Remove TLS heartbeat, disable DTLS heartbeat
[openssl.git] / ssl / t1_lib.c
index c91b761..e0e0cb9 100644 (file)
@@ -1,4 +1,3 @@
-/* ssl/t1_lib.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
 #endif
 #include "ssl_locl.h"
 
-const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
-
-#ifndef OPENSSL_NO_TLSEXT
 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
                               const unsigned char *sess_id, int sesslen,
                               SSL_SESSION **psess);
 static int ssl_check_clienthello_tlsext_early(SSL *s);
 int ssl_check_serverhello_tlsext(SSL *s);
-#endif
 
 SSL3_ENC_METHOD const TLSv1_enc_data = {
     tls1_enc,
@@ -139,7 +134,6 @@ SSL3_ENC_METHOD const TLSv1_enc_data = {
     tls1_change_cipher_state,
     tls1_final_finish_mac,
     TLS1_FINISH_MAC_LENGTH,
-    tls1_cert_verify_mac,
     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
     tls1_alert_code,
@@ -158,7 +152,6 @@ SSL3_ENC_METHOD const TLSv1_1_enc_data = {
     tls1_change_cipher_state,
     tls1_final_finish_mac,
     TLS1_FINISH_MAC_LENGTH,
-    tls1_cert_verify_mac,
     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
     tls1_alert_code,
@@ -177,7 +170,6 @@ SSL3_ENC_METHOD const TLSv1_2_enc_data = {
     tls1_change_cipher_state,
     tls1_final_finish_mac,
     TLS1_FINISH_MAC_LENGTH,
-    tls1_cert_verify_mac,
     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
     tls1_alert_code,
@@ -208,18 +200,17 @@ int tls1_new(SSL *s)
 
 void tls1_free(SSL *s)
 {
-#ifndef OPENSSL_NO_TLSEXT
-    if (s->tlsext_session_ticket) {
-        OPENSSL_free(s->tlsext_session_ticket);
-    }
-#endif                          /* OPENSSL_NO_TLSEXT */
+    OPENSSL_free(s->tlsext_session_ticket);
     ssl3_free(s);
 }
 
 void tls1_clear(SSL *s)
 {
     ssl3_clear(s);
-    s->version = s->method->version;
+    if (s->method->version == TLS_ANY_VERSION)
+        s->version = TLS_MAX_VERSION;
+    else
+        s->version = s->method->version;
 }
 
 #ifndef OPENSSL_NO_EC
@@ -270,37 +261,65 @@ static const unsigned char ecformats_default[] = {
     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
 };
 
+/* The default curves */
 static const unsigned char eccurves_default[] = {
-    0, 14,                      /* sect571r1 (14) */
-    0, 13,                      /* sect571k1 (13) */
+    /* Prefer P-256 which has the fastest and most secure implementations. */
+    0, 23,                      /* secp256r1 (23) */
+    /* Other >= 256-bit prime curves. */
     0, 25,                      /* secp521r1 (25) */
     0, 28,                      /* brainpool512r1 (28) */
-    0, 11,                      /* sect409k1 (11) */
-    0, 12,                      /* sect409r1 (12) */
     0, 27,                      /* brainpoolP384r1 (27) */
     0, 24,                      /* secp384r1 (24) */
+    0, 26,                      /* brainpoolP256r1 (26) */
+    0, 22,                      /* secp256k1 (22) */
+    /* >= 256-bit binary curves. */
+    0, 14,                      /* sect571r1 (14) */
+    0, 13,                      /* sect571k1 (13) */
+    0, 11,                      /* sect409k1 (11) */
+    0, 12,                      /* sect409r1 (12) */
     0, 9,                       /* sect283k1 (9) */
     0, 10,                      /* sect283r1 (10) */
+};
+
+static const unsigned char eccurves_all[] = {
+    /* Prefer P-256 which has the fastest and most secure implementations. */
+    0, 23,                      /* secp256r1 (23) */
+    /* Other >= 256-bit prime curves. */
+    0, 25,                      /* secp521r1 (25) */
+    0, 28,                      /* brainpool512r1 (28) */
+    0, 27,                      /* brainpoolP384r1 (27) */
+    0, 24,                      /* secp384r1 (24) */
     0, 26,                      /* brainpoolP256r1 (26) */
     0, 22,                      /* secp256k1 (22) */
-    0, 23,                      /* secp256r1 (23) */
+    /* >= 256-bit binary curves. */
+    0, 14,                      /* sect571r1 (14) */
+    0, 13,                      /* sect571k1 (13) */
+    0, 11,                      /* sect409k1 (11) */
+    0, 12,                      /* sect409r1 (12) */
+    0, 9,                       /* sect283k1 (9) */
+    0, 10,                      /* sect283r1 (10) */
+    /*
+     * Remaining curves disabled by default but still permitted if set
+     * via an explicit callback or parameters.
+     */
+    0, 20,                      /* secp224k1 (20) */
+    0, 21,                      /* secp224r1 (21) */
+    0, 18,                      /* secp192k1 (18) */
+    0, 19,                      /* secp192r1 (19) */
+    0, 15,                      /* secp160k1 (15) */
+    0, 16,                      /* secp160r1 (16) */
+    0, 17,                      /* secp160r2 (17) */
     0, 8,                       /* sect239k1 (8) */
     0, 6,                       /* sect233k1 (6) */
     0, 7,                       /* sect233r1 (7) */
-    0, 20,                      /* secp224k1 (20) */
-    0, 21,                      /* secp224r1 (21) */
     0, 4,                       /* sect193r1 (4) */
     0, 5,                       /* sect193r2 (5) */
-    0, 18,                      /* secp192k1 (18) */
-    0, 19,                      /* secp192r1 (19) */
     0, 1,                       /* sect163k1 (1) */
     0, 2,                       /* sect163r1 (2) */
     0, 3,                       /* sect163r2 (3) */
-    0, 15,                      /* secp160k1 (15) */
-    0, 16,                      /* secp160r1 (16) */
-    0, 17,                      /* secp160r2 (17) */
 };
 
+
 static const unsigned char suiteb_curves[] = {
     0, TLSEXT_curve_P_256,
     0, TLSEXT_curve_P_384
@@ -309,8 +328,7 @@ static const unsigned char suiteb_curves[] = {
 int tls1_ec_curve_id2nid(int curve_id)
 {
     /* ECC curves from RFC 4492 and RFC 7027 */
-    if ((curve_id < 1) || ((unsigned int)curve_id >
-                           sizeof(nid_list) / sizeof(nid_list[0])))
+    if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list)))
         return 0;
     return nid_list[curve_id - 1].nid;
 }
@@ -444,8 +462,7 @@ static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
     const tls_curve_info *cinfo;
     if (curve[0])
         return 1;
-    if ((curve[1] < 1) || ((size_t)curve[1] >
-                           sizeof(nid_list) / sizeof(nid_list[0])))
+    if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list)))
         return 0;
     cinfo = &nid_list[curve[1] - 1];
 # ifdef OPENSSL_NO_EC2M
@@ -487,8 +504,9 @@ int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
 }
 
 /*-
- * Return |nmatch|th shared curve or NID_undef if there is no match.
- * For nmatch == -1, return number of  matches
+ * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
+ * if there is no match.
+ * For nmatch == -1, return number of matches
  * For nmatch == -2, return the NID of the curve to use for
  * an EC tmp key, or NID_undef if there is no match.
  */
@@ -530,6 +548,20 @@ int tls1_shared_curve(SSL *s, int nmatch)
         (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
          &num_pref))
         return nmatch == -1 ? 0 : NID_undef;
+
+    /*
+     * If the client didn't send the elliptic_curves extension all of them
+     * are allowed.
+     */
+    if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
+        supp = eccurves_all;
+        num_supp = sizeof(eccurves_all) / 2;
+    } else if (num_pref == 0 &&
+        (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
+        pref = eccurves_all;
+        num_pref = sizeof(eccurves_all) / 2;
+    }
+
     k = 0;
     for (i = 0; i < num_pref; i++, pref += 2) {
         const unsigned char *tsupp = supp;
@@ -562,7 +594,7 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen,
      */
     unsigned long dup_list = 0;
     clist = OPENSSL_malloc(ncurves * 2);
-    if (!clist)
+    if (clist == NULL)
         return 0;
     for (i = 0, p = clist; i < ncurves; i++) {
         unsigned long idmask;
@@ -576,8 +608,7 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen,
         dup_list |= idmask;
         s2n(id, p);
     }
-    if (*pext)
-        OPENSSL_free(*pext);
+    OPENSSL_free(*pext);
     *pext = clist;
     *pextlen = ncurves * 2;
     return 1;
@@ -706,6 +737,16 @@ static int tls1_check_ec_key(SSL *s,
     for (j = 0; j <= 1; j++) {
         if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
             return 0;
+        if (j == 1 && num_curves == 0) {
+            /*
+             * If we've not received any curves then skip this check.
+             * RFC 4492 does not require the supported elliptic curves extension
+             * so if it is not sent we can just choose any curve.
+             * It is invalid to send an empty list in the elliptic curves
+             * extension, so num_curves == 0 always means no extension.
+             */
+            break;
+        }
         for (i = 0; i < num_curves; i++, pcurves += 2) {
             if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
                 break;
@@ -747,16 +788,13 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
     unsigned char comp_id, curve_id[2];
     EVP_PKEY *pkey;
     int rv;
-    pkey = X509_get_pubkey(x);
+    pkey = X509_get0_pubkey(x);
     if (!pkey)
         return 0;
     /* If not EC nothing to do */
-    if (pkey->type != EVP_PKEY_EC) {
-        EVP_PKEY_free(pkey);
+    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
         return 1;
-    }
-    rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
-    EVP_PKEY_free(pkey);
+    rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
     if (!rv)
         return 0;
     /*
@@ -790,20 +828,27 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
             return 0;
         if (set_ee_md == 2) {
             if (check_md == NID_ecdsa_with_SHA256)
-                c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
+                s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256();
             else
-                c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
+                s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384();
         }
     }
     return rv;
 }
 
-# ifndef OPENSSL_NO_ECDH
-/* Check EC temporary key is compatible with client extensions */
+# ifndef OPENSSL_NO_EC
+/*
+ * tls1_check_ec_tmp_key - Check EC temporary key compatiblity
+ * @s: SSL connection
+ * @cid: Cipher ID we're considering using
+ *
+ * Checks that the kECDHE cipher suite we're considering using
+ * is compatible with the client extensions.
+ *
+ * Returns 0 when the cipher can't be used or 1 when it can.
+ */
 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
 {
-    unsigned char curve_id[2];
-    EC_KEY *ec = s->cert->ecdh_tmp;
 #  ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
     /* Allow any curve: not just those peer supports */
     if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
@@ -814,6 +859,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
      * curves permitted.
      */
     if (tls1_suiteb(s)) {
+        unsigned char curve_id[2];
         /* Curve to check determined by ciphersuite */
         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
             curve_id[1] = TLSEXT_curve_P_256;
@@ -825,45 +871,14 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
         /* Check this curve is acceptable */
         if (!tls1_check_ec_key(s, curve_id, NULL))
             return 0;
-        /* If auto or setting curve from callback assume OK */
-        if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
-            return 1;
-        /* Otherwise check curve is acceptable */
-        else {
-            unsigned char curve_tmp[2];
-            if (!ec)
-                return 0;
-            if (!tls1_set_ec_id(curve_tmp, NULL, ec))
-                return 0;
-            if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
-                return 1;
-            return 0;
-        }
-
-    }
-    if (s->cert->ecdh_tmp_auto) {
-        /* Need a shared curve */
-        if (tls1_shared_curve(s, 0))
-            return 1;
-        else
-            return 0;
-    }
-    if (!ec) {
-        if (s->cert->ecdh_tmp_cb)
-            return 1;
-        else
-            return 0;
+        return 1;
     }
-    if (!tls1_set_ec_id(curve_id, NULL, ec))
-        return 0;
-/* Set this to allow use of invalid curves for testing */
-#  if 0
-    return 1;
-#  else
-    return tls1_check_ec_key(s, curve_id, NULL);
-#  endif
+    /* Need a shared curve */
+    if (tls1_shared_curve(s, 0))
+        return 1;
+    return 0;
 }
-# endif                         /* OPENSSL_NO_ECDH */
+# endif                         /* OPENSSL_NO_EC */
 
 #else
 
@@ -874,33 +889,30 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
 
 #endif                          /* OPENSSL_NO_EC */
 
-#ifndef OPENSSL_NO_TLSEXT
-
 /*
  * List of supported signature algorithms and hashes. Should make this
  * customisable at some point, for now include everything we support.
  */
 
-# ifdef OPENSSL_NO_RSA
-#  define tlsext_sigalg_rsa(md) /* */
-# else
-#  define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
-# endif
+#ifdef OPENSSL_NO_RSA
+# define tlsext_sigalg_rsa(md) /* */
+#else
+# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
+#endif
 
