5fae9fb4260bb972484e6c5e8a19440cd98d8b56
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
128 #endif
129
130 SSL3_ENC_METHOD TLSv1_enc_data={
131         tls1_enc,
132         tls1_mac,
133         tls1_setup_key_block,
134         tls1_generate_master_secret,
135         tls1_change_cipher_state,
136         tls1_final_finish_mac,
137         TLS1_FINISH_MAC_LENGTH,
138         tls1_cert_verify_mac,
139         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141         tls1_alert_code,
142         tls1_export_keying_material,
143         };
144
145 long tls1_default_timeout(void)
146         {
147         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148          * is way too long for http, the cache would over fill */
149         return(60*60*2);
150         }
151
152 int tls1_new(SSL *s)
153         {
154         if (!ssl3_new(s)) return(0);
155         s->method->ssl_clear(s);
156         return(1);
157         }
158
159 void tls1_free(SSL *s)
160         {
161 #ifndef OPENSSL_NO_TLSEXT
162         if (s->tlsext_session_ticket)
163                 {
164                 OPENSSL_free(s->tlsext_session_ticket);
165                 }
166 #endif /* OPENSSL_NO_TLSEXT */
167         ssl3_free(s);
168         }
169
170 void tls1_clear(SSL *s)
171         {
172         ssl3_clear(s);
173         s->version = s->method->version;
174         }
175
176 #ifndef OPENSSL_NO_EC
177
178 static int nid_list[] =
179         {
180                 NID_sect163k1, /* sect163k1 (1) */
181                 NID_sect163r1, /* sect163r1 (2) */
182                 NID_sect163r2, /* sect163r2 (3) */
183                 NID_sect193r1, /* sect193r1 (4) */ 
184                 NID_sect193r2, /* sect193r2 (5) */ 
185                 NID_sect233k1, /* sect233k1 (6) */
186                 NID_sect233r1, /* sect233r1 (7) */ 
187                 NID_sect239k1, /* sect239k1 (8) */ 
188                 NID_sect283k1, /* sect283k1 (9) */
189                 NID_sect283r1, /* sect283r1 (10) */ 
190                 NID_sect409k1, /* sect409k1 (11) */ 
191                 NID_sect409r1, /* sect409r1 (12) */
192                 NID_sect571k1, /* sect571k1 (13) */ 
193                 NID_sect571r1, /* sect571r1 (14) */ 
194                 NID_secp160k1, /* secp160k1 (15) */
195                 NID_secp160r1, /* secp160r1 (16) */ 
196                 NID_secp160r2, /* secp160r2 (17) */ 
197                 NID_secp192k1, /* secp192k1 (18) */
198                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
199                 NID_secp224k1, /* secp224k1 (20) */ 
200                 NID_secp224r1, /* secp224r1 (21) */
201                 NID_secp256k1, /* secp256k1 (22) */ 
202                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
203                 NID_secp384r1, /* secp384r1 (24) */
204                 NID_secp521r1  /* secp521r1 (25) */     
205         };
206
207
208 static const unsigned char ecformats_default[] = 
209         {
210         TLSEXT_ECPOINTFORMAT_uncompressed,
211         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
212         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
213         };
214
215 static const unsigned char eccurves_default[] =
216         {
217                 0,14, /* sect571r1 (14) */ 
218                 0,13, /* sect571k1 (13) */ 
219                 0,25, /* secp521r1 (25) */      
220                 0,11, /* sect409k1 (11) */ 
221                 0,12, /* sect409r1 (12) */
222                 0,24, /* secp384r1 (24) */
223                 0,9,  /* sect283k1 (9) */
224                 0,10, /* sect283r1 (10) */ 
225                 0,22, /* secp256k1 (22) */ 
226                 0,23, /* secp256r1 (23) */ 
227                 0,8,  /* sect239k1 (8) */ 
228                 0,6,  /* sect233k1 (6) */
229                 0,7,  /* sect233r1 (7) */ 
230                 0,20, /* secp224k1 (20) */ 
231                 0,21, /* secp224r1 (21) */
232                 0,4,  /* sect193r1 (4) */ 
233                 0,5,  /* sect193r2 (5) */ 
234                 0,18, /* secp192k1 (18) */
235                 0,19, /* secp192r1 (19) */ 
236                 0,1,  /* sect163k1 (1) */
237                 0,2,  /* sect163r1 (2) */
238                 0,3,  /* sect163r2 (3) */
239                 0,15, /* secp160k1 (15) */
240                 0,16, /* secp160r1 (16) */ 
241                 0,17, /* secp160r2 (17) */ 
242         };
243
244 int tls1_ec_curve_id2nid(int curve_id)
245         {
246         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
247         if ((curve_id < 1) || ((unsigned int)curve_id >
248                                 sizeof(nid_list)/sizeof(nid_list[0])))
249                 return 0;
250         return nid_list[curve_id-1];
251         }
252
253 int tls1_ec_nid2curve_id(int nid)
254         {
255         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
256         switch (nid)
257                 {
258         case NID_sect163k1: /* sect163k1 (1) */
259                 return 1;
260         case NID_sect163r1: /* sect163r1 (2) */
261                 return 2;
262         case NID_sect163r2: /* sect163r2 (3) */
263                 return 3;
264         case NID_sect193r1: /* sect193r1 (4) */ 
265                 return 4;
266         case NID_sect193r2: /* sect193r2 (5) */ 
267                 return 5;
268         case NID_sect233k1: /* sect233k1 (6) */
269                 return 6;
270         case NID_sect233r1: /* sect233r1 (7) */ 
271                 return 7;
272         case NID_sect239k1: /* sect239k1 (8) */ 
273                 return 8;
274         case NID_sect283k1: /* sect283k1 (9) */
275                 return 9;
276         case NID_sect283r1: /* sect283r1 (10) */ 
277                 return 10;
278         case NID_sect409k1: /* sect409k1 (11) */ 
279                 return 11;
280         case NID_sect409r1: /* sect409r1 (12) */
281                 return 12;
282         case NID_sect571k1: /* sect571k1 (13) */ 
283                 return 13;
284         case NID_sect571r1: /* sect571r1 (14) */ 
285                 return 14;
286         case NID_secp160k1: /* secp160k1 (15) */
287                 return 15;
288         case NID_secp160r1: /* secp160r1 (16) */ 
289                 return 16;
290         case NID_secp160r2: /* secp160r2 (17) */ 
291                 return 17;
292         case NID_secp192k1: /* secp192k1 (18) */
293                 return 18;
294         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
295                 return 19;
296         case NID_secp224k1: /* secp224k1 (20) */ 
297                 return 20;
298         case NID_secp224r1: /* secp224r1 (21) */
299                 return 21;
300         case NID_secp256k1: /* secp256k1 (22) */ 
301                 return 22;
302         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
303                 return 23;
304         case NID_secp384r1: /* secp384r1 (24) */
305                 return 24;
306         case NID_secp521r1:  /* secp521r1 (25) */       
307                 return 25;
308         default:
309                 return 0;
310                 }
311         }
312 /* Get curves list, if "sess" is set return client curves otherwise
313  * preferred list
314  */
315 static void tls1_get_curvelist(SSL *s, int sess,
316                                         const unsigned char **pcurves,
317                                         size_t *pcurveslen)
318         {
319         if (sess)
320                 {
321                 *pcurves = s->session->tlsext_ellipticcurvelist;
322                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
323                 }
324         else
325                 {
326                 *pcurves = s->tlsext_ellipticcurvelist;
327                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
328                 }
329         /* If not set use default: for now static structure */
330         if (!*pcurves)
331                 {
332                 *pcurves = eccurves_default;
333                 *pcurveslen = sizeof(eccurves_default);
334                 }
335         }
336
337 /* Return nth shared curve. If nmatch == -1 return number of
338  * matches.
339  */
340
341 int tls1_shared_curve(SSL *s, int nmatch)
342         {
343         const unsigned char *pref, *supp;
344         size_t preflen, supplen, i, j;
345         int k;
346         /* Can't do anything on client side */
347         if (s->server == 0)
348                 return -1;
349         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
350                                 &supp, &supplen);
351         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
352                                 &pref, &preflen);
353         preflen /= 2;
354         supplen /= 2;
355         k = 0;
356         for (i = 0; i < preflen; i++, pref+=2)
357                 {
358                 const unsigned char *tsupp = supp;
359                 for (j = 0; j < supplen; j++, tsupp+=2)
360                         {
361                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
362                                 {
363                                 if (nmatch == k)
364                                         {
365                                         int id = (pref[0] << 8) | pref[1];
366                                         return tls1_ec_curve_id2nid(id);
367                                         }
368                                 k++;
369                                 }
370                         }
371                 }
372         if (nmatch == -1)
373                 return k;
374         return 0;
375         }
376
377 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
378                         int *curves, size_t ncurves)
379         {
380         unsigned char *clist, *p;
381         size_t i;
382         /* Bitmap of curves included to detect duplicates: only works
383          * while curve ids < 32 
384          */
385         unsigned long dup_list = 0;
386         clist = OPENSSL_malloc(ncurves * 2);
387         if (!clist)
388                 return 0;
389         for (i = 0, p = clist; i < ncurves; i++)
390                 {
391                 unsigned long idmask;
392                 int id;
393                 id = tls1_ec_nid2curve_id(curves[i]);
394                 idmask = 1L << id;
395                 if (!id || (dup_list & idmask))
396                         {
397                         OPENSSL_free(clist);
398                         return 0;
399                         }
400                 dup_list |= idmask;
401                 s2n(id, p);
402                 }
403         if (*pext)
404                 OPENSSL_free(*pext);
405         *pext = clist;
406         *pextlen = ncurves * 2;
407         return 1;
408         }
409
410 #define MAX_CURVELIST   25
411
412 typedef struct
413         {
414         size_t nidcnt;
415         int nid_arr[MAX_CURVELIST];
416         } nid_cb_st;
417
418 static int nid_cb(const char *elem, int len, void *arg)
419         {
420         nid_cb_st *narg = arg;
421         size_t i;
422         int nid;
423         char etmp[20];
424         if (narg->nidcnt == MAX_CURVELIST)
425                 return 0;
426         if (len > (int)(sizeof(etmp) - 1))
427                 return 0;
428         memcpy(etmp, elem, len);
429         etmp[len] = 0;
430         nid = EC_curve_nist2nid(etmp);
431         if (nid == NID_undef)
432                 nid = OBJ_sn2nid(etmp);
433         if (nid == NID_undef)
434                 nid = OBJ_ln2nid(etmp);
435         if (nid == NID_undef)
436                 return 0;
437         for (i = 0; i < narg->nidcnt; i++)
438                 if (narg->nid_arr[i] == nid)
439                         return 0;
440         narg->nid_arr[narg->nidcnt++] = nid;
441         return 1;
442         }
443 /* Set curves based on a colon separate list */
444 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
445                                 const char *str)
446         {
447         nid_cb_st ncb;
448         ncb.nidcnt = 0;
449         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
450                 return 0;
451         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
452         }
453 /* For an EC key set TLS id and required compression based on parameters */
454 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
455                                 EC_KEY *ec)
456         {
457         int is_prime, id;
458         const EC_GROUP *grp;
459         const EC_POINT *pt;
460         const EC_METHOD *meth;
461         if (!ec)
462                 return 0;
463         /* Determine if it is a prime field */
464         grp = EC_KEY_get0_group(ec);
465         pt = EC_KEY_get0_public_key(ec);
466         if (!grp || !pt)
467                 return 0;
468         meth = EC_GROUP_method_of(grp);
469         if (!meth)
470                 return 0;
471         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
472                 is_prime = 1;
473         else
474                 is_prime = 0;
475         /* Determine curve ID */
476         id = EC_GROUP_get_curve_name(grp);
477         id = tls1_ec_nid2curve_id(id);
478         /* If we have an ID set it, otherwise set arbitrary explicit curve */
479         if (id)
480                 {
481                 curve_id[0] = 0;
482                 curve_id[1] = (unsigned char)id;
483                 }
484         else
485                 {
486                 curve_id[0] = 0xff;
487                 if (is_prime)
488                         curve_id[1] = 0x01;
489                 else
490                         curve_id[1] = 0x02;
491                 }
492         if (comp_id)
493                 {
494                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
495                         {
496                         if (is_prime)
497                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
498                         else
499                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
500                         }
501                 else
502                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
503                 }
504         return 1;
505         }
506 /* Check an EC key is compatible with extensions */
507 static int tls1_check_ec_key(SSL *s,
508                         unsigned char *curve_id, unsigned char *comp_id)
509         {
510         const unsigned char *p;
511         size_t plen, i;
512         int j;
513         /* If point formats extension present check it, otherwise everything
514          * is supported (see RFC4492).
