2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #ifndef OPENSSL_NO_DH
119 # include <openssl/dh.h>
120 # include <openssl/bn.h>
122 #include "ssl_locl.h"
124 const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
126 #ifndef OPENSSL_NO_TLSEXT
127 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
128 const unsigned char *sess_id, int sesslen,
129 SSL_SESSION **psess);
130 static int ssl_check_clienthello_tlsext_early(SSL *s);
131 int ssl_check_serverhello_tlsext(SSL *s);
134 SSL3_ENC_METHOD const TLSv1_enc_data = {
137 tls1_setup_key_block,
138 tls1_generate_master_secret,
139 tls1_change_cipher_state,
140 tls1_final_finish_mac,
141 TLS1_FINISH_MAC_LENGTH,
142 tls1_cert_verify_mac,
143 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
144 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
146 tls1_export_keying_material,
148 SSL3_HM_HEADER_LENGTH,
149 ssl3_set_handshake_header,
153 SSL3_ENC_METHOD const TLSv1_1_enc_data = {
156 tls1_setup_key_block,
157 tls1_generate_master_secret,
158 tls1_change_cipher_state,
159 tls1_final_finish_mac,
160 TLS1_FINISH_MAC_LENGTH,
161 tls1_cert_verify_mac,
162 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
163 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
165 tls1_export_keying_material,
166 SSL_ENC_FLAG_EXPLICIT_IV,
167 SSL3_HM_HEADER_LENGTH,
168 ssl3_set_handshake_header,
172 SSL3_ENC_METHOD const TLSv1_2_enc_data = {
175 tls1_setup_key_block,
176 tls1_generate_master_secret,
177 tls1_change_cipher_state,
178 tls1_final_finish_mac,
179 TLS1_FINISH_MAC_LENGTH,
180 tls1_cert_verify_mac,
181 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
182 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
184 tls1_export_keying_material,
185 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
186 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
187 SSL3_HM_HEADER_LENGTH,
188 ssl3_set_handshake_header,
192 long tls1_default_timeout(void)
195 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
196 * http, the cache would over fill
198 return (60 * 60 * 2);
205 s->method->ssl_clear(s);
209 void tls1_free(SSL *s)
211 #ifndef OPENSSL_NO_TLSEXT
212 if (s->tlsext_session_ticket) {
213 OPENSSL_free(s->tlsext_session_ticket);
215 #endif /* OPENSSL_NO_TLSEXT */
219 void tls1_clear(SSL *s)
222 s->version = s->method->version;
225 #ifndef OPENSSL_NO_EC
228 int nid; /* Curve NID */
229 int secbits; /* Bits of security (from SP800-57) */
230 unsigned int flags; /* Flags: currently just field type */
233 # define TLS_CURVE_CHAR2 0x1
234 # define TLS_CURVE_PRIME 0x0
236 static const tls_curve_info nid_list[] = {
237 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
238 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
239 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
240 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
241 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
242 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
243 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
244 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
245 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
246 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
247 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
248 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
249 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
250 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
251 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
252 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
253 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
254 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
255 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
256 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
257 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
258 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
259 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
260 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
261 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
262 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
263 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
264 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
267 static const unsigned char ecformats_default[] = {
268 TLSEXT_ECPOINTFORMAT_uncompressed,
269 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
270 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
273 static const unsigned char eccurves_default[] = {
274 0, 14, /* sect571r1 (14) */
275 0, 13, /* sect571k1 (13) */
276 0, 25, /* secp521r1 (25) */
277 0, 28, /* brainpool512r1 (28) */
278 0, 11, /* sect409k1 (11) */
279 0, 12, /* sect409r1 (12) */
280 0, 27, /* brainpoolP384r1 (27) */
281 0, 24, /* secp384r1 (24) */
282 0, 9, /* sect283k1 (9) */
283 0, 10, /* sect283r1 (10) */
284 0, 26, /* brainpoolP256r1 (26) */
285 0, 22, /* secp256k1 (22) */
286 0, 23, /* secp256r1 (23) */
287 0, 8, /* sect239k1 (8) */
288 0, 6, /* sect233k1 (6) */
289 0, 7, /* sect233r1 (7) */
290 0, 20, /* secp224k1 (20) */
291 0, 21, /* secp224r1 (21) */
292 0, 4, /* sect193r1 (4) */
293 0, 5, /* sect193r2 (5) */
294 0, 18, /* secp192k1 (18) */
295 0, 19, /* secp192r1 (19) */
296 0, 1, /* sect163k1 (1) */
297 0, 2, /* sect163r1 (2) */
298 0, 3, /* sect163r2 (3) */
299 0, 15, /* secp160k1 (15) */
300 0, 16, /* secp160r1 (16) */
301 0, 17, /* secp160r2 (17) */
304 static const unsigned char suiteb_curves[] = {
305 0, TLSEXT_curve_P_256,
306 0, TLSEXT_curve_P_384
309 int tls1_ec_curve_id2nid(int curve_id)
311 /* ECC curves from RFC 4492 and RFC 7027 */
312 if ((curve_id < 1) || ((unsigned int)curve_id >
313 sizeof(nid_list) / sizeof(nid_list[0])))
315 return nid_list[curve_id - 1].nid;
318 int tls1_ec_nid2curve_id(int nid)
320 /* ECC curves from RFC 4492 and RFC 7027 */
322 case NID_sect163k1: /* sect163k1 (1) */
324 case NID_sect163r1: /* sect163r1 (2) */
326 case NID_sect163r2: /* sect163r2 (3) */
328 case NID_sect193r1: /* sect193r1 (4) */
330 case NID_sect193r2: /* sect193r2 (5) */
332 case NID_sect233k1: /* sect233k1 (6) */
334 case NID_sect233r1: /* sect233r1 (7) */
336 case NID_sect239k1: /* sect239k1 (8) */
338 case NID_sect283k1: /* sect283k1 (9) */
340 case NID_sect283r1: /* sect283r1 (10) */
342 case NID_sect409k1: /* sect409k1 (11) */
344 case NID_sect409r1: /* sect409r1 (12) */
346 case NID_sect571k1: /* sect571k1 (13) */
348 case NID_sect571r1: /* sect571r1 (14) */
350 case NID_secp160k1: /* secp160k1 (15) */
352 case NID_secp160r1: /* secp160r1 (16) */
354 case NID_secp160r2: /* secp160r2 (17) */
356 case NID_secp192k1: /* secp192k1 (18) */
358 case NID_X9_62_prime192v1: /* secp192r1 (19) */
360 case NID_secp224k1: /* secp224k1 (20) */
362 case NID_secp224r1: /* secp224r1 (21) */
364 case NID_secp256k1: /* secp256k1 (22) */
366 case NID_X9_62_prime256v1: /* secp256r1 (23) */
368 case NID_secp384r1: /* secp384r1 (24) */
370 case NID_secp521r1: /* secp521r1 (25) */
372 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
374 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
376 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
384 * Get curves list, if "sess" is set return client curves otherwise
386 * Sets |num_curves| to the number of curves in the list, i.e.,
387 * the length of |pcurves| is 2 * num_curves.
388 * Returns 1 on success and 0 if the client curves list has invalid format.
389 * The latter indicates an internal error: we should not be accepting such
390 * lists in the first place.
391 * TODO(emilia): we should really be storing the curves list in explicitly
392 * parsed form instead. (However, this would affect binary compatibility
393 * so cannot happen in the 1.0.x series.)
395 static int tls1_get_curvelist(SSL *s, int sess,
396 const unsigned char **pcurves,
399 size_t pcurveslen = 0;
401 *pcurves = s->session->tlsext_ellipticcurvelist;
402 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
404 /* For Suite B mode only include P-256, P-384 */
405 switch (tls1_suiteb(s)) {
406 case SSL_CERT_FLAG_SUITEB_128_LOS:
407 *pcurves = suiteb_curves;
408 pcurveslen = sizeof(suiteb_curves);
411 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
412 *pcurves = suiteb_curves;
416 case SSL_CERT_FLAG_SUITEB_192_LOS:
417 *pcurves = suiteb_curves + 2;
421 *pcurves = s->tlsext_ellipticcurvelist;
422 pcurveslen = s->tlsext_ellipticcurvelist_length;
425 *pcurves = eccurves_default;
426 pcurveslen = sizeof(eccurves_default);
430 /* We do not allow odd length arrays to enter the system. */
431 if (pcurveslen & 1) {
432 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
436 *num_curves = pcurveslen / 2;
441 /* See if curve is allowed by security callback */
442 static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
444 const tls_curve_info *cinfo;
447 if ((curve[1] < 1) || ((size_t)curve[1] >
448 sizeof(nid_list) / sizeof(nid_list[0])))
450 cinfo = &nid_list[curve[1] - 1];
451 # ifdef OPENSSL_NO_EC2M
452 if (cinfo->flags & TLS_CURVE_CHAR2)
455 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
458 /* Check a curve is one of our preferences */
459 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
461 const unsigned char *curves;
462 size_t num_curves, i;
463 unsigned int suiteb_flags = tls1_suiteb(s);
464 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
466 /* Check curve matches Suite B preferences */
468 unsigned long cid = s->s3->tmp.new_cipher->id;
471 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
472 if (p[2] != TLSEXT_curve_P_256)
474 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
475 if (p[2] != TLSEXT_curve_P_384)
477 } else /* Should never happen */
480 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
482 for (i = 0; i < num_curves; i++, curves += 2) {
483 if (p[1] == curves[0] && p[2] == curves[1])
484 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
490 * Return |nmatch|th shared curve or NID_undef if there is no match.
491 * For nmatch == -1, return number of matches
492 * For nmatch == -2, return the NID of the curve to use for
493 * an EC tmp key, or NID_undef if there is no match.
495 int tls1_shared_curve(SSL *s, int nmatch)
497 const unsigned char *pref, *supp;
498 size_t num_pref, num_supp, i, j;
500 /* Can't do anything on client side */
504 if (tls1_suiteb(s)) {
506 * For Suite B ciphersuite determines curve: we already know
507 * these are acceptable due to previous checks.
509 unsigned long cid = s->s3->tmp.new_cipher->id;
510 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
511 return NID_X9_62_prime256v1; /* P-256 */
512 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
513 return NID_secp384r1; /* P-384 */
514 /* Should never happen */
517 /* If not Suite B just return first preference shared curve */
521 * Avoid truncation. tls1_get_curvelist takes an int
522 * but s->options is a long...
524 if (!tls1_get_curvelist
525 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
527 /* In practice, NID_undef == 0 but let's be precise. */
528 return nmatch == -1 ? 0 : NID_undef;
529 if (!tls1_get_curvelist
530 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
532 return nmatch == -1 ? 0 : NID_undef;
534 for (i = 0; i < num_pref; i++, pref += 2) {
535 const unsigned char *tsupp = supp;
536 for (j = 0; j < num_supp; j++, tsupp += 2) {
537 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
538 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
541 int id = (pref[0] << 8) | pref[1];
542 return tls1_ec_curve_id2nid(id);
550 /* Out of range (nmatch > k). */
554 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
555 int *curves, size_t ncurves)
557 unsigned char *clist, *p;
560 * Bitmap of curves included to detect duplicates: only works while curve
563 unsigned long dup_list = 0;
564 clist = OPENSSL_malloc(ncurves * 2);
567 for (i = 0, p = clist; i < ncurves; i++) {
568 unsigned long idmask;
570 id = tls1_ec_nid2curve_id(curves[i]);
572 if (!id || (dup_list & idmask)) {
582 *pextlen = ncurves * 2;
586 # define MAX_CURVELIST 28
590 int nid_arr[MAX_CURVELIST];
593 static int nid_cb(const char *elem, int len, void *arg)
595 nid_cb_st *narg = arg;
599 if (narg->nidcnt == MAX_CURVELIST)
601 if (len > (int)(sizeof(etmp) - 1))
603 memcpy(etmp, elem, len);
605 nid = EC_curve_nist2nid(etmp);
606 if (nid == NID_undef)
607 nid = OBJ_sn2nid(etmp);
608 if (nid == NID_undef)
609 nid = OBJ_ln2nid(etmp);
610 if (nid == NID_undef)
612 for (i = 0; i < narg->nidcnt; i++)
613 if (narg->nid_arr[i] == nid)
615 narg->nid_arr[narg->nidcnt++] = nid;
619 /* Set curves based on a colon separate list */
620 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
625 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
629 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
632 /* For an EC key set TLS id and required compression based on parameters */
633 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
638 const EC_METHOD *meth;
641 /* Determine if it is a prime field */
642 grp = EC_KEY_get0_group(ec);
645 meth = EC_GROUP_method_of(grp);
648 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
652 /* Determine curve ID */
653 id = EC_GROUP_get_curve_name(grp);
654 id = tls1_ec_nid2curve_id(id);
655 /* If we have an ID set it, otherwise set arbitrary explicit curve */
658 curve_id[1] = (unsigned char)id;
667 if (EC_KEY_get0_public_key(ec) == NULL)
669 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
671 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
673 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
675 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
680 /* Check an EC key is compatible with extensions */
681 static int tls1_check_ec_key(SSL *s,
682 unsigned char *curve_id, unsigned char *comp_id)
684 const unsigned char *pformats, *pcurves;
685 size_t num_formats, num_curves, i;
688 * If point formats extension present check it, otherwise everything is
689 * supported (see RFC4492).
