1 /* $OpenBSD: t1_lib.c,v 1.141 2018/02/08 11:30:30 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
119 #include "ssl_locl.h"
121 #include "bytestring.h"
122 #include "ssl_tlsext.h"
124 static int tls_decrypt_ticket(SSL
*s
, const unsigned char *tick
, int ticklen
,
125 const unsigned char *sess_id
, int sesslen
,
126 SSL_SESSION
**psess
);
128 SSL3_ENC_METHOD TLSv1_enc_data
= {
133 SSL3_ENC_METHOD TLSv1_1_enc_data
= {
135 .enc_flags
= SSL_ENC_FLAG_EXPLICIT_IV
,
138 SSL3_ENC_METHOD TLSv1_2_enc_data
= {
140 .enc_flags
= SSL_ENC_FLAG_EXPLICIT_IV
|SSL_ENC_FLAG_SIGALGS
|
141 SSL_ENC_FLAG_SHA256_PRF
|SSL_ENC_FLAG_TLS1_2_CIPHERS
,
145 tls1_default_timeout(void)
147 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148 * is way too long for http, the cache would over fill */
149 return (60 * 60 * 2);
157 s
->method
->internal
->ssl_clear(s
);
167 free(s
->internal
->tlsext_session_ticket
);
175 s
->version
= s
->method
->internal
->version
;
178 static int nid_list
[] = {
179 NID_sect163k1
, /* sect163k1 (1) */
180 NID_sect163r1
, /* sect163r1 (2) */
181 NID_sect163r2
, /* sect163r2 (3) */
182 NID_sect193r1
, /* sect193r1 (4) */
183 NID_sect193r2
, /* sect193r2 (5) */
184 NID_sect233k1
, /* sect233k1 (6) */
185 NID_sect233r1
, /* sect233r1 (7) */
186 NID_sect239k1
, /* sect239k1 (8) */
187 NID_sect283k1
, /* sect283k1 (9) */
188 NID_sect283r1
, /* sect283r1 (10) */
189 NID_sect409k1
, /* sect409k1 (11) */
190 NID_sect409r1
, /* sect409r1 (12) */
191 NID_sect571k1
, /* sect571k1 (13) */
192 NID_sect571r1
, /* sect571r1 (14) */
193 NID_secp160k1
, /* secp160k1 (15) */
194 NID_secp160r1
, /* secp160r1 (16) */
195 NID_secp160r2
, /* secp160r2 (17) */
196 NID_secp192k1
, /* secp192k1 (18) */
197 NID_X9_62_prime192v1
, /* secp192r1 (19) */
198 NID_secp224k1
, /* secp224k1 (20) */
199 NID_secp224r1
, /* secp224r1 (21) */
200 NID_secp256k1
, /* secp256k1 (22) */
201 NID_X9_62_prime256v1
, /* secp256r1 (23) */
202 NID_secp384r1
, /* secp384r1 (24) */
203 NID_secp521r1
, /* secp521r1 (25) */
204 NID_brainpoolP256r1
, /* brainpoolP256r1 (26) */
205 NID_brainpoolP384r1
, /* brainpoolP384r1 (27) */
206 NID_brainpoolP512r1
, /* brainpoolP512r1 (28) */
207 NID_X25519
, /* X25519 (29) */
211 static const uint8_t ecformats_list
[] = {
212 TLSEXT_ECPOINTFORMAT_uncompressed
,
213 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime
,
214 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
218 static const uint8_t ecformats_default
[] = {
219 TLSEXT_ECPOINTFORMAT_uncompressed
,
223 static const uint16_t eccurves_list
[] = {
224 29, /* X25519 (29) */
225 14, /* sect571r1 (14) */
226 13, /* sect571k1 (13) */
227 25, /* secp521r1 (25) */
228 28, /* brainpoolP512r1 (28) */
229 11, /* sect409k1 (11) */
230 12, /* sect409r1 (12) */
231 27, /* brainpoolP384r1 (27) */
232 24, /* secp384r1 (24) */
233 9, /* sect283k1 (9) */
234 10, /* sect283r1 (10) */
235 26, /* brainpoolP256r1 (26) */
236 22, /* secp256k1 (22) */
237 23, /* secp256r1 (23) */
238 8, /* sect239k1 (8) */
239 6, /* sect233k1 (6) */
240 7, /* sect233r1 (7) */
241 20, /* secp224k1 (20) */
