2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 const unsigned char *sess_id, int sesslen,
124 SSL_SESSION **psess);
127 SSL3_ENC_METHOD TLSv1_enc_data={
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141 long tls1_default_timeout(void)
143 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144 * is way too long for http, the cache would over fill */
150 if (!ssl3_new(s)) return(0);
151 s->method->ssl_clear(s);
155 void tls1_free(SSL *s)
157 #ifndef OPENSSL_NO_TLSEXT
158 if (s->tlsext_session_ticket)
160 OPENSSL_free(s->tlsext_session_ticket);
162 #endif /* OPENSSL_NO_TLSEXT */
166 void tls1_clear(SSL *s)
169 s->version = s->method->version;
172 #ifndef OPENSSL_NO_EC
174 static int nid_list[] =
176 NID_sect163k1, /* sect163k1 (1) */
177 NID_sect163r1, /* sect163r1 (2) */
178 NID_sect163r2, /* sect163r2 (3) */
179 NID_sect193r1, /* sect193r1 (4) */
180 NID_sect193r2, /* sect193r2 (5) */
181 NID_sect233k1, /* sect233k1 (6) */
182 NID_sect233r1, /* sect233r1 (7) */
183 NID_sect239k1, /* sect239k1 (8) */
184 NID_sect283k1, /* sect283k1 (9) */
185 NID_sect283r1, /* sect283r1 (10) */
186 NID_sect409k1, /* sect409k1 (11) */
187 NID_sect409r1, /* sect409r1 (12) */
188 NID_sect571k1, /* sect571k1 (13) */
189 NID_sect571r1, /* sect571r1 (14) */
190 NID_secp160k1, /* secp160k1 (15) */
191 NID_secp160r1, /* secp160r1 (16) */
192 NID_secp160r2, /* secp160r2 (17) */
193 NID_secp192k1, /* secp192k1 (18) */
194 NID_X9_62_prime192v1, /* secp192r1 (19) */
195 NID_secp224k1, /* secp224k1 (20) */
196 NID_secp224r1, /* secp224r1 (21) */
197 NID_secp256k1, /* secp256k1 (22) */
198 NID_X9_62_prime256v1, /* secp256r1 (23) */
199 NID_secp384r1, /* secp384r1 (24) */
200 NID_secp521r1 /* secp521r1 (25) */
203 static int pref_list[] =
205 NID_sect571r1, /* sect571r1 (14) */
206 NID_sect571k1, /* sect571k1 (13) */
207 NID_secp521r1, /* secp521r1 (25) */
208 NID_sect409k1, /* sect409k1 (11) */
209 NID_sect409r1, /* sect409r1 (12) */
210 NID_secp384r1, /* secp384r1 (24) */
211 NID_sect283k1, /* sect283k1 (9) */
212 NID_sect283r1, /* sect283r1 (10) */
213 NID_secp256k1, /* secp256k1 (22) */
214 NID_X9_62_prime256v1, /* secp256r1 (23) */
215 NID_sect239k1, /* sect239k1 (8) */
216 NID_sect233k1, /* sect233k1 (6) */
217 NID_sect233r1, /* sect233r1 (7) */
218 NID_secp224k1, /* secp224k1 (20) */
219 NID_secp224r1, /* secp224r1 (21) */
220 NID_sect193r1, /* sect193r1 (4) */
221 NID_sect193r2, /* sect193r2 (5) */
222 NID_secp192k1, /* secp192k1 (18) */
223 NID_X9_62_prime192v1, /* secp192r1 (19) */
224 NID_sect163k1, /* sect163k1 (1) */
225 NID_sect163r1, /* sect163r1 (2) */
226 NID_sect163r2, /* sect163r2 (3) */
227 NID_secp160k1, /* secp160k1 (15) */
228 NID_secp160r1, /* secp160r1 (16) */
229 NID_secp160r2, /* secp160r2 (17) */
232 int tls1_ec_curve_id2nid(int curve_id)
234 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
235 if ((curve_id < 1) || ((unsigned int)curve_id >
236 sizeof(nid_list)/sizeof(nid_list[0])))
238 return nid_list[curve_id-1];
241 int tls1_ec_nid2curve_id(int nid)
243 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246 case NID_sect163k1: /* sect163k1 (1) */
248 case NID_sect163r1: /* sect163r1 (2) */
250 case NID_sect163r2: /* sect163r2 (3) */
252 case NID_sect193r1: /* sect193r1 (4) */
254 case NID_sect193r2: /* sect193r2 (5) */
256 case NID_sect233k1: /* sect233k1 (6) */
258 case NID_sect233r1: /* sect233r1 (7) */
260 case NID_sect239k1: /* sect239k1 (8) */
262 case NID_sect283k1: /* sect283k1 (9) */
264 case NID_sect283r1: /* sect283r1 (10) */
266 case NID_sect409k1: /* sect409k1 (11) */
268 case NID_sect409r1: /* sect409r1 (12) */
270 case NID_sect571k1: /* sect571k1 (13) */
272 case NID_sect571r1: /* sect571r1 (14) */
274 case NID_secp160k1: /* secp160k1 (15) */
276 case NID_secp160r1: /* secp160r1 (16) */
278 case NID_secp160r2: /* secp160r2 (17) */
280 case NID_secp192k1: /* secp192k1 (18) */
282 case NID_X9_62_prime192v1: /* secp192r1 (19) */
284 case NID_secp224k1: /* secp224k1 (20) */
286 case NID_secp224r1: /* secp224r1 (21) */
288 case NID_secp256k1: /* secp256k1 (22) */
290 case NID_X9_62_prime256v1: /* secp256r1 (23) */
292 case NID_secp384r1: /* secp384r1 (24) */
294 case NID_secp521r1: /* secp521r1 (25) */
300 #endif /* OPENSSL_NO_EC */
302 #ifndef OPENSSL_NO_TLSEXT
304 /* List of supported signature algorithms and hashes. Should make this
305 * customisable at some point, for now include everything we support.
