39b5e725330aebe4ea6c9e4e113df0addf33865f
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123                                 const unsigned char *sess_id, int sesslen,
124                                 SSL_SESSION **psess);
125 #endif
126
127 SSL3_ENC_METHOD TLSv1_enc_data={
128         tls1_enc,
129         tls1_mac,
130         tls1_setup_key_block,
131         tls1_generate_master_secret,
132         tls1_change_cipher_state,
133         tls1_final_finish_mac,
134         TLS1_FINISH_MAC_LENGTH,
135         tls1_cert_verify_mac,
136         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138         tls1_alert_code,
139         };
140
141 long tls1_default_timeout(void)
142         {
143         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144          * is way too long for http, the cache would over fill */
145         return(60*60*2);
146         }
147
148 int tls1_new(SSL *s)
149         {
150         if (!ssl3_new(s)) return(0);
151         s->method->ssl_clear(s);
152         return(1);
153         }
154
155 void tls1_free(SSL *s)
156         {
157 #ifndef OPENSSL_NO_TLSEXT
158         if (s->tlsext_session_ticket)
159                 {
160                 OPENSSL_free(s->tlsext_session_ticket);
161                 }
162 #endif /* OPENSSL_NO_TLSEXT */
163         ssl3_free(s);
164         }
165
166 void tls1_clear(SSL *s)
167         {
168         ssl3_clear(s);
169         s->version = s->method->version;
170         }
171
172 #ifndef OPENSSL_NO_EC
173 static int nid_list[] =
174         {
175                 NID_sect163k1, /* sect163k1 (1) */
176                 NID_sect163r1, /* sect163r1 (2) */
177                 NID_sect163r2, /* sect163r2 (3) */
178                 NID_sect193r1, /* sect193r1 (4) */ 
179                 NID_sect193r2, /* sect193r2 (5) */ 
180                 NID_sect233k1, /* sect233k1 (6) */
181                 NID_sect233r1, /* sect233r1 (7) */ 
182                 NID_sect239k1, /* sect239k1 (8) */ 
183                 NID_sect283k1, /* sect283k1 (9) */
184                 NID_sect283r1, /* sect283r1 (10) */ 
185                 NID_sect409k1, /* sect409k1 (11) */ 
186                 NID_sect409r1, /* sect409r1 (12) */
187                 NID_sect571k1, /* sect571k1 (13) */ 
188                 NID_sect571r1, /* sect571r1 (14) */ 
189                 NID_secp160k1, /* secp160k1 (15) */
190                 NID_secp160r1, /* secp160r1 (16) */ 
191                 NID_secp160r2, /* secp160r2 (17) */ 
192                 NID_secp192k1, /* secp192k1 (18) */
193                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
194                 NID_secp224k1, /* secp224k1 (20) */ 
195                 NID_secp224r1, /* secp224r1 (21) */
196                 NID_secp256k1, /* secp256k1 (22) */ 
197                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
198                 NID_secp384r1, /* secp384r1 (24) */
199                 NID_secp521r1  /* secp521r1 (25) */     
200         };
201         
202 int tls1_ec_curve_id2nid(int curve_id)
203         {
204         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
205         if ((curve_id < 1) || ((unsigned int)curve_id >
206                                 sizeof(nid_list)/sizeof(nid_list[0])))
207                 return 0;
208         return nid_list[curve_id-1];
209         }
210
211 int tls1_ec_nid2curve_id(int nid)
212         {
213         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
214         switch (nid)
215                 {
216         case NID_sect163k1: /* sect163k1 (1) */
217                 return 1;
218         case NID_sect163r1: /* sect163r1 (2) */
219                 return 2;
220         case NID_sect163r2: /* sect163r2 (3) */
221                 return 3;
222         case NID_sect193r1: /* sect193r1 (4) */ 
223                 return 4;
224         case NID_sect193r2: /* sect193r2 (5) */ 
225                 return 5;
226         case NID_sect233k1: /* sect233k1 (6) */
227                 return 6;
228         case NID_sect233r1: /* sect233r1 (7) */ 
229                 return 7;
230         case NID_sect239k1: /* sect239k1 (8) */ 
231                 return 8;
232         case NID_sect283k1: /* sect283k1 (9) */
233                 return 9;
234         case NID_sect283r1: /* sect283r1 (10) */ 
235                 return 10;
236         case NID_sect409k1: /* sect409k1 (11) */ 
237                 return 11;
238         case NID_sect409r1: /* sect409r1 (12) */
239                 return 12;
240         case NID_sect571k1: /* sect571k1 (13) */ 
241                 return 13;
242         case NID_sect571r1: /* sect571r1 (14) */ 
243                 return 14;
244         case NID_secp160k1: /* secp160k1 (15) */
245                 return 15;
246         case NID_secp160r1: /* secp160r1 (16) */ 
247                 return 16;
248         case NID_secp160r2: /* secp160r2 (17) */ 
249                 return 17;
250         case NID_secp192k1: /* secp192k1 (18) */
251                 return 18;
252         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
253                 return 19;
254         case NID_secp224k1: /* secp224k1 (20) */ 
255                 return 20;
256         case NID_secp224r1: /* secp224r1 (21) */
257                 return 21;
258         case NID_secp256k1: /* secp256k1 (22) */ 
259                 return 22;
260         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
261                 return 23;
262         case NID_secp384r1: /* secp384r1 (24) */
263                 return 24;
264         case NID_secp521r1:  /* secp521r1 (25) */       
265                 return 25;
266         default:
267                 return 0;
268                 }
269         }
270 #endif /* OPENSSL_NO_EC */
271
272 #ifndef OPENSSL_NO_TLSEXT
273 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
274         {
275         int extdatalen=0;
276         unsigned char *ret = p;
277
278         /* don't add extensions for SSLv3 unless doing secure renegotiation */
279         if (s->client_version == SSL3_VERSION
280                                         && !s->s3->send_connection_binding)
281                 return p;
282
283         ret+=2;
284
285         if (ret>=limit) return NULL; /* this really never occurs, but ... */
286
287         if (s->tlsext_hostname != NULL)
288                 { 
289                 /* Add TLS extension servername to the Client Hello message */
290                 unsigned long size_str;
291                 long lenmax; 
292
293                 /* check for enough space.
