Add new "valid_flags" field to CERT_PKEY structure which determines what
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext_early(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
128 #endif
129
130 SSL3_ENC_METHOD TLSv1_enc_data={
131         tls1_enc,
132         tls1_mac,
133         tls1_setup_key_block,
134         tls1_generate_master_secret,
135         tls1_change_cipher_state,
136         tls1_final_finish_mac,
137         TLS1_FINISH_MAC_LENGTH,
138         tls1_cert_verify_mac,
139         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141         tls1_alert_code,
142         tls1_export_keying_material,
143         };
144
145 long tls1_default_timeout(void)
146         {
147         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148          * is way too long for http, the cache would over fill */
149         return(60*60*2);
150         }
151
152 int tls1_new(SSL *s)
153         {
154         if (!ssl3_new(s)) return(0);
155         s->method->ssl_clear(s);
156         return(1);
157         }
158
159 void tls1_free(SSL *s)
160         {
161 #ifndef OPENSSL_NO_TLSEXT
162         if (s->tlsext_session_ticket)
163                 {
164                 OPENSSL_free(s->tlsext_session_ticket);
165                 }
166 #endif /* OPENSSL_NO_TLSEXT */
167         ssl3_free(s);
168         }
169
170 void tls1_clear(SSL *s)
171         {
172         ssl3_clear(s);
173         s->version = s->method->version;
174         }
175
176 #ifndef OPENSSL_NO_EC
177
178 static int nid_list[] =
179         {
180                 NID_sect163k1, /* sect163k1 (1) */
181                 NID_sect163r1, /* sect163r1 (2) */
182                 NID_sect163r2, /* sect163r2 (3) */
183                 NID_sect193r1, /* sect193r1 (4) */ 
184                 NID_sect193r2, /* sect193r2 (5) */ 
185                 NID_sect233k1, /* sect233k1 (6) */
186                 NID_sect233r1, /* sect233r1 (7) */ 
187                 NID_sect239k1, /* sect239k1 (8) */ 
188                 NID_sect283k1, /* sect283k1 (9) */
189                 NID_sect283r1, /* sect283r1 (10) */ 
190                 NID_sect409k1, /* sect409k1 (11) */ 
191                 NID_sect409r1, /* sect409r1 (12) */
192                 NID_sect571k1, /* sect571k1 (13) */ 
193                 NID_sect571r1, /* sect571r1 (14) */ 
194                 NID_secp160k1, /* secp160k1 (15) */
195                 NID_secp160r1, /* secp160r1 (16) */ 
196                 NID_secp160r2, /* secp160r2 (17) */ 
197                 NID_secp192k1, /* secp192k1 (18) */
198                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
199                 NID_secp224k1, /* secp224k1 (20) */ 
200                 NID_secp224r1, /* secp224r1 (21) */
201                 NID_secp256k1, /* secp256k1 (22) */ 
202                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
203                 NID_secp384r1, /* secp384r1 (24) */
204                 NID_secp521r1  /* secp521r1 (25) */     
205         };
206
207
208 static const unsigned char ecformats_default[] = 
209         {
210         TLSEXT_ECPOINTFORMAT_uncompressed,
211         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
212         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
213         };
214
215 static const unsigned char eccurves_default[] =
216         {
217                 0,14, /* sect571r1 (14) */ 
218                 0,13, /* sect571k1 (13) */ 
219                 0,25, /* secp521r1 (25) */      
220                 0,11, /* sect409k1 (11) */ 
221                 0,12, /* sect409r1 (12) */
222                 0,24, /* secp384r1 (24) */
223                 0,9,  /* sect283k1 (9) */
224                 0,10, /* sect283r1 (10) */ 
225                 0,22, /* secp256k1 (22) */ 
226                 0,23, /* secp256r1 (23) */ 
227                 0,8,  /* sect239k1 (8) */ 
228                 0,6,  /* sect233k1 (6) */
229                 0,7,  /* sect233r1 (7) */ 
230                 0,20, /* secp224k1 (20) */ 
231                 0,21, /* secp224r1 (21) */
232                 0,4,  /* sect193r1 (4) */ 
233                 0,5,  /* sect193r2 (5) */ 
234                 0,18, /* secp192k1 (18) */
235                 0,19, /* secp192r1 (19) */ 
236                 0,1,  /* sect163k1 (1) */
237                 0,2,  /* sect163r1 (2) */
238                 0,3,  /* sect163r2 (3) */
239                 0,15, /* secp160k1 (15) */
240                 0,16, /* secp160r1 (16) */ 
241                 0,17, /* secp160r2 (17) */ 
242         };
243
244 int tls1_ec_curve_id2nid(int curve_id)
245         {
246         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
247         if ((curve_id < 1) || ((unsigned int)curve_id >
248                                 sizeof(nid_list)/sizeof(nid_list[0])))
249                 return 0;
250         return nid_list[curve_id-1];
251         }
252
253 int tls1_ec_nid2curve_id(int nid)
254         {
255         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
256         switch (nid)
257                 {
258         case NID_sect163k1: /* sect163k1 (1) */
259                 return 1;
260         case NID_sect163r1: /* sect163r1 (2) */
261                 return 2;
262         case NID_sect163r2: /* sect163r2 (3) */
263                 return 3;
264         case NID_sect193r1: /* sect193r1 (4) */ 
265                 return 4;
266         case NID_sect193r2: /* sect193r2 (5) */ 
267                 return 5;
268         case NID_sect233k1: /* sect233k1 (6) */
269                 return 6;
270         case NID_sect233r1: /* sect233r1 (7) */ 
271                 return 7;
272         case NID_sect239k1: /* sect239k1 (8) */ 
273                 return 8;
274         case NID_sect283k1: /* sect283k1 (9) */
275                 return 9;
276         case NID_sect283r1: /* sect283r1 (10) */ 
277                 return 10;
278         case NID_sect409k1: /* sect409k1 (11) */ 
279                 return 11;
280         case NID_sect409r1: /* sect409r1 (12) */
281                 return 12;
282         case NID_sect571k1: /* sect571k1 (13) */ 
283                 return 13;
284         case NID_sect571r1: /* sect571r1 (14) */ 
285                 return 14;
286         case NID_secp160k1: /* secp160k1 (15) */
287                 return 15;
288         case NID_secp160r1: /* secp160r1 (16) */ 
289                 return 16;
290         case NID_secp160r2: /* secp160r2 (17) */ 
291                 return 17;
292         case NID_secp192k1: /* secp192k1 (18) */
293                 return 18;
294         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
295                 return 19;
296         case NID_secp224k1: /* secp224k1 (20) */ 
297                 return 20;
298         case NID_secp224r1: /* secp224r1 (21) */
299                 return 21;
300         case NID_secp256k1: /* secp256k1 (22) */ 
301                 return 22;
302         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
303                 return 23;
304         case NID_secp384r1: /* secp384r1 (24) */
305                 return 24;
306         case NID_secp521r1:  /* secp521r1 (25) */       
307                 return 25;
308         default:
309                 return 0;
310                 }
311         }
312 /* Get curves list, if "sess" is set return client curves otherwise
313  * preferred list
314  */
315 static void tls1_get_curvelist(SSL *s, int sess,
316                                         const unsigned char **pcurves,
317                                         size_t *pcurveslen)
318         {
319         if (sess)
320                 {
321                 *pcurves = s->session->tlsext_ellipticcurvelist;
322                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
323                 }
324         else
325                 {
326                 *pcurves = s->tlsext_ellipticcurvelist;
327                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
328                 }
329         /* If not set use default: for now static structure */
330         if (!*pcurves)
331                 {
332                 *pcurves = eccurves_default;
333                 *pcurveslen = sizeof(eccurves_default);
334                 }
335         }
336
337 /* Return nth shared curve. If nmatch == -1 return number of
338  * matches.
339  */
340
341 int tls1_shared_curve(SSL *s, int nmatch)
342         {
343         const unsigned char *pref, *supp;
344         size_t preflen, supplen, i, j;
345         int k;
346         /* Can't do anything on client side */
347         if (s->server == 0)
348                 return -1;
349         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
350                                 &supp, &supplen);
351         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
352                                 &pref, &preflen);
353         preflen /= 2;
354         supplen /= 2;
355         k = 0;
356         for (i = 0; i < preflen; i++, pref+=2)
357                 {
358                 const unsigned char *tsupp = supp;
359                 for (j = 0; j < supplen; j++, tsupp+=2)
360                         {
361                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
362                                 {
363                                 if (nmatch == k)
364                                         {
365                                         int id = (pref[0] << 8) | pref[1];
366                                         return tls1_ec_curve_id2nid(id);
367                                         }
368                                 k++;
369                                 }
370                         }
371                 }
372         if (nmatch == -1)
373                 return k;
374         return 0;
375         }
376
377 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
378                         int *curves, size_t ncurves)
379         {
380         unsigned char *clist, *p;
381         size_t i;
382         /* Bitmap of curves included to detect duplicates: only works
383          * while curve ids < 32 
384          */
385         unsigned long dup_list = 0;
386         clist = OPENSSL_malloc(ncurves * 2);
387         if (!clist)
388                 return 0;
389         for (i = 0, p = clist; i < ncurves; i++)
390                 {
391                 unsigned long idmask;
392                 int id;
393                 id = tls1_ec_nid2curve_id(curves[i]);
394                 idmask = 1L << id;
395                 if (!id || (dup_list & idmask))
396                         {
397                         OPENSSL_free(clist);
398                         return 0;
399                         }
400                 dup_list |= idmask;
401                 s2n(id, p);
402                 }
403         if (*pext)
404                 OPENSSL_free(*pext);
405         *pext = clist;
406         *pextlen = ncurves * 2;
407         return 1;
408         }
409
410 #define MAX_CURVELIST   25
411
412 typedef struct
413         {
414         size_t nidcnt;
415         int nid_arr[MAX_CURVELIST];
416         } nid_cb_st;
417
418 static int nid_cb(const char *elem, int len, void *arg)
419         {
420         nid_cb_st *narg = arg;
421         size_t i;
422         int nid;
423         char etmp[20];
424         if (narg->nidcnt == MAX_CURVELIST)
425                 return 0;
426         if (len > (int)(sizeof(etmp) - 1))
427                 return 0;
428         memcpy(etmp, elem, len);
429         etmp[len] = 0;
430         nid = EC_curve_nist2nid(etmp);
431         if (nid == NID_undef)
432                 nid = OBJ_sn2nid(etmp);
433         if (nid == NID_undef)
434                 nid = OBJ_ln2nid(etmp);
435         if (nid == NID_undef)
436                 return 0;
437         for (i = 0; i < narg->nidcnt; i++)
438                 if (narg->nid_arr[i] == nid)
439                         return 0;
440         narg->nid_arr[narg->nidcnt++] = nid;
441         return 1;
442         }
443 /* Set curves based on a colon separate list */
444 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
445                                 const char *str)
446         {
447         nid_cb_st ncb;
448         ncb.nidcnt = 0;
449         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
450                 return 0;
451         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
452         }
453 /* For an EC key set TLS id and required compression based on parameters */
454 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
455                                 EC_KEY *ec)
456         {
457         int is_prime, id;
458         const EC_GROUP *grp;
459         const EC_POINT *pt;
460         const EC_METHOD *meth;
461         if (!ec)
462                 return 0;
463         /* Determine if it is a prime field */
464         grp = EC_KEY_get0_group(ec);
465         pt = EC_KEY_get0_public_key(ec);
466         if (!grp || !pt)
467                 return 0;
468         meth = EC_GROUP_method_of(grp);
469         if (!meth)
470                 return 0;
471         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
472                 is_prime = 1;
473         else
474                 is_prime = 0;
475         /* Determine curve ID */
476         id = EC_GROUP_get_curve_name(grp);
477         id = tls1_ec_nid2curve_id(id);
478         /* If we have an ID set it, otherwise set arbitrary explicit curve */
479         if (id)
480                 {
481                 curve_id[0] = 0;
482                 curve_id[1] = (unsigned char)id;
483                 }
484         else
485                 {
486                 curve_id[0] = 0xff;
487                 if (is_prime)
488                         curve_id[1] = 0x01;
489                 else
490                         curve_id[1] = 0x02;
491                 }
492         if (comp_id)
493                 {
494                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
495                         {
496                         if (is_prime)
497                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
498                         else
499                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
500                         }
501                 else
502                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
503                 }
504         return 1;
505         }
506 /* Check an EC key is compatible with extensions */
507 static int tls1_check_ec_key(SSL *s,
508                         unsigned char *curve_id, unsigned char *comp_id)
509         {
510         const unsigned char *p;
511         size_t plen, i;
512         int j;
513         /* If point formats extension present check it, otherwise everything
514          * is supported (see RFC4492).
