1 /* $OpenBSD: t1_lib.c,v 1.86 2016/03/10 23:21:46 mmcc Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
119 #include "ssl_locl.h"
120 #include "bytestring.h"
122 static int tls_decrypt_ticket(SSL
*s
, const unsigned char *tick
, int ticklen
,
123 const unsigned char *sess_id
, int sesslen
,
124 SSL_SESSION
**psess
);
126 SSL3_ENC_METHOD TLSv1_enc_data
= {
129 .setup_key_block
= tls1_setup_key_block
,
130 .generate_master_secret
= tls1_generate_master_secret
,
131 .change_cipher_state
= tls1_change_cipher_state
,
132 .final_finish_mac
= tls1_final_finish_mac
,
133 .finish_mac_length
= TLS1_FINISH_MAC_LENGTH
,
134 .cert_verify_mac
= tls1_cert_verify_mac
,
135 .client_finished_label
= TLS_MD_CLIENT_FINISH_CONST
,
136 .client_finished_label_len
= TLS_MD_CLIENT_FINISH_CONST_SIZE
,
137 .server_finished_label
= TLS_MD_SERVER_FINISH_CONST
,
138 .server_finished_label_len
= TLS_MD_SERVER_FINISH_CONST_SIZE
,
139 .alert_value
= tls1_alert_code
,
140 .export_keying_material
= tls1_export_keying_material
,
144 SSL3_ENC_METHOD TLSv1_1_enc_data
= {
147 .setup_key_block
= tls1_setup_key_block
,
148 .generate_master_secret
= tls1_generate_master_secret
,
149 .change_cipher_state
= tls1_change_cipher_state
,
150 .final_finish_mac
= tls1_final_finish_mac
,
151 .finish_mac_length
= TLS1_FINISH_MAC_LENGTH
,
152 .cert_verify_mac
= tls1_cert_verify_mac
,
153 .client_finished_label
= TLS_MD_CLIENT_FINISH_CONST
,
154 .client_finished_label_len
= TLS_MD_CLIENT_FINISH_CONST_SIZE
,
155 .server_finished_label
= TLS_MD_SERVER_FINISH_CONST
,
156 .server_finished_label_len
= TLS_MD_SERVER_FINISH_CONST_SIZE
,
157 .alert_value
= tls1_alert_code
,
158 .export_keying_material
= tls1_export_keying_material
,
159 .enc_flags
= SSL_ENC_FLAG_EXPLICIT_IV
,
162 SSL3_ENC_METHOD TLSv1_2_enc_data
= {
165 .setup_key_block
= tls1_setup_key_block
,
166 .generate_master_secret
= tls1_generate_master_secret
,
167 .change_cipher_state
= tls1_change_cipher_state
,
168 .final_finish_mac
= tls1_final_finish_mac
,
169 .finish_mac_length
= TLS1_FINISH_MAC_LENGTH
,
170 .cert_verify_mac
= tls1_cert_verify_mac
,
171 .client_finished_label
= TLS_MD_CLIENT_FINISH_CONST
,
172 .client_finished_label_len
= TLS_MD_CLIENT_FINISH_CONST_SIZE
,
173 .server_finished_label
= TLS_MD_SERVER_FINISH_CONST
,
174 .server_finished_label_len
= TLS_MD_SERVER_FINISH_CONST_SIZE
,
175 .alert_value
= tls1_alert_code
,
176 .export_keying_material
= tls1_export_keying_material
,
177 .enc_flags
= SSL_ENC_FLAG_EXPLICIT_IV
|SSL_ENC_FLAG_SIGALGS
|
178 SSL_ENC_FLAG_SHA256_PRF
|SSL_ENC_FLAG_TLS1_2_CIPHERS
,
182 tls1_default_timeout(void)
184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
185 * is way too long for http, the cache would over fill */
186 return (60 * 60 * 2);
194 s
->method
->ssl_clear(s
);
204 free(s
->tlsext_session_ticket
);
212 s
->version
= s
->method
->version
;
216 static int nid_list
[] = {
217 NID_sect163k1
, /* sect163k1 (1) */
218 NID_sect163r1
, /* sect163r1 (2) */
219 NID_sect163r2
, /* sect163r2 (3) */
220 NID_sect193r1
, /* sect193r1 (4) */
221 NID_sect193r2
, /* sect193r2 (5) */
222 NID_sect233k1
, /* sect233k1 (6) */
223 NID_sect233r1
, /* sect233r1 (7) */
224 NID_sect239k1
, /* sect239k1 (8) */
225 NID_sect283k1
, /* sect283k1 (9) */
226 NID_sect283r1
, /* sect283r1 (10) */
227 NID_sect409k1
, /* sect409k1 (11) */
228 NID_sect409r1
, /* sect409r1 (12) */
229 NID_sect571k1
, /* sect571k1 (13) */
230 NID_sect571r1
, /* sect571r1 (14) */
231 NID_secp160k1
, /* secp160k1 (15) */
232 NID_secp160r1
, /* secp160r1 (16) */
233 NID_secp160r2
, /* secp160r2 (17) */
234 NID_secp192k1
, /* secp192k1 (18) */
235 NID_X9_62_prime192v1
, /* secp192r1 (19) */
236 NID_secp224k1
, /* secp224k1 (20) */
237 NID_secp224r1
, /* secp224r1 (21) */
238 NID_secp256k1
, /* secp256k1 (22) */
239 NID_X9_62_prime256v1
, /* secp256r1 (23) */
240 NID_secp384r1
, /* secp384r1 (24) */
241 NID_secp521r1
, /* secp521r1 (25) */
242 NID_brainpoolP256r1
, /* brainpoolP256r1 (26) */
243 NID_brainpoolP384r1
, /* brainpoolP384r1 (27) */
244 NID_brainpoolP512r1
/* brainpoolP512r1 (28) */
247 static const uint8_t ecformats_default
[] = {
248 TLSEXT_ECPOINTFORMAT_uncompressed
,
249 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime
,
250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
253 static const uint16_t eccurves_default
[] = {
254 14, /* sect571r1 (14) */
255 13, /* sect571k1 (13) */
256 25, /* secp521r1 (25) */
257 28, /* brainpool512r1 (28) */
258 11, /* sect409k1 (11) */
259 12, /* sect409r1 (12) */
260 27, /* brainpoolP384r1 (27) */
261 24, /* secp384r1 (24) */
262 9, /* sect283k1 (9) */
263 10, /* sect283r1 (10) */
264 26, /* brainpoolP256r1 (26) */
265 22, /* secp256k1 (22) */
266 23, /* secp256r1 (23) */
267 8, /* sect239k1 (8) */
268 6, /* sect233k1 (6) */
269 7, /* sect233r1 (7) */
270 20, /* secp224k1 (20) */
271 21, /* secp224r1 (21) */
272 4, /* sect193r1 (4) */
273 5, /* sect193r2 (5) */
274 18, /* secp192k1 (18) */
275 19, /* secp192r1 (19) */
276 1, /* sect163k1 (1) */
277 2, /* sect163r1 (2) */
278 3, /* sect163r2 (3) */
279 15, /* secp160k1 (15) */
280 16, /* secp160r1 (16) */
281 17, /* secp160r2 (17) */
285 tls1_ec_curve_id2nid(uint16_t curve_id
)
287 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
288 if ((curve_id
< 1) ||
289 ((unsigned int)curve_id
> sizeof(nid_list
) / sizeof(nid_list
[0])))
291 return nid_list
[curve_id
- 1];
295 tls1_ec_nid2curve_id(int nid
)
297 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
299 case NID_sect163k1
: /* sect163k1 (1) */
301 case NID_sect163r1
: /* sect163r1 (2) */
303 case NID_sect163r2
: /* sect163r2 (3) */
305 case NID_sect193r1
: /* sect193r1 (4) */
307 case NID_sect193r2
: /* sect193r2 (5) */
309 case NID_sect233k1
: /* sect233k1 (6) */
311 case NID_sect233r1
: /* sect233r1 (7) */
313 case NID_sect239k1
: /* sect239k1 (8) */
315 case NID_sect283k1
: /* sect283k1 (9) */
317 case NID_sect283r1
: /* sect283r1 (10) */
319 case NID_sect409k1
: /* sect409k1 (11) */
321 case NID_sect409r1
: /* sect409r1 (12) */
323 case NID_sect571k1
: /* sect571k1 (13) */
325 case NID_sect571r1
: /* sect571r1 (14) */
327 case NID_secp160k1
: /* secp160k1 (15) */
329 case NID_secp160r1
: /* secp160r1 (16) */
331 case NID_secp160r2
: /* secp160r2 (17) */
333 case NID_secp192k1
: /* secp192k1 (18) */
335 case NID_X9_62_prime192v1
: /* secp192r1 (19) */
337 case NID_secp224k1
: /* secp224k1 (20) */
339 case NID_secp224r1
: /* secp224r1 (21) */
341 case NID_secp256k1
: /* secp256k1 (22) */
343 case NID_X9_62_prime256v1
: /* secp256r1 (23) */
345 case NID_secp384r1
: /* secp384r1 (24) */
347 case NID_secp521r1
: /* secp521r1 (25) */
349 case NID_brainpoolP256r1
: /* brainpoolP256r1 (26) */
351 case NID_brainpoolP384r1
: /* brainpoolP384r1 (27) */
353 case NID_brainpoolP512r1
: /* brainpoolP512r1 (28) */
361 * Return the appropriate format list. If client_formats is non-zero, return
362 * the client/session formats. Otherwise return the custom format list if one
363 * exists, or the default formats if a custom list has not been specified.
