2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124 const unsigned char *sess_id, int sesslen,
125 SSL_SESSION **psess);
128 SSL3_ENC_METHOD TLSv1_enc_data={
131 tls1_setup_key_block,
132 tls1_generate_master_secret,
133 tls1_change_cipher_state,
134 tls1_final_finish_mac,
135 TLS1_FINISH_MAC_LENGTH,
136 tls1_cert_verify_mac,
137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
140 tls1_export_keying_material,
143 long tls1_default_timeout(void)
145 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146 * is way too long for http, the cache would over fill */
152 if (!ssl3_new(s)) return(0);
153 s->method->ssl_clear(s);
157 void tls1_free(SSL *s)
159 #ifndef OPENSSL_NO_TLSEXT
160 if (s->tlsext_session_ticket)
162 OPENSSL_free(s->tlsext_session_ticket);
164 #endif /* OPENSSL_NO_TLSEXT */
168 void tls1_clear(SSL *s)
171 s->version = s->method->version;
174 #ifndef OPENSSL_NO_EC
176 static int nid_list[] =
178 NID_sect163k1, /* sect163k1 (1) */
179 NID_sect163r1, /* sect163r1 (2) */
180 NID_sect163r2, /* sect163r2 (3) */
181 NID_sect193r1, /* sect193r1 (4) */
182 NID_sect193r2, /* sect193r2 (5) */
183 NID_sect233k1, /* sect233k1 (6) */
184 NID_sect233r1, /* sect233r1 (7) */
185 NID_sect239k1, /* sect239k1 (8) */
186 NID_sect283k1, /* sect283k1 (9) */
187 NID_sect283r1, /* sect283r1 (10) */
188 NID_sect409k1, /* sect409k1 (11) */
189 NID_sect409r1, /* sect409r1 (12) */
190 NID_sect571k1, /* sect571k1 (13) */
191 NID_sect571r1, /* sect571r1 (14) */
192 NID_secp160k1, /* secp160k1 (15) */
193 NID_secp160r1, /* secp160r1 (16) */
194 NID_secp160r2, /* secp160r2 (17) */
195 NID_secp192k1, /* secp192k1 (18) */
196 NID_X9_62_prime192v1, /* secp192r1 (19) */
197 NID_secp224k1, /* secp224k1 (20) */
198 NID_secp224r1, /* secp224r1 (21) */
199 NID_secp256k1, /* secp256k1 (22) */
200 NID_X9_62_prime256v1, /* secp256r1 (23) */
201 NID_secp384r1, /* secp384r1 (24) */
202 NID_secp521r1 /* secp521r1 (25) */
206 static const unsigned char ecformats_default[] =
208 TLSEXT_ECPOINTFORMAT_uncompressed,
209 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
210 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
213 static const unsigned char eccurves_default[] =
215 0,14, /* sect571r1 (14) */
216 0,13, /* sect571k1 (13) */
217 0,25, /* secp521r1 (25) */
218 0,11, /* sect409k1 (11) */
219 0,12, /* sect409r1 (12) */
220 0,24, /* secp384r1 (24) */
221 0,9, /* sect283k1 (9) */
222 0,10, /* sect283r1 (10) */
223 0,22, /* secp256k1 (22) */
224 0,23, /* secp256r1 (23) */
225 0,8, /* sect239k1 (8) */
226 0,6, /* sect233k1 (6) */
227 0,7, /* sect233r1 (7) */
228 0,20, /* secp224k1 (20) */
229 0,21, /* secp224r1 (21) */
230 0,4, /* sect193r1 (4) */
231 0,5, /* sect193r2 (5) */
232 0,18, /* secp192k1 (18) */
233 0,19, /* secp192r1 (19) */
234 0,1, /* sect163k1 (1) */
235 0,2, /* sect163r1 (2) */
236 0,3, /* sect163r2 (3) */
237 0,15, /* secp160k1 (15) */
238 0,16, /* secp160r1 (16) */
239 0,17, /* secp160r2 (17) */
242 int tls1_ec_curve_id2nid(int curve_id)
244 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
245 if ((curve_id < 1) || ((unsigned int)curve_id >
246 sizeof(nid_list)/sizeof(nid_list[0])))
248 return nid_list[curve_id-1];
251 int tls1_ec_nid2curve_id(int nid)
253 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
256 case NID_sect163k1: /* sect163k1 (1) */
258 case NID_sect163r1: /* sect163r1 (2) */
260 case NID_sect163r2: /* sect163r2 (3) */
262 case NID_sect193r1: /* sect193r1 (4) */
264 case NID_sect193r2: /* sect193r2 (5) */
266 case NID_sect233k1: /* sect233k1 (6) */
268 case NID_sect233r1: /* sect233r1 (7) */
270 case NID_sect239k1: /* sect239k1 (8) */
272 case NID_sect283k1: /* sect283k1 (9) */
274 case NID_sect283r1: /* sect283r1 (10) */
276 case NID_sect409k1: /* sect409k1 (11) */
278 case NID_sect409r1: /* sect409r1 (12) */
280 case NID_sect571k1: /* sect571k1 (13) */
282 case NID_sect571r1: /* sect571r1 (14) */
284 case NID_secp160k1: /* secp160k1 (15) */
286 case NID_secp160r1: /* secp160r1 (16) */
288 case NID_secp160r2: /* secp160r2 (17) */
290 case NID_secp192k1: /* secp192k1 (18) */
292 case NID_X9_62_prime192v1: /* secp192r1 (19) */
294 case NID_secp224k1: /* secp224k1 (20) */
296 case NID_secp224r1: /* secp224r1 (21) */
298 case NID_secp256k1: /* secp256k1 (22) */
300 case NID_X9_62_prime256v1: /* secp256r1 (23) */
302 case NID_secp384r1: /* secp384r1 (24) */
304 case NID_secp521r1: /* secp521r1 (25) */
311 /* Return any common values from two lists. One list is used as a
312 * preference list where we return the most preferred match.
