generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Various changes in the new TLS extension code, including the following:

Browse Source 
- fix indentation
 - rename some functions and macros
 - fix up confusion between SSL_ERROR_... and SSL_AD_... values
This commit is contained in:
Bodo Möller
2006-01-03 03:27:19 +00:00
parent 349eb12fd5
commit f1fd4544a3
15 changed files with 484 additions and 213 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
CHANGES
View File

@@ -4,16 +4,33 @@
Changes between 0.9.8a and 0.9.9 [xx XXX xxxx]
*) Add support for TLS extensions, specifically for the HostName extension.
The SSL_SESSION, SSL_CTX, and SSL data structures now have new members
for HostName support.
*) Add support for TLS extensions, specifically for the HostName extension
so far. The SSL_SESSION, SSL_CTX, and SSL data structures now have new
members for HostName support.
New functions (subject to change):
SSL_get_servername()
SSL_get_servername_type()
SSL_set_SSL_CTX()
New CTRL codes and macros (subject to change):
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
- SSL_CTX_set_tlsext_servername_callback()
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
- SSL_CTX_set_tlsext_servername_arg()
SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_hostname()
SSL_CTRL_GET_TLSEXT_HOSTNAME [similar to SSL_get_servername()]
SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE
- SSL_set_tlsext_servername_done()
openssl s_client has a new '-servername' option.
openssl s_server has new options '-servername', '-cert2', and '-key2';
this allows testing the HostName extension for a specific single
host name ('-cert' and '-key' remain fallbacks for handshakes without
HostName negotiation).
openssl s_server has new options '-servername', '-cert2', and '-key2'
(subject to change); this allows testing the HostName extension for a
specific single host name ('-cert' and '-key' remain fallbacks for
handshakes without HostName negotiation).
[Peter Sylvester]

4
Configure
View File

@@ -836,6 +836,10 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"})
$disabled{"tls1"} = "forced";
}
if (defined($disabled{"tls1"}))
{
$disabled{"tlsext"} = "forced";
}
if ($target eq "TABLE") {
foreach $target (sort keys %table) {

4
apps/s_client.c
View File

@@ -239,11 +239,11 @@ typedef struct tlsextctx_st {
static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
{
tlsextctx * p = (tlsextctx *) arg;
const unsigned char * hn= SSL_get_servername(s, TLSEXT_TYPE_SERVER_host);
const unsigned char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
if (SSL_get_servername_type(s) != -1)
p->ack = !SSL_session_reused(s) && hn != NULL;
else
BIO_printf(bio_err,"SSL_get_tlsext_hostname does not work\n");
BIO_printf(bio_err,"Can't use SSL_get_servername\n");
return SSL_ERROR_NONE;
}

11
apps/s_server.c
View File

@@ -539,7 +539,7 @@ typedef struct tlsextctx_st {
static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
{
tlsextctx * p = (tlsextctx *) arg;
const char * servername = SSL_get_servername(s, TLSEXT_TYPE_SERVER_host);
const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
if (servername)
BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername);
@@ -1257,8 +1257,10 @@ bad:
#endif
#endif
if (cipher != NULL) {
if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
if (cipher != NULL)
{
if(!SSL_CTX_set_cipher_list(ctx,cipher))
{
BIO_printf(bio_err,"error setting cipher list\n");
ERR_print_errors(bio_err);
goto end;
@@ -1283,13 +1285,14 @@ bad:
SSL_CTX_set_session_id_context(ctx2,(void*)&s_server_session_id_context,
sizeof s_server_session_id_context);
}
tlsextcbp.biodebug = bio_s_out;
SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
}
#endif
if (CAfile != NULL)
{
SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));

58
ssl/s23_clnt.c
View File

@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include "ssl_locl.h"
@@ -352,7 +405,6 @@ static int ssl23_client_hello(SSL *s)
#ifdef OPENSSL_NO_COMP
*(p++)=1;
#else
if ((s->options & SSL_OP_NO_COMPRESSION)
|| !s->ctx->comp_methods)
j=0;
@@ -366,8 +418,9 @@ static int ssl23_client_hello(SSL *s)
}
#endif
*(p++)=0; /* Add the NULL method */
#ifndef OPENSSL_NO_TLSEXT
if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{
SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
return -1;
@@ -375,7 +428,6 @@ static int ssl23_client_hello(SSL *s)
#endif
l = p-d;
*p = 42;
/* fill in 4-byte handshake header */
d=&(buf[5]);

