Ubuntu
openssl package

Merge lp:~ubuntu-branches/ubuntu/precise/openssl/precise-201203301638 into lp:ubuntu/precise/openssl

  1. Precise (12.04)
  2. precise-201203301638
  3. Merge into precise
Proposed by Ubuntu Package Importer
Status: Rejected
Rejected by: James Westby
Proposed branch: lp:~ubuntu-branches/ubuntu/precise/openssl/precise-201203301638
Merge into: lp:ubuntu/precise/openssl
Diff against target: 3399 lines (+3380/-0) (has conflicts)
3 files modified
.pc/tls12_workarounds.patch/ssl/s23_clnt.c (+746/-0)
.pc/tls12_workarounds.patch/ssl/t1_lib.c (+2578/-0)
debian/patches/tls12_workarounds.patch (+56/-0)
Conflict adding file .pc/tls12_workarounds.patch.  Moved existing file to .pc/tls12_workarounds.patch.moved.
Conflict adding file debian/patches/tls12_workarounds.patch.  Moved existing file to debian/patches/tls12_workarounds.patch.moved.
To merge this branch: bzr merge lp:~ubuntu-branches/ubuntu/precise/openssl/precise-201203301638
Reviewer Review Type Date Requested Status
Ubuntu branches Pending
Review via email: mp+100193@code.launchpad.net

Description of the change

The package importer has detected a possible inconsistency between the package history in the archive and the history in bzr. As the archive is authoritative the importer has made lp:ubuntu/precise/openssl reflect what is in the archive and the old bzr branch has been pushed to lp:~ubuntu-branches/ubuntu/precise/openssl/precise-201203301638. This merge proposal was created so that an Ubuntu developer can review the situations and perform a merge/upload if necessary. There are three typical cases where this can happen.
  1. Where someone pushes a change to bzr and someone else uploads the package without that change. This is the reason that this check is done by the importer. If this appears to be the case then a merge/upload should be done if the changes that were in bzr are still desirable.
  2. The importer incorrectly detected the above situation when someone made a change in bzr and then uploaded it.
  3. The importer incorrectly detected the above situation when someone just uploaded a package and didn't touch bzr.

If this case doesn't appear to be the first situation then set the status of the merge proposal to "Rejected" and help avoid the problem in future by filing a bug at https://bugs.launchpad.net/udd linking to this merge proposal.

(this is an automatically generated message)

To post a comment you must log in.

Unmerged revisions

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== added directory '.pc/tls12_workarounds.patch'
2=== renamed directory '.pc/tls12_workarounds.patch' => '.pc/tls12_workarounds.patch.moved'
3=== added directory '.pc/tls12_workarounds.patch/ssl'
4=== added file '.pc/tls12_workarounds.patch/ssl/s23_clnt.c'
5--- .pc/tls12_workarounds.patch/ssl/s23_clnt.c 1970-01-01 00:00:00 +0000
6+++ .pc/tls12_workarounds.patch/ssl/s23_clnt.c 2012-03-30 17:06:51 +0000
7@@ -0,0 +1,746 @@
8+/* ssl/s23_clnt.c */
9+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
10+ * All rights reserved.
11+ *
12+ * This package is an SSL implementation written
13+ * by Eric Young (eay@cryptsoft.com).
14+ * The implementation was written so as to conform with Netscapes SSL.
15+ *
16+ * This library is free for commercial and non-commercial use as long as
17+ * the following conditions are aheared to. The following conditions
18+ * apply to all code found in this distribution, be it the RC4, RSA,
19+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
20+ * included with this distribution is covered by the same copyright terms
21+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
22+ *
23+ * Copyright remains Eric Young's, and as such any Copyright notices in
24+ * the code are not to be removed.
25+ * If this package is used in a product, Eric Young should be given attribution
26+ * as the author of the parts of the library used.
27+ * This can be in the form of a textual message at program startup or
28+ * in documentation (online or textual) provided with the package.
29+ *
30+ * Redistribution and use in source and binary forms, with or without
31+ * modification, are permitted provided that the following conditions
32+ * are met:
33+ * 1. Redistributions of source code must retain the copyright
34+ * notice, this list of conditions and the following disclaimer.
35+ * 2. Redistributions in binary form must reproduce the above copyright
36+ * notice, this list of conditions and the following disclaimer in the
37+ * documentation and/or other materials provided with the distribution.
38+ * 3. All advertising materials mentioning features or use of this software
39+ * must display the following acknowledgement:
40+ * "This product includes cryptographic software written by
41+ * Eric Young (eay@cryptsoft.com)"
42+ * The word 'cryptographic' can be left out if the rouines from the library
43+ * being used are not cryptographic related :-).
44+ * 4. If you include any Windows specific code (or a derivative thereof) from
45+ * the apps directory (application code) you must include an acknowledgement:
46+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
47+ *
48+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
49+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
52+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58+ * SUCH DAMAGE.
59+ *
60+ * The licence and distribution terms for any publically available version or
61+ * derivative of this code cannot be changed. i.e. this code cannot simply be
62+ * copied and put under another distribution licence
63+ * [including the GNU Public Licence.]
64+ */
65+/* ====================================================================
66+ * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
67+ *
68+ * Redistribution and use in source and binary forms, with or without
69+ * modification, are permitted provided that the following conditions
70+ * are met:
71+ *
72+ * 1. Redistributions of source code must retain the above copyright
73+ * notice, this list of conditions and the following disclaimer.
74+ *
75+ * 2. Redistributions in binary form must reproduce the above copyright
76+ * notice, this list of conditions and the following disclaimer in
77+ * the documentation and/or other materials provided with the
78+ * distribution.
79+ *
80+ * 3. All advertising materials mentioning features or use of this
81+ * software must display the following acknowledgment:
82+ * "This product includes software developed by the OpenSSL Project
83+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
84+ *
85+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
86+ * endorse or promote products derived from this software without
87+ * prior written permission. For written permission, please contact
88+ * openssl-core@openssl.org.
89+ *
90+ * 5. Products derived from this software may not be called "OpenSSL"
91+ * nor may "OpenSSL" appear in their names without prior written
92+ * permission of the OpenSSL Project.
93+ *
94+ * 6. Redistributions of any form whatsoever must retain the following
95+ * acknowledgment:
96+ * "This product includes software developed by the OpenSSL Project
97+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
98+ *
99+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
100+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
101+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
102+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
103+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
104+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
105+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
106+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
107+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
108+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
109+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
110+ * OF THE POSSIBILITY OF SUCH DAMAGE.
111+ * ====================================================================
112+ *
113+ * This product includes cryptographic software written by Eric Young
114+ * (eay@cryptsoft.com). This product includes software written by Tim
115+ * Hudson (tjh@cryptsoft.com).
116+ *
117+ */
118+
119+#include <stdio.h>
120+#include "ssl_locl.h"
121+#include <openssl/buffer.h>
122+#include <openssl/rand.h>
123+#include <openssl/objects.h>
124+#include <openssl/evp.h>
125+
126+static const SSL_METHOD *ssl23_get_client_method(int ver);
127+static int ssl23_client_hello(SSL *s);
128+static int ssl23_get_server_hello(SSL *s);
129+static const SSL_METHOD *ssl23_get_client_method(int ver)
130+ {
131+#ifndef OPENSSL_NO_SSL2
132+ if (ver == SSL2_VERSION)
133+ return(SSLv2_client_method());
134+#endif
135+ if (ver == SSL3_VERSION)
136+ return(SSLv3_client_method());
137+ else if (ver == TLS1_VERSION)
138+ return(TLSv1_client_method());
139+ else if (ver == TLS1_1_VERSION)
140+ return(TLSv1_1_client_method());
141+ else if (ver == TLS1_2_VERSION)
142+ return(TLSv1_2_client_method());
143+ else
144+ return(NULL);
145+ }
146+
147+IMPLEMENT_ssl23_meth_func(SSLv23_client_method,
148+ ssl_undefined_function,
149+ ssl23_connect,
150+ ssl23_get_client_method)
151+
152+int ssl23_connect(SSL *s)
153+ {
154+ BUF_MEM *buf=NULL;
155+ unsigned long Time=(unsigned long)time(NULL);
156+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
157+ int ret= -1;
158+ int new_state,state;
159+
160+ RAND_add(&Time,sizeof(Time),0);
161+ ERR_clear_error();
162+ clear_sys_error();
163+
164+ if (s->info_callback != NULL)
165+ cb=s->info_callback;
166+ else if (s->ctx->info_callback != NULL)
167+ cb=s->ctx->info_callback;
168+
169+ s->in_handshake++;
170+ if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
171+
172+ for (;;)
173+ {
174+ state=s->state;
175+
176+ switch(s->state)
177+ {
178+ case SSL_ST_BEFORE:
179+ case SSL_ST_CONNECT:
180+ case SSL_ST_BEFORE|SSL_ST_CONNECT:
181+ case SSL_ST_OK|SSL_ST_CONNECT:
182+
183+ if (s->session != NULL)
184+ {
185+ SSLerr(SSL_F_SSL23_CONNECT,SSL_R_SSL23_DOING_SESSION_ID_REUSE);
186+ ret= -1;
187+ goto end;
188+ }
189+ s->server=0;
190+ if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
191+
192+ /* s->version=TLS1_VERSION; */
193+ s->type=SSL_ST_CONNECT;
194+
195+ if (s->init_buf == NULL)
196+ {
197+ if ((buf=BUF_MEM_new()) == NULL)
198+ {
199+ ret= -1;
200+ goto end;
201+ }
202+ if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
203+ {
204+ ret= -1;
205+ goto end;
206+ }
207+ s->init_buf=buf;
208+ buf=NULL;
209+ }
210+
211+ if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
212+
213+ ssl3_init_finished_mac(s);
214+
215+ s->state=SSL23_ST_CW_CLNT_HELLO_A;
216+ s->ctx->stats.sess_connect++;
217+ s->init_num=0;
218+ break;
219+
220+ case SSL23_ST_CW_CLNT_HELLO_A:
221+ case SSL23_ST_CW_CLNT_HELLO_B:
222+
223+ s->shutdown=0;
224+ ret=ssl23_client_hello(s);
225+ if (ret <= 0) goto end;
226+ s->state=SSL23_ST_CR_SRVR_HELLO_A;
227+ s->init_num=0;
228+
229+ break;
230+
231+ case SSL23_ST_CR_SRVR_HELLO_A:
232+ case SSL23_ST_CR_SRVR_HELLO_B:
233+ ret=ssl23_get_server_hello(s);
234+ if (ret >= 0) cb=NULL;
235+ goto end;
236+ /* break; */
237+
238+ default:
239+ SSLerr(SSL_F_SSL23_CONNECT,SSL_R_UNKNOWN_STATE);
240+ ret= -1;
241+ goto end;
242+ /* break; */
243+ }
244+
245+ if (s->debug) { (void)BIO_flush(s->wbio); }
246+
247+ if ((cb != NULL) && (s->state != state))
248+ {
249+ new_state=s->state;
250+ s->state=state;
251+ cb(s,SSL_CB_CONNECT_LOOP,1);
252+ s->state=new_state;
253+ }
254+ }
255+end:
256+ s->in_handshake--;
257+ if (buf != NULL)
258+ BUF_MEM_free(buf);
259+ if (cb != NULL)
260+ cb(s,SSL_CB_CONNECT_EXIT,ret);
261+ return(ret);
262+ }
263+
264+static int ssl23_no_ssl2_ciphers(SSL *s)
265+ {
266+ SSL_CIPHER *cipher;
267+ STACK_OF(SSL_CIPHER) *ciphers;
268+ int i;
269+ ciphers = SSL_get_ciphers(s);
270+ for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++)
271+ {
272+ cipher = sk_SSL_CIPHER_value(ciphers, i);
273+ if (cipher->algorithm_ssl == SSL_SSLV2)
274+ return 0;
275+ }
276+ return 1;
277+ }
278+
279+static int ssl23_client_hello(SSL *s)
280+ {
281+ unsigned char *buf;
282+ unsigned char *p,*d;
283+ int i,ch_len;
284+ unsigned long Time,l;
285+ int ssl2_compat;
286+ int version = 0, version_major, version_minor;
287+#ifndef OPENSSL_NO_COMP
288+ int j;
289+ SSL_COMP *comp;
290+#endif
291+ int ret;
292+
293+ ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;
294+
295+ if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
296+ ssl2_compat = 0;
297+
298+ if (!(s->options & SSL_OP_NO_TLSv1_2))
299+ {
300+ version = TLS1_2_VERSION;
301+ }
302+ else if (!(s->options & SSL_OP_NO_TLSv1_1))
303+ {
304+ version = TLS1_1_VERSION;
305+ }
306+ else if (!(s->options & SSL_OP_NO_TLSv1))
307+ {
308+ version = TLS1_VERSION;
309+ }
310+ else if (!(s->options & SSL_OP_NO_SSLv3))
311+ {
312+ version = SSL3_VERSION;
313+ }
314+ else if (!(s->options & SSL_OP_NO_SSLv2))
315+ {
316+ version = SSL2_VERSION;
317+ }
318+#ifndef OPENSSL_NO_TLSEXT
319+ if (version != SSL2_VERSION)
320+ {
321+ /* have to disable SSL 2.0 compatibility if we need TLS extensions */
322+
323+ if (s->tlsext_hostname != NULL)
324+ ssl2_compat = 0;
325+ if (s->tlsext_status_type != -1)
326+ ssl2_compat = 0;
327+#ifdef TLSEXT_TYPE_opaque_prf_input
328+ if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
