2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/objects.h>
13 #include <openssl/evp.h>
14 #include <openssl/hmac.h>
15 #include <openssl/ocsp.h>
16 #include <openssl/conf.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/dh.h>
19 #include <openssl/bn.h>
21 #include <openssl/ct.h>
23 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
24 const unsigned char *sess_id, size_t sesslen,
26 static int ssl_check_clienthello_tlsext_early(SSL *s);
27 static int ssl_check_serverhello_tlsext(SSL *s);
29 SSL3_ENC_METHOD const TLSv1_enc_data = {
33 tls1_generate_master_secret,
34 tls1_change_cipher_state,
35 tls1_final_finish_mac,
36 TLS1_FINISH_MAC_LENGTH,
37 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
38 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
40 tls1_export_keying_material,
42 SSL3_HM_HEADER_LENGTH,
43 ssl3_set_handshake_header,
44 tls_close_construct_packet,
48 SSL3_ENC_METHOD const TLSv1_1_enc_data = {
52 tls1_generate_master_secret,
53 tls1_change_cipher_state,
54 tls1_final_finish_mac,
55 TLS1_FINISH_MAC_LENGTH,
56 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
57 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
59 tls1_export_keying_material,
60 SSL_ENC_FLAG_EXPLICIT_IV,
61 SSL3_HM_HEADER_LENGTH,
62 ssl3_set_handshake_header,
63 tls_close_construct_packet,
67 SSL3_ENC_METHOD const TLSv1_2_enc_data = {
71 tls1_generate_master_secret,
72 tls1_change_cipher_state,
73 tls1_final_finish_mac,
74 TLS1_FINISH_MAC_LENGTH,
75 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
76 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
78 tls1_export_keying_material,
79 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
80 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
81 SSL3_HM_HEADER_LENGTH,
82 ssl3_set_handshake_header,
83 tls_close_construct_packet,
87 SSL3_ENC_METHOD const TLSv1_3_enc_data = {
91 tls1_generate_master_secret,
92 tls1_change_cipher_state,
93 tls1_final_finish_mac,
94 TLS1_FINISH_MAC_LENGTH,
95 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
96 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
98 tls1_export_keying_material,
99 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
100 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
101 SSL3_HM_HEADER_LENGTH,
102 ssl3_set_handshake_header,
103 tls_close_construct_packet,
107 long tls1_default_timeout(void)
110 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
111 * http, the cache would over fill
113 return (60 * 60 * 2);
120 s->method->ssl_clear(s);
124 void tls1_free(SSL *s)
126 OPENSSL_free(s->tlsext_session_ticket);
130 void tls1_clear(SSL *s)
133 if (s->method->version == TLS_ANY_VERSION)
134 s->version = TLS_MAX_VERSION;
136 s->version = s->method->version;
139 #ifndef OPENSSL_NO_EC
142 int nid; /* Curve NID */
143 int secbits; /* Bits of security (from SP800-57) */
144 unsigned int flags; /* Flags: currently just field type */
148 * Table of curve information.
149 * Do not delete entries or reorder this array! It is used as a lookup
150 * table: the index of each entry is one less than the TLS curve id.
152 static const tls_curve_info nid_list[] = {
153 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
154 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
155 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
156 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
157 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
158 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
159 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
160 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
161 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
162 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
163 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
164 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
165 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
166 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
167 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
168 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
169 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
170 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
171 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
172 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
173 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
174 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
175 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
176 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
177 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
178 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
179 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
180 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
181 {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
184 static const unsigned char ecformats_default[] = {
185 TLSEXT_ECPOINTFORMAT_uncompressed,
186 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
187 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
190 /* The default curves */
191 static const unsigned char eccurves_default[] = {
192 0, 29, /* X25519 (29) */
193 0, 23, /* secp256r1 (23) */
194 0, 25, /* secp521r1 (25) */
195 0, 24, /* secp384r1 (24) */
198 static const unsigned char eccurves_all[] = {
199 0, 29, /* X25519 (29) */
200 0, 23, /* secp256r1 (23) */
201 0, 25, /* secp521r1 (25) */
202 0, 24, /* secp384r1 (24) */
203 0, 26, /* brainpoolP256r1 (26) */
204 0, 27, /* brainpoolP384r1 (27) */
205 0, 28, /* brainpool512r1 (28) */
208 * Remaining curves disabled by default but still permitted if set
209 * via an explicit callback or parameters.
211 0, 22, /* secp256k1 (22) */
212 0, 14, /* sect571r1 (14) */
213 0, 13, /* sect571k1 (13) */
214 0, 11, /* sect409k1 (11) */
215 0, 12, /* sect409r1 (12) */
216 0, 9, /* sect283k1 (9) */
217 0, 10, /* sect283r1 (10) */
218 0, 20, /* secp224k1 (20) */
219 0, 21, /* secp224r1 (21) */
220 0, 18, /* secp192k1 (18) */
221 0, 19, /* secp192r1 (19) */
222 0, 15, /* secp160k1 (15) */
223 0, 16, /* secp160r1 (16) */
224 0, 17, /* secp160r2 (17) */
225 0, 8, /* sect239k1 (8) */
226 0, 6, /* sect233k1 (6) */
227 0, 7, /* sect233r1 (7) */
228 0, 4, /* sect193r1 (4) */
229 0, 5, /* sect193r2 (5) */
230 0, 1, /* sect163k1 (1) */
231 0, 2, /* sect163r1 (2) */
232 0, 3, /* sect163r2 (3) */
235 static const unsigned char suiteb_curves[] = {
236 0, TLSEXT_curve_P_256,
237 0, TLSEXT_curve_P_384
240 int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags)
242 const tls_curve_info *cinfo;
243 /* ECC curves from RFC 4492 and RFC 7027 */
244 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
246 cinfo = nid_list + curve_id - 1;
248 *pflags = cinfo->flags;
252 int tls1_ec_nid2curve_id(int nid)
255 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
256 if (nid_list[i].nid == nid)
263 * Get curves list, if "sess" is set return client curves otherwise
265 * Sets |num_curves| to the number of curves in the list, i.e.,
266 * the length of |pcurves| is 2 * num_curves.
267 * Returns 1 on success and 0 if the client curves list has invalid format.
268 * The latter indicates an internal error: we should not be accepting such
269 * lists in the first place.
270 * TODO(emilia): we should really be storing the curves list in explicitly
271 * parsed form instead. (However, this would affect binary compatibility
272 * so cannot happen in the 1.0.x series.)
274 static int tls1_get_curvelist(SSL *s, int sess,
275 const unsigned char **pcurves, size_t *num_curves)
277 size_t pcurveslen = 0;
279 *pcurves = s->session->tlsext_ellipticcurvelist;
280 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
282 /* For Suite B mode only include P-256, P-384 */
283 switch (tls1_suiteb(s)) {
284 case SSL_CERT_FLAG_SUITEB_128_LOS:
285 *pcurves = suiteb_curves;
286 pcurveslen = sizeof(suiteb_curves);
289 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
290 *pcurves = suiteb_curves;
294 case SSL_CERT_FLAG_SUITEB_192_LOS:
295 *pcurves = suiteb_curves + 2;
299 *pcurves = s->tlsext_ellipticcurvelist;
300 pcurveslen = s->tlsext_ellipticcurvelist_length;
303 *pcurves = eccurves_default;
304 pcurveslen = sizeof(eccurves_default);
308 /* We do not allow odd length arrays to enter the system. */
309 if (pcurveslen & 1) {
310 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
314 *num_curves = pcurveslen / 2;
319 /* See if curve is allowed by security callback */
320 static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
322 const tls_curve_info *cinfo;
325 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
327 cinfo = &nid_list[curve[1] - 1];
328 # ifdef OPENSSL_NO_EC2M
329 if (cinfo->flags & TLS_CURVE_CHAR2)
332 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
335 /* Check a curve is one of our preferences */
336 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
338 const unsigned char *curves;
339 size_t num_curves, i;
340 unsigned int suiteb_flags = tls1_suiteb(s);
341 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
343 /* Check curve matches Suite B preferences */
345 unsigned long cid = s->s3->tmp.new_cipher->id;
348 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
349 if (p[2] != TLSEXT_curve_P_256)
351 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
352 if (p[2] != TLSEXT_curve_P_384)
354 } else /* Should never happen */
357 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
359 for (i = 0; i < num_curves; i++, curves += 2) {
360 if (p[1] == curves[0] && p[2] == curves[1])
361 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
367 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
368 * if there is no match.
369 * For nmatch == -1, return number of matches
370 * For nmatch == -2, return the NID of the curve to use for
371 * an EC tmp key, or NID_undef if there is no match.
373 int tls1_shared_curve(SSL *s, int nmatch)
375 const unsigned char *pref, *supp;
376 size_t num_pref, num_supp, i, j;
378 /* Can't do anything on client side */
382 if (tls1_suiteb(s)) {
384 * For Suite B ciphersuite determines curve: we already know
385 * these are acceptable due to previous checks.
387 unsigned long cid = s->s3->tmp.new_cipher->id;
388 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
389 return NID_X9_62_prime256v1; /* P-256 */
390 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
391 return NID_secp384r1; /* P-384 */
392 /* Should never happen */
395 /* If not Suite B just return first preference shared curve */
399 * Avoid truncation. tls1_get_curvelist takes an int
400 * but s->options is a long...
402 if (!tls1_get_curvelist
403 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
405 /* In practice, NID_undef == 0 but let's be precise. */
406 return nmatch == -1 ? 0 : NID_undef;
407 if (!tls1_get_curvelist
408 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, &num_pref))
409 return nmatch == -1 ? 0 : NID_undef;
412 * If the client didn't send the elliptic_curves extension all of them
415 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
417 num_supp = sizeof(eccurves_all) / 2;
418 } else if (num_pref == 0 &&
419 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
421 num_pref = sizeof(eccurves_all) / 2;
425 for (i = 0; i < num_pref; i++, pref += 2) {
426 const unsigned char *tsupp = supp;
427 for (j = 0; j < num_supp; j++, tsupp += 2) {
428 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
429 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
432 int id = (pref[0] << 8) | pref[1];
433 return tls1_ec_curve_id2nid(id, NULL);
441 /* Out of range (nmatch > k). */
445 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
446 int *curves, size_t ncurves)
448 unsigned char *clist, *p;
451 * Bitmap of curves included to detect duplicates: only works while curve
454 unsigned long dup_list = 0;
455 clist = OPENSSL_malloc(ncurves * 2);
458 for (i = 0, p = clist; i < ncurves; i++) {
459 unsigned long idmask;
461 id = tls1_ec_nid2curve_id(curves[i]);
463 if (!id || (dup_list & idmask)) {
472 *pextlen = ncurves * 2;
476 # define MAX_CURVELIST 28
480 int nid_arr[MAX_CURVELIST];
483 static int nid_cb(const char *elem, int len, void *arg)
485 nid_cb_st *narg = arg;
491 if (narg->nidcnt == MAX_CURVELIST)
493 if (len > (int)(sizeof(etmp) - 1))
495 memcpy(etmp, elem, len);
497 nid = EC_curve_nist2nid(etmp);
498 if (nid == NID_undef)
499 nid = OBJ_sn2nid(etmp);
500 if (nid == NID_undef)
501 nid = OBJ_ln2nid(etmp);
502 if (nid == NID_undef)
504 for (i = 0; i < narg->nidcnt; i++)
505 if (narg->nid_arr[i] == nid)
507 narg->nid_arr[narg->nidcnt++] = nid;
511 /* Set curves based on a colon separate list */
512 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str)
516 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
520 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
523 /* For an EC key set TLS id and required compression based on parameters */
524 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
531 /* Determine if it is a prime field */
532 grp = EC_KEY_get0_group(ec);
535 /* Determine curve ID */
536 id = EC_GROUP_get_curve_name(grp);
537 id = tls1_ec_nid2curve_id(id);
538 /* If no id return error: we don't support arbitrary explicit curves */
542 curve_id[1] = (unsigned char)id;
544 if (EC_KEY_get0_public_key(ec) == NULL)
546 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
547 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
549 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
550 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
552 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
558 /* Check an EC key is compatible with extensions */
559 static int tls1_check_ec_key(SSL *s,
560 unsigned char *curve_id, unsigned char *comp_id)
562 const unsigned char *pformats, *pcurves;
563 size_t num_formats, num_curves, i;
566 * If point formats extension present check it, otherwise everything is
567 * supported (see RFC4492).