-# ifdef OPENSSL_NO_DSA
-#  define tlsext_sigalg_dsa(md) /* */
-# else
-#  define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
-# endif
+#ifdef OPENSSL_NO_DSA
+# define tlsext_sigalg_dsa(md) /* */
+#else
+# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
+#endif
 
-# ifdef OPENSSL_NO_ECDSA
-#  define tlsext_sigalg_ecdsa(md)
-                                /* */
-# else
-#  define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
-# endif
+#ifdef OPENSSL_NO_EC
+# define tlsext_sigalg_ecdsa(md) /* */
+#else
+# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
+#endif
 
-# define tlsext_sigalg(md) \
+#define tlsext_sigalg(md) \
                 tlsext_sigalg_rsa(md) \
                 tlsext_sigalg_dsa(md) \
                 tlsext_sigalg_ecdsa(md)
@@ -911,21 +923,26 @@ static const unsigned char tls12_sigalgs[] = {
         tlsext_sigalg(TLSEXT_hash_sha256)
         tlsext_sigalg(TLSEXT_hash_sha224)
         tlsext_sigalg(TLSEXT_hash_sha1)
+#ifndef OPENSSL_NO_GOST
+        TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
+        TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
+        TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
+#endif
 };
 
-# ifndef OPENSSL_NO_ECDSA
+#ifndef OPENSSL_NO_EC
 static const unsigned char suiteb_sigalgs[] = {
     tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
 };
-# endif
+#endif
 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
 {
     /*
      * If Suite B mode use Suite B sigalgs only, ignore any other
      * preferences.
      */
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     switch (tls1_suiteb(s)) {
     case SSL_CERT_FLAG_SUITEB_128_LOS:
         *psigs = suiteb_sigalgs;
@@ -939,7 +956,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
         *psigs = suiteb_sigalgs + 2;
         return 2;
     }
-# endif
+#endif
     /* If server use client authentication sigalgs if not NULL */
     if (s->server && s->cert->client_sigalgs) {
         *psigs = s->cert->client_sigalgs;
@@ -971,11 +988,11 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
         return 0;
     }
-# ifndef OPENSSL_NO_EC
-    if (pkey->type == EVP_PKEY_EC) {
+#ifndef OPENSSL_NO_EC
+    if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
         unsigned char curve_id[2], comp_id;
         /* Check compression and curve matches extensions */
-        if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
+        if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
             return 0;
         if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
             SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
@@ -1002,7 +1019,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
         }
     } else if (tls1_suiteb(s))
         return 0;
-# endif
+#endif
 
     /* Check signature matches a type we sent */
     sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
@@ -1032,8 +1049,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
     /*
      * Store the digest used so applications can retrieve it if they wish.
      */
-    if (s->session && s->session->sess_cert)
-        s->session->sess_cert->peer_key->digest = *pmd;
+    s->s3->tmp.peer_md = *pmd;
     return 1;
 }
 
@@ -1045,52 +1061,45 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
  */
 void ssl_set_client_disabled(SSL *s)
 {
-    CERT *c = s->cert;
-    c->mask_a = 0;
-    c->mask_k = 0;
+    s->s3->tmp.mask_a = 0;
+    s->s3->tmp.mask_k = 0;
     /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
     if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
-        c->mask_ssl = SSL_TLSV1_2;
+        s->s3->tmp.mask_ssl = SSL_TLSV1_2;
     else
-        c->mask_ssl = 0;
-    ssl_set_sig_mask(&c->mask_a, s, SSL_SECOP_SIGALG_MASK);
+        s->s3->tmp.mask_ssl = 0;
+    /* Disable TLS 1.0 ciphers if using SSL v3 */
+    if (s->client_version == SSL3_VERSION)
+        s->s3->tmp.mask_ssl |= SSL_TLSV1;
+    ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
     /*
      * Disable static DH if we don't include any appropriate signature
      * algorithms.
      */
-    if (c->mask_a & SSL_aRSA)
-        c->mask_k |= SSL_kDHr | SSL_kECDHr;
-    if (c->mask_a & SSL_aDSS)
-        c->mask_k |= SSL_kDHd;
-    if (c->mask_a & SSL_aECDSA)
-        c->mask_k |= SSL_kECDHe;
-# ifndef OPENSSL_NO_KRB5
-    if (!kssl_tgt_is_available(s->kssl_ctx)) {
-        c->mask_a |= SSL_aKRB5;
-        c->mask_k |= SSL_kKRB5;
-    }
-# endif
+    if (s->s3->tmp.mask_a & SSL_aRSA)
+        s->s3->tmp.mask_k |= SSL_kECDHr;
+    if (s->s3->tmp.mask_a & SSL_aECDSA)
+        s->s3->tmp.mask_k |= SSL_kECDHe;
 # ifndef OPENSSL_NO_PSK
     /* with PSK there must be client callback set */
     if (!s->psk_client_callback) {
-        c->mask_a |= SSL_aPSK;
-        c->mask_k |= SSL_kPSK;
+        s->s3->tmp.mask_a |= SSL_aPSK;
+        s->s3->tmp.mask_k |= SSL_PSK;
     }
-# endif                         /* OPENSSL_NO_PSK */
-# ifndef OPENSSL_NO_SRP
+#endif                         /* OPENSSL_NO_PSK */
+#ifndef OPENSSL_NO_SRP
     if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
-        c->mask_a |= SSL_aSRP;
-        c->mask_k |= SSL_kSRP;
+        s->s3->tmp.mask_a |= SSL_aSRP;
+        s->s3->tmp.mask_k |= SSL_kSRP;
     }
-# endif
-    c->valid = 1;
+#endif
 }
 
 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
 {
-    CERT *ct = s->cert;
-    if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k
-        || c->algorithm_auth & ct->mask_a)
+    if (c->algorithm_ssl & s->s3->tmp.mask_ssl
+        || c->algorithm_mkey & s->s3->tmp.mask_k
+        || c->algorithm_auth & s->s3->tmp.mask_a)
         return 1;
     return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
 }
@@ -1108,7 +1117,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
     int extdatalen = 0;
     unsigned char *orig = buf;
     unsigned char *ret = buf;
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     /* See if we support any ECC ciphersuites */
     int using_ecc = 0;
     if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
@@ -1117,18 +1126,18 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
 
         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
-            SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
+            const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
 
             alg_k = c->algorithm_mkey;
             alg_a = c->algorithm_auth;
-            if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)
+            if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)
                  || (alg_a & SSL_aECDSA))) {
                 using_ecc = 1;
                 break;
             }
         }
     }
-# endif
+#endif
 
     ret += 2;
 
@@ -1193,7 +1202,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
         memcpy(ret, s->tlsext_hostname, size_str);
         ret += size_str;
     }
-# ifndef OPENSSL_NO_SRP
+#ifndef OPENSSL_NO_SRP
     /* Add SRP username if there is one */
     if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
                                      * Client Hello message */
@@ -1220,9 +1229,9 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
         memcpy(ret, s->srp_ctx.login, login_len);
         ret += login_len;
     }
-# endif
+#endif
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     if (using_ecc) {
         /*
          * Add TLS extension ECPointFormats to the ClientHello message
@@ -1283,7 +1292,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
         s2n(curves_list_len, ret);
         ret += curves_list_len;
     }
-# endif                         /* OPENSSL_NO_EC */
+#endif                         /* OPENSSL_NO_EC */
 
     if (tls_use_ticket(s)) {
         int ticklen;
@@ -1293,7 +1302,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
                  s->tlsext_session_ticket->data) {
             ticklen = s->tlsext_session_ticket->length;
             s->session->tlsext_tick = OPENSSL_malloc(ticklen);
-            if (!s->session->tlsext_tick)
+            if (s->session->tlsext_tick == NULL)
                 return NULL;
             memcpy(s->session->tlsext_tick,
                    s->tlsext_session_ticket->data, ticklen);
@@ -1379,24 +1388,26 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
         if (extlen > 0)
             i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
     }
-# ifndef OPENSSL_NO_HEARTBEATS
-    /* Add Heartbeat extension */
-    if ((limit - ret - 4 - 1) < 0)
-        return NULL;
-    s2n(TLSEXT_TYPE_heartbeat, ret);
-    s2n(1, ret);
-    /*-
-     * Set mode:
-     * 1: peer may send requests
-     * 2: peer not allowed to send requests
-     */
-    if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
-        *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-    else
-        *(ret++) = SSL_TLSEXT_HB_ENABLED;
-# endif
+#ifndef OPENSSL_NO_HEARTBEATS
+    if (SSL_IS_DTLS(s)) {
+        /* Add Heartbeat extension */
+        if ((limit - ret - 4 - 1) < 0)
+            return NULL;
+        s2n(TLSEXT_TYPE_heartbeat, ret);
+        s2n(1, ret);
+        /*-
+         * Set mode:
+         * 1: peer may send requests
+         * 2: peer not allowed to send requests
+         */
+        if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
+            *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
+        else
+            *(ret++) = SSL_DTLSEXT_HB_ENABLED;
+    }
+#endif
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
         /*
          * The client advertises an emtpy extension to indicate its support
@@ -1407,7 +1418,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
         s2n(TLSEXT_TYPE_next_proto_neg, ret);
         s2n(0, ret);
     }
-# endif
+#endif
 
     if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
         if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
@@ -1418,11 +1429,15 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
         memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
         ret += s->alpn_client_proto_list_len;
     }
-# ifndef OPENSSL_NO_SRTP
+#ifndef OPENSSL_NO_SRTP
     if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
         int el;
 
-        ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
+        /* Returns 0 on success!! */
+        if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
+            SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+            return NULL;
+        }
 
         if ((limit - ret - 4 - el) < 0)
             return NULL;
@@ -1436,15 +1451,15 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
         }
         ret += el;
     }
-# endif
+#endif
     custom_ext_init(&s->cert->cli_ext);
     /* Add custom TLS Extensions to ClientHello */
     if (!custom_ext_add(s, 0, &ret, limit, al))
         return NULL;
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+#ifdef TLSEXT_TYPE_encrypt_then_mac
     s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
     s2n(0, ret);
-# endif
+#endif
     s2n(TLSEXT_TYPE_extended_master_secret, ret);
     s2n(0, ret);
 
@@ -1456,13 +1471,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
      */
     if (s->options & SSL_OP_TLSEXT_PADDING) {
         int hlen = ret - (unsigned char *)s->init_buf->data;
-        /*
-         * The code in s23_clnt.c to build ClientHello messages includes the
-         * 5-byte record header in the buffer, while the code in s3_clnt.c
-         * does not.
-         */
-        if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
-            hlen -= 5;
+
         if (hlen > 0xff && hlen < 0x200) {
             hlen = 0x200 - hlen;
             if (hlen >= 4)
@@ -1492,16 +1501,16 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
     int extdatalen = 0;
     unsigned char *orig = buf;
     unsigned char *ret = buf;
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     int next_proto_neg_seen;
-# endif
-# ifndef OPENSSL_NO_EC
+#endif
+#ifndef OPENSSL_NO_EC
     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
     int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
         || (alg_a & SSL_aECDSA);
     using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
-# endif
+#endif
 
     ret += 2;
     if (ret >= limit)
@@ -1541,7 +1550,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
         s2n(TLSEXT_TYPE_server_name, ret);
         s2n(0, ret);
     }
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     if (using_ecc) {
         const unsigned char *plist;
         size_t plistlen;
@@ -1572,7 +1581,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
      * Currently the server should not respond with a SupportedCurves
      * extension
      */
-# endif                         /* OPENSSL_NO_EC */
+#endif                         /* OPENSSL_NO_EC */
 
     if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
         if ((long)(limit - ret - 4) < 0)
@@ -1588,12 +1597,15 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
         s2n(0, ret);
     }
 
-# ifndef OPENSSL_NO_SRTP
+#ifndef OPENSSL_NO_SRTP
     if (SSL_IS_DTLS(s) && s->srtp_profile) {
         int el;
 
-        ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
-
+        /* Returns 0 on success!! */
+        if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
+            SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+            return NULL;
+        }
         if ((limit - ret - 4 - el) < 0)
             return NULL;
 
@@ -1606,7 +1618,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
         }
         ret += el;
     }
-# endif
+#endif
 
     if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
          || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
@@ -1625,9 +1637,9 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
         ret += 36;
 
     }
-# ifndef OPENSSL_NO_HEARTBEATS
+#ifndef OPENSSL_NO_HEARTBEATS
     /* Add Heartbeat extension if we've received one */
-    if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
+    if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) {
         if ((limit - ret - 4 - 1) < 0)
             return NULL;
         s2n(TLSEXT_TYPE_heartbeat, ret);
@@ -1637,15 +1649,15 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
          * 1: peer may send requests
          * 2: peer not allowed to send requests
          */
-        if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
-            *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
+        if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
+            *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
         else
-            *(ret++) = SSL_TLSEXT_HB_ENABLED;
+            *(ret++) = SSL_DTLSEXT_HB_ENABLED;
 
