mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-24 10:34:12 +08:00
Code Issues Packages Projects Releases Wiki Activity

Various changes in the new TLS extension code, including the following:

Browse Source 
- fix indentation
 - rename some functions and macros
 - fix up confusion between SSL_ERROR_... and SSL_AD_... values
This commit is contained in:
Bodo Möller 2006-01-03 03:27:19 +00:00
parent 349eb12fd5
commit f1fd4544a3
15 changed files with 484 additions and 213 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
CHANGES
View File

@ -4,16 +4,33 @@
Changes between 0.9.8a and 0.9.9 [xx XXX xxxx]
*) Add support for TLS extensions, specifically for the HostName extension.
The SSL_SESSION, SSL_CTX, and SSL data structures now have new members
for HostName support.
*) Add support for TLS extensions, specifically for the HostName extension
so far. The SSL_SESSION, SSL_CTX, and SSL data structures now have new
members for HostName support.
New functions (subject to change):
SSL_get_servername()
SSL_get_servername_type()
SSL_set_SSL_CTX()
New CTRL codes and macros (subject to change):
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
- SSL_CTX_set_tlsext_servername_callback()
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
- SSL_CTX_set_tlsext_servername_arg()
SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_hostname()
SSL_CTRL_GET_TLSEXT_HOSTNAME [similar to SSL_get_servername()]
SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE
- SSL_set_tlsext_servername_done()
openssl s_client has a new '-servername' option.
openssl s_server has new options '-servername', '-cert2', and '-key2';
this allows testing the HostName extension for a specific single
host name ('-cert' and '-key' remain fallbacks for handshakes without
HostName negotiation).
openssl s_server has new options '-servername', '-cert2', and '-key2'
(subject to change); this allows testing the HostName extension for a
specific single host name ('-cert' and '-key' remain fallbacks for
handshakes without HostName negotiation).
[Peter Sylvester]

4
Configure
View File

@ -836,6 +836,10 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"})
$disabled{"tls1"} = "forced";
}
if (defined($disabled{"tls1"}))
{
$disabled{"tlsext"} = "forced";
}
if ($target eq "TABLE") {
foreach $target (sort keys %table) {

4
apps/s_client.c
View File

@ -239,11 +239,11 @@ typedef struct tlsextctx_st {
static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
{
tlsextctx * p = (tlsextctx *) arg;
const unsigned char * hn= SSL_get_servername(s, TLSEXT_TYPE_SERVER_host);
const unsigned char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
if (SSL_get_servername_type(s) != -1)
p->ack = !SSL_session_reused(s) && hn != NULL;
else
BIO_printf(bio_err,"SSL_get_tlsext_hostname does not work\n");
BIO_printf(bio_err,"Can't use SSL_get_servername\n");
return SSL_ERROR_NONE;
}

23
apps/s_server.c
View File

@ -539,7 +539,7 @@ typedef struct tlsextctx_st {
static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
{
tlsextctx * p = (tlsextctx *) arg;
const char * servername = SSL_get_servername(s, TLSEXT_TYPE_SERVER_host);
const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
if (servername)
BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername);
@ -1257,12 +1257,14 @@ bad:
#endif
#endif
if (cipher != NULL) {
if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
if (cipher != NULL)
{
if(!SSL_CTX_set_cipher_list(ctx,cipher))
{
BIO_printf(bio_err,"error setting cipher list\n");
ERR_print_errors(bio_err);
goto end;
}
}
#ifndef OPENSSL_NO_TLSEXT
if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher))
{
@ -1271,7 +1273,7 @@ bad:
goto end;
}
#endif
}
}
SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
sizeof s_server_session_id_context);
@ -1283,13 +1285,14 @@ bad:
SSL_CTX_set_session_id_context(ctx2,(void*)&s_server_session_id_context,
sizeof s_server_session_id_context);
tlsextcbp.biodebug = bio_s_out;
SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
}
tlsextcbp.biodebug = bio_s_out;
SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
#endif
if (CAfile != NULL)
{
SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));