569 if (comp_id && s->session->tlsext_ecpointformatlist) {
570 pformats = s->session->tlsext_ecpointformatlist;
571 num_formats = s->session->tlsext_ecpointformatlist_length;
572 for (i = 0; i < num_formats; i++, pformats++) {
573 if (*comp_id == *pformats)
576 if (i == num_formats)
581 /* Check curve is consistent with client and server preferences */
582 for (j = 0; j <= 1; j++) {
583 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
585 if (j == 1 && num_curves == 0) {
587 * If we've not received any curves then skip this check.
588 * RFC 4492 does not require the supported elliptic curves extension
589 * so if it is not sent we can just choose any curve.
590 * It is invalid to send an empty list in the elliptic curves
591 * extension, so num_curves == 0 always means no extension.
595 for (i = 0; i < num_curves; i++, pcurves += 2) {
596 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
601 /* For clients can only check sent curve list */
608 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
612 * If we have a custom point format list use it otherwise use default
614 if (s->tlsext_ecpointformatlist) {
615 *pformats = s->tlsext_ecpointformatlist;
616 *num_formats = s->tlsext_ecpointformatlist_length;
618 *pformats = ecformats_default;
619 /* For Suite B we don't support char2 fields */
621 *num_formats = sizeof(ecformats_default) - 1;
623 *num_formats = sizeof(ecformats_default);
628 * Check cert parameters compatible with extensions: currently just checks EC
629 * certificates have compatible curves and compression.
631 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
633 unsigned char comp_id, curve_id[2];
636 pkey = X509_get0_pubkey(x);
639 /* If not EC nothing to do */
640 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
642 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
646 * Can't check curve_id for client certs as we don't have a supported
649 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
653 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
654 * SHA384+P-384, adjust digest if necessary.
656 if (set_ee_md && tls1_suiteb(s)) {
662 /* Check to see we have necessary signing algorithm */
663 if (curve_id[1] == TLSEXT_curve_P_256)
664 check_md = NID_ecdsa_with_SHA256;
665 else if (curve_id[1] == TLSEXT_curve_P_384)
666 check_md = NID_ecdsa_with_SHA384;
668 return 0; /* Should never happen */
669 for (i = 0; i < c->shared_sigalgslen; i++)
670 if (check_md == c->shared_sigalgs[i].signandhash_nid)
672 if (i == c->shared_sigalgslen)
674 if (set_ee_md == 2) {
675 if (check_md == NID_ecdsa_with_SHA256)
676 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
678 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
684 # ifndef OPENSSL_NO_EC
686 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
688 * @cid: Cipher ID we're considering using
690 * Checks that the kECDHE cipher suite we're considering using
691 * is compatible with the client extensions.
693 * Returns 0 when the cipher can't be used or 1 when it can.
695 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
698 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
701 if (tls1_suiteb(s)) {
702 unsigned char curve_id[2];
703 /* Curve to check determined by ciphersuite */
704 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
705 curve_id[1] = TLSEXT_curve_P_256;
706 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
707 curve_id[1] = TLSEXT_curve_P_384;
711 /* Check this curve is acceptable */
712 if (!tls1_check_ec_key(s, curve_id, NULL))
716 /* Need a shared curve */
717 if (tls1_shared_curve(s, 0))
721 # endif /* OPENSSL_NO_EC */
725 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
730 #endif /* OPENSSL_NO_EC */
733 * List of supported signature algorithms and hashes. Should make this
734 * customisable at some point, for now include everything we support.
737 #ifdef OPENSSL_NO_RSA
738 # define tlsext_sigalg_rsa(md) /* */
740 # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
743 #ifdef OPENSSL_NO_DSA
744 # define tlsext_sigalg_dsa(md) /* */
746 # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
750 # define tlsext_sigalg_ecdsa(md)/* */
752 # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
755 #define tlsext_sigalg(md) \
756 tlsext_sigalg_rsa(md) \
757 tlsext_sigalg_dsa(md) \
758 tlsext_sigalg_ecdsa(md)
760 static const unsigned char tls12_sigalgs[] = {
761 tlsext_sigalg(TLSEXT_hash_sha512)
762 tlsext_sigalg(TLSEXT_hash_sha384)
763 tlsext_sigalg(TLSEXT_hash_sha256)
764 tlsext_sigalg(TLSEXT_hash_sha224)
765 tlsext_sigalg(TLSEXT_hash_sha1)
766 #ifndef OPENSSL_NO_GOST
767 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
768 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
769 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
773 #ifndef OPENSSL_NO_EC
774 static const unsigned char suiteb_sigalgs[] = {
775 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
776 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
779 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
782 * If Suite B mode use Suite B sigalgs only, ignore any other
785 #ifndef OPENSSL_NO_EC
786 switch (tls1_suiteb(s)) {
787 case SSL_CERT_FLAG_SUITEB_128_LOS:
788 *psigs = suiteb_sigalgs;
789 return sizeof(suiteb_sigalgs);
791 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
792 *psigs = suiteb_sigalgs;
795 case SSL_CERT_FLAG_SUITEB_192_LOS:
796 *psigs = suiteb_sigalgs + 2;
800 /* If server use client authentication sigalgs if not NULL */
801 if (s->server && s->cert->client_sigalgs) {
802 *psigs = s->cert->client_sigalgs;
803 return s->cert->client_sigalgslen;
804 } else if (s->cert->conf_sigalgs) {
805 *psigs = s->cert->conf_sigalgs;
806 return s->cert->conf_sigalgslen;
808 *psigs = tls12_sigalgs;
809 return sizeof(tls12_sigalgs);
814 * Check signature algorithm is consistent with sent supported signature
815 * algorithms and if so return relevant digest.
817 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
818 const unsigned char *sig, EVP_PKEY *pkey)
820 const unsigned char *sent_sigs;
821 size_t sent_sigslen, i;
822 int sigalg = tls12_get_sigid(pkey);
823 /* Should never happen */
826 /* Check key type is consistent with signature */
827 if (sigalg != (int)sig[1]) {
828 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
831 #ifndef OPENSSL_NO_EC
832 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
833 unsigned char curve_id[2], comp_id;
834 /* Check compression and curve matches extensions */
835 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
837 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
838 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
841 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
842 if (tls1_suiteb(s)) {
845 if (curve_id[1] == TLSEXT_curve_P_256) {
846 if (sig[0] != TLSEXT_hash_sha256) {
847 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
848 SSL_R_ILLEGAL_SUITEB_DIGEST);
851 } else if (curve_id[1] == TLSEXT_curve_P_384) {
852 if (sig[0] != TLSEXT_hash_sha384) {
853 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
854 SSL_R_ILLEGAL_SUITEB_DIGEST);
860 } else if (tls1_suiteb(s))
864 /* Check signature matches a type we sent */
865 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
866 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
867 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
870 /* Allow fallback to SHA1 if not strict mode */
871 if (i == sent_sigslen
872 && (sig[0] != TLSEXT_hash_sha1
873 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
874 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
877 *pmd = tls12_get_hash(sig[0]);
879 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
882 /* Make sure security callback allows algorithm */
883 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
884 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) {
885 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
889 * Store the digest used so applications can retrieve it if they wish.
891 s->s3->tmp.peer_md = *pmd;
896 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
897 * supported, doesn't appear in supported signature algorithms, isn't supported
898 * by the enabled protocol versions or by the security level.
900 * This function should only be used for checking which ciphers are supported
903 * Call ssl_cipher_disabled() to check that it's enabled or not.
905 void ssl_set_client_disabled(SSL *s)
907 s->s3->tmp.mask_a = 0;
908 s->s3->tmp.mask_k = 0;
909 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
910 ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
911 #ifndef OPENSSL_NO_PSK
912 /* with PSK there must be client callback set */
913 if (!s->psk_client_callback) {
914 s->s3->tmp.mask_a |= SSL_aPSK;
915 s->s3->tmp.mask_k |= SSL_PSK;
917 #endif /* OPENSSL_NO_PSK */
918 #ifndef OPENSSL_NO_SRP
919 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
920 s->s3->tmp.mask_a |= SSL_aSRP;
921 s->s3->tmp.mask_k |= SSL_kSRP;
927 * ssl_cipher_disabled - check that a cipher is disabled or not
928 * @s: SSL connection that you want to use the cipher on
929 * @c: cipher to check
930 * @op: Security check that you want to do
932 * Returns 1 when it's disabled, 0 when enabled.
934 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
936 if (c->algorithm_mkey & s->s3->tmp.mask_k
937 || c->algorithm_auth & s->s3->tmp.mask_a)
939 if (s->s3->tmp.max_ver == 0)
941 if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
942 || (c->max_tls < s->s3->tmp.min_ver)))
944 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
945 || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
948 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
951 static int tls_use_ticket(SSL *s)
953 if (s->options & SSL_OP_NO_TICKET)
955 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
958 static int compare_uint(const void *p1, const void *p2)
960 unsigned int u1 = *((const unsigned int *)p1);
961 unsigned int u2 = *((const unsigned int *)p2);
971 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
972 * more than one extension of the same type in a ClientHello or ServerHello.
