X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=6c09e43463cda7c3b79445c6cc6e0da8811f834a;hb=c38b76bf69adff2ae6240a474ac4309cda9bf163;hp=bd373e326b9ce44c98bed510461e1e3b416052ec;hpb=a43526302f3049f2eed3fc2ea538c14a5f3ff956;p=openssl.git

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index bd373e326b..6c09e43463 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1076,7 +1076,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_aRSA,
 	SSL_eNULL,
 	SSL_SHA256,
-	SSL_SSLV3,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	0,
@@ -1092,7 +1092,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_aRSA,
 	SSL_AES128,
 	SSL_SHA256,
-	SSL_TLSV1,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
@@ -1108,7 +1108,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_aRSA,
 	SSL_AES256,
 	SSL_SHA256,
-	SSL_TLSV1,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
@@ -1120,11 +1120,11 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
 	TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
-	SSL_kDHr,
+	SSL_kDHd,
 	SSL_aDH,
 	SSL_AES128,
 	SSL_SHA256,
-	SSL_TLSV1,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
@@ -1140,7 +1140,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_aDH,
 	SSL_AES128,
 	SSL_SHA256,
-	SSL_TLSV1,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
@@ -1156,7 +1156,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_aDSS,
 	SSL_AES128,
 	SSL_SHA256,
-	SSL_TLSV1,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
@@ -1390,7 +1390,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_aRSA,
 	SSL_AES128,
 	SSL_SHA256,
-	SSL_TLSV1,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
@@ -1402,11 +1402,11 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
 	TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
-	SSL_kDHr,
+	SSL_kDHd,
 	SSL_aDH,
 	SSL_AES256,
 	SSL_SHA256,
-	SSL_TLSV1,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
@@ -1422,7 +1422,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_aDH,
 	SSL_AES256,
 	SSL_SHA256,
-	SSL_TLSV1,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
@@ -1438,7 +1438,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_aDSS,
 	SSL_AES256,
 	SSL_SHA256,
-	SSL_TLSV1,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
@@ -1454,7 +1454,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_aRSA,
 	SSL_AES256,
 	SSL_SHA256,
-	SSL_TLSV1,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
@@ -1470,7 +1470,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_aNULL,
 	SSL_AES128,
 	SSL_SHA256,
-	SSL_TLSV1,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
@@ -1486,7 +1486,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_aNULL,
 	SSL_AES256,
 	SSL_SHA256,
-	SSL_TLSV1,
+	SSL_TLSV1_2,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
@@ -1953,7 +1953,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
 	TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
-	SSL_kDHr,
+	SSL_kDHd,
 	SSL_aDH,
 	SSL_AES128GCM,
 	SSL_AEAD,
@@ -1969,7 +1969,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
 	TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
-	SSL_kDHr,
+	SSL_kDHd,
 	SSL_aDH,
 	SSL_AES256GCM,
 	SSL_AEAD,
@@ -2011,6 +2011,22 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	256,
 	256,
 	},
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+	{
+	1,
+	"SCSV",
+	SSL3_CK_SCSV,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0
+	},
+#endif
 
 #ifndef OPENSSL_NO_ECDH
 	/* Cipher C001 */
@@ -2664,7 +2680,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
 	TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
-	SSL_kECDHe,
+	SSL_kECDHr,
 	SSL_aECDH,
 	SSL_AES128,
 	SSL_SHA256,
@@ -2680,7 +2696,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
 	TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
-	SSL_kECDHe,
+	SSL_kECDHr,
 	SSL_aECDH,
 	SSL_AES256,
 	SSL_SHA384,
@@ -2794,7 +2810,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
 	TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
-	SSL_kECDHe,
+	SSL_kECDHr,
 	SSL_aECDH,
 	SSL_AES128GCM,
 	SSL_AEAD,
@@ -2810,7 +2826,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
 	TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
-	SSL_kECDHe,
+	SSL_kECDHr,
 	SSL_aECDH,
 	SSL_AES256GCM,
 	SSL_AEAD,
@@ -2988,6 +3004,10 @@ void ssl3_free(SSL *s)
 	if (s->s3->handshake_dgst) ssl3_free_digest_list(s);
 #ifndef OPENSSL_NO_SRP
 	SSL_SRP_CTX_free(s);
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+	if (s->s3->tlsext_authz_client_types != NULL)
+		OPENSSL_free(s->s3->tlsext_authz_client_types);
 #endif
 	OPENSSL_cleanse(s->s3,sizeof *s->s3);
 	OPENSSL_free(s->s3);
@@ -3032,6 +3052,13 @@ void ssl3_clear(SSL *s)
 		s->s3->tmp.ecdh = NULL;
 		}
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+	if (s->s3->tlsext_authz_client_types != NULL)
+		{
+		OPENSSL_free(s->s3->tlsext_authz_client_types);
+		s->s3->tlsext_authz_client_types = NULL;
+		}
+#endif
 