242 21, /* secp224r1 (21) */
243 4, /* sect193r1 (4) */
244 5, /* sect193r2 (5) */
245 18, /* secp192k1 (18) */
246 19, /* secp192r1 (19) */
247 1, /* sect163k1 (1) */
248 2, /* sect163r1 (2) */
249 3, /* sect163r2 (3) */
250 15, /* secp160k1 (15) */
251 16, /* secp160r1 (16) */
252 17, /* secp160r2 (17) */
256 static const uint16_t eccurves_default
[] = {
257 29, /* X25519 (29) */
258 23, /* secp256r1 (23) */
259 24, /* secp384r1 (24) */
263 tls1_ec_curve_id2nid(const uint16_t curve_id
)
265 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
266 if ((curve_id
< 1) ||
267 ((unsigned int)curve_id
> sizeof(nid_list
) / sizeof(nid_list
[0])))
269 return nid_list
[curve_id
- 1];
273 tls1_ec_nid2curve_id(const int nid
)
275 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
277 case NID_sect163k1
: /* sect163k1 (1) */
279 case NID_sect163r1
: /* sect163r1 (2) */
281 case NID_sect163r2
: /* sect163r2 (3) */
283 case NID_sect193r1
: /* sect193r1 (4) */
285 case NID_sect193r2
: /* sect193r2 (5) */
287 case NID_sect233k1
: /* sect233k1 (6) */
289 case NID_sect233r1
: /* sect233r1 (7) */
291 case NID_sect239k1
: /* sect239k1 (8) */
293 case NID_sect283k1
: /* sect283k1 (9) */
295 case NID_sect283r1
: /* sect283r1 (10) */
297 case NID_sect409k1
: /* sect409k1 (11) */
299 case NID_sect409r1
: /* sect409r1 (12) */
301 case NID_sect571k1
: /* sect571k1 (13) */
303 case NID_sect571r1
: /* sect571r1 (14) */
305 case NID_secp160k1
: /* secp160k1 (15) */
307 case NID_secp160r1
: /* secp160r1 (16) */
309 case NID_secp160r2
: /* secp160r2 (17) */
311 case NID_secp192k1
: /* secp192k1 (18) */
313 case NID_X9_62_prime192v1
: /* secp192r1 (19) */
315 case NID_secp224k1
: /* secp224k1 (20) */
317 case NID_secp224r1
: /* secp224r1 (21) */
319 case NID_secp256k1
: /* secp256k1 (22) */
321 case NID_X9_62_prime256v1
: /* secp256r1 (23) */
323 case NID_secp384r1
: /* secp384r1 (24) */
325 case NID_secp521r1
: /* secp521r1 (25) */
327 case NID_brainpoolP256r1
: /* brainpoolP256r1 (26) */
329 case NID_brainpoolP384r1
: /* brainpoolP384r1 (27) */
331 case NID_brainpoolP512r1
: /* brainpoolP512r1 (28) */
333 case NID_X25519
: /* X25519 (29) */
341 * Return the appropriate format list. If client_formats is non-zero, return
342 * the client/session formats. Otherwise return the custom format list if one
343 * exists, or the default formats if a custom list has not been specified.
346 tls1_get_formatlist(SSL
*s
, int client_formats
, const uint8_t **pformats
,
349 if (client_formats
!= 0) {
350 *pformats
= SSI(s
)->tlsext_ecpointformatlist
;
351 *pformatslen
= SSI(s
)->tlsext_ecpointformatlist_length
;
355 *pformats
= s
->internal
->tlsext_ecpointformatlist
;
356 *pformatslen
= s
->internal
->tlsext_ecpointformatlist_length
;
357 if (*pformats
== NULL
) {
358 *pformats
= ecformats_default
;
359 *pformatslen
= sizeof(ecformats_default
);
364 * Return the appropriate curve list. If client_curves is non-zero, return
365 * the client/session curves. Otherwise return the custom curve list if one
366 * exists, or the default curves if a custom list has not been specified.
