Resolve signed vs. unsigned issues
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include "ssl_locl.h"
115
116 const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;
117
118 SSL3_ENC_METHOD TLSv1_enc_data={
119         tls1_enc,
120         tls1_mac,
121         tls1_setup_key_block,
122         tls1_generate_master_secret,
123         tls1_change_cipher_state,
124         tls1_final_finish_mac,
125         TLS1_FINISH_MAC_LENGTH,
126         tls1_cert_verify_mac,
127         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
128         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
129         tls1_alert_code,
130         };
131
132 long tls1_default_timeout(void)
133         {
134         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
135          * is way too long for http, the cache would over fill */
136         return(60*60*2);
137         }
138
139 int tls1_new(SSL *s)
140         {
141         if (!ssl3_new(s)) return(0);
142         s->method->ssl_clear(s);
143         return(1);
144         }
145
146 void tls1_free(SSL *s)
147         {
148         ssl3_free(s);
149         }
150
151 void tls1_clear(SSL *s)
152         {
153         ssl3_clear(s);
154         s->version=TLS1_VERSION;
155         }
156
157
158 #ifndef OPENSSL_NO_TLSEXT
159 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
160         {
161         int extdatalen=0;
162         unsigned char *ret = p;
163
164         ret+=2;
165
166         if (ret>=limit) return NULL; /* this really never occurs, but ... */
167         if (s->servername_done == 0 && s->tlsext_hostname != NULL)
168                 { 
169                 /* Add TLS extension servername to the Client Hello message */
170                 unsigned long size_str;
171                 long lenmax; 
172
173                 if ((lenmax = limit - p - 7) < 0) return NULL; 
174                 if ((size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) return NULL;
175                 
176                 s2n(TLSEXT_TYPE_server_name,ret);
177                 s2n(size_str+3,ret);
178                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
179                 s2n(size_str,ret);
180         
181                 memcpy(ret, s->tlsext_hostname, size_str);
182                 ret+=size_str;
183                 }
184 #ifndef OPENSSL_NO_EC
185         if (s->tlsext_ecpointformatlist != NULL)
186                 {
187                 /* Add TLS extension ECPointFormats to the ClientHello message */
188                 long lenmax; 
189
190                 if ((lenmax = limit - p - 5) < 0) return NULL; 
191                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
192                 if (s->tlsext_ecpointformatlist_length > 255)
193                         {
194                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
195                         return NULL;
196                         }
197                 
198                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
199                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
200                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
201                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
202                 ret+=s->tlsext_ecpointformatlist_length;
203                 }
204 #endif /* OPENSSL_NO_EC */
205
206         if ((extdatalen = ret-p-2)== 0) 
207                 return p;
208
209         s2n(extdatalen,p);
210         return ret;
211 }
212
213 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
214         {
215         int extdatalen=0;
216         unsigned char *ret = p;
217
218         ret+=2;
219         if (ret>=limit) return NULL; /* this really never occurs, but ... */
220
221         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
222                 { 
223                 if (limit - p - 4 < 0) return NULL; 
224
225                 s2n(TLSEXT_TYPE_server_name,ret);
226                 s2n(0,ret);
227                 }
228 #ifndef OPENSSL_NO_EC
229         if (s->tlsext_ecpointformatlist != NULL)
230                 {
231                 /* Add TLS extension ECPointFormats to the ServerHello message */
232                 long lenmax; 
233
234                 if ((lenmax = limit - p - 5) < 0) return NULL; 
235                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
236                 if (s->tlsext_ecpointformatlist_length > 255)
237                         {
238                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
239                         return NULL;
240                         }
241                 
242                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
243                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
244                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
245                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
246                 ret+=s->tlsext_ecpointformatlist_length;
247                 }
248 #endif /* OPENSSL_NO_EC */
249         
250         if ((extdatalen = ret-p-2)== 0) 
251                 return p;
252
253         s2n(extdatalen,p);
254         return ret;
255 }
256
257 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
258         {
259         unsigned short type;
260         unsigned short size;
261         unsigned short len;
262         unsigned char *data = *p;
263 #if 0
264         fprintf(stderr,"ssl_parse_clienthello_tlsext %s\n",s->session->tlsext_hostname?s->session->tlsext_hostname:"NULL");
265 #endif
266         s->servername_done = 0;
267
268         if (data >= (d+n-2))
269                 return 1;
270         n2s(data,len);
271
272         if (data > (d+n-len)) 
273                 return 1;
274
275         while (data <= (d+n-4))
276                 {
277                 n2s(data,type);
278                 n2s(data,size);
279
280                 if (data+size > (d+n))
281                         return 1;
282                 
283 /* The servername extension is treated as follows:
284
285    - Only the hostname type is supported with a maximum length of 255.