973 * This function does an initial scan over the extensions block to filter those
974 * out. It returns 1 if all extensions are unique, and 0 if the extensions
975 * contain duplicates, could not be successfully parsed, or an internal error
978 static int tls1_check_duplicate_extensions(const PACKET *packet)
980 PACKET extensions = *packet;
981 size_t num_extensions = 0, i = 0;
982 unsigned int *extension_types = NULL;
985 /* First pass: count the extensions. */
986 while (PACKET_remaining(&extensions) > 0) {
989 if (!PACKET_get_net_2(&extensions, &type) ||
990 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
996 if (num_extensions <= 1)
999 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
1000 if (extension_types == NULL) {
1001 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
1005 /* Second pass: gather the extension types. */
1006 extensions = *packet;
1007 for (i = 0; i < num_extensions; i++) {
1009 if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
1010 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
1011 /* This should not happen. */
1012 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1017 if (PACKET_remaining(&extensions) != 0) {
1018 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1021 /* Sort the extensions and make sure there are no duplicates. */
1022 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
1023 for (i = 1; i < num_extensions; i++) {
1024 if (extension_types[i - 1] == extension_types[i])
1029 OPENSSL_free(extension_types);
1033 int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al)
1035 #ifndef OPENSSL_NO_EC
1036 /* See if we support any ECC ciphersuites */
1038 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1040 unsigned long alg_k, alg_a;
1041 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1043 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1044 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1046 alg_k = c->algorithm_mkey;
1047 alg_a = c->algorithm_auth;
1048 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
1049 || (alg_a & SSL_aECDSA)) {
1057 /* Add RI if renegotiating */
1058 if (s->renegotiate) {
1059 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1060 || !WPACKET_start_sub_packet_u16(pkt)
1061 || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
1062 s->s3->previous_client_finished_len)
1063 || !WPACKET_close(pkt)) {
1064 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1068 /* Only add RI for SSLv3 */
1069 if (s->client_version == SSL3_VERSION)
1072 if (s->tlsext_hostname != NULL) {
1073 /* Add TLS extension servername to the Client Hello message */
1074 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1075 /* Sub-packet for server_name extension */
1076 || !WPACKET_start_sub_packet_u16(pkt)
1077 /* Sub-packet for servername list (always 1 hostname)*/
1078 || !WPACKET_start_sub_packet_u16(pkt)
1079 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
1080 || !WPACKET_sub_memcpy_u16(pkt, s->tlsext_hostname,
1081 strlen(s->tlsext_hostname))
1082 || !WPACKET_close(pkt)
1083 || !WPACKET_close(pkt)) {
1084 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1088 #ifndef OPENSSL_NO_SRP
1089 /* Add SRP username if there is one */
1090 if (s->srp_ctx.login != NULL) {
1091 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
1092 /* Sub-packet for SRP extension */
1093 || !WPACKET_start_sub_packet_u16(pkt)
1094 || !WPACKET_start_sub_packet_u8(pkt)
1095 /* login must not be zero...internal error if so */
1096 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
1097 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
1098 strlen(s->srp_ctx.login))
1099 || !WPACKET_close(pkt)
1100 || !WPACKET_close(pkt)) {
1101 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1107 #ifndef OPENSSL_NO_EC
1110 * Add TLS extension ECPointFormats to the ClientHello message
1112 const unsigned char *pcurves, *pformats;
1113 size_t num_curves, num_formats;
1116 tls1_get_formatlist(s, &pformats, &num_formats);
1118 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1119 /* Sub-packet for formats extension */
1120 || !WPACKET_start_sub_packet_u16(pkt)
1121 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
1122 || !WPACKET_close(pkt)) {
1123 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1128 * Add TLS extension EllipticCurves to the ClientHello message
1130 pcurves = s->tlsext_ellipticcurvelist;
1131 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
1132 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1136 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_elliptic_curves)
1137 /* Sub-packet for curves extension */
1138 || !WPACKET_start_sub_packet_u16(pkt)
1139 || !WPACKET_start_sub_packet_u16(pkt)) {
1140 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1143 /* Copy curve ID if supported */
1144 for (i = 0; i < num_curves; i++, pcurves += 2) {
1145 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1146 if (!WPACKET_put_bytes_u8(pkt, pcurves[0])
1147 || !WPACKET_put_bytes_u8(pkt, pcurves[1])) {
1148 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
1149 ERR_R_INTERNAL_ERROR);
1154 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1155 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1159 #endif /* OPENSSL_NO_EC */
1161 if (tls_use_ticket(s)) {
1163 if (!s->new_session && s->session && s->session->tlsext_tick)
1164 ticklen = s->session->tlsext_ticklen;
1165 else if (s->session && s->tlsext_session_ticket &&
1166 s->tlsext_session_ticket->data) {
1167 ticklen = s->tlsext_session_ticket->length;
1168 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1169 if (s->session->tlsext_tick == NULL) {
1170 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1173 memcpy(s->session->tlsext_tick,
1174 s->tlsext_session_ticket->data, ticklen);
1175 s->session->tlsext_ticklen = ticklen;
1178 if (ticklen == 0 && s->tlsext_session_ticket &&
1179 s->tlsext_session_ticket->data == NULL)
1182 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1183 || !WPACKET_sub_memcpy_u16(pkt, s->session->tlsext_tick,
1185 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1191 if (SSL_CLIENT_USE_SIGALGS(s)) {
1193 const unsigned char *salg;
1195 salglen = tls12_get_psigalgs(s, &salg);
1197 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
1198 /* Sub-packet for sig-algs extension */
1199 || !WPACKET_start_sub_packet_u16(pkt)
1200 /* Sub-packet for the actual list */
1201 || !WPACKET_start_sub_packet_u16(pkt)
1202 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
1203 || !WPACKET_close(pkt)
1204 || !WPACKET_close(pkt)) {
1205 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1209 #ifndef OPENSSL_NO_OCSP
1210 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1213 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1214 /* Sub-packet for status request extension */
1215 || !WPACKET_start_sub_packet_u16(pkt)
1216 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
1217 /* Sub-packet for the ids */
1218 || !WPACKET_start_sub_packet_u16(pkt)) {
1219 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1222 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1223 unsigned char *idbytes;
1227 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1228 idlen = i2d_OCSP_RESPID(id, NULL);
1230 /* Sub-packet for an individual id */
1231 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
1232 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
1233 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1237 if (!WPACKET_close(pkt)
1238 || !WPACKET_start_sub_packet_u16(pkt)) {
1239 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1242 if (s->tlsext_ocsp_exts) {
1243 unsigned char *extbytes;
1244 int extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1247 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1250 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
1251 || i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &extbytes)
1253 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1257 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1258 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1263 #ifndef OPENSSL_NO_HEARTBEATS
1264 if (SSL_IS_DTLS(s)) {
1269 * 1: peer may send requests
1270 * 2: peer not allowed to send requests
1272 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1273 mode = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1275 mode = SSL_DTLSEXT_HB_ENABLED;
1277 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_heartbeat)
1278 /* Sub-packet for Hearbeat extension */
1279 || !WPACKET_start_sub_packet_u16(pkt)
1280 || !WPACKET_put_bytes_u8(pkt, mode)
1281 || !WPACKET_close(pkt)) {
1282 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1288 #ifndef OPENSSL_NO_NEXTPROTONEG
1289 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1291 * The client advertises an empty extension to indicate its support
1292 * for Next Protocol Negotiation
1294 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1295 || !WPACKET_put_bytes_u16(pkt, 0)) {
1296 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1303 * finish_md_len is non-zero during a renegotiation, so
1304 * this avoids sending ALPN during the renegotiation
1305 * (see longer comment below)
1307 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1308 if (!WPACKET_put_bytes_u16(pkt,
1309 TLSEXT_TYPE_application_layer_protocol_negotiation)
1310 /* Sub-packet ALPN extension */
1311 || !WPACKET_start_sub_packet_u16(pkt)
1312 || !WPACKET_sub_memcpy_u16(pkt, s->alpn_client_proto_list,
1313 s->alpn_client_proto_list_len)
1314 || !WPACKET_close(pkt)) {
1315 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1318 s->s3->alpn_sent = 1;
1320 #ifndef OPENSSL_NO_SRTP
1321 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1322 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
1323 SRTP_PROTECTION_PROFILE *prof;
1326 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1327 /* Sub-packet for SRTP extension */
1328 || !WPACKET_start_sub_packet_u16(pkt)
1329 /* Sub-packet for the protection profile list */
1330 || !WPACKET_start_sub_packet_u16(pkt)) {
1331 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1334 ct = sk_SRTP_PROTECTION_PROFILE_num(clnt);
1335 for (i = 0; i < ct; i++) {
1336 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
1337 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
1338 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1342 if (!WPACKET_close(pkt)
1343 /* Add an empty use_mki value */
1344 || !WPACKET_put_bytes_u8(pkt, 0)
1345 || !WPACKET_close(pkt)) {
1346 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1351 custom_ext_init(&s->cert->cli_ext);
1352 /* Add custom TLS Extensions to ClientHello */
1353 if (!custom_ext_add(s, 0, pkt, al)) {
1354 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1358 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) {
1359 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1360 || !WPACKET_put_bytes_u16(pkt, 0)) {
1361 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1366 #ifndef OPENSSL_NO_CT
1367 if (s->ct_validation_callback != NULL) {
1368 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
1369 || !WPACKET_put_bytes_u16(pkt, 0)) {
1370 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1376 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1377 || !WPACKET_put_bytes_u16(pkt, 0)) {
1378 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1383 * Add padding to workaround bugs in F5 terminators. See
1384 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1385 * code works out the length of all existing extensions it MUST always
1388 if (s->options & SSL_OP_TLSEXT_PADDING) {
1389 unsigned char *padbytes;
1392 if (!WPACKET_get_total_written(pkt, &hlen)) {
1393 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1397 if (hlen > 0xff && hlen < 0x200) {
1398 hlen = 0x200 - hlen;
1404 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
1405 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
1406 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1409 memset(padbytes, 0, hlen);
1417 int ssl_add_serverhello_tlsext(SSL *s, WPACKET *pkt, int *al)
1419 #ifndef OPENSSL_NO_NEXTPROTONEG
1420 int next_proto_neg_seen;
1422 #ifndef OPENSSL_NO_EC
1423 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1424 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1425 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1426 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1429 if (!WPACKET_start_sub_packet_u16(pkt)
1430 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH)) {
1431 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1435 if (s->s3->send_connection_binding &&
1436 !ssl_add_serverhello_renegotiate_ext(s, pkt)) {
1437 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1441 /* Only add RI for SSLv3 */
1442 if (s->version == SSL3_VERSION)
1445 if (!s->hit && s->servername_done == 1
1446 && s->session->tlsext_hostname != NULL) {
1447 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1448 || !WPACKET_put_bytes_u16(pkt, 0)) {
1449 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1453 #ifndef OPENSSL_NO_EC
1455 const unsigned char *plist;
1458 * Add TLS extension ECPointFormats to the ServerHello message
1460 tls1_get_formatlist(s, &plist, &plistlen);
1462 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1463 || !WPACKET_start_sub_packet_u16(pkt)
1464 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1465 || !WPACKET_close(pkt)) {
1466 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1471 * Currently the server should not respond with a SupportedCurves
1474 #endif /* OPENSSL_NO_EC */
1476 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1477 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1478 || !WPACKET_put_bytes_u16(pkt, 0)) {
1479 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1484 * if we don't add the above TLSEXT, we can't add a session ticket
1487 s->tlsext_ticket_expected = 0;
1490 if (s->tlsext_status_expected) {
1491 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1492 || !WPACKET_put_bytes_u16(pkt, 0)) {
1493 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1497 #ifndef OPENSSL_NO_SRTP
1498 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1499 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1500 || !WPACKET_start_sub_packet_u16(pkt)
1501 || !WPACKET_put_bytes_u16(pkt, 2)
1502 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1503 || !WPACKET_put_bytes_u8(pkt, 0)
1504 || !WPACKET_close(pkt)) {
1505 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1511 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1512 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1513 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1514 const unsigned char cryptopro_ext[36] = {
1515 0xfd, 0xe8, /* 65000 */
1516 0x00, 0x20, /* 32 bytes length */
1517 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1518 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1519 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1520 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1522 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1523 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1527 #ifndef OPENSSL_NO_HEARTBEATS
1528 /* Add Heartbeat extension if we've received one */
1529 if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
1533 * 1: peer may send requests
1534 * 2: peer not allowed to send requests
1536 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1537 mode = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1539 mode = SSL_DTLSEXT_HB_ENABLED;
1541 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_heartbeat)
1542 || !WPACKET_start_sub_packet_u16(pkt)
1543 || !WPACKET_put_bytes_u8(pkt, mode)
1544 || !WPACKET_close(pkt)) {
1545 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1552 #ifndef OPENSSL_NO_NEXTPROTONEG
1553 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1554 s->s3->next_proto_neg_seen = 0;
1555 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1556 const unsigned char *npa;
1557 unsigned int npalen;
1560 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1562 ctx->next_protos_advertised_cb_arg);
1563 if (r == SSL_TLSEXT_ERR_OK) {
1564 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1565 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1566 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1569 s->s3->next_proto_neg_seen = 1;
1573 if (!custom_ext_add(s, 1, pkt, al)) {
1574 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1578 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1580 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1581 * for other cases too.