294                    4 for the servername type and entension length
295                    2 for servernamelist length
296                    1 for the hostname type
297                    2 for hostname length
298                    + hostname length 
299                 */
300                    
301                 if ((lenmax = limit - ret - 9) < 0 
302                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
303                         return NULL;
304                         
305                 /* extension type and length */
306                 s2n(TLSEXT_TYPE_server_name,ret); 
307                 s2n(size_str+5,ret);
308                 
309                 /* length of servername list */
310                 s2n(size_str+3,ret);
311         
312                 /* hostname type, length and hostname */
313                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
314                 s2n(size_str,ret);
315                 memcpy(ret, s->tlsext_hostname, size_str);
316                 ret+=size_str;
317                 }
318
319         /* Add RI if renegotiating */
320         if (s->new_session)
321           {
322           int el;
323           
324           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
325               {
326               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
327               return NULL;
328               }
329
330           if((limit - p - 4 - el) < 0) return NULL;
331           
332           s2n(TLSEXT_TYPE_renegotiate,ret);
333           s2n(el,ret);
334
335           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
336               {
337               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
338               return NULL;
339               }
340
341           ret += el;
342         }
343
344 #ifndef OPENSSL_NO_EC
345         if (s->tlsext_ecpointformatlist != NULL &&
346             s->version != DTLS1_VERSION)
347                 {
348                 /* Add TLS extension ECPointFormats to the ClientHello message */
349                 long lenmax; 
350
351                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
352                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
353                 if (s->tlsext_ecpointformatlist_length > 255)
354                         {
355                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
356                         return NULL;
357                         }
358                 
359                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
360                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
361                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
362                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
363                 ret+=s->tlsext_ecpointformatlist_length;
364                 }
365         if (s->tlsext_ellipticcurvelist != NULL &&
366             s->version != DTLS1_VERSION)
367                 {
368                 /* Add TLS extension EllipticCurves to the ClientHello message */
369                 long lenmax; 
370
371                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
372                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
373                 if (s->tlsext_ellipticcurvelist_length > 65532)
374                         {
375                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
376                         return NULL;
377                         }
378                 
379                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
380                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
381
382                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
383                  * elliptic_curve_list, but the examples use two bytes.
384                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
385                  * resolves this to two bytes.
386                  */
387                 s2n(s->tlsext_ellipticcurvelist_length, ret);
388                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
389                 ret+=s->tlsext_ellipticcurvelist_length;
390                 }
391 #endif /* OPENSSL_NO_EC */
392
393         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
394                 {
395                 int ticklen;
396                 if (!s->new_session && s->session && s->session->tlsext_tick)
397                         ticklen = s->session->tlsext_ticklen;
398                 else if (s->session && s->tlsext_session_ticket &&
399                          s->tlsext_session_ticket->data)
400                         {
401                         ticklen = s->tlsext_session_ticket->length;
402                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
403                         if (!s->session->tlsext_tick)
404                                 return NULL;
405                         memcpy(s->session->tlsext_tick,
406                                s->tlsext_session_ticket->data,
407                                ticklen);
408                         s->session->tlsext_ticklen = ticklen;
409                         }
410                 else
411                         ticklen = 0;
412                 if (ticklen == 0 && s->tlsext_session_ticket &&
413                     s->tlsext_session_ticket->data == NULL)
414                         goto skip_ext;
415                 /* Check for enough room 2 for extension type, 2 for len
416                  * rest for ticket
417                  */
418                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
419                 s2n(TLSEXT_TYPE_session_ticket,ret); 
420                 s2n(ticklen,ret);
421                 if (ticklen)
422                         {
423                         memcpy(ret, s->session->tlsext_tick, ticklen);
424                         ret += ticklen;
425                         }
426                 }
427                 skip_ext:
428
429 #ifdef TLSEXT_TYPE_opaque_prf_input
430         if (s->s3->client_opaque_prf_input != NULL &&
431             s->version != DTLS1_VERSION)
432                 {
433                 size_t col = s->s3->client_opaque_prf_input_len;
434                 
435                 if ((long)(limit - ret - 6 - col < 0))
436                         return NULL;
437                 if (col > 0xFFFD) /* can't happen */
438                         return NULL;
439
440                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
441                 s2n(col + 2, ret);
442                 s2n(col, ret);
443                 memcpy(ret, s->s3->client_opaque_prf_input, col);
444                 ret += col;
445                 }
446 #endif
447
448         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
449             s->version != DTLS1_VERSION)
450                 {
451                 int i;
452                 long extlen, idlen, itmp;
453                 OCSP_RESPID *id;
454
455                 idlen = 0;
456                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
457                         {
458                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
459                         itmp = i2d_OCSP_RESPID(id, NULL);
460                         if (itmp <= 0)
461                                 return NULL;
462                         idlen += itmp + 2;
463                         }
464
465                 if (s->tlsext_ocsp_exts)
466                         {
467                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
468                         if (extlen < 0)
469                                 return NULL;
470                         }
471                 else
472                         extlen = 0;
473                         
474                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
475                 s2n(TLSEXT_TYPE_status_request, ret);
476                 if (extlen + idlen > 0xFFF0)
477                         return NULL;
478                 s2n(extlen + idlen + 5, ret);
479                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
480                 s2n(idlen, ret);
481                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
482                         {
483                         /* save position of id len */
484                         unsigned char *q = ret;
485                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
486                         /* skip over id len */
487                         ret += 2;
488                         itmp = i2d_OCSP_RESPID(id, &ret);
489                         /* write id len */
490                         s2n(itmp, q);
491                         }
492                 s2n(extlen, ret);
493                 if (extlen > 0)
494                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
