1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
86 * 6. Redistributions of any form whatsoever must retain the following
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #ifndef OPENSSL_NO_DH
119 # include <openssl/dh.h>
120 # include <openssl/bn.h>
122 #include "ssl_locl.h"
124 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
125 const unsigned char *sess_id, int sesslen,
126 SSL_SESSION **psess);
127 static int ssl_check_clienthello_tlsext_early(SSL *s);
128 static int ssl_check_serverhello_tlsext(SSL *s);
130 SSL3_ENC_METHOD const TLSv1_enc_data = {
133 tls1_setup_key_block,
134 tls1_generate_master_secret,
135 tls1_change_cipher_state,
136 tls1_final_finish_mac,
137 TLS1_FINISH_MAC_LENGTH,
138 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
139 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
141 tls1_export_keying_material,
143 SSL3_HM_HEADER_LENGTH,
144 ssl3_set_handshake_header,
148 SSL3_ENC_METHOD const TLSv1_1_enc_data = {
151 tls1_setup_key_block,
152 tls1_generate_master_secret,
153 tls1_change_cipher_state,
154 tls1_final_finish_mac,
155 TLS1_FINISH_MAC_LENGTH,
156 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
157 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
159 tls1_export_keying_material,
160 SSL_ENC_FLAG_EXPLICIT_IV,
161 SSL3_HM_HEADER_LENGTH,
162 ssl3_set_handshake_header,
166 SSL3_ENC_METHOD const TLSv1_2_enc_data = {
169 tls1_setup_key_block,
170 tls1_generate_master_secret,
171 tls1_change_cipher_state,
172 tls1_final_finish_mac,
173 TLS1_FINISH_MAC_LENGTH,
174 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
175 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
177 tls1_export_keying_material,
178 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
179 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
180 SSL3_HM_HEADER_LENGTH,
181 ssl3_set_handshake_header,
185 long tls1_default_timeout(void)
188 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
189 * http, the cache would over fill
191 return (60 * 60 * 2);
198 s->method->ssl_clear(s);
202 void tls1_free(SSL *s)
204 OPENSSL_free(s->tlsext_session_ticket);
208 void tls1_clear(SSL *s)
211 if (s->method->version == TLS_ANY_VERSION)
212 s->version = TLS_MAX_VERSION;
214 s->version = s->method->version;
217 #ifndef OPENSSL_NO_EC
220 int nid; /* Curve NID */
221 int secbits; /* Bits of security (from SP800-57) */
222 unsigned int flags; /* Flags: currently just field type */
225 /* Mask for curve type */
226 # define TLS_CURVE_TYPE 0x3
227 # define TLS_CURVE_PRIME 0x0
228 # define TLS_CURVE_CHAR2 0x1
229 # define TLS_CURVE_CUSTOM 0x2
232 * Table of curve information.
233 * Do not delete entries or reorder this array! It is used as a lookup
234 * table: the index of each entry is one less than the TLS curve id.
236 static const tls_curve_info nid_list[] = {
237 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
238 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
239 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
240 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
241 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
242 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
243 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
244 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
245 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
246 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
247 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
248 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
249 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
250 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
251 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
252 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
253 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
254 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
255 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
256 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
257 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
258 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
259 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
260 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
261 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
262 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
263 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
264 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
266 {NID_X25519, 128, TLS_CURVE_CUSTOM},
269 static const unsigned char ecformats_default[] = {
270 TLSEXT_ECPOINTFORMAT_uncompressed,
271 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
272 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
275 /* The default curves */
276 static const unsigned char eccurves_default[] = {
277 0, 29, /* X25519 (29) */
278 0, 23, /* secp256r1 (23) */
279 0, 25, /* secp521r1 (25) */
280 0, 24, /* secp384r1 (24) */
283 static const unsigned char eccurves_all[] = {
284 0, 29, /* X25519 (29) */
285 0, 23, /* secp256r1 (23) */
286 0, 25, /* secp521r1 (25) */
287 0, 24, /* secp384r1 (24) */
288 0, 26, /* brainpoolP256r1 (26) */
289 0, 27, /* brainpoolP384r1 (27) */
290 0, 28, /* brainpool512r1 (28) */
293 * Remaining curves disabled by default but still permitted if set
294 * via an explicit callback or parameters.
296 0, 22, /* secp256k1 (22) */
297 0, 14, /* sect571r1 (14) */
298 0, 13, /* sect571k1 (13) */
299 0, 11, /* sect409k1 (11) */
300 0, 12, /* sect409r1 (12) */
301 0, 9, /* sect283k1 (9) */
302 0, 10, /* sect283r1 (10) */
303 0, 20, /* secp224k1 (20) */
304 0, 21, /* secp224r1 (21) */
305 0, 18, /* secp192k1 (18) */
306 0, 19, /* secp192r1 (19) */
307 0, 15, /* secp160k1 (15) */
308 0, 16, /* secp160r1 (16) */
309 0, 17, /* secp160r2 (17) */
310 0, 8, /* sect239k1 (8) */
311 0, 6, /* sect233k1 (6) */
312 0, 7, /* sect233r1 (7) */
313 0, 4, /* sect193r1 (4) */
314 0, 5, /* sect193r2 (5) */
315 0, 1, /* sect163k1 (1) */
316 0, 2, /* sect163r1 (2) */
317 0, 3, /* sect163r2 (3) */
321 static const unsigned char suiteb_curves[] = {
322 0, TLSEXT_curve_P_256,
323 0, TLSEXT_curve_P_384
326 int tls1_ec_curve_id2nid(int curve_id)
328 /* ECC curves from RFC 4492 and RFC 7027 */
329 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
331 return nid_list[curve_id - 1].nid;
334 int tls1_ec_nid2curve_id(int nid)
337 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
338 if (nid_list[i].nid == nid)
345 * Get curves list, if "sess" is set return client curves otherwise
347 * Sets |num_curves| to the number of curves in the list, i.e.,
348 * the length of |pcurves| is 2 * num_curves.
349 * Returns 1 on success and 0 if the client curves list has invalid format.
350 * The latter indicates an internal error: we should not be accepting such
351 * lists in the first place.
352 * TODO(emilia): we should really be storing the curves list in explicitly
353 * parsed form instead. (However, this would affect binary compatibility
354 * so cannot happen in the 1.0.x series.)
356 static int tls1_get_curvelist(SSL *s, int sess,
357 const unsigned char **pcurves,
360 size_t pcurveslen = 0;
362 *pcurves = s->session->tlsext_ellipticcurvelist;
363 pcurveslen = s->session->tlsext_ellipticcurvelist_length;
365 /* For Suite B mode only include P-256, P-384 */
366 switch (tls1_suiteb(s)) {
367 case SSL_CERT_FLAG_SUITEB_128_LOS:
368 *pcurves = suiteb_curves;
369 pcurveslen = sizeof(suiteb_curves);
372 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
373 *pcurves = suiteb_curves;
377 case SSL_CERT_FLAG_SUITEB_192_LOS:
378 *pcurves = suiteb_curves + 2;
382 *pcurves = s->tlsext_ellipticcurvelist;
383 pcurveslen = s->tlsext_ellipticcurvelist_length;
386 *pcurves = eccurves_default;
387 pcurveslen = sizeof(eccurves_default);
391 /* We do not allow odd length arrays to enter the system. */
392 if (pcurveslen & 1) {
393 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
397 *num_curves = pcurveslen / 2;
402 /* See if curve is allowed by security callback */
403 static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
405 const tls_curve_info *cinfo;
408 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
410 cinfo = &nid_list[curve[1] - 1];
411 # ifdef OPENSSL_NO_EC2M
412 if (cinfo->flags & TLS_CURVE_CHAR2)
415 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
418 /* Check a curve is one of our preferences */
419 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
421 const unsigned char *curves;
422 size_t num_curves, i;
423 unsigned int suiteb_flags = tls1_suiteb(s);
424 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
426 /* Check curve matches Suite B preferences */
428 unsigned long cid = s->s3->tmp.new_cipher->id;
431 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
432 if (p[2] != TLSEXT_curve_P_256)
434 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
435 if (p[2] != TLSEXT_curve_P_384)
437 } else /* Should never happen */
440 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
442 for (i = 0; i < num_curves; i++, curves += 2) {
443 if (p[1] == curves[0] && p[2] == curves[1])
444 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
450 * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
451 * if there is no match.
452 * For nmatch == -1, return number of matches
453 * For nmatch == -2, return the NID of the curve to use for
454 * an EC tmp key, or NID_undef if there is no match.
456 int tls1_shared_curve(SSL *s, int nmatch)
458 const unsigned char *pref, *supp;
459 size_t num_pref, num_supp, i, j;
461 /* Can't do anything on client side */
465 if (tls1_suiteb(s)) {
467 * For Suite B ciphersuite determines curve: we already know
468 * these are acceptable due to previous checks.
470 unsigned long cid = s->s3->tmp.new_cipher->id;
471 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
472 return NID_X9_62_prime256v1; /* P-256 */
473 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
474 return NID_secp384r1; /* P-384 */
475 /* Should never happen */
478 /* If not Suite B just return first preference shared curve */
482 * Avoid truncation. tls1_get_curvelist takes an int
483 * but s->options is a long...
485 if (!tls1_get_curvelist
486 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
488 /* In practice, NID_undef == 0 but let's be precise. */
489 return nmatch == -1 ? 0 : NID_undef;
490 if (!tls1_get_curvelist
491 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
493 return nmatch == -1 ? 0 : NID_undef;
496 * If the client didn't send the elliptic_curves extension all of them
499 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
501 num_supp = sizeof(eccurves_all) / 2;
502 } else if (num_pref == 0 &&
503 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
505 num_pref = sizeof(eccurves_all) / 2;
509 for (i = 0; i < num_pref; i++, pref += 2) {
510 const unsigned char *tsupp = supp;
511 for (j = 0; j < num_supp; j++, tsupp += 2) {
512 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
513 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
516 int id = (pref[0] << 8) | pref[1];
517 return tls1_ec_curve_id2nid(id);
525 /* Out of range (nmatch > k). */
529 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
530 int *curves, size_t ncurves)
532 unsigned char *clist, *p;
535 * Bitmap of curves included to detect duplicates: only works while curve
538 unsigned long dup_list = 0;
539 clist = OPENSSL_malloc(ncurves * 2);
542 for (i = 0, p = clist; i < ncurves; i++) {
543 unsigned long idmask;
545 id = tls1_ec_nid2curve_id(curves[i]);
547 if (!id || (dup_list & idmask)) {
556 *pextlen = ncurves * 2;
560 # define MAX_CURVELIST 28
564 int nid_arr[MAX_CURVELIST];
567 static int nid_cb(const char *elem, int len, void *arg)
569 nid_cb_st *narg = arg;
575 if (narg->nidcnt == MAX_CURVELIST)
577 if (len > (int)(sizeof(etmp) - 1))
579 memcpy(etmp, elem, len);
581 nid = EC_curve_nist2nid(etmp);
582 if (nid == NID_undef)
583 nid = OBJ_sn2nid(etmp);
584 if (nid == NID_undef)
585 nid = OBJ_ln2nid(etmp);
586 if (nid == NID_undef)
588 for (i = 0; i < narg->nidcnt; i++)
589 if (narg->nid_arr[i] == nid)
591 narg->nid_arr[narg->nidcnt++] = nid;
595 /* Set curves based on a colon separate list */
596 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
601 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
605 return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
608 /* For an EC key set TLS id and required compression based on parameters */
609 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
616 /* Determine if it is a prime field */
617 grp = EC_KEY_get0_group(ec);
620 /* Determine curve ID */
621 id = EC_GROUP_get_curve_name(grp);
622 id = tls1_ec_nid2curve_id(id);
623 /* If no id return error: we don't support arbitrary explicit curves */
627 curve_id[1] = (unsigned char)id;
629 if (EC_KEY_get0_public_key(ec) == NULL)
631 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
632 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
634 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
635 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
637 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
643 /* Check an EC key is compatible with extensions */
644 static int tls1_check_ec_key(SSL *s,
645 unsigned char *curve_id, unsigned char *comp_id)
647 const unsigned char *pformats, *pcurves;
648 size_t num_formats, num_curves, i;
651 * If point formats extension present check it, otherwise everything is
652 * supported (see RFC4492).