1583 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1584 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1585 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1586 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
1587 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1589 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1590 || !WPACKET_put_bytes_u16(pkt, 0)) {
1591 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1596 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
1597 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1598 || !WPACKET_put_bytes_u16(pkt, 0)) {
1599 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1604 if (s->s3->alpn_selected != NULL) {
1605 if (!WPACKET_put_bytes_u16(pkt,
1606 TLSEXT_TYPE_application_layer_protocol_negotiation)
1607 || !WPACKET_start_sub_packet_u16(pkt)
1608 || !WPACKET_start_sub_packet_u16(pkt)
1609 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1610 s->s3->alpn_selected_len)
1611 || !WPACKET_close(pkt)
1612 || !WPACKET_close(pkt)) {
1613 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1619 if (!WPACKET_close(pkt)) {
1620 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1627 * Save the ALPN extension in a ClientHello.
1628 * pkt: the contents of the ALPN extension, not including type and length.
1629 * al: a pointer to the alert value to send in the event of a failure.
1630 * returns: 1 on success, 0 on error.
1632 static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
1634 PACKET protocol_list, save_protocol_list, protocol;
1636 *al = SSL_AD_DECODE_ERROR;
1638 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
1639 || PACKET_remaining(&protocol_list) < 2) {
1643 save_protocol_list = protocol_list;
1645 /* Protocol names can't be empty. */
1646 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
1647 || PACKET_remaining(&protocol) == 0) {
1650 } while (PACKET_remaining(&protocol_list) != 0);
1652 if (!PACKET_memdup(&save_protocol_list,
1653 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
1654 *al = TLS1_AD_INTERNAL_ERROR;
1662 * Process the ALPN extension in a ClientHello.
1663 * al: a pointer to the alert value to send in the event of a failure.
1664 * returns 1 on success, 0 on error.
1666 static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
1668 const unsigned char *selected = NULL;
1669 unsigned char selected_len = 0;
1671 if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
1672 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1673 s->s3->alpn_proposed,
1674 s->s3->alpn_proposed_len,
1675 s->ctx->alpn_select_cb_arg);
1677 if (r == SSL_TLSEXT_ERR_OK) {
1678 OPENSSL_free(s->s3->alpn_selected);
1679 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
1680 if (s->s3->alpn_selected == NULL) {
1681 *al = SSL_AD_INTERNAL_ERROR;
1684 s->s3->alpn_selected_len = selected_len;
1685 #ifndef OPENSSL_NO_NEXTPROTONEG
1686 /* ALPN takes precedence over NPN. */
1687 s->s3->next_proto_neg_seen = 0;
1690 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
1698 #ifndef OPENSSL_NO_EC
1700 * ssl_check_for_safari attempts to fingerprint Safari using OS X
1701 * SecureTransport using the TLS extension block in |pkt|.
1702 * Safari, since 10.6, sends exactly these extensions, in this order:
1707 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1708 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1709 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1710 * 10.8..10.8.3 (which don't work).
1712 static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
1718 static const unsigned char kSafariExtensionsBlock[] = {
1719 0x00, 0x0a, /* elliptic_curves extension */
1720 0x00, 0x08, /* 8 bytes */
1721 0x00, 0x06, /* 6 bytes of curve ids */
1722 0x00, 0x17, /* P-256 */
1723 0x00, 0x18, /* P-384 */
1724 0x00, 0x19, /* P-521 */
1726 0x00, 0x0b, /* ec_point_formats */
1727 0x00, 0x02, /* 2 bytes */
1728 0x01, /* 1 point format */
1729 0x00, /* uncompressed */
1730 /* The following is only present in TLS 1.2 */
1731 0x00, 0x0d, /* signature_algorithms */
1732 0x00, 0x0c, /* 12 bytes */
1733 0x00, 0x0a, /* 10 bytes */
1734 0x05, 0x01, /* SHA-384/RSA */
1735 0x04, 0x01, /* SHA-256/RSA */
1736 0x02, 0x01, /* SHA-1/RSA */
1737 0x04, 0x03, /* SHA-256/ECDSA */
1738 0x02, 0x03, /* SHA-1/ECDSA */
1741 /* Length of the common prefix (first two extensions). */
1742 static const size_t kSafariCommonExtensionsLength = 18;
1746 if (!PACKET_forward(&tmppkt, 2)
1747 || !PACKET_get_net_2(&tmppkt, &type)
1748 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
1752 if (type != TLSEXT_TYPE_server_name)
1755 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1756 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
1758 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1761 #endif /* !OPENSSL_NO_EC */
1764 * Parse ClientHello extensions and stash extension info in various parts of
1765 * the SSL object. Verify that there are no duplicate extensions.
1767 * Behaviour upon resumption is extension-specific. If the extension has no
1768 * effect during resumption, it is parsed (to verify its format) but otherwise
1771 * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure.
1772 * Upon failure, sets |al| to the appropriate alert.
1774 static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
1777 int renegotiate_seen = 0;
1780 *al = SSL_AD_DECODE_ERROR;
1781 s->servername_done = 0;
1782 s->tlsext_status_type = -1;
1783 #ifndef OPENSSL_NO_NEXTPROTONEG
1784 s->s3->next_proto_neg_seen = 0;
1787 OPENSSL_free(s->s3->alpn_selected);
1788 s->s3->alpn_selected = NULL;
1789 s->s3->alpn_selected_len = 0;
1790 OPENSSL_free(s->s3->alpn_proposed);
1791 s->s3->alpn_proposed = NULL;
1792 s->s3->alpn_proposed_len = 0;
1793 #ifndef OPENSSL_NO_HEARTBEATS
1794 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
1795 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
1798 #ifndef OPENSSL_NO_EC
1799 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1800 ssl_check_for_safari(s, pkt);
1801 #endif /* !OPENSSL_NO_EC */
1803 /* Clear any signature algorithms extension received */
1804 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1805 s->s3->tmp.peer_sigalgs = NULL;
1806 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1808 #ifndef OPENSSL_NO_SRP
1809 OPENSSL_free(s->srp_ctx.login);
1810 s->srp_ctx.login = NULL;
1813 s->srtp_profile = NULL;
1815 if (PACKET_remaining(pkt) == 0)
1818 if (!PACKET_as_length_prefixed_2(pkt, &extensions))
1821 if (!tls1_check_duplicate_extensions(&extensions))
1825 * We parse all extensions to ensure the ClientHello is well-formed but,
1826 * unless an extension specifies otherwise, we ignore extensions upon
1829 while (PACKET_get_net_2(&extensions, &type)) {
1831 if (!PACKET_get_length_prefixed_2(&extensions, &extension))
1834 if (s->tlsext_debug_cb)
1835 s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
1836 PACKET_remaining(&extension),
1837 s->tlsext_debug_arg);
1839 if (type == TLSEXT_TYPE_renegotiate) {
1840 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al))
1842 renegotiate_seen = 1;
1843 } else if (s->version == SSL3_VERSION) {
1846 * The servername extension is treated as follows:
1848 * - Only the hostname type is supported with a maximum length of 255.
1849 * - The servername is rejected if too long or if it contains zeros,
1850 * in which case an fatal alert is generated.
1851 * - The servername field is maintained together with the session cache.
1852 * - When a session is resumed, the servername call back invoked in order
1853 * to allow the application to position itself to the right context.
1854 * - The servername is acknowledged if it is new for a session or when
1855 * it is identical to a previously used for the same session.
1856 * Applications can control the behaviour. They can at any time
1857 * set a 'desirable' servername for a new SSL object. This can be the
1858 * case for example with HTTPS when a Host: header field is received and
1859 * a renegotiation is requested. In this case, a possible servername
1860 * presented in the new client hello is only acknowledged if it matches
1861 * the value of the Host: field.
1862 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1863 * if they provide for changing an explicit servername context for the
1864 * session, i.e. when the session has been established with a servername
1866 * - On session reconnect, the servername extension may be absent.
1870 else if (type == TLSEXT_TYPE_server_name) {
1871 unsigned int servname_type;
1872 PACKET sni, hostname;
1874 if (!PACKET_as_length_prefixed_2(&extension, &sni)
1875 /* ServerNameList must be at least 1 byte long. */
1876 || PACKET_remaining(&sni) == 0) {
1881 * Although the server_name extension was intended to be
1882 * extensible to new name types, RFC 4366 defined the
1883 * syntax inextensibility and OpenSSL 1.0.x parses it as
1885 * RFC 6066 corrected the mistake but adding new name types
1886 * is nevertheless no longer feasible, so act as if no other
1887 * SNI types can exist, to simplify parsing.
1889 * Also note that the RFC permits only one SNI value per type,
1890 * i.e., we can only have a single hostname.
1892 if (!PACKET_get_1(&sni, &servname_type)
1893 || servname_type != TLSEXT_NAMETYPE_host_name
1894 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
1899 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
1900 *al = TLS1_AD_UNRECOGNIZED_NAME;
1904 if (PACKET_contains_zero_byte(&hostname)) {
1905 *al = TLS1_AD_UNRECOGNIZED_NAME;
1909 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
1910 *al = TLS1_AD_INTERNAL_ERROR;
1914 s->servername_done = 1;
1917 * TODO(openssl-team): if the SNI doesn't match, we MUST
1918 * fall back to a full handshake.
1920 s->servername_done = s->session->tlsext_hostname
1921 && PACKET_equal(&hostname, s->session->tlsext_hostname,
1922 strlen(s->session->tlsext_hostname));
1925 #ifndef OPENSSL_NO_SRP
1926 else if (type == TLSEXT_TYPE_srp) {
1929 if (!PACKET_as_length_prefixed_1(&extension, &srp_I))
1932 if (PACKET_contains_zero_byte(&srp_I))
1936 * TODO(openssl-team): currently, we re-authenticate the user
1937 * upon resumption. Instead, we MUST ignore the login.