495                 }
496
497 #ifndef OPENSSL_NO_NPN
498         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
499                 {
500                 /* The client advertises an emtpy extension to indicate its
501                  * support for Next Protocol Negotiation */
502                 if (limit - ret - 4 < 0)
503                         return NULL;
504                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
505                 s2n(0,ret);
506                 }
507 #endif
508
509         if ((extdatalen = ret-p-2)== 0) 
510                 return p;
511
512         s2n(extdatalen,p);
513         return ret;
514         }
515
516 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
517         {
518         int extdatalen=0;
519         unsigned char *ret = p;
520 #ifndef OPENSSL_NO_NPN
521         char next_proto_neg_seen;
522 #endif
523
524         /* don't add extensions for SSLv3, unless doing secure renegotiation */
525         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
526                 return p;
527         
528         ret+=2;
529         if (ret>=limit) return NULL; /* this really never occurs, but ... */
530
531         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
532                 { 
533                 if ((long)(limit - ret - 4) < 0) return NULL; 
534
535                 s2n(TLSEXT_TYPE_server_name,ret);
536                 s2n(0,ret);
537                 }
538
539         if(s->s3->send_connection_binding)
540         {
541           int el;
542           
543           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
544               {
545               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
546               return NULL;
547               }
548
549           if((limit - p - 4 - el) < 0) return NULL;
550           
551           s2n(TLSEXT_TYPE_renegotiate,ret);
552           s2n(el,ret);
553
554           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
555               {
556               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
557               return NULL;
558               }
559
560           ret += el;
561         }
562
563 #ifndef OPENSSL_NO_EC
564         if (s->tlsext_ecpointformatlist != NULL &&
565             s->version != DTLS1_VERSION)
566                 {
567                 /* Add TLS extension ECPointFormats to the ServerHello message */
568                 long lenmax; 
569
570                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
571                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
572                 if (s->tlsext_ecpointformatlist_length > 255)
573                         {
574                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
575                         return NULL;
576                         }
577                 
578                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
579                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
580                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
581                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
582                 ret+=s->tlsext_ecpointformatlist_length;
583
584                 }
585         /* Currently the server should not respond with a SupportedCurves extension */
586 #endif /* OPENSSL_NO_EC */
587
588         if (s->tlsext_ticket_expected
589                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
590                 { 
591                 if ((long)(limit - ret - 4) < 0) return NULL; 
592                 s2n(TLSEXT_TYPE_session_ticket,ret);
593                 s2n(0,ret);
594                 }
595
596         if (s->tlsext_status_expected)
597                 { 
598                 if ((long)(limit - ret - 4) < 0) return NULL; 
599                 s2n(TLSEXT_TYPE_status_request,ret);
600                 s2n(0,ret);
601                 }
602
603 #ifdef TLSEXT_TYPE_opaque_prf_input
604         if (s->s3->server_opaque_prf_input != NULL &&
605             s->version != DTLS1_VERSION)
606                 {
607                 size_t sol = s->s3->server_opaque_prf_input_len;
608                 
609                 if ((long)(limit - ret - 6 - sol) < 0)
610                         return NULL;
611                 if (sol > 0xFFFD) /* can't happen */
612                         return NULL;
613
614                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
615                 s2n(sol + 2, ret);
616                 s2n(sol, ret);
617                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
618                 ret += sol;
619                 }
620 #endif
621         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
622                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
623                 { const unsigned char cryptopro_ext[36] = {
624                         0xfd, 0xe8, /*65000*/
625                         0x00, 0x20, /*32 bytes length*/
626                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
627                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
628                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
629                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
630                         if (limit-ret<36) return NULL;
631                         memcpy(ret,cryptopro_ext,36);
632                         ret+=36;
633
634                 }
635
636 #ifndef OPENSSL_NO_NPN
637         next_proto_neg_seen = s->s3->next_proto_neg_seen;
638         s->s3->next_proto_neg_seen = 0;
639         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
640                 {
641                 const unsigned char *npa;
642                 unsigned int npalen;
643                 int r;
644
645                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
646                 if (r == SSL_TLSEXT_ERR_OK)
647                         {
648                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
649                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
650                         s2n(npalen,ret);
651                         memcpy(ret, npa, npalen);
652                         ret += npalen;
653                         s->s3->next_proto_neg_seen = 1;
654                         }
655                 }
656 #endif
657
658         if ((extdatalen = ret-p-2)== 0) 
659                 return p;
660
661         s2n(extdatalen,p);
662         return ret;
663         }
664
665 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
666         {
667         unsigned short type;
668         unsigned short size;
669         unsigned short len;
670         unsigned char *data = *p;
671         int renegotiate_seen = 0;
672
673         s->servername_done = 0;
674         s->tlsext_status_type = -1;
675
676         if (data >= (d+n-2))
677                 goto ri_check;
678         n2s(data,len);
679
680         if (data > (d+n-len)) 
681                 goto ri_check;
682
683         while (data <= (d+n-4))
684                 {
685                 n2s(data,type);
686                 n2s(data,size);
687
688                 if (data+size > (d+n))
689                         goto ri_check;
690 #if 0
691                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
692 #endif
693                 if (s->tlsext_debug_cb)
694                         s->tlsext_debug_cb(s, 0, type, data, size,
695                                                 s->tlsext_debug_arg);
696 /* The servername extension is treated as follows:
697
698    - Only the hostname type is supported with a maximum length of 255.
699    - The servername is rejected if too long or if it contains zeros,
700      in which case an fatal alert is generated.
701    - The servername field is maintained together with the session cache.
702    - When a session is resumed, the servername call back invoked in order
703      to allow the application to position itself to the right context. 
704    - The servername is acknowledged if it is new for a session or when 
705      it is identical to a previously used for the same session. 
706      Applications can control the behaviour.  They can at any time
707      set a 'desirable' servername for a new SSL object. This can be the
708      case for example with HTTPS when a Host: header field is received and
709      a renegotiation is requested. In this case, a possible servername
710      presented in the new client hello is only acknowledged if it matches
711      the value of the Host: field. 
712    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
713      if they provide for changing an explicit servername context for the session,
714      i.e. when the session has been established with a servername extension. 
715    - On session reconnect, the servername extension may be absent. 