286    - The servername is rejected if too long or if it contains zeros,
287      in which case an fatal alert is generated.
288    - The servername field is maintained together with the session cache.
289    - When a session is resumed, the servername call back invoked in order
290      to allow the application to position itself to the right context. 
291    - The servername is acknowledged if it is new for a session or when 
292      it is identical to a previously used for the same session. 
293      Applications can control the behaviour.  They can at any time
294      set a 'desirable' servername for a new SSL object. This can be the
295      case for example with HTTPS when a Host: header field is received and
296      a renegotiation is requested. In this case, a possible servername
297      presented in the new client hello is only acknowledged if it matches
298      the value of the Host: field. 
299    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
300      if they provide for changing an explicit servername context for the session,
301      i.e. when the session has been established with a servername extension. 
302    - On session reconnect, the servername extension may be absent. 
303
304 */      
305
306                 if (type == TLSEXT_TYPE_server_name)
307                         {
308                         unsigned char *sdata = data;
309                         int servname_type;
310                         int dsize = size-3 ;
311                         
312                         if (dsize > 0 )
313                                 {
314                                 servname_type = *(sdata++); 
315                                 n2s(sdata,len);
316                                 if (len != dsize) 
317                                         {
318                                         *al = SSL_AD_DECODE_ERROR;
319                                         return 0;
320                                         }
321
322                                 switch (servname_type)
323                                         {
324                                 case TLSEXT_NAMETYPE_host_name:
325                                         if (s->session->tlsext_hostname == NULL)
326                                                 {
327                                                 if (len > TLSEXT_MAXLEN_host_name || 
328                                                         ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
329                                                         {
330                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
331                                                         return 0;
332                                                         }
333                                                 memcpy(s->session->tlsext_hostname, sdata, len);
334                                                 s->session->tlsext_hostname[len]='\0';
335                                                 if (strlen(s->session->tlsext_hostname) != len) {
336                                                         OPENSSL_free(s->session->tlsext_hostname);
337                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
338                                                         return 0;
339                                                 }
340                                                 s->servername_done = 1; 
341
342 #if 0
343                                                 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_hostname %s\n",s->session->tlsext_hostname);
344 #endif
345                                                 }
346                                         else 
347                                                 s->servername_done = strlen(s->session->tlsext_hostname) == len 
348                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
349                                         
350                                         break;
351
352                                 default:
353                                         break;
354                                         }
355                                  
356                                 }
357                         }
358
359 #ifndef OPENSSL_NO_EC
360                 else if (type == TLSEXT_TYPE_ec_point_formats)
361                         {
362                         unsigned char *sdata = data;
363                         int ecpointformatlist_length = *(sdata++);
364
365                         if (ecpointformatlist_length != size - 1)
366                                 {
367                                 *al = TLS1_AD_DECODE_ERROR;
368                                 return 0;
369                                 }
370                         s->session->tlsext_ecpointformatlist_length = 0;
371                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
372                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
373                                 {
374                                 *al = TLS1_AD_INTERNAL_ERROR;
375                                 return 0;
376                                 }
377                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
378                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
379 #if 0
380                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
381                         sdata = s->session->tlsext_ecpointformatlist;
382                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
