Disable debugging fprintf.
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123                                 const unsigned char *sess_id, int sesslen,
124                                 SSL_SESSION **psess);
125 #endif
126
127 SSL3_ENC_METHOD TLSv1_enc_data={
128         tls1_enc,
129         tls1_mac,
130         tls1_setup_key_block,
131         tls1_generate_master_secret,
132         tls1_change_cipher_state,
133         tls1_final_finish_mac,
134         TLS1_FINISH_MAC_LENGTH,
135         tls1_cert_verify_mac,
136         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138         tls1_alert_code,
139         };
140
141 long tls1_default_timeout(void)
142         {
143         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144          * is way too long for http, the cache would over fill */
145         return(60*60*2);
146         }
147
148 int tls1_new(SSL *s)
149         {
150         if (!ssl3_new(s)) return(0);
151         s->method->ssl_clear(s);
152         return(1);
153         }
154
155 void tls1_free(SSL *s)
156         {
157         ssl3_free(s);
158         }
159
160 void tls1_clear(SSL *s)
161         {
162         ssl3_clear(s);
163         s->version=TLS1_VERSION;
164         }
165
166 #ifndef OPENSSL_NO_EC
167 static int nid_list[] =
168         {
169                 NID_sect163k1, /* sect163k1 (1) */
170                 NID_sect163r1, /* sect163r1 (2) */
171                 NID_sect163r2, /* sect163r2 (3) */
172                 NID_sect193r1, /* sect193r1 (4) */ 
173                 NID_sect193r2, /* sect193r2 (5) */ 
174                 NID_sect233k1, /* sect233k1 (6) */
175                 NID_sect233r1, /* sect233r1 (7) */ 
176                 NID_sect239k1, /* sect239k1 (8) */ 
177                 NID_sect283k1, /* sect283k1 (9) */
178                 NID_sect283r1, /* sect283r1 (10) */ 
179                 NID_sect409k1, /* sect409k1 (11) */ 
180                 NID_sect409r1, /* sect409r1 (12) */
181                 NID_sect571k1, /* sect571k1 (13) */ 
182                 NID_sect571r1, /* sect571r1 (14) */ 
183                 NID_secp160k1, /* secp160k1 (15) */
184                 NID_secp160r1, /* secp160r1 (16) */ 
185                 NID_secp160r2, /* secp160r2 (17) */ 
186                 NID_secp192k1, /* secp192k1 (18) */
187                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
188                 NID_secp224k1, /* secp224k1 (20) */ 
189                 NID_secp224r1, /* secp224r1 (21) */
190                 NID_secp256k1, /* secp256k1 (22) */ 
191                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
192                 NID_secp384r1, /* secp384r1 (24) */
193                 NID_secp521r1  /* secp521r1 (25) */     
194         };
195         
196 int tls1_ec_curve_id2nid(int curve_id)
197         {
198         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
199         if ((curve_id < 1) || ((unsigned int)curve_id >
200                                 sizeof(nid_list)/sizeof(nid_list[0])))
201                 return 0;
202         return nid_list[curve_id-1];
203         }
204
205 int tls1_ec_nid2curve_id(int nid)
206         {
207         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
208         switch (nid)
209                 {
210         case NID_sect163k1: /* sect163k1 (1) */
211                 return 1;
212         case NID_sect163r1: /* sect163r1 (2) */
213                 return 2;
214         case NID_sect163r2: /* sect163r2 (3) */
215                 return 3;
216         case NID_sect193r1: /* sect193r1 (4) */ 
217                 return 4;
218         case NID_sect193r2: /* sect193r2 (5) */ 
219                 return 5;
220         case NID_sect233k1: /* sect233k1 (6) */
221                 return 6;
222         case NID_sect233r1: /* sect233r1 (7) */ 
223                 return 7;
224         case NID_sect239k1: /* sect239k1 (8) */ 
225                 return 8;
226         case NID_sect283k1: /* sect283k1 (9) */
227                 return 9;
228         case NID_sect283r1: /* sect283r1 (10) */ 
229                 return 10;
230         case NID_sect409k1: /* sect409k1 (11) */ 
231                 return 11;
232         case NID_sect409r1: /* sect409r1 (12) */
233                 return 12;
234         case NID_sect571k1: /* sect571k1 (13) */ 
235                 return 13;
236         case NID_sect571r1: /* sect571r1 (14) */ 
237                 return 14;
238         case NID_secp160k1: /* secp160k1 (15) */
239                 return 15;
240         case NID_secp160r1: /* secp160r1 (16) */ 
241                 return 16;
242         case NID_secp160r2: /* secp160r2 (17) */ 
243                 return 17;
244         case NID_secp192k1: /* secp192k1 (18) */
245                 return 18;
246         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
247                 return 19;
248         case NID_secp224k1: /* secp224k1 (20) */ 
249                 return 20;
250         case NID_secp224r1: /* secp224r1 (21) */
251                 return 21;
252         case NID_secp256k1: /* secp256k1 (22) */ 
253                 return 22;
254         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
255                 return 23;
256         case NID_secp384r1: /* secp384r1 (24) */
257                 return 24;
258         case NID_secp521r1:  /* secp521r1 (25) */       
259                 return 25;
260         default:
261                 return 0;
262                 }
263         }
264 #endif /* OPENSSL_NO_EC */
265
266 #ifndef OPENSSL_NO_TLSEXT
267 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
268         {
269         int extdatalen=0;
270         unsigned char *ret = p;
271
272         ret+=2;
273
274         if (ret>=limit) return NULL; /* this really never occurs, but ... */
275
276         if (s->tlsext_hostname != NULL)
277                 { 
278                 /* Add TLS extension servername to the Client Hello message */
279                 unsigned long size_str;
280                 long lenmax; 
281
282                 /* check for enough space.
