Updated comment references to draft-ietf-tls-ecc-12 to refer to RFC4492 instead
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #ifndef OPENSSL_NO_DH
119 #include <openssl/dh.h>
120 #include <openssl/bn.h>
121 #endif
122 #include "ssl_locl.h"
123
124 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
125
126 #ifndef OPENSSL_NO_TLSEXT
127 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
128                                 const unsigned char *sess_id, int sesslen,
129                                 SSL_SESSION **psess);
130 static int ssl_check_clienthello_tlsext_early(SSL *s);
131 int ssl_check_serverhello_tlsext(SSL *s);
132 #endif
133
134 SSL3_ENC_METHOD const TLSv1_enc_data={
135         tls1_enc,
136         tls1_mac,
137         tls1_setup_key_block,
138         tls1_generate_master_secret,
139         tls1_change_cipher_state,
140         tls1_final_finish_mac,
141         TLS1_FINISH_MAC_LENGTH,
142         tls1_cert_verify_mac,
143         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
144         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
145         tls1_alert_code,
146         tls1_export_keying_material,
147         0,
148         SSL3_HM_HEADER_LENGTH,
149         ssl3_set_handshake_header,
150         ssl3_handshake_write
151         };
152
153 SSL3_ENC_METHOD const TLSv1_1_enc_data={
154         tls1_enc,
155         tls1_mac,
156         tls1_setup_key_block,
157         tls1_generate_master_secret,
158         tls1_change_cipher_state,
159         tls1_final_finish_mac,
160         TLS1_FINISH_MAC_LENGTH,
161         tls1_cert_verify_mac,
162         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
163         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
164         tls1_alert_code,
165         tls1_export_keying_material,
166         SSL_ENC_FLAG_EXPLICIT_IV,
167         SSL3_HM_HEADER_LENGTH,
168         ssl3_set_handshake_header,
169         ssl3_handshake_write
170         };
171
172 SSL3_ENC_METHOD const TLSv1_2_enc_data={
173         tls1_enc,
174         tls1_mac,
175         tls1_setup_key_block,
176         tls1_generate_master_secret,
177         tls1_change_cipher_state,
178         tls1_final_finish_mac,
179         TLS1_FINISH_MAC_LENGTH,
180         tls1_cert_verify_mac,
181         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
182         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
183         tls1_alert_code,
184         tls1_export_keying_material,
185         SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
186                 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
187         SSL3_HM_HEADER_LENGTH,
188         ssl3_set_handshake_header,
189         ssl3_handshake_write
190         };
191
192 long tls1_default_timeout(void)
193         {
194         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
195          * is way too long for http, the cache would over fill */
196         return(60*60*2);
197         }
198
199 int tls1_new(SSL *s)
200         {
201         if (!ssl3_new(s)) return(0);
202         s->method->ssl_clear(s);
203         return(1);
204         }
205
206 void tls1_free(SSL *s)
207         {
208 #ifndef OPENSSL_NO_TLSEXT
209         if (s->tlsext_session_ticket)
210                 {
211                 OPENSSL_free(s->tlsext_session_ticket);
212                 }
213 #endif /* OPENSSL_NO_TLSEXT */
214         ssl3_free(s);
215         }
216
217 void tls1_clear(SSL *s)
218         {
219         ssl3_clear(s);
220         s->version = s->method->version;
221         }
222
223 #ifndef OPENSSL_NO_EC
224
225 typedef struct
226         {
227         int nid;                /* Curve NID */
228         int secbits;            /* Bits of security (from SP800-57) */
229         unsigned int flags;     /* Flags: currently just field type */
230         } tls_curve_info;
231
232 #define TLS_CURVE_CHAR2         0x1
233 #define TLS_CURVE_PRIME         0x0
234
235 static const tls_curve_info nid_list[] =
236         {
237                 {NID_sect163k1, 80, TLS_CURVE_CHAR2},/* sect163k1 (1) */
238                 {NID_sect163r1, 80, TLS_CURVE_CHAR2},/* sect163r1 (2) */
239                 {NID_sect163r2, 80, TLS_CURVE_CHAR2},/* sect163r2 (3) */
240                 {NID_sect193r1, 80, TLS_CURVE_CHAR2},/* sect193r1 (4) */ 
241                 {NID_sect193r2, 80, TLS_CURVE_CHAR2},/* sect193r2 (5) */ 
242                 {NID_sect233k1, 112, TLS_CURVE_CHAR2},/* sect233k1 (6) */
243                 {NID_sect233r1, 112, TLS_CURVE_CHAR2},/* sect233r1 (7) */ 
244                 {NID_sect239k1, 112, TLS_CURVE_CHAR2},/* sect239k1 (8) */ 
245                 {NID_sect283k1, 128, TLS_CURVE_CHAR2},/* sect283k1 (9) */
246                 {NID_sect283r1, 128, TLS_CURVE_CHAR2},/* sect283r1 (10) */ 
247                 {NID_sect409k1, 192, TLS_CURVE_CHAR2},/* sect409k1 (11) */ 
248                 {NID_sect409r1, 192, TLS_CURVE_CHAR2},/* sect409r1 (12) */
249                 {NID_sect571k1, 256, TLS_CURVE_CHAR2},/* sect571k1 (13) */ 
250                 {NID_sect571r1, 256, TLS_CURVE_CHAR2},/* sect571r1 (14) */ 
251                 {NID_secp160k1, 80, TLS_CURVE_PRIME},/* secp160k1 (15) */
252                 {NID_secp160r1, 80, TLS_CURVE_PRIME},/* secp160r1 (16) */ 
253                 {NID_secp160r2, 80, TLS_CURVE_PRIME},/* secp160r2 (17) */ 
254                 {NID_secp192k1, 80, TLS_CURVE_PRIME},/* secp192k1 (18) */
255                 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME},/* secp192r1 (19) */ 
256                 {NID_secp224k1, 112, TLS_CURVE_PRIME},/* secp224k1 (20) */ 
257                 {NID_secp224r1, 112, TLS_CURVE_PRIME},/* secp224r1 (21) */
258                 {NID_secp256k1, 128, TLS_CURVE_PRIME},/* secp256k1 (22) */ 
259                 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME},/* secp256r1 (23) */ 
260                 {NID_secp384r1, 192, TLS_CURVE_PRIME},/* secp384r1 (24) */
261                 {NID_secp521r1, 256, TLS_CURVE_PRIME},/* secp521r1 (25) */      
262                 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ 
263                 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ 
264                 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME},/* brainpool512r1 (28) */   
265         };
266
267
268 static const unsigned char ecformats_default[] = 
269         {
270         TLSEXT_ECPOINTFORMAT_uncompressed,
271         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
272         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
273         };
274
275 static const unsigned char eccurves_default[] =
276         {
277                 0,14, /* sect571r1 (14) */ 
278                 0,13, /* sect571k1 (13) */ 
279                 0,25, /* secp521r1 (25) */      
280                 0,28, /* brainpool512r1 (28) */ 
281                 0,11, /* sect409k1 (11) */ 
282                 0,12, /* sect409r1 (12) */
283                 0,27, /* brainpoolP384r1 (27) */        
284                 0,24, /* secp384r1 (24) */
285                 0,9,  /* sect283k1 (9) */
286                 0,10, /* sect283r1 (10) */ 
287                 0,26, /* brainpoolP256r1 (26) */        
288                 0,22, /* secp256k1 (22) */ 
289                 0,23, /* secp256r1 (23) */ 
290                 0,8,  /* sect239k1 (8) */ 
291                 0,6,  /* sect233k1 (6) */
292                 0,7,  /* sect233r1 (7) */ 
293                 0,20, /* secp224k1 (20) */ 
294                 0,21, /* secp224r1 (21) */
295                 0,4,  /* sect193r1 (4) */ 
296                 0,5,  /* sect193r2 (5) */ 
297                 0,18, /* secp192k1 (18) */
298                 0,19, /* secp192r1 (19) */ 
299                 0,1,  /* sect163k1 (1) */
300                 0,2,  /* sect163r1 (2) */
301                 0,3,  /* sect163r2 (3) */
302                 0,15, /* secp160k1 (15) */
303                 0,16, /* secp160r1 (16) */ 
304                 0,17, /* secp160r2 (17) */ 
305         };
306
307 static const unsigned char suiteb_curves[] =
308         {
309                 0, TLSEXT_curve_P_256,
310                 0, TLSEXT_curve_P_384
311         };
312
313 int tls1_ec_curve_id2nid(int curve_id)
314         {
315         /* ECC curves from RFC 4492 */
316         if ((curve_id < 1) || ((unsigned int)curve_id >
317                                 sizeof(nid_list)/sizeof(nid_list[0])))
318                 return 0;
319         return nid_list[curve_id-1].nid;
320         }
321
322 int tls1_ec_nid2curve_id(int nid)
323         {
324         /* ECC curves from RFC 4492 */
325         switch (nid)
326                 {
327         case NID_sect163k1: /* sect163k1 (1) */
328                 return 1;
329         case NID_sect163r1: /* sect163r1 (2) */
330                 return 2;
331         case NID_sect163r2: /* sect163r2 (3) */
332                 return 3;
333         case NID_sect193r1: /* sect193r1 (4) */ 
334                 return 4;
335         case NID_sect193r2: /* sect193r2 (5) */ 
336                 return 5;
337         case NID_sect233k1: /* sect233k1 (6) */
338                 return 6;
339         case NID_sect233r1: /* sect233r1 (7) */ 
340                 return 7;
341         case NID_sect239k1: /* sect239k1 (8) */ 
342                 return 8;
343         case NID_sect283k1: /* sect283k1 (9) */
344                 return 9;
345         case NID_sect283r1: /* sect283r1 (10) */ 
346                 return 10;
347         case NID_sect409k1: /* sect409k1 (11) */ 
348                 return 11;
349         case NID_sect409r1: /* sect409r1 (12) */
350                 return 12;
351         case NID_sect571k1: /* sect571k1 (13) */ 
352                 return 13;
353         case NID_sect571r1: /* sect571r1 (14) */ 
354                 return 14;
355         case NID_secp160k1: /* secp160k1 (15) */
356                 return 15;
357         case NID_secp160r1: /* secp160r1 (16) */ 
358                 return 16;
359         case NID_secp160r2: /* secp160r2 (17) */ 
360                 return 17;
361         case NID_secp192k1: /* secp192k1 (18) */
362                 return 18;
363         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
364                 return 19;
365         case NID_secp224k1: /* secp224k1 (20) */ 
366                 return 20;
367         case NID_secp224r1: /* secp224r1 (21) */
368                 return 21;
369         case NID_secp256k1: /* secp256k1 (22) */ 
370                 return 22;
371         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
372                 return 23;
373         case NID_secp384r1: /* secp384r1 (24) */
374                 return 24;
375         case NID_secp521r1:  /* secp521r1 (25) */       
376                 return 25;
377         case NID_brainpoolP256r1:  /* brainpoolP256r1 (26) */
378                 return 26;
379         case NID_brainpoolP384r1:  /* brainpoolP384r1 (27) */
380                 return 27;
381         case NID_brainpoolP512r1:  /* brainpool512r1 (28) */
382                 return 28;
383         default:
384                 return 0;
385                 }
386         }
387 /* Get curves list, if "sess" is set return client curves otherwise
388  * preferred list
389  */
390 static void tls1_get_curvelist(SSL *s, int sess,
391                                         const unsigned char **pcurves,
392                                         size_t *pcurveslen)
393         {
394         if (sess)
395                 {
396                 *pcurves = s->session->tlsext_ellipticcurvelist;
397                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
398                 return;
399                 }
400         /* For Suite B mode only include P-256, P-384 */
401         switch (tls1_suiteb(s))
402                 {
403         case SSL_CERT_FLAG_SUITEB_128_LOS:
404                 *pcurves = suiteb_curves;
405                 *pcurveslen = sizeof(suiteb_curves);
406                 break;
407
408         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
409                 *pcurves = suiteb_curves;
410                 *pcurveslen = 2;
411                 break;
412
413         case SSL_CERT_FLAG_SUITEB_192_LOS:
414                 *pcurves = suiteb_curves + 2;
415                 *pcurveslen = 2;
416                 break;
417         default:
418                 *pcurves = s->tlsext_ellipticcurvelist;
419                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
420                 }
421         if (!*pcurves)
422                 {
423                 *pcurves = eccurves_default;
424                 *pcurveslen = sizeof(eccurves_default);
425                 }
426         }
427
428 /* See if curve is allowed by security callback */
429 static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
430         {
431         const tls_curve_info *cinfo;
432         if (curve[0])
433                 return 1;
434         if ((curve[1] < 1) || ((size_t)curve[1] >
435                                 sizeof(nid_list)/sizeof(nid_list[0])))
436                 return 0;
437         cinfo = &nid_list[curve[1]-1];
438         return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
439         }
440
441 /* Check a curve is one of our preferences */
442 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
443         {
444         const unsigned char *curves;
445         size_t curveslen, i;
446         unsigned int suiteb_flags = tls1_suiteb(s);
447         if (len != 3 || p[0] != NAMED_CURVE_TYPE)
448                 return 0;
449         /* Check curve matches Suite B preferences */
450         if (suiteb_flags)
451                 {
452                 unsigned long cid = s->s3->tmp.new_cipher->id;
453                 if (p[1])
454                         return 0;
455                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
456                         {
457                         if (p[2] != TLSEXT_curve_P_256)
458                                 return 0;
459                         }
460                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
461                         {
462                         if (p[2] != TLSEXT_curve_P_384)
463                                 return 0;
464                         }
465                 else    /* Should never happen */
466                         return 0;
467                 }
468         tls1_get_curvelist(s, 0, &curves, &curveslen);
469         for (i = 0; i < curveslen; i += 2, curves += 2)
470                 {
471                 if (p[1] == curves[0] && p[2] == curves[1])
472                         return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
473                 }
474         return 0;
475         }
476
477 /* Return nth shared curve. If nmatch == -1 return number of
478  * matches. For nmatch == -2 return the NID of the curve to use for
479  * an EC tmp key.
