fix for hostname extension
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include "ssl_locl.h"
115
116 const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;
117
118 SSL3_ENC_METHOD TLSv1_enc_data={
119         tls1_enc,
120         tls1_mac,
121         tls1_setup_key_block,
122         tls1_generate_master_secret,
123         tls1_change_cipher_state,
124         tls1_final_finish_mac,
125         TLS1_FINISH_MAC_LENGTH,
126         tls1_cert_verify_mac,
127         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
128         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
129         tls1_alert_code,
130         };
131
132 long tls1_default_timeout(void)
133         {
134         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
135          * is way too long for http, the cache would over fill */
136         return(60*60*2);
137         }
138
139 int tls1_new(SSL *s)
140         {
141         if (!ssl3_new(s)) return(0);
142         s->method->ssl_clear(s);
143         return(1);
144         }
145
146 void tls1_free(SSL *s)
147         {
148         ssl3_free(s);
149         }
150
151 void tls1_clear(SSL *s)
152         {
153         ssl3_clear(s);
154         s->version=TLS1_VERSION;
155         }
156
157
158 #ifndef OPENSSL_NO_TLSEXT
159 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
160         {
161         int extdatalen=0;
162         unsigned char *ret = p;
163
164         ret+=2;
165
166         if (ret>=limit) return NULL; /* this really never occurs, but ... */
167         if (s->tlsext_hostname != NULL)
168                 { 
169                 /* Add TLS extension servername to the Client Hello message */
170                 unsigned long size_str;
171                 long lenmax; 
172
173                 /* check for enough space.
174                    4 for the servername type and entension length
175                    2 for servernamelist length
176                    1 for the hostname type
177                    2 for hostname length
178                    + hostname length 
179                 */
180                    
181                 if ((lenmax = limit - p - 9) < 0 
182                 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
183                         return NULL;
184                         
185                 /* extension type and length */
186                 s2n(TLSEXT_TYPE_server_name,ret); 
187                 s2n(size_str+5,ret);
188                 
189                 /* length of servername list */
190                 s2n(size_str+3,ret);
191         
192                 /* hostname type, length and hostname */
193                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
194                 s2n(size_str,ret);
195                 memcpy(ret, s->tlsext_hostname, size_str);
196                 ret+=size_str;
197
198                 }
199 #ifndef OPENSSL_NO_EC
200         if (s->tlsext_ecpointformatlist != NULL)
201                 {
202                 /* Add TLS extension ECPointFormats to the ClientHello message */
203                 long lenmax; 
204
205                 if ((lenmax = limit - p - 5) < 0) return NULL; 
206                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
207                 if (s->tlsext_ecpointformatlist_length > 255)
208                         {
209                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
210                         return NULL;
211                         }
212                 
213                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
214                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
215                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
216                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
217                 ret+=s->tlsext_ecpointformatlist_length;
218                 }
219         if (s->tlsext_ellipticcurvelist != NULL)
220                 {
221                 /* Add TLS extension EllipticCurves to the ClientHello message */
222                 long lenmax; 
223
224                 if ((lenmax = limit - p - 5) < 0) return NULL; 
225                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
226                 if (s->tlsext_ellipticcurvelist_length > 255)
227                         {
228                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
229                         return NULL;
230                         }
231                 
232                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
233                 s2n(s->tlsext_ellipticcurvelist_length + 2,ret);
234                 *(ret++) = (unsigned char) ((s->tlsext_ellipticcurvelist_length >> 8) & 0xFF);
235                 *(ret++) = (unsigned char) (s->tlsext_ellipticcurvelist_length & 0xFF);
236                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
237                 ret+=s->tlsext_ellipticcurvelist_length;
238                 }
239 #endif /* OPENSSL_NO_EC */
240
241         if ((extdatalen = ret-p-2)== 0) 
242                 return p;
243
244         s2n(extdatalen,p);
245         return ret;
246 }
247
248 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
249         {
250         int extdatalen=0;
251         unsigned char *ret = p;
252
253         ret+=2;
254         if (ret>=limit) return NULL; /* this really never occurs, but ... */
255
256         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
257                 { 
258                 if (limit - p - 4 < 0) return NULL; 
259
260                 s2n(TLSEXT_TYPE_server_name,ret);
261                 s2n(0,ret);
262                 }
263 #ifndef OPENSSL_NO_EC
264         if (s->tlsext_ecpointformatlist != NULL)
265                 {
266                 /* Add TLS extension ECPointFormats to the ServerHello message */
267                 long lenmax; 
268
269                 if ((lenmax = limit - p - 5) < 0) return NULL; 
270                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
271                 if (s->tlsext_ecpointformatlist_length > 255)
272                         {
273                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
274                         return NULL;
275                         }
276                 
277                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
278                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
279                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
280                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
281                 ret+=s->tlsext_ecpointformatlist_length;
282
283                 }
284         /* Currently the server should not respond with a SupportedCurves extension */
285 #endif /* OPENSSL_NO_EC */
286         
287         if ((extdatalen = ret-p-2)== 0) 
288                 return p;
289
290         s2n(extdatalen,p);
291         return ret;
292 }
293
294 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
295         {
296         unsigned short type;
297         unsigned short size;
298         unsigned short len;
299         unsigned char *data = *p;
300         s->servername_done = 0;
301
302         if (data >= (d+n-2))
303                 return 1;
304         n2s(data,len);
305
306         if (data > (d+n-len)) 
307                 return 1;
308
309         while (data <= (d+n-4))
310                 {
311                 n2s(data,type);
312                 n2s(data,size);
313
314                 if (data+size > (d+n))
315                         return 1;
316                 
317 /* The servername extension is treated as follows:
318
319    - Only the hostname type is supported with a maximum length of 255.
