2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 const unsigned char *sess_id, int sesslen,
124 SSL_SESSION **psess);
127 SSL3_ENC_METHOD TLSv1_enc_data={
130 tls1_setup_key_block,
131 tls1_generate_master_secret,
132 tls1_change_cipher_state,
133 tls1_final_finish_mac,
134 TLS1_FINISH_MAC_LENGTH,
135 tls1_cert_verify_mac,
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139 tls1_export_keying_material,
142 long tls1_default_timeout(void)
144 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
145 * is way too long for http, the cache would over fill */
151 if (!ssl3_new(s)) return(0);
152 s->method->ssl_clear(s);
156 void tls1_free(SSL *s)
158 #ifndef OPENSSL_NO_TLSEXT
159 if (s->tlsext_session_ticket)
161 OPENSSL_free(s->tlsext_session_ticket);
163 #endif /* OPENSSL_NO_TLSEXT */
167 void tls1_clear(SSL *s)
170 s->version = s->method->version;
173 #ifndef OPENSSL_NO_EC
175 static int nid_list[] =
177 NID_sect163k1, /* sect163k1 (1) */
178 NID_sect163r1, /* sect163r1 (2) */
179 NID_sect163r2, /* sect163r2 (3) */
180 NID_sect193r1, /* sect193r1 (4) */
181 NID_sect193r2, /* sect193r2 (5) */
182 NID_sect233k1, /* sect233k1 (6) */
183 NID_sect233r1, /* sect233r1 (7) */
184 NID_sect239k1, /* sect239k1 (8) */
185 NID_sect283k1, /* sect283k1 (9) */
186 NID_sect283r1, /* sect283r1 (10) */
187 NID_sect409k1, /* sect409k1 (11) */
188 NID_sect409r1, /* sect409r1 (12) */
189 NID_sect571k1, /* sect571k1 (13) */
190 NID_sect571r1, /* sect571r1 (14) */
191 NID_secp160k1, /* secp160k1 (15) */
192 NID_secp160r1, /* secp160r1 (16) */
193 NID_secp160r2, /* secp160r2 (17) */
194 NID_secp192k1, /* secp192k1 (18) */
195 NID_X9_62_prime192v1, /* secp192r1 (19) */
196 NID_secp224k1, /* secp224k1 (20) */
197 NID_secp224r1, /* secp224r1 (21) */
198 NID_secp256k1, /* secp256k1 (22) */
199 NID_X9_62_prime256v1, /* secp256r1 (23) */
200 NID_secp384r1, /* secp384r1 (24) */
201 NID_secp521r1 /* secp521r1 (25) */
204 static int pref_list[] =
206 NID_sect571r1, /* sect571r1 (14) */
207 NID_sect571k1, /* sect571k1 (13) */
208 NID_secp521r1, /* secp521r1 (25) */
209 NID_sect409k1, /* sect409k1 (11) */
210 NID_sect409r1, /* sect409r1 (12) */
211 NID_secp384r1, /* secp384r1 (24) */
212 NID_sect283k1, /* sect283k1 (9) */
213 NID_sect283r1, /* sect283r1 (10) */
214 NID_secp256k1, /* secp256k1 (22) */
215 NID_X9_62_prime256v1, /* secp256r1 (23) */
216 NID_sect239k1, /* sect239k1 (8) */
217 NID_sect233k1, /* sect233k1 (6) */
218 NID_sect233r1, /* sect233r1 (7) */
219 NID_secp224k1, /* secp224k1 (20) */
220 NID_secp224r1, /* secp224r1 (21) */
221 NID_sect193r1, /* sect193r1 (4) */
222 NID_sect193r2, /* sect193r2 (5) */
223 NID_secp192k1, /* secp192k1 (18) */
224 NID_X9_62_prime192v1, /* secp192r1 (19) */
225 NID_sect163k1, /* sect163k1 (1) */
226 NID_sect163r1, /* sect163r1 (2) */
227 NID_sect163r2, /* sect163r2 (3) */
228 NID_secp160k1, /* secp160k1 (15) */
229 NID_secp160r1, /* secp160r1 (16) */
230 NID_secp160r2, /* secp160r2 (17) */
233 int tls1_ec_curve_id2nid(int curve_id)
235 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
236 if ((curve_id < 1) || ((unsigned int)curve_id >
237 sizeof(nid_list)/sizeof(nid_list[0])))
239 return nid_list[curve_id-1];
242 int tls1_ec_nid2curve_id(int nid)
244 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
247 case NID_sect163k1: /* sect163k1 (1) */
249 case NID_sect163r1: /* sect163r1 (2) */
251 case NID_sect163r2: /* sect163r2 (3) */
253 case NID_sect193r1: /* sect193r1 (4) */
255 case NID_sect193r2: /* sect193r2 (5) */
257 case NID_sect233k1: /* sect233k1 (6) */
259 case NID_sect233r1: /* sect233r1 (7) */
261 case NID_sect239k1: /* sect239k1 (8) */
263 case NID_sect283k1: /* sect283k1 (9) */
265 case NID_sect283r1: /* sect283r1 (10) */
267 case NID_sect409k1: /* sect409k1 (11) */
269 case NID_sect409r1: /* sect409r1 (12) */
271 case NID_sect571k1: /* sect571k1 (13) */
273 case NID_sect571r1: /* sect571r1 (14) */
275 case NID_secp160k1: /* secp160k1 (15) */
277 case NID_secp160r1: /* secp160r1 (16) */
279 case NID_secp160r2: /* secp160r2 (17) */
281 case NID_secp192k1: /* secp192k1 (18) */
283 case NID_X9_62_prime192v1: /* secp192r1 (19) */
285 case NID_secp224k1: /* secp224k1 (20) */
287 case NID_secp224r1: /* secp224r1 (21) */
289 case NID_secp256k1: /* secp256k1 (22) */
291 case NID_X9_62_prime256v1: /* secp256r1 (23) */
293 case NID_secp384r1: /* secp384r1 (24) */
295 case NID_secp521r1: /* secp521r1 (25) */
301 #endif /* OPENSSL_NO_EC */
303 #ifndef OPENSSL_NO_TLSEXT
305 /* List of supported signature algorithms and hashes. Should make this
306 * customisable at some point, for now include everything we support.