480  */
481
482 int tls1_shared_curve(SSL *s, int nmatch)
483         {
484         const unsigned char *pref, *supp;
485         size_t preflen, supplen, i, j;
486         int k;
487         /* Can't do anything on client side */
488         if (s->server == 0)
489                 return -1;
490         if (nmatch == -2)
491                 {
492                 if (tls1_suiteb(s))
493                         {
494                         /* For Suite B ciphersuite determines curve: we 
495                          * already know these are acceptable due to previous
496                          * checks.
497                          */
498                         unsigned long cid = s->s3->tmp.new_cipher->id;
499                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
500                                 return NID_X9_62_prime256v1; /* P-256 */
501                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
502                                 return NID_secp384r1; /* P-384 */
503                         /* Should never happen */
504                         return NID_undef;
505                         }
506                 /* If not Suite B just return first preference shared curve */
507                 nmatch = 0;
508                 }
509         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
510                                 &supp, &supplen);
511         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
512                                 &pref, &preflen);
513         preflen /= 2;
514         supplen /= 2;
515         k = 0;
516         for (i = 0; i < preflen; i++, pref+=2)
517                 {
518                 const unsigned char *tsupp = supp;
519                 for (j = 0; j < supplen; j++, tsupp+=2)
520                         {
521                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
522                                 {
523                                 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
524                                         continue;
525                                 if (nmatch == k)
526                                         {
527                                         int id = (pref[0] << 8) | pref[1];
528                                         return tls1_ec_curve_id2nid(id);
529                                         }
530                                 k++;
531                                 }
532                         }
533                 }
534         if (nmatch == -1)
535                 return k;
536         return 0;
537         }
538
539 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
540                         int *curves, size_t ncurves)
541         {
542         unsigned char *clist, *p;
543         size_t i;
544         /* Bitmap of curves included to detect duplicates: only works
545          * while curve ids < 32 
546          */
547         unsigned long dup_list = 0;
548         clist = OPENSSL_malloc(ncurves * 2);
549         if (!clist)
550                 return 0;
551         for (i = 0, p = clist; i < ncurves; i++)
552                 {
553                 unsigned long idmask;
554                 int id;
555                 id = tls1_ec_nid2curve_id(curves[i]);
556                 idmask = 1L << id;
557                 if (!id || (dup_list & idmask))
558                         {
559                         OPENSSL_free(clist);
560                         return 0;
561                         }
562                 dup_list |= idmask;
563                 s2n(id, p);
564                 }
565         if (*pext)
566                 OPENSSL_free(*pext);
567         *pext = clist;
568         *pextlen = ncurves * 2;
569         return 1;
570         }
571
572 #define MAX_CURVELIST   28
573
574 typedef struct
575         {
576         size_t nidcnt;
577         int nid_arr[MAX_CURVELIST];
578         } nid_cb_st;
579
580 static int nid_cb(const char *elem, int len, void *arg)
581         {
582         nid_cb_st *narg = arg;
583         size_t i;
584         int nid;
585         char etmp[20];
586         if (narg->nidcnt == MAX_CURVELIST)
587                 return 0;
588         if (len > (int)(sizeof(etmp) - 1))
589                 return 0;
590         memcpy(etmp, elem, len);
591         etmp[len] = 0;
592         nid = EC_curve_nist2nid(etmp);
593         if (nid == NID_undef)
594                 nid = OBJ_sn2nid(etmp);
595         if (nid == NID_undef)
596                 nid = OBJ_ln2nid(etmp);
597         if (nid == NID_undef)
598                 return 0;
599         for (i = 0; i < narg->nidcnt; i++)
600                 if (narg->nid_arr[i] == nid)
601                         return 0;
602         narg->nid_arr[narg->nidcnt++] = nid;
603         return 1;
604         }
605 /* Set curves based on a colon separate list */
606 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
607                                 const char *str)
608         {
609         nid_cb_st ncb;
610         ncb.nidcnt = 0;
611         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
612                 return 0;
613         if (pext == NULL)
614                 return 1;
615         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
616         }
617 /* For an EC key set TLS id and required compression based on parameters */
618 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
619                                 EC_KEY *ec)
620         {
621         int is_prime, id;
622         const EC_GROUP *grp;
623         const EC_METHOD *meth;
624         if (!ec)
625                 return 0;
626         /* Determine if it is a prime field */
627         grp = EC_KEY_get0_group(ec);
628         if (!grp)
629                 return 0;
630         meth = EC_GROUP_method_of(grp);
631         if (!meth)
632                 return 0;
633         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
634                 is_prime = 1;
635         else
636                 is_prime = 0;
637         /* Determine curve ID */
638         id = EC_GROUP_get_curve_name(grp);
639         id = tls1_ec_nid2curve_id(id);
640         /* If we have an ID set it, otherwise set arbitrary explicit curve */
641         if (id)
642                 {
643                 curve_id[0] = 0;
644                 curve_id[1] = (unsigned char)id;
645                 }
646         else
647                 {
648                 curve_id[0] = 0xff;
649                 if (is_prime)
650                         curve_id[1] = 0x01;
651                 else
652                         curve_id[1] = 0x02;
653                 }
654         if (comp_id)
655                 {
656                 if (EC_KEY_get0_public_key(ec) == NULL)
657                         return 0;
658                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
659                         {
660                         if (is_prime)
661                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
662                         else
663                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
664                         }
665                 else
666                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
667                 }
668         return 1;
669         }
670 /* Check an EC key is compatible with extensions */
671 static int tls1_check_ec_key(SSL *s,
672                         unsigned char *curve_id, unsigned char *comp_id)
673         {
674         const unsigned char *p;
675         size_t plen, i;
676         int j;
677         /* If point formats extension present check it, otherwise everything
678          * is supported (see RFC4492).
679          */
680         if (comp_id && s->session->tlsext_ecpointformatlist)
681                 {
682                 p = s->session->tlsext_ecpointformatlist;
683                 plen = s->session->tlsext_ecpointformatlist_length;
684                 for (i = 0; i < plen; i++, p++)
685                         {
686                         if (*comp_id == *p)
687                                 break;
688                         }
689                 if (i == plen)
690                         return 0;
691                 }
692         if (!curve_id)
693                 return 1;
694         /* Check curve is consistent with client and server preferences */
695         for (j = 0; j <= 1; j++)
696                 {
697                 tls1_get_curvelist(s, j, &p, &plen);
698                 for (i = 0; i < plen; i+=2, p+=2)
699                         {
700                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
701                                 break;
702                         }
703                 if (i == plen)
704                         return 0;
705                 /* For clients can only check sent curve list */
706                 if (!s->server)
707                         break;
708                 }
709         return 1;
710         }
711
712 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
713                                         size_t *pformatslen)
714         {
715         /* If we have a custom point format list use it otherwise
716          * use default */
717         if (s->tlsext_ecpointformatlist)
718                 {
719                 *pformats = s->tlsext_ecpointformatlist;
720                 *pformatslen = s->tlsext_ecpointformatlist_length;
721                 }
722         else
723                 {
724                 *pformats = ecformats_default;
725                 /* For Suite B we don't support char2 fields */
726                 if (tls1_suiteb(s))
727                         *pformatslen = sizeof(ecformats_default) - 1;
728                 else
729                         *pformatslen = sizeof(ecformats_default);
730                 }
731         }
732
733 /* Check cert parameters compatible with extensions: currently just checks
734  * EC certificates have compatible curves and compression.
735  */
736 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
737         {
738         unsigned char comp_id, curve_id[2];
739         EVP_PKEY *pkey;
740         int rv;
741         pkey = X509_get_pubkey(x);
742         if (!pkey)
743                 return 0;
744         /* If not EC nothing to do */
745         if (pkey->type != EVP_PKEY_EC)
746                 {
747                 EVP_PKEY_free(pkey);
748                 return 1;
749                 }
750         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
751         EVP_PKEY_free(pkey);
752         if (!rv)
753                 return 0;
754         /* Can't check curve_id for client certs as we don't have a
755          * supported curves extension.
756          */
757         rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
758         if (!rv)
759                 return 0;
760         /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
761          * SHA384+P-384, adjust digest if necessary.
762          */
763         if (set_ee_md && tls1_suiteb(s))
764                 {
765                 int check_md;
766                 size_t i;
767                 CERT *c = s->cert;
768                 if (curve_id[0])
769                         return 0;
770                 /* Check to see we have necessary signing algorithm */
771                 if (curve_id[1] == TLSEXT_curve_P_256)
772                         check_md = NID_ecdsa_with_SHA256;
773                 else if (curve_id[1] == TLSEXT_curve_P_384)
774                         check_md = NID_ecdsa_with_SHA384;
775                 else
776                         return 0; /* Should never happen */
777                 for (i = 0; i < c->shared_sigalgslen; i++)
778                         if (check_md == c->shared_sigalgs[i].signandhash_nid)
779                                 break;
780                 if (i == c->shared_sigalgslen)
781                         return 0;
782                 if (set_ee_md == 2)
783                         {
784                         if (check_md == NID_ecdsa_with_SHA256)
785                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
786                         else
787                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
788                         }
789                 }
790         return rv;
791         }
792 /* Check EC temporary key is compatible with client extensions */
793 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
794         {
795         unsigned char curve_id[2];
796         EC_KEY *ec = s->cert->ecdh_tmp;
797 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
798         /* Allow any curve: not just those peer supports */
799         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
800                 return 1;
801 #endif
802         /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
803          * no other curves permitted.
