Remove extraneous brackets (clang doesn't like them).
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 #endif
127
128 SSL3_ENC_METHOD TLSv1_enc_data={
129         tls1_enc,
130         tls1_mac,
131         tls1_setup_key_block,
132         tls1_generate_master_secret,
133         tls1_change_cipher_state,
134         tls1_final_finish_mac,
135         TLS1_FINISH_MAC_LENGTH,
136         tls1_cert_verify_mac,
137         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139         tls1_alert_code,
140         tls1_export_keying_material,
141         };
142
143 long tls1_default_timeout(void)
144         {
145         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146          * is way too long for http, the cache would over fill */
147         return(60*60*2);
148         }
149
150 int tls1_new(SSL *s)
151         {
152         if (!ssl3_new(s)) return(0);
153         s->method->ssl_clear(s);
154         return(1);
155         }
156
157 void tls1_free(SSL *s)
158         {
159 #ifndef OPENSSL_NO_TLSEXT
160         if (s->tlsext_session_ticket)
161                 {
162                 OPENSSL_free(s->tlsext_session_ticket);
163                 }
164 #endif /* OPENSSL_NO_TLSEXT */
165         ssl3_free(s);
166         }
167
168 void tls1_clear(SSL *s)
169         {
170         ssl3_clear(s);
171         s->version = s->method->version;
172         }
173
174 #ifndef OPENSSL_NO_EC
175
176 static int nid_list[] =
177         {
178                 NID_sect163k1, /* sect163k1 (1) */
179                 NID_sect163r1, /* sect163r1 (2) */
180                 NID_sect163r2, /* sect163r2 (3) */
181                 NID_sect193r1, /* sect193r1 (4) */ 
182                 NID_sect193r2, /* sect193r2 (5) */ 
183                 NID_sect233k1, /* sect233k1 (6) */
184                 NID_sect233r1, /* sect233r1 (7) */ 
185                 NID_sect239k1, /* sect239k1 (8) */ 
186                 NID_sect283k1, /* sect283k1 (9) */
187                 NID_sect283r1, /* sect283r1 (10) */ 
188                 NID_sect409k1, /* sect409k1 (11) */ 
189                 NID_sect409r1, /* sect409r1 (12) */
190                 NID_sect571k1, /* sect571k1 (13) */ 
191                 NID_sect571r1, /* sect571r1 (14) */ 
192                 NID_secp160k1, /* secp160k1 (15) */
193                 NID_secp160r1, /* secp160r1 (16) */ 
194                 NID_secp160r2, /* secp160r2 (17) */ 
195                 NID_secp192k1, /* secp192k1 (18) */
196                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
197                 NID_secp224k1, /* secp224k1 (20) */ 
198                 NID_secp224r1, /* secp224r1 (21) */
199                 NID_secp256k1, /* secp256k1 (22) */ 
200                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
201                 NID_secp384r1, /* secp384r1 (24) */
202                 NID_secp521r1  /* secp521r1 (25) */     
203         };
204
205 static int pref_list[] =
206         {
207                 NID_sect571r1, /* sect571r1 (14) */ 
208                 NID_sect571k1, /* sect571k1 (13) */ 
209                 NID_secp521r1, /* secp521r1 (25) */     
210                 NID_sect409k1, /* sect409k1 (11) */ 
211                 NID_sect409r1, /* sect409r1 (12) */
212                 NID_secp384r1, /* secp384r1 (24) */
213                 NID_sect283k1, /* sect283k1 (9) */
214                 NID_sect283r1, /* sect283r1 (10) */ 
215                 NID_secp256k1, /* secp256k1 (22) */ 
216                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
217                 NID_sect239k1, /* sect239k1 (8) */ 
218                 NID_sect233k1, /* sect233k1 (6) */
219                 NID_sect233r1, /* sect233r1 (7) */ 
220                 NID_secp224k1, /* secp224k1 (20) */ 
221                 NID_secp224r1, /* secp224r1 (21) */
222                 NID_sect193r1, /* sect193r1 (4) */ 
223                 NID_sect193r2, /* sect193r2 (5) */ 
224                 NID_secp192k1, /* secp192k1 (18) */
225                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
226                 NID_sect163k1, /* sect163k1 (1) */
227                 NID_sect163r1, /* sect163r1 (2) */
228                 NID_sect163r2, /* sect163r2 (3) */
229                 NID_secp160k1, /* secp160k1 (15) */
230                 NID_secp160r1, /* secp160r1 (16) */ 
231                 NID_secp160r2, /* secp160r2 (17) */ 
232         };
233
234 int tls1_ec_curve_id2nid(int curve_id)
235         {
236         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237         if ((curve_id < 1) || ((unsigned int)curve_id >
238                                 sizeof(nid_list)/sizeof(nid_list[0])))
239                 return 0;
240         return nid_list[curve_id-1];
241         }
242
243 int tls1_ec_nid2curve_id(int nid)
244         {
245         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246         switch (nid)
247                 {
248         case NID_sect163k1: /* sect163k1 (1) */
249                 return 1;
250         case NID_sect163r1: /* sect163r1 (2) */
251                 return 2;
252         case NID_sect163r2: /* sect163r2 (3) */
253                 return 3;
254         case NID_sect193r1: /* sect193r1 (4) */ 
255                 return 4;
256         case NID_sect193r2: /* sect193r2 (5) */ 
257                 return 5;
258         case NID_sect233k1: /* sect233k1 (6) */
259                 return 6;
260         case NID_sect233r1: /* sect233r1 (7) */ 
261                 return 7;
262         case NID_sect239k1: /* sect239k1 (8) */ 
263                 return 8;
264         case NID_sect283k1: /* sect283k1 (9) */
265                 return 9;
266         case NID_sect283r1: /* sect283r1 (10) */ 
267                 return 10;
268         case NID_sect409k1: /* sect409k1 (11) */ 
269                 return 11;
270         case NID_sect409r1: /* sect409r1 (12) */
271                 return 12;
272         case NID_sect571k1: /* sect571k1 (13) */ 
273                 return 13;
274         case NID_sect571r1: /* sect571r1 (14) */ 
275                 return 14;
276         case NID_secp160k1: /* secp160k1 (15) */
277                 return 15;
278         case NID_secp160r1: /* secp160r1 (16) */ 
279                 return 16;
280         case NID_secp160r2: /* secp160r2 (17) */ 
281                 return 17;
282         case NID_secp192k1: /* secp192k1 (18) */
283                 return 18;
284         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
285                 return 19;
286         case NID_secp224k1: /* secp224k1 (20) */ 
287                 return 20;
288         case NID_secp224r1: /* secp224r1 (21) */
289                 return 21;
290         case NID_secp256k1: /* secp256k1 (22) */ 
291                 return 22;
292         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
293                 return 23;
294         case NID_secp384r1: /* secp384r1 (24) */
295                 return 24;
296         case NID_secp521r1:  /* secp521r1 (25) */       
297                 return 25;
298         default:
299                 return 0;
300                 }
301         }
302 #endif /* OPENSSL_NO_EC */
303
304 #ifndef OPENSSL_NO_TLSEXT
305
306 /* List of supported signature algorithms and hashes. Should make this
307  * customisable at some point, for now include everything we support.
308  */
309
310 #ifdef OPENSSL_NO_RSA
311 #define tlsext_sigalg_rsa(md) /* */
312 #else
313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #endif
315
316 #ifdef OPENSSL_NO_DSA
317 #define tlsext_sigalg_dsa(md) /* */
318 #else
319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #endif
321
322 #ifdef OPENSSL_NO_ECDSA
323 #define tlsext_sigalg_ecdsa(md) /* */
324 #else
325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #endif
327
328 #define tlsext_sigalg(md) \
329                 tlsext_sigalg_rsa(md) \
330                 tlsext_sigalg_dsa(md) \
331                 tlsext_sigalg_ecdsa(md)
332
333 static unsigned char tls12_sigalgs[] = {
334 #ifndef OPENSSL_NO_SHA512
335         tlsext_sigalg(TLSEXT_hash_sha512)
336         tlsext_sigalg(TLSEXT_hash_sha384)
337 #endif
338 #ifndef OPENSSL_NO_SHA256
339         tlsext_sigalg(TLSEXT_hash_sha256)
340         tlsext_sigalg(TLSEXT_hash_sha224)
341 #endif
342 #ifndef OPENSSL_NO_SHA
343         tlsext_sigalg(TLSEXT_hash_sha1)
344 #endif
345 #ifndef OPENSSL_NO_MD5
346         tlsext_sigalg_rsa(TLSEXT_hash_md5)
347 #endif
348 };
349
350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351         {
352         size_t slen = sizeof(tls12_sigalgs);
353 #ifdef OPENSSL_FIPS
354         /* If FIPS mode don't include MD5 which is last */
355         if (FIPS_mode())
356                 slen -= 2;
357 #endif
358         if (p)
359                 memcpy(p, tls12_sigalgs, slen);
360         return (int)slen;
361         }
362
363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364         {
365         int extdatalen=0;
366         unsigned char *ret = p;
367
368         /* don't add extensions for SSLv3 unless doing secure renegotiation */
369         if (s->client_version == SSL3_VERSION
370                                         && !s->s3->send_connection_binding)
371                 return p;
372
373         ret+=2;
374
375         if (ret>=limit) return NULL; /* this really never occurs, but ... */
376
377         if (s->tlsext_hostname != NULL)
378                 { 
379                 /* Add TLS extension servername to the Client Hello message */
380                 unsigned long size_str;
381                 long lenmax; 
382
383                 /* check for enough space.
