xref: /freebsd/crypto/openssl/ssl/t1_lib.c (revision 361e428888e630eb708c72cf31579a25ba5d4f03)
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #ifndef OPENSSL_NO_EC
117 #ifdef OPENSSL_NO_EC2M
118 # include <openssl/ec.h>
119 #endif
120 #endif
121 #include <openssl/ocsp.h>
122 #include <openssl/rand.h>
123 #include "ssl_locl.h"
124 
125 const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
126 
127 #ifndef OPENSSL_NO_TLSEXT
128 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
129                               const unsigned char *sess_id, int sesslen,
130                               SSL_SESSION **psess);
131 static int ssl_check_clienthello_tlsext_early(SSL *s);
132 int ssl_check_serverhello_tlsext(SSL *s);
133 #endif
134 
135 SSL3_ENC_METHOD TLSv1_enc_data = {
136     tls1_enc,
137     tls1_mac,
138     tls1_setup_key_block,
139     tls1_generate_master_secret,
140     tls1_change_cipher_state,
141     tls1_final_finish_mac,
142     TLS1_FINISH_MAC_LENGTH,
143     tls1_cert_verify_mac,
144     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
145     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
146     tls1_alert_code,
147     tls1_export_keying_material,
148     0,
149     SSL3_HM_HEADER_LENGTH,
150     ssl3_set_handshake_header,
151     ssl3_handshake_write
152 };
153 
154 SSL3_ENC_METHOD TLSv1_1_enc_data = {
155     tls1_enc,
156     tls1_mac,
157     tls1_setup_key_block,
158     tls1_generate_master_secret,
159     tls1_change_cipher_state,
160     tls1_final_finish_mac,
161     TLS1_FINISH_MAC_LENGTH,
162     tls1_cert_verify_mac,
163     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
164     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
165     tls1_alert_code,
166     tls1_export_keying_material,
167     SSL_ENC_FLAG_EXPLICIT_IV,
168     SSL3_HM_HEADER_LENGTH,
169     ssl3_set_handshake_header,
170     ssl3_handshake_write
171 };
172 
173 SSL3_ENC_METHOD TLSv1_2_enc_data = {
174     tls1_enc,
175     tls1_mac,
176     tls1_setup_key_block,
177     tls1_generate_master_secret,
178     tls1_change_cipher_state,
179     tls1_final_finish_mac,
180     TLS1_FINISH_MAC_LENGTH,
181     tls1_cert_verify_mac,
182     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
183     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
184     tls1_alert_code,
185     tls1_export_keying_material,
186     SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
187         | SSL_ENC_FLAG_TLS1_2_CIPHERS,
188     SSL3_HM_HEADER_LENGTH,
189     ssl3_set_handshake_header,
190     ssl3_handshake_write
191 };
192 
193 long tls1_default_timeout(void)
194 {
195     /*
196      * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
197      * http, the cache would over fill
198      */
199     return (60 * 60 * 2);
200 }
201 
202 int tls1_new(SSL *s)
203 {
204     if (!ssl3_new(s))
205         return (0);
206     s->method->ssl_clear(s);
207     return (1);
208 }
209 
210 void tls1_free(SSL *s)
211 {
212 #ifndef OPENSSL_NO_TLSEXT
213     if (s->tlsext_session_ticket) {
214         OPENSSL_free(s->tlsext_session_ticket);
215     }
216 #endif                          /* OPENSSL_NO_TLSEXT */
217     ssl3_free(s);
218 }
219 
220 void tls1_clear(SSL *s)
221 {
222     ssl3_clear(s);
223     s->version = s->method->version;
224 }
225 
226 #ifndef OPENSSL_NO_EC
227 
228 static int nid_list[] = {
229     NID_sect163k1,              /* sect163k1 (1) */
230     NID_sect163r1,              /* sect163r1 (2) */
231     NID_sect163r2,              /* sect163r2 (3) */
232     NID_sect193r1,              /* sect193r1 (4) */
233     NID_sect193r2,              /* sect193r2 (5) */
234     NID_sect233k1,              /* sect233k1 (6) */
235     NID_sect233r1,              /* sect233r1 (7) */
236     NID_sect239k1,              /* sect239k1 (8) */
237     NID_sect283k1,              /* sect283k1 (9) */
238     NID_sect283r1,              /* sect283r1 (10) */
239     NID_sect409k1,              /* sect409k1 (11) */
240     NID_sect409r1,              /* sect409r1 (12) */
241     NID_sect571k1,              /* sect571k1 (13) */
242     NID_sect571r1,              /* sect571r1 (14) */
243     NID_secp160k1,              /* secp160k1 (15) */
244     NID_secp160r1,              /* secp160r1 (16) */
245     NID_secp160r2,              /* secp160r2 (17) */
246     NID_secp192k1,              /* secp192k1 (18) */
247     NID_X9_62_prime192v1,       /* secp192r1 (19) */
248     NID_secp224k1,              /* secp224k1 (20) */
249     NID_secp224r1,              /* secp224r1 (21) */
250     NID_secp256k1,              /* secp256k1 (22) */
251     NID_X9_62_prime256v1,       /* secp256r1 (23) */
252     NID_secp384r1,              /* secp384r1 (24) */
253     NID_secp521r1,              /* secp521r1 (25) */
254     NID_brainpoolP256r1,        /* brainpoolP256r1 (26) */
255     NID_brainpoolP384r1,        /* brainpoolP384r1 (27) */
256     NID_brainpoolP512r1         /* brainpool512r1 (28) */
257 };
258 
259 static const unsigned char ecformats_default[] = {
260     TLSEXT_ECPOINTFORMAT_uncompressed,
261     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
262     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
263 };
264 
265 /* The client's default curves / the server's 'auto' curves. */
266 static const unsigned char eccurves_auto[] = {
267     /* Prefer P-256 which has the fastest and most secure implementations. */
268     0, 23,                      /* secp256r1 (23) */
269     /* Other >= 256-bit prime curves. */
270     0, 25,                      /* secp521r1 (25) */
271     0, 28,                      /* brainpool512r1 (28) */
272     0, 27,                      /* brainpoolP384r1 (27) */
273     0, 24,                      /* secp384r1 (24) */
274     0, 26,                      /* brainpoolP256r1 (26) */
275     0, 22,                      /* secp256k1 (22) */
276 # ifndef OPENSSL_NO_EC2M
277     /* >= 256-bit binary curves. */
278     0, 14,                      /* sect571r1 (14) */
279     0, 13,                      /* sect571k1 (13) */
280     0, 11,                      /* sect409k1 (11) */
281     0, 12,                      /* sect409r1 (12) */
282     0, 9,                       /* sect283k1 (9) */
283     0, 10,                      /* sect283r1 (10) */
284 # endif
285 };
286 
287 static const unsigned char eccurves_all[] = {
288     /* Prefer P-256 which has the fastest and most secure implementations. */
289     0, 23,                      /* secp256r1 (23) */
290     /* Other >= 256-bit prime curves. */
291     0, 25,                      /* secp521r1 (25) */
292     0, 28,                      /* brainpool512r1 (28) */
293     0, 27,                      /* brainpoolP384r1 (27) */
294     0, 24,                      /* secp384r1 (24) */
295     0, 26,                      /* brainpoolP256r1 (26) */
296     0, 22,                      /* secp256k1 (22) */
297 # ifndef OPENSSL_NO_EC2M
298     /* >= 256-bit binary curves. */
299     0, 14,                      /* sect571r1 (14) */
300     0, 13,                      /* sect571k1 (13) */
301     0, 11,                      /* sect409k1 (11) */
302     0, 12,                      /* sect409r1 (12) */
303     0, 9,                       /* sect283k1 (9) */
304     0, 10,                      /* sect283r1 (10) */
305 # endif
306     /*
307      * Remaining curves disabled by default but still permitted if set
308      * via an explicit callback or parameters.
309      */
310     0, 20,                      /* secp224k1 (20) */
311     0, 21,                      /* secp224r1 (21) */
312     0, 18,                      /* secp192k1 (18) */
313     0, 19,                      /* secp192r1 (19) */
314     0, 15,                      /* secp160k1 (15) */
315     0, 16,                      /* secp160r1 (16) */
316     0, 17,                      /* secp160r2 (17) */
317 # ifndef OPENSSL_NO_EC2M
318     0, 8,                       /* sect239k1 (8) */
319     0, 6,                       /* sect233k1 (6) */
320     0, 7,                       /* sect233r1 (7) */
321     0, 4,                       /* sect193r1 (4) */
322     0, 5,                       /* sect193r2 (5) */
323     0, 1,                       /* sect163k1 (1) */
324     0, 2,                       /* sect163r1 (2) */
325     0, 3,                       /* sect163r2 (3) */
326 # endif
327 };
328 
329 static const unsigned char suiteb_curves[] = {
330     0, TLSEXT_curve_P_256,
331     0, TLSEXT_curve_P_384
332 };
333 
334 # ifdef OPENSSL_FIPS
335 /* Brainpool not allowed in FIPS mode */
336 static const unsigned char fips_curves_default[] = {
337 #  ifndef OPENSSL_NO_EC2M
338     0, 14,                      /* sect571r1 (14) */
339     0, 13,                      /* sect571k1 (13) */
340 #  endif
341     0, 25,                      /* secp521r1 (25) */
342 #  ifndef OPENSSL_NO_EC2M
343     0, 11,                      /* sect409k1 (11) */
344     0, 12,                      /* sect409r1 (12) */
345 #  endif
346     0, 24,                      /* secp384r1 (24) */
347 #  ifndef OPENSSL_NO_EC2M
348     0, 9,                       /* sect283k1 (9) */
349     0, 10,                      /* sect283r1 (10) */
350 #  endif
351     0, 22,                      /* secp256k1 (22) */
352     0, 23,                      /* secp256r1 (23) */
353 #  ifndef OPENSSL_NO_EC2M
354     0, 8,                       /* sect239k1 (8) */
355     0, 6,                       /* sect233k1 (6) */
356     0, 7,                       /* sect233r1 (7) */
357 #  endif
358     0, 20,                      /* secp224k1 (20) */
359     0, 21,                      /* secp224r1 (21) */
360 #  ifndef OPENSSL_NO_EC2M
361     0, 4,                       /* sect193r1 (4) */
362     0, 5,                       /* sect193r2 (5) */
363 #  endif
364     0, 18,                      /* secp192k1 (18) */
365     0, 19,                      /* secp192r1 (19) */
366 #  ifndef OPENSSL_NO_EC2M
367     0, 1,                       /* sect163k1 (1) */
368     0, 2,                       /* sect163r1 (2) */
369     0, 3,                       /* sect163r2 (3) */
370 #  endif
371     0, 15,                      /* secp160k1 (15) */
372     0, 16,                      /* secp160r1 (16) */
373     0, 17,                      /* secp160r2 (17) */
374 };
375 # endif
376 
377 int tls1_ec_curve_id2nid(int curve_id)
378 {
379     /* ECC curves from RFC 4492 and RFC 7027 */
380     if ((curve_id < 1) || ((unsigned int)curve_id >
381                            sizeof(nid_list) / sizeof(nid_list[0])))
382         return 0;
383     return nid_list[curve_id - 1];
384 }
385 
386 int tls1_ec_nid2curve_id(int nid)
387 {
388     /* ECC curves from RFC 4492 and RFC 7027 */
389     switch (nid) {
390     case NID_sect163k1:        /* sect163k1 (1) */
391         return 1;
392     case NID_sect163r1:        /* sect163r1 (2) */
393         return 2;
394     case NID_sect163r2:        /* sect163r2 (3) */
395         return 3;
396     case NID_sect193r1:        /* sect193r1 (4) */
397         return 4;
398     case NID_sect193r2:        /* sect193r2 (5) */
399         return 5;
400     case NID_sect233k1:        /* sect233k1 (6) */
401         return 6;
402     case NID_sect233r1:        /* sect233r1 (7) */
403         return 7;
404     case NID_sect239k1:        /* sect239k1 (8) */
405         return 8;
406     case NID_sect283k1:        /* sect283k1 (9) */
407         return 9;
408     case NID_sect283r1:        /* sect283r1 (10) */
409         return 10;
410     case NID_sect409k1:        /* sect409k1 (11) */
411         return 11;
412     case NID_sect409r1:        /* sect409r1 (12) */
413         return 12;
414     case NID_sect571k1:        /* sect571k1 (13) */
415         return 13;
416     case NID_sect571r1:        /* sect571r1 (14) */
417         return 14;
418     case NID_secp160k1:        /* secp160k1 (15) */
419         return 15;
420     case NID_secp160r1:        /* secp160r1 (16) */
421         return 16;
422     case NID_secp160r2:        /* secp160r2 (17) */
423         return 17;
424     case NID_secp192k1:        /* secp192k1 (18) */
425         return 18;
426     case NID_X9_62_prime192v1: /* secp192r1 (19) */
427         return 19;
428     case NID_secp224k1:        /* secp224k1 (20) */
429         return 20;
430     case NID_secp224r1:        /* secp224r1 (21) */
431         return 21;
432     case NID_secp256k1:        /* secp256k1 (22) */
433         return 22;
434     case NID_X9_62_prime256v1: /* secp256r1 (23) */
435         return 23;
436     case NID_secp384r1:        /* secp384r1 (24) */
437         return 24;
438     case NID_secp521r1:        /* secp521r1 (25) */
439         return 25;
440     case NID_brainpoolP256r1:  /* brainpoolP256r1 (26) */
441         return 26;
442     case NID_brainpoolP384r1:  /* brainpoolP384r1 (27) */
443         return 27;
444     case NID_brainpoolP512r1:  /* brainpool512r1 (28) */
445         return 28;
446     default:
447         return 0;
448     }
449 }
450 
451 /*
452  * Get curves list, if "sess" is set return client curves otherwise
453  * preferred list.
454  * Sets |num_curves| to the number of curves in the list, i.e.,
455  * the length of |pcurves| is 2 * num_curves.
456  * Returns 1 on success and 0 if the client curves list has invalid format.
457  * The latter indicates an internal error: we should not be accepting such
458  * lists in the first place.
459  * TODO(emilia): we should really be storing the curves list in explicitly
460  * parsed form instead. (However, this would affect binary compatibility
461  * so cannot happen in the 1.0.x series.)
462  */
463 static int tls1_get_curvelist(SSL *s, int sess,
464                               const unsigned char **pcurves,
465                               size_t *num_curves)
466 {
467     size_t pcurveslen = 0;
468     if (sess) {
469         *pcurves = s->session->tlsext_ellipticcurvelist;
470         pcurveslen = s->session->tlsext_ellipticcurvelist_length;
471     } else {
472         /* For Suite B mode only include P-256, P-384 */
473         switch (tls1_suiteb(s)) {
474         case SSL_CERT_FLAG_SUITEB_128_LOS:
475             *pcurves = suiteb_curves;
476             pcurveslen = sizeof(suiteb_curves);
477             break;
478 
479         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
480             *pcurves = suiteb_curves;
481             pcurveslen = 2;
482             break;
483 
484         case SSL_CERT_FLAG_SUITEB_192_LOS:
485             *pcurves = suiteb_curves + 2;
486             pcurveslen = 2;
487             break;
488         default:
489             *pcurves = s->tlsext_ellipticcurvelist;
490             pcurveslen = s->tlsext_ellipticcurvelist_length;
491         }
492         if (!*pcurves) {
493 # ifdef OPENSSL_FIPS
494             if (FIPS_mode()) {
495                 *pcurves = fips_curves_default;
496                 pcurveslen = sizeof(fips_curves_default);
497             } else
498 # endif
499             {
500                 if (!s->server || s->cert->ecdh_tmp_auto) {
501                     *pcurves = eccurves_auto;
502                     pcurveslen = sizeof(eccurves_auto);
503                 } else {
504                     *pcurves = eccurves_all;
505                     pcurveslen = sizeof(eccurves_all);
506                 }
507             }
508         }
509     }
510     /* We do not allow odd length arrays to enter the system. */
511     if (pcurveslen & 1) {
512         SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
513         *num_curves = 0;
514         return 0;
515     } else {
516         *num_curves = pcurveslen / 2;
517         return 1;
518     }
519 }
520 
521 /* Check a curve is one of our preferences */
522 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
523 {
524     const unsigned char *curves;
525     size_t num_curves, i;
526     unsigned int suiteb_flags = tls1_suiteb(s);
527     if (len != 3 || p[0] != NAMED_CURVE_TYPE)
528         return 0;
529     /* Check curve matches Suite B preferences */
530     if (suiteb_flags) {
531         unsigned long cid = s->s3->tmp.new_cipher->id;
532         if (p[1])
533             return 0;
534         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
535             if (p[2] != TLSEXT_curve_P_256)
536                 return 0;
537         } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
538             if (p[2] != TLSEXT_curve_P_384)
539                 return 0;
540         } else                  /* Should never happen */
541             return 0;
542     }
543     if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
544         return 0;
545     for (i = 0; i < num_curves; i++, curves += 2) {
546         if (p[1] == curves[0] && p[2] == curves[1])
547             return 1;
548     }
549     return 0;
550 }
551 
552 /*-
553  * Return |nmatch|th shared curve or NID_undef if there is no match.
554  * For nmatch == -1, return number of  matches
555  * For nmatch == -2, return the NID of the curve to use for
556  * an EC tmp key, or NID_undef if there is no match.
557  */
558 int tls1_shared_curve(SSL *s, int nmatch)
559 {
560     const unsigned char *pref, *supp;
561     size_t num_pref, num_supp, i, j;
562     int k;
563     /* Can't do anything on client side */
564     if (s->server == 0)
565         return -1;
566     if (nmatch == -2) {
567         if (tls1_suiteb(s)) {
568             /*
569              * For Suite B ciphersuite determines curve: we already know
570              * these are acceptable due to previous checks.
