Process signature algorithms before deciding on certificate.
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #ifndef OPENSSL_NO_DH
119 #include <openssl/dh.h>
120 #include <openssl/bn.h>
121 #endif
122 #include "ssl_locl.h"
123
124 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
125
126 #ifndef OPENSSL_NO_TLSEXT
127 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
128                                 const unsigned char *sess_id, int sesslen,
129                                 SSL_SESSION **psess);
130 static int ssl_check_clienthello_tlsext_early(SSL *s);
131 int ssl_check_serverhello_tlsext(SSL *s);
132 #endif
133
134 SSL3_ENC_METHOD const TLSv1_enc_data={
135         tls1_enc,
136         tls1_mac,
137         tls1_setup_key_block,
138         tls1_generate_master_secret,
139         tls1_change_cipher_state,
140         tls1_final_finish_mac,
141         TLS1_FINISH_MAC_LENGTH,
142         tls1_cert_verify_mac,
143         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
144         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
145         tls1_alert_code,
146         tls1_export_keying_material,
147         0,
148         SSL3_HM_HEADER_LENGTH,
149         ssl3_set_handshake_header,
150         ssl3_handshake_write
151         };
152
153 SSL3_ENC_METHOD const TLSv1_1_enc_data={
154         tls1_enc,
155         tls1_mac,
156         tls1_setup_key_block,
157         tls1_generate_master_secret,
158         tls1_change_cipher_state,
159         tls1_final_finish_mac,
160         TLS1_FINISH_MAC_LENGTH,
161         tls1_cert_verify_mac,
162         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
163         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
164         tls1_alert_code,
165         tls1_export_keying_material,
166         SSL_ENC_FLAG_EXPLICIT_IV,
167         SSL3_HM_HEADER_LENGTH,
168         ssl3_set_handshake_header,
169         ssl3_handshake_write
170         };
171
172 SSL3_ENC_METHOD const TLSv1_2_enc_data={
173         tls1_enc,
174         tls1_mac,
175         tls1_setup_key_block,
176         tls1_generate_master_secret,
177         tls1_change_cipher_state,
178         tls1_final_finish_mac,
179         TLS1_FINISH_MAC_LENGTH,
180         tls1_cert_verify_mac,
181         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
182         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
183         tls1_alert_code,
184         tls1_export_keying_material,
185         SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
186                 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
187         SSL3_HM_HEADER_LENGTH,
188         ssl3_set_handshake_header,
189         ssl3_handshake_write
190         };
191
192 long tls1_default_timeout(void)
193         {
194         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
195          * is way too long for http, the cache would over fill */
196         return(60*60*2);
197         }
198
199 int tls1_new(SSL *s)
200         {
201         if (!ssl3_new(s)) return(0);
202         s->method->ssl_clear(s);
203         return(1);
204         }
205
206 void tls1_free(SSL *s)
207         {
208 #ifndef OPENSSL_NO_TLSEXT
209         if (s->tlsext_session_ticket)
210                 {
211                 OPENSSL_free(s->tlsext_session_ticket);
212                 }
213 #endif /* OPENSSL_NO_TLSEXT */
214         ssl3_free(s);
215         }
216
217 void tls1_clear(SSL *s)
218         {
219         ssl3_clear(s);
220         s->version = s->method->version;
221         }
222
223 #ifndef OPENSSL_NO_EC
224
225 typedef struct
226         {
227         int nid;                /* Curve NID */
228         int secbits;            /* Bits of security (from SP800-57) */
229         unsigned int flags;     /* Flags: currently just field type */
230         } tls_curve_info;
231
232 #define TLS_CURVE_CHAR2         0x1
233 #define TLS_CURVE_PRIME         0x0
234
235 static const tls_curve_info nid_list[] =
236         {
237                 {NID_sect163k1, 80, TLS_CURVE_CHAR2},/* sect163k1 (1) */
238                 {NID_sect163r1, 80, TLS_CURVE_CHAR2},/* sect163r1 (2) */
239                 {NID_sect163r2, 80, TLS_CURVE_CHAR2},/* sect163r2 (3) */
240                 {NID_sect193r1, 80, TLS_CURVE_CHAR2},/* sect193r1 (4) */ 
241                 {NID_sect193r2, 80, TLS_CURVE_CHAR2},/* sect193r2 (5) */ 
242                 {NID_sect233k1, 112, TLS_CURVE_CHAR2},/* sect233k1 (6) */
243                 {NID_sect233r1, 112, TLS_CURVE_CHAR2},/* sect233r1 (7) */ 
244                 {NID_sect239k1, 112, TLS_CURVE_CHAR2},/* sect239k1 (8) */ 
245                 {NID_sect283k1, 128, TLS_CURVE_CHAR2},/* sect283k1 (9) */
246                 {NID_sect283r1, 128, TLS_CURVE_CHAR2},/* sect283r1 (10) */ 
247                 {NID_sect409k1, 192, TLS_CURVE_CHAR2},/* sect409k1 (11) */ 
248                 {NID_sect409r1, 192, TLS_CURVE_CHAR2},/* sect409r1 (12) */
249                 {NID_sect571k1, 256, TLS_CURVE_CHAR2},/* sect571k1 (13) */ 
250                 {NID_sect571r1, 256, TLS_CURVE_CHAR2},/* sect571r1 (14) */ 
251                 {NID_secp160k1, 80, TLS_CURVE_PRIME},/* secp160k1 (15) */
252                 {NID_secp160r1, 80, TLS_CURVE_PRIME},/* secp160r1 (16) */ 
253                 {NID_secp160r2, 80, TLS_CURVE_PRIME},/* secp160r2 (17) */ 
254                 {NID_secp192k1, 80, TLS_CURVE_PRIME},/* secp192k1 (18) */
255                 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME},/* secp192r1 (19) */ 
256                 {NID_secp224k1, 112, TLS_CURVE_PRIME},/* secp224k1 (20) */ 
257                 {NID_secp224r1, 112, TLS_CURVE_PRIME},/* secp224r1 (21) */
258                 {NID_secp256k1, 128, TLS_CURVE_PRIME},/* secp256k1 (22) */ 
259                 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME},/* secp256r1 (23) */ 
260                 {NID_secp384r1, 192, TLS_CURVE_PRIME},/* secp384r1 (24) */
261                 {NID_secp521r1, 256, TLS_CURVE_PRIME},/* secp521r1 (25) */      
262                 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ 
263                 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ 
264                 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME},/* brainpool512r1 (28) */   
265         };
266
267
268 static const unsigned char ecformats_default[] = 
269         {
270         TLSEXT_ECPOINTFORMAT_uncompressed,
271         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
272         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
273         };
274
275 static const unsigned char eccurves_default[] =
276         {
277                 0,14, /* sect571r1 (14) */ 
278                 0,13, /* sect571k1 (13) */ 
279                 0,25, /* secp521r1 (25) */      
280                 0,28, /* brainpool512r1 (28) */ 
281                 0,11, /* sect409k1 (11) */ 
282                 0,12, /* sect409r1 (12) */
283                 0,27, /* brainpoolP384r1 (27) */        
284                 0,24, /* secp384r1 (24) */
285                 0,9,  /* sect283k1 (9) */
286                 0,10, /* sect283r1 (10) */ 
287                 0,26, /* brainpoolP256r1 (26) */        
288                 0,22, /* secp256k1 (22) */ 
289                 0,23, /* secp256r1 (23) */ 
290                 0,8,  /* sect239k1 (8) */ 
291                 0,6,  /* sect233k1 (6) */
292                 0,7,  /* sect233r1 (7) */ 
293                 0,20, /* secp224k1 (20) */ 
294                 0,21, /* secp224r1 (21) */
295                 0,4,  /* sect193r1 (4) */ 
296                 0,5,  /* sect193r2 (5) */ 
297                 0,18, /* secp192k1 (18) */
298                 0,19, /* secp192r1 (19) */ 
299                 0,1,  /* sect163k1 (1) */
300                 0,2,  /* sect163r1 (2) */
301                 0,3,  /* sect163r2 (3) */
302                 0,15, /* secp160k1 (15) */
303                 0,16, /* secp160r1 (16) */ 
304                 0,17, /* secp160r2 (17) */ 
305         };
306
307 static const unsigned char suiteb_curves[] =
308         {
309                 0, TLSEXT_curve_P_256,
310                 0, TLSEXT_curve_P_384
311         };
312
313 int tls1_ec_curve_id2nid(int curve_id)
314         {
315         /* ECC curves from RFC 4492 and RFC 7027 */
316         if ((curve_id < 1) || ((unsigned int)curve_id >
317                                 sizeof(nid_list)/sizeof(nid_list[0])))
318                 return 0;
319         return nid_list[curve_id-1].nid;
320         }
321
322 int tls1_ec_nid2curve_id(int nid)
323         {
324         /* ECC curves from RFC 4492 and RFC 7027 */
325         switch (nid)
326                 {
327         case NID_sect163k1: /* sect163k1 (1) */
328                 return 1;
329         case NID_sect163r1: /* sect163r1 (2) */
330                 return 2;
331         case NID_sect163r2: /* sect163r2 (3) */
332                 return 3;
333         case NID_sect193r1: /* sect193r1 (4) */ 
334                 return 4;
335         case NID_sect193r2: /* sect193r2 (5) */ 
336                 return 5;
337         case NID_sect233k1: /* sect233k1 (6) */
338                 return 6;
339         case NID_sect233r1: /* sect233r1 (7) */ 
340                 return 7;
341         case NID_sect239k1: /* sect239k1 (8) */ 
342                 return 8;
343         case NID_sect283k1: /* sect283k1 (9) */
344                 return 9;
345         case NID_sect283r1: /* sect283r1 (10) */ 
346                 return 10;
347         case NID_sect409k1: /* sect409k1 (11) */ 
348                 return 11;
349         case NID_sect409r1: /* sect409r1 (12) */
350                 return 12;
351         case NID_sect571k1: /* sect571k1 (13) */ 
352                 return 13;
353         case NID_sect571r1: /* sect571r1 (14) */ 
354                 return 14;
355         case NID_secp160k1: /* secp160k1 (15) */
356                 return 15;
357         case NID_secp160r1: /* secp160r1 (16) */ 
358                 return 16;
359         case NID_secp160r2: /* secp160r2 (17) */ 
360                 return 17;
361         case NID_secp192k1: /* secp192k1 (18) */
362                 return 18;
363         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
364                 return 19;
365         case NID_secp224k1: /* secp224k1 (20) */ 
366                 return 20;
367         case NID_secp224r1: /* secp224r1 (21) */
368                 return 21;
369         case NID_secp256k1: /* secp256k1 (22) */ 
370                 return 22;
371         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
372                 return 23;
373         case NID_secp384r1: /* secp384r1 (24) */
374                 return 24;
375         case NID_secp521r1:  /* secp521r1 (25) */       
376                 return 25;
377         case NID_brainpoolP256r1:  /* brainpoolP256r1 (26) */
378                 return 26;
379         case NID_brainpoolP384r1:  /* brainpoolP384r1 (27) */
380                 return 27;
381         case NID_brainpoolP512r1:  /* brainpool512r1 (28) */
382                 return 28;
383         default:
384                 return 0;
385                 }
386         }
387 /* Get curves list, if "sess" is set return client curves otherwise
388  * preferred list
389  */
390 static void tls1_get_curvelist(SSL *s, int sess,
391                                         const unsigned char **pcurves,
392                                         size_t *pcurveslen)
393         {
394         if (sess)
395                 {
396                 *pcurves = s->session->tlsext_ellipticcurvelist;
397                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
398                 return;
399                 }
400         /* For Suite B mode only include P-256, P-384 */
401         switch (tls1_suiteb(s))
402                 {
403         case SSL_CERT_FLAG_SUITEB_128_LOS:
404                 *pcurves = suiteb_curves;
405                 *pcurveslen = sizeof(suiteb_curves);
406                 break;
407
408         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
409                 *pcurves = suiteb_curves;
410                 *pcurveslen = 2;
411                 break;
412
413         case SSL_CERT_FLAG_SUITEB_192_LOS:
414                 *pcurves = suiteb_curves + 2;
415                 *pcurveslen = 2;
416                 break;
417         default:
418                 *pcurves = s->tlsext_ellipticcurvelist;
419                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
420                 }
421         if (!*pcurves)
422                 {
423                 *pcurves = eccurves_default;
424                 *pcurveslen = sizeof(eccurves_default);
425                 }
426         }
427
428 /* See if curve is allowed by security callback */
429 static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
430         {
431         const tls_curve_info *cinfo;
432         if (curve[0])
433                 return 1;
434         if ((curve[1] < 1) || ((size_t)curve[1] >
435                                 sizeof(nid_list)/sizeof(nid_list[0])))
436                 return 0;
437         cinfo = &nid_list[curve[1]-1];
438 #ifdef OPENSSL_NO_EC2M
439         if (cinfo->flags & TLS_CURVE_CHAR2)
440                 return 0;
441 #endif
442         return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
443         }
444
445 /* Check a curve is one of our preferences */
446 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
447         {
448         const unsigned char *curves;
449         size_t curveslen, i;
450         unsigned int suiteb_flags = tls1_suiteb(s);
451         if (len != 3 || p[0] != NAMED_CURVE_TYPE)
452                 return 0;
453         /* Check curve matches Suite B preferences */
454         if (suiteb_flags)
455                 {
456                 unsigned long cid = s->s3->tmp.new_cipher->id;
457                 if (p[1])
458                         return 0;
459                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
460                         {
461                         if (p[2] != TLSEXT_curve_P_256)
462                                 return 0;
463                         }
464                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
465                         {
466                         if (p[2] != TLSEXT_curve_P_384)
467                                 return 0;
468                         }
469                 else    /* Should never happen */
470                         return 0;
471                 }
472         tls1_get_curvelist(s, 0, &curves, &curveslen);
473         for (i = 0; i < curveslen; i += 2, curves += 2)
474                 {
475                 if (p[1] == curves[0] && p[2] == curves[1])
476                         return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
477                 }
478         return 0;
479         }
480
481 /* Return nth shared curve. If nmatch == -1 return number of
482  * matches. For nmatch == -2 return the NID of the curve to use for
483  * an EC tmp key.