329+ ssl2_compat = 0;
330+#endif
331+ }
332+#endif
333+
334+ buf=(unsigned char *)s->init_buf->data;
335+ if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
336+ {
337+#if 0
338+ /* don't reuse session-id's */
339+ if (!ssl_get_new_session(s,0))
340+ {
341+ return(-1);
342+ }
343+#endif
344+
345+ p=s->s3->client_random;
346+ Time=(unsigned long)time(NULL); /* Time */
347+ l2n(Time,p);
348+ if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
349+ return -1;
350+
351+ if (version == TLS1_2_VERSION)
352+ {
353+ version_major = TLS1_2_VERSION_MAJOR;
354+ version_minor = TLS1_2_VERSION_MINOR;
355+ }
356+ else if (version == TLS1_1_VERSION)
357+ {
358+ version_major = TLS1_1_VERSION_MAJOR;
359+ version_minor = TLS1_1_VERSION_MINOR;
360+ }
361+ else if (version == TLS1_VERSION)
362+ {
363+ version_major = TLS1_VERSION_MAJOR;
364+ version_minor = TLS1_VERSION_MINOR;
365+ }
366+#ifdef OPENSSL_FIPS
367+ else if(FIPS_mode())
368+ {
369+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,
370+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
371+ return -1;
372+ }
373+#endif
374+ else if (version == SSL3_VERSION)
375+ {
376+ version_major = SSL3_VERSION_MAJOR;
377+ version_minor = SSL3_VERSION_MINOR;
378+ }
379+ else if (version == SSL2_VERSION)
380+ {
381+ version_major = SSL2_VERSION_MAJOR;
382+ version_minor = SSL2_VERSION_MINOR;
383+ }
384+ else
385+ {
386+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_PROTOCOLS_AVAILABLE);
387+ return(-1);
388+ }
389+
390+ s->client_version = version;
391+
392+ if (ssl2_compat)
393+ {
394+ /* create SSL 2.0 compatible Client Hello */
395+
396+ /* two byte record header will be written last */
397+ d = &(buf[2]);
398+ p = d + 9; /* leave space for message type, version, individual length fields */
399+
400+ *(d++) = SSL2_MT_CLIENT_HELLO;
401+ *(d++) = version_major;
402+ *(d++) = version_minor;
403+
404+ /* Ciphers supported */
405+ i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p,0);
406+ if (i == 0)
407+ {
408+ /* no ciphers */
409+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
410+ return -1;
411+ }
412+ s2n(i,d);
413+ p+=i;
414+
415+ /* put in the session-id length (zero since there is no reuse) */
416+#if 0
417+ s->session->session_id_length=0;
418+#endif
419+ s2n(0,d);
420+
421+ if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
422+ ch_len=SSL2_CHALLENGE_LENGTH;
423+ else
424+ ch_len=SSL2_MAX_CHALLENGE_LENGTH;
425+
426+ /* write out sslv2 challenge */
427+ /* Note that ch_len must be <= SSL3_RANDOM_SIZE (32),
428+ because it is one of SSL2_MAX_CHALLENGE_LENGTH (32)
429+ or SSL2_MAX_CHALLENGE_LENGTH (16), but leave the
430+ check in for futurproofing */
431+ if (SSL3_RANDOM_SIZE < ch_len)
432+ i=SSL3_RANDOM_SIZE;
433+ else
434+ i=ch_len;
435+ s2n(i,d);
436+ memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
437+ if (RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
438+ return -1;
439+
440+ memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
441+ p+=i;
442+
443+ i= p- &(buf[2]);
444+ buf[0]=((i>>8)&0xff)|0x80;
445+ buf[1]=(i&0xff);
446+
447+ /* number of bytes to write */
448+ s->init_num=i+2;
449+ s->init_off=0;
450+
451+ ssl3_finish_mac(s,&(buf[2]),i);
452+ }
453+ else
454+ {
455+ /* create Client Hello in SSL 3.0/TLS 1.0 format */
456+
457+ /* do the record header (5 bytes) and handshake message header (4 bytes) last */
458+ d = p = &(buf[9]);
459+
460+ *(p++) = version_major;
461+ *(p++) = version_minor;
462+
463+ /* Random stuff */
464+ memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
465+ p += SSL3_RANDOM_SIZE;
466+
467+ /* Session ID (zero since there is no reuse) */
468+ *(p++) = 0;
469+
470+ /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
471+ i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),ssl3_put_cipher_by_char);
472+ if (i == 0)
473+ {
474+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
475+ return -1;
476+ }
477+ s2n(i,p);
478+ p+=i;
479+
480+ /* COMPRESSION */
481+#ifdef OPENSSL_NO_COMP
482+ *(p++)=1;
483+#else
484+ if ((s->options & SSL_OP_NO_COMPRESSION)
485+ || !s->ctx->comp_methods)
486+ j=0;
487+ else
488+ j=sk_SSL_COMP_num(s->ctx->comp_methods);
489+ *(p++)=1+j;
490+ for (i=0; i<j; i++)
491+ {
492+ comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
493+ *(p++)=comp->id;
494+ }
495+#endif
496+ *(p++)=0; /* Add the NULL method */
497+
498+#ifndef OPENSSL_NO_TLSEXT
499+ /* TLS extensions*/
500+ if (ssl_prepare_clienthello_tlsext(s) <= 0)
501+ {
502+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
503+ return -1;
504+ }
505+ if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
506+ {
507+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
508+ return -1;
509+ }
510+#endif
511+
512+ l = p-d;
513+
514+ /* fill in 4-byte handshake header */
515+ d=&(buf[5]);
516+ *(d++)=SSL3_MT_CLIENT_HELLO;
517+ l2n3(l,d);
518+
519+ l += 4;
520+
521+ if (l > SSL3_RT_MAX_PLAIN_LENGTH)
522+ {
523+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
524+ return -1;
525+ }
526+
527+ /* fill in 5-byte record header */
528+ d=buf;
529+ *(d++) = SSL3_RT_HANDSHAKE;
530+ *(d++) = version_major;
531+ *(d++) = version_minor; /* arguably we should send the *lowest* suported version here
532+ * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */
533+ s2n((int)l,d);
534+
535+ /* number of bytes to write */
536+ s->init_num=p-buf;
537+ s->init_off=0;
538+
539+ ssl3_finish_mac(s,&(buf[5]), s->init_num - 5);
540+ }
541+
542+ s->state=SSL23_ST_CW_CLNT_HELLO_B;
543+ s->init_off=0;
544+ }
545+
546+ /* SSL3_ST_CW_CLNT_HELLO_B */
547+ ret = ssl23_write_bytes(s);
548+
549+ if ((ret >= 2) && s->msg_callback)
550+ {
551+ /* Client Hello has been sent; tell msg_callback */
552+
553+ if (ssl2_compat)
554+ s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg);
555+ else
556+ s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data+5, ret-5, s, s->msg_callback_arg);
557+ }
558+
559+ return ret;
560+ }
561+
562+static int ssl23_get_server_hello(SSL *s)
563+ {
564+ char buf[8];
565+ unsigned char *p;
566+ int i;
567+ int n;
568+
569+ n=ssl23_read_bytes(s,7);
570+
571+ if (n != 7) return(n);
572+ p=s->packet;
573+
574+ memcpy(buf,p,n);
575+
576+ if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
577+ (p[5] == 0x00) && (p[6] == 0x02))
578+ {
579+#ifdef OPENSSL_NO_SSL2
580+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
581+ goto err;
582+#else
583+ /* we are talking sslv2 */
584+ /* we need to clean up the SSLv3 setup and put in the
585+ * sslv2 stuff. */
586+ int ch_len;
587+
588+ if (s->options & SSL_OP_NO_SSLv2)
589+ {
590+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
591+ goto err;
592+ }
593+ if (s->s2 == NULL)
594+ {
595+ if (!ssl2_new(s))
596+ goto err;
597+ }
598+ else
599+ ssl2_clear(s);
600+
601+ if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
602+ ch_len=SSL2_CHALLENGE_LENGTH;
603+ else
604+ ch_len=SSL2_MAX_CHALLENGE_LENGTH;
605+
606+ /* write out sslv2 challenge */
607+ /* Note that ch_len must be <= SSL3_RANDOM_SIZE (32), because
608+ it is one of SSL2_MAX_CHALLENGE_LENGTH (32) or
609+ SSL2_MAX_CHALLENGE_LENGTH (16), but leave the check in for
610+ futurproofing */
611+ i=(SSL3_RANDOM_SIZE < ch_len)
612+ ?SSL3_RANDOM_SIZE:ch_len;
613+ s->s2->challenge_length=i;
614+ memcpy(s->s2->challenge,
615+ &(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
616+
617+ if (s->s3 != NULL) ssl3_free(s);
618+
619+ if (!BUF_MEM_grow_clean(s->init_buf,
620+ SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
621+ {
622+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,ERR_R_BUF_LIB);
623+ goto err;
624+ }
625+
626+ s->state=SSL2_ST_GET_SERVER_HELLO_A;
627+ if (!(s->client_version == SSL2_VERSION))
628+ /* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */
629+ s->s2->ssl2_rollback=1;
630+
631+ /* setup the 7 bytes we have read so we get them from
632+ * the sslv2 buffer */
633+ s->rstate=SSL_ST_READ_HEADER;
634+ s->packet_length=n;
635+ s->packet= &(s->s2->rbuf[0]);
636+ memcpy(s->packet,buf,n);
637+ s->s2->rbuf_left=n;
638+ s->s2->rbuf_offs=0;
639+
640+ /* we have already written one */
641+ s->s2->write_sequence=1;
642+
643+ s->method=SSLv2_client_method();
644+ s->handshake_func=s->method->ssl_connect;
645+#endif
646+ }
647+ else if (p[1] == SSL3_VERSION_MAJOR &&
648+ p[2] <= TLS1_2_VERSION_MINOR &&
649+ ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||
650+ (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2)))
651+ {
652+ /* we have sslv3 or tls1 (server hello or alert) */
653+
654+ if ((p[2] == SSL3_VERSION_MINOR) &&
655+ !(s->options & SSL_OP_NO_SSLv3))
656+ {
657+#ifdef OPENSSL_FIPS
658+ if(FIPS_mode())
659+ {
660+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
661+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
662+ goto err;
663+ }
664+#endif
665+ s->version=SSL3_VERSION;
666+ s->method=SSLv3_client_method();
667+ }
668+ else if ((p[2] == TLS1_VERSION_MINOR) &&
669+ !(s->options & SSL_OP_NO_TLSv1))
670+ {
671+ s->version=TLS1_VERSION;
672+ s->method=TLSv1_client_method();
673+ }
674+ else if ((p[2] == TLS1_1_VERSION_MINOR) &&
675+ !(s->options & SSL_OP_NO_TLSv1_1))
676+ {
677+ s->version=TLS1_1_VERSION;
678+ s->method=TLSv1_1_client_method();
679+ }
680+ else if ((p[2] == TLS1_2_VERSION_MINOR) &&
681+ !(s->options & SSL_OP_NO_TLSv1_2))
682+ {
683+ s->version=TLS1_2_VERSION;
684+ s->method=TLSv1_2_client_method();
685+ }
686+ else
687+ {
688+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
689+ goto err;
690+ }
691+
692+ if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING)
693+ {
694+ /* fatal alert */
695+
696+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
697+ int j;
698+
699+ if (s->info_callback != NULL)
700+ cb=s->info_callback;
701+ else if (s->ctx->info_callback != NULL)
702+ cb=s->ctx->info_callback;
703+
704+ i=p[5];
705+ if (cb != NULL)
706+ {
707+ j=(i<<8)|p[6];
708+ cb(s,SSL_CB_READ_ALERT,j);
709+ }
710+
711+ if (s->msg_callback)
712+ s->msg_callback(0, s->version, SSL3_RT_ALERT, p+5, 2, s, s->msg_callback_arg);
713+
714+ s->rwstate=SSL_NOTHING;
715+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]);
716+ goto err;
717+ }
718+
719+ if (!ssl_init_wbio_buffer(s,1)) goto err;
720+
721+ /* we are in this state */
722+ s->state=SSL3_ST_CR_SRVR_HELLO_A;
723+
724+ /* put the 7 bytes we have read into the input buffer
725+ * for SSLv3 */
726+ s->rstate=SSL_ST_READ_HEADER;
727+ s->packet_length=n;
728+ if (s->s3->rbuf.buf == NULL)
729+ if (!ssl3_setup_read_buffer(s))
730+ goto err;
731+ s->packet= &(s->s3->rbuf.buf[0]);
732+ memcpy(s->packet,buf,n);
733+ s->s3->rbuf.left=n;
734+ s->s3->rbuf.offset=0;
735+
736+ s->handshake_func=s->method->ssl_connect;
737+ }
738+ else
739+ {
740+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNKNOWN_PROTOCOL);
741+ goto err;
742+ }
743+ s->init_num=0;
744+
745+ /* Since, if we are sending a ssl23 client hello, we are not
746+ * reusing a session-id */
747+ if (!ssl_get_new_session(s,0))
748+ goto err;
749+
750+ return(SSL_connect(s));
751+err:
752+ return(-1);
753+ }
754
755=== added file '.pc/tls12_workarounds.patch/ssl/t1_lib.c'
756--- .pc/tls12_workarounds.patch/ssl/t1_lib.c 1970-01-01 00:00:00 +0000
757+++ .pc/tls12_workarounds.patch/ssl/t1_lib.c 2012-03-30 17:06:51 +0000
758@@ -0,0 +1,2578 @@
759+/* ssl/t1_lib.c */
760+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
761+ * All rights reserved.
762+ *
763+ * This package is an SSL implementation written
764+ * by Eric Young (eay@cryptsoft.com).
765+ * The implementation was written so as to conform with Netscapes SSL.
766+ *
767+ * This library is free for commercial and non-commercial use as long as
768+ * the following conditions are aheared to. The following conditions
769+ * apply to all code found in this distribution, be it the RC4, RSA,
770+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
771+ * included with this distribution is covered by the same copyright terms
772+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
773+ *
774+ * Copyright remains Eric Young's, and as such any Copyright notices in
775+ * the code are not to be removed.
776+ * If this package is used in a product, Eric Young should be given attribution
777+ * as the author of the parts of the library used.
778+ * This can be in the form of a textual message at program startup or
779+ * in documentation (online or textual) provided with the package.
780+ *
781+ * Redistribution and use in source and binary forms, with or without
782+ * modification, are permitted provided that the following conditions
783+ * are met:
784+ * 1. Redistributions of source code must retain the copyright
785+ * notice, this list of conditions and the following disclaimer.
786+ * 2. Redistributions in binary form must reproduce the above copyright
787+ * notice, this list of conditions and the following disclaimer in the
788+ * documentation and/or other materials provided with the distribution.
789+ * 3. All advertising materials mentioning features or use of this software
790+ * must display the following acknowledgement:
791+ * "This product includes cryptographic software written by
792+ * Eric Young (eay@cryptsoft.com)"
793+ * The word 'cryptographic' can be left out if the rouines from the library
794+ * being used are not cryptographic related :-).