314 int tls1_shared_list(SSL *s,
315 const unsigned char *l1, size_t l1len,
316 const unsigned char *l2, size_t l2len,
319 const unsigned char *pref, *supp;
320 size_t preflen, supplen, i, j;
324 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
339 for (i = 0; i < preflen; i++, pref+=2)
341 const unsigned char *tsupp = supp;
342 for (j = 0; j < supplen; j++, tsupp+=2)
344 if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
347 return (pref[0] << 8) | pref[1];
352 if (nmatch == -1 && k > 0)
357 int tls1_shared_curve(SSL *s, int nmatch)
359 const unsigned char *l1, *l2;
362 /* Can't do anything on client side */
365 /* Use our preferred curve list, if not set use default */
366 if (s->tlsext_ellipticcurvelist)
368 l1 = s->tlsext_ellipticcurvelist;
369 l1len = s->tlsext_ellipticcurvelist_length;
373 l1 = eccurves_default;
374 l1len = sizeof(eccurves_default);
376 /* Use peer preferred curve list, if not set use default */
377 if(s->session->tlsext_ellipticcurvelist)
379 l2 = s->session->tlsext_ellipticcurvelist;
380 l2len =s->session->tlsext_ellipticcurvelist_length;
384 l2 = eccurves_default;
385 l2len = sizeof(eccurves_default);
387 id = tls1_shared_list(s, l1, l1len, l2, l2len, nmatch);
390 return tls1_ec_curve_id2nid(id);
393 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
394 int *curves, size_t ncurves)
396 unsigned char *clist, *p;
398 /* Bitmap of curves included to detect duplicates: only works
399 * while curve ids < 32
401 unsigned long dup_list = 0;
402 clist = OPENSSL_malloc(ncurves * 2);
405 for (i = 0, p = clist; i < ncurves; i++)
407 unsigned long idmask;
409 id = tls1_ec_nid2curve_id(curves[i]);
411 if (!id || (dup_list & idmask))
422 *pextlen = ncurves * 2;
426 #define MAX_CURVELIST 25
431 int nid_arr[MAX_CURVELIST];
434 static int nid_cb(const char *elem, int len, void *arg)
436 nid_cb_st *narg = arg;
440 if (narg->nidcnt == MAX_CURVELIST)
442 if (len > (int)(sizeof(etmp) - 1))
444 memcpy(etmp, elem, len);
446 nid = EC_curve_nist2nid(etmp);
447 if (nid == NID_undef)
448 nid = OBJ_sn2nid(etmp);
449 if (nid == NID_undef)
450 nid = OBJ_ln2nid(etmp);
451 if (nid == NID_undef)
453 for (i = 0; i < narg->nidcnt; i++)
454 if (narg->nid_arr[i] == nid)
456 narg->nid_arr[narg->nidcnt++] = nid;
459 /* Set curves based on a colon separate list */
460 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
465 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
467 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
470 #endif /* OPENSSL_NO_EC */
472 #ifndef OPENSSL_NO_TLSEXT
474 /* List of supported signature algorithms and hashes. Should make this
475 * customisable at some point, for now include everything we support.
478 #ifdef OPENSSL_NO_RSA
479 #define tlsext_sigalg_rsa(md) /* */
481 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
484 #ifdef OPENSSL_NO_DSA
485 #define tlsext_sigalg_dsa(md) /* */
487 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
490 #ifdef OPENSSL_NO_ECDSA
491 #define tlsext_sigalg_ecdsa(md) /* */
493 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
496 #define tlsext_sigalg(md) \
497 tlsext_sigalg_rsa(md) \
498 tlsext_sigalg_dsa(md) \
499 tlsext_sigalg_ecdsa(md)
501 static unsigned char tls12_sigalgs[] = {
502 #ifndef OPENSSL_NO_SHA512
503 tlsext_sigalg(TLSEXT_hash_sha512)
504 tlsext_sigalg(TLSEXT_hash_sha384)
506 #ifndef OPENSSL_NO_SHA256
507 tlsext_sigalg(TLSEXT_hash_sha256)
508 tlsext_sigalg(TLSEXT_hash_sha224)
510 #ifndef OPENSSL_NO_SHA
511 tlsext_sigalg(TLSEXT_hash_sha1)
513 #ifndef OPENSSL_NO_MD5
514 tlsext_sigalg_rsa(TLSEXT_hash_md5)
518 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
520 size_t slen = sizeof(tls12_sigalgs);
522 /* If FIPS mode don't include MD5 which is last */
527 memcpy(p, tls12_sigalgs, slen);
531 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
534 unsigned char *ret = p;
535 #ifndef OPENSSL_NO_EC
536 /* See if we support any ECC ciphersuites */
538 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
541 unsigned long alg_k, alg_a;
542 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
544 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
546 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
548 alg_k = c->algorithm_mkey;
549 alg_a = c->algorithm_auth;
550 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
551 || (alg_a & SSL_aECDSA)))
560 /* don't add extensions for SSLv3 unless doing secure renegotiation */
561 if (s->client_version == SSL3_VERSION
562 && !s->s3->send_connection_binding)
567 if (ret>=limit) return NULL; /* this really never occurs, but ... */
569 if (s->tlsext_hostname != NULL)
571 /* Add TLS extension servername to the Client Hello message */
572 unsigned long size_str;
575 /* check for enough space.
576 4 for the servername type and entension length
577 2 for servernamelist length
578 1 for the hostname type
579 2 for hostname length
583 if ((lenmax = limit - ret - 9) < 0
584 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
587 /* extension type and length */
588 s2n(TLSEXT_TYPE_server_name,ret);
591 /* length of servername list */
594 /* hostname type, length and hostname */
595 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
597 memcpy(ret, s->tlsext_hostname, size_str);
601 /* Add RI if renegotiating */
606 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
608 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
612 if((limit - p - 4 - el) < 0) return NULL;
614 s2n(TLSEXT_TYPE_renegotiate,ret);
617 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
619 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
626 #ifndef OPENSSL_NO_SRP
627 /* Add SRP username if there is one */
628 if (s->srp_ctx.login != NULL)
629 { /* Add TLS extension SRP username to the Client Hello message */
631 int login_len = strlen(s->srp_ctx.login);
632 if (login_len > 255 || login_len == 0)
634 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
638 /* check for enough space.
639 4 for the srp type type and entension length
640 1 for the srp user identity
641 + srp user identity length
643 if ((limit - ret - 5 - login_len) < 0) return NULL;
645 /* fill in the extension */
646 s2n(TLSEXT_TYPE_srp,ret);
647 s2n(login_len+1,ret);
648 (*ret++) = (unsigned char) login_len;
649 memcpy(ret, s->srp_ctx.login, login_len);
654 #ifndef OPENSSL_NO_EC
657 /* Add TLS extension ECPointFormats to the ClientHello message */
659 const unsigned char *plist;
661 /* If we have a custom point format list use it otherwise
663 plist = s->tlsext_ecpointformatlist;
665 plistlen = s->tlsext_ecpointformatlist_length;
668 plist = ecformats_default;
669 plistlen = sizeof(ecformats_default);
672 if ((lenmax = limit - ret - 5) < 0) return NULL;
673 if (plistlen > (size_t)lenmax) return NULL;
676 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
680 s2n(TLSEXT_TYPE_ec_point_formats,ret);
681 s2n(plistlen + 1,ret);
682 *(ret++) = (unsigned char)plistlen ;
683 memcpy(ret, plist, plistlen);
686 /* Add TLS extension EllipticCurves to the ClientHello message */
687 plist = s->tlsext_ellipticcurvelist;
688 /* If we have a custom curve list use it otherwise
691 plistlen = s->tlsext_ellipticcurvelist_length;
694 plist = eccurves_default;
695 plistlen = sizeof(eccurves_default);
698 if ((lenmax = limit - ret - 6) < 0) return NULL;
699 if (plistlen > (size_t)lenmax) return NULL;
700 if (plistlen > 65532)
702 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
706 s2n(TLSEXT_TYPE_elliptic_curves,ret);
707 s2n(plistlen + 2, ret);
709 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
710 * elliptic_curve_list, but the examples use two bytes.
711 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
712 * resolves this to two bytes.