654 if (comp_id && s->session->tlsext_ecpointformatlist) {
655 pformats = s->session->tlsext_ecpointformatlist;
656 num_formats = s->session->tlsext_ecpointformatlist_length;
657 for (i = 0; i < num_formats; i++, pformats++) {
658 if (*comp_id == *pformats)
661 if (i == num_formats)
666 /* Check curve is consistent with client and server preferences */
667 for (j = 0; j <= 1; j++) {
668 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
670 if (j == 1 && num_curves == 0) {
672 * If we've not received any curves then skip this check.
673 * RFC 4492 does not require the supported elliptic curves extension
674 * so if it is not sent we can just choose any curve.
675 * It is invalid to send an empty list in the elliptic curves
676 * extension, so num_curves == 0 always means no extension.
680 for (i = 0; i < num_curves; i++, pcurves += 2) {
681 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
686 /* For clients can only check sent curve list */
693 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
697 * If we have a custom point format list use it otherwise use default
699 if (s->tlsext_ecpointformatlist) {
700 *pformats = s->tlsext_ecpointformatlist;
701 *num_formats = s->tlsext_ecpointformatlist_length;
703 *pformats = ecformats_default;
704 /* For Suite B we don't support char2 fields */
706 *num_formats = sizeof(ecformats_default) - 1;
708 *num_formats = sizeof(ecformats_default);
713 * Check cert parameters compatible with extensions: currently just checks EC
714 * certificates have compatible curves and compression.
716 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
718 unsigned char comp_id, curve_id[2];
721 pkey = X509_get0_pubkey(x);
724 /* If not EC nothing to do */
725 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
727 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
731 * Can't check curve_id for client certs as we don't have a supported
734 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
738 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
739 * SHA384+P-384, adjust digest if necessary.
741 if (set_ee_md && tls1_suiteb(s)) {
747 /* Check to see we have necessary signing algorithm */
748 if (curve_id[1] == TLSEXT_curve_P_256)
749 check_md = NID_ecdsa_with_SHA256;
750 else if (curve_id[1] == TLSEXT_curve_P_384)
751 check_md = NID_ecdsa_with_SHA384;
753 return 0; /* Should never happen */
754 for (i = 0; i < c->shared_sigalgslen; i++)
755 if (check_md == c->shared_sigalgs[i].signandhash_nid)
757 if (i == c->shared_sigalgslen)
759 if (set_ee_md == 2) {
760 if (check_md == NID_ecdsa_with_SHA256)
761 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
763 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
769 # ifndef OPENSSL_NO_EC
771 * tls1_check_ec_tmp_key - Check EC temporary key compatiblity
773 * @cid: Cipher ID we're considering using
775 * Checks that the kECDHE cipher suite we're considering using
776 * is compatible with the client extensions.
778 * Returns 0 when the cipher can't be used or 1 when it can.
780 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
783 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
786 if (tls1_suiteb(s)) {
787 unsigned char curve_id[2];
788 /* Curve to check determined by ciphersuite */
789 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
790 curve_id[1] = TLSEXT_curve_P_256;
791 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
792 curve_id[1] = TLSEXT_curve_P_384;
796 /* Check this curve is acceptable */
797 if (!tls1_check_ec_key(s, curve_id, NULL))
801 /* Need a shared curve */
802 if (tls1_shared_curve(s, 0))
806 # endif /* OPENSSL_NO_EC */
810 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
815 #endif /* OPENSSL_NO_EC */
818 * List of supported signature algorithms and hashes. Should make this
819 * customisable at some point, for now include everything we support.
822 #ifdef OPENSSL_NO_RSA
823 # define tlsext_sigalg_rsa(md) /* */
825 # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
828 #ifdef OPENSSL_NO_DSA
829 # define tlsext_sigalg_dsa(md) /* */
831 # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
835 # define tlsext_sigalg_ecdsa(md) /* */
837 # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
840 #define tlsext_sigalg(md) \
841 tlsext_sigalg_rsa(md) \
842 tlsext_sigalg_dsa(md) \
843 tlsext_sigalg_ecdsa(md)
845 static const unsigned char tls12_sigalgs[] = {
846 tlsext_sigalg(TLSEXT_hash_sha512)
847 tlsext_sigalg(TLSEXT_hash_sha384)
848 tlsext_sigalg(TLSEXT_hash_sha256)
849 tlsext_sigalg(TLSEXT_hash_sha224)
850 tlsext_sigalg(TLSEXT_hash_sha1)
851 #ifndef OPENSSL_NO_GOST
852 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
853 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
854 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
858 #ifndef OPENSSL_NO_EC
859 static const unsigned char suiteb_sigalgs[] = {
860 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
861 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
864 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
867 * If Suite B mode use Suite B sigalgs only, ignore any other
870 #ifndef OPENSSL_NO_EC
871 switch (tls1_suiteb(s)) {
872 case SSL_CERT_FLAG_SUITEB_128_LOS:
873 *psigs = suiteb_sigalgs;
874 return sizeof(suiteb_sigalgs);
876 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
877 *psigs = suiteb_sigalgs;
880 case SSL_CERT_FLAG_SUITEB_192_LOS:
881 *psigs = suiteb_sigalgs + 2;
885 /* If server use client authentication sigalgs if not NULL */
886 if (s->server && s->cert->client_sigalgs) {
887 *psigs = s->cert->client_sigalgs;
888 return s->cert->client_sigalgslen;
889 } else if (s->cert->conf_sigalgs) {
890 *psigs = s->cert->conf_sigalgs;
891 return s->cert->conf_sigalgslen;
893 *psigs = tls12_sigalgs;
894 return sizeof(tls12_sigalgs);
899 * Check signature algorithm is consistent with sent supported signature
900 * algorithms and if so return relevant digest.
902 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
903 const unsigned char *sig, EVP_PKEY *pkey)
905 const unsigned char *sent_sigs;
906 size_t sent_sigslen, i;
907 int sigalg = tls12_get_sigid(pkey);
908 /* Should never happen */
911 /* Check key type is consistent with signature */
912 if (sigalg != (int)sig[1]) {
913 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
916 #ifndef OPENSSL_NO_EC
917 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
918 unsigned char curve_id[2], comp_id;
919 /* Check compression and curve matches extensions */
920 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
922 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
923 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
926 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
927 if (tls1_suiteb(s)) {
930 if (curve_id[1] == TLSEXT_curve_P_256) {
931 if (sig[0] != TLSEXT_hash_sha256) {
932 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
933 SSL_R_ILLEGAL_SUITEB_DIGEST);
936 } else if (curve_id[1] == TLSEXT_curve_P_384) {
937 if (sig[0] != TLSEXT_hash_sha384) {
938 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
939 SSL_R_ILLEGAL_SUITEB_DIGEST);
945 } else if (tls1_suiteb(s))
949 /* Check signature matches a type we sent */
950 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
951 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
952 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
955 /* Allow fallback to SHA1 if not strict mode */
956 if (i == sent_sigslen
957 && (sig[0] != TLSEXT_hash_sha1
958 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
959 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
962 *pmd = tls12_get_hash(sig[0]);
964 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
967 /* Make sure security callback allows algorithm */
968 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
969 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
971 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
975 * Store the digest used so applications can retrieve it if they wish.
977 s->s3->tmp.peer_md = *pmd;
982 * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
983 * supported or doesn't appear in supported signature algorithms. Unlike
984 * ssl_cipher_get_disabled this applies to a specific session and not global
987 void ssl_set_client_disabled(SSL *s)
989 s->s3->tmp.mask_a = 0;
990 s->s3->tmp.mask_k = 0;
991 /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
992 if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
993 s->s3->tmp.mask_ssl = SSL_TLSV1_2;
995 s->s3->tmp.mask_ssl = 0;
996 /* Disable TLS 1.0 ciphers if using SSL v3 */
997 if (s->client_version == SSL3_VERSION)
998 s->s3->tmp.mask_ssl |= SSL_TLSV1;
999 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
1000 # ifndef OPENSSL_NO_PSK
1001 /* with PSK there must be client callback set */
1002 if (!s->psk_client_callback) {
1003 s->s3->tmp.mask_a |= SSL_aPSK;
1004 s->s3->tmp.mask_k |= SSL_PSK;
1006 #endif /* OPENSSL_NO_PSK */
1007 #ifndef OPENSSL_NO_SRP
1008 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
1009 s->s3->tmp.mask_a |= SSL_aSRP;
1010 s->s3->tmp.mask_k |= SSL_kSRP;
1015 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
1017 if (c->algorithm_ssl & s->s3->tmp.mask_ssl
1018 || c->algorithm_mkey & s->s3->tmp.mask_k
1019 || c->algorithm_auth & s->s3->tmp.mask_a)
1021 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1024 static int tls_use_ticket(SSL *s)
1026 if (s->options & SSL_OP_NO_TICKET)
1028 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1031 static int compare_uint(const void *p1, const void *p2) {
1032 unsigned int u1 = *((const unsigned int *)p1);
1033 unsigned int u2 = *((const unsigned int *)p2);
1043 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
1044 * more than one extension of the same type in a ClientHello or ServerHello.
1045 * This function does an initial scan over the extensions block to filter those
1046 * out. It returns 1 if all extensions are unique, and 0 if the extensions
1047 * contain duplicates, could not be successfully parsed, or an internal error
1050 static int tls1_check_duplicate_extensions(const PACKET *packet) {
1051 PACKET extensions = *packet;
1052 size_t num_extensions = 0, i = 0;
1053 unsigned int *extension_types = NULL;
1056 /* First pass: count the extensions. */
1057 while (PACKET_remaining(&extensions) > 0) {
1060 if (!PACKET_get_net_2(&extensions, &type) ||
1061 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
1067 if (num_extensions <= 1)
1070 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
1071 if (extension_types == NULL) {
1072 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
1076 /* Second pass: gather the extension types. */
1077 extensions = *packet;
1078 for (i = 0; i < num_extensions; i++) {
1080 if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
1081 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
1082 /* This should not happen. */
1083 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1088 if (PACKET_remaining(&extensions) != 0) {
1089 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1092 /* Sort the extensions and make sure there are no duplicates. */
1093 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
1094 for (i = 1; i < num_extensions; i++) {
1095 if (extension_types[i - 1] == extension_types[i])
1100 OPENSSL_free(extension_types);
1104 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1105 unsigned char *limit, int *al)
1108 unsigned char *orig = buf;
1109 unsigned char *ret = buf;
1110 #ifndef OPENSSL_NO_EC
1111 /* See if we support any ECC ciphersuites */
1113 if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1115 unsigned long alg_k, alg_a;
1116 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1118 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1119 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1121 alg_k = c->algorithm_mkey;
1122 alg_a = c->algorithm_auth;
1123 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
1124 || (alg_a & SSL_aECDSA)) {
1135 return NULL; /* this really never occurs, but ... */
1137 /* Add RI if renegotiating */
1138 if (s->renegotiate) {
1141 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1142 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1146 if ((limit - ret - 4 - el) < 0)
1149 s2n(TLSEXT_TYPE_renegotiate, ret);
1152 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1153 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1159 /* Only add RI for SSLv3 */
1160 if (s->client_version == SSL3_VERSION)
1163 if (s->tlsext_hostname != NULL) {
1164 /* Add TLS extension servername to the Client Hello message */
1165 unsigned long size_str;
1169 * check for enough space.
