projects / oweals / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
DTLS handshake fix.
[oweals/openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext_early(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
128 #endif
129
130 SSL3_ENC_METHOD TLSv1_enc_data={
131         tls1_enc,
132         tls1_mac,
133         tls1_setup_key_block,
134         tls1_generate_master_secret,
135         tls1_change_cipher_state,
136         tls1_final_finish_mac,
137         TLS1_FINISH_MAC_LENGTH,
138         tls1_cert_verify_mac,
139         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141         tls1_alert_code,
142         tls1_export_keying_material,
143         };
144
145 long tls1_default_timeout(void)
146         {
147         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148          * is way too long for http, the cache would over fill */
149         return(60*60*2);
150         }
151
152 int tls1_new(SSL *s)
153         {
154         if (!ssl3_new(s)) return(0);
155         s->method->ssl_clear(s);
156         return(1);
157         }
158
159 void tls1_free(SSL *s)
160         {
161 #ifndef OPENSSL_NO_TLSEXT
162         if (s->tlsext_session_ticket)
163                 {
164                 OPENSSL_free(s->tlsext_session_ticket);
165                 }
166 #endif /* OPENSSL_NO_TLSEXT */
167         ssl3_free(s);
168         }
169
170 void tls1_clear(SSL *s)
171         {
172         ssl3_clear(s);
173         s->version = s->method->version;
174         }
175
176 #ifndef OPENSSL_NO_EC
177
178 static int nid_list[] =
179         {
180                 NID_sect163k1, /* sect163k1 (1) */
181                 NID_sect163r1, /* sect163r1 (2) */
182                 NID_sect163r2, /* sect163r2 (3) */
183                 NID_sect193r1, /* sect193r1 (4) */ 
184                 NID_sect193r2, /* sect193r2 (5) */ 
185                 NID_sect233k1, /* sect233k1 (6) */
186                 NID_sect233r1, /* sect233r1 (7) */ 
187                 NID_sect239k1, /* sect239k1 (8) */ 
188                 NID_sect283k1, /* sect283k1 (9) */
189                 NID_sect283r1, /* sect283r1 (10) */ 
190                 NID_sect409k1, /* sect409k1 (11) */ 
191                 NID_sect409r1, /* sect409r1 (12) */
192                 NID_sect571k1, /* sect571k1 (13) */ 
193                 NID_sect571r1, /* sect571r1 (14) */ 
194                 NID_secp160k1, /* secp160k1 (15) */
195                 NID_secp160r1, /* secp160r1 (16) */ 
196                 NID_secp160r2, /* secp160r2 (17) */ 
197                 NID_secp192k1, /* secp192k1 (18) */
198                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
199                 NID_secp224k1, /* secp224k1 (20) */ 
200                 NID_secp224r1, /* secp224r1 (21) */
201                 NID_secp256k1, /* secp256k1 (22) */ 
202                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
203                 NID_secp384r1, /* secp384r1 (24) */
204                 NID_secp521r1  /* secp521r1 (25) */     
205         };
206
207
208 static const unsigned char ecformats_default[] = 
209         {
210         TLSEXT_ECPOINTFORMAT_uncompressed,
211         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
212         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
213         };
214
215 static const unsigned char eccurves_default[] =
216         {
217                 0,14, /* sect571r1 (14) */ 
218                 0,13, /* sect571k1 (13) */ 
219                 0,25, /* secp521r1 (25) */      
220                 0,11, /* sect409k1 (11) */ 
221                 0,12, /* sect409r1 (12) */
222                 0,24, /* secp384r1 (24) */
223                 0,9,  /* sect283k1 (9) */
224                 0,10, /* sect283r1 (10) */ 
225                 0,22, /* secp256k1 (22) */ 
226                 0,23, /* secp256r1 (23) */ 
227                 0,8,  /* sect239k1 (8) */ 
228                 0,6,  /* sect233k1 (6) */
229                 0,7,  /* sect233r1 (7) */ 
230                 0,20, /* secp224k1 (20) */ 
231                 0,21, /* secp224r1 (21) */
232                 0,4,  /* sect193r1 (4) */ 
233                 0,5,  /* sect193r2 (5) */ 
234                 0,18, /* secp192k1 (18) */
235                 0,19, /* secp192r1 (19) */ 
236                 0,1,  /* sect163k1 (1) */
237                 0,2,  /* sect163r1 (2) */
238                 0,3,  /* sect163r2 (3) */
239                 0,15, /* secp160k1 (15) */
240                 0,16, /* secp160r1 (16) */ 
241                 0,17, /* secp160r2 (17) */ 
242         };
243
244 static const unsigned char suiteb_curves[] =
245         {
246                 0, TLSEXT_curve_P_256,
247                 0, TLSEXT_curve_P_384
248         };
249
250 int tls1_ec_curve_id2nid(int curve_id)
251         {
252         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
253         if ((curve_id < 1) || ((unsigned int)curve_id >
254                                 sizeof(nid_list)/sizeof(nid_list[0])))
255                 return 0;
256         return nid_list[curve_id-1];
257         }
258
259 int tls1_ec_nid2curve_id(int nid)
260         {
261         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
262         switch (nid)
263                 {
264         case NID_sect163k1: /* sect163k1 (1) */
265                 return 1;
266         case NID_sect163r1: /* sect163r1 (2) */
267                 return 2;
268         case NID_sect163r2: /* sect163r2 (3) */
269                 return 3;
270         case NID_sect193r1: /* sect193r1 (4) */ 
271                 return 4;
272         case NID_sect193r2: /* sect193r2 (5) */ 
273                 return 5;
274         case NID_sect233k1: /* sect233k1 (6) */
275                 return 6;
276         case NID_sect233r1: /* sect233r1 (7) */ 
277                 return 7;
278         case NID_sect239k1: /* sect239k1 (8) */ 
279                 return 8;
280         case NID_sect283k1: /* sect283k1 (9) */
281                 return 9;
282         case NID_sect283r1: /* sect283r1 (10) */ 
283                 return 10;
284         case NID_sect409k1: /* sect409k1 (11) */ 
285                 return 11;
286         case NID_sect409r1: /* sect409r1 (12) */
287                 return 12;
288         case NID_sect571k1: /* sect571k1 (13) */ 
289                 return 13;
290         case NID_sect571r1: /* sect571r1 (14) */ 
291                 return 14;
292         case NID_secp160k1: /* secp160k1 (15) */
293                 return 15;
294         case NID_secp160r1: /* secp160r1 (16) */ 
295                 return 16;
296         case NID_secp160r2: /* secp160r2 (17) */ 
297                 return 17;
298         case NID_secp192k1: /* secp192k1 (18) */
299                 return 18;
300         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
301                 return 19;
302         case NID_secp224k1: /* secp224k1 (20) */ 
303                 return 20;
304         case NID_secp224r1: /* secp224r1 (21) */
305                 return 21;
306         case NID_secp256k1: /* secp256k1 (22) */ 
307                 return 22;
308         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
309                 return 23;
310         case NID_secp384r1: /* secp384r1 (24) */
311                 return 24;
312         case NID_secp521r1:  /* secp521r1 (25) */       
313                 return 25;
314         default:
315                 return 0;
316                 }
317         }
318 /* Get curves list, if "sess" is set return client curves otherwise
319  * preferred list
320  */
321 static void tls1_get_curvelist(SSL *s, int sess,
322                                         const unsigned char **pcurves,
323                                         size_t *pcurveslen)
324         {
325         if (sess)
326                 {
327                 *pcurves = s->session->tlsext_ellipticcurvelist;
328                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
329                 return;
330                 }
331         /* For Suite B mode only include P-256, P-384 */
332         switch (tls1_suiteb(s))
333                 {
334         case SSL_CERT_FLAG_SUITEB_128_LOS:
335                 *pcurves = suiteb_curves;
336                 *pcurveslen = sizeof(suiteb_curves);
337                 break;
338
339         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
340                 *pcurves = suiteb_curves;
341                 *pcurveslen = 2;
342                 break;
343
344         case SSL_CERT_FLAG_SUITEB_192_LOS:
345                 *pcurves = suiteb_curves + 2;
346                 *pcurveslen = 2;
347                 break;
348         default:
349                 *pcurves = s->tlsext_ellipticcurvelist;
350                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
351                 }
352         if (!*pcurves)
353                 {
354                 *pcurves = eccurves_default;
355                 *pcurveslen = sizeof(eccurves_default);
356                 }
357         }
358 /* Check a curve is one of our preferences */
359 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
360         {
361         const unsigned char *curves;
362         size_t curveslen, i;
363         unsigned int suiteb_flags = tls1_suiteb(s);
364         if (len != 3 || p[0] != NAMED_CURVE_TYPE)
365                 return 0;
366         /* Check curve matches Suite B preferences */
367         if (suiteb_flags)
368                 {
369                 unsigned long cid = s->s3->tmp.new_cipher->id;
370                 if (p[1])
371                         return 0;
372                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
373                         {
374                         if (p[2] != TLSEXT_curve_P_256)
375                                 return 0;
376                         }
377                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
378                         {
379                         if (p[2] != TLSEXT_curve_P_384)
380                                 return 0;
381                         }
382                 else    /* Should never happen */
383                         return 0;
384                 }
385         tls1_get_curvelist(s, 0, &curves, &curveslen);
386         for (i = 0; i < curveslen; i += 2, curves += 2)
387                 {
388                 if (p[1] == curves[0] && p[2] == curves[1])
389                         return 1;
390                 }
391         return 0;
392         }
393
394 /* Return nth shared curve. If nmatch == -1 return number of
395  * matches. For nmatch == -2 return the NID of the curve to use for
396  * an EC tmp key.
397  */
398
399 int tls1_shared_curve(SSL *s, int nmatch)
400         {
401         const unsigned char *pref, *supp;
402         size_t preflen, supplen, i, j;
403         int k;
404         /* Can't do anything on client side */
405         if (s->server == 0)
406                 return -1;
407         if (nmatch == -2)
408                 {
409                 if (tls1_suiteb(s))
410                         {
411                         /* For Suite B ciphersuite determines curve: we 
412                          * already know these are acceptable due to previous
413                          * checks.
414                          */
415                         unsigned long cid = s->s3->tmp.new_cipher->id;
416                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
417                                 return NID_X9_62_prime256v1; /* P-256 */
418                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
419                                 return NID_secp384r1; /* P-384 */
420                         /* Should never happen */
421                         return NID_undef;
422                         }
423                 /* If not Suite B just return first preference shared curve */
424                 nmatch = 0;
425                 }
426         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
427                                 &supp, &supplen);
428         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
429                                 &pref, &preflen);
430         preflen /= 2;
431         supplen /= 2;
432         k = 0;
433         for (i = 0; i < preflen; i++, pref+=2)
434                 {
435                 const unsigned char *tsupp = supp;
436                 for (j = 0; j < supplen; j++, tsupp+=2)
437                         {
438                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
439                                 {
440                                 if (nmatch == k)
441                                         {
442                                         int id = (pref[0] << 8) | pref[1];
443                                         return tls1_ec_curve_id2nid(id);
444                                         }
445                                 k++;
446                                 }
447                         }
448                 }
449         if (nmatch == -1)
450                 return k;
451         return 0;
452         }
453
454 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
455                         int *curves, size_t ncurves)
456         {
457         unsigned char *clist, *p;
458         size_t i;
459         /* Bitmap of curves included to detect duplicates: only works
460          * while curve ids < 32 
461          */
462         unsigned long dup_list = 0;
463         clist = OPENSSL_malloc(ncurves * 2);
464         if (!clist)
465                 return 0;
466         for (i = 0, p = clist; i < ncurves; i++)
467                 {
468                 unsigned long idmask;
469                 int id;
470                 id = tls1_ec_nid2curve_id(curves[i]);
471                 idmask = 1L << id;
472                 if (!id || (dup_list & idmask))
473                         {
474                         OPENSSL_free(clist);
475                         return 0;
476                         }
477                 dup_list |= idmask;
478                 s2n(id, p);
479                 }
480         if (*pext)
481                 OPENSSL_free(*pext);
482         *pext = clist;
483         *pextlen = ncurves * 2;
484         return 1;
485         }
486
487 #define MAX_CURVELIST   25
488
489 typedef struct
490         {
491         size_t nidcnt;
492         int nid_arr[MAX_CURVELIST];
493         } nid_cb_st;
494
495 static int nid_cb(const char *elem, int len, void *arg)
496         {
497         nid_cb_st *narg = arg;
498         size_t i;
499         int nid;
500         char etmp[20];
501         if (narg->nidcnt == MAX_CURVELIST)
502                 return 0;
503         if (len > (int)(sizeof(etmp) - 1))
504                 return 0;
505         memcpy(etmp, elem, len);
506         etmp[len] = 0;
507         nid = EC_curve_nist2nid(etmp);
508         if (nid == NID_undef)
509                 nid = OBJ_sn2nid(etmp);
510         if (nid == NID_undef)
511                 nid = OBJ_ln2nid(etmp);
512         if (nid == NID_undef)
513                 return 0;
514         for (i = 0; i < narg->nidcnt; i++)
515                 if (narg->nid_arr[i] == nid)
516                         return 0;
517         narg->nid_arr[narg->nidcnt++] = nid;
518         return 1;
519         }
520 /* Set curves based on a colon separate list */
521 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
522                                 const char *str)
523         {
524         nid_cb_st ncb;
525         ncb.nidcnt = 0;
526         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
527                 return 0;
528         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
529         }
530 /* For an EC key set TLS id and required compression based on parameters */
531 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
532                                 EC_KEY *ec)
533         {
534         int is_prime, id;
535         const EC_GROUP *grp;
536         const EC_POINT *pt;
537         const EC_METHOD *meth;
538         if (!ec)
539                 return 0;
540         /* Determine if it is a prime field */
541         grp = EC_KEY_get0_group(ec);
542         pt = EC_KEY_get0_public_key(ec);
543         if (!grp || !pt)
544                 return 0;
545         meth = EC_GROUP_method_of(grp);
546         if (!meth)
547                 return 0;
548         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
549                 is_prime = 1;
550         else
551                 is_prime = 0;
552         /* Determine curve ID */
553         id = EC_GROUP_get_curve_name(grp);
554         id = tls1_ec_nid2curve_id(id);
555         /* If we have an ID set it, otherwise set arbitrary explicit curve */
556         if (id)
557                 {
558                 curve_id[0] = 0;
559                 curve_id[1] = (unsigned char)id;
560                 }
561         else
562                 {
563                 curve_id[0] = 0xff;
564                 if (is_prime)
565                         curve_id[1] = 0x01;
566                 else
567                         curve_id[1] = 0x02;
568                 }
569         if (comp_id)
570                 {
571                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
572                         {
573                         if (is_prime)
574                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
575                         else
576                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
577                         }
578                 else
579                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
580                 }
581         return 1;
582         }
583 /* Check an EC key is compatible with extensions */
584 static int tls1_check_ec_key(SSL *s,
585                         unsigned char *curve_id, unsigned char *comp_id)
586         {
587         const unsigned char *p;
588         size_t plen, i;
589         int j;
590         /* If point formats extension present check it, otherwise everything
591          * is supported (see RFC4492).
592          */
593         if (comp_id && s->session->tlsext_ecpointformatlist)
594                 {
595                 p = s->session->tlsext_ecpointformatlist;
596                 plen = s->session->tlsext_ecpointformatlist_length;
597                 for (i = 0; i < plen; i++, p++)
598                         {
599                         if (*comp_id == *p)
600                                 break;
601                         }
602                 if (i == plen)
603                         return 0;
604                 }
605         if (!curve_id)
606                 return 1;
607         /* Check curve is consistent with client and server preferences */
608         for (j = 0; j <= 1; j++)
609                 {
610                 tls1_get_curvelist(s, j, &p, &plen);
611                 for (i = 0; i < plen; i+=2, p+=2)
612                         {
613                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
614                                 break;
615                         }
616                 if (i == plen)
617                         return 0;
618                 /* For clients can only check sent curve list */
619                 if (!s->server)
620                         return 1;
621                 }
622         return 1;
623         }
624
625 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
626                                         size_t *pformatslen)
627         {
628         /* If we have a custom point format list use it otherwise
629          * use default */
630         if (s->tlsext_ecpointformatlist)
631                 {
632                 *pformats = s->tlsext_ecpointformatlist;
633                 *pformatslen = s->tlsext_ecpointformatlist_length;
634                 }
635         else
636                 {
637                 *pformats = ecformats_default;
638                 /* For Suite B we don't support char2 fields */
639                 if (tls1_suiteb(s))
640                         *pformatslen = sizeof(ecformats_default) - 1;
641                 else
642                         *pformatslen = sizeof(ecformats_default);
643                 }
644         }
645
646 /* Check cert parameters compatible with extensions: currently just checks
647  * EC certificates have compatible curves and compression.
