a2e2475d136f33fa26958fd192b8ace158c4899d
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #ifndef OPENSSL_NO_DH
119 #include <openssl/dh.h>
120 #include <openssl/bn.h>
121 #endif
122 #include "ssl_locl.h"
123
124 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
125
126 #ifndef OPENSSL_NO_TLSEXT
127 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
128                                 const unsigned char *sess_id, int sesslen,
129                                 SSL_SESSION **psess);
130 static int ssl_check_clienthello_tlsext_early(SSL *s);
131 int ssl_check_serverhello_tlsext(SSL *s);
132 #endif
133
134 SSL3_ENC_METHOD TLSv1_enc_data={
135         tls1_enc,
136         tls1_mac,
137         tls1_setup_key_block,
138         tls1_generate_master_secret,
139         tls1_change_cipher_state,
140         tls1_final_finish_mac,
141         TLS1_FINISH_MAC_LENGTH,
142         tls1_cert_verify_mac,
143         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
144         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
145         tls1_alert_code,
146         tls1_export_keying_material,
147         0,
148         SSL3_HM_HEADER_LENGTH,
149         ssl3_set_handshake_header,
150         ssl3_handshake_write
151         };
152
153 SSL3_ENC_METHOD TLSv1_1_enc_data={
154         tls1_enc,
155         tls1_mac,
156         tls1_setup_key_block,
157         tls1_generate_master_secret,
158         tls1_change_cipher_state,
159         tls1_final_finish_mac,
160         TLS1_FINISH_MAC_LENGTH,
161         tls1_cert_verify_mac,
162         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
163         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
164         tls1_alert_code,
165         tls1_export_keying_material,
166         SSL_ENC_FLAG_EXPLICIT_IV,
167         SSL3_HM_HEADER_LENGTH,
168         ssl3_set_handshake_header,
169         ssl3_handshake_write
170         };
171
172 SSL3_ENC_METHOD TLSv1_2_enc_data={
173         tls1_enc,
174         tls1_mac,
175         tls1_setup_key_block,
176         tls1_generate_master_secret,
177         tls1_change_cipher_state,
178         tls1_final_finish_mac,
179         TLS1_FINISH_MAC_LENGTH,
180         tls1_cert_verify_mac,
181         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
182         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
183         tls1_alert_code,
184         tls1_export_keying_material,
185         SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
186                 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
187         SSL3_HM_HEADER_LENGTH,
188         ssl3_set_handshake_header,
189         ssl3_handshake_write
190         };
191
192 long tls1_default_timeout(void)
193         {
194         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
195          * is way too long for http, the cache would over fill */
196         return(60*60*2);
197         }
198
199 int tls1_new(SSL *s)
200         {
201         if (!ssl3_new(s)) return(0);
202         s->method->ssl_clear(s);
203         return(1);
204         }
205
206 void tls1_free(SSL *s)
207         {
208 #ifndef OPENSSL_NO_TLSEXT
209         if (s->tlsext_session_ticket)
210                 {
211                 OPENSSL_free(s->tlsext_session_ticket);
212                 }
213 #endif /* OPENSSL_NO_TLSEXT */
214         ssl3_free(s);
215         }
216
217 void tls1_clear(SSL *s)
218         {
219         ssl3_clear(s);
220         s->version = s->method->version;
221         }
222
223 #ifndef OPENSSL_NO_EC
224
225 typedef struct
226         {
227         int nid;                /* Curve NID */
228         int secbits;            /* Bits of security (from SP800-57) */
229         unsigned int flags;     /* Flags: currently just field type */
230         } tls_curve_info;
231
232 #define TLS_CURVE_CHAR2         0x1
233 #define TLS_CURVE_PRIME         0x0
234
235 static tls_curve_info nid_list[] =
236         {
237                 {NID_sect163k1, 80, TLS_CURVE_CHAR2},/* sect163k1 (1) */
238                 {NID_sect163r1, 80, TLS_CURVE_CHAR2},/* sect163r1 (2) */
239                 {NID_sect163r2, 80, TLS_CURVE_CHAR2},/* sect163r2 (3) */
240                 {NID_sect193r1, 80, TLS_CURVE_CHAR2},/* sect193r1 (4) */ 
241                 {NID_sect193r2, 80, TLS_CURVE_CHAR2},/* sect193r2 (5) */ 
242                 {NID_sect233k1, 112, TLS_CURVE_CHAR2},/* sect233k1 (6) */
243                 {NID_sect233r1, 112, TLS_CURVE_CHAR2},/* sect233r1 (7) */ 
244                 {NID_sect239k1, 112, TLS_CURVE_CHAR2},/* sect239k1 (8) */ 
245                 {NID_sect283k1, 128, TLS_CURVE_CHAR2},/* sect283k1 (9) */
246                 {NID_sect283r1, 128, TLS_CURVE_CHAR2},/* sect283r1 (10) */ 
247                 {NID_sect409k1, 192, TLS_CURVE_CHAR2},/* sect409k1 (11) */ 
248                 {NID_sect409r1, 192, TLS_CURVE_CHAR2},/* sect409r1 (12) */
249                 {NID_sect571k1, 256, TLS_CURVE_CHAR2},/* sect571k1 (13) */ 
250                 {NID_sect571r1, 256, TLS_CURVE_CHAR2},/* sect571r1 (14) */ 
251                 {NID_secp160k1, 80, TLS_CURVE_PRIME},/* secp160k1 (15) */
252                 {NID_secp160r1, 80, TLS_CURVE_PRIME},/* secp160r1 (16) */ 
253                 {NID_secp160r2, 80, TLS_CURVE_PRIME},/* secp160r2 (17) */ 
254                 {NID_secp192k1, 80, TLS_CURVE_PRIME},/* secp192k1 (18) */
255                 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME},/* secp192r1 (19) */ 
256                 {NID_secp224k1, 112, TLS_CURVE_PRIME},/* secp224k1 (20) */ 
257                 {NID_secp224r1, 112, TLS_CURVE_PRIME},/* secp224r1 (21) */
258                 {NID_secp256k1, 128, TLS_CURVE_PRIME},/* secp256k1 (22) */ 
259                 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME},/* secp256r1 (23) */ 
260                 {NID_secp384r1, 192, TLS_CURVE_PRIME},/* secp384r1 (24) */
261                 {NID_secp521r1, 256, TLS_CURVE_PRIME},/* secp521r1 (25) */      
262                 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ 
263                 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ 
264                 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME},/* brainpool512r1 (28) */   
265         };
266
267
268 static const unsigned char ecformats_default[] = 
269         {
270         TLSEXT_ECPOINTFORMAT_uncompressed,
271         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
272         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
273         };
274
275 static const unsigned char eccurves_default[] =
276         {
277                 0,14, /* sect571r1 (14) */ 
278                 0,13, /* sect571k1 (13) */ 
279                 0,25, /* secp521r1 (25) */      
280                 0,28, /* brainpool512r1 (28) */ 
281                 0,11, /* sect409k1 (11) */ 
282                 0,12, /* sect409r1 (12) */
283                 0,27, /* brainpoolP384r1 (27) */        
284                 0,24, /* secp384r1 (24) */
285                 0,9,  /* sect283k1 (9) */
286                 0,10, /* sect283r1 (10) */ 
287                 0,26, /* brainpoolP256r1 (26) */        
288                 0,22, /* secp256k1 (22) */ 
289                 0,23, /* secp256r1 (23) */ 
290                 0,8,  /* sect239k1 (8) */ 
291                 0,6,  /* sect233k1 (6) */
292                 0,7,  /* sect233r1 (7) */ 
293                 0,20, /* secp224k1 (20) */ 
294                 0,21, /* secp224r1 (21) */
295                 0,4,  /* sect193r1 (4) */ 
296                 0,5,  /* sect193r2 (5) */ 
297                 0,18, /* secp192k1 (18) */
298                 0,19, /* secp192r1 (19) */ 
299                 0,1,  /* sect163k1 (1) */
300                 0,2,  /* sect163r1 (2) */
301                 0,3,  /* sect163r2 (3) */
302                 0,15, /* secp160k1 (15) */
303                 0,16, /* secp160r1 (16) */ 
304                 0,17, /* secp160r2 (17) */ 
305         };
306
307 static const unsigned char suiteb_curves[] =
308         {
309                 0, TLSEXT_curve_P_256,
310                 0, TLSEXT_curve_P_384
311         };
312
313 int tls1_ec_curve_id2nid(int curve_id)
314         {
315         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
316         if ((curve_id < 1) || ((unsigned int)curve_id >
317                                 sizeof(nid_list)/sizeof(nid_list[0])))
318                 return 0;
319         return nid_list[curve_id-1].nid;
320         }
321
322 int tls1_ec_nid2curve_id(int nid)
323         {
324         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
325         switch (nid)
326                 {
327         case NID_sect163k1: /* sect163k1 (1) */
328                 return 1;
329         case NID_sect163r1: /* sect163r1 (2) */
330                 return 2;
331         case NID_sect163r2: /* sect163r2 (3) */
332                 return 3;
333         case NID_sect193r1: /* sect193r1 (4) */ 
334                 return 4;
335         case NID_sect193r2: /* sect193r2 (5) */ 
336                 return 5;
337         case NID_sect233k1: /* sect233k1 (6) */
338                 return 6;
339         case NID_sect233r1: /* sect233r1 (7) */ 
340                 return 7;
341         case NID_sect239k1: /* sect239k1 (8) */ 
342                 return 8;
343         case NID_sect283k1: /* sect283k1 (9) */
344                 return 9;
345         case NID_sect283r1: /* sect283r1 (10) */ 
346                 return 10;
347         case NID_sect409k1: /* sect409k1 (11) */ 
348                 return 11;
349         case NID_sect409r1: /* sect409r1 (12) */
350                 return 12;
351         case NID_sect571k1: /* sect571k1 (13) */ 
352                 return 13;
353         case NID_sect571r1: /* sect571r1 (14) */ 
354                 return 14;
355         case NID_secp160k1: /* secp160k1 (15) */
356                 return 15;
357         case NID_secp160r1: /* secp160r1 (16) */ 
358                 return 16;
359         case NID_secp160r2: /* secp160r2 (17) */ 
360                 return 17;
361         case NID_secp192k1: /* secp192k1 (18) */
362                 return 18;
363         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
364                 return 19;
365         case NID_secp224k1: /* secp224k1 (20) */ 
366                 return 20;
367         case NID_secp224r1: /* secp224r1 (21) */
368                 return 21;
369         case NID_secp256k1: /* secp256k1 (22) */ 
370                 return 22;
371         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
372                 return 23;
373         case NID_secp384r1: /* secp384r1 (24) */
374                 return 24;
375         case NID_secp521r1:  /* secp521r1 (25) */       
376                 return 25;
377         case NID_brainpoolP256r1:  /* brainpoolP256r1 (26) */
378                 return 26;
379         case NID_brainpoolP384r1:  /* brainpoolP384r1 (27) */
380                 return 27;
381         case NID_brainpoolP512r1:  /* brainpool512r1 (28) */
382                 return 28;
383         default:
384                 return 0;
385                 }
386         }
387 /* Get curves list, if "sess" is set return client curves otherwise
388  * preferred list
389  */
390 static void tls1_get_curvelist(SSL *s, int sess,
391                                         const unsigned char **pcurves,
392                                         size_t *pcurveslen)
393         {
394         if (sess)
395                 {
396                 *pcurves = s->session->tlsext_ellipticcurvelist;
397                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
398                 return;
399                 }
400         /* For Suite B mode only include P-256, P-384 */
401         switch (tls1_suiteb(s))
402                 {
403         case SSL_CERT_FLAG_SUITEB_128_LOS:
404                 *pcurves = suiteb_curves;
405                 *pcurveslen = sizeof(suiteb_curves);
406                 break;
407
408         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
409                 *pcurves = suiteb_curves;
410                 *pcurveslen = 2;
411                 break;
412
413         case SSL_CERT_FLAG_SUITEB_192_LOS:
414                 *pcurves = suiteb_curves + 2;
415                 *pcurveslen = 2;
416                 break;
417         default:
418                 *pcurves = s->tlsext_ellipticcurvelist;
419                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
420                 }
421         if (!*pcurves)
422                 {
423                 *pcurves = eccurves_default;
424                 *pcurveslen = sizeof(eccurves_default);
425                 }
426         }
427
428 /* See if curve is allowed by security callback */
429 static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
430         {
431         tls_curve_info *cinfo;
432         if (curve[0])
433                 return 1;
434         if ((curve[1] < 1) || ((size_t)curve[1] >
435                                 sizeof(nid_list)/sizeof(nid_list[0])))
436                 return 0;
437         cinfo = &nid_list[curve[1]-1];
438         return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
439         }
440
441 /* Check a curve is one of our preferences */
442 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
443         {
444         const unsigned char *curves;
445         size_t curveslen, i;
446         unsigned int suiteb_flags = tls1_suiteb(s);
447         if (len != 3 || p[0] != NAMED_CURVE_TYPE)
448                 return 0;
449         /* Check curve matches Suite B preferences */
450         if (suiteb_flags)
451                 {
452                 unsigned long cid = s->s3->tmp.new_cipher->id;
453                 if (p[1])
454                         return 0;
455                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
456                         {
457                         if (p[2] != TLSEXT_curve_P_256)
458                                 return 0;
459                         }
460                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
461                         {
462                         if (p[2] != TLSEXT_curve_P_384)
463                                 return 0;
464                         }
465                 else    /* Should never happen */
466                         return 0;
467                 }
468         tls1_get_curvelist(s, 0, &curves, &curveslen);
469         for (i = 0; i < curveslen; i += 2, curves += 2)
470                 {
471                 if (p[1] == curves[0] && p[2] == curves[1])
472                         return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
473                 }
474         return 0;
475         }
476
477 /* Return nth shared curve. If nmatch == -1 return number of
478  * matches. For nmatch == -2 return the NID of the curve to use for
479  * an EC tmp key.