484  */
485
486 int tls1_shared_curve(SSL *s, int nmatch)
487         {
488         const unsigned char *pref, *supp;
489         size_t preflen, supplen, i, j;
490         int k;
491         /* Can't do anything on client side */
492         if (s->server == 0)
493                 return -1;
494         if (nmatch == -2)
495                 {
496                 if (tls1_suiteb(s))
497                         {
498                         /* For Suite B ciphersuite determines curve: we 
499                          * already know these are acceptable due to previous
500                          * checks.
501                          */
502                         unsigned long cid = s->s3->tmp.new_cipher->id;
503                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
504                                 return NID_X9_62_prime256v1; /* P-256 */
505                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
506                                 return NID_secp384r1; /* P-384 */
507                         /* Should never happen */
508                         return NID_undef;
509                         }
510                 /* If not Suite B just return first preference shared curve */
511                 nmatch = 0;
512                 }
513         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
514                                 &supp, &supplen);
515         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
516                                 &pref, &preflen);
517         preflen /= 2;
518         supplen /= 2;
519         k = 0;
520         for (i = 0; i < preflen; i++, pref+=2)
521                 {
522                 const unsigned char *tsupp = supp;
523                 for (j = 0; j < supplen; j++, tsupp+=2)
524                         {
525                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
526                                 {
527                                 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
528                                         continue;
529                                 if (nmatch == k)
530                                         {
531                                         int id = (pref[0] << 8) | pref[1];
532                                         return tls1_ec_curve_id2nid(id);
533                                         }
534                                 k++;
535                                 }
536                         }
537                 }
538         if (nmatch == -1)
539                 return k;
540         return 0;
541         }
542
543 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
544                         int *curves, size_t ncurves)
545         {
546         unsigned char *clist, *p;
547         size_t i;
548         /* Bitmap of curves included to detect duplicates: only works
549          * while curve ids < 32 
550          */
551         unsigned long dup_list = 0;
552         clist = OPENSSL_malloc(ncurves * 2);
553         if (!clist)
554                 return 0;
555         for (i = 0, p = clist; i < ncurves; i++)
556                 {
557                 unsigned long idmask;
558                 int id;
559                 id = tls1_ec_nid2curve_id(curves[i]);
560                 idmask = 1L << id;
561                 if (!id || (dup_list & idmask))
562                         {
563                         OPENSSL_free(clist);
564                         return 0;
565                         }
566                 dup_list |= idmask;
567                 s2n(id, p);
568                 }
569         if (*pext)
570                 OPENSSL_free(*pext);
571         *pext = clist;
572         *pextlen = ncurves * 2;
573         return 1;
574         }
575
576 #define MAX_CURVELIST   28
577
578 typedef struct
579         {
580         size_t nidcnt;
581         int nid_arr[MAX_CURVELIST];
582         } nid_cb_st;
583
584 static int nid_cb(const char *elem, int len, void *arg)
585         {
586         nid_cb_st *narg = arg;
587         size_t i;
588         int nid;
589         char etmp[20];
590         if (narg->nidcnt == MAX_CURVELIST)
591                 return 0;
592         if (len > (int)(sizeof(etmp) - 1))
593                 return 0;
594         memcpy(etmp, elem, len);
595         etmp[len] = 0;
596         nid = EC_curve_nist2nid(etmp);
597         if (nid == NID_undef)
598                 nid = OBJ_sn2nid(etmp);
599         if (nid == NID_undef)
600                 nid = OBJ_ln2nid(etmp);
601         if (nid == NID_undef)
602                 return 0;
603         for (i = 0; i < narg->nidcnt; i++)
604                 if (narg->nid_arr[i] == nid)
605                         return 0;
606         narg->nid_arr[narg->nidcnt++] = nid;
607         return 1;
608         }
609 /* Set curves based on a colon separate list */
610 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
611                                 const char *str)
612         {
613         nid_cb_st ncb;
614         ncb.nidcnt = 0;
615         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
616                 return 0;
617         if (pext == NULL)
618                 return 1;
619         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
620         }
621 /* For an EC key set TLS id and required compression based on parameters */
622 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
623                                 EC_KEY *ec)
624         {
625         int is_prime, id;
626         const EC_GROUP *grp;
627         const EC_METHOD *meth;
628         if (!ec)
629                 return 0;
630         /* Determine if it is a prime field */
631         grp = EC_KEY_get0_group(ec);
632         if (!grp)
633                 return 0;
634         meth = EC_GROUP_method_of(grp);
635         if (!meth)
636                 return 0;
637         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
638                 is_prime = 1;
639         else
640                 is_prime = 0;
641         /* Determine curve ID */
642         id = EC_GROUP_get_curve_name(grp);
643         id = tls1_ec_nid2curve_id(id);
644         /* If we have an ID set it, otherwise set arbitrary explicit curve */
645         if (id)
646                 {
647                 curve_id[0] = 0;
648                 curve_id[1] = (unsigned char)id;
649                 }
650         else
651                 {
652                 curve_id[0] = 0xff;
653                 if (is_prime)
654                         curve_id[1] = 0x01;
655                 else
656                         curve_id[1] = 0x02;
657                 }
658         if (comp_id)
659                 {
660                 if (EC_KEY_get0_public_key(ec) == NULL)
661                         return 0;
662                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
663                         {
664                         if (is_prime)
665                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
666                         else
667                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
668                         }
669                 else
670                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
671                 }
672         return 1;
673         }
674 /* Check an EC key is compatible with extensions */
675 static int tls1_check_ec_key(SSL *s,
676                         unsigned char *curve_id, unsigned char *comp_id)
677         {
678         const unsigned char *p;
679         size_t plen, i;
680         int j;
681         /* If point formats extension present check it, otherwise everything
682          * is supported (see RFC4492).
683          */
684         if (comp_id && s->session->tlsext_ecpointformatlist)
685                 {
686                 p = s->session->tlsext_ecpointformatlist;
687                 plen = s->session->tlsext_ecpointformatlist_length;
688                 for (i = 0; i < plen; i++, p++)
689                         {
690                         if (*comp_id == *p)
691                                 break;
692                         }
693                 if (i == plen)
694                         return 0;
695                 }
696         if (!curve_id)
697                 return 1;
698         /* Check curve is consistent with client and server preferences */
699         for (j = 0; j <= 1; j++)
700                 {
701                 tls1_get_curvelist(s, j, &p, &plen);
702                 for (i = 0; i < plen; i+=2, p+=2)
703                         {
704                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
705                                 break;
706                         }
707                 if (i == plen)
708                         return 0;
709                 /* For clients can only check sent curve list */
710                 if (!s->server)
711                         break;
712                 }
713         return 1;
714         }
715
716 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
717                                         size_t *pformatslen)
718         {
719         /* If we have a custom point format list use it otherwise
720          * use default */
721         if (s->tlsext_ecpointformatlist)
722                 {
723                 *pformats = s->tlsext_ecpointformatlist;
724                 *pformatslen = s->tlsext_ecpointformatlist_length;
725                 }
726         else
727                 {
728                 *pformats = ecformats_default;
729                 /* For Suite B we don't support char2 fields */
730                 if (tls1_suiteb(s))
731                         *pformatslen = sizeof(ecformats_default) - 1;
732                 else
733                         *pformatslen = sizeof(ecformats_default);
734                 }
735         }
736
737 /* Check cert parameters compatible with extensions: currently just checks
738  * EC certificates have compatible curves and compression.
739  */
740 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
741         {
742         unsigned char comp_id, curve_id[2];
743         EVP_PKEY *pkey;
744         int rv;
745         pkey = X509_get_pubkey(x);
746         if (!pkey)
747                 return 0;
748         /* If not EC nothing to do */
749         if (pkey->type != EVP_PKEY_EC)
750                 {
751                 EVP_PKEY_free(pkey);
752                 return 1;
753                 }
754         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
755         EVP_PKEY_free(pkey);
756         if (!rv)
757                 return 0;
758         /* Can't check curve_id for client certs as we don't have a
759          * supported curves extension.
760          */
761         rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
762         if (!rv)
763                 return 0;
764         /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
765          * SHA384+P-384, adjust digest if necessary.
766          */
767         if (set_ee_md && tls1_suiteb(s))
768                 {
769                 int check_md;
770                 size_t i;
771                 CERT *c = s->cert;
772                 if (curve_id[0])
773                         return 0;
774                 /* Check to see we have necessary signing algorithm */
775                 if (curve_id[1] == TLSEXT_curve_P_256)
776                         check_md = NID_ecdsa_with_SHA256;
777                 else if (curve_id[1] == TLSEXT_curve_P_384)
778                         check_md = NID_ecdsa_with_SHA384;
779                 else
780                         return 0; /* Should never happen */
781                 for (i = 0; i < c->shared_sigalgslen; i++)
782                         if (check_md == c->shared_sigalgs[i].signandhash_nid)
783                                 break;
784                 if (i == c->shared_sigalgslen)
785                         return 0;
786                 if (set_ee_md == 2)
787                         {
788                         if (check_md == NID_ecdsa_with_SHA256)
789                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
790                         else
791                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
792                         }
793                 }
794         return rv;
795         }
796 /* Check EC temporary key is compatible with client extensions */
797 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
798         {
799         unsigned char curve_id[2];
800         EC_KEY *ec = s->cert->ecdh_tmp;
801 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
802         /* Allow any curve: not just those peer supports */
803         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
804                 return 1;
805 #endif
806         /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
807          * no other curves permitted.