804          */
805         if (tls1_suiteb(s))
806                 {
807                 /* Curve to check determined by ciphersuite */
808                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
809                         curve_id[1] = TLSEXT_curve_P_256;
810                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
811                         curve_id[1] = TLSEXT_curve_P_384;
812                 else
813                         return 0;
814                 curve_id[0] = 0;
815                 /* Check this curve is acceptable */
816                 if (!tls1_check_ec_key(s, curve_id, NULL))
817                         return 0;
818                 /* If auto or setting curve from callback assume OK */
819                 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
820                         return 1;
821                 /* Otherwise check curve is acceptable */
822                 else 
823                         {
824                         unsigned char curve_tmp[2];
825                         if (!ec)
826                                 return 0;
827                         if (!tls1_set_ec_id(curve_tmp, NULL, ec))
828                                 return 0;
829                         if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
830                                 return 1;
831                         return 0;
832                         }
833                         
834                 }
835         if (s->cert->ecdh_tmp_auto)
836                 {
837                 /* Need a shared curve */
838                 if (tls1_shared_curve(s, 0))
839                         return 1;
840                 else return 0;
841                 }
842         if (!ec)
843                 {
844                 if (s->cert->ecdh_tmp_cb)
845                         return 1;
846                 else
847                         return 0;
848                 }
849         if (!tls1_set_ec_id(curve_id, NULL, ec))
850                 return 0;
851 /* Set this to allow use of invalid curves for testing */
852 #if 0
853         return 1;
854 #else
855         return tls1_check_ec_key(s, curve_id, NULL);
856 #endif
857         }
858
859 #else
860
861 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
862         {
863         return 1;
864         }
865
866 #endif /* OPENSSL_NO_EC */
867
868 #ifndef OPENSSL_NO_TLSEXT
869
870 /* List of supported signature algorithms and hashes. Should make this
871  * customisable at some point, for now include everything we support.
872  */
873
874 #ifdef OPENSSL_NO_RSA
875 #define tlsext_sigalg_rsa(md) /* */
876 #else
877 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
878 #endif
879
880 #ifdef OPENSSL_NO_DSA
881 #define tlsext_sigalg_dsa(md) /* */
882 #else
883 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
884 #endif
885
886 #ifdef OPENSSL_NO_ECDSA
887 #define tlsext_sigalg_ecdsa(md) /* */
888 #else
889 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
890 #endif
891
892 #define tlsext_sigalg(md) \
893                 tlsext_sigalg_rsa(md) \
894                 tlsext_sigalg_dsa(md) \
895                 tlsext_sigalg_ecdsa(md)
896
897 static unsigned char tls12_sigalgs[] = {
898 #ifndef OPENSSL_NO_SHA512
899         tlsext_sigalg(TLSEXT_hash_sha512)
900         tlsext_sigalg(TLSEXT_hash_sha384)
901 #endif
902 #ifndef OPENSSL_NO_SHA256
903         tlsext_sigalg(TLSEXT_hash_sha256)
904         tlsext_sigalg(TLSEXT_hash_sha224)
905 #endif
906 #ifndef OPENSSL_NO_SHA
907         tlsext_sigalg(TLSEXT_hash_sha1)
908 #endif
909 };
910 #ifndef OPENSSL_NO_ECDSA
911 static unsigned char suiteb_sigalgs[] = {
912         tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
913         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
914 };
915 #endif
916 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
917         {
918         /* If Suite B mode use Suite B sigalgs only, ignore any other
919          * preferences.
920          */
921 #ifndef OPENSSL_NO_EC
922         switch (tls1_suiteb(s))
923                 {
924         case SSL_CERT_FLAG_SUITEB_128_LOS:
925                 *psigs = suiteb_sigalgs;
926                 return sizeof(suiteb_sigalgs);
927
928         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
929                 *psigs = suiteb_sigalgs;
930                 return 2;
931
932         case SSL_CERT_FLAG_SUITEB_192_LOS:
933                 *psigs = suiteb_sigalgs + 2;
934                 return 2;
935                 }
936 #endif
937         /* If server use client authentication sigalgs if not NULL */
938         if (s->server && s->cert->client_sigalgs)
939                 {
940                 *psigs = s->cert->client_sigalgs;
941                 return s->cert->client_sigalgslen;
942                 }
943         else if (s->cert->conf_sigalgs)
944                 {
945                 *psigs = s->cert->conf_sigalgs;
946                 return s->cert->conf_sigalgslen;
947                 }
948         else
949                 {
950                 *psigs = tls12_sigalgs;
951                 return sizeof(tls12_sigalgs);
952                 }
953         }
954 /* Check signature algorithm is consistent with sent supported signature
955  * algorithms and if so return relevant digest.
956  */
957 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
958                                 const unsigned char *sig, EVP_PKEY *pkey)
959         {
960         const unsigned char *sent_sigs;
961         size_t sent_sigslen, i;
962         int sigalg = tls12_get_sigid(pkey);
963         /* Should never happen */
964         if (sigalg == -1)
965                 return -1;
966         /* Check key type is consistent with signature */
967         if (sigalg != (int)sig[1])
968                 {
969                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
970                 return 0;
971                 }
972 #ifndef OPENSSL_NO_EC
973         if (pkey->type == EVP_PKEY_EC)
974                 {
975                 unsigned char curve_id[2], comp_id;
976                 /* Check compression and curve matches extensions */
977                 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
978                         return 0;
979                 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
980                         {
981                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_CURVE);
982                         return 0;
983                         }
984                 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
985                 if (tls1_suiteb(s))
986                         {
987                         if (curve_id[0])
988                                 return 0;
989                         if (curve_id[1] == TLSEXT_curve_P_256)
990                                 {
991                                 if (sig[0] != TLSEXT_hash_sha256)
992                                         {
993                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
994                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
995                                         return 0;
996                                         }
997                                 }
998                         else if (curve_id[1] == TLSEXT_curve_P_384)
999                                 {
1000                                 if (sig[0] != TLSEXT_hash_sha384)
1001                                         {
1002                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1003                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
1004                                         return 0;
1005                                         }
1006                                 }
1007                         else
1008                                 return 0;
1009                         }
1010                 }
1011         else if (tls1_suiteb(s))
1012                 return 0;
1013 #endif
1014
1015         /* Check signature matches a type we sent */
1016         sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1017         for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
1018                 {
1019                 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1020                         break;
1021                 }
1022         /* Allow fallback to SHA1 if not strict mode */
1023         if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
1024                 {
1025                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1026                 return 0;
1027                 }
1028         *pmd = tls12_get_hash(sig[0]);
1029         if (*pmd == NULL)
1030                 {
1031                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
1032                 return 0;
1033                 }
1034         /* Make sure security callback allows algorithm */
1035         if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1036                                 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1037                                                                 (void *)sig))
1038                 {
1039                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1040                 return 0;
1041                 }
1042         /* Store the digest used so applications can retrieve it if they
1043          * wish.
1044          */
1045         if (s->session && s->session->sess_cert)
1046                 s->session->sess_cert->peer_key->digest = *pmd;
1047         return 1;
1048         }
1049
1050 /* Get a mask of disabled algorithms: an algorithm is disabled
1051  * if it isn't supported or doesn't appear in supported signature
1052  * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1053  * session and not global settings.
1054  * 
1055  */
1056 void ssl_set_client_disabled(SSL *s)
1057         {
1058         CERT *c = s->cert;
1059         c->mask_a = 0;
1060         c->mask_k = 0;
1061         /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1062         if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1063                 c->mask_ssl = SSL_TLSV1_2;
1064         else
1065                 c->mask_ssl = 0;
1066         ssl_set_sig_mask(&c->mask_a, s, SSL_SECOP_SIGALG_MASK);
1067         /* Disable static DH if we don't include any appropriate
1068          * signature algorithms.
1069          */
1070         if (c->mask_a & SSL_aRSA)
1071                 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1072         if (c->mask_a & SSL_aDSS)
1073                 c->mask_k |= SSL_kDHd;
1074         if (c->mask_a & SSL_aECDSA)
1075                 c->mask_k |= SSL_kECDHe;
1076 #ifndef OPENSSL_NO_KRB5
1077         if (!kssl_tgt_is_available(s->kssl_ctx))
1078                 {
1079                 c->mask_a |= SSL_aKRB5;
1080                 c->mask_k |= SSL_kKRB5;
1081                 }
1082 #endif
1083 #ifndef OPENSSL_NO_PSK
1084         /* with PSK there must be client callback set */
1085         if (!s->psk_client_callback)
1086                 {
1087                 c->mask_a |= SSL_aPSK;
1088                 c->mask_k |= SSL_kPSK;
1089                 }
1090 #endif /* OPENSSL_NO_PSK */
1091 #ifndef OPENSSL_NO_SRP
1092         if (!(s->srp_ctx.srp_Mask & SSL_kSRP))
1093                 {
1094                 c->mask_a |= SSL_aSRP;
1095                 c->mask_k |= SSL_kSRP;
1096                 }
1097 #endif
1098         c->valid = 1;
1099         }
1100
1101 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
1102         {
1103         CERT *ct = s->cert;
1104         if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k || c->algorithm_auth & ct->mask_a)
1105                 return 1;
1106         return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1107         }
1108
1109 static int tls_use_ticket(SSL *s)
1110         {
1111         if (s->options & SSL_OP_NO_TICKET)
1112                 return 0;
1113         return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1114         }
1115
1116 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al)
1117         {
1118         int extdatalen=0;
1119         unsigned char *orig = buf;
1120         unsigned char *ret = buf;
1121 #ifndef OPENSSL_NO_EC
1122         /* See if we support any ECC ciphersuites */
1123         int using_ecc = 0;
1124         if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1125                 {
1126                 int i;
1127                 unsigned long alg_k, alg_a;
1128                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1129
1130                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1131                         {
1132                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1133
1134                         alg_k = c->algorithm_mkey;
1135                         alg_a = c->algorithm_auth;
1136                         if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)
1137                                 || (alg_a & SSL_aECDSA)))
1138                                 {
1139                                 using_ecc = 1;
1140                                 break;
1141                                 }
1142                         }
1143                 }
1144 #endif
1145
1146         /* don't add extensions for SSLv3 unless doing secure renegotiation */
1147         if (s->client_version == SSL3_VERSION
1148                                         && !s->s3->send_connection_binding)
1149                 return orig;
1150
1151         ret+=2;
1152
1153         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1154
1155         if (s->tlsext_hostname != NULL)
1156                 { 
1157                 /* Add TLS extension servername to the Client Hello message */
1158                 unsigned long size_str;
1159                 long lenmax; 
1160
1161                 /* check for enough space.