366 tls1_get_formatlist(SSL
*s
, int client_formats
, const uint8_t **pformats
,
369 if (client_formats
!= 0) {
370 *pformats
= s
->session
->tlsext_ecpointformatlist
;
371 *pformatslen
= s
->session
->tlsext_ecpointformatlist_length
;
375 *pformats
= s
->tlsext_ecpointformatlist
;
376 *pformatslen
= s
->tlsext_ecpointformatlist_length
;
377 if (*pformats
== NULL
) {
378 *pformats
= ecformats_default
;
379 *pformatslen
= sizeof(ecformats_default
);
384 * Return the appropriate curve list. If client_curves is non-zero, return
385 * the client/session curves. Otherwise return the custom curve list if one
386 * exists, or the default curves if a custom list has not been specified.
389 tls1_get_curvelist(SSL
*s
, int client_curves
, const uint16_t **pcurves
,
392 if (client_curves
!= 0) {
393 *pcurves
= s
->session
->tlsext_ellipticcurvelist
;
394 *pcurveslen
= s
->session
->tlsext_ellipticcurvelist_length
;
398 *pcurves
= s
->tlsext_ellipticcurvelist
;
399 *pcurveslen
= s
->tlsext_ellipticcurvelist_length
;
400 if (*pcurves
== NULL
) {
401 *pcurves
= eccurves_default
;
402 *pcurveslen
= sizeof(eccurves_default
) / 2;
406 /* Check that a curve is one of our preferences. */
408 tls1_check_curve(SSL
*s
, const unsigned char *p
, size_t len
)
411 const uint16_t *curves
;
416 CBS_init(&cbs
, p
, len
);
418 /* Only named curves are supported. */
419 if (CBS_len(&cbs
) != 3 ||
420 !CBS_get_u8(&cbs
, &type
) ||
421 type
!= NAMED_CURVE_TYPE
||
422 !CBS_get_u16(&cbs
, &cid
))
425 tls1_get_curvelist(s
, 0, &curves
, &curveslen
);
427 for (i
= 0; i
< curveslen
; i
++) {
428 if (curves
[i
] == cid
)
435 tls1_get_shared_curve(SSL
*s
)
437 size_t preflen
, supplen
, i
, j
;
438 const uint16_t *pref
, *supp
;
439 unsigned long server_pref
;
441 /* Cannot do anything on the client side. */
445 /* Return first preference shared curve. */
446 server_pref
= (s
->options
& SSL_OP_CIPHER_SERVER_PREFERENCE
);
447 tls1_get_curvelist(s
, (server_pref
== 0), &pref
, &preflen
);
448 tls1_get_curvelist(s
, (server_pref
!= 0), &supp
, &supplen
);
450 for (i
= 0; i
< preflen
; i
++) {
451 for (j
= 0; j
< supplen
; j
++) {
452 if (pref
[i
] == supp
[j
])
453 return (tls1_ec_curve_id2nid(pref
[i
]));
459 /* For an EC key set TLS ID and required compression based on parameters. */
461 tls1_set_ec_id(uint16_t *curve_id
, uint8_t *comp_id
, EC_KEY
*ec
)
464 const EC_METHOD
*meth
;
471 /* Determine if it is a prime field. */
472 if ((grp
= EC_KEY_get0_group(ec
)) == NULL
)
474 if ((meth
= EC_GROUP_method_of(grp
)) == NULL
)
476 if (EC_METHOD_get_field_type(meth
) == NID_X9_62_prime_field
)
479 /* Determine curve ID. */
480 nid
= EC_GROUP_get_curve_name(grp
);
481 id
= tls1_ec_nid2curve_id(nid
);
483 /* If we have an ID set it, otherwise set arbitrary explicit curve. */
487 *curve_id
= is_prime
? 0xff01 : 0xff02;
489 /* Specify the compression identifier. */
490 if (comp_id
!= NULL
) {
491 if (EC_KEY_get0_public_key(ec
) == NULL
)
494 if (EC_KEY_get_conv_form(ec
) == POINT_CONVERSION_COMPRESSED
) {
495 *comp_id
= is_prime
?
496 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime
:
497 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
;
499 *comp_id
= TLSEXT_ECPOINTFORMAT_uncompressed
;
505 /* Check that an EC key is compatible with extensions. */
507 tls1_check_ec_key(SSL
*s
, const uint16_t *curve_id
, const uint8_t *comp_id
)
509 size_t curveslen
, formatslen
, i
;
510 const uint16_t *curves
;
511 const uint8_t *formats
;
514 * Check point formats extension if present, otherwise everything
515 * is supported (see RFC4492).
517 tls1_get_formatlist(s
, 1, &formats
, &formatslen
);
518 if (comp_id
!= NULL
&& formats
!= NULL
) {
519 for (i
= 0; i
< formatslen
; i
++) {
520 if (formats
[i
] == *comp_id
)
528 * Check curve list if present, otherwise everything is supported.
530 tls1_get_curvelist(s
, 1, &curves
, &curveslen
);
531 if (curve_id
!= NULL
&& curves
!= NULL
) {
532 for (i
= 0; i
< curveslen
; i
++) {
533 if (curves
[i
] == *curve_id
)
543 /* Check EC server key is compatible with client extensions. */
545 tls1_check_ec_server_key(SSL
*s
)
547 CERT_PKEY
*cpk
= s
->cert
->pkeys
+ SSL_PKEY_ECC
;
553 if (cpk
->x509
== NULL
|| cpk
->privatekey
== NULL
)
555 if ((pkey
= X509_get_pubkey(cpk
->x509
)) == NULL
)
557 rv
= tls1_set_ec_id(&curve_id
, &comp_id
, pkey
->pkey
.ec
);
562 return tls1_check_ec_key(s
, &curve_id
, &comp_id
);
565 /* Check EC temporary key is compatible with client extensions. */
567 tls1_check_ec_tmp_key(SSL
*s
)
569 EC_KEY
*ec
= s
->cert
->ecdh_tmp
;
572 if (s
->cert
->ecdh_tmp_auto
!= 0) {
573 /* Need a shared curve. */
574 if (tls1_get_shared_curve(s
) != NID_undef
)
580 if (s
->cert
->ecdh_tmp_cb
!= NULL
)
584 if (tls1_set_ec_id(&curve_id
, NULL
, ec
) != 1)
587 return tls1_check_ec_key(s
, &curve_id
, NULL
);
591 * List of supported signature algorithms and hashes. Should make this
592 * customisable at some point, for now include everything we support.
595 static unsigned char tls12_sigalgs
[] = {
596 TLSEXT_hash_sha512
, TLSEXT_signature_rsa
,
597 TLSEXT_hash_sha512
, TLSEXT_signature_dsa
,
598 TLSEXT_hash_sha512
, TLSEXT_signature_ecdsa
,
599 #ifndef OPENSSL_NO_GOST
600 TLSEXT_hash_streebog_512
, TLSEXT_signature_gostr12_512
,
603 TLSEXT_hash_sha384
, TLSEXT_signature_rsa
,
604 TLSEXT_hash_sha384
, TLSEXT_signature_dsa
,
605 TLSEXT_hash_sha384
, TLSEXT_signature_ecdsa
,
607 TLSEXT_hash_sha256
, TLSEXT_signature_rsa
,
608 TLSEXT_hash_sha256
, TLSEXT_signature_dsa
,
609 TLSEXT_hash_sha256
, TLSEXT_signature_ecdsa
,
611 #ifndef OPENSSL_NO_GOST
612 TLSEXT_hash_streebog_256
, TLSEXT_signature_gostr12_256
,
613 TLSEXT_hash_gost94
, TLSEXT_signature_gostr01
,
616 TLSEXT_hash_sha224
, TLSEXT_signature_rsa
,
617 TLSEXT_hash_sha224
, TLSEXT_signature_dsa
,
618 TLSEXT_hash_sha224
, TLSEXT_signature_ecdsa
,
620 TLSEXT_hash_sha1
, TLSEXT_signature_rsa
,
621 TLSEXT_hash_sha1
, TLSEXT_signature_dsa
,
622 TLSEXT_hash_sha1
, TLSEXT_signature_ecdsa
,
626 tls12_get_req_sig_algs(SSL
*s
, unsigned char *p
)
628 size_t slen
= sizeof(tls12_sigalgs
);
631 memcpy(p
, tls12_sigalgs
, slen
);
636 ssl_add_clienthello_tlsext(SSL
*s
, unsigned char *p
, unsigned char *limit
)
639 unsigned char *ret
= p
;
642 /* See if we support any ECC ciphersuites. */
643 if (s
->version
!= DTLS1_VERSION
&& s
->version
>= TLS1_VERSION
) {
644 STACK_OF(SSL_CIPHER
) *cipher_stack
= SSL_get_ciphers(s
);
645 unsigned long alg_k
, alg_a
;
648 for (i
= 0; i
< sk_SSL_CIPHER_num(cipher_stack
); i
++) {
649 SSL_CIPHER
*c
= sk_SSL_CIPHER_value(cipher_stack
, i
);
651 alg_k
= c
->algorithm_mkey
;
652 alg_a
= c
->algorithm_auth
;
654 if ((alg_k
& (SSL_kECDHE
|SSL_kECDHr
|SSL_kECDHe
) ||
655 (alg_a
& SSL_aECDSA
))) {
665 return NULL
; /* this really never occurs, but ... */
667 if (s
->tlsext_hostname
!= NULL
) {
668 /* Add TLS extension servername to the Client Hello message */
669 size_t size_str
, lenmax
;
671 /* check for enough space.