515          */
516         if (comp_id && s->session->tlsext_ecpointformatlist)
517                 {
518                 p = s->session->tlsext_ecpointformatlist;
519                 plen = s->session->tlsext_ecpointformatlist_length;
520                 for (i = 0; i < plen; i++, p++)
521                         {
522                         if (*comp_id == *p)
523                                 break;
524                         }
525                 if (i == plen)
526                         return 0;
527                 }
528         /* Check curve is consistent with client and server preferences */
529         for (j = 0; j <= 1; j++)
530                 {
531                 tls1_get_curvelist(s, j, &p, &plen);
532                 for (i = 0; i < plen; i+=2, p+=2)
533                         {
534                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
535                                 break;
536                         }
537                 if (i == plen)
538                         return 0;
539                 }
540         return 1;
541         }
542 /* Check EC server key is compatible with client extensions */
543 int tls1_check_ec_server_key(SSL *s)
544         {
545         int rv;
546         CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
547         EVP_PKEY *pkey;
548         unsigned char comp_id, curve_id[2];
549         if (!cpk->x509 || !cpk->privatekey)
550                 return 0;
551         pkey = X509_get_pubkey(cpk->x509);
552         if (!pkey)
553                 return 0;
554         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
555         EVP_PKEY_free(pkey);
556         if (!rv)
557                 return 0;
558         return tls1_check_ec_key(s, curve_id, &comp_id);
559         }
560 /* Check EC temporary key is compatible with client extensions */
561 int tls1_check_ec_tmp_key(SSL *s)
562         {
563         unsigned char curve_id[2];
564         EC_KEY *ec = s->cert->ecdh_tmp;
565         if (s->cert->ecdh_tmp_auto)
566                 {
567                 /* Need a shared curve */
568                 if (tls1_shared_curve(s, 0))
569                         return 1;
570                 else return 0;
571                 }
572         if (!ec)
573                 {
574                 if (s->cert->ecdh_tmp_cb)
575                         return 1;
576                 else
577                         return 0;
578                 }
579         if (!tls1_set_ec_id(curve_id, NULL, ec))
580                 return 1;
581         return tls1_check_ec_key(s, curve_id, NULL);
582         }
583
584 #endif /* OPENSSL_NO_EC */
585
586 #ifndef OPENSSL_NO_TLSEXT
587
588 /* List of supported signature algorithms and hashes. Should make this
589  * customisable at some point, for now include everything we support.
590  */
591
592 #ifdef OPENSSL_NO_RSA
593 #define tlsext_sigalg_rsa(md) /* */
594 #else
595 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
596 #endif
597
598 #ifdef OPENSSL_NO_DSA
599 #define tlsext_sigalg_dsa(md) /* */
600 #else
601 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
602 #endif
603
604 #ifdef OPENSSL_NO_ECDSA
605 #define tlsext_sigalg_ecdsa(md) /* */
606 #else
607 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
608 #endif
609
610 #define tlsext_sigalg(md) \
611                 tlsext_sigalg_rsa(md) \
612                 tlsext_sigalg_dsa(md) \
613                 tlsext_sigalg_ecdsa(md)
614
615 static unsigned char tls12_sigalgs[] = {
616 #ifndef OPENSSL_NO_SHA512
617         tlsext_sigalg(TLSEXT_hash_sha512)
618         tlsext_sigalg(TLSEXT_hash_sha384)
619 #endif
620 #ifndef OPENSSL_NO_SHA256
621         tlsext_sigalg(TLSEXT_hash_sha256)
622         tlsext_sigalg(TLSEXT_hash_sha224)
623 #endif
624 #ifndef OPENSSL_NO_SHA
625         tlsext_sigalg(TLSEXT_hash_sha1)
626 #endif
627 #ifndef OPENSSL_NO_MD5
628         tlsext_sigalg_rsa(TLSEXT_hash_md5)
629 #endif
630 };
631
632 size_t tls12_get_sig_algs(SSL *s, unsigned char *p)
633         {
634         const unsigned char *sigs;
635         size_t sigslen;
636         sigs = s->cert->conf_sigalgs;
637
638         if (sigs)
639                 sigslen = s->cert->conf_sigalgslen;
640         else
641                 {
642                 sigs = tls12_sigalgs;
643                 sigslen = sizeof(tls12_sigalgs);
644 #ifdef OPENSSL_FIPS
645                 /* If FIPS mode don't include MD5 which is last */
646                 if (FIPS_mode())
647                         sigslen -= 2;
648 #endif
649                 }
650
651         if (p)
652                 memcpy(p, sigs, sigslen);
653         return sigslen;
654         }
655
656 /* byte_compare is a compare function for qsort(3) that compares bytes. */
657 static int byte_compare(const void *in_a, const void *in_b)
658         {
659         unsigned char a = *((const unsigned char*) in_a);
660         unsigned char b = *((const unsigned char*) in_b);
661
662         if (a > b)
663                 return 1;
664         else if (a < b)
665                 return -1;
666         return 0;
667 }
668
669 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
670         {
671         int extdatalen=0;
672         unsigned char *ret = p;
673 #ifndef OPENSSL_NO_EC
674         /* See if we support any ECC ciphersuites */
675         int using_ecc = 0;
676         if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
677                 {
678                 int i;
679                 unsigned long alg_k, alg_a;
680                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
681
682                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
683                         {
684                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
685
686                         alg_k = c->algorithm_mkey;
687                         alg_a = c->algorithm_auth;
688                         if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
689                                 || (alg_a & SSL_aECDSA)))
690                                 {
691                                 using_ecc = 1;
692                                 break;
693                                 }
694                         }
695                 }
696 #endif
697
698         /* don't add extensions for SSLv3 unless doing secure renegotiation */
699         if (s->client_version == SSL3_VERSION
700                                         && !s->s3->send_connection_binding)
701                 return p;
702
703         ret+=2;
704
705         if (ret>=limit) return NULL; /* this really never occurs, but ... */
706
707         if (s->tlsext_hostname != NULL)
708                 { 
709                 /* Add TLS extension servername to the Client Hello message */
710                 unsigned long size_str;
711                 long lenmax; 
712
713                 /* check for enough space.
714                    4 for the servername type and entension length
715                    2 for servernamelist length
716                    1 for the hostname type
717                    2 for hostname length
718                    + hostname length 
719                 */
720                    
721                 if ((lenmax = limit - ret - 9) < 0 
722                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
723                         return NULL;
724                         
725                 /* extension type and length */
726                 s2n(TLSEXT_TYPE_server_name,ret); 
727                 s2n(size_str+5,ret);
728                 
729                 /* length of servername list */
730                 s2n(size_str+3,ret);
731         
732                 /* hostname type, length and hostname */
733                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
734                 s2n(size_str,ret);
735                 memcpy(ret, s->tlsext_hostname, size_str);
736                 ret+=size_str;
737                 }
738
739         /* Add RI if renegotiating */
740         if (s->renegotiate)
741           {
742           int el;
743           
744           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
745               {
746               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
747               return NULL;
748               }
749
750           if((limit - p - 4 - el) < 0) return NULL;
751           
752           s2n(TLSEXT_TYPE_renegotiate,ret);
753           s2n(el,ret);
754
755           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
756               {
757               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
758               return NULL;
759               }
760
761           ret += el;
762         }
763
764 #ifndef OPENSSL_NO_SRP
765         /* Add SRP username if there is one */
766         if (s->srp_ctx.login != NULL)
767                 { /* Add TLS extension SRP username to the Client Hello message */
768
769                 int login_len = strlen(s->srp_ctx.login);       
770                 if (login_len > 255 || login_len == 0)
771                         {
772                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
773                         return NULL;
774                         } 
775
776                 /* check for enough space.
777                    4 for the srp type type and entension length
778                    1 for the srp user identity
779                    + srp user identity length 
780                 */
781                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
782
783                 /* fill in the extension */
784                 s2n(TLSEXT_TYPE_srp,ret);
785                 s2n(login_len+1,ret);
786                 (*ret++) = (unsigned char) login_len;
787                 memcpy(ret, s->srp_ctx.login, login_len);
788                 ret+=login_len;
789                 }
790 #endif
791
792 #ifndef OPENSSL_NO_EC
793         if (using_ecc)
794                 {
795                 /* Add TLS extension ECPointFormats to the ClientHello message */
796                 long lenmax; 
797                 const unsigned char *plist;
798                 size_t plistlen;
799                 /* If we have a custom point format list use it otherwise
800                  * use default */
801                 plist = s->tlsext_ecpointformatlist;
802                 if (plist)
803                         plistlen = s->tlsext_ecpointformatlist_length;
804                 else
805                         {
806                         plist = ecformats_default;
807                         plistlen = sizeof(ecformats_default);
808                         }
809
810                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
811                 if (plistlen > (size_t)lenmax) return NULL;
812                 if (plistlen > 255)
813                         {
814                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
815                         return NULL;
816                         }
817                 
818                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
819                 s2n(plistlen + 1,ret);
820                 *(ret++) = (unsigned char)plistlen ;
821                 memcpy(ret, plist, plistlen);
822                 ret+=plistlen;
823
824                 /* Add TLS extension EllipticCurves to the ClientHello message */
825                 plist = s->tlsext_ellipticcurvelist;
826                 tls1_get_curvelist(s, 0, &plist, &plistlen);
827
828                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
829                 if (plistlen > (size_t)lenmax) return NULL;
830                 if (plistlen > 65532)
831                         {
832                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
833                         return NULL;
834                         }
835                 
836                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
837                 s2n(plistlen + 2, ret);
838
839                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
840                  * elliptic_curve_list, but the examples use two bytes.
841                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
842                  * resolves this to two bytes.