571              */
572             unsigned long cid = s->s3->tmp.new_cipher->id;
573             if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
574                 return NID_X9_62_prime256v1; /* P-256 */
575             if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
576                 return NID_secp384r1; /* P-384 */
577             /* Should never happen */
578             return NID_undef;
579         }
580         /* If not Suite B just return first preference shared curve */
581         nmatch = 0;
582     }
583     /*
584      * Avoid truncation. tls1_get_curvelist takes an int
585      * but s->options is a long...
586      */
587     if (!tls1_get_curvelist
588         (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
589          &num_supp))
590         /* In practice, NID_undef == 0 but let's be precise. */
591         return nmatch == -1 ? 0 : NID_undef;
592     if (!tls1_get_curvelist
593         (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
594          &num_pref))
595         return nmatch == -1 ? 0 : NID_undef;
596 
597     /*
598      * If the client didn't send the elliptic_curves extension all of them
599      * are allowed.
600      */
601     if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
602         supp = eccurves_all;
603         num_supp = sizeof(eccurves_all) / 2;
604     } else if (num_pref == 0 &&
605         (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
606         pref = eccurves_all;
607         num_pref = sizeof(eccurves_all) / 2;
608     }
609 
610     k = 0;
611     for (i = 0; i < num_pref; i++, pref += 2) {
612         const unsigned char *tsupp = supp;
613         for (j = 0; j < num_supp; j++, tsupp += 2) {
614             if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
615                 if (nmatch == k) {
616                     int id = (pref[0] << 8) | pref[1];
617                     return tls1_ec_curve_id2nid(id);
618                 }
619                 k++;
620             }
621         }
622     }
623     if (nmatch == -1)
624         return k;
625     /* Out of range (nmatch > k). */
626     return NID_undef;
627 }
628 
629 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
630                     int *curves, size_t ncurves)
631 {
632     unsigned char *clist, *p;
633     size_t i;
634     /*
635      * Bitmap of curves included to detect duplicates: only works while curve
636      * ids < 32
637      */
638     unsigned long dup_list = 0;
639 # ifdef OPENSSL_NO_EC2M
640     EC_GROUP *curve;
641 # endif
642 
643     clist = OPENSSL_malloc(ncurves * 2);
644     if (!clist)
645         return 0;
646     for (i = 0, p = clist; i < ncurves; i++) {
647         unsigned long idmask;
648         int id;
649         id = tls1_ec_nid2curve_id(curves[i]);
650 # ifdef OPENSSL_FIPS
651         /* NB: 25 is last curve ID supported by FIPS module */
652         if (FIPS_mode() && id > 25) {
653             OPENSSL_free(clist);
654             return 0;
655         }
656 # endif
657 # ifdef OPENSSL_NO_EC2M
658         curve = EC_GROUP_new_by_curve_name(curves[i]);
659         if (!curve || EC_METHOD_get_field_type(EC_GROUP_method_of(curve))
660             == NID_X9_62_characteristic_two_field) {
661             if (curve)
662                 EC_GROUP_free(curve);
663             OPENSSL_free(clist);
664             return 0;
665         } else
666             EC_GROUP_free(curve);
667 # endif
668         idmask = 1L << id;
669         if (!id || (dup_list & idmask)) {
670             OPENSSL_free(clist);
671             return 0;
672         }
673         dup_list |= idmask;
674         s2n(id, p);
675     }
676     if (*pext)
677         OPENSSL_free(*pext);
678     *pext = clist;
679     *pextlen = ncurves * 2;
680     return 1;
681 }
682 
683 # define MAX_CURVELIST   28
684 
685 typedef struct {
686     size_t nidcnt;
687     int nid_arr[MAX_CURVELIST];
688 } nid_cb_st;
689 
690 static int nid_cb(const char *elem, int len, void *arg)
691 {
692     nid_cb_st *narg = arg;
693     size_t i;
694     int nid;
695     char etmp[20];
696     if (elem == NULL)
697         return 0;
698     if (narg->nidcnt == MAX_CURVELIST)
699         return 0;
700     if (len > (int)(sizeof(etmp) - 1))
701         return 0;
702     memcpy(etmp, elem, len);
703     etmp[len] = 0;
704     nid = EC_curve_nist2nid(etmp);
705     if (nid == NID_undef)
706         nid = OBJ_sn2nid(etmp);
707     if (nid == NID_undef)
708         nid = OBJ_ln2nid(etmp);
709     if (nid == NID_undef)
710         return 0;
711     for (i = 0; i < narg->nidcnt; i++)
712         if (narg->nid_arr[i] == nid)
713             return 0;
714     narg->nid_arr[narg->nidcnt++] = nid;
715     return 1;
716 }
717 
718 /* Set curves based on a colon separate list */
719 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
720                          const char *str)
721 {
722     nid_cb_st ncb;
723     ncb.nidcnt = 0;
724     if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
725         return 0;
726     if (pext == NULL)
727         return 1;
728     return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
729 }
730 
731 /* For an EC key set TLS id and required compression based on parameters */
732 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
733                           EC_KEY *ec)
734 {
735     int is_prime, id;
736     const EC_GROUP *grp;
737     const EC_METHOD *meth;
738     if (!ec)
739         return 0;
740     /* Determine if it is a prime field */
741     grp = EC_KEY_get0_group(ec);
742     if (!grp)
743         return 0;
744     meth = EC_GROUP_method_of(grp);
745     if (!meth)
746         return 0;
747     if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
748         is_prime = 1;
749     else
750         is_prime = 0;
751     /* Determine curve ID */
752     id = EC_GROUP_get_curve_name(grp);
753     id = tls1_ec_nid2curve_id(id);
754     /* If we have an ID set it, otherwise set arbitrary explicit curve */
755     if (id) {
756         curve_id[0] = 0;
757         curve_id[1] = (unsigned char)id;
758     } else {
759         curve_id[0] = 0xff;
760         if (is_prime)
761             curve_id[1] = 0x01;
762         else
763             curve_id[1] = 0x02;
764     }
765     if (comp_id) {
766         if (EC_KEY_get0_public_key(ec) == NULL)
767             return 0;
768         if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
769             if (is_prime)
770                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
771             else
772                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
773         } else
774             *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
775     }
776     return 1;
777 }
778 
779 /* Check an EC key is compatible with extensions */
780 static int tls1_check_ec_key(SSL *s,
781                              unsigned char *curve_id, unsigned char *comp_id)
782 {
783     const unsigned char *pformats, *pcurves;
784     size_t num_formats, num_curves, i;
785     int j;
786     /*
787      * If point formats extension present check it, otherwise everything is
788      * supported (see RFC4492).
789      */
790     if (comp_id && s->session->tlsext_ecpointformatlist) {
791         pformats = s->session->tlsext_ecpointformatlist;
792         num_formats = s->session->tlsext_ecpointformatlist_length;
793         for (i = 0; i < num_formats; i++, pformats++) {
794             if (*comp_id == *pformats)
795                 break;
796         }
797         if (i == num_formats)
798             return 0;
799     }
800     if (!curve_id)
801         return 1;
802     /* Check curve is consistent with client and server preferences */
803     for (j = 0; j <= 1; j++) {
804         if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
805             return 0;
806         if (j == 1 && num_curves == 0) {
807             /*
808              * If we've not received any curves then skip this check.
809              * RFC 4492 does not require the supported elliptic curves extension
810              * so if it is not sent we can just choose any curve.
811              * It is invalid to send an empty list in the elliptic curves
812              * extension, so num_curves == 0 always means no extension.
813              */
814             break;
815         }
816         for (i = 0; i < num_curves; i++, pcurves += 2) {
817             if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
818                 break;
819         }
820         if (i == num_curves)
821             return 0;
822         /* For clients can only check sent curve list */
823         if (!s->server)
824             return 1;
825     }
826     return 1;
827 }
828 
829 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
830                                 size_t *num_formats)
831 {
832     /*
833      * If we have a custom point format list use it otherwise use default
834      */
835     if (s->tlsext_ecpointformatlist) {
836         *pformats = s->tlsext_ecpointformatlist;
837         *num_formats = s->tlsext_ecpointformatlist_length;
838     } else {
839         *pformats = ecformats_default;
840         /* For Suite B we don't support char2 fields */
841         if (tls1_suiteb(s))
842             *num_formats = sizeof(ecformats_default) - 1;
843         else
844             *num_formats = sizeof(ecformats_default);
845     }
846 }
847 
848 /*
849  * Check cert parameters compatible with extensions: currently just checks EC
850  * certificates have compatible curves and compression.
851  */
852 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
853 {
854     unsigned char comp_id, curve_id[2];
855     EVP_PKEY *pkey;
856     int rv;
857     pkey = X509_get_pubkey(x);
858     if (!pkey)
859         return 0;
860     /* If not EC nothing to do */
861     if (pkey->type != EVP_PKEY_EC) {
862         EVP_PKEY_free(pkey);
863         return 1;
864     }
865     rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
866     EVP_PKEY_free(pkey);
867     if (!rv)
868         return 0;
869     /*
870      * Can't check curve_id for client certs as we don't have a supported
871      * curves extension.
872      */
873     rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
874     if (!rv)
875         return 0;
876     /*
877      * Special case for suite B. We *MUST* sign using SHA256+P-256 or
878      * SHA384+P-384, adjust digest if necessary.
879      */
880     if (set_ee_md && tls1_suiteb(s)) {
881         int check_md;
882         size_t i;
883         CERT *c = s->cert;
884         if (curve_id[0])
885             return 0;
886         /* Check to see we have necessary signing algorithm */
887         if (curve_id[1] == TLSEXT_curve_P_256)
888             check_md = NID_ecdsa_with_SHA256;
889         else if (curve_id[1] == TLSEXT_curve_P_384)
890             check_md = NID_ecdsa_with_SHA384;
891         else
892             return 0;           /* Should never happen */
893         for (i = 0; i < c->shared_sigalgslen; i++)
894             if (check_md == c->shared_sigalgs[i].signandhash_nid)
895                 break;
896         if (i == c->shared_sigalgslen)
897             return 0;
898         if (set_ee_md == 2) {
899             if (check_md == NID_ecdsa_with_SHA256)
900                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
901             else
902                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
903         }
904     }
905     return rv;
906 }
907 
908 # ifndef OPENSSL_NO_ECDH
909 /* Check EC temporary key is compatible with client extensions */
910 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
911 {
912     unsigned char curve_id[2];
913     EC_KEY *ec = s->cert->ecdh_tmp;
914 #  ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
915     /* Allow any curve: not just those peer supports */
916     if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
917         return 1;
918 #  endif
919     /*
920      * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
921      * curves permitted.
922      */
923     if (tls1_suiteb(s)) {
924         /* Curve to check determined by ciphersuite */
925         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
926             curve_id[1] = TLSEXT_curve_P_256;
927         else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
928             curve_id[1] = TLSEXT_curve_P_384;
929         else
930             return 0;
931         curve_id[0] = 0;
932         /* Check this curve is acceptable */
933         if (!tls1_check_ec_key(s, curve_id, NULL))
934             return 0;
935         /* If auto or setting curve from callback assume OK */
936         if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
937             return 1;
938         /* Otherwise check curve is acceptable */
939         else {
940             unsigned char curve_tmp[2];
941             if (!ec)
942                 return 0;
943             if (!tls1_set_ec_id(curve_tmp, NULL, ec))
944                 return 0;
945             if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
946                 return 1;
947             return 0;
948         }
949 
950     }
951     if (s->cert->ecdh_tmp_auto) {
952         /* Need a shared curve */
953         if (tls1_shared_curve(s, 0))
954             return 1;
955         else
956             return 0;
957     }
958     if (!ec) {
959         if (s->cert->ecdh_tmp_cb)
960             return 1;
961         else
962             return 0;
963     }
964     if (!tls1_set_ec_id(curve_id, NULL, ec))
965         return 0;
966 /* Set this to allow use of invalid curves for testing */
967 #  if 0
968     return 1;
969 #  else
970     return tls1_check_ec_key(s, curve_id, NULL);
971 #  endif
972 }
973 # endif                         /* OPENSSL_NO_ECDH */
974 
975 #else
976 
977 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
978 {
979     return 1;
980 }
981 
982 #endif                          /* OPENSSL_NO_EC */
983 
984 #ifndef OPENSSL_NO_TLSEXT
985 
986 /*
987  * List of supported signature algorithms and hashes. Should make this
988  * customisable at some point, for now include everything we support.
989  */
990 
991 # ifdef OPENSSL_NO_RSA
992 #  define tlsext_sigalg_rsa(md) /* */
993 # else
994 #  define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
995 # endif
996 
997 # ifdef OPENSSL_NO_DSA
998 #  define tlsext_sigalg_dsa(md) /* */
999 # else
1000 #  define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
1001 # endif
1002 
1003 # ifdef OPENSSL_NO_ECDSA
1004 #  define tlsext_sigalg_ecdsa(md)
1005                                 /* */
1006 # else
1007 #  define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
1008 # endif
1009 
1010 # define tlsext_sigalg(md) \
1011                 tlsext_sigalg_rsa(md) \
1012                 tlsext_sigalg_dsa(md) \
1013                 tlsext_sigalg_ecdsa(md)
1014 
1015 static unsigned char tls12_sigalgs[] = {
1016 # ifndef OPENSSL_NO_SHA512
1017     tlsext_sigalg(TLSEXT_hash_sha512)
1018         tlsext_sigalg(TLSEXT_hash_sha384)
1019 # endif
1020 # ifndef OPENSSL_NO_SHA256
1021         tlsext_sigalg(TLSEXT_hash_sha256)
1022         tlsext_sigalg(TLSEXT_hash_sha224)
1023 # endif
1024 # ifndef OPENSSL_NO_SHA
1025         tlsext_sigalg(TLSEXT_hash_sha1)
1026 # endif
1027 };
1028 
1029 # ifndef OPENSSL_NO_ECDSA
1030 static unsigned char suiteb_sigalgs[] = {
1031     tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
1032         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
1033 };
1034 # endif
1035 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
1036 {
1037     /*
1038      * If Suite B mode use Suite B sigalgs only, ignore any other
1039      * preferences.
1040      */
1041 # ifndef OPENSSL_NO_EC
1042     switch (tls1_suiteb(s)) {
1043     case SSL_CERT_FLAG_SUITEB_128_LOS:
1044         *psigs = suiteb_sigalgs;
1045         return sizeof(suiteb_sigalgs);
1046 
1047     case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
1048         *psigs = suiteb_sigalgs;
1049         return 2;
1050 
1051     case SSL_CERT_FLAG_SUITEB_192_LOS:
1052         *psigs = suiteb_sigalgs + 2;
1053         return 2;
1054     }
1055 # endif
1056     /* If server use client authentication sigalgs if not NULL */
1057     if (s->server && s->cert->client_sigalgs) {
1058         *psigs = s->cert->client_sigalgs;
1059         return s->cert->client_sigalgslen;
1060     } else if (s->cert->conf_sigalgs) {
1061         *psigs = s->cert->conf_sigalgs;
1062         return s->cert->conf_sigalgslen;
1063     } else {
1064         *psigs = tls12_sigalgs;
1065         return sizeof(tls12_sigalgs);
1066     }
1067 }
1068 
1069 /*
1070  * Check signature algorithm is consistent with sent supported signature
1071  * algorithms and if so return relevant digest.
1072  */
1073 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
1074                             const unsigned char *sig, EVP_PKEY *pkey)
1075 {
1076     const unsigned char *sent_sigs;
1077     size_t sent_sigslen, i;
1078     int sigalg = tls12_get_sigid(pkey);
1079     /* Should never happen */
1080     if (sigalg == -1)
1081         return -1;
1082     /* Check key type is consistent with signature */
1083     if (sigalg != (int)sig[1]) {
1084         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1085         return 0;
1086     }
1087 # ifndef OPENSSL_NO_EC
1088     if (pkey->type == EVP_PKEY_EC) {
1089         unsigned char curve_id[2], comp_id;
1090         /* Check compression and curve matches extensions */
1091         if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
1092             return 0;
1093         if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
1094             SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
1095             return 0;
1096         }
1097         /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1098         if (tls1_suiteb(s)) {
1099             if (curve_id[0])
1100                 return 0;
1101             if (curve_id[1] == TLSEXT_curve_P_256) {
1102                 if (sig[0] != TLSEXT_hash_sha256) {
1103                     SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1104                            SSL_R_ILLEGAL_SUITEB_DIGEST);
1105                     return 0;
1106                 }
1107             } else if (curve_id[1] == TLSEXT_curve_P_384) {
1108                 if (sig[0] != TLSEXT_hash_sha384) {
1109                     SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1110                            SSL_R_ILLEGAL_SUITEB_DIGEST);
1111                     return 0;
1112                 }
1113             } else
1114                 return 0;
1115         }
1116     } else if (tls1_suiteb(s))
1117         return 0;
1118 # endif
1119 
1120     /* Check signature matches a type we sent */
1121     sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1122     for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1123         if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1124             break;
1125     }
1126     /* Allow fallback to SHA1 if not strict mode */
1127     if (i == sent_sigslen
1128         && (sig[0] != TLSEXT_hash_sha1
1129             || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1130         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1131         return 0;
1132     }
1133     *pmd = tls12_get_hash(sig[0]);
1134     if (*pmd == NULL) {
1135         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1136         return 0;
1137     }
1138     /*
1139      * Store the digest used so applications can retrieve it if they wish.
1140      */
1141     if (s->session && s->session->sess_cert)
1142         s->session->sess_cert->peer_key->digest = *pmd;
1143     return 1;
1144 }
1145 
1146 /*
1147  * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1148  * supported or doesn't appear in supported signature algorithms. Unlike
1149  * ssl_cipher_get_disabled this applies to a specific session and not global
1150  * settings.