515          */
516         if (comp_id && s->session->tlsext_ecpointformatlist)
517                 {
518                 p = s->session->tlsext_ecpointformatlist;
519                 plen = s->session->tlsext_ecpointformatlist_length;
520                 for (i = 0; i < plen; i++, p++)
521                         {
522                         if (*comp_id == *p)
523                                 break;
524                         }
525                 if (i == plen)
526                         return 0;
527                 }
528         /* Check curve is consistent with client and server preferences */
529         for (j = 0; j <= 1; j++)
530                 {
531                 tls1_get_curvelist(s, j, &p, &plen);
532                 for (i = 0; i < plen; i+=2, p+=2)
533                         {
534                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
535                                 break;
536                         }
537                 if (i == plen)
538                         return 0;
539                 }
540         return 1;
541         }
542
543 /* Check cert parameters compatible with extensions: currently just checks
544  * EC certificates have compatible curves and compression.
545  */
546 static int tls1_check_cert_param(SSL *s, X509 *x)
547         {
548         unsigned char comp_id, curve_id[2];
549         EVP_PKEY *pkey;
550         int rv;
551         pkey = X509_get_pubkey(x);
552         if (!pkey)
553                 return 0;
554         /* If not EC nothing to do */
555         if (pkey->type != EVP_PKEY_EC)
556                 {
557                 EVP_PKEY_free(pkey);
558                 return 1;
559                 }
560         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
561         EVP_PKEY_free(pkey);
562         if (!rv)
563                 return 0;
564         return tls1_check_ec_key(s, curve_id, &comp_id);
565         }
566 /* Check EC server key is compatible with client extensions */
567 int tls1_check_ec_server_key(SSL *s)
568         {
569         CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
570         if (!cpk->x509 || !cpk->privatekey)
571                 return 0;
572         return tls1_check_cert_param(s, cpk->x509);
573         }
574 /* Check EC temporary key is compatible with client extensions */
575 int tls1_check_ec_tmp_key(SSL *s)
576         {
577         unsigned char curve_id[2];
578         EC_KEY *ec = s->cert->ecdh_tmp;
579         if (s->cert->ecdh_tmp_auto)
580                 {
581                 /* Need a shared curve */
582                 if (tls1_shared_curve(s, 0))
583                         return 1;
584                 else return 0;
585                 }
586         if (!ec)
587                 {
588                 if (s->cert->ecdh_tmp_cb)
589                         return 1;
590                 else
591                         return 0;
592                 }
593         if (!tls1_set_ec_id(curve_id, NULL, ec))
594                 return 1;
595         return tls1_check_ec_key(s, curve_id, NULL);
596         }
597
598 #endif /* OPENSSL_NO_EC */
599
600 #ifndef OPENSSL_NO_TLSEXT
601
602 /* List of supported signature algorithms and hashes. Should make this
603  * customisable at some point, for now include everything we support.
604  */
605
606 #ifdef OPENSSL_NO_RSA
607 #define tlsext_sigalg_rsa(md) /* */
608 #else
609 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
610 #endif
611
612 #ifdef OPENSSL_NO_DSA
613 #define tlsext_sigalg_dsa(md) /* */
614 #else
615 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
616 #endif
617
618 #ifdef OPENSSL_NO_ECDSA
619 #define tlsext_sigalg_ecdsa(md) /* */
620 #else
621 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
622 #endif
623
624 #define tlsext_sigalg(md) \
625                 tlsext_sigalg_rsa(md) \
626                 tlsext_sigalg_dsa(md) \
627                 tlsext_sigalg_ecdsa(md)
628
629 static unsigned char tls12_sigalgs[] = {
630 #ifndef OPENSSL_NO_SHA512
631         tlsext_sigalg(TLSEXT_hash_sha512)
632         tlsext_sigalg(TLSEXT_hash_sha384)
633 #endif
634 #ifndef OPENSSL_NO_SHA256
635         tlsext_sigalg(TLSEXT_hash_sha256)
636         tlsext_sigalg(TLSEXT_hash_sha224)
637 #endif
638 #ifndef OPENSSL_NO_SHA
639         tlsext_sigalg(TLSEXT_hash_sha1)
640 #endif
641 #ifndef OPENSSL_NO_MD5
642         tlsext_sigalg_rsa(TLSEXT_hash_md5)
643 #endif
644 };
645
646 size_t tls12_get_sig_algs(SSL *s, unsigned char *p)
647         {
648         const unsigned char *sigs;
649         size_t sigslen;
650         sigs = s->cert->conf_sigalgs;
651
652         if (sigs)
653                 sigslen = s->cert->conf_sigalgslen;
654         else
655                 {
656                 sigs = tls12_sigalgs;
657                 sigslen = sizeof(tls12_sigalgs);
658 #ifdef OPENSSL_FIPS
659                 /* If FIPS mode don't include MD5 which is last */
660                 if (FIPS_mode())
661                         sigslen -= 2;
662 #endif
663                 }
664
665         if (p)
666                 memcpy(p, sigs, sigslen);
667         return sigslen;
668         }
669
670 /* byte_compare is a compare function for qsort(3) that compares bytes. */
671 static int byte_compare(const void *in_a, const void *in_b)
672         {
673         unsigned char a = *((const unsigned char*) in_a);
674         unsigned char b = *((const unsigned char*) in_b);
675
676         if (a > b)
677                 return 1;
678         else if (a < b)
679                 return -1;
680         return 0;
681 }
682
683 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
684         {
685         int extdatalen=0;
686         unsigned char *ret = p;
687 #ifndef OPENSSL_NO_EC
688         /* See if we support any ECC ciphersuites */
689         int using_ecc = 0;
690         if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
691                 {
692                 int i;
693                 unsigned long alg_k, alg_a;
694                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
695
696                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
697                         {
698                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
699
700                         alg_k = c->algorithm_mkey;
701                         alg_a = c->algorithm_auth;
702                         if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
703                                 || (alg_a & SSL_aECDSA)))
704                                 {
705                                 using_ecc = 1;
706                                 break;
707                                 }
708                         }
709                 }
710 #endif
711
712         /* don't add extensions for SSLv3 unless doing secure renegotiation */
713         if (s->client_version == SSL3_VERSION
714                                         && !s->s3->send_connection_binding)
715                 return p;
716
717         ret+=2;
718
719         if (ret>=limit) return NULL; /* this really never occurs, but ... */
720
721         if (s->tlsext_hostname != NULL)
722                 { 
723                 /* Add TLS extension servername to the Client Hello message */
724                 unsigned long size_str;
725                 long lenmax; 
726
727                 /* check for enough space.
728                    4 for the servername type and entension length
729                    2 for servernamelist length
730                    1 for the hostname type
731                    2 for hostname length
732                    + hostname length 
733                 */
734                    
735                 if ((lenmax = limit - ret - 9) < 0 
736                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
737                         return NULL;
738                         
739                 /* extension type and length */
740                 s2n(TLSEXT_TYPE_server_name,ret); 
741                 s2n(size_str+5,ret);
742                 
743                 /* length of servername list */
744                 s2n(size_str+3,ret);
745         
746                 /* hostname type, length and hostname */
747                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
748                 s2n(size_str,ret);
749                 memcpy(ret, s->tlsext_hostname, size_str);
750                 ret+=size_str;
751                 }
752
753         /* Add RI if renegotiating */
754         if (s->renegotiate)
755           {
756           int el;
757           
758           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
759               {
760               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
761               return NULL;
762               }
763
764           if((limit - p - 4 - el) < 0) return NULL;
765           
766           s2n(TLSEXT_TYPE_renegotiate,ret);
767           s2n(el,ret);
768
769           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
770               {
771               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
772               return NULL;
773               }
774
775           ret += el;
776         }
777
778 #ifndef OPENSSL_NO_SRP
779         /* Add SRP username if there is one */
780         if (s->srp_ctx.login != NULL)
781                 { /* Add TLS extension SRP username to the Client Hello message */
782
783                 int login_len = strlen(s->srp_ctx.login);       
784                 if (login_len > 255 || login_len == 0)
785                         {
786                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
787                         return NULL;
788                         } 
789
790                 /* check for enough space.
791                    4 for the srp type type and entension length
792                    1 for the srp user identity
793                    + srp user identity length 
794                 */
795                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
796
797                 /* fill in the extension */
798                 s2n(TLSEXT_TYPE_srp,ret);
799                 s2n(login_len+1,ret);
800                 (*ret++) = (unsigned char) login_len;
801                 memcpy(ret, s->srp_ctx.login, login_len);
802                 ret+=login_len;
803                 }
804 #endif
805
806 #ifndef OPENSSL_NO_EC
807         if (using_ecc)
808                 {
809                 /* Add TLS extension ECPointFormats to the ClientHello message */
810                 long lenmax; 
811                 const unsigned char *plist;
812                 size_t plistlen;
813                 /* If we have a custom point format list use it otherwise
814                  * use default */
815                 plist = s->tlsext_ecpointformatlist;
816                 if (plist)
817                         plistlen = s->tlsext_ecpointformatlist_length;
818                 else
819                         {
820                         plist = ecformats_default;
821                         plistlen = sizeof(ecformats_default);
822                         }
823
824                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
825                 if (plistlen > (size_t)lenmax) return NULL;
826                 if (plistlen > 255)
827                         {
828                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
829                         return NULL;
830                         }
831                 
832                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
833                 s2n(plistlen + 1,ret);
834                 *(ret++) = (unsigned char)plistlen ;
835                 memcpy(ret, plist, plistlen);
836                 ret+=plistlen;
837
838                 /* Add TLS extension EllipticCurves to the ClientHello message */
839                 plist = s->tlsext_ellipticcurvelist;
840                 tls1_get_curvelist(s, 0, &plist, &plistlen);
841
842                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
843                 if (plistlen > (size_t)lenmax) return NULL;
844                 if (plistlen > 65532)
845                         {
846                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
847                         return NULL;
848                         }
849                 
850                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
851                 s2n(plistlen + 2, ret);
852
853                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
854                  * elliptic_curve_list, but the examples use two bytes.
