Function tls1_check_ec_server_key is now redundant as we make
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
128 #endif
129
130 SSL3_ENC_METHOD TLSv1_enc_data={
131         tls1_enc,
132         tls1_mac,
133         tls1_setup_key_block,
134         tls1_generate_master_secret,
135         tls1_change_cipher_state,
136         tls1_final_finish_mac,
137         TLS1_FINISH_MAC_LENGTH,
138         tls1_cert_verify_mac,
139         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141         tls1_alert_code,
142         tls1_export_keying_material,
143         };
144
145 long tls1_default_timeout(void)
146         {
147         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148          * is way too long for http, the cache would over fill */
149         return(60*60*2);
150         }
151
152 int tls1_new(SSL *s)
153         {
154         if (!ssl3_new(s)) return(0);
155         s->method->ssl_clear(s);
156         return(1);
157         }
158
159 void tls1_free(SSL *s)
160         {
161 #ifndef OPENSSL_NO_TLSEXT
162         if (s->tlsext_session_ticket)
163                 {
164                 OPENSSL_free(s->tlsext_session_ticket);
165                 }
166 #endif /* OPENSSL_NO_TLSEXT */
167         ssl3_free(s);
168         }
169
170 void tls1_clear(SSL *s)
171         {
172         ssl3_clear(s);
173         s->version = s->method->version;
174         }
175
176 #ifndef OPENSSL_NO_EC
177
178 static int nid_list[] =
179         {
180                 NID_sect163k1, /* sect163k1 (1) */
181                 NID_sect163r1, /* sect163r1 (2) */
182                 NID_sect163r2, /* sect163r2 (3) */
183                 NID_sect193r1, /* sect193r1 (4) */ 
184                 NID_sect193r2, /* sect193r2 (5) */ 
185                 NID_sect233k1, /* sect233k1 (6) */
186                 NID_sect233r1, /* sect233r1 (7) */ 
187                 NID_sect239k1, /* sect239k1 (8) */ 
188                 NID_sect283k1, /* sect283k1 (9) */
189                 NID_sect283r1, /* sect283r1 (10) */ 
190                 NID_sect409k1, /* sect409k1 (11) */ 
191                 NID_sect409r1, /* sect409r1 (12) */
192                 NID_sect571k1, /* sect571k1 (13) */ 
193                 NID_sect571r1, /* sect571r1 (14) */ 
194                 NID_secp160k1, /* secp160k1 (15) */
195                 NID_secp160r1, /* secp160r1 (16) */ 
196                 NID_secp160r2, /* secp160r2 (17) */ 
197                 NID_secp192k1, /* secp192k1 (18) */
198                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
199                 NID_secp224k1, /* secp224k1 (20) */ 
200                 NID_secp224r1, /* secp224r1 (21) */
201                 NID_secp256k1, /* secp256k1 (22) */ 
202                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
203                 NID_secp384r1, /* secp384r1 (24) */
204                 NID_secp521r1  /* secp521r1 (25) */     
205         };
206
207
208 static const unsigned char ecformats_default[] = 
209         {
210         TLSEXT_ECPOINTFORMAT_uncompressed,
211         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
212         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
213         };
214
215 static const unsigned char eccurves_default[] =
216         {
217                 0,14, /* sect571r1 (14) */ 
218                 0,13, /* sect571k1 (13) */ 
219                 0,25, /* secp521r1 (25) */      
220                 0,11, /* sect409k1 (11) */ 
221                 0,12, /* sect409r1 (12) */
222                 0,24, /* secp384r1 (24) */
223                 0,9,  /* sect283k1 (9) */
224                 0,10, /* sect283r1 (10) */ 
225                 0,22, /* secp256k1 (22) */ 
226                 0,23, /* secp256r1 (23) */ 
227                 0,8,  /* sect239k1 (8) */ 
228                 0,6,  /* sect233k1 (6) */
229                 0,7,  /* sect233r1 (7) */ 
230                 0,20, /* secp224k1 (20) */ 
231                 0,21, /* secp224r1 (21) */
232                 0,4,  /* sect193r1 (4) */ 
233                 0,5,  /* sect193r2 (5) */ 
234                 0,18, /* secp192k1 (18) */
235                 0,19, /* secp192r1 (19) */ 
236                 0,1,  /* sect163k1 (1) */
237                 0,2,  /* sect163r1 (2) */
238                 0,3,  /* sect163r2 (3) */
239                 0,15, /* secp160k1 (15) */
240                 0,16, /* secp160r1 (16) */ 
241                 0,17, /* secp160r2 (17) */ 
242         };
243
244 int tls1_ec_curve_id2nid(int curve_id)
245         {
246         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
247         if ((curve_id < 1) || ((unsigned int)curve_id >
248                                 sizeof(nid_list)/sizeof(nid_list[0])))
249                 return 0;
250         return nid_list[curve_id-1];
251         }
252
253 int tls1_ec_nid2curve_id(int nid)
254         {
255         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
256         switch (nid)
257                 {
258         case NID_sect163k1: /* sect163k1 (1) */
259                 return 1;
260         case NID_sect163r1: /* sect163r1 (2) */
261                 return 2;
262         case NID_sect163r2: /* sect163r2 (3) */
263                 return 3;
264         case NID_sect193r1: /* sect193r1 (4) */ 
265                 return 4;
266         case NID_sect193r2: /* sect193r2 (5) */ 
267                 return 5;
268         case NID_sect233k1: /* sect233k1 (6) */
269                 return 6;
270         case NID_sect233r1: /* sect233r1 (7) */ 
271                 return 7;
272         case NID_sect239k1: /* sect239k1 (8) */ 
273                 return 8;
274         case NID_sect283k1: /* sect283k1 (9) */
275                 return 9;
276         case NID_sect283r1: /* sect283r1 (10) */ 
277                 return 10;
278         case NID_sect409k1: /* sect409k1 (11) */ 
279                 return 11;
280         case NID_sect409r1: /* sect409r1 (12) */
281                 return 12;
282         case NID_sect571k1: /* sect571k1 (13) */ 
283                 return 13;
284         case NID_sect571r1: /* sect571r1 (14) */ 
285                 return 14;
286         case NID_secp160k1: /* secp160k1 (15) */
287                 return 15;
288         case NID_secp160r1: /* secp160r1 (16) */ 
289                 return 16;
290         case NID_secp160r2: /* secp160r2 (17) */ 
291                 return 17;
292         case NID_secp192k1: /* secp192k1 (18) */
293                 return 18;
294         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
295                 return 19;
296         case NID_secp224k1: /* secp224k1 (20) */ 
297                 return 20;
298         case NID_secp224r1: /* secp224r1 (21) */
299                 return 21;
300         case NID_secp256k1: /* secp256k1 (22) */ 
301                 return 22;
302         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
303                 return 23;
304         case NID_secp384r1: /* secp384r1 (24) */
305                 return 24;
306         case NID_secp521r1:  /* secp521r1 (25) */       
307                 return 25;
308         default:
309                 return 0;
310                 }
311         }
312 /* Get curves list, if "sess" is set return client curves otherwise
313  * preferred list
314  */
315 static void tls1_get_curvelist(SSL *s, int sess,
316                                         const unsigned char **pcurves,
317                                         size_t *pcurveslen)
318         {
319         if (sess)
320                 {
321                 *pcurves = s->session->tlsext_ellipticcurvelist;
322                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
323                 }
324         else
325                 {
326                 *pcurves = s->tlsext_ellipticcurvelist;
327                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
328                 }
329         /* If not set use default: for now static structure */
330         if (!*pcurves)
331                 {
332                 *pcurves = eccurves_default;
333                 *pcurveslen = sizeof(eccurves_default);
334                 }
335         }
336
337 /* Return nth shared curve. If nmatch == -1 return number of
338  * matches.
339  */
340
341 int tls1_shared_curve(SSL *s, int nmatch)
342         {
343         const unsigned char *pref, *supp;
344         size_t preflen, supplen, i, j;
345         int k;
346         /* Can't do anything on client side */
347         if (s->server == 0)
348                 return -1;
349         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
350                                 &supp, &supplen);
351         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
352                                 &pref, &preflen);
353         preflen /= 2;
354         supplen /= 2;
355         k = 0;
356         for (i = 0; i < preflen; i++, pref+=2)
357                 {
358                 const unsigned char *tsupp = supp;
359                 for (j = 0; j < supplen; j++, tsupp+=2)
360                         {
361                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
362                                 {
363                                 if (nmatch == k)
364                                         {
365                                         int id = (pref[0] << 8) | pref[1];
366                                         return tls1_ec_curve_id2nid(id);
367                                         }
368                                 k++;
369                                 }
370                         }
371                 }
372         if (nmatch == -1)
373                 return k;
374         return 0;
375         }
376
377 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
378                         int *curves, size_t ncurves)
379         {
380         unsigned char *clist, *p;
381         size_t i;
382         /* Bitmap of curves included to detect duplicates: only works
383          * while curve ids < 32 
384          */
385         unsigned long dup_list = 0;
386         clist = OPENSSL_malloc(ncurves * 2);
387         if (!clist)
388                 return 0;
389         for (i = 0, p = clist; i < ncurves; i++)
390                 {
391                 unsigned long idmask;
392                 int id;
393                 id = tls1_ec_nid2curve_id(curves[i]);
394                 idmask = 1L << id;
395                 if (!id || (dup_list & idmask))
396                         {
397                         OPENSSL_free(clist);
398                         return 0;
399                         }
400                 dup_list |= idmask;
401                 s2n(id, p);
402                 }
403         if (*pext)
404                 OPENSSL_free(*pext);
405         *pext = clist;
406         *pextlen = ncurves * 2;
407         return 1;
408         }
409
410 #define MAX_CURVELIST   25
411
412 typedef struct
413         {
414         size_t nidcnt;
415         int nid_arr[MAX_CURVELIST];
416         } nid_cb_st;
417
418 static int nid_cb(const char *elem, int len, void *arg)
419         {
420         nid_cb_st *narg = arg;
421         size_t i;
422         int nid;
423         char etmp[20];
424         if (narg->nidcnt == MAX_CURVELIST)
425                 return 0;
426         if (len > (int)(sizeof(etmp) - 1))
427                 return 0;
428         memcpy(etmp, elem, len);
429         etmp[len] = 0;
430         nid = EC_curve_nist2nid(etmp);
431         if (nid == NID_undef)
432                 nid = OBJ_sn2nid(etmp);
433         if (nid == NID_undef)
434                 nid = OBJ_ln2nid(etmp);
435         if (nid == NID_undef)
436                 return 0;
437         for (i = 0; i < narg->nidcnt; i++)
438                 if (narg->nid_arr[i] == nid)
439                         return 0;
440         narg->nid_arr[narg->nidcnt++] = nid;
441         return 1;
442         }
443 /* Set curves based on a colon separate list */
444 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
445                                 const char *str)
446         {
447         nid_cb_st ncb;
448         ncb.nidcnt = 0;
449         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
450                 return 0;
451         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
452         }
453 /* For an EC key set TLS id and required compression based on parameters */
454 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
455                                 EC_KEY *ec)
456         {
457         int is_prime, id;
458         const EC_GROUP *grp;
459         const EC_POINT *pt;
460         const EC_METHOD *meth;
461         if (!ec)
462                 return 0;
463         /* Determine if it is a prime field */
464         grp = EC_KEY_get0_group(ec);
465         pt = EC_KEY_get0_public_key(ec);
466         if (!grp || !pt)
467                 return 0;
468         meth = EC_GROUP_method_of(grp);
469         if (!meth)
470                 return 0;
471         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
472                 is_prime = 1;
473         else
474                 is_prime = 0;
475         /* Determine curve ID */
476         id = EC_GROUP_get_curve_name(grp);
477         id = tls1_ec_nid2curve_id(id);
478         /* If we have an ID set it, otherwise set arbitrary explicit curve */
479         if (id)
480                 {
481                 curve_id[0] = 0;
482                 curve_id[1] = (unsigned char)id;
483                 }
484         else
485                 {
486                 curve_id[0] = 0xff;
487                 if (is_prime)
488                         curve_id[1] = 0x01;
489                 else
490                         curve_id[1] = 0x02;
491                 }
492         if (comp_id)
493                 {
494                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
495                         {
496                         if (is_prime)
497                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
498                         else
499                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
500                         }
501                 else
502                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
503                 }
504         return 1;
505         }
506 /* Check an EC key is compatible with extensions */
507 static int tls1_check_ec_key(SSL *s,
508                         unsigned char *curve_id, unsigned char *comp_id)
509         {
510         const unsigned char *p;
511         size_t plen, i;
512         int j;
513         /* If point formats extension present check it, otherwise everything
514          * is supported (see RFC4492).