320    - The servername is rejected if too long or if it contains zeros,
321      in which case an fatal alert is generated.
322    - The servername field is maintained together with the session cache.
323    - When a session is resumed, the servername call back invoked in order
324      to allow the application to position itself to the right context. 
325    - The servername is acknowledged if it is new for a session or when 
326      it is identical to a previously used for the same session. 
327      Applications can control the behaviour.  They can at any time
328      set a 'desirable' servername for a new SSL object. This can be the
329      case for example with HTTPS when a Host: header field is received and
330      a renegotiation is requested. In this case, a possible servername
331      presented in the new client hello is only acknowledged if it matches
332      the value of the Host: field. 
333    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
334      if they provide for changing an explicit servername context for the session,
335      i.e. when the session has been established with a servername extension. 
336    - On session reconnect, the servername extension may be absent. 
337
338 */      
339
340                 if (type == TLSEXT_TYPE_server_name)
341                         {
342                         unsigned char *sdata;
343                         int servname_type;
344                         int dsize; 
345                 
346                         if (size < 2) 
347                                 {
348                                 *al = SSL_AD_DECODE_ERROR;
349                                 return 0;
350                                 }
351                         n2s(data,dsize);  
352                         size -= 2;                    
353                         if (dsize > size  ) 
354                                 {
355                                 *al = SSL_AD_DECODE_ERROR;
356                                 return 0;
357                                 } 
358
359                         sdata = data;
360                         while (dsize > 3) 
361                                 {
362                                 servname_type = *(sdata++); 
363                                 n2s(sdata,len);
364                                 dsize -= 3;
365
366                                 if (len > dsize) 
367                                         {
368                                         *al = SSL_AD_DECODE_ERROR;
369                                         return 0;
370                                         }
371                                 if (s->servername_done == 0)
372                                 switch (servname_type)
373                                         {
374                                 case TLSEXT_NAMETYPE_host_name:
375                                         if (s->session->tlsext_hostname == NULL)
376                                                 {
377                                                 if (len > TLSEXT_MAXLEN_host_name || 
378                                                         ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
379                                                         {
380                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
381                                                         return 0;
382                                                         }
383                                                 memcpy(s->session->tlsext_hostname, sdata, len);
384                                                 s->session->tlsext_hostname[len]='\0';
385                                                 if (strlen(s->session->tlsext_hostname) != len) {
386                                                         OPENSSL_free(s->session->tlsext_hostname);
387                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
388                                                         return 0;
389                                                 }
390                                                 s->servername_done = 1; 
391
392                                                 }
393                                         else 
394                                                 s->servername_done = strlen(s->session->tlsext_hostname) == len 
395                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
396                                         
397                                         break;
398
399                                 default:
400                                         break;
401                                         }
402                                  
403                                 dsize -= len;
404                                 }
405                         if (dsize != 0) 
406                                 {
407                                 *al = SSL_AD_DECODE_ERROR;
408                                 return 0;
409                                 }
410
411                         }
412
413 #ifndef OPENSSL_NO_EC
414                 else if (type == TLSEXT_TYPE_ec_point_formats)
415                         {
416                         unsigned char *sdata = data;
417                         int ecpointformatlist_length = *(sdata++);
418
419                         if (ecpointformatlist_length != size - 1)
420                                 {
421                                 *al = TLS1_AD_DECODE_ERROR;
422                                 return 0;
423                                 }
424                         s->session->tlsext_ecpointformatlist_length = 0;
425                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
426                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
427                                 {
428                                 *al = TLS1_AD_INTERNAL_ERROR;
429                                 return 0;
430                                 }
431                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