715 memcpy(ret, plist, plistlen);
718 #endif /* OPENSSL_NO_EC */
720 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
723 if (!s->new_session && s->session && s->session->tlsext_tick)
724 ticklen = s->session->tlsext_ticklen;
725 else if (s->session && s->tlsext_session_ticket &&
726 s->tlsext_session_ticket->data)
728 ticklen = s->tlsext_session_ticket->length;
729 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
730 if (!s->session->tlsext_tick)
732 memcpy(s->session->tlsext_tick,
733 s->tlsext_session_ticket->data,
735 s->session->tlsext_ticklen = ticklen;
739 if (ticklen == 0 && s->tlsext_session_ticket &&
740 s->tlsext_session_ticket->data == NULL)
742 /* Check for enough room 2 for extension type, 2 for len
745 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
746 s2n(TLSEXT_TYPE_session_ticket,ret);
750 memcpy(ret, s->session->tlsext_tick, ticklen);
756 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
758 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
760 s2n(TLSEXT_TYPE_signature_algorithms,ret);
761 s2n(sizeof(tls12_sigalgs) + 2, ret);
762 s2n(sizeof(tls12_sigalgs), ret);
763 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
764 ret += sizeof(tls12_sigalgs);
767 #ifdef TLSEXT_TYPE_opaque_prf_input
768 if (s->s3->client_opaque_prf_input != NULL &&
769 s->version != DTLS1_VERSION)
771 size_t col = s->s3->client_opaque_prf_input_len;
773 if ((long)(limit - ret - 6 - col < 0))
775 if (col > 0xFFFD) /* can't happen */
778 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
781 memcpy(ret, s->s3->client_opaque_prf_input, col);
786 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
787 s->version != DTLS1_VERSION)
790 long extlen, idlen, itmp;
794 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
796 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
797 itmp = i2d_OCSP_RESPID(id, NULL);
803 if (s->tlsext_ocsp_exts)
805 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
812 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
813 s2n(TLSEXT_TYPE_status_request, ret);
814 if (extlen + idlen > 0xFFF0)
816 s2n(extlen + idlen + 5, ret);
817 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
819 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
821 /* save position of id len */
822 unsigned char *q = ret;
823 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
824 /* skip over id len */
826 itmp = i2d_OCSP_RESPID(id, &ret);
832 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
835 #ifndef OPENSSL_NO_HEARTBEATS
836 /* Add Heartbeat extension */
837 s2n(TLSEXT_TYPE_heartbeat,ret);
840 * 1: peer may send requests
841 * 2: peer not allowed to send requests
843 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
844 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
846 *(ret++) = SSL_TLSEXT_HB_ENABLED;
849 #ifndef OPENSSL_NO_NEXTPROTONEG
850 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
852 /* The client advertises an emtpy extension to indicate its
853 * support for Next Protocol Negotiation */
854 if (limit - ret - 4 < 0)
856 s2n(TLSEXT_TYPE_next_proto_neg,ret);
861 if(SSL_get_srtp_profiles(s))
865 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
867 if((limit - p - 4 - el) < 0) return NULL;
869 s2n(TLSEXT_TYPE_use_srtp,ret);
872 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
874 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
880 if ((extdatalen = ret-p-2)== 0)
887 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
890 unsigned char *ret = p;
891 #ifndef OPENSSL_NO_NEXTPROTONEG
892 int next_proto_neg_seen;
895 /* don't add extensions for SSLv3, unless doing secure renegotiation */
896 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
900 if (ret>=limit) return NULL; /* this really never occurs, but ... */
902 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
904 if ((long)(limit - ret - 4) < 0) return NULL;
906 s2n(TLSEXT_TYPE_server_name,ret);
910 if(s->s3->send_connection_binding)
914 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
916 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
920 if((limit - p - 4 - el) < 0) return NULL;
922 s2n(TLSEXT_TYPE_renegotiate,ret);
925 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
927 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
934 #ifndef OPENSSL_NO_EC
935 if (s->tlsext_ecpointformatlist != NULL &&
936 s->version != DTLS1_VERSION)
938 /* Add TLS extension ECPointFormats to the ServerHello message */
941 if ((lenmax = limit - ret - 5) < 0) return NULL;
942 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
943 if (s->tlsext_ecpointformatlist_length > 255)
945 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
949 s2n(TLSEXT_TYPE_ec_point_formats,ret);
950 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
951 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
952 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
953 ret+=s->tlsext_ecpointformatlist_length;
956 /* Currently the server should not respond with a SupportedCurves extension */
957 #endif /* OPENSSL_NO_EC */
959 if (s->tlsext_ticket_expected
960 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
962 if ((long)(limit - ret - 4) < 0) return NULL;
963 s2n(TLSEXT_TYPE_session_ticket,ret);
967 if (s->tlsext_status_expected)
969 if ((long)(limit - ret - 4) < 0) return NULL;
970 s2n(TLSEXT_TYPE_status_request,ret);
974 #ifdef TLSEXT_TYPE_opaque_prf_input
975 if (s->s3->server_opaque_prf_input != NULL &&
976 s->version != DTLS1_VERSION)
978 size_t sol = s->s3->server_opaque_prf_input_len;
980 if ((long)(limit - ret - 6 - sol) < 0)
982 if (sol > 0xFFFD) /* can't happen */
985 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
988 memcpy(ret, s->s3->server_opaque_prf_input, sol);
997 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
999 if((limit - p - 4 - el) < 0) return NULL;
1001 s2n(TLSEXT_TYPE_use_srtp,ret);
1004 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1006 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1012 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
1013 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1014 { const unsigned char cryptopro_ext[36] = {
1015 0xfd, 0xe8, /*65000*/
1016 0x00, 0x20, /*32 bytes length*/
1017 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1018 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1019 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1020 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1021 if (limit-ret<36) return NULL;
1022 memcpy(ret,cryptopro_ext,36);
1027 #ifndef OPENSSL_NO_HEARTBEATS
1028 /* Add Heartbeat extension if we've received one */
1029 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1031 s2n(TLSEXT_TYPE_heartbeat,ret);
1034 * 1: peer may send requests
1035 * 2: peer not allowed to send requests
1037 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1038 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1040 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1045 #ifndef OPENSSL_NO_NEXTPROTONEG
1046 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1047 s->s3->next_proto_neg_seen = 0;
1048 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1050 const unsigned char *npa;
1051 unsigned int npalen;
1054 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1055 if (r == SSL_TLSEXT_ERR_OK)
1057 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1058 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1060 memcpy(ret, npa, npalen);
1062 s->s3->next_proto_neg_seen = 1;
1067 if ((extdatalen = ret-p-2)== 0)
1074 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1076 unsigned short type;
1077 unsigned short size;
1079 unsigned char *data = *p;
1080 int renegotiate_seen = 0;
1081 int sigalg_seen = 0;
1083 s->servername_done = 0;
1084 s->tlsext_status_type = -1;
1085 #ifndef OPENSSL_NO_NEXTPROTONEG
1086 s->s3->next_proto_neg_seen = 0;
1089 #ifndef OPENSSL_NO_HEARTBEATS
1090 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1091 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1094 if (data >= (d+n-2))
1098 if (data > (d+n-len))
1101 while (data <= (d+n-4))
1106 if (data+size > (d+n))
1109 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1111 if (s->tlsext_debug_cb)
1112 s->tlsext_debug_cb(s, 0, type, data, size,
1113 s->tlsext_debug_arg);
1114 /* The servername extension is treated as follows:
1116 - Only the hostname type is supported with a maximum length of 255.
