bring HEAD up to date, add CVE-2010-3864 fix, update NEWS files
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123                                 const unsigned char *sess_id, int sesslen,
124                                 SSL_SESSION **psess);
125 #endif
126
127 SSL3_ENC_METHOD TLSv1_enc_data={
128         tls1_enc,
129         tls1_mac,
130         tls1_setup_key_block,
131         tls1_generate_master_secret,
132         tls1_change_cipher_state,
133         tls1_final_finish_mac,
134         TLS1_FINISH_MAC_LENGTH,
135         tls1_cert_verify_mac,
136         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138         tls1_alert_code,
139         };
140
141 long tls1_default_timeout(void)
142         {
143         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144          * is way too long for http, the cache would over fill */
145         return(60*60*2);
146         }
147
148 int tls1_new(SSL *s)
149         {
150         if (!ssl3_new(s)) return(0);
151         s->method->ssl_clear(s);
152         return(1);
153         }
154
155 void tls1_free(SSL *s)
156         {
157 #ifndef OPENSSL_NO_TLSEXT
158         if (s->tlsext_session_ticket)
159                 {
160                 OPENSSL_free(s->tlsext_session_ticket);
161                 }
162 #endif /* OPENSSL_NO_TLSEXT */
163         ssl3_free(s);
164         }
165
166 void tls1_clear(SSL *s)
167         {
168         ssl3_clear(s);
169         s->version = s->method->version;
170         }
171
172 #ifndef OPENSSL_NO_EC
173 static int nid_list[] =
174         {
175                 NID_sect163k1, /* sect163k1 (1) */
176                 NID_sect163r1, /* sect163r1 (2) */
177                 NID_sect163r2, /* sect163r2 (3) */
178                 NID_sect193r1, /* sect193r1 (4) */ 
179                 NID_sect193r2, /* sect193r2 (5) */ 
180                 NID_sect233k1, /* sect233k1 (6) */
181                 NID_sect233r1, /* sect233r1 (7) */ 
182                 NID_sect239k1, /* sect239k1 (8) */ 
183                 NID_sect283k1, /* sect283k1 (9) */
184                 NID_sect283r1, /* sect283r1 (10) */ 
185                 NID_sect409k1, /* sect409k1 (11) */ 
186                 NID_sect409r1, /* sect409r1 (12) */
187                 NID_sect571k1, /* sect571k1 (13) */ 
188                 NID_sect571r1, /* sect571r1 (14) */ 
189                 NID_secp160k1, /* secp160k1 (15) */
190                 NID_secp160r1, /* secp160r1 (16) */ 
191                 NID_secp160r2, /* secp160r2 (17) */ 
192                 NID_secp192k1, /* secp192k1 (18) */
193                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
194                 NID_secp224k1, /* secp224k1 (20) */ 
195                 NID_secp224r1, /* secp224r1 (21) */
196                 NID_secp256k1, /* secp256k1 (22) */ 
197                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
198                 NID_secp384r1, /* secp384r1 (24) */
199                 NID_secp521r1  /* secp521r1 (25) */     
200         };
201         
202 int tls1_ec_curve_id2nid(int curve_id)
203         {
204         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
205         if ((curve_id < 1) || ((unsigned int)curve_id >
206                                 sizeof(nid_list)/sizeof(nid_list[0])))
207                 return 0;
208         return nid_list[curve_id-1];
209         }
210
211 int tls1_ec_nid2curve_id(int nid)
212         {
213         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
214         switch (nid)
215                 {
216         case NID_sect163k1: /* sect163k1 (1) */
217                 return 1;
218         case NID_sect163r1: /* sect163r1 (2) */
219                 return 2;
220         case NID_sect163r2: /* sect163r2 (3) */
221                 return 3;
222         case NID_sect193r1: /* sect193r1 (4) */ 
223                 return 4;
224         case NID_sect193r2: /* sect193r2 (5) */ 
225                 return 5;
226         case NID_sect233k1: /* sect233k1 (6) */
227                 return 6;
228         case NID_sect233r1: /* sect233r1 (7) */ 
229                 return 7;
230         case NID_sect239k1: /* sect239k1 (8) */ 
231                 return 8;
232         case NID_sect283k1: /* sect283k1 (9) */
233                 return 9;
234         case NID_sect283r1: /* sect283r1 (10) */ 
235                 return 10;
236         case NID_sect409k1: /* sect409k1 (11) */ 
237                 return 11;
238         case NID_sect409r1: /* sect409r1 (12) */
239                 return 12;
240         case NID_sect571k1: /* sect571k1 (13) */ 
241                 return 13;
242         case NID_sect571r1: /* sect571r1 (14) */ 
243                 return 14;
244         case NID_secp160k1: /* secp160k1 (15) */
245                 return 15;
246         case NID_secp160r1: /* secp160r1 (16) */ 
247                 return 16;
248         case NID_secp160r2: /* secp160r2 (17) */ 
249                 return 17;
250         case NID_secp192k1: /* secp192k1 (18) */
251                 return 18;
252         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
253                 return 19;
254         case NID_secp224k1: /* secp224k1 (20) */ 
255                 return 20;
256         case NID_secp224r1: /* secp224r1 (21) */
257                 return 21;
258         case NID_secp256k1: /* secp256k1 (22) */ 
259                 return 22;
260         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
261                 return 23;
262         case NID_secp384r1: /* secp384r1 (24) */
263                 return 24;
264         case NID_secp521r1:  /* secp521r1 (25) */       
265                 return 25;
266         default:
267                 return 0;
268                 }
269         }
270 #endif /* OPENSSL_NO_EC */
271
272 #ifndef OPENSSL_NO_TLSEXT
273 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
274         {
275         int extdatalen=0;
276         unsigned char *ret = p;
277
278         /* don't add extensions for SSLv3 unless doing secure renegotiation */
279         if (s->client_version == SSL3_VERSION
280                                         && !s->s3->send_connection_binding)
281                 return p;
282
283         ret+=2;
284
285         if (ret>=limit) return NULL; /* this really never occurs, but ... */
286
287         if (s->tlsext_hostname != NULL)
288                 { 
289                 /* Add TLS extension servername to the Client Hello message */
290                 unsigned long size_str;
291                 long lenmax; 
292
293                 /* check for enough space.
