no need to check s->server as default_nid is never used for TLS 1.2 client authentication
[openssl.git] / ssl / t1_lib.c
index 3430ea1..eb6aa55 100644 (file)
@@ -123,6 +123,8 @@ const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
                                const unsigned char *sess_id, int sesslen,
                                SSL_SESSION **psess);
+static int ssl_check_clienthello_tlsext(SSL *s);
+int ssl_check_serverhello_tlsext(SSL *s);
 #endif
 
 SSL3_ENC_METHOD TLSv1_enc_data={
@@ -202,33 +204,41 @@ static int nid_list[] =
                NID_secp521r1  /* secp521r1 (25) */     
        };
 
-static int pref_list[] =
+
+static const unsigned char ecformats_default[] = 
        {
-               NID_sect571r1, /* sect571r1 (14) */ 
-               NID_sect571k1, /* sect571k1 (13) */ 
-               NID_secp521r1, /* secp521r1 (25) */     
-               NID_sect409k1, /* sect409k1 (11) */ 
-               NID_sect409r1, /* sect409r1 (12) */
-               NID_secp384r1, /* secp384r1 (24) */
-               NID_sect283k1, /* sect283k1 (9) */
-               NID_sect283r1, /* sect283r1 (10) */ 
-               NID_secp256k1, /* secp256k1 (22) */ 
-               NID_X9_62_prime256v1, /* secp256r1 (23) */ 
-               NID_sect239k1, /* sect239k1 (8) */ 
-               NID_sect233k1, /* sect233k1 (6) */
-               NID_sect233r1, /* sect233r1 (7) */ 
-               NID_secp224k1, /* secp224k1 (20) */ 
-               NID_secp224r1, /* secp224r1 (21) */
-               NID_sect193r1, /* sect193r1 (4) */ 
-               NID_sect193r2, /* sect193r2 (5) */ 
-               NID_secp192k1, /* secp192k1 (18) */
-               NID_X9_62_prime192v1, /* secp192r1 (19) */ 
-               NID_sect163k1, /* sect163k1 (1) */
-               NID_sect163r1, /* sect163r1 (2) */
-               NID_sect163r2, /* sect163r2 (3) */
-               NID_secp160k1, /* secp160k1 (15) */
-               NID_secp160r1, /* secp160r1 (16) */ 
-               NID_secp160r2, /* secp160r2 (17) */ 
+       TLSEXT_ECPOINTFORMAT_uncompressed,
+       TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
+       TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
+       };
+
+static const unsigned char eccurves_default[] =
+       {
+               0,14, /* sect571r1 (14) */ 
+               0,13, /* sect571k1 (13) */ 
+               0,25, /* secp521r1 (25) */      
+               0,11, /* sect409k1 (11) */ 
+               0,12, /* sect409r1 (12) */
+               0,24, /* secp384r1 (24) */
+               0,9,  /* sect283k1 (9) */
+               0,10, /* sect283r1 (10) */ 
+               0,22, /* secp256k1 (22) */ 
+               0,23, /* secp256r1 (23) */ 
+               0,8,  /* sect239k1 (8) */ 
+               0,6,  /* sect233k1 (6) */
+               0,7,  /* sect233r1 (7) */ 
+               0,20, /* secp224k1 (20) */ 
+               0,21, /* secp224r1 (21) */
+               0,4,  /* sect193r1 (4) */ 
+               0,5,  /* sect193r2 (5) */ 
+               0,18, /* secp192k1 (18) */
+               0,19, /* secp192r1 (19) */ 
+               0,1,  /* sect163k1 (1) */
+               0,2,  /* sect163r1 (2) */
+               0,3,  /* sect163r2 (3) */
+               0,15, /* secp160k1 (15) */
+               0,16, /* secp160r1 (16) */ 
+               0,17, /* secp160r2 (17) */ 
        };
 