648  */
649 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
650         {
651         unsigned char comp_id, curve_id[2];
652         EVP_PKEY *pkey;
653         int rv;
654         pkey = X509_get_pubkey(x);
655         if (!pkey)
656                 return 0;
657         /* If not EC nothing to do */
658         if (pkey->type != EVP_PKEY_EC)
659                 {
660                 EVP_PKEY_free(pkey);
661                 return 1;
662                 }
663         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
664         EVP_PKEY_free(pkey);
665         if (!rv)
666                 return 0;
667         /* Can't check curve_id for client certs as we don't have a
668          * supported curves extension.
669          */
670         rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
671         if (!rv)
672                 return 0;
673         /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
674          * SHA384+P-384, adjust digest if necessary.
675          */
676         if (set_ee_md && tls1_suiteb(s))
677                 {
678                 int check_md;
679                 size_t i;
680                 CERT *c = s->cert;
681                 if (curve_id[0])
682                         return 0;
683                 /* Check to see we have necessary signing algorithm */
684                 if (curve_id[1] == TLSEXT_curve_P_256)
685                         check_md = NID_ecdsa_with_SHA256;
686                 else if (curve_id[1] == TLSEXT_curve_P_384)
687                         check_md = NID_ecdsa_with_SHA384;
688                 else
689                         return 0; /* Should never happen */
690                 for (i = 0; i < c->shared_sigalgslen; i++)
691                         if (check_md == c->shared_sigalgs[i].signandhash_nid)
692                                 break;
693                 if (i == c->shared_sigalgslen)
694                         return 0;
695                 if (set_ee_md == 2)
696                         {
697                         if (check_md == NID_ecdsa_with_SHA256)
698                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
699                         else
700                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
701                         }
702                 }
703         return rv;
704         }
705 /* Check EC temporary key is compatible with client extensions */
706 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
707         {
708         unsigned char curve_id[2];
709         EC_KEY *ec = s->cert->ecdh_tmp;
710 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
711         /* Allow any curve: not just those peer supports */
712         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
713                 return 1;
714 #endif
715         /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
716          * no other curves permitted.
717          */
718         if (tls1_suiteb(s))
719                 {
720                 /* Curve to check determined by ciphersuite */
721                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
722                         curve_id[1] = TLSEXT_curve_P_256;
723                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
724                         curve_id[1] = TLSEXT_curve_P_384;
725                 else
726                         return 0;
727                 curve_id[0] = 0;
728                 /* Check this curve is acceptable */
729                 if (!tls1_check_ec_key(s, curve_id, NULL))
730                         return 0;
731                 /* If auto or setting curve from callback assume OK */
732                 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
733                         return 1;
734                 /* Otherwise check curve is acceptable */
735                 else 
736                         {
737                         unsigned char curve_tmp[2];
738                         if (!ec)
739                                 return 0;
740                         if (!tls1_set_ec_id(curve_tmp, NULL, ec))
741                                 return 0;
742                         if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
743                                 return 1;
744                         return 0;
745                         }
746                         
747                 }
748         if (s->cert->ecdh_tmp_auto)
749                 {
750                 /* Need a shared curve */
751                 if (tls1_shared_curve(s, 0))
752                         return 1;
753                 else return 0;
754                 }
755         if (!ec)
756                 {
757                 if (s->cert->ecdh_tmp_cb)
758                         return 1;
759                 else
760                         return 0;
761                 }
762         if (!tls1_set_ec_id(curve_id, NULL, ec))
763                 return 0;
764 /* Set this to allow use of invalid curves for testing */
765 #if 0
766         return 1;
767 #else
768         return tls1_check_ec_key(s, curve_id, NULL);
769 #endif
770         }
771
772 #endif /* OPENSSL_NO_EC */
773
774 #ifndef OPENSSL_NO_TLSEXT
775
776 /* List of supported signature algorithms and hashes. Should make this
777  * customisable at some point, for now include everything we support.
778  */
779
780 #ifdef OPENSSL_NO_RSA
781 #define tlsext_sigalg_rsa(md) /* */
782 #else
783 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
784 #endif
785
786 #ifdef OPENSSL_NO_DSA
787 #define tlsext_sigalg_dsa(md) /* */
788 #else
789 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
790 #endif
791
792 #ifdef OPENSSL_NO_ECDSA
793 #define tlsext_sigalg_ecdsa(md) /* */
794 #else
795 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
796 #endif
797
798 #define tlsext_sigalg(md) \
799                 tlsext_sigalg_rsa(md) \
800                 tlsext_sigalg_dsa(md) \
801                 tlsext_sigalg_ecdsa(md)
802
803 static unsigned char tls12_sigalgs[] = {
804 #ifndef OPENSSL_NO_SHA512
805         tlsext_sigalg(TLSEXT_hash_sha512)
806         tlsext_sigalg(TLSEXT_hash_sha384)
807 #endif
808 #ifndef OPENSSL_NO_SHA256
809         tlsext_sigalg(TLSEXT_hash_sha256)
810         tlsext_sigalg(TLSEXT_hash_sha224)
811 #endif
812 #ifndef OPENSSL_NO_SHA
813         tlsext_sigalg(TLSEXT_hash_sha1)
814 #endif
815 #ifndef OPENSSL_NO_MD5
816         tlsext_sigalg_rsa(TLSEXT_hash_md5)
817 #endif
818 };
819
820 static unsigned char suiteb_sigalgs[] = {
821         tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
822         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
823 };
824
825 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
826         {
827         /* If Suite B mode use Suite B sigalgs only, ignore any other
828          * preferences.
829          */
830         switch (tls1_suiteb(s))
831                 {
832         case SSL_CERT_FLAG_SUITEB_128_LOS:
833                 *psigs = suiteb_sigalgs;
834                 return sizeof(suiteb_sigalgs);
835
836         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
837                 *psigs = suiteb_sigalgs;
838                 return 2;
839
840         case SSL_CERT_FLAG_SUITEB_192_LOS:
841                 *psigs = suiteb_sigalgs + 2;
842                 return 2;
843                 }
844
845         /* If server use client authentication sigalgs if not NULL */
846         if (s->server && s->cert->client_sigalgs)
847                 {
848                 *psigs = s->cert->client_sigalgs;
849                 return s->cert->client_sigalgslen;
850                 }
851         else if (s->cert->conf_sigalgs)
852                 {
853                 *psigs = s->cert->conf_sigalgs;
854                 return s->cert->conf_sigalgslen;
855                 }
856         else
857                 {
858                 *psigs = tls12_sigalgs;
859 #ifdef OPENSSL_FIPS
860                 /* If FIPS mode don't include MD5 which is last */
861                 if (FIPS_mode())
862                         return sizeof(tls12_sigalgs) - 2;
863                 else
864 #endif
865                         return sizeof(tls12_sigalgs);
866                 }
867         }
868 /* Check signature algorithm is consistent with sent supported signature
869  * algorithms and if so return relevant digest.
870  */
871 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
872                                 const unsigned char *sig, EVP_PKEY *pkey)
873         {
874         const unsigned char *sent_sigs;
875         size_t sent_sigslen, i;
876         int sigalg = tls12_get_sigid(pkey);
877         /* Should never happen */
878         if (sigalg == -1)
879                 return -1;
880         /* Check key type is consistent with signature */
881         if (sigalg != (int)sig[1])
882                 {
883                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
884                 return 0;
885                 }
886         if (pkey->type == EVP_PKEY_EC)
887                 {
888                 unsigned char curve_id[2], comp_id;
889                 /* Check compression and curve matches extensions */
890                 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
891                         return 0;
892                 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
893                         {
894                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_CURVE);
895                         return 0;
896                         }
897                 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
898                 if (tls1_suiteb(s))
899                         {
900                         if (curve_id[0])
901                                 return 0;
902                         if (curve_id[1] == TLSEXT_curve_P_256)
903                                 {
904                                 if (sig[0] != TLSEXT_hash_sha256)
905                                         {
906                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
907                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
908                                         return 0;
909                                         }
910                                 }
911                         else if (curve_id[1] == TLSEXT_curve_P_384)
912                                 {
913                                 if (sig[0] != TLSEXT_hash_sha384)
914                                         {
915                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
916                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
917                                         return 0;
918                                         }
919                                 }
920                         else
921                                 return 0;
922                         }
923                 }
924         else if (tls1_suiteb(s))
925                 return 0;
926
927         /* Check signature matches a type we sent */
928         sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
929         for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
930                 {
931                 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
932                         break;
933                 }
934         /* Allow fallback to SHA1 if not strict mode */
935         if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
936                 {
937                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
938                 return 0;
939                 }
940         *pmd = tls12_get_hash(sig[0]);
941         if (*pmd == NULL)
942                 {
943                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
944                 return 0;
945                 }
946         /* Store the digest used so applications can retrieve it if they
947          * wish.
948          */
949         if (s->session && s->session->sess_cert)
950                 s->session->sess_cert->peer_key->digest = *pmd;
951         return 1;
952         }
953 /* Get a mask of disabled algorithms: an algorithm is disabled
954  * if it isn't supported or doesn't appear in supported signature
955  * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
956  * session and not global settings.
957  * 
958  */
959 void ssl_set_client_disabled(SSL *s)
960         {
961         CERT *c = s->cert;
962         const unsigned char *sigalgs;
963         size_t i, sigalgslen;
964         int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
965         c->mask_a = 0;
966         c->mask_k = 0;
967         /* If less than TLS 1.2 don't allow TLS 1.2 only ciphers */
968         if (TLS1_get_client_version(s) < TLS1_2_VERSION)
969                 c->mask_ssl = SSL_TLSV1_2;
970         else
971                 c->mask_ssl = 0;
972         /* Now go through all signature algorithms seeing if we support
973          * any for RSA, DSA, ECDSA. Do this for all versions not just
974          * TLS 1.2.
975          */
976         sigalgslen = tls12_get_psigalgs(s, &sigalgs);
977         for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
978                 {
979                 switch(sigalgs[1])
980                         {
981 #ifndef OPENSSL_NO_RSA
982                 case TLSEXT_signature_rsa:
983                         have_rsa = 1;
984                         break;
985 #endif
986 #ifndef OPENSSL_NO_DSA
987                 case TLSEXT_signature_dsa:
988                         have_dsa = 1;
989                         break;
990 #endif
991 #ifndef OPENSSL_NO_ECDSA
992                 case TLSEXT_signature_ecdsa:
993                         have_ecdsa = 1;
994                         break;
995 #endif
996                         }
997                 }
998         /* Disable auth and static DH if we don't include any appropriate
999          * signature algorithms.
1000          */
1001         if (!have_rsa)
1002                 {
1003                 c->mask_a |= SSL_aRSA;
1004                 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1005                 }
1006         if (!have_dsa)
1007                 {
1008                 c->mask_a |= SSL_aDSS;
1009                 c->mask_k |= SSL_kDHd;
1010                 }
1011         if (!have_ecdsa)
1012                 {
1013                 c->mask_a |= SSL_aECDSA;
1014                 c->mask_k |= SSL_kECDHe;
1015                 }
1016 #ifndef OPENSSL_NO_KRB5
1017         if (!kssl_tgt_is_available(s->kssl_ctx))
1018                 {
1019                 c->mask_a |= SSL_aKRB5;
1020                 c->mask_k |= SSL_kKRB5;
1021                 }
1022 #endif
1023 #ifndef OPENSSL_NO_PSK
1024         /* with PSK there must be client callback set */
1025         if (!s->psk_client_callback)
1026                 {
1027                 c->mask_a |= SSL_aPSK;
1028                 c->mask_k |= SSL_kPSK;
1029                 }
1030 #endif /* OPENSSL_NO_PSK */
1031         c->valid = 1;
1032         }
1033
1034 /* byte_compare is a compare function for qsort(3) that compares bytes. */
1035 static int byte_compare(const void *in_a, const void *in_b)
1036         {
1037         unsigned char a = *((const unsigned char*) in_a);
1038         unsigned char b = *((const unsigned char*) in_b);
1039
1040         if (a > b)
1041                 return 1;
1042         else if (a < b)
1043                 return -1;
1044         return 0;
1045 }
1046
1047 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1048         {
1049         int extdatalen=0;
1050         unsigned char *ret = p;
1051 #ifndef OPENSSL_NO_EC
1052         /* See if we support any ECC ciphersuites */
1053         int using_ecc = 0;
1054         if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
1055                 {
1056                 int i;
1057                 unsigned long alg_k, alg_a;
1058                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1059
1060                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1061                         {
1062                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1063
1064                         alg_k = c->algorithm_mkey;
1065                         alg_a = c->algorithm_auth;
1066                         if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
1067                                 || (alg_a & SSL_aECDSA)))
1068                                 {
1069                                 using_ecc = 1;
1070                                 break;
1071                                 }
1072                         }
1073                 }
1074 #endif
1075
1076         /* don't add extensions for SSLv3 unless doing secure renegotiation */
1077         if (s->client_version == SSL3_VERSION
1078                                         && !s->s3->send_connection_binding)
1079                 return p;
1080
1081         ret+=2;
1082
1083         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1084
1085         if (s->tlsext_hostname != NULL)
1086                 { 
1087                 /* Add TLS extension servername to the Client Hello message */
1088                 unsigned long size_str;
1089                 long lenmax; 
1090
1091                 /* check for enough space.
1092                    4 for the servername type and entension length
1093                    2 for servernamelist length
1094                    1 for the hostname type
1095                    2 for hostname length
1096                    + hostname length 
1097                 */
1098                    
1099                 if ((lenmax = limit - ret - 9) < 0 
1100                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
1101                         return NULL;
1102                         
1103                 /* extension type and length */
1104                 s2n(TLSEXT_TYPE_server_name,ret); 
1105                 s2n(size_str+5,ret);
1106                 
1107                 /* length of servername list */
1108                 s2n(size_str+3,ret);
1109         
1110                 /* hostname type, length and hostname */
1111                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1112                 s2n(size_str,ret);
1113                 memcpy(ret, s->tlsext_hostname, size_str);
1114                 ret+=size_str;
1115                 }
1116
1117         /* Add RI if renegotiating */
1118         if (s->renegotiate)
1119           {
1120           int el;
1121           
1122           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1123               {
1124               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1125               return NULL;
1126               }
1127
1128           if((limit - p - 4 - el) < 0) return NULL;
1129           
1130           s2n(TLSEXT_TYPE_renegotiate,ret);
1131           s2n(el,ret);
1132
1133           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1134               {
1135               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1136               return NULL;
1137               }
1138
1139           ret += el;
1140         }
1141
1142 #ifndef OPENSSL_NO_SRP
1143         /* Add SRP username if there is one */
1144         if (s->srp_ctx.login != NULL)
1145                 { /* Add TLS extension SRP username to the Client Hello message */
1146
1147                 int login_len = strlen(s->srp_ctx.login);       
1148                 if (login_len > 255 || login_len == 0)
1149                         {
1150                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1151                         return NULL;
1152                         } 
1153
1154                 /* check for enough space.
