2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 const unsigned char *sess_id, int sesslen,
124 SSL_SESSION **psess);
125 static int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);
128 SSL3_ENC_METHOD TLSv1_enc_data={
131 tls1_setup_key_block,
132 tls1_generate_master_secret,
133 tls1_change_cipher_state,
134 tls1_final_finish_mac,
135 TLS1_FINISH_MAC_LENGTH,
136 tls1_cert_verify_mac,
137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
142 long tls1_default_timeout(void)
144 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
145 * is way too long for http, the cache would over fill */
151 if (!ssl3_new(s)) return(0);
152 s->method->ssl_clear(s);
156 void tls1_free(SSL *s)
158 #ifndef OPENSSL_NO_TLSEXT
159 if (s->tlsext_session_ticket)
161 OPENSSL_free(s->tlsext_session_ticket);
163 #endif /* OPENSSL_NO_TLSEXT */
167 void tls1_clear(SSL *s)
170 s->version = s->method->version;
173 #ifndef OPENSSL_NO_EC
174 static int nid_list[] =
176 NID_sect163k1, /* sect163k1 (1) */
177 NID_sect163r1, /* sect163r1 (2) */
178 NID_sect163r2, /* sect163r2 (3) */
179 NID_sect193r1, /* sect193r1 (4) */
180 NID_sect193r2, /* sect193r2 (5) */
181 NID_sect233k1, /* sect233k1 (6) */
182 NID_sect233r1, /* sect233r1 (7) */
183 NID_sect239k1, /* sect239k1 (8) */
184 NID_sect283k1, /* sect283k1 (9) */
185 NID_sect283r1, /* sect283r1 (10) */
186 NID_sect409k1, /* sect409k1 (11) */
187 NID_sect409r1, /* sect409r1 (12) */
188 NID_sect571k1, /* sect571k1 (13) */
189 NID_sect571r1, /* sect571r1 (14) */
190 NID_secp160k1, /* secp160k1 (15) */
191 NID_secp160r1, /* secp160r1 (16) */
192 NID_secp160r2, /* secp160r2 (17) */
193 NID_secp192k1, /* secp192k1 (18) */
194 NID_X9_62_prime192v1, /* secp192r1 (19) */
195 NID_secp224k1, /* secp224k1 (20) */
196 NID_secp224r1, /* secp224r1 (21) */
197 NID_secp256k1, /* secp256k1 (22) */
198 NID_X9_62_prime256v1, /* secp256r1 (23) */
199 NID_secp384r1, /* secp384r1 (24) */
200 NID_secp521r1 /* secp521r1 (25) */
203 int tls1_ec_curve_id2nid(int curve_id)
205 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
206 if ((curve_id < 1) || ((unsigned int)curve_id >
207 sizeof(nid_list)/sizeof(nid_list[0])))
209 return nid_list[curve_id-1];
212 int tls1_ec_nid2curve_id(int nid)
214 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
217 case NID_sect163k1: /* sect163k1 (1) */
219 case NID_sect163r1: /* sect163r1 (2) */
221 case NID_sect163r2: /* sect163r2 (3) */
223 case NID_sect193r1: /* sect193r1 (4) */
225 case NID_sect193r2: /* sect193r2 (5) */
227 case NID_sect233k1: /* sect233k1 (6) */
229 case NID_sect233r1: /* sect233r1 (7) */
231 case NID_sect239k1: /* sect239k1 (8) */
233 case NID_sect283k1: /* sect283k1 (9) */
235 case NID_sect283r1: /* sect283r1 (10) */
237 case NID_sect409k1: /* sect409k1 (11) */
239 case NID_sect409r1: /* sect409r1 (12) */
241 case NID_sect571k1: /* sect571k1 (13) */
243 case NID_sect571r1: /* sect571r1 (14) */
245 case NID_secp160k1: /* secp160k1 (15) */
247 case NID_secp160r1: /* secp160r1 (16) */
249 case NID_secp160r2: /* secp160r2 (17) */
251 case NID_secp192k1: /* secp192k1 (18) */
253 case NID_X9_62_prime192v1: /* secp192r1 (19) */
255 case NID_secp224k1: /* secp224k1 (20) */
257 case NID_secp224r1: /* secp224r1 (21) */
259 case NID_secp256k1: /* secp256k1 (22) */
261 case NID_X9_62_prime256v1: /* secp256r1 (23) */
263 case NID_secp384r1: /* secp384r1 (24) */
265 case NID_secp521r1: /* secp521r1 (25) */
271 #endif /* OPENSSL_NO_EC */
273 #ifndef OPENSSL_NO_TLSEXT
275 /* List of supported signature algorithms and hashes. Should make this
276 * customisable at some point, for now include everything we support.
