make update
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123                                 const unsigned char *sess_id, int sesslen,
124                                 SSL_SESSION **psess);
125 #endif
126
127 SSL3_ENC_METHOD TLSv1_enc_data={
128         tls1_enc,
129         tls1_mac,
130         tls1_setup_key_block,
131         tls1_generate_master_secret,
132         tls1_change_cipher_state,
133         tls1_final_finish_mac,
134         TLS1_FINISH_MAC_LENGTH,
135         tls1_cert_verify_mac,
136         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138         tls1_alert_code,
139         tls1_export_keying_material,
140         };
141
142 long tls1_default_timeout(void)
143         {
144         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
145          * is way too long for http, the cache would over fill */
146         return(60*60*2);
147         }
148
149 int tls1_new(SSL *s)
150         {
151         if (!ssl3_new(s)) return(0);
152         s->method->ssl_clear(s);
153         return(1);
154         }
155
156 void tls1_free(SSL *s)
157         {
158 #ifndef OPENSSL_NO_TLSEXT
159         if (s->tlsext_session_ticket)
160                 {
161                 OPENSSL_free(s->tlsext_session_ticket);
162                 }
163 #endif /* OPENSSL_NO_TLSEXT */
164         ssl3_free(s);
165         }
166
167 void tls1_clear(SSL *s)
168         {
169         ssl3_clear(s);
170         s->version = s->method->version;
171         }
172
173 #ifndef OPENSSL_NO_EC
174
175 static int nid_list[] =
176         {
177                 NID_sect163k1, /* sect163k1 (1) */
178                 NID_sect163r1, /* sect163r1 (2) */
179                 NID_sect163r2, /* sect163r2 (3) */
180                 NID_sect193r1, /* sect193r1 (4) */ 
181                 NID_sect193r2, /* sect193r2 (5) */ 
182                 NID_sect233k1, /* sect233k1 (6) */
183                 NID_sect233r1, /* sect233r1 (7) */ 
184                 NID_sect239k1, /* sect239k1 (8) */ 
185                 NID_sect283k1, /* sect283k1 (9) */
186                 NID_sect283r1, /* sect283r1 (10) */ 
187                 NID_sect409k1, /* sect409k1 (11) */ 
188                 NID_sect409r1, /* sect409r1 (12) */
189                 NID_sect571k1, /* sect571k1 (13) */ 
190                 NID_sect571r1, /* sect571r1 (14) */ 
191                 NID_secp160k1, /* secp160k1 (15) */
192                 NID_secp160r1, /* secp160r1 (16) */ 
193                 NID_secp160r2, /* secp160r2 (17) */ 
194                 NID_secp192k1, /* secp192k1 (18) */
195                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
196                 NID_secp224k1, /* secp224k1 (20) */ 
197                 NID_secp224r1, /* secp224r1 (21) */
198                 NID_secp256k1, /* secp256k1 (22) */ 
199                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
200                 NID_secp384r1, /* secp384r1 (24) */
201                 NID_secp521r1  /* secp521r1 (25) */     
202         };
203
204 static int pref_list[] =
205         {
206                 NID_sect571r1, /* sect571r1 (14) */ 
207                 NID_sect571k1, /* sect571k1 (13) */ 
208                 NID_secp521r1, /* secp521r1 (25) */     
209                 NID_sect409k1, /* sect409k1 (11) */ 
210                 NID_sect409r1, /* sect409r1 (12) */
211                 NID_secp384r1, /* secp384r1 (24) */
212                 NID_sect283k1, /* sect283k1 (9) */
213                 NID_sect283r1, /* sect283r1 (10) */ 
214                 NID_secp256k1, /* secp256k1 (22) */ 
215                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
216                 NID_sect239k1, /* sect239k1 (8) */ 
217                 NID_sect233k1, /* sect233k1 (6) */
218                 NID_sect233r1, /* sect233r1 (7) */ 
219                 NID_secp224k1, /* secp224k1 (20) */ 
220                 NID_secp224r1, /* secp224r1 (21) */
221                 NID_sect193r1, /* sect193r1 (4) */ 
222                 NID_sect193r2, /* sect193r2 (5) */ 
223                 NID_secp192k1, /* secp192k1 (18) */
224                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
225                 NID_sect163k1, /* sect163k1 (1) */
226                 NID_sect163r1, /* sect163r1 (2) */
227                 NID_sect163r2, /* sect163r2 (3) */
228                 NID_secp160k1, /* secp160k1 (15) */
229                 NID_secp160r1, /* secp160r1 (16) */ 
230                 NID_secp160r2, /* secp160r2 (17) */ 
231         };
232
233 int tls1_ec_curve_id2nid(int curve_id)
234         {
235         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
236         if ((curve_id < 1) || ((unsigned int)curve_id >
237                                 sizeof(nid_list)/sizeof(nid_list[0])))
238                 return 0;
239         return nid_list[curve_id-1];
240         }
241
242 int tls1_ec_nid2curve_id(int nid)
243         {
244         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
245         switch (nid)
246                 {
247         case NID_sect163k1: /* sect163k1 (1) */
248                 return 1;
249         case NID_sect163r1: /* sect163r1 (2) */
250                 return 2;
251         case NID_sect163r2: /* sect163r2 (3) */
252                 return 3;
253         case NID_sect193r1: /* sect193r1 (4) */ 
254                 return 4;
255         case NID_sect193r2: /* sect193r2 (5) */ 
256                 return 5;
257         case NID_sect233k1: /* sect233k1 (6) */
258                 return 6;
259         case NID_sect233r1: /* sect233r1 (7) */ 
260                 return 7;
261         case NID_sect239k1: /* sect239k1 (8) */ 
262                 return 8;
263         case NID_sect283k1: /* sect283k1 (9) */
264                 return 9;
265         case NID_sect283r1: /* sect283r1 (10) */ 
266                 return 10;
267         case NID_sect409k1: /* sect409k1 (11) */ 
268                 return 11;
269         case NID_sect409r1: /* sect409r1 (12) */
270                 return 12;
271         case NID_sect571k1: /* sect571k1 (13) */ 
272                 return 13;
273         case NID_sect571r1: /* sect571r1 (14) */ 
274                 return 14;
275         case NID_secp160k1: /* secp160k1 (15) */
276                 return 15;
277         case NID_secp160r1: /* secp160r1 (16) */ 
278                 return 16;
279         case NID_secp160r2: /* secp160r2 (17) */ 
280                 return 17;
281         case NID_secp192k1: /* secp192k1 (18) */
282                 return 18;
283         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
284                 return 19;
285         case NID_secp224k1: /* secp224k1 (20) */ 
286                 return 20;
287         case NID_secp224r1: /* secp224r1 (21) */
288                 return 21;
289         case NID_secp256k1: /* secp256k1 (22) */ 
290                 return 22;
291         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
292                 return 23;
293         case NID_secp384r1: /* secp384r1 (24) */
294                 return 24;
295         case NID_secp521r1:  /* secp521r1 (25) */       
296                 return 25;
297         default:
298                 return 0;
299                 }
300         }
301 #endif /* OPENSSL_NO_EC */
302
303 #ifndef OPENSSL_NO_TLSEXT
304
305 /* List of supported signature algorithms and hashes. Should make this
306  * customisable at some point, for now include everything we support.
