2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/objects.h>
13 #include <openssl/evp.h>
14 #include <openssl/hmac.h>
15 #include <openssl/ocsp.h>
16 #include <openssl/conf.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/dh.h>
19 #include <openssl/bn.h>
21 #include <openssl/ct.h>
23 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, size_t ticklen,
24 const unsigned char *sess_id, size_t sesslen,
26 static int ssl_check_serverhello_tlsext(SSL *s);
28 SSL3_ENC_METHOD const TLSv1_enc_data = {
32 tls1_generate_master_secret,
33 tls1_change_cipher_state,
34 tls1_final_finish_mac,
35 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
36 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
38 tls1_export_keying_material,
40 ssl3_set_handshake_header,
41 tls_close_construct_packet,
45 SSL3_ENC_METHOD const TLSv1_1_enc_data = {
49 tls1_generate_master_secret,
50 tls1_change_cipher_state,
51 tls1_final_finish_mac,
52 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
53 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
55 tls1_export_keying_material,
56 SSL_ENC_FLAG_EXPLICIT_IV,
57 ssl3_set_handshake_header,
58 tls_close_construct_packet,
62 SSL3_ENC_METHOD const TLSv1_2_enc_data = {
66 tls1_generate_master_secret,
67 tls1_change_cipher_state,
68 tls1_final_finish_mac,
69 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
70 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
72 tls1_export_keying_material,
73 SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
74 | SSL_ENC_FLAG_TLS1_2_CIPHERS,
75 ssl3_set_handshake_header,
76 tls_close_construct_packet,
80 SSL3_ENC_METHOD const TLSv1_3_enc_data = {
83 tls13_setup_key_block,
84 tls13_generate_master_secret,
85 tls13_change_cipher_state,
86 tls13_final_finish_mac,
87 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
88 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
90 tls1_export_keying_material,
91 SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
92 ssl3_set_handshake_header,
93 tls_close_construct_packet,
97 long tls1_default_timeout(void)
100 * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
101 * http, the cache would over fill
103 return (60 * 60 * 2);
110 s->method->ssl_clear(s);
114 void tls1_free(SSL *s)
116 OPENSSL_free(s->tlsext_session_ticket);
120 void tls1_clear(SSL *s)
123 if (s->method->version == TLS_ANY_VERSION)
124 s->version = TLS_MAX_VERSION;
126 s->version = s->method->version;
129 #ifndef OPENSSL_NO_EC
132 int nid; /* Curve NID */
133 int secbits; /* Bits of security (from SP800-57) */
134 unsigned int flags; /* Flags: currently just field type */
138 * Table of curve information.
139 * Do not delete entries or reorder this array! It is used as a lookup
140 * table: the index of each entry is one less than the TLS curve id.
142 static const tls_curve_info nid_list[] = {
143 {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */
144 {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */
145 {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */
146 {NID_sect193r1, 80, TLS_CURVE_CHAR2}, /* sect193r1 (4) */
147 {NID_sect193r2, 80, TLS_CURVE_CHAR2}, /* sect193r2 (5) */
148 {NID_sect233k1, 112, TLS_CURVE_CHAR2}, /* sect233k1 (6) */
149 {NID_sect233r1, 112, TLS_CURVE_CHAR2}, /* sect233r1 (7) */
150 {NID_sect239k1, 112, TLS_CURVE_CHAR2}, /* sect239k1 (8) */
151 {NID_sect283k1, 128, TLS_CURVE_CHAR2}, /* sect283k1 (9) */
152 {NID_sect283r1, 128, TLS_CURVE_CHAR2}, /* sect283r1 (10) */
153 {NID_sect409k1, 192, TLS_CURVE_CHAR2}, /* sect409k1 (11) */
154 {NID_sect409r1, 192, TLS_CURVE_CHAR2}, /* sect409r1 (12) */
155 {NID_sect571k1, 256, TLS_CURVE_CHAR2}, /* sect571k1 (13) */
156 {NID_sect571r1, 256, TLS_CURVE_CHAR2}, /* sect571r1 (14) */
157 {NID_secp160k1, 80, TLS_CURVE_PRIME}, /* secp160k1 (15) */
158 {NID_secp160r1, 80, TLS_CURVE_PRIME}, /* secp160r1 (16) */
159 {NID_secp160r2, 80, TLS_CURVE_PRIME}, /* secp160r2 (17) */
160 {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
161 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
162 {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
163 {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
164 {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
165 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
166 {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
167 {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
168 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
169 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
170 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
171 {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
174 static const unsigned char ecformats_default[] = {
175 TLSEXT_ECPOINTFORMAT_uncompressed,
176 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
177 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
180 /* The default curves */
181 static const unsigned char eccurves_default[] = {
182 0, 29, /* X25519 (29) */
183 0, 23, /* secp256r1 (23) */
184 0, 25, /* secp521r1 (25) */
185 0, 24, /* secp384r1 (24) */
188 static const unsigned char eccurves_all[] = {
189 0, 29, /* X25519 (29) */
190 0, 23, /* secp256r1 (23) */
191 0, 25, /* secp521r1 (25) */
192 0, 24, /* secp384r1 (24) */
193 0, 26, /* brainpoolP256r1 (26) */
194 0, 27, /* brainpoolP384r1 (27) */
195 0, 28, /* brainpool512r1 (28) */
198 * Remaining curves disabled by default but still permitted if set
199 * via an explicit callback or parameters.
201 0, 22, /* secp256k1 (22) */
202 0, 14, /* sect571r1 (14) */
203 0, 13, /* sect571k1 (13) */
204 0, 11, /* sect409k1 (11) */
205 0, 12, /* sect409r1 (12) */
206 0, 9, /* sect283k1 (9) */
207 0, 10, /* sect283r1 (10) */
208 0, 20, /* secp224k1 (20) */
209 0, 21, /* secp224r1 (21) */
210 0, 18, /* secp192k1 (18) */
211 0, 19, /* secp192r1 (19) */
212 0, 15, /* secp160k1 (15) */
213 0, 16, /* secp160r1 (16) */
214 0, 17, /* secp160r2 (17) */
215 0, 8, /* sect239k1 (8) */
216 0, 6, /* sect233k1 (6) */
217 0, 7, /* sect233r1 (7) */
218 0, 4, /* sect193r1 (4) */
219 0, 5, /* sect193r2 (5) */
220 0, 1, /* sect163k1 (1) */
221 0, 2, /* sect163r1 (2) */
222 0, 3, /* sect163r2 (3) */
225 static const unsigned char suiteb_curves[] = {
226 0, TLSEXT_curve_P_256,
227 0, TLSEXT_curve_P_384
230 int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags)
232 const tls_curve_info *cinfo;
233 /* ECC curves from RFC 4492 and RFC 7027 */
234 if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
236 cinfo = nid_list + curve_id - 1;
238 *pflags = cinfo->flags;
242 int tls1_ec_nid2curve_id(int nid)
245 for (i = 0; i < OSSL_NELEM(nid_list); i++) {
246 if (nid_list[i].nid == nid)
253 * Get curves list, if "sess" is set return client curves otherwise
255 * Sets |num_curves| to the number of curves in the list, i.e.,
256 * the length of |pcurves| is 2 * num_curves.
257 * Returns 1 on success and 0 if the client curves list has invalid format.
258 * The latter indicates an internal error: we should not be accepting such
259 * lists in the first place.
260 * TODO(emilia): we should really be storing the curves list in explicitly
261 * parsed form instead. (However, this would affect binary compatibility
262 * so cannot happen in the 1.0.x series.)
264 int tls1_get_curvelist(SSL *s, int sess, const unsigned char **pcurves,
267 size_t pcurveslen = 0;
269 *pcurves = s->session->tlsext_supportedgroupslist;
270 pcurveslen = s->session->tlsext_supportedgroupslist_length;
272 /* For Suite B mode only include P-256, P-384 */
273 switch (tls1_suiteb(s)) {
274 case SSL_CERT_FLAG_SUITEB_128_LOS:
275 *pcurves = suiteb_curves;
276 pcurveslen = sizeof(suiteb_curves);
279 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
280 *pcurves = suiteb_curves;
284 case SSL_CERT_FLAG_SUITEB_192_LOS:
285 *pcurves = suiteb_curves + 2;
289 *pcurves = s->tlsext_supportedgroupslist;
290 pcurveslen = s->tlsext_supportedgroupslist_length;
293 *pcurves = eccurves_default;
294 pcurveslen = sizeof(eccurves_default);
298 /* We do not allow odd length arrays to enter the system. */
299 if (pcurveslen & 1) {
300 SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
304 *num_curves = pcurveslen / 2;
309 /* See if curve is allowed by security callback */
310 int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
312 const tls_curve_info *cinfo;
315 if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
317 cinfo = &nid_list[curve[1] - 1];
318 # ifdef OPENSSL_NO_EC2M
319 if (cinfo->flags & TLS_CURVE_CHAR2)
322 return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
325 /* Check a curve is one of our preferences */
326 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
328 const unsigned char *curves;
329 size_t num_curves, i;
330 unsigned int suiteb_flags = tls1_suiteb(s);
331 if (len != 3 || p[0] != NAMED_CURVE_TYPE)
333 /* Check curve matches Suite B preferences */
335 unsigned long cid = s->s3->tmp.new_cipher->id;
338 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
339 if (p[2] != TLSEXT_curve_P_256)
341 } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
342 if (p[2] != TLSEXT_curve_P_384)
344 } else /* Should never happen */
347 if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
349 for (i = 0; i < num_curves; i++, curves += 2) {
350 if (p[1] == curves[0] && p[2] == curves[1])
351 return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
357 * For nmatch >= 0, return the NID of the |nmatch|th shared group or NID_undef
358 * if there is no match.
359 * For nmatch == -1, return number of matches
360 * For nmatch == -2, return the NID of the group to use for
361 * an EC tmp key, or NID_undef if there is no match.
363 int tls1_shared_group(SSL *s, int nmatch)
365 const unsigned char *pref, *supp;
366 size_t num_pref, num_supp, i, j;
368 /* Can't do anything on client side */
372 if (tls1_suiteb(s)) {
374 * For Suite B ciphersuite determines curve: we already know
375 * these are acceptable due to previous checks.
377 unsigned long cid = s->s3->tmp.new_cipher->id;
378 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
379 return NID_X9_62_prime256v1; /* P-256 */
380 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
381 return NID_secp384r1; /* P-384 */
382 /* Should never happen */
385 /* If not Suite B just return first preference shared curve */
389 * Avoid truncation. tls1_get_curvelist takes an int
390 * but s->options is a long...