672 4 for the servername type and extension length
673 2 for servernamelist length
674 1 for the hostname type
675 2 for hostname length
679 if ((size_t)(limit
- ret
) < 9)
682 lenmax
= limit
- ret
- 9;
683 if ((size_str
= strlen(s
->tlsext_hostname
)) > lenmax
)
686 /* extension type and length */
687 s2n(TLSEXT_TYPE_server_name
, ret
);
689 s2n(size_str
+ 5, ret
);
691 /* length of servername list */
692 s2n(size_str
+ 3, ret
);
694 /* hostname type, length and hostname */
695 *(ret
++) = (unsigned char) TLSEXT_NAMETYPE_host_name
;
697 memcpy(ret
, s
->tlsext_hostname
, size_str
);
701 /* Add RI if renegotiating */
702 if (s
->renegotiate
) {
705 if (!ssl_add_clienthello_renegotiate_ext(s
, 0, &el
, 0)) {
706 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT
,
707 ERR_R_INTERNAL_ERROR
);
711 if ((size_t)(limit
- ret
) < 4 + el
)
714 s2n(TLSEXT_TYPE_renegotiate
, ret
);
717 if (!ssl_add_clienthello_renegotiate_ext(s
, ret
, &el
, el
)) {
718 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT
,
719 ERR_R_INTERNAL_ERROR
);
727 size_t curveslen
, formatslen
, lenmax
;
728 const uint16_t *curves
;
729 const uint8_t *formats
;
733 * Add TLS extension ECPointFormats to the ClientHello message.
735 tls1_get_formatlist(s
, 0, &formats
, &formatslen
);
737 if ((size_t)(limit
- ret
) < 5)
740 lenmax
= limit
- ret
- 5;
741 if (formatslen
> lenmax
)
743 if (formatslen
> 255) {
744 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT
,
745 ERR_R_INTERNAL_ERROR
);
749 s2n(TLSEXT_TYPE_ec_point_formats
, ret
);
750 s2n(formatslen
+ 1, ret
);
751 *(ret
++) = (unsigned char)formatslen
;
752 memcpy(ret
, formats
, formatslen
);
756 * Add TLS extension EllipticCurves to the ClientHello message.
758 tls1_get_curvelist(s
, 0, &curves
, &curveslen
);
760 if ((size_t)(limit
- ret
) < 6)
763 lenmax
= limit
- ret
- 6;
764 if (curveslen
> lenmax
)
766 if (curveslen
> 65532) {
767 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT
,
768 ERR_R_INTERNAL_ERROR
);
772 s2n(TLSEXT_TYPE_elliptic_curves
, ret
);
773 s2n((curveslen
* 2) + 2, ret
);
775 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
776 * elliptic_curve_list, but the examples use two bytes.
777 * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
778 * resolves this to two bytes.
780 s2n(curveslen
* 2, ret
);
781 for (i
= 0; i
< curveslen
; i
++)
785 if (!(SSL_get_options(s
) & SSL_OP_NO_TICKET
)) {
787 if (!s
->new_session
&& s
->session
&& s
->session
->tlsext_tick
)
788 ticklen
= s
->session
->tlsext_ticklen
;
789 else if (s
->session
&& s
->tlsext_session_ticket
&&
790 s
->tlsext_session_ticket
->data
) {
791 ticklen
= s
->tlsext_session_ticket
->length
;
792 s
->session
->tlsext_tick
= malloc(ticklen
);
793 if (!s
->session
->tlsext_tick
)
795 memcpy(s
->session
->tlsext_tick
,
796 s
->tlsext_session_ticket
->data
, ticklen
);
797 s
->session
->tlsext_ticklen
= ticklen
;
800 if (ticklen
== 0 && s
->tlsext_session_ticket
&&
801 s
->tlsext_session_ticket
->data
== NULL
)
803 /* Check for enough room 2 for extension type, 2 for len
806 if ((size_t)(limit
- ret
) < 4 + ticklen
)
808 s2n(TLSEXT_TYPE_session_ticket
, ret
);
812 memcpy(ret
, s
->session
->tlsext_tick
, ticklen
);
818 if (TLS1_get_client_version(s
) >= TLS1_2_VERSION
) {
819 if ((size_t)(limit
- ret
) < sizeof(tls12_sigalgs
) + 6)
822 s2n(TLSEXT_TYPE_signature_algorithms
, ret
);
823 s2n(sizeof(tls12_sigalgs
) + 2, ret
);
824 s2n(sizeof(tls12_sigalgs
), ret
);
825 memcpy(ret
, tls12_sigalgs
, sizeof(tls12_sigalgs
));
826 ret
+= sizeof(tls12_sigalgs
);
829 if (s
->tlsext_status_type
== TLSEXT_STATUSTYPE_ocsp
&&
830 s
->version
!= DTLS1_VERSION
) {
832 long extlen
, idlen
, itmp
;
836 for (i
= 0; i
< sk_OCSP_RESPID_num(s
->tlsext_ocsp_ids
); i
++) {
837 id
= sk_OCSP_RESPID_value(s
->tlsext_ocsp_ids
, i
);
838 itmp
= i2d_OCSP_RESPID(id
, NULL
);
844 if (s
->tlsext_ocsp_exts
) {
845 extlen
= i2d_X509_EXTENSIONS(s
->tlsext_ocsp_exts
, NULL
);
851 if ((size_t)(limit
- ret
) < 7 + extlen
+ idlen
)
853 s2n(TLSEXT_TYPE_status_request
, ret
);
854 if (extlen
+ idlen
> 0xFFF0)
856 s2n(extlen
+ idlen
+ 5, ret
);
857 *(ret
++) = TLSEXT_STATUSTYPE_ocsp
;
859 for (i
= 0; i
< sk_OCSP_RESPID_num(s
->tlsext_ocsp_ids
); i
++) {
860 /* save position of id len */
861 unsigned char *q
= ret
;
862 id
= sk_OCSP_RESPID_value(s
->tlsext_ocsp_ids
, i
);
863 /* skip over id len */
865 itmp
= i2d_OCSP_RESPID(id
, &ret
);
871 i2d_X509_EXTENSIONS(s
->tlsext_ocsp_exts
, &ret
);
874 if (s
->ctx
->next_proto_select_cb
&& !s
->s3
->tmp
.finish_md_len
) {
875 /* The client advertises an emtpy extension to indicate its
876 * support for Next Protocol Negotiation */
877 if ((size_t)(limit
- ret
) < 4)
879 s2n(TLSEXT_TYPE_next_proto_neg
, ret
);
883 if (s
->alpn_client_proto_list
!= NULL
&&
884 s
->s3
->tmp
.finish_md_len
== 0) {
885 if ((size_t)(limit
- ret
) < 6 + s
->alpn_client_proto_list_len
)
887 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation
, ret
);
888 s2n(2 + s
->alpn_client_proto_list_len
, ret
);
889 s2n(s
->alpn_client_proto_list_len
, ret
);
890 memcpy(ret
, s
->alpn_client_proto_list
,
891 s
->alpn_client_proto_list_len
);
892 ret
+= s
->alpn_client_proto_list_len
;
895 #ifndef OPENSSL_NO_SRTP
896 if (SSL_IS_DTLS(s
) && SSL_get_srtp_profiles(s
)) {
899 ssl_add_clienthello_use_srtp_ext(s
, 0, &el
, 0);
901 if ((size_t)(limit
- ret
) < 4 + el
)
904 s2n(TLSEXT_TYPE_use_srtp
, ret
);
907 if (ssl_add_clienthello_use_srtp_ext(s
, ret
, &el
, el
)) {
908 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT
,
909 ERR_R_INTERNAL_ERROR
);
917 * Add padding to workaround bugs in F5 terminators.
918 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
920 * Note that this seems to trigger issues with IronPort SMTP
923 * NB: because this code works out the length of all existing
924 * extensions it MUST always appear last.
926 if (s
->options
& SSL_OP_TLSEXT_PADDING
) {
927 int hlen
= ret
- (unsigned char *)s
->init_buf
->data
;
930 * The code in s23_clnt.c to build ClientHello messages
931 * includes the 5-byte record header in the buffer, while the
932 * code in s3_clnt.c does not.
