2
0

t1_lib.c 63 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269
  1. /* ssl/t1_lib.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. #include <stdio.h>
  112. #include <openssl/objects.h>
  113. #include <openssl/evp.h>
  114. #include <openssl/hmac.h>
  115. #include <openssl/ocsp.h>
  116. #include "ssl_locl.h"
  117. const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
  118. #ifndef OPENSSL_NO_TLSEXT
  119. static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
  120. const unsigned char *sess_id, int sesslen,
  121. SSL_SESSION **psess);
  122. #endif
  123. SSL3_ENC_METHOD TLSv1_enc_data={
  124. tls1_enc,
  125. tls1_mac,
  126. tls1_setup_key_block,
  127. tls1_generate_master_secret,
  128. tls1_change_cipher_state,
  129. tls1_final_finish_mac,
  130. TLS1_FINISH_MAC_LENGTH,
  131. tls1_cert_verify_mac,
  132. TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
  133. TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
  134. tls1_alert_code,
  135. };
  136. long tls1_default_timeout(void)
  137. {
  138. /* 2 hours, the 24 hours mentioned in the TLSv1 spec
  139. * is way too long for http, the cache would over fill */
  140. return(60*60*2);
  141. }
  142. int tls1_new(SSL *s)
  143. {
  144. if (!ssl3_new(s)) return(0);
  145. s->method->ssl_clear(s);
  146. return(1);
  147. }
  148. void tls1_free(SSL *s)
  149. {
  150. #ifndef OPENSSL_NO_TLSEXT
  151. if (s->tlsext_session_ticket)
  152. {
  153. OPENSSL_free(s->tlsext_session_ticket);
  154. }
  155. #endif /* OPENSSL_NO_TLSEXT */
  156. ssl3_free(s);
  157. }
  158. void tls1_clear(SSL *s)
  159. {
  160. ssl3_clear(s);
  161. s->version = s->method->version;
  162. }
  163. #ifndef OPENSSL_NO_EC
  164. static int nid_list[] =
  165. {
  166. NID_sect163k1, /* sect163k1 (1) */
  167. NID_sect163r1, /* sect163r1 (2) */
  168. NID_sect163r2, /* sect163r2 (3) */
  169. NID_sect193r1, /* sect193r1 (4) */
  170. NID_sect193r2, /* sect193r2 (5) */
  171. NID_sect233k1, /* sect233k1 (6) */
  172. NID_sect233r1, /* sect233r1 (7) */
  173. NID_sect239k1, /* sect239k1 (8) */
  174. NID_sect283k1, /* sect283k1 (9) */
  175. NID_sect283r1, /* sect283r1 (10) */
  176. NID_sect409k1, /* sect409k1 (11) */
  177. NID_sect409r1, /* sect409r1 (12) */
  178. NID_sect571k1, /* sect571k1 (13) */
  179. NID_sect571r1, /* sect571r1 (14) */
  180. NID_secp160k1, /* secp160k1 (15) */
  181. NID_secp160r1, /* secp160r1 (16) */
  182. NID_secp160r2, /* secp160r2 (17) */
  183. NID_secp192k1, /* secp192k1 (18) */
  184. NID_X9_62_prime192v1, /* secp192r1 (19) */
  185. NID_secp224k1, /* secp224k1 (20) */
  186. NID_secp224r1, /* secp224r1 (21) */
  187. NID_secp256k1, /* secp256k1 (22) */
  188. NID_X9_62_prime256v1, /* secp256r1 (23) */
  189. NID_secp384r1, /* secp384r1 (24) */
  190. NID_secp521r1 /* secp521r1 (25) */
  191. };
  192. static int pref_list[] =
  193. {
  194. NID_sect571r1, /* sect571r1 (14) */
  195. NID_sect571k1, /* sect571k1 (13) */
  196. NID_secp521r1, /* secp521r1 (25) */
  197. NID_sect409k1, /* sect409k1 (11) */
  198. NID_sect409r1, /* sect409r1 (12) */
  199. NID_secp384r1, /* secp384r1 (24) */
  200. NID_sect283k1, /* sect283k1 (9) */
  201. NID_sect283r1, /* sect283r1 (10) */
  202. NID_secp256k1, /* secp256k1 (22) */
  203. NID_X9_62_prime256v1, /* secp256r1 (23) */
  204. NID_sect239k1, /* sect239k1 (8) */
  205. NID_sect233k1, /* sect233k1 (6) */
  206. NID_sect233r1, /* sect233r1 (7) */
  207. NID_secp224k1, /* secp224k1 (20) */
  208. NID_secp224r1, /* secp224r1 (21) */
  209. NID_sect193r1, /* sect193r1 (4) */
  210. NID_sect193r2, /* sect193r2 (5) */
  211. NID_secp192k1, /* secp192k1 (18) */
  212. NID_X9_62_prime192v1, /* secp192r1 (19) */
  213. NID_sect163k1, /* sect163k1 (1) */
  214. NID_sect163r1, /* sect163r1 (2) */
  215. NID_sect163r2, /* sect163r2 (3) */
  216. NID_secp160k1, /* secp160k1 (15) */
  217. NID_secp160r1, /* secp160r1 (16) */
  218. NID_secp160r2, /* secp160r2 (17) */
  219. };
  220. int tls1_ec_curve_id2nid(int curve_id)
  221. {
  222. /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
  223. if ((curve_id < 1) || ((unsigned int)curve_id >
  224. sizeof(nid_list)/sizeof(nid_list[0])))
  225. return 0;
  226. return nid_list[curve_id-1];
  227. }
  228. int tls1_ec_nid2curve_id(int nid)
  229. {
  230. /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
  231. switch (nid)
  232. {
  233. case NID_sect163k1: /* sect163k1 (1) */
  234. return 1;
  235. case NID_sect163r1: /* sect163r1 (2) */
  236. return 2;
  237. case NID_sect163r2: /* sect163r2 (3) */
  238. return 3;
  239. case NID_sect193r1: /* sect193r1 (4) */
  240. return 4;
  241. case NID_sect193r2: /* sect193r2 (5) */
  242. return 5;
  243. case NID_sect233k1: /* sect233k1 (6) */
  244. return 6;
  245. case NID_sect233r1: /* sect233r1 (7) */
  246. return 7;
  247. case NID_sect239k1: /* sect239k1 (8) */
  248. return 8;
  249. case NID_sect283k1: /* sect283k1 (9) */
  250. return 9;
  251. case NID_sect283r1: /* sect283r1 (10) */
  252. return 10;
  253. case NID_sect409k1: /* sect409k1 (11) */
  254. return 11;
  255. case NID_sect409r1: /* sect409r1 (12) */
  256. return 12;
  257. case NID_sect571k1: /* sect571k1 (13) */
  258. return 13;
  259. case NID_sect571r1: /* sect571r1 (14) */
  260. return 14;
  261. case NID_secp160k1: /* secp160k1 (15) */
  262. return 15;
  263. case NID_secp160r1: /* secp160r1 (16) */
  264. return 16;
  265. case NID_secp160r2: /* secp160r2 (17) */
  266. return 17;
  267. case NID_secp192k1: /* secp192k1 (18) */
  268. return 18;
  269. case NID_X9_62_prime192v1: /* secp192r1 (19) */
  270. return 19;
  271. case NID_secp224k1: /* secp224k1 (20) */
  272. return 20;
  273. case NID_secp224r1: /* secp224r1 (21) */
  274. return 21;
  275. case NID_secp256k1: /* secp256k1 (22) */
  276. return 22;
  277. case NID_X9_62_prime256v1: /* secp256r1 (23) */
  278. return 23;
  279. case NID_secp384r1: /* secp384r1 (24) */
  280. return 24;
  281. case NID_secp521r1: /* secp521r1 (25) */
  282. return 25;
  283. default:
  284. return 0;
  285. }
  286. }
  287. #endif /* OPENSSL_NO_EC */
  288. #ifndef OPENSSL_NO_TLSEXT
  289. /* List of supported signature algorithms and hashes. Should make this
  290. * customisable at some point, for now include everything we support.