308 #ifdef OPENSSL_NO_RSA
309 #define tlsext_sigalg_rsa(md) /* */
311 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #ifdef OPENSSL_NO_DSA
315 #define tlsext_sigalg_dsa(md) /* */
317 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #ifdef OPENSSL_NO_ECDSA
321 #define tlsext_sigalg_ecdsa(md) /* */
323 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #define tlsext_sigalg(md) \
327 tlsext_sigalg_rsa(md) \
328 tlsext_sigalg_dsa(md) \
329 tlsext_sigalg_ecdsa(md)
331 static unsigned char tls12_sigalgs[] = {
332 #ifndef OPENSSL_NO_SHA512
333 tlsext_sigalg(TLSEXT_hash_sha512)
334 tlsext_sigalg(TLSEXT_hash_sha384)
336 #ifndef OPENSSL_NO_SHA256
337 tlsext_sigalg(TLSEXT_hash_sha256)
338 tlsext_sigalg(TLSEXT_hash_sha224)
340 #ifndef OPENSSL_NO_SHA
341 tlsext_sigalg(TLSEXT_hash_sha1)
343 #ifndef OPENSSL_NO_MD5
344 tlsext_sigalg_rsa(TLSEXT_hash_md5)
348 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
350 size_t slen = sizeof(tls12_sigalgs);
352 /* If FIPS mode don't include MD5 which is last */
357 memcpy(p, tls12_sigalgs, slen);
361 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364 unsigned char *ret = p;
366 /* don't add extensions for SSLv3 unless doing secure renegotiation */
367 if (s->client_version == SSL3_VERSION
368 && !s->s3->send_connection_binding)
373 if (ret>=limit) return NULL; /* this really never occurs, but ... */
375 if (s->tlsext_hostname != NULL)
377 /* Add TLS extension servername to the Client Hello message */
378 unsigned long size_str;
381 /* check for enough space.
382 4 for the servername type and entension length
383 2 for servernamelist length
384 1 for the hostname type
385 2 for hostname length
389 if ((lenmax = limit - ret - 9) < 0
390 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
393 /* extension type and length */
394 s2n(TLSEXT_TYPE_server_name,ret);
397 /* length of servername list */
400 /* hostname type, length and hostname */
401 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
403 memcpy(ret, s->tlsext_hostname, size_str);
407 /* Add RI if renegotiating */
412 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
414 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
418 if((limit - p - 4 - el) < 0) return NULL;
420 s2n(TLSEXT_TYPE_renegotiate,ret);
423 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
425 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
432 #ifndef OPENSSL_NO_SRP
433 #define MIN(x,y) (((x)<(y))?(x):(y))
434 /* we add SRP username the first time only if we have one! */
435 if (s->srp_ctx.login != NULL)
436 {/* Add TLS extension SRP username to the Client Hello message */
437 int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
440 if ((lenmax = limit - ret - 5) < 0) return NULL;
441 if (login_len > lenmax) return NULL;
444 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
447 s2n(TLSEXT_TYPE_srp,ret);
448 s2n(login_len+1,ret);
450 (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
451 memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
456 #ifndef OPENSSL_NO_EC
457 if (s->tlsext_ecpointformatlist != NULL &&
458 s->version != DTLS1_VERSION)
460 /* Add TLS extension ECPointFormats to the ClientHello message */
463 if ((lenmax = limit - ret - 5) < 0) return NULL;
464 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
465 if (s->tlsext_ecpointformatlist_length > 255)
467 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
471 s2n(TLSEXT_TYPE_ec_point_formats,ret);
472 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
473 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
474 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
475 ret+=s->tlsext_ecpointformatlist_length;
477 if (s->tlsext_ellipticcurvelist != NULL &&
478 s->version != DTLS1_VERSION)
480 /* Add TLS extension EllipticCurves to the ClientHello message */
483 if ((lenmax = limit - ret - 6) < 0) return NULL;
484 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
485 if (s->tlsext_ellipticcurvelist_length > 65532)
487 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
491 s2n(TLSEXT_TYPE_elliptic_curves,ret);
492 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
494 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
495 * elliptic_curve_list, but the examples use two bytes.
496 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
497 * resolves this to two bytes.
