2 files changed, 88 insertions, 94 deletions
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 7e4aba7f23..38f7fcfe7b 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.56 2014/09/22 14:26:22 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.57 2014/09/26 14:58:42 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -349,6 +349,20 @@ tls1_ec_nid2curve_id(int nid)
        }
 }
+static void
+tls1_get_formatlist(SSL *s, const unsigned char **pformats, size_t *pformatslen)
+{
+        /*
+         * If we have a custom point format list use it, otherwise use default.
+         */
+        *pformats = s->tlsext_ecpointformatlist;
+        *pformatslen = s->tlsext_ecpointformatlist_length;
+        if (*pformats == NULL) {
+                *pformats = ecformats_default;
+                *pformatslen = sizeof(ecformats_default);
+        }
+}
 /*
 * List of supported signature algorithms and hashes. Should make this
 * customisable at some point, for now include everything we support.
@@ -486,20 +500,11 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                /*
                 * Add TLS extension ECPointFormats to the ClientHello message.
                 */
-                size_t lenmax;
                const unsigned char *plist;
                size_t plistlen;
+                size_t lenmax;
-                /*
+                tls1_get_formatlist(s, &plist, &plistlen);
-                 * If we have a custom point format list use it otherwise
-                 * use default.
-                 */
-                plist = s->tlsext_ecpointformatlist;
-                plistlen = s->tlsext_ecpointformatlist_length;
-                if (plist == NULL) {
-                        plist = ecformats_default;
-                        plistlen = sizeof(ecformats_default);
-                }
                if ((size_t)(limit - ret) < 5)
                        return NULL;
@@ -723,12 +728,19 @@ skip_ext:
 unsigned char *
 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 {
-        int extdatalen = 0;
+        int using_ecc, extdatalen = 0;
+        unsigned long alg_a, alg_k;
        unsigned char *ret = p;
 #ifndef OPENSSL_NO_NEXTPROTONEG
        int next_proto_neg_seen;
 #endif
+        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+        using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
+            alg_a & SSL_aECDSA) &&
+            s->session->tlsext_ecpointformatlist != NULL;
        /* don't add extensions for SSLv3, unless doing secure renegotiation */
        if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
                return p;
@@ -770,32 +782,39 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                ret += el;
        }
-        if (s->tlsext_ecpointformatlist != NULL &&
+        if (using_ecc && s->version != DTLS1_VERSION) {
-            s->version != DTLS1_VERSION) {
+                /*
-                /* Add TLS extension ECPointFormats to the ServerHello message */
+                 * Add TLS extension ECPointFormats to the ServerHello message.
+                 */
+                const unsigned char *plist;
+                size_t plistlen;
                size_t lenmax;
+                tls1_get_formatlist(s, &plist, &plistlen);
                if ((size_t)(limit - ret) < 5)
                        return NULL;
                lenmax = limit - ret - 5;
-                if (s->tlsext_ecpointformatlist_length > lenmax)
+                if (plistlen > lenmax)
                        return NULL;
-                if (s->tlsext_ecpointformatlist_length > 255) {
+                if (plistlen > 255) {
                        SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
                            ERR_R_INTERNAL_ERROR);
                        return NULL;
                }
                s2n(TLSEXT_TYPE_ec_point_formats, ret);
-                s2n(s->tlsext_ecpointformatlist_length + 1, ret);
+                s2n(plistlen + 1, ret);
-                *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
+                *(ret++) = (unsigned char)plistlen;
-                memcpy(ret, s->tlsext_ecpointformatlist,
+                memcpy(ret, plist, plistlen);
-                    s->tlsext_ecpointformatlist_length);
+                ret += plistlen;
-                ret += s->tlsext_ecpointformatlist_length;
        }
-        /* Currently the server should not respond with a SupportedCurves extension */
+        /*
+         * Currently the server should not respond with a SupportedCurves
+         * extension.
+         */
        if (s->tlsext_ticket_expected &&
            !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
@@ -1526,28 +1545,6 @@ ssl_prepare_clienthello_tlsext(SSL *s)
 int
 ssl_prepare_serverhello_tlsext(SSL *s)
 {
-        /* If we are server and using an ECC cipher suite, send the point formats we support
-         * if the client sent us an ECPointsFormat extension.  Note that the server is not
-         * supposed to send an EllipticCurves extension.
