2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 const unsigned char *sess_id, int sesslen,
124 SSL_SESSION **psess);
127 SSL3_ENC_METHOD TLSv1_enc_data={
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141 long tls1_default_timeout(void)
143 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144 * is way too long for http, the cache would over fill */
150 if (!ssl3_new(s)) return(0);
151 s->method->ssl_clear(s);
155 void tls1_free(SSL *s)
160 void tls1_clear(SSL *s)
163 s->version=TLS1_VERSION;
166 #ifndef OPENSSL_NO_EC
167 static int nid_list[] =
169 NID_sect163k1, /* sect163k1 (1) */
170 NID_sect163r1, /* sect163r1 (2) */
171 NID_sect163r2, /* sect163r2 (3) */
172 NID_sect193r1, /* sect193r1 (4) */
173 NID_sect193r2, /* sect193r2 (5) */
174 NID_sect233k1, /* sect233k1 (6) */
175 NID_sect233r1, /* sect233r1 (7) */
176 NID_sect239k1, /* sect239k1 (8) */
177 NID_sect283k1, /* sect283k1 (9) */
178 NID_sect283r1, /* sect283r1 (10) */
179 NID_sect409k1, /* sect409k1 (11) */
180 NID_sect409r1, /* sect409r1 (12) */
181 NID_sect571k1, /* sect571k1 (13) */
182 NID_sect571r1, /* sect571r1 (14) */
183 NID_secp160k1, /* secp160k1 (15) */
184 NID_secp160r1, /* secp160r1 (16) */
185 NID_secp160r2, /* secp160r2 (17) */
186 NID_secp192k1, /* secp192k1 (18) */
187 NID_X9_62_prime192v1, /* secp192r1 (19) */
188 NID_secp224k1, /* secp224k1 (20) */
189 NID_secp224r1, /* secp224r1 (21) */
190 NID_secp256k1, /* secp256k1 (22) */
191 NID_X9_62_prime256v1, /* secp256r1 (23) */
192 NID_secp384r1, /* secp384r1 (24) */
193 NID_secp521r1 /* secp521r1 (25) */
196 int tls1_ec_curve_id2nid(int curve_id)
198 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
199 if ((curve_id < 1) || ((unsigned int)curve_id >
200 sizeof(nid_list)/sizeof(nid_list[0])))
202 return nid_list[curve_id-1];
205 int tls1_ec_nid2curve_id(int nid)
207 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
210 case NID_sect163k1: /* sect163k1 (1) */
212 case NID_sect163r1: /* sect163r1 (2) */
214 case NID_sect163r2: /* sect163r2 (3) */
216 case NID_sect193r1: /* sect193r1 (4) */
218 case NID_sect193r2: /* sect193r2 (5) */
220 case NID_sect233k1: /* sect233k1 (6) */
222 case NID_sect233r1: /* sect233r1 (7) */
224 case NID_sect239k1: /* sect239k1 (8) */
226 case NID_sect283k1: /* sect283k1 (9) */
228 case NID_sect283r1: /* sect283r1 (10) */
230 case NID_sect409k1: /* sect409k1 (11) */
232 case NID_sect409r1: /* sect409r1 (12) */
234 case NID_sect571k1: /* sect571k1 (13) */
236 case NID_sect571r1: /* sect571r1 (14) */
238 case NID_secp160k1: /* secp160k1 (15) */
240 case NID_secp160r1: /* secp160r1 (16) */
242 case NID_secp160r2: /* secp160r2 (17) */
244 case NID_secp192k1: /* secp192k1 (18) */
246 case NID_X9_62_prime192v1: /* secp192r1 (19) */
248 case NID_secp224k1: /* secp224k1 (20) */
250 case NID_secp224r1: /* secp224r1 (21) */
252 case NID_secp256k1: /* secp256k1 (22) */
254 case NID_X9_62_prime256v1: /* secp256r1 (23) */
256 case NID_secp384r1: /* secp384r1 (24) */
258 case NID_secp521r1: /* secp521r1 (25) */
264 #endif /* OPENSSL_NO_EC */
266 #ifndef OPENSSL_NO_TLSEXT
267 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
270 unsigned char *ret = p;
274 if (ret>=limit) return NULL; /* this really never occurs, but ... */
276 if (s->tlsext_hostname != NULL)
278 /* Add TLS extension servername to the Client Hello message */
279 unsigned long size_str;
282 /* check for enough space.