934 if (s
->state
== SSL23_ST_CW_CLNT_HELLO_A
)
936 if (hlen
> 0xff && hlen
< 0x200) {
943 s2n(TLSEXT_TYPE_padding
, ret
);
945 memset(ret
, 0, hlen
);
950 if ((extdatalen
= ret
- p
- 2) == 0)
958 ssl_add_serverhello_tlsext(SSL
*s
, unsigned char *p
, unsigned char *limit
)
960 int using_ecc
, extdatalen
= 0;
961 unsigned long alg_a
, alg_k
;
962 unsigned char *ret
= p
;
963 int next_proto_neg_seen
;
965 alg_a
= s
->s3
->tmp
.new_cipher
->algorithm_auth
;
966 alg_k
= s
->s3
->tmp
.new_cipher
->algorithm_mkey
;
967 using_ecc
= (alg_k
& (SSL_kECDHE
|SSL_kECDHr
|SSL_kECDHe
) ||
968 alg_a
& SSL_aECDSA
) &&
969 s
->session
->tlsext_ecpointformatlist
!= NULL
;
973 return NULL
; /* this really never occurs, but ... */
975 if (!s
->hit
&& s
->servername_done
== 1 &&
976 s
->session
->tlsext_hostname
!= NULL
) {
977 if ((size_t)(limit
- ret
) < 4)
980 s2n(TLSEXT_TYPE_server_name
, ret
);
984 if (s
->s3
->send_connection_binding
) {
987 if (!ssl_add_serverhello_renegotiate_ext(s
, 0, &el
, 0)) {
988 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT
,
989 ERR_R_INTERNAL_ERROR
);
993 if ((size_t)(limit
- ret
) < 4 + el
)
996 s2n(TLSEXT_TYPE_renegotiate
, ret
);
999 if (!ssl_add_serverhello_renegotiate_ext(s
, ret
, &el
, el
)) {
1000 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT
,
1001 ERR_R_INTERNAL_ERROR
);
1008 if (using_ecc
&& s
->version
!= DTLS1_VERSION
) {
1009 const unsigned char *formats
;
1010 size_t formatslen
, lenmax
;
1013 * Add TLS extension ECPointFormats to the ServerHello message.
1015 tls1_get_formatlist(s
, 0, &formats
, &formatslen
);
1017 if ((size_t)(limit
- ret
) < 5)
1020 lenmax
= limit
- ret
- 5;
1021 if (formatslen
> lenmax
)
1023 if (formatslen
> 255) {
1024 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT
,
1025 ERR_R_INTERNAL_ERROR
);
1029 s2n(TLSEXT_TYPE_ec_point_formats
, ret
);
1030 s2n(formatslen
+ 1, ret
);
1031 *(ret
++) = (unsigned char)formatslen
;
1032 memcpy(ret
, formats
, formatslen
);
1037 * Currently the server should not respond with a SupportedCurves
1041 if (s
->tlsext_ticket_expected
&&
1042 !(SSL_get_options(s
) & SSL_OP_NO_TICKET
)) {
1043 if ((size_t)(limit
- ret
) < 4)
1046 s2n(TLSEXT_TYPE_session_ticket
, ret
);
1050 if (s
->tlsext_status_expected
) {
1051 if ((size_t)(limit
- ret
) < 4)
1054 s2n(TLSEXT_TYPE_status_request
, ret
);
1058 #ifndef OPENSSL_NO_SRTP
1059 if (SSL_IS_DTLS(s
) && s
->srtp_profile
) {
1062 ssl_add_serverhello_use_srtp_ext(s
, 0, &el
, 0);
1064 if ((size_t)(limit
- ret
) < 4 + el
)
1067 s2n(TLSEXT_TYPE_use_srtp
, ret
);
1070 if (ssl_add_serverhello_use_srtp_ext(s
, ret
, &el
, el
)) {
1071 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT
,
1072 ERR_R_INTERNAL_ERROR
);
1079 if (((s
->s3
->tmp
.new_cipher
->id
& 0xFFFF) == 0x80 ||
1080 (s
->s3
->tmp
.new_cipher
->id
& 0xFFFF) == 0x81) &&
1081 (SSL_get_options(s
) & SSL_OP_CRYPTOPRO_TLSEXT_BUG
)) {
1082 static const unsigned char cryptopro_ext
[36] = {
1083 0xfd, 0xe8, /*65000*/
1084 0x00, 0x20, /*32 bytes length*/
1085 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1086 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1087 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1088 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1090 if ((size_t)(limit
- ret
) < sizeof(cryptopro_ext
))
1092 memcpy(ret
, cryptopro_ext
, sizeof(cryptopro_ext
));
1093 ret
+= sizeof(cryptopro_ext
);
1096 next_proto_neg_seen
= s
->s3
->next_proto_neg_seen
;
1097 s
->s3
->next_proto_neg_seen
= 0;
1098 if (next_proto_neg_seen
&& s
->ctx
->next_protos_advertised_cb
) {
1099 const unsigned char *npa
;
1100 unsigned int npalen
;
1103 r
= s
->ctx
->next_protos_advertised_cb(s
, &npa
, &npalen
,
1104 s
->ctx
->next_protos_advertised_cb_arg
);
1105 if (r
== SSL_TLSEXT_ERR_OK
) {
1106 if ((size_t)(limit
- ret
) < 4 + npalen
)
1108 s2n(TLSEXT_TYPE_next_proto_neg
, ret
);
1110 memcpy(ret
, npa
, npalen
);
1112 s
->s3
->next_proto_neg_seen
= 1;
1116 if (s
->s3
->alpn_selected
!= NULL
) {
1117 const unsigned char *selected
= s
->s3
->alpn_selected
;
1118 unsigned int len
= s
->s3
->alpn_selected_len
;
1120 if ((long)(limit
- ret
- 4 - 2 - 1 - len
) < 0)
1122 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation
, ret
);
1126 memcpy(ret
, selected
, len
);
1130 if ((extdatalen
= ret
- p
- 2) == 0)
1138 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1140 * data: the contents of the extension, not including the type and length.
1141 * data_len: the number of bytes in data.
1142 * al: a pointer to the alert value to send in the event of a non-zero
1144 * returns: 1 on success.
1147 tls1_alpn_handle_client_hello(SSL
*s
, const unsigned char *data
,
1148 unsigned int data_len
, int *al
)
1150 CBS cbs
, proto_name_list
, alpn
;
1151 const unsigned char *selected
;
1152 unsigned char selected_len
;
1155 if (s
->ctx
->alpn_select_cb
== NULL
)
1161 CBS_init(&cbs
, data
, data_len
);
1164 * data should contain a uint16 length followed by a series of 8-bit,
1165 * length-prefixed strings.
1167 if (!CBS_get_u16_length_prefixed(&cbs
, &alpn
) ||
1168 CBS_len(&alpn
) < 2 ||
1172 /* Validate data before sending to callback. */
1173 CBS_dup(&alpn
, &proto_name_list
);
1174 while (CBS_len(&proto_name_list
) > 0) {
1177 if (!CBS_get_u8_length_prefixed(&proto_name_list
, &proto_name
) ||
1178 CBS_len(&proto_name
) == 0)
1182 r
= s
->ctx
->alpn_select_cb(s
, &selected
, &selected_len
,
1183 CBS_data(&alpn
), CBS_len(&alpn
), s
->ctx
->alpn_select_cb_arg
);
1184 if (r
== SSL_TLSEXT_ERR_OK
) {
1185 free(s
->s3
->alpn_selected
);
1186 if ((s
->s3
->alpn_selected
= malloc(selected_len
)) == NULL
) {
1187 *al
= SSL_AD_INTERNAL_ERROR
;
1190 memcpy(s
->s3
->alpn_selected
, selected
, selected_len
);
1191 s
->s3
->alpn_selected_len
= selected_len
;
1197 *al
= SSL_AD_DECODE_ERROR
;
1202 ssl_parse_clienthello_tlsext(SSL
*s
, unsigned char **p
, unsigned char *d
,
1205 unsigned short type
;
1206 unsigned short size
;
1208 unsigned char *data
= *p
;
1209 int renegotiate_seen
= 0;
1210 int sigalg_seen
= 0;
1212 s
->servername_done
= 0;
1213 s
->tlsext_status_type
= -1;
1214 s
->s3
->next_proto_neg_seen
= 0;
1215 free(s
->s3
->alpn_selected
);
1216 s
->s3
->alpn_selected
= NULL
;
1218 if (data
>= (d
+ n
- 2))
1222 if (data
> (d
+ n
- len
))
1225 while (data
<= (d
+ n
- 4)) {
1229 if (data
+ size
> (d
+ n
))
1231 if (s
->tlsext_debug_cb
)
1232 s
->tlsext_debug_cb(s
, 0, type
, data
, size
,
1233 s
->tlsext_debug_arg
);
1234 /* The servername extension is treated as follows:
1236 - Only the hostname type is supported with a maximum length of 255.
1237 - The servername is rejected if too long or if it contains zeros,
1238 in which case an fatal alert is generated.
1239 - The servername field is maintained together with the session cache.
1240 - When a session is resumed, the servername call back invoked in order
1241 to allow the application to position itself to the right context.
1242 - The servername is acknowledged if it is new for a session or when
1243 it is identical to a previously used for the same session.
1244 Applications can control the behaviour. They can at any time
1245 set a 'desirable' servername for a new SSL object. This can be the
1246 case for example with HTTPS when a Host: header field is received and
1247 a renegotiation is requested. In this case, a possible servername
1248 presented in the new client hello is only acknowledged if it matches
1249 the value of the Host: field.
1250 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1251 if they provide for changing an explicit servername context for the session,
1252 i.e. when the session has been established with a servername extension.
1253 - On session reconnect, the servername extension may be absent.