-         */
-        unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-        unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
-        int using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
-        using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
-        if (using_ecc) {
-                free(s->tlsext_ecpointformatlist);
-                if ((s->tlsext_ecpointformatlist = malloc(3)) == NULL) {
-                        SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
-                        return -1;
-                }
-                s->tlsext_ecpointformatlist_length = 3;
-                s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
-                s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
-                s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
-        }
        return 1;
 }
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 7e4aba7f23..38f7fcfe7b 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.56 2014/09/22 14:26:22 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.57 2014/09/26 14:58:42 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -349,6 +349,20 @@ tls1_ec_nid2curve_id(int nid)
        }
 }
+static void
+tls1_get_formatlist(SSL *s, const unsigned char **pformats, size_t *pformatslen)
+{
+        /*
+         * If we have a custom point format list use it, otherwise use default.
+         */
+        *pformats = s->tlsext_ecpointformatlist;
+        *pformatslen = s->tlsext_ecpointformatlist_length;
+        if (*pformats == NULL) {
+                *pformats = ecformats_default;
+                *pformatslen = sizeof(ecformats_default);
+        }
+}
 /*
 * List of supported signature algorithms and hashes. Should make this
 * customisable at some point, for now include everything we support.
@@ -486,20 +500,11 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                /*
                 * Add TLS extension ECPointFormats to the ClientHello message.
                 */
-                size_t lenmax;
                const unsigned char *plist;
                size_t plistlen;
+                size_t lenmax;
-                /*
+                tls1_get_formatlist(s, &plist, &plistlen);
-                 * If we have a custom point format list use it otherwise
-                 * use default.
-                 */
-                plist = s->tlsext_ecpointformatlist;
-                plistlen = s->tlsext_ecpointformatlist_length;
-                if (plist == NULL) {
-                        plist = ecformats_default;
-                        plistlen = sizeof(ecformats_default);
-                }
                if ((size_t)(limit - ret) < 5)
                        return NULL;
@@ -723,12 +728,19 @@ skip_ext:
 unsigned char *
 ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 {
-        int extdatalen = 0;
+        int using_ecc, extdatalen = 0;
+        unsigned long alg_a, alg_k;
        unsigned char *ret = p;
 #ifndef OPENSSL_NO_NEXTPROTONEG
        int next_proto_neg_seen;
 #endif
+        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+        using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe) ||
+            alg_a & SSL_aECDSA) &&
+            s->session->tlsext_ecpointformatlist != NULL;
        /* don't add extensions for SSLv3, unless doing secure renegotiation */
        if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
                return p;
@@ -770,32 +782,39 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                ret += el;
        }
-        if (s->tlsext_ecpointformatlist != NULL &&
+        if (using_ecc && s->version != DTLS1_VERSION) {
-            s->version != DTLS1_VERSION) {
+                /*
-                /* Add TLS extension ECPointFormats to the ServerHello message */
+                 * Add TLS extension ECPointFormats to the ServerHello message.
+                 */
+                const unsigned char *plist;
+                size_t plistlen;
                size_t lenmax;
+                tls1_get_formatlist(s, &plist, &plistlen);
                if ((size_t)(limit - ret) < 5)
                        return NULL;
                lenmax = limit - ret - 5;
-                if (s->tlsext_ecpointformatlist_length > lenmax)
+                if (plistlen > lenmax)
                        return NULL;
-                if (s->tlsext_ecpointformatlist_length > 255) {
+                if (plistlen > 255) {
                        SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
                            ERR_R_INTERNAL_ERROR);
                        return NULL;
                }
                s2n(TLSEXT_TYPE_ec_point_formats, ret);
-                s2n(s->tlsext_ecpointformatlist_length + 1, ret);
+                s2n(plistlen + 1, ret);
-                *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
+                *(ret++) = (unsigned char)plistlen;
-                memcpy(ret, s->tlsext_ecpointformatlist,
+                memcpy(ret, plist, plistlen);
-                    s->tlsext_ecpointformatlist_length);
+                ret += plistlen;
-                ret += s->tlsext_ecpointformatlist_length;
        }
-        /* Currently the server should not respond with a SupportedCurves extension */
+        /*
+         * Currently the server should not respond with a SupportedCurves
+         * extension.
+         */
        if (s->tlsext_ticket_expected &&
            !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
@@ -1526,28 +1545,6 @@ ssl_prepare_clienthello_tlsext(SSL *s)
 int
 ssl_prepare_serverhello_tlsext(SSL *s)
 {
-        /* If we are server and using an ECC cipher suite, send the point formats we support
-         * if the client sent us an ECPointsFormat extension.  Note that the server is not
-         * supposed to send an EllipticCurves extension.
