2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 const unsigned char *sess_id, int sesslen,
124 SSL_SESSION **psess);
127 SSL3_ENC_METHOD TLSv1_enc_data={
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141 long tls1_default_timeout(void)
143 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144 * is way too long for http, the cache would over fill */
150 if (!ssl3_new(s)) return(0);
151 s->method->ssl_clear(s);
155 void tls1_free(SSL *s)
160 void tls1_clear(SSL *s)
163 s->version=TLS1_VERSION;
166 #ifndef OPENSSL_NO_EC
167 static int nid_list[] =
169 NID_sect163k1, /* sect163k1 (1) */
170 NID_sect163r1, /* sect163r1 (2) */
171 NID_sect163r2, /* sect163r2 (3) */
172 NID_sect193r1, /* sect193r1 (4) */
173 NID_sect193r2, /* sect193r2 (5) */
174 NID_sect233k1, /* sect233k1 (6) */
175 NID_sect233r1, /* sect233r1 (7) */
176 NID_sect239k1, /* sect239k1 (8) */
177 NID_sect283k1, /* sect283k1 (9) */
178 NID_sect283r1, /* sect283r1 (10) */
179 NID_sect409k1, /* sect409k1 (11) */
180 NID_sect409r1, /* sect409r1 (12) */
181 NID_sect571k1, /* sect571k1 (13) */
182 NID_sect571r1, /* sect571r1 (14) */
183 NID_secp160k1, /* secp160k1 (15) */
184 NID_secp160r1, /* secp160r1 (16) */
185 NID_secp160r2, /* secp160r2 (17) */
186 NID_secp192k1, /* secp192k1 (18) */
187 NID_X9_62_prime192v1, /* secp192r1 (19) */
188 NID_secp224k1, /* secp224k1 (20) */
189 NID_secp224r1, /* secp224r1 (21) */
190 NID_secp256k1, /* secp256k1 (22) */
191 NID_X9_62_prime256v1, /* secp256r1 (23) */
192 NID_secp384r1, /* secp384r1 (24) */
193 NID_secp521r1 /* secp521r1 (25) */
196 int tls1_ec_curve_id2nid(int curve_id)
198 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
199 if ((curve_id < 1) || ((unsigned int)curve_id >
200 sizeof(nid_list)/sizeof(nid_list[0])))
202 return nid_list[curve_id-1];
205 int tls1_ec_nid2curve_id(int nid)
207 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
210 case NID_sect163k1: /* sect163k1 (1) */
212 case NID_sect163r1: /* sect163r1 (2) */
214 case NID_sect163r2: /* sect163r2 (3) */
216 case NID_sect193r1: /* sect193r1 (4) */
218 case NID_sect193r2: /* sect193r2 (5) */
220 case NID_sect233k1: /* sect233k1 (6) */
222 case NID_sect233r1: /* sect233r1 (7) */
224 case NID_sect239k1: /* sect239k1 (8) */
226 case NID_sect283k1: /* sect283k1 (9) */
228 case NID_sect283r1: /* sect283r1 (10) */
230 case NID_sect409k1: /* sect409k1 (11) */
232 case NID_sect409r1: /* sect409r1 (12) */
234 case NID_sect571k1: /* sect571k1 (13) */
236 case NID_sect571r1: /* sect571r1 (14) */
238 case NID_secp160k1: /* secp160k1 (15) */
240 case NID_secp160r1: /* secp160r1 (16) */
242 case NID_secp160r2: /* secp160r2 (17) */
244 case NID_secp192k1: /* secp192k1 (18) */
246 case NID_X9_62_prime192v1: /* secp192r1 (19) */
248 case NID_secp224k1: /* secp224k1 (20) */
250 case NID_secp224r1: /* secp224r1 (21) */
252 case NID_secp256k1: /* secp256k1 (22) */
254 case NID_X9_62_prime256v1: /* secp256r1 (23) */
256 case NID_secp384r1: /* secp384r1 (24) */
258 case NID_secp521r1: /* secp521r1 (25) */
264 #endif /* OPENSSL_NO_EC */
266 #ifndef OPENSSL_NO_TLSEXT
267 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
270 unsigned char *ret = p;
274 if (ret>=limit) return NULL; /* this really never occurs, but ... */
276 if (s->tlsext_hostname != NULL)
278 /* Add TLS extension servername to the Client Hello message */
279 unsigned long size_str;
282 /* check for enough space.