795+ * 4. If you include any Windows specific code (or a derivative thereof) from
796+ * the apps directory (application code) you must include an acknowledgement:
797+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
798+ *
799+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
800+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
801+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
802+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
803+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
804+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
805+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
806+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
807+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
808+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
809+ * SUCH DAMAGE.
810+ *
811+ * The licence and distribution terms for any publically available version or
812+ * derivative of this code cannot be changed. i.e. this code cannot simply be
813+ * copied and put under another distribution licence
814+ * [including the GNU Public Licence.]
815+ */
816+/* ====================================================================
817+ * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
818+ *
819+ * Redistribution and use in source and binary forms, with or without
820+ * modification, are permitted provided that the following conditions
821+ * are met:
822+ *
823+ * 1. Redistributions of source code must retain the above copyright
824+ * notice, this list of conditions and the following disclaimer.
825+ *
826+ * 2. Redistributions in binary form must reproduce the above copyright
827+ * notice, this list of conditions and the following disclaimer in
828+ * the documentation and/or other materials provided with the
829+ * distribution.
830+ *
831+ * 3. All advertising materials mentioning features or use of this
832+ * software must display the following acknowledgment:
833+ * "This product includes software developed by the OpenSSL Project
834+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
835+ *
836+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
837+ * endorse or promote products derived from this software without
838+ * prior written permission. For written permission, please contact
839+ * openssl-core@openssl.org.
840+ *
841+ * 5. Products derived from this software may not be called "OpenSSL"
842+ * nor may "OpenSSL" appear in their names without prior written
843+ * permission of the OpenSSL Project.
844+ *
845+ * 6. Redistributions of any form whatsoever must retain the following
846+ * acknowledgment:
847+ * "This product includes software developed by the OpenSSL Project
848+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
849+ *
850+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
851+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
852+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
853+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
854+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
855+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
856+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
857+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
858+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
859+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
860+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
861+ * OF THE POSSIBILITY OF SUCH DAMAGE.
862+ * ====================================================================
863+ *
864+ * This product includes cryptographic software written by Eric Young
865+ * (eay@cryptsoft.com). This product includes software written by Tim
866+ * Hudson (tjh@cryptsoft.com).
867+ *
868+ */
869+
870+#include <stdio.h>
871+#include <openssl/objects.h>
872+#include <openssl/evp.h>
873+#include <openssl/hmac.h>
874+#include <openssl/ocsp.h>
875+#include <openssl/rand.h>
876+#include "ssl_locl.h"
877+
878+const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
879+
880+#ifndef OPENSSL_NO_TLSEXT
881+static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
882+ const unsigned char *sess_id, int sesslen,
883+ SSL_SESSION **psess);
884+#endif
885+
886+SSL3_ENC_METHOD TLSv1_enc_data={
887+ tls1_enc,
888+ tls1_mac,
889+ tls1_setup_key_block,
890+ tls1_generate_master_secret,
891+ tls1_change_cipher_state,
892+ tls1_final_finish_mac,
893+ TLS1_FINISH_MAC_LENGTH,
894+ tls1_cert_verify_mac,
895+ TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
896+ TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
897+ tls1_alert_code,
898+ tls1_export_keying_material,
899+ };
900+
901+long tls1_default_timeout(void)
902+ {
903+ /* 2 hours, the 24 hours mentioned in the TLSv1 spec
904+ * is way too long for http, the cache would over fill */
905+ return(60*60*2);
906+ }
907+
908+int tls1_new(SSL *s)
909+ {
910+ if (!ssl3_new(s)) return(0);
911+ s->method->ssl_clear(s);
912+ return(1);
913+ }
914+
915+void tls1_free(SSL *s)
916+ {
917+#ifndef OPENSSL_NO_TLSEXT
918+ if (s->tlsext_session_ticket)
919+ {
920+ OPENSSL_free(s->tlsext_session_ticket);
921+ }
922+#endif /* OPENSSL_NO_TLSEXT */
923+ ssl3_free(s);
924+ }
925+
926+void tls1_clear(SSL *s)
927+ {
928+ ssl3_clear(s);
929+ s->version = s->method->version;
930+ }
931+
932+#ifndef OPENSSL_NO_EC
933+
934+static int nid_list[] =
935+ {
936+ NID_sect163k1, /* sect163k1 (1) */
937+ NID_sect163r1, /* sect163r1 (2) */
938+ NID_sect163r2, /* sect163r2 (3) */
939+ NID_sect193r1, /* sect193r1 (4) */
940+ NID_sect193r2, /* sect193r2 (5) */
941+ NID_sect233k1, /* sect233k1 (6) */
942+ NID_sect233r1, /* sect233r1 (7) */
943+ NID_sect239k1, /* sect239k1 (8) */
944+ NID_sect283k1, /* sect283k1 (9) */
945+ NID_sect283r1, /* sect283r1 (10) */
946+ NID_sect409k1, /* sect409k1 (11) */
947+ NID_sect409r1, /* sect409r1 (12) */
948+ NID_sect571k1, /* sect571k1 (13) */
949+ NID_sect571r1, /* sect571r1 (14) */
950+ NID_secp160k1, /* secp160k1 (15) */
951+ NID_secp160r1, /* secp160r1 (16) */
952+ NID_secp160r2, /* secp160r2 (17) */
953+ NID_secp192k1, /* secp192k1 (18) */
954+ NID_X9_62_prime192v1, /* secp192r1 (19) */
955+ NID_secp224k1, /* secp224k1 (20) */
956+ NID_secp224r1, /* secp224r1 (21) */
957+ NID_secp256k1, /* secp256k1 (22) */
958+ NID_X9_62_prime256v1, /* secp256r1 (23) */
959+ NID_secp384r1, /* secp384r1 (24) */
960+ NID_secp521r1 /* secp521r1 (25) */
961+ };
962+
963+static int pref_list[] =
964+ {
965+ NID_sect571r1, /* sect571r1 (14) */
966+ NID_sect571k1, /* sect571k1 (13) */
967+ NID_secp521r1, /* secp521r1 (25) */
968+ NID_sect409k1, /* sect409k1 (11) */
969+ NID_sect409r1, /* sect409r1 (12) */
970+ NID_secp384r1, /* secp384r1 (24) */
971+ NID_sect283k1, /* sect283k1 (9) */
972+ NID_sect283r1, /* sect283r1 (10) */
973+ NID_secp256k1, /* secp256k1 (22) */
974+ NID_X9_62_prime256v1, /* secp256r1 (23) */
975+ NID_sect239k1, /* sect239k1 (8) */
976+ NID_sect233k1, /* sect233k1 (6) */
977+ NID_sect233r1, /* sect233r1 (7) */
978+ NID_secp224k1, /* secp224k1 (20) */
979+ NID_secp224r1, /* secp224r1 (21) */
980+ NID_sect193r1, /* sect193r1 (4) */
981+ NID_sect193r2, /* sect193r2 (5) */
982+ NID_secp192k1, /* secp192k1 (18) */
983+ NID_X9_62_prime192v1, /* secp192r1 (19) */
984+ NID_sect163k1, /* sect163k1 (1) */
985+ NID_sect163r1, /* sect163r1 (2) */
986+ NID_sect163r2, /* sect163r2 (3) */
987+ NID_secp160k1, /* secp160k1 (15) */
988+ NID_secp160r1, /* secp160r1 (16) */
989+ NID_secp160r2, /* secp160r2 (17) */
990+ };
991+
992+int tls1_ec_curve_id2nid(int curve_id)
993+ {
994+ /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
995+ if ((curve_id < 1) || ((unsigned int)curve_id >
996+ sizeof(nid_list)/sizeof(nid_list[0])))
997+ return 0;
998+ return nid_list[curve_id-1];
999+ }
1000+
1001+int tls1_ec_nid2curve_id(int nid)
1002+ {
1003+ /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
1004+ switch (nid)
1005+ {
1006+ case NID_sect163k1: /* sect163k1 (1) */
1007+ return 1;
1008+ case NID_sect163r1: /* sect163r1 (2) */
1009+ return 2;
1010+ case NID_sect163r2: /* sect163r2 (3) */
1011+ return 3;
1012+ case NID_sect193r1: /* sect193r1 (4) */
1013+ return 4;
1014+ case NID_sect193r2: /* sect193r2 (5) */
1015+ return 5;
1016+ case NID_sect233k1: /* sect233k1 (6) */
1017+ return 6;
1018+ case NID_sect233r1: /* sect233r1 (7) */
1019+ return 7;
1020+ case NID_sect239k1: /* sect239k1 (8) */
1021+ return 8;
1022+ case NID_sect283k1: /* sect283k1 (9) */
1023+ return 9;
1024+ case NID_sect283r1: /* sect283r1 (10) */
1025+ return 10;
1026+ case NID_sect409k1: /* sect409k1 (11) */
1027+ return 11;
1028+ case NID_sect409r1: /* sect409r1 (12) */
1029+ return 12;
1030+ case NID_sect571k1: /* sect571k1 (13) */
1031+ return 13;
1032+ case NID_sect571r1: /* sect571r1 (14) */
1033+ return 14;
1034+ case NID_secp160k1: /* secp160k1 (15) */
1035+ return 15;
1036+ case NID_secp160r1: /* secp160r1 (16) */
1037+ return 16;
1038+ case NID_secp160r2: /* secp160r2 (17) */
1039+ return 17;
1040+ case NID_secp192k1: /* secp192k1 (18) */
1041+ return 18;
1042+ case NID_X9_62_prime192v1: /* secp192r1 (19) */
1043+ return 19;
1044+ case NID_secp224k1: /* secp224k1 (20) */
1045+ return 20;
1046+ case NID_secp224r1: /* secp224r1 (21) */
1047+ return 21;
1048+ case NID_secp256k1: /* secp256k1 (22) */
1049+ return 22;
1050+ case NID_X9_62_prime256v1: /* secp256r1 (23) */
1051+ return 23;
1052+ case NID_secp384r1: /* secp384r1 (24) */
1053+ return 24;
1054+ case NID_secp521r1: /* secp521r1 (25) */
1055+ return 25;
1056+ default:
1057+ return 0;
1058+ }
1059+ }
1060+#endif /* OPENSSL_NO_EC */
1061+
1062+#ifndef OPENSSL_NO_TLSEXT
1063+
1064+/* List of supported signature algorithms and hashes. Should make this
1065+ * customisable at some point, for now include everything we support.
1066+ */
1067+
1068+#ifdef OPENSSL_NO_RSA
1069+#define tlsext_sigalg_rsa(md) /* */
1070+#else
1071+#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
1072+#endif
1073+
1074+#ifdef OPENSSL_NO_DSA
1075+#define tlsext_sigalg_dsa(md) /* */
1076+#else
1077+#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
1078+#endif
1079+
1080+#ifdef OPENSSL_NO_ECDSA
1081+#define tlsext_sigalg_ecdsa(md) /* */
1082+#else
1083+#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
1084+#endif
1085+
1086+#define tlsext_sigalg(md) \
1087+ tlsext_sigalg_rsa(md) \
1088+ tlsext_sigalg_dsa(md) \
1089+ tlsext_sigalg_ecdsa(md)
1090+
1091+static unsigned char tls12_sigalgs[] = {
1092+#ifndef OPENSSL_NO_SHA512
1093+ tlsext_sigalg(TLSEXT_hash_sha512)
1094+ tlsext_sigalg(TLSEXT_hash_sha384)
1095+#endif
1096+#ifndef OPENSSL_NO_SHA256
1097+ tlsext_sigalg(TLSEXT_hash_sha256)
1098+ tlsext_sigalg(TLSEXT_hash_sha224)
1099+#endif
1100+#ifndef OPENSSL_NO_SHA
1101+ tlsext_sigalg(TLSEXT_hash_sha1)
1102+#endif
1103+#ifndef OPENSSL_NO_MD5
1104+ tlsext_sigalg_rsa(TLSEXT_hash_md5)
1105+#endif
1106+};
1107+
1108+int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
1109+ {
1110+ size_t slen = sizeof(tls12_sigalgs);
1111+#ifdef OPENSSL_FIPS
1112+ /* If FIPS mode don't include MD5 which is last */
1113+ if (FIPS_mode())
1114+ slen -= 2;
1115+#endif
1116+ if (p)
1117+ memcpy(p, tls12_sigalgs, slen);
1118+ return (int)slen;
1119+ }
1120+
1121+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1122+ {
1123+ int extdatalen=0;
1124+ unsigned char *ret = p;
1125+
1126+ /* don't add extensions for SSLv3 unless doing secure renegotiation */
1127+ if (s->client_version == SSL3_VERSION
1128+ && !s->s3->send_connection_binding)
1129+ return p;
1130+
1131+ ret+=2;
1132+
1133+ if (ret>=limit) return NULL; /* this really never occurs, but ... */
1134+
1135+ if (s->tlsext_hostname != NULL)
1136+ {
1137+ /* Add TLS extension servername to the Client Hello message */
1138+ unsigned long size_str;
1139+ long lenmax;
1140+
1141+ /* check for enough space.
1142+ 4 for the servername type and entension length
1143+ 2 for servernamelist length
1144+ 1 for the hostname type
1145+ 2 for hostname length
1146+ + hostname length
1147+ */
1148+
1149+ if ((lenmax = limit - ret - 9) < 0
1150+ || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1151+ return NULL;
1152+
1153+ /* extension type and length */
1154+ s2n(TLSEXT_TYPE_server_name,ret);
1155+ s2n(size_str+5,ret);
1156+
1157+ /* length of servername list */
1158+ s2n(size_str+3,ret);
1159+
1160+ /* hostname type, length and hostname */
1161+ *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1162+ s2n(size_str,ret);
1163+ memcpy(ret, s->tlsext_hostname, size_str);
1164+ ret+=size_str;
1165+ }
1166+
1167+ /* Add RI if renegotiating */
1168+ if (s->renegotiate)
1169+ {
1170+ int el;
1171+
1172+ if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1173+ {
1174+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1175+ return NULL;
1176+ }
1177+
1178+ if((limit - p - 4 - el) < 0) return NULL;
1179+
1180+ s2n(TLSEXT_TYPE_renegotiate,ret);
1181+ s2n(el,ret);
1182+
1183+ if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1184+ {
1185+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1186+ return NULL;
1187+ }
1188+
1189+ ret += el;
1190+ }
1191+
1192+#ifndef OPENSSL_NO_SRP
1193+ /* Add SRP username if there is one */
1194+ if (s->srp_ctx.login != NULL)
1195+ { /* Add TLS extension SRP username to the Client Hello message */
1196+
1197+ int login_len = strlen(s->srp_ctx.login);
1198+ if (login_len > 255 || login_len == 0)
1199+ {
1200+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1201+ return NULL;
1202+ }
1203+
1204+ /* check for enough space.
