1 /* $OpenBSD: t1_lib.c,v 1.87 2016/05/30 13:42:54 beck Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
119 #include "ssl_locl.h"
120 #include "bytestring.h"
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123 const unsigned char *sess_id, int sesslen,
124 SSL_SESSION **psess);
126 SSL3_ENC_METHOD TLSv1_enc_data = {
129 .setup_key_block = tls1_setup_key_block,
130 .generate_master_secret = tls1_generate_master_secret,
131 .change_cipher_state = tls1_change_cipher_state,
132 .final_finish_mac = tls1_final_finish_mac,
133 .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
134 .cert_verify_mac = tls1_cert_verify_mac,
135 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
136 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
138 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
139 .alert_value = tls1_alert_code,
140 .export_keying_material = tls1_export_keying_material,
144 SSL3_ENC_METHOD TLSv1_1_enc_data = {
147 .setup_key_block = tls1_setup_key_block,
148 .generate_master_secret = tls1_generate_master_secret,
149 .change_cipher_state = tls1_change_cipher_state,
150 .final_finish_mac = tls1_final_finish_mac,
151 .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
152 .cert_verify_mac = tls1_cert_verify_mac,
153 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
154 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
155 .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
156 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
157 .alert_value = tls1_alert_code,
158 .export_keying_material = tls1_export_keying_material,
159 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV,
162 SSL3_ENC_METHOD TLSv1_2_enc_data = {
165 .setup_key_block = tls1_setup_key_block,
166 .generate_master_secret = tls1_generate_master_secret,
167 .change_cipher_state = tls1_change_cipher_state,
168 .final_finish_mac = tls1_final_finish_mac,
169 .finish_mac_length = TLS1_FINISH_MAC_LENGTH,
170 .cert_verify_mac = tls1_cert_verify_mac,
171 .client_finished_label = TLS_MD_CLIENT_FINISH_CONST,
172 .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
173 .server_finished_label = TLS_MD_SERVER_FINISH_CONST,
174 .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
175 .alert_value = tls1_alert_code,
176 .export_keying_material = tls1_export_keying_material,
177 .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|
178 SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS,
182 tls1_default_timeout(void)
184 /* 2 hours, the 24 hours mentioned in the TLSv1 spec
185 * is way too long for http, the cache would over fill */
186 return (60 * 60 * 2);
194 s->method->ssl_clear(s);
204 free(s->tlsext_session_ticket);
212 s->version = s->method->version;
216 static int nid_list[] = {
217 NID_sect163k1, /* sect163k1 (1) */
218 NID_sect163r1, /* sect163r1 (2) */
219 NID_sect163r2, /* sect163r2 (3) */
220 NID_sect193r1, /* sect193r1 (4) */
221 NID_sect193r2, /* sect193r2 (5) */
222 NID_sect233k1, /* sect233k1 (6) */
223 NID_sect233r1, /* sect233r1 (7) */
224 NID_sect239k1, /* sect239k1 (8) */
225 NID_sect283k1, /* sect283k1 (9) */
226 NID_sect283r1, /* sect283r1 (10) */
227 NID_sect409k1, /* sect409k1 (11) */
228 NID_sect409r1, /* sect409r1 (12) */
229 NID_sect571k1, /* sect571k1 (13) */
230 NID_sect571r1, /* sect571r1 (14) */
231 NID_secp160k1, /* secp160k1 (15) */
232 NID_secp160r1, /* secp160r1 (16) */
233 NID_secp160r2, /* secp160r2 (17) */
234 NID_secp192k1, /* secp192k1 (18) */
235 NID_X9_62_prime192v1, /* secp192r1 (19) */
236 NID_secp224k1, /* secp224k1 (20) */
237 NID_secp224r1, /* secp224r1 (21) */
238 NID_secp256k1, /* secp256k1 (22) */
239 NID_X9_62_prime256v1, /* secp256r1 (23) */
240 NID_secp384r1, /* secp384r1 (24) */
241 NID_secp521r1, /* secp521r1 (25) */
242 NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
243 NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
244 NID_brainpoolP512r1 /* brainpoolP512r1 (28) */
247 static const uint8_t ecformats_default[] = {
248 TLSEXT_ECPOINTFORMAT_uncompressed,
249 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
250 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
253 static const uint16_t eccurves_default[] = {
254 14, /* sect571r1 (14) */
255 13, /* sect571k1 (13) */
256 25, /* secp521r1 (25) */
257 28, /* brainpool512r1 (28) */
258 11, /* sect409k1 (11) */
259 12, /* sect409r1 (12) */
260 27, /* brainpoolP384r1 (27) */
261 24, /* secp384r1 (24) */
262 9, /* sect283k1 (9) */
263 10, /* sect283r1 (10) */
264 26, /* brainpoolP256r1 (26) */
265 22, /* secp256k1 (22) */
266 23, /* secp256r1 (23) */
267 8, /* sect239k1 (8) */
268 6, /* sect233k1 (6) */
269 7, /* sect233r1 (7) */
270 20, /* secp224k1 (20) */
271 21, /* secp224r1 (21) */
272 4, /* sect193r1 (4) */
273 5, /* sect193r2 (5) */
274 18, /* secp192k1 (18) */
275 19, /* secp192r1 (19) */
276 1, /* sect163k1 (1) */
277 2, /* sect163r1 (2) */
278 3, /* sect163r2 (3) */
279 15, /* secp160k1 (15) */
280 16, /* secp160r1 (16) */
281 17, /* secp160r2 (17) */
285 tls1_ec_curve_id2nid(uint16_t curve_id)
287 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
288 if ((curve_id < 1) ||
289 ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0])))
291 return nid_list[curve_id - 1];
295 tls1_ec_nid2curve_id(int nid)
297 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
299 case NID_sect163k1: /* sect163k1 (1) */
301 case NID_sect163r1: /* sect163r1 (2) */
303 case NID_sect163r2: /* sect163r2 (3) */
305 case NID_sect193r1: /* sect193r1 (4) */
307 case NID_sect193r2: /* sect193r2 (5) */
309 case NID_sect233k1: /* sect233k1 (6) */
311 case NID_sect233r1: /* sect233r1 (7) */
313 case NID_sect239k1: /* sect239k1 (8) */
315 case NID_sect283k1: /* sect283k1 (9) */
317 case NID_sect283r1: /* sect283r1 (10) */
319 case NID_sect409k1: /* sect409k1 (11) */
321 case NID_sect409r1: /* sect409r1 (12) */
323 case NID_sect571k1: /* sect571k1 (13) */
325 case NID_sect571r1: /* sect571r1 (14) */
327 case NID_secp160k1: /* secp160k1 (15) */
329 case NID_secp160r1: /* secp160r1 (16) */
331 case NID_secp160r2: /* secp160r2 (17) */
333 case NID_secp192k1: /* secp192k1 (18) */
335 case NID_X9_62_prime192v1: /* secp192r1 (19) */
337 case NID_secp224k1: /* secp224k1 (20) */
339 case NID_secp224r1: /* secp224r1 (21) */
341 case NID_secp256k1: /* secp256k1 (22) */
343 case NID_X9_62_prime256v1: /* secp256r1 (23) */
345 case NID_secp384r1: /* secp384r1 (24) */
347 case NID_secp521r1: /* secp521r1 (25) */
349 case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
351 case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
353 case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */
361 * Return the appropriate format list. If client_formats is non-zero, return
362 * the client/session formats. Otherwise return the custom format list if one
363 * exists, or the default formats if a custom list has not been specified.