855                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
856                  * resolves this to two bytes.
857                  */
858                 s2n(plistlen, ret);
859                 memcpy(ret, plist, plistlen);
860                 ret+=plistlen;
861                 }
862 #endif /* OPENSSL_NO_EC */
863
864         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
865                 {
866                 int ticklen;
867                 if (!s->new_session && s->session && s->session->tlsext_tick)
868                         ticklen = s->session->tlsext_ticklen;
869                 else if (s->session && s->tlsext_session_ticket &&
870                          s->tlsext_session_ticket->data)
871                         {
872                         ticklen = s->tlsext_session_ticket->length;
873                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
874                         if (!s->session->tlsext_tick)
875                                 return NULL;
876                         memcpy(s->session->tlsext_tick,
877                                s->tlsext_session_ticket->data,
878                                ticklen);
879                         s->session->tlsext_ticklen = ticklen;
880                         }
881                 else
882                         ticklen = 0;
883                 if (ticklen == 0 && s->tlsext_session_ticket &&
884                     s->tlsext_session_ticket->data == NULL)
885                         goto skip_ext;
886                 /* Check for enough room 2 for extension type, 2 for len
887                  * rest for ticket
888                  */
889                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
890                 s2n(TLSEXT_TYPE_session_ticket,ret); 
891                 s2n(ticklen,ret);
892                 if (ticklen)
893                         {
894                         memcpy(ret, s->session->tlsext_tick, ticklen);
895                         ret += ticklen;
896                         }
897                 }
898                 skip_ext:
899
900         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
901                 {
902                 size_t salglen;
903                 salglen = tls12_get_sig_algs(s, NULL);
904                 if ((size_t)(limit - ret) < salglen + 6)
905                         return NULL; 
906                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
907                 s2n(salglen + 2, ret);
908                 s2n(salglen, ret);
909                 tls12_get_sig_algs(s, ret);
910                 ret += salglen;
911                 }
912
913 #ifdef TLSEXT_TYPE_opaque_prf_input
914         if (s->s3->client_opaque_prf_input != NULL &&
915             s->version != DTLS1_VERSION)
916                 {
917                 size_t col = s->s3->client_opaque_prf_input_len;
918                 
919                 if ((long)(limit - ret - 6 - col < 0))
920                         return NULL;
921                 if (col > 0xFFFD) /* can't happen */
922                         return NULL;
923
924                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
925                 s2n(col + 2, ret);
926                 s2n(col, ret);
927                 memcpy(ret, s->s3->client_opaque_prf_input, col);
928                 ret += col;
929                 }
930 #endif
931
932         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
933             s->version != DTLS1_VERSION)
934                 {
935                 int i;
936                 long extlen, idlen, itmp;
937                 OCSP_RESPID *id;
938
939                 idlen = 0;
940                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
941                         {
942                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
943                         itmp = i2d_OCSP_RESPID(id, NULL);
944                         if (itmp <= 0)
945                                 return NULL;
946                         idlen += itmp + 2;
947                         }
948
949                 if (s->tlsext_ocsp_exts)
950                         {
951                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
952                         if (extlen < 0)
953                                 return NULL;
954                         }
955                 else
956                         extlen = 0;
957                         
958                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
959                 s2n(TLSEXT_TYPE_status_request, ret);
960                 if (extlen + idlen > 0xFFF0)
961                         return NULL;
962                 s2n(extlen + idlen + 5, ret);
963                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
964                 s2n(idlen, ret);
965                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
966                         {
967                         /* save position of id len */
968                         unsigned char *q = ret;
969                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
970                         /* skip over id len */
971                         ret += 2;
972                         itmp = i2d_OCSP_RESPID(id, &ret);
973                         /* write id len */
974                         s2n(itmp, q);
975                         }
976                 s2n(extlen, ret);
977                 if (extlen > 0)
978                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
979                 }
980
981 #ifndef OPENSSL_NO_HEARTBEATS
982         /* Add Heartbeat extension */
983         s2n(TLSEXT_TYPE_heartbeat,ret);
984         s2n(1,ret);
985         /* Set mode:
986          * 1: peer may send requests
987          * 2: peer not allowed to send requests
988          */
989         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
990                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
991         else
992                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
993 #endif
994
995 #ifndef OPENSSL_NO_NEXTPROTONEG
996         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
997                 {
998                 /* The client advertises an emtpy extension to indicate its
999                  * support for Next Protocol Negotiation */
1000                 if (limit - ret - 4 < 0)
1001                         return NULL;
1002                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1003                 s2n(0,ret);
1004                 }
1005 #endif
1006
1007         if(SSL_get_srtp_profiles(s))
1008                 {
1009                 int el;
1010
1011                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1012                 
1013                 if((limit - p - 4 - el) < 0) return NULL;
1014
1015                 s2n(TLSEXT_TYPE_use_srtp,ret);
1016                 s2n(el,ret);
1017
1018                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1019                         {
1020                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1021                         return NULL;
1022                         }
1023                 ret += el;
1024                 }
1025
1026         /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1027         /* 2 bytes for extension type */
1028         /* 2 bytes for extension length */
1029         /* 1 byte for the list length */
1030         /* 1 byte for the list (we only support audit proofs) */
1031         if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1032                 {
1033                 size_t lenmax;
1034                 const unsigned short ext_len = 2;
1035                 const unsigned char list_len = 1;
1036
1037                 if ((lenmax = limit - ret - 6) < 0) return NULL;
1038
1039                 s2n(TLSEXT_TYPE_server_authz, ret);
1040                 /* Extension length: 2 bytes */
1041                 s2n(ext_len, ret);
1042                 *(ret++) = list_len;
1043                 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1044                 }
1045
1046         if ((extdatalen = ret-p-2) == 0)
1047                 return p;
1048
1049         s2n(extdatalen,p);
1050         return ret;
1051         }
1052
1053 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1054         {
1055         int extdatalen=0;
1056         unsigned char *ret = p;
1057 #ifndef OPENSSL_NO_NEXTPROTONEG
1058         int next_proto_neg_seen;
1059 #endif
1060
1061         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1062         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1063                 return p;
1064         
1065         ret+=2;
1066         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1067
1068         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1069                 { 
1070                 if ((long)(limit - ret - 4) < 0) return NULL; 
1071
1072                 s2n(TLSEXT_TYPE_server_name,ret);
1073                 s2n(0,ret);
1074                 }
1075
1076         if(s->s3->send_connection_binding)
1077         {
1078           int el;
1079           
1080           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1081               {
1082               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1083               return NULL;
1084               }
1085
1086           if((limit - p - 4 - el) < 0) return NULL;
1087           
1088           s2n(TLSEXT_TYPE_renegotiate,ret);
1089           s2n(el,ret);
1090
1091           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1092               {
1093               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1094               return NULL;
1095               }
1096
1097           ret += el;
1098         }
1099
1100 #ifndef OPENSSL_NO_EC
1101         if (s->tlsext_ecpointformatlist != NULL &&
1102             s->version != DTLS1_VERSION)
1103                 {
1104                 /* Add TLS extension ECPointFormats to the ServerHello message */
1105                 long lenmax; 
1106
1107                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1108                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
1109                 if (s->tlsext_ecpointformatlist_length > 255)
1110                         {
1111                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1112                         return NULL;
1113                         }
1114                 
1115                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1116                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
1117                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
1118                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
1119                 ret+=s->tlsext_ecpointformatlist_length;
1120
1121                 }
1122         /* Currently the server should not respond with a SupportedCurves extension */
1123 #endif /* OPENSSL_NO_EC */
1124
1125         if (s->tlsext_ticket_expected
1126                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
1127                 { 
1128                 if ((long)(limit - ret - 4) < 0) return NULL; 
1129                 s2n(TLSEXT_TYPE_session_ticket,ret);
1130                 s2n(0,ret);
1131                 }
1132
1133         if (s->tlsext_status_expected)
1134                 { 
1135                 if ((long)(limit - ret - 4) < 0) return NULL; 
1136                 s2n(TLSEXT_TYPE_status_request,ret);
1137                 s2n(0,ret);
1138                 }
1139
1140 #ifdef TLSEXT_TYPE_opaque_prf_input
1141         if (s->s3->server_opaque_prf_input != NULL &&
1142             s->version != DTLS1_VERSION)
1143                 {
1144                 size_t sol = s->s3->server_opaque_prf_input_len;
1145                 
1146                 if ((long)(limit - ret - 6 - sol) < 0)
1147                         return NULL;
1148                 if (sol > 0xFFFD) /* can't happen */
1149                         return NULL;
1150
1151                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1152                 s2n(sol + 2, ret);
1153                 s2n(sol, ret);
1154                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1155                 ret += sol;
1156                 }
1157 #endif
1158
1159         if(s->srtp_profile)
1160                 {
1161                 int el;
1162
1163                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1164                 
1165                 if((limit - p - 4 - el) < 0) return NULL;
1166
1167                 s2n(TLSEXT_TYPE_use_srtp,ret);
1168                 s2n(el,ret);
1169
1170                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1171                         {
1172                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1173                         return NULL;
1174                         }
1175                 ret+=el;
1176                 }
1177
1178         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1179                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1180                 { const unsigned char cryptopro_ext[36] = {
1181                         0xfd, 0xe8, /*65000*/
1182                         0x00, 0x20, /*32 bytes length*/
1183                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1184                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1185                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1186                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1187                         if (limit-ret<36) return NULL;
1188                         memcpy(ret,cryptopro_ext,36);
1189                         ret+=36;
1190
1191                 }
1192
1193 #ifndef OPENSSL_NO_HEARTBEATS
1194         /* Add Heartbeat extension if we've received one */
1195         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1196                 {
1197                 s2n(TLSEXT_TYPE_heartbeat,ret);
1198                 s2n(1,ret);
1199                 /* Set mode:
1200                  * 1: peer may send requests
1201                  * 2: peer not allowed to send requests
1202                  */
1203                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1204                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1205                 else
1206                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1207
1208                 }
1209 #endif
1210
1211 #ifndef OPENSSL_NO_NEXTPROTONEG
1212         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1213         s->s3->next_proto_neg_seen = 0;
1214         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1215                 {
1216                 const unsigned char *npa;
1217                 unsigned int npalen;
1218                 int r;
1219
1220                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1221                 if (r == SSL_TLSEXT_ERR_OK)
1222                         {
1223                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1224                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1225                         s2n(npalen,ret);
1226                         memcpy(ret, npa, npalen);
1227                         ret += npalen;
1228                         s->s3->next_proto_neg_seen = 1;
1229                         }
1230                 }
1231 #endif
1232
1233         /* If the client supports authz then see whether we have any to offer
1234          * to it. */
1235         if (s->s3->tlsext_authz_client_types_len)
1236                 {
1237                 size_t authz_length;
1238                 /* By now we already know the new cipher, so we can look ahead
1239                  * to see whether the cert we are going to send
1240                  * has any authz data attached to it. */
1241                 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1242                 const unsigned char* const orig_authz = authz;
1243                 size_t i;
1244                 unsigned authz_count = 0;
1245
1246                 /* The authz data contains a number of the following structures:
1247                  *      uint8_t authz_type
1248                  *      uint16_t length
1249                  *      uint8_t data[length]
1250                  *
1251                  * First we walk over it to find the number of authz elements. */
1252                 for (i = 0; i < authz_length; i++)
1253                         {
1254                         unsigned short length;
1255                         unsigned char type;
1256
1257                         type = *(authz++);
1258                         if (memchr(s->s3->tlsext_authz_client_types,
1259                                    type,
1260                                    s->s3->tlsext_authz_client_types_len) != NULL)
1261                                 authz_count++;
1262
1263                         n2s(authz, length);
1264                         /* n2s increments authz by 2 */
1265                         i += 2;
1266                         authz += length;
1267                         i += length;
1268                         }
1269
1270                 if (authz_count)
1271                         {
1272                         /* Add TLS extension server_authz to the ServerHello message
1273                          * 2 bytes for extension type
1274                          * 2 bytes for extension length
1275                          * 1 byte for the list length
1276                          * n bytes for the list */
1277                         const unsigned short ext_len = 1 + authz_count;
1278
1279                         if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1280                         s2n(TLSEXT_TYPE_server_authz, ret);
