Separate client and server permitted signature algorithm support: by default
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
128 #endif
129
130 SSL3_ENC_METHOD TLSv1_enc_data={
131         tls1_enc,
132         tls1_mac,
133         tls1_setup_key_block,
134         tls1_generate_master_secret,
135         tls1_change_cipher_state,
136         tls1_final_finish_mac,
137         TLS1_FINISH_MAC_LENGTH,
138         tls1_cert_verify_mac,
139         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141         tls1_alert_code,
142         tls1_export_keying_material,
143         };
144
145 long tls1_default_timeout(void)
146         {
147         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148          * is way too long for http, the cache would over fill */
149         return(60*60*2);
150         }
151
152 int tls1_new(SSL *s)
153         {
154         if (!ssl3_new(s)) return(0);
155         s->method->ssl_clear(s);
156         return(1);
157         }
158
159 void tls1_free(SSL *s)
160         {
161 #ifndef OPENSSL_NO_TLSEXT
162         if (s->tlsext_session_ticket)
163                 {
164                 OPENSSL_free(s->tlsext_session_ticket);
165                 }
166 #endif /* OPENSSL_NO_TLSEXT */
167         ssl3_free(s);
168         }
169
170 void tls1_clear(SSL *s)
171         {
172         ssl3_clear(s);
173         s->version = s->method->version;
174         }
175
176 #ifndef OPENSSL_NO_EC
177
178 static int nid_list[] =
179         {
180                 NID_sect163k1, /* sect163k1 (1) */
181                 NID_sect163r1, /* sect163r1 (2) */
182                 NID_sect163r2, /* sect163r2 (3) */
183                 NID_sect193r1, /* sect193r1 (4) */ 
184                 NID_sect193r2, /* sect193r2 (5) */ 
185                 NID_sect233k1, /* sect233k1 (6) */
186                 NID_sect233r1, /* sect233r1 (7) */ 
187                 NID_sect239k1, /* sect239k1 (8) */ 
188                 NID_sect283k1, /* sect283k1 (9) */
189                 NID_sect283r1, /* sect283r1 (10) */ 
190                 NID_sect409k1, /* sect409k1 (11) */ 
191                 NID_sect409r1, /* sect409r1 (12) */
192                 NID_sect571k1, /* sect571k1 (13) */ 
193                 NID_sect571r1, /* sect571r1 (14) */ 
194                 NID_secp160k1, /* secp160k1 (15) */
195                 NID_secp160r1, /* secp160r1 (16) */ 
196                 NID_secp160r2, /* secp160r2 (17) */ 
197                 NID_secp192k1, /* secp192k1 (18) */
198                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
199                 NID_secp224k1, /* secp224k1 (20) */ 
200                 NID_secp224r1, /* secp224r1 (21) */
201                 NID_secp256k1, /* secp256k1 (22) */ 
202                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
203                 NID_secp384r1, /* secp384r1 (24) */
204                 NID_secp521r1  /* secp521r1 (25) */     
205         };
206
207
208 static const unsigned char ecformats_default[] = 
209         {
210         TLSEXT_ECPOINTFORMAT_uncompressed,
211         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
212         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
213         };
214
215 static const unsigned char eccurves_default[] =
216         {
217                 0,14, /* sect571r1 (14) */ 
218                 0,13, /* sect571k1 (13) */ 
219                 0,25, /* secp521r1 (25) */      
220                 0,11, /* sect409k1 (11) */ 
221                 0,12, /* sect409r1 (12) */
222                 0,24, /* secp384r1 (24) */
223                 0,9,  /* sect283k1 (9) */
224                 0,10, /* sect283r1 (10) */ 
225                 0,22, /* secp256k1 (22) */ 
226                 0,23, /* secp256r1 (23) */ 
227                 0,8,  /* sect239k1 (8) */ 
228                 0,6,  /* sect233k1 (6) */
229                 0,7,  /* sect233r1 (7) */ 
230                 0,20, /* secp224k1 (20) */ 
231                 0,21, /* secp224r1 (21) */
232                 0,4,  /* sect193r1 (4) */ 
233                 0,5,  /* sect193r2 (5) */ 
234                 0,18, /* secp192k1 (18) */
235                 0,19, /* secp192r1 (19) */ 
236                 0,1,  /* sect163k1 (1) */
237                 0,2,  /* sect163r1 (2) */
238                 0,3,  /* sect163r2 (3) */
239                 0,15, /* secp160k1 (15) */
240                 0,16, /* secp160r1 (16) */ 
241                 0,17, /* secp160r2 (17) */ 
242         };
243
244 int tls1_ec_curve_id2nid(int curve_id)
245         {
246         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
247         if ((curve_id < 1) || ((unsigned int)curve_id >
248                                 sizeof(nid_list)/sizeof(nid_list[0])))
249                 return 0;
250         return nid_list[curve_id-1];
251         }
252
253 int tls1_ec_nid2curve_id(int nid)
254         {
255         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
256         switch (nid)
257                 {
258         case NID_sect163k1: /* sect163k1 (1) */
259                 return 1;
260         case NID_sect163r1: /* sect163r1 (2) */
261                 return 2;
262         case NID_sect163r2: /* sect163r2 (3) */
263                 return 3;
264         case NID_sect193r1: /* sect193r1 (4) */ 
265                 return 4;
266         case NID_sect193r2: /* sect193r2 (5) */ 
267                 return 5;
268         case NID_sect233k1: /* sect233k1 (6) */
269                 return 6;
270         case NID_sect233r1: /* sect233r1 (7) */ 
271                 return 7;
272         case NID_sect239k1: /* sect239k1 (8) */ 
273                 return 8;
274         case NID_sect283k1: /* sect283k1 (9) */
275                 return 9;
276         case NID_sect283r1: /* sect283r1 (10) */ 
277                 return 10;
278         case NID_sect409k1: /* sect409k1 (11) */ 
279                 return 11;
280         case NID_sect409r1: /* sect409r1 (12) */
281                 return 12;
282         case NID_sect571k1: /* sect571k1 (13) */ 
283                 return 13;
284         case NID_sect571r1: /* sect571r1 (14) */ 
285                 return 14;
286         case NID_secp160k1: /* secp160k1 (15) */
287                 return 15;
288         case NID_secp160r1: /* secp160r1 (16) */ 
289                 return 16;
290         case NID_secp160r2: /* secp160r2 (17) */ 
291                 return 17;
292         case NID_secp192k1: /* secp192k1 (18) */
293                 return 18;
294         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
295                 return 19;
296         case NID_secp224k1: /* secp224k1 (20) */ 
297                 return 20;
298         case NID_secp224r1: /* secp224r1 (21) */
299                 return 21;
300         case NID_secp256k1: /* secp256k1 (22) */ 
301                 return 22;
302         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
303                 return 23;
304         case NID_secp384r1: /* secp384r1 (24) */
305                 return 24;
306         case NID_secp521r1:  /* secp521r1 (25) */       
307                 return 25;
308         default:
309                 return 0;
310                 }
311         }
312 /* Get curves list, if "sess" is set return client curves otherwise
313  * preferred list
314  */
315 static void tls1_get_curvelist(SSL *s, int sess,
316                                         const unsigned char **pcurves,
317                                         size_t *pcurveslen)
318         {
319         if (sess)
320                 {
321                 *pcurves = s->session->tlsext_ellipticcurvelist;
322                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
323                 }
324         else
325                 {
326                 *pcurves = s->tlsext_ellipticcurvelist;
327                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
328                 }
329         /* If not set use default: for now static structure */
330         if (!*pcurves)
331                 {
332                 *pcurves = eccurves_default;
333                 *pcurveslen = sizeof(eccurves_default);
334                 }
335         }
336
337 /* Return nth shared curve. If nmatch == -1 return number of
338  * matches.
339  */
340
341 int tls1_shared_curve(SSL *s, int nmatch)
342         {
343         const unsigned char *pref, *supp;
344         size_t preflen, supplen, i, j;
345         int k;
346         /* Can't do anything on client side */
347         if (s->server == 0)
348                 return -1;
349         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
350                                 &supp, &supplen);
351         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
352                                 &pref, &preflen);
353         preflen /= 2;
354         supplen /= 2;
355         k = 0;
356         for (i = 0; i < preflen; i++, pref+=2)
357                 {
358                 const unsigned char *tsupp = supp;
359                 for (j = 0; j < supplen; j++, tsupp+=2)
360                         {
361                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
362                                 {
363                                 if (nmatch == k)
364                                         {
365                                         int id = (pref[0] << 8) | pref[1];
366                                         return tls1_ec_curve_id2nid(id);
367                                         }
368                                 k++;
369                                 }
370                         }
371                 }
372         if (nmatch == -1)
373                 return k;
374         return 0;
375         }
376
377 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
378                         int *curves, size_t ncurves)
379         {
380         unsigned char *clist, *p;
381         size_t i;
382         /* Bitmap of curves included to detect duplicates: only works
383          * while curve ids < 32 
384          */
385         unsigned long dup_list = 0;
386         clist = OPENSSL_malloc(ncurves * 2);
387         if (!clist)
388                 return 0;
389         for (i = 0, p = clist; i < ncurves; i++)
390                 {
391                 unsigned long idmask;
392                 int id;
393                 id = tls1_ec_nid2curve_id(curves[i]);
394                 idmask = 1L << id;
395                 if (!id || (dup_list & idmask))
396                         {
397                         OPENSSL_free(clist);
398                         return 0;
399                         }
400                 dup_list |= idmask;
401                 s2n(id, p);
402                 }
403         if (*pext)
404                 OPENSSL_free(*pext);
405         *pext = clist;
406         *pextlen = ncurves * 2;
407         return 1;
408         }
409
410 #define MAX_CURVELIST   25
411
412 typedef struct
413         {
414         size_t nidcnt;
415         int nid_arr[MAX_CURVELIST];
416         } nid_cb_st;
417
418 static int nid_cb(const char *elem, int len, void *arg)
419         {
420         nid_cb_st *narg = arg;
421         size_t i;
422         int nid;
423         char etmp[20];
424         if (narg->nidcnt == MAX_CURVELIST)
425                 return 0;
426         if (len > (int)(sizeof(etmp) - 1))
427                 return 0;
428         memcpy(etmp, elem, len);
429         etmp[len] = 0;
430         nid = EC_curve_nist2nid(etmp);
431         if (nid == NID_undef)
432                 nid = OBJ_sn2nid(etmp);
433         if (nid == NID_undef)
434                 nid = OBJ_ln2nid(etmp);
435         if (nid == NID_undef)
436                 return 0;
437         for (i = 0; i < narg->nidcnt; i++)
438                 if (narg->nid_arr[i] == nid)
439                         return 0;
440         narg->nid_arr[narg->nidcnt++] = nid;
441         return 1;
442         }
443 /* Set curves based on a colon separate list */
444 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
445                                 const char *str)
446         {
447         nid_cb_st ncb;
448         ncb.nidcnt = 0;
449         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
450                 return 0;
451         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
452         }
453 /* For an EC key set TLS id and required compression based on parameters */
454 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
455                                 EC_KEY *ec)
456         {
457         int is_prime, id;
458         const EC_GROUP *grp;
459         const EC_POINT *pt;
460         const EC_METHOD *meth;
461         if (!ec)
462                 return 0;
463         /* Determine if it is a prime field */
464         grp = EC_KEY_get0_group(ec);
465         pt = EC_KEY_get0_public_key(ec);
466         if (!grp || !pt)
467                 return 0;
468         meth = EC_GROUP_method_of(grp);
469         if (!meth)
470                 return 0;
471         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
472                 is_prime = 1;
473         else
474                 is_prime = 0;
475         /* Determine curve ID */
476         id = EC_GROUP_get_curve_name(grp);
477         id = tls1_ec_nid2curve_id(id);
478         /* If we have an ID set it, otherwise set arbitrary explicit curve */
479         if (id)
480                 {
481                 curve_id[0] = 0;
482                 curve_id[1] = (unsigned char)id;
483                 }
484         else
485                 {
486                 curve_id[0] = 0xff;
487                 if (is_prime)
488                         curve_id[1] = 0x01;
489                 else
490                         curve_id[1] = 0x02;
491                 }
492         if (comp_id)
493                 {
494                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
495                         {
496                         if (is_prime)
497                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
498                         else
499                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
500                         }
501                 else
502                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
503                 }
504         return 1;
505         }
506 /* Check an EC key is compatible with extensions */
507 static int tls1_check_ec_key(SSL *s,
508                         unsigned char *curve_id, unsigned char *comp_id)
509         {
510         const unsigned char *p;
511         size_t plen, i;
512         int j;
513         /* If point formats extension present check it, otherwise everything
514          * is supported (see RFC4492).