843                  */
844                 s2n(plistlen, ret);
845                 memcpy(ret, plist, plistlen);
846                 ret+=plistlen;
847                 }
848 #endif /* OPENSSL_NO_EC */
849
850         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
851                 {
852                 int ticklen;
853                 if (!s->new_session && s->session && s->session->tlsext_tick)
854                         ticklen = s->session->tlsext_ticklen;
855                 else if (s->session && s->tlsext_session_ticket &&
856                          s->tlsext_session_ticket->data)
857                         {
858                         ticklen = s->tlsext_session_ticket->length;
859                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
860                         if (!s->session->tlsext_tick)
861                                 return NULL;
862                         memcpy(s->session->tlsext_tick,
863                                s->tlsext_session_ticket->data,
864                                ticklen);
865                         s->session->tlsext_ticklen = ticklen;
866                         }
867                 else
868                         ticklen = 0;
869                 if (ticklen == 0 && s->tlsext_session_ticket &&
870                     s->tlsext_session_ticket->data == NULL)
871                         goto skip_ext;
872                 /* Check for enough room 2 for extension type, 2 for len
873                  * rest for ticket
874                  */
875                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
876                 s2n(TLSEXT_TYPE_session_ticket,ret); 
877                 s2n(ticklen,ret);
878                 if (ticklen)
879                         {
880                         memcpy(ret, s->session->tlsext_tick, ticklen);
881                         ret += ticklen;
882                         }
883                 }
884                 skip_ext:
885
886         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
887                 {
888                 size_t salglen;
889                 salglen = tls12_get_sig_algs(s, NULL);
890                 if ((size_t)(limit - ret) < salglen + 6)
891                         return NULL; 
892                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
893                 s2n(salglen + 2, ret);
894                 s2n(salglen, ret);
895                 tls12_get_sig_algs(s, ret);
896                 ret += salglen;
897                 }
898
899 #ifdef TLSEXT_TYPE_opaque_prf_input
900         if (s->s3->client_opaque_prf_input != NULL &&
901             s->version != DTLS1_VERSION)
902                 {
903                 size_t col = s->s3->client_opaque_prf_input_len;
904                 
905                 if ((long)(limit - ret - 6 - col < 0))
906                         return NULL;
907                 if (col > 0xFFFD) /* can't happen */
908                         return NULL;
909
910                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
911                 s2n(col + 2, ret);
912                 s2n(col, ret);
913                 memcpy(ret, s->s3->client_opaque_prf_input, col);
914                 ret += col;
915                 }
916 #endif
917
918         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
919             s->version != DTLS1_VERSION)
920                 {
921                 int i;
922                 long extlen, idlen, itmp;
923                 OCSP_RESPID *id;
924
925                 idlen = 0;
926                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
927                         {
928                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
929                         itmp = i2d_OCSP_RESPID(id, NULL);
930                         if (itmp <= 0)
931                                 return NULL;
932                         idlen += itmp + 2;
933                         }
934
935                 if (s->tlsext_ocsp_exts)
936                         {
937                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
938                         if (extlen < 0)
939                                 return NULL;
940                         }
941                 else
942                         extlen = 0;
943                         
944                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
945                 s2n(TLSEXT_TYPE_status_request, ret);
946                 if (extlen + idlen > 0xFFF0)
947                         return NULL;
948                 s2n(extlen + idlen + 5, ret);
949                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
950                 s2n(idlen, ret);
951                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
952                         {
953                         /* save position of id len */
954                         unsigned char *q = ret;
955                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
956                         /* skip over id len */
957                         ret += 2;
958                         itmp = i2d_OCSP_RESPID(id, &ret);
959                         /* write id len */
960                         s2n(itmp, q);
961                         }
962                 s2n(extlen, ret);
963                 if (extlen > 0)
964                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
965                 }
966
967 #ifndef OPENSSL_NO_HEARTBEATS
968         /* Add Heartbeat extension */
969         s2n(TLSEXT_TYPE_heartbeat,ret);
970         s2n(1,ret);
971         /* Set mode:
972          * 1: peer may send requests
973          * 2: peer not allowed to send requests
974          */
975         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
976                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
977         else
978                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
979 #endif
980
981 #ifndef OPENSSL_NO_NEXTPROTONEG
982         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
983                 {
984                 /* The client advertises an emtpy extension to indicate its
985                  * support for Next Protocol Negotiation */
986                 if (limit - ret - 4 < 0)
987                         return NULL;
988                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
989                 s2n(0,ret);
990                 }
991 #endif
992
993         if(SSL_get_srtp_profiles(s))
994                 {
995                 int el;
996
997                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
998                 
999                 if((limit - p - 4 - el) < 0) return NULL;
1000
1001                 s2n(TLSEXT_TYPE_use_srtp,ret);
1002                 s2n(el,ret);
1003
1004                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1005                         {
1006                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1007                         return NULL;
1008                         }
1009                 ret += el;
1010                 }
1011
1012         /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1013         /* 2 bytes for extension type */
1014         /* 2 bytes for extension length */
1015         /* 1 byte for the list length */
1016         /* 1 byte for the list (we only support audit proofs) */
1017         if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1018                 {
1019                 size_t lenmax;
1020                 const unsigned short ext_len = 2;
1021                 const unsigned char list_len = 1;
1022
1023                 if ((lenmax = limit - ret - 6) < 0) return NULL;
1024
1025                 s2n(TLSEXT_TYPE_server_authz, ret);
1026                 /* Extension length: 2 bytes */
1027                 s2n(ext_len, ret);
1028                 *(ret++) = list_len;
1029                 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1030                 }
1031
1032         if ((extdatalen = ret-p-2) == 0)
1033                 return p;
1034
1035         s2n(extdatalen,p);
1036         return ret;
1037         }
1038
1039 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1040         {
1041         int extdatalen=0;
1042         unsigned char *ret = p;
1043 #ifndef OPENSSL_NO_NEXTPROTONEG
1044         int next_proto_neg_seen;
1045 #endif
1046
1047         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1048         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1049                 return p;
1050         
1051         ret+=2;
1052         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1053
1054         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1055                 { 
1056                 if ((long)(limit - ret - 4) < 0) return NULL; 
1057
1058                 s2n(TLSEXT_TYPE_server_name,ret);
1059                 s2n(0,ret);
1060                 }
1061
1062         if(s->s3->send_connection_binding)
1063         {
1064           int el;
1065           
1066           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1067               {
1068               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1069               return NULL;
1070               }
1071
1072           if((limit - p - 4 - el) < 0) return NULL;
1073           
1074           s2n(TLSEXT_TYPE_renegotiate,ret);
1075           s2n(el,ret);
1076
1077           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1078               {
1079               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1080               return NULL;
1081               }
1082
1083           ret += el;
1084         }
1085
1086 #ifndef OPENSSL_NO_EC
1087         if (s->tlsext_ecpointformatlist != NULL &&
1088             s->version != DTLS1_VERSION)
1089                 {
1090                 /* Add TLS extension ECPointFormats to the ServerHello message */
1091                 long lenmax; 
1092
1093                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1094                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
1095                 if (s->tlsext_ecpointformatlist_length > 255)
1096                         {
1097                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1098                         return NULL;
1099                         }
1100                 
1101                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1102                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
1103                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
1104                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
1105                 ret+=s->tlsext_ecpointformatlist_length;
1106
1107                 }
1108         /* Currently the server should not respond with a SupportedCurves extension */
1109 #endif /* OPENSSL_NO_EC */
1110
1111         if (s->tlsext_ticket_expected
1112                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
1113                 { 
1114                 if ((long)(limit - ret - 4) < 0) return NULL; 
1115                 s2n(TLSEXT_TYPE_session_ticket,ret);
1116                 s2n(0,ret);
1117                 }
1118
1119         if (s->tlsext_status_expected)
1120                 { 
1121                 if ((long)(limit - ret - 4) < 0) return NULL; 
1122                 s2n(TLSEXT_TYPE_status_request,ret);
1123                 s2n(0,ret);
1124                 }
1125
1126 #ifdef TLSEXT_TYPE_opaque_prf_input
1127         if (s->s3->server_opaque_prf_input != NULL &&
1128             s->version != DTLS1_VERSION)
1129                 {
1130                 size_t sol = s->s3->server_opaque_prf_input_len;
1131                 
1132                 if ((long)(limit - ret - 6 - sol) < 0)
1133                         return NULL;
1134                 if (sol > 0xFFFD) /* can't happen */
1135                         return NULL;
1136
1137                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1138                 s2n(sol + 2, ret);
1139                 s2n(sol, ret);
1140                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1141                 ret += sol;
1142                 }
1143 #endif
1144
1145         if(s->srtp_profile)
1146                 {
1147                 int el;
1148
1149                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1150                 
1151                 if((limit - p - 4 - el) < 0) return NULL;
1152
1153                 s2n(TLSEXT_TYPE_use_srtp,ret);
1154                 s2n(el,ret);
1155
1156                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1157                         {
1158                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1159                         return NULL;
1160                         }
1161                 ret+=el;
1162                 }
1163
1164         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1165                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1166                 { const unsigned char cryptopro_ext[36] = {
1167                         0xfd, 0xe8, /*65000*/
1168                         0x00, 0x20, /*32 bytes length*/
1169                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1170                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1171                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1172                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1173                         if (limit-ret<36) return NULL;
1174                         memcpy(ret,cryptopro_ext,36);
1175                         ret+=36;
1176
1177                 }
1178
1179 #ifndef OPENSSL_NO_HEARTBEATS
1180         /* Add Heartbeat extension if we've received one */
1181         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1182                 {
1183                 s2n(TLSEXT_TYPE_heartbeat,ret);
1184                 s2n(1,ret);
1185                 /* Set mode:
1186                  * 1: peer may send requests
1187                  * 2: peer not allowed to send requests
1188                  */
1189                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1190                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1191                 else
1192                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1193
1194                 }
1195 #endif
1196
1197 #ifndef OPENSSL_NO_NEXTPROTONEG
1198         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1199         s->s3->next_proto_neg_seen = 0;
1200         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1201                 {
1202                 const unsigned char *npa;
1203                 unsigned int npalen;
1204                 int r;
1205
1206                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1207                 if (r == SSL_TLSEXT_ERR_OK)
1208                         {
1209                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1210                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1211                         s2n(npalen,ret);
1212                         memcpy(ret, npa, npalen);
1213                         ret += npalen;
1214                         s->s3->next_proto_neg_seen = 1;
1215                         }
1216                 }
1217 #endif
1218
1219         /* If the client supports authz then see whether we have any to offer
1220          * to it. */
1221         if (s->s3->tlsext_authz_client_types_len)
1222                 {
1223                 size_t authz_length;
1224                 /* By now we already know the new cipher, so we can look ahead
1225                  * to see whether the cert we are going to send
1226                  * has any authz data attached to it. */
1227                 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1228                 const unsigned char* const orig_authz = authz;
1229                 size_t i;
1230                 unsigned authz_count = 0;
1231
1232                 /* The authz data contains a number of the following structures:
1233                  *      uint8_t authz_type
1234                  *      uint16_t length
1235                  *      uint8_t data[length]
1236                  *
1237                  * First we walk over it to find the number of authz elements. */
1238                 for (i = 0; i < authz_length; i++)
1239                         {
1240                         unsigned short length;
1241                         unsigned char type;
1242
1243                         type = *(authz++);
1244                         if (memchr(s->s3->tlsext_authz_client_types,
1245                                    type,
1246                                    s->s3->tlsext_authz_client_types_len) != NULL)
1247                                 authz_count++;
1248
1249                         n2s(authz, length);
1250                         /* n2s increments authz by 2 */
1251                         i += 2;
1252                         authz += length;
1253                         i += length;
1254                         }
1255
1256                 if (authz_count)
1257                         {
1258                         /* Add TLS extension server_authz to the ServerHello message
1259                          * 2 bytes for extension type
1260                          * 2 bytes for extension length
1261                          * 1 byte for the list length
1262                          * n bytes for the list */
1263                         const unsigned short ext_len = 1 + authz_count;
1264
1265                         if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1266                         s2n(TLSEXT_TYPE_server_authz, ret);
1267                         s2n(ext_len, ret);
1268                         *(ret++) = authz_count;
1269                         s->s3->tlsext_authz_promised_to_client = 1;
1270                         }
1271
1272                 authz = orig_authz;
1273                 for (i = 0; i < authz_length; i++)
1274                         {
1275                         unsigned short length;
1276                         unsigned char type;
1277
1278                         authz_count++;
1279                         type = *(authz++);
1280                         if (memchr(s->s3->tlsext_authz_client_types,
1281                                    type,
1282                                    s->s3->tlsext_authz_client_types_len) != NULL)
1283                                 *(ret++) = type;
1284                         n2s(authz, length);
1285                         /* n2s increments authz by 2 */
1286                         i += 2;
1287                         authz += length;
1288                         i += length;
1289                         }
1290                 }
1291
1292         if ((extdatalen = ret-p-2)== 0) 
1293                 return p;
1294
1295         s2n(extdatalen,p);
1296         return ret;
1297         }
1298
1299 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1300         {       
1301         unsigned short type;
1302         unsigned short size;
1303         unsigned short len;
1304         unsigned char *data = *p;
1305         int renegotiate_seen = 0;
1306
1307         s->servername_done = 0;
1308         s->tlsext_status_type = -1;
1309 #ifndef OPENSSL_NO_NEXTPROTONEG
1310         s->s3->next_proto_neg_seen = 0;
1311 #endif
1312
1313 #ifndef OPENSSL_NO_HEARTBEATS
1314         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1315                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1316 #endif
1317         /* Clear any signature algorithms extension received */
1318         if (s->cert->peer_sigalgs)
1319                 {
1320                 OPENSSL_free(s->cert->peer_sigalgs);
1321                 s->cert->peer_sigalgs = NULL;
1322                 }
1323         /* Clear any shared sigtnature algorithms */
1324         if (s->cert->shared_sigalgs)
1325                 {
1326                 OPENSSL_free(s->cert->shared_sigalgs);
1327                 s->cert->shared_sigalgs = NULL;
1328                 }
1329
1330         if (data >= (d+n-2))
1331                 goto ri_check;
1332         n2s(data,len);
1333
1334         if (data > (d+n-len)) 
1335                 goto ri_check;
1336
1337         while (data <= (d+n-4))
1338                 {
1339                 n2s(data,type);
1340                 n2s(data,size);
1341
1342                 if (data+size > (d+n))
1343                         goto ri_check;
1344 #if 0
1345                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1346 #endif
1347                 if (s->tlsext_debug_cb)
1348                         s->tlsext_debug_cb(s, 0, type, data, size,
1349                                                 s->tlsext_debug_arg);
1350 /* The servername extension is treated as follows:
1351
1352    - Only the hostname type is supported with a maximum length of 255.