392 if (!tls1_get_curvelist
393 (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
395 /* In practice, NID_undef == 0 but let's be precise. */
396 return nmatch == -1 ? 0 : NID_undef;
397 if (!tls1_get_curvelist
398 (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, &num_pref))
399 return nmatch == -1 ? 0 : NID_undef;
402 * If the client didn't send the elliptic_curves extension all of them
405 if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
407 num_supp = sizeof(eccurves_all) / 2;
408 } else if (num_pref == 0 &&
409 (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
411 num_pref = sizeof(eccurves_all) / 2;
415 for (i = 0; i < num_pref; i++, pref += 2) {
416 const unsigned char *tsupp = supp;
417 for (j = 0; j < num_supp; j++, tsupp += 2) {
418 if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
419 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
422 int id = (pref[0] << 8) | pref[1];
423 return tls1_ec_curve_id2nid(id, NULL);
431 /* Out of range (nmatch > k). */
435 int tls1_set_groups(unsigned char **pext, size_t *pextlen,
436 int *groups, size_t ngroups)
438 unsigned char *glist, *p;
441 * Bitmap of groups included to detect duplicates: only works while group
444 unsigned long dup_list = 0;
445 glist = OPENSSL_malloc(ngroups * 2);
448 for (i = 0, p = glist; i < ngroups; i++) {
449 unsigned long idmask;
451 /* TODO(TLS1.3): Convert for DH groups */
452 id = tls1_ec_nid2curve_id(groups[i]);
454 if (!id || (dup_list & idmask)) {
463 *pextlen = ngroups * 2;
467 # define MAX_CURVELIST 28
471 int nid_arr[MAX_CURVELIST];
474 static int nid_cb(const char *elem, int len, void *arg)
476 nid_cb_st *narg = arg;
482 if (narg->nidcnt == MAX_CURVELIST)
484 if (len > (int)(sizeof(etmp) - 1))
486 memcpy(etmp, elem, len);
488 nid = EC_curve_nist2nid(etmp);
489 if (nid == NID_undef)
490 nid = OBJ_sn2nid(etmp);
491 if (nid == NID_undef)
492 nid = OBJ_ln2nid(etmp);
493 if (nid == NID_undef)
495 for (i = 0; i < narg->nidcnt; i++)
496 if (narg->nid_arr[i] == nid)
498 narg->nid_arr[narg->nidcnt++] = nid;
502 /* Set groups based on a colon separate list */
503 int tls1_set_groups_list(unsigned char **pext, size_t *pextlen, const char *str)
507 if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
511 return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
514 /* For an EC key set TLS id and required compression based on parameters */
515 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
522 /* Determine if it is a prime field */
523 grp = EC_KEY_get0_group(ec);
526 /* Determine curve ID */
527 id = EC_GROUP_get_curve_name(grp);
528 id = tls1_ec_nid2curve_id(id);
529 /* If no id return error: we don't support arbitrary explicit curves */
533 curve_id[1] = (unsigned char)id;
535 if (EC_KEY_get0_public_key(ec) == NULL)
537 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
538 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
540 if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME)
541 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
543 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
549 /* Check an EC key is compatible with extensions */
550 static int tls1_check_ec_key(SSL *s,
551 unsigned char *curve_id, unsigned char *comp_id)
553 const unsigned char *pformats, *pcurves;
554 size_t num_formats, num_curves, i;
557 * If point formats extension present check it, otherwise everything is
558 * supported (see RFC4492).
560 if (comp_id && s->session->tlsext_ecpointformatlist) {
561 pformats = s->session->tlsext_ecpointformatlist;
562 num_formats = s->session->tlsext_ecpointformatlist_length;
563 for (i = 0; i < num_formats; i++, pformats++) {
564 if (*comp_id == *pformats)
567 if (i == num_formats)
572 /* Check curve is consistent with client and server preferences */
573 for (j = 0; j <= 1; j++) {
574 if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
576 if (j == 1 && num_curves == 0) {
578 * If we've not received any curves then skip this check.
579 * RFC 4492 does not require the supported elliptic curves extension
580 * so if it is not sent we can just choose any curve.
581 * It is invalid to send an empty list in the elliptic curves
582 * extension, so num_curves == 0 always means no extension.
586 for (i = 0; i < num_curves; i++, pcurves += 2) {
587 if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
592 /* For clients can only check sent curve list */
599 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
603 * If we have a custom point format list use it otherwise use default
605 if (s->tlsext_ecpointformatlist) {
606 *pformats = s->tlsext_ecpointformatlist;
607 *num_formats = s->tlsext_ecpointformatlist_length;
609 *pformats = ecformats_default;
610 /* For Suite B we don't support char2 fields */
612 *num_formats = sizeof(ecformats_default) - 1;
614 *num_formats = sizeof(ecformats_default);
619 * Check cert parameters compatible with extensions: currently just checks EC
620 * certificates have compatible curves and compression.
622 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
624 unsigned char comp_id, curve_id[2];
627 pkey = X509_get0_pubkey(x);
630 /* If not EC nothing to do */
631 if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
633 rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
637 * Can't check curve_id for client certs as we don't have a supported
640 rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
644 * Special case for suite B. We *MUST* sign using SHA256+P-256 or
645 * SHA384+P-384, adjust digest if necessary.
647 if (set_ee_md && tls1_suiteb(s)) {
653 /* Check to see we have necessary signing algorithm */
654 if (curve_id[1] == TLSEXT_curve_P_256)
655 check_md = NID_ecdsa_with_SHA256;
656 else if (curve_id[1] == TLSEXT_curve_P_384)
657 check_md = NID_ecdsa_with_SHA384;
659 return 0; /* Should never happen */
660 for (i = 0; i < c->shared_sigalgslen; i++)
661 if (check_md == c->shared_sigalgs[i].signandhash_nid)
663 if (i == c->shared_sigalgslen)
665 if (set_ee_md == 2) {
666 if (check_md == NID_ecdsa_with_SHA256)
667 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
669 s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
675 # ifndef OPENSSL_NO_EC
677 * tls1_check_ec_tmp_key - Check EC temporary key compatibility
679 * @cid: Cipher ID we're considering using
681 * Checks that the kECDHE cipher suite we're considering using
682 * is compatible with the client extensions.
684 * Returns 0 when the cipher can't be used or 1 when it can.
686 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
689 * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
692 if (tls1_suiteb(s)) {
693 unsigned char curve_id[2];
694 /* Curve to check determined by ciphersuite */
695 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
696 curve_id[1] = TLSEXT_curve_P_256;
697 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
698 curve_id[1] = TLSEXT_curve_P_384;
702 /* Check this curve is acceptable */
703 if (!tls1_check_ec_key(s, curve_id, NULL))
707 /* Need a shared curve */
708 if (tls1_shared_group(s, 0))
712 # endif /* OPENSSL_NO_EC */
716 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
721 #endif /* OPENSSL_NO_EC */
724 * List of supported signature algorithms and hashes. Should make this
725 * customisable at some point, for now include everything we support.
728 #ifdef OPENSSL_NO_RSA
729 # define tlsext_sigalg_rsa(md) /* */
731 # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
734 #ifdef OPENSSL_NO_DSA
735 # define tlsext_sigalg_dsa(md) /* */
737 # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
741 # define tlsext_sigalg_ecdsa(md)/* */
743 # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
746 #define tlsext_sigalg(md) \
747 tlsext_sigalg_rsa(md) \
748 tlsext_sigalg_dsa(md) \
749 tlsext_sigalg_ecdsa(md)
751 static const unsigned char tls12_sigalgs[] = {
752 tlsext_sigalg(TLSEXT_hash_sha512)
753 tlsext_sigalg(TLSEXT_hash_sha384)
754 tlsext_sigalg(TLSEXT_hash_sha256)
755 tlsext_sigalg(TLSEXT_hash_sha224)
756 tlsext_sigalg(TLSEXT_hash_sha1)
757 #ifndef OPENSSL_NO_GOST
758 TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
759 TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
760 TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
764 #ifndef OPENSSL_NO_EC
765 static const unsigned char suiteb_sigalgs[] = {
766 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
767 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
770 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
773 * If Suite B mode use Suite B sigalgs only, ignore any other
776 #ifndef OPENSSL_NO_EC
777 switch (tls1_suiteb(s)) {
778 case SSL_CERT_FLAG_SUITEB_128_LOS:
779 *psigs = suiteb_sigalgs;
780 return sizeof(suiteb_sigalgs);
782 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
783 *psigs = suiteb_sigalgs;
786 case SSL_CERT_FLAG_SUITEB_192_LOS:
787 *psigs = suiteb_sigalgs + 2;
791 /* If server use client authentication sigalgs if not NULL */
792 if (s->server && s->cert->client_sigalgs) {
793 *psigs = s->cert->client_sigalgs;
794 return s->cert->client_sigalgslen;
795 } else if (s->cert->conf_sigalgs) {
796 *psigs = s->cert->conf_sigalgs;
797 return s->cert->conf_sigalgslen;
799 *psigs = tls12_sigalgs;
800 return sizeof(tls12_sigalgs);
805 * Check signature algorithm is consistent with sent supported signature
806 * algorithms and if so return relevant digest.
808 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
809 const unsigned char *sig, EVP_PKEY *pkey)
811 const unsigned char *sent_sigs;
812 size_t sent_sigslen, i;
813 int sigalg = tls12_get_sigid(pkey);
814 /* Should never happen */
817 /* Check key type is consistent with signature */
818 if (sigalg != (int)sig[1]) {
819 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
822 #ifndef OPENSSL_NO_EC
823 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
824 unsigned char curve_id[2], comp_id;
825 /* Check compression and curve matches extensions */
826 if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
828 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
829 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
832 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
833 if (tls1_suiteb(s)) {
836 if (curve_id[1] == TLSEXT_curve_P_256) {
837 if (sig[0] != TLSEXT_hash_sha256) {
838 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
839 SSL_R_ILLEGAL_SUITEB_DIGEST);
842 } else if (curve_id[1] == TLSEXT_curve_P_384) {
843 if (sig[0] != TLSEXT_hash_sha384) {
844 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
845 SSL_R_ILLEGAL_SUITEB_DIGEST);
851 } else if (tls1_suiteb(s))
855 /* Check signature matches a type we sent */
856 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
857 for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
858 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
861 /* Allow fallback to SHA1 if not strict mode */
862 if (i == sent_sigslen
863 && (sig[0] != TLSEXT_hash_sha1
864 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
865 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
868 *pmd = tls12_get_hash(sig[0]);
870 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
873 /* Make sure security callback allows algorithm */
874 if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
875 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) {
876 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
880 * Store the digest used so applications can retrieve it if they wish.
882 s->s3->tmp.peer_md = *pmd;
887 * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
888 * supported, doesn't appear in supported signature algorithms, isn't supported
889 * by the enabled protocol versions or by the security level.
891 * This function should only be used for checking which ciphers are supported
894 * Call ssl_cipher_disabled() to check that it's enabled or not.
