add105d27276980183de0cd291c403fbbcb11d48
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
128 #endif
129
130 SSL3_ENC_METHOD TLSv1_enc_data={
131         tls1_enc,
132         tls1_mac,
133         tls1_setup_key_block,
134         tls1_generate_master_secret,
135         tls1_change_cipher_state,
136         tls1_final_finish_mac,
137         TLS1_FINISH_MAC_LENGTH,
138         tls1_cert_verify_mac,
139         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141         tls1_alert_code,
142         tls1_export_keying_material,
143         };
144
145 long tls1_default_timeout(void)
146         {
147         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148          * is way too long for http, the cache would over fill */
149         return(60*60*2);
150         }
151
152 int tls1_new(SSL *s)
153         {
154         if (!ssl3_new(s)) return(0);
155         s->method->ssl_clear(s);
156         return(1);
157         }
158
159 void tls1_free(SSL *s)
160         {
161 #ifndef OPENSSL_NO_TLSEXT
162         if (s->tlsext_session_ticket)
163                 {
164                 OPENSSL_free(s->tlsext_session_ticket);
165                 }
166 #endif /* OPENSSL_NO_TLSEXT */
167         ssl3_free(s);
168         }
169
170 void tls1_clear(SSL *s)
171         {
172         ssl3_clear(s);
173         s->version = s->method->version;
174         }
175
176 #ifndef OPENSSL_NO_EC
177
178 static int nid_list[] =
179         {
180                 NID_sect163k1, /* sect163k1 (1) */
181                 NID_sect163r1, /* sect163r1 (2) */
182                 NID_sect163r2, /* sect163r2 (3) */
183                 NID_sect193r1, /* sect193r1 (4) */ 
184                 NID_sect193r2, /* sect193r2 (5) */ 
185                 NID_sect233k1, /* sect233k1 (6) */
186                 NID_sect233r1, /* sect233r1 (7) */ 
187                 NID_sect239k1, /* sect239k1 (8) */ 
188                 NID_sect283k1, /* sect283k1 (9) */
189                 NID_sect283r1, /* sect283r1 (10) */ 
190                 NID_sect409k1, /* sect409k1 (11) */ 
191                 NID_sect409r1, /* sect409r1 (12) */
192                 NID_sect571k1, /* sect571k1 (13) */ 
193                 NID_sect571r1, /* sect571r1 (14) */ 
194                 NID_secp160k1, /* secp160k1 (15) */
195                 NID_secp160r1, /* secp160r1 (16) */ 
196                 NID_secp160r2, /* secp160r2 (17) */ 
197                 NID_secp192k1, /* secp192k1 (18) */
198                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
199                 NID_secp224k1, /* secp224k1 (20) */ 
200                 NID_secp224r1, /* secp224r1 (21) */
201                 NID_secp256k1, /* secp256k1 (22) */ 
202                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
203                 NID_secp384r1, /* secp384r1 (24) */
204                 NID_secp521r1  /* secp521r1 (25) */     
205         };
206
207
208 static const unsigned char ecformats_default[] = 
209         {
210         TLSEXT_ECPOINTFORMAT_uncompressed,
211         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
212         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
213         };
214
215 static const unsigned char eccurves_default[] =
216         {
217                 0,14, /* sect571r1 (14) */ 
218                 0,13, /* sect571k1 (13) */ 
219                 0,25, /* secp521r1 (25) */      
220                 0,11, /* sect409k1 (11) */ 
221                 0,12, /* sect409r1 (12) */
222                 0,24, /* secp384r1 (24) */
223                 0,9,  /* sect283k1 (9) */
224                 0,10, /* sect283r1 (10) */ 
225                 0,22, /* secp256k1 (22) */ 
226                 0,23, /* secp256r1 (23) */ 
227                 0,8,  /* sect239k1 (8) */ 
228                 0,6,  /* sect233k1 (6) */
229                 0,7,  /* sect233r1 (7) */ 
230                 0,20, /* secp224k1 (20) */ 
231                 0,21, /* secp224r1 (21) */
232                 0,4,  /* sect193r1 (4) */ 
233                 0,5,  /* sect193r2 (5) */ 
234                 0,18, /* secp192k1 (18) */
235                 0,19, /* secp192r1 (19) */ 
236                 0,1,  /* sect163k1 (1) */
237                 0,2,  /* sect163r1 (2) */
238                 0,3,  /* sect163r2 (3) */
239                 0,15, /* secp160k1 (15) */
240                 0,16, /* secp160r1 (16) */ 
241                 0,17, /* secp160r2 (17) */ 
242         };
243
244 int tls1_ec_curve_id2nid(int curve_id)
245         {
246         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
247         if ((curve_id < 1) || ((unsigned int)curve_id >
248                                 sizeof(nid_list)/sizeof(nid_list[0])))
249                 return 0;
250         return nid_list[curve_id-1];
251         }
252
253 int tls1_ec_nid2curve_id(int nid)
254         {
255         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
256         switch (nid)
257                 {
258         case NID_sect163k1: /* sect163k1 (1) */
259                 return 1;
260         case NID_sect163r1: /* sect163r1 (2) */
261                 return 2;
262         case NID_sect163r2: /* sect163r2 (3) */
263                 return 3;
264         case NID_sect193r1: /* sect193r1 (4) */ 
265                 return 4;
266         case NID_sect193r2: /* sect193r2 (5) */ 
267                 return 5;
268         case NID_sect233k1: /* sect233k1 (6) */
269                 return 6;
270         case NID_sect233r1: /* sect233r1 (7) */ 
271                 return 7;
272         case NID_sect239k1: /* sect239k1 (8) */ 
273                 return 8;
274         case NID_sect283k1: /* sect283k1 (9) */
275                 return 9;
276         case NID_sect283r1: /* sect283r1 (10) */ 
277                 return 10;
278         case NID_sect409k1: /* sect409k1 (11) */ 
279                 return 11;
280         case NID_sect409r1: /* sect409r1 (12) */
281                 return 12;
282         case NID_sect571k1: /* sect571k1 (13) */ 
283                 return 13;
284         case NID_sect571r1: /* sect571r1 (14) */ 
285                 return 14;
286         case NID_secp160k1: /* secp160k1 (15) */
287                 return 15;
288         case NID_secp160r1: /* secp160r1 (16) */ 
289                 return 16;
290         case NID_secp160r2: /* secp160r2 (17) */ 
291                 return 17;
292         case NID_secp192k1: /* secp192k1 (18) */
293                 return 18;
294         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
295                 return 19;
296         case NID_secp224k1: /* secp224k1 (20) */ 
297                 return 20;
298         case NID_secp224r1: /* secp224r1 (21) */
299                 return 21;
300         case NID_secp256k1: /* secp256k1 (22) */ 
301                 return 22;
302         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
303                 return 23;
304         case NID_secp384r1: /* secp384r1 (24) */
305                 return 24;
306         case NID_secp521r1:  /* secp521r1 (25) */       
307                 return 25;
308         default:
309                 return 0;
310                 }
311         }
312 /* Get curves list, if "sess" is set return client curves otherwise
313  * preferred list
314  */
315 static void tls1_get_curvelist(SSL *s, int sess,
316                                         const unsigned char **pcurves,
317                                         size_t *pcurveslen)
318         {
319         if (sess)
320                 {
321                 *pcurves = s->session->tlsext_ellipticcurvelist;
322                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
323                 }
324         else
325                 {
326                 *pcurves = s->tlsext_ellipticcurvelist;
327                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
328                 }
329         /* If not set use default: for now static structure */
330         if (!*pcurves)
331                 {
332                 *pcurves = eccurves_default;
333                 *pcurveslen = sizeof(eccurves_default);
334                 }
335         }
336
337 /* Return nth shared curve. If nmatch == -1 return number of
338  * matches.
339  */
340
341 int tls1_shared_curve(SSL *s, int nmatch)
342         {
343         const unsigned char *pref, *supp;
344         size_t preflen, supplen, i, j;
345         int k;
346         /* Can't do anything on client side */
347         if (s->server == 0)
348                 return -1;
349         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
350                                 &supp, &supplen);
351         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
352                                 &pref, &preflen);
353         preflen /= 2;
354         supplen /= 2;
355         k = 0;
356         for (i = 0; i < preflen; i++, pref+=2)
357                 {
358                 const unsigned char *tsupp = supp;
359                 for (j = 0; j < supplen; j++, tsupp+=2)
360                         {
361                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
362                                 {
363                                 if (nmatch == k)
364                                         {
365                                         int id = (pref[0] << 8) | pref[1];
366                                         return tls1_ec_curve_id2nid(id);
367                                         }
368                                 k++;
369                                 }
370                         }
371                 }
372         if (nmatch == -1)
373                 return k;
374         return 0;
375         }
376
377 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
378                         int *curves, size_t ncurves)
379         {
380         unsigned char *clist, *p;
381         size_t i;
382         /* Bitmap of curves included to detect duplicates: only works
383          * while curve ids < 32 
384          */
385         unsigned long dup_list = 0;
386         clist = OPENSSL_malloc(ncurves * 2);
387         if (!clist)
388                 return 0;
389         for (i = 0, p = clist; i < ncurves; i++)
390                 {
391                 unsigned long idmask;
392                 int id;
393                 id = tls1_ec_nid2curve_id(curves[i]);
394                 idmask = 1L << id;
395                 if (!id || (dup_list & idmask))
396                         {
397                         OPENSSL_free(clist);
398                         return 0;
399                         }
400                 dup_list |= idmask;
401                 s2n(id, p);
402                 }
403         if (*pext)
404                 OPENSSL_free(*pext);
405         *pext = clist;
406         *pextlen = ncurves * 2;
407         return 1;
408         }
409
410 #define MAX_CURVELIST   25
411
412 typedef struct
413         {
414         size_t nidcnt;
415         int nid_arr[MAX_CURVELIST];
416         } nid_cb_st;
417
418 static int nid_cb(const char *elem, int len, void *arg)
419         {
420         nid_cb_st *narg = arg;
421         size_t i;
422         int nid;
423         char etmp[20];
424         if (narg->nidcnt == MAX_CURVELIST)
425                 return 0;
426         if (len > (int)(sizeof(etmp) - 1))
427                 return 0;
428         memcpy(etmp, elem, len);
429         etmp[len] = 0;
430         nid = EC_curve_nist2nid(etmp);
431         if (nid == NID_undef)
432                 nid = OBJ_sn2nid(etmp);
433         if (nid == NID_undef)
434                 nid = OBJ_ln2nid(etmp);
435         if (nid == NID_undef)
436                 return 0;
437         for (i = 0; i < narg->nidcnt; i++)
438                 if (narg->nid_arr[i] == nid)
439                         return 0;
440         narg->nid_arr[narg->nidcnt++] = nid;
441         return 1;
442         }
443 /* Set curves based on a colon separate list */
444 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
445                                 const char *str)
446         {
447         nid_cb_st ncb;
448         ncb.nidcnt = 0;
449         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
450                 return 0;
451         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
452         }
453 /* For an EC key set TLS id and required compression based on parameters */
454 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
455                                 EC_KEY *ec)
456         {
457         int is_prime, id;
458         const EC_GROUP *grp;
459         const EC_POINT *pt;
460         const EC_METHOD *meth;
461         if (!ec)
462                 return 0;
463         /* Determine if it is a prime field */
464         grp = EC_KEY_get0_group(ec);
465         pt = EC_KEY_get0_public_key(ec);
466         if (!grp || !pt)
467                 return 0;
468         meth = EC_GROUP_method_of(grp);
469         if (!meth)
470                 return 0;
471         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
472                 is_prime = 1;
473         else
474                 is_prime = 0;
475         /* Determine curve ID */
476         id = EC_GROUP_get_curve_name(grp);
477         id = tls1_ec_nid2curve_id(id);
478         /* If we have an ID set it, otherwise set arbitrary explicit curve */
479         if (id)
480                 {
481                 curve_id[0] = 0;
482                 curve_id[1] = (unsigned char)id;
483                 }
484         else
485                 {
486                 curve_id[0] = 0xff;
487                 if (is_prime)
488                         curve_id[1] = 0x01;
489                 else
490                         curve_id[1] = 0x02;
491                 }
492         if (comp_id)
493                 {
494                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
495                         {
496                         if (is_prime)
497                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
498                         else
499                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
500                         }
501                 else
502                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
503                 }
504         return 1;
505         }
506 /* Check an EC key is compatible with extensions */
507 static int tls1_check_ec_key(SSL *s,
508                         unsigned char *curve_id, unsigned char *comp_id)
509         {
510         const unsigned char *p;
511         size_t plen, i;
512         int j;
513         /* If point formats extension present check it, otherwise everything
514          * is supported (see RFC4492).