691 if (comp_id && s->session->tlsext_ecpointformatlist) {
692 pformats = s->session->tlsext_ecpointformatlist;
693 num_formats = s->session->tlsext_ecpointformatlist_length;
694 for (i = 0; i < num_formats; i++, pformats++) {
695 if (*comp_id == *pformats)
698 if (i == num_formats)
703 /* Check curve is consistent with client and server preferences */
704 for (j = 0; j <= 1; j++) {
705 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
707 for (i = 0; i < num_curves; i++, pcurves += 2) {
708 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
713 /* For clients can only check sent curve list */
720 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
724 * If we have a custom point format list use it otherwise use default
726 if (s->tlsext_ecpointformatlist) {
727 *pformats = s->tlsext_ecpointformatlist;
728 *num_formats = s->tlsext_ecpointformatlist_length;
730 *pformats = ecformats_default;
731 /* For Suite B we don't support char2 fields */
733 *num_formats = sizeof(ecformats_default) - 1;
735 *num_formats = sizeof(ecformats_default);
740 * Check cert parameters compatible with extensions: currently just checks EC
741 * certificates have compatible curves and compression.
743 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
745 unsigned char comp_id, curve_id[2];
748 pkey = X509_get_pubkey(x);
751 /* If not EC nothing to do */
752 if (pkey->type != EVP_PKEY_EC) {
756 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
761 * Can't check curve_id for client certs as we don't have a supported
764 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
768 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
769 * SHA384+P-384, adjust digest if necessary.
771 if (set_ee_md && tls1_suiteb(s)) {
777 /* Check to see we have necessary signing algorithm */
778 if (curve_id[1] == TLSEXT_curve_P_256)
779 check_md = NID_ecdsa_with_SHA256;
780 else if (curve_id[1] == TLSEXT_curve_P_384)
781 check_md = NID_ecdsa_with_SHA384;
783 return 0; /* Should never happen */
784 for (i = 0; i < c->shared_sigalgslen; i++)
785 if (check_md == c->shared_sigalgs[i].signandhash_nid)
787 if (i == c->shared_sigalgslen)
789 if (set_ee_md == 2) {
790 if (check_md == NID_ecdsa_with_SHA256)
791 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
793 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
799 # ifndef OPENSSL_NO_ECDH
800 /* Check EC temporary key is compatible with client extensions */
801 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
803 unsigned char curve_id[2];
804 EC_KEY *ec = s->cert->ecdh_tmp;
805 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
806 /* Allow any curve: not just those peer supports */
807 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
811 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
814 if (tls1_suiteb(s)) {
815 /* Curve to check determined by ciphersuite */
816 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
817 curve_id[1] = TLSEXT_curve_P_256;
818 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
819 curve_id[1] = TLSEXT_curve_P_384;
823 /* Check this curve is acceptable */
824 if (!tls1_check_ec_key(s, curve_id, NULL))
826 /* If auto or setting curve from callback assume OK */
827 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
829 /* Otherwise check curve is acceptable */
831 unsigned char curve_tmp[2];
834 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
836 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
842 if (s->cert->ecdh_tmp_auto) {
843 /* Need a shared curve */
844 if (tls1_shared_curve(s, 0))
850 if (s->cert->ecdh_tmp_cb)
855 if (!tls1_set_ec_id(curve_id, NULL, ec))
857 /* Set this to allow use of invalid curves for testing */
861 return tls1_check_ec_key(s, curve_id, NULL);
864 # endif /* OPENSSL_NO_ECDH */
868 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
873 #endif /* OPENSSL_NO_EC */
875 #ifndef OPENSSL_NO_TLSEXT
878 * List of supported signature algorithms and hashes. Should make this
879 * customisable at some point, for now include everything we support.
882 # ifdef OPENSSL_NO_RSA
883 # define tlsext_sigalg_rsa(md) /* */
885 # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
888 # ifdef OPENSSL_NO_DSA
889 # define tlsext_sigalg_dsa(md) /* */
891 # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
894 # ifdef OPENSSL_NO_ECDSA
895 # define tlsext_sigalg_ecdsa(md)
898 # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
901 # define tlsext_sigalg(md) \
902 tlsext_sigalg_rsa(md) \
903 tlsext_sigalg_dsa(md) \
904 tlsext_sigalg_ecdsa(md)
906 static const unsigned char tls12_sigalgs[] = {
907 # ifndef OPENSSL_NO_SHA512
908 tlsext_sigalg(TLSEXT_hash_sha512)
909 tlsext_sigalg(TLSEXT_hash_sha384)
911 # ifndef OPENSSL_NO_SHA256
912 tlsext_sigalg(TLSEXT_hash_sha256)
913 tlsext_sigalg(TLSEXT_hash_sha224)
915 # ifndef OPENSSL_NO_SHA
916 tlsext_sigalg(TLSEXT_hash_sha1)
920 # ifndef OPENSSL_NO_ECDSA
921 static const unsigned char suiteb_sigalgs[] = {
922 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
923 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
926 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
929 * If Suite B mode use Suite B sigalgs only, ignore any other
932 # ifndef OPENSSL_NO_EC
933 switch (tls1_suiteb(s)) {
934 case SSL_CERT_FLAG_SUITEB_128_LOS:
935 *psigs = suiteb_sigalgs;
936 return sizeof(suiteb_sigalgs);
938 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
939 *psigs = suiteb_sigalgs;
942 case SSL_CERT_FLAG_SUITEB_192_LOS:
943 *psigs = suiteb_sigalgs + 2;
947 /* If server use client authentication sigalgs if not NULL */
948 if (s->server && s->cert->client_sigalgs) {
949 *psigs = s->cert->client_sigalgs;
950 return s->cert->client_sigalgslen;
951 } else if (s->cert->conf_sigalgs) {
952 *psigs = s->cert->conf_sigalgs;
953 return s->cert->conf_sigalgslen;
955 *psigs = tls12_sigalgs;
956 return sizeof(tls12_sigalgs);
961 * Check signature algorithm is consistent with sent supported signature
962 * algorithms and if so return relevant digest.
964 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
965 const unsigned char *sig, EVP_PKEY *pkey)
967 const unsigned char *sent_sigs;
968 size_t sent_sigslen, i;
969 int sigalg = tls12_get_sigid(pkey);
970 /* Should never happen */
973 /* Check key type is consistent with signature */
974 if (sigalg != (int)sig[1]) {
975 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
978 # ifndef OPENSSL_NO_EC
979 if (pkey->type == EVP_PKEY_EC) {
980 unsigned char curve_id[2], comp_id;
981 /* Check compression and curve matches extensions */
982 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
984 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
985 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
988 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
989 if (tls1_suiteb(s)) {
992 if (curve_id[1] == TLSEXT_curve_P_256) {
993 if (sig[0] != TLSEXT_hash_sha256) {
994 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
995 SSL_R_ILLEGAL_SUITEB_DIGEST);
998 } else if (curve_id[1] == TLSEXT_curve_P_384) {
999 if (sig[0] != TLSEXT_hash_sha384) {
1000 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1001 SSL_R_ILLEGAL_SUITEB_DIGEST);
1007 } else if (tls1_suiteb(s))
1011 /* Check signature matches a type we sent */
1012 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1013 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1014 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1017 /* Allow fallback to SHA1 if not strict mode */
1018 if (i == sent_sigslen
1019 && (sig[0] != TLSEXT_hash_sha1
1020 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1021 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1024 *pmd = tls12_get_hash(sig[0]);
1026 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1029 /* Make sure security callback allows algorithm */
1030 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1031 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1033 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1037 * Store the digest used so applications can retrieve it if they wish.
1039 if (s->session && s->session->sess_cert)
1040 s->session->sess_cert->peer_key->digest = *pmd;
1045 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1046 * supported or doesn't appear in supported signature algorithms. Unlike
1047 * ssl_cipher_get_disabled this applies to a specific session and not global
1050 void ssl_set_client_disabled(SSL *s)
1055 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1056 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1057 c->mask_ssl = SSL_TLSV1_2;
1060 ssl_set_sig_mask(&c->mask_a, s, SSL_SECOP_SIGALG_MASK);
1062 * Disable static DH if we don't include any appropriate signature
1065 if (c->mask_a & SSL_aRSA)
1066 c->mask_k |= SSL_kDHr | SSL_kECDHr;
1067 if (c->mask_a & SSL_aDSS)
1068 c->mask_k |= SSL_kDHd;
1069 if (c->mask_a & SSL_aECDSA)
1070 c->mask_k |= SSL_kECDHe;
1071 # ifndef OPENSSL_NO_KRB5
1072 if (!kssl_tgt_is_available(s->kssl_ctx)) {
1073 c->mask_a |= SSL_aKRB5;
1074 c->mask_k |= SSL_kKRB5;
1077 # ifndef OPENSSL_NO_PSK
1078 /* with PSK there must be client callback set */
1079 if (!s->psk_client_callback) {
1080 c->mask_a |= SSL_aPSK;
1081 c->mask_k |= SSL_kPSK;
1083 # endif /* OPENSSL_NO_PSK */
1084 # ifndef OPENSSL_NO_SRP
1085 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
1086 c->mask_a |= SSL_aSRP;
1087 c->mask_k |= SSL_kSRP;
1093 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
1096 if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k
1097 || c->algorithm_auth & ct->mask_a)
1099 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1102 static int tls_use_ticket(SSL *s)
1104 if (s->options & SSL_OP_NO_TICKET)
1106 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1109 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1110 unsigned char *limit, int *al)
1113 unsigned char *orig = buf;
1114 unsigned char *ret = buf;
1115 # ifndef OPENSSL_NO_EC
1116 /* See if we support any ECC ciphersuites */
1118 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1120 unsigned long alg_k, alg_a;
1121 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1123 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1124 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1126 alg_k = c->algorithm_mkey;
1127 alg_a = c->algorithm_auth;
1128 if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)
1129 || (alg_a & SSL_aECDSA))) {
1140 return NULL; /* this really never occurs, but ... */
1142 /* Add RI if renegotiating */
1143 if (s->renegotiate) {
1146 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1147 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1151 if ((limit - ret - 4 - el) < 0)
1154 s2n(TLSEXT_TYPE_renegotiate, ret);
1157 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1158 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1164 /* Only add RI for SSLv3 */
1165 if (s->client_version == SSL3_VERSION)
1168 if (s->tlsext_hostname != NULL) {
1169 /* Add TLS extension servername to the Client Hello message */
1170 unsigned long size_str;
1174 * check for enough space.
1175 * 4 for the servername type and entension length
1176 * 2 for servernamelist length
1177 * 1 for the hostname type
1178 * 2 for hostname length
1182 if ((lenmax = limit - ret - 9) < 0
1184 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1187 /* extension type and length */
1188 s2n(TLSEXT_TYPE_server_name, ret);
1189 s2n(size_str + 5, ret);
1191 /* length of servername list */
1192 s2n(size_str + 3, ret);
1194 /* hostname type, length and hostname */
1195 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1197 memcpy(ret, s->tlsext_hostname, size_str);
1200 # ifndef OPENSSL_NO_SRP
1201 /* Add SRP username if there is one */
1202 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1203 * Client Hello message */
1205 int login_len = strlen(s->srp_ctx.login);
1206 if (login_len > 255 || login_len == 0) {
1207 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1212 * check for enough space.