1162                    4 for the servername type and entension length
1163                    2 for servernamelist length
1164                    1 for the hostname type
1165                    2 for hostname length
1166                    + hostname length 
1167                 */
1168                    
1169                 if ((lenmax = limit - ret - 9) < 0 
1170                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
1171                         return NULL;
1172                         
1173                 /* extension type and length */
1174                 s2n(TLSEXT_TYPE_server_name,ret); 
1175                 s2n(size_str+5,ret);
1176                 
1177                 /* length of servername list */
1178                 s2n(size_str+3,ret);
1179         
1180                 /* hostname type, length and hostname */
1181                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1182                 s2n(size_str,ret);
1183                 memcpy(ret, s->tlsext_hostname, size_str);
1184                 ret+=size_str;
1185                 }
1186
1187         /* Add RI if renegotiating */
1188         if (s->renegotiate)
1189           {
1190           int el;
1191           
1192           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1193               {
1194               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1195               return NULL;
1196               }
1197
1198           if((limit - ret - 4 - el) < 0) return NULL;
1199           
1200           s2n(TLSEXT_TYPE_renegotiate,ret);
1201           s2n(el,ret);
1202
1203           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1204               {
1205               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1206               return NULL;
1207               }
1208
1209           ret += el;
1210         }
1211
1212 #ifndef OPENSSL_NO_SRP
1213         /* Add SRP username if there is one */
1214         if (s->srp_ctx.login != NULL)
1215                 { /* Add TLS extension SRP username to the Client Hello message */
1216
1217                 int login_len = strlen(s->srp_ctx.login);       
1218                 if (login_len > 255 || login_len == 0)
1219                         {
1220                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1221                         return NULL;
1222                         } 
1223
1224                 /* check for enough space.
1225                    4 for the srp type type and entension length
1226                    1 for the srp user identity
1227                    + srp user identity length 
1228                 */
1229                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
1230
1231                 /* fill in the extension */
1232                 s2n(TLSEXT_TYPE_srp,ret);
1233                 s2n(login_len+1,ret);
1234                 (*ret++) = (unsigned char) login_len;
1235                 memcpy(ret, s->srp_ctx.login, login_len);
1236                 ret+=login_len;
1237                 }
1238 #endif
1239
1240 #ifndef OPENSSL_NO_EC
1241         if (using_ecc)
1242                 {
1243                 /* Add TLS extension ECPointFormats to the ClientHello message */
1244                 long lenmax; 
1245                 const unsigned char *plist;
1246                 size_t plistlen;
1247                 size_t i;
1248                 unsigned char *etmp;
1249
1250                 tls1_get_formatlist(s, &plist, &plistlen);
1251
1252                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1253                 if (plistlen > (size_t)lenmax) return NULL;
1254                 if (plistlen > 255)
1255                         {
1256                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1257                         return NULL;
1258                         }
1259                 
1260                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1261                 s2n(plistlen + 1,ret);
1262                 *(ret++) = (unsigned char)plistlen ;
1263                 memcpy(ret, plist, plistlen);
1264                 ret+=plistlen;
1265
1266                 /* Add TLS extension EllipticCurves to the ClientHello message */
1267                 plist = s->tlsext_ellipticcurvelist;
1268                 tls1_get_curvelist(s, 0, &plist, &plistlen);
1269
1270                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
1271                 if (plistlen > (size_t)lenmax) return NULL;
1272                 if (plistlen > 65532)
1273                         {
1274                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1275                         return NULL;
1276                         }
1277
1278                 
1279                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1280                 etmp = ret + 4;
1281                 /* Copy curve ID if supported */
1282                 for (i = 0; i < plistlen; i += 2, plist += 2)
1283                         {
1284                         if (tls_curve_allowed(s, plist, SSL_SECOP_CURVE_SUPPORTED))
1285                                 {
1286                                 *etmp++ = plist[0];
1287                                 *etmp++ = plist[1];
1288                                 }
1289                         }
1290
1291                 plistlen = etmp - ret - 4;
1292
1293                 s2n(plistlen + 2, ret);
1294                 s2n(plistlen, ret);
1295                 ret+=plistlen;
1296                 }
1297 #endif /* OPENSSL_NO_EC */
1298
1299         if (tls_use_ticket(s))
1300                 {
1301                 int ticklen;
1302                 if (!s->new_session && s->session && s->session->tlsext_tick)
1303                         ticklen = s->session->tlsext_ticklen;
1304                 else if (s->session && s->tlsext_session_ticket &&
1305                          s->tlsext_session_ticket->data)
1306                         {
1307                         ticklen = s->tlsext_session_ticket->length;
1308                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1309                         if (!s->session->tlsext_tick)
1310                                 return NULL;
1311                         memcpy(s->session->tlsext_tick,
1312                                s->tlsext_session_ticket->data,
1313                                ticklen);
1314                         s->session->tlsext_ticklen = ticklen;
1315                         }
1316                 else
1317                         ticklen = 0;
1318                 if (ticklen == 0 && s->tlsext_session_ticket &&
1319                     s->tlsext_session_ticket->data == NULL)
1320                         goto skip_ext;
1321                 /* Check for enough room 2 for extension type, 2 for len
1322                  * rest for ticket
1323                  */
1324                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1325                 s2n(TLSEXT_TYPE_session_ticket,ret); 
1326                 s2n(ticklen,ret);
1327                 if (ticklen)
1328                         {
1329                         memcpy(ret, s->session->tlsext_tick, ticklen);
1330                         ret += ticklen;
1331                         }
1332                 }
1333                 skip_ext:
1334
1335         if (SSL_USE_SIGALGS(s))
1336                 {
1337                 size_t salglen;
1338                 const unsigned char *salg;
1339                 unsigned char *etmp;
1340                 salglen = tls12_get_psigalgs(s, &salg);
1341                 if ((size_t)(limit - ret) < salglen + 6)
1342                         return NULL; 
1343                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1344                 etmp = ret;
1345                 /* Skip over lengths for now */
1346                 ret += 4;
1347                 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1348                 /* Fill in lengths */
1349                 s2n(salglen + 2, etmp);
1350                 s2n(salglen, etmp);
1351                 ret += salglen;
1352                 }
1353
1354 #ifdef TLSEXT_TYPE_opaque_prf_input
1355         if (s->s3->client_opaque_prf_input != NULL)
1356                 {
1357                 size_t col = s->s3->client_opaque_prf_input_len;
1358                 
1359                 if ((long)(limit - ret - 6 - col) < 0)
1360                         return NULL;
1361                 if (col > 0xFFFD) /* can't happen */
1362                         return NULL;
1363
1364                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1365                 s2n(col + 2, ret);
1366                 s2n(col, ret);
1367                 memcpy(ret, s->s3->client_opaque_prf_input, col);
1368                 ret += col;
1369                 }
1370 #endif
1371
1372         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1373                 {
1374                 int i;
1375                 long extlen, idlen, itmp;
1376                 OCSP_RESPID *id;
1377
1378                 idlen = 0;
1379                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1380                         {
1381                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1382                         itmp = i2d_OCSP_RESPID(id, NULL);
1383                         if (itmp <= 0)
1384                                 return NULL;
1385                         idlen += itmp + 2;
1386                         }
1387
1388                 if (s->tlsext_ocsp_exts)
1389                         {
1390                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1391                         if (extlen < 0)
1392                                 return NULL;
1393                         }
1394                 else
1395                         extlen = 0;
1396                         
1397                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1398                 s2n(TLSEXT_TYPE_status_request, ret);
1399                 if (extlen + idlen > 0xFFF0)
1400                         return NULL;
1401                 s2n(extlen + idlen + 5, ret);
1402                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1403                 s2n(idlen, ret);
1404                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1405                         {
1406                         /* save position of id len */
1407                         unsigned char *q = ret;
1408                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1409                         /* skip over id len */
1410                         ret += 2;
1411                         itmp = i2d_OCSP_RESPID(id, &ret);
1412                         /* write id len */
1413                         s2n(itmp, q);
1414                         }
1415                 s2n(extlen, ret);
1416                 if (extlen > 0)
1417                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1418                 }
1419
1420 #ifndef OPENSSL_NO_HEARTBEATS
1421         /* Add Heartbeat extension */
1422         if ((limit - ret - 4 - 1) < 0)
1423                 return NULL;
1424         s2n(TLSEXT_TYPE_heartbeat,ret);
1425         s2n(1,ret);
1426         /* Set mode:
1427          * 1: peer may send requests
1428          * 2: peer not allowed to send requests
1429          */
1430         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1431                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1432         else
1433                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1434 #endif
1435
1436 #ifndef OPENSSL_NO_NEXTPROTONEG
1437         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1438                 {
1439                 /* The client advertises an emtpy extension to indicate its
1440                  * support for Next Protocol Negotiation */
1441                 if (limit - ret - 4 < 0)
1442                         return NULL;
1443                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1444                 s2n(0,ret);
1445                 }
1446 #endif
1447
1448         if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1449                 {
1450                 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1451                         return NULL;
1452                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1453                 s2n(2 + s->alpn_client_proto_list_len,ret);
1454                 s2n(s->alpn_client_proto_list_len,ret);
1455                 memcpy(ret, s->alpn_client_proto_list,
1456                        s->alpn_client_proto_list_len);
1457                 ret += s->alpn_client_proto_list_len;
1458                 }
1459
1460         if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
1461                 {
1462                 int el;
1463
1464                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1465                 
1466                 if((limit - ret - 4 - el) < 0) return NULL;
1467
1468                 s2n(TLSEXT_TYPE_use_srtp,ret);
1469                 s2n(el,ret);
1470
1471                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1472                         {
1473                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1474                         return NULL;
1475                         }
1476                 ret += el;
1477                 }
1478         custom_ext_init(&s->cert->cli_ext);
1479         /* Add custom TLS Extensions to ClientHello */
1480         if (!custom_ext_add(s, 0, &ret, limit, al))
1481                 return NULL;
1482 #ifdef TLSEXT_TYPE_encrypt_then_mac
1483         if (s->version != SSL3_VERSION)
1484                 {
1485                 s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
1486                 s2n(0,ret);
1487                 }
1488 #endif
1489
1490         /* Add padding to workaround bugs in F5 terminators.
1491          * See https://tools.ietf.org/html/draft-agl-tls-padding-03
1492          *
1493          * NB: because this code works out the length of all existing
1494          * extensions it MUST always appear last.
1495          */
1496         if (s->options & SSL_OP_TLSEXT_PADDING)
1497                 {
1498                 int hlen = ret - (unsigned char *)s->init_buf->data;
1499                 /* The code in s23_clnt.c to build ClientHello messages
1500                  * includes the 5-byte record header in the buffer, while
1501                  * the code in s3_clnt.c does not.