1205+ 4 for the srp type type and entension length
1206+ 1 for the srp user identity
1207+ + srp user identity length
1208+ */
1209+ if ((limit - ret - 5 - login_len) < 0) return NULL;
1210+
1211+ /* fill in the extension */
1212+ s2n(TLSEXT_TYPE_srp,ret);
1213+ s2n(login_len+1,ret);
1214+ (*ret++) = (unsigned char) login_len;
1215+ memcpy(ret, s->srp_ctx.login, login_len);
1216+ ret+=login_len;
1217+ }
1218+#endif
1219+
1220+#ifndef OPENSSL_NO_EC
1221+ if (s->tlsext_ecpointformatlist != NULL &&
1222+ s->version != DTLS1_VERSION)
1223+ {
1224+ /* Add TLS extension ECPointFormats to the ClientHello message */
1225+ long lenmax;
1226+
1227+ if ((lenmax = limit - ret - 5) < 0) return NULL;
1228+ if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
1229+ if (s->tlsext_ecpointformatlist_length > 255)
1230+ {
1231+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1232+ return NULL;
1233+ }
1234+
1235+ s2n(TLSEXT_TYPE_ec_point_formats,ret);
1236+ s2n(s->tlsext_ecpointformatlist_length + 1,ret);
1237+ *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
1238+ memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
1239+ ret+=s->tlsext_ecpointformatlist_length;
1240+ }
1241+ if (s->tlsext_ellipticcurvelist != NULL &&
1242+ s->version != DTLS1_VERSION)
1243+ {
1244+ /* Add TLS extension EllipticCurves to the ClientHello message */
1245+ long lenmax;
1246+
1247+ if ((lenmax = limit - ret - 6) < 0) return NULL;
1248+ if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
1249+ if (s->tlsext_ellipticcurvelist_length > 65532)
1250+ {
1251+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1252+ return NULL;
1253+ }
1254+
1255+ s2n(TLSEXT_TYPE_elliptic_curves,ret);
1256+ s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
1257+
1258+ /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1259+ * elliptic_curve_list, but the examples use two bytes.
1260+ * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1261+ * resolves this to two bytes.
1262+ */
1263+ s2n(s->tlsext_ellipticcurvelist_length, ret);
1264+ memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
1265+ ret+=s->tlsext_ellipticcurvelist_length;
1266+ }
1267+#endif /* OPENSSL_NO_EC */
1268+
1269+ if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
1270+ {
1271+ int ticklen;
1272+ if (!s->new_session && s->session && s->session->tlsext_tick)
1273+ ticklen = s->session->tlsext_ticklen;
1274+ else if (s->session && s->tlsext_session_ticket &&
1275+ s->tlsext_session_ticket->data)
1276+ {
1277+ ticklen = s->tlsext_session_ticket->length;
1278+ s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1279+ if (!s->session->tlsext_tick)
1280+ return NULL;
1281+ memcpy(s->session->tlsext_tick,
1282+ s->tlsext_session_ticket->data,
1283+ ticklen);
1284+ s->session->tlsext_ticklen = ticklen;
1285+ }
1286+ else
1287+ ticklen = 0;
1288+ if (ticklen == 0 && s->tlsext_session_ticket &&
1289+ s->tlsext_session_ticket->data == NULL)
1290+ goto skip_ext;
1291+ /* Check for enough room 2 for extension type, 2 for len
1292+ * rest for ticket
1293+ */
1294+ if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1295+ s2n(TLSEXT_TYPE_session_ticket,ret);
1296+ s2n(ticklen,ret);
1297+ if (ticklen)
1298+ {
1299+ memcpy(ret, s->session->tlsext_tick, ticklen);
1300+ ret += ticklen;
1301+ }
1302+ }
1303+ skip_ext:
1304+
1305+ if (TLS1_get_version(s) >= TLS1_2_VERSION)
1306+ {
1307+ if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
1308+ return NULL;
1309+ s2n(TLSEXT_TYPE_signature_algorithms,ret);
1310+ s2n(sizeof(tls12_sigalgs) + 2, ret);
1311+ s2n(sizeof(tls12_sigalgs), ret);
1312+ memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
1313+ ret += sizeof(tls12_sigalgs);
1314+ }
1315+
1316+#ifdef TLSEXT_TYPE_opaque_prf_input
1317+ if (s->s3->client_opaque_prf_input != NULL &&
1318+ s->version != DTLS1_VERSION)
1319+ {
1320+ size_t col = s->s3->client_opaque_prf_input_len;
1321+
1322+ if ((long)(limit - ret - 6 - col < 0))
1323+ return NULL;
1324+ if (col > 0xFFFD) /* can't happen */
1325+ return NULL;
1326+
1327+ s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1328+ s2n(col + 2, ret);
1329+ s2n(col, ret);
1330+ memcpy(ret, s->s3->client_opaque_prf_input, col);
1331+ ret += col;
1332+ }
1333+#endif
1334+
1335+ if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
1336+ s->version != DTLS1_VERSION)
1337+ {
1338+ int i;
1339+ long extlen, idlen, itmp;
1340+ OCSP_RESPID *id;
1341+
1342+ idlen = 0;
1343+ for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1344+ {
1345+ id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1346+ itmp = i2d_OCSP_RESPID(id, NULL);
1347+ if (itmp <= 0)
1348+ return NULL;
1349+ idlen += itmp + 2;
1350+ }
1351+
1352+ if (s->tlsext_ocsp_exts)
1353+ {
1354+ extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1355+ if (extlen < 0)
1356+ return NULL;
1357+ }
1358+ else
1359+ extlen = 0;
1360+
1361+ if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1362+ s2n(TLSEXT_TYPE_status_request, ret);
1363+ if (extlen + idlen > 0xFFF0)
1364+ return NULL;
1365+ s2n(extlen + idlen + 5, ret);
1366+ *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1367+ s2n(idlen, ret);
1368+ for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1369+ {
1370+ /* save position of id len */
1371+ unsigned char *q = ret;
1372+ id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1373+ /* skip over id len */
1374+ ret += 2;
1375+ itmp = i2d_OCSP_RESPID(id, &ret);
1376+ /* write id len */
1377+ s2n(itmp, q);
1378+ }
1379+ s2n(extlen, ret);
1380+ if (extlen > 0)
1381+ i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1382+ }
1383+
1384+#ifndef OPENSSL_NO_HEARTBEATS
1385+ /* Add Heartbeat extension */
1386+ s2n(TLSEXT_TYPE_heartbeat,ret);
1387+ s2n(1,ret);
1388+ /* Set mode:
1389+ * 1: peer may send requests
1390+ * 2: peer not allowed to send requests
1391+ */
1392+ if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1393+ *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1394+ else
1395+ *(ret++) = SSL_TLSEXT_HB_ENABLED;
1396+#endif
1397+
1398+#ifndef OPENSSL_NO_NEXTPROTONEG
1399+ if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1400+ {
1401+ /* The client advertises an emtpy extension to indicate its
1402+ * support for Next Protocol Negotiation */
1403+ if (limit - ret - 4 < 0)
1404+ return NULL;
1405+ s2n(TLSEXT_TYPE_next_proto_neg,ret);
1406+ s2n(0,ret);
1407+ }
1408+#endif
1409+
1410+ if(SSL_get_srtp_profiles(s))
1411+ {
1412+ int el;
1413+
1414+ ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1415+
1416+ if((limit - p - 4 - el) < 0) return NULL;
1417+
1418+ s2n(TLSEXT_TYPE_use_srtp,ret);
1419+ s2n(el,ret);
1420+
1421+ if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1422+ {
1423+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1424+ return NULL;
1425+ }
1426+ ret += el;
1427+ }
1428+
1429+ if ((extdatalen = ret-p-2)== 0)
1430+ return p;
1431+
1432+ s2n(extdatalen,p);
1433+ return ret;
1434+ }
1435+
1436+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1437+ {
1438+ int extdatalen=0;
1439+ unsigned char *ret = p;
1440+#ifndef OPENSSL_NO_NEXTPROTONEG
1441+ int next_proto_neg_seen;
1442+#endif
1443+
1444+ /* don't add extensions for SSLv3, unless doing secure renegotiation */
1445+ if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1446+ return p;
1447+
1448+ ret+=2;
1449+ if (ret>=limit) return NULL; /* this really never occurs, but ... */
1450+
1451+ if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1452+ {
1453+ if ((long)(limit - ret - 4) < 0) return NULL;
1454+
1455+ s2n(TLSEXT_TYPE_server_name,ret);
1456+ s2n(0,ret);
1457+ }
1458+
1459+ if(s->s3->send_connection_binding)
1460+ {
1461+ int el;
1462+
1463+ if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1464+ {
1465+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1466+ return NULL;
1467+ }
1468+
1469+ if((limit - p - 4 - el) < 0) return NULL;
1470+
1471+ s2n(TLSEXT_TYPE_renegotiate,ret);
1472+ s2n(el,ret);
1473+
1474+ if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1475+ {
1476+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1477+ return NULL;
1478+ }
1479+
1480+ ret += el;
1481+ }
1482+
1483+#ifndef OPENSSL_NO_EC
1484+ if (s->tlsext_ecpointformatlist != NULL &&
1485+ s->version != DTLS1_VERSION)
1486+ {
1487+ /* Add TLS extension ECPointFormats to the ServerHello message */
1488+ long lenmax;
1489+
1490+ if ((lenmax = limit - ret - 5) < 0) return NULL;
1491+ if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
1492+ if (s->tlsext_ecpointformatlist_length > 255)
1493+ {
1494+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1495+ return NULL;
1496+ }
1497+
1498+ s2n(TLSEXT_TYPE_ec_point_formats,ret);
1499+ s2n(s->tlsext_ecpointformatlist_length + 1,ret);
1500+ *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
1501+ memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
1502+ ret+=s->tlsext_ecpointformatlist_length;
1503+
1504+ }
1505+ /* Currently the server should not respond with a SupportedCurves extension */
1506+#endif /* OPENSSL_NO_EC */
1507+
1508+ if (s->tlsext_ticket_expected
1509+ && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
1510+ {
1511+ if ((long)(limit - ret - 4) < 0) return NULL;
1512+ s2n(TLSEXT_TYPE_session_ticket,ret);
1513+ s2n(0,ret);
1514+ }
1515+
1516+ if (s->tlsext_status_expected)
1517+ {
1518+ if ((long)(limit - ret - 4) < 0) return NULL;
1519+ s2n(TLSEXT_TYPE_status_request,ret);
1520+ s2n(0,ret);
1521+ }
1522+
1523+#ifdef TLSEXT_TYPE_opaque_prf_input
1524+ if (s->s3->server_opaque_prf_input != NULL &&
1525+ s->version != DTLS1_VERSION)
1526+ {
1527+ size_t sol = s->s3->server_opaque_prf_input_len;
1528+
1529+ if ((long)(limit - ret - 6 - sol) < 0)
1530+ return NULL;
1531+ if (sol > 0xFFFD) /* can't happen */
1532+ return NULL;
1533+
1534+ s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1535+ s2n(sol + 2, ret);
1536+ s2n(sol, ret);
1537+ memcpy(ret, s->s3->server_opaque_prf_input, sol);
1538+ ret += sol;
1539+ }
1540+#endif
1541+
1542+ if(s->srtp_profile)
1543+ {
1544+ int el;
1545+
1546+ ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1547+
1548+ if((limit - p - 4 - el) < 0) return NULL;
1549+
1550+ s2n(TLSEXT_TYPE_use_srtp,ret);
1551+ s2n(el,ret);
1552+
1553+ if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1554+ {
1555+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1556+ return NULL;
1557+ }
1558+ ret+=el;
1559+ }
1560+
1561+ if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
1562+ && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1563+ { const unsigned char cryptopro_ext[36] = {
1564+ 0xfd, 0xe8, /*65000*/
1565+ 0x00, 0x20, /*32 bytes length*/
1566+ 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1567+ 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1568+ 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1569+ 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1570+ if (limit-ret<36) return NULL;
1571+ memcpy(ret,cryptopro_ext,36);
1572+ ret+=36;
1573+
1574+ }
1575+
1576+#ifndef OPENSSL_NO_HEARTBEATS
1577+ /* Add Heartbeat extension if we've received one */
1578+ if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1579+ {
1580+ s2n(TLSEXT_TYPE_heartbeat,ret);
1581+ s2n(1,ret);
1582+ /* Set mode:
1583+ * 1: peer may send requests
1584+ * 2: peer not allowed to send requests
1585+ */
1586+ if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1587+ *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1588+ else
1589+ *(ret++) = SSL_TLSEXT_HB_ENABLED;
1590+
1591+ }
1592+#endif
1593+
1594+#ifndef OPENSSL_NO_NEXTPROTONEG
1595+ next_proto_neg_seen = s->s3->next_proto_neg_seen;
1596+ s->s3->next_proto_neg_seen = 0;
1597+ if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1598+ {
1599+ const unsigned char *npa;
1600+ unsigned int npalen;
1601+ int r;
1602+
1603+ r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1604+ if (r == SSL_TLSEXT_ERR_OK)
1605+ {
1606+ if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1607+ s2n(TLSEXT_TYPE_next_proto_neg,ret);
1608+ s2n(npalen,ret);
1609+ memcpy(ret, npa, npalen);
1610+ ret += npalen;
1611+ s->s3->next_proto_neg_seen = 1;
1612+ }
1613+ }
1614+#endif
1615+
1616+ if ((extdatalen = ret-p-2)== 0)
1617+ return p;
1618+
1619+ s2n(extdatalen,p);
1620+ return ret;
1621+ }
1622+
1623+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1624+ {
1625+ unsigned short type;
1626+ unsigned short size;
1627+ unsigned short len;
1628+ unsigned char *data = *p;
1629+ int renegotiate_seen = 0;
1630+ int sigalg_seen = 0;
1631+
1632+ s->servername_done = 0;
1633+ s->tlsext_status_type = -1;
1634+#ifndef OPENSSL_NO_NEXTPROTONEG
1635+ s->s3->next_proto_neg_seen = 0;
1636+#endif
1637+
1638+#ifndef OPENSSL_NO_HEARTBEATS
1639+ s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1640+ SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1641+#endif
1642+
1643+ if (data >= (d+n-2))
1644+ goto ri_check;
1645+ n2s(data,len);
1646+
1647+ if (data > (d+n-len))
1648+ goto ri_check;
1649+
1650+ while (data <= (d+n-4))
1651+ {
1652+ n2s(data,type);
1653+ n2s(data,size);
1654+
1655+ if (data+size > (d+n))
1656+ goto ri_check;
1657+#if 0
1658+ fprintf(stderr,"Received extension type %d size %d\n",type,size);
1659+#endif
1660+ if (s->tlsext_debug_cb)
1661+ s->tlsext_debug_cb(s, 0, type, data, size,
1662+ s->tlsext_debug_arg);
1663+/* The servername extension is treated as follows:
1664+
1665+ - Only the hostname type is supported with a maximum length of 255.