1353    - The servername is rejected if too long or if it contains zeros,
1354      in which case an fatal alert is generated.
1355    - The servername field is maintained together with the session cache.
1356    - When a session is resumed, the servername call back invoked in order
1357      to allow the application to position itself to the right context. 
1358    - The servername is acknowledged if it is new for a session or when 
1359      it is identical to a previously used for the same session. 
1360      Applications can control the behaviour.  They can at any time
1361      set a 'desirable' servername for a new SSL object. This can be the
1362      case for example with HTTPS when a Host: header field is received and
1363      a renegotiation is requested. In this case, a possible servername
1364      presented in the new client hello is only acknowledged if it matches
1365      the value of the Host: field. 
1366    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1367      if they provide for changing an explicit servername context for the session,
1368      i.e. when the session has been established with a servername extension. 
1369    - On session reconnect, the servername extension may be absent. 
1370
1371 */      
1372
1373                 if (type == TLSEXT_TYPE_server_name)
1374                         {
1375                         unsigned char *sdata;
1376                         int servname_type;
1377                         int dsize; 
1378                 
1379                         if (size < 2) 
1380                                 {
1381                                 *al = SSL_AD_DECODE_ERROR;
1382                                 return 0;
1383                                 }
1384                         n2s(data,dsize);  
1385                         size -= 2;
1386                         if (dsize > size  ) 
1387                                 {
1388                                 *al = SSL_AD_DECODE_ERROR;
1389                                 return 0;
1390                                 } 
1391
1392                         sdata = data;
1393                         while (dsize > 3) 
1394                                 {
1395                                 servname_type = *(sdata++); 
1396                                 n2s(sdata,len);
1397                                 dsize -= 3;
1398
1399                                 if (len > dsize) 
1400                                         {
1401                                         *al = SSL_AD_DECODE_ERROR;
1402                                         return 0;
1403                                         }
1404                                 if (s->servername_done == 0)
1405                                 switch (servname_type)
1406                                         {
1407                                 case TLSEXT_NAMETYPE_host_name:
1408                                         if (!s->hit)
1409                                                 {
1410                                                 if(s->session->tlsext_hostname)
1411                                                         {
1412                                                         *al = SSL_AD_DECODE_ERROR;
1413                                                         return 0;
1414                                                         }
1415                                                 if (len > TLSEXT_MAXLEN_host_name)
1416                                                         {
1417                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1418                                                         return 0;
1419                                                         }
1420                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1421                                                         {
1422                                                         *al = TLS1_AD_INTERNAL_ERROR;
1423                                                         return 0;
1424                                                         }
1425                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1426                                                 s->session->tlsext_hostname[len]='\0';
1427                                                 if (strlen(s->session->tlsext_hostname) != len) {
1428                                                         OPENSSL_free(s->session->tlsext_hostname);
1429                                                         s->session->tlsext_hostname = NULL;
1430                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1431                                                         return 0;
1432                                                 }
1433                                                 s->servername_done = 1; 
1434
1435                                                 }
1436                                         else 
1437                                                 s->servername_done = s->session->tlsext_hostname
1438                                                         && strlen(s->session->tlsext_hostname) == len 
1439                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1440                                         
1441                                         break;
1442
1443                                 default:
1444                                         break;
1445                                         }
1446                                  
1447                                 dsize -= len;
1448                                 }
1449                         if (dsize != 0) 
1450                                 {
1451                                 *al = SSL_AD_DECODE_ERROR;
1452                                 return 0;
1453                                 }
1454
1455                         }
1456 #ifndef OPENSSL_NO_SRP
1457                 else if (type == TLSEXT_TYPE_srp)
1458                         {
1459                         if (size <= 0 || ((len = data[0])) != (size -1))
1460                                 {
1461                                 *al = SSL_AD_DECODE_ERROR;
1462                                 return 0;
1463                                 }
1464                         if (s->srp_ctx.login != NULL)
1465                                 {
1466                                 *al = SSL_AD_DECODE_ERROR;
1467                                 return 0;
1468                                 }
1469                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1470                                 return -1;
1471                         memcpy(s->srp_ctx.login, &data[1], len);
1472                         s->srp_ctx.login[len]='\0';
1473   
1474                         if (strlen(s->srp_ctx.login) != len) 
1475                                 {
1476                                 *al = SSL_AD_DECODE_ERROR;
1477                                 return 0;
1478                                 }
1479                         }
1480 #endif
1481
1482 #ifndef OPENSSL_NO_EC
1483                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1484                      s->version != DTLS1_VERSION)
1485                         {
1486                         unsigned char *sdata = data;
1487                         int ecpointformatlist_length = *(sdata++);
1488
1489                         if (ecpointformatlist_length != size - 1)
1490                                 {
1491                                 *al = TLS1_AD_DECODE_ERROR;
1492                                 return 0;
1493                                 }
1494                         if (!s->hit)
1495                                 {
1496                                 if(s->session->tlsext_ecpointformatlist)
1497                                         {
1498                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1499                                         s->session->tlsext_ecpointformatlist = NULL;
1500                                         }
1501                                 s->session->tlsext_ecpointformatlist_length = 0;
1502                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1503                                         {
1504                                         *al = TLS1_AD_INTERNAL_ERROR;
1505                                         return 0;
1506                                         }
1507                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1508                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1509                                 }
1510 #if 0
1511                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1512                         sdata = s->session->tlsext_ecpointformatlist;
1513                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1514                                 fprintf(stderr,"%i ",*(sdata++));
1515                         fprintf(stderr,"\n");
1516 #endif
1517                         }
1518                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1519                      s->version != DTLS1_VERSION)
1520                         {
1521                         unsigned char *sdata = data;
1522                         int ellipticcurvelist_length = (*(sdata++) << 8);
1523                         ellipticcurvelist_length += (*(sdata++));
1524
1525                         if (ellipticcurvelist_length != size - 2)
1526                                 {
1527                                 *al = TLS1_AD_DECODE_ERROR;
1528                                 return 0;
1529                                 }
1530                         if (!s->hit)
1531                                 {
1532                                 if(s->session->tlsext_ellipticcurvelist)
1533                                         {
1534                                         *al = TLS1_AD_DECODE_ERROR;
1535                                         return 0;
1536                                         }
1537                                 s->session->tlsext_ellipticcurvelist_length = 0;
1538                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1539                                         {
1540                                         *al = TLS1_AD_INTERNAL_ERROR;
1541                                         return 0;
1542                                         }
1543                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1544                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1545                                 }
1546 #if 0
1547                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1548                         sdata = s->session->tlsext_ellipticcurvelist;
1549                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1550                                 fprintf(stderr,"%i ",*(sdata++));
1551                         fprintf(stderr,"\n");
1552 #endif
1553                         }
1554 #endif /* OPENSSL_NO_EC */
1555 #ifdef TLSEXT_TYPE_opaque_prf_input
1556                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1557                      s->version != DTLS1_VERSION)
1558                         {
1559                         unsigned char *sdata = data;
1560
1561                         if (size < 2)
1562                                 {
1563                                 *al = SSL_AD_DECODE_ERROR;
1564                                 return 0;
1565                                 }
1566                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1567                         if (s->s3->client_opaque_prf_input_len != size - 2)
1568                                 {
1569                                 *al = SSL_AD_DECODE_ERROR;
1570                                 return 0;
1571                                 }
1572
1573                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1574                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1575                         if (s->s3->client_opaque_prf_input_len == 0)
1576                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1577                         else
1578                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1579                         if (s->s3->client_opaque_prf_input == NULL)
1580                                 {
1581                                 *al = TLS1_AD_INTERNAL_ERROR;
1582                                 return 0;
1583                                 }
1584                         }
1585 #endif
1586                 else if (type == TLSEXT_TYPE_session_ticket)
1587                         {
1588                         if (s->tls_session_ticket_ext_cb &&
1589                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1590                                 {
1591                                 *al = TLS1_AD_INTERNAL_ERROR;
1592                                 return 0;
1593                                 }
1594                         }
1595                 else if (type == TLSEXT_TYPE_renegotiate)
1596                         {
1597                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1598                                 return 0;
1599                         renegotiate_seen = 1;
1600                         }
1601                 else if (type == TLSEXT_TYPE_signature_algorithms)
1602                         {
1603                         int dsize;
1604                         if (s->cert->peer_sigalgs || size < 2) 
1605                                 {
1606                                 *al = SSL_AD_DECODE_ERROR;
1607                                 return 0;
1608                                 }
1609                         n2s(data,dsize);
1610                         size -= 2;
1611                         if (dsize != size || dsize & 1 || !dsize) 
1612                                 {
1613                                 *al = SSL_AD_DECODE_ERROR;
1614                                 return 0;
1615                                 }
1616                         if (!tls1_process_sigalgs(s, data, dsize))
1617                                 {
1618                                 *al = SSL_AD_DECODE_ERROR;
1619                                 return 0;
1620                                 }
1621                         /* If sigalgs received and no shared algorithms fatal
1622                          * error.
1623                          */
1624                         if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
1625                                 {
1626                                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1627                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
1628                                 *al = SSL_AD_ILLEGAL_PARAMETER;
1629                                 return 0;
1630                                 }
1631                         }
1632                 else if (type == TLSEXT_TYPE_status_request &&
1633                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1634                         {
1635                 
1636                         if (size < 5) 
1637                                 {
1638                                 *al = SSL_AD_DECODE_ERROR;
1639                                 return 0;
1640                                 }
1641
1642                         s->tlsext_status_type = *data++;
1643                         size--;
1644                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1645                                 {
1646                                 const unsigned char *sdata;
1647                                 int dsize;
1648                                 /* Read in responder_id_list */
1649                                 n2s(data,dsize);
1650                                 size -= 2;
1651                                 if (dsize > size  ) 
1652                                         {
1653                                         *al = SSL_AD_DECODE_ERROR;
1654                                         return 0;
1655                                         }
1656                                 while (dsize > 0)
1657                                         {
1658                                         OCSP_RESPID *id;
1659                                         int idsize;
1660                                         if (dsize < 4)
1661                                                 {
1662                                                 *al = SSL_AD_DECODE_ERROR;
1663                                                 return 0;
1664                                                 }
1665                                         n2s(data, idsize);
1666                                         dsize -= 2 + idsize;
1667                                         size -= 2 + idsize;
1668                                         if (dsize < 0)
1669                                                 {
1670                                                 *al = SSL_AD_DECODE_ERROR;
1671                                                 return 0;
1672                                                 }
1673                                         sdata = data;
1674                                         data += idsize;
1675                                         id = d2i_OCSP_RESPID(NULL,
1676                                                                 &sdata, idsize);
1677                                         if (!id)
1678                                                 {
1679                                                 *al = SSL_AD_DECODE_ERROR;
1680                                                 return 0;
1681                                                 }
1682                                         if (data != sdata)
1683                                                 {
1684                                                 OCSP_RESPID_free(id);
1685                                                 *al = SSL_AD_DECODE_ERROR;
1686                                                 return 0;
1687                                                 }
1688                                         if (!s->tlsext_ocsp_ids
1689                                                 && !(s->tlsext_ocsp_ids =
1690                                                 sk_OCSP_RESPID_new_null()))
1691                                                 {
1692                                                 OCSP_RESPID_free(id);
1693                                                 *al = SSL_AD_INTERNAL_ERROR;
1694                                                 return 0;
1695                                                 }
1696                                         if (!sk_OCSP_RESPID_push(
1697                                                         s->tlsext_ocsp_ids, id))
1698                                                 {
1699                                                 OCSP_RESPID_free(id);
1700                                                 *al = SSL_AD_INTERNAL_ERROR;
1701                                                 return 0;
1702                                                 }
1703                                         }
1704
1705                                 /* Read in request_extensions */
1706                                 if (size < 2)
1707                                         {
1708                                         *al = SSL_AD_DECODE_ERROR;
1709                                         return 0;
1710                                         }
1711                                 n2s(data,dsize);
1712                                 size -= 2;
1713                                 if (dsize != size)
1714                                         {
1715                                         *al = SSL_AD_DECODE_ERROR;
1716                                         return 0;
1717                                         }
1718                                 sdata = data;
1719                                 if (dsize > 0)
1720                                         {
1721                                         if (s->tlsext_ocsp_exts)
1722                                                 {
1723                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1724                                                                            X509_EXTENSION_free);
1725                                                 }
1726
1727                                         s->tlsext_ocsp_exts =
1728                                                 d2i_X509_EXTENSIONS(NULL,
1729                                                         &sdata, dsize);
1730                                         if (!s->tlsext_ocsp_exts
1731                                                 || (data + dsize != sdata))
1732                                                 {
1733                                                 *al = SSL_AD_DECODE_ERROR;
1734                                                 return 0;
1735                                                 }
1736                                         }
1737                                 }
1738                                 /* We don't know what to do with any other type
1739                                 * so ignore it.