1213 * 4 for the srp type type and entension length
1214 * 1 for the srp user identity
1215 * + srp user identity length
1217 if ((limit - ret - 5 - login_len) < 0)
1220 /* fill in the extension */
1221 s2n(TLSEXT_TYPE_srp, ret);
1222 s2n(login_len + 1, ret);
1223 (*ret++) = (unsigned char)login_len;
1224 memcpy(ret, s->srp_ctx.login, login_len);
1229 # ifndef OPENSSL_NO_EC
1232 * Add TLS extension ECPointFormats to the ClientHello message
1235 const unsigned char *pcurves, *pformats;
1236 size_t num_curves, num_formats, curves_list_len;
1238 unsigned char *etmp;
1240 tls1_get_formatlist(s, &pformats, &num_formats);
1242 if ((lenmax = limit - ret - 5) < 0)
1244 if (num_formats > (size_t)lenmax)
1246 if (num_formats > 255) {
1247 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1251 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1252 /* The point format list has 1-byte length. */
1253 s2n(num_formats + 1, ret);
1254 *(ret++) = (unsigned char)num_formats;
1255 memcpy(ret, pformats, num_formats);
1259 * Add TLS extension EllipticCurves to the ClientHello message
1261 pcurves = s->tlsext_ellipticcurvelist;
1262 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1265 if ((lenmax = limit - ret - 6) < 0)
1267 if (num_curves > (size_t)lenmax / 2)
1269 if (num_curves > 65532 / 2) {
1270 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1274 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1276 /* Copy curve ID if supported */
1277 for (i = 0; i < num_curves; i++, pcurves += 2) {
1278 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1279 *etmp++ = pcurves[0];
1280 *etmp++ = pcurves[1];
1284 curves_list_len = etmp - ret - 4;
1286 s2n(curves_list_len + 2, ret);
1287 s2n(curves_list_len, ret);
1288 ret += curves_list_len;
1290 # endif /* OPENSSL_NO_EC */
1292 if (tls_use_ticket(s)) {
1294 if (!s->new_session && s->session && s->session->tlsext_tick)
1295 ticklen = s->session->tlsext_ticklen;
1296 else if (s->session && s->tlsext_session_ticket &&
1297 s->tlsext_session_ticket->data) {
1298 ticklen = s->tlsext_session_ticket->length;
1299 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1300 if (!s->session->tlsext_tick)
1302 memcpy(s->session->tlsext_tick,
1303 s->tlsext_session_ticket->data, ticklen);
1304 s->session->tlsext_ticklen = ticklen;
1307 if (ticklen == 0 && s->tlsext_session_ticket &&
1308 s->tlsext_session_ticket->data == NULL)
1311 * Check for enough room 2 for extension type, 2 for len rest for
1314 if ((long)(limit - ret - 4 - ticklen) < 0)
1316 s2n(TLSEXT_TYPE_session_ticket, ret);
1319 memcpy(ret, s->session->tlsext_tick, ticklen);
1325 if (SSL_USE_SIGALGS(s)) {
1327 const unsigned char *salg;
1328 unsigned char *etmp;
1329 salglen = tls12_get_psigalgs(s, &salg);
1330 if ((size_t)(limit - ret) < salglen + 6)
1332 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1334 /* Skip over lengths for now */
1336 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1337 /* Fill in lengths */
1338 s2n(salglen + 2, etmp);
1342 # ifdef TLSEXT_TYPE_opaque_prf_input
1343 if (s->s3->client_opaque_prf_input != NULL) {
1344 size_t col = s->s3->client_opaque_prf_input_len;
1346 if ((long)(limit - ret - 6 - col) < 0)
1348 if (col > 0xFFFD) /* can't happen */
1351 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1354 memcpy(ret, s->s3->client_opaque_prf_input, col);
1359 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1361 long extlen, idlen, itmp;
1365 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1366 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1367 itmp = i2d_OCSP_RESPID(id, NULL);
1373 if (s->tlsext_ocsp_exts) {
1374 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1380 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1382 s2n(TLSEXT_TYPE_status_request, ret);
1383 if (extlen + idlen > 0xFFF0)
1385 s2n(extlen + idlen + 5, ret);
1386 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1388 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1389 /* save position of id len */
1390 unsigned char *q = ret;
1391 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1392 /* skip over id len */
1394 itmp = i2d_OCSP_RESPID(id, &ret);
1400 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1402 # ifndef OPENSSL_NO_HEARTBEATS
1403 /* Add Heartbeat extension */
1404 if ((limit - ret - 4 - 1) < 0)
1406 s2n(TLSEXT_TYPE_heartbeat, ret);
1410 * 1: peer may send requests
1411 * 2: peer not allowed to send requests
1413 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1414 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1416 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1419 # ifndef OPENSSL_NO_NEXTPROTONEG
1420 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1422 * The client advertises an emtpy extension to indicate its support
1423 * for Next Protocol Negotiation
1425 if (limit - ret - 4 < 0)
1427 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1432 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1433 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1435 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1436 s2n(2 + s->alpn_client_proto_list_len, ret);
1437 s2n(s->alpn_client_proto_list_len, ret);
1438 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1439 ret += s->alpn_client_proto_list_len;
1441 # ifndef OPENSSL_NO_SRTP
1442 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1445 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1447 if ((limit - ret - 4 - el) < 0)
1450 s2n(TLSEXT_TYPE_use_srtp, ret);
1453 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1454 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1460 custom_ext_init(&s->cert->cli_ext);
1461 /* Add custom TLS Extensions to ClientHello */
1462 if (!custom_ext_add(s, 0, &ret, limit, al))
1464 # ifdef TLSEXT_TYPE_encrypt_then_mac
1465 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1470 * Add padding to workaround bugs in F5 terminators. See
1471 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1472 * code works out the length of all existing extensions it MUST always
1475 if (s->options & SSL_OP_TLSEXT_PADDING) {
1476 int hlen = ret - (unsigned char *)s->init_buf->data;
1478 * The code in s23_clnt.c to build ClientHello messages includes the
1479 * 5-byte record header in the buffer, while the code in s3_clnt.c
1482 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1484 if (hlen > 0xff && hlen < 0x200) {
1485 hlen = 0x200 - hlen;
1491 s2n(TLSEXT_TYPE_padding, ret);
1493 memset(ret, 0, hlen);
1500 if ((extdatalen = ret - orig - 2) == 0)
1503 s2n(extdatalen, orig);
1507 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1508 unsigned char *limit, int *al)
1511 unsigned char *orig = buf;
1512 unsigned char *ret = buf;
1513 # ifndef OPENSSL_NO_NEXTPROTONEG
1514 int next_proto_neg_seen;
1516 # ifndef OPENSSL_NO_EC
1517 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1518 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1519 int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
1520 || (alg_a & SSL_aECDSA);
1521 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1526 return NULL; /* this really never occurs, but ... */
1528 if (s->s3->send_connection_binding) {
1531 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1532 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1536 if ((limit - ret - 4 - el) < 0)
1539 s2n(TLSEXT_TYPE_renegotiate, ret);
1542 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1543 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1550 /* Only add RI for SSLv3 */
1551 if (s->version == SSL3_VERSION)
1554 if (!s->hit && s->servername_done == 1
1555 && s->session->tlsext_hostname != NULL) {
1556 if ((long)(limit - ret - 4) < 0)
1559 s2n(TLSEXT_TYPE_server_name, ret);
1562 # ifndef OPENSSL_NO_EC
1564 const unsigned char *plist;
1567 * Add TLS extension ECPointFormats to the ServerHello message
1571 tls1_get_formatlist(s, &plist, &plistlen);
1573 if ((lenmax = limit - ret - 5) < 0)
1575 if (plistlen > (size_t)lenmax)
1577 if (plistlen > 255) {
1578 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1582 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1583 s2n(plistlen + 1, ret);
1584 *(ret++) = (unsigned char)plistlen;
1585 memcpy(ret, plist, plistlen);
1590 * Currently the server should not respond with a SupportedCurves
1593 # endif /* OPENSSL_NO_EC */
1595 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1596 if ((long)(limit - ret - 4) < 0)
1598 s2n(TLSEXT_TYPE_session_ticket, ret);
1602 if (s->tlsext_status_expected) {
1603 if ((long)(limit - ret - 4) < 0)
1605 s2n(TLSEXT_TYPE_status_request, ret);
1608 # ifdef TLSEXT_TYPE_opaque_prf_input
1609 if (s->s3->server_opaque_prf_input != NULL) {
1610 size_t sol = s->s3->server_opaque_prf_input_len;
1612 if ((long)(limit - ret - 6 - sol) < 0)
1614 if (sol > 0xFFFD) /* can't happen */
1617 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1620 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1625 # ifndef OPENSSL_NO_SRTP
1626 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1629 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1631 if ((limit - ret - 4 - el) < 0)
1634 s2n(TLSEXT_TYPE_use_srtp, ret);
1637 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1638 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1645 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1646 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1647 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1648 const unsigned char cryptopro_ext[36] = {
1649 0xfd, 0xe8, /* 65000 */
1650 0x00, 0x20, /* 32 bytes length */
1651 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1652 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1653 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1654 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1656 if (limit - ret < 36)
1658 memcpy(ret, cryptopro_ext, 36);
1662 # ifndef OPENSSL_NO_HEARTBEATS
1663 /* Add Heartbeat extension if we've received one */
1664 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1665 if ((limit - ret - 4 - 1) < 0)
1667 s2n(TLSEXT_TYPE_heartbeat, ret);
1671 * 1: peer may send requests
1672 * 2: peer not allowed to send requests
1674 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1675 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1677 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1682 # ifndef OPENSSL_NO_NEXTPROTONEG
1683 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1684 s->s3->next_proto_neg_seen = 0;
1685 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1686 const unsigned char *npa;
1687 unsigned int npalen;
1690 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1692 ctx->next_protos_advertised_cb_arg);
1693 if (r == SSL_TLSEXT_ERR_OK) {
1694 if ((long)(limit - ret - 4 - npalen) < 0)
1696 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1698 memcpy(ret, npa, npalen);
1700 s->s3->next_proto_neg_seen = 1;
1704 if (!custom_ext_add(s, 1, &ret, limit, al))
1706 # ifdef TLSEXT_TYPE_encrypt_then_mac
1707 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1709 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1710 * for other cases too.
1712 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1713 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4)
1714 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1716 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1722 if (s->s3->alpn_selected) {
1723 const unsigned char *selected = s->s3->alpn_selected;
1724 unsigned len = s->s3->alpn_selected_len;
1726 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1728 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1732 memcpy(ret, selected, len);
1738 if ((extdatalen = ret - orig - 2) == 0)
1741 s2n(extdatalen, orig);
1746 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1747 * ClientHello. data: the contents of the extension, not including the type
1748 * and length. data_len: the number of bytes in |data| al: a pointer to the
1749 * alert value to send in the event of a non-zero return. returns: 0 on
1752 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1753 unsigned data_len, int *al)
1757 const unsigned char *selected;
1758 unsigned char selected_len;
1761 if (s->ctx->alpn_select_cb == NULL)
1768 * data should contain a uint16 length followed by a series of 8-bit,
1769 * length-prefixed strings.
1771 i = ((unsigned)data[0]) << 8 | ((unsigned)data[1]);
1780 for (i = 0; i < data_len;) {
1781 proto_len = data[i];
1787 if (i + proto_len < i || i + proto_len > data_len)
1793 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1794 s->ctx->alpn_select_cb_arg);
1795 if (r == SSL_TLSEXT_ERR_OK) {
1796 if (s->s3->alpn_selected)
1797 OPENSSL_free(s->s3->alpn_selected);
1798 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1799 if (!s->s3->alpn_selected) {
1800 *al = SSL_AD_INTERNAL_ERROR;
1803 memcpy(s->s3->alpn_selected, selected, selected_len);
1804 s->s3->alpn_selected_len = selected_len;
1809 *al = SSL_AD_DECODE_ERROR;
1813 # ifndef OPENSSL_NO_EC
1815 * ssl_check_for_safari attempts to fingerprint Safari using OS X
1816 * SecureTransport using the TLS extension block in |d|, of length |n|.
1817 * Safari, since 10.6, sends exactly these extensions, in this order:
1822 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1823 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1824 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1825 * 10.8..10.8.3 (which don't work).