808          */
809         if (tls1_suiteb(s))
810                 {
811                 /* Curve to check determined by ciphersuite */
812                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
813                         curve_id[1] = TLSEXT_curve_P_256;
814                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
815                         curve_id[1] = TLSEXT_curve_P_384;
816                 else
817                         return 0;
818                 curve_id[0] = 0;
819                 /* Check this curve is acceptable */
820                 if (!tls1_check_ec_key(s, curve_id, NULL))
821                         return 0;
822                 /* If auto or setting curve from callback assume OK */
823                 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
824                         return 1;
825                 /* Otherwise check curve is acceptable */
826                 else 
827                         {
828                         unsigned char curve_tmp[2];
829                         if (!ec)
830                                 return 0;
831                         if (!tls1_set_ec_id(curve_tmp, NULL, ec))
832                                 return 0;
833                         if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
834                                 return 1;
835                         return 0;
836                         }
837                         
838                 }
839         if (s->cert->ecdh_tmp_auto)
840                 {
841                 /* Need a shared curve */
842                 if (tls1_shared_curve(s, 0))
843                         return 1;
844                 else return 0;
845                 }
846         if (!ec)
847                 {
848                 if (s->cert->ecdh_tmp_cb)
849                         return 1;
850                 else
851                         return 0;
852                 }
853         if (!tls1_set_ec_id(curve_id, NULL, ec))
854                 return 0;
855 /* Set this to allow use of invalid curves for testing */
856 #if 0
857         return 1;
858 #else
859         return tls1_check_ec_key(s, curve_id, NULL);
860 #endif
861         }
862
863 #else
864
865 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
866         {
867         return 1;
868         }
869
870 #endif /* OPENSSL_NO_EC */
871
872 #ifndef OPENSSL_NO_TLSEXT
873
874 /* List of supported signature algorithms and hashes. Should make this
875  * customisable at some point, for now include everything we support.
876  */
877
878 #ifdef OPENSSL_NO_RSA
879 #define tlsext_sigalg_rsa(md) /* */
880 #else
881 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
882 #endif
883
884 #ifdef OPENSSL_NO_DSA
885 #define tlsext_sigalg_dsa(md) /* */
886 #else
887 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
888 #endif
889
890 #ifdef OPENSSL_NO_ECDSA
891 #define tlsext_sigalg_ecdsa(md) /* */
892 #else
893 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
894 #endif
895
896 #define tlsext_sigalg(md) \
897                 tlsext_sigalg_rsa(md) \
898                 tlsext_sigalg_dsa(md) \
899                 tlsext_sigalg_ecdsa(md)
900
901 static unsigned char tls12_sigalgs[] = {
902 #ifndef OPENSSL_NO_SHA512
903         tlsext_sigalg(TLSEXT_hash_sha512)
904         tlsext_sigalg(TLSEXT_hash_sha384)
905 #endif
906 #ifndef OPENSSL_NO_SHA256
907         tlsext_sigalg(TLSEXT_hash_sha256)
908         tlsext_sigalg(TLSEXT_hash_sha224)
909 #endif
910 #ifndef OPENSSL_NO_SHA
911         tlsext_sigalg(TLSEXT_hash_sha1)
912 #endif
913 };
914 #ifndef OPENSSL_NO_ECDSA
915 static unsigned char suiteb_sigalgs[] = {
916         tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
917         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
918 };
919 #endif
920 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
921         {
922         /* If Suite B mode use Suite B sigalgs only, ignore any other
923          * preferences.
924          */
925 #ifndef OPENSSL_NO_EC
926         switch (tls1_suiteb(s))
927                 {
928         case SSL_CERT_FLAG_SUITEB_128_LOS:
929                 *psigs = suiteb_sigalgs;
930                 return sizeof(suiteb_sigalgs);
931
932         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
933                 *psigs = suiteb_sigalgs;
934                 return 2;
935
936         case SSL_CERT_FLAG_SUITEB_192_LOS:
937                 *psigs = suiteb_sigalgs + 2;
938                 return 2;
939                 }
940 #endif
941         /* If server use client authentication sigalgs if not NULL */
942         if (s->server && s->cert->client_sigalgs)
943                 {
944                 *psigs = s->cert->client_sigalgs;
945                 return s->cert->client_sigalgslen;
946                 }
947         else if (s->cert->conf_sigalgs)
948                 {
949                 *psigs = s->cert->conf_sigalgs;
950                 return s->cert->conf_sigalgslen;
951                 }
952         else
953                 {
954                 *psigs = tls12_sigalgs;
955                 return sizeof(tls12_sigalgs);
956                 }
957         }
958 /* Check signature algorithm is consistent with sent supported signature
959  * algorithms and if so return relevant digest.
960  */
961 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
962                                 const unsigned char *sig, EVP_PKEY *pkey)
963         {
964         const unsigned char *sent_sigs;
965         size_t sent_sigslen, i;
966         int sigalg = tls12_get_sigid(pkey);
967         /* Should never happen */
968         if (sigalg == -1)
969                 return -1;
970         /* Check key type is consistent with signature */
971         if (sigalg != (int)sig[1])
972                 {
973                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
974                 return 0;
975                 }
976 #ifndef OPENSSL_NO_EC
977         if (pkey->type == EVP_PKEY_EC)
978                 {
979                 unsigned char curve_id[2], comp_id;
980                 /* Check compression and curve matches extensions */
981                 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
982                         return 0;
983                 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
984                         {
985                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_CURVE);
986                         return 0;
987                         }
988                 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
989                 if (tls1_suiteb(s))
990                         {
991                         if (curve_id[0])
992                                 return 0;
993                         if (curve_id[1] == TLSEXT_curve_P_256)
994                                 {
995                                 if (sig[0] != TLSEXT_hash_sha256)
996                                         {
997                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
998                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
999                                         return 0;
1000                                         }
1001                                 }
1002                         else if (curve_id[1] == TLSEXT_curve_P_384)
1003                                 {
1004                                 if (sig[0] != TLSEXT_hash_sha384)
1005                                         {
1006                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1007                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
1008                                         return 0;
1009                                         }
1010                                 }
1011                         else
1012                                 return 0;
1013                         }
1014                 }
1015         else if (tls1_suiteb(s))
1016                 return 0;
1017 #endif
1018
1019         /* Check signature matches a type we sent */
1020         sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1021         for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
1022                 {
1023                 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1024                         break;
1025                 }
1026         /* Allow fallback to SHA1 if not strict mode */
1027         if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
1028                 {
1029                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1030                 return 0;
1031                 }
1032         *pmd = tls12_get_hash(sig[0]);
1033         if (*pmd == NULL)
1034                 {
1035                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
1036                 return 0;
1037                 }
1038         /* Make sure security callback allows algorithm */
1039         if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1040                                 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1041                                                                 (void *)sig))
1042                 {
1043                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1044                 return 0;
1045                 }
1046         /* Store the digest used so applications can retrieve it if they
1047          * wish.
1048          */
1049         if (s->session && s->session->sess_cert)
1050                 s->session->sess_cert->peer_key->digest = *pmd;
1051         return 1;
1052         }
1053
1054 /* Get a mask of disabled algorithms: an algorithm is disabled
1055  * if it isn't supported or doesn't appear in supported signature
1056  * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1057  * session and not global settings.
1058  * 
1059  */
1060 void ssl_set_client_disabled(SSL *s)
1061         {
1062         CERT *c = s->cert;
1063         c->mask_a = 0;
1064         c->mask_k = 0;
1065         /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1066         if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1067                 c->mask_ssl = SSL_TLSV1_2;
1068         else
1069                 c->mask_ssl = 0;
1070         ssl_set_sig_mask(&c->mask_a, s, SSL_SECOP_SIGALG_MASK);
1071         /* Disable static DH if we don't include any appropriate
1072          * signature algorithms.
1073          */
1074         if (c->mask_a & SSL_aRSA)
1075                 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1076         if (c->mask_a & SSL_aDSS)
1077                 c->mask_k |= SSL_kDHd;
1078         if (c->mask_a & SSL_aECDSA)
1079                 c->mask_k |= SSL_kECDHe;
1080 #ifndef OPENSSL_NO_KRB5
1081         if (!kssl_tgt_is_available(s->kssl_ctx))
1082                 {
1083                 c->mask_a |= SSL_aKRB5;
1084                 c->mask_k |= SSL_kKRB5;
1085                 }
1086 #endif
1087 #ifndef OPENSSL_NO_PSK
1088         /* with PSK there must be client callback set */
1089         if (!s->psk_client_callback)
1090                 {
1091                 c->mask_a |= SSL_aPSK;
1092                 c->mask_k |= SSL_kPSK;
1093                 }
1094 #endif /* OPENSSL_NO_PSK */
1095 #ifndef OPENSSL_NO_SRP
1096         if (!(s->srp_ctx.srp_Mask & SSL_kSRP))
1097                 {
1098                 c->mask_a |= SSL_aSRP;
1099                 c->mask_k |= SSL_kSRP;
1100                 }
1101 #endif
1102         c->valid = 1;
1103         }
1104
1105 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
1106         {
1107         CERT *ct = s->cert;
1108         if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k || c->algorithm_auth & ct->mask_a)
1109                 return 1;
1110         return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1111         }
1112
1113 static int tls_use_ticket(SSL *s)
1114         {
1115         if (s->options & SSL_OP_NO_TICKET)
1116                 return 0;
1117         return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1118         }
1119
1120 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al)
1121         {
1122         int extdatalen=0;
1123         unsigned char *orig = buf;
1124         unsigned char *ret = buf;
1125 #ifndef OPENSSL_NO_EC
1126         /* See if we support any ECC ciphersuites */
1127         int using_ecc = 0;
1128         if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1129                 {
1130                 int i;
1131                 unsigned long alg_k, alg_a;
1132                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1133
1134                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1135                         {
1136                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1137
1138                         alg_k = c->algorithm_mkey;
1139                         alg_a = c->algorithm_auth;
1140                         if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)
1141                                 || (alg_a & SSL_aECDSA)))
1142                                 {
1143                                 using_ecc = 1;
1144                                 break;
1145                                 }
1146                         }
1147                 }
1148 #endif
1149
1150         /* don't add extensions for SSLv3 unless doing secure renegotiation */
1151         if (s->client_version == SSL3_VERSION
1152                                         && !s->s3->send_connection_binding)
1153                 return orig;
1154
1155         ret+=2;
1156
1157         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1158
1159         if (s->tlsext_hostname != NULL)
1160                 { 
1161                 /* Add TLS extension servername to the Client Hello message */
1162                 unsigned long size_str;
1163                 long lenmax; 
1164
1165                 /* check for enough space.