480  */
481
482 int tls1_shared_curve(SSL *s, int nmatch)
483         {
484         const unsigned char *pref, *supp;
485         size_t preflen, supplen, i, j;
486         int k;
487         /* Can't do anything on client side */
488         if (s->server == 0)
489                 return -1;
490         if (nmatch == -2)
491                 {
492                 if (tls1_suiteb(s))
493                         {
494                         /* For Suite B ciphersuite determines curve: we 
495                          * already know these are acceptable due to previous
496                          * checks.
497                          */
498                         unsigned long cid = s->s3->tmp.new_cipher->id;
499                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
500                                 return NID_X9_62_prime256v1; /* P-256 */
501                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
502                                 return NID_secp384r1; /* P-384 */
503                         /* Should never happen */
504                         return NID_undef;
505                         }
506                 /* If not Suite B just return first preference shared curve */
507                 nmatch = 0;
508                 }
509         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
510                                 &supp, &supplen);
511         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
512                                 &pref, &preflen);
513         preflen /= 2;
514         supplen /= 2;
515         k = 0;
516         for (i = 0; i < preflen; i++, pref+=2)
517                 {
518                 const unsigned char *tsupp = supp;
519                 for (j = 0; j < supplen; j++, tsupp+=2)
520                         {
521                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
522                                 {
523                                 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
524                                         continue;
525                                 if (nmatch == k)
526                                         {
527                                         int id = (pref[0] << 8) | pref[1];
528                                         return tls1_ec_curve_id2nid(id);
529                                         }
530                                 k++;
531                                 }
532                         }
533                 }
534         if (nmatch == -1)
535                 return k;
536         return 0;
537         }
538
539 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
540                         int *curves, size_t ncurves)
541         {
542         unsigned char *clist, *p;
543         size_t i;
544         /* Bitmap of curves included to detect duplicates: only works
545          * while curve ids < 32 
546          */
547         unsigned long dup_list = 0;
548         clist = OPENSSL_malloc(ncurves * 2);
549         if (!clist)
550                 return 0;
551         for (i = 0, p = clist; i < ncurves; i++)
552                 {
553                 unsigned long idmask;
554                 int id;
555                 id = tls1_ec_nid2curve_id(curves[i]);
556                 idmask = 1L << id;
557                 if (!id || (dup_list & idmask))
558                         {
559                         OPENSSL_free(clist);
560                         return 0;
561                         }
562                 dup_list |= idmask;
563                 s2n(id, p);
564                 }
565         if (*pext)
566                 OPENSSL_free(*pext);
567         *pext = clist;
568         *pextlen = ncurves * 2;
569         return 1;
570         }
571
572 #define MAX_CURVELIST   28
573
574 typedef struct
575         {
576         size_t nidcnt;
577         int nid_arr[MAX_CURVELIST];
578         } nid_cb_st;
579
580 static int nid_cb(const char *elem, int len, void *arg)
581         {
582         nid_cb_st *narg = arg;
583         size_t i;
584         int nid;
585         char etmp[20];
586         if (narg->nidcnt == MAX_CURVELIST)
587                 return 0;
588         if (len > (int)(sizeof(etmp) - 1))
589                 return 0;
590         memcpy(etmp, elem, len);
591         etmp[len] = 0;
592         nid = EC_curve_nist2nid(etmp);
593         if (nid == NID_undef)
594                 nid = OBJ_sn2nid(etmp);
595         if (nid == NID_undef)
596                 nid = OBJ_ln2nid(etmp);
597         if (nid == NID_undef)
598                 return 0;
599         for (i = 0; i < narg->nidcnt; i++)
600                 if (narg->nid_arr[i] == nid)
601                         return 0;
602         narg->nid_arr[narg->nidcnt++] = nid;
603         return 1;
604         }
605 /* Set curves based on a colon separate list */
606 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
607                                 const char *str)
608         {
609         nid_cb_st ncb;
610         ncb.nidcnt = 0;
611         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
612                 return 0;
613         if (pext == NULL)
614                 return 1;
615         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
616         }
617 /* For an EC key set TLS id and required compression based on parameters */
618 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
619                                 EC_KEY *ec)
620         {
621         int is_prime, id;
622         const EC_GROUP *grp;
623         const EC_METHOD *meth;
624         if (!ec)
625                 return 0;
626         /* Determine if it is a prime field */
627         grp = EC_KEY_get0_group(ec);
628         if (!grp)
629                 return 0;
630         meth = EC_GROUP_method_of(grp);
631         if (!meth)
632                 return 0;
633         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
634                 is_prime = 1;
635         else
636                 is_prime = 0;
637         /* Determine curve ID */
638         id = EC_GROUP_get_curve_name(grp);
639         id = tls1_ec_nid2curve_id(id);
640         /* If we have an ID set it, otherwise set arbitrary explicit curve */
641         if (id)
642                 {
643                 curve_id[0] = 0;
644                 curve_id[1] = (unsigned char)id;
645                 }
646         else
647                 {
648                 curve_id[0] = 0xff;
649                 if (is_prime)
650                         curve_id[1] = 0x01;
651                 else
652                         curve_id[1] = 0x02;
653                 }
654         if (comp_id)
655                 {
656                 if (EC_KEY_get0_public_key(ec) == NULL)
657                         return 0;
658                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
659                         {
660                         if (is_prime)
661                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
662                         else
663                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
664                         }
665                 else
666                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
667                 }
668         return 1;
669         }
670 /* Check an EC key is compatible with extensions */
671 static int tls1_check_ec_key(SSL *s,
672                         unsigned char *curve_id, unsigned char *comp_id)
673         {
674         const unsigned char *p;
675         size_t plen, i;
676         int j;
677         /* If point formats extension present check it, otherwise everything
678          * is supported (see RFC4492).
679          */
680         if (comp_id && s->session->tlsext_ecpointformatlist)
681                 {
682                 p = s->session->tlsext_ecpointformatlist;
683                 plen = s->session->tlsext_ecpointformatlist_length;
684                 for (i = 0; i < plen; i++, p++)
685                         {
686                         if (*comp_id == *p)
687                                 break;
688                         }
689                 if (i == plen)
690                         return 0;
691                 }
692         if (!curve_id)
693                 return 1;
694         /* Check curve is consistent with client and server preferences */
695         for (j = 0; j <= 1; j++)
696                 {
697                 tls1_get_curvelist(s, j, &p, &plen);
698                 for (i = 0; i < plen; i+=2, p+=2)
699                         {
700                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
701                                 break;
702                         }
703                 if (i == plen)
704                         return 0;
705                 /* For clients can only check sent curve list */
706                 if (!s->server)
707                         break;
708                 }
709         return 1;
710         }
711
712 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
713                                         size_t *pformatslen)
714         {
715         /* If we have a custom point format list use it otherwise
716          * use default */
717         if (s->tlsext_ecpointformatlist)
718                 {
719                 *pformats = s->tlsext_ecpointformatlist;
720                 *pformatslen = s->tlsext_ecpointformatlist_length;
721                 }
722         else
723                 {
724                 *pformats = ecformats_default;
725                 /* For Suite B we don't support char2 fields */
726                 if (tls1_suiteb(s))
727                         *pformatslen = sizeof(ecformats_default) - 1;
728                 else
729                         *pformatslen = sizeof(ecformats_default);
730                 }
731         }
732
733 /* Check cert parameters compatible with extensions: currently just checks
734  * EC certificates have compatible curves and compression.
735  */
736 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
737         {
738         unsigned char comp_id, curve_id[2];
739         EVP_PKEY *pkey;
740         int rv;
741         pkey = X509_get_pubkey(x);
742         if (!pkey)
743                 return 0;
744         /* If not EC nothing to do */
745         if (pkey->type != EVP_PKEY_EC)
746                 {
747                 EVP_PKEY_free(pkey);
748                 return 1;
749                 }
750         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
751         EVP_PKEY_free(pkey);
752         if (!rv)
753                 return 0;
754         /* Can't check curve_id for client certs as we don't have a
755          * supported curves extension.
756          */
757         rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
758         if (!rv)
759                 return 0;
760         /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
761          * SHA384+P-384, adjust digest if necessary.
762          */
763         if (set_ee_md && tls1_suiteb(s))
764                 {
765                 int check_md;
766                 size_t i;
767                 CERT *c = s->cert;
768                 if (curve_id[0])
769                         return 0;
770                 /* Check to see we have necessary signing algorithm */
771                 if (curve_id[1] == TLSEXT_curve_P_256)
772                         check_md = NID_ecdsa_with_SHA256;
773                 else if (curve_id[1] == TLSEXT_curve_P_384)
774                         check_md = NID_ecdsa_with_SHA384;
775                 else
776                         return 0; /* Should never happen */
777                 for (i = 0; i < c->shared_sigalgslen; i++)
778                         if (check_md == c->shared_sigalgs[i].signandhash_nid)
779                                 break;
780                 if (i == c->shared_sigalgslen)
781                         return 0;
782                 if (set_ee_md == 2)
783                         {
784                         if (check_md == NID_ecdsa_with_SHA256)
785                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
786                         else
787                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
788                         }
789                 }
790         return rv;
791         }
792 /* Check EC temporary key is compatible with client extensions */
793 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
794         {
795         unsigned char curve_id[2];
796         EC_KEY *ec = s->cert->ecdh_tmp;
797 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
798         /* Allow any curve: not just those peer supports */
799         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
800                 return 1;
801 #endif
802         /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
803          * no other curves permitted.
804          */
805         if (tls1_suiteb(s))
806                 {
807                 /* Curve to check determined by ciphersuite */
808                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
809                         curve_id[1] = TLSEXT_curve_P_256;
810                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
811                         curve_id[1] = TLSEXT_curve_P_384;
812                 else
813                         return 0;
814                 curve_id[0] = 0;
815                 /* Check this curve is acceptable */
816                 if (!tls1_check_ec_key(s, curve_id, NULL))
817                         return 0;
818                 /* If auto or setting curve from callback assume OK */
819                 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
820                         return 1;
821                 /* Otherwise check curve is acceptable */
822                 else 
823                         {
824                         unsigned char curve_tmp[2];
825                         if (!ec)
826                                 return 0;
827                         if (!tls1_set_ec_id(curve_tmp, NULL, ec))
828                                 return 0;
829                         if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
830                                 return 1;
831                         return 0;
832                         }
833                         
834                 }
835         if (s->cert->ecdh_tmp_auto)
836                 {
837                 /* Need a shared curve */
838                 if (tls1_shared_curve(s, 0))
839                         return 1;
840                 else return 0;
841                 }
842         if (!ec)
843                 {
844                 if (s->cert->ecdh_tmp_cb)
845                         return 1;
846                 else
847                         return 0;
848                 }
849         if (!tls1_set_ec_id(curve_id, NULL, ec))
850                 return 0;
851 /* Set this to allow use of invalid curves for testing */
852 #if 0
853         return 1;
854 #else
855         return tls1_check_ec_key(s, curve_id, NULL);
856 #endif
857         }
858
859 #else
860
861 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
862         {
863         return 1;
864         }
865
866 #endif /* OPENSSL_NO_EC */
867
868 #ifndef OPENSSL_NO_TLSEXT
869
870 /* List of supported signature algorithms and hashes. Should make this
871  * customisable at some point, for now include everything we support.
872  */
873
874 #ifdef OPENSSL_NO_RSA
875 #define tlsext_sigalg_rsa(md) /* */
876 #else
877 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
878 #endif
879
880 #ifdef OPENSSL_NO_DSA
881 #define tlsext_sigalg_dsa(md) /* */
882 #else
883 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
884 #endif
885
886 #ifdef OPENSSL_NO_ECDSA
887 #define tlsext_sigalg_ecdsa(md) /* */
888 #else
889 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
890 #endif
891
892 #define tlsext_sigalg(md) \
893                 tlsext_sigalg_rsa(md) \
894                 tlsext_sigalg_dsa(md) \
895                 tlsext_sigalg_ecdsa(md)
896
897 static unsigned char tls12_sigalgs[] = {
898 #ifndef OPENSSL_NO_SHA512
899         tlsext_sigalg(TLSEXT_hash_sha512)
900         tlsext_sigalg(TLSEXT_hash_sha384)
901 #endif
902 #ifndef OPENSSL_NO_SHA256
903         tlsext_sigalg(TLSEXT_hash_sha256)
904         tlsext_sigalg(TLSEXT_hash_sha224)
905 #endif
906 #ifndef OPENSSL_NO_SHA
907         tlsext_sigalg(TLSEXT_hash_sha1)
908 #endif
909 };
910 #ifndef OPENSSL_NO_ECDSA
911 static unsigned char suiteb_sigalgs[] = {
912         tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
913         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
914 };
915 #endif
916 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
917         {
918         /* If Suite B mode use Suite B sigalgs only, ignore any other
919          * preferences.