384                    4 for the servername type and entension length
385                    2 for servernamelist length
386                    1 for the hostname type
387                    2 for hostname length
388                    + hostname length 
389                 */
390                    
391                 if ((lenmax = limit - ret - 9) < 0 
392                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
393                         return NULL;
394                         
395                 /* extension type and length */
396                 s2n(TLSEXT_TYPE_server_name,ret); 
397                 s2n(size_str+5,ret);
398                 
399                 /* length of servername list */
400                 s2n(size_str+3,ret);
401         
402                 /* hostname type, length and hostname */
403                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
404                 s2n(size_str,ret);
405                 memcpy(ret, s->tlsext_hostname, size_str);
406                 ret+=size_str;
407                 }
408
409         /* Add RI if renegotiating */
410         if (s->renegotiate)
411           {
412           int el;
413           
414           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
415               {
416               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
417               return NULL;
418               }
419
420           if((limit - p - 4 - el) < 0) return NULL;
421           
422           s2n(TLSEXT_TYPE_renegotiate,ret);
423           s2n(el,ret);
424
425           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
426               {
427               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
428               return NULL;
429               }
430
431           ret += el;
432         }
433
434 #ifndef OPENSSL_NO_SRP
435         /* Add SRP username if there is one */
436         if (s->srp_ctx.login != NULL)
437                 { /* Add TLS extension SRP username to the Client Hello message */
438
439                 int login_len = strlen(s->srp_ctx.login);       
440                 if (login_len > 255 || login_len == 0)
441                         {
442                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
443                         return NULL;
444                         } 
445
446                 /* check for enough space.
447                    4 for the srp type type and entension length
448                    1 for the srp user identity
449                    + srp user identity length 
450                 */
451                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
452
453                 /* fill in the extension */
454                 s2n(TLSEXT_TYPE_srp,ret);
455                 s2n(login_len+1,ret);
456                 (*ret++) = (unsigned char) login_len;
457                 memcpy(ret, s->srp_ctx.login, login_len);
458                 ret+=login_len;
459                 }
460 #endif
461
462 #ifndef OPENSSL_NO_EC
463         if (s->tlsext_ecpointformatlist != NULL &&
464             s->version != DTLS1_VERSION)
465                 {
466                 /* Add TLS extension ECPointFormats to the ClientHello message */
467                 long lenmax; 
468
469                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
470                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471                 if (s->tlsext_ecpointformatlist_length > 255)
472                         {
473                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
474                         return NULL;
475                         }
476                 
477                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
478                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481                 ret+=s->tlsext_ecpointformatlist_length;
482                 }
483         if (s->tlsext_ellipticcurvelist != NULL &&
484             s->version != DTLS1_VERSION)
485                 {
486                 /* Add TLS extension EllipticCurves to the ClientHello message */
487                 long lenmax; 
488
489                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
490                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
491                 if (s->tlsext_ellipticcurvelist_length > 65532)
492                         {
493                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
494                         return NULL;
495                         }
496                 
497                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
498                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
499
500                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
501                  * elliptic_curve_list, but the examples use two bytes.
502                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
503                  * resolves this to two bytes.
504                  */
505                 s2n(s->tlsext_ellipticcurvelist_length, ret);
506                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
507                 ret+=s->tlsext_ellipticcurvelist_length;
508                 }
509 #endif /* OPENSSL_NO_EC */
510
511         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
512                 {
513                 int ticklen;
514                 if (!s->new_session && s->session && s->session->tlsext_tick)
515                         ticklen = s->session->tlsext_ticklen;
516                 else if (s->session && s->tlsext_session_ticket &&
517                          s->tlsext_session_ticket->data)
518                         {
519                         ticklen = s->tlsext_session_ticket->length;
520                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
521                         if (!s->session->tlsext_tick)
522                                 return NULL;
523                         memcpy(s->session->tlsext_tick,
524                                s->tlsext_session_ticket->data,
525                                ticklen);
526                         s->session->tlsext_ticklen = ticklen;
527                         }
528                 else
529                         ticklen = 0;
530                 if (ticklen == 0 && s->tlsext_session_ticket &&
531                     s->tlsext_session_ticket->data == NULL)
532                         goto skip_ext;
533                 /* Check for enough room 2 for extension type, 2 for len
534                  * rest for ticket
535                  */
536                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
537                 s2n(TLSEXT_TYPE_session_ticket,ret); 
538                 s2n(ticklen,ret);
539                 if (ticklen)
540                         {
541                         memcpy(ret, s->session->tlsext_tick, ticklen);
542                         ret += ticklen;
543                         }
544                 }
545                 skip_ext:
546
547         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
548                 {
549                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
550                         return NULL; 
551                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
552                 s2n(sizeof(tls12_sigalgs) + 2, ret);
553                 s2n(sizeof(tls12_sigalgs), ret);
554                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
555                 ret += sizeof(tls12_sigalgs);
556                 }
557
558 #ifdef TLSEXT_TYPE_opaque_prf_input
559         if (s->s3->client_opaque_prf_input != NULL &&
560             s->version != DTLS1_VERSION)
561                 {
562                 size_t col = s->s3->client_opaque_prf_input_len;
563                 
564                 if ((long)(limit - ret - 6 - col < 0))
565                         return NULL;
566                 if (col > 0xFFFD) /* can't happen */
567                         return NULL;
568
569                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
570                 s2n(col + 2, ret);
571                 s2n(col, ret);
572                 memcpy(ret, s->s3->client_opaque_prf_input, col);
573                 ret += col;
574                 }
575 #endif
576
577         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
578             s->version != DTLS1_VERSION)
579                 {
580                 int i;
581                 long extlen, idlen, itmp;
582                 OCSP_RESPID *id;
583
584                 idlen = 0;
585                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
586                         {
587                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
588                         itmp = i2d_OCSP_RESPID(id, NULL);
589                         if (itmp <= 0)
590                                 return NULL;
591                         idlen += itmp + 2;
592                         }
593
594                 if (s->tlsext_ocsp_exts)
595                         {
596                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
597                         if (extlen < 0)
598                                 return NULL;
599                         }
600                 else
601                         extlen = 0;
602                         
603                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
604                 s2n(TLSEXT_TYPE_status_request, ret);
605                 if (extlen + idlen > 0xFFF0)
606                         return NULL;
607                 s2n(extlen + idlen + 5, ret);
608                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
609                 s2n(idlen, ret);
610                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
611                         {
612                         /* save position of id len */
613                         unsigned char *q = ret;
614                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
615                         /* skip over id len */
616                         ret += 2;
617                         itmp = i2d_OCSP_RESPID(id, &ret);
618                         /* write id len */
619                         s2n(itmp, q);
620                         }
621                 s2n(extlen, ret);
622                 if (extlen > 0)
623                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
624                 }
625
626 #ifndef OPENSSL_NO_HEARTBEATS
627         /* Add Heartbeat extension */
628         s2n(TLSEXT_TYPE_heartbeat,ret);
629         s2n(1,ret);
630         /* Set mode:
631          * 1: peer may send requests
632          * 2: peer not allowed to send requests
633          */
634         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636         else
637                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
638 #endif
639
640 #ifndef OPENSSL_NO_NEXTPROTONEG
641         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642                 {
643                 /* The client advertises an emtpy extension to indicate its
644                  * support for Next Protocol Negotiation */
645                 if (limit - ret - 4 < 0)
646                         return NULL;
647                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
648                 s2n(0,ret);
649                 }
650 #endif
651
652         if(SSL_get_srtp_profiles(s))
653                 {
654                 int el;
655
656                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
657                 
658                 if((limit - p - 4 - el) < 0) return NULL;
659
660                 s2n(TLSEXT_TYPE_use_srtp,ret);
661                 s2n(el,ret);
662
663                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
664                         {
665                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
666                         return NULL;
667                         }
668                 ret += el;
669                 }
670
671         if ((extdatalen = ret-p-2)== 0) 
672                 return p;
673
674         s2n(extdatalen,p);
675         return ret;
676         }
677
678 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
679         {
680         int extdatalen=0;
681         unsigned char *ret = p;
682 #ifndef OPENSSL_NO_NEXTPROTONEG
683         int next_proto_neg_seen;
684 #endif
685
686         /* don't add extensions for SSLv3, unless doing secure renegotiation */
687         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
688                 return p;
689         
690         ret+=2;
691         if (ret>=limit) return NULL; /* this really never occurs, but ... */
692
693         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
694                 { 
695                 if ((long)(limit - ret - 4) < 0) return NULL; 
696
697                 s2n(TLSEXT_TYPE_server_name,ret);
698                 s2n(0,ret);
699                 }
700
701         if(s->s3->send_connection_binding)
702         {
703           int el;
704           
705           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
706               {
707               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
708               return NULL;
709               }
710
711           if((limit - p - 4 - el) < 0) return NULL;
712           
713           s2n(TLSEXT_TYPE_renegotiate,ret);
714           s2n(el,ret);
715
716           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
717               {
718               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
719               return NULL;
720               }
721
722           ret += el;
723         }
724
725 #ifndef OPENSSL_NO_EC
726         if (s->tlsext_ecpointformatlist != NULL &&
727             s->version != DTLS1_VERSION)
728                 {
729                 /* Add TLS extension ECPointFormats to the ServerHello message */
730                 long lenmax; 
731
732                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
733                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
734                 if (s->tlsext_ecpointformatlist_length > 255)
735                         {
736                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
737                         return NULL;
738                         }
739                 
740                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
741                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
