2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124 const unsigned char *sess_id, int sesslen,
125 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext_early(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
130 SSL3_ENC_METHOD TLSv1_enc_data={
133 tls1_setup_key_block,
134 tls1_generate_master_secret,
135 tls1_change_cipher_state,
136 tls1_final_finish_mac,
137 TLS1_FINISH_MAC_LENGTH,
138 tls1_cert_verify_mac,
139 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
142 tls1_export_keying_material,
144 SSL3_HM_HEADER_LENGTH,
145 ssl3_set_handshake_header,
149 SSL3_ENC_METHOD TLSv1_1_enc_data={
152 tls1_setup_key_block,
153 tls1_generate_master_secret,
154 tls1_change_cipher_state,
155 tls1_final_finish_mac,
156 TLS1_FINISH_MAC_LENGTH,
157 tls1_cert_verify_mac,
158 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
159 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
161 tls1_export_keying_material,
162 SSL_ENC_FLAG_EXPLICIT_IV,
163 SSL3_HM_HEADER_LENGTH,
164 ssl3_set_handshake_header,
168 SSL3_ENC_METHOD TLSv1_2_enc_data={
171 tls1_setup_key_block,
172 tls1_generate_master_secret,
173 tls1_change_cipher_state,
174 tls1_final_finish_mac,
175 TLS1_FINISH_MAC_LENGTH,
176 tls1_cert_verify_mac,
177 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
178 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
180 tls1_export_keying_material,
181 SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
182 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
183 SSL3_HM_HEADER_LENGTH,
184 ssl3_set_handshake_header,
188 long tls1_default_timeout(void)
190 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
191 * is way too long for http, the cache would over fill */
197 if (!ssl3_new(s)) return(0);
198 s->method->ssl_clear(s);
202 void tls1_free(SSL *s)
204 #ifndef OPENSSL_NO_TLSEXT
205 if (s->tlsext_session_ticket)
207 OPENSSL_free(s->tlsext_session_ticket);
209 #endif /* OPENSSL_NO_TLSEXT */
213 void tls1_clear(SSL *s)
216 s->version = s->method->version;
219 #ifndef OPENSSL_NO_EC
221 static int nid_list[] =
223 NID_sect163k1, /* sect163k1 (1) */
224 NID_sect163r1, /* sect163r1 (2) */
225 NID_sect163r2, /* sect163r2 (3) */
226 NID_sect193r1, /* sect193r1 (4) */
227 NID_sect193r2, /* sect193r2 (5) */
228 NID_sect233k1, /* sect233k1 (6) */
229 NID_sect233r1, /* sect233r1 (7) */
230 NID_sect239k1, /* sect239k1 (8) */
231 NID_sect283k1, /* sect283k1 (9) */
232 NID_sect283r1, /* sect283r1 (10) */
233 NID_sect409k1, /* sect409k1 (11) */
234 NID_sect409r1, /* sect409r1 (12) */
235 NID_sect571k1, /* sect571k1 (13) */
236 NID_sect571r1, /* sect571r1 (14) */
237 NID_secp160k1, /* secp160k1 (15) */
238 NID_secp160r1, /* secp160r1 (16) */
239 NID_secp160r2, /* secp160r2 (17) */
240 NID_secp192k1, /* secp192k1 (18) */
241 NID_X9_62_prime192v1, /* secp192r1 (19) */
242 NID_secp224k1, /* secp224k1 (20) */
243 NID_secp224r1, /* secp224r1 (21) */
244 NID_secp256k1, /* secp256k1 (22) */
245 NID_X9_62_prime256v1, /* secp256r1 (23) */
246 NID_secp384r1, /* secp384r1 (24) */
247 NID_secp521r1, /* secp521r1 (25) */
248 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
249 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
250 NID_brainpoolP512r1 /* brainpool512r1 (28) */
254 static const unsigned char ecformats_default[] =
256 TLSEXT_ECPOINTFORMAT_uncompressed,
257 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
258 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
261 static const unsigned char eccurves_default[] =
263 0,14, /* sect571r1 (14) */
264 0,13, /* sect571k1 (13) */
265 0,25, /* secp521r1 (25) */
266 0,28, /* brainpool512r1 (28) */
267 0,11, /* sect409k1 (11) */
268 0,12, /* sect409r1 (12) */
269 0,27, /* brainpoolP384r1 (27) */
270 0,24, /* secp384r1 (24) */
271 0,9, /* sect283k1 (9) */
272 0,10, /* sect283r1 (10) */
273 0,26, /* brainpoolP256r1 (26) */
274 0,22, /* secp256k1 (22) */
275 0,23, /* secp256r1 (23) */
276 0,8, /* sect239k1 (8) */
277 0,6, /* sect233k1 (6) */
278 0,7, /* sect233r1 (7) */
279 0,20, /* secp224k1 (20) */
280 0,21, /* secp224r1 (21) */
281 0,4, /* sect193r1 (4) */
282 0,5, /* sect193r2 (5) */
283 0,18, /* secp192k1 (18) */
284 0,19, /* secp192r1 (19) */
285 0,1, /* sect163k1 (1) */
286 0,2, /* sect163r1 (2) */
287 0,3, /* sect163r2 (3) */
288 0,15, /* secp160k1 (15) */
289 0,16, /* secp160r1 (16) */
290 0,17, /* secp160r2 (17) */
293 static const unsigned char suiteb_curves[] =
295 0, TLSEXT_curve_P_256,
296 0, TLSEXT_curve_P_384
299 int tls1_ec_curve_id2nid(int curve_id)
301 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
302 if ((curve_id < 1) || ((unsigned int)curve_id >
303 sizeof(nid_list)/sizeof(nid_list[0])))
305 return nid_list[curve_id-1];
308 int tls1_ec_nid2curve_id(int nid)
310 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
313 case NID_sect163k1: /* sect163k1 (1) */
315 case NID_sect163r1: /* sect163r1 (2) */
317 case NID_sect163r2: /* sect163r2 (3) */
319 case NID_sect193r1: /* sect193r1 (4) */
321 case NID_sect193r2: /* sect193r2 (5) */
323 case NID_sect233k1: /* sect233k1 (6) */
325 case NID_sect233r1: /* sect233r1 (7) */
327 case NID_sect239k1: /* sect239k1 (8) */
329 case NID_sect283k1: /* sect283k1 (9) */
331 case NID_sect283r1: /* sect283r1 (10) */
333 case NID_sect409k1: /* sect409k1 (11) */
335 case NID_sect409r1: /* sect409r1 (12) */
337 case NID_sect571k1: /* sect571k1 (13) */
339 case NID_sect571r1: /* sect571r1 (14) */
341 case NID_secp160k1: /* secp160k1 (15) */
343 case NID_secp160r1: /* secp160r1 (16) */
345 case NID_secp160r2: /* secp160r2 (17) */
347 case NID_secp192k1: /* secp192k1 (18) */
349 case NID_X9_62_prime192v1: /* secp192r1 (19) */
351 case NID_secp224k1: /* secp224k1 (20) */
353 case NID_secp224r1: /* secp224r1 (21) */
355 case NID_secp256k1: /* secp256k1 (22) */
357 case NID_X9_62_prime256v1: /* secp256r1 (23) */
359 case NID_secp384r1: /* secp384r1 (24) */
361 case NID_secp521r1: /* secp521r1 (25) */
363 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
365 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
367 case NID_brainpoolP512r1: /* brainpool512r1 (28) */
373 /* Get curves list, if "sess" is set return client curves otherwise
376 static void tls1_get_curvelist(SSL *s, int sess,
377 const unsigned char **pcurves,
382 *pcurves = s->session->tlsext_ellipticcurvelist;
383 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
386 /* For Suite B mode only include P-256, P-384 */
387 switch (tls1_suiteb(s))
389 case SSL_CERT_FLAG_SUITEB_128_LOS:
390 *pcurves = suiteb_curves;
391 *pcurveslen = sizeof(suiteb_curves);
394 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
395 *pcurves = suiteb_curves;
399 case SSL_CERT_FLAG_SUITEB_192_LOS:
400 *pcurves = suiteb_curves + 2;
404 *pcurves = s->tlsext_ellipticcurvelist;
405 *pcurveslen = s->tlsext_ellipticcurvelist_length;
409 *pcurves = eccurves_default;
410 *pcurveslen = sizeof(eccurves_default);
413 /* Check a curve is one of our preferences */
414 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
416 const unsigned char *curves;
418 unsigned int suiteb_flags = tls1_suiteb(s);
419 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
421 /* Check curve matches Suite B preferences */
424 unsigned long cid = s->s3->tmp.new_cipher->id;
427 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
429 if (p[2] != TLSEXT_curve_P_256)
432 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
434 if (p[2] != TLSEXT_curve_P_384)
437 else /* Should never happen */
440 tls1_get_curvelist(s, 0, &curves, &curveslen);
441 for (i = 0; i < curveslen; i += 2, curves += 2)
443 if (p[1] == curves[0] && p[2] == curves[1])
449 /* Return nth shared curve. If nmatch == -1 return number of
450 * matches. For nmatch == -2 return the NID of the curve to use for
454 int tls1_shared_curve(SSL *s, int nmatch)
456 const unsigned char *pref, *supp;
457 size_t preflen, supplen, i, j;
459 /* Can't do anything on client side */
466 /* For Suite B ciphersuite determines curve: we
467 * already know these are acceptable due to previous
470 unsigned long cid = s->s3->tmp.new_cipher->id;
471 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
472 return NID_X9_62_prime256v1; /* P-256 */
473 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
474 return NID_secp384r1; /* P-384 */
475 /* Should never happen */
478 /* If not Suite B just return first preference shared curve */
481 tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
483 tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
488 for (i = 0; i < preflen; i++, pref+=2)
490 const unsigned char *tsupp = supp;
491 for (j = 0; j < supplen; j++, tsupp+=2)
493 if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
497 int id = (pref[0] << 8) | pref[1];
498 return tls1_ec_curve_id2nid(id);
509 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
510 int *curves, size_t ncurves)
512 unsigned char *clist, *p;
514 /* Bitmap of curves included to detect duplicates: only works
515 * while curve ids < 32
517 unsigned long dup_list = 0;
518 clist = OPENSSL_malloc(ncurves * 2);
521 for (i = 0, p = clist; i < ncurves; i++)
523 unsigned long idmask;
525 id = tls1_ec_nid2curve_id(curves[i]);
527 if (!id || (dup_list & idmask))
538 *pextlen = ncurves * 2;
542 #define MAX_CURVELIST 25
547 int nid_arr[MAX_CURVELIST];
550 static int nid_cb(const char *elem, int len, void *arg)
552 nid_cb_st *narg = arg;
556 if (narg->nidcnt == MAX_CURVELIST)
558 if (len > (int)(sizeof(etmp) - 1))
560 memcpy(etmp, elem, len);
562 nid = EC_curve_nist2nid(etmp);
563 if (nid == NID_undef)
564 nid = OBJ_sn2nid(etmp);
565 if (nid == NID_undef)
566 nid = OBJ_ln2nid(etmp);
567 if (nid == NID_undef)
569 for (i = 0; i < narg->nidcnt; i++)
570 if (narg->nid_arr[i] == nid)
572 narg->nid_arr[narg->nidcnt++] = nid;
575 /* Set curves based on a colon separate list */
576 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
581 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
585 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
587 /* For an EC key set TLS id and required compression based on parameters */
588 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
594 const EC_METHOD *meth;
597 /* Determine if it is a prime field */
598 grp = EC_KEY_get0_group(ec);
599 pt = EC_KEY_get0_public_key(ec);
602 meth = EC_GROUP_method_of(grp);
605 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
609 /* Determine curve ID */
610 id = EC_GROUP_get_curve_name(grp);
611 id = tls1_ec_nid2curve_id(id);
612 /* If we have an ID set it, otherwise set arbitrary explicit curve */
616 curve_id[1] = (unsigned char)id;
628 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
631 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
633 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
636 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
640 /* Check an EC key is compatible with extensions */
641 static int tls1_check_ec_key(SSL *s,
642 unsigned char *curve_id, unsigned char *comp_id)
644 const unsigned char *p;
647 /* If point formats extension present check it, otherwise everything
648 * is supported (see RFC4492).