515          */
516         if (comp_id && s->session->tlsext_ecpointformatlist)
517                 {
518                 p = s->session->tlsext_ecpointformatlist;
519                 plen = s->session->tlsext_ecpointformatlist_length;
520                 for (i = 0; i < plen; i++, p++)
521                         {
522                         if (*comp_id == *p)
523                                 break;
524                         }
525                 if (i == plen)
526                         return 0;
527                 }
528         /* Check curve is consistent with client and server preferences */
529         for (j = 0; j <= 1; j++)
530                 {
531                 tls1_get_curvelist(s, j, &p, &plen);
532                 for (i = 0; i < plen; i+=2, p+=2)
533                         {
534                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
535                                 break;
536                         }
537                 if (i == plen)
538                         return 0;
539                 }
540         return 1;
541         }
542
543 /* Check cert parameters compatible with extensions: currently just checks
544  * EC certificates have compatible curves and compression.
545  */
546 static int tls1_check_cert_param(SSL *s, X509 *x)
547         {
548         unsigned char comp_id, curve_id[2];
549         EVP_PKEY *pkey;
550         int rv;
551         pkey = X509_get_pubkey(x);
552         if (!pkey)
553                 return 0;
554         /* If not EC nothing to do */
555         if (pkey->type != EVP_PKEY_EC)
556                 {
557                 EVP_PKEY_free(pkey);
558                 return 1;
559                 }
560         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
561         EVP_PKEY_free(pkey);
562         if (!rv)
563                 return 0;
564         return tls1_check_ec_key(s, curve_id, &comp_id);
565         }
566 /* Check EC temporary key is compatible with client extensions */
567 int tls1_check_ec_tmp_key(SSL *s)
568         {
569         unsigned char curve_id[2];
570         EC_KEY *ec = s->cert->ecdh_tmp;
571         if (s->cert->ecdh_tmp_auto)
572                 {
573                 /* Need a shared curve */
574                 if (tls1_shared_curve(s, 0))
575                         return 1;
576                 else return 0;
577                 }
578         if (!ec)
579                 {
580                 if (s->cert->ecdh_tmp_cb)
581                         return 1;
582                 else
583                         return 0;
584                 }
585         if (!tls1_set_ec_id(curve_id, NULL, ec))
586                 return 1;
587         return tls1_check_ec_key(s, curve_id, NULL);
588         }
589
590 #endif /* OPENSSL_NO_EC */
591
592 #ifndef OPENSSL_NO_TLSEXT
593
594 /* List of supported signature algorithms and hashes. Should make this
595  * customisable at some point, for now include everything we support.
596  */
597
598 #ifdef OPENSSL_NO_RSA
599 #define tlsext_sigalg_rsa(md) /* */
600 #else
601 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
602 #endif
603
604 #ifdef OPENSSL_NO_DSA
605 #define tlsext_sigalg_dsa(md) /* */
606 #else
607 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
608 #endif
609
610 #ifdef OPENSSL_NO_ECDSA
611 #define tlsext_sigalg_ecdsa(md) /* */
612 #else
613 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
614 #endif
615
616 #define tlsext_sigalg(md) \
617                 tlsext_sigalg_rsa(md) \
618                 tlsext_sigalg_dsa(md) \
619                 tlsext_sigalg_ecdsa(md)
620
621 static unsigned char tls12_sigalgs[] = {
622 #ifndef OPENSSL_NO_SHA512
623         tlsext_sigalg(TLSEXT_hash_sha512)
624         tlsext_sigalg(TLSEXT_hash_sha384)
625 #endif
626 #ifndef OPENSSL_NO_SHA256
627         tlsext_sigalg(TLSEXT_hash_sha256)
628         tlsext_sigalg(TLSEXT_hash_sha224)
629 #endif
630 #ifndef OPENSSL_NO_SHA
631         tlsext_sigalg(TLSEXT_hash_sha1)
632 #endif
633 #ifndef OPENSSL_NO_MD5
634         tlsext_sigalg_rsa(TLSEXT_hash_md5)
635 #endif
636 };
637
638 size_t tls12_get_sig_algs(SSL *s, unsigned char *p)
639         {
640         const unsigned char *sigs;
641         size_t sigslen;
642         sigs = s->cert->conf_sigalgs;
643
644         if (sigs)
645                 sigslen = s->cert->conf_sigalgslen;
646         else
647                 {
648                 sigs = tls12_sigalgs;
649                 sigslen = sizeof(tls12_sigalgs);
650 #ifdef OPENSSL_FIPS
651                 /* If FIPS mode don't include MD5 which is last */
652                 if (FIPS_mode())
653                         sigslen -= 2;
654 #endif
655                 }
656
657         if (p)
658                 memcpy(p, sigs, sigslen);
659         return sigslen;
660         }
661
662 /* byte_compare is a compare function for qsort(3) that compares bytes. */
663 static int byte_compare(const void *in_a, const void *in_b)
664         {
665         unsigned char a = *((const unsigned char*) in_a);
666         unsigned char b = *((const unsigned char*) in_b);
667
668         if (a > b)
669                 return 1;
670         else if (a < b)
671                 return -1;
672         return 0;
673 }
674
675 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
676         {
677         int extdatalen=0;
678         unsigned char *ret = p;
679 #ifndef OPENSSL_NO_EC
680         /* See if we support any ECC ciphersuites */
681         int using_ecc = 0;
682         if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
683                 {
684                 int i;
685                 unsigned long alg_k, alg_a;
686                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
687
688                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
689                         {
690                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
691
692                         alg_k = c->algorithm_mkey;
693                         alg_a = c->algorithm_auth;
694                         if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
695                                 || (alg_a & SSL_aECDSA)))
696                                 {
697                                 using_ecc = 1;
698                                 break;
699                                 }
700                         }
701                 }
702 #endif
703
704         /* don't add extensions for SSLv3 unless doing secure renegotiation */
705         if (s->client_version == SSL3_VERSION
706                                         && !s->s3->send_connection_binding)
707                 return p;
708
709         ret+=2;
710
711         if (ret>=limit) return NULL; /* this really never occurs, but ... */
712
713         if (s->tlsext_hostname != NULL)
714                 { 
715                 /* Add TLS extension servername to the Client Hello message */
716                 unsigned long size_str;
717                 long lenmax; 
718
719                 /* check for enough space.
720                    4 for the servername type and entension length
721                    2 for servernamelist length
722                    1 for the hostname type
723                    2 for hostname length
724                    + hostname length 
725                 */
726                    
727                 if ((lenmax = limit - ret - 9) < 0 
728                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
729                         return NULL;
730                         
731                 /* extension type and length */
732                 s2n(TLSEXT_TYPE_server_name,ret); 
733                 s2n(size_str+5,ret);
734                 
735                 /* length of servername list */
736                 s2n(size_str+3,ret);
737         
738                 /* hostname type, length and hostname */
739                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
740                 s2n(size_str,ret);
741                 memcpy(ret, s->tlsext_hostname, size_str);
742                 ret+=size_str;
743                 }
744
745         /* Add RI if renegotiating */
746         if (s->renegotiate)
747           {
748           int el;
749           
750           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
751               {
752               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
753               return NULL;
754               }
755
756           if((limit - p - 4 - el) < 0) return NULL;
757           
758           s2n(TLSEXT_TYPE_renegotiate,ret);
759           s2n(el,ret);
760
761           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
762               {
763               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
764               return NULL;
765               }
766
767           ret += el;
768         }
769
770 #ifndef OPENSSL_NO_SRP
771         /* Add SRP username if there is one */
772         if (s->srp_ctx.login != NULL)
773                 { /* Add TLS extension SRP username to the Client Hello message */
774
775                 int login_len = strlen(s->srp_ctx.login);       
776                 if (login_len > 255 || login_len == 0)
777                         {
778                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
779                         return NULL;
780                         } 
781
782                 /* check for enough space.
783                    4 for the srp type type and entension length
784                    1 for the srp user identity
785                    + srp user identity length 
786                 */
787                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
788
789                 /* fill in the extension */
790                 s2n(TLSEXT_TYPE_srp,ret);
791                 s2n(login_len+1,ret);
792                 (*ret++) = (unsigned char) login_len;
793                 memcpy(ret, s->srp_ctx.login, login_len);
794                 ret+=login_len;
795                 }
796 #endif
797
798 #ifndef OPENSSL_NO_EC
799         if (using_ecc)
800                 {
801                 /* Add TLS extension ECPointFormats to the ClientHello message */
802                 long lenmax; 
803                 const unsigned char *plist;
804                 size_t plistlen;
805                 /* If we have a custom point format list use it otherwise
806                  * use default */
807                 plist = s->tlsext_ecpointformatlist;
808                 if (plist)
809                         plistlen = s->tlsext_ecpointformatlist_length;
810                 else
811                         {
812                         plist = ecformats_default;
813                         plistlen = sizeof(ecformats_default);
814                         }
815
816                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
817                 if (plistlen > (size_t)lenmax) return NULL;
818                 if (plistlen > 255)
819                         {
820                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
821                         return NULL;
822                         }
823                 
824                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
825                 s2n(plistlen + 1,ret);
826                 *(ret++) = (unsigned char)plistlen ;
827                 memcpy(ret, plist, plistlen);
828                 ret+=plistlen;
829
830                 /* Add TLS extension EllipticCurves to the ClientHello message */
831                 plist = s->tlsext_ellipticcurvelist;
832                 tls1_get_curvelist(s, 0, &plist, &plistlen);
833
834                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
835                 if (plistlen > (size_t)lenmax) return NULL;
836                 if (plistlen > 65532)
837                         {
838                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
839                         return NULL;
840                         }
841                 
842                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
843                 s2n(plistlen + 2, ret);
844
845                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
846                  * elliptic_curve_list, but the examples use two bytes.