62
ssl/s23_clnt.c
View File

@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include "ssl_locl.h"
@ -352,7 +405,6 @@ static int ssl23_client_hello(SSL *s)
#ifdef OPENSSL_NO_COMP
*(p++)=1;
#else
if ((s->options & SSL_OP_NO_COMPRESSION)
|| !s->ctx->comp_methods)
j=0;
@ -366,16 +418,16 @@ static int ssl23_client_hello(SSL *s)
}
#endif
*(p++)=0; /* Add the NULL method */
#ifndef OPENSSL_NO_TLSEXT
if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{
if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{
SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
return -1;
}
}
#endif
l = p-d;
*p = 42;
/* fill in 4-byte handshake header */
d=&(buf[5]);

17
ssl/s23_srvr.c
View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -140,7 +140,7 @@ IMPLEMENT_ssl23_meth_func(SSLv23_server_method,
int ssl23_accept(SSL *s)
{
BUF_MEM *buf;
unsigned long Time=time(NULL);
unsigned long Time=(unsigned long)time(NULL);
void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
int new_state,state;
@ -416,7 +416,9 @@ int ssl23_get_client_hello(SSL *s)
n2s(p,sil);
n2s(p,cl);
d=(unsigned char *)s->init_buf->data;
if ((csl+sil+cl+11) > s->packet_length)
if ((csl+sil+cl+11) != s->packet_length) /* We can't have TLS extensions in SSL 2.0 format
* Client Hello, can we? Error condition should be
* '>' otherweise */
{
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
goto err;
@ -459,11 +461,14 @@ int ssl23_get_client_hello(SSL *s)
*(d++)=1;
*(d++)=0;
#if 0
/* copy any remaining data with may be extensions */
p = p+csl+sil+cl ;
while (p < s->packet+s->packet_length) {
p = p+csl+sil+cl;
while (p < s->packet+s->packet_length)
{
*(d++)=*(p++);
}
}
#endif
i = (d-(unsigned char *)s->init_buf->data) - 4;
l2n3((long)i, d_len);

26
ssl/s3_clnt.c
View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -257,12 +257,14 @@ int ssl3_connect(SSL *s)
if (ret <= 0) goto end;
#ifndef OPENSSL_NO_TLSEXT
{
int extension_error = 0,al;
if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){
ret = -1;
int al;
if (ssl_check_tlsext(s,&al) <= 0)
{
ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
ret = -1;
goto end;
}
}
}
#endif
if (s->hit)
@ -613,11 +615,11 @@ int ssl3_client_hello(SSL *s)
#endif
*(p++)=0; /* Add the NULL method */
#ifndef OPENSSL_NO_TLSEXT
if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{
if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{
SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
goto err;
}
}
#endif
l=(p-d);
@ -806,12 +808,14 @@ int ssl3_get_server_hello(SSL *s)
#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (s->version > SSL3_VERSION)
{
if ((al = ssl_parse_ServerHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){
{
if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
{
/* 'al' set by ssl_parse_serverhello_tlsext */
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT);
goto f_err;
}
}
}
#endif
if (p != (d+n))