1170 * 4 for the servername type and entension length
1171 * 2 for servernamelist length
1172 * 1 for the hostname type
1173 * 2 for hostname length
1177 if ((lenmax = limit - ret - 9) < 0
1179 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1182 /* extension type and length */
1183 s2n(TLSEXT_TYPE_server_name, ret);
1184 s2n(size_str + 5, ret);
1186 /* length of servername list */
1187 s2n(size_str + 3, ret);
1189 /* hostname type, length and hostname */
1190 *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1192 memcpy(ret, s->tlsext_hostname, size_str);
1195 #ifndef OPENSSL_NO_SRP
1196 /* Add SRP username if there is one */
1197 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1198 * Client Hello message */
1200 int login_len = strlen(s->srp_ctx.login);
1201 if (login_len > 255 || login_len == 0) {
1202 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1207 * check for enough space.
1208 * 4 for the srp type type and entension length
1209 * 1 for the srp user identity
1210 * + srp user identity length
1212 if ((limit - ret - 5 - login_len) < 0)
1215 /* fill in the extension */
1216 s2n(TLSEXT_TYPE_srp, ret);
1217 s2n(login_len + 1, ret);
1218 (*ret++) = (unsigned char)login_len;
1219 memcpy(ret, s->srp_ctx.login, login_len);
1224 #ifndef OPENSSL_NO_EC
1227 * Add TLS extension ECPointFormats to the ClientHello message
1230 const unsigned char *pcurves, *pformats;
1231 size_t num_curves, num_formats, curves_list_len;
1233 unsigned char *etmp;
1235 tls1_get_formatlist(s, &pformats, &num_formats);
1237 if ((lenmax = limit - ret - 5) < 0)
1239 if (num_formats > (size_t)lenmax)
1241 if (num_formats > 255) {
1242 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1246 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1247 /* The point format list has 1-byte length. */
1248 s2n(num_formats + 1, ret);
1249 *(ret++) = (unsigned char)num_formats;
1250 memcpy(ret, pformats, num_formats);
1254 * Add TLS extension EllipticCurves to the ClientHello message
1256 pcurves = s->tlsext_ellipticcurvelist;
1257 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1260 if ((lenmax = limit - ret - 6) < 0)
1262 if (num_curves > (size_t)lenmax / 2)
1264 if (num_curves > 65532 / 2) {
1265 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1269 s2n(TLSEXT_TYPE_elliptic_curves, ret);
1271 /* Copy curve ID if supported */
1272 for (i = 0; i < num_curves; i++, pcurves += 2) {
1273 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1274 *etmp++ = pcurves[0];
1275 *etmp++ = pcurves[1];
1279 curves_list_len = etmp - ret - 4;
1281 s2n(curves_list_len + 2, ret);
1282 s2n(curves_list_len, ret);
1283 ret += curves_list_len;
1285 #endif /* OPENSSL_NO_EC */
1287 if (tls_use_ticket(s)) {
1289 if (!s->new_session && s->session && s->session->tlsext_tick)
1290 ticklen = s->session->tlsext_ticklen;
1291 else if (s->session && s->tlsext_session_ticket &&
1292 s->tlsext_session_ticket->data) {
1293 ticklen = s->tlsext_session_ticket->length;
1294 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1295 if (s->session->tlsext_tick == NULL)
1297 memcpy(s->session->tlsext_tick,
1298 s->tlsext_session_ticket->data, ticklen);
1299 s->session->tlsext_ticklen = ticklen;
1302 if (ticklen == 0 && s->tlsext_session_ticket &&
1303 s->tlsext_session_ticket->data == NULL)
1306 * Check for enough room 2 for extension type, 2 for len rest for
1309 if ((long)(limit - ret - 4 - ticklen) < 0)
1311 s2n(TLSEXT_TYPE_session_ticket, ret);
1314 memcpy(ret, s->session->tlsext_tick, ticklen);
1320 if (SSL_USE_SIGALGS(s)) {
1322 const unsigned char *salg;
1323 unsigned char *etmp;
1324 salglen = tls12_get_psigalgs(s, &salg);
1325 if ((size_t)(limit - ret) < salglen + 6)
1327 s2n(TLSEXT_TYPE_signature_algorithms, ret);
1329 /* Skip over lengths for now */
1331 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1332 /* Fill in lengths */
1333 s2n(salglen + 2, etmp);
1338 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1340 long extlen, idlen, itmp;
1344 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1345 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1346 itmp = i2d_OCSP_RESPID(id, NULL);
1352 if (s->tlsext_ocsp_exts) {
1353 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1359 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1361 s2n(TLSEXT_TYPE_status_request, ret);
1362 if (extlen + idlen > 0xFFF0)
1364 s2n(extlen + idlen + 5, ret);
1365 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1367 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1368 /* save position of id len */
1369 unsigned char *q = ret;
1370 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1371 /* skip over id len */
1373 itmp = i2d_OCSP_RESPID(id, &ret);
1379 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1381 #ifndef OPENSSL_NO_HEARTBEATS
1382 if (SSL_IS_DTLS(s)) {
1383 /* Add Heartbeat extension */
1384 if ((limit - ret - 4 - 1) < 0)
1386 s2n(TLSEXT_TYPE_heartbeat, ret);
1390 * 1: peer may send requests
1391 * 2: peer not allowed to send requests
1393 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1394 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1396 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
1400 #ifndef OPENSSL_NO_NEXTPROTONEG
1401 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1403 * The client advertises an emtpy extension to indicate its support
1404 * for Next Protocol Negotiation
1406 if (limit - ret - 4 < 0)
1408 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1413 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1414 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1416 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1417 s2n(2 + s->alpn_client_proto_list_len, ret);
1418 s2n(s->alpn_client_proto_list_len, ret);
1419 memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1420 ret += s->alpn_client_proto_list_len;
1422 #ifndef OPENSSL_NO_SRTP
1423 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1426 /* Returns 0 on success!! */
1427 if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
1428 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1432 if ((limit - ret - 4 - el) < 0)
1435 s2n(TLSEXT_TYPE_use_srtp, ret);
1438 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1439 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1445 custom_ext_init(&s->cert->cli_ext);
1446 /* Add custom TLS Extensions to ClientHello */
1447 if (!custom_ext_add(s, 0, &ret, limit, al))
1449 #ifdef TLSEXT_TYPE_encrypt_then_mac
1450 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1453 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1457 * Add padding to workaround bugs in F5 terminators. See
1458 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1459 * code works out the length of all existing extensions it MUST always
1462 if (s->options & SSL_OP_TLSEXT_PADDING) {
1463 int hlen = ret - (unsigned char *)s->init_buf->data;
1465 if (hlen > 0xff && hlen < 0x200) {
1466 hlen = 0x200 - hlen;
1472 s2n(TLSEXT_TYPE_padding, ret);
1474 memset(ret, 0, hlen);
1481 if ((extdatalen = ret - orig - 2) == 0)
1484 s2n(extdatalen, orig);
1488 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1489 unsigned char *limit, int *al)
1492 unsigned char *orig = buf;
1493 unsigned char *ret = buf;
1494 #ifndef OPENSSL_NO_NEXTPROTONEG
1495 int next_proto_neg_seen;
1497 #ifndef OPENSSL_NO_EC
1498 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1499 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1500 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1501 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1506 return NULL; /* this really never occurs, but ... */
1508 if (s->s3->send_connection_binding) {
1511 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1512 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1516 if ((limit - ret - 4 - el) < 0)
1519 s2n(TLSEXT_TYPE_renegotiate, ret);
1522 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1523 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1530 /* Only add RI for SSLv3 */
1531 if (s->version == SSL3_VERSION)
1534 if (!s->hit && s->servername_done == 1
1535 && s->session->tlsext_hostname != NULL) {
1536 if ((long)(limit - ret - 4) < 0)
1539 s2n(TLSEXT_TYPE_server_name, ret);
1542 #ifndef OPENSSL_NO_EC
1544 const unsigned char *plist;
1547 * Add TLS extension ECPointFormats to the ServerHello message
1551 tls1_get_formatlist(s, &plist, &plistlen);
1553 if ((lenmax = limit - ret - 5) < 0)
1555 if (plistlen > (size_t)lenmax)
1557 if (plistlen > 255) {
1558 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1562 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1563 s2n(plistlen + 1, ret);
1564 *(ret++) = (unsigned char)plistlen;
1565 memcpy(ret, plist, plistlen);
1570 * Currently the server should not respond with a SupportedCurves
1573 #endif /* OPENSSL_NO_EC */
1575 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1576 if ((long)(limit - ret - 4) < 0)
1578 s2n(TLSEXT_TYPE_session_ticket, ret);
1582 if (s->tlsext_status_expected) {
1583 if ((long)(limit - ret - 4) < 0)
1585 s2n(TLSEXT_TYPE_status_request, ret);
1589 #ifndef OPENSSL_NO_SRTP
1590 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1593 /* Returns 0 on success!! */
1594 if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
1595 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1598 if ((limit - ret - 4 - el) < 0)
1601 s2n(TLSEXT_TYPE_use_srtp, ret);
1604 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1605 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1612 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1613 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1614 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1615 const unsigned char cryptopro_ext[36] = {
1616 0xfd, 0xe8, /* 65000 */
1617 0x00, 0x20, /* 32 bytes length */
1618 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1619 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1620 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1621 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1623 if (limit - ret < 36)
1625 memcpy(ret, cryptopro_ext, 36);
1629 #ifndef OPENSSL_NO_HEARTBEATS
1630 /* Add Heartbeat extension if we've received one */
1631 if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
1632 if ((limit - ret - 4 - 1) < 0)
1634 s2n(TLSEXT_TYPE_heartbeat, ret);
1638 * 1: peer may send requests
1639 * 2: peer not allowed to send requests
1641 if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
1642 *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
1644 *(ret++) = SSL_DTLSEXT_HB_ENABLED;
1649 #ifndef OPENSSL_NO_NEXTPROTONEG
1650 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1651 s->s3->next_proto_neg_seen = 0;
1652 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1653 const unsigned char *npa;
1654 unsigned int npalen;
1657 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1659 ctx->next_protos_advertised_cb_arg);
1660 if (r == SSL_TLSEXT_ERR_OK) {
1661 if ((long)(limit - ret - 4 - npalen) < 0)
1663 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1665 memcpy(ret, npa, npalen);
1667 s->s3->next_proto_neg_seen = 1;
1671 if (!custom_ext_add(s, 1, &ret, limit, al))
1673 #ifdef TLSEXT_TYPE_encrypt_then_mac
1674 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1676 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1677 * for other cases too.