1502                  */
1503                 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1504                         hlen -= 5;
1505                 if (hlen > 0xff && hlen < 0x200)
1506                         {
1507                         hlen = 0x200 - hlen;
1508                         if (hlen >= 4)
1509                                 hlen -= 4;
1510                         else
1511                                 hlen = 0;
1512
1513                         s2n(TLSEXT_TYPE_padding, ret);
1514                         s2n(hlen, ret);
1515                         memset(ret, 0, hlen);
1516                         ret += hlen;
1517                         }
1518                 }
1519
1520         if ((extdatalen = ret-orig-2)== 0) 
1521                 return orig;
1522
1523         s2n(extdatalen, orig);
1524         return ret;
1525         }
1526
1527 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al)
1528         {
1529         int extdatalen=0;
1530         unsigned char *orig = buf;
1531         unsigned char *ret = buf;
1532 #ifndef OPENSSL_NO_NEXTPROTONEG
1533         int next_proto_neg_seen;
1534 #endif
1535 #ifndef OPENSSL_NO_EC
1536         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1537         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1538         int using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1539         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1540 #endif
1541         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1542         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1543                 return orig;
1544         
1545         ret+=2;
1546         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1547
1548         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1549                 { 
1550                 if ((long)(limit - ret - 4) < 0) return NULL; 
1551
1552                 s2n(TLSEXT_TYPE_server_name,ret);
1553                 s2n(0,ret);
1554                 }
1555
1556         if(s->s3->send_connection_binding)
1557         {
1558           int el;
1559           
1560           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1561               {
1562               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1563               return NULL;
1564               }
1565
1566           if((limit - ret - 4 - el) < 0) return NULL;
1567           
1568           s2n(TLSEXT_TYPE_renegotiate,ret);
1569           s2n(el,ret);
1570
1571           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1572               {
1573               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1574               return NULL;
1575               }
1576
1577           ret += el;
1578         }
1579
1580 #ifndef OPENSSL_NO_EC
1581         if (using_ecc)
1582                 {
1583                 const unsigned char *plist;
1584                 size_t plistlen;
1585                 /* Add TLS extension ECPointFormats to the ServerHello message */
1586                 long lenmax; 
1587
1588                 tls1_get_formatlist(s, &plist, &plistlen);
1589
1590                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1591                 if (plistlen > (size_t)lenmax) return NULL;
1592                 if (plistlen > 255)
1593                         {
1594                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1595                         return NULL;
1596                         }
1597                 
1598                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1599                 s2n(plistlen + 1,ret);
1600                 *(ret++) = (unsigned char) plistlen;
1601                 memcpy(ret, plist, plistlen);
1602                 ret+=plistlen;
1603
1604                 }
1605         /* Currently the server should not respond with a SupportedCurves extension */
1606 #endif /* OPENSSL_NO_EC */
1607
1608         if (s->tlsext_ticket_expected && tls_use_ticket(s))
1609                 { 
1610                 if ((long)(limit - ret - 4) < 0) return NULL; 
1611                 s2n(TLSEXT_TYPE_session_ticket,ret);
1612                 s2n(0,ret);
1613                 }
1614
1615         if (s->tlsext_status_expected)
1616                 { 
1617                 if ((long)(limit - ret - 4) < 0) return NULL; 
1618                 s2n(TLSEXT_TYPE_status_request,ret);
1619                 s2n(0,ret);
1620                 }
1621
1622 #ifdef TLSEXT_TYPE_opaque_prf_input
1623         if (s->s3->server_opaque_prf_input != NULL)
1624                 {
1625                 size_t sol = s->s3->server_opaque_prf_input_len;
1626                 
1627                 if ((long)(limit - ret - 6 - sol) < 0)
1628                         return NULL;
1629                 if (sol > 0xFFFD) /* can't happen */
1630                         return NULL;
1631
1632                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1633                 s2n(sol + 2, ret);
1634                 s2n(sol, ret);
1635                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1636                 ret += sol;
1637                 }
1638 #endif
1639
1640         if(SSL_IS_DTLS(s) && s->srtp_profile)
1641                 {
1642                 int el;
1643
1644                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1645                 
1646                 if((limit - ret - 4 - el) < 0) return NULL;
1647
1648                 s2n(TLSEXT_TYPE_use_srtp,ret);
1649                 s2n(el,ret);
1650
1651                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1652                         {
1653                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1654                         return NULL;
1655                         }
1656                 ret+=el;
1657                 }
1658
1659         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1660                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1661                 { const unsigned char cryptopro_ext[36] = {
1662                         0xfd, 0xe8, /*65000*/
1663                         0x00, 0x20, /*32 bytes length*/
1664                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1665                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1666                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1667                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1668                         if (limit-ret<36) return NULL;
1669                         memcpy(ret,cryptopro_ext,36);
1670                         ret+=36;
1671
1672                 }
1673
1674 #ifndef OPENSSL_NO_HEARTBEATS
1675         /* Add Heartbeat extension if we've received one */
1676         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1677                 {
1678                 if ((limit - ret - 4 - 1) < 0)
1679                         return NULL;
1680                 s2n(TLSEXT_TYPE_heartbeat,ret);
1681                 s2n(1,ret);
1682                 /* Set mode:
1683                  * 1: peer may send requests
1684                  * 2: peer not allowed to send requests
1685                  */
1686                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1687                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1688                 else
1689                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1690
1691                 }
1692 #endif
1693
1694 #ifndef OPENSSL_NO_NEXTPROTONEG
1695         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1696         s->s3->next_proto_neg_seen = 0;
1697         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1698                 {
1699                 const unsigned char *npa;
1700                 unsigned int npalen;
1701                 int r;
1702
1703                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1704                 if (r == SSL_TLSEXT_ERR_OK)
1705                         {
1706                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1707                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1708                         s2n(npalen,ret);
1709                         memcpy(ret, npa, npalen);
1710                         ret += npalen;
1711                         s->s3->next_proto_neg_seen = 1;
1712                         }
1713                 }
1714 #endif
1715         if (!custom_ext_add(s, 1, &ret, limit, al))
1716                 return NULL;
1717 #ifdef TLSEXT_TYPE_encrypt_then_mac
1718         if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
1719                 {
1720                 /* Don't use encrypt_then_mac if AEAD, RC4 or SSL 3.0:
1721                  * might want to disable for other cases too.
1722                  */
1723                 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1724                     || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1725                     || s->version == SSL3_VERSION)
1726                         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1727                 else
1728                         {
1729                         s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
1730                         s2n(0,ret);
1731                         }
1732                 }
1733 #endif
1734
1735         if (s->s3->alpn_selected)
1736                 {
1737                 const unsigned char *selected = s->s3->alpn_selected;
1738                 unsigned len = s->s3->alpn_selected_len;
1739
1740                 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1741                         return NULL;
1742                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1743                 s2n(3 + len,ret);
1744                 s2n(1 + len,ret);
1745                 *ret++ = len;
1746                 memcpy(ret, selected, len);
1747                 ret += len;
1748                 }
1749
1750         if ((extdatalen = ret-orig-2)== 0) 
1751                 return orig;
1752
1753         s2n(extdatalen, orig);
1754         return ret;
1755         }
1756
1757 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1758  * ClientHello.
1759  *   data: the contents of the extension, not including the type and length.
1760  *   data_len: the number of bytes in |data|
1761  *   al: a pointer to the alert value to send in the event of a non-zero
1762  *       return.
1763  *
1764  *   returns: 0 on success. */
1765 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1766                                          unsigned data_len, int *al)
1767         {
1768         unsigned i;
1769         unsigned proto_len;
1770         const unsigned char *selected;
1771         unsigned char selected_len;
1772         int r;
1773
1774         if (s->ctx->alpn_select_cb == NULL)
1775                 return 0;
1776
1777         if (data_len < 2)
1778                 goto parse_error;
1779
1780         /* data should contain a uint16 length followed by a series of 8-bit,
1781          * length-prefixed strings. */
1782         i = ((unsigned) data[0]) << 8 |
1783             ((unsigned) data[1]);
1784         data_len -= 2;
1785         data += 2;
1786         if (data_len != i)
1787                 goto parse_error;
1788
1789         if (data_len < 2)
1790                 goto parse_error;
1791
1792         for (i = 0; i < data_len;)
1793                 {
1794                 proto_len = data[i];
1795                 i++;
1796
1797                 if (proto_len == 0)
1798                         goto parse_error;
1799
1800                 if (i + proto_len < i || i + proto_len > data_len)
1801                         goto parse_error;
1802
1803                 i += proto_len;
1804                 }
1805
1806         r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1807                                    s->ctx->alpn_select_cb_arg);
1808         if (r == SSL_TLSEXT_ERR_OK) {
1809                 if (s->s3->alpn_selected)
1810                         OPENSSL_free(s->s3->alpn_selected);
1811                 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1812                 if (!s->s3->alpn_selected)
1813                         {
1814                         *al = SSL_AD_INTERNAL_ERROR;
1815                         return -1;
1816                         }
1817                 memcpy(s->s3->alpn_selected, selected, selected_len);
1818                 s->s3->alpn_selected_len = selected_len;
1819         }
1820         return 0;
1821
1822 parse_error:
1823         *al = SSL_AD_DECODE_ERROR;
1824         return -1;
1825         }
1826
1827 #ifndef OPENSSL_NO_EC
1828 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
1829  * SecureTransport using the TLS extension block in |d|, of length |n|.
1830  * Safari, since 10.6, sends exactly these extensions, in this order:
1831  *   SNI,
1832  *   elliptic_curves
1833  *   ec_point_formats
1834  *
1835  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1836  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1837  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1838  * 10.8..10.8.3 (which don't work).
1839  */
1840 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
1841         unsigned short type, size;
1842         static const unsigned char kSafariExtensionsBlock[] = {
1843                 0x00, 0x0a,  /* elliptic_curves extension */
1844                 0x00, 0x08,  /* 8 bytes */
1845                 0x00, 0x06,  /* 6 bytes of curve ids */
1846                 0x00, 0x17,  /* P-256 */
1847                 0x00, 0x18,  /* P-384 */
1848                 0x00, 0x19,  /* P-521 */
1849
1850                 0x00, 0x0b,  /* ec_point_formats */
1851                 0x00, 0x02,  /* 2 bytes */
1852                 0x01,        /* 1 point format */
1853                 0x00,        /* uncompressed */
1854         };
1855
1856         /* The following is only present in TLS 1.2 */
1857         static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1858                 0x00, 0x0d,  /* signature_algorithms */
1859                 0x00, 0x0c,  /* 12 bytes */
1860                 0x00, 0x0a,  /* 10 bytes */
1861                 0x05, 0x01,  /* SHA-384/RSA */
1862                 0x04, 0x01,  /* SHA-256/RSA */
1863                 0x02, 0x01,  /* SHA-1/RSA */
1864                 0x04, 0x03,  /* SHA-256/ECDSA */
1865                 0x02, 0x03,  /* SHA-1/ECDSA */
1866         };
1867
1868         if (data >= (d+n-2))
1869                 return;
1870         data += 2;
1871
1872         if (data > (d+n-4))
1873                 return;
1874         n2s(data,type);
1875         n2s(data,size);
1876
1877         if (type != TLSEXT_TYPE_server_name)
1878                 return;
1879
1880         if (data+size > d+n)
1881                 return;
1882         data += size;
1883
1884         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
1885                 {
1886                 const size_t len1 = sizeof(kSafariExtensionsBlock);
1887                 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1888
1889                 if (data + len1 + len2 != d+n)
1890                         return;
1891                 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1892                         return;
1893                 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1894                         return;
1895                 }
1896         else
1897                 {
1898                 const size_t len = sizeof(kSafariExtensionsBlock);
1899
1900                 if (data + len != d+n)
1901                         return;
1902                 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1903                         return;
1904                 }
1905
1906         s->s3->is_probably_safari = 1;
1907 }
1908 #endif /* !OPENSSL_NO_EC */
1909
1910
1911 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1912         {       
1913         unsigned short type;
1914         unsigned short size;
1915         unsigned short len;
1916         unsigned char *data = *p;
1917         int renegotiate_seen = 0;
1918
1919         s->servername_done = 0;
1920         s->tlsext_status_type = -1;
1921 #ifndef OPENSSL_NO_NEXTPROTONEG
1922         s->s3->next_proto_neg_seen = 0;
1923 #endif
1924
1925         if (s->s3->alpn_selected)
1926                 {
1927                 OPENSSL_free(s->s3->alpn_selected);
1928                 s->s3->alpn_selected = NULL;
1929                 }
1930
1931 #ifndef OPENSSL_NO_HEARTBEATS
1932         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1933                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1934 #endif
1935
1936 #ifndef OPENSSL_NO_EC
1937         if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1938                 ssl_check_for_safari(s, data, d, n);
1939 #endif /* !OPENSSL_NO_EC */
1940
1941         /* Clear any signature algorithms extension received */
1942         if (s->cert->peer_sigalgs)
1943                 {
1944                 OPENSSL_free(s->cert->peer_sigalgs);
1945                 s->cert->peer_sigalgs = NULL;
1946                 }
1947
1948 #ifdef TLSEXT_TYPE_encrypt_then_mac
1949         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1950 #endif
1951
1952         if (data >= (d+n-2))
1953                 goto ri_check;
1954         n2s(data,len);
1955
1956         if (data > (d+n-len)) 
1957                 goto ri_check;
1958
1959         while (data <= (d+n-4))
1960                 {
1961                 n2s(data,type);
1962                 n2s(data,size);
1963
1964                 if (data+size > (d+n))
1965                         goto ri_check;
1966 #if 0
1967                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1968 #endif
1969                 if (s->tlsext_debug_cb)
1970                         s->tlsext_debug_cb(s, 0, type, data, size,
1971                                                 s->tlsext_debug_arg);
1972 /* The servername extension is treated as follows:
1973
1974    - Only the hostname type is supported with a maximum length of 255.