294                    4 for the servername type and entension length
295                    2 for servernamelist length
296                    1 for the hostname type
297                    2 for hostname length
298                    + hostname length 
299                 */
300                    
301                 if ((lenmax = limit - ret - 9) < 0 
302                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
303                         return NULL;
304                         
305                 /* extension type and length */
306                 s2n(TLSEXT_TYPE_server_name,ret); 
307                 s2n(size_str+5,ret);
308                 
309                 /* length of servername list */
310                 s2n(size_str+3,ret);
311         
312                 /* hostname type, length and hostname */
313                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
314                 s2n(size_str,ret);
315                 memcpy(ret, s->tlsext_hostname, size_str);
316                 ret+=size_str;
317                 }
318
319         /* Add RI if renegotiating */
320         if (s->renegotiate)
321           {
322           int el;
323           
324           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
325               {
326               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
327               return NULL;
328               }
329
330           if((limit - p - 4 - el) < 0) return NULL;
331           
332           s2n(TLSEXT_TYPE_renegotiate,ret);
333           s2n(el,ret);
334
335           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
336               {
337               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
338               return NULL;
339               }
340
341           ret += el;
342         }
343
344 #ifndef OPENSSL_NO_EC
345         if (s->tlsext_ecpointformatlist != NULL &&
346             s->version != DTLS1_VERSION)
347                 {
348                 /* Add TLS extension ECPointFormats to the ClientHello message */
349                 long lenmax; 
350
351                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
352                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
353                 if (s->tlsext_ecpointformatlist_length > 255)
354                         {
355                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
356                         return NULL;
357                         }
358                 
359                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
360                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
361                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
362                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
363                 ret+=s->tlsext_ecpointformatlist_length;
364                 }
365         if (s->tlsext_ellipticcurvelist != NULL &&
366             s->version != DTLS1_VERSION)
367                 {
368                 /* Add TLS extension EllipticCurves to the ClientHello message */
369                 long lenmax; 
370
371                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
372                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
373                 if (s->tlsext_ellipticcurvelist_length > 65532)
374                         {
375                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
376                         return NULL;
377                         }
378                 
379                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
380                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
381
382                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
383                  * elliptic_curve_list, but the examples use two bytes.
384                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
385                  * resolves this to two bytes.
386                  */
387                 s2n(s->tlsext_ellipticcurvelist_length, ret);
388                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
389                 ret+=s->tlsext_ellipticcurvelist_length;
390                 }
391 #endif /* OPENSSL_NO_EC */
392
393         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
394                 {
395                 int ticklen;
396                 if (!s->new_session && s->session && s->session->tlsext_tick)
397                         ticklen = s->session->tlsext_ticklen;
398                 else if (s->session && s->tlsext_session_ticket &&
399                          s->tlsext_session_ticket->data)
400                         {
401                         ticklen = s->tlsext_session_ticket->length;
402                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
403                         if (!s->session->tlsext_tick)
404                                 return NULL;
405                         memcpy(s->session->tlsext_tick,
406                                s->tlsext_session_ticket->data,
407                                ticklen);
408                         s->session->tlsext_ticklen = ticklen;
409                         }
410                 else
411                         ticklen = 0;
412                 if (ticklen == 0 && s->tlsext_session_ticket &&
413                     s->tlsext_session_ticket->data == NULL)
414                         goto skip_ext;
415                 /* Check for enough room 2 for extension type, 2 for len
416                  * rest for ticket
417                  */
418                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
419                 s2n(TLSEXT_TYPE_session_ticket,ret); 
420                 s2n(ticklen,ret);
421                 if (ticklen)
422                         {
423                         memcpy(ret, s->session->tlsext_tick, ticklen);
424                         ret += ticklen;
425                         }
426                 }
427                 skip_ext:
428
429 #ifdef TLSEXT_TYPE_opaque_prf_input
430         if (s->s3->client_opaque_prf_input != NULL &&
431             s->version != DTLS1_VERSION)
432                 {
433                 size_t col = s->s3->client_opaque_prf_input_len;
434                 
435                 if ((long)(limit - ret - 6 - col < 0))
436                         return NULL;
437                 if (col > 0xFFFD) /* can't happen */
438                         return NULL;
439
440                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
441                 s2n(col + 2, ret);
442                 s2n(col, ret);
443                 memcpy(ret, s->s3->client_opaque_prf_input, col);
444                 ret += col;
445                 }
446 #endif
447
448         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
449             s->version != DTLS1_VERSION)
450                 {
451                 int i;
452                 long extlen, idlen, itmp;
453                 OCSP_RESPID *id;
454
455                 idlen = 0;
456                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
457                         {
458                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
459                         itmp = i2d_OCSP_RESPID(id, NULL);
460                         if (itmp <= 0)
461                                 return NULL;
462                         idlen += itmp + 2;
463                         }
464
465                 if (s->tlsext_ocsp_exts)
466                         {
467                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
468                         if (extlen < 0)
469                                 return NULL;
470                         }
471                 else
472                         extlen = 0;
473                         
474                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
475                 s2n(TLSEXT_TYPE_status_request, ret);
476                 if (extlen + idlen > 0xFFF0)
477                         return NULL;
478                 s2n(extlen + idlen + 5, ret);
479                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
480                 s2n(idlen, ret);
481                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
482                         {
483                         /* save position of id len */
484                         unsigned char *q = ret;
485                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
486                         /* skip over id len */
487                         ret += 2;
488                         itmp = i2d_OCSP_RESPID(id, &ret);
489                         /* write id len */
490                         s2n(itmp, q);
491                         }
492                 s2n(extlen, ret);
493                 if (extlen > 0)
494                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