366 tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
369 if (client_formats != 0) {
370 *pformats = s->session->tlsext_ecpointformatlist;
371 *pformatslen = s->session->tlsext_ecpointformatlist_length;
375 *pformats = s->tlsext_ecpointformatlist;
376 *pformatslen = s->tlsext_ecpointformatlist_length;
377 if (*pformats == NULL) {
378 *pformats = ecformats_default;
379 *pformatslen = sizeof(ecformats_default);
384 * Return the appropriate curve list. If client_curves is non-zero, return
385 * the client/session curves. Otherwise return the custom curve list if one
386 * exists, or the default curves if a custom list has not been specified.
389 tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves,
392 if (client_curves != 0) {
393 *pcurves = s->session->tlsext_ellipticcurvelist;
394 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
398 *pcurves = s->tlsext_ellipticcurvelist;
399 *pcurveslen = s->tlsext_ellipticcurvelist_length;
400 if (*pcurves == NULL) {
401 *pcurves = eccurves_default;
402 *pcurveslen = sizeof(eccurves_default) / 2;
406 /* Check that a curve is one of our preferences. */
408 tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
411 const uint16_t *curves;
416 CBS_init(&cbs, p, len);
418 /* Only named curves are supported. */
419 if (CBS_len(&cbs) != 3 ||
420 !CBS_get_u8(&cbs, &type) ||
421 type != NAMED_CURVE_TYPE ||
422 !CBS_get_u16(&cbs, &cid))
425 tls1_get_curvelist(s, 0, &curves, &curveslen);
427 for (i = 0; i < curveslen; i++) {
428 if (curves[i] == cid)
435 tls1_get_shared_curve(SSL *s)
437 size_t preflen, supplen, i, j;
438 const uint16_t *pref, *supp;
439 unsigned long server_pref;
441 /* Cannot do anything on the client side. */
445 /* Return first preference shared curve. */
446 server_pref = (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
447 tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen);
448 tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen);
450 for (i = 0; i < preflen; i++) {
451 for (j = 0; j < supplen; j++) {
452 if (pref[i] == supp[j])
453 return (tls1_ec_curve_id2nid(pref[i]));
459 /* For an EC key set TLS ID and required compression based on parameters. */
461 tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
464 const EC_METHOD *meth;
471 /* Determine if it is a prime field. */
472 if ((grp = EC_KEY_get0_group(ec)) == NULL)
474 if ((meth = EC_GROUP_method_of(grp)) == NULL)
476 if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
479 /* Determine curve ID. */
480 nid = EC_GROUP_get_curve_name(grp);
481 id = tls1_ec_nid2curve_id(nid);
483 /* If we have an ID set it, otherwise set arbitrary explicit curve. */
487 *curve_id = is_prime ? 0xff01 : 0xff02;
489 /* Specify the compression identifier. */
490 if (comp_id != NULL) {
491 if (EC_KEY_get0_public_key(ec) == NULL)
494 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
495 *comp_id = is_prime ?
496 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime :
497 TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
499 *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
505 /* Check that an EC key is compatible with extensions. */
507 tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
509 size_t curveslen, formatslen, i;
510 const uint16_t *curves;
511 const uint8_t *formats;
514 * Check point formats extension if present, otherwise everything
515 * is supported (see RFC4492).
517 tls1_get_formatlist(s, 1, &formats, &formatslen);
518 if (comp_id != NULL && formats != NULL) {
519 for (i = 0; i < formatslen; i++) {
520 if (formats[i] == *comp_id)
528 * Check curve list if present, otherwise everything is supported.
530 tls1_get_curvelist(s, 1, &curves, &curveslen);
531 if (curve_id != NULL && curves != NULL) {
532 for (i = 0; i < curveslen; i++) {
533 if (curves[i] == *curve_id)
543 /* Check EC server key is compatible with client extensions. */
545 tls1_check_ec_server_key(SSL *s)
547 CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
553 if (cpk->x509 == NULL || cpk->privatekey == NULL)
555 if ((pkey = X509_get_pubkey(cpk->x509)) == NULL)
557 rv = tls1_set_ec_id(&curve_id, &comp_id, pkey->pkey.ec);
562 return tls1_check_ec_key(s, &curve_id, &comp_id);
565 /* Check EC temporary key is compatible with client extensions. */
567 tls1_check_ec_tmp_key(SSL *s)
569 EC_KEY *ec = s->cert->ecdh_tmp;
572 if (s->cert->ecdh_tmp_auto != 0) {
573 /* Need a shared curve. */
574 if (tls1_get_shared_curve(s) != NID_undef)
580 if (s->cert->ecdh_tmp_cb != NULL)
584 if (tls1_set_ec_id(&curve_id, NULL, ec) != 1)
587 return tls1_check_ec_key(s, &curve_id, NULL);
591 * List of supported signature algorithms and hashes. Should make this
592 * customisable at some point, for now include everything we support.
595 static unsigned char tls12_sigalgs[] = {
596 TLSEXT_hash_sha512, TLSEXT_signature_rsa,
597 TLSEXT_hash_sha512, TLSEXT_signature_dsa,
598 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
599 #ifndef OPENSSL_NO_GOST
600 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512,
603 TLSEXT_hash_sha384, TLSEXT_signature_rsa,
604 TLSEXT_hash_sha384, TLSEXT_signature_dsa,
605 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
607 TLSEXT_hash_sha256, TLSEXT_signature_rsa,
608 TLSEXT_hash_sha256, TLSEXT_signature_dsa,
609 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
611 #ifndef OPENSSL_NO_GOST
612 TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256,
613 TLSEXT_hash_gost94, TLSEXT_signature_gostr01,
616 TLSEXT_hash_sha224, TLSEXT_signature_rsa,
617 TLSEXT_hash_sha224, TLSEXT_signature_dsa,
618 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
620 TLSEXT_hash_sha1, TLSEXT_signature_rsa,
621 TLSEXT_hash_sha1, TLSEXT_signature_dsa,
622 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
626 tls12_get_req_sig_algs(SSL *s, unsigned char *p)
628 size_t slen = sizeof(tls12_sigalgs);
631 memcpy(p, tls12_sigalgs, slen);
636 ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
639 unsigned char *ret = p;
642 /* See if we support any ECC ciphersuites. */
643 if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) {
644 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
645 unsigned long alg_k, alg_a;
648 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
649 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
651 alg_k = c->algorithm_mkey;
652 alg_a = c->algorithm_auth;
654 if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
655 (alg_a & SSL_aECDSA))) {
665 return NULL; /* this really never occurs, but ... */
667 if (s->tlsext_hostname != NULL) {
668 /* Add TLS extension servername to the Client Hello message */
669 size_t size_str, lenmax;
671 /* check for enough space.