283 4 for the servername type and entension length
284 2 for servernamelist length
285 1 for the hostname type
286 2 for hostname length
290 if ((lenmax = limit - ret - 9) < 0
291 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
294 /* extension type and length */
295 s2n(TLSEXT_TYPE_server_name,ret);
298 /* length of servername list */
301 /* hostname type, length and hostname */
302 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
304 memcpy(ret, s->tlsext_hostname, size_str);
308 #ifndef OPENSSL_NO_EC
309 if (s->tlsext_ecpointformatlist != NULL)
311 /* Add TLS extension ECPointFormats to the ClientHello message */
314 if ((lenmax = limit - ret - 5) < 0) return NULL;
315 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
316 if (s->tlsext_ecpointformatlist_length > 255)
318 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
322 s2n(TLSEXT_TYPE_ec_point_formats,ret);
323 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
324 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
325 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
326 ret+=s->tlsext_ecpointformatlist_length;
328 if (s->tlsext_ellipticcurvelist != NULL)
330 /* Add TLS extension EllipticCurves to the ClientHello message */
333 if ((lenmax = limit - ret - 6) < 0) return NULL;
334 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
335 if (s->tlsext_ellipticcurvelist_length > 65532)
337 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
341 s2n(TLSEXT_TYPE_elliptic_curves,ret);
342 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
344 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
345 * elliptic_curve_list, but the examples use two bytes.
346 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
347 * resolves this to two bytes.
349 s2n(s->tlsext_ellipticcurvelist_length, ret);
350 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
351 ret+=s->tlsext_ellipticcurvelist_length;
353 #endif /* OPENSSL_NO_EC */
355 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
358 if (s->session && s->session->tlsext_tick)
359 ticklen = s->session->tlsext_ticklen;
362 /* Check for enough room 2 for extension type, 2 for len
365 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
366 s2n(TLSEXT_TYPE_session_ticket,ret);
370 memcpy(ret, s->session->tlsext_tick, ticklen);
375 #ifdef TLSEXT_TYPE_opaque_prf_input
376 if (s->s3->client_opaque_prf_input != NULL)
378 size_t col = s->s3->client_opaque_prf_input_len;
380 if ((long)(limit - ret - 6 - col < 0))
382 if (col > 0xFFFD) /* can't happen */
385 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
388 memcpy(ret, s->s3->client_opaque_prf_input, col);
393 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
396 long extlen, idlen, itmp;
400 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
402 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
403 itmp = i2d_OCSP_RESPID(id, NULL);
409 if (s->tlsext_ocsp_exts)
411 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
418 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
419 s2n(TLSEXT_TYPE_status_request, ret);
420 if (extlen + idlen > 0xFFF0)
422 s2n(extlen + idlen + 5, ret);
423 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
425 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
427 /* save position of id len */
428 unsigned char *q = ret;
429 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
430 /* skip over id len */
432 itmp = i2d_OCSP_RESPID(id, &ret);
438 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
441 if ((extdatalen = ret-p-2)== 0)
448 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
451 unsigned char *ret = p;
454 if (ret>=limit) return NULL; /* this really never occurs, but ... */
456 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
458 if ((long)(limit - ret - 4) < 0) return NULL;
460 s2n(TLSEXT_TYPE_server_name,ret);
463 #ifndef OPENSSL_NO_EC
464 if (s->tlsext_ecpointformatlist != NULL)
466 /* Add TLS extension ECPointFormats to the ServerHello message */
469 if ((lenmax = limit - ret - 5) < 0) return NULL;
470 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471 if (s->tlsext_ecpointformatlist_length > 255)
473 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