309 #ifdef OPENSSL_NO_RSA
310 #define tlsext_sigalg_rsa(md) /* */
312 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
315 #ifdef OPENSSL_NO_DSA
316 #define tlsext_sigalg_dsa(md) /* */
318 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
321 #ifdef OPENSSL_NO_ECDSA
322 #define tlsext_sigalg_ecdsa(md) /* */
324 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
327 #define tlsext_sigalg(md) \
328 tlsext_sigalg_rsa(md) \
329 tlsext_sigalg_dsa(md) \
330 tlsext_sigalg_ecdsa(md)
332 static unsigned char tls12_sigalgs[] = {
333 #ifndef OPENSSL_NO_SHA512
334 tlsext_sigalg(TLSEXT_hash_sha512)
335 tlsext_sigalg(TLSEXT_hash_sha384)
337 #ifndef OPENSSL_NO_SHA256
338 tlsext_sigalg(TLSEXT_hash_sha256)
339 tlsext_sigalg(TLSEXT_hash_sha224)
341 #ifndef OPENSSL_NO_SHA
342 tlsext_sigalg(TLSEXT_hash_sha1)
344 #ifndef OPENSSL_NO_MD5
345 tlsext_sigalg_rsa(TLSEXT_hash_md5)
349 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351 size_t slen = sizeof(tls12_sigalgs);
353 /* If FIPS mode don't include MD5 which is last */
358 memcpy(p, tls12_sigalgs, slen);
362 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
365 unsigned char *ret = p;
367 /* don't add extensions for SSLv3 unless doing secure renegotiation */
368 if (s->client_version == SSL3_VERSION
369 && !s->s3->send_connection_binding)
374 if (ret>=limit) return NULL; /* this really never occurs, but ... */
376 if (s->tlsext_hostname != NULL)
378 /* Add TLS extension servername to the Client Hello message */
379 unsigned long size_str;
382 /* check for enough space.
383 4 for the servername type and entension length
384 2 for servernamelist length
385 1 for the hostname type
386 2 for hostname length
390 if ((lenmax = limit - ret - 9) < 0
391 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
394 /* extension type and length */
395 s2n(TLSEXT_TYPE_server_name,ret);
398 /* length of servername list */
401 /* hostname type, length and hostname */
402 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
404 memcpy(ret, s->tlsext_hostname, size_str);
408 /* Add RI if renegotiating */
413 if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
415 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
419 if((limit - p - 4 - el) < 0) return NULL;
421 s2n(TLSEXT_TYPE_renegotiate,ret);
424 if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
426 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
433 #ifndef OPENSSL_NO_SRP
434 #define MIN(x,y) (((x)<(y))?(x):(y))
435 /* we add SRP username the first time only if we have one! */
436 if (s->srp_ctx.login != NULL)
437 {/* Add TLS extension SRP username to the Client Hello message */
438 int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
441 if ((lenmax = limit - ret - 5) < 0) return NULL;
442 if (login_len > lenmax) return NULL;
445 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
448 s2n(TLSEXT_TYPE_srp,ret);
449 s2n(login_len+1,ret);
451 (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
452 memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
457 #ifndef OPENSSL_NO_EC
458 if (s->tlsext_ecpointformatlist != NULL &&
459 s->version != DTLS1_VERSION)
461 /* Add TLS extension ECPointFormats to the ClientHello message */
464 if ((lenmax = limit - ret - 5) < 0) return NULL;
465 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
466 if (s->tlsext_ecpointformatlist_length > 255)
468 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
472 s2n(TLSEXT_TYPE_ec_point_formats,ret);
473 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
474 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
475 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
476 ret+=s->tlsext_ecpointformatlist_length;
478 if (s->tlsext_ellipticcurvelist != NULL &&
479 s->version != DTLS1_VERSION)
481 /* Add TLS extension EllipticCurves to the ClientHello message */
484 if ((lenmax = limit - ret - 6) < 0) return NULL;
485 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
486 if (s->tlsext_ellipticcurvelist_length > 65532)
488 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
492 s2n(TLSEXT_TYPE_elliptic_curves,ret);
493 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
495 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
496 * elliptic_curve_list, but the examples use two bytes.
497 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
498 * resolves this to two bytes.