742                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
743                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
744                 ret+=s->tlsext_ecpointformatlist_length;
745
746                 }
747         /* Currently the server should not respond with a SupportedCurves extension */
748 #endif /* OPENSSL_NO_EC */
749
750         if (s->tlsext_ticket_expected
751                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
752                 { 
753                 if ((long)(limit - ret - 4) < 0) return NULL; 
754                 s2n(TLSEXT_TYPE_session_ticket,ret);
755                 s2n(0,ret);
756                 }
757
758         if (s->tlsext_status_expected)
759                 { 
760                 if ((long)(limit - ret - 4) < 0) return NULL; 
761                 s2n(TLSEXT_TYPE_status_request,ret);
762                 s2n(0,ret);
763                 }
764
765 #ifdef TLSEXT_TYPE_opaque_prf_input
766         if (s->s3->server_opaque_prf_input != NULL &&
767             s->version != DTLS1_VERSION)
768                 {
769                 size_t sol = s->s3->server_opaque_prf_input_len;
770                 
771                 if ((long)(limit - ret - 6 - sol) < 0)
772                         return NULL;
773                 if (sol > 0xFFFD) /* can't happen */
774                         return NULL;
775
776                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
777                 s2n(sol + 2, ret);
778                 s2n(sol, ret);
779                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
780                 ret += sol;
781                 }
782 #endif
783
784         if(s->srtp_profile)
785                 {
786                 int el;
787
788                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
789                 
790                 if((limit - p - 4 - el) < 0) return NULL;
791
792                 s2n(TLSEXT_TYPE_use_srtp,ret);
793                 s2n(el,ret);
794
795                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
796                         {
797                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
798                         return NULL;
799                         }
800                 ret+=el;
801                 }
802
803         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
804                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
805                 { const unsigned char cryptopro_ext[36] = {
806                         0xfd, 0xe8, /*65000*/
807                         0x00, 0x20, /*32 bytes length*/
808                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
809                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
810                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
811                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
812                         if (limit-ret<36) return NULL;
813                         memcpy(ret,cryptopro_ext,36);
814                         ret+=36;
815
816                 }
817
818 #ifndef OPENSSL_NO_HEARTBEATS
819         /* Add Heartbeat extension if we've received one */
820         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
821                 {
822                 s2n(TLSEXT_TYPE_heartbeat,ret);
823                 s2n(1,ret);
824                 /* Set mode:
825                  * 1: peer may send requests
826                  * 2: peer not allowed to send requests
827                  */
828                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
829                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
830                 else
831                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
832
833                 }
834 #endif
835
836 #ifndef OPENSSL_NO_NEXTPROTONEG
837         next_proto_neg_seen = s->s3->next_proto_neg_seen;
838         s->s3->next_proto_neg_seen = 0;
839         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
840                 {
841                 const unsigned char *npa;
842                 unsigned int npalen;
843                 int r;
844
845                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
846                 if (r == SSL_TLSEXT_ERR_OK)
847                         {
848                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
849                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
850                         s2n(npalen,ret);
851                         memcpy(ret, npa, npalen);
852                         ret += npalen;
853                         s->s3->next_proto_neg_seen = 1;
854                         }
855                 }
856 #endif
857
858         if ((extdatalen = ret-p-2)== 0) 
859                 return p;
860
861         s2n(extdatalen,p);
862         return ret;
863         }
864
865 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
866         {
867         unsigned short type;
868         unsigned short size;
869         unsigned short len;
870         unsigned char *data = *p;
871         int renegotiate_seen = 0;
872         int sigalg_seen = 0;
873
874         s->servername_done = 0;
875         s->tlsext_status_type = -1;
876 #ifndef OPENSSL_NO_NEXTPROTONEG
877         s->s3->next_proto_neg_seen = 0;
878 #endif
879
880 #ifndef OPENSSL_NO_HEARTBEATS
881         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
882                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
883 #endif
884
885         if (data >= (d+n-2))
886                 goto ri_check;
887         n2s(data,len);
888
889         if (data > (d+n-len)) 
890                 goto ri_check;
891
892         while (data <= (d+n-4))
893                 {
894                 n2s(data,type);
895                 n2s(data,size);
896
897                 if (data+size > (d+n))
898                         goto ri_check;
899 #if 0
900                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
901 #endif
902                 if (s->tlsext_debug_cb)
903                         s->tlsext_debug_cb(s, 0, type, data, size,
904                                                 s->tlsext_debug_arg);
905 /* The servername extension is treated as follows:
906
907    - Only the hostname type is supported with a maximum length of 255.
908    - The servername is rejected if too long or if it contains zeros,
909      in which case an fatal alert is generated.
910    - The servername field is maintained together with the session cache.
911    - When a session is resumed, the servername call back invoked in order
912      to allow the application to position itself to the right context. 
913    - The servername is acknowledged if it is new for a session or when 
914      it is identical to a previously used for the same session. 
915      Applications can control the behaviour.  They can at any time
916      set a 'desirable' servername for a new SSL object. This can be the
917      case for example with HTTPS when a Host: header field is received and
918      a renegotiation is requested. In this case, a possible servername
919      presented in the new client hello is only acknowledged if it matches
920      the value of the Host: field. 
921    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
922      if they provide for changing an explicit servername context for the session,
923      i.e. when the session has been established with a servername extension. 
924    - On session reconnect, the servername extension may be absent. 
925
926 */      
927
928                 if (type == TLSEXT_TYPE_server_name)
929                         {
930                         unsigned char *sdata;
931                         int servname_type;
932                         int dsize; 
933                 
934                         if (size < 2) 
935                                 {
936                                 *al = SSL_AD_DECODE_ERROR;
937                                 return 0;
938                                 }
939                         n2s(data,dsize);  
940                         size -= 2;
941                         if (dsize > size  ) 
942                                 {
943                                 *al = SSL_AD_DECODE_ERROR;
944                                 return 0;
945                                 } 
946
947                         sdata = data;
948                         while (dsize > 3) 
949                                 {
950                                 servname_type = *(sdata++); 
951                                 n2s(sdata,len);
952                                 dsize -= 3;
953
954                                 if (len > dsize) 
955                                         {
956                                         *al = SSL_AD_DECODE_ERROR;
957                                         return 0;
958                                         }
959                                 if (s->servername_done == 0)
960                                 switch (servname_type)
961                                         {
962                                 case TLSEXT_NAMETYPE_host_name:
963                                         if (!s->hit)
964                                                 {
965                                                 if(s->session->tlsext_hostname)
966                                                         {
967                                                         *al = SSL_AD_DECODE_ERROR;
968                                                         return 0;
969                                                         }
970                                                 if (len > TLSEXT_MAXLEN_host_name)
971                                                         {
972                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
973                                                         return 0;
974                                                         }
975                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
976                                                         {
977                                                         *al = TLS1_AD_INTERNAL_ERROR;
978                                                         return 0;
979                                                         }
980                                                 memcpy(s->session->tlsext_hostname, sdata, len);
981                                                 s->session->tlsext_hostname[len]='\0';
982                                                 if (strlen(s->session->tlsext_hostname) != len) {
983                                                         OPENSSL_free(s->session->tlsext_hostname);
984                                                         s->session->tlsext_hostname = NULL;
985                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
986                                                         return 0;
987                                                 }
988                                                 s->servername_done = 1; 
989
990                                                 }
991                                         else 
992                                                 s->servername_done = s->session->tlsext_hostname
993                                                         && strlen(s->session->tlsext_hostname) == len 
994                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
995                                         
996                                         break;
997
998                                 default:
999                                         break;
1000                                         }
1001                                  
1002                                 dsize -= len;
1003                                 }
1004                         if (dsize != 0) 
1005                                 {
1006                                 *al = SSL_AD_DECODE_ERROR;
1007                                 return 0;
1008                                 }
1009
1010                         }
1011 #ifndef OPENSSL_NO_SRP
1012                 else if (type == TLSEXT_TYPE_srp)
1013                         {
1014                         if (size <= 0 || ((len = data[0])) != (size -1))
1015                                 {
1016                                 *al = SSL_AD_DECODE_ERROR;
1017                                 return 0;
1018                                 }
1019                         if (s->srp_ctx.login != NULL)
1020                                 {
1021                                 *al = SSL_AD_DECODE_ERROR;
1022                                 return 0;
1023                                 }
1024                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1025                                 return -1;
1026                         memcpy(s->srp_ctx.login, &data[1], len);
1027                         s->srp_ctx.login[len]='\0';
1028   
1029                         if (strlen(s->srp_ctx.login) != len) 
1030                                 {
1031                                 *al = SSL_AD_DECODE_ERROR;
1032                                 return 0;
1033                                 }
1034                         }
1035 #endif
1036
1037 #ifndef OPENSSL_NO_EC
1038                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1039                      s->version != DTLS1_VERSION)
1040                         {
1041                         unsigned char *sdata = data;
1042                         int ecpointformatlist_length = *(sdata++);
1043
1044                         if (ecpointformatlist_length != size - 1)
1045                                 {
1046                                 *al = TLS1_AD_DECODE_ERROR;
1047                                 return 0;
1048                                 }
1049                         if (!s->hit)
1050                                 {
1051                                 if(s->session->tlsext_ecpointformatlist)
1052                                         {
1053                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1054                                         s->session->tlsext_ecpointformatlist = NULL;
1055                                         }
1056                                 s->session->tlsext_ecpointformatlist_length = 0;
1057                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1058                                         {
1059                                         *al = TLS1_AD_INTERNAL_ERROR;
