xref: /freebsd/crypto/openssl/ssl/t1_lib.c (revision b3404919397b789ea3b30e993784dafa7fed371c)
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #ifndef OPENSSL_NO_EC
117 #ifdef OPENSSL_NO_EC2M
118 # include <openssl/ec.h>
119 #endif
120 #endif
121 #include <openssl/ocsp.h>
122 #include <openssl/rand.h>
123 #include "ssl_locl.h"
124 
125 const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
126 
127 #ifndef OPENSSL_NO_TLSEXT
128 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
129                               const unsigned char *sess_id, int sesslen,
130                               SSL_SESSION **psess);
131 static int ssl_check_clienthello_tlsext_early(SSL *s);
132 int ssl_check_serverhello_tlsext(SSL *s);
133 #endif
134 
135 SSL3_ENC_METHOD TLSv1_enc_data = {
136     tls1_enc,
137     tls1_mac,
138     tls1_setup_key_block,
139     tls1_generate_master_secret,
140     tls1_change_cipher_state,
141     tls1_final_finish_mac,
142     TLS1_FINISH_MAC_LENGTH,
143     tls1_cert_verify_mac,
144     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
145     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
146     tls1_alert_code,
147     tls1_export_keying_material,
148     0,
149     SSL3_HM_HEADER_LENGTH,
150     ssl3_set_handshake_header,
151     ssl3_handshake_write
152 };
153 
154 SSL3_ENC_METHOD TLSv1_1_enc_data = {
155     tls1_enc,
156     tls1_mac,
157     tls1_setup_key_block,
158     tls1_generate_master_secret,
159     tls1_change_cipher_state,
160     tls1_final_finish_mac,
161     TLS1_FINISH_MAC_LENGTH,
162     tls1_cert_verify_mac,
163     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
164     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
165     tls1_alert_code,
166     tls1_export_keying_material,
167     SSL_ENC_FLAG_EXPLICIT_IV,
168     SSL3_HM_HEADER_LENGTH,
169     ssl3_set_handshake_header,
170     ssl3_handshake_write
171 };
172 
173 SSL3_ENC_METHOD TLSv1_2_enc_data = {
174     tls1_enc,
175     tls1_mac,
176     tls1_setup_key_block,
177     tls1_generate_master_secret,
178     tls1_change_cipher_state,
179     tls1_final_finish_mac,
180     TLS1_FINISH_MAC_LENGTH,
181     tls1_cert_verify_mac,
182     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
183     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
184     tls1_alert_code,
185     tls1_export_keying_material,
186     SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
187         | SSL_ENC_FLAG_TLS1_2_CIPHERS,
188     SSL3_HM_HEADER_LENGTH,
189     ssl3_set_handshake_header,
190     ssl3_handshake_write
191 };
192 
193 long tls1_default_timeout(void)
194 {
195     /*
196      * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
197      * http, the cache would over fill
198      */
199     return (60 * 60 * 2);
200 }
201 
202 int tls1_new(SSL *s)
203 {
204     if (!ssl3_new(s))
205         return (0);
206     s->method->ssl_clear(s);
207     return (1);
208 }
209 
210 void tls1_free(SSL *s)
211 {
212 #ifndef OPENSSL_NO_TLSEXT
213     if (s->tlsext_session_ticket) {
214         OPENSSL_free(s->tlsext_session_ticket);
215     }
216 #endif                          /* OPENSSL_NO_TLSEXT */
217     ssl3_free(s);
218 }
219 
220 void tls1_clear(SSL *s)
221 {
222     ssl3_clear(s);
223     s->version = s->method->version;
224 }
225 
226 #ifndef OPENSSL_NO_EC
227 
228 static int nid_list[] = {
229     NID_sect163k1,              /* sect163k1 (1) */
230     NID_sect163r1,              /* sect163r1 (2) */
231     NID_sect163r2,              /* sect163r2 (3) */
232     NID_sect193r1,              /* sect193r1 (4) */
233     NID_sect193r2,              /* sect193r2 (5) */
234     NID_sect233k1,              /* sect233k1 (6) */
235     NID_sect233r1,              /* sect233r1 (7) */
236     NID_sect239k1,              /* sect239k1 (8) */
237     NID_sect283k1,              /* sect283k1 (9) */
238     NID_sect283r1,              /* sect283r1 (10) */
239     NID_sect409k1,              /* sect409k1 (11) */
240     NID_sect409r1,              /* sect409r1 (12) */
241     NID_sect571k1,              /* sect571k1 (13) */
242     NID_sect571r1,              /* sect571r1 (14) */
243     NID_secp160k1,              /* secp160k1 (15) */
244     NID_secp160r1,              /* secp160r1 (16) */
245     NID_secp160r2,              /* secp160r2 (17) */
246     NID_secp192k1,              /* secp192k1 (18) */
247     NID_X9_62_prime192v1,       /* secp192r1 (19) */
248     NID_secp224k1,              /* secp224k1 (20) */
249     NID_secp224r1,              /* secp224r1 (21) */
250     NID_secp256k1,              /* secp256k1 (22) */
251     NID_X9_62_prime256v1,       /* secp256r1 (23) */
252     NID_secp384r1,              /* secp384r1 (24) */
253     NID_secp521r1,              /* secp521r1 (25) */
254     NID_brainpoolP256r1,        /* brainpoolP256r1 (26) */
255     NID_brainpoolP384r1,        /* brainpoolP384r1 (27) */
256     NID_brainpoolP512r1         /* brainpool512r1 (28) */
257 };
258 
259 static const unsigned char ecformats_default[] = {
260     TLSEXT_ECPOINTFORMAT_uncompressed,
261     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
262     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
263 };
264 
265 /* The client's default curves / the server's 'auto' curves. */
266 static const unsigned char eccurves_auto[] = {
267     /* Prefer P-256 which has the fastest and most secure implementations. */
268     0, 23,                      /* secp256r1 (23) */
269     /* Other >= 256-bit prime curves. */
270     0, 25,                      /* secp521r1 (25) */
271     0, 28,                      /* brainpool512r1 (28) */
272     0, 27,                      /* brainpoolP384r1 (27) */
273     0, 24,                      /* secp384r1 (24) */
274     0, 26,                      /* brainpoolP256r1 (26) */
275     0, 22,                      /* secp256k1 (22) */
276 # ifndef OPENSSL_NO_EC2M
277     /* >= 256-bit binary curves. */
278     0, 14,                      /* sect571r1 (14) */
279     0, 13,                      /* sect571k1 (13) */
280     0, 11,                      /* sect409k1 (11) */
281     0, 12,                      /* sect409r1 (12) */
282     0, 9,                       /* sect283k1 (9) */
283     0, 10,                      /* sect283r1 (10) */
284 # endif
285 };
286 
287 static const unsigned char eccurves_all[] = {
288     /* Prefer P-256 which has the fastest and most secure implementations. */
289     0, 23,                      /* secp256r1 (23) */
290     /* Other >= 256-bit prime curves. */
291     0, 25,                      /* secp521r1 (25) */
292     0, 28,                      /* brainpool512r1 (28) */
293     0, 27,                      /* brainpoolP384r1 (27) */
294     0, 24,                      /* secp384r1 (24) */
295     0, 26,                      /* brainpoolP256r1 (26) */
296     0, 22,                      /* secp256k1 (22) */
297 # ifndef OPENSSL_NO_EC2M
298     /* >= 256-bit binary curves. */
299     0, 14,                      /* sect571r1 (14) */
300     0, 13,                      /* sect571k1 (13) */
301     0, 11,                      /* sect409k1 (11) */
302     0, 12,                      /* sect409r1 (12) */
303     0, 9,                       /* sect283k1 (9) */
304     0, 10,                      /* sect283r1 (10) */
305 # endif
306     /*
307      * Remaining curves disabled by default but still permitted if set
308      * via an explicit callback or parameters.
309      */
310     0, 20,                      /* secp224k1 (20) */
311     0, 21,                      /* secp224r1 (21) */
312     0, 18,                      /* secp192k1 (18) */
313     0, 19,                      /* secp192r1 (19) */
314     0, 15,                      /* secp160k1 (15) */
315     0, 16,                      /* secp160r1 (16) */
316     0, 17,                      /* secp160r2 (17) */
317 # ifndef OPENSSL_NO_EC2M
318     0, 8,                       /* sect239k1 (8) */
319     0, 6,                       /* sect233k1 (6) */
320     0, 7,                       /* sect233r1 (7) */
321     0, 4,                       /* sect193r1 (4) */
322     0, 5,                       /* sect193r2 (5) */
323     0, 1,                       /* sect163k1 (1) */
324     0, 2,                       /* sect163r1 (2) */
325     0, 3,                       /* sect163r2 (3) */
326 # endif
327 };
328 
329 static const unsigned char suiteb_curves[] = {
330     0, TLSEXT_curve_P_256,
331     0, TLSEXT_curve_P_384
332 };
333 
334 # ifdef OPENSSL_FIPS
335 /* Brainpool not allowed in FIPS mode */
336 static const unsigned char fips_curves_default[] = {
337 #  ifndef OPENSSL_NO_EC2M
338     0, 14,                      /* sect571r1 (14) */
339     0, 13,                      /* sect571k1 (13) */
340 #  endif
341     0, 25,                      /* secp521r1 (25) */
342 #  ifndef OPENSSL_NO_EC2M
343     0, 11,                      /* sect409k1 (11) */
344     0, 12,                      /* sect409r1 (12) */
345 #  endif
346     0, 24,                      /* secp384r1 (24) */
347 #  ifndef OPENSSL_NO_EC2M
348     0, 9,                       /* sect283k1 (9) */
349     0, 10,                      /* sect283r1 (10) */
350 #  endif
351     0, 22,                      /* secp256k1 (22) */
352     0, 23,                      /* secp256r1 (23) */
353 #  ifndef OPENSSL_NO_EC2M
354     0, 8,                       /* sect239k1 (8) */
355     0, 6,                       /* sect233k1 (6) */
356     0, 7,                       /* sect233r1 (7) */
357 #  endif
358     0, 20,                      /* secp224k1 (20) */
359     0, 21,                      /* secp224r1 (21) */
360 #  ifndef OPENSSL_NO_EC2M
361     0, 4,                       /* sect193r1 (4) */
362     0, 5,                       /* sect193r2 (5) */
363 #  endif
364     0, 18,                      /* secp192k1 (18) */
365     0, 19,                      /* secp192r1 (19) */
366 #  ifndef OPENSSL_NO_EC2M
367     0, 1,                       /* sect163k1 (1) */
368     0, 2,                       /* sect163r1 (2) */
369     0, 3,                       /* sect163r2 (3) */
370 #  endif
371     0, 15,                      /* secp160k1 (15) */
372     0, 16,                      /* secp160r1 (16) */
373     0, 17,                      /* secp160r2 (17) */
374 };
375 # endif
376 
377 int tls1_ec_curve_id2nid(int curve_id)
378 {
379     /* ECC curves from RFC 4492 and RFC 7027 */
380     if ((curve_id < 1) || ((unsigned int)curve_id >
381                            sizeof(nid_list) / sizeof(nid_list[0])))
382         return 0;
383     return nid_list[curve_id - 1];
384 }
385 
386 int tls1_ec_nid2curve_id(int nid)
387 {
388     /* ECC curves from RFC 4492 and RFC 7027 */
389     switch (nid) {
390     case NID_sect163k1:        /* sect163k1 (1) */
391         return 1;
392     case NID_sect163r1:        /* sect163r1 (2) */
393         return 2;
394     case NID_sect163r2:        /* sect163r2 (3) */
395         return 3;
396     case NID_sect193r1:        /* sect193r1 (4) */
397         return 4;
398     case NID_sect193r2:        /* sect193r2 (5) */
399         return 5;
400     case NID_sect233k1:        /* sect233k1 (6) */
401         return 6;
402     case NID_sect233r1:        /* sect233r1 (7) */
403         return 7;
404     case NID_sect239k1:        /* sect239k1 (8) */
405         return 8;
406     case NID_sect283k1:        /* sect283k1 (9) */
407         return 9;
408     case NID_sect283r1:        /* sect283r1 (10) */
409         return 10;
410     case NID_sect409k1:        /* sect409k1 (11) */
411         return 11;
412     case NID_sect409r1:        /* sect409r1 (12) */
413         return 12;
414     case NID_sect571k1:        /* sect571k1 (13) */
415         return 13;
416     case NID_sect571r1:        /* sect571r1 (14) */
417         return 14;
418     case NID_secp160k1:        /* secp160k1 (15) */
419         return 15;
420     case NID_secp160r1:        /* secp160r1 (16) */
421         return 16;
422     case NID_secp160r2:        /* secp160r2 (17) */
423         return 17;
424     case NID_secp192k1:        /* secp192k1 (18) */
425         return 18;
426     case NID_X9_62_prime192v1: /* secp192r1 (19) */
427         return 19;
428     case NID_secp224k1:        /* secp224k1 (20) */
429         return 20;
430     case NID_secp224r1:        /* secp224r1 (21) */
431         return 21;
432     case NID_secp256k1:        /* secp256k1 (22) */
433         return 22;
434     case NID_X9_62_prime256v1: /* secp256r1 (23) */
435         return 23;
436     case NID_secp384r1:        /* secp384r1 (24) */
437         return 24;
438     case NID_secp521r1:        /* secp521r1 (25) */
439         return 25;
440     case NID_brainpoolP256r1:  /* brainpoolP256r1 (26) */
441         return 26;
442     case NID_brainpoolP384r1:  /* brainpoolP384r1 (27) */
443         return 27;
444     case NID_brainpoolP512r1:  /* brainpool512r1 (28) */
445         return 28;
446     default:
447         return 0;
448     }
449 }
450 
451 /*
452  * Get curves list, if "sess" is set return client curves otherwise
453  * preferred list.
454  * Sets |num_curves| to the number of curves in the list, i.e.,
455  * the length of |pcurves| is 2 * num_curves.
456  * Returns 1 on success and 0 if the client curves list has invalid format.
457  * The latter indicates an internal error: we should not be accepting such
458  * lists in the first place.
459  * TODO(emilia): we should really be storing the curves list in explicitly
460  * parsed form instead. (However, this would affect binary compatibility
461  * so cannot happen in the 1.0.x series.)
462  */
463 static int tls1_get_curvelist(SSL *s, int sess,
464                               const unsigned char **pcurves,
465                               size_t *num_curves)
466 {
467     size_t pcurveslen = 0;
468     if (sess) {
469         *pcurves = s->session->tlsext_ellipticcurvelist;
470         pcurveslen = s->session->tlsext_ellipticcurvelist_length;
471     } else {
472         /* For Suite B mode only include P-256, P-384 */
473         switch (tls1_suiteb(s)) {
474         case SSL_CERT_FLAG_SUITEB_128_LOS:
475             *pcurves = suiteb_curves;
476             pcurveslen = sizeof(suiteb_curves);
477             break;
478 
479         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
480             *pcurves = suiteb_curves;
481             pcurveslen = 2;
482             break;
483 
484         case SSL_CERT_FLAG_SUITEB_192_LOS:
485             *pcurves = suiteb_curves + 2;
486             pcurveslen = 2;
487             break;
488         default:
489             *pcurves = s->tlsext_ellipticcurvelist;
490             pcurveslen = s->tlsext_ellipticcurvelist_length;
491         }
492         if (!*pcurves) {
493 # ifdef OPENSSL_FIPS
494             if (FIPS_mode()) {
495                 *pcurves = fips_curves_default;
496                 pcurveslen = sizeof(fips_curves_default);
497             } else
498 # endif
499             {
500                 if (!s->server || s->cert->ecdh_tmp_auto) {
501                     *pcurves = eccurves_auto;
502                     pcurveslen = sizeof(eccurves_auto);
503                 } else {
504                     *pcurves = eccurves_all;
505                     pcurveslen = sizeof(eccurves_all);
506                 }
507             }
508         }
509     }
510     /* We do not allow odd length arrays to enter the system. */
511     if (pcurveslen & 1) {
512         SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
513         *num_curves = 0;
514         return 0;
515     } else {
516         *num_curves = pcurveslen / 2;
517         return 1;
518     }
519 }
520 
521 /* Check a curve is one of our preferences */
522 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
523 {
524     const unsigned char *curves;
525     size_t num_curves, i;
526     unsigned int suiteb_flags = tls1_suiteb(s);
527     if (len != 3 || p[0] != NAMED_CURVE_TYPE)
528         return 0;
529     /* Check curve matches Suite B preferences */
530     if (suiteb_flags) {
531         unsigned long cid = s->s3->tmp.new_cipher->id;
532         if (p[1])
533             return 0;
534         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
535             if (p[2] != TLSEXT_curve_P_256)
536                 return 0;
537         } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
538             if (p[2] != TLSEXT_curve_P_384)
539                 return 0;
540         } else                  /* Should never happen */
541             return 0;
542     }
543     if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
544         return 0;
545     for (i = 0; i < num_curves; i++, curves += 2) {
546         if (p[1] == curves[0] && p[2] == curves[1])
547             return 1;
548     }
549     return 0;
550 }
551 
552 /*-
553  * Return |nmatch|th shared curve or NID_undef if there is no match.
554  * For nmatch == -1, return number of  matches
555  * For nmatch == -2, return the NID of the curve to use for
556  * an EC tmp key, or NID_undef if there is no match.
557  */
558 int tls1_shared_curve(SSL *s, int nmatch)
559 {
560     const unsigned char *pref, *supp;
561     size_t num_pref, num_supp, i, j;
562     int k;
563     /* Can't do anything on client side */
564     if (s->server == 0)
565         return -1;
566     if (nmatch == -2) {
567         if (tls1_suiteb(s)) {
568             /*
569              * For Suite B ciphersuite determines curve: we already know
570              * these are acceptable due to previous checks.
