diff options
| author | Bodo Möller <bodo@openssl.org> | 2006-01-03 03:27:19 +0000 |
|---|---|---|
| committer | Bodo Möller <bodo@openssl.org> | 2006-01-03 03:27:19 +0000 |
| commit | f1fd4544a3747682010ed89ac908713fe90b8304 (patch) | |
| tree | 065bf82040e2d29ce319117bec6952e59ede2fcb /ssl | |
| parent | 349eb12fd5ac3ce216a6d89084b8c6a63b9388b7 (diff) | |
Various changes in the new TLS extension code, including the following:
- fix indentation
- rename some functions and macros
- fix up confusion between SSL_ERROR_... and SSL_AD_... values
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/s23_clnt.c | 62 | ||||
| -rw-r--r-- | ssl/s23_srvr.c | 17 | ||||
| -rw-r--r-- | ssl/s3_clnt.c | 26 | ||||
| -rw-r--r-- | ssl/s3_lib.c | 31 | ||||
| -rw-r--r-- | ssl/s3_srvr.c | 46 | ||||
| -rw-r--r-- | ssl/ssl.h | 29 | ||||
| -rw-r--r-- | ssl/ssl_lib.c | 36 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 12 | ||||
| -rw-r--r-- | ssl/ssl_sess.c | 56 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 226 | ||||
| -rw-r--r-- | ssl/tls1.h | 98 |
11 files changed, 443 insertions, 196 deletions
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 5a07db158f..3bb5adfa48 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include <stdio.h> #include "ssl_locl.h" @@ -352,7 +405,6 @@ static int ssl23_client_hello(SSL *s) #ifdef OPENSSL_NO_COMP *(p++)=1; #else - if ((s->options & SSL_OP_NO_COMPRESSION) || !s->ctx->comp_methods) j=0; @@ -366,16 +418,16 @@ static int ssl23_client_hello(SSL *s) } #endif *(p++)=0; /* Add the NULL method */ + #ifndef OPENSSL_NO_TLSEXT - if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) - { + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) + { SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); return -1; - } + } #endif l = p-d; - *p = 42; /* fill in 4-byte handshake header */ d=&(buf[5]); diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 8bf044e15f..4da169eb31 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -140,7 +140,7 @@ IMPLEMENT_ssl23_meth_func(SSLv23_server_method, int ssl23_accept(SSL *s) { BUF_MEM *buf; - unsigned long Time=time(NULL); + unsigned long Time=(unsigned long)time(NULL); void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; int new_state,state; @@ -416,7 +416,9 @@ int ssl23_get_client_hello(SSL *s) n2s(p,sil); n2s(p,cl); d=(unsigned char *)s->init_buf->data; - if ((csl+sil+cl+11) > s->packet_length) + if ((csl+sil+cl+11) != s->packet_length) /* We can't have TLS extensions in SSL 2.0 format + * Client Hello, can we? Error condition should be + * '>' otherweise */ { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH); goto err; @@ -459,11 +461,14 @@ int ssl23_get_client_hello(SSL *s) *(d++)=1; *(d++)=0; +#if 0 /* copy any remaining data with may be extensions */ - p = p+csl+sil+cl ; - while (p < s->packet+s->packet_length) { + p = p+csl+sil+cl; + while (p < s->packet+s->packet_length) + { *(d++)=*(p++); - } + } +#endif i = (d-(unsigned char *)s->init_buf->data) - 4; l2n3((long)i, d_len); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 7a4f256642..578285230d 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -257,12 +257,14 @@ int ssl3_connect(SSL *s) if (ret <= 0) goto end; #ifndef OPENSSL_NO_TLSEXT { - int extension_error = 0,al; - if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){ - ret = -1; + int al; + if (ssl_check_tlsext(s,&al) <= 0) + { + ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */ SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT); + ret = -1; goto end; - } + } } #endif if (s->hit) @@ -613,11 +615,11 @@ int ssl3_client_hello(SSL *s) #endif *(p++)=0; /* Add the NULL method */ #ifndef OPENSSL_NO_TLSEXT - if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) - { + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) + { SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); goto err; - } + } #endif l=(p-d); @@ -806,12 +808,14 @@ int ssl3_get_server_hello(SSL *s) #ifndef OPENSSL_NO_TLSEXT /* TLS extensions*/ if (s->version > SSL3_VERSION) - { - if ((al = ssl_parse_ServerHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){ + { + if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) + { + /* 'al' set by ssl_parse_serverhello_tlsext */ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT); goto f_err; + } } - } #endif if (p != (d+n)) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 845e5a16c5..c3bedf20ff 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -1645,16 +1645,21 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #endif /* !OPENSSL_NO_ECDH */ #ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_GET_TLSEXT_HOSTNAME: - if (larg != TLSEXT_TYPE_SERVER_host) + if (larg != TLSEXT_NAMETYPE_host_name) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); return(0); } - *((char **) parg) = s->session&&s->session->tlsext_hostname?s->session->tlsext_hostname:s->tlsext_hostname; + /* XXX cf. SSL_get_servername() (ssl_lib.c) */ + if (s->session && s->session->tlsext_hostname) + *((char **) parg) = s->session->tlsext_hostname; + else + *((char **) parg) = s->tlsext_hostname; ret = 1; - break; + break; case SSL_CTRL_SET_TLSEXT_HOSTNAME: - if (larg == TLSEXT_TYPE_SERVER_host) { + if (larg == TLSEXT_NAMETYPE_host_name) + { if (s->tlsext_hostname != NULL) OPENSSL_free(s->tlsext_hostname); s->tlsext_hostname = NULL; @@ -1662,19 +1667,23 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ret = 1; if (parg == NULL) break; - if (strlen((char *)parg) > 255) { + if (strlen((char *)parg) > 255) + { SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; - } - if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) { + } + if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) + { SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR); return 0; + } } - } else { + else + { SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); return 0; - } - s->options |= SSL_OP_NO_SSLv2; + } + s->options |= SSL_OP_NO_SSLv2; /* can't use extension w/ SSL 2.0 format */ break; case SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE: s->servername_done = larg; diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 25b56fa6fa..954959404a 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -283,13 +283,14 @@ int ssl3_accept(SSL *s) if (ret <= 0) goto end; #ifndef OPENSSL_NO_TLSEXT { - int extension_error = 0,al; - if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){ - ret = -1; + int al; + if (ssl_check_tlsext(s,&al) <= 0) + { + ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */ SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT); - ssl3_send_alert(s,al,extension_error); + ret = -1; goto end; - } + } } #endif s->new_session = 2; @@ -937,32 +938,17 @@ int ssl3_get_client_hello(SSL *s) } #endif - /* TLS does not mind if there is extra stuff */ -#if 0 /* SSL 3.0 does not mind either, so we should disable this test - * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, - * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ - if (s->version == SSL3_VERSION) - { - if (p < (d+n)) - { - /* wrong number of bytes, - * there could be more to follow */ - al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); - goto f_err; - } - } -#endif #ifndef OPENSSL_NO_TLSEXT /* TLS extensions*/ if (s->version > SSL3_VERSION) - { - if ((al = ssl_parse_ClientHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){ + { + if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) + { + /* 'al' set by ssl_parse_clienthello_tlsext */ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT); - ssl3_send_alert(s,SSL3_AL_WARNING,al); - return (ret = al); + goto f_err; + } } - } #endif /* Given s->session->ciphers and SSL_get_ciphers, we must @@ -1109,11 +1095,11 @@ int ssl3_send_server_hello(SSL *s) *(p++)=s->s3->tmp.new_compression->id; #endif #ifndef OPENSSL_NO_TLSEXT - if ((p = ssl_add_ServerHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) - { + if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) + { SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); return -1; - } + } #endif /* do the header */ @@ -109,7 +109,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -172,11 +172,6 @@ #include <openssl/e_os2.h> -#ifdef OPENSSL_NO_TLS1 -# ifndef OPENSSL_NO_TLSEXT -# define OPENSSL_NO_TLSEXT -# endif -#endif #ifndef OPENSSL_NO_COMP #include <openssl/comp.h> #endif @@ -765,11 +760,10 @@ struct ssl_ctx_st unsigned int max_send_fragment; #ifndef OPENSSL_NO_TLSEXT - /* TLS extensions servername callback */ + /* TLS extensions servername callback */ int (*tlsext_servername_callback)(SSL*, int *, void *); void *tlsext_servername_arg; #endif - }; #define SSL_SESS_CACHE_OFF 0x0000 @@ -994,11 +988,11 @@ struct ssl_st unsigned int max_send_fragment; #ifndef OPENSSL_NO_TLSEXT char *tlsext_hostname; - int servername_done; /* no further mod of servername - 0 : call the servername extension callback. - 1 : prepare 2, allow last ack just after in server callback. - 2 : don't call servername callback, no ack in server hello - */ + int servername_done; /* no further mod of servername + 0 : call the servername extension callback. + 1 : prepare 2, allow last ack just after in server callback. + 