1257 if (type
== TLSEXT_TYPE_server_name
) {
1258 unsigned char *sdata
;
1263 *al
= SSL_AD_DECODE_ERROR
;
1270 *al
= SSL_AD_DECODE_ERROR
;
1276 servname_type
= *(sdata
++);
1282 *al
= SSL_AD_DECODE_ERROR
;
1285 if (s
->servername_done
== 0)
1286 switch (servname_type
) {
1287 case TLSEXT_NAMETYPE_host_name
:
1289 if (s
->session
->tlsext_hostname
) {
1290 *al
= SSL_AD_DECODE_ERROR
;
1293 if (len
> TLSEXT_MAXLEN_host_name
) {
1294 *al
= TLS1_AD_UNRECOGNIZED_NAME
;
1297 if ((s
->session
->tlsext_hostname
=
1298 malloc(len
+ 1)) == NULL
) {
1299 *al
= TLS1_AD_INTERNAL_ERROR
;
1302 memcpy(s
->session
->tlsext_hostname
, sdata
, len
);
1303 s
->session
->tlsext_hostname
[len
] = '\0';
1304 if (strlen(s
->session
->tlsext_hostname
) != len
) {
1305 free(s
->session
->tlsext_hostname
);
1306 s
->session
->tlsext_hostname
= NULL
;
1307 *al
= TLS1_AD_UNRECOGNIZED_NAME
;
1310 s
->servername_done
= 1;
1314 s
->servername_done
= s
->session
->tlsext_hostname
&&
1315 strlen(s
->session
->tlsext_hostname
) == len
&&
1316 strncmp(s
->session
->tlsext_hostname
, (char *)sdata
, len
) == 0;
1327 *al
= SSL_AD_DECODE_ERROR
;
1333 else if (type
== TLSEXT_TYPE_ec_point_formats
&&
1334 s
->version
!= DTLS1_VERSION
) {
1335 unsigned char *sdata
= data
;
1340 *al
= TLS1_AD_DECODE_ERROR
;
1343 formatslen
= *(sdata
++);
1344 if (formatslen
!= size
- 1) {
1345 *al
= TLS1_AD_DECODE_ERROR
;
1350 free(s
->session
->tlsext_ecpointformatlist
);
1351 s
->session
->tlsext_ecpointformatlist
= NULL
;
1352 s
->session
->tlsext_ecpointformatlist_length
= 0;
1354 if ((formats
= reallocarray(NULL
, formatslen
,
1355 sizeof(uint8_t))) == NULL
) {
1356 *al
= TLS1_AD_INTERNAL_ERROR
;
1359 memcpy(formats
, sdata
, formatslen
);
1360 s
->session
->tlsext_ecpointformatlist
= formats
;
1361 s
->session
->tlsext_ecpointformatlist_length
=
1364 } else if (type
== TLSEXT_TYPE_elliptic_curves
&&
1365 s
->version
!= DTLS1_VERSION
) {
1366 unsigned char *sdata
= data
;
1367 size_t curveslen
, i
;
1371 *al
= TLS1_AD_DECODE_ERROR
;
1374 n2s(sdata
, curveslen
);
1375 if (curveslen
!= size
- 2 || curveslen
% 2 != 0) {
1376 *al
= TLS1_AD_DECODE_ERROR
;
1382 if (s
->session
->tlsext_ellipticcurvelist
) {
1383 *al
= TLS1_AD_DECODE_ERROR
;
1386 s
->session
->tlsext_ellipticcurvelist_length
= 0;
1387 if ((curves
= reallocarray(NULL
, curveslen
,
1388 sizeof(uint16_t))) == NULL
) {
1389 *al
= TLS1_AD_INTERNAL_ERROR
;
1392 for (i
= 0; i
< curveslen
; i
++)
1393 n2s(sdata
, curves
[i
]);
1394 s
->session
->tlsext_ellipticcurvelist
= curves
;
1395 s
->session
->tlsext_ellipticcurvelist_length
= curveslen
;
1398 else if (type
== TLSEXT_TYPE_session_ticket
) {
1399 if (s
->tls_session_ticket_ext_cb
&&
1400 !s
->tls_session_ticket_ext_cb(s
, data
, size
, s
->tls_session_ticket_ext_cb_arg
)) {
1401 *al
= TLS1_AD_INTERNAL_ERROR
;
1404 } else if (type
== TLSEXT_TYPE_renegotiate
) {
1405 if (!ssl_parse_clienthello_renegotiate_ext(s
, data
, size
, al
))
1407 renegotiate_seen
= 1;
1408 } else if (type
== TLSEXT_TYPE_signature_algorithms
) {
1410 if (sigalg_seen
|| size
< 2) {
1411 *al
= SSL_AD_DECODE_ERROR
;
1417 if (dsize
!= size
|| dsize
& 1) {
1418 *al
= SSL_AD_DECODE_ERROR
;
1421 if (!tls1_process_sigalgs(s
, data
, dsize
)) {
1422 *al
= SSL_AD_DECODE_ERROR
;
1425 } else if (type
== TLSEXT_TYPE_status_request
&&
1426 s
->version
!= DTLS1_VERSION
) {
1429 *al
= SSL_AD_DECODE_ERROR
;
1433 s
->tlsext_status_type
= *data
++;
1435 if (s
->tlsext_status_type
== TLSEXT_STATUSTYPE_ocsp
) {
1436 const unsigned char *sdata
;
1438 /* Read in responder_id_list */
1441 if (dsize
> size
) {
1442 *al
= SSL_AD_DECODE_ERROR
;
1449 *al
= SSL_AD_DECODE_ERROR
;
1453 dsize
-= 2 + idsize
;
1456 *al
= SSL_AD_DECODE_ERROR
;
1461 id
= d2i_OCSP_RESPID(NULL
,
1464 *al
= SSL_AD_DECODE_ERROR
;
1467 if (data
!= sdata
) {
1468 OCSP_RESPID_free(id
);
1469 *al
= SSL_AD_DECODE_ERROR
;
1472 if (!s
->tlsext_ocsp_ids
&&
1473 !(s
->tlsext_ocsp_ids
=
1474 sk_OCSP_RESPID_new_null())) {
1475 OCSP_RESPID_free(id
);
1476 *al
= SSL_AD_INTERNAL_ERROR
;
1479 if (!sk_OCSP_RESPID_push(
1480 s
->tlsext_ocsp_ids
, id
)) {
1481 OCSP_RESPID_free(id
);
1482 *al
= SSL_AD_INTERNAL_ERROR
;
1487 /* Read in request_extensions */
1489 *al
= SSL_AD_DECODE_ERROR
;
1494 if (dsize
!= size
) {
1495 *al
= SSL_AD_DECODE_ERROR
;
1500 if (s
->tlsext_ocsp_exts
) {
1501 sk_X509_EXTENSION_pop_free(s
->tlsext_ocsp_exts
,
1502 X509_EXTENSION_free
);
1505 s
->tlsext_ocsp_exts
=
1506 d2i_X509_EXTENSIONS(NULL
,
1508 if (!s
->tlsext_ocsp_exts
||
1509 (data
+ dsize
!= sdata
)) {
1510 *al
= SSL_AD_DECODE_ERROR
;
1515 /* We don't know what to do with any other type
1518 s
->tlsext_status_type
= -1;
1521 else if (type
== TLSEXT_TYPE_next_proto_neg
&&
1522 s
->s3
->tmp
.finish_md_len
== 0 &&
1523 s
->s3
->alpn_selected
== NULL
) {
1524 /* We shouldn't accept this extension on a
1527 * s->new_session will be set on renegotiation, but we
1528 * probably shouldn't rely that it couldn't be set on
1529 * the initial renegotation too in certain cases (when
1530 * there's some other reason to disallow resuming an
1531 * earlier session -- the current code won't be doing
1532 * anything like that, but this might change).
1534 * A valid sign that there's been a previous handshake
1535 * in this connection is if s->s3->tmp.finish_md_len >
1536 * 0. (We are talking about a check that will happen
1537 * in the Hello protocol round, well before a new
1538 * Finished message could have been computed.) */
1539 s
->s3
->next_proto_neg_seen
= 1;
1542 TLSEXT_TYPE_application_layer_protocol_negotiation
&&
1543 s
->ctx
->alpn_select_cb
!= NULL
&&
1544 s
->s3
->tmp
.finish_md_len
== 0) {
1545 if (tls1_alpn_handle_client_hello(s
, data
,
1548 /* ALPN takes precedence over NPN. */
1549 s
->s3
->next_proto_neg_seen
= 0;
1552 /* session ticket processed earlier */
1553 #ifndef OPENSSL_NO_SRTP
1554 else if (SSL_IS_DTLS(s
) && type
== TLSEXT_TYPE_use_srtp
) {
1555 if (ssl_parse_clienthello_use_srtp_ext(s
, data
, size
, al
))
1567 /* Need RI if renegotiating */
1569 if (!renegotiate_seen
&& s
->renegotiate
) {
1570 *al
= SSL_AD_HANDSHAKE_FAILURE
;
1571 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT
,
1572 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
);
1580 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1581 * elements of zero length are allowed and the set of elements must exactly fill
1582 * the length of the block.