369 tls1_get_curvelist(SSL
*s
, int client_curves
, const uint16_t **pcurves
,
372 if (client_curves
!= 0) {
373 *pcurves
= SSI(s
)->tlsext_supportedgroups
;
374 *pcurveslen
= SSI(s
)->tlsext_supportedgroups_length
;
378 *pcurves
= s
->internal
->tlsext_supportedgroups
;
379 *pcurveslen
= s
->internal
->tlsext_supportedgroups_length
;
380 if (*pcurves
== NULL
) {
381 *pcurves
= eccurves_default
;
382 *pcurveslen
= sizeof(eccurves_default
) / 2;
387 tls1_set_groups(uint16_t **out_group_ids
, size_t *out_group_ids_len
,
388 const int *groups
, size_t ngroups
)
393 group_ids
= calloc(ngroups
, sizeof(uint16_t));
394 if (group_ids
== NULL
)
397 for (i
= 0; i
< ngroups
; i
++) {
398 group_ids
[i
] = tls1_ec_nid2curve_id(groups
[i
]);
399 if (group_ids
[i
] == 0) {
405 free(*out_group_ids
);
406 *out_group_ids
= group_ids
;
407 *out_group_ids_len
= ngroups
;
413 tls1_set_groups_list(uint16_t **out_group_ids
, size_t *out_group_ids_len
,
416 uint16_t *new_group_ids
, *group_ids
= NULL
;
421 if ((gs
= strdup(groups
)) == NULL
)
425 while ((p
= strsep(&q
, ":")) != NULL
) {
427 if (nid
== NID_undef
)
429 if (nid
== NID_undef
)
430 nid
= EC_curve_nist2nid(p
);
431 if (nid
== NID_undef
)
434 if ((new_group_ids
= reallocarray(group_ids
, ngroups
+ 1,
435 sizeof(uint16_t))) == NULL
)
437 group_ids
= new_group_ids
;
439 group_ids
[ngroups
] = tls1_ec_nid2curve_id(nid
);
440 if (group_ids
[ngroups
] == 0)
447 free(*out_group_ids
);
448 *out_group_ids
= group_ids
;
449 *out_group_ids_len
= ngroups
;
460 /* Check that a curve is one of our preferences. */
462 tls1_check_curve(SSL
*s
, const uint16_t curve_id
)
464 const uint16_t *curves
;
467 tls1_get_curvelist(s
, 0, &curves
, &curveslen
);
469 for (i
= 0; i
< curveslen
; i
++) {
470 if (curves
[i
] == curve_id
)
477 tls1_get_shared_curve(SSL
*s
)
479 size_t preflen
, supplen
, i
, j
;
480 const uint16_t *pref
, *supp
;
481 unsigned long server_pref
;
483 /* Cannot do anything on the client side. */
487 /* Return first preference shared curve. */
488 server_pref
= (s
->internal
->options
& SSL_OP_CIPHER_SERVER_PREFERENCE
);
489 tls1_get_curvelist(s
, (server_pref
== 0), &pref
, &preflen
);
490 tls1_get_curvelist(s
, (server_pref
!= 0), &supp
, &supplen
);
492 for (i
= 0; i
< preflen
; i
++) {
493 for (j
= 0; j
< supplen
; j
++) {
494 if (pref
[i
] == supp
[j
])
495 return (tls1_ec_curve_id2nid(pref
[i
]));
501 /* For an EC key set TLS ID and required compression based on parameters. */
503 tls1_set_ec_id(uint16_t *curve_id
, uint8_t *comp_id
, EC_KEY
*ec
)
506 const EC_METHOD
*meth
;
513 /* Determine if it is a prime field. */
514 if ((grp
= EC_KEY_get0_group(ec
)) == NULL
)
516 if ((meth
= EC_GROUP_method_of(grp
)) == NULL
)
518 if (EC_METHOD_get_field_type(meth
) == NID_X9_62_prime_field
)
521 /* Determine curve ID. */
522 nid
= EC_GROUP_get_curve_name(grp
);
523 id
= tls1_ec_nid2curve_id(nid
);
525 /* If we have an ID set it, otherwise set arbitrary explicit curve. */
529 *curve_id
= is_prime
? 0xff01 : 0xff02;
531 /* Specify the compression identifier. */
532 if (comp_id
!= NULL
) {
533 if (EC_KEY_get0_public_key(ec
) == NULL
)
536 if (EC_KEY_get_conv_form(ec
) == POINT_CONVERSION_COMPRESSED
) {
537 *comp_id
= is_prime
?
538 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime
:
539 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
;
541 *comp_id
= TLSEXT_ECPOINTFORMAT_uncompressed
;
547 /* Check that an EC key is compatible with extensions. */
549 tls1_check_ec_key(SSL
*s
, const uint16_t *curve_id
, const uint8_t *comp_id
)
551 size_t curveslen
, formatslen
, i
;
552 const uint16_t *curves
;
553 const uint8_t *formats
;
556 * Check point formats extension if present, otherwise everything
557 * is supported (see RFC4492).
559 tls1_get_formatlist(s
, 1, &formats
, &formatslen
);
560 if (comp_id
!= NULL
&& formats
!= NULL
) {
561 for (i
= 0; i
< formatslen
; i
++) {
562 if (formats
[i
] == *comp_id
)
570 * Check curve list if present, otherwise everything is supported.