283 4 for the servername type and entension length
284 2 for servernamelist length
285 1 for the hostname type
286 2 for hostname length
290 if ((lenmax = limit - ret - 9) < 0
291 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
294 /* extension type and length */
295 s2n(TLSEXT_TYPE_server_name,ret);
298 /* length of servername list */
301 /* hostname type, length and hostname */
302 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
304 memcpy(ret, s->tlsext_hostname, size_str);
308 #ifndef OPENSSL_NO_EC
309 if (s->tlsext_ecpointformatlist != NULL)
311 /* Add TLS extension ECPointFormats to the ClientHello message */
314 if ((lenmax = limit - ret - 5) < 0) return NULL;
315 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
316 if (s->tlsext_ecpointformatlist_length > 255)
318 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
322 s2n(TLSEXT_TYPE_ec_point_formats,ret);
323 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
324 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
325 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
326 ret+=s->tlsext_ecpointformatlist_length;
328 if (s->tlsext_ellipticcurvelist != NULL)
330 /* Add TLS extension EllipticCurves to the ClientHello message */
333 if ((lenmax = limit - ret - 6) < 0) return NULL;
334 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
335 if (s->tlsext_ellipticcurvelist_length > 65532)
337 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
341 s2n(TLSEXT_TYPE_elliptic_curves,ret);
342 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
344 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
345 * elliptic_curve_list, but the examples use two bytes.
346 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
347 * resolves this to two bytes.
349 s2n(s->tlsext_ellipticcurvelist_length, ret);
350 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
351 ret+=s->tlsext_ellipticcurvelist_length;
353 #endif /* OPENSSL_NO_EC */
355 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
358 if (s->session && s->session->tlsext_tick)
359 ticklen = s->session->tlsext_ticklen;
362 /* Check for enough room 2 for extension type, 2 for len
365 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
366 s2n(TLSEXT_TYPE_session_ticket,ret);
370 memcpy(ret, s->session->tlsext_tick, ticklen);
375 #ifdef TLSEXT_TYPE_opaque_prf_input
376 if (s->s3->client_opaque_prf_input != NULL)
378 size_t col = s->s3->client_opaque_prf_input_len;
380 if ((long)(limit - ret - 6 - col < 0))
382 if (col > 0xFFFD) /* can't happen */
385 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
388 memcpy(ret, s->s3->client_opaque_prf_input, col);
393 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
396 long extlen, idlen, itmp;
400 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
402 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
403 itmp = i2d_OCSP_RESPID(id, NULL);
409 if (s->tlsext_ocsp_exts)
411 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
418 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
419 s2n(TLSEXT_TYPE_status_request, ret);
420 if (extlen + idlen > 0xFFF0)
422 s2n(extlen + idlen + 5, ret);
423 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
425 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
427 /* save position of id len */
428 unsigned char *q = ret;
429 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
430 /* skip over id len */
432 itmp = i2d_OCSP_RESPID(id, &ret);
438 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
441 if ((extdatalen = ret-p-2)== 0)
448 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
451 unsigned char *ret = p;
454 if (ret>=limit) return NULL; /* this really never occurs, but ... */
456 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
458 if ((long)(limit - ret - 4) < 0) return NULL;
460 s2n(TLSEXT_TYPE_server_name,ret);
463 #ifndef OPENSSL_NO_EC
464 if (s->tlsext_ecpointformatlist != NULL)
466 /* Add TLS extension ECPointFormats to the ServerHello message */
469 if ((lenmax = limit - ret - 5) < 0) return NULL;
470 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471 if (s->tlsext_ecpointformatlist_length > 255)
473 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
477 s2n(TLSEXT_TYPE_ec_point_formats,ret);
478 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481 ret+=s->tlsext_ecpointformatlist_length;
484 /* Currently the server should not respond with a SupportedCurves extension */
485 #endif /* OPENSSL_NO_EC */