920          */
921 #ifndef OPENSSL_NO_EC
922         switch (tls1_suiteb(s))
923                 {
924         case SSL_CERT_FLAG_SUITEB_128_LOS:
925                 *psigs = suiteb_sigalgs;
926                 return sizeof(suiteb_sigalgs);
927
928         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
929                 *psigs = suiteb_sigalgs;
930                 return 2;
931
932         case SSL_CERT_FLAG_SUITEB_192_LOS:
933                 *psigs = suiteb_sigalgs + 2;
934                 return 2;
935                 }
936 #endif
937         /* If server use client authentication sigalgs if not NULL */
938         if (s->server && s->cert->client_sigalgs)
939                 {
940                 *psigs = s->cert->client_sigalgs;
941                 return s->cert->client_sigalgslen;
942                 }
943         else if (s->cert->conf_sigalgs)
944                 {
945                 *psigs = s->cert->conf_sigalgs;
946                 return s->cert->conf_sigalgslen;
947                 }
948         else
949                 {
950                 *psigs = tls12_sigalgs;
951                 return sizeof(tls12_sigalgs);
952                 }
953         }
954 /* Check signature algorithm is consistent with sent supported signature
955  * algorithms and if so return relevant digest.
956  */
957 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
958                                 const unsigned char *sig, EVP_PKEY *pkey)
959         {
960         const unsigned char *sent_sigs;
961         size_t sent_sigslen, i;
962         int sigalg = tls12_get_sigid(pkey);
963         /* Should never happen */
964         if (sigalg == -1)
965                 return -1;
966         /* Check key type is consistent with signature */
967         if (sigalg != (int)sig[1])
968                 {
969                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
970                 return 0;
971                 }
972 #ifndef OPENSSL_NO_EC
973         if (pkey->type == EVP_PKEY_EC)
974                 {
975                 unsigned char curve_id[2], comp_id;
976                 /* Check compression and curve matches extensions */
977                 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
978                         return 0;
979                 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
980                         {
981                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_CURVE);
982                         return 0;
983                         }
984                 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
985                 if (tls1_suiteb(s))
986                         {
987                         if (curve_id[0])
988                                 return 0;
989                         if (curve_id[1] == TLSEXT_curve_P_256)
990                                 {
991                                 if (sig[0] != TLSEXT_hash_sha256)
992                                         {
993                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
994                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
995                                         return 0;
996                                         }
997                                 }
998                         else if (curve_id[1] == TLSEXT_curve_P_384)
999                                 {
1000                                 if (sig[0] != TLSEXT_hash_sha384)
1001                                         {
1002                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1003                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
1004                                         return 0;
1005                                         }
1006                                 }
1007                         else
1008                                 return 0;
1009                         }
1010                 }
1011         else if (tls1_suiteb(s))
1012                 return 0;
1013 #endif
1014
1015         /* Check signature matches a type we sent */
1016         sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1017         for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
1018                 {
1019                 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1020                         break;
1021                 }
1022         /* Allow fallback to SHA1 if not strict mode */
1023         if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
1024                 {
1025                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1026                 return 0;
1027                 }
1028         *pmd = tls12_get_hash(sig[0]);
1029         if (*pmd == NULL)
1030                 {
1031                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
1032                 return 0;
1033                 }
1034         /* Make sure security callback allows algorithm */
1035         if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1036                                 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1037                                                                 (void *)sig))
1038                 {
1039                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1040                 return 0;
1041                 }
1042         /* Store the digest used so applications can retrieve it if they
1043          * wish.
1044          */
1045         if (s->session && s->session->sess_cert)
1046                 s->session->sess_cert->peer_key->digest = *pmd;
1047         return 1;
1048         }
1049
1050 /* Get a mask of disabled algorithms: an algorithm is disabled
1051  * if it isn't supported or doesn't appear in supported signature
1052  * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1053  * session and not global settings.
1054  * 
1055  */
1056 void ssl_set_client_disabled(SSL *s)
1057         {
1058         CERT *c = s->cert;
1059         c->mask_a = 0;
1060         c->mask_k = 0;
1061         /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1062         if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1063                 c->mask_ssl = SSL_TLSV1_2;
1064         else
1065                 c->mask_ssl = 0;
1066         ssl_set_sig_mask(&c->mask_a, s, SSL_SECOP_SIGALG_MASK);
1067         /* Disable static DH if we don't include any appropriate
1068          * signature algorithms.
1069          */
1070         if (c->mask_a & SSL_aRSA)
1071                 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1072         if (c->mask_a & SSL_aDSS)
1073                 c->mask_k |= SSL_kDHd;
1074         if (c->mask_a & SSL_aECDSA)
1075                 c->mask_k |= SSL_kECDHe;
1076 #ifndef OPENSSL_NO_KRB5
1077         if (!kssl_tgt_is_available(s->kssl_ctx))
1078                 {
1079                 c->mask_a |= SSL_aKRB5;
1080                 c->mask_k |= SSL_kKRB5;
1081                 }
1082 #endif
1083 #ifndef OPENSSL_NO_PSK
1084         /* with PSK there must be client callback set */
1085         if (!s->psk_client_callback)
1086                 {
1087                 c->mask_a |= SSL_aPSK;
1088                 c->mask_k |= SSL_kPSK;
1089                 }
1090 #endif /* OPENSSL_NO_PSK */
1091         c->valid = 1;
1092         }
1093
1094 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
1095         {
1096         CERT *ct = s->cert;
1097         if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k || c->algorithm_auth & ct->mask_a)
1098                 return 1;
1099         return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1100         }
1101
1102 static int tls_use_ticket(SSL *s)
1103         {
1104         if (s->options & SSL_OP_NO_TICKET)
1105                 return 0;
1106         return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1107         }
1108
1109 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit, int *al)
1110         {
1111         int extdatalen=0;
1112         unsigned char *ret = p;
1113 #ifndef OPENSSL_NO_EC
1114         /* See if we support any ECC ciphersuites */
1115         int using_ecc = 0;
1116         if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1117                 {
1118                 int i;
1119                 unsigned long alg_k, alg_a;
1120                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1121
1122                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1123                         {
1124                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1125
1126                         alg_k = c->algorithm_mkey;
1127                         alg_a = c->algorithm_auth;
1128                         if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)
1129                                 || (alg_a & SSL_aECDSA)))
1130                                 {
1131                                 using_ecc = 1;
1132                                 break;
1133                                 }
1134                         }
1135                 }
1136 #endif
1137
1138         /* don't add extensions for SSLv3 unless doing secure renegotiation */
1139         if (s->client_version == SSL3_VERSION
1140                                         && !s->s3->send_connection_binding)
1141                 return p;
1142
1143         ret+=2;
1144
1145         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1146
1147         if (s->tlsext_hostname != NULL)
1148                 { 
1149                 /* Add TLS extension servername to the Client Hello message */
1150                 unsigned long size_str;
1151                 long lenmax; 
1152
1153                 /* check for enough space.
1154                    4 for the servername type and entension length
1155                    2 for servernamelist length
1156                    1 for the hostname type
1157                    2 for hostname length
1158                    + hostname length 
1159                 */
1160                    
1161                 if ((lenmax = limit - ret - 9) < 0 
1162                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
1163                         return NULL;
1164                         
1165                 /* extension type and length */
1166                 s2n(TLSEXT_TYPE_server_name,ret); 
1167                 s2n(size_str+5,ret);
1168                 
1169                 /* length of servername list */
1170                 s2n(size_str+3,ret);
1171         
1172                 /* hostname type, length and hostname */
1173                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1174                 s2n(size_str,ret);
1175                 memcpy(ret, s->tlsext_hostname, size_str);
1176                 ret+=size_str;
1177                 }
1178
1179         /* Add RI if renegotiating */
1180         if (s->renegotiate)
1181           {
1182           int el;
1183           
1184           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1185               {
1186               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1187               return NULL;
1188               }
1189
1190           if((limit - p - 4 - el) < 0) return NULL;
1191           
1192           s2n(TLSEXT_TYPE_renegotiate,ret);
1193           s2n(el,ret);
1194
1195           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1196               {
1197               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1198               return NULL;
1199               }
1200
1201           ret += el;
1202         }
1203
1204 #ifndef OPENSSL_NO_SRP
1205         /* Add SRP username if there is one */
1206         if (s->srp_ctx.login != NULL)
1207                 { /* Add TLS extension SRP username to the Client Hello message */
1208
1209                 int login_len = strlen(s->srp_ctx.login);       
1210                 if (login_len > 255 || login_len == 0)
1211                         {
1212                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1213                         return NULL;
1214                         } 
1215
1216                 /* check for enough space.
1217                    4 for the srp type type and entension length
1218                    1 for the srp user identity
1219                    + srp user identity length 
1220                 */
1221                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
1222
1223                 /* fill in the extension */
1224                 s2n(TLSEXT_TYPE_srp,ret);
1225                 s2n(login_len+1,ret);
1226                 (*ret++) = (unsigned char) login_len;
1227                 memcpy(ret, s->srp_ctx.login, login_len);
1228                 ret+=login_len;
1229                 }
1230 #endif
1231
1232 #ifndef OPENSSL_NO_EC
1233         if (using_ecc)
1234                 {
1235                 /* Add TLS extension ECPointFormats to the ClientHello message */
1236                 long lenmax; 
1237                 const unsigned char *plist;
1238                 size_t plistlen;
1239                 size_t i;
1240                 unsigned char *etmp;
1241
1242                 tls1_get_formatlist(s, &plist, &plistlen);
1243
1244                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1245                 if (plistlen > (size_t)lenmax) return NULL;
1246                 if (plistlen > 255)
1247                         {
1248                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1249                         return NULL;
1250                         }
1251                 
1252                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1253                 s2n(plistlen + 1,ret);
1254                 *(ret++) = (unsigned char)plistlen ;
1255                 memcpy(ret, plist, plistlen);
1256                 ret+=plistlen;
1257
1258                 /* Add TLS extension EllipticCurves to the ClientHello message */
1259                 plist = s->tlsext_ellipticcurvelist;
1260                 tls1_get_curvelist(s, 0, &plist, &plistlen);
1261
1262                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
1263                 if (plistlen > (size_t)lenmax) return NULL;
1264                 if (plistlen > 65532)
1265                         {
1266                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1267                         return NULL;
1268                         }
1269
1270                 
1271                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1272                 etmp = ret + 4;
1273                 /* Copy curve ID if supported */
1274                 for (i = 0; i < plistlen; i += 2, plist += 2)
1275                         {
1276                         if (tls_curve_allowed(s, plist, SSL_SECOP_CURVE_SUPPORTED))
1277                                 {
1278                                 *etmp++ = plist[0];
1279                                 *etmp++ = plist[1];
1280                                 }
1281                         }
1282
1283                 plistlen = etmp - ret - 4;
1284
1285                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1286                  * elliptic_curve_list, but the examples use two bytes.
1287                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1288                  * resolves this to two bytes.
