170b45d3366884e4b90398407f1bf00581d5a023
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123                                 const unsigned char *sess_id, int sesslen,
124                                 SSL_SESSION **psess);
125 #endif
126
127 SSL3_ENC_METHOD TLSv1_enc_data={
128         tls1_enc,
129         tls1_mac,
130         tls1_setup_key_block,
131         tls1_generate_master_secret,
132         tls1_change_cipher_state,
133         tls1_final_finish_mac,
134         TLS1_FINISH_MAC_LENGTH,
135         tls1_cert_verify_mac,
136         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138         tls1_alert_code,
139         };
140
141 long tls1_default_timeout(void)
142         {
143         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144          * is way too long for http, the cache would over fill */
145         return(60*60*2);
146         }
147
148 int tls1_new(SSL *s)
149         {
150         if (!ssl3_new(s)) return(0);
151         s->method->ssl_clear(s);
152         return(1);
153         }
154
155 void tls1_free(SSL *s)
156         {
157         ssl3_free(s);
158         }
159
160 void tls1_clear(SSL *s)
161         {
162         ssl3_clear(s);
163         s->version=TLS1_VERSION;
164         }
165
166 #ifndef OPENSSL_NO_EC
167 static int nid_list[] =
168         {
169                 NID_sect163k1, /* sect163k1 (1) */
170                 NID_sect163r1, /* sect163r1 (2) */
171                 NID_sect163r2, /* sect163r2 (3) */
172                 NID_sect193r1, /* sect193r1 (4) */ 
173                 NID_sect193r2, /* sect193r2 (5) */ 
174                 NID_sect233k1, /* sect233k1 (6) */
175                 NID_sect233r1, /* sect233r1 (7) */ 
176                 NID_sect239k1, /* sect239k1 (8) */ 
177                 NID_sect283k1, /* sect283k1 (9) */
178                 NID_sect283r1, /* sect283r1 (10) */ 
179                 NID_sect409k1, /* sect409k1 (11) */ 
180                 NID_sect409r1, /* sect409r1 (12) */
181                 NID_sect571k1, /* sect571k1 (13) */ 
182                 NID_sect571r1, /* sect571r1 (14) */ 
183                 NID_secp160k1, /* secp160k1 (15) */
184                 NID_secp160r1, /* secp160r1 (16) */ 
185                 NID_secp160r2, /* secp160r2 (17) */ 
186                 NID_secp192k1, /* secp192k1 (18) */
187                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
188                 NID_secp224k1, /* secp224k1 (20) */ 
189                 NID_secp224r1, /* secp224r1 (21) */
190                 NID_secp256k1, /* secp256k1 (22) */ 
191                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
192                 NID_secp384r1, /* secp384r1 (24) */
193                 NID_secp521r1  /* secp521r1 (25) */     
194         };
195         
196 int tls1_ec_curve_id2nid(int curve_id)
197         {
198         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
199         if ((curve_id < 1) || ((unsigned int)curve_id >
200                                 sizeof(nid_list)/sizeof(nid_list[0])))
201                 return 0;
202         return nid_list[curve_id-1];
203         }
204
205 int tls1_ec_nid2curve_id(int nid)
206         {
207         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
208         switch (nid)
209                 {
210         case NID_sect163k1: /* sect163k1 (1) */
211                 return 1;
212         case NID_sect163r1: /* sect163r1 (2) */
213                 return 2;
214         case NID_sect163r2: /* sect163r2 (3) */
215                 return 3;
216         case NID_sect193r1: /* sect193r1 (4) */ 
217                 return 4;
218         case NID_sect193r2: /* sect193r2 (5) */ 
219                 return 5;
220         case NID_sect233k1: /* sect233k1 (6) */
221                 return 6;
222         case NID_sect233r1: /* sect233r1 (7) */ 
223                 return 7;
224         case NID_sect239k1: /* sect239k1 (8) */ 
225                 return 8;
226         case NID_sect283k1: /* sect283k1 (9) */
227                 return 9;
228         case NID_sect283r1: /* sect283r1 (10) */ 
229                 return 10;
230         case NID_sect409k1: /* sect409k1 (11) */ 
231                 return 11;
232         case NID_sect409r1: /* sect409r1 (12) */
233                 return 12;
234         case NID_sect571k1: /* sect571k1 (13) */ 
235                 return 13;
236         case NID_sect571r1: /* sect571r1 (14) */ 
237                 return 14;
238         case NID_secp160k1: /* secp160k1 (15) */
239                 return 15;
240         case NID_secp160r1: /* secp160r1 (16) */ 
241                 return 16;
242         case NID_secp160r2: /* secp160r2 (17) */ 
243                 return 17;
244         case NID_secp192k1: /* secp192k1 (18) */
245                 return 18;
246         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
247                 return 19;
248         case NID_secp224k1: /* secp224k1 (20) */ 
249                 return 20;
250         case NID_secp224r1: /* secp224r1 (21) */
251                 return 21;
252         case NID_secp256k1: /* secp256k1 (22) */ 
253                 return 22;
254         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
255                 return 23;
256         case NID_secp384r1: /* secp384r1 (24) */
257                 return 24;
258         case NID_secp521r1:  /* secp521r1 (25) */       
259                 return 25;
260         default:
261                 return 0;
262                 }
263         }
264 #endif /* OPENSSL_NO_EC */
265
266 #ifndef OPENSSL_NO_TLSEXT
267 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
268         {
269         int extdatalen=0;
270         unsigned char *ret = p;
271
272         ret+=2;
273
274         if (ret>=limit) return NULL; /* this really never occurs, but ... */
275
276         if (s->tlsext_hostname != NULL)
277                 { 
278                 /* Add TLS extension servername to the Client Hello message */
279                 unsigned long size_str;
280                 long lenmax; 
281
282                 /* check for enough space.
