Adapt the rest of the source to the opaque HMAC_CTX

[openssl.git] / ssl / t1_lib.c
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index f08eb84ad1387d5bd6fdfb43143ce4513795141e..a6f2502c7214ab33cc4c50159679270c9296e349 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -121,8 +121,6 @@
  #endif
  #include "ssl_locl.h"
  
-const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
-
  static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
                                const unsigned char *sess_id, int sesslen,
                                SSL_SESSION **psess);
@@ -137,7 +135,6 @@ SSL3_ENC_METHOD const TLSv1_enc_data = {
      tls1_change_cipher_state,
      tls1_final_finish_mac,
      TLS1_FINISH_MAC_LENGTH,
-    tls1_cert_verify_mac,
      TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
      TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
      tls1_alert_code,
@@ -156,7 +153,6 @@ SSL3_ENC_METHOD const TLSv1_1_enc_data = {
      tls1_change_cipher_state,
      tls1_final_finish_mac,
      TLS1_FINISH_MAC_LENGTH,
-    tls1_cert_verify_mac,
      TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
      TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
      tls1_alert_code,
@@ -175,7 +171,6 @@ SSL3_ENC_METHOD const TLSv1_2_enc_data = {
      tls1_change_cipher_state,
      tls1_final_finish_mac,
      TLS1_FINISH_MAC_LENGTH,
-    tls1_cert_verify_mac,
      TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
      TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
      tls1_alert_code,
@@ -264,8 +259,8 @@ static const unsigned char ecformats_default[] = {
      TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
  };
  
-/* The client's default curves / the server's 'auto' curves. */
-static const unsigned char eccurves_auto[] = {
+/* The default curves */
+static const unsigned char eccurves_default[] = {
      /* Prefer P-256 which has the fastest and most secure implementations. */
      0, 23,                      /* secp256r1 (23) */
      /* Other >= 256-bit prime curves. */
@@ -443,13 +438,8 @@ static int tls1_get_curvelist(SSL *s, int sess,
              pcurveslen = s->tlsext_ellipticcurvelist_length;
          }
          if (!*pcurves) {
-            if (!s->server || (s->cert && s->cert->ecdh_tmp_auto)) {
-                *pcurves = eccurves_auto;
-                pcurveslen = sizeof(eccurves_auto);
-            } else {
-                *pcurves = eccurves_all;
-                pcurveslen = sizeof(eccurves_all);
-            }
+            *pcurves = eccurves_default;
+            pcurveslen = sizeof(eccurves_default);
          }
      }
  
@@ -512,8 +502,9 @@ int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
  }
  
  /*-
- * Return |nmatch|th shared curve or NID_undef if there is no match.
- * For nmatch == -1, return number of  matches
+ * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
+ * if there is no match.
+ * For nmatch == -1, return number of matches
   * For nmatch == -2, return the NID of the curve to use for
   * an EC tmp key, or NID_undef if there is no match.
   */
@@ -601,7 +592,7 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen,
       */
      unsigned long dup_list = 0;
      clist = OPENSSL_malloc(ncurves * 2);
-    if (!clist)
+    if (clist == NULL)
          return 0;
      for (i = 0, p = clist; i < ncurves; i++) {
          unsigned long idmask;
@@ -847,11 +838,18 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
  }
  
  # ifndef OPENSSL_NO_EC
-/* Check EC temporary key is compatible with client extensions */
+/*
+ * tls1_check_ec_tmp_key - Check EC temporary key compatiblity
+ * @s: SSL connection
+ * @cid: Cipher ID we're considering using
+ *
+ * Checks that the kECDHE cipher suite we're considering using
+ * is compatible with the client extensions.
+ *
+ * Returns 0 when the cipher can't be used or 1 when it can.
+ */
  int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
  {
-    unsigned char curve_id[2];
-    EC_KEY *ec = s->cert->ecdh_tmp;
  #  ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
      /* Allow any curve: not just those peer supports */
      if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
@@ -862,6 +860,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
       * curves permitted.
       */
      if (tls1_suiteb(s)) {
+        unsigned char curve_id[2];
          /* Curve to check determined by ciphersuite */
          if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
              curve_id[1] = TLSEXT_curve_P_256;
@@ -873,43 +872,12 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
          /* Check this curve is acceptable */
          if (!tls1_check_ec_key(s, curve_id, NULL))
              return 0;
-        /* If auto or setting curve from callback assume OK */
-        if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
-            return 1;
-        /* Otherwise check curve is acceptable */
-        else {
-            unsigned char curve_tmp[2];
-            if (!ec)
-                return 0;
-            if (!tls1_set_ec_id(curve_tmp, NULL, ec))
-                return 0;
-            if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
-                return 1;
-            return 0;
-        }
-
-    }
-    if (s->cert->ecdh_tmp_auto) {
-        /* Need a shared curve */
-        if (tls1_shared_curve(s, 0))
-            return 1;
-        else
-            return 0;
-    }
-    if (!ec) {
-        if (s->cert->ecdh_tmp_cb)
-            return 1;
-        else
-            return 0;
+        return 1;
      }
-    if (!tls1_set_ec_id(curve_id, NULL, ec))
-        return 0;
-/* Set this to allow use of invalid curves for testing */
-#  if 0
-    return 1;
-#  else
-    return tls1_check_ec_key(s, curve_id, NULL);
-#  endif
+    /* Need a shared curve */
+    if (tls1_shared_curve(s, 0))
+        return 1;
+    return 0;
  }
  # endif                         /* OPENSSL_NO_EC */
  
@@ -956,6 +924,11 @@ static const unsigned char tls12_sigalgs[] = {
          tlsext_sigalg(TLSEXT_hash_sha256)
          tlsext_sigalg(TLSEXT_hash_sha224)
          tlsext_sigalg(TLSEXT_hash_sha1)
+#ifndef OPENSSL_NO_GOST
+        TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
+        TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
+        TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
+#endif
  };
  