1289                  */
1290                 s2n(plistlen + 2, ret);
1291                 s2n(plistlen, ret);
1292                 ret+=plistlen;
1293                 }
1294 #endif /* OPENSSL_NO_EC */
1295
1296         if (tls_use_ticket(s))
1297                 {
1298                 int ticklen;
1299                 if (!s->new_session && s->session && s->session->tlsext_tick)
1300                         ticklen = s->session->tlsext_ticklen;
1301                 else if (s->session && s->tlsext_session_ticket &&
1302                          s->tlsext_session_ticket->data)
1303                         {
1304                         ticklen = s->tlsext_session_ticket->length;
1305                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1306                         if (!s->session->tlsext_tick)
1307                                 return NULL;
1308                         memcpy(s->session->tlsext_tick,
1309                                s->tlsext_session_ticket->data,
1310                                ticklen);
1311                         s->session->tlsext_ticklen = ticklen;
1312                         }
1313                 else
1314                         ticklen = 0;
1315                 if (ticklen == 0 && s->tlsext_session_ticket &&
1316                     s->tlsext_session_ticket->data == NULL)
1317                         goto skip_ext;
1318                 /* Check for enough room 2 for extension type, 2 for len
1319                  * rest for ticket
1320                  */
1321                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1322                 s2n(TLSEXT_TYPE_session_ticket,ret); 
1323                 s2n(ticklen,ret);
1324                 if (ticklen)
1325                         {
1326                         memcpy(ret, s->session->tlsext_tick, ticklen);
1327                         ret += ticklen;
1328                         }
1329                 }
1330                 skip_ext:
1331
1332         if (SSL_USE_SIGALGS(s))
1333                 {
1334                 size_t salglen;
1335                 const unsigned char *salg;
1336                 unsigned char *etmp;
1337                 salglen = tls12_get_psigalgs(s, &salg);
1338                 if ((size_t)(limit - ret) < salglen + 6)
1339                         return NULL; 
1340                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1341                 etmp = ret;
1342                 /* Skip over lengths for now */
1343                 ret += 4;
1344                 salglen = tls12_copy_sigalgs(s, etmp, salg, salglen);
1345                 /* Fill in lengths */
1346                 s2n(salglen + 2, etmp);
1347                 s2n(salglen, etmp);
1348                 ret += salglen;
1349                 }
1350
1351 #ifdef TLSEXT_TYPE_opaque_prf_input
1352         if (s->s3->client_opaque_prf_input != NULL)
1353                 {
1354                 size_t col = s->s3->client_opaque_prf_input_len;
1355                 
1356                 if ((long)(limit - ret - 6 - col < 0))
1357                         return NULL;
1358                 if (col > 0xFFFD) /* can't happen */
1359                         return NULL;
1360
1361                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1362                 s2n(col + 2, ret);
1363                 s2n(col, ret);
1364                 memcpy(ret, s->s3->client_opaque_prf_input, col);
1365                 ret += col;
1366                 }
1367 #endif
1368
1369         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1370                 {
1371                 int i;
1372                 long extlen, idlen, itmp;
1373                 OCSP_RESPID *id;
1374
1375                 idlen = 0;
1376                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1377                         {
1378                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1379                         itmp = i2d_OCSP_RESPID(id, NULL);
1380                         if (itmp <= 0)
1381                                 return NULL;
1382                         idlen += itmp + 2;
1383                         }
1384
1385                 if (s->tlsext_ocsp_exts)
1386                         {
1387                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1388                         if (extlen < 0)
1389                                 return NULL;
1390                         }
1391                 else
1392                         extlen = 0;
1393                         
1394                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1395                 s2n(TLSEXT_TYPE_status_request, ret);
1396                 if (extlen + idlen > 0xFFF0)
1397                         return NULL;
1398                 s2n(extlen + idlen + 5, ret);
1399                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1400                 s2n(idlen, ret);
1401                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1402                         {
1403                         /* save position of id len */
1404                         unsigned char *q = ret;
1405                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1406                         /* skip over id len */
1407                         ret += 2;
1408                         itmp = i2d_OCSP_RESPID(id, &ret);
1409                         /* write id len */
1410                         s2n(itmp, q);
1411                         }
1412                 s2n(extlen, ret);
1413                 if (extlen > 0)
1414                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1415                 }
1416
1417 #ifndef OPENSSL_NO_HEARTBEATS
1418         /* Add Heartbeat extension */
1419         s2n(TLSEXT_TYPE_heartbeat,ret);
1420         s2n(1,ret);
1421         /* Set mode:
1422          * 1: peer may send requests
1423          * 2: peer not allowed to send requests
1424          */
1425         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1426                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1427         else
1428                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1429 #endif
1430
1431 #ifndef OPENSSL_NO_NEXTPROTONEG
1432         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1433                 {
1434                 /* The client advertises an emtpy extension to indicate its
1435                  * support for Next Protocol Negotiation */
1436                 if (limit - ret - 4 < 0)
1437                         return NULL;
1438                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1439                 s2n(0,ret);
1440                 }
1441 #endif
1442
1443         if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1444                 {
1445                 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1446                         return NULL;
1447                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1448                 s2n(2 + s->alpn_client_proto_list_len,ret);
1449                 s2n(s->alpn_client_proto_list_len,ret);
1450                 memcpy(ret, s->alpn_client_proto_list,
1451                        s->alpn_client_proto_list_len);
1452                 ret += s->alpn_client_proto_list_len;
1453                 }
1454
1455         if(SSL_get_srtp_profiles(s))
1456                 {
1457                 int el;
1458
1459                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1460                 
1461                 if((limit - p - 4 - el) < 0) return NULL;
1462
1463                 s2n(TLSEXT_TYPE_use_srtp,ret);
1464                 s2n(el,ret);
1465
1466                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1467                         {
1468                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1469                         return NULL;
1470                         }
1471                 ret += el;
1472                 }
1473
1474         /* Add custom TLS Extensions to ClientHello */
1475         if (s->ctx->custom_cli_ext_records_count)
1476                 {
1477                 size_t i;
1478                 custom_cli_ext_record* record;
1479
1480                 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
1481                         {
1482                         const unsigned char* out = NULL;
1483                         unsigned short outlen = 0;
1484
1485                         record = &s->ctx->custom_cli_ext_records[i];
1486                         /* NULL callback sends empty extension */ 
1487                         /* -1 from callback omits extension */
1488                         if (record->fn1)
1489                                 {
1490                                 int cb_retval = 0;
1491                                 cb_retval = record->fn1(s, record->ext_type,
1492                                                         &out, &outlen, al,
1493                                                         record->arg);
1494                                 if (cb_retval == 0)
1495                                         return NULL; /* error */
1496                                 if (cb_retval == -1)
1497                                         continue; /* skip this extension */
1498                                 }
1499                         if (limit < ret + 4 + outlen)
1500                                 return NULL;
1501                         s2n(record->ext_type, ret);
1502                         s2n(outlen, ret);
1503                         memcpy(ret, out, outlen);
1504                         ret += outlen;
1505                         }
1506                 }
1507 #ifdef TLSEXT_TYPE_encrypt_then_mac
1508         s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
1509         s2n(0,ret);
1510 #endif
1511 #ifdef TLSEXT_TYPE_padding
1512         /* Add padding to workaround bugs in F5 terminators.
1513          * See https://tools.ietf.org/html/draft-agl-tls-padding-03
1514          *
1515          * NB: because this code works out the length of all existing
1516          * extensions it MUST always appear last.
1517          */
1518         {
1519         int hlen = ret - (unsigned char *)s->init_buf->data;
1520         /* The code in s23_clnt.c to build ClientHello messages includes the
1521          * 5-byte record header in the buffer, while the code in s3_clnt.c does
1522          * not. */
1523         if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1524                 hlen -= 5;
1525         if (hlen > 0xff && hlen < 0x200)
1526                 {
1527                 hlen = 0x200 - hlen;
1528                 if (hlen >= 4)
1529                         hlen -= 4;
1530                 else
1531                         hlen = 0;
1532
1533                 s2n(TLSEXT_TYPE_padding, ret);
1534                 s2n(hlen, ret);
1535                 memset(ret, 0, hlen);
1536                 ret += hlen;
1537                 }
1538         }
1539 #endif
1540
1541         if ((extdatalen = ret-p-2) == 0)
1542                 return p;
1543
1544         s2n(extdatalen,p);
1545         return ret;
1546         }
1547
1548 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit, int *al)
1549         {
1550         int extdatalen=0;
1551         unsigned char *ret = p;
1552         size_t i;
1553         custom_srv_ext_record *record;
1554 #ifndef OPENSSL_NO_NEXTPROTONEG
1555         int next_proto_neg_seen;
1556 #endif
1557 #ifndef OPENSSL_NO_EC
1558         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1559         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1560         int using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1561         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1562 #endif
1563         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1564         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1565                 return p;
1566         
1567         ret+=2;
1568         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1569
1570         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1571                 { 
1572                 if ((long)(limit - ret - 4) < 0) return NULL; 
1573
1574                 s2n(TLSEXT_TYPE_server_name,ret);
1575                 s2n(0,ret);
1576                 }
1577
1578         if(s->s3->send_connection_binding)
1579         {
1580           int el;
1581           
1582           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1583               {
1584               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1585               return NULL;
1586               }
1587
1588           if((limit - p - 4 - el) < 0) return NULL;
1589           
1590           s2n(TLSEXT_TYPE_renegotiate,ret);
1591           s2n(el,ret);
1592
1593           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1594               {
1595               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1596               return NULL;
1597               }
1598
1599           ret += el;
1600         }
1601
1602 #ifndef OPENSSL_NO_EC
1603         if (using_ecc)
1604                 {
1605                 const unsigned char *plist;
1606                 size_t plistlen;
1607                 /* Add TLS extension ECPointFormats to the ServerHello message */
1608                 long lenmax; 
1609
1610                 tls1_get_formatlist(s, &plist, &plistlen);
1611
1612                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1613                 if (plistlen > (size_t)lenmax) return NULL;
1614                 if (plistlen > 255)
1615                         {
1616                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1617                         return NULL;
1618                         }
1619                 
1620                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1621                 s2n(plistlen + 1,ret);
1622                 *(ret++) = (unsigned char) plistlen;
1623                 memcpy(ret, plist, plistlen);
1624                 ret+=plistlen;
1625
1626                 }
1627         /* Currently the server should not respond with a SupportedCurves extension */
1628 #endif /* OPENSSL_NO_EC */
1629
1630         if (s->tlsext_ticket_expected && tls_use_ticket(s))
1631                 { 
1632                 if ((long)(limit - ret - 4) < 0) return NULL; 
1633                 s2n(TLSEXT_TYPE_session_ticket,ret);
1634                 s2n(0,ret);
1635                 }
1636
1637         if (s->tlsext_status_expected)
1638                 { 
1639                 if ((long)(limit - ret - 4) < 0) return NULL; 
1640                 s2n(TLSEXT_TYPE_status_request,ret);
1641                 s2n(0,ret);
1642                 }
1643
1644 #ifdef TLSEXT_TYPE_opaque_prf_input
1645         if (s->s3->server_opaque_prf_input != NULL)
1646                 {
1647                 size_t sol = s->s3->server_opaque_prf_input_len;
1648                 
1649                 if ((long)(limit - ret - 6 - sol) < 0)
1650                         return NULL;
1651                 if (sol > 0xFFFD) /* can't happen */
1652                         return NULL;
1653
1654                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1655                 s2n(sol + 2, ret);
1656                 s2n(sol, ret);
1657                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1658                 ret += sol;
1659                 }
1660 #endif
1661
1662         if(s->srtp_profile)
1663                 {
1664                 int el;
1665
1666                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1667                 
1668                 if((limit - p - 4 - el) < 0) return NULL;
1669
1670                 s2n(TLSEXT_TYPE_use_srtp,ret);
1671                 s2n(el,ret);
1672
1673                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1674                         {
1675                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1676                         return NULL;
1677                         }
1678                 ret+=el;
1679                 }
1680
1681         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1682                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1683                 { const unsigned char cryptopro_ext[36] = {
1684                         0xfd, 0xe8, /*65000*/
1685                         0x00, 0x20, /*32 bytes length*/
1686                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1687                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1688                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1689                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1690                         if (limit-ret<36) return NULL;
1691                         memcpy(ret,cryptopro_ext,36);
1692                         ret+=36;
1693
1694                 }
1695
1696 #ifndef OPENSSL_NO_HEARTBEATS
1697         /* Add Heartbeat extension if we've received one */
1698         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1699                 {
1700                 s2n(TLSEXT_TYPE_heartbeat,ret);
1701                 s2n(1,ret);
1702                 /* Set mode:
1703                  * 1: peer may send requests
1704                  * 2: peer not allowed to send requests
1705                  */
1706                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1707                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1708                 else
1709                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1710
1711                 }
1712 #endif
1713
1714 #ifndef OPENSSL_NO_NEXTPROTONEG
1715         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1716         s->s3->next_proto_neg_seen = 0;
1717         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1718                 {
1719                 const unsigned char *npa;
1720                 unsigned int npalen;
1721                 int r;
1722
1723                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1724                 if (r == SSL_TLSEXT_ERR_OK)
1725                         {
1726                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1727                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1728                         s2n(npalen,ret);
1729                         memcpy(ret, npa, npalen);
1730                         ret += npalen;
1731                         s->s3->next_proto_neg_seen = 1;
1732                         }
1733                 }
1734 #endif
1735
1736         for (i = 0; i < s->ctx->custom_srv_ext_records_count; i++)
1737                 {
1738                 const unsigned char *out = NULL;
1739                 unsigned short outlen = 0;
1740                 int cb_retval = 0;
1741
1742                 record = &s->ctx->custom_srv_ext_records[i];
1743
1744                 /* NULL callback or -1 omits extension */
1745                 if (!record->fn2)
1746                         continue;
1747                 cb_retval = record->fn2(s, record->ext_type,
1748                                                                 &out, &outlen, al,
1749                                                                 record->arg);
1750                 if (cb_retval == 0)
1751                         return NULL; /* error */
1752                 if (cb_retval == -1)
1753                         continue; /* skip this extension */
1754                 if (limit < ret + 4 + outlen)
1755                         return NULL;
1756                 s2n(record->ext_type, ret);
1757                 s2n(outlen, ret);
1758                 memcpy(ret, out, outlen);
1759                 ret += outlen;
1760                 }
1761 #ifdef TLSEXT_TYPE_encrypt_then_mac
1762         if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
1763                 {
1764                 /* Don't use encrypt_then_mac if AEAD: might want
1765                  * to disable for other ciphersuites too.
1766                  */
1767                 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD)
1768                         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1769                 else
1770                         {
1771                         s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
1772                         s2n(0,ret);
1773                         }
1774                 }
1775 #endif
1776
1777         if (s->s3->alpn_selected)
1778                 {
1779                 const unsigned char *selected = s->s3->alpn_selected;
1780                 unsigned len = s->s3->alpn_selected_len;
1781
1782                 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1783                         return NULL;
1784                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1785                 s2n(3 + len,ret);
1786                 s2n(1 + len,ret);
1787                 *ret++ = len;
1788                 memcpy(ret, selected, len);
1789                 ret += len;
1790                 }
1791
1792         if ((extdatalen = ret-p-2)== 0) 
1793                 return p;
1794
1795         s2n(extdatalen,p);
1796         return ret;
1797         }
1798
1799 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1800  * ClientHello.
1801  *   data: the contents of the extension, not including the type and length.
1802  *   data_len: the number of bytes in |data|
1803  *   al: a pointer to the alert value to send in the event of a non-zero
1804  *       return.