1117 - The servername is rejected if too long or if it contains zeros,
1118 in which case an fatal alert is generated.
1119 - The servername field is maintained together with the session cache.
1120 - When a session is resumed, the servername call back invoked in order
1121 to allow the application to position itself to the right context.
1122 - The servername is acknowledged if it is new for a session or when
1123 it is identical to a previously used for the same session.
1124 Applications can control the behaviour. They can at any time
1125 set a 'desirable' servername for a new SSL object. This can be the
1126 case for example with HTTPS when a Host: header field is received and
1127 a renegotiation is requested. In this case, a possible servername
1128 presented in the new client hello is only acknowledged if it matches
1129 the value of the Host: field.
1130 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1131 if they provide for changing an explicit servername context for the session,
1132 i.e. when the session has been established with a servername extension.
1133 - On session reconnect, the servername extension may be absent.
1137 if (type == TLSEXT_TYPE_server_name)
1139 unsigned char *sdata;
1145 *al = SSL_AD_DECODE_ERROR;
1152 *al = SSL_AD_DECODE_ERROR;
1159 servname_type = *(sdata++);
1165 *al = SSL_AD_DECODE_ERROR;
1168 if (s->servername_done == 0)
1169 switch (servname_type)
1171 case TLSEXT_NAMETYPE_host_name:
1174 if(s->session->tlsext_hostname)
1176 *al = SSL_AD_DECODE_ERROR;
1179 if (len > TLSEXT_MAXLEN_host_name)
1181 *al = TLS1_AD_UNRECOGNIZED_NAME;
1184 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1186 *al = TLS1_AD_INTERNAL_ERROR;
1189 memcpy(s->session->tlsext_hostname, sdata, len);
1190 s->session->tlsext_hostname[len]='\0';
1191 if (strlen(s->session->tlsext_hostname) != len) {
1192 OPENSSL_free(s->session->tlsext_hostname);
1193 s->session->tlsext_hostname = NULL;
1194 *al = TLS1_AD_UNRECOGNIZED_NAME;
1197 s->servername_done = 1;
1201 s->servername_done = s->session->tlsext_hostname
1202 && strlen(s->session->tlsext_hostname) == len
1203 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1215 *al = SSL_AD_DECODE_ERROR;
1220 #ifndef OPENSSL_NO_SRP
1221 else if (type == TLSEXT_TYPE_srp)
1223 if (size <= 0 || ((len = data[0])) != (size -1))
1225 *al = SSL_AD_DECODE_ERROR;
1228 if (s->srp_ctx.login != NULL)
1230 *al = SSL_AD_DECODE_ERROR;
1233 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1235 memcpy(s->srp_ctx.login, &data[1], len);
1236 s->srp_ctx.login[len]='\0';
1238 if (strlen(s->srp_ctx.login) != len)
1240 *al = SSL_AD_DECODE_ERROR;
1246 #ifndef OPENSSL_NO_EC
1247 else if (type == TLSEXT_TYPE_ec_point_formats &&
1248 s->version != DTLS1_VERSION)
1250 unsigned char *sdata = data;
1251 int ecpointformatlist_length = *(sdata++);
1253 if (ecpointformatlist_length != size - 1)
1255 *al = TLS1_AD_DECODE_ERROR;
1260 if(s->session->tlsext_ecpointformatlist)
1262 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1263 s->session->tlsext_ecpointformatlist = NULL;
1265 s->session->tlsext_ecpointformatlist_length = 0;
1266 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1268 *al = TLS1_AD_INTERNAL_ERROR;
1271 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1272 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1275 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1276 sdata = s->session->tlsext_ecpointformatlist;
1277 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1278 fprintf(stderr,"%i ",*(sdata++));
1279 fprintf(stderr,"\n");
1282 else if (type == TLSEXT_TYPE_elliptic_curves &&
1283 s->version != DTLS1_VERSION)
1285 unsigned char *sdata = data;
1286 int ellipticcurvelist_length = (*(sdata++) << 8);
1287 ellipticcurvelist_length += (*(sdata++));
1289 if (ellipticcurvelist_length != size - 2)
1291 *al = TLS1_AD_DECODE_ERROR;
1296 if(s->session->tlsext_ellipticcurvelist)
1298 *al = TLS1_AD_DECODE_ERROR;
1301 s->session->tlsext_ellipticcurvelist_length = 0;
1302 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1304 *al = TLS1_AD_INTERNAL_ERROR;
1307 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1308 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1311 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1312 sdata = s->session->tlsext_ellipticcurvelist;
1313 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1314 fprintf(stderr,"%i ",*(sdata++));
1315 fprintf(stderr,"\n");
1318 #endif /* OPENSSL_NO_EC */
1319 #ifdef TLSEXT_TYPE_opaque_prf_input
1320 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1321 s->version != DTLS1_VERSION)
1323 unsigned char *sdata = data;
1327 *al = SSL_AD_DECODE_ERROR;
1330 n2s(sdata, s->s3->client_opaque_prf_input_len);
1331 if (s->s3->client_opaque_prf_input_len != size - 2)
1333 *al = SSL_AD_DECODE_ERROR;
1337 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1338 OPENSSL_free(s->s3->client_opaque_prf_input);
1339 if (s->s3->client_opaque_prf_input_len == 0)
1340 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1342 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1343 if (s->s3->client_opaque_prf_input == NULL)
1345 *al = TLS1_AD_INTERNAL_ERROR;
1350 else if (type == TLSEXT_TYPE_session_ticket)
1352 if (s->tls_session_ticket_ext_cb &&
1353 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1355 *al = TLS1_AD_INTERNAL_ERROR;
1359 else if (type == TLSEXT_TYPE_renegotiate)
1361 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1363 renegotiate_seen = 1;
1365 else if (type == TLSEXT_TYPE_signature_algorithms)
1368 if (sigalg_seen || size < 2)
1370 *al = SSL_AD_DECODE_ERROR;
1376 if (dsize != size || dsize & 1)
1378 *al = SSL_AD_DECODE_ERROR;
1381 if (!tls1_process_sigalgs(s, data, dsize))
1383 *al = SSL_AD_DECODE_ERROR;
1387 else if (type == TLSEXT_TYPE_status_request &&
1388 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1393 *al = SSL_AD_DECODE_ERROR;
1397 s->tlsext_status_type = *data++;
1399 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1401 const unsigned char *sdata;
