2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 const unsigned char *sess_id, int sesslen,
124 SSL_SESSION **psess);
127 SSL3_ENC_METHOD TLSv1_enc_data={
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141 long tls1_default_timeout(void)
143 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144 * is way too long for http, the cache would over fill */
150 if (!ssl3_new(s)) return(0);
151 s->method->ssl_clear(s);
155 void tls1_free(SSL *s)
157 #ifndef OPENSSL_NO_TLSEXT
158 if (s->tlsext_session_ticket)
160 OPENSSL_free(s->tlsext_session_ticket);
162 #endif /* OPENSSL_NO_TLSEXT */
166 void tls1_clear(SSL *s)
169 s->version = s->method->version;
172 #ifndef OPENSSL_NO_EC
174 static int nid_list[] =
176 NID_sect163k1, /* sect163k1 (1) */
177 NID_sect163r1, /* sect163r1 (2) */
178 NID_sect163r2, /* sect163r2 (3) */
179 NID_sect193r1, /* sect193r1 (4) */
180 NID_sect193r2, /* sect193r2 (5) */
181 NID_sect233k1, /* sect233k1 (6) */
182 NID_sect233r1, /* sect233r1 (7) */
183 NID_sect239k1, /* sect239k1 (8) */
184 NID_sect283k1, /* sect283k1 (9) */
185 NID_sect283r1, /* sect283r1 (10) */
186 NID_sect409k1, /* sect409k1 (11) */
187 NID_sect409r1, /* sect409r1 (12) */
188 NID_sect571k1, /* sect571k1 (13) */
189 NID_sect571r1, /* sect571r1 (14) */
190 NID_secp160k1, /* secp160k1 (15) */
191 NID_secp160r1, /* secp160r1 (16) */
192 NID_secp160r2, /* secp160r2 (17) */
193 NID_secp192k1, /* secp192k1 (18) */
194 NID_X9_62_prime192v1, /* secp192r1 (19) */
195 NID_secp224k1, /* secp224k1 (20) */
196 NID_secp224r1, /* secp224r1 (21) */
197 NID_secp256k1, /* secp256k1 (22) */
198 NID_X9_62_prime256v1, /* secp256r1 (23) */
199 NID_secp384r1, /* secp384r1 (24) */
200 NID_secp521r1 /* secp521r1 (25) */
203 static int pref_list[] =
205 NID_sect571r1, /* sect571r1 (14) */
206 NID_sect571k1, /* sect571k1 (13) */
207 NID_secp521r1, /* secp521r1 (25) */
208 NID_sect409k1, /* sect409k1 (11) */
209 NID_sect409r1, /* sect409r1 (12) */
210 NID_secp384r1, /* secp384r1 (24) */
211 NID_sect283k1, /* sect283k1 (9) */
212 NID_sect283r1, /* sect283r1 (10) */
213 NID_secp256k1, /* secp256k1 (22) */
214 NID_X9_62_prime256v1, /* secp256r1 (23) */
215 NID_sect239k1, /* sect239k1 (8) */
216 NID_sect233k1, /* sect233k1 (6) */
217 NID_sect233r1, /* sect233r1 (7) */
218 NID_secp224k1, /* secp224k1 (20) */
219 NID_secp224r1, /* secp224r1 (21) */
220 NID_sect193r1, /* sect193r1 (4) */
221 NID_sect193r2, /* sect193r2 (5) */
222 NID_secp192k1, /* secp192k1 (18) */
223 NID_X9_62_prime192v1, /* secp192r1 (19) */
224 NID_sect163k1, /* sect163k1 (1) */
225 NID_sect163r1, /* sect163r1 (2) */
226 NID_sect163r2, /* sect163r2 (3) */
227 NID_secp160k1, /* secp160k1 (15) */
228 NID_secp160r1, /* secp160r1 (16) */
229 NID_secp160r2, /* secp160r2 (17) */
232 int tls1_ec_curve_id2nid(int curve_id)
234 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
235 if ((curve_id < 1) || ((unsigned int)curve_id >
236 sizeof(nid_list)/sizeof(nid_list[0])))
238 return nid_list[curve_id-1];
241 int tls1_ec_nid2curve_id(int nid)
243 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246 case NID_sect163k1: /* sect163k1 (1) */
248 case NID_sect163r1: /* sect163r1 (2) */
250 case NID_sect163r2: /* sect163r2 (3) */
252 case NID_sect193r1: /* sect193r1 (4) */
254 case NID_sect193r2: /* sect193r2 (5) */
256 case NID_sect233k1: /* sect233k1 (6) */
258 case NID_sect233r1: /* sect233r1 (7) */
260 case NID_sect239k1: /* sect239k1 (8) */
262 case NID_sect283k1: /* sect283k1 (9) */
264 case NID_sect283r1: /* sect283r1 (10) */
266 case NID_sect409k1: /* sect409k1 (11) */
268 case NID_sect409r1: /* sect409r1 (12) */
270 case NID_sect571k1: /* sect571k1 (13) */
272 case NID_sect571r1: /* sect571r1 (14) */
274 case NID_secp160k1: /* secp160k1 (15) */
276 case NID_secp160r1: /* secp160r1 (16) */
278 case NID_secp160r2: /* secp160r2 (17) */
280 case NID_secp192k1: /* secp192k1 (18) */
282 case NID_X9_62_prime192v1: /* secp192r1 (19) */
284 case NID_secp224k1: /* secp224k1 (20) */
286 case NID_secp224r1: /* secp224r1 (21) */
288 case NID_secp256k1: /* secp256k1 (22) */
290 case NID_X9_62_prime256v1: /* secp256r1 (23) */
292 case NID_secp384r1: /* secp384r1 (24) */
294 case NID_secp521r1: /* secp521r1 (25) */
300 #endif /* OPENSSL_NO_EC */
302 #ifndef OPENSSL_NO_TLSEXT
304 /* List of supported signature algorithms and hashes. Should make this
305 * customisable at some point, for now include everything we support.