432                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
433 #if 0
434                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
435                         sdata = s->session->tlsext_ecpointformatlist;
436                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
437                                 fprintf(stderr,"%i ",*(sdata++));
438                         fprintf(stderr,"\n");
439 #endif
440                         }
441                 else if (type == TLSEXT_TYPE_elliptic_curves)
442                         {
443                         unsigned char *sdata = data;
444                         int ellipticcurvelist_length = (*(sdata++) << 8);
445                         ellipticcurvelist_length += (*(sdata++));
446
447                         if (ellipticcurvelist_length != size - 2)
448                                 {
449                                 *al = TLS1_AD_DECODE_ERROR;
450                                 return 0;
451                                 }
452                         s->session->tlsext_ellipticcurvelist_length = 0;
453                         if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
454                         if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
455                                 {
456                                 *al = TLS1_AD_INTERNAL_ERROR;
457                                 return 0;
458                                 }
459                         s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
460                         memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
461 #if 0
462                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
463                         sdata = s->session->tlsext_ellipticcurvelist;
464                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
465                                 fprintf(stderr,"%i ",*(sdata++));
466                         fprintf(stderr,"\n");
467 #endif
468                         }
469 #endif /* OPENSSL_NO_EC */
470                 data+=size;             
471                 }
472
473         *p = data;
474         return 1;
475 }
476
477 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
478         {
479         unsigned short type;
480         unsigned short size;
481         unsigned short len;  
482         unsigned char *data = *p;
483
484         int tlsext_servername = 0;
485
486         if (data >= (d+n-2))
487                 return 1;
488
489         n2s(data,len);
490
491         while(data <= (d+n-4))
492                 {
493                 n2s(data,type);
494                 n2s(data,size);
495
496                 if (data+size > (d+n))
497                         return 1;
498
499                 if (type == TLSEXT_TYPE_server_name)
500                         {
501                         if (s->tlsext_hostname == NULL || size > 0)
502                                 {
503                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
504                                 return 0;
505                                 }
506                         tlsext_servername = 1;   
507                         }
508
509 #ifndef OPENSSL_NO_EC
510                 else if (type == TLSEXT_TYPE_ec_point_formats)
511                         {
512                         unsigned char *sdata = data;
513                         int ecpointformatlist_length = *(sdata++);
514
515                         if (ecpointformatlist_length != size - 1)
516                                 {
517                                 *al = TLS1_AD_DECODE_ERROR;
518                                 return 0;
519                                 }
520                         s->session->tlsext_ecpointformatlist_length = 0;
521                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
522                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
523                                 {
524                                 *al = TLS1_AD_INTERNAL_ERROR;
525                                 return 0;
526                                 }
527                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
528                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
529 #if 0
530                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
531                         sdata = s->session->tlsext_ecpointformatlist;
532                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
533                                 fprintf(stderr,"%i ",*(sdata++));
534                         fprintf(stderr,"\n");
535 #endif
536                         }
537 #endif /* OPENSSL_NO_EC */
538                 data+=size;             
539                 }
540
541         if (data != d+n)
542                 {
543                 *al = SSL_AD_DECODE_ERROR;
544                 return 0;
545                 }
546
547         if (!s->hit && tlsext_servername == 1)
548                 {
549                 if (s->tlsext_hostname)
550                         {
551                         if (s->session->tlsext_hostname == NULL)
552                                 {
553                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
554                                 if (!s->session->tlsext_hostname)
555                                         {
556                                         *al = SSL_AD_UNRECOGNIZED_NAME;
557                                         return 0;
558                                         }
559                                 }
560                         else 
561                                 {
562                                 *al = SSL_AD_DECODE_ERROR;
563                                 return 0;
564                                 }
565                         }
566                 }
567
568         *p = data;
569         return 1;
570 }
571
572 int ssl_prepare_clienthello_tlsext(SSL *s)
573         {
574 #ifndef OPENSSL_NO_EC
575         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
576          * and elliptic curves we support.