283                    4 for the servername type and entension length
284                    2 for servernamelist length
285                    1 for the hostname type
286                    2 for hostname length
287                    + hostname length 
288                 */
289                    
290                 if ((lenmax = limit - ret - 9) < 0 
291                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
292                         return NULL;
293                         
294                 /* extension type and length */
295                 s2n(TLSEXT_TYPE_server_name,ret); 
296                 s2n(size_str+5,ret);
297                 
298                 /* length of servername list */
299                 s2n(size_str+3,ret);
300         
301                 /* hostname type, length and hostname */
302                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
303                 s2n(size_str,ret);
304                 memcpy(ret, s->tlsext_hostname, size_str);
305                 ret+=size_str;
306                 }
307
308 #ifndef OPENSSL_NO_EC
309         if (s->tlsext_ecpointformatlist != NULL)
310                 {
311                 /* Add TLS extension ECPointFormats to the ClientHello message */
312                 long lenmax; 
313
314                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
315                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
316                 if (s->tlsext_ecpointformatlist_length > 255)
317                         {
318                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
319                         return NULL;
320                         }
321                 
322                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
323                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
324                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
325                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
326                 ret+=s->tlsext_ecpointformatlist_length;
327                 }
328         if (s->tlsext_ellipticcurvelist != NULL)
329                 {
330                 /* Add TLS extension EllipticCurves to the ClientHello message */
331                 long lenmax; 
332
333                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
334                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
335                 if (s->tlsext_ellipticcurvelist_length > 65532)
336                         {
337                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
338                         return NULL;
339                         }
340                 
341                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
342                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
343
344                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
345                  * elliptic_curve_list, but the examples use two bytes.
346                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
347                  * resolves this to two bytes.
348                  */
349                 s2n(s->tlsext_ellipticcurvelist_length, ret);
350                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
351                 ret+=s->tlsext_ellipticcurvelist_length;
352                 }
353 #endif /* OPENSSL_NO_EC */
354
355         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
356                 {
357                 int ticklen;
358                 if (s->session && s->session->tlsext_tick)
359                         ticklen = s->session->tlsext_ticklen;
360                 else
361                         ticklen = 0;
362                 /* Check for enough room 2 for extension type, 2 for len
363                  * rest for ticket
364                  */
365                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
366                 s2n(TLSEXT_TYPE_session_ticket,ret); 
367                 s2n(ticklen,ret);
368                 if (ticklen)
369                         {
370                         memcpy(ret, s->session->tlsext_tick, ticklen);
371                         ret += ticklen;
372                         }
373                 }
374
375 #ifdef TLSEXT_TYPE_opaque_prf_input
376         if (s->s3->client_opaque_prf_input != NULL)
377                 {
378                 size_t col = s->s3->client_opaque_prf_input_len;
379                 
380                 if ((long)(limit - ret - 6 - col < 0))
381                         return NULL;
382                 if (col > 0xFFFD) /* can't happen */
383                         return NULL;
384
385                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
386                 s2n(col + 2, ret);
387                 s2n(col, ret);
388                 memcpy(ret, s->s3->client_opaque_prf_input, col);
389                 ret += col;
390                 }
391 #endif
392
393         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
394                 {
395                 int i;
396                 long extlen, idlen, itmp;
397                 OCSP_RESPID *id;
398
399                 idlen = 0;
400                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
401                         {
402                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
403                         itmp = i2d_OCSP_RESPID(id, NULL);
404                         if (itmp <= 0)
405                                 return NULL;
406                         idlen += itmp + 2;
407                         }
408
409                 if (s->tlsext_ocsp_exts)
410                         {
411                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
412                         if (extlen < 0)
413                                 return NULL;
414                         }
415                 else
416                         extlen = 0;
417                         
418                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
419                 s2n(TLSEXT_TYPE_status_request, ret);
420                 if (extlen + idlen > 0xFFF0)
421                         return NULL;
422                 s2n(extlen + idlen + 5, ret);
423                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
424                 s2n(idlen, ret);
425                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
426                         {
427                         /* save position of id len */
428                         unsigned char *q = ret;
429                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