1975    - The servername is rejected if too long or if it contains zeros,
1976      in which case an fatal alert is generated.
1977    - The servername field is maintained together with the session cache.
1978    - When a session is resumed, the servername call back invoked in order
1979      to allow the application to position itself to the right context. 
1980    - The servername is acknowledged if it is new for a session or when 
1981      it is identical to a previously used for the same session. 
1982      Applications can control the behaviour.  They can at any time
1983      set a 'desirable' servername for a new SSL object. This can be the
1984      case for example with HTTPS when a Host: header field is received and
1985      a renegotiation is requested. In this case, a possible servername
1986      presented in the new client hello is only acknowledged if it matches
1987      the value of the Host: field. 
1988    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1989      if they provide for changing an explicit servername context for the session,
1990      i.e. when the session has been established with a servername extension. 
1991    - On session reconnect, the servername extension may be absent. 
1992
1993 */      
1994
1995                 if (type == TLSEXT_TYPE_server_name)
1996                         {
1997                         unsigned char *sdata;
1998                         int servname_type;
1999                         int dsize; 
2000                 
2001                         if (size < 2) 
2002                                 {
2003                                 *al = SSL_AD_DECODE_ERROR;
2004                                 return 0;
2005                                 }
2006                         n2s(data,dsize);  
2007                         size -= 2;
2008                         if (dsize > size  ) 
2009                                 {
2010                                 *al = SSL_AD_DECODE_ERROR;
2011                                 return 0;
2012                                 } 
2013
2014                         sdata = data;
2015                         while (dsize > 3) 
2016                                 {
2017                                 servname_type = *(sdata++); 
2018                                 n2s(sdata,len);
2019                                 dsize -= 3;
2020
2021                                 if (len > dsize) 
2022                                         {
2023                                         *al = SSL_AD_DECODE_ERROR;
2024                                         return 0;
2025                                         }
2026                                 if (s->servername_done == 0)
2027                                 switch (servname_type)
2028                                         {
2029                                 case TLSEXT_NAMETYPE_host_name:
2030                                         if (!s->hit)
2031                                                 {
2032                                                 if(s->session->tlsext_hostname)
2033                                                         {
2034                                                         *al = SSL_AD_DECODE_ERROR;
2035                                                         return 0;
2036                                                         }
2037                                                 if (len > TLSEXT_MAXLEN_host_name)
2038                                                         {
2039                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
2040                                                         return 0;
2041                                                         }
2042                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2043                                                         {
2044                                                         *al = TLS1_AD_INTERNAL_ERROR;
2045                                                         return 0;
2046                                                         }
2047                                                 memcpy(s->session->tlsext_hostname, sdata, len);
2048                                                 s->session->tlsext_hostname[len]='\0';
2049                                                 if (strlen(s->session->tlsext_hostname) != len) {
2050                                                         OPENSSL_free(s->session->tlsext_hostname);
2051                                                         s->session->tlsext_hostname = NULL;
2052                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
2053                                                         return 0;
2054                                                 }
2055                                                 s->servername_done = 1; 
2056
2057                                                 }
2058                                         else 
2059                                                 s->servername_done = s->session->tlsext_hostname
2060                                                         && strlen(s->session->tlsext_hostname) == len 
2061                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2062                                         
2063                                         break;
2064
2065                                 default:
2066                                         break;
2067                                         }
2068                                  
2069                                 dsize -= len;
2070                                 }
2071                         if (dsize != 0) 
2072                                 {
2073                                 *al = SSL_AD_DECODE_ERROR;
2074                                 return 0;
2075                                 }
2076
2077                         }
2078 #ifndef OPENSSL_NO_SRP
2079                 else if (type == TLSEXT_TYPE_srp)
2080                         {
2081                         if (size <= 0 || ((len = data[0])) != (size -1))
2082                                 {
2083                                 *al = SSL_AD_DECODE_ERROR;
2084                                 return 0;
2085                                 }
2086                         if (s->srp_ctx.login != NULL)
2087                                 {
2088                                 *al = SSL_AD_DECODE_ERROR;
2089                                 return 0;
2090                                 }
2091                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
2092                                 return -1;
2093                         memcpy(s->srp_ctx.login, &data[1], len);
2094                         s->srp_ctx.login[len]='\0';
2095   
2096                         if (strlen(s->srp_ctx.login) != len) 
2097                                 {
2098                                 *al = SSL_AD_DECODE_ERROR;
2099                                 return 0;
2100                                 }
2101                         }
2102 #endif
2103
2104 #ifndef OPENSSL_NO_EC
2105                 else if (type == TLSEXT_TYPE_ec_point_formats)
2106                         {
2107                         unsigned char *sdata = data;
2108                         int ecpointformatlist_length = *(sdata++);
2109
2110                         if (ecpointformatlist_length != size - 1 || 
2111                                 ecpointformatlist_length < 1)
2112                                 {
2113                                 *al = TLS1_AD_DECODE_ERROR;
2114                                 return 0;
2115                                 }
2116                         if (!s->hit)
2117                                 {
2118                                 if(s->session->tlsext_ecpointformatlist)
2119                                         {
2120                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
2121                                         s->session->tlsext_ecpointformatlist = NULL;
2122                                         }
2123                                 s->session->tlsext_ecpointformatlist_length = 0;
2124                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2125                                         {
2126                                         *al = TLS1_AD_INTERNAL_ERROR;
2127                                         return 0;
2128                                         }
2129                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2130                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2131                                 }
2132 #if 0
2133                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2134                         sdata = s->session->tlsext_ecpointformatlist;
2135                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2136                                 fprintf(stderr,"%i ",*(sdata++));
2137                         fprintf(stderr,"\n");
2138 #endif
2139                         }
2140                 else if (type == TLSEXT_TYPE_elliptic_curves)
2141                         {
2142                         unsigned char *sdata = data;
2143                         int ellipticcurvelist_length = (*(sdata++) << 8);
2144                         ellipticcurvelist_length += (*(sdata++));
2145
2146                         if (ellipticcurvelist_length != size - 2 ||
2147                                 ellipticcurvelist_length < 1)
2148                                 {
2149                                 *al = TLS1_AD_DECODE_ERROR;
2150                                 return 0;
2151                                 }
2152                         if (!s->hit)
2153                                 {
2154                                 if(s->session->tlsext_ellipticcurvelist)
2155                                         {
2156                                         *al = TLS1_AD_DECODE_ERROR;
2157                                         return 0;
2158                                         }
2159                                 s->session->tlsext_ellipticcurvelist_length = 0;
2160                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2161                                         {
2162                                         *al = TLS1_AD_INTERNAL_ERROR;
2163                                         return 0;
2164                                         }
2165                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2166                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2167                                 }
2168 #if 0
2169                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2170                         sdata = s->session->tlsext_ellipticcurvelist;
2171                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2172                                 fprintf(stderr,"%i ",*(sdata++));
2173                         fprintf(stderr,"\n");
2174 #endif
2175                         }
2176 #endif /* OPENSSL_NO_EC */
2177 #ifdef TLSEXT_TYPE_opaque_prf_input
2178                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2179                         {
2180                         unsigned char *sdata = data;
2181
2182                         if (size < 2)
2183                                 {
2184                                 *al = SSL_AD_DECODE_ERROR;
2185                                 return 0;
2186                                 }
2187                         n2s(sdata, s->s3->client_opaque_prf_input_len);
2188                         if (s->s3->client_opaque_prf_input_len != size - 2)
2189                                 {
2190                                 *al = SSL_AD_DECODE_ERROR;
2191                                 return 0;
2192                                 }
2193
2194                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2195                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2196                         if (s->s3->client_opaque_prf_input_len == 0)
2197                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2198                         else
2199                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2200                         if (s->s3->client_opaque_prf_input == NULL)
2201                                 {
2202                                 *al = TLS1_AD_INTERNAL_ERROR;
2203                                 return 0;
2204                                 }
2205                         }
2206 #endif
2207                 else if (type == TLSEXT_TYPE_session_ticket)
2208                         {
2209                         if (s->tls_session_ticket_ext_cb &&
2210                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2211                                 {
2212                                 *al = TLS1_AD_INTERNAL_ERROR;
2213                                 return 0;
2214                                 }
2215                         }
2216                 else if (type == TLSEXT_TYPE_renegotiate)
2217                         {
2218                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2219                                 return 0;
2220                         renegotiate_seen = 1;
2221                         }
2222                 else if (type == TLSEXT_TYPE_signature_algorithms)
2223                         {
2224                         int dsize;
2225                         if (s->cert->peer_sigalgs || size < 2) 
2226                                 {
2227                                 *al = SSL_AD_DECODE_ERROR;
2228                                 return 0;
2229                                 }
2230                         n2s(data,dsize);
2231                         size -= 2;
2232                         if (dsize != size || dsize & 1 || !dsize) 
2233                                 {
2234                                 *al = SSL_AD_DECODE_ERROR;
2235                                 return 0;
2236                                 }
2237                         if (!tls1_save_sigalgs(s, data, dsize))
2238                                 {
2239                                 *al = SSL_AD_DECODE_ERROR;
2240                                 return 0;
2241                                 }
2242                         }
2243                 else if (type == TLSEXT_TYPE_status_request)
2244                         {
2245                 
2246                         if (size < 5) 
2247                                 {
2248                                 *al = SSL_AD_DECODE_ERROR;
2249                                 return 0;
2250                                 }
2251
2252                         s->tlsext_status_type = *data++;
2253                         size--;
2254                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2255                                 {
2256                                 const unsigned char *sdata;
2257                                 int dsize;
2258                                 /* Read in responder_id_list */
2259                                 n2s(data,dsize);
2260                                 size -= 2;
2261                                 if (dsize > size  ) 
2262                                         {
2263                                         *al = SSL_AD_DECODE_ERROR;
2264                                         return 0;
2265                                         }
2266                                 while (dsize > 0)
2267                                         {
2268                                         OCSP_RESPID *id;
2269                                         int idsize;
2270                                         if (dsize < 4)
2271                                                 {
2272                                                 *al = SSL_AD_DECODE_ERROR;
2273                                                 return 0;
2274                                                 }
2275                                         n2s(data, idsize);
2276                                         dsize -= 2 + idsize;
2277                                         size -= 2 + idsize;
2278                                         if (dsize < 0)
2279                                                 {
2280                                                 *al = SSL_AD_DECODE_ERROR;
2281                                                 return 0;
2282                                                 }
2283                                         sdata = data;
2284                                         data += idsize;
2285                                         id = d2i_OCSP_RESPID(NULL,
2286                                                                 &sdata, idsize);
2287                                         if (!id)
2288                                                 {
2289                                                 *al = SSL_AD_DECODE_ERROR;
2290                                                 return 0;
2291                                                 }
2292                                         if (data != sdata)
2293                                                 {
2294                                                 OCSP_RESPID_free(id);
2295                                                 *al = SSL_AD_DECODE_ERROR;
2296                                                 return 0;
2297                                                 }
2298                                         if (!s->tlsext_ocsp_ids
2299                                                 && !(s->tlsext_ocsp_ids =
2300                                                 sk_OCSP_RESPID_new_null()))
2301                                                 {
2302                                                 OCSP_RESPID_free(id);
2303                                                 *al = SSL_AD_INTERNAL_ERROR;
2304                                                 return 0;
2305                                                 }
2306                                         if (!sk_OCSP_RESPID_push(
2307                                                         s->tlsext_ocsp_ids, id))
2308                                                 {
2309                                                 OCSP_RESPID_free(id);
2310                                                 *al = SSL_AD_INTERNAL_ERROR;
2311                                                 return 0;
2312                                                 }
2313                                         }
2314
2315                                 /* Read in request_extensions */
2316                                 if (size < 2)
2317                                         {
2318                                         *al = SSL_AD_DECODE_ERROR;
2319                                         return 0;
2320                                         }
2321                                 n2s(data,dsize);
2322                                 size -= 2;
2323                                 if (dsize != size)
2324                                         {
2325                                         *al = SSL_AD_DECODE_ERROR;
2326                                         return 0;
2327                                         }
2328                                 sdata = data;
2329                                 if (dsize > 0)
2330                                         {
2331                                         if (s->tlsext_ocsp_exts)
2332                                                 {
2333                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2334                                                                            X509_EXTENSION_free);
2335                                                 }
2336
2337                                         s->tlsext_ocsp_exts =
2338                                                 d2i_X509_EXTENSIONS(NULL,
2339                                                         &sdata, dsize);
2340                                         if (!s->tlsext_ocsp_exts
2341                                                 || (data + dsize != sdata))
2342                                                 {
2343                                                 *al = SSL_AD_DECODE_ERROR;
2344                                                 return 0;
2345                                                 }
2346                                         }
2347                                 }
2348                                 /* We don't know what to do with any other type
2349                                 * so ignore it.