279 #ifdef OPENSSL_NO_RSA
280 #define tlsext_sigalg_rsa(md) /* */
282 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
285 #ifdef OPENSSL_NO_DSA
286 #define tlsext_sigalg_dsa(md) /* */
288 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
291 #ifdef OPENSSL_NO_ECDSA
292 #define tlsext_sigalg_ecdsa(md) /* */
294 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_dsa,
297 #define tlsext_sigalg(md) \
298 tlsext_sigalg_rsa(md) \
299 tlsext_sigalg_dsa(md) \
300 tlsext_sigalg_ecdsa(md)
302 static unsigned char tls12_sigalgs[] = {
303 #ifndef OPENSSL_NO_SHA512
304 tlsext_sigalg(TLSEXT_hash_sha512)
305 tlsext_sigalg(TLSEXT_hash_sha384)
307 #ifndef OPENSSL_NO_SHA256
308 tlsext_sigalg(TLSEXT_hash_sha256)
309 tlsext_sigalg(TLSEXT_hash_sha224)
311 #ifndef OPENSSL_NO_SHA
312 tlsext_sigalg(TLSEXT_hash_sha1)
314 #ifndef OPENSSL_NO_MD5
315 tlsext_sigalg_rsa(TLSEXT_hash_md5)
321 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
324 unsigned char *ret = p;
326 /* don't add extensions for SSLv3 unless doing secure renegotiation */
327 if (s->client_version == SSL3_VERSION
328 && !s->s3->send_connection_binding)
333 if (ret>=limit) return NULL; /* this really never occurs, but ... */
335 if (s->tlsext_hostname != NULL)
337 /* Add TLS extension servername to the Client Hello message */
338 unsigned long size_str;
341 /* check for enough space.
342 4 for the servername type and entension length
343 2 for servernamelist length
344 1 for the hostname type
345 2 for hostname length
349 if ((lenmax = limit - ret - 9) < 0
350 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
353 /* extension type and length */
354 s2n(TLSEXT_TYPE_server_name,ret);
357 /* length of servername list */
360 /* hostname type, length and hostname */
361 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
363 memcpy(ret, s->tlsext_hostname, size_str);
367 /* Add RI if renegotiating */
372 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
374 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
378 if((limit - p - 4 - el) < 0) return NULL;
380 s2n(TLSEXT_TYPE_renegotiate,ret);
383 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
385 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
392 #ifndef OPENSSL_NO_SRP
393 #define MIN(x,y) (((x)<(y))?(x):(y))
394 /* we add SRP username the first time only if we have one! */
395 if (s->srp_ctx.login != NULL)
396 {/* Add TLS extension SRP username to the Client Hello message */
397 int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
400 if ((lenmax = limit - ret - 5) < 0) return NULL;
401 if (login_len > lenmax) return NULL;
404 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
407 s2n(TLSEXT_TYPE_srp,ret);
408 s2n(login_len+1,ret);
410 (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
411 memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
416 #ifndef OPENSSL_NO_EC
417 if (s->tlsext_ecpointformatlist != NULL &&
418 s->version != DTLS1_VERSION)
420 /* Add TLS extension ECPointFormats to the ClientHello message */
423 if ((lenmax = limit - ret - 5) < 0) return NULL;
424 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
425 if (s->tlsext_ecpointformatlist_length > 255)
427 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
431 s2n(TLSEXT_TYPE_ec_point_formats,ret);
432 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
433 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
434 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
435 ret+=s->tlsext_ecpointformatlist_length;
437 if (s->tlsext_ellipticcurvelist != NULL &&
438 s->version != DTLS1_VERSION)
440 /* Add TLS extension EllipticCurves to the ClientHello message */
443 if ((lenmax = limit - ret - 6) < 0) return NULL;
444 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
445 if (s->tlsext_ellipticcurvelist_length > 65532)
447 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
451 s2n(TLSEXT_TYPE_elliptic_curves,ret);
452 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
454 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
455 * elliptic_curve_list, but the examples use two bytes.
456 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
457 * resolves this to two bytes.
459 s2n(s->tlsext_ellipticcurvelist_length, ret);
460 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
461 ret+=s->tlsext_ellipticcurvelist_length;
463 #endif /* OPENSSL_NO_EC */
465 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
468 if (!s->new_session && s->session && s->session->tlsext_tick)
469 ticklen = s->session->tlsext_ticklen;
470 else if (s->session && s->tlsext_session_ticket &&
471 s->tlsext_session_ticket->data)
473 ticklen = s->tlsext_session_ticket->length;
474 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
475 if (!s->session->tlsext_tick)
477 memcpy(s->session->tlsext_tick,
478 s->tlsext_session_ticket->data,
480 s->session->tlsext_ticklen = ticklen;
484 if (ticklen == 0 && s->tlsext_session_ticket &&
485 s->tlsext_session_ticket->data == NULL)
487 /* Check for enough room 2 for extension type, 2 for len
490 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
491 s2n(TLSEXT_TYPE_session_ticket,ret);
495 memcpy(ret, s->session->tlsext_tick, ticklen);
501 if (s->version >= TLS1_2_VERSION)
503 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
505 s2n(TLSEXT_TYPE_signature_algorithms,ret);
506 s2n(sizeof(tls12_sigalgs) + 2, ret);
507 s2n(sizeof(tls12_sigalgs), ret);
508 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
509 ret += sizeof(tls12_sigalgs);
512 #ifdef TLSEXT_TYPE_opaque_prf_input
513 if (s->s3->client_opaque_prf_input != NULL &&
514 s->version != DTLS1_VERSION)
516 size_t col = s->s3->client_opaque_prf_input_len;
518 if ((long)(limit - ret - 6 - col < 0))
520 if (col > 0xFFFD) /* can't happen */
523 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
526 memcpy(ret, s->s3->client_opaque_prf_input, col);
531 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
532 s->version != DTLS1_VERSION)
535 long extlen, idlen, itmp;
539 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