 	rp = s->s3->rbuf.buf;
 	wp = s->s3->wbuf.buf;
@@ -3078,6 +3105,8 @@ static char * MS_CALLBACK srp_password_from_info_cb(SSL *s, void *arg)
 	}
 #endif
 
+static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len);
+
 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 	{
 	int ret=0;
@@ -3403,6 +3432,114 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 		s->cert->ecdh_tmp_auto = larg;
 		break;
 
+	case SSL_CTRL_SET_SIGALGS:
+		return tls1_set_sigalgs(s->cert, parg, larg, 0);
+
+	case SSL_CTRL_SET_SIGALGS_LIST:
+		return tls1_set_sigalgs_list(s->cert, parg, 0);
+
+	case SSL_CTRL_SET_CLIENT_SIGALGS:
+		return tls1_set_sigalgs(s->cert, parg, larg, 1);
+
+	case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
+		return tls1_set_sigalgs_list(s->cert, parg, 1);
+
+	case SSL_CTRL_GET_CLIENT_CERT_TYPES:
+		{
+		const unsigned char **pctype = parg;
+		if (s->server || !s->s3->tmp.cert_req)
+			return 0;
+		if (s->cert->ctypes)
+			{
+			if (pctype)
+				*pctype = s->cert->ctypes;
+			return (int)s->cert->ctype_num;
+			}
+		if (pctype)
+			*pctype = (unsigned char *)s->s3->tmp.ctype;
+		return s->s3->tmp.ctype_num;
+		}
+
+	case SSL_CTRL_SET_CLIENT_CERT_TYPES:
+		if (!s->server)
+			return 0;
+		return ssl3_set_req_cert_type(s->cert, parg, larg);
+
+	case SSL_CTRL_BUILD_CERT_CHAIN:
+		return ssl_build_cert_chain(s->cert, s->ctx->cert_store, larg);
+
+	case SSL_CTRL_SET_VERIFY_CERT_STORE:
+		return ssl_cert_set_cert_store(s->cert, parg, 0, larg);
+
+	case SSL_CTRL_SET_CHAIN_CERT_STORE:
+		return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
+
+	case SSL_CTRL_GET_PEER_SIGNATURE_NID:
+		if (TLS1_get_version(s) >= TLS1_2_VERSION)
+			{
+			if (s->session && s->session->sess_cert)
+				{
+				const EVP_MD *sig;
+				sig = s->session->sess_cert->peer_key->digest;
+				if (sig)
+					{
+					*(int *)parg = EVP_MD_type(sig);
+					return 1;
+					}
+				}
+			return 0;
+			}
+		/* Might want to do something here for other versions */
+		else
+			return 0;
+
+	case SSL_CTRL_GET_SERVER_TMP_KEY:
+		if (s->server || !s->session || !s->session->sess_cert)
+			return 0;
+		else
+			{
+			SESS_CERT *sc;
+			EVP_PKEY *ptmp;
+			int rv = 0;
+			sc = s->session->sess_cert;
+			if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
+							&& !sc->peer_ecdh_tmp)
+				return 0;
+			ptmp = EVP_PKEY_new();
+			if (!ptmp)
+				return 0;
+			if (0);
+#ifndef OPENSSL_NO_RSA
+			else if (sc->peer_rsa_tmp)
+				rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);
+#endif
+#ifndef OPENSSL_NO_DH
+			else if (sc->peer_dh_tmp)
+				rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp);
+#endif
+#ifndef OPENSSL_NO_ECDH
+			else if (sc->peer_ecdh_tmp)
+				rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp);
+#endif
+			if (rv)
+				{
+				*(EVP_PKEY **)parg = ptmp;
+				return 1;
+				}
+			EVP_PKEY_free(ptmp);
+			return 0;
+			}
+
+	case SSL_CTRL_GET_EC_POINT_FORMATS:
+		{
+		SSL_SESSION *sess = s->session;
+		const unsigned char **pformat = parg;
+		if (!sess || !sess->tlsext_ecpointformatlist)
+			return 0;
+		*pformat = sess->tlsext_ecpointformatlist;
+		return (int)sess->tlsext_ecpointformatlist_length;
+		}
+
 	default:
 		break;
 		}
@@ -3684,6 +3821,35 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 	case SSL_CTRL_SET_ECDH_AUTO:
 		ctx->cert->ecdh_tmp_auto = larg;
 		break;
+
+	case SSL_CTRL_SET_SIGALGS:
+		return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
+
+	case SSL_CTRL_SET_SIGALGS_LIST:
+		return tls1_set_sigalgs_list(ctx->cert, parg, 0);
+
+	case SSL_CTRL_SET_CLIENT_SIGALGS:
+		return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
+
+	case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
+		return tls1_set_sigalgs_list(ctx->cert, parg, 1);
+
+	case SSL_CTRL_SET_CLIENT_CERT_TYPES:
+		return ssl3_set_req_cert_type(ctx->cert, parg, larg);
+
+	case SSL_CTRL_BUILD_CERT_CHAIN:
+		return ssl_build_cert_chain(ctx->cert, ctx->cert_store, larg);
+
+	case SSL_CTRL_SET_VERIFY_CERT_STORE:
+		return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);
+
+	case SSL_CTRL_SET_CHAIN_CERT_STORE:
+		return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
+
+	case SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB_ARG:
+		ctx->tlsext_authz_server_audit_proof_cb_arg = parg;
+		break;
+
 #endif /* !OPENSSL_NO_TLSEXT */
 
