indent has problems with comments that are on the right hand side of a line.
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 #endif
127
128 SSL3_ENC_METHOD TLSv1_enc_data={
129         tls1_enc,
130         tls1_mac,
131         tls1_setup_key_block,
132         tls1_generate_master_secret,
133         tls1_change_cipher_state,
134         tls1_final_finish_mac,
135         TLS1_FINISH_MAC_LENGTH,
136         tls1_cert_verify_mac,
137         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139         tls1_alert_code,
140         tls1_export_keying_material,
141         };
142
143 long tls1_default_timeout(void)
144         {
145         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146          * is way too long for http, the cache would over fill */
147         return(60*60*2);
148         }
149
150 int tls1_new(SSL *s)
151         {
152         if (!ssl3_new(s)) return(0);
153         s->method->ssl_clear(s);
154         return(1);
155         }
156
157 void tls1_free(SSL *s)
158         {
159 #ifndef OPENSSL_NO_TLSEXT
160         if (s->tlsext_session_ticket)
161                 {
162                 OPENSSL_free(s->tlsext_session_ticket);
163                 }
164 #endif /* OPENSSL_NO_TLSEXT */
165         ssl3_free(s);
166         }
167
168 void tls1_clear(SSL *s)
169         {
170         ssl3_clear(s);
171         s->version = s->method->version;
172         }
173
174 #ifndef OPENSSL_NO_EC
175
176 static int nid_list[] =
177         {
178                 NID_sect163k1, /* sect163k1 (1) */
179                 NID_sect163r1, /* sect163r1 (2) */
180                 NID_sect163r2, /* sect163r2 (3) */
181                 NID_sect193r1, /* sect193r1 (4) */ 
182                 NID_sect193r2, /* sect193r2 (5) */ 
183                 NID_sect233k1, /* sect233k1 (6) */
184                 NID_sect233r1, /* sect233r1 (7) */ 
185                 NID_sect239k1, /* sect239k1 (8) */ 
186                 NID_sect283k1, /* sect283k1 (9) */
187                 NID_sect283r1, /* sect283r1 (10) */ 
188                 NID_sect409k1, /* sect409k1 (11) */ 
189                 NID_sect409r1, /* sect409r1 (12) */
190                 NID_sect571k1, /* sect571k1 (13) */ 
191                 NID_sect571r1, /* sect571r1 (14) */ 
192                 NID_secp160k1, /* secp160k1 (15) */
193                 NID_secp160r1, /* secp160r1 (16) */ 
194                 NID_secp160r2, /* secp160r2 (17) */ 
195                 NID_secp192k1, /* secp192k1 (18) */
196                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
197                 NID_secp224k1, /* secp224k1 (20) */ 
198                 NID_secp224r1, /* secp224r1 (21) */
199                 NID_secp256k1, /* secp256k1 (22) */ 
200                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
201                 NID_secp384r1, /* secp384r1 (24) */
202                 NID_secp521r1  /* secp521r1 (25) */     
203         };
204
205 static int pref_list[] =
206         {
207 #ifndef OPENSSL_NO_EC2M
208                 NID_sect571r1, /* sect571r1 (14) */ 
209                 NID_sect571k1, /* sect571k1 (13) */ 
210 #endif
211                 NID_secp521r1, /* secp521r1 (25) */     
212 #ifndef OPENSSL_NO_EC2M
213                 NID_sect409k1, /* sect409k1 (11) */ 
214                 NID_sect409r1, /* sect409r1 (12) */
215 #endif
216                 NID_secp384r1, /* secp384r1 (24) */
217 #ifndef OPENSSL_NO_EC2M
218                 NID_sect283k1, /* sect283k1 (9) */
219                 NID_sect283r1, /* sect283r1 (10) */ 
220 #endif
221                 NID_secp256k1, /* secp256k1 (22) */ 
222                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
223 #ifndef OPENSSL_NO_EC2M
224                 NID_sect239k1, /* sect239k1 (8) */ 
225                 NID_sect233k1, /* sect233k1 (6) */
226                 NID_sect233r1, /* sect233r1 (7) */ 
227 #endif
228                 NID_secp224k1, /* secp224k1 (20) */ 
229                 NID_secp224r1, /* secp224r1 (21) */
230 #ifndef OPENSSL_NO_EC2M
231                 NID_sect193r1, /* sect193r1 (4) */ 
232                 NID_sect193r2, /* sect193r2 (5) */ 
233 #endif
234                 NID_secp192k1, /* secp192k1 (18) */
235                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
236 #ifndef OPENSSL_NO_EC2M
237                 NID_sect163k1, /* sect163k1 (1) */
238                 NID_sect163r1, /* sect163r1 (2) */
239                 NID_sect163r2, /* sect163r2 (3) */
240 #endif
241                 NID_secp160k1, /* secp160k1 (15) */
242                 NID_secp160r1, /* secp160r1 (16) */ 
243                 NID_secp160r2, /* secp160r2 (17) */ 
244         };
245
246 int tls1_ec_curve_id2nid(int curve_id)
247         {
248         /* ECC curves from RFC 4492 */
249         if ((curve_id < 1) || ((unsigned int)curve_id >
250                                 sizeof(nid_list)/sizeof(nid_list[0])))
251                 return 0;
252         return nid_list[curve_id-1];
253         }
254
255 int tls1_ec_nid2curve_id(int nid)
256         {
257         /* ECC curves from RFC 4492 */
258         switch (nid)
259                 {
260         case NID_sect163k1: /* sect163k1 (1) */
261                 return 1;
262         case NID_sect163r1: /* sect163r1 (2) */
263                 return 2;
264         case NID_sect163r2: /* sect163r2 (3) */
265                 return 3;
266         case NID_sect193r1: /* sect193r1 (4) */ 
267                 return 4;
268         case NID_sect193r2: /* sect193r2 (5) */ 
269                 return 5;
270         case NID_sect233k1: /* sect233k1 (6) */
271                 return 6;
272         case NID_sect233r1: /* sect233r1 (7) */ 
273                 return 7;
274         case NID_sect239k1: /* sect239k1 (8) */ 
275                 return 8;
276         case NID_sect283k1: /* sect283k1 (9) */
277                 return 9;
278         case NID_sect283r1: /* sect283r1 (10) */ 
279                 return 10;
280         case NID_sect409k1: /* sect409k1 (11) */ 
281                 return 11;
282         case NID_sect409r1: /* sect409r1 (12) */
283                 return 12;
284         case NID_sect571k1: /* sect571k1 (13) */ 
285                 return 13;
286         case NID_sect571r1: /* sect571r1 (14) */ 
287                 return 14;
288         case NID_secp160k1: /* secp160k1 (15) */
289                 return 15;
290         case NID_secp160r1: /* secp160r1 (16) */ 
291                 return 16;
292         case NID_secp160r2: /* secp160r2 (17) */ 
293                 return 17;
294         case NID_secp192k1: /* secp192k1 (18) */
295                 return 18;
296         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
297                 return 19;
298         case NID_secp224k1: /* secp224k1 (20) */ 
299                 return 20;
300         case NID_secp224r1: /* secp224r1 (21) */
301                 return 21;
302         case NID_secp256k1: /* secp256k1 (22) */ 
303                 return 22;
304         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
305                 return 23;
306         case NID_secp384r1: /* secp384r1 (24) */
307                 return 24;
308         case NID_secp521r1:  /* secp521r1 (25) */       
309                 return 25;
310         default:
311                 return 0;
312                 }
313         }
314 #endif /* OPENSSL_NO_EC */
315
316 #ifndef OPENSSL_NO_TLSEXT
317
318 /* List of supported signature algorithms and hashes. Should make this
319  * customisable at some point, for now include everything we support.
320  */
321
322 #ifdef OPENSSL_NO_RSA
323 #define tlsext_sigalg_rsa(md) /* */
324 #else
325 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
326 #endif
327
328 #ifdef OPENSSL_NO_DSA
329 #define tlsext_sigalg_dsa(md) /* */
330 #else
331 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
332 #endif
333
334 #ifdef OPENSSL_NO_ECDSA
335 #define tlsext_sigalg_ecdsa(md) /* */
336 #else
337 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
338 #endif
339
340 #define tlsext_sigalg(md) \
341                 tlsext_sigalg_rsa(md) \
342                 tlsext_sigalg_dsa(md) \
343                 tlsext_sigalg_ecdsa(md)
344
345 static unsigned char tls12_sigalgs[] = {
346 #ifndef OPENSSL_NO_SHA512
347         tlsext_sigalg(TLSEXT_hash_sha512)
348         tlsext_sigalg(TLSEXT_hash_sha384)
349 #endif
350 #ifndef OPENSSL_NO_SHA256
351         tlsext_sigalg(TLSEXT_hash_sha256)
352         tlsext_sigalg(TLSEXT_hash_sha224)
353 #endif
354 #ifndef OPENSSL_NO_SHA
355         tlsext_sigalg(TLSEXT_hash_sha1)
356 #endif
357 };
358
359 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
360         {
361         size_t slen = sizeof(tls12_sigalgs);
362         if (p)
363                 memcpy(p, tls12_sigalgs, slen);
364         return (int)slen;
365         }
366
367 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
368         {
369         int extdatalen=0;
370         unsigned char *orig = buf;
371         unsigned char *ret = buf;
372
373         /* don't add extensions for SSLv3 unless doing secure renegotiation */
374         if (s->client_version == SSL3_VERSION
375                                         && !s->s3->send_connection_binding)
376                 return orig;
377
378         ret+=2;
379
380         if (ret>=limit) return NULL; /* this really never occurs, but ... */
381
382         if (s->tlsext_hostname != NULL)
383                 { 
384                 /* Add TLS extension servername to the Client Hello message */
385                 unsigned long size_str;
386                 long lenmax; 
387
388                 /*-
389                  * check for enough space.
