Home | History | Annotate | Download | only in ssl
      1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
      2  * All rights reserved.
      3  *
      4  * This package is an SSL implementation written
      5  * by Eric Young (eay (at) cryptsoft.com).
      6  * The implementation was written so as to conform with Netscapes SSL.
      7  *
      8  * This library is free for commercial and non-commercial use as long as
      9  * the following conditions are aheared to.  The following conditions
     10  * apply to all code found in this distribution, be it the RC4, RSA,
     11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     12  * included with this distribution is covered by the same copyright terms
     13  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     14  *
     15  * Copyright remains Eric Young's, and as such any Copyright notices in
     16  * the code are not to be removed.
     17  * If this package is used in a product, Eric Young should be given attribution
     18  * as the author of the parts of the library used.
     19  * This can be in the form of a textual message at program startup or
     20  * in documentation (online or textual) provided with the package.
     21  *
     22  * Redistribution and use in source and binary forms, with or without
     23  * modification, are permitted provided that the following conditions
     24  * are met:
     25  * 1. Redistributions of source code must retain the copyright
     26  *    notice, this list of conditions and the following disclaimer.
     27  * 2. Redistributions in binary form must reproduce the above copyright
     28  *    notice, this list of conditions and the following disclaimer in the
     29  *    documentation and/or other materials provided with the distribution.
     30  * 3. All advertising materials mentioning features or use of this software
     31  *    must display the following acknowledgement:
     32  *    "This product includes cryptographic software written by
     33  *     Eric Young (eay (at) cryptsoft.com)"
     34  *    The word 'cryptographic' can be left out if the rouines from the library
     35  *    being used are not cryptographic related :-).
     36  * 4. If you include any Windows specific code (or a derivative thereof) from
     37  *    the apps directory (application code) you must include an acknowledgement:
     38  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     39  *
     40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     50  * SUCH DAMAGE.
     51  *
     52  * The licence and distribution terms for any publically available version or
     53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
     54  * copied and put under another distribution licence
     55  * [including the GNU Public Licence.]
     56  */
     57 /* ====================================================================
     58  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
     59  *
     60  * Redistribution and use in source and binary forms, with or without
     61  * modification, are permitted provided that the following conditions
     62  * are met:
     63  *
     64  * 1. Redistributions of source code must retain the above copyright
     65  *    notice, this list of conditions and the following disclaimer.
     66  *
     67  * 2. Redistributions in binary form must reproduce the above copyright
     68  *    notice, this list of conditions and the following disclaimer in
     69  *    the documentation and/or other materials provided with the
     70  *    distribution.
     71  *
     72  * 3. All advertising materials mentioning features or use of this
     73  *    software must display the following acknowledgment:
     74  *    "This product includes software developed by the OpenSSL Project
     75  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
     76  *
     77  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     78  *    endorse or promote products derived from this software without
     79  *    prior written permission. For written permission, please contact
     80  *    openssl-core (at) openssl.org.
     81  *
     82  * 5. Products derived from this software may not be called "OpenSSL"
     83  *    nor may "OpenSSL" appear in their names without prior written
     84  *    permission of the OpenSSL Project.
     85  *
     86  * 6. Redistributions of any form whatsoever must retain the following
     87  *    acknowledgment:
     88  *    "This product includes software developed by the OpenSSL Project
     89  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
     90  *
     91  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     92  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     93  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     94  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     95  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     96  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     97  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     98  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     99  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    100  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    101  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    102  * OF THE POSSIBILITY OF SUCH DAMAGE.
    103  * ====================================================================
    104  *
    105  * This product includes cryptographic software written by Eric Young
    106  * (eay (at) cryptsoft.com).  This product includes software written by Tim
    107  * Hudson (tjh (at) cryptsoft.com).
    108  *
    109  */
    110 /* ====================================================================
    111  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
    112  *
    113  * Portions of the attached software ("Contribution") are developed by
    114  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
    115  *
    116  * The Contribution is licensed pursuant to the OpenSSL open source
    117  * license provided above.
    118  *
    119  * ECC cipher suite support in OpenSSL originally written by
    120  * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
    121  *
    122  */
    123 /* ====================================================================
    124  * Copyright 2005 Nokia. All rights reserved.