847                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
848                  * resolves this to two bytes.
849                  */
850                 s2n(plistlen, ret);
851                 memcpy(ret, plist, plistlen);
852                 ret+=plistlen;
853                 }
854 #endif /* OPENSSL_NO_EC */
855
856         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
857                 {
858                 int ticklen;
859                 if (!s->new_session && s->session && s->session->tlsext_tick)
860                         ticklen = s->session->tlsext_ticklen;
861                 else if (s->session && s->tlsext_session_ticket &&
862                          s->tlsext_session_ticket->data)
863                         {
864                         ticklen = s->tlsext_session_ticket->length;
865                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
866                         if (!s->session->tlsext_tick)
867                                 return NULL;
868                         memcpy(s->session->tlsext_tick,
869                                s->tlsext_session_ticket->data,
870                                ticklen);
871                         s->session->tlsext_ticklen = ticklen;
872                         }
873                 else
874                         ticklen = 0;
875                 if (ticklen == 0 && s->tlsext_session_ticket &&
876                     s->tlsext_session_ticket->data == NULL)
877                         goto skip_ext;
878                 /* Check for enough room 2 for extension type, 2 for len
879                  * rest for ticket
880                  */
881                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
882                 s2n(TLSEXT_TYPE_session_ticket,ret); 
883                 s2n(ticklen,ret);
884                 if (ticklen)
885                         {
886                         memcpy(ret, s->session->tlsext_tick, ticklen);
887                         ret += ticklen;
888                         }
889                 }
890                 skip_ext:
891
892         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
893                 {
894                 size_t salglen;
895                 salglen = tls12_get_sig_algs(s, NULL);
896                 if ((size_t)(limit - ret) < salglen + 6)
897                         return NULL; 
898                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
899                 s2n(salglen + 2, ret);
900                 s2n(salglen, ret);
901                 tls12_get_sig_algs(s, ret);
902                 ret += salglen;
903                 }
904
905 #ifdef TLSEXT_TYPE_opaque_prf_input
906         if (s->s3->client_opaque_prf_input != NULL &&
907             s->version != DTLS1_VERSION)
908                 {
909                 size_t col = s->s3->client_opaque_prf_input_len;
910                 
911                 if ((long)(limit - ret - 6 - col < 0))
912                         return NULL;
913                 if (col > 0xFFFD) /* can't happen */
914                         return NULL;
915
916                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
917                 s2n(col + 2, ret);
918                 s2n(col, ret);
919                 memcpy(ret, s->s3->client_opaque_prf_input, col);
920                 ret += col;
921                 }
922 #endif
923
924         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
925             s->version != DTLS1_VERSION)
926                 {
927                 int i;
928                 long extlen, idlen, itmp;
929                 OCSP_RESPID *id;
930
931                 idlen = 0;
932                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
933                         {
934                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
935                         itmp = i2d_OCSP_RESPID(id, NULL);
936                         if (itmp <= 0)
937                                 return NULL;
938                         idlen += itmp + 2;
939                         }
940
941                 if (s->tlsext_ocsp_exts)
942                         {
943                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
944                         if (extlen < 0)
945                                 return NULL;
946                         }
947                 else
948                         extlen = 0;
949                         
950                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
951                 s2n(TLSEXT_TYPE_status_request, ret);
952                 if (extlen + idlen > 0xFFF0)
953                         return NULL;
954                 s2n(extlen + idlen + 5, ret);
955                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
956                 s2n(idlen, ret);
957                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
958                         {
959                         /* save position of id len */
960                         unsigned char *q = ret;
961                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
962                         /* skip over id len */
963                         ret += 2;
964                         itmp = i2d_OCSP_RESPID(id, &ret);
965                         /* write id len */
966                         s2n(itmp, q);
967                         }
968                 s2n(extlen, ret);
969                 if (extlen > 0)
970                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
971                 }
972
973 #ifndef OPENSSL_NO_HEARTBEATS
974         /* Add Heartbeat extension */
975         s2n(TLSEXT_TYPE_heartbeat,ret);
976         s2n(1,ret);
977         /* Set mode:
978          * 1: peer may send requests
979          * 2: peer not allowed to send requests
980          */
981         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
982                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
983         else
984                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
985 #endif
986
987 #ifndef OPENSSL_NO_NEXTPROTONEG
988         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
989                 {
990                 /* The client advertises an emtpy extension to indicate its
991                  * support for Next Protocol Negotiation */
992                 if (limit - ret - 4 < 0)
993                         return NULL;
994                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
995                 s2n(0,ret);
996                 }
997 #endif
998
999         if(SSL_get_srtp_profiles(s))
1000                 {
1001                 int el;
1002
1003                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1004                 
1005                 if((limit - p - 4 - el) < 0) return NULL;
1006
1007                 s2n(TLSEXT_TYPE_use_srtp,ret);
1008                 s2n(el,ret);
1009
1010                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1011                         {
1012                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1013                         return NULL;
1014                         }
1015                 ret += el;
1016                 }
1017
1018         /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1019         /* 2 bytes for extension type */
1020         /* 2 bytes for extension length */
1021         /* 1 byte for the list length */
1022         /* 1 byte for the list (we only support audit proofs) */
1023         if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1024                 {
1025                 size_t lenmax;
1026                 const unsigned short ext_len = 2;
1027                 const unsigned char list_len = 1;
1028
1029                 if ((lenmax = limit - ret - 6) < 0) return NULL;
1030
1031                 s2n(TLSEXT_TYPE_server_authz, ret);
1032                 /* Extension length: 2 bytes */
1033                 s2n(ext_len, ret);
1034                 *(ret++) = list_len;
1035                 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1036                 }
1037
1038         if ((extdatalen = ret-p-2) == 0)
1039                 return p;
1040
1041         s2n(extdatalen,p);
1042         return ret;
1043         }
1044
1045 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1046         {
1047         int extdatalen=0;
1048         unsigned char *ret = p;
1049 #ifndef OPENSSL_NO_NEXTPROTONEG
1050         int next_proto_neg_seen;
1051 #endif
1052
1053         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1054         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1055                 return p;
1056         
1057         ret+=2;
1058         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1059
1060         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1061                 { 
1062                 if ((long)(limit - ret - 4) < 0) return NULL; 
1063
1064                 s2n(TLSEXT_TYPE_server_name,ret);
1065                 s2n(0,ret);
1066                 }
1067
1068         if(s->s3->send_connection_binding)
1069         {
1070           int el;
1071           
1072           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1073               {
1074               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1075               return NULL;
1076               }
1077
1078           if((limit - p - 4 - el) < 0) return NULL;
1079           
1080           s2n(TLSEXT_TYPE_renegotiate,ret);
1081           s2n(el,ret);
1082
1083           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1084               {
1085               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1086               return NULL;
1087               }
1088
1089           ret += el;
1090         }
1091
1092 #ifndef OPENSSL_NO_EC
1093         if (s->tlsext_ecpointformatlist != NULL &&
1094             s->version != DTLS1_VERSION)
1095                 {
1096                 /* Add TLS extension ECPointFormats to the ServerHello message */
1097                 long lenmax; 
1098
1099                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1100                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
1101                 if (s->tlsext_ecpointformatlist_length > 255)
1102                         {
1103                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1104                         return NULL;
1105                         }
1106                 
1107                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1108                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
1109                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
1110                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
1111                 ret+=s->tlsext_ecpointformatlist_length;
1112
1113                 }
1114         /* Currently the server should not respond with a SupportedCurves extension */
1115 #endif /* OPENSSL_NO_EC */
1116
1117         if (s->tlsext_ticket_expected
1118                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
1119                 { 
1120                 if ((long)(limit - ret - 4) < 0) return NULL; 
1121                 s2n(TLSEXT_TYPE_session_ticket,ret);
1122                 s2n(0,ret);
1123                 }
1124
1125         if (s->tlsext_status_expected)
1126                 { 
1127                 if ((long)(limit - ret - 4) < 0) return NULL; 
1128                 s2n(TLSEXT_TYPE_status_request,ret);
1129                 s2n(0,ret);
1130                 }
1131
1132 #ifdef TLSEXT_TYPE_opaque_prf_input
1133         if (s->s3->server_opaque_prf_input != NULL &&
1134             s->version != DTLS1_VERSION)
1135                 {
1136                 size_t sol = s->s3->server_opaque_prf_input_len;
1137                 
1138                 if ((long)(limit - ret - 6 - sol) < 0)
1139                         return NULL;
1140                 if (sol > 0xFFFD) /* can't happen */
1141                         return NULL;
1142
1143                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1144                 s2n(sol + 2, ret);
1145                 s2n(sol, ret);
1146                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1147                 ret += sol;
1148                 }
1149 #endif
1150
1151         if(s->srtp_profile)
1152                 {
1153                 int el;
1154
1155                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1156                 
1157                 if((limit - p - 4 - el) < 0) return NULL;
1158
1159                 s2n(TLSEXT_TYPE_use_srtp,ret);
1160                 s2n(el,ret);
1161
1162                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1163                         {
1164                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1165                         return NULL;
1166                         }
1167                 ret+=el;
1168                 }
1169
1170         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1171                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1172                 { const unsigned char cryptopro_ext[36] = {
1173                         0xfd, 0xe8, /*65000*/
1174                         0x00, 0x20, /*32 bytes length*/
1175                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1176                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1177                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1178                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1179                         if (limit-ret<36) return NULL;
1180                         memcpy(ret,cryptopro_ext,36);
1181                         ret+=36;
1182
1183                 }
1184
1185 #ifndef OPENSSL_NO_HEARTBEATS
1186         /* Add Heartbeat extension if we've received one */
1187         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1188                 {
1189                 s2n(TLSEXT_TYPE_heartbeat,ret);
1190                 s2n(1,ret);
1191                 /* Set mode:
1192                  * 1: peer may send requests
1193                  * 2: peer not allowed to send requests
1194                  */
1195                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1196                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1197                 else
1198                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1199
1200                 }
1201 #endif
1202
1203 #ifndef OPENSSL_NO_NEXTPROTONEG
1204         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1205         s->s3->next_proto_neg_seen = 0;
1206         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1207                 {
1208                 const unsigned char *npa;
1209                 unsigned int npalen;
1210                 int r;
1211
1212                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1213                 if (r == SSL_TLSEXT_ERR_OK)
1214                         {
1215                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1216                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1217                         s2n(npalen,ret);
1218                         memcpy(ret, npa, npalen);
1219                         ret += npalen;
1220                         s->s3->next_proto_neg_seen = 1;
1221                         }
1222                 }
1223 #endif
1224
1225         /* If the client supports authz then see whether we have any to offer
1226          * to it. */
1227         if (s->s3->tlsext_authz_client_types_len)
1228                 {
1229                 size_t authz_length;
1230                 /* By now we already know the new cipher, so we can look ahead
1231                  * to see whether the cert we are going to send
1232                  * has any authz data attached to it. */
1233                 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1234                 const unsigned char* const orig_authz = authz;
1235                 size_t i;
1236                 unsigned authz_count = 0;
1237
1238                 /* The authz data contains a number of the following structures:
1239                  *      uint8_t authz_type
1240                  *      uint16_t length
1241                  *      uint8_t data[length]
1242                  *
1243                  * First we walk over it to find the number of authz elements. */
1244                 for (i = 0; i < authz_length; i++)
1245                         {
1246                         unsigned short length;
1247                         unsigned char type;
1248
1249                         type = *(authz++);
1250                         if (memchr(s->s3->tlsext_authz_client_types,
1251                                    type,
1252                                    s->s3->tlsext_authz_client_types_len) != NULL)
1253                                 authz_count++;
1254
1255                         n2s(authz, length);
1256                         /* n2s increments authz by 2 */
1257                         i += 2;
1258                         authz += length;
1259                         i += length;
1260                         }
1261
1262                 if (authz_count)
1263                         {
1264                         /* Add TLS extension server_authz to the ServerHello message
1265                          * 2 bytes for extension type
1266                          * 2 bytes for extension length
1267                          * 1 byte for the list length
1268                          * n bytes for the list */
1269                         const unsigned short ext_len = 1 + authz_count;
1270