1155                    4 for the srp type type and entension length
1156                    1 for the srp user identity
1157                    + srp user identity length 
1158                 */
1159                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
1160
1161                 /* fill in the extension */
1162                 s2n(TLSEXT_TYPE_srp,ret);
1163                 s2n(login_len+1,ret);
1164                 (*ret++) = (unsigned char) login_len;
1165                 memcpy(ret, s->srp_ctx.login, login_len);
1166                 ret+=login_len;
1167                 }
1168 #endif
1169
1170 #ifndef OPENSSL_NO_EC
1171         if (using_ecc)
1172                 {
1173                 /* Add TLS extension ECPointFormats to the ClientHello message */
1174                 long lenmax; 
1175                 const unsigned char *plist;
1176                 size_t plistlen;
1177
1178                 tls1_get_formatlist(s, &plist, &plistlen);
1179
1180                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1181                 if (plistlen > (size_t)lenmax) return NULL;
1182                 if (plistlen > 255)
1183                         {
1184                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1185                         return NULL;
1186                         }
1187                 
1188                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1189                 s2n(plistlen + 1,ret);
1190                 *(ret++) = (unsigned char)plistlen ;
1191                 memcpy(ret, plist, plistlen);
1192                 ret+=plistlen;
1193
1194                 /* Add TLS extension EllipticCurves to the ClientHello message */
1195                 plist = s->tlsext_ellipticcurvelist;
1196                 tls1_get_curvelist(s, 0, &plist, &plistlen);
1197
1198                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
1199                 if (plistlen > (size_t)lenmax) return NULL;
1200                 if (plistlen > 65532)
1201                         {
1202                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1203                         return NULL;
1204                         }
1205                 
1206                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1207                 s2n(plistlen + 2, ret);
1208
1209                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1210                  * elliptic_curve_list, but the examples use two bytes.
1211                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1212                  * resolves this to two bytes.
1213                  */
1214                 s2n(plistlen, ret);
1215                 memcpy(ret, plist, plistlen);
1216                 ret+=plistlen;
1217                 }
1218 #endif /* OPENSSL_NO_EC */
1219
1220         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
1221                 {
1222                 int ticklen;
1223                 if (!s->new_session && s->session && s->session->tlsext_tick)
1224                         ticklen = s->session->tlsext_ticklen;
1225                 else if (s->session && s->tlsext_session_ticket &&
1226                          s->tlsext_session_ticket->data)
1227                         {
1228                         ticklen = s->tlsext_session_ticket->length;
1229                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1230                         if (!s->session->tlsext_tick)
1231                                 return NULL;
1232                         memcpy(s->session->tlsext_tick,
1233                                s->tlsext_session_ticket->data,
1234                                ticklen);
1235                         s->session->tlsext_ticklen = ticklen;
1236                         }
1237                 else
1238                         ticklen = 0;
1239                 if (ticklen == 0 && s->tlsext_session_ticket &&
1240                     s->tlsext_session_ticket->data == NULL)
1241                         goto skip_ext;
1242                 /* Check for enough room 2 for extension type, 2 for len
1243                  * rest for ticket
1244                  */
1245                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1246                 s2n(TLSEXT_TYPE_session_ticket,ret); 
1247                 s2n(ticklen,ret);
1248                 if (ticklen)
1249                         {
1250                         memcpy(ret, s->session->tlsext_tick, ticklen);
1251                         ret += ticklen;
1252                         }
1253                 }
1254                 skip_ext:
1255
1256         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
1257                 {
1258                 size_t salglen;
1259                 const unsigned char *salg;
1260                 salglen = tls12_get_psigalgs(s, &salg);
1261                 if ((size_t)(limit - ret) < salglen + 6)
1262                         return NULL; 
1263                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1264                 s2n(salglen + 2, ret);
1265                 s2n(salglen, ret);
1266                 memcpy(ret, salg, salglen);
1267                 ret += salglen;
1268                 }
1269
1270 #ifdef TLSEXT_TYPE_opaque_prf_input
1271         if (s->s3->client_opaque_prf_input != NULL &&
1272             s->version != DTLS1_VERSION)
1273                 {
1274                 size_t col = s->s3->client_opaque_prf_input_len;
1275                 
1276                 if ((long)(limit - ret - 6 - col < 0))
1277                         return NULL;
1278                 if (col > 0xFFFD) /* can't happen */
1279                         return NULL;
1280
1281                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1282                 s2n(col + 2, ret);
1283                 s2n(col, ret);
1284                 memcpy(ret, s->s3->client_opaque_prf_input, col);
1285                 ret += col;
1286                 }
1287 #endif
1288
1289         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
1290             s->version != DTLS1_VERSION)
1291                 {
1292                 int i;
1293                 long extlen, idlen, itmp;
1294                 OCSP_RESPID *id;
1295
1296                 idlen = 0;
1297                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1298                         {
1299                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1300                         itmp = i2d_OCSP_RESPID(id, NULL);
1301                         if (itmp <= 0)
1302                                 return NULL;
1303                         idlen += itmp + 2;
1304                         }
1305
1306                 if (s->tlsext_ocsp_exts)
1307                         {
1308                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1309                         if (extlen < 0)
1310                                 return NULL;
1311                         }
1312                 else
1313                         extlen = 0;
1314                         
1315                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1316                 s2n(TLSEXT_TYPE_status_request, ret);
1317                 if (extlen + idlen > 0xFFF0)
1318                         return NULL;
1319                 s2n(extlen + idlen + 5, ret);
1320                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1321                 s2n(idlen, ret);
1322                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1323                         {
1324                         /* save position of id len */
1325                         unsigned char *q = ret;
1326                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1327                         /* skip over id len */
1328                         ret += 2;
1329                         itmp = i2d_OCSP_RESPID(id, &ret);
1330                         /* write id len */
1331                         s2n(itmp, q);
1332                         }
1333                 s2n(extlen, ret);
1334                 if (extlen > 0)
1335                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1336                 }
1337
1338 #ifndef OPENSSL_NO_HEARTBEATS
1339         /* Add Heartbeat extension */
1340         s2n(TLSEXT_TYPE_heartbeat,ret);
1341         s2n(1,ret);
1342         /* Set mode:
1343          * 1: peer may send requests
1344          * 2: peer not allowed to send requests
1345          */
1346         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1347                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1348         else
1349                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1350 #endif
1351
1352 #ifndef OPENSSL_NO_NEXTPROTONEG
1353         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1354                 {
1355                 /* The client advertises an emtpy extension to indicate its
1356                  * support for Next Protocol Negotiation */
1357                 if (limit - ret - 4 < 0)
1358                         return NULL;
1359                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1360                 s2n(0,ret);
1361                 }
1362 #endif
1363
1364         if(SSL_get_srtp_profiles(s))
1365                 {
1366                 int el;
1367
1368                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1369                 
1370                 if((limit - p - 4 - el) < 0) return NULL;
1371
1372                 s2n(TLSEXT_TYPE_use_srtp,ret);
1373                 s2n(el,ret);
1374
1375                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1376                         {
1377                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1378                         return NULL;
1379                         }
1380                 ret += el;
1381                 }
1382
1383         /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1384         /* 2 bytes for extension type */
1385         /* 2 bytes for extension length */
1386         /* 1 byte for the list length */
1387         /* 1 byte for the list (we only support audit proofs) */
1388         if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1389                 {
1390                 const unsigned short ext_len = 2;
1391                 const unsigned char list_len = 1;
1392
1393                 if (limit < ret + 6)
1394                         return NULL;
1395
1396                 s2n(TLSEXT_TYPE_server_authz, ret);
1397                 /* Extension length: 2 bytes */
1398                 s2n(ext_len, ret);
1399                 *(ret++) = list_len;
1400                 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1401                 }
1402
1403         /* Add custom TLS Extensions to ClientHello */
1404         if (s->ctx->custom_cli_ext_records_count)
1405                 {
1406                 size_t i;
1407                 custom_cli_ext_record* record;
1408
1409                 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
1410                         {
1411                         const unsigned char* out = NULL;
1412                         unsigned short outlen = 0;
1413
1414                         record = &s->ctx->custom_cli_ext_records[i];
1415                         /* NULL callback sends empty extension */ 
1416                         /* -1 from callback omits extension */
1417                         if (record->fn1)
1418                                 {
1419                                 int cb_retval = 0;
1420                                 cb_retval = record->fn1(s, record->ext_type,
1421                                                         &out, &outlen,
1422                                                         record->arg);
1423                                 if (cb_retval == 0)
1424                                         return NULL; /* error */
1425                                 if (cb_retval == -1)
1426                                         continue; /* skip this extension */
1427                                 }
1428                         if (limit < ret + 4 + outlen)
1429                                 return NULL;
1430                         s2n(record->ext_type, ret);
1431                         s2n(outlen, ret);
1432                         memcpy(ret, out, outlen);
1433                         ret += outlen;
1434                         }
1435                 }
1436
1437         if ((extdatalen = ret-p-2) == 0)
1438                 return p;
1439
1440         s2n(extdatalen,p);
1441         return ret;
1442         }
1443
1444 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1445         {
1446         int extdatalen=0;
1447         unsigned char *ret = p;
1448 #ifndef OPENSSL_NO_NEXTPROTONEG
1449         int next_proto_neg_seen;
1450 #endif
1451         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1452         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1453         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1454         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1455
1456         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1457         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1458                 return p;
1459         
1460         ret+=2;
1461         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1462
1463         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1464                 { 
1465                 if ((long)(limit - ret - 4) < 0) return NULL; 
1466
1467                 s2n(TLSEXT_TYPE_server_name,ret);
1468                 s2n(0,ret);
1469                 }
1470
1471         if(s->s3->send_connection_binding)
1472         {
1473           int el;
1474           
1475           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1476               {
1477               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1478               return NULL;
1479               }
1480
1481           if((limit - p - 4 - el) < 0) return NULL;
1482           
1483           s2n(TLSEXT_TYPE_renegotiate,ret);
1484           s2n(el,ret);
1485
1486           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1487               {
1488               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1489               return NULL;
1490               }
1491
1492           ret += el;
1493         }
1494
1495 #ifndef OPENSSL_NO_EC
1496         if (using_ecc && s->version != DTLS1_VERSION)
1497                 {
1498                 const unsigned char *plist;
1499                 size_t plistlen;
1500                 /* Add TLS extension ECPointFormats to the ServerHello message */
1501                 long lenmax; 
1502
1503                 tls1_get_formatlist(s, &plist, &plistlen);
1504
1505                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1506                 if (plistlen > (size_t)lenmax) return NULL;
1507                 if (plistlen > 255)
1508                         {
1509                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1510                         return NULL;
1511                         }
1512                 
1513                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1514                 s2n(plistlen + 1,ret);
1515                 *(ret++) = (unsigned char) plistlen;
1516                 memcpy(ret, plist, plistlen);
1517                 ret+=plistlen;
1518
1519                 }
1520         /* Currently the server should not respond with a SupportedCurves extension */
1521 #endif /* OPENSSL_NO_EC */
1522
1523         if (s->tlsext_ticket_expected
1524                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
1525                 { 
1526                 if ((long)(limit - ret - 4) < 0) return NULL; 
1527                 s2n(TLSEXT_TYPE_session_ticket,ret);
1528                 s2n(0,ret);
1529                 }
1530
1531         if (s->tlsext_status_expected)
1532                 { 
1533                 if ((long)(limit - ret - 4) < 0) return NULL; 
1534                 s2n(TLSEXT_TYPE_status_request,ret);
1535                 s2n(0,ret);
1536                 }
1537
1538 #ifdef TLSEXT_TYPE_opaque_prf_input
1539         if (s->s3->server_opaque_prf_input != NULL &&
1540             s->version != DTLS1_VERSION)
1541                 {
1542                 size_t sol = s->s3->server_opaque_prf_input_len;
1543                 
1544                 if ((long)(limit - ret - 6 - sol) < 0)
1545                         return NULL;
1546                 if (sol > 0xFFFD) /* can't happen */
1547                         return NULL;
1548
1549                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1550                 s2n(sol + 2, ret);
1551                 s2n(sol, ret);
1552                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1553                 ret += sol;
1554                 }
1555 #endif
1556
1557         if(s->srtp_profile)
1558                 {
1559                 int el;
1560
1561                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1562                 
1563                 if((limit - p - 4 - el) < 0) return NULL;
1564
1565                 s2n(TLSEXT_TYPE_use_srtp,ret);
1566                 s2n(el,ret);
1567
1568                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1569                         {
1570                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1571                         return NULL;
1572                         }
1573                 ret+=el;
1574                 }
1575
1576         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1577                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1578                 { const unsigned char cryptopro_ext[36] = {
1579                         0xfd, 0xe8, /*65000*/
1580                         0x00, 0x20, /*32 bytes length*/
1581                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1582                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1583                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1584                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1585                         if (limit-ret<36) return NULL;
1586                         memcpy(ret,cryptopro_ext,36);
1587                         ret+=36;
1588
1589                 }
1590
1591 #ifndef OPENSSL_NO_HEARTBEATS
1592         /* Add Heartbeat extension if we've received one */
1593         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1594                 {
1595                 s2n(TLSEXT_TYPE_heartbeat,ret);
1596                 s2n(1,ret);
1597                 /* Set mode:
1598                  * 1: peer may send requests
1599                  * 2: peer not allowed to send requests
1600                  */
1601                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1602                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1603                 else
1604                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1605
1606                 }
1607 #endif
1608
1609 #ifndef OPENSSL_NO_NEXTPROTONEG
1610         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1611         s->s3->next_proto_neg_seen = 0;
1612         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1613                 {
1614                 const unsigned char *npa;
1615                 unsigned int npalen;
1616                 int r;
1617
1618                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1619                 if (r == SSL_TLSEXT_ERR_OK)
1620                         {
1621                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1622                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1623                         s2n(npalen,ret);
1624                         memcpy(ret, npa, npalen);
1625                         ret += npalen;
1626                         s->s3->next_proto_neg_seen = 1;
1627                         }
1628                 }
1629 #endif
1630
1631         /* If the client supports authz then see whether we have any to offer
1632          * to it. */
1633         if (s->s3->tlsext_authz_client_types_len)
1634                 {
1635                 size_t authz_length;
1636                 /* By now we already know the new cipher, so we can look ahead
1637                  * to see whether the cert we are going to send
1638                  * has any authz data attached to it. */
1639                 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1640                 const unsigned char* const orig_authz = authz;
1641                 size_t i;
1642                 unsigned authz_count = 0;
1643
1644                 /* The authz data contains a number of the following structures:
1645                  *      uint8_t authz_type
1646                  *      uint16_t length
1647                  *      uint8_t data[length]
1648                  *
1649                  * First we walk over it to find the number of authz elements. */
1650                 for (i = 0; i < authz_length; i++)
1651                         {
1652                         unsigned short length;
1653                         unsigned char type;
1654
1655                         type = *(authz++);
1656                         if (memchr(s->s3->tlsext_authz_client_types,
1657                                    type,
1658                                    s->s3->tlsext_authz_client_types_len) != NULL)
1659                                 authz_count++;
1660
1661                         n2s(authz, length);
1662                         /* n2s increments authz by 2 */
1663                         i += 2;
1664                         authz += length;
1665                         i += length;
1666                         }
1667
1668                 if (authz_count)
1669                         {
1670                         /* Add TLS extension server_authz to the ServerHello message
1671                          * 2 bytes for extension type
1672                          * 2 bytes for extension length
1673                          * 1 byte for the list length
1674                          * n bytes for the list */
1675                         const unsigned short ext_len = 1 + authz_count;
1676
1677                         if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1678                         s2n(TLSEXT_TYPE_server_authz, ret);
1679                         s2n(ext_len, ret);
1680                         *(ret++) = authz_count;
1681                         s->s3->tlsext_authz_promised_to_client = 1;
1682                         }
1683
1684                 authz = orig_authz;
1685                 for (i = 0; i < authz_length; i++)
1686                         {
1687                         unsigned short length;
1688                         unsigned char type;
1689
1690                         authz_count++;
1691                         type = *(authz++);
1692                         if (memchr(s->s3->tlsext_authz_client_types,
1693                                    type,
1694                                    s->s3->tlsext_authz_client_types_len) != NULL)
1695                                 *(ret++) = type;
1696                         n2s(authz, length);
1697                         /* n2s increments authz by 2 */
1698                         i += 2;
1699                         authz += length;
1700                         i += length;
1701                         }
1702                 }
1703
1704         /* If custom types were sent in ClientHello, add ServerHello responses */
1705         if (s->s3->tlsext_custom_types_count)
1706                 {
1707                 size_t i;
1708
1709                 for (i = 0; i < s->s3->tlsext_custom_types_count; i++)
1710                         {
1711                         size_t j;
1712                         custom_srv_ext_record *record;
1713
1714                         for (j = 0; j < s->ctx->custom_srv_ext_records_count; j++)
1715                                 {
1716                                 record = &s->ctx->custom_srv_ext_records[j];
1717                                 if (s->s3->tlsext_custom_types[i] == record->ext_type)
1718                                         {
1719                                         const unsigned char *out = NULL;
1720                                         unsigned short outlen = 0;
1721                                         int cb_retval = 0;
1722
1723                                         /* NULL callback or -1 omits extension */
1724                                         if (!record->fn2)
1725                                                 break;
1726                                         cb_retval = record->fn2(s, record->ext_type,
1727                                                                 &out, &outlen,
1728                                                                 record->arg);
1729                                         if (cb_retval == 0)
1730                                                 return NULL; /* error */
1731                                         if (cb_retval == -1)
1732                                                 break; /* skip this extension */
1733                                         if (limit < ret + 4 + outlen)
1734                                                 return NULL;
1735                                         s2n(record->ext_type, ret);
1736                                         s2n(outlen, ret);
1737                                         memcpy(ret, out, outlen);
1738                                         ret += outlen;
1739                                         break;
1740                                         }
1741                                 }
1742                         }
1743                 }
1744
1745         if ((extdatalen = ret-p-2)== 0) 
1746                 return p;
1747
1748         s2n(extdatalen,p);
1749         return ret;
1750         }
1751
1752 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1753         {       
1754         unsigned short type;
1755         unsigned short size;
1756         unsigned short len;
1757         unsigned char *data = *p;
1758         int renegotiate_seen = 0;
1759         size_t i;
1760
1761         s->servername_done = 0;
1762         s->tlsext_status_type = -1;
1763 #ifndef OPENSSL_NO_NEXTPROTONEG
1764         s->s3->next_proto_neg_seen = 0;
1765 #endif
1766
1767 #ifndef OPENSSL_NO_HEARTBEATS
1768         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1769                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1770 #endif
1771         /* Clear any signature algorithms extension received */
1772         if (s->cert->peer_sigalgs)
1773                 {
1774                 OPENSSL_free(s->cert->peer_sigalgs);
1775                 s->cert->peer_sigalgs = NULL;
1776                 }
1777         /* Clear any shared sigtnature algorithms */
1778         if (s->cert->shared_sigalgs)
1779                 {
1780                 OPENSSL_free(s->cert->shared_sigalgs);
1781                 s->cert->shared_sigalgs = NULL;
1782                 }
1783         /* Clear certificate digests and validity flags */
1784         for (i = 0; i < SSL_PKEY_NUM; i++)
1785                 {
1786                 s->cert->pkeys[i].digest = NULL;
1787                 s->cert->pkeys[i].valid_flags = 0;
1788                 }
1789
1790         if (data >= (d+n-2))
1791                 goto ri_check;
1792         n2s(data,len);
1793
1794         if (data > (d+n-len)) 
1795                 goto ri_check;
1796
1797         while (data <= (d+n-4))
1798                 {
1799                 n2s(data,type);
1800                 n2s(data,size);
1801
1802                 if (data+size > (d+n))
1803                         goto ri_check;
1804 #if 0
1805                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1806 #endif
1807                 if (s->tlsext_debug_cb)
1808                         s->tlsext_debug_cb(s, 0, type, data, size,
1809                                                 s->tlsext_debug_arg);
1810 /* The servername extension is treated as follows:
1811
1812    - Only the hostname type is supported with a maximum length of 255.