307  */
308
309 #ifdef OPENSSL_NO_RSA
310 #define tlsext_sigalg_rsa(md) /* */
311 #else
312 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
313 #endif
314
315 #ifdef OPENSSL_NO_DSA
316 #define tlsext_sigalg_dsa(md) /* */
317 #else
318 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
319 #endif
320
321 #ifdef OPENSSL_NO_ECDSA
322 #define tlsext_sigalg_ecdsa(md) /* */
323 #else
324 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
325 #endif
326
327 #define tlsext_sigalg(md) \
328                 tlsext_sigalg_rsa(md) \
329                 tlsext_sigalg_dsa(md) \
330                 tlsext_sigalg_ecdsa(md)
331
332 static unsigned char tls12_sigalgs[] = {
333 #ifndef OPENSSL_NO_SHA512
334         tlsext_sigalg(TLSEXT_hash_sha512)
335         tlsext_sigalg(TLSEXT_hash_sha384)
336 #endif
337 #ifndef OPENSSL_NO_SHA256
338         tlsext_sigalg(TLSEXT_hash_sha256)
339         tlsext_sigalg(TLSEXT_hash_sha224)
340 #endif
341 #ifndef OPENSSL_NO_SHA
342         tlsext_sigalg(TLSEXT_hash_sha1)
343 #endif
344 #ifndef OPENSSL_NO_MD5
345         tlsext_sigalg_rsa(TLSEXT_hash_md5)
346 #endif
347 };
348
349 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
350         {
351         size_t slen = sizeof(tls12_sigalgs);
352 #ifdef OPENSSL_FIPS
353         /* If FIPS mode don't include MD5 which is last */
354         if (FIPS_mode())
355                 slen -= 2;
356 #endif
357         if (p)
358                 memcpy(p, tls12_sigalgs, slen);
359         return (int)slen;
360         }
361
362 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
363         {
364         int extdatalen=0;
365         unsigned char *ret = p;
366
367         /* don't add extensions for SSLv3 unless doing secure renegotiation */
368         if (s->client_version == SSL3_VERSION
369                                         && !s->s3->send_connection_binding)
370                 return p;
371
372         ret+=2;
373
374         if (ret>=limit) return NULL; /* this really never occurs, but ... */
375
376         if (s->tlsext_hostname != NULL)
377                 { 
378                 /* Add TLS extension servername to the Client Hello message */
379                 unsigned long size_str;
380                 long lenmax; 
381
382                 /* check for enough space.
383                    4 for the servername type and entension length
384                    2 for servernamelist length
385                    1 for the hostname type
386                    2 for hostname length
387                    + hostname length 
388                 */
389                    
390                 if ((lenmax = limit - ret - 9) < 0 
391                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
392                         return NULL;
393                         
394                 /* extension type and length */
395                 s2n(TLSEXT_TYPE_server_name,ret); 
396                 s2n(size_str+5,ret);
397                 
398                 /* length of servername list */
399                 s2n(size_str+3,ret);
400         
401                 /* hostname type, length and hostname */
402                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
403                 s2n(size_str,ret);
404                 memcpy(ret, s->tlsext_hostname, size_str);
405                 ret+=size_str;
406                 }
407
408         /* Add RI if renegotiating */
409         if (s->renegotiate)
410           {
411           int el;
412           
413           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
414               {
415               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
416               return NULL;
417               }
418
419           if((limit - p - 4 - el) < 0) return NULL;
420           
421           s2n(TLSEXT_TYPE_renegotiate,ret);
422           s2n(el,ret);
423
424           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
425               {
426               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
427               return NULL;
428               }
429
430           ret += el;
431         }
432
433 #ifndef OPENSSL_NO_SRP
434 #define MIN(x,y) (((x)<(y))?(x):(y))
435         /* we add SRP username the first time only if we have one! */
436         if (s->srp_ctx.login != NULL)
437                 {/* Add TLS extension SRP username to the Client Hello message */
438                 int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
439                 long lenmax; 
440
441                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
442                 if (login_len > lenmax) return NULL;
443                 if (login_len > 255)
444                         {
445                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
446                         return NULL;
447                         }
448                 s2n(TLSEXT_TYPE_srp,ret);
449                 s2n(login_len+1,ret);
450
451                 (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
452                 memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
453                 ret+=login_len;
454                 }
455 #endif
456
457 #ifndef OPENSSL_NO_EC
458         if (s->tlsext_ecpointformatlist != NULL &&
459             s->version != DTLS1_VERSION)
460                 {
461                 /* Add TLS extension ECPointFormats to the ClientHello message */
462                 long lenmax; 
463
464                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
465                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
466                 if (s->tlsext_ecpointformatlist_length > 255)
467                         {
468                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
469                         return NULL;
470                         }
471                 
472                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
473                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
474                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
475                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
476                 ret+=s->tlsext_ecpointformatlist_length;
477                 }
478         if (s->tlsext_ellipticcurvelist != NULL &&
479             s->version != DTLS1_VERSION)
480                 {
481                 /* Add TLS extension EllipticCurves to the ClientHello message */
482                 long lenmax; 
483
484                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
485                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
486                 if (s->tlsext_ellipticcurvelist_length > 65532)
487                         {
488                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
489                         return NULL;
490                         }
491                 
492                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
493                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
494
495                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
496                  * elliptic_curve_list, but the examples use two bytes.
497                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
498                  * resolves this to two bytes.
499                  */
500                 s2n(s->tlsext_ellipticcurvelist_length, ret);
501                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
502                 ret+=s->tlsext_ellipticcurvelist_length;
503                 }
504 #endif /* OPENSSL_NO_EC */
505
506         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
507                 {
508                 int ticklen;
509                 if (!s->new_session && s->session && s->session->tlsext_tick)
510                         ticklen = s->session->tlsext_ticklen;
511                 else if (s->session && s->tlsext_session_ticket &&
512                          s->tlsext_session_ticket->data)
513                         {
514                         ticklen = s->tlsext_session_ticket->length;
515                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
516                         if (!s->session->tlsext_tick)
517                                 return NULL;
518                         memcpy(s->session->tlsext_tick,
519                                s->tlsext_session_ticket->data,
520                                ticklen);
521                         s->session->tlsext_ticklen = ticklen;
522                         }
523                 else
524                         ticklen = 0;
525                 if (ticklen == 0 && s->tlsext_session_ticket &&
526                     s->tlsext_session_ticket->data == NULL)
527                         goto skip_ext;
528                 /* Check for enough room 2 for extension type, 2 for len
529                  * rest for ticket
530                  */
531                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
532                 s2n(TLSEXT_TYPE_session_ticket,ret); 
533                 s2n(ticklen,ret);
534                 if (ticklen)
535                         {
536                         memcpy(ret, s->session->tlsext_tick, ticklen);
537                         ret += ticklen;
538                         }
539                 }
540                 skip_ext:
541
542         if (TLS1_get_version(s) >= TLS1_2_VERSION)
543                 {
544                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
545                         return NULL; 
546                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
547                 s2n(sizeof(tls12_sigalgs) + 2, ret);
548                 s2n(sizeof(tls12_sigalgs), ret);
549                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
550                 ret += sizeof(tls12_sigalgs);
551                 }
552
553 #ifdef TLSEXT_TYPE_opaque_prf_input
554         if (s->s3->client_opaque_prf_input != NULL &&
555             s->version != DTLS1_VERSION)
556                 {
557                 size_t col = s->s3->client_opaque_prf_input_len;
558                 
559                 if ((long)(limit - ret - 6 - col < 0))
560                         return NULL;
561                 if (col > 0xFFFD) /* can't happen */
562                         return NULL;
563
564                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
565                 s2n(col + 2, ret);
566                 s2n(col, ret);
567                 memcpy(ret, s->s3->client_opaque_prf_input, col);
568                 ret += col;
569                 }
570 #endif
571
572         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
573             s->version != DTLS1_VERSION)
574                 {
575                 int i;
576                 long extlen, idlen, itmp;
577                 OCSP_RESPID *id;
578
579                 idlen = 0;
580                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
581                         {
582                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
583                         itmp = i2d_OCSP_RESPID(id, NULL);
584                         if (itmp <= 0)
585                                 return NULL;
586                         idlen += itmp + 2;
587                         }
588
589                 if (s->tlsext_ocsp_exts)
590                         {
591                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
592                         if (extlen < 0)
593                                 return NULL;