1939 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
1940 *al = TLS1_AD_INTERNAL_ERROR;
1946 #ifndef OPENSSL_NO_EC
1947 else if (type == TLSEXT_TYPE_ec_point_formats) {
1948 PACKET ec_point_format_list;
1950 if (!PACKET_as_length_prefixed_1(&extension, &ec_point_format_list)
1951 || PACKET_remaining(&ec_point_format_list) == 0) {
1956 if (!PACKET_memdup(&ec_point_format_list,
1957 &s->session->tlsext_ecpointformatlist,
1959 session->tlsext_ecpointformatlist_length)) {
1960 *al = TLS1_AD_INTERNAL_ERROR;
1964 } else if (type == TLSEXT_TYPE_elliptic_curves) {
1965 PACKET elliptic_curve_list;
1967 /* Each NamedCurve is 2 bytes and we must have at least 1. */
1968 if (!PACKET_as_length_prefixed_2(&extension, &elliptic_curve_list)
1969 || PACKET_remaining(&elliptic_curve_list) == 0
1970 || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
1975 if (!PACKET_memdup(&elliptic_curve_list,
1976 &s->session->tlsext_ellipticcurvelist,
1978 session->tlsext_ellipticcurvelist_length)) {
1979 *al = TLS1_AD_INTERNAL_ERROR;
1984 #endif /* OPENSSL_NO_EC */
1985 else if (type == TLSEXT_TYPE_session_ticket) {
1986 if (s->tls_session_ticket_ext_cb &&
1987 !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
1988 PACKET_remaining(&extension),
1989 s->tls_session_ticket_ext_cb_arg))
1991 *al = TLS1_AD_INTERNAL_ERROR;
1994 } else if (type == TLSEXT_TYPE_signature_algorithms) {
1995 PACKET supported_sig_algs;
1997 if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs)
1998 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
1999 || PACKET_remaining(&supported_sig_algs) == 0) {
2004 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
2005 PACKET_remaining(&supported_sig_algs))) {
2009 } else if (type == TLSEXT_TYPE_status_request) {
2010 if (!PACKET_get_1(&extension,
2011 (unsigned int *)&s->tlsext_status_type)) {
2014 #ifndef OPENSSL_NO_OCSP
2015 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2016 const unsigned char *ext_data;
2017 PACKET responder_id_list, exts;
2018 if (!PACKET_get_length_prefixed_2
2019 (&extension, &responder_id_list))
2023 * We remove any OCSP_RESPIDs from a previous handshake
2024 * to prevent unbounded memory growth - CVE-2016-6304
2026 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
2028 if (PACKET_remaining(&responder_id_list) > 0) {
2029 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
2030 if (s->tlsext_ocsp_ids == NULL) {
2031 *al = SSL_AD_INTERNAL_ERROR;
2035 s->tlsext_ocsp_ids = NULL;
2038 while (PACKET_remaining(&responder_id_list) > 0) {
2040 PACKET responder_id;
2041 const unsigned char *id_data;
2043 if (!PACKET_get_length_prefixed_2(&responder_id_list,
2045 || PACKET_remaining(&responder_id) == 0) {
2049 id_data = PACKET_data(&responder_id);
2050 id = d2i_OCSP_RESPID(NULL, &id_data,
2051 PACKET_remaining(&responder_id));
2055 if (id_data != PACKET_end(&responder_id)) {
2056 OCSP_RESPID_free(id);
2060 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2061 OCSP_RESPID_free(id);
2062 *al = SSL_AD_INTERNAL_ERROR;
2067 /* Read in request_extensions */
2068 if (!PACKET_as_length_prefixed_2(&extension, &exts))
2071 if (PACKET_remaining(&exts) > 0) {
2072 ext_data = PACKET_data(&exts);
2073 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2074 X509_EXTENSION_free);
2075 s->tlsext_ocsp_exts =
2076 d2i_X509_EXTENSIONS(NULL, &ext_data,
2077 PACKET_remaining(&exts));
2078 if (s->tlsext_ocsp_exts == NULL
2079 || ext_data != PACKET_end(&exts)) {
2087 * We don't know what to do with any other type so ignore it.
2089 s->tlsext_status_type = -1;
2092 #ifndef OPENSSL_NO_HEARTBEATS
2093 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
2094 unsigned int hbtype;
2096 if (!PACKET_get_1(&extension, &hbtype)
2097 || PACKET_remaining(&extension)) {
2098 *al = SSL_AD_DECODE_ERROR;
2102 case 0x01: /* Client allows us to send HB requests */
2103 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2105 case 0x02: /* Client doesn't accept HB requests */
2106 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2107 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
2110 *al = SSL_AD_ILLEGAL_PARAMETER;
2115 #ifndef OPENSSL_NO_NEXTPROTONEG
2116 else if (type == TLSEXT_TYPE_next_proto_neg &&
2117 s->s3->tmp.finish_md_len == 0) {
2119 * We shouldn't accept this extension on a
2122 * s->new_session will be set on renegotiation, but we
2123 * probably shouldn't rely that it couldn't be set on
2124 * the initial renegotiation too in certain cases (when
2125 * there's some other reason to disallow resuming an
2126 * earlier session -- the current code won't be doing
2127 * anything like that, but this might change).
2129 * A valid sign that there's been a previous handshake
2130 * in this connection is if s->s3->tmp.finish_md_len >
2131 * 0. (We are talking about a check that will happen
2132 * in the Hello protocol round, well before a new
2133 * Finished message could have been computed.)
2135 s->s3->next_proto_neg_seen = 1;
2139 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2140 s->s3->tmp.finish_md_len == 0) {
2141 if (!tls1_alpn_handle_client_hello(s, &extension, al))
2145 /* session ticket processed earlier */
2146 #ifndef OPENSSL_NO_SRTP
2147 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2148 && type == TLSEXT_TYPE_use_srtp) {
2149 if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al))
2153 else if (type == TLSEXT_TYPE_encrypt_then_mac &&
2154 !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
2155 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2157 * Note: extended master secret extension handled in
2158 * tls_check_serverhello_tlsext_early()
2162 * If this ClientHello extension was unhandled and this is a
2163 * nonresumed connection, check whether the extension is a custom
2164 * TLS Extension (has a custom_srv_ext_record), and if so call the
2165 * callback and record the extension number so that an appropriate
2166 * ServerHello may be later returned.
2169 if (custom_ext_parse(s, 1, type, PACKET_data(&extension),
2170 PACKET_remaining(&extension), al) <= 0)
2175 if (PACKET_remaining(pkt) != 0) {
2177 * tls1_check_duplicate_extensions should ensure this never happens.
2179 *al = SSL_AD_INTERNAL_ERROR;
2185 /* Need RI if renegotiating */
2187 if (!renegotiate_seen && s->renegotiate &&
2188 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2189 *al = SSL_AD_HANDSHAKE_FAILURE;
2190 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2191 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2196 * This function currently has no state to clean up, so it returns directly.
2197 * If parsing fails at any point, the function returns early.
2198 * The SSL object may be left with partial data from extensions, but it must
2199 * then no longer be used, and clearing it up will free the leftovers.
2204 int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
2207 custom_ext_init(&s->cert->srv_ext);
2208 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
2209 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2212 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2213 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2219 #ifndef OPENSSL_NO_NEXTPROTONEG
2221 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2222 * elements of zero length are allowed and the set of elements must exactly
2223 * fill the length of the block.
2225 static char ssl_next_proto_validate(PACKET *pkt)
2227 PACKET tmp_protocol;
2229 while (PACKET_remaining(pkt)) {
2230 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
2231 || PACKET_remaining(&tmp_protocol) == 0)
2239 static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
2241 unsigned int length, type, size;
2242 int tlsext_servername = 0;
2243 int renegotiate_seen = 0;
2245 #ifndef OPENSSL_NO_NEXTPROTONEG
2246 s->s3->next_proto_neg_seen = 0;
2248 s->tlsext_ticket_expected = 0;
2250 OPENSSL_free(s->s3->alpn_selected);
2251 s->s3->alpn_selected = NULL;
2252 #ifndef OPENSSL_NO_HEARTBEATS
2253 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
2254 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
2257 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2259 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2261 if (!PACKET_get_net_2(pkt, &length))
2264 if (PACKET_remaining(pkt) != length) {
2265 *al = SSL_AD_DECODE_ERROR;
2269 if (!tls1_check_duplicate_extensions(pkt)) {
2270 *al = SSL_AD_DECODE_ERROR;
2274 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
2275 const unsigned char *data;
2278 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2279 || !PACKET_peek_bytes(&spkt, &data, size))
2282 if (s->tlsext_debug_cb)
2283 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2285 if (type == TLSEXT_TYPE_renegotiate) {
2286 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
2288 renegotiate_seen = 1;
2289 } else if (s->version == SSL3_VERSION) {
2290 } else if (type == TLSEXT_TYPE_server_name) {
2291 if (s->tlsext_hostname == NULL || size > 0) {
2292 *al = TLS1_AD_UNRECOGNIZED_NAME;
2295 tlsext_servername = 1;
2297 #ifndef OPENSSL_NO_EC
2298 else if (type == TLSEXT_TYPE_ec_point_formats) {
2299 unsigned int ecpointformatlist_length;
2300 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2301 || ecpointformatlist_length != size - 1) {
2302 *al = TLS1_AD_DECODE_ERROR;
2306 s->session->tlsext_ecpointformatlist_length = 0;
2307 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2308 if ((s->session->tlsext_ecpointformatlist =
2309 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2310 *al = TLS1_AD_INTERNAL_ERROR;
2313 s->session->tlsext_ecpointformatlist_length =
2314 ecpointformatlist_length;
2315 if (!PACKET_copy_bytes(&spkt,
2316 s->session->tlsext_ecpointformatlist,
2317 ecpointformatlist_length)) {
2318 *al = TLS1_AD_DECODE_ERROR;
2324 #endif /* OPENSSL_NO_EC */
2326 else if (type == TLSEXT_TYPE_session_ticket) {
2327 if (s->tls_session_ticket_ext_cb &&
2328 !s->tls_session_ticket_ext_cb(s, data, size,
2329 s->tls_session_ticket_ext_cb_arg))
2331 *al = TLS1_AD_INTERNAL_ERROR;
2334 if (!tls_use_ticket(s) || (size > 0)) {
2335 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2338 s->tlsext_ticket_expected = 1;
2339 } else if (type == TLSEXT_TYPE_status_request) {
2341 * MUST be empty and only sent if we've requested a status
2344 if ((s->tlsext_status_type == -1) || (size > 0)) {
2345 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2348 /* Set flag to expect CertificateStatus message */
2349 s->tlsext_status_expected = 1;
2351 #ifndef OPENSSL_NO_CT
2353 * Only take it if we asked for it - i.e if there is no CT validation
2354 * callback set, then a custom extension MAY be processing it, so we
2355 * need to let control continue to flow to that.
2357 else if (type == TLSEXT_TYPE_signed_certificate_timestamp &&
2358 s->ct_validation_callback != NULL) {
2359 /* Simply copy it off for later processing */
2360 if (s->tlsext_scts != NULL) {
2361 OPENSSL_free(s->tlsext_scts);
2362 s->tlsext_scts = NULL;
2364 s->tlsext_scts_len = size;
2366 s->tlsext_scts = OPENSSL_malloc(size);
2367 if (s->tlsext_scts == NULL) {
2368 *al = TLS1_AD_INTERNAL_ERROR;
2371 memcpy(s->tlsext_scts, data, size);
2375 #ifndef OPENSSL_NO_NEXTPROTONEG
2376 else if (type == TLSEXT_TYPE_next_proto_neg &&
2377 s->s3->tmp.finish_md_len == 0) {
2378 unsigned char *selected;
2379 unsigned char selected_len;
2380 /* We must have requested it. */
2381 if (s->ctx->next_proto_select_cb == NULL) {
2382 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2385 /* The data must be valid */
2386 if (!ssl_next_proto_validate(&spkt)) {
2387 *al = TLS1_AD_DECODE_ERROR;
2390 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2393 ctx->next_proto_select_cb_arg) !=
2394 SSL_TLSEXT_ERR_OK) {
2395 *al = TLS1_AD_INTERNAL_ERROR;
2399 * Could be non-NULL if server has sent multiple NPN extensions in
2400 * a single Serverhello
2402 OPENSSL_free(s->next_proto_negotiated);
2403 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2404 if (s->next_proto_negotiated == NULL) {
2405 *al = TLS1_AD_INTERNAL_ERROR;
2408 memcpy(s->next_proto_negotiated, selected, selected_len);
2409 s->next_proto_negotiated_len = selected_len;
2410 s->s3->next_proto_neg_seen = 1;
2414 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2416 /* We must have requested it. */
2417 if (!s->s3->alpn_sent) {
2418 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2422 * The extension data consists of:
2423 * uint16 list_length
2424 * uint8 proto_length;
2425 * uint8 proto[proto_length];
2427 if (!PACKET_get_net_2(&spkt, &len)
2428 || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len)
2429 || PACKET_remaining(&spkt) != len) {
2430 *al = TLS1_AD_DECODE_ERROR;
2433 OPENSSL_free(s->s3->alpn_selected);
2434 s->s3->alpn_selected = OPENSSL_malloc(len);
2435 if (s->s3->alpn_selected == NULL) {
2436 *al = TLS1_AD_INTERNAL_ERROR;
2439 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2440 *al = TLS1_AD_DECODE_ERROR;
2443 s->s3->alpn_selected_len = len;
2445 #ifndef OPENSSL_NO_HEARTBEATS
2446 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
2447 unsigned int hbtype;
2448 if (!PACKET_get_1(&spkt, &hbtype)) {
2449 *al = SSL_AD_DECODE_ERROR;
2453 case 0x01: /* Server allows us to send HB requests */
2454 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2456 case 0x02: /* Server doesn't accept HB requests */
2457 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2458 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
2461 *al = SSL_AD_ILLEGAL_PARAMETER;
2466 #ifndef OPENSSL_NO_SRTP
2467 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2468 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
2472 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2473 /* Ignore if inappropriate ciphersuite */
2474 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) &&
2475 s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2476 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2477 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2478 } else if (type == TLSEXT_TYPE_extended_master_secret) {
2479 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
2481 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2484 * If this extension type was not otherwise handled, but matches a
2485 * custom_cli_ext_record, then send it to the c callback
2487 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2491 if (PACKET_remaining(pkt) != 0) {
2492 *al = SSL_AD_DECODE_ERROR;
2496 if (!s->hit && tlsext_servername == 1) {
2497 if (s->tlsext_hostname) {
2498 if (s->session->tlsext_hostname == NULL) {
2499 s->session->tlsext_hostname =
2500 OPENSSL_strdup(s->tlsext_hostname);
2501 if (!s->session->tlsext_hostname) {
2502 *al = SSL_AD_UNRECOGNIZED_NAME;
2506 *al = SSL_AD_DECODE_ERROR;
2515 * Determine if we need to see RI. Strictly speaking if we want to avoid
2516 * an attack we should *always* see RI even on initial server hello
2517 * because the client doesn't see any renegotiation during an attack.