477 s2n(TLSEXT_TYPE_ec_point_formats,ret);
478 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481 ret+=s->tlsext_ecpointformatlist_length;
484 /* Currently the server should not respond with a SupportedCurves extension */
485 #endif /* OPENSSL_NO_EC */
487 if (s->tlsext_ticket_expected
488 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
490 if ((long)(limit - ret - 4) < 0) return NULL;
491 s2n(TLSEXT_TYPE_session_ticket,ret);
495 if (s->tlsext_status_expected)
497 if ((long)(limit - ret - 4) < 0) return NULL;
498 s2n(TLSEXT_TYPE_status_request,ret);
502 #ifdef TLSEXT_TYPE_opaque_prf_input
503 if (s->s3->server_opaque_prf_input != NULL)
505 size_t sol = s->s3->server_opaque_prf_input_len;
507 if ((long)(limit - ret - 6 - sol) < 0)
509 if (sol > 0xFFFD) /* can't happen */
512 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
515 memcpy(ret, s->s3->server_opaque_prf_input, sol);
519 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
520 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
521 { const unsigned char cryptopro_ext[36] = {
522 0xfd, 0xe8, /*65000*/
523 0x00, 0x20, /*32 bytes length*/
524 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
525 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
526 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
527 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
528 if (limit-ret<36) return NULL;
529 memcpy(ret,cryptopro_ext,36);
534 if ((extdatalen = ret-p-2)== 0)
541 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
546 unsigned char *data = *p;
547 s->servername_done = 0;
548 s->tlsext_status_type = -1;
554 if (data > (d+n-len))
557 while (data <= (d+n-4))
562 if (data+size > (d+n))
564 fprintf(stderr,"Received extension type %d size %d\n",type,size);
565 if (s->tlsext_debug_cb)
566 s->tlsext_debug_cb(s, 0, type, data, size,
567 s->tlsext_debug_arg);
568 /* The servername extension is treated as follows:
570 - Only the hostname type is supported with a maximum length of 255.
571 - The servername is rejected if too long or if it contains zeros,
572 in which case an fatal alert is generated.
573 - The servername field is maintained together with the session cache.
574 - When a session is resumed, the servername call back invoked in order
575 to allow the application to position itself to the right context.
576 - The servername is acknowledged if it is new for a session or when
577 it is identical to a previously used for the same session.
578 Applications can control the behaviour. They can at any time
579 set a 'desirable' servername for a new SSL object. This can be the
580 case for example with HTTPS when a Host: header field is received and
581 a renegotiation is requested. In this case, a possible servername
582 presented in the new client hello is only acknowledged if it matches
583 the value of the Host: field.
584 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
585 if they provide for changing an explicit servername context for the session,
586 i.e. when the session has been established with a servername extension.
587 - On session reconnect, the servername extension may be absent.
591 if (type == TLSEXT_TYPE_server_name)
593 unsigned char *sdata;
599 *al = SSL_AD_DECODE_ERROR;
606 *al = SSL_AD_DECODE_ERROR;
613 servname_type = *(sdata++);
619 *al = SSL_AD_DECODE_ERROR;
622 if (s->servername_done == 0)
623 switch (servname_type)
625 case TLSEXT_NAMETYPE_host_name:
626 if (s->session->tlsext_hostname == NULL)
628 if (len > TLSEXT_MAXLEN_host_name ||
629 ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
631 *al = TLS1_AD_UNRECOGNIZED_NAME;
634 memcpy(s->session->tlsext_hostname, sdata, len);
635 s->session->tlsext_hostname[len]='\0';
636 if (strlen(s->session->tlsext_hostname) != len) {
637 OPENSSL_free(s->session->tlsext_hostname);
638 *al = TLS1_AD_UNRECOGNIZED_NAME;
641 s->servername_done = 1;
645 s->servername_done = strlen(s->session->tlsext_hostname) == len
646 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
658 *al = SSL_AD_DECODE_ERROR;
664 #ifndef OPENSSL_NO_EC
665 else if (type == TLSEXT_TYPE_ec_point_formats)
667 unsigned char *sdata = data;
668 int ecpointformatlist_length = *(sdata++);
670 if (ecpointformatlist_length != size - 1)