594                         }
595                 else
596                         extlen = 0;
597                         
598                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
599                 s2n(TLSEXT_TYPE_status_request, ret);
600                 if (extlen + idlen > 0xFFF0)
601                         return NULL;
602                 s2n(extlen + idlen + 5, ret);
603                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
604                 s2n(idlen, ret);
605                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
606                         {
607                         /* save position of id len */
608                         unsigned char *q = ret;
609                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
610                         /* skip over id len */
611                         ret += 2;
612                         itmp = i2d_OCSP_RESPID(id, &ret);
613                         /* write id len */
614                         s2n(itmp, q);
615                         }
616                 s2n(extlen, ret);
617                 if (extlen > 0)
618                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
619                 }
620
621 #ifndef OPENSSL_NO_NEXTPROTONEG
622         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
623                 {
624                 /* The client advertises an emtpy extension to indicate its
625                  * support for Next Protocol Negotiation */
626                 if (limit - ret - 4 < 0)
627                         return NULL;
628                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
629                 s2n(0,ret);
630                 }
631 #endif
632
633         if(SSL_get_srtp_profiles(s))
634                 {
635                 int el;
636
637                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
638                 
639                 if((limit - p - 4 - el) < 0) return NULL;
640
641                 s2n(TLSEXT_TYPE_use_srtp,ret);
642                 s2n(el,ret);
643
644                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
645                         {
646                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
647                         return NULL;
648                         }
649                 ret += el;
650                 }
651
652         if ((extdatalen = ret-p-2)== 0) 
653                 return p;
654
655         s2n(extdatalen,p);
656         return ret;
657         }
658
659 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
660         {
661         int extdatalen=0;
662         unsigned char *ret = p;
663 #ifndef OPENSSL_NO_NEXTPROTONEG
664         int next_proto_neg_seen;
665 #endif
666
667         /* don't add extensions for SSLv3, unless doing secure renegotiation */
668         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
669                 return p;
670         
671         ret+=2;
672         if (ret>=limit) return NULL; /* this really never occurs, but ... */
673
674         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
675                 { 
676                 if ((long)(limit - ret - 4) < 0) return NULL; 
677
678                 s2n(TLSEXT_TYPE_server_name,ret);
679                 s2n(0,ret);
680                 }
681
682         if(s->s3->send_connection_binding)
683         {
684           int el;
685           
686           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
687               {
688               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
689               return NULL;
690               }
691
692           if((limit - p - 4 - el) < 0) return NULL;
693           
694           s2n(TLSEXT_TYPE_renegotiate,ret);
695           s2n(el,ret);
696
697           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
698               {
699               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
700               return NULL;
701               }
702
703           ret += el;
704         }
705
706 #ifndef OPENSSL_NO_EC
707         if (s->tlsext_ecpointformatlist != NULL &&
708             s->version != DTLS1_VERSION)
709                 {
710                 /* Add TLS extension ECPointFormats to the ServerHello message */
711                 long lenmax; 
712
713                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
714                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
715                 if (s->tlsext_ecpointformatlist_length > 255)
716                         {
717                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
718                         return NULL;
719                         }
720                 
721                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
722                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
723                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
724                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
725                 ret+=s->tlsext_ecpointformatlist_length;
726
727                 }
728         /* Currently the server should not respond with a SupportedCurves extension */
729 #endif /* OPENSSL_NO_EC */
730
731         if (s->tlsext_ticket_expected
732                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
733                 { 
734                 if ((long)(limit - ret - 4) < 0) return NULL; 
735                 s2n(TLSEXT_TYPE_session_ticket,ret);
736                 s2n(0,ret);
737                 }
738
739         if (s->tlsext_status_expected)
740                 { 
741                 if ((long)(limit - ret - 4) < 0) return NULL; 
742                 s2n(TLSEXT_TYPE_status_request,ret);
743                 s2n(0,ret);
744                 }
745
746 #ifdef TLSEXT_TYPE_opaque_prf_input
747         if (s->s3->server_opaque_prf_input != NULL &&
748             s->version != DTLS1_VERSION)
749                 {
750                 size_t sol = s->s3->server_opaque_prf_input_len;
751                 
752                 if ((long)(limit - ret - 6 - sol) < 0)
753                         return NULL;
754                 if (sol > 0xFFFD) /* can't happen */
755                         return NULL;
756
757                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
758                 s2n(sol + 2, ret);
759                 s2n(sol, ret);
760                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
761                 ret += sol;
762                 }
763 #endif
764
765         if(s->srtp_profile)
766                 {
767                 int el;
768
769                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
770                 
771                 if((limit - p - 4 - el) < 0) return NULL;
772
773                 s2n(TLSEXT_TYPE_use_srtp,ret);
774                 s2n(el,ret);
775
776                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
777                         {
778                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
779                         return NULL;
780                         }
781                 ret+=el;
782                 }
783
784         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
785                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
786                 { const unsigned char cryptopro_ext[36] = {
787                         0xfd, 0xe8, /*65000*/
788                         0x00, 0x20, /*32 bytes length*/
789                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
790                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
791                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
792                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
793                         if (limit-ret<36) return NULL;
794                         memcpy(ret,cryptopro_ext,36);
795                         ret+=36;
796
797                 }
798
799 #ifndef OPENSSL_NO_NEXTPROTONEG
800         next_proto_neg_seen = s->s3->next_proto_neg_seen;
801         s->s3->next_proto_neg_seen = 0;
802         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
803                 {
804                 const unsigned char *npa;
805                 unsigned int npalen;
806                 int r;
807
808                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
809                 if (r == SSL_TLSEXT_ERR_OK)
810                         {
811                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
812                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
813                         s2n(npalen,ret);
814                         memcpy(ret, npa, npalen);
815                         ret += npalen;
816                         s->s3->next_proto_neg_seen = 1;
817                         }
818                 }
819 #endif
820
821         if ((extdatalen = ret-p-2)== 0) 
822                 return p;
823
824         s2n(extdatalen,p);
825         return ret;
826         }
827
828 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
829         {
830         unsigned short type;
831         unsigned short size;
832         unsigned short len;
833         unsigned char *data = *p;
834         int renegotiate_seen = 0;
835         int sigalg_seen = 0;
836
837         s->servername_done = 0;
838         s->tlsext_status_type = -1;
839 #ifndef OPENSSL_NO_NEXTPROTONEG
840         s->s3->next_proto_neg_seen = 0;
841 #endif
842
843         if (data >= (d+n-2))
844                 goto ri_check;
845         n2s(data,len);
846
847         if (data > (d+n-len)) 
848                 goto ri_check;
849
850         while (data <= (d+n-4))
851                 {
852                 n2s(data,type);
853                 n2s(data,size);
854
855                 if (data+size > (d+n))
856                         goto ri_check;
857 #if 0
858                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
859 #endif
860                 if (s->tlsext_debug_cb)
861                         s->tlsext_debug_cb(s, 0, type, data, size,
862                                                 s->tlsext_debug_arg);
863 /* The servername extension is treated as follows:
864
865    - Only the hostname type is supported with a maximum length of 255.
866    - The servername is rejected if too long or if it contains zeros,
867      in which case an fatal alert is generated.
868    - The servername field is maintained together with the session cache.
869    - When a session is resumed, the servername call back invoked in order
870      to allow the application to position itself to the right context. 
871    - The servername is acknowledged if it is new for a session or when 
872      it is identical to a previously used for the same session. 
873      Applications can control the behaviour.  They can at any time
874      set a 'desirable' servername for a new SSL object. This can be the
875      case for example with HTTPS when a Host: header field is received and
876      a renegotiation is requested. In this case, a possible servername
877      presented in the new client hello is only acknowledged if it matches
878      the value of the Host: field. 
879    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
880      if they provide for changing an explicit servername context for the session,
881      i.e. when the session has been established with a servername extension. 
882    - On session reconnect, the servername extension may be absent. 
