Skip to content

Instantly share code, notes, and snippets.

@moyix

moyix/probs.t1_lib.txt

Created September 19, 2021 22:20
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save moyix/faaf13bfb4b1ebf6e918842c8386835c to your computer and use it in GitHub Desktop.
Save moyix/faaf13bfb4b1ebf6e918842c8386835c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
probs.t1_lib.txt
-1.541954 | /* ssl/t1_lib.c */
-0.001411 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-0.000049 | * All rights reserved.
-0.000127 | *
-0.000071 | * This package is an SSL implementation written
-0.000021 | * by Eric Young (eay@cryptsoft.com).
-0.000132 | * The implementation was written so as to conform with Netscapes SSL.
-0.168987 | *
-0.000021 | * This library is free for commercial and non-commercial use as long as
-0.000075 | * the following conditions are aheared to. The following conditions
-0.000027 | * apply to all code found in this distribution, be it the RC4, RSA,
-0.000019 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-0.000006 | * included with this distribution is covered by the same copyright terms
-0.000124 | * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-0.001339 | *
-0.000026 | * Copyright remains Eric Young's, and as such any Copyright notices in
-0.000153 | * the code are not to be removed.
-0.000012 | * If this package is used in a product, Eric Young should be given attribution
-0.000039 | * as the author of the parts of the library used.
-0.000009 | * This can be in the form of a textual message at program startup or
-0.000053 | * in documentation (online or textual) provided with the package.
-0.000039 | *
-0.000068 | * Redistribution and use in source and binary forms, with or without
-0.000007 | * modification, are permitted provided that the following conditions
-0.000017 | * are met:
-0.000006 | * 1. Redistributions of source code must retain the copyright
-0.000147 | * notice, this list of conditions and the following disclaimer.
-0.000012 | * 2. Redistributions in binary form must reproduce the above copyright
-0.000012 | * notice, this list of conditions and the following disclaimer in the
-0.000115 | * documentation and/or other materials provided with the distribution.
-0.000011 | * 3. All advertising materials mentioning features or use of this software
-0.000176 | * must display the following acknowledgement:
-0.000158 | * "This product includes cryptographic software written by
-0.000022 | * Eric Young (eay@cryptsoft.com)"
-0.000018 | * The word 'cryptographic' can be left out if the rouines from the library
-0.000148 | * being used are not cryptographic related :-).
-0.000122 | * 4. If you include any Windows specific code (or a derivative thereof) from
-0.000048 | * the apps directory (application code) you must include an acknowledgement:
-0.000256 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-0.000002 | *
-0.000067 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-0.000016 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-0.000013 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-0.000044 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-0.000004 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-0.000005 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-0.000034 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-0.000062 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-0.000009 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-0.000027 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-0.000190 | * SUCH DAMAGE.
-0.000494 | *
-0.000679 | * The licence and distribution terms for any publically available version or
-0.000015 | * derivative of this code cannot be changed. i.e. this code cannot simply be
-0.000161 | * copied and put under another distribution licence
-0.001976 | * [including the GNU Public Licence.]
-0.006251 | */
-0.373614 | /* ====================================================================
-0.122334 | * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
-0.000604 | *
-0.000054 | * Redistribution and use in source and binary forms, with or without
-0.000003 | * modification, are permitted provided that the following conditions
-0.000320 | * are met:
-0.000042 | *
-0.000004 | * 1. Redistributions of source code must retain the above copyright
-0.001244 | * notice, this list of conditions and the following disclaimer.
-0.000002 | *
-0.000003 | * 2. Redistributions in binary form must reproduce the above copyright
-0.000007 | * notice, this list of conditions and the following disclaimer in
-0.000608 | * the documentation and/or other materials provided with the
-0.000030 | * distribution.
-0.000035 | *
-0.000046 | * 3. All advertising materials mentioning features or use of this
-0.000149 | * software must display the following acknowledgment:
-0.000042 | * "This product includes software developed by the OpenSSL Project
-0.000249 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-0.000015 | *
-0.000699 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-0.000008 | * endorse or promote products derived from this software without
-0.000042 | * prior written permission. For written permission, please contact
-0.000496 | * openssl-core@openssl.org.
-0.000047 | *
-0.000028 | * 5. Products derived from this software may not be called "OpenSSL"
-0.000015 | * nor may "OpenSSL" appear in their names without prior written
-0.000029 | * permission of the OpenSSL Project.
-0.000010 | *
-0.000013 | * 6. Redistributions of any form whatsoever must retain the following
-0.000075 | * acknowledgment:
-0.000007 | * "This product includes software developed by the OpenSSL Project
-0.000011 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-0.000030 | *
-0.000071 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-0.000009 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-0.000042 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-0.000018 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-0.000003 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-0.000007 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-0.000009 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-0.000011 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-0.000020 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-0.000007 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-0.000052 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-0.000044 | * OF THE POSSIBILITY OF SUCH DAMAGE.
-0.000459 | * ====================================================================
-0.000718 | *
-0.000820 | * This product includes cryptographic software written by Eric Young
-0.000009 | * (eay@cryptsoft.com). This product includes software written by Tim
-0.011179 | * Hudson (tjh@cryptsoft.com).
-0.000913 | *
-0.038810 | */
-0.465642 |
-0.060530 | #include <stdio.h>
-0.336222 | #include <openssl/objects.h>
-0.167686 | #include <openssl/evp.h>
-0.213788 | #include <openssl/hmac.h>
-0.384650 | #include <openssl/ocsp.h>
-0.239793 | #include <openssl/rand.h>
-0.209722 | #include "ssl_locl.h"
-0.571791 |
-0.167378 | const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
-0.264602 |
-0.429317 | #ifndef OPENSSL_NO_TLSEXT
-0.534907 | static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
-0.375220 | const unsigned char *sess_id, int sesslen,
-0.134384 | SSL_SESSION **psess);
-0.265364 | #endif
-0.186323 |
-0.358547 | SSL3_ENC_METHOD TLSv1_enc_data={
-0.016454 | tls1_enc,
-0.009008 | tls1_mac,
-0.008870 | tls1_setup_key_block,
-0.004689 | tls1_generate_master_secret,
-0.003073 | tls1_change_cipher_state,
-0.002505 | tls1_final_finish_mac,
-0.045614 | TLS1_FINISH_MAC_LENGTH,
-0.011220 | tls1_cert_verify_mac,
-0.095510 | TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
-0.001305 | TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
-0.078330 | tls1_alert_code,
-0.024298 | tls1_export_keying_material,
-2.984523 | };
-0.114243 |
-0.186280 | long tls1_default_timeout(void)
-0.011257 | {
-0.497440 | /* 2 hours, the 24 hours mentioned in the TLSv1 spec
-0.054428 | * is way too long for http, the cache would over fill */
-0.060098 | return(60*60*2);
-0.016668 | }
-0.021435 |
-0.085500 | int tls1_new(SSL *s)
-0.006400 | {
-0.188305 | if (!ssl3_new(s)) return(0);
-0.116935 | s->method->ssl_clear(s);
-0.015089 | return(1);
-0.007715 | }
-0.027263 |
-0.031248 | void tls1_free(SSL *s)
-0.006768 | {
-0.232019 | #ifndef OPENSSL_NO_TLSEXT
-0.290505 | if (s->tlsext_session_ticket)
-0.250588 | {
-0.022955 | OPENSSL_free(s->tlsext_session_ticket);
-1.239552 | }
-0.261866 | #endif /* OPENSSL_NO_TLSEXT */
-0.068124 | ssl3_free(s);
-0.029754 | }
-0.011908 |
-0.085226 | void tls1_clear(SSL *s)
-0.003536 | {
-0.060423 | ssl3_clear(s);
-0.637048 | s->version = s->method->version;
-0.112749 | }
-0.017426 |
-0.536124 | #ifndef OPENSSL_NO_EC
-2.471433 |
-1.464746 | static int nid_list[] =
-0.294936 | {
-0.441755 | NID_sect163k1, /* sect163k1 (1) */
-0.009015 | NID_sect163r1, /* sect163r1 (2) */
-0.003509 | NID_sect163r2, /* sect163r2 (3) */
-0.316109 | NID_sect193r1, /* sect193r1 (4) */
-0.034983 | NID_sect193r2, /* sect193r2 (5) */
-0.097579 | NID_sect233k1, /* sect233k1 (6) */
-0.067191 | NID_sect233r1, /* sect233r1 (7) */
-0.028955 | NID_sect239k1, /* sect239k1 (8) */
-0.053969 | NID_sect283k1, /* sect283k1 (9) */
-0.024341 | NID_sect283r1, /* sect283r1 (10) */
-0.020474 | NID_sect409k1, /* sect409k1 (11) */
-0.091634 | NID_sect409r1, /* sect409r1 (12) */
-0.029168 | NID_sect571k1, /* sect571k1 (13) */
-0.037154 | NID_sect571r1, /* sect571r1 (14) */
-0.076421 | NID_secp160k1, /* secp160k1 (15) */
-0.030097 | NID_secp160r1, /* secp160r1 (16) */
-0.019969 | NID_secp160r2, /* secp160r2 (17) */
-0.039899 | NID_secp192k1, /* secp192k1 (18) */
-0.019627 | NID_X9_62_prime192v1, /* secp192r1 (19) */
-0.022607 | NID_secp224k1, /* secp224k1 (20) */
-0.059487 | NID_secp224r1, /* secp224r1 (21) */
-0.024247 | NID_secp256k1, /* secp256k1 (22) */
-0.024281 | NID_X9_62_prime256v1, /* secp256r1 (23) */
-0.047067 | NID_secp384r1, /* secp384r1 (24) */
-0.398919 | NID_secp521r1 /* secp521r1 (25) */
-0.074767 | };
-0.200244 |
-1.917236 | static int pref_list[] =
-0.021799 | {
-0.707154 | NID_sect571r1, /* sect571r1 (14) */
-0.328619 | NID_sect571k1, /* sect571k1 (13) */
-0.204146 | NID_secp521r1, /* secp521r1 (25) */
-0.493356 | NID_sect409k1, /* sect409k1 (11) */
-0.034017 | NID_sect409r1, /* sect409r1 (12) */
-0.032654 | NID_secp384r1, /* secp384r1 (24) */
-0.062782 | NID_sect283k1, /* sect283k1 (9) */
-0.005742 | NID_sect283r1, /* sect283r1 (10) */
-0.089882 | NID_secp256k1, /* secp256k1 (22) */
-0.007654 | NID_X9_62_prime256v1, /* secp256r1 (23) */
-0.331594 | NID_sect239k1, /* sect239k1 (8) */
-0.065705 | NID_sect233k1, /* sect233k1 (6) */
-0.038209 | NID_sect233r1, /* sect233r1 (7) */
-0.183362 | NID_secp224k1, /* secp224k1 (20) */
-0.004176 | NID_secp224r1, /* secp224r1 (21) */
-0.077273 | NID_sect193r1, /* sect193r1 (4) */
-0.002818 | NID_sect193r2, /* sect193r2 (5) */
-0.098835 | NID_secp192k1, /* secp192k1 (18) */
-0.001746 | NID_X9_62_prime192v1, /* secp192r1 (19) */
-0.016707 | NID_sect163k1, /* sect163k1 (1) */
-0.002601 | NID_sect163r1, /* sect163r1 (2) */
-0.014157 | NID_sect163r2, /* sect163r2 (3) */
-0.150791 | NID_secp160k1, /* secp160k1 (15) */
-0.002655 | NID_secp160r1, /* secp160r1 (16) */
-0.007877 | NID_secp160r2, /* secp160r2 (17) */
-0.243864 | };
-0.169126 |
-0.372556 | int tls1_ec_curve_id2nid(int curve_id)
-0.014726 | {
-1.107614 | /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
-0.606168 | if ((curve_id < 1) || ((unsigned int)curve_id >
-0.116671 | sizeof(nid_list)/sizeof(nid_list[0])))
-0.356600 | return 0;
-0.056616 | return nid_list[curve_id-1];
-0.013161 | }
-0.057620 |
-0.029086 | int tls1_ec_nid2curve_id(int nid)
-0.001306 | {
-0.032344 | /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
-0.723560 | switch (nid)
-0.003058 | {
-0.198355 | case NID_sect163k1: /* sect163k1 (1) */
-0.113427 | return 1;
-0.004428 | case NID_sect163r1: /* sect163r1 (2) */
-0.001804 | return 2;
-0.000498 | case NID_sect163r2: /* sect163r2 (3) */
-0.001579 | return 3;
-0.016392 | case NID_sect193r1: /* sect193r1 (4) */
-0.049191 | return 4;
-0.004393 | case NID_sect193r2: /* sect193r2 (5) */
-0.001578 | return 5;
-0.002272 | case NID_sect233k1: /* sect233k1 (6) */
-0.001211 | return 6;
-0.007914 | case NID_sect233r1: /* sect233r1 (7) */
-0.001229 | return 7;
-0.001361 | case NID_sect239k1: /* sect239k1 (8) */
-0.001832 | return 8;
-0.000951 | case NID_sect283k1: /* sect283k1 (9) */
-0.000530 | return 9;
-0.002869 | case NID_sect283r1: /* sect283r1 (10) */
-0.001175 | return 10;
-0.003549 | case NID_sect409k1: /* sect409k1 (11) */
-0.000686 | return 11;
-0.003168 | case NID_sect409r1: /* sect409r1 (12) */
-0.000583 | return 12;
-0.002063 | case NID_sect571k1: /* sect571k1 (13) */
-0.000793 | return 13;
-0.001453 | case NID_sect571r1: /* sect571r1 (14) */
-0.001594 | return 14;
-0.006125 | case NID_secp160k1: /* secp160k1 (15) */
-0.001755 | return 15;
-0.003617 | case NID_secp160r1: /* secp160r1 (16) */
-0.000996 | return 16;
-0.000834 | case NID_secp160r2: /* secp160r2 (17) */
-0.000852 | return 17;
-0.001133 | case NID_secp192k1: /* secp192k1 (18) */
-0.001214 | return 18;
-0.003840 | case NID_X9_62_prime192v1: /* secp192r1 (19) */
-0.001636 | return 19;
-0.010197 | case NID_secp224k1: /* secp224k1 (20) */
-0.001079 | return 20;
-0.001542 | case NID_secp224r1: /* secp224r1 (21) */
-0.000971 | return 21;
-0.006307 | case NID_secp256k1: /* secp256k1 (22) */
-0.001241 | return 22;
-0.001860 | case NID_X9_62_prime256v1: /* secp256r1 (23) */
-0.001103 | return 23;
-1.145881 | case NID_secp384r1: /* secp384r1 (24) */
-1.514672 | return 24;
-0.701529 | case NID_secp521r1: /* secp521r1 (25) */
-0.025654 | return 25;
-0.462365 | default:
-0.257945 | return 0;
-1.526135 | }
-0.336612 | }
-0.624503 | #endif /* OPENSSL_NO_EC */
-0.130976 |
-0.573655 | #ifndef OPENSSL_NO_TLSEXT
-1.508976 |
-3.039740 | /* List of supported signature algorithms and hashes. Should make this
-1.488566 | * customisable at some point, for now include everything we support.