-         */
-        unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-        unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
-        int using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
-        using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
-        if (using_ecc) {
-                free(s->tlsext_ecpointformatlist);
-                if ((s->tlsext_ecpointformatlist = malloc(3)) == NULL) {
-                        SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
-                        return -1;
-                }
-                s->tlsext_ecpointformatlist_length = 3;
-                s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
-                s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
-                s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
-        }
        return 1;
 }

diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index 7e4aba7f23..38f7fcfe7b 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.56 2014/09/22 14:26:22 jsing Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.57 2014/09/26 14:58:42 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -349,6 +349,20 @@ tls1_ec_nid2curve_id(int nid)
349	}	349	}
350	}	350	}
351		351
		352	static void
		353	tls1_get_formatlist(SSL s, const unsigned char pformats, size_t pformatslen)
		354	{
		355	/*
		356	* If we have a custom point format list use it, otherwise use default.
		357	*/
		358	*pformats = s->tlsext_ecpointformatlist;
		359	*pformatslen = s->tlsext_ecpointformatlist_length;
		360	if (*pformats == NULL) {
		361	*pformats = ecformats_default;
		362	*pformatslen = sizeof(ecformats_default);
		363	}
		364	}
		365
352	/*	366	/*
353	* List of supported signature algorithms and hashes. Should make this	367	* List of supported signature algorithms and hashes. Should make this
354	* customisable at some point, for now include everything we support.	368	* customisable at some point, for now include everything we support.
@@ -486,20 +500,11 @@ ssl_add_clienthello_tlsext(SSL s, unsigned char p, unsigned char *limit)
486	/*	500	/*
487	* Add TLS extension ECPointFormats to the ClientHello message.	501	* Add TLS extension ECPointFormats to the ClientHello message.
488	*/	502	*/
489	size_t lenmax;
490	const unsigned char *plist;	503	const unsigned char *plist;
491	size_t plistlen;	504	size_t plistlen;
		505	size_t lenmax;
492		506
493	/*	507	tls1_get_formatlist(s, &plist, &plistlen);
494	* If we have a custom point format list use it otherwise
495	* use default.
496	*/
497	plist = s->tlsext_ecpointformatlist;
498	plistlen = s->tlsext_ecpointformatlist_length;
499	if (plist == NULL) {
500	plist = ecformats_default;
501	plistlen = sizeof(ecformats_default);
502	}
503		508
504	if ((size_t)(limit - ret) < 5)	509	if ((size_t)(limit - ret) < 5)
505	return NULL;	510	return NULL;
@@ -723,12 +728,19 @@ skip_ext:
723	unsigned char *	728	unsigned char *
724	ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char *limit)	729	ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char *limit)
725	{	730	{
726	int extdatalen = 0;	731	int using_ecc, extdatalen = 0;
		732	unsigned long alg_a, alg_k;
727	unsigned char *ret = p;	733	unsigned char *ret = p;
728	#ifndef OPENSSL_NO_NEXTPROTONEG	734	#ifndef OPENSSL_NO_NEXTPROTONEG
729	int next_proto_neg_seen;	735	int next_proto_neg_seen;
730	#endif	736	#endif
731		737
		738	alg_a = s->s3->tmp.new_cipher->algorithm_auth;
		739	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
		740	using_ecc = (alg_k & (SSL_kECDHE\|SSL_kECDHr\|SSL_kECDHe) \|\|
		741	alg_a & SSL_aECDSA) &&
		742	s->session->tlsext_ecpointformatlist != NULL;
		743
732	/* don't add extensions for SSLv3, unless doing secure renegotiation */	744	/* don't add extensions for SSLv3, unless doing secure renegotiation */
733	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)	745	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
734	return p;	746	return p;
@@ -770,32 +782,39 @@ ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char *limit)
770	ret += el;	782	ret += el;
771	}	783	}
772		784
773	if (s->tlsext_ecpointformatlist != NULL &&	785	if (using_ecc && s->version != DTLS1_VERSION) {
774	s->version != DTLS1_VERSION) {	786	/*
775	/* Add TLS extension ECPointFormats to the ServerHello message */	787	* Add TLS extension ECPointFormats to the ServerHello message.