 	/* A Thawte special :-) */
@@ -3793,6 +3959,12 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
 		ctx->srp_ctx.SRP_give_srp_client_pwd_callback=(char *(*)(SSL *,void *))fp;
 		break;
 #endif
+
+	case SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB:
+		ctx->tlsext_authz_server_audit_proof_cb =
+			(int (*)(SSL *, void *))fp;
+		break;
+
 #endif
 	case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
 		{
@@ -3819,10 +3991,7 @@ const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
 #ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES
 if (cp == NULL) fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) | p[1]);
 #endif
-	if (cp == NULL || cp->valid == 0)
-		return NULL;
-	else
-		return cp;
+	return cp;
 	}
 
 int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
@@ -3876,7 +4045,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 	    }
 #endif
 
-	if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+	if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s))
 		{
 		prio = srvr;
 		allow = clnt;
@@ -3887,6 +4056,8 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 		allow = srvr;
 		}
 
+	tls1_set_cert_validity(s);
+
 	for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
 		{
 		c=sk_SSL_CIPHER_value(prio,i);
@@ -3945,14 +4116,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 
 #ifndef OPENSSL_NO_TLSEXT
 #ifndef OPENSSL_NO_EC
-		/* if we are considering an ECC cipher suite that uses our
-		 * certificate check it */
-		if (alg_a & (SSL_aECDSA|SSL_aECDH))
-			ok = ok && tls1_check_ec_server_key(s);
 		/* if we are considering an ECC cipher suite that uses
 		 * an ephemeral EC key check it */
 		if (alg_k & SSL_kEECDH)
-			ok = ok && tls1_check_ec_tmp_key(s);
+			ok = ok && tls1_check_ec_tmp_key(s, c->id);
 #endif /* OPENSSL_NO_EC */
 #endif /* OPENSSL_NO_TLSEXT */
 