1805  *
1806  *   returns: 0 on success. */
1807 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1808                                          unsigned data_len, int *al)
1809         {
1810         unsigned i;
1811         unsigned proto_len;
1812         const unsigned char *selected;
1813         unsigned char selected_len;
1814         int r;
1815
1816         if (s->ctx->alpn_select_cb == NULL)
1817                 return 0;
1818
1819         if (data_len < 2)
1820                 goto parse_error;
1821
1822         /* data should contain a uint16 length followed by a series of 8-bit,
1823          * length-prefixed strings. */
1824         i = ((unsigned) data[0]) << 8 |
1825             ((unsigned) data[1]);
1826         data_len -= 2;
1827         data += 2;
1828         if (data_len != i)
1829                 goto parse_error;
1830
1831         if (data_len < 2)
1832                 goto parse_error;
1833
1834         for (i = 0; i < data_len;)
1835                 {
1836                 proto_len = data[i];
1837                 i++;
1838
1839                 if (proto_len == 0)
1840                         goto parse_error;
1841
1842                 if (i + proto_len < i || i + proto_len > data_len)
1843                         goto parse_error;
1844
1845                 i += proto_len;
1846                 }
1847
1848         r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1849                                    s->ctx->alpn_select_cb_arg);
1850         if (r == SSL_TLSEXT_ERR_OK) {
1851                 if (s->s3->alpn_selected)
1852                         OPENSSL_free(s->s3->alpn_selected);
1853                 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1854                 if (!s->s3->alpn_selected)
1855                         {
1856                         *al = SSL_AD_INTERNAL_ERROR;
1857                         return -1;
1858                         }
1859                 memcpy(s->s3->alpn_selected, selected, selected_len);
1860                 s->s3->alpn_selected_len = selected_len;
1861         }
1862         return 0;
1863
1864 parse_error:
1865         *al = SSL_AD_DECODE_ERROR;
1866         return -1;
1867         }
1868
1869 #ifndef OPENSSL_NO_EC
1870 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
1871  * SecureTransport using the TLS extension block in |d|, of length |n|.
1872  * Safari, since 10.6, sends exactly these extensions, in this order:
1873  *   SNI,
1874  *   elliptic_curves
1875  *   ec_point_formats
1876  *
1877  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1878  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1879  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1880  * 10.8..10.8.3 (which don't work).
1881  */
1882 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
1883         unsigned short type, size;
1884         static const unsigned char kSafariExtensionsBlock[] = {
1885                 0x00, 0x0a,  /* elliptic_curves extension */
1886                 0x00, 0x08,  /* 8 bytes */
1887                 0x00, 0x06,  /* 6 bytes of curve ids */
1888                 0x00, 0x17,  /* P-256 */
1889                 0x00, 0x18,  /* P-384 */
1890                 0x00, 0x19,  /* P-521 */
1891
1892                 0x00, 0x0b,  /* ec_point_formats */
1893                 0x00, 0x02,  /* 2 bytes */
1894                 0x01,        /* 1 point format */
1895                 0x00,        /* uncompressed */
1896         };
1897
1898         /* The following is only present in TLS 1.2 */
1899         static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1900                 0x00, 0x0d,  /* signature_algorithms */
1901                 0x00, 0x0c,  /* 12 bytes */
1902                 0x00, 0x0a,  /* 10 bytes */
1903                 0x05, 0x01,  /* SHA-384/RSA */
1904                 0x04, 0x01,  /* SHA-256/RSA */
1905                 0x02, 0x01,  /* SHA-1/RSA */
1906                 0x04, 0x03,  /* SHA-256/ECDSA */
1907                 0x02, 0x03,  /* SHA-1/ECDSA */
1908         };
1909
1910         if (data >= (d+n-2))
1911                 return;
1912         data += 2;
1913
1914         if (data > (d+n-4))
1915                 return;
1916         n2s(data,type);
1917         n2s(data,size);
1918
1919         if (type != TLSEXT_TYPE_server_name)
1920                 return;
1921
1922         if (data+size > d+n)
1923                 return;
1924         data += size;
1925
1926         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
1927                 {
1928                 const size_t len1 = sizeof(kSafariExtensionsBlock);
1929                 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1930
1931                 if (data + len1 + len2 != d+n)
1932                         return;
1933                 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1934                         return;
1935                 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1936                         return;
1937                 }
1938         else
1939                 {
1940                 const size_t len = sizeof(kSafariExtensionsBlock);
1941
1942                 if (data + len != d+n)
1943                         return;
1944                 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1945                         return;
1946                 }
1947
1948         s->s3->is_probably_safari = 1;
1949 }
1950 #endif /* !OPENSSL_NO_EC */
1951
1952 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1953         {       
1954         unsigned short type;
1955         unsigned short size;
1956         unsigned short len;
1957         unsigned char *data = *p;
1958         int renegotiate_seen = 0;
1959         size_t i;
1960
1961         s->servername_done = 0;
1962         s->tlsext_status_type = -1;
1963 #ifndef OPENSSL_NO_NEXTPROTONEG
1964         s->s3->next_proto_neg_seen = 0;
1965 #endif
1966
1967         if (s->s3->alpn_selected)
1968                 {
1969                 OPENSSL_free(s->s3->alpn_selected);
1970                 s->s3->alpn_selected = NULL;
1971                 }
1972
1973         /* Clear observed custom extensions */
1974         s->s3->serverinfo_client_tlsext_custom_types_count = 0;
1975         if (s->s3->serverinfo_client_tlsext_custom_types != NULL)
1976                 {
1977                 OPENSSL_free(s->s3->serverinfo_client_tlsext_custom_types);
1978                 s->s3->serverinfo_client_tlsext_custom_types = NULL;
1979                 }
1980
1981 #ifndef OPENSSL_NO_HEARTBEATS
1982         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1983                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1984 #endif
1985
1986 #ifndef OPENSSL_NO_EC
1987         if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1988                 ssl_check_for_safari(s, data, d, n);
1989 #endif /* !OPENSSL_NO_EC */
1990
1991         /* Clear any signature algorithms extension received */
1992         if (s->cert->peer_sigalgs)
1993                 {
1994                 OPENSSL_free(s->cert->peer_sigalgs);
1995                 s->cert->peer_sigalgs = NULL;
1996                 }
1997         /* Clear any shared sigtnature algorithms */
1998         if (s->cert->shared_sigalgs)
1999                 {
2000                 OPENSSL_free(s->cert->shared_sigalgs);
2001                 s->cert->shared_sigalgs = NULL;
2002                 }
2003         /* Clear certificate digests and validity flags */
2004         for (i = 0; i < SSL_PKEY_NUM; i++)
2005                 {
2006                 s->cert->pkeys[i].digest = NULL;
2007                 s->cert->pkeys[i].valid_flags = 0;
2008                 }
2009
2010 #ifdef TLSEXT_TYPE_encrypt_then_mac
2011         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2012 #endif
2013
2014         if (data >= (d+n-2))
2015                 goto ri_check;
2016         n2s(data,len);
2017
2018         if (data > (d+n-len)) 
2019                 goto ri_check;
2020
2021         while (data <= (d+n-4))
2022                 {
2023                 n2s(data,type);
2024                 n2s(data,size);
2025
2026                 if (data+size > (d+n))
2027                         goto ri_check;
2028 #if 0
2029                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
2030 #endif
2031                 if (s->tlsext_debug_cb)
2032                         s->tlsext_debug_cb(s, 0, type, data, size,
2033                                                 s->tlsext_debug_arg);
2034 /* The servername extension is treated as follows:
2035
2036    - Only the hostname type is supported with a maximum length of 255.
2037    - The servername is rejected if too long or if it contains zeros,
2038      in which case an fatal alert is generated.
2039    - The servername field is maintained together with the session cache.
2040    - When a session is resumed, the servername call back invoked in order
2041      to allow the application to position itself to the right context. 
2042    - The servername is acknowledged if it is new for a session or when 
2043      it is identical to a previously used for the same session. 
2044      Applications can control the behaviour.  They can at any time
2045      set a 'desirable' servername for a new SSL object. This can be the
2046      case for example with HTTPS when a Host: header field is received and
2047      a renegotiation is requested. In this case, a possible servername
2048      presented in the new client hello is only acknowledged if it matches
2049      the value of the Host: field. 
2050    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2051      if they provide for changing an explicit servername context for the session,
2052      i.e. when the session has been established with a servername extension. 
2053    - On session reconnect, the servername extension may be absent. 
2054
2055 */      
2056
2057                 if (type == TLSEXT_TYPE_server_name)
2058                         {
2059                         unsigned char *sdata;
2060                         int servname_type;
2061                         int dsize; 
2062                 
2063                         if (size < 2) 
2064                                 {
2065                                 *al = SSL_AD_DECODE_ERROR;
2066                                 return 0;
2067                                 }
2068                         n2s(data,dsize);  
2069                         size -= 2;
2070                         if (dsize > size  ) 
2071                                 {
2072                                 *al = SSL_AD_DECODE_ERROR;
2073                                 return 0;
2074                                 } 
2075
2076                         sdata = data;
2077                         while (dsize > 3) 
2078                                 {
2079                                 servname_type = *(sdata++); 
2080                                 n2s(sdata,len);
2081                                 dsize -= 3;
2082
2083                                 if (len > dsize) 
2084                                         {
2085                                         *al = SSL_AD_DECODE_ERROR;
2086                                         return 0;
2087                                         }
2088                                 if (s->servername_done == 0)
2089                                 switch (servname_type)
2090                                         {
2091                                 case TLSEXT_NAMETYPE_host_name:
2092                                         if (!s->hit)
2093                                                 {
2094                                                 if(s->session->tlsext_hostname)
2095                                                         {
2096                                                         *al = SSL_AD_DECODE_ERROR;
2097                                                         return 0;
2098                                                         }
2099                                                 if (len > TLSEXT_MAXLEN_host_name)
2100                                                         {
2101                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
2102                                                         return 0;
2103                                                         }
2104                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2105                                                         {
2106                                                         *al = TLS1_AD_INTERNAL_ERROR;
2107                                                         return 0;
2108                                                         }
2109                                                 memcpy(s->session->tlsext_hostname, sdata, len);
2110                                                 s->session->tlsext_hostname[len]='\0';
2111                                                 if (strlen(s->session->tlsext_hostname) != len) {
2112                                                         OPENSSL_free(s->session->tlsext_hostname);
2113                                                         s->session->tlsext_hostname = NULL;
2114                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
2115                                                         return 0;
2116                                                 }
2117                                                 s->servername_done = 1; 
2118
2119                                                 }
2120                                         else 
2121                                                 s->servername_done = s->session->tlsext_hostname
2122                                                         && strlen(s->session->tlsext_hostname) == len 
2123                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2124                                         
2125                                         break;
2126
2127                                 default:
2128                                         break;
2129                                         }
2130                                  
2131                                 dsize -= len;
2132                                 }
2133                         if (dsize != 0) 
2134                                 {
2135                                 *al = SSL_AD_DECODE_ERROR;
2136                                 return 0;
2137                                 }
2138
2139                         }
2140 #ifndef OPENSSL_NO_SRP
2141                 else if (type == TLSEXT_TYPE_srp)
2142                         {
2143                         if (size <= 0 || ((len = data[0])) != (size -1))
2144                                 {
2145                                 *al = SSL_AD_DECODE_ERROR;
2146                                 return 0;
2147                                 }
2148                         if (s->srp_ctx.login != NULL)
2149                                 {
2150                                 *al = SSL_AD_DECODE_ERROR;
2151                                 return 0;
2152                                 }
2153                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
2154                                 return -1;
2155                         memcpy(s->srp_ctx.login, &data[1], len);
2156                         s->srp_ctx.login[len]='\0';
2157   
2158                         if (strlen(s->srp_ctx.login) != len) 
2159                                 {
2160                                 *al = SSL_AD_DECODE_ERROR;
2161                                 return 0;
2162                                 }
2163                         }
2164 #endif
2165
2166 #ifndef OPENSSL_NO_EC
2167                 else if (type == TLSEXT_TYPE_ec_point_formats)
2168                         {
2169                         unsigned char *sdata = data;
2170                         int ecpointformatlist_length = *(sdata++);
2171
2172                         if (ecpointformatlist_length != size - 1 || 
2173                                 ecpointformatlist_length < 1)
2174                                 {
2175                                 *al = TLS1_AD_DECODE_ERROR;
2176                                 return 0;
2177                                 }
2178                         if (!s->hit)
2179                                 {
2180                                 if(s->session->tlsext_ecpointformatlist)
2181                                         {
2182                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
2183                                         s->session->tlsext_ecpointformatlist = NULL;
2184                                         }
2185                                 s->session->tlsext_ecpointformatlist_length = 0;
2186                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2187                                         {
2188                                         *al = TLS1_AD_INTERNAL_ERROR;
2189                                         return 0;
2190                                         }
2191                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2192                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2193                                 }
2194 #if 0
2195                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2196                         sdata = s->session->tlsext_ecpointformatlist;
2197                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2198                                 fprintf(stderr,"%i ",*(sdata++));
2199                         fprintf(stderr,"\n");
2200 #endif
2201                         }
2202                 else if (type == TLSEXT_TYPE_elliptic_curves)
2203                         {
2204                         unsigned char *sdata = data;
2205                         int ellipticcurvelist_length = (*(sdata++) << 8);
2206                         ellipticcurvelist_length += (*(sdata++));
2207
2208                         if (ellipticcurvelist_length != size - 2 ||
2209                                 ellipticcurvelist_length < 1)
2210                                 {
2211                                 *al = TLS1_AD_DECODE_ERROR;
2212                                 return 0;
2213                                 }
2214                         if (!s->hit)
2215                                 {
2216                                 if(s->session->tlsext_ellipticcurvelist)
2217                                         {
2218                                         *al = TLS1_AD_DECODE_ERROR;
2219                                         return 0;
2220                                         }
2221                                 s->session->tlsext_ellipticcurvelist_length = 0;
2222                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2223                                         {
2224                                         *al = TLS1_AD_INTERNAL_ERROR;
2225                                         return 0;
2226                                         }
2227                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2228                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2229                                 }
2230 #if 0
2231                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2232                         sdata = s->session->tlsext_ellipticcurvelist;
2233                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2234                                 fprintf(stderr,"%i ",*(sdata++));
2235                         fprintf(stderr,"\n");
2236 #endif
2237                         }
2238 #endif /* OPENSSL_NO_EC */
2239 #ifdef TLSEXT_TYPE_opaque_prf_input
2240                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2241                         {
2242                         unsigned char *sdata = data;
2243
2244                         if (size < 2)
2245                                 {
2246                                 *al = SSL_AD_DECODE_ERROR;
2247                                 return 0;
2248                                 }
2249                         n2s(sdata, s->s3->client_opaque_prf_input_len);
2250                         if (s->s3->client_opaque_prf_input_len != size - 2)
2251                                 {
2252                                 *al = SSL_AD_DECODE_ERROR;
2253                                 return 0;
2254                                 }
2255
2256                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2257                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2258                         if (s->s3->client_opaque_prf_input_len == 0)
2259                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2260                         else
2261                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2262                         if (s->s3->client_opaque_prf_input == NULL)
2263                                 {
2264                                 *al = TLS1_AD_INTERNAL_ERROR;
2265                                 return 0;
2266                                 }
2267                         }
2268 #endif
2269                 else if (type == TLSEXT_TYPE_session_ticket)
2270                         {
2271                         if (s->tls_session_ticket_ext_cb &&
2272                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2273                                 {
2274                                 *al = TLS1_AD_INTERNAL_ERROR;
2275                                 return 0;
2276                                 }
2277                         }
2278                 else if (type == TLSEXT_TYPE_renegotiate)
2279                         {
2280                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2281                                 return 0;
2282                         renegotiate_seen = 1;
2283                         }
2284                 else if (type == TLSEXT_TYPE_signature_algorithms)
2285                         {
2286                         int dsize;
2287                         if (s->cert->peer_sigalgs || size < 2) 
2288                                 {
2289                                 *al = SSL_AD_DECODE_ERROR;
2290                                 return 0;
2291                                 }
2292                         n2s(data,dsize);
2293                         size -= 2;
2294                         if (dsize != size || dsize & 1 || !dsize) 
2295                                 {
2296                                 *al = SSL_AD_DECODE_ERROR;
2297                                 return 0;
2298                                 }
2299                         if (!tls1_process_sigalgs(s, data, dsize))
2300                                 {
2301                                 *al = SSL_AD_DECODE_ERROR;
2302                                 return 0;
2303                                 }
2304                         /* If sigalgs received and no shared algorithms fatal
2305                          * error.