283                    4 for the servername type and entension length
284                    2 for servernamelist length
285                    1 for the hostname type
286                    2 for hostname length
287                    + hostname length 
288                 */
289                    
290                 if ((lenmax = limit - ret - 9) < 0 
291                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
292                         return NULL;
293                         
294                 /* extension type and length */
295                 s2n(TLSEXT_TYPE_server_name,ret); 
296                 s2n(size_str+5,ret);
297                 
298                 /* length of servername list */
299                 s2n(size_str+3,ret);
300         
301                 /* hostname type, length and hostname */
302                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
303                 s2n(size_str,ret);
304                 memcpy(ret, s->tlsext_hostname, size_str);
305                 ret+=size_str;
306                 }
307
308 #ifndef OPENSSL_NO_EC
309         if (s->tlsext_ecpointformatlist != NULL)
310                 {
311                 /* Add TLS extension ECPointFormats to the ClientHello message */
312                 long lenmax; 
313
314                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
315                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
316                 if (s->tlsext_ecpointformatlist_length > 255)
317                         {
318                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
319                         return NULL;
320                         }
321                 
322                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
323                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
324                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
325                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
326                 ret+=s->tlsext_ecpointformatlist_length;
327                 }
328         if (s->tlsext_ellipticcurvelist != NULL)
329                 {
330                 /* Add TLS extension EllipticCurves to the ClientHello message */
331                 long lenmax; 
332
333                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
334                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
335                 if (s->tlsext_ellipticcurvelist_length > 65532)
336                         {
337                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
338                         return NULL;
339                         }
340                 
341                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
342                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
343
344                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
345                  * elliptic_curve_list, but the examples use two bytes.
346                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
347                  * resolves this to two bytes.
348                  */
349                 s2n(s->tlsext_ellipticcurvelist_length, ret);
350                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
351                 ret+=s->tlsext_ellipticcurvelist_length;
352                 }
353 #endif /* OPENSSL_NO_EC */
354
355         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
356                 {
357                 int ticklen;
358                 if (s->session && s->session->tlsext_tick)
359                         ticklen = s->session->tlsext_ticklen;
360                 else
361                         ticklen = 0;
362                 /* Check for enough room 2 for extension type, 2 for len
363                  * rest for ticket
364                  */
365                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
366                 s2n(TLSEXT_TYPE_session_ticket,ret); 
367                 s2n(ticklen,ret);
368                 if (ticklen)
369                         {
370                         memcpy(ret, s->session->tlsext_tick, ticklen);
371                         ret += ticklen;
372                         }
373                 }
374
375 #ifdef TLSEXT_TYPE_opaque_prf_input
376         if (s->s3->client_opaque_prf_input != NULL)
377                 {
378                 size_t col = s->s3->client_opaque_prf_input_len;
379                 
380                 if ((long)(limit - ret - 6 - col < 0))
381                         return NULL;
382                 if (col > 0xFFFD) /* can't happen */
383                         return NULL;
384
385                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
386                 s2n(col + 2, ret);
387                 s2n(col, ret);
388                 memcpy(ret, s->s3->client_opaque_prf_input, col);
389                 ret += col;
390                 }
391 #endif
392
393         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
394                 {
395                 int i;
396                 long extlen, idlen, itmp;
397                 OCSP_RESPID *id;
398
399                 idlen = 0;
400                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
401                         {
402                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
403                         itmp = i2d_OCSP_RESPID(id, NULL);
404                         if (itmp <= 0)
405                                 return NULL;
406                         idlen += itmp + 2;
407                         }
408
409                 if (s->tlsext_ocsp_exts)
410                         {
411                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
412                         if (extlen < 0)
413                                 return NULL;
414                         }
415                 else
416                         extlen = 0;
417                         
418                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
419                 s2n(TLSEXT_TYPE_status_request, ret);
420                 if (extlen + idlen > 0xFFF0)
421                         return NULL;
422                 s2n(extlen + idlen + 5, ret);
423                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
424                 s2n(idlen, ret);
425                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
426                         {
427                         /* save position of id len */
428                         unsigned char *q = ret;
429                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