308 #ifdef OPENSSL_NO_RSA
309 #define tlsext_sigalg_rsa(md) /* */
311 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #ifdef OPENSSL_NO_DSA
315 #define tlsext_sigalg_dsa(md) /* */
317 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #ifdef OPENSSL_NO_ECDSA
321 #define tlsext_sigalg_ecdsa(md) /* */
323 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #define tlsext_sigalg(md) \
327 tlsext_sigalg_rsa(md) \
328 tlsext_sigalg_dsa(md) \
329 tlsext_sigalg_ecdsa(md)
331 static unsigned char tls12_sigalgs[] = {
332 #ifndef OPENSSL_NO_SHA512
333 tlsext_sigalg(TLSEXT_hash_sha512)
334 tlsext_sigalg(TLSEXT_hash_sha384)
336 #ifndef OPENSSL_NO_SHA256
337 tlsext_sigalg(TLSEXT_hash_sha256)
338 tlsext_sigalg(TLSEXT_hash_sha224)
340 #ifndef OPENSSL_NO_SHA
341 tlsext_sigalg(TLSEXT_hash_sha1)
343 #ifndef OPENSSL_NO_MD5
344 tlsext_sigalg_rsa(TLSEXT_hash_md5)
348 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
350 size_t slen = sizeof(tls12_sigalgs);
352 /* If FIPS mode don't include MD5 which is last */
357 memcpy(p, tls12_sigalgs, slen);
361 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364 unsigned char *ret = p;
366 /* don't add extensions for SSLv3 unless doing secure renegotiation */
367 if (s->client_version == SSL3_VERSION
368 && !s->s3->send_connection_binding)
373 if (ret>=limit) return NULL; /* this really never occurs, but ... */
375 if (s->tlsext_hostname != NULL)
377 /* Add TLS extension servername to the Client Hello message */
378 unsigned long size_str;
381 /* check for enough space.
382 4 for the servername type and entension length
383 2 for servernamelist length
384 1 for the hostname type
385 2 for hostname length
389 if ((lenmax = limit - ret - 9) < 0
390 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
393 /* extension type and length */
394 s2n(TLSEXT_TYPE_server_name,ret);
397 /* length of servername list */
400 /* hostname type, length and hostname */
401 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
403 memcpy(ret, s->tlsext_hostname, size_str);
407 /* Add RI if renegotiating */
412 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
414 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
418 if((limit - p - 4 - el) < 0) return NULL;
420 s2n(TLSEXT_TYPE_renegotiate,ret);
423 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
425 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
432 #ifndef OPENSSL_NO_SRP
433 #define MIN(x,y) (((x)<(y))?(x):(y))
434 /* we add SRP username the first time only if we have one! */
435 if (s->srp_ctx.login != NULL)
436 {/* Add TLS extension SRP username to the Client Hello message */
437 int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
440 if ((lenmax = limit - ret - 5) < 0) return NULL;
441 if (login_len > lenmax) return NULL;
444 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
447 s2n(TLSEXT_TYPE_srp,ret);
448 s2n(login_len+1,ret);
450 (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
451 memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
456 #ifndef OPENSSL_NO_EC
457 if (s->tlsext_ecpointformatlist != NULL &&
458 s->version != DTLS1_VERSION)
460 /* Add TLS extension ECPointFormats to the ClientHello message */
463 if ((lenmax = limit - ret - 5) < 0) return NULL;
464 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
465 if (s->tlsext_ecpointformatlist_length > 255)
467 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
471 s2n(TLSEXT_TYPE_ec_point_formats,ret);
472 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
473 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
474 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
475 ret+=s->tlsext_ecpointformatlist_length;
477 if (s->tlsext_ellipticcurvelist != NULL &&
478 s->version != DTLS1_VERSION)
480 /* Add TLS extension EllipticCurves to the ClientHello message */
483 if ((lenmax = limit - ret - 6) < 0) return NULL;
484 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
485 if (s->tlsext_ellipticcurvelist_length > 65532)
487 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
491 s2n(TLSEXT_TYPE_elliptic_curves,ret);
492 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
494 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
495 * elliptic_curve_list, but the examples use two bytes.
496 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
497 * resolves this to two bytes.