2306                          */
2307                         if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
2308                                 {
2309                                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2310                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2311                                 *al = SSL_AD_ILLEGAL_PARAMETER;
2312                                 return 0;
2313                                 }
2314                         }
2315                 else if (type == TLSEXT_TYPE_status_request)
2316                         {
2317                 
2318                         if (size < 5) 
2319                                 {
2320                                 *al = SSL_AD_DECODE_ERROR;
2321                                 return 0;
2322                                 }
2323
2324                         s->tlsext_status_type = *data++;
2325                         size--;
2326                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2327                                 {
2328                                 const unsigned char *sdata;
2329                                 int dsize;
2330                                 /* Read in responder_id_list */
2331                                 n2s(data,dsize);
2332                                 size -= 2;
2333                                 if (dsize > size  ) 
2334                                         {
2335                                         *al = SSL_AD_DECODE_ERROR;
2336                                         return 0;
2337                                         }
2338                                 while (dsize > 0)
2339                                         {
2340                                         OCSP_RESPID *id;
2341                                         int idsize;
2342                                         if (dsize < 4)
2343                                                 {
2344                                                 *al = SSL_AD_DECODE_ERROR;
2345                                                 return 0;
2346                                                 }
2347                                         n2s(data, idsize);
2348                                         dsize -= 2 + idsize;
2349                                         size -= 2 + idsize;
2350                                         if (dsize < 0)
2351                                                 {
2352                                                 *al = SSL_AD_DECODE_ERROR;
2353                                                 return 0;
2354                                                 }
2355                                         sdata = data;
2356                                         data += idsize;
2357                                         id = d2i_OCSP_RESPID(NULL,
2358                                                                 &sdata, idsize);
2359                                         if (!id)
2360                                                 {
2361                                                 *al = SSL_AD_DECODE_ERROR;
2362                                                 return 0;
2363                                                 }
2364                                         if (data != sdata)
2365                                                 {
2366                                                 OCSP_RESPID_free(id);
2367                                                 *al = SSL_AD_DECODE_ERROR;
2368                                                 return 0;
2369                                                 }
2370                                         if (!s->tlsext_ocsp_ids
2371                                                 && !(s->tlsext_ocsp_ids =
2372                                                 sk_OCSP_RESPID_new_null()))
2373                                                 {
2374                                                 OCSP_RESPID_free(id);
2375                                                 *al = SSL_AD_INTERNAL_ERROR;
2376                                                 return 0;
2377                                                 }
2378                                         if (!sk_OCSP_RESPID_push(
2379                                                         s->tlsext_ocsp_ids, id))
2380                                                 {
2381                                                 OCSP_RESPID_free(id);
2382                                                 *al = SSL_AD_INTERNAL_ERROR;
2383                                                 return 0;
2384                                                 }
2385                                         }
2386
2387                                 /* Read in request_extensions */
2388                                 if (size < 2)
2389                                         {
2390                                         *al = SSL_AD_DECODE_ERROR;
2391                                         return 0;
2392                                         }
2393                                 n2s(data,dsize);
2394                                 size -= 2;
2395                                 if (dsize != size)
2396                                         {
2397                                         *al = SSL_AD_DECODE_ERROR;
2398                                         return 0;
2399                                         }
2400                                 sdata = data;
2401                                 if (dsize > 0)
2402                                         {
2403                                         if (s->tlsext_ocsp_exts)
2404                                                 {
2405                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2406                                                                            X509_EXTENSION_free);
2407                                                 }
2408
2409                                         s->tlsext_ocsp_exts =
2410                                                 d2i_X509_EXTENSIONS(NULL,
2411                                                         &sdata, dsize);
2412                                         if (!s->tlsext_ocsp_exts
2413                                                 || (data + dsize != sdata))
2414                                                 {
2415                                                 *al = SSL_AD_DECODE_ERROR;
2416                                                 return 0;
2417                                                 }
2418                                         }
2419                                 }
2420                                 /* We don't know what to do with any other type
2421                                 * so ignore it.
2422                                 */
2423                                 else
2424                                         s->tlsext_status_type = -1;
2425                         }
2426 #ifndef OPENSSL_NO_HEARTBEATS
2427                 else if (type == TLSEXT_TYPE_heartbeat)
2428                         {
2429                         switch(data[0])
2430                                 {
2431                                 case 0x01:      /* Client allows us to send HB requests */
2432                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2433                                                         break;
2434                                 case 0x02:      /* Client doesn't accept HB requests */
2435                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2436                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2437                                                         break;
2438                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2439                                                         return 0;
2440                                 }
2441                         }
2442 #endif
2443 #ifndef OPENSSL_NO_NEXTPROTONEG
2444                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2445                          s->s3->tmp.finish_md_len == 0 &&
2446                          s->s3->alpn_selected == NULL)
2447                         {
2448                         /* We shouldn't accept this extension on a
2449                          * renegotiation.
2450                          *
2451                          * s->new_session will be set on renegotiation, but we
2452                          * probably shouldn't rely that it couldn't be set on
2453                          * the initial renegotation too in certain cases (when
2454                          * there's some other reason to disallow resuming an
2455                          * earlier session -- the current code won't be doing
2456                          * anything like that, but this might change).
2457
2458                          * A valid sign that there's been a previous handshake
2459                          * in this connection is if s->s3->tmp.finish_md_len >
2460                          * 0.  (We are talking about a check that will happen
2461                          * in the Hello protocol round, well before a new
2462                          * Finished message could have been computed.) */
2463                         s->s3->next_proto_neg_seen = 1;
2464                         }
2465 #endif
2466
2467                 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2468                          s->ctx->alpn_select_cb &&
2469                          s->s3->tmp.finish_md_len == 0)
2470                         {
2471                         if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2472                                 return 0;
2473 #ifndef OPENSSL_NO_NEXTPROTONEG
2474                         /* ALPN takes precedence over NPN. */
2475                         s->s3->next_proto_neg_seen = 0;
2476 #endif
2477                         }
2478
2479                 /* session ticket processed earlier */
2480                 else if (type == TLSEXT_TYPE_use_srtp)
2481                         {
2482                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2483                                                               al))
2484                                 return 0;
2485                         }
2486                 /* If this ClientHello extension was unhandled and this is 
2487                  * a nonresumed connection, check whether the extension is a 
2488                  * custom TLS Extension (has a custom_srv_ext_record), and if
2489                  * so call the callback and record the extension number so that
2490                  * an appropriate ServerHello may be later returned.
2491                  */
2492                 else if (!s->hit && s->ctx->custom_srv_ext_records_count)
2493                         {
2494                         custom_srv_ext_record *record;
2495
2496                         for (i=0; i < s->ctx->custom_srv_ext_records_count; i++)
2497                                 {
2498                                 record = &s->ctx->custom_srv_ext_records[i];
2499                                 if (type == record->ext_type)
2500                                         {
2501                                         if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
2502                                                 return 0;
2503                                         }                                               
2504                                 }
2505                         }
2506 #ifdef TLSEXT_TYPE_encrypt_then_mac
2507                 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2508                         s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2509 #endif
2510
2511                 data+=size;
2512                 }
2513
2514         *p = data;
2515
2516         ri_check:
2517
2518         /* Need RI if renegotiating */
2519
2520         if (!renegotiate_seen && s->renegotiate &&
2521                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2522                 {
2523                 *al = SSL_AD_HANDSHAKE_FAILURE;
2524                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2525                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2526                 return 0;
2527                 }
2528         /* If no signature algorithms extension set default values */
2529         if (!s->cert->peer_sigalgs)
2530                 ssl_cert_set_default_md(s->cert);
2531
2532         return 1;
2533         }
2534
2535 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2536         {
2537         int al = -1;
2538         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
2539                 {
2540                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2541                 return 0;
2542                 }
2543
2544         if (ssl_check_clienthello_tlsext_early(s) <= 0) 
2545                 {
2546                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
2547                 return 0;
2548                 }
2549         return 1;
2550 }
2551
2552 #ifndef OPENSSL_NO_NEXTPROTONEG
2553 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2554  * elements of zero length are allowed and the set of elements must exactly fill
2555  * the length of the block. */
2556 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2557         {
2558         unsigned int off = 0;
2559
2560         while (off < len)
2561                 {
2562                 if (d[off] == 0)
2563                         return 0;
2564                 off += d[off];
2565                 off++;
2566                 }
2567
2568         return off == len;
2569         }
2570 #endif
2571
2572 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2573         {
2574         unsigned short length;
2575         unsigned short type;
2576         unsigned short size;
2577         unsigned char *data = *p;
2578         int tlsext_servername = 0;
2579         int renegotiate_seen = 0;
2580
2581 #ifndef OPENSSL_NO_NEXTPROTONEG
2582         s->s3->next_proto_neg_seen = 0;
2583 #endif
2584
2585         if (s->s3->alpn_selected)
2586                 {
2587                 OPENSSL_free(s->s3->alpn_selected);
2588                 s->s3->alpn_selected = NULL;
2589                 }
2590
2591 #ifndef OPENSSL_NO_HEARTBEATS
2592         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2593                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2594 #endif
2595
2596 #ifdef TLSEXT_TYPE_encrypt_then_mac
2597         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2598 #endif
2599
2600         if (data >= (d+n-2))
2601                 goto ri_check;
2602
2603         n2s(data,length);
2604         if (data+length != d+n)
2605                 {
2606                 *al = SSL_AD_DECODE_ERROR;
2607                 return 0;
2608                 }
2609
2610         while(data <= (d+n-4))
2611                 {
2612                 n2s(data,type);
2613                 n2s(data,size);
2614
2615                 if (data+size > (d+n))
2616                         goto ri_check;
2617
2618                 if (s->tlsext_debug_cb)
2619                         s->tlsext_debug_cb(s, 1, type, data, size,
2620                                                 s->tlsext_debug_arg);
2621
2622                 if (type == TLSEXT_TYPE_server_name)
2623                         {
2624                         if (s->tlsext_hostname == NULL || size > 0)
2625                                 {
2626                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2627                                 return 0;
2628                                 }
2629                         tlsext_servername = 1;   
2630                         }
2631
2632 #ifndef OPENSSL_NO_EC
2633                 else if (type == TLSEXT_TYPE_ec_point_formats)
2634                         {
2635                         unsigned char *sdata = data;
2636                         int ecpointformatlist_length = *(sdata++);
2637
2638                         if (ecpointformatlist_length != size - 1)
2639                                 {
2640                                 *al = TLS1_AD_DECODE_ERROR;
2641                                 return 0;
2642                                 }
2643                         s->session->tlsext_ecpointformatlist_length = 0;
2644                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2645                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2646                                 {
2647                                 *al = TLS1_AD_INTERNAL_ERROR;
2648                                 return 0;
2649                                 }
2650                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2651                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2652 #if 0
2653                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2654                         sdata = s->session->tlsext_ecpointformatlist;
2655                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2656                                 fprintf(stderr,"%i ",*(sdata++));
2657                         fprintf(stderr,"\n");
2658 #endif
2659                         }
2660 #endif /* OPENSSL_NO_EC */
2661
2662                 else if (type == TLSEXT_TYPE_session_ticket)
2663                         {
2664                         if (s->tls_session_ticket_ext_cb &&
2665                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2666                                 {
2667                                 *al = TLS1_AD_INTERNAL_ERROR;
2668                                 return 0;
2669                                 }
2670                         if (!tls_use_ticket(s) || (size > 0))
2671                                 {
2672                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2673                                 return 0;
2674                                 }
2675                         s->tlsext_ticket_expected = 1;
2676                         }
2677 #ifdef TLSEXT_TYPE_opaque_prf_input
2678                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2679                         {
2680                         unsigned char *sdata = data;
2681
2682                         if (size < 2)
2683                                 {
2684                                 *al = SSL_AD_DECODE_ERROR;
2685                                 return 0;
2686                                 }
2687                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2688                         if (s->s3->server_opaque_prf_input_len != size - 2)
2689                                 {
2690                                 *al = SSL_AD_DECODE_ERROR;
2691                                 return 0;
2692                                 }
2693                         
2694                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2695                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2696                         if (s->s3->server_opaque_prf_input_len == 0)
2697                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2698                         else
2699                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2700
2701                         if (s->s3->server_opaque_prf_input == NULL)
2702                                 {
2703                                 *al = TLS1_AD_INTERNAL_ERROR;
2704                                 return 0;
2705                                 }
2706                         }
2707 #endif
2708                 else if (type == TLSEXT_TYPE_status_request)
2709                         {
2710                         /* MUST be empty and only sent if we've requested
2711                          * a status request message.