1679 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1680 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1681 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1682 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
1683 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1685 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
1690 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
1691 s2n(TLSEXT_TYPE_extended_master_secret, ret);
1695 if (s->s3->alpn_selected) {
1696 const unsigned char *selected = s->s3->alpn_selected;
1697 unsigned len = s->s3->alpn_selected_len;
1699 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1701 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1705 memcpy(ret, selected, len);
1711 if ((extdatalen = ret - orig - 2) == 0)
1714 s2n(extdatalen, orig);
1719 * Process the ALPN extension in a ClientHello.
1720 * pkt: the contents of the ALPN extension, not including type and length.
1721 * al: a pointer to the alert value to send in the event of a failure.
1722 * returns: 1 on success, 0 on error.
1724 static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
1726 const unsigned char *selected;
1727 unsigned char selected_len;
1729 PACKET protocol_list, save_protocol_list, protocol;
1731 *al = SSL_AD_DECODE_ERROR;
1733 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
1734 || PACKET_remaining(&protocol_list) < 2) {
1738 save_protocol_list = protocol_list;
1740 /* Protocol names can't be empty. */
1741 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
1742 || PACKET_remaining(&protocol) == 0) {
1745 } while (PACKET_remaining(&protocol_list) != 0);
1747 if (s->ctx->alpn_select_cb == NULL)
1750 r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1751 PACKET_data(&save_protocol_list),
1752 PACKET_remaining(&save_protocol_list),
1753 s->ctx->alpn_select_cb_arg);
1754 if (r == SSL_TLSEXT_ERR_OK) {
1755 OPENSSL_free(s->s3->alpn_selected);
1756 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1757 if (s->s3->alpn_selected == NULL) {
1758 *al = SSL_AD_INTERNAL_ERROR;
1761 memcpy(s->s3->alpn_selected, selected, selected_len);
1762 s->s3->alpn_selected_len = selected_len;
1764 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
1771 #ifndef OPENSSL_NO_EC
1773 * ssl_check_for_safari attempts to fingerprint Safari using OS X
1774 * SecureTransport using the TLS extension block in |pkt|.
1775 * Safari, since 10.6, sends exactly these extensions, in this order:
1780 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1781 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1782 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1783 * 10.8..10.8.3 (which don't work).
1785 static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
1791 static const unsigned char kSafariExtensionsBlock[] = {
1792 0x00, 0x0a, /* elliptic_curves extension */
1793 0x00, 0x08, /* 8 bytes */
1794 0x00, 0x06, /* 6 bytes of curve ids */
1795 0x00, 0x17, /* P-256 */
1796 0x00, 0x18, /* P-384 */
1797 0x00, 0x19, /* P-521 */
1799 0x00, 0x0b, /* ec_point_formats */
1800 0x00, 0x02, /* 2 bytes */
1801 0x01, /* 1 point format */
1802 0x00, /* uncompressed */
1803 /* The following is only present in TLS 1.2 */
1804 0x00, 0x0d, /* signature_algorithms */
1805 0x00, 0x0c, /* 12 bytes */
1806 0x00, 0x0a, /* 10 bytes */
1807 0x05, 0x01, /* SHA-384/RSA */
1808 0x04, 0x01, /* SHA-256/RSA */
1809 0x02, 0x01, /* SHA-1/RSA */
1810 0x04, 0x03, /* SHA-256/ECDSA */
1811 0x02, 0x03, /* SHA-1/ECDSA */
1814 /* Length of the common prefix (first two extensions). */
1815 static const size_t kSafariCommonExtensionsLength = 18;
1819 if (!PACKET_forward(&tmppkt, 2)
1820 || !PACKET_get_net_2(&tmppkt, &type)
1821 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
1825 if (type != TLSEXT_TYPE_server_name)
1828 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1829 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
1831 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1834 #endif /* !OPENSSL_NO_EC */
1837 * Parse ClientHello extensions and stash extension info in various parts of
1838 * the SSL object. Verify that there are no duplicate extensions.
1840 * Behaviour upon resumption is extension-specific. If the extension has no
1841 * effect during resumption, it is parsed (to verify its format) but otherwise
1844 * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure.
1845 * Upon failure, sets |al| to the appropriate alert.
1847 static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
1850 int renegotiate_seen = 0;
1853 *al = SSL_AD_DECODE_ERROR;
1854 s->servername_done = 0;
1855 s->tlsext_status_type = -1;
1856 #ifndef OPENSSL_NO_NEXTPROTONEG
1857 s->s3->next_proto_neg_seen = 0;
1860 OPENSSL_free(s->s3->alpn_selected);
1861 s->s3->alpn_selected = NULL;
1862 #ifndef OPENSSL_NO_HEARTBEATS
1863 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
1864 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
1867 #ifndef OPENSSL_NO_EC
1868 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1869 ssl_check_for_safari(s, pkt);
1870 # endif /* !OPENSSL_NO_EC */
1872 /* Clear any signature algorithms extension received */
1873 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1874 s->s3->tmp.peer_sigalgs = NULL;
1875 #ifdef TLSEXT_TYPE_encrypt_then_mac
1876 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1879 #ifndef OPENSSL_NO_SRP
1880 OPENSSL_free(s->srp_ctx.login);
1881 s->srp_ctx.login = NULL;
1884 s->srtp_profile = NULL;
1886 if (PACKET_remaining(pkt) == 0)
1889 if (!PACKET_as_length_prefixed_2(pkt, &extensions))
1892 if (!tls1_check_duplicate_extensions(&extensions))
1896 * We parse all extensions to ensure the ClientHello is well-formed but,
1897 * unless an extension specifies otherwise, we ignore extensions upon
1900 while (PACKET_get_net_2(&extensions, &type)) {
1902 if (!PACKET_get_length_prefixed_2(&extensions, &extension))
1905 if (s->tlsext_debug_cb)
1906 s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
1907 PACKET_remaining(&extension),
1908 s->tlsext_debug_arg);
1910 if (type == TLSEXT_TYPE_renegotiate) {
1911 if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al))
1913 renegotiate_seen = 1;
1914 } else if (s->version == SSL3_VERSION) {
1917 * The servername extension is treated as follows:
1919 * - Only the hostname type is supported with a maximum length of 255.
1920 * - The servername is rejected if too long or if it contains zeros,
1921 * in which case an fatal alert is generated.
1922 * - The servername field is maintained together with the session cache.
1923 * - When a session is resumed, the servername call back invoked in order
1924 * to allow the application to position itself to the right context.
1925 * - The servername is acknowledged if it is new for a session or when
1926 * it is identical to a previously used for the same session.
1927 * Applications can control the behaviour. They can at any time
1928 * set a 'desirable' servername for a new SSL object. This can be the
1929 * case for example with HTTPS when a Host: header field is received and
1930 * a renegotiation is requested. In this case, a possible servername
1931 * presented in the new client hello is only acknowledged if it matches
1932 * the value of the Host: field.
1933 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1934 * if they provide for changing an explicit servername context for the
1935 * session, i.e. when the session has been established with a servername
1937 * - On session reconnect, the servername extension may be absent.
1941 else if (type == TLSEXT_TYPE_server_name) {
1942 unsigned int servname_type;
1943 PACKET sni, hostname;
1945 if (!PACKET_as_length_prefixed_2(&extension, &sni)
1946 /* ServerNameList must be at least 1 byte long. */
1947 || PACKET_remaining(&sni) == 0) {
1952 * Although the server_name extension was intended to be
1953 * extensible to new name types, RFC 4366 defined the
1954 * syntax inextensibly and OpenSSL 1.0.x parses it as
1956 * RFC 6066 corrected the mistake but adding new name types
1957 * is nevertheless no longer feasible, so act as if no other
1958 * SNI types can exist, to simplify parsing.
1960 * Also note that the RFC permits only one SNI value per type,
1961 * i.e., we can only have a single hostname.
1963 if (!PACKET_get_1(&sni, &servname_type)
1964 || servname_type != TLSEXT_NAMETYPE_host_name
1965 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
1970 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
1971 *al = TLS1_AD_UNRECOGNIZED_NAME;
1975 if (PACKET_contains_zero_byte(&hostname)) {
1976 *al = TLS1_AD_UNRECOGNIZED_NAME;
1980 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
1981 *al = TLS1_AD_INTERNAL_ERROR;
1985 s->servername_done = 1;
1988 * TODO(openssl-team): if the SNI doesn't match, we MUST
1989 * fall back to a full handshake.
1991 s->servername_done = s->session->tlsext_hostname
1992 && PACKET_equal(&hostname, s->session->tlsext_hostname,
1993 strlen(s->session->tlsext_hostname));
1996 #ifndef OPENSSL_NO_SRP
1997 else if (type == TLSEXT_TYPE_srp) {
2000 if (!PACKET_as_length_prefixed_1(&extension, &srp_I))
2003 if (PACKET_contains_zero_byte(&srp_I))
2007 * TODO(openssl-team): currently, we re-authenticate the user
2008 * upon resumption. Instead, we MUST ignore the login.
2010 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
2011 *al = TLS1_AD_INTERNAL_ERROR;
2017 #ifndef OPENSSL_NO_EC
2018 else if (type == TLSEXT_TYPE_ec_point_formats) {
2019 PACKET ec_point_format_list;
2021 if (!PACKET_as_length_prefixed_1(&extension,
2022 &ec_point_format_list)
2023 || PACKET_remaining(&ec_point_format_list) == 0) {
2028 if (!PACKET_memdup(&ec_point_format_list,
2029 &s->session->tlsext_ecpointformatlist,
2030 &s->session->tlsext_ecpointformatlist_length)) {
2031 *al = TLS1_AD_INTERNAL_ERROR;
2035 } else if (type == TLSEXT_TYPE_elliptic_curves) {
2036 PACKET elliptic_curve_list;
2038 /* Each NamedCurve is 2 bytes and we must have at least 1. */
2039 if (!PACKET_as_length_prefixed_2(&extension,
2040 &elliptic_curve_list)
2041 || PACKET_remaining(&elliptic_curve_list) == 0
2042 || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
2047 if (!PACKET_memdup(&elliptic_curve_list,
2048 &s->session->tlsext_ellipticcurvelist,
2049 &s->session->tlsext_ellipticcurvelist_length)) {
2050 *al = TLS1_AD_INTERNAL_ERROR;
2055 #endif /* OPENSSL_NO_EC */
2056 else if (type == TLSEXT_TYPE_session_ticket) {
2057 if (s->tls_session_ticket_ext_cb &&
2058 !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
2059 PACKET_remaining(&extension),
2060 s->tls_session_ticket_ext_cb_arg)) {
2061 *al = TLS1_AD_INTERNAL_ERROR;
2064 } else if (type == TLSEXT_TYPE_signature_algorithms) {
2065 PACKET supported_sig_algs;
2067 if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs)
2068 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
2069 || PACKET_remaining(&supported_sig_algs) == 0) {
2074 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
2075 PACKET_remaining(&supported_sig_algs))) {
2079 } else if (type == TLSEXT_TYPE_status_request) {
2080 const unsigned char *ext_data;
2082 if (!PACKET_get_1(&extension,
2083 (unsigned int *)&s->tlsext_status_type)) {
2087 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2088 PACKET responder_id_list, exts;
2089 if (!PACKET_get_length_prefixed_2(&extension, &responder_id_list))
2092 while (PACKET_remaining(&responder_id_list) > 0) {
2094 PACKET responder_id;
2095 const unsigned char *id_data;
2097 if (!PACKET_get_length_prefixed_2(&responder_id_list,
2099 || PACKET_remaining(&responder_id) == 0) {
2103 if (s->tlsext_ocsp_ids == NULL
2104 && (s->tlsext_ocsp_ids =
2105 sk_OCSP_RESPID_new_null()) == NULL) {
2106 *al = SSL_AD_INTERNAL_ERROR;
2110 id_data = PACKET_data(&responder_id);
2111 id = d2i_OCSP_RESPID(NULL, &id_data,
2112 PACKET_remaining(&responder_id));
2116 if (id_data != PACKET_end(&responder_id)) {
2117 OCSP_RESPID_free(id);
2121 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2122 OCSP_RESPID_free(id);
2123 *al = SSL_AD_INTERNAL_ERROR;
2128 /* Read in request_extensions */
2129 if (!PACKET_as_length_prefixed_2(&extension, &exts))
2132 if (PACKET_remaining(&exts) > 0) {
2133 ext_data = PACKET_data(&exts);
2134 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2135 X509_EXTENSION_free);
2136 s->tlsext_ocsp_exts =
2137 d2i_X509_EXTENSIONS(NULL, &ext_data,
2138 PACKET_remaining(&exts));
2139 if (s->tlsext_ocsp_exts == NULL
2140 || ext_data != PACKET_end(&exts)) {
2145 * We don't know what to do with any other type * so ignore it.