1403 /* Read in responder_id_list */
1408 *al = SSL_AD_DECODE_ERROR;
1417 *al = SSL_AD_DECODE_ERROR;
1421 dsize -= 2 + idsize;
1425 *al = SSL_AD_DECODE_ERROR;
1430 id = d2i_OCSP_RESPID(NULL,
1434 *al = SSL_AD_DECODE_ERROR;
1439 OCSP_RESPID_free(id);
1440 *al = SSL_AD_DECODE_ERROR;
1443 if (!s->tlsext_ocsp_ids
1444 && !(s->tlsext_ocsp_ids =
1445 sk_OCSP_RESPID_new_null()))
1447 OCSP_RESPID_free(id);
1448 *al = SSL_AD_INTERNAL_ERROR;
1451 if (!sk_OCSP_RESPID_push(
1452 s->tlsext_ocsp_ids, id))
1454 OCSP_RESPID_free(id);
1455 *al = SSL_AD_INTERNAL_ERROR;
1460 /* Read in request_extensions */
1463 *al = SSL_AD_DECODE_ERROR;
1470 *al = SSL_AD_DECODE_ERROR;
1476 if (s->tlsext_ocsp_exts)
1478 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1479 X509_EXTENSION_free);
1482 s->tlsext_ocsp_exts =
1483 d2i_X509_EXTENSIONS(NULL,
1485 if (!s->tlsext_ocsp_exts
1486 || (data + dsize != sdata))
1488 *al = SSL_AD_DECODE_ERROR;
1493 /* We don't know what to do with any other type
1497 s->tlsext_status_type = -1;
1499 #ifndef OPENSSL_NO_HEARTBEATS
1500 else if (type == TLSEXT_TYPE_heartbeat)
1504 case 0x01: /* Client allows us to send HB requests */
1505 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1507 case 0x02: /* Client doesn't accept HB requests */
1508 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1509 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1511 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1516 #ifndef OPENSSL_NO_NEXTPROTONEG
1517 else if (type == TLSEXT_TYPE_next_proto_neg &&
1518 s->s3->tmp.finish_md_len == 0)
1520 /* We shouldn't accept this extension on a
1523 * s->new_session will be set on renegotiation, but we
1524 * probably shouldn't rely that it couldn't be set on
1525 * the initial renegotation too in certain cases (when
1526 * there's some other reason to disallow resuming an
1527 * earlier session -- the current code won't be doing
1528 * anything like that, but this might change).
1530 * A valid sign that there's been a previous handshake
1531 * in this connection is if s->s3->tmp.finish_md_len >
1532 * 0. (We are talking about a check that will happen
1533 * in the Hello protocol round, well before a new
1534 * Finished message could have been computed.) */
1535 s->s3->next_proto_neg_seen = 1;
1539 /* session ticket processed earlier */
1540 else if (type == TLSEXT_TYPE_use_srtp)
1542 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1554 /* Need RI if renegotiating */
1556 if (!renegotiate_seen && s->renegotiate &&
1557 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1559 *al = SSL_AD_HANDSHAKE_FAILURE;
1560 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1561 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1568 #ifndef OPENSSL_NO_NEXTPROTONEG
1569 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1570 * elements of zero length are allowed and the set of elements must exactly fill
1571 * the length of the block. */
1572 static int ssl_next_proto_validate(unsigned char *d, unsigned len)
1574 unsigned int off = 0;
1588 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1590 unsigned short length;
1591 unsigned short type;
1592 unsigned short size;
1593 unsigned char *data = *p;
1594 int tlsext_servername = 0;
1595 int renegotiate_seen = 0;
1597 #ifndef OPENSSL_NO_NEXTPROTONEG
1598 s->s3->next_proto_neg_seen = 0;
1601 #ifndef OPENSSL_NO_HEARTBEATS
1602 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1603 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1606 if (data >= (d+n-2))
1610 if (data+length != d+n)
1612 *al = SSL_AD_DECODE_ERROR;
1616 while(data <= (d+n-4))
1621 if (data+size > (d+n))
1624 if (s->tlsext_debug_cb)
1625 s->tlsext_debug_cb(s, 1, type, data, size,
1626 s->tlsext_debug_arg);
1628 if (type == TLSEXT_TYPE_server_name)
1630 if (s->tlsext_hostname == NULL || size > 0)
1632 *al = TLS1_AD_UNRECOGNIZED_NAME;
1635 tlsext_servername = 1;
1638 #ifndef OPENSSL_NO_EC
1639 else if (type == TLSEXT_TYPE_ec_point_formats &&
1640 s->version != DTLS1_VERSION)
1642 unsigned char *sdata = data;
1643 int ecpointformatlist_length = *(sdata++);
1645 if (ecpointformatlist_length != size - 1)
1647 *al = TLS1_AD_DECODE_ERROR;
1650 s->session->tlsext_ecpointformatlist_length = 0;
1651 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1652 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1654 *al = TLS1_AD_INTERNAL_ERROR;
1657 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1658 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1660 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1661 sdata = s->session->tlsext_ecpointformatlist;
1662 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1663 fprintf(stderr,"%i ",*(sdata++));
1664 fprintf(stderr,"\n");
1667 #endif /* OPENSSL_NO_EC */
1669 else if (type == TLSEXT_TYPE_session_ticket)
1671 if (s->tls_session_ticket_ext_cb &&
1672 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1674 *al = TLS1_AD_INTERNAL_ERROR;
1677 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1680 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1683 s->tlsext_ticket_expected = 1;
1685 #ifdef TLSEXT_TYPE_opaque_prf_input
1686 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1687 s->version != DTLS1_VERSION)
1689 unsigned char *sdata = data;
1693 *al = SSL_AD_DECODE_ERROR;
1696 n2s(sdata, s->s3->server_opaque_prf_input_len);
1697 if (s->s3->server_opaque_prf_input_len != size - 2)
1699 *al = SSL_AD_DECODE_ERROR;
1703 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1704 OPENSSL_free(s->s3->server_opaque_prf_input);
1705 if (s->s3->server_opaque_prf_input_len == 0)
1706 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1708 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1710 if (s->s3->server_opaque_prf_input == NULL)
1712 *al = TLS1_AD_INTERNAL_ERROR;
1717 else if (type == TLSEXT_TYPE_status_request &&
1718 s->version != DTLS1_VERSION)
1720 /* MUST be empty and only sent if we've requested
1721 * a status request message.