     }
-# endif
+#endif
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     next_proto_neg_seen = s->s3->next_proto_neg_seen;
     s->s3->next_proto_neg_seen = 0;
     if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
@@ -1666,25 +1678,27 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
             s->s3->next_proto_neg_seen = 1;
         }
     }
-# endif
+#endif
     if (!custom_ext_add(s, 1, &ret, limit, al))
         return NULL;
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+#ifdef TLSEXT_TYPE_encrypt_then_mac
     if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
         /*
          * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
          * for other cases too.
          */
         if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
-            || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4)
+            || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
+            || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
+            || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
             s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
         else {
             s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
             s2n(0, ret);
         }
     }
-# endif
-    if (!s->hit && s->session->flags & SSL_SESS_FLAG_EXTMS) {
+#endif
+    if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
         s2n(TLSEXT_TYPE_extended_master_secret, ret);
         s2n(0, ret);
     }
@@ -1719,54 +1733,40 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
  * alert value to send in the event of a non-zero return.  returns: 0 on
  * success.
  */
-static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
-                                         unsigned data_len, int *al)
+static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
 {
-    unsigned i;
-    unsigned proto_len;
+    unsigned int data_len;
+    unsigned int proto_len;
     const unsigned char *selected;
+    const unsigned char *data;
     unsigned char selected_len;
     int r;
 
     if (s->ctx->alpn_select_cb == NULL)
         return 0;
 
-    if (data_len < 2)
-        goto parse_error;
-
     /*
      * data should contain a uint16 length followed by a series of 8-bit,
      * length-prefixed strings.
      */
-    i = ((unsigned)data[0]) << 8 | ((unsigned)data[1]);
-    data_len -= 2;
-    data += 2;
-    if (data_len != i)
+    if (!PACKET_get_net_2(pkt, &data_len)
+            || PACKET_remaining(pkt) != data_len
+            || !PACKET_peek_bytes(pkt, &data, data_len))
         goto parse_error;
 
-    if (data_len < 2)
-        goto parse_error;
-
-    for (i = 0; i < data_len;) {
-        proto_len = data[i];
-        i++;
-
-        if (proto_len == 0)
-            goto parse_error;
-
-        if (i + proto_len < i || i + proto_len > data_len)
+    do {
+        if (!PACKET_get_1(pkt, &proto_len)
+                || proto_len == 0
+                || !PACKET_forward(pkt, proto_len))
             goto parse_error;
-
-        i += proto_len;
-    }
+    } while (PACKET_remaining(pkt));
 
     r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
                                s->ctx->alpn_select_cb_arg);
     if (r == SSL_TLSEXT_ERR_OK) {
-        if (s->s3->alpn_selected)
-            OPENSSL_free(s->s3->alpn_selected);
+        OPENSSL_free(s->s3->alpn_selected);
         s->s3->alpn_selected = OPENSSL_malloc(selected_len);
-        if (!s->s3->alpn_selected) {
+        if (s->s3->alpn_selected == NULL) {
             *al = SSL_AD_INTERNAL_ERROR;
             return -1;
         }
@@ -1780,7 +1780,7 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
     return -1;
 }
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
 /*-
  * ssl_check_for_safari attempts to fingerprint Safari using OS X
  * SecureTransport using the TLS extension block in |d|, of length |n|.
@@ -1794,10 +1794,12 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
  * 10.8..10.8.3 (which don't work).
  */
-static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-                                 const unsigned char *d, int n)
+static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
 {
-    unsigned short type, size;
+    unsigned int type, size;
+    const unsigned char *eblock1, *eblock2;
+    PACKET tmppkt;
+
     static const unsigned char kSafariExtensionsBlock[] = {
         0x00, 0x0a,             /* elliptic_curves extension */
         0x00, 0x08,             /* 8 bytes */
@@ -1824,109 +1826,106 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
         0x02, 0x03,             /* SHA-1/ECDSA */
     };
 
-    if (data >= (d + n - 2))
-        return;
-    data += 2;
+    tmppkt = *pkt;
 
-    if (data > (d + n - 4))
+    if (!PACKET_forward(&tmppkt, 2)
+            || !PACKET_get_net_2(&tmppkt, &type)
+            || !PACKET_get_net_2(&tmppkt, &size)
+            || !PACKET_forward(&tmppkt, size))
         return;
-    n2s(data, type);
-    n2s(data, size);
 
     if (type != TLSEXT_TYPE_server_name)
         return;
 
-    if (data + size > d + n)
-        return;
-    data += size;
-
     if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
         const size_t len1 = sizeof(kSafariExtensionsBlock);
         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
 
-        if (data + len1 + len2 != d + n)
+        if (!PACKET_get_bytes(&tmppkt, &eblock1, len1)
+                || !PACKET_get_bytes(&tmppkt, &eblock2, len2)
+                || PACKET_remaining(&tmppkt))
             return;
-        if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+        if (memcmp(eblock1, kSafariExtensionsBlock, len1) != 0)
             return;
-        if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
+        if (memcmp(eblock2, kSafariTLS12ExtensionsBlock, len2) != 0)
             return;
     } else {
         const size_t len = sizeof(kSafariExtensionsBlock);
 
-        if (data + len != d + n)
+        if (!PACKET_get_bytes(&tmppkt, &eblock1, len)
+                || PACKET_remaining(&tmppkt))
             return;
-        if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+        if (memcmp(eblock1, kSafariExtensionsBlock, len) != 0)
             return;
     }
 
     s->s3->is_probably_safari = 1;
 }
-# endif                         /* !OPENSSL_NO_EC */
+#endif                         /* !OPENSSL_NO_EC */
 
-static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
-                                       unsigned char *d, int n, int *al)
+static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
 {
-    unsigned short type;
-    unsigned short size;
-    unsigned short len;
-    unsigned char *data = *p;
+    unsigned int type;
+    unsigned int size;
+    unsigned int len;
+    const unsigned char *data;
     int renegotiate_seen = 0;
 
     s->servername_done = 0;
     s->tlsext_status_type = -1;
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     s->s3->next_proto_neg_seen = 0;
-# endif
+#endif
 
-    if (s->s3->alpn_selected) {
-        OPENSSL_free(s->s3->alpn_selected);
-        s->s3->alpn_selected = NULL;
-    }
-# ifndef OPENSSL_NO_HEARTBEATS
-    s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
-                             SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
-# endif
+    OPENSSL_free(s->s3->alpn_selected);
+    s->s3->alpn_selected = NULL;
+#ifndef OPENSSL_NO_HEARTBEATS
+    s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
+                             SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
+#endif
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-        ssl_check_for_safari(s, data, d, n);
-# endif                         /* !OPENSSL_NO_EC */
+        ssl_check_for_safari(s, pkt);
+# endif /* !OPENSSL_NO_EC */
 
     /* Clear any signature algorithms extension received */
-    if (s->cert->peer_sigalgs) {
-        OPENSSL_free(s->cert->peer_sigalgs);
-        s->cert->peer_sigalgs = NULL;
-    }
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+    OPENSSL_free(s->s3->tmp.peer_sigalgs);
+    s->s3->tmp.peer_sigalgs = NULL;
+#ifdef TLSEXT_TYPE_encrypt_then_mac
     s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
-# endif
+#endif
 
-# ifndef OPENSSL_NO_SRP
-    if (s->srp_ctx.login != NULL) {
-        OPENSSL_free(s->srp_ctx.login);
-        s->srp_ctx.login = NULL;
-    }
-# endif
+#ifndef OPENSSL_NO_SRP
+    OPENSSL_free(s->srp_ctx.login);
+    s->srp_ctx.login = NULL;
+#endif
 
     s->srtp_profile = NULL;
 
-    if (data >= (d + n - 2))
+    if (PACKET_remaining(pkt) == 0)
         goto ri_check;
-    n2s(data, len);
 
-    if (data > (d + n - len))
-        goto ri_check;
+    if (!PACKET_get_net_2(pkt, &len))
+        goto err;
 
-    while (data <= (d + n - 4)) {
-        n2s(data, type);
-        n2s(data, size);
+    if (PACKET_remaining(pkt) != len)
+        goto err;
+
+    while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
+        PACKET subpkt;
+
+        if (!PACKET_peek_bytes(pkt, &data, size))
+            goto err;
 
-        if (data + size > (d + n))
-            goto ri_check;
         if (s->tlsext_debug_cb)
             s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
+
+        if (!PACKET_get_sub_packet(pkt, &subpkt, size))
+            goto err;
+
         if (type == TLSEXT_TYPE_renegotiate) {
-            if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
+            if (!ssl_parse_clienthello_renegotiate_ext(s, &subpkt, al))
                 return 0;
             renegotiate_seen = 1;
         } else if (s->version == SSL3_VERSION) {
@@ -1957,39 +1956,28 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
  */
 
         else if (type == TLSEXT_TYPE_server_name) {
-            unsigned char *sdata;
-            int servname_type;
-            int dsize;
+            const unsigned char *sdata;
+            unsigned int servname_type;
+            unsigned int dsize;
+            PACKET ssubpkt;
 
-            if (size < 2) {
-                *al = SSL_AD_DECODE_ERROR;
-                return 0;
-            }
-            n2s(data, dsize);
-            size -= 2;
-            if (dsize > size) {
-                *al = SSL_AD_DECODE_ERROR;
-                return 0;
-            }
+            if (!PACKET_get_net_2(&subpkt, &dsize)
+                    || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
+                goto err;
 
-            sdata = data;
-            while (dsize > 3) {
-                servname_type = *(sdata++);
-                n2s(sdata, len);
-                dsize -= 3;
+            while (PACKET_remaining(&ssubpkt) > 3) {
+                if (!PACKET_get_1(&ssubpkt, &servname_type)
+                        || !PACKET_get_net_2(&ssubpkt, &len)
+                        || PACKET_remaining(&ssubpkt) < len)
+                    goto err;
 
-                if (len > dsize) {
-                    *al = SSL_AD_DECODE_ERROR;
-                    return 0;
-                }
                 if (s->servername_done == 0)
                     switch (servname_type) {
                     case TLSEXT_NAMETYPE_host_name:
                         if (!s->hit) {
-                            if (s->session->tlsext_hostname) {
-                                *al = SSL_AD_DECODE_ERROR;
-                                return 0;
-                            }
+                            if (s->session->tlsext_hostname)
+                                goto err;
+
                             if (len > TLSEXT_MAXLEN_host_name) {
                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
                                 return 0;
@@ -1999,7 +1987,13 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                                 *al = TLS1_AD_INTERNAL_ERROR;
                                 return 0;
                             }
-                            memcpy(s->session->tlsext_hostname, sdata, len);
+                            if (!PACKET_copy_bytes(&ssubpkt,
+                                    (unsigned char *)s->session
+                                        ->tlsext_hostname,
+                                    len)) {
+                                *al = SSL_AD_DECODE_ERROR;
+                                return 0;
+                            }
                             s->session->tlsext_hostname[len] = '\0';
                             if (strlen(s->session->tlsext_hostname) != len) {
                                 OPENSSL_free(s->session->tlsext_hostname);
@@ -2009,63 +2003,58 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                             }
                             s->servername_done = 1;
 
-                        } else
+                        } else {
+                            if (!PACKET_get_bytes(&ssubpkt, &sdata, len)) {
+                                *al = SSL_AD_DECODE_ERROR;
+                                return 0;
+                            }
                             s->servername_done = s->session->tlsext_hostname
                                 && strlen(s->session->tlsext_hostname) == len
                                 && strncmp(s->session->tlsext_hostname,
                                            (char *)sdata, len) == 0;
+                        }
 
                         break;
 
                     default:
                         break;
                     }
-
-                dsize -= len;
-            }
-            if (dsize != 0) {
-                *al = SSL_AD_DECODE_ERROR;
-                return 0;
             }
+            /* We shouldn't have any bytes left */
+            if (PACKET_remaining(&ssubpkt) != 0)
+                goto err;
 
         }
-# ifndef OPENSSL_NO_SRP
+#ifndef OPENSSL_NO_SRP
         else if (type == TLSEXT_TYPE_srp) {
-            if (size <= 0 || ((len = data[0])) != (size - 1)) {
-                *al = SSL_AD_DECODE_ERROR;
-                return 0;
-            }
-            if (s->srp_ctx.login != NULL) {
-                *al = SSL_AD_DECODE_ERROR;
-                return 0;
-            }
+            if (!PACKET_get_1(&subpkt, &len)
+                    || s->srp_ctx.login != NULL)
+                goto err;
+
             if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
                 return -1;
-            memcpy(s->srp_ctx.login, &data[1], len);
+            if (!PACKET_copy_bytes(&subpkt, (unsigned char *)s->srp_ctx.login,
+                                   len))
+                goto err;
             s->srp_ctx.login[len] = '\0';
 