495                 }
496
497 #ifndef OPENSSL_NO_NEXTPROTONEG
498         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
499                 {
500                 /* The client advertises an emtpy extension to indicate its
501                  * support for Next Protocol Negotiation */
502                 if (limit - ret - 4 < 0)
503                         return NULL;
504                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
505                 s2n(0,ret);
506                 }
507 #endif
508
509         if ((extdatalen = ret-p-2)== 0) 
510                 return p;
511
512         s2n(extdatalen,p);
513         return ret;
514         }
515
516 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
517         {
518         int extdatalen=0;
519         unsigned char *ret = p;
520 #ifndef OPENSSL_NO_NEXTPROTONEG
521         int next_proto_neg_seen;
522 #endif
523
524         /* don't add extensions for SSLv3, unless doing secure renegotiation */
525         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
526                 return p;
527         
528         ret+=2;
529         if (ret>=limit) return NULL; /* this really never occurs, but ... */
530
531         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
532                 { 
533                 if ((long)(limit - ret - 4) < 0) return NULL; 
534
535                 s2n(TLSEXT_TYPE_server_name,ret);
536                 s2n(0,ret);
537                 }
538
539         if(s->s3->send_connection_binding)
540         {
541           int el;
542           
543           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
544               {
545               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
546               return NULL;
547               }
548
549           if((limit - p - 4 - el) < 0) return NULL;
550           
551           s2n(TLSEXT_TYPE_renegotiate,ret);
552           s2n(el,ret);
553
554           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
555               {
556               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
557               return NULL;
558               }
559
560           ret += el;
561         }
562
563 #ifndef OPENSSL_NO_EC
564         if (s->tlsext_ecpointformatlist != NULL &&
565             s->version != DTLS1_VERSION)
566                 {
567                 /* Add TLS extension ECPointFormats to the ServerHello message */
568                 long lenmax; 
569
570                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
571                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
572                 if (s->tlsext_ecpointformatlist_length > 255)
573                         {
574                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
575                         return NULL;
576                         }
577                 
578                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
579                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
580                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
581                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
582                 ret+=s->tlsext_ecpointformatlist_length;
583
584                 }
585         /* Currently the server should not respond with a SupportedCurves extension */
586 #endif /* OPENSSL_NO_EC */
587
588         if (s->tlsext_ticket_expected
589                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
590                 { 
591                 if ((long)(limit - ret - 4) < 0) return NULL; 
592                 s2n(TLSEXT_TYPE_session_ticket,ret);
593                 s2n(0,ret);
594                 }
595
596         if (s->tlsext_status_expected)
597                 { 
598                 if ((long)(limit - ret - 4) < 0) return NULL; 
599                 s2n(TLSEXT_TYPE_status_request,ret);
600                 s2n(0,ret);
601                 }
602
603 #ifdef TLSEXT_TYPE_opaque_prf_input
604         if (s->s3->server_opaque_prf_input != NULL &&
605             s->version != DTLS1_VERSION)
606                 {
607                 size_t sol = s->s3->server_opaque_prf_input_len;
608                 
609                 if ((long)(limit - ret - 6 - sol) < 0)
610                         return NULL;
611                 if (sol > 0xFFFD) /* can't happen */
612                         return NULL;
613
614                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
615                 s2n(sol + 2, ret);
616                 s2n(sol, ret);
617                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
618                 ret += sol;
619                 }
620 #endif
621         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
622                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
623                 { const unsigned char cryptopro_ext[36] = {
624                         0xfd, 0xe8, /*65000*/
625                         0x00, 0x20, /*32 bytes length*/
626                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
627                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
628                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
629                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
630                         if (limit-ret<36) return NULL;
631                         memcpy(ret,cryptopro_ext,36);
632                         ret+=36;
633
634                 }
635
636 #ifndef OPENSSL_NO_NEXTPROTONEG
637         next_proto_neg_seen = s->s3->next_proto_neg_seen;
638         s->s3->next_proto_neg_seen = 0;
639         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
640                 {
641                 const unsigned char *npa;
642                 unsigned int npalen;
643                 int r;
644
645                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
646                 if (r == SSL_TLSEXT_ERR_OK)
647                         {
648                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
649                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
650                         s2n(npalen,ret);
651                         memcpy(ret, npa, npalen);
652                         ret += npalen;
653                         s->s3->next_proto_neg_seen = 1;
654                         }
655                 }
656 #endif
657
658         if ((extdatalen = ret-p-2)== 0) 
659                 return p;
660
661         s2n(extdatalen,p);
662         return ret;
663         }
664
665 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
666         {
667         unsigned short type;
668         unsigned short size;
669         unsigned short len;
670         unsigned char *data = *p;
671         int renegotiate_seen = 0;
672
673         s->servername_done = 0;
674         s->tlsext_status_type = -1;
675
676         if (data >= (d+n-2))
677                 goto ri_check;
678         n2s(data,len);
679
680         if (data > (d+n-len)) 
681                 goto ri_check;
682
683         while (data <= (d+n-4))
684                 {
685                 n2s(data,type);
686                 n2s(data,size);
687
688                 if (data+size > (d+n))
689                         goto ri_check;
690 #if 0
691                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
692 #endif
693                 if (s->tlsext_debug_cb)
694                         s->tlsext_debug_cb(s, 0, type, data, size,
695                                                 s->tlsext_debug_arg);
696 /* The servername extension is treated as follows:
697
698    - Only the hostname type is supported with a maximum length of 255.
699    - The servername is rejected if too long or if it contains zeros,
700      in which case an fatal alert is generated.
701    - The servername field is maintained together with the session cache.
702    - When a session is resumed, the servername call back invoked in order
703      to allow the application to position itself to the right context. 
704    - The servername is acknowledged if it is new for a session or when 
705      it is identical to a previously used for the same session. 
706      Applications can control the behaviour.  They can at any time
707      set a 'desirable' servername for a new SSL object. This can be the
708      case for example with HTTPS when a Host: header field is received and
709      a renegotiation is requested. In this case, a possible servername
710      presented in the new client hello is only acknowledged if it matches
711      the value of the Host: field. 
712    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
713      if they provide for changing an explicit servername context for the session,
714      i.e. when the session has been established with a servername extension. 
715    - On session reconnect, the servername extension may be absent. 