672 *al = TLS1_AD_DECODE_ERROR;
675 s->session->tlsext_ecpointformatlist_length = 0;
676 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
677 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
679 *al = TLS1_AD_INTERNAL_ERROR;
682 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
683 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
685 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
686 sdata = s->session->tlsext_ecpointformatlist;
687 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
688 fprintf(stderr,"%i ",*(sdata++));
689 fprintf(stderr,"\n");
692 else if (type == TLSEXT_TYPE_elliptic_curves)
694 unsigned char *sdata = data;
695 int ellipticcurvelist_length = (*(sdata++) << 8);
696 ellipticcurvelist_length += (*(sdata++));
698 if (ellipticcurvelist_length != size - 2)
700 *al = TLS1_AD_DECODE_ERROR;
703 s->session->tlsext_ellipticcurvelist_length = 0;
704 if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
705 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
707 *al = TLS1_AD_INTERNAL_ERROR;
710 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
711 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
713 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
714 sdata = s->session->tlsext_ellipticcurvelist;
715 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
716 fprintf(stderr,"%i ",*(sdata++));
717 fprintf(stderr,"\n");
720 #endif /* OPENSSL_NO_EC */
721 #ifdef TLSEXT_TYPE_opaque_prf_input
722 else if (type == TLSEXT_TYPE_opaque_prf_input)
724 unsigned char *sdata = data;
728 *al = SSL_AD_DECODE_ERROR;
731 n2s(sdata, s->s3->client_opaque_prf_input_len);
732 if (s->s3->client_opaque_prf_input_len != size - 2)
734 *al = SSL_AD_DECODE_ERROR;
738 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
739 OPENSSL_free(s->s3->client_opaque_prf_input);
740 if (s->s3->client_opaque_prf_input_len == 0)
741 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
743 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
744 if (s->s3->client_opaque_prf_input == NULL)
746 *al = TLS1_AD_INTERNAL_ERROR;
751 else if (type == TLSEXT_TYPE_status_request
752 && s->ctx->tlsext_status_cb)
757 *al = SSL_AD_DECODE_ERROR;
761 s->tlsext_status_type = *data++;
763 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
765 const unsigned char *sdata;
767 /* Read in responder_id_list */
772 *al = SSL_AD_DECODE_ERROR;
781 *al = SSL_AD_DECODE_ERROR;
788 *al = SSL_AD_DECODE_ERROR;
793 id = d2i_OCSP_RESPID(NULL,
797 *al = SSL_AD_DECODE_ERROR;
802 OCSP_RESPID_free(id);
803 *al = SSL_AD_DECODE_ERROR;
806 if (!s->tlsext_ocsp_ids
807 && !(s->tlsext_ocsp_ids =
808 sk_OCSP_RESPID_new_null()))
810 OCSP_RESPID_free(id);
811 *al = SSL_AD_INTERNAL_ERROR;
814 if (!sk_OCSP_RESPID_push(
815 s->tlsext_ocsp_ids, id))
817 OCSP_RESPID_free(id);
818 *al = SSL_AD_INTERNAL_ERROR;
823 /* Read in request_extensions */
828 *al = SSL_AD_DECODE_ERROR;
834 s->tlsext_ocsp_exts =
835 d2i_X509_EXTENSIONS(NULL,
837 if (!s->tlsext_ocsp_exts
838 || (data + dsize != sdata))
840 *al = SSL_AD_DECODE_ERROR;
845 /* We don't know what to do with any other type
849 s->tlsext_status_type = -1;
852 /* session ticket processed earlier */
860 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
865 unsigned char *data = *p;
867 int tlsext_servername = 0;
874 while(data <= (d+n-4))
879 if (data+size > (d+n))
882 if (s->tlsext_debug_cb)
883 s->tlsext_debug_cb(s, 1, type, data, size,
884 s->tlsext_debug_arg);
886 if (type == TLSEXT_TYPE_server_name)
888 if (s->tlsext_hostname == NULL || size > 0)
890 *al = TLS1_AD_UNRECOGNIZED_NAME;
893 tlsext_servername = 1;
896 #ifndef OPENSSL_NO_EC
897 else if (type == TLSEXT_TYPE_ec_point_formats)
899 unsigned char *sdata = data;
900 int ecpointformatlist_length = *(sdata++);
902 if (ecpointformatlist_length != size - 1)
904 *al = TLS1_AD_DECODE_ERROR;
907 s->session->tlsext_ecpointformatlist_length = 0;
908 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
909 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
911 *al = TLS1_AD_INTERNAL_ERROR;
914 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
915 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
917 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