499 s2n(s->tlsext_ellipticcurvelist_length, ret);
500 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
501 ret+=s->tlsext_ellipticcurvelist_length;
503 #endif /* OPENSSL_NO_EC */
505 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
508 if (!s->new_session && s->session && s->session->tlsext_tick)
509 ticklen = s->session->tlsext_ticklen;
510 else if (s->session && s->tlsext_session_ticket &&
511 s->tlsext_session_ticket->data)
513 ticklen = s->tlsext_session_ticket->length;
514 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
515 if (!s->session->tlsext_tick)
517 memcpy(s->session->tlsext_tick,
518 s->tlsext_session_ticket->data,
520 s->session->tlsext_ticklen = ticklen;
524 if (ticklen == 0 && s->tlsext_session_ticket &&
525 s->tlsext_session_ticket->data == NULL)
527 /* Check for enough room 2 for extension type, 2 for len
530 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
531 s2n(TLSEXT_TYPE_session_ticket,ret);
535 memcpy(ret, s->session->tlsext_tick, ticklen);
541 if (TLS1_get_version(s) >= TLS1_2_VERSION)
543 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
545 s2n(TLSEXT_TYPE_signature_algorithms,ret);
546 s2n(sizeof(tls12_sigalgs) + 2, ret);
547 s2n(sizeof(tls12_sigalgs), ret);
548 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
549 ret += sizeof(tls12_sigalgs);
552 #ifdef TLSEXT_TYPE_opaque_prf_input
553 if (s->s3->client_opaque_prf_input != NULL &&
554 s->version != DTLS1_VERSION)
556 size_t col = s->s3->client_opaque_prf_input_len;
558 if ((long)(limit - ret - 6 - col < 0))
560 if (col > 0xFFFD) /* can't happen */
563 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
566 memcpy(ret, s->s3->client_opaque_prf_input, col);
571 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
572 s->version != DTLS1_VERSION)
575 long extlen, idlen, itmp;
579 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
581 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
582 itmp = i2d_OCSP_RESPID(id, NULL);
588 if (s->tlsext_ocsp_exts)
590 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
597 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
598 s2n(TLSEXT_TYPE_status_request, ret);
599 if (extlen + idlen > 0xFFF0)
601 s2n(extlen + idlen + 5, ret);
602 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
604 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
606 /* save position of id len */
607 unsigned char *q = ret;
608 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
609 /* skip over id len */
611 itmp = i2d_OCSP_RESPID(id, &ret);
617 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
620 #ifndef OPENSSL_NO_NEXTPROTONEG
621 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
623 /* The client advertises an emtpy extension to indicate its
624 * support for Next Protocol Negotiation */
625 if (limit - ret - 4 < 0)
627 s2n(TLSEXT_TYPE_next_proto_neg,ret);
632 if(SSL_get_srtp_profiles(s))
636 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
638 if((limit - p - 4 - el) < 0) return NULL;
640 s2n(TLSEXT_TYPE_use_srtp,ret);
643 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
645 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
651 if ((extdatalen = ret-p-2)== 0)
658 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
661 unsigned char *ret = p;
662 #ifndef OPENSSL_NO_NEXTPROTONEG
663 int next_proto_neg_seen;
666 /* don't add extensions for SSLv3, unless doing secure renegotiation */
667 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
671 if (ret>=limit) return NULL; /* this really never occurs, but ... */
673 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
675 if ((long)(limit - ret - 4) < 0) return NULL;
677 s2n(TLSEXT_TYPE_server_name,ret);
681 if(s->s3->send_connection_binding)
685 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
687 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
691 if((limit - p - 4 - el) < 0) return NULL;
693 s2n(TLSEXT_TYPE_renegotiate,ret);
696 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
698 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
705 #ifndef OPENSSL_NO_EC
706 if (s->tlsext_ecpointformatlist != NULL &&
707 s->version != DTLS1_VERSION)
709 /* Add TLS extension ECPointFormats to the ServerHello message */
712 if ((lenmax = limit - ret - 5) < 0) return NULL;
713 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
714 if (s->tlsext_ecpointformatlist_length > 255)
716 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
720 s2n(TLSEXT_TYPE_ec_point_formats,ret);
721 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
722 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
723 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
724 ret+=s->tlsext_ecpointformatlist_length;
727 /* Currently the server should not respond with a SupportedCurves extension */
728 #endif /* OPENSSL_NO_EC */
730 if (s->tlsext_ticket_expected
731 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
733 if ((long)(limit - ret - 4) < 0) return NULL;
734 s2n(TLSEXT_TYPE_session_ticket,ret);
738 if (s->tlsext_status_expected)
740 if ((long)(limit - ret - 4) < 0) return NULL;
741 s2n(TLSEXT_TYPE_status_request,ret);
745 #ifdef TLSEXT_TYPE_opaque_prf_input
746 if (s->s3->server_opaque_prf_input != NULL &&
747 s->version != DTLS1_VERSION)
749 size_t sol = s->s3->server_opaque_prf_input_len;
751 if ((long)(limit - ret - 6 - sol) < 0)
753 if (sol > 0xFFFD) /* can't happen */
756 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
759 memcpy(ret, s->s3->server_opaque_prf_input, sol);
768 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
770 if((limit - p - 4 - el) < 0) return NULL;
772 s2n(TLSEXT_TYPE_use_srtp,ret);
775 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
777 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
783 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
784 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
785 { const unsigned char cryptopro_ext[36] = {
786 0xfd, 0xe8, /*65000*/
787 0x00, 0x20, /*32 bytes length*/
788 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
789 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
790 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
791 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
792 if (limit-ret<36) return NULL;
793 memcpy(ret,cryptopro_ext,36);
798 #ifndef OPENSSL_NO_NEXTPROTONEG
799 next_proto_neg_seen = s->s3->next_proto_neg_seen;
800 s->s3->next_proto_neg_seen = 0;
801 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
803 const unsigned char *npa;
807 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
808 if (r == SSL_TLSEXT_ERR_OK)
810 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
811 s2n(TLSEXT_TYPE_next_proto_neg,ret);
813 memcpy(ret, npa, npalen);
815 s->s3->next_proto_neg_seen = 1;
820 if ((extdatalen = ret-p-2)== 0)
827 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
832 unsigned char *data = *p;
833 int renegotiate_seen = 0;
836 s->servername_done = 0;
837 s->tlsext_status_type = -1;
843 if (data > (d+n-len))
846 while (data <= (d+n-4))
851 if (data+size > (d+n))
854 fprintf(stderr,"Received extension type %d size %d\n",type,size);
856 if (s->tlsext_debug_cb)
857 s->tlsext_debug_cb(s, 0, type, data, size,
858 s->tlsext_debug_arg);
859 /* The servername extension is treated as follows:
861 - Only the hostname type is supported with a maximum length of 255.
862 - The servername is rejected if too long or if it contains zeros,
863 in which case an fatal alert is generated.
864 - The servername field is maintained together with the session cache.
865 - When a session is resumed, the servername call back invoked in order
866 to allow the application to position itself to the right context.
867 - The servername is acknowledged if it is new for a session or when
868 it is identical to a previously used for the same session.
869 Applications can control the behaviour. They can at any time
870 set a 'desirable' servername for a new SSL object. This can be the
871 case for example with HTTPS when a Host: header field is received and
872 a renegotiation is requested. In this case, a possible servername
873 presented in the new client hello is only acknowledged if it matches
874 the value of the Host: field.
