
600 *(ret++) = TLSEXT_STATUSTYPE_ocsp; 601 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
601 s2n(idlen, ret); 602 s2n(idlen, ret);
602 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) 603 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
603 {
604 /* save position of id len */ 604 /* save position of id len */
605 unsigned char *q = ret; 605 unsigned char *q = ret;
606 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 606 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
@@ -609,16 +609,16 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
609 itmp = i2d_OCSP_RESPID(id, &ret); 609 itmp = i2d_OCSP_RESPID(id, &ret);
610 /* write id len */ 610 /* write id len */
611 s2n(itmp, q); 611 s2n(itmp, q);
612 } 612 }
613 s2n(extlen, ret); 613 s2n(extlen, ret);
614 if (extlen > 0) 614 if (extlen > 0)
615 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 615 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
616 } 616 }
617 617
618#ifndef OPENSSL_NO_HEARTBEATS 618#ifndef OPENSSL_NO_HEARTBEATS
619 /* Add Heartbeat extension */ 619 /* Add Heartbeat extension */
620 s2n(TLSEXT_TYPE_heartbeat,ret); 620 s2n(TLSEXT_TYPE_heartbeat, ret);
621 s2n(1,ret); 621 s2n(1, ret);
622 /* Set mode: 622 /* Set mode:
623 * 1: peer may send requests 623 * 1: peer may send requests
624 * 2: peer not allowed to send requests 624 * 2: peer not allowed to send requests
@@ -630,36 +630,34 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
630#endif 630#endif
631 631
632#ifndef OPENSSL_NO_NEXTPROTONEG 632#ifndef OPENSSL_NO_NEXTPROTONEG
633 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) 633 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
634 {
635 /* The client advertises an emtpy extension to indicate its 634 /* The client advertises an emtpy extension to indicate its
636 * support for Next Protocol Negotiation */ 635 * support for Next Protocol Negotiation */
637 if (limit - ret - 4 < 0) 636 if (limit - ret - 4 < 0)
638 return NULL; 637 return NULL;
639 s2n(TLSEXT_TYPE_next_proto_neg,ret); 638 s2n(TLSEXT_TYPE_next_proto_neg, ret);
640 s2n(0,ret); 639 s2n(0, ret);
641 } 640 }
642#endif 641#endif
643 642
644#ifndef OPENSSL_NO_SRTP 643#ifndef OPENSSL_NO_SRTP
645 if(SSL_get_srtp_profiles(s)) 644 if (SSL_get_srtp_profiles(s)) {
646 { 645 int el;
647 int el;
648 646
649 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 647 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
650
651 if((limit - p - 4 - el) < 0) return NULL;
652 648
653 s2n(TLSEXT_TYPE_use_srtp,ret); 649 if ((limit - p - 4 - el)
654 s2n(el,ret); 650 < 0) return NULL;
655 651
656 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) 652 s2n(TLSEXT_TYPE_use_srtp, ret);
657 { 653 s2n(el, ret);
654
655 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
658 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 656 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
659 return NULL; 657 return NULL;
660 } 658 }
661 ret += el; 659 ret += el;
662 } 660 }
663#endif 661#endif
664 662
665#ifdef TLSEXT_TYPE_padding 663#ifdef TLSEXT_TYPE_padding
@@ -670,38 +668,38 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
670 * extensions it MUST always appear last. 668 * extensions it MUST always appear last.
671 */ 669 */
672 { 670 {
673 int hlen = ret - (unsigned char *)s->init_buf->data; 671 int hlen = ret - (unsigned char *)s->init_buf->data;
674 /* The code in s23_clnt.c to build ClientHello messages includes the 672 /* The code in s23_clnt.c to build ClientHello messages includes the
675 * 5-byte record header in the buffer, while the code in s3_clnt.c does 673 * 5-byte record header in the buffer, while the code in s3_clnt.c does
676 * not. */ 674 * not. */
677 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) 675 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
678 hlen -= 5; 676 hlen -= 5;
679 if (hlen > 0xff && hlen < 0x200) 677 if (hlen > 0xff && hlen < 0x200) {
680 { 678 hlen = 0x200 - hlen;
681 hlen = 0x200 - hlen; 679 if (hlen >= 4)
682 if (hlen >= 4) 680 hlen -= 4;
683 hlen -= 4; 681 else
684 else 682 hlen = 0;
685 hlen = 0;
686 683
687 s2n(TLSEXT_TYPE_padding, ret); 684 s2n(TLSEXT_TYPE_padding, ret);
688 s2n(hlen, ret); 685 s2n(hlen, ret);
689 memset(ret, 0, hlen); 686 memset(ret, 0, hlen);
690 ret += hlen; 687 ret += hlen;
691 } 688 }
692 } 689 }
693#endif 690#endif
694 691
695 if ((extdatalen = ret-p-2)== 0) 692 if ((extdatalen = ret - p - 2) == 0)
696 return p; 693 return p;
697 694
698 s2n(extdatalen,p); 695 s2n(extdatalen, p);
699 return ret; 696 return ret;
700 } 697}
701 698
702unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 699unsigned char
703 { 700*ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
704 int extdatalen=0; 701{
702 int extdatalen = 0;
705 unsigned char *ret = p; 703 unsigned char *ret = p;
706#ifndef OPENSSL_NO_NEXTPROTONEG 704#ifndef OPENSSL_NO_NEXTPROTONEG
707 int next_proto_neg_seen; 705 int next_proto_neg_seen;
@@ -710,143 +708,141 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
710 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 708 /* don't add extensions for SSLv3, unless doing secure renegotiation */
711 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 709 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
712 return p; 710 return p;
713 711
714 ret+=2; 712 ret += 2;
715 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 713 if (ret>=limit) return NULL; /* this really never occurs, but ... */
716 714
717 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) 715 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) {
718 { 716 if ((long)(limit - ret - 4) < 0) return NULL;
719 if ((long)(limit - ret - 4) < 0) return NULL; 717
718
719 s2n(TLSEXT_TYPE_server_name, ret);
720 s2n(0, ret);
721 }
722
723 if (s->s3->send_connection_binding) {
724 int el;
720 725
721 s2n(TLSEXT_TYPE_server_name,ret); 726 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
722 s2n(0,ret); 727 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
728 return NULL;
723 } 729 }
724 730
725 if(s->s3->send_connection_binding) 731 if ((limit - p - 4 - el)
726 { 732 < 0) return NULL;
727 int el; 733
728 734 s2n(TLSEXT_TYPE_renegotiate, ret);
729 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) 735 s2n(el, ret);
730 { 736
731 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 737 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
732 return NULL; 738 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
733 } 739 return NULL;
734 740 }
735 if((limit - p - 4 - el) < 0) return NULL; 741
736 742 ret += el;
737 s2n(TLSEXT_TYPE_renegotiate,ret); 743 }
738 s2n(el,ret);
739
740 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
741 {
742 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
743 return NULL;
744 }
745
746 ret += el;
747 }
748 744
749#ifndef OPENSSL_NO_EC 745#ifndef OPENSSL_NO_EC
750 if (s->tlsext_ecpointformatlist != NULL && 746 if (s->tlsext_ecpointformatlist != NULL &&
751 s->version != DTLS1_VERSION) 747 s->version != DTLS1_VERSION) {
752 {
753 /* Add TLS extension ECPointFormats to the ServerHello message */ 748 /* Add TLS extension ECPointFormats to the ServerHello message */
754 long lenmax; 749 long lenmax;
750
751
752 if ((lenmax = limit - ret - 5)
753 < 0) return NULL;
755 754
756 if ((lenmax = limit - ret - 5) < 0) return NULL;
757 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 755 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
758 if (s->tlsext_ecpointformatlist_length > 255) 756 if (s->tlsext_ecpointformatlist_length > 255) {
759 {
760 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 757 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
761 return NULL; 758 return NULL;
762 } 759 }
763 760
764 s2n(TLSEXT_TYPE_ec_point_formats,ret); 761 s2n(TLSEXT_TYPE_ec_point_formats, ret);
765 s2n(s->tlsext_ecpointformatlist_length + 1,ret); 762 s2n(s->tlsext_ecpointformatlist_length + 1, ret);
766 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; 763 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
767 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); 764 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
768 ret+=s->tlsext_ecpointformatlist_length; 765 ret += s->tlsext_ecpointformatlist_length;
769 766
770 } 767 }
771 /* Currently the server should not respond with a SupportedCurves extension */ 768 /* Currently the server should not respond with a SupportedCurves extension */
772#endif /* OPENSSL_NO_EC */ 769#endif /* OPENSSL_NO_EC */
773 770
774 if (s->tlsext_ticket_expected 771 if (s->tlsext_ticket_expected
775 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 772 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
776 { 773 if ((long)(limit - ret - 4) < 0) return NULL;
777 if ((long)(limit - ret - 4) < 0) return NULL;
778 s2n(TLSEXT_TYPE_session_ticket,ret);
779 s2n(0,ret);
780 }
781 774
782 if (s->tlsext_status_expected) 775 s2n(TLSEXT_TYPE_session_ticket, ret);
783 { 776 s2n(0, ret);
784 if ((long)(limit - ret - 4) < 0) return NULL; 777 }
785 s2n(TLSEXT_TYPE_status_request,ret); 778
786 s2n(0,ret); 779 if (s->tlsext_status_expected) {
787 } 780 if ((long)(limit - ret - 4) < 0) return NULL;
781
782 s2n(TLSEXT_TYPE_status_request, ret);
783 s2n(0, ret);
784 }
788 785
789#ifdef TLSEXT_TYPE_opaque_prf_input 786#ifdef TLSEXT_TYPE_opaque_prf_input
790 if (s->s3->server_opaque_prf_input != NULL && 787 if (s->s3->server_opaque_prf_input != NULL &&
791 s->version != DTLS1_VERSION) 788 s->version != DTLS1_VERSION) {
792 {
793 size_t sol = s->s3->server_opaque_prf_input_len; 789 size_t sol = s->s3->server_opaque_prf_input_len;
794 790
795 if ((long)(limit - ret - 6 - sol) < 0) 791 if ((long)(limit - ret - 6 - sol) < 0)
796 return NULL; 792 return NULL;
797 if (sol > 0xFFFD) /* can't happen */ 793 if (sol > 0xFFFD) /* can't happen */
798 return NULL; 794 return NULL;
799 795
800 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 796 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
797
801 s2n(sol + 2, ret); 798 s2n(sol + 2, ret);
802 s2n(sol, ret); 799 s2n(sol, ret);
803 memcpy(ret, s->s3->server_opaque_prf_input, sol); 800 memcpy(ret, s->s3->server_opaque_prf_input, sol);
804 ret += sol; 801 ret += sol;
805 } 802 }
806#endif 803#endif
807 804
808#ifndef OPENSSL_NO_SRTP 805#ifndef OPENSSL_NO_SRTP
809 if(s->srtp_profile) 806 if (s->srtp_profile) {
810 { 807 int el;
811 int el;
812 808
813 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); 809 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
814
815 if((limit - p - 4 - el) < 0) return NULL;
816 810
817 s2n(TLSEXT_TYPE_use_srtp,ret); 811 if ((limit - p - 4 - el) < 0)
818 s2n(el,ret); 812 return NULL;
819 813
820 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) 814 s2n(TLSEXT_TYPE_use_srtp, ret);
821 { 815 s2n(el, ret);
816
817 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
822 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 818 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
823 return NULL; 819 return NULL;
824 } 820 }
825 ret+=el; 821 ret += el;
826 } 822 }
827#endif 823#endif
828 824
829 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 825 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
830 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 826 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
831 { const unsigned char cryptopro_ext[36] = { 827 const unsigned char cryptopro_ext[36] = {
832 0xfd, 0xe8, /*65000*/ 828 0xfd, 0xe8, /*65000*/
833 0x00, 0x20, /*32 bytes length*/ 829 0x00, 0x20, /*32 bytes length*/
834 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 830 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
835 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 831 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
836 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 832 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
837 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17}; 833 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
838 if (limit-ret<36) return NULL; 834 };
839 memcpy(ret,cryptopro_ext,36); 835 if (limit - ret < 36)
840 ret+=36; 836 return NULL;
841 837 memcpy(ret, cryptopro_ext, 36);
842 } 838 ret += 36;
839 }
843 840
844#ifndef OPENSSL_NO_HEARTBEATS 841#ifndef OPENSSL_NO_HEARTBEATS
845 /* Add Heartbeat extension if we've received one */ 842 /* Add Heartbeat extension if we've received one */
846 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) 843 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
847 { 844 s2n(TLSEXT_TYPE_heartbeat, ret);
848 s2n(TLSEXT_TYPE_heartbeat,ret); 845 s2n(1, ret);
849 s2n(1,ret);
850 /* Set mode: 846 /* Set mode:
851 * 1: peer may send requests 847 * 1: peer may send requests
852 * 2: peer not allowed to send requests 848 * 2: peer not allowed to send requests
@@ -856,37 +852,35 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
856 else 852 else
857 *(ret++) = SSL_TLSEXT_HB_ENABLED; 853 *(ret++) = SSL_TLSEXT_HB_ENABLED;
858 854
859 } 855 }
860#endif 856#endif
861 857
862#ifndef OPENSSL_NO_NEXTPROTONEG 858#ifndef OPENSSL_NO_NEXTPROTONEG
863 next_proto_neg_seen = s->s3->next_proto_neg_seen; 859 next_proto_neg_seen = s->s3->next_proto_neg_seen;
864 s->s3->next_proto_neg_seen = 0; 860 s->s3->next_proto_neg_seen = 0;
865 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) 861 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
866 {
867 const unsigned char *npa; 862 const unsigned char *npa;
868 unsigned int npalen; 863 unsigned int npalen;
869 int r; 864 int r;
870 865
871 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); 866 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
872 if (r == SSL_TLSEXT_ERR_OK) 867 if (r == SSL_TLSEXT_ERR_OK) {
873 {
874 if ((long)(limit - ret - 4 - npalen) < 0) return NULL; 868 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
875 s2n(TLSEXT_TYPE_next_proto_neg,ret); 869 s2n(TLSEXT_TYPE_next_proto_neg, ret);
876 s2n(npalen,ret); 870 s2n(npalen, ret);
877 memcpy(ret, npa, npalen); 871 memcpy(ret, npa, npalen);
878 ret += npalen; 872 ret += npalen;
879 s->s3->next_proto_neg_seen = 1; 873 s->s3->next_proto_neg_seen = 1;
880 }
881 } 874 }
875 }
882#endif 876#endif
883 877
884 if ((extdatalen = ret-p-2)== 0) 878 if ((extdatalen = ret - p - 2) == 0)
885 return p; 879 return p;
886 880
887 s2n(extdatalen,p); 881 s2n(extdatalen, p);
888 return ret; 882 return ret;
889 } 883}
890 884
891#ifndef OPENSSL_NO_EC 885#ifndef OPENSSL_NO_EC
892/* ssl_check_for_safari attempts to fingerprint Safari using OS X 886/* ssl_check_for_safari attempts to fingerprint Safari using OS X
@@ -901,7 +895,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
901 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 895 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
902 * 10.8..10.8.3 (which don't work). 896 * 10.8..10.8.3 (which don't work).