430                         /* skip over id len */
431                         ret += 2;
432                         itmp = i2d_OCSP_RESPID(id, &ret);
433                         /* write id len */
434                         s2n(itmp, q);
435                         }
436                 s2n(extlen, ret);
437                 if (extlen > 0)
438                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
439                 }
440
441         if ((extdatalen = ret-p-2)== 0) 
442                 return p;
443
444         s2n(extdatalen,p);
445         return ret;
446         }
447
448 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
449         {
450         int extdatalen=0;
451         unsigned char *ret = p;
452
453         ret+=2;
454         if (ret>=limit) return NULL; /* this really never occurs, but ... */
455
456         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
457                 { 
458                 if ((long)(limit - ret - 4) < 0) return NULL; 
459
460                 s2n(TLSEXT_TYPE_server_name,ret);
461                 s2n(0,ret);
462                 }
463 #ifndef OPENSSL_NO_EC
464         if (s->tlsext_ecpointformatlist != NULL)
465                 {
466                 /* Add TLS extension ECPointFormats to the ServerHello message */
467                 long lenmax; 
468
469                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
470                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471                 if (s->tlsext_ecpointformatlist_length > 255)
472                         {
473                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
474                         return NULL;
475                         }
476                 
477                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
478                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481                 ret+=s->tlsext_ecpointformatlist_length;
482
483                 }
484         /* Currently the server should not respond with a SupportedCurves extension */
485 #endif /* OPENSSL_NO_EC */
486
487         if (s->tlsext_ticket_expected
488                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
489                 { 
490                 if ((long)(limit - ret - 4) < 0) return NULL; 
491                 s2n(TLSEXT_TYPE_session_ticket,ret);
492                 s2n(0,ret);
493                 }
494
495         if (s->tlsext_status_expected)
496                 { 
497                 if ((long)(limit - ret - 4) < 0) return NULL; 
498                 s2n(TLSEXT_TYPE_status_request,ret);
499                 s2n(0,ret);
500                 }
501
502 #ifdef TLSEXT_TYPE_opaque_prf_input
503         if (s->s3->server_opaque_prf_input != NULL)
504                 {
505                 size_t sol = s->s3->server_opaque_prf_input_len;
506                 
507                 if ((long)(limit - ret - 6 - sol) < 0)
508                         return NULL;
509                 if (sol > 0xFFFD) /* can't happen */
510                         return NULL;
511
512                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
513                 s2n(sol + 2, ret);
514                 s2n(sol, ret);
515                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
516                 ret += sol;
517                 }
518 #endif
519         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
520                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
521                 { const unsigned char cryptopro_ext[36] = {
522                         0xfd, 0xe8, /*65000*/
523                         0x00, 0x20, /*32 bytes length*/
524                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
525                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
526                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
527                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
528                         if (limit-ret<36) return NULL;
529                         memcpy(ret,cryptopro_ext,36);
530                         ret+=36;
531
532                 }
533
534         if ((extdatalen = ret-p-2)== 0) 
535                 return p;
536
537         s2n(extdatalen,p);
538         return ret;
539         }
540
541 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
542         {
543         unsigned short type;
544         unsigned short size;
545         unsigned short len;
546         unsigned char *data = *p;
547         s->servername_done = 0;
548         s->tlsext_status_type = -1;
549
550         if (data >= (d+n-2))
551                 return 1;
552         n2s(data,len);
553
554         if (data > (d+n-len)) 
555                 return 1;
556
557         while (data <= (d+n-4))
558                 {
559                 n2s(data,type);
560                 n2s(data,size);
561
562                 if (data+size > (d+n))
563                         return 1;
564                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
565                 if (s->tlsext_debug_cb)
566                         s->tlsext_debug_cb(s, 0, type, data, size,
567                                                 s->tlsext_debug_arg);
568 /* The servername extension is treated as follows:
569
570    - Only the hostname type is supported with a maximum length of 255.
571    - The servername is rejected if too long or if it contains zeros,
572      in which case an fatal alert is generated.
573    - The servername field is maintained together with the session cache.
574    - When a session is resumed, the servername call back invoked in order
575      to allow the application to position itself to the right context. 
576    - The servername is acknowledged if it is new for a session or when 
577      it is identical to a previously used for the same session. 
578      Applications can control the behaviour.  They can at any time
579      set a 'desirable' servername for a new SSL object. This can be the
580      case for example with HTTPS when a Host: header field is received and
581      a renegotiation is requested. In this case, a possible servername
582      presented in the new client hello is only acknowledged if it matches
583      the value of the Host: field. 
584    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
585      if they provide for changing an explicit servername context for the session,
586      i.e. when the session has been established with a servername extension. 
587    - On session reconnect, the servername extension may be absent. 
