NID_secp256k1, /* secp256k1 (22) */
NID_X9_62_prime256v1, /* secp256r1 (23) */
NID_secp384r1, /* secp384r1 (24) */
- NID_secp521r1 /* secp521r1 (25) */
+ NID_secp521r1, /* secp521r1 (25) */
+ NID_brainpoolP256r1, /* brainpoolP256r1 (26) */
+ NID_brainpoolP384r1, /* brainpoolP384r1 (27) */
+ NID_brainpoolP512r1 /* brainpool512r1 (28) */
};
0,14, /* sect571r1 (14) */
0,13, /* sect571k1 (13) */
0,25, /* secp521r1 (25) */
+ 0,28, /* brainpool512r1 (28) */
0,11, /* sect409k1 (11) */
0,12, /* sect409r1 (12) */
+ 0,27, /* brainpoolP384r1 (27) */
0,24, /* secp384r1 (24) */
0,9, /* sect283k1 (9) */
0,10, /* sect283r1 (10) */
+ 0,26, /* brainpoolP256r1 (26) */
0,22, /* secp256k1 (22) */
0,23, /* secp256r1 (23) */
0,8, /* sect239k1 (8) */
return 24;
case NID_secp521r1: /* secp521r1 (25) */
return 25;
+ case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
+ return 26;
+ case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
+ return 27;
+ case NID_brainpoolP512r1: /* brainpool512r1 (28) */
+ return 28;
default:
return 0;
}
{
int is_prime, id;
const EC_GROUP *grp;
- const EC_POINT *pt;
const EC_METHOD *meth;
if (!ec)
return 0;
/* Determine if it is a prime field */
grp = EC_KEY_get0_group(ec);
- pt = EC_KEY_get0_public_key(ec);
- if (!grp || !pt)
+ if (!grp)
return 0;
meth = EC_GROUP_method_of(grp);
if (!meth)
}
if (comp_id)
{
+ if (EC_KEY_get0_public_key(ec) == NULL)
+ return 0;
if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
{
if (is_prime)
#endif
}
+#else
+
+static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
+ {
+ return 1;
+ }
+
#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_TLSEXT
#ifndef OPENSSL_NO_SHA
tlsext_sigalg(TLSEXT_hash_sha1)
#endif
-#ifndef OPENSSL_NO_MD5
- tlsext_sigalg_rsa(TLSEXT_hash_md5)
-#endif
};
-
+#ifndef OPENSSL_NO_ECDSA
static unsigned char suiteb_sigalgs[] = {
tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
};
-
+#endif
size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
{
/* If Suite B mode use Suite B sigalgs only, ignore any other
* preferences.
*/
+#ifndef OPENSSL_NO_EC
switch (tls1_suiteb(s))
{
case SSL_CERT_FLAG_SUITEB_128_LOS:
*psigs = suiteb_sigalgs + 2;
return 2;
}
-
+#endif
/* If server use client authentication sigalgs if not NULL */
if (s->server && s->cert->client_sigalgs)
{
else
{
*psigs = tls12_sigalgs;
-#ifdef OPENSSL_FIPS
- /* If FIPS mode don't include MD5 which is last */
- if (FIPS_mode())
- return sizeof(tls12_sigalgs) - 2;
- else
-#endif
- return sizeof(tls12_sigalgs);
+ return sizeof(tls12_sigalgs);
}
}
/* Check signature algorithm is consistent with sent supported signature
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
}
+#ifndef OPENSSL_NO_EC
if (pkey->type == EVP_PKEY_EC)
{
unsigned char curve_id[2], comp_id;
}
else if (tls1_suiteb(s))
return 0;
+#endif
/* Check signature matches a type we sent */
sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
c->valid = 1;
}
-/* byte_compare is a compare function for qsort(3) that compares bytes. */
-static int byte_compare(const void *in_a, const void *in_b)
- {
- unsigned char a = *((const unsigned char*) in_a);
- unsigned char b = *((const unsigned char*) in_b);
-
- if (a > b)
- return 1;
- else if (a < b)
- return -1;
- return 0;
-}
-
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
{
int extdatalen=0;
}
#endif
+ if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
+ {
+ if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
+ return NULL;
+ s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
+ s2n(2 + s->alpn_client_proto_list_len,ret);
+ s2n(s->alpn_client_proto_list_len,ret);
+ memcpy(ret, s->alpn_client_proto_list,
+ s->alpn_client_proto_list_len);
+ ret += s->alpn_client_proto_list_len;
+ }
+
if(SSL_get_srtp_profiles(s))
{
int el;
ret += el;
}
- /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
- /* 2 bytes for extension type */
- /* 2 bytes for extension length */