903 */ 897 */
904static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { 898static void
899ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
905 unsigned short type, size; 900 unsigned short type, size;
906 static const unsigned char kSafariExtensionsBlock[] = { 901 static const unsigned char kSafariExtensionsBlock[] = {
907 0x00, 0x0a, /* elliptic_curves extension */ 902 0x00, 0x0a, /* elliptic_curves extension */
@@ -929,50 +924,49 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsign
929 0x02, 0x03, /* SHA-1/ECDSA */ 924 0x02, 0x03, /* SHA-1/ECDSA */
930 }; 925 };
931 926
932 if (data >= (d+n-2)) 927 if (data >= (d + n - 2))
933 return; 928 return;
934 data += 2; 929 data += 2;
935 930
936 if (data > (d+n-4)) 931 if (data > (d + n - 4))
937 return; 932 return;
938 n2s(data,type); 933 n2s(data, type);
939 n2s(data,size); 934 n2s(data, size);
940 935
941 if (type != TLSEXT_TYPE_server_name) 936 if (type != TLSEXT_TYPE_server_name)
942 return; 937 return;
943 938
944 if (data+size > d+n) 939 if (data + size > d + n)
945 return; 940 return;
946 data += size; 941 data += size;
947 942
948 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) 943 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
949 {
950 const size_t len1 = sizeof(kSafariExtensionsBlock); 944 const size_t len1 = sizeof(kSafariExtensionsBlock);
951 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); 945 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
952 946
953 if (data + len1 + len2 != d+n) 947 if (data + len1 + len2 != d + n)
954 return; 948 return;
955 if (memcmp(data, kSafariExtensionsBlock, len1) != 0) 949 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
956 return; 950 return;
957 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) 951 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
958 return; 952 return;
959 } 953 } else {
960 else
961 {
962 const size_t len = sizeof(kSafariExtensionsBlock); 954 const size_t len = sizeof(kSafariExtensionsBlock);
963 955
964 if (data + len != d+n) 956 if (data + len != d + n)
965 return; 957 return;
966 if (memcmp(data, kSafariExtensionsBlock, len) != 0) 958 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
967 return; 959 return;
968 } 960 }
969 961
970 s->s3->is_probably_safari = 1; 962 s->s3->is_probably_safari = 1;
971} 963}
972#endif /* !OPENSSL_NO_EC */ 964#endif /* !OPENSSL_NO_EC */
973 965
974int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 966int
975 { 967ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
968 int n, int *al)
969{
976 unsigned short type; 970 unsigned short type;
977 unsigned short size; 971 unsigned short size;
978 unsigned short len; 972 unsigned short len;
@@ -988,7 +982,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
988 982
989#ifndef OPENSSL_NO_HEARTBEATS 983#ifndef OPENSSL_NO_HEARTBEATS
990 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 984 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
991 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 985 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
992#endif 986#endif
993 987
994#ifndef OPENSSL_NO_EC 988#ifndef OPENSSL_NO_EC
@@ -996,26 +990,25 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
996 ssl_check_for_safari(s, data, d, n); 990 ssl_check_for_safari(s, data, d, n);
997#endif /* !OPENSSL_NO_EC */ 991#endif /* !OPENSSL_NO_EC */
998 992
999 if (data >= (d+n-2)) 993 if (data >= (d + n - 2))
1000 goto ri_check; 994 goto ri_check;
1001 n2s(data,len); 995 n2s(data, len);
1002 996
1003 if (data > (d+n-len)) 997 if (data > (d + n - len))
1004 goto ri_check; 998 goto ri_check;
1005 999
1006 while (data <= (d+n-4)) 1000 while (data <= (d + n - 4)) {
1007 { 1001 n2s(data, type);
1008 n2s(data,type); 1002 n2s(data, size);
1009 n2s(data,size);
1010 1003
1011 if (data+size > (d+n)) 1004 if (data + size > (d + n))
1012 goto ri_check; 1005 goto ri_check;
1013#if 0 1006#if 0
1014 fprintf(stderr,"Received extension type %d size %d\n",type,size); 1007 fprintf(stderr, "Received extension type %d size %d\n", type, size);
1015#endif 1008#endif
1016 if (s->tlsext_debug_cb) 1009 if (s->tlsext_debug_cb)
1017 s->tlsext_debug_cb(s, 0, type, data, size, 1010 s->tlsext_debug_cb(s, 0, type, data, size,
1018 s->tlsext_debug_arg); 1011 s->tlsext_debug_arg);
1019/* The servername extension is treated as follows: 1012/* The servername extension is treated as follows:
1020 1013
1021 - Only the hostname type is supported with a maximum length of 255. 1014 - Only the hostname type is supported with a maximum length of 255.
@@ -1039,206 +1032,180 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1039 1032
1040*/ 1033*/
1041 1034
1042 if (type == TLSEXT_TYPE_server_name) 1035 if (type == TLSEXT_TYPE_server_name) {
1043 {
1044 unsigned char *sdata; 1036 unsigned char *sdata;
1045 int servname_type; 1037 int servname_type;
1046 int dsize; 1038 int dsize;
1047 1039
1048 if (size < 2) 1040
1049 { 1041 if (size < 2) {
1050 *al = SSL_AD_DECODE_ERROR; 1042 *al = SSL_AD_DECODE_ERROR;
1051 return 0; 1043 return 0;
1052 } 1044 }
1053 n2s(data,dsize); 1045 n2s(data, dsize);
1046
1054 size -= 2; 1047 size -= 2;
1055 if (dsize > size ) 1048 if (dsize > size) {
1056 {
1057 *al = SSL_AD_DECODE_ERROR; 1049 *al = SSL_AD_DECODE_ERROR;
1058 return 0; 1050 return 0;
1059 } 1051 }
1060 1052
1061 sdata = data; 1053 sdata = data;
1062 while (dsize > 3) 1054 while (dsize > 3) {
1063 { 1055 servname_type = *(sdata++);
1064 servname_type = *(sdata++); 1056
1065 n2s(sdata,len); 1057 n2s(sdata, len);
1066 dsize -= 3; 1058 dsize -= 3;
1067 1059
1068 if (len > dsize) 1060 if (len > dsize) {
1069 {
1070 *al = SSL_AD_DECODE_ERROR; 1061 *al = SSL_AD_DECODE_ERROR;
1071 return 0; 1062 return 0;
1072 } 1063 }
1073 if (s->servername_done == 0) 1064 if (s->servername_done == 0)
1074 switch (servname_type) 1065 switch (servname_type) {
1075 {
1076 case TLSEXT_NAMETYPE_host_name: 1066 case TLSEXT_NAMETYPE_host_name:
1077 if (!s->hit) 1067 if (!s->hit) {
1078 { 1068 if (s->session->tlsext_hostname) {
1079 if(s->session->tlsext_hostname)
1080 {
1081 *al = SSL_AD_DECODE_ERROR; 1069 *al = SSL_AD_DECODE_ERROR;
1082 return 0; 1070 return 0;
1083 } 1071 }
1084 if (len > TLSEXT_MAXLEN_host_name) 1072 if (len > TLSEXT_MAXLEN_host_name) {
1085 {
1086 *al = TLS1_AD_UNRECOGNIZED_NAME; 1073 *al = TLS1_AD_UNRECOGNIZED_NAME;
1087 return 0; 1074 return 0;
1088 } 1075 }
1089 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) 1076 if ((s->session->tlsext_hostname = OPENSSL_malloc(len + 1)) == NULL) {
1090 {
1091 *al = TLS1_AD_INTERNAL_ERROR; 1077 *al = TLS1_AD_INTERNAL_ERROR;
1092 return 0; 1078 return 0;
1093 } 1079 }
1094 memcpy(s->session->tlsext_hostname, sdata, len); 1080 memcpy(s->session->tlsext_hostname, sdata, len);
1095 s->session->tlsext_hostname[len]='\0'; 1081 s->session->tlsext_hostname[len] = '\0';
1096 if (strlen(s->session->tlsext_hostname) != len) { 1082 if (strlen(s->session->tlsext_hostname) != len) {
1097 OPENSSL_free(s->session->tlsext_hostname); 1083 OPENSSL_free(s->session->tlsext_hostname);
1098 s->session->tlsext_hostname = NULL; 1084 s->session->tlsext_hostname = NULL;
1099 *al = TLS1_AD_UNRECOGNIZED_NAME; 1085 *al = TLS1_AD_UNRECOGNIZED_NAME;
1100 return 0; 1086 return 0;
1101 } 1087 }
1102 s->servername_done = 1; 1088 s->servername_done = 1;
1103 1089
1104 } 1090
1105 else 1091 } else
1106 s->servername_done = s->session->tlsext_hostname 1092 s->servername_done = s->session->tlsext_hostname
1107 && strlen(s->session->tlsext_hostname) == len 1093 && strlen(s->session->tlsext_hostname) == len
1108 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1094 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1109 1095
1110 break; 1096 break;
1111 1097
1112 default: 1098 default:
1113 break; 1099 break;
1114 }
1115
1116 dsize -= len;
1117 } 1100 }
1118 if (dsize != 0) 1101
1119 { 1102 dsize -= len;
1103 }
1104 if (dsize != 0) {
1120 *al = SSL_AD_DECODE_ERROR; 1105 *al = SSL_AD_DECODE_ERROR;
1121 return 0; 1106 return 0;
1122 }
1123
1124 } 1107 }
1108
1109 }
1125#ifndef OPENSSL_NO_SRP 1110#ifndef OPENSSL_NO_SRP
1126 else if (type == TLSEXT_TYPE_srp) 1111 else if (type == TLSEXT_TYPE_srp) {
1127 { 1112 if (size <= 0 || ((len = data[0])) != (size - 1)) {
1128 if (size <= 0 || ((len = data[0])) != (size -1))
1129 {
1130 *al = SSL_AD_DECODE_ERROR; 1113 *al = SSL_AD_DECODE_ERROR;
1131 return 0; 1114 return 0;
1132 } 1115 }
1133 if (s->srp_ctx.login != NULL) 1116 if (s->srp_ctx.login != NULL) {
1134 {
1135 *al = SSL_AD_DECODE_ERROR; 1117 *al = SSL_AD_DECODE_ERROR;
1136 return 0; 1118 return 0;
1137 } 1119 }
1138 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL) 1120 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
1139 return -1; 1121 return -1;
1140 memcpy(s->srp_ctx.login, &data[1], len); 1122 memcpy(s->srp_ctx.login, &data[1], len);
1141 s->srp_ctx.login[len]='\0'; 1123 s->srp_ctx.login[len] = '\0';
1142 1124
1143 if (strlen(s->srp_ctx.login) != len) 1125 if (strlen(s->srp_ctx.login) != len) {
1144 {
1145 *al = SSL_AD_DECODE_ERROR; 1126 *al = SSL_AD_DECODE_ERROR;
1146 return 0; 1127 return 0;
1147 }
1148 } 1128 }
1129 }
1149#endif 1130#endif
1150 1131
1151#ifndef OPENSSL_NO_EC 1132#ifndef OPENSSL_NO_EC
1152 else if (type == TLSEXT_TYPE_ec_point_formats && 1133 else if (type == TLSEXT_TYPE_ec_point_formats &&
1153 s->version != DTLS1_VERSION) 1134 s->version != DTLS1_VERSION) {
1154 {
1155 unsigned char *sdata = data; 1135 unsigned char *sdata = data;
1156 int ecpointformatlist_length = *(sdata++); 1136 int ecpointformatlist_length = *(sdata++);
1157 1137
1158 if (ecpointformatlist_length != size - 1) 1138 if (ecpointformatlist_length != size - 1) {
1159 {
1160 *al = TLS1_AD_DECODE_ERROR; 1139 *al = TLS1_AD_DECODE_ERROR;
1161 return 0; 1140 return 0;
1162 } 1141 }
1163 if (!s->hit) 1142 if (!s->hit) {
1164 { 1143 if (s->session->tlsext_ecpointformatlist) {
1165 if(s->session->tlsext_ecpointformatlist)
1166 {
1167 OPENSSL_free(s->session->tlsext_ecpointformatlist); 1144 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1168 s->session->tlsext_ecpointformatlist = NULL; 1145 s->session->tlsext_ecpointformatlist = NULL;
1169 } 1146 }
1170 s->session->tlsext_ecpointformatlist_length = 0; 1147 s->session->tlsext_ecpointformatlist_length = 0;
1171 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1148 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
1172 {
1173 *al = TLS1_AD_INTERNAL_ERROR; 1149 *al = TLS1_AD_INTERNAL_ERROR;
1174 return 0; 1150 return 0;