1151  */
1152 void ssl_set_client_disabled(SSL *s)
1153 {
1154     CERT *c = s->cert;
1155     const unsigned char *sigalgs;
1156     size_t i, sigalgslen;
1157     int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1158     c->mask_a = 0;
1159     c->mask_k = 0;
1160     /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1161     if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1162         c->mask_ssl = SSL_TLSV1_2;
1163     else
1164         c->mask_ssl = 0;
1165     /*
1166      * Now go through all signature algorithms seeing if we support any for
1167      * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2.
1168      */
1169     sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1170     for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
1171         switch (sigalgs[1]) {
1172 # ifndef OPENSSL_NO_RSA
1173         case TLSEXT_signature_rsa:
1174             have_rsa = 1;
1175             break;
1176 # endif
1177 # ifndef OPENSSL_NO_DSA
1178         case TLSEXT_signature_dsa:
1179             have_dsa = 1;
1180             break;
1181 # endif
1182 # ifndef OPENSSL_NO_ECDSA
1183         case TLSEXT_signature_ecdsa:
1184             have_ecdsa = 1;
1185             break;
1186 # endif
1187         }
1188     }
1189     /*
1190      * Disable auth and static DH if we don't include any appropriate
1191      * signature algorithms.
1192      */
1193     if (!have_rsa) {
1194         c->mask_a |= SSL_aRSA;
1195         c->mask_k |= SSL_kDHr | SSL_kECDHr;
1196     }
1197     if (!have_dsa) {
1198         c->mask_a |= SSL_aDSS;
1199         c->mask_k |= SSL_kDHd;
1200     }
1201     if (!have_ecdsa) {
1202         c->mask_a |= SSL_aECDSA;
1203         c->mask_k |= SSL_kECDHe;
1204     }
1205 # ifndef OPENSSL_NO_KRB5
1206     if (!kssl_tgt_is_available(s->kssl_ctx)) {
1207         c->mask_a |= SSL_aKRB5;
1208         c->mask_k |= SSL_kKRB5;
1209     }
1210 # endif
1211 # ifndef OPENSSL_NO_PSK
1212     /* with PSK there must be client callback set */
1213     if (!s->psk_client_callback) {
1214         c->mask_a |= SSL_aPSK;
1215         c->mask_k |= SSL_kPSK;
1216     }
1217 # endif                         /* OPENSSL_NO_PSK */
1218 # ifndef OPENSSL_NO_SRP
1219     if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
1220         c->mask_a |= SSL_aSRP;
1221         c->mask_k |= SSL_kSRP;
1222     }
1223 # endif
1224     c->valid = 1;
1225 }
1226 
1227 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1228                                           unsigned char *limit, int *al)
1229 {
1230     int extdatalen = 0;
1231     unsigned char *orig = buf;
1232     unsigned char *ret = buf;
1233 # ifndef OPENSSL_NO_EC
1234     /* See if we support any ECC ciphersuites */
1235     int using_ecc = 0;
1236     if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1237         int i;
1238         unsigned long alg_k, alg_a;
1239         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1240 
1241         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1242             SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1243 
1244             alg_k = c->algorithm_mkey;
1245             alg_a = c->algorithm_auth;
1246             if ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)
1247                  || (alg_a & SSL_aECDSA))) {
1248                 using_ecc = 1;
1249                 break;
1250             }
1251         }
1252     }
1253 # endif
1254 
1255     /* don't add extensions for SSLv3 unless doing secure renegotiation */
1256     if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding)
1257         return orig;
1258 
1259     ret += 2;
1260 
1261     if (ret >= limit)
1262         return NULL;            /* this really never occurs, but ... */
1263 
1264     if (s->tlsext_hostname != NULL) {
1265         /* Add TLS extension servername to the Client Hello message */
1266         unsigned long size_str;
1267         long lenmax;
1268 
1269         /*-
1270          * check for enough space.
1271          * 4 for the servername type and entension length
1272          * 2 for servernamelist length
1273          * 1 for the hostname type
1274          * 2 for hostname length
1275          * + hostname length
1276          */
1277 
1278         if ((lenmax = limit - ret - 9) < 0
1279             || (size_str =
1280                 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1281             return NULL;
1282 
1283         /* extension type and length */
1284         s2n(TLSEXT_TYPE_server_name, ret);
1285         s2n(size_str + 5, ret);
1286 
1287         /* length of servername list */
1288         s2n(size_str + 3, ret);
1289 
1290         /* hostname type, length and hostname */
1291         *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1292         s2n(size_str, ret);
1293         memcpy(ret, s->tlsext_hostname, size_str);
1294         ret += size_str;
1295     }
1296 
1297     /* Add RI if renegotiating */
1298     if (s->renegotiate) {
1299         int el;
1300 
1301         if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1302             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1303             return NULL;
1304         }
1305 
1306         if ((limit - ret - 4 - el) < 0)
1307             return NULL;
1308 
1309         s2n(TLSEXT_TYPE_renegotiate, ret);
1310         s2n(el, ret);
1311 
1312         if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1313             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1314             return NULL;
1315         }
1316 
1317         ret += el;
1318     }
1319 # ifndef OPENSSL_NO_SRP
1320     /* Add SRP username if there is one */
1321     if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1322                                      * Client Hello message */
1323 
1324         int login_len = strlen(s->srp_ctx.login);
1325         if (login_len > 255 || login_len == 0) {
1326             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1327             return NULL;
1328         }
1329 
1330         /*-
1331          * check for enough space.
1332          * 4 for the srp type type and entension length
1333          * 1 for the srp user identity
1334          * + srp user identity length
1335          */
1336         if ((limit - ret - 5 - login_len) < 0)
1337             return NULL;
1338 
1339         /* fill in the extension */
1340         s2n(TLSEXT_TYPE_srp, ret);
1341         s2n(login_len + 1, ret);
1342         (*ret++) = (unsigned char)login_len;
1343         memcpy(ret, s->srp_ctx.login, login_len);
1344         ret += login_len;
1345     }
1346 # endif
1347 
1348 # ifndef OPENSSL_NO_EC
1349     if (using_ecc) {
1350         /*
1351          * Add TLS extension ECPointFormats to the ClientHello message
1352          */
1353         long lenmax;
1354         const unsigned char *pcurves, *pformats;
1355         size_t num_curves, num_formats, curves_list_len;
1356 
1357         tls1_get_formatlist(s, &pformats, &num_formats);
1358 
1359         if ((lenmax = limit - ret - 5) < 0)
1360             return NULL;
1361         if (num_formats > (size_t)lenmax)
1362             return NULL;
1363         if (num_formats > 255) {
1364             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1365             return NULL;
1366         }
1367 
1368         s2n(TLSEXT_TYPE_ec_point_formats, ret);
1369         /* The point format list has 1-byte length. */
1370         s2n(num_formats + 1, ret);
1371         *(ret++) = (unsigned char)num_formats;
1372         memcpy(ret, pformats, num_formats);
1373         ret += num_formats;
1374 
1375         /*
1376          * Add TLS extension EllipticCurves to the ClientHello message
1377          */
1378         pcurves = s->tlsext_ellipticcurvelist;
1379         if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1380             return NULL;
1381 
1382         if ((lenmax = limit - ret - 6) < 0)
1383             return NULL;
1384         if (num_curves > (size_t)lenmax / 2)
1385             return NULL;
1386         if (num_curves > 65532 / 2) {
1387             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1388             return NULL;
1389         }
1390         curves_list_len = 2 * num_curves;
1391         s2n(TLSEXT_TYPE_elliptic_curves, ret);
1392         s2n(curves_list_len + 2, ret);
1393         s2n(curves_list_len, ret);
1394         memcpy(ret, pcurves, curves_list_len);
1395         ret += curves_list_len;
1396     }
1397 # endif                         /* OPENSSL_NO_EC */
1398 
1399     if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1400         int ticklen;
1401         if (!s->new_session && s->session && s->session->tlsext_tick)
1402             ticklen = s->session->tlsext_ticklen;
1403         else if (s->session && s->tlsext_session_ticket &&
1404                  s->tlsext_session_ticket->data) {
1405             ticklen = s->tlsext_session_ticket->length;
1406             s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1407             if (!s->session->tlsext_tick)
1408                 return NULL;
1409             memcpy(s->session->tlsext_tick,
1410                    s->tlsext_session_ticket->data, ticklen);
1411             s->session->tlsext_ticklen = ticklen;
1412         } else
1413             ticklen = 0;
1414         if (ticklen == 0 && s->tlsext_session_ticket &&
1415             s->tlsext_session_ticket->data == NULL)
1416             goto skip_ext;
1417         /*
1418          * Check for enough room 2 for extension type, 2 for len rest for
1419          * ticket
1420          */
1421         if ((long)(limit - ret - 4 - ticklen) < 0)
1422             return NULL;
1423         s2n(TLSEXT_TYPE_session_ticket, ret);
1424         s2n(ticklen, ret);
1425         if (ticklen) {
1426             memcpy(ret, s->session->tlsext_tick, ticklen);
1427             ret += ticklen;
1428         }
1429     }
1430  skip_ext:
1431 
1432     if (SSL_USE_SIGALGS(s)) {
1433         size_t salglen;
1434         const unsigned char *salg;
1435         salglen = tls12_get_psigalgs(s, &salg);
1436         if ((size_t)(limit - ret) < salglen + 6)
1437             return NULL;
1438         s2n(TLSEXT_TYPE_signature_algorithms, ret);
1439         s2n(salglen + 2, ret);
1440         s2n(salglen, ret);
1441         memcpy(ret, salg, salglen);
1442         ret += salglen;
1443     }
1444 # ifdef TLSEXT_TYPE_opaque_prf_input
1445     if (s->s3->client_opaque_prf_input != NULL) {
1446         size_t col = s->s3->client_opaque_prf_input_len;
1447 
1448         if ((long)(limit - ret - 6 - col < 0))
1449             return NULL;
1450         if (col > 0xFFFD)       /* can't happen */
1451             return NULL;
1452 
1453         s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1454         s2n(col + 2, ret);
1455         s2n(col, ret);
1456         memcpy(ret, s->s3->client_opaque_prf_input, col);
1457         ret += col;
1458     }
1459 # endif
1460 
1461     if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1462         int i;
1463         long extlen, idlen, itmp;
1464         OCSP_RESPID *id;
1465 
1466         idlen = 0;
1467         for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1468             id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1469             itmp = i2d_OCSP_RESPID(id, NULL);
1470             if (itmp <= 0)
1471                 return NULL;
1472             idlen += itmp + 2;
1473         }
1474 
1475         if (s->tlsext_ocsp_exts) {
1476             extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1477             if (extlen < 0)
1478                 return NULL;
1479         } else
1480             extlen = 0;
1481 
1482         if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1483             return NULL;
1484         s2n(TLSEXT_TYPE_status_request, ret);
1485         if (extlen + idlen > 0xFFF0)
1486             return NULL;
1487         s2n(extlen + idlen + 5, ret);
1488         *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1489         s2n(idlen, ret);
1490         for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1491             /* save position of id len */
1492             unsigned char *q = ret;
1493             id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1494             /* skip over id len */
1495             ret += 2;
1496             itmp = i2d_OCSP_RESPID(id, &ret);
1497             /* write id len */
1498             s2n(itmp, q);
1499         }
1500         s2n(extlen, ret);
1501         if (extlen > 0)
1502             i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1503     }
1504 # ifndef OPENSSL_NO_HEARTBEATS
1505     /* Add Heartbeat extension */
1506     if ((limit - ret - 4 - 1) < 0)
1507         return NULL;
1508     s2n(TLSEXT_TYPE_heartbeat, ret);
1509     s2n(1, ret);
1510     /*-
1511      * Set mode:
1512      * 1: peer may send requests
1513      * 2: peer not allowed to send requests
1514      */
1515     if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1516         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1517     else
1518         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1519 # endif
1520 
1521 # ifndef OPENSSL_NO_NEXTPROTONEG
1522     if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1523         /*
1524          * The client advertises an emtpy extension to indicate its support
1525          * for Next Protocol Negotiation
1526          */
1527         if (limit - ret - 4 < 0)
1528             return NULL;
1529         s2n(TLSEXT_TYPE_next_proto_neg, ret);
1530         s2n(0, ret);
1531     }
1532 # endif
1533 
1534     if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1535         if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1536             return NULL;
1537         s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1538         s2n(2 + s->alpn_client_proto_list_len, ret);
1539         s2n(s->alpn_client_proto_list_len, ret);
1540         memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1541         ret += s->alpn_client_proto_list_len;
1542     }
1543 # ifndef OPENSSL_NO_SRTP
1544     if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1545         int el;
1546 
1547         ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1548 
1549         if ((limit - ret - 4 - el) < 0)
1550             return NULL;
1551 
1552         s2n(TLSEXT_TYPE_use_srtp, ret);
1553         s2n(el, ret);
1554 
1555         if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1556             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1557             return NULL;
1558         }
1559         ret += el;
1560     }
1561 # endif
1562     custom_ext_init(&s->cert->cli_ext);
1563     /* Add custom TLS Extensions to ClientHello */
1564     if (!custom_ext_add(s, 0, &ret, limit, al))
1565         return NULL;
1566 
1567     /*
1568      * Add padding to workaround bugs in F5 terminators. See
1569      * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1570      * code works out the length of all existing extensions it MUST always
1571      * appear last.
1572      */
1573     if (s->options & SSL_OP_TLSEXT_PADDING) {
1574         int hlen = ret - (unsigned char *)s->init_buf->data;
1575         /*
1576          * The code in s23_clnt.c to build ClientHello messages includes the
1577          * 5-byte record header in the buffer, while the code in s3_clnt.c
1578          * does not.
1579          */
1580         if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1581             hlen -= 5;
1582         if (hlen > 0xff && hlen < 0x200) {
1583             hlen = 0x200 - hlen;
1584             if (hlen >= 4)
1585                 hlen -= 4;
1586             else
1587                 hlen = 0;
1588 
1589             s2n(TLSEXT_TYPE_padding, ret);
1590             s2n(hlen, ret);
1591             memset(ret, 0, hlen);
1592             ret += hlen;
1593         }
1594     }
1595 
1596     if ((extdatalen = ret - orig - 2) == 0)
1597         return orig;
1598 
1599     s2n(extdatalen, orig);
1600     return ret;
1601 }
1602 
1603 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1604                                           unsigned char *limit, int *al)
1605 {
1606     int extdatalen = 0;
1607     unsigned char *orig = buf;
1608     unsigned char *ret = buf;
1609 # ifndef OPENSSL_NO_NEXTPROTONEG
1610     int next_proto_neg_seen;
1611 # endif
1612 # ifndef OPENSSL_NO_EC
1613     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1614     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1615     int using_ecc = (alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe))
1616         || (alg_a & SSL_aECDSA);
1617     using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1618 # endif
1619     /*
1620      * don't add extensions for SSLv3, unless doing secure renegotiation
1621      */
1622     if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1623         return orig;
1624 
1625     ret += 2;
1626     if (ret >= limit)
1627         return NULL;            /* this really never occurs, but ... */
1628 
1629     if (!s->hit && s->servername_done == 1
1630         && s->session->tlsext_hostname != NULL) {
1631         if ((long)(limit - ret - 4) < 0)
1632             return NULL;
1633 
1634         s2n(TLSEXT_TYPE_server_name, ret);
1635         s2n(0, ret);
1636     }
1637 
1638     if (s->s3->send_connection_binding) {
1639         int el;
1640 
1641         if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1642             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1643             return NULL;
1644         }
1645 
1646         if ((limit - ret - 4 - el) < 0)
1647             return NULL;
1648 
1649         s2n(TLSEXT_TYPE_renegotiate, ret);
1650         s2n(el, ret);
1651 
1652         if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1653             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1654             return NULL;
1655         }
1656 
1657         ret += el;
1658     }
1659 # ifndef OPENSSL_NO_EC
1660     if (using_ecc) {
1661         const unsigned char *plist;
1662         size_t plistlen;
1663         /*
1664          * Add TLS extension ECPointFormats to the ServerHello message
1665          */
1666         long lenmax;
1667 
1668         tls1_get_formatlist(s, &plist, &plistlen);
1669 
1670         if ((lenmax = limit - ret - 5) < 0)
1671             return NULL;
1672         if (plistlen > (size_t)lenmax)
1673             return NULL;
1674         if (plistlen > 255) {
1675             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1676             return NULL;
1677         }
1678 
1679         s2n(TLSEXT_TYPE_ec_point_formats, ret);
1680         s2n(plistlen + 1, ret);
1681         *(ret++) = (unsigned char)plistlen;
1682         memcpy(ret, plist, plistlen);
1683         ret += plistlen;
1684 
1685     }
1686     /*
1687      * Currently the server should not respond with a SupportedCurves
1688      * extension
1689      */
1690 # endif                         /* OPENSSL_NO_EC */
1691 
1692     if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1693         if ((long)(limit - ret - 4) < 0)
1694             return NULL;
1695         s2n(TLSEXT_TYPE_session_ticket, ret);
1696         s2n(0, ret);
1697     }
1698 
1699     if (s->tlsext_status_expected) {
1700         if ((long)(limit - ret - 4) < 0)
1701             return NULL;
1702         s2n(TLSEXT_TYPE_status_request, ret);
1703         s2n(0, ret);
1704     }
1705 # ifdef TLSEXT_TYPE_opaque_prf_input
1706     if (s->s3->server_opaque_prf_input != NULL) {
1707         size_t sol = s->s3->server_opaque_prf_input_len;
1708 
1709         if ((long)(limit - ret - 6 - sol) < 0)
1710             return NULL;
1711         if (sol > 0xFFFD)       /* can't happen */
1712             return NULL;
1713 
1714         s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1715         s2n(sol + 2, ret);
1716         s2n(sol, ret);
1717         memcpy(ret, s->s3->server_opaque_prf_input, sol);
1718         ret += sol;
1719     }
1720 # endif
1721 
1722 # ifndef OPENSSL_NO_SRTP
1723     if (SSL_IS_DTLS(s) && s->srtp_profile) {
1724         int el;
1725 
1726         ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1727 
1728         if ((limit - ret - 4 - el) < 0)
1729             return NULL;
1730 
1731         s2n(TLSEXT_TYPE_use_srtp, ret);
1732         s2n(el, ret);
1733 
1734         if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1735             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1736             return NULL;
1737         }
1738         ret += el;
1739     }
1740 # endif
1741 
1742     if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1743          || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1744         && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1745         const unsigned char cryptopro_ext[36] = {
1746             0xfd, 0xe8,         /* 65000 */
1747             0x00, 0x20,         /* 32 bytes length */
1748             0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1749             0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1750             0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1751             0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1752         };
1753         if (limit - ret < 36)
1754             return NULL;
1755         memcpy(ret, cryptopro_ext, 36);
1756         ret += 36;
1757 
1758     }
1759 # ifndef OPENSSL_NO_HEARTBEATS
1760     /* Add Heartbeat extension if we've received one */
1761     if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1762         if ((limit - ret - 4 - 1) < 0)
1763             return NULL;
1764         s2n(TLSEXT_TYPE_heartbeat, ret);
1765         s2n(1, ret);
1766         /*-
1767          * Set mode:
1768          * 1: peer may send requests
1769          * 2: peer not allowed to send requests
1770          */
1771         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1772             *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1773         else
1774             *(ret++) = SSL_TLSEXT_HB_ENABLED;
1775 
1776     }
1777 # endif
1778 
1779 # ifndef OPENSSL_NO_NEXTPROTONEG
1780     next_proto_neg_seen = s->s3->next_proto_neg_seen;
1781     s->s3->next_proto_neg_seen = 0;
1782     if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1783         const unsigned char *npa;
1784         unsigned int npalen;
1785         int r;
1786 
1787         r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1788                                               s->
1789                                               ctx->next_protos_advertised_cb_arg);
1790         if (r == SSL_TLSEXT_ERR_OK) {
1791             if ((long)(limit - ret - 4 - npalen) < 0)
1792                 return NULL;
1793             s2n(TLSEXT_TYPE_next_proto_neg, ret);
1794             s2n(npalen, ret);
1795             memcpy(ret, npa, npalen);
1796             ret += npalen;
1797             s->s3->next_proto_neg_seen = 1;
1798         }
1799     }
1800 # endif
1801     if (!custom_ext_add(s, 1, &ret, limit, al))
1802         return NULL;
1803 
1804     if (s->s3->alpn_selected) {
1805         const unsigned char *selected = s->s3->alpn_selected;
1806         unsigned len = s->s3->alpn_selected_len;
1807 
1808         if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1809             return NULL;
1810         s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1811         s2n(3 + len, ret);
1812         s2n(1 + len, ret);
1813         *ret++ = len;
1814         memcpy(ret, selected, len);
1815         ret += len;
1816     }
1817 
1818     if ((extdatalen = ret - orig - 2) == 0)
1819         return orig;
1820 
1821     s2n(extdatalen, orig);
1822     return ret;
1823 }
1824 
1825 # ifndef OPENSSL_NO_EC
1826 /*-
1827  * ssl_check_for_safari attempts to fingerprint Safari using OS X
1828  * SecureTransport using the TLS extension block in |d|, of length |n|.