541 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
542 itmp = i2d_OCSP_RESPID(id, NULL);
548 if (s->tlsext_ocsp_exts)
550 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
557 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
558 s2n(TLSEXT_TYPE_status_request, ret);
559 if (extlen + idlen > 0xFFF0)
561 s2n(extlen + idlen + 5, ret);
562 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
564 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
566 /* save position of id len */
567 unsigned char *q = ret;
568 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
569 /* skip over id len */
571 itmp = i2d_OCSP_RESPID(id, &ret);
577 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
580 #ifndef OPENSSL_NO_NEXTPROTONEG
581 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
583 /* The client advertises an emtpy extension to indicate its
584 * support for Next Protocol Negotiation */
585 if (limit - ret - 4 < 0)
587 s2n(TLSEXT_TYPE_next_proto_neg,ret);
592 if ((extdatalen = ret-p-2)== 0)
599 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
602 unsigned char *ret = p;
603 #ifndef OPENSSL_NO_NEXTPROTONEG
604 int next_proto_neg_seen;
607 /* don't add extensions for SSLv3, unless doing secure renegotiation */
608 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
612 if (ret>=limit) return NULL; /* this really never occurs, but ... */
614 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
616 if ((long)(limit - ret - 4) < 0) return NULL;
618 s2n(TLSEXT_TYPE_server_name,ret);
622 if(s->s3->send_connection_binding)
626 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
628 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
632 if((limit - p - 4 - el) < 0) return NULL;
634 s2n(TLSEXT_TYPE_renegotiate,ret);
637 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
639 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
646 #ifndef OPENSSL_NO_EC
647 if (s->tlsext_ecpointformatlist != NULL &&
648 s->version != DTLS1_VERSION)
650 /* Add TLS extension ECPointFormats to the ServerHello message */
653 if ((lenmax = limit - ret - 5) < 0) return NULL;
654 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
655 if (s->tlsext_ecpointformatlist_length > 255)
657 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
661 s2n(TLSEXT_TYPE_ec_point_formats,ret);
662 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
663 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
664 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
665 ret+=s->tlsext_ecpointformatlist_length;
668 /* Currently the server should not respond with a SupportedCurves extension */
669 #endif /* OPENSSL_NO_EC */
671 if (s->tlsext_ticket_expected
672 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
674 if ((long)(limit - ret - 4) < 0) return NULL;
675 s2n(TLSEXT_TYPE_session_ticket,ret);
679 if (s->tlsext_status_expected)
681 if ((long)(limit - ret - 4) < 0) return NULL;
682 s2n(TLSEXT_TYPE_status_request,ret);
686 #ifdef TLSEXT_TYPE_opaque_prf_input
687 if (s->s3->server_opaque_prf_input != NULL &&
688 s->version != DTLS1_VERSION)
690 size_t sol = s->s3->server_opaque_prf_input_len;
692 if ((long)(limit - ret - 6 - sol) < 0)
694 if (sol > 0xFFFD) /* can't happen */
697 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
700 memcpy(ret, s->s3->server_opaque_prf_input, sol);
704 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
705 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
706 { const unsigned char cryptopro_ext[36] = {
707 0xfd, 0xe8, /*65000*/
708 0x00, 0x20, /*32 bytes length*/
709 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
710 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
711 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
712 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
713 if (limit-ret<36) return NULL;
714 memcpy(ret,cryptopro_ext,36);
719 #ifndef OPENSSL_NO_NEXTPROTONEG
720 next_proto_neg_seen = s->s3->next_proto_neg_seen;
721 s->s3->next_proto_neg_seen = 0;
722 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
724 const unsigned char *npa;
728 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
729 if (r == SSL_TLSEXT_ERR_OK)
731 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
732 s2n(TLSEXT_TYPE_next_proto_neg,ret);
734 memcpy(ret, npa, npalen);
736 s->s3->next_proto_neg_seen = 1;
741 if ((extdatalen = ret-p-2)== 0)
748 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
753 unsigned char *data = *p;
754 int renegotiate_seen = 0;
757 s->servername_done = 0;
758 s->tlsext_status_type = -1;
764 if (data > (d+n-len))
767 while (data <= (d+n-4))
772 if (data+size > (d+n))
775 fprintf(stderr,"Received extension type %d size %d\n",type,size);
777 if (s->tlsext_debug_cb)
778 s->tlsext_debug_cb(s, 0, type, data, size,
779 s->tlsext_debug_arg);
780 /* The servername extension is treated as follows:
782 - Only the hostname type is supported with a maximum length of 255.
783 - The servername is rejected if too long or if it contains zeros,
784 in which case an fatal alert is generated.
785 - The servername field is maintained together with the session cache.
786 - When a session is resumed, the servername call back invoked in order
787 to allow the application to position itself to the right context.
788 - The servername is acknowledged if it is new for a session or when
789 it is identical to a previously used for the same session.
790 Applications can control the behaviour. They can at any time
791 set a 'desirable' servername for a new SSL object. This can be the
792 case for example with HTTPS when a Host: header field is received and
793 a renegotiation is requested. In this case, a possible servername
794 presented in the new client hello is only acknowledged if it matches
795 the value of the Host: field.
796 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
797 if they provide for changing an explicit servername context for the session,
798 i.e. when the session has been established with a servername extension.
799 - On session reconnect, the servername extension may be absent.