896 void ssl_set_client_disabled(SSL *s)
898 s->s3->tmp.mask_a = 0;
899 s->s3->tmp.mask_k = 0;
900 ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
901 ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
902 #ifndef OPENSSL_NO_PSK
903 /* with PSK there must be client callback set */
904 if (!s->psk_client_callback) {
905 s->s3->tmp.mask_a |= SSL_aPSK;
906 s->s3->tmp.mask_k |= SSL_PSK;
908 #endif /* OPENSSL_NO_PSK */
909 #ifndef OPENSSL_NO_SRP
910 if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
911 s->s3->tmp.mask_a |= SSL_aSRP;
912 s->s3->tmp.mask_k |= SSL_kSRP;
918 * ssl_cipher_disabled - check that a cipher is disabled or not
919 * @s: SSL connection that you want to use the cipher on
920 * @c: cipher to check
921 * @op: Security check that you want to do
923 * Returns 1 when it's disabled, 0 when enabled.
925 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
927 if (c->algorithm_mkey & s->s3->tmp.mask_k
928 || c->algorithm_auth & s->s3->tmp.mask_a)
930 if (s->s3->tmp.max_ver == 0)
932 if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
933 || (c->max_tls < s->s3->tmp.min_ver)))
935 if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
936 || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
939 return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
942 static int tls_use_ticket(SSL *s)
944 if ((s->options & SSL_OP_NO_TICKET) || SSL_IS_TLS13(s))
946 return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
949 static int compare_uint(const void *p1, const void *p2)
951 unsigned int u1 = *((const unsigned int *)p1);
952 unsigned int u2 = *((const unsigned int *)p2);
962 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
963 * more than one extension of the same type in a ClientHello or ServerHello.
964 * This function does an initial scan over the extensions block to filter those
965 * out. It returns 1 if all extensions are unique, and 0 if the extensions
966 * contain duplicates, could not be successfully parsed, or an internal error
969 static int tls1_check_duplicate_extensions(const PACKET *packet)
971 PACKET extensions = *packet;
972 size_t num_extensions = 0, i = 0;
973 unsigned int *extension_types = NULL;
976 /* First pass: count the extensions. */
977 while (PACKET_remaining(&extensions) > 0) {
980 if (!PACKET_get_net_2(&extensions, &type) ||
981 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
987 if (num_extensions <= 1)
990 extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions);
991 if (extension_types == NULL) {
992 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE);
996 /* Second pass: gather the extension types. */
997 extensions = *packet;
998 for (i = 0; i < num_extensions; i++) {
1000 if (!PACKET_get_net_2(&extensions, &extension_types[i]) ||
1001 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
1002 /* This should not happen. */
1003 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1008 if (PACKET_remaining(&extensions) != 0) {
1009 SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR);
1012 /* Sort the extensions and make sure there are no duplicates. */
1013 qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint);
1014 for (i = 1; i < num_extensions; i++) {
1015 if (extension_types[i - 1] == extension_types[i])
1020 OPENSSL_free(extension_types);
1024 int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al)
1026 #ifndef OPENSSL_NO_EC
1027 const unsigned char *pcurves = NULL;
1028 size_t num_curves = 0;
1030 int min_version, max_version, reason;
1032 /* See if we support any ECC ciphersuites */
1033 if ((s->version >= TLS1_VERSION && s->version <= TLS1_3_VERSION)
1034 || SSL_IS_DTLS(s)) {
1036 unsigned long alg_k, alg_a;
1037 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1039 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1040 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1042 alg_k = c->algorithm_mkey;
1043 alg_a = c->algorithm_auth;
1044 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
1045 || (alg_a & SSL_aECDSA)
1046 || c->min_tls >= TLS1_3_VERSION) {
1053 if (SSL_IS_TLS13(s)) {
1054 /* Shouldn't happen! */
1055 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1060 /* Add RI if renegotiating */
1061 if (s->renegotiate) {
1062 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1063 || !WPACKET_start_sub_packet_u16(pkt)
1064 || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
1065 s->s3->previous_client_finished_len)
1066 || !WPACKET_close(pkt)) {
1067 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1071 /* Only add RI for SSLv3 */
1072 if (s->client_version == SSL3_VERSION)
1075 if (s->tlsext_hostname != NULL) {
1076 /* Add TLS extension servername to the Client Hello message */
1077 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1078 /* Sub-packet for server_name extension */
1079 || !WPACKET_start_sub_packet_u16(pkt)
1080 /* Sub-packet for servername list (always 1 hostname)*/
1081 || !WPACKET_start_sub_packet_u16(pkt)
1082 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
1083 || !WPACKET_sub_memcpy_u16(pkt, s->tlsext_hostname,
1084 strlen(s->tlsext_hostname))
1085 || !WPACKET_close(pkt)
1086 || !WPACKET_close(pkt)) {
1087 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1091 #ifndef OPENSSL_NO_SRP
1092 /* Add SRP username if there is one */
1093 if (s->srp_ctx.login != NULL) {
1094 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
1095 /* Sub-packet for SRP extension */
1096 || !WPACKET_start_sub_packet_u16(pkt)
1097 || !WPACKET_start_sub_packet_u8(pkt)
1098 /* login must not be zero...internal error if so */
1099 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
1100 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
1101 strlen(s->srp_ctx.login))
1102 || !WPACKET_close(pkt)
1103 || !WPACKET_close(pkt)) {
1104 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1110 #ifndef OPENSSL_NO_EC
1113 * Add TLS extension ECPointFormats to the ClientHello message
1115 const unsigned char *pformats, *pcurvestmp;
1119 tls1_get_formatlist(s, &pformats, &num_formats);
1121 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1122 /* Sub-packet for formats extension */
1123 || !WPACKET_start_sub_packet_u16(pkt)
1124 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
1125 || !WPACKET_close(pkt)) {
1126 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1131 * Add TLS extension supported_groups to the ClientHello message
1133 /* TODO(TLS1.3): Add support for DHE groups */
1134 pcurves = s->tlsext_supportedgroupslist;
1135 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
1136 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1139 pcurvestmp = pcurves;
1141 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1142 /* Sub-packet for supported_groups extension */
1143 || !WPACKET_start_sub_packet_u16(pkt)
1144 || !WPACKET_start_sub_packet_u16(pkt)) {
1145 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1148 /* Copy curve ID if supported */
1149 for (i = 0; i < num_curves; i++, pcurvestmp += 2) {
1150 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1151 if (!WPACKET_put_bytes_u8(pkt, pcurvestmp[0])
1152 || !WPACKET_put_bytes_u8(pkt, pcurvestmp[1])) {
1153 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
1154 ERR_R_INTERNAL_ERROR);
1159 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1160 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1164 #endif /* OPENSSL_NO_EC */
1166 if (tls_use_ticket(s)) {
1168 if (!s->new_session && s->session && s->session->tlsext_tick)
1169 ticklen = s->session->tlsext_ticklen;
1170 else if (s->session && s->tlsext_session_ticket &&
1171 s->tlsext_session_ticket->data) {
1172 ticklen = s->tlsext_session_ticket->length;
1173 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1174 if (s->session->tlsext_tick == NULL) {
1175 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1178 memcpy(s->session->tlsext_tick,
1179 s->tlsext_session_ticket->data, ticklen);
1180 s->session->tlsext_ticklen = ticklen;
1183 if (ticklen == 0 && s->tlsext_session_ticket &&
1184 s->tlsext_session_ticket->data == NULL)
1187 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1188 || !WPACKET_sub_memcpy_u16(pkt, s->session->tlsext_tick,
1190 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1196 if (SSL_CLIENT_USE_SIGALGS(s)) {
1198 const unsigned char *salg;
1200 salglen = tls12_get_psigalgs(s, &salg);
1202 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
1203 /* Sub-packet for sig-algs extension */
1204 || !WPACKET_start_sub_packet_u16(pkt)
1205 /* Sub-packet for the actual list */
1206 || !WPACKET_start_sub_packet_u16(pkt)
1207 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
1208 || !WPACKET_close(pkt)
1209 || !WPACKET_close(pkt)) {
1210 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1214 #ifndef OPENSSL_NO_OCSP
1215 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1218 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1219 /* Sub-packet for status request extension */
1220 || !WPACKET_start_sub_packet_u16(pkt)
1221 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
1222 /* Sub-packet for the ids */
1223 || !WPACKET_start_sub_packet_u16(pkt)) {
1224 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1227 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1228 unsigned char *idbytes;
1232 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1233 idlen = i2d_OCSP_RESPID(id, NULL);
1235 /* Sub-packet for an individual id */
1236 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
1237 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
1238 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1242 if (!WPACKET_close(pkt)
1243 || !WPACKET_start_sub_packet_u16(pkt)) {
1244 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1247 if (s->tlsext_ocsp_exts) {
1248 unsigned char *extbytes;
1249 int extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1252 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1255 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
1256 || i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &extbytes)
1258 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1262 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1263 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1269 #ifndef OPENSSL_NO_NEXTPROTONEG
1270 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1272 * The client advertises an empty extension to indicate its support
1273 * for Next Protocol Negotiation
1275 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1276 || !WPACKET_put_bytes_u16(pkt, 0)) {
1277 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1284 * finish_md_len is non-zero during a renegotiation, so
1285 * this avoids sending ALPN during the renegotiation
1286 * (see longer comment below)
1288 if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1289 if (!WPACKET_put_bytes_u16(pkt,
1290 TLSEXT_TYPE_application_layer_protocol_negotiation)
1291 /* Sub-packet ALPN extension */
1292 || !WPACKET_start_sub_packet_u16(pkt)
1293 || !WPACKET_sub_memcpy_u16(pkt, s->alpn_client_proto_list,
1294 s->alpn_client_proto_list_len)
1295 || !WPACKET_close(pkt)) {
1296 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1299 s->s3->alpn_sent = 1;
1301 #ifndef OPENSSL_NO_SRTP
1302 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1303 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
1304 SRTP_PROTECTION_PROFILE *prof;
1307 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1308 /* Sub-packet for SRTP extension */
1309 || !WPACKET_start_sub_packet_u16(pkt)
1310 /* Sub-packet for the protection profile list */
1311 || !WPACKET_start_sub_packet_u16(pkt)) {
1312 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1315 ct = sk_SRTP_PROTECTION_PROFILE_num(clnt);
1316 for (i = 0; i < ct; i++) {
1317 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
1318 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
1319 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1323 if (!WPACKET_close(pkt)
1324 /* Add an empty use_mki value */
1325 || !WPACKET_put_bytes_u8(pkt, 0)
1326 || !WPACKET_close(pkt)) {
1327 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1332 custom_ext_init(&s->cert->cli_ext);
1333 /* Add custom TLS Extensions to ClientHello */
1334 if (!custom_ext_add(s, 0, pkt, al)) {
1335 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1339 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) {