430                         /* skip over id len */
431                         ret += 2;
432                         itmp = i2d_OCSP_RESPID(id, &ret);
433                         /* write id len */
434                         s2n(itmp, q);
435                         }
436                 s2n(extlen, ret);
437                 if (extlen > 0)
438                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
439                 }
440
441         if ((extdatalen = ret-p-2)== 0) 
442                 return p;
443
444         s2n(extdatalen,p);
445         return ret;
446         }
447
448 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
449         {
450         int extdatalen=0;
451         unsigned char *ret = p;
452
453         ret+=2;
454         if (ret>=limit) return NULL; /* this really never occurs, but ... */
455
456         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
457                 { 
458                 if ((long)(limit - ret - 4) < 0) return NULL; 
459
460                 s2n(TLSEXT_TYPE_server_name,ret);
461                 s2n(0,ret);
462                 }
463 #ifndef OPENSSL_NO_EC
464         if (s->tlsext_ecpointformatlist != NULL)
465                 {
466                 /* Add TLS extension ECPointFormats to the ServerHello message */
467                 long lenmax; 
468
469                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
470                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471                 if (s->tlsext_ecpointformatlist_length > 255)
472                         {
473                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
474                         return NULL;
475                         }
476                 
477                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
478                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481                 ret+=s->tlsext_ecpointformatlist_length;
482
483                 }
484         /* Currently the server should not respond with a SupportedCurves extension */
485 #endif /* OPENSSL_NO_EC */
486
487         if (s->tlsext_ticket_expected
488                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
489                 { 
490                 if ((long)(limit - ret - 4) < 0) return NULL; 
491                 s2n(TLSEXT_TYPE_session_ticket,ret);
492                 s2n(0,ret);
493                 }
494
495         if (s->tlsext_status_expected)
496                 { 
497                 if ((long)(limit - ret - 4) < 0) return NULL; 
498                 s2n(TLSEXT_TYPE_status_request,ret);
499                 s2n(0,ret);
500                 }
501
502 #ifdef TLSEXT_TYPE_opaque_prf_input
503         if (s->s3->server_opaque_prf_input != NULL)
504                 {
505                 size_t sol = s->s3->server_opaque_prf_input_len;
506                 
507                 if ((long)(limit - ret - 6 - sol) < 0)
508                         return NULL;
509                 if (sol > 0xFFFD) /* can't happen */
510                         return NULL;
511
512                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
513                 s2n(sol + 2, ret);
514                 s2n(sol, ret);
515                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
516                 ret += sol;
517                 }
518 #endif
519         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
520                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
521                 { const unsigned char cryptopro_ext[36] = {
522                         0xfd, 0xe8, /*65000*/
523                         0x00, 0x20, /*32 bytes length*/
524                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
525                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
526                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
527                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
528                         if (limit-ret<36) return NULL;
529                         memcpy(ret,cryptopro_ext,36);
530                         ret+=36;
531
532                 }
533
534         if ((extdatalen = ret-p-2)== 0) 
535                 return p;
536
537         s2n(extdatalen,p);
538         return ret;
539         }
540
541 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
542         {
543         unsigned short type;
544         unsigned short size;
545         unsigned short len;
546         unsigned char *data = *p;
547         s->servername_done = 0;
548         s->tlsext_status_type = -1;
549
550         if (data >= (d+n-2))
551                 return 1;
552         n2s(data,len);
553
554         if (data > (d+n-len)) 
555                 return 1;
556
557         while (data <= (d+n-4))
558                 {
559                 n2s(data,type);
560                 n2s(data,size);
561
562                 if (data+size > (d+n))
563                         return 1;
564 #if 0
565                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
566 #endif
567                 if (s->tlsext_debug_cb)
568                         s->tlsext_debug_cb(s, 0, type, data, size,
569                                                 s->tlsext_debug_arg);
570 /* The servername extension is treated as follows:
571
572    - Only the hostname type is supported with a maximum length of 255.
573    - The servername is rejected if too long or if it contains zeros,
574      in which case an fatal alert is generated.
575    - The servername field is maintained together with the session cache.
576    - When a session is resumed, the servername call back invoked in order
577      to allow the application to position itself to the right context. 
578    - The servername is acknowledged if it is new for a session or when 
579      it is identical to a previously used for the same session. 
580      Applications can control the behaviour.  They can at any time
581      set a 'desirable' servername for a new SSL object. This can be the
582      case for example with HTTPS when a Host: header field is received and
583      a renegotiation is requested. In this case, a possible servername
584      presented in the new client hello is only acknowledged if it matches
585      the value of the Host: field. 
586    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
587      if they provide for changing an explicit servername context for the session,
588      i.e. when the session has been established with a servername extension. 
589    - On session reconnect, the servername extension may be absent. 