    125  *
    126  * The portions of the attached software ("Contribution") is developed by
    127  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
    128  * license.
    129  *
    130  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
    131  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
    132  * support (see RFC 4279) to OpenSSL.
    133  *
    134  * No patent licenses or other rights except those expressly stated in
    135  * the OpenSSL open source license shall be deemed granted or received
    136  * expressly, by implication, estoppel, or otherwise.
    137  *
    138  * No assurances are provided by Nokia that the Contribution does not
    139  * infringe the patent or other intellectual property rights of any third
    140  * party or that the license provides you with all the necessary rights
    141  * to make use of the Contribution.
    142  *
    143  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
    144  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
    145  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
    146  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
    147  * OTHERWISE. */
    148 
    149 #include <openssl/ssl.h>
    150 
    151 #include <assert.h>
    152 #include <stdio.h>
    153 #include <string.h>
    154 
    155 #include <openssl/buf.h>
    156 #include <openssl/dh.h>
    157 #include <openssl/digest.h>
    158 #include <openssl/err.h>
    159 #include <openssl/md5.h>
    160 #include <openssl/mem.h>
    161 #include <openssl/obj.h>
    162 
    163 #include "internal.h"
    164 
    165 
    166 const SSL3_ENC_METHOD SSLv3_enc_data = {
    167     ssl3_prf,
    168     tls1_setup_key_block,
    169     tls1_generate_master_secret,
    170     tls1_change_cipher_state,
    171     ssl3_final_finish_mac,
    172     ssl3_cert_verify_mac,
    173     SSL3_MD_CLIENT_FINISHED_CONST, 4,
    174     SSL3_MD_SERVER_FINISHED_CONST, 4,
    175     ssl3_alert_code,
    176     tls1_export_keying_material,
    177     0,
    178 };
    179 
    180 int ssl3_supports_cipher(const SSL_CIPHER *cipher) {
    181   return 1;
    182 }
    183 
    184 int ssl3_set_handshake_header(SSL *ssl, int htype, unsigned long len) {
    185   uint8_t *p = (uint8_t *)ssl->init_buf->data;
    186   *(p++) = htype;
    187   l2n3(len, p);
    188   ssl->init_num = (int)len + SSL3_HM_HEADER_LENGTH;
    189   ssl->init_off = 0;
    190 
    191   /* Add the message to the handshake hash. */
    192   return ssl3_update_handshake_hash(ssl, (uint8_t *)ssl->init_buf->data,
    193                                     ssl->init_num);
    194 }
    195 
    196 int ssl3_handshake_write(SSL *ssl) {
    197   return ssl3_do_write(ssl, SSL3_RT_HANDSHAKE);
    198 }
    199 
    200 int ssl3_new(SSL *ssl) {
    201   SSL3_STATE *s3;
    202 
    203   s3 = OPENSSL_malloc(sizeof *s3);
    204   if (s3 == NULL) {
    205     goto err;
    206   }
    207   memset(s3, 0, sizeof *s3);
    208 
    209   EVP_MD_CTX_init(&s3->handshake_hash);
    210   EVP_MD_CTX_init(&s3->handshake_md5);
    211 
    212   ssl->s3 = s3;
    213 
    214   /* Set the version to the highest supported version for TLS. This controls the
    215    * initial state of |ssl->enc_method| and what the API reports as the version
    216    * prior to negotiation.