672 4 for the servername type and extension length
673 2 for servernamelist length
674 1 for the hostname type
675 2 for hostname length
679 if ((size_t)(limit - ret) < 9)
682 lenmax = limit - ret - 9;
683 if ((size_str = strlen(s->tlsext_hostname)) > lenmax)
686 /* extension type and length */
687 s2n(TLSEXT_TYPE_server_name, ret);
689 s2n(size_str + 5, ret);
691 /* length of servername list */
692 s2n(size_str + 3, ret);
694 /* hostname type, length and hostname */
695 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
697 memcpy(ret, s->tlsext_hostname, size_str);
701 /* Add RI if renegotiating */
702 if (s->renegotiate) {
705 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
706 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
707 ERR_R_INTERNAL_ERROR);
711 if ((size_t)(limit - ret) < 4 + el)
714 s2n(TLSEXT_TYPE_renegotiate, ret);
717 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
718 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
719 ERR_R_INTERNAL_ERROR);
727 size_t curveslen, formatslen, lenmax;
728 const uint16_t *curves;
729 const uint8_t *formats;
733 * Add TLS extension ECPointFormats to the ClientHello message.
735 tls1_get_formatlist(s, 0, &formats, &formatslen);
737 if ((size_t)(limit - ret) < 5)
740 lenmax = limit - ret - 5;
741 if (formatslen > lenmax)
743 if (formatslen > 255) {
744 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
745 ERR_R_INTERNAL_ERROR);
749 s2n(TLSEXT_TYPE_ec_point_formats, ret);
750 s2n(formatslen + 1, ret);
751 *(ret++) = (unsigned char)formatslen;
752 memcpy(ret, formats, formatslen);
756 * Add TLS extension EllipticCurves to the ClientHello message.
758 tls1_get_curvelist(s, 0, &curves, &curveslen);
760 if ((size_t)(limit - ret) < 6)
763 lenmax = limit - ret - 6;
764 if (curveslen > lenmax)
766 if (curveslen > 65532) {
767 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
768 ERR_R_INTERNAL_ERROR);
772 s2n(TLSEXT_TYPE_elliptic_curves, ret);
773 s2n((curveslen * 2) + 2, ret);
775 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
776 * elliptic_curve_list, but the examples use two bytes.
777 * https://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
778 * resolves this to two bytes.
780 s2n(curveslen * 2, ret);
781 for (i = 0; i < curveslen; i++)
785 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
787 if (!s->new_session && s->session && s->session->tlsext_tick)
788 ticklen = s->session->tlsext_ticklen;
789 else if (s->session && s->tlsext_session_ticket &&
790 s->tlsext_session_ticket->data) {
791 ticklen = s->tlsext_session_ticket->length;
792 s->session->tlsext_tick = malloc(ticklen);
793 if (!s->session->tlsext_tick)
795 memcpy(s->session->tlsext_tick,
796 s->tlsext_session_ticket->data, ticklen);
797 s->session->tlsext_ticklen = ticklen;
800 if (ticklen == 0 && s->tlsext_session_ticket &&
801 s->tlsext_session_ticket->data == NULL)
803 /* Check for enough room 2 for extension type, 2 for len
806 if ((size_t)(limit - ret) < 4 + ticklen)
808 s2n(TLSEXT_TYPE_session_ticket, ret);
812 memcpy(ret, s->session->tlsext_tick, ticklen);
818 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
819 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
822 s2n(TLSEXT_TYPE_signature_algorithms, ret);
823 s2n(sizeof(tls12_sigalgs) + 2, ret);
824 s2n(sizeof(tls12_sigalgs), ret);
825 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
826 ret += sizeof(tls12_sigalgs);
829 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
830 s->version != DTLS1_VERSION) {
832 long extlen, idlen, itmp;
836 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
837 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
838 itmp = i2d_OCSP_RESPID(id, NULL);
844 if (s->tlsext_ocsp_exts) {
845 extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
851 if ((size_t)(limit - ret) < 7 + extlen + idlen)
853 s2n(TLSEXT_TYPE_status_request, ret);
854 if (extlen + idlen > 0xFFF0)
856 s2n(extlen + idlen + 5, ret);
857 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
859 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
860 /* save position of id len */
861 unsigned char *q = ret;
862 id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
863 /* skip over id len */
865 itmp = i2d_OCSP_RESPID(id, &ret);
871 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
874 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
875 /* The client advertises an emtpy extension to indicate its
876 * support for Next Protocol Negotiation */
877 if ((size_t)(limit - ret) < 4)
879 s2n(TLSEXT_TYPE_next_proto_neg, ret);
883 if (s->alpn_client_proto_list != NULL &&
884 s->s3->tmp.finish_md_len == 0) {
885 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
887 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
888 s2n(2 + s->alpn_client_proto_list_len, ret);
889 s2n(s->alpn_client_proto_list_len, ret);
890 memcpy(ret, s->alpn_client_proto_list,
891 s->alpn_client_proto_list_len);
892 ret += s->alpn_client_proto_list_len;
895 #ifndef OPENSSL_NO_SRTP
896 if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
899 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
901 if ((size_t)(limit - ret) < 4 + el)
904 s2n(TLSEXT_TYPE_use_srtp, ret);
907 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
908 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
909 ERR_R_INTERNAL_ERROR);
917 * Add padding to workaround bugs in F5 terminators.
918 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
920 * Note that this seems to trigger issues with IronPort SMTP
923 * NB: because this code works out the length of all existing
924 * extensions it MUST always appear last.
926 if (s->options & SSL_OP_TLSEXT_PADDING) {
927 int hlen = ret - (unsigned char *)s->init_buf->data;
930 * The code in s23_clnt.c to build ClientHello messages
931 * includes the 5-byte record header in the buffer, while the
932 * code in s3_clnt.c does not.
934 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
936 if (hlen > 0xff && hlen < 0x200) {
943 s2n(TLSEXT_TYPE_padding, ret);
945 memset(ret, 0, hlen);
950 if ((extdatalen = ret - p - 2) == 0)
958 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
960 int using_ecc, extdatalen = 0;
961 unsigned long alg_a, alg_k;
962 unsigned char *ret = p;
963 int next_proto_neg_seen;
965 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
966 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
967 using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
968 alg_a & SSL_aECDSA) &&
969 s->session->tlsext_ecpointformatlist != NULL;
973 return NULL; /* this really never occurs, but ... */
975 if (!s->hit && s->servername_done == 1 &&
976 s->session->tlsext_hostname != NULL) {
977 if ((size_t)(limit - ret) < 4)
980 s2n(TLSEXT_TYPE_server_name, ret);
984 if (s->s3->send_connection_binding) {
987 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
988 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
989 ERR_R_INTERNAL_ERROR);
993 if ((size_t)(limit - ret) < 4 + el)
996 s2n(TLSEXT_TYPE_renegotiate, ret);
999 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1000 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1001 ERR_R_INTERNAL_ERROR);
1008 if (using_ecc && s->version != DTLS1_VERSION) {
1009 const unsigned char *formats;
1010 size_t formatslen, lenmax;
1013 * Add TLS extension ECPointFormats to the ServerHello message.