13
ssl/s23_srvr.c
View File

@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -140,7 +140,7 @@ IMPLEMENT_ssl23_meth_func(SSLv23_server_method,
int ssl23_accept(SSL *s)
{
BUF_MEM *buf;
unsigned long Time=time(NULL);
unsigned long Time=(unsigned long)time(NULL);
void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
int new_state,state;
@@ -416,7 +416,9 @@ int ssl23_get_client_hello(SSL *s)
n2s(p,sil);
n2s(p,cl);
d=(unsigned char *)s->init_buf->data;
if ((csl+sil+cl+11) > s->packet_length)
if ((csl+sil+cl+11) != s->packet_length) /* We can't have TLS extensions in SSL 2.0 format
* Client Hello, can we? Error condition should be
* '>' otherweise */
{
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
goto err;
@@ -459,11 +461,14 @@ int ssl23_get_client_hello(SSL *s)
*(d++)=1;
*(d++)=0;
#if 0
/* copy any remaining data with may be extensions */
p = p+csl+sil+cl;
while (p < s->packet+s->packet_length) {
while (p < s->packet+s->packet_length)
{
*(d++)=*(p++);
}
#endif
i = (d-(unsigned char *)s->init_buf->data) - 4;
l2n3((long)i, d_len);

16
ssl/s3_clnt.c
View File

@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -257,10 +257,12 @@ int ssl3_connect(SSL *s)
if (ret <= 0) goto end;
#ifndef OPENSSL_NO_TLSEXT
{
int extension_error = 0,al;
if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){
ret = -1;
int al;
if (ssl_check_tlsext(s,&al) <= 0)
{
ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
ret = -1;
goto end;
}
}
@@ -613,7 +615,7 @@ int ssl3_client_hello(SSL *s)
#endif
*(p++)=0; /* Add the NULL method */
#ifndef OPENSSL_NO_TLSEXT
if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{
SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
goto err;
@@ -807,7 +809,9 @@ int ssl3_get_server_hello(SSL *s)
/* TLS extensions*/
if (s->version > SSL3_VERSION)
{
if ((al = ssl_parse_ServerHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){
if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
{
/* 'al' set by ssl_parse_serverhello_tlsext */
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT);
goto f_err;
}

25
ssl/s3_lib.c
View File

@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -1645,16 +1645,21 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
#endif /* !OPENSSL_NO_ECDH */
#ifndef OPENSSL_NO_TLSEXT
case SSL_CTRL_GET_TLSEXT_HOSTNAME:
if (larg != TLSEXT_TYPE_SERVER_host)
if (larg != TLSEXT_NAMETYPE_host_name)
{
SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
return(0);
}
*((char **) parg) = s->session&&s->session->tlsext_hostname?s->session->tlsext_hostname:s->tlsext_hostname;
/* XXX cf. SSL_get_servername() (ssl_lib.c) */
if (s->session && s->session->tlsext_hostname)
*((char **) parg) = s->session->tlsext_hostname;
else
*((char **) parg) = s->tlsext_hostname;
ret = 1;
break;
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
if (larg == TLSEXT_TYPE_SERVER_host) {
if (larg == TLSEXT_NAMETYPE_host_name)
{
if (s->tlsext_hostname != NULL)
OPENSSL_free(s->tlsext_hostname);
s->tlsext_hostname = NULL;
@@ -1662,19 +1667,23 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
ret = 1;
if (parg == NULL)
break;
if (strlen((char *)parg) > 255) {
if (strlen((char *)parg) > 255)
{
SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
return 0;
}
if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) {
if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL)
{
SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR);
return 0;
}
} else {
}
else
{
SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
return 0;
}
s->options |= SSL_OP_NO_SSLv2;
s->options |= SSL_OP_NO_SSLv2; /* can't use extension w/ SSL 2.0 format */
break;
case SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE:
s->servername_done = larg;