31
ssl/s3_lib.c
View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -1645,16 +1645,21 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
#endif /* !OPENSSL_NO_ECDH */
#ifndef OPENSSL_NO_TLSEXT
case SSL_CTRL_GET_TLSEXT_HOSTNAME:
if (larg != TLSEXT_TYPE_SERVER_host)
if (larg != TLSEXT_NAMETYPE_host_name)
{
SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
return(0);
}
*((char **) parg) = s->session&&s->session->tlsext_hostname?s->session->tlsext_hostname:s->tlsext_hostname;
/* XXX cf. SSL_get_servername() (ssl_lib.c) */
if (s->session && s->session->tlsext_hostname)
*((char **) parg) = s->session->tlsext_hostname;
else
*((char **) parg) = s->tlsext_hostname;
ret = 1;
break;
break;
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
if (larg == TLSEXT_TYPE_SERVER_host) {
if (larg == TLSEXT_NAMETYPE_host_name)
{
if (s->tlsext_hostname != NULL)
OPENSSL_free(s->tlsext_hostname);
s->tlsext_hostname = NULL;
@ -1662,19 +1667,23 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
ret = 1;
if (parg == NULL)
break;
if (strlen((char *)parg) > 255) {
if (strlen((char *)parg) > 255)
{
SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
return 0;
}
if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) {
}
if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL)
{
SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR);
return 0;
}
}
} else {
else
{
SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
return 0;
}
s->options |= SSL_OP_NO_SSLv2;
}
s->options |= SSL_OP_NO_SSLv2; /* can't use extension w/ SSL 2.0 format */
break;
case SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE:
s->servername_done = larg;

46
ssl/s3_srvr.c
View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -283,13 +283,14 @@ int ssl3_accept(SSL *s)
if (ret <= 0) goto end;
#ifndef OPENSSL_NO_TLSEXT
{
int extension_error = 0,al;
if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){
ret = -1;
int al;
if (ssl_check_tlsext(s,&al) <= 0)
{
ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
ssl3_send_alert(s,al,extension_error);
ret = -1;
goto end;
}
}
}
#endif
s->new_session = 2;
@ -937,32 +938,17 @@ int ssl3_get_client_hello(SSL *s)
}
#endif
/* TLS does not mind if there is extra stuff */
#if 0 /* SSL 3.0 does not mind either, so we should disable this test
* (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b,
* in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
if (s->version == SSL3_VERSION)
{
if (p < (d+n))
{
/* wrong number of bytes,
* there could be more to follow */
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
goto f_err;
}
}
#endif
#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (s->version > SSL3_VERSION)
{
if ((al = ssl_parse_ClientHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){
{
if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
{
/* 'al' set by ssl_parse_clienthello_tlsext */
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT);
ssl3_send_alert(s,SSL3_AL_WARNING,al);
return (ret = al);
goto f_err;
}
}
}
#endif
/* Given s->session->ciphers and SSL_get_ciphers, we must
@ -1109,11 +1095,11 @@ int ssl3_send_server_hello(SSL *s)
*(p++)=s->s3->tmp.new_compression->id;
#endif
#ifndef OPENSSL_NO_TLSEXT
if ((p = ssl_add_ServerHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{
if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{
SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
return -1;
}
}
#endif
/* do the header */

29
ssl/ssl.h
View File

@ -109,7 +109,7 @@
*
*/
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -172,11 +172,6 @@
#include <openssl/e_os2.h>
#ifdef OPENSSL_NO_TLS1
# ifndef OPENSSL_NO_TLSEXT
# define OPENSSL_NO_TLSEXT
# endif
#endif
#ifndef OPENSSL_NO_COMP
#include <openssl/comp.h>
#endif
@ -765,11 +760,10 @@ struct ssl_ctx_st
unsigned int max_send_fragment;
#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions servername callback */
/* TLS extensions servername callback */
int (*tlsext_servername_callback)(SSL*, int *, void *);
void *tlsext_servername_arg;
#endif
};
#define SSL_SESS_CACHE_OFF 0x0000
@ -994,11 +988,11 @@ struct ssl_st
unsigned int max_send_fragment;
#ifndef OPENSSL_NO_TLSEXT
char *tlsext_hostname;
int servername_done; /* no further mod of servername
0 : call the servername extension callback.
1 : prepare 2, allow last ack just after in server callback.
2 : don't call servername callback, no ack in server hello
*/
int servername_done; /* no further mod of servername
0 : call the servername extension callback.
1 : prepare 2, allow last ack just after in server callback.
2 : don't call servername callback, no ack in server hello
*/
#endif
};
@ -1145,9 +1139,7 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */
#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
#ifndef OPENSSL_NO_TLSEXT
#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
#endif
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
@ -1208,6 +1200,13 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
#define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52
/* see tls.h for macros based on these */
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
#define SSL_CTRL_GET_TLSEXT_HOSTNAME 56
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE 57
#define SSL_session_reused(ssl) \
SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
#define SSL_num_renegotiations(ssl) \