515          */
516         if (comp_id && s->session->tlsext_ecpointformatlist)
517                 {
518                 p = s->session->tlsext_ecpointformatlist;
519                 plen = s->session->tlsext_ecpointformatlist_length;
520                 for (i = 0; i < plen; i++, p++)
521                         {
522                         if (*comp_id == *p)
523                                 break;
524                         }
525                 if (i == plen)
526                         return 0;
527                 }
528         /* Check curve is consistent with client and server preferences */
529         for (j = 0; j <= 1; j++)
530                 {
531                 tls1_get_curvelist(s, j, &p, &plen);
532                 for (i = 0; i < plen; i+=2, p+=2)
533                         {
534                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
535                                 break;
536                         }
537                 if (i == plen)
538                         return 0;
539                 }
540         return 1;
541         }
542
543 /* Check cert parameters compatible with extensions: currently just checks
544  * EC certificates have compatible curves and compression.
545  */
546 static int tls1_check_cert_param(SSL *s, X509 *x)
547         {
548         unsigned char comp_id, curve_id[2];
549         EVP_PKEY *pkey;
550         int rv;
551         pkey = X509_get_pubkey(x);
552         if (!pkey)
553                 return 0;
554         /* If not EC nothing to do */
555         if (pkey->type != EVP_PKEY_EC)
556                 {
557                 EVP_PKEY_free(pkey);
558                 return 1;
559                 }
560         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
561         EVP_PKEY_free(pkey);
562         if (!rv)
563                 return 0;
564         return tls1_check_ec_key(s, curve_id, &comp_id);
565         }
566 /* Check EC temporary key is compatible with client extensions */
567 int tls1_check_ec_tmp_key(SSL *s)
568         {
569         unsigned char curve_id[2];
570         EC_KEY *ec = s->cert->ecdh_tmp;
571         if (s->cert->ecdh_tmp_auto)
572                 {
573                 /* Need a shared curve */
574                 if (tls1_shared_curve(s, 0))
575                         return 1;
576                 else return 0;
577                 }
578         if (!ec)
579                 {
580                 if (s->cert->ecdh_tmp_cb)
581                         return 1;
582                 else
583                         return 0;
584                 }
585         if (!tls1_set_ec_id(curve_id, NULL, ec))
586                 return 1;
587         return tls1_check_ec_key(s, curve_id, NULL);
588         }
589
590 #endif /* OPENSSL_NO_EC */
591
592 #ifndef OPENSSL_NO_TLSEXT
593
594 /* List of supported signature algorithms and hashes. Should make this
595  * customisable at some point, for now include everything we support.
596  */
597
598 #ifdef OPENSSL_NO_RSA
599 #define tlsext_sigalg_rsa(md) /* */
600 #else
601 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
602 #endif
603
604 #ifdef OPENSSL_NO_DSA
605 #define tlsext_sigalg_dsa(md) /* */
606 #else
607 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
608 #endif
609
610 #ifdef OPENSSL_NO_ECDSA
611 #define tlsext_sigalg_ecdsa(md) /* */
612 #else
613 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
614 #endif
615
616 #define tlsext_sigalg(md) \
617                 tlsext_sigalg_rsa(md) \
618                 tlsext_sigalg_dsa(md) \
619                 tlsext_sigalg_ecdsa(md)
620
621 static unsigned char tls12_sigalgs[] = {
622 #ifndef OPENSSL_NO_SHA512
623         tlsext_sigalg(TLSEXT_hash_sha512)
624         tlsext_sigalg(TLSEXT_hash_sha384)
625 #endif
626 #ifndef OPENSSL_NO_SHA256
627         tlsext_sigalg(TLSEXT_hash_sha256)
628         tlsext_sigalg(TLSEXT_hash_sha224)
629 #endif
630 #ifndef OPENSSL_NO_SHA
631         tlsext_sigalg(TLSEXT_hash_sha1)
632 #endif
633 #ifndef OPENSSL_NO_MD5
634         tlsext_sigalg_rsa(TLSEXT_hash_md5)
635 #endif
636 };
637
638 size_t tls12_get_sig_algs(SSL *s, unsigned char *p)
639         {
640         const unsigned char *sigs;
641         size_t sigslen;
642         /* If server use client authentication sigalgs if not NULL */
643         if (s->server && s->cert->client_sigalgs)
644                 {
645                 sigs = s->cert->client_sigalgs;
646                 sigslen = s->cert->client_sigalgslen;
647                 }
648         else if (s->cert->conf_sigalgs)
649                 {
650                 sigs = s->cert->conf_sigalgs;
651                 sigslen = s->cert->conf_sigalgslen;
652                 }
653         else
654                 {
655                 sigs = tls12_sigalgs;
656                 sigslen = sizeof(tls12_sigalgs);
657 #ifdef OPENSSL_FIPS
658                 /* If FIPS mode don't include MD5 which is last */
659                 if (FIPS_mode())
660                         sigslen -= 2;
661 #endif
662                 }
663
664         if (p)
665                 memcpy(p, sigs, sigslen);
666         return sigslen;
667         }
668
669 /* byte_compare is a compare function for qsort(3) that compares bytes. */
670 static int byte_compare(const void *in_a, const void *in_b)
671         {
672         unsigned char a = *((const unsigned char*) in_a);
673         unsigned char b = *((const unsigned char*) in_b);
674
675         if (a > b)
676                 return 1;
677         else if (a < b)
678                 return -1;
679         return 0;
680 }
681
682 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
683         {
684         int extdatalen=0;
685         unsigned char *ret = p;
686 #ifndef OPENSSL_NO_EC
687         /* See if we support any ECC ciphersuites */
688         int using_ecc = 0;
689         if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
690                 {
691                 int i;
692                 unsigned long alg_k, alg_a;
693                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
694
695                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
696                         {
697                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
698
699                         alg_k = c->algorithm_mkey;
700                         alg_a = c->algorithm_auth;
701                         if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
702                                 || (alg_a & SSL_aECDSA)))
703                                 {
704                                 using_ecc = 1;
705                                 break;
706                                 }
707                         }
708                 }
709 #endif
710
711         /* don't add extensions for SSLv3 unless doing secure renegotiation */
712         if (s->client_version == SSL3_VERSION
713                                         && !s->s3->send_connection_binding)
714                 return p;
715
716         ret+=2;
717
718         if (ret>=limit) return NULL; /* this really never occurs, but ... */
719
720         if (s->tlsext_hostname != NULL)
721                 { 
722                 /* Add TLS extension servername to the Client Hello message */
723                 unsigned long size_str;
724                 long lenmax; 
725
726                 /* check for enough space.
727                    4 for the servername type and entension length
728                    2 for servernamelist length
729                    1 for the hostname type
730                    2 for hostname length
731                    + hostname length 
732                 */
733                    
734                 if ((lenmax = limit - ret - 9) < 0 
735                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
736                         return NULL;
737                         
738                 /* extension type and length */
739                 s2n(TLSEXT_TYPE_server_name,ret); 
740                 s2n(size_str+5,ret);
741                 
742                 /* length of servername list */
743                 s2n(size_str+3,ret);
744         
745                 /* hostname type, length and hostname */
746                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
747                 s2n(size_str,ret);
748                 memcpy(ret, s->tlsext_hostname, size_str);
749                 ret+=size_str;
750                 }
751
752         /* Add RI if renegotiating */
753         if (s->renegotiate)
754           {
755           int el;
756           
757           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
758               {
759               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
760               return NULL;
761               }
762
763           if((limit - p - 4 - el) < 0) return NULL;
764           
765           s2n(TLSEXT_TYPE_renegotiate,ret);
766           s2n(el,ret);
767
768           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
769               {
770               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
771               return NULL;
772               }
773
774           ret += el;
775         }
776
777 #ifndef OPENSSL_NO_SRP
778         /* Add SRP username if there is one */
779         if (s->srp_ctx.login != NULL)
780                 { /* Add TLS extension SRP username to the Client Hello message */
781
782                 int login_len = strlen(s->srp_ctx.login);       
783                 if (login_len > 255 || login_len == 0)
784                         {
785                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
786                         return NULL;
787                         } 
788
789                 /* check for enough space.
790                    4 for the srp type type and entension length
791                    1 for the srp user identity
792                    + srp user identity length 
793                 */
794                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
795
796                 /* fill in the extension */
797                 s2n(TLSEXT_TYPE_srp,ret);
798                 s2n(login_len+1,ret);
799                 (*ret++) = (unsigned char) login_len;
800                 memcpy(ret, s->srp_ctx.login, login_len);
801                 ret+=login_len;
802                 }
803 #endif
804
805 #ifndef OPENSSL_NO_EC
806         if (using_ecc)
807                 {
808                 /* Add TLS extension ECPointFormats to the ClientHello message */
809                 long lenmax; 
810                 const unsigned char *plist;
811                 size_t plistlen;
812                 /* If we have a custom point format list use it otherwise
813                  * use default */
814                 plist = s->tlsext_ecpointformatlist;
815                 if (plist)
816                         plistlen = s->tlsext_ecpointformatlist_length;
817                 else
818                         {
819                         plist = ecformats_default;
820                         plistlen = sizeof(ecformats_default);
821                         }
822
823                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
824                 if (plistlen > (size_t)lenmax) return NULL;
825                 if (plistlen > 255)
826                         {
827                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
828                         return NULL;
829                         }
830                 
831                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
832                 s2n(plistlen + 1,ret);
833                 *(ret++) = (unsigned char)plistlen ;
834                 memcpy(ret, plist, plistlen);
835                 ret+=plistlen;
836
837                 /* Add TLS extension EllipticCurves to the ClientHello message */
838                 plist = s->tlsext_ellipticcurvelist;
839                 tls1_get_curvelist(s, 0, &plist, &plistlen);
840
841                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
842                 if (plistlen > (size_t)lenmax) return NULL;
843                 if (plistlen > 65532)
844                         {
845                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
846                         return NULL;
847                         }
848                 
849                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
850                 s2n(plistlen + 2, ret);
851
852                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
853                  * elliptic_curve_list, but the examples use two bytes.
854                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
855                  * resolves this to two bytes.