  #ifndef OPENSSL_NO_EC
@@ -1096,6 +1069,9 @@ void ssl_set_client_disabled(SSL *s)
          s->s3->tmp.mask_ssl = SSL_TLSV1_2;
      else
          s->s3->tmp.mask_ssl = 0;
+    /* Disable TLS 1.0 ciphers if using SSL v3 */
+    if (s->client_version == SSL3_VERSION)
+        s->s3->tmp.mask_ssl |= SSL_TLSV1;
      ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
      /*
       * Disable static DH if we don't include any appropriate signature
@@ -1111,7 +1087,7 @@ void ssl_set_client_disabled(SSL *s)
      /* with PSK there must be client callback set */
      if (!s->psk_client_callback) {
          s->s3->tmp.mask_a |= SSL_aPSK;
-        s->s3->tmp.mask_k |= SSL_kPSK;
+        s->s3->tmp.mask_k |= SSL_PSK;
      }
  #endif                         /* OPENSSL_NO_PSK */
  #ifndef OPENSSL_NO_SRP
@@ -1157,7 +1133,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
  
              alg_k = c->algorithm_mkey;
              alg_a = c->algorithm_auth;
-            if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)
+            if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)
                   || (alg_a & SSL_aECDSA))) {
                  using_ecc = 1;
                  break;
@@ -1329,7 +1305,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
                   s->tlsext_session_ticket->data) {
              ticklen = s->tlsext_session_ticket->length;
              s->session->tlsext_tick = OPENSSL_malloc(ticklen);
-            if (!s->session->tlsext_tick)
+            if (s->session->tlsext_tick == NULL)
                  return NULL;
              memcpy(s->session->tlsext_tick,
                     s->tlsext_session_ticket->data, ticklen);
@@ -1713,7 +1689,9 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
           * for other cases too.
           */
          if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
-            || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4)
+            || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
+            || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
+            || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
              s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
          else {
              s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
@@ -1756,53 +1734,40 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
   * alert value to send in the event of a non-zero return.  returns: 0 on
   * success.
   */
-static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
-                                         unsigned data_len, int *al)
+static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
  {
-    unsigned i;
-    unsigned proto_len;
+    unsigned int data_len;
+    unsigned int proto_len;
      const unsigned char *selected;
+    unsigned char *data;
      unsigned char selected_len;
      int r;
  
      if (s->ctx->alpn_select_cb == NULL)
          return 0;
  
-    if (data_len < 2)
-        goto parse_error;
-
      /*
       * data should contain a uint16 length followed by a series of 8-bit,
       * length-prefixed strings.
       */
-    i = ((unsigned)data[0]) << 8 | ((unsigned)data[1]);
-    data_len -= 2;
-    data += 2;
-    if (data_len != i)
-        goto parse_error;
-
-    if (data_len < 2)
+    if (!PACKET_get_net_2(pkt, &data_len)
+            || PACKET_remaining(pkt) != data_len
+            || !PACKET_peek_bytes(pkt, &data, data_len))
          goto parse_error;
  
-    for (i = 0; i < data_len;) {
-        proto_len = data[i];
-        i++;
-
-        if (proto_len == 0)
-            goto parse_error;
-
-        if (i + proto_len < i || i + proto_len > data_len)
+    do {
+        if (!PACKET_get_1(pkt, &proto_len)
+                || proto_len == 0
+                || !PACKET_forward(pkt, proto_len))
              goto parse_error;
-
-        i += proto_len;
-    }
+    } while (PACKET_remaining(pkt));
  
      r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
                                 s->ctx->alpn_select_cb_arg);
      if (r == SSL_TLSEXT_ERR_OK) {
          OPENSSL_free(s->s3->alpn_selected);
          s->s3->alpn_selected = OPENSSL_malloc(selected_len);
-        if (!s->s3->alpn_selected) {
+        if (s->s3->alpn_selected == NULL) {
              *al = SSL_AD_INTERNAL_ERROR;
              return -1;
          }
@@ -1830,10 +1795,12 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
   * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
   * 10.8..10.8.3 (which don't work).
   */
-static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-                                 const unsigned char *d, int n)
+static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
  {
-    unsigned short type, size;
+    unsigned int type, size;
+    unsigned char *eblock1, *eblock2;
+    PACKET tmppkt;
+
      static const unsigned char kSafariExtensionsBlock[] = {
          0x00, 0x0a,             /* elliptic_curves extension */
          0x00, 0x08,             /* 8 bytes */
@@ -1860,38 +1827,36 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
          0x02, 0x03,             /* SHA-1/ECDSA */
      };
  
-    if (data >= (d + n - 2))
-        return;
-    data += 2;
+    tmppkt = *pkt;
  
-    if (data > (d + n - 4))
+    if (!PACKET_forward(&tmppkt, 2)
+            || !PACKET_get_net_2(&tmppkt, &type)
+            || !PACKET_get_net_2(&tmppkt, &size)
+            || !PACKET_forward(&tmppkt, size))
          return;
-    n2s(data, type);
-    n2s(data, size);
  
      if (type != TLSEXT_TYPE_server_name)
          return;
  
-    if (data + size > d + n)
-        return;
-    data += size;
-
      if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
          const size_t len1 = sizeof(kSafariExtensionsBlock);
          const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
  
-        if (data + len1 + len2 != d + n)
+        if (!PACKET_get_bytes(&tmppkt, &eblock1, len1)
+                || !PACKET_get_bytes(&tmppkt, &eblock2, len2)
+                || PACKET_remaining(&tmppkt))
              return;
-        if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+        if (memcmp(eblock1, kSafariExtensionsBlock, len1) != 0)
              return;
-        if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
+        if (memcmp(eblock2, kSafariTLS12ExtensionsBlock, len2) != 0)
              return;
      } else {
          const size_t len = sizeof(kSafariExtensionsBlock);
  
-        if (data + len != d + n)
+        if (!PACKET_get_bytes(&tmppkt, &eblock1, len)
+                || PACKET_remaining(&tmppkt))
              return;
-        if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+        if (memcmp(eblock1, kSafariExtensionsBlock, len) != 0)
              return;
      }
  
@@ -1899,13 +1864,12 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
  }
  #endif                         /* !OPENSSL_NO_EC */
  
-static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
-                                       unsigned char *d, int n, int *al)
+static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
  {
-    unsigned short type;
-    unsigned short size;
-    unsigned short len;
-    unsigned char *data = *p;
+    unsigned int type;
+    unsigned int size;
+    unsigned int len;
+    unsigned char *data;
      int renegotiate_seen = 0;
  
      s->servername_done = 0;
@@ -1923,8 +1887,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
  
  #ifndef OPENSSL_NO_EC
      if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-        ssl_check_for_safari(s, data, d, n);
-#endif                         /* !OPENSSL_NO_EC */
+        ssl_check_for_safari(s, pkt);
+# endif /* !OPENSSL_NO_EC */
  