1813    - The servername is rejected if too long or if it contains zeros,
1814      in which case an fatal alert is generated.
1815    - The servername field is maintained together with the session cache.
1816    - When a session is resumed, the servername call back invoked in order
1817      to allow the application to position itself to the right context. 
1818    - The servername is acknowledged if it is new for a session or when 
1819      it is identical to a previously used for the same session. 
1820      Applications can control the behaviour.  They can at any time
1821      set a 'desirable' servername for a new SSL object. This can be the
1822      case for example with HTTPS when a Host: header field is received and
1823      a renegotiation is requested. In this case, a possible servername
1824      presented in the new client hello is only acknowledged if it matches
1825      the value of the Host: field. 
1826    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1827      if they provide for changing an explicit servername context for the session,
1828      i.e. when the session has been established with a servername extension. 
1829    - On session reconnect, the servername extension may be absent. 
1830
1831 */      
1832
1833                 if (type == TLSEXT_TYPE_server_name)
1834                         {
1835                         unsigned char *sdata;
1836                         int servname_type;
1837                         int dsize; 
1838                 
1839                         if (size < 2) 
1840                                 {
1841                                 *al = SSL_AD_DECODE_ERROR;
1842                                 return 0;
1843                                 }
1844                         n2s(data,dsize);  
1845                         size -= 2;
1846                         if (dsize > size  ) 
1847                                 {
1848                                 *al = SSL_AD_DECODE_ERROR;
1849                                 return 0;
1850                                 } 
1851
1852                         sdata = data;
1853                         while (dsize > 3) 
1854                                 {
1855                                 servname_type = *(sdata++); 
1856                                 n2s(sdata,len);
1857                                 dsize -= 3;
1858
1859                                 if (len > dsize) 
1860                                         {
1861                                         *al = SSL_AD_DECODE_ERROR;
1862                                         return 0;
1863                                         }
1864                                 if (s->servername_done == 0)
1865                                 switch (servname_type)
1866                                         {
1867                                 case TLSEXT_NAMETYPE_host_name:
1868                                         if (!s->hit)
1869                                                 {
1870                                                 if(s->session->tlsext_hostname)
1871                                                         {
1872                                                         *al = SSL_AD_DECODE_ERROR;
1873                                                         return 0;
1874                                                         }
1875                                                 if (len > TLSEXT_MAXLEN_host_name)
1876                                                         {
1877                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1878                                                         return 0;
1879                                                         }
1880                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1881                                                         {
1882                                                         *al = TLS1_AD_INTERNAL_ERROR;
1883                                                         return 0;
1884                                                         }
1885                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1886                                                 s->session->tlsext_hostname[len]='\0';
1887                                                 if (strlen(s->session->tlsext_hostname) != len) {
1888                                                         OPENSSL_free(s->session->tlsext_hostname);
1889                                                         s->session->tlsext_hostname = NULL;
1890                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1891                                                         return 0;
1892                                                 }
1893                                                 s->servername_done = 1; 
1894
1895                                                 }
1896                                         else 
1897                                                 s->servername_done = s->session->tlsext_hostname
1898                                                         && strlen(s->session->tlsext_hostname) == len 
1899                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1900                                         
1901                                         break;
1902
1903                                 default:
1904                                         break;
1905                                         }
1906                                  
1907                                 dsize -= len;
1908                                 }
1909                         if (dsize != 0) 
1910                                 {
1911                                 *al = SSL_AD_DECODE_ERROR;
1912                                 return 0;
1913                                 }
1914
1915                         }
1916 #ifndef OPENSSL_NO_SRP
1917                 else if (type == TLSEXT_TYPE_srp)
1918                         {
1919                         if (size <= 0 || ((len = data[0])) != (size -1))
1920                                 {
1921                                 *al = SSL_AD_DECODE_ERROR;
1922                                 return 0;
1923                                 }
1924                         if (s->srp_ctx.login != NULL)
1925                                 {
1926                                 *al = SSL_AD_DECODE_ERROR;
1927                                 return 0;
1928                                 }
1929                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1930                                 return -1;
1931                         memcpy(s->srp_ctx.login, &data[1], len);
1932                         s->srp_ctx.login[len]='\0';
1933   
1934                         if (strlen(s->srp_ctx.login) != len) 
1935                                 {
1936                                 *al = SSL_AD_DECODE_ERROR;
1937                                 return 0;
1938                                 }
1939                         }
1940 #endif
1941
1942 #ifndef OPENSSL_NO_EC
1943                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1944                      s->version != DTLS1_VERSION)
1945                         {
1946                         unsigned char *sdata = data;
1947                         int ecpointformatlist_length = *(sdata++);
1948
1949                         if (ecpointformatlist_length != size - 1 || 
1950                                 ecpointformatlist_length < 1)
1951                                 {
1952                                 *al = TLS1_AD_DECODE_ERROR;
1953                                 return 0;
1954                                 }
1955                         if (!s->hit)
1956                                 {
1957                                 if(s->session->tlsext_ecpointformatlist)
1958                                         {
1959                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1960                                         s->session->tlsext_ecpointformatlist = NULL;
1961                                         }
1962                                 s->session->tlsext_ecpointformatlist_length = 0;
1963                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1964                                         {
1965                                         *al = TLS1_AD_INTERNAL_ERROR;
1966                                         return 0;
1967                                         }
1968                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1969                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1970                                 }
1971 #if 0
1972                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1973                         sdata = s->session->tlsext_ecpointformatlist;
1974                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1975                                 fprintf(stderr,"%i ",*(sdata++));
1976                         fprintf(stderr,"\n");
1977 #endif
1978                         }
1979                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1980                      s->version != DTLS1_VERSION)
1981                         {
1982                         unsigned char *sdata = data;
1983                         int ellipticcurvelist_length = (*(sdata++) << 8);
1984                         ellipticcurvelist_length += (*(sdata++));
1985
1986                         if (ellipticcurvelist_length != size - 2 ||
1987                                 ellipticcurvelist_length < 1)
1988                                 {
1989                                 *al = TLS1_AD_DECODE_ERROR;
1990                                 return 0;
1991                                 }
1992                         if (!s->hit)
1993                                 {
1994                                 if(s->session->tlsext_ellipticcurvelist)
1995                                         {
1996                                         *al = TLS1_AD_DECODE_ERROR;
1997                                         return 0;
1998                                         }
1999                                 s->session->tlsext_ellipticcurvelist_length = 0;
2000                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2001                                         {
2002                                         *al = TLS1_AD_INTERNAL_ERROR;
2003                                         return 0;
2004                                         }
2005                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2006                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2007                                 }
2008 #if 0
2009                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2010                         sdata = s->session->tlsext_ellipticcurvelist;
2011                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2012                                 fprintf(stderr,"%i ",*(sdata++));
2013                         fprintf(stderr,"\n");
2014 #endif
2015                         }
2016 #endif /* OPENSSL_NO_EC */
2017 #ifdef TLSEXT_TYPE_opaque_prf_input
2018                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
2019                      s->version != DTLS1_VERSION)
2020                         {
2021                         unsigned char *sdata = data;
2022
2023                         if (size < 2)
2024                                 {
2025                                 *al = SSL_AD_DECODE_ERROR;
2026                                 return 0;
2027                                 }
2028                         n2s(sdata, s->s3->client_opaque_prf_input_len);
2029                         if (s->s3->client_opaque_prf_input_len != size - 2)
2030                                 {
2031                                 *al = SSL_AD_DECODE_ERROR;
2032                                 return 0;
2033                                 }
2034
2035                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2036                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2037                         if (s->s3->client_opaque_prf_input_len == 0)
2038                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2039                         else
2040                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2041                         if (s->s3->client_opaque_prf_input == NULL)
2042                                 {
2043                                 *al = TLS1_AD_INTERNAL_ERROR;
2044                                 return 0;
2045                                 }
2046                         }
2047 #endif
2048                 else if (type == TLSEXT_TYPE_session_ticket)
2049                         {
2050                         if (s->tls_session_ticket_ext_cb &&
2051                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2052                                 {
2053                                 *al = TLS1_AD_INTERNAL_ERROR;
2054                                 return 0;
2055                                 }
2056                         }
2057                 else if (type == TLSEXT_TYPE_renegotiate)
2058                         {
2059                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2060                                 return 0;
2061                         renegotiate_seen = 1;
2062                         }
2063                 else if (type == TLSEXT_TYPE_signature_algorithms)
2064                         {
2065                         int dsize;
2066                         if (s->cert->peer_sigalgs || size < 2) 
2067                                 {
2068                                 *al = SSL_AD_DECODE_ERROR;
2069                                 return 0;
2070                                 }
2071                         n2s(data,dsize);
2072                         size -= 2;
2073                         if (dsize != size || dsize & 1 || !dsize) 
2074                                 {
2075                                 *al = SSL_AD_DECODE_ERROR;
2076                                 return 0;
2077                                 }
2078                         if (!tls1_process_sigalgs(s, data, dsize))
2079                                 {
2080                                 *al = SSL_AD_DECODE_ERROR;
2081                                 return 0;
2082                                 }
2083                         /* If sigalgs received and no shared algorithms fatal
2084                          * error.
2085                          */
2086                         if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
2087                                 {
2088                                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2089                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2090                                 *al = SSL_AD_ILLEGAL_PARAMETER;
2091                                 return 0;
2092                                 }
2093                         }
2094                 else if (type == TLSEXT_TYPE_status_request &&
2095                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
2096                         {
2097                 
2098                         if (size < 5) 
2099                                 {
2100                                 *al = SSL_AD_DECODE_ERROR;
2101                                 return 0;
2102                                 }
2103
2104                         s->tlsext_status_type = *data++;
2105                         size--;
2106                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2107                                 {
2108                                 const unsigned char *sdata;
2109                                 int dsize;
2110                                 /* Read in responder_id_list */
2111                                 n2s(data,dsize);
2112                                 size -= 2;
2113                                 if (dsize > size  ) 
2114                                         {
2115                                         *al = SSL_AD_DECODE_ERROR;
2116                                         return 0;
2117                                         }
2118                                 while (dsize > 0)
2119                                         {
2120                                         OCSP_RESPID *id;
2121                                         int idsize;
2122                                         if (dsize < 4)
2123                                                 {
2124                                                 *al = SSL_AD_DECODE_ERROR;
2125                                                 return 0;
2126                                                 }
2127                                         n2s(data, idsize);
2128                                         dsize -= 2 + idsize;
2129                                         size -= 2 + idsize;
2130                                         if (dsize < 0)
2131                                                 {
2132                                                 *al = SSL_AD_DECODE_ERROR;
2133                                                 return 0;
2134                                                 }
2135                                         sdata = data;
2136                                         data += idsize;
2137                                         id = d2i_OCSP_RESPID(NULL,
2138                                                                 &sdata, idsize);
2139                                         if (!id)
2140                                                 {
2141                                                 *al = SSL_AD_DECODE_ERROR;
2142                                                 return 0;
2143                                                 }
2144                                         if (data != sdata)
2145                                                 {
2146                                                 OCSP_RESPID_free(id);
2147                                                 *al = SSL_AD_DECODE_ERROR;
2148                                                 return 0;
2149                                                 }
2150                                         if (!s->tlsext_ocsp_ids
2151                                                 && !(s->tlsext_ocsp_ids =
2152                                                 sk_OCSP_RESPID_new_null()))
2153                                                 {
2154                                                 OCSP_RESPID_free(id);
2155                                                 *al = SSL_AD_INTERNAL_ERROR;
2156                                                 return 0;
2157                                                 }
2158                                         if (!sk_OCSP_RESPID_push(
2159                                                         s->tlsext_ocsp_ids, id))
2160                                                 {
2161                                                 OCSP_RESPID_free(id);
2162                                                 *al = SSL_AD_INTERNAL_ERROR;
2163                                                 return 0;
2164                                                 }
2165                                         }
2166
2167                                 /* Read in request_extensions */
2168                                 if (size < 2)
2169                                         {
2170                                         *al = SSL_AD_DECODE_ERROR;
2171                                         return 0;
2172                                         }
2173                                 n2s(data,dsize);
2174                                 size -= 2;
2175                                 if (dsize != size)
2176                                         {
2177                                         *al = SSL_AD_DECODE_ERROR;
2178                                         return 0;
2179                                         }
2180                                 sdata = data;
2181                                 if (dsize > 0)
2182                                         {
2183                                         if (s->tlsext_ocsp_exts)
2184                                                 {
2185                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2186                                                                            X509_EXTENSION_free);
2187                                                 }
2188
2189                                         s->tlsext_ocsp_exts =
2190                                                 d2i_X509_EXTENSIONS(NULL,
2191                                                         &sdata, dsize);
2192                                         if (!s->tlsext_ocsp_exts
2193                                                 || (data + dsize != sdata))
2194                                                 {
2195                                                 *al = SSL_AD_DECODE_ERROR;
2196                                                 return 0;
2197                                                 }
2198                                         }
2199                                 }
2200                                 /* We don't know what to do with any other type
2201                                 * so ignore it.