590
591 */      
592
593                 if (type == TLSEXT_TYPE_server_name)
594                         {
595                         unsigned char *sdata;
596                         int servname_type;
597                         int dsize; 
598                 
599                         if (size < 2) 
600                                 {
601                                 *al = SSL_AD_DECODE_ERROR;
602                                 return 0;
603                                 }
604                         n2s(data,dsize);  
605                         size -= 2;
606                         if (dsize > size  ) 
607                                 {
608                                 *al = SSL_AD_DECODE_ERROR;
609                                 return 0;
610                                 } 
611
612                         sdata = data;
613                         while (dsize > 3) 
614                                 {
615                                 servname_type = *(sdata++); 
616                                 n2s(sdata,len);
617                                 dsize -= 3;
618
619                                 if (len > dsize) 
620                                         {
621                                         *al = SSL_AD_DECODE_ERROR;
622                                         return 0;
623                                         }
624                                 if (s->servername_done == 0)
625                                 switch (servname_type)
626                                         {
627                                 case TLSEXT_NAMETYPE_host_name:
628                                         if (s->session->tlsext_hostname == NULL)
629                                                 {
630                                                 if (len > TLSEXT_MAXLEN_host_name || 
631                                                         ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
632                                                         {
633                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
634                                                         return 0;
635                                                         }
636                                                 memcpy(s->session->tlsext_hostname, sdata, len);
637                                                 s->session->tlsext_hostname[len]='\0';
638                                                 if (strlen(s->session->tlsext_hostname) != len) {
639                                                         OPENSSL_free(s->session->tlsext_hostname);
640                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
641                                                         return 0;
642                                                 }
643                                                 s->servername_done = 1; 
644
645                                                 }
646                                         else 
647                                                 s->servername_done = strlen(s->session->tlsext_hostname) == len 
648                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
649                                         
650                                         break;
651
652                                 default:
653                                         break;
654                                         }
655                                  
656                                 dsize -= len;
657                                 }
658                         if (dsize != 0) 
659                                 {
660                                 *al = SSL_AD_DECODE_ERROR;
661                                 return 0;
662                                 }
663
664                         }
665
666 #ifndef OPENSSL_NO_EC
667                 else if (type == TLSEXT_TYPE_ec_point_formats)
668                         {
669                         unsigned char *sdata = data;
670                         int ecpointformatlist_length = *(sdata++);
671
672                         if (ecpointformatlist_length != size - 1)
673                                 {
674                                 *al = TLS1_AD_DECODE_ERROR;
675                                 return 0;
676                                 }
677                         s->session->tlsext_ecpointformatlist_length = 0;
678                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
679                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
680                                 {
681                                 *al = TLS1_AD_INTERNAL_ERROR;
682                                 return 0;
683                                 }
684                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
685                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
686 #if 0
687                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
688                         sdata = s->session->tlsext_ecpointformatlist;
689                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
690                                 fprintf(stderr,"%i ",*(sdata++));
691                         fprintf(stderr,"\n");
692 #endif
693                         }
694                 else if (type == TLSEXT_TYPE_elliptic_curves)
695                         {
696                         unsigned char *sdata = data;
697                         int ellipticcurvelist_length = (*(sdata++) << 8);
698                         ellipticcurvelist_length += (*(sdata++));
699
700                         if (ellipticcurvelist_length != size - 2)
701                                 {
702                                 *al = TLS1_AD_DECODE_ERROR;
703                                 return 0;
704                                 }
705                         s->session->tlsext_ellipticcurvelist_length = 0;
706                         if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
707                         if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
708                                 {
709                                 *al = TLS1_AD_INTERNAL_ERROR;
710                                 return 0;
711                                 }
712                         s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
713                         memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
714 #if 0
715                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
716                         sdata = s->session->tlsext_ellipticcurvelist;
717                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
718                                 fprintf(stderr,"%i ",*(sdata++));
719                         fprintf(stderr,"\n");
720 #endif
721                         }
722 #endif /* OPENSSL_NO_EC */
723 #ifdef TLSEXT_TYPE_opaque_prf_input
724                 else if (type == TLSEXT_TYPE_opaque_prf_input)
725                         {
726                         unsigned char *sdata = data;
727
728                         if (size < 2)
729                                 {
730                                 *al = SSL_AD_DECODE_ERROR;
731                                 return 0;
732                                 }
733                         n2s(sdata, s->s3->client_opaque_prf_input_len);
734                         if (s->s3->client_opaque_prf_input_len != size - 2)
735                                 {
736                                 *al = SSL_AD_DECODE_ERROR;
737                                 return 0;
738                                 }
739
740                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
741                                 OPENSSL_free(s->s3->client_opaque_prf_input);
742                         if (s->s3->client_opaque_prf_input_len == 0)
743                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
744                         else
745                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
746                         if (s->s3->client_opaque_prf_input == NULL)
747                                 {
748                                 *al = TLS1_AD_INTERNAL_ERROR;
749                                 return 0;
750                                 }
751                         }
752 #endif
753                 else if (type == TLSEXT_TYPE_status_request
754                                                 && s->ctx->tlsext_status_cb)
755                         {
756                 
757                         if (size < 5) 
758                                 {
759                                 *al = SSL_AD_DECODE_ERROR;
760                                 return 0;
761                                 }
762
763                         s->tlsext_status_type = *data++;
764                         size--;
765                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
766                                 {
767                                 const unsigned char *sdata;
768                                 int dsize;
769                                 /* Read in responder_id_list */
770                                 n2s(data,dsize);
771                                 size -= 2;
772                                 if (dsize > size  ) 
773                                         {
774                                         *al = SSL_AD_DECODE_ERROR;
775                                         return 0;
776                                         }
777                                 while (dsize > 0)
778                                         {