856                  */
857                 s2n(plistlen, ret);
858                 memcpy(ret, plist, plistlen);
859                 ret+=plistlen;
860                 }
861 #endif /* OPENSSL_NO_EC */
862
863         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
864                 {
865                 int ticklen;
866                 if (!s->new_session && s->session && s->session->tlsext_tick)
867                         ticklen = s->session->tlsext_ticklen;
868                 else if (s->session && s->tlsext_session_ticket &&
869                          s->tlsext_session_ticket->data)
870                         {
871                         ticklen = s->tlsext_session_ticket->length;
872                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
873                         if (!s->session->tlsext_tick)
874                                 return NULL;
875                         memcpy(s->session->tlsext_tick,
876                                s->tlsext_session_ticket->data,
877                                ticklen);
878                         s->session->tlsext_ticklen = ticklen;
879                         }
880                 else
881                         ticklen = 0;
882                 if (ticklen == 0 && s->tlsext_session_ticket &&
883                     s->tlsext_session_ticket->data == NULL)
884                         goto skip_ext;
885                 /* Check for enough room 2 for extension type, 2 for len
886                  * rest for ticket
887                  */
888                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
889                 s2n(TLSEXT_TYPE_session_ticket,ret); 
890                 s2n(ticklen,ret);
891                 if (ticklen)
892                         {
893                         memcpy(ret, s->session->tlsext_tick, ticklen);
894                         ret += ticklen;
895                         }
896                 }
897                 skip_ext:
898
899         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
900                 {
901                 size_t salglen;
902                 salglen = tls12_get_sig_algs(s, NULL);
903                 if ((size_t)(limit - ret) < salglen + 6)
904                         return NULL; 
905                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
906                 s2n(salglen + 2, ret);
907                 s2n(salglen, ret);
908                 tls12_get_sig_algs(s, ret);
909                 ret += salglen;
910                 }
911
912 #ifdef TLSEXT_TYPE_opaque_prf_input
913         if (s->s3->client_opaque_prf_input != NULL &&
914             s->version != DTLS1_VERSION)
915                 {
916                 size_t col = s->s3->client_opaque_prf_input_len;
917                 
918                 if ((long)(limit - ret - 6 - col < 0))
919                         return NULL;
920                 if (col > 0xFFFD) /* can't happen */
921                         return NULL;
922
923                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
924                 s2n(col + 2, ret);
925                 s2n(col, ret);
926                 memcpy(ret, s->s3->client_opaque_prf_input, col);
927                 ret += col;
928                 }
929 #endif
930
931         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
932             s->version != DTLS1_VERSION)
933                 {
934                 int i;
935                 long extlen, idlen, itmp;
936                 OCSP_RESPID *id;
937
938                 idlen = 0;
939                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
940                         {
941                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
942                         itmp = i2d_OCSP_RESPID(id, NULL);
943                         if (itmp <= 0)
944                                 return NULL;
945                         idlen += itmp + 2;
946                         }
947
948                 if (s->tlsext_ocsp_exts)
949                         {
950                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
951                         if (extlen < 0)
952                                 return NULL;
953                         }
954                 else
955                         extlen = 0;
956                         
957                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
958                 s2n(TLSEXT_TYPE_status_request, ret);
959                 if (extlen + idlen > 0xFFF0)
960                         return NULL;
961                 s2n(extlen + idlen + 5, ret);
962                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
963                 s2n(idlen, ret);
964                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
965                         {
966                         /* save position of id len */
967                         unsigned char *q = ret;
968                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
969                         /* skip over id len */
970                         ret += 2;
971                         itmp = i2d_OCSP_RESPID(id, &ret);
972                         /* write id len */
973                         s2n(itmp, q);
974                         }
975                 s2n(extlen, ret);
976                 if (extlen > 0)
977                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
978                 }
979
980 #ifndef OPENSSL_NO_HEARTBEATS
981         /* Add Heartbeat extension */
982         s2n(TLSEXT_TYPE_heartbeat,ret);
983         s2n(1,ret);
984         /* Set mode:
985          * 1: peer may send requests
986          * 2: peer not allowed to send requests
987          */
988         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
989                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
990         else
991                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
992 #endif
993
994 #ifndef OPENSSL_NO_NEXTPROTONEG
995         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
996                 {
997                 /* The client advertises an emtpy extension to indicate its
998                  * support for Next Protocol Negotiation */
999                 if (limit - ret - 4 < 0)
1000                         return NULL;
1001                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1002                 s2n(0,ret);
1003                 }
1004 #endif
1005
1006         if(SSL_get_srtp_profiles(s))
1007                 {
1008                 int el;
1009
1010                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1011                 
1012                 if((limit - p - 4 - el) < 0) return NULL;
1013
1014                 s2n(TLSEXT_TYPE_use_srtp,ret);
1015                 s2n(el,ret);
1016
1017                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1018                         {
1019                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1020                         return NULL;
1021                         }
1022                 ret += el;
1023                 }
1024
1025         /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1026         /* 2 bytes for extension type */
1027         /* 2 bytes for extension length */
1028         /* 1 byte for the list length */
1029         /* 1 byte for the list (we only support audit proofs) */
1030         if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1031                 {
1032                 size_t lenmax;
1033                 const unsigned short ext_len = 2;
1034                 const unsigned char list_len = 1;
1035
1036                 if ((lenmax = limit - ret - 6) < 0) return NULL;
1037
1038                 s2n(TLSEXT_TYPE_server_authz, ret);
1039                 /* Extension length: 2 bytes */
1040                 s2n(ext_len, ret);
1041                 *(ret++) = list_len;
1042                 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1043                 }
1044
1045         if ((extdatalen = ret-p-2) == 0)
1046                 return p;
1047
1048         s2n(extdatalen,p);
1049         return ret;
1050         }
1051
1052 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1053         {
1054         int extdatalen=0;
1055         unsigned char *ret = p;
1056 #ifndef OPENSSL_NO_NEXTPROTONEG
1057         int next_proto_neg_seen;
1058 #endif
1059
1060         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1061         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1062                 return p;
1063         
1064         ret+=2;
1065         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1066
1067         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1068                 { 
1069                 if ((long)(limit - ret - 4) < 0) return NULL; 
1070
1071                 s2n(TLSEXT_TYPE_server_name,ret);
1072                 s2n(0,ret);
1073                 }
1074
1075         if(s->s3->send_connection_binding)
1076         {
1077           int el;
1078           
1079           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1080               {
1081               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1082               return NULL;
1083               }
1084
1085           if((limit - p - 4 - el) < 0) return NULL;
1086           
1087           s2n(TLSEXT_TYPE_renegotiate,ret);
1088           s2n(el,ret);
1089
1090           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1091               {
1092               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1093               return NULL;
1094               }
1095
1096           ret += el;
1097         }
1098
1099 #ifndef OPENSSL_NO_EC
1100         if (s->tlsext_ecpointformatlist != NULL &&
1101             s->version != DTLS1_VERSION)
1102                 {
1103                 /* Add TLS extension ECPointFormats to the ServerHello message */
1104                 long lenmax; 
1105
1106                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1107                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
1108                 if (s->tlsext_ecpointformatlist_length > 255)
1109                         {
1110                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1111                         return NULL;
1112                         }
1113                 
1114                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1115                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
1116                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
1117                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
1118                 ret+=s->tlsext_ecpointformatlist_length;
1119
1120                 }
1121         /* Currently the server should not respond with a SupportedCurves extension */
1122 #endif /* OPENSSL_NO_EC */
1123
1124         if (s->tlsext_ticket_expected
1125                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
1126                 { 
1127                 if ((long)(limit - ret - 4) < 0) return NULL; 
1128                 s2n(TLSEXT_TYPE_session_ticket,ret);
1129                 s2n(0,ret);
1130                 }
1131
1132         if (s->tlsext_status_expected)
1133                 { 
1134                 if ((long)(limit - ret - 4) < 0) return NULL; 
1135                 s2n(TLSEXT_TYPE_status_request,ret);
1136                 s2n(0,ret);
1137                 }
1138
1139 #ifdef TLSEXT_TYPE_opaque_prf_input
1140         if (s->s3->server_opaque_prf_input != NULL &&
1141             s->version != DTLS1_VERSION)
1142                 {
1143                 size_t sol = s->s3->server_opaque_prf_input_len;
1144                 
1145                 if ((long)(limit - ret - 6 - sol) < 0)
1146                         return NULL;
1147                 if (sol > 0xFFFD) /* can't happen */
1148                         return NULL;
1149
1150                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1151                 s2n(sol + 2, ret);
1152                 s2n(sol, ret);
1153                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1154                 ret += sol;
1155                 }
1156 #endif
1157
1158         if(s->srtp_profile)
1159                 {
1160                 int el;
1161
1162                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1163                 
1164                 if((limit - p - 4 - el) < 0) return NULL;
1165
1166                 s2n(TLSEXT_TYPE_use_srtp,ret);
1167                 s2n(el,ret);
1168
1169                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1170                         {
1171                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1172                         return NULL;
1173                         }
1174                 ret+=el;
1175                 }
1176
1177         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1178                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1179                 { const unsigned char cryptopro_ext[36] = {
1180                         0xfd, 0xe8, /*65000*/
1181                         0x00, 0x20, /*32 bytes length*/
1182                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1183                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1184                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1185                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1186                         if (limit-ret<36) return NULL;
1187                         memcpy(ret,cryptopro_ext,36);
1188                         ret+=36;
1189
1190                 }
1191
1192 #ifndef OPENSSL_NO_HEARTBEATS
1193         /* Add Heartbeat extension if we've received one */
1194         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1195                 {
1196                 s2n(TLSEXT_TYPE_heartbeat,ret);
1197                 s2n(1,ret);
1198                 /* Set mode:
1199                  * 1: peer may send requests
1200                  * 2: peer not allowed to send requests
1201                  */
1202                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1203                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1204                 else
1205                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1206
1207                 }
1208 #endif
1209
1210 #ifndef OPENSSL_NO_NEXTPROTONEG
1211         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1212         s->s3->next_proto_neg_seen = 0;
1213         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1214                 {
1215                 const unsigned char *npa;
1216                 unsigned int npalen;
1217                 int r;
1218
1219                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1220                 if (r == SSL_TLSEXT_ERR_OK)
1221                         {
1222                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1223                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1224                         s2n(npalen,ret);
1225                         memcpy(ret, npa, npalen);
1226                         ret += npalen;
1227                         s->s3->next_proto_neg_seen = 1;
1228                         }
1229                 }
1230 #endif
1231
1232         /* If the client supports authz then see whether we have any to offer
1233          * to it. */
1234         if (s->s3->tlsext_authz_client_types_len)
1235                 {
1236                 size_t authz_length;
1237                 /* By now we already know the new cipher, so we can look ahead
1238                  * to see whether the cert we are going to send
1239                  * has any authz data attached to it. */
1240                 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1241                 const unsigned char* const orig_authz = authz;
1242                 size_t i;
1243                 unsigned authz_count = 0;
1244
1245                 /* The authz data contains a number of the following structures:
1246                  *      uint8_t authz_type
1247                  *      uint16_t length
1248                  *      uint8_t data[length]
1249                  *
1250                  * First we walk over it to find the number of authz elements. */
1251                 for (i = 0; i < authz_length; i++)
1252                         {
1253                         unsigned short length;
1254                         unsigned char type;
1255
1256                         type = *(authz++);
1257                         if (memchr(s->s3->tlsext_authz_client_types,
1258                                    type,
1259                                    s->s3->tlsext_authz_client_types_len) != NULL)
1260                                 authz_count++;
1261
1262                         n2s(authz, length);
1263                         /* n2s increments authz by 2 */
1264                         i += 2;
1265                         authz += length;
1266                         i += length;
1267                         }
1268
1269                 if (authz_count)
1270                         {
1271                         /* Add TLS extension server_authz to the ServerHello message
1272                          * 2 bytes for extension type
1273                          * 2 bytes for extension length
1274                          * 1 byte for the list length
1275                          * n bytes for the list */
1276                         const unsigned short ext_len = 1 + authz_count;
1277
1278                         if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1279                         s2n(TLSEXT_TYPE_server_authz, ret);
1280                         s2n(ext_len, ret);
1281                         *(ret++) = authz_count;
1282                         s->s3->tlsext_authz_promised_to_client = 1;
1283                         }
1284
1285                 authz = orig_authz;
1286                 for (i = 0; i < authz_length; i++)
1287                         {
1288                         unsigned short length;
1289                         unsigned char type;
1290
1291                         authz_count++;
1292                         type = *(authz++);
1293                         if (memchr(s->s3->tlsext_authz_client_types,
1294                                    type,
1295                                    s->s3->tlsext_authz_client_types_len) != NULL)
1296                                 *(ret++) = type;
1297                         n2s(authz, length);
1298                         /* n2s increments authz by 2 */
1299                         i += 2;
1300                         authz += length;
1301                         i += length;
1302                         }
1303                 }
1304
1305         if ((extdatalen = ret-p-2)== 0) 
1306                 return p;
1307
1308         s2n(extdatalen,p);
1309         return ret;
1310         }
1311
1312 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1313         {       
1314         unsigned short type;
1315         unsigned short size;
1316         unsigned short len;
1317         unsigned char *data = *p;
1318         int renegotiate_seen = 0;
1319
1320         s->servername_done = 0;
1321         s->tlsext_status_type = -1;
1322 #ifndef OPENSSL_NO_NEXTPROTONEG
1323         s->s3->next_proto_neg_seen = 0;
1324 #endif
1325
1326 #ifndef OPENSSL_NO_HEARTBEATS
1327         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1328                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1329 #endif
1330         /* Clear any signature algorithms extension received */
1331         if (s->cert->peer_sigalgs)
1332                 {
1333                 OPENSSL_free(s->cert->peer_sigalgs);
1334                 s->cert->peer_sigalgs = NULL;
1335                 }
1336         /* Clear any shared sigtnature algorithms */
1337         if (s->cert->shared_sigalgs)
1338                 {
1339                 OPENSSL_free(s->cert->shared_sigalgs);
1340                 s->cert->shared_sigalgs = NULL;
1341                 }
1342
1343         if (data >= (d+n-2))
1344                 goto ri_check;
1345         n2s(data,len);
1346
1347         if (data > (d+n-len)) 
1348                 goto ri_check;
1349
1350         while (data <= (d+n-4))
1351                 {
1352                 n2s(data,type);
1353                 n2s(data,size);
1354
1355                 if (data+size > (d+n))
1356                         goto ri_check;
1357 #if 0
1358                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1359 #endif
1360                 if (s->tlsext_debug_cb)
1361                         s->tlsext_debug_cb(s, 0, type, data, size,
1362                                                 s->tlsext_debug_arg);
1363 /* The servername extension is treated as follows:
1364
1365    - Only the hostname type is supported with a maximum length of 255.
1366    - The servername is rejected if too long or if it contains zeros,
1367      in which case an fatal alert is generated.
1368    - The servername field is maintained together with the session cache.
1369    - When a session is resumed, the servername call back invoked in order
1370      to allow the application to position itself to the right context. 
1371    - The servername is acknowledged if it is new for a session or when 
1372      it is identical to a previously used for the same session. 
1373      Applications can control the behaviour.  They can at any time
1374      set a 'desirable' servername for a new SSL object. This can be the
1375      case for example with HTTPS when a Host: header field is received and
1376      a renegotiation is requested. In this case, a possible servername
1377      presented in the new client hello is only acknowledged if it matches
1378      the value of the Host: field. 
1379    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1380      if they provide for changing an explicit servername context for the session,
1381      i.e. when the session has been established with a servername extension. 
1382    - On session reconnect, the servername extension may be absent. 