650 if (comp_id && s->session->tlsext_ecpointformatlist)
652 p = s->session->tlsext_ecpointformatlist;
653 plen = s->session->tlsext_ecpointformatlist_length;
654 for (i = 0; i < plen; i++, p++)
664 /* Check curve is consistent with client and server preferences */
665 for (j = 0; j <= 1; j++)
667 tls1_get_curvelist(s, j, &p, &plen);
668 for (i = 0; i < plen; i+=2, p+=2)
670 if (p[0] == curve_id[0] && p[1] == curve_id[1])
675 /* For clients can only check sent curve list */
682 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
685 /* If we have a custom point format list use it otherwise
687 if (s->tlsext_ecpointformatlist)
689 *pformats = s->tlsext_ecpointformatlist;
690 *pformatslen = s->tlsext_ecpointformatlist_length;
694 *pformats = ecformats_default;
695 /* For Suite B we don't support char2 fields */
697 *pformatslen = sizeof(ecformats_default) - 1;
699 *pformatslen = sizeof(ecformats_default);
703 /* Check cert parameters compatible with extensions: currently just checks
704 * EC certificates have compatible curves and compression.
706 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
708 unsigned char comp_id, curve_id[2];
711 pkey = X509_get_pubkey(x);
714 /* If not EC nothing to do */
715 if (pkey->type != EVP_PKEY_EC)
720 rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
724 /* Can't check curve_id for client certs as we don't have a
725 * supported curves extension.
727 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
730 /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
731 * SHA384+P-384, adjust digest if necessary.
733 if (set_ee_md && tls1_suiteb(s))
740 /* Check to see we have necessary signing algorithm */
741 if (curve_id[1] == TLSEXT_curve_P_256)
742 check_md = NID_ecdsa_with_SHA256;
743 else if (curve_id[1] == TLSEXT_curve_P_384)
744 check_md = NID_ecdsa_with_SHA384;
746 return 0; /* Should never happen */
747 for (i = 0; i < c->shared_sigalgslen; i++)
748 if (check_md == c->shared_sigalgs[i].signandhash_nid)
750 if (i == c->shared_sigalgslen)
754 if (check_md == NID_ecdsa_with_SHA256)
755 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
757 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
762 /* Check EC temporary key is compatible with client extensions */
763 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
765 unsigned char curve_id[2];
766 EC_KEY *ec = s->cert->ecdh_tmp;
767 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
768 /* Allow any curve: not just those peer supports */
769 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
772 /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
773 * no other curves permitted.
777 /* Curve to check determined by ciphersuite */
778 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
779 curve_id[1] = TLSEXT_curve_P_256;
780 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
781 curve_id[1] = TLSEXT_curve_P_384;
785 /* Check this curve is acceptable */
786 if (!tls1_check_ec_key(s, curve_id, NULL))
788 /* If auto or setting curve from callback assume OK */
789 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
791 /* Otherwise check curve is acceptable */
794 unsigned char curve_tmp[2];
797 if (!tls1_set_ec_id(curve_tmp, NULL, ec))
799 if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
805 if (s->cert->ecdh_tmp_auto)
807 /* Need a shared curve */
808 if (tls1_shared_curve(s, 0))
814 if (s->cert->ecdh_tmp_cb)
819 if (!tls1_set_ec_id(curve_id, NULL, ec))
821 /* Set this to allow use of invalid curves for testing */
825 return tls1_check_ec_key(s, curve_id, NULL);
831 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
836 #endif /* OPENSSL_NO_EC */
838 #ifndef OPENSSL_NO_TLSEXT
840 /* List of supported signature algorithms and hashes. Should make this
841 * customisable at some point, for now include everything we support.
844 #ifdef OPENSSL_NO_RSA
845 #define tlsext_sigalg_rsa(md) /* */
847 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
850 #ifdef OPENSSL_NO_DSA
851 #define tlsext_sigalg_dsa(md) /* */
853 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
856 #ifdef OPENSSL_NO_ECDSA
857 #define tlsext_sigalg_ecdsa(md) /* */
859 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
862 #define tlsext_sigalg(md) \
863 tlsext_sigalg_rsa(md) \
864 tlsext_sigalg_dsa(md) \
865 tlsext_sigalg_ecdsa(md)
867 static unsigned char tls12_sigalgs[] = {
868 #ifndef OPENSSL_NO_SHA512
869 tlsext_sigalg(TLSEXT_hash_sha512)
870 tlsext_sigalg(TLSEXT_hash_sha384)
872 #ifndef OPENSSL_NO_SHA256
873 tlsext_sigalg(TLSEXT_hash_sha256)
874 tlsext_sigalg(TLSEXT_hash_sha224)
876 #ifndef OPENSSL_NO_SHA
877 tlsext_sigalg(TLSEXT_hash_sha1)
879 #ifndef OPENSSL_NO_MD5
880 tlsext_sigalg_rsa(TLSEXT_hash_md5)
883 #ifndef OPENSSL_NO_ECDSA
884 static unsigned char suiteb_sigalgs[] = {
885 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
886 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
889 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
891 /* If Suite B mode use Suite B sigalgs only, ignore any other
894 #ifndef OPENSSL_NO_EC
895 switch (tls1_suiteb(s))
897 case SSL_CERT_FLAG_SUITEB_128_LOS:
898 *psigs = suiteb_sigalgs;
899 return sizeof(suiteb_sigalgs);
901 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
902 *psigs = suiteb_sigalgs;
905 case SSL_CERT_FLAG_SUITEB_192_LOS:
906 *psigs = suiteb_sigalgs + 2;
910 /* If server use client authentication sigalgs if not NULL */
911 if (s->server && s->cert->client_sigalgs)
913 *psigs = s->cert->client_sigalgs;
914 return s->cert->client_sigalgslen;
916 else if (s->cert->conf_sigalgs)
918 *psigs = s->cert->conf_sigalgs;
919 return s->cert->conf_sigalgslen;
923 *psigs = tls12_sigalgs;
925 /* If FIPS mode don't include MD5 which is last */
927 return sizeof(tls12_sigalgs) - 2;
930 return sizeof(tls12_sigalgs);
933 /* Check signature algorithm is consistent with sent supported signature
934 * algorithms and if so return relevant digest.
936 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
937 const unsigned char *sig, EVP_PKEY *pkey)
939 const unsigned char *sent_sigs;
940 size_t sent_sigslen, i;
941 int sigalg = tls12_get_sigid(pkey);
942 /* Should never happen */
945 /* Check key type is consistent with signature */
946 if (sigalg != (int)sig[1])
948 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
951 #ifndef OPENSSL_NO_EC
952 if (pkey->type == EVP_PKEY_EC)
954 unsigned char curve_id[2], comp_id;
955 /* Check compression and curve matches extensions */
956 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
958 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
960 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_CURVE);
963 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
968 if (curve_id[1] == TLSEXT_curve_P_256)
970 if (sig[0] != TLSEXT_hash_sha256)
972 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
973 SSL_R_ILLEGAL_SUITEB_DIGEST);
977 else if (curve_id[1] == TLSEXT_curve_P_384)
979 if (sig[0] != TLSEXT_hash_sha384)
981 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
982 SSL_R_ILLEGAL_SUITEB_DIGEST);
990 else if (tls1_suiteb(s))
994 /* Check signature matches a type we sent */
995 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
996 for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
998 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1001 /* Allow fallback to SHA1 if not strict mode */
1002 if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
1004 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1007 *pmd = tls12_get_hash(sig[0]);
1010 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
1013 /* Store the digest used so applications can retrieve it if they
1016 if (s->session && s->session->sess_cert)
1017 s->session->sess_cert->peer_key->digest = *pmd;
1020 /* Get a mask of disabled algorithms: an algorithm is disabled
1021 * if it isn't supported or doesn't appear in supported signature
1022 * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1023 * session and not global settings.
1026 void ssl_set_client_disabled(SSL *s)
1029 const unsigned char *sigalgs;
1030 size_t i, sigalgslen;
1031 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1034 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1035 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1036 c->mask_ssl = SSL_TLSV1_2;
1039 /* Now go through all signature algorithms seeing if we support
1040 * any for RSA, DSA, ECDSA. Do this for all versions not just
1043 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1044 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
1048 #ifndef OPENSSL_NO_RSA
1049 case TLSEXT_signature_rsa:
1053 #ifndef OPENSSL_NO_DSA
1054 case TLSEXT_signature_dsa:
1058 #ifndef OPENSSL_NO_ECDSA
1059 case TLSEXT_signature_ecdsa:
1065 /* Disable auth and static DH if we don't include any appropriate
1066 * signature algorithms.
1070 c->mask_a |= SSL_aRSA;
1071 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1075 c->mask_a |= SSL_aDSS;
1076 c->mask_k |= SSL_kDHd;
1080 c->mask_a |= SSL_aECDSA;
1081 c->mask_k |= SSL_kECDHe;
1083 #ifndef OPENSSL_NO_KRB5
1084 if (!kssl_tgt_is_available(s->kssl_ctx))
1086 c->mask_a |= SSL_aKRB5;
1087 c->mask_k |= SSL_kKRB5;
1090 #ifndef OPENSSL_NO_PSK
1091 /* with PSK there must be client callback set */
1092 if (!s->psk_client_callback)
1094 c->mask_a |= SSL_aPSK;
1095 c->mask_k |= SSL_kPSK;
1097 #endif /* OPENSSL_NO_PSK */
1101 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1104 unsigned char *ret = p;
1105 #ifndef OPENSSL_NO_EC
1106 /* See if we support any ECC ciphersuites */
1108 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1111 unsigned long alg_k, alg_a;
1112 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1114 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1116 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1118 alg_k = c->algorithm_mkey;
1119 alg_a = c->algorithm_auth;
1120 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
1121 || (alg_a & SSL_aECDSA)))
1130 /* don't add extensions for SSLv3 unless doing secure renegotiation */
1131 if (s->client_version == SSL3_VERSION
1132 && !s->s3->send_connection_binding)
1137 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1139 if (s->tlsext_hostname != NULL)
1141 /* Add TLS extension servername to the Client Hello message */
1142 unsigned long size_str;
1145 /* check for enough space.