779                                         OCSP_RESPID *id;
780                                         int idsize;
781                                         if (dsize < 4)
782                                                 {
783                                                 *al = SSL_AD_DECODE_ERROR;
784                                                 return 0;
785                                                 }
786                                         n2s(data, idsize);
787                                         dsize -= 2 + idsize;
788                                         if (dsize < 0)
789                                                 {
790                                                 *al = SSL_AD_DECODE_ERROR;
791                                                 return 0;
792                                                 }
793                                         sdata = data;
794                                         data += idsize;
795                                         id = d2i_OCSP_RESPID(NULL,
796                                                                 &sdata, idsize);
797                                         if (!id)
798                                                 {
799                                                 *al = SSL_AD_DECODE_ERROR;
800                                                 return 0;
801                                                 }
802                                         if (data != sdata)
803                                                 {
804                                                 OCSP_RESPID_free(id);
805                                                 *al = SSL_AD_DECODE_ERROR;
806                                                 return 0;
807                                                 }
808                                         if (!s->tlsext_ocsp_ids
809                                                 && !(s->tlsext_ocsp_ids =
810                                                 sk_OCSP_RESPID_new_null()))
811                                                 {
812                                                 OCSP_RESPID_free(id);
813                                                 *al = SSL_AD_INTERNAL_ERROR;
814                                                 return 0;
815                                                 }
816                                         if (!sk_OCSP_RESPID_push(
817                                                         s->tlsext_ocsp_ids, id))
818                                                 {
819                                                 OCSP_RESPID_free(id);
820                                                 *al = SSL_AD_INTERNAL_ERROR;
821                                                 return 0;
822                                                 }
823                                         }
824
825                                 /* Read in request_extensions */
826                                 n2s(data,dsize);
827                                 size -= 2;
828                                 if (dsize > size) 
829                                         {
830                                         *al = SSL_AD_DECODE_ERROR;
831                                         return 0;
832                                         }
833                                 sdata = data;
834                                 if (dsize > 0)
835                                         {
836                                         s->tlsext_ocsp_exts =
837                                                 d2i_X509_EXTENSIONS(NULL,
838                                                         &sdata, dsize);
839                                         if (!s->tlsext_ocsp_exts
840                                                 || (data + dsize != sdata))
841                                                 {
842                                                 *al = SSL_AD_DECODE_ERROR;
843                                                 return 0;
844                                                 }
845                                         }
846                                 }
847                                 /* We don't know what to do with any other type
848                                 * so ignore it.
849                                 */
850                                 else
851                                         s->tlsext_status_type = -1;
852                         }
853
854                 /* session ticket processed earlier */
855                 data+=size;
856                 }
857                                 
858         *p = data;
859         return 1;
860         }
861
862 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
863         {
864         unsigned short type;
865         unsigned short size;
866         unsigned short len;  
867         unsigned char *data = *p;
868
869         int tlsext_servername = 0;
870
871         if (data >= (d+n-2))
872                 return 1;
873
874         n2s(data,len);
875
876         while(data <= (d+n-4))
877                 {
878                 n2s(data,type);
879                 n2s(data,size);
880
881                 if (data+size > (d+n))
882                         return 1;
883
884                 if (s->tlsext_debug_cb)
885                         s->tlsext_debug_cb(s, 1, type, data, size,
886                                                 s->tlsext_debug_arg);
887
888                 if (type == TLSEXT_TYPE_server_name)
889                         {
890                         if (s->tlsext_hostname == NULL || size > 0)
891                                 {
892                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
893                                 return 0;
894                                 }
895                         tlsext_servername = 1;   
896                         }
897
898 #ifndef OPENSSL_NO_EC
899                 else if (type == TLSEXT_TYPE_ec_point_formats)
900                         {
901                         unsigned char *sdata = data;
902                         int ecpointformatlist_length = *(sdata++);
903
904                         if (ecpointformatlist_length != size - 1)
905                                 {
906                                 *al = TLS1_AD_DECODE_ERROR;
907                                 return 0;
908                                 }
909                         s->session->tlsext_ecpointformatlist_length = 0;
910                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
911                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
912                                 {
913                                 *al = TLS1_AD_INTERNAL_ERROR;
914                                 return 0;
915                                 }
916                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
917                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
918 #if 0
919                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
920                         sdata = s->session->tlsext_ecpointformatlist;
921                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
922                                 fprintf(stderr,"%i ",*(sdata++));
923                         fprintf(stderr,"\n");
924 #endif
925                         }
926 #endif /* OPENSSL_NO_EC */
927
928                 else if (type == TLSEXT_TYPE_session_ticket)
929                         {
930                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
931                                 || (size > 0))
932                                 {
933                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
934                                 return 0;
935                                 }
936                         s->tlsext_ticket_expected = 1;
937                         }
938 #ifdef TLSEXT_TYPE_opaque_prf_input
939                 else if (type == TLSEXT_TYPE_opaque_prf_input)
940                         {
941                         unsigned char *sdata = data;
942
943                         if (size < 2)
944                                 {
945                                 *al = SSL_AD_DECODE_ERROR;
946                                 return 0;
947                                 }
948                         n2s(sdata, s->s3->server_opaque_prf_input_len);
949                         if (s->s3->server_opaque_prf_input_len != size - 2)
950                                 {
951                                 *al = SSL_AD_DECODE_ERROR;
952                                 return 0;
953                                 }
954                         
955                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
956                                 OPENSSL_free(s->s3->server_opaque_prf_input);
957                         if (s->s3->server_opaque_prf_input_len == 0)
958                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
959                         else
960                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
961
962                         if (s->s3->server_opaque_prf_input == NULL)
963                                 {
964                                 *al = TLS1_AD_INTERNAL_ERROR;
965                                 return 0;
966                                 }
967                         }
968 #endif
969                 else if (type == TLSEXT_TYPE_status_request)
970                         {
971                         /* MUST be empty and only sent if we've requested
972                          * a status request message.