1383
1384 */      
1385
1386                 if (type == TLSEXT_TYPE_server_name)
1387                         {
1388                         unsigned char *sdata;
1389                         int servname_type;
1390                         int dsize; 
1391                 
1392                         if (size < 2) 
1393                                 {
1394                                 *al = SSL_AD_DECODE_ERROR;
1395                                 return 0;
1396                                 }
1397                         n2s(data,dsize);  
1398                         size -= 2;
1399                         if (dsize > size  ) 
1400                                 {
1401                                 *al = SSL_AD_DECODE_ERROR;
1402                                 return 0;
1403                                 } 
1404
1405                         sdata = data;
1406                         while (dsize > 3) 
1407                                 {
1408                                 servname_type = *(sdata++); 
1409                                 n2s(sdata,len);
1410                                 dsize -= 3;
1411
1412                                 if (len > dsize) 
1413                                         {
1414                                         *al = SSL_AD_DECODE_ERROR;
1415                                         return 0;
1416                                         }
1417                                 if (s->servername_done == 0)
1418                                 switch (servname_type)
1419                                         {
1420                                 case TLSEXT_NAMETYPE_host_name:
1421                                         if (!s->hit)
1422                                                 {
1423                                                 if(s->session->tlsext_hostname)
1424                                                         {
1425                                                         *al = SSL_AD_DECODE_ERROR;
1426                                                         return 0;
1427                                                         }
1428                                                 if (len > TLSEXT_MAXLEN_host_name)
1429                                                         {
1430                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1431                                                         return 0;
1432                                                         }
1433                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1434                                                         {
1435                                                         *al = TLS1_AD_INTERNAL_ERROR;
1436                                                         return 0;
1437                                                         }
1438                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1439                                                 s->session->tlsext_hostname[len]='\0';
1440                                                 if (strlen(s->session->tlsext_hostname) != len) {
1441                                                         OPENSSL_free(s->session->tlsext_hostname);
1442                                                         s->session->tlsext_hostname = NULL;
1443                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1444                                                         return 0;
1445                                                 }
1446                                                 s->servername_done = 1; 
1447
1448                                                 }
1449                                         else 
1450                                                 s->servername_done = s->session->tlsext_hostname
1451                                                         && strlen(s->session->tlsext_hostname) == len 
1452                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1453                                         
1454                                         break;
1455
1456                                 default:
1457                                         break;
1458                                         }
1459                                  
1460                                 dsize -= len;
1461                                 }
1462                         if (dsize != 0) 
1463                                 {
1464                                 *al = SSL_AD_DECODE_ERROR;
1465                                 return 0;
1466                                 }
1467
1468                         }
1469 #ifndef OPENSSL_NO_SRP
1470                 else if (type == TLSEXT_TYPE_srp)
1471                         {
1472                         if (size <= 0 || ((len = data[0])) != (size -1))
1473                                 {
1474                                 *al = SSL_AD_DECODE_ERROR;
1475                                 return 0;
1476                                 }
1477                         if (s->srp_ctx.login != NULL)
1478                                 {
1479                                 *al = SSL_AD_DECODE_ERROR;
1480                                 return 0;
1481                                 }
1482                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1483                                 return -1;
1484                         memcpy(s->srp_ctx.login, &data[1], len);
1485                         s->srp_ctx.login[len]='\0';
1486   
1487                         if (strlen(s->srp_ctx.login) != len) 
1488                                 {
1489                                 *al = SSL_AD_DECODE_ERROR;
1490                                 return 0;
1491                                 }
1492                         }
1493 #endif
1494
1495 #ifndef OPENSSL_NO_EC
1496                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1497                      s->version != DTLS1_VERSION)
1498                         {
1499                         unsigned char *sdata = data;
1500                         int ecpointformatlist_length = *(sdata++);
1501
1502                         if (ecpointformatlist_length != size - 1)
1503                                 {
1504                                 *al = TLS1_AD_DECODE_ERROR;
1505                                 return 0;
1506                                 }
1507                         if (!s->hit)
1508                                 {
1509                                 if(s->session->tlsext_ecpointformatlist)
1510                                         {
1511                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1512                                         s->session->tlsext_ecpointformatlist = NULL;
1513                                         }
1514                                 s->session->tlsext_ecpointformatlist_length = 0;
1515                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1516                                         {
1517                                         *al = TLS1_AD_INTERNAL_ERROR;
1518                                         return 0;
1519                                         }
1520                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1521                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1522                                 }
1523 #if 0
1524                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1525                         sdata = s->session->tlsext_ecpointformatlist;
1526                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1527                                 fprintf(stderr,"%i ",*(sdata++));
1528                         fprintf(stderr,"\n");
1529 #endif
1530                         }
1531                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1532                      s->version != DTLS1_VERSION)
1533                         {
1534                         unsigned char *sdata = data;
1535                         int ellipticcurvelist_length = (*(sdata++) << 8);
1536                         ellipticcurvelist_length += (*(sdata++));
1537
1538                         if (ellipticcurvelist_length != size - 2)
1539                                 {
1540                                 *al = TLS1_AD_DECODE_ERROR;
1541                                 return 0;
1542                                 }
1543                         if (!s->hit)
1544                                 {
1545                                 if(s->session->tlsext_ellipticcurvelist)
1546                                         {
1547                                         *al = TLS1_AD_DECODE_ERROR;
1548                                         return 0;
1549                                         }
1550                                 s->session->tlsext_ellipticcurvelist_length = 0;
1551                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1552                                         {
1553                                         *al = TLS1_AD_INTERNAL_ERROR;
1554                                         return 0;
1555                                         }
1556                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1557                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1558                                 }
1559 #if 0
1560                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1561                         sdata = s->session->tlsext_ellipticcurvelist;
1562                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1563                                 fprintf(stderr,"%i ",*(sdata++));
1564                         fprintf(stderr,"\n");
1565 #endif
1566                         }
1567 #endif /* OPENSSL_NO_EC */
1568 #ifdef TLSEXT_TYPE_opaque_prf_input
1569                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1570                      s->version != DTLS1_VERSION)
1571                         {
1572                         unsigned char *sdata = data;
1573
1574                         if (size < 2)
1575                                 {
1576                                 *al = SSL_AD_DECODE_ERROR;
1577                                 return 0;
1578                                 }
1579                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1580                         if (s->s3->client_opaque_prf_input_len != size - 2)
1581                                 {
1582                                 *al = SSL_AD_DECODE_ERROR;
1583                                 return 0;
1584                                 }
1585
1586                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1587                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1588                         if (s->s3->client_opaque_prf_input_len == 0)
1589                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1590                         else
1591                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1592                         if (s->s3->client_opaque_prf_input == NULL)
1593                                 {
1594                                 *al = TLS1_AD_INTERNAL_ERROR;
1595                                 return 0;
1596                                 }
1597                         }
1598 #endif
1599                 else if (type == TLSEXT_TYPE_session_ticket)
1600                         {
1601                         if (s->tls_session_ticket_ext_cb &&
1602                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1603                                 {
1604                                 *al = TLS1_AD_INTERNAL_ERROR;
1605                                 return 0;
1606                                 }
1607                         }
1608                 else if (type == TLSEXT_TYPE_renegotiate)
1609                         {
1610                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1611                                 return 0;
1612                         renegotiate_seen = 1;
1613                         }
1614                 else if (type == TLSEXT_TYPE_signature_algorithms)
1615                         {
1616                         int dsize;
1617                         if (s->cert->peer_sigalgs || size < 2) 
1618                                 {
1619                                 *al = SSL_AD_DECODE_ERROR;
1620                                 return 0;
1621                                 }
1622                         n2s(data,dsize);
1623                         size -= 2;
1624                         if (dsize != size || dsize & 1 || !dsize) 
1625                                 {
1626                                 *al = SSL_AD_DECODE_ERROR;
1627                                 return 0;
1628                                 }
1629                         if (!tls1_process_sigalgs(s, data, dsize))
1630                                 {
1631                                 *al = SSL_AD_DECODE_ERROR;
1632                                 return 0;
1633                                 }
1634                         /* If sigalgs received and no shared algorithms fatal
1635                          * error.
1636                          */
1637                         if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
1638                                 {
1639                                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1640                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
1641                                 *al = SSL_AD_ILLEGAL_PARAMETER;
1642                                 return 0;
1643                                 }
1644                         }
1645                 else if (type == TLSEXT_TYPE_status_request &&
1646                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1647                         {
1648                 
1649                         if (size < 5) 
1650                                 {
1651                                 *al = SSL_AD_DECODE_ERROR;
1652                                 return 0;
1653                                 }
1654
1655                         s->tlsext_status_type = *data++;
1656                         size--;
1657                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1658                                 {
1659                                 const unsigned char *sdata;
1660                                 int dsize;
1661                                 /* Read in responder_id_list */
1662                                 n2s(data,dsize);
1663                                 size -= 2;
1664                                 if (dsize > size  ) 
1665                                         {
1666                                         *al = SSL_AD_DECODE_ERROR;
1667                                         return 0;
1668                                         }
1669                                 while (dsize > 0)
1670                                         {
1671                                         OCSP_RESPID *id;
1672                                         int idsize;
1673                                         if (dsize < 4)
1674                                                 {
1675                                                 *al = SSL_AD_DECODE_ERROR;
1676                                                 return 0;
1677                                                 }
1678                                         n2s(data, idsize);
1679                                         dsize -= 2 + idsize;
1680                                         size -= 2 + idsize;
1681                                         if (dsize < 0)
1682                                                 {
1683                                                 *al = SSL_AD_DECODE_ERROR;
1684                                                 return 0;
1685                                                 }
1686                                         sdata = data;
1687                                         data += idsize;
1688                                         id = d2i_OCSP_RESPID(NULL,
1689                                                                 &sdata, idsize);
1690                                         if (!id)
1691                                                 {
1692                                                 *al = SSL_AD_DECODE_ERROR;
1693                                                 return 0;
1694                                                 }
1695                                         if (data != sdata)
1696                                                 {
1697                                                 OCSP_RESPID_free(id);
1698                                                 *al = SSL_AD_DECODE_ERROR;
1699                                                 return 0;
1700                                                 }
1701                                         if (!s->tlsext_ocsp_ids
1702                                                 && !(s->tlsext_ocsp_ids =
1703                                                 sk_OCSP_RESPID_new_null()))
1704                                                 {
1705                                                 OCSP_RESPID_free(id);
1706                                                 *al = SSL_AD_INTERNAL_ERROR;
1707                                                 return 0;
1708                                                 }
1709                                         if (!sk_OCSP_RESPID_push(
1710                                                         s->tlsext_ocsp_ids, id))
1711                                                 {
1712                                                 OCSP_RESPID_free(id);
1713                                                 *al = SSL_AD_INTERNAL_ERROR;
1714                                                 return 0;
1715                                                 }
1716                                         }
1717
1718                                 /* Read in request_extensions */
1719                                 if (size < 2)
1720                                         {
1721                                         *al = SSL_AD_DECODE_ERROR;
1722                                         return 0;
1723                                         }
1724                                 n2s(data,dsize);
1725                                 size -= 2;
1726                                 if (dsize != size)
1727                                         {
1728                                         *al = SSL_AD_DECODE_ERROR;
1729                                         return 0;
1730                                         }
1731                                 sdata = data;
1732                                 if (dsize > 0)
1733                                         {
1734                                         if (s->tlsext_ocsp_exts)
1735                                                 {
1736                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1737                                                                            X509_EXTENSION_free);
1738                                                 }
1739
1740                                         s->tlsext_ocsp_exts =
1741                                                 d2i_X509_EXTENSIONS(NULL,
1742                                                         &sdata, dsize);
1743                                         if (!s->tlsext_ocsp_exts
1744                                                 || (data + dsize != sdata))
1745                                                 {
1746                                                 *al = SSL_AD_DECODE_ERROR;
1747                                                 return 0;
1748                                                 }
1749                                         }
1750                                 }
1751                                 /* We don't know what to do with any other type
1752                                 * so ignore it.
1753                                 */
1754                                 else
1755                                         s->tlsext_status_type = -1;
1756                         }
1757 #ifndef OPENSSL_NO_HEARTBEATS
1758                 else if (type == TLSEXT_TYPE_heartbeat)
1759                         {
1760                         switch(data[0])
1761                                 {
1762                                 case 0x01:      /* Client allows us to send HB requests */
1763                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1764                                                         break;
1765                                 case 0x02:      /* Client doesn't accept HB requests */
1766                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1767                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1768                                                         break;
1769                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1770                                                         return 0;
1771                                 }
1772                         }
1773 #endif
1774 #ifndef OPENSSL_NO_NEXTPROTONEG
1775                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1776                          s->s3->tmp.finish_md_len == 0)
1777                         {
1778                         /* We shouldn't accept this extension on a
1779                          * renegotiation.
1780                          *
1781                          * s->new_session will be set on renegotiation, but we
1782                          * probably shouldn't rely that it couldn't be set on
1783                          * the initial renegotation too in certain cases (when
1784                          * there's some other reason to disallow resuming an
1785                          * earlier session -- the current code won't be doing
1786                          * anything like that, but this might change).