875 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
876 if they provide for changing an explicit servername context for the session,
877 i.e. when the session has been established with a servername extension.
878 - On session reconnect, the servername extension may be absent.
882 if (type == TLSEXT_TYPE_server_name)
884 unsigned char *sdata;
890 *al = SSL_AD_DECODE_ERROR;
897 *al = SSL_AD_DECODE_ERROR;
904 servname_type = *(sdata++);
910 *al = SSL_AD_DECODE_ERROR;
913 if (s->servername_done == 0)
914 switch (servname_type)
916 case TLSEXT_NAMETYPE_host_name:
919 if(s->session->tlsext_hostname)
921 *al = SSL_AD_DECODE_ERROR;
924 if (len > TLSEXT_MAXLEN_host_name)
926 *al = TLS1_AD_UNRECOGNIZED_NAME;
929 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
931 *al = TLS1_AD_INTERNAL_ERROR;
934 memcpy(s->session->tlsext_hostname, sdata, len);
935 s->session->tlsext_hostname[len]='\0';
936 if (strlen(s->session->tlsext_hostname) != len) {
937 OPENSSL_free(s->session->tlsext_hostname);
938 s->session->tlsext_hostname = NULL;
939 *al = TLS1_AD_UNRECOGNIZED_NAME;
942 s->servername_done = 1;
946 s->servername_done = s->session->tlsext_hostname
947 && strlen(s->session->tlsext_hostname) == len
948 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
960 *al = SSL_AD_DECODE_ERROR;
965 #ifndef OPENSSL_NO_SRP
966 else if (type == TLSEXT_TYPE_srp)
971 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
973 memcpy(s->srp_ctx.login, &data[1], len);
974 s->srp_ctx.login[len]='\0';
979 #ifndef OPENSSL_NO_EC
980 else if (type == TLSEXT_TYPE_ec_point_formats &&
981 s->version != DTLS1_VERSION)
983 unsigned char *sdata = data;
984 int ecpointformatlist_length = *(sdata++);
986 if (ecpointformatlist_length != size - 1)
988 *al = TLS1_AD_DECODE_ERROR;
993 if(s->session->tlsext_ecpointformatlist)
995 OPENSSL_free(s->session->tlsext_ecpointformatlist);
996 s->session->tlsext_ecpointformatlist = NULL;
998 s->session->tlsext_ecpointformatlist_length = 0;
999 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1001 *al = TLS1_AD_INTERNAL_ERROR;
1004 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1005 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1008 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1009 sdata = s->session->tlsext_ecpointformatlist;
1010 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1011 fprintf(stderr,"%i ",*(sdata++));
1012 fprintf(stderr,"\n");
1015 else if (type == TLSEXT_TYPE_elliptic_curves &&
1016 s->version != DTLS1_VERSION)
1018 unsigned char *sdata = data;
1019 int ellipticcurvelist_length = (*(sdata++) << 8);
1020 ellipticcurvelist_length += (*(sdata++));
1022 if (ellipticcurvelist_length != size - 2)
1024 *al = TLS1_AD_DECODE_ERROR;
1029 if(s->session->tlsext_ellipticcurvelist)
1031 *al = TLS1_AD_DECODE_ERROR;
1034 s->session->tlsext_ellipticcurvelist_length = 0;
1035 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1037 *al = TLS1_AD_INTERNAL_ERROR;
1040 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1041 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1044 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1045 sdata = s->session->tlsext_ellipticcurvelist;
1046 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1047 fprintf(stderr,"%i ",*(sdata++));
1048 fprintf(stderr,"\n");
1051 #endif /* OPENSSL_NO_EC */
1052 #ifdef TLSEXT_TYPE_opaque_prf_input
1053 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1054 s->version != DTLS1_VERSION)
1056 unsigned char *sdata = data;
1060 *al = SSL_AD_DECODE_ERROR;
1063 n2s(sdata, s->s3->client_opaque_prf_input_len);
1064 if (s->s3->client_opaque_prf_input_len != size - 2)
1066 *al = SSL_AD_DECODE_ERROR;
1070 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1071 OPENSSL_free(s->s3->client_opaque_prf_input);
1072 if (s->s3->client_opaque_prf_input_len == 0)
1073 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1075 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1076 if (s->s3->client_opaque_prf_input == NULL)
1078 *al = TLS1_AD_INTERNAL_ERROR;
1083 else if (type == TLSEXT_TYPE_session_ticket)
1085 if (s->tls_session_ticket_ext_cb &&
1086 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1088 *al = TLS1_AD_INTERNAL_ERROR;
1092 else if (type == TLSEXT_TYPE_renegotiate)
1094 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1096 renegotiate_seen = 1;
1098 else if (type == TLSEXT_TYPE_signature_algorithms)
1101 if (sigalg_seen || size < 2)
1103 *al = SSL_AD_DECODE_ERROR;
1109 if (dsize != size || dsize & 1)
1111 *al = SSL_AD_DECODE_ERROR;
1114 if (!tls1_process_sigalgs(s, data, dsize))
1116 *al = SSL_AD_DECODE_ERROR;
1120 else if (type == TLSEXT_TYPE_status_request &&
1121 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1126 *al = SSL_AD_DECODE_ERROR;
1130 s->tlsext_status_type = *data++;
1132 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1134 const unsigned char *sdata;
1136 /* Read in responder_id_list */
1141 *al = SSL_AD_DECODE_ERROR;
1150 *al = SSL_AD_DECODE_ERROR;
1154 dsize -= 2 + idsize;
1158 *al = SSL_AD_DECODE_ERROR;
1163 id = d2i_OCSP_RESPID(NULL,
1167 *al = SSL_AD_DECODE_ERROR;
1172 OCSP_RESPID_free(id);
1173 *al = SSL_AD_DECODE_ERROR;
1176 if (!s->tlsext_ocsp_ids
1177 && !(s->tlsext_ocsp_ids =
1178 sk_OCSP_RESPID_new_null()))
1180 OCSP_RESPID_free(id);
1181 *al = SSL_AD_INTERNAL_ERROR;
1184 if (!sk_OCSP_RESPID_push(
1185 s->tlsext_ocsp_ids, id))
1187 OCSP_RESPID_free(id);
1188 *al = SSL_AD_INTERNAL_ERROR;
1193 /* Read in request_extensions */
1196 *al = SSL_AD_DECODE_ERROR;
1203 *al = SSL_AD_DECODE_ERROR;
1209 s->tlsext_ocsp_exts =
1210 d2i_X509_EXTENSIONS(NULL,
1212 if (!s->tlsext_ocsp_exts
1213 || (data + dsize != sdata))
1215 *al = SSL_AD_DECODE_ERROR;
1220 /* We don't know what to do with any other type
1224 s->tlsext_status_type = -1;
1226 #ifndef OPENSSL_NO_NEXTPROTONEG
1227 else if (type == TLSEXT_TYPE_next_proto_neg &&
1228 s->s3->tmp.finish_md_len == 0)
1230 /* We shouldn't accept this extension on a
1233 * s->new_session will be set on renegotiation, but we
1234 * probably shouldn't rely that it couldn't be set on
1235 * the initial renegotation too in certain cases (when
1236 * there's some other reason to disallow resuming an
1237 * earlier session -- the current code won't be doing
1238 * anything like that, but this might change).