1271                         if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1272                         s2n(TLSEXT_TYPE_server_authz, ret);
1273                         s2n(ext_len, ret);
1274                         *(ret++) = authz_count;
1275                         s->s3->tlsext_authz_promised_to_client = 1;
1276                         }
1277
1278                 authz = orig_authz;
1279                 for (i = 0; i < authz_length; i++)
1280                         {
1281                         unsigned short length;
1282                         unsigned char type;
1283
1284                         authz_count++;
1285                         type = *(authz++);
1286                         if (memchr(s->s3->tlsext_authz_client_types,
1287                                    type,
1288                                    s->s3->tlsext_authz_client_types_len) != NULL)
1289                                 *(ret++) = type;
1290                         n2s(authz, length);
1291                         /* n2s increments authz by 2 */
1292                         i += 2;
1293                         authz += length;
1294                         i += length;
1295                         }
1296                 }
1297
1298         if ((extdatalen = ret-p-2)== 0) 
1299                 return p;
1300
1301         s2n(extdatalen,p);
1302         return ret;
1303         }
1304
1305 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1306         {       
1307         unsigned short type;
1308         unsigned short size;
1309         unsigned short len;
1310         unsigned char *data = *p;
1311         int renegotiate_seen = 0;
1312
1313         s->servername_done = 0;
1314         s->tlsext_status_type = -1;
1315 #ifndef OPENSSL_NO_NEXTPROTONEG
1316         s->s3->next_proto_neg_seen = 0;
1317 #endif
1318
1319 #ifndef OPENSSL_NO_HEARTBEATS
1320         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1321                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1322 #endif
1323         /* Clear any signature algorithms extension received */
1324         if (s->cert->peer_sigalgs)
1325                 {
1326                 OPENSSL_free(s->cert->peer_sigalgs);
1327                 s->cert->peer_sigalgs = NULL;
1328                 }
1329         /* Clear any shared sigtnature algorithms */
1330         if (s->cert->shared_sigalgs)
1331                 {
1332                 OPENSSL_free(s->cert->shared_sigalgs);
1333                 s->cert->shared_sigalgs = NULL;
1334                 }
1335
1336         if (data >= (d+n-2))
1337                 goto ri_check;
1338         n2s(data,len);
1339
1340         if (data > (d+n-len)) 
1341                 goto ri_check;
1342
1343         while (data <= (d+n-4))
1344                 {
1345                 n2s(data,type);
1346                 n2s(data,size);
1347
1348                 if (data+size > (d+n))
1349                         goto ri_check;
1350 #if 0
1351                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1352 #endif
1353                 if (s->tlsext_debug_cb)
1354                         s->tlsext_debug_cb(s, 0, type, data, size,
1355                                                 s->tlsext_debug_arg);
1356 /* The servername extension is treated as follows:
1357
1358    - Only the hostname type is supported with a maximum length of 255.
1359    - The servername is rejected if too long or if it contains zeros,
1360      in which case an fatal alert is generated.
1361    - The servername field is maintained together with the session cache.
1362    - When a session is resumed, the servername call back invoked in order
1363      to allow the application to position itself to the right context. 
1364    - The servername is acknowledged if it is new for a session or when 
1365      it is identical to a previously used for the same session. 
1366      Applications can control the behaviour.  They can at any time
1367      set a 'desirable' servername for a new SSL object. This can be the
1368      case for example with HTTPS when a Host: header field is received and
1369      a renegotiation is requested. In this case, a possible servername
1370      presented in the new client hello is only acknowledged if it matches
1371      the value of the Host: field. 
1372    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1373      if they provide for changing an explicit servername context for the session,
1374      i.e. when the session has been established with a servername extension. 
1375    - On session reconnect, the servername extension may be absent. 
1376
1377 */      
1378
1379                 if (type == TLSEXT_TYPE_server_name)
1380                         {
1381                         unsigned char *sdata;
1382                         int servname_type;
1383                         int dsize; 
1384                 
1385                         if (size < 2) 
1386                                 {
1387                                 *al = SSL_AD_DECODE_ERROR;
1388                                 return 0;
1389                                 }
1390                         n2s(data,dsize);  
1391                         size -= 2;
1392                         if (dsize > size  ) 
1393                                 {
1394                                 *al = SSL_AD_DECODE_ERROR;
1395                                 return 0;
1396                                 } 
1397
1398                         sdata = data;
1399                         while (dsize > 3) 
1400                                 {
1401                                 servname_type = *(sdata++); 
1402                                 n2s(sdata,len);
1403                                 dsize -= 3;
1404
1405                                 if (len > dsize) 
1406                                         {
1407                                         *al = SSL_AD_DECODE_ERROR;
1408                                         return 0;
1409                                         }
1410                                 if (s->servername_done == 0)
1411                                 switch (servname_type)
1412                                         {
1413                                 case TLSEXT_NAMETYPE_host_name:
1414                                         if (!s->hit)
1415                                                 {
1416                                                 if(s->session->tlsext_hostname)
1417                                                         {
1418                                                         *al = SSL_AD_DECODE_ERROR;
1419                                                         return 0;
1420                                                         }
1421                                                 if (len > TLSEXT_MAXLEN_host_name)
1422                                                         {
1423                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1424                                                         return 0;
1425                                                         }
1426                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1427                                                         {
1428                                                         *al = TLS1_AD_INTERNAL_ERROR;
1429                                                         return 0;
1430                                                         }
1431                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1432                                                 s->session->tlsext_hostname[len]='\0';
1433                                                 if (strlen(s->session->tlsext_hostname) != len) {
1434                                                         OPENSSL_free(s->session->tlsext_hostname);
1435                                                         s->session->tlsext_hostname = NULL;
1436                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1437                                                         return 0;
1438                                                 }
1439                                                 s->servername_done = 1; 
1440
1441                                                 }
1442                                         else 
1443                                                 s->servername_done = s->session->tlsext_hostname
1444                                                         && strlen(s->session->tlsext_hostname) == len 
1445                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1446                                         
1447                                         break;
1448
1449                                 default:
1450                                         break;
1451                                         }
1452                                  
1453                                 dsize -= len;
1454                                 }
1455                         if (dsize != 0) 
1456                                 {
1457                                 *al = SSL_AD_DECODE_ERROR;
1458                                 return 0;
1459                                 }
1460
1461                         }
1462 #ifndef OPENSSL_NO_SRP
1463                 else if (type == TLSEXT_TYPE_srp)
1464                         {
1465                         if (size <= 0 || ((len = data[0])) != (size -1))
1466                                 {
1467                                 *al = SSL_AD_DECODE_ERROR;
1468                                 return 0;
1469                                 }
1470                         if (s->srp_ctx.login != NULL)
1471                                 {
1472                                 *al = SSL_AD_DECODE_ERROR;
1473                                 return 0;
1474                                 }
1475                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1476                                 return -1;
1477                         memcpy(s->srp_ctx.login, &data[1], len);
1478                         s->srp_ctx.login[len]='\0';
1479   
1480                         if (strlen(s->srp_ctx.login) != len) 
1481                                 {
1482                                 *al = SSL_AD_DECODE_ERROR;
1483                                 return 0;
1484                                 }
1485                         }
1486 #endif
1487
1488 #ifndef OPENSSL_NO_EC
1489                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1490                      s->version != DTLS1_VERSION)
1491                         {
1492                         unsigned char *sdata = data;
1493                         int ecpointformatlist_length = *(sdata++);
1494
1495                         if (ecpointformatlist_length != size - 1)
1496                                 {
1497                                 *al = TLS1_AD_DECODE_ERROR;
1498                                 return 0;
1499                                 }
1500                         if (!s->hit)
1501                                 {
1502                                 if(s->session->tlsext_ecpointformatlist)
1503                                         {
1504                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1505                                         s->session->tlsext_ecpointformatlist = NULL;
1506                                         }
1507                                 s->session->tlsext_ecpointformatlist_length = 0;
1508                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1509                                         {
1510                                         *al = TLS1_AD_INTERNAL_ERROR;
1511                                         return 0;
1512                                         }
1513                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1514                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1515                                 }
1516 #if 0
1517                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1518                         sdata = s->session->tlsext_ecpointformatlist;
1519                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1520                                 fprintf(stderr,"%i ",*(sdata++));
1521                         fprintf(stderr,"\n");
1522 #endif
1523                         }
1524                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1525                      s->version != DTLS1_VERSION)
1526                         {
1527                         unsigned char *sdata = data;
1528                         int ellipticcurvelist_length = (*(sdata++) << 8);
1529                         ellipticcurvelist_length += (*(sdata++));
1530
1531                         if (ellipticcurvelist_length != size - 2)
1532                                 {
1533                                 *al = TLS1_AD_DECODE_ERROR;
1534                                 return 0;
1535                                 }
1536                         if (!s->hit)
1537                                 {
1538                                 if(s->session->tlsext_ellipticcurvelist)
1539                                         {
1540                                         *al = TLS1_AD_DECODE_ERROR;
1541                                         return 0;
1542                                         }
1543                                 s->session->tlsext_ellipticcurvelist_length = 0;
1544                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1545                                         {
1546                                         *al = TLS1_AD_INTERNAL_ERROR;
1547                                         return 0;
1548                                         }
1549                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1550                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1551                                 }
1552 #if 0
1553                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1554                         sdata = s->session->tlsext_ellipticcurvelist;
1555                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1556                                 fprintf(stderr,"%i ",*(sdata++));
1557                         fprintf(stderr,"\n");
1558 #endif
1559                         }
1560 #endif /* OPENSSL_NO_EC */
1561 #ifdef TLSEXT_TYPE_opaque_prf_input
1562                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1563                      s->version != DTLS1_VERSION)
1564                         {
1565                         unsigned char *sdata = data;
1566
1567                         if (size < 2)
1568                                 {
1569                                 *al = SSL_AD_DECODE_ERROR;
1570                                 return 0;
1571                                 }
1572                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1573                         if (s->s3->client_opaque_prf_input_len != size - 2)
1574                                 {
1575                                 *al = SSL_AD_DECODE_ERROR;
1576                                 return 0;
1577                                 }
1578
1579                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1580                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1581                         if (s->s3->client_opaque_prf_input_len == 0)
1582                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1583                         else
1584                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1585                         if (s->s3->client_opaque_prf_input == NULL)
1586                                 {
1587                                 *al = TLS1_AD_INTERNAL_ERROR;
1588                                 return 0;
1589                                 }
1590                         }
1591 #endif
1592                 else if (type == TLSEXT_TYPE_session_ticket)
1593                         {
1594                         if (s->tls_session_ticket_ext_cb &&
1595                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1596                                 {
1597                                 *al = TLS1_AD_INTERNAL_ERROR;
1598                                 return 0;
1599                                 }
1600                         }
1601                 else if (type == TLSEXT_TYPE_renegotiate)
1602                         {
1603                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1604                                 return 0;
1605                         renegotiate_seen = 1;
1606                         }
1607                 else if (type == TLSEXT_TYPE_signature_algorithms)
1608                         {
1609                         int dsize;
1610                         if (s->cert->peer_sigalgs || size < 2) 
1611                                 {
1612                                 *al = SSL_AD_DECODE_ERROR;
1613                                 return 0;
1614                                 }
1615                         n2s(data,dsize);
1616                         size -= 2;
1617                         if (dsize != size || dsize & 1 || !dsize) 
1618                                 {
1619                                 *al = SSL_AD_DECODE_ERROR;
1620                                 return 0;
1621                                 }
1622                         if (!tls1_process_sigalgs(s, data, dsize))
1623                                 {
1624                                 *al = SSL_AD_DECODE_ERROR;
1625                                 return 0;
1626                                 }
1627                         /* If sigalgs received and no shared algorithms fatal
1628                          * error.