  291. */
  292. #ifdef OPENSSL_NO_RSA
  293. #define tlsext_sigalg_rsa(md) /* */
  294. #else
  295. #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
  296. #endif
  297. #ifdef OPENSSL_NO_DSA
  298. #define tlsext_sigalg_dsa(md) /* */
  299. #else
  300. #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
  301. #endif
  302. #ifdef OPENSSL_NO_ECDSA
  303. #define tlsext_sigalg_ecdsa(md) /* */
  304. #else
  305. #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
  306. #endif
  307. #define tlsext_sigalg(md) \
  308. tlsext_sigalg_rsa(md) \
  309. tlsext_sigalg_dsa(md) \
  310. tlsext_sigalg_ecdsa(md)
  311. static unsigned char tls12_sigalgs[] = {
  312. #ifndef OPENSSL_NO_SHA512
  313. tlsext_sigalg(TLSEXT_hash_sha512)
  314. tlsext_sigalg(TLSEXT_hash_sha384)
  315. #endif
  316. #ifndef OPENSSL_NO_SHA256
  317. tlsext_sigalg(TLSEXT_hash_sha256)
  318. tlsext_sigalg(TLSEXT_hash_sha224)
  319. #endif
  320. #ifndef OPENSSL_NO_SHA
  321. tlsext_sigalg(TLSEXT_hash_sha1)
  322. #endif
  323. #ifndef OPENSSL_NO_MD5
  324. tlsext_sigalg_rsa(TLSEXT_hash_md5)
  325. #endif
  326. };
  327. int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
  328. {
  329. size_t slen = sizeof(tls12_sigalgs);
  330. #ifdef OPENSSL_FIPS
  331. /* If FIPS mode don't include MD5 which is last */
  332. if (FIPS_mode())
  333. slen -= 2;
  334. #endif
  335. if (p)
  336. memcpy(p, tls12_sigalgs, slen);
  337. return (int)slen;
  338. }
  339. unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
  340. {
  341. int extdatalen=0;
  342. unsigned char *ret = p;
  343. /* don't add extensions for SSLv3 unless doing secure renegotiation */
  344. if (s->client_version == SSL3_VERSION
  345. && !s->s3->send_connection_binding)
  346. return p;
  347. ret+=2;
  348. if (ret>=limit) return NULL; /* this really never occurs, but ... */
  349. if (s->tlsext_hostname != NULL)
  350. {
  351. /* Add TLS extension servername to the Client Hello message */
  352. unsigned long size_str;
  353. long lenmax;
  354. /* check for enough space.
  355. 4 for the servername type and entension length
  356. 2 for servernamelist length
  357. 1 for the hostname type
  358. 2 for hostname length
  359. + hostname length
  360. */
  361. if ((lenmax = limit - ret - 9) < 0
  362. || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
  363. return NULL;
  364. /* extension type and length */
  365. s2n(TLSEXT_TYPE_server_name,ret);
  366. s2n(size_str+5,ret);
  367. /* length of servername list */
  368. s2n(size_str+3,ret);
  369. /* hostname type, length and hostname */
  370. *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
  371. s2n(size_str,ret);
  372. memcpy(ret, s->tlsext_hostname, size_str);
  373. ret+=size_str;
  374. }
  375. /* Add RI if renegotiating */
  376. if (s->renegotiate)
  377. {
  378. int el;
  379. if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
  380. {
  381. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  382. return NULL;
  383. }
  384. if((limit - p - 4 - el) < 0) return NULL;
  385. s2n(TLSEXT_TYPE_renegotiate,ret);
  386. s2n(el,ret);
  387. if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
  388. {
  389. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  390. return NULL;
  391. }
  392. ret += el;
  393. }
  394. #ifndef OPENSSL_NO_SRP
  395. #define MIN(x,y) (((x)<(y))?(x):(y))
  396. /* we add SRP username the first time only if we have one! */
  397. if (s->srp_ctx.login != NULL)
  398. {/* Add TLS extension SRP username to the Client Hello message */
  399. int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
  400. long lenmax;
  401. if ((lenmax = limit - ret - 5) < 0) return NULL;
  402. if (login_len > lenmax) return NULL;
  403. if (login_len > 255)
  404. {
  405. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  406. return NULL;
  407. }
  408. s2n(TLSEXT_TYPE_srp,ret);
  409. s2n(login_len+1,ret);
  410. (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
  411. memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
  412. ret+=login_len;
  413. }
  414. #endif
  415. #ifndef OPENSSL_NO_EC
  416. if (s->tlsext_ecpointformatlist != NULL &&
  417. s->version != DTLS1_VERSION)
  418. {
  419. /* Add TLS extension ECPointFormats to the ClientHello message */
  420. long lenmax;
  421. if ((lenmax = limit - ret - 5) < 0) return NULL;
  422. if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
  423. if (s->tlsext_ecpointformatlist_length > 255)
  424. {
  425. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  426. return NULL;
  427. }
  428. s2n(TLSEXT_TYPE_ec_point_formats,ret);
  429. s2n(s->tlsext_ecpointformatlist_length + 1,ret);
  430. *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
  431. memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
  432. ret+=s->tlsext_ecpointformatlist_length;
  433. }
  434. if (s->tlsext_ellipticcurvelist != NULL &&
  435. s->version != DTLS1_VERSION)
  436. {
  437. /* Add TLS extension EllipticCurves to the ClientHello message */
  438. long lenmax;
  439. if ((lenmax = limit - ret - 6) < 0) return NULL;
  440. if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
  441. if (s->tlsext_ellipticcurvelist_length > 65532)
  442. {
  443. SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  444. return NULL;
  445. }
  446. s2n(TLSEXT_TYPE_elliptic_curves,ret);
  447. s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
  448. /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
  449. * elliptic_curve_list, but the examples use two bytes.
  450. * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
  451. * resolves this to two bytes.
  452. */
  453. s2n(s->tlsext_ellipticcurvelist_length, ret);
  454. memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
  455. ret+=s->tlsext_ellipticcurvelist_length;
  456. }
  457. #endif /* OPENSSL_NO_EC */
  458. if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
  459. {
  460. int ticklen;
  461. if (!s->new_session && s->session && s->session->tlsext_tick)
  462. ticklen = s->session->tlsext_ticklen;
  463. else if (s->session && s->tlsext_session_ticket &&
  464. s->tlsext_session_ticket->data)
  465. {
  466. ticklen = s->tlsext_session_ticket->length;
  467. s->session->tlsext_tick = OPENSSL_malloc(ticklen);
  468. if (!s->session->tlsext_tick)
  469. return NULL;
  470. memcpy(s->session->tlsext_tick,
  471. s->tlsext_session_ticket->data,
  472. ticklen);
  473. s->session->tlsext_ticklen = ticklen;
  474. }
  475. else
  476. ticklen = 0;
  477. if (ticklen == 0 && s->tlsext_session_ticket &&
  478. s->tlsext_session_ticket->data == NULL)
  479. goto skip_ext;
  480. /* Check for enough room 2 for extension type, 2 for len
  481. * rest for ticket
  482. */
  483. if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
  484. s2n(TLSEXT_TYPE_session_ticket,ret);
  485. s2n(ticklen,ret);
  486. if (ticklen)
  487. {
  488. memcpy(ret, s->session->tlsext_tick, ticklen);
  489. ret += ticklen;
  490. }
  491. }
  492. skip_ext:
  493. if (TLS1_get_version(s) >= TLS1_2_VERSION)
  494. {
  495. if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
  496. return NULL;
  497. s2n(TLSEXT_TYPE_signature_algorithms,ret);
  498. s2n(sizeof(tls12_sigalgs) + 2, ret);
  499. s2n(sizeof(tls12_sigalgs), ret);
  500. memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
  501. ret += sizeof(tls12_sigalgs);
  502. }
  503. #ifdef TLSEXT_TYPE_opaque_prf_input
  504. if (s->s3->client_opaque_prf_input != NULL &&
  505. s->version != DTLS1_VERSION)
  506. {
  507. size_t col = s->s3->client_opaque_prf_input_len;
  508. if ((long)(limit - ret - 6 - col < 0))
  509. return NULL;
  510. if (col > 0xFFFD) /* can't happen */
  511. return NULL;
  512. s2n(TLSEXT_TYPE_opaque_prf_input, ret);
  513. s2n(col + 2, ret);
  514. s2n(col, ret);
  515. memcpy(ret, s->s3->client_opaque_prf_input, col);
  516. ret += col;
  517. }
  518. #endif
  519. if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
  520. s->version != DTLS1_VERSION)
  521. {
  522. int i;
  523. long extlen, idlen, itmp;
  524. OCSP_RESPID *id;