 int tls1_ec_curve_id2nid(int curve_id)
@@ -299,6 +309,284 @@ int tls1_ec_nid2curve_id(int nid)
                return 0;
                }
        }
+/* Get curves list, if "sess" is set return client curves otherwise
+ * preferred list
+ */
+static void tls1_get_curvelist(SSL *s, int sess,
+                                       const unsigned char **pcurves,
+                                       size_t *pcurveslen)
+       {
+       if (sess)
+               {
+               *pcurves = s->session->tlsext_ellipticcurvelist;
+               *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
+               }
+       else
+               {
+               *pcurves = s->tlsext_ellipticcurvelist;
+               *pcurveslen = s->tlsext_ellipticcurvelist_length;
+               }
+       /* If not set use default: for now static structure */
+       if (!*pcurves)
+               {
+               *pcurves = eccurves_default;
+               *pcurveslen = sizeof(eccurves_default);
+               }
+       }
+
+/* Return nth shared curve. If nmatch == -1 return number of
+ * matches.
+ */
+
+int tls1_shared_curve(SSL *s, int nmatch)
+       {
+       const unsigned char *pref, *supp;
+       size_t preflen, supplen, i, j;
+       int k;
+       /* Can't do anything on client side */
+       if (s->server == 0)
+               return -1;
+       tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
+                               &supp, &supplen);
+       tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
+                               &pref, &preflen);
+       preflen /= 2;
+       supplen /= 2;
+       k = 0;
+       for (i = 0; i < preflen; i++, pref+=2)
+               {
+               const unsigned char *tsupp = supp;
+               for (j = 0; j < supplen; j++, tsupp+=2)
+                       {
+                       if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
+                               {
+                               if (nmatch == k)
+                                       {
+                                       int id = (pref[0] << 8) | pref[1];
+                                       return tls1_ec_curve_id2nid(id);
+                                       }
+                               k++;
+                               }
+                       }
+               }
+       if (nmatch == -1)
+               return k;
+       return 0;
+       }
+
+int tls1_set_curves(unsigned char **pext, size_t *pextlen,
+                       int *curves, size_t ncurves)
+       {
+       unsigned char *clist, *p;
+       size_t i;
+       /* Bitmap of curves included to detect duplicates: only works
+        * while curve ids < 32 
+        */
+       unsigned long dup_list = 0;
+       clist = OPENSSL_malloc(ncurves * 2);
+       if (!clist)
+               return 0;
+       for (i = 0, p = clist; i < ncurves; i++)
+               {
+               unsigned long idmask;
+               int id;
+               id = tls1_ec_nid2curve_id(curves[i]);
+               idmask = 1L << id;
+               if (!id || (dup_list & idmask))
+                       {
+                       OPENSSL_free(clist);
+                       return 0;
+                       }
+               dup_list |= idmask;
+               s2n(id, p);
+               }
+       if (*pext)
+               OPENSSL_free(*pext);
+       *pext = clist;
+       *pextlen = ncurves * 2;
+       return 1;
+       }
+
+#define MAX_CURVELIST  25
+
+typedef struct
+       {
+       size_t nidcnt;
+       int nid_arr[MAX_CURVELIST];
+       } nid_cb_st;
+
+static int nid_cb(const char *elem, int len, void *arg)
+       {
+       nid_cb_st *narg = arg;
+       size_t i;
+       int nid;
+       char etmp[20];
+       if (narg->nidcnt == MAX_CURVELIST)
+               return 0;
+       if (len > (int)(sizeof(etmp) - 1))
+               return 0;
+       memcpy(etmp, elem, len);
+       etmp[len] = 0;
+       nid = EC_curve_nist2nid(etmp);
+       if (nid == NID_undef)
+               nid = OBJ_sn2nid(etmp);
+       if (nid == NID_undef)
+               nid = OBJ_ln2nid(etmp);
+       if (nid == NID_undef)
+               return 0;
+       for (i = 0; i < narg->nidcnt; i++)
+               if (narg->nid_arr[i] == nid)
+                       return 0;
+       narg->nid_arr[narg->nidcnt++] = nid;
+       return 1;
+       }
+/* Set curves based on a colon separate list */
+int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
+                               const char *str)
+       {
+       nid_cb_st ncb;
+       ncb.nidcnt = 0;
+       if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
+               return 0;
+       return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
+       }
+/* For an EC key set TLS id and required compression based on parameters */
+static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
+                               EC_KEY *ec)
+       {
+       int is_prime, id;
+       const EC_GROUP *grp;
+       const EC_POINT *pt;
+       const EC_METHOD *meth;
+       if (!ec)
+               return 0;
+       /* Determine if it is a prime field */
+       grp = EC_KEY_get0_group(ec);
+        pt = EC_KEY_get0_public_key(ec);
+       if (!grp || !pt)
+               return 0;
+        meth = EC_GROUP_method_of(grp);
+       if (!meth)
+               return 0;
+        if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
+               is_prime = 1;
+       else
+               is_prime = 0;
+       /* Determine curve ID */
+       id = EC_GROUP_get_curve_name(grp);
+       id = tls1_ec_nid2curve_id(id);
+       /* If we have an ID set it, otherwise set arbitrary explicit curve */
+       if (id)
+               {
+               curve_id[0] = 0;
+               curve_id[1] = (unsigned char)id;
+               }
+       else
+               {
+               curve_id[0] = 0xff;
+               if (is_prime)
+                       curve_id[1] = 0x01;
+               else
+                       curve_id[1] = 0x02;
+               }
+       if (comp_id)
+               {
+               if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
+                       {
+                       if (is_prime)
+                               *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
+                       else
+                               *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
+                       }
+               else
+                       *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
+               }
+       return 1;
+       }
+/* Check an EC key is compatible with extensions */
+static int tls1_check_ec_key(SSL *s,
+                       unsigned char *curve_id, unsigned char *comp_id)
+       {
+       const unsigned char *p;
+       size_t plen, i;
+       int j;
+       /* If point formats extension present check it, otherwise everything
+        * is supported (see RFC4492).
+        */
+       if (comp_id && s->session->tlsext_ecpointformatlist)
+               {
+               p = s->session->tlsext_ecpointformatlist;
+               plen = s->session->tlsext_ecpointformatlist_length;
+               for (i = 0; i < plen; i++, p++)
+                       {
+                       if (*comp_id == *p)
+                               break;
+                       }
+               if (i == plen)
+                       return 0;
+               }
+       /* Check curve is consistent with client and server preferences */
+       for (j = 0; j <= 1; j++)
+               {
+               tls1_get_curvelist(s, j, &p, &plen);
+               for (i = 0; i < plen; i+=2, p+=2)
+                       {
+                       if (p[0] == curve_id[0] && p[1] == curve_id[1])
+                               break;
+                       }
+               if (i == plen)
+                       return 0;
+               }
+       return 1;
+       }
+
+/* Check cert parameters compatible with extensions: currently just checks
+ * EC certificates have compatible curves and compression.
+ */
+static int tls1_check_cert_param(SSL *s, X509 *x)
+       {
+       unsigned char comp_id, curve_id[2];
+       EVP_PKEY *pkey;
+       int rv;
+       pkey = X509_get_pubkey(x);
+       if (!pkey)
+               return 0;
+       /* If not EC nothing to do */
+       if (pkey->type != EVP_PKEY_EC)
+               {
+               EVP_PKEY_free(pkey);
+               return 1;
+               }
+       rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
+       EVP_PKEY_free(pkey);
+       if (!rv)
+               return 0;
+       return tls1_check_ec_key(s, curve_id, &comp_id);
+       }
+/* Check EC temporary key is compatible with client extensions */
+int tls1_check_ec_tmp_key(SSL *s)
+       {
+       unsigned char curve_id[2];
+       EC_KEY *ec = s->cert->ecdh_tmp;
+       if (s->cert->ecdh_tmp_auto)
+               {
+               /* Need a shared curve */
+               if (tls1_shared_curve(s, 0))
+                       return 1;
+               else return 0;
+               }
+       if (!ec)
+               {
+               if (s->cert->ecdh_tmp_cb)
+                       return 1;
+               else
+                       return 0;
+               }
+       if (!tls1_set_ec_id(curve_id, NULL, ec))
+               return 1;
+       return tls1_check_ec_key(s, curve_id, NULL);
+       }
+
 #endif /* OPENSSL_NO_EC */
 
 #ifndef OPENSSL_NO_TLSEXT
@@ -347,23 +635,78 @@ static unsigned char tls12_sigalgs[] = {
 #endif
 };
 
-int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
+size_t tls12_get_sig_algs(SSL *s, unsigned char *p)
        {
-       size_t slen = sizeof(tls12_sigalgs);
+       const unsigned char *sigs;
+       size_t sigslen;
+       /* If server use client authentication sigalgs if not NULL */
+       if (s->server && s->cert->client_sigalgs)
+               {
+               sigs = s->cert->client_sigalgs;
+               sigslen = s->cert->client_sigalgslen;
+               }
+       else if (s->cert->conf_sigalgs)
+               {
+               sigs = s->cert->conf_sigalgs;
+               sigslen = s->cert->conf_sigalgslen;
+               }
+       else
+               {
+               sigs = tls12_sigalgs;
+               sigslen = sizeof(tls12_sigalgs);
 #ifdef OPENSSL_FIPS
-       /* If FIPS mode don't include MD5 which is last */
-       if (FIPS_mode())
-               slen -= 2;
+               /* If FIPS mode don't include MD5 which is last */
+               if (FIPS_mode())
+                       sigslen -= 2;
 #endif
+               }
+
        if (p)
-               memcpy(p, tls12_sigalgs, slen);
-       return (int)slen;
+               memcpy(p, sigs, sigslen);
+       return sigslen;
        }
 