973                          */ 
974                         if ((s->tlsext_status_type == -1) || (size > 0))
975                                 {
976                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
977                                 return 0;
978                                 }
979                         /* Set flag to expect CertificateStatus message */
980                         s->tlsext_status_expected = 1;
981                         }
982
983                 data+=size;             
984                 }
985
986         if (data != d+n)
987                 {
988                 *al = SSL_AD_DECODE_ERROR;
989                 return 0;
990                 }
991
992         if (!s->hit && tlsext_servername == 1)
993                 {
994                 if (s->tlsext_hostname)
995                         {
996                         if (s->session->tlsext_hostname == NULL)
997                                 {
998                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
999                                 if (!s->session->tlsext_hostname)
1000                                         {
1001                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1002                                         return 0;
1003                                         }
1004                                 }
1005                         else 
1006                                 {
1007                                 *al = SSL_AD_DECODE_ERROR;
1008                                 return 0;
1009                                 }
1010                         }
1011                 }
1012
1013         *p = data;
1014         return 1;
1015         }
1016
1017
1018 int ssl_prepare_clienthello_tlsext(SSL *s)
1019         {
1020 #ifndef OPENSSL_NO_EC
1021         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1022          * and elliptic curves we support.
1023          */
1024         int using_ecc = 0;
1025         int i;
1026         unsigned char *j;
1027         unsigned long alg_k, alg_a;
1028         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1029
1030         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1031                 {
1032                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1033
1034                 alg_k = c->algorithm_mkey;
1035                 alg_a = c->algorithm_auth;
1036                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1037                         {
1038                         using_ecc = 1;
1039                         break;
1040                         }
1041                 }
1042         using_ecc = using_ecc && (s->version == TLS1_VERSION);
1043         if (using_ecc)
1044                 {
1045                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1046                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1047                         {
1048                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1049                         return -1;
1050                         }
1051                 s->tlsext_ecpointformatlist_length = 3;
1052                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1053                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1054                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1055
1056                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1057                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1058                 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1059                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1060                         {
1061                         s->tlsext_ellipticcurvelist_length = 0;
1062                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1063                         return -1;
1064                         }
1065                 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1066                                 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1067                         s2n(i,j);
1068                 }
1069 #endif /* OPENSSL_NO_EC */
1070
1071 #ifdef TLSEXT_TYPE_opaque_prf_input
1072         {
1073                 int r = 1;
1074         
1075                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1076                         {
1077                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1078                         if (!r)
1079                                 return -1;
1080                         }
1081
1082                 if (s->tlsext_opaque_prf_input != NULL)
1083                         {
1084                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1085                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1086
1087                         if (s->tlsext_opaque_prf_input_len == 0)
1088                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1089                         else
1090                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1091                         if (s->s3->client_opaque_prf_input == NULL)
1092                                 {
1093                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1094                                 return -1;
1095                                 }
1096                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1097                         }
1098
1099                 if (r == 2)
1100                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1101                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1102         }
1103 #endif
1104
1105         return 1;
1106         }
1107
1108 int ssl_prepare_serverhello_tlsext(SSL *s)
1109         {
1110 #ifndef OPENSSL_NO_EC
1111         /* If we are server and using an ECC cipher suite, send the point formats we support 
1112          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1113          * supposed to send an EllipticCurves extension.
1114          */
1115
1116         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1117         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1118         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1119         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1120         
1121         if (using_ecc)
1122                 {
1123                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1124                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1125                         {
1126                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1127                         return -1;
1128                         }
1129                 s->tlsext_ecpointformatlist_length = 3;
1130                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1131                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1132                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1133                 }
1134 #endif /* OPENSSL_NO_EC */
1135
1136         return 1;
1137         }
1138
1139 int ssl_check_clienthello_tlsext(SSL *s)
1140         {
1141         int ret=SSL_TLSEXT_ERR_NOACK;
1142         int al = SSL_AD_UNRECOGNIZED_NAME;
1143
1144 #ifndef OPENSSL_NO_EC
1145         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1146          * ssl3_choose_cipher in s3_lib.c.
1147          */
1148         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1149          * ssl3_choose_cipher in s3_lib.c.
1150          */
1151 #endif
1152
1153         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1154                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1155         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1156                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1157
1158         /* If status request then ask callback what to do.
1159          * Note: this must be called after servername callbacks in case 
1160          * the certificate has changed.