588
589 */      
590
591                 if (type == TLSEXT_TYPE_server_name)
592                         {
593                         unsigned char *sdata;
594                         int servname_type;
595                         int dsize; 
596                 
597                         if (size < 2) 
598                                 {
599                                 *al = SSL_AD_DECODE_ERROR;
600                                 return 0;
601                                 }
602                         n2s(data,dsize);  
603                         size -= 2;
604                         if (dsize > size  ) 
605                                 {
606                                 *al = SSL_AD_DECODE_ERROR;
607                                 return 0;
608                                 } 
609
610                         sdata = data;
611                         while (dsize > 3) 
612                                 {
613                                 servname_type = *(sdata++); 
614                                 n2s(sdata,len);
615                                 dsize -= 3;
616
617                                 if (len > dsize) 
618                                         {
619                                         *al = SSL_AD_DECODE_ERROR;
620                                         return 0;
621                                         }
622                                 if (s->servername_done == 0)
623                                 switch (servname_type)
624                                         {
625                                 case TLSEXT_NAMETYPE_host_name:
626                                         if (s->session->tlsext_hostname == NULL)
627                                                 {
628                                                 if (len > TLSEXT_MAXLEN_host_name || 
629                                                         ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
630                                                         {
631                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
632                                                         return 0;
633                                                         }
634                                                 memcpy(s->session->tlsext_hostname, sdata, len);
635                                                 s->session->tlsext_hostname[len]='\0';
636                                                 if (strlen(s->session->tlsext_hostname) != len) {
637                                                         OPENSSL_free(s->session->tlsext_hostname);
638                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
639                                                         return 0;
640                                                 }
641                                                 s->servername_done = 1; 
642
643                                                 }
644                                         else 
645                                                 s->servername_done = strlen(s->session->tlsext_hostname) == len 
646                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
647                                         
648                                         break;
649
650                                 default:
651                                         break;
652                                         }
653                                  
654                                 dsize -= len;
655                                 }
656                         if (dsize != 0) 
657                                 {
658                                 *al = SSL_AD_DECODE_ERROR;
659                                 return 0;
660                                 }
661
662                         }
663
664 #ifndef OPENSSL_NO_EC
665                 else if (type == TLSEXT_TYPE_ec_point_formats)
666                         {
667                         unsigned char *sdata = data;
668                         int ecpointformatlist_length = *(sdata++);
669
670                         if (ecpointformatlist_length != size - 1)
671                                 {
672                                 *al = TLS1_AD_DECODE_ERROR;
673                                 return 0;
674                                 }
675                         s->session->tlsext_ecpointformatlist_length = 0;
676                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
677                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
678                                 {
679                                 *al = TLS1_AD_INTERNAL_ERROR;
680                                 return 0;
681                                 }
682                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
683                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
684 #if 0
685                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
686                         sdata = s->session->tlsext_ecpointformatlist;
687                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
688                                 fprintf(stderr,"%i ",*(sdata++));
689                         fprintf(stderr,"\n");
690 #endif
691                         }
692                 else if (type == TLSEXT_TYPE_elliptic_curves)
693                         {
694                         unsigned char *sdata = data;
695                         int ellipticcurvelist_length = (*(sdata++) << 8);
696                         ellipticcurvelist_length += (*(sdata++));
697
698                         if (ellipticcurvelist_length != size - 2)
699                                 {
700                                 *al = TLS1_AD_DECODE_ERROR;
701                                 return 0;
702                                 }
703                         s->session->tlsext_ellipticcurvelist_length = 0;
704                         if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
705                         if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
706                                 {
707                                 *al = TLS1_AD_INTERNAL_ERROR;
708                                 return 0;
709                                 }
710                         s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
711                         memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
712 #if 0
713                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
714                         sdata = s->session->tlsext_ellipticcurvelist;
715                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
716                                 fprintf(stderr,"%i ",*(sdata++));
717                         fprintf(stderr,"\n");
718 #endif
719                         }
720 #endif /* OPENSSL_NO_EC */
721 #ifdef TLSEXT_TYPE_opaque_prf_input
722                 else if (type == TLSEXT_TYPE_opaque_prf_input)
723                         {
724                         unsigned char *sdata = data;
725
726                         if (size < 2)
727                                 {
728                                 *al = SSL_AD_DECODE_ERROR;
729                                 return 0;
730                                 }
731                         n2s(sdata, s->s3->client_opaque_prf_input_len);
732                         if (s->s3->client_opaque_prf_input_len != size - 2)
733                                 {
734                                 *al = SSL_AD_DECODE_ERROR;
735                                 return 0;
736                                 }
737
738                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
739                                 OPENSSL_free(s->s3->client_opaque_prf_input);
740                         if (s->s3->client_opaque_prf_input_len == 0)
741                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
742                         else
743                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
744                         if (s->s3->client_opaque_prf_input == NULL)
745                                 {
746                                 *al = TLS1_AD_INTERNAL_ERROR;
747                                 return 0;
748                                 }
749                         }
750 #endif
751                 else if (type == TLSEXT_TYPE_status_request
752                                                 && s->ctx->tlsext_status_cb)
753                         {
754                 
755                         if (size < 5) 
756                                 {
757                                 *al = SSL_AD_DECODE_ERROR;
758                                 return 0;
759                                 }
760
761                         s->tlsext_status_type = *data++;
762                         size--;
763                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
764                                 {
765                                 const unsigned char *sdata;
766                                 int dsize;
767                                 /* Read in responder_id_list */
768                                 n2s(data,dsize);
769                                 size -= 2;
770                                 if (dsize > size  ) 
771                                         {
772                                         *al = SSL_AD_DECODE_ERROR;
773                                         return 0;
774                                         }
775                                 while (dsize > 0)
776                                         {