36
ssl/s3_srvr.c
View File

@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -283,11 +283,12 @@ int ssl3_accept(SSL *s)
if (ret <= 0) goto end;
#ifndef OPENSSL_NO_TLSEXT
{
int extension_error = 0,al;
if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){
ret = -1;
int al;
if (ssl_check_tlsext(s,&al) <= 0)
{
ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
ssl3_send_alert(s,al,extension_error);
ret = -1;
goto end;
}
}
@@ -937,30 +938,15 @@ int ssl3_get_client_hello(SSL *s)
}
#endif
/* TLS does not mind if there is extra stuff */
#if 0 /* SSL 3.0 does not mind either, so we should disable this test
* (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b,
* in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
if (s->version == SSL3_VERSION)
{
if (p < (d+n))
{
/* wrong number of bytes,
* there could be more to follow */
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
goto f_err;
}
}
#endif
#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (s->version > SSL3_VERSION)
{
if ((al = ssl_parse_ClientHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){
if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
{
/* 'al' set by ssl_parse_clienthello_tlsext */
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT);
ssl3_send_alert(s,SSL3_AL_WARNING,al);
return (ret = al);
goto f_err;
}
}
#endif
@@ -1109,7 +1095,7 @@ int ssl3_send_server_hello(SSL *s)
*(p++)=s->s3->tmp.new_compression->id;
#endif
#ifndef OPENSSL_NO_TLSEXT
if ((p = ssl_add_ServerHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{
SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
return -1;

17
ssl/ssl.h
View File

@@ -109,7 +109,7 @@
*
*/
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -172,11 +172,6 @@
#include <openssl/e_os2.h>
#ifdef OPENSSL_NO_TLS1
# ifndef OPENSSL_NO_TLSEXT
# define OPENSSL_NO_TLSEXT
# endif
#endif
#ifndef OPENSSL_NO_COMP
#include <openssl/comp.h>
#endif
@@ -769,7 +764,6 @@ struct ssl_ctx_st
int (*tlsext_servername_callback)(SSL*, int *, void *);
void *tlsext_servername_arg;
#endif
};
#define SSL_SESS_CACHE_OFF 0x0000
@@ -1145,9 +1139,7 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */
#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
#ifndef OPENSSL_NO_TLSEXT
#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
#endif
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
@@ -1208,6 +1200,13 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
#define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52
/* see tls.h for macros based on these */
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
#define SSL_CTRL_GET_TLSEXT_HOSTNAME 56
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE 57
#define SSL_session_reused(ssl) \
SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
#define SSL_num_renegotiations(ssl) \

30
ssl/ssl_lib.c
View File

@@ -58,7 +58,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -1315,27 +1315,30 @@ err:
return(NULL);
}
#ifndef OPENSSL_TLSEXT
/** return a servername extension value if provided in CLIENT HELLO
* or NULL.
* For the moment, only hostname types are supported.
/** return a servername extension value if provided in Client Hello, or NULL.
* So far, only host_name types are defined (RFC 3546).
*/
const char *SSL_get_servername(const SSL *s, const int type) {
if (type != TLSEXT_TYPE_SERVER_host)
const char *SSL_get_servername(const SSL *s, const int type)
{
if (type != TLSEXT_NAMETYPE_host_name)
return NULL;
return s->session /*&&s->session->tlsext_hostname*/?s->session->tlsext_hostname:s->tlsext_hostname;
/* XXX cf. SSL_CTRL_GET_TLSEXT_HOSTNAME case in ssl3_ctrl (s3_lib.c) */
return s->session /*&&s->session->tlsext_hostname*/ ?
s->session->tlsext_hostname :
s->tlsext_hostname;
}
int SSL_get_servername_type(const SSL *s) {
int SSL_get_servername_type(const SSL *s)
{
if (s->session &&s->session->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname)
return TLSEXT_TYPE_SERVER_host;
return TLSEXT_NAMETYPE_host_name;
return -1;
}
#endif
unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
{
unsigned long l;
@@ -1488,7 +1491,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
#ifndef OPENSSL_NO_TLSEXT
ret->tlsext_servername_callback = NULL;
ret->tlsext_servername_callback = 0;
ret->tlsext_servername_arg = NULL;
#endif
return(ret);
@@ -2442,7 +2445,6 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
{
if (ssl->cert != NULL)
ssl_cert_free(ssl->cert);
ssl->cert = ssl_cert_dup(ctx->cert);

12
ssl/ssl_locl.h
View File

@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -941,10 +941,10 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
#ifndef OPENSSL_NO_TLSEXT
unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit);
unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit);
int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n);
int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n);
int ssl_check_Hello_TLS_extensions(SSL *s,int *ad);
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_check_tlsext(SSL *s,int *al);
#endif
#endif