      /* Clear any signature algorithms extension received */
      OPENSSL_free(s->s3->tmp.peer_sigalgs);
@@ -1940,27 +1904,29 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
  
      s->srtp_profile = NULL;
  
-    if (data == d + n)
+    if (PACKET_remaining(pkt) == 0)
          goto ri_check;
  
-    if (data > (d + n - 2))
+    if (!PACKET_get_net_2(pkt, &len))
          goto err;
  
-    n2s(data, len);
-
-    if (data > (d + n - len))
+    if (PACKET_remaining(pkt) != len)
          goto err;
  
-    while (data <= (d + n - 4)) {
-        n2s(data, type);
-        n2s(data, size);
+    while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
+        PACKET subpkt;
  
-        if (data + size > (d + n))
+        if (!PACKET_peek_bytes(pkt, &data, size))
              goto err;
+
          if (s->tlsext_debug_cb)
              s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
+
+        if (!PACKET_get_sub_packet(pkt, &subpkt, size))
+            goto err;
+
          if (type == TLSEXT_TYPE_renegotiate) {
-            if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
+            if (!ssl_parse_clienthello_renegotiate_ext(s, &subpkt, al))
                  return 0;
              renegotiate_seen = 1;
          } else if (s->version == SSL3_VERSION) {
@@ -1992,23 +1958,18 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
  
          else if (type == TLSEXT_TYPE_server_name) {
              unsigned char *sdata;
-            int servname_type;
-            int dsize;
+            unsigned int servname_type;
+            unsigned int dsize;
+            PACKET ssubpkt;
  
-            if (size < 2)
-                goto err;
-            n2s(data, dsize);
-            size -= 2;
-            if (dsize > size)
+            if (!PACKET_get_net_2(&subpkt, &dsize)
+                    || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
                  goto err;
  
-            sdata = data;
-            while (dsize > 3) {
-                servname_type = *(sdata++);
-                n2s(sdata, len);
-                dsize -= 3;
-
-                if (len > dsize)
+            while (PACKET_remaining(&ssubpkt) > 3) {
+                if (!PACKET_get_1(&ssubpkt, &servname_type)
+                        || !PACKET_get_net_2(&ssubpkt, &len)
+                        || PACKET_remaining(&ssubpkt) < len)
                      goto err;
  
                  if (s->servername_done == 0)
@@ -2027,7 +1988,13 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                                  *al = TLS1_AD_INTERNAL_ERROR;
                                  return 0;
                              }
-                            memcpy(s->session->tlsext_hostname, sdata, len);
+                            if (!PACKET_copy_bytes(&ssubpkt,
+                                    (unsigned char *)s->session
+                                        ->tlsext_hostname,
+                                    len)) {
+                                *al = SSL_AD_DECODE_ERROR;
+                                return 0;
+                            }
                              s->session->tlsext_hostname[len] = '\0';
                              if (strlen(s->session->tlsext_hostname) != len) {
                                  OPENSSL_free(s->session->tlsext_hostname);
@@ -2037,48 +2004,55 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                              }
                              s->servername_done = 1;
  
-                        } else
+                        } else {
+                            if (!PACKET_get_bytes(&ssubpkt, &sdata, len)) {
+                                *al = SSL_AD_DECODE_ERROR;
+                                return 0;
+                            }
                              s->servername_done = s->session->tlsext_hostname
                                  && strlen(s->session->tlsext_hostname) == len
                                  && strncmp(s->session->tlsext_hostname,
                                             (char *)sdata, len) == 0;
+                        }
  
                          break;
  
                      default:
                          break;
                      }
-
-                dsize -= len;
              }
-            if (dsize != 0)
+            /* We shouldn't have any bytes left */
+            if (PACKET_remaining(&ssubpkt) != 0)
                  goto err;
  
          }
  #ifndef OPENSSL_NO_SRP
          else if (type == TLSEXT_TYPE_srp) {
-            if (size == 0 || ((len = data[0])) != (size - 1))
-                goto err;
-            if (s->srp_ctx.login != NULL)
+            if (!PACKET_get_1(&subpkt, &len)
+                    || s->srp_ctx.login != NULL)
                  goto err;
+
              if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
                  return -1;
-            memcpy(s->srp_ctx.login, &data[1], len);
+            if (!PACKET_copy_bytes(&subpkt, (unsigned char *)s->srp_ctx.login,
+                                   len))
+                goto err;
              s->srp_ctx.login[len] = '\0';
  
-            if (strlen(s->srp_ctx.login) != len)
+            if (strlen(s->srp_ctx.login) != len
+                    || PACKET_remaining(&subpkt))
                  goto err;
          }
  #endif
  
  #ifndef OPENSSL_NO_EC
          else if (type == TLSEXT_TYPE_ec_point_formats) {
-            unsigned char *sdata = data;
-            int ecpointformatlist_length = *(sdata++);
+            unsigned int ecpointformatlist_length;
  
-            if (ecpointformatlist_length != size - 1 ||
-                ecpointformatlist_length < 1)
+            if (!PACKET_get_1(&subpkt, &ecpointformatlist_length)
+                    || ecpointformatlist_length == 0)
                  goto err;
+
              if (!s->hit) {
                  OPENSSL_free(s->session->tlsext_ecpointformatlist);
                  s->session->tlsext_ecpointformatlist = NULL;
@@ -2090,19 +2064,26 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                  }
                  s->session->tlsext_ecpointformatlist_length =
                      ecpointformatlist_length;
-                memcpy(s->session->tlsext_ecpointformatlist, sdata,
-                       ecpointformatlist_length);
+                if (!PACKET_copy_bytes(&subpkt,
+                        s->session->tlsext_ecpointformatlist,
+                        ecpointformatlist_length))
+                    goto err;
+            } else if (!PACKET_forward(&subpkt, ecpointformatlist_length)) {
+                goto err;
+            }
+            /* We should have consumed all the bytes by now */
+            if (PACKET_remaining(&subpkt)) {
+                *al = TLS1_AD_DECODE_ERROR;
+                return 0;
              }
          } else if (type == TLSEXT_TYPE_elliptic_curves) {
-            unsigned char *sdata = data;
-            int ellipticcurvelist_length = (*(sdata++) << 8);
-            ellipticcurvelist_length += (*(sdata++));
-
-            if (ellipticcurvelist_length != size - 2 ||
-                ellipticcurvelist_length < 1 ||
-                /* Each NamedCurve is 2 bytes. */
-                ellipticcurvelist_length & 1)
-                    goto err;
+            unsigned int ellipticcurvelist_length;
+
+            /* Each NamedCurve is 2 bytes and we must have at least 1 */
+            if (!PACKET_get_net_2(&subpkt, &ellipticcurvelist_length)
+                    || ellipticcurvelist_length == 0
+                    || (ellipticcurvelist_length & 1) != 0)
+                goto err;
  