803 if (type == TLSEXT_TYPE_server_name)
805 unsigned char *sdata;
811 *al = SSL_AD_DECODE_ERROR;
818 *al = SSL_AD_DECODE_ERROR;
825 servname_type = *(sdata++);
831 *al = SSL_AD_DECODE_ERROR;
834 if (s->servername_done == 0)
835 switch (servname_type)
837 case TLSEXT_NAMETYPE_host_name:
840 if(s->session->tlsext_hostname)
842 *al = SSL_AD_DECODE_ERROR;
845 if (len > TLSEXT_MAXLEN_host_name)
847 *al = TLS1_AD_UNRECOGNIZED_NAME;
850 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
852 *al = TLS1_AD_INTERNAL_ERROR;
855 memcpy(s->session->tlsext_hostname, sdata, len);
856 s->session->tlsext_hostname[len]='\0';
857 if (strlen(s->session->tlsext_hostname) != len) {
858 OPENSSL_free(s->session->tlsext_hostname);
859 s->session->tlsext_hostname = NULL;
860 *al = TLS1_AD_UNRECOGNIZED_NAME;
863 s->servername_done = 1;
867 s->servername_done = s->session->tlsext_hostname
868 && strlen(s->session->tlsext_hostname) == len
869 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
881 *al = SSL_AD_DECODE_ERROR;
886 #ifndef OPENSSL_NO_SRP
887 else if (type == TLSEXT_TYPE_srp)
892 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
894 memcpy(s->srp_ctx.login, &data[1], len);
895 s->srp_ctx.login[len]='\0';
900 #ifndef OPENSSL_NO_EC
901 else if (type == TLSEXT_TYPE_ec_point_formats &&
902 s->version != DTLS1_VERSION)
904 unsigned char *sdata = data;
905 int ecpointformatlist_length = *(sdata++);
907 if (ecpointformatlist_length != size - 1)
909 *al = TLS1_AD_DECODE_ERROR;
914 if(s->session->tlsext_ecpointformatlist)
916 OPENSSL_free(s->session->tlsext_ecpointformatlist);
917 s->session->tlsext_ecpointformatlist = NULL;
919 s->session->tlsext_ecpointformatlist_length = 0;
920 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
922 *al = TLS1_AD_INTERNAL_ERROR;
925 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
926 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
929 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
930 sdata = s->session->tlsext_ecpointformatlist;
931 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
932 fprintf(stderr,"%i ",*(sdata++));
933 fprintf(stderr,"\n");
936 else if (type == TLSEXT_TYPE_elliptic_curves &&
937 s->version != DTLS1_VERSION)
939 unsigned char *sdata = data;
940 int ellipticcurvelist_length = (*(sdata++) << 8);
941 ellipticcurvelist_length += (*(sdata++));
943 if (ellipticcurvelist_length != size - 2)
945 *al = TLS1_AD_DECODE_ERROR;
950 if(s->session->tlsext_ellipticcurvelist)
952 *al = TLS1_AD_DECODE_ERROR;
955 s->session->tlsext_ellipticcurvelist_length = 0;
956 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
958 *al = TLS1_AD_INTERNAL_ERROR;
961 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
962 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
965 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
966 sdata = s->session->tlsext_ellipticcurvelist;
967 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
968 fprintf(stderr,"%i ",*(sdata++));
969 fprintf(stderr,"\n");
972 #endif /* OPENSSL_NO_EC */
973 #ifdef TLSEXT_TYPE_opaque_prf_input
974 else if (type == TLSEXT_TYPE_opaque_prf_input &&
975 s->version != DTLS1_VERSION)
977 unsigned char *sdata = data;
981 *al = SSL_AD_DECODE_ERROR;
984 n2s(sdata, s->s3->client_opaque_prf_input_len);
985 if (s->s3->client_opaque_prf_input_len != size - 2)
987 *al = SSL_AD_DECODE_ERROR;
991 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
992 OPENSSL_free(s->s3->client_opaque_prf_input);
993 if (s->s3->client_opaque_prf_input_len == 0)
994 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
996 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
997 if (s->s3->client_opaque_prf_input == NULL)
999 *al = TLS1_AD_INTERNAL_ERROR;
1004 else if (type == TLSEXT_TYPE_session_ticket)
1006 if (s->tls_session_ticket_ext_cb &&
1007 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1009 *al = TLS1_AD_INTERNAL_ERROR;
1013 else if (type == TLSEXT_TYPE_renegotiate)
1015 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1017 renegotiate_seen = 1;
1019 else if (type == TLSEXT_TYPE_signature_algorithms)
1022 if (sigalg_seen || size < 2)
1024 *al = SSL_AD_DECODE_ERROR;
1030 if (dsize != size || dsize & 1)
1032 *al = SSL_AD_DECODE_ERROR;
1035 if (!tls1_process_sigalgs(s, data, dsize))
1037 *al = SSL_AD_DECODE_ERROR;
1041 else if (type == TLSEXT_TYPE_status_request &&
1042 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1047 *al = SSL_AD_DECODE_ERROR;
1051 s->tlsext_status_type = *data++;
1053 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1055 const unsigned char *sdata;
1057 /* Read in responder_id_list */
1062 *al = SSL_AD_DECODE_ERROR;
1071 *al = SSL_AD_DECODE_ERROR;
1075 dsize -= 2 + idsize;
1079 *al = SSL_AD_DECODE_ERROR;
1084 id = d2i_OCSP_RESPID(NULL,
1088 *al = SSL_AD_DECODE_ERROR;
1093 OCSP_RESPID_free(id);