1161          */
1162         if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
1163                 {
1164                 int r;
1165                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1166                 switch (r)
1167                         {
1168                         /* We don't want to send a status request response */
1169                         case SSL_TLSEXT_ERR_NOACK:
1170                                 s->tlsext_status_expected = 0;
1171                                 break;
1172                         /* status request response should be sent */
1173                         case SSL_TLSEXT_ERR_OK:
1174                                 if (s->tlsext_ocsp_resp)
1175                                         s->tlsext_status_expected = 1;
1176                                 else
1177                                         s->tlsext_status_expected = 0;
1178                                 break;
1179                         /* something bad happened */
1180                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1181                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1182                                 al = SSL_AD_INTERNAL_ERROR;
1183                                 goto err;
1184                         }
1185                 }
1186         else
1187                 s->tlsext_status_expected = 0;
1188
1189 #ifdef TLSEXT_TYPE_opaque_prf_input
1190         {
1191                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1192                  * but we might be sending an alert in response to the client hello,
1193                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1194
1195                 int r = 1;
1196         
1197                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1198                         {
1199                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1200                         if (!r)
1201                                 {
1202                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1203                                 al = SSL_AD_INTERNAL_ERROR;
1204                                 goto err;
1205                                 }
1206                         }
1207
1208                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1209                         OPENSSL_free(s->s3->server_opaque_prf_input);
1210                 s->s3->server_opaque_prf_input = NULL;
1211
1212                 if (s->tlsext_opaque_prf_input != NULL)
1213                         {
1214                         if (s->s3->client_opaque_prf_input != NULL &&
1215                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1216                                 {
1217                                 /* can only use this extension if we have a server opaque PRF input
1218                                  * of the same length as the client opaque PRF input! */
1219
1220                                 if (s->tlsext_opaque_prf_input_len == 0)
1221                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1222                                 else
1223                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1224                                 if (s->s3->server_opaque_prf_input == NULL)
1225                                         {
1226                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1227                                         al = SSL_AD_INTERNAL_ERROR;
1228                                         goto err;
1229                                         }
1230                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1231                                 }
1232                         }
1233
1234                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1235                         {
1236                         /* The callback wants to enforce use of the extension,
1237                          * but we can't do that with the client opaque PRF input;
1238                          * abort the handshake.
1239                          */
1240                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1241                         al = SSL_AD_HANDSHAKE_FAILURE;
1242                         }
1243         }
1244
1245 #endif
1246  err:
1247         switch (ret)
1248                 {
1249                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1250                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1251                         return -1;
1252
1253                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1254                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1255                         return 1; 
1256                                         
1257                 case SSL_TLSEXT_ERR_NOACK:
1258                         s->servername_done=0;
1259                         default:
1260                 return 1;
1261                 }
1262         }
1263
1264 int ssl_check_serverhello_tlsext(SSL *s)
1265         {
1266         int ret=SSL_TLSEXT_ERR_NOACK;
1267         int al = SSL_AD_UNRECOGNIZED_NAME;
1268
1269 #ifndef OPENSSL_NO_EC
1270         /* If we are client and using an elliptic curve cryptography cipher suite, then server
1271          * must return a an EC point formats lists containing uncompressed.
1272          */
1273         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1274         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1275         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1276             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1277                 {
1278                 /* we are using an ECC cipher */
1279                 size_t i;
1280                 unsigned char *list;
1281                 int found_uncompressed = 0;
1282                 if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
1283                         {
1284                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1285                         return -1;
1286                         }
1287                 list = s->session->tlsext_ecpointformatlist;
1288                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1289                         {
1290                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1291                                 {
1292                                 found_uncompressed = 1;
1293                                 break;
1294                                 }
1295                         }
1296                 if (!found_uncompressed)
1297                         {
1298                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1299                         return -1;
1300                         }
1301                 }
1302         ret = SSL_TLSEXT_ERR_OK;
1303 #endif /* OPENSSL_NO_EC */
1304
1305         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1306                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1307         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1308                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1309
1310 #ifdef TLSEXT_TYPE_opaque_prf_input
1311         if (s->s3->server_opaque_prf_input_len > 0)
1312                 {
1313                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1314                  * So first verify that we really have a value from the server too. */
1315
1316                 if (s->s3->server_opaque_prf_input == NULL)
1317                         {
1318                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1319                         al = SSL_AD_HANDSHAKE_FAILURE;
1320                         }
1321                 
1322                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1323                  * that we have a client opaque PRF input of the same size. */
1324                 if (s->s3->client_opaque_prf_input == NULL ||
1325                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1326                         {
1327                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1328                         al = SSL_AD_ILLEGAL_PARAMETER;
1329                         }
1330                 }
1331 #endif
1332
1333         /* If we've requested certificate status and we wont get one
1334          * tell the callback
1335          */
1336         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1337                         && s->ctx->tlsext_status_cb)
1338                 {
1339                 int r;
1340                 /* Set resp to NULL, resplen to -1 so callback knows
1341                  * there is no response.