1827 static void ssl_check_for_safari(SSL *s, const unsigned char *data,
1828 const unsigned char *d, int n)
1830 unsigned short type, size;
1831 static const unsigned char kSafariExtensionsBlock[] = {
1832 0x00, 0x0a, /* elliptic_curves extension */
1833 0x00, 0x08, /* 8 bytes */
1834 0x00, 0x06, /* 6 bytes of curve ids */
1835 0x00, 0x17, /* P-256 */
1836 0x00, 0x18, /* P-384 */
1837 0x00, 0x19, /* P-521 */
1839 0x00, 0x0b, /* ec_point_formats */
1840 0x00, 0x02, /* 2 bytes */
1841 0x01, /* 1 point format */
1842 0x00, /* uncompressed */
1845 /* The following is only present in TLS 1.2 */
1846 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1847 0x00, 0x0d, /* signature_algorithms */
1848 0x00, 0x0c, /* 12 bytes */
1849 0x00, 0x0a, /* 10 bytes */
1850 0x05, 0x01, /* SHA-384/RSA */
1851 0x04, 0x01, /* SHA-256/RSA */
1852 0x02, 0x01, /* SHA-1/RSA */
1853 0x04, 0x03, /* SHA-256/ECDSA */
1854 0x02, 0x03, /* SHA-1/ECDSA */
1857 if (data >= (d + n - 2))
1861 if (data > (d + n - 4))
1866 if (type != TLSEXT_TYPE_server_name)
1869 if (data + size > d + n)
1873 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1874 const size_t len1 = sizeof(kSafariExtensionsBlock);
1875 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1877 if (data + len1 + len2 != d + n)
1879 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1881 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1884 const size_t len = sizeof(kSafariExtensionsBlock);
1886 if (data + len != d + n)
1888 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1892 s->s3->is_probably_safari = 1;
1894 # endif /* !OPENSSL_NO_EC */
1896 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
1897 unsigned char *d, int n, int *al)
1899 unsigned short type;
1900 unsigned short size;
1902 unsigned char *data = *p;
1903 int renegotiate_seen = 0;
1905 s->servername_done = 0;
1906 s->tlsext_status_type = -1;
1907 # ifndef OPENSSL_NO_NEXTPROTONEG
1908 s->s3->next_proto_neg_seen = 0;
1911 if (s->s3->alpn_selected) {
1912 OPENSSL_free(s->s3->alpn_selected);
1913 s->s3->alpn_selected = NULL;
1915 # ifndef OPENSSL_NO_HEARTBEATS
1916 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1917 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1920 # ifndef OPENSSL_NO_EC
1921 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1922 ssl_check_for_safari(s, data, d, n);
1923 # endif /* !OPENSSL_NO_EC */
1925 /* Clear any signature algorithms extension received */
1926 if (s->cert->peer_sigalgs) {
1927 OPENSSL_free(s->cert->peer_sigalgs);
1928 s->cert->peer_sigalgs = NULL;
1930 # ifdef TLSEXT_TYPE_encrypt_then_mac
1931 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1934 # ifndef OPENSSL_NO_SRP
1935 if (s->srp_ctx.login != NULL) {
1936 OPENSSL_free(s->srp_ctx.login);
1937 s->srp_ctx.login = NULL;
1941 s->srtp_profile = NULL;
1943 if (data >= (d + n - 2))
1947 if (data > (d + n - len))
1950 while (data <= (d + n - 4)) {
1954 if (data + size > (d + n))
1957 fprintf(stderr, "Received extension type %d size %d\n", type, size);
1959 if (s->tlsext_debug_cb)
1960 s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
1961 if (type == TLSEXT_TYPE_renegotiate) {
1962 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1964 renegotiate_seen = 1;
1965 } else if (s->version == SSL3_VERSION) {
1968 * The servername extension is treated as follows:
1970 * - Only the hostname type is supported with a maximum length of 255.
1971 * - The servername is rejected if too long or if it contains zeros,
1972 * in which case an fatal alert is generated.
1973 * - The servername field is maintained together with the session cache.
1974 * - When a session is resumed, the servername call back invoked in order
1975 * to allow the application to position itself to the right context.
1976 * - The servername is acknowledged if it is new for a session or when
1977 * it is identical to a previously used for the same session.
1978 * Applications can control the behaviour. They can at any time
1979 * set a 'desirable' servername for a new SSL object. This can be the
1980 * case for example with HTTPS when a Host: header field is received and
1981 * a renegotiation is requested. In this case, a possible servername
1982 * presented in the new client hello is only acknowledged if it matches
1983 * the value of the Host: field.
1984 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1985 * if they provide for changing an explicit servername context for the
1986 * session, i.e. when the session has been established with a servername
1988 * - On session reconnect, the servername extension may be absent.
1992 else if (type == TLSEXT_TYPE_server_name) {
1993 unsigned char *sdata;
1998 *al = SSL_AD_DECODE_ERROR;
2004 *al = SSL_AD_DECODE_ERROR;
2010 servname_type = *(sdata++);
2015 *al = SSL_AD_DECODE_ERROR;
2018 if (s->servername_done == 0)
2019 switch (servname_type) {
2020 case TLSEXT_NAMETYPE_host_name:
2022 if (s->session->tlsext_hostname) {
2023 *al = SSL_AD_DECODE_ERROR;
2026 if (len > TLSEXT_MAXLEN_host_name) {
2027 *al = TLS1_AD_UNRECOGNIZED_NAME;
2030 if ((s->session->tlsext_hostname =
2031 OPENSSL_malloc(len + 1)) == NULL) {
2032 *al = TLS1_AD_INTERNAL_ERROR;
2035 memcpy(s->session->tlsext_hostname, sdata, len);
2036 s->session->tlsext_hostname[len] = '\0';
2037 if (strlen(s->session->tlsext_hostname) != len) {
2038 OPENSSL_free(s->session->tlsext_hostname);
2039 s->session->tlsext_hostname = NULL;
2040 *al = TLS1_AD_UNRECOGNIZED_NAME;
2043 s->servername_done = 1;
2046 s->servername_done = s->session->tlsext_hostname
2047 && strlen(s->session->tlsext_hostname) == len
2048 && strncmp(s->session->tlsext_hostname,
2049 (char *)sdata, len) == 0;
2060 *al = SSL_AD_DECODE_ERROR;
2065 # ifndef OPENSSL_NO_SRP
2066 else if (type == TLSEXT_TYPE_srp) {
2067 if (size <= 0 || ((len = data[0])) != (size - 1)) {
2068 *al = SSL_AD_DECODE_ERROR;
2071 if (s->srp_ctx.login != NULL) {
2072 *al = SSL_AD_DECODE_ERROR;
2075 if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2077 memcpy(s->srp_ctx.login, &data[1], len);
2078 s->srp_ctx.login[len] = '\0';
2080 if (strlen(s->srp_ctx.login) != len) {
2081 *al = SSL_AD_DECODE_ERROR;
2087 # ifndef OPENSSL_NO_EC
2088 else if (type == TLSEXT_TYPE_ec_point_formats) {
2089 unsigned char *sdata = data;
2090 int ecpointformatlist_length = *(sdata++);
2092 if (ecpointformatlist_length != size - 1 ||
2093 ecpointformatlist_length < 1) {
2094 *al = TLS1_AD_DECODE_ERROR;
2098 if (s->session->tlsext_ecpointformatlist) {
2099 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2100 s->session->tlsext_ecpointformatlist = NULL;
2102 s->session->tlsext_ecpointformatlist_length = 0;
2103 if ((s->session->tlsext_ecpointformatlist =
2104 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2105 *al = TLS1_AD_INTERNAL_ERROR;
2108 s->session->tlsext_ecpointformatlist_length =
2109 ecpointformatlist_length;
2110 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2111 ecpointformatlist_length);
2115 "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ",
2116 s->session->tlsext_ecpointformatlist_length);
2117 sdata = s->session->tlsext_ecpointformatlist;
2118 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2119 fprintf(stderr, "%i ", *(sdata++));
2120 fprintf(stderr, "\n");
2122 } else if (type == TLSEXT_TYPE_elliptic_curves) {
2123 unsigned char *sdata = data;
2124 int ellipticcurvelist_length = (*(sdata++) << 8);
2125 ellipticcurvelist_length += (*(sdata++));
2127 if (ellipticcurvelist_length != size - 2 ||
2128 ellipticcurvelist_length < 1 ||
2129 /* Each NamedCurve is 2 bytes. */
2130 ellipticcurvelist_length & 1) {
2131 *al = TLS1_AD_DECODE_ERROR;
2135 if (s->session->tlsext_ellipticcurvelist) {
2136 *al = TLS1_AD_DECODE_ERROR;
2139 s->session->tlsext_ellipticcurvelist_length = 0;
2140 if ((s->session->tlsext_ellipticcurvelist =
2141 OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2142 *al = TLS1_AD_INTERNAL_ERROR;
2145 s->session->tlsext_ellipticcurvelist_length =
2146 ellipticcurvelist_length;
2147 memcpy(s->session->tlsext_ellipticcurvelist, sdata,
2148 ellipticcurvelist_length);
2152 "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ",
2153 s->session->tlsext_ellipticcurvelist_length);
2154 sdata = s->session->tlsext_ellipticcurvelist;
2155 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2156 fprintf(stderr, "%i ", *(sdata++));
2157 fprintf(stderr, "\n");
2160 # endif /* OPENSSL_NO_EC */
2161 # ifdef TLSEXT_TYPE_opaque_prf_input
2162 else if (type == TLSEXT_TYPE_opaque_prf_input) {
2163 unsigned char *sdata = data;
2166 *al = SSL_AD_DECODE_ERROR;
2169 n2s(sdata, s->s3->client_opaque_prf_input_len);
2170 if (s->s3->client_opaque_prf_input_len != size - 2) {
2171 *al = SSL_AD_DECODE_ERROR;
2175 if (s->s3->client_opaque_prf_input != NULL) {
2176 /* shouldn't really happen */
2177 OPENSSL_free(s->s3->client_opaque_prf_input);
2180 /* dummy byte just to get non-NULL */
2181 if (s->s3->client_opaque_prf_input_len == 0)
2182 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
2184 s->s3->client_opaque_prf_input =
2185 BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2186 if (s->s3->client_opaque_prf_input == NULL) {
2187 *al = TLS1_AD_INTERNAL_ERROR;
2192 else if (type == TLSEXT_TYPE_session_ticket) {
2193 if (s->tls_session_ticket_ext_cb &&
2194 !s->tls_session_ticket_ext_cb(s, data, size,
2195 s->tls_session_ticket_ext_cb_arg))
2197 *al = TLS1_AD_INTERNAL_ERROR;
2200 } else if (type == TLSEXT_TYPE_signature_algorithms) {
2202 if (s->cert->peer_sigalgs || size < 2) {
2203 *al = SSL_AD_DECODE_ERROR;
2208 if (dsize != size || dsize & 1 || !dsize) {
2209 *al = SSL_AD_DECODE_ERROR;
2212 if (!tls1_save_sigalgs(s, data, dsize)) {
2213 *al = SSL_AD_DECODE_ERROR;
2216 } else if (type == TLSEXT_TYPE_status_request) {
2219 *al = SSL_AD_DECODE_ERROR;
2223 s->tlsext_status_type = *data++;
2225 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2226 const unsigned char *sdata;
2228 /* Read in responder_id_list */
2232 *al = SSL_AD_DECODE_ERROR;
2239 *al = SSL_AD_DECODE_ERROR;
2243 dsize -= 2 + idsize;
2246 *al = SSL_AD_DECODE_ERROR;
2251 id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
2253 *al = SSL_AD_DECODE_ERROR;
2256 if (data != sdata) {
2257 OCSP_RESPID_free(id);
2258 *al = SSL_AD_DECODE_ERROR;
2261 if (!s->tlsext_ocsp_ids
2262 && !(s->tlsext_ocsp_ids =
2263 sk_OCSP_RESPID_new_null())) {
2264 OCSP_RESPID_free(id);
2265 *al = SSL_AD_INTERNAL_ERROR;
2268 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2269 OCSP_RESPID_free(id);
2270 *al = SSL_AD_INTERNAL_ERROR;
2275 /* Read in request_extensions */
2277 *al = SSL_AD_DECODE_ERROR;
2282 if (dsize != size) {
2283 *al = SSL_AD_DECODE_ERROR;
2288 if (s->tlsext_ocsp_exts) {
2289 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2290 X509_EXTENSION_free);
2293 s->tlsext_ocsp_exts =
2294 d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
2295 if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) {
2296 *al = SSL_AD_DECODE_ERROR;
2302 * We don't know what to do with any other type * so ignore it.
2305 s->tlsext_status_type = -1;
2307 # ifndef OPENSSL_NO_HEARTBEATS
2308 else if (type == TLSEXT_TYPE_heartbeat) {
2310 case 0x01: /* Client allows us to send HB requests */
2311 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2313 case 0x02: /* Client doesn't accept HB requests */
2314 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2315 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2318 *al = SSL_AD_ILLEGAL_PARAMETER;
2323 # ifndef OPENSSL_NO_NEXTPROTONEG
2324 else if (type == TLSEXT_TYPE_next_proto_neg &&
2325 s->s3->tmp.finish_md_len == 0 &&
2326 s->s3->alpn_selected == NULL) {
2328 * We shouldn't accept this extension on a
2331 * s->new_session will be set on renegotiation, but we
2332 * probably shouldn't rely that it couldn't be set on
2333 * the initial renegotation too in certain cases (when
2334 * there's some other reason to disallow resuming an
2335 * earlier session -- the current code won't be doing
2336 * anything like that, but this might change).