              if (!s->hit) {
                  if (s->session->tlsext_ellipticcurvelist)
@@ -2116,54 +2097,63 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                  }
                  s->session->tlsext_ellipticcurvelist_length =
                      ellipticcurvelist_length;
-                memcpy(s->session->tlsext_ellipticcurvelist, sdata,
-                       ellipticcurvelist_length);
+                if (!PACKET_copy_bytes(&subpkt,
+                        s->session->tlsext_ellipticcurvelist,
+                        ellipticcurvelist_length))
+                    goto err;
+            } else if (!PACKET_forward(&subpkt, ellipticcurvelist_length)) {
+                goto err;
+            }
+            /* We should have consumed all the bytes by now */
+            if (PACKET_remaining(&subpkt)) {
+                goto err;
              }
          }
  #endif                         /* OPENSSL_NO_EC */
          else if (type == TLSEXT_TYPE_session_ticket) {
-            if (s->tls_session_ticket_ext_cb &&
-                !s->tls_session_ticket_ext_cb(s, data, size,
-                                              s->tls_session_ticket_ext_cb_arg))
-            {
+            if (!PACKET_forward(&subpkt, size)
+                || (s->tls_session_ticket_ext_cb &&
+                    !s->tls_session_ticket_ext_cb(s, data, size,
+                                        s->tls_session_ticket_ext_cb_arg))) {
                  *al = TLS1_AD_INTERNAL_ERROR;
                  return 0;
              }
          } else if (type == TLSEXT_TYPE_signature_algorithms) {
-            int dsize;
-            if (s->s3->tmp.peer_sigalgs || size < 2)
-                goto err;
-            n2s(data, dsize);
-            size -= 2;
-            if (dsize != size || dsize & 1 || !dsize)
-                goto err;
-            if (!tls1_save_sigalgs(s, data, dsize))
+            unsigned int dsize;
+
+            if (s->s3->tmp.peer_sigalgs
+                    || !PACKET_get_net_2(&subpkt, &dsize)
+                    || (dsize & 1) != 0
+                    || (dsize == 0)
+                    || !PACKET_get_bytes(&subpkt, &data, dsize)
+                    || PACKET_remaining(&subpkt) != 0
+                    || !tls1_save_sigalgs(s, data, dsize)) {
                  goto err;
+            }
          } else if (type == TLSEXT_TYPE_status_request) {
+            PACKET ssubpkt;
  
-            if (size < 5)
+            if (!PACKET_get_1(&subpkt,
+                              (unsigned int *)&s->tlsext_status_type))
                  goto err;
  
-            s->tlsext_status_type = *data++;
-            size--;
              if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
                  const unsigned char *sdata;
-                int dsize;
+                unsigned int dsize;
                  /* Read in responder_id_list */
-                n2s(data, dsize);
-                size -= 2;
-                if (dsize > size)
+                if (!PACKET_get_net_2(&subpkt, &dsize)
+                        || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
                      goto err;
-                while (dsize > 0) {
+
+                while (PACKET_remaining(&ssubpkt)) {
                      OCSP_RESPID *id;
-                    int idsize;
-                    if (dsize < 4)
-                        goto err;
-                    n2s(data, idsize);
-                    dsize -= 2 + idsize;
-                    size -= 2 + idsize;
-                    if (dsize < 0)
+                    unsigned int idsize;
+
+                    if (PACKET_remaining(&ssubpkt) < 4
+                            || !PACKET_get_net_2(&ssubpkt, &idsize)
+                            || !PACKET_get_bytes(&ssubpkt, &data, idsize)) {
                          goto err;
+                    }
                      sdata = data;
                      data += idsize;
                      id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
@@ -2188,12 +2178,11 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                  }
  
                  /* Read in request_extensions */
-                if (size < 2)
-                    goto err;
-                n2s(data, dsize);
-                size -= 2;
-                if (dsize != size)
+                if (!PACKET_get_net_2(&subpkt, &dsize)
+                        || !PACKET_get_bytes(&subpkt, &data, dsize)
+                        || PACKET_remaining(&subpkt)) {
                      goto err;
+                }
                  sdata = data;
                  if (dsize > 0) {
                      sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
@@ -2212,7 +2201,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
          }
  #ifndef OPENSSL_NO_HEARTBEATS
          else if (type == TLSEXT_TYPE_heartbeat) {
-            switch (data[0]) {
+            unsigned int hbtype;
+
+            if (!PACKET_get_1(&subpkt, &hbtype)
+                    || PACKET_remaining(&subpkt)) {
+                *al = SSL_AD_DECODE_ERROR;
+                return 0;
+            }
+            switch (hbtype) {
              case 0x01:         /* Client allows us to send HB requests */
                  s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
                  break;
@@ -2253,7 +2249,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
  
          else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
                   s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
-            if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
+            if (tls1_alpn_handle_client_hello(s, &subpkt, al) != 0)
                  return 0;
  #ifndef OPENSSL_NO_NEXTPROTONEG
              /* ALPN takes precedence over NPN. */
@@ -2265,7 +2261,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
  #ifndef OPENSSL_NO_SRTP
          else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
                   && type == TLSEXT_TYPE_use_srtp) {
-            if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
+            if (ssl_parse_clienthello_use_srtp_ext(s, &subpkt, al))
                  return 0;
          }
  #endif
@@ -2288,16 +2284,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
              if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
                  return 0;
          }
-
-        data += size;
      }
  
      /* Spurious data on the end */
-    if (data != d + n)
+    if (PACKET_remaining(pkt) != 0)
          goto err;
  
-    *p = data;
-
   ri_check:
  