56
ssl/ssl_sess.c
View File

@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <openssl/lhash.h>
@@ -550,8 +603,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
if (ss->peer != NULL) X509_free(ss->peer);
if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
#ifndef OPENSSL_NO_TLSEXT
if (ss->tlsext_hostname != NULL)
OPENSSL_free(ss->tlsext_hostname);
if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
#endif
OPENSSL_cleanse(ss,sizeof(*ss));
OPENSSL_free(ss);

198
ssl/t1_lib.c
View File

@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <openssl/objects.h>
@@ -101,15 +154,18 @@ void tls1_clear(SSL *s)
s->version=TLS1_VERSION;
}
#ifndef OPENSSL_NO_TLSEXT
unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) {
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
{
int extdatalen=0;
unsigned char *ret = p;
ret+=2;
if (ret>=limit) return NULL; /* this really never occurs, but ... */
if (s->servername_done == 0 && s->tlsext_hostname != NULL) {
if (s->servername_done == 0 && s->tlsext_hostname != NULL)
{
/* Add TLS extension servername to the Client Hello message */
unsigned long size_str;
long lenmax;
@@ -119,23 +175,22 @@ unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsi
s2n(TLSEXT_TYPE_server_name,ret);
s2n(size_str+3,ret);
*(ret++) = (unsigned char) TLSEXT_TYPE_SERVER_host;
*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
s2n(size_str,ret);
memcpy(ret, s->tlsext_hostname, size_str);
ret+=size_str;
}
if ((extdatalen = ret-p-2)== 0)
return p;
s2n(extdatalen,p);
return ret;
}
unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) {
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
{
int extdatalen=0;
unsigned char *ret = p;
if (s->hit || s->servername_done == 2)
@@ -146,64 +201,76 @@ unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsi
if (ret>=limit) return NULL; /* this really never occurs, but ... */
if (s->session->tlsext_hostname != NULL) {
if (s->session->tlsext_hostname != NULL)
{
if (limit - p - 4 < 0) return NULL;
s2n(TLSEXT_TYPE_server_name,ret);
s2n(0,ret);
}
if ((extdatalen = ret-p-2)== 0)
return p;
s2n(extdatalen,p);
return ret;
}
int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) {
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
{
unsigned short type;
unsigned short size;
unsigned short len;
unsigned char *data = *p;
if (data >= (d+n-2))
return SSL_ERROR_NONE;
return 1;
n2s(data,len);
if (data > (d+n-len))
return SSL_ERROR_NONE;
return 1;
while(data <= (d+n-4)){
while (data <= (d+n-4))
{
n2s(data,type);
n2s(data,size);
if (data+size > (d+n))
return SSL_ERROR_SSL;
return 1;
if (type == TLSEXT_TYPE_server_name) {
if (type == TLSEXT_TYPE_server_name)
{
unsigned char *sdata = data;
int servname_type;
int dsize = size-3 ;
if (dsize > 0 ) {
if (dsize > 0 )
{
servname_type = *(sdata++);
n2s(sdata,len);
if (len != dsize)
return SSL_ERROR_SSL;
{
*al = SSL_AD_DECODE_ERROR;
return 0;
}
switch (servname_type) {
case TLSEXT_TYPE_SERVER_host:
if (s->session->tlsext_hostname == NULL) {
switch (servname_type)
{
case TLSEXT_NAMETYPE_host_name:
if (s->session->tlsext_hostname == NULL)
{
if (len > 255 ||
((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
return SSL_ERROR_SSL;
{
*al = TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
memcpy(s->session->tlsext_hostname, sdata, len);
s->session->tlsext_hostname[len]='\0';
}
break;
default:
break;
}
@@ -213,11 +280,13 @@ int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **p, unsigned cha
data+=size;
}
*p = data;
return SSL_ERROR_NONE;
*p = data;
return 1;
}
int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) {
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
{
unsigned short type;
unsigned short size;
unsigned short len;
@@ -226,21 +295,24 @@ int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned cha
int tlsext_servername = 0;
if (data >= (d+n-2))
return SSL_ERROR_NONE;
return 1;
n2s(data,len);
while(data <= (d+n-4)){
while(data <= (d+n-4))
{
n2s(data,type);
n2s(data,size);
if (data+size > (d+n))
return SSL_ERROR_SSL;
return 1;
if (type == TLSEXT_TYPE_server_name) {
if ( s->tlsext_hostname == NULL || size > 0 ) {
return SSL_ERROR_SSL;
if (type == TLSEXT_TYPE_server_name)
{
if (s->tlsext_hostname == NULL || size > 0)
{
*al = TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
tlsext_servername = 1;
}
@@ -248,39 +320,51 @@ int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned cha
data+=size;
}
if (data != d+n)
return SSL_ERROR_SSL;
{
*al = SSL_AD_DECODE_ERROR;
return 0;
}
if (!s->hit && tlsext_servername == 1) {
if (s->tlsext_hostname) {
if (s->session->tlsext_hostname == NULL) {
if (!s->hit && tlsext_servername == 1)
{
if (s->tlsext_hostname)
{
if (s->session->tlsext_hostname == NULL)
{
s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
if (!s->session->tlsext_hostname)
return SSL_ERROR_SSL;
}
} else
return SSL_ERROR_SSL;
}
*p = data;
return SSL_ERROR_NONE;
}
int ssl_check_Hello_TLS_extensions(SSL *s,int *ad)
{
int ret = SSL_ERROR_NONE;
*al = SSL_AD_UNRECOGNIZED_NAME;
return 0;
}
}
else
{
*al = SSL_AD_DECODE_ERROR;
return 0;
}
}
}
*ad = SSL_AD_UNRECOGNIZED_NAME;
if (s->servername_done == 0 && (s->ctx != NULL && s->ctx->tlsext_servername_callback != NULL)
&& ((ret = s->ctx->tlsext_servername_callback(s, ad, s->ctx->tlsext_servername_arg))!= SSL_ERROR_NONE))
*p = data;
return 1;
}
int ssl_check_tlsext(SSL *s,int *al)
{
int ret;
*al = SSL_AD_UNRECOGNIZED_NAME;
if (s->servername_done == 0 && (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0))
{
ret = s->ctx->tlsext_servername_callback(s, al, s->ctx->tlsext_servername_arg);
if (ret <= 0)
return ret;
else if (s->servername_done == 1)
}
if (s->servername_done == 1)
s->servername_done = 2;
return ret;
return 1;
}
#endif