390                  * 4 for the servername type and entension length
391                  * 2 for servernamelist length
392                  * 1 for the hostname type
393                  * 2 for hostname length
394                  * + hostname length 
395                  */
396                    
397                 if ((lenmax = limit - ret - 9) < 0 
398                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
399                         return NULL;
400                         
401                 /* extension type and length */
402                 s2n(TLSEXT_TYPE_server_name,ret); 
403                 s2n(size_str+5,ret);
404                 
405                 /* length of servername list */
406                 s2n(size_str+3,ret);
407         
408                 /* hostname type, length and hostname */
409                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
410                 s2n(size_str,ret);
411                 memcpy(ret, s->tlsext_hostname, size_str);
412                 ret+=size_str;
413                 }
414
415         /* Add RI if renegotiating */
416         if (s->renegotiate)
417           {
418           int el;
419           
420           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
421               {
422               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
423               return NULL;
424               }
425
426           if((limit - ret - 4 - el) < 0) return NULL;
427           
428           s2n(TLSEXT_TYPE_renegotiate,ret);
429           s2n(el,ret);
430
431           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
432               {
433               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
434               return NULL;
435               }
436
437           ret += el;
438         }
439
440 #ifndef OPENSSL_NO_SRP
441         /* Add SRP username if there is one */
442         if (s->srp_ctx.login != NULL)
443                 { /* Add TLS extension SRP username to the Client Hello message */
444
445                 int login_len = strlen(s->srp_ctx.login);       
446                 if (login_len > 255 || login_len == 0)
447                         {
448                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
449                         return NULL;
450                         } 
451
452                 /*-
453                  * check for enough space.
454                  * 4 for the srp type type and entension length
455                  * 1 for the srp user identity
456                  * + srp user identity length 
457                  */
458                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
459
460                 /* fill in the extension */
461                 s2n(TLSEXT_TYPE_srp,ret);
462                 s2n(login_len+1,ret);
463                 (*ret++) = (unsigned char) login_len;
464                 memcpy(ret, s->srp_ctx.login, login_len);
465                 ret+=login_len;
466                 }
467 #endif
468
469 #ifndef OPENSSL_NO_EC
470         if (s->tlsext_ecpointformatlist != NULL)
471                 {
472                 /* Add TLS extension ECPointFormats to the ClientHello message */
473                 long lenmax; 
474
475                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
476                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
477                 if (s->tlsext_ecpointformatlist_length > 255)
478                         {
479                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
480                         return NULL;
481                         }
482                 
483                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
484                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
485                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
486                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
487                 ret+=s->tlsext_ecpointformatlist_length;
488                 }
489         if (s->tlsext_ellipticcurvelist != NULL)
490                 {
491                 /* Add TLS extension EllipticCurves to the ClientHello message */
492                 long lenmax; 
493
494                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
495                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
496                 if (s->tlsext_ellipticcurvelist_length > 65532)
497                         {
498                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
499                         return NULL;
500                         }
501                 
502                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
503                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
504
505                 s2n(s->tlsext_ellipticcurvelist_length, ret);
506                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
507                 ret+=s->tlsext_ellipticcurvelist_length;
508                 }
509 #endif /* OPENSSL_NO_EC */
510
511         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
512                 {
513                 int ticklen;
514                 if (!s->new_session && s->session && s->session->tlsext_tick)
515                         ticklen = s->session->tlsext_ticklen;
516                 else if (s->session && s->tlsext_session_ticket &&
517                          s->tlsext_session_ticket->data)
518                         {
519                         ticklen = s->tlsext_session_ticket->length;
520                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
521                         if (!s->session->tlsext_tick)
522                                 return NULL;
523                         memcpy(s->session->tlsext_tick,
524                                s->tlsext_session_ticket->data,
525                                ticklen);
526                         s->session->tlsext_ticklen = ticklen;
527                         }
528                 else
529                         ticklen = 0;
530                 if (ticklen == 0 && s->tlsext_session_ticket &&
531                     s->tlsext_session_ticket->data == NULL)
532                         goto skip_ext;
533                 /* Check for enough room 2 for extension type, 2 for len
534                  * rest for ticket
535                  */
536                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
537                 s2n(TLSEXT_TYPE_session_ticket,ret); 
538                 s2n(ticklen,ret);
539                 if (ticklen)
540                         {
541                         memcpy(ret, s->session->tlsext_tick, ticklen);
542                         ret += ticklen;
543                         }
544                 }
545                 skip_ext:
546
547         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
548                 {
549                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
550                         return NULL; 
551                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
552                 s2n(sizeof(tls12_sigalgs) + 2, ret);
553                 s2n(sizeof(tls12_sigalgs), ret);
554                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
555                 ret += sizeof(tls12_sigalgs);
556                 }
557
558 #ifdef TLSEXT_TYPE_opaque_prf_input
559         if (s->s3->client_opaque_prf_input != NULL &&
560             s->version != DTLS1_VERSION)
561                 {
562                 size_t col = s->s3->client_opaque_prf_input_len;
563                 
564                 if ((long)(limit - ret - 6 - col < 0))
565                         return NULL;
566                 if (col > 0xFFFD) /* can't happen */
567                         return NULL;
568
569                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
570                 s2n(col + 2, ret);
571                 s2n(col, ret);
572                 memcpy(ret, s->s3->client_opaque_prf_input, col);
573                 ret += col;
574                 }
575 #endif
576
577         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
578             s->version != DTLS1_VERSION)
579                 {
580                 int i;
581                 long extlen, idlen, itmp;
582                 OCSP_RESPID *id;
583
584                 idlen = 0;
585                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
586                         {
587                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
588                         itmp = i2d_OCSP_RESPID(id, NULL);
589                         if (itmp <= 0)
590                                 return NULL;
591                         idlen += itmp + 2;
592                         }
593
594                 if (s->tlsext_ocsp_exts)
595                         {
596                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
597                         if (extlen < 0)
598                                 return NULL;
599                         }
600                 else
601                         extlen = 0;
602                         
603                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
604                 s2n(TLSEXT_TYPE_status_request, ret);
605                 if (extlen + idlen > 0xFFF0)
606                         return NULL;
607                 s2n(extlen + idlen + 5, ret);
608                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
609                 s2n(idlen, ret);
610                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
611                         {
612                         /* save position of id len */
613                         unsigned char *q = ret;
614                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
615                         /* skip over id len */
616                         ret += 2;
617                         itmp = i2d_OCSP_RESPID(id, &ret);
618                         /* write id len */
619                         s2n(itmp, q);
620                         }
621                 s2n(extlen, ret);
622                 if (extlen > 0)
623                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
624                 }
625
626 #ifndef OPENSSL_NO_HEARTBEATS
627         /* Add Heartbeat extension */
628         if ((limit - ret - 4 - 1) < 0)
629                 return NULL;
630         s2n(TLSEXT_TYPE_heartbeat,ret);
631         s2n(1,ret);
632         /*-
633          * Set mode:
634          * 1: peer may send requests
635          * 2: peer not allowed to send requests
636          */
637         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
638                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
639         else
640                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
641 #endif
642
643 #ifndef OPENSSL_NO_NEXTPROTONEG
644         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
645                 {
646                 /* The client advertises an emtpy extension to indicate its
647                  * support for Next Protocol Negotiation */
648                 if (limit - ret - 4 < 0)
649                         return NULL;
650                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
651                 s2n(0,ret);
652                 }
653 #endif
654
655 #ifndef OPENSSL_NO_SRTP
656         if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
657                 {
658                 int el;
659
660                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
661                 
662                 if((limit - ret - 4 - el) < 0) return NULL;
663
664                 s2n(TLSEXT_TYPE_use_srtp,ret);
665                 s2n(el,ret);
666
667                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
668                         {
669                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
670                         return NULL;
671                         }
672                 ret += el;
673                 }
674 #endif
675         /* Add padding to workaround bugs in F5 terminators.
676          * See https://tools.ietf.org/html/draft-agl-tls-padding-03
677          *
678          * NB: because this code works out the length of all existing
679          * extensions it MUST always appear last.
680          */
681         if (s->options & SSL_OP_TLSEXT_PADDING)
682                 {
683                 int hlen = ret - (unsigned char *)s->init_buf->data;
684                 /* The code in s23_clnt.c to build ClientHello messages
685                  * includes the 5-byte record header in the buffer, while
686                  * the code in s3_clnt.c does not.