716
717 */      
718
719                 if (type == TLSEXT_TYPE_server_name)
720                         {
721                         unsigned char *sdata;
722                         int servname_type;
723                         int dsize; 
724                 
725                         if (size < 2) 
726                                 {
727                                 *al = SSL_AD_DECODE_ERROR;
728                                 return 0;
729                                 }
730                         n2s(data,dsize);  
731                         size -= 2;
732                         if (dsize > size  ) 
733                                 {
734                                 *al = SSL_AD_DECODE_ERROR;
735                                 return 0;
736                                 } 
737
738                         sdata = data;
739                         while (dsize > 3) 
740                                 {
741                                 servname_type = *(sdata++); 
742                                 n2s(sdata,len);
743                                 dsize -= 3;
744
745                                 if (len > dsize) 
746                                         {
747                                         *al = SSL_AD_DECODE_ERROR;
748                                         return 0;
749                                         }
750                                 if (s->servername_done == 0)
751                                 switch (servname_type)
752                                         {
753                                 case TLSEXT_NAMETYPE_host_name:
754                                         if (s->session->tlsext_hostname == NULL)
755                                                 {
756                                                 if (len > TLSEXT_MAXLEN_host_name || 
757                                                         ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
758                                                         {
759                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
760                                                         return 0;
761                                                         }
762                                                 memcpy(s->session->tlsext_hostname, sdata, len);
763                                                 s->session->tlsext_hostname[len]='\0';
764                                                 if (strlen(s->session->tlsext_hostname) != len) {
765                                                         OPENSSL_free(s->session->tlsext_hostname);
766                                                         s->session->tlsext_hostname = NULL;
767                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
768                                                         return 0;
769                                                 }
770                                                 s->servername_done = 1; 
771
772                                                 }
773                                         else 
774                                                 s->servername_done = strlen(s->session->tlsext_hostname) == len 
775                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
776                                         
777                                         break;
778
779                                 default:
780                                         break;
781                                         }
782                                  
783                                 dsize -= len;
784                                 }
785                         if (dsize != 0) 
786                                 {
787                                 *al = SSL_AD_DECODE_ERROR;
788                                 return 0;
789                                 }
790
791                         }
792
793 #ifndef OPENSSL_NO_EC
794                 else if (type == TLSEXT_TYPE_ec_point_formats &&
795                      s->version != DTLS1_VERSION)
796                         {
797                         unsigned char *sdata = data;
798                         int ecpointformatlist_length = *(sdata++);
799
800                         if (ecpointformatlist_length != size - 1)
801                                 {
802                                 *al = TLS1_AD_DECODE_ERROR;
803                                 return 0;
804                                 }
805                         s->session->tlsext_ecpointformatlist_length = 0;
806                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
807                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
808                                 {
809                                 *al = TLS1_AD_INTERNAL_ERROR;
810                                 return 0;
811                                 }
812                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
813                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
814 #if 0
815                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
816                         sdata = s->session->tlsext_ecpointformatlist;
817                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
818                                 fprintf(stderr,"%i ",*(sdata++));
819                         fprintf(stderr,"\n");
820 #endif
821                         }
822                 else if (type == TLSEXT_TYPE_elliptic_curves &&
823                      s->version != DTLS1_VERSION)
824                         {
825                         unsigned char *sdata = data;
826                         int ellipticcurvelist_length = (*(sdata++) << 8);
827                         ellipticcurvelist_length += (*(sdata++));
828
829                         if (ellipticcurvelist_length != size - 2)
830                                 {
831                                 *al = TLS1_AD_DECODE_ERROR;
832                                 return 0;
833                                 }
834                         s->session->tlsext_ellipticcurvelist_length = 0;
835                         if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
836                         if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
837                                 {
838                                 *al = TLS1_AD_INTERNAL_ERROR;
839                                 return 0;
840                                 }
841                         s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
842                         memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
843 #if 0
844                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
845                         sdata = s->session->tlsext_ellipticcurvelist;
846                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
847                                 fprintf(stderr,"%i ",*(sdata++));
848                         fprintf(stderr,"\n");
849 #endif
850                         }
851 #endif /* OPENSSL_NO_EC */
852 #ifdef TLSEXT_TYPE_opaque_prf_input
853                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
854                      s->version != DTLS1_VERSION)
855                         {
856                         unsigned char *sdata = data;
857
858                         if (size < 2)
859                                 {
860                                 *al = SSL_AD_DECODE_ERROR;
861                                 return 0;
862                                 }
863                         n2s(sdata, s->s3->client_opaque_prf_input_len);
864                         if (s->s3->client_opaque_prf_input_len != size - 2)
865                                 {
866                                 *al = SSL_AD_DECODE_ERROR;
867                                 return 0;
868                                 }
869
870                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
871                                 OPENSSL_free(s->s3->client_opaque_prf_input);
872                         if (s->s3->client_opaque_prf_input_len == 0)
873                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
874                         else
875                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
876                         if (s->s3->client_opaque_prf_input == NULL)
877                                 {
878                                 *al = TLS1_AD_INTERNAL_ERROR;
879                                 return 0;
880                                 }
881                         }
882 #endif
883                 else if (type == TLSEXT_TYPE_session_ticket)
884                         {
885                         if (s->tls_session_ticket_ext_cb &&
886                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
887                                 {
888                                 *al = TLS1_AD_INTERNAL_ERROR;
889                                 return 0;
890                                 }
891                         }
892                 else if (type == TLSEXT_TYPE_renegotiate)
893                         {
894                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
895                                 return 0;
896                         renegotiate_seen = 1;
897                         }
898                 else if (type == TLSEXT_TYPE_status_request &&
899                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
900                         {
901                 
902                         if (size < 5) 
903                                 {
904                                 *al = SSL_AD_DECODE_ERROR;
905                                 return 0;
906                                 }
907
908                         s->tlsext_status_type = *data++;
909                         size--;
910                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
911                                 {
912                                 const unsigned char *sdata;
913                                 int dsize;
914                                 /* Read in responder_id_list */
915                                 n2s(data,dsize);
916                                 size -= 2;
917                                 if (dsize > size  ) 
918                                         {
919                                         *al = SSL_AD_DECODE_ERROR;
920                                         return 0;
921                                         }
922                                 while (dsize > 0)
923                                         {
924                                         OCSP_RESPID *id;
925                                         int idsize;
926                                         if (dsize < 4)
927                                                 {
928                                                 *al = SSL_AD_DECODE_ERROR;
929                                                 return 0;
930                                                 }
931                                         n2s(data, idsize);
932                                         dsize -= 2 + idsize;
933                                         if (dsize < 0)
934                                                 {
935                                                 *al = SSL_AD_DECODE_ERROR;
936                                                 return 0;
937                                                 }
938                                         sdata = data;
939                                         data += idsize;
940                                         id = d2i_OCSP_RESPID(NULL,
941                                                                 &sdata, idsize);
942                                         if (!id)
943                                                 {
944                                                 *al = SSL_AD_DECODE_ERROR;
945                                                 return 0;
946                                                 }
947                                         if (data != sdata)
948                                                 {
949                                                 OCSP_RESPID_free(id);
950                                                 *al = SSL_AD_DECODE_ERROR;
951                                                 return 0;
952                                                 }
953                                         if (!s->tlsext_ocsp_ids
954                                                 && !(s->tlsext_ocsp_ids =
955                                                 sk_OCSP_RESPID_new_null()))
956                                                 {
957                                                 OCSP_RESPID_free(id);
958                                                 *al = SSL_AD_INTERNAL_ERROR;
959                                                 return 0;
960                                                 }
961                                         if (!sk_OCSP_RESPID_push(
962                                                         s->tlsext_ocsp_ids, id))
963                                                 {
964                                                 OCSP_RESPID_free(id);
965                                                 *al = SSL_AD_INTERNAL_ERROR;
966                                                 return 0;
967                                                 }
968                                         }
969
970                                 /* Read in request_extensions */
971                                 n2s(data,dsize);
972                                 size -= 2;
973                                 if (dsize > size) 
974                                         {
975                                         *al = SSL_AD_DECODE_ERROR;
976                                         return 0;
977                                         }
978                                 sdata = data;
979                                 if (dsize > 0)
980                                         {
981                                         s->tlsext_ocsp_exts =
982                                                 d2i_X509_EXTENSIONS(NULL,
983                                                         &sdata, dsize);
984                                         if (!s->tlsext_ocsp_exts
985                                                 || (data + dsize != sdata))
986                                                 {
987                                                 *al = SSL_AD_DECODE_ERROR;
988                                                 return 0;
989                                                 }
990                                         }
991                                 }
992                                 /* We don't know what to do with any other type
993                                 * so ignore it.