2350                                 */
2351                                 else
2352                                         s->tlsext_status_type = -1;
2353                         }
2354 #ifndef OPENSSL_NO_HEARTBEATS
2355                 else if (type == TLSEXT_TYPE_heartbeat)
2356                         {
2357                         switch(data[0])
2358                                 {
2359                                 case 0x01:      /* Client allows us to send HB requests */
2360                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2361                                                         break;
2362                                 case 0x02:      /* Client doesn't accept HB requests */
2363                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2364                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2365                                                         break;
2366                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2367                                                         return 0;
2368                                 }
2369                         }
2370 #endif
2371 #ifndef OPENSSL_NO_NEXTPROTONEG
2372                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2373                          s->s3->tmp.finish_md_len == 0 &&
2374                          s->s3->alpn_selected == NULL)
2375                         {
2376                         /* We shouldn't accept this extension on a
2377                          * renegotiation.
2378                          *
2379                          * s->new_session will be set on renegotiation, but we
2380                          * probably shouldn't rely that it couldn't be set on
2381                          * the initial renegotation too in certain cases (when
2382                          * there's some other reason to disallow resuming an
2383                          * earlier session -- the current code won't be doing
2384                          * anything like that, but this might change).
2385
2386                          * A valid sign that there's been a previous handshake
2387                          * in this connection is if s->s3->tmp.finish_md_len >
2388                          * 0.  (We are talking about a check that will happen
2389                          * in the Hello protocol round, well before a new
2390                          * Finished message could have been computed.) */
2391                         s->s3->next_proto_neg_seen = 1;
2392                         }
2393 #endif
2394
2395                 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2396                          s->ctx->alpn_select_cb &&
2397                          s->s3->tmp.finish_md_len == 0)
2398                         {
2399                         if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2400                                 return 0;
2401 #ifndef OPENSSL_NO_NEXTPROTONEG
2402                         /* ALPN takes precedence over NPN. */
2403                         s->s3->next_proto_neg_seen = 0;
2404 #endif
2405                         }
2406
2407                 /* session ticket processed earlier */
2408                 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2409                                 && type == TLSEXT_TYPE_use_srtp)
2410                         {
2411                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2412                                                               al))
2413                                 return 0;
2414                         }
2415 #ifdef TLSEXT_TYPE_encrypt_then_mac
2416                 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2417                         {
2418                         if (s->version != SSL3_VERSION)
2419                                 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2420                         }
2421 #endif
2422                 /* If this ClientHello extension was unhandled and this is 
2423                  * a nonresumed connection, check whether the extension is a 
2424                  * custom TLS Extension (has a custom_srv_ext_record), and if
2425                  * so call the callback and record the extension number so that
2426                  * an appropriate ServerHello may be later returned.
2427                  */
2428                 else if (!s->hit)
2429                         {
2430                         if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
2431                                 return 0;
2432                         }
2433
2434                 data+=size;
2435                 }
2436
2437         *p = data;
2438
2439         ri_check:
2440
2441         /* Need RI if renegotiating */
2442
2443         if (!renegotiate_seen && s->renegotiate &&
2444                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2445                 {
2446                 *al = SSL_AD_HANDSHAKE_FAILURE;
2447                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2448                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2449                 return 0;
2450                 }
2451
2452         return 1;
2453         }
2454
2455 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2456         {
2457         int al = -1;
2458         custom_ext_init(&s->cert->srv_ext);
2459         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
2460                 {
2461                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2462                 return 0;
2463                 }
2464
2465         if (ssl_check_clienthello_tlsext_early(s) <= 0) 
2466                 {
2467                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
2468                 return 0;
2469                 }
2470         return 1;
2471 }
2472
2473 #ifndef OPENSSL_NO_NEXTPROTONEG
2474 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2475  * elements of zero length are allowed and the set of elements must exactly fill
2476  * the length of the block. */
2477 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2478         {
2479         unsigned int off = 0;
2480
2481         while (off < len)
2482                 {
2483                 if (d[off] == 0)
2484                         return 0;
2485                 off += d[off];
2486                 off++;
2487                 }
2488
2489         return off == len;
2490         }
2491 #endif
2492
2493 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2494         {
2495         unsigned short length;
2496         unsigned short type;
2497         unsigned short size;
2498         unsigned char *data = *p;
2499         int tlsext_servername = 0;
2500         int renegotiate_seen = 0;
2501
2502 #ifndef OPENSSL_NO_NEXTPROTONEG
2503         s->s3->next_proto_neg_seen = 0;
2504 #endif
2505
2506         if (s->s3->alpn_selected)
2507                 {
2508                 OPENSSL_free(s->s3->alpn_selected);
2509                 s->s3->alpn_selected = NULL;
2510                 }
2511
2512 #ifndef OPENSSL_NO_HEARTBEATS
2513         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2514                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2515 #endif
2516
2517 #ifdef TLSEXT_TYPE_encrypt_then_mac
2518         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2519 #endif
2520
2521         if (data >= (d+n-2))
2522                 goto ri_check;
2523
2524         n2s(data,length);
2525         if (data+length != d+n)
2526                 {
2527                 *al = SSL_AD_DECODE_ERROR;
2528                 return 0;
2529                 }
2530
2531         while(data <= (d+n-4))
2532                 {
2533                 n2s(data,type);
2534                 n2s(data,size);
2535
2536                 if (data+size > (d+n))
2537                         goto ri_check;
2538
2539                 if (s->tlsext_debug_cb)
2540                         s->tlsext_debug_cb(s, 1, type, data, size,
2541                                                 s->tlsext_debug_arg);
2542
2543                 if (type == TLSEXT_TYPE_server_name)
2544                         {
2545                         if (s->tlsext_hostname == NULL || size > 0)
2546                                 {
2547                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2548                                 return 0;
2549                                 }
2550                         tlsext_servername = 1;   
2551                         }
2552
2553 #ifndef OPENSSL_NO_EC
2554                 else if (type == TLSEXT_TYPE_ec_point_formats)
2555                         {
2556                         unsigned char *sdata = data;
2557                         int ecpointformatlist_length = *(sdata++);
2558
2559                         if (ecpointformatlist_length != size - 1)
2560                                 {
2561                                 *al = TLS1_AD_DECODE_ERROR;
2562                                 return 0;
2563                                 }
2564                         if (!s->hit)
2565                                 {
2566                                 s->session->tlsext_ecpointformatlist_length = 0;
2567                                 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2568                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2569                                         {
2570                                         *al = TLS1_AD_INTERNAL_ERROR;
2571                                         return 0;
2572                                         }
2573                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2574                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2575                                 }
2576 #if 0
2577                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2578                         sdata = s->session->tlsext_ecpointformatlist;
2579                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2580                                 fprintf(stderr,"%i ",*(sdata++));
2581                         fprintf(stderr,"\n");
2582 #endif
2583                         }
2584 #endif /* OPENSSL_NO_EC */
2585
2586                 else if (type == TLSEXT_TYPE_session_ticket)
2587                         {
2588                         if (s->tls_session_ticket_ext_cb &&
2589                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2590                                 {
2591                                 *al = TLS1_AD_INTERNAL_ERROR;
2592                                 return 0;
2593                                 }
2594                         if (!tls_use_ticket(s) || (size > 0))
2595                                 {
2596                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2597                                 return 0;
2598                                 }
2599                         s->tlsext_ticket_expected = 1;
2600                         }
2601 #ifdef TLSEXT_TYPE_opaque_prf_input
2602                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2603                         {
2604                         unsigned char *sdata = data;
2605
2606                         if (size < 2)
2607                                 {
2608                                 *al = SSL_AD_DECODE_ERROR;
2609                                 return 0;
2610                                 }
2611                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2612                         if (s->s3->server_opaque_prf_input_len != size - 2)
2613                                 {
2614                                 *al = SSL_AD_DECODE_ERROR;
2615                                 return 0;
2616                                 }
2617                         
2618                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2619                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2620                         if (s->s3->server_opaque_prf_input_len == 0)
2621                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2622                         else
2623                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2624
2625                         if (s->s3->server_opaque_prf_input == NULL)
2626                                 {
2627                                 *al = TLS1_AD_INTERNAL_ERROR;
2628                                 return 0;
2629                                 }
2630                         }
2631 #endif
2632                 else if (type == TLSEXT_TYPE_status_request)
2633                         {
2634                         /* MUST be empty and only sent if we've requested
2635                          * a status request message.