      /* Need RI if renegotiating */
@@ -2316,12 +2308,11 @@ err:
      return 0;
  }
  
-int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
-                                 int n)
+int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
  {
      int al = -1;
      custom_ext_init(&s->cert->srv_ext);
-    if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) {
+    if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
          ssl3_send_alert(s, SSL3_AL_FATAL, al);
          return 0;
      }
@@ -2339,28 +2330,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
   * elements of zero length are allowed and the set of elements must exactly
   * fill the length of the block.
   */
-static char ssl_next_proto_validate(unsigned char *d, unsigned len)
+static char ssl_next_proto_validate(PACKET *pkt)
  {
-    unsigned int off = 0;
+    unsigned int len;
  
-    while (off < len) {
-        if (d[off] == 0)
+    while (PACKET_remaining(pkt)) {
+        if (!PACKET_get_1(pkt, &len)
+                || !PACKET_forward(pkt, len))
              return 0;
-        off += d[off];
-        off++;
      }
  
-    return off == len;
+    return 1;
  }
  #endif
  
-static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
-                                       unsigned char *d, int n, int *al)
+static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
  {
-    unsigned short length;
-    unsigned short type;
-    unsigned short size;
-    unsigned char *data = *p;
+    unsigned int length, type, size;
      int tlsext_servername = 0;
      int renegotiate_seen = 0;
  
@@ -2380,27 +2366,27 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
      s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
  #endif
  
-    if (data >= (d + n - 2))
+    if (!PACKET_get_net_2(pkt, &length))
          goto ri_check;
  
-    n2s(data, length);
-    if (data + length != d + n) {
+    if (PACKET_remaining(pkt) != length) {
          *al = SSL_AD_DECODE_ERROR;
          return 0;
      }
  
-    while (data <= (d + n - 4)) {
-        n2s(data, type);
-        n2s(data, size);
+    while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
+        unsigned char *data;
+        PACKET spkt;
  
-        if (data + size > (d + n))
+        if (!PACKET_get_sub_packet(pkt, &spkt, size)
+                ||  !PACKET_peek_bytes(&spkt, &data, size))
              goto ri_check;
  
          if (s->tlsext_debug_cb)
              s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
  
          if (type == TLSEXT_TYPE_renegotiate) {
-            if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
+            if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al))
                  return 0;
              renegotiate_seen = 1;
          } else if (s->version == SSL3_VERSION) {
@@ -2413,10 +2399,9 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
          }
  #ifndef OPENSSL_NO_EC
          else if (type == TLSEXT_TYPE_ec_point_formats) {
-            unsigned char *sdata = data;
-            int ecpointformatlist_length = *(sdata++);
-
-            if (ecpointformatlist_length != size - 1) {
+            unsigned int ecpointformatlist_length;
+            if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
+                    || ecpointformatlist_length != size - 1) {
                  *al = TLS1_AD_DECODE_ERROR;
                  return 0;
              }
@@ -2430,8 +2415,13 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
                  }
                  s->session->tlsext_ecpointformatlist_length =
                      ecpointformatlist_length;
-                memcpy(s->session->tlsext_ecpointformatlist, sdata,
-                       ecpointformatlist_length);
+                if (!PACKET_copy_bytes(&spkt,
+                                       s->session->tlsext_ecpointformatlist,
+                                       ecpointformatlist_length)) {
+                    *al = TLS1_AD_DECODE_ERROR;
+                    return 0;
+                }
+
              }
          }
  #endif                         /* OPENSSL_NO_EC */
@@ -2467,14 +2457,13 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
                   s->s3->tmp.finish_md_len == 0) {
              unsigned char *selected;
              unsigned char selected_len;
-
              /* We must have requested it. */
              if (s->ctx->next_proto_select_cb == NULL) {
                  *al = TLS1_AD_UNSUPPORTED_EXTENSION;
                  return 0;
              }
              /* The data must be valid */
-            if (!ssl_next_proto_validate(data, size)) {
+            if (!ssl_next_proto_validate(&spkt)) {
                  *al = TLS1_AD_DECODE_ERROR;
                  return 0;
              }
@@ -2487,7 +2476,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
                  return 0;
              }
              s->next_proto_negotiated = OPENSSL_malloc(selected_len);
-            if (!s->next_proto_negotiated) {
+            if (s->next_proto_negotiated == NULL) {
                  *al = TLS1_AD_INTERNAL_ERROR;
                  return 0;
              }
@@ -2499,46 +2488,44 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
  
          else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
              unsigned len;
-
              /* We must have requested it. */
              if (s->alpn_client_proto_list == NULL) {
                  *al = TLS1_AD_UNSUPPORTED_EXTENSION;
                  return 0;
              }
-            if (size < 4) {
-                *al = TLS1_AD_DECODE_ERROR;
-                return 0;
-            }
              /*-
               * The extension data consists of:
               *   uint16 list_length
               *   uint8 proto_length;
               *   uint8 proto[proto_length];
               */
-            len = data[0];
-            len <<= 8;
-            len |= data[1];
-            if (len != (unsigned)size - 2) {
-                *al = TLS1_AD_DECODE_ERROR;
-                return 0;
-            }
-            len = data[2];
-            if (len != (unsigned)size - 3) {
+            if (!PACKET_get_net_2(&spkt, &len)
+                    || PACKET_remaining(&spkt) != len
+                    || !PACKET_get_1(&spkt, &len)
+                    || PACKET_remaining(&spkt) != len) {
                  *al = TLS1_AD_DECODE_ERROR;
                  return 0;
              }
              OPENSSL_free(s->s3->alpn_selected);
              s->s3->alpn_selected = OPENSSL_malloc(len);
-            if (!s->s3->alpn_selected) {
+            if (s->s3->alpn_selected == NULL) {
                  *al = TLS1_AD_INTERNAL_ERROR;
                  return 0;
              }
-            memcpy(s->s3->alpn_selected, data + 3, len);
+            if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) {
+                *al = TLS1_AD_DECODE_ERROR;
+                return 0;
+            }
              s->s3->alpn_selected_len = len;
          }
  #ifndef OPENSSL_NO_HEARTBEATS
          else if (type == TLSEXT_TYPE_heartbeat) {
-            switch (data[0]) {
+            unsigned int hbtype;
+            if (!PACKET_get_1(&spkt, &hbtype)) {
+                *al = SSL_AD_DECODE_ERROR;
+                return 0;
+            }
+            switch (hbtype) {
              case 0x01:         /* Server allows us to send HB requests */
                  s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
                  break;
@@ -2554,7 +2541,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
  #endif
  #ifndef OPENSSL_NO_SRTP
          else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
-            if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
+            if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al))
                  return 0;
          }
  #endif
@@ -2576,11 +2563,9 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
           */
          else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
              return 0;
-
-        data += size;
      }
  