500 s2n(s->tlsext_ellipticcurvelist_length, ret);
501 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
502 ret+=s->tlsext_ellipticcurvelist_length;
504 #endif /* OPENSSL_NO_EC */
506 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
509 if (!s->new_session && s->session && s->session->tlsext_tick)
510 ticklen = s->session->tlsext_ticklen;
511 else if (s->session && s->tlsext_session_ticket &&
512 s->tlsext_session_ticket->data)
514 ticklen = s->tlsext_session_ticket->length;
515 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
516 if (!s->session->tlsext_tick)
518 memcpy(s->session->tlsext_tick,
519 s->tlsext_session_ticket->data,
521 s->session->tlsext_ticklen = ticklen;
525 if (ticklen == 0 && s->tlsext_session_ticket &&
526 s->tlsext_session_ticket->data == NULL)
528 /* Check for enough room 2 for extension type, 2 for len
531 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
532 s2n(TLSEXT_TYPE_session_ticket,ret);
536 memcpy(ret, s->session->tlsext_tick, ticklen);
542 if (TLS1_get_version(s) >= TLS1_2_VERSION)
544 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
546 s2n(TLSEXT_TYPE_signature_algorithms,ret);
547 s2n(sizeof(tls12_sigalgs) + 2, ret);
548 s2n(sizeof(tls12_sigalgs), ret);
549 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
550 ret += sizeof(tls12_sigalgs);
553 #ifdef TLSEXT_TYPE_opaque_prf_input
554 if (s->s3->client_opaque_prf_input != NULL &&
555 s->version != DTLS1_VERSION)
557 size_t col = s->s3->client_opaque_prf_input_len;
559 if ((long)(limit - ret - 6 - col < 0))
561 if (col > 0xFFFD) /* can't happen */
564 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
567 memcpy(ret, s->s3->client_opaque_prf_input, col);
572 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
573 s->version != DTLS1_VERSION)
576 long extlen, idlen, itmp;
580 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
582 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
583 itmp = i2d_OCSP_RESPID(id, NULL);
589 if (s->tlsext_ocsp_exts)
591 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
598 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
599 s2n(TLSEXT_TYPE_status_request, ret);
600 if (extlen + idlen > 0xFFF0)
602 s2n(extlen + idlen + 5, ret);
603 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
605 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
607 /* save position of id len */
608 unsigned char *q = ret;
609 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
610 /* skip over id len */
612 itmp = i2d_OCSP_RESPID(id, &ret);
618 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
621 #ifndef OPENSSL_NO_NEXTPROTONEG
622 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
624 /* The client advertises an emtpy extension to indicate its
625 * support for Next Protocol Negotiation */
626 if (limit - ret - 4 < 0)
628 s2n(TLSEXT_TYPE_next_proto_neg,ret);
633 if(SSL_get_srtp_profiles(s))
637 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
639 if((limit - p - 4 - el) < 0) return NULL;
641 s2n(TLSEXT_TYPE_use_srtp,ret);
644 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
646 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
652 if ((extdatalen = ret-p-2)== 0)
659 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
662 unsigned char *ret = p;
663 #ifndef OPENSSL_NO_NEXTPROTONEG
664 int next_proto_neg_seen;
667 /* don't add extensions for SSLv3, unless doing secure renegotiation */
668 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
672 if (ret>=limit) return NULL; /* this really never occurs, but ... */
674 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
676 if ((long)(limit - ret - 4) < 0) return NULL;
678 s2n(TLSEXT_TYPE_server_name,ret);
682 if(s->s3->send_connection_binding)
686 if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
688 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
692 if((limit - p - 4 - el) < 0) return NULL;
694 s2n(TLSEXT_TYPE_renegotiate,ret);
697 if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
699 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
706 #ifndef OPENSSL_NO_EC
707 if (s->tlsext_ecpointformatlist != NULL &&
708 s->version != DTLS1_VERSION)
710 /* Add TLS extension ECPointFormats to the ServerHello message */
713 if ((lenmax = limit - ret - 5) < 0) return NULL;
714 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
715 if (s->tlsext_ecpointformatlist_length > 255)
717 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
721 s2n(TLSEXT_TYPE_ec_point_formats,ret);
722 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
723 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
724 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
725 ret+=s->tlsext_ecpointformatlist_length;
728 /* Currently the server should not respond with a SupportedCurves extension */
729 #endif /* OPENSSL_NO_EC */
731 if (s->tlsext_ticket_expected
732 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
734 if ((long)(limit - ret - 4) < 0) return NULL;
735 s2n(TLSEXT_TYPE_session_ticket,ret);
739 if (s->tlsext_status_expected)
741 if ((long)(limit - ret - 4) < 0) return NULL;
742 s2n(TLSEXT_TYPE_status_request,ret);
746 #ifdef TLSEXT_TYPE_opaque_prf_input
747 if (s->s3->server_opaque_prf_input != NULL &&
748 s->version != DTLS1_VERSION)
750 size_t sol = s->s3->server_opaque_prf_input_len;
752 if ((long)(limit - ret - 6 - sol) < 0)
754 if (sol > 0xFFFD) /* can't happen */
757 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
760 memcpy(ret, s->s3->server_opaque_prf_input, sol);
769 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
771 if((limit - p - 4 - el) < 0) return NULL;
773 s2n(TLSEXT_TYPE_use_srtp,ret);
776 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
778 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
784 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
785 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
786 { const unsigned char cryptopro_ext[36] = {
787 0xfd, 0xe8, /*65000*/
788 0x00, 0x20, /*32 bytes length*/
789 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
790 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
791 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
792 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
793 if (limit-ret<36) return NULL;
794 memcpy(ret,cryptopro_ext,36);
799 #ifndef OPENSSL_NO_NEXTPROTONEG
800 next_proto_neg_seen = s->s3->next_proto_neg_seen;
801 s->s3->next_proto_neg_seen = 0;
802 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
804 const unsigned char *npa;
808 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
809 if (r == SSL_TLSEXT_ERR_OK)
811 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
812 s2n(TLSEXT_TYPE_next_proto_neg,ret);
814 memcpy(ret, npa, npalen);
816 s->s3->next_proto_neg_seen = 1;
821 if ((extdatalen = ret-p-2)== 0)
828 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
833 unsigned char *data = *p;
834 int renegotiate_seen = 0;
837 s->servername_done = 0;
838 s->tlsext_status_type = -1;
844 if (data > (d+n-len))
847 while (data <= (d+n-4))
852 if (data+size > (d+n))
855 fprintf(stderr,"Received extension type %d size %d\n",type,size);
857 if (s->tlsext_debug_cb)
858 s->tlsext_debug_cb(s, 0, type, data, size,
859 s->tlsext_debug_arg);
860 /* The servername extension is treated as follows:
862 - Only the hostname type is supported with a maximum length of 255.
863 - The servername is rejected if too long or if it contains zeros,
864 in which case an fatal alert is generated.
865 - The servername field is maintained together with the session cache.
866 - When a session is resumed, the servername call back invoked in order
867 to allow the application to position itself to the right context.
868 - The servername is acknowledged if it is new for a session or when
869 it is identical to a previously used for the same session.