1829  * Safari, since 10.6, sends exactly these extensions, in this order:
1830  *   SNI,
1831  *   elliptic_curves
1832  *   ec_point_formats
1833  *
1834  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1835  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1836  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1837  * 10.8..10.8.3 (which don't work).
1838  */
1839 static void ssl_check_for_safari(SSL *s, const unsigned char *data,
1840                                  const unsigned char *limit)
1841 {
1842     unsigned short type, size;
1843     static const unsigned char kSafariExtensionsBlock[] = {
1844         0x00, 0x0a,             /* elliptic_curves extension */
1845         0x00, 0x08,             /* 8 bytes */
1846         0x00, 0x06,             /* 6 bytes of curve ids */
1847         0x00, 0x17,             /* P-256 */
1848         0x00, 0x18,             /* P-384 */
1849         0x00, 0x19,             /* P-521 */
1850 
1851         0x00, 0x0b,             /* ec_point_formats */
1852         0x00, 0x02,             /* 2 bytes */
1853         0x01,                   /* 1 point format */
1854         0x00,                   /* uncompressed */
1855     };
1856 
1857     /* The following is only present in TLS 1.2 */
1858     static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1859         0x00, 0x0d,             /* signature_algorithms */
1860         0x00, 0x0c,             /* 12 bytes */
1861         0x00, 0x0a,             /* 10 bytes */
1862         0x05, 0x01,             /* SHA-384/RSA */
1863         0x04, 0x01,             /* SHA-256/RSA */
1864         0x02, 0x01,             /* SHA-1/RSA */
1865         0x04, 0x03,             /* SHA-256/ECDSA */
1866         0x02, 0x03,             /* SHA-1/ECDSA */
1867     };
1868 
1869     if (data >= (limit - 2))
1870         return;
1871     data += 2;
1872 
1873     if (data > (limit - 4))
1874         return;
1875     n2s(data, type);
1876     n2s(data, size);
1877 
1878     if (type != TLSEXT_TYPE_server_name)
1879         return;
1880 
1881     if (data + size > limit)
1882         return;
1883     data += size;
1884 
1885     if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1886         const size_t len1 = sizeof(kSafariExtensionsBlock);
1887         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1888 
1889         if (data + len1 + len2 != limit)
1890             return;
1891         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1892             return;
1893         if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1894             return;
1895     } else {
1896         const size_t len = sizeof(kSafariExtensionsBlock);
1897 
1898         if (data + len != limit)
1899             return;
1900         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1901             return;
1902     }
1903 
1904     s->s3->is_probably_safari = 1;
1905 }
1906 # endif                         /* !OPENSSL_NO_EC */
1907 
1908 /*
1909  * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1910  * ClientHello.  data: the contents of the extension, not including the type
1911  * and length.  data_len: the number of bytes in |data| al: a pointer to the
1912  * alert value to send in the event of a non-zero return.  returns: 0 on
1913  * success.
1914  */
1915 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1916                                          unsigned data_len, int *al)
1917 {
1918     unsigned i;
1919     unsigned proto_len;
1920     const unsigned char *selected;
1921     unsigned char selected_len;
1922     int r;
1923 
1924     if (s->ctx->alpn_select_cb == NULL)
1925         return 0;
1926 
1927     if (data_len < 2)
1928         goto parse_error;
1929 
1930     /*
1931      * data should contain a uint16 length followed by a series of 8-bit,
1932      * length-prefixed strings.
1933      */
1934     i = ((unsigned)data[0]) << 8 | ((unsigned)data[1]);
1935     data_len -= 2;
1936     data += 2;
1937     if (data_len != i)
1938         goto parse_error;
1939 
1940     if (data_len < 2)
1941         goto parse_error;
1942 
1943     for (i = 0; i < data_len;) {
1944         proto_len = data[i];
1945         i++;
1946 
1947         if (proto_len == 0)
1948             goto parse_error;
1949 
1950         if (i + proto_len < i || i + proto_len > data_len)
1951             goto parse_error;
1952 
1953         i += proto_len;
1954     }
1955 
1956     r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1957                                s->ctx->alpn_select_cb_arg);
1958     if (r == SSL_TLSEXT_ERR_OK) {
1959         if (s->s3->alpn_selected)
1960             OPENSSL_free(s->s3->alpn_selected);
1961         s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1962         if (!s->s3->alpn_selected) {
1963             *al = SSL_AD_INTERNAL_ERROR;
1964             return -1;
1965         }
1966         memcpy(s->s3->alpn_selected, selected, selected_len);
1967         s->s3->alpn_selected_len = selected_len;
1968     }
1969     return 0;
1970 
1971  parse_error:
1972     *al = SSL_AD_DECODE_ERROR;
1973     return -1;
1974 }
1975 
1976 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
1977                                        unsigned char *limit, int *al)
1978 {
1979     unsigned short type;
1980     unsigned short size;
1981     unsigned short len;
1982     unsigned char *data = *p;
1983     int renegotiate_seen = 0;
1984 
1985     s->servername_done = 0;
1986     s->tlsext_status_type = -1;
1987 # ifndef OPENSSL_NO_NEXTPROTONEG
1988     s->s3->next_proto_neg_seen = 0;
1989 # endif
1990 
1991     if (s->s3->alpn_selected) {
1992         OPENSSL_free(s->s3->alpn_selected);
1993         s->s3->alpn_selected = NULL;
1994     }
1995 # ifndef OPENSSL_NO_HEARTBEATS
1996     s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1997                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1998 # endif
1999 
2000 # ifndef OPENSSL_NO_EC
2001     if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
2002         ssl_check_for_safari(s, data, limit);
2003 # endif                         /* !OPENSSL_NO_EC */
2004 
2005     /* Clear any signature algorithms extension received */
2006     if (s->cert->peer_sigalgs) {
2007         OPENSSL_free(s->cert->peer_sigalgs);
2008         s->cert->peer_sigalgs = NULL;
2009     }
2010 # ifndef OPENSSL_NO_SRP
2011     if (s->srp_ctx.login != NULL) {
2012         OPENSSL_free(s->srp_ctx.login);
2013         s->srp_ctx.login = NULL;
2014     }
2015 # endif
2016 
2017     s->srtp_profile = NULL;
2018 
2019     if (data == limit)
2020         goto ri_check;
2021 
2022     if (data > (limit - 2))
2023         goto err;
2024 
2025     n2s(data, len);
2026 
2027     if (data + len != limit)
2028         goto err;
2029 
2030     while (data <= (limit - 4)) {
2031         n2s(data, type);
2032         n2s(data, size);
2033 
2034         if (data + size > (limit))
2035             goto err;
2036 # if 0
2037         fprintf(stderr, "Received extension type %d size %d\n", type, size);
2038 # endif
2039         if (s->tlsext_debug_cb)
2040             s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
2041 /*-
2042  * The servername extension is treated as follows:
2043  *
2044  * - Only the hostname type is supported with a maximum length of 255.
2045  * - The servername is rejected if too long or if it contains zeros,
2046  *   in which case an fatal alert is generated.
2047  * - The servername field is maintained together with the session cache.
2048  * - When a session is resumed, the servername call back invoked in order
2049  *   to allow the application to position itself to the right context.
2050  * - The servername is acknowledged if it is new for a session or when
2051  *   it is identical to a previously used for the same session.
2052  *   Applications can control the behaviour.  They can at any time
2053  *   set a 'desirable' servername for a new SSL object. This can be the
2054  *   case for example with HTTPS when a Host: header field is received and
2055  *   a renegotiation is requested. In this case, a possible servername
2056  *   presented in the new client hello is only acknowledged if it matches
2057  *   the value of the Host: field.
2058  * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2059  *   if they provide for changing an explicit servername context for the
2060  *   session, i.e. when the session has been established with a servername
2061  *   extension.
2062  * - On session reconnect, the servername extension may be absent.
2063  *
2064  */
2065 
2066         if (type == TLSEXT_TYPE_server_name) {
2067             unsigned char *sdata;
2068             int servname_type;
2069             int dsize;
2070 
2071             if (size < 2)
2072                 goto err;
2073             n2s(data, dsize);
2074             size -= 2;
2075             if (dsize > size)
2076                 goto err;
2077 
2078             sdata = data;
2079             while (dsize > 3) {
2080                 servname_type = *(sdata++);
2081                 n2s(sdata, len);
2082                 dsize -= 3;
2083 
2084                 if (len > dsize)
2085                     goto err;
2086 
2087                 if (s->servername_done == 0)
2088                     switch (servname_type) {
2089                     case TLSEXT_NAMETYPE_host_name:
2090                         if (!s->hit) {
2091                             if (s->session->tlsext_hostname)
2092                                 goto err;
2093 
2094                             if (len > TLSEXT_MAXLEN_host_name) {
2095                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2096                                 return 0;
2097                             }
2098                             if ((s->session->tlsext_hostname =
2099                                  OPENSSL_malloc(len + 1)) == NULL) {
2100                                 *al = TLS1_AD_INTERNAL_ERROR;
2101                                 return 0;
2102                             }
2103                             memcpy(s->session->tlsext_hostname, sdata, len);
2104                             s->session->tlsext_hostname[len] = '\0';
2105                             if (strlen(s->session->tlsext_hostname) != len) {
2106                                 OPENSSL_free(s->session->tlsext_hostname);
2107                                 s->session->tlsext_hostname = NULL;
2108                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2109                                 return 0;
2110                             }
2111                             s->servername_done = 1;
2112 
2113                         } else
2114                             s->servername_done = s->session->tlsext_hostname
2115                                 && strlen(s->session->tlsext_hostname) == len
2116                                 && strncmp(s->session->tlsext_hostname,
2117                                            (char *)sdata, len) == 0;
2118 
2119                         break;
2120 
2121                     default:
2122                         break;
2123                     }
2124 
2125                 dsize -= len;
2126             }
2127             if (dsize != 0)
2128                 goto err;
2129 
2130         }
2131 # ifndef OPENSSL_NO_SRP
2132         else if (type == TLSEXT_TYPE_srp) {
2133             if (size == 0 || ((len = data[0])) != (size - 1))
2134                 goto err;
2135             if (s->srp_ctx.login != NULL)
2136                 goto err;
2137             if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2138                 return -1;
2139             memcpy(s->srp_ctx.login, &data[1], len);
2140             s->srp_ctx.login[len] = '\0';
2141 
2142             if (strlen(s->srp_ctx.login) != len)
2143                 goto err;
2144         }
2145 # endif
2146 
2147 # ifndef OPENSSL_NO_EC
2148         else if (type == TLSEXT_TYPE_ec_point_formats) {
2149             unsigned char *sdata = data;
2150             int ecpointformatlist_length = *(sdata++);
2151 
2152             if (ecpointformatlist_length != size - 1 ||
2153                 ecpointformatlist_length < 1)
2154                 goto err;
2155             if (!s->hit) {
2156                 if (s->session->tlsext_ecpointformatlist) {
2157                     OPENSSL_free(s->session->tlsext_ecpointformatlist);
2158                     s->session->tlsext_ecpointformatlist = NULL;
2159                 }
2160                 s->session->tlsext_ecpointformatlist_length = 0;
2161                 if ((s->session->tlsext_ecpointformatlist =
2162                      OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2163                     *al = TLS1_AD_INTERNAL_ERROR;
2164                     return 0;
2165                 }
2166                 s->session->tlsext_ecpointformatlist_length =
2167                     ecpointformatlist_length;
2168                 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2169                        ecpointformatlist_length);
2170             }
2171 #  if 0
2172             fprintf(stderr,
2173                     "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ",
2174                     s->session->tlsext_ecpointformatlist_length);
2175             sdata = s->session->tlsext_ecpointformatlist;
2176             for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2177                 fprintf(stderr, "%i ", *(sdata++));
2178             fprintf(stderr, "\n");
2179 #  endif
2180         } else if (type == TLSEXT_TYPE_elliptic_curves) {
2181             unsigned char *sdata = data;
2182             int ellipticcurvelist_length = (*(sdata++) << 8);
2183             ellipticcurvelist_length += (*(sdata++));
2184 
2185             if (ellipticcurvelist_length != size - 2 ||
2186                 ellipticcurvelist_length < 1 ||
2187                 /* Each NamedCurve is 2 bytes. */
2188                 ellipticcurvelist_length & 1)
2189                     goto err;
2190 
2191             if (!s->hit) {
2192                 if (s->session->tlsext_ellipticcurvelist)
2193                     goto err;
2194 
2195                 s->session->tlsext_ellipticcurvelist_length = 0;
2196                 if ((s->session->tlsext_ellipticcurvelist =
2197                      OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2198                     *al = TLS1_AD_INTERNAL_ERROR;
2199                     return 0;
2200                 }
2201                 s->session->tlsext_ellipticcurvelist_length =
2202                     ellipticcurvelist_length;
2203                 memcpy(s->session->tlsext_ellipticcurvelist, sdata,
2204                        ellipticcurvelist_length);
2205             }
2206 #  if 0
2207             fprintf(stderr,
2208                     "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ",
2209                     s->session->tlsext_ellipticcurvelist_length);
2210             sdata = s->session->tlsext_ellipticcurvelist;
2211             for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2212                 fprintf(stderr, "%i ", *(sdata++));
2213             fprintf(stderr, "\n");
2214 #  endif
2215         }
2216 # endif                         /* OPENSSL_NO_EC */
2217 # ifdef TLSEXT_TYPE_opaque_prf_input
2218         else if (type == TLSEXT_TYPE_opaque_prf_input) {
2219             unsigned char *sdata = data;
2220 
2221             if (size < 2) {
2222                 *al = SSL_AD_DECODE_ERROR;
2223                 return 0;
2224             }
2225             n2s(sdata, s->s3->client_opaque_prf_input_len);
2226             if (s->s3->client_opaque_prf_input_len != size - 2) {
2227                 *al = SSL_AD_DECODE_ERROR;
2228                 return 0;
2229             }
2230 
2231             if (s->s3->client_opaque_prf_input != NULL) {
2232                 /* shouldn't really happen */
2233                 OPENSSL_free(s->s3->client_opaque_prf_input);
2234             }
2235 
2236             /* dummy byte just to get non-NULL */
2237             if (s->s3->client_opaque_prf_input_len == 0)
2238                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
2239             else
2240                 s->s3->client_opaque_prf_input =
2241                     BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2242             if (s->s3->client_opaque_prf_input == NULL) {
2243                 *al = TLS1_AD_INTERNAL_ERROR;
2244                 return 0;
2245             }
2246         }
2247 # endif
2248         else if (type == TLSEXT_TYPE_session_ticket) {
2249             if (s->tls_session_ticket_ext_cb &&
2250                 !s->tls_session_ticket_ext_cb(s, data, size,
2251                                               s->tls_session_ticket_ext_cb_arg))
2252             {
2253                 *al = TLS1_AD_INTERNAL_ERROR;
2254                 return 0;
2255             }
2256         } else if (type == TLSEXT_TYPE_renegotiate) {
2257             if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2258                 return 0;
2259             renegotiate_seen = 1;
2260         } else if (type == TLSEXT_TYPE_signature_algorithms) {
2261             int dsize;
2262             if (s->cert->peer_sigalgs || size < 2)
2263                 goto err;
2264             n2s(data, dsize);
2265             size -= 2;
2266             if (dsize != size || dsize & 1 || !dsize)
2267                 goto err;
2268             if (!tls1_save_sigalgs(s, data, dsize))
2269                 goto err;
2270         } else if (type == TLSEXT_TYPE_status_request) {
2271 
2272             if (size < 5)
2273                 goto err;
2274 
2275             s->tlsext_status_type = *data++;
2276             size--;
2277             if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2278                 const unsigned char *sdata;
2279                 int dsize;
2280                 /* Read in responder_id_list */
2281                 n2s(data, dsize);
2282                 size -= 2;
2283                 if (dsize > size)
2284                     goto err;
2285                 while (dsize > 0) {
2286                     OCSP_RESPID *id;
2287                     int idsize;
2288                     if (dsize < 4)
2289                         goto err;
2290                     n2s(data, idsize);
2291                     dsize -= 2 + idsize;
2292                     size -= 2 + idsize;
2293                     if (dsize < 0)
2294                         goto err;
2295                     sdata = data;
2296                     data += idsize;
2297                     id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
2298                     if (!id)
2299                         goto err;
2300                     if (data != sdata) {
2301                         OCSP_RESPID_free(id);
2302                         goto err;
2303                     }
2304                     if (!s->tlsext_ocsp_ids
2305                         && !(s->tlsext_ocsp_ids =
2306                              sk_OCSP_RESPID_new_null())) {
2307                         OCSP_RESPID_free(id);
2308                         *al = SSL_AD_INTERNAL_ERROR;
2309                         return 0;
2310                     }
2311                     if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2312                         OCSP_RESPID_free(id);
2313                         *al = SSL_AD_INTERNAL_ERROR;
2314                         return 0;
2315                     }
2316                 }
2317 
2318                 /* Read in request_extensions */
2319                 if (size < 2)
2320                     goto err;
2321                 n2s(data, dsize);
2322                 size -= 2;
2323                 if (dsize != size)
2324                     goto err;
2325                 sdata = data;
2326                 if (dsize > 0) {
2327                     if (s->tlsext_ocsp_exts) {
2328                         sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2329                                                    X509_EXTENSION_free);
2330                     }
2331 
2332                     s->tlsext_ocsp_exts =
2333                         d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
2334                     if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
2335                         goto err;
2336                 }
2337             }
2338             /*
2339              * We don't know what to do with any other type * so ignore it.
