Clear existing extension state.
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 #endif
127
128 SSL3_ENC_METHOD TLSv1_enc_data={
129         tls1_enc,
130         tls1_mac,
131         tls1_setup_key_block,
132         tls1_generate_master_secret,
133         tls1_change_cipher_state,
134         tls1_final_finish_mac,
135         TLS1_FINISH_MAC_LENGTH,
136         tls1_cert_verify_mac,
137         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139         tls1_alert_code,
140         tls1_export_keying_material,
141         };
142
143 long tls1_default_timeout(void)
144         {
145         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146          * is way too long for http, the cache would over fill */
147         return(60*60*2);
148         }
149
150 int tls1_new(SSL *s)
151         {
152         if (!ssl3_new(s)) return(0);
153         s->method->ssl_clear(s);
154         return(1);
155         }
156
157 void tls1_free(SSL *s)
158         {
159 #ifndef OPENSSL_NO_TLSEXT
160         if (s->tlsext_session_ticket)
161                 {
162                 OPENSSL_free(s->tlsext_session_ticket);
163                 }
164 #endif /* OPENSSL_NO_TLSEXT */
165         ssl3_free(s);
166         }
167
168 void tls1_clear(SSL *s)
169         {
170         ssl3_clear(s);
171         s->version = s->method->version;
172         }
173
174 #ifndef OPENSSL_NO_EC
175
176 static int nid_list[] =
177         {
178                 NID_sect163k1, /* sect163k1 (1) */
179                 NID_sect163r1, /* sect163r1 (2) */
180                 NID_sect163r2, /* sect163r2 (3) */
181                 NID_sect193r1, /* sect193r1 (4) */ 
182                 NID_sect193r2, /* sect193r2 (5) */ 
183                 NID_sect233k1, /* sect233k1 (6) */
184                 NID_sect233r1, /* sect233r1 (7) */ 
185                 NID_sect239k1, /* sect239k1 (8) */ 
186                 NID_sect283k1, /* sect283k1 (9) */
187                 NID_sect283r1, /* sect283r1 (10) */ 
188                 NID_sect409k1, /* sect409k1 (11) */ 
189                 NID_sect409r1, /* sect409r1 (12) */
190                 NID_sect571k1, /* sect571k1 (13) */ 
191                 NID_sect571r1, /* sect571r1 (14) */ 
192                 NID_secp160k1, /* secp160k1 (15) */
193                 NID_secp160r1, /* secp160r1 (16) */ 
194                 NID_secp160r2, /* secp160r2 (17) */ 
195                 NID_secp192k1, /* secp192k1 (18) */
196                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
197                 NID_secp224k1, /* secp224k1 (20) */ 
198                 NID_secp224r1, /* secp224r1 (21) */
199                 NID_secp256k1, /* secp256k1 (22) */ 
200                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
201                 NID_secp384r1, /* secp384r1 (24) */
202                 NID_secp521r1  /* secp521r1 (25) */     
203         };
204
205 static int pref_list[] =
206         {
207 #ifndef OPENSSL_NO_EC2M
208                 NID_sect571r1, /* sect571r1 (14) */ 
209                 NID_sect571k1, /* sect571k1 (13) */ 
210 #endif
211                 NID_secp521r1, /* secp521r1 (25) */     
212 #ifndef OPENSSL_NO_EC2M
213                 NID_sect409k1, /* sect409k1 (11) */ 
214                 NID_sect409r1, /* sect409r1 (12) */
215 #endif
216                 NID_secp384r1, /* secp384r1 (24) */
217 #ifndef OPENSSL_NO_EC2M
218                 NID_sect283k1, /* sect283k1 (9) */
219                 NID_sect283r1, /* sect283r1 (10) */ 
220 #endif
221                 NID_secp256k1, /* secp256k1 (22) */ 
222                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
223 #ifndef OPENSSL_NO_EC2M
224                 NID_sect239k1, /* sect239k1 (8) */ 
225                 NID_sect233k1, /* sect233k1 (6) */
226                 NID_sect233r1, /* sect233r1 (7) */ 
227 #endif
228                 NID_secp224k1, /* secp224k1 (20) */ 
229                 NID_secp224r1, /* secp224r1 (21) */
230 #ifndef OPENSSL_NO_EC2M
231                 NID_sect193r1, /* sect193r1 (4) */ 
232                 NID_sect193r2, /* sect193r2 (5) */ 
233 #endif
234                 NID_secp192k1, /* secp192k1 (18) */
235                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
236 #ifndef OPENSSL_NO_EC2M
237                 NID_sect163k1, /* sect163k1 (1) */
238                 NID_sect163r1, /* sect163r1 (2) */
239                 NID_sect163r2, /* sect163r2 (3) */
240 #endif
241                 NID_secp160k1, /* secp160k1 (15) */
242                 NID_secp160r1, /* secp160r1 (16) */ 
243                 NID_secp160r2, /* secp160r2 (17) */ 
244         };
245
246 int tls1_ec_curve_id2nid(int curve_id)
247         {
248         /* ECC curves from RFC 4492 */
249         if ((curve_id < 1) || ((unsigned int)curve_id >
250                                 sizeof(nid_list)/sizeof(nid_list[0])))
251                 return 0;
252         return nid_list[curve_id-1];
253         }
254
255 int tls1_ec_nid2curve_id(int nid)
256         {
257         /* ECC curves from RFC 4492 */
258         switch (nid)
259                 {
260         case NID_sect163k1: /* sect163k1 (1) */
261                 return 1;
262         case NID_sect163r1: /* sect163r1 (2) */
263                 return 2;
264         case NID_sect163r2: /* sect163r2 (3) */
265                 return 3;
266         case NID_sect193r1: /* sect193r1 (4) */ 
267                 return 4;
268         case NID_sect193r2: /* sect193r2 (5) */ 
269                 return 5;
270         case NID_sect233k1: /* sect233k1 (6) */
271                 return 6;
272         case NID_sect233r1: /* sect233r1 (7) */ 
273                 return 7;
274         case NID_sect239k1: /* sect239k1 (8) */ 
275                 return 8;
276         case NID_sect283k1: /* sect283k1 (9) */
277                 return 9;
278         case NID_sect283r1: /* sect283r1 (10) */ 
279                 return 10;
280         case NID_sect409k1: /* sect409k1 (11) */ 
281                 return 11;
282         case NID_sect409r1: /* sect409r1 (12) */
283                 return 12;
284         case NID_sect571k1: /* sect571k1 (13) */ 
285                 return 13;
286         case NID_sect571r1: /* sect571r1 (14) */ 
287                 return 14;
288         case NID_secp160k1: /* secp160k1 (15) */
289                 return 15;
290         case NID_secp160r1: /* secp160r1 (16) */ 
291                 return 16;
292         case NID_secp160r2: /* secp160r2 (17) */ 
293                 return 17;
294         case NID_secp192k1: /* secp192k1 (18) */
295                 return 18;
296         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
297                 return 19;
298         case NID_secp224k1: /* secp224k1 (20) */ 
299                 return 20;
300         case NID_secp224r1: /* secp224r1 (21) */
301                 return 21;
302         case NID_secp256k1: /* secp256k1 (22) */ 
303                 return 22;
304         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
305                 return 23;
306         case NID_secp384r1: /* secp384r1 (24) */
307                 return 24;
308         case NID_secp521r1:  /* secp521r1 (25) */       
309                 return 25;
310         default:
311                 return 0;
312                 }
313         }
314 #endif /* OPENSSL_NO_EC */
315
316 #ifndef OPENSSL_NO_TLSEXT
317
318 /* List of supported signature algorithms and hashes. Should make this
319  * customisable at some point, for now include everything we support.
320  */
321
322 #ifdef OPENSSL_NO_RSA
323 #define tlsext_sigalg_rsa(md) /* */
324 #else
325 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
326 #endif
327
328 #ifdef OPENSSL_NO_DSA
329 #define tlsext_sigalg_dsa(md) /* */
330 #else
331 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
332 #endif
333
334 #ifdef OPENSSL_NO_ECDSA
335 #define tlsext_sigalg_ecdsa(md) /* */
336 #else
337 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
338 #endif
339
340 #define tlsext_sigalg(md) \
341                 tlsext_sigalg_rsa(md) \
342                 tlsext_sigalg_dsa(md) \
343                 tlsext_sigalg_ecdsa(md)
344
345 static unsigned char tls12_sigalgs[] = {
346 #ifndef OPENSSL_NO_SHA512
347         tlsext_sigalg(TLSEXT_hash_sha512)
348         tlsext_sigalg(TLSEXT_hash_sha384)
349 #endif
350 #ifndef OPENSSL_NO_SHA256
351         tlsext_sigalg(TLSEXT_hash_sha256)
352         tlsext_sigalg(TLSEXT_hash_sha224)
353 #endif
354 #ifndef OPENSSL_NO_SHA
355         tlsext_sigalg(TLSEXT_hash_sha1)
356 #endif
357 };
358
359 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
360         {
361         size_t slen = sizeof(tls12_sigalgs);
362         if (p)
363                 memcpy(p, tls12_sigalgs, slen);
364         return (int)slen;
365         }
366
367 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
368         {
369         int extdatalen=0;
370         unsigned char *orig = buf;
371         unsigned char *ret = buf;
372
373         /* don't add extensions for SSLv3 unless doing secure renegotiation */
374         if (s->client_version == SSL3_VERSION
375                                         && !s->s3->send_connection_binding)
376                 return orig;
377
378         ret+=2;
379
380         if (ret>=limit) return NULL; /* this really never occurs, but ... */
381
382         if (s->tlsext_hostname != NULL)
383                 { 
384                 /* Add TLS extension servername to the Client Hello message */
385                 unsigned long size_str;
386                 long lenmax; 
387
388                 /* check for enough space.