1240 * A valid sign that there's been a previous handshake
1241 * in this connection is if s->s3->tmp.finish_md_len >
1242 * 0. (We are talking about a check that will happen
1243 * in the Hello protocol round, well before a new
1244 * Finished message could have been computed.) */
1245 s->s3->next_proto_neg_seen = 1;
1249 /* session ticket processed earlier */
1250 else if (type == TLSEXT_TYPE_use_srtp)
1252 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1264 /* Need RI if renegotiating */
1266 if (!renegotiate_seen && s->renegotiate &&
1267 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1269 *al = SSL_AD_HANDSHAKE_FAILURE;
1270 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1271 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1278 #ifndef OPENSSL_NO_NEXTPROTONEG
1279 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1280 * elements of zero length are allowed and the set of elements must exactly fill
1281 * the length of the block. */
1282 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1284 unsigned int off = 0;
1298 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1300 unsigned short length;
1301 unsigned short type;
1302 unsigned short size;
1303 unsigned char *data = *p;
1304 int tlsext_servername = 0;
1305 int renegotiate_seen = 0;
1307 if (data >= (d+n-2))
1311 if (data+length != d+n)
1313 *al = SSL_AD_DECODE_ERROR;
1317 while(data <= (d+n-4))
1322 if (data+size > (d+n))
1325 if (s->tlsext_debug_cb)
1326 s->tlsext_debug_cb(s, 1, type, data, size,
1327 s->tlsext_debug_arg);
1329 if (type == TLSEXT_TYPE_server_name)
1331 if (s->tlsext_hostname == NULL || size > 0)
1333 *al = TLS1_AD_UNRECOGNIZED_NAME;
1336 tlsext_servername = 1;
1339 #ifndef OPENSSL_NO_EC
1340 else if (type == TLSEXT_TYPE_ec_point_formats &&
1341 s->version != DTLS1_VERSION)
1343 unsigned char *sdata = data;
1344 int ecpointformatlist_length = *(sdata++);
1346 if (ecpointformatlist_length != size - 1)
1348 *al = TLS1_AD_DECODE_ERROR;
1351 s->session->tlsext_ecpointformatlist_length = 0;
1352 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1353 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1355 *al = TLS1_AD_INTERNAL_ERROR;
1358 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1359 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1361 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1362 sdata = s->session->tlsext_ecpointformatlist;
1363 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1364 fprintf(stderr,"%i ",*(sdata++));
1365 fprintf(stderr,"\n");
1368 #endif /* OPENSSL_NO_EC */
1370 else if (type == TLSEXT_TYPE_session_ticket)
1372 if (s->tls_session_ticket_ext_cb &&
1373 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1375 *al = TLS1_AD_INTERNAL_ERROR;
1378 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1381 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1384 s->tlsext_ticket_expected = 1;
1386 #ifdef TLSEXT_TYPE_opaque_prf_input
1387 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1388 s->version != DTLS1_VERSION)
1390 unsigned char *sdata = data;
1394 *al = SSL_AD_DECODE_ERROR;
1397 n2s(sdata, s->s3->server_opaque_prf_input_len);
1398 if (s->s3->server_opaque_prf_input_len != size - 2)
1400 *al = SSL_AD_DECODE_ERROR;
1404 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1405 OPENSSL_free(s->s3->server_opaque_prf_input);
1406 if (s->s3->server_opaque_prf_input_len == 0)
1407 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1409 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1411 if (s->s3->server_opaque_prf_input == NULL)
1413 *al = TLS1_AD_INTERNAL_ERROR;
1418 else if (type == TLSEXT_TYPE_status_request &&
1419 s->version != DTLS1_VERSION)
1421 /* MUST be empty and only sent if we've requested
1422 * a status request message.