-    if (data != d + n) {
+    if (PACKET_remaining(pkt) != 0) {
          *al = SSL_AD_DECODE_ERROR;
          return 0;
      }
@@ -2600,8 +2585,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
          }
      }
  
-    *p = data;
-
   ri_check:
  
      /*
@@ -2677,18 +2660,26 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
      }
  }
  /* Initialise digests to default values */
-static void ssl_set_default_md(SSL *s)
+void ssl_set_default_md(SSL *s)
  {
      const EVP_MD **pmd = s->s3->tmp.md;
  #ifndef OPENSSL_NO_DSA
-    pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
+    pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
  #endif
  #ifndef OPENSSL_NO_RSA
-    pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
-    pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
+    if (SSL_USE_SIGALGS(s))
+        pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX);
+    else
+        pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX);
+    pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN];
  #endif
  #ifndef OPENSSL_NO_EC
-    pmd[SSL_PKEY_ECC] = EVP_sha1();
+    pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX);
+#endif
+#ifndef OPENSSL_NO_GOST
+    pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX);
+    pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX);
+    pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX);
  #endif
  }
  
@@ -2882,13 +2873,12 @@ int ssl_check_serverhello_tlsext(SSL *s)
      }
  }
  
-int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
-                                 int n)
+int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt)
  {
      int al = -1;
      if (s->version < SSL3_VERSION)
          return 1;
-    if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) {
+    if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) {
          ssl3_send_alert(s, SSL3_AL_FATAL, al);
          return 0;
      }
@@ -2905,11 +2895,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
   * ClientHello, and other operations depend on the result, we need to handle
   * any TLS session ticket extension at the same time.
   *
- *   session_id: points at the session ID in the ClientHello. This code will
- *       read past the end of this in order to parse out the session ticket
- *       extension, if any.
- *   len: the length of the session ID.
- *   limit: a pointer to the first byte after the ClientHello.
+ *   session_id: ClientHello session ID.
+ *   ext: ClientHello extensions (including length prefix)
   *   ret: (output) on return, if a ticket was decrypted, then this is set to
   *       point to the resulting session.
   *
@@ -2934,12 +2921,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
   *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
   *   Otherwise, s->tlsext_ticket_expected is set to 0.
   */
-int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-                        const unsigned char *limit, SSL_SESSION **ret)
+int tls1_process_ticket(SSL *s, const PACKET *ext, const PACKET *session_id,
+                        SSL_SESSION **ret)
  {
-    /* Point after session ID in client hello */
-    const unsigned char *p = session_id + len;
-    unsigned short i;
+    unsigned int i;
+    PACKET local_ext = *ext;
+    int retv = -1;
  
      *ret = NULL;
      s->tlsext_ticket_expected = 0;
@@ -2950,46 +2937,38 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
       */
      if (!tls_use_ticket(s))
          return 0;
-    if ((s->version <= SSL3_VERSION) || !limit)
+    if ((s->version <= SSL3_VERSION))
          return 0;
-    if (p >= limit)
-        return -1;
-    /* Skip past DTLS cookie */
-    if (SSL_IS_DTLS(s)) {
-        i = *(p++);
-        p += i;
-        if (p >= limit)
-            return -1;
+
+    if (!PACKET_get_net_2(&local_ext, &i)) {
+        retv = 0;
+        goto end;
      }
-    /* Skip past cipher list */
-    n2s(p, i);
-    p += i;
-    if (p >= limit)
-        return -1;
-    /* Skip past compression algorithm list */
-    i = *(p++);
-    p += i;
-    if (p > limit)
-        return -1;
-    /* Now at start of extensions */
-    if ((p + 2) >= limit)
-        return 0;
-    n2s(p, i);
-    while ((p + 4) <= limit) {
-        unsigned short type, size;
-        n2s(p, type);
-        n2s(p, size);
-        if (p + size > limit)
-            return 0;
+    while (PACKET_remaining(&local_ext) >= 4) {
+        unsigned int type, size;
+
+        if (!PACKET_get_net_2(&local_ext, &type)
+                || !PACKET_get_net_2(&local_ext, &size)) {
+            /* Shouldn't ever happen */
+            retv = -1;
+            goto end;
+        }
+        if (PACKET_remaining(&local_ext) < size) {
+            retv = 0;
+            goto end;
+        }
          if (type == TLSEXT_TYPE_session_ticket) {
              int r;
+            unsigned char *etick;
+
              if (size == 0) {
                  /*
                   * The client will accept a ticket but doesn't currently have
                   * one.
                   */
                  s->tlsext_ticket_expected = 1;
-                return 1;
+                retv = 1;
+                goto end;
              }
              if (s->tls_session_secret_cb) {
                  /*
@@ -2998,25 +2977,43 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
                   * abbreviated handshake based on external mechanism to
                   * calculate the master secret later.
                   */
-                return 2;
+                retv = 2;
+                goto end;
+            }
+            if (!PACKET_get_bytes(&local_ext, &etick, size)) {
+                /* Shouldn't ever happen */
+                retv = -1;
+                goto end;
              }
-            r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
+            r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
+                                   PACKET_remaining(session_id), ret);
              switch (r) {
              case 2:            /* ticket couldn't be decrypted */
                  s->tlsext_ticket_expected = 1;
-                return 2;
+                retv = 2;
+                break;
              case 3:            /* ticket was decrypted */
-                return r;
+                retv = r;
+                break;
              case 4:            /* ticket decrypted but need to renew */
                  s->tlsext_ticket_expected = 1;
-                return 3;
+                retv = 3;
+                break;
              default:           /* fatal error */
-                return -1;
+                retv = -1;
+                break;
+            }
+            goto end;
+        } else {
+            if (!PACKET_forward(&local_ext, size)) {
+                retv = -1;
+                goto end;
              }
          }
-        p += size;
      }
-    return 0;
+    retv = 0;
+end:
+    return retv;
  }
  