515          */
516         if (comp_id && s->session->tlsext_ecpointformatlist)
517                 {
518                 p = s->session->tlsext_ecpointformatlist;
519                 plen = s->session->tlsext_ecpointformatlist_length;
520                 for (i = 0; i < plen; i++, p++)
521                         {
522                         if (*comp_id == *p)
523                                 break;
524                         }
525                 if (i == plen)
526                         return 0;
527                 }
528         /* Check curve is consistent with client and server preferences */
529         for (j = 0; j <= 1; j++)
530                 {
531                 tls1_get_curvelist(s, j, &p, &plen);
532                 for (i = 0; i < plen; i+=2, p+=2)
533                         {
534                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
535                                 break;
536                         }
537                 if (i == plen)
538                         return 0;
539                 }
540         return 1;
541         }
542
543 /* Check cert parameters compatible with extensions: currently just checks
544  * EC certificates have compatible curves and compression.
545  */
546 static int tls1_check_cert_param(SSL *s, X509 *x)
547         {
548         unsigned char comp_id, curve_id[2];
549         EVP_PKEY *pkey;
550         int rv;
551         pkey = X509_get_pubkey(x);
552         if (!pkey)
553                 return 0;
554         /* If not EC nothing to do */
555         if (pkey->type != EVP_PKEY_EC)
556                 {
557                 EVP_PKEY_free(pkey);
558                 return 1;
559                 }
560         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
561         EVP_PKEY_free(pkey);
562         if (!rv)
563                 return 0;
564         return tls1_check_ec_key(s, curve_id, &comp_id);
565         }
566 /* Check EC server key is compatible with client extensions */
567 int tls1_check_ec_server_key(SSL *s)
568         {
569         CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
570         if (!cpk->x509 || !cpk->privatekey)
571                 return 0;
572         return tls1_check_cert_param(s, cpk->x509);
573         }
574 /* Check EC temporary key is compatible with client extensions */
575 int tls1_check_ec_tmp_key(SSL *s)
576         {
577         unsigned char curve_id[2];
578         EC_KEY *ec = s->cert->ecdh_tmp;
579         if (s->cert->ecdh_tmp_auto)
580                 {
581                 /* Need a shared curve */
582                 if (tls1_shared_curve(s, 0))
583                         return 1;
584                 else return 0;
585                 }
586         if (!ec)
587                 {
588                 if (s->cert->ecdh_tmp_cb)
589                         return 1;
590                 else
591                         return 0;
592                 }
593         if (!tls1_set_ec_id(curve_id, NULL, ec))
594                 return 1;
595         return tls1_check_ec_key(s, curve_id, NULL);
596         }
597
598 #endif /* OPENSSL_NO_EC */
599
600 #ifndef OPENSSL_NO_TLSEXT
601
602 /* List of supported signature algorithms and hashes. Should make this
603  * customisable at some point, for now include everything we support.
604  */
605
606 #ifdef OPENSSL_NO_RSA
607 #define tlsext_sigalg_rsa(md) /* */
608 #else
609 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
610 #endif
611
612 #ifdef OPENSSL_NO_DSA
613 #define tlsext_sigalg_dsa(md) /* */
614 #else
615 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
616 #endif
617
618 #ifdef OPENSSL_NO_ECDSA
619 #define tlsext_sigalg_ecdsa(md) /* */
620 #else
621 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
622 #endif
623
624 #define tlsext_sigalg(md) \
625                 tlsext_sigalg_rsa(md) \
626                 tlsext_sigalg_dsa(md) \
627                 tlsext_sigalg_ecdsa(md)
628
629 static unsigned char tls12_sigalgs[] = {
630 #ifndef OPENSSL_NO_SHA512
631         tlsext_sigalg(TLSEXT_hash_sha512)
632         tlsext_sigalg(TLSEXT_hash_sha384)
633 #endif
634 #ifndef OPENSSL_NO_SHA256
635         tlsext_sigalg(TLSEXT_hash_sha256)
636         tlsext_sigalg(TLSEXT_hash_sha224)
637 #endif
638 #ifndef OPENSSL_NO_SHA
639         tlsext_sigalg(TLSEXT_hash_sha1)
640 #endif
641 #ifndef OPENSSL_NO_MD5
642         tlsext_sigalg_rsa(TLSEXT_hash_md5)
643 #endif
644 };
645
646 size_t tls12_get_sig_algs(SSL *s, unsigned char *p)
647         {
648         const unsigned char *sigs;
649         size_t sigslen;
650         sigs = s->cert->conf_sigalgs;
651
652         if (sigs)
653                 sigslen = s->cert->conf_sigalgslen;
654         else
655                 {
656                 sigs = tls12_sigalgs;
657                 sigslen = sizeof(tls12_sigalgs);
658 #ifdef OPENSSL_FIPS
659                 /* If FIPS mode don't include MD5 which is last */
660                 if (FIPS_mode())
661                         sigslen -= 2;
662 #endif
663                 }
664
665         if (p)
666                 memcpy(p, sigs, sigslen);
667         return sigslen;
668         }
669
670 /* byte_compare is a compare function for qsort(3) that compares bytes. */
671 static int byte_compare(const void *in_a, const void *in_b)
672         {
673         unsigned char a = *((const unsigned char*) in_a);
674         unsigned char b = *((const unsigned char*) in_b);
675
676         if (a > b)
677                 return 1;
678         else if (a < b)
679                 return -1;
680         return 0;
681 }
682
683 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
684         {
685         int extdatalen=0;
686         unsigned char *ret = p;
687 #ifndef OPENSSL_NO_EC
688         /* See if we support any ECC ciphersuites */
689         int using_ecc = 0;
690         if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
691                 {
692                 int i;
693                 unsigned long alg_k, alg_a;
694                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
695
696                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
697                         {
698                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
699
700                         alg_k = c->algorithm_mkey;
701                         alg_a = c->algorithm_auth;
702                         if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
703                                 || (alg_a & SSL_aECDSA)))
704                                 {
705                                 using_ecc = 1;
706                                 break;
707                                 }
708                         }
709                 }
710 #endif
711
712         /* don't add extensions for SSLv3 unless doing secure renegotiation */
713         if (s->client_version == SSL3_VERSION
714                                         && !s->s3->send_connection_binding)
715                 return p;
716
717         ret+=2;
718
719         if (ret>=limit) return NULL; /* this really never occurs, but ... */
720
721         if (s->tlsext_hostname != NULL)
722                 { 
723                 /* Add TLS extension servername to the Client Hello message */
724                 unsigned long size_str;
725                 long lenmax; 
726
727                 /* check for enough space.
728                    4 for the servername type and entension length
729                    2 for servernamelist length
730                    1 for the hostname type
731                    2 for hostname length
732                    + hostname length 
733                 */
734                    
735                 if ((lenmax = limit - ret - 9) < 0 
736                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
737                         return NULL;
738                         
739                 /* extension type and length */
740                 s2n(TLSEXT_TYPE_server_name,ret); 
741                 s2n(size_str+5,ret);
742                 
743                 /* length of servername list */
744                 s2n(size_str+3,ret);
745         
746                 /* hostname type, length and hostname */
747                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
748                 s2n(size_str,ret);
749                 memcpy(ret, s->tlsext_hostname, size_str);
750                 ret+=size_str;
751                 }
752
753         /* Add RI if renegotiating */
754         if (s->renegotiate)
755           {
756           int el;
757           
758           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
759               {
760               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
761               return NULL;
762               }
763
764           if((limit - p - 4 - el) < 0) return NULL;
765           
766           s2n(TLSEXT_TYPE_renegotiate,ret);
767           s2n(el,ret);
768
769           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
770               {
771               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
772               return NULL;
773               }
774
775           ret += el;
776         }
777
778 #ifndef OPENSSL_NO_SRP
779         /* Add SRP username if there is one */
780         if (s->srp_ctx.login != NULL)
781                 { /* Add TLS extension SRP username to the Client Hello message */
782
783                 int login_len = strlen(s->srp_ctx.login);       
784                 if (login_len > 255 || login_len == 0)
785                         {
786                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
787                         return NULL;
788                         } 
789
790                 /* check for enough space.
791                    4 for the srp type type and entension length
792                    1 for the srp user identity
793                    + srp user identity length 
794                 */
795                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
796
797                 /* fill in the extension */
798                 s2n(TLSEXT_TYPE_srp,ret);
799                 s2n(login_len+1,ret);
800                 (*ret++) = (unsigned char) login_len;
801                 memcpy(ret, s->srp_ctx.login, login_len);
802                 ret+=login_len;
803                 }
804 #endif
805
806 #ifndef OPENSSL_NO_EC
807         if (using_ecc)
808                 {
809                 /* Add TLS extension ECPointFormats to the ClientHello message */
810                 long lenmax; 
811                 const unsigned char *plist;
812                 size_t plistlen;
813                 /* If we have a custom point format list use it otherwise
814                  * use default */
815                 plist = s->tlsext_ecpointformatlist;
816                 if (plist)
817                         plistlen = s->tlsext_ecpointformatlist_length;
818                 else
819                         {
820                         plist = ecformats_default;
821                         plistlen = sizeof(ecformats_default);
822                         }
823
824                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
825                 if (plistlen > (size_t)lenmax) return NULL;
826                 if (plistlen > 255)
827                         {
828                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
829                         return NULL;
830                         }
831                 
832                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
833                 s2n(plistlen + 1,ret);
834                 *(ret++) = (unsigned char)plistlen ;
835                 memcpy(ret, plist, plistlen);
836                 ret+=plistlen;
837
838                 /* Add TLS extension EllipticCurves to the ClientHello message */
839                 plist = s->tlsext_ellipticcurvelist;
840                 tls1_get_curvelist(s, 0, &plist, &plistlen);
841
842                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
843                 if (plistlen > (size_t)lenmax) return NULL;
844                 if (plistlen > 65532)
845                         {
846                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
847                         return NULL;
848                         }
849                 
850                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
851                 s2n(plistlen + 2, ret);
852
853                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
854                  * elliptic_curve_list, but the examples use two bytes.