  525. idlen = 0;
  526. for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
  527. {
  528. id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
  529. itmp = i2d_OCSP_RESPID(id, NULL);
  530. if (itmp <= 0)
  531. return NULL;
  532. idlen += itmp + 2;
  533. }
  534. if (s->tlsext_ocsp_exts)
  535. {
  536. extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
  537. if (extlen < 0)
  538. return NULL;
  539. }
  540. else
  541. extlen = 0;
  542. if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
  543. s2n(TLSEXT_TYPE_status_request, ret);
  544. if (extlen + idlen > 0xFFF0)
  545. return NULL;
  546. s2n(extlen + idlen + 5, ret);
  547. *(ret++) = TLSEXT_STATUSTYPE_ocsp;
  548. s2n(idlen, ret);
  549. for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
  550. {
  551. /* save position of id len */
  552. unsigned char *q = ret;
  553. id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
  554. /* skip over id len */
  555. ret += 2;
  556. itmp = i2d_OCSP_RESPID(id, &ret);
  557. /* write id len */
  558. s2n(itmp, q);
  559. }
  560. s2n(extlen, ret);
  561. if (extlen > 0)
  562. i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
  563. }
  564. #ifndef OPENSSL_NO_NEXTPROTONEG
  565. if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
  566. {
  567. /* The client advertises an emtpy extension to indicate its
  568. * support for Next Protocol Negotiation */
  569. if (limit - ret - 4 < 0)
  570. return NULL;
  571. s2n(TLSEXT_TYPE_next_proto_neg,ret);
  572. s2n(0,ret);
  573. }
  574. #endif
  575. if ((extdatalen = ret-p-2)== 0)
  576. return p;
  577. s2n(extdatalen,p);
  578. return ret;
  579. }
  580. unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
  581. {
  582. int extdatalen=0;
  583. unsigned char *ret = p;
  584. #ifndef OPENSSL_NO_NEXTPROTONEG
  585. int next_proto_neg_seen;
  586. #endif
  587. /* don't add extensions for SSLv3, unless doing secure renegotiation */
  588. if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
  589. return p;
  590. ret+=2;
  591. if (ret>=limit) return NULL; /* this really never occurs, but ... */
  592. if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
  593. {
  594. if ((long)(limit - ret - 4) < 0) return NULL;
  595. s2n(TLSEXT_TYPE_server_name,ret);
  596. s2n(0,ret);
  597. }
  598. if(s->s3->send_connection_binding)
  599. {
  600. int el;
  601. if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
  602. {
  603. SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  604. return NULL;
  605. }
  606. if((limit - p - 4 - el) < 0) return NULL;
  607. s2n(TLSEXT_TYPE_renegotiate,ret);
  608. s2n(el,ret);
  609. if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
  610. {
  611. SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  612. return NULL;
  613. }
  614. ret += el;
  615. }
  616. #ifndef OPENSSL_NO_EC
  617. if (s->tlsext_ecpointformatlist != NULL &&
  618. s->version != DTLS1_VERSION)
  619. {
  620. /* Add TLS extension ECPointFormats to the ServerHello message */
  621. long lenmax;
  622. if ((lenmax = limit - ret - 5) < 0) return NULL;
  623. if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
  624. if (s->tlsext_ecpointformatlist_length > 255)
  625. {
  626. SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
  627. return NULL;
  628. }
  629. s2n(TLSEXT_TYPE_ec_point_formats,ret);
  630. s2n(s->tlsext_ecpointformatlist_length + 1,ret);
  631. *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
  632. memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
  633. ret+=s->tlsext_ecpointformatlist_length;
  634. }
  635. /* Currently the server should not respond with a SupportedCurves extension */
  636. #endif /* OPENSSL_NO_EC */
  637. if (s->tlsext_ticket_expected
  638. && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
  639. {
  640. if ((long)(limit - ret - 4) < 0) return NULL;
  641. s2n(TLSEXT_TYPE_session_ticket,ret);
  642. s2n(0,ret);
  643. }
  644. if (s->tlsext_status_expected)
  645. {
  646. if ((long)(limit - ret - 4) < 0) return NULL;
  647. s2n(TLSEXT_TYPE_status_request,ret);
  648. s2n(0,ret);
  649. }
  650. #ifdef TLSEXT_TYPE_opaque_prf_input
  651. if (s->s3->server_opaque_prf_input != NULL &&
  652. s->version != DTLS1_VERSION)
  653. {
  654. size_t sol = s->s3->server_opaque_prf_input_len;
  655. if ((long)(limit - ret - 6 - sol) < 0)
  656. return NULL;
  657. if (sol > 0xFFFD) /* can't happen */
  658. return NULL;
  659. s2n(TLSEXT_TYPE_opaque_prf_input, ret);
  660. s2n(sol + 2, ret);
  661. s2n(sol, ret);
  662. memcpy(ret, s->s3->server_opaque_prf_input, sol);
  663. ret += sol;
  664. }
  665. #endif
  666. if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
  667. && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
  668. { const unsigned char cryptopro_ext[36] = {
  669. 0xfd, 0xe8, /*65000*/
  670. 0x00, 0x20, /*32 bytes length*/
  671. 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
  672. 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
  673. 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
  674. 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
  675. if (limit-ret<36) return NULL;
  676. memcpy(ret,cryptopro_ext,36);
  677. ret+=36;
  678. }
  679. #ifndef OPENSSL_NO_NEXTPROTONEG
  680. next_proto_neg_seen = s->s3->next_proto_neg_seen;
  681. s->s3->next_proto_neg_seen = 0;
  682. if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
  683. {
  684. const unsigned char *npa;
  685. unsigned int npalen;
  686. int r;
  687. r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
  688. if (r == SSL_TLSEXT_ERR_OK)
  689. {
  690. if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
  691. s2n(TLSEXT_TYPE_next_proto_neg,ret);
  692. s2n(npalen,ret);
  693. memcpy(ret, npa, npalen);
  694. ret += npalen;
  695. s->s3->next_proto_neg_seen = 1;
  696. }
  697. }
  698. #endif
  699. if ((extdatalen = ret-p-2)== 0)
  700. return p;
  701. s2n(extdatalen,p);
  702. return ret;
  703. }
  704. int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
  705. {
  706. unsigned short type;
  707. unsigned short size;
  708. unsigned short len;
  709. unsigned char *data = *p;
  710. int renegotiate_seen = 0;
  711. int sigalg_seen = 0;
  712. s->servername_done = 0;
  713. s->tlsext_status_type = -1;
  714. if (data >= (d+n-2))
  715. goto ri_check;
  716. n2s(data,len);
  717. if (data > (d+n-len))
  718. goto ri_check;
  719. while (data <= (d+n-4))
  720. {
  721. n2s(data,type);
  722. n2s(data,size);
  723. if (data+size > (d+n))
  724. goto ri_check;
  725. #if 0
  726. fprintf(stderr,"Received extension type %d size %d\n",type,size);
  727. #endif
  728. if (s->tlsext_debug_cb)
  729. s->tlsext_debug_cb(s, 0, type, data, size,
  730. s->tlsext_debug_arg);
  731. /* The servername extension is treated as follows:
  732. - Only the hostname type is supported with a maximum length of 255.
  733. - The servername is rejected if too long or if it contains zeros,
  734. in which case an fatal alert is generated.
  735. - The servername field is maintained together with the session cache.
  736. - When a session is resumed, the servername call back invoked in order
  737. to allow the application to position itself to the right context.
  738. - The servername is acknowledged if it is new for a session or when
  739. it is identical to a previously used for the same session.
  740. Applications can control the behaviour. They can at any time
  741. set a 'desirable' servername for a new SSL object. This can be the
  742. case for example with HTTPS when a Host: header field is received and
  743. a renegotiation is requested. In this case, a possible servername
  744. presented in the new client hello is only acknowledged if it matches
  745. the value of the Host: field.
  746. - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  747. if they provide for changing an explicit servername context for the session,
  748. i.e. when the session has been established with a servername extension.
  749. - On session reconnect, the servername extension may be absent.