-0.221053 | */
-1.248934 |
-0.696462 | #ifdef OPENSSL_NO_RSA
-0.728353 | #define tlsext_sigalg_rsa(md) /* */
-0.072788 | #else
-0.376503 | #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
-0.022744 | #endif
-0.352247 |
-0.129795 | #ifdef OPENSSL_NO_DSA
-0.004334 | #define tlsext_sigalg_dsa(md) /* */
-0.003889 | #else
-0.004433 | #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
-0.004761 | #endif
-0.011989 |
-0.113174 | #ifdef OPENSSL_NO_ECDSA
-0.007177 | #define tlsext_sigalg_ecdsa(md) /* */
-0.004520 | #else
-0.005133 | #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
-0.011948 | #endif
-0.019409 |
-0.293183 | #define tlsext_sigalg(md) \
-0.165480 | tlsext_sigalg_rsa(md) \
-0.004035 | tlsext_sigalg_dsa(md) \
-0.011850 | tlsext_sigalg_ecdsa(md)
-0.073939 |
-0.532620 | static unsigned char tls12_sigalgs[] = {
-0.526094 | #ifndef OPENSSL_NO_SHA512
-0.218770 | tlsext_sigalg(TLSEXT_hash_sha512)
-0.161529 | tlsext_sigalg(TLSEXT_hash_sha384)
-0.154879 | #endif
-0.014331 | #ifndef OPENSSL_NO_SHA256
-0.002435 | tlsext_sigalg(TLSEXT_hash_sha256)
-0.111017 | tlsext_sigalg(TLSEXT_hash_sha224)
-0.016743 | #endif
-0.086366 | #ifndef OPENSSL_NO_SHA
-0.005461 | tlsext_sigalg(TLSEXT_hash_sha1)
-0.099439 | #endif
-0.789032 | };
-0.164511 |
-1.030208 | int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
-0.257094 | {
-0.671982 | size_t slen = sizeof(tls12_sigalgs);
-0.790850 | if (p)
-0.053999 | memcpy(p, tls12_sigalgs, slen);
-0.096731 | return (int)slen;
-0.014542 | }
-0.247917 |
-0.877178 | unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
-0.021732 | {
-1.515548 | int extdatalen=0;
-0.640181 | unsigned char *ret = p;
- |
-1.123293 | /* don't add extensions for SSLv3 unless doing secure renegotiation */
-0.511935 | if (s->client_version == SSL3_VERSION
-0.608189 | && !s->s3->send_connection_binding)
-0.307004 | return p;
- |
-1.976663 | ret+=2;
- |
-1.874995 | if (ret>=limit) return NULL; /* this really never occurs, but ... */
- |
-0.930248 | if (s->tlsext_hostname != NULL)
-1.248616 | {
-1.051024 | /* Add TLS extension servername to the Client Hello message */
-2.506682 | unsigned long size_str;
-2.564946 | long lenmax;
- |
-2.039682 | /* check for enough space.
-1.942185 | 4 for the servername type and entension length
-1.043911 | 2 for servernamelist length
-0.779638 | 1 for the hostname type
-0.452795 | 2 for hostname length
-1.046099 | + hostname length
-0.300469 | */
-2.036798 |
-1.183646 | if ((lenmax = limit - ret - 9) < 0
-0.219577 | || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
-0.437534 | return NULL;
-0.442139 |
-0.667516 | /* extension type and length */
-0.357539 | s2n(TLSEXT_TYPE_server_name,ret);
-0.294786 | s2n(size_str+5,ret);
-0.454133 |
-0.479411 | /* length of servername list */
-0.119043 | s2n(size_str+3,ret);
-1.674167 |
-0.567075 | /* hostname type, length and hostname */
-0.269898 | *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
-0.027129 | s2n(size_str,ret);
-0.060977 | memcpy(ret, s->tlsext_hostname, size_str);
-0.178358 | ret+=size_str;
-0.493993 | }
- |
-1.871913 | /* Add RI if renegotiating */
-0.262019 | if (s->renegotiate)
-1.064505 | {
-2.647223 | int el;
-1.167880 |
-0.727120 | if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
-2.021659 | {
-0.048340 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
-0.078182 | return NULL;
-0.685337 | }
- |
-1.156560 | if((limit - p - 4 - el) < 0) return NULL;
-0.603815 |
-0.188399 | s2n(TLSEXT_TYPE_renegotiate,ret);
-0.281790 | s2n(el,ret);
- |
-0.199146 | if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
-0.062193 | {
-0.001466 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
-0.002634 | return NULL;
-0.284568 | }
- |
-0.219647 | ret += el;
-2.595325 | }
-0.864798 |
-0.330509 | #ifndef OPENSSL_NO_SRP
-0.696974 | /* Add SRP username if there is one */
-0.035429 | if (s->srp_ctx.login != NULL)
-0.690464 | { /* Add TLS extension SRP username to the Client Hello message */
- |
-0.665865 | int login_len = strlen(s->srp_ctx.login);
-0.557495 | if (login_len > 255 || login_len == 0)
-0.139071 | {
-0.051370 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
-0.023656 | return NULL;
-0.928613 | }
- |
-0.469026 | /* check for enough space.
-1.003283 | 4 for the srp type type and entension length
-1.376249 | 1 for the srp user identity
-0.288321 | + srp user identity length
-0.088740 | */
-0.530713 | if ((limit - ret - 5 - login_len) < 0) return NULL;
- |
-1.538260 | /* fill in the extension */
-0.062719 | s2n(TLSEXT_TYPE_srp,ret);
-0.180277 | s2n(login_len+1,ret);
-0.696580 | (*ret++) = (unsigned char) login_len;
-0.016781 | memcpy(ret, s->srp_ctx.login, login_len);
-0.139349 | ret+=login_len;
-0.042051 | }
-0.353088 | #endif
-0.217009 |
-0.080581 | #ifndef OPENSSL_NO_EC
-0.494102 | if (s->tlsext_ecpointformatlist != NULL &&
-0.947244 | s->version != DTLS1_VERSION)
-0.116248 | {
-0.396243 | /* Add TLS extension ECPointFormats to the ClientHello message */
-1.076973 | long lenmax;
- |
-0.324751 | if ((lenmax = limit - ret - 5) < 0) return NULL;
-0.278963 | if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
-0.439029 | if (s->tlsext_ecpointformatlist_length > 255)
-0.064683 | {
-0.013210 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
-0.005258 | return NULL;
-0.274910 | }
-0.577642 |
-0.068300 | s2n(TLSEXT_TYPE_ec_point_formats,ret);
-0.087106 | s2n(s->tlsext_ecpointformatlist_length + 1,ret);
-0.051847 | *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
-0.032656 | memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
-0.046021 | ret+=s->tlsext_ecpointformatlist_length;
-0.073475 | }
-0.212771 | if (s->tlsext_ellipticcurvelist != NULL &&
-0.019081 | s->version != DTLS1_VERSION)
-0.011262 | {
-0.058625 | /* Add TLS extension EllipticCurves to the ClientHello message */
-0.036307 | long lenmax;
- |
-0.181851 | if ((lenmax = limit - ret - 6) < 0) return NULL;
-0.005128 | if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
-0.502984 | if (s->tlsext_ellipticcurvelist_length > 65532)
-0.006003 | {
-0.000918 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
-0.000566 | return NULL;
-0.074231 | }
-0.061269 |
-0.008619 | s2n(TLSEXT_TYPE_elliptic_curves,ret);
-0.299837 | s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
- |
-1.963441 | /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
-1.332406 | * elliptic_curve_list, but the examples use two bytes.
-0.960782 | * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
-1.790410 | * resolves this to two bytes.
-0.096040 | */
-0.080956 | s2n(s->tlsext_ellipticcurvelist_length, ret);
-0.012318 | memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
-0.019516 | ret+=s->tlsext_ellipticcurvelist_length;
-0.028000 | }
-0.221281 | #endif /* OPENSSL_NO_EC */
- |
-0.600376 | if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
-0.063862 | {
-1.001151 | int ticklen;
-0.716085 | if (!s->new_session && s->session && s->session->tlsext_tick)
-0.041714 | ticklen = s->session->tlsext_ticklen;
-0.554095 | else if (s->session && s->tlsext_session_ticket &&
-0.120355 | s->tlsext_session_ticket->data)
-0.435221 | {
-0.045028 | ticklen = s->tlsext_session_ticket->length;
-0.223925 | s->session->tlsext_tick = OPENSSL_malloc(ticklen);
-0.068177 | if (!s->session->tlsext_tick)
-0.217018 | return NULL;
-0.044025 | memcpy(s->session->tlsext_tick,
-0.159412 | s->tlsext_session_ticket->data,
-0.017994 | ticklen);
-0.027839 | s->session->tlsext_ticklen = ticklen;
-0.013798 | }
-0.031624 | else
-0.185214 | ticklen = 0;
-0.530247 | if (ticklen == 0 && s->tlsext_session_ticket &&
-0.234422 | s->tlsext_session_ticket->data == NULL)
-0.913833 | goto skip_ext;
-1.633787 | /* Check for enough room 2 for extension type, 2 for len
-2.243895 | * rest for ticket
-1.161282 | */
-0.379441 | if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
-0.223174 | s2n(TLSEXT_TYPE_session_ticket,ret);
-0.078670 | s2n(ticklen,ret);
-0.228508 | if (ticklen)
-0.351122 | {
-0.064005 | memcpy(ret, s->session->tlsext_tick, ticklen);
-0.149821 | ret += ticklen;
-0.027973 | }
-0.150808 | }
-1.434280 | skip_ext:
- |
-0.528706 | if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
-0.034797 | {
-0.794865 | if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
-0.541211 | return NULL;
-0.058132 | s2n(TLSEXT_TYPE_signature_algorithms,ret);
-0.132370 | s2n(sizeof(tls12_sigalgs) + 2, ret);
-0.100525 | s2n(sizeof(tls12_sigalgs), ret);
-0.005368 | memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
-0.026759 | ret += sizeof(tls12_sigalgs);
-0.264600 | }
-1.375912 |
-0.179584 | #ifdef TLSEXT_TYPE_opaque_prf_input
-0.240756 | if (s->s3->client_opaque_prf_input != NULL &&
-0.345576 | s->version != DTLS1_VERSION)
-0.021448 | {
-0.602297 | size_t col = s->s3->client_opaque_prf_input_len;
-0.980693 |
-1.012782 | if ((long)(limit - ret - 6 - col < 0))
-0.095441 | return NULL;
-1.104395 | if (col > 0xFFFD) /* can't happen */
-0.354406 | return NULL;
- |
-0.194894 | s2n(TLSEXT_TYPE_opaque_prf_input, ret);
-0.095306 | s2n(col + 2, ret);
-0.065611 | s2n(col, ret);
-0.010144 | memcpy(ret, s->s3->client_opaque_prf_input, col);
-0.021793 | ret += col;
-0.012645 | }
-0.479161 | #endif
- |
-0.254834 | if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
-0.188547 | s->version != DTLS1_VERSION)
-0.020713 | {
-1.175961 | int i;
-1.857665 | long extlen, idlen, itmp;
-0.427738 | OCSP_RESPID *id;
- |
-0.752404 | idlen = 0;
-0.067845 | for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
-0.092177 | {
-0.011251 | id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
-0.076693 | itmp = i2d_OCSP_RESPID(id, NULL);
-0.307291 | if (itmp <= 0)
-0.162324 | return NULL;
-0.148177 | idlen += itmp + 2;
-0.104640 | }
- |
-0.272547 | if (s->tlsext_ocsp_exts)
-0.148881 | {
-0.071120 | extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
-0.115058 | if (extlen < 0)
-0.009273 | return NULL;
-0.076608 | }
-0.011253 | else
-0.206326 | extlen = 0;
-0.461773 |
-0.411659 | if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
-0.078858 | s2n(TLSEXT_TYPE_status_request, ret);
-1.022186 | if (extlen + idlen > 0xFFF0)
-0.174747 | return NULL;
-0.212501 | s2n(extlen + idlen + 5, ret);
-0.156649 | *(ret++) = TLSEXT_STATUSTYPE_ocsp;
-0.120465 | s2n(idlen, ret);
-0.005893 | for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
-0.003608 | {
-2.137794 | /* save position of id len */
-0.639795 | unsigned char *q = ret;
-0.011228 | id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
-1.254372 | /* skip over id len */
-0.086126 | ret += 2;
-0.020807 | itmp = i2d_OCSP_RESPID(id, &ret);
-0.757173 | /* write id len */
-0.018936 | s2n(itmp, q);
-0.043864 | }
-0.327425 | s2n(extlen, ret);
-0.111828 | if (extlen > 0)
-0.022100 | i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
-0.156484 | }
-0.652885 |
-0.169057 | #ifndef OPENSSL_NO_HEARTBEATS
-0.664706 | /* Add Heartbeat extension */
-0.448679 | s2n(TLSEXT_TYPE_heartbeat,ret);
-0.098827 | s2n(1,ret);
-1.723661 | /* Set mode:
-0.457813 | * 1: peer may send requests
-0.017275 | * 2: peer not allowed to send requests
-0.286689 | */
-0.046008 | if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
-0.064569 | *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-0.033052 | else
-0.012533 | *(ret++) = SSL_TLSEXT_HB_ENABLED;
-0.433642 | #endif
-0.648035 |
-0.076852 | #ifndef OPENSSL_NO_NEXTPROTONEG
-1.710119 | if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
-1.154944 | {
-2.028169 | /* The client advertises an emtpy extension to indicate its
-0.874216 | * support for Next Protocol Negotiation */
-1.744672 | if (limit - ret - 4 < 0)
-1.130317 | return NULL;
-0.369046 | s2n(TLSEXT_TYPE_next_proto_neg,ret);