1723 if ((s->tlsext_status_type == -1) || (size > 0))
1725 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1728 /* Set flag to expect CertificateStatus message */
1729 s->tlsext_status_expected = 1;
1731 #ifndef OPENSSL_NO_NEXTPROTONEG
1732 else if (type == TLSEXT_TYPE_next_proto_neg &&
1733 s->s3->tmp.finish_md_len == 0)
1735 unsigned char *selected;
1736 unsigned char selected_len;
1738 /* We must have requested it. */
1739 if ((s->ctx->next_proto_select_cb == NULL))
1741 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1744 /* The data must be valid */
1745 if (!ssl_next_proto_validate(data, size))
1747 *al = TLS1_AD_DECODE_ERROR;
1750 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1752 *al = TLS1_AD_INTERNAL_ERROR;
1755 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1756 if (!s->next_proto_negotiated)
1758 *al = TLS1_AD_INTERNAL_ERROR;
1761 memcpy(s->next_proto_negotiated, selected, selected_len);
1762 s->next_proto_negotiated_len = selected_len;
1763 s->s3->next_proto_neg_seen = 1;
1766 else if (type == TLSEXT_TYPE_renegotiate)
1768 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1770 renegotiate_seen = 1;
1772 #ifndef OPENSSL_NO_HEARTBEATS
1773 else if (type == TLSEXT_TYPE_heartbeat)
1777 case 0x01: /* Server allows us to send HB requests */
1778 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1780 case 0x02: /* Server doesn't accept HB requests */
1781 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1782 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1784 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1789 else if (type == TLSEXT_TYPE_use_srtp)
1791 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1801 *al = SSL_AD_DECODE_ERROR;
1805 if (!s->hit && tlsext_servername == 1)
1807 if (s->tlsext_hostname)
1809 if (s->session->tlsext_hostname == NULL)
1811 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1812 if (!s->session->tlsext_hostname)
1814 *al = SSL_AD_UNRECOGNIZED_NAME;
1820 *al = SSL_AD_DECODE_ERROR;
1830 /* Determine if we need to see RI. Strictly speaking if we want to
1831 * avoid an attack we should *always* see RI even on initial server
1832 * hello because the client doesn't see any renegotiation during an
1833 * attack. However this would mean we could not connect to any server
1834 * which doesn't support RI so for the immediate future tolerate RI
1835 * absence on initial connect only.
1837 if (!renegotiate_seen
1838 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1839 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1841 *al = SSL_AD_HANDSHAKE_FAILURE;
1842 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1843 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1851 int ssl_prepare_clienthello_tlsext(SSL *s)
1854 #ifdef TLSEXT_TYPE_opaque_prf_input
1858 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1860 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1865 if (s->tlsext_opaque_prf_input != NULL)
1867 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1868 OPENSSL_free(s->s3->client_opaque_prf_input);
1870 if (s->tlsext_opaque_prf_input_len == 0)
1871 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1873 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1874 if (s->s3->client_opaque_prf_input == NULL)
1876 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1879 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1883 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1884 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1891 int ssl_prepare_serverhello_tlsext(SSL *s)
1893 #ifndef OPENSSL_NO_EC
1894 /* If we are server and using an ECC cipher suite, send the point formats we support
1895 * if the client sent us an ECPointsFormat extension. Note that the server is not
1896 * supposed to send an EllipticCurves extension.
1899 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1900 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1901 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1902 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1906 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1907 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1909 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1912 s->tlsext_ecpointformatlist_length = 3;
1913 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1914 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1915 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1917 #endif /* OPENSSL_NO_EC */
1922 int ssl_check_clienthello_tlsext(SSL *s)
1924 int ret=SSL_TLSEXT_ERR_NOACK;
1925 int al = SSL_AD_UNRECOGNIZED_NAME;
1927 #ifndef OPENSSL_NO_EC
1928 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1929 * ssl3_choose_cipher in s3_lib.c.
1931 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1932 * ssl3_choose_cipher in s3_lib.c.
1936 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1937 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1938 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1939 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1941 /* If status request then ask callback what to do.
1942 * Note: this must be called after servername callbacks in case
1943 * the certificate has changed.
1945 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1948 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1951 /* We don't want to send a status request response */
1952 case SSL_TLSEXT_ERR_NOACK:
1953 s->tlsext_status_expected = 0;
1955 /* status request response should be sent */
1956 case SSL_TLSEXT_ERR_OK:
1957 if (s->tlsext_ocsp_resp)
1958 s->tlsext_status_expected = 1;
1960 s->tlsext_status_expected = 0;
1962 /* something bad happened */
1963 case SSL_TLSEXT_ERR_ALERT_FATAL:
1964 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1965 al = SSL_AD_INTERNAL_ERROR;
1970 s->tlsext_status_expected = 0;
1972 #ifdef TLSEXT_TYPE_opaque_prf_input
1974 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1975 * but we might be sending an alert in response to the client hello,
1976 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1980 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1982 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1985 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1986 al = SSL_AD_INTERNAL_ERROR;
1991 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1992 OPENSSL_free(s->s3->server_opaque_prf_input);
1993 s->s3->server_opaque_prf_input = NULL;
1995 if (s->tlsext_opaque_prf_input != NULL)
1997 if (s->s3->client_opaque_prf_input != NULL &&
1998 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2000 /* can only use this extension if we have a server opaque PRF input
2001 * of the same length as the client opaque PRF input! */
2003 if (s->tlsext_opaque_prf_input_len == 0)
2004 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2006 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2007 if (s->s3->server_opaque_prf_input == NULL)
2009 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2010 al = SSL_AD_INTERNAL_ERROR;
2013 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2017 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2019 /* The callback wants to enforce use of the extension,
2020 * but we can't do that with the client opaque PRF input;
2021 * abort the handshake.
2023 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2024 al = SSL_AD_HANDSHAKE_FAILURE;
2032 case SSL_TLSEXT_ERR_ALERT_FATAL:
2033 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2036 case SSL_TLSEXT_ERR_ALERT_WARNING:
2037 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2040 case SSL_TLSEXT_ERR_NOACK:
2041 s->servername_done=0;
2047 int ssl_check_serverhello_tlsext(SSL *s)
2049 int ret=SSL_TLSEXT_ERR_NOACK;
2050 int al = SSL_AD_UNRECOGNIZED_NAME;
2052 #ifndef OPENSSL_NO_EC
2053 /* If we are client and using an elliptic curve cryptography cipher
2054 * suite, then if server returns an EC point formats lists extension
2055 * it must contain uncompressed.
2057 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2058 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2059 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
2060 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
2061 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2063 /* we are using an ECC cipher */
2065 unsigned char *list;
2066 int found_uncompressed = 0;
2067 list = s->session->tlsext_ecpointformatlist;
2068 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2070 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2072 found_uncompressed = 1;
2076 if (!found_uncompressed)
2078 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2082 ret = SSL_TLSEXT_ERR_OK;
2083 #endif /* OPENSSL_NO_EC */
2085 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2086 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2087 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2088 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2090 #ifdef TLSEXT_TYPE_opaque_prf_input
2091 if (s->s3->server_opaque_prf_input_len > 0)
2093 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2094 * So first verify that we really have a value from the server too. */
2096 if (s->s3->server_opaque_prf_input == NULL)
2098 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2099 al = SSL_AD_HANDSHAKE_FAILURE;
2102 /* Anytime the server *has* sent an opaque PRF input, we need to check
2103 * that we have a client opaque PRF input of the same size. */
2104 if (s->s3->client_opaque_prf_input == NULL ||
2105 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2107 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2108 al = SSL_AD_ILLEGAL_PARAMETER;
2113 /* If we've requested certificate status and we wont get one
2116 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2117 && s->ctx && s->ctx->tlsext_status_cb)
2120 /* Set resp to NULL, resplen to -1 so callback knows
2121 * there is no response.