1146 4 for the servername type and entension length
1147 2 for servernamelist length
1148 1 for the hostname type
1149 2 for hostname length
1153 if ((lenmax = limit - ret - 9) < 0
1154 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1157 /* extension type and length */
1158 s2n(TLSEXT_TYPE_server_name,ret);
1159 s2n(size_str+5,ret);
1161 /* length of servername list */
1162 s2n(size_str+3,ret);
1164 /* hostname type, length and hostname */
1165 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1167 memcpy(ret, s->tlsext_hostname, size_str);
1171 /* Add RI if renegotiating */
1176 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1178 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1182 if((limit - p - 4 - el) < 0) return NULL;
1184 s2n(TLSEXT_TYPE_renegotiate,ret);
1187 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1189 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1196 #ifndef OPENSSL_NO_SRP
1197 /* Add SRP username if there is one */
1198 if (s->srp_ctx.login != NULL)
1199 { /* Add TLS extension SRP username to the Client Hello message */
1201 int login_len = strlen(s->srp_ctx.login);
1202 if (login_len > 255 || login_len == 0)
1204 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1208 /* check for enough space.
1209 4 for the srp type type and entension length
1210 1 for the srp user identity
1211 + srp user identity length
1213 if ((limit - ret - 5 - login_len) < 0) return NULL;
1215 /* fill in the extension */
1216 s2n(TLSEXT_TYPE_srp,ret);
1217 s2n(login_len+1,ret);
1218 (*ret++) = (unsigned char) login_len;
1219 memcpy(ret, s->srp_ctx.login, login_len);
1224 #ifndef OPENSSL_NO_EC
1227 /* Add TLS extension ECPointFormats to the ClientHello message */
1229 const unsigned char *plist;
1232 tls1_get_formatlist(s, &plist, &plistlen);
1234 if ((lenmax = limit - ret - 5) < 0) return NULL;
1235 if (plistlen > (size_t)lenmax) return NULL;
1238 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1242 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1243 s2n(plistlen + 1,ret);
1244 *(ret++) = (unsigned char)plistlen ;
1245 memcpy(ret, plist, plistlen);
1248 /* Add TLS extension EllipticCurves to the ClientHello message */
1249 plist = s->tlsext_ellipticcurvelist;
1250 tls1_get_curvelist(s, 0, &plist, &plistlen);
1252 if ((lenmax = limit - ret - 6) < 0) return NULL;
1253 if (plistlen > (size_t)lenmax) return NULL;
1254 if (plistlen > 65532)
1256 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1260 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1261 s2n(plistlen + 2, ret);
1263 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1264 * elliptic_curve_list, but the examples use two bytes.
1265 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1266 * resolves this to two bytes.
1269 memcpy(ret, plist, plistlen);
1272 #endif /* OPENSSL_NO_EC */
1274 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
1277 if (!s->new_session && s->session && s->session->tlsext_tick)
1278 ticklen = s->session->tlsext_ticklen;
1279 else if (s->session && s->tlsext_session_ticket &&
1280 s->tlsext_session_ticket->data)
1282 ticklen = s->tlsext_session_ticket->length;
1283 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1284 if (!s->session->tlsext_tick)
1286 memcpy(s->session->tlsext_tick,
1287 s->tlsext_session_ticket->data,
1289 s->session->tlsext_ticklen = ticklen;
1293 if (ticklen == 0 && s->tlsext_session_ticket &&
1294 s->tlsext_session_ticket->data == NULL)
1296 /* Check for enough room 2 for extension type, 2 for len
1299 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1300 s2n(TLSEXT_TYPE_session_ticket,ret);
1304 memcpy(ret, s->session->tlsext_tick, ticklen);
1310 if (SSL_USE_SIGALGS(s))
1313 const unsigned char *salg;
1314 salglen = tls12_get_psigalgs(s, &salg);
1315 if ((size_t)(limit - ret) < salglen + 6)
1317 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1318 s2n(salglen + 2, ret);
1320 memcpy(ret, salg, salglen);
1324 #ifdef TLSEXT_TYPE_opaque_prf_input
1325 if (s->s3->client_opaque_prf_input != NULL)
1327 size_t col = s->s3->client_opaque_prf_input_len;
1329 if ((long)(limit - ret - 6 - col < 0))
1331 if (col > 0xFFFD) /* can't happen */
1334 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1337 memcpy(ret, s->s3->client_opaque_prf_input, col);
1342 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1345 long extlen, idlen, itmp;
1349 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1351 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1352 itmp = i2d_OCSP_RESPID(id, NULL);
1358 if (s->tlsext_ocsp_exts)
1360 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1367 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1368 s2n(TLSEXT_TYPE_status_request, ret);
1369 if (extlen + idlen > 0xFFF0)
1371 s2n(extlen + idlen + 5, ret);
1372 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1374 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1376 /* save position of id len */
1377 unsigned char *q = ret;
1378 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1379 /* skip over id len */
1381 itmp = i2d_OCSP_RESPID(id, &ret);
1387 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1390 #ifndef OPENSSL_NO_HEARTBEATS
1391 /* Add Heartbeat extension */
1392 s2n(TLSEXT_TYPE_heartbeat,ret);
1395 * 1: peer may send requests
1396 * 2: peer not allowed to send requests
1398 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1399 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1401 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1404 #ifndef OPENSSL_NO_NEXTPROTONEG
1405 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1407 /* The client advertises an emtpy extension to indicate its
1408 * support for Next Protocol Negotiation */
1409 if (limit - ret - 4 < 0)
1411 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1416 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1418 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1420 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1421 s2n(2 + s->alpn_client_proto_list_len,ret);
1422 s2n(s->alpn_client_proto_list_len,ret);
1423 memcpy(ret, s->alpn_client_proto_list,
1424 s->alpn_client_proto_list_len);
1425 ret += s->alpn_client_proto_list_len;
1428 if(SSL_get_srtp_profiles(s))
1432 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1434 if((limit - p - 4 - el) < 0) return NULL;
1436 s2n(TLSEXT_TYPE_use_srtp,ret);
1439 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1441 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1447 /* Add custom TLS Extensions to ClientHello */
1448 if (s->ctx->custom_cli_ext_records_count)
1451 custom_cli_ext_record* record;
1453 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
1455 const unsigned char* out = NULL;
1456 unsigned short outlen = 0;
1458 record = &s->ctx->custom_cli_ext_records[i];
1459 /* NULL callback sends empty extension */
1460 /* -1 from callback omits extension */
1464 cb_retval = record->fn1(s, record->ext_type,
1468 return NULL; /* error */
1469 if (cb_retval == -1)
1470 continue; /* skip this extension */
1472 if (limit < ret + 4 + outlen)
1474 s2n(record->ext_type, ret);
1476 memcpy(ret, out, outlen);
1480 #ifdef TLSEXT_TYPE_encrypt_then_mac
1481 s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
1485 if ((extdatalen = ret-p-2) == 0)
1492 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1495 unsigned char *ret = p;
1496 #ifndef OPENSSL_NO_NEXTPROTONEG
1497 int next_proto_neg_seen;
1499 #ifndef OPENSSL_NO_EC
1500 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1501 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1502 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1503 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1505 /* don't add extensions for SSLv3, unless doing secure renegotiation */
1506 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1510 if (ret>=limit) return NULL; /* this really never occurs, but ... */
1512 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1514 if ((long)(limit - ret - 4) < 0) return NULL;
1516 s2n(TLSEXT_TYPE_server_name,ret);
1520 if(s->s3->send_connection_binding)
1524 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1526 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1530 if((limit - p - 4 - el) < 0) return NULL;
1532 s2n(TLSEXT_TYPE_renegotiate,ret);
1535 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1537 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1544 #ifndef OPENSSL_NO_EC
1547 const unsigned char *plist;
1549 /* Add TLS extension ECPointFormats to the ServerHello message */
1552 tls1_get_formatlist(s, &plist, &plistlen);
1554 if ((lenmax = limit - ret - 5) < 0) return NULL;
1555 if (plistlen > (size_t)lenmax) return NULL;
1558 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1562 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1563 s2n(plistlen + 1,ret);
1564 *(ret++) = (unsigned char) plistlen;
1565 memcpy(ret, plist, plistlen);
1569 /* Currently the server should not respond with a SupportedCurves extension */
1570 #endif /* OPENSSL_NO_EC */
1572 if (s->tlsext_ticket_expected
1573 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
1575 if ((long)(limit - ret - 4) < 0) return NULL;
1576 s2n(TLSEXT_TYPE_session_ticket,ret);
1580 if (s->tlsext_status_expected)
1582 if ((long)(limit - ret - 4) < 0) return NULL;
1583 s2n(TLSEXT_TYPE_status_request,ret);
1587 #ifdef TLSEXT_TYPE_opaque_prf_input
1588 if (s->s3->server_opaque_prf_input != NULL)
1590 size_t sol = s->s3->server_opaque_prf_input_len;
1592 if ((long)(limit - ret - 6 - sol) < 0)
1594 if (sol > 0xFFFD) /* can't happen */
1597 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1600 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1609 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1611 if((limit - p - 4 - el) < 0) return NULL;
1613 s2n(TLSEXT_TYPE_use_srtp,ret);
1616 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1618 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1624 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
1625 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1626 { const unsigned char cryptopro_ext[36] = {
1627 0xfd, 0xe8, /*65000*/
1628 0x00, 0x20, /*32 bytes length*/
1629 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1630 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1631 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1632 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1633 if (limit-ret<36) return NULL;
1634 memcpy(ret,cryptopro_ext,36);
1639 #ifndef OPENSSL_NO_HEARTBEATS
1640 /* Add Heartbeat extension if we've received one */
1641 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1643 s2n(TLSEXT_TYPE_heartbeat,ret);
1646 * 1: peer may send requests
1647 * 2: peer not allowed to send requests
1649 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1650 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1652 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1657 #ifndef OPENSSL_NO_NEXTPROTONEG
1658 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1659 s->s3->next_proto_neg_seen = 0;
1660 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1662 const unsigned char *npa;
1663 unsigned int npalen;
1666 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1667 if (r == SSL_TLSEXT_ERR_OK)
1669 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1670 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1672 memcpy(ret, npa, npalen);
1674 s->s3->next_proto_neg_seen = 1;
1679 /* If custom types were sent in ClientHello, add ServerHello responses */
1680 if (s->s3->tlsext_custom_types_count)
1684 for (i = 0; i < s->s3->tlsext_custom_types_count; i++)
1687 custom_srv_ext_record *record;
1689 for (j = 0; j < s->ctx->custom_srv_ext_records_count; j++)
1691 record = &s->ctx->custom_srv_ext_records[j];
1692 if (s->s3->tlsext_custom_types[i] == record->ext_type)
1694 const unsigned char *out = NULL;
1695 unsigned short outlen = 0;
1698 /* NULL callback or -1 omits extension */
1701 cb_retval = record->fn2(s, record->ext_type,
1705 return NULL; /* error */
1706 if (cb_retval == -1)
1707 break; /* skip this extension */
1708 if (limit < ret + 4 + outlen)
1710 s2n(record->ext_type, ret);
1712 memcpy(ret, out, outlen);
1719 #ifdef TLSEXT_TYPE_encrypt_then_mac
1720 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
1722 /* Don't use encrypt_then_mac if AEAD: might want
1723 * to disable for other ciphersuites too.
1725 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD)
1726 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1729 s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
1735 if (s->s3->alpn_selected)
1737 const unsigned char *selected = s->s3->alpn_selected;
1738 unsigned len = s->s3->alpn_selected_len;
1740 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1742 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1746 memcpy(ret, selected, len);
1750 if ((extdatalen = ret-p-2)== 0)
1757 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1759 * data: the contents of the extension, not including the type and length.