1175 } 1151 }
1176 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1152 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1177 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1153 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1178 } 1154 }
1179#if 0 1155#if 0
1180 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); 1156 fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1181 sdata = s->session->tlsext_ecpointformatlist; 1157 sdata = s->session->tlsext_ecpointformatlist;
1182 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1158 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1183 fprintf(stderr,"%i ",*(sdata++)); 1159 fprintf(stderr, "%i ", *(sdata++));
1184 fprintf(stderr,"\n"); 1160 fprintf(stderr, "\n");
1185#endif 1161#endif
1186 } 1162 } else if (type == TLSEXT_TYPE_elliptic_curves &&
1187 else if (type == TLSEXT_TYPE_elliptic_curves && 1163 s->version != DTLS1_VERSION) {
1188 s->version != DTLS1_VERSION)
1189 {
1190 unsigned char *sdata = data; 1164 unsigned char *sdata = data;
1191 int ellipticcurvelist_length = (*(sdata++) << 8); 1165 int ellipticcurvelist_length = (*(sdata++) << 8);
1192 ellipticcurvelist_length += (*(sdata++)); 1166 ellipticcurvelist_length += (*(sdata++));
1193 1167
1194 if (ellipticcurvelist_length != size - 2 || 1168 if (ellipticcurvelist_length != size - 2 ||
1195 ellipticcurvelist_length < 1) 1169 ellipticcurvelist_length < 1) {
1196 {
1197 *al = TLS1_AD_DECODE_ERROR; 1170 *al = TLS1_AD_DECODE_ERROR;
1198 return 0; 1171 return 0;
1199 } 1172 }
1200 if (!s->hit) 1173 if (!s->hit) {
1201 { 1174 if (s->session->tlsext_ellipticcurvelist) {
1202 if(s->session->tlsext_ellipticcurvelist)
1203 {
1204 *al = TLS1_AD_DECODE_ERROR; 1175 *al = TLS1_AD_DECODE_ERROR;
1205 return 0; 1176 return 0;
1206 } 1177 }
1207 s->session->tlsext_ellipticcurvelist_length = 0; 1178 s->session->tlsext_ellipticcurvelist_length = 0;
1208 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) 1179 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
1209 {
1210 *al = TLS1_AD_INTERNAL_ERROR; 1180 *al = TLS1_AD_INTERNAL_ERROR;
1211 return 0; 1181 return 0;
1212 } 1182 }
1213 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; 1183 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1214 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); 1184 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1215 } 1185 }
1216#if 0 1186#if 0
1217 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); 1187 fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1218 sdata = s->session->tlsext_ellipticcurvelist; 1188 sdata = s->session->tlsext_ellipticcurvelist;
1219 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) 1189 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1220 fprintf(stderr,"%i ",*(sdata++)); 1190 fprintf(stderr, "%i ", *(sdata++));
1221 fprintf(stderr,"\n"); 1191 fprintf(stderr, "\n");
1222#endif 1192#endif
1223 } 1193 }
1224#endif /* OPENSSL_NO_EC */ 1194#endif /* OPENSSL_NO_EC */
1225#ifdef TLSEXT_TYPE_opaque_prf_input 1195#ifdef TLSEXT_TYPE_opaque_prf_input
1226 else if (type == TLSEXT_TYPE_opaque_prf_input && 1196 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1227 s->version != DTLS1_VERSION) 1197 s->version != DTLS1_VERSION) {
1228 {
1229 unsigned char *sdata = data; 1198 unsigned char *sdata = data;
1230 1199
1231 if (size < 2) 1200 if (size < 2) {
1232 {
1233 *al = SSL_AD_DECODE_ERROR; 1201 *al = SSL_AD_DECODE_ERROR;
1234 return 0; 1202 return 0;
1235 } 1203 }
1236 n2s(sdata, s->s3->client_opaque_prf_input_len); 1204 n2s(sdata, s->s3->client_opaque_prf_input_len);
1237 if (s->s3->client_opaque_prf_input_len != size - 2) 1205 if (s->s3->client_opaque_prf_input_len != size - 2) {
1238 {
1239 *al = SSL_AD_DECODE_ERROR; 1206 *al = SSL_AD_DECODE_ERROR;
1240 return 0; 1207 return 0;
1241 } 1208 }
1242 1209
1243 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1210 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1244 OPENSSL_free(s->s3->client_opaque_prf_input); 1211 OPENSSL_free(s->s3->client_opaque_prf_input);
@@ -1246,183 +1213,154 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1246 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1213 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1247 else 1214 else
1248 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); 1215 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1249 if (s->s3->client_opaque_prf_input == NULL) 1216 if (s->s3->client_opaque_prf_input == NULL) {
1250 {
1251 *al = TLS1_AD_INTERNAL_ERROR; 1217 *al = TLS1_AD_INTERNAL_ERROR;
1252 return 0; 1218 return 0;
1253 }
1254 } 1219 }
1220 }
1255#endif 1221#endif
1256 else if (type == TLSEXT_TYPE_session_ticket) 1222 else if (type == TLSEXT_TYPE_session_ticket) {
1257 {
1258 if (s->tls_session_ticket_ext_cb && 1223 if (s->tls_session_ticket_ext_cb &&
1259 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1224 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1260 {
1261 *al = TLS1_AD_INTERNAL_ERROR; 1225 *al = TLS1_AD_INTERNAL_ERROR;
1262 return 0; 1226 return 0;
1263 }
1264 } 1227 }
1265 else if (type == TLSEXT_TYPE_renegotiate) 1228 } else if (type == TLSEXT_TYPE_renegotiate) {
1266 { 1229 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1267 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1268 return 0; 1230 return 0;
1269 renegotiate_seen = 1; 1231 renegotiate_seen = 1;
1270 } 1232 } else if (type == TLSEXT_TYPE_signature_algorithms) {
1271 else if (type == TLSEXT_TYPE_signature_algorithms)
1272 {
1273 int dsize; 1233 int dsize;
1274 if (sigalg_seen || size < 2) 1234 if (sigalg_seen || size < 2) {
1275 {
1276 *al = SSL_AD_DECODE_ERROR; 1235 *al = SSL_AD_DECODE_ERROR;
1277 return 0; 1236 return 0;
1278 } 1237 }
1279 sigalg_seen = 1; 1238 sigalg_seen = 1;
1280 n2s(data,dsize); 1239 n2s(data, dsize);
1281 size -= 2; 1240 size -= 2;
1282 if (dsize != size || dsize & 1) 1241 if (dsize != size || dsize & 1) {
1283 {
1284 *al = SSL_AD_DECODE_ERROR; 1242 *al = SSL_AD_DECODE_ERROR;
1285 return 0; 1243 return 0;
1286 } 1244 }
1287 if (!tls1_process_sigalgs(s, data, dsize)) 1245 if (!tls1_process_sigalgs(s, data, dsize)) {
1288 {
1289 *al = SSL_AD_DECODE_ERROR; 1246 *al = SSL_AD_DECODE_ERROR;
1290 return 0; 1247 return 0;
1291 }
1292 } 1248 }
1293 else if (type == TLSEXT_TYPE_status_request && 1249 } else if (type == TLSEXT_TYPE_status_request &&
1294 s->version != DTLS1_VERSION) 1250 s->version != DTLS1_VERSION) {
1295 { 1251
1296 1252 if (size < 5) {
1297 if (size < 5)
1298 {
1299 *al = SSL_AD_DECODE_ERROR; 1253 *al = SSL_AD_DECODE_ERROR;
1300 return 0; 1254 return 0;
1301 } 1255 }
1302 1256
1303 s->tlsext_status_type = *data++; 1257 s->tlsext_status_type = *data++;
1304 size--; 1258 size--;
1305 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) 1259 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1306 {
1307 const unsigned char *sdata; 1260 const unsigned char *sdata;
1308 int dsize; 1261 int dsize;
1309 /* Read in responder_id_list */ 1262 /* Read in responder_id_list */
1310 n2s(data,dsize); 1263 n2s(data, dsize);
1311 size -= 2; 1264 size -= 2;
1312 if (dsize > size ) 1265 if (dsize > size ) {
1313 {
1314 *al = SSL_AD_DECODE_ERROR; 1266 *al = SSL_AD_DECODE_ERROR;
1315 return 0; 1267 return 0;
1316 } 1268 }
1317 while (dsize > 0) 1269 while (dsize > 0) {
1318 {
1319 OCSP_RESPID *id; 1270 OCSP_RESPID *id;
1320 int idsize; 1271 int idsize;
1321 if (dsize < 4) 1272 if (dsize < 4) {
1322 {
1323 *al = SSL_AD_DECODE_ERROR; 1273 *al = SSL_AD_DECODE_ERROR;
1324 return 0; 1274 return 0;
1325 } 1275 }
1326 n2s(data, idsize); 1276 n2s(data, idsize);
1327 dsize -= 2 + idsize; 1277 dsize -= 2 + idsize;
1328 size -= 2 + idsize; 1278 size -= 2 + idsize;
1329 if (dsize < 0) 1279 if (dsize < 0) {
1330 {
1331 *al = SSL_AD_DECODE_ERROR; 1280 *al = SSL_AD_DECODE_ERROR;
1332 return 0; 1281 return 0;
1333 } 1282 }
1334 sdata = data; 1283 sdata = data;
1335 data += idsize; 1284 data += idsize;
1336 id = d2i_OCSP_RESPID(NULL, 1285 id = d2i_OCSP_RESPID(NULL,
1337 &sdata, idsize); 1286 &sdata, idsize);
1338 if (!id) 1287 if (!id) {
1339 {
1340 *al = SSL_AD_DECODE_ERROR; 1288 *al = SSL_AD_DECODE_ERROR;
1341 return 0; 1289 return 0;
1342 } 1290 }
1343 if (data != sdata) 1291 if (data != sdata) {
1344 {
1345 OCSP_RESPID_free(id); 1292 OCSP_RESPID_free(id);
1346 *al = SSL_AD_DECODE_ERROR; 1293 *al = SSL_AD_DECODE_ERROR;
1347 return 0; 1294 return 0;
1348 } 1295 }
1349 if (!s->tlsext_ocsp_ids 1296 if (!s->tlsext_ocsp_ids
1350 && !(s->tlsext_ocsp_ids = 1297 && !(s->tlsext_ocsp_ids =
1351 sk_OCSP_RESPID_new_null())) 1298 sk_OCSP_RESPID_new_null())) {
1352 {
1353 OCSP_RESPID_free(id); 1299 OCSP_RESPID_free(id);
1354 *al = SSL_AD_INTERNAL_ERROR; 1300 *al = SSL_AD_INTERNAL_ERROR;
1355 return 0; 1301 return 0;
1356 } 1302 }
1357 if (!sk_OCSP_RESPID_push( 1303 if (!sk_OCSP_RESPID_push(
1358 s->tlsext_ocsp_ids, id)) 1304 s->tlsext_ocsp_ids, id)) {
1359 {
1360 OCSP_RESPID_free(id); 1305 OCSP_RESPID_free(id);
1361 *al = SSL_AD_INTERNAL_ERROR; 1306 *al = SSL_AD_INTERNAL_ERROR;
1362 return 0; 1307 return 0;
1363 }
1364 } 1308 }
1309 }
1365 1310
1366 /* Read in request_extensions */ 1311 /* Read in request_extensions */
1367 if (size < 2) 1312 if (size < 2) {
1368 {
1369 *al = SSL_AD_DECODE_ERROR; 1313 *al = SSL_AD_DECODE_ERROR;
1370 return 0; 1314 return 0;
1371 } 1315 }
1372 n2s(data,dsize); 1316 n2s(data, dsize);
1373 size -= 2; 1317 size -= 2;
1374 if (dsize != size) 1318 if (dsize != size) {
1375 {
1376 *al = SSL_AD_DECODE_ERROR; 1319 *al = SSL_AD_DECODE_ERROR;
1377 return 0; 1320 return 0;
1378 } 1321 }
1379 sdata = data; 1322 sdata = data;
1380 if (dsize > 0) 1323 if (dsize > 0) {
1381 { 1324 if (s->tlsext_ocsp_exts) {
1382 if (s->tlsext_ocsp_exts)
1383 {
1384 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1325 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1385 X509_EXTENSION_free); 1326 X509_EXTENSION_free);
1386 } 1327 }
1387 1328
1388 s->tlsext_ocsp_exts = 1329 s->tlsext_ocsp_exts =
1389 d2i_X509_EXTENSIONS(NULL, 1330 d2i_X509_EXTENSIONS(NULL,
1390 &sdata, dsize); 1331 &sdata, dsize);
1391 if (!s->tlsext_ocsp_exts 1332 if (!s->tlsext_ocsp_exts
1392 || (data + dsize != sdata)) 1333 || (data + dsize != sdata)) {
1393 {
1394 *al = SSL_AD_DECODE_ERROR; 1334 *al = SSL_AD_DECODE_ERROR;
1395 return 0; 1335 return 0;
1396 }
1397 } 1336 }
1398 } 1337 }
1338 }
1399 /* We don't know what to do with any other type 1339 /* We don't know what to do with any other type
1400 * so ignore it. 1340 * so ignore it.