1015 tls1_get_formatlist(s, 0, &formats, &formatslen);
1017 if ((size_t)(limit - ret) < 5)
1020 lenmax = limit - ret - 5;
1021 if (formatslen > lenmax)
1023 if (formatslen > 255) {
1024 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1025 ERR_R_INTERNAL_ERROR);
1029 s2n(TLSEXT_TYPE_ec_point_formats, ret);
1030 s2n(formatslen + 1, ret);
1031 *(ret++) = (unsigned char)formatslen;
1032 memcpy(ret, formats, formatslen);
1037 * Currently the server should not respond with a SupportedCurves
1041 if (s->tlsext_ticket_expected &&
1042 !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1043 if ((size_t)(limit - ret) < 4)
1046 s2n(TLSEXT_TYPE_session_ticket, ret);
1050 if (s->tlsext_status_expected) {
1051 if ((size_t)(limit - ret) < 4)
1054 s2n(TLSEXT_TYPE_status_request, ret);
1058 #ifndef OPENSSL_NO_SRTP
1059 if (SSL_IS_DTLS(s) && s->srtp_profile) {
1062 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1064 if ((size_t)(limit - ret) < 4 + el)
1067 s2n(TLSEXT_TYPE_use_srtp, ret);
1070 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1071 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
1072 ERR_R_INTERNAL_ERROR);
1079 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 ||
1080 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) &&
1081 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1082 static const unsigned char cryptopro_ext[36] = {
1083 0xfd, 0xe8, /*65000*/
1084 0x00, 0x20, /*32 bytes length*/
1085 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1086 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1087 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1088 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1090 if ((size_t)(limit - ret) < sizeof(cryptopro_ext))
1092 memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
1093 ret += sizeof(cryptopro_ext);
1096 next_proto_neg_seen = s->s3->next_proto_neg_seen;
1097 s->s3->next_proto_neg_seen = 0;
1098 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1099 const unsigned char *npa;
1100 unsigned int npalen;
1103 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1104 s->ctx->next_protos_advertised_cb_arg);
1105 if (r == SSL_TLSEXT_ERR_OK) {
1106 if ((size_t)(limit - ret) < 4 + npalen)
1108 s2n(TLSEXT_TYPE_next_proto_neg, ret);
1110 memcpy(ret, npa, npalen);
1112 s->s3->next_proto_neg_seen = 1;
1116 if (s->s3->alpn_selected != NULL) {
1117 const unsigned char *selected = s->s3->alpn_selected;
1118 unsigned int len = s->s3->alpn_selected_len;
1120 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1122 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1126 memcpy(ret, selected, len);
1130 if ((extdatalen = ret - p - 2) == 0)
1138 * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1140 * data: the contents of the extension, not including the type and length.
1141 * data_len: the number of bytes in data.
1142 * al: a pointer to the alert value to send in the event of a non-zero
1144 * returns: 1 on success.
1147 tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1148 unsigned int data_len, int *al)
1150 CBS cbs, proto_name_list, alpn;
1151 const unsigned char *selected;
1152 unsigned char selected_len;
1155 if (s->ctx->alpn_select_cb == NULL)
1161 CBS_init(&cbs, data, data_len);
1164 * data should contain a uint16 length followed by a series of 8-bit,
1165 * length-prefixed strings.
1167 if (!CBS_get_u16_length_prefixed(&cbs, &alpn) ||
1168 CBS_len(&alpn) < 2 ||
1172 /* Validate data before sending to callback. */
1173 CBS_dup(&alpn, &proto_name_list);
1174 while (CBS_len(&proto_name_list) > 0) {
1177 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name) ||
1178 CBS_len(&proto_name) == 0)
1182 r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1183 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg);
1184 if (r == SSL_TLSEXT_ERR_OK) {
1185 free(s->s3->alpn_selected);
1186 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) {
1187 *al = SSL_AD_INTERNAL_ERROR;
1190 memcpy(s->s3->alpn_selected, selected, selected_len);
1191 s->s3->alpn_selected_len = selected_len;
1197 *al = SSL_AD_DECODE_ERROR;
1202 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1205 unsigned short type;
1206 unsigned short size;
1208 unsigned char *data = *p;
1209 int renegotiate_seen = 0;
1210 int sigalg_seen = 0;
1212 s->servername_done = 0;
1213 s->tlsext_status_type = -1;
1214 s->s3->next_proto_neg_seen = 0;
1215 free(s->s3->alpn_selected);
1216 s->s3->alpn_selected = NULL;
1218 if (data >= (d + n - 2))
1222 if (data > (d + n - len))
1225 while (data <= (d + n - 4)) {
1229 if (data + size > (d + n))
1231 if (s->tlsext_debug_cb)
1232 s->tlsext_debug_cb(s, 0, type, data, size,
1233 s->tlsext_debug_arg);
1234 /* The servername extension is treated as follows:
1236 - Only the hostname type is supported with a maximum length of 255.
1237 - The servername is rejected if too long or if it contains zeros,
1238 in which case an fatal alert is generated.
1239 - The servername field is maintained together with the session cache.
1240 - When a session is resumed, the servername call back invoked in order
1241 to allow the application to position itself to the right context.
1242 - The servername is acknowledged if it is new for a session or when
1243 it is identical to a previously used for the same session.
1244 Applications can control the behaviour. They can at any time
1245 set a 'desirable' servername for a new SSL object. This can be the
1246 case for example with HTTPS when a Host: header field is received and
1247 a renegotiation is requested. In this case, a possible servername
1248 presented in the new client hello is only acknowledged if it matches
1249 the value of the Host: field.
1250 - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1251 if they provide for changing an explicit servername context for the session,
1252 i.e. when the session has been established with a servername extension.
1253 - On session reconnect, the servername extension may be absent.