1340 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1341 || !WPACKET_put_bytes_u16(pkt, 0)) {
1342 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1347 #ifndef OPENSSL_NO_CT
1348 if (s->ct_validation_callback != NULL) {
1349 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
1350 || !WPACKET_put_bytes_u16(pkt, 0)) {
1351 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1357 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1358 || !WPACKET_put_bytes_u16(pkt, 0)) {
1359 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1363 reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
1365 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, reason);
1369 /* TLS1.3 specific extensions */
1370 if (!SSL_IS_DTLS(s) && max_version >= TLS1_3_VERSION) {
1372 size_t i, sharessent = 0;
1374 /* TODO(TLS1.3): Should we add this extension for versions < TLS1.3? */
1375 /* supported_versions extension */
1376 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1377 || !WPACKET_start_sub_packet_u16(pkt)
1378 || !WPACKET_start_sub_packet_u8(pkt)) {
1379 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1384 * TODO(TLS1.3): There is some discussion on the TLS list as to wheter
1385 * we should include versions <TLS1.2. For the moment we do. To be
1388 for (currv = max_version; currv >= min_version; currv--) {
1389 /* TODO(TLS1.3): Remove this first if clause prior to release!! */
1390 if (currv == TLS1_3_VERSION) {
1391 if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)) {
1392 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
1393 ERR_R_INTERNAL_ERROR);
1396 } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
1397 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1401 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1402 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1407 /* key_share extension */
1408 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1409 /* Extension data sub-packet */
1410 || !WPACKET_start_sub_packet_u16(pkt)
1411 /* KeyShare list sub-packet */
1412 || !WPACKET_start_sub_packet_u16(pkt)) {
1413 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1418 * TODO(TLS1.3): Make the number of key_shares sent configurable. For
1419 * now, just send one
1421 for (i = 0; i < num_curves && sharessent < 1; i++, pcurves += 2) {
1422 unsigned char *encodedPoint = NULL;
1423 unsigned int curve_id = 0;
1424 EVP_PKEY *key_share_key = NULL;
1427 if (!tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED))
1430 if (s->s3->tmp.pkey != NULL) {
1431 /* Shouldn't happen! */
1432 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
1433 ERR_R_INTERNAL_ERROR);
1437 /* Generate a key for this key_share */
1438 curve_id = (pcurves[0] << 8) | pcurves[1];
1439 key_share_key = ssl_generate_pkey_curve(curve_id);
1440 if (key_share_key == NULL) {
1441 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_EVP_LIB);
1445 /* Encode the public key. */
1446 encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
1448 if (encodedlen == 0) {
1449 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_EC_LIB);
1450 EVP_PKEY_free(key_share_key);
1454 /* Create KeyShareEntry */
1455 if (!WPACKET_put_bytes_u16(pkt, curve_id)
1456 || !WPACKET_sub_memcpy_u16(pkt, encodedPoint, encodedlen)) {
1457 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
1458 ERR_R_INTERNAL_ERROR);
1459 EVP_PKEY_free(key_share_key);
1460 OPENSSL_free(encodedPoint);
1465 * TODO(TLS1.3): When changing to send more than one key_share we're
1466 * going to need to be able to save more than one EVP_PKEY. For now
1467 * we reuse the existing tmp.pkey
1469 s->s3->group_id = curve_id;
1470 s->s3->tmp.pkey = key_share_key;
1472 OPENSSL_free(encodedPoint);
1474 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1475 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1481 * Add padding to workaround bugs in F5 terminators. See
1482 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1483 * code works out the length of all existing extensions it MUST always
1486 if (s->options & SSL_OP_TLSEXT_PADDING) {
1487 unsigned char *padbytes;
1490 if (!WPACKET_get_total_written(pkt, &hlen)) {
1491 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1495 if (hlen > 0xff && hlen < 0x200) {
1496 hlen = 0x200 - hlen;
1502 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
1503 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
1504 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1507 memset(padbytes, 0, hlen);
1516 * Add the key_share extension.
1518 * Returns 1 on success or 0 on failure.
1520 static int add_client_key_share_ext(SSL *s, WPACKET *pkt, int *al)
1522 unsigned char *encodedPoint;
1523 size_t encoded_pt_len = 0;
1524 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1527 SSLerr(SSL_F_ADD_CLIENT_KEY_SHARE_EXT, ERR_R_INTERNAL_ERROR);
1531 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1532 || !WPACKET_start_sub_packet_u16(pkt)
1533 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1534 SSLerr(SSL_F_ADD_CLIENT_KEY_SHARE_EXT, ERR_R_INTERNAL_ERROR);
1538 skey = ssl_generate_pkey(ckey);
1540 SSLerr(SSL_F_ADD_CLIENT_KEY_SHARE_EXT, ERR_R_MALLOC_FAILURE);
1544 /* Generate encoding of server key */
1545 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1546 if (encoded_pt_len == 0) {
1547 SSLerr(SSL_F_ADD_CLIENT_KEY_SHARE_EXT, ERR_R_EC_LIB);
1548 EVP_PKEY_free(skey);
1552 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1553 || !WPACKET_close(pkt)) {
1554 SSLerr(SSL_F_ADD_CLIENT_KEY_SHARE_EXT, ERR_R_INTERNAL_ERROR);
1555 EVP_PKEY_free(skey);
1556 OPENSSL_free(encodedPoint);
1559 OPENSSL_free(encodedPoint);
1561 /* This causes the crypto state to be updated based on the derived keys */
1562 s->s3->tmp.pkey = skey;
1563 if (ssl_derive(s, skey, ckey, 1) == 0) {
1564 *al = SSL_AD_INTERNAL_ERROR;
1565 SSLerr(SSL_F_ADD_CLIENT_KEY_SHARE_EXT, ERR_R_INTERNAL_ERROR);
1572 int ssl_add_serverhello_tlsext(SSL *s, WPACKET *pkt, int *al)
1574 #ifndef OPENSSL_NO_NEXTPROTONEG
1575 int next_proto_neg_seen;
1577 #ifndef OPENSSL_NO_EC
1578 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1579 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1580 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1581 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1584 if (!WPACKET_start_sub_packet_u16(pkt)
1585 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH)) {
1586 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1590 if (s->s3->send_connection_binding &&
1591 !ssl_add_serverhello_renegotiate_ext(s, pkt)) {
1592 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1596 /* Only add RI for SSLv3 */
1597 if (s->version == SSL3_VERSION)
1600 if (!s->hit && s->servername_done == 1
1601 && s->session->tlsext_hostname != NULL) {
1602 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1603 || !WPACKET_put_bytes_u16(pkt, 0)) {
1604 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1608 #ifndef OPENSSL_NO_EC
1610 const unsigned char *plist;
1613 * Add TLS extension ECPointFormats to the ServerHello message
1615 tls1_get_formatlist(s, &plist, &plistlen);
1617 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1618 || !WPACKET_start_sub_packet_u16(pkt)
1619 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1620 || !WPACKET_close(pkt)) {
1621 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1626 * Currently the server should not respond with a SupportedCurves
1629 #endif /* OPENSSL_NO_EC */
1631 if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
1632 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1633 || !WPACKET_put_bytes_u16(pkt, 0)) {
1634 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1639 * if we don't add the above TLSEXT, we can't add a session ticket
1642 s->tlsext_ticket_expected = 0;
1645 if (s->tlsext_status_expected) {
1646 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1647 || !WPACKET_put_bytes_u16(pkt, 0)) {
1648 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1652 #ifndef OPENSSL_NO_SRTP
1653 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1654 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1655 || !WPACKET_start_sub_packet_u16(pkt)
1656 || !WPACKET_put_bytes_u16(pkt, 2)
1657 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1658 || !WPACKET_put_bytes_u8(pkt, 0)
1659 || !WPACKET_close(pkt)) {
1660 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1666 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1667 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1668 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1669 const unsigned char cryptopro_ext[36] = {
1670 0xfd, 0xe8, /* 65000 */
1671 0x00, 0x20, /* 32 bytes length */
1672 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1673 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1674 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1675 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1677 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1678 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1683 #ifndef OPENSSL_NO_NEXTPROTONEG
1684 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1685 s->s3->next_proto_neg_seen = 0;
1686 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1687 const unsigned char *npa;
1688 unsigned int npalen;
1691 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1693 ctx->next_protos_advertised_cb_arg);
1694 if (r == SSL_TLSEXT_ERR_OK) {
1695 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1696 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1697 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1700 s->s3->next_proto_neg_seen = 1;
1705 if (SSL_IS_TLS13(s) && !s->hit && !add_client_key_share_ext(s, pkt, al))
1708 if (!custom_ext_add(s, 1, pkt, al)) {
1709 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1713 if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
1715 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1716 * for other cases too.
1718 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1719 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1720 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1721 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
1722 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1724 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1725 || !WPACKET_put_bytes_u16(pkt, 0)) {
1726 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1731 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
1732 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1733 || !WPACKET_put_bytes_u16(pkt, 0)) {
1734 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1739 if (s->s3->alpn_selected != NULL) {
1740 if (!WPACKET_put_bytes_u16(pkt,
1741 TLSEXT_TYPE_application_layer_protocol_negotiation)
1742 || !WPACKET_start_sub_packet_u16(pkt)
1743 || !WPACKET_start_sub_packet_u16(pkt)
1744 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1745 s->s3->alpn_selected_len)
1746 || !WPACKET_close(pkt)
1747 || !WPACKET_close(pkt)) {
1748 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1754 if (!WPACKET_close(pkt)) {
1755 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1762 * Process the ALPN extension in a ClientHello.
1763 * al: a pointer to the alert value to send in the event of a failure.
1764 * returns 1 on success, 0 on error.
1766 static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
1768 const unsigned char *selected = NULL;
1769 unsigned char selected_len = 0;
1771 if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
1772 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1773 s->s3->alpn_proposed,
1774 (unsigned int)s->s3->alpn_proposed_len,
1775 s->ctx->alpn_select_cb_arg);
1777 if (r == SSL_TLSEXT_ERR_OK) {
1778 OPENSSL_free(s->s3->alpn_selected);
1779 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
1780 if (s->s3->alpn_selected == NULL) {
1781 *al = SSL_AD_INTERNAL_ERROR;
1784 s->s3->alpn_selected_len = selected_len;
1785 #ifndef OPENSSL_NO_NEXTPROTONEG
1786 /* ALPN takes precedence over NPN. */
1787 s->s3->next_proto_neg_seen = 0;
1790 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
1798 #ifndef OPENSSL_NO_NEXTPROTONEG
1800 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1801 * elements of zero length are allowed and the set of elements must exactly
1802 * fill the length of the block.