+/* byte_compare is a compare function for qsort(3) that compares bytes. */
+static int byte_compare(const void *in_a, const void *in_b)
+       {
+       unsigned char a = *((const unsigned char*) in_a);
+       unsigned char b = *((const unsigned char*) in_b);
+
+       if (a > b)
+               return 1;
+       else if (a < b)
+               return -1;
+       return 0;
+}
+
 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
        {
        int extdatalen=0;
        unsigned char *ret = p;
+#ifndef OPENSSL_NO_EC
+       /* See if we support any ECC ciphersuites */
+       int using_ecc = 0;
+       if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
+               {
+               int i;
+               unsigned long alg_k, alg_a;
+               STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
+
+               for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
+                       {
+                       SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
+
+                       alg_k = c->algorithm_mkey;
+                       alg_a = c->algorithm_auth;
+                       if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
+                               || (alg_a & SSL_aECDSA)))
+                               {
+                               using_ecc = 1;
+                               break;
+                               }
+                       }
+               }
+#endif
 
        /* don't add extensions for SSLv3 unless doing secure renegotiation */
        if (s->client_version == SSL3_VERSION
@@ -432,75 +775,88 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
         }
 
 #ifndef OPENSSL_NO_SRP
-#define MIN(x,y) (((x)<(y))?(x):(y))
-       /* we add SRP username the first time only if we have one! */
+       /* Add SRP username if there is one */
        if (s->srp_ctx.login != NULL)
-               {/* Add TLS extension SRP username to the Client Hello message */
-               int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
-               long lenmax; 
+               { /* Add TLS extension SRP username to the Client Hello message */
 
-               if ((lenmax = limit - ret - 5) < 0) return NULL; 
-               if (login_len > lenmax) return NULL;
-               if (login_len > 255)
+               int login_len = strlen(s->srp_ctx.login);       
+               if (login_len > 255 || login_len == 0)
                        {
                        SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
                        return NULL;
-                       }
+                       } 
+
+               /* check for enough space.
+                  4 for the srp type type and entension length
+                  1 for the srp user identity
+                  + srp user identity length 
+               */
+               if ((limit - ret - 5 - login_len) < 0) return NULL; 
+
+               /* fill in the extension */
                s2n(TLSEXT_TYPE_srp,ret);
                s2n(login_len+1,ret);
-
-               (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
-               memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
+               (*ret++) = (unsigned char) login_len;
+               memcpy(ret, s->srp_ctx.login, login_len);
                ret+=login_len;
                }
 #endif
 
 #ifndef OPENSSL_NO_EC
-       if (s->tlsext_ecpointformatlist != NULL &&
-           s->version != DTLS1_VERSION)
+       if (using_ecc)
                {
                /* Add TLS extension ECPointFormats to the ClientHello message */
                long lenmax; 
+               const unsigned char *plist;
+               size_t plistlen;
+               /* If we have a custom point format list use it otherwise
+                * use default */
+               plist = s->tlsext_ecpointformatlist;
+               if (plist)
+                       plistlen = s->tlsext_ecpointformatlist_length;
+               else
+                       {
+                       plist = ecformats_default;
+                       plistlen = sizeof(ecformats_default);
+                       }
 
                if ((lenmax = limit - ret - 5) < 0) return NULL; 
-               if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
-               if (s->tlsext_ecpointformatlist_length > 255)
+               if (plistlen > (size_t)lenmax) return NULL;
+               if (plistlen > 255)
                        {
                        SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
                        return NULL;
                        }
                
                s2n(TLSEXT_TYPE_ec_point_formats,ret);
-               s2n(s->tlsext_ecpointformatlist_length + 1,ret);
-               *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
-               memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
-               ret+=s->tlsext_ecpointformatlist_length;
-               }
-       if (s->tlsext_ellipticcurvelist != NULL &&
-           s->version != DTLS1_VERSION)
-               {
+               s2n(plistlen + 1,ret);
+               *(ret++) = (unsigned char)plistlen ;
+               memcpy(ret, plist, plistlen);
+               ret+=plistlen;
+
                /* Add TLS extension EllipticCurves to the ClientHello message */
-               long lenmax; 
+               plist = s->tlsext_ellipticcurvelist;
+               tls1_get_curvelist(s, 0, &plist, &plistlen);
 
                if ((lenmax = limit - ret - 6) < 0) return NULL; 
-               if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
-               if (s->tlsext_ellipticcurvelist_length > 65532)
+               if (plistlen > (size_t)lenmax) return NULL;
+               if (plistlen > 65532)
                        {
                        SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
                        return NULL;
                        }
                
                s2n(TLSEXT_TYPE_elliptic_curves,ret);
-               s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
+               s2n(plistlen + 2, ret);
 
                /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
                 * elliptic_curve_list, but the examples use two bytes.
                 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
                 * resolves this to two bytes.
                 */
-               s2n(s->tlsext_ellipticcurvelist_length, ret);
-               memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
-               ret+=s->tlsext_ellipticcurvelist_length;
+               s2n(plistlen, ret);
+               memcpy(ret, plist, plistlen);
+               ret+=plistlen;
                }
 #endif /* OPENSSL_NO_EC */
 
@@ -540,15 +896,17 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                }
                skip_ext:
 
-       if (TLS1_get_version(s) >= TLS1_2_VERSION)
+       if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
                {
-               if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
+               size_t salglen;
+               salglen = tls12_get_sig_algs(s, NULL);
+               if ((size_t)(limit - ret) < salglen + 6)
                        return NULL; 
                s2n(TLSEXT_TYPE_signature_algorithms,ret);
-               s2n(sizeof(tls12_sigalgs) + 2, ret);
-               s2n(sizeof(tls12_sigalgs), ret);
-               memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
-               ret += sizeof(tls12_sigalgs);
+               s2n(salglen + 2, ret);
+               s2n(salglen, ret);
+               tls12_get_sig_algs(s, ret);
+               ret += salglen;
                }
 
 #ifdef TLSEXT_TYPE_opaque_prf_input
@@ -664,7 +1022,27 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                 ret += el;
                 }
 
-       if ((extdatalen = ret-p-2)== 0) 
+       /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
+       /* 2 bytes for extension type */
+       /* 2 bytes for extension length */
+       /* 1 byte for the list length */
+       /* 1 byte for the list (we only support audit proofs) */
+       if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
+               {
+               size_t lenmax;
+                const unsigned short ext_len = 2;
+                const unsigned char list_len = 1;
+
+               if ((lenmax = limit - ret - 6) < 0) return NULL;
+
+               s2n(TLSEXT_TYPE_server_authz, ret);
+                /* Extension length: 2 bytes */
+               s2n(ext_len, ret);
+               *(ret++) = list_len;
+               *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
+               }
+
+       if ((extdatalen = ret-p-2) == 0)
                return p;
 
        s2n(extdatalen,p);
@@ -825,6 +1203,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
                        *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
                else
                        *(ret++) = SSL_TLSEXT_HB_ENABLED;
+
                }
 #endif
 