499 s2n(s->tlsext_ellipticcurvelist_length, ret);
500 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
501 ret+=s->tlsext_ellipticcurvelist_length;
503 #endif /* OPENSSL_NO_EC */
505 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
508 if (!s->new_session && s->session && s->session->tlsext_tick)
509 ticklen = s->session->tlsext_ticklen;
510 else if (s->session && s->tlsext_session_ticket &&
511 s->tlsext_session_ticket->data)
513 ticklen = s->tlsext_session_ticket->length;
514 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
515 if (!s->session->tlsext_tick)
517 memcpy(s->session->tlsext_tick,
518 s->tlsext_session_ticket->data,
520 s->session->tlsext_ticklen = ticklen;
524 if (ticklen == 0 && s->tlsext_session_ticket &&
525 s->tlsext_session_ticket->data == NULL)
527 /* Check for enough room 2 for extension type, 2 for len
530 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
531 s2n(TLSEXT_TYPE_session_ticket,ret);
535 memcpy(ret, s->session->tlsext_tick, ticklen);
541 if (TLS1_get_version(s) >= TLS1_2_VERSION)
543 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
545 s2n(TLSEXT_TYPE_signature_algorithms,ret);
546 s2n(sizeof(tls12_sigalgs) + 2, ret);
547 s2n(sizeof(tls12_sigalgs), ret);
548 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
549 ret += sizeof(tls12_sigalgs);
552 #ifdef TLSEXT_TYPE_opaque_prf_input
553 if (s->s3->client_opaque_prf_input != NULL &&
554 s->version != DTLS1_VERSION)
556 size_t col = s->s3->client_opaque_prf_input_len;
558 if ((long)(limit - ret - 6 - col < 0))
560 if (col > 0xFFFD) /* can't happen */
563 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
566 memcpy(ret, s->s3->client_opaque_prf_input, col);
571 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
572 s->version != DTLS1_VERSION)
575 long extlen, idlen, itmp;
579 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
581 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
582 itmp = i2d_OCSP_RESPID(id, NULL);
588 if (s->tlsext_ocsp_exts)
590 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
597 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
598 s2n(TLSEXT_TYPE_status_request, ret);
599 if (extlen + idlen > 0xFFF0)
601 s2n(extlen + idlen + 5, ret);
602 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
604 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
606 /* save position of id len */
607 unsigned char *q = ret;
608 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
609 /* skip over id len */
611 itmp = i2d_OCSP_RESPID(id, &ret);
617 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
620 #ifndef OPENSSL_NO_NEXTPROTONEG
621 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
623 /* The client advertises an emtpy extension to indicate its
624 * support for Next Protocol Negotiation */
625 if (limit - ret - 4 < 0)
627 s2n(TLSEXT_TYPE_next_proto_neg,ret);
632 if ((extdatalen = ret-p-2)== 0)
639 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
642 unsigned char *ret = p;
643 #ifndef OPENSSL_NO_NEXTPROTONEG
644 int next_proto_neg_seen;
647 /* don't add extensions for SSLv3, unless doing secure renegotiation */
648 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
652 if (ret>=limit) return NULL; /* this really never occurs, but ... */
654 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
656 if ((long)(limit - ret - 4) < 0) return NULL;
658 s2n(TLSEXT_TYPE_server_name,ret);
662 if(s->s3->send_connection_binding)
666 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
668 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
672 if((limit - p - 4 - el) < 0) return NULL;
674 s2n(TLSEXT_TYPE_renegotiate,ret);
677 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
679 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
686 #ifndef OPENSSL_NO_EC
687 if (s->tlsext_ecpointformatlist != NULL &&
688 s->version != DTLS1_VERSION)
690 /* Add TLS extension ECPointFormats to the ServerHello message */
693 if ((lenmax = limit - ret - 5) < 0) return NULL;
694 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
695 if (s->tlsext_ecpointformatlist_length > 255)
697 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
701 s2n(TLSEXT_TYPE_ec_point_formats,ret);
702 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
703 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
704 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
705 ret+=s->tlsext_ecpointformatlist_length;
708 /* Currently the server should not respond with a SupportedCurves extension */
709 #endif /* OPENSSL_NO_EC */
711 if (s->tlsext_ticket_expected
712 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
714 if ((long)(limit - ret - 4) < 0) return NULL;
715 s2n(TLSEXT_TYPE_session_ticket,ret);
719 if (s->tlsext_status_expected)
721 if ((long)(limit - ret - 4) < 0) return NULL;
722 s2n(TLSEXT_TYPE_status_request,ret);
726 #ifdef TLSEXT_TYPE_opaque_prf_input
727 if (s->s3->server_opaque_prf_input != NULL &&
728 s->version != DTLS1_VERSION)
730 size_t sol = s->s3->server_opaque_prf_input_len;
732 if ((long)(limit - ret - 6 - sol) < 0)
734 if (sol > 0xFFFD) /* can't happen */
737 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
740 memcpy(ret, s->s3->server_opaque_prf_input, sol);
744 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
745 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
746 { const unsigned char cryptopro_ext[36] = {
747 0xfd, 0xe8, /*65000*/
748 0x00, 0x20, /*32 bytes length*/
749 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
750 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
751 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
752 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
753 if (limit-ret<36) return NULL;
754 memcpy(ret,cryptopro_ext,36);
759 #ifndef OPENSSL_NO_NEXTPROTONEG
760 next_proto_neg_seen = s->s3->next_proto_neg_seen;
761 s->s3->next_proto_neg_seen = 0;
762 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
764 const unsigned char *npa;
768 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
769 if (r == SSL_TLSEXT_ERR_OK)
771 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
772 s2n(TLSEXT_TYPE_next_proto_neg,ret);
774 memcpy(ret, npa, npalen);
776 s->s3->next_proto_neg_seen = 1;
781 if ((extdatalen = ret-p-2)== 0)
788 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
793 unsigned char *data = *p;
794 int renegotiate_seen = 0;
797 s->servername_done = 0;
798 s->tlsext_status_type = -1;
804 if (data > (d+n-len))
807 while (data <= (d+n-4))
812 if (data+size > (d+n))
815 fprintf(stderr,"Received extension type %d size %d\n",type,size);
817 if (s->tlsext_debug_cb)
818 s->tlsext_debug_cb(s, 0, type, data, size,
819 s->tlsext_debug_arg);
820 /* The servername extension is treated as follows:
822 - Only the hostname type is supported with a maximum length of 255.
823 - The servername is rejected if too long or if it contains zeros,
824 in which case an fatal alert is generated.