870 Applications can control the behaviour. They can at any time
871 set a 'desirable' servername for a new SSL object. This can be the
872 case for example with HTTPS when a Host: header field is received and
873 a renegotiation is requested. In this case, a possible servername
874 presented in the new client hello is only acknowledged if it matches
875 the value of the Host: field.
876 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
877 if they provide for changing an explicit servername context for the session,
878 i.e. when the session has been established with a servername extension.
879 - On session reconnect, the servername extension may be absent.
883 if (type == TLSEXT_TYPE_server_name)
885 unsigned char *sdata;
891 *al = SSL_AD_DECODE_ERROR;
898 *al = SSL_AD_DECODE_ERROR;
905 servname_type = *(sdata++);
911 *al = SSL_AD_DECODE_ERROR;
914 if (s->servername_done == 0)
915 switch (servname_type)
917 case TLSEXT_NAMETYPE_host_name:
920 if(s->session->tlsext_hostname)
922 *al = SSL_AD_DECODE_ERROR;
925 if (len > TLSEXT_MAXLEN_host_name)
927 *al = TLS1_AD_UNRECOGNIZED_NAME;
930 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
932 *al = TLS1_AD_INTERNAL_ERROR;
935 memcpy(s->session->tlsext_hostname, sdata, len);
936 s->session->tlsext_hostname[len]='\0';
937 if (strlen(s->session->tlsext_hostname) != len) {
938 OPENSSL_free(s->session->tlsext_hostname);
939 s->session->tlsext_hostname = NULL;
940 *al = TLS1_AD_UNRECOGNIZED_NAME;
943 s->servername_done = 1;
947 s->servername_done = s->session->tlsext_hostname
948 && strlen(s->session->tlsext_hostname) == len
949 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
961 *al = SSL_AD_DECODE_ERROR;
966 #ifndef OPENSSL_NO_SRP
967 else if (type == TLSEXT_TYPE_srp)
972 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
974 memcpy(s->srp_ctx.login, &data[1], len);
975 s->srp_ctx.login[len]='\0';
980 #ifndef OPENSSL_NO_EC
981 else if (type == TLSEXT_TYPE_ec_point_formats &&
982 s->version != DTLS1_VERSION)
984 unsigned char *sdata = data;
985 int ecpointformatlist_length = *(sdata++);
987 if (ecpointformatlist_length != size - 1)
989 *al = TLS1_AD_DECODE_ERROR;
994 if(s->session->tlsext_ecpointformatlist)
996 OPENSSL_free(s->session->tlsext_ecpointformatlist);
997 s->session->tlsext_ecpointformatlist = NULL;
999 s->session->tlsext_ecpointformatlist_length = 0;
1000 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1002 *al = TLS1_AD_INTERNAL_ERROR;
1005 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1006 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1009 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1010 sdata = s->session->tlsext_ecpointformatlist;
1011 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1012 fprintf(stderr,"%i ",*(sdata++));
1013 fprintf(stderr,"\n");
1016 else if (type == TLSEXT_TYPE_elliptic_curves &&
1017 s->version != DTLS1_VERSION)
1019 unsigned char *sdata = data;
1020 int ellipticcurvelist_length = (*(sdata++) << 8);
1021 ellipticcurvelist_length += (*(sdata++));
1023 if (ellipticcurvelist_length != size - 2)
1025 *al = TLS1_AD_DECODE_ERROR;
1030 if(s->session->tlsext_ellipticcurvelist)
1032 *al = TLS1_AD_DECODE_ERROR;
1035 s->session->tlsext_ellipticcurvelist_length = 0;
1036 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1038 *al = TLS1_AD_INTERNAL_ERROR;
1041 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1042 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1045 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1046 sdata = s->session->tlsext_ellipticcurvelist;
1047 for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1048 fprintf(stderr,"%i ",*(sdata++));
1049 fprintf(stderr,"\n");
1052 #endif /* OPENSSL_NO_EC */
1053 #ifdef TLSEXT_TYPE_opaque_prf_input
1054 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1055 s->version != DTLS1_VERSION)
1057 unsigned char *sdata = data;
1061 *al = SSL_AD_DECODE_ERROR;
1064 n2s(sdata, s->s3->client_opaque_prf_input_len);
1065 if (s->s3->client_opaque_prf_input_len != size - 2)
1067 *al = SSL_AD_DECODE_ERROR;
1071 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1072 OPENSSL_free(s->s3->client_opaque_prf_input);
1073 if (s->s3->client_opaque_prf_input_len == 0)
1074 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1076 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1077 if (s->s3->client_opaque_prf_input == NULL)
1079 *al = TLS1_AD_INTERNAL_ERROR;
1084 else if (type == TLSEXT_TYPE_session_ticket)
1086 if (s->tls_session_ticket_ext_cb &&
1087 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1089 *al = TLS1_AD_INTERNAL_ERROR;
1093 else if (type == TLSEXT_TYPE_renegotiate)
1095 if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1097 renegotiate_seen = 1;
1099 else if (type == TLSEXT_TYPE_signature_algorithms)
1102 if (sigalg_seen || size < 2)
1104 *al = SSL_AD_DECODE_ERROR;
1110 if (dsize != size || dsize & 1)
1112 *al = SSL_AD_DECODE_ERROR;
1115 if (!tls1_process_sigalgs(s, data, dsize))
1117 *al = SSL_AD_DECODE_ERROR;
1121 else if (type == TLSEXT_TYPE_status_request &&
1122 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1127 *al = SSL_AD_DECODE_ERROR;
1131 s->tlsext_status_type = *data++;
1133 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1135 const unsigned char *sdata;
1137 /* Read in responder_id_list */
1142 *al = SSL_AD_DECODE_ERROR;
1151 *al = SSL_AD_DECODE_ERROR;
1155 dsize -= 2 + idsize;
1159 *al = SSL_AD_DECODE_ERROR;
1164 id = d2i_OCSP_RESPID(NULL,
1168 *al = SSL_AD_DECODE_ERROR;
1173 OCSP_RESPID_free(id);
1174 *al = SSL_AD_DECODE_ERROR;
1177 if (!s->tlsext_ocsp_ids
1178 && !(s->tlsext_ocsp_ids =
1179 sk_OCSP_RESPID_new_null()))
1181 OCSP_RESPID_free(id);
1182 *al = SSL_AD_INTERNAL_ERROR;
1185 if (!sk_OCSP_RESPID_push(
1186 s->tlsext_ocsp_ids, id))
1188 OCSP_RESPID_free(id);
1189 *al = SSL_AD_INTERNAL_ERROR;
1194 /* Read in request_extensions */
1197 *al = SSL_AD_DECODE_ERROR;
1204 *al = SSL_AD_DECODE_ERROR;
1210 s->tlsext_ocsp_exts =
1211 d2i_X509_EXTENSIONS(NULL,
1213 if (!s->tlsext_ocsp_exts
1214 || (data + dsize != sdata))
1216 *al = SSL_AD_DECODE_ERROR;
1221 /* We don't know what to do with any other type
1225 s->tlsext_status_type = -1;
1227 #ifndef OPENSSL_NO_NEXTPROTONEG
1228 else if (type == TLSEXT_TYPE_next_proto_neg &&
1229 s->s3->tmp.finish_md_len == 0)
1231 /* We shouldn't accept this extension on a
1234 * s->new_session will be set on renegotiation, but we
1235 * probably shouldn't rely that it couldn't be set on
1236 * the initial renegotation too in certain cases (when
1237 * there's some other reason to disallow resuming an
1238 * earlier session -- the current code won't be doing
1239 * anything like that, but this might change).