2518 * However this would mean we could not connect to any server which
2519 * doesn't support RI so for the immediate future tolerate RI absence
2521 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2522 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2523 *al = SSL_AD_HANDSHAKE_FAILURE;
2524 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2525 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2531 * Check extended master secret extension is consistent with
2534 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2535 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2536 *al = SSL_AD_HANDSHAKE_FAILURE;
2537 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2545 int ssl_prepare_clienthello_tlsext(SSL *s)
2547 s->s3->alpn_sent = 0;
2551 int ssl_prepare_serverhello_tlsext(SSL *s)
2556 static int ssl_check_clienthello_tlsext_early(SSL *s)
2558 int ret = SSL_TLSEXT_ERR_NOACK;
2559 int al = SSL_AD_UNRECOGNIZED_NAME;
2561 #ifndef OPENSSL_NO_EC
2563 * The handling of the ECPointFormats extension is done elsewhere, namely
2564 * in ssl3_choose_cipher in s3_lib.c.
2567 * The handling of the EllipticCurves extension is done elsewhere, namely
2568 * in ssl3_choose_cipher in s3_lib.c.
2572 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2574 s->ctx->tlsext_servername_callback(s, &al,
2575 s->ctx->tlsext_servername_arg);
2576 else if (s->initial_ctx != NULL
2577 && s->initial_ctx->tlsext_servername_callback != 0)
2579 s->initial_ctx->tlsext_servername_callback(s, &al,
2581 initial_ctx->tlsext_servername_arg);
2584 case SSL_TLSEXT_ERR_ALERT_FATAL:
2585 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2588 case SSL_TLSEXT_ERR_ALERT_WARNING:
2589 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2592 case SSL_TLSEXT_ERR_NOACK:
2593 s->servername_done = 0;
2599 /* Initialise digests to default values */
2600 void ssl_set_default_md(SSL *s)
2602 const EVP_MD **pmd = s->s3->tmp.md;
2603 #ifndef OPENSSL_NO_DSA
2604 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2606 #ifndef OPENSSL_NO_RSA
2607 if (SSL_USE_SIGALGS(s))
2608 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2610 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
2611 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
2613 #ifndef OPENSSL_NO_EC
2614 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
2616 #ifndef OPENSSL_NO_GOST
2617 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2618 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2619 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
2623 int tls1_set_server_sigalgs(SSL *s)
2628 /* Clear any shared signature algorithms */
2629 OPENSSL_free(s->cert->shared_sigalgs);
2630 s->cert->shared_sigalgs = NULL;
2631 s->cert->shared_sigalgslen = 0;
2632 /* Clear certificate digests and validity flags */
2633 for (i = 0; i < SSL_PKEY_NUM; i++) {
2634 s->s3->tmp.md[i] = NULL;
2635 s->s3->tmp.valid_flags[i] = 0;
2638 /* If sigalgs received process it. */
2639 if (s->s3->tmp.peer_sigalgs) {
2640 if (!tls1_process_sigalgs(s)) {
2641 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2642 al = SSL_AD_INTERNAL_ERROR;
2645 /* Fatal error is no shared signature algorithms */
2646 if (!s->cert->shared_sigalgs) {
2647 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2648 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
2649 al = SSL_AD_ILLEGAL_PARAMETER;
2653 ssl_set_default_md(s);
2657 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2662 * Upon success, returns 1.
2663 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
2665 int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
2667 s->tlsext_status_expected = 0;
2670 * If status request then ask callback what to do. Note: this must be
2671 * called after servername callbacks in case the certificate has changed,
2672 * and must be called after the cipher has been chosen because this may
2673 * influence which certificate is sent
2675 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2677 CERT_PKEY *certpkey;
2678 certpkey = ssl_get_server_send_pkey(s);
2679 /* If no certificate can't return certificate status */
2680 if (certpkey != NULL) {
2682 * Set current certificate to one we will use so SSL_get_certificate
2683 * et al can pick it up.
2685 s->cert->key = certpkey;
2686 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2688 /* We don't want to send a status request response */
2689 case SSL_TLSEXT_ERR_NOACK:
2690 s->tlsext_status_expected = 0;
2692 /* status request response should be sent */
2693 case SSL_TLSEXT_ERR_OK:
2694 if (s->tlsext_ocsp_resp)
2695 s->tlsext_status_expected = 1;
2697 /* something bad happened */
2698 case SSL_TLSEXT_ERR_ALERT_FATAL:
2700 *al = SSL_AD_INTERNAL_ERROR;
2706 if (!tls1_alpn_handle_client_hello_late(s, al)) {
2713 int ssl_check_serverhello_tlsext(SSL *s)
2715 int ret = SSL_TLSEXT_ERR_NOACK;
2716 int al = SSL_AD_UNRECOGNIZED_NAME;
2718 #ifndef OPENSSL_NO_EC
2720 * If we are client and using an elliptic curve cryptography cipher
2721 * suite, then if server returns an EC point formats lists extension it
2722 * must contain uncompressed.
2724 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2725 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2726 if ((s->tlsext_ecpointformatlist != NULL)
2727 && (s->tlsext_ecpointformatlist_length > 0)
2728 && (s->session->tlsext_ecpointformatlist != NULL)
2729 && (s->session->tlsext_ecpointformatlist_length > 0)
2730 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
2731 /* we are using an ECC cipher */
2733 unsigned char *list;
2734 int found_uncompressed = 0;
2735 list = s->session->tlsext_ecpointformatlist;
2736 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2737 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2738 found_uncompressed = 1;
2742 if (!found_uncompressed) {
2743 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2744 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2748 ret = SSL_TLSEXT_ERR_OK;
2749 #endif /* OPENSSL_NO_EC */
2751 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2753 s->ctx->tlsext_servername_callback(s, &al,
2754 s->ctx->tlsext_servername_arg);
2755 else if (s->initial_ctx != NULL
2756 && s->initial_ctx->tlsext_servername_callback != 0)
2758 s->initial_ctx->tlsext_servername_callback(s, &al,
2760 initial_ctx->tlsext_servername_arg);
2763 * Ensure we get sensible values passed to tlsext_status_cb in the event
2764 * that we don't receive a status message
2766 OPENSSL_free(s->tlsext_ocsp_resp);
2767 s->tlsext_ocsp_resp = NULL;
2768 s->tlsext_ocsp_resplen = -1;
2771 case SSL_TLSEXT_ERR_ALERT_FATAL:
2772 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2775 case SSL_TLSEXT_ERR_ALERT_WARNING:
2776 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2779 case SSL_TLSEXT_ERR_NOACK:
2780 s->servername_done = 0;
2786 int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
2789 if (s->version < SSL3_VERSION)
2791 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
2792 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2796 if (ssl_check_serverhello_tlsext(s) <= 0) {
2797 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2804 * Since the server cache lookup is done early on in the processing of the
2805 * ClientHello and other operations depend on the result some extensions
2806 * need to be handled at the same time.
2808 * Two extensions are currently handled, session ticket and extended master
2811 * session_id: ClientHello session ID.
2812 * ext: ClientHello extensions (including length prefix)
2813 * ret: (output) on return, if a ticket was decrypted, then this is set to
2814 * point to the resulting session.
2816 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2817 * ciphersuite, in which case we have no use for session tickets and one will
2818 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2821 * -1: fatal error, either from parsing or decrypting the ticket.
2822 * 0: no ticket was found (or was ignored, based on settings).
2823 * 1: a zero length extension was found, indicating that the client supports
2824 * session tickets but doesn't currently have one to offer.
2825 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2826 * couldn't be decrypted because of a non-fatal error.
2827 * 3: a ticket was successfully decrypted and *ret was set.
2830 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2831 * a new session ticket to the client because the client indicated support
2832 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2833 * a session ticket or we couldn't use the one it gave us, or if
2834 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2835 * Otherwise, s->tlsext_ticket_expected is set to 0.
2837 * For extended master secret flag is set if the extension is present.
2840 int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2841 const PACKET *session_id,
2845 PACKET local_ext = *ext;
2848 int have_ticket = 0;
2849 int use_ticket = tls_use_ticket(s);
2852 s->tlsext_ticket_expected = 0;
2853 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2856 * If tickets disabled behave as if no ticket present to permit stateful
2859 if ((s->version <= SSL3_VERSION))
2862 if (!PACKET_get_net_2(&local_ext, &i)) {
2866 while (PACKET_remaining(&local_ext) >= 4) {
2867 unsigned int type, size;
2869 if (!PACKET_get_net_2(&local_ext, &type)
2870 || !PACKET_get_net_2(&local_ext, &size)) {
2871 /* Shouldn't ever happen */
2875 if (PACKET_remaining(&local_ext) < size) {
2879 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
2881 const unsigned char *etick;
2883 /* Duplicate extension */
2884 if (have_ticket != 0) {
2892 * The client will accept a ticket but doesn't currently have
2895 s->tlsext_ticket_expected = 1;
2899 if (s->tls_session_secret_cb) {
2901 * Indicate that the ticket couldn't be decrypted rather than
2902 * generating the session from ticket now, trigger
2903 * abbreviated handshake based on external mechanism to
2904 * calculate the master secret later.
2909 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
2910 /* Shouldn't ever happen */
2914 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
2915 PACKET_remaining(session_id), ret);
2917 case 2: /* ticket couldn't be decrypted */
2918 s->tlsext_ticket_expected = 1;
2921 case 3: /* ticket was decrypted */
2924 case 4: /* ticket decrypted but need to renew */
2925 s->tlsext_ticket_expected = 1;
2928 default: /* fatal error */
2934 if (type == TLSEXT_TYPE_extended_master_secret)
2935 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
2936 if (!PACKET_forward(&local_ext, size)) {
2942 if (have_ticket == 0)
2949 * tls_decrypt_ticket attempts to decrypt a session ticket.
2951 * etick: points to the body of the session ticket extension.
2952 * eticklen: the length of the session tickets extension.
2953 * sess_id: points at the session ID.
2954 * sesslen: the length of the session ID.
2955 * psess: (output) on return, if a ticket was decrypted, then this is set to
2956 * point to the resulting session.
2959 * -2: fatal error, malloc failure.
2960 * -1: fatal error, either from parsing or decrypting the ticket.
