| commit ed5845e49b3c76f8735ec00e151a7b234acc266c |
| Author: Adam Langley <agl@chromium.org> |
| Date: Thu Nov 4 16:06:58 2010 -0400 |
| |
| next_proto_neg.patch |
| |
| diff --git a/apps/apps.c b/apps/apps.c |
| index ab60b70..eede8a8 100644 |
| --- a/apps/apps.c |
| +++ b/apps/apps.c |
| @@ -2579,3 +2579,45 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret) |
| } |
| |
| #endif |
| + |
| +/* next_protos_parse parses a comma separated list of strings into a string |
| + * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. |
| + * outlen: (output) set to the length of the resulting buffer on success. |
| + * err: (maybe NULL) on failure, an error message line is written to this BIO. |
| + * in: a NUL termianted string like "abc,def,ghi" |
| + * |
| + * returns: a malloced buffer |
| + */ |
| +unsigned char *next_protos_parse(unsigned short *outlen, const char *in) |
| + { |
| + size_t len; |
| + unsigned char *out; |
| + size_t i, start = 0; |
| + |
| + len = strlen(in); |
| + if (len > 65535) |
| + return NULL; |
| + |
| + out = OPENSSL_malloc(strlen(in) + 1); |
| + if (!out) |
| + return NULL; |
| + |
| + for (i = 0; i <= len; ++i) |
| + { |
| + if (i == len || in[i] == ',') |
| + { |
| + if (i - start > 255) |
| + { |
| + OPENSSL_free(out); |
| + return NULL; |
| + } |
| + out[start] = i - start; |
| + start = i + 1; |
| + } |
| + else |
| + out[i+1] = in[i]; |
| + } |
| + |
| + *outlen = len + 1; |
| + return out; |
| + } |
| diff --git a/apps/s_apps.h b/apps/s_apps.h |
| index f5a39ba..513bcfe 100644 |
| --- a/apps/s_apps.h |
| +++ b/apps/s_apps.h |
| @@ -174,3 +174,5 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type, |
| |
| int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len); |
| int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len); |
| + |
| +unsigned char *next_protos_parse(unsigned short *outlen, const char *in); |
| diff --git a/apps/s_client.c b/apps/s_client.c |
| index c071658..6033e77 100644 |
| --- a/apps/s_client.c |
| +++ b/apps/s_client.c |
| @@ -249,6 +249,7 @@ static void sc_usage(void) |
| BIO_printf(bio_err," -status - request certificate status from server\n"); |
| BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); |
| BIO_printf(bio_err," -cutthrough - enable 1-RTT full-handshake for strong ciphers\n"); |
| + BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); |
| #endif |
| BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); |
| } |
| @@ -284,6 +285,38 @@ enum |
| PROTO_XMPP |
| }; |
| |
| +/* This the context that we pass to next_proto_cb */ |
| +typedef struct tlsextnextprotoctx_st { |
| + unsigned char *data; |
| + unsigned short len; |
| + int status; |
| +} tlsextnextprotoctx; |
| + |
| +static tlsextnextprotoctx next_proto; |
| + |
| +static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) |
| + { |
| + tlsextnextprotoctx *ctx = arg; |
| + |
| + if (!c_quiet) |
| + { |
| + /* We can assume that |in| is syntactically valid. */ |
| + unsigned i; |
| + BIO_printf(bio_c_out, "Protocols advertised by server: "); |
| + for (i = 0; i < inlen; ) |
| + { |
| + if (i) |
| + BIO_write(bio_c_out, ", ", 2); |
| + BIO_write(bio_c_out, &in[i + 1], in[i]); |
| + i += in[i] + 1; |
| + } |
| + BIO_write(bio_c_out, "\n", 1); |
| + } |
| + |
| + ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len); |
| + return SSL_TLSEXT_ERR_OK; |
| + } |
| + |
| int MAIN(int, char **); |
| |
| int MAIN(int argc, char **argv) |
| @@ -336,6 +369,7 @@ int MAIN(int argc, char **argv) |
| char *servername = NULL; |
| tlsextctx tlsextcbp = |
| {NULL,0}; |
| + const char *next_proto_neg_in = NULL; |
| #endif |
| char *sess_in = NULL; |
| char *sess_out = NULL; |
| @@ -536,6 +570,11 @@ int MAIN(int argc, char **argv) |
| #ifndef OPENSSL_NO_TLSEXT |
| else if (strcmp(*argv,"-no_ticket") == 0) |
| { off|=SSL_OP_NO_TICKET; } |
| + else if (strcmp(*argv,"-nextprotoneg") == 0) |
| + { |
| + if (--argc < 1) goto bad; |
| + next_proto_neg_in = *(++argv); |
| + } |
| #endif |
| else if (strcmp(*argv,"-cutthrough") == 0) |
| cutthrough=1; |
| @@ -624,6 +663,21 @@ bad: |
| OpenSSL_add_ssl_algorithms(); |
| SSL_load_error_strings(); |
| |
| +#ifndef OPENSSL_NO_TLSEXT |
| + next_proto.status = -1; |
| + if (next_proto_neg_in) |
| + { |
| + next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in); |
| + if (next_proto.data == NULL) |
| + { |
| + BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n"); |
| + goto end; |
| + } |
| + } |
| + else |
| + next_proto.data = NULL; |
| +#endif |
| + |
| #ifndef OPENSSL_NO_ENGINE |
| e = setup_engine(bio_err, engine_id, 1); |
| if (ssl_client_engine_id) |
| @@ -738,6 +792,9 @@ bad: |
| SSL_CTX_set_mode(ctx, ssl_mode); |
| } |
| |
| + if (next_proto.data) |
| + SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto); |
| + |
| if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); |
| if (cipher != NULL) |
| if(!SSL_CTX_set_cipher_list(ctx,cipher)) { |
| @@ -1555,6 +1612,20 @@ static void print_stuff(BIO *bio, SSL *s, int full) |
| BIO_printf(bio,"Expansion: %s\n", |
| expansion ? SSL_COMP_get_name(expansion) : "NONE"); |
| #endif |
| + |
| +#ifndef OPENSSL_NO_TLSEXT |
| + { |
| + if (next_proto.status != -1) { |
| + const unsigned char *proto; |
| + unsigned int proto_len; |
| + SSL_get0_next_proto_negotiated(s, &proto, &proto_len); |
| + BIO_printf(bio, "Next protocol: (%d) ", next_proto.status); |
| + BIO_write(bio, proto, proto_len); |
| + BIO_write(bio, "\n", 1); |
| + } |
| + } |
| +#endif |
| + |
| SSL_SESSION_print(bio,SSL_get_session(s)); |
| BIO_printf(bio,"---\n"); |
| if (peer != NULL) |
| diff --git a/apps/s_server.c b/apps/s_server.c |
| index 88b308c..c4e19c9 100644 |
| --- a/apps/s_server.c |
| +++ b/apps/s_server.c |
| @@ -405,6 +405,7 @@ static void sv_usage(void) |
| BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); |
| BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); |
| BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); |
| + BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n"); |
| #endif |
| } |
| |
| @@ -740,6 +741,26 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); |
| goto done; |
| } |
| #endif |
| + |
| + |
| +/* This the context that we pass to next_proto_cb */ |
| +typedef struct tlsextnextprotoctx_st { |
| + unsigned char *data; |
| + unsigned int len; |
| +} tlsextnextprotoctx; |
| + |
| + |
| +static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, void *arg) |
| + { |
| + tlsextnextprotoctx *next_proto = arg; |
| + |
| + *data = next_proto->data; |
| + *len = next_proto->len; |
| + |
| + return SSL_TLSEXT_ERR_OK; |
| + } |
| + |
| + |
| int MAIN(int, char **); |
| |
| #ifndef OPENSSL_NO_JPAKE |
| @@ -779,6 +800,8 @@ int MAIN(int argc, char *argv[]) |
| #endif |
| #ifndef OPENSSL_NO_TLSEXT |
| tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; |
| + const char *next_proto_neg_in = NULL; |
| + tlsextnextprotoctx next_proto; |
| #endif |
| |
| #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) |
| @@ -1077,7 +1100,11 @@ int MAIN(int argc, char *argv[]) |
| if (--argc < 1) goto bad; |
| s_key_file2= *(++argv); |
| } |
| - |
| + else if (strcmp(*argv,"-nextprotoneg") == 0) |
| + { |
| + if (--argc < 1) goto bad; |
| + next_proto_neg_in = *(++argv); |
| + } |
| #endif |
| #ifndef OPENSSL_NO_JPAKE |
| else if (strcmp(*argv,"-jpake") == 0) |
| @@ -1162,6 +1189,20 @@ bad: |
| goto end; |
| } |
| } |
| + |
| + if (next_proto_neg_in) |
| + { |
| + unsigned short len; |
| + next_proto.data = next_protos_parse(&len, |
| + next_proto_neg_in); |
| + if (next_proto.data == NULL) |
| + goto end; |
| + next_proto.len = len; |
| + } |
| + else |
| + { |
| + next_proto.data = NULL; |
| + } |
| #endif |
| } |
| if (s_dcert_file) |
| @@ -1341,6 +1382,11 @@ bad: |
| store = SSL_CTX_get_cert_store(ctx2); |
| X509_STORE_set_flags(store, vflags); |
| } |
| + |
| + if (next_proto.data) |
| + { |
| + SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto); |
| + } |
| #endif |
| |
| |
| @@ -1980,6 +2026,10 @@ static int init_ssl_connection(SSL *con) |
| X509 *peer; |
| long verify_error; |
| MS_STATIC char buf[BUFSIZ]; |
| +#ifndef OPENSSL_NO_TLSEXT |
| + const unsigned char *next_proto_neg; |
| + unsigned next_proto_neg_len; |
| +#endif |
| |
| if ((i=SSL_accept(con)) <= 0) |
| { |
| @@ -2019,6 +2069,14 @@ static int init_ssl_connection(SSL *con) |
| BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); |
| str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); |
| BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); |
| +#ifndef OPENSSL_NO_TLSEXT |
| + SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len); |
| + if (next_proto_neg) { |
| + BIO_printf(bio_s_out,"NEXTPROTO is "); |
| + BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len); |
| + BIO_printf(bio_s_out, "\n"); |
| + } |
| +#endif |
| if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n"); |
| if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) & |
| TLS1_FLAGS_TLS_PADDING_BUG) |
| diff --git a/ssl/s3_both.c b/ssl/s3_both.c |
| index 869a25d..b88288e 100644 |
| --- a/ssl/s3_both.c |
| +++ b/ssl/s3_both.c |
| @@ -204,16 +204,34 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) |
| return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); |
| } |
| |
| +/* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */ |
| +void ssl3_take_mac(SSL *s) { |
| + const char *sender; |
| + int slen; |
| + |
| + if (s->state & SSL_ST_CONNECT) |