687                  */
688                 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
689                         hlen -= 5;
690                 if (hlen > 0xff && hlen < 0x200)
691                         {
692                         hlen = 0x200 - hlen;
693                         if (hlen >= 4)
694                                 hlen -= 4;
695                         else
696                                 hlen = 0;
697
698                         s2n(TLSEXT_TYPE_padding, ret);
699                         s2n(hlen, ret);
700                         memset(ret, 0, hlen);
701                         ret += hlen;
702                         }
703                 }
704
705         if ((extdatalen = ret-orig-2)== 0) 
706                 return orig;
707
708         s2n(extdatalen, orig);
709         return ret;
710         }
711
712 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
713         {
714         int extdatalen=0;
715         unsigned char *orig = buf;
716         unsigned char *ret = buf;
717 #ifndef OPENSSL_NO_NEXTPROTONEG
718         int next_proto_neg_seen;
719 #endif
720
721         /* don't add extensions for SSLv3, unless doing secure renegotiation */
722         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
723                 return orig;
724         
725         ret+=2;
726         if (ret>=limit) return NULL; /* this really never occurs, but ... */
727
728         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
729                 { 
730                 if ((long)(limit - ret - 4) < 0) return NULL; 
731
732                 s2n(TLSEXT_TYPE_server_name,ret);
733                 s2n(0,ret);
734                 }
735
736         if(s->s3->send_connection_binding)
737         {
738           int el;
739           
740           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
741               {
742               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
743               return NULL;
744               }
745
746           if((limit - ret - 4 - el) < 0) return NULL;
747           
748           s2n(TLSEXT_TYPE_renegotiate,ret);
749           s2n(el,ret);
750
751           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
752               {
753               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
754               return NULL;
755               }
756
757           ret += el;
758         }
759
760 #ifndef OPENSSL_NO_EC
761         if (s->tlsext_ecpointformatlist != NULL)
762                 {
763                 /* Add TLS extension ECPointFormats to the ServerHello message */
764                 long lenmax; 
765
766                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
767                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
768                 if (s->tlsext_ecpointformatlist_length > 255)
769                         {
770                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
771                         return NULL;
772                         }
773                 
774                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
775                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
776                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
777                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
778                 ret+=s->tlsext_ecpointformatlist_length;
779
780                 }
781         /* Currently the server should not respond with a SupportedCurves extension */
782 #endif /* OPENSSL_NO_EC */
783
784         if (s->tlsext_ticket_expected
785                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
786                 { 
787                 if ((long)(limit - ret - 4) < 0) return NULL; 
788                 s2n(TLSEXT_TYPE_session_ticket,ret);
789                 s2n(0,ret);
790                 }
791
792         if (s->tlsext_status_expected)
793                 { 
794                 if ((long)(limit - ret - 4) < 0) return NULL; 
795                 s2n(TLSEXT_TYPE_status_request,ret);
796                 s2n(0,ret);
797                 }
798
799 #ifdef TLSEXT_TYPE_opaque_prf_input
800         if (s->s3->server_opaque_prf_input != NULL &&
801             s->version != DTLS1_VERSION)
802                 {
803                 size_t sol = s->s3->server_opaque_prf_input_len;
804                 
805                 if ((long)(limit - ret - 6 - sol) < 0)
806                         return NULL;
807                 if (sol > 0xFFFD) /* can't happen */
808                         return NULL;
809
810                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
811                 s2n(sol + 2, ret);
812                 s2n(sol, ret);
813                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
814                 ret += sol;
815                 }
816 #endif
817
818 #ifndef OPENSSL_NO_SRTP
819         if(SSL_IS_DTLS(s) && s->srtp_profile)
820                 {
821                 int el;
822
823                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
824                 
825                 if((limit - ret - 4 - el) < 0) return NULL;
826
827                 s2n(TLSEXT_TYPE_use_srtp,ret);
828                 s2n(el,ret);
829
830                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
831                         {
832                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
833                         return NULL;
834                         }
835                 ret+=el;
836                 }
837 #endif
838
839         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
840                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
841                 { const unsigned char cryptopro_ext[36] = {
842                         0xfd, 0xe8, /*65000*/
843                         0x00, 0x20, /*32 bytes length*/
844                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
845                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
846                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
847                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
848                         if (limit-ret<36) return NULL;
849                         memcpy(ret,cryptopro_ext,36);
850                         ret+=36;
851
852                 }
853
854 #ifndef OPENSSL_NO_HEARTBEATS
855         /* Add Heartbeat extension if we've received one */
856         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
857                 {
858                 if ((limit - ret - 4 - 1) < 0)
859                         return NULL;
860                 s2n(TLSEXT_TYPE_heartbeat,ret);
861                 s2n(1,ret);
862                 /*-
863                  * Set mode:
864                  * 1: peer may send requests
865                  * 2: peer not allowed to send requests
866                  */
867                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
868                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
869                 else
870                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
871
872                 }
873 #endif
874
875 #ifndef OPENSSL_NO_NEXTPROTONEG
876         next_proto_neg_seen = s->s3->next_proto_neg_seen;
877         s->s3->next_proto_neg_seen = 0;
878         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
879                 {
880                 const unsigned char *npa;
881                 unsigned int npalen;
882                 int r;
883
884                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
885                 if (r == SSL_TLSEXT_ERR_OK)
886                         {
887                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
888                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
889                         s2n(npalen,ret);
890                         memcpy(ret, npa, npalen);
891                         ret += npalen;
892                         s->s3->next_proto_neg_seen = 1;
893                         }
894                 }
895 #endif
896
897         if ((extdatalen = ret-orig-2)== 0) 
898                 return orig;
899
900         s2n(extdatalen, orig);
901         return ret;
902         }
903
904 #ifndef OPENSSL_NO_EC
905 /*-
906  * ssl_check_for_safari attempts to fingerprint Safari using OS X
907  * SecureTransport using the TLS extension block in |d|, of length |n|.
908  * Safari, since 10.6, sends exactly these extensions, in this order:
909  *   SNI,
910  *   elliptic_curves
911  *   ec_point_formats
912  *
913  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
914  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
915  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
916  * 10.8..10.8.3 (which don't work).
917  */
918 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
919         unsigned short type, size;
920         static const unsigned char kSafariExtensionsBlock[] = {
921                 0x00, 0x0a,  /* elliptic_curves extension */
922                 0x00, 0x08,  /* 8 bytes */
923                 0x00, 0x06,  /* 6 bytes of curve ids */
924                 0x00, 0x17,  /* P-256 */
925                 0x00, 0x18,  /* P-384 */
926                 0x00, 0x19,  /* P-521 */
927
928                 0x00, 0x0b,  /* ec_point_formats */
929                 0x00, 0x02,  /* 2 bytes */
930                 0x01,        /* 1 point format */
931                 0x00,        /* uncompressed */
932         };
933
934         /* The following is only present in TLS 1.2 */
935         static const unsigned char kSafariTLS12ExtensionsBlock[] = {
936                 0x00, 0x0d,  /* signature_algorithms */
937                 0x00, 0x0c,  /* 12 bytes */
938                 0x00, 0x0a,  /* 10 bytes */
939                 0x05, 0x01,  /* SHA-384/RSA */
940                 0x04, 0x01,  /* SHA-256/RSA */
941                 0x02, 0x01,  /* SHA-1/RSA */
942                 0x04, 0x03,  /* SHA-256/ECDSA */
943                 0x02, 0x03,  /* SHA-1/ECDSA */
944         };
945
946         if (data >= (d+n-2))
947                 return;
948         data += 2;
949
950         if (data > (d+n-4))
951                 return;
952         n2s(data,type);
953         n2s(data,size);
954
955         if (type != TLSEXT_TYPE_server_name)
956                 return;
957
958         if (data+size > d+n)
959                 return;
960         data += size;
961
962         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
963                 {
964                 const size_t len1 = sizeof(kSafariExtensionsBlock);
965                 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
966
967                 if (data + len1 + len2 != d+n)
968                         return;
969                 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
970                         return;
971                 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
972                         return;
973                 }
974         else
975                 {
976                 const size_t len = sizeof(kSafariExtensionsBlock);
977
978                 if (data + len != d+n)
979                         return;
980                 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
981                         return;
982                 }
983
984         s->s3->is_probably_safari = 1;
985 }
986 #endif /* !OPENSSL_NO_EC */
987
988 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
989         {
990         unsigned short type;
991         unsigned short size;
992         unsigned short len;
993         unsigned char *data = *p;
994         int renegotiate_seen = 0;
995         int sigalg_seen = 0;
996
997         s->servername_done = 0;
998         s->tlsext_status_type = -1;
999 #ifndef OPENSSL_NO_NEXTPROTONEG
1000         s->s3->next_proto_neg_seen = 0;
1001 #endif
1002
1003 #ifndef OPENSSL_NO_HEARTBEATS
1004         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1005                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1006 #endif
1007
1008 #ifndef OPENSSL_NO_EC
1009         if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1010                 ssl_check_for_safari(s, data, d, n);
1011 #endif /* !OPENSSL_NO_EC */
1012
1013 #ifndef OPENSSL_NO_SRP
1014         if (s->srp_ctx.login != NULL)
1015                 {
1016                 OPENSSL_free(s->srp_ctx.login);
1017                 s->srp_ctx.login = NULL;
1018                 }
1019 #endif
1020
1021         s->srtp_profile = NULL;
1022
1023         if (data >= (d+n-2))
1024                 goto ri_check;
1025         n2s(data,len);
1026
1027         if (data > (d+n-len)) 
1028                 goto ri_check;
1029
1030         while (data <= (d+n-4))
1031                 {
1032                 n2s(data,type);
1033                 n2s(data,size);
1034
1035                 if (data+size > (d+n))
1036                         goto ri_check;
1037 #if 0
1038                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1039 #endif
1040                 if (s->tlsext_debug_cb)
1041                         s->tlsext_debug_cb(s, 0, type, data, size,
1042                                                 s->tlsext_debug_arg);
1043 /*-
1044  * The servername extension is treated as follows:
1045  *
1046  * - Only the hostname type is supported with a maximum length of 255.
1047  * - The servername is rejected if too long or if it contains zeros,
1048  *   in which case an fatal alert is generated.
1049  * - The servername field is maintained together with the session cache.
1050  * - When a session is resumed, the servername call back invoked in order
1051  *   to allow the application to position itself to the right context. 
1052  * - The servername is acknowledged if it is new for a session or when 
1053  *   it is identical to a previously used for the same session. 
1054  *   Applications can control the behaviour.  They can at any time
1055  *   set a 'desirable' servername for a new SSL object. This can be the
1056  *   case for example with HTTPS when a Host: header field is received and
1057  *   a renegotiation is requested. In this case, a possible servername
1058  *   presented in the new client hello is only acknowledged if it matches
1059  *   the value of the Host: field. 
1060  * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1061  *   if they provide for changing an explicit servername context for the 
1062  *   session, i.e. when the session has been established with a servername 
1063  *   extension. 
1064  * - On session reconnect, the servername extension may be absent. 