487 if (s->tlsext_ticket_expected
488 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
490 if ((long)(limit - ret - 4) < 0) return NULL;
491 s2n(TLSEXT_TYPE_session_ticket,ret);
495 if (s->tlsext_status_expected)
497 if ((long)(limit - ret - 4) < 0) return NULL;
498 s2n(TLSEXT_TYPE_status_request,ret);
502 #ifdef TLSEXT_TYPE_opaque_prf_input
503 if (s->s3->server_opaque_prf_input != NULL)
505 size_t sol = s->s3->server_opaque_prf_input_len;
507 if ((long)(limit - ret - 6 - sol) < 0)
509 if (sol > 0xFFFD) /* can't happen */
512 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
515 memcpy(ret, s->s3->server_opaque_prf_input, sol);
519 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
520 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
521 { const unsigned char cryptopro_ext[36] = {
522 0xfd, 0xe8, /*65000*/
523 0x00, 0x20, /*32 bytes length*/
524 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
525 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
526 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
527 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
528 if (limit-ret<36) return NULL;
529 memcpy(ret,cryptopro_ext,36);
534 if ((extdatalen = ret-p-2)== 0)
541 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
546 unsigned char *data = *p;
547 s->servername_done = 0;
548 s->tlsext_status_type = -1;
554 if (data > (d+n-len))
557 while (data <= (d+n-4))
562 if (data+size > (d+n))
565 fprintf(stderr,"Received extension type %d size %d\n",type,size);
567 if (s->tlsext_debug_cb)
568 s->tlsext_debug_cb(s, 0, type, data, size,
569 s->tlsext_debug_arg);
570 /* The servername extension is treated as follows:
572 - Only the hostname type is supported with a maximum length of 255.
573 - The servername is rejected if too long or if it contains zeros,
574 in which case an fatal alert is generated.
575 - The servername field is maintained together with the session cache.
576 - When a session is resumed, the servername call back invoked in order
577 to allow the application to position itself to the right context.
578 - The servername is acknowledged if it is new for a session or when
579 it is identical to a previously used for the same session.
580 Applications can control the behaviour. They can at any time
581 set a 'desirable' servername for a new SSL object. This can be the
582 case for example with HTTPS when a Host: header field is received and
583 a renegotiation is requested. In this case, a possible servername
584 presented in the new client hello is only acknowledged if it matches
585 the value of the Host: field.
586 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
587 if they provide for changing an explicit servername context for the session,
588 i.e. when the session has been established with a servername extension.
589 - On session reconnect, the servername extension may be absent.
593 if (type == TLSEXT_TYPE_server_name)
595 unsigned char *sdata;
601 *al = SSL_AD_DECODE_ERROR;
608 *al = SSL_AD_DECODE_ERROR;
615 servname_type = *(sdata++);
621 *al = SSL_AD_DECODE_ERROR;
624 if (s->servername_done == 0)
625 switch (servname_type)
627 case TLSEXT_NAMETYPE_host_name:
628 if (s->session->tlsext_hostname == NULL)
630 if (len > TLSEXT_MAXLEN_host_name ||
631 ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
633 *al = TLS1_AD_UNRECOGNIZED_NAME;
636 memcpy(s->session->tlsext_hostname, sdata, len);
637 s->session->tlsext_hostname[len]='\0';
638 if (strlen(s->session->tlsext_hostname) != len) {
639 OPENSSL_free(s->session->tlsext_hostname);
640 s->session->tlsext_hostname = NULL;
641 *al = TLS1_AD_UNRECOGNIZED_NAME;
644 s->servername_done = 1;
648 s->servername_done = strlen(s->session->tlsext_hostname) == len
649 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
661 *al = SSL_AD_DECODE_ERROR;
667 #ifndef OPENSSL_NO_EC
668 else if (type == TLSEXT_TYPE_ec_point_formats)
670 unsigned char *sdata = data;
671 int ecpointformatlist_length = *(sdata++);
673 if (ecpointformatlist_length != size - 1)
675 *al = TLS1_AD_DECODE_ERROR;
678 s->session->tlsext_ecpointformatlist_length = 0;
679 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
680 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
682 *al = TLS1_AD_INTERNAL_ERROR;
685 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
686 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
688 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