| + { |
| + sender=s->method->ssl3_enc->server_finished_label; |
| + slen=s->method->ssl3_enc->server_finished_label_len; |
| + } |
| + else |
| + { |
| + sender=s->method->ssl3_enc->client_finished_label; |
| + slen=s->method->ssl3_enc->client_finished_label_len; |
| + } |
| + |
| + s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, |
| + &(s->s3->finish_dgst1), |
| + &(s->s3->finish_dgst2), |
| + sender,slen,s->s3->tmp.peer_finish_md); |
| +} |
| + |
| int ssl3_get_finished(SSL *s, int a, int b) |
| { |
| int al,i,ok; |
| long n; |
| unsigned char *p; |
| |
| - /* the mac has already been generated when we received the |
| - * change cipher spec message and is in s->s3->tmp.peer_finish_md |
| - */ |
| - |
| n=s->method->ssl_get_message(s, |
| a, |
| b, |
| @@ -516,6 +534,11 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) |
| s->init_num += i; |
| n -= i; |
| } |
| + /* If receiving Finished, record MAC of prior handshake messages for |
| + * Finished verification. */ |
| + if (*s->init_buf->data == SSL3_MT_FINISHED) |
| + ssl3_take_mac(s); |
| + /* Feed this message into MAC computation. */ |
| ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); |
| if (s->msg_callback) |
| s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg); |
| diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c |
| index 6173dbe..f9e1554 100644 |
| --- a/ssl/s3_clnt.c |
| +++ b/ssl/s3_clnt.c |
| @@ -404,7 +404,11 @@ int ssl3_connect(SSL *s) |
| ret=ssl3_send_change_cipher_spec(s, |
| SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); |
| if (ret <= 0) goto end; |
| - s->state=SSL3_ST_CW_FINISHED_A; |
| + |
| + if (s->next_proto_negotiated) |
| + s->state=SSL3_ST_CW_NEXT_PROTO_A; |
| + else |
| + s->state=SSL3_ST_CW_FINISHED_A; |
| s->init_num=0; |
| |
| s->session->cipher=s->s3->tmp.new_cipher; |
| @@ -432,6 +436,13 @@ int ssl3_connect(SSL *s) |
| |
| break; |
| |
| + case SSL3_ST_CW_NEXT_PROTO_A: |
| + case SSL3_ST_CW_NEXT_PROTO_B: |
| + ret=ssl3_send_next_proto(s); |
| + if (ret <= 0) goto end; |
| + s->state=SSL3_ST_CW_FINISHED_A; |
| + break; |
| + |
| case SSL3_ST_CW_FINISHED_A: |
| case SSL3_ST_CW_FINISHED_B: |
| ret=ssl3_send_finished(s, |
| @@ -2752,6 +2763,30 @@ static int curve_id2nid(int curve_id) |
| } |
| #endif |
| |
| +int ssl3_send_next_proto(SSL *s) |
| + { |
| + unsigned int len, padding_len; |
| + unsigned char *d; |
| + |
| + if (s->state == SSL3_ST_CW_NEXT_PROTO_A) |
| + { |
| + len = s->next_proto_negotiated_len; |
| + padding_len = 32 - ((len + 2) % 32); |
| + d = (unsigned char *)s->init_buf->data; |
| + d[4] = len; |
| + memcpy(d + 5, s->next_proto_negotiated, len); |
| + d[5 + len] = padding_len; |
| + memset(d + 6 + len, 0, padding_len); |
| + *(d++)=SSL3_MT_NEXT_PROTO; |
| + l2n3(2 + len + padding_len, d); |
| + s->state = SSL3_ST_CW_NEXT_PROTO_B; |
| + s->init_num = 4 + 2 + len + padding_len; |
| + s->init_off = 0; |
| + } |
| + |
| + return ssl3_do_write(s, SSL3_RT_HANDSHAKE); |
| +} |
| + |
| /* Check to see if handshake is full or resumed. Usually this is just a |
| * case of checking to see if a cache hit has occurred. In the case of |
| * session tickets we have to check the next message to be sure. |
| diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c |
| index 2c44bde..84bff8d 100644 |
| --- a/ssl/s3_lib.c |
| +++ b/ssl/s3_lib.c |
| @@ -1751,6 +1751,14 @@ void ssl3_clear(SSL *s) |
| s->s3->num_renegotiations=0; |
| s->s3->in_read_app_data=0; |
| s->version=SSL3_VERSION; |
| + |
| +#ifndef OPENSSL_NO_TLSEXT |
| + if (s->next_proto_negotiated) { |
| + OPENSSL_free(s->next_proto_negotiated); |
| + s->next_proto_negotiated = 0; |
| + s->next_proto_negotiated_len = 0; |
| + } |
| +#endif |
| } |
| |
| long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) |
| diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c |
| index 5e3583c..6853058 100644 |
| --- a/ssl/s3_pkt.c |
| +++ b/ssl/s3_pkt.c |
| @@ -1264,8 +1264,6 @@ err: |
| int ssl3_do_change_cipher_spec(SSL *s) |
| { |
| int i; |
| - const char *sender; |
| - int slen; |
| |
| if (s->state & SSL_ST_ACCEPT) |
| i=SSL3_CHANGE_CIPHER_SERVER_READ; |
| @@ -1288,25 +1286,6 @@ int ssl3_do_change_cipher_spec(SSL *s) |
| if (!s->method->ssl3_enc->change_cipher_state(s,i)) |
| return(0); |
| |
| - /* we have to record the message digest at |
| - * this point so we can get it before we read |
| - * the finished message */ |
| - if (s->state & SSL_ST_CONNECT) |
| - { |
| - sender=s->method->ssl3_enc->server_finished_label; |
| - slen=s->method->ssl3_enc->server_finished_label_len; |
| - } |
| - else |
| - { |
| - sender=s->method->ssl3_enc->client_finished_label; |
| - slen=s->method->ssl3_enc->client_finished_label_len; |
| - } |
| - |