2148 s->tlsext_status_type = -1;
2151 #ifndef OPENSSL_NO_HEARTBEATS
2152 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
2153 unsigned int hbtype;
2155 if (!PACKET_get_1(&extension, &hbtype)
2156 || PACKET_remaining(&extension)) {
2157 *al = SSL_AD_DECODE_ERROR;
2161 case 0x01: /* Client allows us to send HB requests */
2162 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2164 case 0x02: /* Client doesn't accept HB requests */
2165 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2166 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
2169 *al = SSL_AD_ILLEGAL_PARAMETER;
2174 #ifndef OPENSSL_NO_NEXTPROTONEG
2175 else if (type == TLSEXT_TYPE_next_proto_neg &&
2176 s->s3->tmp.finish_md_len == 0 &&
2177 s->s3->alpn_selected == NULL) {
2179 * We shouldn't accept this extension on a
2182 * s->new_session will be set on renegotiation, but we
2183 * probably shouldn't rely that it couldn't be set on
2184 * the initial renegotation too in certain cases (when
2185 * there's some other reason to disallow resuming an
2186 * earlier session -- the current code won't be doing
2187 * anything like that, but this might change).
2189 * A valid sign that there's been a previous handshake
2190 * in this connection is if s->s3->tmp.finish_md_len >
2191 * 0. (We are talking about a check that will happen
2192 * in the Hello protocol round, well before a new
2193 * Finished message could have been computed.)
2195 s->s3->next_proto_neg_seen = 1;
2199 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2200 s->s3->tmp.finish_md_len == 0) {
2201 if (!tls1_alpn_handle_client_hello(s, &extension, al))
2203 #ifndef OPENSSL_NO_NEXTPROTONEG
2204 /* ALPN takes precedence over NPN. */
2205 s->s3->next_proto_neg_seen = 0;
2209 /* session ticket processed earlier */
2210 #ifndef OPENSSL_NO_SRTP
2211 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2212 && type == TLSEXT_TYPE_use_srtp) {
2213 if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al))
2217 #ifdef TLSEXT_TYPE_encrypt_then_mac
2218 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2219 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2222 * Note: extended master secret extension handled in
2223 * tls_check_serverhello_tlsext_early()
2227 * If this ClientHello extension was unhandled and this is a
2228 * nonresumed connection, check whether the extension is a custom
2229 * TLS Extension (has a custom_srv_ext_record), and if so call the
2230 * callback and record the extension number so that an appropriate
2231 * ServerHello may be later returned.
2234 if (custom_ext_parse(s, 1, type, PACKET_data(&extension),
2235 PACKET_remaining(&extension), al) <= 0)
2240 if (PACKET_remaining(pkt) != 0) {
2241 /* tls1_check_duplicate_extensions should ensure this never happens. */
2242 *al = SSL_AD_INTERNAL_ERROR;
2248 /* Need RI if renegotiating */
2250 if (!renegotiate_seen && s->renegotiate &&
2251 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2252 *al = SSL_AD_HANDSHAKE_FAILURE;
2253 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2254 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2259 * This function currently has no state to clean up, so it returns directly.
2260 * If parsing fails at any point, the function returns early.
2261 * The SSL object may be left with partial data from extensions, but it must
2262 * then no longer be used, and clearing it up will free the leftovers.
2267 int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
2270 custom_ext_init(&s->cert->srv_ext);
2271 if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
2272 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2275 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2276 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2282 #ifndef OPENSSL_NO_NEXTPROTONEG
2284 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2285 * elements of zero length are allowed and the set of elements must exactly
2286 * fill the length of the block.
2288 static char ssl_next_proto_validate(PACKET *pkt)
2292 while (PACKET_remaining(pkt)) {
2293 if (!PACKET_get_1(pkt, &len)
2294 || !PACKET_forward(pkt, len))
2302 static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
2304 unsigned int length, type, size;
2305 int tlsext_servername = 0;
2306 int renegotiate_seen = 0;
2308 #ifndef OPENSSL_NO_NEXTPROTONEG
2309 s->s3->next_proto_neg_seen = 0;
2311 s->tlsext_ticket_expected = 0;
2313 OPENSSL_free(s->s3->alpn_selected);
2314 s->s3->alpn_selected = NULL;
2315 #ifndef OPENSSL_NO_HEARTBEATS
2316 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
2317 SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
2320 #ifdef TLSEXT_TYPE_encrypt_then_mac
2321 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2324 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2326 if (!PACKET_get_net_2(pkt, &length))
2329 if (PACKET_remaining(pkt) != length) {
2330 *al = SSL_AD_DECODE_ERROR;
2334 if (!tls1_check_duplicate_extensions(pkt)) {
2335 *al = SSL_AD_DECODE_ERROR;
2339 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
2340 const unsigned char *data;
2343 if (!PACKET_get_sub_packet(pkt, &spkt, size)
2344 || !PACKET_peek_bytes(&spkt, &data, size))
2347 if (s->tlsext_debug_cb)
2348 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2350 if (type == TLSEXT_TYPE_renegotiate) {
2351 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
2353 renegotiate_seen = 1;
2354 } else if (s->version == SSL3_VERSION) {
2355 } else if (type == TLSEXT_TYPE_server_name) {
2356 if (s->tlsext_hostname == NULL || size > 0) {
2357 *al = TLS1_AD_UNRECOGNIZED_NAME;
2360 tlsext_servername = 1;
2362 #ifndef OPENSSL_NO_EC
2363 else if (type == TLSEXT_TYPE_ec_point_formats) {
2364 unsigned int ecpointformatlist_length;
2365 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
2366 || ecpointformatlist_length != size - 1) {
2367 *al = TLS1_AD_DECODE_ERROR;
2371 s->session->tlsext_ecpointformatlist_length = 0;
2372 OPENSSL_free(s->session->tlsext_ecpointformatlist);
2373 if ((s->session->tlsext_ecpointformatlist =
2374 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2375 *al = TLS1_AD_INTERNAL_ERROR;
2378 s->session->tlsext_ecpointformatlist_length =
2379 ecpointformatlist_length;
2380 if (!PACKET_copy_bytes(&spkt,
2381 s->session->tlsext_ecpointformatlist,
2382 ecpointformatlist_length)) {
2383 *al = TLS1_AD_DECODE_ERROR;
2389 #endif /* OPENSSL_NO_EC */
2391 else if (type == TLSEXT_TYPE_session_ticket) {
2392 if (s->tls_session_ticket_ext_cb &&
2393 !s->tls_session_ticket_ext_cb(s, data, size,
2394 s->tls_session_ticket_ext_cb_arg))
2396 *al = TLS1_AD_INTERNAL_ERROR;
2399 if (!tls_use_ticket(s) || (size > 0)) {
2400 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2403 s->tlsext_ticket_expected = 1;
2405 else if (type == TLSEXT_TYPE_status_request) {
2407 * MUST be empty and only sent if we've requested a status
2410 if ((s->tlsext_status_type == -1) || (size > 0)) {
2411 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2414 /* Set flag to expect CertificateStatus message */
2415 s->tlsext_status_expected = 1;
2417 #ifndef OPENSSL_NO_NEXTPROTONEG
2418 else if (type == TLSEXT_TYPE_next_proto_neg &&
2419 s->s3->tmp.finish_md_len == 0) {
2420 unsigned char *selected;
2421 unsigned char selected_len;
2422 /* We must have requested it. */
2423 if (s->ctx->next_proto_select_cb == NULL) {
2424 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2427 /* The data must be valid */
2428 if (!ssl_next_proto_validate(&spkt)) {
2429 *al = TLS1_AD_DECODE_ERROR;
2433 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2435 s->ctx->next_proto_select_cb_arg) !=
2436 SSL_TLSEXT_ERR_OK) {
2437 *al = TLS1_AD_INTERNAL_ERROR;
2440 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2441 if (s->next_proto_negotiated == NULL) {
2442 *al = TLS1_AD_INTERNAL_ERROR;
2445 memcpy(s->next_proto_negotiated, selected, selected_len);
2446 s->next_proto_negotiated_len = selected_len;
2447 s->s3->next_proto_neg_seen = 1;
2451 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2453 /* We must have requested it. */
2454 if (s->alpn_client_proto_list == NULL) {
2455 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2459 * The extension data consists of:
2460 * uint16 list_length
2461 * uint8 proto_length;
2462 * uint8 proto[proto_length];
2464 if (!PACKET_get_net_2(&spkt, &len)
2465 || PACKET_remaining(&spkt) != len
2466 || !PACKET_get_1(&spkt, &len)
2467 || PACKET_remaining(&spkt) != len) {
2468 *al = TLS1_AD_DECODE_ERROR;
2471 OPENSSL_free(s->s3->alpn_selected);
2472 s->s3->alpn_selected = OPENSSL_malloc(len);
2473 if (s->s3->alpn_selected == NULL) {
2474 *al = TLS1_AD_INTERNAL_ERROR;
2477 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2478 *al = TLS1_AD_DECODE_ERROR;
2481 s->s3->alpn_selected_len = len;
2483 #ifndef OPENSSL_NO_HEARTBEATS
2484 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
2485 unsigned int hbtype;
2486 if (!PACKET_get_1(&spkt, &hbtype)) {
2487 *al = SSL_AD_DECODE_ERROR;
2491 case 0x01: /* Server allows us to send HB requests */
2492 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2494 case 0x02: /* Server doesn't accept HB requests */
2495 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
2496 s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
2499 *al = SSL_AD_ILLEGAL_PARAMETER;
2504 #ifndef OPENSSL_NO_SRTP
2505 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2506 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
2510 #ifdef TLSEXT_TYPE_encrypt_then_mac
2511 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2512 /* Ignore if inappropriate ciphersuite */
2513 if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2514 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2515 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2518 else if (type == TLSEXT_TYPE_extended_master_secret) {
2519 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
2521 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2524 * If this extension type was not otherwise handled, but matches a
2525 * custom_cli_ext_record, then send it to the c callback
2527 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2531 if (PACKET_remaining(pkt) != 0) {
2532 *al = SSL_AD_DECODE_ERROR;
2536 if (!s->hit && tlsext_servername == 1) {
2537 if (s->tlsext_hostname) {
2538 if (s->session->tlsext_hostname == NULL) {
2539 s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
2540 if (!s->session->tlsext_hostname) {
2541 *al = SSL_AD_UNRECOGNIZED_NAME;
2545 *al = SSL_AD_DECODE_ERROR;
2554 * Determine if we need to see RI. Strictly speaking if we want to avoid
2555 * an attack we should *always* see RI even on initial server hello
2556 * because the client doesn't see any renegotiation during an attack.