689 sdata = s->session->tlsext_ecpointformatlist;
690 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
691 fprintf(stderr,"%i ",*(sdata++));
692 fprintf(stderr,"\n");
695 else if (type == TLSEXT_TYPE_elliptic_curves)
697 unsigned char *sdata = data;
698 int ellipticcurvelist_length = (*(sdata++) << 8);
699 ellipticcurvelist_length += (*(sdata++));
701 if (ellipticcurvelist_length != size - 2)
703 *al = TLS1_AD_DECODE_ERROR;
706 s->session->tlsext_ellipticcurvelist_length = 0;
707 if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
708 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
710 *al = TLS1_AD_INTERNAL_ERROR;
713 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
714 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
716 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
717 sdata = s->session->tlsext_ellipticcurvelist;
718 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
719 fprintf(stderr,"%i ",*(sdata++));
720 fprintf(stderr,"\n");
723 #endif /* OPENSSL_NO_EC */
724 #ifdef TLSEXT_TYPE_opaque_prf_input
725 else if (type == TLSEXT_TYPE_opaque_prf_input)
727 unsigned char *sdata = data;
731 *al = SSL_AD_DECODE_ERROR;
734 n2s(sdata, s->s3->client_opaque_prf_input_len);
735 if (s->s3->client_opaque_prf_input_len != size - 2)
737 *al = SSL_AD_DECODE_ERROR;
741 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
742 OPENSSL_free(s->s3->client_opaque_prf_input);
743 if (s->s3->client_opaque_prf_input_len == 0)
744 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
746 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
747 if (s->s3->client_opaque_prf_input == NULL)
749 *al = TLS1_AD_INTERNAL_ERROR;
754 else if (type == TLSEXT_TYPE_status_request
755 && s->ctx->tlsext_status_cb)
760 *al = SSL_AD_DECODE_ERROR;
764 s->tlsext_status_type = *data++;
766 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
768 const unsigned char *sdata;
770 /* Read in responder_id_list */
775 *al = SSL_AD_DECODE_ERROR;
784 *al = SSL_AD_DECODE_ERROR;
791 *al = SSL_AD_DECODE_ERROR;
796 id = d2i_OCSP_RESPID(NULL,
800 *al = SSL_AD_DECODE_ERROR;
805 OCSP_RESPID_free(id);
806 *al = SSL_AD_DECODE_ERROR;
809 if (!s->tlsext_ocsp_ids
810 && !(s->tlsext_ocsp_ids =
811 sk_OCSP_RESPID_new_null()))
813 OCSP_RESPID_free(id);
814 *al = SSL_AD_INTERNAL_ERROR;
817 if (!sk_OCSP_RESPID_push(
818 s->tlsext_ocsp_ids, id))
820 OCSP_RESPID_free(id);
821 *al = SSL_AD_INTERNAL_ERROR;
826 /* Read in request_extensions */
831 *al = SSL_AD_DECODE_ERROR;
837 s->tlsext_ocsp_exts =
838 d2i_X509_EXTENSIONS(NULL,
840 if (!s->tlsext_ocsp_exts
841 || (data + dsize != sdata))
843 *al = SSL_AD_DECODE_ERROR;
848 /* We don't know what to do with any other type
852 s->tlsext_status_type = -1;
855 /* session ticket processed earlier */
863 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
868 unsigned char *data = *p;
870 int tlsext_servername = 0;
877 while(data <= (d+n-4))
882 if (data+size > (d+n))
885 if (s->tlsext_debug_cb)
886 s->tlsext_debug_cb(s, 1, type, data, size,
887 s->tlsext_debug_arg);
889 if (type == TLSEXT_TYPE_server_name)
891 if (s->tlsext_hostname == NULL || size > 0)
893 *al = TLS1_AD_UNRECOGNIZED_NAME;
896 tlsext_servername = 1;
899 #ifndef OPENSSL_NO_EC
900 else if (type == TLSEXT_TYPE_ec_point_formats)
902 unsigned char *sdata = data;
903 int ecpointformatlist_length = *(sdata++);
905 if (ecpointformatlist_length != size - 1)
907 *al = TLS1_AD_DECODE_ERROR;
910 s->session->tlsext_ecpointformatlist_length = 0;
911 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
912 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
914 *al = TLS1_AD_INTERNAL_ERROR;
917 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
918 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
920 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
921 sdata = s->session->tlsext_ecpointformatlist;
922 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
923 fprintf(stderr,"%i ",*(sdata++));
924 fprintf(stderr,"\n");
927 #endif /* OPENSSL_NO_EC */
929 else if (type == TLSEXT_TYPE_session_ticket)
931 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
934 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
937 s->tlsext_ticket_expected = 1;
939 #ifdef TLSEXT_TYPE_opaque_prf_input
940 else if (type == TLSEXT_TYPE_opaque_prf_input)
942 unsigned char *sdata = data;
946 *al = SSL_AD_DECODE_ERROR;
949 n2s(sdata, s->s3->server_opaque_prf_input_len);
950 if (s->s3->server_opaque_prf_input_len != size - 2)