1257 if (type == TLSEXT_TYPE_server_name) {
1258 unsigned char *sdata;
1263 *al = SSL_AD_DECODE_ERROR;
1270 *al = SSL_AD_DECODE_ERROR;
1276 servname_type = *(sdata++);
1282 *al = SSL_AD_DECODE_ERROR;
1285 if (s->servername_done == 0)
1286 switch (servname_type) {
1287 case TLSEXT_NAMETYPE_host_name:
1289 if (s->session->tlsext_hostname) {
1290 *al = SSL_AD_DECODE_ERROR;
1293 if (len > TLSEXT_MAXLEN_host_name) {
1294 *al = TLS1_AD_UNRECOGNIZED_NAME;
1297 if ((s->session->tlsext_hostname =
1298 malloc(len + 1)) == NULL) {
1299 *al = TLS1_AD_INTERNAL_ERROR;
1302 memcpy(s->session->tlsext_hostname, sdata, len);
1303 s->session->tlsext_hostname[len] = '\0';
1304 if (strlen(s->session->tlsext_hostname) != len) {
1305 free(s->session->tlsext_hostname);
1306 s->session->tlsext_hostname = NULL;
1307 *al = TLS1_AD_UNRECOGNIZED_NAME;
1310 s->servername_done = 1;
1314 s->servername_done = s->session->tlsext_hostname &&
1315 strlen(s->session->tlsext_hostname) == len &&
1316 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1327 *al = SSL_AD_DECODE_ERROR;
1333 else if (type == TLSEXT_TYPE_ec_point_formats &&
1334 s->version != DTLS1_VERSION) {
1335 unsigned char *sdata = data;
1340 *al = TLS1_AD_DECODE_ERROR;
1343 formatslen = *(sdata++);
1344 if (formatslen != size - 1) {
1345 *al = TLS1_AD_DECODE_ERROR;
1350 free(s->session->tlsext_ecpointformatlist);
1351 s->session->tlsext_ecpointformatlist = NULL;
1352 s->session->tlsext_ecpointformatlist_length = 0;
1354 if ((formats = reallocarray(NULL, formatslen,
1355 sizeof(uint8_t))) == NULL) {
1356 *al = TLS1_AD_INTERNAL_ERROR;
1359 memcpy(formats, sdata, formatslen);
1360 s->session->tlsext_ecpointformatlist = formats;
1361 s->session->tlsext_ecpointformatlist_length =
1364 } else if (type == TLSEXT_TYPE_elliptic_curves &&
1365 s->version != DTLS1_VERSION) {
1366 unsigned char *sdata = data;
1367 size_t curveslen, i;
1371 *al = TLS1_AD_DECODE_ERROR;
1374 n2s(sdata, curveslen);
1375 if (curveslen != size - 2 || curveslen % 2 != 0) {
1376 *al = TLS1_AD_DECODE_ERROR;
1382 if (s->session->tlsext_ellipticcurvelist) {
1383 *al = TLS1_AD_DECODE_ERROR;
1386 s->session->tlsext_ellipticcurvelist_length = 0;
1387 if ((curves = reallocarray(NULL, curveslen,
1388 sizeof(uint16_t))) == NULL) {
1389 *al = TLS1_AD_INTERNAL_ERROR;
1392 for (i = 0; i < curveslen; i++)
1393 n2s(sdata, curves[i]);
1394 s->session->tlsext_ellipticcurvelist = curves;
1395 s->session->tlsext_ellipticcurvelist_length = curveslen;
1398 else if (type == TLSEXT_TYPE_session_ticket) {
1399 if (s->tls_session_ticket_ext_cb &&
1400 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1401 *al = TLS1_AD_INTERNAL_ERROR;
1404 } else if (type == TLSEXT_TYPE_renegotiate) {
1405 if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1407 renegotiate_seen = 1;
1408 } else if (type == TLSEXT_TYPE_signature_algorithms) {
1410 if (sigalg_seen || size < 2) {
1411 *al = SSL_AD_DECODE_ERROR;
1417 if (dsize != size || dsize & 1) {
1418 *al = SSL_AD_DECODE_ERROR;
1421 if (!tls1_process_sigalgs(s, data, dsize)) {
1422 *al = SSL_AD_DECODE_ERROR;
1425 } else if (type == TLSEXT_TYPE_status_request &&
1426 s->version != DTLS1_VERSION) {
1429 *al = SSL_AD_DECODE_ERROR;
1433 s->tlsext_status_type = *data++;
1435 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1436 const unsigned char *sdata;
1438 /* Read in responder_id_list */
1442 *al = SSL_AD_DECODE_ERROR;
1447 * We remove any OCSP_RESPIDs from a
1448 * previous handshake to prevent
1449 * unbounded memory growth.
1451 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
1453 s->tlsext_ocsp_ids = NULL;
1455 s->tlsext_ocsp_ids =
1456 sk_OCSP_RESPID_new_null();
1457 if (s->tlsext_ocsp_ids == NULL) {
1458 *al = SSL_AD_INTERNAL_ERROR;
1467 *al = SSL_AD_DECODE_ERROR;
1471 dsize -= 2 + idsize;
1474 *al = SSL_AD_DECODE_ERROR;
1479 id = d2i_OCSP_RESPID(NULL,
1482 *al = SSL_AD_DECODE_ERROR;
1485 if (data != sdata) {
1486 OCSP_RESPID_free(id);
1487 *al = SSL_AD_DECODE_ERROR;
1490 if (!sk_OCSP_RESPID_push(
1491 s->tlsext_ocsp_ids, id)) {
1492 OCSP_RESPID_free(id);
1493 *al = SSL_AD_INTERNAL_ERROR;
1498 /* Read in request_extensions */
1500 *al = SSL_AD_DECODE_ERROR;
1505 if (dsize != size) {
1506 *al = SSL_AD_DECODE_ERROR;
1511 if (s->tlsext_ocsp_exts) {
1512 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1513 X509_EXTENSION_free);
1516 s->tlsext_ocsp_exts =
1517 d2i_X509_EXTENSIONS(NULL,
1519 if (!s->tlsext_ocsp_exts ||
1520 (data + dsize != sdata)) {
1521 *al = SSL_AD_DECODE_ERROR;
1526 /* We don't know what to do with any other type
1529 s->tlsext_status_type = -1;
1532 else if (type == TLSEXT_TYPE_next_proto_neg &&
1533 s->s3->tmp.finish_md_len == 0 &&
1534 s->s3->alpn_selected == NULL) {
1535 /* We shouldn't accept this extension on a
1538 * s->new_session will be set on renegotiation, but we
1539 * probably shouldn't rely that it couldn't be set on
1540 * the initial renegotation too in certain cases (when
1541 * there's some other reason to disallow resuming an
1542 * earlier session -- the current code won't be doing
1543 * anything like that, but this might change).
1545 * A valid sign that there's been a previous handshake
1546 * in this connection is if s->s3->tmp.finish_md_len >
1547 * 0. (We are talking about a check that will happen
1548 * in the Hello protocol round, well before a new
1549 * Finished message could have been computed.) */
1550 s->s3->next_proto_neg_seen = 1;
1553 TLSEXT_TYPE_application_layer_protocol_negotiation &&
1554 s->ctx->alpn_select_cb != NULL &&
1555 s->s3->tmp.finish_md_len == 0) {
1556 if (tls1_alpn_handle_client_hello(s, data,
1559 /* ALPN takes precedence over NPN. */
1560 s->s3->next_proto_neg_seen = 0;
1563 /* session ticket processed earlier */
1564 #ifndef OPENSSL_NO_SRTP
1565 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1566 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
1578 /* Need RI if renegotiating */
1580 if (!renegotiate_seen && s->renegotiate) {
1581 *al = SSL_AD_HANDSHAKE_FAILURE;
1582 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1583 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1591 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1592 * elements of zero length are allowed and the set of elements must exactly fill
1593 * the length of the block.