1241 * A valid sign that there's been a previous handshake
1242 * in this connection is if s->s3->tmp.finish_md_len >
1243 * 0. (We are talking about a check that will happen
1244 * in the Hello protocol round, well before a new
1245 * Finished message could have been computed.) */
1246 s->s3->next_proto_neg_seen = 1;
1250 /* session ticket processed earlier */
1251 else if (type == TLSEXT_TYPE_use_srtp)
1253 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1265 /* Need RI if renegotiating */
1267 if (!renegotiate_seen && s->renegotiate &&
1268 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1270 *al = SSL_AD_HANDSHAKE_FAILURE;
1271 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1272 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1279 #ifndef OPENSSL_NO_NEXTPROTONEG
1280 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1281 * elements of zero length are allowed and the set of elements must exactly fill
1282 * the length of the block. */
1283 static int ssl_next_proto_validate(unsigned char *d, unsigned len)
1285 unsigned int off = 0;
1299 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1301 unsigned short length;
1302 unsigned short type;
1303 unsigned short size;
1304 unsigned char *data = *p;
1305 int tlsext_servername = 0;
1306 int renegotiate_seen = 0;
1308 if (data >= (d+n-2))
1312 if (data+length != d+n)
1314 *al = SSL_AD_DECODE_ERROR;
1318 while(data <= (d+n-4))
1323 if (data+size > (d+n))
1326 if (s->tlsext_debug_cb)
1327 s->tlsext_debug_cb(s, 1, type, data, size,
1328 s->tlsext_debug_arg);
1330 if (type == TLSEXT_TYPE_server_name)
1332 if (s->tlsext_hostname == NULL || size > 0)
1334 *al = TLS1_AD_UNRECOGNIZED_NAME;
1337 tlsext_servername = 1;
1340 #ifndef OPENSSL_NO_EC
1341 else if (type == TLSEXT_TYPE_ec_point_formats &&
1342 s->version != DTLS1_VERSION)
1344 unsigned char *sdata = data;
1345 int ecpointformatlist_length = *(sdata++);
1347 if (ecpointformatlist_length != size - 1)
1349 *al = TLS1_AD_DECODE_ERROR;
1352 s->session->tlsext_ecpointformatlist_length = 0;
1353 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1354 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1356 *al = TLS1_AD_INTERNAL_ERROR;
1359 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1360 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1362 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1363 sdata = s->session->tlsext_ecpointformatlist;
1364 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1365 fprintf(stderr,"%i ",*(sdata++));
1366 fprintf(stderr,"\n");
1369 #endif /* OPENSSL_NO_EC */
1371 else if (type == TLSEXT_TYPE_session_ticket)
1373 if (s->tls_session_ticket_ext_cb &&
1374 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1376 *al = TLS1_AD_INTERNAL_ERROR;
1379 if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1382 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1385 s->tlsext_ticket_expected = 1;
1387 #ifdef TLSEXT_TYPE_opaque_prf_input
1388 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1389 s->version != DTLS1_VERSION)
1391 unsigned char *sdata = data;
1395 *al = SSL_AD_DECODE_ERROR;
1398 n2s(sdata, s->s3->server_opaque_prf_input_len);
1399 if (s->s3->server_opaque_prf_input_len != size - 2)
1401 *al = SSL_AD_DECODE_ERROR;
1405 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1406 OPENSSL_free(s->s3->server_opaque_prf_input);
1407 if (s->s3->server_opaque_prf_input_len == 0)
1408 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1410 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1412 if (s->s3->server_opaque_prf_input == NULL)
1414 *al = TLS1_AD_INTERNAL_ERROR;
1419 else if (type == TLSEXT_TYPE_status_request &&
1420 s->version != DTLS1_VERSION)
1422 /* MUST be empty and only sent if we've requested
1423 * a status request message.