883
884 */      
885
886                 if (type == TLSEXT_TYPE_server_name)
887                         {
888                         unsigned char *sdata;
889                         int servname_type;
890                         int dsize; 
891                 
892                         if (size < 2) 
893                                 {
894                                 *al = SSL_AD_DECODE_ERROR;
895                                 return 0;
896                                 }
897                         n2s(data,dsize);  
898                         size -= 2;
899                         if (dsize > size  ) 
900                                 {
901                                 *al = SSL_AD_DECODE_ERROR;
902                                 return 0;
903                                 } 
904
905                         sdata = data;
906                         while (dsize > 3) 
907                                 {
908                                 servname_type = *(sdata++); 
909                                 n2s(sdata,len);
910                                 dsize -= 3;
911
912                                 if (len > dsize) 
913                                         {
914                                         *al = SSL_AD_DECODE_ERROR;
915                                         return 0;
916                                         }
917                                 if (s->servername_done == 0)
918                                 switch (servname_type)
919                                         {
920                                 case TLSEXT_NAMETYPE_host_name:
921                                         if (!s->hit)
922                                                 {
923                                                 if(s->session->tlsext_hostname)
924                                                         {
925                                                         *al = SSL_AD_DECODE_ERROR;
926                                                         return 0;
927                                                         }
928                                                 if (len > TLSEXT_MAXLEN_host_name)
929                                                         {
930                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
931                                                         return 0;
932                                                         }
933                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
934                                                         {
935                                                         *al = TLS1_AD_INTERNAL_ERROR;
936                                                         return 0;
937                                                         }
938                                                 memcpy(s->session->tlsext_hostname, sdata, len);
939                                                 s->session->tlsext_hostname[len]='\0';
940                                                 if (strlen(s->session->tlsext_hostname) != len) {
941                                                         OPENSSL_free(s->session->tlsext_hostname);
942                                                         s->session->tlsext_hostname = NULL;
943                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
944                                                         return 0;
945                                                 }
946                                                 s->servername_done = 1; 
947
948                                                 }
949                                         else 
950                                                 s->servername_done = s->session->tlsext_hostname
951                                                         && strlen(s->session->tlsext_hostname) == len 
952                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
953                                         
954                                         break;
955
956                                 default:
957                                         break;
958                                         }
959                                  
960                                 dsize -= len;
961                                 }
962                         if (dsize != 0) 
963                                 {
964                                 *al = SSL_AD_DECODE_ERROR;
965                                 return 0;
966                                 }
967
968                         }
969 #ifndef OPENSSL_NO_SRP
970                 else if (type == TLSEXT_TYPE_srp)
971                         {
972                         if (size > 0)
973                                 {
974                                 len = data[0];
975                                 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
976                                         return -1;
977                                 memcpy(s->srp_ctx.login, &data[1], len);
978                                 s->srp_ctx.login[len]='\0';  
979                                 }
980                         }
981 #endif
982
983 #ifndef OPENSSL_NO_EC
984                 else if (type == TLSEXT_TYPE_ec_point_formats &&
985                      s->version != DTLS1_VERSION)
986                         {
987                         unsigned char *sdata = data;
988                         int ecpointformatlist_length = *(sdata++);
989
990                         if (ecpointformatlist_length != size - 1)
991                                 {
992                                 *al = TLS1_AD_DECODE_ERROR;
993                                 return 0;
994                                 }
995                         if (!s->hit)
996                                 {
997                                 if(s->session->tlsext_ecpointformatlist)
998                                         {
999                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1000                                         s->session->tlsext_ecpointformatlist = NULL;
1001                                         }
1002                                 s->session->tlsext_ecpointformatlist_length = 0;
1003                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1004                                         {
1005                                         *al = TLS1_AD_INTERNAL_ERROR;
1006                                         return 0;
1007                                         }
1008                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1009                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1010                                 }
1011 #if 0
1012                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1013                         sdata = s->session->tlsext_ecpointformatlist;
1014                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1015                                 fprintf(stderr,"%i ",*(sdata++));
1016                         fprintf(stderr,"\n");
1017 #endif
1018                         }
1019                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1020                      s->version != DTLS1_VERSION)
1021                         {
1022                         unsigned char *sdata = data;
1023                         int ellipticcurvelist_length = (*(sdata++) << 8);
1024                         ellipticcurvelist_length += (*(sdata++));
1025
1026                         if (ellipticcurvelist_length != size - 2)
1027                                 {
1028                                 *al = TLS1_AD_DECODE_ERROR;
1029                                 return 0;
1030                                 }
1031                         if (!s->hit)
1032                                 {
1033                                 if(s->session->tlsext_ellipticcurvelist)
1034                                         {
1035                                         *al = TLS1_AD_DECODE_ERROR;
1036                                         return 0;
1037                                         }
1038                                 s->session->tlsext_ellipticcurvelist_length = 0;
1039                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1040                                         {
1041                                         *al = TLS1_AD_INTERNAL_ERROR;
1042                                         return 0;
1043                                         }
1044                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1045                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1046                                 }
1047 #if 0
1048                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1049                         sdata = s->session->tlsext_ellipticcurvelist;
1050                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1051                                 fprintf(stderr,"%i ",*(sdata++));
1052                         fprintf(stderr,"\n");
1053 #endif
1054                         }
1055 #endif /* OPENSSL_NO_EC */
1056 #ifdef TLSEXT_TYPE_opaque_prf_input
1057                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1058                      s->version != DTLS1_VERSION)
1059                         {
1060                         unsigned char *sdata = data;
1061
1062                         if (size < 2)
1063                                 {
1064                                 *al = SSL_AD_DECODE_ERROR;
1065                                 return 0;
1066                                 }
1067                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1068                         if (s->s3->client_opaque_prf_input_len != size - 2)
1069                                 {
1070                                 *al = SSL_AD_DECODE_ERROR;
1071                                 return 0;
1072                                 }
1073
1074                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1075                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1076                         if (s->s3->client_opaque_prf_input_len == 0)
1077                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1078                         else
1079                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1080                         if (s->s3->client_opaque_prf_input == NULL)
1081                                 {
1082                                 *al = TLS1_AD_INTERNAL_ERROR;
1083                                 return 0;
1084                                 }
1085                         }
1086 #endif
1087                 else if (type == TLSEXT_TYPE_session_ticket)
1088                         {
1089                         if (s->tls_session_ticket_ext_cb &&
1090                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1091                                 {
1092                                 *al = TLS1_AD_INTERNAL_ERROR;
1093                                 return 0;
1094                                 }
1095                         }
1096                 else if (type == TLSEXT_TYPE_renegotiate)
1097                         {
1098                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1099                                 return 0;
1100                         renegotiate_seen = 1;
1101                         }
1102                 else if (type == TLSEXT_TYPE_signature_algorithms)
1103                         {
1104                         int dsize;
1105                         if (sigalg_seen || size < 2) 
1106                                 {
1107                                 *al = SSL_AD_DECODE_ERROR;
1108                                 return 0;
1109                                 }
1110                         sigalg_seen = 1;
1111                         n2s(data,dsize);
1112                         size -= 2;
1113                         if (dsize != size || dsize & 1) 
1114                                 {
1115                                 *al = SSL_AD_DECODE_ERROR;
1116                                 return 0;
1117                                 }
1118                         if (!tls1_process_sigalgs(s, data, dsize))
1119                                 {
1120                                 *al = SSL_AD_DECODE_ERROR;
1121                                 return 0;
1122                                 }
1123                         }
1124                 else if (type == TLSEXT_TYPE_status_request &&
1125                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1126                         {
1127                 
1128                         if (size < 5) 
1129                                 {
1130                                 *al = SSL_AD_DECODE_ERROR;
1131                                 return 0;
1132                                 }
1133
1134                         s->tlsext_status_type = *data++;
1135                         size--;
1136                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1137                                 {
1138                                 const unsigned char *sdata;
1139                                 int dsize;
1140                                 /* Read in responder_id_list */
1141                                 n2s(data,dsize);
1142                                 size -= 2;
1143                                 if (dsize > size  ) 
1144                                         {
1145                                         *al = SSL_AD_DECODE_ERROR;
1146                                         return 0;
1147                                         }
1148                                 while (dsize > 0)
1149                                         {
1150                                         OCSP_RESPID *id;
1151                                         int idsize;
1152                                         if (dsize < 4)
1153                                                 {
1154                                                 *al = SSL_AD_DECODE_ERROR;
1155                                                 return 0;
1156                                                 }
1157                                         n2s(data, idsize);
1158                                         dsize -= 2 + idsize;
1159                                         size -= 2 + idsize;
1160                                         if (dsize < 0)
1161                                                 {
1162                                                 *al = SSL_AD_DECODE_ERROR;
1163                                                 return 0;
1164                                                 }
1165                                         sdata = data;
1166                                         data += idsize;
1167                                         id = d2i_OCSP_RESPID(NULL,
1168                                                                 &sdata, idsize);
1169                                         if (!id)
1170                                                 {
1171                                                 *al = SSL_AD_DECODE_ERROR;
1172                                                 return 0;
1173                                                 }
1174                                         if (data != sdata)
1175                                                 {
1176                                                 OCSP_RESPID_free(id);
1177                                                 *al = SSL_AD_DECODE_ERROR;
1178                                                 return 0;
1179                                                 }
1180                                         if (!s->tlsext_ocsp_ids
1181                                                 && !(s->tlsext_ocsp_ids =
1182                                                 sk_OCSP_RESPID_new_null()))
1183                                                 {
1184                                                 OCSP_RESPID_free(id);
1185                                                 *al = SSL_AD_INTERNAL_ERROR;
1186                                                 return 0;
1187                                                 }
1188                                         if (!sk_OCSP_RESPID_push(
1189                                                         s->tlsext_ocsp_ids, id))
1190                                                 {
1191                                                 OCSP_RESPID_free(id);
1192                                                 *al = SSL_AD_INTERNAL_ERROR;
1193                                                 return 0;
1194                                                 }
1195                                         }
1196
1197                                 /* Read in request_extensions */
1198                                 if (size < 2)
1199                                         {
1200                                         *al = SSL_AD_DECODE_ERROR;
1201                                         return 0;
1202                                         }
1203                                 n2s(data,dsize);
1204                                 size -= 2;
1205                                 if (dsize != size)
1206                                         {
1207                                         *al = SSL_AD_DECODE_ERROR;
1208                                         return 0;
1209                                         }
1210                                 sdata = data;
1211                                 if (dsize > 0)
1212                                         {
1213                                         s->tlsext_ocsp_exts =
1214                                                 d2i_X509_EXTENSIONS(NULL,
1215                                                         &sdata, dsize);
1216                                         if (!s->tlsext_ocsp_exts
1217                                                 || (data + dsize != sdata))
1218                                                 {
1219                                                 *al = SSL_AD_DECODE_ERROR;
1220                                                 return 0;
1221                                                 }
1222                                         }
1223                                 }
1224                                 /* We don't know what to do with any other type
1225                                 * so ignore it.