		788	*/
		789	const unsigned char *plist;
		790	size_t plistlen;
776	size_t lenmax;	791	size_t lenmax;
777		792
		793	tls1_get_formatlist(s, &plist, &plistlen);
		794
778	if ((size_t)(limit - ret) < 5)	795	if ((size_t)(limit - ret) < 5)
779	return NULL;	796	return NULL;
780		797
781	lenmax = limit - ret - 5;	798	lenmax = limit - ret - 5;
782	if (s->tlsext_ecpointformatlist_length > lenmax)	799	if (plistlen > lenmax)
783	return NULL;	800	return NULL;
784	if (s->tlsext_ecpointformatlist_length > 255) {	801	if (plistlen > 255) {
785	SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,	802	SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
786	ERR_R_INTERNAL_ERROR);	803	ERR_R_INTERNAL_ERROR);
787	return NULL;	804	return NULL;
788	}	805	}
789		806
790	s2n(TLSEXT_TYPE_ec_point_formats, ret);	807	s2n(TLSEXT_TYPE_ec_point_formats, ret);
791	s2n(s->tlsext_ecpointformatlist_length + 1, ret);	808	s2n(plistlen + 1, ret);
792	*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;	809	*(ret++) = (unsigned char)plistlen;
793	memcpy(ret, s->tlsext_ecpointformatlist,	810	memcpy(ret, plist, plistlen);
794	s->tlsext_ecpointformatlist_length);	811	ret += plistlen;
795	ret += s->tlsext_ecpointformatlist_length;
796
797	}	812	}
798	/* Currently the server should not respond with a SupportedCurves extension */	813
		814	/*
		815	* Currently the server should not respond with a SupportedCurves
		816	* extension.
		817	*/
799		818
800	if (s->tlsext_ticket_expected &&	819	if (s->tlsext_ticket_expected &&
801	!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {	820	!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
@@ -1526,28 +1545,6 @@ ssl_prepare_clienthello_tlsext(SSL *s)
1526	int	1545	int
1527	ssl_prepare_serverhello_tlsext(SSL *s)	1546	ssl_prepare_serverhello_tlsext(SSL *s)
1528	{	1547	{
1529	/* If we are server and using an ECC cipher suite, send the point formats we support
1530	* if the client sent us an ECPointsFormat extension. Note that the server is not
1531	* supposed to send an EllipticCurves extension.
1532	*/
1533
1534	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1535	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1536	int using_ecc = (alg_k & (SSL_kECDHE\|SSL_kECDHr\|SSL_kECDHe)) \|\| (alg_a & SSL_aECDSA);
1537	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1538
1539	if (using_ecc) {
1540	free(s->tlsext_ecpointformatlist);
1541	if ((s->tlsext_ecpointformatlist = malloc(3)) == NULL) {
1542	SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1543	return -1;
1544	}
1545	s->tlsext_ecpointformatlist_length = 3;
1546	s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1547	s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1548	s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1549	}
1550
1551	return 1;	1548	return 1;
1552	}	1549	}
1553		1550


diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 7e4aba7f23..38f7fcfe7b 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.56 2014/09/22 14:26:22 jsing Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.57 2014/09/26 14:58:42 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -349,6 +349,20 @@ tls1_ec_nid2curve_id(int nid)
349	}	349	}
350	}	350	}
351		351
		352	static void
		353	tls1_get_formatlist(SSL s, const unsigned char pformats, size_t pformatslen)
		354	{
		355	/*
		356	* If we have a custom point format list use it, otherwise use default.
		357	*/
		358	*pformats = s->tlsext_ecpointformatlist;
		359	*pformatslen = s->tlsext_ecpointformatlist_length;
		360	if (*pformats == NULL) {
		361	*pformats = ecformats_default;
		362	*pformatslen = sizeof(ecformats_default);
		363	}
		364	}
		365
352	/*	366	/*
353	* List of supported signature algorithms and hashes. Should make this	367	* List of supported signature algorithms and hashes. Should make this
354	* customisable at some point, for now include everything we support.	368	* customisable at some point, for now include everything we support.
@@ -486,20 +500,11 @@ ssl_add_clienthello_tlsext(SSL s, unsigned char p, unsigned char *limit)
486	/*	500	/*
487	* Add TLS extension ECPointFormats to the ClientHello message.	501	* Add TLS extension ECPointFormats to the ClientHello message.
488	*/	502	*/
489	size_t lenmax;
490	const unsigned char *plist;	503	const unsigned char *plist;
491	size_t plistlen;	504	size_t plistlen;
		505	size_t lenmax;
492		506
493	/*	507	tls1_get_formatlist(s, &plist, &plistlen);
494	* If we have a custom point format list use it otherwise
495	* use default.