1787
1788                          * A valid sign that there's been a previous handshake
1789                          * in this connection is if s->s3->tmp.finish_md_len >
1790                          * 0.  (We are talking about a check that will happen
1791                          * in the Hello protocol round, well before a new
1792                          * Finished message could have been computed.) */
1793                         s->s3->next_proto_neg_seen = 1;
1794                         }
1795 #endif
1796
1797                 /* session ticket processed earlier */
1798                 else if (type == TLSEXT_TYPE_use_srtp)
1799                         {
1800                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1801                                                               al))
1802                                 return 0;
1803                         }
1804
1805                 else if (type == TLSEXT_TYPE_server_authz)
1806                         {
1807                         unsigned char *sdata = data;
1808                         unsigned char server_authz_dataformatlist_length;
1809
1810                         if (size == 0)
1811                                 {
1812                                 *al = TLS1_AD_DECODE_ERROR;
1813                                 return 0;
1814                                 }
1815
1816                         server_authz_dataformatlist_length = *(sdata++);
1817
1818                         if (server_authz_dataformatlist_length != size - 1)
1819                                 {
1820                                 *al = TLS1_AD_DECODE_ERROR;
1821                                 return 0;
1822                                 }
1823
1824                         /* Successful session resumption uses the same authz
1825                          * information as the original session so we ignore this
1826                          * in the case of a session resumption. */
1827                         if (!s->hit)
1828                                 {
1829                                 size_t i;
1830                                 if (s->s3->tlsext_authz_client_types != NULL)
1831                                         OPENSSL_free(s->s3->tlsext_authz_client_types);
1832                                 s->s3->tlsext_authz_client_types =
1833                                         OPENSSL_malloc(server_authz_dataformatlist_length);
1834                                 if (!s->s3->tlsext_authz_client_types)
1835                                         {
1836                                         *al = TLS1_AD_INTERNAL_ERROR;
1837                                         return 0;
1838                                         }
1839
1840                                 s->s3->tlsext_authz_client_types_len =
1841                                         server_authz_dataformatlist_length;
1842                                 memcpy(s->s3->tlsext_authz_client_types,
1843                                        sdata,
1844                                        server_authz_dataformatlist_length);
1845
1846                                 /* Sort the types in order to check for duplicates. */
1847                                 qsort(s->s3->tlsext_authz_client_types,
1848                                       server_authz_dataformatlist_length,
1849                                       1 /* element size */,
1850                                       byte_compare);
1851
1852                                 for (i = 0; i < server_authz_dataformatlist_length; i++)
1853                                         {
1854                                         if (i > 0 &&
1855                                             s->s3->tlsext_authz_client_types[i] ==
1856                                               s->s3->tlsext_authz_client_types[i-1])
1857                                                 {
1858                                                 *al = TLS1_AD_DECODE_ERROR;
1859                                                 return 0;
1860                                                 }
1861                                         }
1862                                 }
1863                         }
1864
1865                 data+=size;
1866                 }
1867
1868         *p = data;
1869
1870         ri_check:
1871
1872         /* Need RI if renegotiating */
1873
1874         if (!renegotiate_seen && s->renegotiate &&
1875                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1876                 {
1877                 *al = SSL_AD_HANDSHAKE_FAILURE;
1878                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1879                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1880                 return 0;
1881                 }
1882         /* If no signature algorithms extension set default values */
1883         if (!s->cert->peer_sigalgs)
1884                 ssl_cert_set_default_md(s->cert);
1885
1886         return 1;
1887         }
1888
1889 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
1890         {
1891         int al = -1;
1892         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
1893                 {
1894                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1895                 return 0;
1896                 }
1897
1898         if (ssl_check_clienthello_tlsext(s) <= 0) 
1899                 {
1900                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
1901                 return 0;
1902                 }
1903         return 1;
1904 }
1905
1906 #ifndef OPENSSL_NO_NEXTPROTONEG
1907 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1908  * elements of zero length are allowed and the set of elements must exactly fill
1909  * the length of the block. */
1910 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1911         {
1912         unsigned int off = 0;
1913
1914         while (off < len)
1915                 {
1916                 if (d[off] == 0)
1917                         return 0;
1918                 off += d[off];
1919                 off++;
1920                 }
1921
1922         return off == len;
1923         }
1924 #endif
1925
1926 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1927         {
1928         unsigned short length;
1929         unsigned short type;
1930         unsigned short size;
1931         unsigned char *data = *p;
1932         int tlsext_servername = 0;
1933         int renegotiate_seen = 0;
1934
1935 #ifndef OPENSSL_NO_NEXTPROTONEG
1936         s->s3->next_proto_neg_seen = 0;
1937 #endif
1938
1939 #ifndef OPENSSL_NO_HEARTBEATS
1940         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1941                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1942 #endif
1943
1944         if (data >= (d+n-2))
1945                 goto ri_check;
1946
1947         n2s(data,length);
1948         if (data+length != d+n)
1949                 {
1950                 *al = SSL_AD_DECODE_ERROR;
1951                 return 0;
1952                 }
1953
1954         while(data <= (d+n-4))
1955                 {
1956                 n2s(data,type);
1957                 n2s(data,size);
1958
1959                 if (data+size > (d+n))
1960                         goto ri_check;
1961
1962                 if (s->tlsext_debug_cb)
1963                         s->tlsext_debug_cb(s, 1, type, data, size,
1964                                                 s->tlsext_debug_arg);
1965
1966                 if (type == TLSEXT_TYPE_server_name)
1967                         {
1968                         if (s->tlsext_hostname == NULL || size > 0)
1969                                 {
1970                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1971                                 return 0;
1972                                 }
1973                         tlsext_servername = 1;   
1974                         }
1975
1976 #ifndef OPENSSL_NO_EC
1977                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1978                      s->version != DTLS1_VERSION)
1979                         {
1980                         unsigned char *sdata = data;
1981                         int ecpointformatlist_length = *(sdata++);
1982
1983                         if (ecpointformatlist_length != size - 1)
1984                                 {
1985                                 *al = TLS1_AD_DECODE_ERROR;
1986                                 return 0;
1987                                 }
1988                         s->session->tlsext_ecpointformatlist_length = 0;
1989                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1990                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1991                                 {
1992                                 *al = TLS1_AD_INTERNAL_ERROR;
1993                                 return 0;
1994                                 }
1995                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1996                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1997 #if 0
1998                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1999                         sdata = s->session->tlsext_ecpointformatlist;
2000                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2001                                 fprintf(stderr,"%i ",*(sdata++));
2002                         fprintf(stderr,"\n");
2003 #endif
2004                         }
2005 #endif /* OPENSSL_NO_EC */
2006
2007                 else if (type == TLSEXT_TYPE_session_ticket)
2008                         {
2009                         if (s->tls_session_ticket_ext_cb &&
2010                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2011                                 {
2012                                 *al = TLS1_AD_INTERNAL_ERROR;
2013                                 return 0;
2014                                 }
2015                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2016                                 || (size > 0))
2017                                 {
2018                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2019                                 return 0;
2020                                 }
2021                         s->tlsext_ticket_expected = 1;
2022                         }
2023 #ifdef TLSEXT_TYPE_opaque_prf_input
2024                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
2025                      s->version != DTLS1_VERSION)
2026                         {
2027                         unsigned char *sdata = data;
2028
2029                         if (size < 2)
2030                                 {
2031                                 *al = SSL_AD_DECODE_ERROR;
2032                                 return 0;
2033                                 }
2034                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2035                         if (s->s3->server_opaque_prf_input_len != size - 2)
2036                                 {
2037                                 *al = SSL_AD_DECODE_ERROR;
2038                                 return 0;
2039                                 }
2040                         
2041                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2042                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2043                         if (s->s3->server_opaque_prf_input_len == 0)
2044                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2045                         else
2046                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2047
2048                         if (s->s3->server_opaque_prf_input == NULL)
2049                                 {
2050                                 *al = TLS1_AD_INTERNAL_ERROR;
2051                                 return 0;
2052                                 }
2053                         }
2054 #endif
2055                 else if (type == TLSEXT_TYPE_status_request &&
2056                          s->version != DTLS1_VERSION)
2057                         {
2058                         /* MUST be empty and only sent if we've requested
2059                          * a status request message.
2060                          */ 
2061                         if ((s->tlsext_status_type == -1) || (size > 0))
2062                                 {
2063                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2064                                 return 0;
2065                                 }
2066                         /* Set flag to expect CertificateStatus message */
2067                         s->tlsext_status_expected = 1;
2068                         }
2069 #ifndef OPENSSL_NO_NEXTPROTONEG
2070                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2071                          s->s3->tmp.finish_md_len == 0)
2072                         {
2073                         unsigned char *selected;
2074                         unsigned char selected_len;
2075
2076                         /* We must have requested it. */
2077                         if ((s->ctx->next_proto_select_cb == NULL))
2078                                 {
2079                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2080                                 return 0;
2081                                 }
2082                         /* The data must be valid */
2083                         if (!ssl_next_proto_validate(data, size))
2084                                 {
2085                                 *al = TLS1_AD_DECODE_ERROR;
2086                                 return 0;
2087                                 }
2088                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2089                                 {
2090                                 *al = TLS1_AD_INTERNAL_ERROR;
2091                                 return 0;
2092                                 }
2093                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2094                         if (!s->next_proto_negotiated)
2095                                 {
2096                                 *al = TLS1_AD_INTERNAL_ERROR;
2097                                 return 0;
2098                                 }
2099                         memcpy(s->next_proto_negotiated, selected, selected_len);
2100                         s->next_proto_negotiated_len = selected_len;
2101                         s->s3->next_proto_neg_seen = 1;
2102                         }
2103 #endif
2104                 else if (type == TLSEXT_TYPE_renegotiate)
2105                         {
2106                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2107                                 return 0;
2108                         renegotiate_seen = 1;
2109                         }
2110 #ifndef OPENSSL_NO_HEARTBEATS
2111                 else if (type == TLSEXT_TYPE_heartbeat)
2112                         {
2113                         switch(data[0])
2114                                 {
2115                                 case 0x01:      /* Server allows us to send HB requests */
2116                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2117                                                         break;
2118                                 case 0x02:      /* Server doesn't accept HB requests */
2119                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2120                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2121                                                         break;
2122                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2123                                                         return 0;
2124                                 }
2125                         }
2126 #endif
2127                 else if (type == TLSEXT_TYPE_use_srtp)
2128                         {
2129                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2130                                                               al))
2131                                 return 0;
2132                         }
2133
2134                 else if (type == TLSEXT_TYPE_server_authz)
2135                         {
2136                         /* We only support audit proofs. It's an error to send
2137                          * an authz hello extension if the client
2138                          * didn't request a proof. */
2139                         unsigned char *sdata = data;
2140                         unsigned char server_authz_dataformatlist_length;
2141
2142                         if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2143                                 {
2144                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2145                                 return 0;
2146                                 }
2147
2148                         if (!size)
2149                                 {
2150                                 *al = TLS1_AD_DECODE_ERROR;
2151                                 return 0;
2152                                 }
2153
2154                         server_authz_dataformatlist_length = *(sdata++);
2155                         if (server_authz_dataformatlist_length != size - 1)
2156                                 {
2157                                 *al = TLS1_AD_DECODE_ERROR;
2158                                 return 0;
2159                                 }
2160
2161                         /* We only support audit proofs, so a legal ServerHello
2162                          * authz list contains exactly one entry. */
2163                         if (server_authz_dataformatlist_length != 1 ||
2164                                 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2165                                 {
2166                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2167                                 return 0;
2168                                 }
2169
2170                         s->s3->tlsext_authz_server_promised = 1;
2171                         }
2172  
2173                 data += size;
2174                 }
2175
2176         if (data != d+n)
2177                 {
2178                 *al = SSL_AD_DECODE_ERROR;
2179                 return 0;
2180                 }
2181
2182         if (!s->hit && tlsext_servername == 1)
2183                 {
2184                 if (s->tlsext_hostname)
2185                         {
2186                         if (s->session->tlsext_hostname == NULL)
2187                                 {
2188                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2189                                 if (!s->session->tlsext_hostname)
2190                                         {
2191                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2192                                         return 0;
2193                                         }
2194                                 }
2195                         else 
2196                                 {
2197                                 *al = SSL_AD_DECODE_ERROR;
2198                                 return 0;
2199                                 }
2200                         }
2201                 }
2202
2203         *p = data;
2204
2205         ri_check:
2206
2207         /* Determine if we need to see RI. Strictly speaking if we want to
2208          * avoid an attack we should *always* see RI even on initial server
2209          * hello because the client doesn't see any renegotiation during an
2210          * attack. However this would mean we could not connect to any server
2211          * which doesn't support RI so for the immediate future tolerate RI
2212          * absence on initial connect only.
2213          */
2214         if (!renegotiate_seen
2215                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2216                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2217                 {
2218                 *al = SSL_AD_HANDSHAKE_FAILURE;
2219                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2220                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2221                 return 0;
2222                 }
2223
2224         return 1;
2225         }
2226
2227
2228 int ssl_prepare_clienthello_tlsext(SSL *s)
2229         {
2230
2231 #ifdef TLSEXT_TYPE_opaque_prf_input
2232         {
2233                 int r = 1;
2234         
2235                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2236                         {
2237                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2238                         if (!r)
2239                                 return -1;
2240                         }
2241
2242                 if (s->tlsext_opaque_prf_input != NULL)
2243                         {
2244                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2245                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2246
2247                         if (s->tlsext_opaque_prf_input_len == 0)
2248                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2249                         else
2250                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2251                         if (s->s3->client_opaque_prf_input == NULL)
2252                                 {
2253                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2254                                 return -1;
2255                                 }
2256                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2257                         }
2258
2259                 if (r == 2)
2260                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2261                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2262         }
2263 #endif
2264
2265         return 1;
2266         }
2267
2268 int ssl_prepare_serverhello_tlsext(SSL *s)
2269         {
2270 #ifndef OPENSSL_NO_EC
2271         /* If we are server and using an ECC cipher suite, send the point formats we support 
2272          * if the client sent us an ECPointsFormat extension.  Note that the server is not
2273          * supposed to send an EllipticCurves extension.