1166                    4 for the servername type and entension length
1167                    2 for servernamelist length
1168                    1 for the hostname type
1169                    2 for hostname length
1170                    + hostname length 
1171                 */
1172                    
1173                 if ((lenmax = limit - ret - 9) < 0 
1174                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
1175                         return NULL;
1176                         
1177                 /* extension type and length */
1178                 s2n(TLSEXT_TYPE_server_name,ret); 
1179                 s2n(size_str+5,ret);
1180                 
1181                 /* length of servername list */
1182                 s2n(size_str+3,ret);
1183         
1184                 /* hostname type, length and hostname */
1185                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1186                 s2n(size_str,ret);
1187                 memcpy(ret, s->tlsext_hostname, size_str);
1188                 ret+=size_str;
1189                 }
1190
1191         /* Add RI if renegotiating */
1192         if (s->renegotiate)
1193           {
1194           int el;
1195           
1196           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1197               {
1198               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1199               return NULL;
1200               }
1201
1202           if((limit - ret - 4 - el) < 0) return NULL;
1203           
1204           s2n(TLSEXT_TYPE_renegotiate,ret);
1205           s2n(el,ret);
1206
1207           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1208               {
1209               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1210               return NULL;
1211               }
1212
1213           ret += el;
1214         }
1215
1216 #ifndef OPENSSL_NO_SRP
1217         /* Add SRP username if there is one */
1218         if (s->srp_ctx.login != NULL)
1219                 { /* Add TLS extension SRP username to the Client Hello message */
1220
1221                 int login_len = strlen(s->srp_ctx.login);       
1222                 if (login_len > 255 || login_len == 0)
1223                         {
1224                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1225                         return NULL;
1226                         } 
1227
1228                 /* check for enough space.
1229                    4 for the srp type type and entension length
1230                    1 for the srp user identity
1231                    + srp user identity length 
1232                 */
1233                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
1234
1235                 /* fill in the extension */
1236                 s2n(TLSEXT_TYPE_srp,ret);
1237                 s2n(login_len+1,ret);
1238                 (*ret++) = (unsigned char) login_len;
1239                 memcpy(ret, s->srp_ctx.login, login_len);
1240                 ret+=login_len;
1241                 }
1242 #endif
1243
1244 #ifndef OPENSSL_NO_EC
1245         if (using_ecc)
1246                 {
1247                 /* Add TLS extension ECPointFormats to the ClientHello message */
1248                 long lenmax; 
1249                 const unsigned char *plist;
1250                 size_t plistlen;
1251                 size_t i;
1252                 unsigned char *etmp;
1253
1254                 tls1_get_formatlist(s, &plist, &plistlen);
1255
1256                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1257                 if (plistlen > (size_t)lenmax) return NULL;
1258                 if (plistlen > 255)
1259                         {
1260                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1261                         return NULL;
1262                         }
1263                 
1264                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1265                 s2n(plistlen + 1,ret);
1266                 *(ret++) = (unsigned char)plistlen ;
1267                 memcpy(ret, plist, plistlen);
1268                 ret+=plistlen;
1269
1270                 /* Add TLS extension EllipticCurves to the ClientHello message */
1271                 plist = s->tlsext_ellipticcurvelist;
1272                 tls1_get_curvelist(s, 0, &plist, &plistlen);
1273
1274                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
1275                 if (plistlen > (size_t)lenmax) return NULL;
1276                 if (plistlen > 65532)
1277                         {
1278                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1279                         return NULL;
1280                         }
1281
1282                 
1283                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1284                 etmp = ret + 4;
1285                 /* Copy curve ID if supported */
1286                 for (i = 0; i < plistlen; i += 2, plist += 2)
1287                         {
1288                         if (tls_curve_allowed(s, plist, SSL_SECOP_CURVE_SUPPORTED))
1289                                 {
1290                                 *etmp++ = plist[0];
1291                                 *etmp++ = plist[1];
1292                                 }
1293                         }
1294
1295                 plistlen = etmp - ret - 4;
1296
1297                 s2n(plistlen + 2, ret);
1298                 s2n(plistlen, ret);
1299                 ret+=plistlen;
1300                 }
1301 #endif /* OPENSSL_NO_EC */
1302
1303         if (tls_use_ticket(s))
1304                 {
1305                 int ticklen;
1306                 if (!s->new_session && s->session && s->session->tlsext_tick)
1307                         ticklen = s->session->tlsext_ticklen;
1308                 else if (s->session && s->tlsext_session_ticket &&
1309                          s->tlsext_session_ticket->data)
1310                         {
1311                         ticklen = s->tlsext_session_ticket->length;
1312                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1313                         if (!s->session->tlsext_tick)
1314                                 return NULL;
1315                         memcpy(s->session->tlsext_tick,
1316                                s->tlsext_session_ticket->data,
1317                                ticklen);
1318                         s->session->tlsext_ticklen = ticklen;
1319                         }
1320                 else
1321                         ticklen = 0;
1322                 if (ticklen == 0 && s->tlsext_session_ticket &&
1323                     s->tlsext_session_ticket->data == NULL)
1324                         goto skip_ext;
1325                 /* Check for enough room 2 for extension type, 2 for len
1326                  * rest for ticket
1327                  */
1328                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1329                 s2n(TLSEXT_TYPE_session_ticket,ret); 
1330                 s2n(ticklen,ret);
1331                 if (ticklen)
1332                         {
1333                         memcpy(ret, s->session->tlsext_tick, ticklen);
1334                         ret += ticklen;
1335                         }
1336                 }
1337                 skip_ext:
1338
1339         if (SSL_USE_SIGALGS(s))
1340                 {
1341                 size_t salglen;
1342                 const unsigned char *salg;
1343                 unsigned char *etmp;
1344                 salglen = tls12_get_psigalgs(s, &salg);
1345                 if ((size_t)(limit - ret) < salglen + 6)
1346                         return NULL; 
1347                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1348                 etmp = ret;
1349                 /* Skip over lengths for now */
1350                 ret += 4;
1351                 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1352                 /* Fill in lengths */
1353                 s2n(salglen + 2, etmp);
1354                 s2n(salglen, etmp);
1355                 ret += salglen;
1356                 }
1357
1358 #ifdef TLSEXT_TYPE_opaque_prf_input
1359         if (s->s3->client_opaque_prf_input != NULL)
1360                 {
1361                 size_t col = s->s3->client_opaque_prf_input_len;
1362                 
1363                 if ((long)(limit - ret - 6 - col) < 0)
1364                         return NULL;
1365                 if (col > 0xFFFD) /* can't happen */
1366                         return NULL;
1367
1368                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1369                 s2n(col + 2, ret);
1370                 s2n(col, ret);
1371                 memcpy(ret, s->s3->client_opaque_prf_input, col);
1372                 ret += col;
1373                 }
1374 #endif
1375
1376         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1377                 {
1378                 int i;
1379                 long extlen, idlen, itmp;
1380                 OCSP_RESPID *id;
1381
1382                 idlen = 0;
1383                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1384                         {
1385                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1386                         itmp = i2d_OCSP_RESPID(id, NULL);
1387                         if (itmp <= 0)
1388                                 return NULL;
1389                         idlen += itmp + 2;
1390                         }
1391
1392                 if (s->tlsext_ocsp_exts)
1393                         {
1394                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1395                         if (extlen < 0)
1396                                 return NULL;
1397                         }
1398                 else
1399                         extlen = 0;
1400                         
1401                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1402                 s2n(TLSEXT_TYPE_status_request, ret);
1403                 if (extlen + idlen > 0xFFF0)
1404                         return NULL;
1405                 s2n(extlen + idlen + 5, ret);
1406                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1407                 s2n(idlen, ret);
1408                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1409                         {
1410                         /* save position of id len */
1411                         unsigned char *q = ret;
1412                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1413                         /* skip over id len */
1414                         ret += 2;
1415                         itmp = i2d_OCSP_RESPID(id, &ret);
1416                         /* write id len */
1417                         s2n(itmp, q);
1418                         }
1419                 s2n(extlen, ret);
1420                 if (extlen > 0)
1421                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1422                 }
1423
1424 #ifndef OPENSSL_NO_HEARTBEATS
1425         /* Add Heartbeat extension */
1426         if ((limit - ret - 4 - 1) < 0)
1427                 return NULL;
1428         s2n(TLSEXT_TYPE_heartbeat,ret);
1429         s2n(1,ret);
1430         /* Set mode:
1431          * 1: peer may send requests
1432          * 2: peer not allowed to send requests
1433          */
1434         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1435                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1436         else
1437                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1438 #endif
1439
1440 #ifndef OPENSSL_NO_NEXTPROTONEG
1441         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1442                 {
1443                 /* The client advertises an emtpy extension to indicate its
1444                  * support for Next Protocol Negotiation */
1445                 if (limit - ret - 4 < 0)
1446                         return NULL;
1447                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1448                 s2n(0,ret);
1449                 }
1450 #endif
1451
1452         if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1453                 {
1454                 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1455                         return NULL;
1456                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1457                 s2n(2 + s->alpn_client_proto_list_len,ret);
1458                 s2n(s->alpn_client_proto_list_len,ret);
1459                 memcpy(ret, s->alpn_client_proto_list,
1460                        s->alpn_client_proto_list_len);
1461                 ret += s->alpn_client_proto_list_len;
1462                 }
1463
1464         if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
1465                 {
1466                 int el;
1467
1468                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1469                 
1470                 if((limit - ret - 4 - el) < 0) return NULL;
1471
1472                 s2n(TLSEXT_TYPE_use_srtp,ret);
1473                 s2n(el,ret);
1474
1475                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1476                         {
1477                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1478                         return NULL;
1479                         }
1480                 ret += el;
1481                 }
1482         custom_ext_init(&s->cert->cli_ext);
1483         /* Add custom TLS Extensions to ClientHello */
1484         if (!custom_ext_add(s, 0, &ret, limit, al))
1485                 return NULL;
1486 #ifdef TLSEXT_TYPE_encrypt_then_mac
1487         if (s->version != SSL3_VERSION)
1488                 {
1489                 s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
1490                 s2n(0,ret);
1491                 }
1492 #endif
1493
1494         /* Add padding to workaround bugs in F5 terminators.
1495          * See https://tools.ietf.org/html/draft-agl-tls-padding-03
1496          *
1497          * NB: because this code works out the length of all existing
1498          * extensions it MUST always appear last.
1499          */
1500         if (s->options & SSL_OP_TLSEXT_PADDING)
1501                 {
1502                 int hlen = ret - (unsigned char *)s->init_buf->data;
1503                 /* The code in s23_clnt.c to build ClientHello messages
1504                  * includes the 5-byte record header in the buffer, while
1505                  * the code in s3_clnt.c does not.