777                                         OCSP_RESPID *id;
778                                         int idsize;
779                                         if (dsize < 4)
780                                                 {
781                                                 *al = SSL_AD_DECODE_ERROR;
782                                                 return 0;
783                                                 }
784                                         n2s(data, idsize);
785                                         dsize -= 2 + idsize;
786                                         if (dsize < 0)
787                                                 {
788                                                 *al = SSL_AD_DECODE_ERROR;
789                                                 return 0;
790                                                 }
791                                         sdata = data;
792                                         data += idsize;
793                                         id = d2i_OCSP_RESPID(NULL,
794                                                                 &sdata, idsize);
795                                         if (!id)
796                                                 {
797                                                 *al = SSL_AD_DECODE_ERROR;
798                                                 return 0;
799                                                 }
800                                         if (data != sdata)
801                                                 {
802                                                 OCSP_RESPID_free(id);
803                                                 *al = SSL_AD_DECODE_ERROR;
804                                                 return 0;
805                                                 }
806                                         if (!s->tlsext_ocsp_ids
807                                                 && !(s->tlsext_ocsp_ids =
808                                                 sk_OCSP_RESPID_new_null()))
809                                                 {
810                                                 OCSP_RESPID_free(id);
811                                                 *al = SSL_AD_INTERNAL_ERROR;
812                                                 return 0;
813                                                 }
814                                         if (!sk_OCSP_RESPID_push(
815                                                         s->tlsext_ocsp_ids, id))
816                                                 {
817                                                 OCSP_RESPID_free(id);
818                                                 *al = SSL_AD_INTERNAL_ERROR;
819                                                 return 0;
820                                                 }
821                                         }
822
823                                 /* Read in request_extensions */
824                                 n2s(data,dsize);
825                                 size -= 2;
826                                 if (dsize > size) 
827                                         {
828                                         *al = SSL_AD_DECODE_ERROR;
829                                         return 0;
830                                         }
831                                 sdata = data;
832                                 if (dsize > 0)
833                                         {
834                                         s->tlsext_ocsp_exts =
835                                                 d2i_X509_EXTENSIONS(NULL,
836                                                         &sdata, dsize);
837                                         if (!s->tlsext_ocsp_exts
838                                                 || (data + dsize != sdata))
839                                                 {
840                                                 *al = SSL_AD_DECODE_ERROR;
841                                                 return 0;
842                                                 }
843                                         }
844                                 }
845                                 /* We don't know what to do with any other type
846                                 * so ignore it.
847                                 */
848                                 else
849                                         s->tlsext_status_type = -1;
850                         }
851
852                 /* session ticket processed earlier */
853                 data+=size;
854                 }
855                                 
856         *p = data;
857         return 1;
858         }
859
860 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
861         {
862         unsigned short type;
863         unsigned short size;
864         unsigned short len;  
865         unsigned char *data = *p;
866
867         int tlsext_servername = 0;
868
869         if (data >= (d+n-2))
870                 return 1;
871
872         n2s(data,len);
873
874         while(data <= (d+n-4))
875                 {
876                 n2s(data,type);
877                 n2s(data,size);
878
879                 if (data+size > (d+n))
880                         return 1;
881
882                 if (s->tlsext_debug_cb)
883                         s->tlsext_debug_cb(s, 1, type, data, size,
884                                                 s->tlsext_debug_arg);
885
886                 if (type == TLSEXT_TYPE_server_name)
887                         {
888                         if (s->tlsext_hostname == NULL || size > 0)
889                                 {
890                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
891                                 return 0;
892                                 }
893                         tlsext_servername = 1;   
894                         }
895
896 #ifndef OPENSSL_NO_EC
897                 else if (type == TLSEXT_TYPE_ec_point_formats)
898                         {
899                         unsigned char *sdata = data;
900                         int ecpointformatlist_length = *(sdata++);
901
902                         if (ecpointformatlist_length != size - 1)
903                                 {
904                                 *al = TLS1_AD_DECODE_ERROR;
905                                 return 0;
906                                 }
907                         s->session->tlsext_ecpointformatlist_length = 0;
908                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
909                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
910                                 {
911                                 *al = TLS1_AD_INTERNAL_ERROR;
912                                 return 0;
913                                 }
914                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
915                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
916 #if 0
917                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
918                         sdata = s->session->tlsext_ecpointformatlist;
919                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
920                                 fprintf(stderr,"%i ",*(sdata++));
921                         fprintf(stderr,"\n");
922 #endif
923                         }
924 #endif /* OPENSSL_NO_EC */
925
926                 else if (type == TLSEXT_TYPE_session_ticket)
927                         {
928                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
929                                 || (size > 0))
930                                 {
931                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
932                                 return 0;
933                                 }
934                         s->tlsext_ticket_expected = 1;
935                         }
936 #ifdef TLSEXT_TYPE_opaque_prf_input
937                 else if (type == TLSEXT_TYPE_opaque_prf_input)
938                         {
939                         unsigned char *sdata = data;
940
941                         if (size < 2)
942                                 {
943                                 *al = SSL_AD_DECODE_ERROR;
944                                 return 0;
945                                 }
946                         n2s(sdata, s->s3->server_opaque_prf_input_len);
947                         if (s->s3->server_opaque_prf_input_len != size - 2)
948                                 {
949                                 *al = SSL_AD_DECODE_ERROR;
950                                 return 0;
951                                 }
952                         
953                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
954                                 OPENSSL_free(s->s3->server_opaque_prf_input);
955                         if (s->s3->server_opaque_prf_input_len == 0)
956                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
957                         else
958                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
959
960                         if (s->s3->server_opaque_prf_input == NULL)
961                                 {
962                                 *al = TLS1_AD_INTERNAL_ERROR;
963                                 return 0;
964                                 }
965                         }
966 #endif
967                 else if (type == TLSEXT_TYPE_status_request)
968                         {
969                         /* MUST be empty and only sent if we've requested
970                          * a status request message.