2340              */
2341             else
2342                 s->tlsext_status_type = -1;
2343         }
2344 # ifndef OPENSSL_NO_HEARTBEATS
2345         else if (type == TLSEXT_TYPE_heartbeat) {
2346             switch (data[0]) {
2347             case 0x01:         /* Client allows us to send HB requests */
2348                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2349                 break;
2350             case 0x02:         /* Client doesn't accept HB requests */
2351                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2352                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2353                 break;
2354             default:
2355                 *al = SSL_AD_ILLEGAL_PARAMETER;
2356                 return 0;
2357             }
2358         }
2359 # endif
2360 # ifndef OPENSSL_NO_NEXTPROTONEG
2361         else if (type == TLSEXT_TYPE_next_proto_neg &&
2362                  s->s3->tmp.finish_md_len == 0 &&
2363                  s->s3->alpn_selected == NULL) {
2364             /*-
2365              * We shouldn't accept this extension on a
2366              * renegotiation.
2367              *
2368              * s->new_session will be set on renegotiation, but we
2369              * probably shouldn't rely that it couldn't be set on
2370              * the initial renegotation too in certain cases (when
2371              * there's some other reason to disallow resuming an
2372              * earlier session -- the current code won't be doing
2373              * anything like that, but this might change).
2374              *
2375              * A valid sign that there's been a previous handshake
2376              * in this connection is if s->s3->tmp.finish_md_len >
2377              * 0.  (We are talking about a check that will happen
2378              * in the Hello protocol round, well before a new
2379              * Finished message could have been computed.)
2380              */
2381             s->s3->next_proto_neg_seen = 1;
2382         }
2383 # endif
2384 
2385         else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2386                  s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
2387             if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2388                 return 0;
2389 # ifndef OPENSSL_NO_NEXTPROTONEG
2390             /* ALPN takes precedence over NPN. */
2391             s->s3->next_proto_neg_seen = 0;
2392 # endif
2393         }
2394 
2395         /* session ticket processed earlier */
2396 # ifndef OPENSSL_NO_SRTP
2397         else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2398                  && type == TLSEXT_TYPE_use_srtp) {
2399             if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
2400                 return 0;
2401         }
2402 # endif
2403 
2404         data += size;
2405     }
2406 
2407     /* Spurious data on the end */
2408     if (data != limit)
2409         goto err;
2410 
2411     *p = data;
2412 
2413  ri_check:
2414 
2415     /* Need RI if renegotiating */
2416 
2417     if (!renegotiate_seen && s->renegotiate &&
2418         !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2419         *al = SSL_AD_HANDSHAKE_FAILURE;
2420         SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2421                SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2422         return 0;
2423     }
2424 
2425     return 1;
2426 err:
2427     *al = SSL_AD_DECODE_ERROR;
2428     return 0;
2429 }
2430 
2431 /*
2432  * Parse any custom extensions found.  "data" is the start of the extension data
2433  * and "limit" is the end of the record. TODO: add strict syntax checking.
2434  */
2435 
2436 static int ssl_scan_clienthello_custom_tlsext(SSL *s,
2437                                               const unsigned char *data,
2438                                               const unsigned char *limit,
2439                                               int *al)
2440 {
2441     unsigned short type, size, len;
2442     /* If resumed session or no custom extensions nothing to do */
2443     if (s->hit || s->cert->srv_ext.meths_count == 0)
2444         return 1;
2445 
2446     if (data >= limit - 2)
2447         return 1;
2448     n2s(data, len);
2449 
2450     if (data > limit - len)
2451         return 1;
2452 
2453     while (data <= limit - 4) {
2454         n2s(data, type);
2455         n2s(data, size);
2456 
2457         if (data + size > limit)
2458             return 1;
2459         if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
2460             return 0;
2461 
2462         data += size;
2463     }
2464 
2465     return 1;
2466 }
2467 
2468 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
2469                                  unsigned char *limit)
2470 {
2471     int al = -1;
2472     unsigned char *ptmp = *p;
2473     /*
2474      * Internally supported extensions are parsed first so SNI can be handled
2475      * before custom extensions. An application processing SNI will typically
2476      * switch the parent context using SSL_set_SSL_CTX and custom extensions
2477      * need to be handled by the new SSL_CTX structure.
2478      */
2479     if (ssl_scan_clienthello_tlsext(s, p, limit, &al) <= 0) {
2480         ssl3_send_alert(s, SSL3_AL_FATAL, al);
2481         return 0;
2482     }
2483 
2484     if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2485         SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2486         return 0;
2487     }
2488 
2489     custom_ext_init(&s->cert->srv_ext);
2490     if (ssl_scan_clienthello_custom_tlsext(s, ptmp, limit, &al) <= 0) {
2491         ssl3_send_alert(s, SSL3_AL_FATAL, al);
2492         return 0;
2493     }
2494 
2495     return 1;
2496 }
2497 
2498 # ifndef OPENSSL_NO_NEXTPROTONEG
2499 /*
2500  * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2501  * elements of zero length are allowed and the set of elements must exactly
2502  * fill the length of the block.
2503  */
2504 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2505 {
2506     unsigned int off = 0;
2507 
2508     while (off < len) {
2509         if (d[off] == 0)
2510             return 0;
2511         off += d[off];
2512         off++;
2513     }
2514 
2515     return off == len;
2516 }
2517 # endif
2518 
2519 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
2520                                        unsigned char *d, int n, int *al)
2521 {
2522     unsigned short length;
2523     unsigned short type;
2524     unsigned short size;
2525     unsigned char *data = *p;
2526     int tlsext_servername = 0;
2527     int renegotiate_seen = 0;
2528 
2529 # ifndef OPENSSL_NO_NEXTPROTONEG
2530     s->s3->next_proto_neg_seen = 0;
2531 # endif
2532     s->tlsext_ticket_expected = 0;
2533 
2534     if (s->s3->alpn_selected) {
2535         OPENSSL_free(s->s3->alpn_selected);
2536         s->s3->alpn_selected = NULL;
2537     }
2538 # ifndef OPENSSL_NO_HEARTBEATS
2539     s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2540                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2541 # endif
2542 
2543     if (data >= (d + n - 2))
2544         goto ri_check;
2545 
2546     n2s(data, length);
2547     if (data + length != d + n) {
2548         *al = SSL_AD_DECODE_ERROR;
2549         return 0;
2550     }
2551 
2552     while (data <= (d + n - 4)) {
2553         n2s(data, type);
2554         n2s(data, size);
2555 
2556         if (data + size > (d + n))
2557             goto ri_check;
2558 
2559         if (s->tlsext_debug_cb)
2560             s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2561 
2562         if (type == TLSEXT_TYPE_server_name) {
2563             if (s->tlsext_hostname == NULL || size > 0) {
2564                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2565                 return 0;
2566             }
2567             tlsext_servername = 1;
2568         }
2569 # ifndef OPENSSL_NO_EC
2570         else if (type == TLSEXT_TYPE_ec_point_formats) {
2571             unsigned char *sdata = data;
2572             int ecpointformatlist_length = *(sdata++);
2573 
2574             if (ecpointformatlist_length != size - 1) {
2575                 *al = TLS1_AD_DECODE_ERROR;
2576                 return 0;
2577             }
2578             if (!s->hit) {
2579                 s->session->tlsext_ecpointformatlist_length = 0;
2580                 if (s->session->tlsext_ecpointformatlist != NULL)
2581                     OPENSSL_free(s->session->tlsext_ecpointformatlist);
2582                 if ((s->session->tlsext_ecpointformatlist =
2583                      OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2584                     *al = TLS1_AD_INTERNAL_ERROR;
2585                     return 0;
2586                 }
2587                 s->session->tlsext_ecpointformatlist_length =
2588                     ecpointformatlist_length;
2589                 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2590                        ecpointformatlist_length);
2591             }
2592 #  if 0
2593             fprintf(stderr,
2594                     "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2595             sdata = s->session->tlsext_ecpointformatlist;
2596             for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2597                 fprintf(stderr, "%i ", *(sdata++));
2598             fprintf(stderr, "\n");
2599 #  endif
2600         }
2601 # endif                         /* OPENSSL_NO_EC */
2602 
2603         else if (type == TLSEXT_TYPE_session_ticket) {
2604             if (s->tls_session_ticket_ext_cb &&
2605                 !s->tls_session_ticket_ext_cb(s, data, size,
2606                                               s->tls_session_ticket_ext_cb_arg))
2607             {
2608                 *al = TLS1_AD_INTERNAL_ERROR;
2609                 return 0;
2610             }
2611             if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2612                 || (size > 0)) {
2613                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2614                 return 0;
2615             }
2616             s->tlsext_ticket_expected = 1;
2617         }
2618 # ifdef TLSEXT_TYPE_opaque_prf_input
2619         else if (type == TLSEXT_TYPE_opaque_prf_input) {
2620             unsigned char *sdata = data;
2621 
2622             if (size < 2) {
2623                 *al = SSL_AD_DECODE_ERROR;
2624                 return 0;
2625             }
2626             n2s(sdata, s->s3->server_opaque_prf_input_len);
2627             if (s->s3->server_opaque_prf_input_len != size - 2) {
2628                 *al = SSL_AD_DECODE_ERROR;
2629                 return 0;
2630             }
2631 
2632             if (s->s3->server_opaque_prf_input != NULL) {
2633                 /* shouldn't really happen */
2634                 OPENSSL_free(s->s3->server_opaque_prf_input);
2635             }
2636             if (s->s3->server_opaque_prf_input_len == 0) {
2637                 /* dummy byte just to get non-NULL */
2638                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
2639             } else {
2640                 s->s3->server_opaque_prf_input =
2641                     BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2642             }
2643 
2644             if (s->s3->server_opaque_prf_input == NULL) {
2645                 *al = TLS1_AD_INTERNAL_ERROR;
2646                 return 0;
2647             }
2648         }
2649 # endif
2650         else if (type == TLSEXT_TYPE_status_request) {
2651             /*
2652              * MUST be empty and only sent if we've requested a status
2653              * request message.
2654              */
2655             if ((s->tlsext_status_type == -1) || (size > 0)) {
2656                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2657                 return 0;
2658             }
2659             /* Set flag to expect CertificateStatus message */
2660             s->tlsext_status_expected = 1;
2661         }
2662 # ifndef OPENSSL_NO_NEXTPROTONEG
2663         else if (type == TLSEXT_TYPE_next_proto_neg &&
2664                  s->s3->tmp.finish_md_len == 0) {
2665             unsigned char *selected;
2666             unsigned char selected_len;
2667 
2668             /* We must have requested it. */
2669             if (s->ctx->next_proto_select_cb == NULL) {
2670                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2671                 return 0;
2672             }
2673             /* The data must be valid */
2674             if (!ssl_next_proto_validate(data, size)) {
2675                 *al = TLS1_AD_DECODE_ERROR;
2676                 return 0;
2677             }
2678             if (s->
2679                 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2680                                           size,
2681                                           s->ctx->next_proto_select_cb_arg) !=
2682                 SSL_TLSEXT_ERR_OK) {
2683                 *al = TLS1_AD_INTERNAL_ERROR;
2684                 return 0;
2685             }
2686             s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2687             if (!s->next_proto_negotiated) {
2688                 *al = TLS1_AD_INTERNAL_ERROR;
2689                 return 0;
2690             }
2691             memcpy(s->next_proto_negotiated, selected, selected_len);
2692             s->next_proto_negotiated_len = selected_len;
2693             s->s3->next_proto_neg_seen = 1;
2694         }
2695 # endif
2696 
2697         else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2698             unsigned len;
2699 
2700             /* We must have requested it. */
2701             if (s->alpn_client_proto_list == NULL) {
2702                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2703                 return 0;
2704             }
2705             if (size < 4) {
2706                 *al = TLS1_AD_DECODE_ERROR;
2707                 return 0;
2708             }
2709             /*-
2710              * The extension data consists of:
2711              *   uint16 list_length
2712              *   uint8 proto_length;
2713              *   uint8 proto[proto_length];
2714              */
2715             len = data[0];
2716             len <<= 8;
2717             len |= data[1];
2718             if (len != (unsigned)size - 2) {
2719                 *al = TLS1_AD_DECODE_ERROR;
2720                 return 0;
2721             }
2722             len = data[2];
2723             if (len != (unsigned)size - 3) {
2724                 *al = TLS1_AD_DECODE_ERROR;
2725                 return 0;
2726             }
2727             if (s->s3->alpn_selected)
2728                 OPENSSL_free(s->s3->alpn_selected);
2729             s->s3->alpn_selected = OPENSSL_malloc(len);
2730             if (!s->s3->alpn_selected) {
2731                 *al = TLS1_AD_INTERNAL_ERROR;
2732                 return 0;
2733             }
2734             memcpy(s->s3->alpn_selected, data + 3, len);
2735             s->s3->alpn_selected_len = len;
2736         }
2737 
2738         else if (type == TLSEXT_TYPE_renegotiate) {
2739             if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2740                 return 0;
2741             renegotiate_seen = 1;
2742         }
2743 # ifndef OPENSSL_NO_HEARTBEATS
2744         else if (type == TLSEXT_TYPE_heartbeat) {
2745             switch (data[0]) {
2746             case 0x01:         /* Server allows us to send HB requests */
2747                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2748                 break;
2749             case 0x02:         /* Server doesn't accept HB requests */
2750                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2751                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2752                 break;
2753             default:
2754                 *al = SSL_AD_ILLEGAL_PARAMETER;
2755                 return 0;
2756             }
2757         }
2758 # endif
2759 # ifndef OPENSSL_NO_SRTP
2760         else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2761             if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
2762                 return 0;
2763         }
2764 # endif
2765         /*
2766          * If this extension type was not otherwise handled, but matches a
2767          * custom_cli_ext_record, then send it to the c callback
2768          */
2769         else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2770             return 0;
2771 
2772         data += size;
2773     }
2774 
2775     if (data != d + n) {
2776         *al = SSL_AD_DECODE_ERROR;
2777         return 0;
2778     }
2779 
2780     if (!s->hit && tlsext_servername == 1) {
2781         if (s->tlsext_hostname) {
2782             if (s->session->tlsext_hostname == NULL) {
2783                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2784                 if (!s->session->tlsext_hostname) {
2785                     *al = SSL_AD_UNRECOGNIZED_NAME;
2786                     return 0;
2787                 }
2788             } else {
2789                 *al = SSL_AD_DECODE_ERROR;
2790                 return 0;
2791             }
2792         }
2793     }
2794 
2795     *p = data;
2796 
2797  ri_check:
2798 
2799     /*
2800      * Determine if we need to see RI. Strictly speaking if we want to avoid
2801      * an attack we should *always* see RI even on initial server hello
2802      * because the client doesn't see any renegotiation during an attack.