2 : don't call servername callback, no ack in server hello + */ #endif }; @@ -1145,9 +1139,7 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); #define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */ #define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED #define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION -#ifndef OPENSSL_NO_TLSEXT #define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME -#endif #define SSL_ERROR_NONE 0 #define SSL_ERROR_SSL 1 @@ -1208,6 +1200,13 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); #define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52 +/* see tls.h for macros based on these */ +#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53 +#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54 +#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 +#define SSL_CTRL_GET_TLSEXT_HOSTNAME 56 +#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE 57 + #define SSL_session_reused(ssl) \ SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL) #define SSL_num_renegotiations(ssl) \ diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index afe7162ab7..841d75d585 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -58,7 +58,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -1315,27 +1315,30 @@ err: return(NULL); } + #ifndef OPENSSL_TLSEXT -/** return a servername extension value if provided in CLIENT HELLO - * or NULL. - * For the moment, only hostname types are supported. +/** return a servername extension value if provided in Client Hello, or NULL. + * So far, only host_name types are defined (RFC 3546). */ -const char *SSL_get_servername(const SSL *s, const int type) { - - if (type != TLSEXT_TYPE_SERVER_host) +const char *SSL_get_servername(const SSL *s, const int type) + { + if (type != TLSEXT_NAMETYPE_host_name) return NULL; - return s->session /*&&s->session->tlsext_hostname*/?s->session->tlsext_hostname:s->tlsext_hostname; -} - -int SSL_get_servername_type(const SSL *s) { + /* XXX cf. SSL_CTRL_GET_TLSEXT_HOSTNAME case in ssl3_ctrl (s3_lib.c) */ + return s->session /*&&s->session->tlsext_hostname*/ ? + s->session->tlsext_hostname : + s->tlsext_hostname; + } - if (s->session &&s->session->tlsext_hostname ?s->session->tlsext_hostname:s->tlsext_hostname) - return TLSEXT_TYPE_SERVER_host; +int SSL_get_servername_type(const SSL *s) + { + if (s->session &&s->session->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname) + return TLSEXT_NAMETYPE_host_name; return -1; -} - + } #endif + unsigned long SSL_SESSION_hash(const SSL_SESSION *a) { unsigned long l; @@ -1488,7 +1491,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; #ifndef OPENSSL_NO_TLSEXT - ret->tlsext_servername_callback = NULL; + ret->tlsext_servername_callback = 0; ret->tlsext_servername_arg = NULL; #endif return(ret); @@ -2442,7 +2445,6 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) { - if (ssl->cert != NULL) ssl_cert_free(ssl->cert); ssl->cert = ssl_cert_dup(ctx->cert); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 26a062fdcd..ccc490aaf1 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -941,10 +941,10 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs); SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); #ifndef OPENSSL_NO_TLSEXT -unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit); -unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit); -int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n); -int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n); -int ssl_check_Hello_TLS_extensions(SSL *s,int *ad); +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); +unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); +int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); +int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); +int ssl_check_tlsext(SSL *s,int *al); #endif #endif diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 6c2c04bf0f..16162fa951 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include <stdio.h> #include <openssl/lhash.h> @@ -550,8 +603,7 @@ void SSL_SESSION_free(SSL_SESSION *ss) if (ss->peer != NULL) X509_free(ss->peer); if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); #ifndef OPENSSL_NO_TLSEXT - if (ss->tlsext_hostname != NULL) - OPENSSL_free(ss->tlsext_hostname); + if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname); #endif OPENSSL_cleanse(ss,sizeof(*ss)); OPENSSL_free(ss); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index ff5bc58ce7..b248dab361 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include <stdio.h> #include <openssl/objects.h> @@ -101,41 +154,43 @@ void tls1_clear(SSL *s) s->version=TLS1_VERSION; } + #ifndef OPENSSL_NO_TLSEXT -unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) { +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) + { int extdatalen=0; unsigned char *ret = p; ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ - if (s->servername_done == 0 && s->tlsext_hostname != NULL) { + if (s->servername_done == 0 && s->tlsext_hostname != NULL) + { /* Add TLS extension servername to the Client Hello message */ unsigned long size_str; long lenmax; if ((lenmax = limit - p - 7) < 0) return NULL; if ((size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) return NULL; - + s2n(TLSEXT_TYPE_server_name,ret); s2n(size_str+3,ret); - *(ret++) = (unsigned char) TLSEXT_TYPE_SERVER_host; + *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; s2n(size_str,ret); memcpy(ret, s->tlsext_hostname, size_str); ret+=size_str; - } + } - if ((extdatalen = ret-p-2)== 0) return p; s2n(extdatalen,p); return ret; - } -unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) { +unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) + { int extdatalen=0; unsigned char *ret = p; if (s->hit || s->servername_done == 2) @@ -146,78 +201,92 @@ unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsi if (ret>=limit) return NULL; /* this really never occurs, but ... */ - if (s->session->tlsext_hostname != NULL) { - + if (s->session->tlsext_hostname != NULL) + { if (limit - p - 4 < 0) return NULL; s2n(TLSEXT_TYPE_server_name,ret); s2n(0,ret); - } - + } if ((extdatalen = ret-p-2)== 0) return p; s2n(extdatalen,p); return ret; - } -int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) { +int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) + { unsigned short type; unsigned short size; unsigned short len; - unsigned char * data = *p; + unsigned char *data = *p; if (data >= (d+n-2)) - return SSL_ERROR_NONE; + return 1; n2s(data,len); if (data > (d+n-len)) - return SSL_ERROR_NONE; + return 1; - while(data <= (d+n-4)){ + while (data <= (d+n-4)) + { n2s(data,type); n2s(data,size); if (data+size > (d+n)) - return SSL_ERROR_SSL; - - if (type == TLSEXT_TYPE_server_name) { + return 1; + + if (type == TLSEXT_TYPE_server_name) + { unsigned char *sdata = data; int servname_type; int dsize = size-3 ; - if (dsize > 0 ) { + if (dsize > 0 ) + { servname_type = *(sdata++); n2s(sdata,len); if (len != dsize) - return SSL_ERROR_SSL; + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } - switch (servname_type) { - case TLSEXT_TYPE_SERVER_host: - if (s->session->tlsext_hostname == NULL) { + switch (servname_type) + { + case TLSEXT_NAMETYPE_host_name: + if (s->session->tlsext_hostname == NULL) + { if (len > 255 || ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) - return SSL_ERROR_SSL; + { + *al = TLS1_AD_UNRECOGNIZED_NAME; + return 0; + } + memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; - } + } break; + default: break; - } + } + } } - } data+=size; - } - *p = data; + } - return SSL_ERROR_NONE; + *p = data; + return 1; } -int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) { + +int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) + { unsigned short type; unsigned short size; unsigned short len; @@ -226,61 +295,76 @@ int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned cha int tlsext_servername = 0; if (data >= (d+n-2)) - return SSL_ERROR_NONE; - + return 1; n2s(data,len); - while(data <= (d+n-4)){ + while(data <= (d+n-4)) + { n2s(data,type); n2s(data,size); if (data+size > (d+n)) - return SSL_ERROR_SSL; - - if (type == TLSEXT_TYPE_server_name) { - if ( s->tlsext_hostname == NULL || size > 0 ) { - return SSL_ERROR_SSL; - } + return 1; + + if (type == TLSEXT_TYPE_server_name) + { + if (s->tlsext_hostname == NULL || size > 0) + { + *al = TLS1_AD_UNRECOGNIZED_NAME; + return 0; + } tlsext_servername = 1; - } + } data+=size; - } - - + } if (data != d+n) - return SSL_ERROR_SSL; + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } - if (!s->hit && tlsext_servername == 1) { - if (s->tlsext_hostname) { - if (s->session->tlsext_hostname == NULL) { + if (!s->hit && tlsext_servername == 1) + { + if (s->tlsext_hostname) + { + if (s->session->tlsext_hostname == NULL) + { s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); if (!s->session->tlsext_hostname) - return SSL_ERROR_SSL; + { + *al = SSL_AD_UNRECOGNIZED_NAME; + return 0; + } + } + else + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } } - } else - return SSL_ERROR_SSL; - } - *p = data; + } - return SSL_ERROR_NONE; + *p = data; + return 1; |