1585 ssl_next_proto_validate(const unsigned char *d
, unsigned int len
)
1589 CBS_init(&npn
, d
, len
);
1590 while (CBS_len(&npn
) > 0) {
1591 if (!CBS_get_u8_length_prefixed(&npn
, &value
) ||
1592 CBS_len(&value
) == 0)
1599 ssl_parse_serverhello_tlsext(SSL
*s
, unsigned char **p
, unsigned char *d
,
1602 unsigned short length
;
1603 unsigned short type
;
1604 unsigned short size
;
1605 unsigned char *data
= *p
;
1606 int tlsext_servername
= 0;
1607 int renegotiate_seen
= 0;
1609 s
->s3
->next_proto_neg_seen
= 0;
1610 free(s
->s3
->alpn_selected
);
1611 s
->s3
->alpn_selected
= NULL
;
1613 if (data
>= (d
+ n
- 2))
1617 if (data
+ length
!= d
+ n
) {
1618 *al
= SSL_AD_DECODE_ERROR
;
1622 while (data
<= (d
+ n
- 4)) {
1626 if (data
+ size
> (d
+ n
))
1629 if (s
->tlsext_debug_cb
)
1630 s
->tlsext_debug_cb(s
, 1, type
, data
, size
,
1631 s
->tlsext_debug_arg
);
1633 if (type
== TLSEXT_TYPE_server_name
) {
1634 if (s
->tlsext_hostname
== NULL
|| size
> 0) {
1635 *al
= TLS1_AD_UNRECOGNIZED_NAME
;
1638 tlsext_servername
= 1;
1641 else if (type
== TLSEXT_TYPE_ec_point_formats
&&
1642 s
->version
!= DTLS1_VERSION
) {
1643 unsigned char *sdata
= data
;
1648 *al
= TLS1_AD_DECODE_ERROR
;
1651 formatslen
= *(sdata
++);
1652 if (formatslen
!= size
- 1) {
1653 *al
= TLS1_AD_DECODE_ERROR
;
1658 free(s
->session
->tlsext_ecpointformatlist
);
1659 s
->session
->tlsext_ecpointformatlist
= NULL
;
1660 s
->session
->tlsext_ecpointformatlist_length
= 0;
1662 if ((formats
= reallocarray(NULL
, formatslen
,
1663 sizeof(uint8_t))) == NULL
) {
1664 *al
= TLS1_AD_INTERNAL_ERROR
;
1667 memcpy(formats
, sdata
, formatslen
);
1668 s
->session
->tlsext_ecpointformatlist
= formats
;
1669 s
->session
->tlsext_ecpointformatlist_length
=
1673 else if (type
== TLSEXT_TYPE_session_ticket
) {
1674 if (s
->tls_session_ticket_ext_cb
&&
1675 !s
->tls_session_ticket_ext_cb(s
, data
, size
, s
->tls_session_ticket_ext_cb_arg
)) {
1676 *al
= TLS1_AD_INTERNAL_ERROR
;
1679 if ((SSL_get_options(s
) & SSL_OP_NO_TICKET
) || (size
> 0)) {
1680 *al
= TLS1_AD_UNSUPPORTED_EXTENSION
;
1683 s
->tlsext_ticket_expected
= 1;
1685 else if (type
== TLSEXT_TYPE_status_request
&&
1686 s
->version
!= DTLS1_VERSION
) {
1687 /* MUST be empty and only sent if we've requested
1688 * a status request message.
1690 if ((s
->tlsext_status_type
== -1) || (size
> 0)) {
1691 *al
= TLS1_AD_UNSUPPORTED_EXTENSION
;
1694 /* Set flag to expect CertificateStatus message */
1695 s
->tlsext_status_expected
= 1;
1697 else if (type
== TLSEXT_TYPE_next_proto_neg
&&
1698 s
->s3
->tmp
.finish_md_len
== 0) {
1699 unsigned char *selected
;
1700 unsigned char selected_len
;
1702 /* We must have requested it. */
1703 if (s
->ctx
->next_proto_select_cb
== NULL
) {
1704 *al
= TLS1_AD_UNSUPPORTED_EXTENSION
;
1707 /* The data must be valid */
1708 if (!ssl_next_proto_validate(data
, size
)) {
1709 *al
= TLS1_AD_DECODE_ERROR
;
1712 if (s
->ctx
->next_proto_select_cb(s
, &selected
, &selected_len
, data
, size
, s
->ctx
->next_proto_select_cb_arg
) != SSL_TLSEXT_ERR_OK
) {
1713 *al
= TLS1_AD_INTERNAL_ERROR
;
1716 s
->next_proto_negotiated
= malloc(selected_len
);
1717 if (!s
->next_proto_negotiated
) {
1718 *al
= TLS1_AD_INTERNAL_ERROR
;
1721 memcpy(s
->next_proto_negotiated
, selected
, selected_len
);
1722 s
->next_proto_negotiated_len
= selected_len
;
1723 s
->s3
->next_proto_neg_seen
= 1;
1726 TLSEXT_TYPE_application_layer_protocol_negotiation
) {
1729 /* We must have requested it. */
1730 if (s
->alpn_client_proto_list
== NULL
) {
1731 *al
= TLS1_AD_UNSUPPORTED_EXTENSION
;
1735 *al
= TLS1_AD_DECODE_ERROR
;
1739 /* The extension data consists of:
1740 * uint16 list_length
1741 * uint8 proto_length;
1742 * uint8 proto[proto_length]; */
1743 len
= ((unsigned int)data
[0]) << 8 |
1744 ((unsigned int)data
[1]);
1745 if (len
!= (unsigned int)size
- 2) {
1746 *al
= TLS1_AD_DECODE_ERROR
;
1750 if (len
!= (unsigned int)size
- 3) {
1751 *al
= TLS1_AD_DECODE_ERROR
;
1754 free(s
->s3
->alpn_selected
);
1755 s
->s3
->alpn_selected
= malloc(len
);
1756 if (s
->s3
->alpn_selected
== NULL
) {
1757 *al
= TLS1_AD_INTERNAL_ERROR
;
1760 memcpy(s
->s3
->alpn_selected
, data
+ 3, len
);
1761 s
->s3
->alpn_selected_len
= len
;
1763 } else if (type
== TLSEXT_TYPE_renegotiate
) {
1764 if (!ssl_parse_serverhello_renegotiate_ext(s
, data
, size
, al
))
1766 renegotiate_seen
= 1;
1768 #ifndef OPENSSL_NO_SRTP
1769 else if (SSL_IS_DTLS(s
) && type
== TLSEXT_TYPE_use_srtp
) {
1770 if (ssl_parse_serverhello_use_srtp_ext(s
, data
,
1780 if (data
!= d
+ n
) {
1781 *al
= SSL_AD_DECODE_ERROR
;
1785 if (!s
->hit
&& tlsext_servername
== 1) {
1786 if (s
->tlsext_hostname
) {
1787 if (s
->session
->tlsext_hostname
== NULL
) {
1788 s
->session
->tlsext_hostname
=
1789 strdup(s
->tlsext_hostname
);
1791 if (!s
->session
->tlsext_hostname
) {
1792 *al
= SSL_AD_UNRECOGNIZED_NAME
;
1796 *al
= SSL_AD_DECODE_ERROR
;
1806 /* Determine if we need to see RI. Strictly speaking if we want to
1807 * avoid an attack we should *always* see RI even on initial server
1808 * hello because the client doesn't see any renegotiation during an
1809 * attack. However this would mean we could not connect to any server
1810 * which doesn't support RI so for the immediate future tolerate RI
1811 * absence on initial connect only.
1813 if (!renegotiate_seen
&& !(s
->options
& SSL_OP_LEGACY_SERVER_CONNECT
)) {
1814 *al
= SSL_AD_HANDSHAKE_FAILURE
;
1815 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT
,
1816 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
);
1824 ssl_check_clienthello_tlsext_early(SSL
*s
)
1826 int ret
= SSL_TLSEXT_ERR_NOACK
;
1827 int al
= SSL_AD_UNRECOGNIZED_NAME
;
1829 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1830 * ssl3_choose_cipher in s3_lib.c.
1832 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1833 * ssl3_choose_cipher in s3_lib.c.
1836 if (s
->ctx
!= NULL
&& s
->ctx
->tlsext_servername_callback
!= 0)
1837 ret
= s
->ctx
->tlsext_servername_callback(s
, &al
, s
->ctx
->tlsext_servername_arg
);
1838 else if (s
->initial_ctx
!= NULL
&& s
->initial_ctx
->tlsext_servername_callback
!= 0)
1839 ret
= s
->initial_ctx
->tlsext_servername_callback(s
, &al
, s
->initial_ctx
->tlsext_servername_arg
);
1842 case SSL_TLSEXT_ERR_ALERT_FATAL
:
1843 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1845 case SSL_TLSEXT_ERR_ALERT_WARNING
:
1846 ssl3_send_alert(s
, SSL3_AL_WARNING
, al
);
1848 case SSL_TLSEXT_ERR_NOACK
:
1849 s
->servername_done
= 0;
1856 ssl_check_clienthello_tlsext_late(SSL
*s
)
1858 int ret
= SSL_TLSEXT_ERR_OK
;
1859 int al
= 0; /* XXX gcc3 */
1861 /* If status request then ask callback what to do.