1065  *
1066  */      
1067
1068                 if (type == TLSEXT_TYPE_server_name)
1069                         {
1070                         unsigned char *sdata;
1071                         int servname_type;
1072                         int dsize; 
1073                 
1074                         if (size < 2) 
1075                                 {
1076                                 *al = SSL_AD_DECODE_ERROR;
1077                                 return 0;
1078                                 }
1079                         n2s(data,dsize);  
1080                         size -= 2;
1081                         if (dsize > size  ) 
1082                                 {
1083                                 *al = SSL_AD_DECODE_ERROR;
1084                                 return 0;
1085                                 } 
1086
1087                         sdata = data;
1088                         while (dsize > 3) 
1089                                 {
1090                                 servname_type = *(sdata++); 
1091                                 n2s(sdata,len);
1092                                 dsize -= 3;
1093
1094                                 if (len > dsize) 
1095                                         {
1096                                         *al = SSL_AD_DECODE_ERROR;
1097                                         return 0;
1098                                         }
1099                                 if (s->servername_done == 0)
1100                                 switch (servname_type)
1101                                         {
1102                                 case TLSEXT_NAMETYPE_host_name:
1103                                         if (!s->hit)
1104                                                 {
1105                                                 if(s->session->tlsext_hostname)
1106                                                         {
1107                                                         *al = SSL_AD_DECODE_ERROR;
1108                                                         return 0;
1109                                                         }
1110                                                 if (len > TLSEXT_MAXLEN_host_name)
1111                                                         {
1112                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1113                                                         return 0;
1114                                                         }
1115                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1116                                                         {
1117                                                         *al = TLS1_AD_INTERNAL_ERROR;
1118                                                         return 0;
1119                                                         }
1120                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1121                                                 s->session->tlsext_hostname[len]='\0';
1122                                                 if (strlen(s->session->tlsext_hostname) != len) {
1123                                                         OPENSSL_free(s->session->tlsext_hostname);
1124                                                         s->session->tlsext_hostname = NULL;
1125                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1126                                                         return 0;
1127                                                 }
1128                                                 s->servername_done = 1; 
1129
1130                                                 }
1131                                         else 
1132                                                 s->servername_done = s->session->tlsext_hostname
1133                                                         && strlen(s->session->tlsext_hostname) == len 
1134                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1135                                         
1136                                         break;
1137
1138                                 default:
1139                                         break;
1140                                         }
1141                                  
1142                                 dsize -= len;
1143                                 }
1144                         if (dsize != 0) 
1145                                 {
1146                                 *al = SSL_AD_DECODE_ERROR;
1147                                 return 0;
1148                                 }
1149
1150                         }
1151 #ifndef OPENSSL_NO_SRP
1152                 else if (type == TLSEXT_TYPE_srp)
1153                         {
1154                         if (size <= 0 || ((len = data[0])) != (size -1))
1155                                 {
1156                                 *al = SSL_AD_DECODE_ERROR;
1157                                 return 0;
1158                                 }
1159                         if (s->srp_ctx.login != NULL)
1160                                 {
1161                                 *al = SSL_AD_DECODE_ERROR;
1162                                 return 0;
1163                                 }
1164                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1165                                 return -1;
1166                         memcpy(s->srp_ctx.login, &data[1], len);
1167                         s->srp_ctx.login[len]='\0';
1168   
1169                         if (strlen(s->srp_ctx.login) != len) 
1170                                 {
1171                                 *al = SSL_AD_DECODE_ERROR;
1172                                 return 0;
1173                                 }
1174                         }
1175 #endif
1176
1177 #ifndef OPENSSL_NO_EC
1178                 else if (type == TLSEXT_TYPE_ec_point_formats)
1179                         {
1180                         unsigned char *sdata = data;
1181                         int ecpointformatlist_length = *(sdata++);
1182
1183                         if (ecpointformatlist_length != size - 1)
1184                                 {
1185                                 *al = TLS1_AD_DECODE_ERROR;
1186                                 return 0;
1187                                 }
1188                         if (!s->hit)
1189                                 {
1190                                 if(s->session->tlsext_ecpointformatlist)
1191                                         {
1192                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1193                                         s->session->tlsext_ecpointformatlist = NULL;
1194                                         }
1195                                 s->session->tlsext_ecpointformatlist_length = 0;
1196                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1197                                         {
1198                                         *al = TLS1_AD_INTERNAL_ERROR;
1199                                         return 0;
1200                                         }
1201                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1202                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1203                                 }
1204 #if 0
1205                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1206                         sdata = s->session->tlsext_ecpointformatlist;
1207                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1208                                 fprintf(stderr,"%i ",*(sdata++));
1209                         fprintf(stderr,"\n");
1210 #endif
1211                         }
1212                 else if (type == TLSEXT_TYPE_elliptic_curves)
1213                         {
1214                         unsigned char *sdata = data;
1215                         int ellipticcurvelist_length = (*(sdata++) << 8);
1216                         ellipticcurvelist_length += (*(sdata++));
1217
1218                         if (ellipticcurvelist_length != size - 2 ||
1219                                 ellipticcurvelist_length < 1 ||
1220                                 /* Each NamedCurve is 2 bytes. */
1221                                 ellipticcurvelist_length & 1)
1222                                 {
1223                                 *al = TLS1_AD_DECODE_ERROR;
1224                                 return 0;
1225                                 }
1226                         if (!s->hit)
1227                                 {
1228                                 if(s->session->tlsext_ellipticcurvelist)
1229                                         {
1230                                         *al = TLS1_AD_DECODE_ERROR;
1231                                         return 0;
1232                                         }
1233                                 s->session->tlsext_ellipticcurvelist_length = 0;
1234                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1235                                         {
1236                                         *al = TLS1_AD_INTERNAL_ERROR;
1237                                         return 0;
1238                                         }
1239                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1240                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1241                                 }
1242 #if 0
1243                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1244                         sdata = s->session->tlsext_ellipticcurvelist;
1245                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1246                                 fprintf(stderr,"%i ",*(sdata++));
1247                         fprintf(stderr,"\n");
1248 #endif
1249                         }
1250 #endif /* OPENSSL_NO_EC */
1251 #ifdef TLSEXT_TYPE_opaque_prf_input
1252                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1253                      s->version != DTLS1_VERSION)
1254                         {
1255                         unsigned char *sdata = data;
1256
1257                         if (size < 2)
1258                                 {
1259                                 *al = SSL_AD_DECODE_ERROR;
1260                                 return 0;
1261                                 }
1262                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1263                         if (s->s3->client_opaque_prf_input_len != size - 2)
1264                                 {
1265                                 *al = SSL_AD_DECODE_ERROR;
1266                                 return 0;
1267                                 }
1268
1269                         if (s->s3->client_opaque_prf_input != NULL)
1270                                 {
1271                                 /* shouldn't really happen */
1272                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1273                                 }
1274                                 
1275                         /* dummy byte just to get non-NULL */
1276                         if (s->s3->client_opaque_prf_input_len == 0)
1277                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
1278                         else
1279                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1280                         if (s->s3->client_opaque_prf_input == NULL)
1281                                 {
1282                                 *al = TLS1_AD_INTERNAL_ERROR;
1283                                 return 0;
1284                                 }
1285                         }
1286 #endif
1287                 else if (type == TLSEXT_TYPE_session_ticket)
1288                         {
1289                         if (s->tls_session_ticket_ext_cb &&
1290                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1291                                 {
1292                                 *al = TLS1_AD_INTERNAL_ERROR;
1293                                 return 0;
1294                                 }
1295                         }
1296                 else if (type == TLSEXT_TYPE_renegotiate)
1297                         {
1298                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1299                                 return 0;
1300                         renegotiate_seen = 1;
1301                         }
1302                 else if (type == TLSEXT_TYPE_signature_algorithms)
1303                         {
1304                         int dsize;
1305                         if (sigalg_seen || size < 2) 
1306                                 {
1307                                 *al = SSL_AD_DECODE_ERROR;
1308                                 return 0;
1309                                 }
1310                         sigalg_seen = 1;
1311                         n2s(data,dsize);
1312                         size -= 2;
1313                         if (dsize != size || dsize & 1) 
1314                                 {
1315                                 *al = SSL_AD_DECODE_ERROR;
1316                                 return 0;
1317                                 }
1318                         if (!tls1_process_sigalgs(s, data, dsize))
1319                                 {
1320                                 *al = SSL_AD_DECODE_ERROR;
1321                                 return 0;
1322                                 }
1323                         }
1324                 else if (type == TLSEXT_TYPE_status_request &&
1325                          s->version != DTLS1_VERSION)
1326                         {
1327                 
1328                         if (size < 5) 
1329                                 {
1330                                 *al = SSL_AD_DECODE_ERROR;
1331                                 return 0;
1332                                 }
1333
1334                         s->tlsext_status_type = *data++;
1335                         size--;
1336                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1337                                 {
1338                                 const unsigned char *sdata;
1339                                 int dsize;
1340                                 /* Read in responder_id_list */
1341                                 n2s(data,dsize);
1342                                 size -= 2;
1343                                 if (dsize > size  ) 
1344                                         {
1345                                         *al = SSL_AD_DECODE_ERROR;
1346                                         return 0;
1347                                         }
1348                                 while (dsize > 0)
1349                                         {
1350                                         OCSP_RESPID *id;
1351                                         int idsize;
1352                                         if (dsize < 4)
1353                                                 {
1354                                                 *al = SSL_AD_DECODE_ERROR;
1355                                                 return 0;
1356                                                 }
1357                                         n2s(data, idsize);
1358                                         dsize -= 2 + idsize;
1359                                         size -= 2 + idsize;
1360                                         if (dsize < 0)
1361                                                 {
1362                                                 *al = SSL_AD_DECODE_ERROR;
1363                                                 return 0;
1364                                                 }
1365                                         sdata = data;
1366                                         data += idsize;
1367                                         id = d2i_OCSP_RESPID(NULL,
1368                                                                 &sdata, idsize);
1369                                         if (!id)
1370                                                 {
1371                                                 *al = SSL_AD_DECODE_ERROR;
1372                                                 return 0;
1373                                                 }
1374                                         if (data != sdata)
1375                                                 {
1376                                                 OCSP_RESPID_free(id);
1377                                                 *al = SSL_AD_DECODE_ERROR;
1378                                                 return 0;
1379                                                 }
1380                                         if (!s->tlsext_ocsp_ids
1381                                                 && !(s->tlsext_ocsp_ids =
1382                                                 sk_OCSP_RESPID_new_null()))
1383                                                 {
1384                                                 OCSP_RESPID_free(id);
1385                                                 *al = SSL_AD_INTERNAL_ERROR;
1386                                                 return 0;
1387                                                 }
1388                                         if (!sk_OCSP_RESPID_push(
1389                                                         s->tlsext_ocsp_ids, id))
1390                                                 {
1391                                                 OCSP_RESPID_free(id);
1392                                                 *al = SSL_AD_INTERNAL_ERROR;
1393                                                 return 0;
1394                                                 }
1395                                         }
1396
1397                                 /* Read in request_extensions */
1398                                 if (size < 2)
1399                                         {
1400                                         *al = SSL_AD_DECODE_ERROR;
1401                                         return 0;
1402                                         }
1403                                 n2s(data,dsize);
1404                                 size -= 2;
1405                                 if (dsize != size)
1406                                         {
1407                                         *al = SSL_AD_DECODE_ERROR;
1408                                         return 0;
1409                                         }
1410                                 sdata = data;
1411                                 if (dsize > 0)
1412                                         {
1413                                         if (s->tlsext_ocsp_exts)
1414                                                 {
1415                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1416                                                                            X509_EXTENSION_free);
1417                                                 }
1418
1419                                         s->tlsext_ocsp_exts =
1420                                                 d2i_X509_EXTENSIONS(NULL,
1421                                                         &sdata, dsize);
1422                                         if (!s->tlsext_ocsp_exts
1423                                                 || (data + dsize != sdata))
1424                                                 {
1425                                                 *al = SSL_AD_DECODE_ERROR;
1426                                                 return 0;
1427                                                 }
1428                                         }
1429                                 }
1430                                 /* We don't know what to do with any other type
1431                                 * so ignore it.