-0.123429 | s2n(0,ret);
-0.320573 | }
-0.669216 | #endif
-1.344870 |
-0.156987 | #ifndef OPENSSL_NO_SRTP
-0.741082 | if(SSL_get_srtp_profiles(s))
-0.838172 | {
-2.697132 | int el;
- |
-0.743973 | ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
-3.225118 |
-1.373364 | if((limit - p - 4 - el) < 0) return NULL;
- |
-0.204701 | s2n(TLSEXT_TYPE_use_srtp,ret);
-0.224864 | s2n(el,ret);
- |
-0.384157 | if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
-1.136161 | {
-0.129463 | SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
-0.058459 | return NULL;
-0.074736 | }
-0.185422 | ret += el;
-0.049773 | }
-0.349613 | #endif
- |
-1.825749 | if ((extdatalen = ret-p-2)== 0)
-0.491743 | return p;
- |
-0.142005 | s2n(extdatalen,p);
-0.547391 | return ret;
-0.139206 | }
-0.057464 |
-0.288033 | unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
-0.032151 | {
-0.671601 | int extdatalen=0;
-0.328978 | unsigned char *ret = p;
-0.207326 | #ifndef OPENSSL_NO_NEXTPROTONEG
-0.521633 | int next_proto_neg_seen;
-0.734440 | #endif
- |
-1.280880 | /* don't add extensions for SSLv3, unless doing secure renegotiation */
-0.145755 | if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
-0.200116 | return p;
-1.678193 |
-1.705601 | ret+=2;
-1.768360 | if (ret>=limit) return NULL; /* this really never occurs, but ... */
- |
-0.787382 | if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
-1.156107 | {
-0.889153 | if ((long)(limit - ret - 4) < 0) return NULL;
- |
-0.033817 | s2n(TLSEXT_TYPE_server_name,ret);
-0.128643 | s2n(0,ret);
-0.486614 | }
- |
-0.492868 | if(s->s3->send_connection_binding)
-1.842530 | {
-1.973990 | int el;
-1.243693 |
-0.409864 | if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
-1.205601 | {
-0.024880 | SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
-0.012657 | return NULL;
-0.402943 | }
- |
-0.154145 | if((limit - p - 4 - el) < 0) return NULL;
-0.220912 |
-0.011839 | s2n(TLSEXT_TYPE_renegotiate,ret);
-0.108865 | s2n(el,ret);
- |
-0.046274 | if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
-0.060864 | {
-0.000557 | SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
-0.001215 | return NULL;
-0.708920 | }
- |
-0.062083 | ret += el;
-0.276663 | }
-0.269715 |
-0.088828 | #ifndef OPENSSL_NO_EC
-0.361457 | if (s->tlsext_ecpointformatlist != NULL &&
-1.015306 | s->version != DTLS1_VERSION)
-0.029332 | {
-0.809636 | /* Add TLS extension ECPointFormats to the ServerHello message */
-2.578915 | long lenmax;
- |
-0.571846 | if ((lenmax = limit - ret - 5) < 0) return NULL;
-0.477140 | if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
-0.474576 | if (s->tlsext_ecpointformatlist_length > 255)
-0.115614 | {
-0.031520 | SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
-0.009659 | return NULL;
-0.173367 | }
-0.662484 |
-0.020743 | s2n(TLSEXT_TYPE_ec_point_formats,ret);
-0.175346 | s2n(s->tlsext_ecpointformatlist_length + 1,ret);
-0.187552 | *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
-0.060353 | memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
-0.374231 | ret+=s->tlsext_ecpointformatlist_length;
- |
-0.286525 | }
-1.885618 | /* Currently the server should not respond with a SupportedCurves extension */
-0.489254 | #endif /* OPENSSL_NO_EC */
- |
-0.900900 | if (s->tlsext_ticket_expected
-0.371322 | && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
-0.454408 | {
-0.141501 | if ((long)(limit - ret - 4) < 0) return NULL;
-0.022006 | s2n(TLSEXT_TYPE_session_ticket,ret);
-0.013048 | s2n(0,ret);
-0.325529 | }
- |
-0.225474 | if (s->tlsext_status_expected)
-0.271182 | {
-0.033208 | if ((long)(limit - ret - 4) < 0) return NULL;
-0.004193 | s2n(TLSEXT_TYPE_status_request,ret);
-0.009628 | s2n(0,ret);
-0.110822 | }
-0.192222 |
-0.188716 | #ifdef TLSEXT_TYPE_opaque_prf_input
-0.452118 | if (s->s3->server_opaque_prf_input != NULL &&
-0.229458 | s->version != DTLS1_VERSION)
-0.151656 | {
-0.738169 | size_t sol = s->s3->server_opaque_prf_input_len;
-0.944507 |
-0.443692 | if ((long)(limit - ret - 6 - sol) < 0)
-0.106375 | return NULL;
-0.915112 | if (sol > 0xFFFD) /* can't happen */
-0.365749 | return NULL;
- |
-0.284047 | s2n(TLSEXT_TYPE_opaque_prf_input, ret);
-0.164103 | s2n(sol + 2, ret);
-0.117372 | s2n(sol, ret);
-0.015712 | memcpy(ret, s->s3->server_opaque_prf_input, sol);
-0.040623 | ret += sol;
-0.019842 | }
-0.163159 | #endif
-0.120794 |
-0.179745 | #ifndef OPENSSL_NO_SRTP
-0.435636 | if(s->srtp_profile)
-0.088330 | {
-0.138455 | int el;
- |
-0.035507 | ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
-0.046363 |
-0.020458 | if((limit - p - 4 - el) < 0) return NULL;
- |
-0.002108 | s2n(TLSEXT_TYPE_use_srtp,ret);
-0.005931 | s2n(el,ret);
- |
-0.007044 | if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
-0.027858 | {
-0.000656 | SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
-0.000477 | return NULL;
-0.008559 | }
-0.875163 | ret+=el;
-0.008118 | }
-0.247898 | #endif
- |
-0.736742 | if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
-0.303096 | && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
-1.397063 | { const unsigned char cryptopro_ext[36] = {
-1.387062 | 0xfd, 0xe8, /*65000*/
-0.409935 | 0x00, 0x20, /*32 bytes length*/
-0.276855 | 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
-0.508129 | 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
-0.149603 | 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
-0.078991 | 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
-0.706532 | if (limit-ret<36) return NULL;
-0.092206 | memcpy(ret,cryptopro_ext,36);
-0.631509 | ret+=36;
- |
-0.358269 | }
-0.483954 |
-0.230552 | #ifndef OPENSSL_NO_HEARTBEATS
-1.235839 | /* Add Heartbeat extension if we've received one */
-0.050200 | if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
-0.054038 | {
-0.289828 | s2n(TLSEXT_TYPE_heartbeat,ret);
-0.136348 | s2n(1,ret);
-1.130289 | /* Set mode:
-0.466325 | * 1: peer may send requests
-0.014602 | * 2: peer not allowed to send requests
-0.252902 | */
-0.020075 | if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
-0.091689 | *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-0.017425 | else
-0.122187 | *(ret++) = SSL_TLSEXT_HB_ENABLED;
- |
-0.144070 | }
-0.173499 | #endif
-0.130705 |
-0.013593 | #ifndef OPENSSL_NO_NEXTPROTONEG
-0.116245 | next_proto_neg_seen = s->s3->next_proto_neg_seen;
-0.043976 | s->s3->next_proto_neg_seen = 0;
-0.272327 | if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
-0.017850 | {
-0.194404 | const unsigned char *npa;
-0.156989 | unsigned int npalen;
-0.606248 | int r;
- |
-0.055705 | r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
-0.028103 | if (r == SSL_TLSEXT_ERR_OK)
-0.006641 | {
-0.158755 | if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
-0.022895 | s2n(TLSEXT_TYPE_next_proto_neg,ret);
-0.016179 | s2n(npalen,ret);
-0.025563 | memcpy(ret, npa, npalen);
-0.013175 | ret += npalen;
-0.212140 | s->s3->next_proto_neg_seen = 1;
-0.015786 | }
-0.055762 | }
-0.354071 | #endif
- |
-0.083889 | if ((extdatalen = ret-p-2)== 0)
-0.016696 | return p;
- |
-0.006926 | s2n(extdatalen,p);
-0.012877 | return ret;
-0.073208 | }
-0.046175 |
-0.334291 | #ifndef OPENSSL_NO_EC
-1.311337 | /* ssl_check_for_safari attempts to fingerprint Safari using OS X
-1.185608 | * SecureTransport using the TLS extension block in |d|, of length |n|.
-0.764938 | * Safari, since 10.6, sends exactly these extensions, in this order:
-1.053030 | * SNI,
-0.220055 | * elliptic_curves
-0.018673 | * ec_point_formats
-1.014713 | *
-0.426614 | * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
-0.275825 | * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
-0.597795 | * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
-0.089875 | * 10.8..10.8.3 (which don't work).
-0.825352 | */
-0.855696 | static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
-0.965390 | unsigned short type, size;
-0.606281 | static const unsigned char kSafariExtensionsBlock[] = {
-0.249800 | 0x00, 0x0a, /* elliptic_curves extension */
-0.049020 | 0x00, 0x08, /* 8 bytes */
-0.201419 | 0x00, 0x06, /* 6 bytes of curve ids */
-0.026512 | 0x00, 0x17, /* P-256 */
-0.001745 | 0x00, 0x18, /* P-384 */
-0.180793 | 0x00, 0x19, /* P-521 */
- |
-0.038220 | 0x00, 0x0b, /* ec_point_formats */
-0.060520 | 0x00, 0x02, /* 2 bytes */
-0.134408 | 0x01, /* 1 point format */
-0.165259 | 0x00, /* uncompressed */
-0.362451 | };
- |
-1.691188 | /* The following is only present in TLS 1.2 */
-0.434412 | static const unsigned char kSafariTLS12ExtensionsBlock[] = {
-0.241636 | 0x00, 0x0d, /* signature_algorithms */
-0.112453 | 0x00, 0x0c, /* 12 bytes */
-0.101646 | 0x00, 0x0a, /* 10 bytes */
-0.150923 | 0x05, 0x01, /* SHA-384/RSA */
-0.012320 | 0x04, 0x01, /* SHA-256/RSA */
-0.015196 | 0x02, 0x01, /* SHA-1/RSA */
-0.016418 | 0x04, 0x03, /* SHA-256/ECDSA */
-0.027033 | 0x02, 0x03, /* SHA-1/ECDSA */
-0.259866 | };
- |
-1.524448 | if (data >= (d+n-2))
-0.213434 | return;
-1.202893 | data += 2;
- |
-0.659592 | if (data > (d+n-4))
-0.058087 | return;
-1.042179 | n2s(data,type);
-0.100223 | n2s(data,size);
- |
-0.250574 | if (type != TLSEXT_TYPE_server_name)
-0.114466 | return;
- |
-0.387115 | if (data+size > d+n)
-0.268765 | return;
-0.741128 | data += size;
- |
-0.466849 | if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
-0.025567 | {
-0.756837 | const size_t len1 = sizeof(kSafariExtensionsBlock);
-0.055694 | const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
- |
-0.672490 | if (data + len1 + len2 != d+n)
-0.137406 | return;
-0.057969 | if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-0.007402 | return;
-0.033012 | if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
-0.032285 | return;
-0.070498 | }
-0.041006 | else
-0.002095 | {
-0.066796 | const size_t len = sizeof(kSafariExtensionsBlock);
- |
-0.010442 | if (data + len != d+n)
-0.004893 | return;
-0.001341 | if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-0.001284 | return;
-0.048231 | }
- |
-0.137592 | s->s3->is_probably_safari = 1;
-0.714675 | }
-0.242525 | #endif /* !OPENSSL_NO_EC */
-0.025667 |
-0.215575 | int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
-0.031364 | {
-0.485501 | unsigned short type;
-0.208973 | unsigned short size;
-0.544118 | unsigned short len;
-0.454981 | unsigned char *data = *p;
-0.518408 | int renegotiate_seen = 0;
-0.890170 | int sigalg_seen = 0;
- |
-0.555404 | s->servername_done = 0;
-0.125441 | s->tlsext_status_type = -1;
-0.259235 | #ifndef OPENSSL_NO_NEXTPROTONEG
-0.013711 | s->s3->next_proto_neg_seen = 0;
-0.163382 | #endif
-2.072606 |
-0.077925 | #ifndef OPENSSL_NO_HEARTBEATS
-0.255895 | s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
-0.345641 | SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
-0.428711 | #endif
-0.631878 |
-0.111300 | #ifndef OPENSSL_NO_EC
-0.259362 | if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-0.168719 | ssl_check_for_safari(s, data, d, n);
-0.256679 | #endif /* !OPENSSL_NO_EC */
- |
-0.287906 | if (data >= (d+n-2))
-0.439852 | goto ri_check;
-0.709949 | n2s(data,len);
- |
-0.630271 | if (data > (d+n-len))
-0.141935 | goto ri_check;
- |
-0.539868 | while (data <= (d+n-4))
-0.009714 | {
-0.085520 | n2s(data,type);
-0.051952 | n2s(data,size);
- |
-0.255365 | if (data+size > (d+n))
-1.047166 | goto ri_check;
-1.680491 | #if 0
-1.295151 | fprintf(stderr,"Received extension type %d size %d\n",type,size);
-1.080877 | #endif
-1.549131 | if (s->tlsext_debug_cb)
-0.285297 | s->tlsext_debug_cb(s, 0, type, data, size,
-0.234182 | s->tlsext_debug_arg);
-2.615633 | /* The servername extension is treated as follows:
- |
-0.498195 | - Only the hostname type is supported with a maximum length of 255.