2202                                 */
2203                                 else
2204                                         s->tlsext_status_type = -1;
2205                         }
2206 #ifndef OPENSSL_NO_HEARTBEATS
2207                 else if (type == TLSEXT_TYPE_heartbeat)
2208                         {
2209                         switch(data[0])
2210                                 {
2211                                 case 0x01:      /* Client allows us to send HB requests */
2212                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2213                                                         break;
2214                                 case 0x02:      /* Client doesn't accept HB requests */
2215                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2216                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2217                                                         break;
2218                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2219                                                         return 0;
2220                                 }
2221                         }
2222 #endif
2223 #ifndef OPENSSL_NO_NEXTPROTONEG
2224                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2225                          s->s3->tmp.finish_md_len == 0)
2226                         {
2227                         /* We shouldn't accept this extension on a
2228                          * renegotiation.
2229                          *
2230                          * s->new_session will be set on renegotiation, but we
2231                          * probably shouldn't rely that it couldn't be set on
2232                          * the initial renegotation too in certain cases (when
2233                          * there's some other reason to disallow resuming an
2234                          * earlier session -- the current code won't be doing
2235                          * anything like that, but this might change).
2236
2237                          * A valid sign that there's been a previous handshake
2238                          * in this connection is if s->s3->tmp.finish_md_len >
2239                          * 0.  (We are talking about a check that will happen
2240                          * in the Hello protocol round, well before a new
2241                          * Finished message could have been computed.) */
2242                         s->s3->next_proto_neg_seen = 1;
2243                         }
2244 #endif
2245
2246                 /* session ticket processed earlier */
2247                 else if (type == TLSEXT_TYPE_use_srtp)
2248                         {
2249                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2250                                                               al))
2251                                 return 0;
2252                         }
2253
2254                 else if (type == TLSEXT_TYPE_server_authz)
2255                         {
2256                         unsigned char *sdata = data;
2257                         unsigned char server_authz_dataformatlist_length;
2258
2259                         if (size == 0)
2260                                 {
2261                                 *al = TLS1_AD_DECODE_ERROR;
2262                                 return 0;
2263                                 }
2264
2265                         server_authz_dataformatlist_length = *(sdata++);
2266
2267                         if (server_authz_dataformatlist_length != size - 1)
2268                                 {
2269                                 *al = TLS1_AD_DECODE_ERROR;
2270                                 return 0;
2271                                 }
2272
2273                         /* Successful session resumption uses the same authz
2274                          * information as the original session so we ignore this
2275                          * in the case of a session resumption. */
2276                         if (!s->hit)
2277                                 {
2278                                 if (s->s3->tlsext_authz_client_types != NULL)
2279                                         OPENSSL_free(s->s3->tlsext_authz_client_types);
2280                                 s->s3->tlsext_authz_client_types =
2281                                         OPENSSL_malloc(server_authz_dataformatlist_length);
2282                                 if (!s->s3->tlsext_authz_client_types)
2283                                         {
2284                                         *al = TLS1_AD_INTERNAL_ERROR;
2285                                         return 0;
2286                                         }
2287
2288                                 s->s3->tlsext_authz_client_types_len =
2289                                         server_authz_dataformatlist_length;
2290                                 memcpy(s->s3->tlsext_authz_client_types,
2291                                        sdata,
2292                                        server_authz_dataformatlist_length);
2293
2294                                 /* Sort the types in order to check for duplicates. */
2295                                 qsort(s->s3->tlsext_authz_client_types,
2296                                       server_authz_dataformatlist_length,
2297                                       1 /* element size */,
2298                                       byte_compare);
2299
2300                                 for (i = 0; i < server_authz_dataformatlist_length; i++)
2301                                         {
2302                                         if (i > 0 &&
2303                                             s->s3->tlsext_authz_client_types[i] ==
2304                                               s->s3->tlsext_authz_client_types[i-1])
2305                                                 {
2306                                                 *al = TLS1_AD_DECODE_ERROR;
2307                                                 return 0;
2308                                                 }
2309                                         }
2310                                 }
2311                         }
2312
2313                 /* If this ClientHello extension was unhandled and this is 
2314                  * a nonresumed connection, check whether the extension is a 
2315                  * custom TLS Extension (has a custom_srv_ext_record), and if
2316                  * so call the callback and record the extension number so that
2317                  * an appropriate ServerHello may be later returned.
2318                  */
2319                 else if (!s->hit && s->ctx->custom_srv_ext_records_count)
2320                         {
2321                         custom_srv_ext_record *record;
2322
2323                         for (i=0; i < s->ctx->custom_srv_ext_records_count; i++)
2324                                 {
2325                                 record = &s->ctx->custom_srv_ext_records[i];
2326                                 if (type == record->ext_type)
2327                                         {
2328                                         size_t j;
2329
2330                                         /* Error on duplicate TLS Extensions */
2331                                         for (j = 0; j < s->s3->tlsext_custom_types_count; j++)
2332                                                 {
2333                                                 if (type == s->s3->tlsext_custom_types[j])
2334                                                         {
2335                                                         *al = TLS1_AD_DECODE_ERROR;
2336                                                         return 0;
2337                                                         }
2338                                                 }
2339
2340                                         /* NULL callback still notes the extension */ 
2341                                         if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
2342                                                 return 0;
2343                                                 
2344                                         /* Add the (non-duplicated) entry */
2345                                         s->s3->tlsext_custom_types_count++;
2346                                         s->s3->tlsext_custom_types = OPENSSL_realloc(
2347                                                         s->s3->tlsext_custom_types,
2348                                                         s->s3->tlsext_custom_types_count * 2);
2349                                         if (s->s3->tlsext_custom_types == NULL)
2350                                                 {
2351                                                 s->s3->tlsext_custom_types = 0;
2352                                                 *al = TLS1_AD_INTERNAL_ERROR;
2353                                                 return 0;
2354                                                 }
2355                                         s->s3->tlsext_custom_types[
2356                                                         s->s3->tlsext_custom_types_count - 1] = type;
2357                                         }                                               
2358                                 }
2359                         }
2360
2361                 data+=size;
2362                 }
2363
2364         *p = data;
2365
2366         ri_check:
2367
2368         /* Need RI if renegotiating */
2369
2370         if (!renegotiate_seen && s->renegotiate &&
2371                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2372                 {
2373                 *al = SSL_AD_HANDSHAKE_FAILURE;
2374                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2375                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2376                 return 0;
2377                 }
2378         /* If no signature algorithms extension set default values */
2379         if (!s->cert->peer_sigalgs)
2380                 ssl_cert_set_default_md(s->cert);
2381
2382         return 1;
2383         }
2384
2385 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2386         {
2387         int al = -1;
2388         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
2389                 {
2390                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2391                 return 0;
2392                 }
2393
2394         if (ssl_check_clienthello_tlsext_early(s) <= 0) 
2395                 {
2396                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
2397                 return 0;
2398                 }
2399         return 1;
2400 }
2401
2402 #ifndef OPENSSL_NO_NEXTPROTONEG
2403 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2404  * elements of zero length are allowed and the set of elements must exactly fill
2405  * the length of the block. */
2406 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2407         {
2408         unsigned int off = 0;
2409
2410         while (off < len)
2411                 {
2412                 if (d[off] == 0)
2413                         return 0;
2414                 off += d[off];
2415                 off++;
2416                 }
2417
2418         return off == len;
2419         }
2420 #endif
2421
2422 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2423         {
2424         unsigned short length;
2425         unsigned short type;
2426         unsigned short size;
2427         unsigned char *data = *p;
2428         int tlsext_servername = 0;
2429         int renegotiate_seen = 0;
2430
2431 #ifndef OPENSSL_NO_NEXTPROTONEG
2432         s->s3->next_proto_neg_seen = 0;
2433 #endif
2434
2435 #ifndef OPENSSL_NO_HEARTBEATS
2436         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2437                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2438 #endif
2439
2440         if (data >= (d+n-2))
2441                 goto ri_check;
2442
2443         n2s(data,length);
2444         if (data+length != d+n)
2445                 {
2446                 *al = SSL_AD_DECODE_ERROR;
2447                 return 0;
2448                 }
2449
2450         while(data <= (d+n-4))
2451                 {
2452                 n2s(data,type);
2453                 n2s(data,size);
2454
2455                 if (data+size > (d+n))
2456                         goto ri_check;
2457
2458                 if (s->tlsext_debug_cb)
2459                         s->tlsext_debug_cb(s, 1, type, data, size,
2460                                                 s->tlsext_debug_arg);
2461
2462                 if (type == TLSEXT_TYPE_server_name)
2463                         {
2464                         if (s->tlsext_hostname == NULL || size > 0)
2465                                 {
2466                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2467                                 return 0;
2468                                 }
2469                         tlsext_servername = 1;   
2470                         }
2471
2472 #ifndef OPENSSL_NO_EC
2473                 else if (type == TLSEXT_TYPE_ec_point_formats &&
2474                      s->version != DTLS1_VERSION)
2475                         {
2476                         unsigned char *sdata = data;
2477                         int ecpointformatlist_length = *(sdata++);
2478
2479                         if (ecpointformatlist_length != size - 1)
2480                                 {
2481                                 *al = TLS1_AD_DECODE_ERROR;
2482                                 return 0;
2483                                 }
2484                         s->session->tlsext_ecpointformatlist_length = 0;
2485                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2486                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2487                                 {
2488                                 *al = TLS1_AD_INTERNAL_ERROR;
2489                                 return 0;
2490                                 }
2491                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2492                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2493 #if 0
2494                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2495                         sdata = s->session->tlsext_ecpointformatlist;
2496                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2497                                 fprintf(stderr,"%i ",*(sdata++));
2498                         fprintf(stderr,"\n");
2499 #endif
2500                         }
2501 #endif /* OPENSSL_NO_EC */
2502
2503                 else if (type == TLSEXT_TYPE_session_ticket)
2504                         {
2505                         if (s->tls_session_ticket_ext_cb &&
2506                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2507                                 {
2508                                 *al = TLS1_AD_INTERNAL_ERROR;
2509                                 return 0;
2510                                 }
2511                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2512                                 || (size > 0))
2513                                 {
2514                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2515                                 return 0;
2516                                 }
2517                         s->tlsext_ticket_expected = 1;
2518                         }
2519 #ifdef TLSEXT_TYPE_opaque_prf_input
2520                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
2521                      s->version != DTLS1_VERSION)
2522                         {
2523                         unsigned char *sdata = data;
2524
2525                         if (size < 2)
2526                                 {
2527                                 *al = SSL_AD_DECODE_ERROR;
2528                                 return 0;
2529                                 }
2530                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2531                         if (s->s3->server_opaque_prf_input_len != size - 2)
2532                                 {
2533                                 *al = SSL_AD_DECODE_ERROR;
2534                                 return 0;
2535                                 }
2536                         
2537                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2538                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2539                         if (s->s3->server_opaque_prf_input_len == 0)
2540                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2541                         else
2542                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2543
2544                         if (s->s3->server_opaque_prf_input == NULL)
2545                                 {
2546                                 *al = TLS1_AD_INTERNAL_ERROR;
2547                                 return 0;
2548                                 }
2549                         }
2550 #endif
2551                 else if (type == TLSEXT_TYPE_status_request &&
2552                          s->version != DTLS1_VERSION)
2553                         {
2554                         /* MUST be empty and only sent if we've requested
2555                          * a status request message.
2556                          */ 
2557                         if ((s->tlsext_status_type == -1) || (size > 0))
2558                                 {
2559                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2560                                 return 0;
2561                                 }
2562                         /* Set flag to expect CertificateStatus message */
2563                         s->tlsext_status_expected = 1;
2564                         }
2565 #ifndef OPENSSL_NO_NEXTPROTONEG
2566                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2567                          s->s3->tmp.finish_md_len == 0)
2568                         {
2569                         unsigned char *selected;
2570                         unsigned char selected_len;
2571
2572                         /* We must have requested it. */
2573                         if (s->ctx->next_proto_select_cb == NULL)
2574                                 {
2575                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2576                                 return 0;
2577                                 }
2578                         /* The data must be valid */
2579                         if (!ssl_next_proto_validate(data, size))
2580                                 {
2581                                 *al = TLS1_AD_DECODE_ERROR;
2582                                 return 0;
2583                                 }
2584                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2585                                 {
2586                                 *al = TLS1_AD_INTERNAL_ERROR;
2587                                 return 0;
2588                                 }
2589                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2590                         if (!s->next_proto_negotiated)
2591                                 {
2592                                 *al = TLS1_AD_INTERNAL_ERROR;
2593                                 return 0;
2594                                 }
2595                         memcpy(s->next_proto_negotiated, selected, selected_len);
2596                         s->next_proto_negotiated_len = selected_len;
2597                         s->s3->next_proto_neg_seen = 1;
2598                         }
2599 #endif
2600                 else if (type == TLSEXT_TYPE_renegotiate)
2601                         {
2602                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2603                                 return 0;
2604                         renegotiate_seen = 1;
2605                         }
2606 #ifndef OPENSSL_NO_HEARTBEATS
2607                 else if (type == TLSEXT_TYPE_heartbeat)
2608                         {
2609                         switch(data[0])
2610                                 {
2611                                 case 0x01:      /* Server allows us to send HB requests */
2612                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2613                                                         break;
2614                                 case 0x02:      /* Server doesn't accept HB requests */
2615                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2616                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2617                                                         break;
2618                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2619                                                         return 0;
2620                                 }
2621                         }
2622 #endif
2623                 else if (type == TLSEXT_TYPE_use_srtp)
2624                         {
2625                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2626                                                               al))
2627                                 return 0;
2628                         }
2629
2630                 else if (type == TLSEXT_TYPE_server_authz)
2631                         {
2632                         /* We only support audit proofs. It's an error to send
2633                          * an authz hello extension if the client
2634                          * didn't request a proof. */
2635                         unsigned char *sdata = data;
2636                         unsigned char server_authz_dataformatlist_length;
2637
2638                         if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2639                                 {
2640                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2641                                 return 0;
2642                                 }
2643
2644                         if (!size)
2645                                 {
2646                                 *al = TLS1_AD_DECODE_ERROR;
2647                                 return 0;
2648                                 }
2649
2650                         server_authz_dataformatlist_length = *(sdata++);
2651                         if (server_authz_dataformatlist_length != size - 1)
2652                                 {
2653                                 *al = TLS1_AD_DECODE_ERROR;
2654                                 return 0;
2655                                 }
2656
2657                         /* We only support audit proofs, so a legal ServerHello
2658                          * authz list contains exactly one entry. */
2659                         if (server_authz_dataformatlist_length != 1 ||
2660                                 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2661                                 {
2662                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2663                                 return 0;
2664                                 }
2665
2666                         s->s3->tlsext_authz_server_promised = 1;
2667                         }
2668
2669                 /* If this extension type was not otherwise handled, but 
2670                  * matches a custom_cli_ext_record, then send it to the c
2671                  * callback */
2672                 else if (s->ctx->custom_cli_ext_records_count)
2673                         {
2674                         size_t i;
2675                         custom_cli_ext_record* record;
2676
2677                         for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
2678                                 {
2679                                 record = &s->ctx->custom_cli_ext_records[i];
2680                                 if (record->ext_type == type)
2681                                         {
2682                                         if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
2683                                                 return 0;
2684                                         break;
2685                                         }
2686                                 }                       
2687                         }
2688  
2689                 data += size;
2690                 }
2691
2692         if (data != d+n)
2693                 {
2694                 *al = SSL_AD_DECODE_ERROR;
2695                 return 0;
2696                 }
2697
2698         if (!s->hit && tlsext_servername == 1)
2699                 {
2700                 if (s->tlsext_hostname)
2701                         {
2702                         if (s->session->tlsext_hostname == NULL)
2703                                 {
2704                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2705                                 if (!s->session->tlsext_hostname)
2706                                         {
2707                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2708                                         return 0;
2709                                         }
2710                                 }
2711                         else 
2712                                 {
2713                                 *al = SSL_AD_DECODE_ERROR;
2714                                 return 0;
2715                                 }
2716                         }
2717                 }
2718
2719         *p = data;
2720
2721         ri_check:
2722
2723         /* Determine if we need to see RI. Strictly speaking if we want to
2724          * avoid an attack we should *always* see RI even on initial server
2725          * hello because the client doesn't see any renegotiation during an
2726          * attack. However this would mean we could not connect to any server
2727          * which doesn't support RI so for the immediate future tolerate RI
2728          * absence on initial connect only.