1094 *al = SSL_AD_DECODE_ERROR;
1097 if (!s->tlsext_ocsp_ids
1098 && !(s->tlsext_ocsp_ids =
1099 sk_OCSP_RESPID_new_null()))
1101 OCSP_RESPID_free(id);
1102 *al = SSL_AD_INTERNAL_ERROR;
1105 if (!sk_OCSP_RESPID_push(
1106 s->tlsext_ocsp_ids, id))
1108 OCSP_RESPID_free(id);
1109 *al = SSL_AD_INTERNAL_ERROR;
1114 /* Read in request_extensions */
1117 *al = SSL_AD_DECODE_ERROR;
1124 *al = SSL_AD_DECODE_ERROR;
1130 s->tlsext_ocsp_exts =
1131 d2i_X509_EXTENSIONS(NULL,
1133 if (!s->tlsext_ocsp_exts
1134 || (data + dsize != sdata))
1136 *al = SSL_AD_DECODE_ERROR;
1141 /* We don't know what to do with any other type
1145 s->tlsext_status_type = -1;
1147 #ifndef OPENSSL_NO_NEXTPROTONEG
1148 else if (type == TLSEXT_TYPE_next_proto_neg &&
1149 s->s3->tmp.finish_md_len == 0)
1151 /* We shouldn't accept this extension on a
1154 * s->new_session will be set on renegotiation, but we
1155 * probably shouldn't rely that it couldn't be set on
1156 * the initial renegotation too in certain cases (when
1157 * there's some other reason to disallow resuming an
1158 * earlier session -- the current code won't be doing
1159 * anything like that, but this might change).
1161 * A valid sign that there's been a previous handshake
1162 * in this connection is if s->s3->tmp.finish_md_len >
1163 * 0. (We are talking about a check that will happen
1164 * in the Hello protocol round, well before a new
1165 * Finished message could have been computed.) */
1166 s->s3->next_proto_neg_seen = 1;
1170 /* session ticket processed earlier */
1178 /* Need RI if renegotiating */
1180 if (!renegotiate_seen && s->renegotiate &&
1181 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1183 *al = SSL_AD_HANDSHAKE_FAILURE;
1184 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1185 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1192 #ifndef OPENSSL_NO_NEXTPROTONEG
1193 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1194 * elements of zero length are allowed and the set of elements must exactly fill
1195 * the length of the block. */
1196 static int ssl_next_proto_validate(unsigned char *d, unsigned len)
1198 unsigned int off = 0;
1212 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1214 unsigned short length;
1215 unsigned short type;
1216 unsigned short size;
1217 unsigned char *data = *p;
1218 int tlsext_servername = 0;
1219 int renegotiate_seen = 0;
1221 if (data >= (d+n-2))
1225 if (data+length != d+n)
1227 *al = SSL_AD_DECODE_ERROR;
1231 while(data <= (d+n-4))
1236 if (data+size > (d+n))
1239 if (s->tlsext_debug_cb)
1240 s->tlsext_debug_cb(s, 1, type, data, size,
1241 s->tlsext_debug_arg);
1243 if (type == TLSEXT_TYPE_server_name)
1245 if (s->tlsext_hostname == NULL || size > 0)
1247 *al = TLS1_AD_UNRECOGNIZED_NAME;
1250 tlsext_servername = 1;
1253 #ifndef OPENSSL_NO_EC
1254 else if (type == TLSEXT_TYPE_ec_point_formats &&
1255 s->version != DTLS1_VERSION)
1257 unsigned char *sdata = data;
1258 int ecpointformatlist_length = *(sdata++);
1260 if (ecpointformatlist_length != size - 1)
1262 *al = TLS1_AD_DECODE_ERROR;
1265 s->session->tlsext_ecpointformatlist_length = 0;
1266 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1267 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1269 *al = TLS1_AD_INTERNAL_ERROR;
1272 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1273 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1275 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1276 sdata = s->session->tlsext_ecpointformatlist;
1277 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1278 fprintf(stderr,"%i ",*(sdata++));
1279 fprintf(stderr,"\n");
1282 #endif /* OPENSSL_NO_EC */
1284 else if (type == TLSEXT_TYPE_session_ticket)
1286 if (s->tls_session_ticket_ext_cb &&
1287 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1289 *al = TLS1_AD_INTERNAL_ERROR;
1292 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1295 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1298 s->tlsext_ticket_expected = 1;
1300 #ifdef TLSEXT_TYPE_opaque_prf_input
1301 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1302 s->version != DTLS1_VERSION)
1304 unsigned char *sdata = data;
1308 *al = SSL_AD_DECODE_ERROR;
1311 n2s(sdata, s->s3->server_opaque_prf_input_len);
1312 if (s->s3->server_opaque_prf_input_len != size - 2)
1314 *al = SSL_AD_DECODE_ERROR;
1318 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1319 OPENSSL_free(s->s3->server_opaque_prf_input);
1320 if (s->s3->server_opaque_prf_input_len == 0)
1321 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1323 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1325 if (s->s3->server_opaque_prf_input == NULL)
1327 *al = TLS1_AD_INTERNAL_ERROR;
1332 else if (type == TLSEXT_TYPE_status_request &&
1333 s->version != DTLS1_VERSION)
1335 /* MUST be empty and only sent if we've requested
1336 * a status request message.