-0.120485 | - The servername is rejected if too long or if it contains zeros,
-0.087911 | in which case an fatal alert is generated.
-0.131013 | - The servername field is maintained together with the session cache.
-0.301845 | - When a session is resumed, the servername call back invoked in order
-0.531029 | to allow the application to position itself to the right context.
-0.392890 | - The servername is acknowledged if it is new for a session or when
-0.189333 | it is identical to a previously used for the same session.
-0.611352 | Applications can control the behaviour. They can at any time
-0.450250 | set a 'desirable' servername for a new SSL object. This can be the
-0.337066 | case for example with HTTPS when a Host: header field is received and
-0.360401 | a renegotiation is requested. In this case, a possible servername
-0.207821 | presented in the new client hello is only acknowledged if it matches
-0.373914 | the value of the Host: field.
-0.351221 | - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-1.117539 | if they provide for changing an explicit servername context for the session,
-0.611057 | i.e. when the session has been established with a servername extension.
-0.587115 | - On session reconnect, the servername extension may be absent.
-2.457763 |
-3.110195 | */
- |
-0.202537 | if (type == TLSEXT_TYPE_server_name)
-0.098414 | {
-0.658710 | unsigned char *sdata;
-1.116031 | int servname_type;
-1.403661 | int dsize;
-2.098726 |
-0.489492 | if (size < 2)
-0.085754 | {
-0.297330 | *al = SSL_AD_DECODE_ERROR;
-0.162946 | return 0;
-0.061725 | }
-0.981660 | n2s(data,dsize);
-0.793778 | size -= 2;
-0.907041 | if (dsize > size )
-0.007573 | {
-0.008930 | *al = SSL_AD_DECODE_ERROR;
-0.003403 | return 0;
-0.959757 | }
- |
-0.157515 | sdata = data;
-0.722828 | while (dsize > 3)
-0.012989 | {
-0.852263 | servname_type = *(sdata++);
-0.309156 | n2s(sdata,len);
-0.447745 | dsize -= 3;
- |
-0.176837 | if (len > dsize)
-0.012085 | {
-0.007576 | *al = SSL_AD_DECODE_ERROR;
-0.004373 | return 0;
-0.091790 | }
-0.545778 | if (s->servername_done == 0)
-1.007179 | switch (servname_type)
-0.013228 | {
-0.033490 | case TLSEXT_NAMETYPE_host_name:
-0.382384 | if (!s->hit)
-0.049684 | {
-0.508314 | if(s->session->tlsext_hostname)
-0.288396 | {
-0.489646 | *al = SSL_AD_DECODE_ERROR;
-0.009304 | return 0;
-0.014244 | }
-0.203366 | if (len > TLSEXT_MAXLEN_host_name)
-0.017207 | {
-0.139451 | *al = TLS1_AD_UNRECOGNIZED_NAME;
-0.011035 | return 0;
-0.011185 | }
-0.336503 | if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
-0.024319 | {
-0.067318 | *al = TLS1_AD_INTERNAL_ERROR;
-0.006947 | return 0;
-0.007158 | }
-0.065162 | memcpy(s->session->tlsext_hostname, sdata, len);
-0.127810 | s->session->tlsext_hostname[len]='\0';
-0.544814 | if (strlen(s->session->tlsext_hostname) != len) {
-0.098093 | OPENSSL_free(s->session->tlsext_hostname);
-0.031112 | s->session->tlsext_hostname = NULL;
-0.028163 | *al = TLS1_AD_UNRECOGNIZED_NAME;
-0.003592 | return 0;
-0.018014 | }
-0.511132 | s->servername_done = 1;
- |
-0.201018 | }
-0.371235 | else
-0.354945 | s->servername_done = s->session->tlsext_hostname
-0.325060 | && strlen(s->session->tlsext_hostname) == len
-0.173565 | && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
-0.545717 |
-0.312094 | break;
- |
-0.083523 | default:
-0.110922 | break;
-0.073123 | }
-1.131994 |
-0.168763 | dsize -= len;
-1.044440 | }
-0.347293 | if (dsize != 0)
-0.011318 | {
-0.010454 | *al = SSL_AD_DECODE_ERROR;
-0.004195 | return 0;
-0.341312 | }
- |
-0.407781 | }
-0.651347 | #ifndef OPENSSL_NO_SRP
-0.059494 | else if (type == TLSEXT_TYPE_srp)
-0.019208 | {
-1.742869 | if (size <= 0 || ((len = data[0])) != (size -1))
-0.015732 | {
-0.011716 | *al = SSL_AD_DECODE_ERROR;
-0.005355 | return 0;
-0.050530 | }
-0.232896 | if (s->srp_ctx.login != NULL)
-0.057026 | {
-0.148782 | *al = SSL_AD_DECODE_ERROR;
-0.006604 | return 0;
-0.021182 | }
-0.152481 | if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
-0.677018 | return -1;
-0.100364 | memcpy(s->srp_ctx.login, &data[1], len);
-0.075094 | s->srp_ctx.login[len]='\0';
-4.850175 |
-0.164938 | if (strlen(s->srp_ctx.login) != len)
-0.013753 | {
-0.142560 | *al = SSL_AD_DECODE_ERROR;
-0.009627 | return 0;
-0.041563 | }
-0.168780 | }
-0.151107 | #endif
-2.247521 |
-0.131350 | #ifndef OPENSSL_NO_EC
-0.314068 | else if (type == TLSEXT_TYPE_ec_point_formats &&
-1.211337 | s->version != DTLS1_VERSION)
-0.030132 | {
-0.545963 | unsigned char *sdata = data;
-0.627556 | int ecpointformatlist_length = *(sdata++);
- |
-0.261925 | if (ecpointformatlist_length != size - 1)
-0.010849 | {
-0.218987 | *al = TLS1_AD_DECODE_ERROR;
-0.006557 | return 0;
-0.140246 | }
-0.504682 | if (!s->hit)
-0.021099 | {
-0.271781 | if(s->session->tlsext_ecpointformatlist)
-0.058552 | {
-0.019505 | OPENSSL_free(s->session->tlsext_ecpointformatlist);
-0.013255 | s->session->tlsext_ecpointformatlist = NULL;
-0.028938 | }
-0.209013 | s->session->tlsext_ecpointformatlist_length = 0;
-0.085011 | if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
-0.091745 | {
-0.008054 | *al = TLS1_AD_INTERNAL_ERROR;
-0.003499 | return 0;
-0.008147 | }
-0.098998 | s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-0.021343 | memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
-0.045909 | }
-1.739920 | #if 0
-0.839331 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
-0.369414 | sdata = s->session->tlsext_ecpointformatlist;
-0.070303 | for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
-0.293485 | fprintf(stderr,"%i ",*(sdata++));
-0.008454 | fprintf(stderr,"\n");
-0.056652 | #endif
-0.043570 | }
-0.105011 | else if (type == TLSEXT_TYPE_elliptic_curves &&
-0.065425 | s->version != DTLS1_VERSION)
-0.005205 | {
-0.009743 | unsigned char *sdata = data;
-0.726646 | int ellipticcurvelist_length = (*(sdata++) << 8);
-0.187114 | ellipticcurvelist_length += (*(sdata++));
- |
-0.271217 | if (ellipticcurvelist_length != size - 2 ||
-0.325731 | ellipticcurvelist_length < 1)
-0.002208 | {
-0.003798 | *al = TLS1_AD_DECODE_ERROR;
-0.001035 | return 0;
-0.033214 | }
-0.014405 | if (!s->hit)
-0.001307 | {
-0.008818 | if(s->session->tlsext_ellipticcurvelist)
-0.001183 | {
-0.485600 | *al = TLS1_AD_DECODE_ERROR;
-0.008488 | return 0;
-0.006787 | }
-0.015418 | s->session->tlsext_ellipticcurvelist_length = 0;
-0.010951 | if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
-0.006760 | {
-0.001812 | *al = TLS1_AD_INTERNAL_ERROR;
-0.000354 | return 0;
-0.003238 | }
-0.010388 | s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
-0.006500 | memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
-0.009604 | }
-0.194324 | #if 0
-0.013674 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
-0.002103 | sdata = s->session->tlsext_ellipticcurvelist;
-0.003195 | for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
-0.009409 | fprintf(stderr,"%i ",*(sdata++));
-0.001108 | fprintf(stderr,"\n");
-0.026747 | #endif
-0.040424 | }
-0.217044 | #endif /* OPENSSL_NO_EC */
-0.217269 | #ifdef TLSEXT_TYPE_opaque_prf_input
-0.066299 | else if (type == TLSEXT_TYPE_opaque_prf_input &&
-0.173896 | s->version != DTLS1_VERSION)
-0.007673 | {
-0.281966 | unsigned char *sdata = data;
- |
-0.265413 | if (size < 2)
-0.005439 | {
-0.007805 | *al = SSL_AD_DECODE_ERROR;
-0.001527 | return 0;
-0.030195 | }
-0.330090 | n2s(sdata, s->s3->client_opaque_prf_input_len);
-0.140323 | if (s->s3->client_opaque_prf_input_len != size - 2)
-0.002527 | {
-0.006807 | *al = SSL_AD_DECODE_ERROR;
-0.000882 | return 0;
-0.361751 | }
- |
-0.505127 | if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
-0.035706 | OPENSSL_free(s->s3->client_opaque_prf_input);
-0.306976 | if (s->s3->client_opaque_prf_input_len == 0)
-0.482292 | s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
-0.057269 | else
-0.114419 | s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
-0.028420 | if (s->s3->client_opaque_prf_input == NULL)
-0.010916 | {
-0.011704 | *al = TLS1_AD_INTERNAL_ERROR;
-0.004583 | return 0;
-0.027480 | }
-0.048939 | }
-0.166533 | #endif
-0.359978 | else if (type == TLSEXT_TYPE_session_ticket)
-0.018719 | {
-0.349674 | if (s->tls_session_ticket_ext_cb &&
-0.120533 | !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
-0.054229 | {
-0.089764 | *al = TLS1_AD_INTERNAL_ERROR;
-0.009608 | return 0;
-0.010513 | }
-0.084771 | }
-0.223784 | else if (type == TLSEXT_TYPE_renegotiate)
-0.010023 | {
-0.390930 | if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
-0.051241 | return 0;
-0.613415 | renegotiate_seen = 1;
-0.055489 | }
-0.154912 | else if (type == TLSEXT_TYPE_signature_algorithms)
-0.009289 | {
-1.312217 | int dsize;
-1.381577 | if (sigalg_seen || size < 2)
-0.010236 | {
-0.027644 | *al = SSL_AD_DECODE_ERROR;
-0.002170 | return 0;
-0.023296 | }
-0.164590 | sigalg_seen = 1;
-0.095603 | n2s(data,dsize);
-0.184689 | size -= 2;
-0.546529 | if (dsize != size || dsize & 1)
-0.002693 | {
-0.003076 | *al = SSL_AD_DECODE_ERROR;
-0.000762 | return 0;
-0.026759 | }
-0.291794 | if (!tls1_process_sigalgs(s, data, dsize))
-0.038343 | {
-0.074081 | *al = SSL_AD_DECODE_ERROR;
-0.002393 | return 0;
-0.005252 | }
-0.053614 | }
-0.407011 | else if (type == TLSEXT_TYPE_status_request &&
-0.826404 | s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
-0.011510 | {
-3.255971 |
-0.457065 | if (size < 5)
-0.003069 | {
-0.004379 | *al = SSL_AD_DECODE_ERROR;
-0.001162 | return 0;
-0.344820 | }
- |
-0.363580 | s->tlsext_status_type = *data++;
-0.343425 | size--;
-0.087360 | if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
-0.016306 | {
-0.728982 | const unsigned char *sdata;
-0.436098 | int dsize;
-1.040295 | /* Read in responder_id_list */
-0.101965 | n2s(data,dsize);
-0.165787 | size -= 2;
-0.399504 | if (dsize > size )
-0.001687 | {
-0.002089 | *al = SSL_AD_DECODE_ERROR;
-0.001077 | return 0;
-0.087551 | }
-0.675597 | while (dsize > 0)
-0.006584 | {
-0.432385 | OCSP_RESPID *id;
-0.484786 | int idsize;
-0.556205 | if (dsize < 4)
-0.012063 | {
-0.010380 | *al = SSL_AD_DECODE_ERROR;
-0.002024 | return 0;
-0.752712 | }
-2.301545 | n2s(data, idsize);
-0.942052 | dsize -= 2 + idsize;
-0.487422 | size -= 2 + idsize;
-0.375776 | if (dsize < 0)
-0.885313 | {
-0.944782 | *al = SSL_AD_DECODE_ERROR;
-0.094187 | return 0;
-0.021319 | }
-0.995344 | sdata = data;
-0.129671 | data += idsize;
-0.658919 | id = d2i_OCSP_RESPID(NULL,
-0.347139 | &sdata, idsize);
-0.199174 | if (!id)
-0.005889 | {
-0.012832 | *al = SSL_AD_DECODE_ERROR;
-0.004188 | return 0;
-0.010663 | }
-0.760015 | if (data != sdata)
-0.028832 | {
-0.084660 | OCSP_RESPID_free(id);
-0.008925 | *al = SSL_AD_DECODE_ERROR;
-0.000605 | return 0;
-0.013446 | }
-0.737769 | if (!s->tlsext_ocsp_ids
-0.146633 | && !(s->tlsext_ocsp_ids =
-0.033101 | sk_OCSP_RESPID_new_null()))
-0.012727 | {
-0.009787 | OCSP_RESPID_free(id);
-0.010824 | *al = SSL_AD_INTERNAL_ERROR;
-0.003252 | return 0;
-0.005508 | }
-0.147609 | if (!sk_OCSP_RESPID_push(
-0.061729 | s->tlsext_ocsp_ids, id))
-0.001892 | {
-0.002516 | OCSP_RESPID_free(id);
-0.002160 | *al = SSL_AD_INTERNAL_ERROR;
-0.000351 | return 0;
-0.003370 | }
-0.460218 | }
- |
-1.175251 | /* Read in request_extensions */
-0.366711 | if (size < 2)
-0.009666 | {
-0.005385 | *al = SSL_AD_DECODE_ERROR;
-0.002742 | return 0;
-0.011616 | }
-0.450415 | n2s(data,dsize);
-0.144424 | size -= 2;
-0.218547 | if (dsize != size)
-0.002273 | {
-0.002723 | *al = SSL_AD_DECODE_ERROR;
-0.000453 | return 0;
-0.029005 | }
-0.639737 | sdata = data;
-0.431379 | if (dsize > 0)
-0.017148 | {
-0.251568 | if (s->tlsext_ocsp_exts)
-0.099359 | {
-0.078415 | sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
-0.139422 | X509_EXTENSION_free);
-0.774732 | }
- |
-0.050246 | s->tlsext_ocsp_exts =
-0.073025 | d2i_X509_EXTENSIONS(NULL,
-0.175835 | &sdata, dsize);
-0.213038 | if (!s->tlsext_ocsp_exts
-0.468159 | || (data + dsize != sdata))
-0.002378 | {
-0.008820 | *al = SSL_AD_DECODE_ERROR;
-0.002608 | return 0;
-0.005190 | }
-0.050755 | }
-0.208105 | }
-1.413404 | /* We don't know what to do with any other type
-1.782495 | * so ignore it.