1281                         s2n(ext_len, ret);
1282                         *(ret++) = authz_count;
1283                         s->s3->tlsext_authz_promised_to_client = 1;
1284                         }
1285
1286                 authz = orig_authz;
1287                 for (i = 0; i < authz_length; i++)
1288                         {
1289                         unsigned short length;
1290                         unsigned char type;
1291
1292                         authz_count++;
1293                         type = *(authz++);
1294                         if (memchr(s->s3->tlsext_authz_client_types,
1295                                    type,
1296                                    s->s3->tlsext_authz_client_types_len) != NULL)
1297                                 *(ret++) = type;
1298                         n2s(authz, length);
1299                         /* n2s increments authz by 2 */
1300                         i += 2;
1301                         authz += length;
1302                         i += length;
1303                         }
1304                 }
1305
1306         if ((extdatalen = ret-p-2)== 0) 
1307                 return p;
1308
1309         s2n(extdatalen,p);
1310         return ret;
1311         }
1312
1313 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1314         {       
1315         unsigned short type;
1316         unsigned short size;
1317         unsigned short len;
1318         unsigned char *data = *p;
1319         int renegotiate_seen = 0;
1320
1321         s->servername_done = 0;
1322         s->tlsext_status_type = -1;
1323 #ifndef OPENSSL_NO_NEXTPROTONEG
1324         s->s3->next_proto_neg_seen = 0;
1325 #endif
1326
1327 #ifndef OPENSSL_NO_HEARTBEATS
1328         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1329                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1330 #endif
1331         /* Clear any signature algorithms extension received */
1332         if (s->cert->peer_sigalgs)
1333                 {
1334                 OPENSSL_free(s->cert->peer_sigalgs);
1335                 s->cert->peer_sigalgs = NULL;
1336                 }
1337         /* Clear any shared sigtnature algorithms */
1338         if (s->cert->shared_sigalgs)
1339                 {
1340                 OPENSSL_free(s->cert->shared_sigalgs);
1341                 s->cert->shared_sigalgs = NULL;
1342                 }
1343
1344         if (data >= (d+n-2))
1345                 goto ri_check;
1346         n2s(data,len);
1347
1348         if (data > (d+n-len)) 
1349                 goto ri_check;
1350
1351         while (data <= (d+n-4))
1352                 {
1353                 n2s(data,type);
1354                 n2s(data,size);
1355
1356                 if (data+size > (d+n))
1357                         goto ri_check;
1358 #if 0
1359                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1360 #endif
1361                 if (s->tlsext_debug_cb)
1362                         s->tlsext_debug_cb(s, 0, type, data, size,
1363                                                 s->tlsext_debug_arg);
1364 /* The servername extension is treated as follows:
1365
1366    - Only the hostname type is supported with a maximum length of 255.
1367    - The servername is rejected if too long or if it contains zeros,
1368      in which case an fatal alert is generated.
1369    - The servername field is maintained together with the session cache.
1370    - When a session is resumed, the servername call back invoked in order
1371      to allow the application to position itself to the right context. 
1372    - The servername is acknowledged if it is new for a session or when 
1373      it is identical to a previously used for the same session. 
1374      Applications can control the behaviour.  They can at any time
1375      set a 'desirable' servername for a new SSL object. This can be the
1376      case for example with HTTPS when a Host: header field is received and
1377      a renegotiation is requested. In this case, a possible servername
1378      presented in the new client hello is only acknowledged if it matches
1379      the value of the Host: field. 
1380    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1381      if they provide for changing an explicit servername context for the session,
1382      i.e. when the session has been established with a servername extension. 
1383    - On session reconnect, the servername extension may be absent. 
1384
1385 */      
1386
1387                 if (type == TLSEXT_TYPE_server_name)
1388                         {
1389                         unsigned char *sdata;
1390                         int servname_type;
1391                         int dsize; 
1392                 
1393                         if (size < 2) 
1394                                 {
1395                                 *al = SSL_AD_DECODE_ERROR;
1396                                 return 0;
1397                                 }
1398                         n2s(data,dsize);  
1399                         size -= 2;
1400                         if (dsize > size  ) 
1401                                 {
1402                                 *al = SSL_AD_DECODE_ERROR;
1403                                 return 0;
1404                                 } 
1405
1406                         sdata = data;
1407                         while (dsize > 3) 
1408                                 {
1409                                 servname_type = *(sdata++); 
1410                                 n2s(sdata,len);
1411                                 dsize -= 3;
1412
1413                                 if (len > dsize) 
1414                                         {
1415                                         *al = SSL_AD_DECODE_ERROR;
1416                                         return 0;
1417                                         }
1418                                 if (s->servername_done == 0)
1419                                 switch (servname_type)
1420                                         {
1421                                 case TLSEXT_NAMETYPE_host_name:
1422                                         if (!s->hit)
1423                                                 {
1424                                                 if(s->session->tlsext_hostname)
1425                                                         {
1426                                                         *al = SSL_AD_DECODE_ERROR;
1427                                                         return 0;
1428                                                         }
1429                                                 if (len > TLSEXT_MAXLEN_host_name)
1430                                                         {
1431                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1432                                                         return 0;
1433                                                         }
1434                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1435                                                         {
1436                                                         *al = TLS1_AD_INTERNAL_ERROR;
1437                                                         return 0;
1438                                                         }
1439                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1440                                                 s->session->tlsext_hostname[len]='\0';
1441                                                 if (strlen(s->session->tlsext_hostname) != len) {
1442                                                         OPENSSL_free(s->session->tlsext_hostname);
1443                                                         s->session->tlsext_hostname = NULL;
1444                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1445                                                         return 0;
1446                                                 }
1447                                                 s->servername_done = 1; 
1448
1449                                                 }
1450                                         else 
1451                                                 s->servername_done = s->session->tlsext_hostname
1452                                                         && strlen(s->session->tlsext_hostname) == len 
1453                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1454                                         
1455                                         break;
1456
1457                                 default:
1458                                         break;
1459                                         }
1460                                  
1461                                 dsize -= len;
1462                                 }
1463                         if (dsize != 0) 
1464                                 {
1465                                 *al = SSL_AD_DECODE_ERROR;
1466                                 return 0;
1467                                 }
1468
1469                         }
1470 #ifndef OPENSSL_NO_SRP
1471                 else if (type == TLSEXT_TYPE_srp)
1472                         {
1473                         if (size <= 0 || ((len = data[0])) != (size -1))
1474                                 {
1475                                 *al = SSL_AD_DECODE_ERROR;
1476                                 return 0;
1477                                 }
1478                         if (s->srp_ctx.login != NULL)
1479                                 {
1480                                 *al = SSL_AD_DECODE_ERROR;
1481                                 return 0;
1482                                 }
1483                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1484                                 return -1;
1485                         memcpy(s->srp_ctx.login, &data[1], len);
1486                         s->srp_ctx.login[len]='\0';
1487   
1488                         if (strlen(s->srp_ctx.login) != len) 
1489                                 {
1490                                 *al = SSL_AD_DECODE_ERROR;
1491                                 return 0;
1492                                 }
1493                         }
1494 #endif
1495
1496 #ifndef OPENSSL_NO_EC
1497                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1498                      s->version != DTLS1_VERSION)
1499                         {
1500                         unsigned char *sdata = data;
1501                         int ecpointformatlist_length = *(sdata++);
1502
1503                         if (ecpointformatlist_length != size - 1)
1504                                 {
1505                                 *al = TLS1_AD_DECODE_ERROR;
1506                                 return 0;
1507                                 }
1508                         if (!s->hit)
1509                                 {
1510                                 if(s->session->tlsext_ecpointformatlist)
1511                                         {
1512                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1513                                         s->session->tlsext_ecpointformatlist = NULL;
1514                                         }
1515                                 s->session->tlsext_ecpointformatlist_length = 0;
1516                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1517                                         {
1518                                         *al = TLS1_AD_INTERNAL_ERROR;
1519                                         return 0;
1520                                         }
1521                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1522                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1523                                 }
1524 #if 0
1525                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1526                         sdata = s->session->tlsext_ecpointformatlist;
1527                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1528                                 fprintf(stderr,"%i ",*(sdata++));
1529                         fprintf(stderr,"\n");
1530 #endif
1531                         }
1532                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1533                      s->version != DTLS1_VERSION)
1534                         {
1535                         unsigned char *sdata = data;
1536                         int ellipticcurvelist_length = (*(sdata++) << 8);
1537                         ellipticcurvelist_length += (*(sdata++));
1538
1539                         if (ellipticcurvelist_length != size - 2 ||
1540                                 ellipticcurvelist_length < 1)
1541                                 {
1542                                 *al = TLS1_AD_DECODE_ERROR;
1543                                 return 0;
1544                                 }
1545                         if (!s->hit)
1546                                 {
1547                                 if(s->session->tlsext_ellipticcurvelist)
1548                                         {
1549                                         *al = TLS1_AD_DECODE_ERROR;
1550                                         return 0;
1551                                         }
1552                                 s->session->tlsext_ellipticcurvelist_length = 0;
1553                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1554                                         {
1555                                         *al = TLS1_AD_INTERNAL_ERROR;
1556                                         return 0;
1557                                         }
1558                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1559                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1560                                 }
1561 #if 0
1562                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1563                         sdata = s->session->tlsext_ellipticcurvelist;
1564                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1565                                 fprintf(stderr,"%i ",*(sdata++));
1566                         fprintf(stderr,"\n");
1567 #endif
1568                         }
1569 #endif /* OPENSSL_NO_EC */
1570 #ifdef TLSEXT_TYPE_opaque_prf_input
1571                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1572                      s->version != DTLS1_VERSION)
1573                         {
1574                         unsigned char *sdata = data;
1575
1576                         if (size < 2)
1577                                 {
1578                                 *al = SSL_AD_DECODE_ERROR;
1579                                 return 0;
1580                                 }
1581                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1582                         if (s->s3->client_opaque_prf_input_len != size - 2)
1583                                 {
1584                                 *al = SSL_AD_DECODE_ERROR;
1585                                 return 0;
1586                                 }
1587
1588                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1589                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1590                         if (s->s3->client_opaque_prf_input_len == 0)
1591                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1592                         else
1593                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1594                         if (s->s3->client_opaque_prf_input == NULL)
1595                                 {
1596                                 *al = TLS1_AD_INTERNAL_ERROR;
1597                                 return 0;
1598                                 }
1599                         }
1600 #endif
1601                 else if (type == TLSEXT_TYPE_session_ticket)
1602                         {
1603                         if (s->tls_session_ticket_ext_cb &&
1604                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1605                                 {
1606                                 *al = TLS1_AD_INTERNAL_ERROR;
1607                                 return 0;
1608                                 }
1609                         }
1610                 else if (type == TLSEXT_TYPE_renegotiate)
1611                         {
1612                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1613                                 return 0;
1614                         renegotiate_seen = 1;
1615                         }
1616                 else if (type == TLSEXT_TYPE_signature_algorithms)
1617                         {
1618                         int dsize;
1619                         if (s->cert->peer_sigalgs || size < 2) 
1620                                 {
1621                                 *al = SSL_AD_DECODE_ERROR;
1622                                 return 0;
1623                                 }
1624                         n2s(data,dsize);
1625                         size -= 2;
1626                         if (dsize != size || dsize & 1 || !dsize) 
1627                                 {
1628                                 *al = SSL_AD_DECODE_ERROR;
1629                                 return 0;
1630                                 }
1631                         if (!tls1_process_sigalgs(s, data, dsize))
1632                                 {
1633                                 *al = SSL_AD_DECODE_ERROR;
1634                                 return 0;
1635                                 }
1636                         /* If sigalgs received and no shared algorithms fatal
1637                          * error.