971                          */ 
972                         if ((s->tlsext_status_type == -1) || (size > 0))
973                                 {
974                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
975                                 return 0;
976                                 }
977                         /* Set flag to expect CertificateStatus message */
978                         s->tlsext_status_expected = 1;
979                         }
980
981                 data+=size;             
982                 }
983
984         if (data != d+n)
985                 {
986                 *al = SSL_AD_DECODE_ERROR;
987                 return 0;
988                 }
989
990         if (!s->hit && tlsext_servername == 1)
991                 {
992                 if (s->tlsext_hostname)
993                         {
994                         if (s->session->tlsext_hostname == NULL)
995                                 {
996                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
997                                 if (!s->session->tlsext_hostname)
998                                         {
999                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1000                                         return 0;
1001                                         }
1002                                 }
1003                         else 
1004                                 {
1005                                 *al = SSL_AD_DECODE_ERROR;
1006                                 return 0;
1007                                 }
1008                         }
1009                 }
1010
1011         *p = data;
1012         return 1;
1013         }
1014
1015
1016 int ssl_prepare_clienthello_tlsext(SSL *s)
1017         {
1018 #ifndef OPENSSL_NO_EC
1019         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1020          * and elliptic curves we support.
1021          */
1022         int using_ecc = 0;
1023         int i;
1024         unsigned char *j;
1025         unsigned long alg_k, alg_a;
1026         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1027
1028         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1029                 {
1030                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1031
1032                 alg_k = c->algorithm_mkey;
1033                 alg_a = c->algorithm_auth;
1034                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1035                         {
1036                         using_ecc = 1;
1037                         break;
1038                         }
1039                 }
1040         using_ecc = using_ecc && (s->version == TLS1_VERSION);
1041         if (using_ecc)
1042                 {
1043                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1044                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1045                         {
1046                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1047                         return -1;
1048                         }
1049                 s->tlsext_ecpointformatlist_length = 3;
1050                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1051                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1052                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1053
1054                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1055                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1056                 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1057                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1058                         {
1059                         s->tlsext_ellipticcurvelist_length = 0;
1060                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1061                         return -1;
1062                         }
1063                 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1064                                 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1065                         s2n(i,j);
1066                 }
1067 #endif /* OPENSSL_NO_EC */
1068
1069 #ifdef TLSEXT_TYPE_opaque_prf_input
1070         {
1071                 int r = 1;
1072         
1073                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1074                         {
1075                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1076                         if (!r)
1077                                 return -1;
1078                         }
1079
1080                 if (s->tlsext_opaque_prf_input != NULL)
1081                         {
1082                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1083                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1084
1085                         if (s->tlsext_opaque_prf_input_len == 0)
1086                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1087                         else
1088                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1089                         if (s->s3->client_opaque_prf_input == NULL)
1090                                 {
1091                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1092                                 return -1;
1093                                 }
1094                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1095                         }
1096
1097                 if (r == 2)
1098                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1099                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1100         }
1101 #endif
1102
1103         return 1;
1104         }
1105
1106 int ssl_prepare_serverhello_tlsext(SSL *s)
1107         {
1108 #ifndef OPENSSL_NO_EC
1109         /* If we are server and using an ECC cipher suite, send the point formats we support 
1110          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1111          * supposed to send an EllipticCurves extension.
1112          */
1113
1114         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1115         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1116         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1117         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1118         
1119         if (using_ecc)
1120                 {
1121                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1122                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1123                         {
1124                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1125                         return -1;
1126                         }
1127                 s->tlsext_ecpointformatlist_length = 3;
1128                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1129                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1130                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1131                 }
1132 #endif /* OPENSSL_NO_EC */
1133
1134         return 1;
1135         }
1136
1137 int ssl_check_clienthello_tlsext(SSL *s)
1138         {
1139         int ret=SSL_TLSEXT_ERR_NOACK;
1140         int al = SSL_AD_UNRECOGNIZED_NAME;
1141
1142 #ifndef OPENSSL_NO_EC
1143         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1144          * ssl3_choose_cipher in s3_lib.c.
1145          */
1146         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1147          * ssl3_choose_cipher in s3_lib.c.
1148          */
1149 #endif
1150
1151         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1152                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1153         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1154                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1155
1156         /* If status request then ask callback what to do.
1157          * Note: this must be called after servername callbacks in case 
1158          * the certificate has changed.