  750. */
  751. if (type == TLSEXT_TYPE_server_name)
  752. {
  753. unsigned char *sdata;
  754. int servname_type;
  755. int dsize;
  756. if (size < 2)
  757. {
  758. *al = SSL_AD_DECODE_ERROR;
  759. return 0;
  760. }
  761. n2s(data,dsize);
  762. size -= 2;
  763. if (dsize > size )
  764. {
  765. *al = SSL_AD_DECODE_ERROR;
  766. return 0;
  767. }
  768. sdata = data;
  769. while (dsize > 3)
  770. {
  771. servname_type = *(sdata++);
  772. n2s(sdata,len);
  773. dsize -= 3;
  774. if (len > dsize)
  775. {
  776. *al = SSL_AD_DECODE_ERROR;
  777. return 0;
  778. }
  779. if (s->servername_done == 0)
  780. switch (servname_type)
  781. {
  782. case TLSEXT_NAMETYPE_host_name:
  783. if (!s->hit)
  784. {
  785. if(s->session->tlsext_hostname)
  786. {
  787. *al = SSL_AD_DECODE_ERROR;
  788. return 0;
  789. }
  790. if (len > TLSEXT_MAXLEN_host_name)
  791. {
  792. *al = TLS1_AD_UNRECOGNIZED_NAME;
  793. return 0;
  794. }
  795. if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
  796. {
  797. *al = TLS1_AD_INTERNAL_ERROR;
  798. return 0;
  799. }
  800. memcpy(s->session->tlsext_hostname, sdata, len);
  801. s->session->tlsext_hostname[len]='\0';
  802. if (strlen(s->session->tlsext_hostname) != len) {
  803. OPENSSL_free(s->session->tlsext_hostname);
  804. s->session->tlsext_hostname = NULL;
  805. *al = TLS1_AD_UNRECOGNIZED_NAME;
  806. return 0;
  807. }
  808. s->servername_done = 1;
  809. }
  810. else
  811. s->servername_done = s->session->tlsext_hostname
  812. && strlen(s->session->tlsext_hostname) == len
  813. && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
  814. break;
  815. default:
  816. break;
  817. }
  818. dsize -= len;
  819. }
  820. if (dsize != 0)
  821. {
  822. *al = SSL_AD_DECODE_ERROR;
  823. return 0;
  824. }
  825. }
  826. #ifndef OPENSSL_NO_SRP
  827. else if (type == TLSEXT_TYPE_srp)
  828. {
  829. if (size > 0)
  830. {
  831. len = data[0];
  832. if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
  833. return -1;
  834. memcpy(s->srp_ctx.login, &data[1], len);
  835. s->srp_ctx.login[len]='\0';
  836. }
  837. }
  838. #endif
  839. #ifndef OPENSSL_NO_EC
  840. else if (type == TLSEXT_TYPE_ec_point_formats &&
  841. s->version != DTLS1_VERSION)
  842. {
  843. unsigned char *sdata = data;
  844. int ecpointformatlist_length = *(sdata++);
  845. if (ecpointformatlist_length != size - 1)
  846. {
  847. *al = TLS1_AD_DECODE_ERROR;
  848. return 0;
  849. }
  850. if (!s->hit)
  851. {
  852. if(s->session->tlsext_ecpointformatlist)
  853. {
  854. OPENSSL_free(s->session->tlsext_ecpointformatlist);
  855. s->session->tlsext_ecpointformatlist = NULL;
  856. }
  857. s->session->tlsext_ecpointformatlist_length = 0;
  858. if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
  859. {
  860. *al = TLS1_AD_INTERNAL_ERROR;
  861. return 0;
  862. }
  863. s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
  864. memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
  865. }
  866. #if 0
  867. fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
  868. sdata = s->session->tlsext_ecpointformatlist;
  869. for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
  870. fprintf(stderr,"%i ",*(sdata++));
  871. fprintf(stderr,"\n");
  872. #endif
  873. }
  874. else if (type == TLSEXT_TYPE_elliptic_curves &&
  875. s->version != DTLS1_VERSION)
  876. {
  877. unsigned char *sdata = data;
  878. int ellipticcurvelist_length = (*(sdata++) << 8);
  879. ellipticcurvelist_length += (*(sdata++));
  880. if (ellipticcurvelist_length != size - 2)
  881. {
  882. *al = TLS1_AD_DECODE_ERROR;
  883. return 0;
  884. }
  885. if (!s->hit)
  886. {
  887. if(s->session->tlsext_ellipticcurvelist)
  888. {
  889. *al = TLS1_AD_DECODE_ERROR;
  890. return 0;
  891. }
  892. s->session->tlsext_ellipticcurvelist_length = 0;
  893. if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
  894. {
  895. *al = TLS1_AD_INTERNAL_ERROR;
  896. return 0;
  897. }
  898. s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
  899. memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
  900. }
  901. #if 0
  902. fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
  903. sdata = s->session->tlsext_ellipticcurvelist;
  904. for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
  905. fprintf(stderr,"%i ",*(sdata++));
  906. fprintf(stderr,"\n");
  907. #endif
  908. }
  909. #endif /* OPENSSL_NO_EC */
  910. #ifdef TLSEXT_TYPE_opaque_prf_input
  911. else if (type == TLSEXT_TYPE_opaque_prf_input &&
  912. s->version != DTLS1_VERSION)
  913. {
  914. unsigned char *sdata = data;
  915. if (size < 2)
  916. {
  917. *al = SSL_AD_DECODE_ERROR;
  918. return 0;
  919. }
  920. n2s(sdata, s->s3->client_opaque_prf_input_len);
  921. if (s->s3->client_opaque_prf_input_len != size - 2)
  922. {
  923. *al = SSL_AD_DECODE_ERROR;
  924. return 0;
  925. }
  926. if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
  927. OPENSSL_free(s->s3->client_opaque_prf_input);
  928. if (s->s3->client_opaque_prf_input_len == 0)
  929. s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
  930. else
  931. s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
  932. if (s->s3->client_opaque_prf_input == NULL)
  933. {
  934. *al = TLS1_AD_INTERNAL_ERROR;
  935. return 0;
  936. }
  937. }
  938. #endif
  939. else if (type == TLSEXT_TYPE_session_ticket)
  940. {
  941. if (s->tls_session_ticket_ext_cb &&
  942. !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
  943. {
  944. *al = TLS1_AD_INTERNAL_ERROR;
  945. return 0;
  946. }
  947. }
  948. else if (type == TLSEXT_TYPE_renegotiate)
  949. {
  950. if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
  951. return 0;
  952. renegotiate_seen = 1;
  953. }
  954. else if (type == TLSEXT_TYPE_signature_algorithms)
  955. {
  956. int dsize;
  957. if (sigalg_seen || size < 2)
  958. {
  959. *al = SSL_AD_DECODE_ERROR;
  960. return 0;
  961. }
  962. sigalg_seen = 1;
  963. n2s(data,dsize);
  964. size -= 2;
  965. if (dsize != size || dsize & 1)
  966. {
  967. *al = SSL_AD_DECODE_ERROR;
  968. return 0;
  969. }
  970. if (!tls1_process_sigalgs(s, data, dsize))
  971. {
  972. *al = SSL_AD_DECODE_ERROR;
  973. return 0;
  974. }
  975. }
  976. else if (type == TLSEXT_TYPE_status_request &&
  977. s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
  978. {
  979. if (size < 5)
  980. {
  981. *al = SSL_AD_DECODE_ERROR;
  982. return 0;
  983. }
  984. s->tlsext_status_type = *data++;
  985. size--;
  986. if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
  987. {
  988. const unsigned char *sdata;
  989. int dsize;
  990. /* Read in responder_id_list */
  991. n2s(data,dsize);
  992. size -= 2;
  993. if (dsize > size )
  994. {
  995. *al = SSL_AD_DECODE_ERROR;
  996. return 0;
  997. }
  998. while (dsize > 0)
  999. {
  1000. OCSP_RESPID *id;
  1001. int idsize;
  1002. if (dsize < 4)
  1003. {
  1004. *al = SSL_AD_DECODE_ERROR;
  1005. return 0;
  1006. }
  1007. n2s(data, idsize);
  1008. dsize -= 2 + idsize;
  1009. size -= 2 + idsize;
  1010. if (dsize < 0)
  1011. {
  1012. *al = SSL_AD_DECODE_ERROR;
  1013. return 0;
  1014. }
  1015. sdata = data;
  1016. data += idsize;
  1017. id = d2i_OCSP_RESPID(NULL,
  1018. &sdata, idsize);
  1019. if (!id)
  1020. {
  1021. *al = SSL_AD_DECODE_ERROR;
  1022. return 0;
  1023. }
  1024. if (data != sdata)
  1025. {
  1026. OCSP_RESPID_free(id);
  1027. *al = SSL_AD_DECODE_ERROR;
  1028. return 0;
  1029. }
  1030. if (!s->tlsext_ocsp_ids
  1031. && !(s->tlsext_ocsp_ids =
  1032. sk_OCSP_RESPID_new_null()))
  1033. {
  1034. OCSP_RESPID_free(id);
  1035. *al = SSL_AD_INTERNAL_ERROR;
  1036. return 0;
  1037. }
  1038. if (!sk_OCSP_RESPID_push(
  1039. s->tlsext_ocsp_ids, id))
  1040. {
  1041. OCSP_RESPID_free(id);
  1042. *al = SSL_AD_INTERNAL_ERROR;
  1043. return 0;
  1044. }
  1045. }
  1046. /* Read in request_extensions */
  1047. if (size < 2)
  1048. {
  1049. *al = SSL_AD_DECODE_ERROR;
  1050. return 0;
  1051. }
  1052. n2s(data,dsize);
  1053. size -= 2;
  1054. if (dsize != size)
  1055. {
  1056. *al = SSL_AD_DECODE_ERROR;
  1057. return 0;
  1058. }
  1059. sdata = data;
  1060. if (dsize > 0)
  1061. {
  1062. s->tlsext_ocsp_exts =
  1063. d2i_X509_EXTENSIONS(NULL,
  1064. &sdata, dsize);
  1065. if (!s->tlsext_ocsp_exts
  1066. || (data + dsize != sdata))
  1067. {
  1068. *al = SSL_AD_DECODE_ERROR;
  1069. return 0;
  1070. }
  1071. }
  1072. }
  1073. /* We don't know what to do with any other type
  1074. * so ignore it.