571              */
572             unsigned long cid = s->s3->tmp.new_cipher->id;
573             if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
574                 return NID_X9_62_prime256v1; /* P-256 */
575             if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
576                 return NID_secp384r1; /* P-384 */
577             /* Should never happen */
578             return NID_undef;
579         }
580         /* If not Suite B just return first preference shared curve */
581         nmatch = 0;
582     }
583     /*
584      * Avoid truncation. tls1_get_curvelist takes an int
585      * but s->options is a long...
586      */
587     if (!tls1_get_curvelist
588         (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
589          &num_supp))
590         /* In practice, NID_undef == 0 but let's be precise. */
591         return nmatch == -1 ? 0 : NID_undef;
592     if (!tls1_get_curvelist
593         (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
594          &num_pref))
595         return nmatch == -1 ? 0 : NID_undef;
596 
597     /*
598      * If the client didn't send the elliptic_curves extension all of them
599      * are allowed.
600      */
601     if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
602         supp = eccurves_all;
603         num_supp = sizeof(eccurves_all) / 2;
604     } else if (num_pref == 0 &&
605         (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
606         pref = eccurves_all;
607         num_pref = sizeof(eccurves_all) / 2;
608     }
609 
610     k = 0;
611     for (i = 0; i < num_pref; i++, pref += 2) {
612         const unsigned char *tsupp = supp;
613         for (j = 0; j < num_supp; j++, tsupp += 2) {
614             if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
615                 if (nmatch == k) {
616                     int id = (pref[0] << 8) | pref[1];
617                     return tls1_ec_curve_id2nid(id);
618                 }
619                 k++;
620             }
621         }
622     }
623     if (nmatch == -1)
624         return k;
625     /* Out of range (nmatch > k). */
626     return NID_undef;
627 }
628 
629 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
630                     int *curves, size_t ncurves)
631 {
632     unsigned char *clist, *p;
633     size_t i;
634     /*
635      * Bitmap of curves included to detect duplicates: only works while curve
636      * ids < 32
637      */
638     unsigned long dup_list = 0;
639 # ifdef OPENSSL_NO_EC2M
640     EC_GROUP *curve;
641 # endif
642 
643     clist = OPENSSL_malloc(ncurves * 2);
644     if (!clist)
645         return 0;
646     for (i = 0, p = clist; i < ncurves; i++) {
647         unsigned long idmask;
648         int id;
649         id = tls1_ec_nid2curve_id(curves[i]);
650 # ifdef OPENSSL_FIPS
651         /* NB: 25 is last curve ID supported by FIPS module */
652         if (FIPS_mode() && id > 25) {
653             OPENSSL_free(clist);
654             return 0;
655         }
656 # endif
657 # ifdef OPENSSL_NO_EC2M
658         curve = EC_GROUP_new_by_curve_name(curves[i]);
659         if (!curve || EC_METHOD_get_field_type(EC_GROUP_method_of(curve))
660             == NID_X9_62_characteristic_two_field) {
661             if (curve)
662                 EC_GROUP_free(curve);
663             OPENSSL_free(clist);
664             return 0;
665         } else
666             EC_GROUP_free(curve);
667 # endif
668         idmask = 1L << id;
669         if (!id || (dup_list & idmask)) {
670             OPENSSL_free(clist);
671             return 0;
672         }
673         dup_list |= idmask;
674         s2n(id, p);
675     }
676     if (*pext)
677         OPENSSL_free(*pext);
678     *pext = clist;
679     *pextlen = ncurves * 2;
680     return 1;
681 }
682 
683 # define MAX_CURVELIST   28
684 
685 typedef struct {
686     size_t nidcnt;
687     int nid_arr[MAX_CURVELIST];
688 } nid_cb_st;
689 
690 static int nid_cb(const char *elem, int len, void *arg)
691 {
692     nid_cb_st *narg = arg;
693     size_t i;
694     int nid;
695     char etmp[20];
696     if (elem == NULL)
697         return 0;
698     if (narg->nidcnt == MAX_CURVELIST)
699         return 0;
700     if (len > (int)(sizeof(etmp) - 1))
701         return 0;
702     memcpy(etmp, elem, len);
703     etmp[len] = 0;
704     nid = EC_curve_nist2nid(etmp);
705     if (nid == NID_undef)
706         nid = OBJ_sn2nid(etmp);
707     if (nid == NID_undef)
708         nid = OBJ_ln2nid(etmp);
709     if (nid == NID_undef)
710         return 0;
711     for (i = 0; i < narg->nidcnt; i++)
712         if (narg->nid_arr[i] == nid)
713             return 0;
714     narg->nid_arr[narg->nidcnt++] = nid;
715     return 1;
716 }
717 
718 /* Set curves based on a colon separate list */
719 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
720                          const char *str)
721 {
722     nid_cb_st ncb;
723     ncb.nidcnt = 0;
724     if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
725         return 0;
726     if (pext == NULL)
727         return 1;
728     return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
729 }
730 
731 /* For an EC key set TLS id and required compression based on parameters */
732 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
733                           EC_KEY *ec)
734 {
735     int is_prime, id;
736     const EC_GROUP *grp;
737     const EC_METHOD *meth;
738     if (!ec)
739         return 0;
740     /* Determine if it is a prime field */
741     grp = EC_KEY_get0_group(ec);
742     if (!grp)
743         return 0;
744     meth = EC_GROUP_method_of(grp);
745     if (!meth)
746         return 0;
747     if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
748         is_prime = 1;
749     else
750         is_prime = 0;
751     /* Determine curve ID */
752     id = EC_GROUP_get_curve_name(grp);
753     id = tls1_ec_nid2curve_id(id);
754     /* If we have an ID set it, otherwise set arbitrary explicit curve */
755     if (id) {
756         curve_id[0] = 0;
757         curve_id[1] = (unsigned char)id;
758     } else {
759         curve_id[0] = 0xff;
760         if (is_prime)
761             curve_id[1] = 0x01;
762         else
763             curve_id[1] = 0x02;
764     }
765     if (comp_id) {
766         if (EC_KEY_get0_public_key(ec) == NULL)
767             return 0;
768         if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
769             if (is_prime)
770                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
771             else
772                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
773         } else
774             *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
775     }
776     return 1;
777 }
778 
779 /* Check an EC key is compatible with extensions */
780 static int tls1_check_ec_key(SSL *s,
781                              unsigned char *curve_id, unsigned char *comp_id)
782 {
783     const unsigned char *pformats, *pcurves;
784     size_t num_formats, num_curves, i;
785     int j;
786     /*
787      * If point formats extension present check it, otherwise everything is
788      * supported (see RFC4492).
789      */
790     if (comp_id && s->session->tlsext_ecpointformatlist) {
791         pformats = s->session->tlsext_ecpointformatlist;
792         num_formats = s->session->tlsext_ecpointformatlist_length;
793         for (i = 0; i < num_formats; i++, pformats++) {
794             if (*comp_id == *pformats)
795                 break;
796         }
797         if (i == num_formats)
798             return 0;
799     }
800     if (!curve_id)
801         return 1;
802     /* Check curve is consistent with client and server preferences */
803     for (j = 0; j <= 1; j++) {
804         if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
805             return 0;
806         if (j == 1 && num_curves == 0) {
807             /*
808              * If we've not received any curves then skip this check.
809              * RFC 4492 does not require the supported elliptic curves extension
810              * so if it is not sent we can just choose any curve.
811              * It is invalid to send an empty list in the elliptic curves
812              * extension, so num_curves == 0 always means no extension.
813              */
814             break;
815         }
816         for (i = 0; i < num_curves; i++, pcurves += 2) {
817             if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
818                 break;
819         }
820         if (i == num_curves)
821             return 0;
822         /* For clients can only check sent curve list */
823         if (!s->server)
824             return 1;
825     }
826     return 1;
827 }
828 
829 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
830                                 size_t *num_formats)
831 {
832     /*
833      * If we have a custom point format list use it otherwise use default
834      */
835     if (s->tlsext_ecpointformatlist) {
836         *pformats = s->tlsext_ecpointformatlist;
837         *num_formats = s->tlsext_ecpointformatlist_length;
838     } else {
839         *pformats = ecformats_default;
840         /* For Suite B we don't support char2 fields */
841         if (tls1_suiteb(s))
842             *num_formats = sizeof(ecformats_default) - 1;
843         else
844             *num_formats = sizeof(ecformats_default);
845     }
846 }
847 
848 /*
849  * Check cert parameters compatible with extensions: currently just checks EC
850  * certificates have compatible curves and compression.
851  */
852 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
853 {
854     unsigned char comp_id, curve_id[2];
855     EVP_PKEY *pkey;
856     int rv;
857     pkey = X509_get_pubkey(x);
858     if (!pkey)
859         return 0;
860     /* If not EC nothing to do */
861     if (pkey->type != EVP_PKEY_EC) {
862         EVP_PKEY_free(pkey);
863         return 1;
864     }
865     rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
866     EVP_PKEY_free(pkey);
867     if (!rv)
868         return 0;
869     /*
870      * Can't check curve_id for client certs as we don't have a supported
871      * curves extension.
872      */
873     rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
874     if (!rv)
875         return 0;
876     /*
877      * Special case for suite B. We *MUST* sign using SHA256+P-256 or
878      * SHA384+P-384, adjust digest if necessary.
879      */
880     if (set_ee_md && tls1_suiteb(s)) {
881         int check_md;
882         size_t i;
883         CERT *c = s->cert;
884         if (curve_id[0])
885             return 0;
886         /* Check to see we have necessary signing algorithm */
887         if (curve_id[1] == TLSEXT_curve_P_256)
888             check_md = NID_ecdsa_with_SHA256;
889         else if (curve_id[1] == TLSEXT_curve_P_384)
890             check_md = NID_ecdsa_with_SHA384;
891         else
892             return 0;           /* Should never happen */
893         for (i = 0; i < c->shared_sigalgslen; i++)
894             if (check_md == c->shared_sigalgs[i].signandhash_nid)
895                 break;
896         if (i == c->shared_sigalgslen)
897             return 0;
898         if (set_ee_md == 2) {
899             if (check_md == NID_ecdsa_with_SHA256)
900                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
901             else
902                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
903         }
904     }
905     return rv;
906 }
907 
908 # ifndef OPENSSL_NO_ECDH
909 /* Check EC temporary key is compatible with client extensions */
910 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
911 {
912     unsigned char curve_id[2];
913     EC_KEY *ec = s->cert->ecdh_tmp;
914 #  ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
915     /* Allow any curve: not just those peer supports */
916     if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
917         return 1;
918 #  endif
919     /*
920      * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
921      * curves permitted.
922      */
923     if (tls1_suiteb(s)) {
924         /* Curve to check determined by ciphersuite */
925         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
926             curve_id[1] = TLSEXT_curve_P_256;
927         else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
928             curve_id[1] = TLSEXT_curve_P_384;
929         else
930             return 0;
931         curve_id[0] = 0;
932         /* Check this curve is acceptable */
933         if (!tls1_check_ec_key(s, curve_id, NULL))
934             return 0;
935         /* If auto or setting curve from callback assume OK */
936         if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
937             return 1;
938         /* Otherwise check curve is acceptable */
939         else {
940             unsigned char curve_tmp[2];
941             if (!ec)
942                 return 0;
943             if (!tls1_set_ec_id(curve_tmp, NULL, ec))
944                 return 0;
945             if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
946                 return 1;
947             return 0;
948         }
949 
950     }
951     if (s->cert->ecdh_tmp_auto) {
952         /* Need a shared curve */
953         if (tls1_shared_curve(s, 0))
954             return 1;
955         else
956             return 0;
957     }
958     if (!ec) {
959         if (s->cert->ecdh_tmp_cb)
960             return 1;
961         else
962             return 0;
963     }
964     if (!tls1_set_ec_id(curve_id, NULL, ec))
965         return 0;
966 /* Set this to allow use of invalid curves for testing */
967 #  if 0
968     return 1;
969 #  else
970     return tls1_check_ec_key(s, curve_id, NULL);
971 #  endif
972 }
973 # endif                         /* OPENSSL_NO_ECDH */
974 
975 #else
976 
977 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
978 {
979     return 1;
980 }
981 
982 #endif                          /* OPENSSL_NO_EC */
983 
984 #ifndef OPENSSL_NO_TLSEXT
985 
986 /*
987  * List of supported signature algorithms and hashes. Should make this
988  * customisable at some point, for now include everything we support.
989  */
990 
991 # ifdef OPENSSL_NO_RSA
992 #  define tlsext_sigalg_rsa(md) /* */
993 # else
994 #  define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
995 # endif
996 
997 # ifdef OPENSSL_NO_DSA
998 #  define tlsext_sigalg_dsa(md) /* */
999 # else
1000 #  define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
1001 # endif
1002 
1003 # ifdef OPENSSL_NO_ECDSA
1004 #  define tlsext_sigalg_ecdsa(md)
1005                                 /* */
1006 # else
1007 #  define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
1008 # endif
1009 
1010 # define tlsext_sigalg(md) \
1011                 tlsext_sigalg_rsa(md) \
1012                 tlsext_sigalg_dsa(md) \
1013                 tlsext_sigalg_ecdsa(md)
1014 
1015 static unsigned char tls12_sigalgs[] = {
1016 # ifndef OPENSSL_NO_SHA512
1017     tlsext_sigalg(TLSEXT_hash_sha512)
1018         tlsext_sigalg(TLSEXT_hash_sha384)
1019 # endif
1020 # ifndef OPENSSL_NO_SHA256
1021         tlsext_sigalg(TLSEXT_hash_sha256)
1022         tlsext_sigalg(TLSEXT_hash_sha224)
1023 # endif
1024 # ifndef OPENSSL_NO_SHA
1025         tlsext_sigalg(TLSEXT_hash_sha1)
1026 # endif
1027 };
1028 
1029 # ifndef OPENSSL_NO_ECDSA
1030 static unsigned char suiteb_sigalgs[] = {
1031     tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
1032         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
1033 };
1034 # endif
1035 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
1036 {
1037     /*
1038      * If Suite B mode use Suite B sigalgs only, ignore any other
1039      * preferences.
1040      */
1041 # ifndef OPENSSL_NO_EC
1042     switch (tls1_suiteb(s)) {
1043     case SSL_CERT_FLAG_SUITEB_128_LOS:
1044         *psigs = suiteb_sigalgs;
1045         return sizeof(suiteb_sigalgs);
1046 
1047     case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
1048         *psigs = suiteb_sigalgs;
1049         return 2;
1050 
1051     case SSL_CERT_FLAG_SUITEB_192_LOS:
1052         *psigs = suiteb_sigalgs + 2;
1053         return 2;
1054     }
1055 # endif
1056     /* If server use client authentication sigalgs if not NULL */
1057     if (s->server && s->cert->client_sigalgs) {
1058         *psigs = s->cert->client_sigalgs;
1059         return s->cert->client_sigalgslen;
1060     } else if (s->cert->conf_sigalgs) {
1061         *psigs = s->cert->conf_sigalgs;
1062         return s->cert->conf_sigalgslen;
1063     } else {
1064         *psigs = tls12_sigalgs;
1065         return sizeof(tls12_sigalgs);
1066     }
1067 }
1068 
1069 /*
1070  * Check signature algorithm is consistent with sent supported signature
1071  * algorithms and if so return relevant digest.
1072  */
1073 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
1074                             const unsigned char *sig, EVP_PKEY *pkey)
1075 {
1076     const unsigned char *sent_sigs;
1077     size_t sent_sigslen, i;
1078     int sigalg = tls12_get_sigid(pkey);
1079     /* Should never happen */
1080     if (sigalg == -1)
1081         return -1;
1082     /* Check key type is consistent with signature */
1083     if (sigalg != (int)sig[1]) {
1084         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1085         return 0;
1086     }
1087 # ifndef OPENSSL_NO_EC
1088     if (pkey->type == EVP_PKEY_EC) {
1089         unsigned char curve_id[2], comp_id;
1090         /* Check compression and curve matches extensions */
1091         if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
1092             return 0;
1093         if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
1094             SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
1095             return 0;
1096         }
1097         /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1098         if (tls1_suiteb(s)) {
1099             if (curve_id[0])
1100                 return 0;
1101             if (curve_id[1] == TLSEXT_curve_P_256) {
1102                 if (sig[0] != TLSEXT_hash_sha256) {
1103                     SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1104                            SSL_R_ILLEGAL_SUITEB_DIGEST);
1105                     return 0;
1106                 }
1107             } else if (curve_id[1] == TLSEXT_curve_P_384) {
1108                 if (sig[0] != TLSEXT_hash_sha384) {
1109                     SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1110                            SSL_R_ILLEGAL_SUITEB_DIGEST);
1111                     return 0;
1112                 }
1113             } else
1114                 return 0;
1115         }
1116     } else if (tls1_suiteb(s))
1117         return 0;
1118 # endif
1119 
1120     /* Check signature matches a type we sent */
1121     sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1122     for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1123         if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1124             break;
1125     }
1126     /* Allow fallback to SHA1 if not strict mode */
1127     if (i == sent_sigslen
1128         && (sig[0] != TLSEXT_hash_sha1
1129             || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1130         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1131         return 0;
1132     }
1133     *pmd = tls12_get_hash(sig[0]);
1134     if (*pmd == NULL) {
1135         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1136         return 0;
1137     }
1138     /*
1139      * Store the digest used so applications can retrieve it if they wish.
1140      */
1141     if (s->session && s->session->sess_cert)
1142         s->session->sess_cert->peer_key->digest = *pmd;
1143     return 1;
1144 }
1145 
1146 /*
1147  * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1148  * supported or doesn't appear in supported signature algorithms. Unlike
1149  * ssl_cipher_get_disabled this applies to a specific session and not global
1150  * settings.