    217    *
    218    * TODO(davidben): This is fragile and confusing. */
    219   ssl->version = TLS1_2_VERSION;
    220   return 1;
    221 err:
    222   return 0;
    223 }
    224 
    225 void ssl3_free(SSL *ssl) {
    226   if (ssl == NULL || ssl->s3 == NULL) {
    227     return;
    228   }
    229 
    230   ssl3_cleanup_key_block(ssl);
    231   ssl_read_buffer_clear(ssl);
    232   ssl_write_buffer_clear(ssl);
    233   SSL_ECDH_CTX_cleanup(&ssl->s3->tmp.ecdh_ctx);
    234   OPENSSL_free(ssl->s3->tmp.peer_key);
    235 
    236   sk_X509_NAME_pop_free(ssl->s3->tmp.ca_names, X509_NAME_free);
    237   OPENSSL_free(ssl->s3->tmp.certificate_types);
    238   OPENSSL_free(ssl->s3->tmp.peer_ellipticcurvelist);
    239   OPENSSL_free(ssl->s3->tmp.peer_psk_identity_hint);
    240   ssl3_free_handshake_buffer(ssl);
    241   ssl3_free_handshake_hash(ssl);
    242   OPENSSL_free(ssl->s3->alpn_selected);
    243 
    244   OPENSSL_cleanse(ssl->s3, sizeof *ssl->s3);
    245   OPENSSL_free(ssl->s3);
    246   ssl->s3 = NULL;
    247 }
    248 
    249 int SSL_session_reused(const SSL *ssl) {
    250   return ssl->hit;
    251 }
    252 
    253 int SSL_total_renegotiations(const SSL *ssl) {
    254   return ssl->s3->total_renegotiations;
    255 }
    256 
    257 int SSL_num_renegotiations(const SSL *ssl) {
    258   return SSL_total_renegotiations(ssl);
    259 }
    260 
    261 int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx) {
    262   return 0;
    263 }
    264 
    265 int SSL_need_rsa(const SSL *ssl) {
    266   return 0;
    267 }
    268 
    269 int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa) {
    270   return 1;
    271 }
    272 
    273 int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) {
    274   return 1;
    275 }
    276 
    277 int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) {
    278   DH_free(ctx->cert->dh_tmp);
    279   ctx->cert->dh_tmp = DHparams_dup(dh);
    280   if (ctx->cert->dh_tmp == NULL) {
    281     OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);
    282     return 0;
    283   }
    284   return 1;
    285 }
    286 
    287 int SSL_set_tmp_dh(SSL *ssl, const DH *dh) {
    288   DH_free(ssl->cert->dh_tmp);
    289   ssl->cert->dh_tmp = DHparams_dup(dh);
    290   if (ssl->cert->dh_tmp == NULL) {
    291     OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);
    292     return 0;
    293   }
    294   return 1;
    295 }
    296 
    297 int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key) {
    298   if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
    299     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
    300     return 0;
    301   }
    302   int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
    303   return SSL_CTX_set1_curves(ctx, &nid, 1);
    304 }
    305 
    306 int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) {
    307   if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
    308     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
    309     return 0;
    310   }
    311   int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
    312   return SSL_set1_curves(ssl, &nid, 1);
    313 }
    314 
    315 int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) {
    316   ctx->tlsext_channel_id_enabled = 1;
    317   return 1;
    318 }
    319 
    320 int SSL_enable_tls_channel_id(SSL *ssl) {
    321   ssl->tlsext_channel_id_enabled = 1;
    322   return 1;
    323 }
    324 
    325 int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) {
    326   ctx->tlsext_channel_id_enabled = 1;
    327   if (EVP_PKEY_id(private_key) != EVP_PKEY_EC ||
    328       EVP_PKEY_bits(private_key) != 256) {
    329     OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256);
    330     return 0;
    331   }
    332   EVP_PKEY_free(ctx->tlsext_channel_id_private);
    333   ctx->tlsext_channel_id_private = EVP_PKEY_up_ref(private_key);
    334   return 1;
    335 }
    336 
    337 int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) {
    338   EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(private_key);
    339   if (ec_key == NULL ||
    340       EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) !=
    341           NID_X9_62_prime256v1) {
    342     OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256);
    343     return 0;
    344   }
    345 