| - s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, |
| - &(s->s3->finish_dgst1), |
| - &(s->s3->finish_dgst2), |
| - sender,slen,s->s3->tmp.peer_finish_md); |
| - |
| return(1); |
| } |
| |
| diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c |
| index e696450..8e0a504 100644 |
| --- a/ssl/s3_srvr.c |
| +++ b/ssl/s3_srvr.c |
| @@ -499,7 +499,10 @@ int ssl3_accept(SSL *s) |
| * a certificate, the CertificateVerify |
| * message is not sent. |
| */ |
| - s->state=SSL3_ST_SR_FINISHED_A; |
| + if (s->s3->next_proto_neg_seen) |
| + s->state=SSL3_ST_SR_NEXT_PROTO_A; |
| + else |
| + s->state=SSL3_ST_SR_FINISHED_A; |
| s->init_num = 0; |
| } |
| else |
| @@ -526,10 +529,21 @@ int ssl3_accept(SSL *s) |
| ret=ssl3_get_cert_verify(s); |
| if (ret <= 0) goto end; |
| |
| - s->state=SSL3_ST_SR_FINISHED_A; |
| + if (s->s3->next_proto_neg_seen) |
| + s->state=SSL3_ST_SR_NEXT_PROTO_A; |
| + else |
| + s->state=SSL3_ST_SR_FINISHED_A; |
| s->init_num=0; |
| break; |
| |
| + case SSL3_ST_SR_NEXT_PROTO_A: |
| + case SSL3_ST_SR_NEXT_PROTO_B: |
| + ret=ssl3_get_next_proto(s); |
| + if (ret <= 0) goto end; |
| + s->init_num = 0; |
| + s->state=SSL3_ST_SR_FINISHED_A; |
| + break; |
| + |
| case SSL3_ST_SR_FINISHED_A: |
| case SSL3_ST_SR_FINISHED_B: |
| ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, |
| @@ -597,7 +611,12 @@ int ssl3_accept(SSL *s) |
| if (ret <= 0) goto end; |
| s->state=SSL3_ST_SW_FLUSH; |
| if (s->hit) |
| - s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; |
| + { |
| + if (s->s3->next_proto_neg_seen) |
| + s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; |
| + else |
| + s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; |
| + } |
| else |
| s->s3->tmp.next_state=SSL_ST_OK; |
| s->init_num=0; |
| @@ -2324,6 +2343,70 @@ err: |
| return(-1); |
| } |
| |
| +/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It |
| + * sets the next_proto member in s if found */ |
| +int ssl3_get_next_proto(SSL *s) |
| + { |
| + int ok; |
| + unsigned proto_len, padding_len; |
| + long n; |
| + const unsigned char *p; |
| + |
| + /* Clients cannot send a NextProtocol message if we didn't see the |
| + * extension in their ClientHello */ |
| + if (!s->s3->next_proto_neg_seen) { |
| + SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION); |
| + return -1; |
| + } |
| + |
| + n=s->method->ssl_get_message(s, |
| + SSL3_ST_SR_NEXT_PROTO_A, |
| + SSL3_ST_SR_NEXT_PROTO_B, |
| + SSL3_MT_NEXT_PROTO, |
| + 129, |
| + &ok); |
| + |
| + if (!ok) |
| + return((int)n); |
| + |
| + /* s->state doesn't reflect whether ChangeCipherSpec has been received |
| + * in this handshake, but s->s3->change_cipher_spec does (will be reset |
| + * by ssl3_get_finished). */ |
| + if (!s->s3->change_cipher_spec) |
| + { |
| + SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS); |
| + return -1; |
| + } |
| + |
| + if (n < 2) |
| + return 0; // The body must be > 1 bytes long */ |
| + |
| + p=(unsigned char *)s->init_msg; |
| + |
| + /* The payload looks like: |
| + * uint8 proto_len; |
| + * uint8 proto[proto_len]; |
| + * uint8 padding_len; |
| + * uint8 padding[padding_len]; |
| + */ |
| + proto_len = p[0]; |
| + if (proto_len + 2 > s->init_num) |
| + return 0; |
| + padding_len = p[proto_len + 1]; |
| + if (proto_len + padding_len + 2 != s->init_num) |
| + return 0; |
| + |
| + s->next_proto_negotiated = OPENSSL_malloc(proto_len); |
| + if (!s->next_proto_negotiated) { |
| + SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE); |
| + return 0; |
| + } |
| + memcpy(s->next_proto_negotiated, p + 1, proto_len); |
| + s->next_proto_negotiated_len = proto_len; |
| + |
| + return 1; |
| + } |
| + |
| int ssl3_get_cert_verify(SSL *s) |
| { |
| EVP_PKEY *pkey=NULL; |
| diff --git a/ssl/ssl.h b/ssl/ssl.h |
| index 9ab9495..dc8dff8 100644 |
| --- a/ssl/ssl.h |
| +++ b/ssl/ssl.h |
| @@ -801,6 +801,23 @@ struct ssl_ctx_st |
| /* Callback for status request */ |
| int (*tlsext_status_cb)(SSL *ssl, void *arg); |
| void *tlsext_status_arg; |
| + |
| + /* Next protocol negotiation information */ |
| + /* (for experimental NPN extension). */ |
| + |
| + /* For a server, this contains a callback function by which the set of |
| + * advertised protocols can be provided. */ |
| + int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf, |
| + unsigned int *len, void *arg); |
| + void *next_protos_advertised_cb_arg; |
| + /* For a client, this contains a callback function that selects the |
| + * next protocol from the list provided by the server. */ |
| + int (*next_proto_select_cb)(SSL *s, unsigned char **out, |
| + unsigned char *outlen, |
| + const unsigned char *in, |
| + unsigned int inlen, |
| + void *arg); |
| + void *next_proto_select_cb_arg; |
| #endif |