-0.162776 | */
-0.629809 | else
-0.375103 | s->tlsext_status_type = -1;
-0.458492 | }
-0.528585 | #ifndef OPENSSL_NO_HEARTBEATS
-0.102263 | else if (type == TLSEXT_TYPE_heartbeat)
-0.021265 | {
-0.991820 | switch(data[0])
-0.002598 | {
-0.454792 | case 0x01: /* Client allows us to send HB requests */
-0.272821 | s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-0.073596 | break;
-0.024966 | case 0x02: /* Client doesn't accept HB requests */
-0.054914 | s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-0.004901 | s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-0.003913 | break;
-0.297719 | default: *al = SSL_AD_ILLEGAL_PARAMETER;
-0.008633 | return 0;
-0.031102 | }
-0.058710 | }
-0.102451 | #endif
-0.135442 | #ifndef OPENSSL_NO_NEXTPROTONEG
-0.112823 | else if (type == TLSEXT_TYPE_next_proto_neg &&
-0.237013 | s->s3->tmp.finish_md_len == 0)
-0.020914 | {
-0.997990 | /* We shouldn't accept this extension on a
-0.249644 | * renegotiation.
-0.941996 | *
-0.916722 | * s->new_session will be set on renegotiation, but we
-1.287328 | * probably shouldn't rely that it couldn't be set on
-1.863801 | * the initial renegotation too in certain cases (when
-1.340389 | * there's some other reason to disallow resuming an
-1.653616 | * earlier session -- the current code won't be doing
-1.308348 | * anything like that, but this might change).
- |
-1.976237 | * A valid sign that there's been a previous handshake
-0.559207 | * in this connection is if s->s3->tmp.finish_md_len >
-1.533792 | * 0. (We are talking about a check that will happen
-2.286318 | * in the Hello protocol round, well before a new
-1.204834 | * Finished message could have been computed.) */
-0.295282 | s->s3->next_proto_neg_seen = 1;
-0.146640 | }
-0.995839 | #endif
- |
-2.151761 | /* session ticket processed earlier */
-0.173900 | #ifndef OPENSSL_NO_SRTP
-0.014762 | else if (type == TLSEXT_TYPE_use_srtp)
-0.024089 | {
-0.464124 | if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
-0.348277 | al))
-0.076865 | return 0;
-0.027572 | }
-0.594245 | #endif
- |
-1.250309 | data+=size;
-0.381506 | }
-1.706661 |
-1.119274 | *p = data;
- |
-4.530638 | ri_check:
- |
-1.546427 | /* Need RI if renegotiating */
- |
-0.558937 | if (!renegotiate_seen && s->renegotiate &&
-0.164954 | !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-0.061543 | {
-0.048904 | *al = SSL_AD_HANDSHAKE_FAILURE;
-0.546032 | SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
-0.144534 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
-0.043326 | return 0;
-0.069526 | }
- |
-0.254005 | return 1;
-0.117904 | }
-0.048499 |
-0.172601 | #ifndef OPENSSL_NO_NEXTPROTONEG
-0.694100 | /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
-0.896656 | * elements of zero length are allowed and the set of elements must exactly fill
-0.291084 | * the length of the block. */
-0.823034 | static char ssl_next_proto_validate(unsigned char *d, unsigned len)
-0.059530 | {
-1.188100 | unsigned int off = 0;
- |
-0.104801 | while (off < len)
-0.003503 | {
-0.199811 | if (d[off] == 0)
-0.140732 | return 0;
-0.232747 | off += d[off];
-0.819020 | off++;
-0.180556 | }
- |
-0.228113 | return off == len;
-0.006999 | }
-0.225656 | #endif
-0.015278 |
-0.309590 | int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
-0.015053 | {
-1.551843 | unsigned short length;
-0.232740 | unsigned short type;
-0.395680 | unsigned short size;
-0.421464 | unsigned char *data = *p;
-0.795479 | int tlsext_servername = 0;
-0.312562 | int renegotiate_seen = 0;
-2.834802 |
-0.060312 | #ifndef OPENSSL_NO_NEXTPROTONEG
-0.118254 | s->s3->next_proto_neg_seen = 0;
-0.300235 | #endif
-1.611508 |
-0.048957 | #ifndef OPENSSL_NO_HEARTBEATS
-0.226300 | s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
-0.380629 | SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
-0.142205 | #endif
- |
-1.230517 | if (data >= (d+n-2))
-0.538397 | goto ri_check;
- |
-0.239556 | n2s(data,length);
-0.396587 | if (data+length != d+n)
-0.107680 | {
-0.055267 | *al = SSL_AD_DECODE_ERROR;
-0.023255 | return 0;
-0.098383 | }
- |
-0.815756 | while(data <= (d+n-4))
-0.008511 | {
-0.048798 | n2s(data,type);
-0.066932 | n2s(data,size);
- |
-0.275603 | if (data+size > (d+n))
-1.227404 | goto ri_check;
- |
-0.326233 | if (s->tlsext_debug_cb)
-0.254126 | s->tlsext_debug_cb(s, 1, type, data, size,
-0.178541 | s->tlsext_debug_arg);
- |
-0.156588 | if (type == TLSEXT_TYPE_server_name)
-0.011847 | {
-0.535199 | if (s->tlsext_hostname == NULL || size > 0)
-0.044484 | {
-0.244381 | *al = TLS1_AD_UNRECOGNIZED_NAME;
-0.027282 | return 0;
-0.045637 | }
-0.913900 | tlsext_servername = 1;
-0.408834 | }
-2.666112 |
-0.166209 | #ifndef OPENSSL_NO_EC
-0.209488 | else if (type == TLSEXT_TYPE_ec_point_formats &&
-1.178243 | s->version != DTLS1_VERSION)
-0.032097 | {
-0.490055 | unsigned char *sdata = data;
-0.998495 | int ecpointformatlist_length = *(sdata++);
- |
-0.526959 | if (ecpointformatlist_length != size - 1 ||
-0.401497 | ecpointformatlist_length < 1)
-0.022621 | {
-0.065753 | *al = TLS1_AD_DECODE_ERROR;
-0.005921 | return 0;
-0.171685 | }
-0.691369 | s->session->tlsext_ecpointformatlist_length = 0;
-0.341720 | if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-0.146000 | if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
-0.015496 | {
-0.027994 | *al = TLS1_AD_INTERNAL_ERROR;
-0.004971 | return 0;
-0.017106 | }
-0.069104 | s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-0.023991 | memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
-2.118316 | #if 0
-0.577138 | fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
-0.383060 | sdata = s->session->tlsext_ecpointformatlist;
-0.066386 | for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
-0.484265 | fprintf(stderr,"%i ",*(sdata++));
-0.012257 | fprintf(stderr,"\n");
-0.037233 | #endif
-0.031163 | }
-0.442337 | #endif /* OPENSSL_NO_EC */
- |
-0.205262 | else if (type == TLSEXT_TYPE_session_ticket)
-0.035576 | {
-0.401864 | if (s->tls_session_ticket_ext_cb &&
-0.154127 | !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
-0.050599 | {
-0.085125 | *al = TLS1_AD_INTERNAL_ERROR;
-0.011472 | return 0;
-0.012639 | }
-0.562004 | if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
-0.908547 | || (size > 0))
-0.078788 | {
-0.054808 | *al = TLS1_AD_UNSUPPORTED_EXTENSION;
-0.004904 | return 0;
-0.005482 | }
-0.202662 | s->tlsext_ticket_expected = 1;
-0.069150 | }
-0.308553 | #ifdef TLSEXT_TYPE_opaque_prf_input
-0.105314 | else if (type == TLSEXT_TYPE_opaque_prf_input &&
-0.330347 | s->version != DTLS1_VERSION)
-0.012819 | {
-0.338716 | unsigned char *sdata = data;
- |
-0.407722 | if (size < 2)
-0.011789 | {
-0.180956 | *al = SSL_AD_DECODE_ERROR;
-0.001595 | return 0;
-0.031147 | }
-0.356092 | n2s(sdata, s->s3->server_opaque_prf_input_len);
-0.115761 | if (s->s3->server_opaque_prf_input_len != size - 2)
-0.002102 | {
-0.014851 | *al = SSL_AD_DECODE_ERROR;
-0.000678 | return 0;
-0.012194 | }
-1.472600 |
-0.470044 | if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
-0.035684 | OPENSSL_free(s->s3->server_opaque_prf_input);
-0.340720 | if (s->s3->server_opaque_prf_input_len == 0)
-0.464337 | s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
-0.057398 | else
-0.152202 | s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
- |
-0.024728 | if (s->s3->server_opaque_prf_input == NULL)
-0.005188 | {
-0.009895 | *al = TLS1_AD_INTERNAL_ERROR;
-0.003103 | return 0;
-0.019622 | }
-0.053189 | }
-0.143169 | #endif
-0.374013 | else if (type == TLSEXT_TYPE_status_request &&
-0.304365 | s->version != DTLS1_VERSION)
-0.010136 | {
-1.337537 | /* MUST be empty and only sent if we've requested
-0.663699 | * a status request message.