1862 * Note: this must be called after servername callbacks in case
1863 * the certificate has changed, and must be called after the cipher
1864 * has been chosen because this may influence which certificate is sent
1866 if ((s
->tlsext_status_type
!= -1) &&
1867 s
->ctx
&& s
->ctx
->tlsext_status_cb
) {
1869 CERT_PKEY
*certpkey
;
1870 certpkey
= ssl_get_server_send_pkey(s
);
1871 /* If no certificate can't return certificate status */
1872 if (certpkey
== NULL
) {
1873 s
->tlsext_status_expected
= 0;
1876 /* Set current certificate to one we will use so
1877 * SSL_get_certificate et al can pick it up.
1879 s
->cert
->key
= certpkey
;
1880 r
= s
->ctx
->tlsext_status_cb(s
, s
->ctx
->tlsext_status_arg
);
1882 /* We don't want to send a status request response */
1883 case SSL_TLSEXT_ERR_NOACK
:
1884 s
->tlsext_status_expected
= 0;
1886 /* status request response should be sent */
1887 case SSL_TLSEXT_ERR_OK
:
1888 if (s
->tlsext_ocsp_resp
)
1889 s
->tlsext_status_expected
= 1;
1891 s
->tlsext_status_expected
= 0;
1893 /* something bad happened */
1894 case SSL_TLSEXT_ERR_ALERT_FATAL
:
1895 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
1896 al
= SSL_AD_INTERNAL_ERROR
;
1900 s
->tlsext_status_expected
= 0;
1904 case SSL_TLSEXT_ERR_ALERT_FATAL
:
1905 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1907 case SSL_TLSEXT_ERR_ALERT_WARNING
:
1908 ssl3_send_alert(s
, SSL3_AL_WARNING
, al
);
1916 ssl_check_serverhello_tlsext(SSL
*s
)
1918 int ret
= SSL_TLSEXT_ERR_NOACK
;
1919 int al
= SSL_AD_UNRECOGNIZED_NAME
;
1921 /* If we are client and using an elliptic curve cryptography cipher
1922 * suite, then if server returns an EC point formats lists extension
1923 * it must contain uncompressed.
1925 unsigned long alg_k
= s
->s3
->tmp
.new_cipher
->algorithm_mkey
;
1926 unsigned long alg_a
= s
->s3
->tmp
.new_cipher
->algorithm_auth
;
1927 if ((s
->tlsext_ecpointformatlist
!= NULL
) &&
1928 (s
->tlsext_ecpointformatlist_length
> 0) &&
1929 (s
->session
->tlsext_ecpointformatlist
!= NULL
) &&
1930 (s
->session
->tlsext_ecpointformatlist_length
> 0) &&
1931 ((alg_k
& (SSL_kECDHE
|SSL_kECDHr
|SSL_kECDHe
)) || (alg_a
& SSL_aECDSA
))) {
1932 /* we are using an ECC cipher */
1934 unsigned char *list
;
1935 int found_uncompressed
= 0;
1936 list
= s
->session
->tlsext_ecpointformatlist
;
1937 for (i
= 0; i
< s
->session
->tlsext_ecpointformatlist_length
; i
++) {
1938 if (*(list
++) == TLSEXT_ECPOINTFORMAT_uncompressed
) {
1939 found_uncompressed
= 1;
1943 if (!found_uncompressed
) {
1944 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT
, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST
);
1948 ret
= SSL_TLSEXT_ERR_OK
;
1950 if (s
->ctx
!= NULL
&& s
->ctx
->tlsext_servername_callback
!= 0)
1951 ret
= s
->ctx
->tlsext_servername_callback(s
, &al
, s
->ctx
->tlsext_servername_arg
);
1952 else if (s
->initial_ctx
!= NULL
&& s
->initial_ctx
->tlsext_servername_callback
!= 0)
1953 ret
= s
->initial_ctx
->tlsext_servername_callback(s
, &al
, s
->initial_ctx
->tlsext_servername_arg
);
1955 /* If we've requested certificate status and we wont get one
1958 if ((s
->tlsext_status_type
!= -1) && !(s
->tlsext_status_expected
) &&
1959 s
->ctx
&& s
->ctx
->tlsext_status_cb
) {
1961 /* Set resp to NULL, resplen to -1 so callback knows
1962 * there is no response.
1964 free(s
->tlsext_ocsp_resp
);
1965 s
->tlsext_ocsp_resp
= NULL
;
1966 s
->tlsext_ocsp_resplen
= -1;
1967 r
= s
->ctx
->tlsext_status_cb(s
, s
->ctx
->tlsext_status_arg
);
1969 al
= SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE
;
1970 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
1973 al
= SSL_AD_INTERNAL_ERROR
;
1974 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
1979 case SSL_TLSEXT_ERR_ALERT_FATAL
:
1980 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1983 case SSL_TLSEXT_ERR_ALERT_WARNING
:
1984 ssl3_send_alert(s
, SSL3_AL_WARNING
, al
);
1987 case SSL_TLSEXT_ERR_NOACK
:
1988 s
->servername_done
= 0;
1994 /* Since the server cache lookup is done early on in the processing of the
1995 * ClientHello, and other operations depend on the result, we need to handle
1996 * any TLS session ticket extension at the same time.
1998 * session_id: points at the session ID in the ClientHello. This code will
1999 * read past the end of this in order to parse out the session ticket
2000 * extension, if any.
2001 * len: the length of the session ID.
2002 * limit: a pointer to the first byte after the ClientHello.
2003 * ret: (output) on return, if a ticket was decrypted, then this is set to
2004 * point to the resulting session.
2006 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2007 * ciphersuite, in which case we have no use for session tickets and one will
2008 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2011 * -1: fatal error, either from parsing or decrypting the ticket.
2012 * 0: no ticket was found (or was ignored, based on settings).
2013 * 1: a zero length extension was found, indicating that the client supports
2014 * session tickets but doesn't currently have one to offer.
2015 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2016 * couldn't be decrypted because of a non-fatal error.
2017 * 3: a ticket was successfully decrypted and *ret was set.
2020 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2021 * a new session ticket to the client because the client indicated support
2022 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2023 * a session ticket or we couldn't use the one it gave us, or if
2024 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2025 * Otherwise, s->tlsext_ticket_expected is set to 0.
2028 tls1_process_ticket(SSL
*s
, const unsigned char *session
, int session_len
,
2029 const unsigned char *limit
, SSL_SESSION
**ret
)
2031 /* Point after session ID in client hello */
2032 CBS session_id
, cookie
, cipher_list
, compress_algo
, extensions
;
2035 s
->tlsext_ticket_expected
= 0;
2037 /* If tickets disabled behave as if no ticket present
2038 * to permit stateful resumption.
2040 if (SSL_get_options(s
) & SSL_OP_NO_TICKET
)
2045 if (limit
< session
)
2048 CBS_init(&session_id
, session
, limit
- session
);
2050 /* Skip past the session id */
2051 if (!CBS_skip(&session_id
, session_len
))
2054 /* Skip past DTLS cookie */
2055 if (SSL_IS_DTLS(s
)) {
2056 if (!CBS_get_u8_length_prefixed(&session_id
, &cookie
))
2060 /* Skip past cipher list */
2061 if (!CBS_get_u16_length_prefixed(&session_id
, &cipher_list
))
2064 /* Skip past compression algorithm list */
2065 if (!CBS_get_u8_length_prefixed(&session_id
, &compress_algo
))
2068 /* Now at start of extensions */
2069 if (CBS_len(&session_id
) == 0)
2071 if (!CBS_get_u16_length_prefixed(&session_id
, &extensions
))
2074 while (CBS_len(&extensions
) > 0) {
2078 if (!CBS_get_u16(&extensions
, &ext_type
) ||
2079 !CBS_get_u16_length_prefixed(&extensions
, &ext_data
))
2082 if (ext_type
== TLSEXT_TYPE_session_ticket
) {
2084 if (CBS_len(&ext_data
) == 0) {
2085 /* The client will accept a ticket but doesn't
2086 * currently have one. */
2087 s
->tlsext_ticket_expected
= 1;
2090 if (s
->tls_session_secret_cb
) {
2091 /* Indicate that the ticket couldn't be
2092 * decrypted rather than generating the session
2093 * from ticket now, trigger abbreviated
2094 * handshake based on external mechanism to
2095 * calculate the master secret later. */
2099 r
= tls_decrypt_ticket(s
, CBS_data(&ext_data
),
2100 CBS_len(&ext_data
), session
, session_len
, ret
);
2103 case 2: /* ticket couldn't be decrypted */
2104 s
->tlsext_ticket_expected
= 1;
2106 case 3: /* ticket was decrypted */
2108 case 4: /* ticket decrypted but need to renew */
2109 s
->tlsext_ticket_expected
= 1;
2111 default: /* fatal error */
2119 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2121 * etick: points to the body of the session ticket extension.
2122 * eticklen: the length of the session tickets extenion.
2123 * sess_id: points at the session ID.
2124 * sesslen: the length of the session ID.
2125 * psess: (output) on return, if a ticket was decrypted, then this is set to
2126 * point to the resulting session.
2129 * -1: fatal error, either from parsing or decrypting the ticket.
2130 * 2: the ticket couldn't be decrypted.
2131 * 3: a ticket was successfully decrypted and *psess was set.
2132 * 4: same as 3, but the ticket needs to be renewed.