1151  */
1152 void ssl_set_client_disabled(SSL *s)
1153 {
1154     CERT *c = s->cert;
1155     const unsigned char *sigalgs;
1156     size_t i, sigalgslen;
1157     int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1158     c->mask_a = 0;
1159     c->mask_k = 0;
1160     /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1161     if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1162         c->mask_ssl = SSL_TLSV1_2;
1163     else
1164         c->mask_ssl = 0;
1165     /*
1166      * Now go through all signature algorithms seeing if we support any for
1167      * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2.
1168      */
1169     sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1170     for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
1171         switch (sigalgs[1]) {
1172 # ifndef OPENSSL_NO_RSA
1173         case TLSEXT_signature_rsa:
1174             have_rsa = 1;
1175             break;
1176 # endif
1177 # ifndef OPENSSL_NO_DSA
1178         case TLSEXT_signature_dsa:
1179             have_dsa = 1;
1180             break;
1181 # endif
1182 # ifndef OPENSSL_NO_ECDSA
1183         case TLSEXT_signature_ecdsa:
1184             have_ecdsa = 1;
1185             break;
1186 # endif
1187         }
1188     }
1189     /*
1190      * Disable auth and static DH if we don't include any appropriate
1191      * signature algorithms.
1192      */
1193     if (!have_rsa) {
1194         c->mask_a |= SSL_aRSA;
1195         c->mask_k |= SSL_kDHr | SSL_kECDHr;
1196     }
1197     if (!have_dsa) {
1198         c->mask_a |= SSL_aDSS;
1199         c->mask_k |= SSL_kDHd;
1200     }
1201     if (!have_ecdsa) {
1202         c->mask_a |= SSL_aECDSA;
1203         c->mask_k |= SSL_kECDHe;
1204     }
1205 # ifndef OPENSSL_NO_KRB5
1206     if (!kssl_tgt_is_available(s->kssl_ctx)) {
1207         c->mask_a |= SSL_aKRB5;
1208         c->mask_k |= SSL_kKRB5;
1209     }
1210 # endif
1211 # ifndef OPENSSL_NO_PSK
1212     /* with PSK there must be client callback set */
1213     if (!s->psk_client_callback) {
1214         c->mask_a |= SSL_aPSK;
1215         c->mask_k |= SSL_kPSK;
1216     }
1217 # endif                         /* OPENSSL_NO_PSK */
1218 # ifndef OPENSSL_NO_SRP
1219     if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
1220         c->mask_a |= SSL_aSRP;
1221         c->mask_k |= SSL_kSRP;
1222     }
1223 # endif
1224     c->valid = 1;
1225 }
1226 
1227 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1228                                           unsigned char *limit, int *al)
1229 {
1230     int extdatalen = 0;
1231     unsigned char *orig = buf;
1232     unsigned char *ret = buf;
1233 # ifndef OPENSSL_NO_EC
1234     /* See if we support any ECC ciphersuites */
1235     int using_ecc = 0;
1236     if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1237         int i;
1238         unsigned long alg_k, alg_a;
1239         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1240 
1241         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1242             SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1243 
1244             alg_k = c->algorithm_mkey;
1245             alg_a = c->algorithm_auth;
1246             if ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)
1247                  || (alg_a & SSL_aECDSA))) {
1248                 using_ecc = 1;
1249                 break;
1250             }
1251         }
1252     }
1253 # endif
1254 
1255     /* don't add extensions for SSLv3 unless doing secure renegotiation */
1256     if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding)
1257         return orig;
1258 
1259     ret += 2;
1260 
1261     if (ret >= limit)
1262         return NULL;            /* this really never occurs, but ... */
1263 
1264     if (s->tlsext_hostname != NULL) {
1265         /* Add TLS extension servername to the Client Hello message */
1266         unsigned long size_str;
1267         long lenmax;
1268 
1269         /*-
1270          * check for enough space.
1271          * 4 for the servername type and entension length
1272          * 2 for servernamelist length
1273          * 1 for the hostname type
1274          * 2 for hostname length
1275          * + hostname length
1276          */
1277 
1278         if ((lenmax = limit - ret - 9) < 0
1279             || (size_str =
1280                 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1281             return NULL;
1282 
1283         /* extension type and length */
1284         s2n(TLSEXT_TYPE_server_name, ret);
1285         s2n(size_str + 5, ret);
1286 
1287         /* length of servername list */
1288         s2n(size_str + 3, ret);
1289 
1290         /* hostname type, length and hostname */
1291         *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1292         s2n(size_str, ret);
1293         memcpy(ret, s->tlsext_hostname, size_str);
1294         ret += size_str;
1295     }
1296 
1297     /* Add RI if renegotiating */
1298     if (s->renegotiate) {
1299         int el;
1300 
1301         if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1302             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1303             return NULL;
1304         }
1305 
1306         if ((limit - ret - 4 - el) < 0)
1307             return NULL;
1308 
1309         s2n(TLSEXT_TYPE_renegotiate, ret);
1310         s2n(el, ret);
1311 
1312         if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1313             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1314             return NULL;
1315         }
1316 
1317         ret += el;
1318     }
1319 # ifndef OPENSSL_NO_SRP
1320     /* Add SRP username if there is one */
1321     if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1322                                      * Client Hello message */
1323 
1324         int login_len = strlen(s->srp_ctx.login);
1325         if (login_len > 255 || login_len == 0) {
1326             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1327             return NULL;
1328         }
1329 
1330         /*-
1331          * check for enough space.
1332          * 4 for the srp type type and entension length
1333          * 1 for the srp user identity
1334          * + srp user identity length
1335          */
1336         if ((limit - ret - 5 - login_len) < 0)
1337             return NULL;
1338 
1339         /* fill in the extension */
1340         s2n(TLSEXT_TYPE_srp, ret);
1341         s2n(login_len + 1, ret);
1342         (*ret++) = (unsigned char)login_len;
1343         memcpy(ret, s->srp_ctx.login, login_len);
1344         ret += login_len;
1345     }
1346 # endif
1347 
1348 # ifndef OPENSSL_NO_EC
1349     if (using_ecc) {
1350         /*
1351          * Add TLS extension ECPointFormats to the ClientHello message
1352          */
1353         long lenmax;
1354         const unsigned char *pcurves, *pformats;
1355         size_t num_curves, num_formats, curves_list_len;
1356 
1357         tls1_get_formatlist(s, &pformats, &num_formats);
1358 
1359         if ((lenmax = limit - ret - 5) < 0)
1360             return NULL;
1361         if (num_formats > (size_t)lenmax)
1362             return NULL;
1363         if (num_formats > 255) {
1364             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1365             return NULL;
1366         }
1367 
1368         s2n(TLSEXT_TYPE_ec_point_formats, ret);
1369         /* The point format list has 1-byte length. */
1370         s2n(num_formats + 1, ret);
1371         *(ret++) = (unsigned char)num_formats;
1372         memcpy(ret, pformats, num_formats);
1373         ret += num_formats;
1374 
1375         /*
1376          * Add TLS extension EllipticCurves to the ClientHello message
1377          */
1378         pcurves = s->tlsext_ellipticcurvelist;
1379         if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1380             return NULL;
1381 
1382         if ((lenmax = limit - ret - 6) < 0)
1383             return NULL;
1384         if (num_curves > (size_t)lenmax / 2)
1385             return NULL;
1386         if (num_curves > 65532 / 2) {
1387             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1388             return NULL;
1389         }
1390         curves_list_len = 2 * num_curves;
1391         s2n(TLSEXT_TYPE_elliptic_curves, ret);
1392         s2n(curves_list_len + 2, ret);
1393         s2n(curves_list_len, ret);
1394         memcpy(ret, pcurves, curves_list_len);
1395         ret += curves_list_len;
1396     }
1397 # endif                         /* OPENSSL_NO_EC */
1398 
1399     if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1400         int ticklen;
1401         if (!s->new_session && s->session && s->session->tlsext_tick)
1402             ticklen = s->session->tlsext_ticklen;
1403         else if (s->session && s->tlsext_session_ticket &&
1404                  s->tlsext_session_ticket->data) {
1405             ticklen = s->tlsext_session_ticket->length;
1406             s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1407             if (!s->session->tlsext_tick)
1408                 return NULL;
1409             memcpy(s->session->tlsext_tick,
1410                    s->tlsext_session_ticket->data, ticklen);
1411             s->session->tlsext_ticklen = ticklen;
1412         } else
1413             ticklen = 0;
1414         if (ticklen == 0 && s->tlsext_session_ticket &&
1415             s->tlsext_session_ticket->data == NULL)
1416             goto skip_ext;
1417         /*
1418          * Check for enough room 2 for extension type, 2 for len rest for
1419          * ticket
1420          */
1421         if ((long)(limit - ret - 4 - ticklen) < 0)
1422             return NULL;
1423         s2n(TLSEXT_TYPE_session_ticket, ret);
1424         s2n(ticklen, ret);
1425         if (ticklen) {
1426             memcpy(ret, s->session->tlsext_tick, ticklen);
1427             ret += ticklen;
1428         }
1429     }
1430  skip_ext:
1431 
1432     if (SSL_USE_SIGALGS(s)) {
1433         size_t salglen;
1434         const unsigned char *salg;
1435         salglen = tls12_get_psigalgs(s, &salg);
1436         if ((size_t)(limit - ret) < salglen + 6)
1437             return NULL;
1438         s2n(TLSEXT_TYPE_signature_algorithms, ret);
1439         s2n(salglen + 2, ret);
1440         s2n(salglen, ret);
1441         memcpy(ret, salg, salglen);
1442         ret += salglen;
1443     }
1444 # ifdef TLSEXT_TYPE_opaque_prf_input
1445     if (s->s3->client_opaque_prf_input != NULL) {
1446         size_t col = s->s3->client_opaque_prf_input_len;
1447 
1448         if ((long)(limit - ret - 6 - col < 0))
1449             return NULL;
1450         if (col > 0xFFFD)       /* can't happen */
1451             return NULL;
1452 
1453         s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1454         s2n(col + 2, ret);
1455         s2n(col, ret);
1456         memcpy(ret, s->s3->client_opaque_prf_input, col);
1457         ret += col;
1458     }
1459 # endif
1460 
1461     if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1462         int i;
1463         long extlen, idlen, itmp;
1464         OCSP_RESPID *id;
1465 
1466         idlen = 0;
1467         for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1468             id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1469             itmp = i2d_OCSP_RESPID(id, NULL);
1470             if (itmp <= 0)
1471                 return NULL;
1472             idlen += itmp + 2;
1473         }
1474 
1475         if (s->tlsext_ocsp_exts) {
1476             extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1477             if (extlen < 0)
1478                 return NULL;
1479         } else
1480             extlen = 0;
1481 
1482         if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1483             return NULL;
1484         s2n(TLSEXT_TYPE_status_request, ret);
1485         if (extlen + idlen > 0xFFF0)
1486             return NULL;
1487         s2n(extlen + idlen + 5, ret);
1488         *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1489         s2n(idlen, ret);
1490         for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1491             /* save position of id len */
1492             unsigned char *q = ret;
1493             id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1494             /* skip over id len */
1495             ret += 2;
1496             itmp = i2d_OCSP_RESPID(id, &ret);
1497             /* write id len */
1498             s2n(itmp, q);
1499         }
1500         s2n(extlen, ret);
1501         if (extlen > 0)
1502             i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1503     }
1504 # ifndef OPENSSL_NO_HEARTBEATS
1505     /* Add Heartbeat extension */
1506     if ((limit - ret - 4 - 1) < 0)
1507         return NULL;
1508     s2n(TLSEXT_TYPE_heartbeat, ret);
1509     s2n(1, ret);
1510     /*-
1511      * Set mode:
1512      * 1: peer may send requests
1513      * 2: peer not allowed to send requests
1514      */
1515     if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1516         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1517     else
1518         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1519 # endif
1520 
1521 # ifndef OPENSSL_NO_NEXTPROTONEG
1522     if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1523         /*
1524          * The client advertises an emtpy extension to indicate its support
1525          * for Next Protocol Negotiation
1526          */
1527         if (limit - ret - 4 < 0)
1528             return NULL;
1529         s2n(TLSEXT_TYPE_next_proto_neg, ret);
1530         s2n(0, ret);
1531     }
1532 # endif
1533 
1534     if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1535         if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1536             return NULL;
1537         s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1538         s2n(2 + s->alpn_client_proto_list_len, ret);
1539         s2n(s->alpn_client_proto_list_len, ret);
1540         memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1541         ret += s->alpn_client_proto_list_len;
1542     }
1543 # ifndef OPENSSL_NO_SRTP
1544     if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1545         int el;
1546 
1547         ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1548 
1549         if ((limit - ret - 4 - el) < 0)
1550             return NULL;
1551 
1552         s2n(TLSEXT_TYPE_use_srtp, ret);
1553         s2n(el, ret);
1554 
1555         if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1556             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1557             return NULL;
1558         }
1559         ret += el;
1560     }
1561 # endif
1562     custom_ext_init(&s->cert->cli_ext);
1563     /* Add custom TLS Extensions to ClientHello */
1564     if (!custom_ext_add(s, 0, &ret, limit, al))
1565         return NULL;
1566 
1567     /*
1568      * Add padding to workaround bugs in F5 terminators. See
1569      * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1570      * code works out the length of all existing extensions it MUST always
1571      * appear last.
1572      */
1573     if (s->options & SSL_OP_TLSEXT_PADDING) {
1574         int hlen = ret - (unsigned char *)s->init_buf->data;
1575         /*
1576          * The code in s23_clnt.c to build ClientHello messages includes the
1577          * 5-byte record header in the buffer, while the code in s3_clnt.c
1578          * does not.
1579          */
1580         if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1581             hlen -= 5;
1582         if (hlen > 0xff && hlen < 0x200) {
1583             hlen = 0x200 - hlen;
1584             if (hlen >= 4)
1585                 hlen -= 4;
1586             else
1587                 hlen = 0;
1588 
1589             s2n(TLSEXT_TYPE_padding, ret);
1590             s2n(hlen, ret);
1591             memset(ret, 0, hlen);
1592             ret += hlen;
1593         }
1594     }
1595 
1596     if ((extdatalen = ret - orig - 2) == 0)
1597         return orig;
1598 
1599     s2n(extdatalen, orig);
1600     return ret;
1601 }
1602 
1603 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1604                                           unsigned char *limit, int *al)
1605 {
1606     int extdatalen = 0;
1607     unsigned char *orig = buf;
1608     unsigned char *ret = buf;
1609 # ifndef OPENSSL_NO_NEXTPROTONEG
1610     int next_proto_neg_seen;
1611 # endif
1612 # ifndef OPENSSL_NO_EC
1613     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1614     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1615     int using_ecc = (alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe))
1616         || (alg_a & SSL_aECDSA);
1617     using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1618 # endif
1619     /*
1620      * don't add extensions for SSLv3, unless doing secure renegotiation
1621      */
1622     if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1623         return orig;
1624 
1625     ret += 2;
1626     if (ret >= limit)
1627         return NULL;            /* this really never occurs, but ... */
1628 
1629     if (!s->hit && s->servername_done == 1
1630         && s->session->tlsext_hostname != NULL) {
1631         if ((long)(limit - ret - 4) < 0)
1632             return NULL;
1633 
1634         s2n(TLSEXT_TYPE_server_name, ret);
1635         s2n(0, ret);
1636     }
1637 
1638     if (s->s3->send_connection_binding) {
1639         int el;
1640 
1641         if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1642             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1643             return NULL;
1644         }
1645 
1646         if ((limit - ret - 4 - el) < 0)
1647             return NULL;
1648 
1649         s2n(TLSEXT_TYPE_renegotiate, ret);
1650         s2n(el, ret);
1651 
1652         if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1653             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1654             return NULL;
1655         }
1656 
1657         ret += el;
1658     }
1659 # ifndef OPENSSL_NO_EC
1660     if (using_ecc) {
1661         const unsigned char *plist;
1662         size_t plistlen;
1663         /*
1664          * Add TLS extension ECPointFormats to the ServerHello message
1665          */
1666         long lenmax;
1667 
1668         tls1_get_formatlist(s, &plist, &plistlen);
1669 
1670         if ((lenmax = limit - ret - 5) < 0)
1671             return NULL;
1672         if (plistlen > (size_t)lenmax)
1673             return NULL;
1674         if (plistlen > 255) {
1675             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1676             return NULL;
1677         }
1678 
1679         s2n(TLSEXT_TYPE_ec_point_formats, ret);
1680         s2n(plistlen + 1, ret);
1681         *(ret++) = (unsigned char)plistlen;
1682         memcpy(ret, plist, plistlen);
1683         ret += plistlen;
1684 
1685     }
1686     /*
1687      * Currently the server should not respond with a SupportedCurves
1688      * extension
1689      */
1690 # endif                         /* OPENSSL_NO_EC */
1691 
1692     if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1693         if ((long)(limit - ret - 4) < 0)
1694             return NULL;
1695         s2n(TLSEXT_TYPE_session_ticket, ret);
1696         s2n(0, ret);
1697     }
1698 
1699     if (s->tlsext_status_expected) {
1700         if ((long)(limit - ret - 4) < 0)
1701             return NULL;
1702         s2n(TLSEXT_TYPE_status_request, ret);
1703         s2n(0, ret);
1704     }
1705 # ifdef TLSEXT_TYPE_opaque_prf_input
1706     if (s->s3->server_opaque_prf_input != NULL) {
1707         size_t sol = s->s3->server_opaque_prf_input_len;
1708 
1709         if ((long)(limit - ret - 6 - sol) < 0)
1710             return NULL;
1711         if (sol > 0xFFFD)       /* can't happen */
1712             return NULL;
1713 
1714         s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1715         s2n(sol + 2, ret);
1716         s2n(sol, ret);
1717         memcpy(ret, s->s3->server_opaque_prf_input, sol);
1718         ret += sol;
1719     }
1720 # endif
1721 
1722 # ifndef OPENSSL_NO_SRTP
1723     if (SSL_IS_DTLS(s) && s->srtp_profile) {
1724         int el;
1725 
1726         ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1727 
1728         if ((limit - ret - 4 - el) < 0)
1729             return NULL;
1730 
1731         s2n(TLSEXT_TYPE_use_srtp, ret);
1732         s2n(el, ret);
1733 
1734         if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1735             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1736             return NULL;
1737         }
1738         ret += el;
1739     }
1740 # endif
1741 
1742     if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1743          || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1744         && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1745         const unsigned char cryptopro_ext[36] = {
1746             0xfd, 0xe8,         /* 65000 */
1747             0x00, 0x20,         /* 32 bytes length */
1748             0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1749             0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1750             0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1751             0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1752         };
1753         if (limit - ret < 36)
1754             return NULL;
1755         memcpy(ret, cryptopro_ext, 36);
1756         ret += 36;
1757 
1758     }
1759 # ifndef OPENSSL_NO_HEARTBEATS
1760     /* Add Heartbeat extension if we've received one */
1761     if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1762         if ((limit - ret - 4 - 1) < 0)
1763             return NULL;
1764         s2n(TLSEXT_TYPE_heartbeat, ret);
1765         s2n(1, ret);
1766         /*-
1767          * Set mode:
1768          * 1: peer may send requests
1769          * 2: peer not allowed to send requests
1770          */
1771         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1772             *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1773         else
1774             *(ret++) = SSL_TLSEXT_HB_ENABLED;
1775 
1776     }
1777 # endif
1778 
1779 # ifndef OPENSSL_NO_NEXTPROTONEG
1780     next_proto_neg_seen = s->s3->next_proto_neg_seen;
1781     s->s3->next_proto_neg_seen = 0;
1782     if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1783         const unsigned char *npa;
1784         unsigned int npalen;
1785         int r;
1786 
1787         r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1788                                               s->
1789                                               ctx->next_protos_advertised_cb_arg);
1790         if (r == SSL_TLSEXT_ERR_OK) {
1791             if ((long)(limit - ret - 4 - npalen) < 0)
1792                 return NULL;
1793             s2n(TLSEXT_TYPE_next_proto_neg, ret);
1794             s2n(npalen, ret);
1795             memcpy(ret, npa, npalen);
1796             ret += npalen;
1797             s->s3->next_proto_neg_seen = 1;
1798         }
1799     }
1800 # endif
1801     if (!custom_ext_add(s, 1, &ret, limit, al))
1802         return NULL;
1803 
1804     if (s->s3->alpn_selected) {
1805         const unsigned char *selected = s->s3->alpn_selected;
1806         unsigned len = s->s3->alpn_selected_len;
1807 
1808         if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1809             return NULL;
1810         s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1811         s2n(3 + len, ret);
1812         s2n(1 + len, ret);
1813         *ret++ = len;
1814         memcpy(ret, selected, len);
1815         ret += len;
1816     }
1817 
1818     if ((extdatalen = ret - orig - 2) == 0)
1819         return orig;
1820 
1821     s2n(extdatalen, orig);
1822     return ret;
1823 }
1824 
1825 # ifndef OPENSSL_NO_EC
1826 /*-
1827  * ssl_check_for_safari attempts to fingerprint Safari using OS X
1828  * SecureTransport using the TLS extension block in |d|, of length |n|.