1425 if ((s->tlsext_status_type == -1) || (size > 0))
1427 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1430 /* Set flag to expect CertificateStatus message */
1431 s->tlsext_status_expected = 1;
1433 #ifndef OPENSSL_NO_NEXTPROTONEG
1434 else if (type == TLSEXT_TYPE_next_proto_neg)
1436 unsigned char *selected;
1437 unsigned char selected_len;
1439 /* We must have requested it. */
1440 if ((s->ctx->next_proto_select_cb == NULL))
1442 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1445 /* The data must be valid */
1446 if (!ssl_next_proto_validate(data, size))
1448 *al = TLS1_AD_DECODE_ERROR;
1451 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1453 *al = TLS1_AD_INTERNAL_ERROR;
1456 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1457 if (!s->next_proto_negotiated)
1459 *al = TLS1_AD_INTERNAL_ERROR;
1462 memcpy(s->next_proto_negotiated, selected, selected_len);
1463 s->next_proto_negotiated_len = selected_len;
1466 else if (type == TLSEXT_TYPE_renegotiate)
1468 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1470 renegotiate_seen = 1;
1472 else if (type == TLSEXT_TYPE_use_srtp)
1474 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1484 *al = SSL_AD_DECODE_ERROR;
1488 if (!s->hit && tlsext_servername == 1)
1490 if (s->tlsext_hostname)
1492 if (s->session->tlsext_hostname == NULL)
1494 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1495 if (!s->session->tlsext_hostname)
1497 *al = SSL_AD_UNRECOGNIZED_NAME;
1503 *al = SSL_AD_DECODE_ERROR;
1513 /* Determine if we need to see RI. Strictly speaking if we want to
1514 * avoid an attack we should *always* see RI even on initial server
1515 * hello because the client doesn't see any renegotiation during an
1516 * attack. However this would mean we could not connect to any server
1517 * which doesn't support RI so for the immediate future tolerate RI
1518 * absence on initial connect only.
1520 if (!renegotiate_seen
1521 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1522 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1524 *al = SSL_AD_HANDSHAKE_FAILURE;
1525 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1526 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1534 int ssl_prepare_clienthello_tlsext(SSL *s)
1536 #ifndef OPENSSL_NO_EC
1537 /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1538 * and elliptic curves we support.
1543 unsigned long alg_k, alg_a;
1544 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1546 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1548 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1550 alg_k = c->algorithm_mkey;
1551 alg_a = c->algorithm_auth;
1552 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1558 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1561 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1562 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1564 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1567 s->tlsext_ecpointformatlist_length = 3;
1568 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1569 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1570 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1572 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1573 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1574 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1575 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1577 s->tlsext_ellipticcurvelist_length = 0;
1578 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1581 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1582 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1584 int id = tls1_ec_nid2curve_id(pref_list[i]);
1588 #endif /* OPENSSL_NO_EC */
1590 #ifdef TLSEXT_TYPE_opaque_prf_input
1594 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1596 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1601 if (s->tlsext_opaque_prf_input != NULL)
1603 if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1604 OPENSSL_free(s->s3->client_opaque_prf_input);
1606 if (s->tlsext_opaque_prf_input_len == 0)
1607 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1609 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1610 if (s->s3->client_opaque_prf_input == NULL)
1612 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1615 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1619 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1620 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1627 int ssl_prepare_serverhello_tlsext(SSL *s)
1629 #ifndef OPENSSL_NO_EC
1630 /* If we are server and using an ECC cipher suite, send the point formats we support
1631 * if the client sent us an ECPointsFormat extension. Note that the server is not
1632 * supposed to send an EllipticCurves extension.
1635 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1636 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1637 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1638 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1642 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1643 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1645 SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1648 s->tlsext_ecpointformatlist_length = 3;
1649 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1650 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1651 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1653 #endif /* OPENSSL_NO_EC */
1658 int ssl_check_clienthello_tlsext(SSL *s)
1660 int ret=SSL_TLSEXT_ERR_NOACK;
1661 int al = SSL_AD_UNRECOGNIZED_NAME;
1663 #ifndef OPENSSL_NO_EC
1664 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1665 * ssl3_choose_cipher in s3_lib.c.
1667 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1668 * ssl3_choose_cipher in s3_lib.c.
1672 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1673 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1674 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1675 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1677 /* If status request then ask callback what to do.
1678 * Note: this must be called after servername callbacks in case
1679 * the certificate has changed.
1681 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1684 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1687 /* We don't want to send a status request response */
1688 case SSL_TLSEXT_ERR_NOACK:
1689 s->tlsext_status_expected = 0;
1691 /* status request response should be sent */
1692 case SSL_TLSEXT_ERR_OK:
1693 if (s->tlsext_ocsp_resp)
1694 s->tlsext_status_expected = 1;
1696 s->tlsext_status_expected = 0;
1698 /* something bad happened */
1699 case SSL_TLSEXT_ERR_ALERT_FATAL:
1700 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1701 al = SSL_AD_INTERNAL_ERROR;
1706 s->tlsext_status_expected = 0;
1708 #ifdef TLSEXT_TYPE_opaque_prf_input
1710 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1711 * but we might be sending an alert in response to the client hello,
1712 * so this has to happen here in ssl_check_clienthello_tlsext(). */
1716 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1718 r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1721 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1722 al = SSL_AD_INTERNAL_ERROR;
1727 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1728 OPENSSL_free(s->s3->server_opaque_prf_input);
1729 s->s3->server_opaque_prf_input = NULL;
1731 if (s->tlsext_opaque_prf_input != NULL)
1733 if (s->s3->client_opaque_prf_input != NULL &&
1734 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1736 /* can only use this extension if we have a server opaque PRF input
1737 * of the same length as the client opaque PRF input! */
1739 if (s->tlsext_opaque_prf_input_len == 0)
1740 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1742 s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1743 if (s->s3->server_opaque_prf_input == NULL)
1745 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1746 al = SSL_AD_INTERNAL_ERROR;
1749 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1753 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1755 /* The callback wants to enforce use of the extension,
1756 * but we can't do that with the client opaque PRF input;
1757 * abort the handshake.