-            if (strlen(s->srp_ctx.login) != len) {
-                *al = SSL_AD_DECODE_ERROR;
-                return 0;
-            }
+            if (strlen(s->srp_ctx.login) != len
+                    || PACKET_remaining(&subpkt))
+                goto err;
         }
-# endif
+#endif
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
         else if (type == TLSEXT_TYPE_ec_point_formats) {
-            unsigned char *sdata = data;
-            int ecpointformatlist_length = *(sdata++);
+            unsigned int ecpointformatlist_length;
+
+            if (!PACKET_get_1(&subpkt, &ecpointformatlist_length)
+                    || ecpointformatlist_length == 0)
+                goto err;
 
-            if (ecpointformatlist_length != size - 1 ||
-                ecpointformatlist_length < 1) {
-                *al = TLS1_AD_DECODE_ERROR;
-                return 0;
-            }
             if (!s->hit) {
-                if (s->session->tlsext_ecpointformatlist) {
-                    OPENSSL_free(s->session->tlsext_ecpointformatlist);
-                    s->session->tlsext_ecpointformatlist = NULL;
-                }
+                OPENSSL_free(s->session->tlsext_ecpointformatlist);
+                s->session->tlsext_ecpointformatlist = NULL;
                 s->session->tlsext_ecpointformatlist_length = 0;
                 if ((s->session->tlsext_ecpointformatlist =
                      OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
@@ -2074,26 +2063,31 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                 }
                 s->session->tlsext_ecpointformatlist_length =
                     ecpointformatlist_length;
-                memcpy(s->session->tlsext_ecpointformatlist, sdata,
-                       ecpointformatlist_length);
+                if (!PACKET_copy_bytes(&subpkt,
+                        s->session->tlsext_ecpointformatlist,
+                        ecpointformatlist_length))
+                    goto err;
+            } else if (!PACKET_forward(&subpkt, ecpointformatlist_length)) {
+                goto err;
             }
-        } else if (type == TLSEXT_TYPE_elliptic_curves) {
-            unsigned char *sdata = data;
-            int ellipticcurvelist_length = (*(sdata++) << 8);
-            ellipticcurvelist_length += (*(sdata++));
-
-            if (ellipticcurvelist_length != size - 2 ||
-                ellipticcurvelist_length < 1 ||
-                /* Each NamedCurve is 2 bytes. */
-                ellipticcurvelist_length & 1) {
+            /* We should have consumed all the bytes by now */
+            if (PACKET_remaining(&subpkt)) {
                 *al = TLS1_AD_DECODE_ERROR;
                 return 0;
             }
+        } else if (type == TLSEXT_TYPE_elliptic_curves) {
+            unsigned int ellipticcurvelist_length;
+
+            /* Each NamedCurve is 2 bytes and we must have at least 1 */
+            if (!PACKET_get_net_2(&subpkt, &ellipticcurvelist_length)
+                    || ellipticcurvelist_length == 0
+                    || (ellipticcurvelist_length & 1) != 0)
+                goto err;
+
             if (!s->hit) {
-                if (s->session->tlsext_ellipticcurvelist) {
-                    *al = TLS1_AD_DECODE_ERROR;
-                    return 0;
-                }
+                if (s->session->tlsext_ellipticcurvelist)
+                    goto err;
+
                 s->session->tlsext_ellipticcurvelist_length = 0;
                 if ((s->session->tlsext_ellipticcurvelist =
                      OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
@@ -2102,79 +2096,71 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                 }
                 s->session->tlsext_ellipticcurvelist_length =
                     ellipticcurvelist_length;
-                memcpy(s->session->tlsext_ellipticcurvelist, sdata,
-                       ellipticcurvelist_length);
+                if (!PACKET_copy_bytes(&subpkt,
+                        s->session->tlsext_ellipticcurvelist,
+                        ellipticcurvelist_length))
+                    goto err;
+            } else if (!PACKET_forward(&subpkt, ellipticcurvelist_length)) {
+                goto err;
+            }
+            /* We should have consumed all the bytes by now */
+            if (PACKET_remaining(&subpkt)) {
+                goto err;
             }
         }
-# endif                         /* OPENSSL_NO_EC */
+#endif                         /* OPENSSL_NO_EC */
         else if (type == TLSEXT_TYPE_session_ticket) {
-            if (s->tls_session_ticket_ext_cb &&
-                !s->tls_session_ticket_ext_cb(s, data, size,
-                                              s->tls_session_ticket_ext_cb_arg))
-            {
+            if (!PACKET_forward(&subpkt, size)
+                || (s->tls_session_ticket_ext_cb &&
+                    !s->tls_session_ticket_ext_cb(s, data, size,
+                                        s->tls_session_ticket_ext_cb_arg))) {
                 *al = TLS1_AD_INTERNAL_ERROR;
                 return 0;
             }
         } else if (type == TLSEXT_TYPE_signature_algorithms) {
-            int dsize;
-            if (s->cert->peer_sigalgs || size < 2) {
-                *al = SSL_AD_DECODE_ERROR;
-                return 0;
-            }
-            n2s(data, dsize);
-            size -= 2;
-            if (dsize != size || dsize & 1 || !dsize) {
-                *al = SSL_AD_DECODE_ERROR;
-                return 0;
-            }
-            if (!tls1_save_sigalgs(s, data, dsize)) {
-                *al = SSL_AD_DECODE_ERROR;
-                return 0;
+            unsigned int dsize;
+
+            if (s->s3->tmp.peer_sigalgs
+                    || !PACKET_get_net_2(&subpkt, &dsize)
+                    || (dsize & 1) != 0
+                    || (dsize == 0)
+                    || !PACKET_get_bytes(&subpkt, &data, dsize)
+                    || PACKET_remaining(&subpkt) != 0
+                    || !tls1_save_sigalgs(s, data, dsize)) {
+                goto err;
             }
         } else if (type == TLSEXT_TYPE_status_request) {
+            PACKET ssubpkt;
 
-            if (size < 5) {
-                *al = SSL_AD_DECODE_ERROR;
-                return 0;
-            }
+            if (!PACKET_get_1(&subpkt,
+                              (unsigned int *)&s->tlsext_status_type))
+                goto err;
 
-            s->tlsext_status_type = *data++;
-            size--;
             if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
                 const unsigned char *sdata;
-                int dsize;
+                unsigned int dsize;
                 /* Read in responder_id_list */
-                n2s(data, dsize);
-                size -= 2;
-                if (dsize > size) {
-                    *al = SSL_AD_DECODE_ERROR;
-                    return 0;
-                }
-                while (dsize > 0) {
+                if (!PACKET_get_net_2(&subpkt, &dsize)
+                        || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
+                    goto err;
+
+                while (PACKET_remaining(&ssubpkt)) {
                     OCSP_RESPID *id;
-                    int idsize;
-                    if (dsize < 4) {
-                        *al = SSL_AD_DECODE_ERROR;
-                        return 0;
-                    }
-                    n2s(data, idsize);
-                    dsize -= 2 + idsize;
-                    size -= 2 + idsize;
-                    if (dsize < 0) {
-                        *al = SSL_AD_DECODE_ERROR;
-                        return 0;
+                    unsigned int idsize;
+
+                    if (PACKET_remaining(&ssubpkt) < 4
+                            || !PACKET_get_net_2(&ssubpkt, &idsize)
+                            || !PACKET_get_bytes(&ssubpkt, &data, idsize)) {
+                        goto err;
                     }
                     sdata = data;
                     data += idsize;
                     id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
-                    if (!id) {
-                        *al = SSL_AD_DECODE_ERROR;
-                        return 0;
-                    }
+                    if (!id)
+                        goto err;
                     if (data != sdata) {
                         OCSP_RESPID_free(id);
-                        *al = SSL_AD_DECODE_ERROR;
-                        return 0;
+                        goto err;
                     }
                     if (!s->tlsext_ocsp_ids
                         && !(s->tlsext_ocsp_ids =
@@ -2191,29 +2177,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                 }
 
                 /* Read in request_extensions */
-                if (size < 2) {
-                    *al = SSL_AD_DECODE_ERROR;
-                    return 0;
-                }
-                n2s(data, dsize);
-                size -= 2;
-                if (dsize != size) {
-                    *al = SSL_AD_DECODE_ERROR;
-                    return 0;
+                if (!PACKET_get_net_2(&subpkt, &dsize)
+                        || !PACKET_get_bytes(&subpkt, &data, dsize)
+                        || PACKET_remaining(&subpkt)) {
+                    goto err;
                 }
                 sdata = data;
                 if (dsize > 0) {
-                    if (s->tlsext_ocsp_exts) {
-                        sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
-                                                   X509_EXTENSION_free);
-                    }
-
+                    sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
+                                               X509_EXTENSION_free);
                     s->tlsext_ocsp_exts =
                         d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
-                    if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) {
-                        *al = SSL_AD_DECODE_ERROR;
-                        return 0;
-                    }
+                    if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
+                        goto err;
                 }
             }
             /*
@@ -2222,23 +2198,30 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
             else
                 s->tlsext_status_type = -1;
         }
-# ifndef OPENSSL_NO_HEARTBEATS
-        else if (type == TLSEXT_TYPE_heartbeat) {
-            switch (data[0]) {
+#ifndef OPENSSL_NO_HEARTBEATS
+        else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
+            unsigned int hbtype;
+
+            if (!PACKET_get_1(&subpkt, &hbtype)
+                    || PACKET_remaining(&subpkt)) {
+                *al = SSL_AD_DECODE_ERROR;
+                return 0;
+            }
+            switch (hbtype) {
             case 0x01:         /* Client allows us to send HB requests */
-                s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
+                s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
                 break;
             case 0x02:         /* Client doesn't accept HB requests */
-                s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-                s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
+                s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
+                s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
                 break;
             default:
                 *al = SSL_AD_ILLEGAL_PARAMETER;
                 return 0;
             }
         }
-# endif
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#endif
+#ifndef OPENSSL_NO_NEXTPROTONEG
         else if (type == TLSEXT_TYPE_next_proto_neg &&
                  s->s3->tmp.finish_md_len == 0 &&
                  s->s3->alpn_selected == NULL) {
@@ -2261,34 +2244,35 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
              */
             s->s3->next_proto_neg_seen = 1;
         }
-# endif
+#endif
 
         else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
                  s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
-            if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
+            if (tls1_alpn_handle_client_hello(s, &subpkt, al) != 0)
                 return 0;
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
             /* ALPN takes precedence over NPN. */
             s->s3->next_proto_neg_seen = 0;
-# endif
+#endif
         }
 
         /* session ticket processed earlier */
-# ifndef OPENSSL_NO_SRTP
+#ifndef OPENSSL_NO_SRTP
         else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
                  && type == TLSEXT_TYPE_use_srtp) {
-            if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
+            if (ssl_parse_clienthello_use_srtp_ext(s, &subpkt, al))
                 return 0;
         }
-# endif
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+#endif
+#ifdef TLSEXT_TYPE_encrypt_then_mac
         else if (type == TLSEXT_TYPE_encrypt_then_mac)
             s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
-# endif
-        else if (type == TLSEXT_TYPE_extended_master_secret) {
-            if (!s->hit)
-                s->session->flags |= SSL_SESS_FLAG_EXTMS;
-        }
+#endif
+        /*
+         * Note: extended master secret extension handled in
+         * tls_check_serverhello_tlsext_early()
+         */
+
         /*
          * If this ClientHello extension was unhandled and this is a
          * nonresumed connection, check whether the extension is a custom
@@ -2300,11 +2284,11 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
             if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
                 return 0;
         }
-
-        data += size;
     }
 
-    *p = data;
+    /* Spurious data on the end */
+    if (PACKET_remaining(pkt) != 0)
+        goto err;
 
  ri_check:
 
@@ -2319,14 +2303,16 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
     }
 
     return 1;
+err:
+    *al = SSL_AD_DECODE_ERROR;
+    return 0;
 }
 
-int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
-                                 int n)
+int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
 {
     int al = -1;
     custom_ext_init(&s->cert->srv_ext);
-    if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) {
+    if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
         return 0;
     }
@@ -2338,76 +2324,71 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
     return 1;
 }
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
 /*
  * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
  * elements of zero length are allowed and the set of elements must exactly
  * fill the length of the block.
  */
-static char ssl_next_proto_validate(unsigned char *d, unsigned len)
+static char ssl_next_proto_validate(PACKET *pkt)
 {
-    unsigned int off = 0;
+    unsigned int len;
 
-    while (off < len) {
-        if (d[off] == 0)
+    while (PACKET_remaining(pkt)) {
+        if (!PACKET_get_1(pkt, &len)
+                || !PACKET_forward(pkt, len))
             return 0;
-        off += d[off];
-        off++;
     }
 