2961 * 2: the ticket couldn't be decrypted.
2962 * 3: a ticket was successfully decrypted and *psess was set.
2963 * 4: same as 3, but the ticket needs to be renewed.
2965 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
2966 int eticklen, const unsigned char *sess_id,
2967 size_t sesslen, SSL_SESSION **psess)
2970 unsigned char *sdec;
2971 const unsigned char *p;
2972 int slen, mlen, renew_ticket = 0, ret = -1;
2973 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2974 HMAC_CTX *hctx = NULL;
2975 EVP_CIPHER_CTX *ctx;
2976 SSL_CTX *tctx = s->initial_ctx;
2978 /* Initialize session ticket encryption and HMAC contexts */
2979 hctx = HMAC_CTX_new();
2982 ctx = EVP_CIPHER_CTX_new();
2987 if (tctx->tlsext_ticket_key_cb) {
2988 unsigned char *nctick = (unsigned char *)etick;
2989 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3000 /* Check key name matches */
3001 if (memcmp(etick, tctx->tlsext_tick_key_name,
3002 sizeof(tctx->tlsext_tick_key_name)) != 0) {
3006 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
3007 sizeof(tctx->tlsext_tick_hmac_key),
3008 EVP_sha256(), NULL) <= 0
3009 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
3010 tctx->tlsext_tick_aes_key,
3011 etick + sizeof(tctx->tlsext_tick_key_name)) <=
3017 * Attempt to process session ticket, first conduct sanity and integrity
3020 mlen = HMAC_size(hctx);
3024 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
3026 TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
3031 /* Check HMAC of encrypted ticket */
3032 if (HMAC_Update(hctx, etick, eticklen) <= 0
3033 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
3036 HMAC_CTX_free(hctx);
3037 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3038 EVP_CIPHER_CTX_free(ctx);
3041 /* Attempt to decrypt session data */
3042 /* Move p after IV to start of encrypted ticket, update length */
3043 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
3044 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
3045 sdec = OPENSSL_malloc(eticklen);
3046 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
3047 EVP_CIPHER_CTX_free(ctx);
3051 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3052 EVP_CIPHER_CTX_free(ctx);
3057 EVP_CIPHER_CTX_free(ctx);
3061 sess = d2i_SSL_SESSION(NULL, &p, slen);
3065 * The session ID, if non-empty, is used by some clients to detect
3066 * that the ticket has been accepted. So we copy it to the session
3067 * structure. If it is empty set length to zero as required by
3071 memcpy(sess->session_id, sess_id, sesslen);
3072 sess->session_id_length = sesslen;
3081 * For session parse failure, indicate that we need to send a new ticket.
3085 EVP_CIPHER_CTX_free(ctx);
3086 HMAC_CTX_free(hctx);
3090 /* Tables to translate from NIDs to TLS v1.2 ids */
3097 static const tls12_lookup tls12_md[] = {
3098 {NID_md5, TLSEXT_hash_md5},
3099 {NID_sha1, TLSEXT_hash_sha1},
3100 {NID_sha224, TLSEXT_hash_sha224},
3101 {NID_sha256, TLSEXT_hash_sha256},
3102 {NID_sha384, TLSEXT_hash_sha384},
3103 {NID_sha512, TLSEXT_hash_sha512},
3104 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3105 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3106 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
3109 static const tls12_lookup tls12_sig[] = {
3110 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3111 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3112 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3113 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3114 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3115 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
3118 static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
3121 for (i = 0; i < tlen; i++) {
3122 if (table[i].nid == nid)
3128 static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
3131 for (i = 0; i < tlen; i++) {
3132 if ((table[i].id) == id)
3133 return table[i].nid;
3138 int tls12_get_sigandhash(WPACKET *pkt, const EVP_PKEY *pk, const EVP_MD *md)
3144 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
3147 sig_id = tls12_get_sigid(pk);
3150 if (!WPACKET_put_bytes_u8(pkt, md_id) || !WPACKET_put_bytes_u8(pkt, sig_id))
3156 int tls12_get_sigid(const EVP_PKEY *pk)
3158 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
3165 unsigned char tlsext_hash;
3168 static const tls12_hash_info tls12_md_info[] = {
3169 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3170 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3171 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3172 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3173 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3174 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3175 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3176 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX,
3177 TLSEXT_hash_gostr34112012_256},
3178 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
3179 TLSEXT_hash_gostr34112012_512},
3182 static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
3188 for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
3189 if (tls12_md_info[i].tlsext_hash == hash_alg)
3190 return tls12_md_info + i;
3196 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3198 const tls12_hash_info *inf;
3199 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3201 inf = tls12_get_hash_info(hash_alg);
3204 return ssl_md(inf->md_idx);
3207 static int tls12_get_pkey_idx(unsigned char sig_alg)
3210 #ifndef OPENSSL_NO_RSA
3211 case TLSEXT_signature_rsa:
3212 return SSL_PKEY_RSA_SIGN;
3214 #ifndef OPENSSL_NO_DSA
3215 case TLSEXT_signature_dsa:
3216 return SSL_PKEY_DSA_SIGN;
3218 #ifndef OPENSSL_NO_EC
3219 case TLSEXT_signature_ecdsa:
3220 return SSL_PKEY_ECC;
3222 #ifndef OPENSSL_NO_GOST
3223 case TLSEXT_signature_gostr34102001:
3224 return SSL_PKEY_GOST01;
3226 case TLSEXT_signature_gostr34102012_256:
3227 return SSL_PKEY_GOST12_256;
3229 case TLSEXT_signature_gostr34102012_512:
3230 return SSL_PKEY_GOST12_512;
3236 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3237 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3238 int *psignhash_nid, const unsigned char *data)
3240 int sign_nid = NID_undef, hash_nid = NID_undef;
3241 if (!phash_nid && !psign_nid && !psignhash_nid)
3243 if (phash_nid || psignhash_nid) {
3244 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
3246 *phash_nid = hash_nid;
3248 if (psign_nid || psignhash_nid) {
3249 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
3251 *psign_nid = sign_nid;
3253 if (psignhash_nid) {
3254 if (sign_nid == NID_undef || hash_nid == NID_undef
3255 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0)
3256 *psignhash_nid = NID_undef;
3260 /* Check to see if a signature algorithm is allowed */
3261 static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
3263 /* See if we have an entry in the hash table and it is enabled */
3264 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
3265 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
3267 /* See if public key algorithm allowed */
3268 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3270 /* Finally see if security callback allows it */
3271 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3275 * Get a mask of disabled public key algorithms based on supported signature
3276 * algorithms. For example if no signature algorithm supports RSA then RSA is
3280 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
3282 const unsigned char *sigalgs;
3283 size_t i, sigalgslen;
3284 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3286 * Now go through all signature algorithms seeing if we support any for
3287 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3288 * down calls to security callback only check if we have to.
3290 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3291 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3292 switch (sigalgs[1]) {
3293 #ifndef OPENSSL_NO_RSA
3294 case TLSEXT_signature_rsa:
3295 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3299 #ifndef OPENSSL_NO_DSA
3300 case TLSEXT_signature_dsa:
3301 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3305 #ifndef OPENSSL_NO_EC
3306 case TLSEXT_signature_ecdsa:
3307 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3314 *pmask_a |= SSL_aRSA;
3316 *pmask_a |= SSL_aDSS;
3318 *pmask_a |= SSL_aECDSA;
3321 int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
3322 const unsigned char *psig, size_t psiglen)
3326 for (i = 0; i < psiglen; i += 2, psig += 2) {
3327 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3328 if (!WPACKET_put_bytes_u8(pkt, psig[0])
3329 || !WPACKET_put_bytes_u8(pkt, psig[1]))
3336 /* Given preference and allowed sigalgs set shared sigalgs */
3337 static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
3338 const unsigned char *pref, size_t preflen,
3339 const unsigned char *allow, size_t allowlen)
3341 const unsigned char *ptmp, *atmp;
3342 size_t i, j, nmatch = 0;
3343 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3344 /* Skip disabled hashes or signature algorithms */
3345 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3347 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3348 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3351 shsig->rhash = ptmp[0];
3352 shsig->rsign = ptmp[1];
3353 tls1_lookup_sigalg(&shsig->hash_nid,
3355 &shsig->signandhash_nid, ptmp);
3365 /* Set shared signature algorithms for SSL structures */
3366 static int tls1_set_shared_sigalgs(SSL *s)
3368 const unsigned char *pref, *allow, *conf;
3369 size_t preflen, allowlen, conflen;
3371 TLS_SIGALGS *salgs = NULL;
3373 unsigned int is_suiteb = tls1_suiteb(s);
3375 OPENSSL_free(c->shared_sigalgs);
3376 c->shared_sigalgs = NULL;
3377 c->shared_sigalgslen = 0;
3378 /* If client use client signature algorithms if not NULL */
3379 if (!s->server && c->client_sigalgs && !is_suiteb) {
3380 conf = c->client_sigalgs;
3381 conflen = c->client_sigalgslen;
3382 } else if (c->conf_sigalgs && !is_suiteb) {
3383 conf = c->conf_sigalgs;
3384 conflen = c->conf_sigalgslen;
3386 conflen = tls12_get_psigalgs(s, &conf);
3387 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3390 allow = s->s3->tmp.peer_sigalgs;
3391 allowlen = s->s3->tmp.peer_sigalgslen;
3395 pref = s->s3->tmp.peer_sigalgs;
3396 preflen = s->s3->tmp.peer_sigalgslen;
3398 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
3400 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3403 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3407 c->shared_sigalgs = salgs;
3408 c->shared_sigalgslen = nmatch;
3412 /* Set preferred digest for each key type */
3414 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
3417 /* Extension ignored for inappropriate versions */
3418 if (!SSL_USE_SIGALGS(s))
3420 /* Should never happen */
3424 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3425 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3426 if (s->s3->tmp.peer_sigalgs == NULL)
3428 s->s3->tmp.peer_sigalgslen = dsize;
3429 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
3433 int tls1_process_sigalgs(SSL *s)
3438 const EVP_MD **pmd = s->s3->tmp.md;
3439 uint32_t *pvalid = s->s3->tmp.valid_flags;
3441 TLS_SIGALGS *sigptr;
3442 if (!tls1_set_shared_sigalgs(s))
3445 for (i = 0, sigptr = c->shared_sigalgs;
3446 i < c->shared_sigalgslen; i++, sigptr++) {
3447 idx = tls12_get_pkey_idx(sigptr->rsign);
3448 if (idx > 0 && pmd[idx] == NULL) {
3449 md = tls12_get_hash(sigptr->rhash);
3451 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
3452 if (idx == SSL_PKEY_RSA_SIGN) {
3453 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
3454 pmd[SSL_PKEY_RSA_ENC] = md;
3460 * In strict mode leave unset digests as NULL to indicate we can't use
3461 * the certificate for signing.
3463 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3465 * Set any remaining keys to default values. NOTE: if alg is not
3466 * supported it stays as NULL.