1424 if ((s->tlsext_status_type == -1) || (size > 0))
1426 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1429 /* Set flag to expect CertificateStatus message */
1430 s->tlsext_status_expected = 1;
1432 #ifndef OPENSSL_NO_NEXTPROTONEG
1433 else if (type == TLSEXT_TYPE_next_proto_neg)
1435 unsigned char *selected;
1436 unsigned char selected_len;
1438 /* We must have requested it. */
1439 if ((s->ctx->next_proto_select_cb == NULL))
1441 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1444 /* The data must be valid */
1445 if (!ssl_next_proto_validate(data, size))
1447 *al = TLS1_AD_DECODE_ERROR;
1450 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1452 *al = TLS1_AD_INTERNAL_ERROR;
1455 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1456 if (!s->next_proto_negotiated)
1458 *al = TLS1_AD_INTERNAL_ERROR;
1461 memcpy(s->next_proto_negotiated, selected, selected_len);
1462 s->next_proto_negotiated_len = selected_len;
1465 else if (type == TLSEXT_TYPE_renegotiate)
1467 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1469 renegotiate_seen = 1;
1471 else if (type == TLSEXT_TYPE_use_srtp)
1473 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1483 *al = SSL_AD_DECODE_ERROR;
1487 if (!s->hit && tlsext_servername == 1)
1489 if (s->tlsext_hostname)
1491 if (s->session->tlsext_hostname == NULL)
1493 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1494 if (!s->session->tlsext_hostname)
1496 *al = SSL_AD_UNRECOGNIZED_NAME;
1502 *al = SSL_AD_DECODE_ERROR;
1512 /* Determine if we need to see RI. Strictly speaking if we want to
1513 * avoid an attack we should *always* see RI even on initial server
1514 * hello because the client doesn't see any renegotiation during an
1515 * attack. However this would mean we could not connect to any server
1516 * which doesn't support RI so for the immediate future tolerate RI
1517 * absence on initial connect only.
1519 if (!renegotiate_seen
1520 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1521 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1523 *al = SSL_AD_HANDSHAKE_FAILURE;
1524 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1525 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1533 int ssl_prepare_clienthello_tlsext(SSL *s)
1535 #ifndef OPENSSL_NO_EC
1536 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1537 * and elliptic curves we support.
1542 unsigned long alg_k, alg_a;
1543 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1545 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1547 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1549 alg_k = c->algorithm_mkey;
1550 alg_a = c->algorithm_auth;
1551 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1557 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1560 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1561 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1563 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1566 s->tlsext_ecpointformatlist_length = 3;
1567 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1568 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1569 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1571 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1572 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1573 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1574 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1576 s->tlsext_ellipticcurvelist_length = 0;
1577 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1580 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1581 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1583 int id = tls1_ec_nid2curve_id(pref_list[i]);
1587 #endif /* OPENSSL_NO_EC */
1589 #ifdef TLSEXT_TYPE_opaque_prf_input
1593 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1595 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1600 if (s->tlsext_opaque_prf_input != NULL)
1602 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1603 OPENSSL_free(s->s3->client_opaque_prf_input);
1605 if (s->tlsext_opaque_prf_input_len == 0)
1606 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1608 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1609 if (s->s3->client_opaque_prf_input == NULL)
1611 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1614 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1618 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1619 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1626 int ssl_prepare_serverhello_tlsext(SSL *s)
1628 #ifndef OPENSSL_NO_EC
1629 /* If we are server and using an ECC cipher suite, send the point formats we support
1630 * if the client sent us an ECPointsFormat extension. Note that the server is not
1631 * supposed to send an EllipticCurves extension.
1634 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1635 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1636 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1637 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1641 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1642 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1644 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1647 s->tlsext_ecpointformatlist_length = 3;
1648 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1649 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1650 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1652 #endif /* OPENSSL_NO_EC */
1657 int ssl_check_clienthello_tlsext(SSL *s)
1659 int ret=SSL_TLSEXT_ERR_NOACK;
1660 int al = SSL_AD_UNRECOGNIZED_NAME;
1662 #ifndef OPENSSL_NO_EC
1663 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1664 * ssl3_choose_cipher in s3_lib.c.
1666 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1667 * ssl3_choose_cipher in s3_lib.c.
1671 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1672 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1673 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1674 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1676 /* If status request then ask callback what to do.
1677 * Note: this must be called after servername callbacks in case
1678 * the certificate has changed.
1680 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1683 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1686 /* We don't want to send a status request response */
1687 case SSL_TLSEXT_ERR_NOACK:
1688 s->tlsext_status_expected = 0;
1690 /* status request response should be sent */
1691 case SSL_TLSEXT_ERR_OK:
1692 if (s->tlsext_ocsp_resp)
1693 s->tlsext_status_expected = 1;
1695 s->tlsext_status_expected = 0;
1697 /* something bad happened */
1698 case SSL_TLSEXT_ERR_ALERT_FATAL:
1699 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1700 al = SSL_AD_INTERNAL_ERROR;
1705 s->tlsext_status_expected = 0;
1707 #ifdef TLSEXT_TYPE_opaque_prf_input
1709 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1710 * but we might be sending an alert in response to the client hello,
1711 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1715 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1717 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1720 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1721 al = SSL_AD_INTERNAL_ERROR;
1726 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1727 OPENSSL_free(s->s3->server_opaque_prf_input);
1728 s->s3->server_opaque_prf_input = NULL;
1730 if (s->tlsext_opaque_prf_input != NULL)
1732 if (s->s3->client_opaque_prf_input != NULL &&
1733 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1735 /* can only use this extension if we have a server opaque PRF input
1736 * of the same length as the client opaque PRF input! */
1738 if (s->tlsext_opaque_prf_input_len == 0)
1739 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1741 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1742 if (s->s3->server_opaque_prf_input == NULL)
1744 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1745 al = SSL_AD_INTERNAL_ERROR;
1748 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1752 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1754 /* The callback wants to enforce use of the extension,
1755 * but we can't do that with the client opaque PRF input;
1756 * abort the handshake.