2729          */
2730         if (!renegotiate_seen
2731                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2732                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2733                 {
2734                 *al = SSL_AD_HANDSHAKE_FAILURE;
2735                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2736                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2737                 return 0;
2738                 }
2739
2740         return 1;
2741         }
2742
2743
2744 int ssl_prepare_clienthello_tlsext(SSL *s)
2745         {
2746
2747 #ifdef TLSEXT_TYPE_opaque_prf_input
2748         {
2749                 int r = 1;
2750         
2751                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2752                         {
2753                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2754                         if (!r)
2755                                 return -1;
2756                         }
2757
2758                 if (s->tlsext_opaque_prf_input != NULL)
2759                         {
2760                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2761                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2762
2763                         if (s->tlsext_opaque_prf_input_len == 0)
2764                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2765                         else
2766                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2767                         if (s->s3->client_opaque_prf_input == NULL)
2768                                 {
2769                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2770                                 return -1;
2771                                 }
2772                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2773                         }
2774
2775                 if (r == 2)
2776                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2777                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2778         }
2779 #endif
2780
2781         return 1;
2782         }
2783
2784 int ssl_prepare_serverhello_tlsext(SSL *s)
2785         {
2786         return 1;
2787         }
2788
2789 static int ssl_check_clienthello_tlsext_early(SSL *s)
2790         {
2791         int ret=SSL_TLSEXT_ERR_NOACK;
2792         int al = SSL_AD_UNRECOGNIZED_NAME;
2793
2794 #ifndef OPENSSL_NO_EC
2795         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2796          * ssl3_choose_cipher in s3_lib.c.
2797          */
2798         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2799          * ssl3_choose_cipher in s3_lib.c.
2800          */
2801 #endif
2802
2803         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2804                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2805         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2806                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2807
2808 #ifdef TLSEXT_TYPE_opaque_prf_input
2809         {
2810                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2811                  * but we might be sending an alert in response to the client hello,
2812                  * so this has to happen here in
2813                  * ssl_check_clienthello_tlsext_early(). */
2814
2815                 int r = 1;
2816         
2817                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2818                         {
2819                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2820                         if (!r)
2821                                 {
2822                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2823                                 al = SSL_AD_INTERNAL_ERROR;
2824                                 goto err;
2825                                 }
2826                         }
2827
2828                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2829                         OPENSSL_free(s->s3->server_opaque_prf_input);
2830                 s->s3->server_opaque_prf_input = NULL;
2831
2832                 if (s->tlsext_opaque_prf_input != NULL)
2833                         {
2834                         if (s->s3->client_opaque_prf_input != NULL &&
2835                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2836                                 {
2837                                 /* can only use this extension if we have a server opaque PRF input
2838                                  * of the same length as the client opaque PRF input! */
2839
2840                                 if (s->tlsext_opaque_prf_input_len == 0)
2841                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2842                                 else
2843                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2844                                 if (s->s3->server_opaque_prf_input == NULL)
2845                                         {
2846                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2847                                         al = SSL_AD_INTERNAL_ERROR;
2848                                         goto err;
2849                                         }
2850                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2851                                 }
2852                         }
2853
2854                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2855                         {
2856                         /* The callback wants to enforce use of the extension,
2857                          * but we can't do that with the client opaque PRF input;
2858                          * abort the handshake.
2859                          */
2860                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2861                         al = SSL_AD_HANDSHAKE_FAILURE;
2862                         }
2863         }
2864
2865  err:
2866 #endif
2867         switch (ret)
2868                 {
2869                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2870                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2871                         return -1;
2872
2873                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2874                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2875                         return 1; 
2876                                         
2877                 case SSL_TLSEXT_ERR_NOACK:
2878                         s->servername_done=0;
2879                         default:
2880                 return 1;
2881                 }
2882         }
2883
2884 int ssl_check_clienthello_tlsext_late(SSL *s)
2885         {
2886         int ret = SSL_TLSEXT_ERR_OK;
2887         int al;
2888
2889         /* If status request then ask callback what to do.
2890          * Note: this must be called after servername callbacks in case
2891          * the certificate has changed, and must be called after the cipher
2892          * has been chosen because this may influence which certificate is sent
2893          */
2894         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2895                 {
2896                 int r;
2897                 CERT_PKEY *certpkey;
2898                 certpkey = ssl_get_server_send_pkey(s);
2899                 /* If no certificate can't return certificate status */
2900                 if (certpkey == NULL)
2901                         {
2902                         s->tlsext_status_expected = 0;
2903                         return 1;
2904                         }
2905                 /* Set current certificate to one we will use so
2906                  * SSL_get_certificate et al can pick it up.
2907                  */
2908                 s->cert->key = certpkey;
2909                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2910                 switch (r)
2911                         {
2912                         /* We don't want to send a status request response */
2913                         case SSL_TLSEXT_ERR_NOACK:
2914                                 s->tlsext_status_expected = 0;
2915                                 break;
2916                         /* status request response should be sent */
2917                         case SSL_TLSEXT_ERR_OK:
2918                                 if (s->tlsext_ocsp_resp)
2919                                         s->tlsext_status_expected = 1;
2920                                 else
2921                                         s->tlsext_status_expected = 0;
2922                                 break;
2923                         /* something bad happened */
2924                         case SSL_TLSEXT_ERR_ALERT_FATAL:
2925                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2926                                 al = SSL_AD_INTERNAL_ERROR;
2927                                 goto err;
2928                         }
2929                 }
2930         else
2931                 s->tlsext_status_expected = 0;
2932
2933  err:
2934         switch (ret)
2935                 {
2936                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2937                         ssl3_send_alert(s, SSL3_AL_FATAL, al);
2938                         return -1;
2939
2940                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2941                         ssl3_send_alert(s, SSL3_AL_WARNING, al);
2942                         return 1; 
2943
2944                 default:
2945                         return 1;
2946                 }
2947         }
2948
2949 int ssl_check_serverhello_tlsext(SSL *s)
2950         {
2951         int ret=SSL_TLSEXT_ERR_NOACK;
2952         int al = SSL_AD_UNRECOGNIZED_NAME;
2953
2954 #ifndef OPENSSL_NO_EC
2955         /* If we are client and using an elliptic curve cryptography cipher
2956          * suite, then if server returns an EC point formats lists extension
2957          * it must contain uncompressed.
2958          */
2959         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2960         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2961         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
2962             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
2963             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2964                 {
2965                 /* we are using an ECC cipher */
2966                 size_t i;
2967                 unsigned char *list;
2968                 int found_uncompressed = 0;
2969                 list = s->session->tlsext_ecpointformatlist;
2970                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2971                         {
2972                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2973                                 {
2974                                 found_uncompressed = 1;
2975                                 break;
2976                                 }
2977                         }
2978                 if (!found_uncompressed)
2979                         {
2980                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2981                         return -1;
2982                         }
2983                 }
2984         ret = SSL_TLSEXT_ERR_OK;
2985 #endif /* OPENSSL_NO_EC */
2986
2987         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2988                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2989         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2990                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2991
2992 #ifdef TLSEXT_TYPE_opaque_prf_input
2993         if (s->s3->server_opaque_prf_input_len > 0)
2994                 {
2995                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2996                  * So first verify that we really have a value from the server too. */
2997
2998                 if (s->s3->server_opaque_prf_input == NULL)
2999                         {
3000                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3001                         al = SSL_AD_HANDSHAKE_FAILURE;
3002                         }
3003                 
3004                 /* Anytime the server *has* sent an opaque PRF input, we need to check
3005                  * that we have a client opaque PRF input of the same size. */
3006                 if (s->s3->client_opaque_prf_input == NULL ||
3007                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
3008                         {
3009                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3010                         al = SSL_AD_ILLEGAL_PARAMETER;
3011                         }
3012                 }
3013 #endif
3014
3015         /* If we've requested certificate status and we wont get one
3016          * tell the callback
3017          */
3018         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3019                         && s->ctx && s->ctx->tlsext_status_cb)
3020                 {
3021                 int r;
3022                 /* Set resp to NULL, resplen to -1 so callback knows
3023                  * there is no response.
3024                  */
3025                 if (s->tlsext_ocsp_resp)
3026                         {
3027                         OPENSSL_free(s->tlsext_ocsp_resp);
3028                         s->tlsext_ocsp_resp = NULL;
3029                         }
3030                 s->tlsext_ocsp_resplen = -1;
3031                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3032                 if (r == 0)
3033                         {
3034                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3035                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3036                         }
3037                 if (r < 0)
3038                         {
3039                         al = SSL_AD_INTERNAL_ERROR;
3040                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3041                         }
3042                 }
3043
3044         switch (ret)
3045                 {
3046                 case SSL_TLSEXT_ERR_ALERT_FATAL:
3047                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
3048                         return -1;
3049
3050                 case SSL_TLSEXT_ERR_ALERT_WARNING:
3051                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
3052                         return 1; 
3053                                         
3054                 case SSL_TLSEXT_ERR_NOACK:
3055                         s->servername_done=0;
3056                         default:
3057                 return 1;
3058                 }
3059         }
3060
3061 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
3062         {
3063         int al = -1;
3064         if (s->version < SSL3_VERSION)
3065                 return 1;
3066         if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
3067                 {
3068                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
3069                 return 0;
3070                 }
3071
3072         if (ssl_check_serverhello_tlsext(s) <= 0) 
3073                 {
3074                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
3075                 return 0;
3076                 }
3077         return 1;
3078 }
3079
3080 /* Since the server cache lookup is done early on in the processing of the
3081  * ClientHello, and other operations depend on the result, we need to handle
3082  * any TLS session ticket extension at the same time.
3083  *
3084  *   session_id: points at the session ID in the ClientHello. This code will
3085  *       read past the end of this in order to parse out the session ticket
3086  *       extension, if any.
3087  *   len: the length of the session ID.
3088  *   limit: a pointer to the first byte after the ClientHello.
3089  *   ret: (output) on return, if a ticket was decrypted, then this is set to
3090  *       point to the resulting session.
3091  *
3092  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3093  * ciphersuite, in which case we have no use for session tickets and one will
3094  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3095  *
3096  * Returns:
3097  *   -1: fatal error, either from parsing or decrypting the ticket.
3098  *    0: no ticket was found (or was ignored, based on settings).
3099  *    1: a zero length extension was found, indicating that the client supports
3100  *       session tickets but doesn't currently have one to offer.
3101  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
3102  *       couldn't be decrypted because of a non-fatal error.
3103  *    3: a ticket was successfully decrypted and *ret was set.
3104  *
3105  * Side effects:
3106  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3107  *   a new session ticket to the client because the client indicated support
3108  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3109  *   a session ticket or we couldn't use the one it gave us, or if
3110  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3111  *   Otherwise, s->tlsext_ticket_expected is set to 0.
3112  */
3113 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3114                         const unsigned char *limit, SSL_SESSION **ret)
3115         {
3116         /* Point after session ID in client hello */
3117         const unsigned char *p = session_id + len;
3118         unsigned short i;
3119
3120         *ret = NULL;
3121         s->tlsext_ticket_expected = 0;
3122
3123         /* If tickets disabled behave as if no ticket present
3124          * to permit stateful resumption.
3125          */
3126         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3127                 return 0;
3128         if ((s->version <= SSL3_VERSION) || !limit)
3129                 return 0;
3130         if (p >= limit)
3131                 return -1;
3132         /* Skip past DTLS cookie */
3133         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
3134                 {
3135                 i = *(p++);
3136                 p+= i;
3137                 if (p >= limit)
3138                         return -1;
3139                 }
3140         /* Skip past cipher list */
3141         n2s(p, i);
3142         p+= i;
3143         if (p >= limit)
3144                 return -1;
3145         /* Skip past compression algorithm list */
3146         i = *(p++);
3147         p += i;
3148         if (p > limit)
3149                 return -1;
3150         /* Now at start of extensions */
3151         if ((p + 2) >= limit)
3152                 return 0;
3153         n2s(p, i);
3154         while ((p + 4) <= limit)
3155                 {
3156                 unsigned short type, size;
3157                 n2s(p, type);
3158                 n2s(p, size);
3159                 if (p + size > limit)
3160                         return 0;
3161                 if (type == TLSEXT_TYPE_session_ticket)
3162                         {
3163                         int r;
3164                         if (size == 0)
3165                                 {
3166                                 /* The client will accept a ticket but doesn't
3167                                  * currently have one. */
3168                                 s->tlsext_ticket_expected = 1;
3169                                 return 1;
3170                                 }
3171                         if (s->tls_session_secret_cb)
3172                                 {
3173                                 /* Indicate that the ticket couldn't be
3174                                  * decrypted rather than generating the session
3175                                  * from ticket now, trigger abbreviated
3176                                  * handshake based on external mechanism to
3177                                  * calculate the master secret later. */
3178                                 return 2;
3179                                 }
3180                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3181                         switch (r)
3182                                 {
3183                                 case 2: /* ticket couldn't be decrypted */
3184                                         s->tlsext_ticket_expected = 1;
3185                                         return 2;
3186                                 case 3: /* ticket was decrypted */
3187                                         return r;
3188                                 case 4: /* ticket decrypted but need to renew */
3189                                         s->tlsext_ticket_expected = 1;
3190                                         return 3;
3191                                 default: /* fatal error */
3192                                         return -1;
3193                                 }
3194                         }
3195                 p += size;
3196                 }
3197         return 0;
3198         }
3199
3200 /* tls_decrypt_ticket attempts to decrypt a session ticket.
3201  *
3202  *   etick: points to the body of the session ticket extension.
3203  *   eticklen: the length of the session tickets extenion.
3204  *   sess_id: points at the session ID.
3205  *   sesslen: the length of the session ID.
3206  *   psess: (output) on return, if a ticket was decrypted, then this is set to
3207  *       point to the resulting session.
3208  *
3209  * Returns:
3210  *   -1: fatal error, either from parsing or decrypting the ticket.
3211  *    2: the ticket couldn't be decrypted.
3212  *    3: a ticket was successfully decrypted and *psess was set.
3213  *    4: same as 3, but the ticket needs to be renewed.
3214  */
3215 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
3216                                 const unsigned char *sess_id, int sesslen,
3217                                 SSL_SESSION **psess)
3218         {
3219         SSL_SESSION *sess;
3220         unsigned char *sdec;
3221         const unsigned char *p;
3222         int slen, mlen, renew_ticket = 0;
3223         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3224         HMAC_CTX hctx;
3225         EVP_CIPHER_CTX ctx;
3226         SSL_CTX *tctx = s->initial_ctx;
3227         /* Need at least keyname + iv + some encrypted data */
3228         if (eticklen < 48)
3229                 return 2;
3230         /* Initialize session ticket encryption and HMAC contexts */
3231         HMAC_CTX_init(&hctx);
3232         EVP_CIPHER_CTX_init(&ctx);
3233         if (tctx->tlsext_ticket_key_cb)
3234                 {
3235                 unsigned char *nctick = (unsigned char *)etick;
3236                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3237                                                         &ctx, &hctx, 0);
3238                 if (rv < 0)
3239                         return -1;
3240                 if (rv == 0)
3241                         return 2;
3242                 if (rv == 2)
3243                         renew_ticket = 1;
3244                 }
3245         else
3246                 {
3247                 /* Check key name matches */
3248                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3249                         return 2;
3250                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3251                                         tlsext_tick_md(), NULL);
3252                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3253                                 tctx->tlsext_tick_aes_key, etick + 16);
3254                 }
3255         /* Attempt to process session ticket, first conduct sanity and
3256          * integrity checks on ticket.
3257          */
3258         mlen = HMAC_size(&hctx);
3259         if (mlen < 0)
3260                 {
3261                 EVP_CIPHER_CTX_cleanup(&ctx);
3262                 return -1;
3263                 }
3264         eticklen -= mlen;
3265         /* Check HMAC of encrypted ticket */
3266         HMAC_Update(&hctx, etick, eticklen);
3267         HMAC_Final(&hctx, tick_hmac, NULL);
3268         HMAC_CTX_cleanup(&hctx);
3269         if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
3270                 return 2;
3271         /* Attempt to decrypt session data */
3272         /* Move p after IV to start of encrypted ticket, update length */
3273         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3274         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3275         sdec = OPENSSL_malloc(eticklen);
3276         if (!sdec)
3277                 {
3278                 EVP_CIPHER_CTX_cleanup(&ctx);
3279                 return -1;
3280                 }
3281         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3282         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
3283                 return 2;
3284         slen += mlen;
3285         EVP_CIPHER_CTX_cleanup(&ctx);
3286         p = sdec;
3287
3288         sess = d2i_SSL_SESSION(NULL, &p, slen);
3289         OPENSSL_free(sdec);
3290         if (sess)
3291                 {
3292                 /* The session ID, if non-empty, is used by some clients to
3293                  * detect that the ticket has been accepted. So we copy it to
3294                  * the session structure. If it is empty set length to zero
3295                  * as required by standard.