1760 * data_len: the number of bytes in |data|
1761 * al: a pointer to the alert value to send in the event of a non-zero
1764 * returns: 0 on success. */
1765 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1766 unsigned data_len, int *al)
1770 const unsigned char *selected;
1771 unsigned char selected_len;
1774 if (s->ctx->alpn_select_cb == NULL)
1780 /* data should contain a uint16 length followed by a series of 8-bit,
1781 * length-prefixed strings. */
1782 i = ((unsigned) data[0]) << 8 |
1783 ((unsigned) data[1]);
1792 for (i = 0; i < data_len;)
1794 proto_len = data[i];
1800 if (i + proto_len < i || i + proto_len > data_len)
1806 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1807 s->ctx->alpn_select_cb_arg);
1808 if (r == SSL_TLSEXT_ERR_OK) {
1809 if (s->s3->alpn_selected)
1810 OPENSSL_free(s->s3->alpn_selected);
1811 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1812 if (!s->s3->alpn_selected)
1814 *al = SSL_AD_INTERNAL_ERROR;
1817 memcpy(s->s3->alpn_selected, selected, selected_len);
1818 s->s3->alpn_selected_len = selected_len;
1823 *al = SSL_AD_DECODE_ERROR;
1827 #ifndef OPENSSL_NO_EC
1828 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
1829 * SecureTransport using the TLS extension block in |d|, of length |n|.
1830 * Safari, since 10.6, sends exactly these extensions, in this order:
1835 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1836 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1837 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1838 * 10.8..10.8.3 (which don't work).
1840 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
1841 unsigned short type, size;
1842 static const unsigned char kSafariExtensionsBlock[] = {
1843 0x00, 0x0a, /* elliptic_curves extension */
1844 0x00, 0x08, /* 8 bytes */
1845 0x00, 0x06, /* 6 bytes of curve ids */
1846 0x00, 0x17, /* P-256 */
1847 0x00, 0x18, /* P-384 */
1848 0x00, 0x19, /* P-521 */
1850 0x00, 0x0b, /* ec_point_formats */
1851 0x00, 0x02, /* 2 bytes */
1852 0x01, /* 1 point format */
1853 0x00, /* uncompressed */
1856 /* The following is only present in TLS 1.2 */
1857 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1858 0x00, 0x0d, /* signature_algorithms */
1859 0x00, 0x0c, /* 12 bytes */
1860 0x00, 0x0a, /* 10 bytes */
1861 0x05, 0x01, /* SHA-384/RSA */
1862 0x04, 0x01, /* SHA-256/RSA */
1863 0x02, 0x01, /* SHA-1/RSA */
1864 0x04, 0x03, /* SHA-256/ECDSA */
1865 0x02, 0x03, /* SHA-1/ECDSA */
1868 if (data >= (d+n-2))
1877 if (type != TLSEXT_TYPE_server_name)
1880 if (data+size > d+n)
1884 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
1886 const size_t len1 = sizeof(kSafariExtensionsBlock);
1887 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1889 if (data + len1 + len2 != d+n)
1891 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1893 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1898 const size_t len = sizeof(kSafariExtensionsBlock);
1900 if (data + len != d+n)
1902 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1906 s->s3->is_probably_safari = 1;
1908 #endif /* !OPENSSL_NO_EC */
1910 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1912 unsigned short type;
1913 unsigned short size;
1915 unsigned char *data = *p;
1916 int renegotiate_seen = 0;
1919 s->servername_done = 0;
1920 s->tlsext_status_type = -1;
1921 #ifndef OPENSSL_NO_NEXTPROTONEG
1922 s->s3->next_proto_neg_seen = 0;
1925 if (s->s3->alpn_selected)
1927 OPENSSL_free(s->s3->alpn_selected);
1928 s->s3->alpn_selected = NULL;
1931 /* Clear observed custom extensions */
1932 s->s3->tlsext_custom_types_count = 0;
1933 if (s->s3->tlsext_custom_types != NULL)
1935 OPENSSL_free(s->s3->tlsext_custom_types);
1936 s->s3->tlsext_custom_types = NULL;
1939 #ifndef OPENSSL_NO_HEARTBEATS
1940 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1941 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1944 #ifndef OPENSSL_NO_EC
1945 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1946 ssl_check_for_safari(s, data, d, n);
1947 #endif /* !OPENSSL_NO_EC */
1949 /* Clear any signature algorithms extension received */
1950 if (s->cert->peer_sigalgs)
1952 OPENSSL_free(s->cert->peer_sigalgs);
1953 s->cert->peer_sigalgs = NULL;
1955 /* Clear any shared sigtnature algorithms */
1956 if (s->cert->shared_sigalgs)
1958 OPENSSL_free(s->cert->shared_sigalgs);
1959 s->cert->shared_sigalgs = NULL;
1961 /* Clear certificate digests and validity flags */
1962 for (i = 0; i < SSL_PKEY_NUM; i++)
1964 s->cert->pkeys[i].digest = NULL;
1965 s->cert->pkeys[i].valid_flags = 0;
1968 #ifdef TLSEXT_TYPE_encrypt_then_mac
1969 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1972 if (data >= (d+n-2))
1976 if (data > (d+n-len))
1979 while (data <= (d+n-4))
1984 if (data+size > (d+n))
1987 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1989 if (s->tlsext_debug_cb)
1990 s->tlsext_debug_cb(s, 0, type, data, size,
1991 s->tlsext_debug_arg);
1992 /* The servername extension is treated as follows:
1994 - Only the hostname type is supported with a maximum length of 255.
1995 - The servername is rejected if too long or if it contains zeros,
1996 in which case an fatal alert is generated.
1997 - The servername field is maintained together with the session cache.
1998 - When a session is resumed, the servername call back invoked in order
1999 to allow the application to position itself to the right context.
2000 - The servername is acknowledged if it is new for a session or when
2001 it is identical to a previously used for the same session.
2002 Applications can control the behaviour. They can at any time
2003 set a 'desirable' servername for a new SSL object. This can be the
2004 case for example with HTTPS when a Host: header field is received and
2005 a renegotiation is requested. In this case, a possible servername
2006 presented in the new client hello is only acknowledged if it matches
2007 the value of the Host: field.
2008 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2009 if they provide for changing an explicit servername context for the session,
2010 i.e. when the session has been established with a servername extension.
2011 - On session reconnect, the servername extension may be absent.
2015 if (type == TLSEXT_TYPE_server_name)
2017 unsigned char *sdata;
2023 *al = SSL_AD_DECODE_ERROR;
2030 *al = SSL_AD_DECODE_ERROR;
2037 servname_type = *(sdata++);
2043 *al = SSL_AD_DECODE_ERROR;
2046 if (s->servername_done == 0)
2047 switch (servname_type)
2049 case TLSEXT_NAMETYPE_host_name:
2052 if(s->session->tlsext_hostname)
2054 *al = SSL_AD_DECODE_ERROR;
2057 if (len > TLSEXT_MAXLEN_host_name)
2059 *al = TLS1_AD_UNRECOGNIZED_NAME;
2062 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2064 *al = TLS1_AD_INTERNAL_ERROR;
2067 memcpy(s->session->tlsext_hostname, sdata, len);
2068 s->session->tlsext_hostname[len]='\0';
2069 if (strlen(s->session->tlsext_hostname) != len) {
2070 OPENSSL_free(s->session->tlsext_hostname);
2071 s->session->tlsext_hostname = NULL;
2072 *al = TLS1_AD_UNRECOGNIZED_NAME;
2075 s->servername_done = 1;
2079 s->servername_done = s->session->tlsext_hostname
2080 && strlen(s->session->tlsext_hostname) == len
2081 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2093 *al = SSL_AD_DECODE_ERROR;
2098 #ifndef OPENSSL_NO_SRP
2099 else if (type == TLSEXT_TYPE_srp)
2101 if (size <= 0 || ((len = data[0])) != (size -1))
2103 *al = SSL_AD_DECODE_ERROR;
2106 if (s->srp_ctx.login != NULL)
2108 *al = SSL_AD_DECODE_ERROR;
2111 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
2113 memcpy(s->srp_ctx.login, &data[1], len);
2114 s->srp_ctx.login[len]='\0';
2116 if (strlen(s->srp_ctx.login) != len)
2118 *al = SSL_AD_DECODE_ERROR;
2124 #ifndef OPENSSL_NO_EC
2125 else if (type == TLSEXT_TYPE_ec_point_formats)
2127 unsigned char *sdata = data;
2128 int ecpointformatlist_length = *(sdata++);
2130 if (ecpointformatlist_length != size - 1 ||
2131 ecpointformatlist_length < 1)
2133 *al = TLS1_AD_DECODE_ERROR;
2138 if(s->session->tlsext_ecpointformatlist)
2140 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2141 s->session->tlsext_ecpointformatlist = NULL;
2143 s->session->tlsext_ecpointformatlist_length = 0;
2144 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2146 *al = TLS1_AD_INTERNAL_ERROR;
2149 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2150 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2153 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2154 sdata = s->session->tlsext_ecpointformatlist;
2155 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2156 fprintf(stderr,"%i ",*(sdata++));
2157 fprintf(stderr,"\n");
2160 else if (type == TLSEXT_TYPE_elliptic_curves)
2162 unsigned char *sdata = data;
2163 int ellipticcurvelist_length = (*(sdata++) << 8);
2164 ellipticcurvelist_length += (*(sdata++));
2166 if (ellipticcurvelist_length != size - 2 ||
2167 ellipticcurvelist_length < 1)
2169 *al = TLS1_AD_DECODE_ERROR;
2174 if(s->session->tlsext_ellipticcurvelist)
2176 *al = TLS1_AD_DECODE_ERROR;
2179 s->session->tlsext_ellipticcurvelist_length = 0;
2180 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2182 *al = TLS1_AD_INTERNAL_ERROR;
2185 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2186 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2189 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2190 sdata = s->session->tlsext_ellipticcurvelist;
2191 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2192 fprintf(stderr,"%i ",*(sdata++));
2193 fprintf(stderr,"\n");
2196 #endif /* OPENSSL_NO_EC */
2197 #ifdef TLSEXT_TYPE_opaque_prf_input
2198 else if (type == TLSEXT_TYPE_opaque_prf_input)
2200 unsigned char *sdata = data;
2204 *al = SSL_AD_DECODE_ERROR;
2207 n2s(sdata, s->s3->client_opaque_prf_input_len);
2208 if (s->s3->client_opaque_prf_input_len != size - 2)
2210 *al = SSL_AD_DECODE_ERROR;
2214 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2215 OPENSSL_free(s->s3->client_opaque_prf_input);
2216 if (s->s3->client_opaque_prf_input_len == 0)
2217 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2219 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2220 if (s->s3->client_opaque_prf_input == NULL)
2222 *al = TLS1_AD_INTERNAL_ERROR;
2227 else if (type == TLSEXT_TYPE_session_ticket)
2229 if (s->tls_session_ticket_ext_cb &&
2230 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2232 *al = TLS1_AD_INTERNAL_ERROR;
2236 else if (type == TLSEXT_TYPE_renegotiate)
2238 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2240 renegotiate_seen = 1;
2242 else if (type == TLSEXT_TYPE_signature_algorithms)
2245 if (s->cert->peer_sigalgs || size < 2)
2247 *al = SSL_AD_DECODE_ERROR;
2252 if (dsize != size || dsize & 1 || !dsize)
2254 *al = SSL_AD_DECODE_ERROR;
2257 if (!tls1_process_sigalgs(s, data, dsize))
2259 *al = SSL_AD_DECODE_ERROR;
2262 /* If sigalgs received and no shared algorithms fatal
2265 if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
2267 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2268 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2269 *al = SSL_AD_ILLEGAL_PARAMETER;
2273 else if (type == TLSEXT_TYPE_status_request
2274 && s->ctx->tlsext_status_cb)
2279 *al = SSL_AD_DECODE_ERROR;
2283 s->tlsext_status_type = *data++;
2285 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2287 const unsigned char *sdata;
2289 /* Read in responder_id_list */
2294 *al = SSL_AD_DECODE_ERROR;
2303 *al = SSL_AD_DECODE_ERROR;
2307 dsize -= 2 + idsize;
2311 *al = SSL_AD_DECODE_ERROR;
2316 id = d2i_OCSP_RESPID(NULL,
2320 *al = SSL_AD_DECODE_ERROR;
2325 OCSP_RESPID_free(id);
2326 *al = SSL_AD_DECODE_ERROR;
2329 if (!s->tlsext_ocsp_ids
2330 && !(s->tlsext_ocsp_ids =
2331 sk_OCSP_RESPID_new_null()))
2333 OCSP_RESPID_free(id);
2334 *al = SSL_AD_INTERNAL_ERROR;
2337 if (!sk_OCSP_RESPID_push(
2338 s->tlsext_ocsp_ids, id))
2340 OCSP_RESPID_free(id);
2341 *al = SSL_AD_INTERNAL_ERROR;
2346 /* Read in request_extensions */
2349 *al = SSL_AD_DECODE_ERROR;
2356 *al = SSL_AD_DECODE_ERROR;
2362 if (s->tlsext_ocsp_exts)
2364 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2365 X509_EXTENSION_free);
2368 s->tlsext_ocsp_exts =
2369 d2i_X509_EXTENSIONS(NULL,
2371 if (!s->tlsext_ocsp_exts
2372 || (data + dsize != sdata))
2374 *al = SSL_AD_DECODE_ERROR;
2379 /* We don't know what to do with any other type
2383 s->tlsext_status_type = -1;
2385 #ifndef OPENSSL_NO_HEARTBEATS
2386 else if (type == TLSEXT_TYPE_heartbeat)
2390 case 0x01: /* Client allows us to send HB requests */
2391 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2393 case 0x02: /* Client doesn't accept HB requests */
2394 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2395 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2397 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2402 #ifndef OPENSSL_NO_NEXTPROTONEG
2403 else if (type == TLSEXT_TYPE_next_proto_neg &&
2404 s->s3->tmp.finish_md_len == 0 &&
2405 s->s3->alpn_selected == NULL)
2407 /* We shouldn't accept this extension on a
2410 * s->new_session will be set on renegotiation, but we
2411 * probably shouldn't rely that it couldn't be set on
2412 * the initial renegotation too in certain cases (when
2413 * there's some other reason to disallow resuming an
2414 * earlier session -- the current code won't be doing
2415 * anything like that, but this might change).