855                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
856                  * resolves this to two bytes.
857                  */
858                 s2n(plistlen, ret);
859                 memcpy(ret, plist, plistlen);
860                 ret+=plistlen;
861                 }
862 #endif /* OPENSSL_NO_EC */
863
864         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
865                 {
866                 int ticklen;
867                 if (!s->new_session && s->session && s->session->tlsext_tick)
868                         ticklen = s->session->tlsext_ticklen;
869                 else if (s->session && s->tlsext_session_ticket &&
870                          s->tlsext_session_ticket->data)
871                         {
872                         ticklen = s->tlsext_session_ticket->length;
873                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
874                         if (!s->session->tlsext_tick)
875                                 return NULL;
876                         memcpy(s->session->tlsext_tick,
877                                s->tlsext_session_ticket->data,
878                                ticklen);
879                         s->session->tlsext_ticklen = ticklen;
880                         }
881                 else
882                         ticklen = 0;
883                 if (ticklen == 0 && s->tlsext_session_ticket &&
884                     s->tlsext_session_ticket->data == NULL)
885                         goto skip_ext;
886                 /* Check for enough room 2 for extension type, 2 for len
887                  * rest for ticket
888                  */
889                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
890                 s2n(TLSEXT_TYPE_session_ticket,ret); 
891                 s2n(ticklen,ret);
892                 if (ticklen)
893                         {
894                         memcpy(ret, s->session->tlsext_tick, ticklen);
895                         ret += ticklen;
896                         }
897                 }
898                 skip_ext:
899
900         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
901                 {
902                 size_t salglen;
903                 salglen = tls12_get_sig_algs(s, NULL);
904                 if ((size_t)(limit - ret) < salglen + 6)
905                         return NULL; 
906                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
907                 s2n(salglen + 2, ret);
908                 s2n(salglen, ret);
909                 tls12_get_sig_algs(s, ret);
910                 ret += salglen;
911                 }
912
913 #ifdef TLSEXT_TYPE_opaque_prf_input
914         if (s->s3->client_opaque_prf_input != NULL &&
915             s->version != DTLS1_VERSION)
916                 {
917                 size_t col = s->s3->client_opaque_prf_input_len;
918                 
919                 if ((long)(limit - ret - 6 - col < 0))
920                         return NULL;
921                 if (col > 0xFFFD) /* can't happen */
922                         return NULL;
923
924                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
925                 s2n(col + 2, ret);
926                 s2n(col, ret);
927                 memcpy(ret, s->s3->client_opaque_prf_input, col);
928                 ret += col;
929                 }
930 #endif
931
932         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
933             s->version != DTLS1_VERSION)
934                 {
935                 int i;
936                 long extlen, idlen, itmp;
937                 OCSP_RESPID *id;
938
939                 idlen = 0;
940                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
941                         {
942                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
943                         itmp = i2d_OCSP_RESPID(id, NULL);
944                         if (itmp <= 0)
945                                 return NULL;
946                         idlen += itmp + 2;
947                         }
948
949                 if (s->tlsext_ocsp_exts)
950                         {
951                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
952                         if (extlen < 0)
953                                 return NULL;
954                         }
955                 else
956                         extlen = 0;
957                         
958                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
959                 s2n(TLSEXT_TYPE_status_request, ret);
960                 if (extlen + idlen > 0xFFF0)
961                         return NULL;
962                 s2n(extlen + idlen + 5, ret);
963                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
964                 s2n(idlen, ret);
965                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
966                         {
967                         /* save position of id len */
968                         unsigned char *q = ret;
969                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
970                         /* skip over id len */
971                         ret += 2;
972                         itmp = i2d_OCSP_RESPID(id, &ret);
973                         /* write id len */
974                         s2n(itmp, q);
975                         }
976                 s2n(extlen, ret);
977                 if (extlen > 0)
978                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
979                 }
980
981 #ifndef OPENSSL_NO_HEARTBEATS
982         /* Add Heartbeat extension */
983         s2n(TLSEXT_TYPE_heartbeat,ret);
984         s2n(1,ret);
985         /* Set mode:
986          * 1: peer may send requests
987          * 2: peer not allowed to send requests
988          */
989         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
990                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
991         else
992                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
993 #endif
994
995 #ifndef OPENSSL_NO_NEXTPROTONEG
996         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
997                 {
998                 /* The client advertises an emtpy extension to indicate its
999                  * support for Next Protocol Negotiation */
1000                 if (limit - ret - 4 < 0)
1001                         return NULL;
1002                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1003                 s2n(0,ret);
1004                 }
1005 #endif
1006
1007         if(SSL_get_srtp_profiles(s))
1008                 {
1009                 int el;
1010
1011                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1012                 
1013                 if((limit - p - 4 - el) < 0) return NULL;
1014
1015                 s2n(TLSEXT_TYPE_use_srtp,ret);
1016                 s2n(el,ret);
1017
1018                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1019                         {
1020                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1021                         return NULL;
1022                         }
1023                 ret += el;
1024                 }
1025
1026         /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1027         /* 2 bytes for extension type */
1028         /* 2 bytes for extension length */
1029         /* 1 byte for the list length */
1030         /* 1 byte for the list (we only support audit proofs) */
1031         if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1032                 {
1033                 size_t lenmax;
1034                 const unsigned short ext_len = 2;
1035                 const unsigned char list_len = 1;
1036
1037                 if ((lenmax = limit - ret - 6) < 0) return NULL;
1038
1039                 s2n(TLSEXT_TYPE_server_authz, ret);
1040                 /* Extension length: 2 bytes */
1041                 s2n(ext_len, ret);
1042                 *(ret++) = list_len;
1043                 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1044                 }
1045
1046         if ((extdatalen = ret-p-2) == 0)
1047                 return p;
1048
1049         s2n(extdatalen,p);
1050         return ret;
1051         }
1052
1053 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1054         {
1055         int extdatalen=0;
1056         unsigned char *ret = p;
1057 #ifndef OPENSSL_NO_NEXTPROTONEG
1058         int next_proto_neg_seen;
1059 #endif
1060
1061         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1062         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1063                 return p;
1064         
1065         ret+=2;
1066         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1067
1068         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1069                 { 
1070                 if ((long)(limit - ret - 4) < 0) return NULL; 
1071
1072                 s2n(TLSEXT_TYPE_server_name,ret);
1073                 s2n(0,ret);
1074                 }
1075
1076         if(s->s3->send_connection_binding)
1077         {
1078           int el;
1079           
1080           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1081               {
1082               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1083               return NULL;
1084               }
1085
1086           if((limit - p - 4 - el) < 0) return NULL;
1087           
1088           s2n(TLSEXT_TYPE_renegotiate,ret);
1089           s2n(el,ret);
1090
1091           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1092               {
1093               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1094               return NULL;
1095               }
1096
1097           ret += el;
1098         }
1099
1100 #ifndef OPENSSL_NO_EC
1101         if (s->tlsext_ecpointformatlist != NULL &&
1102             s->version != DTLS1_VERSION)
1103                 {
1104                 /* Add TLS extension ECPointFormats to the ServerHello message */
1105                 long lenmax; 
1106
1107                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1108                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
1109                 if (s->tlsext_ecpointformatlist_length > 255)
1110                         {
1111                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1112                         return NULL;
1113                         }
1114                 
1115                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1116                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
1117                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
1118                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
1119                 ret+=s->tlsext_ecpointformatlist_length;
1120
1121                 }
1122         /* Currently the server should not respond with a SupportedCurves extension */
1123 #endif /* OPENSSL_NO_EC */
1124
1125         if (s->tlsext_ticket_expected
1126                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
1127                 { 
1128                 if ((long)(limit - ret - 4) < 0) return NULL; 
1129                 s2n(TLSEXT_TYPE_session_ticket,ret);
1130                 s2n(0,ret);
1131                 }
1132
1133         if (s->tlsext_status_expected)
1134                 { 
1135                 if ((long)(limit - ret - 4) < 0) return NULL; 
1136                 s2n(TLSEXT_TYPE_status_request,ret);
1137                 s2n(0,ret);
1138                 }
1139
1140 #ifdef TLSEXT_TYPE_opaque_prf_input
1141         if (s->s3->server_opaque_prf_input != NULL &&
1142             s->version != DTLS1_VERSION)
1143                 {
1144                 size_t sol = s->s3->server_opaque_prf_input_len;
1145                 
1146                 if ((long)(limit - ret - 6 - sol) < 0)
1147                         return NULL;
1148                 if (sol > 0xFFFD) /* can't happen */
1149                         return NULL;
1150
1151                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1152                 s2n(sol + 2, ret);
1153                 s2n(sol, ret);
1154                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1155                 ret += sol;
1156                 }
1157 #endif
1158
1159         if(s->srtp_profile)
1160                 {
1161                 int el;
1162
1163                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1164                 
1165                 if((limit - p - 4 - el) < 0) return NULL;
1166
1167                 s2n(TLSEXT_TYPE_use_srtp,ret);
1168                 s2n(el,ret);
1169
1170                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1171                         {
1172                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1173                         return NULL;
1174                         }
1175                 ret+=el;
1176                 }
1177
1178         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1179                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1180                 { const unsigned char cryptopro_ext[36] = {
1181                         0xfd, 0xe8, /*65000*/
1182                         0x00, 0x20, /*32 bytes length*/
1183                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1184                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1185                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1186                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1187                         if (limit-ret<36) return NULL;
1188                         memcpy(ret,cryptopro_ext,36);
1189                         ret+=36;
1190
1191                 }
1192
1193 #ifndef OPENSSL_NO_HEARTBEATS
1194         /* Add Heartbeat extension if we've received one */
1195         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1196                 {
1197                 s2n(TLSEXT_TYPE_heartbeat,ret);
1198                 s2n(1,ret);
1199                 /* Set mode:
1200                  * 1: peer may send requests
1201                  * 2: peer not allowed to send requests
1202                  */
1203                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1204                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1205                 else
1206                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1207
1208                 }
1209 #endif
1210
1211 #ifndef OPENSSL_NO_NEXTPROTONEG
1212         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1213         s->s3->next_proto_neg_seen = 0;
1214         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1215                 {
1216                 const unsigned char *npa;
1217                 unsigned int npalen;
1218                 int r;
1219
1220                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1221                 if (r == SSL_TLSEXT_ERR_OK)
1222                         {
1223                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1224                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1225                         s2n(npalen,ret);
1226                         memcpy(ret, npa, npalen);
1227                         ret += npalen;
1228                         s->s3->next_proto_neg_seen = 1;
1229                         }
1230                 }
1231 #endif
1232
1233         /* If the client supports authz then see whether we have any to offer
1234          * to it. */
1235         if (s->s3->tlsext_authz_client_types_len)
1236                 {
1237                 size_t authz_length;
1238                 /* By now we already know the new cipher, so we can look ahead
1239                  * to see whether the cert we are going to send
1240                  * has any authz data attached to it. */
1241                 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1242                 const unsigned char* const orig_authz = authz;
1243                 size_t i;
1244                 unsigned authz_count = 0;
1245
1246                 /* The authz data contains a number of the following structures:
1247                  *      uint8_t authz_type
1248                  *      uint16_t length
1249                  *      uint8_t data[length]
1250                  *
1251                  * First we walk over it to find the number of authz elements. */
1252                 for (i = 0; i < authz_length; i++)
1253                         {
1254                         unsigned short length;
1255                         unsigned char type;
1256
1257                         type = *(authz++);
1258                         if (memchr(s->s3->tlsext_authz_client_types,
1259                                    type,
1260                                    s->s3->tlsext_authz_client_types_len) != NULL)
1261                                 authz_count++;
1262
1263                         n2s(authz, length);
1264                         /* n2s increments authz by 2 */
1265                         i += 2;
1266                         authz += length;
1267                         i += length;
1268                         }
1269
1270                 if (authz_count)
1271                         {
1272                         /* Add TLS extension server_authz to the ServerHello message
1273                          * 2 bytes for extension type
1274                          * 2 bytes for extension length
1275                          * 1 byte for the list length
1276                          * n bytes for the list */
1277                         const unsigned short ext_len = 1 + authz_count;
1278