994                                 */
995                                 else
996                                         s->tlsext_status_type = -1;
997                         }
998 #ifndef OPENSSL_NO_NPN
999                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1000                          s->s3->tmp.finish_md_len == 0)
1001                         {
1002                         /* We shouldn't accept this extension on a
1003                          * renegotiation.
1004                          *
1005                          * s->new_session will be set on renegotiation, but we
1006                          * probably shouldn't rely that it couldn't be set on
1007                          * the initial renegotation too in certain cases (when
1008                          * there's some other reason to disallow resuming an
1009                          * earlier session -- the current code won't be doing
1010                          * anything like that, but this might change).
1011
1012                          * A valid sign that there's been a previous handshake
1013                          * in this connection is if s->s3->tmp.finish_md_len >
1014                          * 0.  (We are talking about a check that will happen
1015                          * in the Hello protocol round, well before a new
1016                          * Finished message could have been computed.) */
1017                         s->s3->next_proto_neg_seen = 1;
1018                         }
1019 #endif
1020
1021                 /* session ticket processed earlier */
1022                 data+=size;
1023                 }
1024                                 
1025         *p = data;
1026
1027         ri_check:
1028
1029         /* Need RI if renegotiating */
1030
1031         if (!renegotiate_seen && s->new_session &&
1032                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1033                 {
1034                 *al = SSL_AD_HANDSHAKE_FAILURE;
1035                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1036                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1037                 return 0;
1038                 }
1039
1040         return 1;
1041         }
1042
1043 #ifndef OPENSSL_NO_NPN
1044 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1045  * elements of zero length are allowed and the set of elements must exactly fill
1046  * the length of the block. */
1047 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1048         {
1049         unsigned int off = 0;
1050
1051         while (off < len)
1052                 {
1053                 if (d[off] == 0)
1054                         return 0;
1055                 off += d[off];
1056                 off++;
1057                 }
1058
1059         return off == len;
1060         }
1061 #endif
1062
1063 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1064         {
1065         unsigned short length;
1066         unsigned short type;
1067         unsigned short size;
1068         unsigned char *data = *p;
1069         int tlsext_servername = 0;
1070         int renegotiate_seen = 0;
1071
1072         if (data >= (d+n-2))
1073                 goto ri_check;
1074
1075         n2s(data,length);
1076         if (data+length != d+n)
1077                 {
1078                 *al = SSL_AD_DECODE_ERROR;
1079                 return 0;
1080                 }
1081
1082         while(data <= (d+n-4))
1083                 {
1084                 n2s(data,type);
1085                 n2s(data,size);
1086
1087                 if (data+size > (d+n))
1088                         goto ri_check;
1089
1090                 if (s->tlsext_debug_cb)
1091                         s->tlsext_debug_cb(s, 1, type, data, size,
1092                                                 s->tlsext_debug_arg);
1093
1094                 if (type == TLSEXT_TYPE_server_name)
1095                         {
1096                         if (s->tlsext_hostname == NULL || size > 0)
1097                                 {
1098                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1099                                 return 0;
1100                                 }
1101                         tlsext_servername = 1;   
1102                         }
1103
1104 #ifndef OPENSSL_NO_EC
1105                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1106                      s->version != DTLS1_VERSION)
1107                         {
1108                         unsigned char *sdata = data;
1109                         int ecpointformatlist_length = *(sdata++);
1110
1111                         if (ecpointformatlist_length != size - 1)
1112                                 {
1113                                 *al = TLS1_AD_DECODE_ERROR;
1114                                 return 0;
1115                                 }
1116                         s->session->tlsext_ecpointformatlist_length = 0;
1117                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1118                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1119                                 {
1120                                 *al = TLS1_AD_INTERNAL_ERROR;
1121                                 return 0;
1122                                 }
1123                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1124                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1125 #if 0
1126                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1127                         sdata = s->session->tlsext_ecpointformatlist;
1128                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1129                                 fprintf(stderr,"%i ",*(sdata++));
1130                         fprintf(stderr,"\n");
1131 #endif
1132                         }
1133 #endif /* OPENSSL_NO_EC */
1134
1135                 else if (type == TLSEXT_TYPE_session_ticket)
1136                         {
1137                         if (s->tls_session_ticket_ext_cb &&
1138                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1139                                 {
1140                                 *al = TLS1_AD_INTERNAL_ERROR;
1141                                 return 0;
1142                                 }
1143                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1144                                 || (size > 0))
1145                                 {
1146                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1147                                 return 0;
1148                                 }
1149                         s->tlsext_ticket_expected = 1;
1150                         }
1151 #ifdef TLSEXT_TYPE_opaque_prf_input
1152                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1153                      s->version != DTLS1_VERSION)
1154                         {
1155                         unsigned char *sdata = data;
1156
1157                         if (size < 2)
1158                                 {
1159                                 *al = SSL_AD_DECODE_ERROR;
1160                                 return 0;
1161                                 }
1162                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1163                         if (s->s3->server_opaque_prf_input_len != size - 2)
1164                                 {
1165                                 *al = SSL_AD_DECODE_ERROR;
1166                                 return 0;
1167                                 }
1168                         
1169                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1170                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1171                         if (s->s3->server_opaque_prf_input_len == 0)
1172                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1173                         else
1174                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1175
1176                         if (s->s3->server_opaque_prf_input == NULL)
1177                                 {
1178                                 *al = TLS1_AD_INTERNAL_ERROR;
1179                                 return 0;
1180                                 }
1181                         }
1182 #endif
1183                 else if (type == TLSEXT_TYPE_status_request &&
1184                          s->version != DTLS1_VERSION)
1185                         {
1186                         /* MUST be empty and only sent if we've requested
1187                          * a status request message.