2123 if (s->tlsext_ocsp_resp)
2125 OPENSSL_free(s->tlsext_ocsp_resp);
2126 s->tlsext_ocsp_resp = NULL;
2128 s->tlsext_ocsp_resplen = -1;
2129 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2132 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2133 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2137 al = SSL_AD_INTERNAL_ERROR;
2138 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2144 case SSL_TLSEXT_ERR_ALERT_FATAL:
2145 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2148 case SSL_TLSEXT_ERR_ALERT_WARNING:
2149 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2152 case SSL_TLSEXT_ERR_NOACK:
2153 s->servername_done=0;
2159 /* Since the server cache lookup is done early on in the processing of the
2160 * ClientHello, and other operations depend on the result, we need to handle
2161 * any TLS session ticket extension at the same time.
2163 * session_id: points at the session ID in the ClientHello. This code will
2164 * read past the end of this in order to parse out the session ticket
2165 * extension, if any.
2166 * len: the length of the session ID.
2167 * limit: a pointer to the first byte after the ClientHello.
2168 * ret: (output) on return, if a ticket was decrypted, then this is set to
2169 * point to the resulting session.
2171 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2172 * ciphersuite, in which case we have no use for session tickets and one will
2173 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2176 * -1: fatal error, either from parsing or decrypting the ticket.
2177 * 0: no ticket was found (or was ignored, based on settings).
2178 * 1: a zero length extension was found, indicating that the client supports
2179 * session tickets but doesn't currently have one to offer.
2180 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2181 * couldn't be decrypted because of a non-fatal error.
2182 * 3: a ticket was successfully decrypted and *ret was set.
2185 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2186 * a new session ticket to the client because the client indicated support
2187 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2188 * a session ticket or we couldn't use the one it gave us, or if
2189 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2190 * Otherwise, s->tlsext_ticket_expected is set to 0.
2192 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2193 const unsigned char *limit, SSL_SESSION **ret)
2195 /* Point after session ID in client hello */
2196 const unsigned char *p = session_id + len;
2200 s->tlsext_ticket_expected = 0;
2202 /* If tickets disabled behave as if no ticket present
2203 * to permit stateful resumption.
2205 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2207 if ((s->version <= SSL3_VERSION) || !limit)
2211 /* Skip past DTLS cookie */
2212 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2219 /* Skip past cipher list */
2224 /* Skip past compression algorithm list */
2229 /* Now at start of extensions */
2230 if ((p + 2) >= limit)
2233 while ((p + 4) <= limit)
2235 unsigned short type, size;
2238 if (p + size > limit)
2240 if (type == TLSEXT_TYPE_session_ticket)
2245 /* The client will accept a ticket but doesn't
2246 * currently have one. */
2247 s->tlsext_ticket_expected = 1;
2250 if (s->tls_session_secret_cb)
2252 /* Indicate that the ticket couldn't be
2253 * decrypted rather than generating the session
2254 * from ticket now, trigger abbreviated
2255 * handshake based on external mechanism to
2256 * calculate the master secret later. */
2259 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2262 case 2: /* ticket couldn't be decrypted */
2263 s->tlsext_ticket_expected = 1;
2265 case 3: /* ticket was decrypted */
2267 case 4: /* ticket decrypted but need to renew */
2268 s->tlsext_ticket_expected = 1;
2270 default: /* fatal error */
2279 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2281 * etick: points to the body of the session ticket extension.
2282 * eticklen: the length of the session tickets extenion.
2283 * sess_id: points at the session ID.
2284 * sesslen: the length of the session ID.
2285 * psess: (output) on return, if a ticket was decrypted, then this is set to
2286 * point to the resulting session.
2289 * -1: fatal error, either from parsing or decrypting the ticket.
2290 * 2: the ticket couldn't be decrypted.
2291 * 3: a ticket was successfully decrypted and *psess was set.
2292 * 4: same as 3, but the ticket needs to be renewed.
2294 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2295 const unsigned char *sess_id, int sesslen,
2296 SSL_SESSION **psess)
2299 unsigned char *sdec;
2300 const unsigned char *p;
2301 int slen, mlen, renew_ticket = 0;
2302 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2305 SSL_CTX *tctx = s->initial_ctx;
2306 /* Need at least keyname + iv + some encrypted data */
2309 /* Initialize session ticket encryption and HMAC contexts */
2310 HMAC_CTX_init(&hctx);
2311 EVP_CIPHER_CTX_init(&ctx);
2312 if (tctx->tlsext_ticket_key_cb)
2314 unsigned char *nctick = (unsigned char *)etick;
2315 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2326 /* Check key name matches */
2327 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2329 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2330 tlsext_tick_md(), NULL);
2331 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2332 tctx->tlsext_tick_aes_key, etick + 16);
2334 /* Attempt to process session ticket, first conduct sanity and
2335 * integrity checks on ticket.
2337 mlen = HMAC_size(&hctx);
2340 EVP_CIPHER_CTX_cleanup(&ctx);
2344 /* Check HMAC of encrypted ticket */
2345 HMAC_Update(&hctx, etick, eticklen);
2346 HMAC_Final(&hctx, tick_hmac, NULL);
2347 HMAC_CTX_cleanup(&hctx);
2348 if (memcmp(tick_hmac, etick + eticklen, mlen))
2350 /* Attempt to decrypt session data */
2351 /* Move p after IV to start of encrypted ticket, update length */
2352 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2353 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2354 sdec = OPENSSL_malloc(eticklen);
2357 EVP_CIPHER_CTX_cleanup(&ctx);
2360 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2361 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2364 EVP_CIPHER_CTX_cleanup(&ctx);
2367 sess = d2i_SSL_SESSION(NULL, &p, slen);
2371 /* The session ID, if non-empty, is used by some clients to
2372 * detect that the ticket has been accepted. So we copy it to
2373 * the session structure. If it is empty set length to zero
2374 * as required by standard.