716
717 */      
718
719                 if (type == TLSEXT_TYPE_server_name)
720                         {
721                         unsigned char *sdata;
722                         int servname_type;
723                         int dsize; 
724                 
725                         if (size < 2) 
726                                 {
727                                 *al = SSL_AD_DECODE_ERROR;
728                                 return 0;
729                                 }
730                         n2s(data,dsize);  
731                         size -= 2;
732                         if (dsize > size  ) 
733                                 {
734                                 *al = SSL_AD_DECODE_ERROR;
735                                 return 0;
736                                 } 
737
738                         sdata = data;
739                         while (dsize > 3) 
740                                 {
741                                 servname_type = *(sdata++); 
742                                 n2s(sdata,len);
743                                 dsize -= 3;
744
745                                 if (len > dsize) 
746                                         {
747                                         *al = SSL_AD_DECODE_ERROR;
748                                         return 0;
749                                         }
750                                 if (s->servername_done == 0)
751                                 switch (servname_type)
752                                         {
753                                 case TLSEXT_NAMETYPE_host_name:
754                                         if (!s->hit)
755                                                 {
756                                                 if(s->session->tlsext_hostname)
757                                                         {
758                                                         *al = SSL_AD_DECODE_ERROR;
759                                                         return 0;
760                                                         }
761                                                 if (len > TLSEXT_MAXLEN_host_name)
762                                                         {
763                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
764                                                         return 0;
765                                                         }
766                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
767                                                         {
768                                                         *al = TLS1_AD_INTERNAL_ERROR;
769                                                         return 0;
770                                                         }
771                                                 memcpy(s->session->tlsext_hostname, sdata, len);
772                                                 s->session->tlsext_hostname[len]='\0';
773                                                 if (strlen(s->session->tlsext_hostname) != len) {
774                                                         OPENSSL_free(s->session->tlsext_hostname);
775                                                         s->session->tlsext_hostname = NULL;
776                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
777                                                         return 0;
778                                                 }
779                                                 s->servername_done = 1; 
780
781                                                 }
782                                         else 
783                                                 s->servername_done = s->session->tlsext_hostname
784                                                         && strlen(s->session->tlsext_hostname) == len 
785                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
786                                         
787                                         break;
788
789                                 default:
790                                         break;
791                                         }
792                                  
793                                 dsize -= len;
794                                 }
795                         if (dsize != 0) 
796                                 {
797                                 *al = SSL_AD_DECODE_ERROR;
798                                 return 0;
799                                 }
800
801                         }
802
803 #ifndef OPENSSL_NO_EC
804                 else if (type == TLSEXT_TYPE_ec_point_formats &&
805                      s->version != DTLS1_VERSION)
806                         {
807                         unsigned char *sdata = data;
808                         int ecpointformatlist_length = *(sdata++);
809
810                         if (ecpointformatlist_length != size - 1)
811                                 {
812                                 *al = TLS1_AD_DECODE_ERROR;
813                                 return 0;
814                                 }
815                         if (!s->hit)
816                                 {
817                                 if(s->session->tlsext_ecpointformatlist)
818                                         {
819                                         *al = TLS1_AD_DECODE_ERROR;
820                                         return 0;
821                                         }
822                                 s->session->tlsext_ecpointformatlist_length = 0;
823                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
824                                         {
825                                         *al = TLS1_AD_INTERNAL_ERROR;
826                                         return 0;
827                                         }
828                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
829                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
830                                 }
831 #if 0
832                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
833                         sdata = s->session->tlsext_ecpointformatlist;
834                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
835                                 fprintf(stderr,"%i ",*(sdata++));
836                         fprintf(stderr,"\n");
837 #endif
838                         }
839                 else if (type == TLSEXT_TYPE_elliptic_curves &&
840                      s->version != DTLS1_VERSION)
841                         {
842                         unsigned char *sdata = data;
843                         int ellipticcurvelist_length = (*(sdata++) << 8);
844                         ellipticcurvelist_length += (*(sdata++));
845
846                         if (ellipticcurvelist_length != size - 2)
847                                 {
848                                 *al = TLS1_AD_DECODE_ERROR;
849                                 return 0;
850                                 }
851                         if (!s->hit)
852                                 {
853                                 if(s->session->tlsext_ellipticcurvelist)
854                                         {
855                                         *al = TLS1_AD_DECODE_ERROR;
856                                         return 0;
857                                         }
858                                 s->session->tlsext_ellipticcurvelist_length = 0;
859                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
860                                         {
861                                         *al = TLS1_AD_INTERNAL_ERROR;
862                                         return 0;
863                                         }
864                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
865                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
866                                 }
867 #if 0
868                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
869                         sdata = s->session->tlsext_ellipticcurvelist;
870                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
871                                 fprintf(stderr,"%i ",*(sdata++));
872                         fprintf(stderr,"\n");
873 #endif
874                         }
875 #endif /* OPENSSL_NO_EC */
876 #ifdef TLSEXT_TYPE_opaque_prf_input
877                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
878                      s->version != DTLS1_VERSION)
879                         {
880                         unsigned char *sdata = data;
881
882                         if (size < 2)
883                                 {
884                                 *al = SSL_AD_DECODE_ERROR;
885                                 return 0;
886                                 }
887                         n2s(sdata, s->s3->client_opaque_prf_input_len);
888                         if (s->s3->client_opaque_prf_input_len != size - 2)
889                                 {
890                                 *al = SSL_AD_DECODE_ERROR;
891                                 return 0;
892                                 }
893
894                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
895                                 OPENSSL_free(s->s3->client_opaque_prf_input);
896                         if (s->s3->client_opaque_prf_input_len == 0)
897                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
898                         else
899                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
900                         if (s->s3->client_opaque_prf_input == NULL)
901                                 {
902                                 *al = TLS1_AD_INTERNAL_ERROR;
903                                 return 0;
904                                 }
905                         }
906 #endif
907                 else if (type == TLSEXT_TYPE_session_ticket)
908                         {
909                         if (s->tls_session_ticket_ext_cb &&
910                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
911                                 {
912                                 *al = TLS1_AD_INTERNAL_ERROR;
913                                 return 0;
914                                 }
915                         }
916                 else if (type == TLSEXT_TYPE_renegotiate)
917                         {
918                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
919                                 return 0;
920                         renegotiate_seen = 1;
921                         }
922                 else if (type == TLSEXT_TYPE_status_request &&
923                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
924                         {
925                 
926                         if (size < 5) 
927                                 {
928                                 *al = SSL_AD_DECODE_ERROR;
929                                 return 0;
930                                 }
931
932                         s->tlsext_status_type = *data++;
933                         size--;
934                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
935                                 {
936                                 const unsigned char *sdata;
937                                 int dsize;
938                                 /* Read in responder_id_list */
939                                 n2s(data,dsize);
940                                 size -= 2;
941                                 if (dsize > size  ) 
942                                         {
943                                         *al = SSL_AD_DECODE_ERROR;
944                                         return 0;
945                                         }
946                                 while (dsize > 0)
947                                         {
948                                         OCSP_RESPID *id;
949                                         int idsize;
950                                         if (dsize < 4)
951                                                 {
952                                                 *al = SSL_AD_DECODE_ERROR;
953                                                 return 0;
954                                                 }
955                                         n2s(data, idsize);
956                                         dsize -= 2 + idsize;
957                                         if (dsize < 0)
958                                                 {
959                                                 *al = SSL_AD_DECODE_ERROR;
960                                                 return 0;
961                                                 }
962                                         sdata = data;
963                                         data += idsize;
964                                         id = d2i_OCSP_RESPID(NULL,
965                                                                 &sdata, idsize);
966                                         if (!id)
967                                                 {
968                                                 *al = SSL_AD_DECODE_ERROR;
969                                                 return 0;
970                                                 }
971                                         if (data != sdata)
972                                                 {
973                                                 OCSP_RESPID_free(id);
974                                                 *al = SSL_AD_DECODE_ERROR;
975                                                 return 0;
976                                                 }
977                                         if (!s->tlsext_ocsp_ids
978                                                 && !(s->tlsext_ocsp_ids =
979                                                 sk_OCSP_RESPID_new_null()))
980                                                 {
981                                                 OCSP_RESPID_free(id);
982                                                 *al = SSL_AD_INTERNAL_ERROR;
983                                                 return 0;
984                                                 }
985                                         if (!sk_OCSP_RESPID_push(
986                                                         s->tlsext_ocsp_ids, id))
987                                                 {
988                                                 OCSP_RESPID_free(id);
989                                                 *al = SSL_AD_INTERNAL_ERROR;
990                                                 return 0;
991                                                 }
992                                         }
993
994                                 /* Read in request_extensions */
995                                 n2s(data,dsize);
996                                 size -= 2;
997                                 if (dsize > size) 
998                                         {
999                                         *al = SSL_AD_DECODE_ERROR;
1000                                         return 0;
1001                                         }
1002                                 sdata = data;
1003                                 if (dsize > 0)
1004                                         {
1005                                         s->tlsext_ocsp_exts =
1006                                                 d2i_X509_EXTENSIONS(NULL,
1007                                                         &sdata, dsize);
1008                                         if (!s->tlsext_ocsp_exts
1009                                                 || (data + dsize != sdata))
1010                                                 {
1011                                                 *al = SSL_AD_DECODE_ERROR;
1012                                                 return 0;
1013                                                 }
1014                                         }
1015                                 }
1016                                 /* We don't know what to do with any other type
1017                                 * so ignore it.