1188                          */ 
1189                         if ((s->tlsext_status_type == -1) || (size > 0))
1190                                 {
1191                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1192                                 return 0;
1193                                 }
1194                         /* Set flag to expect CertificateStatus message */
1195                         s->tlsext_status_expected = 1;
1196                         }
1197 #ifndef OPENSSL_NO_NPN
1198                 else if (type == TLSEXT_TYPE_next_proto_neg)
1199                         {
1200                         unsigned char *selected;
1201                         unsigned char selected_len;
1202
1203                         /* We must have requested it. */
1204                         if ((s->ctx->next_proto_select_cb == NULL))
1205                                 {
1206                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1207                                 return 0;
1208                                 }
1209                         /* The data must be valid */
1210                         if (!ssl_next_proto_validate(data, size))
1211                                 {
1212                                 *al = TLS1_AD_DECODE_ERROR;
1213                                 return 0;
1214                                 }
1215                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1216                                 {
1217                                 *al = TLS1_AD_INTERNAL_ERROR;
1218                                 return 0;
1219                                 }
1220                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1221                         if (!s->next_proto_negotiated)
1222                                 {
1223                                 *al = TLS1_AD_INTERNAL_ERROR;
1224                                 return 0;
1225                                 }
1226                         memcpy(s->next_proto_negotiated, selected, selected_len);
1227                         s->next_proto_negotiated_len = selected_len;
1228                         }
1229 #endif
1230                 else if (type == TLSEXT_TYPE_renegotiate)
1231                         {
1232                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1233                                 return 0;
1234                         renegotiate_seen = 1;
1235                         }
1236                 data+=size;             
1237                 }
1238
1239         if (data != d+n)
1240                 {
1241                 *al = SSL_AD_DECODE_ERROR;
1242                 return 0;
1243                 }
1244
1245         if (!s->hit && tlsext_servername == 1)
1246                 {
1247                 if (s->tlsext_hostname)
1248                         {
1249                         if (s->session->tlsext_hostname == NULL)
1250                                 {
1251                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1252                                 if (!s->session->tlsext_hostname)
1253                                         {
1254                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1255                                         return 0;
1256                                         }
1257                                 }
1258                         else 
1259                                 {
1260                                 *al = SSL_AD_DECODE_ERROR;
1261                                 return 0;
1262                                 }
1263                         }
1264                 }
1265
1266         *p = data;
1267
1268         ri_check:
1269
1270         /* Determine if we need to see RI. Strictly speaking if we want to
1271          * avoid an attack we should *always* see RI even on initial server
1272          * hello because the client doesn't see any renegotiation during an
1273          * attack. However this would mean we could not connect to any server
1274          * which doesn't support RI so for the immediate future tolerate RI
1275          * absence on initial connect only.
1276          */
1277         if (!renegotiate_seen
1278                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1279                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1280                 {
1281                 *al = SSL_AD_HANDSHAKE_FAILURE;
1282                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1283                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1284                 return 0;
1285                 }
1286
1287         return 1;
1288         }
1289
1290
1291 int ssl_prepare_clienthello_tlsext(SSL *s)
1292         {
1293 #ifndef OPENSSL_NO_EC
1294         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1295          * and elliptic curves we support.
1296          */
1297         int using_ecc = 0;
1298         int i;
1299         unsigned char *j;
1300         unsigned long alg_k, alg_a;
1301         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1302
1303         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1304                 {
1305                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1306
1307                 alg_k = c->algorithm_mkey;
1308                 alg_a = c->algorithm_auth;
1309                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1310                         {
1311                         using_ecc = 1;
1312                         break;
1313                         }
1314                 }
1315         using_ecc = using_ecc && (s->version == TLS1_VERSION);
1316         if (using_ecc)
1317                 {
1318                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1319                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1320                         {
1321                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1322                         return -1;
1323                         }
1324                 s->tlsext_ecpointformatlist_length = 3;
1325                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1326                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1327                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1328
1329                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1330                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1331                 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1332                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1333                         {
1334                         s->tlsext_ellipticcurvelist_length = 0;
1335                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1336                         return -1;
1337                         }
1338                 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1339                                 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1340                         s2n(i,j);
1341                 }
1342 #endif /* OPENSSL_NO_EC */
1343
1344 #ifdef TLSEXT_TYPE_opaque_prf_input
1345         {
1346                 int r = 1;
1347         
1348                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1349                         {
1350                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1351                         if (!r)
1352                                 return -1;
1353                         }
1354
1355                 if (s->tlsext_opaque_prf_input != NULL)
1356                         {
1357                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1358                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1359
1360                         if (s->tlsext_opaque_prf_input_len == 0)
1361                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1362                         else
1363                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1364                         if (s->s3->client_opaque_prf_input == NULL)
1365                                 {
1366                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1367                                 return -1;
1368                                 }
1369                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1370                         }
1371
1372                 if (r == 2)
1373                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1374                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1375         }
1376 #endif
1377
1378         return 1;
1379         }
1380
1381 int ssl_prepare_serverhello_tlsext(SSL *s)
1382         {
1383 #ifndef OPENSSL_NO_EC
1384         /* If we are server and using an ECC cipher suite, send the point formats we support 
1385          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1386          * supposed to send an EllipticCurves extension.