    346   EVP_PKEY_free(ssl->tlsext_channel_id_private);
    347   ssl->tlsext_channel_id_private = EVP_PKEY_up_ref(private_key);
    348   ssl->tlsext_channel_id_enabled = 1;
    349 
    350   return 1;
    351 }
    352 
    353 size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) {
    354   if (!ssl->s3->tlsext_channel_id_valid) {
    355     return 0;
    356   }
    357   memcpy(out, ssl->s3->tlsext_channel_id, (max_out < 64) ? max_out : 64);
    358   return 64;
    359 }
    360 
    361 int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
    362   OPENSSL_free(ssl->tlsext_hostname);
    363   ssl->tlsext_hostname = NULL;
    364 
    365   if (name == NULL) {
    366     return 1;
    367   }
    368   if (strlen(name) > TLSEXT_MAXLEN_host_name) {
    369     OPENSSL_PUT_ERROR(SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
    370     return 0;
    371   }
    372   ssl->tlsext_hostname = BUF_strdup(name);
    373   if (ssl->tlsext_hostname == NULL) {
    374     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
    375     return 0;
    376   }
    377   return 1;
    378 }
    379 
    380 size_t SSL_get0_certificate_types(SSL *ssl, const uint8_t **out_types) {
    381   if (ssl->server || !ssl->s3->tmp.cert_req) {
    382     *out_types = NULL;
    383     return 0;
    384   }
    385   *out_types = ssl->s3->tmp.certificate_types;
    386   return ssl->s3->tmp.num_certificate_types;
    387 }
    388 
    389 int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, size_t curves_len) {
    390   return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
    391                          &ctx->tlsext_ellipticcurvelist_length, curves,
    392                          curves_len);
    393 }
    394 
    395 int SSL_set1_curves(SSL *ssl, const int *curves, size_t curves_len) {
    396   return tls1_set_curves(&ssl->tlsext_ellipticcurvelist,
    397                          &ssl->tlsext_ellipticcurvelist_length, curves,
    398                          curves_len);
    399 }
    400 
    401 int SSL_CTX_set_tlsext_servername_callback(
    402     SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)) {
    403   ctx->tlsext_servername_callback = callback;
    404   return 1;
    405 }
    406 
    407 int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {
    408   ctx->tlsext_servername_arg = arg;
    409   return 1;
    410 }
    411 
    412 int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) {
    413   if (out == NULL) {
    414     return 48;
    415   }
    416   if (len != 48) {
    417     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
    418     return 0;
    419   }
    420   uint8_t *out_bytes = out;
    421   memcpy(out_bytes, ctx->tlsext_tick_key_name, 16);
    422   memcpy(out_bytes + 16, ctx->tlsext_tick_hmac_key, 16);
    423   memcpy(out_bytes + 32, ctx->tlsext_tick_aes_key, 16);
    424   return 1;
    425 }
    426 
    427 int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) {
    428   if (in == NULL) {
    429     return 48;
    430   }
    431   if (len != 48) {
    432     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
    433     return 0;
    434   }
    435   const uint8_t *in_bytes = in;
    436   memcpy(ctx->tlsext_tick_key_name, in_bytes, 16);
    437   memcpy(ctx->tlsext_tick_hmac_key, in_bytes + 16, 16);
    438   memcpy(ctx->tlsext_tick_aes_key, in_bytes + 32, 16);
    439   return 1;
    440 }
    441 
    442 int SSL_CTX_set_tlsext_ticket_key_cb(
    443     SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,
    444                                   EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
    445                                   int encrypt)) {
    446   ctx->tlsext_ticket_key_cb = callback;
    447   return 1;
    448 }
    449 
    450 struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(SSL *ssl) {
    451   if (ssl->cipher_list != NULL) {
    452     return ssl->cipher_list;
    453   }
    454 
    455   if (ssl->version >= TLS1_1_VERSION && ssl->ctx != NULL &&
    456       ssl->ctx->cipher_list_tls11 != NULL) {
    457     return ssl->ctx->cipher_list_tls11;
    458   }
    459 
    460   if (ssl->version >= TLS1_VERSION && ssl->ctx != NULL &&
    461       ssl->ctx->cipher_list_tls10 != NULL) {
    462     return ssl->ctx->cipher_list_tls10;
    463   }
    464 
    465   if (ssl->ctx != NULL && ssl->ctx->cipher_list != NULL) {