2803      * However this would mean we could not connect to any server which
2804      * doesn't support RI so for the immediate future tolerate RI absence on
2805      * initial connect only.
2806      */
2807     if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2808         && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2809         *al = SSL_AD_HANDSHAKE_FAILURE;
2810         SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2811                SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2812         return 0;
2813     }
2814 
2815     return 1;
2816 }
2817 
2818 int ssl_prepare_clienthello_tlsext(SSL *s)
2819 {
2820 
2821 # ifdef TLSEXT_TYPE_opaque_prf_input
2822     {
2823         int r = 1;
2824 
2825         if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
2826             r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
2827                                                          s->
2828                                                          ctx->tlsext_opaque_prf_input_callback_arg);
2829             if (!r)
2830                 return -1;
2831         }
2832 
2833         if (s->tlsext_opaque_prf_input != NULL) {
2834             if (s->s3->client_opaque_prf_input != NULL) {
2835                 /* shouldn't really happen */
2836                 OPENSSL_free(s->s3->client_opaque_prf_input);
2837             }
2838 
2839             if (s->tlsext_opaque_prf_input_len == 0) {
2840                 /* dummy byte just to get non-NULL */
2841                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
2842             } else {
2843                 s->s3->client_opaque_prf_input =
2844                     BUF_memdup(s->tlsext_opaque_prf_input,
2845                                s->tlsext_opaque_prf_input_len);
2846             }
2847             if (s->s3->client_opaque_prf_input == NULL) {
2848                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,
2849                        ERR_R_MALLOC_FAILURE);
2850                 return -1;
2851             }
2852             s->s3->client_opaque_prf_input_len =
2853                 s->tlsext_opaque_prf_input_len;
2854         }
2855 
2856         if (r == 2)
2857             /*
2858              * at callback's request, insist on receiving an appropriate
2859              * server opaque PRF input
2860              */
2861             s->s3->server_opaque_prf_input_len =
2862                 s->tlsext_opaque_prf_input_len;
2863     }
2864 # endif
2865 
2866     return 1;
2867 }
2868 
2869 int ssl_prepare_serverhello_tlsext(SSL *s)
2870 {
2871     return 1;
2872 }
2873 
2874 static int ssl_check_clienthello_tlsext_early(SSL *s)
2875 {
2876     int ret = SSL_TLSEXT_ERR_NOACK;
2877     int al = SSL_AD_UNRECOGNIZED_NAME;
2878 
2879 # ifndef OPENSSL_NO_EC
2880     /*
2881      * The handling of the ECPointFormats extension is done elsewhere, namely
2882      * in ssl3_choose_cipher in s3_lib.c.
2883      */
2884     /*
2885      * The handling of the EllipticCurves extension is done elsewhere, namely
2886      * in ssl3_choose_cipher in s3_lib.c.
2887      */
2888 # endif
2889 
2890     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2891         ret =
2892             s->ctx->tlsext_servername_callback(s, &al,
2893                                                s->ctx->tlsext_servername_arg);
2894     else if (s->initial_ctx != NULL
2895              && s->initial_ctx->tlsext_servername_callback != 0)
2896         ret =
2897             s->initial_ctx->tlsext_servername_callback(s, &al,
2898                                                        s->
2899                                                        initial_ctx->tlsext_servername_arg);
2900 
2901 # ifdef TLSEXT_TYPE_opaque_prf_input
2902     {
2903         /*
2904          * This sort of belongs into ssl_prepare_serverhello_tlsext(), but we
2905          * might be sending an alert in response to the client hello, so this
2906          * has to happen here in ssl_check_clienthello_tlsext_early().
2907          */
2908 
2909         int r = 1;
2910 
2911         if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
2912             r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
2913                                                          s->
2914                                                          ctx->tlsext_opaque_prf_input_callback_arg);
2915             if (!r) {
2916                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2917                 al = SSL_AD_INTERNAL_ERROR;
2918                 goto err;
2919             }
2920         }
2921 
2922         if (s->s3->server_opaque_prf_input != NULL) {
2923             /* shouldn't really happen */
2924             OPENSSL_free(s->s3->server_opaque_prf_input);
2925         }
2926         s->s3->server_opaque_prf_input = NULL;
2927 
2928         if (s->tlsext_opaque_prf_input != NULL) {
2929             if (s->s3->client_opaque_prf_input != NULL &&
2930                 s->s3->client_opaque_prf_input_len ==
2931                 s->tlsext_opaque_prf_input_len) {
2932                 /*
2933                  * can only use this extension if we have a server opaque PRF
2934                  * input of the same length as the client opaque PRF input!
2935                  */
2936 
2937                 if (s->tlsext_opaque_prf_input_len == 0) {
2938                     /* dummy byte just to get non-NULL */
2939                     s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
2940                 } else {
2941                     s->s3->server_opaque_prf_input =
2942                         BUF_memdup(s->tlsext_opaque_prf_input,
2943                                    s->tlsext_opaque_prf_input_len);
2944                 }
2945                 if (s->s3->server_opaque_prf_input == NULL) {
2946                     ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2947                     al = SSL_AD_INTERNAL_ERROR;
2948                     goto err;
2949                 }
2950                 s->s3->server_opaque_prf_input_len =
2951                     s->tlsext_opaque_prf_input_len;
2952             }
2953         }
2954 
2955         if (r == 2 && s->s3->server_opaque_prf_input == NULL) {
2956             /*
2957              * The callback wants to enforce use of the extension, but we
2958              * can't do that with the client opaque PRF input; abort the
2959              * handshake.
2960              */
2961             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2962             al = SSL_AD_HANDSHAKE_FAILURE;
2963         }
2964     }
2965 
2966  err:
2967 # endif
2968     switch (ret) {
2969     case SSL_TLSEXT_ERR_ALERT_FATAL:
2970         ssl3_send_alert(s, SSL3_AL_FATAL, al);
2971         return -1;
2972 
2973     case SSL_TLSEXT_ERR_ALERT_WARNING:
2974         ssl3_send_alert(s, SSL3_AL_WARNING, al);
2975         return 1;
2976 
2977     case SSL_TLSEXT_ERR_NOACK:
2978         s->servername_done = 0;
2979     default:
2980         return 1;
2981     }
2982 }
2983 
2984 int tls1_set_server_sigalgs(SSL *s)
2985 {
2986     int al;
2987     size_t i;
2988     /* Clear any shared sigtnature algorithms */
2989     if (s->cert->shared_sigalgs) {
2990         OPENSSL_free(s->cert->shared_sigalgs);
2991         s->cert->shared_sigalgs = NULL;
2992         s->cert->shared_sigalgslen = 0;
2993     }
2994     /* Clear certificate digests and validity flags */
2995     for (i = 0; i < SSL_PKEY_NUM; i++) {
2996         s->cert->pkeys[i].digest = NULL;
2997         s->cert->pkeys[i].valid_flags = 0;
2998     }
2999 
3000     /* If sigalgs received process it. */
3001     if (s->cert->peer_sigalgs) {
3002         if (!tls1_process_sigalgs(s)) {
3003             SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
3004             al = SSL_AD_INTERNAL_ERROR;
3005             goto err;
3006         }
3007         /* Fatal error is no shared signature algorithms */
3008         if (!s->cert->shared_sigalgs) {
3009             SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
3010                    SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
3011             al = SSL_AD_ILLEGAL_PARAMETER;
3012             goto err;
3013         }
3014     } else
3015         ssl_cert_set_default_md(s->cert);
3016     return 1;
3017  err:
3018     ssl3_send_alert(s, SSL3_AL_FATAL, al);
3019     return 0;
3020 }
3021 
3022 int ssl_check_clienthello_tlsext_late(SSL *s)
3023 {
3024     int ret = SSL_TLSEXT_ERR_OK;
3025     int al;
3026 
3027     /*
3028      * If status request then ask callback what to do. Note: this must be
3029      * called after servername callbacks in case the certificate has changed,
3030      * and must be called after the cipher has been chosen because this may
3031      * influence which certificate is sent
3032      */
3033     if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
3034         int r;
3035         CERT_PKEY *certpkey;
3036         certpkey = ssl_get_server_send_pkey(s);
3037         /* If no certificate can't return certificate status */
3038         if (certpkey == NULL) {
3039             s->tlsext_status_expected = 0;
3040             return 1;
3041         }
3042         /*
3043          * Set current certificate to one we will use so SSL_get_certificate
3044          * et al can pick it up.
3045          */
3046         s->cert->key = certpkey;
3047         r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3048         switch (r) {
3049             /* We don't want to send a status request response */
3050         case SSL_TLSEXT_ERR_NOACK:
3051             s->tlsext_status_expected = 0;
3052             break;
3053             /* status request response should be sent */
3054         case SSL_TLSEXT_ERR_OK:
3055             if (s->tlsext_ocsp_resp)
3056                 s->tlsext_status_expected = 1;
3057             else
3058                 s->tlsext_status_expected = 0;
3059             break;
3060             /* something bad happened */
3061         case SSL_TLSEXT_ERR_ALERT_FATAL:
3062             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3063             al = SSL_AD_INTERNAL_ERROR;
3064             goto err;
3065         }
3066     } else
3067         s->tlsext_status_expected = 0;
3068 
3069  err:
3070     switch (ret) {
3071     case SSL_TLSEXT_ERR_ALERT_FATAL:
3072         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3073         return -1;
3074 
3075     case SSL_TLSEXT_ERR_ALERT_WARNING:
3076         ssl3_send_alert(s, SSL3_AL_WARNING, al);
3077         return 1;
3078 
3079     default:
3080         return 1;
3081     }
3082 }
3083 
3084 int ssl_check_serverhello_tlsext(SSL *s)
3085 {
3086     int ret = SSL_TLSEXT_ERR_NOACK;
3087     int al = SSL_AD_UNRECOGNIZED_NAME;
3088 
3089 # ifndef OPENSSL_NO_EC
3090     /*
3091      * If we are client and using an elliptic curve cryptography cipher
3092      * suite, then if server returns an EC point formats lists extension it
3093      * must contain uncompressed.
3094      */
3095     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3096     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3097     if ((s->tlsext_ecpointformatlist != NULL)
3098         && (s->tlsext_ecpointformatlist_length > 0)
3099         && (s->session->tlsext_ecpointformatlist != NULL)
3100         && (s->session->tlsext_ecpointformatlist_length > 0)
3101         && ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe))
3102             || (alg_a & SSL_aECDSA))) {
3103         /* we are using an ECC cipher */
3104         size_t i;
3105         unsigned char *list;
3106         int found_uncompressed = 0;
3107         list = s->session->tlsext_ecpointformatlist;
3108         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
3109             if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
3110                 found_uncompressed = 1;
3111                 break;
3112             }
3113         }
3114         if (!found_uncompressed) {
3115             SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
3116                    SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3117             return -1;
3118         }
3119     }
3120     ret = SSL_TLSEXT_ERR_OK;
3121 # endif                         /* OPENSSL_NO_EC */
3122 
3123     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3124         ret =
3125             s->ctx->tlsext_servername_callback(s, &al,
3126                                                s->ctx->tlsext_servername_arg);
3127     else if (s->initial_ctx != NULL
3128              && s->initial_ctx->tlsext_servername_callback != 0)
3129         ret =
3130             s->initial_ctx->tlsext_servername_callback(s, &al,
3131                                                        s->
3132                                                        initial_ctx->tlsext_servername_arg);
3133 
3134 # ifdef TLSEXT_TYPE_opaque_prf_input
3135     if (s->s3->server_opaque_prf_input_len > 0) {
3136         /*
3137          * This case may indicate that we, as a client, want to insist on
3138          * using opaque PRF inputs. So first verify that we really have a
3139          * value from the server too.
3140          */
3141 
3142         if (s->s3->server_opaque_prf_input == NULL) {
3143             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3144             al = SSL_AD_HANDSHAKE_FAILURE;
3145         }
3146 
3147         /*
3148          * Anytime the server *has* sent an opaque PRF input, we need to
3149          * check that we have a client opaque PRF input of the same size.
3150          */
3151         if (s->s3->client_opaque_prf_input == NULL ||
3152             s->s3->client_opaque_prf_input_len !=
3153             s->s3->server_opaque_prf_input_len) {
3154             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3155             al = SSL_AD_ILLEGAL_PARAMETER;
3156         }
3157     }
3158 # endif
3159 
3160     /*
3161      * If we've requested certificate status and we wont get one tell the
3162      * callback
3163      */
3164     if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3165         && s->ctx && s->ctx->tlsext_status_cb) {
3166         int r;
3167         /*
3168          * Set resp to NULL, resplen to -1 so callback knows there is no
3169          * response.
3170          */
3171         if (s->tlsext_ocsp_resp) {
3172             OPENSSL_free(s->tlsext_ocsp_resp);
3173             s->tlsext_ocsp_resp = NULL;
3174         }
3175         s->tlsext_ocsp_resplen = -1;
3176         r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3177         if (r == 0) {
3178             al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3179             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3180         }
3181         if (r < 0) {
3182             al = SSL_AD_INTERNAL_ERROR;
3183             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3184         }
3185     }
3186 
3187     switch (ret) {
3188     case SSL_TLSEXT_ERR_ALERT_FATAL:
3189         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3190         return -1;
3191 
3192     case SSL_TLSEXT_ERR_ALERT_WARNING:
3193         ssl3_send_alert(s, SSL3_AL_WARNING, al);
3194         return 1;
3195 
3196     case SSL_TLSEXT_ERR_NOACK:
3197         s->servername_done = 0;
3198     default:
3199         return 1;
3200     }
3201 }
3202 
3203 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
3204                                  int n)
3205 {
3206     int al = -1;
3207     if (s->version < SSL3_VERSION)
3208         return 1;
3209     if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) {
3210         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3211         return 0;
3212     }
3213 
3214     if (ssl_check_serverhello_tlsext(s) <= 0) {
3215         SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
3216         return 0;
3217     }
3218     return 1;
3219 }
3220 
3221 /*-
3222  * Since the server cache lookup is done early on in the processing of the
3223  * ClientHello, and other operations depend on the result, we need to handle
3224  * any TLS session ticket extension at the same time.
3225  *
3226  *   session_id: points at the session ID in the ClientHello. This code will
3227  *       read past the end of this in order to parse out the session ticket
3228  *       extension, if any.
3229  *   len: the length of the session ID.
3230  *   limit: a pointer to the first byte after the ClientHello.
3231  *   ret: (output) on return, if a ticket was decrypted, then this is set to
3232  *       point to the resulting session.
3233  *
3234  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3235  * ciphersuite, in which case we have no use for session tickets and one will
3236  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3237  *
3238  * Returns:
3239  *   -1: fatal error, either from parsing or decrypting the ticket.
3240  *    0: no ticket was found (or was ignored, based on settings).
3241  *    1: a zero length extension was found, indicating that the client supports
3242  *       session tickets but doesn't currently have one to offer.
3243  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
3244  *       couldn't be decrypted because of a non-fatal error.
3245  *    3: a ticket was successfully decrypted and *ret was set.
3246  *
3247  * Side effects:
3248  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3249  *   a new session ticket to the client because the client indicated support
3250  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3251  *   a session ticket or we couldn't use the one it gave us, or if
3252  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3253  *   Otherwise, s->tlsext_ticket_expected is set to 0.
3254  */
3255 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3256                         const unsigned char *limit, SSL_SESSION **ret)
3257 {
3258     /* Point after session ID in client hello */
3259     const unsigned char *p = session_id + len;
3260     unsigned short i;
3261 
3262     *ret = NULL;
3263     s->tlsext_ticket_expected = 0;
3264 
3265     /*
3266      * If tickets disabled behave as if no ticket present to permit stateful
3267      * resumption.
3268      */
3269     if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3270         return 0;
3271     if ((s->version <= SSL3_VERSION) || !limit)
3272         return 0;
3273     if (p >= limit)
3274         return -1;
3275     /* Skip past DTLS cookie */
3276     if (SSL_IS_DTLS(s)) {
3277         i = *(p++);
3278         p += i;
3279         if (p >= limit)
3280             return -1;
3281     }
3282     /* Skip past cipher list */
3283     n2s(p, i);
3284     p += i;
3285     if (p >= limit)
3286         return -1;
3287     /* Skip past compression algorithm list */
3288     i = *(p++);
3289     p += i;
3290     if (p > limit)
3291         return -1;
3292     /* Now at start of extensions */
3293     if ((p + 2) >= limit)
3294         return 0;
3295     n2s(p, i);
3296     while ((p + 4) <= limit) {
3297         unsigned short type, size;
3298         n2s(p, type);
3299         n2s(p, size);
3300         if (p + size > limit)
3301             return 0;
3302         if (type == TLSEXT_TYPE_session_ticket) {
3303             int r;
3304             if (size == 0) {
3305                 /*
3306                  * The client will accept a ticket but doesn't currently have
3307                  * one.
3308                  */
3309                 s->tlsext_ticket_expected = 1;
3310                 return 1;
3311             }
3312             if (s->tls_session_secret_cb) {
3313                 /*
3314                  * Indicate that the ticket couldn't be decrypted rather than
3315                  * generating the session from ticket now, trigger
3316                  * abbreviated handshake based on external mechanism to
3317                  * calculate the master secret later.