1666+ - The servername is rejected if too long or if it contains zeros,
1667+ in which case an fatal alert is generated.
1668+ - The servername field is maintained together with the session cache.
1669+ - When a session is resumed, the servername call back invoked in order
1670+ to allow the application to position itself to the right context.
1671+ - The servername is acknowledged if it is new for a session or when
1672+ it is identical to a previously used for the same session.
1673+ Applications can control the behaviour. They can at any time
1674+ set a 'desirable' servername for a new SSL object. This can be the
1675+ case for example with HTTPS when a Host: header field is received and
1676+ a renegotiation is requested. In this case, a possible servername
1677+ presented in the new client hello is only acknowledged if it matches
1678+ the value of the Host: field.
1679+ - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1680+ if they provide for changing an explicit servername context for the session,
1681+ i.e. when the session has been established with a servername extension.
1682+ - On session reconnect, the servername extension may be absent.
1683+
1684+*/
1685+
1686+ if (type == TLSEXT_TYPE_server_name)
1687+ {
1688+ unsigned char *sdata;
1689+ int servname_type;
1690+ int dsize;
1691+
1692+ if (size < 2)
1693+ {
1694+ *al = SSL_AD_DECODE_ERROR;
1695+ return 0;
1696+ }
1697+ n2s(data,dsize);
1698+ size -= 2;
1699+ if (dsize > size )
1700+ {
1701+ *al = SSL_AD_DECODE_ERROR;
1702+ return 0;
1703+ }
1704+
1705+ sdata = data;
1706+ while (dsize > 3)
1707+ {
1708+ servname_type = *(sdata++);
1709+ n2s(sdata,len);
1710+ dsize -= 3;
1711+
1712+ if (len > dsize)
1713+ {
1714+ *al = SSL_AD_DECODE_ERROR;
1715+ return 0;
1716+ }
1717+ if (s->servername_done == 0)
1718+ switch (servname_type)
1719+ {
1720+ case TLSEXT_NAMETYPE_host_name:
1721+ if (!s->hit)
1722+ {
1723+ if(s->session->tlsext_hostname)
1724+ {
1725+ *al = SSL_AD_DECODE_ERROR;
1726+ return 0;
1727+ }
1728+ if (len > TLSEXT_MAXLEN_host_name)
1729+ {
1730+ *al = TLS1_AD_UNRECOGNIZED_NAME;
1731+ return 0;
1732+ }
1733+ if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1734+ {
1735+ *al = TLS1_AD_INTERNAL_ERROR;
1736+ return 0;
1737+ }
1738+ memcpy(s->session->tlsext_hostname, sdata, len);
1739+ s->session->tlsext_hostname[len]='\0';
1740+ if (strlen(s->session->tlsext_hostname) != len) {
1741+ OPENSSL_free(s->session->tlsext_hostname);
1742+ s->session->tlsext_hostname = NULL;
1743+ *al = TLS1_AD_UNRECOGNIZED_NAME;
1744+ return 0;
1745+ }
1746+ s->servername_done = 1;
1747+
1748+ }
1749+ else
1750+ s->servername_done = s->session->tlsext_hostname
1751+ && strlen(s->session->tlsext_hostname) == len
1752+ && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1753+
1754+ break;
1755+
1756+ default:
1757+ break;
1758+ }
1759+
1760+ dsize -= len;
1761+ }
1762+ if (dsize != 0)
1763+ {
1764+ *al = SSL_AD_DECODE_ERROR;
1765+ return 0;
1766+ }
1767+
1768+ }
1769+#ifndef OPENSSL_NO_SRP
1770+ else if (type == TLSEXT_TYPE_srp)
1771+ {
1772+ if (size <= 0 || ((len = data[0])) != (size -1))
1773+ {
1774+ *al = SSL_AD_DECODE_ERROR;
1775+ return 0;
1776+ }
1777+ if (s->srp_ctx.login != NULL)
1778+ {
1779+ *al = SSL_AD_DECODE_ERROR;
1780+ return 0;
1781+ }
1782+ if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1783+ return -1;
1784+ memcpy(s->srp_ctx.login, &data[1], len);
1785+ s->srp_ctx.login[len]='\0';
1786+
1787+ if (strlen(s->srp_ctx.login) != len)
1788+ {
1789+ *al = SSL_AD_DECODE_ERROR;
1790+ return 0;
1791+ }
1792+ }
1793+#endif
1794+
1795+#ifndef OPENSSL_NO_EC
1796+ else if (type == TLSEXT_TYPE_ec_point_formats &&
1797+ s->version != DTLS1_VERSION)
1798+ {
1799+ unsigned char *sdata = data;
1800+ int ecpointformatlist_length = *(sdata++);
1801+
1802+ if (ecpointformatlist_length != size - 1)
1803+ {
1804+ *al = TLS1_AD_DECODE_ERROR;
1805+ return 0;
1806+ }
1807+ if (!s->hit)
1808+ {
1809+ if(s->session->tlsext_ecpointformatlist)
1810+ {
1811+ OPENSSL_free(s->session->tlsext_ecpointformatlist);
1812+ s->session->tlsext_ecpointformatlist = NULL;
1813+ }
1814+ s->session->tlsext_ecpointformatlist_length = 0;
1815+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1816+ {
1817+ *al = TLS1_AD_INTERNAL_ERROR;
1818+ return 0;
1819+ }
1820+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1821+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1822+ }
1823+#if 0
1824+ fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1825+ sdata = s->session->tlsext_ecpointformatlist;
1826+ for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1827+ fprintf(stderr,"%i ",*(sdata++));
1828+ fprintf(stderr,"\n");
1829+#endif
1830+ }
1831+ else if (type == TLSEXT_TYPE_elliptic_curves &&
1832+ s->version != DTLS1_VERSION)
1833+ {
1834+ unsigned char *sdata = data;
1835+ int ellipticcurvelist_length = (*(sdata++) << 8);
1836+ ellipticcurvelist_length += (*(sdata++));
1837+
1838+ if (ellipticcurvelist_length != size - 2)
1839+ {
1840+ *al = TLS1_AD_DECODE_ERROR;
1841+ return 0;
1842+ }
1843+ if (!s->hit)
1844+ {
1845+ if(s->session->tlsext_ellipticcurvelist)
1846+ {
1847+ *al = TLS1_AD_DECODE_ERROR;
1848+ return 0;
1849+ }
1850+ s->session->tlsext_ellipticcurvelist_length = 0;
1851+ if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1852+ {
1853+ *al = TLS1_AD_INTERNAL_ERROR;
1854+ return 0;
1855+ }
1856+ s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1857+ memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1858+ }
1859+#if 0
1860+ fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1861+ sdata = s->session->tlsext_ellipticcurvelist;
1862+ for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1863+ fprintf(stderr,"%i ",*(sdata++));
1864+ fprintf(stderr,"\n");
1865+#endif
1866+ }
1867+#endif /* OPENSSL_NO_EC */
1868+#ifdef TLSEXT_TYPE_opaque_prf_input
1869+ else if (type == TLSEXT_TYPE_opaque_prf_input &&
1870+ s->version != DTLS1_VERSION)
1871+ {
1872+ unsigned char *sdata = data;
1873+
1874+ if (size < 2)
1875+ {
1876+ *al = SSL_AD_DECODE_ERROR;
1877+ return 0;
1878+ }
1879+ n2s(sdata, s->s3->client_opaque_prf_input_len);
1880+ if (s->s3->client_opaque_prf_input_len != size - 2)
1881+ {
1882+ *al = SSL_AD_DECODE_ERROR;
1883+ return 0;
1884+ }
1885+
1886+ if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1887+ OPENSSL_free(s->s3->client_opaque_prf_input);
1888+ if (s->s3->client_opaque_prf_input_len == 0)
1889+ s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1890+ else
1891+ s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1892+ if (s->s3->client_opaque_prf_input == NULL)
1893+ {
1894+ *al = TLS1_AD_INTERNAL_ERROR;
1895+ return 0;
1896+ }
1897+ }
1898+#endif
1899+ else if (type == TLSEXT_TYPE_session_ticket)
1900+ {
1901+ if (s->tls_session_ticket_ext_cb &&
1902+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1903+ {
1904+ *al = TLS1_AD_INTERNAL_ERROR;
1905+ return 0;
1906+ }
1907+ }
1908+ else if (type == TLSEXT_TYPE_renegotiate)
1909+ {
1910+ if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1911+ return 0;
1912+ renegotiate_seen = 1;
1913+ }
1914+ else if (type == TLSEXT_TYPE_signature_algorithms)
1915+ {
1916+ int dsize;
1917+ if (sigalg_seen || size < 2)
1918+ {
1919+ *al = SSL_AD_DECODE_ERROR;
1920+ return 0;
1921+ }
1922+ sigalg_seen = 1;
1923+ n2s(data,dsize);
1924+ size -= 2;
1925+ if (dsize != size || dsize & 1)
1926+ {
1927+ *al = SSL_AD_DECODE_ERROR;
1928+ return 0;
1929+ }
1930+ if (!tls1_process_sigalgs(s, data, dsize))
1931+ {
1932+ *al = SSL_AD_DECODE_ERROR;
1933+ return 0;
1934+ }
1935+ }
1936+ else if (type == TLSEXT_TYPE_status_request &&
1937+ s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1938+ {
1939+
1940+ if (size < 5)
1941+ {
1942+ *al = SSL_AD_DECODE_ERROR;
1943+ return 0;
1944+ }
1945+
1946+ s->tlsext_status_type = *data++;
1947+ size--;
1948+ if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1949+ {
1950+ const unsigned char *sdata;
1951+ int dsize;
1952+ /* Read in responder_id_list */
1953+ n2s(data,dsize);
1954+ size -= 2;
1955+ if (dsize > size )
1956+ {
1957+ *al = SSL_AD_DECODE_ERROR;
1958+ return 0;
1959+ }
1960+ while (dsize > 0)
1961+ {
1962+ OCSP_RESPID *id;
1963+ int idsize;
1964+ if (dsize < 4)
1965+ {
1966+ *al = SSL_AD_DECODE_ERROR;
1967+ return 0;
1968+ }
1969+ n2s(data, idsize);
1970+ dsize -= 2 + idsize;
1971+ size -= 2 + idsize;
1972+ if (dsize < 0)
1973+ {
1974+ *al = SSL_AD_DECODE_ERROR;
1975+ return 0;
1976+ }
1977+ sdata = data;
1978+ data += idsize;
1979+ id = d2i_OCSP_RESPID(NULL,
1980+ &sdata, idsize);
1981+ if (!id)
1982+ {
1983+ *al = SSL_AD_DECODE_ERROR;
1984+ return 0;
1985+ }
1986+ if (data != sdata)
1987+ {
1988+ OCSP_RESPID_free(id);
1989+ *al = SSL_AD_DECODE_ERROR;
1990+ return 0;
1991+ }
1992+ if (!s->tlsext_ocsp_ids
1993+ && !(s->tlsext_ocsp_ids =
1994+ sk_OCSP_RESPID_new_null()))
1995+ {
1996+ OCSP_RESPID_free(id);
1997+ *al = SSL_AD_INTERNAL_ERROR;
1998+ return 0;
1999+ }
2000+ if (!sk_OCSP_RESPID_push(
2001+ s->tlsext_ocsp_ids, id))
2002+ {
2003+ OCSP_RESPID_free(id);
2004+ *al = SSL_AD_INTERNAL_ERROR;
2005+ return 0;
2006+ }
2007+ }
2008+
2009+ /* Read in request_extensions */
2010+ if (size < 2)
2011+ {
2012+ *al = SSL_AD_DECODE_ERROR;
2013+ return 0;
2014+ }
2015+ n2s(data,dsize);
2016+ size -= 2;
2017+ if (dsize != size)
2018+ {
2019+ *al = SSL_AD_DECODE_ERROR;
2020+ return 0;
2021+ }
2022+ sdata = data;
2023+ if (dsize > 0)
2024+ {
2025+ if (s->tlsext_ocsp_exts)
2026+ {
2027+ sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2028+ X509_EXTENSION_free);
2029+ }
2030+
2031+ s->tlsext_ocsp_exts =
2032+ d2i_X509_EXTENSIONS(NULL,
2033+ &sdata, dsize);
2034+ if (!s->tlsext_ocsp_exts
2035+ || (data + dsize != sdata))
2036+ {
2037+ *al = SSL_AD_DECODE_ERROR;
2038+ return 0;
2039+ }
2040+ }
2041+ }
2042+ /* We don't know what to do with any other type
2043+ * so ignore it.