1506                  */
1507                 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1508                         hlen -= 5;
1509                 if (hlen > 0xff && hlen < 0x200)
1510                         {
1511                         hlen = 0x200 - hlen;
1512                         if (hlen >= 4)
1513                                 hlen -= 4;
1514                         else
1515                                 hlen = 0;
1516
1517                         s2n(TLSEXT_TYPE_padding, ret);
1518                         s2n(hlen, ret);
1519                         memset(ret, 0, hlen);
1520                         ret += hlen;
1521                         }
1522                 }
1523
1524         if ((extdatalen = ret-orig-2)== 0) 
1525                 return orig;
1526
1527         s2n(extdatalen, orig);
1528         return ret;
1529         }
1530
1531 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al)
1532         {
1533         int extdatalen=0;
1534         unsigned char *orig = buf;
1535         unsigned char *ret = buf;
1536 #ifndef OPENSSL_NO_NEXTPROTONEG
1537         int next_proto_neg_seen;
1538 #endif
1539 #ifndef OPENSSL_NO_EC
1540         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1541         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1542         int using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1543         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1544 #endif
1545         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1546         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1547                 return orig;
1548         
1549         ret+=2;
1550         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1551
1552         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1553                 { 
1554                 if ((long)(limit - ret - 4) < 0) return NULL; 
1555
1556                 s2n(TLSEXT_TYPE_server_name,ret);
1557                 s2n(0,ret);
1558                 }
1559
1560         if(s->s3->send_connection_binding)
1561         {
1562           int el;
1563           
1564           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1565               {
1566               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1567               return NULL;
1568               }
1569
1570           if((limit - ret - 4 - el) < 0) return NULL;
1571           
1572           s2n(TLSEXT_TYPE_renegotiate,ret);
1573           s2n(el,ret);
1574
1575           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1576               {
1577               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1578               return NULL;
1579               }
1580
1581           ret += el;
1582         }
1583
1584 #ifndef OPENSSL_NO_EC
1585         if (using_ecc)
1586                 {
1587                 const unsigned char *plist;
1588                 size_t plistlen;
1589                 /* Add TLS extension ECPointFormats to the ServerHello message */
1590                 long lenmax; 
1591
1592                 tls1_get_formatlist(s, &plist, &plistlen);
1593
1594                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1595                 if (plistlen > (size_t)lenmax) return NULL;
1596                 if (plistlen > 255)
1597                         {
1598                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1599                         return NULL;
1600                         }
1601                 
1602                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1603                 s2n(plistlen + 1,ret);
1604                 *(ret++) = (unsigned char) plistlen;
1605                 memcpy(ret, plist, plistlen);
1606                 ret+=plistlen;
1607
1608                 }
1609         /* Currently the server should not respond with a SupportedCurves extension */
1610 #endif /* OPENSSL_NO_EC */
1611
1612         if (s->tlsext_ticket_expected && tls_use_ticket(s))
1613                 { 
1614                 if ((long)(limit - ret - 4) < 0) return NULL; 
1615                 s2n(TLSEXT_TYPE_session_ticket,ret);
1616                 s2n(0,ret);
1617                 }
1618
1619         if (s->tlsext_status_expected)
1620                 { 
1621                 if ((long)(limit - ret - 4) < 0) return NULL; 
1622                 s2n(TLSEXT_TYPE_status_request,ret);
1623                 s2n(0,ret);
1624                 }
1625
1626 #ifdef TLSEXT_TYPE_opaque_prf_input
1627         if (s->s3->server_opaque_prf_input != NULL)
1628                 {
1629                 size_t sol = s->s3->server_opaque_prf_input_len;
1630                 
1631                 if ((long)(limit - ret - 6 - sol) < 0)
1632                         return NULL;
1633                 if (sol > 0xFFFD) /* can't happen */
1634                         return NULL;
1635
1636                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1637                 s2n(sol + 2, ret);
1638                 s2n(sol, ret);
1639                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1640                 ret += sol;
1641                 }
1642 #endif
1643
1644         if(SSL_IS_DTLS(s) && s->srtp_profile)
1645                 {
1646                 int el;
1647
1648                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1649                 
1650                 if((limit - ret - 4 - el) < 0) return NULL;
1651
1652                 s2n(TLSEXT_TYPE_use_srtp,ret);
1653                 s2n(el,ret);
1654
1655                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1656                         {
1657                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1658                         return NULL;
1659                         }
1660                 ret+=el;
1661                 }
1662
1663         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1664                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1665                 { const unsigned char cryptopro_ext[36] = {
1666                         0xfd, 0xe8, /*65000*/
1667                         0x00, 0x20, /*32 bytes length*/
1668                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1669                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1670                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1671                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1672                         if (limit-ret<36) return NULL;
1673                         memcpy(ret,cryptopro_ext,36);
1674                         ret+=36;
1675
1676                 }
1677
1678 #ifndef OPENSSL_NO_HEARTBEATS
1679         /* Add Heartbeat extension if we've received one */
1680         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1681                 {
1682                 if ((limit - ret - 4 - 1) < 0)
1683                         return NULL;
1684                 s2n(TLSEXT_TYPE_heartbeat,ret);
1685                 s2n(1,ret);
1686                 /* Set mode:
1687                  * 1: peer may send requests
1688                  * 2: peer not allowed to send requests
1689                  */
1690                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1691                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1692                 else
1693                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1694
1695                 }
1696 #endif
1697
1698 #ifndef OPENSSL_NO_NEXTPROTONEG
1699         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1700         s->s3->next_proto_neg_seen = 0;
1701         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1702                 {
1703                 const unsigned char *npa;
1704                 unsigned int npalen;
1705                 int r;
1706
1707                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1708                 if (r == SSL_TLSEXT_ERR_OK)
1709                         {
1710                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1711                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1712                         s2n(npalen,ret);
1713                         memcpy(ret, npa, npalen);
1714                         ret += npalen;
1715                         s->s3->next_proto_neg_seen = 1;
1716                         }
1717                 }
1718 #endif
1719         if (!custom_ext_add(s, 1, &ret, limit, al))
1720                 return NULL;
1721 #ifdef TLSEXT_TYPE_encrypt_then_mac
1722         if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
1723                 {
1724                 /* Don't use encrypt_then_mac if AEAD, RC4 or SSL 3.0:
1725                  * might want to disable for other cases too.
1726                  */
1727                 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1728                     || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1729                     || s->version == SSL3_VERSION)
1730                         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1731                 else
1732                         {
1733                         s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
1734                         s2n(0,ret);
1735                         }
1736                 }
1737 #endif
1738
1739         if (s->s3->alpn_selected)
1740                 {
1741                 const unsigned char *selected = s->s3->alpn_selected;
1742                 unsigned len = s->s3->alpn_selected_len;
1743
1744                 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1745                         return NULL;
1746                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1747                 s2n(3 + len,ret);
1748                 s2n(1 + len,ret);
1749                 *ret++ = len;
1750                 memcpy(ret, selected, len);
1751                 ret += len;
1752                 }
1753
1754         if ((extdatalen = ret-orig-2)== 0) 
1755                 return orig;
1756
1757         s2n(extdatalen, orig);
1758         return ret;
1759         }
1760
1761 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1762  * ClientHello.
1763  *   data: the contents of the extension, not including the type and length.
1764  *   data_len: the number of bytes in |data|
1765  *   al: a pointer to the alert value to send in the event of a non-zero
1766  *       return.
1767  *
1768  *   returns: 0 on success. */
1769 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1770                                          unsigned data_len, int *al)
1771         {
1772         unsigned i;
1773         unsigned proto_len;
1774         const unsigned char *selected;
1775         unsigned char selected_len;
1776         int r;
1777
1778         if (s->ctx->alpn_select_cb == NULL)
1779                 return 0;
1780
1781         if (data_len < 2)
1782                 goto parse_error;
1783
1784         /* data should contain a uint16 length followed by a series of 8-bit,
1785          * length-prefixed strings. */
1786         i = ((unsigned) data[0]) << 8 |
1787             ((unsigned) data[1]);
1788         data_len -= 2;
1789         data += 2;
1790         if (data_len != i)
1791                 goto parse_error;
1792
1793         if (data_len < 2)
1794                 goto parse_error;
1795
1796         for (i = 0; i < data_len;)
1797                 {
1798                 proto_len = data[i];
1799                 i++;
1800
1801                 if (proto_len == 0)
1802                         goto parse_error;
1803
1804                 if (i + proto_len < i || i + proto_len > data_len)
1805                         goto parse_error;
1806
1807                 i += proto_len;
1808                 }
1809
1810         r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1811                                    s->ctx->alpn_select_cb_arg);
1812         if (r == SSL_TLSEXT_ERR_OK) {
1813                 if (s->s3->alpn_selected)
1814                         OPENSSL_free(s->s3->alpn_selected);
1815                 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1816                 if (!s->s3->alpn_selected)
1817                         {
1818                         *al = SSL_AD_INTERNAL_ERROR;
1819                         return -1;
1820                         }
1821                 memcpy(s->s3->alpn_selected, selected, selected_len);
1822                 s->s3->alpn_selected_len = selected_len;
1823         }
1824         return 0;
1825
1826 parse_error:
1827         *al = SSL_AD_DECODE_ERROR;
1828         return -1;
1829         }
1830
1831 #ifndef OPENSSL_NO_EC
1832 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
1833  * SecureTransport using the TLS extension block in |d|, of length |n|.
1834  * Safari, since 10.6, sends exactly these extensions, in this order:
1835  *   SNI,
1836  *   elliptic_curves
1837  *   ec_point_formats
1838  *
1839  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1840  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1841  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1842  * 10.8..10.8.3 (which don't work).
1843  */
1844 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
1845         unsigned short type, size;
1846         static const unsigned char kSafariExtensionsBlock[] = {
1847                 0x00, 0x0a,  /* elliptic_curves extension */
1848                 0x00, 0x08,  /* 8 bytes */
1849                 0x00, 0x06,  /* 6 bytes of curve ids */
1850                 0x00, 0x17,  /* P-256 */
1851                 0x00, 0x18,  /* P-384 */
1852                 0x00, 0x19,  /* P-521 */
1853
1854                 0x00, 0x0b,  /* ec_point_formats */
1855                 0x00, 0x02,  /* 2 bytes */
1856                 0x01,        /* 1 point format */
1857                 0x00,        /* uncompressed */
1858         };
1859
1860         /* The following is only present in TLS 1.2 */
1861         static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1862                 0x00, 0x0d,  /* signature_algorithms */
1863                 0x00, 0x0c,  /* 12 bytes */
1864                 0x00, 0x0a,  /* 10 bytes */
1865                 0x05, 0x01,  /* SHA-384/RSA */
1866                 0x04, 0x01,  /* SHA-256/RSA */
1867                 0x02, 0x01,  /* SHA-1/RSA */
1868                 0x04, 0x03,  /* SHA-256/ECDSA */
1869                 0x02, 0x03,  /* SHA-1/ECDSA */
1870         };
1871
1872         if (data >= (d+n-2))
1873                 return;
1874         data += 2;
1875
1876         if (data > (d+n-4))
1877                 return;
1878         n2s(data,type);
1879         n2s(data,size);
1880
1881         if (type != TLSEXT_TYPE_server_name)
1882                 return;
1883
1884         if (data+size > d+n)
1885                 return;
1886         data += size;
1887
1888         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
1889                 {
1890                 const size_t len1 = sizeof(kSafariExtensionsBlock);
1891                 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1892
1893                 if (data + len1 + len2 != d+n)
1894                         return;
1895                 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1896                         return;
1897                 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1898                         return;
1899                 }
1900         else
1901                 {
1902                 const size_t len = sizeof(kSafariExtensionsBlock);
1903
1904                 if (data + len != d+n)
1905                         return;
1906                 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1907                         return;
1908                 }
1909
1910         s->s3->is_probably_safari = 1;
1911 }
1912 #endif /* !OPENSSL_NO_EC */
1913
1914
1915 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1916         {       
1917         unsigned short type;
1918         unsigned short size;
1919         unsigned short len;
1920         unsigned char *data = *p;
1921         int renegotiate_seen = 0;
1922
1923         s->servername_done = 0;
1924         s->tlsext_status_type = -1;
1925 #ifndef OPENSSL_NO_NEXTPROTONEG
1926         s->s3->next_proto_neg_seen = 0;
1927 #endif
1928
1929         if (s->s3->alpn_selected)
1930                 {
1931                 OPENSSL_free(s->s3->alpn_selected);
1932                 s->s3->alpn_selected = NULL;
1933                 }
1934
1935 #ifndef OPENSSL_NO_HEARTBEATS
1936         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1937                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1938 #endif
1939
1940 #ifndef OPENSSL_NO_EC
1941         if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1942                 ssl_check_for_safari(s, data, d, n);
1943 #endif /* !OPENSSL_NO_EC */
1944
1945         /* Clear any signature algorithms extension received */
1946         if (s->cert->peer_sigalgs)
1947                 {
1948                 OPENSSL_free(s->cert->peer_sigalgs);
1949                 s->cert->peer_sigalgs = NULL;
1950                 }
1951
1952 #ifdef TLSEXT_TYPE_encrypt_then_mac
1953         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1954 #endif
1955
1956         if (data >= (d+n-2))
1957                 goto ri_check;
1958         n2s(data,len);
1959
1960         if (data > (d+n-len)) 
1961                 goto ri_check;
1962
1963         while (data <= (d+n-4))
1964                 {
1965                 n2s(data,type);
1966                 n2s(data,size);
1967
1968                 if (data+size > (d+n))
1969                         goto ri_check;
1970 #if 0
1971                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1972 #endif
1973                 if (s->tlsext_debug_cb)
1974                         s->tlsext_debug_cb(s, 0, type, data, size,
1975                                                 s->tlsext_debug_arg);
1976 /* The servername extension is treated as follows:
1977
1978    - Only the hostname type is supported with a maximum length of 255.