-1.082761 | */
-0.338781 | if ((s->tlsext_status_type == -1) || (size > 0))
-0.007429 | {
-0.032147 | *al = TLS1_AD_UNSUPPORTED_EXTENSION;
-0.002088 | return 0;
-0.062282 | }
-1.107938 | /* Set flag to expect CertificateStatus message */
-0.012318 | s->tlsext_status_expected = 1;
-0.049151 | }
-0.147519 | #ifndef OPENSSL_NO_NEXTPROTONEG
-0.024024 | else if (type == TLSEXT_TYPE_next_proto_neg &&
-0.087423 | s->s3->tmp.finish_md_len == 0)
-0.011588 | {
-1.114038 | unsigned char *selected;
-0.251151 | unsigned char selected_len;
- |
-0.634515 | /* We must have requested it. */
-0.211052 | if (s->ctx->next_proto_select_cb == NULL)
-0.005436 | {
-0.014560 | *al = TLS1_AD_UNSUPPORTED_EXTENSION;
-0.002733 | return 0;
-0.148001 | }
-0.732091 | /* The data must be valid */
-0.016474 | if (!ssl_next_proto_validate(data, size))
-0.001809 | {
-0.011444 | *al = TLS1_AD_DECODE_ERROR;
-0.000639 | return 0;
-0.087937 | }
-0.364795 | if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
-0.782174 | {
-0.904690 | *al = TLS1_AD_INTERNAL_ERROR;
-0.176450 | return 0;
-0.030622 | }
-1.187211 | s->next_proto_negotiated = OPENSSL_malloc(selected_len);
-0.073862 | if (!s->next_proto_negotiated)
-0.037973 | {
-0.063678 | *al = TLS1_AD_INTERNAL_ERROR;
-0.007287 | return 0;
-0.008881 | }
-0.030932 | memcpy(s->next_proto_negotiated, selected, selected_len);
-0.006280 | s->next_proto_negotiated_len = selected_len;
-0.330766 | s->s3->next_proto_neg_seen = 1;
-0.107864 | }
-0.749688 | #endif
-0.475046 | else if (type == TLSEXT_TYPE_renegotiate)
-0.026751 | {
-0.528871 | if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
-0.044902 | return 0;
-0.505018 | renegotiate_seen = 1;
-0.052619 | }
-0.251934 | #ifndef OPENSSL_NO_HEARTBEATS
-0.011515 | else if (type == TLSEXT_TYPE_heartbeat)
-0.008718 | {
-0.849348 | switch(data[0])
-0.000977 | {
-0.792385 | case 0x01: /* Server allows us to send HB requests */
-0.262697 | s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-0.102281 | break;
-0.015575 | case 0x02: /* Server doesn't accept HB requests */
-0.066901 | s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-0.003313 | s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-0.003678 | break;
-0.183400 | default: *al = SSL_AD_ILLEGAL_PARAMETER;
-0.008093 | return 0;
-0.024704 | }
-0.033433 | }
-0.074746 | #endif
-0.465899 | #ifndef OPENSSL_NO_SRTP
-0.007455 | else if (type == TLSEXT_TYPE_use_srtp)
-0.008361 | {
-0.701359 | if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
-0.717861 | al))
-0.237559 | return 0;
-0.065855 | }
-0.942999 | #endif
- |
-2.255164 | data+=size;
-0.603674 | }
- |
-1.547027 | if (data != d+n)
-0.047309 | {
-0.068053 | *al = SSL_AD_DECODE_ERROR;
-0.020720 | return 0;
-0.078191 | }
- |
-1.287373 | if (!s->hit && tlsext_servername == 1)
-0.042551 | {
-0.732504 | if (s->tlsext_hostname)
-0.155207 | {
-0.370606 | if (s->session->tlsext_hostname == NULL)
-0.081182 | {
-0.377500 | s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
-0.066055 | if (!s->session->tlsext_hostname)
-0.087306 | {
-0.480782 | *al = SSL_AD_UNRECOGNIZED_NAME;
-0.018097 | return 0;
-0.003651 | }
-0.023353 | }
-0.783323 | else
-0.075788 | {
-0.485737 | *al = SSL_AD_DECODE_ERROR;
-0.009683 | return 0;
-0.010081 | }
-0.040102 | }
-0.346370 | }
- |
-1.640492 | *p = data;
- |
-4.353205 | ri_check:
- |
-2.323943 | /* Determine if we need to see RI. Strictly speaking if we want to
-1.369688 | * avoid an attack we should *always* see RI even on initial server
-0.735551 | * hello because the client doesn't see any renegotiation during an
-0.585984 | * attack. However this would mean we could not connect to any server
-1.527088 | * which doesn't support RI so for the immediate future tolerate RI
-1.407964 | * absence on initial connect only.
-0.382714 | */
-0.668860 | if (!renegotiate_seen
-0.214829 | && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
-0.143601 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-0.142872 | {
-0.096615 | *al = SSL_AD_HANDSHAKE_FAILURE;
-0.314820 | SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
-0.209922 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
-0.021183 | return 0;
-0.063191 | }
- |
-0.343263 | return 1;
-0.498846 | }
- |
-0.013691 |
-0.400211 | int ssl_prepare_clienthello_tlsext(SSL *s)
-0.013734 | {
-0.387395 | #ifndef OPENSSL_NO_EC
-2.487072 | /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
-1.576118 | * and elliptic curves we support.
-0.090140 | */
-1.064826 | int using_ecc = 0;
-0.693931 | int i;
-1.861818 | unsigned char *j;
-0.448799 | unsigned long alg_k, alg_a;
-0.368402 | STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
- |
-0.072300 | for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
-0.021283 | {
-0.113729 | SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
- |
-0.088461 | alg_k = c->algorithm_mkey;
-0.069474 | alg_a = c->algorithm_auth;
-0.466641 | if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
-0.078145 | {
-0.031025 | using_ecc = 1;
-0.019432 | break;
-0.005413 | }
-0.344148 | }
-0.843619 | using_ecc = using_ecc && (s->version >= TLS1_VERSION);
-0.132098 | if (using_ecc)
-0.015272 | {
-0.414333 | if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
-0.308224 | if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
-0.120544 | {
-0.047874 | SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
-0.286457 | return -1;
-0.025021 | }
-0.176765 | s->tlsext_ecpointformatlist_length = 3;
-0.024101 | s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
-0.009774 | s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
-0.024032 | s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
- |
-1.563771 | /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
-0.024748 | if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
-0.727515 | s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
-0.025485 | if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
-0.002029 | {
-0.459847 | s->tlsext_ellipticcurvelist_length = 0;
-0.009192 | SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
-0.002263 | return -1;
-0.043189 | }
-0.565257 | for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
-0.125236 | sizeof(pref_list)/sizeof(pref_list[0]); i++)
-0.013094 | {
-0.471701 | int id = tls1_ec_nid2curve_id(pref_list[i]);
-0.719399 | s2n(id,j);
-0.738472 | }
-0.066623 | }
-0.255247 | #endif /* OPENSSL_NO_EC */
-1.327883 |
-0.148018 | #ifdef TLSEXT_TYPE_opaque_prf_input
-2.357416 | {
-1.480742 | int r = 1;
-2.594965 |
-0.384464 | if (s->ctx->tlsext_opaque_prf_input_callback != 0)
-0.141444 | {
-0.187658 | r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
-0.517881 | if (!r)
-0.289332 | return -1;
-0.505597 | }
- |
-0.091536 | if (s->tlsext_opaque_prf_input != NULL)
-0.048286 | {
-0.696783 | if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
-0.112149 | OPENSSL_free(s->s3->client_opaque_prf_input);
- |
-0.309688 | if (s->tlsext_opaque_prf_input_len == 0)
-0.333477 | s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
-0.025303 | else
-0.044810 | s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
-0.031848 | if (s->s3->client_opaque_prf_input == NULL)
-0.064542 | {
-0.008395 | SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
-0.002884 | return -1;
-0.016473 | }
-0.012328 | s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
-0.598007 | }
- |
-0.525690 | if (r == 2)
-2.635174 | /* at callback's request, insist on receiving an appropriate server opaque PRF input */
-0.244550 | s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
-0.600866 | }
-0.321973 | #endif
- |
-0.101108 | return 1;
-0.179555 | }
-0.052236 |
-0.222949 | int ssl_prepare_serverhello_tlsext(SSL *s)
-0.025698 | {
-0.108229 | #ifndef OPENSSL_NO_EC
-0.755061 | /* If we are server and using an ECC cipher suite, send the point formats we support
-1.910105 | * if the client sent us an ECPointsFormat extension. Note that the server is not
-1.366229 | * supposed to send an EllipticCurves extension.
-1.319458 | */
- |
-0.251404 | unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-0.017054 | unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
-0.138702 | int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
-0.486848 | using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
-1.389924 |
-0.119652 | if (using_ecc)
-0.014710 | {
-0.073034 | if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
-0.023112 | if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
-0.001873 | {
-0.004520 | SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
-0.008438 | return -1;
-0.006321 | }
-0.006116 | s->tlsext_ecpointformatlist_length = 3;
-0.000982 | s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
-0.000268 | s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
-0.006479 | s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
-0.049540 | }
-0.132003 | #endif /* OPENSSL_NO_EC */
- |
-0.058379 | return 1;
-0.145322 | }
-0.101547 |
-0.368549 | int ssl_check_clienthello_tlsext_early(SSL *s)
-0.023740 | {
-0.643958 | int ret=SSL_TLSEXT_ERR_NOACK;
-0.256352 | int al = SSL_AD_UNRECOGNIZED_NAME;
-1.583136 |
-0.043354 | #ifndef OPENSSL_NO_EC
-1.782265 | /* The handling of the ECPointFormats extension is done elsewhere, namely in
-0.475997 | * ssl3_choose_cipher in s3_lib.c.
-0.141980 | */
-0.354593 | /* The handling of the EllipticCurves extension is done elsewhere, namely in
-0.025351 | * ssl3_choose_cipher in s3_lib.c.
-0.043576 | */
-0.327700 | #endif
- |
-0.473125 | if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
-0.156027 | ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
-0.411449 | else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
-0.021037 | ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
-2.571533 |
-0.080197 | #ifdef TLSEXT_TYPE_opaque_prf_input
-0.609140 | {
-1.376820 | /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
-1.548536 | * but we might be sending an alert in response to the client hello,
-2.104768 | * so this has to happen here in
-0.256906 | * ssl_check_clienthello_tlsext_early(). */
- |
-0.223936 | int r = 1;
-0.302331 |
-0.141408 | if (s->ctx->tlsext_opaque_prf_input_callback != 0)
-0.011602 | {
-0.004091 | r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
-0.020322 | if (!r)
-0.434183 | {
-0.050900 | ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-0.108923 | al = SSL_AD_INTERNAL_ERROR;
-0.250298 | goto err;
-0.001899 | }
-0.059410 | }
- |
-0.255360 | if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
-0.111332 | OPENSSL_free(s->s3->server_opaque_prf_input);
-0.201420 | s->s3->server_opaque_prf_input = NULL;
- |
-0.056990 | if (s->tlsext_opaque_prf_input != NULL)
-0.005222 | {
-0.410642 | if (s->s3->client_opaque_prf_input != NULL &&
-0.110949 | s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
-0.024438 | {
-1.579994 | /* can only use this extension if we have a server opaque PRF input
-0.784684 | * of the same length as the client opaque PRF input! */
- |
-0.135254 | if (s->tlsext_opaque_prf_input_len == 0)
-0.010847 | s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
-0.006502 | else
-0.013960 | s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
-0.008616 | if (s->s3->server_opaque_prf_input == NULL)
-0.002346 | {
-0.009668 | ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-1.556040 | al = SSL_AD_INTERNAL_ERROR;
-0.582895 | goto err;
-0.495726 | }
-0.857937 | s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
-0.344349 | }
-0.684636 | }
- |
-0.872870 | if (r == 2 && s->s3->server_opaque_prf_input == NULL)
-0.039089 | {
-2.689909 | /* The callback wants to enforce use of the extension,
-1.927121 | * but we can't do that with the client opaque PRF input;
-1.164436 | * abort the handshake.
-0.013126 | */
-0.574563 | ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-0.061206 | al = SSL_AD_HANDSHAKE_FAILURE;
-0.829655 | }
-2.275572 | }
- |
-1.358292 | err:
-2.490856 | #endif
-1.133166 | switch (ret)
-0.010280 | {
-0.089174 | case SSL_TLSEXT_ERR_ALERT_FATAL:
-0.411360 | ssl3_send_alert(s,SSL3_AL_FATAL,al);
-0.491023 | return -1;
- |
-0.165708 | case SSL_TLSEXT_ERR_ALERT_WARNING:
-0.045038 | ssl3_send_alert(s,SSL3_AL_WARNING,al);
-1.066235 | return 1;
-0.935176 |
-0.021916 | case SSL_TLSEXT_ERR_NOACK:
-0.843043 | s->servername_done=0;
-1.292420 | default:
-1.189309 | return 1;
-0.104269 | }
-0.206181 | }
-0.176115 |
-0.541316 | int ssl_check_clienthello_tlsext_late(SSL *s)
-0.022472 | {
-0.331768 | int ret = SSL_TLSEXT_ERR_OK;
-0.748409 | int al;
- |
-1.951550 | /* If status request then ask callback what to do.
-1.554952 | * Note: this must be called after servername callbacks in case
-1.029670 | * the certificate has changed, and must be called after the cipher
-1.390802 | * has been chosen because this may influence which certificate is sent
-0.758980 | */
-0.441924 | if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
-0.036038 | {
-0.671476 | int r;
-1.477727 | CERT_PKEY *certpkey;
-0.295001 | certpkey = ssl_get_server_send_pkey(s);
-0.839027 | /* If no certificate can't return certificate status */
-0.074112 | if (certpkey == NULL)
-0.072091 | {
-0.217102 | s->tlsext_status_expected = 0;
-0.505846 | return 1;
-0.087561 | }
-1.608827 | /* Set current certificate to one we will use so
-0.822412 | * SSL_get_certificate et al can pick it up.
-0.082031 | */
-0.133613 | s->cert->key = certpkey;
-0.057379 | r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
-0.381393 | switch (r)
-0.004759 | {
-0.748231 | /* We don't want to send a status request response */
-0.024693 | case SSL_TLSEXT_ERR_NOACK:
-0.063409 | s->tlsext_status_expected = 0;
-0.326983 | break;
-0.577392 | /* status request response should be sent */
-0.046997 | case SSL_TLSEXT_ERR_OK:
-0.637284 | if (s->tlsext_ocsp_resp)
-0.119662 | s->tlsext_status_expected = 1;
-0.102609 | else
-0.042617 | s->tlsext_status_expected = 0;
-0.031454 | break;
-1.024449 | /* something bad happened */
-0.065819 | case SSL_TLSEXT_ERR_ALERT_FATAL:
-0.047370 | ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-0.076170 | al = SSL_AD_INTERNAL_ERROR;
-0.045217 | goto err;
-0.353780 | }
-0.208457 | }
-0.948629 | else
-0.079003 | s->tlsext_status_expected = 0;
- |
-0.612917 | err:
-0.036059 | switch (ret)
-0.001419 | {
-0.009185 | case SSL_TLSEXT_ERR_ALERT_FATAL:
-0.013830 | ssl3_send_alert(s,SSL3_AL_FATAL,al);
-0.011837 | return -1;
- |
-0.000982 | case SSL_TLSEXT_ERR_ALERT_WARNING:
-0.001723 | ssl3_send_alert(s,SSL3_AL_WARNING,al);
-0.390330 | return 1;
- |
-0.324393 | default:
-0.136338 | return 1;
-0.010736 | }
-0.073008 | }
-0.076672 |
-0.170671 | int ssl_check_serverhello_tlsext(SSL *s)
-0.014714 | {
-0.446225 | int ret=SSL_TLSEXT_ERR_NOACK;
-0.281222 | int al = SSL_AD_UNRECOGNIZED_NAME;
-2.198934 |
-0.143453 | #ifndef OPENSSL_NO_EC
-1.543548 | /* If we are client and using an elliptic curve cryptography cipher
-1.556736 | * suite, then if server returns an EC point formats lists extension
-0.812914 | * it must contain uncompressed.