918 sdata = s->session->tlsext_ecpointformatlist;
919 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
920 fprintf(stderr,"%i ",*(sdata++));
921 fprintf(stderr,"\n");
924 #endif /* OPENSSL_NO_EC */
926 else if (type == TLSEXT_TYPE_session_ticket)
928 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
931 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
934 s->tlsext_ticket_expected = 1;
936 #ifdef TLSEXT_TYPE_opaque_prf_input
937 else if (type == TLSEXT_TYPE_opaque_prf_input)
939 unsigned char *sdata = data;
943 *al = SSL_AD_DECODE_ERROR;
946 n2s(sdata, s->s3->server_opaque_prf_input_len);
947 if (s->s3->server_opaque_prf_input_len != size - 2)
949 *al = SSL_AD_DECODE_ERROR;
953 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
954 OPENSSL_free(s->s3->server_opaque_prf_input);
955 if (s->s3->server_opaque_prf_input_len == 0)
956 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
958 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
960 if (s->s3->server_opaque_prf_input == NULL)
962 *al = TLS1_AD_INTERNAL_ERROR;
967 else if (type == TLSEXT_TYPE_status_request)
969 /* MUST be empty and only sent if we've requested
970 * a status request message.
972 if ((s->tlsext_status_type == -1) || (size > 0))
974 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
977 /* Set flag to expect CertificateStatus message */
978 s->tlsext_status_expected = 1;
986 *al = SSL_AD_DECODE_ERROR;
990 if (!s->hit && tlsext_servername == 1)
992 if (s->tlsext_hostname)
994 if (s->session->tlsext_hostname == NULL)
996 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
997 if (!s->session->tlsext_hostname)
999 *al = SSL_AD_UNRECOGNIZED_NAME;
1005 *al = SSL_AD_DECODE_ERROR;
1016 int ssl_prepare_clienthello_tlsext(SSL *s)
1018 #ifndef OPENSSL_NO_EC
1019 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1020 * and elliptic curves we support.
1025 unsigned long alg_k, alg_a;
1026 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1028 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1030 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1032 alg_k = c->algorithm_mkey;
1033 alg_a = c->algorithm_auth;
1034 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1040 using_ecc = using_ecc && (s->version == TLS1_VERSION);
1043 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1044 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1046 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1049 s->tlsext_ecpointformatlist_length = 3;
1050 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1051 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1052 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1054 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1055 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1056 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1057 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1059 s->tlsext_ellipticcurvelist_length = 0;
1060 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1063 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1064 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1067 #endif /* OPENSSL_NO_EC */
1069 #ifdef TLSEXT_TYPE_opaque_prf_input
1073 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1075 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1080 if (s->tlsext_opaque_prf_input != NULL)
1082 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1083 OPENSSL_free(s->s3->client_opaque_prf_input);
1085 if (s->tlsext_opaque_prf_input_len == 0)
1086 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1088 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1089 if (s->s3->client_opaque_prf_input == NULL)
1091 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1094 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1098 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1099 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1106 int ssl_prepare_serverhello_tlsext(SSL *s)
1108 #ifndef OPENSSL_NO_EC
1109 /* If we are server and using an ECC cipher suite, send the point formats we support
1110 * if the client sent us an ECPointsFormat extension. Note that the server is not
1111 * supposed to send an EllipticCurves extension.