1018                                 */
1019                                 else
1020                                         s->tlsext_status_type = -1;
1021                         }
1022 #ifndef OPENSSL_NO_NEXTPROTONEG
1023                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1024                          s->s3->tmp.finish_md_len == 0)
1025                         {
1026                         /* We shouldn't accept this extension on a
1027                          * renegotiation.
1028                          *
1029                          * s->new_session will be set on renegotiation, but we
1030                          * probably shouldn't rely that it couldn't be set on
1031                          * the initial renegotation too in certain cases (when
1032                          * there's some other reason to disallow resuming an
1033                          * earlier session -- the current code won't be doing
1034                          * anything like that, but this might change).
1035
1036                          * A valid sign that there's been a previous handshake
1037                          * in this connection is if s->s3->tmp.finish_md_len >
1038                          * 0.  (We are talking about a check that will happen
1039                          * in the Hello protocol round, well before a new
1040                          * Finished message could have been computed.) */
1041                         s->s3->next_proto_neg_seen = 1;
1042                         }
1043 #endif
1044
1045                 /* session ticket processed earlier */
1046                 data+=size;
1047                 }
1048                                 
1049         *p = data;
1050
1051         ri_check:
1052
1053         /* Need RI if renegotiating */
1054
1055         if (!renegotiate_seen && s->renegotiate &&
1056                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1057                 {
1058                 *al = SSL_AD_HANDSHAKE_FAILURE;
1059                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1060                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1061                 return 0;
1062                 }
1063
1064         return 1;
1065         }
1066
1067 #ifndef OPENSSL_NO_NEXTPROTONEG
1068 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1069  * elements of zero length are allowed and the set of elements must exactly fill
1070  * the length of the block. */
1071 static int ssl_next_proto_validate(unsigned char *d, unsigned len)
1072         {
1073         unsigned int off = 0;
1074
1075         while (off < len)
1076                 {
1077                 if (d[off] == 0)
1078                         return 0;
1079                 off += d[off];
1080                 off++;
1081                 }
1082
1083         return off == len;
1084         }
1085 #endif
1086
1087 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1088         {
1089         unsigned short length;
1090         unsigned short type;
1091         unsigned short size;
1092         unsigned char *data = *p;
1093         int tlsext_servername = 0;
1094         int renegotiate_seen = 0;
1095
1096         if (data >= (d+n-2))
1097                 goto ri_check;
1098
1099         n2s(data,length);
1100         if (data+length != d+n)
1101                 {
1102                 *al = SSL_AD_DECODE_ERROR;
1103                 return 0;
1104                 }
1105
1106         while(data <= (d+n-4))
1107                 {
1108                 n2s(data,type);
1109                 n2s(data,size);
1110
1111                 if (data+size > (d+n))
1112                         goto ri_check;
1113
1114                 if (s->tlsext_debug_cb)
1115                         s->tlsext_debug_cb(s, 1, type, data, size,
1116                                                 s->tlsext_debug_arg);
1117
1118                 if (type == TLSEXT_TYPE_server_name)
1119                         {
1120                         if (s->tlsext_hostname == NULL || size > 0)
1121                                 {
1122                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1123                                 return 0;
1124                                 }
1125                         tlsext_servername = 1;   
1126                         }
1127
1128 #ifndef OPENSSL_NO_EC
1129                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1130                      s->version != DTLS1_VERSION)
1131                         {
1132                         unsigned char *sdata = data;
1133                         int ecpointformatlist_length = *(sdata++);
1134
1135                         if (ecpointformatlist_length != size - 1)
1136                                 {
1137                                 *al = TLS1_AD_DECODE_ERROR;
1138                                 return 0;
1139                                 }
1140                         s->session->tlsext_ecpointformatlist_length = 0;
1141                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1142                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1143                                 {
1144                                 *al = TLS1_AD_INTERNAL_ERROR;
1145                                 return 0;
1146                                 }
1147                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1148                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1149 #if 0
1150                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1151                         sdata = s->session->tlsext_ecpointformatlist;
1152                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1153                                 fprintf(stderr,"%i ",*(sdata++));
1154                         fprintf(stderr,"\n");
1155 #endif
1156                         }
1157 #endif /* OPENSSL_NO_EC */
1158
1159                 else if (type == TLSEXT_TYPE_session_ticket)
1160                         {
1161                         if (s->tls_session_ticket_ext_cb &&
1162                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1163                                 {
1164                                 *al = TLS1_AD_INTERNAL_ERROR;
1165                                 return 0;
1166                                 }
1167                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1168                                 || (size > 0))
1169                                 {
1170                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1171                                 return 0;
1172                                 }
1173                         s->tlsext_ticket_expected = 1;
1174                         }
1175 #ifdef TLSEXT_TYPE_opaque_prf_input
1176                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1177                      s->version != DTLS1_VERSION)
1178                         {
1179                         unsigned char *sdata = data;
1180
1181                         if (size < 2)
1182                                 {
1183                                 *al = SSL_AD_DECODE_ERROR;
1184                                 return 0;
1185                                 }
1186                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1187                         if (s->s3->server_opaque_prf_input_len != size - 2)
1188                                 {
1189                                 *al = SSL_AD_DECODE_ERROR;
1190                                 return 0;
1191                                 }
1192                         
1193                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1194                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1195                         if (s->s3->server_opaque_prf_input_len == 0)
1196                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1197                         else
1198                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1199
1200                         if (s->s3->server_opaque_prf_input == NULL)
1201                                 {
1202                                 *al = TLS1_AD_INTERNAL_ERROR;
1203                                 return 0;
1204                                 }
1205                         }
1206 #endif
1207                 else if (type == TLSEXT_TYPE_status_request &&
1208                          s->version != DTLS1_VERSION)
1209                         {
1210                         /* MUST be empty and only sent if we've requested
1211                          * a status request message.