1279                         if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1280                         s2n(TLSEXT_TYPE_server_authz, ret);
1281                         s2n(ext_len, ret);
1282                         *(ret++) = authz_count;
1283                         s->s3->tlsext_authz_promised_to_client = 1;
1284                         }
1285
1286                 authz = orig_authz;
1287                 for (i = 0; i < authz_length; i++)
1288                         {
1289                         unsigned short length;
1290                         unsigned char type;
1291
1292                         authz_count++;
1293                         type = *(authz++);
1294                         if (memchr(s->s3->tlsext_authz_client_types,
1295                                    type,
1296                                    s->s3->tlsext_authz_client_types_len) != NULL)
1297                                 *(ret++) = type;
1298                         n2s(authz, length);
1299                         /* n2s increments authz by 2 */
1300                         i += 2;
1301                         authz += length;
1302                         i += length;
1303                         }
1304                 }
1305
1306         if ((extdatalen = ret-p-2)== 0) 
1307                 return p;
1308
1309         s2n(extdatalen,p);
1310         return ret;
1311         }
1312
1313 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1314         {       
1315         unsigned short type;
1316         unsigned short size;
1317         unsigned short len;
1318         unsigned char *data = *p;
1319         int renegotiate_seen = 0;
1320
1321         s->servername_done = 0;
1322         s->tlsext_status_type = -1;
1323 #ifndef OPENSSL_NO_NEXTPROTONEG
1324         s->s3->next_proto_neg_seen = 0;
1325 #endif
1326
1327 #ifndef OPENSSL_NO_HEARTBEATS
1328         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1329                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1330 #endif
1331         /* Clear any signature algorithms extension received */
1332         if (s->cert->peer_sigalgs)
1333                 {
1334                 OPENSSL_free(s->cert->peer_sigalgs);
1335                 s->cert->peer_sigalgs = NULL;
1336                 }
1337         /* Clear any shared sigtnature algorithms */
1338         if (s->cert->shared_sigalgs)
1339                 {
1340                 OPENSSL_free(s->cert->shared_sigalgs);
1341                 s->cert->shared_sigalgs = NULL;
1342                 }
1343
1344         if (data >= (d+n-2))
1345                 goto ri_check;
1346         n2s(data,len);
1347
1348         if (data > (d+n-len)) 
1349                 goto ri_check;
1350
1351         while (data <= (d+n-4))
1352                 {
1353                 n2s(data,type);
1354                 n2s(data,size);
1355
1356                 if (data+size > (d+n))
1357                         goto ri_check;
1358 #if 0
1359                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1360 #endif
1361                 if (s->tlsext_debug_cb)
1362                         s->tlsext_debug_cb(s, 0, type, data, size,
1363                                                 s->tlsext_debug_arg);
1364 /* The servername extension is treated as follows:
1365
1366    - Only the hostname type is supported with a maximum length of 255.
1367    - The servername is rejected if too long or if it contains zeros,
1368      in which case an fatal alert is generated.
1369    - The servername field is maintained together with the session cache.
1370    - When a session is resumed, the servername call back invoked in order
1371      to allow the application to position itself to the right context. 
1372    - The servername is acknowledged if it is new for a session or when 
1373      it is identical to a previously used for the same session. 
1374      Applications can control the behaviour.  They can at any time
1375      set a 'desirable' servername for a new SSL object. This can be the
1376      case for example with HTTPS when a Host: header field is received and
1377      a renegotiation is requested. In this case, a possible servername
1378      presented in the new client hello is only acknowledged if it matches
1379      the value of the Host: field. 
1380    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1381      if they provide for changing an explicit servername context for the session,
1382      i.e. when the session has been established with a servername extension. 
1383    - On session reconnect, the servername extension may be absent. 
1384
1385 */      
1386
1387                 if (type == TLSEXT_TYPE_server_name)
1388                         {
1389                         unsigned char *sdata;
1390                         int servname_type;
1391                         int dsize; 
1392                 
1393                         if (size < 2) 
1394                                 {
1395                                 *al = SSL_AD_DECODE_ERROR;
1396                                 return 0;
1397                                 }
1398                         n2s(data,dsize);  
1399                         size -= 2;
1400                         if (dsize > size  ) 
1401                                 {
1402                                 *al = SSL_AD_DECODE_ERROR;
1403                                 return 0;
1404                                 } 
1405
1406                         sdata = data;
1407                         while (dsize > 3) 
1408                                 {
1409                                 servname_type = *(sdata++); 
1410                                 n2s(sdata,len);
1411                                 dsize -= 3;
1412
1413                                 if (len > dsize) 
1414                                         {
1415                                         *al = SSL_AD_DECODE_ERROR;
1416                                         return 0;
1417                                         }
1418                                 if (s->servername_done == 0)
1419                                 switch (servname_type)
1420                                         {
1421                                 case TLSEXT_NAMETYPE_host_name:
1422                                         if (!s->hit)
1423                                                 {
1424                                                 if(s->session->tlsext_hostname)
1425                                                         {
1426                                                         *al = SSL_AD_DECODE_ERROR;
1427                                                         return 0;
1428                                                         }
1429                                                 if (len > TLSEXT_MAXLEN_host_name)
1430                                                         {
1431                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1432                                                         return 0;
1433                                                         }
1434                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1435                                                         {
1436                                                         *al = TLS1_AD_INTERNAL_ERROR;
1437                                                         return 0;
1438                                                         }
1439                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1440                                                 s->session->tlsext_hostname[len]='\0';
1441                                                 if (strlen(s->session->tlsext_hostname) != len) {
1442                                                         OPENSSL_free(s->session->tlsext_hostname);
1443                                                         s->session->tlsext_hostname = NULL;
1444                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1445                                                         return 0;
1446                                                 }
1447                                                 s->servername_done = 1; 
1448
1449                                                 }
1450                                         else 
1451                                                 s->servername_done = s->session->tlsext_hostname
1452                                                         && strlen(s->session->tlsext_hostname) == len 
1453                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1454                                         
1455                                         break;
1456
1457                                 default:
1458                                         break;
1459                                         }
1460                                  
1461                                 dsize -= len;
1462                                 }
1463                         if (dsize != 0) 
1464                                 {
1465                                 *al = SSL_AD_DECODE_ERROR;
1466                                 return 0;
1467                                 }
1468
1469                         }
1470 #ifndef OPENSSL_NO_SRP
1471                 else if (type == TLSEXT_TYPE_srp)
1472                         {
1473                         if (size <= 0 || ((len = data[0])) != (size -1))
1474                                 {
1475                                 *al = SSL_AD_DECODE_ERROR;
1476                                 return 0;
1477                                 }
1478                         if (s->srp_ctx.login != NULL)
1479                                 {
1480                                 *al = SSL_AD_DECODE_ERROR;
1481                                 return 0;
1482                                 }
1483                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1484                                 return -1;
1485                         memcpy(s->srp_ctx.login, &data[1], len);
1486                         s->srp_ctx.login[len]='\0';
1487   
1488                         if (strlen(s->srp_ctx.login) != len) 
1489                                 {
1490                                 *al = SSL_AD_DECODE_ERROR;
1491                                 return 0;
1492                                 }
1493                         }
1494 #endif
1495
1496 #ifndef OPENSSL_NO_EC
1497                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1498                      s->version != DTLS1_VERSION)
1499                         {
1500                         unsigned char *sdata = data;
1501                         int ecpointformatlist_length = *(sdata++);
1502
1503                         if (ecpointformatlist_length != size - 1)
1504                                 {
1505                                 *al = TLS1_AD_DECODE_ERROR;
1506                                 return 0;
1507                                 }
1508                         if (!s->hit)
1509                                 {
1510                                 if(s->session->tlsext_ecpointformatlist)
1511                                         {
1512                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1513                                         s->session->tlsext_ecpointformatlist = NULL;
1514                                         }
1515                                 s->session->tlsext_ecpointformatlist_length = 0;
1516                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1517                                         {
1518                                         *al = TLS1_AD_INTERNAL_ERROR;
1519                                         return 0;
1520                                         }
1521                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1522                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1523                                 }
1524 #if 0
1525                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1526                         sdata = s->session->tlsext_ecpointformatlist;
1527                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1528                                 fprintf(stderr,"%i ",*(sdata++));
1529                         fprintf(stderr,"\n");
1530 #endif
1531                         }
1532                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1533                      s->version != DTLS1_VERSION)
1534                         {
1535                         unsigned char *sdata = data;
1536                         int ellipticcurvelist_length = (*(sdata++) << 8);
1537                         ellipticcurvelist_length += (*(sdata++));
1538
1539                         if (ellipticcurvelist_length != size - 2)
1540                                 {
1541                                 *al = TLS1_AD_DECODE_ERROR;
1542                                 return 0;
1543                                 }
1544                         if (!s->hit)
1545                                 {
1546                                 if(s->session->tlsext_ellipticcurvelist)
1547                                         {
1548                                         *al = TLS1_AD_DECODE_ERROR;
1549                                         return 0;
1550                                         }
1551                                 s->session->tlsext_ellipticcurvelist_length = 0;
1552                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1553                                         {
1554                                         *al = TLS1_AD_INTERNAL_ERROR;
1555                                         return 0;
1556                                         }
1557                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1558                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1559                                 }
1560 #if 0
1561                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1562                         sdata = s->session->tlsext_ellipticcurvelist;
1563                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1564                                 fprintf(stderr,"%i ",*(sdata++));
1565                         fprintf(stderr,"\n");
1566 #endif
1567                         }
1568 #endif /* OPENSSL_NO_EC */
1569 #ifdef TLSEXT_TYPE_opaque_prf_input
1570                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1571                      s->version != DTLS1_VERSION)
1572                         {
1573                         unsigned char *sdata = data;
1574
1575                         if (size < 2)
1576                                 {
1577                                 *al = SSL_AD_DECODE_ERROR;
1578                                 return 0;
1579                                 }
1580                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1581                         if (s->s3->client_opaque_prf_input_len != size - 2)
1582                                 {
1583                                 *al = SSL_AD_DECODE_ERROR;
1584                                 return 0;
1585                                 }
1586
1587                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1588                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1589                         if (s->s3->client_opaque_prf_input_len == 0)
1590                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1591                         else
1592                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1593                         if (s->s3->client_opaque_prf_input == NULL)
1594                                 {
1595                                 *al = TLS1_AD_INTERNAL_ERROR;
1596                                 return 0;
1597                                 }
1598                         }
1599 #endif
1600                 else if (type == TLSEXT_TYPE_session_ticket)
1601                         {
1602                         if (s->tls_session_ticket_ext_cb &&
1603                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1604                                 {
1605                                 *al = TLS1_AD_INTERNAL_ERROR;
1606                                 return 0;
1607                                 }
1608                         }
1609                 else if (type == TLSEXT_TYPE_renegotiate)
1610                         {
1611                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1612                                 return 0;
1613                         renegotiate_seen = 1;
1614                         }
1615                 else if (type == TLSEXT_TYPE_signature_algorithms)
1616                         {
1617                         int dsize;
1618                         if (s->cert->peer_sigalgs || size < 2) 
1619                                 {
1620                                 *al = SSL_AD_DECODE_ERROR;
1621                                 return 0;
1622                                 }
1623                         n2s(data,dsize);
1624                         size -= 2;
1625                         if (dsize != size || dsize & 1 || !dsize) 
1626                                 {
1627                                 *al = SSL_AD_DECODE_ERROR;
1628                                 return 0;
1629                                 }
1630                         if (!tls1_process_sigalgs(s, data, dsize))
1631                                 {
1632                                 *al = SSL_AD_DECODE_ERROR;
1633                                 return 0;
1634                                 }
1635                         /* If sigalgs received and no shared algorithms fatal
1636                          * error.