2417 * A valid sign that there's been a previous handshake
2418 * in this connection is if s->s3->tmp.finish_md_len >
2419 * 0. (We are talking about a check that will happen
2420 * in the Hello protocol round, well before a new
2421 * Finished message could have been computed.) */
2422 s->s3->next_proto_neg_seen = 1;
2426 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2427 s->ctx->alpn_select_cb &&
2428 s->s3->tmp.finish_md_len == 0)
2430 if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2432 /* ALPN takes precedence over NPN. */
2433 s->s3->next_proto_neg_seen = 0;
2436 /* session ticket processed earlier */
2437 else if (type == TLSEXT_TYPE_use_srtp)
2439 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2443 /* If this ClientHello extension was unhandled and this is
2444 * a nonresumed connection, check whether the extension is a
2445 * custom TLS Extension (has a custom_srv_ext_record), and if
2446 * so call the callback and record the extension number so that
2447 * an appropriate ServerHello may be later returned.
2449 else if (!s->hit && s->ctx->custom_srv_ext_records_count)
2451 custom_srv_ext_record *record;
2453 for (i=0; i < s->ctx->custom_srv_ext_records_count; i++)
2455 record = &s->ctx->custom_srv_ext_records[i];
2456 if (type == record->ext_type)
2460 /* Error on duplicate TLS Extensions */
2461 for (j = 0; j < s->s3->tlsext_custom_types_count; j++)
2463 if (type == s->s3->tlsext_custom_types[j])
2465 *al = TLS1_AD_DECODE_ERROR;
2470 /* NULL callback still notes the extension */
2471 if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
2474 /* Add the (non-duplicated) entry */
2475 s->s3->tlsext_custom_types_count++;
2476 s->s3->tlsext_custom_types = OPENSSL_realloc(
2477 s->s3->tlsext_custom_types,
2478 s->s3->tlsext_custom_types_count * 2);
2479 if (s->s3->tlsext_custom_types == NULL)
2481 s->s3->tlsext_custom_types = 0;
2482 *al = TLS1_AD_INTERNAL_ERROR;
2485 s->s3->tlsext_custom_types[
2486 s->s3->tlsext_custom_types_count - 1] = type;
2490 #ifdef TLSEXT_TYPE_encrypt_then_mac
2491 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2492 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2502 /* Need RI if renegotiating */
2504 if (!renegotiate_seen && s->renegotiate &&
2505 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2507 *al = SSL_AD_HANDSHAKE_FAILURE;
2508 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2509 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2512 /* If no signature algorithms extension set default values */
2513 if (!s->cert->peer_sigalgs)
2514 ssl_cert_set_default_md(s->cert);
2519 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
2522 if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0)
2524 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2528 if (ssl_check_clienthello_tlsext_early(s) <= 0)
2530 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
2536 #ifndef OPENSSL_NO_NEXTPROTONEG
2537 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2538 * elements of zero length are allowed and the set of elements must exactly fill
2539 * the length of the block. */
2540 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2542 unsigned int off = 0;
2556 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2558 unsigned short length;
2559 unsigned short type;
2560 unsigned short size;
2561 unsigned char *data = *p;
2562 int tlsext_servername = 0;
2563 int renegotiate_seen = 0;
2565 #ifndef OPENSSL_NO_NEXTPROTONEG
2566 s->s3->next_proto_neg_seen = 0;
2569 if (s->s3->alpn_selected)
2571 OPENSSL_free(s->s3->alpn_selected);
2572 s->s3->alpn_selected = NULL;
2575 #ifndef OPENSSL_NO_HEARTBEATS
2576 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2577 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2580 #ifdef TLSEXT_TYPE_encrypt_then_mac
2581 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2584 if (data >= (d+n-2))
2588 if (data+length != d+n)
2590 *al = SSL_AD_DECODE_ERROR;
2594 while(data <= (d+n-4))
2599 if (data+size > (d+n))
2602 if (s->tlsext_debug_cb)
2603 s->tlsext_debug_cb(s, 1, type, data, size,
2604 s->tlsext_debug_arg);
2606 if (type == TLSEXT_TYPE_server_name)
2608 if (s->tlsext_hostname == NULL || size > 0)
2610 *al = TLS1_AD_UNRECOGNIZED_NAME;
2613 tlsext_servername = 1;
2616 #ifndef OPENSSL_NO_EC
2617 else if (type == TLSEXT_TYPE_ec_point_formats)
2619 unsigned char *sdata = data;
2620 int ecpointformatlist_length = *(sdata++);
2622 if (ecpointformatlist_length != size - 1)
2624 *al = TLS1_AD_DECODE_ERROR;
2627 s->session->tlsext_ecpointformatlist_length = 0;
2628 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2629 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2631 *al = TLS1_AD_INTERNAL_ERROR;
2634 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2635 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2637 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2638 sdata = s->session->tlsext_ecpointformatlist;
2639 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2640 fprintf(stderr,"%i ",*(sdata++));
2641 fprintf(stderr,"\n");
2644 #endif /* OPENSSL_NO_EC */
2646 else if (type == TLSEXT_TYPE_session_ticket)
2648 if (s->tls_session_ticket_ext_cb &&
2649 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2651 *al = TLS1_AD_INTERNAL_ERROR;
2654 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2657 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2660 s->tlsext_ticket_expected = 1;
2662 #ifdef TLSEXT_TYPE_opaque_prf_input
2663 else if (type == TLSEXT_TYPE_opaque_prf_input)
2665 unsigned char *sdata = data;
2669 *al = SSL_AD_DECODE_ERROR;
2672 n2s(sdata, s->s3->server_opaque_prf_input_len);
2673 if (s->s3->server_opaque_prf_input_len != size - 2)
2675 *al = SSL_AD_DECODE_ERROR;
2679 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2680 OPENSSL_free(s->s3->server_opaque_prf_input);
2681 if (s->s3->server_opaque_prf_input_len == 0)
2682 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2684 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2686 if (s->s3->server_opaque_prf_input == NULL)
2688 *al = TLS1_AD_INTERNAL_ERROR;
2693 else if (type == TLSEXT_TYPE_status_request)
2695 /* MUST be empty and only sent if we've requested
2696 * a status request message.
2698 if ((s->tlsext_status_type == -1) || (size > 0))
2700 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2703 /* Set flag to expect CertificateStatus message */
2704 s->tlsext_status_expected = 1;
2706 #ifndef OPENSSL_NO_NEXTPROTONEG
2707 else if (type == TLSEXT_TYPE_next_proto_neg &&
2708 s->s3->tmp.finish_md_len == 0)
2710 unsigned char *selected;
2711 unsigned char selected_len;
2713 /* We must have requested it. */
2714 if (s->ctx->next_proto_select_cb == NULL)
2716 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2719 /* The data must be valid */
2720 if (!ssl_next_proto_validate(data, size))
2722 *al = TLS1_AD_DECODE_ERROR;
2725 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2727 *al = TLS1_AD_INTERNAL_ERROR;
2730 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2731 if (!s->next_proto_negotiated)
2733 *al = TLS1_AD_INTERNAL_ERROR;
2736 memcpy(s->next_proto_negotiated, selected, selected_len);
2737 s->next_proto_negotiated_len = selected_len;
2738 s->s3->next_proto_neg_seen = 1;
2742 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
2746 /* We must have requested it. */
2747 if (s->alpn_client_proto_list == NULL)
2749 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2754 *al = TLS1_AD_DECODE_ERROR;
2757 /* The extension data consists of:
2758 * uint16 list_length
2759 * uint8 proto_length;
2760 * uint8 proto[proto_length]; */
2764 if (len != (unsigned) size - 2)
2766 *al = TLS1_AD_DECODE_ERROR;
2770 if (len != (unsigned) size - 3)
2772 *al = TLS1_AD_DECODE_ERROR;
2775 if (s->s3->alpn_selected)
2776 OPENSSL_free(s->s3->alpn_selected);
2777 s->s3->alpn_selected = OPENSSL_malloc(len);
2778 if (!s->s3->alpn_selected)
2780 *al = TLS1_AD_INTERNAL_ERROR;
2783 memcpy(s->s3->alpn_selected, data + 3, len);
2784 s->s3->alpn_selected_len = len;
2787 else if (type == TLSEXT_TYPE_renegotiate)
2789 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2791 renegotiate_seen = 1;
2793 #ifndef OPENSSL_NO_HEARTBEATS
2794 else if (type == TLSEXT_TYPE_heartbeat)
2798 case 0x01: /* Server allows us to send HB requests */
2799 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2801 case 0x02: /* Server doesn't accept HB requests */
2802 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2803 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2805 default: *al = SSL_AD_ILLEGAL_PARAMETER;
2810 else if (type == TLSEXT_TYPE_use_srtp)
2812 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2816 /* If this extension type was not otherwise handled, but
2817 * matches a custom_cli_ext_record, then send it to the c
2819 else if (s->ctx->custom_cli_ext_records_count)
2822 custom_cli_ext_record* record;
2824 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
2826 record = &s->ctx->custom_cli_ext_records[i];
2827 if (record->ext_type == type)
2829 if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
2835 #ifdef TLSEXT_TYPE_encrypt_then_mac
2836 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2838 /* Ignore if inappropriate ciphersuite */
2839 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD)
2840 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2849 *al = SSL_AD_DECODE_ERROR;
2853 if (!s->hit && tlsext_servername == 1)
2855 if (s->tlsext_hostname)
2857 if (s->session->tlsext_hostname == NULL)
2859 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2860 if (!s->session->tlsext_hostname)
2862 *al = SSL_AD_UNRECOGNIZED_NAME;
2868 *al = SSL_AD_DECODE_ERROR;
2878 /* Determine if we need to see RI. Strictly speaking if we want to
2879 * avoid an attack we should *always* see RI even on initial server
2880 * hello because the client doesn't see any renegotiation during an
2881 * attack. However this would mean we could not connect to any server
2882 * which doesn't support RI so for the immediate future tolerate RI
2883 * absence on initial connect only.