2338 * A valid sign that there's been a previous handshake
2339 * in this connection is if s->s3->tmp.finish_md_len >
2340 * 0. (We are talking about a check that will happen
2341 * in the Hello protocol round, well before a new
2342 * Finished message could have been computed.)
2344 s->s3->next_proto_neg_seen = 1;
2348 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2349 s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
2350 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2352 # ifndef OPENSSL_NO_NEXTPROTONEG
2353 /* ALPN takes precedence over NPN. */
2354 s->s3->next_proto_neg_seen = 0;
2358 /* session ticket processed earlier */
2359 # ifndef OPENSSL_NO_SRTP
2360 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2361 && type == TLSEXT_TYPE_use_srtp) {
2362 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
2366 # ifdef TLSEXT_TYPE_encrypt_then_mac
2367 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2368 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2371 * If this ClientHello extension was unhandled and this is a
2372 * nonresumed connection, check whether the extension is a custom
2373 * TLS Extension (has a custom_srv_ext_record), and if so call the
2374 * callback and record the extension number so that an appropriate
2375 * ServerHello may be later returned.
2378 if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2389 /* Need RI if renegotiating */
2391 if (!renegotiate_seen && s->renegotiate &&
2392 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2393 *al = SSL_AD_HANDSHAKE_FAILURE;
2394 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2395 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2402 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
2406 custom_ext_init(&s->cert->srv_ext);
2407 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) {
2408 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2412 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2413 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2419 # ifndef OPENSSL_NO_NEXTPROTONEG
2421 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2422 * elements of zero length are allowed and the set of elements must exactly
2423 * fill the length of the block.
2425 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2427 unsigned int off = 0;
2440 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
2441 unsigned char *d, int n, int *al)
2443 unsigned short length;
2444 unsigned short type;
2445 unsigned short size;
2446 unsigned char *data = *p;
2447 int tlsext_servername = 0;
2448 int renegotiate_seen = 0;
2450 # ifndef OPENSSL_NO_NEXTPROTONEG
2451 s->s3->next_proto_neg_seen = 0;
2453 s->tlsext_ticket_expected = 0;
2455 if (s->s3->alpn_selected) {
2456 OPENSSL_free(s->s3->alpn_selected);
2457 s->s3->alpn_selected = NULL;
2459 # ifndef OPENSSL_NO_HEARTBEATS
2460 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2461 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2464 # ifdef TLSEXT_TYPE_encrypt_then_mac
2465 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2468 if (data >= (d + n - 2))
2472 if (data + length != d + n) {
2473 *al = SSL_AD_DECODE_ERROR;
2477 while (data <= (d + n - 4)) {
2481 if (data + size > (d + n))
2484 if (s->tlsext_debug_cb)
2485 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2487 if (type == TLSEXT_TYPE_renegotiate) {
2488 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2490 renegotiate_seen = 1;
2491 } else if (s->version == SSL3_VERSION) {
2492 } else if (type == TLSEXT_TYPE_server_name) {
2493 if (s->tlsext_hostname == NULL || size > 0) {
2494 *al = TLS1_AD_UNRECOGNIZED_NAME;
2497 tlsext_servername = 1;
2499 # ifndef OPENSSL_NO_EC
2500 else if (type == TLSEXT_TYPE_ec_point_formats) {
2501 unsigned char *sdata = data;
2502 int ecpointformatlist_length = *(sdata++);
2504 if (ecpointformatlist_length != size - 1) {
2505 *al = TLS1_AD_DECODE_ERROR;
2509 s->session->tlsext_ecpointformatlist_length = 0;
2510 if (s->session->tlsext_ecpointformatlist != NULL)
2511 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2512 if ((s->session->tlsext_ecpointformatlist =
2513 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2514 *al = TLS1_AD_INTERNAL_ERROR;
2517 s->session->tlsext_ecpointformatlist_length =
2518 ecpointformatlist_length;
2519 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2520 ecpointformatlist_length);
2524 "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2525 sdata = s->session->tlsext_ecpointformatlist;
2526 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2527 fprintf(stderr, "%i ", *(sdata++));
2528 fprintf(stderr, "\n");
2531 # endif /* OPENSSL_NO_EC */
2533 else if (type == TLSEXT_TYPE_session_ticket) {
2534 if (s->tls_session_ticket_ext_cb &&
2535 !s->tls_session_ticket_ext_cb(s, data, size,
2536 s->tls_session_ticket_ext_cb_arg))
2538 *al = TLS1_AD_INTERNAL_ERROR;
2541 if (!tls_use_ticket(s) || (size > 0)) {
2542 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2545 s->tlsext_ticket_expected = 1;
2547 # ifdef TLSEXT_TYPE_opaque_prf_input
2548 else if (type == TLSEXT_TYPE_opaque_prf_input) {
2549 unsigned char *sdata = data;
2552 *al = SSL_AD_DECODE_ERROR;
2555 n2s(sdata, s->s3->server_opaque_prf_input_len);
2556 if (s->s3->server_opaque_prf_input_len != size - 2) {
2557 *al = SSL_AD_DECODE_ERROR;
2561 if (s->s3->server_opaque_prf_input != NULL) {
2562 /* shouldn't really happen */
2563 OPENSSL_free(s->s3->server_opaque_prf_input);
2565 if (s->s3->server_opaque_prf_input_len == 0) {
2566 /* dummy byte just to get non-NULL */
2567 s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
2569 s->s3->server_opaque_prf_input =
2570 BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2573 if (s->s3->server_opaque_prf_input == NULL) {
2574 *al = TLS1_AD_INTERNAL_ERROR;
2579 else if (type == TLSEXT_TYPE_status_request) {
2581 * MUST be empty and only sent if we've requested a status
2584 if ((s->tlsext_status_type == -1) || (size > 0)) {
2585 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2588 /* Set flag to expect CertificateStatus message */
2589 s->tlsext_status_expected = 1;
2591 # ifndef OPENSSL_NO_NEXTPROTONEG
2592 else if (type == TLSEXT_TYPE_next_proto_neg &&
2593 s->s3->tmp.finish_md_len == 0) {
2594 unsigned char *selected;
2595 unsigned char selected_len;
2597 /* We must have requested it. */
2598 if (s->ctx->next_proto_select_cb == NULL) {
2599 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2602 /* The data must be valid */
2603 if (!ssl_next_proto_validate(data, size)) {
2604 *al = TLS1_AD_DECODE_ERROR;
2608 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2610 s->ctx->next_proto_select_cb_arg) !=
2611 SSL_TLSEXT_ERR_OK) {
2612 *al = TLS1_AD_INTERNAL_ERROR;
2615 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2616 if (!s->next_proto_negotiated) {
2617 *al = TLS1_AD_INTERNAL_ERROR;
2620 memcpy(s->next_proto_negotiated, selected, selected_len);
2621 s->next_proto_negotiated_len = selected_len;
2622 s->s3->next_proto_neg_seen = 1;
2626 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2629 /* We must have requested it. */
2630 if (s->alpn_client_proto_list == NULL) {
2631 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2635 *al = TLS1_AD_DECODE_ERROR;
2639 * The extension data consists of:
2640 * uint16 list_length
2641 * uint8 proto_length;
2642 * uint8 proto[proto_length];
2647 if (len != (unsigned)size - 2) {
2648 *al = TLS1_AD_DECODE_ERROR;
2652 if (len != (unsigned)size - 3) {
2653 *al = TLS1_AD_DECODE_ERROR;
2656 if (s->s3->alpn_selected)
2657 OPENSSL_free(s->s3->alpn_selected);
2658 s->s3->alpn_selected = OPENSSL_malloc(len);
2659 if (!s->s3->alpn_selected) {
2660 *al = TLS1_AD_INTERNAL_ERROR;
2663 memcpy(s->s3->alpn_selected, data + 3, len);
2664 s->s3->alpn_selected_len = len;
2666 # ifndef OPENSSL_NO_HEARTBEATS
2667 else if (type == TLSEXT_TYPE_heartbeat) {
2669 case 0x01: /* Server allows us to send HB requests */
2670 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2672 case 0x02: /* Server doesn't accept HB requests */
2673 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2674 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2677 *al = SSL_AD_ILLEGAL_PARAMETER;
2682 # ifndef OPENSSL_NO_SRTP
2683 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2684 if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
2688 # ifdef TLSEXT_TYPE_encrypt_then_mac
2689 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2690 /* Ignore if inappropriate ciphersuite */
2691 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2692 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2693 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2697 * If this extension type was not otherwise handled, but matches a
2698 * custom_cli_ext_record, then send it to the c callback
2700 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2706 if (data != d + n) {
2707 *al = SSL_AD_DECODE_ERROR;
2711 if (!s->hit && tlsext_servername == 1) {
2712 if (s->tlsext_hostname) {
2713 if (s->session->tlsext_hostname == NULL) {
2714 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2715 if (!s->session->tlsext_hostname) {
2716 *al = SSL_AD_UNRECOGNIZED_NAME;
2720 *al = SSL_AD_DECODE_ERROR;
2731 * Determine if we need to see RI. Strictly speaking if we want to avoid
2732 * an attack we should *always* see RI even on initial server hello
2733 * because the client doesn't see any renegotiation during an attack.
2734 * However this would mean we could not connect to any server which
2735 * doesn't support RI so for the immediate future tolerate RI absence on
2736 * initial connect only.
2738 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2739 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2740 *al = SSL_AD_HANDSHAKE_FAILURE;
2741 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2742 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2749 int ssl_prepare_clienthello_tlsext(SSL *s)
2752 # ifdef TLSEXT_TYPE_opaque_prf_input
2756 if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
2757 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
2759 ctx->tlsext_opaque_prf_input_callback_arg);
2764 if (s->tlsext_opaque_prf_input != NULL) {
2765 if (s->s3->client_opaque_prf_input != NULL) {
2766 /* shouldn't really happen */
2767 OPENSSL_free(s->s3->client_opaque_prf_input);
2770 if (s->tlsext_opaque_prf_input_len == 0) {
2771 /* dummy byte just to get non-NULL */
2772 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
2774 s->s3->client_opaque_prf_input =
2775 BUF_memdup(s->tlsext_opaque_prf_input,
2776 s->tlsext_opaque_prf_input_len);
2778 if (s->s3->client_opaque_prf_input == NULL) {
2779 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,
2780 ERR_R_MALLOC_FAILURE);
2783 s->s3->client_opaque_prf_input_len =
2784 s->tlsext_opaque_prf_input_len;
2789 * at callback's request, insist on receiving an appropriate
2790 * server opaque PRF input
2792 s->s3->server_opaque_prf_input_len =
2793 s->tlsext_opaque_prf_input_len;
2800 int ssl_prepare_serverhello_tlsext(SSL *s)
2805 static int ssl_check_clienthello_tlsext_early(SSL *s)
2807 int ret = SSL_TLSEXT_ERR_NOACK;
2808 int al = SSL_AD_UNRECOGNIZED_NAME;
2810 # ifndef OPENSSL_NO_EC
2812 * The handling of the ECPointFormats extension is done elsewhere, namely
2813 * in ssl3_choose_cipher in s3_lib.c.
2816 * The handling of the EllipticCurves extension is done elsewhere, namely
2817 * in ssl3_choose_cipher in s3_lib.c.
2821 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2823 s->ctx->tlsext_servername_callback(s, &al,
2824 s->ctx->tlsext_servername_arg);
2825 else if (s->initial_ctx != NULL
2826 && s->initial_ctx->tlsext_servername_callback != 0)
2828 s->initial_ctx->tlsext_servername_callback(s, &al,
2830 initial_ctx->tlsext_servername_arg);
2832 # ifdef TLSEXT_TYPE_opaque_prf_input
2835 * This sort of belongs into ssl_prepare_serverhello_tlsext(), but we
2836 * might be sending an alert in response to the client hello, so this
2837 * has to happen here in ssl_check_clienthello_tlsext_early().
2842 if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
2843 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
2845 ctx->tlsext_opaque_prf_input_callback_arg);
2847 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2848 al = SSL_AD_INTERNAL_ERROR;
2853 if (s->s3->server_opaque_prf_input != NULL) {
2854 /* shouldn't really happen */
2855 OPENSSL_free(s->s3->server_opaque_prf_input);
2857 s->s3->server_opaque_prf_input = NULL;
2859 if (s->tlsext_opaque_prf_input != NULL) {
2860 if (s->s3->client_opaque_prf_input != NULL &&
2861 s->s3->client_opaque_prf_input_len ==
2862 s->tlsext_opaque_prf_input_len) {
2864 * can only use this extension if we have a server opaque PRF
2865 * input of the same length as the client opaque PRF input!