1740                                 */
1741                                 else
1742                                         s->tlsext_status_type = -1;
1743                         }
1744 #ifndef OPENSSL_NO_HEARTBEATS
1745                 else if (type == TLSEXT_TYPE_heartbeat)
1746                         {
1747                         switch(data[0])
1748                                 {
1749                                 case 0x01:      /* Client allows us to send HB requests */
1750                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1751                                                         break;
1752                                 case 0x02:      /* Client doesn't accept HB requests */
1753                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1754                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1755                                                         break;
1756                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1757                                                         return 0;
1758                                 }
1759                         }
1760 #endif
1761 #ifndef OPENSSL_NO_NEXTPROTONEG
1762                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1763                          s->s3->tmp.finish_md_len == 0)
1764                         {
1765                         /* We shouldn't accept this extension on a
1766                          * renegotiation.
1767                          *
1768                          * s->new_session will be set on renegotiation, but we
1769                          * probably shouldn't rely that it couldn't be set on
1770                          * the initial renegotation too in certain cases (when
1771                          * there's some other reason to disallow resuming an
1772                          * earlier session -- the current code won't be doing
1773                          * anything like that, but this might change).
1774
1775                          * A valid sign that there's been a previous handshake
1776                          * in this connection is if s->s3->tmp.finish_md_len >
1777                          * 0.  (We are talking about a check that will happen
1778                          * in the Hello protocol round, well before a new
1779                          * Finished message could have been computed.) */
1780                         s->s3->next_proto_neg_seen = 1;
1781                         }
1782 #endif
1783
1784                 /* session ticket processed earlier */
1785                 else if (type == TLSEXT_TYPE_use_srtp)
1786                         {
1787                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1788                                                               al))
1789                                 return 0;
1790                         }
1791
1792                 else if (type == TLSEXT_TYPE_server_authz)
1793                         {
1794                         unsigned char *sdata = data;
1795                         unsigned char server_authz_dataformatlist_length;
1796
1797                         if (size == 0)
1798                                 {
1799                                 *al = TLS1_AD_DECODE_ERROR;
1800                                 return 0;
1801                                 }
1802
1803                         server_authz_dataformatlist_length = *(sdata++);
1804
1805                         if (server_authz_dataformatlist_length != size - 1)
1806                                 {
1807                                 *al = TLS1_AD_DECODE_ERROR;
1808                                 return 0;
1809                                 }
1810
1811                         /* Successful session resumption uses the same authz
1812                          * information as the original session so we ignore this
1813                          * in the case of a session resumption. */
1814                         if (!s->hit)
1815                                 {
1816                                 size_t i;
1817                                 if (s->s3->tlsext_authz_client_types != NULL)
1818                                         OPENSSL_free(s->s3->tlsext_authz_client_types);
1819                                 s->s3->tlsext_authz_client_types =
1820                                         OPENSSL_malloc(server_authz_dataformatlist_length);
1821                                 if (!s->s3->tlsext_authz_client_types)
1822                                         {
1823                                         *al = TLS1_AD_INTERNAL_ERROR;
1824                                         return 0;
1825                                         }
1826
1827                                 s->s3->tlsext_authz_client_types_len =
1828                                         server_authz_dataformatlist_length;
1829                                 memcpy(s->s3->tlsext_authz_client_types,
1830                                        sdata,
1831                                        server_authz_dataformatlist_length);
1832
1833                                 /* Sort the types in order to check for duplicates. */
1834                                 qsort(s->s3->tlsext_authz_client_types,
1835                                       server_authz_dataformatlist_length,
1836                                       1 /* element size */,
1837                                       byte_compare);
1838
1839                                 for (i = 0; i < server_authz_dataformatlist_length; i++)
1840                                         {
1841                                         if (i > 0 &&
1842                                             s->s3->tlsext_authz_client_types[i] ==
1843                                               s->s3->tlsext_authz_client_types[i-1])
1844                                                 {
1845                                                 *al = TLS1_AD_DECODE_ERROR;
1846                                                 return 0;
1847                                                 }
1848                                         }
1849                                 }
1850                         }
1851
1852                 data+=size;
1853                 }
1854
1855         *p = data;
1856
1857         ri_check:
1858
1859         /* Need RI if renegotiating */
1860
1861         if (!renegotiate_seen && s->renegotiate &&
1862                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1863                 {
1864                 *al = SSL_AD_HANDSHAKE_FAILURE;
1865                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1866                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1867                 return 0;
1868                 }
1869         /* If no signature algorithms extension set default values */
1870         if (!s->cert->peer_sigalgs)
1871                 ssl_cert_set_default_md(s->cert);
1872
1873         return 1;
1874         }
1875
1876 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
1877         {
1878         int al = -1;
1879         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
1880                 {
1881                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1882                 return 0;
1883                 }
1884
1885         if (ssl_check_clienthello_tlsext(s) <= 0) 
1886                 {
1887                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
1888                 return 0;
1889                 }
1890         return 1;
1891 }
1892
1893 #ifndef OPENSSL_NO_NEXTPROTONEG
1894 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1895  * elements of zero length are allowed and the set of elements must exactly fill
1896  * the length of the block. */
1897 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1898         {
1899         unsigned int off = 0;
1900
1901         while (off < len)
1902                 {
1903                 if (d[off] == 0)
1904                         return 0;
1905                 off += d[off];
1906                 off++;
1907                 }
1908
1909         return off == len;
1910         }
1911 #endif
1912
1913 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1914         {
1915         unsigned short length;
1916         unsigned short type;
1917         unsigned short size;
1918         unsigned char *data = *p;
1919         int tlsext_servername = 0;
1920         int renegotiate_seen = 0;
1921
1922 #ifndef OPENSSL_NO_NEXTPROTONEG
1923         s->s3->next_proto_neg_seen = 0;
1924 #endif
1925
1926 #ifndef OPENSSL_NO_HEARTBEATS
1927         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1928                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1929 #endif
1930
1931         if (data >= (d+n-2))
1932                 goto ri_check;
1933
1934         n2s(data,length);
1935         if (data+length != d+n)
1936                 {
1937                 *al = SSL_AD_DECODE_ERROR;
1938                 return 0;
1939                 }
1940
1941         while(data <= (d+n-4))
1942                 {
1943                 n2s(data,type);
1944                 n2s(data,size);
1945
1946                 if (data+size > (d+n))
1947                         goto ri_check;
1948
1949                 if (s->tlsext_debug_cb)
1950                         s->tlsext_debug_cb(s, 1, type, data, size,
1951                                                 s->tlsext_debug_arg);
1952
1953                 if (type == TLSEXT_TYPE_server_name)
1954                         {
1955                         if (s->tlsext_hostname == NULL || size > 0)
1956                                 {
1957                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1958                                 return 0;
1959                                 }
1960                         tlsext_servername = 1;   
1961                         }
1962
1963 #ifndef OPENSSL_NO_EC
1964                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1965                      s->version != DTLS1_VERSION)
1966                         {
1967                         unsigned char *sdata = data;
1968                         int ecpointformatlist_length = *(sdata++);
1969
1970                         if (ecpointformatlist_length != size - 1)
1971                                 {
1972                                 *al = TLS1_AD_DECODE_ERROR;
1973                                 return 0;
1974                                 }
1975                         s->session->tlsext_ecpointformatlist_length = 0;
1976                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1977                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1978                                 {
1979                                 *al = TLS1_AD_INTERNAL_ERROR;
1980                                 return 0;
1981                                 }
1982                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1983                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1984 #if 0
1985                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1986                         sdata = s->session->tlsext_ecpointformatlist;
1987                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1988                                 fprintf(stderr,"%i ",*(sdata++));
1989                         fprintf(stderr,"\n");
1990 #endif
1991                         }
1992 #endif /* OPENSSL_NO_EC */
1993
1994                 else if (type == TLSEXT_TYPE_session_ticket)
1995                         {
1996                         if (s->tls_session_ticket_ext_cb &&
1997                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1998                                 {
1999                                 *al = TLS1_AD_INTERNAL_ERROR;
2000                                 return 0;
2001                                 }
2002                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2003                                 || (size > 0))
2004                                 {
2005                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2006                                 return 0;
2007                                 }
2008                         s->tlsext_ticket_expected = 1;
2009                         }
2010 #ifdef TLSEXT_TYPE_opaque_prf_input
2011                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
2012                      s->version != DTLS1_VERSION)
2013                         {
2014                         unsigned char *sdata = data;
2015
2016                         if (size < 2)
2017                                 {
2018                                 *al = SSL_AD_DECODE_ERROR;
2019                                 return 0;
2020                                 }
2021                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2022                         if (s->s3->server_opaque_prf_input_len != size - 2)
2023                                 {
2024                                 *al = SSL_AD_DECODE_ERROR;
2025                                 return 0;
2026                                 }
2027                         
2028                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2029                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2030                         if (s->s3->server_opaque_prf_input_len == 0)
2031                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2032                         else
2033                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2034
2035                         if (s->s3->server_opaque_prf_input == NULL)
2036                                 {
2037                                 *al = TLS1_AD_INTERNAL_ERROR;
2038                                 return 0;
2039                                 }
2040                         }
2041 #endif
2042                 else if (type == TLSEXT_TYPE_status_request &&
2043                          s->version != DTLS1_VERSION)
2044                         {
2045                         /* MUST be empty and only sent if we've requested
2046                          * a status request message.
2047                          */ 
2048                         if ((s->tlsext_status_type == -1) || (size > 0))
2049                                 {
2050                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2051                                 return 0;
2052                                 }
2053                         /* Set flag to expect CertificateStatus message */
2054                         s->tlsext_status_expected = 1;
2055                         }
2056 #ifndef OPENSSL_NO_NEXTPROTONEG
2057                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2058                          s->s3->tmp.finish_md_len == 0)
2059                         {
2060                         unsigned char *selected;
2061                         unsigned char selected_len;
2062
2063                         /* We must have requested it. */
2064                         if ((s->ctx->next_proto_select_cb == NULL))
2065                                 {
2066                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2067                                 return 0;
2068                                 }
2069                         /* The data must be valid */
2070                         if (!ssl_next_proto_validate(data, size))
2071                                 {
2072                                 *al = TLS1_AD_DECODE_ERROR;
2073                                 return 0;
2074                                 }
2075                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2076                                 {
2077                                 *al = TLS1_AD_INTERNAL_ERROR;
2078                                 return 0;
2079                                 }
2080                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2081                         if (!s->next_proto_negotiated)
2082                                 {
2083                                 *al = TLS1_AD_INTERNAL_ERROR;
2084                                 return 0;
2085                                 }
2086                         memcpy(s->next_proto_negotiated, selected, selected_len);
2087                         s->next_proto_negotiated_len = selected_len;
2088                         s->s3->next_proto_neg_seen = 1;
2089                         }
2090 #endif
2091                 else if (type == TLSEXT_TYPE_renegotiate)
2092                         {
2093                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2094                                 return 0;
2095                         renegotiate_seen = 1;
2096                         }
2097 #ifndef OPENSSL_NO_HEARTBEATS
2098                 else if (type == TLSEXT_TYPE_heartbeat)
2099                         {
2100                         switch(data[0])
2101                                 {
2102                                 case 0x01:      /* Server allows us to send HB requests */
2103                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2104                                                         break;
2105                                 case 0x02:      /* Server doesn't accept HB requests */
2106                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2107                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2108                                                         break;
2109                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2110                                                         return 0;
2111                                 }
2112                         }
2113 #endif
2114                 else if (type == TLSEXT_TYPE_use_srtp)
2115                         {
2116                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2117                                                               al))
2118                                 return 0;
2119                         }
2120
2121                 else if (type == TLSEXT_TYPE_server_authz)
2122                         {
2123                         /* We only support audit proofs. It's an error to send
2124                          * an authz hello extension if the client
2125                          * didn't request a proof. */
2126                         unsigned char *sdata = data;
2127                         unsigned char server_authz_dataformatlist_length;
2128
2129                         if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2130                                 {
2131                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2132                                 return 0;
2133                                 }
2134
2135                         if (!size)
2136                                 {
2137                                 *al = TLS1_AD_DECODE_ERROR;
2138                                 return 0;
2139                                 }
2140
2141                         server_authz_dataformatlist_length = *(sdata++);
2142                         if (server_authz_dataformatlist_length != size - 1)
2143                                 {
2144                                 *al = TLS1_AD_DECODE_ERROR;
2145                                 return 0;
2146                                 }
2147
2148                         /* We only support audit proofs, so a legal ServerHello
2149                          * authz list contains exactly one entry. */
2150                         if (server_authz_dataformatlist_length != 1 ||
2151                                 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2152                                 {
2153                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2154                                 return 0;
2155                                 }
2156
2157                         s->s3->tlsext_authz_server_promised = 1;
2158                         }
2159  
2160                 data += size;
2161                 }
2162
2163         if (data != d+n)
2164                 {
2165                 *al = SSL_AD_DECODE_ERROR;
2166                 return 0;
2167                 }
2168
2169         if (!s->hit && tlsext_servername == 1)
2170                 {
2171                 if (s->tlsext_hostname)
2172                         {
2173                         if (s->session->tlsext_hostname == NULL)
2174                                 {
2175                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2176                                 if (!s->session->tlsext_hostname)
2177                                         {
2178                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2179                                         return 0;
2180                                         }
2181                                 }
2182                         else 
2183                                 {
2184                                 *al = SSL_AD_DECODE_ERROR;
2185                                 return 0;
2186                                 }
2187                         }
2188                 }
2189
2190         *p = data;
2191
2192         ri_check:
2193
2194         /* Determine if we need to see RI. Strictly speaking if we want to
2195          * avoid an attack we should *always* see RI even on initial server
2196          * hello because the client doesn't see any renegotiation during an
2197          * attack. However this would mean we could not connect to any server
2198          * which doesn't support RI so for the immediate future tolerate RI
2199          * absence on initial connect only.