572 tls1_get_curvelist(s
, 1, &curves
, &curveslen
);
573 if (curve_id
!= NULL
&& curves
!= NULL
) {
574 for (i
= 0; i
< curveslen
; i
++) {
575 if (curves
[i
] == *curve_id
)
585 /* Check EC server key is compatible with client extensions. */
587 tls1_check_ec_server_key(SSL
*s
)
589 CERT_PKEY
*cpk
= s
->cert
->pkeys
+ SSL_PKEY_ECC
;
595 if (cpk
->x509
== NULL
|| cpk
->privatekey
== NULL
)
597 if ((pkey
= X509_get_pubkey(cpk
->x509
)) == NULL
)
599 rv
= tls1_set_ec_id(&curve_id
, &comp_id
, pkey
->pkey
.ec
);
604 return tls1_check_ec_key(s
, &curve_id
, &comp_id
);
607 /* Check EC temporary key is compatible with client extensions. */
609 tls1_check_ec_tmp_key(SSL
*s
)
611 EC_KEY
*ec
= s
->cert
->ecdh_tmp
;
614 /* Need a shared curve. */
615 if (tls1_get_shared_curve(s
) != NID_undef
)
621 if (tls1_set_ec_id(&curve_id
, NULL
, ec
) != 1)
624 return tls1_check_ec_key(s
, &curve_id
, NULL
);
628 * List of supported signature algorithms and hashes. Should make this
629 * customisable at some point, for now include everything we support.
632 static unsigned char tls12_sigalgs
[] = {
633 TLSEXT_hash_sha512
, TLSEXT_signature_rsa
,
634 TLSEXT_hash_sha512
, TLSEXT_signature_ecdsa
,
635 #ifndef OPENSSL_NO_GOST
636 TLSEXT_hash_streebog_512
, TLSEXT_signature_gostr12_512
,
639 TLSEXT_hash_sha384
, TLSEXT_signature_rsa
,
640 TLSEXT_hash_sha384
, TLSEXT_signature_ecdsa
,
642 TLSEXT_hash_sha256
, TLSEXT_signature_rsa
,
643 TLSEXT_hash_sha256
, TLSEXT_signature_ecdsa
,
645 #ifndef OPENSSL_NO_GOST
646 TLSEXT_hash_streebog_256
, TLSEXT_signature_gostr12_256
,
647 TLSEXT_hash_gost94
, TLSEXT_signature_gostr01
,
650 TLSEXT_hash_sha224
, TLSEXT_signature_rsa
,
651 TLSEXT_hash_sha224
, TLSEXT_signature_ecdsa
,
653 TLSEXT_hash_sha1
, TLSEXT_signature_rsa
,
654 TLSEXT_hash_sha1
, TLSEXT_signature_ecdsa
,
658 tls12_get_req_sig_algs(SSL
*s
, unsigned char **sigalgs
, size_t *sigalgs_len
)
660 *sigalgs
= tls12_sigalgs
;
661 *sigalgs_len
= sizeof(tls12_sigalgs
);
665 ssl_check_clienthello_tlsext_early(SSL
*s
)
667 int ret
= SSL_TLSEXT_ERR_NOACK
;
668 int al
= SSL_AD_UNRECOGNIZED_NAME
;
670 /* The handling of the ECPointFormats extension is done elsewhere, namely in
671 * ssl3_choose_cipher in s3_lib.c.
673 /* The handling of the EllipticCurves extension is done elsewhere, namely in
674 * ssl3_choose_cipher in s3_lib.c.
677 if (s
->ctx
!= NULL
&& s
->ctx
->internal
->tlsext_servername_callback
!= 0)
678 ret
= s
->ctx
->internal
->tlsext_servername_callback(s
, &al
,
679 s
->ctx
->internal
->tlsext_servername_arg
);
680 else if (s
->initial_ctx
!= NULL
&& s
->initial_ctx
->internal
->tlsext_servername_callback
!= 0)
681 ret
= s
->initial_ctx
->internal
->tlsext_servername_callback(s
, &al
,
682 s
->initial_ctx
->internal
->tlsext_servername_arg
);
685 case SSL_TLSEXT_ERR_ALERT_FATAL
:
686 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
688 case SSL_TLSEXT_ERR_ALERT_WARNING
:
689 ssl3_send_alert(s
, SSL3_AL_WARNING
, al
);
691 case SSL_TLSEXT_ERR_NOACK
:
692 s
->internal
->servername_done
= 0;
699 ssl_check_clienthello_tlsext_late(SSL
*s
)
701 int ret
= SSL_TLSEXT_ERR_OK
;
702 int al
= 0; /* XXX gcc3 */
704 /* If status request then ask callback what to do.