2868 if (s->tlsext_opaque_prf_input_len == 0) {
2869 /* dummy byte just to get non-NULL */
2870 s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
2872 s->s3->server_opaque_prf_input =
2873 BUF_memdup(s->tlsext_opaque_prf_input,
2874 s->tlsext_opaque_prf_input_len);
2876 if (s->s3->server_opaque_prf_input == NULL) {
2877 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2878 al = SSL_AD_INTERNAL_ERROR;
2881 s->s3->server_opaque_prf_input_len =
2882 s->tlsext_opaque_prf_input_len;
2886 if (r == 2 && s->s3->server_opaque_prf_input == NULL) {
2888 * The callback wants to enforce use of the extension, but we
2889 * can't do that with the client opaque PRF input; abort the
2892 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2893 al = SSL_AD_HANDSHAKE_FAILURE;
2900 case SSL_TLSEXT_ERR_ALERT_FATAL:
2901 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2904 case SSL_TLSEXT_ERR_ALERT_WARNING:
2905 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2908 case SSL_TLSEXT_ERR_NOACK:
2909 s->servername_done = 0;
2915 int tls1_set_server_sigalgs(SSL *s)
2919 /* Clear any shared sigtnature algorithms */
2920 if (s->cert->shared_sigalgs) {
2921 OPENSSL_free(s->cert->shared_sigalgs);
2922 s->cert->shared_sigalgs = NULL;
2924 /* Clear certificate digests and validity flags */
2925 for (i = 0; i < SSL_PKEY_NUM; i++) {
2926 s->cert->pkeys[i].digest = NULL;
2927 s->cert->pkeys[i].valid_flags = 0;
2930 /* If sigalgs received process it. */
2931 if (s->cert->peer_sigalgs) {
2932 if (!tls1_process_sigalgs(s)) {
2933 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2934 al = SSL_AD_INTERNAL_ERROR;
2937 /* Fatal error is no shared signature algorithms */
2938 if (!s->cert->shared_sigalgs) {
2939 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2940 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2941 al = SSL_AD_ILLEGAL_PARAMETER;
2945 ssl_cert_set_default_md(s->cert);
2948 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2952 int ssl_check_clienthello_tlsext_late(SSL *s)
2954 int ret = SSL_TLSEXT_ERR_OK;
2958 * If status request then ask callback what to do. Note: this must be
2959 * called after servername callbacks in case the certificate has changed,
2960 * and must be called after the cipher has been chosen because this may
2961 * influence which certificate is sent
2963 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2965 CERT_PKEY *certpkey;
2966 certpkey = ssl_get_server_send_pkey(s);
2967 /* If no certificate can't return certificate status */
2968 if (certpkey == NULL) {
2969 s->tlsext_status_expected = 0;
2973 * Set current certificate to one we will use so SSL_get_certificate
2974 * et al can pick it up.
2976 s->cert->key = certpkey;
2977 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2979 /* We don't want to send a status request response */
2980 case SSL_TLSEXT_ERR_NOACK:
2981 s->tlsext_status_expected = 0;
2983 /* status request response should be sent */
2984 case SSL_TLSEXT_ERR_OK:
2985 if (s->tlsext_ocsp_resp)
2986 s->tlsext_status_expected = 1;
2988 s->tlsext_status_expected = 0;
2990 /* something bad happened */
2991 case SSL_TLSEXT_ERR_ALERT_FATAL:
2992 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2993 al = SSL_AD_INTERNAL_ERROR;
2997 s->tlsext_status_expected = 0;
3001 case SSL_TLSEXT_ERR_ALERT_FATAL:
3002 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3005 case SSL_TLSEXT_ERR_ALERT_WARNING:
3006 ssl3_send_alert(s, SSL3_AL_WARNING, al);
3014 int ssl_check_serverhello_tlsext(SSL *s)
3016 int ret = SSL_TLSEXT_ERR_NOACK;
3017 int al = SSL_AD_UNRECOGNIZED_NAME;
3019 # ifndef OPENSSL_NO_EC
3021 * If we are client and using an elliptic curve cryptography cipher
3022 * suite, then if server returns an EC point formats lists extension it
3023 * must contain uncompressed.
3025 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3026 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3027 if ((s->tlsext_ecpointformatlist != NULL)
3028 && (s->tlsext_ecpointformatlist_length > 0)
3029 && (s->session->tlsext_ecpointformatlist != NULL)
3030 && (s->session->tlsext_ecpointformatlist_length > 0)
3031 && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
3032 || (alg_a & SSL_aECDSA))) {
3033 /* we are using an ECC cipher */
3035 unsigned char *list;
3036 int found_uncompressed = 0;
3037 list = s->session->tlsext_ecpointformatlist;
3038 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
3039 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
3040 found_uncompressed = 1;
3044 if (!found_uncompressed) {
3045 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
3046 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3050 ret = SSL_TLSEXT_ERR_OK;
3051 # endif /* OPENSSL_NO_EC */
3053 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3055 s->ctx->tlsext_servername_callback(s, &al,
3056 s->ctx->tlsext_servername_arg);
3057 else if (s->initial_ctx != NULL
3058 && s->initial_ctx->tlsext_servername_callback != 0)
3060 s->initial_ctx->tlsext_servername_callback(s, &al,
3062 initial_ctx->tlsext_servername_arg);
3064 # ifdef TLSEXT_TYPE_opaque_prf_input
3065 if (s->s3->server_opaque_prf_input_len > 0) {
3067 * This case may indicate that we, as a client, want to insist on
3068 * using opaque PRF inputs. So first verify that we really have a
3069 * value from the server too.
3072 if (s->s3->server_opaque_prf_input == NULL) {
3073 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3074 al = SSL_AD_HANDSHAKE_FAILURE;
3078 * Anytime the server *has* sent an opaque PRF input, we need to
3079 * check that we have a client opaque PRF input of the same size.
3081 if (s->s3->client_opaque_prf_input == NULL ||
3082 s->s3->client_opaque_prf_input_len !=
3083 s->s3->server_opaque_prf_input_len) {
3084 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3085 al = SSL_AD_ILLEGAL_PARAMETER;
3091 * If we've requested certificate status and we wont get one tell the
3094 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3095 && s->ctx && s->ctx->tlsext_status_cb) {
3098 * Set resp to NULL, resplen to -1 so callback knows there is no
3101 if (s->tlsext_ocsp_resp) {
3102 OPENSSL_free(s->tlsext_ocsp_resp);
3103 s->tlsext_ocsp_resp = NULL;
3105 s->tlsext_ocsp_resplen = -1;
3106 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3108 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3109 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3112 al = SSL_AD_INTERNAL_ERROR;
3113 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3118 case SSL_TLSEXT_ERR_ALERT_FATAL:
3119 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3122 case SSL_TLSEXT_ERR_ALERT_WARNING:
3123 ssl3_send_alert(s, SSL3_AL_WARNING, al);
3126 case SSL_TLSEXT_ERR_NOACK:
3127 s->servername_done = 0;
3133 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
3137 if (s->version < SSL3_VERSION)
3139 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) {
3140 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3144 if (ssl_check_serverhello_tlsext(s) <= 0) {
3145 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
3152 * Since the server cache lookup is done early on in the processing of the
3153 * ClientHello, and other operations depend on the result, we need to handle
3154 * any TLS session ticket extension at the same time.
3156 * session_id: points at the session ID in the ClientHello. This code will
3157 * read past the end of this in order to parse out the session ticket
3158 * extension, if any.
3159 * len: the length of the session ID.
3160 * limit: a pointer to the first byte after the ClientHello.
3161 * ret: (output) on return, if a ticket was decrypted, then this is set to
3162 * point to the resulting session.
3164 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3165 * ciphersuite, in which case we have no use for session tickets and one will
3166 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3169 * -1: fatal error, either from parsing or decrypting the ticket.
3170 * 0: no ticket was found (or was ignored, based on settings).
3171 * 1: a zero length extension was found, indicating that the client supports
3172 * session tickets but doesn't currently have one to offer.
3173 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
3174 * couldn't be decrypted because of a non-fatal error.
3175 * 3: a ticket was successfully decrypted and *ret was set.
3178 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3179 * a new session ticket to the client because the client indicated support
3180 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3181 * a session ticket or we couldn't use the one it gave us, or if
3182 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3183 * Otherwise, s->tlsext_ticket_expected is set to 0.
3185 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3186 const unsigned char *limit, SSL_SESSION **ret)
3188 /* Point after session ID in client hello */
3189 const unsigned char *p = session_id + len;
3193 s->tlsext_ticket_expected = 0;
3196 * If tickets disabled behave as if no ticket present to permit stateful
3199 if (!tls_use_ticket(s))
3201 if ((s->version <= SSL3_VERSION) || !limit)
3205 /* Skip past DTLS cookie */
3206 if (SSL_IS_DTLS(s)) {
3212 /* Skip past cipher list */
3217 /* Skip past compression algorithm list */
3222 /* Now at start of extensions */
3223 if ((p + 2) >= limit)
3226 while ((p + 4) <= limit) {
3227 unsigned short type, size;
3230 if (p + size > limit)
3232 if (type == TLSEXT_TYPE_session_ticket) {
3236 * The client will accept a ticket but doesn't currently have
3239 s->tlsext_ticket_expected = 1;
3242 if (s->tls_session_secret_cb) {
3244 * Indicate that the ticket couldn't be decrypted rather than
3245 * generating the session from ticket now, trigger
3246 * abbreviated handshake based on external mechanism to
3247 * calculate the master secret later.
3251 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3253 case 2: /* ticket couldn't be decrypted */
3254 s->tlsext_ticket_expected = 1;
3256 case 3: /* ticket was decrypted */
3258 case 4: /* ticket decrypted but need to renew */
3259 s->tlsext_ticket_expected = 1;
3261 default: /* fatal error */
3271 * tls_decrypt_ticket attempts to decrypt a session ticket.
3273 * etick: points to the body of the session ticket extension.
3274 * eticklen: the length of the session tickets extenion.
3275 * sess_id: points at the session ID.
3276 * sesslen: the length of the session ID.
3277 * psess: (output) on return, if a ticket was decrypted, then this is set to
3278 * point to the resulting session.
3281 * -1: fatal error, either from parsing or decrypting the ticket.
3282 * 2: the ticket couldn't be decrypted.
3283 * 3: a ticket was successfully decrypted and *psess was set.
3284 * 4: same as 3, but the ticket needs to be renewed.
3286 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3287 int eticklen, const unsigned char *sess_id,
3288 int sesslen, SSL_SESSION **psess)
3291 unsigned char *sdec;
3292 const unsigned char *p;
3293 int slen, mlen, renew_ticket = 0;
3294 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3297 SSL_CTX *tctx = s->initial_ctx;
3298 /* Need at least keyname + iv + some encrypted data */
3301 /* Initialize session ticket encryption and HMAC contexts */
3302 HMAC_CTX_init(&hctx);
3303 EVP_CIPHER_CTX_init(&ctx);
3304 if (tctx->tlsext_ticket_key_cb) {
3305 unsigned char *nctick = (unsigned char *)etick;
3306 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3315 /* Check key name matches */
3316 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3318 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3319 tlsext_tick_md(), NULL);
3320 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3321 tctx->tlsext_tick_aes_key, etick + 16);
3324 * Attempt to process session ticket, first conduct sanity and integrity
3327 mlen = HMAC_size(&hctx);
3329 EVP_CIPHER_CTX_cleanup(&ctx);
3333 /* Check HMAC of encrypted ticket */
3334 HMAC_Update(&hctx, etick, eticklen);
3335 HMAC_Final(&hctx, tick_hmac, NULL);
3336 HMAC_CTX_cleanup(&hctx);
3337 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3338 EVP_CIPHER_CTX_cleanup(&ctx);
3341 /* Attempt to decrypt session data */
3342 /* Move p after IV to start of encrypted ticket, update length */
3343 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3344 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3345 sdec = OPENSSL_malloc(eticklen);
3347 EVP_CIPHER_CTX_cleanup(&ctx);
3350 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3351 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
3352 EVP_CIPHER_CTX_cleanup(&ctx);
3357 EVP_CIPHER_CTX_cleanup(&ctx);
3360 sess = d2i_SSL_SESSION(NULL, &p, slen);
3364 * The session ID, if non-empty, is used by some clients to detect
3365 * that the ticket has been accepted. So we copy it to the session
3366 * structure. If it is empty set length to zero as required by
3370 memcpy(sess->session_id, sess_id, sesslen);
3371 sess->session_id_length = sesslen;
3380 * For session parse failure, indicate that we need to send a new ticket.