  1075. */
  1076. else
  1077. s->tlsext_status_type = -1;
  1078. }
  1079. #ifndef OPENSSL_NO_NEXTPROTONEG
  1080. else if (type == TLSEXT_TYPE_next_proto_neg &&
  1081. s->s3->tmp.finish_md_len == 0)
  1082. {
  1083. /* We shouldn't accept this extension on a
  1084. * renegotiation.
  1085. *
  1086. * s->new_session will be set on renegotiation, but we
  1087. * probably shouldn't rely that it couldn't be set on
  1088. * the initial renegotation too in certain cases (when
  1089. * there's some other reason to disallow resuming an
  1090. * earlier session -- the current code won't be doing
  1091. * anything like that, but this might change).
  1092. * A valid sign that there's been a previous handshake
  1093. * in this connection is if s->s3->tmp.finish_md_len >
  1094. * 0. (We are talking about a check that will happen
  1095. * in the Hello protocol round, well before a new
  1096. * Finished message could have been computed.) */
  1097. s->s3->next_proto_neg_seen = 1;
  1098. }
  1099. #endif
  1100. /* session ticket processed earlier */
  1101. data+=size;
  1102. }
  1103. *p = data;
  1104. ri_check:
  1105. /* Need RI if renegotiating */
  1106. if (!renegotiate_seen && s->renegotiate &&
  1107. !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
  1108. {
  1109. *al = SSL_AD_HANDSHAKE_FAILURE;
  1110. SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
  1111. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  1112. return 0;
  1113. }
  1114. return 1;
  1115. }
  1116. #ifndef OPENSSL_NO_NEXTPROTONEG
  1117. /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
  1118. * elements of zero length are allowed and the set of elements must exactly fill
  1119. * the length of the block. */
  1120. static int ssl_next_proto_validate(unsigned char *d, unsigned len)
  1121. {
  1122. unsigned int off = 0;
  1123. while (off < len)
  1124. {
  1125. if (d[off] == 0)
  1126. return 0;
  1127. off += d[off];
  1128. off++;
  1129. }
  1130. return off == len;
  1131. }
  1132. #endif
  1133. int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
  1134. {
  1135. unsigned short length;
  1136. unsigned short type;
  1137. unsigned short size;
  1138. unsigned char *data = *p;
  1139. int tlsext_servername = 0;
  1140. int renegotiate_seen = 0;
  1141. if (data >= (d+n-2))
  1142. goto ri_check;
  1143. n2s(data,length);
  1144. if (data+length != d+n)
  1145. {
  1146. *al = SSL_AD_DECODE_ERROR;
  1147. return 0;
  1148. }
  1149. while(data <= (d+n-4))
  1150. {
  1151. n2s(data,type);
  1152. n2s(data,size);
  1153. if (data+size > (d+n))
  1154. goto ri_check;
  1155. if (s->tlsext_debug_cb)
  1156. s->tlsext_debug_cb(s, 1, type, data, size,
  1157. s->tlsext_debug_arg);
  1158. if (type == TLSEXT_TYPE_server_name)
  1159. {
  1160. if (s->tlsext_hostname == NULL || size > 0)
  1161. {
  1162. *al = TLS1_AD_UNRECOGNIZED_NAME;
  1163. return 0;
  1164. }
  1165. tlsext_servername = 1;
  1166. }
  1167. #ifndef OPENSSL_NO_EC
  1168. else if (type == TLSEXT_TYPE_ec_point_formats &&
  1169. s->version != DTLS1_VERSION)
  1170. {
  1171. unsigned char *sdata = data;
  1172. int ecpointformatlist_length = *(sdata++);
  1173. if (ecpointformatlist_length != size - 1)
  1174. {
  1175. *al = TLS1_AD_DECODE_ERROR;
  1176. return 0;
  1177. }
  1178. s->session->tlsext_ecpointformatlist_length = 0;
  1179. if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
  1180. if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
  1181. {
  1182. *al = TLS1_AD_INTERNAL_ERROR;
  1183. return 0;
  1184. }
  1185. s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
  1186. memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
  1187. #if 0
  1188. fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
  1189. sdata = s->session->tlsext_ecpointformatlist;
  1190. for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
  1191. fprintf(stderr,"%i ",*(sdata++));
  1192. fprintf(stderr,"\n");
  1193. #endif
  1194. }
  1195. #endif /* OPENSSL_NO_EC */
  1196. else if (type == TLSEXT_TYPE_session_ticket)
  1197. {
  1198. if (s->tls_session_ticket_ext_cb &&
  1199. !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
  1200. {
  1201. *al = TLS1_AD_INTERNAL_ERROR;
  1202. return 0;
  1203. }
  1204. if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
  1205. || (size > 0))
  1206. {
  1207. *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  1208. return 0;
  1209. }
  1210. s->tlsext_ticket_expected = 1;
  1211. }
  1212. #ifdef TLSEXT_TYPE_opaque_prf_input
  1213. else if (type == TLSEXT_TYPE_opaque_prf_input &&
  1214. s->version != DTLS1_VERSION)
  1215. {
  1216. unsigned char *sdata = data;
  1217. if (size < 2)
  1218. {
  1219. *al = SSL_AD_DECODE_ERROR;
  1220. return 0;
  1221. }
  1222. n2s(sdata, s->s3->server_opaque_prf_input_len);
  1223. if (s->s3->server_opaque_prf_input_len != size - 2)
  1224. {
  1225. *al = SSL_AD_DECODE_ERROR;
  1226. return 0;
  1227. }
  1228. if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
  1229. OPENSSL_free(s->s3->server_opaque_prf_input);
  1230. if (s->s3->server_opaque_prf_input_len == 0)
  1231. s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
  1232. else
  1233. s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
  1234. if (s->s3->server_opaque_prf_input == NULL)
  1235. {
  1236. *al = TLS1_AD_INTERNAL_ERROR;
  1237. return 0;
  1238. }
  1239. }
  1240. #endif
  1241. else if (type == TLSEXT_TYPE_status_request &&
  1242. s->version != DTLS1_VERSION)
  1243. {
  1244. /* MUST be empty and only sent if we've requested
  1245. * a status request message.
  1246. */
  1247. if ((s->tlsext_status_type == -1) || (size > 0))
  1248. {
  1249. *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  1250. return 0;
  1251. }
  1252. /* Set flag to expect CertificateStatus message */
  1253. s->tlsext_status_expected = 1;
  1254. }
  1255. #ifndef OPENSSL_NO_NEXTPROTONEG
  1256. else if (type == TLSEXT_TYPE_next_proto_neg)
  1257. {
  1258. unsigned char *selected;
  1259. unsigned char selected_len;
  1260. /* We must have requested it. */
  1261. if ((s->ctx->next_proto_select_cb == NULL))
  1262. {
  1263. *al = TLS1_AD_UNSUPPORTED_EXTENSION;
  1264. return 0;
  1265. }
  1266. /* The data must be valid */
  1267. if (!ssl_next_proto_validate(data, size))
  1268. {
  1269. *al = TLS1_AD_DECODE_ERROR;
  1270. return 0;
  1271. }
  1272. if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
  1273. {
  1274. *al = TLS1_AD_INTERNAL_ERROR;
  1275. return 0;
  1276. }
  1277. s->next_proto_negotiated = OPENSSL_malloc(selected_len);
  1278. if (!s->next_proto_negotiated)
  1279. {
  1280. *al = TLS1_AD_INTERNAL_ERROR;
  1281. return 0;
  1282. }
  1283. memcpy(s->next_proto_negotiated, selected, selected_len);
  1284. s->next_proto_negotiated_len = selected_len;
  1285. }
  1286. #endif
  1287. else if (type == TLSEXT_TYPE_renegotiate)
  1288. {
  1289. if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
  1290. return 0;
  1291. renegotiate_seen = 1;
  1292. }
  1293. data+=size;
  1294. }
  1295. if (data != d+n)
  1296. {
  1297. *al = SSL_AD_DECODE_ERROR;
  1298. return 0;
  1299. }
  1300. if (!s->hit && tlsext_servername == 1)
  1301. {
  1302. if (s->tlsext_hostname)
  1303. {
  1304. if (s->session->tlsext_hostname == NULL)
  1305. {
  1306. s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
  1307. if (!s->session->tlsext_hostname)
  1308. {
  1309. *al = SSL_AD_UNRECOGNIZED_NAME;
  1310. return 0;
  1311. }
  1312. }
  1313. else
  1314. {
  1315. *al = SSL_AD_DECODE_ERROR;
  1316. return 0;
  1317. }
  1318. }
  1319. }
  1320. *p = data;
  1321. ri_check:
  1322. /* Determine if we need to see RI. Strictly speaking if we want to
  1323. * avoid an attack we should *always* see RI even on initial server
  1324. * hello because the client doesn't see any renegotiation during an
  1325. * attack. However this would mean we could not connect to any server
  1326. * which doesn't support RI so for the immediate future tolerate RI
  1327. * absence on initial connect only.