1401 */ 1341 */
1402 else 1342 else
1403 s->tlsext_status_type = -1; 1343 s->tlsext_status_type = -1;
1404 } 1344 }
1405#ifndef OPENSSL_NO_HEARTBEATS 1345#ifndef OPENSSL_NO_HEARTBEATS
1406 else if (type == TLSEXT_TYPE_heartbeat) 1346 else if (type == TLSEXT_TYPE_heartbeat) {
1407 { 1347 switch (data[0]) {
1408 switch(data[0]) 1348 case 0x01: /* Client allows us to send HB requests */
1409 { 1349 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1410 case 0x01: /* Client allows us to send HB requests */ 1350 break;
1411 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1351 case 0x02: /* Client doesn't accept HB requests */
1412 break; 1352 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1413 case 0x02: /* Client doesn't accept HB requests */ 1353 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1414 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1354 break;
1415 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1355 default:
1416 break; 1356 *al = SSL_AD_ILLEGAL_PARAMETER;
1417 default: *al = SSL_AD_ILLEGAL_PARAMETER; 1357 return 0;
1418 return 0;
1419 }
1420 } 1358 }
1359 }
1421#endif 1360#endif
1422#ifndef OPENSSL_NO_NEXTPROTONEG 1361#ifndef OPENSSL_NO_NEXTPROTONEG
1423 else if (type == TLSEXT_TYPE_next_proto_neg && 1362 else if (type == TLSEXT_TYPE_next_proto_neg &&
1424 s->s3->tmp.finish_md_len == 0) 1363 s->s3->tmp.finish_md_len == 0) {
1425 {
1426 /* We shouldn't accept this extension on a 1364 /* We shouldn't accept this extension on a
1427 * renegotiation. 1365 * renegotiation.
1428 * 1366 *
@@ -1439,22 +1377,21 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1439 * in the Hello protocol round, well before a new 1377 * in the Hello protocol round, well before a new
1440 * Finished message could have been computed.) */ 1378 * Finished message could have been computed.) */
1441 s->s3->next_proto_neg_seen = 1; 1379 s->s3->next_proto_neg_seen = 1;
1442 } 1380 }
1443#endif 1381#endif
1444 1382
1445 /* session ticket processed earlier */ 1383 /* session ticket processed earlier */
1446#ifndef OPENSSL_NO_SRTP 1384#ifndef OPENSSL_NO_SRTP
1447 else if (type == TLSEXT_TYPE_use_srtp) 1385 else if (type == TLSEXT_TYPE_use_srtp) {
1448 { 1386 if (ssl_parse_clienthello_use_srtp_ext(s, data, size,
1449 if(ssl_parse_clienthello_use_srtp_ext(s, data, size, 1387 al))
1450 al)) 1388 return 0;
1451 return 0; 1389 }
1452 }
1453#endif 1390#endif
1454 1391
1455 data+=size; 1392 data += size;
1456 } 1393 }
1457 1394
1458 *p = data; 1395 *p = data;
1459 1396
1460 ri_check: 1397 ri_check:
@@ -1462,39 +1399,39 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1462 /* Need RI if renegotiating */ 1399 /* Need RI if renegotiating */
1463 1400
1464 if (!renegotiate_seen && s->renegotiate && 1401 if (!renegotiate_seen && s->renegotiate &&
1465 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1402 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
1466 {
1467 *al = SSL_AD_HANDSHAKE_FAILURE; 1403 *al = SSL_AD_HANDSHAKE_FAILURE;
1468 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 1404 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1469 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1405 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1470 return 0; 1406 return 0;
1471 } 1407 }
1472 1408
1473 return 1; 1409 return 1;
1474 } 1410}
1475 1411
1476#ifndef OPENSSL_NO_NEXTPROTONEG 1412#ifndef OPENSSL_NO_NEXTPROTONEG
1477/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1413/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1478 * elements of zero length are allowed and the set of elements must exactly fill 1414 * elements of zero length are allowed and the set of elements must exactly fill
1479 * the length of the block. */ 1415 * the length of the block. */
1480static char ssl_next_proto_validate(unsigned char *d, unsigned len) 1416static char
1481 { 1417ssl_next_proto_validate(unsigned char *d, unsigned len)
1418{
1482 unsigned int off = 0; 1419 unsigned int off = 0;
1483 1420
1484 while (off < len) 1421 while (off < len) {
1485 {
1486 if (d[off] == 0) 1422 if (d[off] == 0)
1487 return 0; 1423 return 0;
1488 off += d[off]; 1424 off += d[off];
1489 off++; 1425 off++;
1490 } 1426 }
1491 1427
1492 return off == len; 1428 return off == len;
1493 } 1429}
1494#endif 1430#endif
1495 1431
1496int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 1432int
1497 { 1433ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1434{
1498 unsigned short length; 1435 unsigned short length;
1499 unsigned short type; 1436 unsigned short type;
1500 unsigned short size; 1437 unsigned short size;
@@ -1508,107 +1445,96 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1508 1445
1509#ifndef OPENSSL_NO_HEARTBEATS 1446#ifndef OPENSSL_NO_HEARTBEATS
1510 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | 1447 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1511 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 1448 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1512#endif 1449#endif
1513 1450
1514 if (data >= (d+n-2)) 1451 if (data >= (d + n - 2))
1515 goto ri_check; 1452 goto ri_check;
1516 1453
1517 n2s(data,length); 1454 n2s(data, length);
1518 if (data+length != d+n) 1455 if (data + length != d + n) {
1519 {
1520 *al = SSL_AD_DECODE_ERROR; 1456 *al = SSL_AD_DECODE_ERROR;
1521 return 0; 1457 return 0;
1522 } 1458 }
1523 1459
1524 while(data <= (d+n-4)) 1460 while (data <= (d + n - 4)) {
1525 { 1461 n2s(data, type);
1526 n2s(data,type); 1462 n2s(data, size);
1527 n2s(data,size);
1528 1463
1529 if (data+size > (d+n)) 1464 if (data + size > (d + n))
1530 goto ri_check; 1465 goto ri_check;
1531 1466
1532 if (s->tlsext_debug_cb) 1467 if (s->tlsext_debug_cb)
1533 s->tlsext_debug_cb(s, 1, type, data, size, 1468 s->tlsext_debug_cb(s, 1, type, data, size,
1534 s->tlsext_debug_arg); 1469 s->tlsext_debug_arg);
1535 1470
1536 if (type == TLSEXT_TYPE_server_name) 1471 if (type == TLSEXT_TYPE_server_name) {
1537 { 1472 if (s->tlsext_hostname == NULL || size > 0) {
1538 if (s->tlsext_hostname == NULL || size > 0)
1539 {
1540 *al = TLS1_AD_UNRECOGNIZED_NAME; 1473 *al = TLS1_AD_UNRECOGNIZED_NAME;
1541 return 0; 1474 return 0;
1542 }
1543 tlsext_servername = 1;
1544 } 1475 }
1476 tlsext_servername = 1;
1477
1478 }
1545 1479
1546#ifndef OPENSSL_NO_EC 1480#ifndef OPENSSL_NO_EC
1547 else if (type == TLSEXT_TYPE_ec_point_formats && 1481 else if (type == TLSEXT_TYPE_ec_point_formats &&
1548 s->version != DTLS1_VERSION) 1482 s->version != DTLS1_VERSION) {
1549 {
1550 unsigned char *sdata = data; 1483 unsigned char *sdata = data;
1551 int ecpointformatlist_length = *(sdata++); 1484 int ecpointformatlist_length = *(sdata++);
1552 1485
1553 if (ecpointformatlist_length != size - 1 || 1486 if (ecpointformatlist_length != size - 1 ||
1554 ecpointformatlist_length < 1) 1487 ecpointformatlist_length < 1) {
1555 {
1556 *al = TLS1_AD_DECODE_ERROR; 1488 *al = TLS1_AD_DECODE_ERROR;
1557 return 0; 1489 return 0;
1558 } 1490 }
1559 s->session->tlsext_ecpointformatlist_length = 0; 1491 s->session->tlsext_ecpointformatlist_length = 0;
1560 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); 1492 if (s->session->tlsext_ecpointformatlist != NULL)
1561 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) 1493 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1562 { 1494 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
1563 *al = TLS1_AD_INTERNAL_ERROR; 1495 *al = TLS1_AD_INTERNAL_ERROR;
1564 return 0; 1496 return 0;
1565 } 1497 }
1566 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; 1498 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1567 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); 1499 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1568#if 0 1500#if 0
1569 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); 1501 fprintf(stderr, "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1570 sdata = s->session->tlsext_ecpointformatlist; 1502 sdata = s->session->tlsext_ecpointformatlist;
1571 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1503 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1572 fprintf(stderr,"%i ",*(sdata++)); 1504 fprintf(stderr, "%i ", *(sdata++));
1573 fprintf(stderr,"\n"); 1505 fprintf(stderr, "\n");
1574#endif 1506#endif
1575 } 1507 }
1576#endif /* OPENSSL_NO_EC */ 1508#endif /* OPENSSL_NO_EC */
1577 1509
1578 else if (type == TLSEXT_TYPE_session_ticket) 1510 else if (type == TLSEXT_TYPE_session_ticket) {
1579 {
1580 if (s->tls_session_ticket_ext_cb && 1511 if (s->tls_session_ticket_ext_cb &&
1581 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) 1512 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1582 {
1583 *al = TLS1_AD_INTERNAL_ERROR; 1513 *al = TLS1_AD_INTERNAL_ERROR;
1584 return 0; 1514 return 0;
1585 } 1515 }
1586 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 1516 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1587 || (size > 0)) 1517 || (size > 0)) {
1588 {
1589 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1518 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1590 return 0; 1519 return 0;
1591 }
1592 s->tlsext_ticket_expected = 1;
1593 } 1520 }
1521 s->tlsext_ticket_expected = 1;
1522 }
1594#ifdef TLSEXT_TYPE_opaque_prf_input 1523#ifdef TLSEXT_TYPE_opaque_prf_input
1595 else if (type == TLSEXT_TYPE_opaque_prf_input && 1524 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1596 s->version != DTLS1_VERSION) 1525 s->version != DTLS1_VERSION) {
1597 {
1598 unsigned char *sdata = data; 1526 unsigned char *sdata = data;
1599 1527
1600 if (size < 2) 1528 if (size < 2) {
1601 {
1602 *al = SSL_AD_DECODE_ERROR; 1529 *al = SSL_AD_DECODE_ERROR;
1603 return 0; 1530 return 0;
1604 } 1531 }
1605 n2s(sdata, s->s3->server_opaque_prf_input_len); 1532 n2s(sdata, s->s3->server_opaque_prf_input_len);
1606 if (s->s3->server_opaque_prf_input_len != size - 2) 1533 if (s->s3->server_opaque_prf_input_len != size - 2) {
1607 {
1608 *al = SSL_AD_DECODE_ERROR; 1534 *al = SSL_AD_DECODE_ERROR;
1609 return 0; 1535 return 0;
1610 } 1536 }
1611 1537
1612 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1538 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1613 OPENSSL_free(s->s3->server_opaque_prf_input); 1539 OPENSSL_free(s->s3->server_opaque_prf_input);
1614 if (s->s3->server_opaque_prf_input_len == 0) 1540 if (s->s3->server_opaque_prf_input_len == 0)
@@ -1616,123 +1542,107 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1616 else 1542 else
1617 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); 1543 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1618 1544
1619 if (s->s3->server_opaque_prf_input == NULL) 1545 if (s->s3->server_opaque_prf_input == NULL) {
1620 {
1621 *al = TLS1_AD_INTERNAL_ERROR; 1546 *al = TLS1_AD_INTERNAL_ERROR;
1622 return 0; 1547 return 0;
1623 }
1624 } 1548 }
1549 }
1625#endif 1550#endif
1626 else if (type == TLSEXT_TYPE_status_request && 1551 else if (type == TLSEXT_TYPE_status_request &&
1627 s->version != DTLS1_VERSION) 1552 s->version != DTLS1_VERSION) {
1628 {
1629 /* MUST be empty and only sent if we've requested 1553 /* MUST be empty and only sent if we've requested
1630 * a status request message. 1554 * a status request message.