1387          */
1388
1389         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1390         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1391         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1392         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1393         
1394         if (using_ecc)
1395                 {
1396                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1397                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1398                         {
1399                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1400                         return -1;
1401                         }
1402                 s->tlsext_ecpointformatlist_length = 3;
1403                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1404                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1405                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1406                 }
1407 #endif /* OPENSSL_NO_EC */
1408
1409         return 1;
1410         }
1411
1412 int ssl_check_clienthello_tlsext(SSL *s)
1413         {
1414         int ret=SSL_TLSEXT_ERR_NOACK;
1415         int al = SSL_AD_UNRECOGNIZED_NAME;
1416
1417 #ifndef OPENSSL_NO_EC
1418         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1419          * ssl3_choose_cipher in s3_lib.c.
1420          */
1421         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1422          * ssl3_choose_cipher in s3_lib.c.
1423          */
1424 #endif
1425
1426         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1427                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1428         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1429                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1430
1431         /* If status request then ask callback what to do.
1432          * Note: this must be called after servername callbacks in case 
1433          * the certificate has changed.
1434          */
1435         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1436                 {
1437                 int r;
1438                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1439                 switch (r)
1440                         {
1441                         /* We don't want to send a status request response */
1442                         case SSL_TLSEXT_ERR_NOACK:
1443                                 s->tlsext_status_expected = 0;
1444                                 break;
1445                         /* status request response should be sent */
1446                         case SSL_TLSEXT_ERR_OK:
1447                                 if (s->tlsext_ocsp_resp)
1448                                         s->tlsext_status_expected = 1;
1449                                 else
1450                                         s->tlsext_status_expected = 0;
1451                                 break;
1452                         /* something bad happened */
1453                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1454                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1455                                 al = SSL_AD_INTERNAL_ERROR;
1456                                 goto err;
1457                         }
1458                 }
1459         else
1460                 s->tlsext_status_expected = 0;
1461
1462 #ifdef TLSEXT_TYPE_opaque_prf_input
1463         {
1464                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1465                  * but we might be sending an alert in response to the client hello,
1466                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1467
1468                 int r = 1;
1469         
1470                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1471                         {
1472                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1473                         if (!r)
1474                                 {
1475                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1476                                 al = SSL_AD_INTERNAL_ERROR;
1477                                 goto err;
1478                                 }
1479                         }
1480
1481                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1482                         OPENSSL_free(s->s3->server_opaque_prf_input);
1483                 s->s3->server_opaque_prf_input = NULL;
1484
1485                 if (s->tlsext_opaque_prf_input != NULL)
1486                         {
1487                         if (s->s3->client_opaque_prf_input != NULL &&
1488                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1489                                 {
1490                                 /* can only use this extension if we have a server opaque PRF input
1491                                  * of the same length as the client opaque PRF input! */
1492
1493                                 if (s->tlsext_opaque_prf_input_len == 0)
1494                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1495                                 else
1496                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1497                                 if (s->s3->server_opaque_prf_input == NULL)
1498                                         {
1499                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1500                                         al = SSL_AD_INTERNAL_ERROR;
1501                                         goto err;
1502                                         }
1503                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1504                                 }
1505                         }
1506
1507                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1508                         {
1509                         /* The callback wants to enforce use of the extension,
1510                          * but we can't do that with the client opaque PRF input;
1511                          * abort the handshake.
1512                          */
1513                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1514                         al = SSL_AD_HANDSHAKE_FAILURE;
1515                         }
1516         }
1517
1518 #endif
1519  err:
1520         switch (ret)
1521                 {
1522                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1523                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1524                         return -1;
1525
1526                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1527                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1528                         return 1; 
1529                                         
1530                 case SSL_TLSEXT_ERR_NOACK:
1531                         s->servername_done=0;
1532                         default:
1533                 return 1;
1534                 }
1535         }
1536
1537 int ssl_check_serverhello_tlsext(SSL *s)
1538         {
1539         int ret=SSL_TLSEXT_ERR_NOACK;
1540         int al = SSL_AD_UNRECOGNIZED_NAME;
1541
1542 #ifndef OPENSSL_NO_EC
1543         /* If we are client and using an elliptic curve cryptography cipher suite, then server
1544          * must return a an EC point formats lists containing uncompressed.
1545          */
1546         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1547         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1548         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1549             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1550                 {
1551                 /* we are using an ECC cipher */
1552                 size_t i;
1553                 unsigned char *list;
1554                 int found_uncompressed = 0;
1555                 if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
1556                         {
1557                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1558                         return -1;
1559                         }
1560                 list = s->session->tlsext_ecpointformatlist;
1561                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1562                         {
1563                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1564                                 {
1565                                 found_uncompressed = 1;
1566                                 break;
1567                                 }
1568                         }
1569                 if (!found_uncompressed)
1570                         {
1571                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1572                         return -1;
1573                         }
1574                 }
1575         ret = SSL_TLSEXT_ERR_OK;
1576 #endif /* OPENSSL_NO_EC */
1577
1578         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1579                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1580         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1581                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1582
1583 #ifdef TLSEXT_TYPE_opaque_prf_input
1584         if (s->s3->server_opaque_prf_input_len > 0)
1585                 {
1586                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1587                  * So first verify that we really have a value from the server too. */
1588
1589                 if (s->s3->server_opaque_prf_input == NULL)
1590                         {
1591                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1592                         al = SSL_AD_HANDSHAKE_FAILURE;
1593                         }
1594                 
1595                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1596                  * that we have a client opaque PRF input of the same size. */
1597                 if (s->s3->client_opaque_prf_input == NULL ||
1598                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1599                         {
1600                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1601                         al = SSL_AD_ILLEGAL_PARAMETER;
1602                         }
1603                 }
1604 #endif
1605
1606         /* If we've requested certificate status and we wont get one
1607          * tell the callback
1608          */
1609         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1610                         && s->ctx && s->ctx->tlsext_status_cb)
1611                 {
1612                 int r;
1613                 /* Set resp to NULL, resplen to -1 so callback knows
1614                  * there is no response.
1615                  */
1616                 if (s->tlsext_ocsp_resp)
1617                         {
1618                         OPENSSL_free(s->tlsext_ocsp_resp);
1619                         s->tlsext_ocsp_resp = NULL;
1620                         }
1621                 s->tlsext_ocsp_resplen = -1;
1622                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1623                 if (r == 0)
1624                         {
1625                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1626                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1627                         }
1628                 if (r < 0)
1629                         {
1630                         al = SSL_AD_INTERNAL_ERROR;
1631                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1632                         }
1633                 }
1634
1635         switch (ret)
1636                 {
1637                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1638                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1639                         return -1;
1640
1641                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1642                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1643                         return 1; 
1644                                         
1645                 case SSL_TLSEXT_ERR_NOACK:
1646                         s->servername_done=0;
1647                         default:
1648                 return 1;
1649                 }
1650         }
1651
1652 /* Since the server cache lookup is done early on in the processing of client
1653  * hello and other operations depend on the result we need to handle any TLS
1654  * session ticket extension at the same time.