1804 static char ssl_next_proto_validate(PACKET *pkt)
1806 PACKET tmp_protocol;
1808 while (PACKET_remaining(pkt)) {
1809 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
1810 || PACKET_remaining(&tmp_protocol) == 0)
1818 static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
1820 unsigned int length, type, size;
1821 int tlsext_servername = 0;
1822 int renegotiate_seen = 0;
1824 #ifndef OPENSSL_NO_NEXTPROTONEG
1825 s->s3->next_proto_neg_seen = 0;
1827 s->tlsext_ticket_expected = 0;
1829 OPENSSL_free(s->s3->alpn_selected);
1830 s->s3->alpn_selected = NULL;
1832 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1834 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
1836 if (!PACKET_get_net_2(pkt, &length))
1839 if (PACKET_remaining(pkt) != length) {
1840 *al = SSL_AD_DECODE_ERROR;
1844 if (!tls1_check_duplicate_extensions(pkt)) {
1845 *al = SSL_AD_DECODE_ERROR;
1849 while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
1850 const unsigned char *data;
1853 if (!PACKET_get_sub_packet(pkt, &spkt, size)
1854 || !PACKET_peek_bytes(&spkt, &data, size))
1857 if (s->tlsext_debug_cb)
1858 s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
1860 if (type == TLSEXT_TYPE_renegotiate) {
1861 if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
1863 renegotiate_seen = 1;
1864 } else if (s->version == SSL3_VERSION) {
1865 } else if (type == TLSEXT_TYPE_server_name) {
1866 if (s->tlsext_hostname == NULL || size > 0) {
1867 *al = TLS1_AD_UNRECOGNIZED_NAME;
1870 tlsext_servername = 1;
1872 #ifndef OPENSSL_NO_EC
1873 else if (type == TLSEXT_TYPE_ec_point_formats) {
1874 unsigned int ecpointformatlist_length;
1875 if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
1876 || ecpointformatlist_length != size - 1) {
1877 *al = TLS1_AD_DECODE_ERROR;
1881 s->session->tlsext_ecpointformatlist_length = 0;
1882 OPENSSL_free(s->session->tlsext_ecpointformatlist);
1883 if ((s->session->tlsext_ecpointformatlist =
1884 OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
1885 *al = TLS1_AD_INTERNAL_ERROR;
1888 s->session->tlsext_ecpointformatlist_length =
1889 ecpointformatlist_length;
1890 if (!PACKET_copy_bytes(&spkt,
1891 s->session->tlsext_ecpointformatlist,
1892 ecpointformatlist_length)) {
1893 *al = TLS1_AD_DECODE_ERROR;
1899 #endif /* OPENSSL_NO_EC */
1901 else if (type == TLSEXT_TYPE_session_ticket) {
1902 if (s->tls_session_ticket_ext_cb &&
1903 !s->tls_session_ticket_ext_cb(s, data, size,
1904 s->tls_session_ticket_ext_cb_arg))
1906 *al = TLS1_AD_INTERNAL_ERROR;
1909 if (!tls_use_ticket(s) || (size > 0)) {
1910 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1913 s->tlsext_ticket_expected = 1;
1914 } else if (type == TLSEXT_TYPE_status_request) {
1916 * MUST be empty and only sent if we've requested a status
1919 if ((s->tlsext_status_type == -1) || (size > 0)) {
1920 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1923 /* Set flag to expect CertificateStatus message */
1924 s->tlsext_status_expected = 1;
1926 #ifndef OPENSSL_NO_CT
1928 * Only take it if we asked for it - i.e if there is no CT validation
1929 * callback set, then a custom extension MAY be processing it, so we
1930 * need to let control continue to flow to that.
1932 else if (type == TLSEXT_TYPE_signed_certificate_timestamp &&
1933 s->ct_validation_callback != NULL) {
1934 /* Simply copy it off for later processing */
1935 if (s->tlsext_scts != NULL) {
1936 OPENSSL_free(s->tlsext_scts);
1937 s->tlsext_scts = NULL;
1939 s->tlsext_scts_len = size;
1941 s->tlsext_scts = OPENSSL_malloc(size);
1942 if (s->tlsext_scts == NULL) {
1943 *al = TLS1_AD_INTERNAL_ERROR;
1946 memcpy(s->tlsext_scts, data, size);
1950 #ifndef OPENSSL_NO_NEXTPROTONEG
1951 else if (type == TLSEXT_TYPE_next_proto_neg &&
1952 s->s3->tmp.finish_md_len == 0) {
1953 unsigned char *selected;
1954 unsigned char selected_len;
1955 /* We must have requested it. */
1956 if (s->ctx->next_proto_select_cb == NULL) {
1957 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1960 /* The data must be valid */
1961 if (!ssl_next_proto_validate(&spkt)) {
1962 *al = TLS1_AD_DECODE_ERROR;
1965 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data,
1968 ctx->next_proto_select_cb_arg) !=
1969 SSL_TLSEXT_ERR_OK) {
1970 *al = TLS1_AD_INTERNAL_ERROR;
1974 * Could be non-NULL if server has sent multiple NPN extensions in
1975 * a single Serverhello
1977 OPENSSL_free(s->next_proto_negotiated);
1978 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1979 if (s->next_proto_negotiated == NULL) {
1980 *al = TLS1_AD_INTERNAL_ERROR;
1983 memcpy(s->next_proto_negotiated, selected, selected_len);
1984 s->next_proto_negotiated_len = selected_len;
1985 s->s3->next_proto_neg_seen = 1;
1989 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
1991 /* We must have requested it. */
1992 if (!s->s3->alpn_sent) {
1993 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1997 * The extension data consists of:
1998 * uint16 list_length
1999 * uint8 proto_length;
2000 * uint8 proto[proto_length];
2002 if (!PACKET_get_net_2(&spkt, &len)
2003 || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len)
2004 || PACKET_remaining(&spkt) != len) {
2005 *al = TLS1_AD_DECODE_ERROR;
2008 OPENSSL_free(s->s3->alpn_selected);
2009 s->s3->alpn_selected = OPENSSL_malloc(len);
2010 if (s->s3->alpn_selected == NULL) {
2011 *al = TLS1_AD_INTERNAL_ERROR;
2014 if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
2015 *al = TLS1_AD_DECODE_ERROR;
2018 s->s3->alpn_selected_len = len;
2020 #ifndef OPENSSL_NO_SRTP
2021 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2022 if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
2026 else if (type == TLSEXT_TYPE_encrypt_then_mac) {
2027 /* Ignore if inappropriate ciphersuite */
2028 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) &&
2029 s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2030 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2031 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2032 } else if (type == TLSEXT_TYPE_extended_master_secret &&
2033 (SSL_IS_DTLS(s) || !SSL_IS_TLS13(s))) {
2034 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
2036 s->session->flags |= SSL_SESS_FLAG_EXTMS;
2037 } else if (type == TLSEXT_TYPE_key_share
2038 && SSL_IS_TLS13(s)) {
2039 unsigned int group_id;
2041 EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;
2045 *al = SSL_AD_INTERNAL_ERROR;
2046 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2050 if (!PACKET_get_net_2(&spkt, &group_id)) {
2051 *al = SSL_AD_HANDSHAKE_FAILURE;
2052 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2053 SSL_R_LENGTH_MISMATCH);
2057 if (group_id != s->s3->group_id) {
2059 * This isn't for the group that we sent in the original
2062 *al = SSL_AD_HANDSHAKE_FAILURE;
2063 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2064 SSL_R_BAD_KEY_SHARE);
2068 if (!PACKET_as_length_prefixed_2(&spkt, &encoded_pt)
2069 || PACKET_remaining(&encoded_pt) == 0) {
2070 *al = SSL_AD_DECODE_ERROR;
2071 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2072 SSL_R_LENGTH_MISMATCH);
2076 skey = ssl_generate_pkey(ckey);
2078 *al = SSL_AD_INTERNAL_ERROR;
2079 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
2082 if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
2083 PACKET_remaining(&encoded_pt))) {
2084 *al = SSL_AD_DECODE_ERROR;
2085 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_BAD_ECPOINT);
2089 if (ssl_derive(s, ckey, skey, 1) == 0) {
2090 *al = SSL_AD_INTERNAL_ERROR;
2091 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
2092 EVP_PKEY_free(skey);
2095 EVP_PKEY_free(skey);
2097 * If this extension type was not otherwise handled, but matches a
2098 * custom_cli_ext_record, then send it to the c callback
2100 } else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2104 if (PACKET_remaining(pkt) != 0) {
2105 *al = SSL_AD_DECODE_ERROR;
2109 if (!s->hit && tlsext_servername == 1) {
2110 if (s->tlsext_hostname) {
2111 if (s->session->tlsext_hostname == NULL) {
2112 s->session->tlsext_hostname =
2113 OPENSSL_strdup(s->tlsext_hostname);
2114 if (!s->session->tlsext_hostname) {
2115 *al = SSL_AD_UNRECOGNIZED_NAME;
2119 *al = SSL_AD_DECODE_ERROR;
2128 * Determine if we need to see RI. Strictly speaking if we want to avoid
2129 * an attack we should *always* see RI even on initial server hello
2130 * because the client doesn't see any renegotiation during an attack.
2131 * However this would mean we could not connect to any server which
2132 * doesn't support RI so for the immediate future tolerate RI absence
2134 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2135 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2136 *al = SSL_AD_HANDSHAKE_FAILURE;
2137 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2138 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2144 * Check extended master secret extension is consistent with
2147 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
2148 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
2149 *al = SSL_AD_HANDSHAKE_FAILURE;
2150 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
2158 int ssl_prepare_clienthello_tlsext(SSL *s)
2160 s->s3->alpn_sent = 0;
2164 int ssl_prepare_serverhello_tlsext(SSL *s)
2169 /* Initialise digests to default values */
2170 void ssl_set_default_md(SSL *s)
2172 const EVP_MD **pmd = s->s3->tmp.md;
2173 #ifndef OPENSSL_NO_DSA
2174 pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2176 #ifndef OPENSSL_NO_RSA
2177 if (SSL_USE_SIGALGS(s))
2178 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
2180 pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
2181 pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
2183 #ifndef OPENSSL_NO_EC
2184 pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
2186 #ifndef OPENSSL_NO_GOST
2187 pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
2188 pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
2189 pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
2193 int tls1_set_server_sigalgs(SSL *s)
2198 /* Clear any shared signature algorithms */
2199 OPENSSL_free(s->cert->shared_sigalgs);
2200 s->cert->shared_sigalgs = NULL;
2201 s->cert->shared_sigalgslen = 0;
2202 /* Clear certificate digests and validity flags */
2203 for (i = 0; i < SSL_PKEY_NUM; i++) {
2204 s->s3->tmp.md[i] = NULL;
2205 s->s3->tmp.valid_flags[i] = 0;
2208 /* If sigalgs received process it. */
2209 if (s->s3->tmp.peer_sigalgs) {
2210 if (!tls1_process_sigalgs(s)) {
2211 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
2212 al = SSL_AD_INTERNAL_ERROR;
2215 /* Fatal error is no shared signature algorithms */
2216 if (!s->cert->shared_sigalgs) {
2217 SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2218 SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
2219 al = SSL_AD_ILLEGAL_PARAMETER;
2223 ssl_set_default_md(s);
2227 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2232 * Upon success, returns 1.