1979    - The servername is rejected if too long or if it contains zeros,
1980      in which case an fatal alert is generated.
1981    - The servername field is maintained together with the session cache.
1982    - When a session is resumed, the servername call back invoked in order
1983      to allow the application to position itself to the right context. 
1984    - The servername is acknowledged if it is new for a session or when 
1985      it is identical to a previously used for the same session. 
1986      Applications can control the behaviour.  They can at any time
1987      set a 'desirable' servername for a new SSL object. This can be the
1988      case for example with HTTPS when a Host: header field is received and
1989      a renegotiation is requested. In this case, a possible servername
1990      presented in the new client hello is only acknowledged if it matches
1991      the value of the Host: field. 
1992    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1993      if they provide for changing an explicit servername context for the session,
1994      i.e. when the session has been established with a servername extension. 
1995    - On session reconnect, the servername extension may be absent. 
1996
1997 */      
1998
1999                 if (type == TLSEXT_TYPE_server_name)
2000                         {
2001                         unsigned char *sdata;
2002                         int servname_type;
2003                         int dsize; 
2004                 
2005                         if (size < 2) 
2006                                 {
2007                                 *al = SSL_AD_DECODE_ERROR;
2008                                 return 0;
2009                                 }
2010                         n2s(data,dsize);  
2011                         size -= 2;
2012                         if (dsize > size  ) 
2013                                 {
2014                                 *al = SSL_AD_DECODE_ERROR;
2015                                 return 0;
2016                                 } 
2017
2018                         sdata = data;
2019                         while (dsize > 3) 
2020                                 {
2021                                 servname_type = *(sdata++); 
2022                                 n2s(sdata,len);
2023                                 dsize -= 3;
2024
2025                                 if (len > dsize) 
2026                                         {
2027                                         *al = SSL_AD_DECODE_ERROR;
2028                                         return 0;
2029                                         }
2030                                 if (s->servername_done == 0)
2031                                 switch (servname_type)
2032                                         {
2033                                 case TLSEXT_NAMETYPE_host_name:
2034                                         if (!s->hit)
2035                                                 {
2036                                                 if(s->session->tlsext_hostname)
2037                                                         {
2038                                                         *al = SSL_AD_DECODE_ERROR;
2039                                                         return 0;
2040                                                         }
2041                                                 if (len > TLSEXT_MAXLEN_host_name)
2042                                                         {
2043                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
2044                                                         return 0;
2045                                                         }
2046                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2047                                                         {
2048                                                         *al = TLS1_AD_INTERNAL_ERROR;
2049                                                         return 0;
2050                                                         }
2051                                                 memcpy(s->session->tlsext_hostname, sdata, len);
2052                                                 s->session->tlsext_hostname[len]='\0';
2053                                                 if (strlen(s->session->tlsext_hostname) != len) {
2054                                                         OPENSSL_free(s->session->tlsext_hostname);
2055                                                         s->session->tlsext_hostname = NULL;
2056                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
2057                                                         return 0;
2058                                                 }
2059                                                 s->servername_done = 1; 
2060
2061                                                 }
2062                                         else 
2063                                                 s->servername_done = s->session->tlsext_hostname
2064                                                         && strlen(s->session->tlsext_hostname) == len 
2065                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2066                                         
2067                                         break;
2068
2069                                 default:
2070                                         break;
2071                                         }
2072                                  
2073                                 dsize -= len;
2074                                 }
2075                         if (dsize != 0) 
2076                                 {
2077                                 *al = SSL_AD_DECODE_ERROR;
2078                                 return 0;
2079                                 }
2080
2081                         }
2082 #ifndef OPENSSL_NO_SRP
2083                 else if (type == TLSEXT_TYPE_srp)
2084                         {
2085                         if (size <= 0 || ((len = data[0])) != (size -1))
2086                                 {
2087                                 *al = SSL_AD_DECODE_ERROR;
2088                                 return 0;
2089                                 }
2090                         if (s->srp_ctx.login != NULL)
2091                                 {
2092                                 *al = SSL_AD_DECODE_ERROR;
2093                                 return 0;
2094                                 }
2095                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
2096                                 return -1;
2097                         memcpy(s->srp_ctx.login, &data[1], len);
2098                         s->srp_ctx.login[len]='\0';
2099   
2100                         if (strlen(s->srp_ctx.login) != len) 
2101                                 {
2102                                 *al = SSL_AD_DECODE_ERROR;
2103                                 return 0;
2104                                 }
2105                         }
2106 #endif
2107
2108 #ifndef OPENSSL_NO_EC
2109                 else if (type == TLSEXT_TYPE_ec_point_formats)
2110                         {
2111                         unsigned char *sdata = data;
2112                         int ecpointformatlist_length = *(sdata++);
2113
2114                         if (ecpointformatlist_length != size - 1 || 
2115                                 ecpointformatlist_length < 1)
2116                                 {
2117                                 *al = TLS1_AD_DECODE_ERROR;
2118                                 return 0;
2119                                 }
2120                         if (!s->hit)
2121                                 {
2122                                 if(s->session->tlsext_ecpointformatlist)
2123                                         {
2124                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
2125                                         s->session->tlsext_ecpointformatlist = NULL;
2126                                         }
2127                                 s->session->tlsext_ecpointformatlist_length = 0;
2128                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2129                                         {
2130                                         *al = TLS1_AD_INTERNAL_ERROR;
2131                                         return 0;
2132                                         }
2133                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2134                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2135                                 }
2136 #if 0
2137                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2138                         sdata = s->session->tlsext_ecpointformatlist;
2139                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2140                                 fprintf(stderr,"%i ",*(sdata++));
2141                         fprintf(stderr,"\n");
2142 #endif
2143                         }
2144                 else if (type == TLSEXT_TYPE_elliptic_curves)
2145                         {
2146                         unsigned char *sdata = data;
2147                         int ellipticcurvelist_length = (*(sdata++) << 8);
2148                         ellipticcurvelist_length += (*(sdata++));
2149
2150                         if (ellipticcurvelist_length != size - 2 ||
2151                                 ellipticcurvelist_length < 1)
2152                                 {
2153                                 *al = TLS1_AD_DECODE_ERROR;
2154                                 return 0;
2155                                 }
2156                         if (!s->hit)
2157                                 {
2158                                 if(s->session->tlsext_ellipticcurvelist)
2159                                         {
2160                                         *al = TLS1_AD_DECODE_ERROR;
2161                                         return 0;
2162                                         }
2163                                 s->session->tlsext_ellipticcurvelist_length = 0;
2164                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2165                                         {
2166                                         *al = TLS1_AD_INTERNAL_ERROR;
2167                                         return 0;
2168                                         }
2169                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2170                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2171                                 }
2172 #if 0
2173                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2174                         sdata = s->session->tlsext_ellipticcurvelist;
2175                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2176                                 fprintf(stderr,"%i ",*(sdata++));
2177                         fprintf(stderr,"\n");
2178 #endif
2179                         }
2180 #endif /* OPENSSL_NO_EC */
2181 #ifdef TLSEXT_TYPE_opaque_prf_input
2182                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2183                         {
2184                         unsigned char *sdata = data;
2185
2186                         if (size < 2)
2187                                 {
2188                                 *al = SSL_AD_DECODE_ERROR;
2189                                 return 0;
2190                                 }
2191                         n2s(sdata, s->s3->client_opaque_prf_input_len);
2192                         if (s->s3->client_opaque_prf_input_len != size - 2)
2193                                 {
2194                                 *al = SSL_AD_DECODE_ERROR;
2195                                 return 0;
2196                                 }
2197
2198                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2199                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2200                         if (s->s3->client_opaque_prf_input_len == 0)
2201                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2202                         else
2203                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2204                         if (s->s3->client_opaque_prf_input == NULL)
2205                                 {
2206                                 *al = TLS1_AD_INTERNAL_ERROR;
2207                                 return 0;
2208                                 }
2209                         }
2210 #endif
2211                 else if (type == TLSEXT_TYPE_session_ticket)
2212                         {
2213                         if (s->tls_session_ticket_ext_cb &&
2214                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2215                                 {
2216                                 *al = TLS1_AD_INTERNAL_ERROR;
2217                                 return 0;
2218                                 }
2219                         }
2220                 else if (type == TLSEXT_TYPE_renegotiate)
2221                         {
2222                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2223                                 return 0;
2224                         renegotiate_seen = 1;
2225                         }
2226                 else if (type == TLSEXT_TYPE_signature_algorithms)
2227                         {
2228                         int dsize;
2229                         if (s->cert->peer_sigalgs || size < 2) 
2230                                 {
2231                                 *al = SSL_AD_DECODE_ERROR;
2232                                 return 0;
2233                                 }
2234                         n2s(data,dsize);
2235                         size -= 2;
2236                         if (dsize != size || dsize & 1 || !dsize) 
2237                                 {
2238                                 *al = SSL_AD_DECODE_ERROR;
2239                                 return 0;
2240                                 }
2241                         if (!tls1_save_sigalgs(s, data, dsize))
2242                                 {
2243                                 *al = SSL_AD_DECODE_ERROR;
2244                                 return 0;
2245                                 }
2246                         }
2247                 else if (type == TLSEXT_TYPE_status_request)
2248                         {
2249                 
2250                         if (size < 5) 
2251                                 {
2252                                 *al = SSL_AD_DECODE_ERROR;
2253                                 return 0;
2254                                 }
2255
2256                         s->tlsext_status_type = *data++;
2257                         size--;
2258                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2259                                 {
2260                                 const unsigned char *sdata;
2261                                 int dsize;
2262                                 /* Read in responder_id_list */
2263                                 n2s(data,dsize);
2264                                 size -= 2;
2265                                 if (dsize > size  ) 
2266                                         {
2267                                         *al = SSL_AD_DECODE_ERROR;
2268                                         return 0;
2269                                         }
2270                                 while (dsize > 0)
2271                                         {
2272                                         OCSP_RESPID *id;
2273                                         int idsize;
2274                                         if (dsize < 4)
2275                                                 {
2276                                                 *al = SSL_AD_DECODE_ERROR;
2277                                                 return 0;
2278                                                 }
2279                                         n2s(data, idsize);
2280                                         dsize -= 2 + idsize;
2281                                         size -= 2 + idsize;
2282                                         if (dsize < 0)
2283                                                 {
2284                                                 *al = SSL_AD_DECODE_ERROR;
2285                                                 return 0;
2286                                                 }
2287                                         sdata = data;
2288                                         data += idsize;
2289                                         id = d2i_OCSP_RESPID(NULL,
2290                                                                 &sdata, idsize);
2291                                         if (!id)
2292                                                 {
2293                                                 *al = SSL_AD_DECODE_ERROR;
2294                                                 return 0;
2295                                                 }
2296                                         if (data != sdata)
2297                                                 {
2298                                                 OCSP_RESPID_free(id);
2299                                                 *al = SSL_AD_DECODE_ERROR;
2300                                                 return 0;
2301                                                 }
2302                                         if (!s->tlsext_ocsp_ids
2303                                                 && !(s->tlsext_ocsp_ids =
2304                                                 sk_OCSP_RESPID_new_null()))
2305                                                 {
2306                                                 OCSP_RESPID_free(id);
2307                                                 *al = SSL_AD_INTERNAL_ERROR;
2308                                                 return 0;
2309                                                 }
2310                                         if (!sk_OCSP_RESPID_push(
2311                                                         s->tlsext_ocsp_ids, id))
2312                                                 {
2313                                                 OCSP_RESPID_free(id);
2314                                                 *al = SSL_AD_INTERNAL_ERROR;
2315                                                 return 0;
2316                                                 }
2317                                         }
2318
2319                                 /* Read in request_extensions */
2320                                 if (size < 2)
2321                                         {
2322                                         *al = SSL_AD_DECODE_ERROR;
2323                                         return 0;
2324                                         }
2325                                 n2s(data,dsize);
2326                                 size -= 2;
2327                                 if (dsize != size)
2328                                         {
2329                                         *al = SSL_AD_DECODE_ERROR;
2330                                         return 0;
2331                                         }
2332                                 sdata = data;
2333                                 if (dsize > 0)
2334                                         {
2335                                         if (s->tlsext_ocsp_exts)
2336                                                 {
2337                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2338                                                                            X509_EXTENSION_free);
2339                                                 }
2340
2341                                         s->tlsext_ocsp_exts =
2342                                                 d2i_X509_EXTENSIONS(NULL,
2343                                                         &sdata, dsize);
2344                                         if (!s->tlsext_ocsp_exts
2345                                                 || (data + dsize != sdata))
2346                                                 {
2347                                                 *al = SSL_AD_DECODE_ERROR;
2348                                                 return 0;
2349                                                 }
2350                                         }
2351                                 }
2352                                 /* We don't know what to do with any other type
2353                                 * so ignore it.