| |
| }; |
| @@ -857,6 +874,15 @@ int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e); |
| #endif |
| void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)); |
| void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)); |
| +void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s, int (*cb) (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg); |
| +void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s, int (*cb) (SSL *ssl, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg); |
| + |
| +int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, const unsigned char *client, unsigned int client_len); |
| +void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len); |
| + |
| +#define OPENSSL_NPN_UNSUPPORTED 0 |
| +#define OPENSSL_NPN_NEGOTIATED 1 |
| +#define OPENSSL_NPN_NO_OVERLAP 2 |
| |
| #define SSL_NOTHING 1 |
| #define SSL_WRITING 2 |
| @@ -1054,6 +1080,16 @@ struct ssl_st |
| /* RFC4507 session ticket expected to be received or sent */ |
| int tlsext_ticket_expected; |
| SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ |
| + |
| + /* Next protocol negotiation. For the client, this is the protocol that |
| + * we sent in NextProtocol and is set when handling ServerHello |
| + * extensions. |
| + * |
| + * For a server, this is the client's selected_protocol from |
| + * NextProtocol and is set when handling the NextProtocol message, |
| + * before the Finished message. */ |
| + unsigned char *next_proto_negotiated; |
| + unsigned char next_proto_negotiated_len; |
| #define session_ctx initial_ctx |
| #else |
| #define session_ctx ctx |
| @@ -1761,6 +1797,7 @@ void ERR_load_SSL_strings(void); |
| #define SSL_F_SSL3_GET_KEY_EXCHANGE 141 |
| #define SSL_F_SSL3_GET_MESSAGE 142 |
| #define SSL_F_SSL3_GET_NEW_SESSION_TICKET 283 |
| +#define SSL_F_SSL3_GET_NEXT_PROTO 297 |
| #define SSL_F_SSL3_GET_RECORD 143 |
| #define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144 |
| #define SSL_F_SSL3_GET_SERVER_DONE 145 |
| @@ -1827,6 +1864,7 @@ void ERR_load_SSL_strings(void); |
| #define SSL_F_SSL_INIT_WBIO_BUFFER 184 |
| #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 |
| #define SSL_F_SSL_NEW 186 |
| +#define SSL_F_SSL_NEXT_PROTOS_PARSE 298 |
| #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 287 |
| #define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 290 |
| #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 289 |
| @@ -1869,6 +1907,7 @@ void ERR_load_SSL_strings(void); |
| #define SSL_F_TLS1_ENC 210 |
| #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 |
| #define SSL_F_WRITE_PENDING 212 |
| +/* Next entry: 299 */ |
| |
| /* Reason codes. */ |
| #define SSL_R_APP_DATA_IN_HANDSHAKE 100 |
| @@ -1939,6 +1978,8 @@ void ERR_load_SSL_strings(void); |
| #define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 |
| #define SSL_R_EXTRA_DATA_IN_MESSAGE 153 |
| #define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154 |
| +#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 334 |
| +#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 335 |
| #define SSL_R_HTTPS_PROXY_REQUEST 155 |
| #define SSL_R_HTTP_REQUEST 156 |
| #define SSL_R_ILLEGAL_PADDING 283 |
| @@ -2120,6 +2161,7 @@ void ERR_load_SSL_strings(void); |
| #define SSL_R_WRONG_VERSION_NUMBER 267 |
| #define SSL_R_X509_LIB 268 |
| #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 |
| +/* Next entry: 335 or 1115 */ |
| |
| #ifdef __cplusplus |
| } |
| diff --git a/ssl/ssl3.h b/ssl/ssl3.h |
| index afbdd70..54b73b7 100644 |
| --- a/ssl/ssl3.h |
| +++ b/ssl/ssl3.h |
| @@ -394,6 +394,9 @@ typedef struct ssl3_state_st |
| |
| int in_read_app_data; |
| |
| + /* Set if we saw the Next Protocol Negotiation extension from our peer. */ |
| + int next_proto_neg_seen; |
| + |
| struct { |
| /* actually only needs to be 16+20 */ |
| unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2]; |
| @@ -484,6 +487,8 @@ typedef struct ssl3_state_st |
| #define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT) |
| #define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT) |
| #define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) |
| +#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) |
| +#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) |
| #define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) |
| #define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) |
| /* read from server */ |
| @@ -529,6 +534,8 @@ typedef struct ssl3_state_st |
| #define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT) |
| #define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT) |
| #define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT) |
| +#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) |