1629                          */
1630                         if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
1631                                 {
1632                                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1633                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
1634                                 *al = SSL_AD_ILLEGAL_PARAMETER;
1635                                 return 0;
1636                                 }
1637                         }
1638                 else if (type == TLSEXT_TYPE_status_request &&
1639                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1640                         {
1641                 
1642                         if (size < 5) 
1643                                 {
1644                                 *al = SSL_AD_DECODE_ERROR;
1645                                 return 0;
1646                                 }
1647
1648                         s->tlsext_status_type = *data++;
1649                         size--;
1650                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1651                                 {
1652                                 const unsigned char *sdata;
1653                                 int dsize;
1654                                 /* Read in responder_id_list */
1655                                 n2s(data,dsize);
1656                                 size -= 2;
1657                                 if (dsize > size  ) 
1658                                         {
1659                                         *al = SSL_AD_DECODE_ERROR;
1660                                         return 0;
1661                                         }
1662                                 while (dsize > 0)
1663                                         {
1664                                         OCSP_RESPID *id;
1665                                         int idsize;
1666                                         if (dsize < 4)
1667                                                 {
1668                                                 *al = SSL_AD_DECODE_ERROR;
1669                                                 return 0;
1670                                                 }
1671                                         n2s(data, idsize);
1672                                         dsize -= 2 + idsize;
1673                                         size -= 2 + idsize;
1674                                         if (dsize < 0)
1675                                                 {
1676                                                 *al = SSL_AD_DECODE_ERROR;
1677                                                 return 0;
1678                                                 }
1679                                         sdata = data;
1680                                         data += idsize;
1681                                         id = d2i_OCSP_RESPID(NULL,
1682                                                                 &sdata, idsize);
1683                                         if (!id)
1684                                                 {
1685                                                 *al = SSL_AD_DECODE_ERROR;
1686                                                 return 0;
1687                                                 }
1688                                         if (data != sdata)
1689                                                 {
1690                                                 OCSP_RESPID_free(id);
1691                                                 *al = SSL_AD_DECODE_ERROR;
1692                                                 return 0;
1693                                                 }
1694                                         if (!s->tlsext_ocsp_ids
1695                                                 && !(s->tlsext_ocsp_ids =
1696                                                 sk_OCSP_RESPID_new_null()))
1697                                                 {
1698                                                 OCSP_RESPID_free(id);
1699                                                 *al = SSL_AD_INTERNAL_ERROR;
1700                                                 return 0;
1701                                                 }
1702                                         if (!sk_OCSP_RESPID_push(
1703                                                         s->tlsext_ocsp_ids, id))
1704                                                 {
1705                                                 OCSP_RESPID_free(id);
1706                                                 *al = SSL_AD_INTERNAL_ERROR;
1707                                                 return 0;
1708                                                 }
1709                                         }
1710
1711                                 /* Read in request_extensions */
1712                                 if (size < 2)
1713                                         {
1714                                         *al = SSL_AD_DECODE_ERROR;
1715                                         return 0;
1716                                         }
1717                                 n2s(data,dsize);
1718                                 size -= 2;
1719                                 if (dsize != size)
1720                                         {
1721                                         *al = SSL_AD_DECODE_ERROR;
1722                                         return 0;
1723                                         }
1724                                 sdata = data;
1725                                 if (dsize > 0)
1726                                         {
1727                                         if (s->tlsext_ocsp_exts)
1728                                                 {
1729                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1730                                                                            X509_EXTENSION_free);
1731                                                 }
1732
1733                                         s->tlsext_ocsp_exts =
1734                                                 d2i_X509_EXTENSIONS(NULL,
1735                                                         &sdata, dsize);
1736                                         if (!s->tlsext_ocsp_exts
1737                                                 || (data + dsize != sdata))
1738                                                 {
1739                                                 *al = SSL_AD_DECODE_ERROR;
1740                                                 return 0;
1741                                                 }
1742                                         }
1743                                 }
1744                                 /* We don't know what to do with any other type
1745                                 * so ignore it.
1746                                 */
1747                                 else
1748                                         s->tlsext_status_type = -1;
1749                         }
1750 #ifndef OPENSSL_NO_HEARTBEATS
1751                 else if (type == TLSEXT_TYPE_heartbeat)
1752                         {
1753                         switch(data[0])
1754                                 {
1755                                 case 0x01:      /* Client allows us to send HB requests */
1756                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1757                                                         break;
1758                                 case 0x02:      /* Client doesn't accept HB requests */
1759                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1760                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1761                                                         break;
1762                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1763                                                         return 0;
1764                                 }
1765                         }
1766 #endif
1767 #ifndef OPENSSL_NO_NEXTPROTONEG
1768                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1769                          s->s3->tmp.finish_md_len == 0)
1770                         {
1771                         /* We shouldn't accept this extension on a
1772                          * renegotiation.
1773                          *
1774                          * s->new_session will be set on renegotiation, but we
1775                          * probably shouldn't rely that it couldn't be set on
1776                          * the initial renegotation too in certain cases (when
1777                          * there's some other reason to disallow resuming an
1778                          * earlier session -- the current code won't be doing
1779                          * anything like that, but this might change).
1780
1781                          * A valid sign that there's been a previous handshake
1782                          * in this connection is if s->s3->tmp.finish_md_len >
1783                          * 0.  (We are talking about a check that will happen
1784                          * in the Hello protocol round, well before a new
1785                          * Finished message could have been computed.) */
1786                         s->s3->next_proto_neg_seen = 1;
1787                         }
1788 #endif
1789
1790                 /* session ticket processed earlier */
1791                 else if (type == TLSEXT_TYPE_use_srtp)
1792                         {
1793                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1794                                                               al))
1795                                 return 0;
1796                         }
1797
1798                 else if (type == TLSEXT_TYPE_server_authz)
1799                         {
1800                         unsigned char *sdata = data;
1801                         unsigned char server_authz_dataformatlist_length;
1802
1803                         if (size == 0)
1804                                 {
1805                                 *al = TLS1_AD_DECODE_ERROR;
1806                                 return 0;
1807                                 }
1808
1809                         server_authz_dataformatlist_length = *(sdata++);
1810
1811                         if (server_authz_dataformatlist_length != size - 1)
1812                                 {
1813                                 *al = TLS1_AD_DECODE_ERROR;
1814                                 return 0;
1815                                 }
1816
1817                         /* Successful session resumption uses the same authz
1818                          * information as the original session so we ignore this
1819                          * in the case of a session resumption. */
1820                         if (!s->hit)
1821                                 {
1822                                 size_t i;
1823                                 if (s->s3->tlsext_authz_client_types != NULL)
1824                                         OPENSSL_free(s->s3->tlsext_authz_client_types);
1825                                 s->s3->tlsext_authz_client_types =
1826                                         OPENSSL_malloc(server_authz_dataformatlist_length);
1827                                 if (!s->s3->tlsext_authz_client_types)
1828                                         {
1829                                         *al = TLS1_AD_INTERNAL_ERROR;
1830                                         return 0;
1831                                         }
1832
1833                                 s->s3->tlsext_authz_client_types_len =
1834                                         server_authz_dataformatlist_length;
1835                                 memcpy(s->s3->tlsext_authz_client_types,
1836                                        sdata,
1837                                        server_authz_dataformatlist_length);
1838
1839                                 /* Sort the types in order to check for duplicates. */
1840                                 qsort(s->s3->tlsext_authz_client_types,
1841                                       server_authz_dataformatlist_length,
1842                                       1 /* element size */,
1843                                       byte_compare);
1844
1845                                 for (i = 0; i < server_authz_dataformatlist_length; i++)
1846                                         {
1847                                         if (i > 0 &&
1848                                             s->s3->tlsext_authz_client_types[i] ==
1849                                               s->s3->tlsext_authz_client_types[i-1])
1850                                                 {
1851                                                 *al = TLS1_AD_DECODE_ERROR;
1852                                                 return 0;
1853                                                 }
1854                                         }
1855                                 }
1856                         }
1857
1858                 data+=size;
1859                 }
1860
1861         *p = data;
1862
1863         ri_check:
1864
1865         /* Need RI if renegotiating */
1866
1867         if (!renegotiate_seen && s->renegotiate &&
1868                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1869                 {
1870                 *al = SSL_AD_HANDSHAKE_FAILURE;
1871                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1872                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1873                 return 0;
1874                 }
1875         /* If no signature algorithms extension set default values */
1876         if (!s->cert->peer_sigalgs)
1877                 ssl_cert_set_default_md(s->cert);
1878
1879         return 1;
1880         }
1881
1882 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
1883         {
1884         int al = -1;
1885         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
1886                 {
1887                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1888                 return 0;
1889                 }
1890
1891         if (ssl_check_clienthello_tlsext(s) <= 0) 
1892                 {
1893                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
1894                 return 0;
1895                 }
1896         return 1;
1897 }
1898
1899 #ifndef OPENSSL_NO_NEXTPROTONEG
1900 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1901  * elements of zero length are allowed and the set of elements must exactly fill
1902  * the length of the block. */
1903 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1904         {
1905         unsigned int off = 0;
1906
1907         while (off < len)
1908                 {
1909                 if (d[off] == 0)
1910                         return 0;
1911                 off += d[off];
1912                 off++;
1913                 }
1914
1915         return off == len;
1916         }
1917 #endif
1918
1919 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1920         {
1921         unsigned short length;
1922         unsigned short type;
1923         unsigned short size;
1924         unsigned char *data = *p;
1925         int tlsext_servername = 0;
1926         int renegotiate_seen = 0;
1927
1928 #ifndef OPENSSL_NO_NEXTPROTONEG
1929         s->s3->next_proto_neg_seen = 0;
1930 #endif
1931
1932 #ifndef OPENSSL_NO_HEARTBEATS
1933         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1934                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1935 #endif
1936
1937         if (data >= (d+n-2))
1938                 goto ri_check;
1939
1940         n2s(data,length);
1941         if (data+length != d+n)
1942                 {
1943                 *al = SSL_AD_DECODE_ERROR;
1944                 return 0;
1945                 }
1946
1947         while(data <= (d+n-4))
1948                 {
1949                 n2s(data,type);
1950                 n2s(data,size);
1951
1952                 if (data+size > (d+n))
1953                         goto ri_check;
1954
1955                 if (s->tlsext_debug_cb)
1956                         s->tlsext_debug_cb(s, 1, type, data, size,
1957                                                 s->tlsext_debug_arg);
1958
1959                 if (type == TLSEXT_TYPE_server_name)
1960                         {
1961                         if (s->tlsext_hostname == NULL || size > 0)