2354                                 */
2355                                 else
2356                                         s->tlsext_status_type = -1;
2357                         }
2358 #ifndef OPENSSL_NO_HEARTBEATS
2359                 else if (type == TLSEXT_TYPE_heartbeat)
2360                         {
2361                         switch(data[0])
2362                                 {
2363                                 case 0x01:      /* Client allows us to send HB requests */
2364                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2365                                                         break;
2366                                 case 0x02:      /* Client doesn't accept HB requests */
2367                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2368                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2369                                                         break;
2370                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2371                                                         return 0;
2372                                 }
2373                         }
2374 #endif
2375 #ifndef OPENSSL_NO_NEXTPROTONEG
2376                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2377                          s->s3->tmp.finish_md_len == 0 &&
2378                          s->s3->alpn_selected == NULL)
2379                         {
2380                         /* We shouldn't accept this extension on a
2381                          * renegotiation.
2382                          *
2383                          * s->new_session will be set on renegotiation, but we
2384                          * probably shouldn't rely that it couldn't be set on
2385                          * the initial renegotation too in certain cases (when
2386                          * there's some other reason to disallow resuming an
2387                          * earlier session -- the current code won't be doing
2388                          * anything like that, but this might change).
2389
2390                          * A valid sign that there's been a previous handshake
2391                          * in this connection is if s->s3->tmp.finish_md_len >
2392                          * 0.  (We are talking about a check that will happen
2393                          * in the Hello protocol round, well before a new
2394                          * Finished message could have been computed.) */
2395                         s->s3->next_proto_neg_seen = 1;
2396                         }
2397 #endif
2398
2399                 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2400                          s->ctx->alpn_select_cb &&
2401                          s->s3->tmp.finish_md_len == 0)
2402                         {
2403                         if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2404                                 return 0;
2405 #ifndef OPENSSL_NO_NEXTPROTONEG
2406                         /* ALPN takes precedence over NPN. */
2407                         s->s3->next_proto_neg_seen = 0;
2408 #endif
2409                         }
2410
2411                 /* session ticket processed earlier */
2412                 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2413                                 && type == TLSEXT_TYPE_use_srtp)
2414                         {
2415                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2416                                                               al))
2417                                 return 0;
2418                         }
2419 #ifdef TLSEXT_TYPE_encrypt_then_mac
2420                 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2421                         {
2422                         if (s->version != SSL3_VERSION)
2423                                 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2424                         }
2425 #endif
2426                 /* If this ClientHello extension was unhandled and this is 
2427                  * a nonresumed connection, check whether the extension is a 
2428                  * custom TLS Extension (has a custom_srv_ext_record), and if
2429                  * so call the callback and record the extension number so that
2430                  * an appropriate ServerHello may be later returned.
2431                  */
2432                 else if (!s->hit)
2433                         {
2434                         if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2435                                 return 0;
2436                         }
2437
2438                 data+=size;
2439                 }
2440
2441         *p = data;
2442
2443         ri_check:
2444
2445         /* Need RI if renegotiating */
2446
2447         if (!renegotiate_seen && s->renegotiate &&
2448                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2449                 {
2450                 *al = SSL_AD_HANDSHAKE_FAILURE;
2451                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2452                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2453                 return 0;
2454                 }
2455
2456         return 1;
2457         }
2458
2459 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2460         {
2461         int al = -1;
2462         custom_ext_init(&s->cert->srv_ext);
2463         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
2464                 {
2465                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2466                 return 0;
2467                 }
2468
2469         if (ssl_check_clienthello_tlsext_early(s) <= 0) 
2470                 {
2471                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
2472                 return 0;
2473                 }
2474         return 1;
2475 }
2476
2477 #ifndef OPENSSL_NO_NEXTPROTONEG
2478 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2479  * elements of zero length are allowed and the set of elements must exactly fill
2480  * the length of the block. */
2481 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2482         {
2483         unsigned int off = 0;
2484
2485         while (off < len)
2486                 {
2487                 if (d[off] == 0)
2488                         return 0;
2489                 off += d[off];
2490                 off++;
2491                 }
2492
2493         return off == len;
2494         }
2495 #endif
2496
2497 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2498         {
2499         unsigned short length;
2500         unsigned short type;
2501         unsigned short size;
2502         unsigned char *data = *p;
2503         int tlsext_servername = 0;
2504         int renegotiate_seen = 0;
2505
2506 #ifndef OPENSSL_NO_NEXTPROTONEG
2507         s->s3->next_proto_neg_seen = 0;
2508 #endif
2509
2510         if (s->s3->alpn_selected)
2511                 {
2512                 OPENSSL_free(s->s3->alpn_selected);
2513                 s->s3->alpn_selected = NULL;
2514                 }
2515
2516 #ifndef OPENSSL_NO_HEARTBEATS
2517         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2518                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2519 #endif
2520
2521 #ifdef TLSEXT_TYPE_encrypt_then_mac
2522         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2523 #endif
2524
2525         if (data >= (d+n-2))
2526                 goto ri_check;
2527
2528         n2s(data,length);
2529         if (data+length != d+n)
2530                 {
2531                 *al = SSL_AD_DECODE_ERROR;
2532                 return 0;
2533                 }
2534
2535         while(data <= (d+n-4))
2536                 {
2537                 n2s(data,type);
2538                 n2s(data,size);
2539
2540                 if (data+size > (d+n))
2541                         goto ri_check;
2542
2543                 if (s->tlsext_debug_cb)
2544                         s->tlsext_debug_cb(s, 1, type, data, size,
2545                                                 s->tlsext_debug_arg);
2546
2547                 if (type == TLSEXT_TYPE_server_name)
2548                         {
2549                         if (s->tlsext_hostname == NULL || size > 0)
2550                                 {
2551                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2552                                 return 0;
2553                                 }
2554                         tlsext_servername = 1;   
2555                         }
2556
2557 #ifndef OPENSSL_NO_EC
2558                 else if (type == TLSEXT_TYPE_ec_point_formats)
2559                         {
2560                         unsigned char *sdata = data;
2561                         int ecpointformatlist_length = *(sdata++);
2562
2563                         if (ecpointformatlist_length != size - 1)
2564                                 {
2565                                 *al = TLS1_AD_DECODE_ERROR;
2566                                 return 0;
2567                                 }
2568                         if (!s->hit)
2569                                 {
2570                                 s->session->tlsext_ecpointformatlist_length = 0;
2571                                 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2572                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2573                                         {
2574                                         *al = TLS1_AD_INTERNAL_ERROR;
2575                                         return 0;
2576                                         }
2577                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2578                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2579                                 }
2580 #if 0
2581                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2582                         sdata = s->session->tlsext_ecpointformatlist;
2583                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2584                                 fprintf(stderr,"%i ",*(sdata++));
2585                         fprintf(stderr,"\n");
2586 #endif
2587                         }
2588 #endif /* OPENSSL_NO_EC */
2589
2590                 else if (type == TLSEXT_TYPE_session_ticket)
2591                         {
2592                         if (s->tls_session_ticket_ext_cb &&
2593                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2594                                 {
2595                                 *al = TLS1_AD_INTERNAL_ERROR;
2596                                 return 0;
2597                                 }
2598                         if (!tls_use_ticket(s) || (size > 0))
2599                                 {
2600                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2601                                 return 0;
2602                                 }
2603                         s->tlsext_ticket_expected = 1;
2604                         }
2605 #ifdef TLSEXT_TYPE_opaque_prf_input
2606                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2607                         {
2608                         unsigned char *sdata = data;
2609
2610                         if (size < 2)
2611                                 {
2612                                 *al = SSL_AD_DECODE_ERROR;
2613                                 return 0;
2614                                 }
2615                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2616                         if (s->s3->server_opaque_prf_input_len != size - 2)
2617                                 {
2618                                 *al = SSL_AD_DECODE_ERROR;
2619                                 return 0;
2620                                 }
2621                         
2622                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2623                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2624                         if (s->s3->server_opaque_prf_input_len == 0)
2625                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2626                         else
2627                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2628
2629                         if (s->s3->server_opaque_prf_input == NULL)
2630                                 {
2631                                 *al = TLS1_AD_INTERNAL_ERROR;
2632                                 return 0;
2633                                 }
2634                         }
2635 #endif
2636                 else if (type == TLSEXT_TYPE_status_request)
2637                         {
2638                         /* MUST be empty and only sent if we've requested
2639                          * a status request message.