496	*/
497	plist = s->tlsext_ecpointformatlist;
498	plistlen = s->tlsext_ecpointformatlist_length;
499	if (plist == NULL) {
500	plist = ecformats_default;
501	plistlen = sizeof(ecformats_default);
502	}
503		508
504	if ((size_t)(limit - ret) < 5)	509	if ((size_t)(limit - ret) < 5)
505	return NULL;	510	return NULL;
@@ -723,12 +728,19 @@ skip_ext:
723	unsigned char *	728	unsigned char *
724	ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char *limit)	729	ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char *limit)
725	{	730	{
726	int extdatalen = 0;	731	int using_ecc, extdatalen = 0;
		732	unsigned long alg_a, alg_k;
727	unsigned char *ret = p;	733	unsigned char *ret = p;
728	#ifndef OPENSSL_NO_NEXTPROTONEG	734	#ifndef OPENSSL_NO_NEXTPROTONEG
729	int next_proto_neg_seen;	735	int next_proto_neg_seen;
730	#endif	736	#endif
731		737
		738	alg_a = s->s3->tmp.new_cipher->algorithm_auth;
		739	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
		740	using_ecc = (alg_k & (SSL_kECDHE\|SSL_kECDHr\|SSL_kECDHe) \|\|
		741	alg_a & SSL_aECDSA) &&
		742	s->session->tlsext_ecpointformatlist != NULL;
		743
732	/* don't add extensions for SSLv3, unless doing secure renegotiation */	744	/* don't add extensions for SSLv3, unless doing secure renegotiation */
733	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)	745	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
734	return p;	746	return p;
@@ -770,32 +782,39 @@ ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char *limit)
770	ret += el;	782	ret += el;
771	}	783	}
772		784
773	if (s->tlsext_ecpointformatlist != NULL &&	785	if (using_ecc && s->version != DTLS1_VERSION) {
774	s->version != DTLS1_VERSION) {	786	/*
775	/* Add TLS extension ECPointFormats to the ServerHello message */	787	* Add TLS extension ECPointFormats to the ServerHello message.
		788	*/
		789	const unsigned char *plist;
		790	size_t plistlen;
776	size_t lenmax;	791	size_t lenmax;
777		792
		793	tls1_get_formatlist(s, &plist, &plistlen);
		794
778	if ((size_t)(limit - ret) < 5)	795	if ((size_t)(limit - ret) < 5)
779	return NULL;	796	return NULL;
780		797
781	lenmax = limit - ret - 5;	798	lenmax = limit - ret - 5;
782	if (s->tlsext_ecpointformatlist_length > lenmax)	799	if (plistlen > lenmax)
783	return NULL;	800	return NULL;
784	if (s->tlsext_ecpointformatlist_length > 255) {	801	if (plistlen > 255) {
785	SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,	802	SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
786	ERR_R_INTERNAL_ERROR);	803	ERR_R_INTERNAL_ERROR);
787	return NULL;	804	return NULL;
788	}	805	}
789		806
790	s2n(TLSEXT_TYPE_ec_point_formats, ret);	807	s2n(TLSEXT_TYPE_ec_point_formats, ret);
791	s2n(s->tlsext_ecpointformatlist_length + 1, ret);	808	s2n(plistlen + 1, ret);
792	*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;	809	*(ret++) = (unsigned char)plistlen;
793	memcpy(ret, s->tlsext_ecpointformatlist,	810	memcpy(ret, plist, plistlen);
794	s->tlsext_ecpointformatlist_length);	811	ret += plistlen;
795	ret += s->tlsext_ecpointformatlist_length;
796
797	}	812	}
798	/* Currently the server should not respond with a SupportedCurves extension */	813
		814	/*
		815	* Currently the server should not respond with a SupportedCurves
		816	* extension.
		817	*/
799		818
800	if (s->tlsext_ticket_expected &&	819	if (s->tlsext_ticket_expected &&
801	!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {	820	!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
@@ -1526,28 +1545,6 @@ ssl_prepare_clienthello_tlsext(SSL *s)
1526	int	1545	int
1527	ssl_prepare_serverhello_tlsext(SSL *s)	1546	ssl_prepare_serverhello_tlsext(SSL *s)
1528	{	1547	{
1529	/* If we are server and using an ECC cipher suite, send the point formats we support
1530	* if the client sent us an ECPointsFormat extension. Note that the server is not
1531	* supposed to send an EllipticCurves extension.
1532	*/
1533
1534	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1535	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1536	int using_ecc = (alg_k & (SSL_kECDHE\|SSL_kECDHr\|SSL_kECDHe)) \|\| (alg_a & SSL_aECDSA);
1537	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1538
1539	if (using_ecc) {
1540	free(s->tlsext_ecpointformatlist);
1541	if ((s->tlsext_ecpointformatlist = malloc(3)) == NULL) {
1542	SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT, ERR_R_MALLOC_FAILURE);
1543	return -1;
1544	}
1545	s->tlsext_ecpointformatlist_length = 3;
1546	s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1547	s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1548	s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1549	}
1550
1551	return 1;	1548	return 1;
1552	}	1549	}
1553		1550