3318                  */
3319                 return 2;
3320             }
3321             r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3322             switch (r) {
3323             case 2:            /* ticket couldn't be decrypted */
3324                 s->tlsext_ticket_expected = 1;
3325                 return 2;
3326             case 3:            /* ticket was decrypted */
3327                 return r;
3328             case 4:            /* ticket decrypted but need to renew */
3329                 s->tlsext_ticket_expected = 1;
3330                 return 3;
3331             default:           /* fatal error */
3332                 return -1;
3333             }
3334         }
3335         p += size;
3336     }
3337     return 0;
3338 }
3339 
3340 /*-
3341  * tls_decrypt_ticket attempts to decrypt a session ticket.
3342  *
3343  *   etick: points to the body of the session ticket extension.
3344  *   eticklen: the length of the session tickets extenion.
3345  *   sess_id: points at the session ID.
3346  *   sesslen: the length of the session ID.
3347  *   psess: (output) on return, if a ticket was decrypted, then this is set to
3348  *       point to the resulting session.
3349  *
3350  * Returns:
3351  *   -1: fatal error, either from parsing or decrypting the ticket.
3352  *    2: the ticket couldn't be decrypted.
3353  *    3: a ticket was successfully decrypted and *psess was set.
3354  *    4: same as 3, but the ticket needs to be renewed.
3355  */
3356 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3357                               int eticklen, const unsigned char *sess_id,
3358                               int sesslen, SSL_SESSION **psess)
3359 {
3360     SSL_SESSION *sess;
3361     unsigned char *sdec;
3362     const unsigned char *p;
3363     int slen, mlen, renew_ticket = 0;
3364     unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3365     HMAC_CTX hctx;
3366     EVP_CIPHER_CTX ctx;
3367     SSL_CTX *tctx = s->initial_ctx;
3368     /* Need at least keyname + iv + some encrypted data */
3369     if (eticklen < 48)
3370         return 2;
3371     /* Initialize session ticket encryption and HMAC contexts */
3372     HMAC_CTX_init(&hctx);
3373     EVP_CIPHER_CTX_init(&ctx);
3374     if (tctx->tlsext_ticket_key_cb) {
3375         unsigned char *nctick = (unsigned char *)etick;
3376         int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3377                                             &ctx, &hctx, 0);
3378         if (rv < 0)
3379             return -1;
3380         if (rv == 0)
3381             return 2;
3382         if (rv == 2)
3383             renew_ticket = 1;
3384     } else {
3385         /* Check key name matches */
3386         if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3387             return 2;
3388         if (HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3389                          tlsext_tick_md(), NULL) <= 0
3390                 || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3391                                       tctx->tlsext_tick_aes_key,
3392                                       etick + 16) <= 0) {
3393             goto err;
3394        }
3395     }
3396     /*
3397      * Attempt to process session ticket, first conduct sanity and integrity
3398      * checks on ticket.
3399      */
3400     mlen = HMAC_size(&hctx);
3401     if (mlen < 0) {
3402         goto err;
3403     }
3404     eticklen -= mlen;
3405     /* Check HMAC of encrypted ticket */
3406     if (HMAC_Update(&hctx, etick, eticklen) <= 0
3407             || HMAC_Final(&hctx, tick_hmac, NULL) <= 0) {
3408         goto err;
3409     }
3410     HMAC_CTX_cleanup(&hctx);
3411     if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3412         EVP_CIPHER_CTX_cleanup(&ctx);
3413         return 2;
3414     }
3415     /* Attempt to decrypt session data */
3416     /* Move p after IV to start of encrypted ticket, update length */
3417     p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3418     eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3419     sdec = OPENSSL_malloc(eticklen);
3420     if (!sdec || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
3421         EVP_CIPHER_CTX_cleanup(&ctx);
3422         return -1;
3423     }
3424     if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
3425         EVP_CIPHER_CTX_cleanup(&ctx);
3426         OPENSSL_free(sdec);
3427         return 2;
3428     }
3429     slen += mlen;
3430     EVP_CIPHER_CTX_cleanup(&ctx);
3431     p = sdec;
3432 
3433     sess = d2i_SSL_SESSION(NULL, &p, slen);
3434     OPENSSL_free(sdec);
3435     if (sess) {
3436         /*
3437          * The session ID, if non-empty, is used by some clients to detect
3438          * that the ticket has been accepted. So we copy it to the session
3439          * structure. If it is empty set length to zero as required by
3440          * standard.
3441          */
3442         if (sesslen)
3443             memcpy(sess->session_id, sess_id, sesslen);
3444         sess->session_id_length = sesslen;
3445         *psess = sess;
3446         if (renew_ticket)
3447             return 4;
3448         else
3449             return 3;
3450     }
3451     ERR_clear_error();
3452     /*
3453      * For session parse failure, indicate that we need to send a new ticket.
3454      */
3455     return 2;
3456 err:
3457     EVP_CIPHER_CTX_cleanup(&ctx);
3458     HMAC_CTX_cleanup(&hctx);
3459     return -1;
3460 }
3461 
3462 /* Tables to translate from NIDs to TLS v1.2 ids */
3463 
3464 typedef struct {
3465     int nid;
3466     int id;
3467 } tls12_lookup;
3468 
3469 static tls12_lookup tls12_md[] = {
3470     {NID_md5, TLSEXT_hash_md5},
3471     {NID_sha1, TLSEXT_hash_sha1},
3472     {NID_sha224, TLSEXT_hash_sha224},
3473     {NID_sha256, TLSEXT_hash_sha256},
3474     {NID_sha384, TLSEXT_hash_sha384},
3475     {NID_sha512, TLSEXT_hash_sha512}
3476 };
3477 
3478 static tls12_lookup tls12_sig[] = {
3479     {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3480     {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3481     {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3482 };
3483 
3484 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3485 {
3486     size_t i;
3487     for (i = 0; i < tlen; i++) {
3488         if (table[i].nid == nid)
3489             return table[i].id;
3490     }
3491     return -1;
3492 }
3493 
3494 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3495 {
3496     size_t i;
3497     for (i = 0; i < tlen; i++) {
3498         if ((table[i].id) == id)
3499             return table[i].nid;
3500     }
3501     return NID_undef;
3502 }
3503 
3504 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3505                          const EVP_MD *md)
3506 {
3507     int sig_id, md_id;
3508     if (!md)
3509         return 0;
3510     md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3511                           sizeof(tls12_md) / sizeof(tls12_lookup));
3512     if (md_id == -1)
3513         return 0;
3514     sig_id = tls12_get_sigid(pk);
3515     if (sig_id == -1)
3516         return 0;
3517     p[0] = (unsigned char)md_id;
3518     p[1] = (unsigned char)sig_id;
3519     return 1;
3520 }
3521 
3522 int tls12_get_sigid(const EVP_PKEY *pk)
3523 {
3524     return tls12_find_id(pk->type, tls12_sig,
3525                          sizeof(tls12_sig) / sizeof(tls12_lookup));
3526 }
3527 
3528 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3529 {
3530     switch (hash_alg) {
3531 # ifndef OPENSSL_NO_MD5
3532     case TLSEXT_hash_md5:
3533 #  ifdef OPENSSL_FIPS
3534         if (FIPS_mode())
3535             return NULL;
3536 #  endif
3537         return EVP_md5();
3538 # endif
3539 # ifndef OPENSSL_NO_SHA
3540     case TLSEXT_hash_sha1:
3541         return EVP_sha1();
3542 # endif
3543 # ifndef OPENSSL_NO_SHA256
3544     case TLSEXT_hash_sha224:
3545         return EVP_sha224();
3546 
3547     case TLSEXT_hash_sha256:
3548         return EVP_sha256();
3549 # endif
3550 # ifndef OPENSSL_NO_SHA512
3551     case TLSEXT_hash_sha384:
3552         return EVP_sha384();
3553 
3554     case TLSEXT_hash_sha512:
3555         return EVP_sha512();
3556 # endif
3557     default:
3558         return NULL;
3559 
3560     }
3561 }
3562 
3563 static int tls12_get_pkey_idx(unsigned char sig_alg)
3564 {
3565     switch (sig_alg) {
3566 # ifndef OPENSSL_NO_RSA
3567     case TLSEXT_signature_rsa:
3568         return SSL_PKEY_RSA_SIGN;
3569 # endif
3570 # ifndef OPENSSL_NO_DSA
3571     case TLSEXT_signature_dsa:
3572         return SSL_PKEY_DSA_SIGN;
3573 # endif
3574 # ifndef OPENSSL_NO_ECDSA
3575     case TLSEXT_signature_ecdsa:
3576         return SSL_PKEY_ECC;
3577 # endif
3578     }
3579     return -1;
3580 }
3581 
3582 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3583 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3584                                int *psignhash_nid, const unsigned char *data)
3585 {
3586     int sign_nid = 0, hash_nid = 0;
3587     if (!phash_nid && !psign_nid && !psignhash_nid)
3588         return;
3589     if (phash_nid || psignhash_nid) {
3590         hash_nid = tls12_find_nid(data[0], tls12_md,
3591                                   sizeof(tls12_md) / sizeof(tls12_lookup));
3592         if (phash_nid)
3593             *phash_nid = hash_nid;
3594     }
3595     if (psign_nid || psignhash_nid) {
3596         sign_nid = tls12_find_nid(data[1], tls12_sig,
3597                                   sizeof(tls12_sig) / sizeof(tls12_lookup));
3598         if (psign_nid)
3599             *psign_nid = sign_nid;
3600     }
3601     if (psignhash_nid) {
3602         if (sign_nid && hash_nid)
3603             OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid);
3604         else
3605             *psignhash_nid = NID_undef;
3606     }
3607 }
3608 
3609 /* Given preference and allowed sigalgs set shared sigalgs */
3610 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3611                                    const unsigned char *pref, size_t preflen,
3612                                    const unsigned char *allow,
3613                                    size_t allowlen)
3614 {
3615     const unsigned char *ptmp, *atmp;
3616     size_t i, j, nmatch = 0;
3617     for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3618         /* Skip disabled hashes or signature algorithms */
3619         if (tls12_get_hash(ptmp[0]) == NULL)
3620             continue;
3621         if (tls12_get_pkey_idx(ptmp[1]) == -1)
3622             continue;
3623         for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3624             if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3625                 nmatch++;
3626                 if (shsig) {
3627                     shsig->rhash = ptmp[0];
3628                     shsig->rsign = ptmp[1];
3629                     tls1_lookup_sigalg(&shsig->hash_nid,
3630                                        &shsig->sign_nid,
3631                                        &shsig->signandhash_nid, ptmp);
3632                     shsig++;
3633                 }
3634                 break;
3635             }
3636         }
3637     }
3638     return nmatch;
3639 }
3640 
3641 /* Set shared signature algorithms for SSL structures */
3642 static int tls1_set_shared_sigalgs(SSL *s)
3643 {
3644     const unsigned char *pref, *allow, *conf;
3645     size_t preflen, allowlen, conflen;
3646     size_t nmatch;
3647     TLS_SIGALGS *salgs = NULL;
3648     CERT *c = s->cert;
3649     unsigned int is_suiteb = tls1_suiteb(s);
3650     if (c->shared_sigalgs) {
3651         OPENSSL_free(c->shared_sigalgs);
3652         c->shared_sigalgs = NULL;
3653         c->shared_sigalgslen = 0;
3654     }
3655     /* If client use client signature algorithms if not NULL */
3656     if (!s->server && c->client_sigalgs && !is_suiteb) {
3657         conf = c->client_sigalgs;
3658         conflen = c->client_sigalgslen;
3659     } else if (c->conf_sigalgs && !is_suiteb) {
3660         conf = c->conf_sigalgs;
3661         conflen = c->conf_sigalgslen;
3662     } else
3663         conflen = tls12_get_psigalgs(s, &conf);
3664     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3665         pref = conf;
3666         preflen = conflen;
3667         allow = c->peer_sigalgs;
3668         allowlen = c->peer_sigalgslen;
3669     } else {
3670         allow = conf;
3671         allowlen = conflen;
3672         pref = c->peer_sigalgs;
3673         preflen = c->peer_sigalgslen;
3674     }
3675     nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3676     if (nmatch) {
3677         salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3678         if (!salgs)
3679             return 0;
3680         nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3681     } else {
3682         salgs = NULL;
3683     }
3684     c->shared_sigalgs = salgs;
3685     c->shared_sigalgslen = nmatch;
3686     return 1;
3687 }
3688 
3689 /* Set preferred digest for each key type */
3690 
3691 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
3692 {
3693     CERT *c = s->cert;
3694     /* Extension ignored for inappropriate versions */
3695     if (!SSL_USE_SIGALGS(s))
3696         return 1;
3697     /* Should never happen */
3698     if (!c)
3699         return 0;
3700 
3701     if (c->peer_sigalgs)
3702         OPENSSL_free(c->peer_sigalgs);
3703     c->peer_sigalgs = OPENSSL_malloc(dsize);
3704     if (!c->peer_sigalgs)
3705         return 0;
3706     c->peer_sigalgslen = dsize;
3707     memcpy(c->peer_sigalgs, data, dsize);
3708     return 1;
3709 }
3710 
3711 int tls1_process_sigalgs(SSL *s)
3712 {
3713     int idx;
3714     size_t i;
3715     const EVP_MD *md;
3716     CERT *c = s->cert;
3717     TLS_SIGALGS *sigptr;
3718     if (!tls1_set_shared_sigalgs(s))
3719         return 0;
3720 
3721 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3722     if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3723         /*
3724          * Use first set signature preference to force message digest,
3725          * ignoring any peer preferences.
3726          */
3727         const unsigned char *sigs = NULL;
3728         if (s->server)
3729             sigs = c->conf_sigalgs;
3730         else
3731             sigs = c->client_sigalgs;
3732         if (sigs) {
3733             idx = tls12_get_pkey_idx(sigs[1]);
3734             md = tls12_get_hash(sigs[0]);
3735             c->pkeys[idx].digest = md;
3736             c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3737             if (idx == SSL_PKEY_RSA_SIGN) {
3738                 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
3739                     CERT_PKEY_EXPLICIT_SIGN;
3740                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3741             }
3742         }
3743     }
3744 # endif
3745 
3746     for (i = 0, sigptr = c->shared_sigalgs;
3747          i < c->shared_sigalgslen; i++, sigptr++) {
3748         idx = tls12_get_pkey_idx(sigptr->rsign);
3749         if (idx > 0 && c->pkeys[idx].digest == NULL) {
3750             md = tls12_get_hash(sigptr->rhash);
3751             c->pkeys[idx].digest = md;
3752             c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3753             if (idx == SSL_PKEY_RSA_SIGN) {
3754                 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
3755                     CERT_PKEY_EXPLICIT_SIGN;
3756                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3757             }
3758         }
3759 
3760     }
3761     /*
3762      * In strict mode leave unset digests as NULL to indicate we can't use
3763      * the certificate for signing.
3764      */
3765     if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3766         /*
3767          * Set any remaining keys to default values. NOTE: if alg is not
3768          * supported it stays as NULL.