  1328. */
  1329. if (!renegotiate_seen
  1330. && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
  1331. && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
  1332. {
  1333. *al = SSL_AD_HANDSHAKE_FAILURE;
  1334. SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
  1335. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  1336. return 0;
  1337. }
  1338. return 1;
  1339. }
  1340. int ssl_prepare_clienthello_tlsext(SSL *s)
  1341. {
  1342. #ifndef OPENSSL_NO_EC
  1343. /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
  1344. * and elliptic curves we support.
  1345. */
  1346. int using_ecc = 0;
  1347. int i;
  1348. unsigned char *j;
  1349. unsigned long alg_k, alg_a;
  1350. STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
  1351. for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
  1352. {
  1353. SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
  1354. alg_k = c->algorithm_mkey;
  1355. alg_a = c->algorithm_auth;
  1356. if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
  1357. {
  1358. using_ecc = 1;
  1359. break;
  1360. }
  1361. }
  1362. using_ecc = using_ecc && (s->version >= TLS1_VERSION);
  1363. if (using_ecc)
  1364. {
  1365. if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
  1366. if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
  1367. {
  1368. SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
  1369. return -1;
  1370. }
  1371. s->tlsext_ecpointformatlist_length = 3;
  1372. s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
  1373. s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
  1374. s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
  1375. /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
  1376. if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
  1377. s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
  1378. if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
  1379. {
  1380. s->tlsext_ellipticcurvelist_length = 0;
  1381. SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
  1382. return -1;
  1383. }
  1384. for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
  1385. sizeof(pref_list)/sizeof(pref_list[0]); i++)
  1386. {
  1387. int id = tls1_ec_nid2curve_id(pref_list[i]);
  1388. s2n(id,j);
  1389. }
  1390. }
  1391. #endif /* OPENSSL_NO_EC */
  1392. #ifdef TLSEXT_TYPE_opaque_prf_input
  1393. {
  1394. int r = 1;
  1395. if (s->ctx->tlsext_opaque_prf_input_callback != 0)
  1396. {
  1397. r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
  1398. if (!r)
  1399. return -1;
  1400. }
  1401. if (s->tlsext_opaque_prf_input != NULL)
  1402. {
  1403. if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
  1404. OPENSSL_free(s->s3->client_opaque_prf_input);
  1405. if (s->tlsext_opaque_prf_input_len == 0)
  1406. s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
  1407. else
  1408. s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
  1409. if (s->s3->client_opaque_prf_input == NULL)
  1410. {
  1411. SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
  1412. return -1;
  1413. }
  1414. s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
  1415. }
  1416. if (r == 2)
  1417. /* at callback's request, insist on receiving an appropriate server opaque PRF input */
  1418. s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
  1419. }
  1420. #endif
  1421. return 1;
  1422. }
  1423. int ssl_prepare_serverhello_tlsext(SSL *s)
  1424. {
  1425. #ifndef OPENSSL_NO_EC
  1426. /* If we are server and using an ECC cipher suite, send the point formats we support
  1427. * if the client sent us an ECPointsFormat extension. Note that the server is not
  1428. * supposed to send an EllipticCurves extension.
  1429. */
  1430. unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  1431. unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  1432. int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
  1433. using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
  1434. if (using_ecc)
  1435. {
  1436. if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
  1437. if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
  1438. {
  1439. SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
  1440. return -1;
  1441. }
  1442. s->tlsext_ecpointformatlist_length = 3;
  1443. s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
  1444. s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
  1445. s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
  1446. }
  1447. #endif /* OPENSSL_NO_EC */
  1448. return 1;
  1449. }
  1450. int ssl_check_clienthello_tlsext(SSL *s)
  1451. {
  1452. int ret=SSL_TLSEXT_ERR_NOACK;
  1453. int al = SSL_AD_UNRECOGNIZED_NAME;
  1454. #ifndef OPENSSL_NO_EC
  1455. /* The handling of the ECPointFormats extension is done elsewhere, namely in
  1456. * ssl3_choose_cipher in s3_lib.c.
  1457. */
  1458. /* The handling of the EllipticCurves extension is done elsewhere, namely in
  1459. * ssl3_choose_cipher in s3_lib.c.
  1460. */
  1461. #endif
  1462. if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
  1463. ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
  1464. else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
  1465. ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
  1466. /* If status request then ask callback what to do.
  1467. * Note: this must be called after servername callbacks in case
  1468. * the certificate has changed.
  1469. */
  1470. if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
  1471. {
  1472. int r;
  1473. r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
  1474. switch (r)
  1475. {
  1476. /* We don't want to send a status request response */
  1477. case SSL_TLSEXT_ERR_NOACK:
  1478. s->tlsext_status_expected = 0;
  1479. break;
  1480. /* status request response should be sent */
  1481. case SSL_TLSEXT_ERR_OK:
  1482. if (s->tlsext_ocsp_resp)
  1483. s->tlsext_status_expected = 1;
  1484. else
  1485. s->tlsext_status_expected = 0;
  1486. break;
  1487. /* something bad happened */
  1488. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1489. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1490. al = SSL_AD_INTERNAL_ERROR;
  1491. goto err;
  1492. }
  1493. }
  1494. else
  1495. s->tlsext_status_expected = 0;
  1496. #ifdef TLSEXT_TYPE_opaque_prf_input
  1497. {
  1498. /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
  1499. * but we might be sending an alert in response to the client hello,
  1500. * so this has to happen here in ssl_check_clienthello_tlsext(). */
  1501. int r = 1;
  1502. if (s->ctx->tlsext_opaque_prf_input_callback != 0)
  1503. {
  1504. r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
  1505. if (!r)
  1506. {
  1507. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1508. al = SSL_AD_INTERNAL_ERROR;
  1509. goto err;
  1510. }
  1511. }
  1512. if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
  1513. OPENSSL_free(s->s3->server_opaque_prf_input);
  1514. s->s3->server_opaque_prf_input = NULL;
  1515. if (s->tlsext_opaque_prf_input != NULL)
  1516. {
  1517. if (s->s3->client_opaque_prf_input != NULL &&
  1518. s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
  1519. {
  1520. /* can only use this extension if we have a server opaque PRF input
  1521. * of the same length as the client opaque PRF input! */
  1522. if (s->tlsext_opaque_prf_input_len == 0)
  1523. s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
  1524. else
  1525. s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
  1526. if (s->s3->server_opaque_prf_input == NULL)
  1527. {
  1528. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1529. al = SSL_AD_INTERNAL_ERROR;
  1530. goto err;
  1531. }
  1532. s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
  1533. }
  1534. }
  1535. if (r == 2 && s->s3->server_opaque_prf_input == NULL)
  1536. {
  1537. /* The callback wants to enforce use of the extension,
  1538. * but we can't do that with the client opaque PRF input;
  1539. * abort the handshake.
  1540. */
  1541. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1542. al = SSL_AD_HANDSHAKE_FAILURE;
  1543. }
  1544. }
  1545. #endif
  1546. err:
  1547. switch (ret)
  1548. {
  1549. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1550. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1551. return -1;
  1552. case SSL_TLSEXT_ERR_ALERT_WARNING:
  1553. ssl3_send_alert(s,SSL3_AL_WARNING,al);
  1554. return 1;
  1555. case SSL_TLSEXT_ERR_NOACK:
  1556. s->servername_done=0;
  1557. default:
  1558. return 1;
  1559. }
  1560. }
  1561. int ssl_check_serverhello_tlsext(SSL *s)
  1562. {
  1563. int ret=SSL_TLSEXT_ERR_NOACK;
  1564. int al = SSL_AD_UNRECOGNIZED_NAME;
  1565. #ifndef OPENSSL_NO_EC
  1566. /* If we are client and using an elliptic curve cryptography cipher
  1567. * suite, then if server returns an EC point formats lists extension
  1568. * it must contain uncompressed.