1829  * Safari, since 10.6, sends exactly these extensions, in this order:
1830  *   SNI,
1831  *   elliptic_curves
1832  *   ec_point_formats
1833  *
1834  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1835  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1836  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1837  * 10.8..10.8.3 (which don't work).
1838  */
1839 static void ssl_check_for_safari(SSL *s, const unsigned char *data,
1840                                  const unsigned char *limit)
1841 {
1842     unsigned short type, size;
1843     static const unsigned char kSafariExtensionsBlock[] = {
1844         0x00, 0x0a,             /* elliptic_curves extension */
1845         0x00, 0x08,             /* 8 bytes */
1846         0x00, 0x06,             /* 6 bytes of curve ids */
1847         0x00, 0x17,             /* P-256 */
1848         0x00, 0x18,             /* P-384 */
1849         0x00, 0x19,             /* P-521 */
1850 
1851         0x00, 0x0b,             /* ec_point_formats */
1852         0x00, 0x02,             /* 2 bytes */
1853         0x01,                   /* 1 point format */
1854         0x00,                   /* uncompressed */
1855     };
1856 
1857     /* The following is only present in TLS 1.2 */
1858     static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1859         0x00, 0x0d,             /* signature_algorithms */
1860         0x00, 0x0c,             /* 12 bytes */
1861         0x00, 0x0a,             /* 10 bytes */
1862         0x05, 0x01,             /* SHA-384/RSA */
1863         0x04, 0x01,             /* SHA-256/RSA */
1864         0x02, 0x01,             /* SHA-1/RSA */
1865         0x04, 0x03,             /* SHA-256/ECDSA */
1866         0x02, 0x03,             /* SHA-1/ECDSA */
1867     };
1868 
1869     if (data >= (limit - 2))
1870         return;
1871     data += 2;
1872 
1873     if (data > (limit - 4))
1874         return;
1875     n2s(data, type);
1876     n2s(data, size);
1877 
1878     if (type != TLSEXT_TYPE_server_name)
1879         return;
1880 
1881     if (data + size > limit)
1882         return;
1883     data += size;
1884 
1885     if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1886         const size_t len1 = sizeof(kSafariExtensionsBlock);
1887         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1888 
1889         if (data + len1 + len2 != limit)
1890             return;
1891         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1892             return;
1893         if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1894             return;
1895     } else {
1896         const size_t len = sizeof(kSafariExtensionsBlock);
1897 
1898         if (data + len != limit)
1899             return;
1900         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1901             return;
1902     }
1903 
1904     s->s3->is_probably_safari = 1;
1905 }
1906 # endif                         /* !OPENSSL_NO_EC */
1907 
1908 /*
1909  * tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1910  * ClientHello.  data: the contents of the extension, not including the type
1911  * and length.  data_len: the number of bytes in |data| al: a pointer to the
1912  * alert value to send in the event of a non-zero return.  returns: 0 on
1913  * success.
1914  */
1915 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1916                                          unsigned data_len, int *al)
1917 {
1918     unsigned i;
1919     unsigned proto_len;
1920     const unsigned char *selected;
1921     unsigned char selected_len;
1922     int r;
1923 
1924     if (s->ctx->alpn_select_cb == NULL)
1925         return 0;
1926 
1927     if (data_len < 2)
1928         goto parse_error;
1929 
1930     /*
1931      * data should contain a uint16 length followed by a series of 8-bit,
1932      * length-prefixed strings.
1933      */
1934     i = ((unsigned)data[0]) << 8 | ((unsigned)data[1]);
1935     data_len -= 2;
1936     data += 2;
1937     if (data_len != i)
1938         goto parse_error;
1939 
1940     if (data_len < 2)
1941         goto parse_error;
1942 
1943     for (i = 0; i < data_len;) {
1944         proto_len = data[i];
1945         i++;
1946 
1947         if (proto_len == 0)
1948             goto parse_error;
1949 
1950         if (i + proto_len < i || i + proto_len > data_len)
1951             goto parse_error;
1952 
1953         i += proto_len;
1954     }
1955 
1956     r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1957                                s->ctx->alpn_select_cb_arg);
1958     if (r == SSL_TLSEXT_ERR_OK) {
1959         if (s->s3->alpn_selected)
1960             OPENSSL_free(s->s3->alpn_selected);
1961         s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1962         if (!s->s3->alpn_selected) {
1963             *al = SSL_AD_INTERNAL_ERROR;
1964             return -1;
1965         }
1966         memcpy(s->s3->alpn_selected, selected, selected_len);
1967         s->s3->alpn_selected_len = selected_len;
1968     }
1969     return 0;
1970 
1971  parse_error:
1972     *al = SSL_AD_DECODE_ERROR;
1973     return -1;
1974 }
1975 
1976 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
1977                                        unsigned char *limit, int *al)
1978 {
1979     unsigned short type;
1980     unsigned short size;
1981     unsigned short len;
1982     unsigned char *data = *p;
1983     int renegotiate_seen = 0;
1984 
1985     s->servername_done = 0;
1986     s->tlsext_status_type = -1;
1987 # ifndef OPENSSL_NO_NEXTPROTONEG
1988     s->s3->next_proto_neg_seen = 0;
1989 # endif
1990 
1991     if (s->s3->alpn_selected) {
1992         OPENSSL_free(s->s3->alpn_selected);
1993         s->s3->alpn_selected = NULL;
1994     }
1995 # ifndef OPENSSL_NO_HEARTBEATS
1996     s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1997                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1998 # endif
1999 
2000 # ifndef OPENSSL_NO_EC
2001     if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
2002         ssl_check_for_safari(s, data, limit);
2003 # endif                         /* !OPENSSL_NO_EC */
2004 
2005     /* Clear any signature algorithms extension received */
2006     if (s->cert->peer_sigalgs) {
2007         OPENSSL_free(s->cert->peer_sigalgs);
2008         s->cert->peer_sigalgs = NULL;
2009     }
2010 # ifndef OPENSSL_NO_SRP
2011     if (s->srp_ctx.login != NULL) {
2012         OPENSSL_free(s->srp_ctx.login);
2013         s->srp_ctx.login = NULL;
2014     }
2015 # endif
2016 
2017     s->srtp_profile = NULL;
2018 
2019     if (data == limit)
2020         goto ri_check;
2021 
2022     if (data > (limit - 2))
2023         goto err;
2024 
2025     n2s(data, len);
2026 
2027     if (data + len != limit)
2028         goto err;
2029 
2030     while (data <= (limit - 4)) {
2031         n2s(data, type);
2032         n2s(data, size);
2033 
2034         if (data + size > (limit))
2035             goto err;
2036 # if 0
2037         fprintf(stderr, "Received extension type %d size %d\n", type, size);
2038 # endif
2039         if (s->tlsext_debug_cb)
2040             s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
2041 /*-
2042  * The servername extension is treated as follows:
2043  *
2044  * - Only the hostname type is supported with a maximum length of 255.
2045  * - The servername is rejected if too long or if it contains zeros,
2046  *   in which case an fatal alert is generated.
2047  * - The servername field is maintained together with the session cache.
2048  * - When a session is resumed, the servername call back invoked in order
2049  *   to allow the application to position itself to the right context.
2050  * - The servername is acknowledged if it is new for a session or when
2051  *   it is identical to a previously used for the same session.
2052  *   Applications can control the behaviour.  They can at any time
2053  *   set a 'desirable' servername for a new SSL object. This can be the
2054  *   case for example with HTTPS when a Host: header field is received and
2055  *   a renegotiation is requested. In this case, a possible servername
2056  *   presented in the new client hello is only acknowledged if it matches
2057  *   the value of the Host: field.
2058  * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2059  *   if they provide for changing an explicit servername context for the
2060  *   session, i.e. when the session has been established with a servername
2061  *   extension.
2062  * - On session reconnect, the servername extension may be absent.
2063  *
2064  */
2065 
2066         if (type == TLSEXT_TYPE_server_name) {
2067             unsigned char *sdata;
2068             int servname_type;
2069             int dsize;
2070 
2071             if (size < 2)
2072                 goto err;
2073             n2s(data, dsize);
2074             size -= 2;
2075             if (dsize > size)
2076                 goto err;
2077 
2078             sdata = data;
2079             while (dsize > 3) {
2080                 servname_type = *(sdata++);
2081                 n2s(sdata, len);
2082                 dsize -= 3;
2083 
2084                 if (len > dsize)
2085                     goto err;
2086 
2087                 if (s->servername_done == 0)
2088                     switch (servname_type) {
2089                     case TLSEXT_NAMETYPE_host_name:
2090                         if (!s->hit) {
2091                             if (s->session->tlsext_hostname)
2092                                 goto err;
2093 
2094                             if (len > TLSEXT_MAXLEN_host_name) {
2095                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2096                                 return 0;
2097                             }
2098                             if ((s->session->tlsext_hostname =
2099                                  OPENSSL_malloc(len + 1)) == NULL) {
2100                                 *al = TLS1_AD_INTERNAL_ERROR;
2101                                 return 0;
2102                             }
2103                             memcpy(s->session->tlsext_hostname, sdata, len);
2104                             s->session->tlsext_hostname[len] = '\0';
2105                             if (strlen(s->session->tlsext_hostname) != len) {
2106                                 OPENSSL_free(s->session->tlsext_hostname);
2107                                 s->session->tlsext_hostname = NULL;
2108                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2109                                 return 0;
2110                             }
2111                             s->servername_done = 1;
2112 
2113                         } else
2114                             s->servername_done = s->session->tlsext_hostname
2115                                 && strlen(s->session->tlsext_hostname) == len
2116                                 && strncmp(s->session->tlsext_hostname,
2117                                            (char *)sdata, len) == 0;
2118 
2119                         break;
2120 
2121                     default:
2122                         break;
2123                     }
2124 
2125                 dsize -= len;
2126             }
2127             if (dsize != 0)
2128                 goto err;
2129 
2130         }
2131 # ifndef OPENSSL_NO_SRP
2132         else if (type == TLSEXT_TYPE_srp) {
2133             if (size == 0 || ((len = data[0])) != (size - 1))
2134                 goto err;
2135             if (s->srp_ctx.login != NULL)
2136                 goto err;
2137             if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2138                 return -1;
2139             memcpy(s->srp_ctx.login, &data[1], len);
2140             s->srp_ctx.login[len] = '\0';
2141 
2142             if (strlen(s->srp_ctx.login) != len)
2143                 goto err;
2144         }
2145 # endif
2146 
2147 # ifndef OPENSSL_NO_EC
2148         else if (type == TLSEXT_TYPE_ec_point_formats) {
2149             unsigned char *sdata = data;
2150             int ecpointformatlist_length = *(sdata++);
2151 
2152             if (ecpointformatlist_length != size - 1 ||
2153                 ecpointformatlist_length < 1)
2154                 goto err;
2155             if (!s->hit) {
2156                 if (s->session->tlsext_ecpointformatlist) {
2157                     OPENSSL_free(s->session->tlsext_ecpointformatlist);
2158                     s->session->tlsext_ecpointformatlist = NULL;
2159                 }
2160                 s->session->tlsext_ecpointformatlist_length = 0;
2161                 if ((s->session->tlsext_ecpointformatlist =
2162                      OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2163                     *al = TLS1_AD_INTERNAL_ERROR;
2164                     return 0;
2165                 }
2166                 s->session->tlsext_ecpointformatlist_length =
2167                     ecpointformatlist_length;
2168                 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2169                        ecpointformatlist_length);
2170             }
2171 #  if 0
2172             fprintf(stderr,
2173                     "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ",
2174                     s->session->tlsext_ecpointformatlist_length);
2175             sdata = s->session->tlsext_ecpointformatlist;
2176             for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2177                 fprintf(stderr, "%i ", *(sdata++));
2178             fprintf(stderr, "\n");
2179 #  endif
2180         } else if (type == TLSEXT_TYPE_elliptic_curves) {
2181             unsigned char *sdata = data;
2182             int ellipticcurvelist_length = (*(sdata++) << 8);
2183             ellipticcurvelist_length += (*(sdata++));
2184 
2185             if (ellipticcurvelist_length != size - 2 ||
2186                 ellipticcurvelist_length < 1 ||
2187                 /* Each NamedCurve is 2 bytes. */
2188                 ellipticcurvelist_length & 1)
2189                     goto err;
2190 
2191             if (!s->hit) {
2192                 if (s->session->tlsext_ellipticcurvelist)
2193                     goto err;
2194 
2195                 s->session->tlsext_ellipticcurvelist_length = 0;
2196                 if ((s->session->tlsext_ellipticcurvelist =
2197                      OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2198                     *al = TLS1_AD_INTERNAL_ERROR;
2199                     return 0;
2200                 }
2201                 s->session->tlsext_ellipticcurvelist_length =
2202                     ellipticcurvelist_length;
2203                 memcpy(s->session->tlsext_ellipticcurvelist, sdata,
2204                        ellipticcurvelist_length);
2205             }
2206 #  if 0
2207             fprintf(stderr,
2208                     "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ",
2209                     s->session->tlsext_ellipticcurvelist_length);
2210             sdata = s->session->tlsext_ellipticcurvelist;
2211             for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2212                 fprintf(stderr, "%i ", *(sdata++));
2213             fprintf(stderr, "\n");
2214 #  endif
2215         }
2216 # endif                         /* OPENSSL_NO_EC */
2217 # ifdef TLSEXT_TYPE_opaque_prf_input
2218         else if (type == TLSEXT_TYPE_opaque_prf_input) {
2219             unsigned char *sdata = data;
2220 
2221             if (size < 2) {
2222                 *al = SSL_AD_DECODE_ERROR;
2223                 return 0;
2224             }
2225             n2s(sdata, s->s3->client_opaque_prf_input_len);
2226             if (s->s3->client_opaque_prf_input_len != size - 2) {
2227                 *al = SSL_AD_DECODE_ERROR;
2228                 return 0;
2229             }
2230 
2231             if (s->s3->client_opaque_prf_input != NULL) {
2232                 /* shouldn't really happen */
2233                 OPENSSL_free(s->s3->client_opaque_prf_input);
2234             }
2235 
2236             /* dummy byte just to get non-NULL */
2237             if (s->s3->client_opaque_prf_input_len == 0)
2238                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
2239             else
2240                 s->s3->client_opaque_prf_input =
2241                     BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2242             if (s->s3->client_opaque_prf_input == NULL) {
2243                 *al = TLS1_AD_INTERNAL_ERROR;
2244                 return 0;
2245             }
2246         }
2247 # endif
2248         else if (type == TLSEXT_TYPE_session_ticket) {
2249             if (s->tls_session_ticket_ext_cb &&
2250                 !s->tls_session_ticket_ext_cb(s, data, size,
2251                                               s->tls_session_ticket_ext_cb_arg))
2252             {
2253                 *al = TLS1_AD_INTERNAL_ERROR;
2254                 return 0;
2255             }
2256         } else if (type == TLSEXT_TYPE_renegotiate) {
2257             if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2258                 return 0;
2259             renegotiate_seen = 1;
2260         } else if (type == TLSEXT_TYPE_signature_algorithms) {
2261             int dsize;
2262             if (s->cert->peer_sigalgs || size < 2)
2263                 goto err;
2264             n2s(data, dsize);
2265             size -= 2;
2266             if (dsize != size || dsize & 1 || !dsize)
2267                 goto err;
2268             if (!tls1_save_sigalgs(s, data, dsize))
2269                 goto err;
2270         } else if (type == TLSEXT_TYPE_status_request) {
2271 
2272             if (size < 5)
2273                 goto err;
2274 
2275             s->tlsext_status_type = *data++;
2276             size--;
2277             if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2278                 const unsigned char *sdata;
2279                 int dsize;
2280                 /* Read in responder_id_list */
2281                 n2s(data, dsize);
2282                 size -= 2;
2283                 if (dsize > size)
2284                     goto err;
2285                 while (dsize > 0) {
2286                     OCSP_RESPID *id;
2287                     int idsize;
2288                     if (dsize < 4)
2289                         goto err;
2290                     n2s(data, idsize);
2291                     dsize -= 2 + idsize;
2292                     size -= 2 + idsize;
2293                     if (dsize < 0)
2294                         goto err;
2295                     sdata = data;
2296                     data += idsize;
2297                     id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
2298                     if (!id)
2299                         goto err;
2300                     if (data != sdata) {
2301                         OCSP_RESPID_free(id);
2302                         goto err;
2303                     }
2304                     if (!s->tlsext_ocsp_ids
2305                         && !(s->tlsext_ocsp_ids =
2306                              sk_OCSP_RESPID_new_null())) {
2307                         OCSP_RESPID_free(id);
2308                         *al = SSL_AD_INTERNAL_ERROR;
2309                         return 0;
2310                     }
2311                     if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2312                         OCSP_RESPID_free(id);
2313                         *al = SSL_AD_INTERNAL_ERROR;
2314                         return 0;
2315                     }
2316                 }
2317 
2318                 /* Read in request_extensions */
2319                 if (size < 2)
2320                     goto err;
2321                 n2s(data, dsize);
2322                 size -= 2;
2323                 if (dsize != size)
2324                     goto err;
2325                 sdata = data;
2326                 if (dsize > 0) {
2327                     if (s->tlsext_ocsp_exts) {
2328                         sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2329                                                    X509_EXTENSION_free);
2330                     }
2331 
2332                     s->tlsext_ocsp_exts =
2333                         d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
2334                     if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
2335                         goto err;
2336                 }
2337             }
2338             /*
2339              * We don't know what to do with any other type * so ignore it.