3385 /* Tables to translate from NIDs to TLS v1.2 ids */
3392 static const tls12_lookup tls12_md[] = {
3393 {NID_md5, TLSEXT_hash_md5},
3394 {NID_sha1, TLSEXT_hash_sha1},
3395 {NID_sha224, TLSEXT_hash_sha224},
3396 {NID_sha256, TLSEXT_hash_sha256},
3397 {NID_sha384, TLSEXT_hash_sha384},
3398 {NID_sha512, TLSEXT_hash_sha512}
3401 static const tls12_lookup tls12_sig[] = {
3402 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3403 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3404 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3407 static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
3410 for (i = 0; i < tlen; i++) {
3411 if (table[i].nid == nid)
3417 static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
3420 for (i = 0; i < tlen; i++) {
3421 if ((table[i].id) == id)
3422 return table[i].nid;
3427 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3433 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3434 sizeof(tls12_md) / sizeof(tls12_lookup));
3437 sig_id = tls12_get_sigid(pk);
3440 p[0] = (unsigned char)md_id;
3441 p[1] = (unsigned char)sig_id;
3445 int tls12_get_sigid(const EVP_PKEY *pk)
3447 return tls12_find_id(pk->type, tls12_sig,
3448 sizeof(tls12_sig) / sizeof(tls12_lookup));
3454 const EVP_MD *(*mfunc) (void);
3457 static const tls12_hash_info tls12_md_info[] = {
3458 # ifdef OPENSSL_NO_MD5
3461 {NID_md5, 64, EVP_md5},
3463 # ifdef OPENSSL_NO_SHA
3466 {NID_sha1, 80, EVP_sha1},
3468 # ifdef OPENSSL_NO_SHA256
3469 {NID_sha224, 112, 0},
3470 {NID_sha256, 128, 0},
3472 {NID_sha224, 112, EVP_sha224},
3473 {NID_sha256, 128, EVP_sha256},
3475 # ifdef OPENSSL_NO_SHA512
3476 {NID_sha384, 192, 0},
3477 {NID_sha512, 256, 0}
3479 {NID_sha384, 192, EVP_sha384},
3480 {NID_sha512, 256, EVP_sha512}
3484 static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
3488 if (hash_alg > sizeof(tls12_md_info) / sizeof(tls12_md_info[0]))
3490 return tls12_md_info + hash_alg - 1;
3493 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3495 const tls12_hash_info *inf;
3496 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3498 inf = tls12_get_hash_info(hash_alg);
3499 if (!inf || !inf->mfunc)
3501 return inf->mfunc();
3504 static int tls12_get_pkey_idx(unsigned char sig_alg)
3507 # ifndef OPENSSL_NO_RSA
3508 case TLSEXT_signature_rsa:
3509 return SSL_PKEY_RSA_SIGN;
3511 # ifndef OPENSSL_NO_DSA
3512 case TLSEXT_signature_dsa:
3513 return SSL_PKEY_DSA_SIGN;
3515 # ifndef OPENSSL_NO_ECDSA
3516 case TLSEXT_signature_ecdsa:
3517 return SSL_PKEY_ECC;
3523 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3524 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3525 int *psignhash_nid, const unsigned char *data)
3527 int sign_nid = 0, hash_nid = 0;
3528 if (!phash_nid && !psign_nid && !psignhash_nid)
3530 if (phash_nid || psignhash_nid) {
3531 hash_nid = tls12_find_nid(data[0], tls12_md,
3532 sizeof(tls12_md) / sizeof(tls12_lookup));
3534 *phash_nid = hash_nid;
3536 if (psign_nid || psignhash_nid) {
3537 sign_nid = tls12_find_nid(data[1], tls12_sig,
3538 sizeof(tls12_sig) / sizeof(tls12_lookup));
3540 *psign_nid = sign_nid;
3542 if (psignhash_nid) {
3543 if (sign_nid && hash_nid)
3544 OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid);
3546 *psignhash_nid = NID_undef;
3550 /* Check to see if a signature algorithm is allowed */
3551 static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
3553 /* See if we have an entry in the hash table and it is enabled */
3554 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
3555 if (!hinf || !hinf->mfunc)
3557 /* See if public key algorithm allowed */
3558 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3560 /* Finally see if security callback allows it */
3561 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3565 * Get a mask of disabled public key algorithms based on supported signature
3566 * algorithms. For example if no signature algorithm supports RSA then RSA is
3570 void ssl_set_sig_mask(unsigned long *pmask_a, SSL *s, int op)
3572 const unsigned char *sigalgs;
3573 size_t i, sigalgslen;
3574 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3576 * Now go through all signature algorithms seeing if we support any for
3577 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3578 * down calls to security callback only check if we have to.
3580 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3581 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3582 switch (sigalgs[1]) {
3583 # ifndef OPENSSL_NO_RSA
3584 case TLSEXT_signature_rsa:
3585 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3589 # ifndef OPENSSL_NO_DSA
3590 case TLSEXT_signature_dsa:
3591 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3595 # ifndef OPENSSL_NO_ECDSA
3596 case TLSEXT_signature_ecdsa:
3597 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3604 *pmask_a |= SSL_aRSA;
3606 *pmask_a |= SSL_aDSS;
3608 *pmask_a |= SSL_aECDSA;
3611 size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
3612 const unsigned char *psig, size_t psiglen)
3614 unsigned char *tmpout = out;
3616 for (i = 0; i < psiglen; i += 2, psig += 2) {
3617 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3618 *tmpout++ = psig[0];
3619 *tmpout++ = psig[1];
3622 return tmpout - out;
3625 /* Given preference and allowed sigalgs set shared sigalgs */
3626 static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
3627 const unsigned char *pref, size_t preflen,
3628 const unsigned char *allow, size_t allowlen)
3630 const unsigned char *ptmp, *atmp;
3631 size_t i, j, nmatch = 0;
3632 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3633 /* Skip disabled hashes or signature algorithms */
3634 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3636 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3637 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3640 shsig->rhash = ptmp[0];
3641 shsig->rsign = ptmp[1];
3642 tls1_lookup_sigalg(&shsig->hash_nid,
3644 &shsig->signandhash_nid, ptmp);
3654 /* Set shared signature algorithms for SSL structures */
3655 static int tls1_set_shared_sigalgs(SSL *s)
3657 const unsigned char *pref, *allow, *conf;
3658 size_t preflen, allowlen, conflen;
3660 TLS_SIGALGS *salgs = NULL;
3662 unsigned int is_suiteb = tls1_suiteb(s);
3663 if (c->shared_sigalgs) {
3664 OPENSSL_free(c->shared_sigalgs);
3665 c->shared_sigalgs = NULL;
3667 /* If client use client signature algorithms if not NULL */
3668 if (!s->server && c->client_sigalgs && !is_suiteb) {
3669 conf = c->client_sigalgs;
3670 conflen = c->client_sigalgslen;
3671 } else if (c->conf_sigalgs && !is_suiteb) {
3672 conf = c->conf_sigalgs;
3673 conflen = c->conf_sigalgslen;
3675 conflen = tls12_get_psigalgs(s, &conf);
3676 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3679 allow = c->peer_sigalgs;
3680 allowlen = c->peer_sigalgslen;
3684 pref = c->peer_sigalgs;
3685 preflen = c->peer_sigalgslen;
3687 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
3690 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3693 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3694 c->shared_sigalgs = salgs;
3695 c->shared_sigalgslen = nmatch;
3699 /* Set preferred digest for each key type */
3701 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
3704 /* Extension ignored for inappropriate versions */
3705 if (!SSL_USE_SIGALGS(s))
3707 /* Should never happen */
3711 if (c->peer_sigalgs)
3712 OPENSSL_free(c->peer_sigalgs);
3713 c->peer_sigalgs = OPENSSL_malloc(dsize);
3714 if (!c->peer_sigalgs)
3716 c->peer_sigalgslen = dsize;
3717 memcpy(c->peer_sigalgs, data, dsize);
3721 int tls1_process_sigalgs(SSL *s)
3727 TLS_SIGALGS *sigptr;
3728 if (!tls1_set_shared_sigalgs(s))
3731 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3732 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3734 * Use first set signature preference to force message digest,
3735 * ignoring any peer preferences.
3737 const unsigned char *sigs = NULL;
3739 sigs = c->conf_sigalgs;
3741 sigs = c->client_sigalgs;
3743 idx = tls12_get_pkey_idx(sigs[1]);
3744 md = tls12_get_hash(sigs[0]);
3745 c->pkeys[idx].digest = md;
3746 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3747 if (idx == SSL_PKEY_RSA_SIGN) {
3748 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
3749 CERT_PKEY_EXPLICIT_SIGN;
3750 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3756 for (i = 0, sigptr = c->shared_sigalgs;
3757 i < c->shared_sigalgslen; i++, sigptr++) {
3758 idx = tls12_get_pkey_idx(sigptr->rsign);
3759 if (idx > 0 && c->pkeys[idx].digest == NULL) {
3760 md = tls12_get_hash(sigptr->rhash);
3761 c->pkeys[idx].digest = md;
3762 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3763 if (idx == SSL_PKEY_RSA_SIGN) {
3764 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
3765 CERT_PKEY_EXPLICIT_SIGN;
3766 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3772 * In strict mode leave unset digests as NULL to indicate we can't use
3773 * the certificate for signing.
3775 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3777 * Set any remaining keys to default values. NOTE: if alg is not
3778 * supported it stays as NULL.
3780 # ifndef OPENSSL_NO_DSA
3781 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3782 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3784 # ifndef OPENSSL_NO_RSA
3785 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
3786 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3787 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3790 # ifndef OPENSSL_NO_ECDSA
3791 if (!c->pkeys[SSL_PKEY_ECC].digest)
3792 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3798 int SSL_get_sigalgs(SSL *s, int idx,
3799 int *psign, int *phash, int *psignhash,
3800 unsigned char *rsig, unsigned char *rhash)
3802 const unsigned char *psig = s->cert->peer_sigalgs;
3807 if (idx >= (int)s->cert->peer_sigalgslen)
3814 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3816 return s->cert->peer_sigalgslen / 2;
3819 int SSL_get_shared_sigalgs(SSL *s, int idx,
3820 int *psign, int *phash, int *psignhash,
3821 unsigned char *rsig, unsigned char *rhash)
3823 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3824 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3828 *phash = shsigalgs->hash_nid;
3830 *psign = shsigalgs->sign_nid;
3832 *psignhash = shsigalgs->signandhash_nid;
3834 *rsig = shsigalgs->rsign;
3836 *rhash = shsigalgs->rhash;
3837 return s->cert->shared_sigalgslen;
3840 # ifndef OPENSSL_NO_HEARTBEATS
3841 int tls1_process_heartbeat(SSL *s)
3843 unsigned char *p = &s->s3->rrec.data[0], *pl;
3844 unsigned short hbtype;
3845 unsigned int payload;
3846 unsigned int padding = 16; /* Use minimum padding */
3848 if (s->msg_callback)
3849 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3850 &s->s3->rrec.data[0], s->s3->rrec.length,
3851 s, s->msg_callback_arg);
3853 /* Read type and payload length first */
3854 if (1 + 2 + 16 > s->s3->rrec.length)
3855 return 0; /* silently discard */
3858 if (1 + 2 + payload + 16 > s->s3->rrec.length)
3859 return 0; /* silently discard per RFC 6520 sec. 4 */
3862 if (hbtype == TLS1_HB_REQUEST) {
3863 unsigned char *buffer, *bp;
3867 * Allocate memory for the response, size is 1 bytes message type,
3868 * plus 2 bytes payload length, plus payload, plus padding
3870 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3871 if (buffer == NULL) {
3872 SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3877 /* Enter response type, length and copy payload */
3878 *bp++ = TLS1_HB_RESPONSE;
3880 memcpy(bp, pl, payload);
3882 /* Random padding */
3883 RAND_pseudo_bytes(bp, padding);
3885 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3886 3 + payload + padding);
3888 if (r >= 0 && s->msg_callback)
3889 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3890 buffer, 3 + payload + padding,
3891 s, s->msg_callback_arg);
3893 OPENSSL_free(buffer);
3897 } else if (hbtype == TLS1_HB_RESPONSE) {
3901 * We only send sequence numbers (2 bytes unsigned int), and 16
3902 * random bytes, so we just try to read the sequence number
3906 if (payload == 18 && seq == s->tlsext_hb_seq) {
3908 s->tlsext_hb_pending = 0;
3915 int tls1_heartbeat(SSL *s)
3917 unsigned char *buf, *p;
3919 unsigned int payload = 18; /* Sequence number + random bytes */
3920 unsigned int padding = 16; /* Use minimum padding */
3922 /* Only send if peer supports and accepts HB requests... */
3923 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3924 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3925 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3929 /* ...and there is none in flight yet... */
3930 if (s->tlsext_hb_pending) {
3931 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3935 /* ...and no handshake in progress. */
3936 if (SSL_in_init(s) || s->in_handshake) {
3937 SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3942 * Check if padding is too long, payload and padding must not exceed 2^14
3943 * - 3 = 16381 bytes in total.