  1569. */
  1570. unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  1571. unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  1572. if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
  1573. (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
  1574. ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
  1575. {
  1576. /* we are using an ECC cipher */
  1577. size_t i;
  1578. unsigned char *list;
  1579. int found_uncompressed = 0;
  1580. list = s->session->tlsext_ecpointformatlist;
  1581. for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
  1582. {
  1583. if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
  1584. {
  1585. found_uncompressed = 1;
  1586. break;
  1587. }
  1588. }
  1589. if (!found_uncompressed)
  1590. {
  1591. SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
  1592. return -1;
  1593. }
  1594. }
  1595. ret = SSL_TLSEXT_ERR_OK;
  1596. #endif /* OPENSSL_NO_EC */
  1597. if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
  1598. ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
  1599. else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
  1600. ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
  1601. #ifdef TLSEXT_TYPE_opaque_prf_input
  1602. if (s->s3->server_opaque_prf_input_len > 0)
  1603. {
  1604. /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
  1605. * So first verify that we really have a value from the server too. */
  1606. if (s->s3->server_opaque_prf_input == NULL)
  1607. {
  1608. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1609. al = SSL_AD_HANDSHAKE_FAILURE;
  1610. }
  1611. /* Anytime the server *has* sent an opaque PRF input, we need to check
  1612. * that we have a client opaque PRF input of the same size. */
  1613. if (s->s3->client_opaque_prf_input == NULL ||
  1614. s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
  1615. {
  1616. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1617. al = SSL_AD_ILLEGAL_PARAMETER;
  1618. }
  1619. }
  1620. #endif
  1621. /* If we've requested certificate status and we wont get one
  1622. * tell the callback
  1623. */
  1624. if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
  1625. && s->ctx && s->ctx->tlsext_status_cb)
  1626. {
  1627. int r;
  1628. /* Set resp to NULL, resplen to -1 so callback knows
  1629. * there is no response.
  1630. */
  1631. if (s->tlsext_ocsp_resp)
  1632. {
  1633. OPENSSL_free(s->tlsext_ocsp_resp);
  1634. s->tlsext_ocsp_resp = NULL;
  1635. }
  1636. s->tlsext_ocsp_resplen = -1;
  1637. r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
  1638. if (r == 0)
  1639. {
  1640. al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
  1641. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1642. }
  1643. if (r < 0)
  1644. {
  1645. al = SSL_AD_INTERNAL_ERROR;
  1646. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  1647. }
  1648. }
  1649. switch (ret)
  1650. {
  1651. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1652. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1653. return -1;
  1654. case SSL_TLSEXT_ERR_ALERT_WARNING:
  1655. ssl3_send_alert(s,SSL3_AL_WARNING,al);
  1656. return 1;
  1657. case SSL_TLSEXT_ERR_NOACK:
  1658. s->servername_done=0;
  1659. default:
  1660. return 1;
  1661. }
  1662. }
  1663. /* Since the server cache lookup is done early on in the processing of the
  1664. * ClientHello, and other operations depend on the result, we need to handle
  1665. * any TLS session ticket extension at the same time.
  1666. *
  1667. * session_id: points at the session ID in the ClientHello. This code will
  1668. * read past the end of this in order to parse out the session ticket
  1669. * extension, if any.
  1670. * len: the length of the session ID.
  1671. * limit: a pointer to the first byte after the ClientHello.
  1672. * ret: (output) on return, if a ticket was decrypted, then this is set to
  1673. * point to the resulting session.
  1674. *
  1675. * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
  1676. * ciphersuite, in which case we have no use for session tickets and one will
  1677. * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
  1678. *
  1679. * Returns:
  1680. * -1: fatal error, either from parsing or decrypting the ticket.
  1681. * 0: no ticket was found (or was ignored, based on settings).
  1682. * 1: a zero length extension was found, indicating that the client supports
  1683. * session tickets but doesn't currently have one to offer.
  1684. * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
  1685. * couldn't be decrypted because of a non-fatal error.
  1686. * 3: a ticket was successfully decrypted and *ret was set.
  1687. *
  1688. * Side effects:
  1689. * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
  1690. * a new session ticket to the client because the client indicated support
  1691. * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
  1692. * a session ticket or we couldn't use the one it gave us, or if
  1693. * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
  1694. * Otherwise, s->tlsext_ticket_expected is set to 0.
  1695. */
  1696. int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
  1697. const unsigned char *limit, SSL_SESSION **ret)
  1698. {
  1699. /* Point after session ID in client hello */
  1700. const unsigned char *p = session_id + len;
  1701. unsigned short i;
  1702. *ret = NULL;
  1703. s->tlsext_ticket_expected = 0;
  1704. /* If tickets disabled behave as if no ticket present
  1705. * to permit stateful resumption.
  1706. */
  1707. if (SSL_get_options(s) & SSL_OP_NO_TICKET)
  1708. return 0;
  1709. if ((s->version <= SSL3_VERSION) || !limit)
  1710. return 0;
  1711. if (p >= limit)
  1712. return -1;
  1713. /* Skip past DTLS cookie */
  1714. if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
  1715. {
  1716. i = *(p++);
  1717. p+= i;
  1718. if (p >= limit)
  1719. return -1;
  1720. }
  1721. /* Skip past cipher list */
  1722. n2s(p, i);
  1723. p+= i;
  1724. if (p >= limit)
  1725. return -1;
  1726. /* Skip past compression algorithm list */
  1727. i = *(p++);
  1728. p += i;
  1729. if (p > limit)
  1730. return -1;
  1731. /* Now at start of extensions */
  1732. if ((p + 2) >= limit)
  1733. return 0;
  1734. n2s(p, i);
  1735. while ((p + 4) <= limit)
  1736. {
  1737. unsigned short type, size;
  1738. n2s(p, type);
  1739. n2s(p, size);
  1740. if (p + size > limit)
  1741. return 0;
  1742. if (type == TLSEXT_TYPE_session_ticket)
  1743. {
  1744. int r;
  1745. if (size == 0)
  1746. {
  1747. /* The client will accept a ticket but doesn't
  1748. * currently have one. */
  1749. s->tlsext_ticket_expected = 1;
  1750. return 1;
  1751. }
  1752. if (s->tls_session_secret_cb)
  1753. {
  1754. /* Indicate that the ticket couldn't be
  1755. * decrypted rather than generating the session
  1756. * from ticket now, trigger abbreviated
  1757. * handshake based on external mechanism to
  1758. * calculate the master secret later. */
  1759. return 2;
  1760. }
  1761. r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
  1762. switch (r)
  1763. {
  1764. case 2: /* ticket couldn't be decrypted */
  1765. s->tlsext_ticket_expected = 1;
  1766. return 2;
  1767. case 3: /* ticket was decrypted */
  1768. return r;
  1769. case 4: /* ticket decrypted but need to renew */
  1770. s->tlsext_ticket_expected = 1;
  1771. return 3;
  1772. default: /* fatal error */
  1773. return -1;
  1774. }
  1775. }
  1776. p += size;
  1777. }
  1778. return 0;
  1779. }
  1780. /* tls_decrypt_ticket attempts to decrypt a session ticket.
  1781. *
  1782. * etick: points to the body of the session ticket extension.
  1783. * eticklen: the length of the session tickets extenion.
  1784. * sess_id: points at the session ID.
  1785. * sesslen: the length of the session ID.
  1786. * psess: (output) on return, if a ticket was decrypted, then this is set to
  1787. * point to the resulting session.
  1788. *
  1789. * Returns:
  1790. * -1: fatal error, either from parsing or decrypting the ticket.
  1791. * 2: the ticket couldn't be decrypted.
  1792. * 3: a ticket was successfully decrypted and *psess was set.
  1793. * 4: same as 3, but the ticket needs to be renewed.
  1794. */
  1795. static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
  1796. const unsigned char *sess_id, int sesslen,
  1797. SSL_SESSION **psess)
  1798. {
  1799. SSL_SESSION *sess;
  1800. unsigned char *sdec;
  1801. const unsigned char *p;
  1802. int slen, mlen, renew_ticket = 0;
  1803. unsigned char tick_hmac[EVP_MAX_MD_SIZE];
  1804. HMAC_CTX hctx;
  1805. EVP_CIPHER_CTX ctx;
  1806. SSL_CTX *tctx = s->initial_ctx;
  1807. /* Need at least keyname + iv + some encrypted data */
  1808. if (eticklen < 48)
  1809. return 2;
  1810. /* Initialize session ticket encryption and HMAC contexts */
  1811. HMAC_CTX_init(&hctx);
  1812. EVP_CIPHER_CTX_init(&ctx);
  1813. if (tctx->tlsext_ticket_key_cb)
  1814. {
  1815. unsigned char *nctick = (unsigned char *)etick;
  1816. int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
  1817. &ctx, &hctx, 0);
  1818. if (rv < 0)
  1819. return -1;
  1820. if (rv == 0)
  1821. return 2;
  1822. if (rv == 2)
  1823. renew_ticket = 1;
  1824. }
  1825. else
  1826. {
  1827. /* Check key name matches */
  1828. if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
  1829. return 2;
  1830. HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
  1831. tlsext_tick_md(), NULL);
  1832. EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
  1833. tctx->tlsext_tick_aes_key, etick + 16);
  1834. }
  1835. /* Attempt to process session ticket, first conduct sanity and
  1836. * integrity checks on ticket.