383                                 fprintf(stderr,"%i ",*(sdata++));
384                         fprintf(stderr,"\n");
385 #endif
386                         }
387                 data+=size;             
388                 }
389 #endif /* OPENSSL_NO_EC */
390
391         *p = data;
392         return 1;
393 }
394
395 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
396         {
397         unsigned short type;
398         unsigned short size;
399         unsigned short len;  
400         unsigned char *data = *p;
401
402         int tlsext_servername = 0;
403 #ifndef OPENSSL_NO_EC
404         int tlsext_ecpointformats = 0;
405 #endif /* OPENSSL_NO_EC */
406
407         if (data >= (d+n-2))
408                 return 1;
409
410         n2s(data,len);
411
412         while(data <= (d+n-4))
413                 {
414                 n2s(data,type);
415                 n2s(data,size);
416
417                 if (data+size > (d+n))
418                         return 1;
419
420                 if (type == TLSEXT_TYPE_server_name)
421                         {
422                         if (s->tlsext_hostname == NULL || size > 0)
423                                 {
424                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
425                                 return 0;
426                                 }
427                         tlsext_servername = 1;   
428                         }
429
430 #ifndef OPENSSL_NO_EC
431                 else if (type == TLSEXT_TYPE_ec_point_formats)
432                         {
433                         unsigned char *sdata = data;
434                         int ecpointformatlist_length = *(sdata++);
435
436                         if (ecpointformatlist_length != size - 1)
437                                 {
438                                 *al = TLS1_AD_DECODE_ERROR;
439                                 return 0;
440                                 }
441                         s->session->tlsext_ecpointformatlist_length = 0;
442                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
443                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
444                                 {
445                                 *al = TLS1_AD_INTERNAL_ERROR;
446                                 return 0;
447                                 }
448                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
449                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
450 #if 0
451                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
452                         sdata = s->session->tlsext_ecpointformatlist;
453                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
454                                 fprintf(stderr,"%i ",*(sdata++));
455                         fprintf(stderr,"\n");
456 #endif
457                         }
458
459                 data+=size;             
460                 }
461 #endif /* OPENSSL_NO_EC */
462
463         if (data != d+n)
464                 {
465                 *al = SSL_AD_DECODE_ERROR;
466                 return 0;
467                 }
468
469         if (!s->hit && tlsext_servername == 1)
470                 {
471                 if (s->tlsext_hostname)
472                         {
473                         if (s->session->tlsext_hostname == NULL)
474                                 {
475                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
476                                 if (!s->session->tlsext_hostname)
477                                         {
478                                         *al = SSL_AD_UNRECOGNIZED_NAME;
479                                         return 0;
480                                         }
481                                 }
482                         else 
483                                 {
484                                 *al = SSL_AD_DECODE_ERROR;
485                                 return 0;
486                                 }
487                         }
488                 }
489
490 #ifndef OPENSSL_NO_EC
491         if (!s->hit && tlsext_ecpointformats == 1)
492                 {
493                 if (s->tlsext_ecpointformatlist)
494                         {
495                         if (s->session->tlsext_ecpointformatlist == NULL)
496                                 {
497                                 s->session->tlsext_ecpointformatlist_length = s->tlsext_ecpointformatlist_length;
498                                 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
499                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(s->tlsext_ecpointformatlist_length)) == NULL)
500                                         {
501                                         *al = TLS1_AD_INTERNAL_ERROR;
502                                         return 0;
503                                         }
504                                 memcpy(s->session->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
505                                 }
506                         else 
507                                 {
508                                 *al = SSL_AD_DECODE_ERROR;
509                                 return 0;
510                                 }
511                         }
512                 }
513 #endif /* OPENSSL_NO_EC */
514
515         *p = data;
516         return 1;
517 }
518
519 int ssl_prepare_clienthello_tlsext(SSL *s)
520         {
521 #ifndef OPENSSL_NO_EC
522         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats we 
523          * support.