1631 */ 1555 */
1632 if ((s->tlsext_status_type == -1) || (size > 0)) 1556 if ((s->tlsext_status_type == -1) || (size > 0)) {
1633 {
1634 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1557 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1635 return 0; 1558 return 0;
1636 } 1559 }
1637 /* Set flag to expect CertificateStatus message */ 1560 /* Set flag to expect CertificateStatus message */
1638 s->tlsext_status_expected = 1; 1561 s->tlsext_status_expected = 1;
1639 } 1562 }
1640#ifndef OPENSSL_NO_NEXTPROTONEG 1563#ifndef OPENSSL_NO_NEXTPROTONEG
1641 else if (type == TLSEXT_TYPE_next_proto_neg && 1564 else if (type == TLSEXT_TYPE_next_proto_neg &&
1642 s->s3->tmp.finish_md_len == 0) 1565 s->s3->tmp.finish_md_len == 0) {
1643 {
1644 unsigned char *selected; 1566 unsigned char *selected;
1645 unsigned char selected_len; 1567 unsigned char selected_len;
1646 1568
1647 /* We must have requested it. */ 1569 /* We must have requested it. */
1648 if (s->ctx->next_proto_select_cb == NULL) 1570 if (s->ctx->next_proto_select_cb == NULL) {
1649 {
1650 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1571 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1651 return 0; 1572 return 0;
1652 } 1573 }
1653 /* The data must be valid */ 1574 /* The data must be valid */
1654 if (!ssl_next_proto_validate(data, size)) 1575 if (!ssl_next_proto_validate(data, size)) {
1655 {
1656 *al = TLS1_AD_DECODE_ERROR; 1576 *al = TLS1_AD_DECODE_ERROR;
1657 return 0; 1577 return 0;
1658 } 1578 }
1659 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) 1579 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
1660 {
1661 *al = TLS1_AD_INTERNAL_ERROR; 1580 *al = TLS1_AD_INTERNAL_ERROR;
1662 return 0; 1581 return 0;
1663 } 1582 }
1664 s->next_proto_negotiated = OPENSSL_malloc(selected_len); 1583 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1665 if (!s->next_proto_negotiated) 1584 if (!s->next_proto_negotiated) {
1666 {
1667 *al = TLS1_AD_INTERNAL_ERROR; 1585 *al = TLS1_AD_INTERNAL_ERROR;
1668 return 0; 1586 return 0;
1669 } 1587 }
1670 memcpy(s->next_proto_negotiated, selected, selected_len); 1588 memcpy(s->next_proto_negotiated, selected, selected_len);
1671 s->next_proto_negotiated_len = selected_len; 1589 s->next_proto_negotiated_len = selected_len;
1672 s->s3->next_proto_neg_seen = 1; 1590 s->s3->next_proto_neg_seen = 1;
1673 } 1591 }
1674#endif 1592#endif
1675 else if (type == TLSEXT_TYPE_renegotiate) 1593 else if (type == TLSEXT_TYPE_renegotiate) {
1676 { 1594 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1677 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1678 return 0; 1595 return 0;
1679 renegotiate_seen = 1; 1596 renegotiate_seen = 1;
1680 } 1597 }
1681#ifndef OPENSSL_NO_HEARTBEATS 1598#ifndef OPENSSL_NO_HEARTBEATS
1682 else if (type == TLSEXT_TYPE_heartbeat) 1599 else if (type == TLSEXT_TYPE_heartbeat) {
1683 { 1600 switch (data[0]) {
1684 switch(data[0]) 1601 case 0x01: /* Server allows us to send HB requests */
1685 { 1602 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1686 case 0x01: /* Server allows us to send HB requests */ 1603 break;
1687 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1604 case 0x02: /* Server doesn't accept HB requests */
1688 break; 1605 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1689 case 0x02: /* Server doesn't accept HB requests */ 1606 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1690 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; 1607 break;
1691 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; 1608 default:
1692 break; 1609 *al = SSL_AD_ILLEGAL_PARAMETER;
1693 default: *al = SSL_AD_ILLEGAL_PARAMETER; 1610 return 0;
1694 return 0;
1695 }
1696 } 1611 }
1612 }
1697#endif 1613#endif
1698#ifndef OPENSSL_NO_SRTP 1614#ifndef OPENSSL_NO_SRTP
1699 else if (type == TLSEXT_TYPE_use_srtp) 1615 else if (type == TLSEXT_TYPE_use_srtp) {
1700 { 1616 if (ssl_parse_serverhello_use_srtp_ext(s, data, size,
1701 if(ssl_parse_serverhello_use_srtp_ext(s, data, size, 1617 al))
1702 al)) 1618 return 0;
1703 return 0; 1619 }
1704 }
1705#endif 1620#endif
1706 1621
1707 data+=size; 1622 data += size;
1708 } 1623
1624 }
1709 1625
1710 if (data != d+n) 1626 if (data != d + n) {
1711 {
1712 *al = SSL_AD_DECODE_ERROR; 1627 *al = SSL_AD_DECODE_ERROR;
1713 return 0; 1628 return 0;
1714 } 1629 }
1715 1630
1716 if (!s->hit && tlsext_servername == 1) 1631 if (!s->hit && tlsext_servername == 1) {
1717 { 1632 if (s->tlsext_hostname) {
1718 if (s->tlsext_hostname) 1633 if (s->session->tlsext_hostname == NULL) {
1719 { 1634 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1720 if (s->session->tlsext_hostname == NULL) 1635
1721 { 1636 if (!s->session->tlsext_hostname) {
1722 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1723 if (!s->session->tlsext_hostname)
1724 {
1725 *al = SSL_AD_UNRECOGNIZED_NAME; 1637 *al = SSL_AD_UNRECOGNIZED_NAME;
1726 return 0; 1638 return 0;
1727 }
1728 } 1639 }
1729 else 1640 } else {
1730 {
1731 *al = SSL_AD_DECODE_ERROR; 1641 *al = SSL_AD_DECODE_ERROR;
1732 return 0; 1642 return 0;
1733 }
1734 } 1643 }
1735 } 1644 }
1645 }
1736 1646
1737 *p = data; 1647 *p = data;
1738 1648
@@ -1747,20 +1657,20 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1747 */ 1657 */
1748 if (!renegotiate_seen 1658 if (!renegotiate_seen
1749 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 1659 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1750 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1660 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
1751 {
1752 *al = SSL_AD_HANDSHAKE_FAILURE; 1661 *al = SSL_AD_HANDSHAKE_FAILURE;
1753 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1662 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1754 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1663 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1755 return 0; 1664 return 0;
1756 } 1665 }
1757 1666
1758 return 1; 1667 return 1;
1759 } 1668}
1760 1669
1761 1670
1762int ssl_prepare_clienthello_tlsext(SSL *s) 1671int
1763 { 1672ssl_prepare_clienthello_tlsext(SSL *s)
1673{
1764#ifndef OPENSSL_NO_EC 1674#ifndef OPENSSL_NO_EC
1765 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 1675 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1766 * and elliptic curves we support. 1676 * and elliptic curves we support.
@@ -1771,63 +1681,59 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
1771 unsigned long alg_k, alg_a; 1681 unsigned long alg_k, alg_a;
1772 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); 1682 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1773 1683
1774 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) 1684 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1775 {
1776 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 1685 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1777 1686
1778 alg_k = c->algorithm_mkey; 1687 alg_k = c->algorithm_mkey;
1779 alg_a = c->algorithm_auth; 1688 alg_a = c->algorithm_auth;
1780 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) 1689 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) {
1781 {
1782 using_ecc = 1; 1690 using_ecc = 1;
1783 break; 1691 break;
1784 }
1785 } 1692 }
1693 }
1786 using_ecc = using_ecc && (s->version >= TLS1_VERSION); 1694 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1787 if (using_ecc) 1695 if (using_ecc) {
1788 { 1696 if (s->tlsext_ecpointformatlist != NULL)
1789 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1697 OPENSSL_free(s->tlsext_ecpointformatlist);
1790 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1698 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) {
1791 { 1699 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1792 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1793 return -1; 1700 return -1;
1794 } 1701 }
1795 s->tlsext_ecpointformatlist_length = 3; 1702 s->tlsext_ecpointformatlist_length = 3;
1796 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1703 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1797 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1704 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1798 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1705 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1799 1706
1800 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ 1707 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1801 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); 1708 if (s->tlsext_ellipticcurvelist != NULL)
1709 OPENSSL_free(s->tlsext_ellipticcurvelist);
1802 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2; 1710 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1803 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) 1711 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) {
1804 {
1805 s->tlsext_ellipticcurvelist_length = 0; 1712 s->tlsext_ellipticcurvelist_length = 0;
1806 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1713 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1807 return -1; 1714 return -1;
1808 } 1715 }
1809 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < 1716 for (i = 0, j = s->tlsext_ellipticcurvelist;
1810 sizeof(pref_list)/sizeof(pref_list[0]); i++) 1717 (unsigned int)i <
1811 { 1718 sizeof(pref_list)/sizeof(pref_list[0]);
1719 i++) {
1812 int id = tls1_ec_nid2curve_id(pref_list[i]); 1720 int id = tls1_ec_nid2curve_id(pref_list[i]);
1813 s2n(id,j); 1721 s2n(id, j);
1814 }
1815 } 1722 }
1723 }
1816#endif /* OPENSSL_NO_EC */ 1724#endif /* OPENSSL_NO_EC */
1817 1725
1818#ifdef TLSEXT_TYPE_opaque_prf_input 1726#ifdef TLSEXT_TYPE_opaque_prf_input
1819 { 1727 {
1820 int r = 1; 1728 int r = 1;
1821 1729
1822 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1730 if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
1823 {
1824 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1731 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1825 if (!r) 1732 if (!r)
1826 return -1; 1733 return -1;
1827 } 1734 }
1828 1735
1829 if (s->tlsext_opaque_prf_input != NULL) 1736 if (s->tlsext_opaque_prf_input != NULL) {
1830 {
1831 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ 1737 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1832 OPENSSL_free(s->s3->client_opaque_prf_input); 1738 OPENSSL_free(s->s3->client_opaque_prf_input);
1833 1739
@@ -1835,25 +1741,25 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
1835 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1741 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1836 else 1742 else
1837 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1743 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1838 if (s->s3->client_opaque_prf_input == NULL) 1744 if (s->s3->client_opaque_prf_input == NULL) {
1839 { 1745 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1840 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1841 return -1; 1746 return -1;
1842 }
1843 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1844 } 1747 }
1748 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1749 }
1845 1750
1846 if (r == 2) 1751 if (r == 2)
1847 /* at callback's request, insist on receiving an appropriate server opaque PRF input */ 1752 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1848 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1753 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1849 } 1754 }
1850#endif 1755#endif
1851 1756
1852 return 1; 1757 return 1;
1853 } 1758}
1854 1759
1855int ssl_prepare_serverhello_tlsext(SSL *s) 1760int
1856 { 1761ssl_prepare_serverhello_tlsext(SSL *s)
1762{
1857#ifndef OPENSSL_NO_EC 1763#ifndef OPENSSL_NO_EC
1858 /* If we are server and using an ECC cipher suite, send the point formats we support 1764 /* If we are server and using an ECC cipher suite, send the point formats we support
1859 * if the client sent us an ECPointsFormat extension. Note that the server is not 1765 * if the client sent us an ECPointsFormat extension. Note that the server is not
@@ -1864,28 +1770,28 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
1864 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1770 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1865 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); 1771 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1866 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); 1772 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1867 1773
1868 if (using_ecc) 1774 if (using_ecc) {
1869 { 1775 if (s->tlsext_ecpointformatlist != NULL)
1870 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1776 OPENSSL_free(s->tlsext_ecpointformatlist);
1871 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) 1777 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) {
1872 { 1778 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1873 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1874 return -1; 1779 return -1;
1875 } 1780 }
1876 s->tlsext_ecpointformatlist_length = 3; 1781 s->tlsext_ecpointformatlist_length = 3;
1877 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; 1782 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1878 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1783 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1879 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1784 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1880 } 1785 }
1881#endif /* OPENSSL_NO_EC */ 1786#endif /* OPENSSL_NO_EC */
1882 1787
1883 return 1; 1788 return 1;
1884 } 1789}
1885 1790
1886int ssl_check_clienthello_tlsext_early(SSL *s) 1791int
1887 { 1792ssl_check_clienthello_tlsext_early(SSL *s)
1888 int ret=SSL_TLSEXT_ERR_NOACK; 1793{
1794 int ret = SSL_TLSEXT_ERR_NOACK;
1889 int al = SSL_AD_UNRECOGNIZED_NAME; 1795 int al = SSL_AD_UNRECOGNIZED_NAME;
1890 1796
1891#ifndef OPENSSL_NO_EC 1797#ifndef OPENSSL_NO_EC
@@ -1897,40 +1803,36 @@ int ssl_check_clienthello_tlsext_early(SSL *s)
1897 */ 1803 */
1898#endif 1804#endif
1899 1805
1900 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1806 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1901 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1807 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1902 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1808 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1903 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1809 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1904 1810
1905#ifdef TLSEXT_TYPE_opaque_prf_input 1811#ifdef TLSEXT_TYPE_opaque_prf_input
1906 { 1812 {
1907 /* This sort of belongs into ssl_prepare_serverhello_tlsext(), 1813 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1908 * but we might be sending an alert in response to the client hello, 1814 * but we might be sending an alert in response to the client hello,
1909 * so this has to happen here in 1815 * so this has to happen here in
1910 * ssl_check_clienthello_tlsext_early(). */ 1816 * ssl_check_clienthello_tlsext_early(). */
1911 1817
1912 int r = 1; 1818 int r = 1;
1913 1819
1914 if (s->ctx->tlsext_opaque_prf_input_callback != 0) 1820 if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
1915 {
1916 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); 1821 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1917 if (!r) 1822 if (!r) {
1918 {
1919 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1823 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1920 al = SSL_AD_INTERNAL_ERROR; 1824 al = SSL_AD_INTERNAL_ERROR;
1921 goto err; 1825 goto err;
1922 }
1923 } 1826 }
1827 }
1924 1828
1925 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ 1829 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1926 OPENSSL_free(s->s3->server_opaque_prf_input); 1830 OPENSSL_free(s->s3->server_opaque_prf_input);
1927 s->s3->server_opaque_prf_input = NULL; 1831 s->s3->server_opaque_prf_input = NULL;
1928 1832
1929 if (s->tlsext_opaque_prf_input != NULL) 1833 if (s->tlsext_opaque_prf_input != NULL) {
1930 {
1931 if (s->s3->client_opaque_prf_input != NULL && 1834 if (s->s3->client_opaque_prf_input != NULL &&
1932 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) 1835 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) {
1933 {
1934 /* can only use this extension if we have a server opaque PRF input 1836 /* can only use this extension if we have a server opaque PRF input
1935 * of the same length as the client opaque PRF input! */ 1837 * of the same length as the client opaque PRF input! */
1936 1838
@@ -1938,48 +1840,48 @@ int ssl_check_clienthello_tlsext_early(SSL *s)
1938 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ 1840 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1939 else 1841 else
1940 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); 1842 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1941 if (s->s3->server_opaque_prf_input == NULL) 1843 if (s->s3->server_opaque_prf_input == NULL) {
1942 {
1943 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1844 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1944 al = SSL_AD_INTERNAL_ERROR; 1845 al = SSL_AD_INTERNAL_ERROR;
1945 goto err; 1846 goto err;
1946 }
1947 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1948 } 1847 }
1848 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1949 } 1849 }
1850 }
1950 1851
1951 if (r == 2 && s->s3->server_opaque_prf_input == NULL) 1852 if (r == 2 && s->s3->server_opaque_prf_input == NULL) {
1952 {
1953 /* The callback wants to enforce use of the extension, 1853 /* The callback wants to enforce use of the extension,
1954 * but we can't do that with the client opaque PRF input; 1854 * but we can't do that with the client opaque PRF input;
1955 * abort the handshake. 1855 * abort the handshake.