1637                          */
1638                         if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
1639                                 {
1640                                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1641                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
1642                                 *al = SSL_AD_ILLEGAL_PARAMETER;
1643                                 return 0;
1644                                 }
1645                         }
1646                 else if (type == TLSEXT_TYPE_status_request &&
1647                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1648                         {
1649                 
1650                         if (size < 5) 
1651                                 {
1652                                 *al = SSL_AD_DECODE_ERROR;
1653                                 return 0;
1654                                 }
1655
1656                         s->tlsext_status_type = *data++;
1657                         size--;
1658                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1659                                 {
1660                                 const unsigned char *sdata;
1661                                 int dsize;
1662                                 /* Read in responder_id_list */
1663                                 n2s(data,dsize);
1664                                 size -= 2;
1665                                 if (dsize > size  ) 
1666                                         {
1667                                         *al = SSL_AD_DECODE_ERROR;
1668                                         return 0;
1669                                         }
1670                                 while (dsize > 0)
1671                                         {
1672                                         OCSP_RESPID *id;
1673                                         int idsize;
1674                                         if (dsize < 4)
1675                                                 {
1676                                                 *al = SSL_AD_DECODE_ERROR;
1677                                                 return 0;
1678                                                 }
1679                                         n2s(data, idsize);
1680                                         dsize -= 2 + idsize;
1681                                         size -= 2 + idsize;
1682                                         if (dsize < 0)
1683                                                 {
1684                                                 *al = SSL_AD_DECODE_ERROR;
1685                                                 return 0;
1686                                                 }
1687                                         sdata = data;
1688                                         data += idsize;
1689                                         id = d2i_OCSP_RESPID(NULL,
1690                                                                 &sdata, idsize);
1691                                         if (!id)
1692                                                 {
1693                                                 *al = SSL_AD_DECODE_ERROR;
1694                                                 return 0;
1695                                                 }
1696                                         if (data != sdata)
1697                                                 {
1698                                                 OCSP_RESPID_free(id);
1699                                                 *al = SSL_AD_DECODE_ERROR;
1700                                                 return 0;
1701                                                 }
1702                                         if (!s->tlsext_ocsp_ids
1703                                                 && !(s->tlsext_ocsp_ids =
1704                                                 sk_OCSP_RESPID_new_null()))
1705                                                 {
1706                                                 OCSP_RESPID_free(id);
1707                                                 *al = SSL_AD_INTERNAL_ERROR;
1708                                                 return 0;
1709                                                 }
1710                                         if (!sk_OCSP_RESPID_push(
1711                                                         s->tlsext_ocsp_ids, id))
1712                                                 {
1713                                                 OCSP_RESPID_free(id);
1714                                                 *al = SSL_AD_INTERNAL_ERROR;
1715                                                 return 0;
1716                                                 }
1717                                         }
1718
1719                                 /* Read in request_extensions */
1720                                 if (size < 2)
1721                                         {
1722                                         *al = SSL_AD_DECODE_ERROR;
1723                                         return 0;
1724                                         }
1725                                 n2s(data,dsize);
1726                                 size -= 2;
1727                                 if (dsize != size)
1728                                         {
1729                                         *al = SSL_AD_DECODE_ERROR;
1730                                         return 0;
1731                                         }
1732                                 sdata = data;
1733                                 if (dsize > 0)
1734                                         {
1735                                         if (s->tlsext_ocsp_exts)
1736                                                 {
1737                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1738                                                                            X509_EXTENSION_free);
1739                                                 }
1740
1741                                         s->tlsext_ocsp_exts =
1742                                                 d2i_X509_EXTENSIONS(NULL,
1743                                                         &sdata, dsize);
1744                                         if (!s->tlsext_ocsp_exts
1745                                                 || (data + dsize != sdata))
1746                                                 {
1747                                                 *al = SSL_AD_DECODE_ERROR;
1748                                                 return 0;
1749                                                 }
1750                                         }
1751                                 }
1752                                 /* We don't know what to do with any other type
1753                                 * so ignore it.
1754                                 */
1755                                 else
1756                                         s->tlsext_status_type = -1;
1757                         }
1758 #ifndef OPENSSL_NO_HEARTBEATS
1759                 else if (type == TLSEXT_TYPE_heartbeat)
1760                         {
1761                         switch(data[0])
1762                                 {
1763                                 case 0x01:      /* Client allows us to send HB requests */
1764                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1765                                                         break;
1766                                 case 0x02:      /* Client doesn't accept HB requests */
1767                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1768                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1769                                                         break;
1770                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1771                                                         return 0;
1772                                 }
1773                         }
1774 #endif
1775 #ifndef OPENSSL_NO_NEXTPROTONEG
1776                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1777                          s->s3->tmp.finish_md_len == 0)
1778                         {
1779                         /* We shouldn't accept this extension on a
1780                          * renegotiation.
1781                          *
1782                          * s->new_session will be set on renegotiation, but we
1783                          * probably shouldn't rely that it couldn't be set on
1784                          * the initial renegotation too in certain cases (when
1785                          * there's some other reason to disallow resuming an
1786                          * earlier session -- the current code won't be doing
1787                          * anything like that, but this might change).
1788
1789                          * A valid sign that there's been a previous handshake
1790                          * in this connection is if s->s3->tmp.finish_md_len >
1791                          * 0.  (We are talking about a check that will happen
1792                          * in the Hello protocol round, well before a new
1793                          * Finished message could have been computed.) */
1794                         s->s3->next_proto_neg_seen = 1;
1795                         }
1796 #endif
1797
1798                 /* session ticket processed earlier */
1799                 else if (type == TLSEXT_TYPE_use_srtp)
1800                         {
1801                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1802                                                               al))
1803                                 return 0;
1804                         }
1805
1806                 else if (type == TLSEXT_TYPE_server_authz)
1807                         {
1808                         unsigned char *sdata = data;
1809                         unsigned char server_authz_dataformatlist_length;
1810
1811                         if (size == 0)
1812                                 {
1813                                 *al = TLS1_AD_DECODE_ERROR;
1814                                 return 0;
1815                                 }
1816
1817                         server_authz_dataformatlist_length = *(sdata++);
1818
1819                         if (server_authz_dataformatlist_length != size - 1)
1820                                 {
1821                                 *al = TLS1_AD_DECODE_ERROR;
1822                                 return 0;
1823                                 }
1824
1825                         /* Successful session resumption uses the same authz
1826                          * information as the original session so we ignore this
1827                          * in the case of a session resumption. */
1828                         if (!s->hit)
1829                                 {
1830                                 size_t i;
1831                                 if (s->s3->tlsext_authz_client_types != NULL)
1832                                         OPENSSL_free(s->s3->tlsext_authz_client_types);
1833                                 s->s3->tlsext_authz_client_types =
1834                                         OPENSSL_malloc(server_authz_dataformatlist_length);
1835                                 if (!s->s3->tlsext_authz_client_types)
1836                                         {
1837                                         *al = TLS1_AD_INTERNAL_ERROR;
1838                                         return 0;
1839                                         }
1840
1841                                 s->s3->tlsext_authz_client_types_len =
1842                                         server_authz_dataformatlist_length;
1843                                 memcpy(s->s3->tlsext_authz_client_types,
1844                                        sdata,
1845                                        server_authz_dataformatlist_length);
1846
1847                                 /* Sort the types in order to check for duplicates. */
1848                                 qsort(s->s3->tlsext_authz_client_types,
1849                                       server_authz_dataformatlist_length,
1850                                       1 /* element size */,
1851                                       byte_compare);
1852
1853                                 for (i = 0; i < server_authz_dataformatlist_length; i++)
1854                                         {
1855                                         if (i > 0 &&
1856                                             s->s3->tlsext_authz_client_types[i] ==
1857                                               s->s3->tlsext_authz_client_types[i-1])
1858                                                 {
1859                                                 *al = TLS1_AD_DECODE_ERROR;
1860                                                 return 0;
1861                                                 }
1862                                         }
1863                                 }
1864                         }
1865
1866                 data+=size;
1867                 }
1868
1869         *p = data;
1870
1871         ri_check:
1872
1873         /* Need RI if renegotiating */
1874
1875         if (!renegotiate_seen && s->renegotiate &&
1876                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1877                 {
1878                 *al = SSL_AD_HANDSHAKE_FAILURE;
1879                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1880                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1881                 return 0;
1882                 }
1883         /* If no signature algorithms extension set default values */
1884         if (!s->cert->peer_sigalgs)
1885                 ssl_cert_set_default_md(s->cert);
1886
1887         return 1;
1888         }
1889
1890 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
1891         {
1892         int al = -1;
1893         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
1894                 {
1895                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1896                 return 0;
1897                 }
1898
1899         if (ssl_check_clienthello_tlsext(s) <= 0) 
1900                 {
1901                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
1902                 return 0;
1903                 }
1904         return 1;
1905 }
1906
1907 #ifndef OPENSSL_NO_NEXTPROTONEG
1908 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1909  * elements of zero length are allowed and the set of elements must exactly fill
1910  * the length of the block. */
1911 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1912         {
1913         unsigned int off = 0;
1914
1915         while (off < len)
1916                 {
1917                 if (d[off] == 0)
1918                         return 0;
1919                 off += d[off];
1920                 off++;
1921                 }
1922
1923         return off == len;
1924         }
1925 #endif
1926
1927 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1928         {
1929         unsigned short length;
1930         unsigned short type;
1931         unsigned short size;
1932         unsigned char *data = *p;
1933         int tlsext_servername = 0;
1934         int renegotiate_seen = 0;
1935
1936 #ifndef OPENSSL_NO_NEXTPROTONEG
1937         s->s3->next_proto_neg_seen = 0;
1938 #endif
1939
1940 #ifndef OPENSSL_NO_HEARTBEATS
1941         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1942                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1943 #endif
1944
1945         if (data >= (d+n-2))
1946                 goto ri_check;
1947
1948         n2s(data,length);
1949         if (data+length != d+n)
1950                 {
1951                 *al = SSL_AD_DECODE_ERROR;
1952                 return 0;
1953                 }
1954
1955         while(data <= (d+n-4))
1956                 {
1957                 n2s(data,type);
1958                 n2s(data,size);
1959
1960                 if (data+size > (d+n))
1961                         goto ri_check;
1962
1963                 if (s->tlsext_debug_cb)
1964                         s->tlsext_debug_cb(s, 1, type, data, size,
1965                                                 s->tlsext_debug_arg);
1966
1967                 if (type == TLSEXT_TYPE_server_name)
1968                         {
1969                         if (s->tlsext_hostname == NULL || size > 0)