@@ -850,6 +1229,79 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
                }
 #endif
 
+       /* If the client supports authz then see whether we have any to offer
+        * to it. */
+       if (s->s3->tlsext_authz_client_types_len)
+               {
+               size_t authz_length;
+               /* By now we already know the new cipher, so we can look ahead
+                * to see whether the cert we are going to send
+                * has any authz data attached to it. */
+               const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
+               const unsigned char* const orig_authz = authz;
+               size_t i;
+               unsigned authz_count = 0;
+
+               /* The authz data contains a number of the following structures:
+                *      uint8_t authz_type
+                *      uint16_t length
+                *      uint8_t data[length]
+                *
+                * First we walk over it to find the number of authz elements. */
+               for (i = 0; i < authz_length; i++)
+                       {
+                       unsigned short length;
+                       unsigned char type;
+
+                       type = *(authz++);
+                       if (memchr(s->s3->tlsext_authz_client_types,
+                                  type,
+                                  s->s3->tlsext_authz_client_types_len) != NULL)
+                               authz_count++;
+
+                       n2s(authz, length);
+                       /* n2s increments authz by 2 */
+                       i += 2;
+                       authz += length;
+                       i += length;
+                       }
+
+               if (authz_count)
+                       {
+                       /* Add TLS extension server_authz to the ServerHello message
+                        * 2 bytes for extension type
+                        * 2 bytes for extension length
+                        * 1 byte for the list length
+                        * n bytes for the list */
+                       const unsigned short ext_len = 1 + authz_count;
+
+                       if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
+                       s2n(TLSEXT_TYPE_server_authz, ret);
+                       s2n(ext_len, ret);
+                       *(ret++) = authz_count;
+                       s->s3->tlsext_authz_promised_to_client = 1;
+                       }
+
+               authz = orig_authz;
+               for (i = 0; i < authz_length; i++)
+                       {
+                       unsigned short length;
+                       unsigned char type;
+
+                       authz_count++;
+                       type = *(authz++);
+                       if (memchr(s->s3->tlsext_authz_client_types,
+                                  type,
+                                  s->s3->tlsext_authz_client_types_len) != NULL)
+                               *(ret++) = type;
+                       n2s(authz, length);
+                       /* n2s increments authz by 2 */
+                       i += 2;
+                       authz += length;
+                       i += length;
+                       }
+               }
+
        if ((extdatalen = ret-p-2)== 0) 
                return p;
 
@@ -857,14 +1309,13 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
        return ret;
        }
 
-int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
-       {
+static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
+       {       
        unsigned short type;
        unsigned short size;
        unsigned short len;
        unsigned char *data = *p;
        int renegotiate_seen = 0;
-       int sigalg_seen = 0;
 
        s->servername_done = 0;
        s->tlsext_status_type = -1;
@@ -876,6 +1327,18 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
        s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
                               SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
 #endif
+       /* Clear any signature algorithms extension received */
+       if (s->cert->peer_sigalgs)
+               {
+               OPENSSL_free(s->cert->peer_sigalgs);
+               s->cert->peer_sigalgs = NULL;
+               }
+       /* Clear any shared sigtnature algorithms */
+       if (s->cert->shared_sigalgs)
+               {
+               OPENSSL_free(s->cert->shared_sigalgs);
+               s->cert->shared_sigalgs = NULL;
+               }
 
        if (data >= (d+n-2))
                goto ri_check;
@@ -1006,13 +1469,25 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 #ifndef OPENSSL_NO_SRP
                else if (type == TLSEXT_TYPE_srp)
                        {
-                       if (size > 0)
+                       if (size <= 0 || ((len = data[0])) != (size -1))
                                {
-                               len = data[0];
-                               if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
-                                       return -1;
-                               memcpy(s->srp_ctx.login, &data[1], len);
-                               s->srp_ctx.login[len]='\0';  
+                               *al = SSL_AD_DECODE_ERROR;
+                               return 0;
+                               }
+                       if (s->srp_ctx.login != NULL)
+                               {
+                               *al = SSL_AD_DECODE_ERROR;
+                               return 0;
+                               }
+                       if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
+                               return -1;
+                       memcpy(s->srp_ctx.login, &data[1], len);
+                       s->srp_ctx.login[len]='\0';
+  
+                       if (strlen(s->srp_ctx.login) != len) 
+                               {
+                               *al = SSL_AD_DECODE_ERROR;
+                               return 0;
                                }
                        }
 #endif
@@ -1139,15 +1614,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                else if (type == TLSEXT_TYPE_signature_algorithms)
                        {
                        int dsize;
-                       if (sigalg_seen || size < 2) 
+                       if (s->cert->peer_sigalgs || size < 2) 
                                {
                                *al = SSL_AD_DECODE_ERROR;
                                return 0;
                                }
-                       sigalg_seen = 1;
                        n2s(data,dsize);
                        size -= 2;
-                       if (dsize != size || dsize & 1) 
+                       if (dsize != size || dsize & 1 || !dsize
                                {
                                *al = SSL_AD_DECODE_ERROR;
                                return 0;
@@ -1157,6 +1631,16 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                *al = SSL_AD_DECODE_ERROR;
                                return 0;
                                }
+                       /* If sigalgs received and no shared algorithms fatal
+                        * error.
+                        */
+                       if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
+                               {
+                               SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
+                                       SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
+                               *al = SSL_AD_ILLEGAL_PARAMETER;
+                               return 0;
+                               }
                        }
                else if (type == TLSEXT_TYPE_status_request &&
                         s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
@@ -1282,12 +1766,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                                        s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
                                                        s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
                                                        break;
+                               default:        *al = SSL_AD_ILLEGAL_PARAMETER;
+                                                       return 0;
                                }
                        }
 #endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
                else if (type == TLSEXT_TYPE_next_proto_neg &&
-                         s->s3->tmp.finish_md_len == 0)
+                        s->s3->tmp.finish_md_len == 0)
                        {
                        /* We shouldn't accept this extension on a
                         * renegotiation.
@@ -1316,32 +1802,112 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                return 0;
                         }
 
-               data+=size;
-               }
-                               
-       *p = data;
+               else if (type == TLSEXT_TYPE_server_authz)
+                       {
+                       unsigned char *sdata = data;
+                       unsigned char server_authz_dataformatlist_length;
 