-    return off == len;
+    return 1;
 }
-# endif
+#endif
 
-static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
-                                       unsigned char *d, int n, int *al)
+static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
 {
-    unsigned short length;
-    unsigned short type;
-    unsigned short size;
-    unsigned char *data = *p;
+    unsigned int length, type, size;
     int tlsext_servername = 0;
     int renegotiate_seen = 0;
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     s->s3->next_proto_neg_seen = 0;
-# endif
+#endif
     s->tlsext_ticket_expected = 0;
 
-    if (s->s3->alpn_selected) {
-        OPENSSL_free(s->s3->alpn_selected);
-        s->s3->alpn_selected = NULL;
-    }
-# ifndef OPENSSL_NO_HEARTBEATS
-    s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
-                             SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
-# endif
+    OPENSSL_free(s->s3->alpn_selected);
+    s->s3->alpn_selected = NULL;
+#ifndef OPENSSL_NO_HEARTBEATS
+    s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
+                             SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
+#endif
 
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+#ifdef TLSEXT_TYPE_encrypt_then_mac
     s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
-# endif
+#endif
 
-    if (data >= (d + n - 2))
+    s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+
+    if (!PACKET_get_net_2(pkt, &length))
         goto ri_check;
 
-    n2s(data, length);
-    if (data + length != d + n) {
+    if (PACKET_remaining(pkt) != length) {
         *al = SSL_AD_DECODE_ERROR;
         return 0;
     }
 
-    while (data <= (d + n - 4)) {
-        n2s(data, type);
-        n2s(data, size);
+    while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
+        const unsigned char *data;
+        PACKET spkt;
 
-        if (data + size > (d + n))
+        if (!PACKET_get_sub_packet(pkt, &spkt, size)
+                ||  !PACKET_peek_bytes(&spkt, &data, size))
             goto ri_check;
 
         if (s->tlsext_debug_cb)
             s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
 
         if (type == TLSEXT_TYPE_renegotiate) {
-            if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
+            if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
                 return 0;
             renegotiate_seen = 1;
         } else if (s->version == SSL3_VERSION) {
@@ -2418,19 +2399,17 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
             }
             tlsext_servername = 1;
         }
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
         else if (type == TLSEXT_TYPE_ec_point_formats) {
-            unsigned char *sdata = data;
-            int ecpointformatlist_length = *(sdata++);
-
-            if (ecpointformatlist_length != size - 1) {
+            unsigned int ecpointformatlist_length;
+            if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
+                    || ecpointformatlist_length != size - 1) {
                 *al = TLS1_AD_DECODE_ERROR;
                 return 0;
             }
             if (!s->hit) {
                 s->session->tlsext_ecpointformatlist_length = 0;
-                if (s->session->tlsext_ecpointformatlist != NULL)
-                    OPENSSL_free(s->session->tlsext_ecpointformatlist);
+                OPENSSL_free(s->session->tlsext_ecpointformatlist);
                 if ((s->session->tlsext_ecpointformatlist =
                      OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
                     *al = TLS1_AD_INTERNAL_ERROR;
@@ -2438,11 +2417,16 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
                 }
                 s->session->tlsext_ecpointformatlist_length =
                     ecpointformatlist_length;
-                memcpy(s->session->tlsext_ecpointformatlist, sdata,
-                       ecpointformatlist_length);
+                if (!PACKET_copy_bytes(&spkt,
+                                       s->session->tlsext_ecpointformatlist,
+                                       ecpointformatlist_length)) {
+                    *al = TLS1_AD_DECODE_ERROR;
+                    return 0;
+                }
+
             }
         }
-# endif                         /* OPENSSL_NO_EC */
+#endif                         /* OPENSSL_NO_EC */
 
         else if (type == TLSEXT_TYPE_session_ticket) {
             if (s->tls_session_ticket_ext_cb &&
@@ -2470,19 +2454,18 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
             /* Set flag to expect CertificateStatus message */
             s->tlsext_status_expected = 1;
         }
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
         else if (type == TLSEXT_TYPE_next_proto_neg &&
                  s->s3->tmp.finish_md_len == 0) {
             unsigned char *selected;
             unsigned char selected_len;
-
             /* We must have requested it. */
             if (s->ctx->next_proto_select_cb == NULL) {
                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
                 return 0;
             }
             /* The data must be valid */
-            if (!ssl_next_proto_validate(data, size)) {
+            if (!ssl_next_proto_validate(&spkt)) {
                 *al = TLS1_AD_DECODE_ERROR;
                 return 0;
             }
@@ -2495,7 +2478,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
                 return 0;
             }
             s->next_proto_negotiated = OPENSSL_malloc(selected_len);
-            if (!s->next_proto_negotiated) {
+            if (s->next_proto_negotiated == NULL) {
                 *al = TLS1_AD_INTERNAL_ERROR;
                 return 0;
             }
@@ -2503,79 +2486,77 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
             s->next_proto_negotiated_len = selected_len;
             s->s3->next_proto_neg_seen = 1;
         }
-# endif
+#endif
 
         else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
             unsigned len;
-
             /* We must have requested it. */
             if (s->alpn_client_proto_list == NULL) {
                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
                 return 0;
             }
-            if (size < 4) {
-                *al = TLS1_AD_DECODE_ERROR;
-                return 0;
-            }
             /*-
              * The extension data consists of:
              *   uint16 list_length
              *   uint8 proto_length;
              *   uint8 proto[proto_length];
              */
-            len = data[0];
-            len <<= 8;
-            len |= data[1];
-            if (len != (unsigned)size - 2) {
-                *al = TLS1_AD_DECODE_ERROR;
-                return 0;
-            }
-            len = data[2];
-            if (len != (unsigned)size - 3) {
+            if (!PACKET_get_net_2(&spkt, &len)
+                    || PACKET_remaining(&spkt) != len
+                    || !PACKET_get_1(&spkt, &len)
+                    || PACKET_remaining(&spkt) != len) {
                 *al = TLS1_AD_DECODE_ERROR;
                 return 0;
             }
-            if (s->s3->alpn_selected)
-                OPENSSL_free(s->s3->alpn_selected);
+            OPENSSL_free(s->s3->alpn_selected);
             s->s3->alpn_selected = OPENSSL_malloc(len);
-            if (!s->s3->alpn_selected) {
+            if (s->s3->alpn_selected == NULL) {
                 *al = TLS1_AD_INTERNAL_ERROR;
                 return 0;
             }
-            memcpy(s->s3->alpn_selected, data + 3, len);
+            if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
+                *al = TLS1_AD_DECODE_ERROR;
+                return 0;
+            }
             s->s3->alpn_selected_len = len;
         }
-# ifndef OPENSSL_NO_HEARTBEATS
-        else if (type == TLSEXT_TYPE_heartbeat) {
-            switch (data[0]) {
+#ifndef OPENSSL_NO_HEARTBEATS
+        else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
+            unsigned int hbtype;
+            if (!PACKET_get_1(&spkt, &hbtype)) {
+                *al = SSL_AD_DECODE_ERROR;
+                return 0;
+            }
+            switch (hbtype) {
             case 0x01:         /* Server allows us to send HB requests */
-                s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
+                s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
                 break;
             case 0x02:         /* Server doesn't accept HB requests */
-                s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-                s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
+                s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED;
+                s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
                 break;
             default:
                 *al = SSL_AD_ILLEGAL_PARAMETER;
                 return 0;
             }
         }
-# endif
-# ifndef OPENSSL_NO_SRTP
+#endif
+#ifndef OPENSSL_NO_SRTP
         else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
-            if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
+            if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
                 return 0;
         }
-# endif
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+#endif
+#ifdef TLSEXT_TYPE_encrypt_then_mac
         else if (type == TLSEXT_TYPE_encrypt_then_mac) {
             /* Ignore if inappropriate ciphersuite */
             if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
                 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
                 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
         }
-# endif
+#endif
         else if (type == TLSEXT_TYPE_extended_master_secret) {
+            s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
             if (!s->hit)
                 s->session->flags |= SSL_SESS_FLAG_EXTMS;
         }
@@ -2585,11 +2566,9 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
          */
         else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
             return 0;
-
-        data += size;
     }
 
-    if (data != d + n) {
+    if (PACKET_remaining(pkt) != 0) {
         *al = SSL_AD_DECODE_ERROR;
         return 0;
     }
@@ -2597,7 +2576,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
     if (!s->hit && tlsext_servername == 1) {
         if (s->tlsext_hostname) {
             if (s->session->tlsext_hostname == NULL) {
-                s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
+                s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
                 if (!s->session->tlsext_hostname) {
                     *al = SSL_AD_UNRECOGNIZED_NAME;
                     return 0;
@@ -2609,8 +2588,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
         }
     }
 
-    *p = data;
-
  ri_check:
 
     /*
@@ -2629,6 +2606,19 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
         return 0;
     }
 
+    if (s->hit) {
+        /*
+         * Check extended master secret extension is consistent with
+         * original session.
+         */
+        if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
+            !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
+            *al = SSL_AD_HANDSHAKE_FAILURE;
+            SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
+            return 0;
+            }
+    }
+
     return 1;
 }
 
@@ -2648,7 +2638,7 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
     int ret = SSL_TLSEXT_ERR_NOACK;
     int al = SSL_AD_UNRECOGNIZED_NAME;
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     /*
      * The handling of the ECPointFormats extension is done elsewhere, namely
      * in ssl3_choose_cipher in s3_lib.c.
@@ -2657,7 +2647,7 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
      * The handling of the EllipticCurves extension is done elsewhere, namely
      * in ssl3_choose_cipher in s3_lib.c.
      */
-# endif
+#endif
 
     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
         ret =
@@ -2685,24 +2675,46 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
         return 1;
     }
 }
+/* Initialise digests to default values */
+void ssl_set_default_md(SSL *s)
+{
+    const EVP_MD **pmd = s->s3->tmp.md;
+#ifndef OPENSSL_NO_DSA
+    pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
+#endif
+#ifndef OPENSSL_NO_RSA
+    if (SSL_USE_SIGALGS(s))
+        pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
+    else
+        pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
+    pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
+#endif
+#ifndef OPENSSL_NO_EC
+    pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
+#endif
+#ifndef OPENSSL_NO_GOST
+    pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
+    pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
+    pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
+#endif
+}
 
 int tls1_set_server_sigalgs(SSL *s)
 {
     int al;
     size_t i;
     /* Clear any shared sigtnature algorithms */
-    if (s->cert->shared_sigalgs) {
-        OPENSSL_free(s->cert->shared_sigalgs);
-        s->cert->shared_sigalgs = NULL;
-    }
+    OPENSSL_free(s->cert->shared_sigalgs);
+    s->cert->shared_sigalgs = NULL;
+    s->cert->shared_sigalgslen = 0;
     /* Clear certificate digests and validity flags */
     for (i = 0; i < SSL_PKEY_NUM; i++) {
-        s->cert->pkeys[i].digest = NULL;
-        s->cert->pkeys[i].valid_flags = 0;
+        s->s3->tmp.md[i] = NULL;
+        s->s3->tmp.valid_flags[i] = 0;
     }
 
     /* If sigalgs received process it. */
-    if (s->cert->peer_sigalgs) {
+    if (s->s3->tmp.peer_sigalgs) {
         if (!tls1_process_sigalgs(s)) {
             SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
             al = SSL_AD_INTERNAL_ERROR;
@@ -2715,8 +2727,9 @@ int tls1_set_server_sigalgs(SSL *s)
             al = SSL_AD_ILLEGAL_PARAMETER;
             goto err;
         }
-    } else
-        ssl_cert_set_default_md(s->cert);
+    } else {
+        ssl_set_default_md(s);
+    }
     return 1;
  err:
     ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -2726,7 +2739,7 @@ int tls1_set_server_sigalgs(SSL *s)
 int ssl_check_clienthello_tlsext_late(SSL *s)
 {
     int ret = SSL_TLSEXT_ERR_OK;
-    int al;
+    int al = SSL_AD_INTERNAL_ERROR;
 
     /*
      * If status request then ask callback what to do. Note: this must be
@@ -2790,7 +2803,7 @@ int ssl_check_serverhello_tlsext(SSL *s)
     int ret = SSL_TLSEXT_ERR_NOACK;
     int al = SSL_AD_UNRECOGNIZED_NAME;
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     /*
      * If we are client and using an elliptic curve cryptography cipher
      * suite, then if server returns an EC point formats lists extension it
@@ -2822,7 +2835,7 @@ int ssl_check_serverhello_tlsext(SSL *s)
         }
     }
     ret = SSL_TLSEXT_ERR_OK;
-# endif                         /* OPENSSL_NO_EC */
+#endif                         /* OPENSSL_NO_EC */
 
     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
         ret =
@@ -2836,31 +2849,12 @@ int ssl_check_serverhello_tlsext(SSL *s)
                                                        initial_ctx->tlsext_servername_arg);
 