1226                                 */
1227                                 else
1228                                         s->tlsext_status_type = -1;
1229                         }
1230 #ifndef OPENSSL_NO_NEXTPROTONEG
1231                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1232                          s->s3->tmp.finish_md_len == 0)
1233                         {
1234                         /* We shouldn't accept this extension on a
1235                          * renegotiation.
1236                          *
1237                          * s->new_session will be set on renegotiation, but we
1238                          * probably shouldn't rely that it couldn't be set on
1239                          * the initial renegotation too in certain cases (when
1240                          * there's some other reason to disallow resuming an
1241                          * earlier session -- the current code won't be doing
1242                          * anything like that, but this might change).
1243
1244                          * A valid sign that there's been a previous handshake
1245                          * in this connection is if s->s3->tmp.finish_md_len >
1246                          * 0.  (We are talking about a check that will happen
1247                          * in the Hello protocol round, well before a new
1248                          * Finished message could have been computed.) */
1249                         s->s3->next_proto_neg_seen = 1;
1250                         }
1251 #endif
1252
1253                 /* session ticket processed earlier */
1254                 else if (type == TLSEXT_TYPE_use_srtp)
1255                         {
1256                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1257                                                               al))
1258                                 return 0;
1259                         }
1260
1261                 data+=size;
1262                 }
1263                                 
1264         *p = data;
1265
1266         ri_check:
1267
1268         /* Need RI if renegotiating */
1269
1270         if (!renegotiate_seen && s->renegotiate &&
1271                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1272                 {
1273                 *al = SSL_AD_HANDSHAKE_FAILURE;
1274                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1275                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1276                 return 0;
1277                 }
1278
1279         return 1;
1280         }
1281
1282 #ifndef OPENSSL_NO_NEXTPROTONEG
1283 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1284  * elements of zero length are allowed and the set of elements must exactly fill
1285  * the length of the block. */
1286 static int ssl_next_proto_validate(unsigned char *d, unsigned len)
1287         {
1288         unsigned int off = 0;
1289
1290         while (off < len)
1291                 {
1292                 if (d[off] == 0)
1293                         return 0;
1294                 off += d[off];
1295                 off++;
1296                 }
1297
1298         return off == len;
1299         }
1300 #endif
1301
1302 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1303         {
1304         unsigned short length;
1305         unsigned short type;
1306         unsigned short size;
1307         unsigned char *data = *p;
1308         int tlsext_servername = 0;
1309         int renegotiate_seen = 0;
1310
1311 #ifndef OPENSSL_NO_NEXTPROTONEG
1312         s->s3->next_proto_neg_seen = 0;
1313 #endif
1314
1315         if (data >= (d+n-2))
1316                 goto ri_check;
1317
1318         n2s(data,length);
1319         if (data+length != d+n)
1320                 {
1321                 *al = SSL_AD_DECODE_ERROR;
1322                 return 0;
1323                 }
1324
1325         while(data <= (d+n-4))
1326                 {
1327                 n2s(data,type);
1328                 n2s(data,size);
1329
1330                 if (data+size > (d+n))
1331                         goto ri_check;
1332
1333                 if (s->tlsext_debug_cb)
1334                         s->tlsext_debug_cb(s, 1, type, data, size,
1335                                                 s->tlsext_debug_arg);
1336
1337                 if (type == TLSEXT_TYPE_server_name)
1338                         {
1339                         if (s->tlsext_hostname == NULL || size > 0)
1340                                 {
1341                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1342                                 return 0;
1343                                 }
1344                         tlsext_servername = 1;   
1345                         }
1346
1347 #ifndef OPENSSL_NO_EC
1348                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1349                      s->version != DTLS1_VERSION)
1350                         {
1351                         unsigned char *sdata = data;
1352                         int ecpointformatlist_length = *(sdata++);
1353
1354                         if (ecpointformatlist_length != size - 1)
1355                                 {
1356                                 *al = TLS1_AD_DECODE_ERROR;
1357                                 return 0;
1358                                 }
1359                         s->session->tlsext_ecpointformatlist_length = 0;
1360                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1361                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1362                                 {
1363                                 *al = TLS1_AD_INTERNAL_ERROR;
1364                                 return 0;
1365                                 }
1366                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1367                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1368 #if 0
1369                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1370                         sdata = s->session->tlsext_ecpointformatlist;
1371                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1372                                 fprintf(stderr,"%i ",*(sdata++));
1373                         fprintf(stderr,"\n");
1374 #endif
1375                         }
1376 #endif /* OPENSSL_NO_EC */
1377
1378                 else if (type == TLSEXT_TYPE_session_ticket)
1379                         {
1380                         if (s->tls_session_ticket_ext_cb &&
1381                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1382                                 {
1383                                 *al = TLS1_AD_INTERNAL_ERROR;
1384                                 return 0;
1385                                 }
1386                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1387                                 || (size > 0))
1388                                 {
1389                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1390                                 return 0;
1391                                 }
1392                         s->tlsext_ticket_expected = 1;
1393                         }
1394 #ifdef TLSEXT_TYPE_opaque_prf_input
1395                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1396                      s->version != DTLS1_VERSION)
1397                         {
1398                         unsigned char *sdata = data;
1399
1400                         if (size < 2)
1401                                 {
1402                                 *al = SSL_AD_DECODE_ERROR;
1403                                 return 0;
1404                                 }
1405                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1406                         if (s->s3->server_opaque_prf_input_len != size - 2)
1407                                 {
1408                                 *al = SSL_AD_DECODE_ERROR;
1409                                 return 0;
1410                                 }
1411                         
1412                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1413                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1414                         if (s->s3->server_opaque_prf_input_len == 0)
1415                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1416                         else
1417                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1418
1419                         if (s->s3->server_opaque_prf_input == NULL)
1420                                 {
1421                                 *al = TLS1_AD_INTERNAL_ERROR;
1422                                 return 0;
1423                                 }
1424                         }
1425 #endif
1426                 else if (type == TLSEXT_TYPE_status_request &&
1427                          s->version != DTLS1_VERSION)
1428                         {
1429                         /* MUST be empty and only sent if we've requested
1430                          * a status request message.