1759 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1760 al = SSL_AD_HANDSHAKE_FAILURE;
1768 case SSL_TLSEXT_ERR_ALERT_FATAL:
1769 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1772 case SSL_TLSEXT_ERR_ALERT_WARNING:
1773 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1776 case SSL_TLSEXT_ERR_NOACK:
1777 s->servername_done=0;
1783 int ssl_check_serverhello_tlsext(SSL *s)
1785 int ret=SSL_TLSEXT_ERR_NOACK;
1786 int al = SSL_AD_UNRECOGNIZED_NAME;
1788 #ifndef OPENSSL_NO_EC
1789 /* If we are client and using an elliptic curve cryptography cipher
1790 * suite, then if server returns an EC point formats lists extension
1791 * it must contain uncompressed.
1793 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1794 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1795 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
1796 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
1797 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1799 /* we are using an ECC cipher */
1801 unsigned char *list;
1802 int found_uncompressed = 0;
1803 list = s->session->tlsext_ecpointformatlist;
1804 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1806 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1808 found_uncompressed = 1;
1812 if (!found_uncompressed)
1814 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1818 ret = SSL_TLSEXT_ERR_OK;
1819 #endif /* OPENSSL_NO_EC */
1821 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1822 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1823 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1824 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1826 #ifdef TLSEXT_TYPE_opaque_prf_input
1827 if (s->s3->server_opaque_prf_input_len > 0)
1829 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1830 * So first verify that we really have a value from the server too. */
1832 if (s->s3->server_opaque_prf_input == NULL)
1834 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1835 al = SSL_AD_HANDSHAKE_FAILURE;
1838 /* Anytime the server *has* sent an opaque PRF input, we need to check
1839 * that we have a client opaque PRF input of the same size. */
1840 if (s->s3->client_opaque_prf_input == NULL ||
1841 s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1843 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1844 al = SSL_AD_ILLEGAL_PARAMETER;
1849 /* If we've requested certificate status and we wont get one
1852 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1853 && s->ctx && s->ctx->tlsext_status_cb)
1856 /* Set resp to NULL, resplen to -1 so callback knows
1857 * there is no response.
1859 if (s->tlsext_ocsp_resp)
1861 OPENSSL_free(s->tlsext_ocsp_resp);
1862 s->tlsext_ocsp_resp = NULL;
1864 s->tlsext_ocsp_resplen = -1;
1865 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1868 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1869 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1873 al = SSL_AD_INTERNAL_ERROR;
1874 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1880 case SSL_TLSEXT_ERR_ALERT_FATAL:
1881 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1884 case SSL_TLSEXT_ERR_ALERT_WARNING:
1885 ssl3_send_alert(s,SSL3_AL_WARNING,al);
1888 case SSL_TLSEXT_ERR_NOACK:
1889 s->servername_done=0;
1895 /* Since the server cache lookup is done early on in the processing of the
1896 * ClientHello, and other operations depend on the result, we need to handle
1897 * any TLS session ticket extension at the same time.
1899 * session_id: points at the session ID in the ClientHello. This code will
1900 * read past the end of this in order to parse out the session ticket
1901 * extension, if any.
1902 * len: the length of the session ID.
1903 * limit: a pointer to the first byte after the ClientHello.
1904 * ret: (output) on return, if a ticket was decrypted, then this is set to
1905 * point to the resulting session.
1907 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
1908 * ciphersuite, in which case we have no use for session tickets and one will
1909 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
1912 * -1: fatal error, either from parsing or decrypting the ticket.
1913 * 0: no ticket was found (or was ignored, based on settings).
1914 * 1: a zero length extension was found, indicating that the client supports
1915 * session tickets but doesn't currently have one to offer.
1916 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
1917 * couldn't be decrypted because of a non-fatal error.
1918 * 3: a ticket was successfully decrypted and *ret was set.
1921 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
1922 * a new session ticket to the client because the client indicated support
1923 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
1924 * a session ticket or we couldn't use the one it gave us, or if
1925 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
1926 * Otherwise, s->tlsext_ticket_expected is set to 0.
1928 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1929 const unsigned char *limit, SSL_SESSION **ret)
1931 /* Point after session ID in client hello */
1932 const unsigned char *p = session_id + len;
1936 s->tlsext_ticket_expected = 0;
1938 /* If tickets disabled behave as if no ticket present
1939 * to permit stateful resumption.
1941 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1943 if ((s->version <= SSL3_VERSION) || !limit)
1947 /* Skip past DTLS cookie */
1948 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1955 /* Skip past cipher list */
1960 /* Skip past compression algorithm list */
1965 /* Now at start of extensions */
1966 if ((p + 2) >= limit)
1969 while ((p + 4) <= limit)
1971 unsigned short type, size;
1974 if (p + size > limit)
1976 if (type == TLSEXT_TYPE_session_ticket)
1981 /* The client will accept a ticket but doesn't
1982 * currently have one. */
1983 s->tlsext_ticket_expected = 1;
1986 if (s->tls_session_secret_cb)
1988 /* Indicate that the ticket couldn't be
1989 * decrypted rather than generating the session
1990 * from ticket now, trigger abbreviated
1991 * handshake based on external mechanism to
1992 * calculate the master secret later. */
1995 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
1998 case 2: /* ticket couldn't be decrypted */
1999 s->tlsext_ticket_expected = 1;
2001 case 3: /* ticket was decrypted */
2003 case 4: /* ticket decrypted but need to renew */
2004 s->tlsext_ticket_expected = 1;
2006 default: /* fatal error */
2015 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2017 * etick: points to the body of the session ticket extension.
2018 * eticklen: the length of the session tickets extenion.
2019 * sess_id: points at the session ID.
2020 * sesslen: the length of the session ID.
2021 * psess: (output) on return, if a ticket was decrypted, then this is set to
2022 * point to the resulting session.
2025 * -1: fatal error, either from parsing or decrypting the ticket.
2026 * 2: the ticket couldn't be decrypted.
2027 * 3: a ticket was successfully decrypted and *psess was set.
2028 * 4: same as 3, but the ticket needs to be renewed.