3769          */
3770 # ifndef OPENSSL_NO_DSA
3771         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3772             c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3773 # endif
3774 # ifndef OPENSSL_NO_RSA
3775         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
3776             c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3777             c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3778         }
3779 # endif
3780 # ifndef OPENSSL_NO_ECDSA
3781         if (!c->pkeys[SSL_PKEY_ECC].digest)
3782             c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3783 # endif
3784     }
3785     return 1;
3786 }
3787 
3788 int SSL_get_sigalgs(SSL *s, int idx,
3789                     int *psign, int *phash, int *psignhash,
3790                     unsigned char *rsig, unsigned char *rhash)
3791 {
3792     const unsigned char *psig = s->cert->peer_sigalgs;
3793     if (psig == NULL)
3794         return 0;
3795     if (idx >= 0) {
3796         idx <<= 1;
3797         if (idx >= (int)s->cert->peer_sigalgslen)
3798             return 0;
3799         psig += idx;
3800         if (rhash)
3801             *rhash = psig[0];
3802         if (rsig)
3803             *rsig = psig[1];
3804         tls1_lookup_sigalg(phash, psign, psignhash, psig);
3805     }
3806     return s->cert->peer_sigalgslen / 2;
3807 }
3808 
3809 int SSL_get_shared_sigalgs(SSL *s, int idx,
3810                            int *psign, int *phash, int *psignhash,
3811                            unsigned char *rsig, unsigned char *rhash)
3812 {
3813     TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3814     if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3815         return 0;
3816     shsigalgs += idx;
3817     if (phash)
3818         *phash = shsigalgs->hash_nid;
3819     if (psign)
3820         *psign = shsigalgs->sign_nid;
3821     if (psignhash)
3822         *psignhash = shsigalgs->signandhash_nid;
3823     if (rsig)
3824         *rsig = shsigalgs->rsign;
3825     if (rhash)
3826         *rhash = shsigalgs->rhash;
3827     return s->cert->shared_sigalgslen;
3828 }
3829 
3830 # ifndef OPENSSL_NO_HEARTBEATS
3831 int tls1_process_heartbeat(SSL *s)
3832 {
3833     unsigned char *p = &s->s3->rrec.data[0], *pl;
3834     unsigned short hbtype;
3835     unsigned int payload;
3836     unsigned int padding = 16;  /* Use minimum padding */
3837 
3838     if (s->msg_callback)
3839         s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3840                         &s->s3->rrec.data[0], s->s3->rrec.length,
3841                         s, s->msg_callback_arg);
3842 
3843     /* Read type and payload length first */
3844     if (1 + 2 + 16 > s->s3->rrec.length)
3845         return 0;               /* silently discard */
3846     hbtype = *p++;
3847     n2s(p, payload);
3848     if (1 + 2 + payload + 16 > s->s3->rrec.length)
3849         return 0;               /* silently discard per RFC 6520 sec. 4 */
3850     pl = p;
3851 
3852     if (hbtype == TLS1_HB_REQUEST) {
3853         unsigned char *buffer, *bp;
3854         int r;
3855 
3856         /*
3857          * Allocate memory for the response, size is 1 bytes message type,
3858          * plus 2 bytes payload length, plus payload, plus padding
3859          */
3860         buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3861         bp = buffer;
3862 
3863         /* Enter response type, length and copy payload */
3864         *bp++ = TLS1_HB_RESPONSE;
3865         s2n(payload, bp);
3866         memcpy(bp, pl, payload);
3867         bp += payload;
3868         /* Random padding */
3869         if (RAND_pseudo_bytes(bp, padding) < 0) {
3870             OPENSSL_free(buffer);
3871             return -1;
3872         }
3873 
3874         r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3875                              3 + payload + padding);
3876 
3877         if (r >= 0 && s->msg_callback)
3878             s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3879                             buffer, 3 + payload + padding,
3880                             s, s->msg_callback_arg);
3881 
3882         OPENSSL_free(buffer);
3883 
3884         if (r < 0)
3885             return r;
3886     } else if (hbtype == TLS1_HB_RESPONSE) {
3887         unsigned int seq;
3888 
3889         /*
3890          * We only send sequence numbers (2 bytes unsigned int), and 16
3891          * random bytes, so we just try to read the sequence number
3892          */
3893         n2s(pl, seq);
3894 
3895         if (payload == 18 && seq == s->tlsext_hb_seq) {
3896             s->tlsext_hb_seq++;
3897             s->tlsext_hb_pending = 0;
3898         }
3899     }
3900 
3901     return 0;
3902 }
3903 
3904 int tls1_heartbeat(SSL *s)
3905 {
3906     unsigned char *buf, *p;
3907     int ret = -1;
3908     unsigned int payload = 18;  /* Sequence number + random bytes */
3909     unsigned int padding = 16;  /* Use minimum padding */
3910 
3911     /* Only send if peer supports and accepts HB requests... */
3912     if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3913         s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3914         SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3915         return -1;
3916     }
3917 
3918     /* ...and there is none in flight yet... */
3919     if (s->tlsext_hb_pending) {
3920         SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3921         return -1;
3922     }
3923 
3924     /* ...and no handshake in progress. */
3925     if (SSL_in_init(s) || s->in_handshake) {
3926         SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3927         return -1;
3928     }
3929 
3930     /*
3931      * Check if padding is too long, payload and padding must not exceed 2^14
3932      * - 3 = 16381 bytes in total.
3933      */
3934     OPENSSL_assert(payload + padding <= 16381);
3935 
3936     /*-
3937      * Create HeartBeat message, we just use a sequence number
3938      * as payload to distuingish different messages and add
3939      * some random stuff.
3940      *  - Message Type, 1 byte
3941      *  - Payload Length, 2 bytes (unsigned int)
3942      *  - Payload, the sequence number (2 bytes uint)
3943      *  - Payload, random bytes (16 bytes uint)
3944      *  - Padding
3945      */
3946     buf = OPENSSL_malloc(1 + 2 + payload + padding);
3947     p = buf;
3948     /* Message Type */
3949     *p++ = TLS1_HB_REQUEST;
3950     /* Payload length (18 bytes here) */
3951     s2n(payload, p);
3952     /* Sequence number */
3953     s2n(s->tlsext_hb_seq, p);
3954     /* 16 random bytes */
3955     if (RAND_pseudo_bytes(p, 16) < 0) {
3956         SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3957         goto err;
3958     }
3959     p += 16;
3960     /* Random padding */
3961     if (RAND_pseudo_bytes(p, padding) < 0) {
3962         SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3963         goto err;
3964     }
3965 
3966     ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3967     if (ret >= 0) {
3968         if (s->msg_callback)
3969             s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3970                             buf, 3 + payload + padding,
3971                             s, s->msg_callback_arg);
3972 
3973         s->tlsext_hb_pending = 1;
3974     }
3975 
3976 err:
3977     OPENSSL_free(buf);
3978 
3979     return ret;
3980 }
3981 # endif
3982 
3983 # define MAX_SIGALGLEN   (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3984 
3985 typedef struct {
3986     size_t sigalgcnt;
3987     int sigalgs[MAX_SIGALGLEN];
3988 } sig_cb_st;
3989 
3990 static int sig_cb(const char *elem, int len, void *arg)
3991 {
3992     sig_cb_st *sarg = arg;
3993     size_t i;
3994     char etmp[20], *p;
3995     int sig_alg, hash_alg;
3996     if (elem == NULL)
3997         return 0;
3998     if (sarg->sigalgcnt == MAX_SIGALGLEN)
3999         return 0;
4000     if (len > (int)(sizeof(etmp) - 1))
4001         return 0;
4002     memcpy(etmp, elem, len);
4003     etmp[len] = 0;
4004     p = strchr(etmp, '+');
4005     if (!p)
4006         return 0;
4007     *p = 0;
4008     p++;
4009     if (!*p)
4010         return 0;
4011 
4012     if (!strcmp(etmp, "RSA"))
4013         sig_alg = EVP_PKEY_RSA;
4014     else if (!strcmp(etmp, "DSA"))
4015         sig_alg = EVP_PKEY_DSA;
4016     else if (!strcmp(etmp, "ECDSA"))
4017         sig_alg = EVP_PKEY_EC;
4018     else
4019         return 0;
4020 
4021     hash_alg = OBJ_sn2nid(p);
4022     if (hash_alg == NID_undef)
4023         hash_alg = OBJ_ln2nid(p);
4024     if (hash_alg == NID_undef)
4025         return 0;
4026 
4027     for (i = 0; i < sarg->sigalgcnt; i += 2) {
4028         if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
4029             return 0;
4030     }
4031     sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
4032     sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
4033     return 1;
4034 }
4035 
4036 /*
4037  * Set suppored signature algorithms based on a colon separated list of the
4038  * form sig+hash e.g. RSA+SHA512:DSA+SHA512
4039  */
4040 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
4041 {
4042     sig_cb_st sig;
4043     sig.sigalgcnt = 0;
4044     if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
4045         return 0;
4046     if (c == NULL)
4047         return 1;
4048     return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
4049 }
4050 
4051 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
4052                      int client)
4053 {
4054     unsigned char *sigalgs, *sptr;
4055     int rhash, rsign;
4056     size_t i;
4057     if (salglen & 1)
4058         return 0;
4059     sigalgs = OPENSSL_malloc(salglen);
4060     if (sigalgs == NULL)
4061         return 0;
4062     for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
4063         rhash = tls12_find_id(*psig_nids++, tls12_md,
4064                               sizeof(tls12_md) / sizeof(tls12_lookup));
4065         rsign = tls12_find_id(*psig_nids++, tls12_sig,
4066                               sizeof(tls12_sig) / sizeof(tls12_lookup));
4067 
4068         if (rhash == -1 || rsign == -1)
4069             goto err;
4070         *sptr++ = rhash;
4071         *sptr++ = rsign;
4072     }
4073 
4074     if (client) {
4075         if (c->client_sigalgs)
4076             OPENSSL_free(c->client_sigalgs);
4077         c->client_sigalgs = sigalgs;
4078         c->client_sigalgslen = salglen;
4079     } else {
4080         if (c->conf_sigalgs)
4081             OPENSSL_free(c->conf_sigalgs);
4082         c->conf_sigalgs = sigalgs;
4083         c->conf_sigalgslen = salglen;
4084     }
4085 
4086     return 1;
4087 
4088  err:
4089     OPENSSL_free(sigalgs);
4090     return 0;
4091 }
4092 
4093 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
4094 {
4095     int sig_nid;
4096     size_t i;
4097     if (default_nid == -1)
4098         return 1;
4099     sig_nid = X509_get_signature_nid(x);
4100     if (default_nid)
4101         return sig_nid == default_nid ? 1 : 0;
4102     for (i = 0; i < c->shared_sigalgslen; i++)
4103         if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
4104             return 1;
4105     return 0;
4106 }
4107 
4108 /* Check to see if a certificate issuer name matches list of CA names */
4109 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
4110 {
4111     X509_NAME *nm;
4112     int i;
4113     nm = X509_get_issuer_name(x);
4114     for (i = 0; i < sk_X509_NAME_num(names); i++) {
4115         if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
4116             return 1;
4117     }
4118     return 0;
4119 }
4120 
4121 /*
4122  * Check certificate chain is consistent with TLS extensions and is usable by
4123  * server. This servers two purposes: it allows users to check chains before
4124  * passing them to the server and it allows the server to check chains before
4125  * attempting to use them.
4126  */
4127 
4128 /* Flags which need to be set for a certificate when stict mode not set */
4129 
4130 # define CERT_PKEY_VALID_FLAGS \
4131         (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4132 /* Strict mode flags */
4133 # define CERT_PKEY_STRICT_FLAGS \
4134          (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4135          | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4136 
4137 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
4138                      int idx)
4139 {
4140     int i;
4141     int rv = 0;
4142     int check_flags = 0, strict_mode;
4143     CERT_PKEY *cpk = NULL;
4144     CERT *c = s->cert;
4145     unsigned int suiteb_flags = tls1_suiteb(s);
4146     /* idx == -1 means checking server chains */
4147     if (idx != -1) {
4148         /* idx == -2 means checking client certificate chains */
4149         if (idx == -2) {
4150             cpk = c->key;
4151             idx = cpk - c->pkeys;
4152         } else
4153             cpk = c->pkeys + idx;
4154         x = cpk->x509;
4155         pk = cpk->privatekey;
4156         chain = cpk->chain;
4157         strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4158         /* If no cert or key, forget it */
4159         if (!x || !pk)
4160             goto end;
4161 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4162         /* Allow any certificate to pass test */
4163         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
4164             rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
4165                 CERT_PKEY_VALID | CERT_PKEY_SIGN;
4166             cpk->valid_flags = rv;
4167             return rv;
4168         }
4169 # endif
4170     } else {
4171         if (!x || !pk)
4172             return 0;
4173         idx = ssl_cert_type(x, pk);
4174         if (idx == -1)
4175             return 0;
4176         cpk = c->pkeys + idx;
4177         if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4178             check_flags = CERT_PKEY_STRICT_FLAGS;
4179         else
4180             check_flags = CERT_PKEY_VALID_FLAGS;
4181         strict_mode = 1;
4182     }
4183 
4184     if (suiteb_flags) {
4185         int ok;
4186         if (check_flags)
4187             check_flags |= CERT_PKEY_SUITEB;
4188         ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4189         if (ok == X509_V_OK)
4190             rv |= CERT_PKEY_SUITEB;
4191         else if (!check_flags)
4192             goto end;
4193     }
4194 
4195     /*
4196      * Check all signature algorithms are consistent with signature
4197      * algorithms extension if TLS 1.2 or later and strict mode.
4198      */
4199     if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
4200         int default_nid;
4201         unsigned char rsign = 0;
4202         if (c->peer_sigalgs)
4203             default_nid = 0;
4204         /* If no sigalgs extension use defaults from RFC5246 */
4205         else {
4206             switch (idx) {
4207             case SSL_PKEY_RSA_ENC:
4208             case SSL_PKEY_RSA_SIGN:
4209             case SSL_PKEY_DH_RSA:
4210                 rsign = TLSEXT_signature_rsa;
4211                 default_nid = NID_sha1WithRSAEncryption;
4212                 break;
4213 
4214             case SSL_PKEY_DSA_SIGN:
4215             case SSL_PKEY_DH_DSA:
4216                 rsign = TLSEXT_signature_dsa;
4217                 default_nid = NID_dsaWithSHA1;
4218                 break;
4219 
4220             case SSL_PKEY_ECC:
4221                 rsign = TLSEXT_signature_ecdsa;
4222                 default_nid = NID_ecdsa_with_SHA1;
4223                 break;
4224 
4225             default:
4226                 default_nid = -1;
4227                 break;
4228             }
4229         }
4230         /*
4231          * If peer sent no signature algorithms extension and we have set
4232          * preferred signature algorithms check we support sha1.
4233          */
4234         if (default_nid > 0 && c->conf_sigalgs) {
4235             size_t j;
4236             const unsigned char *p = c->conf_sigalgs;
4237             for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4238                 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4239                     break;
4240             }
4241             if (j == c->conf_sigalgslen) {
4242                 if (check_flags)
4243                     goto skip_sigs;
4244                 else
4245                     goto end;
4246             }
4247         }
4248         /* Check signature algorithm of each cert in chain */
4249         if (!tls1_check_sig_alg(c, x, default_nid)) {
4250             if (!check_flags)
4251                 goto end;
4252         } else
4253             rv |= CERT_PKEY_EE_SIGNATURE;
4254         rv |= CERT_PKEY_CA_SIGNATURE;
4255         for (i = 0; i < sk_X509_num(chain); i++) {
4256             if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4257                 if (check_flags) {
4258                     rv &= ~CERT_PKEY_CA_SIGNATURE;
4259                     break;
4260                 } else
4261                     goto end;
4262             }
4263         }
4264     }
4265     /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4266     else if (check_flags)
4267         rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4268  skip_sigs:
4269     /* Check cert parameters are consistent */
4270     if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4271         rv |= CERT_PKEY_EE_PARAM;
4272     else if (!check_flags)
4273         goto end;
4274     if (!s->server)
4275         rv |= CERT_PKEY_CA_PARAM;
4276     /* In strict mode check rest of chain too */
4277     else if (strict_mode) {
4278         rv |= CERT_PKEY_CA_PARAM;
4279         for (i = 0; i < sk_X509_num(chain); i++) {
4280             X509 *ca = sk_X509_value(chain, i);
4281             if (!tls1_check_cert_param(s, ca, 0)) {
4282                 if (check_flags) {
4283                     rv &= ~CERT_PKEY_CA_PARAM;
4284                     break;
4285                 } else
4286                     goto end;
4287             }
4288         }
4289     }
4290     if (!s->server && strict_mode) {
4291         STACK_OF(X509_NAME) *ca_dn;
4292         int check_type = 0;
4293         switch (pk->type) {
4294         case EVP_PKEY_RSA:
4295             check_type = TLS_CT_RSA_SIGN;
4296             break;
4297         case EVP_PKEY_DSA:
4298             check_type = TLS_CT_DSS_SIGN;
4299             break;
4300         case EVP_PKEY_EC:
4301             check_type = TLS_CT_ECDSA_SIGN;
4302             break;
4303         case EVP_PKEY_DH:
4304         case EVP_PKEY_DHX:
4305             {
4306                 int cert_type = X509_certificate_type(x, pk);
4307                 if (cert_type & EVP_PKS_RSA)
4308                     check_type = TLS_CT_RSA_FIXED_DH;
4309                 if (cert_type & EVP_PKS_DSA)
4310                     check_type = TLS_CT_DSS_FIXED_DH;
4311             }
4312         }
4313         if (check_type) {
4314             const unsigned char *ctypes;
4315             int ctypelen;
4316             if (c->ctypes) {
4317                 ctypes = c->ctypes;
4318                 ctypelen = (int)c->ctype_num;
4319             } else {
4320                 ctypes = (unsigned char *)s->s3->tmp.ctype;
4321                 ctypelen = s->s3->tmp.ctype_num;
4322             }
4323             for (i = 0; i < ctypelen; i++) {
4324                 if (ctypes[i] == check_type) {
4325                     rv |= CERT_PKEY_CERT_TYPE;
4326                     break;
4327                 }
4328             }
4329             if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4330                 goto end;
4331         } else
4332             rv |= CERT_PKEY_CERT_TYPE;
4333 
4334         ca_dn = s->s3->tmp.ca_names;
4335 
4336         if (!sk_X509_NAME_num(ca_dn))
4337             rv |= CERT_PKEY_ISSUER_NAME;
4338 
4339         if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4340             if (ssl_check_ca_name(ca_dn, x))
4341                 rv |= CERT_PKEY_ISSUER_NAME;
4342         }
4343         if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4344             for (i = 0; i < sk_X509_num(chain); i++) {
4345                 X509 *xtmp = sk_X509_value(chain, i);
4346                 if (ssl_check_ca_name(ca_dn, xtmp)) {
4347                     rv |= CERT_PKEY_ISSUER_NAME;
4348                     break;
4349                 }
4350             }
4351         }
4352         if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4353             goto end;
4354     } else
4355         rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4356 
4357     if (!check_flags || (rv & check_flags) == check_flags)
4358         rv |= CERT_PKEY_VALID;
4359 
4360  end:
4361 
4362     if (TLS1_get_version(s) >= TLS1_2_VERSION) {
4363         if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4364             rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
4365         else if (cpk->digest)
4366             rv |= CERT_PKEY_SIGN;
4367     } else
4368         rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4369 
4370     /*
4371      * When checking a CERT_PKEY structure all flags are irrelevant if the
4372      * chain is invalid.
4373      */
4374     if (!check_flags) {
4375         if (rv & CERT_PKEY_VALID)
4376             cpk->valid_flags = rv;
4377         else {
4378             /* Preserve explicit sign flag, clear rest */
4379             cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4380             return 0;
4381         }
4382     }
4383     return rv;
4384 }
4385 
4386 /* Set validity of certificates in an SSL structure */
4387 void tls1_set_cert_validity(SSL *s)
4388 {
4389     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4390     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4391     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4392     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4393     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4394     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4395 }
4396 
4397 /* User level utiity function to check a chain is suitable */
4398 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4399 {
4400     return tls1_check_chain(s, x, pk, chain, -1);
4401 }
4402 
4403 #endif
4404