1758 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1759 al = SSL_AD_HANDSHAKE_FAILURE;
1767 case SSL_TLSEXT_ERR_ALERT_FATAL:
1768 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1771 case SSL_TLSEXT_ERR_ALERT_WARNING:
1772 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1775 case SSL_TLSEXT_ERR_NOACK:
1776 s->servername_done=0;
1782 int ssl_check_serverhello_tlsext(SSL *s)
1784 int ret=SSL_TLSEXT_ERR_NOACK;
1785 int al = SSL_AD_UNRECOGNIZED_NAME;
1787 #ifndef OPENSSL_NO_EC
1788 /* If we are client and using an elliptic curve cryptography cipher
1789 * suite, then if server returns an EC point formats lists extension
1790 * it must contain uncompressed.
1792 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1793 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1794 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
1795 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
1796 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1798 /* we are using an ECC cipher */
1800 unsigned char *list;
1801 int found_uncompressed = 0;
1802 list = s->session->tlsext_ecpointformatlist;
1803 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1805 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1807 found_uncompressed = 1;
1811 if (!found_uncompressed)
1813 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1817 ret = SSL_TLSEXT_ERR_OK;
1818 #endif /* OPENSSL_NO_EC */
1820 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1821 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1822 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1823 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1825 #ifdef TLSEXT_TYPE_opaque_prf_input
1826 if (s->s3->server_opaque_prf_input_len > 0)
1828 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1829 * So first verify that we really have a value from the server too. */
1831 if (s->s3->server_opaque_prf_input == NULL)
1833 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1834 al = SSL_AD_HANDSHAKE_FAILURE;
1837 /* Anytime the server *has* sent an opaque PRF input, we need to check
1838 * that we have a client opaque PRF input of the same size. */
1839 if (s->s3->client_opaque_prf_input == NULL ||
1840 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1842 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1843 al = SSL_AD_ILLEGAL_PARAMETER;
1848 /* If we've requested certificate status and we wont get one
1851 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1852 && s->ctx && s->ctx->tlsext_status_cb)
1855 /* Set resp to NULL, resplen to -1 so callback knows
1856 * there is no response.
1858 if (s->tlsext_ocsp_resp)
1860 OPENSSL_free(s->tlsext_ocsp_resp);
1861 s->tlsext_ocsp_resp = NULL;
1863 s->tlsext_ocsp_resplen = -1;
1864 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1867 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1868 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1872 al = SSL_AD_INTERNAL_ERROR;
1873 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1879 case SSL_TLSEXT_ERR_ALERT_FATAL:
1880 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1883 case SSL_TLSEXT_ERR_ALERT_WARNING:
1884 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1887 case SSL_TLSEXT_ERR_NOACK:
1888 s->servername_done=0;
1894 /* Since the server cache lookup is done early on in the processing of the
1895 * ClientHello, and other operations depend on the result, we need to handle
1896 * any TLS session ticket extension at the same time.
1898 * session_id: points at the session ID in the ClientHello. This code will
1899 * read past the end of this in order to parse out the session ticket
1900 * extension, if any.
1901 * len: the length of the session ID.
1902 * limit: a pointer to the first byte after the ClientHello.
1903 * ret: (output) on return, if a ticket was decrypted, then this is set to
1904 * point to the resulting session.
1906 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
1907 * ciphersuite, in which case we have no use for session tickets and one will
1908 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
1911 * -1: fatal error, either from parsing or decrypting the ticket.
1912 * 0: no ticket was found (or was ignored, based on settings).
1913 * 1: a zero length extension was found, indicating that the client supports
1914 * session tickets but doesn't currently have one to offer.
1915 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
1916 * couldn't be decrypted because of a non-fatal error.
1917 * 3: a ticket was successfully decrypted and *ret was set.
1920 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
1921 * a new session ticket to the client because the client indicated support
1922 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
1923 * a session ticket or we couldn't use the one it gave us, or if
1924 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
1925 * Otherwise, s->tlsext_ticket_expected is set to 0.
1927 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1928 const unsigned char *limit, SSL_SESSION **ret)
1930 /* Point after session ID in client hello */
1931 const unsigned char *p = session_id + len;
1935 s->tlsext_ticket_expected = 0;
1937 /* If tickets disabled behave as if no ticket present
1938 * to permit stateful resumption.
1940 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1942 if ((s->version <= SSL3_VERSION) || !limit)
1946 /* Skip past DTLS cookie */
1947 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1954 /* Skip past cipher list */
1959 /* Skip past compression algorithm list */
1964 /* Now at start of extensions */
1965 if ((p + 2) >= limit)
1968 while ((p + 4) <= limit)
1970 unsigned short type, size;
1973 if (p + size > limit)
1975 if (type == TLSEXT_TYPE_session_ticket)
1980 /* The client will accept a ticket but doesn't
1981 * currently have one. */
1982 s->tlsext_ticket_expected = 1;
1985 if (s->tls_session_secret_cb)
1987 /* Indicate that the ticket couldn't be
1988 * decrypted rather than generating the session
1989 * from ticket now, trigger abbreviated
1990 * handshake based on external mechanism to
1991 * calculate the master secret later. */
1994 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
1997 case 2: /* ticket couldn't be decrypted */
1998 s->tlsext_ticket_expected = 1;
2000 case 3: /* ticket was decrypted */
2002 case 4: /* ticket decrypted but need to renew */
2003 s->tlsext_ticket_expected = 1;
2005 default: /* fatal error */
2014 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2016 * etick: points to the body of the session ticket extension.
2017 * eticklen: the length of the session tickets extenion.
2018 * sess_id: points at the session ID.
2019 * sesslen: the length of the session ID.
2020 * psess: (output) on return, if a ticket was decrypted, then this is set to
2021 * point to the resulting session.
2024 * -1: fatal error, either from parsing or decrypting the ticket.
2025 * 2: the ticket couldn't be decrypted.
2026 * 3: a ticket was successfully decrypted and *psess was set.
2027 * 4: same as 3, but the ticket needs to be renewed.