-       ri_check:
+                       if (size == 0)
+                               {
+                               *al = TLS1_AD_DECODE_ERROR;
+                               return 0;
+                               }
 
-       /* Need RI if renegotiating */
+                       server_authz_dataformatlist_length = *(sdata++);
 
-       if (!renegotiate_seen && s->renegotiate &&
-               !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-               {
-               *al = SSL_AD_HANDSHAKE_FAILURE;
-               SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
-                               SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
-               return 0;
-               }
+                       if (server_authz_dataformatlist_length != size - 1)
+                               {
+                               *al = TLS1_AD_DECODE_ERROR;
+                               return 0;
+                               }
 
-       return 1;
+                       /* Successful session resumption uses the same authz
+                        * information as the original session so we ignore this
+                        * in the case of a session resumption. */
+                       if (!s->hit)
+                               {
+                               size_t i;
+                               if (s->s3->tlsext_authz_client_types != NULL)
+                                       OPENSSL_free(s->s3->tlsext_authz_client_types);
+                               s->s3->tlsext_authz_client_types =
+                                       OPENSSL_malloc(server_authz_dataformatlist_length);
+                               if (!s->s3->tlsext_authz_client_types)
+                                       {
+                                       *al = TLS1_AD_INTERNAL_ERROR;
+                                       return 0;
+                                       }
+
+                               s->s3->tlsext_authz_client_types_len =
+                                       server_authz_dataformatlist_length;
+                               memcpy(s->s3->tlsext_authz_client_types,
+                                      sdata,
+                                      server_authz_dataformatlist_length);
+
+                               /* Sort the types in order to check for duplicates. */
+                               qsort(s->s3->tlsext_authz_client_types,
+                                     server_authz_dataformatlist_length,
+                                     1 /* element size */,
+                                     byte_compare);
+
+                               for (i = 0; i < server_authz_dataformatlist_length; i++)
+                                       {
+                                       if (i > 0 &&
+                                           s->s3->tlsext_authz_client_types[i] ==
+                                             s->s3->tlsext_authz_client_types[i-1])
+                                               {
+                                               *al = TLS1_AD_DECODE_ERROR;
+                                               return 0;
+                                               }
+                                       }
+                               }
+                       }
+
+               data+=size;
+               }
+
+       *p = data;
+
+       ri_check:
+
+       /* Need RI if renegotiating */
+
+       if (!renegotiate_seen && s->renegotiate &&
+               !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+               {
+               *al = SSL_AD_HANDSHAKE_FAILURE;
+               SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
+                               SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+               return 0;
+               }
+       /* If no signature algorithms extension set default values */
+       if (!s->cert->peer_sigalgs)
+               ssl_cert_set_default_md(s->cert);
+
+       return 1;
        }
 
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
+       {
+       int al = -1;
+       if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
+               {
+               ssl3_send_alert(s,SSL3_AL_FATAL,al); 
+               return 0;
+               }
+
+       if (ssl_check_clienthello_tlsext(s) <= 0) 
+               {
+               SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
+               return 0;
+               }
+       return 1;
+}
+
 #ifndef OPENSSL_NO_NEXTPROTONEG
 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
  * elements of zero length are allowed and the set of elements must exactly fill
  * the length of the block. */
-static int ssl_next_proto_validate(unsigned char *d, unsigned len)
+static char ssl_next_proto_validate(unsigned char *d, unsigned len)
        {
        unsigned int off = 0;
 
@@ -1357,7 +1923,7 @@ static int ssl_next_proto_validate(unsigned char *d, unsigned len)
        }
 #endif
 
-int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
        {
        unsigned short length;
        unsigned short type;
@@ -1553,6 +2119,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                                        s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
                                                        s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
                                                        break;
+                               default:        *al = SSL_AD_ILLEGAL_PARAMETER;
+                                                       return 0;
                                }
                        }
 #endif
@@ -1563,7 +2131,46 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                 return 0;
                         }
 
-               data+=size;             
+               else if (type == TLSEXT_TYPE_server_authz)
+                       {
+                       /* We only support audit proofs. It's an error to send
+                        * an authz hello extension if the client
+                        * didn't request a proof. */
+                       unsigned char *sdata = data;
+                       unsigned char server_authz_dataformatlist_length;
+
+                       if (!s->ctx->tlsext_authz_server_audit_proof_cb)
+                               {
+                               *al = TLS1_AD_UNSUPPORTED_EXTENSION;
+                               return 0;
+                               }
+
+                       if (!size)
+                               {
+                               *al = TLS1_AD_DECODE_ERROR;
+                               return 0;
+                               }
+
+                       server_authz_dataformatlist_length = *(sdata++);
+                       if (server_authz_dataformatlist_length != size - 1)
+                               {
+                               *al = TLS1_AD_DECODE_ERROR;
+                               return 0;
+                               }
+
+                       /* We only support audit proofs, so a legal ServerHello
+                        * authz list contains exactly one entry. */
+                       if (server_authz_dataformatlist_length != 1 ||
+                               sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
+                               {
+                               *al = TLS1_AD_UNSUPPORTED_EXTENSION;
+                               return 0;
+                               }
+
+                       s->s3->tlsext_authz_server_promised = 1;
+                       }
+               data += size;
                }
 
        if (data != d+n)
@@ -1609,7 +2216,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
                {
                *al = SSL_AD_HANDSHAKE_FAILURE;
-               SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
+               SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
                                SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                return 0;
                }
@@ -1620,59 +2227,6 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 
 int ssl_prepare_clienthello_tlsext(SSL *s)
        {
-#ifndef OPENSSL_NO_EC
-       /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
-        * and elliptic curves we support.
-        */
-       int using_ecc = 0;
-       int i;
-       unsigned char *j;
-       unsigned long alg_k, alg_a;
-       STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
-
-       for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
-               {
-               SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
-
-               alg_k = c->algorithm_mkey;
-               alg_a = c->algorithm_auth;
-               if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
-                       {
-                       using_ecc = 1;
-                       break;
-                       }
-               }
-       using_ecc = using_ecc && (s->version >= TLS1_VERSION);
-       if (using_ecc)
-               {
-               if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
-               if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
-                       {
-                       SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
-                       return -1;
-                       }
-               s->tlsext_ecpointformatlist_length = 3;
-               s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
-               s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
-               s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
-
-               /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
-               if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
-               s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
-               if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
-                       {
-                       s->tlsext_ellipticcurvelist_length = 0;
-                       SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
-                       return -1;
-                       }
-               for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
-                               sizeof(pref_list)/sizeof(pref_list[0]); i++)
-                       {
-                       int id = tls1_ec_nid2curve_id(pref_list[i]);
-                       s2n(id,j);
-                       }
-               }
-#endif /* OPENSSL_NO_EC */
 