2135 tls_decrypt_ticket(SSL
*s
, const unsigned char *etick
, int eticklen
,
2136 const unsigned char *sess_id
, int sesslen
, SSL_SESSION
**psess
)
2139 unsigned char *sdec
;
2140 const unsigned char *p
;
2141 int slen
, mlen
, renew_ticket
= 0;
2142 unsigned char tick_hmac
[EVP_MAX_MD_SIZE
];
2145 SSL_CTX
*tctx
= s
->initial_ctx
;
2146 /* Need at least keyname + iv + some encrypted data */
2149 /* Initialize session ticket encryption and HMAC contexts */
2150 HMAC_CTX_init(&hctx
);
2151 EVP_CIPHER_CTX_init(&ctx
);
2152 if (tctx
->tlsext_ticket_key_cb
) {
2153 unsigned char *nctick
= (unsigned char *)etick
;
2154 int rv
= tctx
->tlsext_ticket_key_cb(s
, nctick
, nctick
+ 16,
2157 EVP_CIPHER_CTX_cleanup(&ctx
);
2161 EVP_CIPHER_CTX_cleanup(&ctx
);
2167 /* Check key name matches */
2168 if (timingsafe_memcmp(etick
, tctx
->tlsext_tick_key_name
, 16))
2170 HMAC_Init_ex(&hctx
, tctx
->tlsext_tick_hmac_key
, 16,
2171 tlsext_tick_md(), NULL
);
2172 EVP_DecryptInit_ex(&ctx
, EVP_aes_128_cbc(), NULL
,
2173 tctx
->tlsext_tick_aes_key
, etick
+ 16);
2175 /* Attempt to process session ticket, first conduct sanity and
2176 * integrity checks on ticket.
2178 mlen
= HMAC_size(&hctx
);
2180 EVP_CIPHER_CTX_cleanup(&ctx
);
2184 /* Check HMAC of encrypted ticket */
2185 HMAC_Update(&hctx
, etick
, eticklen
);
2186 HMAC_Final(&hctx
, tick_hmac
, NULL
);
2187 HMAC_CTX_cleanup(&hctx
);
2188 if (timingsafe_memcmp(tick_hmac
, etick
+ eticklen
, mlen
)) {
2189 EVP_CIPHER_CTX_cleanup(&ctx
);
2192 /* Attempt to decrypt session data */
2193 /* Move p after IV to start of encrypted ticket, update length */
2194 p
= etick
+ 16 + EVP_CIPHER_CTX_iv_length(&ctx
);
2195 eticklen
-= 16 + EVP_CIPHER_CTX_iv_length(&ctx
);
2196 sdec
= malloc(eticklen
);
2198 EVP_CIPHER_CTX_cleanup(&ctx
);
2201 EVP_DecryptUpdate(&ctx
, sdec
, &slen
, p
, eticklen
);
2202 if (EVP_DecryptFinal_ex(&ctx
, sdec
+ slen
, &mlen
) <= 0) {
2204 EVP_CIPHER_CTX_cleanup(&ctx
);
2208 EVP_CIPHER_CTX_cleanup(&ctx
);
2211 sess
= d2i_SSL_SESSION(NULL
, &p
, slen
);
2214 /* The session ID, if non-empty, is used by some clients to
2215 * detect that the ticket has been accepted. So we copy it to
2216 * the session structure. If it is empty set length to zero
2217 * as required by standard.
2220 memcpy(sess
->session_id
, sess_id
, sesslen
);
2221 sess
->session_id_length
= sesslen
;
2229 /* For session parse failure, indicate that we need to send a new
2234 /* Tables to translate from NIDs to TLS v1.2 ids */
2241 static tls12_lookup tls12_md
[] = {
2242 {NID_md5
, TLSEXT_hash_md5
},
2243 {NID_sha1
, TLSEXT_hash_sha1
},
2244 {NID_sha224
, TLSEXT_hash_sha224
},
2245 {NID_sha256
, TLSEXT_hash_sha256
},
2246 {NID_sha384
, TLSEXT_hash_sha384
},
2247 {NID_sha512
, TLSEXT_hash_sha512
},
2248 {NID_id_GostR3411_94
, TLSEXT_hash_gost94
},
2249 {NID_id_tc26_gost3411_2012_256
, TLSEXT_hash_streebog_256
},
2250 {NID_id_tc26_gost3411_2012_512
, TLSEXT_hash_streebog_512
}
2253 static tls12_lookup tls12_sig
[] = {
2254 {EVP_PKEY_RSA
, TLSEXT_signature_rsa
},
2255 {EVP_PKEY_DSA
, TLSEXT_signature_dsa
},
2256 {EVP_PKEY_EC
, TLSEXT_signature_ecdsa
},
2257 {EVP_PKEY_GOSTR01
, TLSEXT_signature_gostr01
},
2261 tls12_find_id(int nid
, tls12_lookup
*table
, size_t tlen
)
2264 for (i
= 0; i
< tlen
; i
++) {
2265 if (table
[i
].nid
== nid
)
2272 tls12_get_sigandhash(unsigned char *p
, const EVP_PKEY
*pk
, const EVP_MD
*md
)
2277 md_id
= tls12_find_id(EVP_MD_type(md
), tls12_md
,
2278 sizeof(tls12_md
) / sizeof(tls12_lookup
));
2281 sig_id
= tls12_get_sigid(pk
);
2284 p
[0] = (unsigned char)md_id
;
2285 p
[1] = (unsigned char)sig_id
;
2290 tls12_get_sigid(const EVP_PKEY
*pk
)
2292 return tls12_find_id(pk
->type
, tls12_sig
,
2293 sizeof(tls12_sig
) / sizeof(tls12_lookup
));
2297 tls12_get_hash(unsigned char hash_alg
)
2300 case TLSEXT_hash_sha1
:
2302 case TLSEXT_hash_sha224
:
2303 return EVP_sha224();
2304 case TLSEXT_hash_sha256
:
2305 return EVP_sha256();
2306 case TLSEXT_hash_sha384
:
2307 return EVP_sha384();
2308 case TLSEXT_hash_sha512
:
2309 return EVP_sha512();
2310 #ifndef OPENSSL_NO_GOST
2311 case TLSEXT_hash_gost94
:
2312 return EVP_gostr341194();
2313 case TLSEXT_hash_streebog_256
:
2314 return EVP_streebog256();
2315 case TLSEXT_hash_streebog_512
:
2316 return EVP_streebog512();
2323 /* Set preferred digest for each key type */
2326 tls1_process_sigalgs(SSL
*s
, const unsigned char *data
, int dsize
)
2333 /* Extension ignored for inappropriate versions */
2334 if (!SSL_USE_SIGALGS(s
))
2337 /* Should never happen */
2338 if (!c
|| dsize
< 0)
2341 CBS_init(&cbs
, data
, dsize
);
2343 c
->pkeys
[SSL_PKEY_DSA_SIGN
].digest
= NULL
;
2344 c
->pkeys
[SSL_PKEY_RSA_SIGN
].digest
= NULL
;
2345 c
->pkeys
[SSL_PKEY_RSA_ENC
].digest
= NULL
;
2346 c
->pkeys
[SSL_PKEY_ECC
].digest
= NULL
;
2347 c
->pkeys
[SSL_PKEY_GOST01
].digest
= NULL
;
2349 while (CBS_len(&cbs
) > 0) {
2350 uint8_t hash_alg
, sig_alg
;
2352 if (!CBS_get_u8(&cbs
, &hash_alg
) ||
2353 !CBS_get_u8(&cbs
, &sig_alg
)) {
2354 /* Should never happen */
2359 case TLSEXT_signature_rsa
:
2360 idx
= SSL_PKEY_RSA_SIGN
;
2362 case TLSEXT_signature_dsa
:
2363 idx
= SSL_PKEY_DSA_SIGN
;
2365 case TLSEXT_signature_ecdsa
:
2368 case TLSEXT_signature_gostr01
:
2369 case TLSEXT_signature_gostr12_256
:
2370 case TLSEXT_signature_gostr12_512
:
2371 idx
= SSL_PKEY_GOST01
;
2377 if (c
->pkeys
[idx
].digest
== NULL
) {
2378 md
= tls12_get_hash(hash_alg
);
2380 c
->pkeys
[idx
].digest
= md
;
2381 if (idx
== SSL_PKEY_RSA_SIGN
)
2382 c
->pkeys
[SSL_PKEY_RSA_ENC
].digest
= md
;
2388 /* Set any remaining keys to default values. NOTE: if alg is not
2389 * supported it stays as NULL.
2391 if (!c
->pkeys
[SSL_PKEY_DSA_SIGN
].digest
)
2392 c
->pkeys
[SSL_PKEY_DSA_SIGN
].digest
= EVP_sha1();
2393 if (!c
->pkeys
[SSL_PKEY_RSA_SIGN
].digest
) {
2394 c
->pkeys
[SSL_PKEY_RSA_SIGN
].digest
= EVP_sha1();
2395 c
->pkeys
[SSL_PKEY_RSA_ENC
].digest
= EVP_sha1();
2397 if (!c
->pkeys
[SSL_PKEY_ECC
].digest
)
2398 c
->pkeys
[SSL_PKEY_ECC
].digest
= EVP_sha1();
2399 #ifndef OPENSSL_NO_GOST
2400 if (!c
->pkeys
[SSL_PKEY_GOST01
].digest
)
2401 c
->pkeys
[SSL_PKEY_GOST01
].digest
= EVP_gostr341194();