2885 if (!renegotiate_seen
2886 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2887 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2889 *al = SSL_AD_HANDSHAKE_FAILURE;
2890 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2891 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2899 int ssl_prepare_clienthello_tlsext(SSL *s)
2902 #ifdef TLSEXT_TYPE_opaque_prf_input
2906 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2908 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2913 if (s->tlsext_opaque_prf_input != NULL)
2915 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2916 OPENSSL_free(s->s3->client_opaque_prf_input);
2918 if (s->tlsext_opaque_prf_input_len == 0)
2919 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2921 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2922 if (s->s3->client_opaque_prf_input == NULL)
2924 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2927 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2931 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2932 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2939 int ssl_prepare_serverhello_tlsext(SSL *s)
2944 static int ssl_check_clienthello_tlsext_early(SSL *s)
2946 int ret=SSL_TLSEXT_ERR_NOACK;
2947 int al = SSL_AD_UNRECOGNIZED_NAME;
2949 #ifndef OPENSSL_NO_EC
2950 /* The handling of the ECPointFormats extension is done elsewhere, namely in
2951 * ssl3_choose_cipher in s3_lib.c.
2953 /* The handling of the EllipticCurves extension is done elsewhere, namely in
2954 * ssl3_choose_cipher in s3_lib.c.
2958 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2959 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2960 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2961 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2963 #ifdef TLSEXT_TYPE_opaque_prf_input
2965 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2966 * but we might be sending an alert in response to the client hello,
2967 * so this has to happen here in
2968 * ssl_check_clienthello_tlsext_early(). */
2972 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2974 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2977 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2978 al = SSL_AD_INTERNAL_ERROR;
2983 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2984 OPENSSL_free(s->s3->server_opaque_prf_input);
2985 s->s3->server_opaque_prf_input = NULL;
2987 if (s->tlsext_opaque_prf_input != NULL)
2989 if (s->s3->client_opaque_prf_input != NULL &&
2990 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2992 /* can only use this extension if we have a server opaque PRF input
2993 * of the same length as the client opaque PRF input! */
2995 if (s->tlsext_opaque_prf_input_len == 0)
2996 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2998 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2999 if (s->s3->server_opaque_prf_input == NULL)
3001 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3002 al = SSL_AD_INTERNAL_ERROR;
3005 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3009 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
3011 /* The callback wants to enforce use of the extension,
3012 * but we can't do that with the client opaque PRF input;
3013 * abort the handshake.
3015 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3016 al = SSL_AD_HANDSHAKE_FAILURE;
3024 case SSL_TLSEXT_ERR_ALERT_FATAL:
3025 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3028 case SSL_TLSEXT_ERR_ALERT_WARNING:
3029 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3032 case SSL_TLSEXT_ERR_NOACK:
3033 s->servername_done=0;
3039 int ssl_check_clienthello_tlsext_late(SSL *s)
3041 int ret = SSL_TLSEXT_ERR_OK;
3044 /* If status request then ask callback what to do.
3045 * Note: this must be called after servername callbacks in case
3046 * the certificate has changed, and must be called after the cipher
3047 * has been chosen because this may influence which certificate is sent
3049 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
3052 CERT_PKEY *certpkey;
3053 certpkey = ssl_get_server_send_pkey(s);
3054 /* If no certificate can't return certificate status */
3055 if (certpkey == NULL)
3057 s->tlsext_status_expected = 0;
3060 /* Set current certificate to one we will use so
3061 * SSL_get_certificate et al can pick it up.
3063 s->cert->key = certpkey;
3064 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3067 /* We don't want to send a status request response */
3068 case SSL_TLSEXT_ERR_NOACK:
3069 s->tlsext_status_expected = 0;
3071 /* status request response should be sent */
3072 case SSL_TLSEXT_ERR_OK:
3073 if (s->tlsext_ocsp_resp)
3074 s->tlsext_status_expected = 1;
3076 s->tlsext_status_expected = 0;
3078 /* something bad happened */
3079 case SSL_TLSEXT_ERR_ALERT_FATAL:
3080 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3081 al = SSL_AD_INTERNAL_ERROR;
3086 s->tlsext_status_expected = 0;
3091 case SSL_TLSEXT_ERR_ALERT_FATAL:
3092 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3095 case SSL_TLSEXT_ERR_ALERT_WARNING:
3096 ssl3_send_alert(s, SSL3_AL_WARNING, al);
3104 int ssl_check_serverhello_tlsext(SSL *s)
3106 int ret=SSL_TLSEXT_ERR_NOACK;
3107 int al = SSL_AD_UNRECOGNIZED_NAME;
3109 #ifndef OPENSSL_NO_EC
3110 /* If we are client and using an elliptic curve cryptography cipher
3111 * suite, then if server returns an EC point formats lists extension
3112 * it must contain uncompressed.
3114 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3115 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3116 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
3117 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
3118 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
3120 /* we are using an ECC cipher */
3122 unsigned char *list;
3123 int found_uncompressed = 0;
3124 list = s->session->tlsext_ecpointformatlist;
3125 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
3127 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
3129 found_uncompressed = 1;
3133 if (!found_uncompressed)
3135 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3139 ret = SSL_TLSEXT_ERR_OK;
3140 #endif /* OPENSSL_NO_EC */
3142 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3143 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3144 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
3145 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3147 #ifdef TLSEXT_TYPE_opaque_prf_input
3148 if (s->s3->server_opaque_prf_input_len > 0)
3150 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
3151 * So first verify that we really have a value from the server too. */
3153 if (s->s3->server_opaque_prf_input == NULL)
3155 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3156 al = SSL_AD_HANDSHAKE_FAILURE;
3159 /* Anytime the server *has* sent an opaque PRF input, we need to check
3160 * that we have a client opaque PRF input of the same size. */
3161 if (s->s3->client_opaque_prf_input == NULL ||
3162 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
3164 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3165 al = SSL_AD_ILLEGAL_PARAMETER;
3170 /* If we've requested certificate status and we wont get one
3173 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3174 && s->ctx && s->ctx->tlsext_status_cb)
3177 /* Set resp to NULL, resplen to -1 so callback knows
3178 * there is no response.
3180 if (s->tlsext_ocsp_resp)
3182 OPENSSL_free(s->tlsext_ocsp_resp);
3183 s->tlsext_ocsp_resp = NULL;
3185 s->tlsext_ocsp_resplen = -1;
3186 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3189 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3190 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3194 al = SSL_AD_INTERNAL_ERROR;
3195 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3201 case SSL_TLSEXT_ERR_ALERT_FATAL:
3202 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3205 case SSL_TLSEXT_ERR_ALERT_WARNING:
3206 ssl3_send_alert(s,SSL3_AL_WARNING,al);
3209 case SSL_TLSEXT_ERR_NOACK:
3210 s->servername_done=0;
3216 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
3219 if (s->version < SSL3_VERSION)
3221 if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0)
3223 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3227 if (ssl_check_serverhello_tlsext(s) <= 0)
3229 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
3235 /* Since the server cache lookup is done early on in the processing of the
3236 * ClientHello, and other operations depend on the result, we need to handle
3237 * any TLS session ticket extension at the same time.
3239 * session_id: points at the session ID in the ClientHello. This code will
3240 * read past the end of this in order to parse out the session ticket
3241 * extension, if any.
3242 * len: the length of the session ID.
3243 * limit: a pointer to the first byte after the ClientHello.
3244 * ret: (output) on return, if a ticket was decrypted, then this is set to
3245 * point to the resulting session.
3247 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3248 * ciphersuite, in which case we have no use for session tickets and one will
3249 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3252 * -1: fatal error, either from parsing or decrypting the ticket.
3253 * 0: no ticket was found (or was ignored, based on settings).
3254 * 1: a zero length extension was found, indicating that the client supports
3255 * session tickets but doesn't currently have one to offer.
3256 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
3257 * couldn't be decrypted because of a non-fatal error.
3258 * 3: a ticket was successfully decrypted and *ret was set.
3261 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3262 * a new session ticket to the client because the client indicated support
3263 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3264 * a session ticket or we couldn't use the one it gave us, or if
3265 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3266 * Otherwise, s->tlsext_ticket_expected is set to 0.
3268 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3269 const unsigned char *limit, SSL_SESSION **ret)
3271 /* Point after session ID in client hello */
3272 const unsigned char *p = session_id + len;
3276 s->tlsext_ticket_expected = 0;
3278 /* If tickets disabled behave as if no ticket present
3279 * to permit stateful resumption.
3281 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3283 if ((s->version <= SSL3_VERSION) || !limit)
3287 /* Skip past DTLS cookie */
3295 /* Skip past cipher list */
3300 /* Skip past compression algorithm list */
3305 /* Now at start of extensions */
3306 if ((p + 2) >= limit)
3309 while ((p + 4) <= limit)
3311 unsigned short type, size;
3314 if (p + size > limit)
3316 if (type == TLSEXT_TYPE_session_ticket)
3321 /* The client will accept a ticket but doesn't
3322 * currently have one. */
3323 s->tlsext_ticket_expected = 1;
3326 if (s->tls_session_secret_cb)
3328 /* Indicate that the ticket couldn't be
3329 * decrypted rather than generating the session
3330 * from ticket now, trigger abbreviated
3331 * handshake based on external mechanism to
3332 * calculate the master secret later. */
3335 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3338 case 2: /* ticket couldn't be decrypted */
3339 s->tlsext_ticket_expected = 1;
3341 case 3: /* ticket was decrypted */
3343 case 4: /* ticket decrypted but need to renew */
3344 s->tlsext_ticket_expected = 1;
3346 default: /* fatal error */
3355 /* tls_decrypt_ticket attempts to decrypt a session ticket.
3357 * etick: points to the body of the session ticket extension.
3358 * eticklen: the length of the session tickets extenion.
3359 * sess_id: points at the session ID.
3360 * sesslen: the length of the session ID.
3361 * psess: (output) on return, if a ticket was decrypted, then this is set to
3362 * point to the resulting session.
3365 * -1: fatal error, either from parsing or decrypting the ticket.