1431                          */ 
1432                         if ((s->tlsext_status_type == -1) || (size > 0))
1433                                 {
1434                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1435                                 return 0;
1436                                 }
1437                         /* Set flag to expect CertificateStatus message */
1438                         s->tlsext_status_expected = 1;
1439                         }
1440 #ifndef OPENSSL_NO_NEXTPROTONEG
1441                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1442                          s->s3->tmp.finish_md_len == 0)
1443                         {
1444                         unsigned char *selected;
1445                         unsigned char selected_len;
1446
1447                         /* We must have requested it. */
1448                         if ((s->ctx->next_proto_select_cb == NULL))
1449                                 {
1450                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1451                                 return 0;
1452                                 }
1453                         /* The data must be valid */
1454                         if (!ssl_next_proto_validate(data, size))
1455                                 {
1456                                 *al = TLS1_AD_DECODE_ERROR;
1457                                 return 0;
1458                                 }
1459                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1460                                 {
1461                                 *al = TLS1_AD_INTERNAL_ERROR;
1462                                 return 0;
1463                                 }
1464                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1465                         if (!s->next_proto_negotiated)
1466                                 {
1467                                 *al = TLS1_AD_INTERNAL_ERROR;
1468                                 return 0;
1469                                 }
1470                         memcpy(s->next_proto_negotiated, selected, selected_len);
1471                         s->next_proto_negotiated_len = selected_len;
1472                         s->s3->next_proto_neg_seen = 1;
1473                         }
1474 #endif
1475                 else if (type == TLSEXT_TYPE_renegotiate)
1476                         {
1477                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1478                                 return 0;
1479                         renegotiate_seen = 1;
1480                         }
1481                 else if (type == TLSEXT_TYPE_use_srtp)
1482                         {
1483                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1484                                                               al))
1485                                 return 0;
1486                         }
1487
1488                 data+=size;             
1489                 }
1490
1491         if (data != d+n)
1492                 {
1493                 *al = SSL_AD_DECODE_ERROR;
1494                 return 0;
1495                 }
1496
1497         if (!s->hit && tlsext_servername == 1)
1498                 {
1499                 if (s->tlsext_hostname)
1500                         {
1501                         if (s->session->tlsext_hostname == NULL)
1502                                 {
1503                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1504                                 if (!s->session->tlsext_hostname)
1505                                         {
1506                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1507                                         return 0;
1508                                         }
1509                                 }
1510                         else 
1511                                 {
1512                                 *al = SSL_AD_DECODE_ERROR;
1513                                 return 0;
1514                                 }
1515                         }
1516                 }
1517
1518         *p = data;
1519
1520         ri_check:
1521
1522         /* Determine if we need to see RI. Strictly speaking if we want to
1523          * avoid an attack we should *always* see RI even on initial server
1524          * hello because the client doesn't see any renegotiation during an
1525          * attack. However this would mean we could not connect to any server
1526          * which doesn't support RI so for the immediate future tolerate RI
1527          * absence on initial connect only.
1528          */
1529         if (!renegotiate_seen
1530                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1531                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1532                 {
1533                 *al = SSL_AD_HANDSHAKE_FAILURE;
1534                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1535                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1536                 return 0;
1537                 }
1538
1539         return 1;
1540         }
1541
1542
1543 int ssl_prepare_clienthello_tlsext(SSL *s)
1544         {
1545 #ifndef OPENSSL_NO_EC
1546         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1547          * and elliptic curves we support.
1548          */
1549         int using_ecc = 0;
1550         int i;
1551         unsigned char *j;
1552         unsigned long alg_k, alg_a;
1553         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1554
1555         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1556                 {
1557                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1558
1559                 alg_k = c->algorithm_mkey;
1560                 alg_a = c->algorithm_auth;
1561                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1562                         {
1563                         using_ecc = 1;
1564                         break;
1565                         }
1566                 }
1567         using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1568         if (using_ecc)
1569                 {
1570                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1571                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1572                         {
1573                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1574                         return -1;
1575                         }
1576                 s->tlsext_ecpointformatlist_length = 3;
1577                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1578                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1579                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1580
1581                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1582                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1583                 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1584                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1585                         {
1586                         s->tlsext_ellipticcurvelist_length = 0;
1587                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1588                         return -1;
1589                         }
1590                 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1591                                 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1592                         {
1593                         int id = tls1_ec_nid2curve_id(pref_list[i]);
1594                         s2n(id,j);
1595                         }
1596                 }
1597 #endif /* OPENSSL_NO_EC */
1598
1599 #ifdef TLSEXT_TYPE_opaque_prf_input
1600         {
1601                 int r = 1;
1602         
1603                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1604                         {
1605                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1606                         if (!r)
1607                                 return -1;
1608                         }
1609
1610                 if (s->tlsext_opaque_prf_input != NULL)
1611                         {
1612                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1613                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1614
1615                         if (s->tlsext_opaque_prf_input_len == 0)
1616                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1617                         else
1618                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1619                         if (s->s3->client_opaque_prf_input == NULL)
1620                                 {
1621                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1622                                 return -1;
1623                                 }
1624                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1625                         }
1626
1627                 if (r == 2)
1628                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1629                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1630         }
1631 #endif
1632
1633         return 1;
1634         }
1635
1636 int ssl_prepare_serverhello_tlsext(SSL *s)
1637         {
1638 #ifndef OPENSSL_NO_EC
1639         /* If we are server and using an ECC cipher suite, send the point formats we support 
1640          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1641          * supposed to send an EllipticCurves extension.
1642          */
1643
1644         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1645         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1646         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1647         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1648         
1649         if (using_ecc)
1650                 {
1651                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1652                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1653                         {
1654                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1655                         return -1;
1656                         }
1657                 s->tlsext_ecpointformatlist_length = 3;
1658                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1659                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1660                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1661                 }
1662 #endif /* OPENSSL_NO_EC */
1663
1664         return 1;
1665         }
1666
1667 int ssl_check_clienthello_tlsext(SSL *s)
1668         {
1669         int ret=SSL_TLSEXT_ERR_NOACK;
1670         int al = SSL_AD_UNRECOGNIZED_NAME;
1671
1672 #ifndef OPENSSL_NO_EC
1673         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1674          * ssl3_choose_cipher in s3_lib.c.
1675          */
1676         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1677          * ssl3_choose_cipher in s3_lib.c.
1678          */
1679 #endif
1680
1681         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1682                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1683         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1684                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1685
1686         /* If status request then ask callback what to do.
1687          * Note: this must be called after servername callbacks in case 
1688          * the certificate has changed.
1689          */
1690         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1691                 {
1692                 int r;
1693                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1694                 switch (r)
1695                         {
1696                         /* We don't want to send a status request response */
1697                         case SSL_TLSEXT_ERR_NOACK:
1698                                 s->tlsext_status_expected = 0;
1699                                 break;
1700                         /* status request response should be sent */
1701                         case SSL_TLSEXT_ERR_OK:
1702                                 if (s->tlsext_ocsp_resp)
1703                                         s->tlsext_status_expected = 1;
1704                                 else
1705                                         s->tlsext_status_expected = 0;
1706                                 break;
1707                         /* something bad happened */
1708                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1709                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1710                                 al = SSL_AD_INTERNAL_ERROR;
1711                                 goto err;
1712                         }
1713                 }
1714         else
1715                 s->tlsext_status_expected = 0;
1716
1717 #ifdef TLSEXT_TYPE_opaque_prf_input
1718         {
1719                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1720                  * but we might be sending an alert in response to the client hello,
1721                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1722
1723                 int r = 1;
1724         
1725                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1726                         {
1727                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1728                         if (!r)
1729                                 {
1730                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1731                                 al = SSL_AD_INTERNAL_ERROR;
1732                                 goto err;
1733                                 }
1734                         }
1735
1736                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1737                         OPENSSL_free(s->s3->server_opaque_prf_input);
1738                 s->s3->server_opaque_prf_input = NULL;
1739
1740                 if (s->tlsext_opaque_prf_input != NULL)
1741                         {
1742                         if (s->s3->client_opaque_prf_input != NULL &&
1743                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1744                                 {
1745                                 /* can only use this extension if we have a server opaque PRF input
1746                                  * of the same length as the client opaque PRF input! */
1747
1748                                 if (s->tlsext_opaque_prf_input_len == 0)
1749                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1750                                 else
1751                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1752                                 if (s->s3->server_opaque_prf_input == NULL)
1753                                         {
1754                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1755                                         al = SSL_AD_INTERNAL_ERROR;
1756                                         goto err;
1757                                         }
1758                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1759                                 }
1760                         }
1761
1762                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1763                         {
1764                         /* The callback wants to enforce use of the extension,
1765                          * but we can't do that with the client opaque PRF input;
1766                          * abort the handshake.
1767                          */
1768                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1769                         al = SSL_AD_HANDSHAKE_FAILURE;
1770                         }
1771         }
1772
1773 #endif
1774  err:
1775         switch (ret)
1776                 {
1777                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1778                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1779                         return -1;
1780
1781                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1782                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1783                         return 1; 
1784                                         
1785                 case SSL_TLSEXT_ERR_NOACK:
1786                         s->servername_done=0;
1787                         default:
1788                 return 1;
1789                 }
1790         }
1791
1792 int ssl_check_serverhello_tlsext(SSL *s)
1793         {
1794         int ret=SSL_TLSEXT_ERR_NOACK;
1795         int al = SSL_AD_UNRECOGNIZED_NAME;
1796
1797 #ifndef OPENSSL_NO_EC
1798         /* If we are client and using an elliptic curve cryptography cipher
1799          * suite, then if server returns an EC point formats lists extension
1800          * it must contain uncompressed.