1596 ssl_next_proto_validate(const unsigned char *d, unsigned int len)
1600 CBS_init(&npn, d, len);
1601 while (CBS_len(&npn) > 0) {
1602 if (!CBS_get_u8_length_prefixed(&npn, &value) ||
1603 CBS_len(&value) == 0)
1610 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1613 unsigned short length;
1614 unsigned short type;
1615 unsigned short size;
1616 unsigned char *data = *p;
1617 int tlsext_servername = 0;
1618 int renegotiate_seen = 0;
1620 s->s3->next_proto_neg_seen = 0;
1621 free(s->s3->alpn_selected);
1622 s->s3->alpn_selected = NULL;
1624 if (data >= (d + n - 2))
1628 if (data + length != d + n) {
1629 *al = SSL_AD_DECODE_ERROR;
1633 while (data <= (d + n - 4)) {
1637 if (data + size > (d + n))
1640 if (s->tlsext_debug_cb)
1641 s->tlsext_debug_cb(s, 1, type, data, size,
1642 s->tlsext_debug_arg);
1644 if (type == TLSEXT_TYPE_server_name) {
1645 if (s->tlsext_hostname == NULL || size > 0) {
1646 *al = TLS1_AD_UNRECOGNIZED_NAME;
1649 tlsext_servername = 1;
1652 else if (type == TLSEXT_TYPE_ec_point_formats &&
1653 s->version != DTLS1_VERSION) {
1654 unsigned char *sdata = data;
1659 *al = TLS1_AD_DECODE_ERROR;
1662 formatslen = *(sdata++);
1663 if (formatslen != size - 1) {
1664 *al = TLS1_AD_DECODE_ERROR;
1669 free(s->session->tlsext_ecpointformatlist);
1670 s->session->tlsext_ecpointformatlist = NULL;
1671 s->session->tlsext_ecpointformatlist_length = 0;
1673 if ((formats = reallocarray(NULL, formatslen,
1674 sizeof(uint8_t))) == NULL) {
1675 *al = TLS1_AD_INTERNAL_ERROR;
1678 memcpy(formats, sdata, formatslen);
1679 s->session->tlsext_ecpointformatlist = formats;
1680 s->session->tlsext_ecpointformatlist_length =
1684 else if (type == TLSEXT_TYPE_session_ticket) {
1685 if (s->tls_session_ticket_ext_cb &&
1686 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1687 *al = TLS1_AD_INTERNAL_ERROR;
1690 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) {
1691 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1694 s->tlsext_ticket_expected = 1;
1696 else if (type == TLSEXT_TYPE_status_request &&
1697 s->version != DTLS1_VERSION) {
1698 /* MUST be empty and only sent if we've requested
1699 * a status request message.
1701 if ((s->tlsext_status_type == -1) || (size > 0)) {
1702 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1705 /* Set flag to expect CertificateStatus message */
1706 s->tlsext_status_expected = 1;
1708 else if (type == TLSEXT_TYPE_next_proto_neg &&
1709 s->s3->tmp.finish_md_len == 0) {
1710 unsigned char *selected;
1711 unsigned char selected_len;
1713 /* We must have requested it. */
1714 if (s->ctx->next_proto_select_cb == NULL) {
1715 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1718 /* The data must be valid */
1719 if (!ssl_next_proto_validate(data, size)) {
1720 *al = TLS1_AD_DECODE_ERROR;
1723 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
1724 *al = TLS1_AD_INTERNAL_ERROR;
1727 s->next_proto_negotiated = malloc(selected_len);
1728 if (!s->next_proto_negotiated) {
1729 *al = TLS1_AD_INTERNAL_ERROR;
1732 memcpy(s->next_proto_negotiated, selected, selected_len);
1733 s->next_proto_negotiated_len = selected_len;
1734 s->s3->next_proto_neg_seen = 1;
1737 TLSEXT_TYPE_application_layer_protocol_negotiation) {
1740 /* We must have requested it. */
1741 if (s->alpn_client_proto_list == NULL) {
1742 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1746 *al = TLS1_AD_DECODE_ERROR;
1750 /* The extension data consists of:
1751 * uint16 list_length
1752 * uint8 proto_length;
1753 * uint8 proto[proto_length]; */
1754 len = ((unsigned int)data[0]) << 8 |
1755 ((unsigned int)data[1]);
1756 if (len != (unsigned int)size - 2) {
1757 *al = TLS1_AD_DECODE_ERROR;
1761 if (len != (unsigned int)size - 3) {
1762 *al = TLS1_AD_DECODE_ERROR;
1765 free(s->s3->alpn_selected);
1766 s->s3->alpn_selected = malloc(len);
1767 if (s->s3->alpn_selected == NULL) {
1768 *al = TLS1_AD_INTERNAL_ERROR;
1771 memcpy(s->s3->alpn_selected, data + 3, len);
1772 s->s3->alpn_selected_len = len;
1774 } else if (type == TLSEXT_TYPE_renegotiate) {
1775 if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1777 renegotiate_seen = 1;
1779 #ifndef OPENSSL_NO_SRTP
1780 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1781 if (ssl_parse_serverhello_use_srtp_ext(s, data,
1791 if (data != d + n) {
1792 *al = SSL_AD_DECODE_ERROR;
1796 if (!s->hit && tlsext_servername == 1) {
1797 if (s->tlsext_hostname) {
1798 if (s->session->tlsext_hostname == NULL) {
1799 s->session->tlsext_hostname =
1800 strdup(s->tlsext_hostname);
1802 if (!s->session->tlsext_hostname) {
1803 *al = SSL_AD_UNRECOGNIZED_NAME;
1807 *al = SSL_AD_DECODE_ERROR;
1817 /* Determine if we need to see RI. Strictly speaking if we want to
1818 * avoid an attack we should *always* see RI even on initial server
1819 * hello because the client doesn't see any renegotiation during an
1820 * attack. However this would mean we could not connect to any server
1821 * which doesn't support RI so for the immediate future tolerate RI
1822 * absence on initial connect only.
1824 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1825 *al = SSL_AD_HANDSHAKE_FAILURE;
1826 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1827 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1835 ssl_check_clienthello_tlsext_early(SSL *s)
1837 int ret = SSL_TLSEXT_ERR_NOACK;
1838 int al = SSL_AD_UNRECOGNIZED_NAME;
1840 /* The handling of the ECPointFormats extension is done elsewhere, namely in
1841 * ssl3_choose_cipher in s3_lib.c.
1843 /* The handling of the EllipticCurves extension is done elsewhere, namely in
1844 * ssl3_choose_cipher in s3_lib.c.