2557 * However this would mean we could not connect to any server which
2558 * doesn't support RI so for the immediate future tolerate RI absence on
2559 * initial connect only.
2561 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2562 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2563 *al = SSL_AD_HANDSHAKE_FAILURE;
2564 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2565 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2571 * Check extended master secret extension is consistent with
2574 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2575 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2576 *al = SSL_AD_HANDSHAKE_FAILURE;
2577 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2585 int ssl_prepare_clienthello_tlsext(SSL *s)
2591 int ssl_prepare_serverhello_tlsext(SSL *s)
2596 static int ssl_check_clienthello_tlsext_early(SSL *s)
2598 int ret = SSL_TLSEXT_ERR_NOACK;
2599 int al = SSL_AD_UNRECOGNIZED_NAME;
2601 #ifndef OPENSSL_NO_EC
2603 * The handling of the ECPointFormats extension is done elsewhere, namely
2604 * in ssl3_choose_cipher in s3_lib.c.
2607 * The handling of the EllipticCurves extension is done elsewhere, namely
2608 * in ssl3_choose_cipher in s3_lib.c.
2612 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2614 s->ctx->tlsext_servername_callback(s, &al,
2615 s->ctx->tlsext_servername_arg);
2616 else if (s->initial_ctx != NULL
2617 && s->initial_ctx->tlsext_servername_callback != 0)
2619 s->initial_ctx->tlsext_servername_callback(s, &al,
2621 initial_ctx->tlsext_servername_arg);
2624 case SSL_TLSEXT_ERR_ALERT_FATAL:
2625 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2628 case SSL_TLSEXT_ERR_ALERT_WARNING:
2629 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2632 case SSL_TLSEXT_ERR_NOACK:
2633 s->servername_done = 0;
2638 /* Initialise digests to default values */
2639 void ssl_set_default_md(SSL *s)
2641 const EVP_MD **pmd = s->s3->tmp.md;
2642 #ifndef OPENSSL_NO_DSA
2643 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2645 #ifndef OPENSSL_NO_RSA
2646 if (SSL_USE_SIGALGS(s))
2647 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2649 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
2650 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
2652 #ifndef OPENSSL_NO_EC
2653 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
2655 #ifndef OPENSSL_NO_GOST
2656 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2657 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2658 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
2662 int tls1_set_server_sigalgs(SSL *s)
2666 /* Clear any shared sigtnature algorithms */
2667 OPENSSL_free(s->cert->shared_sigalgs);
2668 s->cert->shared_sigalgs = NULL;
2669 s->cert->shared_sigalgslen = 0;
2670 /* Clear certificate digests and validity flags */
2671 for (i = 0; i < SSL_PKEY_NUM; i++) {
2672 s->s3->tmp.md[i] = NULL;
2673 s->s3->tmp.valid_flags[i] = 0;
2676 /* If sigalgs received process it. */
2677 if (s->s3->tmp.peer_sigalgs) {
2678 if (!tls1_process_sigalgs(s)) {
2679 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2680 al = SSL_AD_INTERNAL_ERROR;
2683 /* Fatal error is no shared signature algorithms */
2684 if (!s->cert->shared_sigalgs) {
2685 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2686 SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2687 al = SSL_AD_ILLEGAL_PARAMETER;
2691 ssl_set_default_md(s);
2695 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2699 int ssl_check_clienthello_tlsext_late(SSL *s)
2701 int ret = SSL_TLSEXT_ERR_OK;
2702 int al = SSL_AD_INTERNAL_ERROR;
2705 * If status request then ask callback what to do. Note: this must be
2706 * called after servername callbacks in case the certificate has changed,
2707 * and must be called after the cipher has been chosen because this may
2708 * influence which certificate is sent
2710 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2712 CERT_PKEY *certpkey;
2713 certpkey = ssl_get_server_send_pkey(s);
2714 /* If no certificate can't return certificate status */
2715 if (certpkey == NULL) {
2716 s->tlsext_status_expected = 0;
2720 * Set current certificate to one we will use so SSL_get_certificate
2721 * et al can pick it up.
2723 s->cert->key = certpkey;
2724 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2726 /* We don't want to send a status request response */
2727 case SSL_TLSEXT_ERR_NOACK:
2728 s->tlsext_status_expected = 0;
2730 /* status request response should be sent */
2731 case SSL_TLSEXT_ERR_OK:
2732 if (s->tlsext_ocsp_resp)
2733 s->tlsext_status_expected = 1;
2735 s->tlsext_status_expected = 0;
2737 /* something bad happened */
2738 case SSL_TLSEXT_ERR_ALERT_FATAL:
2739 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2740 al = SSL_AD_INTERNAL_ERROR;
2744 s->tlsext_status_expected = 0;
2748 case SSL_TLSEXT_ERR_ALERT_FATAL:
2749 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2752 case SSL_TLSEXT_ERR_ALERT_WARNING:
2753 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2761 int ssl_check_serverhello_tlsext(SSL *s)
2763 int ret = SSL_TLSEXT_ERR_NOACK;
2764 int al = SSL_AD_UNRECOGNIZED_NAME;
2766 #ifndef OPENSSL_NO_EC
2768 * If we are client and using an elliptic curve cryptography cipher
2769 * suite, then if server returns an EC point formats lists extension it
2770 * must contain uncompressed.
2772 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2773 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2774 if ((s->tlsext_ecpointformatlist != NULL)
2775 && (s->tlsext_ecpointformatlist_length > 0)
2776 && (s->session->tlsext_ecpointformatlist != NULL)
2777 && (s->session->tlsext_ecpointformatlist_length > 0)
2778 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
2779 /* we are using an ECC cipher */
2781 unsigned char *list;
2782 int found_uncompressed = 0;
2783 list = s->session->tlsext_ecpointformatlist;
2784 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2785 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2786 found_uncompressed = 1;
2790 if (!found_uncompressed) {
2791 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2792 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2796 ret = SSL_TLSEXT_ERR_OK;
2797 #endif /* OPENSSL_NO_EC */
2799 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2801 s->ctx->tlsext_servername_callback(s, &al,
2802 s->ctx->tlsext_servername_arg);
2803 else if (s->initial_ctx != NULL
2804 && s->initial_ctx->tlsext_servername_callback != 0)
2806 s->initial_ctx->tlsext_servername_callback(s, &al,
2808 initial_ctx->tlsext_servername_arg);
2811 * Ensure we get sensible values passed to tlsext_status_cb in the event
2812 * that we don't receive a status message
2814 OPENSSL_free(s->tlsext_ocsp_resp);
2815 s->tlsext_ocsp_resp = NULL;
2816 s->tlsext_ocsp_resplen = -1;
2819 case SSL_TLSEXT_ERR_ALERT_FATAL:
2820 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2823 case SSL_TLSEXT_ERR_ALERT_WARNING:
2824 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2827 case SSL_TLSEXT_ERR_NOACK:
2828 s->servername_done = 0;
2834 int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
2837 if (s->version < SSL3_VERSION)
2839 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
2840 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2844 if (ssl_check_serverhello_tlsext(s) <= 0) {
2845 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2852 * Since the server cache lookup is done early on in the processing of the
2853 * ClientHello and other operations depend on the result some extensions
2854 * need to be handled at the same time.
2856 * Two extensions are currently handled, session ticket and extended master
2859 * session_id: ClientHello session ID.
2860 * ext: ClientHello extensions (including length prefix)
2861 * ret: (output) on return, if a ticket was decrypted, then this is set to
2862 * point to the resulting session.
2864 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2865 * ciphersuite, in which case we have no use for session tickets and one will
2866 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2869 * -1: fatal error, either from parsing or decrypting the ticket.
2870 * 0: no ticket was found (or was ignored, based on settings).
2871 * 1: a zero length extension was found, indicating that the client supports
2872 * session tickets but doesn't currently have one to offer.
2873 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2874 * couldn't be decrypted because of a non-fatal error.
2875 * 3: a ticket was successfully decrypted and *ret was set.
2878 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2879 * a new session ticket to the client because the client indicated support
2880 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2881 * a session ticket or we couldn't use the one it gave us, or if
2882 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2883 * Otherwise, s->tlsext_ticket_expected is set to 0.
2885 * For extended master secret flag is set if the extension is present.
2888 int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
2889 const PACKET *session_id,
2893 PACKET local_ext = *ext;
2896 int have_ticket = 0;
2897 int use_ticket = tls_use_ticket(s);
2900 s->tlsext_ticket_expected = 0;
2901 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
2904 * If tickets disabled behave as if no ticket present to permit stateful
2907 if ((s->version <= SSL3_VERSION))
2910 if (!PACKET_get_net_2(&local_ext, &i)) {
2914 while (PACKET_remaining(&local_ext) >= 4) {
2915 unsigned int type, size;
2917 if (!PACKET_get_net_2(&local_ext, &type)
2918 || !PACKET_get_net_2(&local_ext, &size)) {
2919 /* Shouldn't ever happen */
2923 if (PACKET_remaining(&local_ext) < size) {
2927 if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
2929 const unsigned char *etick;
2931 /* Duplicate extension */
2932 if (have_ticket != 0) {
2940 * The client will accept a ticket but doesn't currently have
2943 s->tlsext_ticket_expected = 1;
2947 if (s->tls_session_secret_cb) {
2949 * Indicate that the ticket couldn't be decrypted rather than
2950 * generating the session from ticket now, trigger
2951 * abbreviated handshake based on external mechanism to
2952 * calculate the master secret later.
2957 if (!PACKET_get_bytes(&local_ext, &etick, size)) {
2958 /* Shouldn't ever happen */
2962 r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
2963 PACKET_remaining(session_id), ret);
2965 case 2: /* ticket couldn't be decrypted */
2966 s->tlsext_ticket_expected = 1;
2969 case 3: /* ticket was decrypted */
2972 case 4: /* ticket decrypted but need to renew */
2973 s->tlsext_ticket_expected = 1;
2976 default: /* fatal error */
2982 if (type == TLSEXT_TYPE_extended_master_secret)
2983 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
2984 if (!PACKET_forward(&local_ext, size)) {
2990 if (have_ticket == 0)
2997 * tls_decrypt_ticket attempts to decrypt a session ticket.
2999 * etick: points to the body of the session ticket extension.
3000 * eticklen: the length of the session tickets extenion.
3001 * sess_id: points at the session ID.
3002 * sesslen: the length of the session ID.
3003 * psess: (output) on return, if a ticket was decrypted, then this is set to
3004 * point to the resulting session.
3007 * -2: fatal error, malloc failure.
3008 * -1: fatal error, either from parsing or decrypting the ticket.
3009 * 2: the ticket couldn't be decrypted.
3010 * 3: a ticket was successfully decrypted and *psess was set.
3011 * 4: same as 3, but the ticket needs to be renewed.