2712                          */ 
2713                         if ((s->tlsext_status_type == -1) || (size > 0))
2714                                 {
2715                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2716                                 return 0;
2717                                 }
2718                         /* Set flag to expect CertificateStatus message */
2719                         s->tlsext_status_expected = 1;
2720                         }
2721 #ifndef OPENSSL_NO_NEXTPROTONEG
2722                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2723                          s->s3->tmp.finish_md_len == 0)
2724                         {
2725                         unsigned char *selected;
2726                         unsigned char selected_len;
2727
2728                         /* We must have requested it. */
2729                         if (s->ctx->next_proto_select_cb == NULL)
2730                                 {
2731                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2732                                 return 0;
2733                                 }
2734                         /* The data must be valid */
2735                         if (!ssl_next_proto_validate(data, size))
2736                                 {
2737                                 *al = TLS1_AD_DECODE_ERROR;
2738                                 return 0;
2739                                 }
2740                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2741                                 {
2742                                 *al = TLS1_AD_INTERNAL_ERROR;
2743                                 return 0;
2744                                 }
2745                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2746                         if (!s->next_proto_negotiated)
2747                                 {
2748                                 *al = TLS1_AD_INTERNAL_ERROR;
2749                                 return 0;
2750                                 }
2751                         memcpy(s->next_proto_negotiated, selected, selected_len);
2752                         s->next_proto_negotiated_len = selected_len;
2753                         s->s3->next_proto_neg_seen = 1;
2754                         }
2755 #endif
2756
2757                 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
2758                         {
2759                         unsigned len;
2760
2761                         /* We must have requested it. */
2762                         if (s->alpn_client_proto_list == NULL)
2763                                 {
2764                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2765                                 return 0;
2766                                 }
2767                         if (size < 4)
2768                                 {
2769                                 *al = TLS1_AD_DECODE_ERROR;
2770                                 return 0;
2771                                 }
2772                         /* The extension data consists of:
2773                          *   uint16 list_length
2774                          *   uint8 proto_length;
2775                          *   uint8 proto[proto_length]; */
2776                         len = data[0];
2777                         len <<= 8;
2778                         len |= data[1];
2779                         if (len != (unsigned) size - 2)
2780                                 {
2781                                 *al = TLS1_AD_DECODE_ERROR;
2782                                 return 0;
2783                                 }
2784                         len = data[2];
2785                         if (len != (unsigned) size - 3)
2786                                 {
2787                                 *al = TLS1_AD_DECODE_ERROR;
2788                                 return 0;
2789                                 }
2790                         if (s->s3->alpn_selected)
2791                                 OPENSSL_free(s->s3->alpn_selected);
2792                         s->s3->alpn_selected = OPENSSL_malloc(len);
2793                         if (!s->s3->alpn_selected)
2794                                 {
2795                                 *al = TLS1_AD_INTERNAL_ERROR;
2796                                 return 0;
2797                                 }
2798                         memcpy(s->s3->alpn_selected, data + 3, len);
2799                         s->s3->alpn_selected_len = len;
2800                         }
2801
2802                 else if (type == TLSEXT_TYPE_renegotiate)
2803                         {
2804                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2805                                 return 0;
2806                         renegotiate_seen = 1;
2807                         }
2808 #ifndef OPENSSL_NO_HEARTBEATS
2809                 else if (type == TLSEXT_TYPE_heartbeat)
2810                         {
2811                         switch(data[0])
2812                                 {
2813                                 case 0x01:      /* Server allows us to send HB requests */
2814                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2815                                                         break;
2816                                 case 0x02:      /* Server doesn't accept HB requests */
2817                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2818                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2819                                                         break;
2820                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2821                                                         return 0;
2822                                 }
2823                         }
2824 #endif
2825                 else if (type == TLSEXT_TYPE_use_srtp)
2826                         {
2827                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2828                                                               al))
2829                                 return 0;
2830                         }
2831                 /* If this extension type was not otherwise handled, but 
2832                  * matches a custom_cli_ext_record, then send it to the c
2833                  * callback */
2834                 else if (s->ctx->custom_cli_ext_records_count)
2835                         {
2836                         size_t i;
2837                         custom_cli_ext_record* record;
2838
2839                         for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
2840                                 {
2841                                 record = &s->ctx->custom_cli_ext_records[i];
2842                                 if (record->ext_type == type)
2843                                         {
2844                                         if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
2845                                                 return 0;
2846                                         break;
2847                                         }
2848                                 }                       
2849                         }
2850 #ifdef TLSEXT_TYPE_encrypt_then_mac
2851                 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2852                         {
2853                         /* Ignore if inappropriate ciphersuite */
2854                         if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD)
2855                                 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2856                         }
2857 #endif
2858  
2859                 data += size;
2860                 }
2861
2862         if (data != d+n)
2863                 {
2864                 *al = SSL_AD_DECODE_ERROR;
2865                 return 0;
2866                 }
2867
2868         if (!s->hit && tlsext_servername == 1)
2869                 {
2870                 if (s->tlsext_hostname)
2871                         {
2872                         if (s->session->tlsext_hostname == NULL)
2873                                 {
2874                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2875                                 if (!s->session->tlsext_hostname)
2876                                         {
2877                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2878                                         return 0;
2879                                         }
2880                                 }
2881                         else 
2882                                 {
2883                                 *al = SSL_AD_DECODE_ERROR;
2884                                 return 0;
2885                                 }
2886                         }
2887                 }
2888
2889         *p = data;
2890
2891         ri_check:
2892
2893         /* Determine if we need to see RI. Strictly speaking if we want to
2894          * avoid an attack we should *always* see RI even on initial server
2895          * hello because the client doesn't see any renegotiation during an
2896          * attack. However this would mean we could not connect to any server
2897          * which doesn't support RI so for the immediate future tolerate RI
2898          * absence on initial connect only.
2899          */
2900         if (!renegotiate_seen
2901                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2902                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2903                 {
2904                 *al = SSL_AD_HANDSHAKE_FAILURE;
2905                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2906                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2907                 return 0;
2908                 }
2909
2910         return 1;
2911         }
2912
2913
2914 int ssl_prepare_clienthello_tlsext(SSL *s)
2915         {
2916
2917 #ifdef TLSEXT_TYPE_opaque_prf_input
2918         {
2919                 int r = 1;
2920         
2921                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2922                         {
2923                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2924                         if (!r)
2925                                 return -1;
2926                         }
2927
2928                 if (s->tlsext_opaque_prf_input != NULL)
2929                         {
2930                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2931                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2932
2933                         if (s->tlsext_opaque_prf_input_len == 0)
2934                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2935                         else
2936                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2937                         if (s->s3->client_opaque_prf_input == NULL)
2938                                 {
2939                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2940                                 return -1;
2941                                 }
2942                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2943                         }
2944
2945                 if (r == 2)
2946                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2947                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2948         }
2949 #endif
2950
2951         return 1;
2952         }
2953
2954 int ssl_prepare_serverhello_tlsext(SSL *s)
2955         {
2956         return 1;
2957         }
2958
2959 static int ssl_check_clienthello_tlsext_early(SSL *s)
2960         {
2961         int ret=SSL_TLSEXT_ERR_NOACK;
2962         int al = SSL_AD_UNRECOGNIZED_NAME;
2963
2964 #ifndef OPENSSL_NO_EC
2965         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2966          * ssl3_choose_cipher in s3_lib.c.
2967          */
2968         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2969          * ssl3_choose_cipher in s3_lib.c.
2970          */
2971 #endif
2972
2973         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2974                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2975         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2976                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2977
2978 #ifdef TLSEXT_TYPE_opaque_prf_input
2979         {
2980                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2981                  * but we might be sending an alert in response to the client hello,
2982                  * so this has to happen here in
2983                  * ssl_check_clienthello_tlsext_early(). */
2984
2985                 int r = 1;
2986         
2987                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2988                         {
2989                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2990                         if (!r)
2991                                 {
2992                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2993                                 al = SSL_AD_INTERNAL_ERROR;
2994                                 goto err;
2995                                 }
2996                         }
2997
2998                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2999                         OPENSSL_free(s->s3->server_opaque_prf_input);
3000                 s->s3->server_opaque_prf_input = NULL;
3001
3002                 if (s->tlsext_opaque_prf_input != NULL)
3003                         {
3004                         if (s->s3->client_opaque_prf_input != NULL &&
3005                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
3006                                 {
3007                                 /* can only use this extension if we have a server opaque PRF input
3008                                  * of the same length as the client opaque PRF input! */
3009
3010                                 if (s->tlsext_opaque_prf_input_len == 0)
3011                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3012                                 else
3013                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3014                                 if (s->s3->server_opaque_prf_input == NULL)
3015                                         {
3016                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3017                                         al = SSL_AD_INTERNAL_ERROR;
3018                                         goto err;
3019                                         }
3020                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3021                                 }
3022                         }
3023
3024                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
3025                         {
3026                         /* The callback wants to enforce use of the extension,
3027                          * but we can't do that with the client opaque PRF input;
3028                          * abort the handshake.
3029                          */
3030                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3031                         al = SSL_AD_HANDSHAKE_FAILURE;
3032                         }
3033         }
3034
3035  err:
3036 #endif
3037         switch (ret)
3038                 {
3039                 case SSL_TLSEXT_ERR_ALERT_FATAL:
3040                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
3041                         return -1;
3042
3043                 case SSL_TLSEXT_ERR_ALERT_WARNING:
3044                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
3045                         return 1; 
3046                                         
3047                 case SSL_TLSEXT_ERR_NOACK:
3048                         s->servername_done=0;
3049                         default:
3050                 return 1;
3051                 }
3052         }
3053
3054 int ssl_check_clienthello_tlsext_late(SSL *s)
3055         {
3056         int ret = SSL_TLSEXT_ERR_OK;
3057         int al;
3058
3059         /* If status request then ask callback what to do.
3060          * Note: this must be called after servername callbacks in case
3061          * the certificate has changed, and must be called after the cipher
3062          * has been chosen because this may influence which certificate is sent
3063          */
3064         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
3065                 {
3066                 int r;
3067                 CERT_PKEY *certpkey;
3068                 certpkey = ssl_get_server_send_pkey(s);
3069                 /* If no certificate can't return certificate status */
3070                 if (certpkey == NULL)
3071                         {
3072                         s->tlsext_status_expected = 0;
3073                         return 1;
3074                         }
3075                 /* Set current certificate to one we will use so
3076                  * SSL_get_certificate et al can pick it up.
3077                  */
3078                 s->cert->key = certpkey;
3079                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3080                 switch (r)
3081                         {
3082                         /* We don't want to send a status request response */
3083                         case SSL_TLSEXT_ERR_NOACK:
3084                                 s->tlsext_status_expected = 0;
3085                                 break;
3086                         /* status request response should be sent */
3087                         case SSL_TLSEXT_ERR_OK:
3088                                 if (s->tlsext_ocsp_resp)
3089                                         s->tlsext_status_expected = 1;
3090                                 else
3091                                         s->tlsext_status_expected = 0;
3092                                 break;
3093                         /* something bad happened */
3094                         case SSL_TLSEXT_ERR_ALERT_FATAL:
3095                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3096                                 al = SSL_AD_INTERNAL_ERROR;
3097                                 goto err;
3098                         }
3099                 }
3100         else
3101                 s->tlsext_status_expected = 0;
3102
3103  err:
3104         switch (ret)
3105                 {
3106                 case SSL_TLSEXT_ERR_ALERT_FATAL:
3107                         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3108                         return -1;
3109
3110                 case SSL_TLSEXT_ERR_ALERT_WARNING:
3111                         ssl3_send_alert(s, SSL3_AL_WARNING, al);
3112                         return 1; 
3113
3114                 default:
3115                         return 1;
3116                 }
3117         }
3118
3119 int ssl_check_serverhello_tlsext(SSL *s)
3120         {
3121         int ret=SSL_TLSEXT_ERR_NOACK;
3122         int al = SSL_AD_UNRECOGNIZED_NAME;
3123
3124 #ifndef OPENSSL_NO_EC
3125         /* If we are client and using an elliptic curve cryptography cipher
3126          * suite, then if server returns an EC point formats lists extension
3127          * it must contain uncompressed.