1060                                         return 0;
1061                                         }
1062                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1063                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1064                                 }
1065 #if 0
1066                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1067                         sdata = s->session->tlsext_ecpointformatlist;
1068                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1069                                 fprintf(stderr,"%i ",*(sdata++));
1070                         fprintf(stderr,"\n");
1071 #endif
1072                         }
1073                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1074                      s->version != DTLS1_VERSION)
1075                         {
1076                         unsigned char *sdata = data;
1077                         int ellipticcurvelist_length = (*(sdata++) << 8);
1078                         ellipticcurvelist_length += (*(sdata++));
1079
1080                         if (ellipticcurvelist_length != size - 2 ||
1081                                 ellipticcurvelist_length < 1)
1082                                 {
1083                                 *al = TLS1_AD_DECODE_ERROR;
1084                                 return 0;
1085                                 }
1086                         if (!s->hit)
1087                                 {
1088                                 if(s->session->tlsext_ellipticcurvelist)
1089                                         {
1090                                         *al = TLS1_AD_DECODE_ERROR;
1091                                         return 0;
1092                                         }
1093                                 s->session->tlsext_ellipticcurvelist_length = 0;
1094                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1095                                         {
1096                                         *al = TLS1_AD_INTERNAL_ERROR;
1097                                         return 0;
1098                                         }
1099                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1100                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1101                                 }
1102 #if 0
1103                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1104                         sdata = s->session->tlsext_ellipticcurvelist;
1105                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1106                                 fprintf(stderr,"%i ",*(sdata++));
1107                         fprintf(stderr,"\n");
1108 #endif
1109                         }
1110 #endif /* OPENSSL_NO_EC */
1111 #ifdef TLSEXT_TYPE_opaque_prf_input
1112                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1113                      s->version != DTLS1_VERSION)
1114                         {
1115                         unsigned char *sdata = data;
1116
1117                         if (size < 2)
1118                                 {
1119                                 *al = SSL_AD_DECODE_ERROR;
1120                                 return 0;
1121                                 }
1122                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1123                         if (s->s3->client_opaque_prf_input_len != size - 2)
1124                                 {
1125                                 *al = SSL_AD_DECODE_ERROR;
1126                                 return 0;
1127                                 }
1128
1129                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1130                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1131                         if (s->s3->client_opaque_prf_input_len == 0)
1132                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1133                         else
1134                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1135                         if (s->s3->client_opaque_prf_input == NULL)
1136                                 {
1137                                 *al = TLS1_AD_INTERNAL_ERROR;
1138                                 return 0;
1139                                 }
1140                         }
1141 #endif
1142                 else if (type == TLSEXT_TYPE_session_ticket)
1143                         {
1144                         if (s->tls_session_ticket_ext_cb &&
1145                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1146                                 {
1147                                 *al = TLS1_AD_INTERNAL_ERROR;
1148                                 return 0;
1149                                 }
1150                         }
1151                 else if (type == TLSEXT_TYPE_renegotiate)
1152                         {
1153                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1154                                 return 0;
1155                         renegotiate_seen = 1;
1156                         }
1157                 else if (type == TLSEXT_TYPE_signature_algorithms)
1158                         {
1159                         int dsize;
1160                         if (sigalg_seen || size < 2) 
1161                                 {
1162                                 *al = SSL_AD_DECODE_ERROR;
1163                                 return 0;
1164                                 }
1165                         sigalg_seen = 1;
1166                         n2s(data,dsize);
1167                         size -= 2;
1168                         if (dsize != size || dsize & 1) 
1169                                 {
1170                                 *al = SSL_AD_DECODE_ERROR;
1171                                 return 0;
1172                                 }
1173                         if (!tls1_process_sigalgs(s, data, dsize))
1174                                 {
1175                                 *al = SSL_AD_DECODE_ERROR;
1176                                 return 0;
1177                                 }
1178                         }
1179                 else if (type == TLSEXT_TYPE_status_request &&
1180                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1181                         {
1182                 
1183                         if (size < 5) 
1184                                 {
1185                                 *al = SSL_AD_DECODE_ERROR;
1186                                 return 0;
1187                                 }
1188
1189                         s->tlsext_status_type = *data++;
1190                         size--;
1191                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1192                                 {
1193                                 const unsigned char *sdata;
1194                                 int dsize;
1195                                 /* Read in responder_id_list */
1196                                 n2s(data,dsize);
1197                                 size -= 2;
1198                                 if (dsize > size  ) 
1199                                         {
1200                                         *al = SSL_AD_DECODE_ERROR;
1201                                         return 0;
1202                                         }
1203                                 while (dsize > 0)
1204                                         {
1205                                         OCSP_RESPID *id;
1206                                         int idsize;
1207                                         if (dsize < 4)
1208                                                 {
1209                                                 *al = SSL_AD_DECODE_ERROR;
1210                                                 return 0;
1211                                                 }
1212                                         n2s(data, idsize);
1213                                         dsize -= 2 + idsize;
1214                                         size -= 2 + idsize;
1215                                         if (dsize < 0)
1216                                                 {
1217                                                 *al = SSL_AD_DECODE_ERROR;
1218                                                 return 0;
1219                                                 }
1220                                         sdata = data;
1221                                         data += idsize;
1222                                         id = d2i_OCSP_RESPID(NULL,
1223                                                                 &sdata, idsize);
1224                                         if (!id)
1225                                                 {
1226                                                 *al = SSL_AD_DECODE_ERROR;
1227                                                 return 0;
1228                                                 }
1229                                         if (data != sdata)
1230                                                 {
1231                                                 OCSP_RESPID_free(id);
1232                                                 *al = SSL_AD_DECODE_ERROR;
1233                                                 return 0;
1234                                                 }
1235                                         if (!s->tlsext_ocsp_ids
1236                                                 && !(s->tlsext_ocsp_ids =
1237                                                 sk_OCSP_RESPID_new_null()))
1238                                                 {
1239                                                 OCSP_RESPID_free(id);
1240                                                 *al = SSL_AD_INTERNAL_ERROR;
1241                                                 return 0;
1242                                                 }
1243                                         if (!sk_OCSP_RESPID_push(
1244                                                         s->tlsext_ocsp_ids, id))
1245                                                 {
1246                                                 OCSP_RESPID_free(id);
1247                                                 *al = SSL_AD_INTERNAL_ERROR;
1248                                                 return 0;
1249                                                 }
1250                                         }
1251
1252                                 /* Read in request_extensions */
1253                                 if (size < 2)
1254                                         {
1255                                         *al = SSL_AD_DECODE_ERROR;
1256                                         return 0;
1257                                         }
1258                                 n2s(data,dsize);
1259                                 size -= 2;
1260                                 if (dsize != size)
1261                                         {
1262                                         *al = SSL_AD_DECODE_ERROR;
1263                                         return 0;
1264                                         }
1265                                 sdata = data;
1266                                 if (dsize > 0)
1267                                         {
1268                                         if (s->tlsext_ocsp_exts)
1269                                                 {
1270                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1271                                                                            X509_EXTENSION_free);
1272                                                 }
1273
1274                                         s->tlsext_ocsp_exts =
1275                                                 d2i_X509_EXTENSIONS(NULL,
1276                                                         &sdata, dsize);
1277                                         if (!s->tlsext_ocsp_exts
1278                                                 || (data + dsize != sdata))
1279                                                 {
1280                                                 *al = SSL_AD_DECODE_ERROR;
1281                                                 return 0;
1282                                                 }
1283                                         }
1284                                 }
1285                                 /* We don't know what to do with any other type
1286                                 * so ignore it.
1287                                 */
1288                                 else
1289                                         s->tlsext_status_type = -1;
1290                         }
1291 #ifndef OPENSSL_NO_HEARTBEATS
1292                 else if (type == TLSEXT_TYPE_heartbeat)
1293                         {
1294                         switch(data[0])
1295                                 {
1296                                 case 0x01:      /* Client allows us to send HB requests */
1297                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1298                                                         break;
1299                                 case 0x02:      /* Client doesn't accept HB requests */
1300                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1301                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1302                                                         break;
1303                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1304                                                         return 0;
1305                                 }
1306                         }
1307 #endif
1308 #ifndef OPENSSL_NO_NEXTPROTONEG
1309                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1310                          s->s3->tmp.finish_md_len == 0)
1311                         {
1312                         /* We shouldn't accept this extension on a
1313                          * renegotiation.
1314                          *
1315                          * s->new_session will be set on renegotiation, but we
1316                          * probably shouldn't rely that it couldn't be set on
1317                          * the initial renegotation too in certain cases (when
1318                          * there's some other reason to disallow resuming an
1319                          * earlier session -- the current code won't be doing
1320                          * anything like that, but this might change).
1321
1322                          * A valid sign that there's been a previous handshake
1323                          * in this connection is if s->s3->tmp.finish_md_len >
1324                          * 0.  (We are talking about a check that will happen
1325                          * in the Hello protocol round, well before a new
1326                          * Finished message could have been computed.) */
1327                         s->s3->next_proto_neg_seen = 1;
1328                         }
1329 #endif
1330
1331                 /* session ticket processed earlier */
1332                 else if (type == TLSEXT_TYPE_use_srtp)
1333                         {
1334                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1335                                                               al))
1336                                 return 0;
1337                         }
1338
1339                 data+=size;
1340                 }
1341                                 
1342         *p = data;
1343
1344         ri_check:
1345
1346         /* Need RI if renegotiating */
1347
1348         if (!renegotiate_seen && s->renegotiate &&
1349                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1350                 {
1351                 *al = SSL_AD_HANDSHAKE_FAILURE;
1352                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1353                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1354                 return 0;
1355                 }
1356
1357         return 1;
1358         }
1359
1360 #ifndef OPENSSL_NO_NEXTPROTONEG
1361 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1362  * elements of zero length are allowed and the set of elements must exactly fill
1363  * the length of the block. */
1364 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1365         {
1366         unsigned int off = 0;
1367
1368         while (off < len)
1369                 {
1370                 if (d[off] == 0)
1371                         return 0;
1372                 off += d[off];
1373                 off++;
1374                 }
1375
1376         return off == len;
1377         }
1378 #endif
1379
1380 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1381         {
1382         unsigned short length;
1383         unsigned short type;
1384         unsigned short size;
1385         unsigned char *data = *p;
1386         int tlsext_servername = 0;
1387         int renegotiate_seen = 0;
1388
1389 #ifndef OPENSSL_NO_NEXTPROTONEG
1390         s->s3->next_proto_neg_seen = 0;
1391 #endif
1392
1393 #ifndef OPENSSL_NO_HEARTBEATS
1394         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1395                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1396 #endif
1397
1398         if (data >= (d+n-2))
1399                 goto ri_check;
1400
1401         n2s(data,length);
1402         if (data+length != d+n)
1403                 {
1404                 *al = SSL_AD_DECODE_ERROR;
1405                 return 0;
1406                 }
1407
1408         while(data <= (d+n-4))
1409                 {
1410                 n2s(data,type);
1411                 n2s(data,size);
1412
1413                 if (data+size > (d+n))
1414                         goto ri_check;
1415
1416                 if (s->tlsext_debug_cb)
1417                         s->tlsext_debug_cb(s, 1, type, data, size,
1418                                                 s->tlsext_debug_arg);
1419
1420                 if (type == TLSEXT_TYPE_server_name)
1421                         {
1422                         if (s->tlsext_hostname == NULL || size > 0)
1423                                 {
1424                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1425                                 return 0;
1426                                 }
1427                         tlsext_servername = 1;   
1428                         }
1429
1430 #ifndef OPENSSL_NO_EC
1431                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1432                      s->version != DTLS1_VERSION)
1433                         {
1434                         unsigned char *sdata = data;
1435                         int ecpointformatlist_length = *(sdata++);
1436
1437                         if (ecpointformatlist_length != size - 1 || 
1438                                 ecpointformatlist_length < 1)
1439                                 {
1440                                 *al = TLS1_AD_DECODE_ERROR;
1441                                 return 0;
1442                                 }
1443                         s->session->tlsext_ecpointformatlist_length = 0;
1444                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1445                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1446                                 {
1447                                 *al = TLS1_AD_INTERNAL_ERROR;
1448                                 return 0;
1449                                 }
1450                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1451                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1452 #if 0
1453                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1454                         sdata = s->session->tlsext_ecpointformatlist;
1455                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1456                                 fprintf(stderr,"%i ",*(sdata++));
1457                         fprintf(stderr,"\n");
1458 #endif
1459                         }
1460 #endif /* OPENSSL_NO_EC */
1461
1462                 else if (type == TLSEXT_TYPE_session_ticket)
1463                         {
1464                         if (s->tls_session_ticket_ext_cb &&
1465                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1466                                 {
1467                                 *al = TLS1_AD_INTERNAL_ERROR;
1468                                 return 0;
1469                                 }
1470                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1471                                 || (size > 0))
1472                                 {
1473                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1474                                 return 0;
1475                                 }
1476                         s->tlsext_ticket_expected = 1;
1477                         }
1478 #ifdef TLSEXT_TYPE_opaque_prf_input
1479                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1480                      s->version != DTLS1_VERSION)
1481                         {
1482                         unsigned char *sdata = data;
1483
1484                         if (size < 2)
1485                                 {
1486                                 *al = SSL_AD_DECODE_ERROR;
1487                                 return 0;
1488                                 }
1489                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1490                         if (s->s3->server_opaque_prf_input_len != size - 2)
1491                                 {
1492                                 *al = SSL_AD_DECODE_ERROR;
1493                                 return 0;
1494                                 }
1495                         
1496                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1497                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1498                         if (s->s3->server_opaque_prf_input_len == 0)
1499                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1500                         else
1501                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1502
1503                         if (s->s3->server_opaque_prf_input == NULL)
1504                                 {
1505                                 *al = TLS1_AD_INTERNAL_ERROR;
1506                                 return 0;
1507                                 }
1508                         }
1509 #endif
1510                 else if (type == TLSEXT_TYPE_status_request &&
1511                          s->version != DTLS1_VERSION)
1512                         {
1513                         /* MUST be empty and only sent if we've requested
1514                          * a status request message.
1515                          */ 
1516                         if ((s->tlsext_status_type == -1) || (size > 0))
1517                                 {
1518                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1519                                 return 0;
1520                                 }
1521                         /* Set flag to expect CertificateStatus message */
1522                         s->tlsext_status_expected = 1;
1523                         }
1524 #ifndef OPENSSL_NO_NEXTPROTONEG
1525                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1526                          s->s3->tmp.finish_md_len == 0)
1527                         {
1528                         unsigned char *selected;
1529                         unsigned char selected_len;
1530
1531                         /* We must have requested it. */
1532                         if (s->ctx->next_proto_select_cb == NULL)
1533                                 {
1534                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1535                                 return 0;
1536                                 }
1537                         /* The data must be valid */
1538                         if (!ssl_next_proto_validate(data, size))
1539                                 {
1540                                 *al = TLS1_AD_DECODE_ERROR;
1541                                 return 0;
1542                                 }
1543                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1544                                 {
1545                                 *al = TLS1_AD_INTERNAL_ERROR;
1546                                 return 0;
1547                                 }
1548                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1549                         if (!s->next_proto_negotiated)
1550                                 {
1551                                 *al = TLS1_AD_INTERNAL_ERROR;
1552                                 return 0;
1553                                 }
1554                         memcpy(s->next_proto_negotiated, selected, selected_len);
1555                         s->next_proto_negotiated_len = selected_len;
1556                         s->s3->next_proto_neg_seen = 1;
1557                         }
1558 #endif
1559                 else if (type == TLSEXT_TYPE_renegotiate)
1560                         {
1561                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1562                                 return 0;
1563                         renegotiate_seen = 1;
1564                         }
1565 #ifndef OPENSSL_NO_HEARTBEATS
1566                 else if (type == TLSEXT_TYPE_heartbeat)
1567                         {
1568                         switch(data[0])
1569                                 {
1570                                 case 0x01:      /* Server allows us to send HB requests */
1571                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1572                                                         break;
1573                                 case 0x02:      /* Server doesn't accept HB requests */
1574                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1575                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1576                                                         break;
1577                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1578                                                         return 0;
1579                                 }
1580                         }
1581 #endif
1582                 else if (type == TLSEXT_TYPE_use_srtp)
1583                         {
1584                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1585                                                               al))
1586                                 return 0;
1587                         }
1588
1589                 data+=size;             
1590                 }
1591
1592         if (data != d+n)
1593                 {
1594                 *al = SSL_AD_DECODE_ERROR;
1595                 return 0;
1596                 }
1597
1598         if (!s->hit && tlsext_servername == 1)
1599                 {
1600                 if (s->tlsext_hostname)
1601                         {
1602                         if (s->session->tlsext_hostname == NULL)
1603                                 {
1604                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1605                                 if (!s->session->tlsext_hostname)
1606                                         {
1607                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1608                                         return 0;
1609                                         }
1610                                 }
1611                         else 
1612                                 {
1613                                 *al = SSL_AD_DECODE_ERROR;
1614                                 return 0;
1615                                 }
1616                         }
1617                 }
1618
1619         *p = data;
1620
1621         ri_check:
1622
1623         /* Determine if we need to see RI. Strictly speaking if we want to
1624          * avoid an attack we should *always* see RI even on initial server
1625          * hello because the client doesn't see any renegotiation during an
1626          * attack. However this would mean we could not connect to any server
1627          * which doesn't support RI so for the immediate future tolerate RI
1628          * absence on initial connect only.
1629          */
1630         if (!renegotiate_seen
1631                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1632                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1633                 {
1634                 *al = SSL_AD_HANDSHAKE_FAILURE;
1635                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1636                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1637                 return 0;
1638                 }
1639
1640         return 1;
1641         }
1642
1643
1644 int ssl_prepare_clienthello_tlsext(SSL *s)
1645         {
1646 #ifndef OPENSSL_NO_EC
1647         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1648          * and elliptic curves we support.
1649          */
1650         int using_ecc = 0;
1651         int i;
1652         unsigned char *j;
1653         unsigned long alg_k, alg_a;
1654         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1655
1656         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1657                 {
1658                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1659
1660                 alg_k = c->algorithm_mkey;
1661                 alg_a = c->algorithm_auth;
1662                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1663                         {
1664                         using_ecc = 1;
1665                         break;
1666                         }
1667                 }
1668         using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1669         if (using_ecc)
1670                 {
1671                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1672                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1673                         {
1674                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1675                         return -1;
1676                         }
1677                 s->tlsext_ecpointformatlist_length = 3;
1678                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1679                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1680                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1681
1682                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1683                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1684                 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1685                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1686                         {
1687                         s->tlsext_ellipticcurvelist_length = 0;
1688                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1689                         return -1;
1690                         }
1691                 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1692                                 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1693                         {
1694                         int id = tls1_ec_nid2curve_id(pref_list[i]);
1695                         s2n(id,j);
1696                         }
1697                 }
1698 #endif /* OPENSSL_NO_EC */
1699
1700 #ifdef TLSEXT_TYPE_opaque_prf_input
1701         {
1702                 int r = 1;
1703         
1704                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1705                         {
1706                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1707                         if (!r)
1708                                 return -1;
1709                         }
1710
1711                 if (s->tlsext_opaque_prf_input != NULL)
1712                         {
1713                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1714                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1715
1716                         if (s->tlsext_opaque_prf_input_len == 0)
1717                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1718                         else
1719                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1720                         if (s->s3->client_opaque_prf_input == NULL)
1721                                 {
1722                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1723                                 return -1;
1724                                 }
1725                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1726                         }
1727
1728                 if (r == 2)
1729                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1730                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1731         }
1732 #endif
1733
1734         return 1;
1735         }
1736
1737 int ssl_prepare_serverhello_tlsext(SSL *s)
1738         {
1739 #ifndef OPENSSL_NO_EC
1740         /* If we are server and using an ECC cipher suite, send the point formats we support 
1741          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1742          * supposed to send an EllipticCurves extension.
1743          */
1744
1745         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1746         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1747         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1748         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1749         
1750         if (using_ecc)
1751                 {
1752                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1753                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1754                         {
1755                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1756                         return -1;
1757                         }
1758                 s->tlsext_ecpointformatlist_length = 3;
1759                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1760                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1761                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1762                 }
1763 #endif /* OPENSSL_NO_EC */
1764
1765         return 1;
1766         }
1767
1768 int ssl_check_clienthello_tlsext_early(SSL *s)
1769         {
1770         int ret=SSL_TLSEXT_ERR_NOACK;
1771         int al = SSL_AD_UNRECOGNIZED_NAME;
1772
1773 #ifndef OPENSSL_NO_EC
1774         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1775          * ssl3_choose_cipher in s3_lib.c.
1776          */
1777         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1778          * ssl3_choose_cipher in s3_lib.c.
1779          */
1780 #endif
1781
1782         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1783                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1784         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1785                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1786
1787 #ifdef TLSEXT_TYPE_opaque_prf_input
1788         {
1789                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1790                  * but we might be sending an alert in response to the client hello,
1791                  * so this has to happen here in
1792                  * ssl_check_clienthello_tlsext_early(). */
1793
1794                 int r = 1;
1795         
1796                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1797                         {
1798                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1799                         if (!r)
1800                                 {
1801                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1802                                 al = SSL_AD_INTERNAL_ERROR;
1803                                 goto err;
1804                                 }
1805                         }
1806
1807                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1808                         OPENSSL_free(s->s3->server_opaque_prf_input);
1809                 s->s3->server_opaque_prf_input = NULL;
1810
1811                 if (s->tlsext_opaque_prf_input != NULL)
1812                         {
1813                         if (s->s3->client_opaque_prf_input != NULL &&
1814                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1815                                 {
1816                                 /* can only use this extension if we have a server opaque PRF input
1817                                  * of the same length as the client opaque PRF input! */
1818
1819                                 if (s->tlsext_opaque_prf_input_len == 0)
1820                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1821                                 else
1822                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1823                                 if (s->s3->server_opaque_prf_input == NULL)
1824                                         {
1825                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1826                                         al = SSL_AD_INTERNAL_ERROR;
1827                                         goto err;
1828                                         }
1829                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1830                                 }
1831                         }
1832
1833                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1834                         {
1835                         /* The callback wants to enforce use of the extension,
1836                          * but we can't do that with the client opaque PRF input;
1837                          * abort the handshake.
1838                          */
1839                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1840                         al = SSL_AD_HANDSHAKE_FAILURE;
1841                         }
1842         }
1843
1844  err:
1845 #endif
1846         switch (ret)
1847                 {
1848                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1849                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1850                         return -1;
1851
1852                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1853                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1854                         return 1; 
1855                                         
1856                 case SSL_TLSEXT_ERR_NOACK:
1857                         s->servername_done=0;
1858                         default:
1859                 return 1;
1860                 }
1861         }
1862
1863 int ssl_check_clienthello_tlsext_late(SSL *s)
1864         {
1865         int ret = SSL_TLSEXT_ERR_OK;
1866         int al;
1867
1868         /* If status request then ask callback what to do.
1869          * Note: this must be called after servername callbacks in case 
1870          * the certificate has changed, and must be called after the cipher
1871          * has been chosen because this may influence which certificate is sent
1872          */
1873         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1874                 {
1875                 int r;
1876                 CERT_PKEY *certpkey;
1877                 certpkey = ssl_get_server_send_pkey(s);
1878                 /* If no certificate can't return certificate status */
1879                 if (certpkey == NULL)
1880                         {
1881                         s->tlsext_status_expected = 0;
1882                         return 1;
1883                         }
1884                 /* Set current certificate to one we will use so
1885                  * SSL_get_certificate et al can pick it up.
1886                  */
1887                 s->cert->key = certpkey;
1888                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1889                 switch (r)
1890                         {
1891                         /* We don't want to send a status request response */
1892                         case SSL_TLSEXT_ERR_NOACK:
1893                                 s->tlsext_status_expected = 0;
1894                                 break;
1895                         /* status request response should be sent */
1896                         case SSL_TLSEXT_ERR_OK:
1897                                 if (s->tlsext_ocsp_resp)
1898                                         s->tlsext_status_expected = 1;
1899                                 else
1900                                         s->tlsext_status_expected = 0;
1901                                 break;
1902                         /* something bad happened */
1903                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1904                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1905                                 al = SSL_AD_INTERNAL_ERROR;
1906                                 goto err;
1907                         }
1908                 }
1909         else
1910                 s->tlsext_status_expected = 0;
1911
1912  err:
1913         switch (ret)
1914                 {
1915                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1916                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1917                         return -1;
1918
1919                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1920                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1921                         return 1; 
1922
1923                 default:
1924                         return 1;
1925                 }
1926         }
1927
1928 int ssl_check_serverhello_tlsext(SSL *s)
1929         {
1930         int ret=SSL_TLSEXT_ERR_NOACK;
1931         int al = SSL_AD_UNRECOGNIZED_NAME;
1932
1933 #ifndef OPENSSL_NO_EC
1934         /* If we are client and using an elliptic curve cryptography cipher
1935          * suite, then if server returns an EC point formats lists extension
1936          * it must contain uncompressed.
1937          */
1938         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1939         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1940         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1941             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
1942             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1943                 {
1944                 /* we are using an ECC cipher */
1945                 size_t i;
1946                 unsigned char *list;
1947                 int found_uncompressed = 0;
1948                 list = s->session->tlsext_ecpointformatlist;
1949                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1950                         {
1951                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1952                                 {
1953                                 found_uncompressed = 1;
1954                                 break;
1955                                 }
1956                         }
1957                 if (!found_uncompressed)
1958                         {
1959                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1960                         return -1;
1961                         }
1962                 }
1963         ret = SSL_TLSEXT_ERR_OK;
1964 #endif /* OPENSSL_NO_EC */
1965
1966         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1967                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1968         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1969                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1970
1971 #ifdef TLSEXT_TYPE_opaque_prf_input
1972         if (s->s3->server_opaque_prf_input_len > 0)
1973                 {
1974                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1975                  * So first verify that we really have a value from the server too. */
1976
1977                 if (s->s3->server_opaque_prf_input == NULL)
1978                         {
1979                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1980                         al = SSL_AD_HANDSHAKE_FAILURE;
1981                         }
1982                 
1983                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1984                  * that we have a client opaque PRF input of the same size. */
1985                 if (s->s3->client_opaque_prf_input == NULL ||
1986                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1987                         {
1988                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1989                         al = SSL_AD_ILLEGAL_PARAMETER;
1990                         }
1991                 }
1992 #endif
1993
1994         /* If we've requested certificate status and we wont get one
1995          * tell the callback
1996          */
1997         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1998                         && s->ctx && s->ctx->tlsext_status_cb)
1999                 {
2000                 int r;
2001                 /* Set resp to NULL, resplen to -1 so callback knows
2002                  * there is no response.
2003                  */
2004                 if (s->tlsext_ocsp_resp)
2005                         {
2006                         OPENSSL_free(s->tlsext_ocsp_resp);
2007                         s->tlsext_ocsp_resp = NULL;
2008                         }
2009                 s->tlsext_ocsp_resplen = -1;
2010                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2011                 if (r == 0)
2012                         {
2013                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2014                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2015                         }
2016                 if (r < 0)
2017                         {
2018                         al = SSL_AD_INTERNAL_ERROR;
2019                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2020                         }
2021                 }
2022
2023         switch (ret)
2024                 {
2025                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2026                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2027                         return -1;
2028
2029                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2030                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2031                         return 1; 
2032                                         
2033                 case SSL_TLSEXT_ERR_NOACK:
2034                         s->servername_done=0;
2035                         default:
2036                 return 1;
2037                 }
2038         }
2039
2040 /* Since the server cache lookup is done early on in the processing of the
2041  * ClientHello, and other operations depend on the result, we need to handle
2042  * any TLS session ticket extension at the same time.
2043  *
2044  *   session_id: points at the session ID in the ClientHello. This code will
2045  *       read past the end of this in order to parse out the session ticket
2046  *       extension, if any.
2047  *   len: the length of the session ID.
2048  *   limit: a pointer to the first byte after the ClientHello.
2049  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2050  *       point to the resulting session.
2051  *
2052  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2053  * ciphersuite, in which case we have no use for session tickets and one will
2054  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2055  *
2056  * Returns:
2057  *   -1: fatal error, either from parsing or decrypting the ticket.
2058  *    0: no ticket was found (or was ignored, based on settings).
2059  *    1: a zero length extension was found, indicating that the client supports
2060  *       session tickets but doesn't currently have one to offer.
2061  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2062  *       couldn't be decrypted because of a non-fatal error.
2063  *    3: a ticket was successfully decrypted and *ret was set.
2064  *
2065  * Side effects:
2066  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2067  *   a new session ticket to the client because the client indicated support
2068  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2069  *   a session ticket or we couldn't use the one it gave us, or if
2070  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2071  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2072  */
2073 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2074                         const unsigned char *limit, SSL_SESSION **ret)
2075         {
2076         /* Point after session ID in client hello */
2077         const unsigned char *p = session_id + len;
2078         unsigned short i;
2079
2080         *ret = NULL;
2081         s->tlsext_ticket_expected = 0;
2082
2083         /* If tickets disabled behave as if no ticket present
2084          * to permit stateful resumption.
2085          */
2086         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2087                 return 0;
2088         if ((s->version <= SSL3_VERSION) || !limit)
2089                 return 0;
2090         if (p >= limit)
2091                 return -1;
2092         /* Skip past DTLS cookie */
2093         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2094                 {
2095                 i = *(p++);
2096                 p+= i;
2097                 if (p >= limit)
2098                         return -1;
2099                 }
2100         /* Skip past cipher list */
2101         n2s(p, i);
2102         p+= i;
2103         if (p >= limit)
2104                 return -1;
2105         /* Skip past compression algorithm list */
2106         i = *(p++);
2107         p += i;
2108         if (p > limit)
2109                 return -1;
2110         /* Now at start of extensions */
2111         if ((p + 2) >= limit)
2112                 return 0;
2113         n2s(p, i);
2114         while ((p + 4) <= limit)
2115                 {
2116                 unsigned short type, size;
2117                 n2s(p, type);
2118                 n2s(p, size);
2119                 if (p + size > limit)
2120                         return 0;
2121                 if (type == TLSEXT_TYPE_session_ticket)
2122                         {
2123                         int r;
2124                         if (size == 0)
2125                                 {
2126                                 /* The client will accept a ticket but doesn't
2127                                  * currently have one. */
2128                                 s->tlsext_ticket_expected = 1;
2129                                 return 1;
2130                                 }
2131                         if (s->tls_session_secret_cb)
2132                                 {
2133                                 /* Indicate that the ticket couldn't be
2134                                  * decrypted rather than generating the session
2135                                  * from ticket now, trigger abbreviated
2136                                  * handshake based on external mechanism to
2137                                  * calculate the master secret later. */
2138                                 return 2;
2139                                 }
2140                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2141                         switch (r)
2142                                 {
2143                                 case 2: /* ticket couldn't be decrypted */
2144                                         s->tlsext_ticket_expected = 1;
2145                                         return 2;
2146                                 case 3: /* ticket was decrypted */
2147                                         return r;
2148                                 case 4: /* ticket decrypted but need to renew */
2149                                         s->tlsext_ticket_expected = 1;
2150                                         return 3;
2151                                 default: /* fatal error */
2152                                         return -1;
2153                                 }
2154                         }
2155                 p += size;
2156                 }
2157         return 0;
2158         }
2159
2160 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2161  *
2162  *   etick: points to the body of the session ticket extension.
2163  *   eticklen: the length of the session tickets extenion.
2164  *   sess_id: points at the session ID.
2165  *   sesslen: the length of the session ID.
2166  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2167  *       point to the resulting session.
2168  *
2169  * Returns:
2170  *   -1: fatal error, either from parsing or decrypting the ticket.
2171  *    2: the ticket couldn't be decrypted.
2172  *    3: a ticket was successfully decrypted and *psess was set.
2173  *    4: same as 3, but the ticket needs to be renewed.
2174  */
2175 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2176                                 const unsigned char *sess_id, int sesslen,
2177                                 SSL_SESSION **psess)
2178         {
2179         SSL_SESSION *sess;
2180         unsigned char *sdec;
2181         const unsigned char *p;
2182         int slen, mlen, renew_ticket = 0;
2183         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2184         HMAC_CTX hctx;
2185         EVP_CIPHER_CTX ctx;
2186         SSL_CTX *tctx = s->initial_ctx;
2187         /* Need at least keyname + iv + some encrypted data */
2188         if (eticklen < 48)
2189                 return 2;
2190         /* Initialize session ticket encryption and HMAC contexts */
2191         HMAC_CTX_init(&hctx);
2192         EVP_CIPHER_CTX_init(&ctx);
2193         if (tctx->tlsext_ticket_key_cb)
2194                 {
2195                 unsigned char *nctick = (unsigned char *)etick;
2196                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2197                                                         &ctx, &hctx, 0);
2198                 if (rv < 0)
2199                         return -1;
2200                 if (rv == 0)
2201                         return 2;
2202                 if (rv == 2)
2203                         renew_ticket = 1;
2204                 }
2205         else
2206                 {
2207                 /* Check key name matches */
2208                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2209                         return 2;
2210                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2211                                         tlsext_tick_md(), NULL);
2212                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2213                                 tctx->tlsext_tick_aes_key, etick + 16);
2214                 }
2215         /* Attempt to process session ticket, first conduct sanity and
2216          * integrity checks on ticket.
2217          */
2218         mlen = HMAC_size(&hctx);
2219         if (mlen < 0)
2220                 {
2221                 EVP_CIPHER_CTX_cleanup(&ctx);
2222                 return -1;
2223                 }
2224         eticklen -= mlen;
2225         /* Check HMAC of encrypted ticket */
2226         HMAC_Update(&hctx, etick, eticklen);
2227         HMAC_Final(&hctx, tick_hmac, NULL);
2228         HMAC_CTX_cleanup(&hctx);
2229         if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2230                 return 2;
2231         /* Attempt to decrypt session data */
2232         /* Move p after IV to start of encrypted ticket, update length */
2233         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2234         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2235         sdec = OPENSSL_malloc(eticklen);
2236         if (!sdec)
2237                 {
2238                 EVP_CIPHER_CTX_cleanup(&ctx);
2239                 return -1;
2240                 }
2241         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2242         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2243                 return 2;
2244         slen += mlen;
2245         EVP_CIPHER_CTX_cleanup(&ctx);
2246         p = sdec;
2247
2248         sess = d2i_SSL_SESSION(NULL, &p, slen);
2249         OPENSSL_free(sdec);
2250         if (sess)
2251                 {
2252                 /* The session ID, if non-empty, is used by some clients to
2253                  * detect that the ticket has been accepted. So we copy it to
2254                  * the session structure. If it is empty set length to zero
2255                  * as required by standard.
2256                  */
2257                 if (sesslen)
2258                         memcpy(sess->session_id, sess_id, sesslen);
2259                 sess->session_id_length = sesslen;
2260                 *psess = sess;
2261                 if (renew_ticket)
2262                         return 4;
2263                 else
2264                         return 3;
2265                 }
2266         ERR_clear_error();
2267         /* For session parse failure, indicate that we need to send a new
2268          * ticket. */
2269         return 2;
2270         }
2271
2272 /* Tables to translate from NIDs to TLS v1.2 ids */
2273
2274 typedef struct 
2275         {
2276         int nid;
2277         int id;
2278         } tls12_lookup;
2279
2280 static tls12_lookup tls12_md[] = {
2281 #ifndef OPENSSL_NO_MD5
2282         {NID_md5, TLSEXT_hash_md5},
2283 #endif
2284 #ifndef OPENSSL_NO_SHA
2285         {NID_sha1, TLSEXT_hash_sha1},
2286 #endif
2287 #ifndef OPENSSL_NO_SHA256
2288         {NID_sha224, TLSEXT_hash_sha224},
2289         {NID_sha256, TLSEXT_hash_sha256},
2290 #endif
2291 #ifndef OPENSSL_NO_SHA512
2292         {NID_sha384, TLSEXT_hash_sha384},
2293         {NID_sha512, TLSEXT_hash_sha512}
2294 #endif
2295 };
2296
2297 static tls12_lookup tls12_sig[] = {
2298 #ifndef OPENSSL_NO_RSA
2299         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2300 #endif
2301 #ifndef OPENSSL_NO_DSA
2302         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2303 #endif
2304 #ifndef OPENSSL_NO_ECDSA
2305         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2306 #endif
2307 };
2308
2309 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2310         {
2311         size_t i;
2312         for (i = 0; i < tlen; i++)
2313                 {
2314                 if (table[i].nid == nid)
2315                         return table[i].id;
2316                 }
2317         return -1;
2318         }
2319 #if 0
2320 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2321         {
2322         size_t i;
2323         for (i = 0; i < tlen; i++)
2324                 {
2325                 if (table[i].id == id)
2326                         return table[i].nid;
2327                 }
2328         return -1;
2329         }
2330 #endif
2331
2332 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2333         {
2334         int sig_id, md_id;
2335         if (!md)
2336                 return 0;
2337         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2338                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2339         if (md_id == -1)
2340                 return 0;
2341         sig_id = tls12_get_sigid(pk);
2342         if (sig_id == -1)
2343                 return 0;
2344         p[0] = (unsigned char)md_id;
2345         p[1] = (unsigned char)sig_id;
2346         return 1;
2347         }
2348
2349 int tls12_get_sigid(const EVP_PKEY *pk)
2350         {
2351         return tls12_find_id(pk->type, tls12_sig,
2352                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2353         }
2354
2355 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2356         {
2357         switch(hash_alg)
2358                 {
2359 #ifndef OPENSSL_NO_MD5
2360                 case TLSEXT_hash_md5:
2361 #ifdef OPENSSL_FIPS
2362                 if (FIPS_mode())
2363                         return NULL;
2364 #endif
2365                 return EVP_md5();
2366 #endif
2367 #ifndef OPENSSL_NO_SHA
2368                 case TLSEXT_hash_sha1:
2369                 return EVP_sha1();
2370 #endif
2371 #ifndef OPENSSL_NO_SHA256
2372                 case TLSEXT_hash_sha224:
2373                 return EVP_sha224();
2374
2375                 case TLSEXT_hash_sha256:
2376                 return EVP_sha256();
2377 #endif
2378 #ifndef OPENSSL_NO_SHA512
2379                 case TLSEXT_hash_sha384:
2380                 return EVP_sha384();
2381
2382                 case TLSEXT_hash_sha512:
2383                 return EVP_sha512();
2384 #endif
2385                 default:
2386                 return NULL;
2387
2388                 }
2389         }
2390
2391 /* Set preferred digest for each key type */
2392
2393 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2394         {
2395         int i, idx;
2396         const EVP_MD *md;
2397         CERT *c = s->cert;
2398         /* Extension ignored for TLS versions below 1.2 */
2399         if (TLS1_get_version(s) < TLS1_2_VERSION)
2400                 return 1;
2401         /* Should never happen */
2402         if (!c)
2403                 return 0;
2404
2405         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2406         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2407         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2408         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2409
2410         for (i = 0; i < dsize; i += 2)
2411                 {
2412                 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2413
2414                 switch(sig_alg)
2415                         {
2416 #ifndef OPENSSL_NO_RSA
2417                         case TLSEXT_signature_rsa:
2418                         idx = SSL_PKEY_RSA_SIGN;
2419                         break;
2420 #endif
2421 #ifndef OPENSSL_NO_DSA
2422                         case TLSEXT_signature_dsa:
2423                         idx = SSL_PKEY_DSA_SIGN;
2424                         break;
2425 #endif
2426 #ifndef OPENSSL_NO_ECDSA
2427                         case TLSEXT_signature_ecdsa:
2428                         idx = SSL_PKEY_ECC;
2429                         break;
2430 #endif
2431                         default:
2432                         continue;
2433                         }
2434
2435                 if (c->pkeys[idx].digest == NULL)
2436                         {
2437                         md = tls12_get_hash(hash_alg);
2438                         if (md)
2439                                 {
2440                                 c->pkeys[idx].digest = md;
2441                                 if (idx == SSL_PKEY_RSA_SIGN)
2442                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2443                                 }
2444                         }
2445
2446                 }
2447
2448
2449         /* Set any remaining keys to default values. NOTE: if alg is not
2450          * supported it stays as NULL.
2451          */
2452 #ifndef OPENSSL_NO_DSA
2453         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2454                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2455 #endif
2456 #ifndef OPENSSL_NO_RSA
2457         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2458                 {
2459                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2460                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2461                 }
2462 #endif
2463 #ifndef OPENSSL_NO_ECDSA
2464         if (!c->pkeys[SSL_PKEY_ECC].digest)
2465                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2466 #endif
2467         return 1;
2468         }
2469
2470 #endif
2471
2472 #ifndef OPENSSL_NO_HEARTBEATS
2473 int
2474 tls1_process_heartbeat(SSL *s)
2475         {
2476         unsigned char *p = &s->s3->rrec.data[0], *pl;
2477         unsigned short hbtype;
2478         unsigned int payload;
2479         unsigned int padding = 16; /* Use minimum padding */
2480
2481         /* Read type and payload length first */
2482         hbtype = *p++;
2483         n2s(p, payload);
2484         pl = p;
2485
2486         if (s->msg_callback)
2487                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2488                         &s->s3->rrec.data[0], s->s3->rrec.length,
2489                         s, s->msg_callback_arg);
2490
2491         if (hbtype == TLS1_HB_REQUEST)
2492                 {
2493                 unsigned char *buffer, *bp;
2494                 int r;
2495
2496                 /* Allocate memory for the response, size is 1 bytes
2497                  * message type, plus 2 bytes payload length, plus
2498                  * payload, plus padding
2499                  */
2500                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2501                 bp = buffer;
2502                 
2503                 /* Enter response type, length and copy payload */
2504                 *bp++ = TLS1_HB_RESPONSE;
2505                 s2n(payload, bp);
2506                 memcpy(bp, pl, payload);
2507                 bp += payload;
2508                 /* Random padding */
2509                 RAND_pseudo_bytes(bp, padding);
2510
2511                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2512
2513                 if (r >= 0 && s->msg_callback)
2514                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2515                                 buffer, 3 + payload + padding,
2516                                 s, s->msg_callback_arg);
2517
2518                 OPENSSL_free(buffer);
2519
2520                 if (r < 0)
2521                         return r;
2522                 }
2523         else if (hbtype == TLS1_HB_RESPONSE)
2524                 {
2525                 unsigned int seq;
2526                 
2527                 /* We only send sequence numbers (2 bytes unsigned int),
2528                  * and 16 random bytes, so we just try to read the
2529                  * sequence number */
2530                 n2s(pl, seq);
2531                 
2532                 if (payload == 18 && seq == s->tlsext_hb_seq)
2533                         {
2534                         s->tlsext_hb_seq++;
2535                         s->tlsext_hb_pending = 0;
2536                         }
2537                 }
2538
2539         return 0;
2540         }
2541
2542 int
2543 tls1_heartbeat(SSL *s)
2544         {
2545         unsigned char *buf, *p;
2546         int ret;
2547         unsigned int payload = 18; /* Sequence number + random bytes */
2548         unsigned int padding = 16; /* Use minimum padding */
2549
2550         /* Only send if peer supports and accepts HB requests... */
2551         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2552             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2553                 {
2554                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2555                 return -1;
2556                 }
2557
2558         /* ...and there is none in flight yet... */
2559         if (s->tlsext_hb_pending)
2560                 {
2561                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2562                 return -1;
2563                 }
2564                 
2565         /* ...and no handshake in progress. */
2566         if (SSL_in_init(s) || s->in_handshake)
2567                 {
2568                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2569                 return -1;
2570                 }
2571                 
2572         /* Check if padding is too long, payload and padding
2573          * must not exceed 2^14 - 3 = 16381 bytes in total.
2574          */
2575         OPENSSL_assert(payload + padding <= 16381);
2576
2577         /* Create HeartBeat message, we just use a sequence number
2578          * as payload to distuingish different messages and add
2579          * some random stuff.
2580          *  - Message Type, 1 byte
2581          *  - Payload Length, 2 bytes (unsigned int)
2582          *  - Payload, the sequence number (2 bytes uint)
2583          *  - Payload, random bytes (16 bytes uint)
2584          *  - Padding
2585          */
2586         buf = OPENSSL_malloc(1 + 2 + payload + padding);
2587         p = buf;
2588         /* Message Type */
2589         *p++ = TLS1_HB_REQUEST;
2590         /* Payload length (18 bytes here) */
2591         s2n(payload, p);
2592         /* Sequence number */
2593         s2n(s->tlsext_hb_seq, p);
2594         /* 16 random bytes */
2595         RAND_pseudo_bytes(p, 16);
2596         p += 16;
2597         /* Random padding */
2598         RAND_pseudo_bytes(p, padding);
2599
2600         ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2601         if (ret >= 0)
2602                 {
2603                 if (s->msg_callback)
2604                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2605                                 buf, 3 + payload + padding,
2606                                 s, s->msg_callback_arg);
2607
2608                 s->tlsext_hb_pending = 1;
2609                 }
2610                 
2611         OPENSSL_free(buf);
2612
2613         return ret;
2614         }
2615 #endif