2274          */
2275
2276         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2277         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2278         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
2279         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
2280         
2281         if (using_ecc)
2282                 {
2283                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
2284                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
2285                         {
2286                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2287                         return -1;
2288                         }
2289                 s->tlsext_ecpointformatlist_length = 3;
2290                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
2291                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
2292                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2293                 }
2294 #endif /* OPENSSL_NO_EC */
2295
2296         return 1;
2297         }
2298
2299 static int ssl_check_clienthello_tlsext(SSL *s)
2300         {
2301         int ret=SSL_TLSEXT_ERR_NOACK;
2302         int al = SSL_AD_UNRECOGNIZED_NAME;
2303
2304 #ifndef OPENSSL_NO_EC
2305         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2306          * ssl3_choose_cipher in s3_lib.c.
2307          */
2308         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2309          * ssl3_choose_cipher in s3_lib.c.
2310          */
2311 #endif
2312
2313         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2314                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2315         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2316                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2317
2318         /* If status request then ask callback what to do.
2319          * Note: this must be called after servername callbacks in case 
2320          * the certificate has changed.
2321          */
2322         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2323                 {
2324                 int r;
2325                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2326                 switch (r)
2327                         {
2328                         /* We don't want to send a status request response */
2329                         case SSL_TLSEXT_ERR_NOACK:
2330                                 s->tlsext_status_expected = 0;
2331                                 break;
2332                         /* status request response should be sent */
2333                         case SSL_TLSEXT_ERR_OK:
2334                                 if (s->tlsext_ocsp_resp)
2335                                         s->tlsext_status_expected = 1;
2336                                 else
2337                                         s->tlsext_status_expected = 0;
2338                                 break;
2339                         /* something bad happened */
2340                         case SSL_TLSEXT_ERR_ALERT_FATAL:
2341                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2342                                 al = SSL_AD_INTERNAL_ERROR;
2343                                 goto err;
2344                         }
2345                 }
2346         else
2347                 s->tlsext_status_expected = 0;
2348
2349 #ifdef TLSEXT_TYPE_opaque_prf_input
2350         {
2351                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2352                  * but we might be sending an alert in response to the client hello,
2353                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
2354
2355                 int r = 1;
2356         
2357                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2358                         {
2359                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2360                         if (!r)
2361                                 {
2362                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2363                                 al = SSL_AD_INTERNAL_ERROR;
2364                                 goto err;
2365                                 }
2366                         }
2367
2368                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2369                         OPENSSL_free(s->s3->server_opaque_prf_input);
2370                 s->s3->server_opaque_prf_input = NULL;
2371
2372                 if (s->tlsext_opaque_prf_input != NULL)
2373                         {
2374                         if (s->s3->client_opaque_prf_input != NULL &&
2375                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2376                                 {
2377                                 /* can only use this extension if we have a server opaque PRF input
2378                                  * of the same length as the client opaque PRF input! */
2379
2380                                 if (s->tlsext_opaque_prf_input_len == 0)
2381                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2382                                 else
2383                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2384                                 if (s->s3->server_opaque_prf_input == NULL)
2385                                         {
2386                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2387                                         al = SSL_AD_INTERNAL_ERROR;
2388                                         goto err;
2389                                         }
2390                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2391                                 }
2392                         }
2393
2394                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2395                         {
2396                         /* The callback wants to enforce use of the extension,
2397                          * but we can't do that with the client opaque PRF input;
2398                          * abort the handshake.
2399                          */
2400                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2401                         al = SSL_AD_HANDSHAKE_FAILURE;
2402                         }
2403         }
2404
2405 #endif
2406  err:
2407         switch (ret)
2408                 {
2409                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2410                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2411                         return -1;
2412
2413                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2414                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2415                         return 1; 
2416                                         
2417                 case SSL_TLSEXT_ERR_NOACK:
2418                         s->servername_done=0;
2419                         default:
2420                 return 1;
2421                 }
2422         }
2423
2424 int ssl_check_serverhello_tlsext(SSL *s)
2425         {
2426         int ret=SSL_TLSEXT_ERR_NOACK;
2427         int al = SSL_AD_UNRECOGNIZED_NAME;
2428
2429 #ifndef OPENSSL_NO_EC
2430         /* If we are client and using an elliptic curve cryptography cipher
2431          * suite, then if server returns an EC point formats lists extension
2432          * it must contain uncompressed.
2433          */
2434         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2435         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2436         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
2437             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
2438             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2439                 {
2440                 /* we are using an ECC cipher */
2441                 size_t i;
2442                 unsigned char *list;
2443                 int found_uncompressed = 0;
2444                 list = s->session->tlsext_ecpointformatlist;
2445                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2446                         {
2447                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2448                                 {
2449                                 found_uncompressed = 1;
2450                                 break;
2451                                 }
2452                         }
2453                 if (!found_uncompressed)
2454                         {
2455                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2456                         return -1;
2457                         }
2458                 }
2459         ret = SSL_TLSEXT_ERR_OK;
2460 #endif /* OPENSSL_NO_EC */
2461
2462         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2463                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2464         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2465                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2466
2467 #ifdef TLSEXT_TYPE_opaque_prf_input
2468         if (s->s3->server_opaque_prf_input_len > 0)
2469                 {
2470                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2471                  * So first verify that we really have a value from the server too. */
2472
2473                 if (s->s3->server_opaque_prf_input == NULL)
2474                         {
2475                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2476                         al = SSL_AD_HANDSHAKE_FAILURE;
2477                         }
2478                 
2479                 /* Anytime the server *has* sent an opaque PRF input, we need to check
2480                  * that we have a client opaque PRF input of the same size. */
2481                 if (s->s3->client_opaque_prf_input == NULL ||
2482                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2483                         {
2484                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2485                         al = SSL_AD_ILLEGAL_PARAMETER;
2486                         }
2487                 }
2488 #endif
2489
2490         /* If we've requested certificate status and we wont get one
2491          * tell the callback
2492          */
2493         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2494                         && s->ctx && s->ctx->tlsext_status_cb)
2495                 {
2496                 int r;
2497                 /* Set resp to NULL, resplen to -1 so callback knows
2498                  * there is no response.
2499                  */
2500                 if (s->tlsext_ocsp_resp)
2501                         {
2502                         OPENSSL_free(s->tlsext_ocsp_resp);
2503                         s->tlsext_ocsp_resp = NULL;
2504                         }
2505                 s->tlsext_ocsp_resplen = -1;
2506                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2507                 if (r == 0)
2508                         {
2509                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2510                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2511                         }
2512                 if (r < 0)
2513                         {
2514                         al = SSL_AD_INTERNAL_ERROR;
2515                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2516                         }
2517                 }
2518
2519         switch (ret)
2520                 {
2521                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2522                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2523                         return -1;
2524
2525                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2526                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2527                         return 1; 
2528                                         
2529                 case SSL_TLSEXT_ERR_NOACK:
2530                         s->servername_done=0;
2531                         default:
2532                 return 1;
2533                 }
2534         }
2535
2536 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2537         {
2538         int al = -1;
2539         if (s->version < SSL3_VERSION)
2540                 return 1;
2541         if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
2542                 {
2543                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2544                 return 0;
2545                 }
2546
2547         if (ssl_check_serverhello_tlsext(s) <= 0) 
2548                 {
2549                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
2550                 return 0;
2551                 }
2552         return 1;
2553 }
2554
2555 /* Since the server cache lookup is done early on in the processing of the
2556  * ClientHello, and other operations depend on the result, we need to handle
2557  * any TLS session ticket extension at the same time.
2558  *
2559  *   session_id: points at the session ID in the ClientHello. This code will
2560  *       read past the end of this in order to parse out the session ticket
2561  *       extension, if any.
2562  *   len: the length of the session ID.
2563  *   limit: a pointer to the first byte after the ClientHello.
2564  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2565  *       point to the resulting session.
2566  *
2567  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2568  * ciphersuite, in which case we have no use for session tickets and one will
2569  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2570  *
2571  * Returns:
2572  *   -1: fatal error, either from parsing or decrypting the ticket.
2573  *    0: no ticket was found (or was ignored, based on settings).
2574  *    1: a zero length extension was found, indicating that the client supports
2575  *       session tickets but doesn't currently have one to offer.
2576  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2577  *       couldn't be decrypted because of a non-fatal error.
2578  *    3: a ticket was successfully decrypted and *ret was set.
2579  *
2580  * Side effects:
2581  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2582  *   a new session ticket to the client because the client indicated support
2583  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2584  *   a session ticket or we couldn't use the one it gave us, or if
2585  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2586  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2587  */
2588 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2589                         const unsigned char *limit, SSL_SESSION **ret)
2590         {
2591         /* Point after session ID in client hello */
2592         const unsigned char *p = session_id + len;
2593         unsigned short i;
2594
2595         *ret = NULL;
2596         s->tlsext_ticket_expected = 0;
2597
2598         /* If tickets disabled behave as if no ticket present
2599          * to permit stateful resumption.
2600          */
2601         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2602                 return 0;
2603         if ((s->version <= SSL3_VERSION) || !limit)
2604                 return 0;
2605         if (p >= limit)
2606                 return -1;
2607         /* Skip past DTLS cookie */
2608         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2609                 {
2610                 i = *(p++);
2611                 p+= i;
2612                 if (p >= limit)
2613                         return -1;
2614                 }
2615         /* Skip past cipher list */
2616         n2s(p, i);
2617         p+= i;
2618         if (p >= limit)
2619                 return -1;
2620         /* Skip past compression algorithm list */
2621         i = *(p++);
2622         p += i;
2623         if (p > limit)
2624                 return -1;
2625         /* Now at start of extensions */
2626         if ((p + 2) >= limit)
2627                 return 0;
2628         n2s(p, i);
2629         while ((p + 4) <= limit)
2630                 {
2631                 unsigned short type, size;
2632                 n2s(p, type);
2633                 n2s(p, size);
2634                 if (p + size > limit)
2635                         return 0;
2636                 if (type == TLSEXT_TYPE_session_ticket)
2637                         {
2638                         int r;
2639                         if (size == 0)
2640                                 {
2641                                 /* The client will accept a ticket but doesn't
2642                                  * currently have one. */
2643                                 s->tlsext_ticket_expected = 1;
2644                                 return 1;
2645                                 }
2646                         if (s->tls_session_secret_cb)
2647                                 {
2648                                 /* Indicate that the ticket couldn't be
2649                                  * decrypted rather than generating the session
2650                                  * from ticket now, trigger abbreviated
2651                                  * handshake based on external mechanism to
2652                                  * calculate the master secret later. */
2653                                 return 2;
2654                                 }
2655                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2656                         switch (r)
2657                                 {
2658                                 case 2: /* ticket couldn't be decrypted */
2659                                         s->tlsext_ticket_expected = 1;
2660                                         return 2;
2661                                 case 3: /* ticket was decrypted */
2662                                         return r;
2663                                 case 4: /* ticket decrypted but need to renew */
2664                                         s->tlsext_ticket_expected = 1;
2665                                         return 3;
2666                                 default: /* fatal error */
2667                                         return -1;
2668                                 }
2669                         }
2670                 p += size;
2671                 }
2672         return 0;
2673         }
2674
2675 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2676  *
2677  *   etick: points to the body of the session ticket extension.
2678  *   eticklen: the length of the session tickets extenion.
2679  *   sess_id: points at the session ID.
2680  *   sesslen: the length of the session ID.
2681  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2682  *       point to the resulting session.
2683  *
2684  * Returns:
2685  *   -1: fatal error, either from parsing or decrypting the ticket.
2686  *    2: the ticket couldn't be decrypted.
2687  *    3: a ticket was successfully decrypted and *psess was set.
2688  *    4: same as 3, but the ticket needs to be renewed.
2689  */
2690 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2691                                 const unsigned char *sess_id, int sesslen,
2692                                 SSL_SESSION **psess)
2693         {
2694         SSL_SESSION *sess;
2695         unsigned char *sdec;
2696         const unsigned char *p;
2697         int slen, mlen, renew_ticket = 0;
2698         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2699         HMAC_CTX hctx;
2700         EVP_CIPHER_CTX ctx;
2701         SSL_CTX *tctx = s->initial_ctx;
2702         /* Need at least keyname + iv + some encrypted data */
2703         if (eticklen < 48)
2704                 return 2;
2705         /* Initialize session ticket encryption and HMAC contexts */
2706         HMAC_CTX_init(&hctx);
2707         EVP_CIPHER_CTX_init(&ctx);
2708         if (tctx->tlsext_ticket_key_cb)
2709                 {
2710                 unsigned char *nctick = (unsigned char *)etick;
2711                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2712                                                         &ctx, &hctx, 0);
2713                 if (rv < 0)
2714                         return -1;
2715                 if (rv == 0)
2716                         return 2;
2717                 if (rv == 2)
2718                         renew_ticket = 1;
2719                 }
2720         else
2721                 {
2722                 /* Check key name matches */
2723                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2724                         return 2;
2725                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2726                                         tlsext_tick_md(), NULL);
2727                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2728                                 tctx->tlsext_tick_aes_key, etick + 16);
2729                 }
2730         /* Attempt to process session ticket, first conduct sanity and
2731          * integrity checks on ticket.