2340              */
2341             else
2342                 s->tlsext_status_type = -1;
2343         }
2344 # ifndef OPENSSL_NO_HEARTBEATS
2345         else if (type == TLSEXT_TYPE_heartbeat) {
2346             switch (data[0]) {
2347             case 0x01:         /* Client allows us to send HB requests */
2348                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2349                 break;
2350             case 0x02:         /* Client doesn't accept HB requests */
2351                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2352                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2353                 break;
2354             default:
2355                 *al = SSL_AD_ILLEGAL_PARAMETER;
2356                 return 0;
2357             }
2358         }
2359 # endif
2360 # ifndef OPENSSL_NO_NEXTPROTONEG
2361         else if (type == TLSEXT_TYPE_next_proto_neg &&
2362                  s->s3->tmp.finish_md_len == 0 &&
2363                  s->s3->alpn_selected == NULL) {
2364             /*-
2365              * We shouldn't accept this extension on a
2366              * renegotiation.
2367              *
2368              * s->new_session will be set on renegotiation, but we
2369              * probably shouldn't rely that it couldn't be set on
2370              * the initial renegotation too in certain cases (when
2371              * there's some other reason to disallow resuming an
2372              * earlier session -- the current code won't be doing
2373              * anything like that, but this might change).
2374              *
2375              * A valid sign that there's been a previous handshake
2376              * in this connection is if s->s3->tmp.finish_md_len >
2377              * 0.  (We are talking about a check that will happen
2378              * in the Hello protocol round, well before a new
2379              * Finished message could have been computed.)
2380              */
2381             s->s3->next_proto_neg_seen = 1;
2382         }
2383 # endif
2384 
2385         else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2386                  s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
2387             if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2388                 return 0;
2389 # ifndef OPENSSL_NO_NEXTPROTONEG
2390             /* ALPN takes precedence over NPN. */
2391             s->s3->next_proto_neg_seen = 0;
2392 # endif
2393         }
2394 
2395         /* session ticket processed earlier */
2396 # ifndef OPENSSL_NO_SRTP
2397         else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2398                  && type == TLSEXT_TYPE_use_srtp) {
2399             if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
2400                 return 0;
2401         }
2402 # endif
2403 
2404         data += size;
2405     }
2406 
2407     /* Spurious data on the end */
2408     if (data != limit)
2409         goto err;
2410 
2411     *p = data;
2412 
2413  ri_check:
2414 
2415     /* Need RI if renegotiating */
2416 
2417     if (!renegotiate_seen && s->renegotiate &&
2418         !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2419         *al = SSL_AD_HANDSHAKE_FAILURE;
2420         SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2421                SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2422         return 0;
2423     }
2424 
2425     return 1;
2426 err:
2427     *al = SSL_AD_DECODE_ERROR;
2428     return 0;
2429 }
2430 
2431 /*
2432  * Parse any custom extensions found.  "data" is the start of the extension data
2433  * and "limit" is the end of the record. TODO: add strict syntax checking.
2434  */
2435 
2436 static int ssl_scan_clienthello_custom_tlsext(SSL *s,
2437                                               const unsigned char *data,
2438                                               const unsigned char *limit,
2439                                               int *al)
2440 {
2441     unsigned short type, size, len;
2442     /* If resumed session or no custom extensions nothing to do */
2443     if (s->hit || s->cert->srv_ext.meths_count == 0)
2444         return 1;
2445 
2446     if (data >= limit - 2)
2447         return 1;
2448     n2s(data, len);
2449 
2450     if (data > limit - len)
2451         return 1;
2452 
2453     while (data <= limit - 4) {
2454         n2s(data, type);
2455         n2s(data, size);
2456 
2457         if (data + size > limit)
2458             return 1;
2459         if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
2460             return 0;
2461 
2462         data += size;
2463     }
2464 
2465     return 1;
2466 }
2467 
2468 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
2469                                  unsigned char *limit)
2470 {
2471     int al = -1;
2472     unsigned char *ptmp = *p;
2473     /*
2474      * Internally supported extensions are parsed first so SNI can be handled
2475      * before custom extensions. An application processing SNI will typically
2476      * switch the parent context using SSL_set_SSL_CTX and custom extensions
2477      * need to be handled by the new SSL_CTX structure.
2478      */
2479     if (ssl_scan_clienthello_tlsext(s, p, limit, &al) <= 0) {
2480         ssl3_send_alert(s, SSL3_AL_FATAL, al);
2481         return 0;
2482     }
2483 
2484     if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2485         SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2486         return 0;
2487     }
2488 
2489     custom_ext_init(&s->cert->srv_ext);
2490     if (ssl_scan_clienthello_custom_tlsext(s, ptmp, limit, &al) <= 0) {
2491         ssl3_send_alert(s, SSL3_AL_FATAL, al);
2492         return 0;
2493     }
2494 
2495     return 1;
2496 }
2497 
2498 # ifndef OPENSSL_NO_NEXTPROTONEG
2499 /*
2500  * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2501  * elements of zero length are allowed and the set of elements must exactly
2502  * fill the length of the block.
2503  */
2504 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2505 {
2506     unsigned int off = 0;
2507 
2508     while (off < len) {
2509         if (d[off] == 0)
2510             return 0;
2511         off += d[off];
2512         off++;
2513     }
2514 
2515     return off == len;
2516 }
2517 # endif
2518 
2519 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
2520                                        unsigned char *d, int n, int *al)
2521 {
2522     unsigned short length;
2523     unsigned short type;
2524     unsigned short size;
2525     unsigned char *data = *p;
2526     int tlsext_servername = 0;
2527     int renegotiate_seen = 0;
2528 
2529 # ifndef OPENSSL_NO_NEXTPROTONEG
2530     s->s3->next_proto_neg_seen = 0;
2531 # endif
2532     s->tlsext_ticket_expected = 0;
2533 
2534     if (s->s3->alpn_selected) {
2535         OPENSSL_free(s->s3->alpn_selected);
2536         s->s3->alpn_selected = NULL;
2537     }
2538 # ifndef OPENSSL_NO_HEARTBEATS
2539     s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2540                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2541 # endif
2542 
2543     if (data >= (d + n - 2))
2544         goto ri_check;
2545 
2546     n2s(data, length);
2547     if (data + length != d + n) {
2548         *al = SSL_AD_DECODE_ERROR;
2549         return 0;
2550     }
2551 
2552     while (data <= (d + n - 4)) {
2553         n2s(data, type);
2554         n2s(data, size);
2555 
2556         if (data + size > (d + n))
2557             goto ri_check;
2558 
2559         if (s->tlsext_debug_cb)
2560             s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2561 
2562         if (type == TLSEXT_TYPE_server_name) {
2563             if (s->tlsext_hostname == NULL || size > 0) {
2564                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2565                 return 0;
2566             }
2567             tlsext_servername = 1;
2568         }
2569 # ifndef OPENSSL_NO_EC
2570         else if (type == TLSEXT_TYPE_ec_point_formats) {
2571             unsigned char *sdata = data;
2572             int ecpointformatlist_length = *(sdata++);
2573 
2574             if (ecpointformatlist_length != size - 1) {
2575                 *al = TLS1_AD_DECODE_ERROR;
2576                 return 0;
2577             }
2578             if (!s->hit) {
2579                 s->session->tlsext_ecpointformatlist_length = 0;
2580                 if (s->session->tlsext_ecpointformatlist != NULL)
2581                     OPENSSL_free(s->session->tlsext_ecpointformatlist);
2582                 if ((s->session->tlsext_ecpointformatlist =
2583                      OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2584                     *al = TLS1_AD_INTERNAL_ERROR;
2585                     return 0;
2586                 }
2587                 s->session->tlsext_ecpointformatlist_length =
2588                     ecpointformatlist_length;
2589                 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2590                        ecpointformatlist_length);
2591             }
2592 #  if 0
2593             fprintf(stderr,
2594                     "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2595             sdata = s->session->tlsext_ecpointformatlist;
2596             for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2597                 fprintf(stderr, "%i ", *(sdata++));
2598             fprintf(stderr, "\n");
2599 #  endif
2600         }
2601 # endif                         /* OPENSSL_NO_EC */
2602 
2603         else if (type == TLSEXT_TYPE_session_ticket) {
2604             if (s->tls_session_ticket_ext_cb &&
2605                 !s->tls_session_ticket_ext_cb(s, data, size,
2606                                               s->tls_session_ticket_ext_cb_arg))
2607             {
2608                 *al = TLS1_AD_INTERNAL_ERROR;
2609                 return 0;
2610             }
2611             if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2612                 || (size > 0)) {
2613                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2614                 return 0;
2615             }
2616             s->tlsext_ticket_expected = 1;
2617         }
2618 # ifdef TLSEXT_TYPE_opaque_prf_input
2619         else if (type == TLSEXT_TYPE_opaque_prf_input) {
2620             unsigned char *sdata = data;
2621 
2622             if (size < 2) {
2623                 *al = SSL_AD_DECODE_ERROR;
2624                 return 0;
2625             }
2626             n2s(sdata, s->s3->server_opaque_prf_input_len);
2627             if (s->s3->server_opaque_prf_input_len != size - 2) {
2628                 *al = SSL_AD_DECODE_ERROR;
2629                 return 0;
2630             }
2631 
2632             if (s->s3->server_opaque_prf_input != NULL) {
2633                 /* shouldn't really happen */
2634                 OPENSSL_free(s->s3->server_opaque_prf_input);
2635             }
2636             if (s->s3->server_opaque_prf_input_len == 0) {
2637                 /* dummy byte just to get non-NULL */
2638                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
2639             } else {
2640                 s->s3->server_opaque_prf_input =
2641                     BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2642             }
2643 
2644             if (s->s3->server_opaque_prf_input == NULL) {
2645                 *al = TLS1_AD_INTERNAL_ERROR;
2646                 return 0;
2647             }
2648         }
2649 # endif
2650         else if (type == TLSEXT_TYPE_status_request) {
2651             /*
2652              * MUST be empty and only sent if we've requested a status
2653              * request message.
2654              */
2655             if ((s->tlsext_status_type == -1) || (size > 0)) {
2656                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2657                 return 0;
2658             }
2659             /* Set flag to expect CertificateStatus message */
2660             s->tlsext_status_expected = 1;
2661         }
2662 # ifndef OPENSSL_NO_NEXTPROTONEG
2663         else if (type == TLSEXT_TYPE_next_proto_neg &&
2664                  s->s3->tmp.finish_md_len == 0) {
2665             unsigned char *selected;
2666             unsigned char selected_len;
2667 
2668             /* We must have requested it. */
2669             if (s->ctx->next_proto_select_cb == NULL) {
2670                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2671                 return 0;
2672             }
2673             /* The data must be valid */
2674             if (!ssl_next_proto_validate(data, size)) {
2675                 *al = TLS1_AD_DECODE_ERROR;
2676                 return 0;
2677             }
2678             if (s->
2679                 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2680                                           size,
2681                                           s->ctx->next_proto_select_cb_arg) !=
2682                 SSL_TLSEXT_ERR_OK) {
2683                 *al = TLS1_AD_INTERNAL_ERROR;
2684                 return 0;
2685             }
2686             s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2687             if (!s->next_proto_negotiated) {
2688                 *al = TLS1_AD_INTERNAL_ERROR;
2689                 return 0;
2690             }
2691             memcpy(s->next_proto_negotiated, selected, selected_len);
2692             s->next_proto_negotiated_len = selected_len;
2693             s->s3->next_proto_neg_seen = 1;
2694         }
2695 # endif
2696 
2697         else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2698             unsigned len;
2699 
2700             /* We must have requested it. */
2701             if (s->alpn_client_proto_list == NULL) {
2702                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2703                 return 0;
2704             }
2705             if (size < 4) {
2706                 *al = TLS1_AD_DECODE_ERROR;
2707                 return 0;
2708             }
2709             /*-
2710              * The extension data consists of:
2711              *   uint16 list_length
2712              *   uint8 proto_length;
2713              *   uint8 proto[proto_length];
2714              */
2715             len = data[0];
2716             len <<= 8;
2717             len |= data[1];
2718             if (len != (unsigned)size - 2) {
2719                 *al = TLS1_AD_DECODE_ERROR;
2720                 return 0;
2721             }
2722             len = data[2];
2723             if (len != (unsigned)size - 3) {
2724                 *al = TLS1_AD_DECODE_ERROR;
2725                 return 0;
2726             }
2727             if (s->s3->alpn_selected)
2728                 OPENSSL_free(s->s3->alpn_selected);
2729             s->s3->alpn_selected = OPENSSL_malloc(len);
2730             if (!s->s3->alpn_selected) {
2731                 *al = TLS1_AD_INTERNAL_ERROR;
2732                 return 0;
2733             }
2734             memcpy(s->s3->alpn_selected, data + 3, len);
2735             s->s3->alpn_selected_len = len;
2736         }
2737 
2738         else if (type == TLSEXT_TYPE_renegotiate) {
2739             if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2740                 return 0;
2741             renegotiate_seen = 1;
2742         }
2743 # ifndef OPENSSL_NO_HEARTBEATS
2744         else if (type == TLSEXT_TYPE_heartbeat) {
2745             switch (data[0]) {
2746             case 0x01:         /* Server allows us to send HB requests */
2747                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2748                 break;
2749             case 0x02:         /* Server doesn't accept HB requests */
2750                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2751                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2752                 break;
2753             default:
2754                 *al = SSL_AD_ILLEGAL_PARAMETER;
2755                 return 0;
2756             }
2757         }
2758 # endif
2759 # ifndef OPENSSL_NO_SRTP
2760         else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2761             if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
2762                 return 0;
2763         }
2764 # endif
2765         /*
2766          * If this extension type was not otherwise handled, but matches a
2767          * custom_cli_ext_record, then send it to the c callback
2768          */
2769         else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2770             return 0;
2771 
2772         data += size;
2773     }
2774 
2775     if (data != d + n) {
2776         *al = SSL_AD_DECODE_ERROR;
2777         return 0;
2778     }
2779 
2780     if (!s->hit && tlsext_servername == 1) {
2781         if (s->tlsext_hostname) {
2782             if (s->session->tlsext_hostname == NULL) {
2783                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2784                 if (!s->session->tlsext_hostname) {
2785                     *al = SSL_AD_UNRECOGNIZED_NAME;
2786                     return 0;
2787                 }
2788             } else {
2789                 *al = SSL_AD_DECODE_ERROR;
2790                 return 0;
2791             }
2792         }
2793     }
2794 
2795     *p = data;
2796 
2797  ri_check:
2798 
2799     /*
2800      * Determine if we need to see RI. Strictly speaking if we want to avoid
2801      * an attack we should *always* see RI even on initial server hello
2802      * because the client doesn't see any renegotiation during an attack.