1338 if ((s->tlsext_status_type == -1) || (size > 0))
1340 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1343 /* Set flag to expect CertificateStatus message */
1344 s->tlsext_status_expected = 1;
1346 #ifndef OPENSSL_NO_NEXTPROTONEG
1347 else if (type == TLSEXT_TYPE_next_proto_neg)
1349 unsigned char *selected;
1350 unsigned char selected_len;
1352 /* We must have requested it. */
1353 if ((s->ctx->next_proto_select_cb == NULL))
1355 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1358 /* The data must be valid */
1359 if (!ssl_next_proto_validate(data, size))
1361 *al = TLS1_AD_DECODE_ERROR;
1364 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1366 *al = TLS1_AD_INTERNAL_ERROR;
1369 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1370 if (!s->next_proto_negotiated)
1372 *al = TLS1_AD_INTERNAL_ERROR;
1375 memcpy(s->next_proto_negotiated, selected, selected_len);
1376 s->next_proto_negotiated_len = selected_len;
1379 else if (type == TLSEXT_TYPE_renegotiate)
1381 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1383 renegotiate_seen = 1;
1390 *al = SSL_AD_DECODE_ERROR;
1394 if (!s->hit && tlsext_servername == 1)
1396 if (s->tlsext_hostname)
1398 if (s->session->tlsext_hostname == NULL)
1400 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1401 if (!s->session->tlsext_hostname)
1403 *al = SSL_AD_UNRECOGNIZED_NAME;
1409 *al = SSL_AD_DECODE_ERROR;
1419 /* Determine if we need to see RI. Strictly speaking if we want to
1420 * avoid an attack we should *always* see RI even on initial server
1421 * hello because the client doesn't see any renegotiation during an
1422 * attack. However this would mean we could not connect to any server
1423 * which doesn't support RI so for the immediate future tolerate RI
1424 * absence on initial connect only.
1426 if (!renegotiate_seen
1427 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1428 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1430 *al = SSL_AD_HANDSHAKE_FAILURE;
1431 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1432 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1440 int ssl_prepare_clienthello_tlsext(SSL *s)
1442 #ifndef OPENSSL_NO_EC
1443 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1444 * and elliptic curves we support.
1449 unsigned long alg_k, alg_a;
1450 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1452 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1454 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1456 alg_k = c->algorithm_mkey;
1457 alg_a = c->algorithm_auth;
1458 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1464 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1467 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1468 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1470 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1473 s->tlsext_ecpointformatlist_length = 3;
1474 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1475 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1476 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1478 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1479 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1480 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1481 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1483 s->tlsext_ellipticcurvelist_length = 0;
1484 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1487 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1488 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1491 #endif /* OPENSSL_NO_EC */
1493 #ifdef TLSEXT_TYPE_opaque_prf_input
1497 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1499 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1504 if (s->tlsext_opaque_prf_input != NULL)
1506 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1507 OPENSSL_free(s->s3->client_opaque_prf_input);
1509 if (s->tlsext_opaque_prf_input_len == 0)
1510 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1512 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1513 if (s->s3->client_opaque_prf_input == NULL)
1515 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1518 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1522 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1523 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1530 int ssl_prepare_serverhello_tlsext(SSL *s)
1532 #ifndef OPENSSL_NO_EC
1533 /* If we are server and using an ECC cipher suite, send the point formats we support
1534 * if the client sent us an ECPointsFormat extension. Note that the server is not
1535 * supposed to send an EllipticCurves extension.
1538 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1539 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1540 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1541 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1545 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1546 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1548 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1551 s->tlsext_ecpointformatlist_length = 3;
1552 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1553 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1554 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1556 #endif /* OPENSSL_NO_EC */
1561 int ssl_check_clienthello_tlsext(SSL *s)
1563 int ret=SSL_TLSEXT_ERR_NOACK;
1564 int al = SSL_AD_UNRECOGNIZED_NAME;
1566 #ifndef OPENSSL_NO_EC
1567 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1568 * ssl3_choose_cipher in s3_lib.c.
1570 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1571 * ssl3_choose_cipher in s3_lib.c.
1575 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1576 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1577 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1578 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1580 /* If status request then ask callback what to do.
1581 * Note: this must be called after servername callbacks in case
1582 * the certificate has changed.
1584 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1587 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1590 /* We don't want to send a status request response */
1591 case SSL_TLSEXT_ERR_NOACK:
1592 s->tlsext_status_expected = 0;
1594 /* status request response should be sent */
1595 case SSL_TLSEXT_ERR_OK:
1596 if (s->tlsext_ocsp_resp)
1597 s->tlsext_status_expected = 1;
1599 s->tlsext_status_expected = 0;
1601 /* something bad happened */
1602 case SSL_TLSEXT_ERR_ALERT_FATAL:
1603 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1604 al = SSL_AD_INTERNAL_ERROR;
1609 s->tlsext_status_expected = 0;
1611 #ifdef TLSEXT_TYPE_opaque_prf_input
1613 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1614 * but we might be sending an alert in response to the client hello,
1615 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1619 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1621 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1624 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1625 al = SSL_AD_INTERNAL_ERROR;
1630 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1631 OPENSSL_free(s->s3->server_opaque_prf_input);
1632 s->s3->server_opaque_prf_input = NULL;
1634 if (s->tlsext_opaque_prf_input != NULL)
1636 if (s->s3->client_opaque_prf_input != NULL &&
1637 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1639 /* can only use this extension if we have a server opaque PRF input
1640 * of the same length as the client opaque PRF input! */
1642 if (s->tlsext_opaque_prf_input_len == 0)
1643 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1645 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1646 if (s->s3->server_opaque_prf_input == NULL)
1648 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1649 al = SSL_AD_INTERNAL_ERROR;
1652 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1656 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1658 /* The callback wants to enforce use of the extension,
1659 * but we can't do that with the client opaque PRF input;
1660 * abort the handshake.