825 - The servername field is maintained together with the session cache.
826 - When a session is resumed, the servername call back invoked in order
827 to allow the application to position itself to the right context.
828 - The servername is acknowledged if it is new for a session or when
829 it is identical to a previously used for the same session.
830 Applications can control the behaviour. They can at any time
831 set a 'desirable' servername for a new SSL object. This can be the
832 case for example with HTTPS when a Host: header field is received and
833 a renegotiation is requested. In this case, a possible servername
834 presented in the new client hello is only acknowledged if it matches
835 the value of the Host: field.
836 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
837 if they provide for changing an explicit servername context for the session,
838 i.e. when the session has been established with a servername extension.
839 - On session reconnect, the servername extension may be absent.
843 if (type == TLSEXT_TYPE_server_name)
845 unsigned char *sdata;
851 *al = SSL_AD_DECODE_ERROR;
858 *al = SSL_AD_DECODE_ERROR;
865 servname_type = *(sdata++);
871 *al = SSL_AD_DECODE_ERROR;
874 if (s->servername_done == 0)
875 switch (servname_type)
877 case TLSEXT_NAMETYPE_host_name:
880 if(s->session->tlsext_hostname)
882 *al = SSL_AD_DECODE_ERROR;
885 if (len > TLSEXT_MAXLEN_host_name)
887 *al = TLS1_AD_UNRECOGNIZED_NAME;
890 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
892 *al = TLS1_AD_INTERNAL_ERROR;
895 memcpy(s->session->tlsext_hostname, sdata, len);
896 s->session->tlsext_hostname[len]='\0';
897 if (strlen(s->session->tlsext_hostname) != len) {
898 OPENSSL_free(s->session->tlsext_hostname);
899 s->session->tlsext_hostname = NULL;
900 *al = TLS1_AD_UNRECOGNIZED_NAME;
903 s->servername_done = 1;
907 s->servername_done = s->session->tlsext_hostname
908 && strlen(s->session->tlsext_hostname) == len
909 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
921 *al = SSL_AD_DECODE_ERROR;
926 #ifndef OPENSSL_NO_SRP
927 else if (type == TLSEXT_TYPE_srp)
932 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
934 memcpy(s->srp_ctx.login, &data[1], len);
935 s->srp_ctx.login[len]='\0';
940 #ifndef OPENSSL_NO_EC
941 else if (type == TLSEXT_TYPE_ec_point_formats &&
942 s->version != DTLS1_VERSION)
944 unsigned char *sdata = data;
945 int ecpointformatlist_length = *(sdata++);
947 if (ecpointformatlist_length != size - 1)
949 *al = TLS1_AD_DECODE_ERROR;
954 if(s->session->tlsext_ecpointformatlist)
956 OPENSSL_free(s->session->tlsext_ecpointformatlist);
957 s->session->tlsext_ecpointformatlist = NULL;
959 s->session->tlsext_ecpointformatlist_length = 0;
960 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
962 *al = TLS1_AD_INTERNAL_ERROR;
965 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
966 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
969 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
970 sdata = s->session->tlsext_ecpointformatlist;
971 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
972 fprintf(stderr,"%i ",*(sdata++));
973 fprintf(stderr,"\n");
976 else if (type == TLSEXT_TYPE_elliptic_curves &&
977 s->version != DTLS1_VERSION)
979 unsigned char *sdata = data;
980 int ellipticcurvelist_length = (*(sdata++) << 8);
981 ellipticcurvelist_length += (*(sdata++));
983 if (ellipticcurvelist_length != size - 2)
985 *al = TLS1_AD_DECODE_ERROR;
990 if(s->session->tlsext_ellipticcurvelist)
992 *al = TLS1_AD_DECODE_ERROR;
995 s->session->tlsext_ellipticcurvelist_length = 0;
996 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
998 *al = TLS1_AD_INTERNAL_ERROR;
1001 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1002 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1005 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1006 sdata = s->session->tlsext_ellipticcurvelist;
1007 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1008 fprintf(stderr,"%i ",*(sdata++));
1009 fprintf(stderr,"\n");
1012 #endif /* OPENSSL_NO_EC */
1013 #ifdef TLSEXT_TYPE_opaque_prf_input
1014 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1015 s->version != DTLS1_VERSION)
1017 unsigned char *sdata = data;
1021 *al = SSL_AD_DECODE_ERROR;
1024 n2s(sdata, s->s3->client_opaque_prf_input_len);
1025 if (s->s3->client_opaque_prf_input_len != size - 2)
1027 *al = SSL_AD_DECODE_ERROR;
1031 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1032 OPENSSL_free(s->s3->client_opaque_prf_input);
1033 if (s->s3->client_opaque_prf_input_len == 0)
1034 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1036 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1037 if (s->s3->client_opaque_prf_input == NULL)
1039 *al = TLS1_AD_INTERNAL_ERROR;
1044 else if (type == TLSEXT_TYPE_session_ticket)
1046 if (s->tls_session_ticket_ext_cb &&
1047 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1049 *al = TLS1_AD_INTERNAL_ERROR;
1053 else if (type == TLSEXT_TYPE_renegotiate)
1055 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1057 renegotiate_seen = 1;
1059 else if (type == TLSEXT_TYPE_signature_algorithms)
1062 if (sigalg_seen || size < 2)
1064 *al = SSL_AD_DECODE_ERROR;
1070 if (dsize != size || dsize & 1)
1072 *al = SSL_AD_DECODE_ERROR;
1075 if (!tls1_process_sigalgs(s, data, dsize))
1077 *al = SSL_AD_DECODE_ERROR;