2640                          */ 
2641                         if ((s->tlsext_status_type == -1) || (size > 0))
2642                                 {
2643                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2644                                 return 0;
2645                                 }
2646                         /* Set flag to expect CertificateStatus message */
2647                         s->tlsext_status_expected = 1;
2648                         }
2649 #ifndef OPENSSL_NO_NEXTPROTONEG
2650                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2651                          s->s3->tmp.finish_md_len == 0)
2652                         {
2653                         unsigned char *selected;
2654                         unsigned char selected_len;
2655
2656                         /* We must have requested it. */
2657                         if (s->ctx->next_proto_select_cb == NULL)
2658                                 {
2659                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2660                                 return 0;
2661                                 }
2662                         /* The data must be valid */
2663                         if (!ssl_next_proto_validate(data, size))
2664                                 {
2665                                 *al = TLS1_AD_DECODE_ERROR;
2666                                 return 0;
2667                                 }
2668                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2669                                 {
2670                                 *al = TLS1_AD_INTERNAL_ERROR;
2671                                 return 0;
2672                                 }
2673                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2674                         if (!s->next_proto_negotiated)
2675                                 {
2676                                 *al = TLS1_AD_INTERNAL_ERROR;
2677                                 return 0;
2678                                 }
2679                         memcpy(s->next_proto_negotiated, selected, selected_len);
2680                         s->next_proto_negotiated_len = selected_len;
2681                         s->s3->next_proto_neg_seen = 1;
2682                         }
2683 #endif
2684
2685                 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
2686                         {
2687                         unsigned len;
2688
2689                         /* We must have requested it. */
2690                         if (s->alpn_client_proto_list == NULL)
2691                                 {
2692                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2693                                 return 0;
2694                                 }
2695                         if (size < 4)
2696                                 {
2697                                 *al = TLS1_AD_DECODE_ERROR;
2698                                 return 0;
2699                                 }
2700                         /* The extension data consists of:
2701                          *   uint16 list_length
2702                          *   uint8 proto_length;
2703                          *   uint8 proto[proto_length]; */
2704                         len = data[0];
2705                         len <<= 8;
2706                         len |= data[1];
2707                         if (len != (unsigned) size - 2)
2708                                 {
2709                                 *al = TLS1_AD_DECODE_ERROR;
2710                                 return 0;
2711                                 }
2712                         len = data[2];
2713                         if (len != (unsigned) size - 3)
2714                                 {
2715                                 *al = TLS1_AD_DECODE_ERROR;
2716                                 return 0;
2717                                 }
2718                         if (s->s3->alpn_selected)
2719                                 OPENSSL_free(s->s3->alpn_selected);
2720                         s->s3->alpn_selected = OPENSSL_malloc(len);
2721                         if (!s->s3->alpn_selected)
2722                                 {
2723                                 *al = TLS1_AD_INTERNAL_ERROR;
2724                                 return 0;
2725                                 }
2726                         memcpy(s->s3->alpn_selected, data + 3, len);
2727                         s->s3->alpn_selected_len = len;
2728                         }
2729
2730                 else if (type == TLSEXT_TYPE_renegotiate)
2731                         {
2732                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2733                                 return 0;
2734                         renegotiate_seen = 1;
2735                         }
2736 #ifndef OPENSSL_NO_HEARTBEATS
2737                 else if (type == TLSEXT_TYPE_heartbeat)
2738                         {
2739                         switch(data[0])
2740                                 {
2741                                 case 0x01:      /* Server allows us to send HB requests */
2742                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2743                                                         break;
2744                                 case 0x02:      /* Server doesn't accept HB requests */
2745                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2746                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2747                                                         break;
2748                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2749                                                         return 0;
2750                                 }
2751                         }
2752 #endif
2753                 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
2754                         {
2755                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2756                                                               al))
2757                                 return 0;
2758                         }
2759 #ifdef TLSEXT_TYPE_encrypt_then_mac
2760                 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2761                         {
2762                         /* Ignore if inappropriate ciphersuite or SSL 3.0 */
2763                         if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2764                             && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4
2765                             && s->version != SSL3_VERSION)
2766                                 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2767                         }
2768 #endif
2769                 /* If this extension type was not otherwise handled, but 
2770                  * matches a custom_cli_ext_record, then send it to the c
2771                  * callback */
2772                 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2773                                 return 0;
2774  
2775                 data += size;
2776                 }
2777
2778         if (data != d+n)
2779                 {
2780                 *al = SSL_AD_DECODE_ERROR;
2781                 return 0;
2782                 }
2783
2784         if (!s->hit && tlsext_servername == 1)
2785                 {
2786                 if (s->tlsext_hostname)
2787                         {
2788                         if (s->session->tlsext_hostname == NULL)
2789                                 {
2790                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2791                                 if (!s->session->tlsext_hostname)
2792                                         {
2793                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2794                                         return 0;
2795                                         }
2796                                 }
2797                         else 
2798                                 {
2799                                 *al = SSL_AD_DECODE_ERROR;
2800                                 return 0;
2801                                 }
2802                         }
2803                 }
2804
2805         *p = data;
2806
2807         ri_check:
2808
2809         /* Determine if we need to see RI. Strictly speaking if we want to
2810          * avoid an attack we should *always* see RI even on initial server
2811          * hello because the client doesn't see any renegotiation during an
2812          * attack. However this would mean we could not connect to any server
2813          * which doesn't support RI so for the immediate future tolerate RI
2814          * absence on initial connect only.
2815          */
2816         if (!renegotiate_seen
2817                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2818                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2819                 {
2820                 *al = SSL_AD_HANDSHAKE_FAILURE;
2821                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2822                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2823                 return 0;
2824                 }
2825
2826         return 1;
2827         }
2828
2829
2830 int ssl_prepare_clienthello_tlsext(SSL *s)
2831         {
2832
2833 #ifdef TLSEXT_TYPE_opaque_prf_input
2834         {
2835                 int r = 1;
2836         
2837                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2838                         {
2839                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2840                         if (!r)
2841                                 return -1;
2842                         }
2843
2844                 if (s->tlsext_opaque_prf_input != NULL)
2845                         {
2846                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2847                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2848
2849                         if (s->tlsext_opaque_prf_input_len == 0)
2850                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2851                         else
2852                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2853                         if (s->s3->client_opaque_prf_input == NULL)
2854                                 {
2855                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2856                                 return -1;
2857                                 }
2858                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2859                         }
2860
2861                 if (r == 2)
2862                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2863                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2864         }
2865 #endif
2866
2867         return 1;
2868         }
2869
2870 int ssl_prepare_serverhello_tlsext(SSL *s)
2871         {
2872         return 1;
2873         }
2874
2875 static int ssl_check_clienthello_tlsext_early(SSL *s)
2876         {
2877         int ret=SSL_TLSEXT_ERR_NOACK;
2878         int al = SSL_AD_UNRECOGNIZED_NAME;
2879
2880 #ifndef OPENSSL_NO_EC
2881         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2882          * ssl3_choose_cipher in s3_lib.c.
2883          */
2884         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2885          * ssl3_choose_cipher in s3_lib.c.
2886          */
2887 #endif
2888
2889         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2890                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2891         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2892                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2893
2894 #ifdef TLSEXT_TYPE_opaque_prf_input
2895         {
2896                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2897                  * but we might be sending an alert in response to the client hello,
2898                  * so this has to happen here in
2899                  * ssl_check_clienthello_tlsext_early(). */
2900
2901                 int r = 1;
2902         
2903                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2904                         {
2905                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2906                         if (!r)
2907                                 {
2908                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2909                                 al = SSL_AD_INTERNAL_ERROR;
2910                                 goto err;
2911                                 }
2912                         }
2913
2914                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2915                         OPENSSL_free(s->s3->server_opaque_prf_input);
2916                 s->s3->server_opaque_prf_input = NULL;
2917
2918                 if (s->tlsext_opaque_prf_input != NULL)
2919                         {
2920                         if (s->s3->client_opaque_prf_input != NULL &&
2921                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2922                                 {
2923                                 /* can only use this extension if we have a server opaque PRF input
2924                                  * of the same length as the client opaque PRF input! */
2925
2926                                 if (s->tlsext_opaque_prf_input_len == 0)
2927                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2928                                 else
2929                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2930                                 if (s->s3->server_opaque_prf_input == NULL)
2931                                         {
2932                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2933                                         al = SSL_AD_INTERNAL_ERROR;
2934                                         goto err;
2935                                         }
2936                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2937                                 }
2938                         }
2939
2940                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2941                         {
2942                         /* The callback wants to enforce use of the extension,
2943                          * but we can't do that with the client opaque PRF input;
2944                          * abort the handshake.
2945                          */
2946                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2947                         al = SSL_AD_HANDSHAKE_FAILURE;
2948                         }
2949         }
2950
2951  err:
2952 #endif
2953         switch (ret)
2954                 {
2955                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2956                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2957                         return -1;
2958
2959                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2960                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2961                         return 1; 
2962                                         
2963                 case SSL_TLSEXT_ERR_NOACK:
2964                         s->servername_done=0;
2965                         default:
2966                 return 1;
2967                 }
2968         }
2969
2970 int tls1_set_server_sigalgs(SSL *s)
2971         {
2972         int al;
2973         size_t i;
2974         /* Clear any shared sigtnature algorithms */
2975         if (s->cert->shared_sigalgs)
2976                 {
2977                 OPENSSL_free(s->cert->shared_sigalgs);
2978                 s->cert->shared_sigalgs = NULL;
2979                 }
2980         /* Clear certificate digests and validity flags */
2981         for (i = 0; i < SSL_PKEY_NUM; i++)
2982                 {
2983                 s->cert->pkeys[i].digest = NULL;
2984                 s->cert->pkeys[i].valid_flags = 0;
2985                 }
2986
2987         /* If sigalgs received process it. */
2988         if (s->cert->peer_sigalgs)
2989                 {
2990                 if (!tls1_process_sigalgs(s))
2991                         {
2992                         SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
2993                                         ERR_R_MALLOC_FAILURE);
2994                         al = SSL_AD_INTERNAL_ERROR;
2995                         goto err;
2996                         }
2997                 /* Fatal error is no shared signature algorithms */
2998                 if (!s->cert->shared_sigalgs)
2999                         {
3000                         SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
3001                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
3002                         al = SSL_AD_ILLEGAL_PARAMETER;
3003                         goto err;
3004                         }
3005                 }
3006         else
3007                 ssl_cert_set_default_md(s->cert);
3008         return 1;
3009         err:
3010         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3011         return 0;
3012         }
3013
3014 int ssl_check_clienthello_tlsext_late(SSL *s)
3015         {
3016         int ret = SSL_TLSEXT_ERR_OK;
3017         int al;
3018
3019         /* If status request then ask callback what to do.
3020          * Note: this must be called after servername callbacks in case
3021          * the certificate has changed, and must be called after the cipher
3022          * has been chosen because this may influence which certificate is sent
3023          */
3024         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
3025                 {
3026                 int r;
3027                 CERT_PKEY *certpkey;
3028                 certpkey = ssl_get_server_send_pkey(s);
3029                 /* If no certificate can't return certificate status */
3030                 if (certpkey == NULL)
3031                         {
3032                         s->tlsext_status_expected = 0;
3033                         return 1;
3034                         }
3035                 /* Set current certificate to one we will use so
3036                  * SSL_get_certificate et al can pick it up.
3037                  */
3038                 s->cert->key = certpkey;
3039                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3040                 switch (r)
3041                         {
3042                         /* We don't want to send a status request response */
3043                         case SSL_TLSEXT_ERR_NOACK:
3044                                 s->tlsext_status_expected = 0;
3045                                 break;
3046                         /* status request response should be sent */
3047                         case SSL_TLSEXT_ERR_OK:
3048                                 if (s->tlsext_ocsp_resp)
3049                                         s->tlsext_status_expected = 1;
3050                                 else
3051                                         s->tlsext_status_expected = 0;
3052                                 break;
3053                         /* something bad happened */
3054                         case SSL_TLSEXT_ERR_ALERT_FATAL:
3055                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3056                                 al = SSL_AD_INTERNAL_ERROR;
3057                                 goto err;
3058                         }
3059                 }
3060         else
3061                 s->tlsext_status_expected = 0;
3062
3063  err:
3064         switch (ret)
3065                 {
3066                 case SSL_TLSEXT_ERR_ALERT_FATAL:
3067                         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3068                         return -1;
3069
3070                 case SSL_TLSEXT_ERR_ALERT_WARNING:
3071                         ssl3_send_alert(s, SSL3_AL_WARNING, al);
3072                         return 1; 
3073
3074                 default:
3075                         return 1;
3076                 }
3077         }
3078
3079 int ssl_check_serverhello_tlsext(SSL *s)
3080         {
3081         int ret=SSL_TLSEXT_ERR_NOACK;
3082         int al = SSL_AD_UNRECOGNIZED_NAME;
3083
3084 #ifndef OPENSSL_NO_EC
3085         /* If we are client and using an elliptic curve cryptography cipher
3086          * suite, then if server returns an EC point formats lists extension
3087          * it must contain uncompressed.