1342                  */
1343                 if (s->tlsext_ocsp_resp)
1344                         {
1345                         OPENSSL_free(s->tlsext_ocsp_resp);
1346                         s->tlsext_ocsp_resp = NULL;
1347                         }
1348                 s->tlsext_ocsp_resplen = -1;
1349                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1350                 if (r == 0)
1351                         {
1352                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1353                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1354                         }
1355                 if (r < 0)
1356                         {
1357                         al = SSL_AD_INTERNAL_ERROR;
1358                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1359                         }
1360                 }
1361
1362         switch (ret)
1363                 {
1364                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1365                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1366                         return -1;
1367
1368                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1369                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1370                         return 1; 
1371                                         
1372                 case SSL_TLSEXT_ERR_NOACK:
1373                         s->servername_done=0;
1374                         default:
1375                 return 1;
1376                 }
1377         }
1378
1379 /* Since the server cache lookup is done early on in the processing of client
1380  * hello and other operations depend on the result we need to handle any TLS
1381  * session ticket extension at the same time.
1382  */
1383
1384 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1385                                 const unsigned char *limit, SSL_SESSION **ret)
1386         {
1387         /* Point after session ID in client hello */
1388         const unsigned char *p = session_id + len;
1389         unsigned short i;
1390         if ((s->version <= SSL3_VERSION) || !limit)
1391                 return 1;
1392         if (p >= limit)
1393                 return -1;
1394         /* Skip past cipher list */
1395         n2s(p, i);
1396         p+= i;
1397         if (p >= limit)
1398                 return -1;
1399         /* Skip past compression algorithm list */
1400         i = *(p++);
1401         p += i;
1402         if (p > limit)
1403                 return -1;
1404         /* Now at start of extensions */
1405         if ((p + 2) >= limit)
1406                 return 1;
1407         n2s(p, i);
1408         while ((p + 4) <= limit)
1409                 {
1410                 unsigned short type, size;
1411                 n2s(p, type);
1412                 n2s(p, size);
1413                 if (p + size > limit)
1414                         return 1;
1415                 if (type == TLSEXT_TYPE_session_ticket)
1416                         {
1417                         /* If tickets disabled indicate cache miss which will
1418                          * trigger a full handshake
1419                          */
1420                         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1421                                 return 0;
1422                         /* If zero length not client will accept a ticket
1423                          * and indicate cache miss to trigger full handshake
1424                          */
1425                         if (size == 0)
1426                                 {
1427                                 s->tlsext_ticket_expected = 1;
1428                                 return 0;       /* Cache miss */
1429                                 }
1430                         return tls_decrypt_ticket(s, p, size, session_id, len,
1431                                                                         ret);
1432                         }
1433                 p += size;
1434                 }
1435         return 1;
1436         }
1437
1438 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1439                                 const unsigned char *sess_id, int sesslen,
1440                                 SSL_SESSION **psess)
1441         {
1442         SSL_SESSION *sess;
1443         unsigned char *sdec;
1444         const unsigned char *p;
1445         int slen, mlen;
1446         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1447         HMAC_CTX hctx;
1448         EVP_CIPHER_CTX ctx;
1449         /* Attempt to process session ticket, first conduct sanity and
1450          * integrity checks on ticket.
1451          */
1452         mlen = EVP_MD_size(tlsext_tick_md());
1453         eticklen -= mlen;
1454         /* Need at least keyname + iv + some encrypted data */
1455         if (eticklen < 48)
1456                 goto tickerr;
1457         /* Check key name matches */
1458         if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
1459                 goto tickerr;
1460         /* Check HMAC of encrypted ticket */
1461         HMAC_CTX_init(&hctx);
1462         HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
1463                                 tlsext_tick_md(), NULL);
1464         HMAC_Update(&hctx, etick, eticklen);
1465         HMAC_Final(&hctx, tick_hmac, NULL);
1466         HMAC_CTX_cleanup(&hctx);
1467         if (memcmp(tick_hmac, etick + eticklen, mlen))
1468                 goto tickerr;
1469         /* Set p to start of IV */
1470         p = etick + 16;
1471         EVP_CIPHER_CTX_init(&ctx);
1472         /* Attempt to decrypt session data */
1473         EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1474                                         s->ctx->tlsext_tick_aes_key, p);
1475         /* Move p after IV to start of encrypted ticket, update length */
1476         p += 16;
1477         eticklen -= 32;
1478         sdec = OPENSSL_malloc(eticklen);
1479         if (!sdec)
1480                 {
1481                 EVP_CIPHER_CTX_cleanup(&ctx);
1482                 return -1;
1483                 }
1484         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1485         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1486                 goto tickerr;
1487         slen += mlen;
1488         EVP_CIPHER_CTX_cleanup(&ctx);
1489         p = sdec;
1490                 
1491         sess = d2i_SSL_SESSION(NULL, &p, slen);
1492         OPENSSL_free(sdec);
1493         if (sess)
1494                 {
1495                 /* The session ID if non-empty is used by some clients to
1496                  * detect that the ticket has been accepted. So we copy it to
1497                  * the session structure. If it is empty set length to zero
1498                  * as required by standard.
1499                  */
1500                 if (sesslen)
1501                         memcpy(sess->session_id, sess_id, sesslen);
1502                 sess->session_id_length = sesslen;
1503                 *psess = sess;
1504                 s->tlsext_ticket_expected = 0;
1505                 return 1;
1506                 }
1507         /* If session decrypt failure indicate a cache miss and set state to
1508          * send a new ticket
1509          */
1510         tickerr:        
1511         s->tlsext_ticket_expected = 1;
1512         return 0;
1513         }
1514
1515 #endif