3366 * 2: the ticket couldn't be decrypted.
3367 * 3: a ticket was successfully decrypted and *psess was set.
3368 * 4: same as 3, but the ticket needs to be renewed.
3370 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
3371 const unsigned char *sess_id, int sesslen,
3372 SSL_SESSION **psess)
3375 unsigned char *sdec;
3376 const unsigned char *p;
3377 int slen, mlen, renew_ticket = 0;
3378 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3381 SSL_CTX *tctx = s->initial_ctx;
3382 /* Need at least keyname + iv + some encrypted data */
3385 /* Initialize session ticket encryption and HMAC contexts */
3386 HMAC_CTX_init(&hctx);
3387 EVP_CIPHER_CTX_init(&ctx);
3388 if (tctx->tlsext_ticket_key_cb)
3390 unsigned char *nctick = (unsigned char *)etick;
3391 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3402 /* Check key name matches */
3403 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3405 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3406 tlsext_tick_md(), NULL);
3407 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3408 tctx->tlsext_tick_aes_key, etick + 16);
3410 /* Attempt to process session ticket, first conduct sanity and
3411 * integrity checks on ticket.
3413 mlen = HMAC_size(&hctx);
3416 EVP_CIPHER_CTX_cleanup(&ctx);
3420 /* Check HMAC of encrypted ticket */
3421 HMAC_Update(&hctx, etick, eticklen);
3422 HMAC_Final(&hctx, tick_hmac, NULL);
3423 HMAC_CTX_cleanup(&hctx);
3424 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
3426 /* Attempt to decrypt session data */
3427 /* Move p after IV to start of encrypted ticket, update length */
3428 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3429 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3430 sdec = OPENSSL_malloc(eticklen);
3433 EVP_CIPHER_CTX_cleanup(&ctx);
3436 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3437 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
3440 EVP_CIPHER_CTX_cleanup(&ctx);
3443 sess = d2i_SSL_SESSION(NULL, &p, slen);
3447 /* The session ID, if non-empty, is used by some clients to
3448 * detect that the ticket has been accepted. So we copy it to
3449 * the session structure. If it is empty set length to zero
3450 * as required by standard.
3453 memcpy(sess->session_id, sess_id, sesslen);
3454 sess->session_id_length = sesslen;
3462 /* For session parse failure, indicate that we need to send a new
3467 /* Tables to translate from NIDs to TLS v1.2 ids */
3475 static tls12_lookup tls12_md[] = {
3476 {NID_md5, TLSEXT_hash_md5},
3477 {NID_sha1, TLSEXT_hash_sha1},
3478 {NID_sha224, TLSEXT_hash_sha224},
3479 {NID_sha256, TLSEXT_hash_sha256},
3480 {NID_sha384, TLSEXT_hash_sha384},
3481 {NID_sha512, TLSEXT_hash_sha512}
3484 static tls12_lookup tls12_sig[] = {
3485 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3486 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3487 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3490 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3493 for (i = 0; i < tlen; i++)
3495 if (table[i].nid == nid)
3501 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3504 for (i = 0; i < tlen; i++)
3506 if ((table[i].id) == id)
3507 return table[i].nid;
3512 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3517 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3518 sizeof(tls12_md)/sizeof(tls12_lookup));
3521 sig_id = tls12_get_sigid(pk);
3524 p[0] = (unsigned char)md_id;
3525 p[1] = (unsigned char)sig_id;
3529 int tls12_get_sigid(const EVP_PKEY *pk)
3531 return tls12_find_id(pk->type, tls12_sig,
3532 sizeof(tls12_sig)/sizeof(tls12_lookup));
3535 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3539 #ifndef OPENSSL_NO_MD5
3540 case TLSEXT_hash_md5:
3547 #ifndef OPENSSL_NO_SHA
3548 case TLSEXT_hash_sha1:
3551 #ifndef OPENSSL_NO_SHA256
3552 case TLSEXT_hash_sha224:
3553 return EVP_sha224();
3555 case TLSEXT_hash_sha256:
3556 return EVP_sha256();
3558 #ifndef OPENSSL_NO_SHA512
3559 case TLSEXT_hash_sha384:
3560 return EVP_sha384();
3562 case TLSEXT_hash_sha512:
3563 return EVP_sha512();
3571 static int tls12_get_pkey_idx(unsigned char sig_alg)
3575 #ifndef OPENSSL_NO_RSA
3576 case TLSEXT_signature_rsa:
3577 return SSL_PKEY_RSA_SIGN;
3579 #ifndef OPENSSL_NO_DSA
3580 case TLSEXT_signature_dsa:
3581 return SSL_PKEY_DSA_SIGN;
3583 #ifndef OPENSSL_NO_ECDSA
3584 case TLSEXT_signature_ecdsa:
3585 return SSL_PKEY_ECC;
3591 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3592 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3593 int *psignhash_nid, const unsigned char *data)
3595 int sign_nid = 0, hash_nid = 0;
3596 if (!phash_nid && !psign_nid && !psignhash_nid)
3598 if (phash_nid || psignhash_nid)
3600 hash_nid = tls12_find_nid(data[0], tls12_md,
3601 sizeof(tls12_md)/sizeof(tls12_lookup));
3603 *phash_nid = hash_nid;
3605 if (psign_nid || psignhash_nid)
3607 sign_nid = tls12_find_nid(data[1], tls12_sig,
3608 sizeof(tls12_sig)/sizeof(tls12_lookup));
3610 *psign_nid = sign_nid;
3614 if (sign_nid && hash_nid)
3615 OBJ_find_sigid_by_algs(psignhash_nid,
3616 hash_nid, sign_nid);
3618 *psignhash_nid = NID_undef;
3621 /* Given preference and allowed sigalgs set shared sigalgs */
3622 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3623 const unsigned char *pref, size_t preflen,
3624 const unsigned char *allow, size_t allowlen)
3626 const unsigned char *ptmp, *atmp;
3627 size_t i, j, nmatch = 0;
3628 for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
3630 /* Skip disabled hashes or signature algorithms */
3631 if (tls12_get_hash(ptmp[0]) == NULL)
3633 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3635 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
3637 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
3642 shsig->rhash = ptmp[0];
3643 shsig->rsign = ptmp[1];
3644 tls1_lookup_sigalg(&shsig->hash_nid,
3646 &shsig->signandhash_nid,
3657 /* Set shared signature algorithms for SSL structures */
3658 static int tls1_set_shared_sigalgs(SSL *s)
3660 const unsigned char *pref, *allow, *conf;
3661 size_t preflen, allowlen, conflen;
3663 TLS_SIGALGS *salgs = NULL;
3665 unsigned int is_suiteb = tls1_suiteb(s);
3666 /* If client use client signature algorithms if not NULL */
3667 if (!s->server && c->client_sigalgs && !is_suiteb)
3669 conf = c->client_sigalgs;
3670 conflen = c->client_sigalgslen;
3672 else if (c->conf_sigalgs && !is_suiteb)
3674 conf = c->conf_sigalgs;
3675 conflen = c->conf_sigalgslen;
3678 conflen = tls12_get_psigalgs(s, &conf);
3679 if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb)
3683 allow = c->peer_sigalgs;
3684 allowlen = c->peer_sigalgslen;
3690 pref = c->peer_sigalgs;
3691 preflen = c->peer_sigalgslen;
3693 nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3696 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3699 nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3700 c->shared_sigalgs = salgs;
3701 c->shared_sigalgslen = nmatch;
3706 /* Set preferred digest for each key type */
3708 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
3714 TLS_SIGALGS *sigptr;
3715 /* Extension ignored for inappropriate versions */
3716 if (!SSL_USE_SIGALGS(s))
3718 /* Should never happen */
3722 c->peer_sigalgs = OPENSSL_malloc(dsize);
3723 if (!c->peer_sigalgs)
3725 c->peer_sigalgslen = dsize;
3726 memcpy(c->peer_sigalgs, data, dsize);
3728 tls1_set_shared_sigalgs(s);
3730 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3731 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
3733 /* Use first set signature preference to force message
3734 * digest, ignoring any peer preferences.
3736 const unsigned char *sigs = NULL;
3738 sigs = c->conf_sigalgs;
3740 sigs = c->client_sigalgs;
3743 idx = tls12_get_pkey_idx(sigs[1]);
3744 md = tls12_get_hash(sigs[0]);
3745 c->pkeys[idx].digest = md;
3746 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3747 if (idx == SSL_PKEY_RSA_SIGN)
3749 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3750 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3756 for (i = 0, sigptr = c->shared_sigalgs;
3757 i < c->shared_sigalgslen; i++, sigptr++)
3759 idx = tls12_get_pkey_idx(sigptr->rsign);
3760 if (idx > 0 && c->pkeys[idx].digest == NULL)
3762 md = tls12_get_hash(sigptr->rhash);
3763 c->pkeys[idx].digest = md;
3764 c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3765 if (idx == SSL_PKEY_RSA_SIGN)
3767 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3768 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3773 /* In strict mode leave unset digests as NULL to indicate we can't
3774 * use the certificate for signing.
3776 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
3778 /* Set any remaining keys to default values. NOTE: if alg is
3779 * not supported it stays as NULL.
3781 #ifndef OPENSSL_NO_DSA
3782 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3783 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3785 #ifndef OPENSSL_NO_RSA
3786 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
3788 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3789 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3792 #ifndef OPENSSL_NO_ECDSA
3793 if (!c->pkeys[SSL_PKEY_ECC].digest)
3794 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3801 int SSL_get_sigalgs(SSL *s, int idx,
3802 int *psign, int *phash, int *psignhash,
3803 unsigned char *rsig, unsigned char *rhash)
3805 const unsigned char *psig = s->cert->peer_sigalgs;
3811 if (idx >= (int)s->cert->peer_sigalgslen)
3818 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3820 return s->cert->peer_sigalgslen / 2;
3823 int SSL_get_shared_sigalgs(SSL *s, int idx,
3824 int *psign, int *phash, int *psignhash,
3825 unsigned char *rsig, unsigned char *rhash)
3827 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3828 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3832 *phash = shsigalgs->hash_nid;
3834 *psign = shsigalgs->sign_nid;
3836 *psignhash = shsigalgs->signandhash_nid;
3838 *rsig = shsigalgs->rsign;
3840 *rhash = shsigalgs->rhash;
3841 return s->cert->shared_sigalgslen;
3845 #ifndef OPENSSL_NO_HEARTBEATS
3847 tls1_process_heartbeat(SSL *s)
3849 unsigned char *p = &s->s3->rrec.data[0], *pl;
3850 unsigned short hbtype;
3851 unsigned int payload;
3852 unsigned int padding = 16; /* Use minimum padding */
3854 /* Read type and payload length first */
3859 if (s->msg_callback)
3860 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3861 &s->s3->rrec.data[0], s->s3->rrec.length,
3862 s, s->msg_callback_arg);
3864 if (hbtype == TLS1_HB_REQUEST)
3866 unsigned char *buffer, *bp;
3869 /* Allocate memory for the response, size is 1 bytes
3870 * message type, plus 2 bytes payload length, plus
3871 * payload, plus padding
3873 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3876 /* Enter response type, length and copy payload */
3877 *bp++ = TLS1_HB_RESPONSE;
3879 memcpy(bp, pl, payload);
3881 /* Random padding */
3882 RAND_pseudo_bytes(bp, padding);
3884 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
3886 if (r >= 0 && s->msg_callback)
3887 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3888 buffer, 3 + payload + padding,
3889 s, s->msg_callback_arg);
3891 OPENSSL_free(buffer);
3896 else if (hbtype == TLS1_HB_RESPONSE)
3900 /* We only send sequence numbers (2 bytes unsigned int),
3901 * and 16 random bytes, so we just try to read the
3902 * sequence number */
3905 if (payload == 18 && seq == s->tlsext_hb_seq)
3908 s->tlsext_hb_pending = 0;
3916 tls1_heartbeat(SSL *s)
3918 unsigned char *buf, *p;
3920 unsigned int payload = 18; /* Sequence number + random bytes */
3921 unsigned int padding = 16; /* Use minimum padding */
3923 /* Only send if peer supports and accepts HB requests... */
3924 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3925 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
3927 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3931 /* ...and there is none in flight yet... */
3932 if (s->tlsext_hb_pending)
3934 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
3938 /* ...and no handshake in progress. */
3939 if (SSL_in_init(s) || s->in_handshake)
3941 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
3945 /* Check if padding is too long, payload and padding
3946 * must not exceed 2^14 - 3 = 16381 bytes in total.