3013 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3014 int eticklen, const unsigned char *sess_id,
3015 int sesslen, SSL_SESSION **psess)
3018 unsigned char *sdec;
3019 const unsigned char *p;
3020 int slen, mlen, renew_ticket = 0, ret = -1;
3021 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3022 HMAC_CTX *hctx = NULL;
3023 EVP_CIPHER_CTX *ctx;
3024 SSL_CTX *tctx = s->initial_ctx;
3025 /* Need at least keyname + iv + some encrypted data */
3028 /* Initialize session ticket encryption and HMAC contexts */
3029 hctx = HMAC_CTX_new();
3032 ctx = EVP_CIPHER_CTX_new();
3037 if (tctx->tlsext_ticket_key_cb) {
3038 unsigned char *nctick = (unsigned char *)etick;
3039 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3050 /* Check key name matches */
3051 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) {
3055 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
3056 EVP_sha256(), NULL) <= 0
3057 || EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
3058 tctx->tlsext_tick_aes_key,
3064 * Attempt to process session ticket, first conduct sanity and integrity
3067 mlen = HMAC_size(hctx);
3072 /* Check HMAC of encrypted ticket */
3073 if (HMAC_Update(hctx, etick, eticklen) <= 0
3074 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
3077 HMAC_CTX_free(hctx);
3078 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3079 EVP_CIPHER_CTX_free(ctx);
3082 /* Attempt to decrypt session data */
3083 /* Move p after IV to start of encrypted ticket, update length */
3084 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
3085 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
3086 sdec = OPENSSL_malloc(eticklen);
3088 || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
3089 EVP_CIPHER_CTX_free(ctx);
3092 if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
3093 EVP_CIPHER_CTX_free(ctx);
3098 EVP_CIPHER_CTX_free(ctx);
3102 sess = d2i_SSL_SESSION(NULL, &p, slen);
3106 * The session ID, if non-empty, is used by some clients to detect
3107 * that the ticket has been accepted. So we copy it to the session
3108 * structure. If it is empty set length to zero as required by
3112 memcpy(sess->session_id, sess_id, sesslen);
3113 sess->session_id_length = sesslen;
3122 * For session parse failure, indicate that we need to send a new ticket.
3126 EVP_CIPHER_CTX_free(ctx);
3127 HMAC_CTX_free(hctx);
3131 /* Tables to translate from NIDs to TLS v1.2 ids */
3138 static const tls12_lookup tls12_md[] = {
3139 {NID_md5, TLSEXT_hash_md5},
3140 {NID_sha1, TLSEXT_hash_sha1},
3141 {NID_sha224, TLSEXT_hash_sha224},
3142 {NID_sha256, TLSEXT_hash_sha256},
3143 {NID_sha384, TLSEXT_hash_sha384},
3144 {NID_sha512, TLSEXT_hash_sha512},
3145 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
3146 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
3147 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
3150 static const tls12_lookup tls12_sig[] = {
3151 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3152 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3153 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
3154 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
3155 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
3156 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
3159 static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
3162 for (i = 0; i < tlen; i++) {
3163 if (table[i].nid == nid)
3169 static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
3172 for (i = 0; i < tlen; i++) {
3173 if ((table[i].id) == id)
3174 return table[i].nid;
3179 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3185 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
3188 sig_id = tls12_get_sigid(pk);
3191 p[0] = (unsigned char)md_id;
3192 p[1] = (unsigned char)sig_id;
3196 int tls12_get_sigid(const EVP_PKEY *pk)
3198 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
3205 unsigned char tlsext_hash;
3208 static const tls12_hash_info tls12_md_info[] = {
3209 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
3210 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
3211 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
3212 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
3213 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
3214 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
3215 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
3216 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
3217 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
3220 static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
3226 for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
3228 if (tls12_md_info[i].tlsext_hash == hash_alg)
3229 return tls12_md_info + i;
3235 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3237 const tls12_hash_info *inf;
3238 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
3240 inf = tls12_get_hash_info(hash_alg);
3243 return ssl_md(inf->md_idx);
3246 static int tls12_get_pkey_idx(unsigned char sig_alg)
3249 #ifndef OPENSSL_NO_RSA
3250 case TLSEXT_signature_rsa:
3251 return SSL_PKEY_RSA_SIGN;
3253 #ifndef OPENSSL_NO_DSA
3254 case TLSEXT_signature_dsa:
3255 return SSL_PKEY_DSA_SIGN;
3257 #ifndef OPENSSL_NO_EC
3258 case TLSEXT_signature_ecdsa:
3259 return SSL_PKEY_ECC;
3261 # ifndef OPENSSL_NO_GOST
3262 case TLSEXT_signature_gostr34102001:
3263 return SSL_PKEY_GOST01;
3265 case TLSEXT_signature_gostr34102012_256:
3266 return SSL_PKEY_GOST12_256;
3268 case TLSEXT_signature_gostr34102012_512:
3269 return SSL_PKEY_GOST12_512;
3275 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3276 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3277 int *psignhash_nid, const unsigned char *data)
3279 int sign_nid = NID_undef, hash_nid = NID_undef;
3280 if (!phash_nid && !psign_nid && !psignhash_nid)
3282 if (phash_nid || psignhash_nid) {
3283 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
3285 *phash_nid = hash_nid;
3287 if (psign_nid || psignhash_nid) {
3288 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
3290 *psign_nid = sign_nid;
3292 if (psignhash_nid) {
3293 if (sign_nid == NID_undef || hash_nid == NID_undef
3294 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
3296 *psignhash_nid = NID_undef;
3300 /* Check to see if a signature algorithm is allowed */
3301 static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
3303 /* See if we have an entry in the hash table and it is enabled */
3304 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
3305 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
3307 /* See if public key algorithm allowed */
3308 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3310 /* Finally see if security callback allows it */
3311 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
3315 * Get a mask of disabled public key algorithms based on supported signature
3316 * algorithms. For example if no signature algorithm supports RSA then RSA is
3320 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
3322 const unsigned char *sigalgs;
3323 size_t i, sigalgslen;
3324 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
3326 * Now go through all signature algorithms seeing if we support any for
3327 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
3328 * down calls to security callback only check if we have to.
3330 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
3331 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
3332 switch (sigalgs[1]) {
3333 #ifndef OPENSSL_NO_RSA
3334 case TLSEXT_signature_rsa:
3335 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
3339 #ifndef OPENSSL_NO_DSA
3340 case TLSEXT_signature_dsa:
3341 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
3345 #ifndef OPENSSL_NO_EC
3346 case TLSEXT_signature_ecdsa:
3347 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
3354 *pmask_a |= SSL_aRSA;
3356 *pmask_a |= SSL_aDSS;
3358 *pmask_a |= SSL_aECDSA;
3361 size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
3362 const unsigned char *psig, size_t psiglen)
3364 unsigned char *tmpout = out;
3366 for (i = 0; i < psiglen; i += 2, psig += 2) {
3367 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
3368 *tmpout++ = psig[0];
3369 *tmpout++ = psig[1];
3372 return tmpout - out;
3375 /* Given preference and allowed sigalgs set shared sigalgs */
3376 static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
3377 const unsigned char *pref, size_t preflen,
3378 const unsigned char *allow, size_t allowlen)
3380 const unsigned char *ptmp, *atmp;
3381 size_t i, j, nmatch = 0;
3382 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3383 /* Skip disabled hashes or signature algorithms */
3384 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
3386 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3387 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3390 shsig->rhash = ptmp[0];
3391 shsig->rsign = ptmp[1];
3392 tls1_lookup_sigalg(&shsig->hash_nid,
3394 &shsig->signandhash_nid, ptmp);
3404 /* Set shared signature algorithms for SSL structures */
3405 static int tls1_set_shared_sigalgs(SSL *s)
3407 const unsigned char *pref, *allow, *conf;
3408 size_t preflen, allowlen, conflen;
3410 TLS_SIGALGS *salgs = NULL;
3412 unsigned int is_suiteb = tls1_suiteb(s);
3414 OPENSSL_free(c->shared_sigalgs);
3415 c->shared_sigalgs = NULL;
3416 c->shared_sigalgslen = 0;
3417 /* If client use client signature algorithms if not NULL */
3418 if (!s->server && c->client_sigalgs && !is_suiteb) {
3419 conf = c->client_sigalgs;
3420 conflen = c->client_sigalgslen;
3421 } else if (c->conf_sigalgs && !is_suiteb) {
3422 conf = c->conf_sigalgs;
3423 conflen = c->conf_sigalgslen;
3425 conflen = tls12_get_psigalgs(s, &conf);
3426 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3429 allow = s->s3->tmp.peer_sigalgs;
3430 allowlen = s->s3->tmp.peer_sigalgslen;
3434 pref = s->s3->tmp.peer_sigalgs;
3435 preflen = s->s3->tmp.peer_sigalgslen;
3437 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
3439 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3442 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
3446 c->shared_sigalgs = salgs;
3447 c->shared_sigalgslen = nmatch;
3451 /* Set preferred digest for each key type */
3453 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
3456 /* Extension ignored for inappropriate versions */
3457 if (!SSL_USE_SIGALGS(s))
3459 /* Should never happen */
3463 OPENSSL_free(s->s3->tmp.peer_sigalgs);
3464 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
3465 if (s->s3->tmp.peer_sigalgs == NULL)
3467 s->s3->tmp.peer_sigalgslen = dsize;
3468 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
3472 int tls1_process_sigalgs(SSL *s)
3477 const EVP_MD **pmd = s->s3->tmp.md;
3478 uint32_t *pvalid = s->s3->tmp.valid_flags;
3480 TLS_SIGALGS *sigptr;
3481 if (!tls1_set_shared_sigalgs(s))
3484 for (i = 0, sigptr = c->shared_sigalgs;
3485 i < c->shared_sigalgslen; i++, sigptr++) {
3486 idx = tls12_get_pkey_idx(sigptr->rsign);
3487 if (idx > 0 && pmd[idx] == NULL) {
3488 md = tls12_get_hash(sigptr->rhash);
3490 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
3491 if (idx == SSL_PKEY_RSA_SIGN) {
3492 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
3493 pmd[SSL_PKEY_RSA_ENC] = md;
3499 * In strict mode leave unset digests as NULL to indicate we can't use
3500 * the certificate for signing.
3502 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3504 * Set any remaining keys to default values. NOTE: if alg is not
3505 * supported it stays as NULL.