2233 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
2235 int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
2237 s->tlsext_status_expected = 0;
2240 * If status request then ask callback what to do. Note: this must be
2241 * called after servername callbacks in case the certificate has changed,
2242 * and must be called after the cipher has been chosen because this may
2243 * influence which certificate is sent
2245 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
2247 CERT_PKEY *certpkey;
2248 certpkey = ssl_get_server_send_pkey(s);
2249 /* If no certificate can't return certificate status */
2250 if (certpkey != NULL) {
2252 * Set current certificate to one we will use so SSL_get_certificate
2253 * et al can pick it up.
2255 s->cert->key = certpkey;
2256 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2258 /* We don't want to send a status request response */
2259 case SSL_TLSEXT_ERR_NOACK:
2260 s->tlsext_status_expected = 0;
2262 /* status request response should be sent */
2263 case SSL_TLSEXT_ERR_OK:
2264 if (s->tlsext_ocsp_resp)
2265 s->tlsext_status_expected = 1;
2267 /* something bad happened */
2268 case SSL_TLSEXT_ERR_ALERT_FATAL:
2270 *al = SSL_AD_INTERNAL_ERROR;
2276 if (!tls1_alpn_handle_client_hello_late(s, al)) {
2283 int ssl_check_serverhello_tlsext(SSL *s)
2285 int ret = SSL_TLSEXT_ERR_NOACK;
2286 int al = SSL_AD_UNRECOGNIZED_NAME;
2288 #ifndef OPENSSL_NO_EC
2290 * If we are client and using an elliptic curve cryptography cipher
2291 * suite, then if server returns an EC point formats lists extension it
2292 * must contain uncompressed.
2294 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2295 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2296 if ((s->tlsext_ecpointformatlist != NULL)
2297 && (s->tlsext_ecpointformatlist_length > 0)
2298 && (s->session->tlsext_ecpointformatlist != NULL)
2299 && (s->session->tlsext_ecpointformatlist_length > 0)
2300 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
2301 /* we are using an ECC cipher */
2303 unsigned char *list;
2304 int found_uncompressed = 0;
2305 list = s->session->tlsext_ecpointformatlist;
2306 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2307 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2308 found_uncompressed = 1;
2312 if (!found_uncompressed) {
2313 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2314 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2318 ret = SSL_TLSEXT_ERR_OK;
2319 #endif /* OPENSSL_NO_EC */
2321 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2323 s->ctx->tlsext_servername_callback(s, &al,
2324 s->ctx->tlsext_servername_arg);
2325 else if (s->initial_ctx != NULL
2326 && s->initial_ctx->tlsext_servername_callback != 0)
2328 s->initial_ctx->tlsext_servername_callback(s, &al,
2330 initial_ctx->tlsext_servername_arg);
2333 * Ensure we get sensible values passed to tlsext_status_cb in the event
2334 * that we don't receive a status message
2336 OPENSSL_free(s->tlsext_ocsp_resp);
2337 s->tlsext_ocsp_resp = NULL;
2338 s->tlsext_ocsp_resplen = 0;
2341 case SSL_TLSEXT_ERR_ALERT_FATAL:
2342 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2345 case SSL_TLSEXT_ERR_ALERT_WARNING:
2346 ssl3_send_alert(s, SSL3_AL_WARNING, al);
2349 case SSL_TLSEXT_ERR_NOACK:
2350 s->servername_done = 0;
2356 int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
2359 if (s->version < SSL3_VERSION)
2361 if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
2362 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2366 if (ssl_check_serverhello_tlsext(s) <= 0) {
2367 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
2374 * Given a list of extensions that we collected earlier, find one of a given
2375 * type and return it.
2377 * |exts| is the set of extensions previously collected.
2378 * |numexts| is the number of extensions that we have.
2379 * |type| the type of the extension that we are looking for.
2381 * Returns a pointer to the found RAW_EXTENSION data, or NULL if not found.
2383 RAW_EXTENSION *tls_get_extension_by_type(RAW_EXTENSION *exts, size_t numexts,
2388 for (loop = 0; loop < numexts; loop++) {
2389 if (exts[loop].type == type)
2397 * Gets the ticket information supplied by the client if any.
2399 * hello: The parsed ClientHello data
2400 * ret: (output) on return, if a ticket was decrypted, then this is set to
2401 * point to the resulting session.
2403 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2404 * ciphersuite, in which case we have no use for session tickets and one will
2405 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2408 * -1: fatal error, either from parsing or decrypting the ticket.
2409 * 0: no ticket was found (or was ignored, based on settings).
2410 * 1: a zero length extension was found, indicating that the client supports
2411 * session tickets but doesn't currently have one to offer.
2412 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2413 * couldn't be decrypted because of a non-fatal error.
2414 * 3: a ticket was successfully decrypted and *ret was set.
2417 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2418 * a new session ticket to the client because the client indicated support
2419 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2420 * a session ticket or we couldn't use the one it gave us, or if
2421 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2422 * Otherwise, s->tlsext_ticket_expected is set to 0.
2424 int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
2428 const unsigned char *etick;
2430 RAW_EXTENSION *ticketext;
2433 s->tlsext_ticket_expected = 0;
2436 * If tickets disabled or not supported by the protocol version
2437 * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
2440 if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
2443 ticketext = tls_get_extension_by_type(hello->pre_proc_exts,
2444 hello->num_extensions,
2445 TLSEXT_TYPE_session_ticket);
2446 if (ticketext == NULL)
2449 ticketext->parsed = 1;
2451 size = PACKET_remaining(&ticketext->data);
2454 * The client will accept a ticket but doesn't currently have
2457 s->tlsext_ticket_expected = 1;
2460 if (s->tls_session_secret_cb) {
2462 * Indicate that the ticket couldn't be decrypted rather than
2463 * generating the session from ticket now, trigger
2464 * abbreviated handshake based on external mechanism to
2465 * calculate the master secret later.
2469 if (!PACKET_get_bytes(&ticketext->data, &etick, size)) {
2470 /* Shouldn't ever happen */
2473 retv = tls_decrypt_ticket(s, etick, size, hello->session_id,
2474 hello->session_id_len, ret);
2476 case 2: /* ticket couldn't be decrypted */
2477 s->tlsext_ticket_expected = 1;
2480 case 3: /* ticket was decrypted */
2483 case 4: /* ticket decrypted but need to renew */
2484 s->tlsext_ticket_expected = 1;
2487 default: /* fatal error */
2493 * tls_decrypt_ticket attempts to decrypt a session ticket.
2495 * etick: points to the body of the session ticket extension.
2496 * eticklen: the length of the session tickets extension.
2497 * sess_id: points at the session ID.
2498 * sesslen: the length of the session ID.
2499 * psess: (output) on return, if a ticket was decrypted, then this is set to
2500 * point to the resulting session.
2503 * -2: fatal error, malloc failure.
2504 * -1: fatal error, either from parsing or decrypting the ticket.
2505 * 2: the ticket couldn't be decrypted.
2506 * 3: a ticket was successfully decrypted and *psess was set.
2507 * 4: same as 3, but the ticket needs to be renewed.
2509 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
2510 size_t eticklen, const unsigned char *sess_id,
2511 size_t sesslen, SSL_SESSION **psess)
2514 unsigned char *sdec;
2515 const unsigned char *p;
2516 int slen, renew_ticket = 0, ret = -1, declen;
2518 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2519 HMAC_CTX *hctx = NULL;
2520 EVP_CIPHER_CTX *ctx;
2521 SSL_CTX *tctx = s->initial_ctx;
2523 /* Initialize session ticket encryption and HMAC contexts */
2524 hctx = HMAC_CTX_new();
2527 ctx = EVP_CIPHER_CTX_new();
2532 if (tctx->tlsext_ticket_key_cb) {
2533 unsigned char *nctick = (unsigned char *)etick;
2534 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2545 /* Check key name matches */
2546 if (memcmp(etick, tctx->tlsext_tick_key_name,
2547 sizeof(tctx->tlsext_tick_key_name)) != 0) {
2551 if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
2552 sizeof(tctx->tlsext_tick_hmac_key),
2553 EVP_sha256(), NULL) <= 0
2554 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
2555 tctx->tlsext_tick_aes_key,
2556 etick + sizeof(tctx->tlsext_tick_key_name)) <=
2562 * Attempt to process session ticket, first conduct sanity and integrity
2565 mlen = HMAC_size(hctx);
2569 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
2571 TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
2576 /* Check HMAC of encrypted ticket */
2577 if (HMAC_Update(hctx, etick, eticklen) <= 0
2578 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
2581 HMAC_CTX_free(hctx);
2582 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
2583 EVP_CIPHER_CTX_free(ctx);
2586 /* Attempt to decrypt session data */
2587 /* Move p after IV to start of encrypted ticket, update length */
2588 p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
2589 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
2590 sdec = OPENSSL_malloc(eticklen);
2591 if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
2592 (int)eticklen) <= 0) {
2593 EVP_CIPHER_CTX_free(ctx);
2597 if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
2598 EVP_CIPHER_CTX_free(ctx);
2603 EVP_CIPHER_CTX_free(ctx);
2607 sess = d2i_SSL_SESSION(NULL, &p, slen);
2611 * The session ID, if non-empty, is used by some clients to detect
2612 * that the ticket has been accepted. So we copy it to the session
2613 * structure. If it is empty set length to zero as required by
2617 memcpy(sess->session_id, sess_id, sesslen);
2618 sess->session_id_length = sesslen;
2627 * For session parse failure, indicate that we need to send a new ticket.