-0.058640 | */
-0.414413 | unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-0.033025 | unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
-0.405152 | if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
-0.204476 | (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
-0.323712 | ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
-0.018833 | {
-0.850672 | /* we are using an ECC cipher */
-0.426584 | size_t i;
-0.721126 | unsigned char *list;
-0.407333 | int found_uncompressed = 0;
-0.153337 | list = s->session->tlsext_ecpointformatlist;
-0.093030 | for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
-0.013885 | {
-0.170179 | if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
-0.096700 | {
-0.007342 | found_uncompressed = 1;
-0.005375 | break;
-0.001556 | }
-0.038933 | }
-0.116391 | if (!found_uncompressed)
-0.010337 | {
-0.208457 | SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
-0.249628 | return -1;
-0.006684 | }
-0.043049 | }
-0.594171 | ret = SSL_TLSEXT_ERR_OK;
-0.308397 | #endif /* OPENSSL_NO_EC */
- |
-0.519031 | if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
-0.250750 | ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
-0.455402 | else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
-0.023764 | ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
-2.711919 |
-0.126921 | #ifdef TLSEXT_TYPE_opaque_prf_input
-0.336598 | if (s->s3->server_opaque_prf_input_len > 0)
-0.049425 | {
-2.165454 | /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
-2.519046 | * So first verify that we really have a value from the server too. */
- |
-0.108286 | if (s->s3->server_opaque_prf_input == NULL)
-0.021294 | {
-0.082655 | ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-0.091671 | al = SSL_AD_HANDSHAKE_FAILURE;
-0.251046 | }
-1.625115 |
-1.816322 | /* Anytime the server *has* sent an opaque PRF input, we need to check
-0.942548 | * that we have a client opaque PRF input of the same size. */
-0.151299 | if (s->s3->client_opaque_prf_input == NULL ||
-0.040883 | s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
-0.003975 | {
-0.003667 | ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-0.041122 | al = SSL_AD_ILLEGAL_PARAMETER;
-0.057024 | }
-0.078740 | }
-0.353069 | #endif
- |
-2.612209 | /* If we've requested certificate status and we wont get one
-2.392081 | * tell the callback
-0.049006 | */
-0.310587 | if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
-0.176908 | && s->ctx && s->ctx->tlsext_status_cb)
-0.042936 | {
-0.175884 | int r;
-2.479172 | /* Set resp to NULL, resplen to -1 so callback knows
-0.858664 | * there is no response.
-0.023400 | */
-0.260875 | if (s->tlsext_ocsp_resp)
-0.258216 | {
-0.019166 | OPENSSL_free(s->tlsext_ocsp_resp);
-0.018371 | s->tlsext_ocsp_resp = NULL;
-0.073638 | }
-0.038273 | s->tlsext_ocsp_resplen = -1;
-0.012910 | r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
-0.573617 | if (r == 0)
-0.133678 | {
-0.171600 | al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
-0.009115 | ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-0.052521 | }
-0.554201 | if (r < 0)
-0.135553 | {
-0.039211 | al = SSL_AD_INTERNAL_ERROR;
-0.000876 | ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-0.006800 | }
-0.145019 | }
- |
-0.163087 | switch (ret)
-0.002319 | {
-0.012537 | case SSL_TLSEXT_ERR_ALERT_FATAL:
-0.012762 | ssl3_send_alert(s,SSL3_AL_FATAL,al);
-0.011292 | return -1;
- |
-0.000436 | case SSL_TLSEXT_ERR_ALERT_WARNING:
-0.001792 | ssl3_send_alert(s,SSL3_AL_WARNING,al);
-0.214455 | return 1;
-0.073281 |
-0.008093 | case SSL_TLSEXT_ERR_NOACK:
-0.115786 | s->servername_done=0;
-0.037557 | default:
-0.034979 | return 1;
-0.010873 | }
-0.095400 | }
-0.068863 |
-2.499670 | /* Since the server cache lookup is done early on in the processing of the
-1.612023 | * ClientHello, and other operations depend on the result, we need to handle
-1.706963 | * any TLS session ticket extension at the same time.
-0.675435 | *
-1.658194 | * session_id: points at the session ID in the ClientHello. This code will
-0.402677 | * read past the end of this in order to parse out the session ticket
-0.458075 | * extension, if any.
-0.393422 | * len: the length of the session ID.
-0.666947 | * limit: a pointer to the first byte after the ClientHello.
-0.438886 | * ret: (output) on return, if a ticket was decrypted, then this is set to
-0.268509 | * point to the resulting session.
-0.465679 | *
-0.814531 | * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
-1.266087 | * ciphersuite, in which case we have no use for session tickets and one will
-0.467685 | * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
-0.441978 | *
-0.571561 | * Returns:
-0.762539 | * -1: fatal error, either from parsing or decrypting the ticket.
-0.870433 | * 0: no ticket was found (or was ignored, based on settings).
-1.078004 | * 1: a zero length extension was found, indicating that the client supports
-0.652248 | * session tickets but doesn't currently have one to offer.
-0.605581 | * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
-0.320981 | * couldn't be decrypted because of a non-fatal error.
-0.216762 | * 3: a ticket was successfully decrypted and *ret was set.
-0.643245 | *
-0.243415 | * Side effects:
-0.352932 | * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
-0.123989 | * a new session ticket to the client because the client indicated support
-0.389697 | * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
-0.637452 | * a session ticket or we couldn't use the one it gave us, or if
-0.257054 | * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
-0.208306 | * Otherwise, s->tlsext_ticket_expected is set to 0.
-0.437705 | */
-0.112920 | int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-0.184701 | const unsigned char *limit, SSL_SESSION **ret)
-0.020258 | {
-1.689002 | /* Point after session ID in client hello */
-0.074421 | const unsigned char *p = session_id + len;
-2.335076 | unsigned short i;
- |
-0.505894 | *ret = NULL;
-0.243172 | s->tlsext_ticket_expected = 0;
- |
-2.756464 | /* If tickets disabled behave as if no ticket present
-1.083130 | * to permit stateful resumption.
-0.024963 | */
-0.137523 | if (SSL_get_options(s) & SSL_OP_NO_TICKET)
-0.424248 | return 0;
-1.386797 | if ((s->version <= SSL3_VERSION) || !limit)
-0.234620 | return 0;
-0.685134 | if (p >= limit)
-0.845238 | return -1;
-1.850738 | /* Skip past DTLS cookie */
-0.161100 | if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
-0.016241 | {
-0.462244 | i = *(p++);
-1.521491 | p+= i;
-0.166683 | if (p >= limit)
-0.009498 | return -1;
-0.178770 | }
-1.175726 | /* Skip past cipher list */
-0.866712 | n2s(p, i);
-0.136225 | p+= i;
-0.049645 | if (p >= limit)
-0.037252 | return -1;
-0.847331 | /* Skip past compression algorithm list */
-0.310139 | i = *(p++);
-0.693806 | p += i;
-0.313470 | if (p > limit)
-0.097955 | return -1;
-1.317428 | /* Now at start of extensions */
-0.962994 | if ((p + 2) >= limit)
-0.679340 | return 0;
-0.267439 | n2s(p, i);
-0.825695 | while ((p + 4) <= limit)
-0.003910 | {
-0.459422 | unsigned short type, size;
-0.080805 | n2s(p, type);
-0.011777 | n2s(p, size);
-0.173386 | if (p + size > limit)
-0.286278 | return 0;
-0.043754 | if (type == TLSEXT_TYPE_session_ticket)
-0.014570 | {
-1.070514 | int r;
-0.494185 | if (size == 0)
-0.076176 | {
-1.062191 | /* The client will accept a ticket but doesn't
-0.353076 | * currently have one. */
-0.040787 | s->tlsext_ticket_expected = 1;
-0.132909 | return 1;
-0.021963 | }
-0.231140 | if (s->tls_session_secret_cb)
-0.037724 | {
-1.215008 | /* Indicate that the ticket couldn't be
-1.148130 | * decrypted rather than generating the session
-2.427752 | * from ticket now, trigger abbreviated
-1.307307 | * handshake based on external mechanism to
-0.699017 | * calculate the master secret later. */
-0.261021 | return 2;
-0.019761 | }
-0.424178 | r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
-0.283989 | switch (r)
-0.001117 | {
-0.623819 | case 2: /* ticket couldn't be decrypted */
-0.094427 | s->tlsext_ticket_expected = 1;
-0.111614 | return 2;
-0.761024 | case 3: /* ticket was decrypted */
-0.502161 | return r;
-0.934884 | case 4: /* ticket decrypted but need to renew */
-0.028761 | s->tlsext_ticket_expected = 1;
-0.123875 | return 3;
-0.295769 | default: /* fatal error */
-0.030890 | return -1;
-0.003996 | }
-0.011555 | }
-0.143348 | p += size;
-0.099681 | }
-0.068717 | return 0;
-0.067306 | }
-0.044629 |
-0.953889 | /* tls_decrypt_ticket attempts to decrypt a session ticket.
-0.282141 | *
-1.902640 | * etick: points to the body of the session ticket extension.
-0.963418 | * eticklen: the length of the session tickets extenion.
-0.574158 | * sess_id: points at the session ID.
-0.117294 | * sesslen: the length of the session ID.
-0.681406 | * psess: (output) on return, if a ticket was decrypted, then this is set to
-0.039429 | * point to the resulting session.
-0.056287 | *
-2.878929 | * Returns:
-2.692877 | * -1: fatal error, either from parsing or decrypting the ticket.
-1.363079 | * 2: the ticket couldn't be decrypted.
-1.919818 | * 3: a ticket was successfully decrypted and *psess was set.
-1.342386 | * 4: same as 3, but the ticket needs to be renewed.
-0.577720 | */
-0.869436 | static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
-0.958915 | const unsigned char *sess_id, int sesslen,
-0.120786 | SSL_SESSION **psess)
-0.771785 | {
-0.402425 | SSL_SESSION *sess;
-1.060255 | unsigned char *sdec;
-0.413646 | const unsigned char *p;
-1.435226 | int slen, mlen, renew_ticket = 0;
-0.375023 | unsigned char tick_hmac[EVP_MAX_MD_SIZE];
-0.446561 | HMAC_CTX hctx;
-0.348955 | EVP_CIPHER_CTX ctx;
-0.845305 | SSL_CTX *tctx = s->initial_ctx;
-1.459088 | /* Need at least keyname + iv + some encrypted data */
-0.300179 | if (eticklen < 48)
-0.682291 | return 2;
-1.361256 | /* Initialize session ticket encryption and HMAC contexts */
-0.041727 | HMAC_CTX_init(&hctx);
-0.033874 | EVP_CIPHER_CTX_init(&ctx);
-0.560461 | if (tctx->tlsext_ticket_key_cb)
-0.027454 | {
-0.740076 | unsigned char *nctick = (unsigned char *)etick;
-0.595379 | int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
-0.766834 | &ctx, &hctx, 0);
-0.212022 | if (rv < 0)
-0.172958 | return -1;
-0.276617 | if (rv == 0)
-0.152149 | return 2;
-0.415628 | if (rv == 2)
-0.018917 | renew_ticket = 1;
-0.164860 | }
-0.213438 | else
-0.019429 | {
-1.231893 | /* Check key name matches */
-0.144127 | if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
-0.112728 | return 2;
-0.205802 | HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
-0.684327 | tlsext_tick_md(), NULL);
-0.067134 | EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
-0.089407 | tctx->tlsext_tick_aes_key, etick + 16);
-0.112158 | }
-3.475588 | /* Attempt to process session ticket, first conduct sanity and
-0.968824 | * integrity checks on ticket.
-0.044978 | */
-0.798223 | mlen = HMAC_size(&hctx);
-0.510173 | if (mlen < 0)
-0.208011 | {
-0.322185 | EVP_CIPHER_CTX_cleanup(&ctx);
-0.394677 | return -1;
-0.006089 | }
-1.156680 | eticklen -= mlen;
-1.237261 | /* Check HMAC of encrypted ticket */
-0.053339 | HMAC_Update(&hctx, etick, eticklen);
-0.018875 | HMAC_Final(&hctx, tick_hmac, NULL);
-0.151159 | HMAC_CTX_cleanup(&hctx);
-0.150847 | if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
-0.153512 | return 2;
-0.978277 | /* Attempt to decrypt session data */
-2.385057 | /* Move p after IV to start of encrypted ticket, update length */
-0.155895 | p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
-0.020962 | eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
-0.368514 | sdec = OPENSSL_malloc(eticklen);
-0.160608 | if (!sdec)
-0.027350 | {
-0.010660 | EVP_CIPHER_CTX_cleanup(&ctx);
-0.009254 | return -1;
-0.002192 | }
-0.027033 | EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
-0.310084 | if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
-1.086508 | return 2;
-0.108501 | slen += mlen;
-0.030830 | EVP_CIPHER_CTX_cleanup(&ctx);
-0.925717 | p = sdec;
- |
-0.192015 | sess = d2i_SSL_SESSION(NULL, &p, slen);
-0.096031 | OPENSSL_free(sdec);
-0.798050 | if (sess)
-0.011861 | {
-1.412584 | /* The session ID, if non-empty, is used by some clients to
-0.714377 | * detect that the ticket has been accepted. So we copy it to
-1.025683 | * the session structure. If it is empty set length to zero
-1.173428 | * as required by standard.