1114 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1115 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1116 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1117 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1121 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1122 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1124 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1127 s->tlsext_ecpointformatlist_length = 3;
1128 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1129 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1130 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1132 #endif /* OPENSSL_NO_EC */
1137 int ssl_check_clienthello_tlsext(SSL *s)
1139 int ret=SSL_TLSEXT_ERR_NOACK;
1140 int al = SSL_AD_UNRECOGNIZED_NAME;
1142 #ifndef OPENSSL_NO_EC
1143 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1144 * ssl3_choose_cipher in s3_lib.c.
1146 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1147 * ssl3_choose_cipher in s3_lib.c.
1151 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1152 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1153 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1154 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1156 /* If status request then ask callback what to do.
1157 * Note: this must be called after servername callbacks in case
1158 * the certificate has changed.
1160 if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
1163 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1166 /* We don't want to send a status request response */
1167 case SSL_TLSEXT_ERR_NOACK:
1168 s->tlsext_status_expected = 0;
1170 /* status request response should be sent */
1171 case SSL_TLSEXT_ERR_OK:
1172 if (s->tlsext_ocsp_resp)
1173 s->tlsext_status_expected = 1;
1175 s->tlsext_status_expected = 0;
1177 /* something bad happened */
1178 case SSL_TLSEXT_ERR_ALERT_FATAL:
1179 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1180 al = SSL_AD_INTERNAL_ERROR;
1185 s->tlsext_status_expected = 0;
1187 #ifdef TLSEXT_TYPE_opaque_prf_input
1189 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1190 * but we might be sending an alert in response to the client hello,
1191 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1195 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1197 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1200 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1201 al = SSL_AD_INTERNAL_ERROR;
1206 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1207 OPENSSL_free(s->s3->server_opaque_prf_input);
1208 s->s3->server_opaque_prf_input = NULL;
1210 if (s->tlsext_opaque_prf_input != NULL)
1212 if (s->s3->client_opaque_prf_input != NULL &&
1213 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1215 /* can only use this extension if we have a server opaque PRF input
1216 * of the same length as the client opaque PRF input! */
1218 if (s->tlsext_opaque_prf_input_len == 0)
1219 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1221 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1222 if (s->s3->server_opaque_prf_input == NULL)
1224 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1225 al = SSL_AD_INTERNAL_ERROR;
1228 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1232 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1234 /* The callback wants to enforce use of the extension,
1235 * but we can't do that with the client opaque PRF input;
1236 * abort the handshake.
1238 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1239 al = SSL_AD_HANDSHAKE_FAILURE;
1247 case SSL_TLSEXT_ERR_ALERT_FATAL:
1248 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1251 case SSL_TLSEXT_ERR_ALERT_WARNING:
1252 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1255 case SSL_TLSEXT_ERR_NOACK:
1256 s->servername_done=0;
1262 int ssl_check_serverhello_tlsext(SSL *s)
1264 int ret=SSL_TLSEXT_ERR_NOACK;
1265 int al = SSL_AD_UNRECOGNIZED_NAME;
1267 #ifndef OPENSSL_NO_EC
1268 /* If we are client and using an elliptic curve cryptography cipher suite, then server
1269 * must return a an EC point formats lists containing uncompressed.
1271 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1272 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1273 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
1274 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1276 /* we are using an ECC cipher */
1278 unsigned char *list;
1279 int found_uncompressed = 0;
1280 if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
1282 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1285 list = s->session->tlsext_ecpointformatlist;
1286 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1288 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1290 found_uncompressed = 1;
1294 if (!found_uncompressed)
1296 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1300 ret = SSL_TLSEXT_ERR_OK;
1301 #endif /* OPENSSL_NO_EC */
1303 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1304 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1305 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1306 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1308 #ifdef TLSEXT_TYPE_opaque_prf_input
1309 if (s->s3->server_opaque_prf_input_len > 0)
1311 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1312 * So first verify that we really have a value from the server too. */
1314 if (s->s3->server_opaque_prf_input == NULL)
1316 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1317 al = SSL_AD_HANDSHAKE_FAILURE;
1320 /* Anytime the server *has* sent an opaque PRF input, we need to check
1321 * that we have a client opaque PRF input of the same size. */
1322 if (s->s3->client_opaque_prf_input == NULL ||
1323 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1325 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1326 al = SSL_AD_ILLEGAL_PARAMETER;
1331 /* If we've requested certificate status and we wont get one
1334 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1335 && s->ctx->tlsext_status_cb)
1338 /* Set resp to NULL, resplen to -1 so callback knows
1339 * there is no response.