3296                  */
3297                 if (sesslen)
3298                         memcpy(sess->session_id, sess_id, sesslen);
3299                 sess->session_id_length = sesslen;
3300                 *psess = sess;
3301                 if (renew_ticket)
3302                         return 4;
3303                 else
3304                         return 3;
3305                 }
3306         ERR_clear_error();
3307         /* For session parse failure, indicate that we need to send a new
3308          * ticket. */
3309         return 2;
3310         }
3311
3312 /* Tables to translate from NIDs to TLS v1.2 ids */
3313
3314 typedef struct 
3315         {
3316         int nid;
3317         int id;
3318         } tls12_lookup;
3319
3320 static tls12_lookup tls12_md[] = {
3321         {NID_md5, TLSEXT_hash_md5},
3322         {NID_sha1, TLSEXT_hash_sha1},
3323         {NID_sha224, TLSEXT_hash_sha224},
3324         {NID_sha256, TLSEXT_hash_sha256},
3325         {NID_sha384, TLSEXT_hash_sha384},
3326         {NID_sha512, TLSEXT_hash_sha512}
3327 };
3328
3329 static tls12_lookup tls12_sig[] = {
3330         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3331         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3332         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3333 };
3334
3335 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3336         {
3337         size_t i;
3338         for (i = 0; i < tlen; i++)
3339                 {
3340                 if (table[i].nid == nid)
3341                         return table[i].id;
3342                 }
3343         return -1;
3344         }
3345
3346 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3347         {
3348         size_t i;
3349         for (i = 0; i < tlen; i++)
3350                 {
3351                 if ((table[i].id) == id)
3352                         return table[i].nid;
3353                 }
3354         return NID_undef;
3355         }
3356
3357 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3358         {
3359         int sig_id, md_id;
3360         if (!md)
3361                 return 0;
3362         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3363                                 sizeof(tls12_md)/sizeof(tls12_lookup));
3364         if (md_id == -1)
3365                 return 0;
3366         sig_id = tls12_get_sigid(pk);
3367         if (sig_id == -1)
3368                 return 0;
3369         p[0] = (unsigned char)md_id;
3370         p[1] = (unsigned char)sig_id;
3371         return 1;
3372         }
3373
3374 int tls12_get_sigid(const EVP_PKEY *pk)
3375         {
3376         return tls12_find_id(pk->type, tls12_sig,
3377                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
3378         }
3379
3380 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3381         {
3382         switch(hash_alg)
3383                 {
3384 #ifndef OPENSSL_NO_MD5
3385                 case TLSEXT_hash_md5:
3386 #ifdef OPENSSL_FIPS
3387                 if (FIPS_mode())
3388                         return NULL;
3389 #endif
3390                 return EVP_md5();
3391 #endif
3392 #ifndef OPENSSL_NO_SHA
3393                 case TLSEXT_hash_sha1:
3394                 return EVP_sha1();
3395 #endif
3396 #ifndef OPENSSL_NO_SHA256
3397                 case TLSEXT_hash_sha224:
3398                 return EVP_sha224();
3399
3400                 case TLSEXT_hash_sha256:
3401                 return EVP_sha256();
3402 #endif
3403 #ifndef OPENSSL_NO_SHA512
3404                 case TLSEXT_hash_sha384:
3405                 return EVP_sha384();
3406
3407                 case TLSEXT_hash_sha512:
3408                 return EVP_sha512();
3409 #endif
3410                 default:
3411                 return NULL;
3412
3413                 }
3414         }
3415
3416 static int tls12_get_pkey_idx(unsigned char sig_alg)
3417         {
3418         switch(sig_alg)
3419                 {
3420 #ifndef OPENSSL_NO_RSA
3421         case TLSEXT_signature_rsa:
3422                 return SSL_PKEY_RSA_SIGN;
3423 #endif
3424 #ifndef OPENSSL_NO_DSA
3425         case TLSEXT_signature_dsa:
3426                 return SSL_PKEY_DSA_SIGN;
3427 #endif
3428 #ifndef OPENSSL_NO_ECDSA
3429         case TLSEXT_signature_ecdsa:
3430                 return SSL_PKEY_ECC;
3431 #endif
3432                 }
3433         return -1;
3434         }
3435
3436 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3437 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3438                         int *psignhash_nid, const unsigned char *data)
3439         {
3440         int sign_nid = 0, hash_nid = 0;
3441         if (!phash_nid && !psign_nid && !psignhash_nid)
3442                 return;
3443         if (phash_nid || psignhash_nid)
3444                 {
3445                 hash_nid = tls12_find_nid(data[0], tls12_md,
3446                                         sizeof(tls12_md)/sizeof(tls12_lookup));
3447                 if (phash_nid)
3448                         *phash_nid = hash_nid;
3449                 }
3450         if (psign_nid || psignhash_nid)
3451                 {
3452                 sign_nid = tls12_find_nid(data[1], tls12_sig,
3453                                         sizeof(tls12_sig)/sizeof(tls12_lookup));
3454                 if (psign_nid)
3455                         *psign_nid = sign_nid;
3456                 }
3457         if (psignhash_nid)
3458                 {
3459                 if (sign_nid && hash_nid)
3460                         OBJ_find_sigid_by_algs(psignhash_nid,
3461                                                         hash_nid, sign_nid);
3462                 else
3463                         *psignhash_nid = NID_undef;
3464                 }
3465         }
3466 /* Given preference and allowed sigalgs set shared sigalgs */
3467 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3468                                 const unsigned char *pref, size_t preflen,
3469                                 const unsigned char *allow, size_t allowlen)
3470         {
3471         const unsigned char *ptmp, *atmp;
3472         size_t i, j, nmatch = 0;
3473         for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
3474                 {
3475                 /* Skip disabled hashes or signature algorithms */
3476                 if (tls12_get_hash(ptmp[0]) == NULL)
3477                         continue;
3478                 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3479                         continue;
3480                 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
3481                         {
3482                         if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
3483                                 {
3484                                 nmatch++;
3485                                 if (shsig)
3486                                         {
3487                                         shsig->rhash = ptmp[0];
3488                                         shsig->rsign = ptmp[1];
3489                                         tls1_lookup_sigalg(&shsig->hash_nid,
3490                                                 &shsig->sign_nid,
3491                                                 &shsig->signandhash_nid,
3492                                                 ptmp);
3493                                         shsig++;
3494                                         }
3495                                 break;
3496                                 }
3497                         }
3498                 }
3499         return nmatch;
3500         }
3501
3502 /* Set shared signature algorithms for SSL structures */
3503 static int tls1_set_shared_sigalgs(SSL *s)
3504         {
3505         const unsigned char *pref, *allow, *conf;
3506         size_t preflen, allowlen, conflen;
3507         size_t nmatch;
3508         TLS_SIGALGS *salgs = NULL;
3509         CERT *c = s->cert;
3510         unsigned int is_suiteb = tls1_suiteb(s);
3511         /* If client use client signature algorithms if not NULL */
3512         if (!s->server && c->client_sigalgs && !is_suiteb)
3513                 {
3514                 conf = c->client_sigalgs;
3515                 conflen = c->client_sigalgslen;
3516                 }
3517         else if (c->conf_sigalgs && !is_suiteb)
3518                 {
3519                 conf = c->conf_sigalgs;
3520                 conflen = c->conf_sigalgslen;
3521                 }
3522         else
3523                 conflen = tls12_get_psigalgs(s, &conf);
3524         if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb)
3525                 {
3526                 pref = conf;
3527                 preflen = conflen;
3528                 allow = c->peer_sigalgs;
3529                 allowlen = c->peer_sigalgslen;
3530                 }
3531         else
3532                 {
3533                 allow = conf;
3534                 allowlen = conflen;
3535                 pref = c->peer_sigalgs;
3536                 preflen = c->peer_sigalgslen;
3537                 }
3538         nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3539         if (!nmatch)
3540                 return 1;
3541         salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3542         if (!salgs)
3543                 return 0;
3544         nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3545         c->shared_sigalgs = salgs;
3546         c->shared_sigalgslen = nmatch;
3547         return 1;
3548         }
3549                 
3550
3551 /* Set preferred digest for each key type */
3552
3553 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
3554         {
3555         int idx;
3556         size_t i;
3557         const EVP_MD *md;
3558         CERT *c = s->cert;
3559         TLS_SIGALGS *sigptr;
3560         /* Extension ignored for TLS versions below 1.2 */
3561         if (TLS1_get_version(s) < TLS1_2_VERSION)
3562                 return 1;
3563         /* Should never happen */
3564         if (!c)
3565                 return 0;
3566
3567         c->peer_sigalgs = OPENSSL_malloc(dsize);
3568         if (!c->peer_sigalgs)
3569                 return 0;
3570         c->peer_sigalgslen = dsize;
3571         memcpy(c->peer_sigalgs, data, dsize);
3572
3573         tls1_set_shared_sigalgs(s);
3574
3575 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3576         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
3577                 {
3578                 /* Use first set signature preference to force message
3579                  * digest, ignoring any peer preferences.
3580                  */
3581                 const unsigned char *sigs = NULL;
3582                 if (s->server)
3583                         sigs = c->conf_sigalgs;
3584                 else
3585                         sigs = c->client_sigalgs;
3586                 if (sigs)
3587                         {
3588                         idx = tls12_get_pkey_idx(sigs[1]);
3589                         md = tls12_get_hash(sigs[0]);
3590                         c->pkeys[idx].digest = md;
3591                         c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3592                         if (idx == SSL_PKEY_RSA_SIGN)
3593                                 {
3594                                 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3595                                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3596                                 }
3597                         }
3598                 }
3599 #endif
3600
3601         for (i = 0, sigptr = c->shared_sigalgs;
3602                         i < c->shared_sigalgslen; i++, sigptr++)
3603                 {
3604                 idx = tls12_get_pkey_idx(sigptr->rsign);
3605                 if (idx > 0 && c->pkeys[idx].digest == NULL)
3606                         {
3607                         md = tls12_get_hash(sigptr->rhash);
3608                         c->pkeys[idx].digest = md;
3609                         c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3610                         if (idx == SSL_PKEY_RSA_SIGN)
3611                                 {
3612                                 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3613                                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3614                                 }
3615                         }
3616
3617                 }
3618         /* In strict mode leave unset digests as NULL to indicate we can't
3619          * use the certificate for signing.
3620          */
3621         if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
3622                 {
3623                 /* Set any remaining keys to default values. NOTE: if alg is
3624                  * not supported it stays as NULL.
3625                  */
3626 #ifndef OPENSSL_NO_DSA
3627                 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3628                         c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3629 #endif
3630 #ifndef OPENSSL_NO_RSA
3631                 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
3632                         {
3633                         c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3634                         c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3635                         }
3636 #endif
3637 #ifndef OPENSSL_NO_ECDSA
3638                 if (!c->pkeys[SSL_PKEY_ECC].digest)
3639                         c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3640 #endif
3641                 }
3642         return 1;
3643         }
3644
3645
3646 int SSL_get_sigalgs(SSL *s, int idx,
3647                         int *psign, int *phash, int *psignhash,
3648                         unsigned char *rsig, unsigned char *rhash)
3649         {
3650         const unsigned char *psig = s->cert->peer_sigalgs;
3651         if (psig == NULL)
3652                 return 0;
3653         if (idx >= 0)
3654                 {
3655                 idx <<= 1;
3656                 if (idx >= (int)s->cert->peer_sigalgslen)
3657                         return 0;
3658                 psig += idx;
3659                 if (rhash)
3660                         *rhash = psig[0];
3661                 if (rsig)
3662                         *rsig = psig[1];
3663                 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3664                 }
3665         return s->cert->peer_sigalgslen / 2;
3666         }
3667
3668 int SSL_get_shared_sigalgs(SSL *s, int idx,
3669                         int *psign, int *phash, int *psignhash,
3670                         unsigned char *rsig, unsigned char *rhash)
3671         {
3672         TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3673         if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3674                 return 0;
3675         shsigalgs += idx;
3676         if (phash)
3677                 *phash = shsigalgs->hash_nid;
3678         if (psign)
3679                 *psign = shsigalgs->sign_nid;
3680         if (psignhash)
3681                 *psignhash = shsigalgs->signandhash_nid;
3682         if (rsig)
3683                 *rsig = shsigalgs->rsign;
3684         if (rhash)
3685                 *rhash = shsigalgs->rhash;
3686         return s->cert->shared_sigalgslen;
3687         }
3688         
3689
3690 #ifndef OPENSSL_NO_HEARTBEATS
3691 int
3692 tls1_process_heartbeat(SSL *s)
3693         {
3694         unsigned char *p = &s->s3->rrec.data[0], *pl;
3695         unsigned short hbtype;
3696         unsigned int payload;
3697         unsigned int padding = 16; /* Use minimum padding */
3698
3699         /* Read type and payload length first */
3700         hbtype = *p++;
3701         n2s(p, payload);
3702         pl = p;
3703
3704         if (s->msg_callback)
3705                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3706                         &s->s3->rrec.data[0], s->s3->rrec.length,
3707                         s, s->msg_callback_arg);
3708
3709         if (hbtype == TLS1_HB_REQUEST)
3710                 {
3711                 unsigned char *buffer, *bp;
3712                 int r;
3713
3714                 /* Allocate memory for the response, size is 1 bytes
3715                  * message type, plus 2 bytes payload length, plus
3716                  * payload, plus padding
3717                  */
3718                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3719                 bp = buffer;
3720                 
3721                 /* Enter response type, length and copy payload */
3722                 *bp++ = TLS1_HB_RESPONSE;
3723                 s2n(payload, bp);
3724                 memcpy(bp, pl, payload);
3725                 bp += payload;
3726                 /* Random padding */
3727                 RAND_pseudo_bytes(bp, padding);
3728
3729                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
3730
3731                 if (r >= 0 && s->msg_callback)
3732                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3733                                 buffer, 3 + payload + padding,
3734                                 s, s->msg_callback_arg);
3735
3736                 OPENSSL_free(buffer);
3737
3738                 if (r < 0)
3739                         return r;
3740                 }
3741         else if (hbtype == TLS1_HB_RESPONSE)
3742                 {
3743                 unsigned int seq;
3744                 
3745                 /* We only send sequence numbers (2 bytes unsigned int),
3746                  * and 16 random bytes, so we just try to read the
3747                  * sequence number */
3748                 n2s(pl, seq);
3749                 
3750                 if (payload == 18 && seq == s->tlsext_hb_seq)
3751                         {
3752                         s->tlsext_hb_seq++;
3753                         s->tlsext_hb_pending = 0;
3754                         }
3755                 }
3756
3757         return 0;
3758         }
3759
3760 int
3761 tls1_heartbeat(SSL *s)
3762         {
3763         unsigned char *buf, *p;
3764         int ret;
3765         unsigned int payload = 18; /* Sequence number + random bytes */
3766         unsigned int padding = 16; /* Use minimum padding */
3767
3768         /* Only send if peer supports and accepts HB requests... */
3769         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3770             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
3771                 {
3772                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3773                 return -1;
3774                 }
3775
3776         /* ...and there is none in flight yet... */
3777         if (s->tlsext_hb_pending)
3778                 {
3779                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
3780                 return -1;
3781                 }
3782                 
3783         /* ...and no handshake in progress. */
3784         if (SSL_in_init(s) || s->in_handshake)
3785                 {
3786                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
3787                 return -1;
3788                 }
3789                 
3790         /* Check if padding is too long, payload and padding
3791          * must not exceed 2^14 - 3 = 16381 bytes in total.
3792          */
3793         OPENSSL_assert(payload + padding <= 16381);
3794
3795         /* Create HeartBeat message, we just use a sequence number
3796          * as payload to distuingish different messages and add
3797          * some random stuff.