1801          */
1802         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1803         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1804         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1805             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
1806             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1807                 {
1808                 /* we are using an ECC cipher */
1809                 size_t i;
1810                 unsigned char *list;
1811                 int found_uncompressed = 0;
1812                 list = s->session->tlsext_ecpointformatlist;
1813                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1814                         {
1815                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1816                                 {
1817                                 found_uncompressed = 1;
1818                                 break;
1819                                 }
1820                         }
1821                 if (!found_uncompressed)
1822                         {
1823                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1824                         return -1;
1825                         }
1826                 }
1827         ret = SSL_TLSEXT_ERR_OK;
1828 #endif /* OPENSSL_NO_EC */
1829
1830         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1831                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1832         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1833                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1834
1835 #ifdef TLSEXT_TYPE_opaque_prf_input
1836         if (s->s3->server_opaque_prf_input_len > 0)
1837                 {
1838                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1839                  * So first verify that we really have a value from the server too. */
1840
1841                 if (s->s3->server_opaque_prf_input == NULL)
1842                         {
1843                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1844                         al = SSL_AD_HANDSHAKE_FAILURE;
1845                         }
1846                 
1847                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1848                  * that we have a client opaque PRF input of the same size. */
1849                 if (s->s3->client_opaque_prf_input == NULL ||
1850                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1851                         {
1852                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1853                         al = SSL_AD_ILLEGAL_PARAMETER;
1854                         }
1855                 }
1856 #endif
1857
1858         /* If we've requested certificate status and we wont get one
1859          * tell the callback
1860          */
1861         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1862                         && s->ctx && s->ctx->tlsext_status_cb)
1863                 {
1864                 int r;
1865                 /* Set resp to NULL, resplen to -1 so callback knows
1866                  * there is no response.
1867                  */
1868                 if (s->tlsext_ocsp_resp)
1869                         {
1870                         OPENSSL_free(s->tlsext_ocsp_resp);
1871                         s->tlsext_ocsp_resp = NULL;
1872                         }
1873                 s->tlsext_ocsp_resplen = -1;
1874                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1875                 if (r == 0)
1876                         {
1877                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1878                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1879                         }
1880                 if (r < 0)
1881                         {
1882                         al = SSL_AD_INTERNAL_ERROR;
1883                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1884                         }
1885                 }
1886
1887         switch (ret)
1888                 {
1889                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1890                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1891                         return -1;
1892
1893                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1894                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1895                         return 1; 
1896                                         
1897                 case SSL_TLSEXT_ERR_NOACK:
1898                         s->servername_done=0;
1899                         default:
1900                 return 1;
1901                 }
1902         }
1903
1904 /* Since the server cache lookup is done early on in the processing of the
1905  * ClientHello, and other operations depend on the result, we need to handle
1906  * any TLS session ticket extension at the same time.
1907  *
1908  *   session_id: points at the session ID in the ClientHello. This code will
1909  *       read past the end of this in order to parse out the session ticket
1910  *       extension, if any.
1911  *   len: the length of the session ID.
1912  *   limit: a pointer to the first byte after the ClientHello.
1913  *   ret: (output) on return, if a ticket was decrypted, then this is set to
1914  *       point to the resulting session.
1915  *
1916  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
1917  * ciphersuite, in which case we have no use for session tickets and one will
1918  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
1919  *
1920  * Returns:
1921  *   -1: fatal error, either from parsing or decrypting the ticket.
1922  *    0: no ticket was found (or was ignored, based on settings).
1923  *    1: a zero length extension was found, indicating that the client supports
1924  *       session tickets but doesn't currently have one to offer.
1925  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
1926  *       couldn't be decrypted because of a non-fatal error.
1927  *    3: a ticket was successfully decrypted and *ret was set.
1928  *
1929  * Side effects:
1930  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
1931  *   a new session ticket to the client because the client indicated support
1932  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
1933  *   a session ticket or we couldn't use the one it gave us, or if
1934  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
1935  *   Otherwise, s->tlsext_ticket_expected is set to 0.
1936  */
1937 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1938                         const unsigned char *limit, SSL_SESSION **ret)
1939         {
1940         /* Point after session ID in client hello */
1941         const unsigned char *p = session_id + len;
1942         unsigned short i;
1943
1944         *ret = NULL;
1945         s->tlsext_ticket_expected = 0;
1946
1947         /* If tickets disabled behave as if no ticket present
1948          * to permit stateful resumption.
1949          */
1950         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1951                 return 0;
1952         if ((s->version <= SSL3_VERSION) || !limit)
1953                 return 0;
1954         if (p >= limit)
1955                 return -1;
1956         /* Skip past DTLS cookie */
1957         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1958                 {
1959                 i = *(p++);
1960                 p+= i;
1961                 if (p >= limit)
1962                         return -1;
1963                 }
1964         /* Skip past cipher list */
1965         n2s(p, i);
1966         p+= i;
1967         if (p >= limit)
1968                 return -1;
1969         /* Skip past compression algorithm list */
1970         i = *(p++);
1971         p += i;
1972         if (p > limit)
1973                 return -1;
1974         /* Now at start of extensions */
1975         if ((p + 2) >= limit)
1976                 return 0;
1977         n2s(p, i);
1978         while ((p + 4) <= limit)
1979                 {
1980                 unsigned short type, size;
1981                 n2s(p, type);
1982                 n2s(p, size);
1983                 if (p + size > limit)
1984                         return 0;
1985                 if (type == TLSEXT_TYPE_session_ticket)
1986                         {
1987                         int r;
1988                         if (size == 0)
1989                                 {
1990                                 /* The client will accept a ticket but doesn't
1991                                  * currently have one. */
1992                                 s->tlsext_ticket_expected = 1;
1993                                 return 1;
1994                                 }
1995                         if (s->tls_session_secret_cb)
1996                                 {
1997                                 /* Indicate that the ticket couldn't be
1998                                  * decrypted rather than generating the session
1999                                  * from ticket now, trigger abbreviated
2000                                  * handshake based on external mechanism to
2001                                  * calculate the master secret later. */
2002                                 return 2;
2003                                 }
2004                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2005                         switch (r)
2006                                 {
2007                                 case 2: /* ticket couldn't be decrypted */
2008                                         s->tlsext_ticket_expected = 1;
2009                                         return 2;
2010                                 case 3: /* ticket was decrypted */
2011                                         return r;
2012                                 case 4: /* ticket decrypted but need to renew */
2013                                         s->tlsext_ticket_expected = 1;
2014                                         return 3;
2015                                 default: /* fatal error */
2016                                         return -1;
2017                                 }
2018                         }
2019                 p += size;
2020                 }
2021         return 0;
2022         }
2023
2024 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2025  *
2026  *   etick: points to the body of the session ticket extension.
2027  *   eticklen: the length of the session tickets extenion.
2028  *   sess_id: points at the session ID.
2029  *   sesslen: the length of the session ID.
2030  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2031  *       point to the resulting session.
2032  *
2033  * Returns:
2034  *   -1: fatal error, either from parsing or decrypting the ticket.
2035  *    2: the ticket couldn't be decrypted.
2036  *    3: a ticket was successfully decrypted and *psess was set.
2037  *    4: same as 3, but the ticket needs to be renewed.