2631 EVP_CIPHER_CTX_free(ctx);
2632 HMAC_CTX_free(hctx);
2636 /* Tables to translate from NIDs to TLS v1.2 ids */
2643 static const tls12_lookup tls12_md[] = {
2644 {NID_md5, TLSEXT_hash_md5},
2645 {NID_sha1, TLSEXT_hash_sha1},
2646 {NID_sha224, TLSEXT_hash_sha224},
2647 {NID_sha256, TLSEXT_hash_sha256},
2648 {NID_sha384, TLSEXT_hash_sha384},
2649 {NID_sha512, TLSEXT_hash_sha512},
2650 {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
2651 {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
2652 {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
2655 static const tls12_lookup tls12_sig[] = {
2656 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2657 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2658 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
2659 {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
2660 {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
2661 {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
2664 static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
2667 for (i = 0; i < tlen; i++) {
2668 if (table[i].nid == nid)
2674 static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
2677 for (i = 0; i < tlen; i++) {
2678 if ((table[i].id) == id)
2679 return table[i].nid;
2684 int tls12_get_sigandhash(WPACKET *pkt, const EVP_PKEY *pk, const EVP_MD *md)
2690 md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
2693 sig_id = tls12_get_sigid(pk);
2696 if (!WPACKET_put_bytes_u8(pkt, md_id) || !WPACKET_put_bytes_u8(pkt, sig_id))
2702 int tls12_get_sigid(const EVP_PKEY *pk)
2704 return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
2711 unsigned char tlsext_hash;
2714 static const tls12_hash_info tls12_md_info[] = {
2715 {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
2716 {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
2717 {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
2718 {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
2719 {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
2720 {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
2721 {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
2722 {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX,
2723 TLSEXT_hash_gostr34112012_256},
2724 {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
2725 TLSEXT_hash_gostr34112012_512},
2728 static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
2734 for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
2735 if (tls12_md_info[i].tlsext_hash == hash_alg)
2736 return tls12_md_info + i;
2742 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2744 const tls12_hash_info *inf;
2745 if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
2747 inf = tls12_get_hash_info(hash_alg);
2750 return ssl_md(inf->md_idx);
2753 static int tls12_get_pkey_idx(unsigned char sig_alg)
2756 #ifndef OPENSSL_NO_RSA
2757 case TLSEXT_signature_rsa:
2758 return SSL_PKEY_RSA_SIGN;
2760 #ifndef OPENSSL_NO_DSA
2761 case TLSEXT_signature_dsa:
2762 return SSL_PKEY_DSA_SIGN;
2764 #ifndef OPENSSL_NO_EC
2765 case TLSEXT_signature_ecdsa:
2766 return SSL_PKEY_ECC;
2768 #ifndef OPENSSL_NO_GOST
2769 case TLSEXT_signature_gostr34102001:
2770 return SSL_PKEY_GOST01;
2772 case TLSEXT_signature_gostr34102012_256:
2773 return SSL_PKEY_GOST12_256;
2775 case TLSEXT_signature_gostr34102012_512:
2776 return SSL_PKEY_GOST12_512;
2782 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
2783 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
2784 int *psignhash_nid, const unsigned char *data)
2786 int sign_nid = NID_undef, hash_nid = NID_undef;
2787 if (!phash_nid && !psign_nid && !psignhash_nid)
2789 if (phash_nid || psignhash_nid) {
2790 hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
2792 *phash_nid = hash_nid;
2794 if (psign_nid || psignhash_nid) {
2795 sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
2797 *psign_nid = sign_nid;
2799 if (psignhash_nid) {
2800 if (sign_nid == NID_undef || hash_nid == NID_undef
2801 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0)
2802 *psignhash_nid = NID_undef;
2806 /* Check to see if a signature algorithm is allowed */
2807 static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
2809 /* See if we have an entry in the hash table and it is enabled */
2810 const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
2811 if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
2813 /* See if public key algorithm allowed */
2814 if (tls12_get_pkey_idx(ptmp[1]) == -1)
2816 /* Finally see if security callback allows it */
2817 return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp);
2821 * Get a mask of disabled public key algorithms based on supported signature
2822 * algorithms. For example if no signature algorithm supports RSA then RSA is
2826 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
2828 const unsigned char *sigalgs;
2829 size_t i, sigalgslen;
2830 int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
2832 * Now go through all signature algorithms seeing if we support any for
2833 * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
2834 * down calls to security callback only check if we have to.
2836 sigalgslen = tls12_get_psigalgs(s, &sigalgs);
2837 for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
2838 switch (sigalgs[1]) {
2839 #ifndef OPENSSL_NO_RSA
2840 case TLSEXT_signature_rsa:
2841 if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
2845 #ifndef OPENSSL_NO_DSA
2846 case TLSEXT_signature_dsa:
2847 if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
2851 #ifndef OPENSSL_NO_EC
2852 case TLSEXT_signature_ecdsa:
2853 if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
2860 *pmask_a |= SSL_aRSA;
2862 *pmask_a |= SSL_aDSS;
2864 *pmask_a |= SSL_aECDSA;
2867 int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
2868 const unsigned char *psig, size_t psiglen)
2872 for (i = 0; i < psiglen; i += 2, psig += 2) {
2873 if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
2874 if (!WPACKET_put_bytes_u8(pkt, psig[0])
2875 || !WPACKET_put_bytes_u8(pkt, psig[1]))
2882 /* Given preference and allowed sigalgs set shared sigalgs */
2883 static size_t tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
2884 const unsigned char *pref, size_t preflen,
2885 const unsigned char *allow, size_t allowlen)
2887 const unsigned char *ptmp, *atmp;
2888 size_t i, j, nmatch = 0;
2889 for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
2890 /* Skip disabled hashes or signature algorithms */
2891 if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp))
2893 for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
2894 if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
2897 shsig->rhash = ptmp[0];
2898 shsig->rsign = ptmp[1];
2899 tls1_lookup_sigalg(&shsig->hash_nid,
2901 &shsig->signandhash_nid, ptmp);
2911 /* Set shared signature algorithms for SSL structures */
2912 static int tls1_set_shared_sigalgs(SSL *s)
2914 const unsigned char *pref, *allow, *conf;
2915 size_t preflen, allowlen, conflen;
2917 TLS_SIGALGS *salgs = NULL;
2919 unsigned int is_suiteb = tls1_suiteb(s);
2921 OPENSSL_free(c->shared_sigalgs);
2922 c->shared_sigalgs = NULL;
2923 c->shared_sigalgslen = 0;
2924 /* If client use client signature algorithms if not NULL */
2925 if (!s->server && c->client_sigalgs && !is_suiteb) {
2926 conf = c->client_sigalgs;
2927 conflen = c->client_sigalgslen;
2928 } else if (c->conf_sigalgs && !is_suiteb) {
2929 conf = c->conf_sigalgs;
2930 conflen = c->conf_sigalgslen;
2932 conflen = tls12_get_psigalgs(s, &conf);
2933 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
2936 allow = s->s3->tmp.peer_sigalgs;
2937 allowlen = s->s3->tmp.peer_sigalgslen;
2941 pref = s->s3->tmp.peer_sigalgs;
2942 preflen = s->s3->tmp.peer_sigalgslen;
2944 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
2946 salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
2949 nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
2953 c->shared_sigalgs = salgs;
2954 c->shared_sigalgslen = nmatch;
2958 /* Set preferred digest for each key type */
2960 int tls1_save_sigalgs(SSL *s, const unsigned char *data, size_t dsize)
2963 /* Extension ignored for inappropriate versions */
2964 if (!SSL_USE_SIGALGS(s))
2966 /* Should never happen */
2970 OPENSSL_free(s->s3->tmp.peer_sigalgs);
2971 s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
2972 if (s->s3->tmp.peer_sigalgs == NULL)
2974 s->s3->tmp.peer_sigalgslen = dsize;
2975 memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
2979 int tls1_process_sigalgs(SSL *s)
2984 const EVP_MD **pmd = s->s3->tmp.md;
2985 uint32_t *pvalid = s->s3->tmp.valid_flags;
2987 TLS_SIGALGS *sigptr;
2988 if (!tls1_set_shared_sigalgs(s))
2991 for (i = 0, sigptr = c->shared_sigalgs;
2992 i < c->shared_sigalgslen; i++, sigptr++) {
2993 idx = tls12_get_pkey_idx(sigptr->rsign);
2994 if (idx > 0 && pmd[idx] == NULL) {
2995 md = tls12_get_hash(sigptr->rhash);
2997 pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
2998 if (idx == SSL_PKEY_RSA_SIGN) {
2999 pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
3000 pmd[SSL_PKEY_RSA_ENC] = md;
3006 * In strict mode leave unset digests as NULL to indicate we can't use
3007 * the certificate for signing.
3009 if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3011 * Set any remaining keys to default values. NOTE: if alg is not
3012 * supported it stays as NULL.
3014 #ifndef OPENSSL_NO_DSA
3015 if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
3016 pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
3018 #ifndef OPENSSL_NO_RSA
3019 if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
3020 pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
3021 pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
3024 #ifndef OPENSSL_NO_EC
3025 if (pmd[SSL_PKEY_ECC] == NULL)
3026 pmd[SSL_PKEY_ECC] = EVP_sha1();
3028 #ifndef OPENSSL_NO_GOST
3029 if (pmd[SSL_PKEY_GOST01] == NULL)
3030 pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
3031 if (pmd[SSL_PKEY_GOST12_256] == NULL)
3032 pmd[SSL_PKEY_GOST12_256] =
3033 EVP_get_digestbynid(NID_id_GostR3411_2012_256);
3034 if (pmd[SSL_PKEY_GOST12_512] == NULL)
3035 pmd[SSL_PKEY_GOST12_512] =
3036 EVP_get_digestbynid(NID_id_GostR3411_2012_512);
3042 int SSL_get_sigalgs(SSL *s, int idx,
3043 int *psign, int *phash, int *psignhash,
3044 unsigned char *rsig, unsigned char *rhash)
3046 const unsigned char *psig = s->s3->tmp.peer_sigalgs;
3047 size_t numsigalgs = s->s3->tmp.peer_sigalgslen / 2;
3048 if (psig == NULL || numsigalgs > INT_MAX)
3052 if (idx >= (int)s->s3->tmp.peer_sigalgslen)
3059 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3061 return (int)numsigalgs;
3064 int SSL_get_shared_sigalgs(SSL *s, int idx,
3065 int *psign, int *phash, int *psignhash,
3066 unsigned char *rsig, unsigned char *rhash)
3068 TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3069 if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen
3070 || s->cert->shared_sigalgslen > INT_MAX)
3074 *phash = shsigalgs->hash_nid;
3076 *psign = shsigalgs->sign_nid;
3078 *psignhash = shsigalgs->signandhash_nid;
3080 *rsig = shsigalgs->rsign;
3082 *rhash = shsigalgs->rhash;
3083 return (int)s->cert->shared_sigalgslen;
3086 #define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3090 int sigalgs[MAX_SIGALGLEN];
3093 static void get_sigorhash(int *psig, int *phash, const char *str)
3095 if (strcmp(str, "RSA") == 0) {
3096 *psig = EVP_PKEY_RSA;
3097 } else if (strcmp(str, "DSA") == 0) {
3098 *psig = EVP_PKEY_DSA;
3099 } else if (strcmp(str, "ECDSA") == 0) {
3100 *psig = EVP_PKEY_EC;
3102 *phash = OBJ_sn2nid(str);
3103 if (*phash == NID_undef)
3104 *phash = OBJ_ln2nid(str);
3108 static int sig_cb(const char *elem, int len, void *arg)
3110 sig_cb_st *sarg = arg;
3113 int sig_alg = NID_undef, hash_alg = NID_undef;
3116 if (sarg->sigalgcnt == MAX_SIGALGLEN)
3118 if (len > (int)(sizeof(etmp) - 1))
3120 memcpy(etmp, elem, len);
3122 p = strchr(etmp, '+');
3130 get_sigorhash(&sig_alg, &hash_alg, etmp);
3131 get_sigorhash(&sig_alg, &hash_alg, p);
3133 if (sig_alg == NID_undef || hash_alg == NID_undef)
3136 for (i = 0; i < sarg->sigalgcnt; i += 2) {
3137 if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
3140 sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3141 sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3146 * Set supported signature algorithms based on a colon separated list of the
3147 * form sig+hash e.g. RSA+SHA512:DSA+SHA512
3149 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
3153 if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3157 return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3160 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
3162 unsigned char *sigalgs, *sptr;
3167 sigalgs = OPENSSL_malloc(salglen);
3168 if (sigalgs == NULL)
3170 for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
3171 rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
3172 rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
3174 if (rhash == -1 || rsign == -1)
3181 OPENSSL_free(c->client_sigalgs);
3182 c->client_sigalgs = sigalgs;
3183 c->client_sigalgslen = salglen;
3185 OPENSSL_free(c->conf_sigalgs);
3186 c->conf_sigalgs = sigalgs;
3187 c->conf_sigalgslen = salglen;
3193 OPENSSL_free(sigalgs);
3197 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3201 if (default_nid == -1)
3203 sig_nid = X509_get_signature_nid(x);
3205 return sig_nid == default_nid ? 1 : 0;
3206 for (i = 0; i < c->shared_sigalgslen; i++)
3207 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3212 /* Check to see if a certificate issuer name matches list of CA names */
3213 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
3217 nm = X509_get_issuer_name(x);
3218 for (i = 0; i < sk_X509_NAME_num(names); i++) {
3219 if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3226 * Check certificate chain is consistent with TLS extensions and is usable by
3227 * server. This servers two purposes: it allows users to check chains before
3228 * passing them to the server and it allows the server to check chains before
3229 * attempting to use them.