1970                                 {
1971                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1972                                 return 0;
1973                                 }
1974                         tlsext_servername = 1;   
1975                         }
1976
1977 #ifndef OPENSSL_NO_EC
1978                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1979                      s->version != DTLS1_VERSION)
1980                         {
1981                         unsigned char *sdata = data;
1982                         int ecpointformatlist_length = *(sdata++);
1983
1984                         if (ecpointformatlist_length != size - 1)
1985                                 {
1986                                 *al = TLS1_AD_DECODE_ERROR;
1987                                 return 0;
1988                                 }
1989                         s->session->tlsext_ecpointformatlist_length = 0;
1990                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1991                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1992                                 {
1993                                 *al = TLS1_AD_INTERNAL_ERROR;
1994                                 return 0;
1995                                 }
1996                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1997                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1998 #if 0
1999                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2000                         sdata = s->session->tlsext_ecpointformatlist;
2001                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2002                                 fprintf(stderr,"%i ",*(sdata++));
2003                         fprintf(stderr,"\n");
2004 #endif
2005                         }
2006 #endif /* OPENSSL_NO_EC */
2007
2008                 else if (type == TLSEXT_TYPE_session_ticket)
2009                         {
2010                         if (s->tls_session_ticket_ext_cb &&
2011                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2012                                 {
2013                                 *al = TLS1_AD_INTERNAL_ERROR;
2014                                 return 0;
2015                                 }
2016                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2017                                 || (size > 0))
2018                                 {
2019                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2020                                 return 0;
2021                                 }
2022                         s->tlsext_ticket_expected = 1;
2023                         }
2024 #ifdef TLSEXT_TYPE_opaque_prf_input
2025                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
2026                      s->version != DTLS1_VERSION)
2027                         {
2028                         unsigned char *sdata = data;
2029
2030                         if (size < 2)
2031                                 {
2032                                 *al = SSL_AD_DECODE_ERROR;
2033                                 return 0;
2034                                 }
2035                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2036                         if (s->s3->server_opaque_prf_input_len != size - 2)
2037                                 {
2038                                 *al = SSL_AD_DECODE_ERROR;
2039                                 return 0;
2040                                 }
2041                         
2042                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2043                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2044                         if (s->s3->server_opaque_prf_input_len == 0)
2045                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2046                         else
2047                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2048
2049                         if (s->s3->server_opaque_prf_input == NULL)
2050                                 {
2051                                 *al = TLS1_AD_INTERNAL_ERROR;
2052                                 return 0;
2053                                 }
2054                         }
2055 #endif
2056                 else if (type == TLSEXT_TYPE_status_request &&
2057                          s->version != DTLS1_VERSION)
2058                         {
2059                         /* MUST be empty and only sent if we've requested
2060                          * a status request message.
2061                          */ 
2062                         if ((s->tlsext_status_type == -1) || (size > 0))
2063                                 {
2064                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2065                                 return 0;
2066                                 }
2067                         /* Set flag to expect CertificateStatus message */
2068                         s->tlsext_status_expected = 1;
2069                         }
2070 #ifndef OPENSSL_NO_NEXTPROTONEG
2071                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2072                          s->s3->tmp.finish_md_len == 0)
2073                         {
2074                         unsigned char *selected;
2075                         unsigned char selected_len;
2076
2077                         /* We must have requested it. */
2078                         if ((s->ctx->next_proto_select_cb == NULL))
2079                                 {
2080                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2081                                 return 0;
2082                                 }
2083                         /* The data must be valid */
2084                         if (!ssl_next_proto_validate(data, size))
2085                                 {
2086                                 *al = TLS1_AD_DECODE_ERROR;
2087                                 return 0;
2088                                 }
2089                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2090                                 {
2091                                 *al = TLS1_AD_INTERNAL_ERROR;
2092                                 return 0;
2093                                 }
2094                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2095                         if (!s->next_proto_negotiated)
2096                                 {
2097                                 *al = TLS1_AD_INTERNAL_ERROR;
2098                                 return 0;
2099                                 }
2100                         memcpy(s->next_proto_negotiated, selected, selected_len);
2101                         s->next_proto_negotiated_len = selected_len;
2102                         s->s3->next_proto_neg_seen = 1;
2103                         }
2104 #endif
2105                 else if (type == TLSEXT_TYPE_renegotiate)
2106                         {
2107                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2108                                 return 0;
2109                         renegotiate_seen = 1;
2110                         }
2111 #ifndef OPENSSL_NO_HEARTBEATS
2112                 else if (type == TLSEXT_TYPE_heartbeat)
2113                         {
2114                         switch(data[0])
2115                                 {
2116                                 case 0x01:      /* Server allows us to send HB requests */
2117                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2118                                                         break;
2119                                 case 0x02:      /* Server doesn't accept HB requests */
2120                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2121                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2122                                                         break;
2123                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2124                                                         return 0;
2125                                 }
2126                         }
2127 #endif
2128                 else if (type == TLSEXT_TYPE_use_srtp)
2129                         {
2130                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2131                                                               al))
2132                                 return 0;
2133                         }
2134
2135                 else if (type == TLSEXT_TYPE_server_authz)
2136                         {
2137                         /* We only support audit proofs. It's an error to send
2138                          * an authz hello extension if the client
2139                          * didn't request a proof. */
2140                         unsigned char *sdata = data;
2141                         unsigned char server_authz_dataformatlist_length;
2142
2143                         if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2144                                 {
2145                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2146                                 return 0;
2147                                 }
2148
2149                         if (!size)
2150                                 {
2151                                 *al = TLS1_AD_DECODE_ERROR;
2152                                 return 0;
2153                                 }
2154
2155                         server_authz_dataformatlist_length = *(sdata++);
2156                         if (server_authz_dataformatlist_length != size - 1)
2157                                 {
2158                                 *al = TLS1_AD_DECODE_ERROR;
2159                                 return 0;
2160                                 }
2161
2162                         /* We only support audit proofs, so a legal ServerHello
2163                          * authz list contains exactly one entry. */
2164                         if (server_authz_dataformatlist_length != 1 ||
2165                                 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2166                                 {
2167                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2168                                 return 0;
2169                                 }
2170
2171                         s->s3->tlsext_authz_server_promised = 1;
2172                         }
2173  
2174                 data += size;
2175                 }
2176
2177         if (data != d+n)
2178                 {
2179                 *al = SSL_AD_DECODE_ERROR;
2180                 return 0;
2181                 }
2182
2183         if (!s->hit && tlsext_servername == 1)
2184                 {
2185                 if (s->tlsext_hostname)
2186                         {
2187                         if (s->session->tlsext_hostname == NULL)
2188                                 {
2189                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2190                                 if (!s->session->tlsext_hostname)
2191                                         {
2192                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2193                                         return 0;
2194                                         }
2195                                 }
2196                         else 
2197                                 {
2198                                 *al = SSL_AD_DECODE_ERROR;
2199                                 return 0;
2200                                 }
2201                         }
2202                 }
2203
2204         *p = data;
2205
2206         ri_check:
2207
2208         /* Determine if we need to see RI. Strictly speaking if we want to
2209          * avoid an attack we should *always* see RI even on initial server
2210          * hello because the client doesn't see any renegotiation during an
2211          * attack. However this would mean we could not connect to any server
2212          * which doesn't support RI so for the immediate future tolerate RI
2213          * absence on initial connect only.
2214          */
2215         if (!renegotiate_seen
2216                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2217                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2218                 {
2219                 *al = SSL_AD_HANDSHAKE_FAILURE;
2220                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2221                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2222                 return 0;
2223                 }
2224
2225         return 1;
2226         }
2227
2228
2229 int ssl_prepare_clienthello_tlsext(SSL *s)
2230         {
2231
2232 #ifdef TLSEXT_TYPE_opaque_prf_input
2233         {
2234                 int r = 1;
2235         
2236                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2237                         {
2238                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2239                         if (!r)
2240                                 return -1;
2241                         }
2242
2243                 if (s->tlsext_opaque_prf_input != NULL)
2244                         {
2245                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2246                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2247
2248                         if (s->tlsext_opaque_prf_input_len == 0)
2249                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2250                         else
2251                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2252                         if (s->s3->client_opaque_prf_input == NULL)
2253                                 {
2254                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2255                                 return -1;
2256                                 }
2257                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2258                         }
2259
2260                 if (r == 2)
2261                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2262                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2263         }
2264 #endif
2265
2266         return 1;
2267         }
2268
2269 int ssl_prepare_serverhello_tlsext(SSL *s)
2270         {
2271 #ifndef OPENSSL_NO_EC
2272         /* If we are server and using an ECC cipher suite, send the point formats we support 
2273          * if the client sent us an ECPointsFormat extension.  Note that the server is not
2274          * supposed to send an EllipticCurves extension.
2275          */
2276
2277         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2278         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2279         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
2280         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
2281         
2282         if (using_ecc)
2283                 {
2284                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
2285                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
2286                         {
2287                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2288                         return -1;
2289                         }
2290                 s->tlsext_ecpointformatlist_length = 3;
2291                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
2292                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
2293                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2294                 }
2295 #endif /* OPENSSL_NO_EC */
2296
2297         return 1;
2298         }
2299
2300 static int ssl_check_clienthello_tlsext(SSL *s)
2301         {
2302         int ret=SSL_TLSEXT_ERR_NOACK;
2303         int al = SSL_AD_UNRECOGNIZED_NAME;
2304
2305 #ifndef OPENSSL_NO_EC
2306         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2307          * ssl3_choose_cipher in s3_lib.c.
2308          */
2309         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2310          * ssl3_choose_cipher in s3_lib.c.
2311          */
2312 #endif
2313
2314         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2315                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2316         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2317                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2318
2319         /* If status request then ask callback what to do.
2320          * Note: this must be called after servername callbacks in case 
2321          * the certificate has changed.