1341 if (s->tlsext_ocsp_resp)
1343 OPENSSL_free(s->tlsext_ocsp_resp);
1344 s->tlsext_ocsp_resp = NULL;
1346 s->tlsext_ocsp_resplen = -1;
1347 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1350 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1351 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1355 al = SSL_AD_INTERNAL_ERROR;
1356 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1362 case SSL_TLSEXT_ERR_ALERT_FATAL:
1363 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1366 case SSL_TLSEXT_ERR_ALERT_WARNING:
1367 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1370 case SSL_TLSEXT_ERR_NOACK:
1371 s->servername_done=0;
1377 /* Since the server cache lookup is done early on in the processing of client
1378 * hello and other operations depend on the result we need to handle any TLS
1379 * session ticket extension at the same time.
1382 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1383 const unsigned char *limit, SSL_SESSION **ret)
1385 /* Point after session ID in client hello */
1386 const unsigned char *p = session_id + len;
1388 if ((s->version <= SSL3_VERSION) || !limit)
1392 /* Skip past cipher list */
1397 /* Skip past compression algorithm list */
1402 /* Now at start of extensions */
1403 if ((p + 2) >= limit)
1406 while ((p + 4) <= limit)
1408 unsigned short type, size;
1411 if (p + size > limit)
1413 if (type == TLSEXT_TYPE_session_ticket)
1415 /* If tickets disabled indicate cache miss which will
1416 * trigger a full handshake
1418 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1420 /* If zero length not client will accept a ticket
1421 * and indicate cache miss to trigger full handshake
1425 s->tlsext_ticket_expected = 1;
1426 return 0; /* Cache miss */
1428 return tls_decrypt_ticket(s, p, size, session_id, len,
1436 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1437 const unsigned char *sess_id, int sesslen,
1438 SSL_SESSION **psess)
1441 unsigned char *sdec;
1442 const unsigned char *p;
1444 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1447 /* Attempt to process session ticket, first conduct sanity and
1448 * integrity checks on ticket.
1450 mlen = EVP_MD_size(tlsext_tick_md());
1452 /* Need at least keyname + iv + some encrypted data */
1455 /* Check key name matches */
1456 if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
1458 /* Check HMAC of encrypted ticket */
1459 HMAC_CTX_init(&hctx);
1460 HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
1461 tlsext_tick_md(), NULL);
1462 HMAC_Update(&hctx, etick, eticklen);
1463 HMAC_Final(&hctx, tick_hmac, NULL);
1464 HMAC_CTX_cleanup(&hctx);
1465 if (memcmp(tick_hmac, etick + eticklen, mlen))
1467 /* Set p to start of IV */
1469 EVP_CIPHER_CTX_init(&ctx);
1470 /* Attempt to decrypt session data */
1471 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1472 s->ctx->tlsext_tick_aes_key, p);
1473 /* Move p after IV to start of encrypted ticket, update length */
1476 sdec = OPENSSL_malloc(eticklen);
1479 EVP_CIPHER_CTX_cleanup(&ctx);
1482 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1483 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1486 EVP_CIPHER_CTX_cleanup(&ctx);
1489 sess = d2i_SSL_SESSION(NULL, &p, slen);
1493 /* The session ID if non-empty is used by some clients to
1494 * detect that the ticket has been accepted. So we copy it to
1495 * the session structure. If it is empty set length to zero
1496 * as required by standard.
1499 memcpy(sess->session_id, sess_id, sesslen);
1500 sess->session_id_length = sesslen;
1502 s->tlsext_ticket_expected = 0;
1505 /* If session decrypt failure indicate a cache miss and set state to
1509 s->tlsext_ticket_expected = 1;
projects / openssl.git / blob