1638                          */
1639                         if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
1640                                 {
1641                                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1642                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
1643                                 *al = SSL_AD_ILLEGAL_PARAMETER;
1644                                 return 0;
1645                                 }
1646                         }
1647                 else if (type == TLSEXT_TYPE_status_request &&
1648                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1649                         {
1650                 
1651                         if (size < 5) 
1652                                 {
1653                                 *al = SSL_AD_DECODE_ERROR;
1654                                 return 0;
1655                                 }
1656
1657                         s->tlsext_status_type = *data++;
1658                         size--;
1659                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1660                                 {
1661                                 const unsigned char *sdata;
1662                                 int dsize;
1663                                 /* Read in responder_id_list */
1664                                 n2s(data,dsize);
1665                                 size -= 2;
1666                                 if (dsize > size  ) 
1667                                         {
1668                                         *al = SSL_AD_DECODE_ERROR;
1669                                         return 0;
1670                                         }
1671                                 while (dsize > 0)
1672                                         {
1673                                         OCSP_RESPID *id;
1674                                         int idsize;
1675                                         if (dsize < 4)
1676                                                 {
1677                                                 *al = SSL_AD_DECODE_ERROR;
1678                                                 return 0;
1679                                                 }
1680                                         n2s(data, idsize);
1681                                         dsize -= 2 + idsize;
1682                                         size -= 2 + idsize;
1683                                         if (dsize < 0)
1684                                                 {
1685                                                 *al = SSL_AD_DECODE_ERROR;
1686                                                 return 0;
1687                                                 }
1688                                         sdata = data;
1689                                         data += idsize;
1690                                         id = d2i_OCSP_RESPID(NULL,
1691                                                                 &sdata, idsize);
1692                                         if (!id)
1693                                                 {
1694                                                 *al = SSL_AD_DECODE_ERROR;
1695                                                 return 0;
1696                                                 }
1697                                         if (data != sdata)
1698                                                 {
1699                                                 OCSP_RESPID_free(id);
1700                                                 *al = SSL_AD_DECODE_ERROR;
1701                                                 return 0;
1702                                                 }
1703                                         if (!s->tlsext_ocsp_ids
1704                                                 && !(s->tlsext_ocsp_ids =
1705                                                 sk_OCSP_RESPID_new_null()))
1706                                                 {
1707                                                 OCSP_RESPID_free(id);
1708                                                 *al = SSL_AD_INTERNAL_ERROR;
1709                                                 return 0;
1710                                                 }
1711                                         if (!sk_OCSP_RESPID_push(
1712                                                         s->tlsext_ocsp_ids, id))
1713                                                 {
1714                                                 OCSP_RESPID_free(id);
1715                                                 *al = SSL_AD_INTERNAL_ERROR;
1716                                                 return 0;
1717                                                 }
1718                                         }
1719
1720                                 /* Read in request_extensions */
1721                                 if (size < 2)
1722                                         {
1723                                         *al = SSL_AD_DECODE_ERROR;
1724                                         return 0;
1725                                         }
1726                                 n2s(data,dsize);
1727                                 size -= 2;
1728                                 if (dsize != size)
1729                                         {
1730                                         *al = SSL_AD_DECODE_ERROR;
1731                                         return 0;
1732                                         }
1733                                 sdata = data;
1734                                 if (dsize > 0)
1735                                         {
1736                                         if (s->tlsext_ocsp_exts)
1737                                                 {
1738                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1739                                                                            X509_EXTENSION_free);
1740                                                 }
1741
1742                                         s->tlsext_ocsp_exts =
1743                                                 d2i_X509_EXTENSIONS(NULL,
1744                                                         &sdata, dsize);
1745                                         if (!s->tlsext_ocsp_exts
1746                                                 || (data + dsize != sdata))
1747                                                 {
1748                                                 *al = SSL_AD_DECODE_ERROR;
1749                                                 return 0;
1750                                                 }
1751                                         }
1752                                 }
1753                                 /* We don't know what to do with any other type
1754                                 * so ignore it.
1755                                 */
1756                                 else
1757                                         s->tlsext_status_type = -1;
1758                         }
1759 #ifndef OPENSSL_NO_HEARTBEATS
1760                 else if (type == TLSEXT_TYPE_heartbeat)
1761                         {
1762                         switch(data[0])
1763                                 {
1764                                 case 0x01:      /* Client allows us to send HB requests */
1765                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1766                                                         break;
1767                                 case 0x02:      /* Client doesn't accept HB requests */
1768                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1769                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1770                                                         break;
1771                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1772                                                         return 0;
1773                                 }
1774                         }
1775 #endif
1776 #ifndef OPENSSL_NO_NEXTPROTONEG
1777                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1778                          s->s3->tmp.finish_md_len == 0)
1779                         {
1780                         /* We shouldn't accept this extension on a
1781                          * renegotiation.
1782                          *
1783                          * s->new_session will be set on renegotiation, but we
1784                          * probably shouldn't rely that it couldn't be set on
1785                          * the initial renegotation too in certain cases (when
1786                          * there's some other reason to disallow resuming an
1787                          * earlier session -- the current code won't be doing
1788                          * anything like that, but this might change).
1789
1790                          * A valid sign that there's been a previous handshake
1791                          * in this connection is if s->s3->tmp.finish_md_len >
1792                          * 0.  (We are talking about a check that will happen
1793                          * in the Hello protocol round, well before a new
1794                          * Finished message could have been computed.) */
1795                         s->s3->next_proto_neg_seen = 1;
1796                         }
1797 #endif
1798
1799                 /* session ticket processed earlier */
1800                 else if (type == TLSEXT_TYPE_use_srtp)
1801                         {
1802                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1803                                                               al))
1804                                 return 0;
1805                         }
1806
1807                 else if (type == TLSEXT_TYPE_server_authz)
1808                         {
1809                         unsigned char *sdata = data;
1810                         unsigned char server_authz_dataformatlist_length;
1811
1812                         if (size == 0)
1813                                 {
1814                                 *al = TLS1_AD_DECODE_ERROR;
1815                                 return 0;
1816                                 }
1817
1818                         server_authz_dataformatlist_length = *(sdata++);
1819
1820                         if (server_authz_dataformatlist_length != size - 1)
1821                                 {
1822                                 *al = TLS1_AD_DECODE_ERROR;
1823                                 return 0;
1824                                 }
1825
1826                         /* Successful session resumption uses the same authz
1827                          * information as the original session so we ignore this
1828                          * in the case of a session resumption. */
1829                         if (!s->hit)
1830                                 {
1831                                 size_t i;
1832                                 if (s->s3->tlsext_authz_client_types != NULL)
1833                                         OPENSSL_free(s->s3->tlsext_authz_client_types);
1834                                 s->s3->tlsext_authz_client_types =
1835                                         OPENSSL_malloc(server_authz_dataformatlist_length);
1836                                 if (!s->s3->tlsext_authz_client_types)
1837                                         {
1838                                         *al = TLS1_AD_INTERNAL_ERROR;
1839                                         return 0;
1840                                         }
1841
1842                                 s->s3->tlsext_authz_client_types_len =
1843                                         server_authz_dataformatlist_length;
1844                                 memcpy(s->s3->tlsext_authz_client_types,
1845                                        sdata,
1846                                        server_authz_dataformatlist_length);
1847
1848                                 /* Sort the types in order to check for duplicates. */
1849                                 qsort(s->s3->tlsext_authz_client_types,
1850                                       server_authz_dataformatlist_length,
1851                                       1 /* element size */,
1852                                       byte_compare);
1853
1854                                 for (i = 0; i < server_authz_dataformatlist_length; i++)
1855                                         {
1856                                         if (i > 0 &&
1857                                             s->s3->tlsext_authz_client_types[i] ==
1858                                               s->s3->tlsext_authz_client_types[i-1])
1859                                                 {
1860                                                 *al = TLS1_AD_DECODE_ERROR;
1861                                                 return 0;
1862                                                 }
1863                                         }
1864                                 }
1865                         }
1866
1867                 data+=size;
1868                 }
1869
1870         *p = data;
1871
1872         ri_check:
1873
1874         /* Need RI if renegotiating */
1875
1876         if (!renegotiate_seen && s->renegotiate &&
1877                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1878                 {
1879                 *al = SSL_AD_HANDSHAKE_FAILURE;
1880                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1881                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1882                 return 0;
1883                 }
1884         /* If no signature algorithms extension set default values */
1885         if (!s->cert->peer_sigalgs)
1886                 ssl_cert_set_default_md(s->cert);
1887
1888         return 1;
1889         }
1890
1891 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
1892         {
1893         int al = -1;
1894         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
1895                 {
1896                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1897                 return 0;
1898                 }
1899
1900         if (ssl_check_clienthello_tlsext_early(s) <= 0) 
1901                 {
1902                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
1903                 return 0;
1904                 }
1905         return 1;
1906 }
1907
1908 #ifndef OPENSSL_NO_NEXTPROTONEG
1909 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1910  * elements of zero length are allowed and the set of elements must exactly fill
1911  * the length of the block. */
1912 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1913         {
1914         unsigned int off = 0;
1915
1916         while (off < len)
1917                 {
1918                 if (d[off] == 0)
1919                         return 0;
1920                 off += d[off];
1921                 off++;
1922                 }
1923
1924         return off == len;
1925         }
1926 #endif
1927
1928 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1929         {
1930         unsigned short length;
1931         unsigned short type;
1932         unsigned short size;
1933         unsigned char *data = *p;
1934         int tlsext_servername = 0;
1935         int renegotiate_seen = 0;
1936
1937 #ifndef OPENSSL_NO_NEXTPROTONEG
1938         s->s3->next_proto_neg_seen = 0;
1939 #endif
1940
1941 #ifndef OPENSSL_NO_HEARTBEATS
1942         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1943                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1944 #endif
1945
1946         if (data >= (d+n-2))
1947                 goto ri_check;
1948
1949         n2s(data,length);
1950         if (data+length != d+n)
1951                 {
1952                 *al = SSL_AD_DECODE_ERROR;
1953                 return 0;
1954                 }
1955
1956         while(data <= (d+n-4))
1957                 {
1958                 n2s(data,type);
1959                 n2s(data,size);
1960
1961                 if (data+size > (d+n))
1962                         goto ri_check;
1963
1964                 if (s->tlsext_debug_cb)
1965                         s->tlsext_debug_cb(s, 1, type, data, size,