    466     return ssl->ctx->cipher_list;
    467   }
    468 
    469   return NULL;
    470 }
    471 
    472 const SSL_CIPHER *ssl3_choose_cipher(
    473     SSL *ssl, STACK_OF(SSL_CIPHER) *clnt,
    474     struct ssl_cipher_preference_list_st *server_pref) {
    475   const SSL_CIPHER *c, *ret = NULL;
    476   STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
    477   size_t i;
    478   int ok;
    479   size_t cipher_index;
    480   uint32_t alg_k, alg_a, mask_k, mask_a;
    481   /* in_group_flags will either be NULL, or will point to an array of bytes
    482    * which indicate equal-preference groups in the |prio| stack. See the
    483    * comment about |in_group_flags| in the |ssl_cipher_preference_list_st|
    484    * struct. */
    485   const uint8_t *in_group_flags;
    486   /* group_min contains the minimal index so far found in a group, or -1 if no
    487    * such value exists yet. */
    488   int group_min = -1;
    489 
    490   if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
    491     prio = srvr;
    492     in_group_flags = server_pref->in_group_flags;
    493     allow = clnt;
    494   } else {
    495     prio = clnt;
    496     in_group_flags = NULL;
    497     allow = srvr;
    498   }
    499 
    500   ssl_get_compatible_server_ciphers(ssl, &mask_k, &mask_a);
    501 
    502   for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
    503     c = sk_SSL_CIPHER_value(prio, i);
    504 
    505     ok = 1;
    506 
    507     /* Check the TLS version. */
    508     if (SSL_CIPHER_get_min_version(c) >
    509         ssl3_version_from_wire(ssl, ssl->version)) {
    510       ok = 0;
    511     }
    512 
    513     alg_k = c->algorithm_mkey;
    514     alg_a = c->algorithm_auth;
    515 
    516     ok = ok && (alg_k & mask_k) && (alg_a & mask_a);
    517 
    518     if (ok && sk_SSL_CIPHER_find(allow, &cipher_index, c)) {
    519       if (in_group_flags != NULL && in_group_flags[i] == 1) {
    520         /* This element of |prio| is in a group. Update the minimum index found
    521          * so far and continue looking. */
    522         if (group_min == -1 || (size_t)group_min > cipher_index) {
    523           group_min = cipher_index;
    524         }
    525       } else {
    526         if (group_min != -1 && (size_t)group_min < cipher_index) {
    527           cipher_index = group_min;
    528         }
    529         ret = sk_SSL_CIPHER_value(allow, cipher_index);
    530         break;
    531       }
    532     }
    533 
    534     if (in_group_flags != NULL && in_group_flags[i] == 0 && group_min != -1) {
    535       /* We are about to leave a group, but we found a match in it, so that's
    536        * our answer. */
    537       ret = sk_SSL_CIPHER_value(allow, group_min);
    538       break;
    539     }
    540   }
    541 
    542   return ret;
    543 }
    544 
    545 int ssl3_get_req_cert_type(SSL *ssl, uint8_t *p) {
    546   int ret = 0;
    547   const uint8_t *sig;
    548   size_t i, siglen;
    549   int have_rsa_sign = 0;
    550   int have_ecdsa_sign = 0;
    551 
    552   /* get configured sigalgs */
    553   siglen = tls12_get_psigalgs(ssl, &sig);
    554   for (i = 0; i < siglen; i += 2, sig += 2) {
    555     switch (sig[1]) {
    556       case TLSEXT_signature_rsa:
    557         have_rsa_sign = 1;
    558         break;
    559 
    560       case TLSEXT_signature_ecdsa:
    561         have_ecdsa_sign = 1;
    562         break;
    563     }
    564   }
    565 
    566   if (have_rsa_sign) {
    567     p[ret++] = SSL3_CT_RSA_SIGN;
    568   }
    569 
    570   /* ECDSA certs can be used with RSA cipher suites as well so we don't need to
    571    * check for SSL_kECDH or SSL_kECDHE. */
    572   if (ssl->version >= TLS1_VERSION && have_ecdsa_sign) {
    573       p[ret++] = TLS_CT_ECDSA_SIGN;
    574   }
    575 
    576   return ret;
    577 }
    578 
    579 /* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF and
    580  * handshake macs if required. */
    581 uint32_t ssl_get_algorithm_prf(SSL *ssl) {
    582   uint32_t algorithm_prf = ssl->s3->tmp.new_cipher->algorithm_prf;
    583   if (ssl->enc_method->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
    584       algorithm_prf == SSL_HANDSHAKE_MAC_DEFAULT) {
    585     return SSL_HANDSHAKE_MAC_SHA256;
    586   }
    587   return algorithm_prf;
    588 }
    589