3468 #ifndef OPENSSL_NO_DSA
3469 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3470 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
3472 #ifndef OPENSSL_NO_RSA
3473 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3474 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3475 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
3478 #ifndef OPENSSL_NO_EC
3479 if (pmd[SSL_PKEY_ECC] == NULL)
3480 pmd[SSL_PKEY_ECC] = EVP_sha1();
3482 #ifndef OPENSSL_NO_GOST
3483 if (pmd[SSL_PKEY_GOST01] == NULL)
3484 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3485 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3486 pmd[SSL_PKEY_GOST12_256] =
3487 EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3488 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3489 pmd[SSL_PKEY_GOST12_512] =
3490 EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3496 int SSL_get_sigalgs(SSL *s, int idx,
3497 int *psign, int *phash, int *psignhash,
3498 unsigned char *rsig, unsigned char *rhash)
3500 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
3505 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
3512 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3514 return s->s3->tmp.peer_sigalgslen / 2;
3517 int SSL_get_shared_sigalgs(SSL *s, int idx,
3518 int *psign, int *phash, int *psignhash,
3519 unsigned char *rsig, unsigned char *rhash)
3521 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3522 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3526 *phash = shsigalgs->hash_nid;
3528 *psign = shsigalgs->sign_nid;
3530 *psignhash = shsigalgs->signandhash_nid;
3532 *rsig = shsigalgs->rsign;
3534 *rhash = shsigalgs->rhash;
3535 return s->cert->shared_sigalgslen;
3538 #define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3542 int sigalgs[MAX_SIGALGLEN];
3545 static void get_sigorhash(int *psig, int *phash, const char *str)
3547 if (strcmp(str, "RSA") == 0) {
3548 *psig = EVP_PKEY_RSA;
3549 } else if (strcmp(str, "DSA") == 0) {
3550 *psig = EVP_PKEY_DSA;
3551 } else if (strcmp(str, "ECDSA") == 0) {
3552 *psig = EVP_PKEY_EC;
3554 *phash = OBJ_sn2nid(str);
3555 if (*phash == NID_undef)
3556 *phash = OBJ_ln2nid(str);
3560 static int sig_cb(const char *elem, int len, void *arg)
3562 sig_cb_st *sarg = arg;
3565 int sig_alg = NID_undef, hash_alg = NID_undef;
3568 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3570 if (len > (int)(sizeof(etmp) - 1))
3572 memcpy(etmp, elem, len);
3574 p = strchr(etmp, '+');
3582 get_sigorhash(&sig_alg, &hash_alg, etmp);
3583 get_sigorhash(&sig_alg, &hash_alg, p);
3585 if (sig_alg == NID_undef || hash_alg == NID_undef)
3588 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3589 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3592 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3593 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3598 * Set supported signature algorithms based on a colon separated list of the
3599 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3601 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
3605 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3609 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3612 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
3614 unsigned char *sigalgs, *sptr;
3619 sigalgs = OPENSSL_malloc(salglen);
3620 if (sigalgs == NULL)
3622 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
3623 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3624 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
3626 if (rhash == -1 || rsign == -1)
3633 OPENSSL_free(c->client_sigalgs);
3634 c->client_sigalgs = sigalgs;
3635 c->client_sigalgslen = salglen;
3637 OPENSSL_free(c->conf_sigalgs);
3638 c->conf_sigalgs = sigalgs;
3639 c->conf_sigalgslen = salglen;
3645 OPENSSL_free(sigalgs);
3649 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3653 if (default_nid == -1)
3655 sig_nid = X509_get_signature_nid(x);
3657 return sig_nid == default_nid ? 1 : 0;
3658 for (i = 0; i < c->shared_sigalgslen; i++)
3659 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3664 /* Check to see if a certificate issuer name matches list of CA names */
3665 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
3669 nm = X509_get_issuer_name(x);
3670 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3671 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3678 * Check certificate chain is consistent with TLS extensions and is usable by
3679 * server. This servers two purposes: it allows users to check chains before
3680 * passing them to the server and it allows the server to check chains before
3681 * attempting to use them.
3684 /* Flags which need to be set for a certificate when stict mode not set */
3686 #define CERT_PKEY_VALID_FLAGS \
3687 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
3688 /* Strict mode flags */
3689 #define CERT_PKEY_STRICT_FLAGS \
3690 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3691 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
3693 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3698 int check_flags = 0, strict_mode;
3699 CERT_PKEY *cpk = NULL;
3702 unsigned int suiteb_flags = tls1_suiteb(s);
3703 /* idx == -1 means checking server chains */
3705 /* idx == -2 means checking client certificate chains */
3708 idx = cpk - c->pkeys;
3710 cpk = c->pkeys + idx;
3711 pvalid = s->s3->tmp.valid_flags + idx;
3713 pk = cpk->privatekey;
3715 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3716 /* If no cert or key, forget it */
3722 idx = ssl_cert_type(x, pk);
3725 pvalid = s->s3->tmp.valid_flags + idx;
3727 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3728 check_flags = CERT_PKEY_STRICT_FLAGS;
3730 check_flags = CERT_PKEY_VALID_FLAGS;
3737 check_flags |= CERT_PKEY_SUITEB;
3738 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3739 if (ok == X509_V_OK)
3740 rv |= CERT_PKEY_SUITEB;
3741 else if (!check_flags)
3746 * Check all signature algorithms are consistent with signature
3747 * algorithms extension if TLS 1.2 or later and strict mode.
3749 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3751 unsigned char rsign = 0;
3752 if (s->s3->tmp.peer_sigalgs)
3754 /* If no sigalgs extension use defaults from RFC5246 */
3757 case SSL_PKEY_RSA_ENC:
3758 case SSL_PKEY_RSA_SIGN:
3759 rsign = TLSEXT_signature_rsa;
3760 default_nid = NID_sha1WithRSAEncryption;
3763 case SSL_PKEY_DSA_SIGN:
3764 rsign = TLSEXT_signature_dsa;
3765 default_nid = NID_dsaWithSHA1;
3769 rsign = TLSEXT_signature_ecdsa;
3770 default_nid = NID_ecdsa_with_SHA1;
3773 case SSL_PKEY_GOST01:
3774 rsign = TLSEXT_signature_gostr34102001;
3775 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3778 case SSL_PKEY_GOST12_256:
3779 rsign = TLSEXT_signature_gostr34102012_256;
3780 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3783 case SSL_PKEY_GOST12_512:
3784 rsign = TLSEXT_signature_gostr34102012_512;
3785 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3794 * If peer sent no signature algorithms extension and we have set
3795 * preferred signature algorithms check we support sha1.
3797 if (default_nid > 0 && c->conf_sigalgs) {
3799 const unsigned char *p = c->conf_sigalgs;
3800 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3801 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3804 if (j == c->conf_sigalgslen) {
3811 /* Check signature algorithm of each cert in chain */
3812 if (!tls1_check_sig_alg(c, x, default_nid)) {
3816 rv |= CERT_PKEY_EE_SIGNATURE;
3817 rv |= CERT_PKEY_CA_SIGNATURE;
3818 for (i = 0; i < sk_X509_num(chain); i++) {
3819 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3821 rv &= ~CERT_PKEY_CA_SIGNATURE;
3828 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3829 else if (check_flags)
3830 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3832 /* Check cert parameters are consistent */
3833 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3834 rv |= CERT_PKEY_EE_PARAM;
3835 else if (!check_flags)
3838 rv |= CERT_PKEY_CA_PARAM;
3839 /* In strict mode check rest of chain too */
3840 else if (strict_mode) {
3841 rv |= CERT_PKEY_CA_PARAM;
3842 for (i = 0; i < sk_X509_num(chain); i++) {
3843 X509 *ca = sk_X509_value(chain, i);
3844 if (!tls1_check_cert_param(s, ca, 0)) {
3846 rv &= ~CERT_PKEY_CA_PARAM;
3853 if (!s->server && strict_mode) {
3854 STACK_OF(X509_NAME) *ca_dn;
3856 switch (EVP_PKEY_id(pk)) {
3858 check_type = TLS_CT_RSA_SIGN;
3861 check_type = TLS_CT_DSS_SIGN;
3864 check_type = TLS_CT_ECDSA_SIGN;
3868 const unsigned char *ctypes;
3872 ctypelen = (int)c->ctype_num;
3874 ctypes = (unsigned char *)s->s3->tmp.ctype;
3875 ctypelen = s->s3->tmp.ctype_num;
3877 for (i = 0; i < ctypelen; i++) {
3878 if (ctypes[i] == check_type) {
3879 rv |= CERT_PKEY_CERT_TYPE;
3883 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
3886 rv |= CERT_PKEY_CERT_TYPE;
3888 ca_dn = s->s3->tmp.ca_names;
3890 if (!sk_X509_NAME_num(ca_dn))
3891 rv |= CERT_PKEY_ISSUER_NAME;
3893 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3894 if (ssl_check_ca_name(ca_dn, x))
3895 rv |= CERT_PKEY_ISSUER_NAME;
3897 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3898 for (i = 0; i < sk_X509_num(chain); i++) {
3899 X509 *xtmp = sk_X509_value(chain, i);
3900 if (ssl_check_ca_name(ca_dn, xtmp)) {
3901 rv |= CERT_PKEY_ISSUER_NAME;
3906 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
3909 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
3911 if (!check_flags || (rv & check_flags) == check_flags)
3912 rv |= CERT_PKEY_VALID;
3916 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
3917 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
3918 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
3919 else if (s->s3->tmp.md[idx] != NULL)
3920 rv |= CERT_PKEY_SIGN;
3922 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
3925 * When checking a CERT_PKEY structure all flags are irrelevant if the
3929 if (rv & CERT_PKEY_VALID)
3932 /* Preserve explicit sign flag, clear rest */
3933 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
3940 /* Set validity of certificates in an SSL structure */
3941 void tls1_set_cert_validity(SSL *s)
3943 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
3944 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
3945 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
3946 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
3947 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
3948 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
3949 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
3952 /* User level utiity function to check a chain is suitable */
3953 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
3955 return tls1_check_chain(s, x, pk, chain, -1);
3958 #ifndef OPENSSL_NO_DH
3959 DH *ssl_get_auto_dh(SSL *s)
3961 int dh_secbits = 80;
3962 if (s->cert->dh_tmp_auto == 2)
3963 return DH_get_1024_160();
3964 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
3965 if (s->s3->tmp.new_cipher->strength_bits == 256)
3970 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
3971 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
3974 if (dh_secbits >= 128) {
3982 if (dh_secbits >= 192)
3983 p = BN_get_rfc3526_prime_8192(NULL);
3985 p = BN_get_rfc3526_prime_3072(NULL);
3986 if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
3994 if (dh_secbits >= 112)
3995 return DH_get_2048_224();
3996 return DH_get_1024_160();
4000 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4003 EVP_PKEY *pkey = X509_get0_pubkey(x);
4006 * If no parameters this will return -1 and fail using the default
4007 * security callback for any non-zero security level. This will
4008 * reject keys which omit parameters but this only affects DSA and
4009 * omission of parameters is never (?) done in practice.
4011 secbits = EVP_PKEY_security_bits(pkey);
4014 return ssl_security(s, op, secbits, 0, x);
4016 return ssl_ctx_security(ctx, op, secbits, 0, x);
4019 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4021 /* Lookup signature algorithm digest */
4022 int secbits = -1, md_nid = NID_undef, sig_nid;
4023 /* Don't check signature if self signed */
4024 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
4026 sig_nid = X509_get_signature_nid(x);
4027 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4029 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4030 secbits = EVP_MD_size(md) * 4;
4033 return ssl_security(s, op, secbits, md_nid, x);
4035 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4038 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
4041 vfy = SSL_SECOP_PEER;
4043 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4044 return SSL_R_EE_KEY_TOO_SMALL;
4046 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4047 return SSL_R_CA_KEY_TOO_SMALL;
4049 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4050 return SSL_R_CA_MD_TOO_WEAK;
4055 * Check security of a chain, if sk includes the end entity certificate then
4056 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4057 * one to the peer. Return values: 1 if ok otherwise error code to use
4060 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
4062 int rv, start_idx, i;
4064 x = sk_X509_value(sk, 0);
4069 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4073 for (i = start_idx; i < sk_X509_num(sk); i++) {
4074 x = sk_X509_value(sk, i);
4075 rv = ssl_security_cert(s, NULL, x, vfy, 0);