- /* 1 byte for the list length */
- /* 1 byte for the list (we only support audit proofs) */
- if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
- {
- const unsigned short ext_len = 2;
- const unsigned char list_len = 1;
-
- if (limit < ret + 6)
- return NULL;
-
- s2n(TLSEXT_TYPE_server_authz, ret);
- /* Extension length: 2 bytes */
- s2n(ext_len, ret);
- *(ret++) = list_len;
- *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
- }
-
/* Add custom TLS Extensions to ClientHello */
if (s->ctx->custom_cli_ext_records_count)
{
ret += outlen;
}
}
+#ifdef TLSEXT_TYPE_encrypt_then_mac
+ s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
+ s2n(0,ret);
+#endif
if ((extdatalen = ret-p-2) == 0)
return p;
#ifndef OPENSSL_NO_NEXTPROTONEG
int next_proto_neg_seen;
#endif
+#ifndef OPENSSL_NO_EC
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
-
+#endif
/* don't add extensions for SSLv3, unless doing secure renegotiation */
if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
return p;
}
#endif
- /* If the client supports authz then see whether we have any to offer
- * to it. */
- if (s->s3->tlsext_authz_client_types_len)
- {
- size_t authz_length;
- /* By now we already know the new cipher, so we can look ahead
- * to see whether the cert we are going to send
- * has any authz data attached to it. */
- const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
- const unsigned char* const orig_authz = authz;
- size_t i;
- unsigned authz_count = 0;
-
- /* The authz data contains a number of the following structures:
- * uint8_t authz_type
- * uint16_t length
- * uint8_t data[length]
- *
- * First we walk over it to find the number of authz elements. */
- for (i = 0; i < authz_length; i++)
- {
- unsigned short length;
- unsigned char type;
-
- type = *(authz++);
- if (memchr(s->s3->tlsext_authz_client_types,
- type,
- s->s3->tlsext_authz_client_types_len) != NULL)
- authz_count++;
-
- n2s(authz, length);
- /* n2s increments authz by 2 */
- i += 2;
- authz += length;
- i += length;
- }
-
- if (authz_count)
- {
- /* Add TLS extension server_authz to the ServerHello message
- * 2 bytes for extension type
- * 2 bytes for extension length
- * 1 byte for the list length
- * n bytes for the list */
- const unsigned short ext_len = 1 + authz_count;
-
- if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
- s2n(TLSEXT_TYPE_server_authz, ret);
- s2n(ext_len, ret);
- *(ret++) = authz_count;
- s->s3->tlsext_authz_promised_to_client = 1;
- }
-
- authz = orig_authz;
- for (i = 0; i < authz_length; i++)
- {
- unsigned short length;
- unsigned char type;
-
- authz_count++;
- type = *(authz++);
- if (memchr(s->s3->tlsext_authz_client_types,
- type,
- s->s3->tlsext_authz_client_types_len) != NULL)
- *(ret++) = type;
- n2s(authz, length);
- /* n2s increments authz by 2 */
- i += 2;
- authz += length;
- i += length;
- }
- }
-
/* If custom types were sent in ClientHello, add ServerHello responses */
if (s->s3->tlsext_custom_types_count)
{
}
}
}
+#ifdef TLSEXT_TYPE_encrypt_then_mac
+ if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
+ {
+ /* Don't use encrypt_then_mac if AEAD: might want
+ * to disable for other ciphersuites too.
+ */
+ if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD)
+ s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
+ else
+ {
+ s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
+ s2n(0,ret);
+ }
+ }
+#endif
+
+ if (s->s3->alpn_selected)
+ {
+ const unsigned char *selected = s->s3->alpn_selected;
+ unsigned len = s->s3->alpn_selected_len;
+
+ if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
+ return NULL;
+ s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
+ s2n(3 + len,ret);
+ s2n(1 + len,ret);
+ *ret++ = len;
+ memcpy(ret, selected, len);
+ ret += len;
+ }
if ((extdatalen = ret-p-2)== 0)
return p;
return ret;
}
+/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
+ * ClientHello.