1212                          */ 
1213                         if ((s->tlsext_status_type == -1) || (size > 0))
1214                                 {
1215                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1216                                 return 0;
1217                                 }
1218                         /* Set flag to expect CertificateStatus message */
1219                         s->tlsext_status_expected = 1;
1220                         }
1221 #ifndef OPENSSL_NO_NEXTPROTONEG
1222                 else if (type == TLSEXT_TYPE_next_proto_neg)
1223                         {
1224                         unsigned char *selected;
1225                         unsigned char selected_len;
1226
1227                         /* We must have requested it. */
1228                         if ((s->ctx->next_proto_select_cb == NULL))
1229                                 {
1230                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1231                                 return 0;
1232                                 }
1233                         /* The data must be valid */
1234                         if (!ssl_next_proto_validate(data, size))
1235                                 {
1236                                 *al = TLS1_AD_DECODE_ERROR;
1237                                 return 0;
1238                                 }
1239                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1240                                 {
1241                                 *al = TLS1_AD_INTERNAL_ERROR;
1242                                 return 0;
1243                                 }
1244                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1245                         if (!s->next_proto_negotiated)
1246                                 {
1247                                 *al = TLS1_AD_INTERNAL_ERROR;
1248                                 return 0;
1249                                 }
1250                         memcpy(s->next_proto_negotiated, selected, selected_len);
1251                         s->next_proto_negotiated_len = selected_len;
1252                         }
1253 #endif
1254                 else if (type == TLSEXT_TYPE_renegotiate)
1255                         {
1256                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1257                                 return 0;
1258                         renegotiate_seen = 1;
1259                         }
1260                 data+=size;             
1261                 }
1262
1263         if (data != d+n)
1264                 {
1265                 *al = SSL_AD_DECODE_ERROR;
1266                 return 0;
1267                 }
1268
1269         if (!s->hit && tlsext_servername == 1)
1270                 {
1271                 if (s->tlsext_hostname)
1272                         {
1273                         if (s->session->tlsext_hostname == NULL)
1274                                 {
1275                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1276                                 if (!s->session->tlsext_hostname)
1277                                         {
1278                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1279                                         return 0;
1280                                         }
1281                                 }
1282                         else 
1283                                 {
1284                                 *al = SSL_AD_DECODE_ERROR;
1285                                 return 0;
1286                                 }
1287                         }
1288                 }
1289
1290         *p = data;
1291
1292         ri_check:
1293
1294         /* Determine if we need to see RI. Strictly speaking if we want to
1295          * avoid an attack we should *always* see RI even on initial server
1296          * hello because the client doesn't see any renegotiation during an
1297          * attack. However this would mean we could not connect to any server
1298          * which doesn't support RI so for the immediate future tolerate RI
1299          * absence on initial connect only.
1300          */
1301         if (!renegotiate_seen
1302                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1303                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1304                 {
1305                 *al = SSL_AD_HANDSHAKE_FAILURE;
1306                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1307                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1308                 return 0;
1309                 }
1310
1311         return 1;
1312         }
1313
1314
1315 int ssl_prepare_clienthello_tlsext(SSL *s)
1316         {
1317 #ifndef OPENSSL_NO_EC
1318         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1319          * and elliptic curves we support.
1320          */
1321         int using_ecc = 0;
1322         int i;
1323         unsigned char *j;
1324         unsigned long alg_k, alg_a;
1325         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1326
1327         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1328                 {
1329                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1330
1331                 alg_k = c->algorithm_mkey;
1332                 alg_a = c->algorithm_auth;
1333                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1334                         {
1335                         using_ecc = 1;
1336                         break;
1337                         }
1338                 }
1339         using_ecc = using_ecc && (s->version == TLS1_VERSION);
1340         if (using_ecc)
1341                 {
1342                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1343                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1344                         {
1345                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1346                         return -1;
1347                         }
1348                 s->tlsext_ecpointformatlist_length = 3;
1349                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1350                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1351                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1352
1353                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1354                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1355                 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1356                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1357                         {
1358                         s->tlsext_ellipticcurvelist_length = 0;
1359                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1360                         return -1;
1361                         }
1362                 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1363                                 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1364                         s2n(i,j);
1365                 }
1366 #endif /* OPENSSL_NO_EC */
1367
1368 #ifdef TLSEXT_TYPE_opaque_prf_input
1369         {
1370                 int r = 1;
1371         
1372                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1373                         {
1374                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1375                         if (!r)
1376                                 return -1;
1377                         }
1378
1379                 if (s->tlsext_opaque_prf_input != NULL)
1380                         {
1381                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1382                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1383
1384                         if (s->tlsext_opaque_prf_input_len == 0)
1385                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1386                         else
1387                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1388                         if (s->s3->client_opaque_prf_input == NULL)
1389                                 {
1390                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1391                                 return -1;
1392                                 }
1393                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1394                         }
1395
1396                 if (r == 2)
1397                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1398                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1399         }
1400 #endif
1401
1402         return 1;
1403         }
1404
1405 int ssl_prepare_serverhello_tlsext(SSL *s)
1406         {
1407 #ifndef OPENSSL_NO_EC
1408         /* If we are server and using an ECC cipher suite, send the point formats we support 
1409          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1410          * supposed to send an EllipticCurves extension.