3232 /* Flags which need to be set for a certificate when stict mode not set */
3234 #define CERT_PKEY_VALID_FLAGS \
3235 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
3236 /* Strict mode flags */
3237 #define CERT_PKEY_STRICT_FLAGS \
3238 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3239 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
3241 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3246 int check_flags = 0, strict_mode;
3247 CERT_PKEY *cpk = NULL;
3250 unsigned int suiteb_flags = tls1_suiteb(s);
3251 /* idx == -1 means checking server chains */
3253 /* idx == -2 means checking client certificate chains */
3256 idx = (int)(cpk - c->pkeys);
3258 cpk = c->pkeys + idx;
3259 pvalid = s->s3->tmp.valid_flags + idx;
3261 pk = cpk->privatekey;
3263 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
3264 /* If no cert or key, forget it */
3270 idx = ssl_cert_type(x, pk);
3273 pvalid = s->s3->tmp.valid_flags + idx;
3275 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
3276 check_flags = CERT_PKEY_STRICT_FLAGS;
3278 check_flags = CERT_PKEY_VALID_FLAGS;
3285 check_flags |= CERT_PKEY_SUITEB;
3286 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
3287 if (ok == X509_V_OK)
3288 rv |= CERT_PKEY_SUITEB;
3289 else if (!check_flags)
3294 * Check all signature algorithms are consistent with signature
3295 * algorithms extension if TLS 1.2 or later and strict mode.
3297 if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
3299 unsigned char rsign = 0;
3300 if (s->s3->tmp.peer_sigalgs)
3302 /* If no sigalgs extension use defaults from RFC5246 */
3305 case SSL_PKEY_RSA_ENC:
3306 case SSL_PKEY_RSA_SIGN:
3307 rsign = TLSEXT_signature_rsa;
3308 default_nid = NID_sha1WithRSAEncryption;
3311 case SSL_PKEY_DSA_SIGN:
3312 rsign = TLSEXT_signature_dsa;
3313 default_nid = NID_dsaWithSHA1;
3317 rsign = TLSEXT_signature_ecdsa;
3318 default_nid = NID_ecdsa_with_SHA1;
3321 case SSL_PKEY_GOST01:
3322 rsign = TLSEXT_signature_gostr34102001;
3323 default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
3326 case SSL_PKEY_GOST12_256:
3327 rsign = TLSEXT_signature_gostr34102012_256;
3328 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
3331 case SSL_PKEY_GOST12_512:
3332 rsign = TLSEXT_signature_gostr34102012_512;
3333 default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
3342 * If peer sent no signature algorithms extension and we have set
3343 * preferred signature algorithms check we support sha1.
3345 if (default_nid > 0 && c->conf_sigalgs) {
3347 const unsigned char *p = c->conf_sigalgs;
3348 for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
3349 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3352 if (j == c->conf_sigalgslen) {
3359 /* Check signature algorithm of each cert in chain */
3360 if (!tls1_check_sig_alg(c, x, default_nid)) {
3364 rv |= CERT_PKEY_EE_SIGNATURE;
3365 rv |= CERT_PKEY_CA_SIGNATURE;
3366 for (i = 0; i < sk_X509_num(chain); i++) {
3367 if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
3369 rv &= ~CERT_PKEY_CA_SIGNATURE;
3376 /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
3377 else if (check_flags)
3378 rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
3380 /* Check cert parameters are consistent */
3381 if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
3382 rv |= CERT_PKEY_EE_PARAM;
3383 else if (!check_flags)
3386 rv |= CERT_PKEY_CA_PARAM;
3387 /* In strict mode check rest of chain too */
3388 else if (strict_mode) {
3389 rv |= CERT_PKEY_CA_PARAM;
3390 for (i = 0; i < sk_X509_num(chain); i++) {
3391 X509 *ca = sk_X509_value(chain, i);
3392 if (!tls1_check_cert_param(s, ca, 0)) {
3394 rv &= ~CERT_PKEY_CA_PARAM;
3401 if (!s->server && strict_mode) {
3402 STACK_OF(X509_NAME) *ca_dn;
3404 switch (EVP_PKEY_id(pk)) {
3406 check_type = TLS_CT_RSA_SIGN;
3409 check_type = TLS_CT_DSS_SIGN;
3412 check_type = TLS_CT_ECDSA_SIGN;
3416 const unsigned char *ctypes;
3420 ctypelen = (int)c->ctype_num;
3422 ctypes = (unsigned char *)s->s3->tmp.ctype;
3423 ctypelen = s->s3->tmp.ctype_num;
3425 for (i = 0; i < ctypelen; i++) {
3426 if (ctypes[i] == check_type) {
3427 rv |= CERT_PKEY_CERT_TYPE;
3431 if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
3434 rv |= CERT_PKEY_CERT_TYPE;
3436 ca_dn = s->s3->tmp.ca_names;
3438 if (!sk_X509_NAME_num(ca_dn))
3439 rv |= CERT_PKEY_ISSUER_NAME;
3441 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3442 if (ssl_check_ca_name(ca_dn, x))
3443 rv |= CERT_PKEY_ISSUER_NAME;
3445 if (!(rv & CERT_PKEY_ISSUER_NAME)) {
3446 for (i = 0; i < sk_X509_num(chain); i++) {
3447 X509 *xtmp = sk_X509_value(chain, i);
3448 if (ssl_check_ca_name(ca_dn, xtmp)) {
3449 rv |= CERT_PKEY_ISSUER_NAME;
3454 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
3457 rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
3459 if (!check_flags || (rv & check_flags) == check_flags)
3460 rv |= CERT_PKEY_VALID;
3464 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
3465 if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
3466 rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
3467 else if (s->s3->tmp.md[idx] != NULL)
3468 rv |= CERT_PKEY_SIGN;
3470 rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
3473 * When checking a CERT_PKEY structure all flags are irrelevant if the
3477 if (rv & CERT_PKEY_VALID)
3480 /* Preserve explicit sign flag, clear rest */
3481 *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
3488 /* Set validity of certificates in an SSL structure */
3489 void tls1_set_cert_validity(SSL *s)
3491 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
3492 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
3493 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
3494 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
3495 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
3496 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
3497 tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
3500 /* User level utiity function to check a chain is suitable */
3501 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
3503 return tls1_check_chain(s, x, pk, chain, -1);
3506 #ifndef OPENSSL_NO_DH
3507 DH *ssl_get_auto_dh(SSL *s)
3509 int dh_secbits = 80;
3510 if (s->cert->dh_tmp_auto == 2)
3511 return DH_get_1024_160();
3512 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
3513 if (s->s3->tmp.new_cipher->strength_bits == 256)
3518 CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
3519 dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
3522 if (dh_secbits >= 128) {
3530 if (dh_secbits >= 192)
3531 p = BN_get_rfc3526_prime_8192(NULL);
3533 p = BN_get_rfc3526_prime_3072(NULL);
3534 if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
3542 if (dh_secbits >= 112)
3543 return DH_get_2048_224();
3544 return DH_get_1024_160();
3548 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
3551 EVP_PKEY *pkey = X509_get0_pubkey(x);
3554 * If no parameters this will return -1 and fail using the default
3555 * security callback for any non-zero security level. This will
3556 * reject keys which omit parameters but this only affects DSA and
3557 * omission of parameters is never (?) done in practice.
3559 secbits = EVP_PKEY_security_bits(pkey);
3562 return ssl_security(s, op, secbits, 0, x);
3564 return ssl_ctx_security(ctx, op, secbits, 0, x);
3567 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
3569 /* Lookup signature algorithm digest */
3570 int secbits = -1, md_nid = NID_undef, sig_nid;
3571 /* Don't check signature if self signed */
3572 if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
3574 sig_nid = X509_get_signature_nid(x);
3575 if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
3577 if (md_nid && (md = EVP_get_digestbynid(md_nid)))
3578 secbits = EVP_MD_size(md) * 4;
3581 return ssl_security(s, op, secbits, md_nid, x);
3583 return ssl_ctx_security(ctx, op, secbits, md_nid, x);
3586 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
3589 vfy = SSL_SECOP_PEER;
3591 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_EE_KEY | vfy))
3592 return SSL_R_EE_KEY_TOO_SMALL;
3594 if (!ssl_security_cert_key(s, ctx, x, SSL_SECOP_CA_KEY | vfy))
3595 return SSL_R_CA_KEY_TOO_SMALL;
3597 if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy))
3598 return SSL_R_CA_MD_TOO_WEAK;
3603 * Check security of a chain, if sk includes the end entity certificate then
3604 * x is NULL. If vfy is 1 then we are verifying a peer chain and not sending
3605 * one to the peer. Return values: 1 if ok otherwise error code to use
3608 int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
3610 int rv, start_idx, i;
3612 x = sk_X509_value(sk, 0);
3617 rv = ssl_security_cert(s, NULL, x, vfy, 1);
3621 for (i = start_idx; i < sk_X509_num(sk); i++) {
3622 x = sk_X509_value(sk, i);
3623 rv = ssl_security_cert(s, NULL, x, vfy, 0);