1847 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1848 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1849 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1850 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1853 case SSL_TLSEXT_ERR_ALERT_FATAL:
1854 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1856 case SSL_TLSEXT_ERR_ALERT_WARNING:
1857 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1859 case SSL_TLSEXT_ERR_NOACK:
1860 s->servername_done = 0;
1867 ssl_check_clienthello_tlsext_late(SSL *s)
1869 int ret = SSL_TLSEXT_ERR_OK;
1870 int al = 0; /* XXX gcc3 */
1872 /* If status request then ask callback what to do.
1873 * Note: this must be called after servername callbacks in case
1874 * the certificate has changed, and must be called after the cipher
1875 * has been chosen because this may influence which certificate is sent
1877 if ((s->tlsext_status_type != -1) &&
1878 s->ctx && s->ctx->tlsext_status_cb) {
1880 CERT_PKEY *certpkey;
1881 certpkey = ssl_get_server_send_pkey(s);
1882 /* If no certificate can't return certificate status */
1883 if (certpkey == NULL) {
1884 s->tlsext_status_expected = 0;
1887 /* Set current certificate to one we will use so
1888 * SSL_get_certificate et al can pick it up.
1890 s->cert->key = certpkey;
1891 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1893 /* We don't want to send a status request response */
1894 case SSL_TLSEXT_ERR_NOACK:
1895 s->tlsext_status_expected = 0;
1897 /* status request response should be sent */
1898 case SSL_TLSEXT_ERR_OK:
1899 if (s->tlsext_ocsp_resp)
1900 s->tlsext_status_expected = 1;
1902 s->tlsext_status_expected = 0;
1904 /* something bad happened */
1905 case SSL_TLSEXT_ERR_ALERT_FATAL:
1906 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1907 al = SSL_AD_INTERNAL_ERROR;
1911 s->tlsext_status_expected = 0;
1915 case SSL_TLSEXT_ERR_ALERT_FATAL:
1916 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1918 case SSL_TLSEXT_ERR_ALERT_WARNING:
1919 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1927 ssl_check_serverhello_tlsext(SSL *s)
1929 int ret = SSL_TLSEXT_ERR_NOACK;
1930 int al = SSL_AD_UNRECOGNIZED_NAME;
1932 /* If we are client and using an elliptic curve cryptography cipher
1933 * suite, then if server returns an EC point formats lists extension
1934 * it must contain uncompressed.
1936 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1937 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1938 if ((s->tlsext_ecpointformatlist != NULL) &&
1939 (s->tlsext_ecpointformatlist_length > 0) &&
1940 (s->session->tlsext_ecpointformatlist != NULL) &&
1941 (s->session->tlsext_ecpointformatlist_length > 0) &&
1942 ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
1943 /* we are using an ECC cipher */
1945 unsigned char *list;
1946 int found_uncompressed = 0;
1947 list = s->session->tlsext_ecpointformatlist;
1948 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
1949 if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
1950 found_uncompressed = 1;
1954 if (!found_uncompressed) {
1955 SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1959 ret = SSL_TLSEXT_ERR_OK;
1961 if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1962 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1963 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1964 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1966 /* If we've requested certificate status and we wont get one
1969 if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) &&
1970 s->ctx && s->ctx->tlsext_status_cb) {
1972 /* Set resp to NULL, resplen to -1 so callback knows
1973 * there is no response.
1975 free(s->tlsext_ocsp_resp);
1976 s->tlsext_ocsp_resp = NULL;
1977 s->tlsext_ocsp_resplen = -1;
1978 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1980 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1981 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1984 al = SSL_AD_INTERNAL_ERROR;
1985 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1990 case SSL_TLSEXT_ERR_ALERT_FATAL:
1991 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1994 case SSL_TLSEXT_ERR_ALERT_WARNING:
1995 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1998 case SSL_TLSEXT_ERR_NOACK:
1999 s->servername_done = 0;
2005 /* Since the server cache lookup is done early on in the processing of the
2006 * ClientHello, and other operations depend on the result, we need to handle
2007 * any TLS session ticket extension at the same time.
2009 * session_id: points at the session ID in the ClientHello. This code will
2010 * read past the end of this in order to parse out the session ticket
2011 * extension, if any.
2012 * len: the length of the session ID.
2013 * limit: a pointer to the first byte after the ClientHello.
2014 * ret: (output) on return, if a ticket was decrypted, then this is set to
2015 * point to the resulting session.
2017 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2018 * ciphersuite, in which case we have no use for session tickets and one will
2019 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2022 * -1: fatal error, either from parsing or decrypting the ticket.
2023 * 0: no ticket was found (or was ignored, based on settings).
2024 * 1: a zero length extension was found, indicating that the client supports
2025 * session tickets but doesn't currently have one to offer.
2026 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2027 * couldn't be decrypted because of a non-fatal error.
2028 * 3: a ticket was successfully decrypted and *ret was set.
2031 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2032 * a new session ticket to the client because the client indicated support
2033 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2034 * a session ticket or we couldn't use the one it gave us, or if
2035 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2036 * Otherwise, s->tlsext_ticket_expected is set to 0.
2039 tls1_process_ticket(SSL *s, const unsigned char *session, int session_len,
2040 const unsigned char *limit, SSL_SESSION **ret)
2042 /* Point after session ID in client hello */
2043 CBS session_id, cookie, cipher_list, compress_algo, extensions;
2046 s->tlsext_ticket_expected = 0;
2048 /* If tickets disabled behave as if no ticket present
2049 * to permit stateful resumption.
2051 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2056 if (limit < session)
2059 CBS_init(&session_id, session, limit - session);
2061 /* Skip past the session id */
2062 if (!CBS_skip(&session_id, session_len))
2065 /* Skip past DTLS cookie */
2066 if (SSL_IS_DTLS(s)) {
2067 if (!CBS_get_u8_length_prefixed(&session_id, &cookie))
2071 /* Skip past cipher list */
2072 if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list))
2075 /* Skip past compression algorithm list */
2076 if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo))
2079 /* Now at start of extensions */
2080 if (CBS_len(&session_id) == 0)
2082 if (!CBS_get_u16_length_prefixed(&session_id, &extensions))
2085 while (CBS_len(&extensions) > 0) {
2089 if (!CBS_get_u16(&extensions, &ext_type) ||
2090 !CBS_get_u16_length_prefixed(&extensions, &ext_data))
2093 if (ext_type == TLSEXT_TYPE_session_ticket) {
2095 if (CBS_len(&ext_data) == 0) {
2096 /* The client will accept a ticket but doesn't
2097 * currently have one. */
2098 s->tlsext_ticket_expected = 1;
2101 if (s->tls_session_secret_cb) {
2102 /* Indicate that the ticket couldn't be
2103 * decrypted rather than generating the session
2104 * from ticket now, trigger abbreviated
2105 * handshake based on external mechanism to
2106 * calculate the master secret later. */
2110 r = tls_decrypt_ticket(s, CBS_data(&ext_data),
2111 CBS_len(&ext_data), session, session_len, ret);
2114 case 2: /* ticket couldn't be decrypted */
2115 s->tlsext_ticket_expected = 1;
2117 case 3: /* ticket was decrypted */
2119 case 4: /* ticket decrypted but need to renew */
2120 s->tlsext_ticket_expected = 1;
2122 default: /* fatal error */
2130 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2132 * etick: points to the body of the session ticket extension.