2038  */
2039 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2040                                 const unsigned char *sess_id, int sesslen,
2041                                 SSL_SESSION **psess)
2042         {
2043         SSL_SESSION *sess;
2044         unsigned char *sdec;
2045         const unsigned char *p;
2046         int slen, mlen, renew_ticket = 0;
2047         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2048         HMAC_CTX hctx;
2049         EVP_CIPHER_CTX ctx;
2050         SSL_CTX *tctx = s->initial_ctx;
2051         /* Need at least keyname + iv + some encrypted data */
2052         if (eticklen < 48)
2053                 return 2;
2054         /* Initialize session ticket encryption and HMAC contexts */
2055         HMAC_CTX_init(&hctx);
2056         EVP_CIPHER_CTX_init(&ctx);
2057         if (tctx->tlsext_ticket_key_cb)
2058                 {
2059                 unsigned char *nctick = (unsigned char *)etick;
2060                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2061                                                         &ctx, &hctx, 0);
2062                 if (rv < 0)
2063                         return -1;
2064                 if (rv == 0)
2065                         return 2;
2066                 if (rv == 2)
2067                         renew_ticket = 1;
2068                 }
2069         else
2070                 {
2071                 /* Check key name matches */
2072                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2073                         return 2;
2074                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2075                                         tlsext_tick_md(), NULL);
2076                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2077                                 tctx->tlsext_tick_aes_key, etick + 16);
2078                 }
2079         /* Attempt to process session ticket, first conduct sanity and
2080          * integrity checks on ticket.
2081          */
2082         mlen = HMAC_size(&hctx);
2083         if (mlen < 0)
2084                 {
2085                 EVP_CIPHER_CTX_cleanup(&ctx);
2086                 return -1;
2087                 }
2088         eticklen -= mlen;
2089         /* Check HMAC of encrypted ticket */
2090         HMAC_Update(&hctx, etick, eticklen);
2091         HMAC_Final(&hctx, tick_hmac, NULL);
2092         HMAC_CTX_cleanup(&hctx);
2093         if (memcmp(tick_hmac, etick + eticklen, mlen))
2094                 return 2;
2095         /* Attempt to decrypt session data */
2096         /* Move p after IV to start of encrypted ticket, update length */
2097         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2098         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2099         sdec = OPENSSL_malloc(eticklen);
2100         if (!sdec)
2101                 {
2102                 EVP_CIPHER_CTX_cleanup(&ctx);
2103                 return -1;
2104                 }
2105         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2106         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2107                 return 2;
2108         slen += mlen;
2109         EVP_CIPHER_CTX_cleanup(&ctx);
2110         p = sdec;
2111
2112         sess = d2i_SSL_SESSION(NULL, &p, slen);
2113         OPENSSL_free(sdec);
2114         if (sess)
2115                 {
2116                 /* The session ID, if non-empty, is used by some clients to
2117                  * detect that the ticket has been accepted. So we copy it to
2118                  * the session structure. If it is empty set length to zero
2119                  * as required by standard.
2120                  */
2121                 if (sesslen)
2122                         memcpy(sess->session_id, sess_id, sesslen);
2123                 sess->session_id_length = sesslen;
2124                 *psess = sess;
2125                 if (renew_ticket)
2126                         return 4;
2127                 else
2128                         return 3;
2129                 }
2130         ERR_clear_error();
2131         /* For session parse failure, indicate that we need to send a new
2132          * ticket. */
2133         return 2;
2134         }
2135
2136 /* Tables to translate from NIDs to TLS v1.2 ids */
2137
2138 typedef struct 
2139         {
2140         int nid;
2141         int id;
2142         } tls12_lookup;
2143
2144 static tls12_lookup tls12_md[] = {
2145 #ifndef OPENSSL_NO_MD5
2146         {NID_md5, TLSEXT_hash_md5},
2147 #endif
2148 #ifndef OPENSSL_NO_SHA
2149         {NID_sha1, TLSEXT_hash_sha1},
2150 #endif
2151 #ifndef OPENSSL_NO_SHA256
2152         {NID_sha224, TLSEXT_hash_sha224},
2153         {NID_sha256, TLSEXT_hash_sha256},
2154 #endif
2155 #ifndef OPENSSL_NO_SHA512
2156         {NID_sha384, TLSEXT_hash_sha384},
2157         {NID_sha512, TLSEXT_hash_sha512}
2158 #endif
2159 };
2160
2161 static tls12_lookup tls12_sig[] = {
2162 #ifndef OPENSSL_NO_RSA
2163         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2164 #endif
2165 #ifndef OPENSSL_NO_RSA
2166         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2167 #endif
2168 #ifndef OPENSSL_NO_ECDSA
2169         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2170 #endif
2171 };
2172
2173 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2174         {
2175         size_t i;
2176         for (i = 0; i < tlen; i++)
2177                 {
2178                 if (table[i].nid == nid)
2179                         return table[i].id;
2180                 }
2181         return -1;
2182         }
2183 #if 0
2184 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2185         {
2186         size_t i;
2187         for (i = 0; i < tlen; i++)
2188                 {
2189                 if (table[i].id == id)
2190                         return table[i].nid;
2191                 }
2192         return -1;
2193         }
2194 #endif
2195
2196 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2197         {
2198         int sig_id, md_id;
2199         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2200                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2201         if (md_id == -1)
2202                 return 0;
2203         sig_id = tls12_get_sigid(pk);
2204         if (sig_id == -1)
2205                 return 0;
2206         p[0] = (unsigned char)md_id;
2207         p[1] = (unsigned char)sig_id;
2208         return 1;
2209         }
2210
2211 int tls12_get_sigid(const EVP_PKEY *pk)
2212         {
2213         return tls12_find_id(pk->type, tls12_sig,
2214                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2215         }
2216
2217 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2218         {
2219         switch(hash_alg)
2220                 {
2221 #ifndef OPENSSL_NO_MD5
2222                 case TLSEXT_hash_md5:
2223 #ifdef OPENSSL_FIPS
2224                 if (FIPS_mode())
2225                         return NULL;
2226 #endif
2227                 return EVP_md5();
2228 #endif
2229 #ifndef OPENSSL_NO_SHA
2230                 case TLSEXT_hash_sha1:
2231                 return EVP_sha1();
2232 #endif
2233 #ifndef OPENSSL_NO_SHA256
2234                 case TLSEXT_hash_sha224:
2235                 return EVP_sha224();
2236
2237                 case TLSEXT_hash_sha256:
2238                 return EVP_sha256();
2239 #endif
2240 #ifndef OPENSSL_NO_SHA512
2241                 case TLSEXT_hash_sha384:
2242                 return EVP_sha384();
2243
2244                 case TLSEXT_hash_sha512:
2245                 return EVP_sha512();
2246 #endif
2247                 default:
2248                 return NULL;
2249
2250                 }
2251         }
2252
2253 /* Set preferred digest for each key type */
2254
2255 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2256         {
2257         int i, idx;
2258         const EVP_MD *md;
2259         CERT *c = s->cert;
2260         /* Extension ignored for TLS versions below 1.2 */
2261         if (TLS1_get_version(s) < TLS1_2_VERSION)
2262                 return 1;
2263         /* Should never happen */
2264         if (!c)
2265                 return 0;
2266
2267         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2268         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2269         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2270         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2271
2272         for (i = 0; i < dsize; i += 2)
2273                 {
2274                 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2275
2276                 switch(sig_alg)
2277                         {
2278 #ifndef OPENSSL_NO_RSA
2279                         case TLSEXT_signature_rsa:
2280                         idx = SSL_PKEY_RSA_SIGN;
2281                         break;
2282 #endif
2283 #ifndef OPENSSL_NO_DSA
2284                         case TLSEXT_signature_dsa:
2285                         idx = SSL_PKEY_DSA_SIGN;
2286                         break;
2287 #endif
2288 #ifndef OPENSSL_NO_ECDSA
2289                         case TLSEXT_signature_ecdsa:
2290                         idx = SSL_PKEY_ECC;
2291                         break;
2292 #endif
2293                         default:
2294                         continue;
2295                         }
2296
2297                 if (c->pkeys[idx].digest == NULL)
2298                         {
2299                         md = tls12_get_hash(hash_alg);
2300                         if (md)
2301                                 {
2302                                 c->pkeys[idx].digest = md;
2303                                 if (idx == SSL_PKEY_RSA_SIGN)
2304                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2305                                 }
2306                         }
2307
2308                 }
2309
2310
2311         /* Set any remaining keys to default values. NOTE: if alg is not
2312          * supported it stays as NULL.
2313          */
2314 #ifndef OPENSSL_NO_DSA
2315         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2316                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2317 #endif
2318 #ifndef OPENSSL_NO_RSA
2319         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2320                 {
2321                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2322                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2323                 }
2324 #endif
2325 #ifndef OPENSSL_NO_ECDSA
2326         if (!c->pkeys[SSL_PKEY_ECC].digest)
2327                 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2328 #endif
2329         return 1;
2330         }
2331
2332 #endif