705 * Note: this must be called after servername callbacks in case
706 * the certificate has changed, and must be called after the cipher
707 * has been chosen because this may influence which certificate is sent
709 if ((s
->tlsext_status_type
!= -1) &&
710 s
->ctx
&& s
->ctx
->internal
->tlsext_status_cb
) {
713 certpkey
= ssl_get_server_send_pkey(s
);
714 /* If no certificate can't return certificate status */
715 if (certpkey
== NULL
) {
716 s
->internal
->tlsext_status_expected
= 0;
719 /* Set current certificate to one we will use so
720 * SSL_get_certificate et al can pick it up.
722 s
->cert
->key
= certpkey
;
723 r
= s
->ctx
->internal
->tlsext_status_cb(s
,
724 s
->ctx
->internal
->tlsext_status_arg
);
726 /* We don't want to send a status request response */
727 case SSL_TLSEXT_ERR_NOACK
:
728 s
->internal
->tlsext_status_expected
= 0;
730 /* status request response should be sent */
731 case SSL_TLSEXT_ERR_OK
:
732 if (s
->internal
->tlsext_ocsp_resp
)
733 s
->internal
->tlsext_status_expected
= 1;
735 s
->internal
->tlsext_status_expected
= 0;
737 /* something bad happened */
738 case SSL_TLSEXT_ERR_ALERT_FATAL
:
739 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
740 al
= SSL_AD_INTERNAL_ERROR
;
744 s
->internal
->tlsext_status_expected
= 0;
748 case SSL_TLSEXT_ERR_ALERT_FATAL
:
749 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
751 case SSL_TLSEXT_ERR_ALERT_WARNING
:
752 ssl3_send_alert(s
, SSL3_AL_WARNING
, al
);
760 ssl_check_serverhello_tlsext(SSL
*s
)
762 int ret
= SSL_TLSEXT_ERR_NOACK
;
763 int al
= SSL_AD_UNRECOGNIZED_NAME
;
765 ret
= SSL_TLSEXT_ERR_OK
;
767 if (s
->ctx
!= NULL
&& s
->ctx
->internal
->tlsext_servername_callback
!= 0)
768 ret
= s
->ctx
->internal
->tlsext_servername_callback(s
, &al
,
769 s
->ctx
->internal
->tlsext_servername_arg
);
770 else if (s
->initial_ctx
!= NULL
&& s
->initial_ctx
->internal
->tlsext_servername_callback
!= 0)
771 ret
= s
->initial_ctx
->internal
->tlsext_servername_callback(s
, &al
,
772 s
->initial_ctx
->internal
->tlsext_servername_arg
);
774 /* If we've requested certificate status and we wont get one
777 if ((s
->tlsext_status_type
!= -1) && !(s
->internal
->tlsext_status_expected
) &&
778 s
->ctx
&& s
->ctx
->internal
->tlsext_status_cb
) {
780 /* Set resp to NULL, resplen to -1 so callback knows
781 * there is no response.
783 free(s
->internal
->tlsext_ocsp_resp
);
784 s
->internal
->tlsext_ocsp_resp
= NULL
;
785 s
->internal
->tlsext_ocsp_resplen
= -1;
786 r
= s
->ctx
->internal
->tlsext_status_cb(s
,
787 s
->ctx
->internal
->tlsext_status_arg
);
789 al
= SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE
;
790 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
793 al
= SSL_AD_INTERNAL_ERROR
;
794 ret
= SSL_TLSEXT_ERR_ALERT_FATAL
;
799 case SSL_TLSEXT_ERR_ALERT_FATAL
:
800 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
803 case SSL_TLSEXT_ERR_ALERT_WARNING
:
804 ssl3_send_alert(s
, SSL3_AL_WARNING
, al
);
807 case SSL_TLSEXT_ERR_NOACK
:
808 s
->internal
->servername_done
= 0;
814 /* Since the server cache lookup is done early on in the processing of the
815 * ClientHello, and other operations depend on the result, we need to handle
816 * any TLS session ticket extension at the same time.
818 * session_id: points at the session ID in the ClientHello. This code will
819 * read past the end of this in order to parse out the session ticket
821 * len: the length of the session ID.
822 * limit: a pointer to the first byte after the ClientHello.
823 * ret: (output) on return, if a ticket was decrypted, then this is set to
824 * point to the resulting session.