1662 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1663 al = SSL_AD_HANDSHAKE_FAILURE;
1671 case SSL_TLSEXT_ERR_ALERT_FATAL:
1672 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1675 case SSL_TLSEXT_ERR_ALERT_WARNING:
1676 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1679 case SSL_TLSEXT_ERR_NOACK:
1680 s->servername_done=0;
1686 int ssl_check_serverhello_tlsext(SSL *s)
1688 int ret=SSL_TLSEXT_ERR_NOACK;
1689 int al = SSL_AD_UNRECOGNIZED_NAME;
1691 #ifndef OPENSSL_NO_EC
1692 /* If we are client and using an elliptic curve cryptography cipher
1693 * suite, then if server returns an EC point formats lists extension
1694 * it must contain uncompressed.
1696 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1697 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1698 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
1699 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
1700 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1702 /* we are using an ECC cipher */
1704 unsigned char *list;
1705 int found_uncompressed = 0;
1706 list = s->session->tlsext_ecpointformatlist;
1707 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1709 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1711 found_uncompressed = 1;
1715 if (!found_uncompressed)
1717 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1721 ret = SSL_TLSEXT_ERR_OK;
1722 #endif /* OPENSSL_NO_EC */
1724 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1725 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1726 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1727 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1729 #ifdef TLSEXT_TYPE_opaque_prf_input
1730 if (s->s3->server_opaque_prf_input_len > 0)
1732 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1733 * So first verify that we really have a value from the server too. */
1735 if (s->s3->server_opaque_prf_input == NULL)
1737 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1738 al = SSL_AD_HANDSHAKE_FAILURE;
1741 /* Anytime the server *has* sent an opaque PRF input, we need to check
1742 * that we have a client opaque PRF input of the same size. */
1743 if (s->s3->client_opaque_prf_input == NULL ||
1744 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1746 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1747 al = SSL_AD_ILLEGAL_PARAMETER;
1752 /* If we've requested certificate status and we wont get one
1755 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1756 && s->ctx && s->ctx->tlsext_status_cb)
1759 /* Set resp to NULL, resplen to -1 so callback knows
1760 * there is no response.
1762 if (s->tlsext_ocsp_resp)
1764 OPENSSL_free(s->tlsext_ocsp_resp);
1765 s->tlsext_ocsp_resp = NULL;
1767 s->tlsext_ocsp_resplen = -1;
1768 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1771 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1772 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1776 al = SSL_AD_INTERNAL_ERROR;
1777 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1783 case SSL_TLSEXT_ERR_ALERT_FATAL:
1784 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1787 case SSL_TLSEXT_ERR_ALERT_WARNING:
1788 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1791 case SSL_TLSEXT_ERR_NOACK:
1792 s->servername_done=0;
1798 /* Since the server cache lookup is done early on in the processing of client
1799 * hello and other operations depend on the result we need to handle any TLS
1800 * session ticket extension at the same time.
1803 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1804 const unsigned char *limit, SSL_SESSION **ret)
1806 /* Point after session ID in client hello */
1807 const unsigned char *p = session_id + len;
1810 /* If tickets disabled behave as if no ticket present
1811 * to permit stateful resumption.
1813 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1816 if ((s->version <= SSL3_VERSION) || !limit)
1820 /* Skip past DTLS cookie */
1821 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1828 /* Skip past cipher list */
1833 /* Skip past compression algorithm list */
1838 /* Now at start of extensions */
1839 if ((p + 2) >= limit)
1842 while ((p + 4) <= limit)
1844 unsigned short type, size;
1847 if (p + size > limit)
1849 if (type == TLSEXT_TYPE_session_ticket)
1851 /* If tickets disabled indicate cache miss which will
1852 * trigger a full handshake
1854 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1856 /* If zero length note client will accept a ticket
1857 * and indicate cache miss to trigger full handshake
1861 s->tlsext_ticket_expected = 1;
1862 return 0; /* Cache miss */
1864 if (s->tls_session_secret_cb)
1866 /* Indicate cache miss here and instead of
1867 * generating the session from ticket now,
1868 * trigger abbreviated handshake based on
1869 * external mechanism to calculate the master
1873 return tls_decrypt_ticket(s, p, size, session_id, len,
1881 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1882 const unsigned char *sess_id, int sesslen,
1883 SSL_SESSION **psess)
1886 unsigned char *sdec;
1887 const unsigned char *p;
1888 int slen, mlen, renew_ticket = 0;
1889 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1892 SSL_CTX *tctx = s->initial_ctx;
1893 /* Need at least keyname + iv + some encrypted data */
1896 /* Initialize session ticket encryption and HMAC contexts */
1897 HMAC_CTX_init(&hctx);
1898 EVP_CIPHER_CTX_init(&ctx);
1899 if (tctx->tlsext_ticket_key_cb)
1901 unsigned char *nctick = (unsigned char *)etick;
1902 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1913 /* Check key name matches */
1914 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
1916 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
1917 tlsext_tick_md(), NULL);
1918 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1919 tctx->tlsext_tick_aes_key, etick + 16);
1921 /* Attempt to process session ticket, first conduct sanity and
1922 * integrity checks on ticket.