2200          */
2201         if (!renegotiate_seen
2202                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2203                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2204                 {
2205                 *al = SSL_AD_HANDSHAKE_FAILURE;
2206                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2207                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2208                 return 0;
2209                 }
2210
2211         return 1;
2212         }
2213
2214
2215 int ssl_prepare_clienthello_tlsext(SSL *s)
2216         {
2217
2218 #ifdef TLSEXT_TYPE_opaque_prf_input
2219         {
2220                 int r = 1;
2221         
2222                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2223                         {
2224                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2225                         if (!r)
2226                                 return -1;
2227                         }
2228
2229                 if (s->tlsext_opaque_prf_input != NULL)
2230                         {
2231                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2232                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2233
2234                         if (s->tlsext_opaque_prf_input_len == 0)
2235                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2236                         else
2237                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2238                         if (s->s3->client_opaque_prf_input == NULL)
2239                                 {
2240                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2241                                 return -1;
2242                                 }
2243                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2244                         }
2245
2246                 if (r == 2)
2247                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2248                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2249         }
2250 #endif
2251
2252         return 1;
2253         }
2254
2255 int ssl_prepare_serverhello_tlsext(SSL *s)
2256         {
2257 #ifndef OPENSSL_NO_EC
2258         /* If we are server and using an ECC cipher suite, send the point formats we support 
2259          * if the client sent us an ECPointsFormat extension.  Note that the server is not
2260          * supposed to send an EllipticCurves extension.
2261          */
2262
2263         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2264         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2265         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
2266         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
2267         
2268         if (using_ecc)
2269                 {
2270                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
2271                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
2272                         {
2273                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2274                         return -1;
2275                         }
2276                 s->tlsext_ecpointformatlist_length = 3;
2277                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
2278                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
2279                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2280                 }
2281 #endif /* OPENSSL_NO_EC */
2282
2283         return 1;
2284         }
2285
2286 static int ssl_check_clienthello_tlsext(SSL *s)
2287         {
2288         int ret=SSL_TLSEXT_ERR_NOACK;
2289         int al = SSL_AD_UNRECOGNIZED_NAME;
2290
2291 #ifndef OPENSSL_NO_EC
2292         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2293          * ssl3_choose_cipher in s3_lib.c.
2294          */
2295         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2296          * ssl3_choose_cipher in s3_lib.c.
2297          */
2298 #endif
2299
2300         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2301                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2302         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2303                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2304
2305         /* If status request then ask callback what to do.
2306          * Note: this must be called after servername callbacks in case 
2307          * the certificate has changed.
2308          */
2309         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2310                 {
2311                 int r;
2312                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2313                 switch (r)
2314                         {
2315                         /* We don't want to send a status request response */
2316                         case SSL_TLSEXT_ERR_NOACK:
2317                                 s->tlsext_status_expected = 0;
2318                                 break;
2319                         /* status request response should be sent */
2320                         case SSL_TLSEXT_ERR_OK:
2321                                 if (s->tlsext_ocsp_resp)
2322                                         s->tlsext_status_expected = 1;
2323                                 else
2324                                         s->tlsext_status_expected = 0;
2325                                 break;
2326                         /* something bad happened */
2327                         case SSL_TLSEXT_ERR_ALERT_FATAL:
2328                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2329                                 al = SSL_AD_INTERNAL_ERROR;
2330                                 goto err;
2331                         }
2332                 }
2333         else
2334                 s->tlsext_status_expected = 0;
2335
2336 #ifdef TLSEXT_TYPE_opaque_prf_input
2337         {
2338                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2339                  * but we might be sending an alert in response to the client hello,
2340                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
2341
2342                 int r = 1;
2343         
2344                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2345                         {
2346                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2347                         if (!r)
2348                                 {
2349                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2350                                 al = SSL_AD_INTERNAL_ERROR;
2351                                 goto err;
2352                                 }
2353                         }
2354
2355                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2356                         OPENSSL_free(s->s3->server_opaque_prf_input);
2357                 s->s3->server_opaque_prf_input = NULL;
2358
2359                 if (s->tlsext_opaque_prf_input != NULL)
2360                         {
2361                         if (s->s3->client_opaque_prf_input != NULL &&
2362                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2363                                 {
2364                                 /* can only use this extension if we have a server opaque PRF input
2365                                  * of the same length as the client opaque PRF input! */
2366
2367                                 if (s->tlsext_opaque_prf_input_len == 0)
2368                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2369                                 else
2370                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2371                                 if (s->s3->server_opaque_prf_input == NULL)
2372                                         {
2373                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2374                                         al = SSL_AD_INTERNAL_ERROR;
2375                                         goto err;
2376                                         }
2377                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2378                                 }
2379                         }
2380
2381                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2382                         {
2383                         /* The callback wants to enforce use of the extension,
2384                          * but we can't do that with the client opaque PRF input;
2385                          * abort the handshake.
2386                          */
2387                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2388                         al = SSL_AD_HANDSHAKE_FAILURE;
2389                         }
2390         }
2391
2392 #endif
2393  err:
2394         switch (ret)
2395                 {
2396                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2397                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2398                         return -1;
2399
2400                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2401                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2402                         return 1; 
2403                                         
2404                 case SSL_TLSEXT_ERR_NOACK:
2405                         s->servername_done=0;
2406                         default:
2407                 return 1;
2408                 }
2409         }
2410
2411 int ssl_check_serverhello_tlsext(SSL *s)
2412         {
2413         int ret=SSL_TLSEXT_ERR_NOACK;
2414         int al = SSL_AD_UNRECOGNIZED_NAME;
2415
2416 #ifndef OPENSSL_NO_EC
2417         /* If we are client and using an elliptic curve cryptography cipher
2418          * suite, then if server returns an EC point formats lists extension
2419          * it must contain uncompressed.
2420          */
2421         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2422         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2423         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
2424             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
2425             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2426                 {
2427                 /* we are using an ECC cipher */
2428                 size_t i;
2429                 unsigned char *list;
2430                 int found_uncompressed = 0;
2431                 list = s->session->tlsext_ecpointformatlist;
2432                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2433                         {
2434                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2435                                 {
2436                                 found_uncompressed = 1;
2437                                 break;
2438                                 }
2439                         }
2440                 if (!found_uncompressed)
2441                         {
2442                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2443                         return -1;
2444                         }
2445                 }
2446         ret = SSL_TLSEXT_ERR_OK;
2447 #endif /* OPENSSL_NO_EC */
2448
2449         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2450                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2451         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2452                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2453
2454 #ifdef TLSEXT_TYPE_opaque_prf_input
2455         if (s->s3->server_opaque_prf_input_len > 0)
2456                 {
2457                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2458                  * So first verify that we really have a value from the server too. */
2459
2460                 if (s->s3->server_opaque_prf_input == NULL)
2461                         {
2462                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2463                         al = SSL_AD_HANDSHAKE_FAILURE;
2464                         }
2465                 
2466                 /* Anytime the server *has* sent an opaque PRF input, we need to check
2467                  * that we have a client opaque PRF input of the same size. */
2468                 if (s->s3->client_opaque_prf_input == NULL ||
2469                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2470                         {
2471                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2472                         al = SSL_AD_ILLEGAL_PARAMETER;
2473                         }
2474                 }
2475 #endif
2476
2477         /* If we've requested certificate status and we wont get one
2478          * tell the callback
2479          */
2480         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2481                         && s->ctx && s->ctx->tlsext_status_cb)
2482                 {
2483                 int r;
2484                 /* Set resp to NULL, resplen to -1 so callback knows
2485                  * there is no response.
2486                  */
2487                 if (s->tlsext_ocsp_resp)
2488                         {
2489                         OPENSSL_free(s->tlsext_ocsp_resp);
2490                         s->tlsext_ocsp_resp = NULL;
2491                         }
2492                 s->tlsext_ocsp_resplen = -1;
2493                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2494                 if (r == 0)
2495                         {
2496                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2497                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2498                         }
2499                 if (r < 0)
2500                         {
2501                         al = SSL_AD_INTERNAL_ERROR;
2502                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2503                         }
2504                 }
2505
2506         switch (ret)
2507                 {
2508                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2509                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2510                         return -1;
2511
2512                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2513                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2514                         return 1; 
2515                                         
2516                 case SSL_TLSEXT_ERR_NOACK:
2517                         s->servername_done=0;
2518                         default:
2519                 return 1;
2520                 }
2521         }
2522
2523 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2524         {
2525         int al = -1;
2526         if (s->version < SSL3_VERSION)
2527                 return 1;
2528         if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
2529                 {
2530                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2531                 return 0;
2532                 }
2533
2534         if (ssl_check_serverhello_tlsext(s) <= 0) 
2535                 {
2536                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
2537                 return 0;
2538                 }
2539         return 1;
2540 }
2541
2542 /* Since the server cache lookup is done early on in the processing of the
2543  * ClientHello, and other operations depend on the result, we need to handle
2544  * any TLS session ticket extension at the same time.
2545  *
2546  *   session_id: points at the session ID in the ClientHello. This code will
2547  *       read past the end of this in order to parse out the session ticket
2548  *       extension, if any.
2549  *   len: the length of the session ID.
2550  *   limit: a pointer to the first byte after the ClientHello.
2551  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2552  *       point to the resulting session.
2553  *
2554  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2555  * ciphersuite, in which case we have no use for session tickets and one will
2556  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2557  *
2558  * Returns:
2559  *   -1: fatal error, either from parsing or decrypting the ticket.
2560  *    0: no ticket was found (or was ignored, based on settings).
2561  *    1: a zero length extension was found, indicating that the client supports
2562  *       session tickets but doesn't currently have one to offer.
2563  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2564  *       couldn't be decrypted because of a non-fatal error.
2565  *    3: a ticket was successfully decrypted and *ret was set.
2566  *
2567  * Side effects:
2568  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2569  *   a new session ticket to the client because the client indicated support
2570  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2571  *   a session ticket or we couldn't use the one it gave us, or if
2572  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2573  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2574  */
2575 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2576                         const unsigned char *limit, SSL_SESSION **ret)
2577         {
2578         /* Point after session ID in client hello */
2579         const unsigned char *p = session_id + len;
2580         unsigned short i;
2581
2582         *ret = NULL;
2583         s->tlsext_ticket_expected = 0;
2584
2585         /* If tickets disabled behave as if no ticket present
2586          * to permit stateful resumption.
2587          */
2588         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2589                 return 0;
2590         if ((s->version <= SSL3_VERSION) || !limit)
2591                 return 0;
2592         if (p >= limit)
2593                 return -1;
2594         /* Skip past DTLS cookie */
2595         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2596                 {
2597                 i = *(p++);
2598                 p+= i;
2599                 if (p >= limit)
2600                         return -1;
2601                 }
2602         /* Skip past cipher list */
2603         n2s(p, i);
2604         p+= i;
2605         if (p >= limit)
2606                 return -1;
2607         /* Skip past compression algorithm list */
2608         i = *(p++);
2609         p += i;
2610         if (p > limit)
2611                 return -1;
2612         /* Now at start of extensions */
2613         if ((p + 2) >= limit)
2614                 return 0;
2615         n2s(p, i);
2616         while ((p + 4) <= limit)
2617                 {
2618                 unsigned short type, size;
2619                 n2s(p, type);
2620                 n2s(p, size);
2621                 if (p + size > limit)
2622                         return 0;
2623                 if (type == TLSEXT_TYPE_session_ticket)
2624                         {
2625                         int r;
2626                         if (size == 0)
2627                                 {
2628                                 /* The client will accept a ticket but doesn't
2629                                  * currently have one. */
2630                                 s->tlsext_ticket_expected = 1;
2631                                 return 1;
2632                                 }
2633                         if (s->tls_session_secret_cb)
2634                                 {
2635                                 /* Indicate that the ticket couldn't be
2636                                  * decrypted rather than generating the session
2637                                  * from ticket now, trigger abbreviated
2638                                  * handshake based on external mechanism to
2639                                  * calculate the master secret later. */
2640                                 return 2;
2641                                 }
2642                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2643                         switch (r)
2644                                 {
2645                                 case 2: /* ticket couldn't be decrypted */
2646                                         s->tlsext_ticket_expected = 1;
2647                                         return 2;
2648                                 case 3: /* ticket was decrypted */
2649                                         return r;
2650                                 case 4: /* ticket decrypted but need to renew */
2651                                         s->tlsext_ticket_expected = 1;
2652                                         return 3;
2653                                 default: /* fatal error */
2654                                         return -1;
2655                                 }
2656                         }
2657                 p += size;
2658                 }
2659         return 0;
2660         }
2661
2662 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2663  *
2664  *   etick: points to the body of the session ticket extension.
2665  *   eticklen: the length of the session tickets extenion.
2666  *   sess_id: points at the session ID.
2667  *   sesslen: the length of the session ID.
2668  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2669  *       point to the resulting session.
2670  *
2671  * Returns:
2672  *   -1: fatal error, either from parsing or decrypting the ticket.
2673  *    2: the ticket couldn't be decrypted.
2674  *    3: a ticket was successfully decrypted and *psess was set.
2675  *    4: same as 3, but the ticket needs to be renewed.
2676  */
2677 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2678                                 const unsigned char *sess_id, int sesslen,
2679                                 SSL_SESSION **psess)
2680         {
2681         SSL_SESSION *sess;
2682         unsigned char *sdec;
2683         const unsigned char *p;
2684         int slen, mlen, renew_ticket = 0;
2685         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2686         HMAC_CTX hctx;
2687         EVP_CIPHER_CTX ctx;
2688         SSL_CTX *tctx = s->initial_ctx;
2689         /* Need at least keyname + iv + some encrypted data */
2690         if (eticklen < 48)
2691                 return 2;
2692         /* Initialize session ticket encryption and HMAC contexts */
2693         HMAC_CTX_init(&hctx);
2694         EVP_CIPHER_CTX_init(&ctx);
2695         if (tctx->tlsext_ticket_key_cb)
2696                 {
2697                 unsigned char *nctick = (unsigned char *)etick;
2698                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2699                                                         &ctx, &hctx, 0);
2700                 if (rv < 0)
2701                         return -1;
2702                 if (rv == 0)
2703                         return 2;
2704                 if (rv == 2)
2705                         renew_ticket = 1;
2706                 }
2707         else
2708                 {
2709                 /* Check key name matches */
2710                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2711                         return 2;
2712                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2713                                         tlsext_tick_md(), NULL);
2714                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2715                                 tctx->tlsext_tick_aes_key, etick + 16);
2716                 }
2717         /* Attempt to process session ticket, first conduct sanity and
2718          * integrity checks on ticket.
2719          */
2720         mlen = HMAC_size(&hctx);
2721         if (mlen < 0)
2722                 {
2723                 EVP_CIPHER_CTX_cleanup(&ctx);
2724                 return -1;
2725                 }
2726         eticklen -= mlen;
2727         /* Check HMAC of encrypted ticket */
2728         HMAC_Update(&hctx, etick, eticklen);
2729         HMAC_Final(&hctx, tick_hmac, NULL);
2730         HMAC_CTX_cleanup(&hctx);
2731         if (memcmp(tick_hmac, etick + eticklen, mlen))
2732                 return 2;
2733         /* Attempt to decrypt session data */
2734         /* Move p after IV to start of encrypted ticket, update length */
2735         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2736         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2737         sdec = OPENSSL_malloc(eticklen);
2738         if (!sdec)
2739                 {
2740                 EVP_CIPHER_CTX_cleanup(&ctx);
2741                 return -1;
2742                 }
2743         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2744         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2745                 return 2;
2746         slen += mlen;
2747         EVP_CIPHER_CTX_cleanup(&ctx);
2748         p = sdec;
2749
2750         sess = d2i_SSL_SESSION(NULL, &p, slen);
2751         OPENSSL_free(sdec);
2752         if (sess)
2753                 {
2754                 /* The session ID, if non-empty, is used by some clients to
2755                  * detect that the ticket has been accepted. So we copy it to
2756                  * the session structure. If it is empty set length to zero
2757                  * as required by standard.
2758                  */
2759                 if (sesslen)
2760                         memcpy(sess->session_id, sess_id, sesslen);
2761                 sess->session_id_length = sesslen;
2762                 *psess = sess;
2763                 if (renew_ticket)
2764                         return 4;
2765                 else
2766                         return 3;
2767                 }
2768         ERR_clear_error();
2769         /* For session parse failure, indicate that we need to send a new
2770          * ticket. */
2771         return 2;
2772         }
2773
2774 /* Tables to translate from NIDs to TLS v1.2 ids */
2775
2776 typedef struct 
2777         {
2778         int nid;
2779         int id;
2780         } tls12_lookup;
2781
2782 static tls12_lookup tls12_md[] = {
2783         {NID_md5, TLSEXT_hash_md5},
2784         {NID_sha1, TLSEXT_hash_sha1},
2785         {NID_sha224, TLSEXT_hash_sha224},
2786         {NID_sha256, TLSEXT_hash_sha256},
2787         {NID_sha384, TLSEXT_hash_sha384},
2788         {NID_sha512, TLSEXT_hash_sha512}
2789 };
2790
2791 static tls12_lookup tls12_sig[] = {
2792         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2793         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2794         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2795 };
2796
2797 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2798         {
2799         size_t i;
2800         for (i = 0; i < tlen; i++)
2801                 {
2802                 if (table[i].nid == nid)
2803                         return table[i].id;
2804                 }
2805         return -1;
2806         }
2807
2808 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2809         {
2810         size_t i;
2811         for (i = 0; i < tlen; i++)
2812                 {
2813                 if ((table[i].id) == id)
2814                         return table[i].nid;
2815                 }
2816         return NID_undef;
2817         }
2818
2819 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2820         {
2821         int sig_id, md_id;
2822         if (!md)
2823                 return 0;
2824         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2825                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2826         if (md_id == -1)
2827                 return 0;
2828         sig_id = tls12_get_sigid(pk);
2829         if (sig_id == -1)
2830                 return 0;
2831         p[0] = (unsigned char)md_id;
2832         p[1] = (unsigned char)sig_id;
2833         return 1;
2834         }
2835
2836 int tls12_get_sigid(const EVP_PKEY *pk)
2837         {
2838         return tls12_find_id(pk->type, tls12_sig,
2839                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2840         }
2841
2842 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2843         {
2844         switch(hash_alg)
2845                 {
2846 #ifndef OPENSSL_NO_MD5
2847                 case TLSEXT_hash_md5:
2848 #ifdef OPENSSL_FIPS
2849                 if (FIPS_mode())
2850                         return NULL;
2851 #endif
2852                 return EVP_md5();
2853 #endif
2854 #ifndef OPENSSL_NO_SHA
2855                 case TLSEXT_hash_sha1:
2856                 return EVP_sha1();
2857 #endif
2858 #ifndef OPENSSL_NO_SHA256
2859                 case TLSEXT_hash_sha224:
2860                 return EVP_sha224();
2861
2862                 case TLSEXT_hash_sha256:
2863                 return EVP_sha256();
2864 #endif
2865 #ifndef OPENSSL_NO_SHA512
2866                 case TLSEXT_hash_sha384:
2867                 return EVP_sha384();
2868
2869                 case TLSEXT_hash_sha512:
2870                 return EVP_sha512();
2871 #endif
2872                 default:
2873                 return NULL;
2874
2875                 }
2876         }
2877
2878 static int tls12_get_pkey_idx(unsigned char sig_alg)
2879         {
2880         switch(sig_alg)
2881                 {
2882 #ifndef OPENSSL_NO_RSA
2883         case TLSEXT_signature_rsa:
2884                 return SSL_PKEY_RSA_SIGN;
2885 #endif
2886 #ifndef OPENSSL_NO_DSA
2887         case TLSEXT_signature_dsa:
2888                 return SSL_PKEY_DSA_SIGN;
2889 #endif
2890 #ifndef OPENSSL_NO_ECDSA
2891         case TLSEXT_signature_ecdsa:
2892                 return SSL_PKEY_ECC;
2893 #endif
2894                 }
2895         return -1;
2896         }
2897
2898 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
2899 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
2900                         int *psignhash_nid, const unsigned char *data)
2901         {
2902         int sign_nid, hash_nid;
2903         if (!phash_nid && !psign_nid && !psignhash_nid)
2904                 return;
2905         if (phash_nid || psignhash_nid)
2906                 {
2907                 hash_nid = tls12_find_nid(data[0], tls12_md,
2908                                         sizeof(tls12_md)/sizeof(tls12_lookup));
2909                 if (phash_nid)
2910                         *phash_nid = hash_nid;
2911                 }
2912         if (psign_nid || psignhash_nid)
2913                 {
2914                 sign_nid = tls12_find_nid(data[1], tls12_sig,
2915                                         sizeof(tls12_sig)/sizeof(tls12_lookup));
2916                 if (psign_nid)
2917                         *psign_nid = sign_nid;
2918                 }
2919         if (psignhash_nid)
2920                 {
2921                 if (sign_nid && hash_nid)
2922                         OBJ_find_sigid_by_algs(psignhash_nid,
2923                                                         hash_nid, sign_nid);
2924                 else
2925                         *psignhash_nid = NID_undef;
2926                 }
2927         }
2928 /* Given preference and allowed sigalgs set shared sigalgs */
2929 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
2930                                 const unsigned char *pref, size_t preflen,
2931                                 const unsigned char *allow, size_t allowlen)
2932         {
2933         const unsigned char *ptmp, *atmp;
2934         size_t i, j, nmatch = 0;
2935         for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
2936                 {
2937                 /* Skip disabled hashes or signature algorithms */
2938                 if (tls12_get_hash(ptmp[0]) == NULL)
2939                         continue;
2940                 if (tls12_get_pkey_idx(ptmp[1]) == -1)
2941                         continue;
2942                 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
2943                         {
2944                         if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
2945                                 {
2946                                 nmatch++;
2947                                 if (shsig)
2948                                         {
2949                                         shsig->rhash = ptmp[0];
2950                                         shsig->rsign = ptmp[1];
2951                                         tls1_lookup_sigalg(&shsig->hash_nid,
2952                                                 &shsig->sign_nid,
2953                                                 &shsig->signandhash_nid,
2954                                                 ptmp);
2955                                         shsig++;
2956                                         }
2957                                 break;
2958                                 }
2959                         }
2960                 }
2961         return nmatch;
2962         }
2963
2964 /* Set shared signature algorithms for SSL structures */
2965 static int tls1_set_shared_sigalgs(SSL *s)
2966         {
2967         const unsigned char *pref, *allow, *conf;
2968         size_t preflen, allowlen, conflen;
2969         size_t nmatch;
2970         TLS_SIGALGS *salgs = NULL;
2971         CERT *c = s->cert;
2972         conf = c->conf_sigalgs;
2973         if (conf)
2974                 conflen = c->conf_sigalgslen;
2975         else
2976                 {
2977                 conf = tls12_sigalgs;
2978                 conflen = sizeof(tls12_sigalgs);
2979 #ifdef OPENSSL_FIPS
2980                 if (FIPS_mode())
2981                         conflen -= 2;
2982 #endif
2983                 }
2984         if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
2985                 {
2986                 pref = conf;
2987                 preflen = conflen;
2988                 allow = c->peer_sigalgs;
2989                 allowlen = c->peer_sigalgslen;
2990                 }
2991         else
2992                 {
2993                 allow = conf;
2994                 allowlen = conflen;
2995                 pref = c->peer_sigalgs;
2996                 preflen = c->peer_sigalgslen;
2997                 }
2998         nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
2999         if (!nmatch)
3000                 return 1;
3001         salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3002         if (!salgs)
3003                 return 0;
3004         nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3005         c->shared_sigalgs = salgs;
3006         c->shared_sigalgslen = nmatch;
3007         return 1;
3008         }
3009                 
3010
3011 /* Set preferred digest for each key type */
3012
3013 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
3014         {
3015         int idx;
3016         size_t i;
3017         const EVP_MD *md;
3018         CERT *c = s->cert;
3019         TLS_SIGALGS *sigptr;
3020         /* Extension ignored for TLS versions below 1.2 */
3021         if (TLS1_get_version(s) < TLS1_2_VERSION)
3022                 return 1;
3023         /* Should never happen */
3024         if (!c)
3025                 return 0;
3026
3027         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
3028         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
3029         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
3030         c->pkeys[SSL_PKEY_ECC].digest = NULL;
3031
3032         c->peer_sigalgs = OPENSSL_malloc(dsize);
3033         if (!c->peer_sigalgs)
3034                 return 0;
3035         c->peer_sigalgslen = dsize;
3036         memcpy(c->peer_sigalgs, data, dsize);
3037
3038         tls1_set_shared_sigalgs(s);
3039
3040         for (i = 0, sigptr = c->shared_sigalgs;
3041                         i < c->shared_sigalgslen; i++, sigptr++)
3042                 {
3043                 idx = tls12_get_pkey_idx(sigptr->rsign);
3044                 if (idx > 0 && c->pkeys[idx].digest == NULL)
3045                         {
3046                         md = tls12_get_hash(sigptr->rhash);
3047                         c->pkeys[idx].digest = md;
3048                         if (idx == SSL_PKEY_RSA_SIGN)
3049                                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3050                         }
3051
3052                 }
3053         /* Set any remaining keys to default values. NOTE: if alg is not
3054          * supported it stays as NULL.
3055          */
3056 #ifndef OPENSSL_NO_DSA
3057         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3058                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
3059 #endif
3060 #ifndef OPENSSL_NO_RSA
3061         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
3062                 {
3063                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3064                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3065                 }
3066 #endif
3067 #ifndef OPENSSL_NO_ECDSA
3068         if (!c->pkeys[SSL_PKEY_ECC].digest)
3069                 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
3070 #endif
3071         return 1;
3072         }
3073
3074
3075 int SSL_get_sigalgs(SSL *s, int idx,
3076                         int *psign, int *phash, int *psignhash,
3077                         unsigned char *rsig, unsigned char *rhash)
3078         {
3079         const unsigned char *psig = s->cert->peer_sigalgs;
3080         if (psig == NULL)
3081                 return 0;
3082         if (idx >= 0)
3083                 {
3084                 idx <<= 1;
3085                 if (idx >= (int)s->cert->peer_sigalgslen)
3086                         return 0;
3087                 psig += idx;
3088                 if (rhash)
3089                         *rhash = psig[0];
3090                 if (rsig)
3091                         *rsig = psig[1];
3092                 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3093                 }
3094         return s->cert->peer_sigalgslen / 2;
3095         }
3096
3097 int SSL_get_shared_sigalgs(SSL *s, int idx,
3098                         int *psign, int *phash, int *psignhash,
3099                         unsigned char *rsig, unsigned char *rhash)
3100         {
3101         TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3102         if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3103                 return 0;
3104         shsigalgs += idx;
3105         if (phash)
3106                 *phash = shsigalgs->hash_nid;
3107         if (psign)
3108                 *psign = shsigalgs->sign_nid;
3109         if (psignhash)
3110                 *psignhash = shsigalgs->signandhash_nid;
3111         if (rsig)
3112                 *rsig = shsigalgs->rsign;
3113         if (rhash)
3114                 *rhash = shsigalgs->rhash;
3115         return s->cert->shared_sigalgslen;
3116         }
3117         
3118
3119 #ifndef OPENSSL_NO_HEARTBEATS
3120 int
3121 tls1_process_heartbeat(SSL *s)
3122         {
3123         unsigned char *p = &s->s3->rrec.data[0], *pl;
3124         unsigned short hbtype;
3125         unsigned int payload;
3126         unsigned int padding = 16; /* Use minimum padding */
3127
3128         /* Read type and payload length first */
3129         hbtype = *p++;
3130         n2s(p, payload);
3131         pl = p;
3132
3133         if (s->msg_callback)
3134                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3135                         &s->s3->rrec.data[0], s->s3->rrec.length,
3136                         s, s->msg_callback_arg);
3137
3138         if (hbtype == TLS1_HB_REQUEST)
3139                 {
3140                 unsigned char *buffer, *bp;
3141                 int r;
3142
3143                 /* Allocate memory for the response, size is 1 bytes
3144                  * message type, plus 2 bytes payload length, plus
3145                  * payload, plus padding
3146                  */
3147                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3148                 bp = buffer;
3149                 
3150                 /* Enter response type, length and copy payload */
3151                 *bp++ = TLS1_HB_RESPONSE;
3152                 s2n(payload, bp);
3153                 memcpy(bp, pl, payload);
3154                 bp += payload;
3155                 /* Random padding */
3156                 RAND_pseudo_bytes(bp, padding);
3157
3158                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
3159
3160                 if (r >= 0 && s->msg_callback)
3161                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3162                                 buffer, 3 + payload + padding,
3163                                 s, s->msg_callback_arg);
3164
3165                 OPENSSL_free(buffer);
3166
3167                 if (r < 0)
3168                         return r;
3169                 }
3170         else if (hbtype == TLS1_HB_RESPONSE)
3171                 {
3172                 unsigned int seq;
3173                 
3174                 /* We only send sequence numbers (2 bytes unsigned int),
3175                  * and 16 random bytes, so we just try to read the
3176                  * sequence number */
3177                 n2s(pl, seq);
3178                 
3179                 if (payload == 18 && seq == s->tlsext_hb_seq)
3180                         {
3181                         s->tlsext_hb_seq++;
3182                         s->tlsext_hb_pending = 0;
3183                         }
3184                 }
3185
3186         return 0;
3187         }
3188
3189 int
3190 tls1_heartbeat(SSL *s)
3191         {
3192         unsigned char *buf, *p;
3193         int ret;
3194         unsigned int payload = 18; /* Sequence number + random bytes */
3195         unsigned int padding = 16; /* Use minimum padding */
3196
3197         /* Only send if peer supports and accepts HB requests... */
3198         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3199             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
3200                 {
3201                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3202                 return -1;
3203                 }
3204
3205         /* ...and there is none in flight yet... */
3206         if (s->tlsext_hb_pending)
3207                 {
3208                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
3209                 return -1;
3210                 }
3211                 
3212         /* ...and no handshake in progress. */
3213         if (SSL_in_init(s) || s->in_handshake)
3214                 {
3215                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
3216                 return -1;
3217                 }
3218                 
3219         /* Check if padding is too long, payload and padding
3220          * must not exceed 2^14 - 3 = 16381 bytes in total.
3221          */
3222         OPENSSL_assert(payload + padding <= 16381);
3223
3224         /* Create HeartBeat message, we just use a sequence number
3225          * as payload to distuingish different messages and add
3226          * some random stuff.
3227          *  - Message Type, 1 byte
3228          *  - Payload Length, 2 bytes (unsigned int)
3229          *  - Payload, the sequence number (2 bytes uint)
3230          *  - Payload, random bytes (16 bytes uint)
3231          *  - Padding
3232          */
3233         buf = OPENSSL_malloc(1 + 2 + payload + padding);
3234         p = buf;
3235         /* Message Type */
3236         *p++ = TLS1_HB_REQUEST;
3237         /* Payload length (18 bytes here) */
3238         s2n(payload, p);
3239         /* Sequence number */
3240         s2n(s->tlsext_hb_seq, p);
3241         /* 16 random bytes */
3242         RAND_pseudo_bytes(p, 16);
3243         p += 16;
3244         /* Random padding */
3245         RAND_pseudo_bytes(p, padding);
3246
3247         ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3248         if (ret >= 0)
3249                 {
3250                 if (s->msg_callback)
3251                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3252                                 buf, 3 + payload + padding,
3253                                 s, s->msg_callback_arg);
3254
3255                 s->tlsext_hb_pending = 1;
3256                 }
3257                 
3258         OPENSSL_free(buf);
3259
3260         return ret;
3261         }
3262 #endif
3263
3264 #define MAX_SIGALGLEN   (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3265
3266 typedef struct
3267         {
3268         size_t sigalgcnt;
3269         int sigalgs[MAX_SIGALGLEN];
3270         } sig_cb_st;
3271
3272 static int sig_cb(const char *elem, int len, void *arg)
3273         {
3274         sig_cb_st *sarg = arg;
3275         size_t i;
3276         char etmp[20], *p;
3277         int sig_alg, hash_alg;
3278         if (sarg->sigalgcnt == MAX_SIGALGLEN)
3279                 return 0;
3280         if (len > (int)(sizeof(etmp) - 1))
3281                 return 0;
3282         memcpy(etmp, elem, len);
3283         etmp[len] = 0;
3284         p = strchr(etmp, '+');
3285         if (!p)
3286                 return 0;
3287         *p = 0;
3288         p++;
3289         if (!*p)
3290                 return 0;
3291
3292         if (!strcmp(etmp, "RSA"))
3293                 sig_alg = EVP_PKEY_RSA;
3294         else if (!strcmp(etmp, "DSA"))
3295                 sig_alg = EVP_PKEY_DSA;
3296         else if (!strcmp(etmp, "ECDSA"))
3297                 sig_alg = EVP_PKEY_EC;
3298         else return 0;
3299
3300         hash_alg = OBJ_sn2nid(p);
3301         if (hash_alg == NID_undef)
3302                 hash_alg = OBJ_ln2nid(p);
3303         if (hash_alg == NID_undef)
3304                 return 0;
3305
3306         for (i = 0; i < sarg->sigalgcnt; i+=2)
3307                 {
3308                 if (sarg->sigalgs[i] == sig_alg
3309                         && sarg->sigalgs[i + 1] == hash_alg)
3310                         return 0;
3311                 }
3312         sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3313         sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3314         return 1;
3315         }
3316
3317 /* Set suppored signature algorithms based on a colon separated list
3318  * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
3319 int tls1_set_sigalgs_list(CERT *c, const char *str)
3320         {
3321         sig_cb_st sig;
3322         sig.sigalgcnt = 0;
3323         if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3324                 return 0;
3325         return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt);
3326         }
3327
3328 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen)
3329         {
3330         unsigned char *sigalgs, *sptr;
3331         int rhash, rsign;
3332         size_t i;
3333         if (salglen & 1)
3334                 return 0;
3335         sigalgs = OPENSSL_malloc(salglen);
3336         if (sigalgs == NULL)
3337                 return 0;
3338         for (i = 0, sptr = sigalgs; i < salglen; i+=2)
3339                 {
3340                 rhash = tls12_find_id(*psig_nids++, tls12_md,
3341                                         sizeof(tls12_md)/sizeof(tls12_lookup));
3342                 rsign = tls12_find_id(*psig_nids++, tls12_sig,
3343                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
3344
3345                 if (rhash == -1 || rsign == -1)
3346                         goto err;
3347                 *sptr++ = rhash;
3348                 *sptr++ = rsign;
3349                 }
3350
3351         if (c->conf_sigalgs)
3352                 OPENSSL_free(c->conf_sigalgs);
3353
3354         c->conf_sigalgs = sigalgs;
3355         c->conf_sigalgslen = salglen;
3356         return 1;
3357
3358         err:
3359         OPENSSL_free(sigalgs);
3360         return 0;
3361         }
3362
3363 #endif