826 * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key
827 * ciphersuite, in which case we have no use for session tickets and one will
828 * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1.
831 * -1: fatal error, either from parsing or decrypting the ticket.
832 * 0: no ticket was found (or was ignored, based on settings).
833 * 1: a zero length extension was found, indicating that the client supports
834 * session tickets but doesn't currently have one to offer.
835 * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but
836 * couldn't be decrypted because of a non-fatal error.
837 * 3: a ticket was successfully decrypted and *ret was set.
840 * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue
841 * a new session ticket to the client because the client indicated support
842 * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have
843 * a session ticket or we couldn't use the one it gave us, or if
844 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
845 * Otherwise, s->internal->tlsext_ticket_expected is set to 0.
848 tls1_process_ticket(SSL
*s
, const unsigned char *session
, int session_len
,
849 const unsigned char *limit
, SSL_SESSION
**ret
)
851 /* Point after session ID in client hello */
852 CBS session_id
, cookie
, cipher_list
, compress_algo
, extensions
;
855 s
->internal
->tlsext_ticket_expected
= 0;
857 /* If tickets disabled behave as if no ticket present
858 * to permit stateful resumption.
860 if (SSL_get_options(s
) & SSL_OP_NO_TICKET
)
868 CBS_init(&session_id
, session
, limit
- session
);
870 /* Skip past the session id */
871 if (!CBS_skip(&session_id
, session_len
))
874 /* Skip past DTLS cookie */
875 if (SSL_IS_DTLS(s
)) {
876 if (!CBS_get_u8_length_prefixed(&session_id
, &cookie
))
880 /* Skip past cipher list */
881 if (!CBS_get_u16_length_prefixed(&session_id
, &cipher_list
))
884 /* Skip past compression algorithm list */
885 if (!CBS_get_u8_length_prefixed(&session_id
, &compress_algo
))
888 /* Now at start of extensions */
889 if (CBS_len(&session_id
) == 0)
891 if (!CBS_get_u16_length_prefixed(&session_id
, &extensions
))
894 while (CBS_len(&extensions
) > 0) {
898 if (!CBS_get_u16(&extensions
, &ext_type
) ||
899 !CBS_get_u16_length_prefixed(&extensions
, &ext_data
))
902 if (ext_type
== TLSEXT_TYPE_session_ticket
) {
904 if (CBS_len(&ext_data
) == 0) {
905 /* The client will accept a ticket but doesn't
906 * currently have one. */
907 s
->internal
->tlsext_ticket_expected
= 1;
910 if (s
->internal
->tls_session_secret_cb
) {
911 /* Indicate that the ticket couldn't be
912 * decrypted rather than generating the session
913 * from ticket now, trigger abbreviated
914 * handshake based on external mechanism to
915 * calculate the master secret later. */
919 r
= tls_decrypt_ticket(s
, CBS_data(&ext_data
),
920 CBS_len(&ext_data
), session
, session_len
, ret
);
923 case 2: /* ticket couldn't be decrypted */
924 s
->internal
->tlsext_ticket_expected
= 1;
926 case 3: /* ticket was decrypted */
928 case 4: /* ticket decrypted but need to renew */
929 s
->internal
->tlsext_ticket_expected
= 1;
931 default: /* fatal error */
939 /* tls_decrypt_ticket attempts to decrypt a session ticket.
941 * etick: points to the body of the session ticket extension.
942 * eticklen: the length of the session tickets extenion.
943 * sess_id: points at the session ID.
944 * sesslen: the length of the session ID.
945 * psess: (output) on return, if a ticket was decrypted, then this is set to
946 * point to the resulting session.
949 * -1: fatal error, either from parsing or decrypting the ticket.
950 * 2: the ticket couldn't be decrypted.
951 * 3: a ticket was successfully decrypted and *psess was set.
952 * 4: same as 3, but the ticket needs to be renewed.
955 tls_decrypt_ticket(SSL
*s
, const unsigned char *etick
, int eticklen
,
956 const unsigned char *sess_id
, int sesslen
, SSL_SESSION
**psess
)
960 const unsigned char *p
;
961 int slen
, mlen
, renew_ticket
= 0;
962 unsigned char tick_hmac
[EVP_MAX_MD_SIZE
];
965 SSL_CTX
*tctx
= s
->initial_ctx
;
968 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for
969 * the iv to tlsext_ticket_key_cb(). Since the total space
970 * required for a session cookie is never less than this,
971 * this check isn't too strict. The exact check comes later.