@@ -3970,8 +4137,40 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 	{
 	int ret=0;
+	const unsigned char *sig;
+	size_t i, siglen;
+	int have_rsa_sign = 0, have_dsa_sign = 0, have_ecdsa_sign = 0;
+	int nostrict = 1;
 	unsigned long alg_k;
 
+	/* If we have custom certificate types set, use them */
+	if (s->cert->ctypes)
+		{
+		memcpy(p, s->cert->ctypes, s->cert->ctype_num);
+		return (int)s->cert->ctype_num;
+		}
+	/* get configured sigalgs */
+	siglen = tls12_get_psigalgs(s, &sig);
+	if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
+		nostrict = 0;
+	for (i = 0; i < siglen; i+=2, sig+=2)
+		{
+		switch(sig[1])
+			{
+		case TLSEXT_signature_rsa:
+			have_rsa_sign = 1;
+			break;
+
+		case TLSEXT_signature_dsa:
+			have_dsa_sign = 1;
+			break;
+
+		case TLSEXT_signature_ecdsa:
+			have_ecdsa_sign = 1;
+			break;
+			}
+		}
+
 	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 
 #ifndef OPENSSL_NO_GOST
@@ -3990,10 +4189,15 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 	if (alg_k & (SSL_kDHr|SSL_kEDH))
 		{
 #  ifndef OPENSSL_NO_RSA
-		p[ret++]=SSL3_CT_RSA_FIXED_DH;
+		/* Since this refers to a certificate signed with an RSA
+		 * algorithm, only check for rsa signing in strict mode.
+		 */
+		if (nostrict || have_rsa_sign)
+			p[ret++]=SSL3_CT_RSA_FIXED_DH;
 #  endif
 #  ifndef OPENSSL_NO_DSA
-		p[ret++]=SSL3_CT_DSS_FIXED_DH;
+		if (nostrict || have_dsa_sign)
+			p[ret++]=SSL3_CT_DSS_FIXED_DH;
 #  endif
 		}
 	if ((s->version == SSL3_VERSION) &&
@@ -4008,16 +4212,20 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 		}
 #endif /* !OPENSSL_NO_DH */
 #ifndef OPENSSL_NO_RSA
-	p[ret++]=SSL3_CT_RSA_SIGN;
+	if (have_rsa_sign)
+		p[ret++]=SSL3_CT_RSA_SIGN;
 #endif
 #ifndef OPENSSL_NO_DSA
-	p[ret++]=SSL3_CT_DSS_SIGN;
+	if (have_dsa_sign)
+		p[ret++]=SSL3_CT_DSS_SIGN;
 #endif
 #ifndef OPENSSL_NO_ECDH
 	if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION))
 		{
-		p[ret++]=TLS_CT_RSA_FIXED_ECDH;
-		p[ret++]=TLS_CT_ECDSA_FIXED_ECDH;
+		if (nostrict || have_rsa_sign)
+			p[ret++]=TLS_CT_RSA_FIXED_ECDH;
+		if (nostrict || have_ecdsa_sign)
+			p[ret++]=TLS_CT_ECDSA_FIXED_ECDH;
 		}
 #endif
 
@@ -4027,12 +4235,32 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 	 */
 	if (s->version >= TLS1_VERSION)
 		{
-		p[ret++]=TLS_CT_ECDSA_SIGN;
+		if (have_ecdsa_sign)
+			p[ret++]=TLS_CT_ECDSA_SIGN;
 		}
 #endif	
 	return(ret);
 	}
 
+static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len)
+	{
+	if (c->ctypes)
+		{
+		OPENSSL_free(c->ctypes);
+		c->ctypes = NULL;
+		}
+	if (!p || !len)
+		return 1;
+	if (len > 0xff)
+		return 0;
+	c->ctypes = OPENSSL_malloc(len);
+	if (!c->ctypes)
+		return 0;
+	memcpy(c->ctypes, p, len);
+	c->ctype_num = len;
+	return 1;
+	}
+
 int ssl3_shutdown(SSL *s)
 	{
 	int ret;