36
ssl/ssl_lib.c
View File

@ -58,7 +58,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -1315,27 +1315,30 @@ err:
return(NULL);
}
#ifndef OPENSSL_TLSEXT
/** return a servername extension value if provided in CLIENT HELLO
* or NULL.
* For the moment, only hostname types are supported.
/** return a servername extension value if provided in Client Hello, or NULL.
* So far, only host_name types are defined (RFC 3546).
*/
const char *SSL_get_servername(const SSL *s, const int type) {
if (type != TLSEXT_TYPE_SERVER_host)
const char *SSL_get_servername(const SSL *s, const int type)
{
if (type != TLSEXT_NAMETYPE_host_name)
return NULL;
return s->session /*&&s->session->tlsext_hostname*/?s->session->tlsext_hostname:s->tlsext_hostname;
}
/* XXX cf. SSL_CTRL_GET_TLSEXT_HOSTNAME case in ssl3_ctrl (s3_lib.c) */
return s->session /*&&s->session->tlsext_hostname*/ ?
s->session->tlsext_hostname :
s->tlsext_hostname;
}
int SSL_get_servername_type(const SSL *s) {
if (s->session &&s->session->tlsext_hostname ?s->session->tlsext_hostname:s->tlsext_hostname)
return TLSEXT_TYPE_SERVER_host;
int SSL_get_servername_type(const SSL *s)
{
if (s->session &&s->session->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname)
return TLSEXT_NAMETYPE_host_name;
return -1;
}
}
#endif
unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
{
unsigned long l;
@ -1488,7 +1491,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
#ifndef OPENSSL_NO_TLSEXT
ret->tlsext_servername_callback = NULL;
ret->tlsext_servername_callback = 0;
ret->tlsext_servername_arg = NULL;
#endif
return(ret);
@ -2442,7 +2445,6 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
{
if (ssl->cert != NULL)
ssl_cert_free(ssl->cert);
ssl->cert = ssl_cert_dup(ctx->cert);

12
ssl/ssl_locl.h
View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -941,10 +941,10 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
#ifndef OPENSSL_NO_TLSEXT
unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit);
unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit);
int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n);
int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n);
int ssl_check_Hello_TLS_extensions(SSL *s,int *ad);
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_check_tlsext(SSL *s,int *al);
#endif
#endif

56
ssl/ssl_sess.c
View File

@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <openssl/lhash.h>
@ -550,8 +603,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
if (ss->peer != NULL) X509_free(ss->peer);
if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
#ifndef OPENSSL_NO_TLSEXT
if (ss->tlsext_hostname != NULL)
OPENSSL_free(ss->tlsext_hostname);
if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
#endif
OPENSSL_cleanse(ss,sizeof(*ss));
OPENSSL_free(ss);