1962                                 {
1963                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1964                                 return 0;
1965                                 }
1966                         tlsext_servername = 1;   
1967                         }
1968
1969 #ifndef OPENSSL_NO_EC
1970                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1971                      s->version != DTLS1_VERSION)
1972                         {
1973                         unsigned char *sdata = data;
1974                         int ecpointformatlist_length = *(sdata++);
1975
1976                         if (ecpointformatlist_length != size - 1)
1977                                 {
1978                                 *al = TLS1_AD_DECODE_ERROR;
1979                                 return 0;
1980                                 }
1981                         s->session->tlsext_ecpointformatlist_length = 0;
1982                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1983                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1984                                 {
1985                                 *al = TLS1_AD_INTERNAL_ERROR;
1986                                 return 0;
1987                                 }
1988                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1989                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1990 #if 0
1991                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1992                         sdata = s->session->tlsext_ecpointformatlist;
1993                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1994                                 fprintf(stderr,"%i ",*(sdata++));
1995                         fprintf(stderr,"\n");
1996 #endif
1997                         }
1998 #endif /* OPENSSL_NO_EC */
1999
2000                 else if (type == TLSEXT_TYPE_session_ticket)
2001                         {
2002                         if (s->tls_session_ticket_ext_cb &&
2003                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2004                                 {
2005                                 *al = TLS1_AD_INTERNAL_ERROR;
2006                                 return 0;
2007                                 }
2008                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2009                                 || (size > 0))
2010                                 {
2011                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2012                                 return 0;
2013                                 }
2014                         s->tlsext_ticket_expected = 1;
2015                         }
2016 #ifdef TLSEXT_TYPE_opaque_prf_input
2017                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
2018                      s->version != DTLS1_VERSION)
2019                         {
2020                         unsigned char *sdata = data;
2021
2022                         if (size < 2)
2023                                 {
2024                                 *al = SSL_AD_DECODE_ERROR;
2025                                 return 0;
2026                                 }
2027                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2028                         if (s->s3->server_opaque_prf_input_len != size - 2)
2029                                 {
2030                                 *al = SSL_AD_DECODE_ERROR;
2031                                 return 0;
2032                                 }
2033                         
2034                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2035                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2036                         if (s->s3->server_opaque_prf_input_len == 0)
2037                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2038                         else
2039                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2040
2041                         if (s->s3->server_opaque_prf_input == NULL)
2042                                 {
2043                                 *al = TLS1_AD_INTERNAL_ERROR;
2044                                 return 0;
2045                                 }
2046                         }
2047 #endif
2048                 else if (type == TLSEXT_TYPE_status_request &&
2049                          s->version != DTLS1_VERSION)
2050                         {
2051                         /* MUST be empty and only sent if we've requested
2052                          * a status request message.
2053                          */ 
2054                         if ((s->tlsext_status_type == -1) || (size > 0))
2055                                 {
2056                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2057                                 return 0;
2058                                 }
2059                         /* Set flag to expect CertificateStatus message */
2060                         s->tlsext_status_expected = 1;
2061                         }
2062 #ifndef OPENSSL_NO_NEXTPROTONEG
2063                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2064                          s->s3->tmp.finish_md_len == 0)
2065                         {
2066                         unsigned char *selected;
2067                         unsigned char selected_len;
2068
2069                         /* We must have requested it. */
2070                         if ((s->ctx->next_proto_select_cb == NULL))
2071                                 {
2072                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2073                                 return 0;
2074                                 }
2075                         /* The data must be valid */
2076                         if (!ssl_next_proto_validate(data, size))
2077                                 {
2078                                 *al = TLS1_AD_DECODE_ERROR;
2079                                 return 0;
2080                                 }
2081                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2082                                 {
2083                                 *al = TLS1_AD_INTERNAL_ERROR;
2084                                 return 0;
2085                                 }
2086                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2087                         if (!s->next_proto_negotiated)
2088                                 {
2089                                 *al = TLS1_AD_INTERNAL_ERROR;
2090                                 return 0;
2091                                 }
2092                         memcpy(s->next_proto_negotiated, selected, selected_len);
2093                         s->next_proto_negotiated_len = selected_len;
2094                         s->s3->next_proto_neg_seen = 1;
2095                         }
2096 #endif
2097                 else if (type == TLSEXT_TYPE_renegotiate)
2098                         {
2099                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2100                                 return 0;
2101                         renegotiate_seen = 1;
2102                         }
2103 #ifndef OPENSSL_NO_HEARTBEATS
2104                 else if (type == TLSEXT_TYPE_heartbeat)
2105                         {
2106                         switch(data[0])
2107                                 {
2108                                 case 0x01:      /* Server allows us to send HB requests */
2109                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2110                                                         break;
2111                                 case 0x02:      /* Server doesn't accept HB requests */
2112                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2113                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2114                                                         break;
2115                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2116                                                         return 0;
2117                                 }
2118                         }
2119 #endif
2120                 else if (type == TLSEXT_TYPE_use_srtp)
2121                         {
2122                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2123                                                               al))
2124                                 return 0;
2125                         }
2126
2127                 else if (type == TLSEXT_TYPE_server_authz)
2128                         {
2129                         /* We only support audit proofs. It's an error to send
2130                          * an authz hello extension if the client
2131                          * didn't request a proof. */
2132                         unsigned char *sdata = data;
2133                         unsigned char server_authz_dataformatlist_length;
2134
2135                         if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2136                                 {
2137                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2138                                 return 0;
2139                                 }
2140
2141                         if (!size)
2142                                 {
2143                                 *al = TLS1_AD_DECODE_ERROR;
2144                                 return 0;
2145                                 }
2146
2147                         server_authz_dataformatlist_length = *(sdata++);
2148                         if (server_authz_dataformatlist_length != size - 1)
2149                                 {
2150                                 *al = TLS1_AD_DECODE_ERROR;
2151                                 return 0;
2152                                 }
2153
2154                         /* We only support audit proofs, so a legal ServerHello
2155                          * authz list contains exactly one entry. */
2156                         if (server_authz_dataformatlist_length != 1 ||
2157                                 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2158                                 {
2159                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2160                                 return 0;
2161                                 }
2162
2163                         s->s3->tlsext_authz_server_promised = 1;
2164                         }
2165  
2166                 data += size;
2167                 }
2168
2169         if (data != d+n)
2170                 {
2171                 *al = SSL_AD_DECODE_ERROR;
2172                 return 0;
2173                 }
2174
2175         if (!s->hit && tlsext_servername == 1)
2176                 {
2177                 if (s->tlsext_hostname)
2178                         {
2179                         if (s->session->tlsext_hostname == NULL)
2180                                 {
2181                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2182                                 if (!s->session->tlsext_hostname)
2183                                         {
2184                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2185                                         return 0;
2186                                         }
2187                                 }
2188                         else 
2189                                 {
2190                                 *al = SSL_AD_DECODE_ERROR;
2191                                 return 0;
2192                                 }
2193                         }
2194                 }
2195
2196         *p = data;
2197
2198         ri_check:
2199
2200         /* Determine if we need to see RI. Strictly speaking if we want to
2201          * avoid an attack we should *always* see RI even on initial server
2202          * hello because the client doesn't see any renegotiation during an
2203          * attack. However this would mean we could not connect to any server
2204          * which doesn't support RI so for the immediate future tolerate RI
2205          * absence on initial connect only.
2206          */
2207         if (!renegotiate_seen
2208                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2209                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2210                 {
2211                 *al = SSL_AD_HANDSHAKE_FAILURE;
2212                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2213                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2214                 return 0;
2215                 }
2216
2217         return 1;
2218         }
2219
2220
2221 int ssl_prepare_clienthello_tlsext(SSL *s)
2222         {
2223
2224 #ifdef TLSEXT_TYPE_opaque_prf_input
2225         {
2226                 int r = 1;
2227         
2228                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2229                         {
2230                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2231                         if (!r)
2232                                 return -1;
2233                         }
2234
2235                 if (s->tlsext_opaque_prf_input != NULL)
2236                         {
2237                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2238                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2239
2240                         if (s->tlsext_opaque_prf_input_len == 0)
2241                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2242                         else
2243                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2244                         if (s->s3->client_opaque_prf_input == NULL)
2245                                 {
2246                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2247                                 return -1;
2248                                 }
2249                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2250                         }
2251
2252                 if (r == 2)
2253                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2254                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2255         }
2256 #endif
2257
2258         return 1;
2259         }
2260
2261 int ssl_prepare_serverhello_tlsext(SSL *s)
2262         {
2263 #ifndef OPENSSL_NO_EC
2264         /* If we are server and using an ECC cipher suite, send the point formats we support 
2265          * if the client sent us an ECPointsFormat extension.  Note that the server is not
2266          * supposed to send an EllipticCurves extension.
2267          */
2268
2269         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2270         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2271         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
2272         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
2273         
2274         if (using_ecc)
2275                 {
2276                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
2277                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
2278                         {
2279                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2280                         return -1;
2281                         }
2282                 s->tlsext_ecpointformatlist_length = 3;
2283                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
2284                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
2285                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2286                 }
2287 #endif /* OPENSSL_NO_EC */
2288
2289         return 1;
2290         }
2291
2292 static int ssl_check_clienthello_tlsext(SSL *s)
2293         {
2294         int ret=SSL_TLSEXT_ERR_NOACK;
2295         int al = SSL_AD_UNRECOGNIZED_NAME;
2296
2297 #ifndef OPENSSL_NO_EC
2298         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2299          * ssl3_choose_cipher in s3_lib.c.
2300          */
2301         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2302          * ssl3_choose_cipher in s3_lib.c.
2303          */
2304 #endif
2305
2306         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2307                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2308         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2309                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2310
2311         /* If status request then ask callback what to do.
2312          * Note: this must be called after servername callbacks in case 
2313          * the certificate has changed.