1924 mlen = HMAC_size(&hctx);
1927 EVP_CIPHER_CTX_cleanup(&ctx);
1931 /* Check HMAC of encrypted ticket */
1932 HMAC_Update(&hctx, etick, eticklen);
1933 HMAC_Final(&hctx, tick_hmac, NULL);
1934 HMAC_CTX_cleanup(&hctx);
1935 if (memcmp(tick_hmac, etick + eticklen, mlen))
1937 /* Attempt to decrypt session data */
1938 /* Move p after IV to start of encrypted ticket, update length */
1939 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1940 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1941 sdec = OPENSSL_malloc(eticklen);
1944 EVP_CIPHER_CTX_cleanup(&ctx);
1947 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1948 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1951 EVP_CIPHER_CTX_cleanup(&ctx);
1954 sess = d2i_SSL_SESSION(NULL, &p, slen);
1958 /* The session ID if non-empty is used by some clients to
1959 * detect that the ticket has been accepted. So we copy it to
1960 * the session structure. If it is empty set length to zero
1961 * as required by standard.
1964 memcpy(sess->session_id, sess_id, sesslen);
1965 sess->session_id_length = sesslen;
1967 s->tlsext_ticket_expected = renew_ticket;
1970 /* If session decrypt failure indicate a cache miss and set state to
1974 s->tlsext_ticket_expected = 1;
1978 /* Tables to translate from NIDs to TLS v1.2 ids */
1986 static tls12_lookup tls12_md[] = {
1987 #ifndef OPENSSL_NO_MD5
1988 {NID_md5, TLSEXT_hash_md5},
1990 #ifndef OPENSSL_NO_SHA
1991 {NID_sha1, TLSEXT_hash_sha1},
1993 #ifndef OPENSSL_NO_SHA256
1994 {NID_sha224, TLSEXT_hash_sha224},
1995 {NID_sha256, TLSEXT_hash_sha256},
1997 #ifndef OPENSSL_NO_SHA512
1998 {NID_sha384, TLSEXT_hash_sha384},
1999 {NID_sha512, TLSEXT_hash_sha512}
2003 static tls12_lookup tls12_sig[] = {
2004 #ifndef OPENSSL_NO_RSA
2005 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2007 #ifndef OPENSSL_NO_RSA
2008 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2010 #ifndef OPENSSL_NO_ECDSA
2011 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2015 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2018 for (i = 0; i < tlen; i++)
2020 if (table[i].nid == nid)
2026 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2029 for (i = 0; i < tlen; i++)
2031 if (table[i].id == id)
2032 return table[i].nid;
2038 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2041 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2042 sizeof(tls12_md)/sizeof(tls12_lookup));
2045 sig_id = tls12_get_sigid(pk);
2048 p[0] = (unsigned char)md_id;
2049 p[1] = (unsigned char)sig_id;
2053 int tls12_get_sigid(const EVP_PKEY *pk)
2055 return tls12_find_id(pk->type, tls12_sig,
2056 sizeof(tls12_sig)/sizeof(tls12_lookup));
2059 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2063 #ifndef OPENSSL_NO_MD5
2064 case TLSEXT_hash_md5:
2067 #ifndef OPENSSL_NO_SHA
2068 case TLSEXT_hash_sha1:
2071 #ifndef OPENSSL_NO_SHA256
2072 case TLSEXT_hash_sha224:
2073 return EVP_sha224();
2075 case TLSEXT_hash_sha256:
2076 return EVP_sha256();
2078 #ifndef OPENSSL_NO_SHA512
2079 case TLSEXT_hash_sha384:
2080 return EVP_sha384();
2082 case TLSEXT_hash_sha512:
2083 return EVP_sha512();
2091 /* Set preferred digest for each key type */
2093 static int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2098 /* Extension ignored for TLS versions below 1.2 */
2099 if (s->version < TLS1_2_VERSION)
2102 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2103 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2104 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2105 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2107 for (i = 0; i < dsize; i += 2)
2109 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2113 #ifndef OPENSSL_NO_RSA
2114 case TLSEXT_signature_rsa:
2115 idx = SSL_PKEY_RSA_SIGN;
2118 #ifndef OPENSSL_NO_DSA
2119 case TLSEXT_signature_dsa:
2120 idx = SSL_PKEY_DSA_SIGN;
2123 #ifndef OPENSSL_NO_ECDSA
2124 case TLSEXT_signature_ecdsa:
2132 if (c->pkeys[idx].digest == NULL)
2134 md = tls12_get_hash(hash_alg);
2137 c->pkeys[idx].digest = md;
2138 if (idx == SSL_PKEY_RSA_SIGN)
2139 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2145 /* Set any remaining keys to default values. NOTE: if alg is not
2146 * supported it stays as NULL.
2148 #ifndef OPENSSL_NO_DSA
2149 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2150 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2152 #ifndef OPENSSL_NO_RSA
2153 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2155 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2156 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2159 #ifndef OPENSSL_NO_ECDSA
2160 if (!c->pkeys[SSL_PKEY_ECC].digest)
2161 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();