| +#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) |
| #define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) |
| #define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT) |
| /* write to client */ |
| @@ -553,6 +560,7 @@ typedef struct ssl3_state_st |
| #define SSL3_MT_CLIENT_KEY_EXCHANGE 16 |
| #define SSL3_MT_FINISHED 20 |
| #define SSL3_MT_CERTIFICATE_STATUS 22 |
| +#define SSL3_MT_NEXT_PROTO 67 |
| #define DTLS1_MT_HELLO_VERIFY_REQUEST 3 |
| |
| |
| diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c |
| index 7eb5202..ff9c856 100644 |
| --- a/ssl/ssl_err.c |
| +++ b/ssl/ssl_err.c |
| @@ -154,6 +154,7 @@ static ERR_STRING_DATA SSL_str_functs[]= |
| {ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"}, |
| {ERR_FUNC(SSL_F_SSL3_GET_MESSAGE), "SSL3_GET_MESSAGE"}, |
| {ERR_FUNC(SSL_F_SSL3_GET_NEW_SESSION_TICKET), "SSL3_GET_NEW_SESSION_TICKET"}, |
| +{ERR_FUNC(SSL_F_SSL3_GET_NEXT_PROTO), "SSL3_GET_NEXT_PROTO"}, |
| {ERR_FUNC(SSL_F_SSL3_GET_RECORD), "SSL3_GET_RECORD"}, |
| {ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE), "SSL3_GET_SERVER_CERTIFICATE"}, |
| {ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "SSL3_GET_SERVER_DONE"}, |
| @@ -220,6 +221,7 @@ static ERR_STRING_DATA SSL_str_functs[]= |
| {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"}, |
| {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, |
| {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"}, |
| +{ERR_FUNC(SSL_F_SSL_NEXT_PROTOS_PARSE), "SSL_next_protos_parse"}, |
| {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"}, |
| {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"}, |
| {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"}, |
| @@ -335,6 +337,8 @@ static ERR_STRING_DATA SSL_str_reasons[]= |
| {ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"}, |
| {ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"}, |
| {ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"}, |
| +{ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS),"got next proto before a ccs"}, |
| +{ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION),"got next proto without seeing extension"}, |
| {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, |
| {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"}, |
| {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"}, |
| diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c |
| index 96e056d..cfa70ec 100644 |
| --- a/ssl/ssl_lib.c |
| +++ b/ssl/ssl_lib.c |
| @@ -323,6 +323,7 @@ SSL *SSL_new(SSL_CTX *ctx) |
| s->tlsext_ocsp_resplen = -1; |
| CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); |
| s->initial_ctx=ctx; |
| + s->next_proto_negotiated = NULL; |
| #endif |
| s->verify_result=X509_V_OK; |
| |
| @@ -532,6 +533,11 @@ void SSL_free(SSL *s) |
| kssl_ctx_free(s->kssl_ctx); |
| #endif /* OPENSSL_NO_KRB5 */ |
| |
| +#ifndef OPENSSL_NO_TLSEXT |
| + if (s->next_proto_negotiated) |
| + OPENSSL_free(s->next_proto_negotiated); |
| +#endif |
| + |
| OPENSSL_free(s); |
| } |
| |
| @@ -1576,6 +1582,8 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) |
| ret->tlsext_status_cb = 0; |
| ret->tlsext_status_arg = NULL; |
| |
| + ret->next_protos_advertised_cb = 0; |
| + ret->next_proto_select_cb = 0; |
| #endif |
| |
| #ifndef OPENSSL_NO_ENGINE |
| @@ -1677,6 +1685,7 @@ void SSL_CTX_free(SSL_CTX *a) |
| if (a->client_cert_engine) |
| ENGINE_finish(a->client_cert_engine); |
| #endif |
| + |
| OPENSSL_free(a); |
| } |
| |
| @@ -2752,6 +2761,123 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int con |
| SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); |
| } |
| |
| +#ifndef OPENSSL_NO_TLSEXT |
| +/* SSL_select_next_proto implements the standard protocol selection. It is |
| + * expected that this function is called from the callback set by |
| + * SSL_CTX_set_next_proto_select_cb. |
| + * |
| + * The protocol data is assumed to be a vector of 8-bit, length prefixed byte |
| + * strings. The length byte itself is not included in the length. A byte |
| + * string of length 0 is invalid. No byte string may be truncated. |
| + * |
| + * The current, but experimental algorithm for selecting the protocol is: |
| + * |
| + * 1) If the server doesn't support NPN then this is indicated to the |
| + * callback. In this case, the client application has to abort the connection |
| + * or have a default application level protocol. |
| + * |
| + * 2) If the server supports NPN, but advertises an empty list then the |
| + * client selects the first protcol in its list, but indicates via the |
| + * API that this fallback case was enacted. |
| + * |
| + * 3) Otherwise, the client finds the first protocol in the server's list |