3945 OPENSSL_assert(payload + padding <= 16381);
3948 * Create HeartBeat message, we just use a sequence number
3949 * as payload to distuingish different messages and add
3950 * some random stuff.
3951 * - Message Type, 1 byte
3952 * - Payload Length, 2 bytes (unsigned int)
3953 * - Payload, the sequence number (2 bytes uint)
3954 * - Payload, random bytes (16 bytes uint)
3957 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3959 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);
3964 *p++ = TLS1_HB_REQUEST;
3965 /* Payload length (18 bytes here) */
3967 /* Sequence number */
3968 s2n(s->tlsext_hb_seq, p);
3969 /* 16 random bytes */
3970 RAND_pseudo_bytes(p, 16);
3972 /* Random padding */
3973 RAND_pseudo_bytes(p, padding);
3975 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3977 if (s->msg_callback)
3978 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3979 buf, 3 + payload + padding,
3980 s, s->msg_callback_arg);
3982 s->tlsext_hb_pending = 1;
3991 # define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3995 int sigalgs[MAX_SIGALGLEN];
3998 static int sig_cb(const char *elem, int len, void *arg)
4000 sig_cb_st *sarg = arg;
4003 int sig_alg, hash_alg;
4004 if (sarg->sigalgcnt == MAX_SIGALGLEN)
4006 if (len > (int)(sizeof(etmp) - 1))
4008 memcpy(etmp, elem, len);
4010 p = strchr(etmp, '+');
4018 if (!strcmp(etmp, "RSA"))
4019 sig_alg = EVP_PKEY_RSA;
4020 else if (!strcmp(etmp, "DSA"))
4021 sig_alg = EVP_PKEY_DSA;
4022 else if (!strcmp(etmp, "ECDSA"))
4023 sig_alg = EVP_PKEY_EC;
4027 hash_alg = OBJ_sn2nid(p);
4028 if (hash_alg == NID_undef)
4029 hash_alg = OBJ_ln2nid(p);
4030 if (hash_alg == NID_undef)
4033 for (i = 0; i < sarg->sigalgcnt; i += 2) {
4034 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
4037 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
4038 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
4043 * Set suppored signature algorithms based on a colon separated list of the
4044 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
4046 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
4050 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
4054 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
4057 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
4060 unsigned char *sigalgs, *sptr;
4065 sigalgs = OPENSSL_malloc(salglen);
4066 if (sigalgs == NULL)
4068 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
4069 rhash = tls12_find_id(*psig_nids++, tls12_md,
4070 sizeof(tls12_md) / sizeof(tls12_lookup));
4071 rsign = tls12_find_id(*psig_nids++, tls12_sig,
4072 sizeof(tls12_sig) / sizeof(tls12_lookup));
4074 if (rhash == -1 || rsign == -1)
4081 if (c->client_sigalgs)
4082 OPENSSL_free(c->client_sigalgs);
4083 c->client_sigalgs = sigalgs;
4084 c->client_sigalgslen = salglen;
4086 if (c->conf_sigalgs)
4087 OPENSSL_free(c->conf_sigalgs);
4088 c->conf_sigalgs = sigalgs;
4089 c->conf_sigalgslen = salglen;
4095 OPENSSL_free(sigalgs);
4099 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
4103 if (default_nid == -1)
4105 sig_nid = X509_get_signature_nid(x);
4107 return sig_nid == default_nid ? 1 : 0;
4108 for (i = 0; i < c->shared_sigalgslen; i++)
4109 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
4114 /* Check to see if a certificate issuer name matches list of CA names */
4115 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
4119 nm = X509_get_issuer_name(x);
4120 for (i = 0; i < sk_X509_NAME_num(names); i++) {
4121 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
4128 * Check certificate chain is consistent with TLS extensions and is usable by
4129 * server. This servers two purposes: it allows users to check chains before
4130 * passing them to the server and it allows the server to check chains before
4131 * attempting to use them.
4134 /* Flags which need to be set for a certificate when stict mode not set */
4136 # define CERT_PKEY_VALID_FLAGS \
4137 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4138 /* Strict mode flags */
4139 # define CERT_PKEY_STRICT_FLAGS \
4140 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4141 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4143 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
4148 int check_flags = 0, strict_mode;
4149 CERT_PKEY *cpk = NULL;
4151 unsigned int suiteb_flags = tls1_suiteb(s);
4152 /* idx == -1 means checking server chains */
4154 /* idx == -2 means checking client certificate chains */
4157 idx = cpk - c->pkeys;
4159 cpk = c->pkeys + idx;
4161 pk = cpk->privatekey;
4163 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4164 /* If no cert or key, forget it */
4167 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4168 /* Allow any certificate to pass test */
4169 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
4170 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
4171 CERT_PKEY_VALID | CERT_PKEY_SIGN;
4172 cpk->valid_flags = rv;
4179 idx = ssl_cert_type(x, pk);
4182 cpk = c->pkeys + idx;
4183 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4184 check_flags = CERT_PKEY_STRICT_FLAGS;
4186 check_flags = CERT_PKEY_VALID_FLAGS;
4193 check_flags |= CERT_PKEY_SUITEB;
4194 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4195 if (ok == X509_V_OK)
4196 rv |= CERT_PKEY_SUITEB;
4197 else if (!check_flags)
4202 * Check all signature algorithms are consistent with signature
4203 * algorithms extension if TLS 1.2 or later and strict mode.
4205 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
4207 unsigned char rsign = 0;
4208 if (c->peer_sigalgs)
4210 /* If no sigalgs extension use defaults from RFC5246 */
4213 case SSL_PKEY_RSA_ENC:
4214 case SSL_PKEY_RSA_SIGN:
4215 case SSL_PKEY_DH_RSA:
4216 rsign = TLSEXT_signature_rsa;
4217 default_nid = NID_sha1WithRSAEncryption;
4220 case SSL_PKEY_DSA_SIGN:
4221 case SSL_PKEY_DH_DSA:
4222 rsign = TLSEXT_signature_dsa;
4223 default_nid = NID_dsaWithSHA1;
4227 rsign = TLSEXT_signature_ecdsa;
4228 default_nid = NID_ecdsa_with_SHA1;
4237 * If peer sent no signature algorithms extension and we have set
4238 * preferred signature algorithms check we support sha1.
4240 if (default_nid > 0 && c->conf_sigalgs) {
4242 const unsigned char *p = c->conf_sigalgs;
4243 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4244 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4247 if (j == c->conf_sigalgslen) {
4254 /* Check signature algorithm of each cert in chain */
4255 if (!tls1_check_sig_alg(c, x, default_nid)) {
4259 rv |= CERT_PKEY_EE_SIGNATURE;
4260 rv |= CERT_PKEY_CA_SIGNATURE;
4261 for (i = 0; i < sk_X509_num(chain); i++) {
4262 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4264 rv &= ~CERT_PKEY_CA_SIGNATURE;
4271 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4272 else if (check_flags)
4273 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4275 /* Check cert parameters are consistent */
4276 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4277 rv |= CERT_PKEY_EE_PARAM;
4278 else if (!check_flags)
4281 rv |= CERT_PKEY_CA_PARAM;
4282 /* In strict mode check rest of chain too */
4283 else if (strict_mode) {
4284 rv |= CERT_PKEY_CA_PARAM;
4285 for (i = 0; i < sk_X509_num(chain); i++) {
4286 X509 *ca = sk_X509_value(chain, i);
4287 if (!tls1_check_cert_param(s, ca, 0)) {
4289 rv &= ~CERT_PKEY_CA_PARAM;
4296 if (!s->server && strict_mode) {
4297 STACK_OF(X509_NAME) *ca_dn;
4301 check_type = TLS_CT_RSA_SIGN;
4304 check_type = TLS_CT_DSS_SIGN;
4307 check_type = TLS_CT_ECDSA_SIGN;
4312 int cert_type = X509_certificate_type(x, pk);
4313 if (cert_type & EVP_PKS_RSA)
4314 check_type = TLS_CT_RSA_FIXED_DH;
4315 if (cert_type & EVP_PKS_DSA)
4316 check_type = TLS_CT_DSS_FIXED_DH;
4320 const unsigned char *ctypes;
4324 ctypelen = (int)c->ctype_num;
4326 ctypes = (unsigned char *)s->s3->tmp.ctype;
4327 ctypelen = s->s3->tmp.ctype_num;
4329 for (i = 0; i < ctypelen; i++) {
4330 if (ctypes[i] == check_type) {
4331 rv |= CERT_PKEY_CERT_TYPE;
4335 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4338 rv |= CERT_PKEY_CERT_TYPE;
4340 ca_dn = s->s3->tmp.ca_names;
4342 if (!sk_X509_NAME_num(ca_dn))
4343 rv |= CERT_PKEY_ISSUER_NAME;
4345 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4346 if (ssl_check_ca_name(ca_dn, x))
4347 rv |= CERT_PKEY_ISSUER_NAME;
4349 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4350 for (i = 0; i < sk_X509_num(chain); i++) {
4351 X509 *xtmp = sk_X509_value(chain, i);
4352 if (ssl_check_ca_name(ca_dn, xtmp)) {
4353 rv |= CERT_PKEY_ISSUER_NAME;
4358 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4361 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4363 if (!check_flags || (rv & check_flags) == check_flags)
4364 rv |= CERT_PKEY_VALID;
4368 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
4369 if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4370 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
4371 else if (cpk->digest)
4372 rv |= CERT_PKEY_SIGN;
4374 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4377 * When checking a CERT_PKEY structure all flags are irrelevant if the
4381 if (rv & CERT_PKEY_VALID)
4382 cpk->valid_flags = rv;
4384 /* Preserve explicit sign flag, clear rest */
4385 cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4392 /* Set validity of certificates in an SSL structure */
4393 void tls1_set_cert_validity(SSL *s)
4395 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4396 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4397 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4398 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4399 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4400 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4403 /* User level utiity function to check a chain is suitable */
4404 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4406 return tls1_check_chain(s, x, pk, chain, -1);
4411 #ifndef OPENSSL_NO_DH
4412 DH *ssl_get_auto_dh(SSL *s)
4414 int dh_secbits = 80;
4415 if (s->cert->dh_tmp_auto == 2)
4416 return DH_get_1024_160();
4417 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
4418 if (s->s3->tmp.new_cipher->strength_bits == 256)
4423 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4424 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4427 if (dh_secbits >= 128) {
4433 BN_set_word(dhp->g, 2);
4434 if (dh_secbits >= 192)
4435 dhp->p = get_rfc3526_prime_8192(NULL);
4437 dhp->p = get_rfc3526_prime_3072(NULL);
4438 if (!dhp->p || !dhp->g) {
4444 if (dh_secbits >= 112)
4445 return DH_get_2048_224();
4446 return DH_get_1024_160();
4450 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4453 EVP_PKEY *pkey = X509_get_pubkey(x);
4455 secbits = EVP_PKEY_security_bits(pkey);
4456 EVP_PKEY_free(pkey);
4460 return ssl_security(s, op, secbits, 0, x);
4462 return ssl_ctx_security(ctx, op, secbits, 0, x);
4465 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4467 /* Lookup signature algorithm digest */
4468 int secbits = -1, md_nid = NID_undef, sig_nid;
4469 sig_nid = X509_get_signature_nid(x);
4470 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4472 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4473 secbits = EVP_MD_size(md) * 4;
4476 return ssl_security(s, op, secbits, md_nid, x);
4478 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4481 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
4484 vfy = SSL_SECOP_PEER;
4486 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4487 return SSL_R_EE_KEY_TOO_SMALL;
4489 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4490 return SSL_R_CA_KEY_TOO_SMALL;
4492 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4493 return SSL_R_CA_MD_TOO_WEAK;
4498 * Check security of a chain, if sk includes the end entity certificate then
4499 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4500 * one to the peer. Return values: 1 if ok otherwise error code to use
4503 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
4505 int rv, start_idx, i;
4507 x = sk_X509_value(sk, 0);
4512 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4516 for (i = start_idx; i < sk_X509_num(sk); i++) {
4517 x = sk_X509_value(sk, i);
4518 rv = ssl_security_cert(s, NULL, x, vfy, 0);