2377 memcpy(sess->session_id, sess_id, sesslen);
2378 sess->session_id_length = sesslen;
2386 /* For session parse failure, indicate that we need to send a new
2391 /* Tables to translate from NIDs to TLS v1.2 ids */
2399 static tls12_lookup tls12_md[] = {
2400 {NID_md5, TLSEXT_hash_md5},
2401 {NID_sha1, TLSEXT_hash_sha1},
2402 {NID_sha224, TLSEXT_hash_sha224},
2403 {NID_sha256, TLSEXT_hash_sha256},
2404 {NID_sha384, TLSEXT_hash_sha384},
2405 {NID_sha512, TLSEXT_hash_sha512}
2408 static tls12_lookup tls12_sig[] = {
2409 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2410 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2411 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2414 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2417 for (i = 0; i < tlen; i++)
2419 if (table[i].nid == nid)
2425 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2428 for (i = 0; i < tlen; i++)
2430 if ((table[i].id) == id)
2431 return table[i].nid;
2436 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2441 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2442 sizeof(tls12_md)/sizeof(tls12_lookup));
2445 sig_id = tls12_get_sigid(pk);
2448 p[0] = (unsigned char)md_id;
2449 p[1] = (unsigned char)sig_id;
2453 int tls12_get_sigid(const EVP_PKEY *pk)
2455 return tls12_find_id(pk->type, tls12_sig,
2456 sizeof(tls12_sig)/sizeof(tls12_lookup));
2459 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2463 #ifndef OPENSSL_NO_MD5
2464 case TLSEXT_hash_md5:
2471 #ifndef OPENSSL_NO_SHA
2472 case TLSEXT_hash_sha1:
2475 #ifndef OPENSSL_NO_SHA256
2476 case TLSEXT_hash_sha224:
2477 return EVP_sha224();
2479 case TLSEXT_hash_sha256:
2480 return EVP_sha256();
2482 #ifndef OPENSSL_NO_SHA512
2483 case TLSEXT_hash_sha384:
2484 return EVP_sha384();
2486 case TLSEXT_hash_sha512:
2487 return EVP_sha512();
2495 /* Set preferred digest for each key type */
2497 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2502 TLS_SIGALGS *sigptr;
2503 /* Extension ignored for TLS versions below 1.2 */
2504 if (TLS1_get_version(s) < TLS1_2_VERSION)
2506 /* Should never happen */
2510 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2511 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2512 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2513 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2516 OPENSSL_free(c->sigalgs);
2517 c->sigalgs = OPENSSL_malloc((dsize/2) * sizeof(TLS_SIGALGS));
2520 c->sigalgslen = dsize/2;
2522 for (i = 0, sigptr = c->sigalgs; i < dsize; i += 2, sigptr++)
2524 sigptr->rhash = data[i];
2525 sigptr->rsign = data[i + 1];
2526 sigptr->hash_nid = tls12_find_nid(sigptr->rhash, tls12_md,
2527 sizeof(tls12_md)/sizeof(tls12_lookup));
2528 sigptr->sign_nid = tls12_find_nid(sigptr->rsign, tls12_sig,
2529 sizeof(tls12_sig)/sizeof(tls12_lookup));
2530 if (!OBJ_find_sigid_by_algs(&sigptr->signandhash_nid,
2533 sigptr->signandhash_nid = NID_undef;
2534 switch(sigptr->rsign)
2536 #ifndef OPENSSL_NO_RSA
2537 case TLSEXT_signature_rsa:
2538 idx = SSL_PKEY_RSA_SIGN;
2541 #ifndef OPENSSL_NO_DSA
2542 case TLSEXT_signature_dsa:
2543 idx = SSL_PKEY_DSA_SIGN;
2546 #ifndef OPENSSL_NO_ECDSA
2547 case TLSEXT_signature_ecdsa:
2555 if (c->pkeys[idx].digest == NULL)
2557 md = tls12_get_hash(sigptr->rhash);
2560 c->pkeys[idx].digest = md;
2561 if (idx == SSL_PKEY_RSA_SIGN)
2562 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2569 /* Set any remaining keys to default values. NOTE: if alg is not
2570 * supported it stays as NULL.
2572 #ifndef OPENSSL_NO_DSA
2573 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2574 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2576 #ifndef OPENSSL_NO_RSA
2577 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2579 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2580 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2583 #ifndef OPENSSL_NO_ECDSA
2584 if (!c->pkeys[SSL_PKEY_ECC].digest)
2585 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2592 int SSL_get_sigalgs(SSL *s, int idx,
2593 int *psign, int *phash, int *psignandhash,
2594 unsigned char *rsig, unsigned char *rhash)
2596 if (s->cert->sigalgs == NULL)
2601 if (idx >= (int)s->cert->sigalgslen)
2603 psig = s->cert->sigalgs + idx;
2605 *psign = psig->sign_nid;
2607 *phash = psig->hash_nid;
2609 *psignandhash = psig->signandhash_nid;
2611 *rsig = psig->rsign;
2613 *rhash = psig->rhash;
2615 return s->cert->sigalgslen;
2619 #ifndef OPENSSL_NO_HEARTBEATS
2621 tls1_process_heartbeat(SSL *s)
2623 unsigned char *p = &s->s3->rrec.data[0], *pl;
2624 unsigned short hbtype;
2625 unsigned int payload;
2626 unsigned int padding = 16; /* Use minimum padding */
2628 /* Read type and payload length first */
2633 if (s->msg_callback)
2634 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2635 &s->s3->rrec.data[0], s->s3->rrec.length,
2636 s, s->msg_callback_arg);
2638 if (hbtype == TLS1_HB_REQUEST)
2640 unsigned char *buffer, *bp;
2643 /* Allocate memory for the response, size is 1 bytes
2644 * message type, plus 2 bytes payload length, plus
2645 * payload, plus padding
2647 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2650 /* Enter response type, length and copy payload */
2651 *bp++ = TLS1_HB_RESPONSE;
2653 memcpy(bp, pl, payload);
2655 /* Random padding */
2656 RAND_pseudo_bytes(bp, padding);
2658 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2660 if (r >= 0 && s->msg_callback)
2661 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2662 buffer, 3 + payload + padding,
2663 s, s->msg_callback_arg);
2665 OPENSSL_free(buffer);
2670 else if (hbtype == TLS1_HB_RESPONSE)
2674 /* We only send sequence numbers (2 bytes unsigned int),
2675 * and 16 random bytes, so we just try to read the
2676 * sequence number */
2679 if (payload == 18 && seq == s->tlsext_hb_seq)
2682 s->tlsext_hb_pending = 0;
2690 tls1_heartbeat(SSL *s)
2692 unsigned char *buf, *p;
2694 unsigned int payload = 18; /* Sequence number + random bytes */
2695 unsigned int padding = 16; /* Use minimum padding */
2697 /* Only send if peer supports and accepts HB requests... */
2698 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2699 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2701 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2705 /* ...and there is none in flight yet... */
2706 if (s->tlsext_hb_pending)
2708 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2712 /* ...and no handshake in progress. */
2713 if (SSL_in_init(s) || s->in_handshake)
2715 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2719 /* Check if padding is too long, payload and padding
2720 * must not exceed 2^14 - 3 = 16381 bytes in total.
2722 OPENSSL_assert(payload + padding <= 16381);
2724 /* Create HeartBeat message, we just use a sequence number
2725 * as payload to distuingish different messages and add
2726 * some random stuff.
2727 * - Message Type, 1 byte
2728 * - Payload Length, 2 bytes (unsigned int)
2729 * - Payload, the sequence number (2 bytes uint)
2730 * - Payload, random bytes (16 bytes uint)
2733 buf = OPENSSL_malloc(1 + 2 + payload + padding);
2736 *p++ = TLS1_HB_REQUEST;
2737 /* Payload length (18 bytes here) */
2739 /* Sequence number */
2740 s2n(s->tlsext_hb_seq, p);
2741 /* 16 random bytes */
2742 RAND_pseudo_bytes(p, 16);
2744 /* Random padding */
2745 RAND_pseudo_bytes(p, padding);
2747 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2750 if (s->msg_callback)
2751 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2752 buf, 3 + payload + padding,
2753 s, s->msg_callback_arg);
2755 s->tlsext_hb_pending = 1;