524          */
525         int using_ecc = 0;
526         int i;
527         int algs;
528         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
529         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
530                 {
531                 algs = (sk_SSL_CIPHER_value(cipher_stack, i))->algorithms;
532                 if ((algs & SSL_kECDH) || (algs & SSL_kECDHE) || (algs & SSL_aECDSA)) 
533                         {
534                         using_ecc = 1;
535                         break;
536                         }
537
538                 }
539         using_ecc = using_ecc && (s->version == TLS1_VERSION);
540         if (using_ecc)
541                 {
542                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
543                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
544                         {
545                         SSLerr(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
546                         return -1;
547                         }
548                 s->tlsext_ecpointformatlist_length = 3;
549                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
550                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
551                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
552                 }
553 #endif /* OPENSSL_NO_EC */
554         return 1;
555 }
556
557 int ssl_prepare_serverhello_tlsext(SSL *s)
558         {
559 #ifndef OPENSSL_NO_EC
560         /* If we are server and using an ECC cipher suite, send the point formats we support 
561          * if the client sent us an ECPointsFormat extension.
562          */
563         int algs = s->s3->tmp.new_cipher->algorithms;
564         int using_ecc = (algs & SSL_kECDH) || (algs & SSL_kECDHE) || (algs & SSL_aECDSA);
565         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
566
567         if (using_ecc)
568                 {
569                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
570                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
571                         {
572                         SSLerr(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
573                         return -1;
574                         }
575                 s->tlsext_ecpointformatlist_length = 3;
576                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
577                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
578                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
579                 }
580 #endif /* OPENSSL_NO_EC */
581         return 1;
582 }
583
584 int ssl_check_clienthello_tlsext(SSL *s)
585         {
586         int ret=SSL_TLSEXT_ERR_NOACK;
587         int al = SSL_AD_UNRECOGNIZED_NAME;
588
589 #ifndef OPENSSL_NO_EC
590         /* If we are server and using an elliptic curve cyrptography cipher suite, then we don't
591          * need to check EC point formats since all clients must support uncompressed and it's the
592          * only thing we support; we just need to copy the data in.  We probably ought to check it
593          * for validity, but we never use it.
594          */
595 #endif
596
597         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
598                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
599         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
600                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
601
602         switch (ret) {
603                 case SSL_TLSEXT_ERR_ALERT_FATAL:
604                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
605                         return -1;
606
607                 case SSL_TLSEXT_ERR_ALERT_WARNING:
608                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
609                         return 1; 
610                                         
611                 case SSL_TLSEXT_ERR_NOACK:
612                         s->servername_done=0;
613                         default:
614                 return 1;
615         }
616 }
617
618 int ssl_check_serverhello_tlsext(SSL *s)
619         {
620         int ret=SSL_TLSEXT_ERR_NOACK;
621         int al = SSL_AD_UNRECOGNIZED_NAME;
622
623 #ifndef OPENSSL_NO_EC
624         /* If we are client and using an elliptic curve cryptography cipher suite, then server
625          * must return a an EC point formats lists containing uncompressed.
626          */
627         int algs = s->s3->tmp.new_cipher->algorithms;
628         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
629             ((algs & SSL_kECDH) || (algs & SSL_kECDHE) || (algs & SSL_aECDSA))) 
630                 {
631                 /* we are using an ECC cipher */
632                 int i;
633                 unsigned char *list;
634                 int found_uncompressed = 0;
635                 if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length <= 0))
636                         {
637                         SSLerr(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
638                         return -1;
639                         }
640                 list = (unsigned char *)(s->session->tlsext_ecpointformatlist);
641                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
642                         {
643                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
644                                 {
645                                 found_uncompressed = 1;
646                                 break;
647                                 }
648                         }
649                 if (!found_uncompressed)
650                         {
651                         SSLerr(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
652                         return -1;
653                         }
654                 }
655         ret = SSL_TLSEXT_ERR_OK;
656 #endif /* OPENSSL_NO_EC */
657
658         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
659                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
660         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
661                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
662
663         switch (ret) {
664                 case SSL_TLSEXT_ERR_ALERT_FATAL:
665                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
666                         return -1;
667
668                 case SSL_TLSEXT_ERR_ALERT_WARNING:
669                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
670                         return 1; 
671                                         
672                 case SSL_TLSEXT_ERR_NOACK:
673                         s->servername_done=0;
674                         default:
675                 return 1;
676         }
677 }
678 #endif