 #ifdef TLSEXT_TYPE_opaque_prf_input
        {
@@ -1742,7 +2296,7 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
        return 1;
        }
 
-int ssl_check_clienthello_tlsext(SSL *s)
+static int ssl_check_clienthello_tlsext(SSL *s)
        {
        int ret=SSL_TLSEXT_ERR_NOACK;
        int al = SSL_AD_UNRECOGNIZED_NAME;
@@ -1979,6 +2533,25 @@ int ssl_check_serverhello_tlsext(SSL *s)
                }
        }
 
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
+       {
+       int al = -1;
+       if (s->version < SSL3_VERSION)
+               return 1;
+       if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
+               {
+               ssl3_send_alert(s,SSL3_AL_FATAL,al); 
+               return 0;
+               }
+
+       if (ssl_check_serverhello_tlsext(s) <= 0) 
+               {
+               SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
+               return 0;
+               }
+       return 1;
+}
+
 /* Since the server cache lookup is done early on in the processing of the
  * ClientHello, and other operations depend on the result, we need to handle
  * any TLS session ticket extension at the same time.
@@ -2220,32 +2793,18 @@ typedef struct
        } tls12_lookup;
 
 static tls12_lookup tls12_md[] = {
-#ifndef OPENSSL_NO_MD5
        {NID_md5, TLSEXT_hash_md5},
-#endif
-#ifndef OPENSSL_NO_SHA
        {NID_sha1, TLSEXT_hash_sha1},
-#endif
-#ifndef OPENSSL_NO_SHA256
        {NID_sha224, TLSEXT_hash_sha224},
        {NID_sha256, TLSEXT_hash_sha256},
-#endif
-#ifndef OPENSSL_NO_SHA512
        {NID_sha384, TLSEXT_hash_sha384},
        {NID_sha512, TLSEXT_hash_sha512}
-#endif
 };
 
 static tls12_lookup tls12_sig[] = {
-#ifndef OPENSSL_NO_RSA
        {EVP_PKEY_RSA, TLSEXT_signature_rsa},
-#endif
-#ifndef OPENSSL_NO_RSA
        {EVP_PKEY_DSA, TLSEXT_signature_dsa},
-#endif
-#ifndef OPENSSL_NO_ECDSA
        {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
-#endif
 };
 
 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
@@ -2258,22 +2817,23 @@ static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
                }
        return -1;
        }
-#if 0
+
 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
        {
        size_t i;
        for (i = 0; i < tlen; i++)
                {
-               if (table[i].id == id)
+               if ((table[i].id) == id)
                        return table[i].nid;
                }
-       return -1;
+       return NID_undef;
        }
-#endif
 
 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
        {
        int sig_id, md_id;
+       if (!md)
+               return 0;
        md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
                                sizeof(tls12_md)/sizeof(tls12_lookup));
        if (md_id == -1)
@@ -2328,13 +2888,156 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
                }
        }
 
+static int tls12_get_pkey_idx(unsigned char sig_alg)
+       {
+       switch(sig_alg)
+               {
+#ifndef OPENSSL_NO_RSA
+       case TLSEXT_signature_rsa:
+               return SSL_PKEY_RSA_SIGN;
+#endif
+#ifndef OPENSSL_NO_DSA
+       case TLSEXT_signature_dsa:
+               return SSL_PKEY_DSA_SIGN;
+#endif
+#ifndef OPENSSL_NO_ECDSA
+       case TLSEXT_signature_ecdsa:
+               return SSL_PKEY_ECC;
+#endif
+               }
+       return -1;
+       }
+
+/* Convert TLS 1.2 signature algorithm extension values into NIDs */
+static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
+                       int *psignhash_nid, const unsigned char *data)
+       {
+       int sign_nid, hash_nid;
+       if (!phash_nid && !psign_nid && !psignhash_nid)
+               return;
+       if (phash_nid || psignhash_nid)
+               {
+               hash_nid = tls12_find_nid(data[0], tls12_md,
+                                       sizeof(tls12_md)/sizeof(tls12_lookup));
+               if (phash_nid)
+                       *phash_nid = hash_nid;
+               }
+       if (psign_nid || psignhash_nid)
+               {
+               sign_nid = tls12_find_nid(data[1], tls12_sig,
+                                       sizeof(tls12_sig)/sizeof(tls12_lookup));
+               if (psign_nid)
+                       *psign_nid = sign_nid;
+               }
+       if (psignhash_nid)
+               {
+               if (sign_nid && hash_nid)
+                       OBJ_find_sigid_by_algs(psignhash_nid,
+                                                       hash_nid, sign_nid);
+               else
+                       *psignhash_nid = NID_undef;
+               }
+       }
+/* Given preference and allowed sigalgs set shared sigalgs */
+static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
+                               const unsigned char *pref, size_t preflen,
+                               const unsigned char *allow, size_t allowlen)
+       {
+       const unsigned char *ptmp, *atmp;
+       size_t i, j, nmatch = 0;
+       for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
+               {
+               /* Skip disabled hashes or signature algorithms */
+               if (tls12_get_hash(ptmp[0]) == NULL)
+                       continue;
+               if (tls12_get_pkey_idx(ptmp[1]) == -1)
+                       continue;
+               for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
+                       {
+                       if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
+                               {
+                               nmatch++;
+                               if (shsig)
+                                       {
+                                       shsig->rhash = ptmp[0];
+                                       shsig->rsign = ptmp[1];
+                                       tls1_lookup_sigalg(&shsig->hash_nid,
+                                               &shsig->sign_nid,
+                                               &shsig->signandhash_nid,
+                                               ptmp);
+                                       shsig++;
+                                       }
+                               break;
+                               }
+                       }
+               }
+       return nmatch;
+       }
+
+/* Set shared signature algorithms for SSL structures */
+static int tls1_set_shared_sigalgs(SSL *s)
+       {
+       const unsigned char *pref, *allow, *conf;
+       size_t preflen, allowlen, conflen;
+       size_t nmatch;
+       TLS_SIGALGS *salgs = NULL;
+       CERT *c = s->cert;
+       /* If client use client signature algorithms if not NULL */
+       if (!s->server && c->client_sigalgs)
+               {
+               conf = c->client_sigalgs;
+               conflen = c->client_sigalgslen;
+               }
+       else if (c->conf_sigalgs)
+               {
+               conf = c->conf_sigalgs;
+               conflen = c->conf_sigalgslen;
+               }
+       else
+               {
+               conf = tls12_sigalgs;
+               conflen = sizeof(tls12_sigalgs);
+#ifdef OPENSSL_FIPS
+               if (FIPS_mode())
+                       conflen -= 2;
+#endif
+               }
+       if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+               {
+               pref = conf;
+               preflen = conflen;
+               allow = c->peer_sigalgs;
+               allowlen = c->peer_sigalgslen;
+               }
+       else
+               {
+               allow = conf;
+               allowlen = conflen;
+               pref = c->peer_sigalgs;
+               preflen = c->peer_sigalgslen;
+               }
+       nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
+       if (!nmatch)
+               return 1;
+       salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
+       if (!salgs)
+               return 0;
+       nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
+       c->shared_sigalgs = salgs;
+       c->shared_sigalgslen = nmatch;
+       return 1;
+       }
+               
+
 /* Set preferred digest for each key type */
 