222
ssl/t1_lib.c
View File

@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <openssl/objects.h>
@ -101,41 +154,43 @@ void tls1_clear(SSL *s)
s->version=TLS1_VERSION;
}
#ifndef OPENSSL_NO_TLSEXT
unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) {
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
{
int extdatalen=0;
unsigned char *ret = p;
ret+=2;
if (ret>=limit) return NULL; /* this really never occurs, but ... */
if (s->servername_done == 0 && s->tlsext_hostname != NULL) {
if (s->servername_done == 0 && s->tlsext_hostname != NULL)
{
/* Add TLS extension servername to the Client Hello message */
unsigned long size_str;
long lenmax;
if ((lenmax = limit - p - 7) < 0) return NULL;
if ((size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) return NULL;
s2n(TLSEXT_TYPE_server_name,ret);
s2n(size_str+3,ret);
*(ret++) = (unsigned char) TLSEXT_TYPE_SERVER_host;
*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
s2n(size_str,ret);
memcpy(ret, s->tlsext_hostname, size_str);
ret+=size_str;
}
}
if ((extdatalen = ret-p-2)== 0)
return p;
s2n(extdatalen,p);
return ret;
}
unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) {
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
{
int extdatalen=0;
unsigned char *ret = p;
if (s->hit || s->servername_done == 2)
@ -146,78 +201,92 @@ unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsi
if (ret>=limit) return NULL; /* this really never occurs, but ... */
if (s->session->tlsext_hostname != NULL) {
if (s->session->tlsext_hostname != NULL)
{
if (limit - p - 4 < 0) return NULL;
s2n(TLSEXT_TYPE_server_name,ret);
s2n(0,ret);
}
}
if ((extdatalen = ret-p-2)== 0)
return p;
s2n(extdatalen,p);
return ret;
}
int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) {
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
{
unsigned short type;
unsigned short size;
unsigned short len;
unsigned char * data = *p;
unsigned char *data = *p;
if (data >= (d+n-2))
return SSL_ERROR_NONE;
return 1;
n2s(data,len);
if (data > (d+n-len))
return SSL_ERROR_NONE;
return 1;
while(data <= (d+n-4)){
while (data <= (d+n-4))
{
n2s(data,type);
n2s(data,size);
if (data+size > (d+n))
return SSL_ERROR_SSL;
if (type == TLSEXT_TYPE_server_name) {
return 1;
if (type == TLSEXT_TYPE_server_name)
{
unsigned char *sdata = data;
int servname_type;
int dsize = size-3 ;
if (dsize > 0 ) {
if (dsize > 0 )
{
servname_type = *(sdata++);
n2s(sdata,len);
if (len != dsize)
return SSL_ERROR_SSL;
{
*al = SSL_AD_DECODE_ERROR;
return 0;
}
switch (servname_type) {
case TLSEXT_TYPE_SERVER_host:
if (s->session->tlsext_hostname == NULL) {
switch (servname_type)
{
case TLSEXT_NAMETYPE_host_name:
if (s->session->tlsext_hostname == NULL)
{
if (len > 255 ||
((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
return SSL_ERROR_SSL;
{
*al = TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
memcpy(s->session->tlsext_hostname, sdata, len);
s->session->tlsext_hostname[len]='\0';
}
}
break;
default:
break;
}
}
}
}
}
data+=size;
}
*p = data;
}
return SSL_ERROR_NONE;
*p = data;
return 1;
}
int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) {
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
{
unsigned short type;
unsigned short size;
unsigned short len;
@ -226,61 +295,76 @@ int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned cha
int tlsext_servername = 0;
if (data >= (d+n-2))
return SSL_ERROR_NONE;
return 1;
n2s(data,len);
while(data <= (d+n-4)){
while(data <= (d+n-4))
{
n2s(data,type);
n2s(data,size);
if (data+size > (d+n))
return SSL_ERROR_SSL;
return 1;
if (type == TLSEXT_TYPE_server_name) {
if ( s->tlsext_hostname == NULL || size > 0 ) {
return SSL_ERROR_SSL;
}
if (type == TLSEXT_TYPE_server_name)
{
if (s->tlsext_hostname == NULL || size > 0)
{
*al = TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
tlsext_servername = 1;
}
}
data+=size;
}
}
if (data != d+n)
return SSL_ERROR_SSL;
{
*al = SSL_AD_DECODE_ERROR;
return 0;
}
if (!s->hit && tlsext_servername == 1) {
if (s->tlsext_hostname) {
if (s->session->tlsext_hostname == NULL) {
if (!s->hit && tlsext_servername == 1)
{
if (s->tlsext_hostname)
{
if (s->session->tlsext_hostname == NULL)
{
s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
if (!s->session->tlsext_hostname)
return SSL_ERROR_SSL;
{
*al = SSL_AD_UNRECOGNIZED_NAME;
return 0;
}
}
else
{
*al = SSL_AD_DECODE_ERROR;
return 0;
}
}
} else
return SSL_ERROR_SSL;
}
}
*p = data;
return SSL_ERROR_NONE;
return 1;
}
int ssl_check_Hello_TLS_extensions(SSL *s,int *ad)
{
int ret = SSL_ERROR_NONE;
int ssl_check_tlsext(SSL *s,int *al)
{
int ret;
*ad = SSL_AD_UNRECOGNIZED_NAME;
if (s->servername_done == 0 && (s->ctx != NULL && s->ctx->tlsext_servername_callback != NULL)
&& ((ret = s->ctx->tlsext_servername_callback(s, ad, s->ctx->tlsext_servername_arg))!= SSL_ERROR_NONE))
return ret;
else if (s->servername_done == 1)
*al = SSL_AD_UNRECOGNIZED_NAME;
if (s->servername_done == 0 && (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0))
{
ret = s->ctx->tlsext_servername_callback(s, al, s->ctx->tlsext_servername_arg);
if (ret <= 0)
return ret;
}
if (s->servername_done == 1)
s->servername_done = 2;
return ret;
}
return 1;
}
#endif