2314          */
2315         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2316                 {
2317                 int r;
2318                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2319                 switch (r)
2320                         {
2321                         /* We don't want to send a status request response */
2322                         case SSL_TLSEXT_ERR_NOACK:
2323                                 s->tlsext_status_expected = 0;
2324                                 break;
2325                         /* status request response should be sent */
2326                         case SSL_TLSEXT_ERR_OK:
2327                                 if (s->tlsext_ocsp_resp)
2328                                         s->tlsext_status_expected = 1;
2329                                 else
2330                                         s->tlsext_status_expected = 0;
2331                                 break;
2332                         /* something bad happened */
2333                         case SSL_TLSEXT_ERR_ALERT_FATAL:
2334                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2335                                 al = SSL_AD_INTERNAL_ERROR;
2336                                 goto err;
2337                         }
2338                 }
2339         else
2340                 s->tlsext_status_expected = 0;
2341
2342 #ifdef TLSEXT_TYPE_opaque_prf_input
2343         {
2344                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2345                  * but we might be sending an alert in response to the client hello,
2346                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
2347
2348                 int r = 1;
2349         
2350                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2351                         {
2352                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2353                         if (!r)
2354                                 {
2355                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2356                                 al = SSL_AD_INTERNAL_ERROR;
2357                                 goto err;
2358                                 }
2359                         }
2360
2361                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2362                         OPENSSL_free(s->s3->server_opaque_prf_input);
2363                 s->s3->server_opaque_prf_input = NULL;
2364
2365                 if (s->tlsext_opaque_prf_input != NULL)
2366                         {
2367                         if (s->s3->client_opaque_prf_input != NULL &&
2368                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2369                                 {
2370                                 /* can only use this extension if we have a server opaque PRF input
2371                                  * of the same length as the client opaque PRF input! */
2372
2373                                 if (s->tlsext_opaque_prf_input_len == 0)
2374                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2375                                 else
2376                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2377                                 if (s->s3->server_opaque_prf_input == NULL)
2378                                         {
2379                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2380                                         al = SSL_AD_INTERNAL_ERROR;
2381                                         goto err;
2382                                         }
2383                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2384                                 }
2385                         }
2386
2387                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2388                         {
2389                         /* The callback wants to enforce use of the extension,
2390                          * but we can't do that with the client opaque PRF input;
2391                          * abort the handshake.
2392                          */
2393                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2394                         al = SSL_AD_HANDSHAKE_FAILURE;
2395                         }
2396         }
2397
2398 #endif
2399  err:
2400         switch (ret)
2401                 {
2402                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2403                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2404                         return -1;
2405
2406                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2407                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2408                         return 1; 
2409                                         
2410                 case SSL_TLSEXT_ERR_NOACK:
2411                         s->servername_done=0;
2412                         default:
2413                 return 1;
2414                 }
2415         }
2416
2417 int ssl_check_serverhello_tlsext(SSL *s)
2418         {
2419         int ret=SSL_TLSEXT_ERR_NOACK;
2420         int al = SSL_AD_UNRECOGNIZED_NAME;
2421
2422 #ifndef OPENSSL_NO_EC
2423         /* If we are client and using an elliptic curve cryptography cipher
2424          * suite, then if server returns an EC point formats lists extension
2425          * it must contain uncompressed.
2426          */
2427         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2428         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2429         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
2430             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
2431             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2432                 {
2433                 /* we are using an ECC cipher */
2434                 size_t i;
2435                 unsigned char *list;
2436                 int found_uncompressed = 0;
2437                 list = s->session->tlsext_ecpointformatlist;
2438                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2439                         {
2440                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2441                                 {
2442                                 found_uncompressed = 1;
2443                                 break;
2444                                 }
2445                         }
2446                 if (!found_uncompressed)
2447                         {
2448                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2449                         return -1;
2450                         }
2451                 }
2452         ret = SSL_TLSEXT_ERR_OK;
2453 #endif /* OPENSSL_NO_EC */
2454
2455         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2456                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2457         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2458                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2459
2460 #ifdef TLSEXT_TYPE_opaque_prf_input
2461         if (s->s3->server_opaque_prf_input_len > 0)
2462                 {
2463                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2464                  * So first verify that we really have a value from the server too. */
2465
2466                 if (s->s3->server_opaque_prf_input == NULL)
2467                         {
2468                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2469                         al = SSL_AD_HANDSHAKE_FAILURE;
2470                         }
2471                 
2472                 /* Anytime the server *has* sent an opaque PRF input, we need to check
2473                  * that we have a client opaque PRF input of the same size. */
2474                 if (s->s3->client_opaque_prf_input == NULL ||
2475                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2476                         {
2477                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2478                         al = SSL_AD_ILLEGAL_PARAMETER;
2479                         }
2480                 }
2481 #endif
2482
2483         /* If we've requested certificate status and we wont get one
2484          * tell the callback
2485          */
2486         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2487                         && s->ctx && s->ctx->tlsext_status_cb)
2488                 {
2489                 int r;
2490                 /* Set resp to NULL, resplen to -1 so callback knows
2491                  * there is no response.
2492                  */
2493                 if (s->tlsext_ocsp_resp)
2494                         {
2495                         OPENSSL_free(s->tlsext_ocsp_resp);
2496                         s->tlsext_ocsp_resp = NULL;
2497                         }
2498                 s->tlsext_ocsp_resplen = -1;
2499                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2500                 if (r == 0)
2501                         {
2502                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2503                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2504                         }
2505                 if (r < 0)
2506                         {
2507                         al = SSL_AD_INTERNAL_ERROR;
2508                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2509                         }
2510                 }
2511
2512         switch (ret)
2513                 {
2514                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2515                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2516                         return -1;
2517
2518                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2519                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2520                         return 1; 
2521                                         
2522                 case SSL_TLSEXT_ERR_NOACK:
2523                         s->servername_done=0;
2524                         default:
2525                 return 1;
2526                 }
2527         }
2528
2529 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2530         {
2531         int al = -1;
2532         if (s->version < SSL3_VERSION)
2533                 return 1;
2534         if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
2535                 {
2536                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2537                 return 0;
2538                 }
2539
2540         if (ssl_check_serverhello_tlsext(s) <= 0) 
2541                 {
2542                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
2543                 return 0;
2544                 }
2545         return 1;
2546 }
2547
2548 /* Since the server cache lookup is done early on in the processing of the
2549  * ClientHello, and other operations depend on the result, we need to handle
2550  * any TLS session ticket extension at the same time.
2551  *
2552  *   session_id: points at the session ID in the ClientHello. This code will
2553  *       read past the end of this in order to parse out the session ticket
2554  *       extension, if any.
2555  *   len: the length of the session ID.
2556  *   limit: a pointer to the first byte after the ClientHello.
2557  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2558  *       point to the resulting session.
2559  *
2560  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2561  * ciphersuite, in which case we have no use for session tickets and one will
2562  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2563  *
2564  * Returns:
2565  *   -1: fatal error, either from parsing or decrypting the ticket.
2566  *    0: no ticket was found (or was ignored, based on settings).
2567  *    1: a zero length extension was found, indicating that the client supports
2568  *       session tickets but doesn't currently have one to offer.
2569  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2570  *       couldn't be decrypted because of a non-fatal error.
2571  *    3: a ticket was successfully decrypted and *ret was set.
2572  *
2573  * Side effects:
2574  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2575  *   a new session ticket to the client because the client indicated support
2576  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2577  *   a session ticket or we couldn't use the one it gave us, or if
2578  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2579  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2580  */
2581 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2582                         const unsigned char *limit, SSL_SESSION **ret)
2583         {
2584         /* Point after session ID in client hello */
2585         const unsigned char *p = session_id + len;
2586         unsigned short i;
2587
2588         *ret = NULL;
2589         s->tlsext_ticket_expected = 0;
2590
2591         /* If tickets disabled behave as if no ticket present
2592          * to permit stateful resumption.
2593          */
2594         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2595                 return 0;
2596         if ((s->version <= SSL3_VERSION) || !limit)
2597                 return 0;
2598         if (p >= limit)
2599                 return -1;
2600         /* Skip past DTLS cookie */
2601         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2602                 {
2603                 i = *(p++);
2604                 p+= i;
2605                 if (p >= limit)
2606                         return -1;
2607                 }
2608         /* Skip past cipher list */
2609         n2s(p, i);
2610         p+= i;
2611         if (p >= limit)
2612                 return -1;
2613         /* Skip past compression algorithm list */
2614         i = *(p++);
2615         p += i;
2616         if (p > limit)
2617                 return -1;
2618         /* Now at start of extensions */
2619         if ((p + 2) >= limit)
2620                 return 0;
2621         n2s(p, i);
2622         while ((p + 4) <= limit)
2623                 {
2624                 unsigned short type, size;
2625                 n2s(p, type);
2626                 n2s(p, size);
2627                 if (p + size > limit)
2628                         return 0;
2629                 if (type == TLSEXT_TYPE_session_ticket)
2630                         {
2631                         int r;
2632                         if (size == 0)
2633                                 {
2634                                 /* The client will accept a ticket but doesn't
2635                                  * currently have one. */
2636                                 s->tlsext_ticket_expected = 1;
2637                                 return 1;
2638                                 }
2639                         if (s->tls_session_secret_cb)
2640                                 {
2641                                 /* Indicate that the ticket couldn't be
2642                                  * decrypted rather than generating the session
2643                                  * from ticket now, trigger abbreviated
2644                                  * handshake based on external mechanism to
2645                                  * calculate the master secret later. */
2646                                 return 2;
2647                                 }
2648                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2649                         switch (r)
2650                                 {
2651                                 case 2: /* ticket couldn't be decrypted */
2652                                         s->tlsext_ticket_expected = 1;
2653                                         return 2;
2654                                 case 3: /* ticket was decrypted */
2655                                         return r;
2656                                 case 4: /* ticket decrypted but need to renew */
2657                                         s->tlsext_ticket_expected = 1;
2658                                         return 3;
2659                                 default: /* fatal error */
2660                                         return -1;
2661                                 }
2662                         }
2663                 p += size;
2664                 }
2665         return 0;
2666         }
2667
2668 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2669  *
2670  *   etick: points to the body of the session ticket extension.
2671  *   eticklen: the length of the session tickets extenion.
2672  *   sess_id: points at the session ID.
2673  *   sesslen: the length of the session ID.
2674  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2675  *       point to the resulting session.
2676  *
2677  * Returns:
2678  *   -1: fatal error, either from parsing or decrypting the ticket.
2679  *    2: the ticket couldn't be decrypted.
2680  *    3: a ticket was successfully decrypted and *psess was set.
2681  *    4: same as 3, but the ticket needs to be renewed.
2682  */
2683 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2684                                 const unsigned char *sess_id, int sesslen,
2685                                 SSL_SESSION **psess)
2686         {
2687         SSL_SESSION *sess;
2688         unsigned char *sdec;
2689         const unsigned char *p;
2690         int slen, mlen, renew_ticket = 0;
2691         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2692         HMAC_CTX hctx;
2693         EVP_CIPHER_CTX ctx;
2694         SSL_CTX *tctx = s->initial_ctx;
2695         /* Need at least keyname + iv + some encrypted data */
2696         if (eticklen < 48)
2697                 return 2;
2698         /* Initialize session ticket encryption and HMAC contexts */
2699         HMAC_CTX_init(&hctx);
2700         EVP_CIPHER_CTX_init(&ctx);
2701         if (tctx->tlsext_ticket_key_cb)
2702                 {
2703                 unsigned char *nctick = (unsigned char *)etick;
2704                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2705                                                         &ctx, &hctx, 0);
2706                 if (rv < 0)
2707                         return -1;
2708                 if (rv == 0)
2709                         return 2;
2710                 if (rv == 2)
2711                         renew_ticket = 1;
2712                 }
2713         else
2714                 {
2715                 /* Check key name matches */
2716                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2717                         return 2;
2718                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2719                                         tlsext_tick_md(), NULL);
2720                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2721                                 tctx->tlsext_tick_aes_key, etick + 16);
2722                 }
2723         /* Attempt to process session ticket, first conduct sanity and
2724          * integrity checks on ticket.