     /*
-     * If we've requested certificate status and we wont get one tell the
-     * callback
+     * Ensure we get sensible values passed to tlsext_status_cb in the event
+     * that we don't receive a status message
      */
-    if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
-        && s->ctx && s->ctx->tlsext_status_cb) {
-        int r;
-        /*
-         * Set resp to NULL, resplen to -1 so callback knows there is no
-         * response.
-         */
-        if (s->tlsext_ocsp_resp) {
-            OPENSSL_free(s->tlsext_ocsp_resp);
-            s->tlsext_ocsp_resp = NULL;
-        }
-        s->tlsext_ocsp_resplen = -1;
-        r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
-        if (r == 0) {
-            al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
-            ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-        }
-        if (r < 0) {
-            al = SSL_AD_INTERNAL_ERROR;
-            ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-        }
-    }
+    OPENSSL_free(s->tlsext_ocsp_resp);
+    s->tlsext_ocsp_resp = NULL;
+    s->tlsext_ocsp_resplen = -1;
 
     switch (ret) {
     case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -2878,13 +2872,12 @@ int ssl_check_serverhello_tlsext(SSL *s)
     }
 }
 
-int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
-                                 int n)
+int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
 {
     int al = -1;
     if (s->version < SSL3_VERSION)
         return 1;
-    if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) {
+    if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
         return 0;
     }
@@ -2898,14 +2891,14 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 
 /*-
  * Since the server cache lookup is done early on in the processing of the
- * ClientHello, and other operations depend on the result, we need to handle
- * any TLS session ticket extension at the same time.
+ * ClientHello and other operations depend on the result some extensions
+ * need to be handled at the same time.
+ *
+ * Two extensions are currently handled, session ticket and extended master
+ * secret.
  *
- *   session_id: points at the session ID in the ClientHello. This code will
- *       read past the end of this in order to parse out the session ticket
- *       extension, if any.
- *   len: the length of the session ID.
- *   limit: a pointer to the first byte after the ClientHello.
+ *   session_id: ClientHello session ID.
+ *   ext: ClientHello extensions (including length prefix)
  *   ret: (output) on return, if a ticket was decrypted, then this is set to
  *       point to the resulting session.
  *
@@ -2929,63 +2922,68 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
  *   a session ticket or we couldn't use the one it gave us, or if
  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
  *   Otherwise, s->tlsext_ticket_expected is set to 0.
+ *
+ *   For extended master secret flag is set if the extension is present.
+ *
  */
-int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-                        const unsigned char *limit, SSL_SESSION **ret)
+int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
+                                       const PACKET *session_id,
+                                       SSL_SESSION **ret)
 {
-    /* Point after session ID in client hello */
-    const unsigned char *p = session_id + len;
-    unsigned short i;
+    unsigned int i;
+    PACKET local_ext = *ext;
+    int retv = -1;
+
+    int have_ticket = 0;
+    int use_ticket = tls_use_ticket(s);
 
     *ret = NULL;
     s->tlsext_ticket_expected = 0;
+    s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
 
     /*
      * If tickets disabled behave as if no ticket present to permit stateful
      * resumption.
      */
-    if (!tls_use_ticket(s))
+    if ((s->version <= SSL3_VERSION))
         return 0;
-    if ((s->version <= SSL3_VERSION) || !limit)
-        return 0;
-    if (p >= limit)
-        return -1;
-    /* Skip past DTLS cookie */
-    if (SSL_IS_DTLS(s)) {
-        i = *(p++);
-        p += i;
-        if (p >= limit)
-            return -1;
+
+    if (!PACKET_get_net_2(&local_ext, &i)) {
+        retv = 0;
+        goto end;
     }
-    /* Skip past cipher list */
-    n2s(p, i);
-    p += i;
-    if (p >= limit)
-        return -1;
-    /* Skip past compression algorithm list */
-    i = *(p++);
-    p += i;
-    if (p > limit)
-        return -1;
-    /* Now at start of extensions */
-    if ((p + 2) >= limit)
-        return 0;
-    n2s(p, i);
-    while ((p + 4) <= limit) {
-        unsigned short type, size;
-        n2s(p, type);
-        n2s(p, size);
-        if (p + size > limit)
-            return 0;
-        if (type == TLSEXT_TYPE_session_ticket) {
+    while (PACKET_remaining(&local_ext) >= 4) {
+        unsigned int type, size;
+
+        if (!PACKET_get_net_2(&local_ext, &type)
+                || !PACKET_get_net_2(&local_ext, &size)) {
+            /* Shouldn't ever happen */
+            retv = -1;
+            goto end;
+        }
+        if (PACKET_remaining(&local_ext) < size) {
+            retv = 0;
+            goto end;
+        }
+        if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
             int r;
+            const unsigned char *etick;
+
+            /* Duplicate extension */
+            if (have_ticket != 0) {
+                retv = -1;
+                goto end;
+            }
+            have_ticket = 1;
+
             if (size == 0) {
                 /*
                  * The client will accept a ticket but doesn't currently have
                  * one.
                  */
                 s->tlsext_ticket_expected = 1;
-                return 1;
+                retv = 1;
+                continue;
             }
             if (s->tls_session_secret_cb) {
                 /*
@@ -2994,25 +2992,46 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
                  * abbreviated handshake based on external mechanism to
                  * calculate the master secret later.
                  */
-                return 2;
+                retv = 2;
+                continue;
+            }
+            if (!PACKET_get_bytes(&local_ext, &etick, size)) {
+                /* Shouldn't ever happen */
+                retv = -1;
+                goto end;
             }
-            r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
+            r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
+                                   PACKET_remaining(session_id), ret);
             switch (r) {
             case 2:            /* ticket couldn't be decrypted */
                 s->tlsext_ticket_expected = 1;
-                return 2;
+                retv = 2;
+                break;
             case 3:            /* ticket was decrypted */
-                return r;
+                retv = r;
+                break;
             case 4:            /* ticket decrypted but need to renew */
                 s->tlsext_ticket_expected = 1;
-                return 3;
+                retv = 3;
+                break;
             default:           /* fatal error */
-                return -1;
+                retv = -1;
+                break;
+            }
+            continue;
+        } else {
+            if (type == TLSEXT_TYPE_extended_master_secret)
+                s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
+            if (!PACKET_forward(&local_ext, size)) {
+                retv = -1;
+                goto end;
             }
         }
-        p += size;
     }
-    return 0;
+    if (have_ticket == 0)
+        retv = 0;
+end:
+    return retv;
 }
 
 /*-
@@ -3026,6 +3045,7 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
  *       point to the resulting session.
  *
  * Returns:
+ *   -2: fatal error, malloc failure.
  *   -1: fatal error, either from parsing or decrypting the ticket.
  *    2: the ticket couldn't be decrypted.
  *    3: a ticket was successfully decrypted and *psess was set.
@@ -3040,19 +3060,21 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
     const unsigned char *p;
     int slen, mlen, renew_ticket = 0;
     unsigned char tick_hmac[EVP_MAX_MD_SIZE];
-    HMAC_CTX hctx;
-    EVP_CIPHER_CTX ctx;
+    HMAC_CTX *hctx = NULL;
+    EVP_CIPHER_CTX *ctx;
     SSL_CTX *tctx = s->initial_ctx;
     /* Need at least keyname + iv + some encrypted data */
     if (eticklen < 48)
         return 2;
     /* Initialize session ticket encryption and HMAC contexts */
-    HMAC_CTX_init(&hctx);
-    EVP_CIPHER_CTX_init(&ctx);
+    hctx = HMAC_CTX_new();
+    if (hctx == NULL)
+        return -2;
+    ctx = EVP_CIPHER_CTX_new();
     if (tctx->tlsext_ticket_key_cb) {
         unsigned char *nctick = (unsigned char *)etick;
         int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
-                                            &ctx, &hctx, 0);
+                                            ctx, hctx, 0);
         if (rv < 0)
             return -1;
         if (rv == 0)
@@ -3063,46 +3085,51 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
         /* Check key name matches */
         if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
             return 2;
-        HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
-                     EVP_sha256(), NULL);
-        EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
-                           tctx->tlsext_tick_aes_key, etick + 16);
+        if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
+                         EVP_sha256(), NULL) <= 0
+                || EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
+                                      tctx->tlsext_tick_aes_key,
+                                      etick + 16) <= 0) {
+            goto err;
+       }
     }
     /*
      * Attempt to process session ticket, first conduct sanity and integrity
      * checks on ticket.
      */
-    mlen = HMAC_size(&hctx);
+    mlen = HMAC_size(hctx);
     if (mlen < 0) {
-        EVP_CIPHER_CTX_cleanup(&ctx);
-        return -1;
+        goto err;
     }
     eticklen -= mlen;
     /* Check HMAC of encrypted ticket */
-    HMAC_Update(&hctx, etick, eticklen);
-    HMAC_Final(&hctx, tick_hmac, NULL);
-    HMAC_CTX_cleanup(&hctx);
+    if (HMAC_Update(hctx, etick, eticklen) <= 0
+            || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
+        goto err;
+    }
+    HMAC_CTX_free(hctx);
     if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
-        EVP_CIPHER_CTX_cleanup(&ctx);
+        EVP_CIPHER_CTX_free(ctx);
         return 2;
     }
     /* Attempt to decrypt session data */
     /* Move p after IV to start of encrypted ticket, update length */
-    p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
-    eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
+    p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
+    eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
     sdec = OPENSSL_malloc(eticklen);
-    if (!sdec) {
-        EVP_CIPHER_CTX_cleanup(&ctx);
+    if (sdec == NULL
+            || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
+        EVP_CIPHER_CTX_free(ctx);
         return -1;
     }
-    EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
-    if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
-        EVP_CIPHER_CTX_cleanup(&ctx);
+    if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
+        EVP_CIPHER_CTX_free(ctx);
         OPENSSL_free(sdec);
         return 2;
     }
     slen += mlen;
-    EVP_CIPHER_CTX_cleanup(&ctx);
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = NULL;
     p = sdec;
 
     sess = d2i_SSL_SESSION(NULL, &p, slen);
@@ -3128,6 +3155,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
      * For session parse failure, indicate that we need to send a new ticket.
      */
     return 2;
+err:
+    EVP_CIPHER_CTX_free(ctx);
+    HMAC_CTX_free(hctx);
+    return -1;
 }
 
 /* Tables to translate from NIDs to TLS v1.2 ids */
@@ -3143,13 +3174,19 @@ static const tls12_lookup tls12_md[] = {
     {NID_sha224, TLSEXT_hash_sha224},
     {NID_sha256, TLSEXT_hash_sha256},
     {NID_sha384, TLSEXT_hash_sha384},
-    {NID_sha512, TLSEXT_hash_sha512}
+    {NID_sha512, TLSEXT_hash_sha512},
+    {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
+    {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
+    {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
 };
 
 static const tls12_lookup tls12_sig[] = {
     {EVP_PKEY_RSA, TLSEXT_signature_rsa},
     {EVP_PKEY_DSA, TLSEXT_signature_dsa},
-    {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
+    {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
+    {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
+    {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
+    {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
 };
 
 static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
@@ -3178,8 +3215,7 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
     int sig_id, md_id;
     if (!md)
         return 0;
-    md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
-                          sizeof(tls12_md) / sizeof(tls12_lookup));
+    md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md));
     if (md_id == -1)
         return 0;
     sig_id = tls12_get_sigid(pk);
@@ -3192,36 +3228,41 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
 
 int tls12_get_sigid(const EVP_PKEY *pk)
 {
-    return tls12_find_id(pk->type, tls12_sig,
-                         sizeof(tls12_sig) / sizeof(tls12_lookup));
+    return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
 }
 
 typedef struct {
     int nid;
     int secbits;
-    const EVP_MD *(*mfunc) (void);
+    int md_idx;
+    unsigned char tlsext_hash;
 } tls12_hash_info;
 
 static const tls12_hash_info tls12_md_info[] = {
-# ifdef OPENSSL_NO_MD5
-    {NID_md5, 64, 0},
-# else
-    {NID_md5, 64, EVP_md5},
-# endif
-    {NID_sha1, 80, EVP_sha1},
-    {NID_sha224, 112, EVP_sha224},
-    {NID_sha256, 128, EVP_sha256},
-    {NID_sha384, 192, EVP_sha384},
-    {NID_sha512, 256, EVP_sha512}
+    {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
+    {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
+    {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
+    {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
+    {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
+    {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
+    {NID_id_GostR3411_94,       128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
+    {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
+    {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
 };
 
 static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
 {
+    unsigned int i;
     if (hash_alg == 0)
         return NULL;
-    if (hash_alg > sizeof(tls12_md_info) / sizeof(tls12_md_info[0]))
-        return NULL;
-    return tls12_md_info + hash_alg - 1;
+
+    for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
+    {
+        if (tls12_md_info[i].tlsext_hash == hash_alg)
+            return tls12_md_info + i;
+    }
+
+    return NULL;
 }
 