973 if (eticklen
< 16 + EVP_MAX_IV_LENGTH
)
976 /* Initialize session ticket encryption and HMAC contexts */
977 HMAC_CTX_init(&hctx
);
978 EVP_CIPHER_CTX_init(&ctx
);
979 if (tctx
->internal
->tlsext_ticket_key_cb
) {
980 unsigned char *nctick
= (unsigned char *)etick
;
981 int rv
= tctx
->internal
->tlsext_ticket_key_cb(s
,
982 nctick
, nctick
+ 16, &ctx
, &hctx
, 0);
984 HMAC_CTX_cleanup(&hctx
);
985 EVP_CIPHER_CTX_cleanup(&ctx
);
989 HMAC_CTX_cleanup(&hctx
);
990 EVP_CIPHER_CTX_cleanup(&ctx
);
996 /* Check key name matches */
997 if (timingsafe_memcmp(etick
,
998 tctx
->internal
->tlsext_tick_key_name
, 16))
1000 HMAC_Init_ex(&hctx
, tctx
->internal
->tlsext_tick_hmac_key
,
1001 16, tlsext_tick_md(), NULL
);
1002 EVP_DecryptInit_ex(&ctx
, EVP_aes_128_cbc(), NULL
,
1003 tctx
->internal
->tlsext_tick_aes_key
, etick
+ 16);
1007 * Attempt to process session ticket, first conduct sanity and
1008 * integrity checks on ticket.
1010 mlen
= HMAC_size(&hctx
);
1012 HMAC_CTX_cleanup(&hctx
);
1013 EVP_CIPHER_CTX_cleanup(&ctx
);
1017 /* Sanity check ticket length: must exceed keyname + IV + HMAC */
1018 if (eticklen
<= 16 + EVP_CIPHER_CTX_iv_length(&ctx
) + mlen
) {
1019 HMAC_CTX_cleanup(&hctx
);
1020 EVP_CIPHER_CTX_cleanup(&ctx
);
1025 /* Check HMAC of encrypted ticket */
1026 if (HMAC_Update(&hctx
, etick
, eticklen
) <= 0 ||
1027 HMAC_Final(&hctx
, tick_hmac
, NULL
) <= 0) {
1028 HMAC_CTX_cleanup(&hctx
);
1029 EVP_CIPHER_CTX_cleanup(&ctx
);
1033 HMAC_CTX_cleanup(&hctx
);
1034 if (timingsafe_memcmp(tick_hmac
, etick
+ eticklen
, mlen
)) {
1035 EVP_CIPHER_CTX_cleanup(&ctx
);
1039 /* Attempt to decrypt session data */
1040 /* Move p after IV to start of encrypted ticket, update length */
1041 p
= etick
+ 16 + EVP_CIPHER_CTX_iv_length(&ctx
);
1042 eticklen
-= 16 + EVP_CIPHER_CTX_iv_length(&ctx
);
1043 sdec
= malloc(eticklen
);
1045 EVP_DecryptUpdate(&ctx
, sdec
, &slen
, p
, eticklen
) <= 0) {
1047 EVP_CIPHER_CTX_cleanup(&ctx
);
1050 if (EVP_DecryptFinal_ex(&ctx
, sdec
+ slen
, &mlen
) <= 0) {
1052 EVP_CIPHER_CTX_cleanup(&ctx
);
1056 EVP_CIPHER_CTX_cleanup(&ctx
);
1059 sess
= d2i_SSL_SESSION(NULL
, &p
, slen
);
1062 /* The session ID, if non-empty, is used by some clients to
1063 * detect that the ticket has been accepted. So we copy it to
1064 * the session structure. If it is empty set length to zero
1065 * as required by standard.