3798          *  - Message Type, 1 byte
3799          *  - Payload Length, 2 bytes (unsigned int)
3800          *  - Payload, the sequence number (2 bytes uint)
3801          *  - Payload, random bytes (16 bytes uint)
3802          *  - Padding
3803          */
3804         buf = OPENSSL_malloc(1 + 2 + payload + padding);
3805         p = buf;
3806         /* Message Type */
3807         *p++ = TLS1_HB_REQUEST;
3808         /* Payload length (18 bytes here) */
3809         s2n(payload, p);
3810         /* Sequence number */
3811         s2n(s->tlsext_hb_seq, p);
3812         /* 16 random bytes */
3813         RAND_pseudo_bytes(p, 16);
3814         p += 16;
3815         /* Random padding */
3816         RAND_pseudo_bytes(p, padding);
3817
3818         ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3819         if (ret >= 0)
3820                 {
3821                 if (s->msg_callback)
3822                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3823                                 buf, 3 + payload + padding,
3824                                 s, s->msg_callback_arg);
3825
3826                 s->tlsext_hb_pending = 1;
3827                 }
3828                 
3829         OPENSSL_free(buf);
3830
3831         return ret;
3832         }
3833 #endif
3834
3835 #define MAX_SIGALGLEN   (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3836
3837 typedef struct
3838         {
3839         size_t sigalgcnt;
3840         int sigalgs[MAX_SIGALGLEN];
3841         } sig_cb_st;
3842
3843 static int sig_cb(const char *elem, int len, void *arg)
3844         {
3845         sig_cb_st *sarg = arg;
3846         size_t i;
3847         char etmp[20], *p;
3848         int sig_alg, hash_alg;
3849         if (sarg->sigalgcnt == MAX_SIGALGLEN)
3850                 return 0;
3851         if (len > (int)(sizeof(etmp) - 1))
3852                 return 0;
3853         memcpy(etmp, elem, len);
3854         etmp[len] = 0;
3855         p = strchr(etmp, '+');
3856         if (!p)
3857                 return 0;
3858         *p = 0;
3859         p++;
3860         if (!*p)
3861                 return 0;
3862
3863         if (!strcmp(etmp, "RSA"))
3864                 sig_alg = EVP_PKEY_RSA;
3865         else if (!strcmp(etmp, "DSA"))
3866                 sig_alg = EVP_PKEY_DSA;
3867         else if (!strcmp(etmp, "ECDSA"))
3868                 sig_alg = EVP_PKEY_EC;
3869         else return 0;
3870
3871         hash_alg = OBJ_sn2nid(p);
3872         if (hash_alg == NID_undef)
3873                 hash_alg = OBJ_ln2nid(p);
3874         if (hash_alg == NID_undef)
3875                 return 0;
3876
3877         for (i = 0; i < sarg->sigalgcnt; i+=2)
3878                 {
3879                 if (sarg->sigalgs[i] == sig_alg
3880                         && sarg->sigalgs[i + 1] == hash_alg)
3881                         return 0;
3882                 }
3883         sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3884         sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3885         return 1;
3886         }
3887
3888 /* Set suppored signature algorithms based on a colon separated list
3889  * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
3890 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
3891         {
3892         sig_cb_st sig;
3893         sig.sigalgcnt = 0;
3894         if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3895                 return 0;
3896         if (c == NULL)
3897                 return 1;
3898         return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3899         }
3900
3901 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
3902         {
3903         unsigned char *sigalgs, *sptr;
3904         int rhash, rsign;
3905         size_t i;
3906         if (salglen & 1)
3907                 return 0;
3908         sigalgs = OPENSSL_malloc(salglen);
3909         if (sigalgs == NULL)
3910                 return 0;
3911         for (i = 0, sptr = sigalgs; i < salglen; i+=2)
3912                 {
3913                 rhash = tls12_find_id(*psig_nids++, tls12_md,
3914                                         sizeof(tls12_md)/sizeof(tls12_lookup));
3915                 rsign = tls12_find_id(*psig_nids++, tls12_sig,
3916                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
3917
3918                 if (rhash == -1 || rsign == -1)
3919                         goto err;
3920                 *sptr++ = rhash;
3921                 *sptr++ = rsign;
3922                 }
3923
3924         if (client)
3925                 {
3926                 if (c->client_sigalgs)
3927                         OPENSSL_free(c->client_sigalgs);
3928                 c->client_sigalgs = sigalgs;
3929                 c->client_sigalgslen = salglen;
3930                 }
3931         else
3932                 {
3933                 if (c->conf_sigalgs)
3934                         OPENSSL_free(c->conf_sigalgs);
3935                 c->conf_sigalgs = sigalgs;
3936                 c->conf_sigalgslen = salglen;
3937                 }
3938
3939         return 1;
3940
3941         err:
3942         OPENSSL_free(sigalgs);
3943         return 0;
3944         }
3945
3946 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3947         {
3948         int sig_nid;
3949         size_t i;
3950         if (default_nid == -1)
3951                 return 1;
3952         sig_nid = X509_get_signature_nid(x);
3953         if (default_nid)
3954                 return sig_nid == default_nid ? 1 : 0;
3955         for (i = 0; i < c->shared_sigalgslen; i++)
3956                 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3957                         return 1;
3958         return 0;
3959         }
3960 /* Check to see if a certificate issuer name matches list of CA names */
3961 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
3962         {
3963         X509_NAME *nm;
3964         int i;
3965         nm = X509_get_issuer_name(x);
3966         for (i = 0; i < sk_X509_NAME_num(names); i++)
3967                 {
3968                 if(!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
3969                         return 1;
3970                 }
3971         return 0;
3972         }
3973
3974 /* Check certificate chain is consistent with TLS extensions and is
3975  * usable by server. This servers two purposes: it allows users to 
3976  * check chains before passing them to the server and it allows the
3977  * server to check chains before attempting to use them.
3978  */
3979
3980 /* Flags which need to be set for a certificate when stict mode not set */
3981
3982 #define CERT_PKEY_VALID_FLAGS \
3983         (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
3984 /* Strict mode flags */
3985 #define CERT_PKEY_STRICT_FLAGS \
3986          (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
3987          | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
3988
3989 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3990                                                                         int idx)
3991         {
3992         int i;
3993         int rv = 0;
3994         int check_flags = 0, strict_mode;
3995         CERT_PKEY *cpk = NULL;
3996         CERT *c = s->cert;
3997         unsigned int suiteb_flags = tls1_suiteb(s);
3998         /* idx == -1 means checking server chains */
3999         if (idx != -1)
4000                 {
4001                 /* idx == -2 means checking client certificate chains */
4002                 if (idx == -2)
4003                         {
4004                         cpk = c->key;
4005                         idx = cpk - c->pkeys;
4006                         }
4007                 else
4008                         cpk = c->pkeys + idx;
4009                 x = cpk->x509;
4010                 pk = cpk->privatekey;
4011                 chain = cpk->chain;
4012                 strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4013                 /* If no cert or key, forget it */
4014                 if (!x || !pk)
4015                         goto end;
4016 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4017                 /* Allow any certificate to pass test */
4018                 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
4019                         {
4020                         rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;
4021                         cpk->valid_flags = rv;
4022                         return rv;
4023                         }
4024 #endif
4025                 }
4026         else
4027                 {
4028                 if (!x || !pk)
4029                         goto end;
4030                 idx = ssl_cert_type(x, pk);
4031                 if (idx == -1)
4032                         goto end;
4033                 cpk = c->pkeys + idx;
4034                 if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4035                         check_flags = CERT_PKEY_STRICT_FLAGS;
4036                 else
4037                         check_flags = CERT_PKEY_VALID_FLAGS;
4038                 strict_mode = 1;
4039                 }
4040
4041         if (suiteb_flags)
4042                 {
4043                 int ok;
4044                 if (check_flags)
4045                         check_flags |= CERT_PKEY_SUITEB;
4046                 ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4047                 if (ok != X509_V_OK)
4048                         {
4049                         if (check_flags)
4050                                 rv |= CERT_PKEY_SUITEB;
4051                         else
4052                                 goto end;
4053                         }
4054                 }
4055
4056         /* Check all signature algorithms are consistent with
4057          * signature algorithms extension if TLS 1.2 or later
4058          * and strict mode.
4059          */
4060         if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode)
4061                 {
4062                 int default_nid;
4063                 unsigned char rsign = 0;
4064                 if (c->peer_sigalgs)
4065                         default_nid = 0;
4066                 /* If no sigalgs extension use defaults from RFC5246 */
4067                 else
4068                         {
4069                         switch(idx)
4070                                 {       
4071                         case SSL_PKEY_RSA_ENC:
4072                         case SSL_PKEY_RSA_SIGN:
4073                         case SSL_PKEY_DH_RSA:
4074                                 rsign = TLSEXT_signature_rsa;
4075                                 default_nid = NID_sha1WithRSAEncryption;
4076                                 break;
4077
4078                         case SSL_PKEY_DSA_SIGN:
4079                         case SSL_PKEY_DH_DSA:
4080                                 rsign = TLSEXT_signature_dsa;
4081                                 default_nid = NID_dsaWithSHA1;
4082                                 break;
4083
4084                         case SSL_PKEY_ECC:
4085                                 rsign = TLSEXT_signature_ecdsa;
4086                                 default_nid = NID_ecdsa_with_SHA1;
4087                                 break;
4088
4089                         default:
4090                                 default_nid = -1;
4091                                 break;
4092                                 }
4093                         }
4094                 /* If peer sent no signature algorithms extension and we
4095                  * have set preferred signature algorithms check we support
4096                  * sha1.
4097                  */
4098                 if (default_nid > 0 && c->conf_sigalgs)
4099                         {
4100                         size_t j;
4101                         const unsigned char *p = c->conf_sigalgs;
4102                         for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
4103                                 {
4104                                 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4105                                         break;
4106                                 }
4107                         if (j == c->conf_sigalgslen)
4108                                 {
4109                                 if (check_flags)
4110                                         goto skip_sigs;
4111                                 else
4112                                         goto end;
4113                                 }
4114                         }
4115                 /* Check signature algorithm of each cert in chain */
4116                 if (!tls1_check_sig_alg(c, x, default_nid))
4117                         {
4118                         if (!check_flags) goto end;
4119                         }
4120                 else
4121                         rv |= CERT_PKEY_EE_SIGNATURE;
4122                 rv |= CERT_PKEY_CA_SIGNATURE;
4123                 for (i = 0; i < sk_X509_num(chain); i++)
4124                         {
4125                         if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
4126                                                         default_nid))
4127                                 {
4128                                 if (check_flags)
4129                                         {
4130                                         rv &= ~CERT_PKEY_CA_SIGNATURE;
4131                                         break;
4132                                         }
4133                                 else
4134                                         goto end;
4135                                 }
4136                         }
4137                 }
4138         /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4139         else if(check_flags)
4140                 rv |= CERT_PKEY_EE_SIGNATURE|CERT_PKEY_CA_SIGNATURE;
4141         skip_sigs:
4142         /* Check cert parameters are consistent */
4143         if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4144                 rv |= CERT_PKEY_EE_PARAM;
4145         else if (!check_flags)
4146                 goto end;
4147         if (!s->server)
4148                 rv |= CERT_PKEY_CA_PARAM;
4149         /* In strict mode check rest of chain too */
4150         else if (strict_mode)
4151                 {
4152                 rv |= CERT_PKEY_CA_PARAM;
4153                 for (i = 0; i < sk_X509_num(chain); i++)
4154                         {
4155                         X509 *ca = sk_X509_value(chain, i);
4156                         if (!tls1_check_cert_param(s, ca, 0))
4157                                 {
4158                                 if (check_flags)
4159                                         {
4160                                         rv &= ~CERT_PKEY_CA_PARAM;
4161                                         break;
4162                                         }
4163                                 else
4164                                         goto end;
4165                                 }
4166                         }
4167                 }
4168         if (!s->server && strict_mode)
4169                 {
4170                 STACK_OF(X509_NAME) *ca_dn;
4171                 int check_type = 0;
4172                 switch (pk->type)
4173                         {
4174                 case EVP_PKEY_RSA:
4175                         check_type = TLS_CT_RSA_SIGN;
4176                         break;
4177                 case EVP_PKEY_DSA:
4178                         check_type = TLS_CT_DSS_SIGN;
4179                         break;
4180                 case EVP_PKEY_EC:
4181                         check_type = TLS_CT_ECDSA_SIGN;
4182                         break;
4183                 case EVP_PKEY_DH:
4184                 case EVP_PKEY_DHX:
4185                                 {
4186                                 int cert_type = X509_certificate_type(x, pk);
4187                                 if (cert_type & EVP_PKS_RSA)
4188                                         check_type = TLS_CT_RSA_FIXED_DH;
4189                                 if (cert_type & EVP_PKS_DSA)
4190                                         check_type = TLS_CT_DSS_FIXED_DH;
4191                                 }
4192                         }
4193                 if (check_type)
4194                         {
4195                         const unsigned char *ctypes;
4196                         int ctypelen;
4197                         if (c->ctypes)
4198                                 {
4199                                 ctypes = c->ctypes;
4200                                 ctypelen = (int)c->ctype_num;
4201                                 }
4202                         else
4203                                 {
4204                                 ctypes = (unsigned char *)s->s3->tmp.ctype;
4205                                 ctypelen = s->s3->tmp.ctype_num;
4206                                 }
4207                         for (i = 0; i < ctypelen; i++)
4208                                 {
4209                                 if (ctypes[i] == check_type)
4210                                         {
4211                                         rv |= CERT_PKEY_CERT_TYPE;
4212                                         break;
4213                                         }
4214                                 }
4215                         if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4216                                 goto end;
4217                         }
4218                 else
4219                         rv |= CERT_PKEY_CERT_TYPE;
4220
4221
4222                 ca_dn = s->s3->tmp.ca_names;
4223
4224                 if (!sk_X509_NAME_num(ca_dn))
4225                         rv |= CERT_PKEY_ISSUER_NAME;
4226
4227                 if (!(rv & CERT_PKEY_ISSUER_NAME))
4228                         {
4229                         if (ssl_check_ca_name(ca_dn, x))
4230                                 rv |= CERT_PKEY_ISSUER_NAME;
4231                         }
4232                 if (!(rv & CERT_PKEY_ISSUER_NAME))
4233                         {
4234                         for (i = 0; i < sk_X509_num(chain); i++)
4235                                 {
4236                                 X509 *xtmp = sk_X509_value(chain, i);
4237                                 if (ssl_check_ca_name(ca_dn, xtmp))
4238                                         {
4239                                         rv |= CERT_PKEY_ISSUER_NAME;
4240                                         break;
4241                                         }
4242                                 }
4243                         }
4244                 if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4245                         goto end;
4246                 }
4247         else
4248                 rv |= CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE;
4249
4250         if (!check_flags || (rv & check_flags) == check_flags)
4251                 rv |= CERT_PKEY_VALID;
4252
4253         end:
4254
4255         if (TLS1_get_version(s) >= TLS1_2_VERSION)
4256                 {
4257                 if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4258                         rv |= CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_SIGN;
4259                 else if (cpk->digest)
4260                         rv |= CERT_PKEY_SIGN;
4261                 }
4262         else
4263                 rv |= CERT_PKEY_SIGN|CERT_PKEY_EXPLICIT_SIGN;
4264
4265         /* When checking a CERT_PKEY structure all flags are irrelevant
4266          * if the chain is invalid.
4267          */
4268         if (!check_flags)
4269                 {
4270                 if (rv & CERT_PKEY_VALID)
4271                         cpk->valid_flags = rv;
4272                 else
4273                         {
4274                         /* Preserve explicit sign flag, clear rest */
4275                         cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4276                         return 0;
4277                         }
4278                 }
4279         return rv;
4280         }
4281
4282 /* Set validity of certificates in an SSL structure */
4283 void tls1_set_cert_validity(SSL *s)
4284         {
4285         tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4286         tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4287         tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4288         tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4289         tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4290         tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4291         }
4292 /* User level utiity function to check a chain is suitable */
4293 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4294         {
4295         return tls1_check_chain(s, x, pk, chain, -1);
4296         }
4297
4298 #endif
Unnamed repository; edit this file 'description' to name the repository.