1081 else if (type == TLSEXT_TYPE_status_request &&
1082 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1087 *al = SSL_AD_DECODE_ERROR;
1091 s->tlsext_status_type = *data++;
1093 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1095 const unsigned char *sdata;
1097 /* Read in responder_id_list */
1102 *al = SSL_AD_DECODE_ERROR;
1111 *al = SSL_AD_DECODE_ERROR;
1115 dsize -= 2 + idsize;
1119 *al = SSL_AD_DECODE_ERROR;
1124 id = d2i_OCSP_RESPID(NULL,
1128 *al = SSL_AD_DECODE_ERROR;
1133 OCSP_RESPID_free(id);
1134 *al = SSL_AD_DECODE_ERROR;
1137 if (!s->tlsext_ocsp_ids
1138 && !(s->tlsext_ocsp_ids =
1139 sk_OCSP_RESPID_new_null()))
1141 OCSP_RESPID_free(id);
1142 *al = SSL_AD_INTERNAL_ERROR;
1145 if (!sk_OCSP_RESPID_push(
1146 s->tlsext_ocsp_ids, id))
1148 OCSP_RESPID_free(id);
1149 *al = SSL_AD_INTERNAL_ERROR;
1154 /* Read in request_extensions */
1157 *al = SSL_AD_DECODE_ERROR;
1164 *al = SSL_AD_DECODE_ERROR;
1170 s->tlsext_ocsp_exts =
1171 d2i_X509_EXTENSIONS(NULL,
1173 if (!s->tlsext_ocsp_exts
1174 || (data + dsize != sdata))
1176 *al = SSL_AD_DECODE_ERROR;
1181 /* We don't know what to do with any other type
1185 s->tlsext_status_type = -1;
1187 #ifndef OPENSSL_NO_NEXTPROTONEG
1188 else if (type == TLSEXT_TYPE_next_proto_neg &&
1189 s->s3->tmp.finish_md_len == 0)
1191 /* We shouldn't accept this extension on a
1194 * s->new_session will be set on renegotiation, but we
1195 * probably shouldn't rely that it couldn't be set on
1196 * the initial renegotation too in certain cases (when
1197 * there's some other reason to disallow resuming an
1198 * earlier session -- the current code won't be doing
1199 * anything like that, but this might change).
1201 * A valid sign that there's been a previous handshake
1202 * in this connection is if s->s3->tmp.finish_md_len >
1203 * 0. (We are talking about a check that will happen
1204 * in the Hello protocol round, well before a new
1205 * Finished message could have been computed.) */
1206 s->s3->next_proto_neg_seen = 1;
1210 /* session ticket processed earlier */
1218 /* Need RI if renegotiating */
1220 if (!renegotiate_seen && s->renegotiate &&
1221 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1223 *al = SSL_AD_HANDSHAKE_FAILURE;
1224 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1225 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1232 #ifndef OPENSSL_NO_NEXTPROTONEG
1233 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1234 * elements of zero length are allowed and the set of elements must exactly fill
1235 * the length of the block. */
1236 static int ssl_next_proto_validate(unsigned char *d, unsigned len)
1238 unsigned int off = 0;
1252 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1254 unsigned short length;
1255 unsigned short type;
1256 unsigned short size;
1257 unsigned char *data = *p;
1258 int tlsext_servername = 0;
1259 int renegotiate_seen = 0;
1261 if (data >= (d+n-2))
1265 if (data+length != d+n)
1267 *al = SSL_AD_DECODE_ERROR;
1271 while(data <= (d+n-4))
1276 if (data+size > (d+n))
1279 if (s->tlsext_debug_cb)
1280 s->tlsext_debug_cb(s, 1, type, data, size,
1281 s->tlsext_debug_arg);
1283 if (type == TLSEXT_TYPE_server_name)
1285 if (s->tlsext_hostname == NULL || size > 0)
1287 *al = TLS1_AD_UNRECOGNIZED_NAME;
1290 tlsext_servername = 1;
1293 #ifndef OPENSSL_NO_EC
1294 else if (type == TLSEXT_TYPE_ec_point_formats &&
1295 s->version != DTLS1_VERSION)
1297 unsigned char *sdata = data;
1298 int ecpointformatlist_length = *(sdata++);
1300 if (ecpointformatlist_length != size - 1)
1302 *al = TLS1_AD_DECODE_ERROR;
1305 s->session->tlsext_ecpointformatlist_length = 0;
1306 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1307 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1309 *al = TLS1_AD_INTERNAL_ERROR;
1312 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1313 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1315 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1316 sdata = s->session->tlsext_ecpointformatlist;
1317 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1318 fprintf(stderr,"%i ",*(sdata++));
1319 fprintf(stderr,"\n");
1322 #endif /* OPENSSL_NO_EC */
1324 else if (type == TLSEXT_TYPE_session_ticket)
1326 if (s->tls_session_ticket_ext_cb &&
1327 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1329 *al = TLS1_AD_INTERNAL_ERROR;
1332 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1335 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1338 s->tlsext_ticket_expected = 1;
1340 #ifdef TLSEXT_TYPE_opaque_prf_input
1341 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1342 s->version != DTLS1_VERSION)
1344 unsigned char *sdata = data;
1348 *al = SSL_AD_DECODE_ERROR;
1351 n2s(sdata, s->s3->server_opaque_prf_input_len);
1352 if (s->s3->server_opaque_prf_input_len != size - 2)
1354 *al = SSL_AD_DECODE_ERROR;
1358 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1359 OPENSSL_free(s->s3->server_opaque_prf_input);
1360 if (s->s3->server_opaque_prf_input_len == 0)
1361 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1363 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1365 if (s->s3->server_opaque_prf_input == NULL)
1367 *al = TLS1_AD_INTERNAL_ERROR;
1372 else if (type == TLSEXT_TYPE_status_request &&
1373 s->version != DTLS1_VERSION)
1375 /* MUST be empty and only sent if we've requested
1376 * a status request message.