1655  */
1656
1657 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1658                                 const unsigned char *limit, SSL_SESSION **ret)
1659         {
1660         /* Point after session ID in client hello */
1661         const unsigned char *p = session_id + len;
1662         unsigned short i;
1663
1664         /* If tickets disabled behave as if no ticket present
1665          * to permit stateful resumption.
1666          */
1667         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1668                 return 1;
1669
1670         if ((s->version <= SSL3_VERSION) || !limit)
1671                 return 1;
1672         if (p >= limit)
1673                 return -1;
1674         /* Skip past DTLS cookie */
1675         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1676                 {
1677                 i = *(p++);
1678                 p+= i;
1679                 if (p >= limit)
1680                         return -1;
1681                 }
1682         /* Skip past cipher list */
1683         n2s(p, i);
1684         p+= i;
1685         if (p >= limit)
1686                 return -1;
1687         /* Skip past compression algorithm list */
1688         i = *(p++);
1689         p += i;
1690         if (p > limit)
1691                 return -1;
1692         /* Now at start of extensions */
1693         if ((p + 2) >= limit)
1694                 return 1;
1695         n2s(p, i);
1696         while ((p + 4) <= limit)
1697                 {
1698                 unsigned short type, size;
1699                 n2s(p, type);
1700                 n2s(p, size);
1701                 if (p + size > limit)
1702                         return 1;
1703                 if (type == TLSEXT_TYPE_session_ticket)
1704                         {
1705                         /* If tickets disabled indicate cache miss which will
1706                          * trigger a full handshake
1707                          */
1708                         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1709                                 return 1;
1710                         /* If zero length note client will accept a ticket
1711                          * and indicate cache miss to trigger full handshake
1712                          */
1713                         if (size == 0)
1714                                 {
1715                                 s->tlsext_ticket_expected = 1;
1716                                 return 0;       /* Cache miss */
1717                                 }
1718                         if (s->tls_session_secret_cb)
1719                                 {
1720                                 /* Indicate cache miss here and instead of
1721                                  * generating the session from ticket now,
1722                                  * trigger abbreviated handshake based on
1723                                  * external mechanism to calculate the master
1724                                  * secret later. */
1725                                 return 0;
1726                                 }
1727                         return tls_decrypt_ticket(s, p, size, session_id, len,
1728                                                                         ret);
1729                         }
1730                 p += size;
1731                 }
1732         return 1;
1733         }
1734
1735 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1736                                 const unsigned char *sess_id, int sesslen,
1737                                 SSL_SESSION **psess)
1738         {
1739         SSL_SESSION *sess;
1740         unsigned char *sdec;
1741         const unsigned char *p;
1742         int slen, mlen, renew_ticket = 0;
1743         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1744         HMAC_CTX hctx;
1745         EVP_CIPHER_CTX ctx;
1746         SSL_CTX *tctx = s->initial_ctx;
1747         /* Need at least keyname + iv + some encrypted data */
1748         if (eticklen < 48)
1749                 goto tickerr;
1750         /* Initialize session ticket encryption and HMAC contexts */
1751         HMAC_CTX_init(&hctx);
1752         EVP_CIPHER_CTX_init(&ctx);
1753         if (tctx->tlsext_ticket_key_cb)
1754                 {
1755                 unsigned char *nctick = (unsigned char *)etick;
1756                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1757                                                         &ctx, &hctx, 0);
1758                 if (rv < 0)
1759                         return -1;
1760                 if (rv == 0)
1761                         goto tickerr;
1762                 if (rv == 2)
1763                         renew_ticket = 1;
1764                 }
1765         else
1766                 {
1767                 /* Check key name matches */
1768                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
1769                         goto tickerr;
1770                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
1771                                         tlsext_tick_md(), NULL);
1772                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1773                                 tctx->tlsext_tick_aes_key, etick + 16);
1774                 }
1775         /* Attempt to process session ticket, first conduct sanity and
1776          * integrity checks on ticket.
1777          */
1778         mlen = HMAC_size(&hctx);
1779         if (mlen < 0)
1780                 {
1781                 EVP_CIPHER_CTX_cleanup(&ctx);
1782                 return -1;
1783                 }
1784         eticklen -= mlen;
1785         /* Check HMAC of encrypted ticket */
1786         HMAC_Update(&hctx, etick, eticklen);
1787         HMAC_Final(&hctx, tick_hmac, NULL);
1788         HMAC_CTX_cleanup(&hctx);
1789         if (memcmp(tick_hmac, etick + eticklen, mlen))
1790                 goto tickerr;
1791         /* Attempt to decrypt session data */
1792         /* Move p after IV to start of encrypted ticket, update length */
1793         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1794         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1795         sdec = OPENSSL_malloc(eticklen);
1796         if (!sdec)
1797                 {
1798                 EVP_CIPHER_CTX_cleanup(&ctx);
1799                 return -1;
1800                 }
1801         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1802         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1803                 goto tickerr;
1804         slen += mlen;
1805         EVP_CIPHER_CTX_cleanup(&ctx);
1806         p = sdec;
1807                 
1808         sess = d2i_SSL_SESSION(NULL, &p, slen);
1809         OPENSSL_free(sdec);
1810         if (sess)
1811                 {
1812                 /* The session ID if non-empty is used by some clients to
1813                  * detect that the ticket has been accepted. So we copy it to
1814                  * the session structure. If it is empty set length to zero
1815                  * as required by standard.
1816                  */
1817                 if (sesslen)
1818                         memcpy(sess->session_id, sess_id, sesslen);
1819                 sess->session_id_length = sesslen;
1820                 *psess = sess;
1821                 s->tlsext_ticket_expected = renew_ticket;
1822                 return 1;
1823                 }
1824         /* If session decrypt failure indicate a cache miss and set state to
1825          * send a new ticket
1826          */
1827         tickerr:        
1828         s->tlsext_ticket_expected = 1;
1829         return 0;
1830         }
1831
1832 #endif