-0.008744 | */
-0.210118 | if (sesslen)
-0.126221 | memcpy(sess->session_id, sess_id, sesslen);
-0.191538 | sess->session_id_length = sesslen;
-0.320341 | *psess = sess;
-0.125895 | if (renew_ticket)
-0.019871 | return 4;
-0.159270 | else
-0.003053 | return 3;
-0.037463 | }
-1.404063 | ERR_clear_error();
-1.497993 | /* For session parse failure, indicate that we need to send a new
-0.740852 | * ticket. */
-0.293408 | return 2;
-0.055767 | }
-0.155000 |
-2.327951 | /* Tables to translate from NIDs to TLS v1.2 ids */
-1.228371 |
-1.517898 | typedef struct
-0.060345 | {
-0.094529 | int nid;
-0.400689 | int id;
-0.918907 | } tls12_lookup;
-0.024772 |
-0.973962 | static tls12_lookup tls12_md[] = {
-0.392250 | #ifndef OPENSSL_NO_MD5
-0.186648 | {NID_md5, TLSEXT_hash_md5},
-0.064299 | #endif
-0.030388 | #ifndef OPENSSL_NO_SHA
-0.004550 | {NID_sha1, TLSEXT_hash_sha1},
-0.261705 | #endif
-0.026073 | #ifndef OPENSSL_NO_SHA256
-0.173361 | {NID_sha224, TLSEXT_hash_sha224},
-0.000950 | {NID_sha256, TLSEXT_hash_sha256},
-0.065492 | #endif
-0.015250 | #ifndef OPENSSL_NO_SHA512
-0.001325 | {NID_sha384, TLSEXT_hash_sha384},
-0.112686 | {NID_sha512, TLSEXT_hash_sha512}
-0.008644 | #endif
-1.125560 | };
-0.132386 |
-0.146720 | static tls12_lookup tls12_sig[] = {
-0.017850 | #ifndef OPENSSL_NO_RSA
-0.399207 | {EVP_PKEY_RSA, TLSEXT_signature_rsa},
-0.022610 | #endif
-0.014780 | #ifndef OPENSSL_NO_DSA
-0.013414 | {EVP_PKEY_DSA, TLSEXT_signature_dsa},
-0.037386 | #endif
-0.060708 | #ifndef OPENSSL_NO_ECDSA
-0.034954 | {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
-0.021243 | #endif
-0.045263 | };
-0.016688 |
-0.671654 | static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
-0.010144 | {
-0.070440 | size_t i;
-0.027417 | for (i = 0; i < tlen; i++)
-0.127194 | {
-0.023365 | if (table[i].nid == nid)
-0.008258 | return table[i].id;
-0.006070 | }
-0.010648 | return -1;
-0.021711 | }
-2.281687 | #if 0
-0.109571 | static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
-0.018561 | {
-0.002819 | size_t i;
-0.001816 | for (i = 0; i < tlen; i++)
-0.002368 | {
-0.002245 | if (table[i].id == id)
-0.001017 | return table[i].nid;
-0.000743 | }
-0.010480 | return -1;
-0.002825 | }
-0.023454 | #endif
-0.316171 |
-0.755155 | int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
-0.019200 | {
-0.666100 | int sig_id, md_id;
-0.412334 | if (!md)
-0.512263 | return 0;
-0.127830 | md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
-0.092294 | sizeof(tls12_md)/sizeof(tls12_lookup));
-0.069163 | if (md_id == -1)
-0.070643 | return 0;
-0.460418 | sig_id = tls12_get_sigid(pk);
-0.032055 | if (sig_id == -1)
-0.011159 | return 0;
-0.495596 | p[0] = (unsigned char)md_id;
-0.007570 | p[1] = (unsigned char)sig_id;
-0.166992 | return 1;
-0.020667 | }
-0.060207 |
-0.033547 | int tls12_get_sigid(const EVP_PKEY *pk)
-0.005045 | {
-0.266146 | return tls12_find_id(pk->type, tls12_sig,
-0.009337 | sizeof(tls12_sig)/sizeof(tls12_lookup));
-0.040186 | }
-0.082189 |
-0.495406 | const EVP_MD *tls12_get_hash(unsigned char hash_alg)
-0.003258 | {
-0.371338 | switch(hash_alg)
-0.001973 | {
-0.256320 | #ifndef OPENSSL_NO_SHA
-0.043897 | case TLSEXT_hash_sha1:
-0.081199 | return EVP_sha1();
-0.018764 | #endif
-0.004520 | #ifndef OPENSSL_NO_SHA256
-0.027631 | case TLSEXT_hash_sha224:
-0.616822 | return EVP_sha224();
- |
-0.000419 | case TLSEXT_hash_sha256:
-0.001168 | return EVP_sha256();
-0.005115 | #endif
-0.002489 | #ifndef OPENSSL_NO_SHA512
-0.000737 | case TLSEXT_hash_sha384:
-0.014628 | return EVP_sha384();
- |
-0.000173 | case TLSEXT_hash_sha512:
-0.000553 | return EVP_sha512();
-0.003870 | #endif
-0.210826 | default:
-1.025335 | return NULL;
- |
-0.013198 | }
-0.148737 | }
-0.148720 |
-1.947604 | /* Set preferred digest for each key type */
-0.640074 |
-1.296134 | int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
-0.013165 | {
-0.935361 | int i, idx;
-0.833652 | const EVP_MD *md;
-0.724664 | CERT *c = s->cert;
-1.508474 | /* Extension ignored for TLS versions below 1.2 */
-0.229138 | if (TLS1_get_version(s) < TLS1_2_VERSION)
-0.069772 | return 1;
-0.880195 | /* Should never happen */
-0.517290 | if (!c)
-0.339824 | return 0;
- |
-0.606301 | c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
-0.011299 | c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
-0.062294 | c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
-0.126812 | c->pkeys[SSL_PKEY_ECC].digest = NULL;
- |
-0.162682 | for (i = 0; i < dsize; i += 2)
-0.004250 | {
-0.418679 | unsigned char hash_alg = data[i], sig_alg = data[i+1];
- |
-0.737362 | switch(sig_alg)
-0.007419 | {
-0.106392 | #ifndef OPENSSL_NO_RSA
-0.032319 | case TLSEXT_signature_rsa:
-0.074350 | idx = SSL_PKEY_RSA_SIGN;
-0.064807 | break;
-0.024541 | #endif
-0.014072 | #ifndef OPENSSL_NO_DSA
-0.000509 | case TLSEXT_signature_dsa:
-0.001268 | idx = SSL_PKEY_DSA_SIGN;
-0.003072 | break;
-0.005528 | #endif
-0.020461 | #ifndef OPENSSL_NO_ECDSA
-0.000765 | case TLSEXT_signature_ecdsa:
-0.007193 | idx = SSL_PKEY_ECC;
-0.007493 | break;
-0.008182 | #endif
-0.012168 | default:
-0.149599 | continue;
-0.143925 | }
- |
-0.359520 | if (c->pkeys[idx].digest == NULL)
-0.107178 | {
-0.056783 | md = tls12_get_hash(hash_alg);
-0.267884 | if (md)
-0.183868 | {
-0.014429 | c->pkeys[idx].digest = md;
-0.416269 | if (idx == SSL_PKEY_RSA_SIGN)
-0.082439 | c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
-0.028796 | }
-0.563443 | }
- |
-0.396255 | }
- |
-4.472366 |
-3.042698 | /* Set any remaining keys to default values. NOTE: if alg is not
-2.181912 | * supported it stays as NULL.
-0.128955 | */
-0.427222 | #ifndef OPENSSL_NO_DSA
-0.137844 | if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
-0.050616 | c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
-0.244293 | #endif
-0.025277 | #ifndef OPENSSL_NO_RSA
-0.008380 | if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
-0.495749 | {
-0.022683 | c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
-0.005139 | c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
-0.004824 | }
-0.029838 | #endif
-0.039418 | #ifndef OPENSSL_NO_ECDSA
-0.002650 | if (!c->pkeys[SSL_PKEY_ECC].digest)
-0.017742 | c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
-0.256616 | #endif
-0.049142 | return 1;
-0.105673 | }
-0.070586 |
-1.674506 | #endif
-0.195479 |
-0.471773 | #ifndef OPENSSL_NO_HEARTBEATS
-3.596041 | int
-0.389579 | tls1_process_heartbeat(SSL *s)
-0.135248 | {
-0.778353 | unsigned char *p = &s->s3->rrec.data[0], *pl;
-0.588106 | unsigned short hbtype;
-0.750892 | unsigned int payload;
-0.836333 | unsigned int padding = 16; /* Use minimum padding */
- |
-1.023496 | /* Read type and payload length first */
-0.567731 | hbtype = *p++;
-0.346340 | n2s(p, payload);
-0.448007 | pl = p;
- |
-0.347395 | if (s->msg_callback)
-0.113271 | s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
-0.292899 | &s->s3->rrec.data[0], s->s3->rrec.length,
-0.022980 | s, s->msg_callback_arg);
- |
-0.155938 | if (hbtype == TLS1_HB_REQUEST)
-0.016430 | {
-0.422859 | unsigned char *buffer, *bp;
-0.830422 | int r;
- |
-1.196514 | /* Allocate memory for the response, size is 1 bytes
-0.669974 | * message type, plus 2 bytes payload length, plus
-0.441242 | * payload, plus padding
-0.014795 | */
-0.179963 | buffer = OPENSSL_malloc(1 + 2 + payload + padding);
-0.308801 | bp = buffer;
-1.017527 |
-0.658053 | /* Enter response type, length and copy payload */
-0.004627 | *bp++ = TLS1_HB_RESPONSE;
-0.016453 | s2n(payload, bp);
-0.056408 | memcpy(bp, pl, payload);
-0.165415 | bp += payload;
-0.301605 | /* Random padding */
-0.120381 | RAND_pseudo_bytes(bp, padding);
- |
-0.253903 | r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
- |
-0.305203 | if (r >= 0 && s->msg_callback)
-0.014858 | s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-0.081264 | buffer, 3 + payload + padding,
-0.016210 | s, s->msg_callback_arg);
- |
-0.134292 | OPENSSL_free(buffer);
- |
-0.244142 | if (r < 0)
-0.198598 | return r;
-0.192851 | }
-0.029036 | else if (hbtype == TLS1_HB_RESPONSE)
-0.017195 | {
-0.464082 | unsigned int seq;
-0.992819 |
-0.330958 | /* We only send sequence numbers (2 bytes unsigned int),
-0.147071 | * and 16 random bytes, so we just try to read the
-0.371636 | * sequence number */
-0.185372 | n2s(pl, seq);
-0.486241 |
-0.263062 | if (payload == 18 && seq == s->tlsext_hb_seq)
-0.077217 | {
-0.046586 | s->tlsext_hb_seq++;
-0.081252 | s->tlsext_hb_pending = 0;
-0.045001 | }
-0.462814 | }
- |
-0.482583 | return 0;
-0.015028 | }
-1.633506 |
-0.762235 | int
-0.014174 | tls1_heartbeat(SSL *s)
-0.006421 | {
-0.204211 | unsigned char *buf, *p;
-0.935922 | int ret;
-0.234290 | unsigned int payload = 18; /* Sequence number + random bytes */
-0.102813 | unsigned int padding = 16; /* Use minimum padding */
- |
-0.398286 | /* Only send if peer supports and accepts HB requests... */
-0.030662 | if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
-0.127890 | s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
-0.699479 | {
-0.049980 | SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
-0.176311 | return -1;
-0.064727 | }
- |
-0.519989 | /* ...and there is none in flight yet... */
-0.014580 | if (s->tlsext_hb_pending)
-0.008629 | {
-0.010122 | SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
-1.770761 | return -1;
-1.284274 | }
-1.057055 |
-3.183019 | /* ...and no handshake in progress. */
-0.643227 | if (SSL_in_init(s) || s->in_handshake)
-0.079662 | {
-0.379433 | SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
-0.050819 | return -1;
-0.148816 | }
-0.297117 |
-2.043303 | /* Check if padding is too long, payload and padding
-0.906917 | * must not exceed 2^14 - 3 = 16381 bytes in total.
-0.093004 | */
-0.938520 | OPENSSL_assert(payload + padding <= 16381);
- |
-1.187867 | /* Create HeartBeat message, we just use a sequence number
-0.781558 | * as payload to distuingish different messages and add
-0.784506 | * some random stuff.
-1.899279 | * - Message Type, 1 byte
-0.334183 | * - Payload Length, 2 bytes (unsigned int)
-1.078982 | * - Payload, the sequence number (2 bytes uint)
-0.850382 | * - Payload, random bytes (16 bytes uint)
-0.698507 | * - Padding
-0.174395 | */
-0.627043 | buf = OPENSSL_malloc(1 + 2 + payload + padding);
-1.352987 | p = buf;
-0.596559 | /* Message Type */
-0.125410 | *p++ = TLS1_HB_REQUEST;
-1.010153 | /* Payload length (18 bytes here) */
-0.380152 | s2n(payload, p);
-0.270779 | /* Sequence number */
-0.147081 | s2n(s->tlsext_hb_seq, p);
-0.262383 | /* 16 random bytes */
-0.071389 | RAND_pseudo_bytes(p, 16);
-0.172455 | p += 16;
-0.398368 | /* Random padding */
-0.159551 | RAND_pseudo_bytes(p, padding);
- |
-0.357686 | ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
-0.475920 | if (ret >= 0)
-0.326296 | {
-0.364960 | if (s->msg_callback)
-0.097618 | s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-0.473089 | buf, 3 + payload + padding,
-0.090538 | s, s->msg_callback_arg);
- |
-0.357879 | s->tlsext_hb_pending = 1;
-0.632804 | }
-0.906147 |
-0.191584 | OPENSSL_free(buf);
- |
-0.066963 | return ret;
-0.102778 | }
-0.995233 | #endif
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment