Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #ifndef OPENSSL_NO_DH
119 #include <openssl/dh.h>
120 #include <openssl/bn.h>
121 #endif
122 #include "ssl_locl.h"
123
124 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
125
126 #ifndef OPENSSL_NO_TLSEXT
127 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
128                                 const unsigned char *sess_id, int sesslen,
129                                 SSL_SESSION **psess);
130 static int ssl_check_clienthello_tlsext_early(SSL *s);
131 int ssl_check_serverhello_tlsext(SSL *s);
132 #endif
133
134 SSL3_ENC_METHOD const TLSv1_enc_data={
135         tls1_enc,
136         tls1_mac,
137         tls1_setup_key_block,
138         tls1_generate_master_secret,
139         tls1_change_cipher_state,
140         tls1_final_finish_mac,
141         TLS1_FINISH_MAC_LENGTH,
142         tls1_cert_verify_mac,
143         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
144         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
145         tls1_alert_code,
146         tls1_export_keying_material,
147         0,
148         SSL3_HM_HEADER_LENGTH,
149         ssl3_set_handshake_header,
150         ssl3_handshake_write
151         };
152
153 SSL3_ENC_METHOD const TLSv1_1_enc_data={
154         tls1_enc,
155         tls1_mac,
156         tls1_setup_key_block,
157         tls1_generate_master_secret,
158         tls1_change_cipher_state,
159         tls1_final_finish_mac,
160         TLS1_FINISH_MAC_LENGTH,
161         tls1_cert_verify_mac,
162         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
163         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
164         tls1_alert_code,
165         tls1_export_keying_material,
166         SSL_ENC_FLAG_EXPLICIT_IV,
167         SSL3_HM_HEADER_LENGTH,
168         ssl3_set_handshake_header,
169         ssl3_handshake_write
170         };
171
172 SSL3_ENC_METHOD const TLSv1_2_enc_data={
173         tls1_enc,
174         tls1_mac,
175         tls1_setup_key_block,
176         tls1_generate_master_secret,
177         tls1_change_cipher_state,
178         tls1_final_finish_mac,
179         TLS1_FINISH_MAC_LENGTH,
180         tls1_cert_verify_mac,
181         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
182         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
183         tls1_alert_code,
184         tls1_export_keying_material,
185         SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
186                 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
187         SSL3_HM_HEADER_LENGTH,
188         ssl3_set_handshake_header,
189         ssl3_handshake_write
190         };
191
192 long tls1_default_timeout(void)
193         {
194         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
195          * is way too long for http, the cache would over fill */
196         return(60*60*2);
197         }
198
199 int tls1_new(SSL *s)
200         {
201         if (!ssl3_new(s)) return(0);
202         s->method->ssl_clear(s);
203         return(1);
204         }
205
206 void tls1_free(SSL *s)
207         {
208 #ifndef OPENSSL_NO_TLSEXT
209         if (s->tlsext_session_ticket)
210                 {
211                 OPENSSL_free(s->tlsext_session_ticket);
212                 }
213 #endif /* OPENSSL_NO_TLSEXT */
214         ssl3_free(s);
215         }
216
217 void tls1_clear(SSL *s)
218         {
219         ssl3_clear(s);
220         s->version = s->method->version;
221         }
222
223 #ifndef OPENSSL_NO_EC
224
225 typedef struct
226         {
227         int nid;                /* Curve NID */
228         int secbits;            /* Bits of security (from SP800-57) */
229         unsigned int flags;     /* Flags: currently just field type */
230         } tls_curve_info;
231
232 #define TLS_CURVE_CHAR2         0x1
233 #define TLS_CURVE_PRIME         0x0
234
235 static const tls_curve_info nid_list[] =
236         {
237                 {NID_sect163k1, 80, TLS_CURVE_CHAR2},/* sect163k1 (1) */
238                 {NID_sect163r1, 80, TLS_CURVE_CHAR2},/* sect163r1 (2) */
239                 {NID_sect163r2, 80, TLS_CURVE_CHAR2},/* sect163r2 (3) */
240                 {NID_sect193r1, 80, TLS_CURVE_CHAR2},/* sect193r1 (4) */ 
241                 {NID_sect193r2, 80, TLS_CURVE_CHAR2},/* sect193r2 (5) */ 
242                 {NID_sect233k1, 112, TLS_CURVE_CHAR2},/* sect233k1 (6) */
243                 {NID_sect233r1, 112, TLS_CURVE_CHAR2},/* sect233r1 (7) */ 
244                 {NID_sect239k1, 112, TLS_CURVE_CHAR2},/* sect239k1 (8) */ 
245                 {NID_sect283k1, 128, TLS_CURVE_CHAR2},/* sect283k1 (9) */
246                 {NID_sect283r1, 128, TLS_CURVE_CHAR2},/* sect283r1 (10) */ 
247                 {NID_sect409k1, 192, TLS_CURVE_CHAR2},/* sect409k1 (11) */ 
248                 {NID_sect409r1, 192, TLS_CURVE_CHAR2},/* sect409r1 (12) */
249                 {NID_sect571k1, 256, TLS_CURVE_CHAR2},/* sect571k1 (13) */ 
250                 {NID_sect571r1, 256, TLS_CURVE_CHAR2},/* sect571r1 (14) */ 
251                 {NID_secp160k1, 80, TLS_CURVE_PRIME},/* secp160k1 (15) */
252                 {NID_secp160r1, 80, TLS_CURVE_PRIME},/* secp160r1 (16) */ 
253                 {NID_secp160r2, 80, TLS_CURVE_PRIME},/* secp160r2 (17) */ 
254                 {NID_secp192k1, 80, TLS_CURVE_PRIME},/* secp192k1 (18) */
255                 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME},/* secp192r1 (19) */ 
256                 {NID_secp224k1, 112, TLS_CURVE_PRIME},/* secp224k1 (20) */ 
257                 {NID_secp224r1, 112, TLS_CURVE_PRIME},/* secp224r1 (21) */
258                 {NID_secp256k1, 128, TLS_CURVE_PRIME},/* secp256k1 (22) */ 
259                 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME},/* secp256r1 (23) */ 
260                 {NID_secp384r1, 192, TLS_CURVE_PRIME},/* secp384r1 (24) */
261                 {NID_secp521r1, 256, TLS_CURVE_PRIME},/* secp521r1 (25) */      
262                 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ 
263                 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ 
264                 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME},/* brainpool512r1 (28) */   
265         };
266
267
268 static const unsigned char ecformats_default[] = 
269         {
270         TLSEXT_ECPOINTFORMAT_uncompressed,
271         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
272         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
273         };
274
275 static const unsigned char eccurves_default[] =
276         {
277                 0,14, /* sect571r1 (14) */ 
278                 0,13, /* sect571k1 (13) */ 
279                 0,25, /* secp521r1 (25) */      
280                 0,28, /* brainpool512r1 (28) */ 
281                 0,11, /* sect409k1 (11) */ 
282                 0,12, /* sect409r1 (12) */
283                 0,27, /* brainpoolP384r1 (27) */        
284                 0,24, /* secp384r1 (24) */
285                 0,9,  /* sect283k1 (9) */
286                 0,10, /* sect283r1 (10) */ 
287                 0,26, /* brainpoolP256r1 (26) */        
288                 0,22, /* secp256k1 (22) */ 
289                 0,23, /* secp256r1 (23) */ 
290                 0,8,  /* sect239k1 (8) */ 
291                 0,6,  /* sect233k1 (6) */
292                 0,7,  /* sect233r1 (7) */ 
293                 0,20, /* secp224k1 (20) */ 
294                 0,21, /* secp224r1 (21) */
295                 0,4,  /* sect193r1 (4) */ 
296                 0,5,  /* sect193r2 (5) */ 
297                 0,18, /* secp192k1 (18) */
298                 0,19, /* secp192r1 (19) */ 
299                 0,1,  /* sect163k1 (1) */
300                 0,2,  /* sect163r1 (2) */
301                 0,3,  /* sect163r2 (3) */
302                 0,15, /* secp160k1 (15) */
303                 0,16, /* secp160r1 (16) */ 
304                 0,17, /* secp160r2 (17) */ 
305         };
306
307 static const unsigned char suiteb_curves[] =
308         {
309                 0, TLSEXT_curve_P_256,
310                 0, TLSEXT_curve_P_384
311         };
312
313 int tls1_ec_curve_id2nid(int curve_id)
314         {
315         /* ECC curves from RFC 4492 and RFC 7027 */
316         if ((curve_id < 1) || ((unsigned int)curve_id >
317                                 sizeof(nid_list)/sizeof(nid_list[0])))
318                 return 0;
319         return nid_list[curve_id-1].nid;
320         }
321
322 int tls1_ec_nid2curve_id(int nid)
323         {
324         /* ECC curves from RFC 4492 and RFC 7027 */
325         switch (nid)
326                 {
327         case NID_sect163k1: /* sect163k1 (1) */
328                 return 1;
329         case NID_sect163r1: /* sect163r1 (2) */
330                 return 2;
331         case NID_sect163r2: /* sect163r2 (3) */
332                 return 3;
333         case NID_sect193r1: /* sect193r1 (4) */ 
334                 return 4;
335         case NID_sect193r2: /* sect193r2 (5) */ 
336                 return 5;
337         case NID_sect233k1: /* sect233k1 (6) */
338                 return 6;
339         case NID_sect233r1: /* sect233r1 (7) */ 
340                 return 7;
341         case NID_sect239k1: /* sect239k1 (8) */ 
342                 return 8;
343         case NID_sect283k1: /* sect283k1 (9) */
344                 return 9;
345         case NID_sect283r1: /* sect283r1 (10) */ 
346                 return 10;
347         case NID_sect409k1: /* sect409k1 (11) */ 
348                 return 11;
349         case NID_sect409r1: /* sect409r1 (12) */
350                 return 12;
351         case NID_sect571k1: /* sect571k1 (13) */ 
352                 return 13;
353         case NID_sect571r1: /* sect571r1 (14) */ 
354                 return 14;
355         case NID_secp160k1: /* secp160k1 (15) */
356                 return 15;
357         case NID_secp160r1: /* secp160r1 (16) */ 
358                 return 16;
359         case NID_secp160r2: /* secp160r2 (17) */ 
360                 return 17;
361         case NID_secp192k1: /* secp192k1 (18) */
362                 return 18;
363         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
364                 return 19;
365         case NID_secp224k1: /* secp224k1 (20) */ 
366                 return 20;
367         case NID_secp224r1: /* secp224r1 (21) */
368                 return 21;
369         case NID_secp256k1: /* secp256k1 (22) */ 
370                 return 22;
371         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
372                 return 23;
373         case NID_secp384r1: /* secp384r1 (24) */
374                 return 24;
375         case NID_secp521r1:  /* secp521r1 (25) */       
376                 return 25;
377         case NID_brainpoolP256r1:  /* brainpoolP256r1 (26) */
378                 return 26;
379         case NID_brainpoolP384r1:  /* brainpoolP384r1 (27) */
380                 return 27;
381         case NID_brainpoolP512r1:  /* brainpool512r1 (28) */
382                 return 28;
383         default:
384                 return 0;
385                 }
386         }
387 /* Get curves list, if "sess" is set return client curves otherwise
388  * preferred list
389  */
390 static void tls1_get_curvelist(SSL *s, int sess,
391                                         const unsigned char **pcurves,
392                                         size_t *pcurveslen)
393         {
394         if (sess)
395                 {
396                 *pcurves = s->session->tlsext_ellipticcurvelist;
397                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
398                 return;
399                 }
400         /* For Suite B mode only include P-256, P-384 */
401         switch (tls1_suiteb(s))
402                 {
403         case SSL_CERT_FLAG_SUITEB_128_LOS:
404                 *pcurves = suiteb_curves;
405                 *pcurveslen = sizeof(suiteb_curves);
406                 break;
407
408         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
409                 *pcurves = suiteb_curves;
410                 *pcurveslen = 2;
411                 break;
412
413         case SSL_CERT_FLAG_SUITEB_192_LOS:
414                 *pcurves = suiteb_curves + 2;
415                 *pcurveslen = 2;
416                 break;
417         default:
418                 *pcurves = s->tlsext_ellipticcurvelist;
419                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
420                 }
421         if (!*pcurves)
422                 {
423                 *pcurves = eccurves_default;
424                 *pcurveslen = sizeof(eccurves_default);
425                 }
426         }
427
428 /* See if curve is allowed by security callback */
429 static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
430         {
431         const tls_curve_info *cinfo;
432         if (curve[0])
433                 return 1;
434         if ((curve[1] < 1) || ((size_t)curve[1] >
435                                 sizeof(nid_list)/sizeof(nid_list[0])))
436                 return 0;
437         cinfo = &nid_list[curve[1]-1];
438 #ifdef OPENSSL_NO_EC2M
439         if (cinfo->flags & TLS_CURVE_CHAR2)
440                 return 0;
441 #endif
442         return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
443         }
444
445 /* Check a curve is one of our preferences */
446 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
447         {
448         const unsigned char *curves;
449         size_t curveslen, i;
450         unsigned int suiteb_flags = tls1_suiteb(s);
451         if (len != 3 || p[0] != NAMED_CURVE_TYPE)
452                 return 0;
453         /* Check curve matches Suite B preferences */
454         if (suiteb_flags)
455                 {
456                 unsigned long cid = s->s3->tmp.new_cipher->id;
457                 if (p[1])
458                         return 0;
459                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
460                         {
461                         if (p[2] != TLSEXT_curve_P_256)
462                                 return 0;
463                         }
464                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
465                         {
466                         if (p[2] != TLSEXT_curve_P_384)
467                                 return 0;
468                         }
469                 else    /* Should never happen */
470                         return 0;
471                 }
472         tls1_get_curvelist(s, 0, &curves, &curveslen);
473         for (i = 0; i < curveslen; i += 2, curves += 2)
474                 {
475                 if (p[1] == curves[0] && p[2] == curves[1])
476                         return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
477                 }
478         return 0;
479         }
480
481 /* Return nth shared curve. If nmatch == -1 return number of
482  * matches. For nmatch == -2 return the NID of the curve to use for
483  * an EC tmp key.
484  */
485
486 int tls1_shared_curve(SSL *s, int nmatch)
487         {
488         const unsigned char *pref, *supp;
489         size_t preflen, supplen, i, j;
490         int k;
491         /* Can't do anything on client side */
492         if (s->server == 0)
493                 return -1;
494         if (nmatch == -2)
495                 {
496                 if (tls1_suiteb(s))
497                         {
498                         /* For Suite B ciphersuite determines curve: we 
499                          * already know these are acceptable due to previous
500                          * checks.
501                          */
502                         unsigned long cid = s->s3->tmp.new_cipher->id;
503                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
504                                 return NID_X9_62_prime256v1; /* P-256 */
505                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
506                                 return NID_secp384r1; /* P-384 */
507                         /* Should never happen */
508                         return NID_undef;
509                         }
510                 /* If not Suite B just return first preference shared curve */
511                 nmatch = 0;
512                 }
513         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
514                                 &supp, &supplen);
515         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
516                                 &pref, &preflen);
517         preflen /= 2;
518         supplen /= 2;
519         k = 0;
520         for (i = 0; i < preflen; i++, pref+=2)
521                 {
522                 const unsigned char *tsupp = supp;
523                 for (j = 0; j < supplen; j++, tsupp+=2)
524                         {
525                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
526                                 {
527                                 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
528                                         continue;
529                                 if (nmatch == k)
530                                         {
531                                         int id = (pref[0] << 8) | pref[1];
532                                         return tls1_ec_curve_id2nid(id);
533                                         }
534                                 k++;
535                                 }
536                         }
537                 }
538         if (nmatch == -1)
539                 return k;
540         return 0;
541         }
542
543 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
544                         int *curves, size_t ncurves)
545         {
546         unsigned char *clist, *p;
547         size_t i;
548         /* Bitmap of curves included to detect duplicates: only works
549          * while curve ids < 32 
550          */
551         unsigned long dup_list = 0;
552         clist = OPENSSL_malloc(ncurves * 2);
553         if (!clist)
554                 return 0;
555         for (i = 0, p = clist; i < ncurves; i++)
556                 {
557                 unsigned long idmask;
558                 int id;
559                 id = tls1_ec_nid2curve_id(curves[i]);
560                 idmask = 1L << id;
561                 if (!id || (dup_list & idmask))
562                         {
563                         OPENSSL_free(clist);
564                         return 0;
565                         }
566                 dup_list |= idmask;
567                 s2n(id, p);
568                 }
569         if (*pext)
570                 OPENSSL_free(*pext);
571         *pext = clist;
572         *pextlen = ncurves * 2;
573         return 1;
574         }
575
576 #define MAX_CURVELIST   28
577
578 typedef struct
579         {
580         size_t nidcnt;
581         int nid_arr[MAX_CURVELIST];
582         } nid_cb_st;
583
584 static int nid_cb(const char *elem, int len, void *arg)
585         {
586         nid_cb_st *narg = arg;
587         size_t i;
588         int nid;
589         char etmp[20];
590         if (narg->nidcnt == MAX_CURVELIST)
591                 return 0;
592         if (len > (int)(sizeof(etmp) - 1))
593                 return 0;
594         memcpy(etmp, elem, len);
595         etmp[len] = 0;
596         nid = EC_curve_nist2nid(etmp);
597         if (nid == NID_undef)
598                 nid = OBJ_sn2nid(etmp);
599         if (nid == NID_undef)
600                 nid = OBJ_ln2nid(etmp);
601         if (nid == NID_undef)
602                 return 0;
603         for (i = 0; i < narg->nidcnt; i++)
604                 if (narg->nid_arr[i] == nid)
605                         return 0;
606         narg->nid_arr[narg->nidcnt++] = nid;
607         return 1;
608         }
609 /* Set curves based on a colon separate list */
610 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
611                                 const char *str)
612         {
613         nid_cb_st ncb;
614         ncb.nidcnt = 0;
615         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
616                 return 0;
617         if (pext == NULL)
618                 return 1;
619         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
620         }
621 /* For an EC key set TLS id and required compression based on parameters */
622 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
623                                 EC_KEY *ec)
624         {
625         int is_prime, id;
626         const EC_GROUP *grp;
627         const EC_METHOD *meth;
628         if (!ec)
629                 return 0;
630         /* Determine if it is a prime field */
631         grp = EC_KEY_get0_group(ec);
632         if (!grp)
633                 return 0;
634         meth = EC_GROUP_method_of(grp);
635         if (!meth)
636                 return 0;
637         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
638                 is_prime = 1;
639         else
640                 is_prime = 0;
641         /* Determine curve ID */
642         id = EC_GROUP_get_curve_name(grp);
643         id = tls1_ec_nid2curve_id(id);
644         /* If we have an ID set it, otherwise set arbitrary explicit curve */
645         if (id)
646                 {
647                 curve_id[0] = 0;
648                 curve_id[1] = (unsigned char)id;
649                 }
650         else
651                 {
652                 curve_id[0] = 0xff;
653                 if (is_prime)
654                         curve_id[1] = 0x01;
655                 else
656                         curve_id[1] = 0x02;
657                 }
658         if (comp_id)
659                 {
660                 if (EC_KEY_get0_public_key(ec) == NULL)
661                         return 0;
662                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
663                         {
664                         if (is_prime)
665                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
666                         else
667                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
668                         }
669                 else
670                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
671                 }
672         return 1;
673         }
674 /* Check an EC key is compatible with extensions */
675 static int tls1_check_ec_key(SSL *s,
676                         unsigned char *curve_id, unsigned char *comp_id)
677         {
678         const unsigned char *p;
679         size_t plen, i;
680         int j;
681         /* If point formats extension present check it, otherwise everything
682          * is supported (see RFC4492).
683          */
684         if (comp_id && s->session->tlsext_ecpointformatlist)
685                 {
686                 p = s->session->tlsext_ecpointformatlist;
687                 plen = s->session->tlsext_ecpointformatlist_length;
688                 for (i = 0; i < plen; i++, p++)
689                         {
690                         if (*comp_id == *p)
691                                 break;
692                         }
693                 if (i == plen)
694                         return 0;
695                 }
696         if (!curve_id)
697                 return 1;
698         /* Check curve is consistent with client and server preferences */
699         for (j = 0; j <= 1; j++)
700                 {
701                 tls1_get_curvelist(s, j, &p, &plen);
702                 for (i = 0; i < plen; i+=2, p+=2)
703                         {
704                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
705                                 break;
706                         }
707                 if (i == plen)
708                         return 0;
709                 /* For clients can only check sent curve list */
710                 if (!s->server)
711                         break;
712                 }
713         return 1;
714         }
715
716 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
717                                         size_t *pformatslen)
718         {
719         /* If we have a custom point format list use it otherwise
720          * use default */
721         if (s->tlsext_ecpointformatlist)
722                 {
723                 *pformats = s->tlsext_ecpointformatlist;
724                 *pformatslen = s->tlsext_ecpointformatlist_length;
725                 }
726         else
727                 {
728                 *pformats = ecformats_default;
729                 /* For Suite B we don't support char2 fields */
730                 if (tls1_suiteb(s))
731                         *pformatslen = sizeof(ecformats_default) - 1;
732                 else
733                         *pformatslen = sizeof(ecformats_default);
734                 }
735         }
736
737 /* Check cert parameters compatible with extensions: currently just checks
738  * EC certificates have compatible curves and compression.
739  */
740 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
741         {
742         unsigned char comp_id, curve_id[2];
743         EVP_PKEY *pkey;
744         int rv;
745         pkey = X509_get_pubkey(x);
746         if (!pkey)
747                 return 0;
748         /* If not EC nothing to do */
749         if (pkey->type != EVP_PKEY_EC)
750                 {
751                 EVP_PKEY_free(pkey);
752                 return 1;
753                 }
754         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
755         EVP_PKEY_free(pkey);
756         if (!rv)
757                 return 0;
758         /* Can't check curve_id for client certs as we don't have a
759          * supported curves extension.
760          */
761         rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
762         if (!rv)
763                 return 0;
764         /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
765          * SHA384+P-384, adjust digest if necessary.
766          */
767         if (set_ee_md && tls1_suiteb(s))
768                 {
769                 int check_md;
770                 size_t i;
771                 CERT *c = s->cert;
772                 if (curve_id[0])
773                         return 0;
774                 /* Check to see we have necessary signing algorithm */
775                 if (curve_id[1] == TLSEXT_curve_P_256)
776                         check_md = NID_ecdsa_with_SHA256;
777                 else if (curve_id[1] == TLSEXT_curve_P_384)
778                         check_md = NID_ecdsa_with_SHA384;
779                 else
780                         return 0; /* Should never happen */
781                 for (i = 0; i < c->shared_sigalgslen; i++)
782                         if (check_md == c->shared_sigalgs[i].signandhash_nid)
783                                 break;
784                 if (i == c->shared_sigalgslen)
785                         return 0;
786                 if (set_ee_md == 2)
787                         {
788                         if (check_md == NID_ecdsa_with_SHA256)
789                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
790                         else
791                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
792                         }
793                 }
794         return rv;
795         }
796 /* Check EC temporary key is compatible with client extensions */
797 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
798         {
799         unsigned char curve_id[2];
800         EC_KEY *ec = s->cert->ecdh_tmp;
801 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
802         /* Allow any curve: not just those peer supports */
803         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
804                 return 1;
805 #endif
806         /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
807          * no other curves permitted.
808          */
809         if (tls1_suiteb(s))
810                 {
811                 /* Curve to check determined by ciphersuite */
812                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
813                         curve_id[1] = TLSEXT_curve_P_256;
814                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
815                         curve_id[1] = TLSEXT_curve_P_384;
816                 else
817                         return 0;
818                 curve_id[0] = 0;
819                 /* Check this curve is acceptable */
820                 if (!tls1_check_ec_key(s, curve_id, NULL))
821                         return 0;
822                 /* If auto or setting curve from callback assume OK */
823                 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
824                         return 1;
825                 /* Otherwise check curve is acceptable */
826                 else 
827                         {
828                         unsigned char curve_tmp[2];
829                         if (!ec)
830                                 return 0;
831                         if (!tls1_set_ec_id(curve_tmp, NULL, ec))
832                                 return 0;
833                         if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
834                                 return 1;
835                         return 0;
836                         }
837                         
838                 }
839         if (s->cert->ecdh_tmp_auto)
840                 {
841                 /* Need a shared curve */
842                 if (tls1_shared_curve(s, 0))
843                         return 1;
844                 else return 0;
845                 }
846         if (!ec)
847                 {
848                 if (s->cert->ecdh_tmp_cb)
849                         return 1;
850                 else
851                         return 0;
852                 }
853         if (!tls1_set_ec_id(curve_id, NULL, ec))
854                 return 0;
855 /* Set this to allow use of invalid curves for testing */
856 #if 0
857         return 1;
858 #else
859         return tls1_check_ec_key(s, curve_id, NULL);
860 #endif
861         }
862
863 #else
864
865 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
866         {
867         return 1;
868         }
869
870 #endif /* OPENSSL_NO_EC */
871
872 #ifndef OPENSSL_NO_TLSEXT
873
874 /* List of supported signature algorithms and hashes. Should make this
875  * customisable at some point, for now include everything we support.
876  */
877
878 #ifdef OPENSSL_NO_RSA
879 #define tlsext_sigalg_rsa(md) /* */
880 #else
881 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
882 #endif
883
884 #ifdef OPENSSL_NO_DSA
885 #define tlsext_sigalg_dsa(md) /* */
886 #else
887 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
888 #endif
889
890 #ifdef OPENSSL_NO_ECDSA
891 #define tlsext_sigalg_ecdsa(md) /* */
892 #else
893 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
894 #endif
895
896 #define tlsext_sigalg(md) \
897                 tlsext_sigalg_rsa(md) \
898                 tlsext_sigalg_dsa(md) \
899                 tlsext_sigalg_ecdsa(md)
900
901 static unsigned char tls12_sigalgs[] = {
902 #ifndef OPENSSL_NO_SHA512
903         tlsext_sigalg(TLSEXT_hash_sha512)
904         tlsext_sigalg(TLSEXT_hash_sha384)
905 #endif
906 #ifndef OPENSSL_NO_SHA256
907         tlsext_sigalg(TLSEXT_hash_sha256)
908         tlsext_sigalg(TLSEXT_hash_sha224)
909 #endif
910 #ifndef OPENSSL_NO_SHA
911         tlsext_sigalg(TLSEXT_hash_sha1)
912 #endif
913 };
914 #ifndef OPENSSL_NO_ECDSA
915 static unsigned char suiteb_sigalgs[] = {
916         tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
917         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
918 };
919 #endif
920 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
921         {
922         /* If Suite B mode use Suite B sigalgs only, ignore any other
923          * preferences.
924          */
925 #ifndef OPENSSL_NO_EC
926         switch (tls1_suiteb(s))
927                 {
928         case SSL_CERT_FLAG_SUITEB_128_LOS:
929                 *psigs = suiteb_sigalgs;
930                 return sizeof(suiteb_sigalgs);
931
932         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
933                 *psigs = suiteb_sigalgs;
934                 return 2;
935
936         case SSL_CERT_FLAG_SUITEB_192_LOS:
937                 *psigs = suiteb_sigalgs + 2;
938                 return 2;
939                 }
940 #endif
941         /* If server use client authentication sigalgs if not NULL */
942         if (s->server && s->cert->client_sigalgs)
943                 {
944                 *psigs = s->cert->client_sigalgs;
945                 return s->cert->client_sigalgslen;
946                 }
947         else if (s->cert->conf_sigalgs)
948                 {
949                 *psigs = s->cert->conf_sigalgs;
950                 return s->cert->conf_sigalgslen;
951                 }
952         else
953                 {
954                 *psigs = tls12_sigalgs;
955                 return sizeof(tls12_sigalgs);
956                 }
957         }
958 /* Check signature algorithm is consistent with sent supported signature
959  * algorithms and if so return relevant digest.
960  */
961 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
962                                 const unsigned char *sig, EVP_PKEY *pkey)
963         {
964         const unsigned char *sent_sigs;
965         size_t sent_sigslen, i;
966         int sigalg = tls12_get_sigid(pkey);
967         /* Should never happen */
968         if (sigalg == -1)
969                 return -1;
970         /* Check key type is consistent with signature */
971         if (sigalg != (int)sig[1])
972                 {
973                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
974                 return 0;
975                 }
976 #ifndef OPENSSL_NO_EC
977         if (pkey->type == EVP_PKEY_EC)
978                 {
979                 unsigned char curve_id[2], comp_id;
980                 /* Check compression and curve matches extensions */
981                 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
982                         return 0;
983                 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
984                         {
985                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_CURVE);
986                         return 0;
987                         }
988                 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
989                 if (tls1_suiteb(s))
990                         {
991                         if (curve_id[0])
992                                 return 0;
993                         if (curve_id[1] == TLSEXT_curve_P_256)
994                                 {
995                                 if (sig[0] != TLSEXT_hash_sha256)
996                                         {
997                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
998                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
999                                         return 0;
1000                                         }
1001                                 }
1002                         else if (curve_id[1] == TLSEXT_curve_P_384)
1003                                 {
1004                                 if (sig[0] != TLSEXT_hash_sha384)
1005                                         {
1006                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1007                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
1008                                         return 0;
1009                                         }
1010                                 }
1011                         else
1012                                 return 0;
1013                         }
1014                 }
1015         else if (tls1_suiteb(s))
1016                 return 0;
1017 #endif
1018
1019         /* Check signature matches a type we sent */
1020         sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1021         for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
1022                 {
1023                 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1024                         break;
1025                 }
1026         /* Allow fallback to SHA1 if not strict mode */
1027         if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
1028                 {
1029                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1030                 return 0;
1031                 }
1032         *pmd = tls12_get_hash(sig[0]);
1033         if (*pmd == NULL)
1034                 {
1035                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
1036                 return 0;
1037                 }
1038         /* Make sure security callback allows algorithm */
1039         if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1040                                 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1041                                                                 (void *)sig))
1042                 {
1043                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1044                 return 0;
1045                 }
1046         /* Store the digest used so applications can retrieve it if they
1047          * wish.
1048          */
1049         if (s->session && s->session->sess_cert)
1050                 s->session->sess_cert->peer_key->digest = *pmd;
1051         return 1;
1052         }
1053
1054 /* Get a mask of disabled algorithms: an algorithm is disabled
1055  * if it isn't supported or doesn't appear in supported signature
1056  * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1057  * session and not global settings.
1058  * 
1059  */
1060 void ssl_set_client_disabled(SSL *s)
1061         {
1062         CERT *c = s->cert;
1063         c->mask_a = 0;
1064         c->mask_k = 0;
1065         /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1066         if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1067                 c->mask_ssl = SSL_TLSV1_2;
1068         else
1069                 c->mask_ssl = 0;
1070         ssl_set_sig_mask(&c->mask_a, s, SSL_SECOP_SIGALG_MASK);
1071         /* Disable static DH if we don't include any appropriate
1072          * signature algorithms.
1073          */
1074         if (c->mask_a & SSL_aRSA)
1075                 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1076         if (c->mask_a & SSL_aDSS)
1077                 c->mask_k |= SSL_kDHd;
1078         if (c->mask_a & SSL_aECDSA)
1079                 c->mask_k |= SSL_kECDHe;
1080 #ifndef OPENSSL_NO_KRB5
1081         if (!kssl_tgt_is_available(s->kssl_ctx))
1082                 {
1083                 c->mask_a |= SSL_aKRB5;
1084                 c->mask_k |= SSL_kKRB5;
1085                 }
1086 #endif
1087 #ifndef OPENSSL_NO_PSK
1088         /* with PSK there must be client callback set */
1089         if (!s->psk_client_callback)
1090                 {
1091                 c->mask_a |= SSL_aPSK;
1092                 c->mask_k |= SSL_kPSK;
1093                 }
1094 #endif /* OPENSSL_NO_PSK */
1095 #ifndef OPENSSL_NO_SRP
1096         if (!(s->srp_ctx.srp_Mask & SSL_kSRP))
1097                 {
1098                 c->mask_a |= SSL_aSRP;
1099                 c->mask_k |= SSL_kSRP;
1100                 }
1101 #endif
1102         c->valid = 1;
1103         }
1104
1105 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
1106         {
1107         CERT *ct = s->cert;
1108         if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k || c->algorithm_auth & ct->mask_a)
1109                 return 1;
1110         return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1111         }
1112
1113 static int tls_use_ticket(SSL *s)
1114         {
1115         if (s->options & SSL_OP_NO_TICKET)
1116                 return 0;
1117         return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1118         }
1119
1120 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al)
1121         {
1122         int extdatalen=0;
1123         unsigned char *orig = buf;
1124         unsigned char *ret = buf;
1125 #ifndef OPENSSL_NO_EC
1126         /* See if we support any ECC ciphersuites */
1127         int using_ecc = 0;
1128         if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1129                 {
1130                 int i;
1131                 unsigned long alg_k, alg_a;
1132                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1133
1134                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1135                         {
1136                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1137
1138                         alg_k = c->algorithm_mkey;
1139                         alg_a = c->algorithm_auth;
1140                         if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)
1141                                 || (alg_a & SSL_aECDSA)))
1142                                 {
1143                                 using_ecc = 1;
1144                                 break;
1145                                 }
1146                         }
1147                 }
1148 #endif
1149
1150         ret+=2;
1151
1152         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1153
1154         /* Add RI if renegotiating */
1155         if (s->renegotiate)
1156           {
1157           int el;
1158
1159           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1160               {
1161               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1162               return NULL;
1163               }
1164
1165           if((limit - ret - 4 - el) < 0) return NULL;
1166
1167           s2n(TLSEXT_TYPE_renegotiate,ret);
1168           s2n(el,ret);
1169
1170           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1171               {
1172               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1173               return NULL;
1174               }
1175
1176           ret += el;
1177         }
1178         /* Only add RI for SSLv3 */
1179         if (s->client_version == SSL3_VERSION)
1180                 goto done;
1181
1182         if (s->tlsext_hostname != NULL)
1183                 { 
1184                 /* Add TLS extension servername to the Client Hello message */
1185                 unsigned long size_str;
1186                 long lenmax; 
1187
1188                 /* check for enough space.
1189                    4 for the servername type and entension length
1190                    2 for servernamelist length
1191                    1 for the hostname type
1192                    2 for hostname length
1193                    + hostname length 
1194                 */
1195                    
1196                 if ((lenmax = limit - ret - 9) < 0 
1197                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
1198                         return NULL;
1199                         
1200                 /* extension type and length */
1201                 s2n(TLSEXT_TYPE_server_name,ret); 
1202                 s2n(size_str+5,ret);
1203                 
1204                 /* length of servername list */
1205                 s2n(size_str+3,ret);
1206         
1207                 /* hostname type, length and hostname */
1208                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1209                 s2n(size_str,ret);
1210                 memcpy(ret, s->tlsext_hostname, size_str);
1211                 ret+=size_str;
1212                 }
1213
1214 #ifndef OPENSSL_NO_SRP
1215         /* Add SRP username if there is one */
1216         if (s->srp_ctx.login != NULL)
1217                 { /* Add TLS extension SRP username to the Client Hello message */
1218
1219                 int login_len = strlen(s->srp_ctx.login);       
1220                 if (login_len > 255 || login_len == 0)
1221                         {
1222                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1223                         return NULL;
1224                         } 
1225
1226                 /* check for enough space.
1227                    4 for the srp type type and entension length
1228                    1 for the srp user identity
1229                    + srp user identity length 
1230                 */
1231                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
1232
1233                 /* fill in the extension */
1234                 s2n(TLSEXT_TYPE_srp,ret);
1235                 s2n(login_len+1,ret);
1236                 (*ret++) = (unsigned char) login_len;
1237                 memcpy(ret, s->srp_ctx.login, login_len);
1238                 ret+=login_len;
1239                 }
1240 #endif
1241
1242 #ifndef OPENSSL_NO_EC
1243         if (using_ecc)
1244                 {
1245                 /* Add TLS extension ECPointFormats to the ClientHello message */
1246                 long lenmax; 
1247                 const unsigned char *plist;
1248                 size_t plistlen;
1249                 size_t i;
1250                 unsigned char *etmp;
1251
1252                 tls1_get_formatlist(s, &plist, &plistlen);
1253
1254                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1255                 if (plistlen > (size_t)lenmax) return NULL;
1256                 if (plistlen > 255)
1257                         {
1258                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1259                         return NULL;
1260                         }
1261                 
1262                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1263                 s2n(plistlen + 1,ret);
1264                 *(ret++) = (unsigned char)plistlen ;
1265                 memcpy(ret, plist, plistlen);
1266                 ret+=plistlen;
1267
1268                 /* Add TLS extension EllipticCurves to the ClientHello message */
1269                 plist = s->tlsext_ellipticcurvelist;
1270                 tls1_get_curvelist(s, 0, &plist, &plistlen);
1271
1272                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
1273                 if (plistlen > (size_t)lenmax) return NULL;
1274                 if (plistlen > 65532)
1275                         {
1276                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1277                         return NULL;
1278                         }
1279
1280                 
1281                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1282                 etmp = ret + 4;
1283                 /* Copy curve ID if supported */
1284                 for (i = 0; i < plistlen; i += 2, plist += 2)
1285                         {
1286                         if (tls_curve_allowed(s, plist, SSL_SECOP_CURVE_SUPPORTED))
1287                                 {
1288                                 *etmp++ = plist[0];
1289                                 *etmp++ = plist[1];
1290                                 }
1291                         }
1292
1293                 plistlen = etmp - ret - 4;
1294
1295                 s2n(plistlen + 2, ret);
1296                 s2n(plistlen, ret);
1297                 ret+=plistlen;
1298                 }
1299 #endif /* OPENSSL_NO_EC */
1300
1301         if (tls_use_ticket(s))
1302                 {
1303                 int ticklen;
1304                 if (!s->new_session && s->session && s->session->tlsext_tick)
1305                         ticklen = s->session->tlsext_ticklen;
1306                 else if (s->session && s->tlsext_session_ticket &&
1307                          s->tlsext_session_ticket->data)
1308                         {
1309                         ticklen = s->tlsext_session_ticket->length;
1310                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1311                         if (!s->session->tlsext_tick)
1312                                 return NULL;
1313                         memcpy(s->session->tlsext_tick,
1314                                s->tlsext_session_ticket->data,
1315                                ticklen);
1316                         s->session->tlsext_ticklen = ticklen;
1317                         }
1318                 else
1319                         ticklen = 0;
1320                 if (ticklen == 0 && s->tlsext_session_ticket &&
1321                     s->tlsext_session_ticket->data == NULL)
1322                         goto skip_ext;
1323                 /* Check for enough room 2 for extension type, 2 for len
1324                  * rest for ticket
1325                  */
1326                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1327                 s2n(TLSEXT_TYPE_session_ticket,ret); 
1328                 s2n(ticklen,ret);
1329                 if (ticklen)
1330                         {
1331                         memcpy(ret, s->session->tlsext_tick, ticklen);
1332                         ret += ticklen;
1333                         }
1334                 }
1335                 skip_ext:
1336
1337         if (SSL_USE_SIGALGS(s))
1338                 {
1339                 size_t salglen;
1340                 const unsigned char *salg;
1341                 unsigned char *etmp;
1342                 salglen = tls12_get_psigalgs(s, &salg);
1343                 if ((size_t)(limit - ret) < salglen + 6)
1344                         return NULL; 
1345                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1346                 etmp = ret;
1347                 /* Skip over lengths for now */
1348                 ret += 4;
1349                 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1350                 /* Fill in lengths */
1351                 s2n(salglen + 2, etmp);
1352                 s2n(salglen, etmp);
1353                 ret += salglen;
1354                 }
1355
1356 #ifdef TLSEXT_TYPE_opaque_prf_input
1357         if (s->s3->client_opaque_prf_input != NULL)
1358                 {
1359                 size_t col = s->s3->client_opaque_prf_input_len;
1360                 
1361                 if ((long)(limit - ret - 6 - col) < 0)
1362                         return NULL;
1363                 if (col > 0xFFFD) /* can't happen */
1364                         return NULL;
1365
1366                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1367                 s2n(col + 2, ret);
1368                 s2n(col, ret);
1369                 memcpy(ret, s->s3->client_opaque_prf_input, col);
1370                 ret += col;
1371                 }
1372 #endif
1373
1374         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1375                 {
1376                 int i;
1377                 long extlen, idlen, itmp;
1378                 OCSP_RESPID *id;
1379
1380                 idlen = 0;
1381                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1382                         {
1383                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1384                         itmp = i2d_OCSP_RESPID(id, NULL);
1385                         if (itmp <= 0)
1386                                 return NULL;
1387                         idlen += itmp + 2;
1388                         }
1389
1390                 if (s->tlsext_ocsp_exts)
1391                         {
1392                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1393                         if (extlen < 0)
1394                                 return NULL;
1395                         }
1396                 else
1397                         extlen = 0;
1398                         
1399                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1400                 s2n(TLSEXT_TYPE_status_request, ret);
1401                 if (extlen + idlen > 0xFFF0)
1402                         return NULL;
1403                 s2n(extlen + idlen + 5, ret);
1404                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1405                 s2n(idlen, ret);
1406                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1407                         {
1408                         /* save position of id len */
1409                         unsigned char *q = ret;
1410                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1411                         /* skip over id len */
1412                         ret += 2;
1413                         itmp = i2d_OCSP_RESPID(id, &ret);
1414                         /* write id len */
1415                         s2n(itmp, q);
1416                         }
1417                 s2n(extlen, ret);
1418                 if (extlen > 0)
1419                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1420                 }
1421
1422 #ifndef OPENSSL_NO_HEARTBEATS
1423         /* Add Heartbeat extension */
1424         if ((limit - ret - 4 - 1) < 0)
1425                 return NULL;
1426         s2n(TLSEXT_TYPE_heartbeat,ret);
1427         s2n(1,ret);
1428         /* Set mode:
1429          * 1: peer may send requests
1430          * 2: peer not allowed to send requests
1431          */
1432         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1433                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1434         else
1435                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1436 #endif
1437
1438 #ifndef OPENSSL_NO_NEXTPROTONEG
1439         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1440                 {
1441                 /* The client advertises an emtpy extension to indicate its
1442                  * support for Next Protocol Negotiation */
1443                 if (limit - ret - 4 < 0)
1444                         return NULL;
1445                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1446                 s2n(0,ret);
1447                 }
1448 #endif
1449
1450         if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1451                 {
1452                 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1453                         return NULL;
1454                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1455                 s2n(2 + s->alpn_client_proto_list_len,ret);
1456                 s2n(s->alpn_client_proto_list_len,ret);
1457                 memcpy(ret, s->alpn_client_proto_list,
1458                        s->alpn_client_proto_list_len);
1459                 ret += s->alpn_client_proto_list_len;
1460                 }
1461
1462         if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
1463                 {
1464                 int el;
1465
1466                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1467                 
1468                 if((limit - ret - 4 - el) < 0) return NULL;
1469
1470                 s2n(TLSEXT_TYPE_use_srtp,ret);
1471                 s2n(el,ret);
1472
1473                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1474                         {
1475                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1476                         return NULL;
1477                         }
1478                 ret += el;
1479                 }
1480         custom_ext_init(&s->cert->cli_ext);
1481         /* Add custom TLS Extensions to ClientHello */
1482         if (!custom_ext_add(s, 0, &ret, limit, al))
1483                 return NULL;
1484 #ifdef TLSEXT_TYPE_encrypt_then_mac
1485         s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
1486         s2n(0,ret);
1487 #endif
1488
1489         /* Add padding to workaround bugs in F5 terminators.
1490          * See https://tools.ietf.org/html/draft-agl-tls-padding-03
1491          *
1492          * NB: because this code works out the length of all existing
1493          * extensions it MUST always appear last.
1494          */
1495         if (s->options & SSL_OP_TLSEXT_PADDING)
1496                 {
1497                 int hlen = ret - (unsigned char *)s->init_buf->data;
1498                 /* The code in s23_clnt.c to build ClientHello messages
1499                  * includes the 5-byte record header in the buffer, while
1500                  * the code in s3_clnt.c does not.
1501                  */
1502                 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1503                         hlen -= 5;
1504                 if (hlen > 0xff && hlen < 0x200)
1505                         {
1506                         hlen = 0x200 - hlen;
1507                         if (hlen >= 4)
1508                                 hlen -= 4;
1509                         else
1510                                 hlen = 0;
1511
1512                         s2n(TLSEXT_TYPE_padding, ret);
1513                         s2n(hlen, ret);
1514                         memset(ret, 0, hlen);
1515                         ret += hlen;
1516                         }
1517                 }
1518
1519         done:
1520
1521         if ((extdatalen = ret-orig-2)== 0) 
1522                 return orig;
1523
1524         s2n(extdatalen, orig);
1525         return ret;
1526         }
1527
1528 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al)
1529         {
1530         int extdatalen=0;
1531         unsigned char *orig = buf;
1532         unsigned char *ret = buf;
1533 #ifndef OPENSSL_NO_NEXTPROTONEG
1534         int next_proto_neg_seen;
1535 #endif
1536 #ifndef OPENSSL_NO_EC
1537         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1538         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1539         int using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1540         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1541 #endif
1542         
1543         ret+=2;
1544         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1545
1546         if(s->s3->send_connection_binding)
1547         {
1548           int el;
1549           
1550           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1551               {
1552               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1553               return NULL;
1554               }
1555
1556           if((limit - ret - 4 - el) < 0) return NULL;
1557           
1558           s2n(TLSEXT_TYPE_renegotiate,ret);
1559           s2n(el,ret);
1560
1561           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1562               {
1563               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1564               return NULL;
1565               }
1566
1567           ret += el;
1568         }
1569
1570         /* Only add RI for SSLv3 */
1571         if (s->version == SSL3_VERSION)
1572                 goto done;
1573
1574         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1575                 {
1576                 if ((long)(limit - ret - 4) < 0) return NULL;
1577
1578                 s2n(TLSEXT_TYPE_server_name,ret);
1579                 s2n(0,ret);
1580                 }
1581
1582 #ifndef OPENSSL_NO_EC
1583         if (using_ecc)
1584                 {
1585                 const unsigned char *plist;
1586                 size_t plistlen;
1587                 /* Add TLS extension ECPointFormats to the ServerHello message */
1588                 long lenmax; 
1589
1590                 tls1_get_formatlist(s, &plist, &plistlen);
1591
1592                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1593                 if (plistlen > (size_t)lenmax) return NULL;
1594                 if (plistlen > 255)
1595                         {
1596                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1597                         return NULL;
1598                         }
1599                 
1600                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1601                 s2n(plistlen + 1,ret);
1602                 *(ret++) = (unsigned char) plistlen;
1603                 memcpy(ret, plist, plistlen);
1604                 ret+=plistlen;
1605
1606                 }
1607         /* Currently the server should not respond with a SupportedCurves extension */
1608 #endif /* OPENSSL_NO_EC */
1609
1610         if (s->tlsext_ticket_expected && tls_use_ticket(s))
1611                 { 
1612                 if ((long)(limit - ret - 4) < 0) return NULL; 
1613                 s2n(TLSEXT_TYPE_session_ticket,ret);
1614                 s2n(0,ret);
1615                 }
1616
1617         if (s->tlsext_status_expected)
1618                 { 
1619                 if ((long)(limit - ret - 4) < 0) return NULL; 
1620                 s2n(TLSEXT_TYPE_status_request,ret);
1621                 s2n(0,ret);
1622                 }
1623
1624 #ifdef TLSEXT_TYPE_opaque_prf_input
1625         if (s->s3->server_opaque_prf_input != NULL)
1626                 {
1627                 size_t sol = s->s3->server_opaque_prf_input_len;
1628                 
1629                 if ((long)(limit - ret - 6 - sol) < 0)
1630                         return NULL;
1631                 if (sol > 0xFFFD) /* can't happen */
1632                         return NULL;
1633
1634                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1635                 s2n(sol + 2, ret);
1636                 s2n(sol, ret);
1637                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1638                 ret += sol;
1639                 }
1640 #endif
1641
1642         if(SSL_IS_DTLS(s) && s->srtp_profile)
1643                 {
1644                 int el;
1645
1646                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1647                 
1648                 if((limit - ret - 4 - el) < 0) return NULL;
1649
1650                 s2n(TLSEXT_TYPE_use_srtp,ret);
1651                 s2n(el,ret);
1652
1653                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1654                         {
1655                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1656                         return NULL;
1657                         }
1658                 ret+=el;
1659                 }
1660
1661         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1662                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1663                 { const unsigned char cryptopro_ext[36] = {
1664                         0xfd, 0xe8, /*65000*/
1665                         0x00, 0x20, /*32 bytes length*/
1666                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1667                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1668                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1669                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1670                         if (limit-ret<36) return NULL;
1671                         memcpy(ret,cryptopro_ext,36);
1672                         ret+=36;
1673
1674                 }
1675
1676 #ifndef OPENSSL_NO_HEARTBEATS
1677         /* Add Heartbeat extension if we've received one */
1678         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1679                 {
1680                 if ((limit - ret - 4 - 1) < 0)
1681                         return NULL;
1682                 s2n(TLSEXT_TYPE_heartbeat,ret);
1683                 s2n(1,ret);
1684                 /* Set mode:
1685                  * 1: peer may send requests
1686                  * 2: peer not allowed to send requests
1687                  */
1688                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1689                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1690                 else
1691                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1692
1693                 }
1694 #endif
1695
1696 #ifndef OPENSSL_NO_NEXTPROTONEG
1697         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1698         s->s3->next_proto_neg_seen = 0;
1699         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1700                 {
1701                 const unsigned char *npa;
1702                 unsigned int npalen;
1703                 int r;
1704
1705                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1706                 if (r == SSL_TLSEXT_ERR_OK)
1707                         {
1708                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1709                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1710                         s2n(npalen,ret);
1711                         memcpy(ret, npa, npalen);
1712                         ret += npalen;
1713                         s->s3->next_proto_neg_seen = 1;
1714                         }
1715                 }
1716 #endif
1717         if (!custom_ext_add(s, 1, &ret, limit, al))
1718                 return NULL;
1719 #ifdef TLSEXT_TYPE_encrypt_then_mac
1720         if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
1721                 {
1722                 /* Don't use encrypt_then_mac if AEAD or RC4
1723                  * might want to disable for other cases too.
1724                  */
1725                 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1726                     || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4)
1727                         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1728                 else
1729                         {
1730                         s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
1731                         s2n(0,ret);
1732                         }
1733                 }
1734 #endif
1735
1736         if (s->s3->alpn_selected)
1737                 {
1738                 const unsigned char *selected = s->s3->alpn_selected;
1739                 unsigned len = s->s3->alpn_selected_len;
1740
1741                 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1742                         return NULL;
1743                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1744                 s2n(3 + len,ret);
1745                 s2n(1 + len,ret);
1746                 *ret++ = len;
1747                 memcpy(ret, selected, len);
1748                 ret += len;
1749                 }
1750
1751         done:
1752
1753         if ((extdatalen = ret-orig-2)== 0) 
1754                 return orig;
1755
1756         s2n(extdatalen, orig);
1757         return ret;
1758         }
1759
1760 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1761  * ClientHello.
1762  *   data: the contents of the extension, not including the type and length.
1763  *   data_len: the number of bytes in |data|
1764  *   al: a pointer to the alert value to send in the event of a non-zero
1765  *       return.
1766  *
1767  *   returns: 0 on success. */
1768 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1769                                          unsigned data_len, int *al)
1770         {
1771         unsigned i;
1772         unsigned proto_len;
1773         const unsigned char *selected;
1774         unsigned char selected_len;
1775         int r;
1776
1777         if (s->ctx->alpn_select_cb == NULL)
1778                 return 0;
1779
1780         if (data_len < 2)
1781                 goto parse_error;
1782
1783         /* data should contain a uint16 length followed by a series of 8-bit,
1784          * length-prefixed strings. */
1785         i = ((unsigned) data[0]) << 8 |
1786             ((unsigned) data[1]);
1787         data_len -= 2;
1788         data += 2;
1789         if (data_len != i)
1790                 goto parse_error;
1791
1792         if (data_len < 2)
1793                 goto parse_error;
1794
1795         for (i = 0; i < data_len;)
1796                 {
1797                 proto_len = data[i];
1798                 i++;
1799
1800                 if (proto_len == 0)
1801                         goto parse_error;
1802
1803                 if (i + proto_len < i || i + proto_len > data_len)
1804                         goto parse_error;
1805
1806                 i += proto_len;
1807                 }
1808
1809         r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1810                                    s->ctx->alpn_select_cb_arg);
1811         if (r == SSL_TLSEXT_ERR_OK) {
1812                 if (s->s3->alpn_selected)
1813                         OPENSSL_free(s->s3->alpn_selected);
1814                 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1815                 if (!s->s3->alpn_selected)
1816                         {
1817                         *al = SSL_AD_INTERNAL_ERROR;
1818                         return -1;
1819                         }
1820                 memcpy(s->s3->alpn_selected, selected, selected_len);
1821                 s->s3->alpn_selected_len = selected_len;
1822         }
1823         return 0;
1824
1825 parse_error:
1826         *al = SSL_AD_DECODE_ERROR;
1827         return -1;
1828         }
1829
1830 #ifndef OPENSSL_NO_EC
1831 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
1832  * SecureTransport using the TLS extension block in |d|, of length |n|.
1833  * Safari, since 10.6, sends exactly these extensions, in this order:
1834  *   SNI,
1835  *   elliptic_curves
1836  *   ec_point_formats
1837  *
1838  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1839  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1840  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1841  * 10.8..10.8.3 (which don't work).
1842  */
1843 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
1844         unsigned short type, size;
1845         static const unsigned char kSafariExtensionsBlock[] = {
1846                 0x00, 0x0a,  /* elliptic_curves extension */
1847                 0x00, 0x08,  /* 8 bytes */
1848                 0x00, 0x06,  /* 6 bytes of curve ids */
1849                 0x00, 0x17,  /* P-256 */
1850                 0x00, 0x18,  /* P-384 */
1851                 0x00, 0x19,  /* P-521 */
1852
1853                 0x00, 0x0b,  /* ec_point_formats */
1854                 0x00, 0x02,  /* 2 bytes */
1855                 0x01,        /* 1 point format */
1856                 0x00,        /* uncompressed */
1857         };
1858
1859         /* The following is only present in TLS 1.2 */
1860         static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1861                 0x00, 0x0d,  /* signature_algorithms */
1862                 0x00, 0x0c,  /* 12 bytes */
1863                 0x00, 0x0a,  /* 10 bytes */
1864                 0x05, 0x01,  /* SHA-384/RSA */
1865                 0x04, 0x01,  /* SHA-256/RSA */
1866                 0x02, 0x01,  /* SHA-1/RSA */
1867                 0x04, 0x03,  /* SHA-256/ECDSA */
1868                 0x02, 0x03,  /* SHA-1/ECDSA */
1869         };
1870
1871         if (data >= (d+n-2))
1872                 return;
1873         data += 2;
1874
1875         if (data > (d+n-4))
1876                 return;
1877         n2s(data,type);
1878         n2s(data,size);
1879
1880         if (type != TLSEXT_TYPE_server_name)
1881                 return;
1882
1883         if (data+size > d+n)
1884                 return;
1885         data += size;
1886
1887         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
1888                 {
1889                 const size_t len1 = sizeof(kSafariExtensionsBlock);
1890                 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1891
1892                 if (data + len1 + len2 != d+n)
1893                         return;
1894                 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1895                         return;
1896                 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1897                         return;
1898                 }
1899         else
1900                 {
1901                 const size_t len = sizeof(kSafariExtensionsBlock);
1902
1903                 if (data + len != d+n)
1904                         return;
1905                 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1906                         return;
1907                 }
1908
1909         s->s3->is_probably_safari = 1;
1910 }
1911 #endif /* !OPENSSL_NO_EC */
1912
1913
1914 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1915         {       
1916         unsigned short type;
1917         unsigned short size;
1918         unsigned short len;
1919         unsigned char *data = *p;
1920         int renegotiate_seen = 0;
1921
1922         s->servername_done = 0;
1923         s->tlsext_status_type = -1;
1924 #ifndef OPENSSL_NO_NEXTPROTONEG
1925         s->s3->next_proto_neg_seen = 0;
1926 #endif
1927
1928         if (s->s3->alpn_selected)
1929                 {
1930                 OPENSSL_free(s->s3->alpn_selected);
1931                 s->s3->alpn_selected = NULL;
1932                 }
1933
1934 #ifndef OPENSSL_NO_HEARTBEATS
1935         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1936                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1937 #endif
1938
1939 #ifndef OPENSSL_NO_EC
1940         if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1941                 ssl_check_for_safari(s, data, d, n);
1942 #endif /* !OPENSSL_NO_EC */
1943
1944         /* Clear any signature algorithms extension received */
1945         if (s->cert->peer_sigalgs)
1946                 {
1947                 OPENSSL_free(s->cert->peer_sigalgs);
1948                 s->cert->peer_sigalgs = NULL;
1949                 }
1950
1951 #ifdef TLSEXT_TYPE_encrypt_then_mac
1952         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1953 #endif
1954
1955         if (data >= (d+n-2))
1956                 goto ri_check;
1957         n2s(data,len);
1958
1959         if (data > (d+n-len)) 
1960                 goto ri_check;
1961
1962         while (data <= (d+n-4))
1963                 {
1964                 n2s(data,type);
1965                 n2s(data,size);
1966
1967                 if (data+size > (d+n))
1968                         goto ri_check;
1969 #if 0
1970                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1971 #endif
1972                 if (s->tlsext_debug_cb)
1973                         s->tlsext_debug_cb(s, 0, type, data, size,
1974                                                 s->tlsext_debug_arg);
1975                 if (type == TLSEXT_TYPE_renegotiate)
1976                         {
1977                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1978                                 return 0;
1979                         renegotiate_seen = 1;
1980                         }
1981                 else if (s->version == SSL3_VERSION)
1982                         {}
1983 /* The servername extension is treated as follows:
1984
1985    - Only the hostname type is supported with a maximum length of 255.
1986    - The servername is rejected if too long or if it contains zeros,
1987      in which case an fatal alert is generated.
1988    - The servername field is maintained together with the session cache.
1989    - When a session is resumed, the servername call back invoked in order
1990      to allow the application to position itself to the right context. 
1991    - The servername is acknowledged if it is new for a session or when 
1992      it is identical to a previously used for the same session. 
1993      Applications can control the behaviour.  They can at any time
1994      set a 'desirable' servername for a new SSL object. This can be the
1995      case for example with HTTPS when a Host: header field is received and
1996      a renegotiation is requested. In this case, a possible servername
1997      presented in the new client hello is only acknowledged if it matches
1998      the value of the Host: field. 
1999    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2000      if they provide for changing an explicit servername context for the session,
2001      i.e. when the session has been established with a servername extension. 
2002    - On session reconnect, the servername extension may be absent. 
2003
2004 */      
2005
2006                 else if (type == TLSEXT_TYPE_server_name)
2007                         {
2008                         unsigned char *sdata;
2009                         int servname_type;
2010                         int dsize; 
2011                 
2012                         if (size < 2) 
2013                                 {
2014                                 *al = SSL_AD_DECODE_ERROR;
2015                                 return 0;
2016                                 }
2017                         n2s(data,dsize);  
2018                         size -= 2;
2019                         if (dsize > size  ) 
2020                                 {
2021                                 *al = SSL_AD_DECODE_ERROR;
2022                                 return 0;
2023                                 } 
2024
2025                         sdata = data;
2026                         while (dsize > 3) 
2027                                 {
2028                                 servname_type = *(sdata++); 
2029                                 n2s(sdata,len);
2030                                 dsize -= 3;
2031
2032                                 if (len > dsize) 
2033                                         {
2034                                         *al = SSL_AD_DECODE_ERROR;
2035                                         return 0;
2036                                         }
2037                                 if (s->servername_done == 0)
2038                                 switch (servname_type)
2039                                         {
2040                                 case TLSEXT_NAMETYPE_host_name:
2041                                         if (!s->hit)
2042                                                 {
2043                                                 if(s->session->tlsext_hostname)
2044                                                         {
2045                                                         *al = SSL_AD_DECODE_ERROR;
2046                                                         return 0;
2047                                                         }
2048                                                 if (len > TLSEXT_MAXLEN_host_name)
2049                                                         {
2050                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
2051                                                         return 0;
2052                                                         }
2053                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2054                                                         {
2055                                                         *al = TLS1_AD_INTERNAL_ERROR;
2056                                                         return 0;
2057                                                         }
2058                                                 memcpy(s->session->tlsext_hostname, sdata, len);
2059                                                 s->session->tlsext_hostname[len]='\0';
2060                                                 if (strlen(s->session->tlsext_hostname) != len) {
2061                                                         OPENSSL_free(s->session->tlsext_hostname);
2062                                                         s->session->tlsext_hostname = NULL;
2063                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
2064                                                         return 0;
2065                                                 }
2066                                                 s->servername_done = 1; 
2067
2068                                                 }
2069                                         else 
2070                                                 s->servername_done = s->session->tlsext_hostname
2071                                                         && strlen(s->session->tlsext_hostname) == len 
2072                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2073                                         
2074                                         break;
2075
2076                                 default:
2077                                         break;
2078                                         }
2079                                  
2080                                 dsize -= len;
2081                                 }
2082                         if (dsize != 0) 
2083                                 {
2084                                 *al = SSL_AD_DECODE_ERROR;
2085                                 return 0;
2086                                 }
2087
2088                         }
2089 #ifndef OPENSSL_NO_SRP
2090                 else if (type == TLSEXT_TYPE_srp)
2091                         {
2092                         if (size <= 0 || ((len = data[0])) != (size -1))
2093                                 {
2094                                 *al = SSL_AD_DECODE_ERROR;
2095                                 return 0;
2096                                 }
2097                         if (s->srp_ctx.login != NULL)
2098                                 {
2099                                 *al = SSL_AD_DECODE_ERROR;
2100                                 return 0;
2101                                 }
2102                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
2103                                 return -1;
2104                         memcpy(s->srp_ctx.login, &data[1], len);
2105                         s->srp_ctx.login[len]='\0';
2106   
2107                         if (strlen(s->srp_ctx.login) != len) 
2108                                 {
2109                                 *al = SSL_AD_DECODE_ERROR;
2110                                 return 0;
2111                                 }
2112                         }
2113 #endif
2114
2115 #ifndef OPENSSL_NO_EC
2116                 else if (type == TLSEXT_TYPE_ec_point_formats)
2117                         {
2118                         unsigned char *sdata = data;
2119                         int ecpointformatlist_length = *(sdata++);
2120
2121                         if (ecpointformatlist_length != size - 1 || 
2122                                 ecpointformatlist_length < 1)
2123                                 {
2124                                 *al = TLS1_AD_DECODE_ERROR;
2125                                 return 0;
2126                                 }
2127                         if (!s->hit)
2128                                 {
2129                                 if(s->session->tlsext_ecpointformatlist)
2130                                         {
2131                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
2132                                         s->session->tlsext_ecpointformatlist = NULL;
2133                                         }
2134                                 s->session->tlsext_ecpointformatlist_length = 0;
2135                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2136                                         {
2137                                         *al = TLS1_AD_INTERNAL_ERROR;
2138                                         return 0;
2139                                         }
2140                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2141                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2142                                 }
2143 #if 0
2144                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2145                         sdata = s->session->tlsext_ecpointformatlist;
2146                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2147                                 fprintf(stderr,"%i ",*(sdata++));
2148                         fprintf(stderr,"\n");
2149 #endif
2150                         }
2151                 else if (type == TLSEXT_TYPE_elliptic_curves)
2152                         {
2153                         unsigned char *sdata = data;
2154                         int ellipticcurvelist_length = (*(sdata++) << 8);
2155                         ellipticcurvelist_length += (*(sdata++));
2156
2157                         if (ellipticcurvelist_length != size - 2 ||
2158                                 ellipticcurvelist_length < 1)
2159                                 {
2160                                 *al = TLS1_AD_DECODE_ERROR;
2161                                 return 0;
2162                                 }
2163                         if (!s->hit)
2164                                 {
2165                                 if(s->session->tlsext_ellipticcurvelist)
2166                                         {
2167                                         *al = TLS1_AD_DECODE_ERROR;
2168                                         return 0;
2169                                         }
2170                                 s->session->tlsext_ellipticcurvelist_length = 0;
2171                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2172                                         {
2173                                         *al = TLS1_AD_INTERNAL_ERROR;
2174                                         return 0;
2175                                         }
2176                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2177                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2178                                 }
2179 #if 0
2180                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2181                         sdata = s->session->tlsext_ellipticcurvelist;
2182                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2183                                 fprintf(stderr,"%i ",*(sdata++));
2184                         fprintf(stderr,"\n");
2185 #endif
2186                         }
2187 #endif /* OPENSSL_NO_EC */
2188 #ifdef TLSEXT_TYPE_opaque_prf_input
2189                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2190                         {
2191                         unsigned char *sdata = data;
2192
2193                         if (size < 2)
2194                                 {
2195                                 *al = SSL_AD_DECODE_ERROR;
2196                                 return 0;
2197                                 }
2198                         n2s(sdata, s->s3->client_opaque_prf_input_len);
2199                         if (s->s3->client_opaque_prf_input_len != size - 2)
2200                                 {
2201                                 *al = SSL_AD_DECODE_ERROR;
2202                                 return 0;
2203                                 }
2204
2205                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2206                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2207                         if (s->s3->client_opaque_prf_input_len == 0)
2208                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2209                         else
2210                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2211                         if (s->s3->client_opaque_prf_input == NULL)
2212                                 {
2213                                 *al = TLS1_AD_INTERNAL_ERROR;
2214                                 return 0;
2215                                 }
2216                         }
2217 #endif
2218                 else if (type == TLSEXT_TYPE_session_ticket)
2219                         {
2220                         if (s->tls_session_ticket_ext_cb &&
2221                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2222                                 {
2223                                 *al = TLS1_AD_INTERNAL_ERROR;
2224                                 return 0;
2225                                 }
2226                         }
2227                 else if (type == TLSEXT_TYPE_signature_algorithms)
2228                         {
2229                         int dsize;
2230                         if (s->cert->peer_sigalgs || size < 2) 
2231                                 {
2232                                 *al = SSL_AD_DECODE_ERROR;
2233                                 return 0;
2234                                 }
2235                         n2s(data,dsize);
2236                         size -= 2;
2237                         if (dsize != size || dsize & 1 || !dsize) 
2238                                 {
2239                                 *al = SSL_AD_DECODE_ERROR;
2240                                 return 0;
2241                                 }
2242                         if (!tls1_save_sigalgs(s, data, dsize))
2243                                 {
2244                                 *al = SSL_AD_DECODE_ERROR;
2245                                 return 0;
2246                                 }
2247                         }
2248                 else if (type == TLSEXT_TYPE_status_request)
2249                         {
2250                 
2251                         if (size < 5) 
2252                                 {
2253                                 *al = SSL_AD_DECODE_ERROR;
2254                                 return 0;
2255                                 }
2256
2257                         s->tlsext_status_type = *data++;
2258                         size--;
2259                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2260                                 {
2261                                 const unsigned char *sdata;
2262                                 int dsize;
2263                                 /* Read in responder_id_list */
2264                                 n2s(data,dsize);
2265                                 size -= 2;
2266                                 if (dsize > size  ) 
2267                                         {
2268                                         *al = SSL_AD_DECODE_ERROR;
2269                                         return 0;
2270                                         }
2271                                 while (dsize > 0)
2272                                         {
2273                                         OCSP_RESPID *id;
2274                                         int idsize;
2275                                         if (dsize < 4)
2276                                                 {
2277                                                 *al = SSL_AD_DECODE_ERROR;
2278                                                 return 0;
2279                                                 }
2280                                         n2s(data, idsize);
2281                                         dsize -= 2 + idsize;
2282                                         size -= 2 + idsize;
2283                                         if (dsize < 0)
2284                                                 {
2285                                                 *al = SSL_AD_DECODE_ERROR;
2286                                                 return 0;
2287                                                 }
2288                                         sdata = data;
2289                                         data += idsize;
2290                                         id = d2i_OCSP_RESPID(NULL,
2291                                                                 &sdata, idsize);
2292                                         if (!id)
2293                                                 {
2294                                                 *al = SSL_AD_DECODE_ERROR;
2295                                                 return 0;
2296                                                 }
2297                                         if (data != sdata)
2298                                                 {
2299                                                 OCSP_RESPID_free(id);
2300                                                 *al = SSL_AD_DECODE_ERROR;
2301                                                 return 0;
2302                                                 }
2303                                         if (!s->tlsext_ocsp_ids
2304                                                 && !(s->tlsext_ocsp_ids =
2305                                                 sk_OCSP_RESPID_new_null()))
2306                                                 {
2307                                                 OCSP_RESPID_free(id);
2308                                                 *al = SSL_AD_INTERNAL_ERROR;
2309                                                 return 0;
2310                                                 }
2311                                         if (!sk_OCSP_RESPID_push(
2312                                                         s->tlsext_ocsp_ids, id))
2313                                                 {
2314                                                 OCSP_RESPID_free(id);
2315                                                 *al = SSL_AD_INTERNAL_ERROR;
2316                                                 return 0;
2317                                                 }
2318                                         }
2319
2320                                 /* Read in request_extensions */
2321                                 if (size < 2)
2322                                         {
2323                                         *al = SSL_AD_DECODE_ERROR;
2324                                         return 0;
2325                                         }
2326                                 n2s(data,dsize);
2327                                 size -= 2;
2328                                 if (dsize != size)
2329                                         {
2330                                         *al = SSL_AD_DECODE_ERROR;
2331                                         return 0;
2332                                         }
2333                                 sdata = data;
2334                                 if (dsize > 0)
2335                                         {
2336                                         if (s->tlsext_ocsp_exts)
2337                                                 {
2338                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2339                                                                            X509_EXTENSION_free);
2340                                                 }
2341
2342                                         s->tlsext_ocsp_exts =
2343                                                 d2i_X509_EXTENSIONS(NULL,
2344                                                         &sdata, dsize);
2345                                         if (!s->tlsext_ocsp_exts
2346                                                 || (data + dsize != sdata))
2347                                                 {
2348                                                 *al = SSL_AD_DECODE_ERROR;
2349                                                 return 0;
2350                                                 }
2351                                         }
2352                                 }
2353                                 /* We don't know what to do with any other type
2354                                 * so ignore it.