952 *al = SSL_AD_DECODE_ERROR;
956 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
957 OPENSSL_free(s->s3->server_opaque_prf_input);
958 if (s->s3->server_opaque_prf_input_len == 0)
959 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
961 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
963 if (s->s3->server_opaque_prf_input == NULL)
965 *al = TLS1_AD_INTERNAL_ERROR;
970 else if (type == TLSEXT_TYPE_status_request)
972 /* MUST be empty and only sent if we've requested
973 * a status request message.
975 if ((s->tlsext_status_type == -1) || (size > 0))
977 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
980 /* Set flag to expect CertificateStatus message */
981 s->tlsext_status_expected = 1;
989 *al = SSL_AD_DECODE_ERROR;
993 if (!s->hit && tlsext_servername == 1)
995 if (s->tlsext_hostname)
997 if (s->session->tlsext_hostname == NULL)
999 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1000 if (!s->session->tlsext_hostname)
1002 *al = SSL_AD_UNRECOGNIZED_NAME;
1008 *al = SSL_AD_DECODE_ERROR;
1019 int ssl_prepare_clienthello_tlsext(SSL *s)
1021 #ifndef OPENSSL_NO_EC
1022 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1023 * and elliptic curves we support.
1028 unsigned long alg_k, alg_a;
1029 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1031 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1033 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1035 alg_k = c->algorithm_mkey;
1036 alg_a = c->algorithm_auth;
1037 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1043 using_ecc = using_ecc && (s->version == TLS1_VERSION);
1046 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1047 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1049 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1052 s->tlsext_ecpointformatlist_length = 3;
1053 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1054 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1055 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1057 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1058 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1059 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1060 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1062 s->tlsext_ellipticcurvelist_length = 0;
1063 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1066 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1067 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1070 #endif /* OPENSSL_NO_EC */
1072 #ifdef TLSEXT_TYPE_opaque_prf_input
1076 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1078 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1083 if (s->tlsext_opaque_prf_input != NULL)
1085 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1086 OPENSSL_free(s->s3->client_opaque_prf_input);
1088 if (s->tlsext_opaque_prf_input_len == 0)
1089 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1091 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1092 if (s->s3->client_opaque_prf_input == NULL)
1094 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1097 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1101 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1102 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1109 int ssl_prepare_serverhello_tlsext(SSL *s)
1111 #ifndef OPENSSL_NO_EC
1112 /* If we are server and using an ECC cipher suite, send the point formats we support
1113 * if the client sent us an ECPointsFormat extension. Note that the server is not
1114 * supposed to send an EllipticCurves extension.
1117 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1118 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1119 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1120 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1124 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1125 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1127 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1130 s->tlsext_ecpointformatlist_length = 3;
1131 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1132 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1133 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1135 #endif /* OPENSSL_NO_EC */
1140 int ssl_check_clienthello_tlsext(SSL *s)
1142 int ret=SSL_TLSEXT_ERR_NOACK;
1143 int al = SSL_AD_UNRECOGNIZED_NAME;
1145 #ifndef OPENSSL_NO_EC
1146 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1147 * ssl3_choose_cipher in s3_lib.c.