3128          */
3129         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3130         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3131         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
3132             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
3133             ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
3134                 {
3135                 /* we are using an ECC cipher */
3136                 size_t i;
3137                 unsigned char *list;
3138                 int found_uncompressed = 0;
3139                 list = s->session->tlsext_ecpointformatlist;
3140                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
3141                         {
3142                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
3143                                 {
3144                                 found_uncompressed = 1;
3145                                 break;
3146                                 }
3147                         }
3148                 if (!found_uncompressed)
3149                         {
3150                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3151                         return -1;
3152                         }
3153                 }
3154         ret = SSL_TLSEXT_ERR_OK;
3155 #endif /* OPENSSL_NO_EC */
3156
3157         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
3158                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3159         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
3160                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3161
3162 #ifdef TLSEXT_TYPE_opaque_prf_input
3163         if (s->s3->server_opaque_prf_input_len > 0)
3164                 {
3165                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
3166                  * So first verify that we really have a value from the server too. */
3167
3168                 if (s->s3->server_opaque_prf_input == NULL)
3169                         {
3170                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3171                         al = SSL_AD_HANDSHAKE_FAILURE;
3172                         }
3173                 
3174                 /* Anytime the server *has* sent an opaque PRF input, we need to check
3175                  * that we have a client opaque PRF input of the same size. */
3176                 if (s->s3->client_opaque_prf_input == NULL ||
3177                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
3178                         {
3179                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3180                         al = SSL_AD_ILLEGAL_PARAMETER;
3181                         }
3182                 }
3183 #endif
3184
3185         /* If we've requested certificate status and we wont get one
3186          * tell the callback
3187          */
3188         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3189                         && s->ctx && s->ctx->tlsext_status_cb)
3190                 {
3191                 int r;
3192                 /* Set resp to NULL, resplen to -1 so callback knows
3193                  * there is no response.
3194                  */
3195                 if (s->tlsext_ocsp_resp)
3196                         {
3197                         OPENSSL_free(s->tlsext_ocsp_resp);
3198                         s->tlsext_ocsp_resp = NULL;
3199                         }
3200                 s->tlsext_ocsp_resplen = -1;
3201                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3202                 if (r == 0)
3203                         {
3204                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3205                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3206                         }
3207                 if (r < 0)
3208                         {
3209                         al = SSL_AD_INTERNAL_ERROR;
3210                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3211                         }
3212                 }
3213
3214         switch (ret)
3215                 {
3216                 case SSL_TLSEXT_ERR_ALERT_FATAL:
3217                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
3218                         return -1;
3219
3220                 case SSL_TLSEXT_ERR_ALERT_WARNING:
3221                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
3222                         return 1; 
3223                                         
3224                 case SSL_TLSEXT_ERR_NOACK:
3225                         s->servername_done=0;
3226                         default:
3227                 return 1;
3228                 }
3229         }
3230
3231 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
3232         {
3233         int al = -1;
3234         if (s->version < SSL3_VERSION)
3235                 return 1;
3236         if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
3237                 {
3238                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
3239                 return 0;
3240                 }
3241
3242         if (ssl_check_serverhello_tlsext(s) <= 0) 
3243                 {
3244                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
3245                 return 0;
3246                 }
3247         return 1;
3248 }
3249
3250 /* Since the server cache lookup is done early on in the processing of the
3251  * ClientHello, and other operations depend on the result, we need to handle
3252  * any TLS session ticket extension at the same time.
3253  *
3254  *   session_id: points at the session ID in the ClientHello. This code will
3255  *       read past the end of this in order to parse out the session ticket
3256  *       extension, if any.
3257  *   len: the length of the session ID.
3258  *   limit: a pointer to the first byte after the ClientHello.
3259  *   ret: (output) on return, if a ticket was decrypted, then this is set to
3260  *       point to the resulting session.
3261  *
3262  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3263  * ciphersuite, in which case we have no use for session tickets and one will
3264  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3265  *
3266  * Returns:
3267  *   -1: fatal error, either from parsing or decrypting the ticket.
3268  *    0: no ticket was found (or was ignored, based on settings).
3269  *    1: a zero length extension was found, indicating that the client supports
3270  *       session tickets but doesn't currently have one to offer.
3271  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
3272  *       couldn't be decrypted because of a non-fatal error.
3273  *    3: a ticket was successfully decrypted and *ret was set.
3274  *
3275  * Side effects:
3276  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3277  *   a new session ticket to the client because the client indicated support
3278  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3279  *   a session ticket or we couldn't use the one it gave us, or if
3280  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3281  *   Otherwise, s->tlsext_ticket_expected is set to 0.
3282  */
3283 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3284                         const unsigned char *limit, SSL_SESSION **ret)
3285         {
3286         /* Point after session ID in client hello */
3287         const unsigned char *p = session_id + len;
3288         unsigned short i;
3289
3290         *ret = NULL;
3291         s->tlsext_ticket_expected = 0;
3292
3293         /* If tickets disabled behave as if no ticket present
3294          * to permit stateful resumption.
3295          */
3296         if (!tls_use_ticket(s))
3297                 return 0;
3298         if ((s->version <= SSL3_VERSION) || !limit)
3299                 return 0;
3300         if (p >= limit)
3301                 return -1;
3302         /* Skip past DTLS cookie */
3303         if (SSL_IS_DTLS(s))
3304                 {
3305                 i = *(p++);
3306                 p+= i;
3307                 if (p >= limit)
3308                         return -1;
3309                 }
3310         /* Skip past cipher list */
3311         n2s(p, i);
3312         p+= i;
3313         if (p >= limit)
3314                 return -1;
3315         /* Skip past compression algorithm list */
3316         i = *(p++);
3317         p += i;
3318         if (p > limit)
3319                 return -1;
3320         /* Now at start of extensions */
3321         if ((p + 2) >= limit)
3322                 return 0;
3323         n2s(p, i);
3324         while ((p + 4) <= limit)
3325                 {
3326                 unsigned short type, size;
3327                 n2s(p, type);
3328                 n2s(p, size);
3329                 if (p + size > limit)
3330                         return 0;
3331                 if (type == TLSEXT_TYPE_session_ticket)
3332                         {
3333                         int r;
3334                         if (size == 0)
3335                                 {
3336                                 /* The client will accept a ticket but doesn't
3337                                  * currently have one. */
3338                                 s->tlsext_ticket_expected = 1;
3339                                 return 1;
3340                                 }
3341                         if (s->tls_session_secret_cb)
3342                                 {
3343                                 /* Indicate that the ticket couldn't be
3344                                  * decrypted rather than generating the session
3345                                  * from ticket now, trigger abbreviated
3346                                  * handshake based on external mechanism to
3347                                  * calculate the master secret later. */
3348                                 return 2;
3349                                 }
3350                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3351                         switch (r)
3352                                 {
3353                                 case 2: /* ticket couldn't be decrypted */
3354                                         s->tlsext_ticket_expected = 1;
3355                                         return 2;
3356                                 case 3: /* ticket was decrypted */
3357                                         return r;
3358                                 case 4: /* ticket decrypted but need to renew */
3359                                         s->tlsext_ticket_expected = 1;
3360                                         return 3;
3361                                 default: /* fatal error */
3362                                         return -1;
3363                                 }
3364                         }
3365                 p += size;
3366                 }
3367         return 0;
3368         }
3369
3370 /* tls_decrypt_ticket attempts to decrypt a session ticket.
3371  *
3372  *   etick: points to the body of the session ticket extension.
3373  *   eticklen: the length of the session tickets extenion.
3374  *   sess_id: points at the session ID.
3375  *   sesslen: the length of the session ID.
3376  *   psess: (output) on return, if a ticket was decrypted, then this is set to
3377  *       point to the resulting session.
3378  *
3379  * Returns:
3380  *   -1: fatal error, either from parsing or decrypting the ticket.
3381  *    2: the ticket couldn't be decrypted.
3382  *    3: a ticket was successfully decrypted and *psess was set.
3383  *    4: same as 3, but the ticket needs to be renewed.
3384  */
3385 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
3386                                 const unsigned char *sess_id, int sesslen,
3387                                 SSL_SESSION **psess)
3388         {
3389         SSL_SESSION *sess;
3390         unsigned char *sdec;
3391         const unsigned char *p;
3392         int slen, mlen, renew_ticket = 0;
3393         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3394         HMAC_CTX hctx;
3395         EVP_CIPHER_CTX ctx;
3396         SSL_CTX *tctx = s->initial_ctx;
3397         /* Need at least keyname + iv + some encrypted data */
3398         if (eticklen < 48)
3399                 return 2;
3400         /* Initialize session ticket encryption and HMAC contexts */
3401         HMAC_CTX_init(&hctx);
3402         EVP_CIPHER_CTX_init(&ctx);
3403         if (tctx->tlsext_ticket_key_cb)
3404                 {
3405                 unsigned char *nctick = (unsigned char *)etick;
3406                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3407                                                         &ctx, &hctx, 0);
3408                 if (rv < 0)
3409                         return -1;
3410                 if (rv == 0)
3411                         return 2;
3412                 if (rv == 2)
3413                         renew_ticket = 1;
3414                 }
3415         else
3416                 {
3417                 /* Check key name matches */
3418                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3419                         return 2;
3420                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3421                                         tlsext_tick_md(), NULL);
3422                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3423                                 tctx->tlsext_tick_aes_key, etick + 16);
3424                 }
3425         /* Attempt to process session ticket, first conduct sanity and
3426          * integrity checks on ticket.
3427          */
3428         mlen = HMAC_size(&hctx);
3429         if (mlen < 0)
3430                 {
3431                 EVP_CIPHER_CTX_cleanup(&ctx);
3432                 return -1;
3433                 }
3434         eticklen -= mlen;
3435         /* Check HMAC of encrypted ticket */
3436         HMAC_Update(&hctx, etick, eticklen);
3437         HMAC_Final(&hctx, tick_hmac, NULL);
3438         HMAC_CTX_cleanup(&hctx);
3439         if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
3440                 return 2;
3441         /* Attempt to decrypt session data */
3442         /* Move p after IV to start of encrypted ticket, update length */
3443         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3444         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3445         sdec = OPENSSL_malloc(eticklen);
3446         if (!sdec)
3447                 {
3448                 EVP_CIPHER_CTX_cleanup(&ctx);
3449                 return -1;
3450                 }
3451         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3452         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
3453                 return 2;
3454         slen += mlen;
3455         EVP_CIPHER_CTX_cleanup(&ctx);
3456         p = sdec;
3457
3458         sess = d2i_SSL_SESSION(NULL, &p, slen);
3459         OPENSSL_free(sdec);
3460         if (sess)
3461                 {
3462                 /* The session ID, if non-empty, is used by some clients to
3463                  * detect that the ticket has been accepted. So we copy it to
3464                  * the session structure. If it is empty set length to zero
3465                  * as required by standard.
3466                  */
3467                 if (sesslen)
3468                         memcpy(sess->session_id, sess_id, sesslen);
3469                 sess->session_id_length = sesslen;
3470                 *psess = sess;
3471                 if (renew_ticket)
3472                         return 4;
3473                 else
3474                         return 3;
3475                 }
3476         ERR_clear_error();
3477         /* For session parse failure, indicate that we need to send a new
3478          * ticket. */
3479         return 2;
3480         }
3481
3482 /* Tables to translate from NIDs to TLS v1.2 ids */
3483
3484 typedef struct 
3485         {
3486         int nid;
3487         int id;
3488         } tls12_lookup;
3489
3490 static tls12_lookup tls12_md[] = {
3491         {NID_md5, TLSEXT_hash_md5},
3492         {NID_sha1, TLSEXT_hash_sha1},
3493         {NID_sha224, TLSEXT_hash_sha224},
3494         {NID_sha256, TLSEXT_hash_sha256},
3495         {NID_sha384, TLSEXT_hash_sha384},
3496         {NID_sha512, TLSEXT_hash_sha512}
3497 };
3498
3499 static tls12_lookup tls12_sig[] = {
3500         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3501         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3502         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3503 };
3504
3505 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3506         {
3507         size_t i;
3508         for (i = 0; i < tlen; i++)
3509                 {
3510                 if (table[i].nid == nid)
3511                         return table[i].id;
3512                 }
3513         return -1;
3514         }
3515
3516 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3517         {
3518         size_t i;
3519         for (i = 0; i < tlen; i++)
3520                 {
3521                 if ((table[i].id) == id)
3522                         return table[i].nid;
3523                 }
3524         return NID_undef;
3525         }
3526
3527 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3528         {
3529         int sig_id, md_id;
3530         if (!md)
3531                 return 0;
3532         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3533                                 sizeof(tls12_md)/sizeof(tls12_lookup));
3534         if (md_id == -1)
3535                 return 0;
3536         sig_id = tls12_get_sigid(pk);
3537         if (sig_id == -1)
3538                 return 0;
3539         p[0] = (unsigned char)md_id;
3540         p[1] = (unsigned char)sig_id;
3541         return 1;
3542         }
3543
3544 int tls12_get_sigid(const EVP_PKEY *pk)
3545         {
3546         return tls12_find_id(pk->type, tls12_sig,
3547                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
3548         }
3549
3550 typedef struct 
3551         {
3552         int nid;
3553         int secbits;
3554         const EVP_MD *(*mfunc)(