2732          */
2733         mlen = HMAC_size(&hctx);
2734         if (mlen < 0)
2735                 {
2736                 EVP_CIPHER_CTX_cleanup(&ctx);
2737                 return -1;
2738                 }
2739         eticklen -= mlen;
2740         /* Check HMAC of encrypted ticket */
2741         HMAC_Update(&hctx, etick, eticklen);
2742         HMAC_Final(&hctx, tick_hmac, NULL);
2743         HMAC_CTX_cleanup(&hctx);
2744         if (memcmp(tick_hmac, etick + eticklen, mlen))
2745                 return 2;
2746         /* Attempt to decrypt session data */
2747         /* Move p after IV to start of encrypted ticket, update length */
2748         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2749         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2750         sdec = OPENSSL_malloc(eticklen);
2751         if (!sdec)
2752                 {
2753                 EVP_CIPHER_CTX_cleanup(&ctx);
2754                 return -1;
2755                 }
2756         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2757         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2758                 return 2;
2759         slen += mlen;
2760         EVP_CIPHER_CTX_cleanup(&ctx);
2761         p = sdec;
2762
2763         sess = d2i_SSL_SESSION(NULL, &p, slen);
2764         OPENSSL_free(sdec);
2765         if (sess)
2766                 {
2767                 /* The session ID, if non-empty, is used by some clients to
2768                  * detect that the ticket has been accepted. So we copy it to
2769                  * the session structure. If it is empty set length to zero
2770                  * as required by standard.
2771                  */
2772                 if (sesslen)
2773                         memcpy(sess->session_id, sess_id, sesslen);
2774                 sess->session_id_length = sesslen;
2775                 *psess = sess;
2776                 if (renew_ticket)
2777                         return 4;
2778                 else
2779                         return 3;
2780                 }
2781         ERR_clear_error();
2782         /* For session parse failure, indicate that we need to send a new
2783          * ticket. */
2784         return 2;
2785         }
2786
2787 /* Tables to translate from NIDs to TLS v1.2 ids */
2788
2789 typedef struct 
2790         {
2791         int nid;
2792         int id;
2793         } tls12_lookup;
2794
2795 static tls12_lookup tls12_md[] = {
2796         {NID_md5, TLSEXT_hash_md5},
2797         {NID_sha1, TLSEXT_hash_sha1},
2798         {NID_sha224, TLSEXT_hash_sha224},
2799         {NID_sha256, TLSEXT_hash_sha256},
2800         {NID_sha384, TLSEXT_hash_sha384},
2801         {NID_sha512, TLSEXT_hash_sha512}
2802 };
2803
2804 static tls12_lookup tls12_sig[] = {
2805         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2806         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2807         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2808 };
2809
2810 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2811         {
2812         size_t i;
2813         for (i = 0; i < tlen; i++)
2814                 {
2815                 if (table[i].nid == nid)
2816                         return table[i].id;
2817                 }
2818         return -1;
2819         }
2820
2821 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2822         {
2823         size_t i;
2824         for (i = 0; i < tlen; i++)
2825                 {
2826                 if ((table[i].id) == id)
2827                         return table[i].nid;
2828                 }
2829         return NID_undef;
2830         }
2831
2832 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2833         {
2834         int sig_id, md_id;
2835         if (!md)
2836                 return 0;
2837         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2838                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2839         if (md_id == -1)
2840                 return 0;
2841         sig_id = tls12_get_sigid(pk);
2842         if (sig_id == -1)
2843                 return 0;
2844         p[0] = (unsigned char)md_id;
2845         p[1] = (unsigned char)sig_id;
2846         return 1;
2847         }
2848
2849 int tls12_get_sigid(const EVP_PKEY *pk)
2850         {
2851         return tls12_find_id(pk->type, tls12_sig,
2852                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2853         }
2854
2855 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2856         {
2857         switch(hash_alg)
2858                 {
2859 #ifndef OPENSSL_NO_MD5
2860                 case TLSEXT_hash_md5:
2861 #ifdef OPENSSL_FIPS
2862                 if (FIPS_mode())
2863                         return NULL;
2864 #endif
2865                 return EVP_md5();
2866 #endif
2867 #ifndef OPENSSL_NO_SHA
2868                 case TLSEXT_hash_sha1:
2869                 return EVP_sha1();
2870 #endif
2871 #ifndef OPENSSL_NO_SHA256
2872                 case TLSEXT_hash_sha224:
2873                 return EVP_sha224();
2874
2875                 case TLSEXT_hash_sha256:
2876                 return EVP_sha256();
2877 #endif
2878 #ifndef OPENSSL_NO_SHA512
2879                 case TLSEXT_hash_sha384:
2880                 return EVP_sha384();
2881
2882                 case TLSEXT_hash_sha512:
2883                 return EVP_sha512();
2884 #endif
2885                 default:
2886                 return NULL;
2887
2888                 }
2889         }
2890
2891 static int tls12_get_pkey_idx(unsigned char sig_alg)
2892         {
2893         switch(sig_alg)
2894                 {
2895 #ifndef OPENSSL_NO_RSA
2896         case TLSEXT_signature_rsa:
2897                 return SSL_PKEY_RSA_SIGN;
2898 #endif
2899 #ifndef OPENSSL_NO_DSA
2900         case TLSEXT_signature_dsa:
2901                 return SSL_PKEY_DSA_SIGN;
2902 #endif
2903 #ifndef OPENSSL_NO_ECDSA
2904         case TLSEXT_signature_ecdsa:
2905                 return SSL_PKEY_ECC;
2906 #endif
2907                 }
2908         return -1;
2909         }
2910
2911 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
2912 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
2913                         int *psignhash_nid, const unsigned char *data)
2914         {
2915         int sign_nid, hash_nid;
2916         if (!phash_nid && !psign_nid && !psignhash_nid)
2917                 return;
2918         if (phash_nid || psignhash_nid)
2919                 {
2920                 hash_nid = tls12_find_nid(data[0], tls12_md,
2921                                         sizeof(tls12_md)/sizeof(tls12_lookup));
2922                 if (phash_nid)
2923                         *phash_nid = hash_nid;
2924                 }
2925         if (psign_nid || psignhash_nid)
2926                 {
2927                 sign_nid = tls12_find_nid(data[1], tls12_sig,
2928                                         sizeof(tls12_sig)/sizeof(tls12_lookup));
2929                 if (psign_nid)
2930                         *psign_nid = sign_nid;
2931                 }
2932         if (psignhash_nid)
2933                 {
2934                 if (sign_nid && hash_nid)
2935                         OBJ_find_sigid_by_algs(psignhash_nid,
2936                                                         hash_nid, sign_nid);
2937                 else
2938                         *psignhash_nid = NID_undef;
2939                 }
2940         }
2941 /* Given preference and allowed sigalgs set shared sigalgs */
2942 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
2943                                 const unsigned char *pref, size_t preflen,
2944                                 const unsigned char *allow, size_t allowlen)
2945         {
2946         const unsigned char *ptmp, *atmp;
2947         size_t i, j, nmatch = 0;
2948         for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
2949                 {
2950                 /* Skip disabled hashes or signature algorithms */
2951                 if (tls12_get_hash(ptmp[0]) == NULL)
2952                         continue;
2953                 if (tls12_get_pkey_idx(ptmp[1]) == -1)
2954                         continue;
2955                 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
2956                         {
2957                         if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
2958                                 {
2959                                 nmatch++;
2960                                 if (shsig)
2961                                         {
2962                                         shsig->rhash = ptmp[0];
2963                                         shsig->rsign = ptmp[1];
2964                                         tls1_lookup_sigalg(&shsig->hash_nid,
2965                                                 &shsig->sign_nid,
2966                                                 &shsig->signandhash_nid,
2967                                                 ptmp);
2968                                         shsig++;
2969                                         }
2970                                 break;
2971                                 }
2972                         }
2973                 }
2974         return nmatch;
2975         }
2976
2977 /* Set shared signature algorithms for SSL structures */
2978 static int tls1_set_shared_sigalgs(SSL *s)
2979         {
2980         const unsigned char *pref, *allow, *conf;
2981         size_t preflen, allowlen, conflen;
2982         size_t nmatch;
2983         TLS_SIGALGS *salgs = NULL;
2984         CERT *c = s->cert;
2985         /* If client use client signature algorithms if not NULL */
2986         if (!s->server && c->client_sigalgs)
2987                 {
2988                 conf = c->client_sigalgs;
2989                 conflen = c->client_sigalgslen;
2990                 }
2991         else if (c->conf_sigalgs)
2992                 {
2993                 conf = c->conf_sigalgs;
2994                 conflen = c->conf_sigalgslen;
2995                 }
2996         else
2997                 {
2998                 conf = tls12_sigalgs;
2999                 conflen = sizeof(tls12_sigalgs);
3000 #ifdef OPENSSL_FIPS
3001                 if (FIPS_mode())
3002                         conflen -= 2;
3003 #endif
3004                 }
3005         if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
3006                 {
3007                 pref = conf;
3008                 preflen = conflen;
3009                 allow = c->peer_sigalgs;
3010                 allowlen = c->peer_sigalgslen;
3011                 }
3012         else
3013                 {
3014                 allow = conf;
3015                 allowlen = conflen;
3016                 pref = c->peer_sigalgs;
3017                 preflen = c->peer_sigalgslen;
3018                 }
3019         nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3020         if (!nmatch)
3021                 return 1;
3022         salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3023         if (!salgs)
3024                 return 0;
3025         nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3026         c->shared_sigalgs = salgs;
3027         c->shared_sigalgslen = nmatch;
3028         return 1;
3029         }
3030                 
3031
3032 /* Set preferred digest for each key type */
3033
3034 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
3035         {
3036         int idx;
3037         size_t i;
3038         const EVP_MD *md;
3039         CERT *c = s->cert;
3040         TLS_SIGALGS *sigptr;
3041         /* Extension ignored for TLS versions below 1.2 */
3042         if (TLS1_get_version(s) < TLS1_2_VERSION)
3043                 return 1;
3044         /* Should never happen */
3045         if (!c)
3046                 return 0;
3047
3048         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
3049         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
3050         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
3051         c->pkeys[SSL_PKEY_ECC].digest = NULL;
3052
3053         c->peer_sigalgs = OPENSSL_malloc(dsize);
3054         if (!c->peer_sigalgs)
3055                 return 0;
3056         c->peer_sigalgslen = dsize;
3057         memcpy(c->peer_sigalgs, data, dsize);
3058
3059         tls1_set_shared_sigalgs(s);
3060
3061         for (i = 0, sigptr = c->shared_sigalgs;
3062                         i < c->shared_sigalgslen; i++, sigptr++)
3063                 {
3064                 idx = tls12_get_pkey_idx(sigptr->rsign);
3065                 if (idx > 0 && c->pkeys[idx].digest == NULL)
3066                         {
3067                         md = tls12_get_hash(sigptr->rhash);
3068                         c->pkeys[idx].digest = md;
3069                         if (idx == SSL_PKEY_RSA_SIGN)
3070                                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3071                         }
3072
3073                 }
3074         /* In strict mode leave unset digests as NULL to indicate we can't
3075          * use the certificate for signing.
3076          */
3077         if (!(s->cert->cert_flags & SSL_CERT_FLAG_TLS_STRICT))
3078                 {
3079                 /* Set any remaining keys to default values. NOTE: if alg is
3080                  * not supported it stays as NULL.