2322          */
2323         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2324                 {
2325                 int r;
2326                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2327                 switch (r)
2328                         {
2329                         /* We don't want to send a status request response */
2330                         case SSL_TLSEXT_ERR_NOACK:
2331                                 s->tlsext_status_expected = 0;
2332                                 break;
2333                         /* status request response should be sent */
2334                         case SSL_TLSEXT_ERR_OK:
2335                                 if (s->tlsext_ocsp_resp)
2336                                         s->tlsext_status_expected = 1;
2337                                 else
2338                                         s->tlsext_status_expected = 0;
2339                                 break;
2340                         /* something bad happened */
2341                         case SSL_TLSEXT_ERR_ALERT_FATAL:
2342                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2343                                 al = SSL_AD_INTERNAL_ERROR;
2344                                 goto err;
2345                         }
2346                 }
2347         else
2348                 s->tlsext_status_expected = 0;
2349
2350 #ifdef TLSEXT_TYPE_opaque_prf_input
2351         {
2352                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2353                  * but we might be sending an alert in response to the client hello,
2354                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
2355
2356                 int r = 1;
2357         
2358                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2359                         {
2360                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2361                         if (!r)
2362                                 {
2363                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2364                                 al = SSL_AD_INTERNAL_ERROR;
2365                                 goto err;
2366                                 }
2367                         }
2368
2369                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2370                         OPENSSL_free(s->s3->server_opaque_prf_input);
2371                 s->s3->server_opaque_prf_input = NULL;
2372
2373                 if (s->tlsext_opaque_prf_input != NULL)
2374                         {
2375                         if (s->s3->client_opaque_prf_input != NULL &&
2376                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2377                                 {
2378                                 /* can only use this extension if we have a server opaque PRF input
2379                                  * of the same length as the client opaque PRF input! */
2380
2381                                 if (s->tlsext_opaque_prf_input_len == 0)
2382                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2383                                 else
2384                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2385                                 if (s->s3->server_opaque_prf_input == NULL)
2386                                         {
2387                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2388                                         al = SSL_AD_INTERNAL_ERROR;
2389                                         goto err;
2390                                         }
2391                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2392                                 }
2393                         }
2394
2395                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2396                         {
2397                         /* The callback wants to enforce use of the extension,
2398                          * but we can't do that with the client opaque PRF input;
2399                          * abort the handshake.
2400                          */
2401                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2402                         al = SSL_AD_HANDSHAKE_FAILURE;
2403                         }
2404         }
2405
2406 #endif
2407  err:
2408         switch (ret)
2409                 {
2410                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2411                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2412                         return -1;
2413
2414                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2415                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2416                         return 1; 
2417                                         
2418                 case SSL_TLSEXT_ERR_NOACK:
2419                         s->servername_done=0;
2420                         default:
2421                 return 1;
2422                 }
2423         }
2424
2425 int ssl_check_serverhello_tlsext(SSL *s)
2426         {
2427         int ret=SSL_TLSEXT_ERR_NOACK;
2428         int al = SSL_AD_UNRECOGNIZED_NAME;
2429
2430 #ifndef OPENSSL_NO_EC
2431         /* If we are client and using an elliptic curve cryptography cipher
2432          * suite, then if server returns an EC point formats lists extension
2433          * it must contain uncompressed.
2434          */
2435         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2436         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2437         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
2438             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
2439             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2440                 {
2441                 /* we are using an ECC cipher */
2442                 size_t i;
2443                 unsigned char *list;
2444                 int found_uncompressed = 0;
2445                 list = s->session->tlsext_ecpointformatlist;
2446                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2447                         {
2448                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2449                                 {
2450                                 found_uncompressed = 1;
2451                                 break;
2452                                 }
2453                         }
2454                 if (!found_uncompressed)
2455                         {
2456                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2457                         return -1;
2458                         }
2459                 }
2460         ret = SSL_TLSEXT_ERR_OK;
2461 #endif /* OPENSSL_NO_EC */
2462
2463         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2464                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2465         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2466                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2467
2468 #ifdef TLSEXT_TYPE_opaque_prf_input
2469         if (s->s3->server_opaque_prf_input_len > 0)
2470                 {
2471                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2472                  * So first verify that we really have a value from the server too. */
2473
2474                 if (s->s3->server_opaque_prf_input == NULL)
2475                         {
2476                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2477                         al = SSL_AD_HANDSHAKE_FAILURE;
2478                         }
2479                 
2480                 /* Anytime the server *has* sent an opaque PRF input, we need to check
2481                  * that we have a client opaque PRF input of the same size. */
2482                 if (s->s3->client_opaque_prf_input == NULL ||
2483                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2484                         {
2485                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2486                         al = SSL_AD_ILLEGAL_PARAMETER;
2487                         }
2488                 }
2489 #endif
2490
2491         /* If we've requested certificate status and we wont get one
2492          * tell the callback
2493          */
2494         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2495                         && s->ctx && s->ctx->tlsext_status_cb)
2496                 {
2497                 int r;
2498                 /* Set resp to NULL, resplen to -1 so callback knows
2499                  * there is no response.
2500                  */
2501                 if (s->tlsext_ocsp_resp)
2502                         {
2503                         OPENSSL_free(s->tlsext_ocsp_resp);
2504                         s->tlsext_ocsp_resp = NULL;
2505                         }
2506                 s->tlsext_ocsp_resplen = -1;
2507                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2508                 if (r == 0)
2509                         {
2510                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2511                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2512                         }
2513                 if (r < 0)
2514                         {
2515                         al = SSL_AD_INTERNAL_ERROR;
2516                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2517                         }
2518                 }
2519
2520         switch (ret)
2521                 {
2522                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2523                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2524                         return -1;
2525
2526                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2527                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2528                         return 1; 
2529                                         
2530                 case SSL_TLSEXT_ERR_NOACK:
2531                         s->servername_done=0;
2532                         default:
2533                 return 1;
2534                 }
2535         }
2536
2537 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2538         {
2539         int al = -1;
2540         if (s->version < SSL3_VERSION)
2541                 return 1;
2542         if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
2543                 {
2544                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2545                 return 0;
2546                 }
2547
2548         if (ssl_check_serverhello_tlsext(s) <= 0) 
2549                 {
2550                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
2551                 return 0;
2552                 }
2553         return 1;
2554 }
2555
2556 /* Since the server cache lookup is done early on in the processing of the
2557  * ClientHello, and other operations depend on the result, we need to handle
2558  * any TLS session ticket extension at the same time.
2559  *
2560  *   session_id: points at the session ID in the ClientHello. This code will
2561  *       read past the end of this in order to parse out the session ticket
2562  *       extension, if any.
2563  *   len: the length of the session ID.
2564  *   limit: a pointer to the first byte after the ClientHello.
2565  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2566  *       point to the resulting session.
2567  *
2568  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2569  * ciphersuite, in which case we have no use for session tickets and one will
2570  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2571  *
2572  * Returns:
2573  *   -1: fatal error, either from parsing or decrypting the ticket.
2574  *    0: no ticket was found (or was ignored, based on settings).
2575  *    1: a zero length extension was found, indicating that the client supports
2576  *       session tickets but doesn't currently have one to offer.
2577  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2578  *       couldn't be decrypted because of a non-fatal error.
2579  *    3: a ticket was successfully decrypted and *ret was set.
2580  *
2581  * Side effects:
2582  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2583  *   a new session ticket to the client because the client indicated support
2584  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2585  *   a session ticket or we couldn't use the one it gave us, or if
2586  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2587  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2588  */
2589 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2590                         const unsigned char *limit, SSL_SESSION **ret)
2591         {
2592         /* Point after session ID in client hello */
2593         const unsigned char *p = session_id + len;
2594         unsigned short i;
2595
2596         *ret = NULL;
2597         s->tlsext_ticket_expected = 0;
2598
2599         /* If tickets disabled behave as if no ticket present
2600          * to permit stateful resumption.
2601          */
2602         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2603                 return 0;
2604         if ((s->version <= SSL3_VERSION) || !limit)
2605                 return 0;
2606         if (p >= limit)
2607                 return -1;
2608         /* Skip past DTLS cookie */
2609         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2610                 {
2611                 i = *(p++);
2612                 p+= i;
2613                 if (p >= limit)
2614                         return -1;
2615                 }
2616         /* Skip past cipher list */
2617         n2s(p, i);
2618         p+= i;
2619         if (p >= limit)
2620                 return -1;
2621         /* Skip past compression algorithm list */
2622         i = *(p++);
2623         p += i;
2624         if (p > limit)
2625                 return -1;
2626         /* Now at start of extensions */
2627         if ((p + 2) >= limit)
2628                 return 0;
2629         n2s(p, i);
2630         while ((p + 4) <= limit)
2631                 {
2632                 unsigned short type, size;
2633                 n2s(p, type);
2634                 n2s(p, size);
2635                 if (p + size > limit)
2636                         return 0;
2637                 if (type == TLSEXT_TYPE_session_ticket)
2638                         {
2639                         int r;
2640                         if (size == 0)
2641                                 {
2642                                 /* The client will accept a ticket but doesn't
2643                                  * currently have one. */
2644                                 s->tlsext_ticket_expected = 1;
2645                                 return 1;
2646                                 }
2647                         if (s->tls_session_secret_cb)
2648                                 {
2649                                 /* Indicate that the ticket couldn't be
2650                                  * decrypted rather than generating the session
2651                                  * from ticket now, trigger abbreviated
2652                                  * handshake based on external mechanism to
2653                                  * calculate the master secret later. */
2654                                 return 2;
2655                                 }
2656                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2657                         switch (r)
2658                                 {
2659                                 case 2: /* ticket couldn't be decrypted */
2660                                         s->tlsext_ticket_expected = 1;
2661                                         return 2;
2662                                 case 3: /* ticket was decrypted */
2663                                         return r;
2664                                 case 4: /* ticket decrypted but need to renew */
2665                                         s->tlsext_ticket_expected = 1;
2666                                         return 3;
2667                                 default: /* fatal error */
2668                                         return -1;
2669                                 }
2670                         }
2671                 p += size;
2672                 }
2673         return 0;
2674         }
2675
2676 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2677  *
2678  *   etick: points to the body of the session ticket extension.
2679  *   eticklen: the length of the session tickets extenion.
2680  *   sess_id: points at the session ID.
2681  *   sesslen: the length of the session ID.
2682  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2683  *       point to the resulting session.
2684  *
2685  * Returns:
2686  *   -1: fatal error, either from parsing or decrypting the ticket.
2687  *    2: the ticket couldn't be decrypted.
2688  *    3: a ticket was successfully decrypted and *psess was set.
2689  *    4: same as 3, but the ticket needs to be renewed.
2690  */
2691 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2692                                 const unsigned char *sess_id, int sesslen,
2693                                 SSL_SESSION **psess)
2694         {
2695         SSL_SESSION *sess;
2696         unsigned char *sdec;
2697         const unsigned char *p;
2698         int slen, mlen, renew_ticket = 0;
2699         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2700         HMAC_CTX hctx;
2701         EVP_CIPHER_CTX ctx;
2702         SSL_CTX *tctx = s->initial_ctx;
2703         /* Need at least keyname + iv + some encrypted data */
2704         if (eticklen < 48)
2705                 return 2;
2706         /* Initialize session ticket encryption and HMAC contexts */
2707         HMAC_CTX_init(&hctx);
2708         EVP_CIPHER_CTX_init(&ctx);
2709         if (tctx->tlsext_ticket_key_cb)
2710                 {
2711                 unsigned char *nctick = (unsigned char *)etick;
2712                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2713                                                         &ctx, &hctx, 0);
2714                 if (rv < 0)
2715                         return -1;
2716                 if (rv == 0)
2717                         return 2;
2718                 if (rv == 2)
2719                         renew_ticket = 1;
2720                 }
2721         else
2722                 {
2723                 /* Check key name matches */
2724                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2725                         return 2;
2726                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2727                                         tlsext_tick_md(), NULL);
2728                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2729                                 tctx->tlsext_tick_aes_key, etick + 16);
2730                 }
2731         /* Attempt to process session ticket, first conduct sanity and
2732          * integrity checks on ticket.