2355                                 */
2356                                 else
2357                                         s->tlsext_status_type = -1;
2358                         }
2359 #ifndef OPENSSL_NO_HEARTBEATS
2360                 else if (type == TLSEXT_TYPE_heartbeat)
2361                         {
2362                         switch(data[0])
2363                                 {
2364                                 case 0x01:      /* Client allows us to send HB requests */
2365                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2366                                                         break;
2367                                 case 0x02:      /* Client doesn't accept HB requests */
2368                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2369                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2370                                                         break;
2371                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2372                                                         return 0;
2373                                 }
2374                         }
2375 #endif
2376 #ifndef OPENSSL_NO_NEXTPROTONEG
2377                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2378                          s->s3->tmp.finish_md_len == 0 &&
2379                          s->s3->alpn_selected == NULL)
2380                         {
2381                         /* We shouldn't accept this extension on a
2382                          * renegotiation.
2383                          *
2384                          * s->new_session will be set on renegotiation, but we
2385                          * probably shouldn't rely that it couldn't be set on
2386                          * the initial renegotation too in certain cases (when
2387                          * there's some other reason to disallow resuming an
2388                          * earlier session -- the current code won't be doing
2389                          * anything like that, but this might change).
2390
2391                          * A valid sign that there's been a previous handshake
2392                          * in this connection is if s->s3->tmp.finish_md_len >
2393                          * 0.  (We are talking about a check that will happen
2394                          * in the Hello protocol round, well before a new
2395                          * Finished message could have been computed.) */
2396                         s->s3->next_proto_neg_seen = 1;
2397                         }
2398 #endif
2399
2400                 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2401                          s->ctx->alpn_select_cb &&
2402                          s->s3->tmp.finish_md_len == 0)
2403                         {
2404                         if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2405                                 return 0;
2406 #ifndef OPENSSL_NO_NEXTPROTONEG
2407                         /* ALPN takes precedence over NPN. */
2408                         s->s3->next_proto_neg_seen = 0;
2409 #endif
2410                         }
2411
2412                 /* session ticket processed earlier */
2413                 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2414                                 && type == TLSEXT_TYPE_use_srtp)
2415                         {
2416                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2417                                                               al))
2418                                 return 0;
2419                         }
2420 #ifdef TLSEXT_TYPE_encrypt_then_mac
2421                 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2422                         s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2423 #endif
2424                 /* If this ClientHello extension was unhandled and this is 
2425                  * a nonresumed connection, check whether the extension is a 
2426                  * custom TLS Extension (has a custom_srv_ext_record), and if
2427                  * so call the callback and record the extension number so that
2428                  * an appropriate ServerHello may be later returned.
2429                  */
2430                 else if (!s->hit)
2431                         {
2432                         if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2433                                 return 0;
2434                         }
2435
2436                 data+=size;
2437                 }
2438
2439         *p = data;
2440
2441         ri_check:
2442
2443         /* Need RI if renegotiating */
2444
2445         if (!renegotiate_seen && s->renegotiate &&
2446                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2447                 {
2448                 *al = SSL_AD_HANDSHAKE_FAILURE;
2449                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2450                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2451                 return 0;
2452                 }
2453
2454         return 1;
2455         }
2456
2457 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2458         {
2459         int al = -1;
2460         custom_ext_init(&s->cert->srv_ext);
2461         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
2462                 {
2463                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2464                 return 0;
2465                 }
2466
2467         if (ssl_check_clienthello_tlsext_early(s) <= 0) 
2468                 {
2469                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
2470                 return 0;
2471                 }
2472         return 1;
2473 }
2474
2475 #ifndef OPENSSL_NO_NEXTPROTONEG
2476 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2477  * elements of zero length are allowed and the set of elements must exactly fill
2478  * the length of the block. */
2479 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2480         {
2481         unsigned int off = 0;
2482
2483         while (off < len)
2484                 {
2485                 if (d[off] == 0)
2486                         return 0;
2487                 off += d[off];
2488                 off++;
2489                 }
2490
2491         return off == len;
2492         }
2493 #endif
2494
2495 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2496         {
2497         unsigned short length;
2498         unsigned short type;
2499         unsigned short size;
2500         unsigned char *data = *p;
2501         int tlsext_servername = 0;
2502         int renegotiate_seen = 0;
2503
2504 #ifndef OPENSSL_NO_NEXTPROTONEG
2505         s->s3->next_proto_neg_seen = 0;
2506 #endif
2507         s->tlsext_ticket_expected = 0;
2508
2509         if (s->s3->alpn_selected)
2510                 {
2511                 OPENSSL_free(s->s3->alpn_selected);
2512                 s->s3->alpn_selected = NULL;
2513                 }
2514
2515 #ifndef OPENSSL_NO_HEARTBEATS
2516         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2517                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2518 #endif
2519
2520 #ifdef TLSEXT_TYPE_encrypt_then_mac
2521         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2522 #endif
2523
2524         if (data >= (d+n-2))
2525                 goto ri_check;
2526
2527         n2s(data,length);
2528         if (data+length != d+n)
2529                 {
2530                 *al = SSL_AD_DECODE_ERROR;
2531                 return 0;
2532                 }
2533
2534         while(data <= (d+n-4))
2535                 {
2536                 n2s(data,type);
2537                 n2s(data,size);
2538
2539                 if (data+size > (d+n))
2540                         goto ri_check;
2541
2542                 if (s->tlsext_debug_cb)
2543                         s->tlsext_debug_cb(s, 1, type, data, size,
2544                                                 s->tlsext_debug_arg);
2545
2546
2547                 if (type == TLSEXT_TYPE_renegotiate)
2548                         {
2549                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2550                                 return 0;
2551                         renegotiate_seen = 1;
2552                         }
2553                 else if (s->version == SSL3_VERSION)
2554                         {}
2555                 else if (type == TLSEXT_TYPE_server_name)
2556                         {
2557                         if (s->tlsext_hostname == NULL || size > 0)
2558                                 {
2559                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2560                                 return 0;
2561                                 }
2562                         tlsext_servername = 1;   
2563                         }
2564
2565 #ifndef OPENSSL_NO_EC
2566                 else if (type == TLSEXT_TYPE_ec_point_formats)
2567                         {
2568                         unsigned char *sdata = data;
2569                         int ecpointformatlist_length = *(sdata++);
2570
2571                         if (ecpointformatlist_length != size - 1)
2572                                 {
2573                                 *al = TLS1_AD_DECODE_ERROR;
2574                                 return 0;
2575                                 }
2576                         if (!s->hit)
2577                                 {
2578                                 s->session->tlsext_ecpointformatlist_length = 0;
2579                                 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2580                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2581                                         {
2582                                         *al = TLS1_AD_INTERNAL_ERROR;
2583                                         return 0;
2584                                         }
2585                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2586                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2587                                 }
2588 #if 0
2589                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2590                         sdata = s->session->tlsext_ecpointformatlist;
2591                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2592                                 fprintf(stderr,"%i ",*(sdata++));
2593                         fprintf(stderr,"\n");
2594 #endif
2595                         }
2596 #endif /* OPENSSL_NO_EC */
2597
2598                 else if (type == TLSEXT_TYPE_session_ticket)
2599                         {
2600                         if (s->tls_session_ticket_ext_cb &&
2601                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2602                                 {
2603                                 *al = TLS1_AD_INTERNAL_ERROR;
2604                                 return 0;
2605                                 }
2606                         if (!tls_use_ticket(s) || (size > 0))
2607                                 {
2608                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2609                                 return 0;
2610                                 }
2611                         s->tlsext_ticket_expected = 1;
2612                         }
2613 #ifdef TLSEXT_TYPE_opaque_prf_input
2614                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2615                         {
2616                         unsigned char *sdata = data;
2617
2618                         if (size < 2)
2619                                 {
2620                                 *al = SSL_AD_DECODE_ERROR;
2621                                 return 0;
2622                                 }
2623                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2624                         if (s->s3->server_opaque_prf_input_len != size - 2)
2625                                 {
2626                                 *al = SSL_AD_DECODE_ERROR;
2627                                 return 0;
2628                                 }
2629                         
2630                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2631                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2632                         if (s->s3->server_opaque_prf_input_len == 0)
2633                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2634                         else
2635                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2636
2637                         if (s->s3->server_opaque_prf_input == NULL)
2638                                 {
2639                                 *al = TLS1_AD_INTERNAL_ERROR;
2640                                 return 0;
2641                                 }
2642                         }
2643 #endif
2644                 else if (type == TLSEXT_TYPE_status_request)
2645                         {
2646                         /* MUST be empty and only sent if we've requested
2647                          * a status request message.