1149 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1150 * ssl3_choose_cipher in s3_lib.c.
1154 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1155 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1156 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1157 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1159 /* If status request then ask callback what to do.
1160 * Note: this must be called after servername callbacks in case
1161 * the certificate has changed.
1163 if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
1166 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1169 /* We don't want to send a status request response */
1170 case SSL_TLSEXT_ERR_NOACK:
1171 s->tlsext_status_expected = 0;
1173 /* status request response should be sent */
1174 case SSL_TLSEXT_ERR_OK:
1175 if (s->tlsext_ocsp_resp)
1176 s->tlsext_status_expected = 1;
1178 s->tlsext_status_expected = 0;
1180 /* something bad happened */
1181 case SSL_TLSEXT_ERR_ALERT_FATAL:
1182 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1183 al = SSL_AD_INTERNAL_ERROR;
1188 s->tlsext_status_expected = 0;
1190 #ifdef TLSEXT_TYPE_opaque_prf_input
1192 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1193 * but we might be sending an alert in response to the client hello,
1194 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1198 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1200 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1203 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1204 al = SSL_AD_INTERNAL_ERROR;
1209 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1210 OPENSSL_free(s->s3->server_opaque_prf_input);
1211 s->s3->server_opaque_prf_input = NULL;
1213 if (s->tlsext_opaque_prf_input != NULL)
1215 if (s->s3->client_opaque_prf_input != NULL &&
1216 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1218 /* can only use this extension if we have a server opaque PRF input
1219 * of the same length as the client opaque PRF input! */
1221 if (s->tlsext_opaque_prf_input_len == 0)
1222 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1224 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1225 if (s->s3->server_opaque_prf_input == NULL)
1227 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1228 al = SSL_AD_INTERNAL_ERROR;
1231 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1235 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1237 /* The callback wants to enforce use of the extension,
1238 * but we can't do that with the client opaque PRF input;
1239 * abort the handshake.
1241 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1242 al = SSL_AD_HANDSHAKE_FAILURE;
1250 case SSL_TLSEXT_ERR_ALERT_FATAL:
1251 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1254 case SSL_TLSEXT_ERR_ALERT_WARNING:
1255 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1258 case SSL_TLSEXT_ERR_NOACK:
1259 s->servername_done=0;
1265 int ssl_check_serverhello_tlsext(SSL *s)
1267 int ret=SSL_TLSEXT_ERR_NOACK;
1268 int al = SSL_AD_UNRECOGNIZED_NAME;
1270 #ifndef OPENSSL_NO_EC
1271 /* If we are client and using an elliptic curve cryptography cipher suite, then server
1272 * must return a an EC point formats lists containing uncompressed.
1274 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1275 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1276 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
1277 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1279 /* we are using an ECC cipher */
1281 unsigned char *list;
1282 int found_uncompressed = 0;
1283 if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
1285 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1288 list = s->session->tlsext_ecpointformatlist;
1289 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1291 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1293 found_uncompressed = 1;
1297 if (!found_uncompressed)
1299 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1303 ret = SSL_TLSEXT_ERR_OK;
1304 #endif /* OPENSSL_NO_EC */
1306 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1307 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1308 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1309 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1311 #ifdef TLSEXT_TYPE_opaque_prf_input
1312 if (s->s3->server_opaque_prf_input_len > 0)
1314 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1315 * So first verify that we really have a value from the server too. */
1317 if (s->s3->server_opaque_prf_input == NULL)
1319 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1320 al = SSL_AD_HANDSHAKE_FAILURE;
1323 /* Anytime the server *has* sent an opaque PRF input, we need to check
1324 * that we have a client opaque PRF input of the same size. */
1325 if (s->s3->client_opaque_prf_input == NULL ||
1326 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1328 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1329 al = SSL_AD_ILLEGAL_PARAMETER;
1334 /* If we've requested certificate status and we wont get one
1337 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1338 && s->ctx->tlsext_status_cb)
1341 /* Set resp to NULL, resplen to -1 so callback knows
1342 * there is no response.