1432                                 */
1433                                 else
1434                                         s->tlsext_status_type = -1;
1435                         }
1436 #ifndef OPENSSL_NO_HEARTBEATS
1437                 else if (type == TLSEXT_TYPE_heartbeat)
1438                         {
1439                         switch(data[0])
1440                                 {
1441                                 case 0x01:      /* Client allows us to send HB requests */
1442                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1443                                                         break;
1444                                 case 0x02:      /* Client doesn't accept HB requests */
1445                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1446                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1447                                                         break;
1448                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1449                                                         return 0;
1450                                 }
1451                         }
1452 #endif
1453 #ifndef OPENSSL_NO_NEXTPROTONEG
1454                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1455                          s->s3->tmp.finish_md_len == 0)
1456                         {
1457                         /*-
1458                          * We shouldn't accept this extension on a
1459                          * renegotiation.
1460                          *
1461                          * s->new_session will be set on renegotiation, but we
1462                          * probably shouldn't rely that it couldn't be set on
1463                          * the initial renegotation too in certain cases (when
1464                          * there's some other reason to disallow resuming an
1465                          * earlier session -- the current code won't be doing
1466                          * anything like that, but this might change).
1467                          *
1468                          * A valid sign that there's been a previous handshake
1469                          * in this connection is if s->s3->tmp.finish_md_len >
1470                          * 0.  (We are talking about a check that will happen
1471                          * in the Hello protocol round, well before a new
1472                          * Finished message could have been computed.) 
1473                          */
1474                         s->s3->next_proto_neg_seen = 1;
1475                         }
1476 #endif
1477
1478                 /* session ticket processed earlier */
1479 #ifndef OPENSSL_NO_SRTP
1480                 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
1481                          && type == TLSEXT_TYPE_use_srtp)
1482                         {
1483                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1484                                                               al))
1485                                 return 0;
1486                         }
1487 #endif
1488
1489                 data+=size;
1490                 }
1491                                 
1492         *p = data;
1493
1494         ri_check:
1495
1496         /* Need RI if renegotiating */
1497
1498         if (!renegotiate_seen && s->renegotiate &&
1499                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1500                 {
1501                 *al = SSL_AD_HANDSHAKE_FAILURE;
1502                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1503                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1504                 return 0;
1505                 }
1506
1507         return 1;
1508         }
1509
1510 #ifndef OPENSSL_NO_NEXTPROTONEG
1511 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1512  * elements of zero length are allowed and the set of elements must exactly fill
1513  * the length of the block. */
1514 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1515         {
1516         unsigned int off = 0;
1517
1518         while (off < len)
1519                 {
1520                 if (d[off] == 0)
1521                         return 0;
1522                 off += d[off];
1523                 off++;
1524                 }
1525
1526         return off == len;
1527         }
1528 #endif
1529
1530 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1531         {
1532         unsigned short length;
1533         unsigned short type;
1534         unsigned short size;
1535         unsigned char *data = *p;
1536         int tlsext_servername = 0;
1537         int renegotiate_seen = 0;
1538
1539 #ifndef OPENSSL_NO_NEXTPROTONEG
1540         s->s3->next_proto_neg_seen = 0;
1541 #endif
1542         s->tlsext_ticket_expected = 0;
1543
1544 #ifndef OPENSSL_NO_HEARTBEATS
1545         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1546                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1547 #endif
1548
1549         if (data >= (d+n-2))
1550                 goto ri_check;
1551
1552         n2s(data,length);
1553         if (data+length != d+n)
1554                 {
1555                 *al = SSL_AD_DECODE_ERROR;
1556                 return 0;
1557                 }
1558
1559         while(data <= (d+n-4))
1560                 {
1561                 n2s(data,type);
1562                 n2s(data,size);
1563
1564                 if (data+size > (d+n))
1565                         goto ri_check;
1566
1567                 if (s->tlsext_debug_cb)
1568                         s->tlsext_debug_cb(s, 1, type, data, size,
1569                                                 s->tlsext_debug_arg);
1570
1571                 if (type == TLSEXT_TYPE_server_name)
1572                         {
1573                         if (s->tlsext_hostname == NULL || size > 0)
1574                                 {
1575                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1576                                 return 0;
1577                                 }
1578                         tlsext_servername = 1;   
1579                         }
1580
1581 #ifndef OPENSSL_NO_EC
1582                 else if (type == TLSEXT_TYPE_ec_point_formats)
1583                         {
1584                         unsigned char *sdata = data;
1585                         int ecpointformatlist_length = *(sdata++);
1586
1587                         if (ecpointformatlist_length != size - 1 || 
1588                                 ecpointformatlist_length < 1)
1589                                 {
1590                                 *al = TLS1_AD_DECODE_ERROR;
1591                                 return 0;
1592                                 }
1593                         if (!s->hit)
1594                                 {
1595                                 s->session->tlsext_ecpointformatlist_length = 0;
1596                                 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1597                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1598                                         {
1599                                         *al = TLS1_AD_INTERNAL_ERROR;
1600                                         return 0;
1601                                         }
1602                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1603                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1604                                 }
1605 #if 0
1606                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1607                         sdata = s->session->tlsext_ecpointformatlist;
1608                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1609                                 fprintf(stderr,"%i ",*(sdata++));
1610                         fprintf(stderr,"\n");
1611 #endif
1612                         }
1613 #endif /* OPENSSL_NO_EC */
1614
1615                 else if (type == TLSEXT_TYPE_session_ticket)
1616                         {
1617                         if (s->tls_session_ticket_ext_cb &&
1618                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1619                                 {
1620                                 *al = TLS1_AD_INTERNAL_ERROR;
1621                                 return 0;
1622                                 }
1623                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1624                                 || (size > 0))
1625                                 {
1626                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1627                                 return 0;
1628                                 }
1629                         s->tlsext_ticket_expected = 1;
1630                         }
1631 #ifdef TLSEXT_TYPE_opaque_prf_input
1632                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1633                      s->version != DTLS1_VERSION)
1634                         {
1635                         unsigned char *sdata = data;
1636
1637                         if (size < 2)
1638                                 {
1639                                 *al = SSL_AD_DECODE_ERROR;
1640                                 return 0;
1641                                 }
1642                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1643                         if (s->s3->server_opaque_prf_input_len != size - 2)
1644                                 {
1645                                 *al = SSL_AD_DECODE_ERROR;
1646                                 return 0;
1647                                 }
1648                         
1649                         if (s->s3->server_opaque_prf_input != NULL)
1650                                 {
1651                                 /* shouldn't really happen */
1652                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1653                                 }
1654                         if (s->s3->server_opaque_prf_input_len == 0)
1655                                 {
1656                                 /* dummy byte just to get non-NULL */
1657                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
1658                                 }
1659                         else
1660                                 {
1661                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1662                                 }
1663
1664                         if (s->s3->server_opaque_prf_input == NULL)
1665                                 {
1666                                 *al = TLS1_AD_INTERNAL_ERROR;
1667                                 return 0;
1668                                 }
1669                         }
1670 #endif
1671                 else if (type == TLSEXT_TYPE_status_request &&
1672                          s->version != DTLS1_VERSION)
1673                         {
1674                         /* MUST be empty and only sent if we've requested
1675                          * a status request message.
1676                          */ 
1677                         if ((s->tlsext_status_type == -1) || (size > 0))
1678                                 {
1679                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1680                                 return 0;
1681                                 }
1682                         /* Set flag to expect CertificateStatus message */
1683                         s->tlsext_status_expected = 1;
1684                         }
1685 #ifndef OPENSSL_NO_NEXTPROTONEG
1686                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1687                          s->s3->tmp.finish_md_len == 0)
1688                         {
1689                         unsigned char *selected;
1690                         unsigned char selected_len;
1691
1692                         /* We must have requested it. */
1693                         if (s->ctx->next_proto_select_cb == NULL)
1694                                 {
1695                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1696                                 return 0;
1697                                 }
1698                         /* The data must be valid */
1699                         if (!ssl_next_proto_validate(data, size))
1700                                 {
1701                                 *al = TLS1_AD_DECODE_ERROR;
1702                                 return 0;
1703                                 }
1704                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1705                                 {
1706                                 *al = TLS1_AD_INTERNAL_ERROR;
1707                                 return 0;
1708                                 }
1709                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1710                         if (!s->next_proto_negotiated)
1711                                 {
1712                                 *al = TLS1_AD_INTERNAL_ERROR;
1713                                 return 0;
1714                                 }
1715                         memcpy(s->next_proto_negotiated, selected, selected_len);
1716                         s->next_proto_negotiated_len = selected_len;
1717                         s->s3->next_proto_neg_seen = 1;
1718                         }
1719 #endif
1720                 else if (type == TLSEXT_TYPE_renegotiate)
1721                         {
1722                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1723                                 return 0;
1724                         renegotiate_seen = 1;
1725                         }
1726 #ifndef OPENSSL_NO_HEARTBEATS
1727                 else if (type == TLSEXT_TYPE_heartbeat)
1728                         {
1729                         switch(data[0])
1730                                 {
1731                                 case 0x01:      /* Server allows us to send HB requests */
1732                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1733                                                         break;
1734                                 case 0x02:      /* Server doesn't accept HB requests */
1735                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1736                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1737                                                         break;
1738                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1739                                                         return 0;
1740                                 }
1741                         }
1742 #endif
1743 #ifndef OPENSSL_NO_SRTP
1744                 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
1745                         {
1746                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1747                                                               al))
1748                                 return 0;
1749                         }
1750 #endif
1751
1752                 data+=size;             
1753                 }
1754
1755         if (data != d+n)
1756                 {
1757                 *al = SSL_AD_DECODE_ERROR;
1758                 return 0;
1759                 }
1760
1761         if (!s->hit && tlsext_servername == 1)
1762                 {
1763                 if (s->tlsext_hostname)
1764                         {
1765                         if (s->session->tlsext_hostname == NULL)
1766                                 {
1767                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1768                                 if (!s->session->tlsext_hostname)
1769                                         {
1770                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1771                                         return 0;
1772                                         }
1773                                 }
1774                         else 
1775                                 {
1776                                 *al = SSL_AD_DECODE_ERROR;
1777                                 return 0;
1778                                 }
1779                         }
1780                 }
1781
1782         *p = data;
1783
1784         ri_check:
1785
1786         /* Determine if we need to see RI. Strictly speaking if we want to
1787          * avoid an attack we should *always* see RI even on initial server
1788          * hello because the client doesn't see any renegotiation during an
1789          * attack. However this would mean we could not connect to any server
1790          * which doesn't support RI so for the immediate future tolerate RI
1791          * absence on initial connect only.