+ * data: the contents of the extension, not including the type and length.
+ * data_len: the number of bytes in |data|
+ * al: a pointer to the alert value to send in the event of a non-zero
+ * return.
+ *
+ * returns: 0 on success. */
+static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
+ unsigned data_len, int *al)
+ {
+ unsigned i;
+ unsigned proto_len;
+ const unsigned char *selected;
+ unsigned char selected_len;
+ int r;
+
+ if (s->ctx->alpn_select_cb == NULL)
+ return 0;
+
+ if (data_len < 2)
+ goto parse_error;
+
+ /* data should contain a uint16 length followed by a series of 8-bit,
+ * length-prefixed strings. */
+ i = ((unsigned) data[0]) << 8 |
+ ((unsigned) data[1]);
+ data_len -= 2;
+ data += 2;
+ if (data_len != i)
+ goto parse_error;
+
+ if (data_len < 2)
+ goto parse_error;
+
+ for (i = 0; i < data_len;)
+ {
+ proto_len = data[i];
+ i++;
+
+ if (proto_len == 0)
+ goto parse_error;
+
+ if (i + proto_len < i || i + proto_len > data_len)
+ goto parse_error;
+
+ i += proto_len;
+ }
+
+ r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
+ s->ctx->alpn_select_cb_arg);
+ if (r == SSL_TLSEXT_ERR_OK) {
+ if (s->s3->alpn_selected)
+ OPENSSL_free(s->s3->alpn_selected);
+ s->s3->alpn_selected = OPENSSL_malloc(selected_len);
+ if (!s->s3->alpn_selected)
+ {
+ *al = SSL_AD_INTERNAL_ERROR;
+ return -1;
+ }
+ memcpy(s->s3->alpn_selected, selected, selected_len);
+ s->s3->alpn_selected_len = selected_len;
+ }
+ return 0;
+
+parse_error:
+ *al = SSL_AD_DECODE_ERROR;
+ return -1;
+ }
+
+#ifndef OPENSSL_NO_EC
+/* ssl_check_for_safari attempts to fingerprint Safari using OS X
+ * SecureTransport using the TLS extension block in |d|, of length |n|.
+ * Safari, since 10.6, sends exactly these extensions, in this order:
+ * SNI,
+ * elliptic_curves
+ * ec_point_formats
+ *
+ * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
+ * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
+ * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
+ * 10.8..10.8.3 (which don't work).
+ */
+static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
+ unsigned short type, size;
+ static const unsigned char kSafariExtensionsBlock[] = {
+ 0x00, 0x0a, /* elliptic_curves extension */
+ 0x00, 0x08, /* 8 bytes */
+ 0x00, 0x06, /* 6 bytes of curve ids */
+ 0x00, 0x17, /* P-256 */
+ 0x00, 0x18, /* P-384 */
+ 0x00, 0x19, /* P-521 */
+
+ 0x00, 0x0b, /* ec_point_formats */
+ 0x00, 0x02, /* 2 bytes */
+ 0x01, /* 1 point format */
+ 0x00, /* uncompressed */
+ };
+
+ /* The following is only present in TLS 1.2 */
+ static const unsigned char kSafariTLS12ExtensionsBlock[] = {
+ 0x00, 0x0d, /* signature_algorithms */
+ 0x00, 0x0c, /* 12 bytes */
+ 0x00, 0x0a, /* 10 bytes */
+ 0x05, 0x01, /* SHA-384/RSA */
+ 0x04, 0x01, /* SHA-256/RSA */
+ 0x02, 0x01, /* SHA-1/RSA */
+ 0x04, 0x03, /* SHA-256/ECDSA */
+ 0x02, 0x03, /* SHA-1/ECDSA */
+ };
+
+ if (data >= (d+n-2))
+ return;
+ data += 2;
+
+ if (data > (d+n-4))
+ return;
+ n2s(data,type);
+ n2s(data,size);
+
+ if (type != TLSEXT_TYPE_server_name)
+ return;
+
+ if (data+size > d+n)
+ return;
+ data += size;
+
+ if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
+ {
+ const size_t len1 = sizeof(kSafariExtensionsBlock);
+ const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
+
+ if (data + len1 + len2 != d+n)
+ return;
+ if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+ return;
+ if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
+ return;
+ }
+ else
+ {
+ const size_t len = sizeof(kSafariExtensionsBlock);
+
+ if (data + len != d+n)
+ return;