  /*-
@@ -3030,6 +3027,7 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
   *       point to the resulting session.
   *
   * Returns:
+ *   -2: fatal error, malloc failure.
   *   -1: fatal error, either from parsing or decrypting the ticket.
   *    2: the ticket couldn't be decrypted.
   *    3: a ticket was successfully decrypted and *psess was set.
@@ -3044,19 +3042,21 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
      const unsigned char *p;
      int slen, mlen, renew_ticket = 0;
      unsigned char tick_hmac[EVP_MAX_MD_SIZE];
-    HMAC_CTX hctx;
+    HMAC_CTX *hctx = NULL;
      EVP_CIPHER_CTX ctx;
      SSL_CTX *tctx = s->initial_ctx;
      /* Need at least keyname + iv + some encrypted data */
      if (eticklen < 48)
          return 2;
      /* Initialize session ticket encryption and HMAC contexts */
-    HMAC_CTX_init(&hctx);
+    hctx = HMAC_CTX_new();
+    if (hctx == NULL)
+        return -2;
      EVP_CIPHER_CTX_init(&ctx);
      if (tctx->tlsext_ticket_key_cb) {
          unsigned char *nctick = (unsigned char *)etick;
          int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
-                                            &ctx, &hctx, 0);
+                                            &ctx, hctx, 0);
          if (rv < 0)
              return -1;
          if (rv == 0)
@@ -3067,25 +3067,29 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
          /* Check key name matches */
          if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
              return 2;
-        HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
-                     EVP_sha256(), NULL);
-        EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
-                           tctx->tlsext_tick_aes_key, etick + 16);
+        if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
+                         EVP_sha256(), NULL) <= 0
+                || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
+                                      tctx->tlsext_tick_aes_key,
+                                      etick + 16) <= 0) {
+            goto err;
+       }
      }
      /*
       * Attempt to process session ticket, first conduct sanity and integrity
       * checks on ticket.
       */
-    mlen = HMAC_size(&hctx);
+    mlen = HMAC_size(hctx);
      if (mlen < 0) {
-        EVP_CIPHER_CTX_cleanup(&ctx);
-        return -1;
+        goto err;
      }
      eticklen -= mlen;
      /* Check HMAC of encrypted ticket */
-    HMAC_Update(&hctx, etick, eticklen);
-    HMAC_Final(&hctx, tick_hmac, NULL);
-    HMAC_CTX_cleanup(&hctx);
+    if (HMAC_Update(hctx, etick, eticklen) <= 0
+            || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
+        goto err;
+    }
+    HMAC_CTX_free(hctx);
      if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
          EVP_CIPHER_CTX_cleanup(&ctx);
          return 2;
@@ -3095,11 +3099,11 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
      p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
      eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
      sdec = OPENSSL_malloc(eticklen);
-    if (!sdec) {
+    if (sdec == NULL
+            || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
          EVP_CIPHER_CTX_cleanup(&ctx);
          return -1;
      }
-    EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
      if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
          EVP_CIPHER_CTX_cleanup(&ctx);
          OPENSSL_free(sdec);
@@ -3132,6 +3136,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
       * For session parse failure, indicate that we need to send a new ticket.
       */
      return 2;
+err:
+    EVP_CIPHER_CTX_cleanup(&ctx);
+    HMAC_CTX_free(hctx);
+    return -1;
  }
  
  /* Tables to translate from NIDs to TLS v1.2 ids */
@@ -3147,13 +3155,19 @@ static const tls12_lookup tls12_md[] = {
      {NID_sha224, TLSEXT_hash_sha224},
      {NID_sha256, TLSEXT_hash_sha256},
      {NID_sha384, TLSEXT_hash_sha384},
-    {NID_sha512, TLSEXT_hash_sha512}
+    {NID_sha512, TLSEXT_hash_sha512},
+    {NID_id_GostR3411_94, TLSEXT_hash_gostr3411},
+    {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256},
+    {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512},
  };
  
  static const tls12_lookup tls12_sig[] = {
      {EVP_PKEY_RSA, TLSEXT_signature_rsa},
      {EVP_PKEY_DSA, TLSEXT_signature_dsa},
-    {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
+    {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
+    {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001},
+    {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256},
+    {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512}
  };
  
  static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
@@ -3201,29 +3215,35 @@ int tls12_get_sigid(const EVP_PKEY *pk)
  typedef struct {
      int nid;
      int secbits;
-    const EVP_MD *(*mfunc) (void);
+    int md_idx;
+    unsigned char tlsext_hash;
  } tls12_hash_info;
  
  static const tls12_hash_info tls12_md_info[] = {
-#ifdef OPENSSL_NO_MD5
-    {NID_md5, 64, 0},
-#else
-    {NID_md5, 64, EVP_md5},
-#endif
-    {NID_sha1, 80, EVP_sha1},
-    {NID_sha224, 112, EVP_sha224},
-    {NID_sha256, 128, EVP_sha256},
-    {NID_sha384, 192, EVP_sha384},
-    {NID_sha512, 256, EVP_sha512}
+    {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5},
+    {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1},
+    {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224},
+    {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
+    {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
+    {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
+    {NID_id_GostR3411_94,       128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
+    {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
+    {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
  };
  
  static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
  {
+    unsigned int i;
      if (hash_alg == 0)
          return NULL;
-    if (hash_alg > OSSL_NELEM(tls12_md_info))
-        return NULL;
-    return tls12_md_info + hash_alg - 1;
+
+    for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
+    {
+        if (tls12_md_info[i].tlsext_hash == hash_alg)
+            return tls12_md_info + i;
+    }
+
+    return NULL;
  }
  
  const EVP_MD *tls12_get_hash(unsigned char hash_alg)
@@ -3232,9 +3252,9 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
      if (hash_alg == TLSEXT_hash_md5 && FIPS_mode())
          return NULL;
      inf = tls12_get_hash_info(hash_alg);
-    if (!inf || !inf->mfunc)
+    if (!inf)
          return NULL;
-    return inf->mfunc();
+    return ssl_md(inf->md_idx);
  }
  
  static int tls12_get_pkey_idx(unsigned char sig_alg)
@@ -3252,6 +3272,16 @@ static int tls12_get_pkey_idx(unsigned char sig_alg)
      case TLSEXT_signature_ecdsa:
          return SSL_PKEY_ECC;
  #endif
+# ifndef OPENSSL_NO_GOST
+    case TLSEXT_signature_gostr34102001:
+        return SSL_PKEY_GOST01;
+
+    case TLSEXT_signature_gostr34102012_256:
+        return SSL_PKEY_GOST12_256;
+
+    case TLSEXT_signature_gostr34102012_512:
+        return SSL_PKEY_GOST12_512;
+# endif
      }
      return -1;
  }
@@ -3286,7 +3316,7 @@ static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
  {
      /* See if we have an entry in the hash table and it is enabled */
      const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]);
-    if (!hinf || !hinf->mfunc)
+    if (hinf == NULL || ssl_md(hinf->md_idx) == NULL)
          return 0;
      /* See if public key algorithm allowed */
      if (tls12_get_pkey_idx(ptmp[1]) == -1)
@@ -3301,7 +3331,7 @@ static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp)
   * disabled.
   */
  
-void ssl_set_sig_mask(unsigned long *pmask_a, SSL *s, int op)
+void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
  {
      const unsigned char *sigalgs;
      size_t i, sigalgslen;
@@ -3421,7 +3451,7 @@ static int tls1_set_shared_sigalgs(SSL *s)
      nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
      if (nmatch) {
          salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
-        if (!salgs)
+        if (salgs == NULL)
              return 0;
          nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
      } else {
@@ -3526,6 +3556,14 @@ int tls1_process_sigalgs(SSL *s)
          if (pmd[SSL_PKEY_ECC] == NULL)
              pmd[SSL_PKEY_ECC] = EVP_sha1();
  #endif
+# ifndef OPENSSL_NO_GOST
+        if (pmd[SSL_PKEY_GOST01] == NULL)
+            pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
+        if (pmd[SSL_PKEY_GOST12_256] == NULL)
+            pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
+        if (pmd[SSL_PKEY_GOST12_512] == NULL)
+            pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
+# endif
      }
      return 1;
  }
@@ -3671,17 +3709,11 @@ int tls1_heartbeat(SSL *s)
      }
  
      /* ...and no handshake in progress. */
-    if (SSL_in_init(s) || s->in_handshake) {
+    if (SSL_in_init(s) || ossl_statem_get_in_handshake(s)) {
          SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
          return -1;
      }
  
-    /*
-     * Check if padding is too long, payload and padding must not exceed 2^14
-     * - 3 = 16381 bytes in total.
-     */
-    OPENSSL_assert(payload + padding <= 16381);
-
      /*-
       * Create HeartBeat message, we just use a sequence number
       * as payload to distuingish different messages and add
@@ -3739,12 +3771,27 @@ typedef struct {
      int sigalgs[MAX_SIGALGLEN];
  } sig_cb_st;
  
+static void get_sigorhash(int *psig, int *phash, const char *str)
+{
+    if (strcmp(str, "RSA") == 0) {
+        *psig = EVP_PKEY_RSA;
+    } else if (strcmp(str, "DSA") == 0) {
+        *psig = EVP_PKEY_DSA;
+    } else if (strcmp(str, "ECDSA") == 0) {
+        *psig = EVP_PKEY_EC;
+    } else {
+        *phash = OBJ_sn2nid(str);
+        if (*phash == NID_undef)
+            *phash = OBJ_ln2nid(str);
+    }
+}
+
  static int sig_cb(const char *elem, int len, void *arg)
  {
      sig_cb_st *sarg = arg;
      size_t i;
      char etmp[20], *p;
-    int sig_alg, hash_alg;
+    int sig_alg = NID_undef, hash_alg = NID_undef;
      if (elem == NULL)
          return 0;
      if (sarg->sigalgcnt == MAX_SIGALGLEN)
@@ -3761,19 +3808,10 @@ static int sig_cb(const char *elem, int len, void *arg)
      if (!*p)
          return 0;
  
-    if (strcmp(etmp, "RSA") == 0)
-        sig_alg = EVP_PKEY_RSA;
-    else if (strcmp(etmp, "DSA") == 0)
-        sig_alg = EVP_PKEY_DSA;
-    else if (strcmp(etmp, "ECDSA") == 0)
-        sig_alg = EVP_PKEY_EC;
-    else
-        return 0;
+    get_sigorhash(&sig_alg, &hash_alg, etmp);
+    get_sigorhash(&sig_alg, &hash_alg, p);
  
-    hash_alg = OBJ_sn2nid(p);
-    if (hash_alg == NID_undef)
-        hash_alg = OBJ_ln2nid(p);
-    if (hash_alg == NID_undef)
+    if (sig_alg == NID_undef || hash_alg == NID_undef)
          return 0;
  
      for (i = 0; i < sarg->sigalgcnt; i += 2) {
@@ -3923,7 +3961,6 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
          idx = ssl_cert_type(x, pk);
          if (idx == -1)
              return 0;
-        cpk = c->pkeys + idx;
          pvalid = s->s3->tmp.valid_flags + idx;
  
          if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
@@ -3974,6 +4011,21 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
                  default_nid = NID_ecdsa_with_SHA1;
                  break;
  
+            case SSL_PKEY_GOST01:
+                rsign = TLSEXT_signature_gostr34102001;
+                default_nid = NID_id_GostR3411_94_with_GostR3410_2001;
+                break;
+
+            case SSL_PKEY_GOST12_256:
+                rsign = TLSEXT_signature_gostr34102012_256;
+                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256;
+                break;
+
+            case SSL_PKEY_GOST12_512:
+                rsign = TLSEXT_signature_gostr34102012_512;
+                default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512;
+                break;
+
              default:
                  default_nid = -1;
                  break;
@@ -4144,6 +4196,9 @@ void tls1_set_cert_validity(SSL *s)
      tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
      tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
      tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
+    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01);
+    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256);
+    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
  }
  
  /* User level utiity function to check a chain is suitable */
@@ -4159,7 +4214,7 @@ DH *ssl_get_auto_dh(SSL *s)
      int dh_secbits = 80;
      if (s->cert->dh_tmp_auto == 2)
          return DH_get_1024_160();
-    if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
+    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
          if (s->s3->tmp.new_cipher->strength_bits == 256)
              dh_secbits = 128;
          else
@@ -4171,16 +4226,16 @@ DH *ssl_get_auto_dh(SSL *s)
  
      if (dh_secbits >= 128) {
          DH *dhp = DH_new();
-        if (!dhp)
+        if (dhp == NULL)
              return NULL;
          dhp->g = BN_new();
-        if (dhp->g)
+        if (dhp->g != NULL)
              BN_set_word(dhp->g, 2);
          if (dh_secbits >= 192)
              dhp->p = get_rfc3526_prime_8192(NULL);
          else
              dhp->p = get_rfc3526_prime_3072(NULL);
-        if (!dhp->p || !dhp->g) {
+        if (dhp->p == NULL || dhp->g == NULL) {
              DH_free(dhp);
              return NULL;
          }