2648                          */ 
2649                         if ((s->tlsext_status_type == -1) || (size > 0))
2650                                 {
2651                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2652                                 return 0;
2653                                 }
2654                         /* Set flag to expect CertificateStatus message */
2655                         s->tlsext_status_expected = 1;
2656                         }
2657 #ifndef OPENSSL_NO_NEXTPROTONEG
2658                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2659                          s->s3->tmp.finish_md_len == 0)
2660                         {
2661                         unsigned char *selected;
2662                         unsigned char selected_len;
2663
2664                         /* We must have requested it. */
2665                         if (s->ctx->next_proto_select_cb == NULL)
2666                                 {
2667                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2668                                 return 0;
2669                                 }
2670                         /* The data must be valid */
2671                         if (!ssl_next_proto_validate(data, size))
2672                                 {
2673                                 *al = TLS1_AD_DECODE_ERROR;
2674                                 return 0;
2675                                 }
2676                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2677                                 {
2678                                 *al = TLS1_AD_INTERNAL_ERROR;
2679                                 return 0;
2680                                 }
2681                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2682                         if (!s->next_proto_negotiated)
2683                                 {
2684                                 *al = TLS1_AD_INTERNAL_ERROR;
2685                                 return 0;
2686                                 }
2687                         memcpy(s->next_proto_negotiated, selected, selected_len);
2688                         s->next_proto_negotiated_len = selected_len;
2689                         s->s3->next_proto_neg_seen = 1;
2690                         }
2691 #endif
2692
2693                 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
2694                         {
2695                         unsigned len;
2696
2697                         /* We must have requested it. */
2698                         if (s->alpn_client_proto_list == NULL)
2699                                 {
2700                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2701                                 return 0;
2702                                 }
2703                         if (size < 4)
2704                                 {
2705                                 *al = TLS1_AD_DECODE_ERROR;
2706                                 return 0;
2707                                 }
2708                         /* The extension data consists of:
2709                          *   uint16 list_length
2710                          *   uint8 proto_length;
2711                          *   uint8 proto[proto_length]; */
2712                         len = data[0];
2713                         len <<= 8;
2714                         len |= data[1];
2715                         if (len != (unsigned) size - 2)
2716                                 {
2717                                 *al = TLS1_AD_DECODE_ERROR;
2718                                 return 0;
2719                                 }
2720                         len = data[2];
2721                         if (len != (unsigned) size - 3)
2722                                 {
2723                                 *al = TLS1_AD_DECODE_ERROR;
2724                                 return 0;
2725                                 }
2726                         if (s->s3->alpn_selected)
2727                                 OPENSSL_free(s->s3->alpn_selected);
2728                         s->s3->alpn_selected = OPENSSL_malloc(len);
2729                         if (!s->s3->alpn_selected)
2730                                 {
2731                                 *al = TLS1_AD_INTERNAL_ERROR;
2732                                 return 0;
2733                                 }
2734                         memcpy(s->s3->alpn_selected, data + 3, len);
2735                         s->s3->alpn_selected_len = len;
2736                         }
2737 #ifndef OPENSSL_NO_HEARTBEATS
2738                 else if (type == TLSEXT_TYPE_heartbeat)
2739                         {
2740                         switch(data[0])
2741                                 {
2742                                 case 0x01:      /* Server allows us to send HB requests */
2743                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2744                                                         break;
2745                                 case 0x02:      /* Server doesn't accept HB requests */
2746                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2747                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2748                                                         break;
2749                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2750                                                         return 0;
2751                                 }
2752                         }
2753 #endif
2754                 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
2755                         {
2756                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2757                                                               al))
2758                                 return 0;
2759                         }
2760 #ifdef TLSEXT_TYPE_encrypt_then_mac
2761                 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2762                         {
2763                         /* Ignore if inappropriate ciphersuite */
2764                         if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2765                             && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
2766                                 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2767                         }
2768 #endif
2769                 /* If this extension type was not otherwise handled, but 
2770                  * matches a custom_cli_ext_record, then send it to the c
2771                  * callback */
2772                 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2773                                 return 0;
2774  
2775                 data += size;
2776                 }
2777
2778         if (data != d+n)
2779                 {
2780                 *al = SSL_AD_DECODE_ERROR;
2781                 return 0;
2782                 }
2783
2784         if (!s->hit && tlsext_servername == 1)
2785                 {
2786                 if (s->tlsext_hostname)
2787                         {
2788                         if (s->session->tlsext_hostname == NULL)
2789                                 {
2790                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2791                                 if (!s->session->tlsext_hostname)
2792                                         {
2793                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2794                                         return 0;
2795                                         }
2796                                 }
2797                         else 
2798                                 {
2799                                 *al = SSL_AD_DECODE_ERROR;
2800                                 return 0;
2801                                 }
2802                         }
2803                 }
2804
2805         *p = data;
2806
2807         ri_check:
2808
2809         /* Determine if we need to see RI. Strictly speaking if we want to
2810          * avoid an attack we should *always* see RI even on initial server
2811          * hello because the client doesn't see any renegotiation during an
2812          * attack. However this would mean we could not connect to any server
2813          * which doesn't support RI so for the immediate future tolerate RI
2814          * absence on initial connect only.
2815          */
2816         if (!renegotiate_seen
2817                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2818                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2819                 {
2820                 *al = SSL_AD_HANDSHAKE_FAILURE;
2821                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2822                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2823                 return 0;
2824                 }
2825
2826         return 1;
2827         }
2828
2829
2830 int ssl_prepare_clienthello_tlsext(SSL *s)
2831         {
2832
2833 #ifdef TLSEXT_TYPE_opaque_prf_input
2834         {
2835                 int r = 1;
2836         
2837                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2838                         {
2839                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2840                         if (!r)
2841                                 return -1;
2842                         }
2843
2844                 if (s->tlsext_opaque_prf_input != NULL)
2845                         {
2846                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2847                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2848
2849                         if (s->tlsext_opaque_prf_input_len == 0)
2850                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2851                         else
2852                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2853                         if (s->s3->client_opaque_prf_input == NULL)
2854                                 {
2855                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2856                                 return -1;
2857                                 }
2858                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2859                         }
2860
2861                 if (r == 2)
2862                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2863                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2864         }
2865 #endif
2866
2867         return 1;
2868         }
2869
2870 int ssl_prepare_serverhello_tlsext(SSL *s)
2871         {
2872         return 1;
2873         }
2874
2875 static int ssl_check_clienthello_tlsext_early(SSL *s)
2876         {
2877         int ret=SSL_TLSEXT_ERR_NOACK;
2878         int al = SSL_AD_UNRECOGNIZED_NAME;
2879
2880 #ifndef OPENSSL_NO_EC
2881         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2882          * ssl3_choose_cipher in s3_lib.c.
2883          */
2884         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2885          * ssl3_choose_cipher in s3_lib.c.
2886          */
2887 #endif
2888
2889         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2890                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2891         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2892                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2893
2894 #ifdef TLSEXT_TYPE_opaque_prf_input
2895         {
2896                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2897                  * but we might be sending an alert in response to the client hello,
2898                  * so this has to happen here in
2899                  * ssl_check_clienthello_tlsext_early(). */
2900
2901                 int r = 1;
2902         
2903                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2904                         {
2905                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2906                         if (!r)
2907                                 {
2908                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2909                                 al = SSL_AD_INTERNAL_ERROR;
2910                                 goto err;
2911                                 }
2912                         }
2913
2914                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2915                         OPENSSL_free(s->s3->server_opaque_prf_input);
2916                 s->s3->server_opaque_prf_input = NULL;
2917
2918                 if (s->tlsext_opaque_prf_input != NULL)
2919                         {
2920                         if (s->s3->client_opaque_prf_input != NULL &&
2921                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2922                                 {
2923                                 /* can only use this extension if we have a server opaque PRF input
2924                                  * of the same length as the client opaque PRF input! */
2925
2926                                 if (s->tlsext_opaque_prf_input_len == 0)
2927                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2928                                 else
2929                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2930                                 if (s->s3->server_opaque_prf_input == NULL)
2931                                         {
2932                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2933                                         al = SSL_AD_INTERNAL_ERROR;
2934                                         goto err;
2935                                         }
2936                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2937                                 }
2938                         }
2939
2940                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2941                         {
2942                         /* The callback wants to enforce use of the extension,
2943                          * but we can't do that with the client opaque PRF input;
2944                          * abort the handshake.
2945                          */
2946                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2947                         al = SSL_AD_HANDSHAKE_FAILURE;
2948                         }
2949         }
2950
2951  err:
2952 #endif
2953         switch (ret)
2954                 {
2955                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2956                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2957                         return -1;
2958
2959                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2960                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2961                         return 1; 
2962                                         
2963                 case SSL_TLSEXT_ERR_NOACK:
2964                         s->servername_done=0;
2965                         default:
2966                 return 1;
2967                 }
2968         }
2969
2970 int tls1_set_server_sigalgs(SSL *s)
2971         {
2972         int al;
2973         size_t i;
2974         /* Clear any shared sigtnature algorithms */
2975         if (s->cert->shared_sigalgs)
2976                 {
2977                 OPENSSL_free(s->cert->shared_sigalgs);
2978                 s->cert->shared_sigalgs = NULL;
2979                 }
2980         /* Clear certificate digests and validity flags */
2981         for (i = 0; i < SSL_PKEY_NUM; i++)
2982                 {
2983                 s->cert->pkeys[i].digest = NULL;
2984                 s->cert->pkeys[i].valid_flags = 0;
2985                 }
2986
2987         /* If sigalgs received process it. */
2988         if (s->cert->peer_sigalgs)
2989                 {
2990                 if (!tls1_process_sigalgs(s))
2991                         {
2992                         SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2993                                         ERR_R_MALLOC_FAILURE);
2994                         al = SSL_AD_INTERNAL_ERROR;
2995                         goto err;
2996                         }
2997                 /* Fatal error is no shared signature algorithms */
2998                 if (!s->cert->shared_sigalgs)
2999                         {
3000                         SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
3001                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
3002                         al = SSL_AD_ILLEGAL_PARAMETER;
3003                         goto err;
3004                         }
3005                 }
3006         else
3007                 ssl_cert_set_default_md(s->cert);
3008         return 1;
3009         err:
3010         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3011         return 0;
3012         }
3013
3014 int ssl_check_clienthello_tlsext_late(SSL *s)
3015         {
3016         int ret = SSL_TLSEXT_ERR_OK;
3017         int al;
3018
3019         /* If status request then ask callback what to do.
3020          * Note: this must be called after servername callbacks in case
3021          * the certificate has changed, and must be called after the cipher
3022          * has been chosen because this may influence which certificate is sent
3023          */
3024         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
3025                 {
3026                 int r;
3027                 CERT_PKEY *certpkey;
3028                 certpkey = ssl_get_server_send_pkey(s);
3029                 /* If no certificate can't return certificate status */
3030                 if (certpkey == NULL)
3031                         {
3032                         s->tlsext_status_expected = 0;
3033                         return 1;
3034                         }
3035                 /* Set current certificate to one we will use so
3036                  * SSL_get_certificate et al can pick it up.
3037                  */
3038                 s->cert->key = certpkey;
3039                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3040                 switch (r)
3041                         {
3042                         /* We don't want to send a status request response */
3043                         case SSL_TLSEXT_ERR_NOACK:
3044                                 s->tlsext_status_expected = 0;
3045                                 break;
3046                         /* status request response should be sent */
3047                         case SSL_TLSEXT_ERR_OK:
3048                                 if (s->tlsext_ocsp_resp)
3049                                         s->tlsext_status_expected = 1;
3050                                 else
3051                                         s->tlsext_status_expected = 0;
3052                                 break;
3053                         /* something bad happened */
3054                         case SSL_TLSEXT_ERR_ALERT_FATAL:
3055                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3056                                 al = SSL_AD_INTERNAL_ERROR;
3057                                 goto err;
3058                         }
3059                 }
3060         else
3061                 s->tlsext_status_expected = 0;
3062
3063  err:
3064         switch (ret)
3065                 {
3066                 case SSL_TLSEXT_ERR_ALERT_FATAL:
3067                         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3068                         return -1;
3069
3070                 case SSL_TLSEXT_ERR_ALERT_WARNING:
3071                         ssl3_send_alert(s, SSL3_AL_WARNING, al);
3072                         return 1; 
3073
3074                 default:
3075                         return 1;
3076                 }
3077         }
3078
3079 int ssl_check_serverhello_tlsext(SSL *s)
3080         {
3081         int ret=SSL_TLSEXT_ERR_NOACK;
3082         int al = SSL_AD_UNRECOGNIZED_NAME;
3083
3084 #ifndef OPENSSL_NO_EC
3085         /* If we are client and using an elliptic curve cryptography cipher
3086          * suite, then if server returns an EC point formats lists extension
3087          * it must contain uncompressed.
3088          */
3089         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3090         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3091    &