577          */
578         int using_ecc = 0;
579         int i;
580         unsigned char *j;
581         int algs;
582         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
583         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
584                 {
585                 algs = (sk_SSL_CIPHER_value(cipher_stack, i))->algorithms;
586                 if ((algs & SSL_kECDH) || (algs & SSL_kECDHE) || (algs & SSL_aECDSA)) 
587                         {
588                         using_ecc = 1;
589                         break;
590                         }
591
592                 }
593         using_ecc = using_ecc && (s->version == TLS1_VERSION);
594         if (using_ecc)
595                 {
596                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
597                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
598                         {
599                         SSLerr(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
600                         return -1;
601                         }
602                 s->tlsext_ecpointformatlist_length = 3;
603                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
604                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
605                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
606                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
607                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
608                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(50)) == NULL)
609                         {
610                         SSLerr(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
611                         return -1;
612                         }
613                 s->tlsext_ellipticcurvelist_length = 50;
614                 for (i = 1, j = s->tlsext_ellipticcurvelist; i <= 25; i++)
615                         {
616                         *(j++) = 0x00;
617                         *(j++) = i;
618                         }
619                 }
620 #endif /* OPENSSL_NO_EC */
621         return 1;
622 }
623
624 int ssl_prepare_serverhello_tlsext(SSL *s)
625         {
626 #ifndef OPENSSL_NO_EC
627         /* If we are server and using an ECC cipher suite, send the point formats we support 
628          * if the client sent us an ECPointsFormat extension.  Note that the server is not
629          * supposed to send an EllipticCurves extension.
630          */
631         int algs = s->s3->tmp.new_cipher->algorithms;
632         int using_ecc = (algs & SSL_kECDH) || (algs & SSL_kECDHE) || (algs & SSL_aECDSA);
633         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
634
635         if (using_ecc)
636                 {
637                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
638                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
639                         {
640                         SSLerr(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
641                         return -1;
642                         }
643                 s->tlsext_ecpointformatlist_length = 3;
644                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
645                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
646                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
647                 }
648 #endif /* OPENSSL_NO_EC */
649         return 1;
650 }
651
652 int ssl_check_clienthello_tlsext(SSL *s)
653         {
654         int ret=SSL_TLSEXT_ERR_NOACK;
655         int al = SSL_AD_UNRECOGNIZED_NAME;
656
657 #ifndef OPENSSL_NO_EC
658         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
659          * ssl3_choose_cipher in s3_lib.c.
660          */
661         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
662          * ssl3_choose_cipher in s3_lib.c.
663          */
664 #endif
665
666         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
667                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
668         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
669                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
670
671         switch (ret) {
672                 case SSL_TLSEXT_ERR_ALERT_FATAL:
673                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
674                         return -1;
675
676                 case SSL_TLSEXT_ERR_ALERT_WARNING:
677                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
678                         return 1; 
679                                         
680                 case SSL_TLSEXT_ERR_NOACK:
681                         s->servername_done=0;
682                         default:
683                 return 1;
684         }
685 }
686
687 int ssl_check_serverhello_tlsext(SSL *s)
688         {
689         int ret=SSL_TLSEXT_ERR_NOACK;
690         int al = SSL_AD_UNRECOGNIZED_NAME;
691
692 #ifndef OPENSSL_NO_EC
693         /* If we are client and using an elliptic curve cryptography cipher suite, then server
694          * must return a an EC point formats lists containing uncompressed.