1411          */
1412
1413         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1414         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1415         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1416         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1417         
1418         if (using_ecc)
1419                 {
1420                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1421                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1422                         {
1423                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1424                         return -1;
1425                         }
1426                 s->tlsext_ecpointformatlist_length = 3;
1427                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1428                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1429                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1430                 }
1431 #endif /* OPENSSL_NO_EC */
1432
1433         return 1;
1434         }
1435
1436 int ssl_check_clienthello_tlsext(SSL *s)
1437         {
1438         int ret=SSL_TLSEXT_ERR_NOACK;
1439         int al = SSL_AD_UNRECOGNIZED_NAME;
1440
1441 #ifndef OPENSSL_NO_EC
1442         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1443          * ssl3_choose_cipher in s3_lib.c.
1444          */
1445         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1446          * ssl3_choose_cipher in s3_lib.c.
1447          */
1448 #endif
1449
1450         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1451                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1452         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1453                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1454
1455         /* If status request then ask callback what to do.
1456          * Note: this must be called after servername callbacks in case 
1457          * the certificate has changed.
1458          */
1459         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1460                 {
1461                 int r;
1462                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1463                 switch (r)
1464                         {
1465                         /* We don't want to send a status request response */
1466                         case SSL_TLSEXT_ERR_NOACK:
1467                                 s->tlsext_status_expected = 0;
1468                                 break;
1469                         /* status request response should be sent */
1470                         case SSL_TLSEXT_ERR_OK:
1471                                 if (s->tlsext_ocsp_resp)
1472                                         s->tlsext_status_expected = 1;
1473                                 else
1474                                         s->tlsext_status_expected = 0;
1475                                 break;
1476                         /* something bad happened */
1477                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1478                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1479                                 al = SSL_AD_INTERNAL_ERROR;
1480                                 goto err;
1481                         }
1482                 }
1483         else
1484                 s->tlsext_status_expected = 0;
1485
1486 #ifdef TLSEXT_TYPE_opaque_prf_input
1487         {
1488                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1489                  * but we might be sending an alert in response to the client hello,
1490                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1491
1492                 int r = 1;
1493         
1494                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1495                         {
1496                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1497                         if (!r)
1498                                 {
1499                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1500                                 al = SSL_AD_INTERNAL_ERROR;
1501                                 goto err;
1502                                 }
1503                         }
1504
1505                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1506                         OPENSSL_free(s->s3->server_opaque_prf_input);
1507                 s->s3->server_opaque_prf_input = NULL;
1508
1509                 if (s->tlsext_opaque_prf_input != NULL)
1510                         {
1511                         if (s->s3->client_opaque_prf_input != NULL &&
1512                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1513                                 {
1514                                 /* can only use this extension if we have a server opaque PRF input
1515                                  * of the same length as the client opaque PRF input! */
1516
1517                                 if (s->tlsext_opaque_prf_input_len == 0)
1518                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1519                                 else
1520                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1521                                 if (s->s3->server_opaque_prf_input == NULL)
1522                                         {
1523                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1524                                         al = SSL_AD_INTERNAL_ERROR;
1525                                         goto err;
1526                                         }
1527                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1528                                 }
1529                         }
1530
1531                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1532                         {
1533                         /* The callback wants to enforce use of the extension,
1534                          * but we can't do that with the client opaque PRF input;
1535                          * abort the handshake.
1536                          */
1537                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1538                         al = SSL_AD_HANDSHAKE_FAILURE;
1539                         }
1540         }
1541
1542 #endif
1543  err:
1544         switch (ret)
1545                 {
1546                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1547                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1548                         return -1;
1549
1550                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1551                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1552                         return 1; 
1553                                         
1554                 case SSL_TLSEXT_ERR_NOACK:
1555                         s->servername_done=0;
1556                         default:
1557                 return 1;
1558                 }
1559         }
1560
1561 int ssl_check_serverhello_tlsext(SSL *s)
1562         {
1563         int ret=SSL_TLSEXT_ERR_NOACK;
1564         int al = SSL_AD_UNRECOGNIZED_NAME;
1565
1566 #ifndef OPENSSL_NO_EC
1567         /* If we are client and using an elliptic curve cryptography cipher suite, then server
1568          * must return a an EC point formats lists containing uncompressed.
1569          */
1570         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1571         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1572         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1573             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1574                 {
1575                 /* we are using an ECC cipher */
1576                 size_t i;
1577                 unsigned char *list;
1578                 int found_uncompressed = 0;
1579                 if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
1580                         {
1581                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1582                         return -1;
1583                         }
1584                 list = s->session->tlsext_ecpointformatlist;
1585                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1586                         {
1587                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1588                                 {
1589                                 found_uncompressed = 1;
1590                                 break;
1591                                 }
1592                         }
1593                 if (!found_uncompressed)
1594                         {
1595                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1596                         return -1;
1597                         }
1598                 }
1599         ret = SSL_TLSEXT_ERR_OK;
1600 #endif /* OPENSSL_NO_EC */
1601
1602         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1603                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1604         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1605                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1606
1607 #ifdef TLSEXT_TYPE_opaque_prf_input
1608         if (s->s3->server_opaque_prf_input_len > 0)
1609                 {
1610                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1611                  * So first verify that we really have a value from the server too. */
1612
1613                 if (s->s3->server_opaque_prf_input == NULL)
1614                         {
1615                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1616                         al = SSL_AD_HANDSHAKE_FAILURE;
1617                         }
1618                 
1619                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1620                  * that we have a client opaque PRF input of the same size. */
1621                 if (s->s3->client_opaque_prf_input == NULL ||
1622                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1623                         {
1624                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1625                         al = SSL_AD_ILLEGAL_PARAMETER;
1626                         }
1627                 }
1628 #endif
1629
1630         /* If we've requested certificate status and we wont get one
1631          * tell the callback
1632          */
1633         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1634                         && s->ctx && s->ctx->tlsext_status_cb)
1635                 {
1636                 int r;
1637                 /* Set resp to NULL, resplen to -1 so callback knows
1638                  * there is no response.