 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
        {
-       int i, idx;
+       int idx;
+       size_t i;
        const EVP_MD *md;
        CERT *c = s->cert;
+       TLS_SIGALGS *sigptr;
        /* Extension ignored for TLS versions below 1.2 */
        if (TLS1_get_version(s) < TLS1_2_VERSION)
                return 1;
@@ -2347,67 +3050,98 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
        c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
        c->pkeys[SSL_PKEY_ECC].digest = NULL;
 
-       for (i = 0; i < dsize; i += 2)
-               {
-               unsigned char hash_alg = data[i], sig_alg = data[i+1];
+       c->peer_sigalgs = OPENSSL_malloc(dsize);
+       if (!c->peer_sigalgs)
+               return 0;
+       c->peer_sigalgslen = dsize;
+       memcpy(c->peer_sigalgs, data, dsize);
 
-               switch(sig_alg)
-                       {
-#ifndef OPENSSL_NO_RSA
-                       case TLSEXT_signature_rsa:
-                       idx = SSL_PKEY_RSA_SIGN;
-                       break;
-#endif
-#ifndef OPENSSL_NO_DSA
-                       case TLSEXT_signature_dsa:
-                       idx = SSL_PKEY_DSA_SIGN;
-                       break;
-#endif
-#ifndef OPENSSL_NO_ECDSA
-                       case TLSEXT_signature_ecdsa:
-                       idx = SSL_PKEY_ECC;
-                       break;
-#endif
-                       default:
-                       continue;
-                       }
+       tls1_set_shared_sigalgs(s);
 
-               if (c->pkeys[idx].digest == NULL)
+       for (i = 0, sigptr = c->shared_sigalgs;
+                       i < c->shared_sigalgslen; i++, sigptr++)
+               {
+               idx = tls12_get_pkey_idx(sigptr->rsign);
+               if (idx > 0 && c->pkeys[idx].digest == NULL)
                        {
-                       md = tls12_get_hash(hash_alg);
-                       if (md)
-                               {
-                               c->pkeys[idx].digest = md;
-                               if (idx == SSL_PKEY_RSA_SIGN)
-                                       c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
-                               }
+                       md = tls12_get_hash(sigptr->rhash);
+                       c->pkeys[idx].digest = md;
+                       if (idx == SSL_PKEY_RSA_SIGN)
+                               c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
                        }
 
                }
-
-
-       /* Set any remaining keys to default values. NOTE: if alg is not
-        * supported it stays as NULL.
+       /* In strict mode leave unset digests as NULL to indicate we can't
+        * use the certificate for signing.
         */
+       if (!(s->cert->cert_flags & SSL_CERT_FLAG_TLS_STRICT))
+               {
+               /* Set any remaining keys to default values. NOTE: if alg is
+                * not supported it stays as NULL.
+                */
 #ifndef OPENSSL_NO_DSA
-       if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
-               c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
+               if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
+                       c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
 #endif
 #ifndef OPENSSL_NO_RSA
-       if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
-               {
-               c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
-               c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
-               }
+               if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
+                       {
+                       c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
+                       c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
+                       }
 #endif
 #ifndef OPENSSL_NO_ECDSA
-       if (!c->pkeys[SSL_PKEY_ECC].digest)
-               c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
+               if (!c->pkeys[SSL_PKEY_ECC].digest)
+                       c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
 #endif
+               }
        return 1;
        }
 
-#endif
+
+int SSL_get_sigalgs(SSL *s, int idx,
+                       int *psign, int *phash, int *psignhash,
+                       unsigned char *rsig, unsigned char *rhash)
+       {
+       const unsigned char *psig = s->cert->peer_sigalgs;
+       if (psig == NULL)
+               return 0;
+       if (idx >= 0)
+               {
+               idx <<= 1;
+               if (idx >= (int)s->cert->peer_sigalgslen)
+                       return 0;
+               psig += idx;
+               if (rhash)
+                       *rhash = psig[0];
+               if (rsig)
+                       *rsig = psig[1];
+               tls1_lookup_sigalg(phash, psign, psignhash, psig);
+               }
+       return s->cert->peer_sigalgslen / 2;
+       }
+
+int SSL_get_shared_sigalgs(SSL *s, int idx,
+                       int *psign, int *phash, int *psignhash,
+                       unsigned char *rsig, unsigned char *rhash)
+       {
+       TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
+       if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
+               return 0;
+       shsigalgs += idx;
+       if (phash)
+               *phash = shsigalgs->hash_nid;
+       if (psign)
+               *psign = shsigalgs->sign_nid;
+       if (psignhash)
+               *psignhash = shsigalgs->signandhash_nid;
+       if (rsig)
+               *rsig = shsigalgs->rsign;
+       if (rhash)
+               *rhash = shsigalgs->rhash;
+       return s->cert->shared_sigalgslen;
+       }
+       
 
 #ifndef OPENSSL_NO_HEARTBEATS
 int
@@ -2444,7 +3178,10 @@ tls1_process_heartbeat(SSL *s)
                *bp++ = TLS1_HB_RESPONSE;
                s2n(payload, bp);
                memcpy(bp, pl, payload);
-               
+               bp += payload;
+               /* Random padding */
+               RAND_pseudo_bytes(bp, padding);
+
                r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
 