1344 if (s->tlsext_ocsp_resp)
1346 OPENSSL_free(s->tlsext_ocsp_resp);
1347 s->tlsext_ocsp_resp = NULL;
1349 s->tlsext_ocsp_resplen = -1;
1350 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1353 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1354 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1358 al = SSL_AD_INTERNAL_ERROR;
1359 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1365 case SSL_TLSEXT_ERR_ALERT_FATAL:
1366 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1369 case SSL_TLSEXT_ERR_ALERT_WARNING:
1370 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1373 case SSL_TLSEXT_ERR_NOACK:
1374 s->servername_done=0;
1380 /* Since the server cache lookup is done early on in the processing of client
1381 * hello and other operations depend on the result we need to handle any TLS
1382 * session ticket extension at the same time.
1385 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1386 const unsigned char *limit, SSL_SESSION **ret)
1388 /* Point after session ID in client hello */
1389 const unsigned char *p = session_id + len;
1391 if ((s->version <= SSL3_VERSION) || !limit)
1395 /* Skip past cipher list */
1400 /* Skip past compression algorithm list */
1405 /* Now at start of extensions */
1406 if ((p + 2) >= limit)
1409 while ((p + 4) <= limit)
1411 unsigned short type, size;
1414 if (p + size > limit)
1416 if (type == TLSEXT_TYPE_session_ticket)
1418 /* If tickets disabled indicate cache miss which will
1419 * trigger a full handshake
1421 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1423 /* If zero length not client will accept a ticket
1424 * and indicate cache miss to trigger full handshake
1428 s->tlsext_ticket_expected = 1;
1429 return 0; /* Cache miss */
1431 return tls_decrypt_ticket(s, p, size, session_id, len,
1439 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1440 const unsigned char *sess_id, int sesslen,
1441 SSL_SESSION **psess)
1444 unsigned char *sdec;
1445 const unsigned char *p;
1446 int slen, mlen, renew_ticket = 0;
1447 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1450 /* Need at least keyname + iv + some encrypted data */
1453 /* Initialize session ticket encryption and HMAC contexts */
1454 HMAC_CTX_init(&hctx);
1455 EVP_CIPHER_CTX_init(&ctx);
1456 if (s->ctx->tlsext_ticket_key_cb)
1458 unsigned char *nctick = (unsigned char *)etick;
1459 int rv = s->ctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1470 /* Check key name matches */
1471 if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
1473 HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
1474 tlsext_tick_md(), NULL);
1475 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1476 s->ctx->tlsext_tick_aes_key, etick + 16);
1478 /* Attempt to process session ticket, first conduct sanity and
1479 * integrity checks on ticket.
1481 mlen = HMAC_size(&hctx);
1483 /* Check HMAC of encrypted ticket */
1484 HMAC_Update(&hctx, etick, eticklen);
1485 HMAC_Final(&hctx, tick_hmac, NULL);
1486 HMAC_CTX_cleanup(&hctx);
1487 if (memcmp(tick_hmac, etick + eticklen, mlen))
1489 /* Attempt to decrypt session data */
1490 /* Move p after IV to start of encrypted ticket, update length */
1491 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1492 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1493 sdec = OPENSSL_malloc(eticklen);
1496 EVP_CIPHER_CTX_cleanup(&ctx);
1499 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1500 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1503 EVP_CIPHER_CTX_cleanup(&ctx);
1506 sess = d2i_SSL_SESSION(NULL, &p, slen);
1510 /* The session ID if non-empty is used by some clients to
1511 * detect that the ticket has been accepted. So we copy it to
1512 * the session structure. If it is empty set length to zero
1513 * as required by standard.
1516 memcpy(sess->session_id, sess_id, sesslen);
1517 sess->session_id_length = sesslen;
1519 s->tlsext_ticket_expected = renew_ticket;
1522 /* If session decrypt failure indicate a cache miss and set state to
1526 s->tlsext_ticket_expected = 1;