| + * that it supports and selects this protocol. This is because it's |
| + * assumed that the server has better information about which protocol |
| + * a client should use. |
| + * |
| + * 4) If the client doesn't support any of the server's advertised |
| + * protocols, then this is treated the same as case 2. |
| + * |
| + * It returns either |
| + * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or |
| + * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached. |
| + */ |
| +int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *server, unsigned int server_len, const unsigned char *client, unsigned int client_len) |
| + { |
| + unsigned int i, j; |
| + const unsigned char *result; |
| + int status = OPENSSL_NPN_UNSUPPORTED; |
| + |
| + /* For each protocol in server preference order, see if we support it. */ |
| + for (i = 0; i < server_len; ) |
| + { |
| + for (j = 0; j < client_len; ) |
| + { |
| + if (server[i] == client[j] && |
| + memcmp(&server[i+1], &client[j+1], server[i]) == 0) |
| + { |
| + /* We found a match */ |
| + result = &server[i]; |
| + status = OPENSSL_NPN_NEGOTIATED; |
| + goto found; |
| + } |
| + j += client[j]; |
| + j++; |
| + } |
| + i += server[i]; |
| + i++; |
| + } |
| + |
| + /* There's no overlap between our protocols and the server's list. */ |
| + result = client; |
| + status = OPENSSL_NPN_NO_OVERLAP; |
| + |
| + found: |
| + *out = (unsigned char *) result + 1; |
| + *outlen = result[0]; |
| + return status; |
| + } |
| + |
| +/* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's |
| + * requested protocol for this connection and returns 0. If the client didn't |
| + * request any protocol, then *data is set to NULL. |
| + * |
| + * Note that the client can request any protocol it chooses. The value returned |
| + * from this function need not be a member of the list of supported protocols |
| + * provided by the callback. |
| + */ |
| +void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len) |
| + { |
| + *data = s->next_proto_negotiated; |
| + if (!*data) { |
| + *len = 0; |
| + } else { |
| + *len = s->next_proto_negotiated_len; |
| + } |
| +} |
| + |
| +/* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a |
| + * TLS server needs a list of supported protocols for Next Protocol |
| + * Negotiation. The returned list must be in wire format. The list is returned |
| + * by setting |out| to point to it and |outlen| to its length. This memory will |
| + * not be modified, but one should assume that the SSL* keeps a reference to |
| + * it. |
| + * |
| + * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. Otherwise, no |
| + * such extension will be included in the ServerHello. */ |
| +void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg) |
| + { |
| + ctx->next_protos_advertised_cb = cb; |
| + ctx->next_protos_advertised_cb_arg = arg; |
| + } |
| + |
| +/* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a |
| + * client needs to select a protocol from the server's provided list. |out| |
| + * must be set to point to the selected protocol (which may be within |in|). |
| + * The length of the protocol name must be written into |outlen|. The server's |
| + * advertised protocols are provided in |in| and |inlen|. The callback can |
| + * assume that |in| is syntactically valid. |
| + * |
| + * The client must select a protocol. It is fatal to the connection if this |
| + * callback returns a value other than SSL_TLSEXT_ERR_OK. |
| + */ |
| +void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg) |
| + { |
| + ctx->next_proto_select_cb = cb; |
| + ctx->next_proto_select_cb_arg = arg; |
| + } |
| +#endif |
| + |
| int SSL_cutthrough_complete(const SSL *s) |
| { |
| return (!s->server && /* cutthrough only applies to clients */ |
| diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h |
| index e305db4..a9183ff 100644 |
| --- a/ssl/ssl_locl.h |
| +++ b/ssl/ssl_locl.h |
| @@ -895,6 +895,7 @@ int ssl3_get_server_certificate(SSL *s); |
| int ssl3_check_cert_and_algorithm(SSL *s); |
| #ifndef OPENSSL_NO_TLSEXT |
| int ssl3_check_finished(SSL *s); |
| +int ssl3_send_next_proto(SSL *s); |
| #endif |
| |
| int dtls1_client_hello(SSL *s); |
| @@ -913,6 +914,7 @@ int ssl3_check_client_hello(SSL *s); |
| int ssl3_get_client_certificate(SSL *s); |
| int ssl3_get_client_key_exchange(SSL *s); |
| int ssl3_get_cert_verify(SSL *s); |
| +int ssl3_get_next_proto(SSL *s); |
| |
| int dtls1_send_hello_request(SSL *s); |
| int dtls1_send_server_hello(SSL *s); |
| diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c |
| index 8b53112..fd35b18 100644 |
| --- a/ssl/t1_lib.c |
| +++ b/ssl/t1_lib.c |
| @@ -271,6 +271,16 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha |
| i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); |