                if (r >= 0 && s->msg_callback)
@@ -2550,3 +3287,262 @@ tls1_heartbeat(SSL *s)
        return ret;
        }
 #endif
+
+#define MAX_SIGALGLEN  (TLSEXT_hash_num * TLSEXT_signature_num * 2)
+
+typedef struct
+       {
+       size_t sigalgcnt;
+       int sigalgs[MAX_SIGALGLEN];
+       } sig_cb_st;
+
+static int sig_cb(const char *elem, int len, void *arg)
+       {
+       sig_cb_st *sarg = arg;
+       size_t i;
+       char etmp[20], *p;
+       int sig_alg, hash_alg;
+       if (sarg->sigalgcnt == MAX_SIGALGLEN)
+               return 0;
+       if (len > (int)(sizeof(etmp) - 1))
+               return 0;
+       memcpy(etmp, elem, len);
+       etmp[len] = 0;
+       p = strchr(etmp, '+');
+       if (!p)
+               return 0;
+       *p = 0;
+       p++;
+       if (!*p)
+               return 0;
+
+       if (!strcmp(etmp, "RSA"))
+               sig_alg = EVP_PKEY_RSA;
+       else if (!strcmp(etmp, "DSA"))
+               sig_alg = EVP_PKEY_DSA;
+       else if (!strcmp(etmp, "ECDSA"))
+               sig_alg = EVP_PKEY_EC;
+       else return 0;
+
+       hash_alg = OBJ_sn2nid(p);
+       if (hash_alg == NID_undef)
+               hash_alg = OBJ_ln2nid(p);
+       if (hash_alg == NID_undef)
+               return 0;
+
+       for (i = 0; i < sarg->sigalgcnt; i+=2)
+               {
+               if (sarg->sigalgs[i] == sig_alg
+                       && sarg->sigalgs[i + 1] == hash_alg)
+                       return 0;
+               }
+       sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
+       sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
+       return 1;
+       }
+
+/* Set suppored signature algorithms based on a colon separated list
+ * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
+int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
+       {
+       sig_cb_st sig;
+       sig.sigalgcnt = 0;
+       if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
+               return 0;
+       return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
+       }
+
+int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
+       {
+       unsigned char *sigalgs, *sptr;
+       int rhash, rsign;
+       size_t i;
+       if (salglen & 1)
+               return 0;
+       sigalgs = OPENSSL_malloc(salglen);
+       if (sigalgs == NULL)
+               return 0;
+       for (i = 0, sptr = sigalgs; i < salglen; i+=2)
+               {
+               rhash = tls12_find_id(*psig_nids++, tls12_md,
+                                       sizeof(tls12_md)/sizeof(tls12_lookup));
+               rsign = tls12_find_id(*psig_nids++, tls12_sig,
+                               sizeof(tls12_sig)/sizeof(tls12_lookup));
+
+               if (rhash == -1 || rsign == -1)
+                       goto err;
+               *sptr++ = rhash;
+               *sptr++ = rsign;
+               }
+
+       if (client)
+               {
+               if (c->client_sigalgs)
+                       OPENSSL_free(c->client_sigalgs);
+               c->client_sigalgs = sigalgs;
+               c->client_sigalgslen = salglen;
+               }
+       else
+               {
+               if (c->conf_sigalgs)
+                       OPENSSL_free(c->conf_sigalgs);
+               c->conf_sigalgs = sigalgs;
+               c->conf_sigalgslen = salglen;
+               }
+
+       return 1;
+
+       err:
+       OPENSSL_free(sigalgs);
+       return 0;
+       }
+
+static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
+       {
+       int sig_nid;
+       size_t i;
+       if (default_nid == -1)
+               return 1;
+       sig_nid = X509_get_signature_nid(x);
+       if (default_nid)
+               return sig_nid == default_nid ? 1 : 0;
+       for (i = 0; i < c->shared_sigalgslen; i++)
+               if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
+                       return 1;
+       return 0;
+       }
+
+/* Check certificate chain is consistent with TLS extensions and is
+ * usable by server.
+ */
+int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
+                                                                       int idx)
+       {
+       int i;
+       int rv = CERT_PKEY_INVALID;
+       CERT_PKEY *cpk = NULL;
+       CERT *c = s->cert;
+       if (idx != -1)
+               {
+               cpk = c->pkeys + idx;
+               x = cpk->x509;
+               pk = cpk->privatekey;
+               chain = cpk->chain;
+               /* If no cert or key, forget it */
+               if (!x || !pk)
+                       goto end;
+               }
+       else
+               {
+               idx = ssl_cert_type(x, pk);
+               if (idx == -1)
+                       goto end;
+               }
+
+       /* Check all signature algorithms are consistent with
+        * signature algorithms extension if TLS 1.2 or later
+        * and strict mode.
+        */
+       if (TLS1_get_version(s) >= TLS1_2_VERSION
+               && c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
+               {
+               int default_nid;
+               unsigned char rsign = 0;
+               if (c->peer_sigalgs)
+                       default_nid = 0;
+               /* If no sigalgs extension use defaults from RFC5246 */
+               else
+                       {
+                       switch(idx)
+                               {       
+                       case SSL_PKEY_RSA_ENC:
+                       case SSL_PKEY_RSA_SIGN:
+                       case SSL_PKEY_DH_RSA:
+                               rsign = TLSEXT_signature_rsa;
+                               default_nid = NID_sha1WithRSAEncryption;
+                               break;
+
+                       case SSL_PKEY_DSA_SIGN:
+                       case SSL_PKEY_DH_DSA:
+                               rsign = TLSEXT_signature_dsa;
+                               default_nid = NID_dsaWithSHA1;
+                               break;
+
+                       case SSL_PKEY_ECC:
+                               rsign = TLSEXT_signature_ecdsa;
+                               default_nid = NID_ecdsa_with_SHA1;
+                               break;
+
+                       default:
+                               default_nid = -1;
+                               break;
+                               }
+                       }
+               /* If peer sent no signature algorithms extension and we
+                * have set preferred signature algorithms check we support
+                * sha1.
+                */
+               if (default_nid > 0 && c->conf_sigalgs)
+                       {
+                       size_t j;
+                       const unsigned char *p = c->conf_sigalgs;
+                       for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2)
+                               {
+                               if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
+                                       break;
+                               }
+                       if (j == c->conf_sigalgslen)
+                               goto end;
+                       }
+               /* Check signature algorithm of each cert in chain */
+               if (!tls1_check_sig_alg(c, x, default_nid))
+                       goto end;
+               for (i = 0; i < sk_X509_num(chain); i++)
+                       {
+                       if (!tls1_check_sig_alg(c, sk_X509_value(chain, i),
+                                                       default_nid))
+                               goto end;
+                       }
+               }
+
+       /* Check cert parameters are consistent */
+       if (!tls1_check_cert_param(s, x))
+               goto end;
+       /* In strict mode check rest of chain too */
+       if (c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
+               {
+               for (i = 0; i < sk_X509_num(chain); i++)
+                       {
+                       if (!tls1_check_cert_param(s, sk_X509_value(chain, i)))
+                               goto end;
+                       }
+               }
+       rv = CERT_PKEY_VALID;
+
+       end:
+       if (cpk)
+               {
+               if (rv && cpk->digest)
+                       rv |= CERT_PKEY_SIGN;
+               cpk->valid_flags = rv;
+               }
+       return rv;
+       }
+
+/* Set validity of certificates in an SSL structure */
+void tls1_set_cert_validity(SSL *s)
+       {
+       tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
+       tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
+       tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
+       tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
+       tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
+       tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
+       }
+/* User level utiity function to check a chain is suitable */
+int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
+       {
+       return tls1_check_chain(s, x, pk, chain, -1);
+       }
+
+#endif