389                    4 for the servername type and entension length
390                    2 for servernamelist length
391                    1 for the hostname type
392                    2 for hostname length
393                    + hostname length 
394                 */
395                    
396                 if ((lenmax = limit - ret - 9) < 0 
397                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
398                         return NULL;
399                         
400                 /* extension type and length */
401                 s2n(TLSEXT_TYPE_server_name,ret); 
402                 s2n(size_str+5,ret);
403                 
404                 /* length of servername list */
405                 s2n(size_str+3,ret);
406         
407                 /* hostname type, length and hostname */
408                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
409                 s2n(size_str,ret);
410                 memcpy(ret, s->tlsext_hostname, size_str);
411                 ret+=size_str;
412                 }
413
414         /* Add RI if renegotiating */
415         if (s->renegotiate)
416           {
417           int el;
418           
419           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
420               {
421               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
422               return NULL;
423               }
424
425           if((limit - ret - 4 - el) < 0) return NULL;
426           
427           s2n(TLSEXT_TYPE_renegotiate,ret);
428           s2n(el,ret);
429
430           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
431               {
432               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
433               return NULL;
434               }
435
436           ret += el;
437         }
438
439 #ifndef OPENSSL_NO_SRP
440         /* Add SRP username if there is one */
441         if (s->srp_ctx.login != NULL)
442                 { /* Add TLS extension SRP username to the Client Hello message */
443
444                 int login_len = strlen(s->srp_ctx.login);       
445                 if (login_len > 255 || login_len == 0)
446                         {
447                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
448                         return NULL;
449                         } 
450
451                 /* check for enough space.
452                    4 for the srp type type and entension length
453                    1 for the srp user identity
454                    + srp user identity length 
455                 */
456                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
457
458                 /* fill in the extension */
459                 s2n(TLSEXT_TYPE_srp,ret);
460                 s2n(login_len+1,ret);
461                 (*ret++) = (unsigned char) login_len;
462                 memcpy(ret, s->srp_ctx.login, login_len);
463                 ret+=login_len;
464                 }
465 #endif
466
467 #ifndef OPENSSL_NO_EC
468         if (s->tlsext_ecpointformatlist != NULL)
469                 {
470                 /* Add TLS extension ECPointFormats to the ClientHello message */
471                 long lenmax; 
472
473                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
474                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
475                 if (s->tlsext_ecpointformatlist_length > 255)
476                         {
477                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
478                         return NULL;
479                         }
480                 
481                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
482                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
483                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
484                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
485                 ret+=s->tlsext_ecpointformatlist_length;
486                 }
487         if (s->tlsext_ellipticcurvelist != NULL)
488                 {
489                 /* Add TLS extension EllipticCurves to the ClientHello message */
490                 long lenmax; 
491
492                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
493                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
494                 if (s->tlsext_ellipticcurvelist_length > 65532)
495                         {
496                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
497                         return NULL;
498                         }
499                 
500                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
501                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
502
503                 s2n(s->tlsext_ellipticcurvelist_length, ret);
504                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
505                 ret+=s->tlsext_ellipticcurvelist_length;
506                 }
507 #endif /* OPENSSL_NO_EC */
508
509         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
510                 {
511                 int ticklen;
512                 if (!s->new_session && s->session && s->session->tlsext_tick)
513                         ticklen = s->session->tlsext_ticklen;
514                 else if (s->session && s->tlsext_session_ticket &&
515                          s->tlsext_session_ticket->data)
516                         {
517                         ticklen = s->tlsext_session_ticket->length;
518                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
519                         if (!s->session->tlsext_tick)
520                                 return NULL;
521                         memcpy(s->session->tlsext_tick,
522                                s->tlsext_session_ticket->data,
523                                ticklen);
524                         s->session->tlsext_ticklen = ticklen;
525                         }
526                 else
527                         ticklen = 0;
528                 if (ticklen == 0 && s->tlsext_session_ticket &&
529                     s->tlsext_session_ticket->data == NULL)
530                         goto skip_ext;
531                 /* Check for enough room 2 for extension type, 2 for len
532                  * rest for ticket
533                  */
534                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
535                 s2n(TLSEXT_TYPE_session_ticket,ret); 
536                 s2n(ticklen,ret);
537                 if (ticklen)
538                         {
539                         memcpy(ret, s->session->tlsext_tick, ticklen);
540                         ret += ticklen;
541                         }
542                 }
543                 skip_ext:
544
545         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
546                 {
547                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
548                         return NULL; 
549                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
550                 s2n(sizeof(tls12_sigalgs) + 2, ret);
551                 s2n(sizeof(tls12_sigalgs), ret);
552                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
553                 ret += sizeof(tls12_sigalgs);
554                 }
555
556 #ifdef TLSEXT_TYPE_opaque_prf_input
557         if (s->s3->client_opaque_prf_input != NULL &&
558             s->version != DTLS1_VERSION)
559                 {
560                 size_t col = s->s3->client_opaque_prf_input_len;
561                 
562                 if ((long)(limit - ret - 6 - col < 0))
563                         return NULL;
564                 if (col > 0xFFFD) /* can't happen */
565                         return NULL;
566
567                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
568                 s2n(col + 2, ret);
569                 s2n(col, ret);
570                 memcpy(ret, s->s3->client_opaque_prf_input, col);
571                 ret += col;
572                 }
573 #endif
574
575         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
576             s->version != DTLS1_VERSION)
577                 {
578                 int i;
579                 long extlen, idlen, itmp;
580                 OCSP_RESPID *id;
581
582                 idlen = 0;
583                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
584                         {
585                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
586                         itmp = i2d_OCSP_RESPID(id, NULL);
587                         if (itmp <= 0)
588                                 return NULL;
589                         idlen += itmp + 2;
590                         }
591
592                 if (s->tlsext_ocsp_exts)
593                         {
594                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
595                         if (extlen < 0)
596                                 return NULL;
597                         }
598                 else
599                         extlen = 0;
600                         
601                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
602                 s2n(TLSEXT_TYPE_status_request, ret);
603                 if (extlen + idlen > 0xFFF0)
604                         return NULL;
605                 s2n(extlen + idlen + 5, ret);
606                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
607                 s2n(idlen, ret);
608                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
609                         {
610                         /* save position of id len */
611                         unsigned char *q = ret;
612                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
613                         /* skip over id len */
614                         ret += 2;
615                         itmp = i2d_OCSP_RESPID(id, &ret);
616                         /* write id len */
617                         s2n(itmp, q);
618                         }
619                 s2n(extlen, ret);
620                 if (extlen > 0)
621                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
622                 }
623
624 #ifndef OPENSSL_NO_HEARTBEATS
625         /* Add Heartbeat extension */
626         if ((limit - ret - 4 - 1) < 0)
627                 return NULL;
628         s2n(TLSEXT_TYPE_heartbeat,ret);
629         s2n(1,ret);
630         /* Set mode:
631          * 1: peer may send requests
632          * 2: peer not allowed to send requests
633          */
634         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636         else
637                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
638 #endif
639
640 #ifndef OPENSSL_NO_NEXTPROTONEG
641         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642                 {
643                 /* The client advertises an emtpy extension to indicate its
644                  * support for Next Protocol Negotiation */
645                 if (limit - ret - 4 < 0)
646                         return NULL;
647                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
648                 s2n(0,ret);
649                 }
650 #endif
651
652 #ifndef OPENSSL_NO_SRTP
653         if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
654                 {
655                 int el;
656
657                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
658                 
659                 if((limit - ret - 4 - el) < 0) return NULL;
660
661                 s2n(TLSEXT_TYPE_use_srtp,ret);
662                 s2n(el,ret);
663
664                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
665                         {
666                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
667                         return NULL;
668                         }
669                 ret += el;
670                 }
671 #endif
672         /* Add padding to workaround bugs in F5 terminators.
673          * See https://tools.ietf.org/html/draft-agl-tls-padding-03
674          *
675          * NB: because this code works out the length of all existing
676          * extensions it MUST always appear last.
677          */
678         if (s->options & SSL_OP_TLSEXT_PADDING)
679                 {
680                 int hlen = ret - (unsigned char *)s->init_buf->data;
681                 /* The code in s23_clnt.c to build ClientHello messages
682                  * includes the 5-byte record header in the buffer, while
683                  * the code in s3_clnt.c does not.