2044+ */
2045+ else
2046+ s->tlsext_status_type = -1;
2047+ }
2048+#ifndef OPENSSL_NO_HEARTBEATS
2049+ else if (type == TLSEXT_TYPE_heartbeat)
2050+ {
2051+ switch(data[0])
2052+ {
2053+ case 0x01: /* Client allows us to send HB requests */
2054+ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2055+ break;
2056+ case 0x02: /* Client doesn't accept HB requests */
2057+ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2058+ s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2059+ break;
2060+ default: *al = SSL_AD_ILLEGAL_PARAMETER;
2061+ return 0;
2062+ }
2063+ }
2064+#endif
2065+#ifndef OPENSSL_NO_NEXTPROTONEG
2066+ else if (type == TLSEXT_TYPE_next_proto_neg &&
2067+ s->s3->tmp.finish_md_len == 0)
2068+ {
2069+ /* We shouldn't accept this extension on a
2070+ * renegotiation.
2071+ *
2072+ * s->new_session will be set on renegotiation, but we
2073+ * probably shouldn't rely that it couldn't be set on
2074+ * the initial renegotation too in certain cases (when
2075+ * there's some other reason to disallow resuming an
2076+ * earlier session -- the current code won't be doing
2077+ * anything like that, but this might change).
2078+
2079+ * A valid sign that there's been a previous handshake
2080+ * in this connection is if s->s3->tmp.finish_md_len >
2081+ * 0. (We are talking about a check that will happen
2082+ * in the Hello protocol round, well before a new
2083+ * Finished message could have been computed.) */
2084+ s->s3->next_proto_neg_seen = 1;
2085+ }
2086+#endif
2087+
2088+ /* session ticket processed earlier */
2089+ else if (type == TLSEXT_TYPE_use_srtp)
2090+ {
2091+ if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2092+ al))
2093+ return 0;
2094+ }
2095+
2096+ data+=size;
2097+ }
2098+
2099+ *p = data;
2100+
2101+ ri_check:
2102+
2103+ /* Need RI if renegotiating */
2104+
2105+ if (!renegotiate_seen && s->renegotiate &&
2106+ !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2107+ {
2108+ *al = SSL_AD_HANDSHAKE_FAILURE;
2109+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
2110+ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2111+ return 0;
2112+ }
2113+
2114+ return 1;
2115+ }
2116+
2117+#ifndef OPENSSL_NO_NEXTPROTONEG
2118+/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2119+ * elements of zero length are allowed and the set of elements must exactly fill
2120+ * the length of the block. */
2121+static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2122+ {
2123+ unsigned int off = 0;
2124+
2125+ while (off < len)
2126+ {
2127+ if (d[off] == 0)
2128+ return 0;
2129+ off += d[off];
2130+ off++;
2131+ }
2132+
2133+ return off == len;
2134+ }
2135+#endif
2136+
2137+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2138+ {
2139+ unsigned short length;
2140+ unsigned short type;
2141+ unsigned short size;
2142+ unsigned char *data = *p;
2143+ int tlsext_servername = 0;
2144+ int renegotiate_seen = 0;
2145+
2146+#ifndef OPENSSL_NO_NEXTPROTONEG
2147+ s->s3->next_proto_neg_seen = 0;
2148+#endif
2149+
2150+#ifndef OPENSSL_NO_HEARTBEATS
2151+ s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2152+ SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2153+#endif
2154+
2155+ if (data >= (d+n-2))
2156+ goto ri_check;
2157+
2158+ n2s(data,length);
2159+ if (data+length != d+n)
2160+ {
2161+ *al = SSL_AD_DECODE_ERROR;
2162+ return 0;
2163+ }
2164+
2165+ while(data <= (d+n-4))
2166+ {
2167+ n2s(data,type);
2168+ n2s(data,size);
2169+
2170+ if (data+size > (d+n))
2171+ goto ri_check;
2172+
2173+ if (s->tlsext_debug_cb)
2174+ s->tlsext_debug_cb(s, 1, type, data, size,
2175+ s->tlsext_debug_arg);
2176+
2177+ if (type == TLSEXT_TYPE_server_name)
2178+ {
2179+ if (s->tlsext_hostname == NULL || size > 0)
2180+ {
2181+ *al = TLS1_AD_UNRECOGNIZED_NAME;
2182+ return 0;
2183+ }
2184+ tlsext_servername = 1;
2185+ }
2186+
2187+#ifndef OPENSSL_NO_EC
2188+ else if (type == TLSEXT_TYPE_ec_point_formats &&
2189+ s->version != DTLS1_VERSION)
2190+ {
2191+ unsigned char *sdata = data;
2192+ int ecpointformatlist_length = *(sdata++);
2193+
2194+ if (ecpointformatlist_length != size - 1)
2195+ {
2196+ *al = TLS1_AD_DECODE_ERROR;
2197+ return 0;
2198+ }
2199+ s->session->tlsext_ecpointformatlist_length = 0;
2200+ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2201+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2202+ {
2203+ *al = TLS1_AD_INTERNAL_ERROR;
2204+ return 0;
2205+ }
2206+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2207+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2208+#if 0
2209+ fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2210+ sdata = s->session->tlsext_ecpointformatlist;
2211+ for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2212+ fprintf(stderr,"%i ",*(sdata++));
2213+ fprintf(stderr,"\n");
2214+#endif
2215+ }
2216+#endif /* OPENSSL_NO_EC */
2217+
2218+ else if (type == TLSEXT_TYPE_session_ticket)
2219+ {
2220+ if (s->tls_session_ticket_ext_cb &&
2221+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2222+ {
2223+ *al = TLS1_AD_INTERNAL_ERROR;
2224+ return 0;
2225+ }
2226+ if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2227+ || (size > 0))
2228+ {
2229+ *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2230+ return 0;
2231+ }
2232+ s->tlsext_ticket_expected = 1;
2233+ }
2234+#ifdef TLSEXT_TYPE_opaque_prf_input
2235+ else if (type == TLSEXT_TYPE_opaque_prf_input &&
2236+ s->version != DTLS1_VERSION)
2237+ {
2238+ unsigned char *sdata = data;
2239+
2240+ if (size < 2)
2241+ {
2242+ *al = SSL_AD_DECODE_ERROR;
2243+ return 0;
2244+ }
2245+ n2s(sdata, s->s3->server_opaque_prf_input_len);
2246+ if (s->s3->server_opaque_prf_input_len != size - 2)
2247+ {
2248+ *al = SSL_AD_DECODE_ERROR;
2249+ return 0;
2250+ }
2251+
2252+ if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2253+ OPENSSL_free(s->s3->server_opaque_prf_input);
2254+ if (s->s3->server_opaque_prf_input_len == 0)
2255+ s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2256+ else
2257+ s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2258+
2259+ if (s->s3->server_opaque_prf_input == NULL)
2260+ {
2261+ *al = TLS1_AD_INTERNAL_ERROR;
2262+ return 0;
2263+ }
2264+ }
2265+#endif
2266+ else if (type == TLSEXT_TYPE_status_request &&
2267+ s->version != DTLS1_VERSION)
2268+ {
2269+ /* MUST be empty and only sent if we've requested
2270+ * a status request message.
2271+ */
2272+ if ((s->tlsext_status_type == -1) || (size > 0))
2273+ {
2274+ *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2275+ return 0;
2276+ }
2277+ /* Set flag to expect CertificateStatus message */
2278+ s->tlsext_status_expected = 1;
2279+ }
2280+#ifndef OPENSSL_NO_NEXTPROTONEG
2281+ else if (type == TLSEXT_TYPE_next_proto_neg &&
2282+ s->s3->tmp.finish_md_len == 0)
2283+ {
2284+ unsigned char *selected;
2285+ unsigned char selected_len;
2286+
2287+ /* We must have requested it. */
2288+ if ((s->ctx->next_proto_select_cb == NULL))
2289+ {
2290+ *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2291+ return 0;
2292+ }
2293+ /* The data must be valid */
2294+ if (!ssl_next_proto_validate(data, size))
2295+ {
2296+ *al = TLS1_AD_DECODE_ERROR;
2297+ return 0;
2298+ }
2299+ if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2300+ {
2301+ *al = TLS1_AD_INTERNAL_ERROR;
2302+ return 0;
2303+ }
2304+ s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2305+ if (!s->next_proto_negotiated)
2306+ {
2307+ *al = TLS1_AD_INTERNAL_ERROR;
2308+ return 0;
2309+ }
2310+ memcpy(s->next_proto_negotiated, selected, selected_len);
2311+ s->next_proto_negotiated_len = selected_len;
2312+ s->s3->next_proto_neg_seen = 1;
2313+ }
2314+#endif
2315+ else if (type == TLSEXT_TYPE_renegotiate)
2316+ {
2317+ if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2318+ return 0;
2319+ renegotiate_seen = 1;
2320+ }
2321+#ifndef OPENSSL_NO_HEARTBEATS
2322+ else if (type == TLSEXT_TYPE_heartbeat)
2323+ {
2324+ switch(data[0])
2325+ {
2326+ case 0x01: /* Server allows us to send HB requests */
2327+ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2328+ break;
2329+ case 0x02: /* Server doesn't accept HB requests */
2330+ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2331+ s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2332+ break;
2333+ default: *al = SSL_AD_ILLEGAL_PARAMETER;
2334+ return 0;
2335+ }
2336+ }
2337+#endif
2338+ else if (type == TLSEXT_TYPE_use_srtp)
2339+ {
2340+ if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2341+ al))
2342+ return 0;
2343+ }
2344+
2345+ data+=size;
2346+ }
2347+
2348+ if (data != d+n)
2349+ {
2350+ *al = SSL_AD_DECODE_ERROR;
2351+ return 0;
2352+ }
2353+
2354+ if (!s->hit && tlsext_servername == 1)
2355+ {
2356+ if (s->tlsext_hostname)
2357+ {
2358+ if (s->session->tlsext_hostname == NULL)
2359+ {
2360+ s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2361+ if (!s->session->tlsext_hostname)
2362+ {
2363+ *al = SSL_AD_UNRECOGNIZED_NAME;
2364+ return 0;
2365+ }
2366+ }
2367+ else
2368+ {
2369+ *al = SSL_AD_DECODE_ERROR;
2370+ return 0;
2371+ }
2372+ }
2373+ }
2374+
2375+ *p = data;
2376+
2377+ ri_check:
2378+
2379+ /* Determine if we need to see RI. Strictly speaking if we want to
2380+ * avoid an attack we should *always* see RI even on initial server
2381+ * hello because the client doesn't see any renegotiation during an
2382+ * attack. However this would mean we could not connect to any server
2383+ * which doesn't support RI so for the immediate future tolerate RI
2384+ * absence on initial connect only.
2385+ */
2386+ if (!renegotiate_seen
2387+ && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2388+ && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2389+ {
2390+ *al = SSL_AD_HANDSHAKE_FAILURE;
2391+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
2392+ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2393+ return 0;
2394+ }
2395+
2396+ return 1;
2397+ }
2398+
2399+
2400+int ssl_prepare_clienthello_tlsext(SSL *s)
2401+ {
2402+#ifndef OPENSSL_NO_EC
2403+ /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
2404+ * and elliptic curves we support.
2405+ */
2406+ int using_ecc = 0;
2407+ int i;
2408+ unsigned char *j;
2409+ unsigned long alg_k, alg_a;
2410+ STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
2411+
2412+ for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
2413+ {
2414+ SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
2415+
2416+ alg_k = c->algorithm_mkey;
2417+ alg_a = c->algorithm_auth;
2418+ if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
2419+ {
2420+ using_ecc = 1;
2421+ break;
2422+ }
2423+ }
2424+ using_ecc = using_ecc && (s->version >= TLS1_VERSION);
2425+ if (using_ecc)
2426+ {
2427+ if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
2428+ if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
2429+ {
2430+ SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2431+ return -1;
2432+ }
2433+ s->tlsext_ecpointformatlist_length = 3;
2434+ s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
2435+ s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
2436+ s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2437+
2438+ /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
2439+ if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
2440+ s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
2441+ if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
2442+ {
2443+ s->tlsext_ellipticcurvelist_length = 0;
2444+ SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2445+ return -1;
2446+ }
2447+ for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
2448+ sizeof(pref_list)/sizeof(pref_list[0]); i++)
2449+ {
2450+ int id = tls1_ec_nid2curve_id(pref_list[i]);
2451+ s2n(id,j);
2452+ }
2453+ }
2454+#endif /* OPENSSL_NO_EC */
2455+
2456+#ifdef TLSEXT_TYPE_opaque_prf_input
2457+ {
2458+ int r = 1;
2459+
2460+ if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2461+ {
2462+ r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2463+ if (!r)
2464+ return -1;
2465+ }
2466+
2467+ if (s->tlsext_opaque_prf_input != NULL)
2468+ {
2469+ if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2470+ OPENSSL_free(s->s3->client_opaque_prf_input);
2471+
2472+ if (s->tlsext_opaque_prf_input_len == 0)
2473+ s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2474+ else
2475+ s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2476+ if (s->s3->client_opaque_prf_input == NULL)
2477+ {
2478+ SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2479+ return -1;
2480+ }
2481+ s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2482+ }
2483+
2484+ if (r == 2)
2485+ /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2486+ s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2487+ }
2488+#endif
2489+
2490+ return 1;
2491+ }
2492+
2493+int ssl_prepare_serverhello_tlsext(SSL *s)
2494+ {
2495+#ifndef OPENSSL_NO_EC
2496+ /* If we are server and using an ECC cipher suite, send the point formats we support
2497+ * if the client sent us an ECPointsFormat extension. Note that the server is not
2498+ * supposed to send an EllipticCurves extension.
2499+ */
2500+
2501+ unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2502+ unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2503+ int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
2504+ using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
2505+
2506+ if (using_ecc)
2507+ {
2508+ if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
2509+ if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
2510+ {
2511+ SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2512+ return -1;
2513+ }
2514+ s->tlsext_ecpointformatlist_length = 3;
2515+ s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
2516+ s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
2517+ s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2518+ }
2519+#endif /* OPENSSL_NO_EC */
2520+
2521+ return 1;
2522+ }
2523+
2524+int ssl_check_clienthello_tlsext(SSL *s)
2525+ {
2526+ int ret=SSL_TLSEXT_ERR_NOACK;
2527+ int al = SSL_AD_UNRECOGNIZED_NAME;
2528+
2529+#ifndef OPENSSL_NO_EC
2530+ /* The handling of the ECPointFormats extension is done elsewhere, namely in
2531+ * ssl3_choose_cipher in s3_lib.c.
2532+ */
2533+ /* The handling of the EllipticCurves extension is done elsewhere, namely in
2534+ * ssl3_choose_cipher in s3_lib.c.