1378 if ((s->tlsext_status_type == -1) || (size > 0))
1380 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1383 /* Set flag to expect CertificateStatus message */
1384 s->tlsext_status_expected = 1;
1386 #ifndef OPENSSL_NO_NEXTPROTONEG
1387 else if (type == TLSEXT_TYPE_next_proto_neg)
1389 unsigned char *selected;
1390 unsigned char selected_len;
1392 /* We must have requested it. */
1393 if ((s->ctx->next_proto_select_cb == NULL))
1395 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1398 /* The data must be valid */
1399 if (!ssl_next_proto_validate(data, size))
1401 *al = TLS1_AD_DECODE_ERROR;
1404 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1406 *al = TLS1_AD_INTERNAL_ERROR;
1409 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1410 if (!s->next_proto_negotiated)
1412 *al = TLS1_AD_INTERNAL_ERROR;
1415 memcpy(s->next_proto_negotiated, selected, selected_len);
1416 s->next_proto_negotiated_len = selected_len;
1419 else if (type == TLSEXT_TYPE_renegotiate)
1421 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1423 renegotiate_seen = 1;
1430 *al = SSL_AD_DECODE_ERROR;
1434 if (!s->hit && tlsext_servername == 1)
1436 if (s->tlsext_hostname)
1438 if (s->session->tlsext_hostname == NULL)
1440 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1441 if (!s->session->tlsext_hostname)
1443 *al = SSL_AD_UNRECOGNIZED_NAME;
1449 *al = SSL_AD_DECODE_ERROR;
1459 /* Determine if we need to see RI. Strictly speaking if we want to
1460 * avoid an attack we should *always* see RI even on initial server
1461 * hello because the client doesn't see any renegotiation during an
1462 * attack. However this would mean we could not connect to any server
1463 * which doesn't support RI so for the immediate future tolerate RI
1464 * absence on initial connect only.
1466 if (!renegotiate_seen
1467 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1468 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1470 *al = SSL_AD_HANDSHAKE_FAILURE;
1471 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1472 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1480 int ssl_prepare_clienthello_tlsext(SSL *s)
1482 #ifndef OPENSSL_NO_EC
1483 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1484 * and elliptic curves we support.
1489 unsigned long alg_k, alg_a;
1490 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1492 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1494 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1496 alg_k = c->algorithm_mkey;
1497 alg_a = c->algorithm_auth;
1498 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1504 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1507 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1508 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1510 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1513 s->tlsext_ecpointformatlist_length = 3;
1514 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1515 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1516 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1518 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1519 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1520 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1521 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1523 s->tlsext_ellipticcurvelist_length = 0;
1524 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1527 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1528 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1530 int id = tls1_ec_nid2curve_id(pref_list[i]);
1534 #endif /* OPENSSL_NO_EC */
1536 #ifdef TLSEXT_TYPE_opaque_prf_input
1540 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1542 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1547 if (s->tlsext_opaque_prf_input != NULL)
1549 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1550 OPENSSL_free(s->s3->client_opaque_prf_input);
1552 if (s->tlsext_opaque_prf_input_len == 0)
1553 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1555 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1556 if (s->s3->client_opaque_prf_input == NULL)
1558 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1561 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1565 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1566 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1573 int ssl_prepare_serverhello_tlsext(SSL *s)
1575 #ifndef OPENSSL_NO_EC
1576 /* If we are server and using an ECC cipher suite, send the point formats we support
1577 * if the client sent us an ECPointsFormat extension. Note that the server is not
1578 * supposed to send an EllipticCurves extension.
1581 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1582 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1583 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1584 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1588 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1589 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1591 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1594 s->tlsext_ecpointformatlist_length = 3;
1595 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1596 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1597 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1599 #endif /* OPENSSL_NO_EC */
1604 int ssl_check_clienthello_tlsext(SSL *s)
1606 int ret=SSL_TLSEXT_ERR_NOACK;
1607 int al = SSL_AD_UNRECOGNIZED_NAME;
1609 #ifndef OPENSSL_NO_EC
1610 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1611 * ssl3_choose_cipher in s3_lib.c.
1613 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1614 * ssl3_choose_cipher in s3_lib.c.
1618 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1619 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1620 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1621 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1623 /* If status request then ask callback what to do.
1624 * Note: this must be called after servername callbacks in case
1625 * the certificate has changed.