+ if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+ return;
+ }
+
+ s->s3->is_probably_safari = 1;
+}
+#endif /* !OPENSSL_NO_EC */
+
static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
{
unsigned short type;
s->s3->next_proto_neg_seen = 0;
#endif
+ if (s->s3->alpn_selected)
+ {
+ OPENSSL_free(s->s3->alpn_selected);
+ s->s3->alpn_selected = NULL;
+ }
+
+ /* Clear observed custom extensions */
+ s->s3->tlsext_custom_types_count = 0;
+ if (s->s3->tlsext_custom_types != NULL)
+ {
+ OPENSSL_free(s->s3->tlsext_custom_types);
+ s->s3->tlsext_custom_types = NULL;
+ }
+
#ifndef OPENSSL_NO_HEARTBEATS
s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
#endif
+
+#ifndef OPENSSL_NO_EC
+ if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
+ ssl_check_for_safari(s, data, d, n);
+#endif /* !OPENSSL_NO_EC */
+
/* Clear any signature algorithms extension received */
if (s->cert->peer_sigalgs)
{
s->cert->pkeys[i].valid_flags = 0;
}
+#ifdef TLSEXT_TYPE_encrypt_then_mac
+ s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
+#endif
+
if (data >= (d+n-2))
goto ri_check;
n2s(data,len);
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
else if (type == TLSEXT_TYPE_next_proto_neg &&
- s->s3->tmp.finish_md_len == 0)
+ s->s3->tmp.finish_md_len == 0 &&
+ s->s3->alpn_selected == NULL)
{
/* We shouldn't accept this extension on a
* renegotiation.
}
#endif
+ else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
+ s->ctx->alpn_select_cb &&
+ s->s3->tmp.finish_md_len == 0)
+ {
+ if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
+ return 0;
+ /* ALPN takes precedence over NPN. */
+ s->s3->next_proto_neg_seen = 0;
+ }
+
/* session ticket processed earlier */
else if (type == TLSEXT_TYPE_use_srtp)
{
al))
return 0;
}
-
- else if (type == TLSEXT_TYPE_server_authz)
- {
- unsigned char *sdata = data;
- unsigned char server_authz_dataformatlist_length;
-
- if (size == 0)
- {
- *al = TLS1_AD_DECODE_ERROR;
- return 0;
- }
-
- server_authz_dataformatlist_length = *(sdata++);
-
- if (server_authz_dataformatlist_length != size - 1)
- {
- *al = TLS1_AD_DECODE_ERROR;
- return 0;
- }
-
- /* Successful session resumption uses the same authz
- * information as the original session so we ignore this
- * in the case of a session resumption. */
- if (!s->hit)
- {
- if (s->s3->tlsext_authz_client_types != NULL)
- OPENSSL_free(s->s3->tlsext_authz_client_types);
- s->s3->tlsext_authz_client_types =
- OPENSSL_malloc(server_authz_dataformatlist_length);
- if (!s->s3->tlsext_authz_client_types)
- {
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
- }
-
- s->s3->tlsext_authz_client_types_len =
- server_authz_dataformatlist_length;
- memcpy(s->s3->tlsext_authz_client_types,
- sdata,
- server_authz_dataformatlist_length);
-
- /* Sort the types in order to check for duplicates. */
- qsort(s->s3->tlsext_authz_client_types,
- server_authz_dataformatlist_length,
- 1 /* element size */,
- byte_compare);
-
- for (i = 0; i < server_authz_dataformatlist_length; i++)
- {
- if (i > 0 &&
- s->s3->tlsext_authz_client_types[i] ==
- s->s3->tlsext_authz_client_types[i-1])
- {
- *al = TLS1_AD_DECODE_ERROR;
- return 0;
- }
- }
- }
- }
-
/* If this ClientHello extension was unhandled and this is
* a nonresumed connection, check whether the extension is a
* custom TLS Extension (has a custom_srv_ext_record), and if
record = &s->ctx->custom_srv_ext_records[i];
if (type == record->ext_type)
{
- /* Error on duplicate TLS Extensions */
size_t j;
+ /* Error on duplicate TLS Extensions */
for (j = 0; j < s->s3->tlsext_custom_types_count; j++)
{
- if (s->s3->tlsext_custom_types[j] == type)