1792          */
1793         if (!renegotiate_seen
1794                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1795                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1796                 {
1797                 *al = SSL_AD_HANDSHAKE_FAILURE;
1798                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1799                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1800                 return 0;
1801                 }
1802
1803         return 1;
1804         }
1805
1806
1807 int ssl_prepare_clienthello_tlsext(SSL *s)
1808         {
1809 #ifndef OPENSSL_NO_EC
1810         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1811          * and elliptic curves we support.
1812          */
1813         int using_ecc = 0;
1814         int i;
1815         unsigned char *j;
1816         unsigned long alg_k, alg_a;
1817         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1818
1819         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1820                 {
1821                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1822
1823                 alg_k = c->algorithm_mkey;
1824                 alg_a = c->algorithm_auth;
1825                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1826                         {
1827                         using_ecc = 1;
1828                         break;
1829                         }
1830                 }
1831         using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1832         if (using_ecc)
1833                 {
1834                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1835                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1836                         {
1837                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1838                         return -1;
1839                         }
1840                 s->tlsext_ecpointformatlist_length = 3;
1841                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1842                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1843                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1844
1845                 /* we support all named elliptic curves in RFC 4492 */
1846                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1847                 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1848                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1849                         {
1850                         s->tlsext_ellipticcurvelist_length = 0;
1851                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1852                         return -1;
1853                         }
1854                 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1855                                 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1856                         {
1857                         int id = tls1_ec_nid2curve_id(pref_list[i]);
1858                         s2n(id,j);
1859                         }
1860                 }
1861 #endif /* OPENSSL_NO_EC */
1862
1863 #ifdef TLSEXT_TYPE_opaque_prf_input
1864         {
1865                 int r = 1;
1866         
1867                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1868                         {
1869                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1870                         if (!r)
1871                                 return -1;
1872                         }
1873
1874                 if (s->tlsext_opaque_prf_input != NULL)
1875                         {
1876                         if (s->s3->client_opaque_prf_input != NULL)
1877                                 {
1878                                 /* shouldn't really happen */
1879                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1880                                 }
1881
1882                         if (s->tlsext_opaque_prf_input_len == 0)
1883                                 {
1884                                 /* dummy byte just to get non-NULL */
1885                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
1886                                 }
1887                         else
1888                                 {
1889                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1890                                 }
1891                         if (s->s3->client_opaque_prf_input == NULL)
1892                                 {
1893                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1894                                 return -1;
1895                                 }
1896                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1897                         }
1898
1899                 if (r == 2)
1900                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1901                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1902         }
1903 #endif
1904
1905         return 1;
1906         }
1907
1908 int ssl_prepare_serverhello_tlsext(SSL *s)
1909         {
1910 #ifndef OPENSSL_NO_EC
1911         /* If we are server and using an ECC cipher suite, send the point formats we support 
1912          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1913          * supposed to send an EllipticCurves extension.
1914          */
1915
1916         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1917         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1918         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1919         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1920         
1921         if (using_ecc)
1922                 {
1923                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1924                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1925                         {
1926                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1927                         return -1;
1928                         }
1929                 s->tlsext_ecpointformatlist_length = 3;
1930                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1931                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1932                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1933                 }
1934 #endif /* OPENSSL_NO_EC */
1935
1936         return 1;
1937         }
1938
1939 int ssl_check_clienthello_tlsext_early(SSL *s)
1940         {
1941         int ret=SSL_TLSEXT_ERR_NOACK;
1942         int al = SSL_AD_UNRECOGNIZED_NAME;
1943
1944 #ifndef OPENSSL_NO_EC
1945         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1946          * ssl3_choose_cipher in s3_lib.c.
1947          */
1948         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1949          * ssl3_choose_cipher in s3_lib.c.
1950          */
1951 #endif
1952
1953         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1954                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1955         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1956                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1957
1958 #ifdef TLSEXT_TYPE_opaque_prf_input
1959         {
1960                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1961                  * but we might be sending an alert in response to the client hello,
1962                  * so this has to happen here in
1963                  * ssl_check_clienthello_tlsext_early(). */
1964
1965                 int r = 1;
1966         
1967                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1968                         {
1969                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1970                         if (!r)
1971                                 {
1972                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1973                                 al = SSL_AD_INTERNAL_ERROR;
1974                                 goto err;
1975                                 }
1976                         }
1977
1978                 if (s->s3->server_opaque_prf_input != NULL)
1979                         {
1980                         /* shouldn't really happen */
1981                         OPENSSL_free(s->s3->server_opaque_prf_input);
1982                         }
1983                 s->s3->server_opaque_prf_input = NULL;
1984
1985                 if (s->tlsext_opaque_prf_input != NULL)
1986                         {
1987                         if (s->s3->client_opaque_prf_input != NULL &&
1988                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1989                                 {
1990                                 /* can only use this extension if we have a server opaque PRF input
1991                                  * of the same length as the client opaque PRF input! */
1992
1993                                 if (s->tlsext_opaque_prf_input_len == 0)
1994                                         {
1995                                         /* dummy byte just to get non-NULL */
1996                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
1997                                         }
1998                                 else
1999                                         {
2000                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2001                                         }
2002                                 if (s->s3->server_opaque_prf_input == NULL)
2003                                         {
2004                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2005                                         al = SSL_AD_INTERNAL_ERROR;
2006                                         goto err;
2007                                         }
2008                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2009                                 }
2010                         }
2011
2012                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2013                         {
2014                         /* The callback wants to enforce use of the extension,
2015                          * but we can't do that with the client opaque PRF input;
2016                          * abort the handshake.
2017                          */
2018                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2019                         al = SSL_AD_HANDSHAKE_FAILURE;
2020                         }
2021         }
2022
2023  err:
2024 #endif
2025         switch (ret)
2026                 {
2027                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2028                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2029                         return -1;
2030
2031                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2032                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2033                         return 1; 
2034                                         
2035                 case SSL_TLSEXT_ERR_NOACK:
2036                         s->servername_done=0;
2037                         default:
2038                 return 1;
2039                 }
2040         }
2041
2042 int ssl_check_clienthello_tlsext_late(SSL *s)
2043         {
2044         int ret = SSL_TLSEXT_ERR_OK;
2045         int al;
2046
2047         /* If status request then ask callback what to do.
2048          * Note: this must be called after servername callbacks in case 
2049          * the certificate has changed, and must be called after the cipher
2050          * has been chosen because this may influence which certificate is sent
2051          */
2052         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2053                 {
2054                 int r;
2055                 CERT_PKEY *certpkey;
2056                 certpkey = ssl_get_server_send_pkey(s);
2057                 /* If no certificate can't return certificate status */
2058                 if (certpkey == NULL)
2059                         {
2060                         s->tlsext_status_expected = 0;
2061                         return 1;
2062                         }
2063                 /* Set current certificate to one we will use so
2064                  * SSL_get_certificate et al can pick it up.
2065                  */
2066                 s->cert->key = certpkey;
2067                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2068                 switch (r)
2069                         {
2070                         /* We don't want to send a status request response */
2071                         case SSL_TLSEXT_ERR_NOACK:
2072                                 s->tlsext_status_expected = 0;
2073                                 break;
2074                         /* status request response should be sent */
2075                         case SSL_TLSEXT_ERR_OK:
2076                                 if (s->tlsext_ocsp_resp)
2077                                         s->tlsext_status_expected = 1;
2078                                 else
2079                                         s->tlsext_status_expected = 0;
2080                                 break;
2081                         /* something bad happened */
2082                         case SSL_TLSEXT_ERR_ALERT_FATAL:
2083                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2084                                 al = SSL_AD_INTERNAL_ERROR;
2085                                 goto err;
2086                         }
2087                 }
2088         else
2089                 s->tlsext_status_expected = 0;
2090
2091  err:
2092         switch (ret)
2093                 {
2094                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2095                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2096                         return -1;
2097
2098                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2099                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2100                         return 1; 
2101
2102                 default:
2103                         return 1;
2104                 }
2105         }
2106
2107 int ssl_check_serverhello_tlsext(SSL *s)
2108         {
2109         int ret=SSL_TLSEXT_ERR_NOACK;
2110         int al = SSL_AD_UNRECOGNIZED_NAME;
2111
2112 #ifndef OPENSSL_NO_EC
2113         /* If we are client and using an elliptic curve cryptography cipher
2114          * suite, then if server returns an EC point formats lists extension
2115          * it must contain uncompressed.