2733          */
2734         mlen = HMAC_size(&hctx);
2735         if (mlen < 0)
2736                 {
2737                 EVP_CIPHER_CTX_cleanup(&ctx);
2738                 return -1;
2739                 }
2740         eticklen -= mlen;
2741         /* Check HMAC of encrypted ticket */
2742         HMAC_Update(&hctx, etick, eticklen);
2743         HMAC_Final(&hctx, tick_hmac, NULL);
2744         HMAC_CTX_cleanup(&hctx);
2745         if (memcmp(tick_hmac, etick + eticklen, mlen))
2746                 return 2;
2747         /* Attempt to decrypt session data */
2748         /* Move p after IV to start of encrypted ticket, update length */
2749         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2750         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2751         sdec = OPENSSL_malloc(eticklen);
2752         if (!sdec)
2753                 {
2754                 EVP_CIPHER_CTX_cleanup(&ctx);
2755                 return -1;
2756                 }
2757         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2758         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2759                 return 2;
2760         slen += mlen;
2761         EVP_CIPHER_CTX_cleanup(&ctx);
2762         p = sdec;
2763
2764         sess = d2i_SSL_SESSION(NULL, &p, slen);
2765         OPENSSL_free(sdec);
2766         if (sess)
2767                 {
2768                 /* The session ID, if non-empty, is used by some clients to
2769                  * detect that the ticket has been accepted. So we copy it to
2770                  * the session structure. If it is empty set length to zero
2771                  * as required by standard.
2772                  */
2773                 if (sesslen)
2774                         memcpy(sess->session_id, sess_id, sesslen);
2775                 sess->session_id_length = sesslen;
2776                 *psess = sess;
2777                 if (renew_ticket)
2778                         return 4;
2779                 else
2780                         return 3;
2781                 }
2782         ERR_clear_error();
2783         /* For session parse failure, indicate that we need to send a new
2784          * ticket. */
2785         return 2;
2786         }
2787
2788 /* Tables to translate from NIDs to TLS v1.2 ids */
2789
2790 typedef struct 
2791         {
2792         int nid;
2793         int id;
2794         } tls12_lookup;
2795
2796 static tls12_lookup tls12_md[] = {
2797         {NID_md5, TLSEXT_hash_md5},
2798         {NID_sha1, TLSEXT_hash_sha1},
2799         {NID_sha224, TLSEXT_hash_sha224},
2800         {NID_sha256, TLSEXT_hash_sha256},
2801         {NID_sha384, TLSEXT_hash_sha384},
2802         {NID_sha512, TLSEXT_hash_sha512}
2803 };
2804
2805 static tls12_lookup tls12_sig[] = {
2806         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2807         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2808         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2809 };
2810
2811 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2812         {
2813         size_t i;
2814         for (i = 0; i < tlen; i++)
2815                 {
2816                 if (table[i].nid == nid)
2817                         return table[i].id;
2818                 }
2819         return -1;
2820         }
2821
2822 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2823         {
2824         size_t i;
2825         for (i = 0; i < tlen; i++)
2826                 {
2827                 if ((table[i].id) == id)
2828                         return table[i].nid;
2829                 }
2830         return NID_undef;
2831         }
2832
2833 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2834         {
2835         int sig_id, md_id;
2836         if (!md)
2837                 return 0;
2838         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2839                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2840         if (md_id == -1)
2841                 return 0;
2842         sig_id = tls12_get_sigid(pk);
2843         if (sig_id == -1)
2844                 return 0;
2845         p[0] = (unsigned char)md_id;
2846         p[1] = (unsigned char)sig_id;
2847         return 1;
2848         }
2849
2850 int tls12_get_sigid(const EVP_PKEY *pk)
2851         {
2852         return tls12_find_id(pk->type, tls12_sig,
2853                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2854         }
2855
2856 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2857         {
2858         switch(hash_alg)
2859                 {
2860 #ifndef OPENSSL_NO_MD5
2861                 case TLSEXT_hash_md5:
2862 #ifdef OPENSSL_FIPS
2863                 if (FIPS_mode())
2864                         return NULL;
2865 #endif
2866                 return EVP_md5();
2867 #endif
2868 #ifndef OPENSSL_NO_SHA
2869                 case TLSEXT_hash_sha1:
2870                 return EVP_sha1();
2871 #endif
2872 #ifndef OPENSSL_NO_SHA256
2873                 case TLSEXT_hash_sha224:
2874                 return EVP_sha224();
2875
2876                 case TLSEXT_hash_sha256:
2877                 return EVP_sha256();
2878 #endif
2879 #ifndef OPENSSL_NO_SHA512
2880                 case TLSEXT_hash_sha384:
2881                 return EVP_sha384();
2882
2883                 case TLSEXT_hash_sha512:
2884                 return EVP_sha512();
2885 #endif
2886                 default:
2887                 return NULL;
2888
2889                 }
2890         }
2891
2892 static int tls12_get_pkey_idx(unsigned char sig_alg)
2893         {
2894         switch(sig_alg)
2895                 {
2896 #ifndef OPENSSL_NO_RSA
2897         case TLSEXT_signature_rsa:
2898                 return SSL_PKEY_RSA_SIGN;
2899 #endif
2900 #ifndef OPENSSL_NO_DSA
2901         case TLSEXT_signature_dsa:
2902                 return SSL_PKEY_DSA_SIGN;
2903 #endif
2904 #ifndef OPENSSL_NO_ECDSA
2905         case TLSEXT_signature_ecdsa:
2906                 return SSL_PKEY_ECC;
2907 #endif
2908                 }
2909         return -1;
2910         }
2911
2912 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
2913 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
2914                         int *psignhash_nid, const unsigned char *data)
2915         {
2916         int sign_nid, hash_nid;
2917         if (!phash_nid && !psign_nid && !psignhash_nid)
2918                 return;
2919         if (phash_nid || psignhash_nid)
2920                 {
2921                 hash_nid = tls12_find_nid(data[0], tls12_md,
2922                                         sizeof(tls12_md)/sizeof(tls12_lookup));
2923                 if (phash_nid)
2924                         *phash_nid = hash_nid;
2925                 }
2926         if (psign_nid || psignhash_nid)
2927                 {
2928                 sign_nid = tls12_find_nid(data[1], tls12_sig,
2929                                         sizeof(tls12_sig)/sizeof(tls12_lookup));
2930                 if (psign_nid)
2931                         *psign_nid = sign_nid;
2932                 }
2933         if (psignhash_nid)
2934                 {
2935                 if (sign_nid && hash_nid)
2936                         OBJ_find_sigid_by_algs(psignhash_nid,
2937                                                         hash_nid, sign_nid);
2938                 else
2939                         *psignhash_nid = NID_undef;
2940                 }
2941         }
2942 /* Given preference and allowed sigalgs set shared sigalgs */
2943 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
2944                                 const unsigned char *pref, size_t preflen,
2945                                 const unsigned char *allow, size_t allowlen)
2946         {
2947         const unsigned char *ptmp, *atmp;
2948         size_t i, j, nmatch = 0;
2949         for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
2950                 {
2951                 /* Skip disabled hashes or signature algorithms */
2952                 if (tls12_get_hash(ptmp[0]) == NULL)
2953                         continue;
2954                 if (tls12_get_pkey_idx(ptmp[1]) == -1)
2955                         continue;
2956                 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
2957                         {
2958                         if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
2959                                 {
2960                                 nmatch++;
2961                                 if (shsig)
2962                                         {
2963                                         shsig->rhash = ptmp[0];
2964                                         shsig->rsign = ptmp[1];
2965                                         tls1_lookup_sigalg(&shsig->hash_nid,
2966                                                 &shsig->sign_nid,
2967                                                 &shsig->signandhash_nid,
2968                                                 ptmp);
2969                                         shsig++;
2970                                         }
2971                                 break;
2972                                 }
2973                         }
2974                 }
2975         return nmatch;
2976         }
2977
2978 /* Set shared signature algorithms for SSL structures */
2979 static int tls1_set_shared_sigalgs(SSL *s)
2980         {
2981         const unsigned char *pref, *allow, *conf;
2982         size_t preflen, allowlen, conflen;
2983         size_t nmatch;
2984         TLS_SIGALGS *salgs = NULL;
2985         CERT *c = s->cert;
2986         conf = c->conf_sigalgs;
2987         if (conf)
2988                 conflen = c->conf_sigalgslen;
2989         else
2990                 {
2991                 conf = tls12_sigalgs;
2992                 conflen = sizeof(tls12_sigalgs);
2993 #ifdef OPENSSL_FIPS
2994                 if (FIPS_mode())
2995                         conflen -= 2;
2996 #endif
2997                 }
2998         if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
2999                 {
3000                 pref = conf;
3001                 preflen = conflen;
3002                 allow = c->peer_sigalgs;
3003                 allowlen = c->peer_sigalgslen;
3004                 }
3005         else
3006                 {
3007                 allow = conf;
3008                 allowlen = conflen;
3009                 pref = c->peer_sigalgs;
3010                 preflen = c->peer_sigalgslen;
3011                 }
3012         nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3013         if (!nmatch)
3014                 return 1;
3015         salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3016         if (!salgs)
3017                 return 0;
3018         nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3019         c->shared_sigalgs = salgs;
3020         c->shared_sigalgslen = nmatch;
3021         return 1;
3022         }
3023                 
3024
3025 /* Set preferred digest for each key type */
3026
3027 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
3028         {
3029         int idx;
3030         size_t i;
3031         const EVP_MD *md;
3032         CERT *c = s->cert;
3033         TLS_SIGALGS *sigptr;
3034         /* Extension ignored for TLS versions below 1.2 */
3035         if (TLS1_get_version(s) < TLS1_2_VERSION)
3036                 return 1;
3037         /* Should never happen */
3038         if (!c)
3039                 return 0;
3040
3041         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
3042         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
3043         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
3044         c->pkeys[SSL_PKEY_ECC].digest = NULL;
3045
3046         c->peer_sigalgs = OPENSSL_malloc(dsize);
3047         if (!c->peer_sigalgs)
3048                 return 0;
3049         c->peer_sigalgslen = dsize;
3050         memcpy(c->peer_sigalgs, data, dsize);
3051
3052         tls1_set_shared_sigalgs(s);
3053
3054         for (i = 0, sigptr = c->shared_sigalgs;
3055                         i < c->shared_sigalgslen; i++, sigptr++)
3056                 {
3057                 idx = tls12_get_pkey_idx(sigptr->rsign);
3058                 if (idx > 0 && c->pkeys[idx].digest == NULL)
3059                         {
3060                         md = tls12_get_hash(sigptr->rhash);
3061                         c->pkeys[idx].digest = md;
3062                         if (idx == SSL_PKEY_RSA_SIGN)
3063                                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3064                         }
3065
3066                 }
3067         /* In strict mode leave unset digests as NULL to indicate we can't
3068          * use the certificate for signing.