684                  */
685                 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
686                         hlen -= 5;
687                 if (hlen > 0xff && hlen < 0x200)
688                         {
689                         hlen = 0x200 - hlen;
690                         if (hlen >= 4)
691                                 hlen -= 4;
692                         else
693                                 hlen = 0;
694
695                         s2n(TLSEXT_TYPE_padding, ret);
696                         s2n(hlen, ret);
697                         memset(ret, 0, hlen);
698                         ret += hlen;
699                         }
700                 }
701
702         if ((extdatalen = ret-orig-2)== 0) 
703                 return orig;
704
705         s2n(extdatalen, orig);
706         return ret;
707         }
708
709 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
710         {
711         int extdatalen=0;
712         unsigned char *orig = buf;
713         unsigned char *ret = buf;
714 #ifndef OPENSSL_NO_NEXTPROTONEG
715         int next_proto_neg_seen;
716 #endif
717
718         /* don't add extensions for SSLv3, unless doing secure renegotiation */
719         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
720                 return orig;
721         
722         ret+=2;
723         if (ret>=limit) return NULL; /* this really never occurs, but ... */
724
725         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
726                 { 
727                 if ((long)(limit - ret - 4) < 0) return NULL; 
728
729                 s2n(TLSEXT_TYPE_server_name,ret);
730                 s2n(0,ret);
731                 }
732
733         if(s->s3->send_connection_binding)
734         {
735           int el;
736           
737           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
738               {
739               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
740               return NULL;
741               }
742
743           if((limit - ret - 4 - el) < 0) return NULL;
744           
745           s2n(TLSEXT_TYPE_renegotiate,ret);
746           s2n(el,ret);
747
748           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
749               {
750               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
751               return NULL;
752               }
753
754           ret += el;
755         }
756
757 #ifndef OPENSSL_NO_EC
758         if (s->tlsext_ecpointformatlist != NULL)
759                 {
760                 /* Add TLS extension ECPointFormats to the ServerHello message */
761                 long lenmax; 
762
763                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
764                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
765                 if (s->tlsext_ecpointformatlist_length > 255)
766                         {
767                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
768                         return NULL;
769                         }
770                 
771                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
772                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
773                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
774                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
775                 ret+=s->tlsext_ecpointformatlist_length;
776
777                 }
778         /* Currently the server should not respond with a SupportedCurves extension */
779 #endif /* OPENSSL_NO_EC */
780
781         if (s->tlsext_ticket_expected
782                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
783                 { 
784                 if ((long)(limit - ret - 4) < 0) return NULL; 
785                 s2n(TLSEXT_TYPE_session_ticket,ret);
786                 s2n(0,ret);
787                 }
788
789         if (s->tlsext_status_expected)
790                 { 
791                 if ((long)(limit - ret - 4) < 0) return NULL; 
792                 s2n(TLSEXT_TYPE_status_request,ret);
793                 s2n(0,ret);
794                 }
795
796 #ifdef TLSEXT_TYPE_opaque_prf_input
797         if (s->s3->server_opaque_prf_input != NULL &&
798             s->version != DTLS1_VERSION)
799                 {
800                 size_t sol = s->s3->server_opaque_prf_input_len;
801                 
802                 if ((long)(limit - ret - 6 - sol) < 0)
803                         return NULL;
804                 if (sol > 0xFFFD) /* can't happen */
805                         return NULL;
806
807                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
808                 s2n(sol + 2, ret);
809                 s2n(sol, ret);
810                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
811                 ret += sol;
812                 }
813 #endif
814
815 #ifndef OPENSSL_NO_SRTP
816         if(SSL_IS_DTLS(s) && s->srtp_profile)
817                 {
818                 int el;
819
820                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
821                 
822                 if((limit - ret - 4 - el) < 0) return NULL;
823
824                 s2n(TLSEXT_TYPE_use_srtp,ret);
825                 s2n(el,ret);
826
827                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
828                         {
829                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
830                         return NULL;
831                         }
832                 ret+=el;
833                 }
834 #endif
835
836         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
837                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
838                 { const unsigned char cryptopro_ext[36] = {
839                         0xfd, 0xe8, /*65000*/
840                         0x00, 0x20, /*32 bytes length*/
841                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
842                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
843                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
844                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
845                         if (limit-ret<36) return NULL;
846                         memcpy(ret,cryptopro_ext,36);
847                         ret+=36;
848
849                 }
850
851 #ifndef OPENSSL_NO_HEARTBEATS
852         /* Add Heartbeat extension if we've received one */
853         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
854                 {
855                 if ((limit - ret - 4 - 1) < 0)
856                         return NULL;
857                 s2n(TLSEXT_TYPE_heartbeat,ret);
858                 s2n(1,ret);
859                 /* Set mode:
860                  * 1: peer may send requests
861                  * 2: peer not allowed to send requests
862                  */
863                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
864                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
865                 else
866                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
867
868                 }
869 #endif
870
871 #ifndef OPENSSL_NO_NEXTPROTONEG
872         next_proto_neg_seen = s->s3->next_proto_neg_seen;
873         s->s3->next_proto_neg_seen = 0;
874         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
875                 {
876                 const unsigned char *npa;
877                 unsigned int npalen;
878                 int r;
879
880                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
881                 if (r == SSL_TLSEXT_ERR_OK)
882                         {
883                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
884                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
885                         s2n(npalen,ret);
886                         memcpy(ret, npa, npalen);
887                         ret += npalen;
888                         s->s3->next_proto_neg_seen = 1;
889                         }
890                 }
891 #endif
892
893         if ((extdatalen = ret-orig-2)== 0) 
894                 return orig;
895
896         s2n(extdatalen, orig);
897         return ret;
898         }
899
900 #ifndef OPENSSL_NO_EC
901 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
902  * SecureTransport using the TLS extension block in |d|, of length |n|.
903  * Safari, since 10.6, sends exactly these extensions, in this order:
904  *   SNI,
905  *   elliptic_curves
906  *   ec_point_formats
907  *
908  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
909  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
910  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
911  * 10.8..10.8.3 (which don't work).
912  */
913 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
914         unsigned short type, size;
915         static const unsigned char kSafariExtensionsBlock[] = {
916                 0x00, 0x0a,  /* elliptic_curves extension */
917                 0x00, 0x08,  /* 8 bytes */
918                 0x00, 0x06,  /* 6 bytes of curve ids */
919                 0x00, 0x17,  /* P-256 */
920                 0x00, 0x18,  /* P-384 */
921                 0x00, 0x19,  /* P-521 */
922
923                 0x00, 0x0b,  /* ec_point_formats */
924                 0x00, 0x02,  /* 2 bytes */
925                 0x01,        /* 1 point format */
926                 0x00,        /* uncompressed */
927         };
928
929         /* The following is only present in TLS 1.2 */
930         static const unsigned char kSafariTLS12ExtensionsBlock[] = {
931                 0x00, 0x0d,  /* signature_algorithms */
932                 0x00, 0x0c,  /* 12 bytes */
933                 0x00, 0x0a,  /* 10 bytes */
934                 0x05, 0x01,  /* SHA-384/RSA */
935                 0x04, 0x01,  /* SHA-256/RSA */
936                 0x02, 0x01,  /* SHA-1/RSA */
937                 0x04, 0x03,  /* SHA-256/ECDSA */
938                 0x02, 0x03,  /* SHA-1/ECDSA */
939         };
940
941         if (data >= (d+n-2))
942                 return;
943         data += 2;
944
945         if (data > (d+n-4))
946                 return;
947         n2s(data,type);
948         n2s(data,size);
949
950         if (type != TLSEXT_TYPE_server_name)
951                 return;
952
953         if (data+size > d+n)
954                 return;
955         data += size;
956
957         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
958                 {
959                 const size_t len1 = sizeof(kSafariExtensionsBlock);
960                 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
961
962                 if (data + len1 + len2 != d+n)
963                         return;
964                 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
965                         return;
966                 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
967                         return;
968                 }
969         else
970                 {
971                 const size_t len = sizeof(kSafariExtensionsBlock);
972
973                 if (data + len != d+n)
974                         return;
975                 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
976                         return;
977                 }
978
979         s->s3->is_probably_safari = 1;
980 }
981 #endif /* !OPENSSL_NO_EC */
982
983 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
984         {
985         unsigned short type;
986         unsigned short size;
987         unsigned short len;
988         unsigned char *data = *p;
989         int renegotiate_seen = 0;
990         int sigalg_seen = 0;
991
992         s->servername_done = 0;
993         s->tlsext_status_type = -1;
994 #ifndef OPENSSL_NO_NEXTPROTONEG
995         s->s3->next_proto_neg_seen = 0;
996 #endif
997
998 #ifndef OPENSSL_NO_HEARTBEATS
999         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1000                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1001 #endif
1002
1003 #ifndef OPENSSL_NO_EC
1004         if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1005                 ssl_check_for_safari(s, data, d, n);
1006 #endif /* !OPENSSL_NO_EC */
1007
1008 #ifndef OPENSSL_NO_SRP
1009         if (s->srp_ctx.login != NULL)
1010                 {
1011                 OPENSSL_free(s->srp_ctx.login);
1012                 s->srp_ctx.login = NULL;
1013                 }
1014 #endif
1015
1016         s->srtp_profile = NULL;
1017
1018         if (data >= (d+n-2))
1019                 goto ri_check;
1020         n2s(data,len);
1021
1022         if (data > (d+n-len)) 
1023                 goto ri_check;
1024
1025         while (data <= (d+n-4))
1026                 {
1027                 n2s(data,type);
1028                 n2s(data,size);
1029
1030                 if (data+size > (d+n))
1031                         goto ri_check;
1032 #if 0
1033                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1034 #endif
1035                 if (s->tlsext_debug_cb)
1036                         s->tlsext_debug_cb(s, 0, type, data, size,
1037                                                 s->tlsext_debug_arg);
1038 /* The servername extension is treated as follows:
1039
1040    - Only the hostname type is supported with a maximum length of 255.
1041    - The servername is rejected if too long or if it contains zeros,
1042      in which case an fatal alert is generated.
1043    - The servername field is maintained together with the session cache.
1044    - When a session is resumed, the servername call back invoked in order
1045      to allow the application to position itself to the right context. 
1046    - The servername is acknowledged if it is new for a session or when 
1047      it is identical to a previously used for the same session. 
1048      Applications can control the behaviour.  They can at any time
1049      set a 'desirable' servername for a new SSL object. This can be the
1050      case for example with HTTPS when a Host: header field is received and
1051      a renegotiation is requested. In this case, a possible servername
1052      presented in the new client hello is only acknowledged if it matches
1053      the value of the Host: field. 
1054    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1055      if they provide for changing an explicit servername context for the session,
1056      i.e. when the session has been established with a servername extension. 
1057    - On session reconnect, the servername extension may be absent. 
1058
1059 */      
1060
1061                 if (type == TLSEXT_TYPE_server_name)
1062                         {
1063                         unsigned char *sdata;
1064                         int servname_type;
1065                         int dsize; 
1066                 
1067                         if (size < 2) 
1068                                 {
1069                                 *al = SSL_AD_DECODE_ERROR;
1070                                 return 0;
1071                                 }
1072                         n2s(data,dsize);  
1073                         size -= 2;
1074                         if (dsize > size  ) 
1075                                 {
1076                                 *al = SSL_AD_DECODE_ERROR;
1077                                 return 0;
1078                                 } 
1079
1080                         sdata = data;
1081                         while (dsize > 3) 
1082                                 {
1083                                 servname_type = *(sdata++); 
1084                                 n2s(sdata,len);
1085                                 dsize -= 3;
1086
1087                                 if (len > dsize) 
1088                                         {
1089                                         *al = SSL_AD_DECODE_ERROR;
1090                                         return 0;
1091                                         }
1092                                 if (s->servername_done == 0)
1093                                 switch (servname_type)
1094                                         {
1095                                 case TLSEXT_NAMETYPE_host_name:
1096                                         if (!s->hit)
1097                                                 {
1098                                                 if(s->session->tlsext_hostname)
1099                                                         {
1100                                                         *al = SSL_AD_DECODE_ERROR;
1101                                                         return 0;
1102                                                         }
1103                                                 if (len > TLSEXT_MAXLEN_host_name)
1104                                                         {
1105                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1106                                                         return 0;
1107                                                         }
1108                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1109                                                         {
1110                                                         *al = TLS1_AD_INTERNAL_ERROR;
1111                                                         return 0;
1112                                                         }
1113                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1114                                                 s->session->tlsext_hostname[len]='\0';
1115                                                 if (strlen(s->session->tlsext_hostname) != len) {
1116                                                         OPENSSL_free(s->session->tlsext_hostname);
1117                                                         s->session->tlsext_hostname = NULL;
1118                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1119                                                         return 0;
1120                                                 }
1121                                                 s->servername_done = 1; 
1122
1123                                                 }
1124                                         else 
1125                                                 s->servername_done = s->session->tlsext_hostname
1126                                                         && strlen(s->session->tlsext_hostname) == len 
1127                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1128                                         
1129                                         break;
1130
1131                                 default:
1132                                         break;
1133                                         }
1134                                  
1135                                 dsize -= len;
1136                                 }
1137                         if (dsize != 0) 
1138                                 {
1139                                 *al = SSL_AD_DECODE_ERROR;
1140                                 return 0;
1141                                 }
1142
1143                         }
1144 #ifndef OPENSSL_NO_SRP
1145                 else if (type == TLSEXT_TYPE_srp)
1146                         {
1147                         if (size <= 0 || ((len = data[0])) != (size -1))
1148                                 {
1149                                 *al = SSL_AD_DECODE_ERROR;
1150                                 return 0;
1151                                 }
1152                         if (s->srp_ctx.login != NULL)
1153                                 {
1154                                 *al = SSL_AD_DECODE_ERROR;
1155                                 return 0;
1156                                 }
1157                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1158                                 return -1;
1159                         memcpy(s->srp_ctx.login, &data[1], len);
1160                         s->srp_ctx.login[len]='\0';
1161   
1162                         if (strlen(s->srp_ctx.login) != len) 
1163                                 {
1164                                 *al = SSL_AD_DECODE_ERROR;
1165                                 return 0;
1166                                 }
1167                         }
1168 #endif
1169
1170 #ifndef OPENSSL_NO_EC
1171                 else if (type == TLSEXT_TYPE_ec_point_formats)
1172                         {
1173                         unsigned char *sdata = data;
1174                         int ecpointformatlist_length = *(sdata++);
1175
1176                         if (ecpointformatlist_length != size - 1)
1177                                 {
1178                                 *al = TLS1_AD_DECODE_ERROR;
1179                                 return 0;
1180                                 }
1181                         if (!s->hit)
1182                                 {
1183                                 if(s->session->tlsext_ecpointformatlist)
1184                                         {
1185                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1186                                         s->session->tlsext_ecpointformatlist = NULL;
1187                                         }
1188                                 s->session->tlsext_ecpointformatlist_length = 0;
1189                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1190                                         {
1191                                         *al = TLS1_AD_INTERNAL_ERROR;
1192                                         return 0;
1193                                         }
1194                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1195                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1196                                 }
1197 #if 0
1198                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1199                         sdata = s->session->tlsext_ecpointformatlist;
1200                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1201                                 fprintf(stderr,"%i ",*(sdata++));
1202                         fprintf(stderr,"\n");
1203 #endif
1204                         }
1205                 else if (type == TLSEXT_TYPE_elliptic_curves)
1206                         {
1207                         unsigned char *sdata = data;
1208                         int ellipticcurvelist_length = (*(sdata++) << 8);
1209                         ellipticcurvelist_length += (*(sdata++));
1210
1211                         if (ellipticcurvelist_length != size - 2 ||
1212                                 ellipticcurvelist_length < 1 ||
1213                                 /* Each NamedCurve is 2 bytes. */
1214                                 ellipticcurvelist_length & 1)
1215                                 {
1216                                 *al = TLS1_AD_DECODE_ERROR;
1217                                 return 0;
1218                                 }
1219                         if (!s->hit)
1220                                 {
1221                                 if(s->session->tlsext_ellipticcurvelist)
1222                                         {
1223                                         *al = TLS1_AD_DECODE_ERROR;
1224                                         return 0;
1225                                         }
1226                                 s->session->tlsext_ellipticcurvelist_length = 0;
1227                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1228                                         {
1229                                         *al = TLS1_AD_INTERNAL_ERROR;
1230                                         return 0;
1231                                         }
1232                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1233                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1234                                 }
1235 #if 0
1236                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1237                         sdata = s->session->tlsext_ellipticcurvelist;
1238                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1239                                 fprintf(stderr,"%i ",*(sdata++));
1240                         fprintf(stderr,"\n");
1241 #endif
1242                         }
1243 #endif /* OPENSSL_NO_EC */
1244 #ifdef TLSEXT_TYPE_opaque_prf_input
1245                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1246                      s->version != DTLS1_VERSION)
1247                         {
1248                         unsigned char *sdata = data;
1249
1250                         if (size < 2)
1251                                 {
1252                                 *al = SSL_AD_DECODE_ERROR;
1253                                 return 0;
1254                                 }
1255                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1256                         if (s->s3->client_opaque_prf_input_len != size - 2)
1257                                 {
1258                                 *al = SSL_AD_DECODE_ERROR;
1259                                 return 0;
1260                                 }
1261
1262                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1263                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1264                         if (s->s3->client_opaque_prf_input_len == 0)
1265                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1266                         else
1267                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1268                         if (s->s3->client_opaque_prf_input == NULL)
1269                                 {
1270                                 *al = TLS1_AD_INTERNAL_ERROR;
1271                                 return 0;
1272                                 }
1273                         }
1274 #endif
1275                 else if (type == TLSEXT_TYPE_session_ticket)
1276                         {
1277                         if (s->tls_session_ticket_ext_cb &&
1278                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1279                                 {
1280                                 *al = TLS1_AD_INTERNAL_ERROR;
1281                                 return 0;
1282                                 }
1283                         }
1284                 else if (type == TLSEXT_TYPE_renegotiate)
1285                         {
1286                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1287                                 return 0;
1288                         renegotiate_seen = 1;
1289                         }
1290                 else if (type == TLSEXT_TYPE_signature_algorithms)
1291                         {
1292                         int dsize;
1293                         if (sigalg_seen || size < 2) 
1294                                 {
1295                                 *al = SSL_AD_DECODE_ERROR;
1296                                 return 0;
1297                                 }
1298                         sigalg_seen = 1;
1299                         n2s(data,dsize);
1300                         size -= 2;
1301                         if (dsize != size || dsize & 1) 
1302                                 {
1303                                 *al = SSL_AD_DECODE_ERROR;
1304                                 return 0;
1305                                 }
1306                         if (!tls1_process_sigalgs(s, data, dsize))
1307                                 {
1308                                 *al = SSL_AD_DECODE_ERROR;
1309                                 return 0;
1310                                 }
1311                         }
1312                 else if (type == TLSEXT_TYPE_status_request &&
1313                          s->version != DTLS1_VERSION)
1314                         {
1315                 
1316                         if (size < 5) 
1317                                 {
1318                                 *al = SSL_AD_DECODE_ERROR;
1319                                 return 0;
1320                                 }
1321
1322                         s->tlsext_status_type = *data++;
1323                         size--;
1324                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1325                                 {
1326                                 const unsigned char *sdata;
1327                                 int dsize;
1328                                 /* Read in responder_id_list */
1329                                 n2s(data,dsize);
1330                                 size -= 2;
1331                                 if (dsize > size  ) 
1332                                         {
1333                                         *al = SSL_AD_DECODE_ERROR;
1334                                         return 0;
1335                                         }
1336                                 while (dsize > 0)
1337                                         {
1338                                         OCSP_RESPID *id;
1339                                         int idsize;
1340                                         if (dsize < 4)
1341                                                 {
1342                                                 *al = SSL_AD_DECODE_ERROR;
1343                                                 return 0;
1344                                                 }
1345                                         n2s(data, idsize);
1346                                         dsize -= 2 + idsize;
1347                                         size -= 2 + idsize;
1348                                         if (dsize < 0)
1349                                                 {
1350                                                 *al = SSL_AD_DECODE_ERROR;
1351                                                 return 0;
1352                                                 }
1353                                         sdata = data;
1354                                         data += idsize;
1355                                         id = d2i_OCSP_RESPID(NULL,
1356                                                                 &sdata, idsize);
1357                                         if (!id)
1358                                                 {
1359                                                 *al = SSL_AD_DECODE_ERROR;
1360                                                 return 0;
1361                                                 }
1362                                         if (data != sdata)
1363                                                 {
1364                                                 OCSP_RESPID_free(id);
1365                                                 *al = SSL_AD_DECODE_ERROR;
1366                                                 return 0;
1367                                                 }
1368                                         if (!s->tlsext_ocsp_ids
1369                                                 && !(s->tlsext_ocsp_ids =
1370                                                 sk_OCSP_RESPID_new_null()))
1371                                                 {
1372                                                 OCSP_RESPID_free(id);
1373                                                 *al = SSL_AD_INTERNAL_ERROR;
1374                                                 return 0;
1375                                                 }
1376                                         if (!sk_OCSP_RESPID_push(
1377                                                         s->tlsext_ocsp_ids, id))
1378                                                 {
1379                                                 OCSP_RESPID_free(id);
1380                                                 *al = SSL_AD_INTERNAL_ERROR;
1381                                                 return 0;
1382                                                 }
1383                                         }
1384
1385                                 /* Read in request_extensions */
1386                                 if (size < 2)
1387                                         {
1388                                         *al = SSL_AD_DECODE_ERROR;
1389                                         return 0;
1390                                         }
1391                                 n2s(data,dsize);
1392                                 size -= 2;
1393                                 if (dsize != size)
1394                                         {
1395                                         *al = SSL_AD_DECODE_ERROR;
1396                                         return 0;
1397                                         }
1398                                 sdata = data;
1399                                 if (dsize > 0)
1400                                         {
1401                                         if (s->tlsext_ocsp_exts)
1402                                                 {
1403                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1404                                                                            X509_EXTENSION_free);
1405                                                 }
1406
1407                                         s->tlsext_ocsp_exts =
1408                                                 d2i_X509_EXTENSIONS(NULL,
1409                                                         &sdata, dsize);
1410                                         if (!s->tlsext_ocsp_exts
1411                                                 || (data + dsize != sdata))
1412                                                 {
1413                                                 *al = SSL_AD_DECODE_ERROR;
1414                                                 return 0;
1415                                                 }
1416                                         }
1417                                 }
1418                                 /* We don't know what to do with any other type
1419                                 * so ignore it.
1420                                 */
1421                                 else
1422                                         s->tlsext_status_type = -1;
1423                         }
1424 #ifndef OPENSSL_NO_HEARTBEATS
1425                 else if (type == TLSEXT_TYPE_heartbeat)
1426                         {
1427                         switch(data[0])
1428                                 {
1429                                 case 0x01:      /* Client allows us to send HB requests */
1430                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1431                                                         break;
1432                                 case 0x02:      /* Client doesn't accept HB requests */
1433                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1434                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1435                                                         break;
1436                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1437                                                         return 0;
1438                                 }
1439                         }
1440 #endif
1441 #ifndef OPENSSL_NO_NEXTPROTONEG
1442                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1443                          s->s3->tmp.finish_md_len == 0)
1444                         {
1445                         /* We shouldn't accept this extension on a
1446                          * renegotiation.
1447                          *
1448                          * s->new_session will be set on renegotiation, but we
1449                          * probably shouldn't rely that it couldn't be set on
1450                          * the initial renegotation too in certain cases (when
1451                          * there's some other reason to disallow resuming an
1452                          * earlier session -- the current code won't be doing
1453                          * anything like that, but this might change).
1454
1455                          * A valid sign that there's been a previous handshake
1456                          * in this connection is if s->s3->tmp.finish_md_len >
1457                          * 0.  (We are talking about a check that will happen
1458                          * in the Hello protocol round, well before a new
1459                          * Finished message could have been computed.) */
1460                         s->s3->next_proto_neg_seen = 1;
1461                         }
1462 #endif
1463
1464                 /* session ticket processed earlier */
1465 #ifndef OPENSSL_NO_SRTP
1466                 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
1467                          && type == TLSEXT_TYPE_use_srtp)
1468                         {
1469                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1470                                                               al))
1471                                 return 0;
1472                         }
1473 #endif
1474
1475                 data+=size;
1476                 }
1477                                 
1478         *p = data;
1479
1480         ri_check:
1481
1482         /* Need RI if renegotiating */
1483
1484         if (!renegotiate_seen && s->renegotiate &&
1485                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1486                 {
1487                 *al = SSL_AD_HANDSHAKE_FAILURE;
1488                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1489                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1490                 return 0;
1491                 }
1492
1493         return 1;
1494         }
1495
1496 #ifndef OPENSSL_NO_NEXTPROTONEG
1497 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1498  * elements of zero length are allowed and the set of elements must exactly fill
1499  * the length of the block. */
1500 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1501         {
1502         unsigned int off = 0;
1503
1504         while (off < len)
1505                 {
1506                 if (d[off] == 0)
1507                         return 0;
1508                 off += d[off];
1509                 off++;
1510                 }
1511
1512         return off == len;
1513         }
1514 #endif
1515
1516 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1517         {
1518         unsigned short length;
1519         unsigned short type;
1520         unsigned short size;
1521         unsigned char *data = *p;
1522         int tlsext_servername = 0;
1523         int renegotiate_seen = 0;
1524
1525 #ifndef OPENSSL_NO_NEXTPROTONEG
1526         s->s3->next_proto_neg_seen = 0;
1527 #endif
1528         s->tlsext_ticket_expected = 0;
1529
1530 #ifndef OPENSSL_NO_HEARTBEATS
1531         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1532                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1533 #endif
1534
1535         if (data >= (d+n-2))
1536                 goto ri_check;
1537
1538         n2s(data,length);
1539         if (data+length != d+n)
1540                 {
1541                 *al = SSL_AD_DECODE_ERROR;
1542                 return 0;
1543                 }
1544
1545         while(data <= (d+n-4))
1546                 {
1547                 n2s(data,type);
1548                 n2s(data,size);
1549
1550                 if (data+size > (d+n))
1551                         goto ri_check;
1552
1553                 if (s->tlsext_debug_cb)
1554                         s->tlsext_debug_cb(s, 1, type, data, size,
1555                                                 s->tlsext_debug_arg);
1556
1557                 if (type == TLSEXT_TYPE_server_name)
1558                         {
1559                         if (s->tlsext_hostname == NULL || size > 0)
1560                                 {
1561                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1562                                 return 0;
1563                                 }
1564                         tlsext_servername = 1;   
1565                         }
1566
1567 #ifndef OPENSSL_NO_EC
1568                 else if (type == TLSEXT_TYPE_ec_point_formats)
1569                         {
1570                         unsigned char *sdata = data;
1571                         int ecpointformatlist_length = *(sdata++);
1572
1573                         if (ecpointformatlist_length != size - 1 || 
1574                                 ecpointformatlist_length < 1)
1575                                 {
1576                                 *al = TLS1_AD_DECODE_ERROR;
1577                                 return 0;
1578                                 }
1579                         if (!s->hit)
1580                                 {
1581                                 s->session->tlsext_ecpointformatlist_length = 0;
1582                                 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1583                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1584                                         {
1585                                         *al = TLS1_AD_INTERNAL_ERROR;
1586                                         return 0;
1587                                         }
1588                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1589                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1590                                 }
1591 #if 0
1592                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1593                         sdata = s->session->tlsext_ecpointformatlist;
1594                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1595                                 fprintf(stderr,"%i ",*(sdata++));
1596                         fprintf(stderr,"\n");
1597 #endif
1598                         }
1599 #endif /* OPENSSL_NO_EC */
1600
1601                 else if (type == TLSEXT_TYPE_session_ticket)
1602                         {
1603                         if (s->tls_session_ticket_ext_cb &&
1604                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1605                                 {
1606                                 *al = TLS1_AD_INTERNAL_ERROR;
1607                                 return 0;
1608                                 }
1609                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1610                                 || (size > 0))
1611                                 {
1612                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1613                                 return 0;
1614                                 }
1615                         s->tlsext_ticket_expected = 1;
1616                         }
1617 #ifdef TLSEXT_TYPE_opaque_prf_input
1618                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1619                      s->version != DTLS1_VERSION)
1620                         {
1621                         unsigned char *sdata = data;
1622
1623                         if (size < 2)
1624                                 {
1625                                 *al = SSL_AD_DECODE_ERROR;
1626                                 return 0;
1627                                 }
1628                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1629                         if (s->s3->server_opaque_prf_input_len != size - 2)
1630                                 {
1631                                 *al = SSL_AD_DECODE_ERROR;
1632                                 return 0;
1633                                 }
1634                         
1635                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1636                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1637                         if (s->s3->server_opaque_prf_input_len == 0)
1638                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1639                         else
1640                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1641
1642                         if (s->s3->server_opaque_prf_input == NULL)
1643                                 {
1644                                 *al = TLS1_AD_INTERNAL_ERROR;
1645                                 return 0;
1646                                 }
1647                         }
1648 #endif
1649                 else if (type == TLSEXT_TYPE_status_request &&
1650                          s->version != DTLS1_VERSION)
1651                         {
1652                         /* MUST be empty and only sent if we've requested
1653                          * a status request message.
1654                          */ 
1655                         if ((s->tlsext_status_type == -1) || (size > 0))
1656                                 {
1657                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1658                                 return 0;
1659                                 }
1660                         /* Set flag to expect CertificateStatus message */
1661                         s->tlsext_status_expected = 1;
1662                         }
1663 #ifndef OPENSSL_NO_NEXTPROTONEG
1664                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1665                          s->s3->tmp.finish_md_len == 0)
1666                         {
1667                         unsigned char *selected;
1668                         unsigned char selected_len;
1669
1670                         /* We must have requested it. */
1671                         if (s->ctx->next_proto_select_cb == NULL)
1672                                 {
1673                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1674                                 return 0;
1675                                 }
1676                         /* The data must be valid */
1677                         if (!ssl_next_proto_validate(data, size))
1678                                 {
1679                                 *al = TLS1_AD_DECODE_ERROR;
1680                                 return 0;
1681                                 }
1682                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1683                                 {
1684                                 *al = TLS1_AD_INTERNAL_ERROR;
1685                                 return 0;
1686                                 }
1687                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1688                         if (!s->next_proto_negotiated)
1689                                 {
1690                                 *al = TLS1_AD_INTERNAL_ERROR;
1691                                 return 0;
1692                                 }
1693                         memcpy(s->next_proto_negotiated, selected, selected_len);
1694                         s->next_proto_negotiated_len = selected_len;
1695                         s->s3->next_proto_neg_seen = 1;
1696                         }
1697 #endif
1698                 else if (type == TLSEXT_TYPE_renegotiate)
1699                         {
1700                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1701                                 return 0;
1702                         renegotiate_seen = 1;
1703                         }
1704 #ifndef OPENSSL_NO_HEARTBEATS
1705                 else if (type == TLSEXT_TYPE_heartbeat)
1706                         {
1707                         switch(data[0])
1708                                 {
1709                                 case 0x01:      /* Server allows us to send HB requests */
1710                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1711                                                         break;
1712                                 case 0x02:      /* Server doesn't accept HB requests */
1713                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1714                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1715                                                         break;
1716                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1717                                                         return 0;
1718                                 }
1719                         }
1720 #endif
1721 #ifndef OPENSSL_NO_SRTP
1722                 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
1723                         {
1724                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1725                                                               al))
1726                                 return 0;
1727                         }
1728 #endif
1729
1730                 data+=size;             
1731                 }
1732
1733         if (data != d+n)
1734                 {
1735                 *al = SSL_AD_DECODE_ERROR;
1736                 return 0;
1737                 }
1738
1739         if (!s->hit && tlsext_servername == 1)
1740                 {
1741                 if (s->tlsext_hostname)
1742                         {
1743                         if (s->session->tlsext_hostname == NULL)
1744                                 {
1745                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1746                                 if (!s->session->tlsext_hostname)
1747                                         {
1748                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1749                                         return 0;
1750                                         }
1751                                 }
1752                         else 
1753                                 {
1754                                 *al = SSL_AD_DECODE_ERROR;
1755                                 return 0;
1756                                 }
1757                         }
1758                 }
1759
1760         *p = data;
1761
1762         ri_check:
1763
1764         /* Determine if we need to see RI. Strictly speaking if we want to
1765          * avoid an attack we should *always* see RI even on initial server
1766          * hello because the client doesn't see any renegotiation during an
1767          * attack. However this would mean we could not connect to any server
1768          * which doesn't support RI so for the immediate future tolerate RI
1769          * absence on initial connect only.
1770          */
1771         if (!renegotiate_seen
1772                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1773                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1774                 {
1775                 *al = SSL_AD_HANDSHAKE_FAILURE;
1776                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1777                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1778                 return 0;
1779                 }
1780
1781         return 1;
1782         }
1783
1784
1785 int ssl_prepare_clienthello_tlsext(SSL *s)
1786         {
1787 #ifndef OPENSSL_NO_EC
1788         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1789          * and elliptic curves we support.
1790          */
1791         int using_ecc = 0;
1792         int i;
1793         unsigned char *j;
1794         unsigned long alg_k, alg_a;
1795         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1796
1797         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1798                 {
1799                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1800
1801                 alg_k = c->algorithm_mkey;
1802                 alg_a = c->algorithm_auth;
1803                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1804                         {
1805                         using_ecc = 1;
1806                         break;
1807                         }
1808                 }
1809         using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1810         if (using_ecc)
1811                 {
1812                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1813                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1814                         {
1815                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1816                         return -1;
1817                         }
1818                 s->tlsext_ecpointformatlist_length = 3;
1819                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1820                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1821                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1822
1823                 /* we support all named elliptic curves in RFC 4492 */
1824                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1825                 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1826                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1827                         {
1828                         s->tlsext_ellipticcurvelist_length = 0;
1829                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1830                         return -1;
1831                         }
1832                 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1833                                 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1834                         {
1835                         int id = tls1_ec_nid2curve_id(pref_list[i]);
1836                         s2n(id,j);
1837                         }
1838                 }
1839 #endif /* OPENSSL_NO_EC */
1840
1841 #ifdef TLSEXT_TYPE_opaque_prf_input
1842         {
1843                 int r = 1;
1844         
1845                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1846                         {
1847                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1848                         if (!r)
1849                                 return -1;
1850                         }
1851
1852                 if (s->tlsext_opaque_prf_input != NULL)
1853                         {
1854                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1855                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1856
1857                         if (s->tlsext_opaque_prf_input_len == 0)
1858                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1859                         else
1860                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1861                         if (s->s3->client_opaque_prf_input == NULL)
1862                                 {
1863                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1864                                 return -1;
1865                                 }
1866                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1867                         }
1868
1869                 if (r == 2)
1870                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1871                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1872         }
1873 #endif
1874
1875         return 1;
1876         }
1877
1878 int ssl_prepare_serverhello_tlsext(SSL *s)
1879         {
1880 #ifndef OPENSSL_NO_EC
1881         /* If we are server and using an ECC cipher suite, send the point formats we support 
1882          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1883          * supposed to send an EllipticCurves extension.
1884          */
1885
1886         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1887         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1888         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1889         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1890         
1891         if (using_ecc)
1892                 {
1893                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1894                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1895                         {
1896                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1897                         return -1;
1898                         }
1899                 s->tlsext_ecpointformatlist_length = 3;
1900                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1901                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1902                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1903                 }
1904 #endif /* OPENSSL_NO_EC */
1905
1906         return 1;
1907         }
1908
1909 int ssl_check_clienthello_tlsext_early(SSL *s)
1910         {
1911         int ret=SSL_TLSEXT_ERR_NOACK;
1912         int al = SSL_AD_UNRECOGNIZED_NAME;
1913
1914 #ifndef OPENSSL_NO_EC
1915         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1916          * ssl3_choose_cipher in s3_lib.c.
1917          */
1918         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1919          * ssl3_choose_cipher in s3_lib.c.
1920          */
1921 #endif
1922
1923         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1924                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1925         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1926                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1927
1928 #ifdef TLSEXT_TYPE_opaque_prf_input
1929         {
1930                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1931                  * but we might be sending an alert in response to the client hello,
1932                  * so this has to happen here in
1933                  * ssl_check_clienthello_tlsext_early(). */
1934
1935                 int r = 1;
1936         
1937                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1938                         {
1939                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1940                         if (!r)
1941                                 {
1942                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1943                                 al = SSL_AD_INTERNAL_ERROR;
1944                                 goto err;
1945                                 }
1946                         }
1947
1948                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1949                         OPENSSL_free(s->s3->server_opaque_prf_input);
1950                 s->s3->server_opaque_prf_input = NULL;
1951
1952                 if (s->tlsext_opaque_prf_input != NULL)
1953                         {
1954                         if (s->s3->client_opaque_prf_input != NULL &&
1955                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1956                                 {
1957                                 /* can only use this extension if we have a server opaque PRF input
1958                                  * of the same length as the client opaque PRF input! */
1959
1960                                 if (s->tlsext_opaque_prf_input_len == 0)
1961                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1962                                 else
1963                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1964                                 if (s->s3->server_opaque_prf_input == NULL)
1965                                         {
1966                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1967                                         al = SSL_AD_INTERNAL_ERROR;
1968                                         goto err;
1969                                         }
1970                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1971                                 }
1972                         }
1973
1974                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1975                         {
1976                         /* The callback wants to enforce use of the extension,
1977                          * but we can't do that with the client opaque PRF input;
1978                          * abort the handshake.
1979                          */
1980                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1981                         al = SSL_AD_HANDSHAKE_FAILURE;
1982                         }
1983         }
1984
1985  err:
1986 #endif
1987         switch (ret)
1988                 {
1989                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1990                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1991                         return -1;
1992
1993                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1994                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1995                         return 1; 
1996                                         
1997                 case SSL_TLSEXT_ERR_NOACK:
1998                         s->servername_done=0;
1999                         default:
2000                 return 1;
2001                 }
2002         }
2003
2004 int ssl_check_clienthello_tlsext_late(SSL *s)
2005         {
2006         int ret = SSL_TLSEXT_ERR_OK;
2007         int al;
2008
2009         /* If status request then ask callback what to do.
2010          * Note: this must be called after servername callbacks in case 
2011          * the certificate has changed, and must be called after the cipher
2012          * has been chosen because this may influence which certificate is sent
2013          */
2014         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2015                 {
2016                 int r;
2017                 CERT_PKEY *certpkey;
2018                 certpkey = ssl_get_server_send_pkey(s);
2019                 /* If no certificate can't return certificate status */
2020                 if (certpkey == NULL)
2021                         {
2022                         s->tlsext_status_expected = 0;
2023                         return 1;
2024                         }
2025                 /* Set current certificate to one we will use so
2026                  * SSL_get_certificate et al can pick it up.
2027                  */
2028                 s->cert->key = certpkey;
2029                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2030                 switch (r)
2031                         {
2032                         /* We don't want to send a status request response */
2033                         case SSL_TLSEXT_ERR_NOACK:
2034                                 s->tlsext_status_expected = 0;
2035                                 break;
2036                         /* status request response should be sent */
2037                         case SSL_TLSEXT_ERR_OK:
2038                                 if (s->tlsext_ocsp_resp)
2039                                         s->tlsext_status_expected = 1;
2040                                 else
2041                                         s->tlsext_status_expected = 0;
2042                                 break;
2043                         /* something bad happened */
2044                         case SSL_TLSEXT_ERR_ALERT_FATAL:
2045                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2046                                 al = SSL_AD_INTERNAL_ERROR;
2047                                 goto err;
2048                         }
2049                 }
2050         else
2051                 s->tlsext_status_expected = 0;
2052
2053  err:
2054         switch (ret)
2055                 {
2056                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2057                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2058                         return -1;
2059
2060                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2061                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2062                         return 1; 
2063
2064                 default:
2065                         return 1;
2066                 }
2067         }
2068
2069 int ssl_check_serverhello_tlsext(SSL *s)
2070         {
2071         int ret=SSL_TLSEXT_ERR_NOACK;
2072         int al = SSL_AD_UNRECOGNIZED_NAME;
2073
2074 #ifndef OPENSSL_NO_EC
2075         /* If we are client and using an elliptic curve cryptography cipher
2076          * suite, then if server returns an EC point formats lists extension
2077          * it must contain uncompressed.
2078          */
2079         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2080         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2081         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
2082             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
2083             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2084                 {
2085                 /* we are using an ECC cipher */
2086                 size_t i;
2087                 unsigned char *list;
2088                 int found_uncompressed = 0;
2089                 list = s->session->tlsext_ecpointformatlist;
2090                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2091                         {
2092                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2093                                 {
2094                                 found_uncompressed = 1;
2095                                 break;
2096                                 }
2097                         }
2098                 if (!found_uncompressed)
2099                         {
2100                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2101                         return -1;
2102                         }
2103                 }
2104         ret = SSL_TLSEXT_ERR_OK;
2105 #endif /* OPENSSL_NO_EC */
2106
2107         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2108                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2109         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2110                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2111
2112 #ifdef TLSEXT_TYPE_opaque_prf_input
2113         if (s->s3->server_opaque_prf_input_len > 0)
2114                 {
2115                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2116                  * So first verify that we really have a value from the server too. */
2117
2118                 if (s->s3->server_opaque_prf_input == NULL)
2119                         {
2120                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2121                         al = SSL_AD_HANDSHAKE_FAILURE;
2122                         }
2123                 
2124                 /* Anytime the server *has* sent an opaque PRF input, we need to check
2125                  * that we have a client opaque PRF input of the same size. */
2126                 if (s->s3->client_opaque_prf_input == NULL ||
2127                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2128                         {
2129                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2130                         al = SSL_AD_ILLEGAL_PARAMETER;
2131                         }
2132                 }
2133 #endif
2134
2135         /* If we've requested certificate status and we wont get one
2136          * tell the callback
2137          */
2138         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2139                         && s->ctx && s->ctx->tlsext_status_cb)
2140                 {
2141                 int r;
2142                 /* Set resp to NULL, resplen to -1 so callback knows
2143                  * there is no response.
2144                  */
2145                 if (s->tlsext_ocsp_resp)
2146                         {
2147                         OPENSSL_free(s->tlsext_ocsp_resp);
2148                         s->tlsext_ocsp_resp = NULL;
2149                         }
2150                 s->tlsext_ocsp_resplen = -1;
2151                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2152                 if (r == 0)
2153                         {
2154                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2155                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2156                         }
2157                 if (r < 0)
2158                         {
2159                         al = SSL_AD_INTERNAL_ERROR;
2160                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2161                         }
2162                 }
2163
2164         switch (ret)
2165                 {
2166                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2167                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2168                         return -1;
2169
2170                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2171                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2172                         return 1; 
2173                                         
2174                 case SSL_TLSEXT_ERR_NOACK:
2175                         s->servername_done=0;
2176                         default:
2177                 return 1;
2178                 }
2179         }
2180
2181 /* Since the server cache lookup is done early on in the processing of the
2182  * ClientHello, and other operations depend on the result, we need to handle
2183  * any TLS session ticket extension at the same time.
2184  *
2185  *   session_id: points at the session ID in the ClientHello. This code will
2186  *       read past the end of this in order to parse out the session ticket
2187  *       extension, if any.
2188  *   len: the length of the session ID.
2189  *   limit: a pointer to the first byte after the ClientHello.
2190  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2191  *       point to the resulting session.
2192  *
2193  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2194  * ciphersuite, in which case we have no use for session tickets and one will
2195  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2196  *
2197  * Returns:
2198  *   -1: fatal error, either from parsing or decrypting the ticket.
2199  *    0: no ticket was found (or was ignored, based on settings).
2200  *    1: a zero length extension was found, indicating that the client supports
2201  *       session tickets but doesn't currently have one to offer.
2202  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2203  *       couldn't be decrypted because of a non-fatal error.
2204  *    3: a ticket was successfully decrypted and *ret was set.
2205  *
2206  * Side effects:
2207  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2208  *   a new session ticket to the client because the client indicated support
2209  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2210  *   a session ticket or we couldn't use the one it gave us, or if
2211  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2212  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2213  */
2214 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2215                         const unsigned char *limit, SSL_SESSION **ret)
2216         {
2217         /* Point after session ID in client hello */
2218         const unsigned char *p = session_id + len;
2219         unsigned short i;
2220
2221         *ret = NULL;
2222         s->tlsext_ticket_expected = 0;
2223
2224         /* If tickets disabled behave as if no ticket present
2225          * to permit stateful resumption.
2226          */
2227         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2228                 return 0;
2229         if ((s->version <= SSL3_VERSION) || !limit)
2230                 return 0;
2231         if (p >= limit)
2232                 return -1;
2233         /* Skip past DTLS cookie */
2234         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2235                 {
2236                 i = *(p++);
2237                 p+= i;
2238                 if (p >= limit)
2239                         return -1;
2240                 }
2241         /* Skip past cipher list */
2242         n2s(p, i);
2243         p+= i;
2244         if (p >= limit)
2245                 return -1;
2246         /* Skip past compression algorithm list */
2247         i = *(p++);
2248         p += i;
2249         if (p > limit)
2250                 return -1;
2251         /* Now at start of extensions */
2252         if ((p + 2) >= limit)
2253                 return 0;
2254         n2s(p, i);
2255         while ((p + 4) <= limit)
2256                 {
2257                 unsigned short type, size;
2258                 n2s(p, type);
2259                 n2s(p, size);
2260                 if (p + size > limit)
2261                         return 0;
2262                 if (type == TLSEXT_TYPE_session_ticket)
2263                         {
2264                         int r;
2265                         if (size == 0)
2266                                 {
2267                                 /* The client will accept a ticket but doesn't
2268                                  * currently have one. */
2269                                 s->tlsext_ticket_expected = 1;
2270                                 return 1;
2271                                 }
2272                         if (s->tls_session_secret_cb)
2273                                 {
2274                                 /* Indicate that the ticket couldn't be
2275                                  * decrypted rather than generating the session
2276                                  * from ticket now, trigger abbreviated
2277                                  * handshake based on external mechanism to
2278                                  * calculate the master secret later. */
2279                                 return 2;
2280                                 }
2281                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2282                         switch (r)
2283                                 {
2284                                 case 2: /* ticket couldn't be decrypted */
2285                                         s->tlsext_ticket_expected = 1;
2286                                         return 2;
2287                                 case 3: /* ticket was decrypted */
2288                                         return r;
2289                                 case 4: /* ticket decrypted but need to renew */
2290                                         s->tlsext_ticket_expected = 1;
2291                                         return 3;
2292                                 default: /* fatal error */
2293                                         return -1;
2294                                 }
2295                         }
2296                 p += size;
2297                 }
2298         return 0;
2299         }
2300
2301 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2302  *
2303  *   etick: points to the body of the session ticket extension.
2304  *   eticklen: the length of the session tickets extenion.
2305  *   sess_id: points at the session ID.
2306  *   sesslen: the length of the session ID.
2307  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2308  *       point to the resulting session.
2309  *
2310  * Returns:
2311  *   -1: fatal error, either from parsing or decrypting the ticket.
2312  *    2: the ticket couldn't be decrypted.
2313  *    3: a ticket was successfully decrypted and *psess was set.
2314  *    4: same as 3, but the ticket needs to be renewed.
2315  */
2316 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2317                                 const unsigned char *sess_id, int sesslen,
2318                                 SSL_SESSION **psess)
2319         {
2320         SSL_SESSION *sess;
2321         unsigned char *sdec;
2322         const unsigned char *p;
2323         int slen, mlen, renew_ticket = 0;
2324         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2325         HMAC_CTX hctx;
2326         EVP_CIPHER_CTX ctx;
2327         SSL_CTX *tctx = s->initial_ctx;
2328         /* Need at least keyname + iv + some encrypted data */
2329         if (eticklen < 48)
2330                 return 2;
2331         /* Initialize session ticket encryption and HMAC contexts */
2332         HMAC_CTX_init(&hctx);
2333         EVP_CIPHER_CTX_init(&ctx);
2334         if (tctx->tlsext_ticket_key_cb)
2335                 {
2336                 unsigned char *nctick = (unsigned char *)etick;
2337                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2338                                                         &ctx, &hctx, 0);
2339                 if (rv < 0)
2340                         return -1;
2341                 if (rv == 0)
2342                         return 2;
2343                 if (rv == 2)
2344                         renew_ticket = 1;
2345                 }
2346         else
2347                 {
2348                 /* Check key name matches */
2349                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2350                         return 2;
2351                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2352                                         tlsext_tick_md(), NULL);
2353                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2354                                 tctx->tlsext_tick_aes_key, etick + 16);
2355                 }
2356         /* Attempt to process session ticket, first conduct sanity and
2357          * integrity checks on ticket.
2358          */
2359         mlen = HMAC_size(&hctx);
2360         if (mlen < 0)
2361                 {
2362                 EVP_CIPHER_CTX_cleanup(&ctx);
2363                 return -1;
2364                 }
2365         eticklen -= mlen;
2366         /* Check HMAC of encrypted ticket */
2367         HMAC_Update(&hctx, etick, eticklen);
2368         HMAC_Final(&hctx, tick_hmac, NULL);
2369         HMAC_CTX_cleanup(&hctx);
2370         if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2371                 {
2372                 EVP_CIPHER_CTX_cleanup(&ctx);
2373                 return 2;
2374                 }
2375         /* Attempt to decrypt session data */
2376         /* Move p after IV to start of encrypted ticket, update length */
2377         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2378         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2379         sdec = OPENSSL_malloc(eticklen);
2380         if (!sdec)
2381                 {
2382                 EVP_CIPHER_CTX_cleanup(&ctx);
2383                 return -1;
2384                 }
2385         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2386         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2387                 {
2388                 EVP_CIPHER_CTX_cleanup(&ctx);
2389                 OPENSSL_free(sdec);
2390                 return 2;
2391                 }
2392         slen += mlen;
2393         EVP_CIPHER_CTX_cleanup(&ctx);
2394         p = sdec;
2395
2396         sess = d2i_SSL_SESSION(NULL, &p, slen);
2397         OPENSSL_free(sdec);
2398         if (sess)
2399                 {
2400                 /* The session ID, if non-empty, is used by some clients to
2401                  * detect that the ticket has been accepted. So we copy it to
2402                  * the session structure. If it is empty set length to zero
2403                  * as required by standard.
2404                  */
2405                 if (sesslen)
2406                         memcpy(sess->session_id, sess_id, sesslen);
2407                 sess->session_id_length = sesslen;
2408                 *psess = sess;
2409                 if (renew_ticket)
2410                         return 4;
2411                 else
2412                         return 3;
2413                 }
2414         ERR_clear_error();
2415         /* For session parse failure, indicate that we need to send a new
2416          * ticket. */
2417         return 2;
2418         }
2419
2420 /* Tables to translate from NIDs to TLS v1.2 ids */
2421
2422 typedef struct 
2423         {
2424         int nid;
2425         int id;
2426         } tls12_lookup;
2427
2428 static tls12_lookup tls12_md[] = {
2429 #ifndef OPENSSL_NO_MD5
2430         {NID_md5, TLSEXT_hash_md5},
2431 #endif
2432 #ifndef OPENSSL_NO_SHA
2433         {NID_sha1, TLSEXT_hash_sha1},
2434 #endif
2435 #ifndef OPENSSL_NO_SHA256
2436         {NID_sha224, TLSEXT_hash_sha224},
2437         {NID_sha256, TLSEXT_hash_sha256},
2438 #endif
2439 #ifndef OPENSSL_NO_SHA512
2440         {NID_sha384, TLSEXT_hash_sha384},
2441         {NID_sha512, TLSEXT_hash_sha512}
2442 #endif
2443 };
2444
2445 static tls12_lookup tls12_sig[] = {
2446 #ifndef OPENSSL_NO_RSA
2447         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2448 #endif
2449 #ifndef OPENSSL_NO_DSA
2450         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2451 #endif
2452 #ifndef OPENSSL_NO_ECDSA
2453         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2454 #endif
2455 };
2456
2457 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2458         {
2459         size_t i;
2460         for (i = 0; i < tlen; i++)
2461                 {
2462                 if (table[i].nid == nid)
2463                         return table[i].id;
2464                 }
2465         return -1;
2466         }
2467 #if 0
2468 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2469         {
2470         size_t i;
2471         for (i = 0; i < tlen; i++)
2472                 {
2473                 if (table[i].id == id)
2474                         return table[i].nid;
2475                 }
2476         return -1;
2477         }
2478 #endif
2479
2480 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2481         {
2482         int sig_id, md_id;
2483         if (!md)
2484                 return 0;
2485         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2486                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2487         if (md_id == -1)
2488                 return 0;
2489         sig_id = tls12_get_sigid(pk);
2490         if (sig_id == -1)
2491                 return 0;
2492         p[0] = (unsigned char)md_id;
2493         p[1] = (unsigned char)sig_id;
2494         return 1;
2495         }
2496
2497 int tls12_get_sigid(const EVP_PKEY *pk)
2498         {
2499         return tls12_find_id(pk->type, tls12_sig,
2500                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2501         }
2502
2503 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2504         {
2505         switch(hash_alg)
2506                 {
2507 #ifndef OPENSSL_NO_SHA
2508                 case TLSEXT_hash_sha1:
2509                 return EVP_sha1();
2510 #endif
2511 #ifndef OPENSSL_NO_SHA256
2512                 case TLSEXT_hash_sha224:
2513                 return EVP_sha224();
2514
2515                 case TLSEXT_hash_sha256:
2516                 return EVP_sha256();
2517 #endif
2518 #ifndef OPENSSL_NO_SHA512
2519                 case TLSEXT_hash_sha384:
2520                 return EVP_sha384();
2521
2522                 case TLSEXT_hash_sha512:
2523                 return EVP_sha512();
2524 #endif
2525                 default:
2526                 return NULL;
2527
2528                 }
2529         }
2530
2531 /* Set preferred digest for each key type */
2532
2533 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2534         {
2535         int i, idx;
2536         const EVP_MD *md;
2537         CERT *c = s->cert;
2538         /* Extension ignored for TLS versions below 1.2 */
2539         if (TLS1_get_version(s) < TLS1_2_VERSION)
2540                 return 1;
2541         /* Should never happen */
2542         if (!c)
2543                 return 0;
2544
2545         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2546         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2547         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2548         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2549
2550         for (i = 0; i < dsize; i += 2)
2551                 {
2552                 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2553
2554                 switch(sig_alg)
2555                         {
2556 #ifndef OPENSSL_NO_RSA
2557                         case TLSEXT_signature_rsa:
2558                         idx = SSL_PKEY_RSA_SIGN;
2559                         break;
2560 #endif
2561 #ifndef OPENSSL_NO_DSA
2562                         case TLSEXT_signature_dsa:
2563                         idx = SSL_PKEY_DSA_SIGN;
2564                         break;
2565 #endif
2566 #ifndef OPENSSL_NO_ECDSA
2567                         case TLSEXT_signature_ecdsa:
2568                         idx = SSL_PKEY_ECC;
2569                         break;
2570 #endif
2571                         default:
2572                         continue;
2573                         }
2574
2575                 if (c->pkeys[idx].digest == NULL)
2576                         {
2577                         md = tls12_get_hash(hash_alg);
2578                         if (md)
2579                                 {
2580                                 c->pkeys[idx].digest = md;
2581                                 if (idx == SSL_PKEY_RSA_SIGN)
2582                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2583                                 }
2584                         }
2585
2586                 }
2587
2588
2589         /* Set any remaining keys to default values. NOTE: if alg is not
2590          * supported it stays as NULL.
2591          */
2592 #ifndef OPENSSL_NO_DSA
2593         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2594                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2595 #endif
2596 #ifndef OPENSSL_NO_RSA
2597         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2598                 {
2599                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2600                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2601                 }
2602 #endif
2603 #ifndef OPENSSL_NO_ECDSA
2604         if (!c->pkeys[SSL_PKEY_ECC].digest)
2605                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2606 #endif
2607         return 1;
2608         }
2609
2610 #endif
2611
2612 #ifndef OPENSSL_NO_HEARTBEATS
2613 int
2614 tls1_process_heartbeat(SSL *s)
2615         {
2616         unsigned char *p = &s->s3->rrec.data[0], *pl;
2617         unsigned short hbtype;
2618         unsigned int payload;
2619         unsigned int padding = 16; /* Use minimum padding */
2620
2621         if (s->msg_callback)
2622                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2623                         &s->s3->rrec.data[0], s->s3->rrec.length,
2624                         s, s->msg_callback_arg);
2625
2626         /* Read type and payload length first */
2627         if (1 + 2 + 16 > s->s3->rrec.length)
2628                 return 0; /* silently discard */
2629         hbtype = *p++;
2630         n2s(p, payload);
2631         if (1 + 2 + payload + 16 > s->s3->rrec.length)
2632                 return 0; /* silently discard per RFC 6520 sec. 4 */
2633         pl = p;
2634
2635         if (hbtype == TLS1_HB_REQUEST)
2636                 {
2637                 unsigned char *buffer, *bp;
2638                 int r;
2639
2640                 /* Allocate memory for the response, size is 1 bytes
2641                  * message type, plus 2 bytes payload length, plus
2642                  * payload, plus padding
2643                  */
2644                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2645                 bp = buffer;
2646                 
2647                 /* Enter response type, length and copy payload */
2648                 *bp++ = TLS1_HB_RESPONSE;
2649                 s2n(payload, bp);
2650                 memcpy(bp, pl, payload);
2651                 bp += payload;
2652                 /* Random padding */
2653                 RAND_pseudo_bytes(bp, padding);
2654
2655                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2656
2657                 if (r >= 0 && s->msg_callback)
2658                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2659                                 buffer, 3 + payload + padding,
2660                                 s, s->msg_callback_arg);
2661
2662                 OPENSSL_free(buffer);
2663
2664                 if (r < 0)
2665                         return r;
2666                 }
2667         else if (hbtype == TLS1_HB_RESPONSE)
2668                 {
2669                 unsigned int seq;
2670                 
2671                 /* We only send sequence numbers (2 bytes unsigned int),
2672                  * and 16 random bytes, so we just try to read the
2673                  * sequence number */
2674                 n2s(pl, seq);
2675                 
2676                 if (payload == 18 && seq == s->tlsext_hb_seq)
2677                         {
2678                         s->tlsext_hb_seq++;
2679                         s->tlsext_hb_pending = 0;
2680                         }
2681                 }
2682
2683         return 0;
2684         }
2685
2686 int
2687 tls1_heartbeat(SSL *s)
2688         {
2689         unsigned char *buf, *p;
2690         int ret;
2691         unsigned int payload = 18; /* Sequence number + random bytes */
2692         unsigned int padding = 16; /* Use minimum padding */
2693
2694         /* Only send if peer supports and accepts HB requests... */
2695         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2696             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2697                 {
2698                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2699                 return -1;
2700                 }
2701
2702         /* ...and there is none in flight yet... */
2703         if (s->tlsext_hb_pending)
2704                 {
2705                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2706                 return -1;
2707                 }
2708                 
2709         /* ...and no handshake in progress. */
2710         if (SSL_in_init(s) || s->in_handshake)
2711                 {
2712                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2713                 return -1;
2714                 }
2715                 
2716         /* Check if padding is too long, payload and padding
2717          * must not exceed 2^14 - 3 = 16381 bytes in total.
2718          */
2719         OPENSSL_assert(payload + padding <= 16381);
2720
2721         /* Create HeartBeat message, we just use a sequence number
2722          * as payload to distuingish different messages and add
2723          * some random stuff.
2724          *  - Message Type, 1 byte
2725          *  - Payload Length, 2 bytes (unsigned int)
2726          *  - Payload, the sequence number (2 bytes uint)
2727          *  - Payload, random bytes (16 bytes uint)
2728          *  - Padding
2729          */
2730         buf = OPENSSL_malloc(1 + 2 + payload + padding);
2731         p = buf;
2732         /* Message Type */
2733         *p++ = TLS1_HB_REQUEST;
2734         /* Payload length (18 bytes here) */
2735         s2n(payload, p);
2736         /* Sequence number */
2737         s2n(s->tlsext_hb_seq, p);
2738         /* 16 random bytes */
2739         RAND_pseudo_bytes(p, 16);
2740         p += 16;
2741         /* Random padding */
2742         RAND_pseudo_bytes(p, padding);
2743
2744         ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2745         if (ret >= 0)
2746                 {
2747                 if (s->msg_callback)
2748                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2749                                 buf, 3 + payload + padding,
2750                                 s, s->msg_callback_arg);
2751
2752                 s->tlsext_hb_pending = 1;
2753                 }
2754                 
2755         OPENSSL_free(buf);
2756
2757         return ret;
2758         }
2759 #endif