3081                  */
3082 #ifndef OPENSSL_NO_DSA
3083                 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3084                         c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3085 #endif
3086 #ifndef OPENSSL_NO_RSA
3087                 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
3088                         {
3089                         c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3090                         c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3091                         }
3092 #endif
3093 #ifndef OPENSSL_NO_ECDSA
3094                 if (!c->pkeys[SSL_PKEY_ECC].digest)
3095                         c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3096 #endif
3097                 }
3098         return 1;
3099         }
3100
3101
3102 int SSL_get_sigalgs(SSL *s, int idx,
3103                         int *psign, int *phash, int *psignhash,
3104                         unsigned char *rsig, unsigned char *rhash)
3105         {
3106         const unsigned char *psig = s->cert->peer_sigalgs;
3107         if (psig == NULL)
3108                 return 0;
3109         if (idx >= 0)
3110                 {
3111                 idx <<= 1;
3112                 if (idx >= (int)s->cert->peer_sigalgslen)
3113                         return 0;
3114                 psig += idx;
3115                 if (rhash)
3116                         *rhash = psig[0];
3117                 if (rsig)
3118                         *rsig = psig[1];
3119                 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3120                 }
3121         return s->cert->peer_sigalgslen / 2;
3122         }
3123
3124 int SSL_get_shared_sigalgs(SSL *s, int idx,
3125                         int *psign, int *phash, int *psignhash,
3126                         unsigned char *rsig, unsigned char *rhash)
3127         {
3128         TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3129         if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3130                 return 0;
3131         shsigalgs += idx;
3132         if (phash)
3133                 *phash = shsigalgs->hash_nid;
3134         if (psign)
3135                 *psign = shsigalgs->sign_nid;
3136         if (psignhash)
3137                 *psignhash = shsigalgs->signandhash_nid;
3138         if (rsig)
3139                 *rsig = shsigalgs->rsign;
3140         if (rhash)
3141                 *rhash = shsigalgs->rhash;
3142         return s->cert->shared_sigalgslen;
3143         }
3144         
3145
3146 #ifndef OPENSSL_NO_HEARTBEATS
3147 int
3148 tls1_process_heartbeat(SSL *s)
3149         {
3150         unsigned char *p = &s->s3->rrec.data[0], *pl;
3151         unsigned short hbtype;
3152         unsigned int payload;
3153         unsigned int padding = 16; /* Use minimum padding */
3154
3155         /* Read type and payload length first */
3156         hbtype = *p++;
3157         n2s(p, payload);
3158         pl = p;
3159
3160         if (s->msg_callback)
3161                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3162                         &s->s3->rrec.data[0], s->s3->rrec.length,
3163                         s, s->msg_callback_arg);
3164
3165         if (hbtype == TLS1_HB_REQUEST)
3166                 {
3167                 unsigned char *buffer, *bp;
3168                 int r;
3169
3170                 /* Allocate memory for the response, size is 1 bytes
3171                  * message type, plus 2 bytes payload length, plus
3172                  * payload, plus padding
3173                  */
3174                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3175                 bp = buffer;
3176                 
3177                 /* Enter response type, length and copy payload */
3178                 *bp++ = TLS1_HB_RESPONSE;
3179                 s2n(payload, bp);
3180                 memcpy(bp, pl, payload);
3181                 bp += payload;
3182                 /* Random padding */
3183                 RAND_pseudo_bytes(bp, padding);
3184
3185                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
3186
3187                 if (r >= 0 && s->msg_callback)
3188                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3189                                 buffer, 3 + payload + padding,
3190                                 s, s->msg_callback_arg);
3191
3192                 OPENSSL_free(buffer);
3193
3194                 if (r < 0)
3195                         return r;
3196                 }
3197         else if (hbtype == TLS1_HB_RESPONSE)
3198                 {
3199                 unsigned int seq;
3200                 
3201                 /* We only send sequence numbers (2 bytes unsigned int),
3202                  * and 16 random bytes, so we just try to read the
3203                  * sequence number */
3204                 n2s(pl, seq);
3205                 
3206                 if (payload == 18 && seq == s->tlsext_hb_seq)
3207                         {
3208                         s->tlsext_hb_seq++;
3209                         s->tlsext_hb_pending = 0;
3210                         }
3211                 }
3212
3213         return 0;
3214         }
3215
3216 int
3217 tls1_heartbeat(SSL *s)
3218         {
3219         unsigned char *buf, *p;
3220         int ret;
3221         unsigned int payload = 18; /* Sequence number + random bytes */
3222         unsigned int padding = 16; /* Use minimum padding */
3223
3224         /* Only send if peer supports and accepts HB requests... */
3225         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3226             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
3227                 {
3228                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3229                 return -1;
3230                 }
3231
3232         /* ...and there is none in flight yet... */
3233         if (s->tlsext_hb_pending)
3234                 {
3235                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
3236                 return -1;
3237                 }
3238                 
3239         /* ...and no handshake in progress. */
3240         if (SSL_in_init(s) || s->in_handshake)
3241                 {
3242                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
3243                 return -1;
3244                 }
3245                 
3246         /* Check if padding is too long, payload and padding
3247          * must not exceed 2^14 - 3 = 16381 bytes in total.
3248          */
3249         OPENSSL_assert(payload + padding <= 16381);
3250
3251         /* Create HeartBeat message, we just use a sequence number
3252          * as payload to distuingish different messages and add
3253          * some random stuff.
3254          *  - Message Type, 1 byte
3255          *  - Payload Length, 2 bytes (unsigned int)
3256          *  - Payload, the sequence number (2 bytes uint)
3257          *  - Payload, random bytes (16 bytes uint)
3258          *  - Padding
3259          */
3260         buf = OPENSSL_malloc(1 + 2 + payload + padding);
3261         p = buf;
3262         /* Message Type */
3263         *p++ = TLS1_HB_REQUEST;
3264         /* Payload length (18 bytes here) */
3265         s2n(payload, p);
3266         /* Sequence number */
3267         s2n(s->tlsext_hb_seq, p);
3268         /* 16 random bytes */
3269         RAND_pseudo_bytes(p, 16);
3270         p += 16;
3271         /* Random padding */
3272         RAND_pseudo_bytes(p, padding);
3273
3274         ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3275         if (ret >= 0)
3276                 {
3277                 if (s->msg_callback)
3278                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3279                                 buf, 3 + payload + padding,
3280                                 s, s->msg_callback_arg);
3281
3282                 s->tlsext_hb_pending = 1;
3283                 }
3284                 
3285         OPENSSL_free(buf);
3286
3287         return ret;
3288         }
3289 #endif
3290
3291 #define MAX_SIGALGLEN   (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3292
3293 typedef struct
3294         {
3295         size_t sigalgcnt;
3296         int sigalgs[MAX_SIGALGLEN];
3297         } sig_cb_st;
3298
3299 static int sig_cb(const char *elem, int len, void *arg)
3300         {
3301         sig_cb_st *sarg = arg;
3302         size_t i;
3303         char etmp[20], *p;
3304         int sig_alg, hash_alg;
3305         if (sarg->sigalgcnt == MAX_SIGALGLEN)
3306                 return 0;
3307         if (len > (int)(sizeof(etmp) - 1))
3308                 return 0;
3309         memcpy(etmp, elem, len);
3310         etmp[len] = 0;
3311         p = strchr(etmp, '+');
3312         if (!p)
3313                 return 0;
3314         *p = 0;
3315         p++;
3316         if (!*p)
3317                 return 0;
3318
3319         if (!strcmp(etmp, "RSA"))
3320                 sig_alg = EVP_PKEY_RSA;
3321         else if (!strcmp(etmp, "DSA"))
3322                 sig_alg = EVP_PKEY_DSA;
3323         else if (!strcmp(etmp, "ECDSA"))
3324                 sig_alg = EVP_PKEY_EC;
3325         else return 0;
3326
3327         hash_alg = OBJ_sn2nid(p);
3328         if (hash_alg == NID_undef)
3329                 hash_alg = OBJ_ln2nid(p);
3330         if (hash_alg == NID_undef)
3331                 return 0;
3332
3333         for (i = 0; i < sarg->sigalgcnt; i+=2)
3334                 {
3335                 if (sarg->sigalgs[i] == sig_alg
3336                         && sarg->sigalgs[i + 1] == hash_alg)
3337                         return 0;
3338                 }
3339         sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3340         sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3341         return 1;
3342         }
3343
3344 /* Set suppored signature algorithms based on a colon separated list
3345  * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
3346 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
3347         {
3348         sig_cb_st sig;
3349         sig.sigalgcnt = 0;
3350         if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3351                 return 0;
3352         return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3353         }
3354
3355 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
3356         {
3357         unsigned char *sigalgs, *sptr;
3358         int rhash, rsign;
3359         size_t i;
3360         if (salglen & 1)
3361                 return 0;
3362         sigalgs = OPENSSL_malloc(salglen);
3363         if (sigalgs == NULL)
3364                 return 0;
3365         for (i = 0, sptr = sigalgs; i < salglen; i+=2)
3366                 {
3367                 rhash = tls12_find_id(*psig_nids++, tls12_md,
3368                                         sizeof(tls12_md)/sizeof(tls12_lookup));
3369                 rsign = tls12_find_id(*psig_nids++, tls12_sig,
3370                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
3371
3372                 if (rhash == -1 || rsign == -1)
3373                         goto err;
3374                 *sptr++ = rhash;
3375                 *sptr++ = rsign;
3376                 }
3377
3378         if (client)
3379                 {
3380                 if (c->client_sigalgs)
3381                         OPENSSL_free(c->client_sigalgs);
3382                 c->client_sigalgs = sigalgs;
3383                 c->client_sigalgslen = salglen;
3384                 }
3385         else
3386                 {
3387                 if (c->conf_sigalgs)
3388                         OPENSSL_free(c->conf_sigalgs);
3389                 c->conf_sigalgs = sigalgs;
3390                 c->conf_sigalgslen = salglen;
3391                 }
3392
3393         return 1;
3394
3395         err:
3396         OPENSSL_free(sigalgs);
3397         return 0;
3398         }
3399
3400 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3401         {
3402         int sig_nid;
3403         size_t i;
3404         if (default_nid == -1)
3405                 return 1;
3406         sig_nid = X509_get_signature_nid(x);
3407         if (default_nid)
3408                 return sig_nid == default_nid ? 1 : 0;
3409         for (i = 0; i < c->shared_sigalgslen; i++)
3410                 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3411                         return 1;
3412         return 0;
3413         }
3414
3415 /* Check certificate chain is consistent with TLS extensions and is
3416  * usable by server.
3417  */
3418 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3419                                                                         int idx)
3420         {
3421         int i;
3422         int rv = CERT_PKEY_INVALID;
3423         CERT_PKEY *cpk = NULL;
3424         CERT *c = s->cert;
3425         if (idx != -1)
3426                 {
3427                 cpk = c->pkeys + idx;
3428                 x = cpk->x509;
3429                 pk = cpk->privatekey;
3430                 chain = cpk->chain;
3431                 /* If no cert or key, forget it */
3432                 if (!x || !pk)
3433                         goto end;
3434                 }
3435         else
3436                 {
3437                 idx = ssl_cert_type(x, pk);
3438                 if (idx == -1)
3439                         goto end;
3440                 }
3441
3442         /* Check all signature algorithms are consistent with
3443          * signature algorithms extension if TLS 1.2 or later
3444          * and strict mode.
3445          */
3446         if (TLS1_get_version(s) >= TLS1_2_VERSION
3447                 && c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
3448                 {
3449                 int default_nid;
3450                 unsigned char rsign = 0;
3451                 if (c->peer_sigalgs)
3452                         default_nid = 0;
3453                 /* If no sigalgs extension use defaults from RFC5246 */
3454                 else
3455                         {
3456                         switch(idx)
3457                                 {       
3458                         case SSL_PKEY_RSA_ENC:
3459                         case SSL_PKEY_RSA_SIGN:
3460                         case SSL_PKEY_DH_RSA:
3461                                 rsign = TLSEXT_signature_rsa;
3462                                 default_nid = NID_sha1WithRSAEncryption;
3463                                 break;
3464
3465                         case SSL_PKEY_DSA_SIGN:
3466                         case SSL_PKEY_DH_DSA:
3467                                 rsign = TLSEXT_signature_dsa;
3468                                 default_nid = NID_dsaWithSHA1;
3469                                 break;
3470
3471                         case SSL_PKEY_ECC:
3472                                 rsign = TLSEXT_signature_ecdsa;
3473                                 default_nid = NID_ecdsa_with_SHA1;
3474                                 break;
3475
3476                         default:
3477                                 default_nid = -1;
3478                                 break;
3479                                 }
3480                         }
3481                 /* If peer sent no signature algorithms extension and we
3482                  * have set preferred signature algorithms check we support
3483                  * sha1.
3484                  */
3485                 if (s->server && default_nid > 0 && c->conf_sigalgs)
3486                         {
3487                         size_t j;
3488                         const unsigned char *p = c->conf_sigalgs;
3489                         for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
3490                                 {
3491                                 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
3492                                         break;
3493                                 }
3494                         if (j == c->conf_sigalgslen)
3495                                 goto end;
3496                         }
3497                 /* Check signature algorithm of each cert in chain */
3498                 if (!tls1_check_sig_alg(c, x, default_nid))
3499                         goto end;
3500                 for (i = 0; i < sk_X509_num(chain); i++)
3501                         {
3502                         if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
3503                                                         default_nid))
3504                                 goto end;
3505                         }
3506                 }
3507
3508         /* Check cert parameters are consistent */
3509         if (!tls1_check_cert_param(s, x))
3510                 goto end;
3511         /* In strict mode check rest of chain too */
3512         if (c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
3513                 {
3514                 for (i = 0; i < sk_X509_num(chain); i++)
3515                         {
3516                         if (!tls1_check_cert_param(s, sk_X509_value(chain, i)))
3517                                 goto end;
3518                         }
3519                 }
3520         rv = CERT_PKEY_VALID;
3521
3522         end:
3523         if (cpk)
3524                 {
3525                 if (rv && cpk->digest)
3526                         rv |= CERT_PKEY_SIGN;
3527                 cpk->valid_flags = rv;
3528                 }
3529         return rv;
3530         }
3531
3532 /* Set validity of certificates in an SSL structure */
3533 void tls1_set_cert_validity(SSL *s)
3534         {
3535         tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
3536         tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
3537         tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
3538         tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
3539         tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
3540         tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
3541         }
3542 /* User level utiity function to check a chain is suitable */
3543 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
3544         {
3545