 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
@@ -3230,25 +3271,35 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
     if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
         return NULL;
     inf = tls12_get_hash_info(hash_alg);
-    if (!inf || !inf->mfunc)
+    if (!inf)
         return NULL;
-    return inf->mfunc();
+    return ssl_md(inf->md_idx);
 }
 
 static int tls12_get_pkey_idx(unsigned char sig_alg)
 {
     switch (sig_alg) {
-# ifndef OPENSSL_NO_RSA
+#ifndef OPENSSL_NO_RSA
     case TLSEXT_signature_rsa:
         return SSL_PKEY_RSA_SIGN;
-# endif
-# ifndef OPENSSL_NO_DSA
+#endif
+#ifndef OPENSSL_NO_DSA
     case TLSEXT_signature_dsa:
         return SSL_PKEY_DSA_SIGN;
-# endif
-# ifndef OPENSSL_NO_ECDSA
+#endif
+#ifndef OPENSSL_NO_EC
     case TLSEXT_signature_ecdsa:
         return SSL_PKEY_ECC;
+#endif
+# ifndef OPENSSL_NO_GOST
+    case TLSEXT_signature_gostr34102001:
+        return SSL_PKEY_GOST01;
+
+    case TLSEXT_signature_gostr34102012_256:
+        return SSL_PKEY_GOST12_256;
+
+    case TLSEXT_signature_gostr34102012_512:
+        return SSL_PKEY_GOST12_512;
 # endif
     }
     return -1;
@@ -3258,25 +3309,23 @@ static int tls12_get_pkey_idx(unsigned char sig_alg)
 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
                                int *psignhash_nid, const unsigned char *data)
 {
-    int sign_nid = 0, hash_nid = 0;
+    int sign_nid = NID_undef, hash_nid = NID_undef;
     if (!phash_nid && !psign_nid && !psignhash_nid)
         return;
     if (phash_nid || psignhash_nid) {
-        hash_nid = tls12_find_nid(data[0], tls12_md,
-                                  sizeof(tls12_md) / sizeof(tls12_lookup));
+        hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md));
         if (phash_nid)
             *phash_nid = hash_nid;
     }
     if (psign_nid || psignhash_nid) {
-        sign_nid = tls12_find_nid(data[1], tls12_sig,
-                                  sizeof(tls12_sig) / sizeof(tls12_lookup));
+        sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig));
         if (psign_nid)
             *psign_nid = sign_nid;
     }
     if (psignhash_nid) {
-        if (sign_nid && hash_nid)
-            OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid);
-        else
+        if (sign_nid == NID_undef || hash_nid == NID_undef
+                || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
+                                          sign_nid) <= 0)
             *psignhash_nid = NID_undef;
     }
 }
@@ -3286,7 +3335,7 @@ static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
 {
     /* See if we have an entry in the hash table and it is enabled */
     const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
-    if (!hinf || !hinf->mfunc)
+    if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
         return 0;
     /* See if public key algorithm allowed */
     if (tls12_get_pkey_idx(ptmp[1]) == -1)
@@ -3301,7 +3350,7 @@ static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
  * disabled.
  */
 
-void ssl_set_sig_mask(unsigned long *pmask_a, SSL *s, int op)
+void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
 {
     const unsigned char *sigalgs;
     size_t i, sigalgslen;
@@ -3314,24 +3363,24 @@ void ssl_set_sig_mask(unsigned long *pmask_a, SSL *s, int op)
     sigalgslen = tls12_get_psigalgs(s, &sigalgs);
     for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
         switch (sigalgs[1]) {
-# ifndef OPENSSL_NO_RSA
+#ifndef OPENSSL_NO_RSA
         case TLSEXT_signature_rsa:
             if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
                 have_rsa = 1;
             break;
-# endif
-# ifndef OPENSSL_NO_DSA
+#endif
+#ifndef OPENSSL_NO_DSA
         case TLSEXT_signature_dsa:
             if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
                 have_dsa = 1;
             break;
-# endif
-# ifndef OPENSSL_NO_ECDSA
+#endif
+#ifndef OPENSSL_NO_EC
         case TLSEXT_signature_ecdsa:
             if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
                 have_ecdsa = 1;
             break;
-# endif
+#endif
         }
     }
     if (!have_rsa)
@@ -3394,10 +3443,10 @@ static int tls1_set_shared_sigalgs(SSL *s)
     TLS_SIGALGS *salgs = NULL;
     CERT *c = s->cert;
     unsigned int is_suiteb = tls1_suiteb(s);
-    if (c->shared_sigalgs) {
-        OPENSSL_free(c->shared_sigalgs);
-        c->shared_sigalgs = NULL;
-    }
+
+    OPENSSL_free(c->shared_sigalgs);
+    c->shared_sigalgs = NULL;
+    c->shared_sigalgslen = 0;
     /* If client use client signature algorithms if not NULL */
     if (!s->server && c->client_sigalgs && !is_suiteb) {
         conf = c->client_sigalgs;
@@ -3410,21 +3459,23 @@ static int tls1_set_shared_sigalgs(SSL *s)
     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
         pref = conf;
         preflen = conflen;
-        allow = c->peer_sigalgs;
-        allowlen = c->peer_sigalgslen;
+        allow = s->s3->tmp.peer_sigalgs;
+        allowlen = s->s3->tmp.peer_sigalgslen;
     } else {
         allow = conf;
         allowlen = conflen;
-        pref = c->peer_sigalgs;
-        preflen = c->peer_sigalgslen;
+        pref = s->s3->tmp.peer_sigalgs;
+        preflen = s->s3->tmp.peer_sigalgslen;
     }
     nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
-    if (!nmatch)
-        return 1;
-    salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
-    if (!salgs)
-        return 0;
-    nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
+    if (nmatch) {
+        salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
+        if (salgs == NULL)
+            return 0;
+        nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
+    } else {
+        salgs = NULL;
+    }
     c->shared_sigalgs = salgs;
     c->shared_sigalgslen = nmatch;
     return 1;
@@ -3442,13 +3493,12 @@ int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
     if (!c)
         return 0;
 
-    if (c->peer_sigalgs)
-        OPENSSL_free(c->peer_sigalgs);
-    c->peer_sigalgs = OPENSSL_malloc(dsize);
-    if (!c->peer_sigalgs)
+    OPENSSL_free(s->s3->tmp.peer_sigalgs);
+    s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize);
+    if (s->s3->tmp.peer_sigalgs == NULL)
         return 0;
-    c->peer_sigalgslen = dsize;
-    memcpy(c->peer_sigalgs, data, dsize);
+    s->s3->tmp.peer_sigalgslen = dsize;
+    memcpy(s->s3->tmp.peer_sigalgs, data, dsize);
     return 1;
 }
 
@@ -3457,12 +3507,14 @@ int tls1_process_sigalgs(SSL *s)
     int idx;
     size_t i;
     const EVP_MD *md;
+    const EVP_MD **pmd = s->s3->tmp.md;
+    uint32_t *pvalid = s->s3->tmp.valid_flags;
     CERT *c = s->cert;
     TLS_SIGALGS *sigptr;
     if (!tls1_set_shared_sigalgs(s))
         return 0;
 
-# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
     if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
         /*
          * Use first set signature preference to force message digest,
@@ -3476,28 +3528,26 @@ int tls1_process_sigalgs(SSL *s)
         if (sigs) {
             idx = tls12_get_pkey_idx(sigs[1]);
             md = tls12_get_hash(sigs[0]);
-            c->pkeys[idx].digest = md;
-            c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
+            pmd[idx] = md;
+            pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
             if (idx == SSL_PKEY_RSA_SIGN) {
-                c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
-                    CERT_PKEY_EXPLICIT_SIGN;
-                c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
+                pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
+                pmd[SSL_PKEY_RSA_ENC] = md;
             }
         }
     }
-# endif
+#endif
 
     for (i = 0, sigptr = c->shared_sigalgs;
          i < c->shared_sigalgslen; i++, sigptr++) {
         idx = tls12_get_pkey_idx(sigptr->rsign);
-        if (idx > 0 && c->pkeys[idx].digest == NULL) {
+        if (idx > 0 && pmd[idx] == NULL) {
             md = tls12_get_hash(sigptr->rhash);
-            c->pkeys[idx].digest = md;
-            c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
+            pmd[idx] = md;
+            pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
             if (idx == SSL_PKEY_RSA_SIGN) {
-                c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
-                    CERT_PKEY_EXPLICIT_SIGN;
-                c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
+                pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
+                pmd[SSL_PKEY_RSA_ENC] = md;
             }
         }
 
@@ -3511,19 +3561,27 @@ int tls1_process_sigalgs(SSL *s)
          * Set any remaining keys to default values. NOTE: if alg is not
          * supported it stays as NULL.
          */
-# ifndef OPENSSL_NO_DSA
-        if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
-            c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
-# endif
-# ifndef OPENSSL_NO_RSA
-        if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
-            c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
-            c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
+#ifndef OPENSSL_NO_DSA
+        if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
+            pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
+#endif
+#ifndef OPENSSL_NO_RSA
+        if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
+            pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
+            pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
         }
-# endif
-# ifndef OPENSSL_NO_ECDSA
-        if (!c->pkeys[SSL_PKEY_ECC].digest)
-            c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
+#endif
+#ifndef OPENSSL_NO_EC
+        if (pmd[SSL_PKEY_ECC] == NULL)
+            pmd[SSL_PKEY_ECC] = EVP_sha1();
+#endif
+# ifndef OPENSSL_NO_GOST
+        if (pmd[SSL_PKEY_GOST01] == NULL)
+            pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
+        if (pmd[SSL_PKEY_GOST12_256] == NULL)
+            pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
+        if (pmd[SSL_PKEY_GOST12_512] == NULL)
+            pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
 # endif
     }
     return 1;
@@ -3533,12 +3591,12 @@ int SSL_get_sigalgs(SSL *s, int idx,
                     int *psign, int *phash, int *psignhash,
                     unsigned char *rsig, unsigned char *rhash)
 {
-    const unsigned char *psig = s->cert->peer_sigalgs;
+    const unsigned char *psig = s->s3->tmp.peer_sigalgs;
     if (psig == NULL)
         return 0;
     if (idx >= 0) {
         idx <<= 1;
-        if (idx >= (int)s->cert->peer_sigalgslen)
+        if (idx >= (int)s->s3->tmp.peer_sigalgslen)
             return 0;
         psig += idx;
         if (rhash)
@@ -3547,7 +3605,7 @@ int SSL_get_sigalgs(SSL *s, int idx,
             *rsig = psig[1];
         tls1_lookup_sigalg(phash, psign, psignhash, psig);
     }
-    return s->cert->peer_sigalgslen / 2;
+    return s->s3->tmp.peer_sigalgslen / 2;
 }
 
 int SSL_get_shared_sigalgs(SSL *s, int idx,
@@ -3571,170 +3629,34 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
     return s->cert->shared_sigalgslen;
 }
 