1966                                                 s->tlsext_debug_arg);
1967
1968                 if (type == TLSEXT_TYPE_server_name)
1969                         {
1970                         if (s->tlsext_hostname == NULL || size > 0)
1971                                 {
1972                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1973                                 return 0;
1974                                 }
1975                         tlsext_servername = 1;   
1976                         }
1977
1978 #ifndef OPENSSL_NO_EC
1979                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1980                      s->version != DTLS1_VERSION)
1981                         {
1982                         unsigned char *sdata = data;
1983                         int ecpointformatlist_length = *(sdata++);
1984
1985                         if (ecpointformatlist_length != size - 1 || 
1986                                 ecpointformatlist_length < 1)
1987                                 {
1988                                 *al = TLS1_AD_DECODE_ERROR;
1989                                 return 0;
1990                                 }
1991                         s->session->tlsext_ecpointformatlist_length = 0;
1992                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1993                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1994                                 {
1995                                 *al = TLS1_AD_INTERNAL_ERROR;
1996                                 return 0;
1997                                 }
1998                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1999                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2000 #if 0
2001                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2002                         sdata = s->session->tlsext_ecpointformatlist;
2003                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2004                                 fprintf(stderr,"%i ",*(sdata++));
2005                         fprintf(stderr,"\n");
2006 #endif
2007                         }
2008 #endif /* OPENSSL_NO_EC */
2009
2010                 else if (type == TLSEXT_TYPE_session_ticket)
2011                         {
2012                         if (s->tls_session_ticket_ext_cb &&
2013                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2014                                 {
2015                                 *al = TLS1_AD_INTERNAL_ERROR;
2016                                 return 0;
2017                                 }
2018                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2019                                 || (size > 0))
2020                                 {
2021                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2022                                 return 0;
2023                                 }
2024                         s->tlsext_ticket_expected = 1;
2025                         }
2026 #ifdef TLSEXT_TYPE_opaque_prf_input
2027                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
2028                      s->version != DTLS1_VERSION)
2029                         {
2030                         unsigned char *sdata = data;
2031
2032                         if (size < 2)
2033                                 {
2034                                 *al = SSL_AD_DECODE_ERROR;
2035                                 return 0;
2036                                 }
2037                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2038                         if (s->s3->server_opaque_prf_input_len != size - 2)
2039                                 {
2040                                 *al = SSL_AD_DECODE_ERROR;
2041                                 return 0;
2042                                 }
2043                         
2044                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2045                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2046                         if (s->s3->server_opaque_prf_input_len == 0)
2047                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2048                         else
2049                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2050
2051                         if (s->s3->server_opaque_prf_input == NULL)
2052                                 {
2053                                 *al = TLS1_AD_INTERNAL_ERROR;
2054                                 return 0;
2055                                 }
2056                         }
2057 #endif
2058                 else if (type == TLSEXT_TYPE_status_request &&
2059                          s->version != DTLS1_VERSION)
2060                         {
2061                         /* MUST be empty and only sent if we've requested
2062                          * a status request message.
2063                          */ 
2064                         if ((s->tlsext_status_type == -1) || (size > 0))
2065                                 {
2066                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2067                                 return 0;
2068                                 }
2069                         /* Set flag to expect CertificateStatus message */
2070                         s->tlsext_status_expected = 1;
2071                         }
2072 #ifndef OPENSSL_NO_NEXTPROTONEG
2073                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2074                          s->s3->tmp.finish_md_len == 0)
2075                         {
2076                         unsigned char *selected;
2077                         unsigned char selected_len;
2078
2079                         /* We must have requested it. */
2080                         if ((s->ctx->next_proto_select_cb == NULL))
2081                                 {
2082                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2083                                 return 0;
2084                                 }
2085                         /* The data must be valid */
2086                         if (!ssl_next_proto_validate(data, size))
2087                                 {
2088                                 *al = TLS1_AD_DECODE_ERROR;
2089                                 return 0;
2090                                 }
2091                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2092                                 {
2093                                 *al = TLS1_AD_INTERNAL_ERROR;
2094                                 return 0;
2095                                 }
2096                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2097                         if (!s->next_proto_negotiated)
2098                                 {
2099                                 *al = TLS1_AD_INTERNAL_ERROR;
2100                                 return 0;
2101                                 }
2102                         memcpy(s->next_proto_negotiated, selected, selected_len);
2103                         s->next_proto_negotiated_len = selected_len;
2104                         s->s3->next_proto_neg_seen = 1;
2105                         }
2106 #endif
2107                 else if (type == TLSEXT_TYPE_renegotiate)
2108                         {
2109                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2110                                 return 0;
2111                         renegotiate_seen = 1;
2112                         }
2113 #ifndef OPENSSL_NO_HEARTBEATS
2114                 else if (type == TLSEXT_TYPE_heartbeat)
2115                         {
2116                         switch(data[0])
2117                                 {
2118                                 case 0x01:      /* Server allows us to send HB requests */
2119                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2120                                                         break;
2121                                 case 0x02:      /* Server doesn't accept HB requests */
2122                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2123                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2124                                                         break;
2125                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2126                                                         return 0;
2127                                 }
2128                         }
2129 #endif
2130                 else if (type == TLSEXT_TYPE_use_srtp)
2131                         {
2132                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2133                                                               al))
2134                                 return 0;
2135                         }
2136
2137                 else if (type == TLSEXT_TYPE_server_authz)
2138                         {
2139                         /* We only support audit proofs. It's an error to send
2140                          * an authz hello extension if the client
2141                          * didn't request a proof. */
2142                         unsigned char *sdata = data;
2143                         unsigned char server_authz_dataformatlist_length;
2144
2145                         if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2146                                 {
2147                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2148                                 return 0;
2149                                 }
2150
2151                         if (!size)
2152                                 {
2153                                 *al = TLS1_AD_DECODE_ERROR;
2154                                 return 0;
2155                                 }
2156
2157                         server_authz_dataformatlist_length = *(sdata++);
2158                         if (server_authz_dataformatlist_length != size - 1)
2159                                 {
2160                                 *al = TLS1_AD_DECODE_ERROR;
2161                                 return 0;
2162                                 }
2163
2164                         /* We only support audit proofs, so a legal ServerHello
2165                          * authz list contains exactly one entry. */
2166                         if (server_authz_dataformatlist_length != 1 ||
2167                                 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2168                                 {
2169                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2170                                 return 0;
2171                                 }
2172
2173                         s->s3->tlsext_authz_server_promised = 1;
2174                         }
2175  
2176                 data += size;
2177                 }
2178
2179         if (data != d+n)
2180                 {
2181                 *al = SSL_AD_DECODE_ERROR;
2182                 return 0;
2183                 }
2184
2185         if (!s->hit && tlsext_servername == 1)
2186                 {
2187                 if (s->tlsext_hostname)
2188                         {
2189                         if (s->session->tlsext_hostname == NULL)
2190                                 {
2191                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2192                                 if (!s->session->tlsext_hostname)
2193                                         {
2194                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2195                                         return 0;
2196                                         }
2197                                 }
2198                         else 
2199                                 {
2200                                 *al = SSL_AD_DECODE_ERROR;
2201                                 return 0;
2202                                 }
2203                         }
2204                 }
2205
2206         *p = data;
2207
2208         ri_check:
2209
2210         /* Determine if we need to see RI. Strictly speaking if we want to
2211          * avoid an attack we should *always* see RI even on initial server
2212          * hello because the client doesn't see any renegotiation during an
2213          * attack. However this would mean we could not connect to any server
2214          * which doesn't support RI so for the immediate future tolerate RI
2215          * absence on initial connect only.
2216          */
2217         if (!renegotiate_seen
2218                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2219                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2220                 {
2221                 *al = SSL_AD_HANDSHAKE_FAILURE;
2222                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2223                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2224                 return 0;
2225                 }
2226
2227         return 1;
2228         }
2229
2230
2231 int ssl_prepare_clienthello_tlsext(SSL *s)
2232         {
2233
2234 #ifdef TLSEXT_TYPE_opaque_prf_input
2235         {
2236                 int r = 1;
2237         
2238                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2239                         {
2240                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2241                         if (!r)
2242                                 return -1;
2243                         }
2244
2245                 if (s->tlsext_opaque_prf_input != NULL)
2246                         {
2247                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2248                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2249
2250                         if (s->tlsext_opaque_prf_input_len == 0)
2251                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2252                         else
2253                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2254                         if (s->s3->client_opaque_prf_input == NULL)
2255                                 {
2256                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2257                                 return -1;
2258                                 }
2259                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2260                         }
2261
2262                 if (r == 2)
2263                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2264                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2265         }
2266 #endif
2267
2268         return 1;
2269         }
2270
2271 int ssl_prepare_serverhello_tlsext(SSL *s)
2272         {
2273 #ifndef OPENSSL_NO_EC
2274         /* If we are server and using an ECC cipher suite, send the point formats we support 
2275          * if the client sent us an ECPointsFormat extension.  Note that the server is not
2276          * supposed to send an EllipticCurves extension.
2277          */
2278
2279         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2280         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2281         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
2282         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
2283         
2284         if (using_ecc)
2285                 {
2286                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
2287                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
2288                         {
2289                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2290                         return -1;
2291                         }
2292                 s->tlsext_ecpointformatlist_length = 3;
2293                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
2294                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
2295                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2296                 }
2297 #endif /* OPENSSL_NO_EC */
2298
2299         return 1;
2300         }
2301
2302 static int ssl_check_clienthello_tlsext_early(SSL *s)
2303         {
2304         int ret=SSL_TLSEXT_ERR_NOACK;
2305         int al = SSL_AD_UNRECOGNIZED_NAME;
2306
2307 #ifndef OPENSSL_NO_EC
2308         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2309          * ssl3_choose_cipher in s3_lib.c.
2310          */
2311         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2312          * ssl3_choose_cipher in s3_lib.c.