1068 memcpy(sess
->session_id
, sess_id
, sesslen
);
1069 sess
->session_id_length
= sesslen
;
1077 /* For session parse failure, indicate that we need to send a new
1082 /* Tables to translate from NIDs to TLS v1.2 ids */
1089 static tls12_lookup tls12_md
[] = {
1090 {NID_md5
, TLSEXT_hash_md5
},
1091 {NID_sha1
, TLSEXT_hash_sha1
},
1092 {NID_sha224
, TLSEXT_hash_sha224
},
1093 {NID_sha256
, TLSEXT_hash_sha256
},
1094 {NID_sha384
, TLSEXT_hash_sha384
},
1095 {NID_sha512
, TLSEXT_hash_sha512
},
1096 {NID_id_GostR3411_94
, TLSEXT_hash_gost94
},
1097 {NID_id_tc26_gost3411_2012_256
, TLSEXT_hash_streebog_256
},
1098 {NID_id_tc26_gost3411_2012_512
, TLSEXT_hash_streebog_512
}
1101 static tls12_lookup tls12_sig
[] = {
1102 {EVP_PKEY_RSA
, TLSEXT_signature_rsa
},
1103 {EVP_PKEY_EC
, TLSEXT_signature_ecdsa
},
1104 {EVP_PKEY_GOSTR01
, TLSEXT_signature_gostr01
},
1108 tls12_find_id(int nid
, tls12_lookup
*table
, size_t tlen
)
1111 for (i
= 0; i
< tlen
; i
++) {
1112 if (table
[i
].nid
== nid
)
1119 tls12_get_sigandhash(unsigned char *p
, const EVP_PKEY
*pk
, const EVP_MD
*md
)
1124 md_id
= tls12_find_id(EVP_MD_type(md
), tls12_md
,
1125 sizeof(tls12_md
) / sizeof(tls12_lookup
));
1128 sig_id
= tls12_get_sigid(pk
);
1131 p
[0] = (unsigned char)md_id
;
1132 p
[1] = (unsigned char)sig_id
;
1137 tls12_get_sigid(const EVP_PKEY
*pk
)
1139 return tls12_find_id(pk
->type
, tls12_sig
,
1140 sizeof(tls12_sig
) / sizeof(tls12_lookup
));
1144 tls12_get_hash(unsigned char hash_alg
)
1147 case TLSEXT_hash_sha1
:
1149 case TLSEXT_hash_sha224
:
1150 return EVP_sha224();
1151 case TLSEXT_hash_sha256
:
1152 return EVP_sha256();
1153 case TLSEXT_hash_sha384
:
1154 return EVP_sha384();
1155 case TLSEXT_hash_sha512
:
1156 return EVP_sha512();
1157 #ifndef OPENSSL_NO_GOST
1158 case TLSEXT_hash_gost94
:
1159 return EVP_gostr341194();
1160 case TLSEXT_hash_streebog_256
:
1161 return EVP_streebog256();
1162 case TLSEXT_hash_streebog_512
:
1163 return EVP_streebog512();
1170 /* Set preferred digest for each key type */
1173 tls1_process_sigalgs(SSL
*s
, CBS
*cbs
)
1179 /* Extension ignored for inappropriate versions */
1180 if (!SSL_USE_SIGALGS(s
))
1183 /* Should never happen */
1187 c
->pkeys
[SSL_PKEY_RSA_SIGN
].digest
= NULL
;
1188 c
->pkeys
[SSL_PKEY_RSA_ENC
].digest
= NULL
;
1189 c
->pkeys
[SSL_PKEY_ECC
].digest
= NULL
;
1190 c
->pkeys
[SSL_PKEY_GOST01
].digest
= NULL
;
1192 while (CBS_len(cbs
) > 0) {
1193 uint8_t hash_alg
, sig_alg
;
1195 if (!CBS_get_u8(cbs
, &hash_alg
) || !CBS_get_u8(cbs
, &sig_alg
))
1199 case TLSEXT_signature_rsa
:
1200 idx
= SSL_PKEY_RSA_SIGN
;
1202 case TLSEXT_signature_ecdsa
:
1205 case TLSEXT_signature_gostr01
:
1206 case TLSEXT_signature_gostr12_256
:
1207 case TLSEXT_signature_gostr12_512
:
1208 idx
= SSL_PKEY_GOST01
;
1214 if (c
->pkeys
[idx
].digest
== NULL
) {
1215 md
= tls12_get_hash(hash_alg
);
1217 c
->pkeys
[idx
].digest
= md
;
1218 if (idx
== SSL_PKEY_RSA_SIGN
)
1219 c
->pkeys
[SSL_PKEY_RSA_ENC
].digest
= md
;
1226 * Set any remaining keys to default values. NOTE: if alg is not
1227 * supported it stays as NULL.
1229 if (!c
->pkeys
[SSL_PKEY_RSA_SIGN
].digest
) {
1230 c
->pkeys
[SSL_PKEY_RSA_SIGN
].digest
= EVP_sha1();
1231 c
->pkeys
[SSL_PKEY_RSA_ENC
].digest
= EVP_sha1();
1233 if (!c
->pkeys
[SSL_PKEY_ECC
].digest
)
1234 c
->pkeys
[SSL_PKEY_ECC
].digest
= EVP_sha1();
1235 #ifndef OPENSSL_NO_GOST
1236 if (!c
->pkeys
[SSL_PKEY_GOST01
].digest
)
1237 c
->pkeys
[SSL_PKEY_GOST01
].digest
= EVP_gostr341194();