1627 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1630 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1633 /* We don't want to send a status request response */
1634 case SSL_TLSEXT_ERR_NOACK:
1635 s->tlsext_status_expected = 0;
1637 /* status request response should be sent */
1638 case SSL_TLSEXT_ERR_OK:
1639 if (s->tlsext_ocsp_resp)
1640 s->tlsext_status_expected = 1;
1642 s->tlsext_status_expected = 0;
1644 /* something bad happened */
1645 case SSL_TLSEXT_ERR_ALERT_FATAL:
1646 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1647 al = SSL_AD_INTERNAL_ERROR;
1652 s->tlsext_status_expected = 0;
1654 #ifdef TLSEXT_TYPE_opaque_prf_input
1656 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1657 * but we might be sending an alert in response to the client hello,
1658 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1662 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1664 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1667 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1668 al = SSL_AD_INTERNAL_ERROR;
1673 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1674 OPENSSL_free(s->s3->server_opaque_prf_input);
1675 s->s3->server_opaque_prf_input = NULL;
1677 if (s->tlsext_opaque_prf_input != NULL)
1679 if (s->s3->client_opaque_prf_input != NULL &&
1680 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1682 /* can only use this extension if we have a server opaque PRF input
1683 * of the same length as the client opaque PRF input! */
1685 if (s->tlsext_opaque_prf_input_len == 0)
1686 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1688 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1689 if (s->s3->server_opaque_prf_input == NULL)
1691 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1692 al = SSL_AD_INTERNAL_ERROR;
1695 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1699 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1701 /* The callback wants to enforce use of the extension,
1702 * but we can't do that with the client opaque PRF input;
1703 * abort the handshake.
1705 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1706 al = SSL_AD_HANDSHAKE_FAILURE;
1714 case SSL_TLSEXT_ERR_ALERT_FATAL:
1715 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1718 case SSL_TLSEXT_ERR_ALERT_WARNING:
1719 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1722 case SSL_TLSEXT_ERR_NOACK:
1723 s->servername_done=0;
1729 int ssl_check_serverhello_tlsext(SSL *s)
1731 int ret=SSL_TLSEXT_ERR_NOACK;
1732 int al = SSL_AD_UNRECOGNIZED_NAME;
1734 #ifndef OPENSSL_NO_EC
1735 /* If we are client and using an elliptic curve cryptography cipher
1736 * suite, then if server returns an EC point formats lists extension
1737 * it must contain uncompressed.
1739 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1740 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1741 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
1742 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
1743 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1745 /* we are using an ECC cipher */
1747 unsigned char *list;
1748 int found_uncompressed = 0;
1749 list = s->session->tlsext_ecpointformatlist;
1750 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1752 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1754 found_uncompressed = 1;
1758 if (!found_uncompressed)
1760 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1764 ret = SSL_TLSEXT_ERR_OK;
1765 #endif /* OPENSSL_NO_EC */
1767 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1768 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1769 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1770 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1772 #ifdef TLSEXT_TYPE_opaque_prf_input
1773 if (s->s3->server_opaque_prf_input_len > 0)
1775 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1776 * So first verify that we really have a value from the server too. */
1778 if (s->s3->server_opaque_prf_input == NULL)
1780 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1781 al = SSL_AD_HANDSHAKE_FAILURE;
1784 /* Anytime the server *has* sent an opaque PRF input, we need to check
1785 * that we have a client opaque PRF input of the same size. */
1786 if (s->s3->client_opaque_prf_input == NULL ||
1787 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1789 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1790 al = SSL_AD_ILLEGAL_PARAMETER;
1795 /* If we've requested certificate status and we wont get one
1798 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1799 && s->ctx && s->ctx->tlsext_status_cb)
1802 /* Set resp to NULL, resplen to -1 so callback knows
1803 * there is no response.
1805 if (s->tlsext_ocsp_resp)
1807 OPENSSL_free(s->tlsext_ocsp_resp);
1808 s->tlsext_ocsp_resp = NULL;
1810 s->tlsext_ocsp_resplen = -1;
1811 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1814 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1815 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1819 al = SSL_AD_INTERNAL_ERROR;
1820 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1826 case SSL_TLSEXT_ERR_ALERT_FATAL:
1827 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1830 case SSL_TLSEXT_ERR_ALERT_WARNING:
1831 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1834 case SSL_TLSEXT_ERR_NOACK:
1835 s->servername_done=0;
1841 /* Since the server cache lookup is done early on in the processing of client
1842 * hello and other operations depend on the result we need to handle any TLS
1843 * session ticket extension at the same time.
1846 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1847 const unsigned char *limit, SSL_SESSION **ret)
1849 /* Point after session ID in client hello */
1850 const unsigned char *p = session_id + len;
1853 /* If tickets disabled behave as if no ticket present
1854 * to permit stateful resumption.
1856 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1859 if ((s->version <= SSL3_VERSION) || !limit)
1863 /* Skip past DTLS cookie */
1864 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1871 /* Skip past cipher list */
1876 /* Skip past compression algorithm list */
1881 /* Now at start of extensions */
1882 if ((p + 2) >= limit)
1885 while ((p + 4) <= limit)
1887 unsigned short type, size;
1890 if (p + size > limit)
1892 if (type == TLSEXT_TYPE_session_ticket)
1894 /* If tickets disabled indicate cache miss which will
1895 * trigger a full handshake
1897 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1899 /* If zero length note client will accept a ticket
1900 * and indicate cache miss to trigger full handshake
1904 s->tlsext_ticket_expected = 1;
1905 return 0; /* Cache miss */
1907 if (s->tls_session_secret_cb)
1909 /* Indicate cache miss here and instead of
1910 * generating the session from ticket now,
1911 * trigger abbreviated handshake based on
1912 * external mechanism to calculate the master
1916 return tls_decrypt_ticket(s, p, size, session_id, len,
1924 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1925 const unsigned char *sess_id, int sesslen,
1926 SSL_SESSION **psess)
1929 unsigned char *sdec;
1930 const unsigned char *p;
1931 int slen, mlen, renew_ticket = 0;
1932 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1935 SSL_CTX *tctx = s->initial_ctx;
1936 /* Need at least keyname + iv + some encrypted data */
1939 /* Initialize session ticket encryption and HMAC contexts */
1940 HMAC_CTX_init(&hctx);
1941 EVP_CIPHER_CTX_init(&ctx);
1942 if (tctx->tlsext_ticket_key_cb)
1944 unsigned char *nctick = (unsigned char *)etick;
1945 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1956 /* Check key name matches */
1957 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
1959 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
1960 tlsext_tick_md(), NULL);
1961 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1962 tctx->tlsext_tick_aes_key, etick + 16);
1964 /* Attempt to process session ticket, first conduct sanity and
1965 * integrity checks on ticket.