100
ssl/tls1.h
View File

@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
@@ -96,54 +149,55 @@ extern "C" {
#define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
#define TLS1_AD_USER_CANCELLED 90
#define TLS1_AD_NO_RENEGOTIATION 100
#ifndef OPENSSL_NO_TLSEXT
#define TLS1_AD_UNRECOGNIZED_NAME 122
/* ExtensionType values from RFC 3546 */
#define TLSEXT_TYPE_server_name 0
#define TLSEXT_TYPE_max_fragment_length 1
#define TLSEXT_TYPE_client_certificate_url 2
#define TLSEXT_TYPE_trusted_ca_keys 3
#define TLSEXT_TYPE_truncated_hmac 4
#define TLSEXT_TYPE_status_request 5
#if 0
#define TLSEXT_TYPE_srp 6
#endif
#define TLSEXT_TYPE_SERVER_host 0
/* NameType value from RFC 3546 */
#define TLSEXT_NAMETYPE_host_name 0
#ifndef OPENSSL_NO_TLSEXT
const char *SSL_get_servername(const SSL *s, const int type) ;
int SSL_get_servername_type(const SSL *s) ;
#define SSL_CTX_set_tlsext_hostname(ctx,name) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host,(char *)name)
#define SSL_set_tlsext_hostname(s,name) \
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host,(char *)name)
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)
#define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \
SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb)
#define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
const char *SSL_get_servername(const SSL *s, const int type) ;
int SSL_get_servername_type(const SSL *s) ;
#if 0
#define SSL_get_tlsext_hostname(s,psn) \
SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host, (void *)psn)
#else
#define SSL_get_tlsext_hostname(s,psn) \
(*psn = SSL_get_servername(s, TLSEXT_TYPE_SERVER_host),*psn != NULL)
#endif
#define SSL_set_tlsext_servername_done(s,t) \
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
void SSL_set_ctx(SSL *s, SSL_CTX *ctx) ;
#if 0
# if 0
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
#define SSL_CTRL_GET_TLSEXT_HOSTNAME 56
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE 57
#define SSL_get_tlsext_hostname(s,psn) \
SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name, (void *)psn)
# else
/* XXX this looks weird for a macro, define a function instead? */
* or just used SSL_get_servername() directly ... */
#define SSL_get_tlsext_hostname(s,psn) \
(*psn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name),*psn != NULL)
# endif
#endif
#endif
/* Additional TLS ciphersuites from expired Internet Draft
* draft-ietf-tls-56-bit-ciphersuites-01.txt
* (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see