2116          */
2117         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2118         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2119         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
2120             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
2121             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2122                 {
2123                 /* we are using an ECC cipher */
2124                 size_t i;
2125                 unsigned char *list;
2126                 int found_uncompressed = 0;
2127                 list = s->session->tlsext_ecpointformatlist;
2128                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2129                         {
2130                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2131                                 {
2132                                 found_uncompressed = 1;
2133                                 break;
2134                                 }
2135                         }
2136                 if (!found_uncompressed)
2137                         {
2138                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2139                         return -1;
2140                         }
2141                 }
2142         ret = SSL_TLSEXT_ERR_OK;
2143 #endif /* OPENSSL_NO_EC */
2144
2145         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2146                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2147         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2148                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2149
2150 #ifdef TLSEXT_TYPE_opaque_prf_input
2151         if (s->s3->server_opaque_prf_input_len > 0)
2152                 {
2153                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2154                  * So first verify that we really have a value from the server too. */
2155
2156                 if (s->s3->server_opaque_prf_input == NULL)
2157                         {
2158                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2159                         al = SSL_AD_HANDSHAKE_FAILURE;
2160                         }
2161                 
2162                 /* Anytime the server *has* sent an opaque PRF input, we need to check
2163                  * that we have a client opaque PRF input of the same size. */
2164                 if (s->s3->client_opaque_prf_input == NULL ||
2165                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2166                         {
2167                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2168                         al = SSL_AD_ILLEGAL_PARAMETER;
2169                         }
2170                 }
2171 #endif
2172
2173         /* If we've requested certificate status and we wont get one
2174          * tell the callback
2175          */
2176         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2177                         && s->ctx && s->ctx->tlsext_status_cb)
2178                 {
2179                 int r;
2180                 /* Set resp to NULL, resplen to -1 so callback knows
2181                  * there is no response.
2182                  */
2183                 if (s->tlsext_ocsp_resp)
2184                         {
2185                         OPENSSL_free(s->tlsext_ocsp_resp);
2186                         s->tlsext_ocsp_resp = NULL;
2187                         }
2188                 s->tlsext_ocsp_resplen = -1;
2189                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2190                 if (r == 0)
2191                         {
2192                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2193                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2194                         }
2195                 if (r < 0)
2196                         {
2197                         al = SSL_AD_INTERNAL_ERROR;
2198                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2199                         }
2200                 }
2201
2202         switch (ret)
2203                 {
2204                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2205                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2206                         return -1;
2207
2208                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2209                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2210                         return 1; 
2211                                         
2212                 case SSL_TLSEXT_ERR_NOACK:
2213                         s->servername_done=0;
2214                         default:
2215                 return 1;
2216                 }
2217         }
2218
2219 /*-
2220  * Since the server cache lookup is done early on in the processing of the
2221  * ClientHello, and other operations depend on the result, we need to handle
2222  * any TLS session ticket extension at the same time.
2223  *
2224  *   session_id: points at the session ID in the ClientHello. This code will
2225  *       read past the end of this in order to parse out the session ticket
2226  *       extension, if any.
2227  *   len: the length of the session ID.
2228  *   limit: a pointer to the first byte after the ClientHello.
2229  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2230  *       point to the resulting session.
2231  *
2232  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2233  * ciphersuite, in which case we have no use for session tickets and one will
2234  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2235  *
2236  * Returns:
2237  *   -1: fatal error, either from parsing or decrypting the ticket.
2238  *    0: no ticket was found (or was ignored, based on settings).
2239  *    1: a zero length extension was found, indicating that the client supports
2240  *       session tickets but doesn't currently have one to offer.
2241  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2242  *       couldn't be decrypted because of a non-fatal error.
2243  *    3: a ticket was successfully decrypted and *ret was set.
2244  *
2245  * Side effects:
2246  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2247  *   a new session ticket to the client because the client indicated support
2248  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2249  *   a session ticket or we couldn't use the one it gave us, or if
2250  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2251  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2252  */
2253 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2254                         const unsigned char *limit, SSL_SESSION **ret)
2255         {
2256         /* Point after session ID in client hello */
2257         const unsigned char *p = session_id + len;
2258         unsigned short i;
2259
2260         *ret = NULL;
2261         s->tlsext_ticket_expected = 0;
2262
2263         /* If tickets disabled behave as if no ticket present
2264          * to permit stateful resumption.
2265          */
2266         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2267                 return 0;
2268         if ((s->version <= SSL3_VERSION) || !limit)
2269                 return 0;
2270         if (p >= limit)
2271                 return -1;
2272         /* Skip past DTLS cookie */
2273         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2274                 {
2275                 i = *(p++);
2276                 p+= i;
2277                 if (p >= limit)
2278                         return -1;
2279                 }
2280         /* Skip past cipher list */
2281         n2s(p, i);
2282         p+= i;
2283         if (p >= limit)
2284                 return -1;
2285         /* Skip past compression algorithm list */
2286         i = *(p++);
2287         p += i;
2288         if (p > limit)
2289                 return -1;
2290         /* Now at start of extensions */
2291         if ((p + 2) >= limit)
2292                 return 0;
2293         n2s(p, i);
2294         while ((p + 4) <= limit)
2295                 {
2296                 unsigned short type, size;
2297                 n2s(p, type);
2298                 n2s(p, size);
2299                 if (p + size > limit)
2300                         return 0;
2301                 if (type == TLSEXT_TYPE_session_ticket)
2302                         {
2303                         int r;
2304                         if (size == 0)
2305                                 {
2306                                 /* The client will accept a ticket but doesn't
2307                                  * currently have one. */
2308                                 s->tlsext_ticket_expected = 1;
2309                                 return 1;
2310                                 }
2311                         if (s->tls_session_secret_cb)
2312                                 {
2313                                 /* Indicate that the ticket couldn't be
2314                                  * decrypted rather than generating the session
2315                                  * from ticket now, trigger abbreviated
2316                                  * handshake based on external mechanism to
2317                                  * calculate the master secret later. */
2318                                 return 2;
2319                                 }
2320                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2321                         switch (r)
2322                                 {
2323                                 case 2: /* ticket couldn't be decrypted */
2324                                         s->tlsext_ticket_expected = 1;
2325                                         return 2;
2326                                 case 3: /* ticket was decrypted */
2327                                         return r;
2328                                 case 4: /* ticket decrypted but need to renew */
2329                                         s->tlsext_ticket_expected = 1;
2330                                         return 3;
2331                                 default: /* fatal error */
2332                                         return -1;
2333                                 }
2334                         }
2335                 p += size;
2336                 }
2337         return 0;
2338         }
2339
2340 /*-
2341  * tls_decrypt_ticket attempts to decrypt a session ticket.
2342  *
2343  *   etick: points to the body of the session ticket extension.
2344  *   eticklen: the length of the session tickets extenion.
2345  *   sess_id: points at the session ID.
2346  *   sesslen: the length of the session ID.
2347  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2348  *       point to the resulting session.
2349  *
2350  * Returns:
2351  *   -1: fatal error, either from parsing or decrypting the ticket.
2352  *    2: the ticket couldn't be decrypted.
2353  *    3: a ticket was successfully decrypted and *psess was set.
2354  *    4: same as 3, but the ticket needs to be renewed.
2355  */
2356 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2357                                 const unsigned char *sess_id, int sesslen,
2358                                 SSL_SESSION **psess)
2359         {
2360         SSL_SESSION *sess;
2361         unsigned char *sdec;
2362         const unsigned char *p;
2363         int slen, mlen, renew_ticket = 0;
2364         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2365         HMAC_CTX hctx;
2366         EVP_CIPHER_CTX ctx;
2367         SSL_CTX *tctx = s->initial_ctx;
2368         /* Need at least keyname + iv + some encrypted data */
2369         if (eticklen < 48)
2370                 return 2;
2371         /* Initialize session ticket encryption and HMAC contexts */
2372         HMAC_CTX_init(&hctx);
2373         EVP_CIPHER_CTX_init(&ctx);
2374         if (tctx->tlsext_ticket_key_cb)
2375                 {
2376                 unsigned char *nctick = (unsigned char *)etick;
2377                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2378                                                         &ctx, &hctx, 0);
2379                 if (rv < 0)
2380                         return -1;
2381                 if (rv == 0)
2382                         return 2;
2383                 if (rv == 2)
2384                         renew_ticket = 1;
2385                 }
2386         else
2387                 {
2388                 /* Check key name matches */
2389                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2390                         return 2;
2391                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2392                                         tlsext_tick_md(), NULL);
2393                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2394                                 tctx->tlsext_tick_aes_key, etick + 16);
2395                 }
2396         /* Attempt to process session ticket, first conduct sanity and
2397          * integrity checks on ticket.
2398          */
2399         mlen = HMAC_size(&hctx);
2400         if (mlen < 0)
2401                 {
2402                 EVP_CIPHER_CTX_cleanup(&ctx);
2403                 return -1;
2404                 }
2405         eticklen -= mlen;
2406         /* Check HMAC of encrypted ticket */
2407         HMAC_Update(&hctx, etick, eticklen);
2408         HMAC_Final(&hctx, tick_hmac, NULL);
2409         HMAC_CTX_cleanup(&hctx);
2410         if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2411                 {
2412                 EVP_CIPHER_CTX_cleanup(&ctx);
2413                 return 2;
2414                 }
2415         /* Attempt to decrypt session data */
2416         /* Move p after IV to start of encrypted ticket, update length */
2417         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2418         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2419         sdec = OPENSSL_malloc(eticklen);
2420         if (!sdec)
2421                 {
2422                 EVP_CIPHER_CTX_cleanup(&ctx);
2423                 return -1;
2424                 }
2425         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2426         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2427                 {
2428                 EVP_CIPHER_CTX_cleanup(&ctx);
2429                 OPENSSL_free(sdec);
2430                 return 2;
2431                 }
2432         slen += mlen;
2433         EVP_CIPHER_CTX_cleanup(&ctx);
2434         p = sdec;
2435
2436         sess = d2i_SSL_SESSION(NULL, &p, slen);
2437         OPENSSL_free(sdec);
2438         if (sess)
2439                 {
2440                 /* The session ID, if non-empty, is used by some clients to
2441                  * detect that the ticket has been accepted. So we copy it to
2442                  * the session structure. If it is empty set length to zero
2443                  * as required by standard.
2444                  */
2445                 if (sesslen)
2446                         memcpy(sess->session_id, sess_id, sesslen);
2447                 sess->session_id_length = sesslen;
2448                 *psess = sess;
2449                 if (renew_ticket)
2450                         return 4;
2451                 else
2452                         return 3;
2453                 }
2454         ERR_clear_error();
2455         /* For session parse failure, indicate that we need to send a new
2456          * ticket. */
2457         return 2;
2458         }
2459
2460 /* Tables to translate from NIDs to TLS v1.2 ids */
2461
2462 typedef struct 
2463         {
2464         int nid;
2465         int id;
2466         } tls12_lookup;
2467
2468 static tls12_lookup tls12_md[] = {
2469 #ifndef OPENSSL_NO_MD5
2470         {NID_md5, TLSEXT_hash_md5},
2471 #endif
2472 #ifndef OPENSSL_NO_SHA
2473         {NID_sha1, TLSEXT_hash_sha1},
2474 #endif
2475 #ifndef OPENSSL_NO_SHA256
2476         {NID_sha224, TLSEXT_hash_sha224},
2477         {NID_sha256, TLSEXT_hash_sha256},
2478 #endif
2479 #ifndef OPENSSL_NO_SHA512
2480         {NID_sha384, TLSEXT_hash_sha384},
2481         {NID_sha512, TLSEXT_hash_sha512}
2482 #endif
2483 };
2484
2485 static tls12_lookup tls12_sig[] = {
2486 #ifndef OPENSSL_NO_RSA
2487         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2488 #endif
2489 #ifndef OPENSSL_NO_DSA
2490         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2491 #endif
2492 #ifndef OPENSSL_NO_ECDSA
2493         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2494 #endif
2495 };
2496
2497 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2498         {
2499         size_t i;
2500         for (i = 0; i < tlen; i++)
2501                 {
2502                 if (table[i].nid == nid)
2503                         return table[i].id;
2504                 }
2505         return -1;
2506         }
2507 #if 0
2508 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2509         {
2510         size_t i;
2511         for (i = 0; i < tlen; i++)
2512                 {
2513                 if (table[i].id == id)
2514                         return table[i].nid;
2515                 }
2516         return -1;
2517         }
2518 #endif
2519
2520 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2521         {
2522         int sig_id, md_id;
2523         if (!md)
2524                 return 0;
2525         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2526                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2527         if (md_id == -1)
2528                 return 0;
2529         sig_id = tls12_get_sigid(pk);
2530         if (sig_id == -1)
2531                 return 0;
2532         p[0] = (unsigned char)md_id;
2533         p[1] = (unsigned char)sig_id;
2534         return 1;
2535         }
2536
2537 int tls12_get_sigid(const EVP_PKEY *pk)
2538         {
2539         return tls12_find_id(pk->type, tls12_sig,
2540                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2541         }
2542
2543 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2544         {
2545         switch(hash_alg)
2546                 {
2547 #ifndef OPENSSL_NO_SHA
2548                 case TLSEXT_hash_sha1:
2549                 return EVP_sha1();
2550 #endif
2551 #ifndef OPENSSL_NO_SHA256
2552                 case TLSEXT_hash_sha224:
2553                 return EVP_sha224();
2554
2555                 case TLSEXT_hash_sha256:
2556                 return EVP_sha256();
2557 #endif
2558 #ifndef OPENSSL_NO_SHA512
2559                 case TLSEXT_hash_sha384:
2560                 return EVP_sha384();
2561
2562                 case TLSEXT_hash_sha512:
2563                 return EVP_sha512();
2564 #endif
2565                 default:
2566                 return NULL;
2567
2568                 }
2569         }
2570
2571 /* Set preferred digest for each key type */
2572
2573 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2574         {
2575         int i, idx;
2576         const EVP_MD *md;
2577         CERT *c = s->cert;
2578         /* Extension ignored for TLS versions below 1.2 */
2579         if (TLS1_get_version(s) < TLS1_2_VERSION)
2580                 return 1;
2581         /* Should never happen */
2582         if (!c)
2583                 return 0;
2584
2585         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2586         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2587         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2588         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2589
2590         for (i = 0; i < dsize; i += 2)
2591                 {
2592                 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2593
2594                 switch(sig_alg)
2595                         {
2596 #ifndef OPENSSL_NO_RSA
2597                         case TLSEXT_signature_rsa:
2598                         idx = SSL_PKEY_RSA_SIGN;
2599                         break;
2600 #endif
2601 #ifndef OPENSSL_NO_DSA
2602                         case TLSEXT_signature_dsa:
2603                         idx = SSL_PKEY_DSA_SIGN;
2604                         break;
2605 #endif
2606 #ifndef OPENSSL_NO_ECDSA
2607                         case TLSEXT_signature_ecdsa:
2608                         idx = SSL_PKEY_ECC;
2609                         break;
2610 #endif
2611                         default:
2612                         continue;
2613                         }
2614
2615                 if (c->pkeys[idx].digest == NULL)
2616                         {
2617                         md = tls12_get_hash(hash_alg);
2618                         if (md)
2619                                 {
2620                                 c->pkeys[idx].digest = md;
2621                                 if (idx == SSL_PKEY_RSA_SIGN)
2622                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2623                                 }
2624                         }
2625
2626                 }
2627
2628
2629         /* Set any remaining keys to default values. NOTE: if alg is not
2630          * supported it stays as NULL.
2631          */
2632 #ifndef OPENSSL_NO_DSA
2633         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2634                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2635 #endif
2636 #ifndef OPENSSL_NO_RSA
2637         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2638                 {
2639                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2640                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2641                 }
2642 #endif
2643 #ifndef OPENSSL_NO_ECDSA
2644         if (!c->pkeys[SSL_PKEY_ECC].digest)
2645                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2646 #endif
2647         return 1;
2648         }
2649
2650 #endif
2651
2652 #ifndef OPENSSL_NO_HEARTBEATS
2653 int
2654 tls1_process_heartbeat(SSL *s)
2655         {
2656         unsigned char *p = &s->s3->rrec.data[0], *pl;
2657         unsigned short hbtype;
2658         unsigned int payload;
2659         unsigned int padding = 16; /* Use minimum padding */
2660
2661         if (s->msg_callback)
2662                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2663                         &s->s3->rrec.data[0], s->s3->rrec.length,
2664                         s, s->msg_callback_arg);
2665
2666         /* Read type and payload length first */
2667         if (1 + 2 + 16 > s->s3->rrec.length)
2668                 return 0; /* silently discard */
2669         hbtype = *p++;
2670         n2s(p, payload);
2671         if (1 + 2 + payload + 16 > s->s3->rrec.length)
2672                 return 0; /* silently discard per RFC 6520 sec. 4 */
2673         pl = p;
2674
2675         if (hbtype == TLS1_HB_REQUEST)
2676                 {
2677                 unsigned char *buffer, *bp;
2678                 int r;
2679
2680                 /* Allocate memory for the response, size is 1 bytes
2681                  * message type, plus 2 bytes payload length, plus
2682                  * payload, plus padding
2683                  */
2684                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2685                 bp = buffer;
2686                 
2687                 /* Enter response type, length and copy payload */
2688                 *bp++ = TLS1_HB_RESPONSE;
2689                 s2n(payload, bp);
2690                 memcpy(bp, pl, payload);
2691                 bp += payload;
2692                 /* Random padding */
2693                 RAND_pseudo_bytes(bp, padding);
2694
2695                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2696
2697                 if (r >= 0 && s->msg_callback)
2698                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2699                                 buffer, 3 + payload + padding,
2700                                 s, s->msg_callback_arg);
2701
2702                 OPENSSL_free(buffer);
2703
2704                 if (r < 0)
2705                         return r;
2706                 }
2707         else if (hbtype == TLS1_HB_RESPONSE)
2708                 {
2709                 unsigned int seq;
2710                 
2711                 /* We only send sequence numbers (2 bytes unsigned int),
2712                  * and 16 random bytes, so we just try to read the
2713                  * sequence number */
2714                 n2s(pl, seq);
2715                 
2716                 if (payload == 18 && seq == s->tlsext_hb_seq)
2717                         {
2718                         s->tlsext_hb_seq++;
2719                         s->tlsext_hb_pending = 0;
2720                         }
2721                 }
2722
2723         return 0;
2724         }
2725
2726 int
2727 tls1_heartbeat(SSL *s)
2728         {
2729         unsigned char *buf, *p;
2730         int ret;
2731         unsigned int payload = 18; /* Sequence number + random bytes */
2732         unsigned int padding = 16; /* Use minimum padding */
2733
2734         /* Only send if peer supports and accepts HB requests... */
2735         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2736             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2737                 {
2738                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2739                 return -1;
2740                 }
2741
2742         /* ...and there is none in flight yet... */
2743         if (s->tlsext_hb_pending)
2744                 {
2745                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2746                 return -1;
2747                 }
2748                 
2749         /* ...and no handshake in progress. */
2750         if (SSL_in_init(s) || s->in_handshake)
2751                 {
2752                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2753                 return -1;
2754                 }
2755                 
2756         /* Check if padding is too long, payload and padding
2757          * must not exceed 2^14 - 3 = 16381 bytes in total.
2758          */
2759         OPENSSL_assert(payload + padding <= 16381);
2760
2761         /*-
2762          * Create HeartBeat message, we just use a sequence number
2763          * as payload to distuingish different messages and add
2764          * some random stuff.
2765          *  - Message Type, 1 byte
2766          *  - Payload Length, 2 bytes (unsigned int)
2767          *  - Payload, the sequence number (2 bytes uint)
2768          *  - Payload, random bytes (16 bytes uint)
2769          *  - Padding
2770          */
2771         buf = OPENSSL_malloc(1 + 2 + payload + padding);
2772         p = buf;
2773         /* Message Type */
2774         *p++ = TLS1_HB_REQUEST;
2775         /* Payload length (18 bytes here) */
2776         s2n(payload, p);
2777         /* Sequence number */
2778         s2n(s->tlsext_hb_seq, p);
2779         /* 16 random bytes */
2780         RAND_pseudo_bytes(p, 16);
2781         p += 16;
2782         /* Random padding */
2783         RAND_pseudo_bytes(p, padding);
2784
2785         ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2786         if (ret >= 0)
2787                 {
2788                 if (s->msg_callback)
2789                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2790                                 buf, 3 + payload + padding,
2791                                 s, s->msg_callback_arg);
2792
2793                 s->tlsext_hb_pending = 1;
2794                 }
2795                 
2796         OPENSSL_free(buf);
2797
2798         return ret;
2799         }
2800 #endif