2133 * eticklen: the length of the session tickets extenion.
2134 * sess_id: points at the session ID.
2135 * sesslen: the length of the session ID.
2136 * psess: (output) on return, if a ticket was decrypted, then this is set to
2137 * point to the resulting session.
2140 * -1: fatal error, either from parsing or decrypting the ticket.
2141 * 2: the ticket couldn't be decrypted.
2142 * 3: a ticket was successfully decrypted and *psess was set.
2143 * 4: same as 3, but the ticket needs to be renewed.
2146 tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2147 const unsigned char *sess_id, int sesslen, SSL_SESSION **psess)
2150 unsigned char *sdec;
2151 const unsigned char *p;
2152 int slen, mlen, renew_ticket = 0;
2153 unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2156 SSL_CTX *tctx = s->initial_ctx;
2157 /* Need at least keyname + iv + some encrypted data */
2160 /* Initialize session ticket encryption and HMAC contexts */
2161 HMAC_CTX_init(&hctx);
2162 EVP_CIPHER_CTX_init(&ctx);
2163 if (tctx->tlsext_ticket_key_cb) {
2164 unsigned char *nctick = (unsigned char *)etick;
2165 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2168 EVP_CIPHER_CTX_cleanup(&ctx);
2172 EVP_CIPHER_CTX_cleanup(&ctx);
2178 /* Check key name matches */
2179 if (timingsafe_memcmp(etick, tctx->tlsext_tick_key_name, 16))
2181 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2182 tlsext_tick_md(), NULL);
2183 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2184 tctx->tlsext_tick_aes_key, etick + 16);
2186 /* Attempt to process session ticket, first conduct sanity and
2187 * integrity checks on ticket.
2189 mlen = HMAC_size(&hctx);
2191 EVP_CIPHER_CTX_cleanup(&ctx);
2195 /* Check HMAC of encrypted ticket */
2196 HMAC_Update(&hctx, etick, eticklen);
2197 HMAC_Final(&hctx, tick_hmac, NULL);
2198 HMAC_CTX_cleanup(&hctx);
2199 if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) {
2200 EVP_CIPHER_CTX_cleanup(&ctx);
2203 /* Attempt to decrypt session data */
2204 /* Move p after IV to start of encrypted ticket, update length */
2205 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2206 eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2207 sdec = malloc(eticklen);
2209 EVP_CIPHER_CTX_cleanup(&ctx);
2212 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2213 if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
2215 EVP_CIPHER_CTX_cleanup(&ctx);
2219 EVP_CIPHER_CTX_cleanup(&ctx);
2222 sess = d2i_SSL_SESSION(NULL, &p, slen);
2225 /* The session ID, if non-empty, is used by some clients to
2226 * detect that the ticket has been accepted. So we copy it to
2227 * the session structure. If it is empty set length to zero
2228 * as required by standard.
2231 memcpy(sess->session_id, sess_id, sesslen);
2232 sess->session_id_length = sesslen;
2240 /* For session parse failure, indicate that we need to send a new
2245 /* Tables to translate from NIDs to TLS v1.2 ids */
2252 static tls12_lookup tls12_md[] = {
2253 {NID_md5, TLSEXT_hash_md5},
2254 {NID_sha1, TLSEXT_hash_sha1},
2255 {NID_sha224, TLSEXT_hash_sha224},
2256 {NID_sha256, TLSEXT_hash_sha256},
2257 {NID_sha384, TLSEXT_hash_sha384},
2258 {NID_sha512, TLSEXT_hash_sha512},
2259 {NID_id_GostR3411_94, TLSEXT_hash_gost94},
2260 {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256},
2261 {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512}
2264 static tls12_lookup tls12_sig[] = {
2265 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2266 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2267 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
2268 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01},
2272 tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2275 for (i = 0; i < tlen; i++) {
2276 if (table[i].nid == nid)
2283 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2288 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2289 sizeof(tls12_md) / sizeof(tls12_lookup));
2292 sig_id = tls12_get_sigid(pk);
2295 p[0] = (unsigned char)md_id;
2296 p[1] = (unsigned char)sig_id;
2301 tls12_get_sigid(const EVP_PKEY *pk)
2303 return tls12_find_id(pk->type, tls12_sig,
2304 sizeof(tls12_sig) / sizeof(tls12_lookup));
2308 tls12_get_hash(unsigned char hash_alg)
2311 case TLSEXT_hash_sha1:
2313 case TLSEXT_hash_sha224:
2314 return EVP_sha224();
2315 case TLSEXT_hash_sha256:
2316 return EVP_sha256();
2317 case TLSEXT_hash_sha384:
2318 return EVP_sha384();
2319 case TLSEXT_hash_sha512:
2320 return EVP_sha512();
2321 #ifndef OPENSSL_NO_GOST
2322 case TLSEXT_hash_gost94:
2323 return EVP_gostr341194();
2324 case TLSEXT_hash_streebog_256:
2325 return EVP_streebog256();
2326 case TLSEXT_hash_streebog_512:
2327 return EVP_streebog512();
2334 /* Set preferred digest for each key type */
2337 tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2344 /* Extension ignored for inappropriate versions */
2345 if (!SSL_USE_SIGALGS(s))
2348 /* Should never happen */
2349 if (!c || dsize < 0)
2352 CBS_init(&cbs, data, dsize);
2354 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2355 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2356 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2357 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2358 c->pkeys[SSL_PKEY_GOST01].digest = NULL;
2360 while (CBS_len(&cbs) > 0) {
2361 uint8_t hash_alg, sig_alg;
2363 if (!CBS_get_u8(&cbs, &hash_alg) ||
2364 !CBS_get_u8(&cbs, &sig_alg)) {
2365 /* Should never happen */
2370 case TLSEXT_signature_rsa:
2371 idx = SSL_PKEY_RSA_SIGN;
2373 case TLSEXT_signature_dsa:
2374 idx = SSL_PKEY_DSA_SIGN;
2376 case TLSEXT_signature_ecdsa:
2379 case TLSEXT_signature_gostr01:
2380 case TLSEXT_signature_gostr12_256:
2381 case TLSEXT_signature_gostr12_512:
2382 idx = SSL_PKEY_GOST01;
2388 if (c->pkeys[idx].digest == NULL) {
2389 md = tls12_get_hash(hash_alg);
2391 c->pkeys[idx].digest = md;
2392 if (idx == SSL_PKEY_RSA_SIGN)
2393 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2399 /* Set any remaining keys to default values. NOTE: if alg is not
2400 * supported it stays as NULL.
2402 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2403 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2404 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2405 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2406 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2408 if (!c->pkeys[SSL_PKEY_ECC].digest)
2409 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2410 #ifndef OPENSSL_NO_GOST
2411 if (!c->pkeys[SSL_PKEY_GOST01].digest)
2412 c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();