3948 OPENSSL_assert(payload + padding <= 16381);
3950 /* Create HeartBeat message, we just use a sequence number
3951 * as payload to distuingish different messages and add
3952 * some random stuff.
3953 * - Message Type, 1 byte
3954 * - Payload Length, 2 bytes (unsigned int)
3955 * - Payload, the sequence number (2 bytes uint)
3956 * - Payload, random bytes (16 bytes uint)
3959 buf = OPENSSL_malloc(1 + 2 + payload + padding);
3962 *p++ = TLS1_HB_REQUEST;
3963 /* Payload length (18 bytes here) */
3965 /* Sequence number */
3966 s2n(s->tlsext_hb_seq, p);
3967 /* 16 random bytes */
3968 RAND_pseudo_bytes(p, 16);
3970 /* Random padding */
3971 RAND_pseudo_bytes(p, padding);
3973 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3976 if (s->msg_callback)
3977 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3978 buf, 3 + payload + padding,
3979 s, s->msg_callback_arg);
3981 s->tlsext_hb_pending = 1;
3990 #define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3995 int sigalgs[MAX_SIGALGLEN];
3998 static int sig_cb(const char *elem, int len, void *arg)
4000 sig_cb_st *sarg = arg;
4003 int sig_alg, hash_alg;
4004 if (sarg->sigalgcnt == MAX_SIGALGLEN)
4006 if (len > (int)(sizeof(etmp) - 1))
4008 memcpy(etmp, elem, len);
4010 p = strchr(etmp, '+');
4018 if (!strcmp(etmp, "RSA"))
4019 sig_alg = EVP_PKEY_RSA;
4020 else if (!strcmp(etmp, "DSA"))
4021 sig_alg = EVP_PKEY_DSA;
4022 else if (!strcmp(etmp, "ECDSA"))
4023 sig_alg = EVP_PKEY_EC;
4026 hash_alg = OBJ_sn2nid(p);
4027 if (hash_alg == NID_undef)
4028 hash_alg = OBJ_ln2nid(p);
4029 if (hash_alg == NID_undef)
4032 for (i = 0; i < sarg->sigalgcnt; i+=2)
4034 if (sarg->sigalgs[i] == sig_alg
4035 && sarg->sigalgs[i + 1] == hash_alg)
4038 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
4039 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
4043 /* Set suppored signature algorithms based on a colon separated list
4044 * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
4045 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
4049 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
4053 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
4056 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
4058 unsigned char *sigalgs, *sptr;
4063 sigalgs = OPENSSL_malloc(salglen);
4064 if (sigalgs == NULL)
4066 for (i = 0, sptr = sigalgs; i < salglen; i+=2)
4068 rhash = tls12_find_id(*psig_nids++, tls12_md,
4069 sizeof(tls12_md)/sizeof(tls12_lookup));
4070 rsign = tls12_find_id(*psig_nids++, tls12_sig,
4071 sizeof(tls12_sig)/sizeof(tls12_lookup));
4073 if (rhash == -1 || rsign == -1)
4081 if (c->client_sigalgs)
4082 OPENSSL_free(c->client_sigalgs);
4083 c->client_sigalgs = sigalgs;
4084 c->client_sigalgslen = salglen;
4088 if (c->conf_sigalgs)
4089 OPENSSL_free(c->conf_sigalgs);
4090 c->conf_sigalgs = sigalgs;
4091 c->conf_sigalgslen = salglen;
4097 OPENSSL_free(sigalgs);
4101 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
4105 if (default_nid == -1)
4107 sig_nid = X509_get_signature_nid(x);
4109 return sig_nid == default_nid ? 1 : 0;
4110 for (i = 0; i < c->shared_sigalgslen; i++)
4111 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
4115 /* Check to see if a certificate issuer name matches list of CA names */
4116 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
4120 nm = X509_get_issuer_name(x);
4121 for (i = 0; i < sk_X509_NAME_num(names); i++)
4123 if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
4129 /* Check certificate chain is consistent with TLS extensions and is
4130 * usable by server. This servers two purposes: it allows users to
4131 * check chains before passing them to the server and it allows the
4132 * server to check chains before attempting to use them.
4135 /* Flags which need to be set for a certificate when stict mode not set */
4137 #define CERT_PKEY_VALID_FLAGS \
4138 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4139 /* Strict mode flags */
4140 #define CERT_PKEY_STRICT_FLAGS \
4141 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4142 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4144 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
4149 int check_flags = 0, strict_mode;
4150 CERT_PKEY *cpk = NULL;
4152 unsigned int suiteb_flags = tls1_suiteb(s);
4153 /* idx == -1 means checking server chains */
4156 /* idx == -2 means checking client certificate chains */
4160 idx = cpk - c->pkeys;
4163 cpk = c->pkeys + idx;
4165 pk = cpk->privatekey;
4167 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4168 /* If no cert or key, forget it */
4171 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4172 /* Allow any certificate to pass test */
4173 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
4175 rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;
4176 cpk->valid_flags = rv;
4185 idx = ssl_cert_type(x, pk);
4188 cpk = c->pkeys + idx;
4189 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4190 check_flags = CERT_PKEY_STRICT_FLAGS;
4192 check_flags = CERT_PKEY_VALID_FLAGS;
4200 check_flags |= CERT_PKEY_SUITEB;
4201 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4202 if (ok != X509_V_OK)
4205 rv |= CERT_PKEY_SUITEB;
4211 /* Check all signature algorithms are consistent with
4212 * signature algorithms extension if TLS 1.2 or later
4215 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
4218 unsigned char rsign = 0;
4219 if (c->peer_sigalgs)
4221 /* If no sigalgs extension use defaults from RFC5246 */
4226 case SSL_PKEY_RSA_ENC:
4227 case SSL_PKEY_RSA_SIGN:
4228 case SSL_PKEY_DH_RSA:
4229 rsign = TLSEXT_signature_rsa;
4230 default_nid = NID_sha1WithRSAEncryption;
4233 case SSL_PKEY_DSA_SIGN:
4234 case SSL_PKEY_DH_DSA:
4235 rsign = TLSEXT_signature_dsa;
4236 default_nid = NID_dsaWithSHA1;
4240 rsign = TLSEXT_signature_ecdsa;
4241 default_nid = NID_ecdsa_with_SHA1;
4249 /* If peer sent no signature algorithms extension and we
4250 * have set preferred signature algorithms check we support
4253 if (default_nid > 0 && c->conf_sigalgs)
4256 const unsigned char *p = c->conf_sigalgs;
4257 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
4259 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4262 if (j == c->conf_sigalgslen)
4270 /* Check signature algorithm of each cert in chain */
4271 if (!tls1_check_sig_alg(c, x, default_nid))
4273 if (!check_flags) goto end;
4276 rv |= CERT_PKEY_EE_SIGNATURE;
4277 rv |= CERT_PKEY_CA_SIGNATURE;
4278 for (i = 0; i < sk_X509_num(chain); i++)
4280 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
4285 rv &= ~CERT_PKEY_CA_SIGNATURE;
4293 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4294 else if(check_flags)
4295 rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;
4297 /* Check cert parameters are consistent */
4298 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4299 rv |= CERT_PKEY_EE_PARAM;
4300 else if (!check_flags)
4303 rv |= CERT_PKEY_CA_PARAM;
4304 /* In strict mode check rest of chain too */
4305 else if (strict_mode)
4307 rv |= CERT_PKEY_CA_PARAM;
4308 for (i = 0; i < sk_X509_num(chain); i++)
4310 X509 *ca = sk_X509_value(chain, i);
4311 if (!tls1_check_cert_param(s, ca, 0))
4315 rv &= ~CERT_PKEY_CA_PARAM;
4323 if (!s->server && strict_mode)
4325 STACK_OF(X509_NAME) *ca_dn;
4330 check_type = TLS_CT_RSA_SIGN;
4333 check_type = TLS_CT_DSS_SIGN;
4336 check_type = TLS_CT_ECDSA_SIGN;
4341 int cert_type = X509_certificate_type(x, pk);
4342 if (cert_type & EVP_PKS_RSA)
4343 check_type = TLS_CT_RSA_FIXED_DH;
4344 if (cert_type & EVP_PKS_DSA)
4345 check_type = TLS_CT_DSS_FIXED_DH;
4350 const unsigned char *ctypes;
4355 ctypelen = (int)c->ctype_num;
4359 ctypes = (unsigned char *)s->s3->tmp.ctype;
4360 ctypelen = s->s3->tmp.ctype_num;
4362 for (i = 0; i < ctypelen; i++)
4364 if (ctypes[i] == check_type)
4366 rv |= CERT_PKEY_CERT_TYPE;
4370 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4374 rv |= CERT_PKEY_CERT_TYPE;
4377 ca_dn = s->s3->tmp.ca_names;
4379 if (!sk_X509_NAME_num(ca_dn))
4380 rv |= CERT_PKEY_ISSUER_NAME;
4382 if (!(rv & CERT_PKEY_ISSUER_NAME))
4384 if (ssl_check_ca_name(ca_dn, x))
4385 rv |= CERT_PKEY_ISSUER_NAME;
4387 if (!(rv & CERT_PKEY_ISSUER_NAME))
4389 for (i = 0; i < sk_X509_num(chain); i++)
4391 X509 *xtmp = sk_X509_value(chain, i);
4392 if (ssl_check_ca_name(ca_dn, xtmp))
4394 rv |= CERT_PKEY_ISSUER_NAME;
4399 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4403 rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
4405 if (!check_flags || (rv & check_flags) == check_flags)
4406 rv |= CERT_PKEY_VALID;
4410 if (TLS1_get_version(s) >= TLS1_2_VERSION)
4412 if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4413 rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
4414 else if (cpk->digest)
4415 rv |= CERT_PKEY_SIGN;
4418 rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
4420 /* When checking a CERT_PKEY structure all flags are irrelevant
4421 * if the chain is invalid.
4425 if (rv & CERT_PKEY_VALID)
4426 cpk->valid_flags = rv;
4429 /* Preserve explicit sign flag, clear rest */
4430 cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4437 /* Set validity of certificates in an SSL structure */
4438 void tls1_set_cert_validity(SSL *s)
4440 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4441 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4442 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4443 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4444 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4445 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4447 /* User level utiity function to check a chain is suitable */
4448 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4450 return tls1_check_chain(s, x, pk, chain, -1);