2030 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2031 const unsigned char *sess_id, int sesslen,
2032 SSL_SESSION **psess)
2035 unsigned char *sdec;
2036 const unsigned char *p;
2037 int slen, mlen, renew_ticket = 0;
2038 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2041 SSL_CTX *tctx = s->initial_ctx;
2042 /* Need at least keyname + iv + some encrypted data */
2045 /* Initialize session ticket encryption and HMAC contexts */
2046 HMAC_CTX_init(&hctx);
2047 EVP_CIPHER_CTX_init(&ctx);
2048 if (tctx->tlsext_ticket_key_cb)
2050 unsigned char *nctick = (unsigned char *)etick;
2051 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2062 /* Check key name matches */
2063 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2065 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2066 tlsext_tick_md(), NULL);
2067 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2068 tctx->tlsext_tick_aes_key, etick + 16);
2070 /* Attempt to process session ticket, first conduct sanity and
2071 * integrity checks on ticket.
2073 mlen = HMAC_size(&hctx);
2076 EVP_CIPHER_CTX_cleanup(&ctx);
2080 /* Check HMAC of encrypted ticket */
2081 HMAC_Update(&hctx, etick, eticklen);
2082 HMAC_Final(&hctx, tick_hmac, NULL);
2083 HMAC_CTX_cleanup(&hctx);
2084 if (memcmp(tick_hmac, etick + eticklen, mlen))
2086 /* Attempt to decrypt session data */
2087 /* Move p after IV to start of encrypted ticket, update length */
2088 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2089 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2090 sdec = OPENSSL_malloc(eticklen);
2093 EVP_CIPHER_CTX_cleanup(&ctx);
2096 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2097 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2100 EVP_CIPHER_CTX_cleanup(&ctx);
2103 sess = d2i_SSL_SESSION(NULL, &p, slen);
2107 /* The session ID, if non-empty, is used by some clients to
2108 * detect that the ticket has been accepted. So we copy it to
2109 * the session structure. If it is empty set length to zero
2110 * as required by standard.
2113 memcpy(sess->session_id, sess_id, sesslen);
2114 sess->session_id_length = sesslen;
2122 /* For session parse failure, indicate that we need to send a new
2127 /* Tables to translate from NIDs to TLS v1.2 ids */
2135 static tls12_lookup tls12_md[] = {
2136 #ifndef OPENSSL_NO_MD5
2137 {NID_md5, TLSEXT_hash_md5},
2139 #ifndef OPENSSL_NO_SHA
2140 {NID_sha1, TLSEXT_hash_sha1},
2142 #ifndef OPENSSL_NO_SHA256
2143 {NID_sha224, TLSEXT_hash_sha224},
2144 {NID_sha256, TLSEXT_hash_sha256},
2146 #ifndef OPENSSL_NO_SHA512
2147 {NID_sha384, TLSEXT_hash_sha384},
2148 {NID_sha512, TLSEXT_hash_sha512}
2152 static tls12_lookup tls12_sig[] = {
2153 #ifndef OPENSSL_NO_RSA
2154 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2156 #ifndef OPENSSL_NO_RSA
2157 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2159 #ifndef OPENSSL_NO_ECDSA
2160 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2164 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2167 for (i = 0; i < tlen; i++)
2169 if (table[i].nid == nid)
2175 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2178 for (i = 0; i < tlen; i++)
2180 if (table[i].id == id)
2181 return table[i].nid;
2187 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2190 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2191 sizeof(tls12_md)/sizeof(tls12_lookup));
2194 sig_id = tls12_get_sigid(pk);
2197 p[0] = (unsigned char)md_id;
2198 p[1] = (unsigned char)sig_id;
2202 int tls12_get_sigid(const EVP_PKEY *pk)
2204 return tls12_find_id(pk->type, tls12_sig,
2205 sizeof(tls12_sig)/sizeof(tls12_lookup));
2208 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2212 #ifndef OPENSSL_NO_MD5
2213 case TLSEXT_hash_md5:
2220 #ifndef OPENSSL_NO_SHA
2221 case TLSEXT_hash_sha1:
2224 #ifndef OPENSSL_NO_SHA256
2225 case TLSEXT_hash_sha224:
2226 return EVP_sha224();
2228 case TLSEXT_hash_sha256:
2229 return EVP_sha256();
2231 #ifndef OPENSSL_NO_SHA512
2232 case TLSEXT_hash_sha384:
2233 return EVP_sha384();
2235 case TLSEXT_hash_sha512:
2236 return EVP_sha512();
2244 /* Set preferred digest for each key type */
2246 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2251 /* Extension ignored for TLS versions below 1.2 */
2252 if (TLS1_get_version(s) < TLS1_2_VERSION)
2254 /* Should never happen */
2258 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2259 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2260 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2261 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2263 for (i = 0; i < dsize; i += 2)
2265 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2269 #ifndef OPENSSL_NO_RSA
2270 case TLSEXT_signature_rsa:
2271 idx = SSL_PKEY_RSA_SIGN;
2274 #ifndef OPENSSL_NO_DSA
2275 case TLSEXT_signature_dsa:
2276 idx = SSL_PKEY_DSA_SIGN;
2279 #ifndef OPENSSL_NO_ECDSA
2280 case TLSEXT_signature_ecdsa:
2288 if (c->pkeys[idx].digest == NULL)
2290 md = tls12_get_hash(hash_alg);
2293 c->pkeys[idx].digest = md;
2294 if (idx == SSL_PKEY_RSA_SIGN)
2295 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2302 /* Set any remaining keys to default values. NOTE: if alg is not
2303 * supported it stays as NULL.
2305 #ifndef OPENSSL_NO_DSA
2306 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2307 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2309 #ifndef OPENSSL_NO_RSA
2310 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2312 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2313 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2316 #ifndef OPENSSL_NO_ECDSA
2317 if (!c->pkeys[SSL_PKEY_ECC].digest)
2318 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();