2725          */
2726         mlen = HMAC_size(&hctx);
2727         if (mlen < 0)
2728                 {
2729                 EVP_CIPHER_CTX_cleanup(&ctx);
2730                 return -1;
2731                 }
2732         eticklen -= mlen;
2733         /* Check HMAC of encrypted ticket */
2734         HMAC_Update(&hctx, etick, eticklen);
2735         HMAC_Final(&hctx, tick_hmac, NULL);
2736         HMAC_CTX_cleanup(&hctx);
2737         if (memcmp(tick_hmac, etick + eticklen, mlen))
2738                 return 2;
2739         /* Attempt to decrypt session data */
2740         /* Move p after IV to start of encrypted ticket, update length */
2741         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2742         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2743         sdec = OPENSSL_malloc(eticklen);
2744         if (!sdec)
2745                 {
2746                 EVP_CIPHER_CTX_cleanup(&ctx);
2747                 return -1;
2748                 }
2749         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2750         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2751                 return 2;
2752         slen += mlen;
2753         EVP_CIPHER_CTX_cleanup(&ctx);
2754         p = sdec;
2755
2756         sess = d2i_SSL_SESSION(NULL, &p, slen);
2757         OPENSSL_free(sdec);
2758         if (sess)
2759                 {
2760                 /* The session ID, if non-empty, is used by some clients to
2761                  * detect that the ticket has been accepted. So we copy it to
2762                  * the session structure. If it is empty set length to zero
2763                  * as required by standard.
2764                  */
2765                 if (sesslen)
2766                         memcpy(sess->session_id, sess_id, sesslen);
2767                 sess->session_id_length = sesslen;
2768                 *psess = sess;
2769                 if (renew_ticket)
2770                         return 4;
2771                 else
2772                         return 3;
2773                 }
2774         ERR_clear_error();
2775         /* For session parse failure, indicate that we need to send a new
2776          * ticket. */
2777         return 2;
2778         }
2779
2780 /* Tables to translate from NIDs to TLS v1.2 ids */
2781
2782 typedef struct 
2783         {
2784         int nid;
2785         int id;
2786         } tls12_lookup;
2787
2788 static tls12_lookup tls12_md[] = {
2789         {NID_md5, TLSEXT_hash_md5},
2790         {NID_sha1, TLSEXT_hash_sha1},
2791         {NID_sha224, TLSEXT_hash_sha224},
2792         {NID_sha256, TLSEXT_hash_sha256},
2793         {NID_sha384, TLSEXT_hash_sha384},
2794         {NID_sha512, TLSEXT_hash_sha512}
2795 };
2796
2797 static tls12_lookup tls12_sig[] = {
2798         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2799         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2800         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2801 };
2802
2803 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2804         {
2805         size_t i;
2806         for (i = 0; i < tlen; i++)
2807                 {
2808                 if (table[i].nid == nid)
2809                         return table[i].id;
2810                 }
2811         return -1;
2812         }
2813
2814 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2815         {
2816         size_t i;
2817         for (i = 0; i < tlen; i++)
2818                 {
2819                 if ((table[i].id) == id)
2820                         return table[i].nid;
2821                 }
2822         return NID_undef;
2823         }
2824
2825 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2826         {
2827         int sig_id, md_id;
2828         if (!md)
2829                 return 0;
2830         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2831                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2832         if (md_id == -1)
2833                 return 0;
2834         sig_id = tls12_get_sigid(pk);
2835         if (sig_id == -1)
2836                 return 0;
2837         p[0] = (unsigned char)md_id;
2838         p[1] = (unsigned char)sig_id;
2839         return 1;
2840         }
2841
2842 int tls12_get_sigid(const EVP_PKEY *pk)
2843         {
2844         return tls12_find_id(pk->type, tls12_sig,
2845                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2846         }
2847
2848 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2849         {
2850         switch(hash_alg)
2851                 {
2852 #ifndef OPENSSL_NO_MD5
2853                 case TLSEXT_hash_md5:
2854 #ifdef OPENSSL_FIPS
2855                 if (FIPS_mode())
2856                         return NULL;
2857 #endif
2858                 return EVP_md5();
2859 #endif
2860 #ifndef OPENSSL_NO_SHA
2861                 case TLSEXT_hash_sha1:
2862                 return EVP_sha1();
2863 #endif
2864 #ifndef OPENSSL_NO_SHA256
2865                 case TLSEXT_hash_sha224:
2866                 return EVP_sha224();
2867
2868                 case TLSEXT_hash_sha256:
2869                 return EVP_sha256();
2870 #endif
2871 #ifndef OPENSSL_NO_SHA512
2872                 case TLSEXT_hash_sha384:
2873                 return EVP_sha384();
2874
2875                 case TLSEXT_hash_sha512:
2876                 return EVP_sha512();
2877 #endif
2878                 default:
2879                 return NULL;
2880
2881                 }
2882         }
2883
2884 static int tls12_get_pkey_idx(unsigned char sig_alg)
2885         {
2886         switch(sig_alg)
2887                 {
2888 #ifndef OPENSSL_NO_RSA
2889         case TLSEXT_signature_rsa:
2890                 return SSL_PKEY_RSA_SIGN;
2891 #endif
2892 #ifndef OPENSSL_NO_DSA
2893         case TLSEXT_signature_dsa:
2894                 return SSL_PKEY_DSA_SIGN;
2895 #endif
2896 #ifndef OPENSSL_NO_ECDSA
2897         case TLSEXT_signature_ecdsa:
2898                 return SSL_PKEY_ECC;
2899 #endif
2900                 }
2901         return -1;
2902         }
2903
2904 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
2905 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
2906                         int *psignhash_nid, const unsigned char *data)
2907         {
2908         int sign_nid, hash_nid;
2909         if (!phash_nid && !psign_nid && !psignhash_nid)
2910                 return;
2911         if (phash_nid || psignhash_nid)
2912                 {
2913                 hash_nid = tls12_find_nid(data[0], tls12_md,
2914                                         sizeof(tls12_md)/sizeof(tls12_lookup));
2915                 if (phash_nid)
2916                         *phash_nid = hash_nid;
2917                 }
2918         if (psign_nid || psignhash_nid)
2919                 {
2920                 sign_nid = tls12_find_nid(data[1], tls12_sig,
2921                                         sizeof(tls12_sig)/sizeof(tls12_lookup));
2922                 if (psign_nid)
2923                         *psign_nid = sign_nid;
2924                 }
2925         if (psignhash_nid)
2926                 {
2927                 if (sign_nid && hash_nid)
2928                         OBJ_find_sigid_by_algs(psignhash_nid,
2929                                                         hash_nid, sign_nid);
2930                 else
2931                         *psignhash_nid = NID_undef;
2932                 }
2933         }
2934 /* Given preference and allowed sigalgs set shared sigalgs */
2935 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
2936                                 const unsigned char *pref, size_t preflen,
2937                                 const unsigned char *allow, size_t allowlen)
2938         {
2939         const unsigned char *ptmp, *atmp;
2940         size_t i, j, nmatch = 0;
2941         for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
2942                 {
2943                 /* Skip disabled hashes or signature algorithms */
2944                 if (tls12_get_hash(ptmp[0]) == NULL)
2945                         continue;
2946                 if (tls12_get_pkey_idx(ptmp[1]) == -1)
2947                         continue;
2948                 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
2949                         {
2950                         if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
2951                                 {
2952                                 nmatch++;
2953                                 if (shsig)
2954                                         {
2955                                         shsig->rhash = ptmp[0];
2956                                         shsig->rsign = ptmp[1];
2957                                         tls1_lookup_sigalg(&shsig->hash_nid,
2958                                                 &shsig->sign_nid,
2959                                                 &shsig->signandhash_nid,
2960                                                 ptmp);
2961                                         shsig++;
2962                                         }
2963                                 break;
2964                                 }
2965                         }
2966                 }
2967         return nmatch;
2968         }
2969
2970 /* Set shared signature algorithms for SSL structures */
2971 static int tls1_set_shared_sigalgs(SSL *s)
2972         {
2973         const unsigned char *pref, *allow, *conf;
2974         size_t preflen, allowlen, conflen;
2975         size_t nmatch;
2976         TLS_SIGALGS *salgs = NULL;
2977         CERT *c = s->cert;
2978         conf = c->conf_sigalgs;
2979         if (conf)
2980                 conflen = c->conf_sigalgslen;
2981         else
2982                 {
2983                 conf = tls12_sigalgs;
2984                 conflen = sizeof(tls12_sigalgs);
2985 #ifdef OPENSSL_FIPS
2986                 if (FIPS_mode())
2987                         conflen -= 2;
2988 #endif
2989                 }
2990         if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
2991                 {
2992                 pref = conf;
2993                 preflen = conflen;
2994                 allow = c->peer_sigalgs;
2995                 allowlen = c->peer_sigalgslen;
2996                 }
2997         else
2998                 {
2999                 allow = conf;
3000                 allowlen = conflen;
3001                 pref = c->peer_sigalgs;
3002                 preflen = c->peer_sigalgslen;
3003                 }
3004         nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3005         if (!nmatch)
3006                 return 1;
3007         salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3008         if (!salgs)
3009                 return 0;
3010         nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3011         c->shared_sigalgs = salgs;
3012         c->shared_sigalgslen = nmatch;
3013         return 1;
3014         }
3015                 
3016
3017 /* Set preferred digest for each key type */
3018
3019 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
3020         {
3021         int idx;
3022         size_t i;
3023         const EVP_MD *md;
3024         CERT *c = s->cert;
3025         TLS_SIGALGS *sigptr;
3026         /* Extension ignored for TLS versions below 1.2 */
3027         if (TLS1_get_version(s) < TLS1_2_VERSION)
3028                 return 1;
3029         /* Should never happen */
3030         if (!c)
3031                 return 0;
3032
3033         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
3034         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
3035         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
3036         c->pkeys[SSL_PKEY_ECC].digest = NULL;
3037
3038         c->peer_sigalgs = OPENSSL_malloc(dsize);
3039         if (!c->peer_sigalgs)
3040                 return 0;
3041         c->peer_sigalgslen = dsize;
3042         memcpy(c->peer_sigalgs, data, dsize);
3043
3044         tls1_set_shared_sigalgs(s);
3045
3046         for (i = 0, sigptr = c->shared_sigalgs;
3047                         i < c->shared_sigalgslen; i++, sigptr++)
3048                 {
3049                 idx = tls12_get_pkey_idx(sigptr->rsign);
3050                 if (idx > 0 && c->pkeys[idx].digest == NULL)
3051                         {
3052                         md = tls12_get_hash(sigptr->rhash);
3053                         c->pkeys[idx].digest = md;
3054                         if (idx == SSL_PKEY_RSA_SIGN)
3055                                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3056                         }
3057
3058                 }
3059         /* In strict mode leave unset digests as NULL to indicate we can't
3060          * use the certificate for signing.
3061          */
3062         if (!(s->cert->cert_flags & SSL_CERT_FLAG_TLS_STRICT))
3063                 {
3064                 /* Set any remaining keys to default values. NOTE: if alg is