98
ssl/tls1.h
View File

@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
@ -96,54 +149,55 @@ extern "C" {
#define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
#define TLS1_AD_USER_CANCELLED 90
#define TLS1_AD_NO_RENEGOTIATION 100
#ifndef OPENSSL_NO_TLSEXT
#define TLS1_AD_UNRECOGNIZED_NAME 122
/* ExtensionType values from RFC 3546 */
#define TLSEXT_TYPE_server_name 0
#define TLSEXT_TYPE_max_fragment_length 1
#define TLSEXT_TYPE_client_certificate_url 2
#define TLSEXT_TYPE_trusted_ca_keys 3
#define TLSEXT_TYPE_truncated_hmac 4
#define TLSEXT_TYPE_status_request 5
#if 0
#define TLSEXT_TYPE_srp 6
#endif
#define TLSEXT_TYPE_SERVER_host 0
/* NameType value from RFC 3546 */
#define TLSEXT_NAMETYPE_host_name 0
#ifndef OPENSSL_NO_TLSEXT
const char *SSL_get_servername(const SSL *s, const int type) ;
int SSL_get_servername_type(const SSL *s) ;
#define SSL_CTX_set_tlsext_hostname(ctx,name) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host,(char *)name)
#define SSL_set_tlsext_hostname(s,name) \
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host,(char *)name)
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)
#define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \
SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb)
#define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
const char *SSL_get_servername(const SSL *s, const int type) ;
int SSL_get_servername_type(const SSL *s) ;
#define SSL_set_tlsext_servername_done(s,t) \
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
#if 0
# if 0
#define SSL_get_tlsext_hostname(s,psn) \
SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host, (void *)psn)
#else
SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name, (void *)psn)
# else
/* XXX this looks weird for a macro, define a function instead? */
* or just used SSL_get_servername() directly ... */
#define SSL_get_tlsext_hostname(s,psn) \
(*psn = SSL_get_servername(s, TLSEXT_TYPE_SERVER_host),*psn != NULL)
(*psn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name),*psn != NULL)
# endif
#endif
#define SSL_set_tlsext_servername_done(s,t) \
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
void SSL_set_ctx(SSL *s, SSL_CTX *ctx) ;
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
#define SSL_CTRL_GET_TLSEXT_HOSTNAME 56
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE 57
#endif
/* Additional TLS ciphersuites from expired Internet Draft
* draft-ietf-tls-56-bit-ciphersuites-01.txt
* (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see