2803      * However this would mean we could not connect to any server which
2804      * doesn't support RI so for the immediate future tolerate RI absence on
2805      * initial connect only.
2806      */
2807     if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2808         && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2809         *al = SSL_AD_HANDSHAKE_FAILURE;
2810         SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2811                SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2812         return 0;
2813     }
2814 
2815     return 1;
2816 }
2817 
2818 int ssl_prepare_clienthello_tlsext(SSL *s)
2819 {
2820 
2821 # ifdef TLSEXT_TYPE_opaque_prf_input
2822     {
2823         int r = 1;
2824 
2825         if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
2826             r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
2827                                                          s->
2828                                                          ctx->tlsext_opaque_prf_input_callback_arg);
2829             if (!r)
2830                 return -1;
2831         }
2832 
2833         if (s->tlsext_opaque_prf_input != NULL) {
2834             if (s->s3->client_opaque_prf_input != NULL) {
2835                 /* shouldn't really happen */
2836                 OPENSSL_free(s->s3->client_opaque_prf_input);
2837             }
2838 
2839             if (s->tlsext_opaque_prf_input_len == 0) {
2840                 /* dummy byte just to get non-NULL */
2841                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
2842             } else {
2843                 s->s3->client_opaque_prf_input =
2844                     BUF_memdup(s->tlsext_opaque_prf_input,
2845                                s->tlsext_opaque_prf_input_len);
2846             }
2847             if (s->s3->client_opaque_prf_input == NULL) {
2848                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,
2849                        ERR_R_MALLOC_FAILURE);
2850                 return -1;
2851             }
2852             s->s3->client_opaque_prf_input_len =
2853                 s->tlsext_opaque_prf_input_len;
2854         }
2855 
2856         if (r == 2)
2857             /*
2858              * at callback's request, insist on receiving an appropriate
2859              * server opaque PRF input
2860              */
2861             s->s3->server_opaque_prf_input_len =
2862                 s->tlsext_opaque_prf_input_len;
2863     }
2864 # endif
2865 
2866     return 1;
2867 }
2868 
2869 int ssl_prepare_serverhello_tlsext(SSL *s)
2870 {
2871     return 1;
2872 }
2873 
2874 static int ssl_check_clienthello_tlsext_early(SSL *s)
2875 {
2876     int ret = SSL_TLSEXT_ERR_NOACK;
2877     int al = SSL_AD_UNRECOGNIZED_NAME;
2878 
2879 # ifndef OPENSSL_NO_EC
2880     /*
2881      * The handling of the ECPointFormats extension is done elsewhere, namely
2882      * in ssl3_choose_cipher in s3_lib.c.
2883      */
2884     /*
2885      * The handling of the EllipticCurves extension is done elsewhere, namely
2886      * in ssl3_choose_cipher in s3_lib.c.
2887      */
2888 # endif
2889 
2890     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2891         ret =
2892             s->ctx->tlsext_servername_callback(s, &al,
2893                                                s->ctx->tlsext_servername_arg);
2894     else if (s->initial_ctx != NULL
2895              && s->initial_ctx->tlsext_servername_callback != 0)
2896         ret =
2897             s->initial_ctx->tlsext_servername_callback(s, &al,
2898                                                        s->
2899                                                        initial_ctx->tlsext_servername_arg);
2900 
2901 # ifdef TLSEXT_TYPE_opaque_prf_input
2902     {
2903         /*
2904          * This sort of belongs into ssl_prepare_serverhello_tlsext(), but we
2905          * might be sending an alert in response to the client hello, so this
2906          * has to happen here in ssl_check_clienthello_tlsext_early().
2907          */
2908 
2909         int r = 1;
2910 
2911         if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
2912             r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
2913                                                          s->
2914                                                          ctx->tlsext_opaque_prf_input_callback_arg);
2915             if (!r) {
2916                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2917                 al = SSL_AD_INTERNAL_ERROR;
2918                 goto err;
2919             }
2920         }
2921 
2922         if (s->s3->server_opaque_prf_input != NULL) {
2923             /* shouldn't really happen */
2924             OPENSSL_free(s->s3->server_opaque_prf_input);
2925         }
2926         s->s3->server_opaque_prf_input = NULL;
2927 
2928         if (s->tlsext_opaque_prf_input != NULL) {
2929             if (s->s3->client_opaque_prf_input != NULL &&
2930                 s->s3->client_opaque_prf_input_len ==
2931                 s->tlsext_opaque_prf_input_len) {
2932                 /*
2933                  * can only use this extension if we have a server opaque PRF
2934                  * input of the same length as the client opaque PRF input!
2935                  */
2936 
2937                 if (s->tlsext_opaque_prf_input_len == 0) {
2938                     /* dummy byte just to get non-NULL */
2939                     s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
2940                 } else {
2941                     s->s3->server_opaque_prf_input =
2942                         BUF_memdup(s->tlsext_opaque_prf_input,
2943                                    s->tlsext_opaque_prf_input_len);
2944                 }
2945                 if (s->s3->server_opaque_prf_input == NULL) {
2946                     ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2947                     al = SSL_AD_INTERNAL_ERROR;
2948                     goto err;
2949                 }
2950                 s->s3->server_opaque_prf_input_len =
2951                     s->tlsext_opaque_prf_input_len;
2952             }
2953         }
2954 
2955         if (r == 2 && s->s3->server_opaque_prf_input == NULL) {
2956             /*
2957              * The callback wants to enforce use of the extension, but we
2958              * can't do that with the client opaque PRF input; abort the
2959              * handshake.
2960              */
2961             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2962             al = SSL_AD_HANDSHAKE_FAILURE;
2963         }
2964     }
2965 
2966  err:
2967 # endif
2968     switch (ret) {
2969     case SSL_TLSEXT_ERR_ALERT_FATAL:
2970         ssl3_send_alert(s, SSL3_AL_FATAL, al);
2971         return -1;
2972 
2973     case SSL_TLSEXT_ERR_ALERT_WARNING:
2974         ssl3_send_alert(s, SSL3_AL_WARNING, al);
2975         return 1;
2976 
2977     case SSL_TLSEXT_ERR_NOACK:
2978         s->servername_done = 0;
2979     default:
2980         return 1;
2981     }
2982 }
2983 
2984 int tls1_set_server_sigalgs(SSL *s)
2985 {
2986     int al;
2987     size_t i;
2988     /* Clear any shared sigtnature algorithms */
2989     if (s->cert->shared_sigalgs) {
2990         OPENSSL_free(s->cert->shared_sigalgs);
2991         s->cert->shared_sigalgs = NULL;
2992         s->cert->shared_sigalgslen = 0;
2993     }
2994     /* Clear certificate digests and validity flags */
2995     for (i = 0; i < SSL_PKEY_NUM; i++) {
2996         s->cert->pkeys[i].digest = NULL;
2997         s->cert->pkeys[i].valid_flags = 0;
2998     }
2999 
3000     /* If sigalgs received process it. */
3001     if (s->cert->peer_sigalgs) {
3002         if (!tls1_process_sigalgs(s)) {
3003             SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
3004             al = SSL_AD_INTERNAL_ERROR;
3005             goto err;
3006         }
3007         /* Fatal error is no shared signature algorithms */
3008         if (!s->cert->shared_sigalgs) {
3009             SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
3010                    SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
3011             al = SSL_AD_ILLEGAL_PARAMETER;
3012             goto err;
3013         }
3014     } else
3015         ssl_cert_set_default_md(s->cert);
3016     return 1;
3017  err:
3018     ssl3_send_alert(s, SSL3_AL_FATAL, al);
3019     return 0;
3020 }
3021 
3022 int ssl_check_clienthello_tlsext_late(SSL *s)
3023 {
3024     int ret = SSL_TLSEXT_ERR_OK;
3025     int al;
3026 
3027     /*
3028      * If status request then ask callback what to do. Note: this must be
3029      * called after servername callbacks in case the certificate has changed,
3030      * and must be called after the cipher has been chosen because this may
3031      * influence which certificate is sent
3032      */
3033     if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
3034         int r;
3035         CERT_PKEY *certpkey;
3036         certpkey = ssl_get_server_send_pkey(s);
3037         /* If no certificate can't return certificate status */
3038         if (certpkey == NULL) {
3039             s->tlsext_status_expected = 0;
3040             return 1;
3041         }
3042         /*
3043          * Set current certificate to one we will use so SSL_get_certificate
3044          * et al can pick it up.
3045          */
3046         s->cert->key = certpkey;
3047         r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3048         switch (r) {
3049             /* We don't want to send a status request response */
3050         case SSL_TLSEXT_ERR_NOACK:
3051             s->tlsext_status_expected = 0;
3052             break;
3053             /* status request response should be sent */
3054         case SSL_TLSEXT_ERR_OK:
3055             if (s->tlsext_ocsp_resp)
3056                 s->tlsext_status_expected = 1;
3057             else
3058                 s->tlsext_status_expected = 0;
3059             break;
3060             /* something bad happened */
3061         case SSL_TLSEXT_ERR_ALERT_FATAL:
3062             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3063             al = SSL_AD_INTERNAL_ERROR;
3064             goto err;
3065         }
3066     } else
3067         s->tlsext_status_expected = 0;
3068 
3069  err:
3070     switch (ret) {
3071     case SSL_TLSEXT_ERR_ALERT_FATAL:
3072         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3073         return -1;
3074 
3075     case SSL_TLSEXT_ERR_ALERT_WARNING:
3076         ssl3_send_alert(s, SSL3_AL_WARNING, al);
3077         return 1;
3078 
3079     default:
3080         return 1;
3081     }
3082 }
3083 
3084 int ssl_check_serverhello_tlsext(SSL *s)
3085 {
3086     int ret = SSL_TLSEXT_ERR_NOACK;
3087     int al = SSL_AD_UNRECOGNIZED_NAME;
3088 
3089 # ifndef OPENSSL_NO_EC
3090     /*
3091      * If we are client and using an elliptic curve cryptography cipher
3092      * suite, then if server returns an EC point formats lists extension it
3093      * must contain uncompressed.
3094      */
3095     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3096     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3097     if ((s->tlsext_ecpointformatlist != NULL)
3098         && (s->tlsext_ecpointformatlist_length > 0)
3099         && (s->session->tlsext_ecpointformatlist != NULL)
3100         && (s->session->tlsext_ecpointformatlist_length > 0)
3101         && ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe))
3102             || (alg_a & SSL_aECDSA))) {
3103         /* we are using an ECC cipher */
3104         size_t i;
3105         unsigned char *list;
3106         int found_uncompressed = 0;
3107         list = s->session->tlsext_ecpointformatlist;
3108         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
3109             if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
3110                 found_uncompressed = 1;
3111                 break;
3112             }
3113         }
3114         if (!found_uncompressed) {
3115             SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
3116                    SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3117             return -1;
3118         }
3119     }
3120     ret = SSL_TLSEXT_ERR_OK;
3121 # endif                         /* OPENSSL_NO_EC */
3122 
3123     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3124         ret =
3125             s->ctx->tlsext_servername_callback(s, &al,
3126                                                s->ctx->tlsext_servername_arg);
3127     else if (s->initial_ctx != NULL
3128              && s->initial_ctx->tlsext_servername_callback != 0)
3129         ret =
3130             s->initial_ctx->tlsext_servername_callback(s, &al,
3131                                                        s->
3132                                                        initial_ctx->tlsext_servername_arg);
3133 
3134 # ifdef TLSEXT_TYPE_opaque_prf_input
3135     if (s->s3->server_opaque_prf_input_len > 0) {
3136         /*
3137          * This case may indicate that we, as a client, want to insist on
3138          * using opaque PRF inputs. So first verify that we really have a
3139          * value from the server too.
3140          */
3141 
3142         if (s->s3->server_opaque_prf_input == NULL) {
3143             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3144             al = SSL_AD_HANDSHAKE_FAILURE;
3145         }
3146 
3147         /*
3148          * Anytime the server *has* sent an opaque PRF input, we need to
3149          * check that we have a client opaque PRF input of the same size.
3150          */
3151         if (s->s3->client_opaque_prf_input == NULL ||
3152             s->s3->client_opaque_prf_input_len !=
3153             s->s3->server_opaque_prf_input_len) {
3154             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3155             al = SSL_AD_ILLEGAL_PARAMETER;
3156         }
3157     }
3158 # endif
3159 
3160     OPENSSL_free(s->tlsext_ocsp_resp);
3161     s->tlsext_ocsp_resp = NULL;
3162     s->tlsext_ocsp_resplen = -1;
3163     /*
3164      * If we've requested certificate status and we wont get one tell the
3165      * callback
3166      */
3167     if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3168         && !(s->hit) && s->ctx && s->ctx->tlsext_status_cb) {
3169         int r;
3170         /*
3171          * Call callback with resp == NULL and resplen == -1 so callback
3172          * knows there is no response
3173          */
3174         r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3175         if (r == 0) {
3176             al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3177             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3178         }
3179         if (r < 0) {
3180             al = SSL_AD_INTERNAL_ERROR;
3181             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3182         }
3183     }
3184 
3185     switch (ret) {
3186     case SSL_TLSEXT_ERR_ALERT_FATAL:
3187         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3188         return -1;
3189 
3190     case SSL_TLSEXT_ERR_ALERT_WARNING:
3191         ssl3_send_alert(s, SSL3_AL_WARNING, al);
3192         return 1;
3193 
3194     case SSL_TLSEXT_ERR_NOACK:
3195         s->servername_done = 0;
3196     default:
3197         return 1;
3198     }
3199 }
3200 
3201 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
3202                                  int n)
3203 {
3204     int al = -1;
3205     if (s->version < SSL3_VERSION)
3206         return 1;
3207     if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) {
3208         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3209         return 0;
3210     }
3211 
3212     if (ssl_check_serverhello_tlsext(s) <= 0) {
3213         SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
3214         return 0;
3215     }
3216     return 1;
3217 }
3218 
3219 /*-
3220  * Since the server cache lookup is done early on in the processing of the
3221  * ClientHello, and other operations depend on the result, we need to handle
3222  * any TLS session ticket extension at the same time.
3223  *
3224  *   session_id: points at the session ID in the ClientHello. This code will
3225  *       read past the end of this in order to parse out the session ticket
3226  *       extension, if any.
3227  *   len: the length of the session ID.
3228  *   limit: a pointer to the first byte after the ClientHello.
3229  *   ret: (output) on return, if a ticket was decrypted, then this is set to
3230  *       point to the resulting session.
3231  *
3232  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3233  * ciphersuite, in which case we have no use for session tickets and one will
3234  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3235  *
3236  * Returns:
3237  *   -1: fatal error, either from parsing or decrypting the ticket.
3238  *    0: no ticket was found (or was ignored, based on settings).
3239  *    1: a zero length extension was found, indicating that the client supports
3240  *       session tickets but doesn't currently have one to offer.
3241  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
3242  *       couldn't be decrypted because of a non-fatal error.
3243  *    3: a ticket was successfully decrypted and *ret was set.
3244  *
3245  * Side effects:
3246  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3247  *   a new session ticket to the client because the client indicated support
3248  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3249  *   a session ticket or we couldn't use the one it gave us, or if
3250  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3251  *   Otherwise, s->tlsext_ticket_expected is set to 0.
3252  */
3253 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3254                         const unsigned char *limit, SSL_SESSION **ret)
3255 {
3256     /* Point after session ID in client hello */
3257     const unsigned char *p = session_id + len;
3258     unsigned short i;
3259 
3260     *ret = NULL;
3261     s->tlsext_ticket_expected = 0;
3262 
3263     /*
3264      * If tickets disabled behave as if no ticket present to permit stateful
3265      * resumption.
3266      */
3267     if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3268         return 0;
3269     if ((s->version <= SSL3_VERSION) || !limit)
3270         return 0;
3271     if (p >= limit)
3272         return -1;
3273     /* Skip past DTLS cookie */
3274     if (SSL_IS_DTLS(s)) {
3275         i = *(p++);
3276         p += i;
3277         if (p >= limit)
3278             return -1;
3279     }
3280     /* Skip past cipher list */
3281     n2s(p, i);
3282     p += i;
3283     if (p >= limit)
3284         return -1;
3285     /* Skip past compression algorithm list */
3286     i = *(p++);
3287     p += i;
3288     if (p > limit)
3289         return -1;
3290     /* Now at start of extensions */
3291     if ((p + 2) >= limit)
3292         return 0;
3293     n2s(p, i);
3294     while ((p + 4) <= limit) {
3295         unsigned short type, size;
3296         n2s(p, type);
3297         n2s(p, size);
3298         if (p + size > limit)
3299             return 0;
3300         if (type == TLSEXT_TYPE_session_ticket) {
3301             int r;
3302             if (size == 0) {
3303                 /*
3304                  * The client will accept a ticket but doesn't currently have
3305                  * one.
3306                  */
3307                 s->tlsext_ticket_expected = 1;
3308                 return 1;
3309             }
3310             if (s->tls_session_secret_cb) {
3311                 /*
3312                  * Indicate that the ticket couldn't be decrypted rather than
3313                  * generating the session from ticket now, trigger
3314                  * abbreviated handshake based on external mechanism to
3315                  * calculate the master secret later.