1967 mlen = HMAC_size(&hctx);
1970 EVP_CIPHER_CTX_cleanup(&ctx);
1974 /* Check HMAC of encrypted ticket */
1975 HMAC_Update(&hctx, etick, eticklen);
1976 HMAC_Final(&hctx, tick_hmac, NULL);
1977 HMAC_CTX_cleanup(&hctx);
1978 if (memcmp(tick_hmac, etick + eticklen, mlen))
1980 /* Attempt to decrypt session data */
1981 /* Move p after IV to start of encrypted ticket, update length */
1982 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1983 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1984 sdec = OPENSSL_malloc(eticklen);
1987 EVP_CIPHER_CTX_cleanup(&ctx);
1990 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1991 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1994 EVP_CIPHER_CTX_cleanup(&ctx);
1997 sess = d2i_SSL_SESSION(NULL, &p, slen);
2001 /* The session ID if non-empty is used by some clients to
2002 * detect that the ticket has been accepted. So we copy it to
2003 * the session structure. If it is empty set length to zero
2004 * as required by standard.
2007 memcpy(sess->session_id, sess_id, sesslen);
2008 sess->session_id_length = sesslen;
2010 s->tlsext_ticket_expected = renew_ticket;
2013 /* If session decrypt failure indicate a cache miss and set state to
2017 s->tlsext_ticket_expected = 1;
2021 /* Tables to translate from NIDs to TLS v1.2 ids */
2029 static tls12_lookup tls12_md[] = {
2030 #ifndef OPENSSL_NO_MD5
2031 {NID_md5, TLSEXT_hash_md5},
2033 #ifndef OPENSSL_NO_SHA
2034 {NID_sha1, TLSEXT_hash_sha1},
2036 #ifndef OPENSSL_NO_SHA256
2037 {NID_sha224, TLSEXT_hash_sha224},
2038 {NID_sha256, TLSEXT_hash_sha256},
2040 #ifndef OPENSSL_NO_SHA512
2041 {NID_sha384, TLSEXT_hash_sha384},
2042 {NID_sha512, TLSEXT_hash_sha512}
2046 static tls12_lookup tls12_sig[] = {
2047 #ifndef OPENSSL_NO_RSA
2048 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2050 #ifndef OPENSSL_NO_RSA
2051 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2053 #ifndef OPENSSL_NO_ECDSA
2054 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2058 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2061 for (i = 0; i < tlen; i++)
2063 if (table[i].nid == nid)
2069 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2072 for (i = 0; i < tlen; i++)
2074 if (table[i].id == id)
2075 return table[i].nid;
2081 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2084 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2085 sizeof(tls12_md)/sizeof(tls12_lookup));
2088 sig_id = tls12_get_sigid(pk);
2091 p[0] = (unsigned char)md_id;
2092 p[1] = (unsigned char)sig_id;
2096 int tls12_get_sigid(const EVP_PKEY *pk)
2098 return tls12_find_id(pk->type, tls12_sig,
2099 sizeof(tls12_sig)/sizeof(tls12_lookup));
2102 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2106 #ifndef OPENSSL_NO_MD5
2107 case TLSEXT_hash_md5:
2114 #ifndef OPENSSL_NO_SHA
2115 case TLSEXT_hash_sha1:
2118 #ifndef OPENSSL_NO_SHA256
2119 case TLSEXT_hash_sha224:
2120 return EVP_sha224();
2122 case TLSEXT_hash_sha256:
2123 return EVP_sha256();
2125 #ifndef OPENSSL_NO_SHA512
2126 case TLSEXT_hash_sha384:
2127 return EVP_sha384();
2129 case TLSEXT_hash_sha512:
2130 return EVP_sha512();
2138 /* Set preferred digest for each key type */
2140 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2145 /* Extension ignored for TLS versions below 1.2 */
2146 if (TLS1_get_version(s) < TLS1_2_VERSION)
2148 /* Should never happen */
2152 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2153 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2154 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2155 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2157 for (i = 0; i < dsize; i += 2)
2159 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2163 #ifndef OPENSSL_NO_RSA
2164 case TLSEXT_signature_rsa:
2165 idx = SSL_PKEY_RSA_SIGN;
2168 #ifndef OPENSSL_NO_DSA
2169 case TLSEXT_signature_dsa:
2170 idx = SSL_PKEY_DSA_SIGN;
2173 #ifndef OPENSSL_NO_ECDSA
2174 case TLSEXT_signature_ecdsa:
2182 if (c->pkeys[idx].digest == NULL)
2184 md = tls12_get_hash(hash_alg);
2187 c->pkeys[idx].digest = md;
2188 if (idx == SSL_PKEY_RSA_SIGN)
2189 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2196 /* Set any remaining keys to default values. NOTE: if alg is not
2197 * supported it stays as NULL.
2199 #ifndef OPENSSL_NO_DSA
2200 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2201 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2203 #ifndef OPENSSL_NO_RSA
2204 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2206 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2207 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2210 #ifndef OPENSSL_NO_ECDSA
2211 if (!c->pkeys[SSL_PKEY_ECC].digest)
2212 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();