2535+ */
2536+#endif
2537+
2538+ if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2539+ ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2540+ else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2541+ ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2542+
2543+ /* If status request then ask callback what to do.
2544+ * Note: this must be called after servername callbacks in case
2545+ * the certificate has changed.
2546+ */
2547+ if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2548+ {
2549+ int r;
2550+ r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2551+ switch (r)
2552+ {
2553+ /* We don't want to send a status request response */
2554+ case SSL_TLSEXT_ERR_NOACK:
2555+ s->tlsext_status_expected = 0;
2556+ break;
2557+ /* status request response should be sent */
2558+ case SSL_TLSEXT_ERR_OK:
2559+ if (s->tlsext_ocsp_resp)
2560+ s->tlsext_status_expected = 1;
2561+ else
2562+ s->tlsext_status_expected = 0;
2563+ break;
2564+ /* something bad happened */
2565+ case SSL_TLSEXT_ERR_ALERT_FATAL:
2566+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2567+ al = SSL_AD_INTERNAL_ERROR;
2568+ goto err;
2569+ }
2570+ }
2571+ else
2572+ s->tlsext_status_expected = 0;
2573+
2574+#ifdef TLSEXT_TYPE_opaque_prf_input
2575+ {
2576+ /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2577+ * but we might be sending an alert in response to the client hello,
2578+ * so this has to happen here in ssl_check_clienthello_tlsext(). */
2579+
2580+ int r = 1;
2581+
2582+ if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2583+ {
2584+ r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2585+ if (!r)
2586+ {
2587+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2588+ al = SSL_AD_INTERNAL_ERROR;
2589+ goto err;
2590+ }
2591+ }
2592+
2593+ if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2594+ OPENSSL_free(s->s3->server_opaque_prf_input);
2595+ s->s3->server_opaque_prf_input = NULL;
2596+
2597+ if (s->tlsext_opaque_prf_input != NULL)
2598+ {
2599+ if (s->s3->client_opaque_prf_input != NULL &&
2600+ s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2601+ {
2602+ /* can only use this extension if we have a server opaque PRF input
2603+ * of the same length as the client opaque PRF input! */
2604+
2605+ if (s->tlsext_opaque_prf_input_len == 0)
2606+ s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2607+ else
2608+ s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2609+ if (s->s3->server_opaque_prf_input == NULL)
2610+ {
2611+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2612+ al = SSL_AD_INTERNAL_ERROR;
2613+ goto err;
2614+ }
2615+ s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2616+ }
2617+ }
2618+
2619+ if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2620+ {
2621+ /* The callback wants to enforce use of the extension,
2622+ * but we can't do that with the client opaque PRF input;
2623+ * abort the handshake.
2624+ */
2625+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2626+ al = SSL_AD_HANDSHAKE_FAILURE;
2627+ }
2628+ }
2629+
2630+#endif
2631+ err:
2632+ switch (ret)
2633+ {
2634+ case SSL_TLSEXT_ERR_ALERT_FATAL:
2635+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
2636+ return -1;
2637+
2638+ case SSL_TLSEXT_ERR_ALERT_WARNING:
2639+ ssl3_send_alert(s,SSL3_AL_WARNING,al);
2640+ return 1;
2641+
2642+ case SSL_TLSEXT_ERR_NOACK:
2643+ s->servername_done=0;
2644+ default:
2645+ return 1;
2646+ }
2647+ }
2648+
2649+int ssl_check_serverhello_tlsext(SSL *s)
2650+ {
2651+ int ret=SSL_TLSEXT_ERR_NOACK;
2652+ int al = SSL_AD_UNRECOGNIZED_NAME;
2653+
2654+#ifndef OPENSSL_NO_EC
2655+ /* If we are client and using an elliptic curve cryptography cipher
2656+ * suite, then if server returns an EC point formats lists extension
2657+ * it must contain uncompressed.
2658+ */
2659+ unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2660+ unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2661+ if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
2662+ (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
2663+ ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2664+ {
2665+ /* we are using an ECC cipher */
2666+ size_t i;
2667+ unsigned char *list;
2668+ int found_uncompressed = 0;
2669+ list = s->session->tlsext_ecpointformatlist;
2670+ for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2671+ {
2672+ if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2673+ {
2674+ found_uncompressed = 1;
2675+ break;
2676+ }
2677+ }
2678+ if (!found_uncompressed)
2679+ {
2680+ SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2681+ return -1;
2682+ }
2683+ }
2684+ ret = SSL_TLSEXT_ERR_OK;
2685+#endif /* OPENSSL_NO_EC */
2686+
2687+ if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2688+ ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2689+ else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2690+ ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2691+
2692+#ifdef TLSEXT_TYPE_opaque_prf_input
2693+ if (s->s3->server_opaque_prf_input_len > 0)
2694+ {
2695+ /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2696+ * So first verify that we really have a value from the server too. */
2697+
2698+ if (s->s3->server_opaque_prf_input == NULL)
2699+ {
2700+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2701+ al = SSL_AD_HANDSHAKE_FAILURE;
2702+ }
2703+
2704+ /* Anytime the server *has* sent an opaque PRF input, we need to check
2705+ * that we have a client opaque PRF input of the same size. */
2706+ if (s->s3->client_opaque_prf_input == NULL ||
2707+ s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2708+ {
2709+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2710+ al = SSL_AD_ILLEGAL_PARAMETER;
2711+ }
2712+ }
2713+#endif
2714+
2715+ /* If we've requested certificate status and we wont get one
2716+ * tell the callback
2717+ */
2718+ if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2719+ && s->ctx && s->ctx->tlsext_status_cb)
2720+ {
2721+ int r;
2722+ /* Set resp to NULL, resplen to -1 so callback knows
2723+ * there is no response.
2724+ */
2725+ if (s->tlsext_ocsp_resp)
2726+ {
2727+ OPENSSL_free(s->tlsext_ocsp_resp);
2728+ s->tlsext_ocsp_resp = NULL;
2729+ }
2730+ s->tlsext_ocsp_resplen = -1;
2731+ r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2732+ if (r == 0)
2733+ {
2734+ al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2735+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2736+ }
2737+ if (r < 0)
2738+ {
2739+ al = SSL_AD_INTERNAL_ERROR;
2740+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2741+ }
2742+ }
2743+
2744+ switch (ret)
2745+ {
2746+ case SSL_TLSEXT_ERR_ALERT_FATAL:
2747+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
2748+ return -1;
2749+
2750+ case SSL_TLSEXT_ERR_ALERT_WARNING:
2751+ ssl3_send_alert(s,SSL3_AL_WARNING,al);
2752+ return 1;
2753+
2754+ case SSL_TLSEXT_ERR_NOACK:
2755+ s->servername_done=0;
2756+ default:
2757+ return 1;
2758+ }
2759+ }
2760+
2761+/* Since the server cache lookup is done early on in the processing of the
2762+ * ClientHello, and other operations depend on the result, we need to handle
2763+ * any TLS session ticket extension at the same time.
2764+ *
2765+ * session_id: points at the session ID in the ClientHello. This code will
2766+ * read past the end of this in order to parse out the session ticket
2767+ * extension, if any.
2768+ * len: the length of the session ID.
2769+ * limit: a pointer to the first byte after the ClientHello.
2770+ * ret: (output) on return, if a ticket was decrypted, then this is set to
2771+ * point to the resulting session.
2772+ *
2773+ * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2774+ * ciphersuite, in which case we have no use for session tickets and one will
2775+ * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2776+ *
2777+ * Returns:
2778+ * -1: fatal error, either from parsing or decrypting the ticket.
2779+ * 0: no ticket was found (or was ignored, based on settings).
2780+ * 1: a zero length extension was found, indicating that the client supports
2781+ * session tickets but doesn't currently have one to offer.
2782+ * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2783+ * couldn't be decrypted because of a non-fatal error.
2784+ * 3: a ticket was successfully decrypted and *ret was set.
2785+ *
2786+ * Side effects:
2787+ * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2788+ * a new session ticket to the client because the client indicated support
2789+ * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2790+ * a session ticket or we couldn't use the one it gave us, or if
2791+ * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2792+ * Otherwise, s->tlsext_ticket_expected is set to 0.
2793+ */
2794+int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2795+ const unsigned char *limit, SSL_SESSION **ret)
2796+ {
2797+ /* Point after session ID in client hello */
2798+ const unsigned char *p = session_id + len;
2799+ unsigned short i;
2800+
2801+ *ret = NULL;
2802+ s->tlsext_ticket_expected = 0;
2803+
2804+ /* If tickets disabled behave as if no ticket present
2805+ * to permit stateful resumption.
2806+ */
2807+ if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2808+ return 0;
2809+ if ((s->version <= SSL3_VERSION) || !limit)
2810+ return 0;
2811+ if (p >= limit)
2812+ return -1;
2813+ /* Skip past DTLS cookie */
2814+ if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2815+ {
2816+ i = *(p++);
2817+ p+= i;
2818+ if (p >= limit)
2819+ return -1;
2820+ }
2821+ /* Skip past cipher list */
2822+ n2s(p, i);
2823+ p+= i;
2824+ if (p >= limit)
2825+ return -1;
2826+ /* Skip past compression algorithm list */
2827+ i = *(p++);
2828+ p += i;
2829+ if (p > limit)
2830+ return -1;
2831+ /* Now at start of extensions */
2832+ if ((p + 2) >= limit)
2833+ return 0;
2834+ n2s(p, i);
2835+ while ((p + 4) <= limit)
2836+ {
2837+ unsigned short type, size;
2838+ n2s(p, type);
2839+ n2s(p, size);
2840+ if (p + size > limit)
2841+ return 0;
2842+ if (type == TLSEXT_TYPE_session_ticket)
2843+ {
2844+ int r;
2845+ if (size == 0)
2846+ {
2847+ /* The client will accept a ticket but doesn't
2848+ * currently have one. */
2849+ s->tlsext_ticket_expected = 1;
2850+ return 1;
2851+ }
2852+ if (s->tls_session_secret_cb)
2853+ {
2854+ /* Indicate that the ticket couldn't be
2855+ * decrypted rather than generating the session
2856+ * from ticket now, trigger abbreviated
2857+ * handshake based on external mechanism to
2858+ * calculate the master secret later. */
2859+ return 2;
2860+ }
2861+ r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2862+ switch (r)
2863+ {
2864+ case 2: /* ticket couldn't be decrypted */
2865+ s->tlsext_ticket_expected = 1;
2866+ return 2;
2867+ case 3: /* ticket was decrypted */
2868+ return r;
2869+ case 4: /* ticket decrypted but need to renew */
2870+ s->tlsext_ticket_expected = 1;
2871+ return 3;
2872+ default: /* fatal error */
2873+ return -1;
2874+ }
2875+ }
2876+ p += size;
2877+ }
2878+ return 0;
2879+ }
2880+
2881+/* tls_decrypt_ticket attempts to decrypt a session ticket.
2882+ *
2883+ * etick: points to the body of the session ticket extension.
2884+ * eticklen: the length of the session tickets extenion.
2885+ * sess_id: points at the session ID.
2886+ * sesslen: the length of the session ID.
2887+ * psess: (output) on return, if a ticket was decrypted, then this is set to
2888+ * point to the resulting session.
2889+ *
2890+ * Returns:
2891+ * -1: fatal error, either from parsing or decrypting the ticket.
2892+ * 2: the ticket couldn't be decrypted.
2893+ * 3: a ticket was successfully decrypted and *psess was set.
2894+ * 4: same as 3, but the ticket needs to be renewed.
2895+ */
2896+static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2897+ const unsigned char *sess_id, int sesslen,
2898+ SSL_SESSION **psess)
2899+ {
2900+ SSL_SESSION *sess;
2901+ unsigned char *sdec;
2902+ const unsigned char *p;
2903+ int slen, mlen, renew_ticket = 0;
2904+ unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2905+ HMAC_CTX hctx;
2906+ EVP_CIPHER_CTX ctx;
2907+ SSL_CTX *tctx = s->initial_ctx;
2908+ /* Need at least keyname + iv + some encrypted data */
2909+ if (eticklen < 48)
2910+ return 2;
2911+ /* Initialize session ticket encryption and HMAC contexts */
2912+ HMAC_CTX_init(&hctx);
2913+ EVP_CIPHER_CTX_init(&ctx);
2914+ if (tctx->tlsext_ticket_key_cb)
2915+ {
2916+ unsigned char *nctick = (unsigned char *)etick;
2917+ int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2918+ &ctx, &hctx, 0);
2919+ if (rv < 0)
2920+ return -1;
2921+ if (rv == 0)
2922+ return 2;
2923+ if (rv == 2)
2924+ renew_ticket = 1;
2925+ }
2926+ else
2927+ {
2928+ /* Check key name matches */
2929+ if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2930+ return 2;
2931+ HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2932+ tlsext_tick_md(), NULL);
2933+ EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2934+ tctx->tlsext_tick_aes_key, etick + 16);
2935+ }
2936+ /* Attempt to process session ticket, first conduct sanity and
2937+ * integrity checks on ticket.
2938+ */
2939+ mlen = HMAC_size(&hctx);
2940+ if (mlen < 0)
2941+ {
2942+ EVP_CIPHER_CTX_cleanup(&ctx);
2943+ return -1;
2944+ }
2945+ eticklen -= mlen;
2946+ /* Check HMAC of encrypted ticket */
2947+ HMAC_Update(&hctx, etick, eticklen);
2948+ HMAC_Final(&hctx, tick_hmac, NULL);
2949+ HMAC_CTX_cleanup(&hctx);
2950+ if (memcmp(tick_hmac, etick + eticklen, mlen))
2951+ return 2;
2952+ /* Attempt to decrypt session data */
2953+ /* Move p after IV to start of encrypted ticket, update length */
2954+ p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2955+ eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2956+ sdec = OPENSSL_malloc(eticklen);
2957+ if (!sdec)
2958+ {
2959+ EVP_CIPHER_CTX_cleanup(&ctx);
2960+ return -1;
2961+ }
2962+ EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2963+ if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2964+ return 2;
2965+ slen += mlen;
2966+ EVP_CIPHER_CTX_cleanup(&ctx);
2967+ p = sdec;
2968+
2969+ sess = d2i_SSL_SESSION(NULL, &p, slen);
2970+ OPENSSL_free(sdec);
2971+ if (sess)
2972+ {
2973+ /* The session ID, if non-empty, is used by some clients to
2974+ * detect that the ticket has been accepted. So we copy it to
2975+ * the session structure. If it is empty set length to zero
2976+ * as required by standard.