1956 */ 1856 */
1957 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1857 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1958 al = SSL_AD_HANDSHAKE_FAILURE; 1858 al = SSL_AD_HANDSHAKE_FAILURE;
1959 } 1859 }
1960 } 1860 }
1961 1861
1962 err: 1862 err:
1963#endif 1863#endif
1964 switch (ret) 1864 switch (ret) {
1965 { 1865 case SSL_TLSEXT_ERR_ALERT_FATAL:
1966 case SSL_TLSEXT_ERR_ALERT_FATAL: 1866 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1967 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1968 return -1;
1969 1867
1970 case SSL_TLSEXT_ERR_ALERT_WARNING: 1868 return -1;
1971 ssl3_send_alert(s,SSL3_AL_WARNING,al); 1869
1972 return 1; 1870 case SSL_TLSEXT_ERR_ALERT_WARNING:
1973 1871 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1974 case SSL_TLSEXT_ERR_NOACK: 1872 return 1;
1975 s->servername_done=0; 1873
1976 default: 1874
1875 case SSL_TLSEXT_ERR_NOACK:
1876 s->servername_done = 0;
1877 default:
1977 return 1; 1878 return 1;
1978 }
1979 } 1879 }
1880}
1980 1881
1981int ssl_check_clienthello_tlsext_late(SSL *s) 1882int
1982 { 1883ssl_check_clienthello_tlsext_late(SSL *s)
1884{
1983 int ret = SSL_TLSEXT_ERR_OK; 1885 int ret = SSL_TLSEXT_ERR_OK;
1984 int al; 1886 int al;
1985 1887
@@ -1988,64 +1890,62 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
1988 * the certificate has changed, and must be called after the cipher 1890 * the certificate has changed, and must be called after the cipher
1989 * has been chosen because this may influence which certificate is sent 1891 * has been chosen because this may influence which certificate is sent
1990 */ 1892 */
1991 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) 1893 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
1992 {
1993 int r; 1894 int r;
1994 CERT_PKEY *certpkey; 1895 CERT_PKEY *certpkey;
1995 certpkey = ssl_get_server_send_pkey(s); 1896 certpkey = ssl_get_server_send_pkey(s);
1996 /* If no certificate can't return certificate status */ 1897 /* If no certificate can't return certificate status */
1997 if (certpkey == NULL) 1898 if (certpkey == NULL) {
1998 {
1999 s->tlsext_status_expected = 0; 1899 s->tlsext_status_expected = 0;
2000 return 1; 1900 return 1;
2001 } 1901 }
2002 /* Set current certificate to one we will use so 1902 /* Set current certificate to one we will use so
2003 * SSL_get_certificate et al can pick it up. 1903 * SSL_get_certificate et al can pick it up.
2004 */ 1904 */
2005 s->cert->key = certpkey; 1905 s->cert->key = certpkey;
2006 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1906 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2007 switch (r) 1907 switch (r) {
2008 {
2009 /* We don't want to send a status request response */ 1908 /* We don't want to send a status request response */
2010 case SSL_TLSEXT_ERR_NOACK: 1909 case SSL_TLSEXT_ERR_NOACK:
2011 s->tlsext_status_expected = 0; 1910 s->tlsext_status_expected = 0;
2012 break; 1911 break;
2013 /* status request response should be sent */ 1912 /* status request response should be sent */
2014 case SSL_TLSEXT_ERR_OK: 1913 case SSL_TLSEXT_ERR_OK:
2015 if (s->tlsext_ocsp_resp) 1914 if (s->tlsext_ocsp_resp)
2016 s->tlsext_status_expected = 1; 1915 s->tlsext_status_expected = 1;
2017 else 1916 else
2018 s->tlsext_status_expected = 0; 1917 s->tlsext_status_expected = 0;
2019 break; 1918 break;
2020 /* something bad happened */ 1919 /* something bad happened */
2021 case SSL_TLSEXT_ERR_ALERT_FATAL: 1920 case SSL_TLSEXT_ERR_ALERT_FATAL:
2022 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1921 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2023 al = SSL_AD_INTERNAL_ERROR; 1922 al = SSL_AD_INTERNAL_ERROR;
2024 goto err; 1923 goto err;
2025 }
2026 } 1924 }
2027 else 1925 } else
2028 s->tlsext_status_expected = 0; 1926 s->tlsext_status_expected = 0;
2029 1927
2030 err: 1928err:
2031 switch (ret) 1929 switch (ret) {
2032 { 1930 case SSL_TLSEXT_ERR_ALERT_FATAL:
2033 case SSL_TLSEXT_ERR_ALERT_FATAL: 1931 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2034 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2035 return -1;
2036 1932
2037 case SSL_TLSEXT_ERR_ALERT_WARNING: 1933 return -1;
2038 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2039 return 1;
2040 1934
2041 default: 1935 case SSL_TLSEXT_ERR_ALERT_WARNING:
2042 return 1; 1936 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2043 } 1937 return 1;
1938
1939
1940 default:
1941 return 1;
2044 } 1942 }
1943}
2045 1944
2046int ssl_check_serverhello_tlsext(SSL *s) 1945int
2047 { 1946ssl_check_serverhello_tlsext(SSL *s)
2048 int ret=SSL_TLSEXT_ERR_NOACK; 1947{
1948 int ret = SSL_TLSEXT_ERR_NOACK;
2049 int al = SSL_AD_UNRECOGNIZED_NAME; 1949 int al = SSL_AD_UNRECOGNIZED_NAME;
2050 1950
2051#ifndef OPENSSL_NO_EC 1951#ifndef OPENSSL_NO_EC
@@ -2055,105 +1955,95 @@ int ssl_check_serverhello_tlsext(SSL *s)
2055 */ 1955 */
2056 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1956 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2057 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1957 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2058 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 1958 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
2059 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 1959 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
2060 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) 1960 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
2061 {
2062 /* we are using an ECC cipher */ 1961 /* we are using an ECC cipher */
2063 size_t i; 1962 size_t i;
2064 unsigned char *list; 1963 unsigned char *list;
2065 int found_uncompressed = 0; 1964 int found_uncompressed = 0;
2066 list = s->session->tlsext_ecpointformatlist; 1965 list = s->session->tlsext_ecpointformatlist;
2067 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) 1966 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2068 { 1967 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2069 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2070 {
2071 found_uncompressed = 1; 1968 found_uncompressed = 1;
2072 break; 1969 break;
2073 }
2074 } 1970 }
2075 if (!found_uncompressed) 1971 }
2076 { 1972 if (!found_uncompressed) {
2077 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1973 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2078 return -1; 1974 return -1;
2079 }
2080 } 1975 }
1976 }
2081 ret = SSL_TLSEXT_ERR_OK; 1977 ret = SSL_TLSEXT_ERR_OK;
2082#endif /* OPENSSL_NO_EC */ 1978#endif /* OPENSSL_NO_EC */
2083 1979
2084 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 1980 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2085 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); 1981 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2086 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1982 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2087 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1983 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2088 1984
2089#ifdef TLSEXT_TYPE_opaque_prf_input 1985#ifdef TLSEXT_TYPE_opaque_prf_input
2090 if (s->s3->server_opaque_prf_input_len > 0) 1986 if (s->s3->server_opaque_prf_input_len > 0) {
2091 {
2092 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs. 1987 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2093 * So first verify that we really have a value from the server too. */ 1988 * So first verify that we really have a value from the server too. */
2094 1989
2095 if (s->s3->server_opaque_prf_input == NULL) 1990 if (s->s3->server_opaque_prf_input == NULL) {
2096 {
2097 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1991 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2098 al = SSL_AD_HANDSHAKE_FAILURE; 1992 al = SSL_AD_HANDSHAKE_FAILURE;
2099 } 1993 }
2100 1994
2101 /* Anytime the server *has* sent an opaque PRF input, we need to check 1995 /* Anytime the server *has* sent an opaque PRF input, we need to check
2102 * that we have a client opaque PRF input of the same size. */ 1996 * that we have a client opaque PRF input of the same size. */
2103 if (s->s3->client_opaque_prf_input == NULL || 1997 if (s->s3->client_opaque_prf_input == NULL ||
2104 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) 1998 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) {
2105 {
2106 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 1999 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2107 al = SSL_AD_ILLEGAL_PARAMETER; 2000 al = SSL_AD_ILLEGAL_PARAMETER;
2108 }
2109 } 2001 }
2002 }
2110#endif 2003#endif
2111 2004
2112 /* If we've requested certificate status and we wont get one 2005 /* If we've requested certificate status and we wont get one
2113 * tell the callback 2006 * tell the callback
2114 */ 2007 */
2115 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) 2008 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2116 && s->ctx && s->ctx->tlsext_status_cb) 2009 && s->ctx && s->ctx->tlsext_status_cb) {
2117 {
2118 int r; 2010 int r;
2119 /* Set resp to NULL, resplen to -1 so callback knows 2011 /* Set resp to NULL, resplen to -1 so callback knows
2120 * there is no response. 2012 * there is no response.