2313          */
2314 #endif
2315
2316         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2317                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2318         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2319                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2320
2321 #ifdef TLSEXT_TYPE_opaque_prf_input
2322         {
2323                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2324                  * but we might be sending an alert in response to the client hello,
2325                  * so this has to happen here in
2326                  * ssl_check_clienthello_tlsext_early(). */
2327
2328                 int r = 1;
2329         
2330                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2331                         {
2332                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2333                         if (!r)
2334                                 {
2335                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2336                                 al = SSL_AD_INTERNAL_ERROR;
2337                                 goto err;
2338                                 }
2339                         }
2340
2341                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2342                         OPENSSL_free(s->s3->server_opaque_prf_input);
2343                 s->s3->server_opaque_prf_input = NULL;
2344
2345                 if (s->tlsext_opaque_prf_input != NULL)
2346                         {
2347                         if (s->s3->client_opaque_prf_input != NULL &&
2348                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2349                                 {
2350                                 /* can only use this extension if we have a server opaque PRF input
2351                                  * of the same length as the client opaque PRF input! */
2352
2353                                 if (s->tlsext_opaque_prf_input_len == 0)
2354                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2355                                 else
2356                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2357                                 if (s->s3->server_opaque_prf_input == NULL)
2358                                         {
2359                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2360                                         al = SSL_AD_INTERNAL_ERROR;
2361                                         goto err;
2362                                         }
2363                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2364                                 }
2365                         }
2366
2367                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2368                         {
2369                         /* The callback wants to enforce use of the extension,
2370                          * but we can't do that with the client opaque PRF input;
2371                          * abort the handshake.
2372                          */
2373                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2374                         al = SSL_AD_HANDSHAKE_FAILURE;
2375                         }
2376         }
2377
2378  err:
2379 #endif
2380         switch (ret)
2381                 {
2382                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2383                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2384                         return -1;
2385
2386                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2387                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2388                         return 1; 
2389                                         
2390                 case SSL_TLSEXT_ERR_NOACK:
2391                         s->servername_done=0;
2392                         default:
2393                 return 1;
2394                 }
2395         }
2396
2397 int ssl_check_clienthello_tlsext_late(SSL *s)
2398         {
2399         int ret = SSL_TLSEXT_ERR_OK;
2400         int al;
2401
2402         /* If status request then ask callback what to do.
2403          * Note: this must be called after servername callbacks in case
2404          * the certificate has changed, and must be called after the cipher
2405          * has been chosen because this may influence which certificate is sent
2406          */
2407         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2408                 {
2409                 int r;
2410                 CERT_PKEY *certpkey;
2411                 certpkey = ssl_get_server_send_pkey(s);
2412                 /* If no certificate can't return certificate status */
2413                 if (certpkey == NULL)
2414                         {
2415                         s->tlsext_status_expected = 0;
2416                         return 1;
2417                         }
2418                 /* Set current certificate to one we will use so
2419                  * SSL_get_certificate et al can pick it up.
2420                  */
2421                 s->cert->key = certpkey;
2422                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2423                 switch (r)
2424                         {
2425                         /* We don't want to send a status request response */
2426                         case SSL_TLSEXT_ERR_NOACK:
2427                                 s->tlsext_status_expected = 0;
2428                                 break;
2429                         /* status request response should be sent */
2430                         case SSL_TLSEXT_ERR_OK:
2431                                 if (s->tlsext_ocsp_resp)
2432                                         s->tlsext_status_expected = 1;
2433                                 else
2434                                         s->tlsext_status_expected = 0;
2435                                 break;
2436                         /* something bad happened */
2437                         case SSL_TLSEXT_ERR_ALERT_FATAL:
2438                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2439                                 al = SSL_AD_INTERNAL_ERROR;
2440                                 goto err;
2441                         }
2442                 }
2443         else
2444                 s->tlsext_status_expected = 0;
2445
2446  err:
2447         switch (ret)
2448                 {
2449                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2450                         ssl3_send_alert(s, SSL3_AL_FATAL,al);
2451                         return -1;
2452
2453                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2454                         ssl3_send_alert(s, SSL3_AL_WARNING,al);
2455                         return 1; 
2456
2457                 default:
2458                         return 1;
2459                 }
2460         }
2461
2462 int ssl_check_serverhello_tlsext(SSL *s)
2463         {
2464         int ret=SSL_TLSEXT_ERR_NOACK;
2465         int al = SSL_AD_UNRECOGNIZED_NAME;
2466
2467 #ifndef OPENSSL_NO_EC
2468         /* If we are client and using an elliptic curve cryptography cipher
2469          * suite, then if server returns an EC point formats lists extension
2470          * it must contain uncompressed.
2471          */
2472         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2473         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2474         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
2475             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
2476             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2477                 {
2478                 /* we are using an ECC cipher */
2479                 size_t i;
2480                 unsigned char *list;
2481                 int found_uncompressed = 0;
2482                 list = s->session->tlsext_ecpointformatlist;
2483                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2484                         {
2485                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2486                                 {
2487                                 found_uncompressed = 1;
2488                                 break;
2489                                 }
2490                         }
2491                 if (!found_uncompressed)
2492                         {
2493                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2494                         return -1;
2495                         }
2496                 }
2497         ret = SSL_TLSEXT_ERR_OK;
2498 #endif /* OPENSSL_NO_EC */
2499
2500         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2501                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2502         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2503                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2504
2505 #ifdef TLSEXT_TYPE_opaque_prf_input
2506         if (s->s3->server_opaque_prf_input_len > 0)
2507                 {
2508                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2509                  * So first verify that we really have a value from the server too. */
2510
2511                 if (s->s3->server_opaque_prf_input == NULL)
2512                         {
2513                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2514                         al = SSL_AD_HANDSHAKE_FAILURE;
2515                         }
2516                 
2517                 /* Anytime the server *has* sent an opaque PRF input, we need to check
2518                  * that we have a client opaque PRF input of the same size. */
2519                 if (s->s3->client_opaque_prf_input == NULL ||
2520                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2521                         {
2522                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2523                         al = SSL_AD_ILLEGAL_PARAMETER;
2524                         }
2525                 }
2526 #endif
2527
2528         /* If we've requested certificate status and we wont get one
2529          * tell the callback
2530          */
2531         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2532                         && s->ctx && s->ctx->tlsext_status_cb)
2533                 {
2534                 int r;
2535                 /* Set resp to NULL, resplen to -1 so callback knows
2536                  * there is no response.
2537                  */
2538                 if (s->tlsext_ocsp_resp)
2539                         {
2540                         OPENSSL_free(s->tlsext_ocsp_resp);
2541                         s->tlsext_ocsp_resp = NULL;
2542                         }
2543                 s->tlsext_ocsp_resplen = -1;
2544                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2545                 if (r == 0)
2546                         {
2547                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2548                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2549                         }
2550                 if (r < 0)
2551                         {
2552                         al = SSL_AD_INTERNAL_ERROR;
2553                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2554                         }
2555                 }
2556
2557         switch (ret)
2558                 {
2559                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2560                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2561                         return -1;
2562
2563                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2564                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2565                         return 1; 
2566                                         
2567                 case SSL_TLSEXT_ERR_NOACK:
2568                         s->servername_done=0;
2569                         default:
2570                 return 1;
2571                 }
2572         }
2573
2574 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2575         {
2576         int al = -1;
2577         if (s->version < SSL3_VERSION)
2578                 return 1;
2579         if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
2580                 {
2581                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2582                 return 0;
2583                 }
2584
2585         if (ssl_check_serverhello_tlsext(s) <= 0) 
2586                 {
2587                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
2588                 return 0;
2589                 }
2590         return 1;
2591 }
2592
2593 /* Since the server cache lookup is done early on in the processing of the
2594  * ClientHello, and other operations depend on the result, we need to handle
2595  * any TLS session ticket extension at the same time.
2596  *
2597  *   session_id: points at the session ID in the ClientHello. This code will
2598  *       read past the end of this in order to parse out the session ticket
2599  *       extension, if any.
2600  *   len: the length of the session ID.
2601  *   limit: a pointer to the first byte after the ClientHello.
2602  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2603  *       point to the resulting session.
2604  *
2605  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2606  * ciphersuite, in which case we have no use for session tickets and one will
2607  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2608  *
2609  * Returns:
2610  *   -1: fatal error, either from parsing or decrypting the ticket.
2611  *    0: no ticket was found (or was ignored, based on settings).
2612  *    1: a zero length extension was found, indicating that the client supports
2613  *       session tickets but doesn't currently have one to offer.
2614  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2615  *       couldn't be decrypted because of a non-fatal error.
2616  *    3: a ticket was successfully decrypted and *ret was set.
2617  *
2618  * Side effects:
2619  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2620  *   a new session ticket to the client because the client indicated support
2621  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2622  *   a session ticket or we couldn't use the one it gave us, or if
2623  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2624  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2625  */
2626 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2627                         const unsigned char *limit, SSL_SESSION **ret)
2628         {
2629         /* Point after session ID in client hello */
2630         const unsigned char *p = session_id + len;
2631         unsigned short i;
2632
2633         *ret = NULL;
2634         s->tlsext_ticket_expected = 0;
2635
2636         /* If tickets disabled behave as if no ticket present
2637          * to permit stateful resumption.
2638          */
2639         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2640                 return 0;
2641         if ((s->version <= SSL3_VERSION) || !limit)
2642                 return 0;
2643         if (p >= limit)
2644                 return -1;
2645         /* Skip past DTLS cookie */
2646         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2647                 {
2648                 i = *(p++);
2649                 p+= i;
2650                 if (p >= limit)
2651                         return -1;
2652                 }
2653         /* Skip past cipher list */
2654         n2s(p, i);
2655         p+= i;
2656         if (p >= limit)
2657                 return -1;
2658         /* Skip past compression algorithm list */
2659         i = *(p++);
2660         p += i;
2661         if (p > limit)
2662                 return -1;
2663         /* Now at start of extensions */
2664         if ((p + 2) >= limit)
2665                 return 0;
2666         n2s(p, i);
2667         while ((p + 4) <= limit)
2668                 {
2669                 unsigned short type, size;
2670                 n2s(p, type);
2671                 n2s(p, size);
2672                 if (p + size > limit)
2673                         return 0;
2674                 if (type == TLSEXT_TYPE_session_ticket)
2675                         {
2676                         int r;
2677                         if (size == 0)
2678                                 {
2679                                 /* The client will accept a ticket but doesn't
2680                                  * currently have one. */
2681                                 s->tlsext_ticket_expected = 1;
2682                                 return 1;
2683                                 }
2684                         if (s->tls_session_secret_cb)
2685                                 {
2686                                 /* Indicate that the ticket couldn't be
2687                                  * decrypted rather than generating the session
2688                                  * from ticket now, trigger abbreviated
2689                                  * handshake based on external mechanism to
2690                                  * calculate the master secret later. */
2691                                 return 2;
2692                                 }
2693                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2694                         switch (r)
2695                                 {
2696                                 case 2: /* ticket couldn't be decrypted */
2697                                         s->tlsext_ticket_expected = 1;
2698                                         return 2;
2699                                 case 3: /* ticket was decrypted */
2700                                         return r;
2701                                 case 4: /* ticket decrypted but need to renew */
2702                                         s->tlsext_ticket_expected = 1;
2703                                         return 3;
2704                                 default: /* fatal error */
2705                                         return -1;
2706                                 }
2707                         }
2708                 p += size;
2709                 }
2710         return 0;
2711         }
2712
2713 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2714  *
2715  *   etick: points to the body of the session ticket extension.
2716  *   eticklen: the length of the session tickets extenion.
2717  *   sess_id: points at the session ID.