2977+ */
2978+ if (sesslen)
2979+ memcpy(sess->session_id, sess_id, sesslen);
2980+ sess->session_id_length = sesslen;
2981+ *psess = sess;
2982+ if (renew_ticket)
2983+ return 4;
2984+ else
2985+ return 3;
2986+ }
2987+ ERR_clear_error();
2988+ /* For session parse failure, indicate that we need to send a new
2989+ * ticket. */
2990+ return 2;
2991+ }
2992+
2993+/* Tables to translate from NIDs to TLS v1.2 ids */
2994+
2995+typedef struct
2996+ {
2997+ int nid;
2998+ int id;
2999+ } tls12_lookup;
3000+
3001+static tls12_lookup tls12_md[] = {
3002+#ifndef OPENSSL_NO_MD5
3003+ {NID_md5, TLSEXT_hash_md5},
3004+#endif
3005+#ifndef OPENSSL_NO_SHA
3006+ {NID_sha1, TLSEXT_hash_sha1},
3007+#endif
3008+#ifndef OPENSSL_NO_SHA256
3009+ {NID_sha224, TLSEXT_hash_sha224},
3010+ {NID_sha256, TLSEXT_hash_sha256},
3011+#endif
3012+#ifndef OPENSSL_NO_SHA512
3013+ {NID_sha384, TLSEXT_hash_sha384},
3014+ {NID_sha512, TLSEXT_hash_sha512}
3015+#endif
3016+};
3017+
3018+static tls12_lookup tls12_sig[] = {
3019+#ifndef OPENSSL_NO_RSA
3020+ {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3021+#endif
3022+#ifndef OPENSSL_NO_DSA
3023+ {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3024+#endif
3025+#ifndef OPENSSL_NO_ECDSA
3026+ {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3027+#endif
3028+};
3029+
3030+static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3031+ {
3032+ size_t i;
3033+ for (i = 0; i < tlen; i++)
3034+ {
3035+ if (table[i].nid == nid)
3036+ return table[i].id;
3037+ }
3038+ return -1;
3039+ }
3040+#if 0
3041+static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3042+ {
3043+ size_t i;
3044+ for (i = 0; i < tlen; i++)
3045+ {
3046+ if (table[i].id == id)
3047+ return table[i].nid;
3048+ }
3049+ return -1;
3050+ }
3051+#endif
3052+
3053+int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3054+ {
3055+ int sig_id, md_id;
3056+ if (!md)
3057+ return 0;
3058+ md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3059+ sizeof(tls12_md)/sizeof(tls12_lookup));
3060+ if (md_id == -1)
3061+ return 0;
3062+ sig_id = tls12_get_sigid(pk);
3063+ if (sig_id == -1)
3064+ return 0;
3065+ p[0] = (unsigned char)md_id;
3066+ p[1] = (unsigned char)sig_id;
3067+ return 1;
3068+ }
3069+
3070+int tls12_get_sigid(const EVP_PKEY *pk)
3071+ {
3072+ return tls12_find_id(pk->type, tls12_sig,
3073+ sizeof(tls12_sig)/sizeof(tls12_lookup));
3074+ }
3075+
3076+const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3077+ {
3078+ switch(hash_alg)
3079+ {
3080+#ifndef OPENSSL_NO_MD5
3081+ case TLSEXT_hash_md5:
3082+#ifdef OPENSSL_FIPS
3083+ if (FIPS_mode())
3084+ return NULL;
3085+#endif
3086+ return EVP_md5();
3087+#endif
3088+#ifndef OPENSSL_NO_SHA
3089+ case TLSEXT_hash_sha1:
3090+ return EVP_sha1();
3091+#endif
3092+#ifndef OPENSSL_NO_SHA256
3093+ case TLSEXT_hash_sha224:
3094+ return EVP_sha224();
3095+
3096+ case TLSEXT_hash_sha256:
3097+ return EVP_sha256();
3098+#endif
3099+#ifndef OPENSSL_NO_SHA512
3100+ case TLSEXT_hash_sha384:
3101+ return EVP_sha384();
3102+
3103+ case TLSEXT_hash_sha512:
3104+ return EVP_sha512();
3105+#endif
3106+ default:
3107+ return NULL;
3108+
3109+ }
3110+ }
3111+
3112+/* Set preferred digest for each key type */
3113+
3114+int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
3115+ {
3116+ int i, idx;
3117+ const EVP_MD *md;
3118+ CERT *c = s->cert;
3119+ /* Extension ignored for TLS versions below 1.2 */
3120+ if (TLS1_get_version(s) < TLS1_2_VERSION)
3121+ return 1;
3122+ /* Should never happen */
3123+ if (!c)
3124+ return 0;
3125+
3126+ c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
3127+ c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
3128+ c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
3129+ c->pkeys[SSL_PKEY_ECC].digest = NULL;
3130+
3131+ for (i = 0; i < dsize; i += 2)
3132+ {
3133+ unsigned char hash_alg = data[i], sig_alg = data[i+1];
3134+
3135+ switch(sig_alg)
3136+ {
3137+#ifndef OPENSSL_NO_RSA
3138+ case TLSEXT_signature_rsa:
3139+ idx = SSL_PKEY_RSA_SIGN;
3140+ break;
3141+#endif
3142+#ifndef OPENSSL_NO_DSA
3143+ case TLSEXT_signature_dsa:
3144+ idx = SSL_PKEY_DSA_SIGN;
3145+ break;
3146+#endif
3147+#ifndef OPENSSL_NO_ECDSA
3148+ case TLSEXT_signature_ecdsa:
3149+ idx = SSL_PKEY_ECC;
3150+ break;
3151+#endif
3152+ default:
3153+ continue;
3154+ }
3155+
3156+ if (c->pkeys[idx].digest == NULL)
3157+ {
3158+ md = tls12_get_hash(hash_alg);
3159+ if (md)
3160+ {
3161+ c->pkeys[idx].digest = md;
3162+ if (idx == SSL_PKEY_RSA_SIGN)
3163+ c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3164+ }
3165+ }
3166+
3167+ }
3168+
3169+
3170+ /* Set any remaining keys to default values. NOTE: if alg is not
3171+ * supported it stays as NULL.
3172+ */
3173+#ifndef OPENSSL_NO_DSA
3174+ if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3175+ c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
3176+#endif
3177+#ifndef OPENSSL_NO_RSA
3178+ if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
3179+ {
3180+ c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3181+ c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3182+ }
3183+#endif
3184+#ifndef OPENSSL_NO_ECDSA
3185+ if (!c->pkeys[SSL_PKEY_ECC].digest)
3186+ c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
3187+#endif
3188+ return 1;
3189+ }
3190+
3191+#endif
3192+
3193+#ifndef OPENSSL_NO_HEARTBEATS
3194+int
3195+tls1_process_heartbeat(SSL *s)
3196+ {
3197+ unsigned char *p = &s->s3->rrec.data[0], *pl;
3198+ unsigned short hbtype;
3199+ unsigned int payload;
3200+ unsigned int padding = 16; /* Use minimum padding */
3201+
3202+ /* Read type and payload length first */
3203+ hbtype = *p++;
3204+ n2s(p, payload);
3205+ pl = p;
3206+
3207+ if (s->msg_callback)
3208+ s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3209+ &s->s3->rrec.data[0], s->s3->rrec.length,
3210+ s, s->msg_callback_arg);
3211+
3212+ if (hbtype == TLS1_HB_REQUEST)
3213+ {
3214+ unsigned char *buffer, *bp;
3215+ int r;
3216+
3217+ /* Allocate memory for the response, size is 1 bytes
3218+ * message type, plus 2 bytes payload length, plus
3219+ * payload, plus padding
3220+ */
3221+ buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3222+ bp = buffer;
3223+
3224+ /* Enter response type, length and copy payload */
3225+ *bp++ = TLS1_HB_RESPONSE;
3226+ s2n(payload, bp);
3227+ memcpy(bp, pl, payload);
3228+ bp += payload;
3229+ /* Random padding */
3230+ RAND_pseudo_bytes(bp, padding);
3231+
3232+ r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
3233+
3234+ if (r >= 0 && s->msg_callback)
3235+ s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3236+ buffer, 3 + payload + padding,
3237+ s, s->msg_callback_arg);
3238+
3239+ OPENSSL_free(buffer);
3240+
3241+ if (r < 0)
3242+ return r;
3243+ }
3244+ else if (hbtype == TLS1_HB_RESPONSE)
3245+ {
3246+ unsigned int seq;
3247+
3248+ /* We only send sequence numbers (2 bytes unsigned int),
3249+ * and 16 random bytes, so we just try to read the
3250+ * sequence number */
3251+ n2s(pl, seq);
3252+
3253+ if (payload == 18 && seq == s->tlsext_hb_seq)
3254+ {
3255+ s->tlsext_hb_seq++;
3256+ s->tlsext_hb_pending = 0;
3257+ }
3258+ }
3259+
3260+ return 0;
3261+ }
3262+
3263+int
3264+tls1_heartbeat(SSL *s)
3265+ {
3266+ unsigned char *buf, *p;
3267+ int ret;
3268+ unsigned int payload = 18; /* Sequence number + random bytes */
3269+ unsigned int padding = 16; /* Use minimum padding */
3270+
3271+ /* Only send if peer supports and accepts HB requests... */
3272+ if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3273+ s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
3274+ {
3275+ SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3276+ return -1;
3277+ }
3278+
3279+ /* ...and there is none in flight yet... */
3280+ if (s->tlsext_hb_pending)
3281+ {
3282+ SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
3283+ return -1;
3284+ }
3285+
3286+ /* ...and no handshake in progress. */
3287+ if (SSL_in_init(s) || s->in_handshake)
3288+ {
3289+ SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
3290+ return -1;
3291+ }
3292+
3293+ /* Check if padding is too long, payload and padding
3294+ * must not exceed 2^14 - 3 = 16381 bytes in total.
3295+ */
3296+ OPENSSL_assert(payload + padding <= 16381);
3297+
3298+ /* Create HeartBeat message, we just use a sequence number
3299+ * as payload to distuingish different messages and add
3300+ * some random stuff.
3301+ * - Message Type, 1 byte
3302+ * - Payload Length, 2 bytes (unsigned int)
3303+ * - Payload, the sequence number (2 bytes uint)
3304+ * - Payload, random bytes (16 bytes uint)
3305+ * - Padding
3306+ */
3307+ buf = OPENSSL_malloc(1 + 2 + payload + padding);
3308+ p = buf;
3309+ /* Message Type */
3310+ *p++ = TLS1_HB_REQUEST;
3311+ /* Payload length (18 bytes here) */
3312+ s2n(payload, p);
3313+ /* Sequence number */
3314+ s2n(s->tlsext_hb_seq, p);
3315+ /* 16 random bytes */
3316+ RAND_pseudo_bytes(p, 16);
3317+ p += 16;
3318+ /* Random padding */
3319+ RAND_pseudo_bytes(p, padding);
3320+
3321+ ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3322+ if (ret >= 0)
3323+ {
3324+ if (s->msg_callback)
3325+ s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3326+ buf, 3 + payload + padding,
3327+ s, s->msg_callback_arg);
3328+
3329+ s->tlsext_hb_pending = 1;
3330+ }
3331+
3332+ OPENSSL_free(buf);
3333+
3334+ return ret;
3335+ }
3336+#endif
3337
3338=== added file 'debian/patches/tls12_workarounds.patch'
3339--- debian/patches/tls12_workarounds.patch 1970-01-01 00:00:00 +0000
3340+++ debian/patches/tls12_workarounds.patch 2012-03-30 17:06:51 +0000
3341@@ -0,0 +1,56 @@
3342+Description: Work around TLS 1.2 failures as suggested by upstream
3343+Origin: upstream, http://cvs.openssl.org/chngview?cn=22286
3344+Origin: upstream, http://cvs.openssl.org/chngview?cn=22306
3345+Bug-Ubuntu: https://bugs.launchpad.net/bugs/965371
3346+Bug-Debian: http://bugs.debian.org/665452
3347+Bug: http://rt.openssl.org/Ticket/Display.html?id=2771
3348+Forwarded: not-needed
3349+Last-Update: 2012-03-30
3350+
3351+Index: b/ssl/s23_clnt.c
3352+===================================================================
3353+--- a/ssl/s23_clnt.c
3354++++ b/ssl/s23_clnt.c
3355+@@ -287,12 +287,14 @@
3356+
3357+ if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
3358+ ssl2_compat = 0;
3359+-
3360++#ifndef OPENSSL_NO_TLS1_2_CLIENT
3361+ if (!(s->options & SSL_OP_NO_TLSv1_2))
3362+ {
3363+ version = TLS1_2_VERSION;
3364+ }
3365+- else if (!(s->options & SSL_OP_NO_TLSv1_1))
3366++ else
3367++#endif
3368++ if (!(s->options & SSL_OP_NO_TLSv1_1))
3369+ {
3370+ version = TLS1_1_VERSION;
3371+ }
3372+Index: b/ssl/t1_lib.c
3373+===================================================================
3374+--- a/ssl/t1_lib.c
3375++++ b/ssl/t1_lib.c
3376+@@ -544,7 +544,7 @@
3377+ }
3378+ skip_ext:
3379+
3380+- if (TLS1_get_version(s) >= TLS1_2_VERSION)
3381++ if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
3382+ {
3383+ if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
3384+ return NULL;
3385+Index: b/Configure
3386+===================================================================
3387+--- a/Configure
3388++++ b/Configure
3389+@@ -106,7 +106,7 @@
3390+ my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
3391+
3392+ # There are no separate CFLAGS/CPPFLAGS/LDFLAGS, set everything in CFLAGS
3393+-my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall";
3394++my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT";
3395+ $debian_cflags =~ s/\n/ /g;
3396+
3397+ my $strict_warnings = 0;
3398
3399=== renamed file 'debian/patches/tls12_workarounds.patch' => 'debian/patches/tls12_workarounds.patch.moved'

Subscribers

People subscribed via source and target branches

to all changes: