Backport TLS v1.2 support from HEAD.
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123                                 const unsigned char *sess_id, int sesslen,
124                                 SSL_SESSION **psess);
125 static int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);
126 #endif
127
128 SSL3_ENC_METHOD TLSv1_enc_data={
129         tls1_enc,
130         tls1_mac,
131         tls1_setup_key_block,
132         tls1_generate_master_secret,
133         tls1_change_cipher_state,
134         tls1_final_finish_mac,
135         TLS1_FINISH_MAC_LENGTH,
136         tls1_cert_verify_mac,
137         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139         tls1_alert_code,
140         };
141
142 long tls1_default_timeout(void)
143         {
144         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
145          * is way too long for http, the cache would over fill */
146         return(60*60*2);
147         }
148
149 int tls1_new(SSL *s)
150         {
151         if (!ssl3_new(s)) return(0);
152         s->method->ssl_clear(s);
153         return(1);
154         }
155
156 void tls1_free(SSL *s)
157         {
158 #ifndef OPENSSL_NO_TLSEXT
159         if (s->tlsext_session_ticket)
160                 {
161                 OPENSSL_free(s->tlsext_session_ticket);
162                 }
163 #endif /* OPENSSL_NO_TLSEXT */
164         ssl3_free(s);
165         }
166
167 void tls1_clear(SSL *s)
168         {
169         ssl3_clear(s);
170         s->version = s->method->version;
171         }
172
173 #ifndef OPENSSL_NO_EC
174 static int nid_list[] =
175         {
176                 NID_sect163k1, /* sect163k1 (1) */
177                 NID_sect163r1, /* sect163r1 (2) */
178                 NID_sect163r2, /* sect163r2 (3) */
179                 NID_sect193r1, /* sect193r1 (4) */ 
180                 NID_sect193r2, /* sect193r2 (5) */ 
181                 NID_sect233k1, /* sect233k1 (6) */
182                 NID_sect233r1, /* sect233r1 (7) */ 
183                 NID_sect239k1, /* sect239k1 (8) */ 
184                 NID_sect283k1, /* sect283k1 (9) */
185                 NID_sect283r1, /* sect283r1 (10) */ 
186                 NID_sect409k1, /* sect409k1 (11) */ 
187                 NID_sect409r1, /* sect409r1 (12) */
188                 NID_sect571k1, /* sect571k1 (13) */ 
189                 NID_sect571r1, /* sect571r1 (14) */ 
190                 NID_secp160k1, /* secp160k1 (15) */
191                 NID_secp160r1, /* secp160r1 (16) */ 
192                 NID_secp160r2, /* secp160r2 (17) */ 
193                 NID_secp192k1, /* secp192k1 (18) */
194                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
195                 NID_secp224k1, /* secp224k1 (20) */ 
196                 NID_secp224r1, /* secp224r1 (21) */
197                 NID_secp256k1, /* secp256k1 (22) */ 
198                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
199                 NID_secp384r1, /* secp384r1 (24) */
200                 NID_secp521r1  /* secp521r1 (25) */     
201         };
202         
203 int tls1_ec_curve_id2nid(int curve_id)
204         {
205         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
206         if ((curve_id < 1) || ((unsigned int)curve_id >
207                                 sizeof(nid_list)/sizeof(nid_list[0])))
208                 return 0;
209         return nid_list[curve_id-1];
210         }
211
212 int tls1_ec_nid2curve_id(int nid)
213         {
214         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
215         switch (nid)
216                 {
217         case NID_sect163k1: /* sect163k1 (1) */
218                 return 1;
219         case NID_sect163r1: /* sect163r1 (2) */
220                 return 2;
221         case NID_sect163r2: /* sect163r2 (3) */
222                 return 3;
223         case NID_sect193r1: /* sect193r1 (4) */ 
224                 return 4;
225         case NID_sect193r2: /* sect193r2 (5) */ 
226                 return 5;
227         case NID_sect233k1: /* sect233k1 (6) */
228                 return 6;
229         case NID_sect233r1: /* sect233r1 (7) */ 
230                 return 7;
231         case NID_sect239k1: /* sect239k1 (8) */ 
232                 return 8;
233         case NID_sect283k1: /* sect283k1 (9) */
234                 return 9;
235         case NID_sect283r1: /* sect283r1 (10) */ 
236                 return 10;
237         case NID_sect409k1: /* sect409k1 (11) */ 
238                 return 11;
239         case NID_sect409r1: /* sect409r1 (12) */
240                 return 12;
241         case NID_sect571k1: /* sect571k1 (13) */ 
242                 return 13;
243         case NID_sect571r1: /* sect571r1 (14) */ 
244                 return 14;
245         case NID_secp160k1: /* secp160k1 (15) */
246                 return 15;
247         case NID_secp160r1: /* secp160r1 (16) */ 
248                 return 16;
249         case NID_secp160r2: /* secp160r2 (17) */ 
250                 return 17;
251         case NID_secp192k1: /* secp192k1 (18) */
252                 return 18;
253         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
254                 return 19;
255         case NID_secp224k1: /* secp224k1 (20) */ 
256                 return 20;
257         case NID_secp224r1: /* secp224r1 (21) */
258                 return 21;
259         case NID_secp256k1: /* secp256k1 (22) */ 
260                 return 22;
261         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
262                 return 23;
263         case NID_secp384r1: /* secp384r1 (24) */
264                 return 24;
265         case NID_secp521r1:  /* secp521r1 (25) */       
266                 return 25;
267         default:
268                 return 0;
269                 }
270         }
271 #endif /* OPENSSL_NO_EC */
272
273 #ifndef OPENSSL_NO_TLSEXT
274 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
275         {
276         int extdatalen=0;
277         unsigned char *ret = p;
278
279         /* don't add extensions for SSLv3 unless doing secure renegotiation */
280         if (s->client_version == SSL3_VERSION
281                                         && !s->s3->send_connection_binding)
282                 return p;
283
284         ret+=2;
285
286         if (ret>=limit) return NULL; /* this really never occurs, but ... */
287
288         if (s->tlsext_hostname != NULL)
289                 { 
290                 /* Add TLS extension servername to the Client Hello message */
291                 unsigned long size_str;
292                 long lenmax; 
293
294                 /* check for enough space.
295                    4 for the servername type and entension length
296                    2 for servernamelist length
297                    1 for the hostname type
298                    2 for hostname length
299                    + hostname length 
300                 */
301                    
302                 if ((lenmax = limit - ret - 9) < 0 
303                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
304                         return NULL;
305                         
306                 /* extension type and length */
307                 s2n(TLSEXT_TYPE_server_name,ret); 
308                 s2n(size_str+5,ret);
309                 
310                 /* length of servername list */
311                 s2n(size_str+3,ret);
312         
313                 /* hostname type, length and hostname */
314                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
315                 s2n(size_str,ret);
316                 memcpy(ret, s->tlsext_hostname, size_str);
317                 ret+=size_str;
318                 }
319
320         /* Add RI if renegotiating */
321         if (s->renegotiate)
322           {
323           int el;
324           
325           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
326               {
327               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
328               return NULL;
329               }
330
331           if((limit - p - 4 - el) < 0) return NULL;
332           
333           s2n(TLSEXT_TYPE_renegotiate,ret);
334           s2n(el,ret);
335
336           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
337               {
338               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
339               return NULL;
340               }
341
342           ret += el;
343         }
344
345 #ifndef OPENSSL_NO_SRP
346 #define MIN(x,y) (((x)<(y))?(x):(y))
347         /* we add SRP username the first time only if we have one! */
348         if (s->srp_ctx.login != NULL)
349                 {/* Add TLS extension SRP username to the Client Hello message */
350                 int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
351                 long lenmax; 
352
353                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
354                 if (login_len > lenmax) return NULL;
355                 if (login_len > 255)
356                         {
357                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
358                         return NULL;
359                         }
360                 s2n(TLSEXT_TYPE_srp,ret);
361                 s2n(login_len+1,ret);
362
363                 (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
364                 memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
365                 ret+=login_len;
366                 }
367 #endif
368
369 #ifndef OPENSSL_NO_EC
370         if (s->tlsext_ecpointformatlist != NULL &&
371             s->version != DTLS1_VERSION)
372                 {
373                 /* Add TLS extension ECPointFormats to the ClientHello message */
374                 long lenmax; 
375
376                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
377                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
378                 if (s->tlsext_ecpointformatlist_length > 255)
379                         {
380                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
381                         return NULL;
382                         }
383                 
384                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
385                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
386                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
387                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
388                 ret+=s->tlsext_ecpointformatlist_length;
389                 }
390         if (s->tlsext_ellipticcurvelist != NULL &&
391             s->version != DTLS1_VERSION)
392                 {
393                 /* Add TLS extension EllipticCurves to the ClientHello message */
394                 long lenmax; 
395
396                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
397                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
398                 if (s->tlsext_ellipticcurvelist_length > 65532)
399                         {
400                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
401                         return NULL;
402                         }
403                 
404                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
405                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
406
407                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
408                  * elliptic_curve_list, but the examples use two bytes.
409                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
410                  * resolves this to two bytes.
411                  */
412                 s2n(s->tlsext_ellipticcurvelist_length, ret);
413                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
414                 ret+=s->tlsext_ellipticcurvelist_length;
415                 }
416 #endif /* OPENSSL_NO_EC */
417
418         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
419                 {
420                 int ticklen;
421                 if (!s->new_session && s->session && s->session->tlsext_tick)
422                         ticklen = s->session->tlsext_ticklen;
423                 else if (s->session && s->tlsext_session_ticket &&
424                          s->tlsext_session_ticket->data)
425                         {
426                         ticklen = s->tlsext_session_ticket->length;
427                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
428                         if (!s->session->tlsext_tick)
429                                 return NULL;
430                         memcpy(s->session->tlsext_tick,
431                                s->tlsext_session_ticket->data,
432                                ticklen);
433                         s->session->tlsext_ticklen = ticklen;
434                         }
435                 else
436                         ticklen = 0;
437                 if (ticklen == 0 && s->tlsext_session_ticket &&
438                     s->tlsext_session_ticket->data == NULL)
439                         goto skip_ext;
440                 /* Check for enough room 2 for extension type, 2 for len
441                  * rest for ticket
442                  */
443                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
444                 s2n(TLSEXT_TYPE_session_ticket,ret); 
445                 s2n(ticklen,ret);
446                 if (ticklen)
447                         {
448                         memcpy(ret, s->session->tlsext_tick, ticklen);
449                         ret += ticklen;
450                         }
451                 }
452                 skip_ext:
453
454         if (s->version >= TLS1_2_VERSION)
455                 {
456                 /* List of supported signature algorithms and hashes.
457                  * Should make this customisable at some point, for
458                  * now include everything we support.
459                  */
460                 static unsigned char sigalgs[] = {
461 #ifndef OPENSSL_NO_RSA
462 # ifndef OPENSSL_NO_SHA512
463                         TLSEXT_hash_sha512, TLSEXT_signature_rsa,
464                         TLSEXT_hash_sha384, TLSEXT_signature_rsa,
465 # endif
466 # ifndef OPENSSL_NO_SHA256
467                         TLSEXT_hash_sha256, TLSEXT_signature_rsa,
468                         TLSEXT_hash_sha224, TLSEXT_signature_rsa,
469 # endif
470 # ifndef OPENSSL_NO_SHA
471                         TLSEXT_hash_sha1, TLSEXT_signature_rsa,
472 # endif
473 #endif
474 #ifndef OPENSSL_NO_ECDSA
475 # ifndef OPENSSL_NO_SHA512
476                         TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
477                         TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
478 # endif
479 # ifndef OPENSSL_NO_SHA256
480                         TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
481                         TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
482 # endif
483 # ifndef OPENSSL_NO_SHA
484                         TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
485 # endif
486 #endif
487 #ifndef OPENSSL_NO_DSA
488 # ifndef OPENSSL_NO_SHA512
489                         TLSEXT_hash_sha512, TLSEXT_signature_dsa,
490                         TLSEXT_hash_sha384, TLSEXT_signature_dsa,
491 # endif
492 # ifndef OPENSSL_NO_SHA256
493                         TLSEXT_hash_sha256, TLSEXT_signature_dsa,
494                         TLSEXT_hash_sha224, TLSEXT_signature_dsa,
495 # endif
496 # ifndef OPENSSL_NO_SHA
497                         TLSEXT_hash_sha1, TLSEXT_signature_dsa
498 # endif
499 #endif
500                 };
501                 if ((size_t)(limit - ret) < sizeof(sigalgs) + 6)
502                         return NULL; 
503                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
504                 s2n(sizeof(sigalgs) + 2, ret);
505                 s2n(sizeof(sigalgs), ret);
506                 memcpy(ret, sigalgs, sizeof(sigalgs));
507                 ret += sizeof(sigalgs);
508                 }
509
510 #ifdef TLSEXT_TYPE_opaque_prf_input
511         if (s->s3->client_opaque_prf_input != NULL &&
512             s->version != DTLS1_VERSION)
513                 {
514                 size_t col = s->s3->client_opaque_prf_input_len;
515                 
516                 if ((long)(limit - ret - 6 - col < 0))
517                         return NULL;
518                 if (col > 0xFFFD) /* can't happen */
519                         return NULL;
520
521                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
522                 s2n(col + 2, ret);
523                 s2n(col, ret);
524                 memcpy(ret, s->s3->client_opaque_prf_input, col);
525                 ret += col;
526                 }
527 #endif
528
529         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
530             s->version != DTLS1_VERSION)
531                 {
532                 int i;
533                 long extlen, idlen, itmp;
534                 OCSP_RESPID *id;
535
536                 idlen = 0;
537                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
538                         {
539                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
540                         itmp = i2d_OCSP_RESPID(id, NULL);
541                         if (itmp <= 0)
542                                 return NULL;
543                         idlen += itmp + 2;
544                         }
545
546                 if (s->tlsext_ocsp_exts)
547                         {
548                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
549                         if (extlen < 0)
550                                 return NULL;
551                         }
552                 else
553                         extlen = 0;
554                         
555                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
556                 s2n(TLSEXT_TYPE_status_request, ret);
557                 if (extlen + idlen > 0xFFF0)
558                         return NULL;
559                 s2n(extlen + idlen + 5, ret);
560                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
561                 s2n(idlen, ret);
562                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
563                         {
564                         /* save position of id len */
565                         unsigned char *q = ret;
566                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
567                         /* skip over id len */
568                         ret += 2;
569                         itmp = i2d_OCSP_RESPID(id, &ret);
570                         /* write id len */
571                         s2n(itmp, q);
572                         }
573                 s2n(extlen, ret);
574                 if (extlen > 0)
575                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
576                 }
577
578         if ((extdatalen = ret-p-2)== 0) 
579                 return p;
580
581         s2n(extdatalen,p);
582         return ret;
583         }
584
585 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
586         {
587         int extdatalen=0;
588         unsigned char *ret = p;
589
590         /* don't add extensions for SSLv3, unless doing secure renegotiation */
591         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
592                 return p;
593         
594         ret+=2;
595         if (ret>=limit) return NULL; /* this really never occurs, but ... */
596
597         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
598                 { 
599                 if ((long)(limit - ret - 4) < 0) return NULL; 
600
601                 s2n(TLSEXT_TYPE_server_name,ret);
602                 s2n(0,ret);
603                 }
604
605         if(s->s3->send_connection_binding)
606         {
607           int el;
608           
609           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
610               {
611               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
612               return NULL;
613               }
614
615           if((limit - p - 4 - el) < 0) return NULL;
616           
617           s2n(TLSEXT_TYPE_renegotiate,ret);
618           s2n(el,ret);
619
620           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
621               {
622               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
623               return NULL;
624               }
625
626           ret += el;
627         }
628
629 #ifndef OPENSSL_NO_EC
630         if (s->tlsext_ecpointformatlist != NULL &&
631             s->version != DTLS1_VERSION)
632                 {
633                 /* Add TLS extension ECPointFormats to the ServerHello message */
634                 long lenmax; 
635
636                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
637                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
638                 if (s->tlsext_ecpointformatlist_length > 255)
639                         {
640                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
641                         return NULL;
642                         }
643                 
644                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
645                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
646                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
647                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
648                 ret+=s->tlsext_ecpointformatlist_length;
649
650                 }
651         /* Currently the server should not respond with a SupportedCurves extension */
652 #endif /* OPENSSL_NO_EC */
653
654         if (s->tlsext_ticket_expected
655                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
656                 { 
657                 if ((long)(limit - ret - 4) < 0) return NULL; 
658                 s2n(TLSEXT_TYPE_session_ticket,ret);
659                 s2n(0,ret);
660                 }
661
662         if (s->tlsext_status_expected)
663                 { 
664                 if ((long)(limit - ret - 4) < 0) return NULL; 
665                 s2n(TLSEXT_TYPE_status_request,ret);
666                 s2n(0,ret);
667                 }
668
669 #ifdef TLSEXT_TYPE_opaque_prf_input
670         if (s->s3->server_opaque_prf_input != NULL &&
671             s->version != DTLS1_VERSION)
672                 {
673                 size_t sol = s->s3->server_opaque_prf_input_len;
674                 
675                 if ((long)(limit - ret - 6 - sol) < 0)
676                         return NULL;
677                 if (sol > 0xFFFD) /* can't happen */
678                         return NULL;
679
680                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
681                 s2n(sol + 2, ret);
682                 s2n(sol, ret);
683                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
684                 ret += sol;
685                 }
686 #endif
687         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
688                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
689                 { const unsigned char cryptopro_ext[36] = {
690                         0xfd, 0xe8, /*65000*/
691                         0x00, 0x20, /*32 bytes length*/
692                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
693                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
694                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
695                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
696                         if (limit-ret<36) return NULL;
697                         memcpy(ret,cryptopro_ext,36);
698                         ret+=36;
699
700                 }
701
702         if ((extdatalen = ret-p-2)== 0) 
703                 return p;
704
705         s2n(extdatalen,p);
706         return ret;
707         }
708
709 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
710         {
711         unsigned short type;
712         unsigned short size;
713         unsigned short len;
714         unsigned char *data = *p;
715         int renegotiate_seen = 0;
716         int sigalg_seen = 0;
717
718         s->servername_done = 0;
719         s->tlsext_status_type = -1;
720
721         if (data >= (d+n-2))
722                 goto ri_check;
723         n2s(data,len);
724
725         if (data > (d+n-len)) 
726                 goto ri_check;
727
728         while (data <= (d+n-4))
729                 {
730                 n2s(data,type);
731                 n2s(data,size);
732
733                 if (data+size > (d+n))
734                         goto ri_check;
735 #if 0
736                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
737 #endif
738                 if (s->tlsext_debug_cb)
739                         s->tlsext_debug_cb(s, 0, type, data, size,
740                                                 s->tlsext_debug_arg);
741 /* The servername extension is treated as follows:
742
743    - Only the hostname type is supported with a maximum length of 255.
744    - The servername is rejected if too long or if it contains zeros,
745      in which case an fatal alert is generated.
746    - The servername field is maintained together with the session cache.
747    - When a session is resumed, the servername call back invoked in order
748      to allow the application to position itself to the right context. 
749    - The servername is acknowledged if it is new for a session or when 
750      it is identical to a previously used for the same session. 
751      Applications can control the behaviour.  They can at any time
752      set a 'desirable' servername for a new SSL object. This can be the
753      case for example with HTTPS when a Host: header field is received and
754      a renegotiation is requested. In this case, a possible servername
755      presented in the new client hello is only acknowledged if it matches
756      the value of the Host: field. 
757    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
758      if they provide for changing an explicit servername context for the session,
759      i.e. when the session has been established with a servername extension. 
760    - On session reconnect, the servername extension may be absent. 
761
762 */      
763
764                 if (type == TLSEXT_TYPE_server_name)
765                         {
766                         unsigned char *sdata;
767                         int servname_type;
768                         int dsize; 
769                 
770                         if (size < 2) 
771                                 {
772                                 *al = SSL_AD_DECODE_ERROR;
773                                 return 0;
774                                 }
775                         n2s(data,dsize);  
776                         size -= 2;
777                         if (dsize > size  ) 
778                                 {
779                                 *al = SSL_AD_DECODE_ERROR;
780                                 return 0;
781                                 } 
782
783                         sdata = data;
784                         while (dsize > 3) 
785                                 {
786                                 servname_type = *(sdata++); 
787                                 n2s(sdata,len);
788                                 dsize -= 3;
789
790                                 if (len > dsize) 
791                                         {
792                                         *al = SSL_AD_DECODE_ERROR;
793                                         return 0;
794                                         }
795                                 if (s->servername_done == 0)
796                                 switch (servname_type)
797                                         {
798                                 case TLSEXT_NAMETYPE_host_name:
799                                         if (!s->hit)
800                                                 {
801                                                 if(s->session->tlsext_hostname)
802                                                         {
803                                                         *al = SSL_AD_DECODE_ERROR;
804                                                         return 0;
805                                                         }
806                                                 if (len > TLSEXT_MAXLEN_host_name)
807                                                         {
808                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
809                                                         return 0;
810                                                         }
811                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
812                                                         {
813                                                         *al = TLS1_AD_INTERNAL_ERROR;
814                                                         return 0;
815                                                         }
816                                                 memcpy(s->session->tlsext_hostname, sdata, len);
817                                                 s->session->tlsext_hostname[len]='\0';
818                                                 if (strlen(s->session->tlsext_hostname) != len) {
819                                                         OPENSSL_free(s->session->tlsext_hostname);
820                                                         s->session->tlsext_hostname = NULL;
821                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
822                                                         return 0;
823                                                 }
824                                                 s->servername_done = 1; 
825
826                                                 }
827                                         else 
828                                                 s->servername_done = s->session->tlsext_hostname
829                                                         && strlen(s->session->tlsext_hostname) == len 
830                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
831                                         
832                                         break;
833
834                                 default:
835                                         break;
836                                         }
837                                  
838                                 dsize -= len;
839                                 }
840                         if (dsize != 0) 
841                                 {
842                                 *al = SSL_AD_DECODE_ERROR;
843                                 return 0;
844                                 }
845
846                         }
847 #ifndef OPENSSL_NO_SRP
848                 else if (type == TLSEXT_TYPE_srp)
849                         {
850                         if (size > 0)
851                                 {
852                                 len = data[0];
853                                 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
854                                         return -1;
855                                 memcpy(s->srp_ctx.login, &data[1], len);
856                                 s->srp_ctx.login[len]='\0';  
857                                 }
858                         }
859 #endif
860
861 #ifndef OPENSSL_NO_EC
862                 else if (type == TLSEXT_TYPE_ec_point_formats &&
863                      s->version != DTLS1_VERSION)
864                         {
865                         unsigned char *sdata = data;
866                         int ecpointformatlist_length = *(sdata++);
867
868                         if (ecpointformatlist_length != size - 1)
869                                 {
870                                 *al = TLS1_AD_DECODE_ERROR;
871                                 return 0;
872                                 }
873                         if (!s->hit)
874                                 {
875                                 if(s->session->tlsext_ecpointformatlist)
876                                         {
877                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
878                                         s->session->tlsext_ecpointformatlist = NULL;
879                                         }
880                                 s->session->tlsext_ecpointformatlist_length = 0;
881                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
882                                         {
883                                         *al = TLS1_AD_INTERNAL_ERROR;
884                                         return 0;
885                                         }
886                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
887                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
888                                 }
889 #if 0
890                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
891                         sdata = s->session->tlsext_ecpointformatlist;
892                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
893                                 fprintf(stderr,"%i ",*(sdata++));
894                         fprintf(stderr,"\n");
895 #endif
896                         }
897                 else if (type == TLSEXT_TYPE_elliptic_curves &&
898                      s->version != DTLS1_VERSION)
899                         {
900                         unsigned char *sdata = data;
901                         int ellipticcurvelist_length = (*(sdata++) << 8);
902                         ellipticcurvelist_length += (*(sdata++));
903
904                         if (ellipticcurvelist_length != size - 2)
905                                 {
906                                 *al = TLS1_AD_DECODE_ERROR;
907                                 return 0;
908                                 }
909                         if (!s->hit)
910                                 {
911                                 if(s->session->tlsext_ellipticcurvelist)
912                                         {
913                                         *al = TLS1_AD_DECODE_ERROR;
914                                         return 0;
915                                         }
916                                 s->session->tlsext_ellipticcurvelist_length = 0;
917                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
918                                         {
919                                         *al = TLS1_AD_INTERNAL_ERROR;
920                                         return 0;
921                                         }
922                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
923                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
924                                 }
925 #if 0
926                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
927                         sdata = s->session->tlsext_ellipticcurvelist;
928                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
929                                 fprintf(stderr,"%i ",*(sdata++));
930                         fprintf(stderr,"\n");
931 #endif
932                         }
933 #endif /* OPENSSL_NO_EC */
934 #ifdef TLSEXT_TYPE_opaque_prf_input
935                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
936                      s->version != DTLS1_VERSION)
937                         {
938                         unsigned char *sdata = data;
939
940                         if (size < 2)
941                                 {
942                                 *al = SSL_AD_DECODE_ERROR;
943                                 return 0;
944                                 }
945                         n2s(sdata, s->s3->client_opaque_prf_input_len);
946                         if (s->s3->client_opaque_prf_input_len != size - 2)
947                                 {
948                                 *al = SSL_AD_DECODE_ERROR;
949                                 return 0;
950                                 }
951
952                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
953                                 OPENSSL_free(s->s3->client_opaque_prf_input);
954                         if (s->s3->client_opaque_prf_input_len == 0)
955                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
956                         else
957                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
958                         if (s->s3->client_opaque_prf_input == NULL)
959                                 {
960                                 *al = TLS1_AD_INTERNAL_ERROR;
961                                 return 0;
962                                 }
963                         }
964 #endif
965                 else if (type == TLSEXT_TYPE_session_ticket)
966                         {
967                         if (s->tls_session_ticket_ext_cb &&
968                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
969                                 {
970                                 *al = TLS1_AD_INTERNAL_ERROR;
971                                 return 0;
972                                 }
973                         }
974                 else if (type == TLSEXT_TYPE_renegotiate)
975                         {
976                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
977                                 return 0;
978                         renegotiate_seen = 1;
979                         }
980                 else if (type == TLSEXT_TYPE_signature_algorithms)
981                         {
982                         int dsize;
983                         if (sigalg_seen || size < 2) 
984                                 {
985                                 *al = SSL_AD_DECODE_ERROR;
986                                 return 0;
987                                 }
988                         sigalg_seen = 1;
989                         n2s(data,dsize);
990                         size -= 2;
991                         if (dsize != size || dsize & 1) 
992                                 {
993                                 *al = SSL_AD_DECODE_ERROR;
994                                 return 0;
995                                 }
996                         if (!tls1_process_sigalgs(s, data, dsize))
997                                 {
998                                 *al = SSL_AD_DECODE_ERROR;
999                                 return 0;
1000                                 }
1001                         }
1002                 else if (type == TLSEXT_TYPE_status_request &&
1003                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1004                         {
1005                 
1006                         if (size < 5) 
1007                                 {
1008                                 *al = SSL_AD_DECODE_ERROR;
1009                                 return 0;
1010                                 }
1011
1012                         s->tlsext_status_type = *data++;
1013                         size--;
1014                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1015                                 {
1016                                 const unsigned char *sdata;
1017                                 int dsize;
1018                                 /* Read in responder_id_list */
1019                                 n2s(data,dsize);
1020                                 size -= 2;
1021                                 if (dsize > size  ) 
1022                                         {
1023                                         *al = SSL_AD_DECODE_ERROR;
1024                                         return 0;
1025                                         }
1026                                 while (dsize > 0)
1027                                         {
1028                                         OCSP_RESPID *id;
1029                                         int idsize;
1030                                         if (dsize < 4)
1031                                                 {
1032                                                 *al = SSL_AD_DECODE_ERROR;
1033                                                 return 0;
1034                                                 }
1035                                         n2s(data, idsize);
1036                                         dsize -= 2 + idsize;
1037                                         size -= 2 + idsize;
1038                                         if (dsize < 0)
1039                                                 {
1040                                                 *al = SSL_AD_DECODE_ERROR;
1041                                                 return 0;
1042                                                 }
1043                                         sdata = data;
1044                                         data += idsize;
1045                                         id = d2i_OCSP_RESPID(NULL,
1046                                                                 &sdata, idsize);
1047                                         if (!id)
1048                                                 {
1049                                                 *al = SSL_AD_DECODE_ERROR;
1050                                                 return 0;
1051                                                 }
1052                                         if (data != sdata)
1053                                                 {
1054                                                 OCSP_RESPID_free(id);
1055                                                 *al = SSL_AD_DECODE_ERROR;
1056                                                 return 0;
1057                                                 }
1058                                         if (!s->tlsext_ocsp_ids
1059                                                 && !(s->tlsext_ocsp_ids =
1060                                                 sk_OCSP_RESPID_new_null()))
1061                                                 {
1062                                                 OCSP_RESPID_free(id);
1063                                                 *al = SSL_AD_INTERNAL_ERROR;
1064                                                 return 0;
1065                                                 }
1066                                         if (!sk_OCSP_RESPID_push(
1067                                                         s->tlsext_ocsp_ids, id))
1068                                                 {
1069                                                 OCSP_RESPID_free(id);
1070                                                 *al = SSL_AD_INTERNAL_ERROR;
1071                                                 return 0;
1072                                                 }
1073                                         }
1074
1075                                 /* Read in request_extensions */
1076                                 if (size < 2)
1077                                         {
1078                                         *al = SSL_AD_DECODE_ERROR;
1079                                         return 0;
1080                                         }
1081                                 n2s(data,dsize);
1082                                 size -= 2;
1083                                 if (dsize != size)
1084                                         {
1085                                         *al = SSL_AD_DECODE_ERROR;
1086                                         return 0;
1087                                         }
1088                                 sdata = data;
1089                                 if (dsize > 0)
1090                                         {
1091                                         s->tlsext_ocsp_exts =
1092                                                 d2i_X509_EXTENSIONS(NULL,
1093                                                         &sdata, dsize);
1094                                         if (!s->tlsext_ocsp_exts
1095                                                 || (data + dsize != sdata))
1096                                                 {
1097                                                 *al = SSL_AD_DECODE_ERROR;
1098                                                 return 0;
1099                                                 }
1100                                         }
1101                                 }
1102                                 /* We don't know what to do with any other type
1103                                 * so ignore it.
1104                                 */
1105                                 else
1106                                         s->tlsext_status_type = -1;
1107                         }
1108
1109                 /* session ticket processed earlier */
1110                 data+=size;
1111                 }
1112                                 
1113         *p = data;
1114
1115         ri_check:
1116
1117         /* Need RI if renegotiating */
1118
1119         if (!renegotiate_seen && s->renegotiate &&
1120                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1121                 {
1122                 *al = SSL_AD_HANDSHAKE_FAILURE;
1123                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1124                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1125                 return 0;
1126                 }
1127
1128         return 1;
1129         }
1130
1131 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1132         {
1133         unsigned short length;
1134         unsigned short type;
1135         unsigned short size;
1136         unsigned char *data = *p;
1137         int tlsext_servername = 0;
1138         int renegotiate_seen = 0;
1139
1140         if (data >= (d+n-2))
1141                 goto ri_check;
1142
1143         n2s(data,length);
1144         if (data+length != d+n)
1145                 {
1146                 *al = SSL_AD_DECODE_ERROR;
1147                 return 0;
1148                 }
1149
1150         while(data <= (d+n-4))
1151                 {
1152                 n2s(data,type);
1153                 n2s(data,size);
1154
1155                 if (data+size > (d+n))
1156                         goto ri_check;
1157
1158                 if (s->tlsext_debug_cb)
1159                         s->tlsext_debug_cb(s, 1, type, data, size,
1160                                                 s->tlsext_debug_arg);
1161
1162                 if (type == TLSEXT_TYPE_server_name)
1163                         {
1164                         if (s->tlsext_hostname == NULL || size > 0)
1165                                 {
1166                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1167                                 return 0;
1168                                 }
1169                         tlsext_servername = 1;   
1170                         }
1171
1172 #ifndef OPENSSL_NO_EC
1173                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1174                      s->version != DTLS1_VERSION)
1175                         {
1176                         unsigned char *sdata = data;
1177                         int ecpointformatlist_length = *(sdata++);
1178
1179                         if (ecpointformatlist_length != size - 1)
1180                                 {
1181                                 *al = TLS1_AD_DECODE_ERROR;
1182                                 return 0;
1183                                 }
1184                         s->session->tlsext_ecpointformatlist_length = 0;
1185                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1186                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1187                                 {
1188                                 *al = TLS1_AD_INTERNAL_ERROR;
1189                                 return 0;
1190                                 }
1191                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1192                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1193 #if 0
1194                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1195                         sdata = s->session->tlsext_ecpointformatlist;
1196                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1197                                 fprintf(stderr,"%i ",*(sdata++));
1198                         fprintf(stderr,"\n");
1199 #endif
1200                         }
1201 #endif /* OPENSSL_NO_EC */
1202
1203                 else if (type == TLSEXT_TYPE_session_ticket)
1204                         {
1205                         if (s->tls_session_ticket_ext_cb &&
1206                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1207                                 {
1208                                 *al = TLS1_AD_INTERNAL_ERROR;
1209                                 return 0;
1210                                 }
1211                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1212                                 || (size > 0))
1213                                 {
1214                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1215                                 return 0;
1216                                 }
1217                         s->tlsext_ticket_expected = 1;
1218                         }
1219 #ifdef TLSEXT_TYPE_opaque_prf_input
1220                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1221                      s->version != DTLS1_VERSION)
1222                         {
1223                         unsigned char *sdata = data;
1224
1225                         if (size < 2)
1226                                 {
1227                                 *al = SSL_AD_DECODE_ERROR;
1228                                 return 0;
1229                                 }
1230                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1231                         if (s->s3->server_opaque_prf_input_len != size - 2)
1232                                 {
1233                                 *al = SSL_AD_DECODE_ERROR;
1234                                 return 0;
1235                                 }
1236                         
1237                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1238                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1239                         if (s->s3->server_opaque_prf_input_len == 0)
1240                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1241                         else
1242                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1243
1244                         if (s->s3->server_opaque_prf_input == NULL)
1245                                 {
1246                                 *al = TLS1_AD_INTERNAL_ERROR;
1247                                 return 0;
1248                                 }
1249                         }
1250 #endif
1251                 else if (type == TLSEXT_TYPE_status_request &&
1252                          s->version != DTLS1_VERSION)
1253                         {
1254                         /* MUST be empty and only sent if we've requested
1255                          * a status request message.
1256                          */ 
1257                         if ((s->tlsext_status_type == -1) || (size > 0))
1258                                 {
1259                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1260                                 return 0;
1261                                 }
1262                         /* Set flag to expect CertificateStatus message */
1263                         s->tlsext_status_expected = 1;
1264                         }
1265                 else if (type == TLSEXT_TYPE_renegotiate)
1266                         {
1267                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1268                                 return 0;
1269                         renegotiate_seen = 1;
1270                         }
1271                 data+=size;             
1272                 }
1273
1274         if (data != d+n)
1275                 {
1276                 *al = SSL_AD_DECODE_ERROR;
1277                 return 0;
1278                 }
1279
1280         if (!s->hit && tlsext_servername == 1)
1281                 {
1282                 if (s->tlsext_hostname)
1283                         {
1284                         if (s->session->tlsext_hostname == NULL)
1285                                 {
1286                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1287                                 if (!s->session->tlsext_hostname)
1288                                         {
1289                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1290                                         return 0;
1291                                         }
1292                                 }
1293                         else 
1294                                 {
1295                                 *al = SSL_AD_DECODE_ERROR;
1296                                 return 0;
1297                                 }
1298                         }
1299                 }
1300
1301         *p = data;
1302
1303         ri_check:
1304
1305         /* Determine if we need to see RI. Strictly speaking if we want to
1306          * avoid an attack we should *always* see RI even on initial server
1307          * hello because the client doesn't see any renegotiation during an
1308          * attack. However this would mean we could not connect to any server
1309          * which doesn't support RI so for the immediate future tolerate RI
1310          * absence on initial connect only.
1311          */
1312         if (!renegotiate_seen
1313                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1314                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1315                 {
1316                 *al = SSL_AD_HANDSHAKE_FAILURE;
1317                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1318                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1319                 return 0;
1320                 }
1321
1322         return 1;
1323         }
1324
1325
1326 int ssl_prepare_clienthello_tlsext(SSL *s)
1327         {
1328 #ifndef OPENSSL_NO_EC
1329         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1330          * and elliptic curves we support.
1331          */
1332         int using_ecc = 0;
1333         int i;
1334         unsigned char *j;
1335         unsigned long alg_k, alg_a;
1336         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1337
1338         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1339                 {
1340                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1341
1342                 alg_k = c->algorithm_mkey;
1343                 alg_a = c->algorithm_auth;
1344                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1345                         {
1346                         using_ecc = 1;
1347                         break;
1348                         }
1349                 }
1350         using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1351         if (using_ecc)
1352                 {
1353                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1354                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1355                         {
1356                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1357                         return -1;
1358                         }
1359                 s->tlsext_ecpointformatlist_length = 3;
1360                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1361                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1362                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1363
1364                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1365                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1366                 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1367                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1368                         {
1369                         s->tlsext_ellipticcurvelist_length = 0;
1370                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1371                         return -1;
1372                         }
1373                 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1374                                 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1375                         s2n(i,j);
1376                 }
1377 #endif /* OPENSSL_NO_EC */
1378
1379 #ifdef TLSEXT_TYPE_opaque_prf_input
1380         {
1381                 int r = 1;
1382         
1383                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1384                         {
1385                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1386                         if (!r)
1387                                 return -1;
1388                         }
1389
1390                 if (s->tlsext_opaque_prf_input != NULL)
1391                         {
1392                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1393                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1394
1395                         if (s->tlsext_opaque_prf_input_len == 0)
1396                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1397                         else
1398                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1399                         if (s->s3->client_opaque_prf_input == NULL)
1400                                 {
1401                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1402                                 return -1;
1403                                 }
1404                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1405                         }
1406
1407                 if (r == 2)
1408                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1409                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1410         }
1411 #endif
1412
1413         return 1;
1414         }
1415
1416 int ssl_prepare_serverhello_tlsext(SSL *s)
1417         {
1418 #ifndef OPENSSL_NO_EC
1419         /* If we are server and using an ECC cipher suite, send the point formats we support 
1420          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1421          * supposed to send an EllipticCurves extension.
1422          */
1423
1424         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1425         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1426         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1427         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1428         
1429         if (using_ecc)
1430                 {
1431                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1432                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1433                         {
1434                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1435                         return -1;
1436                         }
1437                 s->tlsext_ecpointformatlist_length = 3;
1438                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1439                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1440                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1441                 }
1442 #endif /* OPENSSL_NO_EC */
1443
1444         return 1;
1445         }
1446
1447 int ssl_check_clienthello_tlsext(SSL *s)
1448         {
1449         int ret=SSL_TLSEXT_ERR_NOACK;
1450         int al = SSL_AD_UNRECOGNIZED_NAME;
1451
1452 #ifndef OPENSSL_NO_EC
1453         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1454          * ssl3_choose_cipher in s3_lib.c.
1455          */
1456         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1457          * ssl3_choose_cipher in s3_lib.c.
1458          */
1459 #endif
1460
1461         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1462                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1463         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1464                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1465
1466         /* If status request then ask callback what to do.
1467          * Note: this must be called after servername callbacks in case 
1468          * the certificate has changed.
1469          */
1470         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1471                 {
1472                 int r;
1473                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1474                 switch (r)
1475                         {
1476                         /* We don't want to send a status request response */
1477                         case SSL_TLSEXT_ERR_NOACK:
1478                                 s->tlsext_status_expected = 0;
1479                                 break;
1480                         /* status request response should be sent */
1481                         case SSL_TLSEXT_ERR_OK:
1482                                 if (s->tlsext_ocsp_resp)
1483                                         s->tlsext_status_expected = 1;
1484                                 else
1485                                         s->tlsext_status_expected = 0;
1486                                 break;
1487                         /* something bad happened */
1488                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1489                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1490                                 al = SSL_AD_INTERNAL_ERROR;
1491                                 goto err;
1492                         }
1493                 }
1494         else
1495                 s->tlsext_status_expected = 0;
1496
1497 #ifdef TLSEXT_TYPE_opaque_prf_input
1498         {
1499                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1500                  * but we might be sending an alert in response to the client hello,
1501                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1502
1503                 int r = 1;
1504         
1505                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1506                         {
1507                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1508                         if (!r)
1509                                 {
1510                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1511                                 al = SSL_AD_INTERNAL_ERROR;
1512                                 goto err;
1513                                 }
1514                         }
1515
1516                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1517                         OPENSSL_free(s->s3->server_opaque_prf_input);
1518                 s->s3->server_opaque_prf_input = NULL;
1519
1520                 if (s->tlsext_opaque_prf_input != NULL)
1521                         {
1522                         if (s->s3->client_opaque_prf_input != NULL &&
1523                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1524                                 {
1525                                 /* can only use this extension if we have a server opaque PRF input
1526                                  * of the same length as the client opaque PRF input! */
1527
1528                                 if (s->tlsext_opaque_prf_input_len == 0)
1529                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1530                                 else
1531                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1532                                 if (s->s3->server_opaque_prf_input == NULL)
1533                                         {
1534                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1535                                         al = SSL_AD_INTERNAL_ERROR;
1536                                         goto err;
1537                                         }
1538                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1539                                 }
1540                         }
1541
1542                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1543                         {
1544                         /* The callback wants to enforce use of the extension,
1545                          * but we can't do that with the client opaque PRF input;
1546                          * abort the handshake.
1547                          */
1548                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1549                         al = SSL_AD_HANDSHAKE_FAILURE;
1550                         }
1551         }
1552
1553 #endif
1554  err:
1555         switch (ret)
1556                 {
1557                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1558                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1559                         return -1;
1560
1561                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1562                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1563                         return 1; 
1564                                         
1565                 case SSL_TLSEXT_ERR_NOACK:
1566                         s->servername_done=0;
1567                         default:
1568                 return 1;
1569                 }
1570         }
1571
1572 int ssl_check_serverhello_tlsext(SSL *s)
1573         {
1574         int ret=SSL_TLSEXT_ERR_NOACK;
1575         int al = SSL_AD_UNRECOGNIZED_NAME;
1576
1577 #ifndef OPENSSL_NO_EC
1578         /* If we are client and using an elliptic curve cryptography cipher
1579          * suite, then if server returns an EC point formats lists extension
1580          * it must contain uncompressed.
1581          */
1582         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1583         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1584         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1585             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
1586             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1587                 {
1588                 /* we are using an ECC cipher */
1589                 size_t i;
1590                 unsigned char *list;
1591                 int found_uncompressed = 0;
1592                 list = s->session->tlsext_ecpointformatlist;
1593                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1594                         {
1595                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1596                                 {
1597                                 found_uncompressed = 1;
1598                                 break;
1599                                 }
1600                         }
1601                 if (!found_uncompressed)
1602                         {
1603                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1604                         return -1;
1605                         }
1606                 }
1607         ret = SSL_TLSEXT_ERR_OK;
1608 #endif /* OPENSSL_NO_EC */
1609
1610         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1611                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1612         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1613                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1614
1615 #ifdef TLSEXT_TYPE_opaque_prf_input
1616         if (s->s3->server_opaque_prf_input_len > 0)
1617                 {
1618                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1619                  * So first verify that we really have a value from the server too. */
1620
1621                 if (s->s3->server_opaque_prf_input == NULL)
1622                         {
1623                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1624                         al = SSL_AD_HANDSHAKE_FAILURE;
1625                         }
1626                 
1627                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1628                  * that we have a client opaque PRF input of the same size. */
1629                 if (s->s3->client_opaque_prf_input == NULL ||
1630                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1631                         {
1632                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1633                         al = SSL_AD_ILLEGAL_PARAMETER;
1634                         }
1635                 }
1636 #endif
1637
1638         /* If we've requested certificate status and we wont get one
1639          * tell the callback
1640          */
1641         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1642                         && s->ctx && s->ctx->tlsext_status_cb)
1643                 {
1644                 int r;
1645                 /* Set resp to NULL, resplen to -1 so callback knows
1646                  * there is no response.
1647                  */
1648                 if (s->tlsext_ocsp_resp)
1649                         {
1650                         OPENSSL_free(s->tlsext_ocsp_resp);
1651                         s->tlsext_ocsp_resp = NULL;
1652                         }
1653                 s->tlsext_ocsp_resplen = -1;
1654                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1655                 if (r == 0)
1656                         {
1657                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1658                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1659                         }
1660                 if (r < 0)
1661                         {
1662                         al = SSL_AD_INTERNAL_ERROR;
1663                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1664                         }
1665                 }
1666
1667         switch (ret)
1668                 {
1669                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1670                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1671                         return -1;
1672
1673                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1674                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1675                         return 1; 
1676                                         
1677                 case SSL_TLSEXT_ERR_NOACK:
1678                         s->servername_done=0;
1679                         default:
1680                 return 1;
1681                 }
1682         }
1683
1684 /* Since the server cache lookup is done early on in the processing of client
1685  * hello and other operations depend on the result we need to handle any TLS
1686  * session ticket extension at the same time.
1687  */
1688
1689 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1690                                 const unsigned char *limit, SSL_SESSION **ret)
1691         {
1692         /* Point after session ID in client hello */
1693         const unsigned char *p = session_id + len;
1694         unsigned short i;
1695
1696         /* If tickets disabled behave as if no ticket present
1697          * to permit stateful resumption.
1698          */
1699         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1700                 return 1;
1701
1702         if ((s->version <= SSL3_VERSION) || !limit)
1703                 return 1;
1704         if (p >= limit)
1705                 return -1;
1706         /* Skip past DTLS cookie */
1707         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1708                 {
1709                 i = *(p++);
1710                 p+= i;
1711                 if (p >= limit)
1712                         return -1;
1713                 }
1714         /* Skip past cipher list */
1715         n2s(p, i);
1716         p+= i;
1717         if (p >= limit)
1718                 return -1;
1719         /* Skip past compression algorithm list */
1720         i = *(p++);
1721         p += i;
1722         if (p > limit)
1723                 return -1;
1724         /* Now at start of extensions */
1725         if ((p + 2) >= limit)
1726                 return 1;
1727         n2s(p, i);
1728         while ((p + 4) <= limit)
1729                 {
1730                 unsigned short type, size;
1731                 n2s(p, type);
1732                 n2s(p, size);
1733                 if (p + size > limit)
1734                         return 1;
1735                 if (type == TLSEXT_TYPE_session_ticket)
1736                         {
1737                         /* If tickets disabled indicate cache miss which will
1738                          * trigger a full handshake
1739                          */
1740                         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1741                                 return 1;
1742                         /* If zero length note client will accept a ticket
1743                          * and indicate cache miss to trigger full handshake
1744                          */
1745                         if (size == 0)
1746                                 {
1747                                 s->tlsext_ticket_expected = 1;
1748                                 return 0;       /* Cache miss */
1749                                 }
1750                         if (s->tls_session_secret_cb)
1751                                 {
1752                                 /* Indicate cache miss here and instead of
1753                                  * generating the session from ticket now,
1754                                  * trigger abbreviated handshake based on
1755                                  * external mechanism to calculate the master
1756                                  * secret later. */
1757                                 return 0;
1758                                 }
1759                         return tls_decrypt_ticket(s, p, size, session_id, len,
1760                                                                         ret);
1761                         }
1762                 p += size;
1763                 }
1764         return 1;
1765         }
1766
1767 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1768                                 const unsigned char *sess_id, int sesslen,
1769                                 SSL_SESSION **psess)
1770         {
1771         SSL_SESSION *sess;
1772         unsigned char *sdec;
1773         const unsigned char *p;
1774         int slen, mlen, renew_ticket = 0;
1775         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1776         HMAC_CTX hctx;
1777         EVP_CIPHER_CTX ctx;
1778         SSL_CTX *tctx = s->initial_ctx;
1779         /* Need at least keyname + iv + some encrypted data */
1780         if (eticklen < 48)
1781                 goto tickerr;
1782         /* Initialize session ticket encryption and HMAC contexts */
1783         HMAC_CTX_init(&hctx);
1784         EVP_CIPHER_CTX_init(&ctx);
1785         if (tctx->tlsext_ticket_key_cb)
1786                 {
1787                 unsigned char *nctick = (unsigned char *)etick;
1788                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1789                                                         &ctx, &hctx, 0);
1790                 if (rv < 0)
1791                         return -1;
1792                 if (rv == 0)
1793                         goto tickerr;
1794                 if (rv == 2)
1795                         renew_ticket = 1;
1796                 }
1797         else
1798                 {
1799                 /* Check key name matches */
1800                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
1801                         goto tickerr;
1802                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
1803                                         tlsext_tick_md(), NULL);
1804                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1805                                 tctx->tlsext_tick_aes_key, etick + 16);
1806                 }
1807         /* Attempt to process session ticket, first conduct sanity and
1808          * integrity checks on ticket.
1809          */
1810         mlen = HMAC_size(&hctx);
1811         if (mlen < 0)
1812                 {
1813                 EVP_CIPHER_CTX_cleanup(&ctx);
1814                 return -1;
1815                 }
1816         eticklen -= mlen;
1817         /* Check HMAC of encrypted ticket */
1818         HMAC_Update(&hctx, etick, eticklen);
1819         HMAC_Final(&hctx, tick_hmac, NULL);
1820         HMAC_CTX_cleanup(&hctx);
1821         if (memcmp(tick_hmac, etick + eticklen, mlen))
1822                 goto tickerr;
1823         /* Attempt to decrypt session data */
1824         /* Move p after IV to start of encrypted ticket, update length */
1825         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1826         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1827         sdec = OPENSSL_malloc(eticklen);
1828         if (!sdec)
1829                 {
1830                 EVP_CIPHER_CTX_cleanup(&ctx);
1831                 return -1;
1832                 }
1833         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1834         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1835                 goto tickerr;
1836         slen += mlen;
1837         EVP_CIPHER_CTX_cleanup(&ctx);
1838         p = sdec;
1839                 
1840         sess = d2i_SSL_SESSION(NULL, &p, slen);
1841         OPENSSL_free(sdec);
1842         if (sess)
1843                 {
1844                 /* The session ID if non-empty is used by some clients to
1845                  * detect that the ticket has been accepted. So we copy it to
1846                  * the session structure. If it is empty set length to zero
1847                  * as required by standard.
1848                  */
1849                 if (sesslen)
1850                         memcpy(sess->session_id, sess_id, sesslen);
1851                 sess->session_id_length = sesslen;
1852                 *psess = sess;
1853                 s->tlsext_ticket_expected = renew_ticket;
1854                 return 1;
1855                 }
1856         /* If session decrypt failure indicate a cache miss and set state to
1857          * send a new ticket
1858          */
1859         tickerr:        
1860         s->tlsext_ticket_expected = 1;
1861         return 0;
1862         }
1863
1864 /* Tables to translate from NIDs to TLS v1.2 ids */
1865
1866 typedef struct 
1867         {
1868         int nid;
1869         int id;
1870         } tls12_lookup;
1871
1872 static tls12_lookup tls12_md[] = {
1873 #ifndef OPENSSL_NO_MD5
1874         {NID_md5, TLSEXT_hash_md5},
1875 #endif
1876 #ifndef OPENSSL_NO_SHA
1877         {NID_sha1, TLSEXT_hash_sha1},
1878 #endif
1879 #ifndef OPENSSL_NO_SHA256
1880         {NID_sha224, TLSEXT_hash_sha224},
1881         {NID_sha256, TLSEXT_hash_sha256},
1882 #endif
1883 #ifndef OPENSSL_NO_SHA512
1884         {NID_sha384, TLSEXT_hash_sha384},
1885         {NID_sha512, TLSEXT_hash_sha512}
1886 #endif
1887 };
1888
1889 static tls12_lookup tls12_sig[] = {
1890 #ifndef OPENSSL_NO_RSA
1891         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
1892 #endif
1893 #ifndef OPENSSL_NO_RSA
1894         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
1895 #endif
1896 #ifndef OPENSSL_NO_ECDSA
1897         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
1898 #endif
1899 };
1900
1901 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
1902         {
1903         size_t i;
1904         for (i = 0; i < tlen; i++)
1905                 {
1906                 if (table[i].nid == nid)
1907                         return table[i].id;
1908                 }
1909         return -1;
1910         }
1911 #if 0
1912 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
1913         {
1914         size_t i;
1915         for (i = 0; i < tlen; i++)
1916                 {
1917                 if (table[i].id == id)
1918                         return table[i].nid;
1919                 }
1920         return -1;
1921         }
1922 #endif
1923
1924 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
1925         {
1926         int sig_id, md_id;
1927         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
1928                                 sizeof(tls12_md)/sizeof(tls12_lookup));
1929         if (md_id == -1)
1930                 return 0;
1931         sig_id = tls12_get_sigid(pk);
1932         if (sig_id == -1)
1933                 return 0;
1934         p[0] = (unsigned char)md_id;
1935         p[1] = (unsigned char)sig_id;
1936         return 1;
1937         }
1938
1939 int tls12_get_sigid(const EVP_PKEY *pk)
1940         {
1941         return tls12_find_id(pk->type, tls12_sig,
1942                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
1943         }
1944
1945 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
1946         {
1947         switch(hash_alg)
1948                 {
1949 #ifndef OPENSSL_NO_MD5
1950                 case TLSEXT_hash_md5:
1951                 return EVP_md5();
1952 #endif
1953 #ifndef OPENSSL_NO_SHA
1954                 case TLSEXT_hash_sha1:
1955                 return EVP_sha1();
1956 #endif
1957 #ifndef OPENSSL_NO_SHA256
1958                 case TLSEXT_hash_sha224:
1959                 return EVP_sha224();
1960
1961                 case TLSEXT_hash_sha256:
1962                 return EVP_sha256();
1963 #endif
1964 #ifndef OPENSSL_NO_SHA512
1965                 case TLSEXT_hash_sha384:
1966                 return EVP_sha384();
1967
1968                 case TLSEXT_hash_sha512:
1969                 return EVP_sha512();
1970 #endif
1971                 default:
1972                 return NULL;
1973
1974                 }
1975         }
1976
1977 /* Set preferred digest for each key type */
1978
1979 static int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
1980         {
1981         int i, idx;
1982         const EVP_MD *md;
1983         CERT *c = s->cert;
1984         /* Extension ignored for TLS versions below 1.2 */
1985         if (s->version < TLS1_2_VERSION)
1986                 return 1;
1987
1988         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
1989         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
1990         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
1991         c->pkeys[SSL_PKEY_ECC].digest = NULL;
1992
1993         for (i = 0; i < dsize; i += 2)
1994                 {
1995                 unsigned char hash_alg = data[i], sig_alg = data[i+1];
1996
1997                 switch(sig_alg)
1998                         {
1999 #ifndef OPENSSL_NO_RSA
2000                         case TLSEXT_signature_rsa:
2001                         idx = SSL_PKEY_RSA_SIGN;
2002                         break;
2003 #endif
2004 #ifndef OPENSSL_NO_DSA
2005                         case TLSEXT_signature_dsa:
2006                         idx = SSL_PKEY_DSA_SIGN;
2007                         break;
2008 #endif
2009 #ifndef OPENSSL_NO_ECDSA
2010                         case TLSEXT_signature_ecdsa:
2011                         idx = SSL_PKEY_ECC;
2012                         break;
2013 #endif
2014                         default:
2015                         continue;
2016                         }
2017
2018                 if (c->pkeys[idx].digest == NULL)
2019                         {
2020                         md = tls12_get_hash(hash_alg);
2021                         if (md)
2022                                 {
2023                                 c->pkeys[idx].digest = md;
2024                                 if (idx == SSL_PKEY_RSA_SIGN)
2025                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2026                                 }
2027                         }
2028
2029                 }
2030
2031         /* Set any remaining keys to default values. NOTE: if alg is not
2032          * supported it stays as NULL.
2033          */
2034 #ifndef OPENSSL_NO_DSA
2035         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2036                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2037 #endif
2038 #ifndef OPENSSL_NO_RSA
2039         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2040                 {
2041                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2042                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2043                 }
2044 #endif
2045 #ifndef OPENSSL_NO_ECDSA
2046         if (!c->pkeys[SSL_PKEY_ECC].digest)
2047                 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2048 #endif
2049         return 1;
2050         }
2051
2052 #endif