+ if (type == s->s3->tlsext_custom_types[j])
{
*al = TLS1_AD_DECODE_ERROR;
return 0;
}
}
- /* Callback */
+ /* NULL callback still notes the extension */
if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
return 0;
s->s3->tlsext_custom_types_count++;
s->s3->tlsext_custom_types = OPENSSL_realloc(
s->s3->tlsext_custom_types,
- s->s3->tlsext_custom_types_count*2);
+ s->s3->tlsext_custom_types_count * 2);
if (s->s3->tlsext_custom_types == NULL)
{
s->s3->tlsext_custom_types = 0;
return 0;
}
s->s3->tlsext_custom_types[
- s->s3->tlsext_custom_types_count-1] = type;
+ s->s3->tlsext_custom_types_count - 1] = type;
}
}
}
+#ifdef TLSEXT_TYPE_encrypt_then_mac
+ else if (type == TLSEXT_TYPE_encrypt_then_mac)
+ s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
+#endif
data+=size;
}
s->s3->next_proto_neg_seen = 0;
#endif
+ if (s->s3->alpn_selected)
+ {
+ OPENSSL_free(s->s3->alpn_selected);
+ s->s3->alpn_selected = NULL;
+ }
+
#ifndef OPENSSL_NO_HEARTBEATS
s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
#endif
+#ifdef TLSEXT_TYPE_encrypt_then_mac
+ s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
+#endif
+
if (data >= (d+n-2))
goto ri_check;
s->s3->next_proto_neg_seen = 1;
}
#endif
+
+ else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
+ {
+ unsigned len;
+
+ /* We must have requested it. */
+ if (s->alpn_client_proto_list == NULL)
+ {
+ *al = TLS1_AD_UNSUPPORTED_EXTENSION;
+ return 0;
+ }
+ if (size < 4)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ /* The extension data consists of:
+ * uint16 list_length
+ * uint8 proto_length;
+ * uint8 proto[proto_length]; */
+ len = data[0];
+ len <<= 8;
+ len |= data[1];
+ if (len != (unsigned) size - 2)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ len = data[2];
+ if (len != (unsigned) size - 3)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (s->s3->alpn_selected)
+ OPENSSL_free(s->s3->alpn_selected);
+ s->s3->alpn_selected = OPENSSL_malloc(len);
+ if (!s->s3->alpn_selected)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ memcpy(s->s3->alpn_selected, data + 3, len);
+ s->s3->alpn_selected_len = len;
+ }
+
else if (type == TLSEXT_TYPE_renegotiate)
{
if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
al))
return 0;
}
-
- else if (type == TLSEXT_TYPE_server_authz)
- {
- /* We only support audit proofs. It's an error to send
- * an authz hello extension if the client
- * didn't request a proof. */
- unsigned char *sdata = data;
- unsigned char server_authz_dataformatlist_length;
-
- if (!s->ctx->tlsext_authz_server_audit_proof_cb)
- {
- *al = TLS1_AD_UNSUPPORTED_EXTENSION;
- return 0;
- }
-
- if (!size)
- {
- *al = TLS1_AD_DECODE_ERROR;
- return 0;
- }
-
- server_authz_dataformatlist_length = *(sdata++);
- if (server_authz_dataformatlist_length != size - 1)
- {
- *al = TLS1_AD_DECODE_ERROR;
- return 0;
- }
-
- /* We only support audit proofs, so a legal ServerHello
- * authz list contains exactly one entry. */
- if (server_authz_dataformatlist_length != 1 ||
- sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
- {
- *al = TLS1_AD_UNSUPPORTED_EXTENSION;
- return 0;
- }
-
- s->s3->tlsext_authz_server_promised = 1;
- }
-
/* If this extension type was not otherwise handled, but
* matches a custom_cli_ext_record, then send it to the c
* callback */
}
}
}
+#ifdef TLSEXT_TYPE_encrypt_then_mac
+ else if (type == TLSEXT_TYPE_encrypt_then_mac)
+ {
+ /* Ignore if inappropriate ciphersuite */
+ if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD)
+ s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
+ }
+#endif
data += size;
}