2121 */ 2013 */
2122 if (s->tlsext_ocsp_resp) 2014 if (s->tlsext_ocsp_resp) {
2123 {
2124 OPENSSL_free(s->tlsext_ocsp_resp); 2015 OPENSSL_free(s->tlsext_ocsp_resp);
2125 s->tlsext_ocsp_resp = NULL; 2016 s->tlsext_ocsp_resp = NULL;
2126 } 2017 }
2127 s->tlsext_ocsp_resplen = -1; 2018 s->tlsext_ocsp_resplen = -1;
2128 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2019 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2129 if (r == 0) 2020 if (r == 0) {
2130 {
2131 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2021 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2132 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2022 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2133 } 2023 }
2134 if (r < 0) 2024 if (r < 0) {
2135 {
2136 al = SSL_AD_INTERNAL_ERROR; 2025 al = SSL_AD_INTERNAL_ERROR;
2137 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 2026 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2138 }
2139 } 2027 }
2028 }
2140 2029
2141 switch (ret) 2030 switch (ret) {
2142 { 2031 case SSL_TLSEXT_ERR_ALERT_FATAL:
2143 case SSL_TLSEXT_ERR_ALERT_FATAL: 2032 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2144 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2145 return -1;
2146 2033
2147 case SSL_TLSEXT_ERR_ALERT_WARNING: 2034 return -1;
2148 ssl3_send_alert(s,SSL3_AL_WARNING,al); 2035
2149 return 1; 2036 case SSL_TLSEXT_ERR_ALERT_WARNING:
2150 2037 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2151 case SSL_TLSEXT_ERR_NOACK: 2038 return 1;
2152 s->servername_done=0; 2039
2153 default: 2040
2041 case SSL_TLSEXT_ERR_NOACK:
2042 s->servername_done = 0;
2043 default:
2154 return 1; 2044 return 1;
2155 }
2156 } 2045 }
2046}
2157 2047
2158/* Since the server cache lookup is done early on in the processing of the 2048/* Since the server cache lookup is done early on in the processing of the
2159 * ClientHello, and other operations depend on the result, we need to handle 2049 * ClientHello, and other operations depend on the result, we need to handle
@@ -2188,9 +2078,10 @@ int ssl_check_serverhello_tlsext(SSL *s)
2188 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. 2078 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2189 * Otherwise, s->tlsext_ticket_expected is set to 0. 2079 * Otherwise, s->tlsext_ticket_expected is set to 0.
2190 */ 2080 */
2191int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 2081int
2192 const unsigned char *limit, SSL_SESSION **ret) 2082tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2193 { 2083 const unsigned char *limit, SSL_SESSION **ret)
2084{
2194 /* Point after session ID in client hello */ 2085 /* Point after session ID in client hello */
2195 const unsigned char *p = session_id + len; 2086 const unsigned char *p = session_id + len;
2196 unsigned short i; 2087 unsigned short i;
@@ -2208,16 +2099,15 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2208 if (p >= limit) 2099 if (p >= limit)
2209 return -1; 2100 return -1;
2210 /* Skip past DTLS cookie */ 2101 /* Skip past DTLS cookie */
2211 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 2102 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
2212 {
2213 i = *(p++); 2103 i = *(p++);
2214 p+= i; 2104 p += i;
2215 if (p >= limit) 2105 if (p >= limit)
2216 return -1; 2106 return -1;
2217 } 2107 }
2218 /* Skip past cipher list */ 2108 /* Skip past cipher list */
2219 n2s(p, i); 2109 n2s(p, i);
2220 p+= i; 2110 p += i;
2221 if (p >= limit) 2111 if (p >= limit)
2222 return -1; 2112 return -1;
2223 /* Skip past compression algorithm list */ 2113 /* Skip past compression algorithm list */
@@ -2229,51 +2119,46 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2229 if ((p + 2) >= limit) 2119 if ((p + 2) >= limit)
2230 return 0; 2120 return 0;
2231 n2s(p, i); 2121 n2s(p, i);
2232 while ((p + 4) <= limit) 2122 while ((p + 4) <= limit) {
2233 {
2234 unsigned short type, size; 2123 unsigned short type, size;
2235 n2s(p, type); 2124 n2s(p, type);
2236 n2s(p, size); 2125 n2s(p, size);
2237 if (p + size > limit) 2126 if (p + size > limit)
2238 return 0; 2127 return 0;
2239 if (type == TLSEXT_TYPE_session_ticket) 2128 if (type == TLSEXT_TYPE_session_ticket) {
2240 {
2241 int r; 2129 int r;
2242 if (size == 0) 2130 if (size == 0) {
2243 {
2244 /* The client will accept a ticket but doesn't 2131 /* The client will accept a ticket but doesn't
2245 * currently have one. */ 2132 * currently have one. */
2246 s->tlsext_ticket_expected = 1; 2133 s->tlsext_ticket_expected = 1;
2247 return 1; 2134 return 1;
2248 } 2135 }
2249 if (s->tls_session_secret_cb) 2136 if (s->tls_session_secret_cb) {
2250 {
2251 /* Indicate that the ticket couldn't be 2137 /* Indicate that the ticket couldn't be
2252 * decrypted rather than generating the session 2138 * decrypted rather than generating the session
2253 * from ticket now, trigger abbreviated 2139 * from ticket now, trigger abbreviated
2254 * handshake based on external mechanism to 2140 * handshake based on external mechanism to
2255 * calculate the master secret later. */ 2141 * calculate the master secret later. */
2256 return 2; 2142 return 2;
2257 } 2143 }
2258 r = tls_decrypt_ticket(s, p, size, session_id, len, ret); 2144 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2259 switch (r) 2145 switch (r) {
2260 { 2146 case 2: /* ticket couldn't be decrypted */
2261 case 2: /* ticket couldn't be decrypted */ 2147 s->tlsext_ticket_expected = 1;
2262 s->tlsext_ticket_expected = 1; 2148 return 2;
2263 return 2; 2149 case 3: /* ticket was decrypted */
2264 case 3: /* ticket was decrypted */ 2150 return r;
2265 return r; 2151 case 4: /* ticket decrypted but need to renew */
2266 case 4: /* ticket decrypted but need to renew */ 2152 s->tlsext_ticket_expected = 1;
2267 s->tlsext_ticket_expected = 1; 2153 return 3;
2268 return 3; 2154 default: /* fatal error */
2269 default: /* fatal error */ 2155 return -1;
2270 return -1;
2271 }
2272 } 2156 }
2273 p += size;
2274 } 2157 }
2275 return 0; 2158 p += size;
2276 } 2159 }
2160 return 0;
2161}
2277 2162
2278/* tls_decrypt_ticket attempts to decrypt a session ticket. 2163/* tls_decrypt_ticket attempts to decrypt a session ticket.
2279 * 2164 *
@@ -2290,10 +2175,10 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2290 * 3: a ticket was successfully decrypted and *psess was set. 2175 * 3: a ticket was successfully decrypted and *psess was set.
2291 * 4: same as 3, but the ticket needs to be renewed. 2176 * 4: same as 3, but the ticket needs to be renewed.
2292 */ 2177 */
2293static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2178static int
2294 const unsigned char *sess_id, int sesslen, 2179tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2295 SSL_SESSION **psess) 2180 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess)
2296 { 2181{
2297 SSL_SESSION *sess; 2182 SSL_SESSION *sess;
2298 unsigned char *sdec; 2183 unsigned char *sdec;
2299 const unsigned char *p; 2184 const unsigned char *p;
@@ -2308,37 +2193,33 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2308 /* Initialize session ticket encryption and HMAC contexts */ 2193 /* Initialize session ticket encryption and HMAC contexts */
2309 HMAC_CTX_init(&hctx); 2194 HMAC_CTX_init(&hctx);
2310 EVP_CIPHER_CTX_init(&ctx); 2195 EVP_CIPHER_CTX_init(&ctx);
2311 if (tctx->tlsext_ticket_key_cb) 2196 if (tctx->tlsext_ticket_key_cb) {
2312 {
2313 unsigned char *nctick = (unsigned char *)etick; 2197 unsigned char *nctick = (unsigned char *)etick;
2314 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, 2198 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2315 &ctx, &hctx, 0); 2199 &ctx, &hctx, 0);
2316 if (rv < 0) 2200 if (rv < 0)
2317 return -1; 2201 return -1;
2318 if (rv == 0) 2202 if (rv == 0)
2319 return 2; 2203 return 2;
2320 if (rv == 2) 2204 if (rv == 2)
2321 renew_ticket = 1; 2205 renew_ticket = 1;
2322 } 2206 } else {
2323 else
2324 {
2325 /* Check key name matches */ 2207 /* Check key name matches */
2326 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2208 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2327 return 2; 2209 return 2;
2328 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2210 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2329 tlsext_tick_md(), NULL); 2211 tlsext_tick_md(), NULL);
2330 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2212 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2331 tctx->tlsext_tick_aes_key, etick + 16); 2213 tctx->tlsext_tick_aes_key, etick + 16);
2332 } 2214 }
2333 /* Attempt to process session ticket, first conduct sanity and 2215 /* Attempt to process session ticket, first conduct sanity and
2334 * integrity checks on ticket. 2216 * integrity checks on ticket.
2335 */ 2217 */
2336 mlen = HMAC_size(&hctx); 2218 mlen = HMAC_size(&hctx);
2337 if (mlen < 0) 2219 if (mlen < 0) {
2338 {
2339 EVP_CIPHER_CTX_cleanup(&ctx); 2220 EVP_CIPHER_CTX_cleanup(&ctx);
2340 return -1; 2221 return -1;
2341 } 2222 }
2342 eticklen -= mlen; 2223 eticklen -= mlen;
2343 /* Check HMAC of encrypted ticket */ 2224 /* Check HMAC of encrypted ticket */
2344 HMAC_Update(&hctx, etick, eticklen); 2225 HMAC_Update(&hctx, etick, eticklen);
@@ -2351,11 +2232,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2351 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2232 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2352 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2233 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2353 sdec = OPENSSL_malloc(eticklen); 2234 sdec = OPENSSL_malloc(eticklen);
2354 if (!sdec) 2235 if (!sdec) {
2355 {
2356 EVP_CIPHER_CTX_cleanup(&ctx); 2236 EVP_CIPHER_CTX_cleanup(&ctx);
2357 return -1; 2237 return -1;
2358 } 2238 }
2359 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2239 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2360 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 2240 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2361 return 2; 2241 return 2;
@@ -2365,8 +2245,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2365 2245
2366 sess = d2i_SSL_SESSION(NULL, &p, slen); 2246 sess = d2i_SSL_SESSION(NULL, &p, slen);
2367 OPENSSL_free(sdec); 2247 OPENSSL_free(sdec);
2368 if (sess) 2248 if (sess) {
2369 {
2370 /* The session ID, if non-empty, is used by some clients to 2249 /* The session ID, if non-empty, is used by some clients to
2371 * detect that the ticket has been accepted. So we copy it to 2250 * detect that the ticket has been accepted. So we copy it to
2372 * the session structure. If it is empty set length to zero 2251 * the session structure. If it is empty set length to zero
@@ -2380,20 +2259,19 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2380 return 4; 2259 return 4;
2381 else 2260 else
2382 return 3; 2261 return 3;
2383 } 2262 }
2384 ERR_clear_error(); 2263 ERR_clear_error();
2385 /* For session parse failure, indicate that we need to send a new 2264 /* For session parse failure, indicate that we need to send a new
2386 * ticket. */ 2265 * ticket. */
2387 return 2; 2266 return 2;
2388 } 2267}
2389 2268
2390/* Tables to translate from NIDs to TLS v1.2 ids */ 2269/* Tables to translate from NIDs to TLS v1.2 ids */
2391 2270
2392typedef struct 2271typedef struct {
2393 {
2394 int nid; 2272 int nid;
2395 int id; 2273 int id;
2396 } tls12_lookup; 2274} tls12_lookup;
2397 2275
2398static tls12_lookup tls12_md[] = { 2276static tls12_lookup tls12_md[] = {
2399#ifndef OPENSSL_NO_MD5 2277#ifndef OPENSSL_NO_MD5
@@ -2424,36 +2302,37 @@ static tls12_lookup tls12_sig[] = {
2424#endif 2302#endif
2425}; 2303};
2426 2304
2427static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) 2305static int
2428 { 2306tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2307{
2429 size_t i; 2308 size_t i;
2430 for (i = 0; i < tlen; i++) 2309 for (i = 0; i < tlen; i++) {
2431 {
2432 if (table[i].nid == nid) 2310 if (table[i].nid == nid)
2433 return table[i].id; 2311 return table[i].id;
2434 }
2435 return -1;
2436 } 2312 }
2313 return -1;
2314}
2437#if 0 2315#if 0