  1837. */
  1838. mlen = HMAC_size(&hctx);
  1839. if (mlen < 0)
  1840. {
  1841. EVP_CIPHER_CTX_cleanup(&ctx);
  1842. return -1;
  1843. }
  1844. eticklen -= mlen;
  1845. /* Check HMAC of encrypted ticket */
  1846. HMAC_Update(&hctx, etick, eticklen);
  1847. HMAC_Final(&hctx, tick_hmac, NULL);
  1848. HMAC_CTX_cleanup(&hctx);
  1849. if (memcmp(tick_hmac, etick + eticklen, mlen))
  1850. return 2;
  1851. /* Attempt to decrypt session data */
  1852. /* Move p after IV to start of encrypted ticket, update length */
  1853. p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
  1854. eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
  1855. sdec = OPENSSL_malloc(eticklen);
  1856. if (!sdec)
  1857. {
  1858. EVP_CIPHER_CTX_cleanup(&ctx);
  1859. return -1;
  1860. }
  1861. EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
  1862. if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
  1863. return 2;
  1864. slen += mlen;
  1865. EVP_CIPHER_CTX_cleanup(&ctx);
  1866. p = sdec;
  1867. sess = d2i_SSL_SESSION(NULL, &p, slen);
  1868. OPENSSL_free(sdec);
  1869. if (sess)
  1870. {
  1871. /* The session ID, if non-empty, is used by some clients to
  1872. * detect that the ticket has been accepted. So we copy it to
  1873. * the session structure. If it is empty set length to zero
  1874. * as required by standard.
  1875. */
  1876. if (sesslen)
  1877. memcpy(sess->session_id, sess_id, sesslen);
  1878. sess->session_id_length = sesslen;
  1879. *psess = sess;
  1880. if (renew_ticket)
  1881. return 4;
  1882. else
  1883. return 3;
  1884. }
  1885. ERR_clear_error();
  1886. /* For session parse failure, indicate that we need to send a new
  1887. * ticket. */
  1888. return 2;
  1889. }
  1890. /* Tables to translate from NIDs to TLS v1.2 ids */
  1891. typedef struct
  1892. {
  1893. int nid;
  1894. int id;
  1895. } tls12_lookup;
  1896. static tls12_lookup tls12_md[] = {
  1897. #ifndef OPENSSL_NO_MD5
  1898. {NID_md5, TLSEXT_hash_md5},
  1899. #endif
  1900. #ifndef OPENSSL_NO_SHA
  1901. {NID_sha1, TLSEXT_hash_sha1},
  1902. #endif
  1903. #ifndef OPENSSL_NO_SHA256
  1904. {NID_sha224, TLSEXT_hash_sha224},
  1905. {NID_sha256, TLSEXT_hash_sha256},
  1906. #endif
  1907. #ifndef OPENSSL_NO_SHA512
  1908. {NID_sha384, TLSEXT_hash_sha384},
  1909. {NID_sha512, TLSEXT_hash_sha512}
  1910. #endif
  1911. };
  1912. static tls12_lookup tls12_sig[] = {
  1913. #ifndef OPENSSL_NO_RSA
  1914. {EVP_PKEY_RSA, TLSEXT_signature_rsa},
  1915. #endif
  1916. #ifndef OPENSSL_NO_RSA
  1917. {EVP_PKEY_DSA, TLSEXT_signature_dsa},
  1918. #endif
  1919. #ifndef OPENSSL_NO_ECDSA
  1920. {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
  1921. #endif
  1922. };
  1923. static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
  1924. {
  1925. size_t i;
  1926. for (i = 0; i < tlen; i++)
  1927. {
  1928. if (table[i].nid == nid)
  1929. return table[i].id;
  1930. }
  1931. return -1;
  1932. }
  1933. #if 0
  1934. static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
  1935. {
  1936. size_t i;
  1937. for (i = 0; i < tlen; i++)
  1938. {
  1939. if (table[i].id == id)
  1940. return table[i].nid;
  1941. }
  1942. return -1;
  1943. }
  1944. #endif
  1945. int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
  1946. {
  1947. int sig_id, md_id;
  1948. md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
  1949. sizeof(tls12_md)/sizeof(tls12_lookup));
  1950. if (md_id == -1)
  1951. return 0;
  1952. sig_id = tls12_get_sigid(pk);
  1953. if (sig_id == -1)
  1954. return 0;
  1955. p[0] = (unsigned char)md_id;
  1956. p[1] = (unsigned char)sig_id;
  1957. return 1;
  1958. }
  1959. int tls12_get_sigid(const EVP_PKEY *pk)
  1960. {
  1961. return tls12_find_id(pk->type, tls12_sig,
  1962. sizeof(tls12_sig)/sizeof(tls12_lookup));
  1963. }
  1964. const EVP_MD *tls12_get_hash(unsigned char hash_alg)
  1965. {
  1966. switch(hash_alg)
  1967. {
  1968. #ifndef OPENSSL_NO_MD5
  1969. case TLSEXT_hash_md5:
  1970. #ifdef OPENSSL_FIPS
  1971. if (FIPS_mode())
  1972. return NULL;
  1973. #endif
  1974. return EVP_md5();
  1975. #endif
  1976. #ifndef OPENSSL_NO_SHA
  1977. case TLSEXT_hash_sha1:
  1978. return EVP_sha1();
  1979. #endif
  1980. #ifndef OPENSSL_NO_SHA256
  1981. case TLSEXT_hash_sha224:
  1982. return EVP_sha224();
  1983. case TLSEXT_hash_sha256:
  1984. return EVP_sha256();
  1985. #endif
  1986. #ifndef OPENSSL_NO_SHA512
  1987. case TLSEXT_hash_sha384:
  1988. return EVP_sha384();
  1989. case TLSEXT_hash_sha512:
  1990. return EVP_sha512();
  1991. #endif
  1992. default:
  1993. return NULL;
  1994. }
  1995. }
  1996. /* Set preferred digest for each key type */
  1997. int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
  1998. {
  1999. int i, idx;
  2000. const EVP_MD *md;
  2001. CERT *c = s->cert;
  2002. /* Extension ignored for TLS versions below 1.2 */
  2003. if (TLS1_get_version(s) < TLS1_2_VERSION)
  2004. return 1;
  2005. /* Should never happen */
  2006. if (!c)
  2007. return 0;
  2008. c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
  2009. c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
  2010. c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
  2011. c->pkeys[SSL_PKEY_ECC].digest = NULL;
  2012. for (i = 0; i < dsize; i += 2)
  2013. {
  2014. unsigned char hash_alg = data[i], sig_alg = data[i+1];
  2015. switch(sig_alg)
  2016. {
  2017. #ifndef OPENSSL_NO_RSA
  2018. case TLSEXT_signature_rsa:
  2019. idx = SSL_PKEY_RSA_SIGN;
  2020. break;
  2021. #endif
  2022. #ifndef OPENSSL_NO_DSA
  2023. case TLSEXT_signature_dsa:
  2024. idx = SSL_PKEY_DSA_SIGN;
  2025. break;
  2026. #endif
  2027. #ifndef OPENSSL_NO_ECDSA
  2028. case TLSEXT_signature_ecdsa:
  2029. idx = SSL_PKEY_ECC;
  2030. break;
  2031. #endif
  2032. default:
  2033. continue;
  2034. }
  2035. if (c->pkeys[idx].digest == NULL)
  2036. {
  2037. md = tls12_get_hash(hash_alg);
  2038. if (md)
  2039. {
  2040. c->pkeys[idx].digest = md;
  2041. if (idx == SSL_PKEY_RSA_SIGN)
  2042. c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
  2043. }
  2044. }
  2045. }
  2046. /* Set any remaining keys to default values. NOTE: if alg is not
  2047. * supported it stays as NULL.
  2048. */
  2049. #ifndef OPENSSL_NO_DSA
  2050. if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
  2051. c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
  2052. #endif
  2053. #ifndef OPENSSL_NO_RSA
  2054. if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
  2055. {
  2056. c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
  2057. c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
  2058. }
  2059. #endif
  2060. #ifndef OPENSSL_NO_ECDSA
  2061. if (!c->pkeys[SSL_PKEY_ECC].digest)
  2062. c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
  2063. #endif
  2064. return 1;
  2065. }
  2066. #endif