2636                          */ 
2637                         if ((s->tlsext_status_type == -1) || (size > 0))
2638                                 {
2639                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2640                                 return 0;
2641                                 }
2642                         /* Set flag to expect CertificateStatus message */
2643                         s->tlsext_status_expected = 1;
2644                         }
2645 #ifndef OPENSSL_NO_NEXTPROTONEG
2646                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2647                          s->s3->tmp.finish_md_len == 0)
2648                         {
2649                         unsigned char *selected;
2650                         unsigned char selected_len;
2651
2652                         /* We must have requested it. */
2653                         if (s->ctx->next_proto_select_cb == NULL)
2654                                 {
2655                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2656                                 return 0;
2657                                 }
2658                         /* The data must be valid */
2659                         if (!ssl_next_proto_validate(data, size))
2660                                 {
2661                                 *al = TLS1_AD_DECODE_ERROR;
2662                                 return 0;
2663                                 }
2664                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2665                                 {
2666                                 *al = TLS1_AD_INTERNAL_ERROR;
2667                                 return 0;
2668                                 }
2669                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2670                         if (!s->next_proto_negotiated)
2671                                 {
2672                                 *al = TLS1_AD_INTERNAL_ERROR;
2673                                 return 0;
2674                                 }
2675                         memcpy(s->next_proto_negotiated, selected, selected_len);
2676                         s->next_proto_negotiated_len = selected_len;
2677                         s->s3->next_proto_neg_seen = 1;
2678                         }
2679 #endif
2680
2681                 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
2682                         {
2683                         unsigned len;
2684
2685                         /* We must have requested it. */
2686                         if (s->alpn_client_proto_list == NULL)
2687                                 {
2688                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2689                                 return 0;
2690                                 }
2691                         if (size < 4)
2692                                 {
2693                                 *al = TLS1_AD_DECODE_ERROR;
2694                                 return 0;
2695                                 }
2696                         /* The extension data consists of:
2697                          *   uint16 list_length
2698                          *   uint8 proto_length;
2699                          *   uint8 proto[proto_length]; */
2700                         len = data[0];
2701                         len <<= 8;
2702                         len |= data[1];
2703                         if (len != (unsigned) size - 2)
2704                                 {
2705                                 *al = TLS1_AD_DECODE_ERROR;
2706                                 return 0;
2707                                 }
2708                         len = data[2];
2709                         if (len != (unsigned) size - 3)
2710                                 {
2711                                 *al = TLS1_AD_DECODE_ERROR;
2712                                 return 0;
2713                                 }
2714                         if (s->s3->alpn_selected)
2715                                 OPENSSL_free(s->s3->alpn_selected);
2716                         s->s3->alpn_selected = OPENSSL_malloc(len);
2717                         if (!s->s3->alpn_selected)
2718                                 {
2719                                 *al = TLS1_AD_INTERNAL_ERROR;
2720                                 return 0;
2721                                 }
2722                         memcpy(s->s3->alpn_selected, data + 3, len);
2723                         s->s3->alpn_selected_len = len;
2724                         }
2725
2726                 else if (type == TLSEXT_TYPE_renegotiate)
2727                         {
2728                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2729                                 return 0;
2730                         renegotiate_seen = 1;
2731                         }
2732 #ifndef OPENSSL_NO_HEARTBEATS
2733                 else if (type == TLSEXT_TYPE_heartbeat)
2734                         {
2735                         switch(data[0])
2736                                 {
2737                                 case 0x01:      /* Server allows us to send HB requests */
2738                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2739                                                         break;
2740                                 case 0x02:      /* Server doesn't accept HB requests */
2741                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2742                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2743                                                         break;
2744                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2745                                                         return 0;
2746                                 }
2747                         }
2748 #endif
2749                 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
2750                         {
2751                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2752                                                               al))
2753                                 return 0;
2754                         }
2755 #ifdef TLSEXT_TYPE_encrypt_then_mac
2756                 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2757                         {
2758                         /* Ignore if inappropriate ciphersuite or SSL 3.0 */
2759                         if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
2760                             && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4
2761                             && s->version != SSL3_VERSION)
2762                                 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2763                         }
2764 #endif
2765                 /* If this extension type was not otherwise handled, but 
2766                  * matches a custom_cli_ext_record, then send it to the c
2767                  * callback */
2768                 else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2769                                 return 0;
2770  
2771                 data += size;
2772                 }
2773
2774         if (data != d+n)
2775                 {
2776                 *al = SSL_AD_DECODE_ERROR;
2777                 return 0;
2778                 }
2779
2780         if (!s->hit && tlsext_servername == 1)
2781                 {
2782                 if (s->tlsext_hostname)
2783                         {
2784                         if (s->session->tlsext_hostname == NULL)
2785                                 {
2786                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2787                                 if (!s->session->tlsext_hostname)
2788                                         {
2789                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2790                                         return 0;
2791                                         }
2792                                 }
2793                         else 
2794                                 {
2795                                 *al = SSL_AD_DECODE_ERROR;
2796                                 return 0;
2797                                 }
2798                         }
2799                 }
2800
2801         *p = data;
2802
2803         ri_check:
2804
2805         /* Determine if we need to see RI. Strictly speaking if we want to
2806          * avoid an attack we should *always* see RI even on initial server
2807          * hello because the client doesn't see any renegotiation during an
2808          * attack. However this would mean we could not connect to any server
2809          * which doesn't support RI so for the immediate future tolerate RI
2810          * absence on initial connect only.
2811          */
2812         if (!renegotiate_seen
2813                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2814                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2815                 {
2816                 *al = SSL_AD_HANDSHAKE_FAILURE;
2817                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2818                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2819                 return 0;
2820                 }
2821
2822         return 1;
2823         }
2824
2825
2826 int ssl_prepare_clienthello_tlsext(SSL *s)
2827         {
2828
2829 #ifdef TLSEXT_TYPE_opaque_prf_input
2830         {
2831                 int r = 1;
2832         
2833                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2834                         {
2835                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2836                         if (!r)
2837                                 return -1;
2838                         }
2839
2840                 if (s->tlsext_opaque_prf_input != NULL)
2841                         {
2842                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2843                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2844
2845                         if (s->tlsext_opaque_prf_input_len == 0)
2846                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2847                         else
2848                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2849                         if (s->s3->client_opaque_prf_input == NULL)
2850                                 {
2851                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2852                                 return -1;
2853                                 }
2854                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2855                         }
2856
2857                 if (r == 2)
2858                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2859                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2860         }
2861 #endif
2862
2863         return 1;
2864         }
2865
2866 int ssl_prepare_serverhello_tlsext(SSL *s)
2867         {
2868         return 1;
2869         }
2870
2871 static int ssl_check_clienthello_tlsext_early(SSL *s)
2872         {
2873         int ret=SSL_TLSEXT_ERR_NOACK;
2874         int al = SSL_AD_UNRECOGNIZED_NAME;
2875
2876 #ifndef OPENSSL_NO_EC
2877         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2878          * ssl3_choose_cipher in s3_lib.c.
2879          */
2880         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2881          * ssl3_choose_cipher in s3_lib.c.
2882          */
2883 #endif
2884
2885         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2886                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2887         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2888                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2889
2890 #ifdef TLSEXT_TYPE_opaque_prf_input
2891         {
2892                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2893                  * but we might be sending an alert in response to the client hello,
2894                  * so this has to happen here in
2895                  * ssl_check_clienthello_tlsext_early(). */
2896
2897                 int r = 1;
2898         
2899                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2900                         {
2901                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2902                         if (!r)
2903                                 {
2904                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2905                                 al = SSL_AD_INTERNAL_ERROR;
2906                                 goto err;
2907                                 }
2908                         }
2909
2910                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2911                         OPENSSL_free(s->s3->server_opaque_prf_input);
2912                 s->s3->server_opaque_prf_input = NULL;
2913
2914                 if (s->tlsext_opaque_prf_input != NULL)
2915                         {
2916                         if (s->s3->client_opaque_prf_input != NULL &&
2917                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2918                                 {
2919                                 /* can only use this extension if we have a server opaque PRF input
2920                                  * of the same length as the client opaque PRF input! */
2921
2922                                 if (s->tlsext_opaque_prf_input_len == 0)
2923                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2924                                 else
2925                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2926                                 if (s->s3->server_opaque_prf_input == NULL)
2927                                         {
2928                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2929                                         al = SSL_AD_INTERNAL_ERROR;
2930                                         goto err;
2931                                         }
2932                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2933                                 }
2934                         }
2935
2936                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2937                         {
2938                         /* The callback wants to enforce use of the extension,
2939                          * but we can't do that with the client opaque PRF input;
2940                          * abort the handshake.
2941                          */
2942                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2943                         al = SSL_AD_HANDSHAKE_FAILURE;
2944                         }
2945         }
2946
2947  err:
2948 #endif
2949         switch (ret)
2950                 {
2951                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2952                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2953                         return -1;
2954
2955                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2956                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2957                         return 1; 
2958                                         
2959                 case SSL_TLSEXT_ERR_NOACK:
2960                         s->servername_done=0;
2961                         default:
2962                 return 1;
2963                 }
2964         }
2965
2966 int ssl_check_clienthello_tlsext_late(SSL *s)
2967         {
2968         int ret = SSL_TLSEXT_ERR_OK;
2969         int al;
2970         size_t i;
2971
2972         /* If status request then ask callback what to do.
2973          * Note: this must be called after servername callbacks in case
2974          * the certificate has changed, and must be called after the cipher
2975          * has been chosen because this may influence which certificate is sent
2976          */
2977         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2978                 {
2979                 int r;
2980                 CERT_PKEY *certpkey;
2981                 certpkey = ssl_get_server_send_pkey(s);
2982                 /* If no certificate can't return certificate status */
2983                 if (certpkey == NULL)
2984                         {
2985                         s->tlsext_status_expected = 0;
2986                         return 1;
2987                         }
2988                 /* Set current certificate to one we will use so
2989                  * SSL_get_certificate et al can pick it up.
2990                  */
2991                 s->cert->key = certpkey;
2992                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2993                 switch (r)
2994                         {
2995                         /* We don't want to send a status request response */
2996                         case SSL_TLSEXT_ERR_NOACK:
2997                                 s->tlsext_status_expected = 0;
2998                                 break;
2999                         /* status request response should be sent */
3000                         case SSL_TLSEXT_ERR_OK:
3001                                 if (s->tlsext_ocsp_resp)
3002                                         s->tlsext_status_expected = 1;
3003                                 else
3004                                         s->tlsext_status_expected = 0;
3005                                 break;
3006                         /* something bad happened */
3007                         case SSL_TLSEXT_ERR_ALERT_FATAL:
3008                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3009                                 al = SSL_AD_INTERNAL_ERROR;
3010                                 goto err;
3011                         }
3012                 }
3013         else
3014                 s->tlsext_status_expected = 0;
3015
3016         /* Clear any shared sigtnature algorithms */
3017         if (s->cert->shared_sigalgs)
3018                 {
3019                 OPENSSL_free(s->cert->shared_sigalgs);
3020                 s->cert->shared_sigalgs = NULL;
3021                 }
3022         /* Clear certificate digests and validity flags */
3023         for (i = 0; i < SSL_PKEY_NUM; i++)
3024                 {
3025                 s->cert->pkeys[i].digest = NULL;
3026                 s->cert->pkeys[i].valid_flags = 0;
3027                 }
3028
3029         /* If sigalgs received process it. */
3030         if (s->cert->peer_sigalgs)
3031                 {
3032                 if (!tls1_process_sigalgs(s))
3033                         {
3034                         SSLerr(SSL_F_SSL_CHECK_CLIENTHELLO_TLSEXT_LATE,
3035                                         ERR_R_MALLOC_FAILURE);
3036                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3037                         al = SSL_AD_INTERNAL_ERROR;
3038                         goto err;
3039                         }
3040                 /* Fatal error is no shared signature algorithms */
3041                 if (!s->cert->shared_sigalgs)
3042                         {
3043                         SSLerr(SSL_F_SSL_CHECK_CLIENTHELLO_TLSEXT_LATE,
3044                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
3045                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3046                         al = SSL_AD_ILLEGAL_PARAMETER;
3047                         goto err;
3048                         }
3049                 }
3050         else
3051                 ssl_cert_set_default_md(s->cert);
3052
3053  err:
3054         switch (ret)
3055                 {
3056                 case SSL_TLSEXT_ERR_ALERT_FATAL:
3057                         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3058                         return -1;
3059
3060                 case SSL_TLSEXT_ERR_ALERT_WARNING:
3061                         ssl3_send_alert(s, SSL3_AL_WARNING, al);
3062                         return 1; 
3063
3064                 default:
3065                         return 1;
3066                 }
3067         }
3068
3069 int ssl_check_serverhello_tlsext(SSL *s)
3070         {
3071         int ret=SSL_TLSEXT_ERR_NOACK;
3072         int al = SSL_AD_UNRECOGNIZED_NAME;
3073
3074 #ifndef OPENSSL_NO_EC
3075         /* If we are client and using an elliptic curve cryptography cipher
3076          * suite, then if server returns an EC point formats lists extension
3077          * it must contain uncompressed.
3078          */
3079         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3080         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3081         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
3082             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
3083             ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
3084       &n