3316                  */
3317                 return 2;
3318             }
3319             r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3320             switch (r) {
3321             case 2:            /* ticket couldn't be decrypted */
3322                 s->tlsext_ticket_expected = 1;
3323                 return 2;
3324             case 3:            /* ticket was decrypted */
3325                 return r;
3326             case 4:            /* ticket decrypted but need to renew */
3327                 s->tlsext_ticket_expected = 1;
3328                 return 3;
3329             default:           /* fatal error */
3330                 return -1;
3331             }
3332         }
3333         p += size;
3334     }
3335     return 0;
3336 }
3337 
3338 /*-
3339  * tls_decrypt_ticket attempts to decrypt a session ticket.
3340  *
3341  *   etick: points to the body of the session ticket extension.
3342  *   eticklen: the length of the session tickets extenion.
3343  *   sess_id: points at the session ID.
3344  *   sesslen: the length of the session ID.
3345  *   psess: (output) on return, if a ticket was decrypted, then this is set to
3346  *       point to the resulting session.
3347  *
3348  * Returns:
3349  *   -1: fatal error, either from parsing or decrypting the ticket.
3350  *    2: the ticket couldn't be decrypted.
3351  *    3: a ticket was successfully decrypted and *psess was set.
3352  *    4: same as 3, but the ticket needs to be renewed.
3353  */
3354 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3355                               int eticklen, const unsigned char *sess_id,
3356                               int sesslen, SSL_SESSION **psess)
3357 {
3358     SSL_SESSION *sess;
3359     unsigned char *sdec;
3360     const unsigned char *p;
3361     int slen, mlen, renew_ticket = 0;
3362     unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3363     HMAC_CTX hctx;
3364     EVP_CIPHER_CTX ctx;
3365     SSL_CTX *tctx = s->initial_ctx;
3366     /* Need at least keyname + iv + some encrypted data */
3367     if (eticklen < 48)
3368         return 2;
3369     /* Initialize session ticket encryption and HMAC contexts */
3370     HMAC_CTX_init(&hctx);
3371     EVP_CIPHER_CTX_init(&ctx);
3372     if (tctx->tlsext_ticket_key_cb) {
3373         unsigned char *nctick = (unsigned char *)etick;
3374         int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3375                                             &ctx, &hctx, 0);
3376         if (rv < 0)
3377             return -1;
3378         if (rv == 0)
3379             return 2;
3380         if (rv == 2)
3381             renew_ticket = 1;
3382     } else {
3383         /* Check key name matches */
3384         if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3385             return 2;
3386         if (HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3387                          tlsext_tick_md(), NULL) <= 0
3388                 || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3389                                       tctx->tlsext_tick_aes_key,
3390                                       etick + 16) <= 0) {
3391             goto err;
3392        }
3393     }
3394     /*
3395      * Attempt to process session ticket, first conduct sanity and integrity
3396      * checks on ticket.
3397      */
3398     mlen = HMAC_size(&hctx);
3399     if (mlen < 0) {
3400         goto err;
3401     }
3402     eticklen -= mlen;
3403     /* Check HMAC of encrypted ticket */
3404     if (HMAC_Update(&hctx, etick, eticklen) <= 0
3405             || HMAC_Final(&hctx, tick_hmac, NULL) <= 0) {
3406         goto err;
3407     }
3408     HMAC_CTX_cleanup(&hctx);
3409     if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3410         EVP_CIPHER_CTX_cleanup(&ctx);
3411         return 2;
3412     }
3413     /* Attempt to decrypt session data */
3414     /* Move p after IV to start of encrypted ticket, update length */
3415     p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3416     eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3417     sdec = OPENSSL_malloc(eticklen);
3418     if (!sdec || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
3419         EVP_CIPHER_CTX_cleanup(&ctx);
3420         return -1;
3421     }
3422     if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
3423         EVP_CIPHER_CTX_cleanup(&ctx);
3424         OPENSSL_free(sdec);
3425         return 2;
3426     }
3427     slen += mlen;
3428     EVP_CIPHER_CTX_cleanup(&ctx);
3429     p = sdec;
3430 
3431     sess = d2i_SSL_SESSION(NULL, &p, slen);
3432     OPENSSL_free(sdec);
3433     if (sess) {
3434         /*
3435          * The session ID, if non-empty, is used by some clients to detect
3436          * that the ticket has been accepted. So we copy it to the session
3437          * structure. If it is empty set length to zero as required by
3438          * standard.
3439          */
3440         if (sesslen)
3441             memcpy(sess->session_id, sess_id, sesslen);
3442         sess->session_id_length = sesslen;
3443         *psess = sess;
3444         if (renew_ticket)
3445             return 4;
3446         else
3447             return 3;
3448     }
3449     ERR_clear_error();
3450     /*
3451      * For session parse failure, indicate that we need to send a new ticket.
3452      */
3453     return 2;
3454 err:
3455     EVP_CIPHER_CTX_cleanup(&ctx);
3456     HMAC_CTX_cleanup(&hctx);
3457     return -1;
3458 }
3459 
3460 /* Tables to translate from NIDs to TLS v1.2 ids */
3461 
3462 typedef struct {
3463     int nid;
3464     int id;
3465 } tls12_lookup;
3466 
3467 static tls12_lookup tls12_md[] = {
3468     {NID_md5, TLSEXT_hash_md5},
3469     {NID_sha1, TLSEXT_hash_sha1},
3470     {NID_sha224, TLSEXT_hash_sha224},
3471     {NID_sha256, TLSEXT_hash_sha256},
3472     {NID_sha384, TLSEXT_hash_sha384},
3473     {NID_sha512, TLSEXT_hash_sha512}
3474 };
3475 
3476 static tls12_lookup tls12_sig[] = {
3477     {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3478     {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3479     {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3480 };
3481 
3482 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3483 {
3484     size_t i;
3485     for (i = 0; i < tlen; i++) {
3486         if (table[i].nid == nid)
3487             return table[i].id;
3488     }
3489     return -1;
3490 }
3491 
3492 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3493 {
3494     size_t i;
3495     for (i = 0; i < tlen; i++) {
3496         if ((table[i].id) == id)
3497             return table[i].nid;
3498     }
3499     return NID_undef;
3500 }
3501 
3502 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3503                          const EVP_MD *md)
3504 {
3505     int sig_id, md_id;
3506     if (!md)
3507         return 0;
3508     md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3509                           sizeof(tls12_md) / sizeof(tls12_lookup));
3510     if (md_id == -1)
3511         return 0;
3512     sig_id = tls12_get_sigid(pk);
3513     if (sig_id == -1)
3514         return 0;
3515     p[0] = (unsigned char)md_id;
3516     p[1] = (unsigned char)sig_id;
3517     return 1;
3518 }
3519 
3520 int tls12_get_sigid(const EVP_PKEY *pk)
3521 {
3522     return tls12_find_id(pk->type, tls12_sig,
3523                          sizeof(tls12_sig) / sizeof(tls12_lookup));
3524 }
3525 
3526 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3527 {
3528     switch (hash_alg) {
3529 # ifndef OPENSSL_NO_MD5
3530     case TLSEXT_hash_md5:
3531 #  ifdef OPENSSL_FIPS
3532         if (FIPS_mode())
3533             return NULL;
3534 #  endif
3535         return EVP_md5();
3536 # endif
3537 # ifndef OPENSSL_NO_SHA
3538     case TLSEXT_hash_sha1:
3539         return EVP_sha1();
3540 # endif
3541 # ifndef OPENSSL_NO_SHA256
3542     case TLSEXT_hash_sha224:
3543         return EVP_sha224();
3544 
3545     case TLSEXT_hash_sha256:
3546         return EVP_sha256();
3547 # endif
3548 # ifndef OPENSSL_NO_SHA512
3549     case TLSEXT_hash_sha384:
3550         return EVP_sha384();
3551 
3552     case TLSEXT_hash_sha512:
3553         return EVP_sha512();
3554 # endif
3555     default:
3556         return NULL;
3557 
3558     }
3559 }
3560 
3561 static int tls12_get_pkey_idx(unsigned char sig_alg)
3562 {
3563     switch (sig_alg) {
3564 # ifndef OPENSSL_NO_RSA
3565     case TLSEXT_signature_rsa:
3566         return SSL_PKEY_RSA_SIGN;
3567 # endif
3568 # ifndef OPENSSL_NO_DSA
3569     case TLSEXT_signature_dsa:
3570         return SSL_PKEY_DSA_SIGN;
3571 # endif
3572 # ifndef OPENSSL_NO_ECDSA
3573     case TLSEXT_signature_ecdsa:
3574         return SSL_PKEY_ECC;
3575 # endif
3576     }
3577     return -1;
3578 }
3579 
3580 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3581 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3582                                int *psignhash_nid, const unsigned char *data)
3583 {
3584     int sign_nid = NID_undef, hash_nid = NID_undef;
3585     if (!phash_nid && !psign_nid && !psignhash_nid)
3586         return;
3587     if (phash_nid || psignhash_nid) {
3588         hash_nid = tls12_find_nid(data[0], tls12_md,
3589                                   sizeof(tls12_md) / sizeof(tls12_lookup));
3590         if (phash_nid)
3591             *phash_nid = hash_nid;
3592     }
3593     if (psign_nid || psignhash_nid) {
3594         sign_nid = tls12_find_nid(data[1], tls12_sig,
3595                                   sizeof(tls12_sig) / sizeof(tls12_lookup));
3596         if (psign_nid)
3597             *psign_nid = sign_nid;
3598     }
3599     if (psignhash_nid) {
3600         if (sign_nid == NID_undef || hash_nid == NID_undef
3601                 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
3602                                           sign_nid) <= 0)
3603             *psignhash_nid = NID_undef;
3604     }
3605 }
3606 
3607 /* Given preference and allowed sigalgs set shared sigalgs */
3608 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3609                                    const unsigned char *pref, size_t preflen,
3610                                    const unsigned char *allow,
3611                                    size_t allowlen)
3612 {
3613     const unsigned char *ptmp, *atmp;
3614     size_t i, j, nmatch = 0;
3615     for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3616         /* Skip disabled hashes or signature algorithms */
3617         if (tls12_get_hash(ptmp[0]) == NULL)
3618             continue;
3619         if (tls12_get_pkey_idx(ptmp[1]) == -1)
3620             continue;
3621         for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3622             if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3623                 nmatch++;
3624                 if (shsig) {
3625                     shsig->rhash = ptmp[0];
3626                     shsig->rsign = ptmp[1];
3627                     tls1_lookup_sigalg(&shsig->hash_nid,
3628                                        &shsig->sign_nid,
3629                                        &shsig->signandhash_nid, ptmp);
3630                     shsig++;
3631                 }
3632                 break;
3633             }
3634         }
3635     }
3636     return nmatch;
3637 }
3638 
3639 /* Set shared signature algorithms for SSL structures */
3640 static int tls1_set_shared_sigalgs(SSL *s)
3641 {
3642     const unsigned char *pref, *allow, *conf;
3643     size_t preflen, allowlen, conflen;
3644     size_t nmatch;
3645     TLS_SIGALGS *salgs = NULL;
3646     CERT *c = s->cert;
3647     unsigned int is_suiteb = tls1_suiteb(s);
3648     if (c->shared_sigalgs) {
3649         OPENSSL_free(c->shared_sigalgs);
3650         c->shared_sigalgs = NULL;
3651         c->shared_sigalgslen = 0;
3652     }
3653     /* If client use client signature algorithms if not NULL */
3654     if (!s->server && c->client_sigalgs && !is_suiteb) {
3655         conf = c->client_sigalgs;
3656         conflen = c->client_sigalgslen;
3657     } else if (c->conf_sigalgs && !is_suiteb) {
3658         conf = c->conf_sigalgs;
3659         conflen = c->conf_sigalgslen;
3660     } else
3661         conflen = tls12_get_psigalgs(s, &conf);
3662     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3663         pref = conf;
3664         preflen = conflen;
3665         allow = c->peer_sigalgs;
3666         allowlen = c->peer_sigalgslen;
3667     } else {
3668         allow = conf;
3669         allowlen = conflen;
3670         pref = c->peer_sigalgs;
3671         preflen = c->peer_sigalgslen;
3672     }
3673     nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3674     if (nmatch) {
3675         salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3676         if (!salgs)
3677             return 0;
3678         nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3679     } else {
3680         salgs = NULL;
3681     }
3682     c->shared_sigalgs = salgs;
3683     c->shared_sigalgslen = nmatch;
3684     return 1;
3685 }
3686 
3687 /* Set preferred digest for each key type */
3688 
3689 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
3690 {
3691     CERT *c = s->cert;
3692     /* Extension ignored for inappropriate versions */
3693     if (!SSL_USE_SIGALGS(s))
3694         return 1;
3695     /* Should never happen */
3696     if (!c)
3697         return 0;
3698 
3699     if (c->peer_sigalgs)
3700         OPENSSL_free(c->peer_sigalgs);
3701     c->peer_sigalgs = OPENSSL_malloc(dsize);
3702     if (!c->peer_sigalgs)
3703         return 0;
3704     c->peer_sigalgslen = dsize;
3705     memcpy(c->peer_sigalgs, data, dsize);
3706     return 1;
3707 }
3708 
3709 int tls1_process_sigalgs(SSL *s)
3710 {
3711     int idx;
3712     size_t i;
3713     const EVP_MD *md;
3714     CERT *c = s->cert;
3715     TLS_SIGALGS *sigptr;
3716     if (!tls1_set_shared_sigalgs(s))
3717         return 0;
3718 
3719 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3720     if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3721         /*
3722          * Use first set signature preference to force message digest,
3723          * ignoring any peer preferences.
3724          */
3725         const unsigned char *sigs = NULL;
3726         if (s->server)
3727             sigs = c->conf_sigalgs;
3728         else
3729             sigs = c->client_sigalgs;
3730         if (sigs) {
3731             idx = tls12_get_pkey_idx(sigs[1]);
3732             md = tls12_get_hash(sigs[0]);
3733             c->pkeys[idx].digest = md;
3734             c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3735             if (idx == SSL_PKEY_RSA_SIGN) {
3736                 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
3737                     CERT_PKEY_EXPLICIT_SIGN;
3738                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3739             }
3740         }
3741     }
3742 # endif
3743 
3744     for (i = 0, sigptr = c->shared_sigalgs;
3745          i < c->shared_sigalgslen; i++, sigptr++) {
3746         idx = tls12_get_pkey_idx(sigptr->rsign);
3747         if (idx > 0 && c->pkeys[idx].digest == NULL) {
3748             md = tls12_get_hash(sigptr->rhash);
3749             c->pkeys[idx].digest = md;
3750             c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3751             if (idx == SSL_PKEY_RSA_SIGN) {
3752                 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
3753                     CERT_PKEY_EXPLICIT_SIGN;
3754                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3755             }
3756         }
3757 
3758     }
3759     /*
3760      * In strict mode leave unset digests as NULL to indicate we can't use
3761      * the certificate for signing.
3762      */
3763     if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3764         /*
3765          * Set any remaining keys to default values. NOTE: if alg is not
3766          * supported it stays as NULL.