2029 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2030 const unsigned char *sess_id, int sesslen,
2031 SSL_SESSION **psess)
2034 unsigned char *sdec;
2035 const unsigned char *p;
2036 int slen, mlen, renew_ticket = 0;
2037 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2040 SSL_CTX *tctx = s->initial_ctx;
2041 /* Need at least keyname + iv + some encrypted data */
2044 /* Initialize session ticket encryption and HMAC contexts */
2045 HMAC_CTX_init(&hctx);
2046 EVP_CIPHER_CTX_init(&ctx);
2047 if (tctx->tlsext_ticket_key_cb)
2049 unsigned char *nctick = (unsigned char *)etick;
2050 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2061 /* Check key name matches */
2062 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2064 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2065 tlsext_tick_md(), NULL);
2066 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2067 tctx->tlsext_tick_aes_key, etick + 16);
2069 /* Attempt to process session ticket, first conduct sanity and
2070 * integrity checks on ticket.
2072 mlen = HMAC_size(&hctx);
2075 EVP_CIPHER_CTX_cleanup(&ctx);
2079 /* Check HMAC of encrypted ticket */
2080 HMAC_Update(&hctx, etick, eticklen);
2081 HMAC_Final(&hctx, tick_hmac, NULL);
2082 HMAC_CTX_cleanup(&hctx);
2083 if (memcmp(tick_hmac, etick + eticklen, mlen))
2085 /* Attempt to decrypt session data */
2086 /* Move p after IV to start of encrypted ticket, update length */
2087 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2088 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2089 sdec = OPENSSL_malloc(eticklen);
2092 EVP_CIPHER_CTX_cleanup(&ctx);
2095 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2096 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2099 EVP_CIPHER_CTX_cleanup(&ctx);
2102 sess = d2i_SSL_SESSION(NULL, &p, slen);
2106 /* The session ID, if non-empty, is used by some clients to
2107 * detect that the ticket has been accepted. So we copy it to
2108 * the session structure. If it is empty set length to zero
2109 * as required by standard.
2112 memcpy(sess->session_id, sess_id, sesslen);
2113 sess->session_id_length = sesslen;
2121 /* For session parse failure, indicate that we need to send a new
2126 /* Tables to translate from NIDs to TLS v1.2 ids */
2134 static tls12_lookup tls12_md[] = {
2135 #ifndef OPENSSL_NO_MD5
2136 {NID_md5, TLSEXT_hash_md5},
2138 #ifndef OPENSSL_NO_SHA
2139 {NID_sha1, TLSEXT_hash_sha1},
2141 #ifndef OPENSSL_NO_SHA256
2142 {NID_sha224, TLSEXT_hash_sha224},
2143 {NID_sha256, TLSEXT_hash_sha256},
2145 #ifndef OPENSSL_NO_SHA512
2146 {NID_sha384, TLSEXT_hash_sha384},
2147 {NID_sha512, TLSEXT_hash_sha512}
2151 static tls12_lookup tls12_sig[] = {
2152 #ifndef OPENSSL_NO_RSA
2153 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2155 #ifndef OPENSSL_NO_RSA
2156 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2158 #ifndef OPENSSL_NO_ECDSA
2159 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2163 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2166 for (i = 0; i < tlen; i++)
2168 if (table[i].nid == nid)
2174 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2177 for (i = 0; i < tlen; i++)
2179 if (table[i].id == id)
2180 return table[i].nid;
2186 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2189 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2190 sizeof(tls12_md)/sizeof(tls12_lookup));
2193 sig_id = tls12_get_sigid(pk);
2196 p[0] = (unsigned char)md_id;
2197 p[1] = (unsigned char)sig_id;
2201 int tls12_get_sigid(const EVP_PKEY *pk)
2203 return tls12_find_id(pk->type, tls12_sig,
2204 sizeof(tls12_sig)/sizeof(tls12_lookup));
2207 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2211 #ifndef OPENSSL_NO_MD5
2212 case TLSEXT_hash_md5:
2219 #ifndef OPENSSL_NO_SHA
2220 case TLSEXT_hash_sha1:
2223 #ifndef OPENSSL_NO_SHA256
2224 case TLSEXT_hash_sha224:
2225 return EVP_sha224();
2227 case TLSEXT_hash_sha256:
2228 return EVP_sha256();
2230 #ifndef OPENSSL_NO_SHA512
2231 case TLSEXT_hash_sha384:
2232 return EVP_sha384();
2234 case TLSEXT_hash_sha512:
2235 return EVP_sha512();
2243 /* Set preferred digest for each key type */
2245 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2250 /* Extension ignored for TLS versions below 1.2 */
2251 if (TLS1_get_version(s) < TLS1_2_VERSION)
2253 /* Should never happen */
2257 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2258 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2259 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2260 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2262 for (i = 0; i < dsize; i += 2)
2264 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2268 #ifndef OPENSSL_NO_RSA
2269 case TLSEXT_signature_rsa:
2270 idx = SSL_PKEY_RSA_SIGN;
2273 #ifndef OPENSSL_NO_DSA
2274 case TLSEXT_signature_dsa:
2275 idx = SSL_PKEY_DSA_SIGN;
2278 #ifndef OPENSSL_NO_ECDSA
2279 case TLSEXT_signature_ecdsa:
2287 if (c->pkeys[idx].digest == NULL)
2289 md = tls12_get_hash(hash_alg);
2292 c->pkeys[idx].digest = md;
2293 if (idx == SSL_PKEY_RSA_SIGN)
2294 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2301 /* Set any remaining keys to default values. NOTE: if alg is not
2302 * supported it stays as NULL.
2304 #ifndef OPENSSL_NO_DSA
2305 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2306 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2308 #ifndef OPENSSL_NO_RSA
2309 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2311 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2312 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2315 #ifndef OPENSSL_NO_ECDSA
2316 if (!c->pkeys[SSL_PKEY_ECC].digest)
2317 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();