1159          */
1160         if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
1161                 {
1162                 int r;
1163                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1164                 switch (r)
1165                         {
1166                         /* We don't want to send a status request response */
1167                         case SSL_TLSEXT_ERR_NOACK:
1168                                 s->tlsext_status_expected = 0;
1169                                 break;
1170                         /* status request response should be sent */
1171                         case SSL_TLSEXT_ERR_OK:
1172                                 if (s->tlsext_ocsp_resp)
1173                                         s->tlsext_status_expected = 1;
1174                                 else
1175                                         s->tlsext_status_expected = 0;
1176                                 break;
1177                         /* something bad happened */
1178                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1179                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1180                                 al = SSL_AD_INTERNAL_ERROR;
1181                                 goto err;
1182                         }
1183                 }
1184         else
1185                 s->tlsext_status_expected = 0;
1186
1187 #ifdef TLSEXT_TYPE_opaque_prf_input
1188         {
1189                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1190                  * but we might be sending an alert in response to the client hello,
1191                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1192
1193                 int r = 1;
1194         
1195                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1196                         {
1197                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1198                         if (!r)
1199                                 {
1200                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1201                                 al = SSL_AD_INTERNAL_ERROR;
1202                                 goto err;
1203                                 }
1204                         }
1205
1206                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1207                         OPENSSL_free(s->s3->server_opaque_prf_input);
1208                 s->s3->server_opaque_prf_input = NULL;
1209
1210                 if (s->tlsext_opaque_prf_input != NULL)
1211                         {
1212                         if (s->s3->client_opaque_prf_input != NULL &&
1213                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1214                                 {
1215                                 /* can only use this extension if we have a server opaque PRF input
1216                                  * of the same length as the client opaque PRF input! */
1217
1218                                 if (s->tlsext_opaque_prf_input_len == 0)
1219                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1220                                 else
1221                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1222                                 if (s->s3->server_opaque_prf_input == NULL)
1223                                         {
1224                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1225                                         al = SSL_AD_INTERNAL_ERROR;
1226                                         goto err;
1227                                         }
1228                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1229                                 }
1230                         }
1231
1232                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1233                         {
1234                         /* The callback wants to enforce use of the extension,
1235                          * but we can't do that with the client opaque PRF input;
1236                          * abort the handshake.
1237                          */
1238                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1239                         al = SSL_AD_HANDSHAKE_FAILURE;
1240                         }
1241         }
1242
1243 #endif
1244  err:
1245         switch (ret)
1246                 {
1247                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1248                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1249                         return -1;
1250
1251                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1252                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1253                         return 1; 
1254                                         
1255                 case SSL_TLSEXT_ERR_NOACK:
1256                         s->servername_done=0;
1257                         default:
1258                 return 1;
1259                 }
1260         }
1261
1262 int ssl_check_serverhello_tlsext(SSL *s)
1263         {
1264         int ret=SSL_TLSEXT_ERR_NOACK;
1265         int al = SSL_AD_UNRECOGNIZED_NAME;
1266
1267 #ifndef OPENSSL_NO_EC
1268         /* If we are client and using an elliptic curve cryptography cipher suite, then server
1269          * must return a an EC point formats lists containing uncompressed.
1270          */
1271         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1272         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1273         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1274             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1275                 {
1276                 /* we are using an ECC cipher */
1277                 size_t i;
1278                 unsigned char *list;
1279                 int found_uncompressed = 0;
1280                 if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
1281                         {
1282                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1283                         return -1;
1284                         }
1285                 list = s->session->tlsext_ecpointformatlist;
1286                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1287                         {
1288                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1289                                 {
1290                                 found_uncompressed = 1;
1291                                 break;
1292                                 }
1293                         }
1294                 if (!found_uncompressed)
1295                         {
1296                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1297                         return -1;
1298                         }
1299                 }
1300         ret = SSL_TLSEXT_ERR_OK;
1301 #endif /* OPENSSL_NO_EC */
1302
1303         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1304                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1305         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1306                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1307
1308 #ifdef TLSEXT_TYPE_opaque_prf_input
1309         if (s->s3->server_opaque_prf_input_len > 0)
1310                 {
1311                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1312                  * So first verify that we really have a value from the server too. */
1313
1314                 if (s->s3->server_opaque_prf_input == NULL)
1315                         {
1316                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1317                         al = SSL_AD_HANDSHAKE_FAILURE;
1318                         }
1319                 
1320                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1321                  * that we have a client opaque PRF input of the same size. */
1322                 if (s->s3->client_opaque_prf_input == NULL ||
1323                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1324                         {
1325                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1326                         al = SSL_AD_ILLEGAL_PARAMETER;
1327                         }
1328                 }
1329 #endif
1330
1331         /* If we've requested certificate status and we wont get one
1332          * tell the callback
1333          */
1334         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1335                         && s->ctx->tlsext_status_cb)
1336                 {
1337                 int r;
1338                 /* Set resp to NULL, resplen to -1 so callback knows
1339                  * there is no response.