695          */
696         int algs = s->s3->tmp.new_cipher->algorithms;
697         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
698             ((algs & SSL_kECDH) || (algs & SSL_kECDHE) || (algs & SSL_aECDSA))) 
699                 {
700                 /* we are using an ECC cipher */
701                 size_t i;
702                 unsigned char *list;
703                 int found_uncompressed = 0;
704                 if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
705                         {
706                         SSLerr(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
707                         return -1;
708                         }
709                 list = s->session->tlsext_ecpointformatlist;
710                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
711                         {
712                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
713                                 {
714                                 found_uncompressed = 1;
715                                 break;
716                                 }
717                         }
718                 if (!found_uncompressed)
719                         {
720                         SSLerr(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
721                         return -1;
722                         }
723                 }
724         ret = SSL_TLSEXT_ERR_OK;
725 #endif /* OPENSSL_NO_EC */
726
727         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
728                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
729         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
730                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
731
732         switch (ret) {
733                 case SSL_TLSEXT_ERR_ALERT_FATAL:
734                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
735                         return -1;
736
737                 case SSL_TLSEXT_ERR_ALERT_WARNING:
738                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
739                         return 1; 
740                                         
741                 case SSL_TLSEXT_ERR_NOACK:
742                         s->servername_done=0;
743                         default:
744                 return 1;
745         }
746 }
747 #endif
748
749 #ifndef OPENSSL_NO_EC
750 int tls1_ec_curve_id2nid(int curve_id)
751 {
752         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
753         static int nid_list[26] =
754         {
755                 0,
756                 NID_sect163k1, /* sect163k1 (1) */
757                 NID_sect163r1, /* sect163r1 (2) */
758                 NID_sect163r2, /* sect163r2 (3) */
759                 NID_sect193r1, /* sect193r1 (4) */ 
760                 NID_sect193r2, /* sect193r2 (5) */ 
761                 NID_sect233k1, /* sect233k1 (6) */
762                 NID_sect233r1, /* sect233r1 (7) */ 
763                 NID_sect239k1, /* sect239k1 (8) */ 
764                 NID_sect283k1, /* sect283k1 (9) */
765                 NID_sect283r1, /* sect283r1 (10) */ 
766                 NID_sect409k1, /* sect409k1 (11) */ 
767                 NID_sect409r1, /* sect409r1 (12) */
768                 NID_sect571k1, /* sect571k1 (13) */ 
769                 NID_sect571r1, /* sect571r1 (14) */ 
770                 NID_secp160k1, /* secp160k1 (15) */
771                 NID_secp160r1, /* secp160r1 (16) */ 
772                 NID_secp160r2, /* secp160r2 (17) */ 
773                 NID_secp192k1, /* secp192k1 (18) */
774                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
775                 NID_secp224k1, /* secp224k1 (20) */ 
776                 NID_secp224r1, /* secp224r1 (21) */
777                 NID_secp256k1, /* secp256k1 (22) */ 
778                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
779                 NID_secp384r1, /* secp384r1 (24) */
780                 NID_secp521r1  /* secp521r1 (25) */     
781         };
782         
783         if ((curve_id < 1) || (curve_id > 25)) return 0;
784
785         return nid_list[curve_id];
786 }
787
788 int tls1_ec_nid2curve_id(int nid)
789 {
790         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
791         switch (nid) {
792         case NID_sect163k1: /* sect163k1 (1) */
793                 return 1;
794         case NID_sect163r1: /* sect163r1 (2) */
795                 return 2;
796         case NID_sect163r2: /* sect163r2 (3) */
797                 return 3;
798         case NID_sect193r1: /* sect193r1 (4) */ 
799                 return 4;
800         case NID_sect193r2: /* sect193r2 (5) */ 
801                 return 5;
802         case NID_sect233k1: /* sect233k1 (6) */
803                 return 6;
804         case NID_sect233r1: /* sect233r1 (7) */ 
805                 return 7;
806         case NID_sect239k1: /* sect239k1 (8) */ 
807                 return 8;
808         case NID_sect283k1: /* sect283k1 (9) */
809                 return 9;
810         case NID_sect283r1: /* sect283r1 (10) */ 
811                 return 10;
812         case NID_sect409k1: /* sect409k1 (11) */ 
813                 return 11;
814         case NID_sect409r1: /* sect409r1 (12) */
815                 return 12;
816         case NID_sect571k1: /* sect571k1 (13) */ 
817                 return 13;
818         case NID_sect571r1: /* sect571r1 (14) */ 
819                 return 14;
820         case NID_secp160k1: /* secp160k1 (15) */
821                 return 15;
822         case NID_secp160r1: /* secp160r1 (16) */ 
823                 return 16;
824         case NID_secp160r2: /* secp160r2 (17) */ 
825                 return 17;
826         case NID_secp192k1: /* secp192k1 (18) */
827                 return 18;
828         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
829                 return 19;
830         case NID_secp224k1: /* secp224k1 (20) */ 
831                 return 20;
832         case NID_secp224r1: /* secp224r1 (21) */
833                 return 21;
834         case NID_secp256k1: /* secp256k1 (22) */ 
835                 return 22;
836         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
837                 return 23;
838         case NID_secp384r1: /* secp384r1 (24) */
839                 return 24;
840         case NID_secp521r1:  /* secp521r1 (25) */       
841                 return 25;
842         default:
843                 return 0;
844         }
845 }
846 #endif /* OPENSSL_NO_EC */