3767          */
3768 # ifndef OPENSSL_NO_DSA
3769         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3770             c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3771 # endif
3772 # ifndef OPENSSL_NO_RSA
3773         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
3774             c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3775             c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3776         }
3777 # endif
3778 # ifndef OPENSSL_NO_ECDSA
3779         if (!c->pkeys[SSL_PKEY_ECC].digest)
3780             c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3781 # endif
3782     }
3783     return 1;
3784 }
3785 
3786 int SSL_get_sigalgs(SSL *s, int idx,
3787                     int *psign, int *phash, int *psignhash,
3788                     unsigned char *rsig, unsigned char *rhash)
3789 {
3790     const unsigned char *psig = s->cert->peer_sigalgs;
3791     if (psig == NULL)
3792         return 0;
3793     if (idx >= 0) {
3794         idx <<= 1;
3795         if (idx >= (int)s->cert->peer_sigalgslen)
3796             return 0;
3797         psig += idx;
3798         if (rhash)
3799             *rhash = psig[0];
3800         if (rsig)
3801             *rsig = psig[1];
3802         tls1_lookup_sigalg(phash, psign, psignhash, psig);
3803     }
3804     return s->cert->peer_sigalgslen / 2;
3805 }
3806 
3807 int SSL_get_shared_sigalgs(SSL *s, int idx,
3808                            int *psign, int *phash, int *psignhash,
3809                            unsigned char *rsig, unsigned char *rhash)
3810 {
3811     TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3812     if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3813         return 0;
3814     shsigalgs += idx;
3815     if (phash)
3816         *phash = shsigalgs->hash_nid;
3817     if (psign)
3818         *psign = shsigalgs->sign_nid;
3819     if (psignhash)
3820         *psignhash = shsigalgs->signandhash_nid;
3821     if (rsig)
3822         *rsig = shsigalgs->rsign;
3823     if (rhash)
3824         *rhash = shsigalgs->rhash;
3825     return s->cert->shared_sigalgslen;
3826 }
3827 
3828 # ifndef OPENSSL_NO_HEARTBEATS
3829 int tls1_process_heartbeat(SSL *s)
3830 {
3831     unsigned char *p = &s->s3->rrec.data[0], *pl;
3832     unsigned short hbtype;
3833     unsigned int payload;
3834     unsigned int padding = 16;  /* Use minimum padding */
3835 
3836     if (s->msg_callback)
3837         s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3838                         &s->s3->rrec.data[0], s->s3->rrec.length,
3839                         s, s->msg_callback_arg);
3840 
3841     /* Read type and payload length first */
3842     if (1 + 2 + 16 > s->s3->rrec.length)
3843         return 0;               /* silently discard */
3844     hbtype = *p++;
3845     n2s(p, payload);
3846     if (1 + 2 + payload + 16 > s->s3->rrec.length)
3847         return 0;               /* silently discard per RFC 6520 sec. 4 */
3848     pl = p;
3849 
3850     if (hbtype == TLS1_HB_REQUEST) {
3851         unsigned char *buffer, *bp;
3852         int r;
3853 
3854         /*
3855          * Allocate memory for the response, size is 1 bytes message type,
3856          * plus 2 bytes payload length, plus payload, plus padding
3857          */
3858         buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3859         bp = buffer;
3860 
3861         /* Enter response type, length and copy payload */
3862         *bp++ = TLS1_HB_RESPONSE;
3863         s2n(payload, bp);
3864         memcpy(bp, pl, payload);
3865         bp += payload;
3866         /* Random padding */
3867         if (RAND_pseudo_bytes(bp, padding) < 0) {
3868             OPENSSL_free(buffer);
3869             return -1;
3870         }
3871 
3872         r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3873                              3 + payload + padding);
3874 
3875         if (r >= 0 && s->msg_callback)
3876             s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3877                             buffer, 3 + payload + padding,
3878                             s, s->msg_callback_arg);
3879 
3880         OPENSSL_free(buffer);
3881 
3882         if (r < 0)
3883             return r;
3884     } else if (hbtype == TLS1_HB_RESPONSE) {
3885         unsigned int seq;
3886 
3887         /*
3888          * We only send sequence numbers (2 bytes unsigned int), and 16
3889          * random bytes, so we just try to read the sequence number
3890          */
3891         n2s(pl, seq);
3892 
3893         if (payload == 18 && seq == s->tlsext_hb_seq) {
3894             s->tlsext_hb_seq++;
3895             s->tlsext_hb_pending = 0;
3896         }
3897     }
3898 
3899     return 0;
3900 }
3901 
3902 int tls1_heartbeat(SSL *s)
3903 {
3904     unsigned char *buf, *p;
3905     int ret = -1;
3906     unsigned int payload = 18;  /* Sequence number + random bytes */
3907     unsigned int padding = 16;  /* Use minimum padding */
3908 
3909     /* Only send if peer supports and accepts HB requests... */
3910     if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3911         s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3912         SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3913         return -1;
3914     }
3915 
3916     /* ...and there is none in flight yet... */
3917     if (s->tlsext_hb_pending) {
3918         SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3919         return -1;
3920     }
3921 
3922     /* ...and no handshake in progress. */
3923     if (SSL_in_init(s) || s->in_handshake) {
3924         SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3925         return -1;
3926     }
3927 
3928     /*
3929      * Check if padding is too long, payload and padding must not exceed 2^14
3930      * - 3 = 16381 bytes in total.
3931      */
3932     OPENSSL_assert(payload + padding <= 16381);
3933 
3934     /*-
3935      * Create HeartBeat message, we just use a sequence number
3936      * as payload to distuingish different messages and add
3937      * some random stuff.
3938      *  - Message Type, 1 byte
3939      *  - Payload Length, 2 bytes (unsigned int)
3940      *  - Payload, the sequence number (2 bytes uint)
3941      *  - Payload, random bytes (16 bytes uint)
3942      *  - Padding
3943      */
3944     buf = OPENSSL_malloc(1 + 2 + payload + padding);
3945     p = buf;
3946     /* Message Type */
3947     *p++ = TLS1_HB_REQUEST;
3948     /* Payload length (18 bytes here) */
3949     s2n(payload, p);
3950     /* Sequence number */
3951     s2n(s->tlsext_hb_seq, p);
3952     /* 16 random bytes */
3953     if (RAND_pseudo_bytes(p, 16) < 0) {
3954         SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3955         goto err;
3956     }
3957     p += 16;
3958     /* Random padding */
3959     if (RAND_pseudo_bytes(p, padding) < 0) {
3960         SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3961         goto err;
3962     }
3963 
3964     ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3965     if (ret >= 0) {
3966         if (s->msg_callback)
3967             s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3968                             buf, 3 + payload + padding,
3969                             s, s->msg_callback_arg);
3970 
3971         s->tlsext_hb_pending = 1;
3972     }
3973 
3974 err:
3975     OPENSSL_free(buf);
3976 
3977     return ret;
3978 }
3979 # endif
3980 
3981 # define MAX_SIGALGLEN   (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3982 
3983 typedef struct {
3984     size_t sigalgcnt;
3985     int sigalgs[MAX_SIGALGLEN];
3986 } sig_cb_st;
3987 
3988 static int sig_cb(const char *elem, int len, void *arg)
3989 {
3990     sig_cb_st *sarg = arg;
3991     size_t i;
3992     char etmp[20], *p;
3993     int sig_alg, hash_alg;
3994     if (elem == NULL)
3995         return 0;
3996     if (sarg->sigalgcnt == MAX_SIGALGLEN)
3997         return 0;
3998     if (len > (int)(sizeof(etmp) - 1))
3999         return 0;
4000     memcpy(etmp, elem, len);
4001     etmp[len] = 0;
4002     p = strchr(etmp, '+');
4003     if (!p)
4004         return 0;
4005     *p = 0;
4006     p++;
4007     if (!*p)
4008         return 0;
4009 
4010     if (!strcmp(etmp, "RSA"))
4011         sig_alg = EVP_PKEY_RSA;
4012     else if (!strcmp(etmp, "DSA"))
4013         sig_alg = EVP_PKEY_DSA;
4014     else if (!strcmp(etmp, "ECDSA"))
4015         sig_alg = EVP_PKEY_EC;
4016     else
4017         return 0;
4018 
4019     hash_alg = OBJ_sn2nid(p);
4020     if (hash_alg == NID_undef)
4021         hash_alg = OBJ_ln2nid(p);
4022     if (hash_alg == NID_undef)
4023         return 0;
4024 
4025     for (i = 0; i < sarg->sigalgcnt; i += 2) {
4026         if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
4027             return 0;
4028     }
4029     sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
4030     sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
4031     return 1;
4032 }
4033 
4034 /*
4035  * Set suppored signature algorithms based on a colon separated list of the
4036  * form sig+hash e.g. RSA+SHA512:DSA+SHA512
4037  */
4038 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
4039 {
4040     sig_cb_st sig;
4041     sig.sigalgcnt = 0;
4042     if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
4043         return 0;
4044     if (c == NULL)
4045         return 1;
4046     return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
4047 }
4048 
4049 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
4050                      int client)
4051 {
4052     unsigned char *sigalgs, *sptr;
4053     int rhash, rsign;
4054     size_t i;
4055     if (salglen & 1)
4056         return 0;
4057     sigalgs = OPENSSL_malloc(salglen);
4058     if (sigalgs == NULL)
4059         return 0;
4060     for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
4061         rhash = tls12_find_id(*psig_nids++, tls12_md,
4062                               sizeof(tls12_md) / sizeof(tls12_lookup));
4063         rsign = tls12_find_id(*psig_nids++, tls12_sig,
4064                               sizeof(tls12_sig) / sizeof(tls12_lookup));
4065 
4066         if (rhash == -1 || rsign == -1)
4067             goto err;
4068         *sptr++ = rhash;
4069         *sptr++ = rsign;
4070     }
4071 
4072     if (client) {
4073         if (c->client_sigalgs)
4074             OPENSSL_free(c->client_sigalgs);
4075         c->client_sigalgs = sigalgs;
4076         c->client_sigalgslen = salglen;
4077     } else {
4078         if (c->conf_sigalgs)
4079             OPENSSL_free(c->conf_sigalgs);
4080         c->conf_sigalgs = sigalgs;
4081         c->conf_sigalgslen = salglen;
4082     }
4083 
4084     return 1;
4085 
4086  err:
4087     OPENSSL_free(sigalgs);
4088     return 0;
4089 }
4090 
4091 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
4092 {
4093     int sig_nid;
4094     size_t i;
4095     if (default_nid == -1)
4096         return 1;
4097     sig_nid = X509_get_signature_nid(x);
4098     if (default_nid)
4099         return sig_nid == default_nid ? 1 : 0;
4100     for (i = 0; i < c->shared_sigalgslen; i++)
4101         if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
4102             return 1;
4103     return 0;
4104 }
4105 
4106 /* Check to see if a certificate issuer name matches list of CA names */
4107 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
4108 {
4109     X509_NAME *nm;
4110     int i;
4111     nm = X509_get_issuer_name(x);
4112     for (i = 0; i < sk_X509_NAME_num(names); i++) {
4113         if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
4114             return 1;
4115     }
4116     return 0;
4117 }
4118 
4119 /*
4120  * Check certificate chain is consistent with TLS extensions and is usable by
4121  * server. This servers two purposes: it allows users to check chains before
4122  * passing them to the server and it allows the server to check chains before
4123  * attempting to use them.
4124  */
4125 
4126 /* Flags which need to be set for a certificate when stict mode not set */
4127 
4128 # define CERT_PKEY_VALID_FLAGS \
4129         (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4130 /* Strict mode flags */
4131 # define CERT_PKEY_STRICT_FLAGS \
4132          (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4133          | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4134 
4135 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
4136                      int idx)
4137 {
4138     int i;
4139     int rv = 0;
4140     int check_flags = 0, strict_mode;
4141     CERT_PKEY *cpk = NULL;
4142     CERT *c = s->cert;
4143     unsigned int suiteb_flags = tls1_suiteb(s);
4144     /* idx == -1 means checking server chains */
4145     if (idx != -1) {
4146         /* idx == -2 means checking client certificate chains */
4147         if (idx == -2) {
4148             cpk = c->key;
4149             idx = cpk - c->pkeys;
4150         } else
4151             cpk = c->pkeys + idx;
4152         x = cpk->x509;
4153         pk = cpk->privatekey;
4154         chain = cpk->chain;
4155         strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4156         /* If no cert or key, forget it */
4157         if (!x || !pk)
4158             goto end;
4159 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4160         /* Allow any certificate to pass test */
4161         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
4162             rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
4163                 CERT_PKEY_VALID | CERT_PKEY_SIGN;
4164             cpk->valid_flags = rv;
4165             return rv;
4166         }
4167 # endif
4168     } else {
4169         if (!x || !pk)
4170             return 0;
4171         idx = ssl_cert_type(x, pk);
4172         if (idx == -1)
4173             return 0;
4174         cpk = c->pkeys + idx;
4175         if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4176             check_flags = CERT_PKEY_STRICT_FLAGS;
4177         else
4178             check_flags = CERT_PKEY_VALID_FLAGS;
4179         strict_mode = 1;
4180     }
4181 
4182     if (suiteb_flags) {
4183         int ok;
4184         if (check_flags)
4185             check_flags |= CERT_PKEY_SUITEB;
4186         ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4187         if (ok == X509_V_OK)
4188             rv |= CERT_PKEY_SUITEB;
4189         else if (!check_flags)
4190             goto end;
4191     }
4192 
4193     /*
4194      * Check all signature algorithms are consistent with signature
4195      * algorithms extension if TLS 1.2 or later and strict mode.
4196      */
4197     if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
4198         int default_nid;
4199         unsigned char rsign = 0;
4200         if (c->peer_sigalgs)
4201             default_nid = 0;
4202         /* If no sigalgs extension use defaults from RFC5246 */
4203         else {
4204             switch (idx) {
4205             case SSL_PKEY_RSA_ENC:
4206             case SSL_PKEY_RSA_SIGN:
4207             case SSL_PKEY_DH_RSA:
4208                 rsign = TLSEXT_signature_rsa;
4209                 default_nid = NID_sha1WithRSAEncryption;
4210                 break;
4211 
4212             case SSL_PKEY_DSA_SIGN:
4213             case SSL_PKEY_DH_DSA:
4214                 rsign = TLSEXT_signature_dsa;
4215                 default_nid = NID_dsaWithSHA1;
4216                 break;
4217 
4218             case SSL_PKEY_ECC:
4219                 rsign = TLSEXT_signature_ecdsa;
4220                 default_nid = NID_ecdsa_with_SHA1;
4221                 break;
4222 
4223             default:
4224                 default_nid = -1;
4225                 break;
4226             }
4227         }
4228         /*
4229          * If peer sent no signature algorithms extension and we have set
4230          * preferred signature algorithms check we support sha1.
4231          */
4232         if (default_nid > 0 && c->conf_sigalgs) {
4233             size_t j;
4234             const unsigned char *p = c->conf_sigalgs;
4235             for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4236                 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4237                     break;
4238             }
4239             if (j == c->conf_sigalgslen) {
4240                 if (check_flags)
4241                     goto skip_sigs;
4242                 else
4243                     goto end;
4244             }
4245         }
4246         /* Check signature algorithm of each cert in chain */
4247         if (!tls1_check_sig_alg(c, x, default_nid)) {
4248             if (!check_flags)
4249                 goto end;
4250         } else
4251             rv |= CERT_PKEY_EE_SIGNATURE;
4252         rv |= CERT_PKEY_CA_SIGNATURE;
4253         for (i = 0; i < sk_X509_num(chain); i++) {
4254             if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4255                 if (check_flags) {
4256                     rv &= ~CERT_PKEY_CA_SIGNATURE;
4257                     break;
4258                 } else
4259                     goto end;
4260             }
4261         }
4262     }
4263     /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4264     else if (check_flags)
4265         rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4266  skip_sigs:
4267     /* Check cert parameters are consistent */
4268     if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4269         rv |= CERT_PKEY_EE_PARAM;
4270     else if (!check_flags)
4271         goto end;
4272     if (!s->server)
4273         rv |= CERT_PKEY_CA_PARAM;
4274     /* In strict mode check rest of chain too */
4275     else if (strict_mode) {
4276         rv |= CERT_PKEY_CA_PARAM;
4277         for (i = 0; i < sk_X509_num(chain); i++) {
4278             X509 *ca = sk_X509_value(chain, i);
4279             if (!tls1_check_cert_param(s, ca, 0)) {
4280                 if (check_flags) {
4281                     rv &= ~CERT_PKEY_CA_PARAM;
4282                     break;
4283                 } else
4284                     goto end;
4285             }
4286         }
4287     }
4288     if (!s->server && strict_mode) {
4289         STACK_OF(X509_NAME) *ca_dn;
4290         int check_type = 0;
4291         switch (pk->type) {
4292         case EVP_PKEY_RSA:
4293             check_type = TLS_CT_RSA_SIGN;
4294             break;
4295         case EVP_PKEY_DSA:
4296             check_type = TLS_CT_DSS_SIGN;
4297             break;
4298         case EVP_PKEY_EC:
4299             check_type = TLS_CT_ECDSA_SIGN;
4300             break;
4301         case EVP_PKEY_DH:
4302         case EVP_PKEY_DHX:
4303             {
4304                 int cert_type = X509_certificate_type(x, pk);
4305                 if (cert_type & EVP_PKS_RSA)
4306                     check_type = TLS_CT_RSA_FIXED_DH;
4307                 if (cert_type & EVP_PKS_DSA)
4308                     check_type = TLS_CT_DSS_FIXED_DH;
4309             }
4310         }
4311         if (check_type) {
4312             const unsigned char *ctypes;
4313             int ctypelen;
4314             if (c->ctypes) {
4315                 ctypes = c->ctypes;
4316                 ctypelen = (int)c->ctype_num;
4317             } else {
4318                 ctypes = (unsigned char *)s->s3->tmp.ctype;
4319                 ctypelen = s->s3->tmp.ctype_num;
4320             }
4321             for (i = 0; i < ctypelen; i++) {
4322                 if (ctypes[i] == check_type) {
4323                     rv |= CERT_PKEY_CERT_TYPE;
4324                     break;
4325                 }
4326             }
4327             if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4328                 goto end;
4329         } else
4330             rv |= CERT_PKEY_CERT_TYPE;
4331 
4332         ca_dn = s->s3->tmp.ca_names;
4333 
4334         if (!sk_X509_NAME_num(ca_dn))
4335             rv |= CERT_PKEY_ISSUER_NAME;
4336 
4337         if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4338             if (ssl_check_ca_name(ca_dn, x))
4339                 rv |= CERT_PKEY_ISSUER_NAME;
4340         }
4341         if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4342             for (i = 0; i < sk_X509_num(chain); i++) {
4343                 X509 *xtmp = sk_X509_value(chain, i);
4344                 if (ssl_check_ca_name(ca_dn, xtmp)) {
4345                     rv |= CERT_PKEY_ISSUER_NAME;
4346                     break;
4347                 }
4348             }
4349         }
4350         if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4351             goto end;
4352     } else
4353         rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4354 
4355     if (!check_flags || (rv & check_flags) == check_flags)
4356         rv |= CERT_PKEY_VALID;
4357 
4358  end:
4359 
4360     if (TLS1_get_version(s) >= TLS1_2_VERSION) {
4361         if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4362             rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
4363         else if (cpk->digest)
4364             rv |= CERT_PKEY_SIGN;
4365     } else
4366         rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4367 
4368     /*
4369      * When checking a CERT_PKEY structure all flags are irrelevant if the
4370      * chain is invalid.
4371      */
4372     if (!check_flags) {
4373         if (rv & CERT_PKEY_VALID)
4374             cpk->valid_flags = rv;
4375         else {
4376             /* Preserve explicit sign flag, clear rest */
4377             cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4378             return 0;
4379         }
4380     }
4381     return rv;
4382 }
4383 
4384 /* Set validity of certificates in an SSL structure */
4385 void tls1_set_cert_validity(SSL *s)
4386 {
4387     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4388     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4389     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4390     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4391     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4392     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4393 }
4394 
4395 /* User level utiity function to check a chain is suitable */
4396 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4397 {
4398     return tls1_check_chain(s, x, pk, chain, -1);
4399 }
4400 
4401 #endif
4402