2438static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) 2316static int
2439 { 2317tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2318{
2440 size_t i; 2319 size_t i;
2441 for (i = 0; i < tlen; i++) 2320 for (i = 0; i < tlen; i++) {
2442 {
2443 if (table[i].id == id) 2321 if (table[i].id == id)
2444 return table[i].nid; 2322 return table[i].nid;
2445 }
2446 return -1;
2447 } 2323 }
2324 return -1;
2325}
2448#endif 2326#endif
2449 2327
2450int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) 2328int
2451 { 2329tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2330{
2452 int sig_id, md_id; 2331 int sig_id, md_id;
2453 if (!md) 2332 if (!md)
2454 return 0; 2333 return 0;
2455 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, 2334 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2456 sizeof(tls12_md)/sizeof(tls12_lookup)); 2335 sizeof(tls12_md)/sizeof(tls12_lookup));
2457 if (md_id == -1) 2336 if (md_id == -1)
2458 return 0; 2337 return 0;
2459 sig_id = tls12_get_sigid(pk); 2338 sig_id = tls12_get_sigid(pk);
@@ -2462,46 +2341,48 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2462 p[0] = (unsigned char)md_id; 2341 p[0] = (unsigned char)md_id;
2463 p[1] = (unsigned char)sig_id; 2342 p[1] = (unsigned char)sig_id;
2464 return 1; 2343 return 1;
2465 } 2344}
2466 2345
2467int tls12_get_sigid(const EVP_PKEY *pk) 2346int
2468 { 2347tls12_get_sigid(const EVP_PKEY *pk)
2348{
2469 return tls12_find_id(pk->type, tls12_sig, 2349 return tls12_find_id(pk->type, tls12_sig,
2470 sizeof(tls12_sig)/sizeof(tls12_lookup)); 2350 sizeof(tls12_sig)/sizeof(tls12_lookup));
2471 } 2351}
2472 2352
2473const EVP_MD *tls12_get_hash(unsigned char hash_alg) 2353const EVP_MD
2474 { 2354*tls12_get_hash(unsigned char hash_alg)
2475 switch(hash_alg) 2355{
2476 { 2356 switch (hash_alg) {
2477#ifndef OPENSSL_NO_SHA 2357#ifndef OPENSSL_NO_SHA
2478 case TLSEXT_hash_sha1: 2358 case TLSEXT_hash_sha1:
2479 return EVP_sha1(); 2359 return EVP_sha1();
2480#endif 2360#endif
2481#ifndef OPENSSL_NO_SHA256 2361#ifndef OPENSSL_NO_SHA256
2482 case TLSEXT_hash_sha224: 2362 case TLSEXT_hash_sha224:
2483 return EVP_sha224(); 2363 return EVP_sha224();
2484 2364
2485 case TLSEXT_hash_sha256: 2365 case TLSEXT_hash_sha256:
2486 return EVP_sha256(); 2366 return EVP_sha256();
2487#endif 2367#endif
2488#ifndef OPENSSL_NO_SHA512 2368#ifndef OPENSSL_NO_SHA512
2489 case TLSEXT_hash_sha384: 2369 case TLSEXT_hash_sha384:
2490 return EVP_sha384(); 2370 return EVP_sha384();
2491 2371
2492 case TLSEXT_hash_sha512: 2372 case TLSEXT_hash_sha512:
2493 return EVP_sha512(); 2373 return EVP_sha512();
2494#endif 2374#endif
2495 default: 2375 default:
2496 return NULL; 2376 return NULL;
2497 2377
2498 }
2499 } 2378 }
2379}
2500 2380
2501/* Set preferred digest for each key type */ 2381/* Set preferred digest for each key type */
2502 2382
2503int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) 2383int
2504 { 2384tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2385{
2505 int i, idx; 2386 int i, idx;
2506 const EVP_MD *md; 2387 const EVP_MD *md;
2507 CERT *c = s->cert; 2388 CERT *c = s->cert;
@@ -2517,44 +2398,40 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2517 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2398 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2518 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2399 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2519 2400
2520 for (i = 0; i < dsize; i += 2) 2401 for (i = 0; i < dsize; i += 2) {
2521 { 2402 unsigned char hash_alg = data[i], sig_alg = data[i + 1];
2522 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2523 2403
2524 switch(sig_alg) 2404 switch (sig_alg) {
2525 {
2526#ifndef OPENSSL_NO_RSA 2405#ifndef OPENSSL_NO_RSA
2527 case TLSEXT_signature_rsa: 2406 case TLSEXT_signature_rsa:
2528 idx = SSL_PKEY_RSA_SIGN; 2407 idx = SSL_PKEY_RSA_SIGN;
2529 break; 2408 break;
2530#endif 2409#endif
2531#ifndef OPENSSL_NO_DSA 2410#ifndef OPENSSL_NO_DSA
2532 case TLSEXT_signature_dsa: 2411 case TLSEXT_signature_dsa:
2533 idx = SSL_PKEY_DSA_SIGN; 2412 idx = SSL_PKEY_DSA_SIGN;
2534 break; 2413 break;
2535#endif 2414#endif
2536#ifndef OPENSSL_NO_ECDSA 2415#ifndef OPENSSL_NO_ECDSA
2537 case TLSEXT_signature_ecdsa: 2416 case TLSEXT_signature_ecdsa:
2538 idx = SSL_PKEY_ECC; 2417 idx = SSL_PKEY_ECC;
2539 break; 2418 break;
2540#endif 2419#endif
2541 default: 2420 default:
2542 continue; 2421 continue;
2543 } 2422 }
2544 2423
2545 if (c->pkeys[idx].digest == NULL) 2424 if (c->pkeys[idx].digest == NULL) {
2546 {
2547 md = tls12_get_hash(hash_alg); 2425 md = tls12_get_hash(hash_alg);
2548 if (md) 2426 if (md) {
2549 {
2550 c->pkeys[idx].digest = md; 2427 c->pkeys[idx].digest = md;
2551 if (idx == SSL_PKEY_RSA_SIGN) 2428 if (idx == SSL_PKEY_RSA_SIGN)
2552 c->pkeys[SSL_PKEY_RSA_ENC].digest = md; 2429 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2553 }
2554 } 2430 }
2555
2556 } 2431 }
2557 2432
2433 }
2434
2558 2435
2559 /* Set any remaining keys to default values. NOTE: if alg is not 2436 /* Set any remaining keys to default values. NOTE: if alg is not
2560 * supported it stays as NULL. 2437 * supported it stays as NULL.
@@ -2564,25 +2441,24 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2564 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2441 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2565#endif 2442#endif
2566#ifndef OPENSSL_NO_RSA 2443#ifndef OPENSSL_NO_RSA
2567 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) 2444 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2568 {
2569 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2445 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2570 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2446 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2571 } 2447 }
2572#endif 2448#endif
2573#ifndef OPENSSL_NO_ECDSA 2449#ifndef OPENSSL_NO_ECDSA
2574 if (!c->pkeys[SSL_PKEY_ECC].digest) 2450 if (!c->pkeys[SSL_PKEY_ECC].digest)
2575 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2451 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2576#endif 2452#endif
2577 return 1; 2453 return 1;
2578 } 2454}
2579 2455
2580#endif 2456#endif
2581 2457
2582#ifndef OPENSSL_NO_HEARTBEATS 2458#ifndef OPENSSL_NO_HEARTBEATS
2583int 2459int
2584tls1_process_heartbeat(SSL *s) 2460tls1_process_heartbeat(SSL *s)
2585 { 2461{
2586 unsigned char *p = &s->s3->rrec.data[0], *pl; 2462 unsigned char *p = &s->s3->rrec.data[0], *pl;
2587 unsigned short hbtype; 2463 unsigned short hbtype;
2588 unsigned int payload; 2464 unsigned int payload;
@@ -2590,8 +2466,8 @@ tls1_process_heartbeat(SSL *s)
2590 2466
2591 if (s->msg_callback) 2467 if (s->msg_callback)
2592 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 2468 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2593 &s->s3->rrec.data[0], s->s3->rrec.length, 2469 &s->s3->rrec.data[0], s->s3->rrec.length,
2594 s, s->msg_callback_arg); 2470 s, s->msg_callback_arg);
2595 2471
2596 /* Read type and payload length first */ 2472 /* Read type and payload length first */
2597 if (1 + 2 + 16 > s->s3->rrec.length) 2473 if (1 + 2 + 16 > s->s3->rrec.length)
@@ -2602,8 +2478,7 @@ tls1_process_heartbeat(SSL *s)
2602 return 0; /* silently discard per RFC 6520 sec. 4 */ 2478 return 0; /* silently discard per RFC 6520 sec. 4 */
2603 pl = p; 2479 pl = p;
2604 2480
2605 if (hbtype == TLS1_HB_REQUEST) 2481 if (hbtype == TLS1_HB_REQUEST) {
2606 {
2607 unsigned char *buffer, *bp; 2482 unsigned char *buffer, *bp;
2608 int r; 2483 int r;
2609 2484
@@ -2613,7 +2488,7 @@ tls1_process_heartbeat(SSL *s)
2613 */ 2488 */
2614 buffer = OPENSSL_malloc(1 + 2 + payload + padding); 2489 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2615 bp = buffer; 2490 bp = buffer;
2616 2491
2617 /* Enter response type, length and copy payload */ 2492 /* Enter response type, length and copy payload */
2618 *bp++ = TLS1_HB_RESPONSE; 2493 *bp++ = TLS1_HB_RESPONSE;
2619 s2n(payload, bp); 2494 s2n(payload, bp);
@@ -2626,36 +2501,33 @@ tls1_process_heartbeat(SSL *s)
2626 2501
2627 if (r >= 0 && s->msg_callback) 2502 if (r >= 0 && s->msg_callback)
2628 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2503 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2629 buffer, 3 + payload + padding, 2504 buffer, 3 + payload + padding,
2630 s, s->msg_callback_arg); 2505 s, s->msg_callback_arg);
2631 2506
2632 OPENSSL_free(buffer); 2507 OPENSSL_free(buffer);
2633 2508
2634 if (r < 0) 2509 if (r < 0)
2635 return r; 2510 return r;
2636 } 2511 } else if (hbtype == TLS1_HB_RESPONSE) {
2637 else if (hbtype == TLS1_HB_RESPONSE)
2638 {
2639 unsigned int seq; 2512 unsigned int seq;
2640 2513
2641 /* We only send sequence numbers (2 bytes unsigned int), 2514 /* We only send sequence numbers (2 bytes unsigned int),
2642 * and 16 random bytes, so we just try to read the 2515 * and 16 random bytes, so we just try to read the
2643 * sequence number */ 2516 * sequence number */
2644 n2s(pl, seq); 2517 n2s(pl, seq);
2645 2518
2646 if (payload == 18 && seq == s->tlsext_hb_seq) 2519 if (payload == 18 && seq == s->tlsext_hb_seq) {
2647 {
2648 s->tlsext_hb_seq++; 2520 s->tlsext_hb_seq++;
2649 s->tlsext_hb_pending = 0; 2521 s->tlsext_hb_pending = 0;
2650 }
2651 } 2522 }
2523 }
2652 2524
2653 return 0; 2525 return 0;
2654 } 2526}
2655 2527
2656int 2528int
2657tls1_heartbeat(SSL *s) 2529tls1_heartbeat(SSL *s)
2658 { 2530{
2659 unsigned char *buf, *p; 2531 unsigned char *buf, *p;
2660 int ret; 2532 int ret;
2661 unsigned int payload = 18; /* Sequence number + random bytes */ 2533 unsigned int payload = 18; /* Sequence number + random bytes */
@@ -2663,26 +2535,23 @@ tls1_heartbeat(SSL *s)
2663 2535
2664 /* Only send if peer supports and accepts HB requests... */ 2536 /* Only send if peer supports and accepts HB requests... */
2665 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || 2537 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2666 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) 2538 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
2667 { 2539 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2668 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2669 return -1; 2540 return -1;
2670 } 2541 }
2671 2542
2672 /* ...and there is none in flight yet... */ 2543 /* ...and there is none in flight yet... */
2673 if (s->tlsext_hb_pending) 2544 if (s->tlsext_hb_pending) {
2674 { 2545 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
2675 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2676 return -1; 2546 return -1;
2677 } 2547 }
2678 2548
2679 /* ...and no handshake in progress. */ 2549 /* ...and no handshake in progress. */
2680 if (SSL_in_init(s) || s->in_handshake) 2550 if (SSL_in_init(s) || s->in_handshake) {
2681 { 2551 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
2682 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2683 return -1; 2552 return -1;
2684 } 2553 }
2685 2554
2686 /* Check if padding is too long, payload and padding 2555 /* Check if padding is too long, payload and padding
2687 * must not exceed 2^14 - 3 = 16381 bytes in total. 2556 * must not exceed 2^14 - 3 = 16381 bytes in total.
2688 */ 2557 */
@@ -2712,18 +2581,17 @@ tls1_heartbeat(SSL *s)
2712 RAND_pseudo_bytes(p, padding); 2581 RAND_pseudo_bytes(p, padding);
2713 2582
2714 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 2583 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2715 if (ret >= 0) 2584 if (ret >= 0) {
2716 {
2717 if (s->msg_callback) 2585 if (s->msg_callback)
2718 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 2586 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2719 buf, 3 + payload + padding, 2587 buf, 3 + payload + padding,
2720 s, s->msg_callback_arg); 2588 s, s->msg_callback_arg);
2721 2589
2722 s->tlsext_hb_pending = 1; 2590 s->tlsext_hb_pending = 1;
2723 } 2591 }
2724 2592
2725 OPENSSL_free(buf); 2593 OPENSSL_free(buf);
2726 2594
2727 return ret; 2595 return ret;
2728 } 2596}
2729#endif 2597#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-14 08:36:47 +0000