| } |
| |
| + if (s->ctx->next_proto_select_cb) |
| + { |
| + /* The client advertises an emtpy extension to indicate its |
| + * support for Next Protocol Negotiation */ |
| + if (limit - ret - 4 < 0) |
| + return NULL; |
| + s2n(TLSEXT_TYPE_next_proto_neg,ret); |
| + s2n(0,ret); |
| + } |
| + |
| if ((extdatalen = ret-p-2)== 0) |
| return p; |
| |
| @@ -282,6 +292,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha |
| { |
| int extdatalen=0; |
| unsigned char *ret = p; |
| + char next_proto_neg_seen; |
| |
| /* don't add extensions for SSLv3, unless doing secure renegotiation */ |
| if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) |
| @@ -337,6 +348,26 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha |
| s2n(0,ret); |
| } |
| |
| + next_proto_neg_seen = s->s3->next_proto_neg_seen; |
| + s->s3->next_proto_neg_seen = 0; |
| + if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) |
| + { |
| + const unsigned char *npa; |
| + unsigned int npalen; |
| + int r; |
| + |
| + r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); |
| + if (r == SSL_TLSEXT_ERR_OK) |
| + { |
| + if ((long)(limit - ret - 4 - npalen) < 0) return NULL; |
| + s2n(TLSEXT_TYPE_next_proto_neg,ret); |
| + s2n(npalen,ret); |
| + memcpy(ret, npa, npalen); |
| + ret += npalen; |
| + s->s3->next_proto_neg_seen = 1; |
| + } |
| + } |
| + |
| if ((extdatalen = ret-p-2)== 0) |
| return p; |
| |
| @@ -576,6 +607,25 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in |
| else |
| s->tlsext_status_type = -1; |
| } |
| + else if (type == TLSEXT_TYPE_next_proto_neg) |
| + { |
| + /* We shouldn't accept this extension on a |
| + * renegotiation, but we currently do. |
| + * |
| + * s->new_session will be set on renegotiation, but we |
| + * probably shouldn't rely that it couldn't be set on |
| + * the initial renegotation too in certain cases (when |
| + * there's some other reason to disallow resuming an |
| + * earlier session -- the current code won't be doing |
| + * anything like that, but this might change). |
| + |
| + * A valid sign that there's been a previous handshake |
| + * in this connection is if s->s3->tmp.finish_md_len > |
| + * 0. (We are talking about a check that will happen |
| + * in the Hello protocol round, well before a new |
| + * Finished message could have been computed.) */ |
| + s->s3->next_proto_neg_seen = 1; |
| + } |
| |
| /* session ticket processed earlier */ |
| |
| @@ -599,6 +649,24 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in |
| return 1; |
| } |
| |
| +/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No |
| + * elements of zero length are allowed and the set of elements must exactly fill |
| + * the length of the block. */ |
| +static char ssl_next_proto_validate(unsigned char *d, unsigned len) |
| + { |
| + unsigned int off = 0; |
| + |
| + while (off < len) |
| + { |
| + if (d[off] == 0) |
| + return 0; |
| + off += d[off]; |
| + off++; |
| + } |
| + |
| + return off == len; |
| + } |
| + |
| int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) |
| { |
| unsigned short type; |
| @@ -658,6 +726,37 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in |
| /* Set flag to expect CertificateStatus message */ |
| s->tlsext_status_expected = 1; |
| } |
| + else if (type == TLSEXT_TYPE_next_proto_neg) |
| + { |
| + unsigned char *selected; |
| + unsigned char selected_len; |
| + |
| + /* We must have requested it. */ |
| + if ((s->ctx->next_proto_select_cb == NULL)) |
| + { |
| + *al = TLS1_AD_UNSUPPORTED_EXTENSION; |
| + return 0; |
| + } |
| + /* The data must be valid */ |
| + if (!ssl_next_proto_validate(data, size)) |
| + { |
| + *al = TLS1_AD_DECODE_ERROR; |
| + return 0; |
| + } |
| + if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) |
| + { |
| + *al = TLS1_AD_INTERNAL_ERROR; |
| + return 0; |
| + } |
| + s->next_proto_negotiated = OPENSSL_malloc(selected_len); |
| + if (!s->next_proto_negotiated) |
| + { |
| + *al = TLS1_AD_INTERNAL_ERROR; |
| + return 0; |
| + } |
| + memcpy(s->next_proto_negotiated, selected, selected_len); |
| + s->next_proto_negotiated_len = selected_len; |
| + } |
| else if (type == TLSEXT_TYPE_renegotiate) |
| { |
| if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) |
| diff --git a/ssl/tls1.h b/ssl/tls1.h |
| index afe4807..71d76de 100644 |
| --- a/ssl/tls1.h |
| +++ b/ssl/tls1.h |
| @@ -118,6 +118,9 @@ extern "C" { |
| /* Temporary extension type */ |
| #define TLSEXT_TYPE_renegotiate 0xff01 |
| |
| +/* This is not an IANA defined extension number */ |
| +#define TLSEXT_TYPE_next_proto_neg 13172 |
| + |
| /* NameType value from RFC 3546 */ |
| #define TLSEXT_NAMETYPE_host_name 0 |
| /* status request value from RFC 3546 */ |