2718  *   sesslen: the length of the session ID.
2719  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2720  *       point to the resulting session.
2721  *
2722  * Returns:
2723  *   -1: fatal error, either from parsing or decrypting the ticket.
2724  *    2: the ticket couldn't be decrypted.
2725  *    3: a ticket was successfully decrypted and *psess was set.
2726  *    4: same as 3, but the ticket needs to be renewed.
2727  */
2728 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2729                                 const unsigned char *sess_id, int sesslen,
2730                                 SSL_SESSION **psess)
2731         {
2732         SSL_SESSION *sess;
2733         unsigned char *sdec;
2734         const unsigned char *p;
2735         int slen, mlen, renew_ticket = 0;
2736         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2737         HMAC_CTX hctx;
2738         EVP_CIPHER_CTX ctx;
2739         SSL_CTX *tctx = s->initial_ctx;
2740         /* Need at least keyname + iv + some encrypted data */
2741         if (eticklen < 48)
2742                 return 2;
2743         /* Initialize session ticket encryption and HMAC contexts */
2744         HMAC_CTX_init(&hctx);
2745         EVP_CIPHER_CTX_init(&ctx);
2746         if (tctx->tlsext_ticket_key_cb)
2747                 {
2748                 unsigned char *nctick = (unsigned char *)etick;
2749                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2750                                                         &ctx, &hctx, 0);
2751                 if (rv < 0)
2752                         return -1;
2753                 if (rv == 0)
2754                         return 2;
2755                 if (rv == 2)
2756                         renew_ticket = 1;
2757                 }
2758         else
2759                 {
2760                 /* Check key name matches */
2761                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2762                         return 2;
2763                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2764                                         tlsext_tick_md(), NULL);
2765                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2766                                 tctx->tlsext_tick_aes_key, etick + 16);
2767                 }
2768         /* Attempt to process session ticket, first conduct sanity and
2769          * integrity checks on ticket.
2770          */
2771         mlen = HMAC_size(&hctx);
2772         if (mlen < 0)
2773                 {
2774                 EVP_CIPHER_CTX_cleanup(&ctx);
2775                 return -1;
2776                 }
2777         eticklen -= mlen;
2778         /* Check HMAC of encrypted ticket */
2779         HMAC_Update(&hctx, etick, eticklen);
2780         HMAC_Final(&hctx, tick_hmac, NULL);
2781         HMAC_CTX_cleanup(&hctx);
2782         if (memcmp(tick_hmac, etick + eticklen, mlen))
2783                 return 2;
2784         /* Attempt to decrypt session data */
2785         /* Move p after IV to start of encrypted ticket, update length */
2786         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2787         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2788         sdec = OPENSSL_malloc(eticklen);
2789         if (!sdec)
2790                 {
2791                 EVP_CIPHER_CTX_cleanup(&ctx);
2792                 return -1;
2793                 }
2794         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2795         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2796                 return 2;
2797         slen += mlen;
2798         EVP_CIPHER_CTX_cleanup(&ctx);
2799         p = sdec;
2800
2801         sess = d2i_SSL_SESSION(NULL, &p, slen);
2802         OPENSSL_free(sdec);
2803         if (sess)
2804                 {
2805                 /* The session ID, if non-empty, is used by some clients to
2806                  * detect that the ticket has been accepted. So we copy it to
2807                  * the session structure. If it is empty set length to zero
2808                  * as required by standard.
2809                  */
2810                 if (sesslen)
2811                         memcpy(sess->session_id, sess_id, sesslen);
2812                 sess->session_id_length = sesslen;
2813                 *psess = sess;
2814                 if (renew_ticket)
2815                         return 4;
2816                 else
2817                         return 3;
2818                 }
2819         ERR_clear_error();
2820         /* For session parse failure, indicate that we need to send a new
2821          * ticket. */
2822         return 2;
2823         }
2824
2825 /* Tables to translate from NIDs to TLS v1.2 ids */
2826
2827 typedef struct 
2828         {
2829         int nid;
2830         int id;
2831         } tls12_lookup;
2832
2833 static tls12_lookup tls12_md[] = {
2834         {NID_md5, TLSEXT_hash_md5},
2835         {NID_sha1, TLSEXT_hash_sha1},
2836         {NID_sha224, TLSEXT_hash_sha224},
2837         {NID_sha256, TLSEXT_hash_sha256},
2838         {NID_sha384, TLSEXT_hash_sha384},
2839         {NID_sha512, TLSEXT_hash_sha512}
2840 };
2841
2842 static tls12_lookup tls12_sig[] = {
2843         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2844         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2845         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2846 };
2847
2848 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2849         {
2850         size_t i;
2851         for (i = 0; i < tlen; i++)
2852                 {
2853                 if (table[i].nid == nid)
2854                         return table[i].id;
2855                 }
2856         return -1;
2857         }
2858
2859 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2860         {
2861         size_t i;
2862         for (i = 0; i < tlen; i++)
2863                 {
2864                 if ((table[i].id) == id)
2865                         return table[i].nid;
2866                 }
2867         return NID_undef;
2868         }
2869
2870 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2871         {
2872         int sig_id, md_id;
2873         if (!md)
2874                 return 0;
2875         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2876                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2877         if (md_id == -1)
2878                 return 0;
2879         sig_id = tls12_get_sigid(pk);
2880         if (sig_id == -1)
2881                 return 0;
2882         p[0] = (unsigned char)md_id;
2883         p[1] = (unsigned char)sig_id;
2884         return 1;
2885         }
2886
2887 int tls12_get_sigid(const EVP_PKEY *pk)
2888         {
2889         return tls12_find_id(pk->type, tls12_sig,
2890                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2891         }
2892
2893 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2894         {
2895         switch(hash_alg)
2896                 {
2897 #ifndef OPENSSL_NO_MD5
2898                 case TLSEXT_hash_md5:
2899 #ifdef OPENSSL_FIPS
2900                 if (FIPS_mode())
2901                         return NULL;
2902 #endif
2903                 return EVP_md5();
2904 #endif
2905 #ifndef OPENSSL_NO_SHA
2906                 case TLSEXT_hash_sha1:
2907                 return EVP_sha1();
2908 #endif
2909 #ifndef OPENSSL_NO_SHA256
2910                 case TLSEXT_hash_sha224:
2911                 return EVP_sha224();
2912
2913                 case TLSEXT_hash_sha256:
2914                 return EVP_sha256();
2915 #endif
2916 #ifndef OPENSSL_NO_SHA512
2917                 case TLSEXT_hash_sha384:
2918                 return EVP_sha384();
2919
2920                 case TLSEXT_hash_sha512:
2921                 return EVP_sha512();
2922 #endif
2923                 default:
2924                 return NULL;
2925
2926                 }
2927         }
2928
2929 static int tls12_get_pkey_idx(unsigned char sig_alg)
2930         {
2931         switch(sig_alg)
2932                 {
2933 #ifndef OPENSSL_NO_RSA
2934         case TLSEXT_signature_rsa:
2935                 return SSL_PKEY_RSA_SIGN;
2936 #endif
2937 #ifndef OPENSSL_NO_DSA
2938         case TLSEXT_signature_dsa:
2939                 return SSL_PKEY_DSA_SIGN;
2940 #endif
2941 #ifndef OPENSSL_NO_ECDSA
2942         case TLSEXT_signature_ecdsa:
2943                 return SSL_PKEY_ECC;
2944 #endif
2945                 }
2946         return -1;
2947         }
2948
2949 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
2950 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
2951                         int *psignhash_nid, const unsigned char *data)
2952         {
2953         int sign_nid, hash_nid;
2954         if (!phash_nid && !psign_nid && !psignhash_nid)
2955                 return;
2956         if (phash_nid || psignhash_nid)
2957                 {
2958                 hash_nid = tls12_find_nid(data[0], tls12_md,
2959                                         sizeof(tls12_md)/sizeof(tls12_lookup));
2960                 if (phash_nid)
2961                         *phash_nid = hash_nid;
2962                 }
2963         if (psign_nid || psignhash_nid)
2964                 {
2965                 sign_nid = tls12_find_nid(data[1], tls12_sig,
2966                                         sizeof(tls12_sig)/sizeof(tls12_lookup));
2967                 if (psign_nid)
2968                         *psign_nid = sign_nid;
2969                 }
2970         if (psignhash_nid)
2971                 {
2972                 if (sign_nid && hash_nid)
2973                         OBJ_find_sigid_by_algs(psignhash_nid,
2974                                                         hash_nid, sign_nid);
2975                 else
2976                         *psignhash_nid = NID_undef;
2977                 }
2978         }
2979 /* Given preference and allowed sigalgs set shared sigalgs */
2980 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
2981                                 const unsigned char *pref, size_t preflen,
2982                                 const unsigned char *allow, size_t allowlen)
2983         {
2984         const unsigned char *ptmp, *atmp;
2985         size_t i, j, nmatch = 0;
2986         for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
2987                 {
2988                 /* Skip disabled hashes or signature algorithms */
2989                 if (tls12_get_hash(ptmp[0]) == NULL)
2990                         continue;
2991                 if (tls12_get_pkey_idx(ptmp[1]) == -1)
2992                         continue;
2993                 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
2994                         {
2995                         if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
2996                                 {
2997                                 nmatch++;
2998                                 if (shsig)
2999                                         {
3000                                         shsig->rhash = ptmp[0];
3001                                         shsig->rsign = ptmp[1];
3002                                         tls1_lookup_sigalg(&shsig->hash_nid,
3003                                                 &shsig->sign_nid,
3004                                                 &shsig->signandhash_nid,
3005                                                 ptmp);
3006                                         shsig++;
3007                                         }
3008                                 break;
3009                                 }
3010                         }
3011                 }
3012         return nmatch;
3013         }
3014
3015 /* Set shared signature algorithms for SSL structures */
3016 static int tls1_set_shared_sigalgs(SSL *s)
3017         {
3018         const unsigned char *pref, *allow, *conf;
3019         size_t preflen, allowlen, conflen;
3020         size_t nmatch;
3021         TLS_SIGALGS *salgs = NULL;
3022         CERT *c = s->cert;
3023         conf = c->conf_sigalgs;
3024         if (conf)
3025                 conflen = c->conf_sigalgslen;
3026         else
3027                 {
3028                 conf = tls12_sigalgs;
3029                 conflen = sizeof(tls12_sigalgs);
3030 #ifdef OPENSSL_FIPS
3031                 if (FIPS_mode())
3032                         conflen -= 2;
3033 #endif
3034                 }
3035         if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
3036                 {
3037                 pref = conf;
3038                 preflen = conflen;
3039                 allow = c->peer_sigalgs;
3040                 allowlen = c->peer_sigalgslen;
3041                 }
3042         else
3043                 {
3044                 allow = conf;
3045                 allowlen = conflen;
3046                 pref = c->peer_sigalgs;
3047                 preflen = c->peer_sigalgslen;
3048                 }
3049         nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3050         if (!nmatch)
3051                 return 1;
3052         salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3053         if (!salgs)
3054                 return 0;
3055         nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3056         c->shared_sigalgs = salgs;
3057         c->shared_sigalgslen = nmatch;
3058         return 1;
3059         }
3060                 
3061
3062 /* Set preferred digest for each key type */