1639                  */
1640                 if (s->tlsext_ocsp_resp)
1641                         {
1642                         OPENSSL_free(s->tlsext_ocsp_resp);
1643                         s->tlsext_ocsp_resp = NULL;
1644                         }
1645                 s->tlsext_ocsp_resplen = -1;
1646                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1647                 if (r == 0)
1648                         {
1649                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1650                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1651                         }
1652                 if (r < 0)
1653                         {
1654                         al = SSL_AD_INTERNAL_ERROR;
1655                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1656                         }
1657                 }
1658
1659         switch (ret)
1660                 {
1661                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1662                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1663                         return -1;
1664
1665                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1666                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1667                         return 1; 
1668                                         
1669                 case SSL_TLSEXT_ERR_NOACK:
1670                         s->servername_done=0;
1671                         default:
1672                 return 1;
1673                 }
1674         }
1675
1676 /* Since the server cache lookup is done early on in the processing of client
1677  * hello and other operations depend on the result we need to handle any TLS
1678  * session ticket extension at the same time.
1679  */
1680
1681 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1682                                 const unsigned char *limit, SSL_SESSION **ret)
1683         {
1684         /* Point after session ID in client hello */
1685         const unsigned char *p = session_id + len;
1686         unsigned short i;
1687
1688         /* If tickets disabled behave as if no ticket present
1689          * to permit stateful resumption.
1690          */
1691         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1692                 return 1;
1693
1694         if ((s->version <= SSL3_VERSION) || !limit)
1695                 return 1;
1696         if (p >= limit)
1697                 return -1;
1698         /* Skip past DTLS cookie */
1699         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1700                 {
1701                 i = *(p++);
1702                 p+= i;
1703                 if (p >= limit)
1704                         return -1;
1705                 }
1706         /* Skip past cipher list */
1707         n2s(p, i);
1708         p+= i;
1709         if (p >= limit)
1710                 return -1;
1711         /* Skip past compression algorithm list */
1712         i = *(p++);
1713         p += i;
1714         if (p > limit)
1715                 return -1;
1716         /* Now at start of extensions */
1717         if ((p + 2) >= limit)
1718                 return 1;
1719         n2s(p, i);
1720         while ((p + 4) <= limit)
1721                 {
1722                 unsigned short type, size;
1723                 n2s(p, type);
1724                 n2s(p, size);
1725                 if (p + size > limit)
1726                         return 1;
1727                 if (type == TLSEXT_TYPE_session_ticket)
1728                         {
1729                         /* If tickets disabled indicate cache miss which will
1730                          * trigger a full handshake
1731                          */
1732                         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1733                                 return 1;
1734                         /* If zero length note client will accept a ticket
1735                          * and indicate cache miss to trigger full handshake
1736                          */
1737                         if (size == 0)
1738                                 {
1739                                 s->tlsext_ticket_expected = 1;
1740                                 return 0;       /* Cache miss */
1741                                 }
1742                         if (s->tls_session_secret_cb)
1743                                 {
1744                                 /* Indicate cache miss here and instead of
1745                                  * generating the session from ticket now,
1746                                  * trigger abbreviated handshake based on
1747                                  * external mechanism to calculate the master
1748                                  * secret later. */
1749                                 return 0;
1750                                 }
1751                         return tls_decrypt_ticket(s, p, size, session_id, len,
1752                                                                         ret);
1753                         }
1754                 p += size;
1755                 }
1756         return 1;
1757         }
1758
1759 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1760                                 const unsigned char *sess_id, int sesslen,
1761                                 SSL_SESSION **psess)
1762         {
1763         SSL_SESSION *sess;
1764         unsigned char *sdec;
1765         const unsigned char *p;
1766         int slen, mlen, renew_ticket = 0;
1767         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1768         HMAC_CTX hctx;
1769         EVP_CIPHER_CTX ctx;
1770         SSL_CTX *tctx = s->initial_ctx;
1771         /* Need at least keyname + iv + some encrypted data */
1772         if (eticklen < 48)
1773                 goto tickerr;
1774         /* Initialize session ticket encryption and HMAC contexts */
1775         HMAC_CTX_init(&hctx);
1776         EVP_CIPHER_CTX_init(&ctx);
1777         if (tctx->tlsext_ticket_key_cb)
1778                 {
1779                 unsigned char *nctick = (unsigned char *)etick;
1780                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1781                                                         &ctx, &hctx, 0);
1782                 if (rv < 0)
1783                         return -1;
1784                 if (rv == 0)
1785                         goto tickerr;
1786                 if (rv == 2)
1787                         renew_ticket = 1;
1788                 }
1789         else
1790                 {
1791                 /* Check key name matches */
1792                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
1793                         goto tickerr;
1794                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
1795                                         tlsext_tick_md(), NULL);
1796                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1797                                 tctx->tlsext_tick_aes_key, etick + 16);
1798                 }
1799         /* Attempt to process session ticket, first conduct sanity and
1800          * integrity checks on ticket.
1801          */
1802         mlen = HMAC_size(&hctx);
1803         if (mlen < 0)
1804                 {
1805                 EVP_CIPHER_CTX_cleanup(&ctx);
1806                 return -1;
1807                 }
1808         eticklen -= mlen;
1809         /* Check HMAC of encrypted ticket */
1810         HMAC_Update(&hctx, etick, eticklen);
1811         HMAC_Final(&hctx, tick_hmac, NULL);
1812         HMAC_CTX_cleanup(&hctx);
1813         if (memcmp(tick_hmac, etick + eticklen, mlen))
1814                 goto tickerr;
1815         /* Attempt to decrypt session data */
1816         /* Move p after IV to start of encrypted ticket, update length */
1817         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1818         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1819         sdec = OPENSSL_malloc(eticklen);
1820         if (!sdec)
1821                 {
1822                 EVP_CIPHER_CTX_cleanup(&ctx);
1823                 return -1;
1824                 }
1825         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1826         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1827                 goto tickerr;
1828         slen += mlen;
1829         EVP_CIPHER_CTX_cleanup(&ctx);
1830         p = sdec;
1831                 
1832         sess = d2i_SSL_SESSION(NULL, &p, slen);
1833         OPENSSL_free(sdec);
1834         if (sess)
1835                 {
1836                 /* The session ID if non-empty is used by some clients to
1837                  * detect that the ticket has been accepted. So we copy it to
1838                  * the session structure. If it is empty set length to zero
1839                  * as required by standard.
1840                  */
1841                 if (sesslen)
1842                         memcpy(sess->session_id, sess_id, sesslen);
1843                 sess->session_id_length = sesslen;
1844                 *psess = sess;
1845                 s->tlsext_ticket_expected = renew_ticket;
1846                 return 1;
1847                 }
1848         /* If session decrypt failure indicate a cache miss and set state to
1849          * send a new ticket
1850          */
1851         tickerr:        
1852         s->tlsext_ticket_expected = 1;
1853         return 0;
1854         }
1855
1856 #endif