3507 #ifndef OPENSSL_NO_DSA
3508 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3509 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
3511 #ifndef OPENSSL_NO_RSA
3512 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3513 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3514 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
3517 #ifndef OPENSSL_NO_EC
3518 if (pmd[SSL_PKEY_ECC] == NULL)
3519 pmd[SSL_PKEY_ECC] = EVP_sha1();
3521 # ifndef OPENSSL_NO_GOST
3522 if (pmd[SSL_PKEY_GOST01] == NULL)
3523 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3524 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3525 pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3526 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3527 pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3533 int SSL_get_sigalgs(SSL *s, int idx,
3534 int *psign, int *phash, int *psignhash,
3535 unsigned char *rsig, unsigned char *rhash)
3537 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
3542 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
3549 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3551 return s->s3->tmp.peer_sigalgslen / 2;
3554 int SSL_get_shared_sigalgs(SSL *s, int idx,
3555 int *psign, int *phash, int *psignhash,
3556 unsigned char *rsig, unsigned char *rhash)
3558 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3559 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3563 *phash = shsigalgs->hash_nid;
3565 *psign = shsigalgs->sign_nid;
3567 *psignhash = shsigalgs->signandhash_nid;
3569 *rsig = shsigalgs->rsign;
3571 *rhash = shsigalgs->rhash;
3572 return s->cert->shared_sigalgslen;
3575 #define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3579 int sigalgs[MAX_SIGALGLEN];
3582 static void get_sigorhash(int *psig, int *phash, const char *str)
3584 if (strcmp(str, "RSA") == 0) {
3585 *psig = EVP_PKEY_RSA;
3586 } else if (strcmp(str, "DSA") == 0) {
3587 *psig = EVP_PKEY_DSA;
3588 } else if (strcmp(str, "ECDSA") == 0) {
3589 *psig = EVP_PKEY_EC;
3591 *phash = OBJ_sn2nid(str);
3592 if (*phash == NID_undef)
3593 *phash = OBJ_ln2nid(str);
3597 static int sig_cb(const char *elem, int len, void *arg)
3599 sig_cb_st *sarg = arg;
3602 int sig_alg = NID_undef, hash_alg = NID_undef;
3605 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3607 if (len > (int)(sizeof(etmp) - 1))
3609 memcpy(etmp, elem, len);
3611 p = strchr(etmp, '+');
3619 get_sigorhash(&sig_alg, &hash_alg, etmp);
3620 get_sigorhash(&sig_alg, &hash_alg, p);
3622 if (sig_alg == NID_undef || hash_alg == NID_undef)
3625 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3626 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3629 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3630 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3635 * Set suppored signature algorithms based on a colon separated list of the
3636 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3638 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
3642 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3646 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3649 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
3652 unsigned char *sigalgs, *sptr;
3657 sigalgs = OPENSSL_malloc(salglen);
3658 if (sigalgs == NULL)
3660 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
3661 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3662 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
3664 if (rhash == -1 || rsign == -1)
3671 OPENSSL_free(c->client_sigalgs);
3672 c->client_sigalgs = sigalgs;
3673 c->client_sigalgslen = salglen;
3675 OPENSSL_free(c->conf_sigalgs);
3676 c->conf_sigalgs = sigalgs;
3677 c->conf_sigalgslen = salglen;
3683 OPENSSL_free(sigalgs);
3687 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3691 if (default_nid == -1)
3693 sig_nid = X509_get_signature_nid(x);
3695 return sig_nid == default_nid ? 1 : 0;
3696 for (i = 0; i < c->shared_sigalgslen; i++)
3697 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3702 /* Check to see if a certificate issuer name matches list of CA names */
3703 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
3707 nm = X509_get_issuer_name(x);
3708 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3709 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3716 * Check certificate chain is consistent with TLS extensions and is usable by
3717 * server. This servers two purposes: it allows users to check chains before
3718 * passing them to the server and it allows the server to check chains before
3719 * attempting to use them.
3722 /* Flags which need to be set for a certificate when stict mode not set */
3724 #define CERT_PKEY_VALID_FLAGS \
3725 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
3726 /* Strict mode flags */
3727 #define CERT_PKEY_STRICT_FLAGS \
3728 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3729 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
3731 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3736 int check_flags = 0, strict_mode;
3737 CERT_PKEY *cpk = NULL;
3740 unsigned int suiteb_flags = tls1_suiteb(s);
3741 /* idx == -1 means checking server chains */
3743 /* idx == -2 means checking client certificate chains */
3746 idx = cpk - c->pkeys;
3748 cpk = c->pkeys + idx;
3749 pvalid = s->s3->tmp.valid_flags + idx;
3751 pk = cpk->privatekey;
3753 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3754 /* If no cert or key, forget it */
3760 idx = ssl_cert_type(x, pk);
3763 pvalid = s->s3->tmp.valid_flags + idx;
3765 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3766 check_flags = CERT_PKEY_STRICT_FLAGS;
3768 check_flags = CERT_PKEY_VALID_FLAGS;
3775 check_flags |= CERT_PKEY_SUITEB;
3776 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3777 if (ok == X509_V_OK)
3778 rv |= CERT_PKEY_SUITEB;
3779 else if (!check_flags)
3784 * Check all signature algorithms are consistent with signature
3785 * algorithms extension if TLS 1.2 or later and strict mode.
3787 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3789 unsigned char rsign = 0;
3790 if (s->s3->tmp.peer_sigalgs)
3792 /* If no sigalgs extension use defaults from RFC5246 */
3795 case SSL_PKEY_RSA_ENC:
3796 case SSL_PKEY_RSA_SIGN:
3797 rsign = TLSEXT_signature_rsa;
3798 default_nid = NID_sha1WithRSAEncryption;
3801 case SSL_PKEY_DSA_SIGN:
3802 rsign = TLSEXT_signature_dsa;
3803 default_nid = NID_dsaWithSHA1;
3807 rsign = TLSEXT_signature_ecdsa;
3808 default_nid = NID_ecdsa_with_SHA1;
3811 case SSL_PKEY_GOST01:
3812 rsign = TLSEXT_signature_gostr34102001;
3813 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3816 case SSL_PKEY_GOST12_256:
3817 rsign = TLSEXT_signature_gostr34102012_256;
3818 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3821 case SSL_PKEY_GOST12_512:
3822 rsign = TLSEXT_signature_gostr34102012_512;
3823 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3832 * If peer sent no signature algorithms extension and we have set
3833 * preferred signature algorithms check we support sha1.
3835 if (default_nid > 0 && c->conf_sigalgs) {
3837 const unsigned char *p = c->conf_sigalgs;
3838 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3839 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3842 if (j == c->conf_sigalgslen) {
3849 /* Check signature algorithm of each cert in chain */
3850 if (!tls1_check_sig_alg(c, x, default_nid)) {
3854 rv |= CERT_PKEY_EE_SIGNATURE;
3855 rv |= CERT_PKEY_CA_SIGNATURE;
3856 for (i = 0; i < sk_X509_num(chain); i++) {
3857 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3859 rv &= ~CERT_PKEY_CA_SIGNATURE;
3866 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3867 else if (check_flags)
3868 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3870 /* Check cert parameters are consistent */
3871 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3872 rv |= CERT_PKEY_EE_PARAM;
3873 else if (!check_flags)
3876 rv |= CERT_PKEY_CA_PARAM;
3877 /* In strict mode check rest of chain too */
3878 else if (strict_mode) {
3879 rv |= CERT_PKEY_CA_PARAM;
3880 for (i = 0; i < sk_X509_num(chain); i++) {
3881 X509 *ca = sk_X509_value(chain, i);
3882 if (!tls1_check_cert_param(s, ca, 0)) {
3884 rv &= ~CERT_PKEY_CA_PARAM;
3891 if (!s->server && strict_mode) {
3892 STACK_OF(X509_NAME) *ca_dn;
3894 switch (EVP_PKEY_id(pk)) {
3896 check_type = TLS_CT_RSA_SIGN;
3899 check_type = TLS_CT_DSS_SIGN;
3902 check_type = TLS_CT_ECDSA_SIGN;
3906 const unsigned char *ctypes;
3910 ctypelen = (int)c->ctype_num;
3912 ctypes = (unsigned char *)s->s3->tmp.ctype;
3913 ctypelen = s->s3->tmp.ctype_num;
3915 for (i = 0; i < ctypelen; i++) {
3916 if (ctypes[i] == check_type) {
3917 rv |= CERT_PKEY_CERT_TYPE;
3921 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
3924 rv |= CERT_PKEY_CERT_TYPE;
3926 ca_dn = s->s3->tmp.ca_names;
3928 if (!sk_X509_NAME_num(ca_dn))
3929 rv |= CERT_PKEY_ISSUER_NAME;
3931 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3932 if (ssl_check_ca_name(ca_dn, x))
3933 rv |= CERT_PKEY_ISSUER_NAME;
3935 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3936 for (i = 0; i < sk_X509_num(chain); i++) {
3937 X509 *xtmp = sk_X509_value(chain, i);
3938 if (ssl_check_ca_name(ca_dn, xtmp)) {
3939 rv |= CERT_PKEY_ISSUER_NAME;
3944 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
3947 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
3949 if (!check_flags || (rv & check_flags) == check_flags)
3950 rv |= CERT_PKEY_VALID;
3954 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
3955 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
3956 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
3957 else if (s->s3->tmp.md[idx] != NULL)
3958 rv |= CERT_PKEY_SIGN;
3960 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
3963 * When checking a CERT_PKEY structure all flags are irrelevant if the
3967 if (rv & CERT_PKEY_VALID)
3970 /* Preserve explicit sign flag, clear rest */
3971 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
3978 /* Set validity of certificates in an SSL structure */
3979 void tls1_set_cert_validity(SSL *s)
3981 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
3982 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
3983 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
3984 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
3985 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
3986 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
3987 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
3990 /* User level utiity function to check a chain is suitable */
3991 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
3993 return tls1_check_chain(s, x, pk, chain, -1);
3997 #ifndef OPENSSL_NO_DH
3998 DH *ssl_get_auto_dh(SSL *s)
4000 int dh_secbits = 80;
4001 if (s->cert->dh_tmp_auto == 2)
4002 return DH_get_1024_160();
4003 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
4004 if (s->s3->tmp.new_cipher->strength_bits == 256)
4009 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
4010 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
4013 if (dh_secbits >= 128) {
4019 BN_set_word(dhp->g, 2);
4020 if (dh_secbits >= 192)
4021 dhp->p = get_rfc3526_prime_8192(NULL);
4023 dhp->p = get_rfc3526_prime_3072(NULL);
4024 if (dhp->p == NULL || dhp->g == NULL) {
4030 if (dh_secbits >= 112)
4031 return DH_get_2048_224();
4032 return DH_get_1024_160();
4036 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4039 EVP_PKEY *pkey = X509_get0_pubkey(x);
4042 * If no parameters this will return -1 and fail using the default
4043 * security callback for any non-zero security level. This will
4044 * reject keys which omit parameters but this only affects DSA and
4045 * omission of parameters is never (?) done in practice.
4047 secbits = EVP_PKEY_security_bits(pkey);
4050 return ssl_security(s, op, secbits, 0, x);
4052 return ssl_ctx_security(ctx, op, secbits, 0, x);
4055 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
4057 /* Lookup signature algorithm digest */
4058 int secbits = -1, md_nid = NID_undef, sig_nid;
4059 /* Don't check signature if self signed */
4060 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
4062 sig_nid = X509_get_signature_nid(x);
4063 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
4065 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
4066 secbits = EVP_MD_size(md) * 4;
4069 return ssl_security(s, op, secbits, md_nid, x);
4071 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
4074 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
4077 vfy = SSL_SECOP_PEER;
4079 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
4080 return SSL_R_EE_KEY_TOO_SMALL;
4082 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
4083 return SSL_R_CA_KEY_TOO_SMALL;
4085 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
4086 return SSL_R_CA_MD_TOO_WEAK;
4091 * Check security of a chain, if sk includes the end entity certificate then
4092 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
4093 * one to the peer. Return values: 1 if ok otherwise error code to use
4096 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
4098 int rv, start_idx, i;
4100 x = sk_X509_value(sk, 0);
4105 rv = ssl_security_cert(s, NULL, x, vfy, 1);
4109 for (i = start_idx; i < sk_X509_num(sk); i++) {
4110 x = sk_X509_value(sk, i);
4111 rv = ssl_security_cert(s, NULL, x, vfy, 0);