1340                  */
1341                 if (s->tlsext_ocsp_resp)
1342                         {
1343                         OPENSSL_free(s->tlsext_ocsp_resp);
1344                         s->tlsext_ocsp_resp = NULL;
1345                         }
1346                 s->tlsext_ocsp_resplen = -1;
1347                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1348                 if (r == 0)
1349                         {
1350                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1351                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1352                         }
1353                 if (r < 0)
1354                         {
1355                         al = SSL_AD_INTERNAL_ERROR;
1356                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1357                         }
1358                 }
1359
1360         switch (ret)
1361                 {
1362                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1363                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1364                         return -1;
1365
1366                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1367                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1368                         return 1; 
1369                                         
1370                 case SSL_TLSEXT_ERR_NOACK:
1371                         s->servername_done=0;
1372                         default:
1373                 return 1;
1374                 }
1375         }
1376
1377 /* Since the server cache lookup is done early on in the processing of client
1378  * hello and other operations depend on the result we need to handle any TLS
1379  * session ticket extension at the same time.
1380  */
1381
1382 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1383                                 const unsigned char *limit, SSL_SESSION **ret)
1384         {
1385         /* Point after session ID in client hello */
1386         const unsigned char *p = session_id + len;
1387         unsigned short i;
1388         if ((s->version <= SSL3_VERSION) || !limit)
1389                 return 1;
1390         if (p >= limit)
1391                 return -1;
1392         /* Skip past cipher list */
1393         n2s(p, i);
1394         p+= i;
1395         if (p >= limit)
1396                 return -1;
1397         /* Skip past compression algorithm list */
1398         i = *(p++);
1399         p += i;
1400         if (p > limit)
1401                 return -1;
1402         /* Now at start of extensions */
1403         if ((p + 2) >= limit)
1404                 return 1;
1405         n2s(p, i);
1406         while ((p + 4) <= limit)
1407                 {
1408                 unsigned short type, size;
1409                 n2s(p, type);
1410                 n2s(p, size);
1411                 if (p + size > limit)
1412                         return 1;
1413                 if (type == TLSEXT_TYPE_session_ticket)
1414                         {
1415                         /* If tickets disabled indicate cache miss which will
1416                          * trigger a full handshake
1417                          */
1418                         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1419                                 return 0;
1420                         /* If zero length not client will accept a ticket
1421                          * and indicate cache miss to trigger full handshake
1422                          */
1423                         if (size == 0)
1424                                 {
1425                                 s->tlsext_ticket_expected = 1;
1426                                 return 0;       /* Cache miss */
1427                                 }
1428                         return tls_decrypt_ticket(s, p, size, session_id, len,
1429                                                                         ret);
1430                         }
1431                 p += size;
1432                 }
1433         return 1;
1434         }
1435
1436 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1437                                 const unsigned char *sess_id, int sesslen,
1438                                 SSL_SESSION **psess)
1439         {
1440         SSL_SESSION *sess;
1441         unsigned char *sdec;
1442         const unsigned char *p;
1443         int slen, mlen;
1444         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1445         HMAC_CTX hctx;
1446         EVP_CIPHER_CTX ctx;
1447         /* Attempt to process session ticket, first conduct sanity and
1448          * integrity checks on ticket.
1449          */
1450         mlen = EVP_MD_size(tlsext_tick_md());
1451         eticklen -= mlen;
1452         /* Need at least keyname + iv + some encrypted data */
1453         if (eticklen < 48)
1454                 goto tickerr;
1455         /* Check key name matches */
1456         if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
1457                 goto tickerr;
1458         /* Check HMAC of encrypted ticket */
1459         HMAC_CTX_init(&hctx);
1460         HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
1461                                 tlsext_tick_md(), NULL);
1462         HMAC_Update(&hctx, etick, eticklen);
1463         HMAC_Final(&hctx, tick_hmac, NULL);
1464         HMAC_CTX_cleanup(&hctx);
1465         if (memcmp(tick_hmac, etick + eticklen, mlen))
1466                 goto tickerr;
1467         /* Set p to start of IV */
1468         p = etick + 16;
1469         EVP_CIPHER_CTX_init(&ctx);
1470         /* Attempt to decrypt session data */
1471         EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1472                                         s->ctx->tlsext_tick_aes_key, p);
1473         /* Move p after IV to start of encrypted ticket, update length */
1474         p += 16;
1475         eticklen -= 32;
1476         sdec = OPENSSL_malloc(eticklen);
1477         if (!sdec)
1478                 {
1479                 EVP_CIPHER_CTX_cleanup(&ctx);
1480                 return -1;
1481                 }
1482         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1483         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1484                 goto tickerr;
1485         slen += mlen;
1486         EVP_CIPHER_CTX_cleanup(&ctx);
1487         p = sdec;
1488                 
1489         sess = d2i_SSL_SESSION(NULL, &p, slen);
1490         OPENSSL_free(sdec);
1491         if (sess)
1492                 {
1493                 /* The session ID if non-empty is used by some clients to
1494                  * detect that the ticket has been accepted. So we copy it to
1495                  * the session structure. If it is empty set length to zero
1496                  * as required by standard.
1497                  */
1498                 if (sesslen)
1499                         memcpy(sess->session_id, sess_id, sesslen);
1500                 sess->session_id_length = sesslen;
1501                 *psess = sess;
1502                 s->tlsext_ticket_expected = 0;
1503                 return 1;
1504                 }
1505         /* If session decrypt failure indicate a cache miss and set state to
1506          * send a new ticket
1507          */
1508         tickerr:        
1509         s->tlsext_ticket_expected = 1;
1510         return 0;
1511         }
1512
1513 #endif