-# ifndef OPENSSL_NO_HEARTBEATS
-int tls1_process_heartbeat(SSL *s)
-{
-    unsigned char *p = &s->s3->rrec.data[0], *pl;
-    unsigned short hbtype;
-    unsigned int payload;
-    unsigned int padding = 16;  /* Use minimum padding */
-
-    if (s->msg_callback)
-        s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
-                        &s->s3->rrec.data[0], s->s3->rrec.length,
-                        s, s->msg_callback_arg);
-
-    /* Read type and payload length first */
-    if (1 + 2 + 16 > s->s3->rrec.length)
-        return 0;               /* silently discard */
-    hbtype = *p++;
-    n2s(p, payload);
-    if (1 + 2 + payload + 16 > s->s3->rrec.length)
-        return 0;               /* silently discard per RFC 6520 sec. 4 */
-    pl = p;
-
-    if (hbtype == TLS1_HB_REQUEST) {
-        unsigned char *buffer, *bp;
-        int r;
-
-        /*
-         * Allocate memory for the response, size is 1 bytes message type,
-         * plus 2 bytes payload length, plus payload, plus padding
-         */
-        buffer = OPENSSL_malloc(1 + 2 + payload + padding);
-        if (buffer == NULL) {
-            SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE);
-            return -1;
-        }
-        bp = buffer;
-
-        /* Enter response type, length and copy payload */
-        *bp++ = TLS1_HB_RESPONSE;
-        s2n(payload, bp);
-        memcpy(bp, pl, payload);
-        bp += payload;
-        /* Random padding */
-        RAND_pseudo_bytes(bp, padding);
-
-        r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
-                             3 + payload + padding);
-
-        if (r >= 0 && s->msg_callback)
-            s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-                            buffer, 3 + payload + padding,
-                            s, s->msg_callback_arg);
-
-        OPENSSL_free(buffer);
-
-        if (r < 0)
-            return r;
-    } else if (hbtype == TLS1_HB_RESPONSE) {
-        unsigned int seq;
-
-        /*
-         * We only send sequence numbers (2 bytes unsigned int), and 16
-         * random bytes, so we just try to read the sequence number
-         */
-        n2s(pl, seq);
-
-        if (payload == 18 && seq == s->tlsext_hb_seq) {
-            s->tlsext_hb_seq++;
-            s->tlsext_hb_pending = 0;
-        }
-    }
-
-    return 0;
-}
-
-int tls1_heartbeat(SSL *s)
-{
-    unsigned char *buf, *p;
-    int ret;
-    unsigned int payload = 18;  /* Sequence number + random bytes */
-    unsigned int padding = 16;  /* Use minimum padding */
-
-    /* Only send if peer supports and accepts HB requests... */
-    if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
-        s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
-        SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
-        return -1;
-    }
-
-    /* ...and there is none in flight yet... */
-    if (s->tlsext_hb_pending) {
-        SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
-        return -1;
-    }
-
-    /* ...and no handshake in progress. */
-    if (SSL_in_init(s) || s->in_handshake) {
-        SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
-        return -1;
-    }
-
-    /*
-     * Check if padding is too long, payload and padding must not exceed 2^14
-     * - 3 = 16381 bytes in total.
-     */
-    OPENSSL_assert(payload + padding <= 16381);
-
-    /*-
-     * Create HeartBeat message, we just use a sequence number
-     * as payload to distuingish different messages and add
-     * some random stuff.
-     *  - Message Type, 1 byte
-     *  - Payload Length, 2 bytes (unsigned int)
-     *  - Payload, the sequence number (2 bytes uint)
-     *  - Payload, random bytes (16 bytes uint)
-     *  - Padding
-     */
-    buf = OPENSSL_malloc(1 + 2 + payload + padding);
-    if (buf == NULL) {
-        SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);
-        return -1;
-    }
-    p = buf;
-    /* Message Type */
-    *p++ = TLS1_HB_REQUEST;
-    /* Payload length (18 bytes here) */
-    s2n(payload, p);
-    /* Sequence number */
-    s2n(s->tlsext_hb_seq, p);
-    /* 16 random bytes */
-    RAND_pseudo_bytes(p, 16);
-    p += 16;
-    /* Random padding */
-    RAND_pseudo_bytes(p, padding);
-
-    ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
-    if (ret >= 0) {
-        if (s->msg_callback)
-            s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-                            buf, 3 + payload + padding,
-                            s, s->msg_callback_arg);
-
-        s->tlsext_hb_pending = 1;
-    }
-
-    OPENSSL_free(buf);
-
-    return ret;
-}
-# endif
-
-# define MAX_SIGALGLEN   (TLSEXT_hash_num * TLSEXT_signature_num * 2)
+#define MAX_SIGALGLEN   (TLSEXT_hash_num * TLSEXT_signature_num * 2)
 
 typedef struct {
     size_t sigalgcnt;
     int sigalgs[MAX_SIGALGLEN];
 } sig_cb_st;
 
+static void get_sigorhash(int *psig, int *phash, const char *str)
+{
+    if (strcmp(str, "RSA") == 0) {
+        *psig = EVP_PKEY_RSA;
+    } else if (strcmp(str, "DSA") == 0) {
+        *psig = EVP_PKEY_DSA;
+    } else if (strcmp(str, "ECDSA") == 0) {
+        *psig = EVP_PKEY_EC;
+    } else {
+        *phash = OBJ_sn2nid(str);
+        if (*phash == NID_undef)
+            *phash = OBJ_ln2nid(str);
+    }
+}
+
 static int sig_cb(const char *elem, int len, void *arg)
 {
     sig_cb_st *sarg = arg;
     size_t i;
     char etmp[20], *p;
-    int sig_alg, hash_alg;
+    int sig_alg = NID_undef, hash_alg = NID_undef;
     if (elem == NULL)
         return 0;
     if (sarg->sigalgcnt == MAX_SIGALGLEN)
@@ -3751,19 +3673,10 @@ static int sig_cb(const char *elem, int len, void *arg)
     if (!*p)
         return 0;
 
-    if (!strcmp(etmp, "RSA"))
-        sig_alg = EVP_PKEY_RSA;
-    else if (!strcmp(etmp, "DSA"))
-        sig_alg = EVP_PKEY_DSA;
-    else if (!strcmp(etmp, "ECDSA"))
-        sig_alg = EVP_PKEY_EC;
-    else
-        return 0;
+    get_sigorhash(&sig_alg, &hash_alg, etmp);
+    get_sigorhash(&sig_alg, &hash_alg, p);
 
-    hash_alg = OBJ_sn2nid(p);
-    if (hash_alg == NID_undef)
-        hash_alg = OBJ_ln2nid(p);
-    if (hash_alg == NID_undef)
+    if (sig_alg == NID_undef || hash_alg == NID_undef)
         return 0;
 
     for (i = 0; i < sarg->sigalgcnt; i += 2) {
@@ -3802,10 +3715,8 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
     if (sigalgs == NULL)
         return 0;
     for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
-        rhash = tls12_find_id(*psig_nids++, tls12_md,
-                              sizeof(tls12_md) / sizeof(tls12_lookup));
-        rsign = tls12_find_id(*psig_nids++, tls12_sig,
-                              sizeof(tls12_sig) / sizeof(tls12_lookup));
+        rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md));
+        rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig));
 
         if (rhash == -1 || rsign == -1)
             goto err;
@@ -3814,13 +3725,11 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
     }
 
     if (client) {
-        if (c->client_sigalgs)
-            OPENSSL_free(c->client_sigalgs);
+        OPENSSL_free(c->client_sigalgs);
         c->client_sigalgs = sigalgs;
         c->client_sigalgslen = salglen;
     } else {
-        if (c->conf_sigalgs)
-            OPENSSL_free(c->conf_sigalgs);
+        OPENSSL_free(c->conf_sigalgs);
         c->conf_sigalgs = sigalgs;
         c->conf_sigalgslen = salglen;
     }
@@ -3869,10 +3778,10 @@ static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
 
 /* Flags which need to be set for a certificate when stict mode not set */
 
-# define CERT_PKEY_VALID_FLAGS \
+#define CERT_PKEY_VALID_FLAGS \
         (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
 /* Strict mode flags */
-# define CERT_PKEY_STRICT_FLAGS \
+#define CERT_PKEY_STRICT_FLAGS \
          (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
          | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
 
@@ -3884,6 +3793,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
     int check_flags = 0, strict_mode;
     CERT_PKEY *cpk = NULL;
     CERT *c = s->cert;
+    uint32_t *pvalid;
     unsigned int suiteb_flags = tls1_suiteb(s);
     /* idx == -1 means checking server chains */
     if (idx != -1) {
@@ -3893,6 +3803,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
             idx = cpk - c->pkeys;
         } else
             cpk = c->pkeys + idx;
+        pvalid = s->s3->tmp.valid_flags + idx;
         x = cpk->x509;
         pk = cpk->privatekey;
         chain = cpk->chain;
@@ -3900,22 +3811,23 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
         /* If no cert or key, forget it */
         if (!x || !pk)
             goto end;
-# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
         /* Allow any certificate to pass test */
         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
             rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
                 CERT_PKEY_VALID | CERT_PKEY_SIGN;
-            cpk->valid_flags = rv;
+            *pvalid = rv;
             return rv;
         }
-# endif
+#endif
     } else {
         if (!x || !pk)
-            goto end;
+            return 0;
         idx = ssl_cert_type(x, pk);
         if (idx == -1)
-            goto end;
-        cpk = c->pkeys + idx;
+            return 0;
+        pvalid = s->s3->tmp.valid_flags + idx;
+
         if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
             check_flags = CERT_PKEY_STRICT_FLAGS;
         else
@@ -3941,20 +3853,18 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
     if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
         int default_nid;
         unsigned char rsign = 0;
-        if (c->peer_sigalgs)
+        if (s->s3->tmp.peer_sigalgs)
             default_nid = 0;
         /* If no sigalgs extension use defaults from RFC5246 */
         else {
             switch (idx) {
             case SSL_PKEY_RSA_ENC:
             case SSL_PKEY_RSA_SIGN:
-            case SSL_PKEY_DH_RSA:
                 rsign = TLSEXT_signature_rsa;
                 default_nid = NID_sha1WithRSAEncryption;
                 break;
 
             case SSL_PKEY_DSA_SIGN:
-            case SSL_PKEY_DH_DSA:
                 rsign = TLSEXT_signature_dsa;
                 default_nid = NID_dsaWithSHA1;
                 break;
@@ -3964,6 +3874,21 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
                 default_nid = NID_ecdsa_with_SHA1;
                 break;
 
+            case SSL_PKEY_GOST01:
+                rsign = TLSEXT_signature_gostr34102001;
+                default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
+                break;
+
+            case SSL_PKEY_GOST12_256:
+                rsign = TLSEXT_signature_gostr34102012_256;
+                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
+                break;
+
+            case SSL_PKEY_GOST12_512:
+                rsign = TLSEXT_signature_gostr34102012_512;
+                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
+                break;
+
             default:
                 default_nid = -1;
                 break;
@@ -4032,7 +3957,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
     if (!s->server && strict_mode) {
         STACK_OF(X509_NAME) *ca_dn;
         int check_type = 0;
-        switch (pk->type) {
+        switch (EVP_PKEY_id(pk)) {
         case EVP_PKEY_RSA:
             check_type = TLS_CT_RSA_SIGN;
             break;
@@ -4042,15 +3967,6 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
         case EVP_PKEY_EC:
             check_type = TLS_CT_ECDSA_SIGN;
             break;
-        case EVP_PKEY_DH:
-        case EVP_PKEY_DHX:
-            {
-                int cert_type = X509_certificate_type(x, pk);
-                if (cert_type & EVP_PKS_RSA)
-                    check_type = TLS_CT_RSA_FIXED_DH;
-                if (cert_type & EVP_PKS_DSA)
-                    check_type = TLS_CT_DSS_FIXED_DH;
-            }
         }
         if (check_type) {
             const unsigned char *ctypes;
@@ -4102,9 +4018,9 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
  end:
 
     if (TLS1_get_version(s) >= TLS1_2_VERSION) {
-        if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
+        if (*pvalid & CERT_PKEY_EXPLICIT_SIGN)
             rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
-        else if (cpk->digest)
+        else if (s->s3->tmp.md[idx] != NULL)
             rv |= CERT_PKEY_SIGN;
     } else
         rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
@@ -4115,10 +4031,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
      */
     if (!check_flags) {
         if (rv & CERT_PKEY_VALID)
-            cpk->valid_flags = rv;
+            *pvalid = rv;
         else {
             /* Preserve explicit sign flag, clear rest */
-            cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
+            *pvalid &= CERT_PKEY_EXPLICIT_SIGN;
             return 0;
         }
     }
@@ -4131,9 +4047,10 @@ void tls1_set_cert_validity(SSL *s)
     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
-    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
-    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
+    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
+    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
+    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
 }
 
 /* User level utiity function to check a chain is suitable */
@@ -4142,7 +4059,6 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
     return tls1_check_chain(s, x, pk, chain, -1);
 }
 
-#endif
 
 #ifndef OPENSSL_NO_DH
 DH *ssl_get_auto_dh(SSL *s)
@@ -4150,7 +4066,7 @@ DH *ssl_get_auto_dh(SSL *s)
     int dh_secbits = 80;
     if (s->cert->dh_tmp_auto == 2)
         return DH_get_1024_160();
-    if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
+    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
         if (s->s3->tmp.new_cipher->strength_bits == 256)
             dh_secbits = 128;
         else
@@ -4162,16 +4078,16 @@ DH *ssl_get_auto_dh(SSL *s)
 
     if (dh_secbits >= 128) {
         DH *dhp = DH_new();
-        if (!dhp)
+        if (dhp == NULL)
             return NULL;
         dhp->g = BN_new();
-        if (dhp->g)
+        if (dhp->g != NULL)
             BN_set_word(dhp->g, 2);
         if (dh_secbits >= 192)
             dhp->p = get_rfc3526_prime_8192(NULL);
         else
             dhp->p = get_rfc3526_prime_3072(NULL);
-        if (!dhp->p || !dhp->g) {
+        if (dhp->p == NULL || dhp->g == NULL) {
             DH_free(dhp);
             return NULL;
         }
@@ -4185,13 +4101,17 @@ DH *ssl_get_auto_dh(SSL *s)
 
 static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
 {
-    int secbits;
-    EVP_PKEY *pkey = X509_get_pubkey(x);
+    int secbits = -1;
+    EVP_PKEY *pkey = X509_get0_pubkey(x);
     if (pkey) {
+        /*
+         * If no parameters this will return -1 and fail using the default
+         * security callback for any non-zero security level. This will
+         * reject keys which omit parameters but this only affects DSA and
+         * omission of parameters is never (?) done in practice.
+         */
         secbits = EVP_PKEY_security_bits(pkey);
-        EVP_PKEY_free(pkey);
-    } else
-        secbits = -1;
+    }
     if (s)
         return ssl_security(s, op, secbits, 0, x);
     else